; = Vi2m+1whereVi is some integer and letfibe the number of; = Vi2m+1. Thus, M2s= l i=1 fiVi2s22s(m+1): (6) From (5) M0 60 10qM40+ 16q2M20 = M60 10qM4+ 16q2M2 = 8q3 l i=1 fiVi2(Vi20 4)(Vi20 1) = 0:
Therefore, the only possible value ofViare0; 61, and 62. Thus as in the case ofCBCH? , for 6= ,
; 2 0; 6 2q; 6 8q :
Since the first three even momentsM2s; M2s0 fors = 1; 2; 3 are the
same, it follows that the two codes have the same weight distribution.
REFERENCES
[1] S. Boztas¸ and P. V. Kumar, “Binary sequences with Gold-like correla-tion but larger linear span,” IEEE Trans. Inform. Theory, vol. 40, pp. 532–537, Mar. 1994.
[2] A. Canteaut, P. Charpin, and H. Dobbertin, “Binarym-sequences with three-valued crosscorrelation: A proof of Welch’s conjecture,” IEEE Trans. Inform. Theory, vol. 46, pp. 4–8, Jan 2000.
[3] A. Chang, “Minimum distance and decoding algorithm for cyclic codes,” Ph.D. dissertation, Univ. So. Calif., Los Angeles, CA, 1998. [4] A. Chang, P. Gaal, S. W. Golomb, G. Gong, and P. V. Kumar, “On a
sequence conjectured to have ideal 2-level autocorrelation function,” in IEEE Int. Symp. Information Theory, Cambridge, MA, Aug. 16–21, 1998, p. 468.
[5] A. Chang, T. Helleseth, and P. V. Kumar, “Further results on a conjec-tured 2-level autocorrelation sequence,” in 36th Ann. Allerton Conf. Communication, Control and Computing, Allerton, IL, Sept. 23–25, 1998.
[6] J. Dillon and H. Dobbertin, Cyclic difference sets with Singer parame-ters, to be published.
[7] H. Dobbertin, “Kasami power functions, permutation polynomials and cyclic difference sets,” in NATO-A.S.I. Workshop, Bad Windsheim, Ger-many, Aug. 3–14, 1998.
[8] R. Gold, “Maximal recursive sequences with 3-valued recursive cross-correlation functions,” IEEE Trans. Inform. Theory, vol. IT-14, pp. 154–156, Jan. 1968.
[9] G. Gong and S. W. Golomb, “Hadamard transforms of three-term se-quences,” IEEE Trans. Inform. Theory, vol. 45, pp. 2059–2060, Sept. 1999.
[10] C. R. P. Hartmann and K. K. Tzeng, “Generalization of the BCH bound,” Inform. Contr., vol. 20, pp. 489–498, 1972.
[11] T. Helleseth and P. V. Kumar, “Pseudonoise sequences,” in The Mobile Communications Handbook, J. Gibson, Ed. New York: CRC Press and IEEE Press, 1996.
[12] , “Sequences with low correlation,” in Handbook of Coding Theory, V. Pless and C. Huffman, Eds. Amsterdam, The Netherlands: Elsevier, 1998.
[13] T. Kasami, “Weight distributions of Bose–Choudhary–Hochquengham codes,” in Combinatorial Mathematics and its Applications. Chapel Hill, NC: Univ. North Carolina Press, 1969.
[14] P. V. Kumar and C.-M. Liu, “On lower bounds to the maximum correla-tion of complex roots-of-unity sequences,” IEEE Trans. Inform. Theory, vol. 36, pp. 633–640, May 1990.
[15] F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correcting Codes. Amsterdam, The Netherlands: North Holland, 1979. [16] B. R. McDonald, Finite Rings with Identity. New York: Marcel
Dekker, 1974.
[17] R. J. McEliece, “On periodic sequences from GF(q),” J. Combin. Theory, vol. 10, no. 1, pp. 80–91, Jan. 1971.
[18] J.-S. No, S. W. Golomb, G. Gong, H.-K. Lee, and P. Gaal, “Binary pseu-dorandom sequences of period2 01 with ideal autocorrelation,” IEEE Trans. Inform. Theory, vol. 44, pp. 814–817, Mar. 1998.
[19] D. V. Sarwate and M. B. Pursley, “Crosscorrelation properties of pseu-dorandom and related sequences,” Proc. IEEE, vol. 68, pp. 593–619, 1980.
