new inversive pseudorandom number generators

XCIII.4 (2000)

Incomplete exponential sums over finite fields and their applications to

new inversive pseudorandom number generators

by

Harald Niederreiter and Arne Winterhof (Wien)

1. Introduction. Let F

be the finite field of order q = p

with a prime p and an integer k ≥ 1. Further let {β

, . . . , β

} be an ordered basis of F

over F

. Define ξ

, n = 0, 1, . . . , q − 1, by

(1) ξ

= n

β

+ . . . + n

β

if

n = n

+ n

p + . . . + n

p

, 0 ≤ n

< p, i = 1, . . . , k,

and note that ξ

, ξ

, . . . , ξ

run exactly through all elements of F

. We obtain the sequence ξ

, ξ

, . . . by extending with period q (ξ

= ξ

). More- over, let

γ =

 γ

if γ ∈ F

, 0 if γ = 0.

For given α ∈ F

, β ∈ F

, we generate a sequence γ

, γ

, . . . of elements of F

by

(2) γ

= αξ

+ β for n = 0, 1, . . .

We study exponential sums over F

which in the simplest case are of the form

N −1

X

n=0

χ(γ

) for 1 ≤ N ≤ q,

where χ is a nontrivial additive character of F

. Upper bounds for these exponential sums are then applied to the analysis of two new inversive meth- ods for pseudorandom number and vector generation. These new methods are defined as follows. If

(3) γ

= c

β

+ c

β

+ . . . + c

β

with all c

∈ F

,

2000 Mathematics Subject Classification: 11K38, 11K45, 11T23, 65C10.

[387]

then we derive digital explicit inversive pseudorandom numbers in the inter- val [0, 1) by putting

y

= X

c

p

and explicit inversive pseudorandom vectors by

u

= 1

p (c

, c

, . . . , c

) ∈ [0, 1)

for n = 0, 1, . . . It is trivial that the sequences y

, y

, . . . and u

, u

, . . . are purely periodic with period q. In the special case k = 1 we get the explicit inversive congruential pseudorandom numbers introduced in [2].

After some auxiliary results in Section 2 we prove some new bounds for incomplete exponential sums over finite fields in Section 3 which allow us to give nontrivial results on the distribution of sequences of digital explicit inversive pseudorandom numbers and explicit inversive pseudorandom vec- tors. The application to digital explicit inversive pseudorandom numbers is presented in Section 4 and to explicit inversive pseudorandom vectors in Section 5. In particular, we generalize the result of [2, Theorem 1] on the statistical properties over the full period of pseudorandom numbers gener- ated by the explicit inversive congruential method and present new results for statistical properties over parts of the period. Moreover, we extend the range for nontrivial results using the method of [9]–[11].

2. Auxiliary results. The following bound for exponential sums can be found in [5, Theorem 2].

Lemma 1. Let χ be a nontrivial additive character of F

and let f /g be a rational function over F

. Let v be the number of distinct roots of the polynomial g in the algebraic closure F

of F

. Suppose that f /g is not of the form A

− A, where A is a rational function over F

. Then

X

ξ∈F_q, g(ξ)6=0

χ

 f (ξ) g(ξ)

 

  ≤ (max(deg(f ), deg(g)) + v

− 2)q

+ δ,

where v

= v and δ = 1 if deg(f ) ≤ deg(g), and v

= v + 1 and δ = 0 otherwise.

Lemma 2. Let f /g be a rational function over F

such that g is not

divisible by the pth power of a nonconstant polynomial over F

, f 6= 0, and

deg(f ) − deg(g) 6≡ 0 mod p or deg(f ) < deg(g). Then f /g is not of the form

A

− A, where A is a rational function over F

.

P r o o f. Suppose we had f g =

 b c



− b c , where b, c ∈ F

[x] and gcd(b, c) = 1. Then

c

f = (b

− c

)bg.

From gcd(b, c) = 1 it follows that c

divides g. This divisibility relation can hold only if c is a nonzero constant. Thus,

f = (ω

b

+ ω

b)g

for suitable ω

, ω

∈ F

with ω

ω

6= 0. This implies that deg(f ) − deg(g) is a multiple of p and deg(f ) ≥ deg(g), which is a contradiction.

