On the distribution of Low Hamming Weight products

Jeffrey Hoffstein et al. (Discrete Appl. Math. 130:37–49, 2003) introduced the Low Hamming Weight products (LHWP) X = x1x2x3 as random exponent of elements in a group or a ring to improve the operational efficiency, where each xi has Hamming Weight Ham(xi) in its binary representation. The random power or multiple be used in many cryptographic constructions, such as Diffie–Hellman key exchange, elliptic curve ElGamal variants, and NTRU public-key cryptosystem. But their randomness is just a conjecture, which lacks of the security proof. The main purpose of this paper is using the analytic method and the properties of the character sums to prove the distribution of the Hamming weight products, which is related to their pseudorandomness and unpredictability. It is important to research the application of LHWP in cryptographic constructions. Our theory shows that the LHWP are exponentially close to the uniform distribution, namely, an attack on algorithm (Hoffstein et al. in Discrete Appl. Math. 130:37–49, 2003) needs polynomial time to reach exponentially close probabilities of success.


Background
Jeffrey Hoffstein and Joseph H. Silverman [1] proposed a new algorithm of fast exponentiation via Low Hamming Weight Products (LHWP), which is universally applied in cryptography. For example, Diffie-Hellman key exchange needs to output a random power of g k in a finite field F , if input an element g in F . Divesh Aggarwal [2] introduced a new public-key cryptosystem whose security is based on the Mersenne Low Hamming Weight Ratio: there exist two Low Hamming Weight integers A and B such that A B is difficult to distinguish from a uniformly random string. NTRU algorithm [3][4][5] is suspected to be resistant to quantum attacks, their key generation requires a random polynomial product fg in the ring.
The products X = x 1 x 2 x 3 of integers in [1] acts as the exponent over G = F 2 n , where each x i is a low Hamming weight number in its binary representation. It is a rapid method and has significant advantage of reducing the computation of powers in a group such as the Galois field F 2 n . These kinds of questions also appear in [2,[6][7][8][9], where the representation of LHWP is applied to attack the relevant cryptosystems, and the Hamming weight model can be concentrated on the Differential Power Analysis.
The efficiency of the algorithm [1] is based on an assumption that a random multiplier is a product of factors, which is called the Low Hamming Product Assumption (see Definition 2). The security of the algorithm [2] is based on the assumption of Low Hamming Weight Ratio. They are all believed to be easily and rapidly computed, however, their randomness or pseudorandomness just is a conjecture, which is widely used, but lacks the solid foundation.
The main purpose of this paper is by using the analytic method and the bounds of the character sums to prove that the LHWP are exponentially close to the uniform distribution, which can imply their pseudorandomness. Furthermore, the theorem shows the unpredictability of LHWP. In addition, an attack on algorithm [1] needs polynomial time to reach exponentially close probabilities of success. The following are the definitions of low Hamming weight and some fundamental concepts required: Denote by Ham(X) = Hamming weight of X the number of 1s in the binary representation of X. In order to compute X faster, it is more advantageous to choose X such that Ham(X) is small. However, if Ham(X) is too small, then the algorithm can be exploited by an attacker who is trying to operate brutally. Let p > 2 n be a prime, and let Z p be the residue integer ring modulo p. All elements c ∈ Z p have the unique binary representation with a fixed specified binary Hamming weight h = k i . The Hamming weight number is equivalent to the Hamming distance from the all-zero string of the same length, which is widely used in several disciplines including information theory, coding theory, and cryptography. For example, the Hamming weight operation can be interpreted as a conversion from the unitary numeral system to binary numbers. Victor K Wei shows that a generalized Hamming weight is a natural generalization of the minimum distance. It is used to characterize the cryptographic performance of a linear code over the wire-tap channel (see [10]).

Definition 2 (Low Hamming product assumption) Let h be an integer. Given n-bit strings
A and B of low Hamming weight h are independent, it is difficult to distinguish between the product AB and a uniformly distributed random n-bit string. The security proof in Sect. 3 also requires the regularity of the probability distributions. The variation distance of two distributions X and Y over a finite domain D is defined Recall that the definition of a statistical distance (sometimes it is called statistical closeness (see [11]) is: Let n ∈ N be an integer, for every positive polynomial p(·), and all sufficient large n, we say that two probability ensembles X n and Y n are statistically close if (X n , Y n ) is a negligible function of 1 p(n) .
Similarly, δ-statistical closeness to uniform distribution (see [12,13]) can be concluded based on the definition of statistical distance: where we taking uniform probabilities of Y to equal 1 p-1 . More precisely, δ-statistically close means that the statistical distance (X) is exponentially small.

