Correlation measures of binary sequences derived from Euler quotients

1.   Introduction

Let $\mathcal{S} = (s_0, s_1, ..., s_{T-1})$ be a binary sequence over $\mathbb{F}_2 = \{0, 1\}$ and $\ell$ a positive integer. Mauduit and Sárközy ^[16] introduced the correlation measure of order $\ell$ for $\mathcal{S}$, which is defined as

where the maximum is taken over all $U\in \mathbb{N}$ and $D = (d_1, d_2, \ldots, d_\ell)$ with integers $0 \leq d_1 < d_2 < \ldots < d_\ell \le T - U$.

From the viewpoint of cryptography, it is excepted that measure of order $\ell$ of sequences is as"small" (in terms of $T$, in particular, is $o(T)$ as $T\rightarrow \infty$) as possible. Cassaigne, Mauduit and Sárközy ^[4] studied the values of $C_{\ell}(\mathcal{S})$ for $\mathcal{S}\in \left\{0, 1\right\}^{T}$ chosen equiprobable. It was shown in ^[4] that for every integer $\ell\geq 2$ and real $\varepsilon > 0$, there are numbers $T_0 = T_0(\varepsilon, \ell)$ and $\delta = \delta(\varepsilon, \ell) > 0$ such that for all $T\geq T_0$ we have

with probability at least $1-\varepsilon$.

Additionally, we use the following definition for the periodic correlation measure of order $\ell$ of $\mathcal{S}$,

where $D = (d_1, d_2, \ldots, d_\ell)$ and $0\le d_1 < d_2 < \ldots < d_\ell < T$. It is clear that $\theta_2(\mathcal{S})$ is the (classic) auto-correlation of $\mathcal{S}$ and $\theta_\ell(\mathcal{S})\leq C_{\ell}(\mathcal{S})$. Thus for every integer $\ell\geq 2$ and real $\varepsilon > 0$, there is number $T_0 = T_0(\varepsilon, \ell)$ such that for all $T\geq T_0$ we have $\theta_\ell(\mathcal{S}) < 5\sqrt{\ell T\log T}$ with probability at least $1-\varepsilon$.

In this work, we mainly consider the periodic correlation measure of order $4$ for some binary sequences derived from Euler quotients studied recently.

Let $p$ be a prime and let $n$ be an integer with $\gcd(n, p) = 1$. From Fermat's little theorem we know that $n^{p-1}\equiv 1\ (\bmod\ p)$. Then the Fermat quotient $Q_p(n)$ is defined as

We also define $Q_{p}(n) = 0$ if $\gcd(n, p) > 1$. Fermat quotients arose from the study of the first case of Fermat's last theorem, and have many applications in number theory (see ^{[2,5,12,14,17,19,20,21]} for details). Define the $p^2$-periodic binary sequence ${\bf{\overline{s}}} = \left(\overline{s}_0, \overline{s}_1, \cdots, \overline{s}_{p^2-1}\right)$ by

The second author (partially with other co-authors) studied the well-distribution measure and correlation measure of order $2$ of ${\bf{\overline{s}}}$ by using estimates for exponential sums of Fermat quotients in ^[11], the linear complexity of ${\bf{\overline{s}}}$ in ^[7,10], and the trace representation of ${\bf{\overline{s}}}$ by determining the defining pairs of all binary characteristic sequences of cosets in ^[6]. In ^[15] the first author with another co-author showed that the $4$-order correlation measure of ${\bf{\overline{s}}}$ is very large.

Let $m\geq 2$ be an odd number and let $n$ be an integer coprime to $m$. The Euler's theorem says that $n^{\phi(m)}\equiv 1\ (\bmod\ m)$, where $\phi$ is the Euler's totient function. Then the Euler quotient $Q_{m}(n)$ is defined as

We also define $Q_{m}(n) = 0$ if $\gcd(n, m) > 1$. Agoh, Dilcher and Skula ^[1] studied the detailed properties of Euler quotients. For example, from Proposition 2.1 of ^[1] we have

Recently many binary sequences were constructed from Euler quotients. For example, let $m = p^{\tau}$ for a fixed number $\tau\geq 1$, the $p^{\tau+1}$-periodic sequence ${\bf{\widetilde{s}}} = \left(\widetilde{s}_0, \widetilde{s}_1, \cdots, \widetilde{s}_{p^{\tau+1}-1}\right)$ is defined by

The linear complexity of ${\bf{\widetilde{s}}}$ had been investigated in ^[13] and the trace representation of ${\bf{\widetilde{s}}}$ was given in ^[8].

Moreover, let $m = pq$ be an odd semiprime with $p\mid (q-1)$, the $pq^2$-periodic sequence ${\bf{\widehat{s}}} = \left(\widehat{s}_0, \widehat{s}_1, \cdots, \widehat{s}_{pq^2-1}\right)$ is defined by

Recently the minimal polynomials and linear complexities were determined in ^[22] for ${\bf{\widehat{s}}}$, and the trace representation of ${\bf{\widehat{s}}}$ has been given in ^[23] provided that $2^{q-1}\not\equiv 1 \ (\bmod\ q^2)$.