[20] T. Schaub, “A linear complexity approach to cyclic codes,” Ph.D. dis-sertation, Swiss Federal Ins. Technol., Zurich, Switzerland, 1988.
Fourier Transforms and the -Adic Span of Periodic Binary Sequences
Mark Goresky, Associate Member, IEEE,
Andrew M. Klapper, Member, IEEE, and Lawrence Washington
Abstract—An arithmetic or with-carry analog of Blahut's theorem is
pre-sented. This relates the length of the smallest feedback with-carry shift reg-ister to the number of nonzero classical Fourier coefficients of a periodic binary sequence.
Index Terms—Blahut's theorem, feedback register, Fourier coefficients,
periodic binary sequence,2-adic numbers.
I. INTRODUCTION
The purpose of this correspondence is to develop an arithmetic analog of Blahut's theorem [1], [3], which relates the linear span of a sequence to its discrete Fourier transform. For comparison, let us recall this theorem. LetS = a0; a1; 1 1 1 be a periodic binary sequence
with periodL. The linear span of S, denoted (S), is the length of the shortest linear recurrence satisfied byS or, equivalently, the size of the smallest linear feedback shift register that generatesS. It is an important measure of the complexity of a sequence, and it is used in a number of engineering applications. For example, suppose thatS is to be used as the key in a stream cipher. The Berlekamp–Massey algorithm can be used by a cryptanalyst to recover the sequence once
2(S) bits of S are known. Thus S is secure only if (S) is large.
Let be a primitive Lth root of unity in some field extension F of GF(2). (Such a exists if and only if L is odd. Various work has been done to extend Blahut's theorem to the case whenL is even, [4].) The
kth discrete Fourier coefficient of S is ak=
L01 i=0
aiki2 F:
Blahut's remarkable theorem says that the linear span ofS is equal to the number of nonzero discrete Fourier coefficients ofS. It makes
Manuscript received October 19, 1997; revised October 25, 1999. The work of A. Klapper was supported in part by NSF under Grant NCR-9400762. The work of L. Washington was supported in part by NSA under Grant MDA904-96-10036.
M. Goresky is with the School of Mathematics, Institute for Advanced Study, Princeton, NJ 08540 USA (e-mail: [email protected]).
A. M. Klapper is with the Department of Computer Science, 763H Anderson Hall, University of Kentucky, Lexington, KY 40506-0046 USA (e-mail: [email protected]).
L. Washington is with the Department of Mathematics, University of Mary-land, College Park, MD 20742 USA (e-mail: [email protected]).
Communicated by D. Stinson, Associate Editor for Complexity and Cryptog-raphy.
Publisher Item Identifier S 0018-9448(00)01669-2. 0018–9448/00$10.00 © 2000 IEEE
precise the common observation that a “complex” signal is one with many nonzero Fourier components.
Recently, two of the authors have developed an approach to pseudo-random sequences which is based on feedback with carry shift registers (or FCSR’s) [2]. It is in many ways analogous to the usual theory which is based on linear feedback shift registers. We include here just enough detail of the theory of FCSR's for our current purposes. An FCSR con-sists of a shift register and a small amount of auxiliary memory. For any periodic sequenceS, the size of the smallest FCSR that generates
S is called the 2-adic span and is denoted by 2(S). There is an
algo-rithm which is an analog of the Berlekamp–Massey algoalgo-rithm. Given approximately22(S) bits of S, it outputs the smallest FCSR that
gen-eratesS. FCSR’s can be thought of as arithmetic or with-carry analogs of linear feedback shift registers, and are related to arithmetic codes in much the same way that linear feedback shift registers are related to error-correcting codes.
The discrete Fourier transform (described above) does not appear to be the “correct” transform for the study of sequences generated by FCSR's, and it is not immediately obvious what the best replacement should be. In this correspondence, we show that the usual (complex) Fourier transform is an appropriate vehicle for the study of FCSR se-quences, and we use it to describe an analog of Blahut's theorem for the2-adic span of a sequence. Not only does this give a “shift register” interpretation for the usual (complex) Fourier transform of a periodic binary sequence, but it also adds another entry to the long and growing list of parallels between the theory of LFSR sequences and the theory of FCSR sequences.
II. STATEMENT OF THERESULT
In what follows we letS = a0; a1; 1 1 1 be a periodic binary sequence
with periodL and let 2 CCC be a complex primitive Lth root of unity.
