
Computing the Linear Complexity in a Class of Cryptographic Sequences

Amparo Fúster-Sabater (1) and Sara D. Cardell (2)

(1) Instituto de Tecnologías Físicas y de la Información, CSIC, 144, Serrano, 28006 Madrid, Spain, [email protected]

(2) Instituto de Matemática, Estatística e Computação Científica, UNICAMP, Campinas, Brazil, [email protected]

Abstract. In this work, we present a method of computing the linear complexity of the sequences produced by the cryptographic sequence generator known as generalized self-shrinking generator. This approach is based on the comparison of different shifted versions of a single PN-sequence. Just the analysis of binary digits in these shifted sequences allows one to determine the linear complexity of those generalized sequences. The method is simple, direct and efficient. Furthermore, the concept of linear recurrence relationship and the rows of the Sierpinski's triangle are the basic tools in this computation.

Keywords: Generalized self-shrinking generator · Linear complexity · Linear recurrence relationship · Sierpinski's triangle

1 Introduction

Confidentiality of sensitive information makes use of an encryption function called cipher that converts the original message or plaintext into the ciphered message or ciphertext. In symmetric cryptography (or secret key cryptography) there is a single piece of secret information called key. Such a secret key is shared by both legitimate communicating parties. Secret key cryptography is currently divided into two large classes: stream ciphers and block-ciphers depending on whether the encryption function is applied either to each individual bit or to a block of bits, respectively.

Stream ciphers are the fastest and simplest among all the encryption procedures so they are in widespread use and can be found in many technological applications e.g. the encryption system E0 in Bluetooth network specifications [8], the algorithm RC4 in Microsoft Word processor and Microsoft Excel spreadsheet [21] or the SNOW 3G Generator [15] in wireless communication of high-speed data with 4G/LTE (Long-Term Evolution) technology.

The basic problem in stream cipher design is to generate from a short and truly random key a long and pseudorandom sequence called keystream sequence.

© Springer International Publishing AG, part of Springer Nature 2018. O. Gervasi et al. (Eds.): ICCSA 2018, LNCS 10960, pp. 110–122, 2018. https://doi.org/10.1007/978-3-319-95162-1_8


For encryption, the sender performs the bitwise XOR (exclusive-OR) operation among the bits of the plaintext and the keystream sequence. The result is the ciphertext to be sent to the receiver. For decryption, the receiver generates the same keystream sequence, performs the same bitwise XOR operation between the received ciphertext and the keystream sequence and recovers the original message. Notice that both encryption and decryption procedures use the same XOR logic operation, an extremely simple and balanced operation.

Most keystream generators are based on maximal-length Linear Feedback Shift Registers (LFSRs) [13] whose output sequences, the PN-sequences, are combined in a non linear way to produce pseudorandom sequences of cryptographic application. Combinational generators, non-linear filters, clock-controlled generators or irregularly decimated generators are some of the most popular keystream generators. See [11,12,19] for a comprehensive introduction to this topic.

Inside the family of irregularly decimated generators, we can enumerate: (a) the shrinking generator [6] that involves two LFSRs, (b) the self-shrinking generator [18] involving only one LFSR and (c) the most representative element of this family, the generalized self-shrinking generator or family of generators [14], that includes the self-shrinking generator as one of its members. Irregularly decimated generators produce sequences with long periods, good correlation, excellent run distribution, balancedness [9], simplicity of implementation, etc. The underlying idea of this type of generators is the irregular decimation of a PN-sequence according to the bits of another. The decimation result is a sequence that will be used as keystream sequence in the cryptographic procedure. This work focuses on the generalized self-shrinking generators and their output sequences the so-called generalized self-shrunken sequences.

