On the Distribution of P-Error Linear Complexity of P-Ary Sequences with Period Pn

IEICE TRANS. INF. & SYST., VOL.E102–D, NO.12 DECEMBER 2019 2595

LETTER On the Distribution of p-Error Linear Complexity of p-Ary Sequences with Period pn

Miao TANG†, Juxiang WANG††a), Nonmembers,MinjiaSHI†††, Member, and Jing LIANG††††, Nonmember

SUMMARY Linear complexity and the k-error linear complexity of pe- k-error linear complexity at least for small k. riodic sequences are the important security indices of stream cipher sys- For a given periodic binary sequence S of period N = tems. This paper focuses on the distribution of p-error linear complexity n ffi n n 2 , the linear complexity can be more e ciently computed of p-ary sequences with period p .Forp-ary sequences of period p with O linear complexity pn − p + 1, n ≥ 1, we present all possible values of the p- via the Chan-Games algorithm [6] with (N) bit operations, 2 error linear complexity, and derive the exact formulas to count the number while the Berlekamp-Massey algorithm requires O(N )bit of the sequences with any given p-error linear complexity. operations. Stamp and Martin [5] extended the Chan-Games key words: periodic sequence, k-error linear complexity, counting func- algorithm for computing the k-error linear complexity of tion, stream ciphers S for a fixed k. Generalization of these results to pn- periodic sequences over the finite field GF(pm), were shown 1. Introduction in [2], [7], [8]. For binary sequences of period 2n, Ruep- pel [1] presented the counting function for the number of se- Sequences with good pseudorandomness and complexity quences with fixed linear complexity. In [9], [10], the count- properties are widely used as key streams in cryptographic ing function for the number of sequences with fixed 1-error applications [1]–[3]. Among the measures commonly used linear complexity are presented. The counting functions on to measure the complexity of a sequence S is its linear com- k-error linear complexity in the case k = 2 and k = 3was plexity LC(S ). In engineering terms, the linear complexity treated in [11] and [12], respectively. For p-ary sequences LC(S ) is defined to be the length of the shortest linear feed- of period pn, the counting function for the number of se- back shift register (LFSR) that can generate S . The LFSR quences with fixed linear complexity and fixed 1-error linear that generates a given sequence S can be determined by the complexity, were shown in [13], [14], respectively. well-known Berlekamp-Massey algorithm [4], for this algo- The rest of this paper is arranged as follows. Section 2 rithm requires only 2LC(S ) consecutive bits to completely introduces some basic definitions and previously related re- determine the linear complexity of S . Hence, high linear sults. Section 3 presents the counting function for the num- complexity is essential for cryptographic applications. ber of sequences with given p-error linear complexity. The For a cryptographically strong sequence, the linear expected value of p-error linear complexity of sequences complexity should not decrease drastically if a few bits are with linear complexity pn − p+1 is also calculated in Sect. 3. changed, since knowledge of the first few terms can