PSEUDORANDOM NUMBERS AND HASH FUNCTIONS FROM ITERATIONS OF MULTIVARIATE POLYNOMIALS 0 1 0 ALINA OSTAFE AND IGOR E. SHPARLINSKI 2 n Abstract. Dynamical systems generated by iterations of multi- a J variatepolynomialswithslowdegreegrowthhaveprovedtoadmit 0 good estimates of exponential sums along their orbits which in 1 turn lead to rather stronger bounds on the discrepancy for pseu- dorandomvectorsgeneratedby these iterations. Here we add new ] arguments to our original approach and also extend some of our T recent constructions and results to more general orbits of poly- N nomial iterations which may involve distinct polynomials as well. . h Using this construction we design a new class of hash functions t from iterations of polynomials and use our estimates to motivate a m their “mixing” properties. [ 2 Subject Classification (2000). 11K45; 11T23; 11T71; 94A60 v 9 1 5 1. Introduction 4 . 1.1. Background. Forasystemofm+1polynomialsF = {f ,...,f } 8 0 m 0 in m+1 variables over a ring R one can naturally define a dynamical 9 system generated by its iterations: 0 : (0) (k) (k−1) v f = f , f = f (f ,...,f ), k = 1,2... , i i i i 0 m i X for each i = 0,...,m, see [11, 12, 20, 41, 43, 44] and references therein r a forvarious aspects ofsuch dynamical systems. In particular, the length and the distribution of elements in the orbits of such dynamical sys- tems, starting from an initial value (u ,...,u ) ∈ Rm+1, have been 0,0 0,m of primal interest. In the special case of one linear univariate polynomial over a residue ring or a finite field such iterations are known as linear congruential generators, which have been successully used for decades in Quasi- Monte Carlo methods, see [31, 32]. On the other hand, in crypto- graphicsettings, such linear generatorshave beenthesubject ofvarious attacks [8, 13, 21, 25, 27] and thus are not recommended for crypto- graphic purposes. It should be noted that nonlinear generators have also been attacked [1, 2, 14, 17], but the attacks are much weaker and 1 2 ALINAOSTAFEANDIGOR E. SHPARLINSKI do not rule out their use for cryptographic purposes (provided reason- able precautions are made). Although linear congruential generators have been used quite sucessfully for Quasi-Monte Carlo methods, their linear structure shows in these applications too and often limits their applicability, see [31, 32]. Motivated by these potential applications, the statistical uniformity of the distribution (measured by the discrepancy) of one and multidi- mensional nonlinear polynomial generators have been intensively stud- ied in [15, 16, 33, 34, 35, 45]. However, all previously known results are nontrivial only for those polynomial generators that produce se- quences of extremely large period, which could be hard to achieve in practice. The reason behind this is that the degree of iterated polyno- mial systems grows exponentially, and that in all previous results on the general case the saving over the trivial bound has been logarithmic. Moreover, it is easy to see that in the one dimensional case (that is, for m = 0) the exponential growth ofthe degree of iterationsof a nonlinear polynomial is unavoidable. One also expects the same behaviour in the mulitidimensional case for “random” polynomials f ,...,f . However, 0 m as it has been shown in [37] for some specially selected polynomials f ,...,f the degree may grow