Linear complexity, $LC$, is a much used metric of the security of a keystream sequence [20]. Roughly speaking, $LC$ measures the amount of sequence bits needed to reconstruct the rest of the sequence. In cryptographic terms, linear complexity must be as large as possible; the recommended value is approximately half the sequence period, $LC \simeq T/2$. Traditionally the linear complexity of a sequence is computed by the Berlekamp-Massey algorithm [17] after having processed at least $2 \cdot LC$ bits of such a sequence. For sequences in a cryptographic range ($T = 10^{38}$), the generation and application of such an algorithm can be an extremely hard task. In spite of its importance, the linear complexity of the generalized self-shrunken sequences is a topic never considered nor analysed. In this work, we introduce a simple method of computing the linear complexity of the generalized self-shrunken sequences. No generation of such sequences is needed as we just use different shifted versions of a single PN-sequence.

The work is organized as follows. Fundamental and basic concepts used throughout the work are introduced in Sect. 2. Next in Sect. 3, the main result, a method of computing the linear complexity of generalized self-shrunken sequences, is developed; formulation, discussion and an illustrative example of such a method are also provided. Finally, conclusions in Sect. 4 end the paper.


2 Fundamentals and Basic Concepts

First of all, we introduce the concept of decimation of a binary sequence, which will be used repeatedly throughout this work. Let $\{a_i\}$ ($i = 0, 1, 2, \ldots$) be a sequence defined over the binary field of two elements, $a_i \in \mathbb{F}_2$. The decimation of the sequence $\{a_i\}$ by distance $d$ is a new sequence $\{b_i\}$ ($i = 0, 1, 2, \ldots$) obtained by taking every $d$-th term of $\{a_i\}$, that is $\{b_i\} = \{a_{d \cdot i}\}$ [7].

Let $L$ be a positive integer, and let $c_0, c_1, \ldots, c_{L-1}$ be given elements of the binary field $\mathbb{F}_2$. A sequence $\{a_i\}$ satisfying the relation

$$a_{i+L} = c_1 a_{i+L-1} + c_2 a_{i+L-2} + \cdots + c_{L-1} a_{i+1} + c_L a_i, \quad i \ge 0 \qquad (1)$$

is called an $L$-th order linear recurring sequence in $\mathbb{F}_2$. A relation of the form given in (1) is called an $L$-th order homogeneous linear recurrence relationship (l.r.r.). The polynomial of degree $L$

$$P(x) = x^L + c_1 x^{L-1} + c_2 x^{L-2} + \cdots + c_{L-1} x + c_L \in \mathbb{F}_2[x],$$

is called the characteristic polynomial of the linear recurrence relationship.

[Fig. 1. An LFSR of length $L$, with stages $a_i, a_{i+1}, a_{i+2}, \ldots, a_{i+L-2}, a_{i+L-1}$ and feedback coefficients $c_L, c_{L-1}, c_{L-2}, \ldots, c_2, c_1$]

The generation of linear recurring sequences can be implemented on Linear Feedback Shift Registers (LFSRs). These devices handle information in form of bits and they are based on shifts and linear feedback. An LFSR consists of $L$ interconnected stages (LFSR length) of binary content, the characteristic polynomial $P(x)$ of its linear recurrence relationship and the non-zero initial state (stage contents at the initial instant), see Fig. 2. If $P(x)$ is a primitive polynomial, then the register is said to be a maximal-length LFSR and its output sequence $\{a_i\}$ is called a PN-sequence of period $T = 2^L - 1$ with $2^{L-1}$ 1's and $(2^{L-1} - 1)$ 0's, see [13]. If $\alpha$ is a root of $P(x)$, then $\alpha$ is a primitive element in $\mathbb{F}_{2^L}$, the extension field of $\mathbb{F}_2$, that consists of 0 and appropriate powers of $\alpha$ [16]. Via the characteristic polynomial, there is a one-to-one correspondence

$$a_i \to \alpha^i \quad (i = 0, 1, 2, \ldots, 2^L - 2) \qquad (2)$$

between the $i$-th element, $a_i$, of the PN-sequence and the $i$-th power of $\alpha$, notated $\alpha^i$. The linear complexity is the length of the shortest LFSR that generates such a sequence or, equivalently, the lowest order linear recurrence relationship that generates such a sequence.