Lemma 3. Let χ be a nontrivial additive character of F

, N be an integer with 1 ≤ N ≤ q, and ξ

be defined as in (1) for n = 0, . . . , N − 1. Then

X

µ∈F^∗_q

N −1

X

n=0

χ(µξ

)    ≤ ql

 4

π

log p + 1.38



+ N (p

− 1), where l = d(log N )/log pe.

P r o o f. We proceed as in [12, Section 3]. For j = 0, . . . , l − 1 define M

= {µ ∈ F

| χ(µβ

) = . . . = χ(µβ

) = 1, χ(µβ

) 6= 1}

and

M

= {µ ∈ F

| χ(µβ

) = . . . = χ(µβ

) = 1}.

Then we can write X

µ∈F^∗_q

N −1

X

n=0

χ(µξ

)    =

X

X

µ∈M_j

N −1

X

n=0

χ(µξ

)   

= X

X

µ∈Mj

N −1

X

n=0

χ(µξ

)  

 + N (p

− 1).

Now we fix µ ∈ M

, 0 ≤ j ≤ l − 1, and consider the sum

N −1

X

n=0

χ(µξ

).

For 0 ≤ n ≤ N − 1 we have

ξ

= n

β

+ . . . + n

β

, 0 ≤ n

< p, 1 ≤ i ≤ l, where n = n

+ n

p + . . . + n

p

. This yields

χ(µξ

) = χ(µβ

)

. . . χ(µβ

)

with χ(µβ

) 6= 1. We write

N − 1 = r

+ r

p + . . . + r

p

, 0 ≤ r

< p, 1 ≤ i ≤ l.

If j ≤ l − 2 and (n

, . . . , n

) 6= (r

, . . . , r

), then by fixing n

, . . . , n

, n

, . . . , n

and summing χ(µξ

) over n

= 0, 1, . . . , p − 1 we get 0. Therefore, in the range of summation n = 0, 1, . . . , N − 1 we are left with the terms χ(µξ

) for which (n

, . . . , n

) = (r

, . . . , r

). Thus,

(4)

N −1

X

n=0

χ(µξ

)    =

 X

n₁,...,n_j+1

χ(µβ

)

  , where the last sum is over all n

, . . . , n

with

n

+ n

p + . . . + n

p

≤ r

+ r

p + . . . + r

p

.

The identity (4) holds trivially for j = l − 1 as well. If r

6= 0, then by (4) we obtain

N −1

X

n=0

χ(µξ

)    ≤ p

r_j+1

X

χ(µβ

)

 + p

= p

  χ(r

µβ

) − 1 χ(µβ

) − 1

    + p

,

and this holds trivially for r

= 0 as well. For fixed 0 ≤ j ≤ l − 1 this yields

X

µ∈M_j

N −1

X

n=0

χ(µξ

)  

 ≤ p

p

p−1

X

u=1

  sin(πr

u/p) sin(πu/p)

  + p

p

(p − 1)

≤ p

 4

π

p log p + 0.38p + 0.7



+ p

(p − 1), where we used [12, Lemma 5] in the first step and [1, Theorem 1] in the second step. Simple calculations yield the lemma.

Let C(p) denote the set of integers h with −p/2 < h ≤ p/2 and let C

(p) be the set of k-dimensional points (h

, . . . , h

) with h

∈ C(p) for 1 ≤ j ≤ k.

For (h

, . . . , h

) ∈ C

(p) we put Q

(h

, . . . , h

) = 1 if (h

, . . . , h

) = 0 and Q

(h

, . . . , h

) = p

csc π

p |h

| if (h

, . . . , h

) 6= 0,

where d = d(h

, . . . , h

) is the largest j with h

6= 0. Let C

(p) be the set of all nonzero s × k matrices with entries in C(p). For H = (h

) ∈ C

(p) we define

W

(H) = Y

Q

(h

, . . . , h

).

The following lemma is obtained by using [6, Lemma 3.13] for p = 2 and an inequality in the proof of [8, Theorem 2] for p > 2.

