Algebraic dependence in generating functions and expansion complexity

In 2012, Diem introduced a new figure of merit for cryptographic sequences called expansion complexity. Recently, a series of paper has been published for analysis of expansion complexity and for testing sequences in terms of this new measure of randomness. In this paper, we continue this analysis. First we study the expansion complexity in terms of the Gr\"obner basis of the underlying polynomial ideal. Next, we prove bounds on the expansion complexity for random sequences. Finally, we study the expansion complexity of sequences defined by differential equations, including the inversive generator.


Introduction
For a sequence S = (s n ) ∞ n=0 over the finite field F q of q elements, we define its generating function G(x) of S by s n x n , viewed as a formal power series over F q .
A sequence S is called expansion sequence or automatic sequence if its generating function satisfies an algebraic equation (1) h(x, G(x)) = 0 for some nonzero polynomial h(x, y) ∈ F q [x, y].Clearly, the polynomials h(x, y) ∈ F q [x, y] satisfying (1) form an ideal in F q [x, y].This ideal is called the defining ideal and it is a principal ideal generated by an irreducible polynomial, see [3,Proposition 4].Expansion sequences can be efficiently computed from a relatively short subsequence via the generating polynomial of its defining ideal [3,Section 5].
Proposition 1.Let S be an expansion sequence and let h(x, y) be the generating polynomial of its defining ideal.The sequence S is uniquely determined by h(x, y) and its initial sequence of length (deg h) 2 .Moreover, h(x, y) can be computed in polynomial time (in log q • deg h) from an initial sequence of length (deg h) 2 .
Based on Proposition 1, Diem [3] defined the N th expansion complexity in the following way.For a positive integer N , the N th expansion complexity E N = E N (S) is E N = 0 if s 0 = . . .= s N −1 = 0 and otherwise the least total degree of a nonzero polynomial h(x, y) ∈ F q [x, y] with (2) h(x, G(x)) ≡ 0 mod x N .
For recent results on expansion complexity we refer to [9,10].For example, it was pointed out in [9], that small expansion complexity does not imply high predictability in the sense of Proposition 1.
Example.Let S be a sequence over the finite field F p (p ≥ 3) with initial segment S = 000001 . . .and generating function G(x) ≡ x 5 mod x 6 .Then its 6th expansion complexity is E 6 (S) = 2 realized by the polynomial h(x, y) = x • y.However, the first 4 elements do not determine the whole initial segment with length 6.
In order to achieve the predictability of sequences in terms of Proposition 1, one needs to require that the polynomial h(x, y) satisfying ( 2) is irreducible.This observation leads to the i(rreducible)-expansion complexity of a sequence.Accordingly, for a positive integer N , the N th i-expansion complexity 0 and otherwise the least total degree of an irreducible polynomial h(x, y) ∈ F q [x, y] with (2).
See [9] for more details for expansion and i-expansion complexity.
In this paper we first give bounds on the expansion and i-expansion complexity in terms of the Gröbner basis of the ideal of polynomials (2) in Section 2. In Section 3 we study the typical value of expansion complexity for random sequences.Finally, in Section 4 we study the expansion complexity of sequences defined by differential equations.An example of such a sequence is the so-called explicit inversive generator.

Expansion complexity and Gröbner bases
In this section we determine the expansion and i-expansion complexity of a sequence in terms of the Gröbner basis of its defining ideal.

2.1.
A brief introduction to Gröbner bases.In the following section, we give a brief introduction of Gröbner bases with special emphasis in properties.For a more complete introduction, we recommend to consult the introductory books of Eisenbud [4] and zur Gathen [13].In this section we focus only on polynomials with 2 variables and recall the basic notion just for this special case.
It is known that for any ideal I, there exists {P 1 , . . ., P ℓ } that is a reduced Gröbner basis with respect to < grlex and this basis is unique, apart from permutations of the elements.
The following corollary directly follows from Property (f).

2.2.
Main results on expansion complexity and Gröbner bases.For a sequence Clearly, G(x) ≡ G N (x) mod x N .The polynomials h(x, y) satisfying (2) form an ideal I generated by I = y − G N (x), x N .We prove the following result which makes a link between the expansion and i-expansion complexity and the Gröbner basis of I.
Theorem 1.Given any sequence S over F q let P = {P 1 , . . ., P ℓ } be a reduced Gröbner basis for y − G N (x), x N with respect to < grlex .Then

