Maximum-Order Complexity and Correlation Measures

1. Introduction

For a positive integer N, the Nth linear complexity $L(\mathcal{S},N)$ of a binary sequence $\mathcal{S}={\left(s_i\right)}_{i=0}^{\infty }$ is the smallest positive integer L such that there are constants $c_0,c_1,...,c_{L-1}\in {\mathbb{F}}_2$ with

$$s_{i+L}=c_{L-1}{s}_{i+L-1}+...+c_0{s}_i,0\le i\le N-L-1.$$

(We use the convention $L(\mathcal{S},N)=0$ if $s_0=\dots =s_{N-1}=0$ and $L(\mathcal{S},N)=N$ if $s_0=\dots =s_{N-2}=0\ne s_{N-1}$.) The Nth linear complexity is a measure for the predictability of a sequence and thus its unsuitability in cryptography. For surveys on linear complexity and related measures of pseudorandomness see [1,2,3,4,5,6].

Let k be a positive integer. Mauduit and Sárközy introduced the (Nth) correlation measure of order k of a binary sequence $\mathcal{S}={\left(s_i\right)}_{i=0}^{\infty }$ in [7] as

$$C_k(\mathcal{S},N)=\underset{U,D}{max}\left|\sum _{i=0}^{U-1}{(-1)}^{s_{i+d_1}+s_{i+d_2}+...+s_{i+d_k}}\right|,$$

where the maximum is taken over all $D=(d_1,d_2,...,d_k)$ with non-negative integers $0\le d_1<d_2<...<d_k$ and U such that $U+d_k\le N$. (Actually, [7] deals with finite sequences ${\left({(-1)}^{s_i}\right)}_{i=0}^{N-1}$ of length N over $\{-1,+1\}$.)

Brandstätter and the second author [8] proved the following relation between the Nth linear complexity and the correlation measures of order k:

$$L(\mathcal{S},N)\ge N-\underset{1\le k\le L(\mathcal{S},N)+1}{max}{C}_k(\mathcal{S},N),N\ge 1.$$

(1)

Roughly speaking, any sequence with small correlation measure up to a sufficiently large order k must have a high Nth linear complexity as well.

For example, the Legendre sequence $\mathcal{L}={\left({\ell }_i\right)}_{i=0}^{\infty }$ defined by

$${\ell }_i=\left\{\begin{array}{cc}1,& \mathrm{if}i\mathrm{is\; a\; quadratic\; non-residue\; modulo}p,\hfill \\ 0,& \mathrm{otherwise},\hfill \end{array}\right.$$

where $p>2$ is a prime, satisfies

$$C_k(\mathcal{L},N)\ll k{p}^{1/2}\log p,1\le N\le p,$$

(2)

and thus (1) implies

$$N\ll L(\mathcal{L},N)p^{1/2}\log p,1\le N\le p.$$

Using $L(\mathcal{L},N)\ge L(\mathcal{L},p)$ for any $N>p$ we get

$$L(\mathcal{L},N)\gg \frac{min\{N,p\}}{p^{1/2}\log p},N\ge 1,$$

see [7,9] (Theorem 9.2). (Here $f\left(N\right)\ll g\left(N\right)$ is equivalent to $\left|f\right(N\left)\right|\le cg\left(N\right)$ for some absolute constant c.)

The Nth maximum-order complexity $M(\mathcal{S},N)$ of a binary sequence $\mathcal{S}={\left(s_i\right)}_{i=0}^{\infty }$ is the smallest positive integer M such that there is a polynomial $f(x_1,\dots ,x_M)\in {\mathbb{F}}_2[x_1,\dots ,x_M]$ with

$$s_{i+M}=f(s_i,s_{i+1},\dots ,s_{i+M-1}),0\le i\le N-M-1,$$

(3)

see [10,11,12]. Obviously we have

$$M(\mathcal{S},N)\le L(\mathcal{S},N)$$

and the maximum-order complexity is a finer measure of pseudorandomness than the linear complexity.

In this paper we analyze the relationship between maximum-order complexity $M(\mathcal{S},N)$ and the correlation measures $C_k(\mathcal{S},N)$ of order k. Our main result is the following theorem:

Theorem 1.

For any binary sequence $\mathcal{S}$ we have

$$M(\mathcal{S},N)\ge N-2^{M(\mathcal{S},N)+1}\underset{1\le k\le M(\mathcal{S},N)+1}{max}{C}_k(\mathcal{S},N),N\ge 1.$$

Again, any nontrivial bound on $C_k(\mathcal{S},N)$ for all k up to a sufficiently large order provides a nontrivial bound on $M(\mathcal{S},N)$. For example, for the Legendre sequence we get immediately from (2)

$$N\ll 2^{M(\mathcal{L},N)}M(\mathcal{L},N)p^{1/2}\log p,1\le N\le p.$$

Now we have either $M(\mathcal{L},N)>\log p$ and the bound (4) below is trivial or $M(\mathcal{L},N)\le \log p$ which implies

$$M(\mathcal{L},N)\ge \log (\min \{N,p\}/p^{1/2})+O\left(\log \log p\right),$$

(4)

see also [9] (Theorem 9.3). (Here $f\left(N\right)=O\left(g\right(N\left)\right)$ is equivalent to $f\left(N\right)\ll g\left(N\right)$.)

We prove Theorem 1 in the next section.