significantly slower, a result that leads 0 m to much better estimates of exponential sums, and thus of discrepancy, for vectors generated by these iterations. Furthermore, it is shown in[36], that inthecase when such a polyno- mial map generates a permutation of the corresponding vector space, one can get better results “on average” over all initial values. It is also noticed in [36] that in fact one can avoid the use of the Weil bound (see [29, Chapter 5]) of exponential sums and achieve a better result with a more elementary argument. 1.2. Our results. Here, as in [36], we continue to study the poly- nomial systems of [37] and exploit the linearity with respect to one variable and polynomial degree growth with respect to the other vari- ables. This leads to a direct improvement of the results of [37]. This new approach also allows us to consider a slightly more general poly- nomial dynamical systems, where at each step a different polynomial map can be used, thus extending those of [37]. The argument is based ITERATIONS OF MULTIVARIATE POLYNOMIALS 3 onan elementary identity for exponential sums with linear polynomials and also on counting zeros of multivariate polynomials in finite fields. We remark that since the Weil bound is not needed anymore, one can certainly obtainanalogues of our results for residue rings (although counting the number of solutions of multivariate polynomial congru- ences may require more efforts than in the finite field settings). Furthermore, in [36, 37] only the truncated vectors (consisting of m components of the total output (m + 1)-dimensional vectors) are investigated. Here we show that in fact the whole output vectors can be studied, however for this we require a very deep result of Bourgain, Glibichuk and Konyagin [6] (for generalisation to residue rings one can also use the results of [3, 4]). Finally, we propose a construction of a hash function from polyno- mial maps. Although we make no claims of security or efficiency, we note that our results show that this hash function has “random-like” behaviour. Hash functions from walks on the set of isogenous elliptic curves generatedbylowdegreeisogenies, andtheircryptographicapplications, are considered in [7, 19]. Alternatively these walks can be described as sequences of rational function transformations on the coefficients of Weierstrass equations on elliptic curves, see [42] for a background. We hope that our results maybe useful for studying further properties of suchwalks, forexample, inshowing thatthehashfunctionof[7,19]has sufficiently uniformly distributed outputs and maybe used as a secure pseudorandom number generator. 2. Construction 2.1. Polynomial systems. Let F be an arbitrary field. As in [37], we consider a system F = {F ,...,F } of m + 1 polynomials in 0 m F[X ,...,X ] satisfying the following conditions 0 m F (X ,...,X ) = X G (X ,...,X )+H (X ,...,X ), 0 0 m 0 0 1 m 0 1 m F (X ,...,X ) = X G (X ,...,X )+H (X ,...,X ), 1 0 m 1 1 2 m 1 2 m (1) ... F (X ,...,X ) = X G (X )+H (X ), m−1 0 m m−1 m−1 m m−1 m F (X ,...,X ) = g X +h , m 0 m m m m 4 ALINAOSTAFEANDIGOR E. SHPARLINSKI where g ,h ∈ F, g 6= 0, G ,H ∈ F[X ,...,X ], i = 0,...,m−1. m m m i i i+1 m WealsoimposetheconditionthateachpolynomialG , i = 0,...,m−1, i has the unique leading monomial Xsi,i+1...Xsi,m, that is, i+1 m (2) G (X ,...,X ) = g Xsi,i+1...Xsi,m +G (X ,...,X ), i i+1 m i i+1 m i i+1 m where f (3) g ∈ F∗, deg G < s , deg H ≤ s , i Xj i i,j Xj i i,j for i = 0,...,m−1, j = i+1,...,m. f Given an integral upper triangular matrix 1 s s ... s 0,1 0,2 0,m 0 1 s ... s (4) S =  1,2 1,m ... 