and
E * N (S) ≤ min{|LE(P i )| : P i ∈ P is irreducible}.As a consequence, we have the following bounds on the i-expansion complexity: From a Gröbner basis with respect to a lexicographic order one can compute the Gröbner basis of the same ideal with respect to the graded lexicographical using the FGLM algorithm [6].The computational complexity of the algorithm, from an ideal generated by . Thus one can find the polynomials P 1 , . . ., P ℓ in Theorem 1, and compute the expansion and i-expansion complexity in at most N 3 (log q) O(1) binary operations.
Proof.In order to prove the first part, observe that for any polynomial h(x, y) satisfying (2) we have LM (P i ) ≤ grlex LM (h) for some i, so deg For the second part, if s n = 0 for 2 ≤ n ≤ N − 1, then the result is immediate.Otherwise, we can reduce it to the case when s 0 = s 1 = 0.If the non-zero polynomial h(x, y) satisfies (2), then As E N (S) ≥ 2, we have |LE(P 1 )|, . . ., |LE(P ℓ )| ≥ 2 by the first part of the theorem.Then by Corollary 1 the reduced Gröbner basis changes according to the linear transform of the variables y → y + s 0 + s 1 x.Moreover, the irreducibly of polynomials h(x, y) and P 1 , . . ., P ℓ does not changes under this transformation.Evenmore, because the definition of < grlex , applying that linear transformation to P 1 , . . ., P ℓ results in a Gröbner basis with respect to < grlex .Now, we are going to show that one of the polynomials P 1 , . . ., P ℓ must be irreducible.Suppose contrary, that all the polynomials P 1 , . . ., P ℓ are reducible, so for all i = 1, . . ., ℓ, As P i belongs to the reduced Gröbner basis of y−G N (x), x N , we have Since s 0 = s 1 = 0, the smallest degree term of G N (x) has degree at least two, so we must have R i (x, y) ∈ x, y .Similarly, we also get T i (x, y) ∈ x, y .Write Then R i (x, y)T i (x, y) ∈ y 2 , yx, x 2 , so , yx, x 2 .However, y − G N (x) ∈ y 2 , yx, x 2 , a contradiction.