Definition II.1: Fork = 0; 1; 1 1 1 ; L01, the kth Fourier coefficient
is
^ak= L01
i=0
aiki2 CCC:
The set of Fourier coefficients is the Fourier transform ofS. We denote by(S) the number of nonzero Fourier coefficients of S.
The sequenceS can be interpreted as the coefficients of a 2-adic
integer
= 1
i=0 ai2i:
Such a series does not converge in the usual sense. Nevertheless, the set of such2-adic integers forms a ring ZZZ2. (An elementary review of the2-adic integers is presented in [2].) The ring ZZZ2of2-adic integers contains all the (usual) rational numbers with odd denominator. It turns out that, sinceS is periodic, the 2-adic integer is in fact a rational number, which we may write in lowest terms as
= 0pq
withp and q relatively prime, and 0 p < q. The 2-adic complexity is82(S) = log2(q). It differs from the 2-adic span by the number
of memory bits in the FCSR which is, in any case, no more than
log2(82(S)) and is completely analyzed in [2]. Our main result is Theorem II.2: LetS be a periodic binary sequence of period L.
Then the2-adic complexity 82(S) is bounded as follows: 82(S) < (S) + 2!(L)01
where!(L) denotes the number of distinct positive prime divisors of
L.
The “error” term2!(L)01is sharp, as the following result shows. The obstacle to obtaining a corresponding lower bound is that it is very difficult to estimate the cancelation between the numerator and denom-inator in the expression = 0h(2)=u(2) in Section III below. How-ever, in Section V we derive a lower bound for82(S) based on the
upper bound.
Proposition II.3: Let > 0. Then there exist periodic binary
se-quencesS with !(L) arbitrarily large such that
82(S) > (S) + (1 0 )2!(L)01:
Also, there exist periodic binary sequencesS with !(L) arbitrarily large such that
82(S) < (S) 0 (1 0 )2!(L)01:
The proof is given in Section IV.
III. PRELIMINARIES TO THEPROOF
There is a useful polynomial that connects the2-adic interpretation of a sequence with the definition of the Fourier coefficients
f(x) = L01
i=0 aixi:
Here we think off(x) as a polynomial with complex coefficients. Thus thenth Fourier coefficient is f(n) and the associated 2-adic integer is
= f(2)20+ f(2)2L+ f(2)22L+ 1 1 1 = 0f(2)2L0 1: (1) Now reduce to lowest terms, say = 0p=q, so that 82(S) = log2(q).
We need to find a relation betweengcd (f(2); 2L0 1) (the greatest common divisor) and the number of vanishing Fourier coefficients
f(k). In fact, we will relate both of these to the polynomial gcd (f(x); xL0 1) (which by Galois theory has integer coefficients).
Let
g(x) = gcd(f(x); xL0 1) and f(x) = g(x)h(x)
andxL0 1 = u(x)g(x). First, we claim that (S) = deg (u). Note that^an 6= 0 if and only if f(n) 6= 0 if and only if g(n) 6= 0 if
and only ifu(n) = 0. The last equivalence follows from the fact that
u(x)g(x) = xL0 1, and so each Lth root of unity nappears as a
root of exactly one ofu(x) and g(x). Note also that u(x) has exactly
deg (u) complex roots, and all are of the form n. Hence the number
of nonzero Fourier coefficients satisfies
(S) = deg (u): (2)
Next we bound82(S). Factoring g(2) out of the numerator and
de-nominator in (1) we obtain
= 0h(2)u(2) :
Ifh(2) and u(2) were relatively prime then we would have 82(S) = log2(u(2)). However, this is not always the case (even though the
poly-nomialsh(x) and u(x) are relatively prime, as polynomials with ra-tional coefficients.) The best we can say is that
82(S) log2(u(2)): (3)
Recall that thenth cyclotomic polynomial cn(x) is the minimal
poly-nomial (with integer coefficients) of the primitiventh roots of unity (that is, the monic polynomial of smallest degree that vanishes on the complex numberexp [2i=n]). Its degree is Euler's phi function (n), the number of positive integersj n that are relatively prime to n. Recall also [5, Proposition. 13.2.2] that
xL0 1 = njL
cn(x)
(wherenjL means that n is a divisor of L).
Sinceu(x) divides xL01, it must be a product of distinct cyclotomic polynomials
u(x) = t j=1
cn (x) (4)
withnj dividing L. Thus a bound for cn (2) leads to a bound for
82(S).