In this work, we shall further study the (periodic) correlation measures of ${\bf{\widetilde{s}}}$ and ${\bf{\widehat{s}}}$ by introducing a new approach based on Dirichlet characters, Ramanujan sums and Gauss sums. We state below the main result.

Theorem 1.1. Let $k\geq 5$ be a prime and let $m$ be an odd number with $k\mid m$. Suppose that $Q_{m}(n)$ is $km$-periodicand the $km$-periodic sequence ${\bf{s}} = \left(s_0, s_1, \cdots, s_{km-1}\right)\in\{0, 1\}^{km}$ is defined by

Then there exists absolute constant $\delta > 0$ such that

The restriction $k\geq 5$ can not be relaxed since otherwise we have $s_t = s_{t+3m}$ for all $0\leq t\leq km-1$. The assumptions $k\mid m$, $k$ is a prime and $m$ is odd will be vital in the proof of Lemmas 2.1 and 2.2 in Section 2. Taking special values of $m$ and $k$ in Theorem 1.1, we immediately get the correlation measures of ${\bf{\widetilde{s}}}$ and ${\bf{\widehat{s}}}$.

Corollary 1.1. Let $p\geq 5$ be a prime and let $\tau\geq 1$ be a fixed integer. Let the $p^{\tau+1}$-periodic sequence ${\bf{\widetilde{s}}} = \left(\widetilde{s}_0, \widetilde{s}_1, \cdots, \widetilde{s}_{p^{\tau+1}-1}\right)$ be defined as in $(1.3)$.Then we have

Corollary 1.2. Let $p$ and $q$ be two distinct odd primes with $p\mid (q-1)$ and $q\geq 5$, and letthe $pq^2$-periodic sequence ${\bf{\widehat{s}}} = \left(\widehat{s}_0, \widehat{s}_1, \cdots, \widehat{s}_{pq^2-1}\right)$ be defined as in $(1.4)$.Then we have

Our results indicate that the correlation measures of order $4$ of ${\bf{\widetilde{s}}}$ and ${\bf{\widehat{s}}}$ are very large provided that $p$ and $q$ are sufficiently large. Therefore these sequences are not suitable for cryptography.

To prove Theorem 1.1, we introduce basic properties of Dirichlet characters, Ramanujan sums and Gauss sums, and then prove two lemmas on the mean values of characters sums in Section 2. We express $(-1)^{s_t}$ in terms of character sums in Section 3 to finish the proof of Theorem 1.1 by using the results showed in Section 2.

We write $f(n) = O(g(n))$ or $f(n)\ll g(n)$ if $|f(n)|\le c g(n)$ for some absolute constant $c > 0$.

2.   Dirichlet characters and Gauss sums

Let $N > 1$ be an integer. The Ramanujan sum is denoted by

where $e_{N}(x) = \hbox{e}^{2\pi\sqrt{-1}x/N}$. We have

where $\mu$ is the Möbius function.

We recall that a Dirichlet character $\chi$ modulo $N$ is a function satisfying:

(i). $\chi(t_1t_2) = \chi(t_1)\chi(t_2)$,

(ii). $\chi(t+N) = \chi(t)$,

(iii). $\chi(t) = 0$ for $\gcd(t, N) > 1$,

(iv). $\chi$ is not identically zero.

When $\chi(n) = 1$ for all $n$ with $\gcd(n, N) = 1$ we say $\chi$ is the trivial character modulo $N$. An integer $d\mid N$ is called an induced modulus for $\chi$ if $\chi(a) = 1$ whenever $\gcd(a, N) = 1$ and $a\equiv 1\ (\bmod\ d)$. A Dirichlet character $\chi$ mod $N$ is said to be primitive mod $N$ if it has no induced modulus $d < N$. The smallest induced modulus $d$ for $\chi$ is called the conductor of $\chi$. Every non-trivial character $\chi$ modulo $N$ can be uniquely written as $\chi = \chi_0\chi^{*}$, where $\chi_0$ is the trivial character modulo $N$ and $\chi^{*}$ is the primitive character modulo the conductor of $\chi$.

For a Dirichlet character $\chi$ mod $N$, the Gauss sum associated with $\chi$ is defined by

Let $N^{*}$ be the conductor for $\chi$ and let $\chi^{*}$ be the induced primitive character.

Let $N_1$ be the maximal divisor of $N$ such that $N_1$ and $N^{*}$ have the same prime divisors. Then we have

See Chapter 8 of ^[3] or Chapter 1 of ^[18] for more details of Dirichlet characters, Ramanujan sums and Gauss sums.

Now we prove two lemmas on the mean values of characters sums.

