Distribution and Polynomial Interpolation of the Dodis-Yampolskiy Pseudo-Random Function

Abstract

We give some theoretical support to the security of the cryptographic pseudo-random function proposed by Dodis and Yampolskiy in 2005. We study the distribution of the function values over general finite fields and over elliptic curves defined over prime finite fields. We also prove lower bounds on the degree of polynomials interpolating the values of these functions in these two settings.

A Proof of Proposition 1

The classical Weil bound for exponential sums can be found in [Wei48, NW00].

Lemma 4

Let F(x) be a non constant polynomial in \(\mathbb {F}_q[x]\) such that \(F(x)\ne h(x)^p-h(x)\) for any \(h(x)\in \overline{\mathbb {F}_q}(x)\). We have

$$\begin{aligned}\left| \sum _{x\in \mathbb {F}_q}\psi (F(x))\right| \le (\deg (F)-1)q^{1/2} \end{aligned}$$

We deduce the following simple lemma:

Lemma 5

For any pairwise distinct positive integers \(1\le r_1,\dots ,r_{\upsilon }\le R\), we have

$$\begin{aligned} \max _{\begin{array}{c} (a_1,\dots ,a_{\upsilon })\in \mathbb {F}_{p^r}^{\upsilon }\\ (a_1,\dots ,a_{\upsilon })\ne (0,\dots ,0) \end{array}}\left| \sum _{n=1}^{t}\psi \left( \sum _{i=1}^{\upsilon }a_ig^{r_in}\right) \right| \le Rq^{1/2}. \end{aligned}$$

Proof

Let \(s={(q-1)}/{t}\). We have \(g=\theta ^s\), where \(\theta \) is a primitive root in \(\mathbb {F}_{q}\) and

$$\begin{aligned} \sum _{n=1}^{t}\psi \left( \sum _{i=1}^{\upsilon }a_ig^{r_in}\right) =\sum _{n=1}^{t}\psi \left( \sum _{i=1}^{\upsilon }a_i\theta ^{sr_in}\right)= & {} \frac{1}{s}\sum _{n=1}^{q-1}\psi \left( \sum _{i=1}^{\upsilon }a_i\theta ^{sr_in}\right) \\= & {} \frac{1}{s}\left( \sum _{x\in \mathbb {F}_{q}}\psi \left( \sum _{i=1}^{\upsilon }a_ix^{sr_i}\right) -1\right) \end{aligned}$$

Applying Lemma 4, we obtain:

$$\begin{aligned} \max _{\begin{array}{c} (a_1,\dots ,a_{\upsilon })\in \mathbb {F}_{p^r}^{\upsilon }\\ (a_1,\dots ,a_{\upsilon })\ne (0,\dots ,0) \end{array}}\left| \sum _{n=1}^{t}\psi \left( \sum _{i=1}^{\upsilon }a_ig^{r_in}\right) \right| \le \frac{1}{s}((Rs-1)q^{1/2}+1)\le Rq^{1/2}. \end{aligned}$$

   \(\square \)

Proof

(Proposition 1 ). For any integer \(k\ge 2\), we have

$$\begin{aligned} {S_{a,b}}^k=\sum _{n_1,\dots ,n_k\in \mathbb {Z}_{t}^*}\psi \left( a\sum _{j=1}^{k}g^{1/n_j}\right) e_t\left( b\sum _{j=1}^{k} n_j\right) . \end{aligned}$$

For \(m \in \mathbb {Z}_{t}\), we collect together the terms with \(n_1+\dots +n_k\equiv m \bmod t\), getting:

$$\begin{aligned} \left| S_{a,b}\right| ^k\le \sum _{m\in \mathbb {Z}_{t}}\left| \sum _{\begin{array}{c} n_1,\dots ,n_k\in \mathbb {Z}_{t}^*\\ n_1+\dots +n_k\equiv m \bmod t \end{array}}\psi \left( a\sum _{j=1}^{k}g^{1/n_j}\right) \right| . \end{aligned}$$

By the Cauchy inequality, we can upper-bound \(\left| S_{a,b}\right| ^{2k} \) by

$$\begin{aligned} t\sum _{m\in \mathbb {Z}_{t}}\left| \sum _{\begin{array}{c} n_1,\dots ,n_k\in \mathbb {Z}_{t}^*\\ n_1+\dots +n_k\equiv m \bmod t \end{array}}\psi \left( a\sum _{j=1}^{k}g^{1/n_j}\right) \right| ^2 = t\sum _{(n_1,\dots ,n_{2k})\in N_k}\psi \left( a\sum _{j=1}^{2k}(-1)^jg^{1/n_j}\right) \end{aligned}$$

where the outside summation is taken over the set of vectors

$$\begin{aligned} N_k=\{(n_1,\dots ,n_{2k})\in (\mathbb {Z}_{t}^*)^{2k}\,: n_1+\dots +n_{2k-1}\equiv n_2+n_4+\dots +n_{2k} \bmod t)\}. \end{aligned}$$