Proposition III.1: Letn be a positive integer and let m =
pjn
p = s(n)
(the product taken over all positive prime divisorsp of n) denote the largest square-free integer dividingn. Let q = n=m. Then
1 0 20q< cn(2) 2(n) < 1
ifn has an even number of distinct positive prime divisors, and
1 < c2n(n)(2) < (1 0 20q)01
ifn has an odd number of distinct positive prime divisors.
Proof: Recall the Möbius function, which is defined for
posi-tive integersn by
(n) = (01)k; if n is square-free and has k distinct positive
prime factors, and
= 0; otherwise:
Following are four basic properties of (see [5, Sec. 2.2]). 1)
jjn
(j) = 0;1; ifn > 1
ifn = 1: 2) (ab) = (a)(b) if a and b are relatively prime. 3)
jjnj(n=j) = (n).
4) cn(x) = jjn(x
j0 1)(n=j).
The fourth property is obtained by applying the Möbius inversion for-mula [5, Sec. 2.2] to the relationxn0 1 = djncd(x).
The fourth and third properties imply that
cn(2) = jjn
(2j0 1)(n=j)= 2(n) jjn
(1 0 20j)(n=j)
so it remains to estimate the latter product. We first need the following.
Lemma III.2: Letd 1 and let 0 < x 1=2. Then 1
j=d+1
(1 0 xj) > 1 0 xd:
Proof: The logarithm of the left-hand side can be expanded as 1 j=d+1 ln(1 0 xj) = 0 1 i=1 1 j=d+1 xij i : Since 1 j=d+1 xij 1 k=id+1 xk xid
with both inequalities being equalities only wheni = 1 and x = 1=2, we obtain 1 j=d+1 ln(1 0 xj+1) > 0 1 i=1 xid i = ln(1 0 xd):
This yields the lemma.
Returning to the proof of Proposition 3.1, assumem has an even number of distinct positive prime factors, so(m) = 1. Let q = n=m. Recall that(n=j) 6= 0 only when n=j is square-free, which is equiv-alent toq dividing j. Write j = qk. The condition jjn becomes kjm, and we have
jjn
(1 0 20j)(n=j)= kjm
(1 0 20qk)(m=k):
The first factor in this product is(1 0 20q)(m) = 1 0 20q. The remaining product is bounded above by
1 k=2
(1 0 20qk)01< (1 0 20q)01
by Lemma 3.2. This yields
cn(2) 2(n) =
jjn
(1 0 20j)(n=j)< 1:
To get a lower bound, note that the first nontrivial factor in
kjm
(1 0 20qk)(m=k)
is whenk = 1 and the second is when k is the smallest positive prime factorp of m. Since m has an even number of positive prime factors,
m=p has an odd number of positive prime factors, so (m=p) = 01.
The product for the remaining values ofk is bounded below by
k>p
(1 0 20qk) > (1 0 20qp):
This yields
cn(2)
2(n) > (1 0 20q)(1 0 20qp)01(1 0 20qp)
which yields the result.
The case whenm has an odd number of positive prime factors is similar.
Proposition III.3: Fix a positive square-free integerm 1. Then
s(n)=m
log2 c2n(n)(2) = 0(m)
Proof: The fact that all terms have the same sign follows
imme-diately from Proposition 3.1.
Observe that two integersm and n have exactly the same prime fac-tors if and only if each divides a power of the other. For simplicity, we writemjn1to mean thatm divides some power of n. For a square-free integerm, this is equivalent to mjn.
Now fix a positive squarefree integerm. We have s(n) = m if and only ifmjn and njm1. Moreover, a positive integerq occurs as n=m for somen with s(n) = m if and only if qjm1.
As in the proof of Proposition 3.1
cn(2) 2(n) = jjm (1 0 20jq)(m=j) whereq = n=m. Therefore, s(n)=m cn(2) 2(n) = qjm jjm (1 0 20jq)(m=j):
We want to rewrite this product as a product of factors (1 0 20k), each occuring to some power. No such factor occurs more than m (actually, no more than the number of positive divisors of m) since each occurence corresponds to a distinct divisor j of k. Moreover,
1
k=1(1020k)mconverges to a nonzero number. Therefore, the above
products converge “absolutely” (i.e., their logarithms are absolutely convergent series), so the rearrangement of the factors in the above in-finite products is justified.