Lemma 4. For any s ≥ 1 and k ≥ 1 we have X

H∈C_s×k^∗ (2)

W

(H) <

 k 2 + 1



, X

H∈C^∗_s×k(p)

W

(H) <

 2

π k log p + 2 5 k + 1



if p > 2.

The following lemma is needed in the proof of Theorem 3 in Section 3.

For nonnegative integers n and i we define n ⊕ i by (5) n ⊕ i = j ⇔ ξ

+ ξ

= ξ

; 0 ≤ j < q.

Lemma 5. For given integers L and m with 0 ≤ L, m < q, the number of integers n with 0 ≤ n ≤ L for which n ⊕ m > L is at most m. Furthermore, the number of integers n with 0 ≤ n ≤ L which are not of the form r ⊕ m for some 0 ≤ r ≤ L is at most m.

P r o o f. Note that for 0 ≤ n < q we can obtain n ⊕ m by adding the digit vectors (in base p) of n and m as elements of the vector space F

and then identifying the resulting digit vector with the corresponding integer in the interval [0, q). Thus, for 0 ≤ n ≤ L we have

n ⊕ m ≤ n + m ≤ L + m.

Since n

⊕m 6= n

⊕m for 0 ≤ n

< n

< q, the numbers L+1, L+2, . . . , L+m can appear as values of n ⊕ m for at most m values of n with 0 ≤ n ≤ L.

The second part is shown in a similar way.

3. Bounds for exponential sums. Let γ

, γ

, . . . be the sequence of elements of F

generated by (2) and (1). For a nontrivial additive character χ of F

, for µ

, µ

, . . . , µ

∈ F

, and for an integer N with 1 ≤ N ≤ q we consider the exponential sums

S

=

N −1

X

n=0

χ



X

i=0

µ

γ

 , where ⊕ is defined by (5).

Theorem 1. If µ

, µ

, . . . , µ

are not all 0, then

|S

| ≤ (2s − 2)q

+ s + 1.

P r o o f. We can assume that s < q since otherwise the result is trivial.

Then we have

|S

| =    X

ξ∈Fq

χ



X

i=0

µ

α(ξ + ξ

) + β

   ≤ s +

X

ξ∈F_q, g(ξ)6=0

χ

 f (ξ) g(ξ)

   ,

where

f (x) =

s−1

X

i=0

µ

Y

j=0,j6=i

(α(x + ξ

) + β) and

g(x) =

s−1

Y

j=0

(α(x + ξ

) + β).

Since at least one µ

is nonzero, the uniqueness of the partial fraction decom- position for rational functions implies that f 6= 0. Since deg(f ) < deg(g), Lemmas 1 and 2 yield the result.

The proof of Theorem 1 does not use the special ordering (1) of the elements of F

. An arbitrary but fixed ordering would be sufficient. But for N < q, the case treated in the next theorem, we need (1).

Theorem 2. If µ

, µ

, . . . , µ

are not all 0, then

|S

| < s(2q

+ 1)

 4

π

log p

+ 1.38l + 1



for 1 ≤ N < q, where l = d(log N )/log pe.

P r o o f. We can again assume that s < q. With σ

= P

i=0

µ

γ

we have

S

= X

χ(σ

)

N −1

X

t=0

1 q

X

µ∈F_q

χ(µ(ξ

− ξ

))

= 1 q

X

µ∈Fq



X

t=0

χ(−µξ

)



X

n=0

χ(σ

+ µξ

)



= N q

q−1

X

n=0

χ(σ

) + 1 q

X

µ∈F^∗_q



X

t=0

χ(−µξ

)



X

n=0

χ(σ

+ µξ

)

 ,

and so

|S

| ≤ N

q |S

| + 1 q

X

µ∈F^∗_q

N −1

X

t=0

χ(µξ

)    ·

X

χ(σ

+ µξ

)

.

For µ ∈ F

we have  

q−1

X

n=0

χ(σ

+ µξ

)    =

   X

ξ∈Fq

χ



X

i=0

µ

α(ξ + ξ

) + β + µξ

  

≤ s +    

X

ξ∈F_q, g(ξ)6=0

χ

 f (ξ) g(ξ)

   ,

where

f (x) = µx

s−1

Y

j=0

(α(x + ξ

) + β) +

s−1

X

i=0

µ

Y

j=0, j6=i

(α(x + ξ

) + β) and

g(x) =

s−1

Y

j=0

(α(x + ξ

) + β).