Lemma 2.1. Let $k\geq 5$ be a prime and let $m$ be an odd number with $k\mid m$.Let $\chi$ be a Dirichletcharacter modulo $km$ such that $\chi^m$ is trivial and $\chi^{m'}$ is not trivialfor all $1\leq m' < m$. For integers $a_1$, $a_2$, $a_3$ and $a_4$ we have

Proof. Note that if $k\geq 5$, then the polynomials $t$, $t+m$, $t+2m$ and $t+3m$ are distinct. By the condition $k\mid m$ and the properties of residue systems we get

By the condition $k\mid m$ we further deduce that

which show that $\chi\left(1+nm\right)$ is a non-trivial additive character modulo $k$. Since $k$ is a prime, there is uniquely an integer $\beta$ such that $1\leq \beta\leq k-1$ and $\chi\left(1+nm\right) = e_k(\beta n)$. Hence,

By the orthogonality relation for additive character

we have

Then from

Since $k\mid m$, we know that $\chi^{a_1+a_2+a_3+a_4}$ is a multiplicative character modulo $m$ if $k\mid a_1+a_2+a_3+a_4$. Then

is a Gauss sum associated with $\chi^{-(a_1+a_2+a_3+a_4)}$ modulo $m$. By the assumption $\chi^m$ is trivial and $\chi^{m'}$ is not trivial for all $1\leq m' < m$ we know that $\chi^{-(a_1+a_2+a_3+a_4)}$ is trivial if and only if $m\mid a_1+a_2+a_3+a_4$. Then from (2.1) and (2.2) we get

if $m\mid (a_1+a_2+a_3+a_4)$ and $k\mid (a_2+2a_3+3a_4)$, and

Therefore

Lemma 2.2. Let $m$ be an odd number and let $k$ be a positive integer with $k\leq m$. Define

Then we have

Proof. Roughly speaking, by the upper bound for exponential sum

we know that only the terms when $|a_1|, |a_2|, |a_3|, |a_4|$ all are small contribute significantly to the main term in $\Xi_{m, k}$. Furthermore, for small enough $|a_1|, |a_2|, |a_3|, |a_4|$ the system of congruence equations

is just a system of equations

Specifically, for absolute constant $c > 0$ we get from (2.4) that

By applying the above $\ll$ estimate directly to each of $a_1$, $a_2$, $a_3$, $a_4$ sequentially we have

It is not hard to show from (2.4) that

where we used the trivial bound $\left|\sum\limits_{l_1 = \frac{m+1}{2}}^{m-1}e_m\left(-(a_3+2a_4)l_1\right)\right|\ll m$. By applying the above $\ll$ estimate to each of $a_3$, $a_4$ sequentially we have

where we used (2.3) in the last equality.

Following the same arguments in Lemma 2.2 of ^[15] we have

and

By elementary calculations we get

Hence,

Furthermore, we have

For $1\leq u_1, u_3, u_4\leq \frac{m-1}{2}$ with $2\mid u_1+u_3$, we know that

Then $3u_3-u_1\equiv 2u_4\ (\bmod\ m) \Longleftrightarrow 3u_3-u_1 = 2u_4$. Hence,

Combining (2.5)–(2.8) we immediately get

This completes the proof of Lemma 2.2.

3.   Correlation measures of order $4$

Now we prove Theorem 1.1. By the orthogonality relations of additive character sums we get

Hence,

Define

Following from the assumption that $Q_m(n)$ is $km$-periodic we get $\chi_{km}(n+km) = \chi_{km}(n)$, and by (1.1) we have

Then $\chi_{km}(n)$ is a Dirichlet character modulo $km$ such that $\chi_{km}^m$ is trivial and $\chi_{km}^{m'}$ is not trivial for all $1\leq m' < m$. Therefore

By (2.4) we get

Then from (3.1) and (3.2) we have

Combining (2.4), (3.3), Lemmas 2.1 and 2.2 we get

Then there exists absolute constant $\delta > 0$ such that

This proves the result.

4.   Final remarks

In this work, we have claimed that two families of binary sequences (see (1.3) and (1.4)) studied in the past several years have 'large' values on the correlation measures of order $4$. They would be very vulnerable if used in cryptography.

It seems interesting to consider the case when the full peaks on the periodic correlation measure of these sequences appear, i.e., their periodic correlation measure of order $\ell$ equals to the period, see ^[9]. Such problem may be related to their linear complexity.

Acknowledgments

H. Liu was partially supported by National Natural Science Foundation of China under Grant No. 12071368, and the Science and Technology Program of Shaanxi Province of China under Grant No. 2019JM-573 and 2020JM-026.

Z. Chen and C. Wu were partially supported by the Provincial Natural Science Foundation of Fujian under grant No. 2020J01905, by the Science and Technology Project of Putian City under grant No. 2021R4001-10, and by the Putian Univ. under grant No. PTU-P-61772292.

Conflict of interest

The authors declared that they have no conflicts of interest to this work.