The most representative element in the class of irregularly decimated generators is the generalized self-shrinking generator [14] described as follows:

Definition 1. Let $\{a_i\}$ ($i = 0, 1, 2, \ldots$) be a PN-sequence generated by a maximal-length LFSR with an $L$-degree characteristic polynomial. Let $p$ be an integer and $\{v_i\}$ ($i = 0, 1, 2, \ldots$) be a $p$-position shifted version of $\{a_i\}$ with ($p = 0, 1, 2, \ldots, 2^L - 2$). The decimation rule is very simple:

1. If $a_i = 1$, then $v_i$ is output, that is $s_j = v_i$.
2. If $a_i = 0$, then $v_i$ is discarded and there is no output bit.

In this way, for a fixed $p$ a balanced output sequence $s_0\, s_1\, s_2 \ldots$ denoted by $\{s(p)_j\}$ or simply $\{s_j\}$ is generated. Such a sequence is called the generalized self-shrunken sequence (GSS) associated with the shift $p$. □

Recall that $\{a_i\}$ remains fixed while $\{v_i\}$ is the sliding sequence or left-shifted version of $\{a_i\}$. When $p$ ranges in the interval $p \in [0, 1, 2, \ldots, 2^L - 2]$, then the class of $2^L - 1$ generalized self-shrunken sequences (or simply generalized sequences) is obtained. Let us see a simple example.

Example 1. For an LFSR of length $L = 4$, characteristic polynomial $P(x) = x^4 + x^3 + 1$ and initial state $(1, 1, 1, 1)$, its corresponding PN-sequence is $\{a_i\} = \{111101011001000\}$. Applying the previous decimation rule, we get $2^L - 1 = 15$ generalized sequences $\{s_j\}$ based on $\{a_i\}$ and depicted in Table 1.

The $2^L - 1 = 15$ choices of $p$ result in the 15 distinct shifts of $\{v_i\}$. For each sequence $\{v_i\}$, a new generalized self-shrunken sequence is generated. □

Table 1. GSS sequences for Example 1

 p   {s(p)_j}      p   {s(p)_j}
 0   1111 1111     8   1001 0110
 1   1110 0100     9   0010 0111
 2   1101 1000    10   0100 1110
 3   1010 1010    11   1000 1101
 4   0101 0101    12   0001 1011
 5   1011 0001    13   0011 1100
 6   0110 1001    14   0111 0010
 7   1100 0011

The period of the generalized sequences is a divisor of $2^{L-1}$. This class of sequences always includes [10] the sequence $\{111111, \ldots\}$ for $p = 0$ and the sequences $\{101010, \ldots\}$ and $\{010101, \ldots\}$ for $p = n, n + 1$, where $n$ is an integer corresponding to the power $\alpha^n \in \mathbb{F}_{2^L}$ satisfying $\alpha^{n+1} = \alpha^n + 1$.

Finally, let $\{u_i\}$ ($i = 0, 1, \ldots, 2^{L-1} - 1$) be a sequence of period $T = 2^{L-1}$ whose terms $u_i$ are elements of $\mathbb{F}_{2^L}$. Keeping in mind the one-to-one correspondence defined in (2), the terms of $\{u_i\}$ are the powers of $\alpha$ associated with the 1's of $\{a_i\}$. Let us see the sequence $\{u_i\}$ for the Example 1.

Table 2. Sequence {u_i} for Example 1

F_{2^L} :  1   α   α^2  α^3  α^4  α^5  α^6  α^7  α^8  α^9  α^10  α^11  α^12  α^13  α^14
{a_i}   :  1   1   1    1    0    1    0    1    1    0    0     1     0     0     0
{u_i}   :  1   α   α^2  α^3       α^5       α^7  α^8             α^11