Next we determine the exponent with which a factor(1 0 20k) oc-curs. The integerk occurs as a product jq, with qjm1andjjm, exactly whenkjm1. Fix such ak. The condition k = jq automatically implies
qjm1. The values ofj that yield k (i.e., k = jq for some q) are
there-fore exactly those that satisfy bothjjm and jjk. This is equivalent to
jjgcd (m; k). Therefore, the factor (1020k) occurs in the last product
with exponent
jjgcd(m;k)
(m=j):
Writem = gcd (m; k)m0. Sincem is square-free, gcd (m; k) and m0 are relatively prime, so(m=j) = (gcd (m; k)=j)(m0), by Prop-erty 2 of. Therefore, we obtain
(m0)
jjgcd (m;k)
(gcd (m; k)=j) = 0; whengcd (m; k) 6= 1
by Property 3 of , since gcd (m; k)=j runs though all the positive divisors ofgcd (m; k). Since kjm1, we havegcd (m; k) = 1 if and only ifk = 1, which corresponds to q = j = 1. Therefore, the product reduces to
(1 0 201)(m)= 20(m):
This completes the proof of Proposition 3.3.
Lemma III.4: Any integer L > 1 has 2!(s(L))01 positive square-free divisors with an odd number of positive prime factors.
Proof: The positive square-free divisors ofL are in one-to-one
correspondence with the subsets of the set of positive prime divisors of L. There are 2!(L) such subsets in all, half of which have even cardinality.
IV. PROOF OFTHEOREM2.2 It follows from (2) that
log2(u(2)) = t j=1 log2 cn (2) = t j=1 (nj) + log2 cn (2) 2(n ) = deg(u) + t j=1 log2 cn (2) 2(n ) :
Lets(nj) = mj. LetE and O denote the sets of positive square-free divisors ofL with (mj) = 1 and (mj) = 01, respectively. We
obtain
log2(u(2)) deg(u) + m 2O
log2
cn (2) 2(n )
since the terms withmj2 E are negative by Proposition 3.1. If there
are two or morenjwith the samemj, then group them together. We obtain a subsum of the sum in Proposition 3.3. Since all the terms in the sum of Proposition 3.3 are positive, the proposition gives the upper bound of1 for our subsum. By Lemma 3.4, there are at most 2s(L)01 distinct values ofmj 2 O. Therefore,
log2(u(2)) < deg (u) + 2!(L)01:
Theorem II.2 then follows from (2) and (3).
Proof of Proposition II.3: We finish by proving Proposition II.3.
LetN be a natural number and let p1 < p2 < 1 1 1 < pN be primes such that1 0 210p > 20. LetL = p1p21 1 1 pN and letn1; 1 1 1 ; nt
run through all positive divisors ofL such that (ni) = 01. Then t = 2N01by Lemma 3.4. Let
= c 01
n (2) 1 1 1 cn(2) = 0pq
in the notation of Section II, and letS be the corresponding periodic binary sequence. Then
(S) = i deg cn (X) = i (ni) and 82(S) = i log2(cn(2)) : We have cn(2) 2(n ) = jjn (1 0 20j)(n =j) > (1 0 201)01 jp (1 0 20j) > 2(1 0 210p ) by Lemma 3.2 > 210: Therefore, 82(S) > t i=1 ((ni) + (1 0 )) = (S) + (1 0 )2N01:
SinceN = !(L), we are done. The proof of the second half of Propo-sition 2.3 is obtained in a similar way by usingniwith(ni) = 1.
V. LOWERBOUNDS
In this section we derive a lower bound for8(S) using the upper bound in Theorem II.2. LetT = b0; b1; 1 1 1 be the sequence derived fromS by complementing the first bit in every period. That is,
bi= 1 0 aa i; ifLji i; else: We let = 1 i=0 bi2i
be the2-adic integer associated with T . We have
= 0x=y = 0xw=(2L0 1)
for some integersx, y, and z with wy = 2L0 1. T is periodic so, by Theorem II.2
82(T ) < (T ) + 2!(L)01:
For the Fourier coefficients ofT we have ^bk= 1 0 2a0+ ^ak. For
any integerc, we let
c(S) = jfk : ^ak6= cgj:
Then we have
(T ) = 102a (S):
To estimate the2-adic complexity of T , note that
= 0 1 0 2a2L0 10 = 0 1 0 2a2L0 10+ pz:
Thus102a0+pz = xw. Since 102a0is plus or minus one, it follows thatz is relatively prime to w. However, z divides 2L0 1 = yw, so z dividesy. Hence
82(T ) = log2(y) log2(z) = log2((2L0 1)=q) = log2(2L0 1) 0 log
2(q):
We have proved the following lower bound.
