On lattice profile of the elliptic curve linear congruential generators

Lattice tests are quality measures for assessing the intrinsic structure of pseudorandom number generators. Recently a new lattice test has been introduced by Niederreiter and Winterhof. In this paper, we present a general inequality that is satisfied by any periodic sequence. Then, we analyze the behavior of the linear congruential generators on elliptic curves (EC-LCG) under this new lattice test and prove that the EC-LCG passes it up to very high dimensions. We also use a result of Brandstätter and Winterhof on the linear complexity profile related to the correlation measure of order k to present lower bounds on the linear complexity profile of some binary sequences derived from the EC-LCG.

Let (η_n), n = 0, 1, . . ., be a sequence over the finite field F_q of q elements of period T. The characteristic of the field F_q will be p, so q = p^m for some positive integer m.
The largest dimension s such that (η_n) satisfies the s-dimensional N-lattice test is called the lattice profile at N, denoted by S(η_n, N). Moreover, let S(η_n, N).
One can verify that S(η_n) = S(η_n, T) for any periodic sequence of period T > 1. Clearly S(η_n) = 1 if the period T = 1.
If additionally F_q is a finite prime field, i.e., q = p, this special lattice test for N = T is the one proposed by Marsaglia in [16].
It is easy to see that S(η_n, N) ≤ S(η_n, N). On the other hand, S(η_n, T) is bounded below by an expression depending only on S(η_n) if T is a prime. We prove the following lemma, which comes from [15, Lemma 1]. The residue classes modulo T are identified with integers in the range {0, . . . , T − 1} and vice versa.
T a prime and 0 < d_1 < · · · < d_{s−1} < T, then there exists an integer r ∈ Z with gcd(r, T) = 1 such that,
The next theorem gives a general inequality that relates S(η_n, T) with S(η_n) for any sequence (η_n) when T is prime.

Proposition 1.3 Let (η_n) be any T-periodic sequence with T prime. If s satisfies the following inequality
then the sequence (η_n) passes the s-dimensional T-lattice test with any lags.
for 0 ≤ n ≤ T − 1 and let V be the subspace of F_q^s spanned by all η_{n,d} − η_0 for 0 ≤ n ≤ T − 1. Let us denote by V^⊥ = {u ∈ F_q^s : u · v = 0 for all v ∈ V} the orthogonal space of V, where · denotes the usual inner product. By our hypothesis, dim(V) < s and dim(V^⊥) ≥ 1, so there exists a nonzero vector α ∈ V^⊥ with α · (η_{n,d} − η_0) = 0 for 0 ≤ n ≤ T − 1.
Operating with S(η_n, T), we obtain the result.

Elliptic curves
Recent developments point towards an interest in the elliptic curve analogues of pseudorandom number generators, which are reasonably new sources of pseudorandom numbers based on the group structure of elliptic curves over finite fields. These generators include the linear congruential generator on elliptic curves, the power generator on elliptic curves and the Naor-Reingold generator on elliptic curves, see the recent survey [23]. We first introduce some notions and basic facts of elliptic curves over finite fields. Let E be an elliptic curve over F_q, where q = p^m is a prime power and p > 3, given by an affine Weierstrass equation of the standard form with nonzero discriminant, see [10]. It is known that the set E(F_q) of F_q-rational points of E forms an abelian group under an appropriate composition rule denoted by ⊕ and with the point at infinity O as the neutral element. We recall that the linear congruential generator on elliptic curves, EC-LCG, is defined as where U_0 is the initial point. In this article, let G ∈ E(F_q) be a point of order T, that is, T is the size of the cyclic group generated by G. The EC-LCG is a T-periodic sequence over F_q × F_q. Some other important elliptic curve generators have also been studied in the last decade, such as the elliptic curve power generator and the elliptic curve Naor-Reingold generator.
For a k-dimensional integer vector a = (a_1, . . . , a_k) ∈ Z_T^k, the elliptic curve Naor-Reingold generator, EC-NRG, is defined as the sequence F_a(n) = a_1^{n_1} · · · a_k^{n_k} G, where n = n_1 . . . n_k is the bit representation of n, 0 ≤ n ≤ 2^k − 1, adding zeros until length k.
We conclude this section with some results on rational functions, which are needed in our proofs.
Any rational function has only a finite number of zeros and poles. Let ord_G(f) be the order of f at G. In fact, [10, p. 22] or [24, Definition I.1.9]. Obviously, ord_G(f) = 0 for all but finitely many G ∈ E(F_q), and ord For example, deg(x) = 2 and deg(y) = 3. We need the following results.
Proof Using the definition of deg and Lemma 1.4, In the same way, we get that the other summand is less than the degree of g, which finishes the proof.
Lemma 1.6 Let f, g ∈ F_q(E) be nonconstant rational functions with disjoint pole sets. Then f + g is nonconstant.
Proof Suppose G is a pole of f. Then G is not a pole of g, so ord_G(f) < ord_G(g) = 0. Then by Lemma 1.4 we have i.e., G is a pole of f + g, so the function f + g is nonconstant.
Remark The proof of Lemma 1.6 also shows that, for f and g with disjoint pole sets, the set of poles of f + g is exactly the union of the poles of f and g.

Lattice profile of EC-LCG
We will consider the lattice test with lags for sequences derived from the EC-LCG in general fields. Using the generator (U_n) defined by (1.2) and a function f ∈ F_q(E) with a single pole, the linear congruential sequence with elliptic curves is defined by
η_n = f(U_n), for n = 0, 1, . . . (2.1)
From Proposition 1.3 and the result in [14] we get a lower bound for S(η_n, T); however, in the next theorem we prove a stronger lower bound.
In particular,
Proof We assume that the sequence (η_n) does not pass the s-dimensional N-lattice test for some lags 0 < d_1 < · · · < d_{s−1} < T. Put for 0 ≤ n ≤ T − 1 and let V be the subspace of F_q^s spanned by all η_{n,d} − η_0 for 0 ≤ n ≤ T − 1.
That is, where 0 ≤ n ≤ N − 1. Let Q be a generic rational point and Since H is the single pole of f, we see that H (d_i G ⊕ U_0) is the only pole of f • τ_W(d_i G ⊕ W). By Lemma 1.6 it is easy to see that F is a nonconstant rational function since the points where is the inversive operation of ⊕. Furthermore, by Lemma 1.5 we have According to (2.2), at least M points of {nG : 0 ≤ n ≤ N − 1} are zeros of F, where otherwise.

So we have
which leads to the desired result.
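As an added worked example (this is not code from the paper), the following Python builds the sequence (2.1) with f = x on a constructed toy curve y^2 = x^3 + x + 1 over F_23 (28 points), using the point G = (13, 16) of order 7 and the initial point U_0 = (0, 1), which lies outside the group generated by G so that no U_n is the pole O of x, and computes the lattice profile at N = T by the criterion used in the proof of Proposition 1.3: the sequence passes the s-dimensional T-lattice test with lags d_1 < · · · < d_{s−1} exactly when the vectors η_{n,d} − η_0, 0 ≤ n ≤ T − 1, span F_q^s. The curve, the point choices and the exhaustive search over lags are assumptions made for illustration.

```python
from itertools import combinations
P, A, B, O = 23, 1, 1, None   # constructed toy curve y^2 = x^3 + A*x + B over F_23 (28 points); O = point at infinity
def ec_add(P1, P2):
    """Group law (+) on E(F_p) in affine Weierstrass form."""
    if P1 is O: return P2
    if P2 is O: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O                                  # P2 is the inverse of P1
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)
def ec_lcg_x(U0, G):
    """eta_n = x(U_n), n = 0..T-1, for U_n = U_{n-1} (+) G; U0 must lie outside <G> (no U_n = O)."""
    seq, U = [], U0
    while True:
        seq.append(U[0]); U = ec_add(U, G)
        if U == U0: return seq
def rank_mod_p(rows):
    """Rank over F_p by Gauss-Jordan elimination."""
    rows, rank = [r[:] for r in rows], 0
    for col in range(len(rows[0])):
        piv = next((i for i in range(rank, len(rows)) if rows[i][col]), None)
        if piv is None: continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = pow(rows[rank][col], -1, P)
        rows[rank] = [v * inv % P for v in rows[rank]]
        for i, r in enumerate(rows):
            if i != rank and r[col]:
                rows[i] = [(a - r[col] * b) % P for a, b in zip(r, rows[rank])]
        rank += 1
    return rank
def passes_lattice_test(eta, s, lags):
    """s-dimensional T-lattice test with lags 0 < d_1 < ... < d_{s-1} < T: the vectors
    eta_{n,d} - eta_{0,d}, 0 <= n <= T-1 (indices taken mod T), must span F_p^s."""
    T, d = len(eta), (0,) + tuple(lags)
    vec = lambda n: [eta[(n + di) % T] for di in d]
    return rank_mod_p([[(a - b) % P for a, b in zip(vec(n), vec(0))] for n in range(T)]) == s
def lattice_profile(eta):
    """S(eta_n, T): the largest s that passes for every lag choice (exhaustive, small T only)."""
    T, s = len(eta), 1
    while s < T and all(passes_lattice_test(eta, s + 1, lags)
                        for lags in combinations(range(1, T), s)):
        s += 1
    return s
ETA = ec_lcg_x((0, 1), (13, 16))   # G = (13,16) has order 7 and U0 = (0,1) is outside <G>, so T = 7
```

For contrast, the additive congruential sequence 3n mod 23 has lattice profile 1, since for every lag the difference vectors are all multiples of (1, 1), whereas the toy EC-LCG above passes the 2-dimensional test for all six lags.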
For f (x, y) = x, a case frequently studied, like in [11,23] and the survey [25], we have the following corollary.

Corollary 2.2 For the T-periodic sequence
For Naor-Reingold sequences with elliptic curves, Proposition 1.3 and the results of [5] say that the sequence passes the 2-lattice test for almost all choices of a_1, . . . , a_k.

Theorem 2.3
Let γ > 0 and let (η_n) = (x(U_n)) be the T-periodic sequence obtained from the Naor-Reingold generator (U_n) with period T prime and k ≥ 2 log T. Then this sequence passes the 2-lattice test with any lags for almost all choices of a_1, . . . , a_k.
Theorem 2.1 can be extended to the r-dimensional sequences investigated in [14]. We first define the lattice profile for r-dimensional sequences. Let ( n,1 , n,2 , . . . , n,r ), n = 0, 1, . . . , T − 1, be an r-dimensional sequence over the finite field F_q. Since F_q^r is isomorphic to F_{q^r} as a vector space over F_q, one can view ( n,1 , n,2 , . . . , n,r ) as an element of F_{q^r} by the relationship η_n := 1 γ_1 + 2 γ_2 + · · · + r γ_r ∈ F_{q^r}, where γ_1, . . . , γ_r is a basis of F_{q^r} over F_q. For given integers s ≥ 1, 0 < d_1 < d_2 < · · · < d_r, and N ≥ 2, we say that (η_n) passes the s-dimensional N-lattice test with lags d_1, . . . , The largest dimension s such that (η_n) satisfies the s-dimensional N-lattice test for all lags d_1, . . . , d_s is denoted by S(η_n, N), i.e., which is called the generalized lattice profile at N of (η_n). Now we introduce the r-dimensional elliptic curve sequences studied in [14].
Let H be a place of degree d of E and let be a set of r ≥ 1 rational functions with pole divisors of the form Since E has genus one, such functions always exist by the Riemann-Roch theorem. We define ρ = r + . For r = 2 and H = O a natural example is given by f_1(P) = x(P) and f_2(P) = y(P), where P = (x(P), y(P)) ≠ O. In this case, d = 1 and ρ = 3 (see [14]).
That is, where 0 ≤ n ≤ N − 1. For 1 ≤ l ≤ r, we are going to define, By Lemma 1.6 and Remark 1, the poles of F_l for all 1 ≤ l ≤ r are with α_i ≠ 0. On the other hand, using (2.3) we have for j ≤ i ≤ s − 1 Thus the F_i are nonconstant rational functions and Using (2.5), we have At last, we have to show that this function is not constant. Let k be the largest index with α_k ≠ 0 in {α_j, α_{j+1}, . . . , α_{s−1}}. Then each F_i has a pole at H (d_k G ⊕ U_0) of order d(i + ). So γ_1 F_1 + γ_2 F_2 + · · · + γ_r F_r is nonconstant and its degree is bounded by sdρ by Lemma 1.4. By Eq. (2.6), it has no poles in G if H ∉ G ⊕ U_0, and at most s different poles in G if H ∈ G ⊕ U_0. This gives which leads to the desired result.

Linear complexity of some binary sequences derived from EC-LCG
In [17], Mauduit and Sárközy introduced the notion of the correlation measure of order k, an important measure of pseudorandomness for finite binary sequences. Let then the correlation measure of order k of E_T is defined as where the maximum is taken over all D = (d_1, . . . , d_k) with non-negative integers 0 ≤ d_1 < · · · < d_k < T and M such that M + d_k ≤ T − 1.
We may consider E_T as an infinite sequence of period T. We recall that the linear complexity profile L(E_T, N) is the least order L of a linear recurrence relation over F_2, e_{n+L} = c_0 e_n + c_1 e_{n+1} + · · · + c_{L−1} e_{n+L−1} for 0 ≤ n ≤ N − L − 1, which is satisfied by the first N terms of E_T, and the linear complexity L(E_T) is defined as see [25, 26] for details on the linear complexity and also [8] for the relation with lattice tests. In [1, Theorem 1], Brandstätter and Winterhof used the correlation measure of order k to estimate a lower bound on the linear complexity profile L(E_T, N) for E_T.
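As an added illustration (not code from the paper), the following Python computes the linear complexity profile L(E_T, N) of a binary sequence with the Berlekamp-Massey algorithm over F_2, rewrites its output in the recurrence form e_{n+L} = c_0 e_n + · · · + c_{L−1} e_{n+L−1} used above and checks that form on the first N terms, and evaluates the correlation measure of order k on a constructed 7-periodic sample. The summand inside the maximum, the product of the k shifted ±1 terms (−1)^{e_{n+d_i}}, is the standard one from [17] and is assumed here; the ranges of D and M follow the statement above.

```python
from itertools import combinations
from math import prod

def berlekamp_massey(e):
    """Berlekamp-Massey over F_2 on bits e = (e_0, ..., e_{N-1}).  Returns the linear
    complexity profile [L(E,1), ..., L(E,N)] and the connection coefficients
    C = (1, C_1, ..., C_L) with e_n = C_1 e_{n-1} + ... + C_L e_{n-L} for L <= n < N."""
    C, B, L, m, profile = [1], [1], 0, 1, []
    for n, en in enumerate(e):
        d = en                                    # discrepancy of the current recurrence
        for i in range(1, L + 1):
            if i < len(C) and C[i]:
                d ^= e[n - i]
        if d == 0:
            m += 1
        else:
            T = C[:]
            C = C + [0] * max(0, len(B) + m - len(C))
            for i, b in enumerate(B):             # C(x) <- C(x) + x^m B(x)
                C[i + m] ^= b
            if 2 * L <= n:                        # the recurrence length must grow
                L, B, m = n + 1 - L, T, 1
            else:
                m += 1
        profile.append(L)
    return profile, (C + [0] * (L + 1))[:L + 1]

def recurrence_coeffs(C):
    """Rewrite C as the paper's c_0, ..., c_{L-1} in
    e_{n+L} = c_0 e_n + c_1 e_{n+1} + ... + c_{L-1} e_{n+L-1} over F_2."""
    L = len(C) - 1
    return [C[L - j] for j in range(L)]

def satisfies_recurrence(e, c, N):
    """Check that the recurrence c of order L = len(c) holds for 0 <= n <= N - L - 1."""
    L = len(c)
    return all(e[n + L] == sum(cj * e[n + j] for j, cj in enumerate(c)) % 2
               for n in range(N - L))

def correlation_measure(e, k):
    """Correlation measure of order k of E_T (in the sense of [17]) on the +-1 sequence
    (-1)^{e_n}; the ranges of D and M are those stated in the text."""
    T, pm = len(e), [(-1) ** b for b in e]
    best = 0
    for D in combinations(range(T), k):           # 0 <= d_1 < ... < d_k < T
        for M in range(1, T - D[-1]):             # M + d_k <= T - 1
            best = max(best, abs(sum(prod(pm[n + d] for d in D) for n in range(M))))
    return best

SAMPLE = [0, 0, 1, 0, 1, 1, 1]   # constructed: one period of e_{n+3} = e_{n+1} + e_n (mod 2)
```

On SAMPLE the profile jumps from 0 to 3 at N = 3 and stays there, and the recovered recurrence is e_{n+3} = e_n + e_{n+1}, the rule the sample was built from.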

Lemma 3.1 For any T-periodic binary sequence E_T, the following inequality holds
Below we present some binary sequences constructed using elliptic curves over the prime field F_p in the literature. (We note that some of our references actually deal with the corresponding sequences e_n = (−1)^{e_n} over {+1, −1}.) Here we recall some notation. Let F_p = {0, 1, . . . , p − 1} and let G ∈ E(F_p) be a rational point of order T. We write x(iG) = x_i and y(iG) = y_i for iG = (x_i, y_i).
In [3], the following five types of finite binary sequences S_T = {s_0, . . . , s_{T−1}} of length T are defined: So for appropriate f, we have the following result, as proved in [2, Theorem 3]. In [4], Chen et al. defined a family of binary sequences using the discrete logarithm along elliptic curves. Let g be a fixed primitive root modulo p. For each x ∈ F_p^*, let ind(x) denote the index (discrete logarithm) of x to the base g, so that g^{ind(x)} ≡ x (mod p).
We add the condition 1 ≤ ind(x) ≤ p − 1 to make the value of the index unique. The sequence S_T = {s_0, . . . , s_{T−1}} is defined by The construction in (3.4) is an elliptic curve analogue of [13]. As the example above shows, we should also select f carefully in this construction. Finally, we remark that in the recent paper [18], Mérai pointed out some sufficient conditions for selecting an appropriate f in (3.3) and (3.4) using ideas similar to the ones in [12].