Thus, the sequence $\{u_i\} = \{1, \alpha, \alpha^2, \alpha^3, \alpha^5, \alpha^7, \alpha^8, \alpha^{11}\}$. It is proved [1] that the sequence $\{u_i\}$ defined as before has a linear complexity upper bounded by:

$$LC(\{u_i\}) \le 2^{L-1} - (L - 2). \qquad (3)$$

3 Linear Complexity of the Generalized Sequences

As the generalized sequences have period power of 2, then the characteristic polynomial of each generalized sequence is of the form $(x + 1)^M$ where $M = LC$. Thus, $(x + 1)^{M+1}, (x + 1)^{M+2}, (x + 1)^{M+3}, \ldots$ are characteristic polynomials of higher degree defining linear recurrence relationships that the generalized sequence has to satisfy. Contrarily, $(x + 1)^{M-1}, (x + 1)^{M-2}, (x + 1)^{M-3}, \ldots$ are not characteristic polynomials meaning that the generalized sequence does not satisfy their corresponding linear recurrence relationships. This is the key idea to compute the $LC$ in the class of generalized self-shrunken sequences.

The coefficients of a polynomial $(x + 1)^M$ are the binomial numbers $\binom{M}{i}$ ($i = 0, 1, \ldots, M$) of the $M$-th row of the Pascal's triangle [3,5]. When such a triangle is reduced mod 2, then we get the Sierpinski's triangle, see Fig. 2. Linear Cellular Automata (CA) with rules 102 and 60 [2,4,22] also define the coefficients of this type of polynomial. See the CA-images with these rules in Fig. 3, where black squares represent 1's and white squares (inside the figure) represent 0's.

Next we study the linear recurrence relationships of the sequence $\{u_i\}$ for successive and decreasing values of $M$.

1. For $M = 2^{L-1} - (L - 2)$:

According to Eq. (3), the sequence $\{u_i\}$ satisfies the l.r.r.

$$\sum_{i=0}^{M} c_i\, u_{i+p} = 0 \quad (p = 0, 1, 2, \ldots, 2^L - 2), \qquad (4)$$

where the $c_i$ are the binary coefficients of the $M$-th row in the Sierpinski's triangle or in the CA-images, see Figs. 2 and 3.

[Fig. 2. Binary Sierpinski's triangle]

If we denote $u_i = \alpha^{\tau(i)}$, then we can rewrite the correspondence (2) as follows

$$u_i = \alpha^{\tau(i)} \to a_{\tau(i)} \quad (i = 0, 1, 2, \ldots, 2^L - 2).$$

Therefore,

$$\sum_{i=0}^{M} c_i\, u_{i+p} = \sum_{i=0}^{M} c_i\, \alpha^{\tau(i)+p} = 0 \;\to\; \sum_{i=0}^{M} c_i\, a_{\tau(i)+p} = 0, \qquad (5)$$

where $\{a_{\tau(i)+p}\}$ ($i = 0, 1, 2, \ldots$) denotes the generalized sequence $\{s(p)_j\}$ associated with the shift $p$. Thus, according to Eq. (5), all the generalized sequences $\{s(p)_j\}$ satisfy $\sum_{i=0}^{M} c_i\, a_{\tau(i)+p} = 0$ and their linear complexities are upper bounded by

$$LC(\{s(p)_j\}) \le 2^{L-1} - (L - 2) \quad (p = 0, 1, 2, \ldots, 2^L - 2).$$

So we have already determined an upper bound on the $LC$ of all the generalized sequences.

2. For $M = 2^{L-1} - (L - 2) - 1$:

We check if the sequence $\{u_i\}$ satisfies the l.r.r. with the new value of $M$ and the new row of coefficients $c_i$ in the Sierpinski's triangle or in the CA-images.

$$\sum_{i=0}^{M} c_i\, u_{i+p} = \alpha^m \ne 0 \quad (p = 0, 1, 2, \ldots, 2^L - 2),$$


Fig. 3. CA-images: rule 102 (left) and rule 60 (right)

Therefore,

$$\sum_{i=0}^{M} c_i\, \alpha^{\tau(i)+p} = \alpha^m \;\to\; \sum_{i=0}^{M} c_i\, a_{\tau(i)+p} = a_{m+p}.$$

1. If $a_{m+p} = 0$ for some $p$, then the l.r.r. holds for the corresponding sequences $\{s(p)_j\}$ and their $LC(\{s(p)_j\}) \le 2^{L-1} - (L - 2) - 1$.