Lemmas 1–3 yield X

µ∈F^∗_q

N −1

X

t=0

χ(µξ

)    ·

q−1

X

n=0

χ(σ

+ µξ

)   

≤ s(2q

+ 1) X

µ∈F^∗_q

N −1

X

t=0

χ(µξ

)   

≤ s(2q

+ 1)

 ql

 4

π

log p + 1.38



+ N (p

− 1)

 , where l = d(log N )/log pe. Hence we obtain, by Theorem 1,

|S

| ≤ N

q ((2s − 2)q

+ s + 1) + s(2q

+ 1)

 4

π

log p

+ 1.38l + N (p

− p

)

 . Simple calculations yield the theorem.

Theorem 2 is nontrivial only if N is at least of the order of magnitude sq

log q. Now we prove a bound which is nontrivial for N at least of the order of magnitude sq

using a new method introduced in [9] and extended in [10] and [11].

Theorem 3. If µ

, µ

, . . . , µ

are not all 0, then

|S

| < √

5s

N

q

+ q

+ 1 for 1 ≤ N < q.

P r o o f. We can assume that 2s + 1 ≤ 2q

since otherwise the result is trivial. With σ

= P

i=0

µ

γ

and any integer m with 0 ≤ m < q we

have, by Lemma 5,   S

−

N −1

X

n=0

χ(σ

)    ≤ 2m.

For an integer M with 1 ≤ M ≤ q we use the above inequality for m = 0, 1, . . . , M − 1 and we get

(6) M |S

| < W + M

,

where

W =   

N −1

X

n=0 M −1

X

m=0

χ(σ

)    ≤

N −1

X

n=0

M −1

X

m=0

χ(σ

)   . By the Cauchy–Schwarz inequality we obtain

W

≤ N

N −1

X

n=0

M −1

X

m=0

χ(σ

)  

≤ N X

ξ∈F_q

M −1

X

m=0

χ



X

i=0

µ

α(ξ + ξ

+ ξ

)+β

  

= N

M −1

X

m1,m2=0

X

ξ∈F_q

χ



X

i=0

µ

(α(ξ + ξ

+ ξ

) + β − α(ξ + ξ

+ ξ

)+β)

 .

If m

= m

, then the sum over ξ is equal to q. For m

6= m

let f (x) = α(ξ

− ξ

)

s−1

X

i=0

µ

Y

j=0, j6=i

(α(x + ξ

+ ξ

) + β)(α(x + ξ

+ ξ

) + β) and

g(x) =

s−1

Y

j=0

(α(x + ξ

+ ξ

) + β)(α(x + ξ

+ ξ

) + β).

Then    X

ξ∈Fq

χ



X

i=0

µ

(α(ξ + ξ

+ ξ

) + β − α(ξ + ξ

+ ξ

) + β)

  

≤ 2s +    

X

ξ∈F_q, g^∗(ξ)6=0

χ

 f

(ξ) g

(ξ)

   ,

where f

= f /(f, g) and g

= g/(f, g). For the application of Lemmas 1 and 2 we need that g

is squarefree (p = 2!) and f

6= 0.

In g(x) we can have repetition of factors only if there exist 0 ≤ i, j ≤ s−1 with i 6= j such that

(7) ξ

+ ξ

= ξ

+ ξ

.

Then α(x+ξ

+ξ

)+β is a common factor of f and g. Hence g

is squarefree.

Suppose we have f

= 0. Let i be an index with µ

6= 0. Then 0 = f

(−α

β − ξ

− ξ

) = f (−α

β − ξ

− ξ

)

= α(ξ

− ξ

)µ

s−1

Y

j=0, j6=i

α(ξ

− ξ

)α(ξ

− ξ

+ ξ

− ξ

)

yields the existence of 0 ≤ j ≤ s − 1, i 6= j, satisfying (7). There are at most s − 1 possible indices m

6= m

satisfying (7) for given m

and i. For these m

we estimate trivially.

