AN EXTENSION OF BINARY THRESHOLD SEQUENCES FROM FERMAT QUOTIENTS

We extend the construction of $p^2$-periodic binary threshold sequences derived from Fermat quotients to the $d$-ary case, where $d$ is an odd prime divisor of $p-1$, and then, by defining cyclotomic classes modulo $p^2$, we present exact values of the linear complexity under the condition $d^{p-1} \not\equiv 1 \pmod{p^2}$. We also extend the results to the Euler quotients modulo $p^r$ with odd prime $p$ and $r \ge 2$. The linear complexity is very close to the period and is of the value desired for cryptographic purposes. The results extend the linear complexity of the corresponding $d$-ary sequences obtained in earlier work for the case where $d$ is a primitive root modulo $p^2$. Finally, partial results on the linear complexity of the sequences when $d^{p-1} \equiv 1 \pmod{p^2}$ are given.


Introduction
For an odd prime $p$ and an integer $u$ with $\gcd(u, p) = 1$, the Fermat quotient $q_p(u)$ modulo $p$ is defined as the unique integer with

More recently, Fermat quotients have been studied from the viewpoint of cryptography, see [3,4,9,11,16]. More precisely, Fermat quotients are used to construct pseudorandom sequences, and certain cryptographic measures of these sequences, such as the correlation measure and the linear complexity, are studied in the literature cited above.
In particular, after adding the definition $q_p(kp) = 0$, $k \in \mathbb{Z}$, Chen, Ostafe and Winterhof defined binary threshold sequences $(e_u)$ in [4] by
(1) $e_u = 0$ if $0 \le q_p(u)/p < \tfrac{1}{2}$, and $e_u = 1$ if $\tfrac{1}{2} \le q_p(u)/p < 1$.
The linear complexity (see below for the definition) of $(e_u)$ was studied in [2]. Considering the applications of $d$-ary sequences in many fields, we extend the binary sequences above by defining
(2) $f_u = $
where $d$ is a prime with $d \mid (p-1)$ and $\,= (p-1)/d$. In fact, if $d = 2$, $(f_u)$ is the binary threshold sequence in (1). Below we calculate the linear complexity of $(f_u)$.
The linear complexity is considered a primary quality measure for periodic sequences and plays an important role in applications of sequences in cryptography; a low linear complexity has turned out to be undesirable for cryptographic applications. We recall that the linear complexity $L((s_u))$ of a $T$-periodic sequence $(s_u)$ with terms in the finite field $\mathbb{F}_q$ with $q$ elements is the least order $L$ of a linear recurrence relation over $\mathbb{F}_q$
is called the minimal polynomial of $(s_u)$. The generating polynomial of $(s_u)$ is defined by
It is easy to see that
which is the degree of the minimal polynomial; see [14,17] for a more detailed exposition.
Theorem 2.1. Let $(f_u)$ be the $p^2$-periodic $d$-ary sequence defined as in (2). If $d^{p-1} \not\equiv 1 \pmod{p^2}$, then the linear complexity $L((f_u))$ and the minimal polynomial $m_f(x)$ of $(f_u)$ are given by
respectively.
for $0 \le l \le p-1$. From the definition of $(f_u)$, we see that the generating polynomial of $(f_u)$ is
Let $\overline{\mathbb{F}}_d$ be the algebraic closure of the finite field $\mathbb{F}_d$ and let $\theta \in \overline{\mathbb{F}}_d$ be a primitive $p^2$-th root of unity. Below we consider the common roots of $E(x)$ and $x^{p^2} - 1$ in $\overline{\mathbb{F}}_d$; the number of common roots determines the linear complexity of $(f_u)$ by (3). The following lemmas are essential to the proof of Theorem 2.1.

(iv) Since $\theta$ is a primitive $p^2$-th root of unity, i.e., $\theta^{p^2} = 1$, we have
Then we derive

Proof. Denote by $\lambda$ the multiplicative order of $d$ modulo $p^2$; note that $\lambda \mid p(p-1)$. According to the definition of Fermat quotients, we have
Meanwhile, the minimal polynomial of $\theta^a$ over $\mathbb{F}_d$ is given by
Continuing this process, we get that
That is, for every $l = 0, 1, \ldots, p-1$, the polynomial $D_l(x)$ has at least $p(p-1)$ roots. However, among the exponents in $\{u : 0 \le u \le p^2-1,\ \gcd(u,p) = 1\}$ that occur in the polynomials $D_l(x)$, $0 \le l \le p-1$, only $p-1$ are larger than $p^2 - p$ (notice that $x^{p^2-p}$ itself never appears). So by the pigeonhole principle there is at least one $l$, $0 \le l \le p-1$, with $\deg(D_l(x)) < p^2 - p$. This contradicts the fact that $D_l(x)$ has at least $p^2 - p$ distinct roots. Therefore, for all $u \in \mathbb{Z}^*_{p^2}$, we always have $D_l(\theta^u) \ne 0$. Now we prove Theorem 2.1.
Proof of Theorem 2.1. We prove this theorem by the following two facts.
(i) If $d^{p-1} \not\equiv 1 \pmod{p^2}$, then $E(\theta^u) \ne 0$ for all $u \in \mathbb{Z}^*_{p^2}$. Suppose that there is some $a \in D_k$, for some $0 \le k \le p-1$, such that $E(\theta^a) = 0$. As in the proof of Lemma 2.3, we then have $E(\theta^u) = 0$ for all $u \in \mathbb{Z}^*_{p^2}$. In particular $E(\theta^a) = E(\theta) = 0$ where $a \in D$. It follows from (ii) and (iii) of Lemma 2.2, after a simple calculation, that
Thus we have
by (iv) of Lemma 2.2. This contradicts Lemma 2.3. Therefore, for all $u \in \mathbb{Z}^*_{p^2}$, we always have $E(\theta^u) \ne 0$.
Note that each $D_l$ has $p-1$ elements for $0 \le l < p$ and $D_l \pmod p = \{1, 2, \ldots, p-1\}$ (see the proof of Lemma 3 in [2]). So we have the following two results.
If $u = 0$, we have
Putting everything together, we have $E(\theta^u) = 0$ if and only if $u \in \{kp : 0 \le k \le p-1\}$, that is, the number of common roots of $E(x)$ and $x^{p^2} - 1$ is $p$, so the linear complexity of $(f_u)$ is $p^2 - p$.
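As an added example (written for this edit, not code from the paper), the following Python script builds the sequence $(f_u)$ of Section 2 from the Fermat quotient and the cyclotomic classes $D_l$, and measures its linear complexity over $\mathbb{F}_d$ with the Berlekamp-Massey algorithm, which is also the algorithm behind the Conclusion's remark that $2L$ consecutive terms determine the whole sequence. Two points are assumptions rather than statements of this copy of the paper, whose displays (2) and (3) are missing: the Fermat quotient is taken as the standard $q_p(u) = ((u^{p-1}-1)/p) \bmod p$ with $q_p(kp) = 0$, and the $d$-ary threshold rule is taken as the natural analogue of (1), $f_u = l$ iff $l/d \le q_p(u)/p < (l+1)/d$, which reduces to (1) for $d = 2$. All function names are the example's own.

```python
"""Fermat-quotient d-ary threshold sequences and their linear complexity.

Added example, not from the paper.  Assumptions (see lead-in):
  * q_p(u) = ((u^(p-1) - 1) / p) mod p for gcd(u, p) = 1, and q_p(kp) = 0.
  * Threshold rule: f_u = l  iff  l/d <= q_p(u)/p < (l+1)/d,
    i.e. f_u = floor(d * q_p(u) / p); for d = 2 this is the binary rule (1).
"""
from typing import List, Tuple


def fermat_quotient(u: int, p: int) -> int:
    """q_p(u) in {0, ..., p-1}, with the paper's convention q_p(kp) = 0."""
    if u % p == 0:
        return 0
    # u^(p-1) mod p^2 is congruent to 1 mod p; the excess divided by p is q_p(u).
    return ((pow(u, p - 1, p * p) - 1) // p) % p


def is_wieferich_pair(d: int, p: int) -> bool:
    """True when d^(p-1) = 1 (mod p^2), the case Theorem 2.1 excludes."""
    return pow(d, p - 1, p * p) == 1


def cyclotomic_classes(p: int) -> List[List[int]]:
    """D_l = {u in Z*_{p^2} : q_p(u) = l}; the paper notes |D_l| = p - 1."""
    classes: List[List[int]] = [[] for _ in range(p)]
    for u in range(1, p * p):
        if u % p != 0:
            classes[fermat_quotient(u, p)].append(u)
    return classes


def threshold_sequence(p: int, d: int) -> List[int]:
    """One period of (f_u), u = 0, ..., p^2 - 1 (assumed threshold rule)."""
    if (p - 1) % d != 0:
        raise ValueError("d must divide p - 1")
    return [(d * fermat_quotient(u, p)) // p for u in range(p * p)]


def berlekamp_massey(seq: List[int], q: int) -> Tuple[int, List[int]]:
    """Linear complexity L and connection polynomial C(x) = 1 + c_1 x + ... + c_L x^L
    over the prime field F_q, i.e. s_n + c_1 s_{n-1} + ... + c_L s_{n-L} = 0."""
    C, B = [1], [1]
    L, m, b = 0, 1, 1
    for n, s in enumerate(seq):
        disc = s
        for j in range(1, min(L, len(C) - 1) + 1):
            disc += C[j] * seq[n - j]
        disc %= q
        if disc == 0:
            m += 1
            continue
        coef = disc * pow(b, -1, q) % q        # b is a previous nonzero discrepancy
        T = C[:]
        if len(C) < len(B) + m:
            C += [0] * (len(B) + m - len(C))
        for j, bj in enumerate(B):              # C(x) <- C(x) - coef * x^m * B(x)
            C[j + m] = (C[j + m] - coef * bj) % q
        if 2 * L <= n:
            L, B, b, m = n + 1 - L, T, disc, 1
        else:
            m += 1
    C = C + [0] * max(0, L + 1 - len(C))
    return L, C[:L + 1]


def linear_complexity(p: int, d: int) -> int:
    """L((f_u)) over F_d, computed from two periods (2L <= 2 p^2 terms suffice)."""
    L, _ = berlekamp_massey(threshold_sequence(p, d) * 2, d)
    return L


def regenerate_from_prefix(p: int, d: int) -> bool:
    """The Conclusion's point: the recurrence found from 2L terms reproduces the
    whole period from its first L terms."""
    period = threshold_sequence(p, d)
    L, C = berlekamp_massey(period * 2, d)
    out = period[:L]
    while len(out) < len(period):
        n = len(out)
        out.append((-sum(C[j] * out[n - j] for j in range(1, L + 1))) % d)
    return out == period


if __name__ == "__main__":
    p, d = 7, 3   # 3^6 = 729 = 14*49 + 43, so 3^(p-1) is not 1 mod 49
    print("Wieferich pair:", is_wieferich_pair(d, p))
    print("class sizes:", [len(c) for c in cyclotomic_classes(p)])
    print("L =", linear_complexity(p, d), " p^2 - p =", p * p - p)
    print("regenerated from first L terms:", regenerate_from_prefix(p, d))
```

For $p = 7$, $d = 3$ the hypothesis of Theorem 2.1 holds ($3^6 = 729 \equiv 43 \pmod{49}$), every $D_l$ has $p - 1 = 6$ elements, the computed value is $L = 42 = p^2 - p$, and the recurrence obtained from two periods regenerates the period from its first $L$ terms; $p = 13$, $d = 3$ gives $L = 156$ in the same way. The case $d = 2$ is the binary sequence (1) of [4], to which the theorem for odd $d$ does not apply: for $p = 3$ the period is $000011000$ and $L = 8$.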

Extension
For an odd prime $p$, integers $r \ge 2$ and $u$ with $\gcd(u, p) = 1$, the Euler quotient $Q_{p^r}(u)$ modulo $p^r$ is defined as the unique integer with
where $\varphi(\cdot)$ is the Euler totient function, and we also define
See, e.g., [1,5,18] for details. We note that $Q_{p^r}(u)$ is a $p^{r+1}$-periodic sequence modulo $p^r$ by the fact
for any integers $k$ and $u$ with $\gcd(u, p) = 1$. We note that $Q_{p^r}(u)$ is an extension of the Fermat quotient $q_p(u)$ studied in [10,12,16,19,20,21,22] and the references therein.
We define the $d$-ary sequences $(h_u)$ by
where $\,:= (p-1)/d$ and $M_r := p^{r-1} + \cdots + p + 1 = \frac{p^r - 1}{p - 1}$. One can easily see that the sequences defined in (5) coincide with those in (1) and (2) if $d = 2$, $r = 1$ and $d > 2$, $r = 1$, respectively. Thus, in the following, we discuss the linear complexity of the sequences under the restriction $d > 2$ and $r > 1$. For these sequences we have
Theorem 3.1. Let $(h_u)$ be the $p^{r+1}$-periodic $d$-ary sequence defined as in Eq. (5). If $d^{p-1} \not\equiv 1 \pmod{p^2}$, then the linear complexity $L((h_u))$ and the minimal polynomial
respectively.
In order to determine the linear complexity of the sequences, we define a partition of the residue class ring modulo $p^{n+1}$ with respect to the Euler quotient $Q_{p^n}(u)$ for $1 \le n \le r$.
Let $D$
for $n = 1, 2, \ldots, r$ and $l = 0, 1, \ldots, p^n - 1$; then the generating polynomial of $(h_u)$ is
Since the proof is similar to that of the analogous results for the sequence $(f_u)$ in Section 2, we only give a sketch. Let $\beta \in \overline{\mathbb{F}}_d$ be any primitive $p^{r+1}$-th root of unity; then $\beta^{p^{r-n}} \in \overline{\mathbb{F}}_d$ is a primitive $p^{n+1}$-th root of unity for every integer $1 \le n \le r$. We prove the theorem by the following lemmas.
If $u \in p^{r-n} D^{(n)}_l$ for $1 \le n \le r$ and $0 \le l \le p^n - 1$, write $u = v p^{r-n}$ for some $v \in D^{(n)}_l$.
Thus, from (i) and (ii) of Lemma 3.3, after a simple calculation we have
This contradicts Lemma 3.4. Therefore, for all $u \in p^{r-n} \mathbb{Z}^*_{p^{n+1}}$ with $1 \le n \le r$, we always have $H(\beta^u) \ne 0$.
(viii) $H(\beta^u) = 0$ if $u \in p^r \mathbb{Z}_p$. The proof is similar to that of fact (ii) in the proof of Theorem 2.1, so we omit it.
Putting everything together, one can get the desired results.
To illustrate the validity of Theorem 3.1, some examples of $p^{r+1}$-periodic $d$-ary sequences $(h_u)$ are given as follows:

Conclusion
For cryptographic purposes, one should construct pseudorandom sequences with high linear complexity, because the Berlekamp-Massey algorithm [15] recovers the whole sequence from a knowledge of just $2L$ consecutive terms, where $L$ is the linear complexity. So it is desirable that the linear complexity be at least half of the period. The linear complexity of the sequences in this article takes the value $p^{r+1} - p$, which is larger than half of the period. Thus they are good enough from the viewpoint of stream ciphers.
It is natural to ask what happens in the case $d^{p-1} \equiv 1 \pmod{p^2}$. Recall that primes $p$ with $a^{p-1} \equiv 1 \pmod{p^2}$ are called Wieferich primes to base $a$ in [6,13]. Historically, much computational effort has been devoted to finding solutions $p$ for small fixed bases $a$. Nevertheless, it has been known for more than a century [7] that for an arbitrarily chosen prime $p$, infinitely many bases $a$ exist for which $a^{p-1} \equiv 1 \pmod{p^2}$ is satisfied. However, the known results show that such pairs $(a, p)$ with $100 < a < 1000$ and $10^4 < p < 10^{11}$ are rare, so the condition of our theorems excludes very little; thus the result generalizes the earlier one derived from Fermat quotients in [2]. In the excluded case it is difficult to determine the exact value of the linear complexity, and here we only present the following results without proof.