2. If $a_{m+p} = 1$ for some $p$, then the l.r.r. does not hold for the corresponding sequences $\{s(p)_j\}$ and their $LC(\{s(p)_j\}) = 2^{L-1} - (L - 2)$.

As $a_{m+p}$ ($p = 0, 1, 2, \ldots, 2^L - 2$) is the PN-sequence $\{a_i\}$ starting at the term $a_m$, then we will have $(2^{L-1} - 1)$ terms $a_{m+p} = 0$, that is $(2^{L-1} - 1)$ generalized sequences for which the l.r.r. holds, as well as $2^{L-1}$ terms $a_{m+p} = 1$, that is $2^{L-1}$ generalized sequences for which the l.r.r. does not hold.

3. For $M = 2^{L-1} - (L - 2) - 2$:

We check if the sequence $\{u_i\}$ satisfies the l.r.r. with the new value of $M$ and the new row of coefficients $c_i$ in the Sierpinski's triangle or in the CA-images.

In fact, for the successive values of $p$ we have two alternative values of this l.r.r.

$$\sum_{i=0}^{M} c_i\, u_{i+p} = \alpha^{m_1} \ne 0 \qquad \sum_{i=0}^{M} c_i\, u_{i+p} = \alpha^{m_2} \ne 0.$$

This yields:

$$\sum_{i=0}^{M} c_i\, a_{\tau(i)+p} = a_{m_1+p} \qquad \sum_{i=0}^{M} c_i\, a_{\tau(i)+p} = a_{m_2+p}.$$

Therefore, we get two shifted versions of the PN-sequence $\{a_i\}$, one of them starting at the term $a_{m_1}$ and the other at $a_{m_2}$.

1. If $a_{m_1+p} = a_{m_2+p} = 0$ for some $p$, then the l.r.r. holds for the corresponding sequences $\{s(p)_j\}$ and $LC(\{s(p)_j\}) \le 2^{L-1} - (L - 2) - 2$.


2. If $a_{m_1+p} = a_{m_2+p} = 1$ for some $p$, then the l.r.r. does not hold for the corresponding sequences $\{s(p)_j\}$ and $LC(\{s(p)_j\}) = 2^{L-1} - (L - 2) - 1$.

Thus, we will have $(2^{L-2} - 1)$ terms $a_{m_1+p} = a_{m_2+p} = 0$, that is there will be $(2^{L-2} - 1)$ generalized sequences with $LC(\{s(p)_j\}) \le 2^{L-1} - (L - 2) - 2$. In the same way, we will have $2^{L-2}$ terms $a_{m_1+p} = a_{m_2+p} = 1$, that is there will be $2^{L-2}$ generalized sequences with $LC(\{s(p)_j\}) = 2^{L-1} - (L - 2) - 1$.

For successive and decreasing values of $M$, that is $M = (2^{L-1} - (L - 2) - 3), (2^{L-1} - (L - 2) - 4), (2^{L-1} - (L - 2) - 5), \ldots$, we get $4, 8, 16, \ldots$ shifted versions of the PN-sequence $\{a_i\}$. The number of generalized sequences that satisfy (do not satisfy) the linear recurrence relationship in one step is half the number of sequences obtained in the previous step. Now a numerical example is provided to clarify the method.

3.1 An Illustrative Example

Let us consider a maximal-length LFSR of length $L = 5$, characteristic polynomial $P(x) = x^5 + x^2 + 1$ and initial state $(1, 1, 1, 1, 1)$, its corresponding PN-sequence is $\{a_i\} = \{1111100011011101010000100101100\}$ with period $T = 31$. The sequence $\{u_i\} = \{1, \alpha, \alpha^2, \alpha^3, \alpha^4, \alpha^8, \alpha^9, \alpha^{11}, \alpha^{12}, \alpha^{13}, \alpha^{15}, \alpha^{17}, \alpha^{22}, \alpha^{25}, \alpha^{27}, \alpha^{28}\}$ and $\alpha^{14} = \alpha^{13} + 1$. We compute the linear recurrence relationship for different values of $M$.