allow the efficient generation of a sequence which closely ap- 2. The p-Ary Sequences of Period pn proximates the original sequence. This observation moti- n vates the definition of the k-error linear complexity of se- Let S = s1, s2,...be a p-ary sequences of period p , where quences [2], [5].Thek-error linear complexity of a periodic p is a prime. The linear complexity of S is defined to be the sequence S , denoted by LCk(S ), is defined to be the mini- least nonnegative integer t for which there exist coefficients mum linear complexity of S that can be obtained by chang- d1, d2,...,dt ∈ Fp such that ing up to k bits in one period and identical changes in all + + ···+ = , ≥ . other periods. Cryptographically strong sequences should si+t d1 si+t−1 dt si 0 for all integers i 1 not only have a large linear complexity, but also have a large In addition, the linear complexity of the zero sequence 0 is Manuscript received May 9, 2019. defined to be 0. For periodic sequences, knowing one period Manuscript revised July 27, 2019. means we know the whole sequence. Hence, we denote the Manuscript publicized September 2, 2019. linear complexity of S by LC(S )orLC(s(n)), where s(n) = †The author is with the Department of Applied Mathematics, (n) (s1, s2,...,spn ) is one period of S . Let the vector e has the Anhui Agricultural University, Anhui 230036,China. (n) †† same length with s over Fp.Thek-error linear complexity The author is with the School of Mathematics and Physics, (n) Anhui Jianzhu University, Anhui 230601, China. of S can be denoted by LCk(S )orLCk(s ), ††† The author is with the School of Mathematical Sciences, = { (n) + (n) w (n) ≤ }, Anhui University, Anhui 230601,China. LCk(S ) min LC(s e ): (e ) k †††† The author is with the Ministry of General Education, Anhui w (n) Xinhua University, Anhui 230088,China. where the Hamming weight (e ) denotes the number of (n) a) E-mail: [email protected] nonzero terms of e . DOI: 10.1587/transinf.2019EDL8093 For a given p-ary sequence of period pn, Kurosawa et

Copyright c 2019 The Institute of Electronics, Information and Communication Engineers IEICE TRANS. INF. & SYST., VOL.E102–D, NO.12 DECEMBER 2019 2596

ϕ(2)ϕ(3) ···ϕ(n) (n) (1) = , ,..., ∈ al. [15] showed that the minimal value kmin for which the k- ( 0 0 0 (s )) and s (a a a), a 0 Fp. (r) error linear complexity LCk(S )ofS is strictly less than its Then the Hamming weight w(s ) ≥ p for all 1 ≤ r ≤ n, linear complexity LC(S ) is exactly determined by (r) = ϕ(r+1)ϕ(r+2) ···ϕ(n) (n) where s 0 0 0 (s )). ∈ , ,..., n P5: For any b Fp and vector (s1 s2 sp) with kmin = Prod(p − LC(S )), ϕ0(s1, s2,...,sp) 0, it suffices to alter exactly one − − = n 1 + = n 1 j bit in {s1, s2,...,sp} to obtain ϕ0(s1, s2,...,sp) = 0 and where Prod(c) j=0 (i j 1) if the integer c j=0 (i j p ). n ϕ (s , s ,...,s ) = b. Moreover, the way of the bit changes Evidently, kmin = p for any p-ary sequences of period p 1 1 2 p with linear complexity pn − p + 1. is unique. + n+1 + n ϕ(n 1) −1 (n) = {v ∈ p |ϕ(n 1) v = (n)} For p-ary sequences of period p , Meidl and Nieder- P6: The set ( 0 ) (s ) Fp 0 ( ) s of reiter [13] showed that the number N(L) of sequences with preimages of s(n) has cardinality p(p−1)pn . linear complexity L, is determined by 3. Results