One-stroke polynomials over a ring of modulo $2^w$
arXiv preprint [cs.IT]. JSIAM Letters Vol. ** (****) pp. 1– © **** Japan Society for Industrial and Applied Mathematics
Atsushi Iwasaki and Ken Umeno
Graduate School of Informatics, Kyoto University, Yoshida-honmachi, Kyoto city, Japan
E-mail: [email protected]
Abstract
Permutation polynomials over a ring of modulo $2^w$ are well suited to digital computers and digital signal processors, and so they are in particular expected to be useful for cryptography and pseudo random number generators. Since a longer period of the polynomial is demanded in general, we derive a necessary and sufficient condition that polynomials are permutation polynomials and their periods are the longest possible over the ring. We call polynomials which satisfy the condition "one-stroke polynomials over the ring".

Keywords: permutation polynomial, modulo $2^w$, cryptography, pseudo random number generator

Research Activity Group: Applied Chaos
1. Introduction
A polynomial is called a permutation polynomial over a finite ring $R$ if the polynomial is a bijection over $R$. Although $R$ is a finite field in many studies, we deal with a ring of modulo $2^w$ in this paper. Studies about permutation polynomials over the ring are very important because they are well suited to digital computers and digital signal processors: values of permutation polynomials over the ring can be calculated faster than over a finite field, because reduction modulo a power of 2 costs practically nothing. They are therefore in particular expected to be useful for cryptography and pseudo random number generators, and some applications have already been proposed [1–3].

There are two important studies about permutation polynomials over the ring. One is about periods of the polynomials. For cryptography and pseudo random number generators, longer periods are desirable, so a necessary and sufficient condition to maximize the periods of the permutation polynomials should be explored. When the period of the permutation polynomial is maximized, there exists only one orbit passed by the polynomial over the ring, and the orbit passes all the elements of the ring. Since a map which draws only one such orbit is called a "one-stroke map" [4], we call such permutation polynomials "one-stroke polynomials" in this paper. The necessary and sufficient condition that specifies one-stroke polynomials under the assumption that the degree of the permutation polynomial is restricted to 1 or 2 is known [5]. One-stroke polynomials whose degrees are 1 or 2 are used in the linear congruential method and the quadratic congruential method, which are pseudo random number generators. A sufficient condition without any assumption on the degree is also known [6], but a necessary and sufficient condition without that assumption has not been known, as far as the authors know.

The other is more fundamental. In order to study permutation polynomials over a ring of modulo $2^w$, we should know which polynomials are permutation polynomials. The necessary and sufficient condition that specifies permutation polynomials has already been studied [7].

Based on the above, we study one-stroke polynomials over a ring of modulo $2^w$ whose degrees are arbitrary. This paper is constructed as follows. In Section 2, we introduce permutation polynomials over a ring of modulo $2^w$. In Section 3, we derive the necessary and sufficient condition that specifies one-stroke polynomials over the ring. In Section 4, we introduce some properties of one-stroke polynomials over the ring. Finally, we conclude this paper.
2. Permutation polynomials over a ring of modulo $2^w$

In this section, we introduce permutation polynomials over a ring of modulo $2^w$.

Definition 2.1.
A finite degree polynomial $f(X)$ with integer coefficients is called a permutation polynomial over a ring of modulo $2^w$ if
$$\forall w \ge 1,\quad \{\, f(\bar X) \bmod 2^w \mid \bar X \in \mathbb{Z}/2^w\mathbb{Z} \,\} = \mathbb{Z}/2^w\mathbb{Z}.$$
The necessary and sufficient condition that specifies permutation polynomials over the ring is given by the following theorem [7].
Theorem 2.1. [Rivest, 2001]
A polynomial $f(X) = \sum_{i=0}^{N} a_i X^i$, where the coefficients are integers, is a permutation polynomial over a ring of modulo $2^w$ if and only if
$$a_1 \equiv 1 \pmod 2, \quad (1)$$
$$(a_2 + a_4 + a_6 + \cdots) \equiv 0 \pmod 2, \quad (2)$$
$$(a_3 + a_5 + a_7 + \cdots) \equiv 0 \pmod 2. \quad (3)$$
The following lemma is used in order to prove Theorem 2.1. We also use the lemma in the next section.
Lemma 2.1.
Let $f(X)$ be a polynomial with integer coefficients. Then $f(X)$ is a permutation polynomial over a ring of modulo $2^w$ if and only if
$$\forall w \ge 1,\quad f(X + 2^{w-1}) \equiv f(X) + 2^{w-1} \pmod{2^w}.$$
The following lemma is also used in the next section.
Lemma 2.2.
Let $f(X)$ be a permutation polynomial over a ring of modulo $2^w$. Then $f^j(X)$ is also a permutation polynomial over the ring for an arbitrary integer $j$, where $f^j(X) := f \circ f^{j-1}(X)$ and $f^1(X) := f(X)$.
3. One-stroke polynomial

In this section, we derive a necessary and sufficient condition that the coefficients of one-stroke polynomials over a ring of modulo $2^w$ satisfy. First, we define one-stroke polynomials over a ring of modulo $2^w$ exactly.

Definition 3.1.
Let $f(X)$ be a permutation polynomial over a ring of modulo $2^w$. If $f(X)$ satisfies
$$\forall w \ge 1,\ \forall \bar X,\quad \{\, f^i(\bar X) \bmod 2^w \mid i \in \mathbb{Z}/2^w\mathbb{Z} \,\} = \mathbb{Z}/2^w\mathbb{Z},$$
$f(X)$ is called a one-stroke polynomial over a ring of modulo $2^w$.

Example 3.1.
We consider the polynomials $F(X) = 4X^2 + X + 1$ and $G(X) = 6X^3 + 2X^2 + X + 1$. Both of them are permutation polynomials over a ring of modulo $2^w$. Figs. 1 and 2 show orbits on a ring of modulo $2^w$ passed by $F(X)$ and $G(X)$, respectively. In Fig. 1, each orbit passes all elements of the ring on which the orbit is drawn. It means that $F(X)$ is a one-stroke polynomial over a ring of modulo $2^w$. On the other hand, $G(X)$ is not a one-stroke polynomial over a ring of modulo $2^w$ because there is no orbit which passes all elements of $\mathbb{Z}/8\mathbb{Z}$.

[Fig. 1 (not reproduced). Orbits passed by $F(X)$. (a) Orbit on $\mathbb{Z}/4\mathbb{Z}$. (b) Orbit on $\mathbb{Z}/8\mathbb{Z}$. (c) Orbit on $\mathbb{Z}/16\mathbb{Z}$.]

Next, we introduce some lemmas. By the definition, the following two lemmas are obviously true.
Lemma 3.1.
Let $f(X)$ be a permutation polynomial over a ring of modulo $2^w$. Then $f(X)$ is a one-stroke polynomial over the ring if and only if, for all $w \ge 1$,
$$f^i(0) \equiv 0 \pmod{2^w} \iff i \equiv 0 \pmod{2^w}.$$

[Fig. 2 (not reproduced). Orbits passed by $G(X)$. (a) Orbit on $\mathbb{Z}/4\mathbb{Z}$. (b) Orbits on $\mathbb{Z}/8\mathbb{Z}$.]

Lemma 3.2.
Let $f(X)$ be a permutation polynomial over a ring of modulo $2^w$. Then $f(X)$ is a one-stroke polynomial over the ring if and only if, for all $w \ge 1$,
$$f^{2^w}(0) \equiv 0 \pmod{2^w}, \qquad f^{2^{w-1}}(0) \not\equiv 0 \pmod{2^w}.$$

Lemma 3.3.
Let $f(X)$ be a permutation polynomial over a ring of modulo $2^w$. Then $f(X)$ is a one-stroke polynomial over the ring if and only if
$$\forall w \ge 1,\quad f^{2^{w-1}}(0) \equiv 2^{w-1} \pmod{2^w}. \quad (4)$$

Proof
Assume that $f(X)$ is a one-stroke polynomial over the ring. By the definition, $\forall w \ge 1$, $\exists\, i \le 2^w$ s.t. $f^i(0) \equiv 2^{w-1} \pmod{2^w}$. Then, by Lemmas 2.1 and 2.2,
$$f^{2i}(0) \equiv f^i(2^{w-1}) \equiv f^i(0) + 2^{w-1} \equiv 0 \pmod{2^w}.$$
By Lemma 3.1, $2i \equiv 0 \pmod{2^w}$, so $2i = 2^w$ ($i = 2^w$ is excluded because $f^{2^w}(0) \equiv 0 \not\equiv 2^{w-1} \pmod{2^w}$). Then $i = 2^{w-1}$.
Conversely, assume that (4) is true. Then, by Lemmas 2.1 and 2.2,
$$f^{2^w}(0) \equiv f^{2^{w-1}}(2^{w-1}) \equiv f^{2^{w-1}}(0) + 2^{w-1} \equiv 0 \pmod{2^w}.$$
By Lemma 3.2, $f(X)$ is a one-stroke polynomial over the ring.

Lemma 3.4.
Assume that $f(X)$ is a permutation polynomial over a ring of modulo $2^w$ and $f(X)$ satisfies
$$f^2(0) \equiv 2 \pmod 4, \qquad f^4(0) \equiv 4 \pmod 8.$$
Then
$$\forall w \ge 2,\quad f^{2^{w-1}}(0) \equiv 2^{w-1} \pmod{2^w}.$$

Proof
Assume that $f^2(X) = \sum b_i X^i$ and $f^4(X) = \sum c_i X^i$, where all $b_i$ and $c_i$ are integers. By the assumption of the lemma, $b_0 \equiv 2 \pmod 4$ and $c_0 \equiv 4 \pmod 8$. Since $f(X)$ is a permutation polynomial over the ring, by Lemma 2.2 $f^2(X)$ is also a permutation polynomial over the ring. Then, by Theorem 2.1, $b_1 \equiv 1 \pmod 2$. Since $f^4(X) = f^2 \circ f^2(X)$,
$$c_1 = b_1^2 + 2 b_2 b_0 b_1 + 3 b_3 b_0^2 b_1 + 4 b_4 b_0^3 b_1 + \cdots \equiv b_1^2 \pmod 4 \ (\because b_0 \equiv 2 \pmod 4) \equiv 1 \pmod 4 \ (\because b_1 \equiv 1 \pmod 2).$$
Assume that there exists an integer $\bar w \ge 3$ such that $f^{2^{\bar w - 1}}(0) \equiv 2^{\bar w - 1} \pmod{2^{\bar w}}$ and the first-degree coefficient of $f^{2^{\bar w - 1}}(X)$ is 1 under modulo 4. We express $f^{2^{\bar w - 1}}(X)$ and $f^{2^{\bar w}}(X)$ as $f^{2^{\bar w - 1}}(X) = \sum d_i X^i$ and $f^{2^{\bar w}}(X) = \sum e_i X^i$, where all $d_i$ and $e_i$ are integers. By the assumption, $d_0 \equiv 2^{\bar w - 1} \pmod{2^{\bar w}}$ and $d_1 \equiv 1 \pmod 4$. Then
$$e_1 = d_1^2 + 2 d_2 d_0 d_1 + 3 d_3 d_0^2 d_1 + 4 d_4 d_0^3 d_1 + \cdots \equiv d_1^2 \pmod 4 \ (\because d_0 \equiv 2^{\bar w - 1} \pmod{2^{\bar w}}) \equiv 1 \pmod 4 \ (\because d_1 \equiv 1 \pmod 4),$$
$$e_0 = d_0 + d_1 d_0 + d_2 d_0^2 + d_3 d_0^3 + \cdots \equiv d_0 + d_1 d_0 \pmod{2^{\bar w + 1}} \ (\because d_0 \equiv 2^{\bar w - 1} \pmod{2^{\bar w}},\ \bar w \ge 3) \equiv 2^{\bar w} \pmod{2^{\bar w + 1}} \ (\because d_1 \equiv 1 \pmod 4).$$
Then $f^{2^{\bar w}}(0) \equiv 2^{\bar w} \pmod{2^{\bar w + 1}}$ and the first-degree coefficient of $f^{2^{\bar w}}(X)$ is 1 under modulo 4. Starting the induction from $\bar w = 3$, where $c_0 \equiv 4 \pmod 8$ and $c_1 \equiv 1 \pmod 4$ supply the assumption, the claim holds for all $w \ge 3$; the case $w = 2$ is the assumption $f^2(0) \equiv 2 \pmod 4$ itself. From the above, the lemma is true.

Finally, we introduce a necessary and sufficient condition that specifies one-stroke polynomials over a ring of modulo $2^w$.

Theorem 3.1.
Let $f(X) = \sum_{i=0}^{N} a_i X^i$ be a polynomial, where all $a_i$ are integers. Then $f(X)$ is a one-stroke polynomial over a ring of modulo $2^w$ if and only if
$$a_0 \equiv 1 \pmod 2,$$
$$a_1 \equiv 1 \pmod 2,$$
$$(a_1 + a_2 + a_3 + \cdots) \equiv 1 \pmod 4,$$
$$(a_3 + a_5 + a_7 + \cdots) \equiv 2 a_2 \pmod 4,$$
$$(a_2 + a_4 + a_6 + \cdots) \equiv 0 \pmod 2.$$

Proof
If $f(X)$ is a one-stroke polynomial over the ring, $f(X)$ is a permutation polynomial over the ring. Then, by Theorem 2.1 and Lemmas 3.3 and 3.4, $f(X)$ is a one-stroke polynomial over the ring if and only if (1), (2), (3) and
$$f(0) \equiv 1 \pmod 2, \qquad f^2(0) \equiv 2 \pmod 4, \qquad f^4(0) \equiv 4 \pmod 8.$$
Since $f(0) = a_0$, $f(0) \equiv 1 \pmod 2 \iff a_0 \equiv 1 \pmod 2$. Since $f^2(0) = a_0 + a_1 a_0 + a_2 a_0^2 + \cdots + a_N a_0^N$, if $a_0 \equiv 1 \pmod 2$,
$$f^2(0) \equiv a_0 (1 + a_1 + a_3 + a_5 + \cdots) + (a_2 + a_4 + a_6 + \cdots) \pmod 4 \equiv 1 + a_1 + a_2 + a_3 + \cdots + a_N \pmod 4,$$
where the last step uses that $1 + a_1 + a_3 + a_5 + \cdots$ is even by (1) and (3), so multiplying it by the odd number $a_0$ does not change it modulo 4. Then,
$$f^2(0) \equiv 2 \pmod 4,\ a_0 \equiv 1 \pmod 2,\ (1)\ \text{and}\ (3) \iff (a_1 + a_2 + a_3 + \cdots) \equiv 1 \pmod 4,\ a_0 \equiv 1 \pmod 2,\ (1)\ \text{and}\ (3).$$
We express $f^2(X)$ as $f^2(X) = \sum b_i X^i$, where all $b_i$ are integers. If $f(X)$ is a permutation polynomial over the ring, $f^2(X)$ is also a permutation polynomial over the ring by Lemma 2.2, and so $b_1 \equiv 1 \pmod 2$. Together with $b_0 = f^2(0) \equiv 2 \pmod 4$,
$$f^4(0) = b_0 + b_1 b_0 + b_2 b_0^2 + b_3 b_0^3 + \cdots \equiv b_0 (1 + b_1 + 2 b_2) \pmod 8.$$
If $a_0 \equiv 1 \pmod 2$,
$$b_2 = a_1 a_2 + \sum_{i=2}^{N} a_i \left\{ \frac{i(i-1)}{2} a_0^{i-2} a_1^2 + i a_0^{i-1} a_2 \right\} \equiv a_1 a_2 + \sum_{i=2}^{N} a_i \left\{ \frac{i(i-1)}{2} + i a_2 \right\} \pmod 2$$
$$\equiv a_1 a_2 + \sum_{i=2}^{N} a_i \frac{i(i-1)}{2} \pmod 2 \ (\because (3)) \equiv a_2 + (a_2 + a_6 + a_{10} + \cdots) + (a_3 + a_7 + a_{11} + \cdots) \pmod 2 \equiv (a_6 + a_{10} + a_{14} + \cdots) + (a_3 + a_7 + a_{11} + \cdots) \pmod 2,$$
$$b_1 = a_1^2 + 2 a_2 a_0 a_1 + 3 a_3 a_0^2 a_1 + \cdots + N a_N a_0^{N-1} a_1 \equiv a_1 (a_1 + 3 a_3 + 5 a_5 + 7 a_7 + \cdots) + a_0 a_1 (2 a_2 + 4 a_4 + 6 a_6 + \cdots) \pmod 4$$
$$\equiv a_1 (a_1 + 3 a_3 + a_5 + 3 a_7 + \cdots) + a_0 a_1 (2 a_2 + 2 a_6 + 2 a_{10} + \cdots) \pmod 4 \equiv a_1 (a_1 + a_3 + a_5 + \cdots) + a_1 (2 a_3 + 2 a_7 + 2 a_{11} + \cdots) + 2 (a_2 + a_6 + a_{10} + \cdots) \pmod 4$$
$$\equiv 1 + 2 (a_3 + a_7 + a_{11} + \cdots) + (a_3 + a_5 + a_7 + \cdots) + 2 (a_2 + a_6 + a_{10} + \cdots) \pmod 4.$$
Then,
$$f^4(0) \equiv 4 + 2 \{ 2 a_2 + (a_3 + a_5 + a_7 + \cdots) \} \pmod 8.$$
Therefore,
$$f^4(0) \equiv 4 \pmod 8,\ b_1 \equiv 1 \pmod 2,\ (1),\ (2)\ \text{and}\ (3) \iff (a_3 + a_5 + a_7 + \cdots) \equiv 2 a_2 \pmod 4,\ b_1 \equiv 1 \pmod 2,\ (1),\ (2)\ \text{and}\ (3).$$
From the above, the theorem is true.
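As an added example that is not part of the paper, the following Python script checks Definition 3.1 and Theorem 3.1 against each other by brute force. It encodes Rivest's conditions (1)–(3), encodes the five coefficient conditions of Theorem 3.1 ($a_0$ and $a_1$ odd, $a_1 + a_2 + a_3 + \cdots \equiv 1 \pmod 4$, $a_3 + a_5 + a_7 + \cdots \equiv 2a_2 \pmod 4$, $a_2 + a_4 + a_6 + \cdots$ even), computes orbits exhaustively for small $w$, and compares the two for every polynomial of degree at most 3 with coefficients in $\{0, 1, 2, 3\}$. The paper's $F(X)$ and $G(X)$ from Example 3.1 are read as $4X^2 + X + 1$ and $6X^3 + 2X^2 + X + 1$ (assumed readings: the exponents were lost in extraction, and these readings reproduce the orbit structure of Figs. 1 and 2). All function names are this example's own.

```python
# Added example (not from the paper). Coefficient lists [a_0, a_1, ..., a_N];
# every check below is an exhaustive computation on Z/2^w Z for small w.

def poly_eval(coeffs, x, w):
    """f(x) mod 2^w by Horner's rule."""
    mod = 1 << w
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % mod
    return acc

def is_permutation(coeffs, w):
    """Definition 2.1 for a single w: X -> f(X) is a bijection on Z/2^w Z."""
    mod = 1 << w
    return len({poly_eval(coeffs, x, w) for x in range(mod)}) == mod

def orbit_length(coeffs, w, start=0):
    """Length of the cycle of f through `start` on Z/2^w Z."""
    mod = 1 << w
    x = poly_eval(coeffs, start, w)
    n = 1
    while x != start:
        x = poly_eval(coeffs, x, w)
        n += 1
        if n > mod:          # only reachable when f is not a permutation
            raise ValueError("f is not a permutation on Z/2^w Z")
    return n

def is_one_stroke(coeffs, w):
    """Definition 3.1 for a single w: one orbit covers all of Z/2^w Z."""
    return is_permutation(coeffs, w) and orbit_length(coeffs, w) == (1 << w)

def rivest_conditions(coeffs):
    """Theorem 2.1: a_1 odd, a_2 + a_4 + ... even, a_3 + a_5 + ... even."""
    a = list(coeffs) + [0] * 4
    return a[1] % 2 == 1 and sum(a[2::2]) % 2 == 0 and sum(a[3::2]) % 2 == 0

def one_stroke_conditions(coeffs):
    """The five coefficient conditions of Theorem 3.1."""
    a = list(coeffs) + [0] * 4
    return (a[0] % 2 == 1
            and a[1] % 2 == 1
            and sum(a[1:]) % 4 == 1
            and sum(a[3::2]) % 4 == (2 * a[2]) % 4
            and sum(a[2::2]) % 2 == 0)

def first_failing_w(coeffs, max_w=8):
    """Smallest w in 1..max_w for which f is not one-stroke, or None."""
    for w in range(1, max_w + 1):
        if not is_one_stroke(coeffs, w):
            return w
    return None

def theorem_matches_brute_force(max_w=4):
    """Theorem 3.1 versus exhaustive orbits, for every polynomial of degree
    at most 3 with coefficients in {0, 1, 2, 3} (256 polynomials)."""
    for code in range(4 ** 4):
        coeffs = [(code >> (2 * k)) & 3 for k in range(4)]
        predicted = one_stroke_conditions(coeffs)
        observed = all(is_one_stroke(coeffs, w) for w in range(1, max_w + 1))
        if predicted != observed:
            return False
    return True

F = [1, 1, 4]       # F(X) = 4X^2 + X + 1        (assumed reading of the paper's F)
G = [1, 1, 2, 6]    # G(X) = 6X^3 + 2X^2 + X + 1 (assumed reading of the paper's G)

if __name__ == "__main__":
    for name, p in (("F", F), ("G", G)):
        print(name, "permutation:", rivest_conditions(p),
              "one-stroke:", one_stroke_conditions(p),
              "first w whose orbit of 0 is not all of Z/2^w Z:", first_failing_w(p))
    print("Theorem 3.1 agrees with brute force:", theorem_matches_brute_force())
```

Running it reports that both $F$ and $G$ pass Rivest's test, that $F$ is one-stroke for every $w$ checked, and that $G$ first fails at $w = 3$ (its orbit of 0 on $\mathbb{Z}/8\mathbb{Z}$ has length 4), which is exactly the situation drawn in Fig. 2.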
4. Some properties of one-stroke polynomials

In this section, we introduce some properties of one-stroke polynomials; in particular, we show their computability. Under the assumption that the degree of the one-stroke polynomial $f(X)$ is lower than $w$, we show that the following values can be calculated in time polynomial in $w$.
(A) $\bar X$ satisfying $\bar Y \equiv f(\bar X) \pmod{2^w}$ for given $\bar Y$.
(B) $j$ satisfying $\bar Y \equiv f^j(\bar X) \pmod{2^w}$ for given $\bar X$ and $\bar Y$.
(C) $\bar Y$ satisfying $\bar Y \equiv f^j(\bar X) \pmod{2^w}$ for given $\bar X$ and $j$.
In the paper [8], a similar problem for permutation polynomials over the ring is discussed. Here, we use not only properties of permutation polynomials over the ring but also those of one-stroke polynomials over the ring.
Method to calculate (A).
The following algorithm calculates (A).
(i) Set $X' \leftarrow 0$ and $m \leftarrow 1$.
(ii) If $\bar Y \not\equiv f(X') \pmod{2^m}$, $X' \leftarrow X' + 2^{m-1}$.
(iii) If $m = w$, output $X'$ and finish this algorithm. Else, $m \leftarrow m + 1$ and return to (ii).
In step (ii), if $\bar Y \equiv f(X') + 2^{m-1} \pmod{2^m}$, then $\bar Y \equiv f(X' + 2^{m-1}) \pmod{2^m}$ by Lemma 2.1. Therefore, this algorithm calculates (A). Since the degree of $f(X)$ is lower than $w$, it requires $O(w)$ multiplications and $O(w)$ additions on $\mathbb{Z}/2^w\mathbb{Z}$ to calculate the value of $f(X) \bmod 2^w$ for given $X$; thus, one evaluation requires $O(w^2)$ time. Since the evaluation is used $O(w)$ times in the above algorithm, the above algorithm requires $O(w^3)$ time.

Method to calculate (B).
In order to calculate (B), we introduce polynomials $h_i(X)$ $(i = 0, 1, 2, \cdots, w-1)$:
$$h_i(X) := \left( f^{2^i}(X) \bmod 2^w \right) \bmod X^{\lceil w/i \rceil},$$
where for $i = 0$ no truncation is needed because the degree of $f(X)$ is lower than $w$. The polynomials $h_i(X)$ have the following properties. If $\bar X \equiv 0 \pmod{2^i}$, $h_i(\bar X) \equiv f^{2^i}(\bar X) \pmod{2^w}$. If $\bar X \equiv 0 \pmod{2^{i+1}}$, $h_i(\bar X) \equiv 2^i \pmod{2^{i+1}}$, and if $\bar X \equiv 2^i \pmod{2^{i+1}}$, $h_i(\bar X) \equiv 0 \pmod{2^{i+1}}$. If we know $h_i(X)$, we can calculate $h_{i+1}(X)$ as $h_{i+1}(X) = h_i \circ h_i(X) \bmod X^{\lceil w/(i+1) \rceil}$. Because the degrees of $h_i(X)$ and $h_{i+1}(X)$ are lower than $\lceil w/i \rceil$, the calculation requires $O(\lceil w/i \rceil^2)$ multiplications and $O(\lceil w/i \rceil^2)$ additions. Then, the calculation requires $O(w \lceil w/i \rceil^2)$ time. By this estimation, it takes $O(w^3)$ time to calculate the list $\{h_0(X), h_1(X), h_2(X), \cdots, h_{w-1}(X)\}$.

We show a method to calculate (B) by using $h_i(X)$. If we find $j'$ and $j''$ such that $0 \equiv f^{j'}(\bar Y) \pmod{2^w}$ and $0 \equiv f^{j''}(\bar X) \pmod{2^w}$, we can calculate $j$ as $j \equiv j'' - j' \pmod{2^w}$. We therefore assume that $\bar Y$ equals 0 without loss of generality. Assume that $j = \sum_{i=0}^{w-1} \epsilon(i) 2^i$ where $\epsilon(i) \in \{0, 1\}$. Then
$$f^j(\bar X) \equiv f^{\epsilon(w-1) 2^{w-1}} \circ f^{\epsilon(w-2) 2^{w-2}} \circ \cdots \circ f^{\epsilon(0) 2^0}(\bar X) \pmod{2^w}.$$
By Lemma 3.1, if $f^j(\bar X) \equiv 0 \pmod{2^w}$, then
$$f^{\epsilon(m) 2^m} \circ f^{\epsilon(m-1) 2^{m-1}} \circ \cdots \circ f^{\epsilon(0) 2^0}(\bar X) \equiv 0 \pmod{2^{m+1}}$$
for arbitrary $m$. Thus, by the properties of $h_i(X)$,
$$f^j(\bar X) \equiv h_{w-1}^{\epsilon(w-1)} \circ h_{w-2}^{\epsilon(w-2)} \circ \cdots \circ h_0^{\epsilon(0)}(\bar X) \pmod{2^w}.$$
From the above, the following algorithm outputs $j$ satisfying $f^j(\bar X) \equiv 0 \pmod{2^w}$.
(i) Set $i \leftarrow 0$, $j \leftarrow 0$ and $X' \leftarrow \bar X$.
(ii) If $X' \equiv 2^i \pmod{2^{i+1}}$, $X' \leftarrow h_i(X') \bmod 2^w$ and $j \leftarrow j + 2^i$.
(iii) If $i = w - 1$, output $j$ and finish this algorithm. Else, $i \leftarrow i + 1$ and return to step (ii).
It takes $O(w \lceil w/i \rceil)$ time to calculate the value of $h_i(\bar X)$ for given $\bar X$. Then, this algorithm requires $O(w^2 \log w)$ time, but calculating (B) requires $O(w^3)$ time because we must calculate the list $\{h_0(X), h_1(X), h_2(X), \cdots, h_{w-1}(X)\}$.

Method to calculate (C).
By using the above algorithm, we can find $j'$ such that $f^{j'}(\bar X) \equiv 0 \pmod{2^w}$, and so it is enough to show an algorithm to calculate $f^k(0) \bmod 2^w$ for given $k$. Assume that $k = \sum_{i=0}^{w-1} \epsilon(i) 2^i$ where $\epsilon(i) \in \{0, 1\}$. Then
$$f^k(0) \equiv f^{\epsilon(0) 2^0} \circ f^{\epsilon(1) 2^1} \circ \cdots \circ f^{\epsilon(w-1) 2^{w-1}}(0) \pmod{2^w}.$$
By Lemma 3.1,
$$f^{\epsilon(m) 2^m} \circ f^{\epsilon(m+1) 2^{m+1}} \circ \cdots \circ f^{\epsilon(w-1) 2^{w-1}}(0) \equiv 0 \pmod{2^m}$$
for arbitrary $m$. Thus, by the properties of $h_i(X)$,
$$f^k(0) \equiv h_0^{\epsilon(0)} \circ h_1^{\epsilon(1)} \circ \cdots \circ h_{w-1}^{\epsilon(w-1)}(0) \pmod{2^w}.$$
Then, the following algorithm outputs $f^k(0) \bmod 2^w$.
(i) Set $i \leftarrow w - 1$ and $X' \leftarrow 0$.
(ii) If the $(i+1)$-th least significant bit of $k$ is 1, $X' \leftarrow h_i(X') \bmod 2^w$.
(iii) If $i = 0$, output $X'$ and finish this algorithm. Else, $i \leftarrow i - 1$ and return to (ii).
This algorithm requires $O(w^2 \log w)$ time, but calculating (C) requires $O(w^3)$ time for the same reason why the method to calculate (B) requires $O(w^3)$ time.
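The three methods of this section, as an added example that is not part of the paper: the Python below implements Method (A) as bit-by-bit lifting, builds the list $h_0, \dots, h_{w-1}$ by the recurrence $h_{i+1} = h_i \circ h_i \bmod X^{\lceil w/(i+1) \rceil}$ (with $h_0 = f$, since $\deg f < w$), and runs the algorithms for (B) and (C) on the paper's $F(X)$, read here as $4X^2 + X + 1$ (an assumed reading; the exponents were lost in extraction). The helper names are this example's own, and `brute_iterate`, which simply applies $f$ repeatedly, exists only to confirm the fast methods at $w = 8$.

```python
# Added example (not from the paper). Methods (A), (B) and (C) of Section 4
# for the paper's F(X), read as 4X^2 + X + 1 (assumed reading). Polynomials
# are coefficient lists [a_0, a_1, ...]; w is the bit width of the ring.

def poly_eval(p, x, mod):
    """p(x) mod `mod` by Horner's rule."""
    acc = 0
    for a in reversed(p):
        acc = (acc * x + a) % mod
    return acc

def invert_lifting(f, y, w):
    """Method (A): X' with f(X') ≡ y (mod 2^w), lifted one bit per round.
    Before round m, f(X') ≡ y (mod 2^(m-1)); by Lemma 2.1, adding 2^(m-1)
    to X' adds 2^(m-1) to f(X') mod 2^m, so one of the two candidates fits."""
    x = 0
    for m in range(1, w + 1):
        if poly_eval(f, x, 1 << m) != y % (1 << m):
            x += 1 << (m - 1)
    return x

def poly_mul_trunc(p, q, deg, mod):
    """(p * q) mod X^deg with coefficients mod `mod`."""
    r = [0] * deg
    for i, a in enumerate(p[:deg]):
        if a:
            for j, b in enumerate(q[:deg - i]):
                r[i + j] = (r[i + j] + a * b) % mod
    return r

def poly_compose_trunc(outer, inner, deg, mod):
    """outer(inner(X)) mod X^deg, Horner's rule on truncated polynomials."""
    acc = [0] * deg
    for a in reversed(outer):
        acc = poly_mul_trunc(acc, inner, deg, mod)
        acc[0] = (acc[0] + a) % mod
    return acc

def build_h_list(f, w):
    """h_0 = f (deg f < w is assumed); h_{i+1} = h_i o h_i mod X^ceil(w/(i+1)).
    h_i agrees with f^(2^i) mod 2^w on every input divisible by 2^i, which is
    all that (B) and (C) ever evaluate it on."""
    if len(f) - 1 >= w:
        raise ValueError("Section 4 assumes deg f < w")
    mod = 1 << w
    hs = [[c % mod for c in f]]
    for i in range(1, w):
        hs.append(poly_compose_trunc(hs[-1], hs[-1], -(-w // i), mod))
    return hs

def steps_to_zero(hs, x, w):
    """Method (B) with Y = 0: the j in [0, 2^w) with f^j(x) ≡ 0 (mod 2^w)."""
    j = 0
    for i in range(w):                        # invariant: x ≡ 0 (mod 2^i)
        if x % (1 << (i + 1)) == (1 << i):    # x ≡ 2^i (mod 2^(i+1)), so
            x = poly_eval(hs[i], x, 1 << w)   # f^(2^i)(x) ≡ 0 (mod 2^(i+1))
            j += 1 << i
    return j

def discrete_log(hs, x, y, w):
    """Method (B): j with f^j(x) ≡ y (mod 2^w), via j ≡ j'' - j' (mod 2^w)."""
    return (steps_to_zero(hs, x, w) - steps_to_zero(hs, y, w)) % (1 << w)

def iterate_from_zero(hs, k, w):
    """Method (C) with X = 0: f^k(0) mod 2^w, most significant bit of k first."""
    x = 0
    for i in range(w - 1, -1, -1):            # invariant: x ≡ 0 (mod 2^i)
        if (k >> i) & 1:
            x = poly_eval(hs[i], x, 1 << w)
    return x

def iterate(hs, x, k, w):
    """Method (C): f^k(x) mod 2^w; x = f^(-j)(0) with j = steps_to_zero(x)."""
    return iterate_from_zero(hs, (k - steps_to_zero(hs, x, w)) % (1 << w), w)

def brute_iterate(f, x, k, w):
    """Reference check only: apply f k times (exponential in w)."""
    for _ in range(k):
        x = poly_eval(f, x, 1 << w)
    return x

F = [1, 1, 4]   # 4X^2 + X + 1, a one-stroke polynomial by Theorem 3.1

if __name__ == "__main__":
    w, hs = 8, build_h_list(F, 8)
    print("f^-1(77) =", invert_lifting(F, 77, w))
    print("f^100(5) =", iterate(hs, 5, 100, w), "check:", brute_iterate(F, 5, 100, w))
    print("j with f^j(5) = f^100(5):", discrete_log(hs, 5, brute_iterate(F, 5, 100, w), w))
```

Any one-stroke polynomial of degree below $w$ can be substituted for `F`. The $h_i$ list is independent of the query, which is why (B) and (C) pay the $O(w^3)$ list construction once and then $O(w^2 \log w)$ per query; `steps_to_zero` answers the $\bar Y = 0$ case of (B), and the general case is the difference of two such answers modulo $2^w$.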
5. Conclusion

We derived the necessary and sufficient condition that specifies one-stroke polynomials over a ring of modulo $2^w$. The condition enables us to construct many long sequences with maximum periods such that the distribution of the points of the sequences is uniform over the ring. In addition, one-stroke polynomials have some interesting properties. One-stroke polynomials will be applied in many fields including cryptography and pseudo random number generators.

References
[3] (entry truncated in extraction) (2016), 30-37.
[4] K. Umeno, Complex systems and communication, in: Information systems as complex systems, Waseda University Advanced Institute for Complex Systems ed., pp. 181-250, Kyouritsu-syuppansya, Tokyo, 2007 (In Japanese).
[5] D. E. Knuth, The Art of Computer Programming, Vol. 2, Addison-Wesley, Upper Saddle River, 1981.
[6] R. Coveyou, Random Number Generation Is Too Important to Be Left to Chance, Studies in Applied Mathematics, III (1970), 70-111.
[7] R. L. Rivest, Permutation polynomials modulo $2^w$, Finite Fields and their Applications, (2001), 287-292.
[8] A. Iwasaki and K. Umeno, Three Theorems on odd degree Chebyshev polynomials and more generalized permutation polynomials over a ring of module $2^w$, arXiv:1602.08238v2, 2016.