0 0 0 ... 1      define F(S,m) the set of all such polynomial systems of the form (1) satisfying the conditions (2) and (3). For an integer m ≥ 1 and an integral matrix S of the form (4), we consider a sequence of, not necessarily distinct, polynomial systems (5) F = {F ,...,F } ∈ F(S,m), k = 1,2,... . k k,0 k,m (j) We consider the sequence of polynomials F defined by the recurrence i relation (6) F(0) = X , F(k) = F (F(k−1),...,F(k−1)), k = 1,2,... . i i i k,i 0 m In particular, F denotes the identity map. 0 As in [36, Lemma 1], we have the following characterization of the (k) polynomials F , which in turn generalises and refines [37, Lemma 1]. i We note that unfortunately in [37] the unique leading monomial con- dition (3) is given in the form degG < degG instead of the required i i deg G < deg G , 0 ≤ i < j ≤ m, that is actually used in the proof Xj i Xj i of [37, Lemma 1]. f f ITERATIONS OF MULTIVARIATE POLYNOMIALS 5 Lemma 1. Let F ∈ F(S,m) be a sequence of polynomial systems (5). k Then for the polynomials F(k) given by (6) we have i (k) F = X G (X ,...,X )+H (X ,...,X ), i i k,i i+1 m k,i i+1 m where G ,H ∈ F[X ,...,X ] and k,i k,i i+1 m e e 1 degG = km−is ...s +ψ (k), 0 ≤ i ≤ m−1, ek,i e i,i+1 m−1,m i (m−i)! degGek,m = 0, with some polynomials ψ (T) ∈ Q[T] of degree degψ < m−i. i i e Proof. Writing F = X G +H we get k,i i k,i k,i F(k) = F(k−1)G F(k−1),...,F(k−1) +H F(k−1),...,F(k−1) . i i k,i i+1 m k,i i+1 m (cid:16) (cid:17) (cid:16) (cid:17) Thus an easy inductive argument implies that (k) F = X G (X ,...,X )+H (X ,...,X ) i i k,i i+1 m k,i i+1 m for some polynomials G ,H ∈ F[X ,...,X ], where i = 0,...,m, k,i k,i i+1 m e e k = 1,2,.... For the asymptotic feormuelas for the degrees of the polynomials G k,i (k) see [37, Lemma 1] where it is given for degF . We note that in [37] i only the case when at each step the same polynomial system F = Feis k applied but the proof holds for distinct systems F ∈ F(S,m) without k any changes. Indeed, let d = deg(X G ) = 1+degG , i = 0,...,m, k = 1,2.... k,i i k,i k,i Then the result follows immediately from the recursive formula e e (d ,...,d )t = Sk(1,...,1) k,0 k,m implied by (2) and (3), where 1 s s ... s 0,1 0,2 0,m 0 1 s ... s S =  1,2 1,m, ... 0 0 0 ... 1      and dT means the transposition of the vector d, see the proof of [37, Lemma 1] for more details. ⊔⊓ 6 ALINAOSTAFEANDIGOR E. SHPARLINSKI 2.2. Vector sequences. Given a sequence of polynomial systems (5), we fix a vector v ∈ Fm+1 and consider the sequence defined by a recur- p rence congruence modulo a prime p of the form (7) u ≡ F (u ,...,u ) (mod p), n = 0,1,..., n+1,i n+1,i n,0 n,m with some initial values (u ,...,u ) = v. 0,0 0,m We also assume that 0 ≤ u < p, i = 0,...,m, n = 0,1,.... n,i Using the following vector notation w = (u ,...,u ) n n,0 n,m we have the recurrence relation w = F (w ), n = 1,2,... . n n n−1 In particular, for any n,k ≥ 0 and i = 0,...,m we have (k) u = F (u ,...,u ), n+k,i i n,0 n,m (k) where thepolynomials F , i = 0,...,m, k = 1,2,..., aregiven by (6). i Clearly the sequence of vectors w is eventually periodic with some pe- n riod τ ≤ pm+1. We always assume that the sequence is