On the $k$-error linear complexity of binary sequences derived from the discrete logarithm in finite fields

Let $q=p^r$ be a power of an odd prime $p$. We study binary sequences $\sigma=(\sigma_0,\sigma_1,\ldots)$ with entries in $\{0,1\}$ defined by using the quadratic character $\chi$ of the finite field $\mathbb{F}_q$: $$ \sigma_n=\left\{ \begin{array}{ll} 0,&\mathrm{if}\quad n= 0,\\ (1-\chi(\xi_n))/2,&\mathrm{if}\quad 1\leq n<q, \end{array} \right. $$ for the ordered elements $\xi_0,\xi_1,\ldots,\xi_{q-1}\in \mathbb{F}_q$. The sequence $\sigma$ is the Legendre sequence if $r=1$. Our first contribution is to prove a lower bound on the linear complexity of $\sigma$ for $r\geq 2$. The bound improves some results of Meidl and Winterhof. Our second contribution is to study the $k$-error linear complexity of $\sigma$ for $r=2$. It seems that we cannot settle the case when $r>2$ and leave it open.


Introduction
Pseudorandom sequences play an important role in cryptography. In particular, in symmetric cryptography they serve as the secret key. Pseudorandom sequences have therefore attracted wide attention. In this work, we begin with the Legendre sequence, which has good behavior.
Let $p$ be an odd prime. The Legendre sequence $\ell=\{\ell_0,\ell_1,\ldots\}$ with entries in $\{0,1\}$ is defined as where $\left(\frac{\cdot}{p}\right)$ is the Legendre symbol, that is, for $n$ with $p\nmid n$, $\left(\frac{n}{p}\right)=1$ if $n\equiv a^2 \pmod p$ for some integer $a$ and otherwise $\left(\frac{n}{p}\right)=-1$. The Legendre sequence has received extensive attention from many researchers. From the viewpoint of cryptography, its linear complexity (see the notion below) is studied in [7], its $k$-error linear complexity is studied in [2], and other features are studied in the literature, see e.g., [5,13].
It is natural to extend the Legendre symbol construction to define binary sequences from the extension field $\mathbb{F}_q$ of $q$ elements with $q=p^r$. We order the elements of $\mathbb{F}_q=\{\xi_0,\xi_1,\ldots,\xi_{q-1}\}$ as follows.
It is clear that $\sigma$ is the Legendre sequence if $r=1$ and $d=2$. The (aperiodic) autocorrelation of $\sigma$ was analyzed in [15] and the linear complexity of $\sigma$ was studied in [14,18]. In particular, in [1,2] the $k$-error linear complexity over $\mathbb{F}_p$ of $\sigma$ was investigated for $r=1$. One might ask whether this can be extended to the case $r\geq 2$ for the $k$-error linear complexity. Indeed, [4, Proposition 2] tells us that we have to change a lot of elements to get a smaller periodic sequence with small linear complexity. So this might be the reason why the authors of [1,2] did not study $\sigma$ over $\mathbb{F}_p$ further for the case $r\geq 2$.
In this work, we pay attention to the case when $d=2$. The sequence $\sigma$ with entries in $\{0,1\}$ in Eq.(1) can be defined equivalently by using the quadratic character $\chi$ of $\mathbb{F}_q$: It is easy to see that $\chi(\xi_n)=(-1)^{\sigma_n}$ for $1\leq n<q$. The measures of pseudorandomness of the binary $\sigma$ were studied in [16] in a more general setting. Some related problems were considered in [10,11,12].
In the sequel, we first prove a lower bound on the linear complexity of $\sigma$ in Eq.(2) for $q=p^r$ with $r\geq 2$ in Sect.2. The bound improves some results of Meidl and Winterhof in [14,18]. Then in Sect.3 we study the $k$-error linear complexity (over $\mathbb{F}_2$) of $\sigma$ for $r=2$. This is different from [1,2], in which, we remark again, $\sigma$ is treated over $\mathbb{F}_p$. It seems that we cannot settle the case when $r>2$ and leave it open.
The linear complexity is an important cryptographic characteristic of sequences and provides information on predictability and thus unsuitability for cryptography. Here we give a short introduction to the linear complexity of periodic sequences. Let $\mathbb{F}$ be a field. For a $T$-periodic sequence $(s_n)$ over $\mathbb{F}$, recall that the linear complexity over $\mathbb{F}$, denoted by $LC^{\mathbb{F}}((s_n))$, is the least order $L$ of a linear recurrence relation over $\mathbb{F}$ $$ s_{n+L}=c_{L-1}s_{n+L-1}+\ldots+c_1s_{n+1}+c_0s_n\quad \mathrm{for}\quad n\geq 0, $$ which is satisfied by $(s_n)$ and where $c_0\neq 0, c_1,\ldots,c_{L-1}\in\mathbb{F}$. Let which is called the generating polynomial of $(s_n)$. Then the linear complexity over $\mathbb{F}$ of $(s_n)$ can be computed as which is the degree of the characteristic polynomial, , of the sequence. See, e.g., [5] for details.
For a sequence to be cryptographically strong, its linear complexity should be high and should not be significantly reduced by changing a few terms. This leads to the notion of the $k$-error linear complexity. For integers $k\geq 0$, the $k$-error linear complexity over $\mathbb{F}$ of $(s_n)$, denoted by $LC^{\mathbb{F}}_k((s_n))$, is the lowest linear complexity (over $\mathbb{F}$) that can be obtained by changing at most $k$ terms of the sequence per period (see [17], and see [6] for the related sphere complexity that was defined even earlier). Clearly, when $w$ equals the number of nonzero terms of $(s_n)$ per period, i.e., the weight of $(s_n)$.

A lower bound on linear complexity
In this section, we prove a lower bound on the linear complexity of $\sigma$ in Eq.(2) for $q=p^r$ and $r\geq 2$. Some results have been given in [14,18]. Our bound in Theorem 1 below greatly improves that in [14,18]. Let $\mathrm{ord}_m(2)$ denote the order of 2 modulo $m$, i.e., $\mathrm{ord}_m(2)$ is the least positive integer such that $2^{\mathrm{ord}_m(2)}\equiv 1 \pmod m$.
where $1<\lambda<p$ is the order of 2 modulo $p$.
Proof. From Eq. (2), it is easy to see that the least period of $\sigma$ is $q=p^r$, since there are $(q-1)/2$ many 1's in the first $q$ terms of the sequence. Let . We see that $X^{p^r}-1=(X^{p^{r-1}}-1)\cdot\Phi^{(r)}(X)$ and $\Phi^{(r)}(X)$ has exactly $p^r-p^{r-1}$ many roots, which are primitive $p^r$-th roots of unity in the algebraic closure of $\mathbb{F}_2$. Then by Lemma 1, $\Phi^{(r)}(X)$ can be written as the product of $(p-1)/\lambda$ many irreducible polynomials of degree $\lambda p^{r-1}$: We show below that there exists $i_0$: from which we get $\sigma_n=\sigma_{n+p^{r-1}}$ for any integer $n$ and hence $p^{r-1}$ is the period of $\sigma$, a contradiction. Hence $\Phi^{(r)}(X)\nmid S(X)$ and there exists at least one i 0 (X) ∤ S(X). Then from the notion of the characteristic polynomial of $\sigma$ or Eq.(3), we have we finish the proof.
The bound is much better than that of [14, Thms.1 and 2] and [18]. We note that Theorem 1 is indeed a general result for any $p^r$-periodic binary sequence over $\mathbb{F}_2$ and it covers almost all primes. As far as we know, the primes that satisfy $2^{p-1}\equiv 1 \pmod{p^2}$ are very rare. It was shown that there are only two such primes, 1093 and 3511, up to $6\times 10^{17}$ [3].
We remark again, in [4, Prop.2] for any sequences over $\mathbb{F}_{p^m}$ with least period $p^r$, the linear complexity is at least $p^{r-1}+1$. Theorem 1 is a very similar statement to [4] for binary sequences.

k-Error linear complexity
In this section we consider the $k$-error linear complexity of $\sigma$ in Eq.(2) for $q=p^2$.
The approach used in the proof of Theorem 1 can help us to give a lower bound on the $k$-error linear complexity. Below we choose $\{1,\gamma\}$ as a basis of $\mathbb{F}_{p^2}$ over $\mathbb{F}_p$ and write $\xi_n\in\mathbb{F}_{p^2}$ as $n_1+n_2\gamma$ for $n=n_1+n_2p$, where $0\leq n_1,n_2<p$. We first prove two lemmas.
Lemma 2. Let $T_i=\{i+j\gamma: 0\leq j<p\}\subseteq\mathbb{F}_{p^2}$ for $0\leq i<p$. Then we have $i\cdot T_1:=\{i(1+j\gamma): 0\leq j<p\}=T_i$, $i=1,2,\ldots,p-1$.
where the $\sigma_n$ is defined by Eq.(2) with $q=p^2$. Let $\xi_{n_1+n_2p}=n_1+n_2\gamma\in\mathbb{F}_{p^2}$ in Eq.(2) be defined by using a basis $\{1,\gamma\}$ over $\mathbb{F}_p$ for $0\leq n_1,n_2<p$. We have Proof. It is clear from Lemma 3.
Theorem 4. Let $\sigma$ be the binary sequence of period $q$ defined in Eq.(2) with $q=p^2$. Let $\xi_{n_1+n_2p}=n_1+n_2\gamma\in\mathbb{F}_{p^2}$ in Eq.(2) be defined by using a basis $\{1,\gamma\}$ over $\mathbb{F}_p$ for $0\leq n_1,n_2<p$. If $\chi(\gamma)=-1$ and 2 is primitive modulo $p^2$, then the $k$-error linear complexity of $\sigma$ satisfies if $p\equiv 5 \pmod 8$, and
Theorems 3 and 4 indicate that the sequence we considered has good stability, or in other words, its linear complexity is not significantly decreased by changing only a few (but not many) terms.
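As an added illustration (not code from the paper), the following Python sketch builds one period of $\sigma$ for $q=p^2$ with the ordering $\xi_{n_1+n_2p}=n_1+n_2\gamma$ and computes its linear complexity and $k$-error linear complexity over $\mathbb{F}_2$ by exhaustive search. It assumes the toy case $p=3$ with $\gamma^2=\gamma+1$ (so that $\chi(\gamma)=-1$), uses the standard identity $LC=T-\deg\gcd(X^T-1,S(X))$ for the generating polynomial $S(X)=s_0+s_1X+\ldots+s_{T-1}X^{T-1}$, and all function names are hypothetical.

```python
from itertools import combinations

P, A, B = 3, 1, 1  # assumed toy field (not from the paper): g^2 = A*g + B over F_3, chi(g) = -1

def mul(x, y):
    """Product of x = x1 + x2*g and y = y1 + y2*g, elements stored as pairs."""
    (x1, x2), (y1, y2) = x, y
    return ((x1*y1 + B*x2*y2) % P, (x1*y2 + x2*y1 + A*x2*y2) % P)

def chi(x):
    """Quadratic character of a nonzero x via x^((q-1)/2), which is 1 or -1."""
    r = (1, 0)
    for _ in range((P*P - 1) // 2):
        r = mul(r, x)
    return 1 if r == (1, 0) else -1

def sigma():
    """One period: sigma_0 = 0 and sigma_n = (1 - chi(xi_n))/2, xi_n = n1 + n2*g."""
    return [0] + [(1 - chi((n % P, n // P))) // 2 for n in range(1, P*P)]

def gf2_gcd(a, b):
    """gcd of two polynomials over F_2 encoded as integers (bit i = coeff of X^i)."""
    while b:
        while a and a.bit_length() >= b.bit_length():
            a ^= b << (a.bit_length() - b.bit_length())
        a, b = b, a
    return a

def lin_complexity(s):
    """LC over F_2 of the T-periodic sequence s: T - deg gcd(X^T - 1, S(X))."""
    T = len(s)
    S = sum(bit << i for i, bit in enumerate(s))
    return T - (gf2_gcd((1 << T) | 1, S).bit_length() - 1)

def k_error_lc(s, k):
    """Smallest LC reachable by changing at most k terms per period (brute force)."""
    best = lin_complexity(s)
    for j in range(1, k + 1):
        for pos in combinations(range(len(s)), j):
            t = [b ^ (i in pos) for i, b in enumerate(s)]  # flip the chosen terms
            best = min(best, lin_complexity(t))
    return best

def profile():
    """k-error linear complexities of sigma for k = 0 .. weight of sigma."""
    s = sigma()
    return [k_error_lc(s, k) for k in range(sum(s) + 1)]

print(sigma(), profile())
```

For this assumed field the period is 0,0,0,1,0,1,1,1,0 and the profile for $k=0,\ldots,4$ is 8, 7, 6, 3, 0; these are computed values for the $p=3$ toy case, not a restatement of Theorems 3 and 4. The search is exponential in $k$ and is only meant for very small $p$.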

Final remarks
We study the linear complexity of binary sequences defined by using the quadratic character of the finite field $\mathbb{F}_{p^r}$ with $r\geq 2$ and its $k$-error linear complexity for $r=2$. Such sequences are an extension of Legendre sequences. It is interesting to consider the $k$-error linear complexity for $r>2$.
From the construction, we find by Lemma 3 that $\sigma_1=\sigma_2=\cdots=\sigma_{p-1}$ and $\sigma_p=\sigma_{2p}=\cdots=\sigma_{(p-1)p}$. This sacrifices some pseudorandomness of the sequence. So we can modify the construction as follows if $n=0$, $\left(\frac{j}{p}\right)$, if $n=jp$ for $1\leq j<p$, $\left(\frac{i}{p}\right)\chi(\xi_n)$, if $n=i+jp$ for $1\leq i<p$, $0\leq j<p$. Then the approach of this work can be used to consider the linear complexity and $k$-error linear complexity.
$\rho$ is referred to as a generalized Sidelnikov sequence, see e.g. [2], in which the $k$-error linear complexity (over $\mathbb{F}_p$) of $\rho$ was determined when $r=1$. So it is interesting to consider the $k$-error linear complexity (over $\mathbb{F}_2$) of $\rho$.