and Proofs , = , = 1 L 0 N(L) − L−1, ≤ ≤ n. (1) (p 1)p 1 L p In this section, we concentrate on the p-ary sequence of pe- n n − + ≥ For a given p-ary sequence of period pn with linear com- riod p with linear complexity p p 1, n 1. plexity pn, Meidl and Venkateswarlu [14] presented that the Lemma 1. Let S be a p-ary sequence of period n n − + ≥ 1-error linear complexity of S is 0 or of the form p with linear complexity p p 1,n 1. Then w(s(n)) = p if and only if the nonzero elements of s(n) are n − r+1 + , ≤ ≤ − , ≤ ≤ r+1 − r − . , ,..., ∈{ , , ,..., n−1 − } p p c 0 r n 1 1 c p p 1 si1 p+1 si2 p+2 sip p+p for some i j 0 1 2 p 1 , = , ,..., = = ...= j 1 2 p, and si1 p+1 si2 p+2 sip p+p. In [14], it also has been showed that the number N1(L)of Proof s(1) = ϕ(2)ϕ(3) ··· n According to P4, we have 0 0 sequences with linear complexity p and 1-error linear com- ϕ(n) (n) (1) = , ,..., ∈ 0 (s )) and s (a a a), a 0 Fp. Note that plexity L is given by − (1) pn 1−1 s = si p+ j, j = 1, 2,...,p. Then there is ex- j i j=0 j (p − 1)pn, L = 0, { , ,..., } N (L) = + (2) actly one nonzero element in s j sp+ j spn−p+ j for ev- 1 (p − 1)2 pL r, L 0. = , ,..., = ery j 1 2 p. Moreover, the nonzero element si j p+ j (1) n = Given a p-ary sequence S of period p , its linear com- s j a. n plexity can efficiently be computed by the generalized Chan- Lemma 2. Let S be a p-ary sequence of period p n (n) Games algorithm [2]. Since we will use some aspects of with linear complexity p − p + 1 and w(s ) = p, n ≥ 1. (n+1) ∞ n+1 the generalized Chan-Games algorithm in the following, we Let S = (s ) be a p-ary sequence of period p with ϕ(n) = , ,..., − w (n+1) > ϕ(n+1) (n+1) = (n) present a short description. Let u , u 0 1 p 1, be (s ) p and 0 (s ) s . pn pn−1 ≤ the mappings from F to F , n > 1, by (1) Then the p-error linear complexity of S satisfies 1 p p n+1 n LC p(S ) ≤ p − p − p. (n+1) (n+1) p−u−1 − − (2) For all the vectors t such that t is differs from (n) (n) p j 1 n−1 + + + ϕ = − , = , ,..., . (r 1) (n 1) (n 1) = u (s )i s j·pn 1+i i 1 2 p s at most p terms, only one t satisfies LC(t ) u (n+1) (n+1) j=0 LC p(s ), else, the linear complexity of t is more than pn+1 − pn − p. Suppose that u, u = 0, 1,...,p − 1, is the least number such (n) (n) Proof Suppose that s + is the nonzero element of that ϕ (s(n)) 0. Then the linear complexity of S is given i j p j u (n) = , ,..., ffi by s for every j 1 2 p. Obviously, it su ces to (n+1) ϕ(n+1) (n+1) = alter appropriate p bits in s to obtain 0 (s ) LC(s(n)) = (p − u − 1)pn−1 + LC(s(n−1)), 0. It can be obtained by exactly one element change in { (n+1), (n+1) ,..., (n+1) } = , ,..., si p+ j spn+i p+ j s(p−1)pn+i p+ j for every j 1 2 p. (n−1) (n) (n) j j j where s = ϕu (s ). The generalized Chan-Games al- (n+1) (n+1) (n+1) Let t be a vector such that LC(t ) = LC p(s ). gorithm is obtained by applying this result recursively until Then the p-error linear complexity of S is n = 0. In the final step we will have a sequence with pe- s(0) LC s(0) = s(0) (n+1) n (n) riod . The linear complexity ( ) 1if 0 and LC p(s ) = (p − u − 1)p + LC(t ), LC(s(0)) = 0ifs(0) = 0. It obviously that s(0) = 0 if and only (n) (n+1) (n+1) if S is the zero sequence 0. where t = ϕu (s ) and u is the least number such that n (n+1) (n+1) Let S be a p-ary sequence of period p . We collect ϕu (s ) 0, u = 1, 2,...,p − 1. some obvious properties of the linear complexity LC(S ) and In the case that 2 ≤ u ≤ p − 1, the linear complex- ϕ(n) = , ,..., − > (n) n the mappings u , u 0 1 p 1, n 1. ity LC(t ) could be equal to any integer between 1 and p . w ϕ(n) (n) ≤ w (n) = , ,..., − (n+1) n+1 n P1: ( u (s )) (s ), u 0 1 p 1. Then we have 1 ≤ LC p(s ) ≤ p − 2p . We now show < n (n) P2: LC(S ) p if and only if s has the zero sum property, the case that u = 1. According to P5, it suffices to alter ex- pn = { (n+1), (n+1) ,..., (n+1) } that is, = s j 0. actly one bit in s s n s n to obtain j 1 i j p+ j p +i j p+ j (p−1)p +i j p+ j P3: LC(S ) = 0 if and only if s(n) = 0. n (1) (n+1) (n+1) (n+1) P4: LC(S ) = p − p + 1 if and only if s = ϕ (s , s n ,...,s n ) = 0 0 i j p+ j p +i j p+ j (p−1)p +i j p+ j LETTER 2597 and complexity pn − p + 1, the sequences S with p-error lin- w (n) = (n+1) (n+1) (n+1) ear complexity 0 are exactly the sequences with (s ) p. ϕ (s , s n ,...,s n ) = b 1 i j p+ j p +i j p+ j (p−1)p +i j p+ j According to Lemma 1, we have

(n) (n) (n) = − n−1 n−1 ··· n−1 = − pn−p. for any b ∈ Fp, j=1, 2,...,p. Then t , t ,...,t ∈ Np(0) (p 1)p p p (p 1)p i1 p+1 i2 p+2 ip p+p Fp could be arbitrary value by altered appropriate p bits in n− + (2) (3) (n) For the sequences S with p-error linear complexity p (n 1) (1) = ϕ ϕ ···ϕ (n) ffi r+1 r+1 r s .Fort ( 0 0 0 (t )), it su ces to select p + c,1≤ r ≤ n − 1, 1 ≤ c ≤ p − p − p,thep-error (n) (n) (n) (1) appropriate t , t ,...,t ∈ Fp to obtain t = 0, i1 p+1 i2 p+2 ip p+p linear complexity of S is ≤ (n) ≤ n − n+1 − n + ≤ then we get 1 LC(t ) p p and p 2p 1 (n) = n − r+1 + (r+1) . (n+1) n+1 n LC p(s ) p p LC p(s ) LC p(s ) ≤ p − p − p. This proves that the p- error linear complexity of S can be the arbitrary integer Let t(r+1) be the vector such that LC(t(r+1)) = LC (s(r+1)). + p lies in [1, pn 1 − pn − p]. Note that the way of the bit For every integer c,1≤ c ≤ pr+1−pr−p, there are (p−1)pc−1 + changes is unique. Then there is only one vector t(n 1) choices for t(r+1) such that LC(t(r+1)) = c by (1). Note that + + + (n 1) = (n 1) ∈ , n 1 − n − r+ r+ (n+1) (n+1) (n+1) satisfies LC(t ) LC p(s ) [1 p p p]. s( 1) differs from t( 1) at exactly s , s ,...,s for i1 p+1 i2 p+2 ip p+p (n) = ϕ(n) (n+1) r Else, we have that t 1 (t ) 0. Since we can some i j ∈{0, 1, 2,...,p −1}, j = 1, 2,...,p. Then there are (n) , (n) ,..., (n) ∈ − c−1 − r r ··· r = − 2 c+pr−1 not select appropriate ti p+1 ti p+2 ti p+p Fp to obtain (p 1)p (p 1)p p p (p 1) p choices for 1 2 p (r+1) (1) = ϕ(2)ϕ(3) ···ϕ(n) (n) = (n+1) > s by Lemma 2. Using P6 recursively we obtain that t 0 0 0 (t )) 0, then we get LC(t ) + n 1 − n − + − − r+1 − n−1 n− r+1+ + − p p p. (p−1)2 pc pr 1 p(p 1)p ···p(p 1)p = (p−1)2 pp p c pr 1 The following theorem presents all possible values of the p-error linear complexity of p-ary sequences of period is the number of p-ary sequences of period pn with linear pn with linear complexity pn − p + 1, n ≥ 1. complexity pn − p + 1 and p-error linear complexity pn − Theorem 1. For any p-ary sequence S of period pn pr+1 + c. with linear complexity pn − p + 1, the p-error linear com- Theorem 2 permits the calculation of the exact