Theorem V.1: LetS be a periodic binary sequence of period L: Then 82(S) > log2(2L0 1) 0 102a (S) 0 2!(L)01:
REFERENCES
[1] R. Blahut, “Transform techniques for error-control codes,” IBM J. Res. Develop., vol. 23, pp. 299–315, 1979.
[2] A. Klapper and M. Goresky, “Feedback shift registers,2-adic span, and combiners with memory,” J. Crypt., vol. 10, pp. 111–147, 1997. [3] J. Massey, “Cryptography and system theory,” in Proc. 24th Allerton
Conf. Communication, Control, and Computers, Oct. 1–3, 1986. [4] J. Massey and S. Serconek, “Linear complexity of periodic sequences: A
general theory,” in Advances in Cryptology—CRYPTO 97, N. Koblitz, Ed., pp. 358–371. (Springer Lecture Notes in Computer Science, vol. 1109, New York: Springer Verlag, 1997.).
[5] K. Ireland and M. Rosen, “A classical introduction to modern number theory (second edition),” in Graduate Texts in Mathematics. New York: Springer Verlag, 1990, vol. 84.
A Lower Bound on the Linear Span of an FCSR
Changho Seo, Sangjin Lee, Yeoulouk Sung, Keunhee Han, and Sangchoon Kim
Abstract—We have derived a lower bound on the linear span of a binary
sequence generated by a Feedback with Carry Shift Register (FCSR) under the following condition: is a power of a prime such that = (
2) and (= 2 + 1) where both and are2-prime. This allows us to design FCSR stream ciphers similar to previously proposed Linear Feedback Shift Register (LFSR) stream ciphers.
Index Terms—Feedback with carry shift register (FCSR), linear
feed-back shift register (LFSR), linear span,2-adic span.
I. INTRODUCTION
The forthcoming information society requires ultra-high speed data communications. It also demands the communication channel to be secure. One of the most common technology is to use stream cipher. Hence the development of a good random number generator has been a hot topic in cryptology. Linear Feedback Shift Register (LFSR) [2] has been widely used as fast random number generators. A good stream cipher [1], should have good randomness, high period, linear span, and security against any known attack such as correlation attack. The size of the smallest LFSR that generates a given periodic sequence is called the linear span; it is an important measure of the cryptographic security of sequences. Such a shift register may be found efficiently using Berlekamp–Massey algorithm [1], which may be interpreted as the continued fraction expansion off(x)=g(x) in the ring Z=(2)[x] of formal power series. Thereby, LFSR has some weakness with respect to the linear span.
In 1994, Klapper and Goresky [4] proposed a new type of random number generator called Feedback with Carry Shift Register (FCSR). This register is equipped with an algebraic framework for analysis anal-ogous to that that in LFSR. This algebraic structure is based on algebra over the2-adic numbers [6] in which the sequences generated by FCSR can be analyzed, in the same way as the algebra over finite fields can be used to analyze LFSR sequences.
In this correspondence, we have derived a lower bound on the linear span of a binary sequence generated by a Feedback with Carry Shift Register (FCSR) with connection integerq; q is a power of a prime such thatq = re(e 2) and r (= 2p + 1); where both r and p are
2-prime.
In Section II, we briefly review FCSR and derive the linear span of an FCSR in Section III. Finally, Section IV contains the conclusion.
Manuscript received May 4, 1998; revised August 12, 1999. The work of Y. Sung was supported in part by the Research Institute of Basic Sciences, Kongju National University.
C. Seo and Y. Sung are with the Department of Applied Mathematics, Kongju National University, Kongju-city, 314–110, South Korea.
S. Lee is with the Department of Mathematics, Korea University, Chochiwon, 339-800, South Korea.
K. Han and S. Kim are with the Coding Technology Section, Electronics and Telecommunications Research Institute, Taejeon, 305–350, South Korea.
Communicated by D. Stinson, Associate Editor for Complexity and Cryptog-raphy.
Publisher Item Identifier S 0018-9448(00)01674-6. 0018–9448/00$10.00 © 2000 IEEE