purely periodic, that is, w = w , n = 0,1,... . n+τ n As in [36, 37], we sometimes discard the last component and define the truncated vectors u = (u ,...,u ) n n,0 n,m−1 However, here we introduce a new argument which allows ussometimes to study full vectors w . n 3. Exponential Sums and Discrepancy 3.1. Preliminaries. Assume that the sequence {u } generated by (7) n is purely periodic with an arbitrary period τ. For integer vectors a = (a ,...,a ) ∈ Zm and b = (b ,...,b ) ∈ Zm+1 we introduce the 0 m−1 0 m exponential sums N−1 m−1 N−1 m Sa(N) = ep aiun,i and Tb(N) = ep biun,i , ! ! n=0 i=0 n=0 i=0 X X X X ITERATIONS OF MULTIVARIATE POLYNOMIALS 7 where e (z) = exp(2πiz/p). p Clearly, if b = (a0,...,am−1,0) then we simply have Sa(N) = Tb(N), thus the sums Tb(N) are direct generalisations of the sums Sa(N) that havebeentreatedin[36,37]. Hereweshowthattogetherwithsomead- ditional arguments, one can obtain similar results for the sums Tb(N). Bounds of these sums can be used to estimate the discrepancy of the corresponding sequences, which is a widely accepted quantitative measure of uniformity of distribution of sequences, andthus goodpseu- dorandom sequences should (after an appropriate scaling) have a small discrepancy, see [31, 32]. Given a sequence Γ of N points (8) Γ = (γ ,...,γ )N−1 n,1 n,s n=0 in the s-dimensional unit cu(cid:8)be [0,1)s it is natu(cid:9)ral to measure the level of its statistical uniformity in terms of the discrepancy ∆(Γ). More precisely, T (B) Γ ∆(Γ) = sup −|B| , N B⊆[0,1)s(cid:12) (cid:12) (cid:12) (cid:12) where TΓ(B) is the number of point(cid:12)s of Γ inside(cid:12)the box (cid:12) (cid:12) B = [α ,β )×...×[α ,β ) ⊆ [0,1)s 1 1 s s and the supremum is taken over all such boxes, see [9, 26]. Typically the bounds on the discrepancy of a sequence are derived from bounds of exponential sums with elements of this sequence. The relation is made explicit in the celebrated Erd˝os-Turan-Koksma in- equality, see [9, Theorem 1.21], which we present in the following form. Lemma 2. There exists a constantC dependingonlyon s such that for s any integer H > 1 and any sequence Γ of N points (8) the discrepancy ∆(Γ) satisfies the following bound: s N−1 s 1 1 1 ∆(Γ) ≤ C + exp 2πi h γ s j n,j H N |h |+1  0<X|h|≤HYj=1 j (cid:12)(cid:12)Xn=0 Xj=1 !(cid:12)(cid:12) (cid:12) (cid:12) where the sum is taken over all integers v(cid:12)ectors h = (h ,...,h ) ∈(cid:12)Zs (cid:12) 1 s (cid:12) with |h| = max |h | < H. j=1,...,s j 8 ALINAOSTAFEANDIGOR E. SHPARLINSKI We always assume that a finite field F of p elements is represented p by the set {0,1,...,p−1}. So for u ∈ F we always have u/p ∈ [0,1) p and thus we can talk about the discrepancy of vectors over F after p scaling them by 1/p. Throughout the paper, the implied constants in the symbols ‘O’ and ‘≪’ may occasionally, where obvious, depend on the matrix S and the integer m ≥ 1 (and are absolute otherwise). We recall that the notations A = O(B) and A ≪ B are all equivalent to the assertion that the inequality |A| ≤ cB holds for some constant c > 0. 