formula plexity of S is either zero or of the form for the expected value of the p-error linear complexity of a random p-ary sequences of period pn with linear complexity n − r+1 + , p p c pn − p + 1, n ≥ 1. + Theorem 3. The expected value E of the p-error lin- where 1 ≤ r ≤ n − 1 and 1 ≤ c ≤ pr 1 − pr − p. p ear complexity of p-ary sequences of period pn with linear Proof According to P4, we have w(s(n)) ≥ p.Obvi- complexity pn − p + 1 is ously, the p-error linear complexity of S is 0 in the case w (n) = w (n) > − that (s ) p. We now show the case (s ) p. Sup- − −pn+pn n 1 n 1 p −pr+pr+1 pose that r,1≤ r ≤ n − 1, is the largest integer such that Ep = p − p − − p . (r) p − 1 w(s ) = p. Then the p-error linear complexity of S is r=1

(n) n r+1 (r+1) − pn−p LC p(s ) = p − p + LC p(s ). Proof According to (1), there are (p 1)p p-ary sequences of period pn with linear complexity pn − p + 1. Note that the pr-periodic sequence with period s(r) = From Theorem 2 we have ϕ(r+1) (r+1) (r) = r − + w (r) = 0 (s ) satisfies LC(s ) p p 1 and (s ) p. pn−p (r+1) r+1 (p − 1)p Ep = Np(L)L According to Lemma 2, we have 1 ≤ LC p(s ) ≤ p − r − L p p. Then the p-error linear complexity of S is of the + n−1 pr 1−pr−p form n r+1 = (p − 1)2 pp −p +c+pr−1(pn − pr+1 + c) + pn − pr 1 + c, r=1 c=1 + n−1 pr 1−pr−p + ≤ ≤ − ≤ ≤ r 1 − r − n+ − r+1+ − where 1 r n 1 and 1 c p p p. = (p − 1)pp n p p pr 1 (p − 1)pc The following theorem presents the exact formulas to r=1 c=1 n count the number of p-ary sequences of period p with lin- r+1 r n−1 p −p −p n − + n r+1 ear complexity p p 1 and fixed p-error linear complexity. −(p − 1)pp p−p +pr+r (p − 1)pc Theorem 2. The number of p-ary sequences of pe- r=1 c=1 n n riod p with linear complexity p − p + 1 and p-error linear + n−1 pr 1−pr−p complexity L is + pn −pr+1+pr−1 − 2 c ⎧ p p (p 1) cp ⎪ − pn−p, = , r=1 c=1 ⎨⎪ (p 1)p if L 0 L+pr− n r+ = − + . N (L) = ⎪ (p − 1)2 p 1, if L = p − p 1 + c, T1 T2 T3 p ⎩⎪ 0, otherwise, For the first term T1 we have + where 1 ≤ r ≤ n − 1 and 1 ≤ c ≤ pr 1 − pr − p. n−1 n pn+n −pr+1+pr−1 pr+1−pr−p+1 Proof For p-ary sequences of period p with linear T1 = (p − 1)p p (p − p) r=1 IEICE TRANS. INF. & SYST., VOL.E102–D, NO.12 DECEMBER 2019 2598

n−1 n−1 n pn+n −pr+p(r−1) −pr+1+pr ity of p-ary sequences of period p with linear complex- = (p − 1)p p − p −pn+pn ity pn − p + 1, n ≥ 1. Note that the value p and the r=1 r=1 p−1 − − r+ + n− − n+ + n 1 p pr 1 = (p − 1)pp p(pn − p p pn n). sum r=2 p in the formula for Ep is small. Hence n − − 1 the value of Ep is approximately equals to p 2p p−1 . For the second term T2 we get From the above discussion, we know that there are many n−1 sequences with large p-error linear complexity among all p- pn −pr+1+pr+r pr+1−pr−p+1 ary sequences of period pn with linear complexity pn − p+1. T2 =(p−1)p p (p − p) r=1 n−1 n Acknowledgments n r r =(p−1)pp p−p +p(r−1)+r+1 − p−p +p(r−1)+r r=1 r=2 We would like to thank the reviewers for their helpful com- n−1 ments. This work was supported by the Key Projects of n n r =(p−1)pp −p p2 − p−p +pn+n + (p−1) p−p +pr+r . the Natural Science Fund of Anhui Colleges and Univer- r=2 sities (KJ2017A136, KJ2019JD17, KJ2017A623) and the Key Projects of Support Program for Excellent Young Tal- For the third term T , using the identity 3 ents in Anhui Colleges and Universities (gxyqZD2016032). m + + (p − 1)2 jpj = (p − 1)mpm 1 − pm 1 + p References j=1 [1] R.A. Rueppel, Analysis and Design of Stream Ciphers, Springer- we get Verlag, 1986. n−1 [2] C. Ding, G. Xiao, and W. Shan, “The Stability Theory of Stream Ci- n r+1 r+1 r T = pp p−p +pr−1(p−1)(pr+1 − pr − p)pp −p −p+1 phers,” Lecture Notes in Computer Science, Springer-Verlag, 1991. 