
Prime Numbers
402 Chapter 8 THE UBIQUITY OF PRIME NUMBERS
1998], it is shown that most of the bits of xn can be kept, and the result is still cryptographically secure. There is thus much less computation per bit.
There are many other generators in current use, such as shift-register, chaotic, and cellular-automata (CA) generators. Some generators have been cryptographically “broken,” notably the simpler congruential ones, even if the linear congruence is replaced with higher polynomial forms [Lagarias 1990]. One dilemma that besets researchers in this field is that the generators that may well be quite “secure,” such as the discrete exponential variety that in turn depends on the DL problem for its security, are sluggish. Incidentally, there are various standard randomness tests, especially as regards random generation of binary bits, which can often be invoked to demolish—alternatively to bestow some measure of confidence upon—a given generator [Menezes et al. 1997].
On the issue of security, an interesting idea due to V. Miller is to use a linear-congruential generator, but with elliptic addition. Given an elliptic curve $E$ over a finite field, one might choose integer $a$ and point $B \in E$ and iterate
$$P_{n+1} = [a]P_n + B, \qquad (8.1)$$
where the addition is elliptic addition and now the seed will be some initial point $P_0 \in E$. One might then use the $x$-coordinate of $P_n$ as a random field element. This scheme is not as clearly breakable as is the ordinary linear congruential scheme. It is of interest that certain multipliers $a$, such as powers of two, would be relatively efficient because of the implied simplicity of the elliptic multiplication ladder. Then, too, one could perhaps use reduced operations inherent in Algorithm 7.2.8. In other words, use only $x$-coordinates and live with the ambiguity in $[a]P \pm B$, never actually adding points per se, but having to take square roots.
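As an added example (not code from the book), the iteration (8.1) on a constructed toy curve $y^2 = x^3 + 2x + 3$ over $\mathbb{F}_{103}$, using plain affine point addition rather than the $x$-only ladder the text mentions. The curve, the multiplier $a$ and the points are constructed for illustration; a field this small shows the mechanics only, not a usable generator.

```python
P_MOD, A_COEF, B_COEF = 103, 2, 3   # constructed toy curve y^2 = x^3 + 2x + 3 over F_103
INF = None                          # the point at infinity (group identity)

def on_curve(pt):
    """True if pt is INF or satisfies the curve equation."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A_COEF * x + B_COEF)) % P_MOD == 0

def ec_add(P, Q):
    """Affine chord-and-tangent addition; handles INF, doubling and P + (-P)."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # P + (-P) = O (also 2P when y = 0)
    if P == Q:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, P):
    """[k]P by right-to-left double-and-add (not the x-only ladder of Algorithm 7.2.8)."""
    R = INF
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R

def point_from_x(x):
    """A point with this x-coordinate, or None; p = 3 (mod 4), so sqrt(v) = v^((p+1)/4)."""
    v = (x ** 3 + A_COEF * x + B_COEF) % P_MOD
    y = pow(v, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if (y * y - v) % P_MOD == 0 else None

def ec_lcg(a, B, P0, count):
    """x-coordinates of P_0, P_1, ... where P_{n+1} = [a]P_n + B, as in equation (8.1)."""
    xs, P = [], P0
    for _ in range(count):
        xs.append(None if P is INF else P[0])    # the point at infinity has no x-coordinate
        P = ec_add(ec_mul(a, P), B)
    return xs
```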
Incidentally, a different approach to the use of elliptic curves for random generators appears in [Gong et al. 1999], where the older ideas of shift registers and codewords are generalized to curves over $\mathbb{F}_{2^m}$ (see Exercise 8.29).
Along the same lines, let us discuss for a moment the problem of random bit generation. Surely, one can contemplate using some bit—such as the lowest bit—of a “good” random-number generator. But one wonders, for example, whether the calculation of Legendre symbols appropriate to point-finding on elliptic curves,
$$\left(\frac{x^3 + ax + b}{p}\right) = \pm 1,$$
with $x$ running over consecutive integers in an interval and with the (rare) zero value thrown out, say, constitutes a statistically acceptable random walk of $\pm 1$ values. And one wonders further whether the input of $x$ into a Legendre-symbol machine, but from a linear-congruential or other generator, provides extra randomness in any statistical sense.
Such attempts at random bit streams should be compared statistically to the simple exclusive-or bit generators. An example given in [Press et al. 1996]
is based on the primitive polynomial (mod 2)
$$x^{18} + x^5 + x^2 + x + 1.$$
(A polynomial over a finite field $F$ is primitive if it is irreducible and if a root is a cyclic generator for the multiplicative group of the finite field generated by the root.) If one has a “current” bit $x_{-1}$, and labels the previous 17 bits $x_{-2}, x_{-3}, \ldots, x_{-18}$, then the shifting logic appropriate to the given polynomial is to form a new bit $x_0$ according to the logic
$$x_0 = x_{-18}, \quad x_{-5} = x_{-5} \oplus x_0, \quad x_{-2} = x_{-2} \oplus x_0, \quad x_{-1} = x_{-1} \oplus x_0,$$
where “$\oplus$” is the exclusive-or operator (equivalent to addition in the even-characteristic field). Then all of the indices are shifted so that the new $x_{-1}$—the new current bit—is the $x_0$ from the above operations. An explicit algorithm is the following:
Algorithm 8.2.7 (Simple and fast random-bit generator). This algorithm provides seeding and random functions for a random-bit generator based on the polynomial $x^{18} + x^5 + x^2 + x + 1$ over $\mathbb{F}_2$.
1. [Procedure seed]
   seed() {
       h = 2^17;               // 100000000000000000 binary.
       m = 2^0 + 2^1 + 2^4;    // Mask is 10011 binary.
       Choose starting integer seed x in [1, 2^18];
       return;
   }
2. [Function random returning 0 or 1]
   random() {
       if((x & h) ≠ 0) {            // The bitwise “and” of x, h is compared to 0.
           x = ((x ⊕ m) << 1) | 1;  // “Exclusive-or” (⊕) and “or” (|) taken.
           return 1;
       }
       x = x << 1;
       return 0;
   }
The reference [Press et al. 1996] has a listing of other polynomials (mod 2) for selected degrees up through 100.
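As an added example (not the book's code), Algorithm 8.2.7 written as a Python class, with the shift-register update rule of the text alongside it for cross-checking, a period check (a primitive polynomial of degree 18 gives the maximal period $2^{18} - 1$), and a check that the output stream is $\mathbb{F}_2$-linear in the seed, which is why a generator of this kind is a statistical source and not a cryptographic one. Class and function names are my own.

```python
MASK18 = (1 << 18) - 1   # only the 18 register bits x_{-1} .. x_{-18} matter
class RandomBitGenerator:
    """Integer-register form of Algorithm 8.2.7: bit i of x holds x_{-(i+1)}."""
    H = 1 << 17                          # 100000000000000000 binary: selects x_{-18}
    M = (1 << 0) | (1 << 1) | (1 << 4)   # 10011 binary: taps x_{-1}, x_{-2}, x_{-5}

    def __init__(self, seed):
        # An all-zero register only ever emits zeros, so some low bit must be set
        # (the endpoint seed 2^18 permitted by the text would hit this fixed point).
        if (seed & MASK18) == 0:
            raise ValueError("low 18 bits of the seed must not all be zero")
        self.x = seed & MASK18

    def random(self):
        """Return the next bit x0 = x_{-18} and advance the register."""
        if self.x & self.H:
            self.x = (((self.x ^ self.M) << 1) | 1) & MASK18
            return 1
        self.x = (self.x << 1) & MASK18
        return 0

    def bits(self, count):
        return [self.random() for _ in range(count)]

def shift_register_bits(seed, count):
    """The same generator written as the x_{-i} update rule of the text, for cross-checking."""
    reg = [(seed >> i) & 1 for i in range(18)]   # reg[0] = x_{-1}, ..., reg[17] = x_{-18}
    out = []
    for _ in range(count):
        x0 = reg[17]                              # x0 = x_{-18}
        reg[4] ^= x0; reg[1] ^= x0; reg[0] ^= x0  # x_{-5}, x_{-2}, x_{-1} xor-ed with x0
        reg = [x0] + reg[:17]                     # shift: the new current bit is x0
        out.append(x0)
    return out

def period(seed):
    """Steps until the state returns to its start: 2^18 - 1 iff the polynomial is primitive."""
    g = RandomBitGenerator(seed)
    steps = 0
    while True:
        g.random(); steps += 1
        if g.x == (seed & MASK18):
            return steps

def output_is_linear(seed_a, seed_b, count):
    """stream(a xor b) == stream(a) xor stream(b): the state map is F_2-linear, so a short output prefix determines the whole stream."""
    sa = RandomBitGenerator(seed_a).bits(count)
    sb = RandomBitGenerator(seed_b).bits(count)
    sab = RandomBitGenerator(seed_a ^ seed_b).bits(count)
    return all(x ^ y == z for x, y, z in zip(sa, sb, sab))
```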
In any comprehensive study of random number generation, one witnesses the conceptual feedback involving prime numbers. Not only do many proposed random-number generators involve primes per se, but many of the algorithms—such as some of the ones appearing in this book—use recourse
to suitable random numbers. But if one lifts the requirement of statistically testable randomness as it is usually invoked, there is quite another way to use random sequences. It is to these alternatives—falling under the rubric of quasi-Monte Carlo (qMC)—to which we next turn.
8.3 Quasi-Monte Carlo (qMC) methods
Who would have guessed, back in the times of Gauss, Euler, Legendre, say, that primes would attain some practical value in the financial-market analysis of the latter twentieth century? We refer here not to cryptographic uses— which certainly do emerge whenever money is involved—but quasi-Monte Carlo science which, loosely speaking, is a specific form of Monte Carlo (i.e., statistically motivated) analysis. Monte Carlo calculations pervade the fields of applied science.
The essential idea behind Monte Carlo calculation is to sample some large continuous (or even discrete, if need be) space—in doing a multidimensional integral, say—with random samples. Then one hopes that the “average” result is close to the true result one would obtain with the uncountable samples theoretically at hand. It is intriguing that number theory—in particular prime-number study—can be brought to bear on the science of quasi-Monte Carlo (qMC). The techniques of qMC differ from traditional Monte Carlo in that one does not seek expressly random sequences of samples. Instead, one attempts to provide quasirandom sequences that do not, in fact, obey the strict statistical rules of randomness, but instead have certain uniformity features attendant on the problem at hand.
Although it is perhaps overly simplistic, a clear way to envision the difference between random and qMC is this: Random points when dropped can be expected to exhibit “clumps” and “gaps,” whereas qMC points generally avoid each other to minimize clumping and tend to occupy previous gaps. For these reasons qMC points can be—depending on the spatial dimension and precise posing of the problem—superior for certain tasks such as numerical integration, min–max problems, and statistical estimation in general.
8.3.1 Discrepancy theory
Say that one wants to know the value of an integral over some $D$-dimensional domain $R$, namely
$$I = \int \cdots \int_R f(\mathbf{x})\, d^D x,$$
but there is no reasonable hope of a closed-form, analytic evaluation. One might proceed in Monte Carlo fashion, by dropping a total of $N$ “random” vectors $\mathbf{x} = (x_1, \ldots, x_D)$ into the integration domain, then literally adding up the corresponding integrand values to get an average, and then multiplying by the measure of $R$ to get an approximation, say $I'$, for the exact integral $I$. On the general variance principles of statistics, we can expect the error to
behave no better than
$$|I - I'| = O\left(\frac{1}{\sqrt{N}}\right),$$
where of course, the implied big-O constant depends on the dimension $D$, the integrand $f$, and the domain $R$. It is interesting that the power law $N^{-1/2}$, though, is independent of $D$. By contrast, a so-called “grid” method, in which we split the domain $R$ into grid points, can be expected to behave no better than
$$|I - I'| = O\left(\frac{1}{N^{1/D}}\right),$$
which growth can be quite unsatisfactory, especially for large $D$. In fact, a grid scheme—with few exceptions—makes practical sense only for 1- or perhaps 2-dimensional numerical integration, unless there is some special consideration like well-behaved integrand, extra reasons to use a grid, and so on. It is easy to see why Monte Carlo methods using random point sets have been used for decades on numerical integration problems in $D \ge 3$ dimensions.
But there is a remarkable way to improve upon direct Monte Carlo, and in fact obtain errors such as
$$|I - I'| = O\left(\frac{(\ln N)^D}{N}\right),$$
or sometimes with $(\ln N)^{D-1}$ powers appearing instead, depending on the implementation (we discuss this technicality in a moment). The idea is to use low-discrepancy sequences, a class of quasi-Monte Carlo (qMC) sequences (some authors define a low-discrepancy sequence as one for which the behavior of $|I - I'|$ is bounded as above; see Exercise 8.32). We stress again, an important observation is that qMC sequences are not random in the classical sense. In fact, the points belonging to qMC sequences tend to avoid each other (see Exercise 8.12).
We start our tour of qMC methods with a definition of discrepancy, where it is understood that vectors drawn out of regions R consist of real-valued components.
Definition 8.3.1. Let $P$ be a set of at least $N$ points in the (unit $D$-cube) region $R = [0, 1]^D$. The discrepancy of $P$ with respect to a family $F$ of Lebesgue-measurable subregions of $R$ is defined (neither $D_N$ nor $D_N^*$ is to be confused with dimension $D$) by
$$D_N(F; P) = \sup_{\phi \in F} \left| \frac{\chi(\phi; P)}{N} - \mu(\phi) \right|,$$
where $\chi(\phi; P)$ is the number of points of $P$ lying in $\phi$, and $\mu$ denotes Lebesgue measure. Furthermore, the extreme discrepancy of $P$ is defined by
$$D_N(P) = D_N(G; P),$$


These sequences are easy to envision and likewise easy to generate in practice; in fact, their generation is easier than one might suspect. Say we desire the van der Corput sequence for base $B = 2$. Then we simply count from $n = 0$, in binary
$$n = 0, 1, 10, 11, 100, \ldots,$$
and form the reversals of the bits to obtain (also in binary)
$$S = (0.0, 0.10, 0.01, 0.11, 0.001, \ldots).$$
To put it symbolically, if we are counting and happen to be at integer index
$$n = n_k n_{k-1} \ldots n_1 n_0,$$
then the term $\rho_B(n) \in S$ is given by reversing the digits thus:
$$\rho_B(n) = 0.n_0 n_1 \ldots n_k.$$
It is known that every van der Corput sequence has
$$D_N(S_B) = O\left(\frac{\ln N}{N}\right),$$
where the implied big-O constant depends only on $B$. It turns out that $B = 3$ has the smallest such constant, but the main point affecting implementations is that the constant generally increases for larger bases $B$ [Faure 1981].
For $D > 1$ dimensions, it is possible to generate qMC sequences based on the van der Corput forms, in the following manner:
Definition 8.3.4. Let $\bar{B} = \{B_1, B_2, \ldots, B_D\}$ be a set of pairwise-coprime bases, each $B_i > 1$. We define the Halton sequence for bases $\bar{B}$ by
$$S_{\bar{B}} = (x_n), \qquad n = 0, 1, 2, \ldots,$$
where
$$x_n = (\rho_{B_1}(n), \ldots, \rho_{B_D}(n)).$$
In other words, a Halton sequence involves a specific base for each vector coordinate, and the respective bases are to be pairwise coprime. Thus for example, a qMC sequence of points in the (D = 3)-dimensional unit cube can be generated by choosing prime bases {B1, B2, B3} = {2, 3, 5} and counting n = 0, 1, 2, . . . in those bases simultaneously, to obtain
$$x_0 = (0, 0, 0), \quad x_1 = (1/2, 1/3, 1/5), \quad x_2 = (1/4, 2/3, 2/5), \quad x_3 = (3/4, 1/9, 3/5),$$
and so on. The manner in which these points deposit themselves in the unit 3-cube is interesting. We can see once again the basic, qualitative aspect
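As an added example (not code from the book), the digit-reversal map $\rho_B(n)$ and the Halton construction of Definition 8.3.4, computed with exact fractions so that the first points can be compared with those listed above, together with a small comparison of a Halton estimate against a seeded pseudorandom estimate of a 3-dimensional integral, in the spirit of the error discussion of Section 8.3.1. The integrand $x y z$, the point count and the seed are my own choices.

```python
from fractions import Fraction
import random

def radical_inverse(n, base):
    """rho_B(n): write n = n_k ... n_1 n_0 in base B and return 0.n_0 n_1 ... n_k (base B)."""
    value, scale = Fraction(0), Fraction(1, base)
    while n > 0:
        n, digit = divmod(n, base)      # peel digits off the least significant end
        value += digit * scale          # digit n_i lands in position i+1 after the point
        scale /= base
    return value

def van_der_corput(count, base=2):
    """First `count` terms of S_B = (rho_B(0), rho_B(1), ...)."""
    return [radical_inverse(n, base) for n in range(count)]

def halton(n, bases=(2, 3, 5)):
    """x_n of the Halton sequence of Definition 8.3.4 for pairwise-coprime bases."""
    return tuple(radical_inverse(n, b) for b in bases)

def as_ratios(point):
    """(numerator, denominator) pairs, convenient for comparing with the values in the text."""
    return [(v.numerator, v.denominator) for v in point]

def integrate_xyz(points):
    """Average of f(x, y, z) = x*y*z over the points; the exact integral over [0,1]^3 is 1/8."""
    return sum(float(x * y * z) for x, y, z in points) / len(points)

def qmc_vs_mc_error(n_points=4096, seed=1):
    """Absolute errors of the Halton estimate and of a seeded pseudorandom estimate for xyz."""
    exact = 1 / 8
    qmc_estimate = integrate_xyz([halton(n) for n in range(n_points)])
    rng = random.Random(seed)   # constructed: a fixed seed makes the comparison repeatable
    mc_points = [(rng.random(), rng.random(), rng.random()) for _ in range(n_points)]
    return abs(qmc_estimate - exact), abs(integrate_xyz(mc_points) - exact)
```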