One can see that for any \(m\in \mathbb {N}\) with \(\gcd (m,t)=1\), we have

$$\begin{aligned} \sum _{(n_1,\dots ,n_{2k})\in N_k}\psi \left( a\sum _{j=1}^{2k}(-1)^jg^{1/n_j}\right) =\sum _{(n_1,\dots ,n_{2k})\in N_k}\psi \left( a\sum _{j=1}^{2k}(-1)^jg^{m/n_j}\right) . \end{aligned}$$

Let us fix some parameter Q with \(Q\ge 2\log t\). Let \(\mathcal {Q}\) be the set of primes \(m \le Q\) with \(\gcd (m,t)=1\). Averaging over all \(m \in \mathcal {Q}\), we obtain

$$\begin{aligned} \left| S_{a,b}\right| ^{2k}\le \frac{t}{\sharp \mathcal {Q}}\sum _{m\in \mathcal {Q}}\sum _{(n_1,\dots ,n_{2k})\in N_k}\psi \left( a\sum _{j=1}^{2k}(-1)^jg^{m/n_j}\right) . \end{aligned}$$

The number w(t) of prime divisors of t satisfies \(w(t)\le (1+o(1)) ({\log t})/({\log \log t)}\) (which can be seen from the trivial inequality \(w(t)!\le t\) and the Stirling formula). By the prime number theorem, we have (since \(Q\ge 2\log t\)):

$$\begin{aligned} \sharp \mathcal {Q}\ge (1+o(1))\frac{Q}{\log Q}-(1+o(1))\frac{\log t}{\log (\log t)}\ge 0.5\frac{Q}{\log Q}, \end{aligned}$$

provided that t is large enough. We have \(\sharp N_k\le t^{2k-1}\). Using the Hölder inequality and then extending the region of summation, we obtain that for any integer \(\ell \ge 1\), we have:

$$\begin{aligned} \left| S_{a,b}\right| ^{4k\ell }\le & {} \frac{t^{2\ell }}{\sharp \mathcal {Q}^{2\ell }}(\sharp N_k)^{2\ell -1}\sum _{n_1,\dots ,n_{2k}\in \mathbb {Z}_{t}^*}\left| \sum _{m \in \mathcal {Q}}\psi \left( a\sum _{j=1}^{2k}(-1)^jg^{m/n_j}\right) \right| ^{2\ell } \\\ll & {} \frac{t^{4k\ell -2k+1}\log ^{2\ell }Q}{Q^{2\ell }}\sum _{n_1,\dots ,n_{2k}=1}^{t}\left| \sum _{m \in \mathcal {Q}}\psi \left( a\sum _{j=1}^{2k}(-1)^jg^{mn_j}\right) \right| ^{2\ell }\\= & {} \frac{t^{4k\ell -2k+1}\log ^{2\ell }Q}{Q^{2l}}\sum _{n_1,\dots ,n_{2k}=1}^{t}\sum _{m_1,\dots ,m_{2\ell }\in \mathcal {Q}}\psi \left( a\sum _{j=1}^{2k}\sum _{h=1}^{2\ell }(-1)^{j+h}g^{m_hn_j}\right) \\= & {} \frac{t^{4k\ell -2k+1}\log ^{2\ell }Q}{Q^{2\ell }}\sum _{m_1,\dots ,m_{2\ell }\in \mathcal {Q}}\left| \sum _{n=1}^{t}\psi \left( a\sum _{h=1}^{2\ell }(-1)^hg^{m_hn}\right) \right| ^{2k}. \end{aligned}$$

For \(O(\sharp \mathcal {Q}^\ell )\)=\(O(Q^\ell \log ^{-\ell } Q)\) tuples \((m_1,\dots ,m_{2\ell })\in \mathcal {Q}^{2\ell }\) such that the tuple of the elements on the odd positions \((m_1,\dots ,m_{2\ell -1})\) is a permutation of the elements on the even positions \((m_2,\dots ,m_{2\ell })\), we estimate the inner sum trivially as t.

For the remaining \(O((\sharp Q)^{2\ell })=O(Q^{2\ell }(\log Q)^{-2\ell })\) tuples, we use the bound of Lemma 5. Therefore,

$$\begin{aligned} \left| S_{a,b}\right| ^{4k\ell }\ll & {} \frac{t^{4k\ell -2k+1}\log ^{2\ell }Q}{Q^{2l}}(Q^\ell \log ^{-\ell }Q t^{2k}+Q^{2\ell }\log ^{-2\ell }Q(Qq^{1/2})^{2k})\\= & {} t^{4k\ell -2k+1}(Q^{-\ell }\log ^\ell Qt^{2k}+Q^{2k}q^k). \end{aligned}$$

Taking \(Q=2t^{2k/(2k+\ell )}q^{-k/(2k+\ell )}(\log q)^{\ell /(2k+\ell )}\) and if \(t\ge q^{1/2}(\log q)^2\), one can see that \(Q\ge 2\log t\) and we obtain

$$\begin{aligned} \left| S_{a,b}\right| ^{4k\ell }\ll t^{4k\ell -(2k\ell -2k-\ell )/(2k+\ell )}q^{k\ell /(2k+\ell )}(\log q)^{\ell /(2k+\ell )} \end{aligned}$$

and the result follows.    \(\square \)