3 [3] S.W. Golomb and G. Gong, “Signal Design for Good Correlation,” = r 1 For Wireless Communication, Croptography and Radar, Cambridge − n 1 University Press, 2005. pn −pr+1+pr−1 pr+1−pr−p+1 − p p (p − p) [4] J. Massey, “Shift-register synthesis and BCH decoding,” IEEE r=1 Trans. Inf. Theory, vol.15, no.1, pp.122–127, 1969. [5] M. Stamp and C.F. Martin, “An algorithm for the k-error linear com- =T4 − T5, plexity of binary sequences of period 2n,” IEEE Trans. Inf. Theory, where vol.39, no.4, pp.1398–1401, 1993. − [6] R. Games and A. Chan, “A fast algorithm for determining the linear n 1 n = − pn −pr+p(r−1) r+1 − r − complexity of a binary sequence with period 2 ,” IEEE Trans. Inf. T4 (p 1)p p (p p p) Theory, vol.29, no.1, pp.144–146, 1983. r=1 [7] T. Kaida, S. Uehara, and K. Imamura, “An algorithm for the k-error n−1 n−1 linear complexity of sequences over GF(pm) with period pn, p a n r r =(p−1)pp −p (p−1) p−p +pr+r − p−p +pr+1 prime,” Inform. Comput., vol.151, no.1-2, pp.134–147, 1999. r=1 r=1 [8] T. Kaida, “On the generalized Lauder-Paterson algorithm and profiles of the k-error linear complexity for exponent periodic and sequences,” Sequences and Their Applications 2004, Springer, n−1 pp.166–178, 2005. n r+1 r+1 r n T = pp p−p +pr−1(pp −p −p+1 − p) [9] W. Meidl, “On the stability of 2 -periodic binary sequences,” IEEE 5 Trans. Inf. Theory, vol.51, pp.1151–1155, 2005. = r 1 [10] F.-W. Fu, H. Niederreiter, and M. Su, “The characterization of − n 1 n 2n-periodic binary sequences with fixed 1-error linear complexity,” pn −pr+p(r−1) −pr+p(r−1) = p p − p Sequences and Their Applications 2006, Springer, pp.88–103, 2006. n r=1 r=2 [11] R. Kavulurn, “Characterization of 2 -periodic binary sequences with n n = pp (p−p − p−p +p(n−1)) fixed 2-error or 3-error linear complexity,” Des. Codes Cryptogr., vol.53, no.2, pp.75–97, 2009. − −pn+pn pn−p 1 p [12] J. Zhou and W. Liu, “The k-error linear complexity distribution for = (p − 1)p . n p − 1 2 -periodic binary sequences,” Des. Codes Cryptogr., vol.73, no.1, pp.55–75, 2014. By combinbining the formulas for T1, T2, T4 and T5 we get [13] W. Meidl and H. Niederreiter, “On the expected value of the linear complexity and k-error linear complexity of periodic sequences,” −pn+pn n−1 1 − p r IEEE Trans. Inf. Theory, vol.48, no.11, pp.2817–2825, 2002. E = pn − p − − p−p +pr+1 p p − 1 [14] W. Meidl and A. Venkateswarlu, “Remarks on the k-error linear r=1 complexity of pn-periodic sequences,” Des. Codes Cryptogr., vol.42, no.2, pp.181–193, 2007. 4. Concluding Remarks [15] K. Kurosawa, F. Sato, T. Sakata, and W. Kishimoto, “A relation- ship between linear complexity and k-error linear complexity,” IEEE In this paper, we obtain exact results for the counting func- Trans. Inf. Theory, vol.46, no.2, pp.694–698, 2000. tion and the expected value for the p-error linear complex-