3.2. Arbitrary Systems. Here we assume, exactly as in [37], that all polynomial systems (5) are the same, that is F = F. Our next results k are a direct improvement of the estimate of [37, Theorem 4] for the sums Sa(N) and also an extension of such bound to more general sums Tb(N). We need the following generalisation of the bound on exponential sums of [36, Lemma 2], which avoids using the Weil bound (see [29, Chapter 5]) and which is our main tool in improving the result of [37]. Lemma 3. Let F ∈ F(S,m) with s ...s 6= 0, then there is a 0,1 m−1,m positive integer k depending only on S and m such that for any integer 0 vectors k = (k ,...,k ), l = (l ,...,l ), min{k ,...,k ,l ,...,l } ≥ k 1 ν 1 ν 1 ν 1 ν 0 with components that are not permutations of each other and integer vector a = (a ,...,a ) with 0 m−1 gcd(a ,...,a ,p) = 1, 0 m−1 for the polynomial m−1 ν Fa,k,l = ai Fi(kh) −Fi(lh) Xi=0 Xh=1(cid:16) (cid:17) where the polynomials F(k) are given by (6), we have i p ep(Fa,k,l(w0,...,wm)) ≪ Kmpm, w0,.X..,wm=1 where K = max{k ,...,k ,l ,...,l }. 1 ν 1 ν ITERATIONS OF MULTIVARIATE POLYNOMIALS 9 Proof. Let s < m − 1 be the smallest integer such that a 6= 0. By s Lemma 1 we have Fa,k,l(x0,...,xm) m−1 ν = a x G (x ,...,x )−G (x ,...,x ) i i kh,i i+1 m lh,i i+1 m Xi=s Xh=1(cid:16) (cid:17) m−1 e ν e + a H (x ,...,x )−H (x ,...,x ) i kh,i i+1 m lh,i i+1 m Xi=s Xh=1(cid:16) (cid:17) ν e e = a x G (x ,...,x )−G (x ,...,x ) s s kh,s s+1 m lh,s s+1 m Xh=1(cid:16) (cid:17) e e +Ψa,k,l(xs+1,...,xm) for a certain polynomial Ψa,k,l(xs+1,...,xm) ∈ Fp[xs+1,...,xm]. Therefore, p ep(Fa,k,l(x0,...,xm)) x0,.X..,xm=1 p = ps ep(Ψa,k,l(xs+1,...,xm)) xs+1X,...,xm=1 p ν e a x G (x ,...,x )−G (x ,...,x ) . p s s kh,s s+1 m lh,s s+1 m ! xXs=1 Xh=1(cid:16) (cid:17) Recalling the identity e e p p, if c ≡ 0 (mod p), (9) e (cu) = p 0, if c 6≡ 0 (mod p), u=1 (cid:26) X see [30, Equation (5.9)], we conclude that the sum over the variable x s is nonzero only if the polynomial ν Φs,k,l = (Gkh,s −Glh,s) ∈ Fp[Xs+1,...,Xm] h=1 X is zero modulo p at (x e,...,x e). s+1 m Performing all trivial cancelations, without loss of generality we can also assume that the vectors k and l have no common elements. Thus, 10 ALINAOSTAFEANDIGOR E. SHPARLINSKI by Lemma 1, we see that if min{k ,...,k ,l ,...,l } ≥ k for a suf- 1 ν 1 ν 0 ficiently large k0 then the polynomial Φs,k,l is a nontrivial polynomial modulo p of degree O(Km−s) = O(Km). Also, a simple inductive ar- gument shows that a modulo p nontrivial polynomial in r variables of degree D may have only O(Dpr−1) zeros modulo p, which concludes the proof. ⊔⊓ Theorem 4. Let the sequence {u } be given by (7) for F = F, k = n k 1,2,..., with a polynomial system F ∈ F(S,m) of the form (1) of total degree d ≥ 2 and such that s ...s 6= 0. Assume that {w } is 0,1 m−1,m n purely periodic with period τ. Then for any fixed integer ν ≥ 1, positive integer N ≤ τ and nonzero vector a ∈ Fm the bound p Sa(N) ≪ N1−βm,νpαm,ν holds, where m2 +mν +m 1 α = and β = m,ν m,ν 2ν(m+ν) 2ν and the implied constant depends only on d, m and ν. Proof. We follow the same argument as in the proof of [37, Theorem 4], however instead of the Weil bound we use now Lemma 3 (and thus we optimise the parameters differently). In particular, as in [37] we obtain that for any integer K ≥ k , 0 (10) (K −k0 +1)|Sa(N)| ≤ W +K2, where k is the same as in Lemma 3 and 0 N−1 K m−1 W = e a u . i n+k,i (cid:12) !(cid:12) (cid:12)Xn=0 kX=k0 Xi=0 (cid:12) (cid:12) (cid:12) Using the H¨older inequa(cid:12)lity we derive (again exac(cid:12)tly the same way as (cid:12) (cid:12) in [37]) K W2ν ≤ N2ν−1 e(Fa,k,l(w0,...,wm)). k1,ℓ1,..X.,kν,ℓν=k0w0,...,wXm∈Fmp+1 For O(Kν) vectors (k ...,k ) and (ℓ ...,ℓ ) 1 ν 1 ν