By Lemmas 1 and 2 we obtain

W

≤ N (M sq + M

((4s − 2)q

+ 2s + 1)) ≤ N (M sq + 4M

sq

).

Choosing M = dq

e we get

W

/M

≤ 5sN q

, and thus

|S

| < √

5s

N

q

+ q

+ 1 by (6).

4. Digital explicit inversive pseudorandom numbers. We use the bounds for exponential sums obtained in the previous section to derive re- sults on the distribution of sequences of digital explicit inversive pseudoran- dom numbers over the full period and in parts of the period.

Given a sequence y

, y

, . . . of digital explicit inversive pseudorandom numbers and a dimension s ≥ 1, we consider the points

y

= (y

, y

, . . . , y

) ∈ [0, 1)

for n = 0, 1, . . . Then for any integer N with 1 ≤ N ≤ q we define the star discrepancy

D

= sup

J

|F

(J) − V (J)|,

where the supremum is extended over all subintervals J of [0, 1)

containing the origin, F

(J) is N

times the number of points among y

, y

, . . . , y

falling into J, and V (J) denotes the s-dimensional volume of J. In the following we establish an upper bound for D

.

Theorem 4. For any sequence of digital explicit inversive pseudoran- dom numbers, for any dimension s ≥ 1, and for any 1 ≤ N < q the star discrepancy D

satisfies

D

= O(min(N

q

log q, N

q

)(log q)

).

P r o o f. For H = (h

) ∈ C

(p) we define the exponential sum S

(H) =

N −1

X

n=0

e

 1 p

s−1

X

i=0

X

h

c

 ,

where e(u) = exp(2π √

−1u) for all real u and the c

∈ F

are as in (3).

Then by a general discrepancy bound in [3, Theorem 1(ii) and Lemma 3(iii)]

(see also [6, Theorem 3.12] for a slightly weaker version) we obtain (8) D

≤ 1 −

 1 − 1

q



+ 1

N

X

H∈C_s×k^∗ (p)

W

(H)|S

(H)|.

Let {δ

, . . . , δ

} be the dual basis of the given ordered basis {β

, . . . , β

} of F

over F

. Then by a well-known principle (see [4, p. 55]) we have

c

= Tr(δ

γ

) for 1 ≤ j ≤ k and n ≥ 0, where Tr denotes the trace function from F

to F

. Therefore

S

(H) =

N −1

X

n=0

e

 1 p

X

X

h

Tr(δ

γ

)



=

N −1

X

n=0

e

 1 p Tr



X

i=0

X

h

δ

γ



=

N −1

X

n=0

χ



X

i=0

µ

γ

 ,

where χ is the canonical additive character of F

and µ

= P

j=1

h

δ

∈ F

for 0 ≤ i ≤ s − 1. Since H is not the zero matrix and {δ

, . . . , δ

} is a basis of F

over F

, it follows that µ

, . . . , µ

are not all 0. Hence we may apply the results of Section 3.

We have by (8), Theorem 2, Theorem 3, and Lemma 4, D

< s

q + 1 N

 k 2 + 1



× min



s(2q

+ 1)

 4

π

log p

+ 1.38l + 1

 , √

5s

N

q

+ q

+ 1



if p = 2, and D

< s

q + 1 N

 2

π log q + 2 5 k + 1



× min



s(2q

+ 1)

 4

π

log p

+ 1.38l + 1

 , √

5s

N

q

+ q

+ 1



if p > 2.

Theorem 5. For any sequence of digital explicit inversive pseudorandom numbers and for any dimension s ≥ 1 the star discrepancy D

satisfies

D

= O(q

(log q)

).

P r o o f. The theorem follows by (8), Theorem 1, and Lemma 4 with the same arguments as in the proof of the previous theorem.

5. Explicit inversive pseudorandom vectors. Statistical indepen- dence properties of pseudorandom vectors are customarily assessed by the discrete discrepancy (see [6, Section 10.2]). Given a sequence u

, u

, . . . of explicit inversive pseudorandom vectors and an integer s ≥ 1, we consider the ks-dimensional points

v

= (u

, u

, . . . , u

) ∈ [0, 1)

for n = 0, 1, . . .

