Domingo Gómez-Pérez

Predicting nonlinear pseudorandom number generators

Let p be a prime and let a and b be elements of the finite field Fp of p elements. The inversive congruential generator (ICG) is a sequence (u n ) of pseudorandom numbers defined by the relation u n+1 ≡ au -1 n +b mod p. We show that if sufficiently many of the most significant bits of several consecutive values u n of the ICG are given, one can recover the initial value u 0 (even in the case where the coefficients a and b are not known). We also obtain similar results for the quadratic congruential generator (QCG), v n+1 ≡ f(v n ) mod p, where f ∈ F p [X]. This suggests that for cryptographic applications ICG and QCG should be used with great care. Our results are somewhat similar to those known for the linear congruential generator (LCG), x n+1 ≡ ax n + b mod p, but they apply only to much longer bit strings. We also estimate limits of some heuristic approaches, which still remain much weaker than those known for LCG.

Predicting the Inversive Generator

Let p be a prime and let a and b be integers modulo p. The inversive congruential generator (ICG) is a sequence (u n ) of pseudorandom numbers defined by the relation \(U_{n+1}\equiv au{^{-1}_{n}}+b {\rm mod} p\).We show that if b and sufficiently many of the most significant bits of three consecutive values u n of the ICG are given, one can recover in polynomial time the initial value u 0 (even in the case where the coefficient a is unknown) provided that the initial value u 0 does not lie in a certain small subset of exceptional values.

Iterations of Multivariate Polynomials and Discrepancy of Pseudorandom Numbers

In this paper we present an extension of a result in [2] about a discrepancy bound for sequences of s-tuples of successive nonlinear multiple recursive congruential pseudorandom numbers of higher orders. The key of this note is based on linear properties of the iterations of multivariate polynomials.

Exponential sums with Dickson polynomials

We give new bounds of exponential sums with sequences of iterations of Dickson polynomials over prime finite fields. This result is motivated by possible applications to polynomial generators of pseudorandom numbers.

Algebraic entropy, automorphisms and sparsity of algebraic dynamical systems and pseudorandom number generators

We present several general results that show how algebraic dynamical systems with a slow degree growth and also rational automorphisms can be used to construct stronger pseudorandom number generators. We then give several concrete constructions that illustrate the applicability of these general results.

On the Carlitz rank of permutations of Fq and pseudorandom sequences

L. Carlitz proved that any permutation polynomial f over a finite field Fq is a composition of linear polynomials and inversions. Accordingly, the minimum number of inversions needed to obtain f is defined to be the Carlitz rank of f by Aksoy et al. The relation of the Carlitz rank of f to other invariants of the polynomial is of interest. Here we give a new lower bound for the Carlitz rank of f in terms of the number of nonzero coefficients of f which holds over any finite field. We also show that this complexity measure can be used to study classes of permutations with uniformly distributed orbits, which, for simplicity, we consider only over prime fields. This new approach enables us to analyze the properties of sequences generated by a large class of permutations of Fp, with the advantage that our bounds for the discrepancy and linear complexity depend on the Carlitz rank, not on the degree. Hence, the problem of the degree growth under iterations, which is the main drawback in all previous approaches, can be avoided.

The MMO problem

We consider a two polynomials analogue of the polynomial interpolation problem. Namely, we consider the Mixing Modular Operations (MMO) problem of recovering two polynomials <i>f</i> ∈ Z_<i>p</i>[<i>x</i>] and <i>g</i> ∈ Z_<i>q</i>[<i>x</i>] of known degree, where <i>p</i> and <i>q</i> are two (un)known positive integers, from the values of <i>f</i>(<i>t</i>) mod <i>p</i>+<i>g</i>(<i>t</i>) mod <i>q</i> at polynomially many points <i>t</i> ∈ Z. We show that if <i>p</i> and <i>q</i> are known, the MMO problem can be reduced to computing a close vector in a lattice with respect to the infinity norm. Using the Gaussian heuristic we also implemented in the SAGE system a polynomial-time algorithm. If <i>p</i> and <i>q</i> are kept secret, we do not know how to solve this problem. This problem is motivated by several potential cryptographic applications.

On irreducible divisors of iterated polynomials

D. Gomez-Perez, A. Ostafe, A.P. Nicolas and D. Sadornil have recently shown that for almost all polynomials f∈Fq[X] over the finite field of q elements, where q is an odd prime power, their iterates eventually become reducible polynomials over Fq. Here we combine their method with some new ideas to derive finer results about the arithmetic structure of iterates of f. In particular, we prove that the nth iterate of f has a square-free divisor of degree of order at least n1+o(1) as n→∞ (uniformly in q).

Linear complexity for multidimensional arrays - a numerical invariant

Linear complexity is a measure of how complex a one dimensional sequence can be. In this paper we extend the concept of linear complexity to multiple dimensions and present a definition that is invariant under well-orderings of the arrays. As a result we find that our new definition for the process introduced in the patent titled “Digital Watermarking” produces arrays with good asymptotic properties.

On lattice profile of the elliptic curve linear congruential generators

Lattice tests are quality measures for assessing the intrinsic structure of pseudorandom number generators. Recently a new lattice test has been introduced by Niederreiter and Winterhof. In this paper, we present a general inequality that is satisfied by any periodic sequence. Then, we analyze the behavior of the linear congruential generators on elliptic curves (EC-LCG) under this new lattice test and prove that the EC-LCG passes it up to very high dimensions. We also use a result of Brandstätter and Winterhof on the linear complexity profile related to the correlation measure of order