The expected value of the Nth maximum-order complexity is of order of magnitude $\log N$, see [10] as well as [12] (Remark 4) and references therein. Moreover, by [13] for a sequence of length N with very high probability the correlation measure $C_k(\mathcal{S},N)$ is of order of magnitude $\sqrt{kN\log N}$ and thus by Theorem 1 $M(\mathcal{S},N)\ge \frac{1}{2}\log N+O\left(\log \log N\right)$ which is in good correspondence to the result of [10].

In Section 3 we mention some straightforward extensions.

2. Proof of Theorem 1

Proof. 

Assume $\mathcal{S}$ satisfies (3). If $s_i=...=s_{i+M-1}=0$ for some $0\le i\le N-M-1$, then $s_{i+M}=f(0,...,0)$. Equivalently, ${(-1)}^{s_i}=...={(-1)}^{s_{i+M-1}}=1$ implies ${(-1)}^{s_{i+M}}={(-1)}^{f(0,\dots ,0)}$. Hence, for every $i=0,...,N-M-1$ we have

$$\left({(-1)}^{s_{i+M}}-{(-1)}^{f(0,\dots ,0)}\right)\prod _{j=0}^{M-1}\left({(-1)}^{s_{i+j}}+1\right)=0.$$

Summing over $i=0,...,N-M-1$ we get

$$\sum _{i=0}^{N-M-1}\left({(-1)}^{s_{i+M}}-{(-1)}^{f(0,\dots ,0)}\right)\prod _{j=0}^{M-1}\left({(-1)}^{s_{i+j}}+1\right)=0.$$

The left-hand side contains one “main” term $\pm (N-M)$ and $2^{M+1}-1$ terms of the form

$$\pm \sum _{i=0}^{N-M-1}{(-1)}^{s_{i+j_1}+s_{i+j_2}+\dots +s_{i+j_k}}$$

with $0\le j_1<j_2<...<j_k\le M$ and $1\le k\le M+1$. Therefore we have

$$N-M\le 2^{M+1}\underset{1\le k\le M+1}{max}\left|\sum _{i=0}^{N-M-1}{(-1)}^{s_{i+j_1}+s_{i+j_2}+\dots +s_{i+j_k}}\right|$$

and the result follows. ☐

3. Further Remarks

Theorem 1 can be easily extended to m-ary sequences with $m>2$ along the lines of [14]:

Let $\xi$ be a primitive mth root of unity. Then we have

$$\sum _{h=0}^{m-1}{\xi }^{hx}=0\mathrm{if}\mathrm{and}\mathrm{only}\mathrm{if}x\not\equiv 0modm.$$

As in the proof of Theorem 1 we get

$$\sum _{i=0}^{N-M-1}({\xi }^{s_{i+M}}-{\xi }^{f(0,\dots ,0)})\prod _{j=0}^{M-1}\sum _{h=0}^{m-1}{\xi }^{h{s}_{i+j}}=0.$$

We have one term of absolute value $N-M$ and $2m^M-1$ terms of the form

$$\alpha \sum _{i=0}^{N-M-1}{\xi }^{h_1{s}_{i+j_1}+h_2{s}_{i+j_2}+\dots +h_k{s}_{i+j_k}}$$

(5)

with $1\le h_1,\dots ,h_k<m$, $0\le j_1<j_2<\dots <j_k\le M$, $1\le k\le M+1$ and $\alpha \in \{1,-{\xi }^{f(0,\dots ,0)}\}$.

If m is a prime, then $x\mapsto hx$ is a permutation of ${\mathbb{Z}}_m$ for any $h\not\equiv 0modm$ and the sums in (5) can be estimated by the correlation measure $C_k(\mathcal{S},N)$ of order k for m-ary sequences as it is defined in [15] and we get

$$M(\mathcal{S},N)\ge N-2m^{M(\mathcal{S},N)}\underset{1\le k\le M(\mathcal{S},N)+1}{max}{C}_k(\mathcal{S},N),N\ge 1.$$

If m is composite, $x\mapsto hx$ is not a permutation of ${\mathbb{Z}}_m$ if $gcd(h,m)>1$ and we have to substitute the correlation measure of order k by the power correlation measure of order k introduced in [14].

Now we return to the case $m=2$.

Even if the correlation measure of order k is large for some small k, we may be still able to derive a nontrivial lower bound on the maximum-order complexity by substituting the correlation measure of order k by its analogue with bounded lags, see [16] for the analogue of (1). For example, the two-prime generator $\mathcal{T}={\left(t_i\right)}_{i=0}^{\infty }$, see [17], of length $pq$ with two odd primes $p<q$ satisfies

$$t_i+t_{i+p}+t_{i+q}+t_{i+p+q}=0$$

if $gcd(i,pq)=1$ and its correlation measure of order 4 is obviously close to $pq$, see [18]. However, if we bound the lags $d_1<\dots <d_k<p$ one can derive a nontrivial upper bound on the correlation measure of order k with bounded lags including $k=4$ as well as lower bounds on the maximum-order complexity using the analogue of Theorem 1 with bounded lags.

Finally, we mention that the lower bound (4) for the Legendre sequence can be extended to Legendre sequences with polynomials using the results of [19] as well as to their generalization using squares in arbitrary finite fields (of odd characteristic) using the results of [20,21]. For sequences defined with a character of order m see [15].