A probabilistic result
In this section we study the N th expansion complexity for random sequences.We prove, that for such sequences the N th expansion complexity is large.
Let µ q be the uniform probability measure on F q which assigns the measure 1/q to each element of F q .Let F ∞ q be the sequence space over F q and let µ ∞ q be the complete product probability measure on F ∞ q induced by µ q .We say that a property of sequences S ∈ F ∞ q holds µ ∞ q -almost everywhere if it holds for a set of sequences S of µ ∞ q -measure 1.We may view such a property as a typical property of a random sequence over F q .
Theorem 2. We have We remark, that Theorem 2 is the corrected form of [10,Theorem 4].In [10], the authors used [3, Proposition 7], which requires the irreducibly property, and consequently, it holds for the i-expansion complexity instead for the expansion complexity, see [9,Theorem 2].Theorem 2 gives now a lower bound on the expansion complexity of typical sequences.
Proof.First we fix an ε with 0 < ε < 1 and we put for some positive ε 0 if N is large enough.For such N put Since E N (S) depends only on the first N terms of S, the measure µ ∞ q (A N ) is given by ( 4) Without loss of generality, we can suppose that j = 1.
We estimate the cardinality of A N by the number of such sequences that . For a fixed irreducible polynomial of degree d there are at most d choices for S 1 (see [3, p. 332]) and q N −N1 choices for S 2 .If two irreducible polynomials are constant multiples of each other, they define the same sequences S 1 .
Let a polynomial f (x, y) of degree d be called normalized if in the coefficient vector (a 0 , a 1 , . . ., a d ) of the homogeneous part with degree d of f , i.e., the first nonzero element is 1.
Let I 2 (d) be the number of normalized irreducible polynomials (with two variables) in F q [x, y] of total degree d.Then by [2] we have One of the most important examples for such sequence is the explicit inversive generator over a prime field F p , with some prime p ≥ 3, defined by (8) s Theorem 3. Let S = (s n ) be a sequence over F p .Assume, that its generating function G(x) satisfies Previously, only a few examples for sequences were known with large expansion complexity, all of them share the property (7).Namely, the sequences of binomial coefficients A = (a n ) ∞ n=0 , defined by for some k ≥ 0, whose generating function is G k (x) = (1−x) −1−k by [10, Lemma 2], which satisfies (x − 1)G ′ k (x) − (k + 1)G k (x) = 0, and the explicit inversive generator defined by ( 8) with b = 0, see [9].
We also remark, that (9) defines a linear recurrence relation to the counterdependent sequence (n s n ) in terms of (s n ) and (n s n ).This type of relations appears in the so called counter-dependent nonlinear recursive pseudorandom number generators.A counter-dependent nonlinear recursive pseudorandom number generator is of the form: This class of generators was introduced by Shamir and Tsaban in order to avoid unexpected short cycles (see Definition 2.4 of [11]) for m = 1.Special cases of this type of generators have been studied in relation with exponential sums and multiplicative character sums [1,5,8,12].For example, sequences whose generating function G(x) satisfies x + s 0 = 0 coincides with the special class of sequences proposed by Shparlinski and Winterhof [12], defined as s n = ns n−1 + 1.
In order to prove Theorem 3, we need the following result, see [3,Lemma 6].
Lemma 2. Let h(x, y) ∈ F q [x, y] be an irreducible polynomial of degree d and let S be an expansion sequence defined by h(x, y).Let f (x, y) ∈ F q [x, y] be a nonzero polynomial with f (x, G(x)) ≡ 0 mod x d•deg f .
Then f (x, y) is a multiple of h(x, y).
Proof of Theorem 3. Put K = deg f 0 (x).There is a nonzero element among s 0 , . . ., s K+1 and thus E K+1 (S) ≥ 1.Indeed, if G(x) ≡ 0 mod x K+2 , then f 0 (x) = 0 by ( 9), a contradiction.If s 0 = 0, consider the sequence S = (s n ) with s0 = 1 and sn = s n for n ≥ 1.Let Ḡ(x) = G(x) + 1 be the generating function of S. Then h(x, Ḡ(x)) ≡ 0 mod x N if and only if h(x, G(x) + 1) ≡ 0 mod x N .Thus E N (S) = E N ( S) whenever E N (S) > 0. As it holds for N ≥ K + 1, we can assume that s 0 = 0 and E 1 (S) = 1.Now suppose that the result does not hold for some N ≥ K + 2, and fix N as a minimal value such (10) d(d + F ) < N.
where d = E N (S).We can assume, that d < p.Let h(x, y) ∈ F q [x, y] such that deg h(x, y) = d and h(x, G(x)) ≡ 0 mod x N .First we prove, that h(x, y) is irreducible.Suppose, that h(x, y) = h 1 (x, y)h 2 (x, y) and Then by the minimality of N we have Taking the derivative of the equation h(x, G(x)) ≡ 0 mod x N we get thus multiplying it with f 2 (x) the we get by ( 9) that ( 12) The degree of ( 13) Let S = (s n ) be an expansion sequence defined h(x, y) with sn = s n for 0 ≤ n < N .As d 2 < N , S is unique.Then by (10), (12) and by Lemma 2 we get that g(x, y) is a multiple of h(x, y), for some nonzero c(x, y) ∈ F q [x, y].Comparing the degrees of g(x, y) and c(x, y)h(x, y) with respect to y, we get c(x, y We show, that c(α) = 0. Write We can assume, that k < p and r k (x) = 0.The coefficient of If α is a zero of c, then it's a zero of g by ( 14) and thus it's a zero of ∂h ∂y by (13).As k < p, α is also a zero of r k .Let t ≥ 1 be the multiplicity of α in r k .As α is a single zero of f 2 , its multiplicity of the left hand side of (15) is t, while its multiplicity of the right hand side is at least t + 1, a contradiction.
Substituting x = α in (14), we get Since c(α) = 0, h(α, y) must be zero, otherwise it cannot be a constant multiple of its derivative.Thus the minimal polynomial of α divides h(x, y), a contradiction.
Theorem 3 allows us to control the expansion complexity of the explicit inversive generator defined by (8).We remark, that for b = 0 it was shown by Gómez-Pérez, Mérai and Niederreiter that the sequence has optimal expansion complexity, see [9].Now we deal with the general case.
On the other hand Then by ( 16) and (17) we get For N ≤ b we have thus by Theorem 3 we have For N > b (18) leads to and by Theorem 3 we get Remark.The proof gives the stronger bounds on expansion complexity of the explicit inversive generator S a,b with parameters a If the parameters (a, b) are chosen uniformly from F * p ×F p , then it provides a squareroot bound for almost all parameters (a, b) which is optimal, see [9, Theorem 1].
In Theorem 3 we gave lower bounds on the N th expansion complexity of sequences whose generating function satisfies a first order differential equation (7).However, we conjecture that sequences with higher order differential equation (7) have also large expansion complexity.Problem 1.Let S = (s n ) be a sequence in F q such that its generating function G(x) satisfies (7).Estimate the N th expansion complexity E N (S) of the sequence S in terms of the coefficient polynomials of (7).
In [10], Mérai, Niederreiter and Winterhof studied the connection between the expansion and linear complexity of sequences.We recall, that the N th linear complexity L N (S) of a sequence S over a finite field F q is zero if They proved, that large expansion complexity implies large linear complexity They also provided a lower bound on the expansion complexity in terms of the linear complexity, however the bound also depends on the linear recurrence relation (21).
Here we give lower bounds on the N th linear complexity of sequences with (7) over arbitrary (i.e.not prime) finite fields.This result along with [10] motivates Problem 1.
Comparing the degrees of both sides we get max

Corollary 2 .
Let S = (s n ) be the explicit inversive generator defined by (8) with a, b ∈ F p , a = 0. Then we have E N (S) ≥ cN 1/4 for 2 ≤ N < p for some absolute constant c > 0. Proof.For b = 0 a stronger bound follows from [9, Theorem 8], thus we can assume, that b = 0.As G a,b (x) = a −1 G 1,b/a (x), we can assume, that a = 1.Write G