Then for any integer N with 1 ≤ N ≤ q we define the discrete discrepancy E

= max

J

|F

(J) − V (J)|,

where the maximum is over all subintervals J of [0, 1)

of the form J =

Y

 a

p , b

p



with integers a

, b

for 1 ≤ i ≤ ks, where F

(J) is N

times the number of points v

, v

, . . . , v

falling into J and V (J) denotes the ks-dimensional volume of J.

Theorem 6. For any sequence of k-dimensional inversive pseudorandom vectors, for any s ≥ 1, and for any 1 ≤ N < q = p

the discrete discrepancy E

satisfies

E

= O(min(N

q

log q, N

q

)(log p)

).

P r o o f. Let C

(p) be the set of nonzero vectors in C

(p). For h ∈ C

(p) we define the exponential sum

S

(h) =

N −1

X

n=0

e(h · v

),

where the dot denotes the standard inner product. By [7, Corollary 3] we get

E

≤ 1

N max

h∈C_ks^∗(p)

|S

(h)|

 4

π

log p + 1.41 + 0.61 p



.

For a fixed h ∈ C

(p) we write

h = (h

, h

, . . . , h

)

with h

∈ C

(p) for 0 ≤ i ≤ s − 1, where not all h

are 0. Then we have S

(h) =

N −1

X

n=0

e



X

i=0

h

· u



=

N −1

X

n=0

e

 1 p

X

X

h

c

 ,

where h

= (h

, . . . , h

) for 0 ≤ i ≤ s − 1 and all h

∈ C(p). As in the proof of Theorem 4 we get

S

(h) =

N −1

X

n=0

χ

 X

i=0

µ

γ



and thus the result.

Theorem 7. For any sequence of k-dimensional inversive pseudorandom vectors and for any s ≥ 1 the discrete discrepancy E

with q = p

satisfies

E

= O(q

(log p)

).

P r o o f. The theorem follows with the same arguments as in the proof of the previous theorem by Theorem 1.

References

[1] T. C o c h r a n e, On a trigonometric inequality of Vinogradov, J. Number Theory 27 (1987), 9–16.

[2] J. E i c h e n a u e r - H e r r m a n n, Statistical independence of a new class of inversive congruential pseudorandom numbers, Math. Comp. 60 (1993), 375–384.

[3] P. H e l l e k a l e k, General discrepancy estimates: the Walsh function system, Acta Arith. 67 (1994), 209–218.

[4] R. L i d l and H. N i e d e r r e i t e r, Introduction to Finite Fields and Their Applica- tions, revised ed., Cambridge Univ. Press, Cambridge, 1994.

[5] C. J. M o r e n o and O. M o r e n o, Exponential sums and Goppa codes: I , Proc. Amer.

Math. Soc. 111 (1991), 523–531.

[6] H. N i e d e r r e i t e r, Random Number Generation and Quasi-Monte Carlo Methods, SIAM, Philadelphia, 1992.

[7] —, Pseudorandom vector generation by the inversive method, ACM Trans. Modeling and Computer Simulation 4 (1994), 191–212.

[8] —, Improved bounds in the multiple-recursive matrix method for pseudorandom number and vector generation, Finite Fields Appl. 2 (1996), 225–240.

[9] H. N i e d e r r e i t e r and I. E. S h p a r l i n s k i, On the distribution of inversive congru- ential pseudorandom numbers in parts of the period, Math. Comp., to appear.

[10] —, —, On the distribution and lattice structure of nonlinear congruential pseudo- random numbers, Finite Fields Appl. 5 (1999), 246–253.

[11] —, —, On the distribution of pseudorandom numbers and vectors generated by in-

versive methods, Appl. Algebra Engrg. Comm. Comput., to appear.

[12] A. W i n t e r h o f, On the distribution of powers in finite fields, Finite Fields Appl. 4 (1998), 43–54.

Institute of Discrete Mathematics Austrian Academy of Sciences Sonnenfelsgasse 19

A-1010 Wien, Austria

E-mail: niederreiter@oeaw.ac.at arne.winterhof@oeaw.ac.at

Received on 3.12.1999 (3722)