Non-Archimedean Ergodic Theory and Pseudorandom Generators
The paper develops techniques in order to construct computer programs, pseudorandom number generators (PRNG), that produce uniformly distributed sequences. The paper exploits an approach that treats standard processor instructions (arithmetic and bit…
Authors: Vladimir Anashin
Abstract. The paper develops techniques in order to construct computer programs, pseudorandom number generators (PRNG), that produce uniformly distributed sequences. The paper exploits an approach that treats standard processor instructions (ar­ithmetic and bitwise logical ones) as continuous functions on the space of 2-adic integers. Within this approach, a PRNG is considered as a dynamical system and is studied by means of non-Archimedean ergodic theory.

1. Introduction

Any computer program can be viewed as a composition of basic instructions, the simplest instructions performed by a processor (CPU), i.e., as a composition of operators of a proper assembler. These operators depend on the type of CPU. Usually the corresponding assemblers include some operators which are common to all CPUs independently of the type: arithmetic operators (addition, multiplication), bitwise logical operators (e.g., AND, a bitwise conjunction; OR, a bitwise disjunction; XOR, a bitwise logical 'exclusive or', etc.), and some others (e.g., left and right shifts). Formally, all these common operators are defined on the set $B_n$ of all $n$-bit words, where $n$ is the length of the machine words the CPU operates on (sometimes called the CPU bitlength). However, all these common operators can be extended in a natural way to the set $\mathbb{Z}_2$ of all infinite strings of zeros and ones. The latter set $\mathbb{Z}_2$ can be endowed with a metric (called the 2-adic metric) and so becomes a (non-Archimedean) metric space. Interestingly, all these common operators are continuous functions with respect to this metric. So all computer programs built from these operators can be viewed as continuous 2-adic functions, whence their behaviour can be studied with the use of non-Archimedean analysis.
In this paper we apply this approach to construct and study pseudorandom generators. A pseudorandom (number) generator (a PRNG for short) is a computer program that produces a random-looking sequence of machine words, which can also be treated as a sequence of numbers via their base-2 expansions. Pseudorandom generators are widely used in numerous applications, especially in simulation (e.g., quasi Monte Carlo) and cryptography (e.g., stream ciphers). A theory (better to say, theories) of PRNGs is an important part of computer science, see e.g. [21, Chapter 3]. We say 'theories of PRNG' since the very definition of pseudorandomness assumes that the produced sequence must pass a certain class of statistical tests, so the definition of a PRNG depends on the choice of the tests. Actually the paper can be considered as a contribution to a non-Archimedean theory of PRNGs.

As a rule, the weakest statistical property the sequence must satisfy to be considered pseudorandom is uniform distribution; that is, each term of the sequence must occur with the same frequency. For example, the well-known linear congruential generator (LCG) produces the recurrence sequence $\{x_i\}_{i=0}^{\infty}$ over the set $\{0,1,\dots,m-1\}$ according to the recurrence law $x_{i+1} \equiv a + b x_i \pmod m$, for some rational integers $a, b$. This sequence is uniformly distributed if and only if it is purely periodic and the length of its shortest period is equal to the modulus $m$. The latter condition implies that each number of $\{0,1,\dots,m-1\}$ occurs in the period exactly once, and vice versa. We refer to such sequences as strictly uniformly distributed. In other words, the LCG produces a uniformly distributed sequence if and only if the mapping $x \mapsto a + bx \pmod m$ of the residue ring $\mathbb{Z}/m\mathbb{Z}$ modulo $m$ permutes the residues $\{0,1,\dots,m-1\}$ cyclically.
We call the mapping $x \mapsto a + bx$ of the ring $\mathbb{Z}$ of rational integers transitive modulo $m$ in this case. It is not difficult to see that every composition $f$ of arithmetic and bitwise logical operators which defines a mapping of $\mathbb{Z}_2$ into $\mathbb{Z}_2$ induces a well defined mapping $f \bmod 2^n$ of the residue ring $\mathbb{Z}/2^n\mathbb{Z}$ (that is, of the set $B_n$) into itself, for all $n = 1, 2, \dots$. It turns out that the mapping $f \bmod 2^n$ is transitive for all $n$ if and only if the mapping $f$ is ergodic (with respect to the Haar measure) on $\mathbb{Z}_2$, see e.g. [7] for a proof. Thus, to construct PRNGs (that produce strictly uniformly distributed sequences over $B_n$) out of arithmetic and bitwise logical operators we just need to construct the corresponding ergodic transformation of the space $\mathbb{Z}_2$. This approach was already utilized in [1, 2, 3, 4, 5, 6, 8, 9, 10, 23] in order to construct numerous non-linear congruential generators and to study their properties.

The paper is organized as follows:
• In section 2 we demonstrate that a CPU actually works with approximations of 2-adic integers with respect to the 2-adic metric.
• In section 3 we demonstrate that arithmetic, bitwise logical and some other instructions of a CPU can be extended to functions that are continuous on the metric space $\mathbb{Z}_2$, as can programs combined from these instructions; and that programs producing uniformly distributed sequences can be constructed as automata whose state transition/output functions are, accordingly, ergodic/measure preserving transformations with respect to the normalized Haar measure, which is a natural probabilistic measure on $\mathbb{Z}_2$.
• In section 4 we develop various techniques that can be used to construct the above mentioned ergodic/measure preserving transformations, or to verify whether a given transformation is ergodic/measure preserving.
This section serves mainly as a survey; however, it contains new results as well.
• In section 5 we study (with the use of the above mentioned techniques) two special types of fast PRNG: the first one is defined by the recurrence law $x_{i+1} \equiv a + \sum_{j=1}^{m} a_j\,(x_i \,\mathrm{XOR}\, b_j) \pmod{2^n}$, and the second one by the recurrence law $x_{i+1} \equiv a + \sum_{j=0}^{m} a_j\,\delta_j(x_i)$, where $\delta_j(x) = \frac{x \,\mathrm{AND}\, 2^j}{2^j}$ is the $j$-th binary digit in the base-2 expansion of $x$. These generators are of special interest for stream ciphers since they are utilized in some designs, see [8, 11].
• In section 6 we study properties of a sequence produced by an ergodic transformation of the space $\mathbb{Z}_2$. We demonstrate, in particular, that this sequence satisfies D. Knuth's randomness criterion Q1, see [21, Section 3.5, Definition Q1].
• We conclude in section 7.

The paper is partly based on the author's preprint [5]; the results of section 5 were announced in the author's papers [1, 2] without proofs. Note that most results of the paper can be restated for an arbitrary prime $p$, and not only for $p = 2$. Some $p$-adic arguments were exploited in studies of certain special types of PRNGs, see [19, 33, 35].
How ever, none o f these w orks study P RNGs comb ined of basic computer ins tructions (b oth arithmetic and log ic a l) as co ntin uous 2- adic dynamical systems: In [ 19 ] only an output of a feedback-with-carry shift re gister is considered as a 2-adic integer (which actually is a rational, a n irreducible frac- tion with o dd denominator ), in [ 33 , 14 ] authors study pr op erties of pseudorandom nu mbers obtained from round-o ff er rors in calculations of 2 - v ariate linear maps (ac- tually they deal with a transfor ma tion x 7→ ⌊ θ p k x ⌋ of the space Z p of p -adic integers, where ⌊·⌋ is an ‘integer part’ of a p -a dic num b er), in [ 35 ] authors study a genera tor with recur r ence law x i +1 = x i ( x i − 1) 2 on Z 2 , w hich is a 2 -adic analog of a real logistic map. It worth noting he r e that there is a v ast litera ture o n PRNGs based on o p e r ations of finite fields and r ings, see [ 15 ] and refer e nc e s ther e in. Howev er , to o ur bes t knowledge none of these works use p - adic techn iques. W e note that the pres ent ed pa per can also be considered as a contribution to the theory of p -adic dyna mica l s ystems (esp ecially to the p - adic erg o dic theory). The la tter theory recently a ttr a cted significa n t interest due to its applications in mathematical physics, biology , genetics, cognitive sciences, etc., see e.g. [ 16 , 18 ] and references therein. H ow ever, usually relev ant works study dynamics o n the whole field Q p of p -adic num ber s, or even on its alg ebraic closur e C p , see the works just cited, as w ell a s e.g., [ 12 , 13 ]. In our pa per , we study dyna mica l sy stems on Z p , which is the ring o f integers of Q p , and simultaneously a ball of radius 1. Int erestingly , our techniques developed primarily to study PRNGs was successfully applied to solve a problem (that was set up by A. Khrennikov) on ergo dicity of per turb ed mono mial ma ps o n p -adic spheres, see [ 7 ]. 2. 
2. Basics

A contemporary processor is word-oriented. That is, it works with words of zeros and ones of a certain fixed length $n$ (usually $n = 8, 16, 32, 64$). Each binary word $z \in B_n$ of length $n$ can be considered as the base-2 expansion of a number $z \in \{0, 1, \dots, 2^n - 1\}$ and vice versa. We can also identify the set $\{0, 1, \dots, 2^n - 1\}$ with the residues modulo $2^n$, that is, with the elements of the residue ring $\mathbb{Z}/2^n\mathbb{Z}$. Actually, the arithmetic (numerical) instructions of a processor are just operations of the residue ring $\mathbb{Z}/2^n\mathbb{Z}$: an $n$-bit word processor performing a single instruction of addition (or multiplication) of two $n$-bit numbers just deletes the more significant digits of the sum (or of the product) of these numbers, thus merely reducing the result modulo $2^n$. Note that to calculate the sum of two integers (i.e., without reducing the result modulo $2^n$) a 'standard' processor uses not a single instruction but invokes a program (that is, a sequence of basic instructions).

Another kind of basic instructions of a processor are the bitwise logical operations XOR, OR, AND, NOT, which are clear from their definitions. It is worth noting only that the set $B_n$ with respect to XOR can also be considered as an $n$-dimensional vector space over the field $\mathbb{Z}/2\mathbb{Z} = B$. A third type of instructions could be called machine ones, since they depend on the processor. But usually they include such standard instructions as shifts (left and right) of an $n$-bit word. As an example we give formal definitions of some basic instructions (bitwise logical and machine); the definitions of the rest of these instructions can be obtained by analogy. Let
$$z = \delta_0(z) + \delta_1(z)\cdot 2 + \delta_2(z)\cdot 2^2 + \delta_3(z)\cdot 2^3 + \cdots$$
be the base-2 expansion of $z \in \mathbb{N}_0 = \{0, 1, 2, \dots\}$ (that is, $\delta_j(z) \in \{0, 1\}$).
Then, according to the respective definitions of the instructions, we have
• $y \,\mathrm{XOR}\, z = y \oplus z$ is bitwise addition modulo 2: $\delta_j(y \,\mathrm{XOR}\, z) \equiv \delta_j(y) + \delta_j(z) \pmod 2$;
• $y \,\mathrm{AND}\, z$ is bitwise multiplication modulo 2: $\delta_j(y \,\mathrm{AND}\, z) \equiv \delta_j(y)\cdot\delta_j(z) \pmod 2$;
• NOT, bitwise logical negation: $\delta_j(\mathrm{NOT}(z)) \equiv \delta_j(z) + 1 \pmod 2$;
• $\lfloor z/2 \rfloor$, the integral part of $z/2$, is a shift towards less significant bits;
• $2\cdot z$ is a shift towards more significant bits;
• $y \,\mathrm{AND}\, z$ is masking of $z$ with the mask $y$;
• $z \pmod{2^k} = z \,\mathrm{AND}\, (2^k - 1)$ is reduction of $z$ modulo $2^k$.

Note that in the literature $\oplus$ is used along with XOR for the bitwise 'exclusive or' operator, $\vee$ along with OR, and $\wedge$ (or $\odot$) along with AND. In the rest of this paper we use only OR for bitwise logical 'or', AND for bitwise logical 'and', and XOR for 'exclusive or'.

We can now make the following important observation: basic instructions of a processor are well defined functions on the set $\mathbb{N}_0$ (of non-negative rational integers) with values in $\mathbb{N}_0$. Moreover, all the mentioned basic instructions, arithmetic, bitwise logical and machine ones, are defined on the set $\mathbb{Z}_2$ of all 2-adic integers, which within the context of this paper can be thought of as the set of all countably infinite binary sequences with terms indexed by $0, 1, 2, \dots$. Sequences with only a finite number of 1s correspond to non-negative rational integers in their base-2 expansions, sequences with only a finite number of 0s correspond to negative rational integers, while eventually periodic sequences (that is, sequences that become periodic starting from a certain place) correspond to rational numbers represented by irreducible fractions with odd denominators; for instance, $3 = \dots 00011$, $-3 = \dots 11101$, $\frac{1}{3} = \dots 10101011$, $-\frac{1}{3} = \dots 1010101$. So $\delta_j(u)$ for $u \in \mathbb{Z}_2$ is merely the $j$-th term of the corresponding sequence.
Arithmetic operations (addition and multiplication) on these sequences can be defined via the standard 'school-textbook' algorithms of addition and multiplication of natural numbers represented by base-2 expansions. Each term of the sequence that corresponds to the sum (respectively, to the product) of two given sequences can be calculated by these algorithms in a finite number of steps. Thus $\mathbb{Z}_2$ is a commutative ring with respect to the so defined addition and multiplication. It is a metric space with respect to the metric (distance) $d_2(u, v)$ defined by the following rule: $d_2(u, v) = \|u - v\|_2 = \frac{1}{2^n}$, where $n$ is the smallest non-negative rational integer such that $\delta_n(u) \ne \delta_n(v)$, and $d_2(u, v) = 0$ if no such $n$ exists (i.e., if $u = v$). For instance, $d_2\left(3, \frac{1}{3}\right) = \frac{1}{8}$. The function $d_2(u, 0) = \|u\|_2$ is the norm of the 2-adic integer $u$, and $\mathrm{ord}_2\, u = -\log_2 \|u\|_2$ is the 2-adic valuation of $u$. Note that for $u \in \mathbb{N}_0$ the valuation $\mathrm{ord}_2\, u$ is merely the exponent of the highest power of 2 that divides $u$ (thus, loosely speaking, $\mathrm{ord}_2\, 0 = \infty$, so $\|0\|_2 = 0$).

Once the metric is defined, one defines the notions of convergent sequences, limits, continuous functions on the metric space, and even derivatives if the space is a commutative ring. For instance, with respect to the so defined metric on $\mathbb{Z}_2$ the following sequence tends to $-1 = \dots 111$:
$$1, 3, 7, 15, 31, \dots, 2^n - 1, \dots \xrightarrow{\ d_2\ } -1;$$
bitwise logical operators (such as XOR, AND, ...) define continuous functions of two variables; the function $f(x) = x \,\mathrm{XOR}\, a$ is differentiable everywhere on $\mathbb{Z}_2$ for every rational integer $a$: its derivative is $-1$ for negative $a$, and $1$ otherwise (see example 4.15 for other examples of this kind and more detailed calculations).
Reduction modulo $2^n$ of a 2-adic integer $v$, i.e., setting all terms of the corresponding sequence with indexes greater than $n - 1$ to zero (that is, taking the first $n$ digits of the representation of $v$), is just an approximation of the 2-adic integer $v$ by a rational integer with precision $\frac{1}{2^n}$: this approximation is the $n$-digit non-negative rational integer $v \,\mathrm{AND}\, (2^n - 1)$; the latter will also be denoted $v \bmod 2^n$. Actually a processor works with approximations of 2-adic integers with respect to the 2-adic metric: when one tries to load a number whose base-2 expansion contains more than $n$ significant bits into a register of an $n$-bit processor, the processor writes only the $n$ low order bits of the number into the register, thus reducing the number modulo $2^n$. Thus the precision of the approximation is defined by the bitlength of the processor.

All these considerations (after proper modifications) remain true for an arbitrary prime $p$, and not only for $p = 2$, thus leading to the notion of a $p$-adic integer and to $p$-adic analysis. For a formal introduction to $p$-adic analysis, exact notions and results, see any relevant book, e.g. [22, 28].

3. Approach

Arithmetic and bitwise logical operations are not independent: some of them can be expressed via the others. For instance, for all $u, v \in \mathbb{Z}_2$
$$\begin{aligned}
\mathrm{NOT}\, u &= u \,\mathrm{XOR}\, (-1); \\
u + \mathrm{NOT}\, u &= -1; \\
u \,\mathrm{XOR}\, v &= u + v - 2\,(u \,\mathrm{AND}\, v); \\
u \,\mathrm{OR}\, v &= u + v - (u \,\mathrm{AND}\, v); \\
u \,\mathrm{OR}\, v &= (u \,\mathrm{XOR}\, v) + (u \,\mathrm{AND}\, v).
\end{aligned} \tag{1}$$
Proofs of the identities (1) are just an exercise: for example, if $\alpha, \beta \in \{0, 1\}$ then $\alpha \,\mathrm{XOR}\, \beta = \alpha + \beta - 2\alpha\beta$ and $\alpha \,\mathrm{OR}\, \beta = \alpha + \beta - \alpha\beta$. Hence
$$\begin{aligned}
u \,\mathrm{XOR}\, v &= \sum_{i=0}^{\infty} 2^i\,(\delta_i(u) \,\mathrm{XOR}\, \delta_i(v)) = \sum_{i=0}^{\infty} 2^i\,(\delta_i(u) + \delta_i(v) - 2\,\delta_i(u)\,\delta_i(v)) \\
&= \sum_{i=0}^{\infty} 2^i\,\delta_i(u) + \sum_{i=0}^{\infty} 2^i\,\delta_i(v) - 2\sum_{i=0}^{\infty} 2^i\,\delta_i(u)\,\delta_i(v) = u + v - 2\,(u \,\mathrm{AND}\, v).
\end{aligned}$$
Proofs of the remaining identities can be made by analogy and thus are omitted. A shift towards more significant digits, as well as masking, can be derived from the above operations: an $m$-step shift of $u$ is $2^m u$; masking of $u$ is $u \,\mathrm{AND}\, M$, where $M$ is an integer whose base-2 expansion is the mask (i.e., a string of 0s and 1s).

A common feature that all the above mentioned arithmetic, bitwise logical and machine operations share is that they are, with the only exception of shifts towards less significant bits, compatible; that is, $\omega(u, v) \equiv \omega(u_1, v_1) \pmod{2^r}$ whenever both congruences $u \equiv u_1 \pmod{2^r}$ and $v \equiv v_1 \pmod{2^r}$ hold simultaneously (here $\omega$ stands for any of these operations, arithmetic, bitwise logical, or machine). The notion of a compatible mapping can be naturally generalized to mappings $(\mathbb{Z}/2^l\mathbb{Z})^t \to (\mathbb{Z}/2^l\mathbb{Z})^s$ and $\mathbb{Z}_2^t \to \mathbb{Z}_2^s$ of Cartesian products.

We note that the considerations made above hold, after proper modifications, for an arbitrary prime $p$, and not only for $p = 2$. The case of an odd prime $p$ is important for producing pseudorandom sequences on $N$ symbols, $N > 2$. PRNGs that produce pseudorandom numbers in the range $\{0, 1, 2, \dots, N - 1\}$ are often used in practice, and we are going to discuss them as well. However, the case $p = 2$ will sometimes be exceptional in our considerations (this often happens in $p$-adic analysis), so from time to time we have to switch to the case $p = 2$ and then revert to the general case.

The compatibility property, being originally stated in algebraic terms, can be expressed in terms of $p$-adic analysis as well, for an arbitrary prime $p$, and not only for $p = 2$.
Namely, it is not difficult to verify that a function $F\colon \mathbb{Z}_p^t \to \mathbb{Z}_p^s$ is compatible if and only if it satisfies the Lipschitz condition with coefficient 1 with respect to the $p$-adic distance; e.g., for $s = t = 1$ the function $F$ is compatible if and only if $\|F(u) - F(v)\|_p \le \|u - v\|_p$ for all $u, v \in \mathbb{Z}_p$. Obviously, a composition of compatible mappings is a compatible mapping.

We now list some important examples of compatible operators $(\mathbb{Z}_p)^t \to (\mathbb{Z}_p)^s$, $p$ prime. Here are some of them that originate from arithmetic operations:
$$\begin{aligned}
&\text{multiplication, } \cdot\,\colon (u, v) \mapsto uv; \\
&\text{addition, } +\colon (u, v) \mapsto u + v; \\
&\text{subtraction, } -\colon (u, v) \mapsto u - v; \\
&\text{exponentiation, } \uparrow_p\colon (u, v) \mapsto u \uparrow_p v = (1 + pu)^v; \\
&\text{raising to negative powers, } u \uparrow_p (-n) = (1 + pu)^{-n}; \\
&\text{division, } /_p\colon u /_p v = u \cdot (v \uparrow_p (-1)) = \frac{u}{1 + pv}.
\end{aligned} \tag{2}$$
The other part originates from digitwise logical operations of $p$-valued logic:
$$\begin{aligned}
&\text{digitwise multiplication } u \odot_p v\colon \delta_j(u \odot_p v) \equiv \delta_j(u)\,\delta_j(v) \pmod p; \\
&\text{digitwise addition } u \oplus_p v\colon \delta_j(u \oplus_p v) \equiv \delta_j(u) + \delta_j(v) \pmod p; \\
&\text{digitwise subtraction } u \ominus_p v\colon \delta_j(u \ominus_p v) \equiv \delta_j(u) - \delta_j(v) \pmod p.
\end{aligned} \tag{3}$$
Here $\delta_j(z)$ ($j = 0, 1, 2, \dots$) stands for the $j$-th digit of $z$ in its base-$p$ expansion. For $p = 2$ the equations (3) define AND and XOR.

In the case $p = 2$ compatible mappings can be characterized in terms of Boolean functions. Namely, each transformation $T\colon \mathbb{Z}/2^n\mathbb{Z} \to \mathbb{Z}/2^n\mathbb{Z}$ of the residue ring $\mathbb{Z}/2^n\mathbb{Z}$ modulo $2^n$ can be considered as an ensemble of $n$ Boolean functions $\tau^T_i(\chi_0, \dots, \chi_{n-1})$, $i = 0, 1, 2, \dots, n - 1$, in $n$ Boolean variables $\chi_0, \dots, \chi_{n-1}$, by setting $\chi_i = \delta_i(u)$ and $\tau^T_i(\chi_0, \dots, \chi_{n-1}) = \delta_i(T(u))$ for $u$ running from $0$ to $2^n - 1$. The following easy proposition holds.

Proposition 3.1.
[1] A mapping $T\colon \mathbb{Z}/2^n\mathbb{Z} \to \mathbb{Z}/2^n\mathbb{Z}$ (accordingly, a mapping $T\colon \mathbb{Z}_2 \to \mathbb{Z}_2$) is compatible if and only if each Boolean function $\tau^T_i(\chi_0, \chi_1, \dots) = \delta_i(T(u))$, $i = 0, 1, 2, \dots$, does not depend on the variables $\chi_j = \delta_j(u)$ for $j > i$.

Note. We use the term 'compatible' instead of the term 'conservative' of [1], since the latter term has attained another meaning in numerous papers on algebraic systems, see [26, p. 45]. Note that in the theory of Boolean functions mappings satisfying the conditions of the proposition are also known as triangular mappings, and as T-functions in cryptography. The proposition, after proper restatement (in terms of functions of $p$-valued logic), also holds for odd prime $p$.

For multivariate mappings proposition 3.1 holds as well: a mapping $T = (t_1, \dots, t_s)\colon \mathbb{Z}_2^r \to \mathbb{Z}_2^s$ is compatible if and only if each Boolean function $\tau^{t_k}_i(\chi_{1,0}, \chi_{1,1}, \dots, \chi_{r,0}, \chi_{r,1}, \dots) = \delta_i(t_k(u_1, \dots, u_r))$ ($i = 0, 1, 2, \dots$; $k = 1, \dots, s$) does not depend on the variables $\chi_{\ell,j} = \delta_j(u_\ell)$ for $j > i$ ($\ell = 1, 2, \dots, r$).

Now, given a compatible mapping $T\colon \mathbb{Z}_2 \to \mathbb{Z}_2$, one can define an induced mapping $T \bmod 2^n\colon \mathbb{Z}/2^n\mathbb{Z} \to \mathbb{Z}/2^n\mathbb{Z}$ by setting $(T \bmod 2^n)(z) = T(z) \bmod 2^n = (T(z)) \,\mathrm{AND}\, (2^n - 1)$ for $z = 0, 1, 2, \dots, 2^n - 1$. The induced mapping is obviously a compatible mapping of the ring $\mathbb{Z}/2^n\mathbb{Z}$ into itself. For odd prime $p$, as well as for the multivariate case $T\colon \mathbb{Z}_p^s \to \mathbb{Z}_p^t$, an induced mapping $T \bmod p^n$ can be defined by analogy.

Definition 3.2. We call a compatible mapping $T\colon \mathbb{Z}_p \to \mathbb{Z}_p$ bijective modulo $p^n$ if and only if the induced mapping $T \bmod p^n$ is a permutation on $\mathbb{Z}/p^n\mathbb{Z}$; we call $T$ transitive modulo $p^n$ if and only if $T \bmod p^n$ is a permutation with a single cycle.
We call a compatible mapping $T\colon \mathbb{Z}_p^s \to \mathbb{Z}_p^t$ balanced modulo $p^n$ if and only if the induced mapping $T \bmod p^n$ maps $(\mathbb{Z}/p^n\mathbb{Z})^s$ onto $(\mathbb{Z}/p^n\mathbb{Z})^t$, and each element of $(\mathbb{Z}/p^n\mathbb{Z})^t$ has the same number of preimages in $(\mathbb{Z}/p^n\mathbb{Z})^s$.

Often a pseudorandom generator can be constructed as a finite automaton $\mathfrak{A} = \langle N, M, f, F, u_0 \rangle$ with a finite state set $N$, state transition function $f\colon N \to N$, finite output alphabet $M$, output function $F\colon N \to M$ and an initial state (seed) $u_0 \in N$. The sequence $\mathcal{T} = \{u_j = f^j(u_0)\}_{j=0}^{\infty}$ is called the sequence of states, where
$$f^j(u_0) = \underbrace{f(\dots f(}_{j \text{ times}} u_0) \dots) \quad (j = 1, 2, \dots); \qquad f^0(u_0) = u_0.$$
Thus the generator produces the output sequence $\mathcal{S}$ over the set $M$ out of the sequence of states:
$$\mathcal{S} = F(u_0),\ F(f(u_0)),\ F(f^2(u_0)),\ \dots,\ F(f^j(u_0)),\ \dots$$
Mappings that are transitive modulo $p^n$, as well as mappings that are balanced modulo $p^n$, can be used as building blocks of pseudorandom generators to provide both a large period length and uniform distribution of the output sequences. Namely, the following obvious proposition holds.

Proposition 3.3. If the state transition function $f$ of the automaton $\mathfrak{A}$ is transitive on the state set $N$, i.e., if $f$ is a permutation with a single cycle of length $|N|$, if, further, $|N|$ is a multiple of $|M|$, and if the output function $F\colon N \to M$ is balanced (i.e., $|F^{-1}(s)| = |F^{-1}(t)|$ for all $s, t \in M$), then the output sequence $\mathcal{S}$ of the automaton $\mathfrak{A}$ is purely periodic with a period of length $|N|$ (i.e., the maximum possible), and each element of $M$ occurs in that period the same number of times, exactly $\frac{|N|}{|M|}$. That is, the output sequence $\mathcal{S}$ is strictly uniformly distributed. (Note that $|N|$ is a period of $\mathcal{S}$, not necessarily its shortest one: when $F$ is not injective on the cycle, the shortest period of $\mathcal{S}$ may be a proper divisor of $|N|$.)
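The identities (1), the compatibility condition and the T-function criterion of Proposition 3.1 are all mechanically checkable, and a practitioner building a generator out of processor instructions should check them rather than assume them. The Python script below is an added example, not code from the paper: it uses Python's arbitrary-precision integers as finitely supported 2-adic integers (a negative `int` carries the infinite two's-complement expansion described in section 2, so `-3` is `...11101` and `&`, `|`, `^`, `~` act digitwise exactly as AND, OR, XOR, NOT), represents a rational with odd denominator such as $\frac13$ by its first $k$ digits via a modular inverse, and names all helpers (`digit`, `approx_mod`, `dist2`, `identities_hold`, `is_compatible`, `is_T_function`) itself. The compatibility test is randomized and can only refute; the T-function test is exhaustive on $\mathbb{Z}/2^n\mathbb{Z}$.

```python
"""Added example: 2-adic integers as Python ints, the identities (1), the
compatibility (Lipschitz-1) condition and the T-function test of
Proposition 3.1.  Not code from the paper; all names are the example's own."""
import random


def digit(u: int, j: int) -> int:
    """delta_j(u): the j-th base-2 digit of u.  Negative ints carry the
    infinite two's-complement expansion, so digit(-3, j) reads ...11101."""
    return (u >> j) & 1


def approx_mod(num: int, den: int, k: int) -> int:
    """num/den with odd den is a 2-adic integer; its first k digits
    (its reduction modulo 2^k) are num * den^(-1) mod 2^k."""
    if den % 2 == 0:
        raise ValueError("denominator must be odd")
    mod = 1 << k
    return num * pow(den, -1, mod) % mod


def dist2(u: int, v: int) -> float:
    """d_2(u, v) = 2^(-n), n the index of the first digit where u and v
    differ; 0 if u == v."""
    if u == v:
        return 0.0
    diff = u ^ v                          # XOR marks the differing digits
    n = (diff & -diff).bit_length() - 1   # index of the lowest set bit
    return 2.0 ** -n


def identities_hold(u: int, v: int) -> bool:
    """The identities (1): NOT, XOR and OR expressed through +, - and AND."""
    return (~u == u ^ -1
            and u + ~u == -1
            and u ^ v == u + v - 2 * (u & v)
            and u | v == u + v - (u & v)
            and u | v == (u ^ v) + (u & v))


def is_compatible(op, r: int, samples: int = 200, seed: int = 1) -> bool:
    """Compatibility: op(u, v) = op(u1, v1) (mod 2^r) whenever u = u1 and
    v = v1 (mod 2^r).  Draws random pairs that agree modulo 2^r but differ
    above digit r-1; one violation refutes compatibility, no violation is
    evidence for this r only."""
    rng = random.Random(seed)
    mod = 1 << r
    for _ in range(samples):
        u = rng.randrange(-mod * mod, mod * mod)
        v = rng.randrange(-mod * mod, mod * mod)
        u1 = u + mod * rng.randrange(-mod, mod)   # u1 = u (mod 2^r)
        v1 = v + mod * rng.randrange(-mod, mod)   # v1 = v (mod 2^r)
        if (op(u, v) - op(u1, v1)) % mod != 0:
            return False
    return True


def is_T_function(T, n: int) -> bool:
    """Proposition 3.1 on Z/2^n: output digit i may depend on input digits
    0..i only.  Flipping input digit j must leave the output digits below j
    unchanged, for every input u (exhaustive, 2^n * n evaluations)."""
    mask = (1 << n) - 1
    for u in range(1 << n):
        t = T(u) & mask
        for j in range(n):
            low = (1 << j) - 1                 # digits 0..j-1
            if (T(u ^ (1 << j)) ^ t) & low:
                return False
    return True


if __name__ == "__main__":
    print(bin(approx_mod(1, 3, 8)), bin(approx_mod(-1, 3, 8)))   # 1/3 and -1/3, 8 digits
    print(dist2(3, approx_mod(1, 3, 8)))                          # d_2(3, 1/3)
    print(is_compatible(lambda u, v: u * v, 8), is_compatible(lambda u, v: u >> 1, 8))
    print(is_T_function(lambda u: u * u + 3 * u + 1, 6), is_T_function(lambda u: u >> 1, 6))
```

The right shift is the one basic instruction that fails both tests, which is exactly the exception the text makes for shifts towards less significant bits; a function that mixes in higher bits, such as `u ^ (u >> 3)`, fails the T-function test for the same reason even though each of its pieces is a basic instruction.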
Note that in the case $N = B_{kn}$ and $M = B_{ln}$ one can use a compatible state transition function $f\colon \mathbb{Z}/2^{kn}\mathbb{Z} \to \mathbb{Z}/2^{kn}\mathbb{Z}$ that is transitive modulo $2^{kn}$ and an output function $F\colon (\mathbb{Z}/2^n\mathbb{Z})^k \to (\mathbb{Z}/2^n\mathbb{Z})^l$ that is balanced modulo $2^n$ to produce a strictly uniformly distributed sequence.

Now we describe the connections between generators of strictly uniformly distributed sequences and $p$-adic ergodic theory. Recall that a dynamical system on a measurable space $\mathbb{S}$ is a triple $(\mathbb{S}; \mu; f)$, where $\mathbb{S}$ is a set endowed with a measure $\mu$, and $f\colon \mathbb{S} \to \mathbb{S}$ is a measurable function; that is, the $f$-preimage of any measurable subset is a measurable subset. These basic definitions from dynamical systems theory, as well as the following ones, can be found in [24]; see also [17] as a comprehensive monograph on various aspects of dynamical systems theory. A trajectory of a dynamical system is a sequence $x_0,\ x_1 = f(x_0),\ \dots,\ x_i = f(x_{i-1}) = f^i(x_0),\ \dots$ of points of the space $\mathbb{S}$; $x_0$ is called the initial point of the trajectory. If $F\colon \mathbb{S} \to \mathbb{T}$ is a measurable mapping to some other measurable space $\mathbb{T}$ with a measure $\nu$ (that is, if the $F$-preimage of any $\nu$-measurable subset of $\mathbb{T}$ is a $\mu$-measurable subset of $\mathbb{S}$), the sequence $F(x_0), F(x_1), F(x_2), \dots$ is called an observable. Note that the trajectory formally looks like the sequence of states of a pseudorandom generator, whereas the observable resembles the output sequence.

A mapping $F\colon \mathbb{S} \to \mathbb{Y}$ of a measurable space $\mathbb{S}$ into a measurable space $\mathbb{Y}$, endowed with probabilistic measures $\mu$ and $\nu$ respectively, is said to be measure preserving (or, sometimes, equiprobable) whenever $\mu(F^{-1}(S)) = \nu(S)$ for each measurable subset $S \subset \mathbb{Y}$.
In the case $\mathbb{S} = \mathbb{Y}$ and $\mu = \nu$, a measure preserving mapping $F$ is said to be ergodic whenever for each measurable subset $S$ such that $F^{-1}(S) = S$ either $\mu(S) = 1$ or $\mu(S) = 0$ holds.

Recall that to define a measure $\mu$ on some set $\mathbb{S}$ we should assign non-negative real numbers to some subsets that are called elementary. All other measurable subsets are compositions of these elementary subsets with respect to countable unions, intersections, and complements. Elementary subsets in $\mathbb{Z}_p$ are the balls $B_{p^{-k}}(a) = a + p^k\mathbb{Z}_p$ of radius $p^{-k}$ (in other words, cosets with respect to the ideal generated by $p^k$). To each ball we assign the number $\mu_p(B_{p^{-k}}(a)) = \frac{1}{p^k}$. This way we define a probabilistic measure on the space $\mathbb{Z}_p$, $\mu_p(\mathbb{Z}_p) = 1$. The measure $\mu_p$ is called the (normalized) Haar measure on $\mathbb{Z}_p$. The normalized Haar measure on $\mathbb{Z}_p^n$ can be defined by analogy.

Note that a sequence $\{s_i\}_{i=0}^{\infty}$ of $p$-adic integers is uniformly distributed (with respect to the normalized Haar measure $\mu_p$ on $\mathbb{Z}_p$) if and only if it is uniformly distributed modulo $p^k$ for all $k = 1, 2, \dots$; that is, for every $a \in \mathbb{Z}/p^k\mathbb{Z}$ the relative numbers of occurrences of $a$ in the initial segment of length $\ell$ of the sequence $\{s_i \bmod p^k\}$ of residues modulo $p^k$ are asymptotically equal, i.e.,
$$\lim_{\ell \to \infty} \frac{A(a, \ell)}{\ell} = \frac{1}{p^k}, \qquad \text{where } A(a, \ell) = \bigl|\{\, i < \ell : s_i \equiv a \pmod{p^k} \,\}\bigr|,$$
see [24] for details. Thus strictly uniformly distributed sequences are uniformly distributed in the common sense of the theory of distribution of sequences. Moreover, the following theorem (which was announced in [4] and proved in [7]) holds.

Theorem 3.1. For $m = n = 1$, a compatible mapping $F\colon \mathbb{Z}_p^n \to \mathbb{Z}_p^m$ preserves the normalized Haar measure $\mu_p$ on $\mathbb{Z}_p$ (resp., is ergodic with respect to $\mu_p$) if and only if it is bijective (resp., transitive) modulo $p^k$ for all $k = 1, 2, 3, \dots$
For $n \ge m$, the mapping $F$ preserves the measure $\mu_p$ if and only if it induces a balanced mapping of $(\mathbb{Z}/p^k\mathbb{Z})^n$ onto $(\mathbb{Z}/p^k\mathbb{Z})^m$ for all $k = 1, 2, 3, \dots$

This theorem in combination with proposition 3.3 implies in particular that whenever one chooses a compatible and ergodic mapping $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ as the state transition function of the automaton $\mathfrak{A}$, and a compatible and measure-preserving mapping $F\colon (\mathbb{Z}/2^n\mathbb{Z})^k \to (\mathbb{Z}/2^n\mathbb{Z})^l$ as the output function of $\mathfrak{A}$, both the sequence of states and the output sequence of the automaton are uniformly distributed with respect to the Haar measure. This implies that reduction of these sequences modulo $2^n$ results in strictly uniformly distributed sequences of binary words. Note also that a computer performs the reduction modulo $2^n$ automatically.

Thus theorem 3.1 gives us a way to construct generators of uniformly distributed sequences out of standard computer instructions. Now the problem is how to describe these measure preserving (in particular, ergodic) mappings within the class of all compatible mappings. We start to develop some theory to answer the following questions: which compositions of basic instructions are measure preserving? which are ergodic? Given a composition of basic instructions, is it measure preserving? is it ergodic?

4. Tools

In this section we introduce various techniques in order to construct measure preserving and/or ergodic mappings, as well as to verify whether a given mapping is measure preserving or, respectively, ergodic. We are mainly focused on the class of compatible mappings.

The main results of Subsection 4.1 are Theorem 4.1 and Theorem 4.3. With the use of these one can verify whether a given function is measure-preserving or ergodic. Theorem 4.1 gives a general method, yet demands that the function be represented via an interpolation series.
Theorem 4.3 gives an easier method for a narrower class of functions, which is, however, rather wide: e.g., it contains polynomials and rational functions. The main result of Subsection 4.2 is Theorem 4.4, which gives a general method to construct a measure-preserving or ergodic function out of an arbitrary compatible function. Theorem 4.5 is the central point of Subsection 4.3. Being more of theoretical value, it has as a consequence the useful Proposition 4.10, which gives an easy method to construct new vast classes of ergodic functions out of a given ergodic function. Subsection 4.4 deals with differentiation. In particular, this subsection introduces a calculus for functions built from basic computer operators. The main result of this subsection is Theorem 4.7, which gives conditions for a uniformly differentiable function to be ergodic.

4.1. Interpolation series. The general characterization of compatible ergodic functions is given by the following theorem.

Theorem 4.1. [1, 2] A function $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is compatible if and only if it can be represented as
$$f(x) = c_0 + \sum_{i=1}^{\infty} c_i\, 2^{\lfloor \log_2 i \rfloor} \binom{x}{i} \qquad (x \in \mathbb{Z}_2);$$
the function $f$ is compatible and measure preserving if and only if it can be represented as
$$f(x) = c_0 + x + \sum_{i=1}^{\infty} c_i\, 2^{\lfloor \log_2 i \rfloor + 1} \binom{x}{i} \qquad (x \in \mathbb{Z}_2);$$
the function $f$ is compatible and ergodic if and only if it can be represented as
$$f(x) = 1 + x + \sum_{i=0}^{\infty} c_i\, 2^{\lfloor \log_2 (i+1) \rfloor + 1} \binom{x}{i} \qquad (x \in \mathbb{Z}_2),$$
where $c_0, c_1, c_2, \dots \in \mathbb{Z}_2$ (in the last representation the $i = 0$ term makes the constant term an arbitrary odd 2-adic integer $1 + 2c_0$, in agreement with the congruence $c_0 \equiv 1 \pmod 2$ of Proposition 4.3 below). Here, as usual,
$$\binom{x}{i} = \begin{cases} \dfrac{x(x-1)\cdots(x-i+1)}{i!}, & i = 1, 2, \dots; \\[4pt] 1, & i = 0, \end{cases}$$
and $\lfloor \alpha \rfloor$ is the integral part of $\alpha$, i.e., the largest rational integer not exceeding $\alpha$.

Note.
For an odd prime $p$ an analog of the statement of Theorem 4.1 provides only sufficient conditions for ergodicity (resp., measure preservation) of $f$: namely, if $(c, p) = 1$, i.e., if $c$ is a unit (an invertible element) of $\mathbb{Z}_p$, then the function
$$f(x) = c + x + \sum_{i=1}^{\infty} c_i\, p^{\lfloor \log_p (i+1) \rfloor + 1} \binom{x}{i}$$
defines a compatible and ergodic mapping of $\mathbb{Z}_p$ onto itself, and the function
$$f(x) = c_0 + c \cdot x + \sum_{i=1}^{\infty} c_i\, p^{\lfloor \log_p i \rfloor + 1} \binom{x}{i}$$
defines a compatible and measure preserving mapping of $\mathbb{Z}_p$ onto itself (see [4]).

Thus, in view of Theorem 4.1 one can choose a state transition function to be a polynomial with rational (not necessarily integer) coefficients, setting $c_i = 0$ for all but a finite number of $i$. Note that to determine whether a given polynomial $f$ with rational (and not necessarily integer) coefficients is integer valued (that is, maps $\mathbb{Z}_p$ into itself), compatible and ergodic, it is sufficient to determine whether it induces a permutation with a single cycle on $O(\deg f)$ integral points. To be more exact, the following proposition holds.

Proposition 4.1. [4] A polynomial $f(x) \in \mathbb{Q}_p[x]$ over the field of $p$-adic numbers $\mathbb{Q}_p$ is integer valued, compatible, and ergodic (resp., measure preserving) if and only if $z \mapsto f(z) \bmod p^{\lfloor \log_p(\deg f)\rfloor + 3}$, where $z$ runs through $0, 1, \ldots, p^{\lfloor \log_p(\deg f)\rfloor + 3} - 1$, is a compatible and transitive (resp., bijective) mapping of the residue ring $\mathbb{Z}/p^{\lfloor \log_p(\deg f)\rfloor + 3}\mathbb{Z}$ onto itself.

Although this is not very essential for further considerations, we note, however, that the series in the statement of Theorem 4.1 and in the note thereafter are uniformly convergent with respect to the $p$-adic distance. Thus the mapping $f\colon \mathbb{Z}_p \to \mathbb{Z}_p$ is well defined and continuous with respect to the $p$-adic distance, see [28, Chapter 9].
Theorem 4.1 can be applied in the design of exponential generators (the ones based on exponentiation) of uniformly distributed sequences.

Example 4.2. For any odd $a = 1 + 2m$ the function $f(x) = ax + a^x$ is transitive modulo $2^n$, for all $n = 1, 2, \ldots$. Indeed, in view of Theorem 4.1 the function $f$ defines a compatible and ergodic transformation of $\mathbb{Z}_2$, since
$$f(x) = (1+2m)x + (1+2m)^x = x + 2mx + \sum_{i=0}^{\infty} m^i 2^i \binom{x}{i} = 1 + x + 4m\binom{x}{1} + \sum_{i=2}^{\infty} m^i 2^i \binom{x}{i}$$
and $i \ge \lfloor \log_2(i+1) \rfloor + 1$ for all $i = 2, 3, 4, \ldots$.

This generator could be of practical value since it uses not more than $n+1$ multiplications modulo $2^n$ of $n$-bit numbers; of course, one should use calls to the look-up table $a^{2^j} \bmod 2^n$, $j = 1, 2, 3, \ldots, n-1$. The latter table must be precomputed; the corresponding calculations involve $n-1$ multiplications modulo $2^n$.

Note. A similar argument shows that for every prime $p$ and every $a \equiv 1 \pmod p$ the function $f(x) = ax + a^x$ defines a compatible and ergodic mapping of $\mathbb{Z}_p$ onto itself.

For polynomials with (rational or $p$-adic) integer coefficients Theorem 4.1 may be restated in the following form.

Proposition 4.3. [1, 2] Represent a polynomial $f(x) \in \mathbb{Z}_2[x]$ in the basis of descending factorial powers $x^{\underline{0}} = 1,\ x^{\underline{1}} = x,\ \ldots,\ x^{\underline{i}} = x(x-1)\cdots(x-i+1),\ \ldots$, that is, let
$$f(x) = \sum_{i=0}^{d} c_i \cdot x^{\underline{i}}$$
for $c_0, c_1, \ldots, c_d \in \mathbb{Z}_2$. Then the polynomial $f$ induces an ergodic (and, obviously, a compatible) mapping of $\mathbb{Z}_2$ onto itself if and only if its coefficients $c_0, c_1, c_2, c_3$ satisfy the following congruences:
$$c_0 \equiv 1 \pmod 2,\quad c_1 \equiv 1 \pmod 4,\quad c_2 \equiv 0 \pmod 2,\quad c_3 \equiv 0 \pmod 4.$$
The polynomial $f$ induces a measure preserving mapping if and only if
$$c_1 \equiv 1 \pmod 2,\quad c_2 \equiv 0 \pmod 2,\quad c_3 \equiv 0 \pmod 2.$$
Thus, to provide ergodicity of the polynomial $f$ it is necessary and sufficient to fix 6 bits only, while the other bits of the coefficients of $f$ may be arbitrary. This guarantees transitivity of the state transition function $z \mapsto f(z) \bmod 2^n$ for each $n$, and hence uniform distribution of the sequence of states.

Proposition 4.3 implies that a polynomial $f(x) \in \mathbb{Z}[x]$ is ergodic (resp., measure preserving) if and only if it is transitive modulo 8 (resp., if and only if it is bijective modulo 4). A corresponding assertion holds in the general case, for an arbitrary prime $p$.

Theorem 4.2. [25] A polynomial $f(x) \in \mathbb{Z}_p[x]$ induces an ergodic transformation of $\mathbb{Z}_p$ if and only if it is transitive modulo $p^2$ for $p \ne 2, 3$, or modulo $p^3$, for $p = 2, 3$. The polynomial $f(x) \in \mathbb{Z}_p[x]$ induces a measure preserving transformation of $\mathbb{Z}_p$ if and only if it is bijective modulo $p^2$.

Example 4.4. The mapping $x \mapsto f(x) \equiv x + 2x^2 \pmod{2^{32}}$ (which is used in the cipher RC6, see [30]) is bijective, since it is bijective modulo 4: $f(0) \equiv 0$, $f(1) \equiv 3$, $f(2) \equiv 2$, $f(3) \equiv 1 \pmod 4$. Thus, the mapping $x \mapsto f(x) \equiv x + 2x^2 \pmod{2^n}$ is bijective for all $n = 1, 2, \ldots$.

Hence, with the use of Theorem 4.2 it is possible to construct transitive modulo $q > 1$ mappings for arbitrary natural $q$: one just takes $f(z) = (1 + z + \hat q\, g(z)) \bmod q$, where $g(x) \in \mathbb{Z}[x]$ is an arbitrary polynomial, and $\hat q$ is the product of $p^{s_p}$ over all prime factors $p$ of $q$, where $s_2 = s_3 = 3$, and $s_p = 2$ for $p \ne 2, 3$. For example, the polynomial $f(x) = 201 + 201x + 200x^{17}$ is transitive modulo $10^n$ for arbitrary $n$. In these considerations, the polynomial $g(x)$ may be chosen, roughly speaking, 'more or less at random', yet the output sequence will be uniformly distributed for any choice of $g(x)$.
This assertion can be generalized also:

Proposition 4.5. [4] Let $p$ be a prime, and let $g(x)$ be an arbitrary composition of arithmetic operations (see (2) of Section 3). Then the mapping $z \mapsto 1 + z + p^2 g(z)$ ($z \in \mathbb{Z}_p$) is ergodic.

In fact, both Propositions 4.3 and 4.5 and Theorem 4.2 are special cases of the following general theorem.

Theorem 4.3. [4] Let $\mathcal{B}_p$ be the class of all functions defined by series of the form $f(x) = \sum_{i=0}^{\infty} c_i \cdot x^{\underline{i}}$, where $c_0, c_1, \ldots$ are $p$-adic integers, and $x^{\underline{i}}$, $i = 0, 1, 2, \ldots$, are descending factorial powers (see Proposition 4.3). Then the function $f \in \mathcal{B}_p$ preserves measure if and only if it is bijective modulo $p^2$; $f$ is ergodic if and only if it is transitive modulo $p^2$ (for $p \ne 2, 3$), or modulo $p^3$ (for $p \in \{2, 3\}$).

Note. As was shown in [4], the class $\mathcal{B}_p$ contains all polynomial functions over $\mathbb{Z}_p$, as well as analytic (e.g., rational, entire) functions that are convergent everywhere on $\mathbb{Z}_p$. Actually, every mapping that is a composition of arithmetic operators (2) belongs to $\mathcal{B}_p$; thus, every such mapping modulo $p^n$ could be induced by a polynomial with rational integer coefficients (see the end of Section 4 in [4]). For instance, the mapping $x \mapsto (3x + 3^x) \bmod 2^n$ (which is transitive modulo $2^n$, see Example 4.2) could be induced by the polynomial
$$1 + x + 4\binom{x}{1} + \sum_{i=2}^{n-1} 2^i \binom{x}{i} = 1 + 5x + \sum_{i=2}^{n-1} \frac{2^i}{i!}\cdot x^{\underline{i}};$$
just note that $c_i = \frac{2^i}{i!}$ are 2-adic integers, since the exponent of the maximal power of 2 that divides $i!$ is exactly $i - \mathrm{wt}_2\, i$, where $\mathrm{wt}_2\, i$ is the number of 1s in the base-2 expansion of $i$ (see e.g. [22, Chapter 1, Section 2, Exercise 12]); thus $\|c_i\|_2 = 2^{-\mathrm{wt}_2\, i} \le 1$, i.e., $c_i \in \mathbb{Z}_2$ and so $c_i \bmod 2^n \in \mathbb{Z}$.
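The small-modulus criteria above are easy to check by machine. The following Python is an added example (not the paper's code) that brute-forces the cycle structure of a mapping modulo $m$ and applies it to the paper's own mappings: Example 4.4's $x + 2x^2$ (bijective modulo 4, hence modulo every $2^n$), the polynomial $201 + 201x + 200x^{17}$ built by the recipe after Theorem 4.2, Example 4.2's $3x + 3^x$ computed with the look-up table $a^{2^j} \bmod 2^n$, and the falling-factorial polynomial of the Note, whose coefficients $2^i/i!$ are reduced modulo $2^n$ as 2-adic integers. Only Python 3.8+ (`pow(a, -1, m)`) is assumed.

```python
# Added example (not from the paper): brute-force checks of the criteria of
# Theorem 4.2 / Theorem 4.3 and of the generators of Examples 4.2 and 4.4 and
# of the Note above.  Python 3.8+ is assumed for pow(a, -1, m).

def cycle_lengths(f, m):
    """Cycle lengths of z -> f(z) mod m on {0, ..., m-1};
    None if the induced mapping is not a permutation of Z/mZ."""
    image = [f(z) % m for z in range(m)]
    if len(set(image)) != m:
        return None
    seen, lengths = [False] * m, []
    for start in range(m):
        if seen[start]:
            continue
        z, length = start, 0
        while not seen[z]:
            seen[z] = True
            z, length = image[z], length + 1
        lengths.append(length)
    return lengths

def is_bijective(f, m):
    return cycle_lengths(f, m) is not None

def is_transitive(f, m):
    """Transitive modulo m: one cycle running through all m residues."""
    return cycle_lengths(f, m) == [m]

# Example 4.4: the RC6 map x + 2x^2 is bijective modulo 4, hence modulo every 2^n.
def rc6_map(x):
    return x + 2 * x * x

# Theorem 4.2 recipe for q = 10: q_hat = 2^3 * 5^2 = 200, g(z) = 1 + z + z^17,
# so f = 1 + z + 200*g(z) = 201 + 201 z + 200 z^17 is transitive modulo 10^n.
def poly_201(x):
    return 201 + 201 * x + 200 * x ** 17

class ExponentialGenerator:
    """Example 4.2: x -> a*x + a^x mod 2^n for odd a, with the precomputed
    table a^(2^j) mod 2^n so that a^x costs at most n-1 multiplications."""
    def __init__(self, a, n):
        assert a % 2 == 1, "a = 1 + 2m must be odd"
        self.a, self.n, self.mod = a, n, 1 << n
        self.table = [a % self.mod]                # table[j] = a^(2^j) mod 2^n
        for _ in range(1, n):
            self.table.append(self.table[-1] ** 2 % self.mod)

    def a_pow(self, x):
        result = 1                                  # a^x = product over the set bits j of x
        for j in range(self.n):
            if (x >> j) & 1:
                result = result * self.table[j] % self.mod
        return result

    def step(self, x):
        return (self.a * x + self.a_pow(x)) % self.mod

# Note after Theorem 4.3: 3x + 3^x mod 2^n is induced by the polynomial
# 1 + 5x + sum_{i=2}^{n-1} (2^i / i!) x^(i), x^(i) the falling factorial,
# where c_i = 2^i / i! is a 2-adic integer of 2-adic norm 2^(-wt_2 i).
def falling_factorial(x, i):
    result = 1
    for k in range(i):
        result *= x - k
    return result

def two_adic_coeff(i, n):
    """c_i = 2^i / i! reduced modulo 2^n: divide out the 2-part of i!
    (its exponent is i - wt_2 i) and invert the odd part in Z/2^n Z."""
    fact = 1
    for k in range(2, i + 1):
        fact *= k
    v = 0
    while fact % 2 == 0:
        fact //= 2
        v += 1
    return (1 << (i - v)) * pow(fact, -1, 1 << n) % (1 << n)

def falling_factorial_poly(n):
    """The polynomial of the Note as a mapping of Z/2^n Z (terms with i >= n
    vanish modulo 2^n because 2^i divides c_i x^(i))."""
    coeffs = {1: 5}
    coeffs.update((i, two_adic_coeff(i, n)) for i in range(2, n))
    return lambda x: (1 + sum(c * falling_factorial(x, i)
                              for i, c in coeffs.items())) % (1 << n)

if __name__ == "__main__":
    print(cycle_lengths(rc6_map, 16))            # a permutation of Z/16Z
    print(is_transitive(poly_201, 1000))         # True
    print(all(falling_factorial_poly(8)(x) == ExponentialGenerator(3, 8).step(x)
              for x in range(256)))              # True
```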
Theorem 4.3 implies that, for instance, the state transition function
$$f(z) = \bigl(1 + z + \zeta(q)^2\,(1 + \zeta(q)\,u(z))^{v(z)}\bigr) \bmod q$$
is transitive modulo $q$ for each natural $q > 1$ and arbitrary polynomials $u(x), v(x) \in \mathbb{Z}[x]$, where $\zeta(q)$ is the product of all prime factors of $q$.

So one can choose as a state transition function not only polynomial functions, but also rational functions, as well as analytic ones. For instance, certain inversive generators (that exploit multiplicative inverses of residues modulo $2^n$) could be considered.

Example 4.6. The function $f(x) = -\dfrac{1}{2x+1} - x$ is transitive modulo $2^n$, for all $n = 1, 2, 3, \ldots$. Indeed, the function
$$f(x) = (-1 + 2x - 4x^2 + 8x^3 - \cdots) - x = -1 + x - 4x^2 + 8(\cdots)$$
is analytic and is defined everywhere on $\mathbb{Z}_2$; thus $f \in \mathcal{B}_p$. Now the conclusion follows from Theorem 4.3, since by direct calculations it could be easily verified that the function $f(x) \equiv -1 + x - 4x^2 \pmod 8$ is transitive modulo 8. Note that the mapping $x \mapsto f(x) \bmod 2^n$ could be induced by the polynomial $-1 + x - 4x^2 + 8x^3 + \cdots + (-1)^n 2^{n-1} x^{n-1}$.

4.2. Combinations of operators. A transformation of the residue ring $\mathbb{Z}/q\mathbb{Z}$ induced by a polynomial with rational integer coefficients is the only type of mapping that could be constructed as a composition of the arithmetic operations $+$ and $\cdot$. The class of all transitive modulo $q$ mappings induced by polynomials with rational integer coefficients is rather wide: for instance, for $q = 2^n$ it contains $2^{O(n^2)}$ mappings (for the exact value see [25, Proposition 16]). However, this class could be widened significantly (up to a class of order $2^{2^n - n - 1}$ in case $q = 2^n$) by including bitwise logical operators into the composition. Actually, every compatible mapping could be constructed this way.

Proposition 4.7.
Let $g$ be a compatible mapping of $\mathbb{Z}_2$ onto itself. Then for each $n = 1, 2, \ldots$ the mapping $\bar g = g \bmod 2^n$ could be represented as a finite composition of arithmetic and bitwise logical operators (actually, as a composition of $+$, XOR, AND and shifts towards higher order bits, i.e., multiplications by powers of 2).

Proof. In view of Proposition 3.1, one could represent $\bar g$ as
$$\bar g(x) = \gamma_0(\chi_0) + 2\gamma_1(\chi_0, \chi_1) + \cdots + 2^{n-1}\gamma_{n-1}(\chi_0, \ldots, \chi_{n-1}),$$
where $\gamma_i = \delta_i(\bar g)$, $\chi_i = \delta_i(x)$, $i = 0, 1, \ldots, n-1$. Since each $\gamma_i(\chi_0, \ldots, \chi_i)$ is a Boolean function in the Boolean variables $\chi_0, \ldots, \chi_i$, it could be expressed via a finite number of XORs and ANDs of these variables $\chi_0, \ldots, \chi_i$. Yet each variable $\chi_j$ could be expressed as $\chi_j = \delta_j(x) = 2^{-j}(x \,\mathrm{AND}\, 2^j)$; thus
$$2^i\gamma_i(\chi_0, \ldots, \chi_i) = \gamma_i\bigl(2^i(x \,\mathrm{AND}\, 1),\ 2^{i-1}(x \,\mathrm{AND}\, 2),\ \ldots,\ 2(x \,\mathrm{AND}\, 2^{i-1}),\ x \,\mathrm{AND}\, 2^i\bigr),$$
and the conclusion follows.

It turns out that there is an easy way to construct a measure preserving or ergodic mapping out of an arbitrary compatible mapping:

Theorem 4.4. [4] Let $\Delta$ be the difference operator, i.e., $\Delta g(x) = g(x+1) - g(x)$ by definition. Let, further, $p$ be a prime, let $c$ be coprime with $p$, $\gcd(c, p) = 1$, and let $g\colon \mathbb{Z}_p \to \mathbb{Z}_p$ be a compatible mapping. Then the mapping $z \mapsto c + z + p\,\Delta g(z)$ ($z \in \mathbb{Z}_p$) is ergodic, and the mapping $z \mapsto d + cz + p\,g(z)$ preserves measure for arbitrary $d$. Moreover, if $p = 2$, then the converse also holds: each compatible and ergodic (respectively, each compatible and measure preserving) mapping $z \mapsto f(z)$ ($z \in \mathbb{Z}_2$) can be represented as $f(x) = 1 + x + 2\Delta g(x)$ (respectively, as $f(x) = d + x + 2g(x)$) for suitable $d \in \mathbb{Z}_2$ and compatible $g\colon \mathbb{Z}_2 \to \mathbb{Z}_2$.

Note.
The case $p = 2$ is the only case where the converse of the first assertion of Theorem 4.4 holds.

Example 4.8. Theorem 4.4 immediately implies Theorem 2 of [20]: for any composition $f$ of primitive functions, the mapping $x \mapsto x + 2f(x) \pmod{2^n}$ is invertible (just note that a composition of primitive functions is compatible; see [20] for the definition of primitive functions).

Theorem 4.4 could be an important tool in the design of pseudorandom generators, since it provides high flexibility during design. In fact, one may use a nearly arbitrary composition of arithmetic and bitwise logical operators to produce a strictly uniformly distributed sequence: both for $g(x) = x \,\mathrm{XOR}\, (2x + 1)$ and for
$$g(x) = 1 + \frac{2x \,\mathrm{AND}\, x^2 + x^3 \,\mathrm{OR}\, x^4}{3} + 4\left(\frac{(5 + 6x^5)^{x^6 \,\mathrm{XOR}\, x^7}}{7 + 8x^8}\right)^{9 + 10x^9}$$
(note that both these functions $g$ are compatible!) the sequence $\{x_i\}$ defined by the recurrence relation
$$x_{i+1} = \bigl(1 + x_i + 2(g(x_i + 1) - g(x_i))\bigr) \bmod 2^n$$
is strictly uniformly distributed in $\mathbb{Z}/2^n\mathbb{Z}$, for all $n = 1, 2, 3, \ldots$. Actually, a designer could vary the function $g$ in a very wide scope without worsening prescribed values of some important statistical characteristics of the output sequence. As a matter of fact, in choosing proper arithmetic and bitwise logical operators the designer is restricted only by the desired performance, since any compatible ergodic mapping could be produced this way.

4.3. Boolean representation. In case $p = 2$ the two preceding subsections give two (equivalent) complete descriptions of the class of all compatible ergodic mappings, namely, Theorem 4.1 and Theorem 4.4. They enable one to express any compatible and transitive modulo $2^n$ state transition function either as a polynomial of a special kind over the field $\mathbb{Q}$ of rational numbers, or as a special composition of arithmetic and bitwise logical operations.
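The second of these two representations, the Theorem 4.4 construction $1 + x + 2\Delta g(x)$ with the recurrence stated above, in code. This is an added example, not the paper's: `g_xor` is the paper's $x \,\mathrm{XOR}\, (2x+1)$, while `g_mixed` (an arbitrary compatible composition of $+$, $\cdot$, AND, OR, XOR with constructed constants) and `g_shift` (a right shift, which is not compatible) are constructed here to show that the guarantee depends on compatibility and on nothing else.

```python
# Added example (not the paper's code): the Theorem 4.4 construction for p = 2.
# Any compatible g (a composition of +, *, AND, OR, XOR and left shifts) gives
# the ergodic map 1 + x + 2*Delta g(x) and the measure-preserving map
# d + c*x + 2*g(x), c odd; both are checked by brute force modulo 2^n.

def delta(g):
    """The difference operator: (Delta g)(x) = g(x + 1) - g(x)."""
    return lambda x: g(x + 1) - g(x)

def ergodic_from(g, c=1):
    """Theorem 4.4, p = 2: z -> c + z + 2*(Delta g)(z) with c odd is ergodic."""
    assert c % 2 == 1
    dg = delta(g)
    return lambda z: c + z + 2 * dg(z)

def measure_preserving_from(g, d=0, c=1):
    """Theorem 4.4, p = 2: z -> d + c*z + 2*g(z) with c odd preserves measure."""
    assert c % 2 == 1
    return lambda z: d + c * z + 2 * g(z)

def is_permutation(f, m):
    return len({f(z) % m for z in range(m)}) == m

def is_single_cycle(f, m):
    """Transitive modulo m: starting from 0, the orbit first returns to 0
    after exactly m steps, i.e. after visiting every residue once."""
    z = 0
    for steps in range(1, m + 1):
        z = f(z) % m
        if z == 0:
            return steps == m
    return False

def generate(f, seed, n, count):
    """The first `count` states of the generator x_{i+1} = f(x_i) mod 2^n."""
    out, x = [], seed % (1 << n)
    for _ in range(count):
        x = f(x) % (1 << n)
        out.append(x)
    return out

# The paper's first sample g: XOR, + and a left shift (2x).  Compatible.
def g_xor(x):
    return x ^ (2 * x + 1)

# A constructed g from +, *, AND, OR, XOR only (0x5A5A is an arbitrary
# constant): still compatible, so Theorem 4.4 applies without further checks.
def g_mixed(x):
    return ((x * x + 3) ^ (x & 0x5A5A)) | (7 * x)

# A right shift is NOT compatible (bit i of x >> 1 is bit i+1 of x), so the
# theorem is silent; in fact 1 + z + 2*Delta g splits into two cycles modulo 4.
def g_shift(x):
    return x >> 1

if __name__ == "__main__":
    print(generate(ergodic_from(g_xor), 0, 4, 16))      # a permutation of 0..15
    print(is_single_cycle(ergodic_from(g_shift), 4))    # False
```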
Both these representations are suitable for programming, since they involve only standard machine instructions. However, we need one more representation, in a Boolean form (see Proposition 3.1). Although this representation is not very convenient for programming, it outlines some new methods for the construction of ergodic transformations, see Proposition 4.10 below. Also, this representation could be of use while proving the ergodicity of some simple mappings, see e.g. Example 4.9 below.

The following theorem is just a restatement of a known (at least 30 years old) result from the theory of Boolean functions, the so-called bijectivity/transitivity criterion for triangle Boolean mappings. However, the latter is mathematical folklore, and thus it is somewhat difficult to attribute it, yet a reader can find a proof in, e.g., [1, Lemma 4.8].

Theorem 4.5. A mapping $T\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is compatible and measure preserving if and only if for each $i = 0, 1, \ldots$ the algebraic normal form, ANF, of the Boolean function $\tau_i^T = \delta_i(T)$ in the Boolean variables $\chi_0, \ldots, \chi_i$ can be represented as
$$\tau_i^T(\chi_0, \ldots, \chi_i) = \chi_i + \varphi_i^T(\chi_0, \ldots, \chi_{i-1}),$$
where $\varphi_i^T$ is an ANF of a Boolean function in the Boolean variables $\chi_0, \ldots, \chi_{i-1}$. The mapping $T$ is compatible and ergodic if and only if, in addition to the already stated conditions, the following conditions hold: $\varphi_0^T = 1$, and each Boolean function $\varphi_i^T$ ($i > 0$) is of odd weight.

Note. Recall that the algebraic normal form (ANF for short) of the Boolean function $\psi(\chi_0, \ldots, \chi_j)$ is the representation of this function via $\oplus$ (addition modulo 2, that is, logical 'exclusive or') and $\odot$ (multiplication modulo 2, that is, logical 'and', or conjunction). In other words, the ANF of the Boolean function $\psi$ is its representation in the form
$$\psi(\chi_0, \ldots, \chi_j) = \beta \oplus \beta_0 \odot \chi_0 \oplus \beta_1 \odot \chi_1 \oplus \ldots \oplus \beta_{0,1} \odot \chi_0 \odot \chi_1 \oplus \ldots,$$
where $\beta, \beta_0, \ldots \in \{0, 1\}$. The ANF is sometimes called a Boolean polynomial. In the sequel, in an ANF we write $+$ instead of $\oplus$ and $\cdot$ instead of $\odot$ when this does not lead to misunderstanding. Recall that the weight of the Boolean function $\psi$ in $(j+1)$ variables is the number of $(j+1)$-bit words that satisfy $\psi$; that is, the weight of a Boolean function is the cardinality of the truth set of the Boolean function. Note that the weight of the Boolean function $\varphi(\chi_0, \ldots, \chi_{i-1})$ in the Boolean variables $\chi_0, \ldots, \chi_{i-1}$ is odd if and only if the degree $\deg\varphi$ of the Boolean function $\varphi$ is exactly $i$, that is, if and only if the ANF of $\varphi$ contains the monomial $\chi_0 \cdots \chi_{i-1}$.

Example 4.9. With the use of Theorem 4.5 it is possible to give a short proof of the main result of [20], namely, of Theorem 3 there: The mapping $f(x) = x + (x^2 \,\mathrm{OR}\, C)$ over $n$-bit words is invertible if and only if the least significant bit of $C$ is 1. For $n \ge 3$ it is a permutation with a single cycle if and only if both the least significant bit and the third least significant bit of $C$ are 1.

Proof of Theorem 3 of [20]. Recall that for $x \in \mathbb{Z}_2$ and $i = 0, 1, 2, \ldots$ we denote $\chi_i = \delta_i(x) \in \{0, 1\}$; also we denote $c_i = \delta_i(C)$. We will calculate the ANF of the Boolean function $\delta_i(x + (x^2 \,\mathrm{OR}\, C))$ in the variables $\chi_0, \chi_1, \ldots$. We start with the following easy claims:

• $\delta_0(x^2) = \chi_0$, $\delta_1(x^2) = 0$, $\delta_2(x^2) = \chi_0\chi_1 + \chi_1$,
• $\delta_n(x^2) = \chi_{n-1}\chi_0 + \psi_n(\chi_0, \ldots, \chi_{n-2})$ for all $n \ge 3$, where $\psi_n$ is a Boolean function in the $n-1$ Boolean variables $\chi_0, \ldots, \chi_{n-2}$.

The first of these claims could be easily verified by direct calculations.
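Those direct calculations, and the criterion of Theorem 4.5 itself, can be carried out mechanically. The following Python is an added example (not part of the paper or its proof): it computes the ANF of each output bit $\delta_i(T)$ by a Möbius transform of its truth table, reads off the conditions of Theorem 4.5 (so it decides bijectivity and transitivity modulo $2^n$ without enumerating orbits), and applies this to $x^2$ and to $f(x) = x + (x^2 \,\mathrm{OR}\, C)$, comparing the verdict with a brute-force orbit count and with the statement of Theorem 3 of [20].

```python
# Added example (not from the paper): Theorem 4.5 applied mechanically.
# For T on n-bit words, the output bit delta_i(T) is a Boolean function of the
# input bits chi_0..chi_{n-1}; its ANF comes from the truth table by a Moebius
# transform, and the conditions of the theorem (chi_i appears alone, phi_0 = 1,
# each phi_i contains the monomial chi_0...chi_{i-1}) are then read off.

def anf(truth):
    """Moebius transform over GF(2).  truth[x] is the value at the input word x
    whose bit j is chi_j; returns the set of monomials with coefficient 1,
    each encoded as the bit mask of the variables it contains."""
    coeffs = list(truth)
    nvars = len(coeffs).bit_length() - 1
    for j in range(nvars):
        for mask in range(len(coeffs)):
            if mask & (1 << j):
                coeffs[mask] ^= coeffs[mask ^ (1 << j)]
    return {mask for mask, c in enumerate(coeffs) if c}

def output_bit_anf(T, i, n):
    """ANF of delta_i(T(x)) in chi_0..chi_{n-1}, x running over n-bit words."""
    return anf([(T(x) >> i) & 1 for x in range(1 << n)])

def theorem_4_5(T, n):
    """(measure preserving, ergodic) for T as a map on n-bit words, i.e.
    (bijective, transitive) modulo 2^n, decided from the ANFs alone."""
    ergodic = True
    for i in range(n):
        monomials = output_bit_anf(T, i, n)
        if any(m >> (i + 1) for m in monomials):            # depends on chi_j, j > i: not compatible
            return False, False
        if (1 << i) not in monomials or any(                 # tau_i is not chi_i + phi_i(chi_0..chi_{i-1})
                m & (1 << i) and m != (1 << i) for m in monomials):
            return False, False
        phi = monomials - {1 << i}
        # i = 0: phi_0 = 1 means the constant monomial (mask 0) is present;
        # i > 0: odd weight <=> the monomial chi_0 ... chi_{i-1} (mask 2^i - 1) is present
        ergodic = ergodic and ((1 << i) - 1) in phi
    return True, ergodic

def brute_force(T, n):
    """(bijective, single cycle) modulo 2^n by direct enumeration, for comparison."""
    m = 1 << n
    image = [T(x) % m for x in range(m)]
    if len(set(image)) != m:
        return False, False
    x, steps = 0, 0
    while True:
        x, steps = image[x], steps + 1
        if x == 0:
            return True, steps == m

def square_or_add(C):
    """The map of Theorem 3 of [20]: x -> x + (x^2 OR C)."""
    return lambda x: x + ((x * x) | C)

def square_bit_anfs(n=6):
    """The first claim of the proof: delta_0(x^2) = chi_0, delta_1(x^2) = 0,
    delta_2(x^2) = chi_0 chi_1 + chi_1, i.e. monomial masks {1}, {}, {3, 2}."""
    return tuple(output_bit_anf(lambda x: x * x, i, n) for i in range(3))

def theorem_3_of_20(C, n):
    """The statement being proved: invertible iff bit 0 of C is 1; for n >= 3
    a single cycle iff bits 0 and 2 of C are both 1."""
    return C & 1 == 1, n >= 3 and C & 5 == 5

if __name__ == "__main__":
    print(square_bit_anfs())                          # ({1}, set(), {2, 3})
    for C in (1, 3, 5, 7):
        print(C, theorem_4_5(square_or_add(C), 8), brute_force(square_or_add(C), 8))
```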
To prove the second one, represent $x = \bar x_{n-1} + 2^{n-1}s_{n-1}$ for $\bar x_{n-1} = x \bmod 2^{n-1}$ and calculate
$$x^2 = (\bar x_{n-1} + 2^{n-1}s_{n-1})^2 = \bar x_{n-1}^2 + 2^n s_{n-1}\bar x_{n-1} + 2^{2n-2}s_{n-1}^2 \equiv \bar x_{n-1}^2 + 2^n\chi_{n-1}\chi_0 \pmod{2^{n+1}}$$
for $n \ge 3$, and note that $\bar x_{n-1}^2$ depends only on $\chi_0, \ldots, \chi_{n-2}$. This gives

(i) $\delta_0(x^2 \,\mathrm{OR}\, C) = \chi_0 + c_0 + \chi_0 c_0$,
(ii) $\delta_1(x^2 \,\mathrm{OR}\, C) = c_1$,
(iii) $\delta_2(x^2 \,\mathrm{OR}\, C) = \chi_0\chi_1 + \chi_1 + c_2 + c_2\chi_1 + c_2\chi_0\chi_1$,
(iv) $\delta_n(x^2 \,\mathrm{OR}\, C) = \chi_{n-1}\chi_0 + \psi_n + c_n + c_n\chi_{n-1}\chi_0 + c_n\psi_n$ for $n \ge 3$.

From here it follows that if $n \ge 3$, then $\delta_n(x^2 \,\mathrm{OR}\, C) = \lambda_n(\chi_0, \ldots, \chi_{n-1})$, and $\deg\lambda_n \le n-1$, since $\psi_n$ depends only on $\chi_0, \ldots, \chi_{n-2}$.

Now we successively calculate $\gamma_n = \delta_n(x + (x^2 \,\mathrm{OR}\, C))$ for $n = 0, 1, 2, \ldots$. We have $\delta_0(x + (x^2 \,\mathrm{OR}\, C)) = c_0 + \chi_0 c_0$, so necessarily $c_0 = 1$, since otherwise $f$ is not bijective modulo 2. Proceeding further with $c_0 = 1$ we obtain $\delta_1(x + (x^2 \,\mathrm{OR}\, C)) = c_1 + \chi_0 + \chi_1$, since $\chi_1$ is a carry. Then
$$\delta_2(x + (x^2 \,\mathrm{OR}\, C)) = (c_1\chi_0 + c_1\chi_1 + \chi_0\chi_1) + (\chi_0\chi_1 + \chi_1 + c_2 + c_2\chi_1 + c_2\chi_0\chi_1) + \chi_2 = c_1\chi_0 + c_1\chi_1 + \chi_1 + c_2 + c_2\chi_1 + c_2\chi_0\chi_1 + \chi_2,$$
here $c_1\chi_0 + c_1\chi_1 + \chi_0\chi_1$ is a carry. From here, in view of Theorem 4.5, we immediately deduce that $c_2 = 1$, since otherwise $f$ is not transitive modulo 8. Now for $n \ge 3$ one has $\gamma_n = \alpha_n + \lambda_n + \chi_n$, where $\alpha_n$ is a carry, and $\alpha_{n+1} = \alpha_n\lambda_n + \alpha_n\chi_n + \lambda_n\chi_n$. But if $c_2 = 1$ then $\deg\alpha_3 = \deg(\mu\nu + \chi_2\mu + \chi_2\nu) = 3$, where $\mu = c_1\chi_0 + c_1\chi_1 + \chi_0\chi_1$, $\nu = (\chi_0\chi_1 + \chi_1 + c_2 + c_2\chi_1 + c_2\chi_0\chi_1) = 0$. This implies inductively, in view of (iv) above, that $\deg\alpha_{n+1} = n+1$ and that $\gamma_{n+1} = \chi_{n+1} + \xi_{n+1}(\chi_0, \ldots, \chi_n)$, $\deg\xi_{n+1} = n+1$. So the conditions of Theorem 4.5 are satisfied, thus finishing the proof of Theorem 3 of [20].

There are some other applications of Theorem 4.5.

Proposition 4.10.
Let $F\colon \mathbb{Z}_2^{n+1} \to \mathbb{Z}_2$ be a compatible mapping such that for all $z_1, \ldots, z_n \in \mathbb{Z}_2$ the mapping $F(x, z_1, \ldots, z_n)\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is measure preserving. Then $F(f(x), 2g_1(x), \ldots, 2g_n(x))$ preserves measure for all compatible $g_1, \ldots, g_n\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ and all compatible and measure preserving $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$. Moreover, if $f$ is ergodic then $f(x + 4g(x))$, $f(x \,\mathrm{XOR}\, (4g(x)))$, $f(x) + 4g(x)$, and $f(x) \,\mathrm{XOR}\, (4g(x))$ are ergodic for any compatible $g\colon \mathbb{Z}_2 \to \mathbb{Z}_2$.

Proof. Since the function $F$ is compatible, $\delta_i(F(u_0, u_1, \ldots, u_n))$ does not depend on $\delta_j(u_k) = \chi_{k,j}$ for $j > i$ (see Proposition 3.1 and the note thereafter). Consider the ANF of the Boolean function $\delta_i(F(u_0, u_1, \ldots, u_n))$:
$$\delta_i(F(u_0, u_1, \ldots, u_n)) = \chi_{0,i}\,\Psi_i(u_0, u_1, \ldots, u_n) + \Phi_i(u_0, u_1, \ldots, u_n),$$
where the Boolean functions $\Psi_i(u_0, u_1, \ldots, u_n)$ and $\Phi_i(u_0, u_1, \ldots, u_n)$ do not depend on $\chi_{0,i}$; that is, they depend only on $\chi_{0,0}, \ldots, \chi_{0,i-1}, \chi_{1,0}, \ldots, \chi_{1,i}, \ldots, \chi_{n,0}, \ldots, \chi_{n,i}$. In view of Theorem 4.5, $\Psi_i = 1$, since $F(x, z_1, \ldots, z_n)$ preserves measure for all $z_1, \ldots, z_n \in \mathbb{Z}_2$. Moreover, then $\Phi_i(f(x), 2g_1(x), \ldots, 2g_n(x))$ does not depend on $\chi_i = \delta_i(x)$, since $\delta_j(2g_k(x))$ does not depend on $\chi_i$ whenever $j \le i$, for all $k = 1, 2, \ldots, n$. So in view of Theorem 4.5, $\delta_i(f(x)) = \chi_i + \xi_i(f(x))$, where $\xi_i(f(x))$ does not depend on $\chi_i$, since $f$ preserves measure. Finally,
$$\delta_i(F(f(x), 2g_1(x), \ldots, 2g_n(x))) = \delta_i(f(x)) + \Phi_i(f(x), 2g_1(x), \ldots, 2g_n(x)) = \chi_i + \xi_i(f(x)) + \Phi_i(f(x), 2g_1(x), \ldots, 2g_n(x)) = \chi_i + \Xi_i,$$
where the Boolean function $\Xi_i$ depends only on $\chi_0, \ldots, \chi_{i-1}$.
This proves the first assertion of Proposition 4.10 in view of Theorem 4.5.

We prove the second assertion along similar lines. For $z \in \mathbb{Z}_2$ and $i = 0, 1, 2, \ldots$ let $\zeta_i = \delta_i(z)$. Thus one can represent $\delta_i(z \,\mathrm{XOR}\, 4g(z))$ and $\delta_i(z + 4g(z))$ via ANFs in the Boolean variables $\zeta_0, \zeta_1, \ldots, \zeta_i$. Note that $\delta_i(z \,\mathrm{XOR}\, 4g(z)) = \zeta_i + \lambda_i(z)$, where $\lambda_i(z) = 0$ for $i = 0, 1$ and $\deg\lambda_i(z) \le i-1$ for $i > 1$, since for $i > 1$ the Boolean function $\lambda_i(z)$ depends only on $\zeta_0, \ldots, \zeta_{i-2}$. Further, we claim that $\delta_i(z + 4g(z)) = \delta_i(z) + \mu_i(z)$, where $\mu_i(z) = \mu_i^g(z)$ is 0 for $i = 0, 1$ and $\deg\mu_i(z) \le i-1$ for $i > 1$. Indeed, $\mu_i(z) = \lambda_i(z) + \alpha_i(z)$, where the Boolean function $\alpha_i(z)$ is a carry. Yet $\alpha_i(z) = 0$ for $i = 0, 1, 2$, and
$$\alpha_i(z) = \zeta_{i-1}\lambda_{i-1}(z) + \zeta_{i-1}\alpha_{i-1}(z) + \lambda_{i-1}(z)\alpha_{i-1}(z) \qquad \text{for } i \ge 3,$$
and $\alpha_i(z)$ depends only on $\zeta_0, \ldots, \zeta_{i-1}$ since $\alpha_i(z)$ is a carry. However, $\deg\alpha_3(z) = 2$, and if $\deg\alpha_{i-1}(z) \le i-2$ then $\deg\delta_{i-1}(z)\alpha_{i-1}(z) \le i-1$, $\deg\lambda_{i-1}(z)\alpha_{i-1}(z) \le i-1$, and $\deg\zeta_{i-1}\lambda_{i-1}(z) \le i-1$, since $\alpha_{i-1}(z)$ depends only on $\zeta_0, \ldots, \zeta_{i-2}$ and $\lambda_{i-1}(z)$ depends only on $\zeta_0, \ldots, \zeta_{i-3}$. Thus $\deg\alpha_i(z) \le i-1$ and hence $\deg\mu_i(z) \le i-1$.

Now, since $f(x)$ is ergodic, $\delta_i(f(x)) = \chi_i + \xi_i(x)$, where the Boolean function $\xi_i$ depends only on $\chi_0, \ldots, \chi_{i-1}$ and, additionally, $\xi_0 = 1$, and $\deg\xi_i = i$ for $i > 0$ (see Theorem 4.5); i.e. $\xi_i(x) = \chi_0\chi_1\cdots\chi_{i-1} + \vartheta_i(x)$, where $\deg\vartheta_i(x) \le i-1$ for $i > 0$.
Hence, for $* \in \{+, \mathrm{XOR}\}$ one has
$$\delta_i(f(x * 4g(x))) = \delta_i(x * 4g(x)) + \delta_0(x * 4g(x))\,\delta_1(x * 4g(x)) \cdots \delta_{i-1}(x * 4g(x)) + \vartheta_i(x * 4g(x));$$
thus $\delta_i(f(x * 4g(x))) = \chi_i + \chi_0\cdots\chi_{i-1} + \beta_i^*(x)$, where $\deg\beta_i^*(x) \le i-1$ for $i > 0$, and $\delta_0(f(x * 4g(x))) = \delta_0(x * 4g(x)) + 1 = \chi_0 + 1$. Finally, $f(x * 4g(x))$ for $* \in \{+, \mathrm{XOR}\}$ is ergodic in view of Theorem 4.5.

In a similar manner it could be demonstrated that $f(x) * 4g(x)$ is ergodic for $* \in \{+, \mathrm{XOR}\}$: $\delta_i(f(x) * 4g(x)) = \delta_i(f(x))$ for $i = 0, 1$, and these thus satisfy the conditions of Theorem 4.5. For $i > 1$ one has $\delta_i(f(x) \,\mathrm{XOR}\, 4g(x)) = \chi_i + \xi_i(x) + \delta_{i-2}(g(x))$; but $\delta_{i-2}(g(x))$ does not depend on $\chi_{i-1}, \chi_i$. Thus the Boolean function $\xi_i(x) + \delta_{i-2}(g(x))$ in the variables $\chi_0, \ldots, \chi_{i-1}$ is of odd weight, since $\xi_i(x)$ is of odd weight, thus proving that $f(x) \,\mathrm{XOR}\, 4g(x)$ is ergodic.

Now represent $g(x) = g(f^{-1}(f(x))) = h(f(x))$, where $f^{-1}$ is the inverse mapping of $f$. Clearly, $f^{-1}(x)$ is well defined since the mapping $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is bijective; moreover, $f^{-1}(x)$ is compatible and ergodic. Finally $\delta_i(f(x) + 4g(x)) = \delta_i(f(x)) + \mu_i'(f(x))$, where the ANF of the Boolean function $\mu_i'(x) = \mu_i^h(x)$ in the Boolean variables $\chi_0, \ldots, \chi_{i-1}$ does not contain the monomial $\chi_0\cdots\chi_{i-1}$ (see the claim above). This implies that the ANF of the Boolean function $\mu_i'(f(x))$ in the Boolean variables $\chi_0, \ldots, \chi_{i-1}$ does not contain the monomial $\chi_0\cdots\chi_{i-1}$ either, since $\delta_j(f(x)) = \chi_j + \xi_j(x)$ and $\xi_j(x)$ depends only on $\chi_0, \ldots, \chi_{j-1}$ for $j = 2, 3, \ldots$. Hence, $\delta_i(f(x) + 4g(x)) = \chi_i + \xi_i(x) + \mu_i'(f(x))$, and the Boolean function $\xi_i(x) + \mu_i'(f(x))$ in the Boolean variables $\chi_0, \ldots, \chi_{i-1}$ is of odd weight. This finishes the proof in view of Theorem 4.5.

Example 4.11. With the use of Proposition 4.10 it is possible to construct very fast generators $x_{i+1} = f(x_i) \bmod 2^n$ that are transitive modulo $2^n$. For instance, take
$$f(x) = (\ldots(((x + c_0) \,\mathrm{XOR}\, d_0) \cdots + c_m) \,\mathrm{XOR}\, d_m,$$
where $c_0 \equiv 1 \pmod 2$, and the rest of the $c_i, d_i$ are 0 modulo 4. In a general situation these functions $f$ (for arbitrary $c_i, d_i$) were studied in [23], where it was proved that $f$ is ergodic if and only if it is transitive modulo 4.

4.4. Uniform differentiability. In the previous subsections we considered some methods that could be used to verify whether a given transformation $f$ of the space $\mathbb{Z}_2$ is measure preserving or ergodic. One way is to represent $f$ by an interpolation series and apply Theorem 4.1; the second way is to represent $f$ in the special form described by Theorem 4.4; the third way is to use the Boolean representation and Theorem 4.5. These methods are universal, meaning they could be applied to any compatible function $f$. However, they work only in the univariate case.

In this subsection we present another method that works for multivariate functions also, but is not universal any more; the method could be applied only to uniformly differentiable mappings and some mappings that are close to these. The class of these mappings is rather wide, though.

Now we recall a generalized version of the main notion of Calculus, a derivative modulo $p^k$, which was originally introduced in [1, 2, 4]. By definition, for points $a = (a_1, \ldots, a_n)$ and $b = (b_1, \ldots, b_n)$ of $\mathbb{Z}_p^n$ the congruence $a \equiv b \pmod{p^s}$ means that $\|a_i - b_i\|_p \le p^{-s}$ (or, the same, that $a_i = b_i + c_i p^s$ for suitable $c_i \in \mathbb{Z}_p$, $i = 1, 2, \ldots, n$); that is, $\|a - b\|_p \le p^{-s}$.

Definition 4.12. A function $F = (f_1, \ldots, f_m)\colon \mathbb{Z}_p^n \to \mathbb{Z}_p^m$ is said to be differentiable modulo $p^k$ at the point $u = (u_1, \ldots, u_n) \in \mathbb{Z}_p^n$ if there exists a positive rational integer $N$ and an $n \times m$ matrix $F_k'(u)$ over $\mathbb{Q}_p$ (called the Jacobi matrix modulo $p^k$ of the function $F$ at the point $u$) such that for every positive rational integer $K \ge N$ and every $h = (h_1, \ldots, h_n) \in \mathbb{Z}_p^n$ the congruence
$$F(u + h) \equiv F(u) + h\,F_k'(u) \pmod{p^{k+K}} \qquad (4)$$
holds whenever $\|h\|_p \le p^{-K}$.

In case $m = 1$ the Jacobi matrix modulo $p^k$ is called a differential modulo $p^k$. In case $m = n$ the determinant of the Jacobi matrix modulo $p^k$ is called a Jacobian modulo $p^k$. Entries of the Jacobi matrix modulo $p^k$ are called partial derivatives modulo $p^k$ of the function $F$ at the point $u$. A partial derivative (respectively, a differential) modulo $p^k$ is sometimes denoted as $\dfrac{\partial_k f_i(u)}{\partial_k x_j}$ (respectively, as $d_k F(u) = \sum_{i=1}^n \dfrac{\partial_k F(u)}{\partial_k x_i}\, d_k x_i$).

Since the notion of a function that is differentiable modulo $p^k$ is of high importance for the theory that follows, we discuss this notion in detail. Compared to differentiability, differentiability modulo $p^k$ is a weaker restriction. Speaking loosely, in the univariate case ($m = n = 1$), Definition 4.12 just yields that
$$\frac{F(u+h) - F(u)}{h} \approx F_k'(u).$$
Note that whenever $\approx$ ('approximately') stands for 'arbitrarily high precision' one obtains the common definition of differentiability; however, if $\approx$ stands for 'precision that is not worse than $p^{-k}$', one obtains differentiability modulo $p^k$.

We note that the notion of a derivative modulo $p^k$ has no direct analog in classical Calculus: a derivative with a precision up to the $k$-th digit after the point, although often used in common speech, is meaningless from the rigorous point of view, since there is no distinguished base in real analysis.
How ever, this no tio n is mea ningful in p -a dic ana lysis since there is a distinguished base; na mely , base- p . In p -a dic analysis, it is obvious that whenever a function is differentiable (and its deriv ative is a p -a dic in teger), it is differentiable mo dulo p k for all k = 1 , 2 , . . . , and in this c a se the deriv ative mo dulo p k is just a reduction of a deriv ative mo dulo p k (note that according to definition 4 .12 par tia l deriv atives mo dulo p k are determined up to a summand that is 0 mo dulo p k ). In cases when all partial deriv atives mo dulo p k at a ll points of Z n p are p - adic int egers, we say that the function F ha s int e ger value d derivative mo dulo p k ; in these c a ses we can asso cia te to each partial deriv ative mo dulo p k a unique ele men t of the r ing Z /p k Z ; a Ja cobi matrix mo dulo p k at each p oint u ∈ Z n p th us can b e considered as a matrix ov er a ring Z /p k Z . It turns out that this is exactly the ca se for a compatible function F . Namely , the fo llowing prop ositio n holds. Prop ositio n 4. 13. [ 1 , 2 ] L et a c omp atible fu n ction F = ( f 1 , . . . , f m ) : Z n p → Z m p b e uniformly differ entiable mo dulo p k at the p oint u ∈ Z n p . Then ∂ k f i ( u ) ∂ k x j p ≤ 1 , i.e., F has int e ger value d derivatives mo dulo p k . F or functions with int eger v a lued deriv atives mo dulo p k the ‘rules of differenti- ation mo dulo p k ’ have the sa me (up to congruence mo dulo p k instead of equality) form a s for usual differentiation. F or instance, if b oth functions G : Z s p → Z n p and F : Z n p → Z m p are differentiable mo dulo p k at the po int s, r esp ectively , v = ( v 1 , . . . 
, v s ) and u = G ( v ), and their partial deriv atives mo dulo p k at these p oints are p -adic integers, then a comp ositio n F ◦ G : Z s p → Z m p of these functions is uni- formly differentiable mo dulo p k at the p oint v , all its partial deriv a tives mo dulo p k at this p oint a re p -adic integers, a nd ( F ◦ G ) ′ k ( v ) ≡ G ′ k ( v ) F ′ k ( u ) (mo d p k ). Definition 4 .14. A function F : Z n p → Z m p is said to be uniformly differ ent iable mo dulo p k on Z n p if and o nly if there exists K ∈ N such that cong ruence ( 4 ) holds simult aneously for all u ∈ Z n p as so o n as k h i k p ≤ p − K , ( i = 1 , 2 , . . . , n ). The le ast of these K is denoted N k ( F ). Recall that al l p artial derivatives mo dulo p k of a u niformly differ ent iable mo dulo p k function F ar e p erio dic funct ions with p erio d p N k ( F ) , see [ 1 , Prop os ition 2.12]. Thu s, e ach p artial derivative mo dulo p k c ould b e c onsider e d as a function define d on (and valuate d in) the r esidue ring Z /p N k ( F ) Z . Moreover, if a contin uatio n ˜ F of the function F = ( f 1 , . . . , f m ) : N n 0 → N m 0 to the space Z n p is a unifor mly differentiable mo dulo p k function on Z n p , then one can simultaneously contin ue the function F together with all its (partial) deriv atives mo dulo p k to the whole spa ce Z n p . Conse- quently , we may study if neces sary (partial) deriv atives mo dulo p k of the function ˜ F instead of those of F a nd vise versa. F or ex ample, a partial der iv ative ∂ k f i ( u ) ∂ k x j mo dulo p k v anishes mo dulo p k at no p oint of Z n p (that is, ∂ k f i ( u ) ∂ k x j 6≡ 0 (mo d p k ) for all u ∈ Z ( n ) p , o r, the sa me ∂ k f i ( u ) ∂ k x j p > p − k everywhere on Z n p ) if and o nly if ∂ k f i ( u ) ∂ k x j 6≡ 0 (mo d p k ) for all u ∈ { 0 , 1 , . . . , p N k ( F ) − 1 } . 
In case $p=2$, differentiation modulo $p^k$ can naturally be implemented as a computer program, since this differentiation just requires (for a univariate $F$) evaluation of the fraction $\frac{F(u+h)-F(u)}{h}$ with $k$-bit precision, i.e., evaluation of the first $k$ low-order bits of the base-2 expansion of the corresponding number. To calculate a derivative of, for instance, a state transition function, which is a composition of basic CPU instructions (that is, of 'elementary' functions, see Proposition 4.7), one needs to know the derivatives of these 'elementary' functions, such as arithmetic and bitwise logical operations. Here we briefly introduce a $p$-adic analog of the 'table of derivatives' of classical Calculus.

Example 4.15 (derivatives of bitwise logical operations).

(i) The function $f(x)=x \mathbin{\mathrm{AND}} c$ is uniformly differentiable on $\mathbb Z_2$ for any $c\in\mathbb Z$; $f'(x)=0$ for $c\ge 0$ and $f'(x)=1$ for $c<0$, since $f(x+2^ns)=f(x)$ for $c\ge 0$ and $f(x+2^ns)=f(x)+2^ns$ for $c<0$, whenever $n\ge l(|c|)$, where $l(|c|)$ is the bit length of the absolute value of $c$ (mind that for $c\ge 0$ the 2-adic representation of $-c$ starts with $2^{l(c)}-c$ in the less significant bits, followed by $\dots 11$: $-1=\dots 111$, $-3=\dots 11101$, etc.).

(ii) The function $f(x)=x \mathbin{\mathrm{XOR}} c$ is uniformly differentiable on $\mathbb Z_2$ for any $c\in\mathbb Z$; $f'(x)=1$ for $c\ge 0$ and $f'(x)=-1$ for $c<0$. This immediately follows from (i), since $u \mathbin{\mathrm{XOR}} v=u+v-2(u \mathbin{\mathrm{AND}} v)$ (see (1) in Section 3); thus $(x \mathbin{\mathrm{XOR}} c)'=x'+c'-2(x \mathbin{\mathrm{AND}} c)'=1-2\cdot(x \mathbin{\mathrm{AND}} c)'$, which is $1$ for $c\ge 0$ and $-1$ for $c<0$.

(iii) In the same manner it can be shown that the functions $x \bmod 2^n$, $\mathrm{NOT}(x)$ and $x \mathbin{\mathrm{OR}} c$ for $c\in\mathbb Z$ are uniformly differentiable on $\mathbb Z_2$, and $(x \bmod 2^n)'=0$, $(\mathrm{NOT}\,x)'=-1$, $(x \mathbin{\mathrm{OR}} c)'=1$ for $c\ge 0$, $(x \mathbin{\mathrm{OR}} c)'=0$ for $c<0$.

(iv) The function $f(x,y)=x \mathbin{\mathrm{XOR}} y$ is not uniformly differentiable on $\mathbb Z_2^2$ (as a bivariate function), yet it is uniformly differentiable modulo 2 on $\mathbb Z_2^2$; from (ii) it follows that its partial derivatives modulo 2 are $1$ everywhere on $\mathbb Z_2^2$.

Here is how it works altogether.

Examples. The function $f(x)=x+(x^2 \mathbin{\mathrm{OR}} 5)$ is uniformly differentiable on $\mathbb Z_2$, and
\[
f'(x)=1+2x\cdot(u \mathbin{\mathrm{OR}} 5)'\big|_{u=x^2}=1+2x.
\]
The function $F(x,y)=(f(x,y),g(x,y))=(x \mathbin{\mathrm{XOR}} 2(x \mathbin{\mathrm{AND}} y),\ (y+3x^3) \mathbin{\mathrm{XOR}} x)$ is uniformly differentiable modulo 2 as a bivariate function, and $N_1(F)=1$; namely,
\[
F(x+2^nt,\ y+2^ms)\equiv F(x,y)+(2^nt,\,2^ms)\cdot
\begin{pmatrix}1 & x+1\\ 0 & 1\end{pmatrix}\pmod{2^{k+1}}
\]
for all $m,n\ge 1$ (here $k=\min\{m,n\}$). The matrix $\begin{pmatrix}1 & x+1\\ 0 & 1\end{pmatrix}=F'_1(x,y)$ is a Jacobi matrix modulo 2 of $F$. Here is how we calculate partial derivatives modulo 2; for instance,
\[
\frac{\partial_1 g(x,y)}{\partial_1 x}
=\frac{\partial_1 (y+3x^3)}{\partial_1 x}\cdot\frac{\partial_1(u \mathbin{\mathrm{XOR}} x)}{\partial_1 u}\Big|_{u=y+3x^3}
+\frac{\partial_1 x}{\partial_1 x}\cdot\frac{\partial_1(u \mathbin{\mathrm{XOR}} x)}{\partial_1 x}\Big|_{u=y+3x^3}
=9x^2\cdot 1+1\cdot 1\equiv x+1\pmod 2.
\]
Note that a partial derivative modulo 2 of the function $2(x \mathbin{\mathrm{AND}} y)$ is always $0$ modulo 2 because of the multiplier 2: the function $x \mathbin{\mathrm{AND}} y$ is not differentiable modulo 2 as a bivariate function, yet $2(x \mathbin{\mathrm{AND}} y)$ is. So the Jacobian of the function $F$ is $\det F'_1\equiv 1\pmod 2$.

Now let $F=(f_1,\dots,f_m)\colon\mathbb Z_p^n\to\mathbb Z_p^m$ and $f\colon\mathbb Z_p^n\to\mathbb Z_p$ be compatible functions that are uniformly differentiable on $\mathbb Z_p^n$ modulo $p$. This is a relatively weak restriction, since all functions that are uniformly differentiable on $\mathbb Z_p^n$, as well as functions that are uniformly differentiable on $\mathbb Z_p^n$ modulo $p^k$ for some $k\ge 1$, are uniformly differentiable on $\mathbb Z_p^n$ modulo $p$; note that
\[
\frac{\partial F}{\partial x_i}\equiv\frac{\partial_k F}{\partial_k x_i}\equiv\frac{\partial_{k-1} F}{\partial_{k-1} x_i}\pmod{p^{k-1}}.
\]
Moreover, all values of all partial derivatives modulo $p^k$ (and thus modulo $p$) of $F$ and $f$ are $p$-adic integers everywhere on $\mathbb Z_p^n$ (see Proposition 4.13), so to calculate these values one can use the techniques considered above.

Theorem 4.6 ([1, 2, 4]). A function $F\colon\mathbb Z_p^n\to\mathbb Z_p^m$ is measure preserving whenever it is balanced modulo $p^k$ for some $k\ge N_1(F)$ and the rank of its Jacobi matrix $F'_1(u)$ modulo $p$ is exactly $m$ at all points $u=(u_1,\dots,u_n)\in(\mathbb Z/p^k\mathbb Z)^n$. In case $m=n$ these conditions are also necessary, i.e., the function $F$ preserves measure if and only if it is bijective modulo $p^k$ for some $k\ge N_1(F)$ and $\det(F'_1(u))\not\equiv 0\pmod p$ for all $u=(u_1,\dots,u_n)\in(\mathbb Z/p^k\mathbb Z)^n$. Moreover, in the considered case these conditions imply that $F$ preserves measure if and only if it is bijective modulo $p^{N_1(F)+1}$.

That is, if the mapping $u\mapsto F(u)\bmod p^{N_1(F)}$ is balanced, and if the rank of the Jacobi matrix $F'_1(u)$ modulo $p$ is exactly $m$ at all points $u\in(\mathbb Z/p^{N_1(F)}\mathbb Z)^n$, then each mapping $u\mapsto F(u)\bmod p^r$ of $(\mathbb Z/p^r\mathbb Z)^n$ onto $(\mathbb Z/p^r\mathbb Z)^m$ ($r=1,2,3,\dots$) is balanced (i.e., each point of $(\mathbb Z/p^r\mathbb Z)^m$ has the same number of preimages in $(\mathbb Z/p^r\mathbb Z)^n$, see Definition 3.2).

Example 4.16. We consider as examples some mappings that were studied in [20], to demonstrate how the techniques presented above work.

(1) The mapping $(x,y)\mapsto F(x,y)=(x \mathbin{\mathrm{XOR}} 2(x \mathbin{\mathrm{AND}} y),\ (y+3x^3) \mathbin{\mathrm{XOR}} x)\bmod 2^r$ of $(\mathbb Z/2^r\mathbb Z)^2$ onto $(\mathbb Z/2^r\mathbb Z)^2$ is bijective for all $r=1,2,\dots$. Indeed, the function $F$ is bijective modulo $2^{N_1(F)}=2$ (direct verification), and $\det(F'_1(u))\equiv 1\pmod 2$ for all $u\in(\mathbb Z/2\mathbb Z)^2$ (see the table of derivatives in Example 4.15 and the examples thereafter).

(2) The following mappings of $\mathbb Z/2^r\mathbb Z$ onto $\mathbb Z/2^r\mathbb Z$ are bijective for all $r=1,2,\dots$:
\[
x\mapsto (x+2x^2)\bmod 2^r,\qquad
x\mapsto (x+(x^2 \mathbin{\mathrm{OR}} 1))\bmod 2^r,\qquad
x\mapsto (x \mathbin{\mathrm{XOR}} (x^2 \mathbin{\mathrm{OR}} 1))\bmod 2^r.
\]
Indeed, all three mappings are uniformly differentiable modulo 2, and $N_1=1$ for all of them. So it suffices to prove that all three mappings are bijective modulo 2, i.e., as mappings of the residue ring $\mathbb Z/2\mathbb Z$ onto itself (this can be checked by direct calculation), and that their derivatives modulo 2 vanish at no point of $\mathbb Z/2\mathbb Z$. The latter also holds, since the derivatives are, respectively,
\[
1+4x\equiv 1,\qquad 1+2x\cdot 1\equiv 1,\qquad 1+2x\cdot 1\equiv 1\pmod 2,
\]
because $(x^2 \mathbin{\mathrm{OR}} 1)'=2x\cdot 1\equiv 0\pmod 2$ and $(x \mathbin{\mathrm{XOR}} C)'_1\equiv 1\pmod 2$, see Example 4.15.

(3) The following closely related variants of the previous mappings of $\mathbb Z/2^r\mathbb Z$ onto $\mathbb Z/2^r\mathbb Z$ are not bijective for all $r=1,2,\dots$:
\[
x\mapsto (x+x^2)\bmod 2^r,\qquad
x\mapsto (x+(x^2 \mathbin{\mathrm{AND}} 1))\bmod 2^r,\qquad
x\mapsto (x+(x^3 \mathbin{\mathrm{OR}} 1))\bmod 2^r,
\]
since they are compatible but not bijective modulo 2.

(4) (See [29], also [20, Theorem 1].) Let $P(x)=a_0+a_1x+\dots+a_dx^d$ be a polynomial with integral coefficients. Then $P(x)$ is a permutation polynomial (i.e., is bijective) modulo $2^n$, $n>1$, if and only if $a_1$ is odd, $a_2+a_4+\dots$ is even, and $a_3+a_5+\dots$ is even. In view of Theorem 4.6 we need to verify whether two conditions hold: first, whether $P$ is bijective modulo 2, and second, whether $P'(z)\equiv 1\pmod 2$ for $z\in\{0,1\}$. The first condition gives that $P(0)=a_0$ and $P(1)=a_0+a_1+a_2+\dots+a_d$ must be distinct modulo 2; hence $a_1+a_2+\dots+a_d\equiv 1\pmod 2$. The second condition implies that $P'(0)=a_1\equiv 1\pmod 2$ and $P'(1)\equiv a_1+a_3+a_5+\dots\equiv 1\pmod 2$. Combining all this together we get $a_2+a_3+\dots+a_d\equiv 0\pmod 2$ and $a_3+a_5+\dots\equiv 0\pmod 2$, hence $a_2+a_4+\dots\equiv 0\pmod 2$.
(5) As a bonus, we can use exactly the same proof to get exactly the same characterization of bijective modulo $2^r$ ($r=1,2,\dots$) mappings of the form
\[
x\mapsto P(x)=a_0 \mathbin{\mathrm{XOR}} a_1x \mathbin{\mathrm{XOR}}\dots \mathbin{\mathrm{XOR}} a_dx^d \bmod 2^r,
\]
since $u \mathbin{\mathrm{XOR}} v$ is uniformly differentiable modulo 2 as a bivariate function, its derivative modulo 2 is exactly the same as the derivative of $u+v$, and, besides, $u \mathbin{\mathrm{XOR}} v\equiv u+v\pmod 2$.

Note that in general Theorem 4.6 applies to a class of functions that is narrower than the class of all compatible functions. However, it turns out that for $p=2$ this is not the case. Namely, the following proposition holds, which in fact is just a restatement of the corresponding assertion of Theorem 4.5.

Proposition 4.17 ([1, 2]). If a compatible function $g\colon\mathbb Z_2\to\mathbb Z_2$ preserves measure, then it is uniformly differentiable modulo 2 and has an integer derivative modulo 2, which is always $1$ modulo 2.

The techniques introduced above can also be applied to characterize ergodic functions.

Theorem 4.7 ([1, 2, 4]). Let a compatible function $f\colon\mathbb Z_p\to\mathbb Z_p$ be uniformly differentiable modulo $p^2$. Then $f$ is ergodic if and only if it is transitive modulo $p^{N_2(f)+1}$ when $p$ is an odd prime, or modulo $2^{N_2(f)+2}$ when $p=2$.

Example 4.18. In [20] it is stated that "...neither the invertibility nor the cycle structure of $x+(x^2 \mathbin{\mathrm{OR}} 5)$ could be determined by his (i.e., mine — V.A.) techniques." See, however, how it can be done immediately with the use of Theorem 4.7: the function $f(x)=x+(x^2 \mathbin{\mathrm{OR}} 5)$ is uniformly differentiable on $\mathbb Z_2$, thus it is uniformly differentiable modulo 4 (see Example 4.15 and the example thereafter), and $N_2(f)=3$. Now, to prove that $f$ is ergodic, in view of Theorem 4.7 it suffices to demonstrate that $f$ induces a permutation with a single cycle on $\mathbb Z/32\mathbb Z$.
Direct calculation shows that the string $0,\ f(0)\bmod 32,\ f^2(0)\bmod 32=f(f(0))\bmod 32,\ \dots,\ f^{31}(0)\bmod 32$ is a permutation of the string $0,1,2,\dots,31$, thus ending the proof.

5. Two fast generators

In Subsection 4.1 we described how to use interpolation series to verify whether a given transformation $f$ of the space $\mathbb Z_2$ is ergodic (or preserves measure): one must represent $f$ as an interpolation series and apply Theorem 4.1. Generally speaking, it is not an easy task to represent an arbitrary continuous transformation $f$ as an interpolation series (although such a representation always exists). Nevertheless, the technique works. Here we apply this technique to establish ergodicity/measure preservation conditions for two special transformations that are used in cryptographic pseudorandom generators. Both these generators are fast: the first of them uses only additions, XORs and multiplications by constants; the second uses additions of entries of a certain look-up table selected according to the bits of a variable.

Theorem 5.1. The following is true:

$1^\circ$ The function $f\colon\mathbb Z_2\to\mathbb Z_2$ of the form
\[
f(x)=a+\sum_{i=1}^{n}a_i\,(x \mathbin{\mathrm{XOR}} b_i),
\]
where $a,a_i,b_i\in\mathbb Z_2$, $i=1,2,\dots,n$, preserves measure (resp., is ergodic) if and only if it is bijective (resp., transitive) modulo 2 (resp., modulo 4).

$2^\circ$ The function $f\colon\mathbb Z_2\to\mathbb Z_2$ of the form
\[
f(x)=a+\sum_{i=0}^{\infty}a_i\,\delta_i(x),
\]
where $a,a_i\in\mathbb Z_2$, $i=0,1,2,\dots$, is compatible and ergodic if and only if the following conditions hold simultaneously: $a\equiv 1\pmod 2$; $a_0\equiv 1\pmod 4$; $\|a_i\|_2=2^{-i}$ for $i=1,2,3,\dots$. The function $f$ is compatible and measure preserving if and only if $\|a_i\|_2=2^{-i}$ ($i=0,1,2,3,\dots$).

Proof of Theorem 5.1. Consider the interpolation series for $\delta_i(x)$, $i=0,1,2,\dots$:
\[
\delta_i(x)=\sum_{j=0}^{\infty}\sigma_i(j)\binom{x}{j}.
\]
To apply Theorem 4.1 we must first estimate the norms of the coefficients $\sigma_i(j)$. To do this, we need several lemmas.

Lemma 5.1. For all $i=0,1,2,\dots$ and $j=1,2,3,\dots$ the following equations hold:
\[
\sigma_i(0)=0;\qquad
\sigma_0(j)=(-1)^{j+1}2^{j-1};\qquad
\sigma_i(j)=(-1)^{j+1}\sum_{k=1}^{\infty}(-1)^k\binom{j-1}{k2^i-1}\quad (i\ge 1).
\]

Proof of Lemma 5.1. As $\delta_i(0)=0$ for all $i=0,1,2,\dots$, we have $\sigma_i(0)=0$. For all $k=0,1,2,\dots$ we have
\[
\delta_i(k)=\sum_{j=0}^{k}\sigma_i(j)\binom{k}{j}.
\]
From here, with the use of the formula which expresses a coefficient of the interpolation series of a $p$-adic function via the values of this function at rational integer points (see e.g. [28, Chapter 9, Section 2]), we obtain that
\[
\sigma_i(j)=(-1)^j\sum_{k=0}^{\infty}(-1)^k\delta_i(k)\binom{j}{k}.
\]
Hence, in view of the definition of the function $\delta_i$ ($\delta_i(k)=1$ exactly for $k$ in the blocks $(2s-1)2^i\le k\le s2^{i+1}-1$, $s=1,2,\dots$),
\[
\sigma_i(j)=(-1)^j\sum_{s=1}^{\infty}\ \sum_{k=(2s-1)2^i}^{s2^{i+1}-1}(-1)^k\binom{j}{k}.
\]
From here, using the well-known identity (which can be easily proved)
\[
\sum_{k=m}^{n}(-1)^k\binom{a}{k}=(-1)^m\binom{a-1}{m-1}+(-1)^n\binom{a-1}{n},\tag{5}
\]
we conclude that
\[
\sigma_i(j)=(-1)^j\sum_{s=1}^{\infty}\Bigl((-1)^{(2s-1)2^i}\binom{j-1}{(2s-1)2^i-1}-\binom{j-1}{2s\cdot 2^i-1}\Bigr),
\]
where the sign factor $(-1)^{(2s-1)2^i}$ equals $-1$ for $i=0$ and $1$ for $i\ge 1$. This proves the lemma, since the latter identity implies
\[
\sigma_i(j)=\begin{cases}(-1)^{j+1}2^{j-1}, & \text{if } i=0;\\[2pt] (-1)^{j+1}\sum_{k=1}^{\infty}(-1)^k\binom{j-1}{k2^i-1}, & \text{otherwise.}\end{cases}
\]

Lemma 5.2. For all $m,t,r=0,1,2,\dots$ that satisfy simultaneously the two conditions $0\le t\le 2^m-1$ and $m\ge r$ the following congruence holds:
\[
\binom{2^m-1}{t}\equiv(-1)^{\,t-\lfloor t2^{-r}\rfloor}\binom{2^{m-r}-1}{\lfloor t2^{-r}\rfloor}\pmod{2^{m-r+1}}.
\]
In particular, for all $m,s,j\in\mathbb N$ that satisfy simultaneously the two conditions $m>s\ge 1$ and $j\le 2^{m-s}-1$ the following congruence holds:
\[
\binom{2^m-2}{2^sj-1}\equiv(-1)^j\,2^sj\binom{2^{m-s}-1}{j-1}\pmod{2^{m-s+1}}.
\]

Proof of Lemma 5.2.
Firstly, we recall that every nonzero $s\in\mathbb Z_2$ has a unique representation of the form $s=2^{\operatorname{ord}_2 s}\hat s$, where $\hat s$ is a unit of $\mathbb Z_2$ (i.e., $\hat s$ is odd, meaning $\delta_0(\hat s)=1$) and hence has a multiplicative inverse $\hat s^{-1}$ in $\mathbb Z_2$. In this notation, putting $M=\{i : i=1,2,\dots,t;\ \operatorname{ord}_2 i\ge r\}$ and letting $M'$ be the complement of $M$ in $\{1,2,\dots,t\}$, we obtain that
\[
\binom{2^m-1}{t}=\prod_{i=1}^{t}\frac{2^m-i}{i}
=\prod_{i=1}^{t}\bigl(2^{m-\operatorname{ord}_2 i}\,\hat\imath^{-1}-1\bigr)
\equiv(-1)^{|M'|}\prod_{i\in M}\bigl(2^{m-\operatorname{ord}_2 i}\,\hat\imath^{-1}-1\bigr)\pmod{2^{m-r+1}},
\]
since for $i\in M'$ one has $m-\operatorname{ord}_2 i\ge m-r+1$. The condition $\operatorname{ord}_2 i\ge r$ for $i=1,2,\dots,t$ holds if and only if $i=j2^r$ for $j=1,2,\dots,\lfloor 2^{-r}t\rfloor$. This means that $|M'|=t-\lfloor 2^{-r}t\rfloor$. So the product in the right-hand side of the congruence above is equal to
\[
(-1)^{|M'|}\prod_{j=1}^{\lfloor 2^{-r}t\rfloor}\bigl(2^{m-r-\operatorname{ord}_2 j}\,\hat\jmath^{-1}-1\bigr)
=(-1)^{\,t-\lfloor t2^{-r}\rfloor}\binom{2^{m-r}-1}{\lfloor t2^{-r}\rfloor}.
\]
This proves the first part of the statement. The second part now becomes obvious, since
\[
\binom{2^m-2}{2^sj-1}=\frac{2^m-2^sj}{2^m-1}\binom{2^m-1}{2^sj-1}\equiv 2^sj\binom{2^m-1}{2^sj-1}\pmod{2^{m-s+1}},
\]
and the first part with $t=2^sj-1$, $r=s$ gives $\binom{2^m-1}{2^sj-1}\equiv(-1)^{j}\binom{2^{m-s}-1}{j-1}\pmod{2^{m-s+1}}$ (the sign is $(-1)^{2^sj-j}=(-1)^j$ because $2^sj$ is even).

Lemma 5.3. For $s,k=1,2,3,\dots$ the following holds:
(i) $\|\sigma_s(k)\|_2\le 2^{-\lfloor\log_2 k\rfloor+s-1}$ if $k\ne 2^s,2^{s+1}$;
(ii) $\|\sigma_s(2^s)\|_2=1$, $\|\sigma_s(2^{s+1})\|_2=\frac12$;
(iii) $\|\sigma_s(2^m-1)\|_2\le 2^{-m+s-1}$ if $m>s\ge 1$ and $(m,s)\ne(2,1)$ (for $m=2$, $s=1$ one has $\sigma_1(3)=-2$, of norm $\frac12$).

Proof of Lemma 5.3. Represent $k$ as $k=2^m+t$, where $m=\lfloor\log_2 k\rfloor$, $0\le t<2^m$. We may assume that $m\ge s$, since otherwise $\sigma_s(k)=0$ in view of Lemma 5.1. Further, Lemma 5.1 implies that
\[
\sigma_s(2^m+t)=(-1)^{t+1}\sum_{j=1}^{\infty}(-1)^j\binom{2^m+t-1}{2^sj-1}.\tag{6}
\]
With the use of the well-known identity (which can be easily proved)
\[
\sum_{k=0}^{n}\binom{a}{k}\binom{b}{n-k}=\binom{a+b}{n},
\]
we obtain that
\[
\binom{2^m-1+t}{2^sj-1}=\sum_{k=0}^{\infty}\binom{t}{k}\binom{2^m-1}{2^sj-k-1}
=\sum_{n=0}^{\infty}\sum_{r=0}^{2^s-1}\binom{t}{2^sn+r}\binom{2^m-1}{2^s(j-n-1)+(2^s-r-1)}.\tag{7}
\]
Here, as usual, we assume that $\binom{a}{b}=0$ for $b<0$.
In view of Lemma 5.2, equation (7) implies that
\[
\sum_{n=0}^{\infty}\sum_{r=0}^{2^s-1}(-1)^{n+r+j}\binom{t}{2^sn+r}\binom{2^{m-s}-1}{j-n-1}\equiv\binom{2^m-1+t}{2^sj-1}\pmod{2^{m-s+1}}.\tag{8}
\]
Now (6) in view of (8) implies that
\[
\sigma_s(2^m+t)\equiv(-1)^{t+1}\sum_{n=0}^{\infty}\sum_{r=0}^{2^s-1}(-1)^{n+r}\binom{t}{2^sn+r}\sum_{j=1}^{\infty}\binom{2^{m-s}-1}{j-n-1}
\equiv 2^{2^{m-s}-1}(-1)^{t+1}\sum_{n=0}^{\infty}\sum_{r=0}^{2^s-1}(-1)^{n+r}\binom{t}{2^sn+r}\pmod{2^{m-s+1}}.\tag{9}
\]
Now applying identity (5) and assuming that $t\ne 0$, in view of Lemma 5.1 we conclude that
\[
(-1)^{t+1}\sum_{n=0}^{\infty}\sum_{r=0}^{2^s-1}(-1)^{n+r}\binom{t}{2^sn+r}
=(-1)^{t+1}\sum_{n=0}^{\infty}(-1)^n\Bigl(\binom{t-1}{2^sn-1}-\binom{t-1}{2^s(n+1)-1}\Bigr)
=2(-1)^{t+1}\sum_{n=1}^{\infty}(-1)^n\binom{t-1}{2^sn-1}=2\sigma_s(t).
\]
The left-hand side of this equation is equal to $-1$ when $t=0$. So, taking all these arguments into account, from (9) we conclude that
\[
\sigma_s(2^m+t)\equiv\begin{cases}2^{2^{m-s}}\sigma_s(t)\pmod{2^{m-s+1}}, & \text{if } t\ne 0;\\[2pt] -2^{2^{m-s}-1}\pmod{2^{m-s+1}}, & \text{if } t=0.\end{cases}
\]
The latter proves statements (i) and (ii), since it easily implies that
\[
\sigma_s(2^m+t)\equiv\begin{cases}1\pmod 2, & \text{if } m=s,\ t=0;\\ 2\pmod 4, & \text{if } m=s+1,\ t=0;\\ 0\pmod{2^{m-s+1}}, & \text{in all other cases.}\end{cases}
\]
Finally, if $m>s\ge 1$, then combining together Lemmas 5.1 and 5.2 we obtain that
\[
\sigma_s(2^m-1)=\sum_{j=1}^{\infty}(-1)^j\binom{2^m-2}{2^sj-1}\equiv 2^s\sum_{j=1}^{\infty}j\binom{2^{m-s}-1}{j-1}\pmod{2^{m-s+1}}.
\]
Now, applying the well-known identity $\sum_{k=1}^{n}k\binom{n}{k}=n2^{n-1}$ (so that $\sum_{j\ge 1}j\binom{n}{j-1}=\sum_{l\ge 0}(l+1)\binom{n}{l}=(n+2)2^{n-1}$) with $n=2^{m-s}-1$, we conclude that
\[
\sigma_s(2^m-1)\equiv 2^{\,s+2^{m-s}-2}\,(2^{m-s}+1)\pmod{2^{m-s+1}}.
\]
The factor $2^{m-s}+1$ is odd, and $s+2^{m-s}-2\ge m-s+1$ for all $m>s\ge 1$ except $m=2$, $s=1$ (where the right-hand side is $6\equiv 2\pmod 4$, in accordance with $\sigma_1(3)=-2$). This proves (iii) and the lemma.

Now everything is ready to prove Theorem 5.1. We start with statement $1^\circ$. The operation XOR and, consequently, the function $f$ are compatible. Now, expanding $x \mathbin{\mathrm{XOR}} b_i=x+b_i-2(x \mathbin{\mathrm{AND}} b_i)$ and $x \mathbin{\mathrm{AND}} b_i=\sum_{k\ge 0}2^k\delta_k(x)\delta_k(b_i)$, we conclude that
\[
f(x)=a+\sum_{i=1}^{n}a_ib_i+\sum_{i=1}^{n}a_ix-2\sum_{i=1}^{n}a_i\sum_{k=0}^{\infty}2^k\delta_k(x)\delta_k(b_i).
\]
Now, considering the interpolation series for $\delta_k(x)$ and taking into account that (in view of Lemma 5.1) $\sigma_0(1)=1$ and $\sigma_i(1)=0$ for $i=1,2,3,\dots$, we obtain
\[
f(x)=a+\sum_{i=1}^{n}a_ib_i+x\Bigl(\sum_{i=1}^{n}a_i-2\sum_{i=1}^{n}a_i\delta_0(b_i)\Bigr)-\sum_{j=2}^{\infty}\binom{x}{j}S_j,
\qquad\text{where } S_j=\sum_{i=1}^{n}a_i\sum_{k=0}^{\infty}2^{k+1}\sigma_k(j)\delta_k(b_i).
\]
Lemma 5.3 immediately implies that for $k\ge 1$
\[
2^{k+1}\sigma_k(j)\equiv\begin{cases}0\pmod{2^{\lfloor\log_2 j\rfloor+1}}, & \text{if } j=2^k,2^{k+1};\\ 0\pmod{2^{\lfloor\log_2 j\rfloor+2}}, & \text{otherwise,}\end{cases}
\]
while for $k=0$ Lemma 5.1 gives $2\sigma_0(j)=\pm 2^{j}$, which is $0$ modulo $2^{\lfloor\log_2 j\rfloor+2}$ for $j\ge 3$ and $0$ modulo $4$ for $j=2$; so the coefficients $S_j$, $j\ge 2$, satisfy the conditions of Theorem 4.1 automatically. Now Theorem 4.1 implies that $f$ preserves measure (resp., is ergodic) if and only if $\sum_{i=1}^{n}a_i\equiv 1\pmod 2$ (resp., if and only if $a+\sum_{i=1}^{n}a_ib_i\equiv 1\pmod 2$ and $\sum_{i=1}^{n}a_i-2\sum_{i=1}^{n}a_i\delta_0(b_i)\equiv 1\pmod 4$). This is obviously equivalent to statement $1^\circ$ of Theorem 5.1.

To prove statement $2^\circ$ of the theorem we first note that the functions $\delta_i$ for $i>0$ are not compatible. As $\sigma_i(0)=0$ for all $i\ge 0$ (see Lemma 5.1), we have
\[
f(x)=a+\sum_{j=1}^{\infty}\binom{x}{j}\sum_{i=0}^{\infty}a_i\sigma_i(j).
\]
Theorem 4.1 implies now that the function $f$ is compatible and preserves measure if and only if the following congruences hold simultaneously:
\[
\sum_{i=0}^{\infty}a_i\sigma_i(1)\equiv 1\pmod 2;\qquad
\sum_{i=0}^{\infty}a_i\sigma_i(j)\equiv 0\pmod{2^{\lfloor\log_2 j\rfloor+1}},\quad j=2,3,\dots\tag{10}
\]
In view of Lemma 5.1, the first of the conditions (10) is equivalent to the congruence
\[
a_0\equiv 1\pmod 2.\tag{11}
\]
Moreover, Lemma 5.1 implies that $\sigma_i(j)=0$ for $i>\lfloor\log_2 j\rfloor$. Hence the second of the conditions (10) is equivalent to the following system of congruences:
\[
\sum_{i=0}^{\lfloor\log_2 j\rfloor}a_i\sigma_i(j)\equiv 0\pmod{2^{\lfloor\log_2 j\rfloor+1}},\quad j=2,3,\dots\tag{12}
\]
Consider the following subsystem of system (12) for $j=2^k$, $k=1,2,3,\dots$:
\[
\sum_{i=0}^{k}a_i\sigma_i(2^k)\equiv 0\pmod{2^{k+1}},\quad k=1,2,3,\dots\tag{13}
\]
We assert that 2-adic integers $a_i$ satisfying (11) satisfy the system of congruences (13) if and only if $a_i\equiv 2^i\pmod{2^{i+1}}$, $i=0,1,2,\dots$. We proceed by induction on $i$; for $i=0$ the claim is (11).
If $i=1$, then applying Lemma 5.1 for $k=1$ (note $\sigma_0(2)=-2$) we conclude that
\[
-2a_0+a_1\sigma_1(2)\equiv 0\pmod 4.\tag{14}
\]
In view of (ii) of Lemma 5.3, the 2-adic integer $\sigma_1(2)$ has a multiplicative inverse in $\mathbb Z_2$, so in view of (11) congruence (14) is equivalent to the congruence $a_1\equiv 2\pmod 4$. Now let the statement under proof be true for all $i<n$; consider the congruence
\[
\sum_{i=0}^{n}a_i\sigma_i(2^n)\equiv 0\pmod{2^{n+1}}.\tag{15}
\]
By the induction hypothesis, $a_i=2^i+s_i2^{i+1}$ ($i=0,1,\dots,n-1$) for suitable $s_i\in\mathbb Z_2$. Then, taking into account statement (i) of Lemma 5.3 (and Lemma 5.1 for $i=0$, where $\sigma_0(2^n)=-2^{2^n-1}$), we conclude that $a_i\sigma_i(2^n)\equiv 0\pmod{2^{n+1}}$ for $i=0,1,\dots,n-2$, and, by statement (ii) of Lemma 5.3, $a_{n-1}\sigma_{n-1}(2^n)\equiv 2^n\pmod{2^{n+1}}$. Hence congruence (15) is equivalent to the congruence $2^n+a_n\sigma_n(2^n)\equiv 0\pmod{2^{n+1}}$. As $\sigma_n(2^n)$ is a unit of $\mathbb Z_2$ (by virtue of (ii) of Lemma 5.3), the latter congruence holds if and only if $a_n\equiv 2^n\pmod{2^{n+1}}$.

From (i) of Lemma 5.3 (and Lemma 5.1 for $i=0$) we easily conclude that if $a_i\equiv 2^i\pmod{2^{i+1}}$, then the $a_i$ also satisfy each congruence of the system (12) for those $j$ which are not powers of 2. This means that the set of conditions (10) is equivalent to the following set of congruences: $a_i\equiv 2^i\pmod{2^{i+1}}$, $i=0,1,2,3,\dots$. Thus we have proved the second part of statement $2^\circ$.

To prove the first part of this statement we note that since $\lfloor\log_2(i+1)\rfloor+1=\lfloor\log_2 i\rfloor+1$ for $i\ne 2^k-1$, the necessary and sufficient conditions for the function $f$ to be ergodic (see Theorem 4.1) in the case under consideration have the following form:
\[
a\equiv 1\pmod 2;\tag{16}
\]
\[
\sum_{i=0}^{\infty}a_i\sigma_i(1)\equiv 1\pmod 4;\tag{17}
\]
\[
\sum_{i=0}^{\infty}a_i\sigma_i(j)\equiv 0\pmod{2^{\lfloor\log_2 j\rfloor+1}},\quad j=2,3,4,\dots;\tag{18}
\]
\[
\sum_{i=0}^{\infty}a_i\sigma_i(2^k-1)\equiv 0\pmod{2^{k+1}},\quad k=2,3,4,\dots\tag{19}
\]
As $\sigma_i(1)=0$ for $i\ne 0$ and $\sigma_0(1)=1$ (see Lemma 5.1), condition (17) is equivalent to the following condition:
\[
a_0\equiv 1\pmod 4.\tag{20}
\]
During the proof of the second part of statement $2^\circ$ we have established that if $a_0\equiv 1\pmod 2$ (and, in particular, if (20) is satisfied), then conditions (18) are equivalent to the conditions
\[
a_i\equiv 2^i\pmod{2^{i+1}},\quad i=1,2,3,\dots\tag{21}
\]
Finally, combining together statement (iii) of Lemma 5.3 and Lemma 5.1, we conclude that if 2-adic integers $a_i$ ($i=0,1,2,\dots$) satisfy conditions (21) and (20) simultaneously, then the $a_i$ also satisfy conditions (19): for $k\ge 3$ every summand $a_i\sigma_i(2^k-1)$ is $0$ modulo $2^{k+1}$ (by Lemma 5.1 for $i=0$, by (iii) for $1\le i\le k-1$, and since $\sigma_i(2^k-1)=0$ for $i\ge k$), while for $k=2$ the left-hand side of (19) is $4a_0-2a_1$, which is $0$ modulo 8 because $a_0$ is odd and $a_1\equiv 2\pmod 4$. Thus the union of conditions (16)–(19) is equivalent to the union of conditions (16), (20), and (21). This proves the first part of statement $2^\circ$ and the whole Theorem 5.1.

6. Estimates of randomness

Loosely speaking, within the context of this paper a PRNG is an algorithm that takes a short binary word (an initial state, a seed) and stretches it to a much longer word, which for any seed must look random, that is, like a sequence of fair coin tosses. Given a seed, the whole period of the produced sequence (which is necessarily periodic) is never used in practice. However, the period must be very long and as 'random-looking' as possible. In most applications (e.g., in cryptography) the period of the output sequence must be exponentially longer than the seed, and the algorithm must be fast; whence the corresponding program cannot be complicated. Thus, designing a PRNG is a kind of paradox: on the one hand, the output string must 'look random' (say, must have high Kolmogorov complexity); on the other hand, the generating program must be short, whence the Kolmogorov complexity of the produced sequence will necessarily be low.
In real-life settings it is often agreed that the output sequence 'looks sufficiently random' whenever it passes a certain (in some cases rather limited) number of statistical tests. In particular, the output string must have no obvious structure by which one can, given a segment of the output sequence, predict the next bit with high probability. Of course, at least some sequences generated by compatible ergodic transformations of the space $\mathbb Z_2$ are highly predictable, e.g., sequences (even truncated ones) produced by linear congruential generators, see [31] and references therein. Note that recently a number of effective prediction methods were developed in machine learning, e.g., transduction [32], conformal prediction and some others, see [34]. It would be very interesting to understand which sequences generated by compatible ergodic transformations of the space $\mathbb Z_2$ can be predicted by these methods. However, this question is outside the scope of the present paper and may be a theme of future work.

In this section we pursue a much less ambitious goal: we study distributions and structural properties of sequences produced by compatible ergodic transformations of the space $\mathbb Z_2$ in order to demonstrate that, at least with respect to some tests based on the distribution of patterns, these sequences are good.

A word of caution: for some convenience during proofs, throughout this section, speaking of base-2 expansions as well as of 2-adic representations, we read them from left to right, so $1101$ means $1101000\dots$; and $1101$ is the base-2 expansion of $11$, and not of $13$!

6.1. Distribution of $k$-tuples. Whenever $f$ is a compatible ergodic transformation of the space $\mathbb Z_2$, the sequence $\mathcal T_n=\{z_i=f^i(z)\bmod 2^n\}_{i=0}^{\infty}$ is strictly uniformly distributed as a sequence of binary words of length $n$ (see Section 3).
However, for applications it is important to study the distribution of the binary sequence $\mathcal T'_n$ obtained from $\mathcal T_n$ by concatenation of these $n$-bit words: one can consider the same sequence as a binary sequence and ask what the distribution of $n$-tuples in this binary sequence is. Strict uniform distribution of an arbitrary sequence $\mathcal T$ as a sequence over $\mathbb Z/2^n\mathbb Z$ does not necessarily imply uniform distribution of overlapping $n$-tuples if this sequence is considered as a binary sequence! For instance, let $\mathcal T$ be the following strictly uniformly distributed sequence over $\mathbb Z/4\mathbb Z$ with period length exactly 4:
\[
\mathcal T=0\,2\,3\,1\,0\,2\,3\,1\,0\,2\,3\,1\dots
\]
Then its representation as a binary sequence is
\[
\mathcal T'=00\,01\,11\,10\,00\,01\,11\,10\,00\,01\,11\,10\dots
\]
Obviously, when we consider $\mathcal T$ as a sequence over the residue ring $\mathbb Z/4\mathbb Z$, each number of $\{0,1,2,3\}$ occurs in the sequence with the same frequency $\frac14$. Yet if we consider $\mathcal T'$ as a binary sequence, then $00$ (as well as $11$) occurs in this sequence with frequency $\frac38$, whereas $01$ (and $10$) occurs with frequency $\frac18$. Thus, the sequence $\mathcal T$ is uniformly distributed over $\mathbb Z/4\mathbb Z$, yet the distribution of $2$-tuples in its binary representation $\mathcal T'$ is not uniform.

In this subsection we show that this effect does not take place for the sequences $\mathcal T_n$: considering such a sequence as a binary sequence, the distribution of $k$-tuples is uniform for all $k\le n$. Now we state this property more formally.

Consider a (binary) $n$-cycle $C=(\varepsilon_0\varepsilon_1\dots\varepsilon_{n-1})$; that is, an oriented graph with vertices $\{a_0,a_1,\dots,a_{n-1}\}$ and edges $\{(a_0,a_1),(a_1,a_2),\dots,(a_{n-2},a_{n-1}),(a_{n-1},a_0)\}$, where each vertex $a_j$ is labelled with $\varepsilon_j\in\{0,1\}$, $j=0,1,\dots,n-1$. (Note that then $(\varepsilon_0\varepsilon_1\dots\varepsilon_{n-1})=(\varepsilon_{n-1}\varepsilon_0\dots\varepsilon_{n-2})=\dots$, etc.) Clearly, each purely periodic sequence $\mathcal S$ over $\mathbb Z/2\mathbb Z$ with period $\alpha_0\dots\alpha_{n-1}$ of length $n$ can be related to a binary $n$-cycle $C(\mathcal S)=(\alpha_0\dots\alpha_{n-1})$. Conversely, to each binary $n$-cycle $(\alpha_0\dots\alpha_{n-1})$ we can relate $n$ purely periodic binary sequences of period length $n$: they are the $n$ shifted versions of the sequence $\alpha_0\dots\alpha_{n-1}\alpha_0\dots\alpha_{n-1}\dots$, that is,
\[
\alpha_1\dots\alpha_{n-1}\alpha_0\alpha_1\dots\alpha_{n-1}\alpha_0\dots,\qquad
\alpha_2\dots\alpha_{n-1}\alpha_0\alpha_1\alpha_2\dots\alpha_{n-1}\alpha_0\alpha_1\dots,\qquad
\dots,\qquad
\alpha_{n-1}\alpha_0\alpha_1\alpha_2\dots\alpha_{n-2}\alpha_{n-1}\alpha_0\alpha_1\alpha_2\dots\alpha_{n-2}\dots
\]
Further, a $k$-chain in a binary $n$-cycle $C$ is a binary string $\beta_0\dots\beta_{k-1}$, $k<n$, that satisfies the following condition: there exists $j\in\{0,1,\dots,n-1\}$ such that $\beta_i=\varepsilon_{(i+j)\bmod n}$ for $i=0,1,\dots,k-1$. Thus, a $k$-chain is just a string of length $k$ of labels that corresponds to a chain of length $k$ in the graph $C$. We call a binary $n$-cycle $C$ $k$-full if each $k$-chain occurs in the graph $C$ the same number $r>0$ of times. Clearly, if $C$ is $k$-full, then $n=2^kr$. For instance, a well-known De Bruijn sequence is an $n$-full $2^n$-cycle. Clearly, a $k$-full $n$-cycle is $(k-1)$-full: each $(k-1)$-chain occurs in $C$ exactly $2r$ times, etc. Thus, if an $n$-cycle $C(\mathcal S)$ is $k$-full, then each $m$-tuple (where $1\le m\le k$) occurs in the sequence $\mathcal S$ with the same probability (limit frequency) $\frac{1}{2^m}$. That is, the sequence $\mathcal S$ is $k$-distributed, see [21, Section 3.5, Definition D].

Definition 6.1. A purely periodic binary sequence $\mathcal S$ with period length exactly $N$ is said to be strictly $k$-distributed if and only if the corresponding $N$-cycle $C(\mathcal S)$ is $k$-full.

Thus, if a sequence $\mathcal S$ is strictly $k$-distributed, then it is strictly $s$-distributed for all positive $s\le k$. A $k$-distribution is a good 'indicator of randomness' of an infinite sequence: the larger $k$, the better the sequence, i.e., the 'more random'.
The best case is when a sequence is $k$-distributed for all $k=1,2,\dots$. Such sequences are called $\infty$-distributed. Obviously, a periodic sequence cannot be $\infty$-distributed. On the other hand, a periodic sequence is just an infinite repetition of a finite sequence, the period. So we are interested in 'how random' this finite sequence (the period) is. Of course, it seems very reasonable to consider a period of length $n$ as an $n$-cycle and to study the distribution of $k$-tuples in the $n$-cycle; for instance, if this $n$-cycle is $k$-full, the distribution of $k$-tuples is strictly uniform. However, other approaches also exist. In [21, Section 3.5, Definition Q1] the following 'indicator of randomness' of a finite sequence over a finite alphabet $A$ is considered (we formulate the corresponding definition for $A=\{0,1\}$): a finite binary sequence $\varepsilon_0\varepsilon_1\dots\varepsilon_{N-1}$ of length $N$ is said to be random (sic!) if and only if
\[
\Bigl|\frac{\nu(\beta_0\dots\beta_{k-1})}{N}-\frac{1}{2^k}\Bigr|\le\frac{1}{\sqrt N}\tag{22}
\]
for all $0<k\le\log_2 N$, where $\nu(\beta_0\dots\beta_{k-1})$ is the number of occurrences of the binary word $\beta_0\dots\beta_{k-1}$ in the binary word $\varepsilon_0\varepsilon_1\dots\varepsilon_{N-1}$. If a finite sequence is random in the sense of this Definition Q1 of [21], we shall say that it has property Q1, or satisfies Q1. We shall also say that an infinite periodic sequence satisfies Q1 if and only if its exact period satisfies Q1.

Note that, in contrast to the case of strict $k$-distribution, which implies strict $(k-1)$-distribution, it is not enough to demonstrate only that inequality (22) holds for $k=\lfloor\log_2 N\rfloor$ to prove that a finite sequence of length $N$ satisfies Q1: for instance, the sequence $1111111100000111$ satisfies (22) for $k=\lfloor\log_2 N\rfloor=4$ and does not satisfy (22) for $k=3$. Note that an analog of property Q1 for an odd prime $p$ can be stated in an obvious way.

Now we are able to state the following theorem.

Theorem 6.1.
Let $\mathcal T'_n$ be the binary representation of the sequence $\mathcal T_n$ (hence $\mathcal T'_n$ is a purely periodic binary sequence of period length exactly $n2^n$). Then the sequence $\mathcal T'_n$ is strictly $n$-distributed. Moreover, this sequence satisfies Q1.

Proof. Let $\mathcal T'_n=\zeta_0\zeta_1\dots$ be the binary representation of the sequence $\mathcal T_n$. Take an arbitrary binary word $b=\beta_0\beta_1\dots\beta_{n-1}$, $\beta_j\in\{0,1\}$, and for $k\in\{0,1,\dots,n-1\}$ denote
\[
\nu_k(b)=\bigl|\{r : 0\le r<n2^n;\ r\equiv k\ (\mathrm{mod}\ n);\ \zeta_r\zeta_{r+1}\dots\zeta_{r+n-1}=\beta_0\beta_1\dots\beta_{n-1}\}\bigr|.
\]
Obviously, $\nu_0(b)$ is the number of occurrences of the rational integer $z$ with base-2 expansion $\beta_0\beta_1\dots\beta_{n-1}$ in the exact period of the sequence $\mathcal T_n$. Hence $\nu_0(b)=1$, since the sequence $\mathcal T_n$ is strictly uniformly distributed modulo $2^n$. Now consider $\nu_k(b)$ for $0<k<n$. Fix $k\in\{1,2,\dots,n-1\}$ and let $r=k+tn$. Since $f$ is compatible, $\zeta_r\zeta_{r+1}\dots\zeta_{r+n-1}=\beta_0\beta_1\dots\beta_{n-1}$ holds if and only if the following two relations hold simultaneously:
\[
\zeta_{tn+k}\zeta_{tn+k+1}\dots\zeta_{tn+n-1}=\beta_0\beta_1\dots\beta_{n-k-1},\tag{23}
\]
\[
f(\zeta_{tn}\zeta_{tn+1}\dots\zeta_{tn+k-1})\equiv\beta_{n-k}\beta_{n-k+1}\dots\beta_{n-1}\pmod{2^k}.\tag{24}
\]
Here $\gamma_0\gamma_1\dots\gamma_s=\gamma_0+\gamma_1\cdot 2+\dots+\gamma_s\cdot 2^s$ for $\gamma_0,\gamma_1,\dots,\gamma_s\in\{0,1\}$ is the rational integer with base-2 expansion $\gamma_0\gamma_1\dots\gamma_s$ (the $k$ low-order bits of $z_{t+1}=f(z_t)$ depend, by compatibility, only on the $k$ low-order bits $\zeta_{tn}\dots\zeta_{tn+k-1}$ of $z_t$). For a given $b=\beta_0\beta_1\dots\beta_{n-1}$, congruence (24) has exactly one solution $\alpha_0\alpha_1\dots\alpha_{k-1}$ modulo $2^k$, since $f$ is ergodic, whence bijective modulo $2^k$. Thus, in view of (23) and (24) we conclude that $\zeta_r\zeta_{r+1}\dots\zeta_{r+n-1}=\beta_0\beta_1\dots\beta_{n-1}$ holds if and only if
\[
\zeta_s\zeta_{s+1}\dots\zeta_{s+n-1}=\alpha_0\alpha_1\dots\alpha_{k-1}\beta_0\beta_1\dots\beta_{n-k-1},\qquad\text{where } s=tn.\tag{25}
\]
Yet there exists exactly one $s\equiv 0\ (\mathrm{mod}\ n)$, $0\le s<2^nn$, such that (25) holds, since every element of $\mathbb Z/2^n\mathbb Z$ occurs in the period of $\mathcal T_n$ exactly once.
We conclude now that $\nu_k(b) = 1$ for all $k \in \{0, 1, \ldots, n-1\}$; thus, $\nu(b) = \sum_{j=0}^{n-1}\nu_j(b) = n$ for all $b$. This means that the $(n2^n)$-cycle $C(T'_n)$ is $n$-full, whence the sequence $T'_n$ is strictly $n$-distributed. This completes the proof of the first assertion of the theorem.

To prove the second assertion, note that in view of the first assertion every $m$-tuple for $1 \le m \le n$ occurs in the $n2^n$-cycle $C(T'_n)$ exactly $2^{n-m}n$ times. Thus, every such $m$-tuple occurs $2^{n-m}n - c$ times in the finite binary sequence $\hat T_n = \hat z_0\hat z_1\ldots\hat z_{2^n-1}$, where $\hat z$ for $z \in \{0, 1, \ldots, 2^n-1\}$ is the $n$-bit sequence that agrees with the base-2 expansion of $z$. Note that $c$ depends on the $m$-tuple, yet $0 \le c \le m-1$ for every $m$-tuple. Easy algebra shows that (22) holds for these $m$-tuples. Now, to prove that $T'_n$ satisfies Q1 we have only to demonstrate that (22) holds for $m$-tuples with $m = n + d$, where $0 < d \le \log_2 n$. We claim that any such $m$-tuple occurs in the sequence $\hat T_n$ not more than $n$ times. Indeed, in this case $\zeta_r\zeta_{r+1}\ldots\zeta_{r+n+d-1} = \beta_0\beta_1\ldots\beta_{n+d-1}$ holds if and only if, besides the two relations (23) and (24), the following extra congruence holds:
$$f(\zeta_{tn}\zeta_{tn+1}\ldots\zeta_{tn+k-1}\beta_0\beta_1\ldots\beta_{d-1}) \equiv \beta_{n-k}\beta_{n-k+1}\ldots\beta_{n+d-1} \pmod{2^{k+d}},$$
where $k = r \bmod n$. Yet this extra congruence may or may not have a solution in the unknowns $\zeta_{tn}, \zeta_{tn+1}, \ldots, \zeta_{tn+k-1}$; this depends on $\beta_0\beta_1\ldots\beta_{n+d-1}$. But if such a solution exists, it is unique for a given $k \in \{0, 1, \ldots, n-1\}$, since $f$ is ergodic, whence bijective modulo $2^s$ for all $s = 1, 2, \ldots$. This proves our claim. Now an exercise in inequalities shows that (22) holds in this case, thus completing the proof of the theorem.

Note 6.2. The second assertion of Theorem 6.1 holds for an arbitrary prime $p$.
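To make the Q1 test of Section 6.1 and the counting in the proof of Theorem 6.1 concrete, here is an added Python example (ours, not code from the paper). It implements $\nu$ and inequality (22) exactly as defined, applies the test to the 16-bit sequence discussed above, and then builds $T'_n$ for one ergodic generator and checks both assertions of the theorem on it. The generator $f(x) = 5x + 3$ is our own choice: an affine map $ax + b$ is ergodic on $\mathbb{Z}_2$ when $a \equiv 1 \pmod 4$ and $b$ is odd, which is the classical full-period condition for a linear congruential generator modulo $2^n$. All function names are ours.

```python
from fractions import Fraction


def occurrences(word, pattern):
    """nu(pattern): number of (possibly overlapping) occurrences of `pattern`
    as a contiguous sub-word of the finite word epsilon_0 ... epsilon_{N-1};
    windows do not wrap around, exactly as in the definition of Q1."""
    k = len(pattern)
    return sum(1 for j in range(len(word) - k + 1) if word[j:j + k] == pattern)


def q1_violations(word):
    """All (k, pattern) pairs violating inequality (22),
        |nu(pattern)/N - 1/2^k| <= 1/sqrt(N)   for 0 < k <= log2 N.
    The comparison is exact: |d| <= 1/sqrt(N)  <=>  d^2 * N <= 1.
    An empty result means the word has property Q1."""
    N = len(word)
    bad = []
    for k in range(1, N.bit_length()):          # k = 1 .. floor(log2 N)
        for code in range(2 ** k):
            # every k-bit pattern, least significant bit first
            pattern = "".join(str((code >> i) & 1) for i in range(k))
            d = Fraction(occurrences(word, pattern), N) - Fraction(1, 2 ** k)
            if d * d * N > 1:
                bad.append((k, pattern))
    return bad


def binary_representation(f, n, z0=0):
    """T'_n: run the map f modulo 2^n through one period of 2^n values from z0
    and write every value as n bits, delta_0 (least significant) first."""
    mod = 2 ** n
    bits, z = [], z0 % mod
    for _ in range(mod):
        bits.extend(str((z >> i) & 1) for i in range(n))
        z = f(z) % mod
    return "".join(bits)


def cyclic_tuple_counts(word, k):
    """Occurrences of every k-tuple over all N cyclic windows of the word;
    the (n 2^n)-cycle C(T'_n) is k-full when all counts are equal."""
    N = len(word)
    wrapped = word + word[:k - 1]
    counts = {}
    for j in range(N):
        t = wrapped[j:j + k]
        counts[t] = counts.get(t, 0) + 1
    return counts


if __name__ == "__main__":
    # The page's 16-bit example: passes (22) at k = 4, fails at k = 3.
    print(q1_violations("1111111100000111"))
    # T'_4 for the affine generator 5x + 3 (our choice): 64 bits, 4-full, Q1.
    word = binary_representation(lambda x: 5 * x + 3, 4)
    print(len(word), sorted(cyclic_tuple_counts(word, 4).values()))
    print(q1_violations(word))
```

`q1_violations` counts sub-words the non-cyclic way the definition uses, while `cyclic_tuple_counts` counts over the $n2^n$-cycle; the difference between the two is exactly the $c \le m - 1$ boundary occurrences the proof subtracts.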
Namely, the base-$p$ representation of an output sequence of a congruential generator over $\mathbb{Z}/p^n\mathbb{Z}$ of maximum period length is a strictly $n$-distributed sequence over $\mathbb{Z}/p\mathbb{Z}$ of period length exactly $p^n n$, which satisfies Q1.

Moreover, the first assertion of Theorem 6.1 also holds for a truncated congruential generator; that is, for a generator $A$ of Section 3 with output function $F(x) = \lfloor x/p^{n-k} \rfloor \bmod p^k$. Namely, the base-$p$ representation of the output sequence of a truncated congruential generator over $\mathbb{Z}/p^n\mathbb{Z}$ of maximum period length is a purely periodic strictly $k$-distributed sequence over $\mathbb{Z}/p\mathbb{Z}$ of period length $p^n k$. The second assertion for this generator holds whenever $2 + p^k > kp^{n-k}$; thus, one could truncate $\le \frac{n}{2} - \log_p \frac{n}{2}$ lower-order digits without affecting property Q1. All these statements could be proved by slight modifications of the proof of Theorem 6.1. We omit the details.

6.2. Coordinate sequences. In this subsection, we study some structural properties of a binary sequence produced by a compatible ergodic transformation $f$ of the space $\mathbb{Z}_2$. Clearly, the binary sequence $S_j = \{\delta_j(f^i(z_0))\}_{i=0}^{\infty}$ (which is called the $j$-th coordinate sequence) is a purely periodic binary sequence of period length $2^{j+1}$. Moreover, it is easy to see that the second half of the period of every coordinate sequence $S_j = s_0, s_1, s_2, \ldots$ is the bitwise negation of its first half:

(26) $s_{i+2^j} \equiv s_i + 1 \pmod 2$, $i = 0, 1, 2, \ldots$

This immediately follows from Theorem 4.5 and means, loosely speaking, that the $j$-th coordinate sequence is as complex as the first half of its period.
So it is important to know which sequences of length $2^j$ can be output as the first half of the period of the $j$-th coordinate sequence; more formally, which values are taken by the rational integer $\gamma = s_0 + s_1 2 + s_2 2^2 + \cdots + s_{2^j-1}2^{2^j-1}$ for the $j$-th coordinate sequence $S_j = s_0, s_1, s_2, \ldots$. In other words, let $\gamma_j(f, z) \in \mathbb{N}_0$ be the number whose base-2 expansion agrees with the first half of the period of the $j$-th coordinate sequence; i.e., let
$$\gamma_j(f, z) = \delta_j(f^0(z)) + 2\delta_j(f^1(z)) + 4\delta_j(f^2(z)) + \cdots + 2^{2^j-1}\delta_j(f^{2^j-1}(z)).$$
Obviously, $0 \le \gamma_j(f, z) \le 2^{2^j} - 1$. The following natural question should be answered: Given a compatible and ergodic mapping $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ and a 2-adic integer $z \in \mathbb{Z}_2$, what infinite strings $\gamma_0 = \gamma_0(f, z), \gamma_1 = \gamma_1(f, z), \gamma_2 = \gamma_2(f, z), \ldots$ (where $\gamma_j \in \{0, 1, \ldots, 2^{2^j}-1\}$ for $j = 0, 1, 2, \ldots$) can be obtained? And the answer is: any one. Namely, the following theorem holds (which, interestingly, can be proved by a 'purely 2-adic' argument).

Theorem 6.2. Let $\Gamma = \{\gamma_j \in \mathbb{N}_0 : j = 0, 1, 2, \ldots\}$ be an arbitrary sequence of non-negative rational integers that satisfy $0 \le \gamma_j \le 2^{2^j} - 1$ for $j = 0, 1, 2, \ldots$. There exists a compatible and ergodic mapping $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ and a 2-adic integer $z \in \mathbb{Z}_2$ such that $\delta_j(z) = \delta_0(\gamma_j)$, $\delta_0(f^i(z)) \equiv \gamma_0 + i \pmod 2$, and
$$\delta_j(f^i(z)) \equiv \delta_{i \bmod 2^j}(\gamma_j) + \left\lfloor \frac{i}{2^j} \right\rfloor \pmod 2$$
for all $i, j \in \mathbb{N}$.

Note. The sequence $\left\{ \left\lfloor \frac{i}{2^j} \right\rfloor \bmod 2 : i = 1, 2, \ldots \right\}$ is merely a binary sequence of alternating gaps and runs (i.e., blocks of consecutive 0's or 1's, respectively) of length $2^j$ each.

Proof of Theorem 6.2. Put $z = z_0 = \sum_{j=0}^{\infty} \delta_0(\gamma_j) 2^j$ and
$$z_i = (\gamma_0 + i) \bmod 2 + \sum_{j=1}^{\infty} \left( \left( \delta_{i \bmod 2^j}(\gamma_j) + \left\lfloor \frac{i}{2^j} \right\rfloor \right) \bmod 2 \right) \cdot 2^j$$
for $i = 1, 2, 3, \ldots$.
Consider the sequence $Z = \{z_i : i = 0, 1, 2, \ldots\}$. Speaking informally, we are filling a table with a countably infinite number of rows and columns in such a way that the first $2^j$ entries of the $j$-th column represent $\gamma_j$ in its base-2 expansion, and the other entries of this column are obtained from these by applying the recursive relation (26). Then each $i$-th row of the table is the canonical 2-adic representation of $z_i \in Z$. We shall prove that $Z$ is a dense subset of $\mathbb{Z}_2$, and then define $f$ on $Z$ in such a way that $f$ is compatible and ergodic on $Z$. This will imply the assertion of the theorem.

Proceeding along this way, we claim that $Z \bmod 2^k = \mathbb{Z}/2^k\mathbb{Z}$ for all $k = 1, 2, 3, \ldots$, i.e., the natural ring homomorphism $\bmod 2^k\colon z \mapsto z \bmod 2^k$ maps $Z$ onto the residue ring $\mathbb{Z}/2^k\mathbb{Z}$. Indeed, this trivially holds for $k = 1$. Assuming our claim holds for $k < m$, we prove it for $k = m$. Given an arbitrary $t \in \{0, 1, \ldots, 2^m - 1\}$ there exists $z_i \in Z$ such that $z_i \equiv t \pmod{2^{m-1}}$. If $z_i \not\equiv t \pmod{2^m}$ then $\delta_{m-1}(z_i) \equiv \delta_{m-1}(t) + 1 \pmod 2$ and thus $\delta_{m-1}(z_{i+2^{m-1}}) \equiv \delta_{m-1}(t) \pmod 2$. However, $z_{i+2^{m-1}} \equiv z_i \pmod{2^{m-1}}$. Hence $z_{i+2^{m-1}} \equiv t \pmod{2^m}$. A similar argument shows that for each $k \in \mathbb{N}$ the sequence $\{z_i \bmod 2^k\}_{i=0}^{\infty}$ is purely periodic with period length $2^k$, and each $t \in \{0, 1, \ldots, 2^k - 1\}$ occurs in the period exactly once (in particular, all members of $Z$ are pairwise distinct 2-adic integers). Moreover, $i \equiv i' \pmod{2^k}$ if and only if $z_i \equiv z_{i'} \pmod{2^k}$. Consequently, $Z$ is dense in $\mathbb{Z}_2$, since for each $t \in \mathbb{Z}_2$ and each $k \in \mathbb{N}$ there exists $z_i \in Z$ such that $\|z_i - t\|_2 \le 2^{-k}$. Moreover, if we define $f(z_i) = z_{i+1}$ for all $i = 0, 1, 2, \ldots$ then
$$\|f(z_i) - f(z_{i'})\|_2 = \|z_{i+1} - z_{i'+1}\|_2 = \|(i+1) - (i'+1)\|_2 = \|i - i'\|_2 = \|z_i - z_{i'}\|_2.$$
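The table described in the proof can be built directly for a finite prefix of $\Gamma$. The following added Python example (ours, not the paper's code) does so and checks the properties the proof claims: the first $2^j$ digits of column $j$ spell $\gamma_j$ and the rest follow relation (26); $z_i \bmod 2^k$ runs through $\mathbb{Z}/2^k\mathbb{Z}$ exactly once per period; and $i \equiv i' \pmod{2^k}$ holds exactly when $z_i \equiv z_{i'} \pmod{2^k}$, which is the compatibility of $f\colon z_i \mapsto z_{i+1}$. The function names and the sample prefix $\gamma_0 = 1, \gamma_1 = 2, \gamma_2 = 13, \gamma_3 = 150$ are our own choices.

```python
def digit(x, j):
    """delta_j(x): the j-th base-2 digit of the non-negative integer x."""
    return (x >> j) & 1


def orbit_from_gammas(gammas):
    """Build the finite table of the proof of Theorem 6.2 for the prefix
    gamma_0, ..., gamma_{J-1}: returns z_0, ..., z_{2^J - 1} as J-bit
    integers whose digits are
        delta_j(z_i) = (delta_{i mod 2^j}(gamma_j) + floor(i / 2^j)) mod 2.
    Column j repeats the 2^j digits of gamma_j with alternating negation,
    which is exactly relation (26)."""
    J = len(gammas)
    for j, g in enumerate(gammas):
        if not 0 <= g <= 2 ** (2 ** j) - 1:
            raise ValueError("gamma_%d = %d is out of range" % (j, g))
    orbit = []
    for i in range(2 ** J):
        z = 0
        for j, g in enumerate(gammas):
            bit = (digit(g, i % (2 ** j)) + (i >> j)) & 1
            z |= bit << j
        orbit.append(z)
    return orbit


def coordinate_sequence(orbit, j):
    """S_j: the j-th digit of every z_i in turn."""
    return [digit(z, j) for z in orbit]


def is_single_cycle_mod(orbit, k):
    """True when z_i mod 2^k, i = 0 .. 2^k - 1, is a permutation of
    Z/2^k Z, i.e. f: z_i -> z_{i+1} is transitive modulo 2^k."""
    m = 2 ** k
    return sorted(z % m for z in orbit[:m]) == list(range(m))


def is_compatible(orbit, k):
    """2-adic Lipschitz-1 property on the table: i and i' agree modulo 2^k
    exactly when z_i and z_{i'} do, for every pair of rows."""
    m = 2 ** k
    n = len(orbit)
    return all(((i - i2) % m == 0) == ((orbit[i] - orbit[i2]) % m == 0)
               for i in range(n) for i2 in range(n))


if __name__ == "__main__":
    orbit = orbit_from_gammas([1, 2, 13, 150])   # constructed sample prefix
    print(orbit)
    print(coordinate_sequence(orbit, 2))         # 1,0,1,1 then its negation
    print([is_single_cycle_mod(orbit, k) for k in range(1, 5)])
    print([is_compatible(orbit, k) for k in range(1, 5)])
```

With this prefix the first row is $z_0 = 5$, i.e. $\delta_j(z_0) = \delta_0(\gamma_j)$ as the theorem states, and the four residues modulo $2, 4, 8, 16$ each form one cycle, which is the transitivity the proof uses to conclude ergodicity.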
Hence, $f$ is well defined and compatible on $Z$; it follows that the continuation of $f$ to the whole space $\mathbb{Z}_2$ is compatible. Yet $f$ is transitive modulo $2^k$ for each $k \in \mathbb{N}$, so its continuation is ergodic.

7. Conclusion

In this paper, we demonstrate that, loosely speaking, a contemporary digital computer 'thinks 2-adically': the most common processor instructions, both numerical (i.e., arithmetic, e.g. addition, multiplication), logical (such as bitwise OR, AND, XOR, NOT) and machine (left and right shifts), are continuous functions with respect to the 2-adic metric. Hence, a computer program which is combined from these operators is a continuous function defined on (and valued in) the space of 2-adic integers. So we believe that the natural metric for a digital computer is non-Archimedean: the sequence of states of a program (as we have demonstrated by the example of programs that generate pseudorandom numbers) admits an adequate description as a smooth trajectory in the non-Archimedean metric space. If so, a digital computer is likely to be perfect for simulating non-Archimedean dynamics, and not as good for simulating Archimedean systems. The latter phenomenon was already noticed in numerical analysis: for instance, paper [27] reads:

Digital computers are absolutely incapable of showing true long-time dynamics of some chaotic systems, including the tent map, the Bernoulli shift map and their analogues, even in a high-precision floating-point arithmetic.

Note that both these dynamical systems, the tent map and the Bernoulli shift map, are ergodic.
However, theoretical analysis, as well as 1000 computer verifications in [27], demonstrate that the behaviour of the corresponding computer programs is not ergodic:

It is found that all chaotic orbits will eventually converge to zero within $N_r$ iterations, and that the value of $N_r$ is uniquely determined by the details of digital floating-point arithmetic.

Moreover, inspired by the results of [27] we undertook our own study of discrete versions of these two maps, supported by computer experiments based on fixed-point (actually, integer) arithmetic instead of floating-point arithmetic. Namely, we considered the map
$$B_n\colon x \mapsto \frac{(x\ \mathrm{OR}\ 1) - 1}{2} \pmod{2^n}$$
as a discrete analog of the Bernoulli shift map, and the map
$$T_n\colon x \mapsto \frac{x\ \mathrm{AND}\ (-2)}{2} - x \cdot (x\ \mathrm{AND}\ 1) \pmod{2^n}$$
as a discrete analog of the tent map. Both these maps are transformations of the set $\{0, 1, \ldots, 2^n - 1\} = \mathbb{Z}/2^n\mathbb{Z}$, and elements of the latter set can be put into correspondence with real numbers in $[0, 1]$ via the Monna map,
$$x = \sum_{i=0}^{n-1} \delta_i(x) 2^i \longleftrightarrow \sum_{i=0}^{n-1} \delta_i(x) 2^{-i-1} \in [0, 1];$$
e.g., $2 = \ldots 0010 \longleftrightarrow \frac{1}{4}$, $3 = \ldots 0011 \longleftrightarrow \frac{1}{2} + \frac{1}{4} = \frac{3}{4}$, etc. Up to this correspondence, both $B_n$ and $T_n$ give the same plots in the unit square as, respectively, the Bernoulli shift and the tent map restricted to real numbers with $n$ binary digits after the point. However, both $B_n$ and $T_n$ are not ergodic either: $B_n$ converges to 0 after at most $n$ iterations, and $T_n$ always falls into short cycles, of length $n$ at most.

This effect cannot occur for truly ergodic maps: loosely speaking, ergodic transformations have no invariant subsets, except for subsets of measure 0 and of full measure.
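The two discrete maps and the Monna correspondence are easy to run. The added Python example below (ours, not the paper's code) implements $B_n$ and $T_n$ exactly as written, checks with exact fractions that under the Monna map $B_n$ acts as $y \mapsto 2y \bmod 1$ and $T_n$ as the tent map (on the odd branch the discrete value lands at $2 - 2y - 2^{-n}$, one unit in the last place below $2 - 2y$, because 1 itself is not an $n$-digit fraction), and decomposes each map on $\mathbb{Z}/2^n\mathbb{Z}$ into its cycles so that the collapse into a few short cycles, i.e. the invariant subsets an ergodic map cannot have, is visible. Function names are ours.

```python
from fractions import Fraction


def bernoulli_discrete(x, n):
    """B_n: x -> ((x OR 1) - 1) / 2 (mod 2^n). (x OR 1) - 1 clears bit 0,
    so the division by 2 is exact."""
    return (((x | 1) - 1) // 2) % (2 ** n)


def tent_discrete(x, n):
    """T_n: x -> (x AND -2)/2 - x * (x AND 1) (mod 2^n). For x in 0..2^n-1,
    x AND -2 clears bit 0, so the division by 2 is exact."""
    return ((x & -2) // 2 - x * (x & 1)) % (2 ** n)


def monna(x, n):
    """Monna map: read the n digits of x, delta_0 first, as a binary fraction
    0.delta_0 delta_1 ... delta_{n-1} in [0, 1)."""
    return sum(Fraction((x >> i) & 1, 2 ** (i + 1)) for i in range(n))


def steps_to_zero(x, n):
    """Number of B_n iterations until the orbit of x reaches 0."""
    steps = 0
    while x != 0:
        x = bernoulli_discrete(x, n)
        steps += 1
    return steps


def cycle_lengths(fmap, n):
    """Lengths (sorted) of the cycles of fmap on {0, ..., 2^n - 1}. A
    transitive (ergodic) map would yield a single cycle of length 2^n."""
    size = 2 ** n
    seen = [False] * size
    lengths = []
    for start in range(size):
        path = {}                       # node -> position along this walk
        x = start
        while not seen[x] and x not in path:
            path[x] = len(path)
            x = fmap(x, n)
        if not seen[x]:                 # closed on a node of this walk: new cycle
            lengths.append(len(path) - path[x])
        for y in path:
            seen[y] = True
    return sorted(lengths)


def bernoulli_matches_real_map(n):
    """Under the Monna map, B_n is y -> 2y mod 1 for every n-digit y."""
    return all(monna(bernoulli_discrete(x, n), n) == (2 * monna(x, n)) % 1
               for x in range(2 ** n))


def tent_matches_real_map(n):
    """Under the Monna map, T_n is y -> 2y for y < 1/2 and y -> 2 - 2y - 2^-n
    for y >= 1/2 (the tent map, one last-place unit low on the odd branch)."""
    ulp = Fraction(1, 2 ** n)
    for x in range(2 ** n):
        y = monna(x, n)
        expected = 2 * y if y < Fraction(1, 2) else 2 - 2 * y - ulp
        if monna(tent_discrete(x, n), n) != expected:
            return False
    return True


if __name__ == "__main__":
    for n in (3, 4, 5, 6):
        print(n, max(steps_to_zero(x, n) for x in range(2 ** n)),
              cycle_lengths(bernoulli_discrete, n), cycle_lengths(tent_discrete, n))
```

The cycle decomposition is the operational test a practitioner wants: a map intended as a generator must show one cycle of length $2^n$ at every precision, and anything shorter is a proper invariant subset, which is what these two discretizations exhibit.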
Thus, any ergodic transformation of a finite set (which is endowed with the natural uniform probability measure) must necessarily be transitive, i.e., must permute all elements of the set cyclically. In other words, these considerations show that computer simulations of Archimedean ergodic systems are indeed inadequate, since the corresponding programs clearly exhibit non-ergodic behaviour. On the contrary, the results of the present paper demonstrate that whenever one considers an ergodic transformation of the space of 2-adic integers that satisfies the Lipschitz condition with constant 1, any restriction of this transformation to $n$-bit precision remains ergodic. Thus, digital computers are perfect for simulating the behaviour of these 2-adic dynamical systems: in the paper, the corresponding dynamics was used to construct effective pseudorandom generators with prescribed characteristics. Numerous computer experiments with these programs (e.g., the ones undertaken during the development of the ABC stream cipher [8]) are in full agreement with the theory presented above. In our view, these considerations give us another piece of evidence that a non-Archimedean (namely, 2-adic) metric is natural for digital computers, whereas the Archimedean metric is not.

Yet another piece of evidence is given by the following observation: every digital computer, even the simplest one, can, by its very origin, properly operate with 2-adic numbers. Let's undertake the following 'computer experiment'. Start MS Windows XP and run the built-in Calculator. Switch to Scientific mode. Press Dec (that is, switch to decimals), press 1, then +/-. The calculator returns -1, as prescribed. Now, press Bin, switching the calculator to binaries. The calculator returns ...111 (64 ones), a 2-adic representation of -1, up to the highest precision the calculator can achieve, 64 bits.
(Here a programmer will most likely say that the calculator just uses the two's complement.) Now press Dec again; the calculator returns 18446744073709551615. This number is congruent to -1 modulo $2^{64}$. Now press successively /, 3, =, Bin, thus dividing the number by 3 and representing the result in binary form. The calculator returns ...10101010101, a 2-adic representation of $-1/3$, with 2-adic precision $2^{-64}$. Indeed, switching back to Dec we obtain 6148914691236517205, a multiplicative inverse of -3 modulo $2^{64}$.

This toy experiment can be performed on most calculators. However, sometimes a calculator returns an erroneous result. This usually happens when the corresponding program is written in a higher-order language. Very loosely speaking, the capability of a calculator to perform 2-adic arithmetic depends on how the corresponding program is written: programs written in assembler are usually more capable of performing 2-adic calculations than the ones written in higher-level languages. Programmers use assembler when they want to exploit the CPU's resources in the most optimal way; e.g., to store negative numbers they use the two's complement rather than reserve a special register for a sign. But the usage of the two's complement of $x$ (that is, of NOT $x$) is just a way to represent a negative integer in 2-adic form, $-x = 1 + \mathrm{NOT}\ x$; see equations (1) of Section 3. Thus, we might conclude that a CPU is used in a more optimal way when it actually works with binary words as with 2-adic numbers. Thus, a CPU looks more 'non-Archimedean-oriented' than 'Archimedean-oriented'.

We human beings are Archimedean creatures: we agree that the surrounding physical world is Archimedean, judging by numerous experiments.
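The calculator experiment above can be replayed in software. The added Python example below (ours, not the paper's code) computes $-1$ and $-1/3$ in $\mathbb{Z}/2^{64}\mathbb{Z}$ and checks the two decimal values quoted above. The inverse of 3 is obtained by the Newton iteration $x \leftarrow x(2 - 3x)$, which doubles the number of correct low-order bits each round; that this is how the inverse is computed is our assumption for illustration, the page only records what the calculator displayed. The identity $-x = 1 + \mathrm{NOT}\ x$ is checked as well. Function names are ours.

```python
def two_adic_inverse(b, bits):
    """Multiplicative inverse of an odd integer b modulo 2^bits by Newton
    iteration x <- x * (2 - b * x). If b*x == 1 (mod 2^m) then the new x
    satisfies b*x == 1 (mod 2^(2m)), so the 2-adic precision 2^-bits is
    reached after O(log bits) rounds (assumed method, not the page's)."""
    if b % 2 == 0:
        raise ValueError("only odd integers are invertible modulo 2^bits")
    mod = 1 << bits
    x, correct = 1, 1               # b * 1 == 1 (mod 2): one correct bit
    while correct < bits:
        x = (x * (2 - b * x)) % mod
        correct *= 2
    return x


def calculator_experiment(bits=64):
    """Replay the experiment with bits-wide two's-complement words:
    the 'Dec' reading of -1, then of -1 / 3."""
    mod = 1 << bits
    minus_one = (-1) % mod                                   # ...111 in Bin
    minus_third = (minus_one * two_adic_inverse(3, bits)) % mod
    return minus_one, minus_third


def negate_via_not(x, bits):
    """-x == 1 + NOT x in Z/2^bits Z, the two's-complement rule."""
    mask = (1 << bits) - 1
    return (1 + (~x & mask)) & mask


if __name__ == "__main__":
    m1, m3 = calculator_experiment()
    print(m1, bin(m1))
    print(m3, bin(m3))                # ends in ...10101010101
    print((3 * m3) % 2 ** 64 == m1)   # 3 * (-1/3) == -1
```

Because every round of the iteration only uses multiplication and subtraction modulo $2^{64}$, it runs on exactly the instructions the paper calls 2-adically continuous, and the result is the same 64-bit word the calculator shows.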
Our experience gives us strong evidence that trajectories of a physical (especially, mechanical) dynamical system admit (as a rule) adequate descriptions by smooth curves in an Archimedean (Euclidean) metric space. Moreover, we can simulate the behaviour of these mechanical systems by other physical processes, e.g., by electrical ones: this way we come to analog computers that can simulate processes of our physical (at least, mechanical) world with arbitrarily high precision, since their internal basic operators are continuous functions with respect to the Archimedean metric.

But then, if we see that a digital computer cannot simulate long-time dynamics even of rather simple Archimedean dynamical systems, yet can simulate non-Archimedean dynamics with arbitrarily high precision, we probably should agree that digital computers are a kind of non-Archimedean device, something like analog computers for the non-Archimedean world, since their internal basic operators are continuous functions with respect to the 2-adic (i.e., non-Archimedean) metric. We believe that these considerations must be taken into account while simulating dynamical systems on digital computers: probably, the simulation will be adequate for non-Archimedean dynamical systems, whereas for Archimedean ones it will not be.

Also, the approach presented in the paper could probably be applied to other problems of computer science, and not only to the problem of pseudorandom generation. For instance, consider an automaton with binary input and binary output. This automaton actually performs a transformation of the space $\mathbb{Z}_2$ of 2-adic integers: the automaton transforms each infinite input string of 0s and 1s into an infinite output string of 0s and 1s (we suppose that the initial state is fixed).
Note that every output $i$-th bit depends only on the input $i$-th bit and on the current state of the automaton. Yet the current state depends only on the previous state and on the $(i-1)$-th input bit. Hence, for every $i = 1, 2, \ldots$, the $i$-th output bit depends only on bits $1, 2, \ldots, i$ of the input string. According to the results of this paper (see Proposition 3.1), the transformation of $\mathbb{Z}_2$ performed by the automaton is compatible, that is, satisfies the 2-adic Lipschitz condition with constant 1 and thus is continuous. So 2-adic analysis can probably be of use in automata theory.

Acknowledgement

I thank Branko Dragovich, Franco Vivaldi, and Igor Volovich for their interest in my work. My special thanks to Andrei Khrennikov for encouraging discussions and hospitality during my stay at Växjö University.

References

[1] V. Anashin. Uniformly distributed sequences of p-adic integers. Mathematical Notes, 55(2):109–133, 1994. Also available from http://crypto.rsuh.ru/papers/anashin-paper2.pdf.
[2] V. Anashin. Uniformly distributed sequences over p-adic integers. In A. J. van der Poorten, I. Shparlinski, and H. G. Zimmer, editors, Number theoretic and algebraic methods in computer science, Proc. Int'l Conf., Moscow June–July 1993, pages 1–18. World Scientific, 1995. Also available from http://crypto.rsuh.ru/papers/anashin-paper1.pdf.
[3] V. Anashin. Uniformly distributed sequences in computer algebra, or how to construct program generators of random numbers. J. Math. Sci., 89(4):1355–1390, 1998. Also available from http://crypto.rsuh.ru/papers/anashin-paper5.pdf.
[4] V. Anashin. Uniformly distributed sequences of p-adic integers, II. Discrete Math. Appl., 12(6):527–590, 2002. Preprint available from http://arXiv.org/abs/math.NT/0209407.
[5] V. Anashin. Pseudorandom number generation by p-adic ergodic transformations. Available from http://arxiv.org/abs/cs.CR/0401030, January 2004.
[6] V. Anashin. Pseudorandom number generation by p-adic ergodic transformations: An addendum. Available from http://arxiv.org/abs/cs.CR/0402060, February 2004.
[7] V. Anashin. Ergodic transformations in the space of p-adic integers. In Andrei Yu. Khrennikov, Zoran Rakić, and Igor V. Volovich, editors, p-adic Mathematical Physics. 2-nd Int'l Conference (Belgrade, Serbia and Montenegro, 15–21 September 2005), volume 826 of AIP Conference Proceedings, pages 3–24, Melville, New York, 2006. American Institute of Physics. Preprint available from http://arXiv.org/abs/math.DS/0602083.
[8] V. Anashin, A. Bogdanov, and I. Kizhvatov. ABC: A New Fast Flexible Stream Cipher, Version 3. Available from http://crypto.rsuh.ru/papers/abc-spec-v3.pdf, 2006.
[9] V. S. Anashin. Non-Archimedean Analysis, T-functions, and Cryptography. Lomonosov Moscow State University, Int'l Summer School "Mathematical Methods and Technologies in Computer Science" Lecture Notes edition, 2006. Preprint available from http://arXiv.org/abs/cs.CR/0612038.
[10] V. S. Anashin. Wreath products in stream cipher design. In Proceedings of the Int'l Security and Counteracting Terrorism Conference, Moscow, 2–3 November 2005, pages 135–161, Moscow, 2006. Lomonosov Moscow State University, NATO-Russia Council. Preprint available from http://arXiv.org/abs/cs.CR/0602012.
[11] Vladimir Anashin, Andrey Bogdanov, and Ilya Kizhvatov. Increasing the ABC Stream Cipher Period. Technical report, ECRYPT, July 2005. http://www.ecrypt.eu.org/stream/papersdir/050.pdf.
[12] R. Benedetto. p-adic dynamics and Sullivan's no wandering domains theorem.
Compositio Mathematica, 122:281–298, 2000.
[13] R. Benedetto. Hyperbolic maps in p-adic dynamics. Ergod. Theory and Dyn. Sys., 21:1–11, 2001.
[14] D. Bosio and F. Vivaldi. Round-off errors and p-adic numbers. Nonlinearity, 13:309–322, 2000.
[15] G. Everest, A. van der Poorten, I. Shparlinski, and T. Ward. Recurrence Sequences, volume 104 of Math. Surv. and Monographs. Amer. Math. Soc., 2003.
[16] M. Gundlach, A. Khrennikov, and K.-O. Lindahl. Ergodicity on p-adic sphere. In German Open Conference on Probability and Statistics, page 61. University of Hamburg, March 21–24 2000.
[17] A. Katok and B. Hasselblatt. Introduction to the Modern Theory of Dynamical Systems. Cambridge University Press, 1998.
[18] A. Yu. Khrennikov and M. Nilsson. p-adic Deterministic and Random Dynamics. Kluwer Acad. Publ., 2004.
[19] A. Klapper and M. Goresky. Feedback shift registers, 2-adic span, and combiners with memory. J. Cryptology, 10:111–147, 1997.
[20] A. Klimov and A. Shamir. A new class of invertible mappings. In B. S. Kaliski Jr. et al., editors, Cryptographic Hardware and Embedded Systems 2002, volume 2523 of Lect. Notes in Comp. Sci., pages 470–483. Springer-Verlag, 2003.
[21] D. Knuth. The Art of Computer Programming, volume 2. Addison-Wesley, Third edition, 1998.
[22] N. Koblitz. p-adic Numbers, p-adic Analysis, and Zeta-functions. Springer-Verlag, 1977.
[23] L. Kotomina. Fast nonlinear congruential generators. Diploma Thesis, Russian State University for the Humanities, Moscow, 1999.
[24] L. Kuipers and H. Niederreiter. Uniform Distribution of Sequences. John Wiley & Sons, N. Y., etc., 1974.
[25] M. V. Larin. Transitive polynomial transformations of residue class rings. Discrete Mathematics and Applications, 12(3):127–140, 2002.
[26] Hans Lausch and Wilfried Nöbauer. Algebra of Polynomials. North-Holl. Publ. Co., American Elsevier Publ. Co., 1973.
[27] Shujun Li. When chaos meets computers. Available from http://arxiv.org/abs/nlin.CD/0405038, June 2004.
[28] K. Mahler. p-adic Numbers and their Functions, volume 76 of Cambridge tracts in Mathematics. Cambridge Univ. Press, 1980.
[29] R. Rivest. Permutation polynomials modulo $2^w$. Finite fields and appl., 7(2):287–292, 2001.
[30] R. Rivest, M. Robshaw, R. Sidney, and Y. L. Yin. The RC6 block cipher. Technical report. Available from http://www.rsa.com/rsalabs/rc6/.
[31] B. Schneier. Applied Cryptography. Wiley, 1996.
[32] V. N. Vapnik. Statistical learning theory. Wiley, New York, 1998.
[33] F. Vivaldi and I. Vladimirov. Pseudo-randomness of round-off errors in discretized linear maps on the plane. Int. J. of Bifurcations and Chaos, 13:3373–3393, 2003.
[34] V. Vovk, A. Gammerman, and G. Shafer. Algorithmic learning in a random world. Springer, 2005.
[35] F. Woodcock and N. P. Smart. p-adic chaos and random number generation. Exp. Math., 7:334–342, 1998.