BINARY SEQUENCES DERIVED FROM DIFFERENCES OF CONSECUTIVE QUADRATIC RESIDUES

For a prime $p \ge 5$ let $q_0, q_1, \ldots, q_{(p-3)/2}$ be the quadratic residues modulo $p$ in increasing order. We study two $(p-3)/2$-periodic binary sequences $(d_n)$ and $(t_n)$ defined by $d_n = q_n + q_{n+1} \bmod 2$ and $t_n = 1$ if $q_{n+1} = q_n + 1$ and $t_n = 0$ otherwise, $n = 0, 1, \ldots, (p-5)/2$. For both sequences we find some sufficient conditions for attaining the maximal linear complexity $(p-3)/2$. Studying the linear complexity of $(d_n)$ was motivated by heuristics of Caragiu et al. However, $(d_n)$ is not balanced and we show that a period of $(d_n)$ contains about $1/3$ zeros and $2/3$ ones if $p$ is sufficiently large. In contrast, $(t_n)$ is not only essentially balanced but also all longer patterns of length $s$ appear essentially equally often in the vector sequence $(t_n, t_{n+1}, \ldots, t_{n+s-1})$, $n = 0, 1, \ldots, (p-5)/2$, for any fixed $s$ and sufficiently large $p$.


Introduction
The linear complexity $L(s_n)$ of a sequence $(s_n)$ over $\mathbb{F}_2$ is the length $L$ of the shortest linear recurrence with coefficients $c_0, \ldots, c_{L-1} \in \mathbb{F}_2$. It is an important measure for the unpredictability and thus suitability of a sequence in cryptography. For surveys on linear complexity and related measures see [10,11,16,17]. Caragiu et al. [2] suggested studying the linear complexity of the sequence of the parities of differences of consecutive quadratic residues modulo $p$. In particular, they calculated the linear complexities for the first 1000 primes $p \ge 5$.
(2) The heuristic of Caragiu et al. for the linear complexity of $(d_n)$ shows that among the first 1000 primes $p \ge 5$ there are 671 sequences $(d_n)$ with maximal linear complexity $(p-3)/2$. In Section 2, we give some sufficient conditions on $p$ for the maximality of $L(d_n) = (p-3)/2$.
Balancedness is another desirable feature of a cryptographic sequence, that is, each period should contain about the same number of zeros and ones. We show in Section 3 that the sequence $(d_n)$ contains asymptotically $1/3$ zeros and $2/3$ ones in each period and is very unbalanced.
(3) In Section 4 we will show that $(t_n)$ is essentially balanced. Moreover, for fixed length $s$ each pattern $(t_n, t_{n+1}, \ldots, t_{n+s-1}) = x \in \{0, 1\}^s$ appears for essentially the same number of $n$ with $0 \le n \le (p-3)/2$ provided that $p$ is sufficiently large with respect to $s$.
Finally, we study the linear complexity of $(t_n)$ in Section 5 and provide a sufficient criterion for the maximality of $L(t_n)$. We also prove a lower bound on the $N$th maximum order complexity of $(t_n)$ which implies a rather moderate but non-trivial and unconditional lower bound on the $N$th linear complexity of $(t_n)$.
We use the notation $f(n) = O(g(n))$ if $|f(n)| \le c\,g(n)$ for some absolute constant $c > 0$.

2 Linear complexity of $(d_n)$
Our starting point to determine the linear complexity of a periodic sequence is [3, Lemma 8.2.1].
Lemma 1. Let $(s_n)$ be a $T$-periodic sequence over $\mathbb{F}_2$ and
Then the linear complexity $L(s_n)$ of $(s_n)$ is
We write the period of the sequence $(d_n)$ in the form with integers $s \ge 0$ and odd $r$. Then we have
We have to determine $\gcd(X^T - 1, D(X))$, where
First we study whether $D(X)$ is divisible by $(X - 1)$, that is, we determine the value of $D(1) \in \mathbb{F}_2$. According to the definition of the sequence $(d_n)$, we get
Since $-1$ is a quadratic residue modulo $p$ if and only if $p \equiv 1 \bmod 4$ and 2 is a quadratic residue modulo $p$ if and only if $p \equiv \pm 1 \bmod 8$, the largest quadratic residue $q_{(p-3)/2}$ modulo $p$ is
In the remaining case $p \equiv 7 \bmod 8$, both $-1$ and $-2$ are quadratic non-residues. Hence, the largest quadratic residue modulo $p$ is $p - u$ for some $u > 2$. Assume $u = 2m$ for some positive integer $m$. Since $-u$ and 2 are both quadratic residues modulo $p$, $-m \equiv p - m \bmod p$ is a quadratic residue modulo $p$ as well, a contradiction to the maximality of $p - u$. Hence, $u$ is odd. So, the largest quadratic residue modulo $p$ is
Thus we have
$$D(1) = \begin{cases} 0, & p \equiv 3 \bmod 8, \\ 1, & p \not\equiv 3 \bmod 8. \end{cases} \tag{4}$$
We return now to a general binary sequence $(s_n)$ of period $T$. The following provides a necessary condition for $S(\beta) = 0$ for a primitive $r$th root of unity $\beta$ in some extension field of $\mathbb{F}_2$.
Lemma 2. Let $r$ be an odd prime divisor of $T$ such that 2 is a primitive root modulo $r$. Let $\beta$ be any primitive $r$th root of unity in some extension field of $\mathbb{F}_2$. If $S(\beta) = 0$, then we have
Proof. Since 2 is a primitive root modulo $r$, the cyclotomic polynomial is irreducible over $\mathbb{F}_2$, and thus the minimal polynomial of $\beta$. In particular we have and $1, \beta, \ldots, \beta^{r-2}$ are linearly independent. Since $\beta^r = 1$ we get
Assume $S(\beta) = 0$. Then we get
Hence, since $r$ is odd and the result follows. ✷
Now we are ready to prove a sufficient condition on $p$ for $(d_n)$ having maximal linear complexity $L(d_n) = (p-3)/2$.
Theorem 1. Let $p = 2^{s+1} r + 3$ be a prime with $s \in \{0, 1\}$ and either $r = 1$ or $r$ an odd prime such that 2 is a primitive root modulo $r$. Then the linear complexity of the sequence $(d_n)$ defined by (1) and (2) is maximal,
Proof. Since $p = 2^{s+1} r + 3$ with $s \in \{0, 1\}$ and $r$ is odd, we have $p \not\equiv 3 \bmod 8$. It follows from (4) that $D(1) = 1$. If 2 by Lemma 1. Now let $r$ be an odd prime such that 2 is a primitive root modulo $r$. Next we prove that $D(\beta) \ne 0$ for any primitive $r$th root of unity $\beta$.
Assume $D(\beta) = 0$. If $s = 0$, we get by Lemma 2. However, each $n$ with $1 \le n \le p - 3$ and where $\left(\frac{\cdot}{\cdot}\right)$ denotes the Legendre symbol, corresponds to some $(q_i, q_{i+1}) = (n, n+2)$ and thus $d_i \equiv n + n + 2 \equiv 0 \bmod 2$. By [4, Proposition 2] there are at least such $n$, a contradiction for $p > 25$. The only remaining primes $p \le 25$ of the form $p = 2r + 3$ with odd $r > 1$ are $p = 13$ and 17. For $p = 13$ we have $q_0 = 1$ and $q_1 = 3$, that is, $d_0 = 0$, a contradiction. For $p = 17$ we get $r = 7$ but 2 is a quadratic residue modulo 7 and thus not a primitive root modulo 7. If $s = 1$, we have $p \equiv 7 \bmod 8$, $p \ge 23$, and we get from Lemma 2
Thus, we obtain $\gcd(X^T - 1, S(X)) = 1$, and the result follows. ✷

3 Imbalance of $(d_n)$
In this section we show that, for sufficiently large $p$, the sequence $(d_n)$ is imbalanced. More specifically, about $2/3$ of the sequence elements are equal to 1.
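The definitions of $(d_n)$ and $(t_n)$ from the abstract, the hypothesis of Theorem 1 and the imbalance of $(d_n)$ can be checked numerically. The following is an added example, not code from the paper; all function names are hypothetical, $p$ is assumed to be prime, and the linear complexity is computed with the Berlekamp-Massey algorithm rather than via Lemma 1.

```python
# Added example (not the paper's code); p is assumed to be a prime >= 5.

def quadratic_residues(p):
    """Nonzero quadratic residues modulo the prime p, in increasing order."""
    return sorted({x * x % p for x in range(1, (p - 1) // 2 + 1)})

def sequences(p):
    """One period, of length (p - 3) / 2, of (d_n) and (t_n)."""
    q = quadratic_residues(p)
    d = [(a + b) % 2 for a, b in zip(q, q[1:])]
    t = [int(b == a + 1) for a, b in zip(q, q[1:])]
    return d, t

def linear_complexity(period):
    """Berlekamp-Massey over F_2 run on two periods (enough, since L <= T)."""
    s = period * 2
    n = len(s)
    c, b = [1] + [0] * n, [1] + [0] * n      # connection polynomials
    L, m = 0, -1
    for i in range(n):
        disc = s[i]                           # discrepancy at position i
        for j in range(1, L + 1):
            disc ^= c[j] & s[i - j]
        if disc:
            prev = c[:]
            for j in range(n + 1 - (i - m)):
                c[j + i - m] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, prev
    return L

def two_is_primitive_root(r):
    """True if 2 generates the multiplicative group modulo the odd prime r."""
    x, order = 2 % r, 1
    while x != 1:
        x, order = 2 * x % r, order + 1
    return order == r - 1

def theorem1_applies(p):
    """Hypothesis of Theorem 1: p = 2^(s+1) r + 3 with s in {0, 1} and
    r = 1 or r an odd prime with 2 as a primitive root."""
    for s in (0, 1):
        r, rem = divmod(p - 3, 2 ** (s + 1))
        if rem == 0 and r % 2 == 1:
            is_prime = r > 1 and all(r % k for k in range(3, int(r ** 0.5) + 1, 2))
            return r == 1 or (is_prime and two_is_primitive_root(r))
    return False

def ones_fraction(bits):
    return sum(bits) / len(bits)
```

For $p = 13$ this gives $(d_n) = 0,1,1,1,0$ with linear complexity $5 = (p-3)/2$, while for $p = 10007$ the fraction of ones in $(d_n)$ is close to $2/3$ and in $(t_n)$ close to $1/2$.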
Theorem 2. Let $N(0)$ and $N(1)$ denote the number of 0s and 1s in a period of the sequence $(d_n)$, respectively. Then we have
Proof. We first prove a lower bound on $N(1)$. We need a well known result about the pattern distribution of Legendre symbols.
Assume that the pattern x contains r zeros. Then for r ≥ 1 we have (

Linear complexity of $(t_n)$
In this subsection we discuss the linear complexity of the sequence $(t_n)$. We now put
According to (8), the number $N(1)$ of 1s in a period of $(t_n)$ is equal to (
For the case $p \equiv 1 \bmod 4$, the period $T = r = (p-3)/2$ of the sequence $(t_n)$ is an odd number. If we suppose that $r$ is a prime such that 2 is a primitive root modulo $r$, then Lemma 2 implies either $T(\beta) \ne 0$ or $t_h = T(1)$ for all $h$. Now 2 can only be a primitive root modulo $r$ if it is not a square modulo $r$, that is, $r \equiv \pm 3 \bmod 8$ and thus $p \equiv 9, 13 \bmod 16$, in particular, we have $p \ge 13$ and $(t_h)$ is not constant by (8). Hence, $T(\beta) \ne 0$ for any primitive $r$th root of unity $\beta$. We obtain the following result.
Theorem 4. Let $p$ be a prime with $p \equiv 9$ or $13 \bmod 16$ such that $r = \frac{p-3}{2}$ is an odd prime and 2 is a primitive root modulo $r$. Then the linear complexity $L(t_n)$ of the sequence $(t_n)$ defined by (3) is
and each lower bound on $M(t_n)$ is also a lower bound on $L(t_n)$. In particular we have the trivial lower bound
However, there are $n_1$ and $n_2$ with $0 \le n_1 < n_2 \le N - 1 - M$ and $t_{n_1+i} = t_{n_2+i} = 1$, $i = 0, \ldots, M - 1$, $t_{n_1+M} \ne t_{n_2+M}$, a contradiction to (13). Hence, (12) is not true and the result follows.

✷
Remark. Theorem 5 is in good correspondence to the result of [7] that the maximum order complexity of a random sequence of length $N$ is of order of magnitude $\log N$.
The correlation measure $C_2(s_n)$ of order 2 of a sequence $(s_n)$ of length $N$ is defined by where the maximum is taken over all integers $M, d_1, d_2$ with $0 \le d_1 < d_2 \le N - M$. There exist $d_1$ and $d_2$ with $0 \le d_1 < d_2$ with $s_{n+d_1} = s_{n+d_2}$ for $n = 0, 1, \ldots, M(s_n) - 2$ and we get
$$C_2(s_n) \ge M(s_n) - 1. \tag{14}$$
A large correlation measure $C_2(s_n)$ of order 2 is undesirable for cryptographic applications since the expected value of $C_2(s_n)$ is of order of magnitude $N^{1/2} (\log N)^{1/2}$, see [1], and a cryptographic sequence should not be distinguishable from a random sequence. These results on expected values and (14) suggest that a good cryptographic sequence of length $N$ should have maximum order complexity of order of magnitude between $\log N$ and $N^{1/2+\varepsilon}$.

Conclusion
We showed that the sequence $(d_n)$ of the parities of differences of quadratic residues modulo $p$ is very unbalanced. Hence, $(d_n)$ is, despite a high linear complexity (at least in some cases), not suitable in cryptography. We introduced an alternative sequence $(t_n)$ which is not only balanced but also longer patterns appear essentially equally often. Moreover, we proved that $(t_n)$ has in some cases a very high linear complexity and obtained a moderate but nontrivial lower bound on the $N$th maximum order complexity of $(t_n)$. All these results indicate that $(t_n)$ is an attractive candidate for applications in cryptography.