Main results
Motivated by the universal use of Hamming weight in cryptography, studying the uniform distribution properties of LHWP is an important and interesting problem because it reveals some quality guarantee of their pseudorandomness. It is crucial for the security of the algorithms. We start with the following problem: Let p > 2 n be a prime and denote by Z p the residue ring modulo p. Given h ∈ Z p , find x 1 , x 2 , x 3 ∈ Z p of Hamming weight h, where x i corresponds to an n-bit string of arbitrary Hamming weight, such that X = x 1 x 2 x 3 exists and is uniformly distributed in Z p . More specifically, is uniformly distributed, where p is a prime. Let B be the set of integers with Hamming weight less than h, that is, if x i ∈ B, and Ham(x i ) ≤ h, where i = 1, 2, 3, then the cardinality |B| = 0≤j≤h n j .
We consider the distribution of modular sums To be more specific, given a fixed c ∈ Z p , denote by N(B, c) the number of solutions of the congruence For such integers x 1 , x 2 , x 3 ∈ B, denote the probability by P(B, c), it is clearly P(B, c) = 1 |B| 3 N(B, c).
In Sect. 4, we shall use the classical bounds of character sums to give a uniform distribution proof for (2), which is related to the security of the algorithm [1]. That is, we shall prove the following Theorem Let 2 n < p < 2 5n be a prime. For some constants δ > 0, > 0, the LHWP x = x 1 x 2 x 3 is δ-statistically close to uniform distribution, namely

Some lemmas
Let χ p be the set of multiplicative characters of the multiplicative group Z * p . Denote by χ * p the subset of nontrivial characters.
In this section, we shall give several necessary lemmas, which appear in the proof of our theorem. First, we have the following  From p < 2 5n , we obtain x∈B χ(X) |B|p -1 40 +o(1) , thus taking γ = 1 40 > 0, the claim of Lemma 1 holds.
Remark The most well known bound of max χ∈χ * p | X∈B χ(X)| is Polya-Vinogradov inequality (see [ which is nontrivial for B ≥ p 1 2 + . However, this bound related to B is too large to be used for our proof. In such cases we apply Lemma 1.
Lemma 2 Let X ∈ B be an integer, its binary representation being an n-bit string of Hamming weight less than h, then |B| = 0≤j≤h n j , therefore, where the entropy function is Proof See [16,Sect. 10.11].

Proof of the Theorem
Recall that (see [17,Chap. 5]) if G is a finite Abelian group (multiplicative) of order |G|, a character χ of G is a homomorphism from G into the multiplicative group U of complex numbers of absolute value 1, that is, a mapping from G into U with χ(g 1 g 2 ) = χ(g 1 )χ(g 2 ) for all g 1 , g 2 ∈ G. Then supposing g and h are elements of a finite Abelian group G, the following is the well-known property of character sums: In this section, we shall complete the proof of our theorem. Note that Clearly , N(B, c) is the number of solutions of the congruence (2), thus we have If χ = χ 0 is the trivial character, then the corresponding term of N(B, c) is |B| 3 /(p -1), Therefore, from Lemma 1, we have Using the Cauchy-Schwarz inequality, we obtain Combining (3) and (4), we can easily get Recalling that p > 2 n , for 0 ≤ γ ≤ 1, A > 0, from Lemmas 1 and 2, as well as (5), for some δ > 0, > 0, the following inequality holds: That is, the statistical distance is exponentially small. We also can conclude that the LHWP are exponentially close to the uniform distribution, namely, and attack on algorithm [1] needs polynomial time to reach exponentially close probabilities of success. This proves the theorem.

Conclusion
Character sums are important and useful tools in the analytic number theory. In this paper we use character sums to prove the pseudorandomness of LHWP, which play a central role in cryptology, algorithms, and many other areas. It is important and meaningful to establish the uniform distribution of such products for giving the security assurance of cryptographic constructions. In addition, we need to emphasize that for our bounds to be nontrivial, the cardinality of the LHWP B should be sufficiently large, however, it also applies to sparse integers.

Notations
Throughout the paper the implied constants in symbols big "O" and " " depend on the small real parameter "γ > 0". Notations A B and A = O(B) are equivalent to |A| ≤ B. The symbol small "o(1)" denotes the function tending to 0.