5

What are some of the simplest known bijections in $\mathbb{Z}/n\mathbb{Z}$?

Offhand, the following classes of primitive bijections come to mind:

  • Addition/subtraction (+/–) of any constant
  • Multiplication ($\times$) by an odd constant (and division of course by multiplicative inverse)
  • Bitwise exclusive-or ($\oplus$) with any constant, or equivalently any inversion ($\lnot$) of specific bits
  • Rotary bit-shifting ($\ll$, $\gg$ with wrap-around)

and the following slightly-more-complex bijections:

  • Bit-reversal (reverse the ordering of bits in a number)
  • In general, any permuted mapping of the base-2 digits (bits) of a number — for example swapping two bits
  • Any maximal-length LFSR (Linear Feedback Shift Register) function

and of course the most general bijection:

  • Any permutation in $\mathbb{Z}/n\mathbb{Z}$

But I'm really most interested in the simplest bijections — that is, functions generally involving a single integer rather than a set of integers (multiplication, addition, exclusive-or, etc. all fit this).

The reason I’m interested is because I want to devise pseudorandom permutations in $\mathbb{Z}/n\mathbb{Z}$ by composing simple arithmetic functions.

So far, I’ve determined that permuting values in $\{0, \ldots, 2^{64}-1\}$ via 4 rounds of multiplication, addition, and bit-reversal (of randomly chosen multipliers and addends) for the case of $n=2^{64}$ is sufficient to pass PractRand for a few trillions of values, which is good for my purposes — but I'm just wondering if there are simpler formulations that produce random-looking permutations.

  • 4
    What's a "primitive bijection"? I know what a primitive permutation group is but I am not sure this is related. – quid May 26 '18 at 00:08
  • 1
    @quid — Ah. By "primitive" I just mean simple, fundamental, or trivial functions. Multiplication by an odd constant in a field of cardinality $2^n$ is an example of a trivial/primitive bijection. That said, I'm not 100% certain I'm using the right terminology. (If I were more familiar with this area, I wouldn't need to ask this question. :) – Todd Lehman May 26 '18 at 00:13
  • 2
    It can easily be argued that permutations are simple and fundamental, so any bijection would be primitive. You would have to make the question a little bit more precise. – Arnaud Mortier May 26 '18 at 00:18
  • 1
    Historically, the first permutations put forward for their pseudorandom potential were the ones taking $x$ to $ax+b$ with $\gcd(a,n)=1$. Lehmer, 1949. – Gerry Myerson May 26 '18 at 02:33
  • @ArnaudMortier — Thanks. I've reworded things a bit. – Todd Lehman May 26 '18 at 03:27
  • 2
    Todd, just to make sure you know. In a field of cardinality $2^n$ all the even elements are equal to zero (so anything non-zero is "odd"). The field of cardinality $2^n$ is NOT the residue class ring of integers modulo $2^n$. It is an algebraic extension of $\Bbb{Z}/2$. Or, yet in other words, $\Bbb{Z}/n\Bbb{Z}$ is NOT a field when $n$ is a power of two. – Jyrki Lahtonen May 26 '18 at 11:59
  • Some links possibly valuable to people who find this question of interest: bijections of a set are permutations, and Wikipedia has articles on pseudorandom permutations and permutation polynomials and useful categories for permutations and pseudorandom number generators that point to some relevant material – Silverfish Sep 19 '23 at 19:28
  • The restriction here to functions $f$ that permute sets of the form $\{0,1,2,\dots,2^{\ell}-1\}$ is not actually a big one here. If I seek $g$ that permutes eg the set $S=\{1677,2717,2977,3757,\dots,9737,9776\}$ of four-digit numbers divisible by 13 in which the digit 7 appears at least twice, it's enough to note $2^{14}>\max(S)$ so we take $\ell=14$. For $x\in S$ let $g(x)=f^p(x)$ where $p$ is the least positive integer for which $f^p(x)\in S$. Just iterate $f$ until the output passes the membership test for $S$! Relevant scicomp SE question – Silverfish Sep 19 '23 at 20:40
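
The round structure the question describes (multiply by an odd constant, add a constant, xor a constant, rotate, bit-reverse, repeated for a few rounds) can be written down with its exact inverse, which is the check a practitioner wants before trusting that a composition of "primitive bijections" really is a bijection. The following is an added example, not code from the question, the answer, or PractRand; the round layout, the seed-derived constants and the hypothetical helper names (`permute`, `unpermute`, `make_rounds`, `is_permutation`) are illustrative choices, it assumes Python 3.8+ for `pow(a, -1, m)`, and no statistical quality is claimed for these particular constants.

```python
"""Composing the 'primitive' bijections from the question (multiply by an odd
constant, add a constant, xor a constant, rotate, bit-reverse) into a keyed
permutation of {0, ..., 2^w - 1}, together with its exact inverse.

Added example; it is not code from the question, the answer or PractRand.
The round structure and the seed-derived constants are illustrative
choices, and no statistical quality is claimed for them.
"""
import random
from typing import List, Tuple

W = 64

# One round key: (odd multiplier a, addend b, xor mask c, rotation r).
RoundKey = Tuple[int, int, int, int]


def rotl(x: int, r: int, w: int = W) -> int:
    """Rotate the w-bit word x left by r bits (wrap-around shift)."""
    r %= w
    mask = (1 << w) - 1
    return ((x << r) | (x >> (w - r))) & mask


def rotr(x: int, r: int, w: int = W) -> int:
    """Rotate the w-bit word x right by r bits; inverse of rotl."""
    return rotl(x, w - (r % w), w)


def bit_reverse(x: int, w: int = W) -> int:
    """Reverse the order of the w bits of x (an involution)."""
    return int(format(x, f"0{w}b")[::-1], 2)


def make_rounds(seed: int, nrounds: int, w: int = W) -> List[RoundKey]:
    """Derive round constants from a seed (hypothetical key schedule).
    The multiplier is forced odd, which is exactly what makes
    x -> a*x invertible modulo 2^w."""
    rng = random.Random(seed)
    rounds = []
    for _ in range(nrounds):
        a = rng.getrandbits(w) | 1
        b = rng.getrandbits(w)
        c = rng.getrandbits(w)
        r = rng.randrange(1, w)
        rounds.append((a, b, c, r))
    return rounds


def permute(x: int, rounds: List[RoundKey], w: int = W) -> int:
    """Apply the rounds in order; every step is a bijection of Z/2^w."""
    mask = (1 << w) - 1
    for a, b, c, r in rounds:
        x = (x * a) & mask        # multiply by an odd constant
        x = (x + b) & mask        # add a constant
        x ^= c                    # xor a constant
        x = rotl(x, r, w)         # rotary shift
        x = bit_reverse(x, w)     # bit reversal
    return x


def unpermute(y: int, rounds: List[RoundKey], w: int = W) -> int:
    """Undo permute(): apply each step's inverse in reverse order."""
    mask = (1 << w) - 1
    mod = 1 << w
    for a, b, c, r in reversed(rounds):
        y = bit_reverse(y, w)
        y = rotr(y, r, w)
        y ^= c
        y = (y - b) & mask
        y = (y * pow(a, -1, mod)) & mask   # multiply by a^{-1} mod 2^w
    return y


def is_permutation(rounds: List[RoundKey], w: int) -> bool:
    """Exhaustive bijectivity check; only feasible for small w."""
    n = 1 << w
    return len({permute(x, rounds, w) for x in range(n)}) == n


if __name__ == "__main__":
    rounds = make_rounds(seed=2018, nrounds=4)
    for x in (0, 1, 2**64 - 1, 0x0123456789ABCDEF):
        y = permute(x, rounds)
        assert unpermute(y, rounds) == x
        print(f"{x:016x} -> {y:016x}")
    # Scaled down to 10 bits so the whole domain can be enumerated.
    print("bijective on 10 bits:", is_permutation(make_rounds(7, 3, w=10), 10))
    # Dropping the 'odd' requirement on the multiplier breaks bijectivity.
    print("even multiplier bijective:", is_permutation([(2, 0, 0, 0)], 8))
```

The exhaustive check is only affordable at small widths, but the algebra is width-independent: each step is invertible modulo $2^w$ for every $w$, so once the composition is verified bijective in principle, the 64-bit instance inherits that property and PractRand-style testing is then a statement about quality, not about bijectivity.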

1 Answer

5

A simple class of permutations (not yet listed) of the ring $R_\ell:=\Bbb{Z}/2^\ell\Bbb{Z}$ is the set of quadratic permutation polynomials.

Proposition. If $a$ is an odd integer, and $b$ is an even integer, then polynomial function $$ p(x)=ax+bx^2+c $$ is a permutation of $R_\ell$.

Proof. Because $R_\ell$ is finite it suffices to show that $p$ is injective. So let's assume that $p(x)\equiv p(y)\pmod{2^\ell}$ for some integers $x,y$. This means that $$ p(x)-p(y)=a(x-y)+b(x^2-y^2)+(c-c)=(x-y)\big(a+b(x+y)\big) $$ is divisible by $2^\ell$. By our assumptions $a$ is odd and $b(x+y)$ is even, so the factor $a+b(x+y)$ is necessarily odd. This means that $p(x)-p(y)$ can be divisible by $2^\ell$ if and only if $x-y$ is divisible by $2^\ell$. But then $x$ and $y$ represent the same coset in $R_\ell$. Q.E.D.


You can find "random enough" permutations within this class already. In 2008 (if memory serves) quadratic permutation polynomials were chosen to be used in the turbo codes of the then current release of the LTE cellular standard. In other words, if your cell operator subscribes to LTE, chances are that your smartphone is computing millions of values of such permutation polynomials per second.

Block lengths other than $n=2^\ell$ are also supported. In general you need $a$ to be coprime to $n$ and $b$ to be divisible by all the prime factors of $n$. The above proof goes through verbatim.

The theory for fine tuning the parameters of $p(x)$ for the purposes of turbo code interleavers was done by Oscar Takeshita and Jing Sun, at Ohio State at the time. The QPP-interleavers allow heavy duty parallelization in the decoding (at the receiving end) which was a major selling point.

Jyrki Lahtonen
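
The Proposition above, and the remark that it extends to a general modulus $n$ when $\gcd(a,n)=1$ and every prime factor of $n$ divides $b$, can be exercised directly. The following is an added example, not code from the answer or from the LTE/turbo-code literature: it checks the permutation property exhaustively for small moduli (including a counterexample with odd $b$), and inverts $p(x)=ax+bx^2+c$ modulo $2^\ell$ with a Newton (Hensel-lifting) iteration, which works because $p'(x)=a+2bx$ is odd, hence invertible, under the Proposition's hypotheses. The helper names and the concrete coefficients are hypothetical illustrative choices, and `pow(d, -1, m)` assumes Python 3.8+.

```python
"""Quadratic permutation polynomials p(x) = a*x + b*x^2 + c on Z/nZ.

Added example, not part of the answer.  It checks the Proposition (and its
generalisation to arbitrary n) by exhaustive enumeration for small moduli,
and inverts p modulo 2^l with a Newton/Hensel iteration, which converges
because p'(x) = a + 2bx is odd whenever a is odd and b is even.
The concrete coefficients used below are arbitrary illustrative choices.
"""
from math import gcd


def qpp(x: int, a: int, b: int, c: int, n: int) -> int:
    """Evaluate p(x) = a*x + b*x^2 + c modulo n."""
    return (a * x + b * x * x + c) % n


def prime_factors(n: int) -> set:
    """Distinct prime factors of n by trial division (n is small here)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def satisfies_condition(a: int, b: int, n: int) -> bool:
    """The answer's sufficient condition for general n:
    gcd(a, n) = 1 and every prime factor of n divides b."""
    return gcd(a, n) == 1 and all(b % q == 0 for q in prime_factors(n))


def is_permutation(a: int, b: int, c: int, n: int) -> bool:
    """Exhaustive check that x -> p(x) is a bijection of {0, ..., n-1}."""
    return len({qpp(x, a, b, c, n) for x in range(n)}) == n


def find_collision(a: int, b: int, c: int, n: int):
    """Return a pair x != y with p(x) = p(y) mod n, or None if p is injective."""
    seen = {}
    for x in range(n):
        y = qpp(x, a, b, c, n)
        if y in seen:
            return seen[y], x
        seen[y] = x
    return None


def invert_qpp_mod_2l(y: int, a: int, b: int, c: int, l: int) -> int:
    """Solve p(x) = y (mod 2^l) for x, assuming a odd and b even.

    Modulo 2 the polynomial collapses to p(x) = x + c, so x = y - c (mod 2)
    is a correct starting point.  Each Newton step x <- x - (p(x) - y)/p'(x)
    is exact modulo 2^l because p'(x) = a + 2bx is odd, and the number of
    correct low-order bits more than doubles per step, so a handful of
    iterations suffice even for l = 64.
    """
    if a % 2 == 0 or b % 2 != 0:
        raise ValueError("need a odd and b even for the Proposition to apply")
    m = 1 << l
    y %= m
    x = (y - c) & 1
    for _ in range(l.bit_length() + 1):
        fx = (qpp(x, a, b, c, m) - y) % m
        if fx == 0:
            break
        dfx = (a + 2 * b * x) % m            # odd, hence invertible mod 2^l
        x = (x - fx * pow(dfx, -1, m)) % m
    assert qpp(x, a, b, c, m) == y, "Newton iteration did not converge"
    return x


if __name__ == "__main__":
    # Proposition: a odd, b even, any c -> permutation of Z/2^l.
    print("a=3, b=2, c=5 mod 16 bijective:", is_permutation(3, 2, 5, 16))
    # Odd b violates the hypothesis and produces a collision.
    print("a=3, b=1, c=5 mod 16 collision:", find_collision(3, 1, 5, 16))
    # General n: a coprime to n, b divisible by every prime factor of n.
    print("a=5, b=6 mod 12 condition/bijective:",
          satisfies_condition(5, 6, 12), is_permutation(5, 6, 1, 12))
    # Inversion at full 64-bit width (coefficients chosen arbitrarily).
    a, b, c, l = 0x9E3779B97F4A7C15, 0x2545F4914F6CDD1C, 12345, 64
    x = 0xDEADBEEFCAFEBABE
    y = qpp(x, a, b, c, 1 << l)
    print("recovered x:", hex(invert_qpp_mod_2l(y, a, b, c, l)))
```

The inverse is worth having: a QPP is cheap to evaluate in the forward direction, but the reverse mapping is not a polynomial of the same shape in general, and the Newton iteration gives it in $O(\log \ell)$ multiplications without a table.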