1. For $M = 2^{L-1} - (L - 2) = 13$:

The sequence $\{u_i\}$ satisfies the linear recurrence relationship given by Eq. (4), where the coefficients $c_i$ are $(1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1)$, see the 13-th row in Figs. 2 and 3. As $\sum_{i=0}^{13} c_i\, a_{\tau(i)+p} = 0$ ($p = 0, 1, 2, \ldots, 30$), we know that the linear complexity of all the generalized sequences is $LC(\{s(p)_j\}) \le 13$.

2. For $M = 2^{L-1} - (L - 2) - 1 = 12$:

We check if the sequence $\{u_i\}$ satisfies the linear recurrence relationship given by Eq. (4) for $M = 12$ and for the new coefficients $c_i$ $(1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1)$, see the 12-th row in Figs. 2 and 3. In fact, $\sum_{i=0}^{12} c_i\, \alpha^{\tau(i)+p} = \alpha^6 \ne 0$, then $\{a_{6+p}\}$ ($p = 0, 1, 2, \ldots, 30$) is the PN-sequence $\{a_i\}$ starting at the term $a_6$. Thus, according to Table 3, the 15 generalized sequences corresponding to $p = 0, 1, 4, 8, 10, 12, 13, 14, 15, 17, 18, 20, 23, 24, 30$ (the 0's of $\{a_{6+p}\}$ in bold) will satisfy $LC(\{s(p)_j\}) \le 12$; while the 16 generalized sequences corresponding to the remainder values of $p$ (the 1's of $\{a_{6+p}\}$) will have $LC(\{s(p)_j\}) = 13$. Therefore, we have computed the $LC$ of some generalized sequences just by analysing the binary digits of the PN-sequence $\{a_{6+p}\}$.


Table 3. Linear complexity of GSS sequences

p =         0       4       8       12      16      20      24      28  30
{a_{6+p}}   0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 0 1 0 0 1 0 1 1 0 0 1 1 1 1 1 0

3. For $M = 2^{L-1} - (L - 2) - 2 = 11$:

We check if the sequence $\{u_i\}$ satisfies the linear recurrence relationship given by Eq. (4) for $M = 11$ and for the new coefficients $c_i$ $(1, 1, 1, 1, 0, 0, 0, 0, 1, 1, 1, 1)$, see the 11-th row in Figs. 2 and 3. Now, $\sum_{i=0}^{11} c_i\, \alpha^{\tau(i)+p} = \alpha^{10}, \alpha^{16} \ne 0$, alternatively for the successive values of $p$. Thus, according to Table 4, the 7 generalized sequences corresponding to $p = 0, 4, 8, 10, 13, 14, 20$ will satisfy $LC(\{s(p)_j\}) \le 11$. Recall that the previous values of $p$ correspond to the 0's coinciding in the 3 shifted PN-sequences $\{a_{6+p}\} = \{a_{10+p}\} = \{a_{16+p}\} = 0$, see the columns in bold in Table 4.

On the other hand, the 8 generalized sequences corresponding to $p = 1, 12, 15, 17, 18, 23, 24, 30$ will have $LC(\{s(p)_j\}) = 12$. Recall that the previous values of $p$ correspond to the 1's coinciding in the 2 shifted PN-sequences $\{a_{10+p}\} = \{a_{16+p}\} = 1$ (on grey rectangles) but with $\{a_{6+p}\} = 0$, see the columns in Table 4. Therefore, the comparison of binary digits in three shifted version of a single PN-sequence allows us to compute the $LC$ of other generalized sequences.

Table 4. Linear complexity of GSS sequences

p =         0       4       8       12      16      20      24      28  30
{a_{6+p}}   0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 0 1 0 0 1 0 1 1 0 0 1 1 1 1 1 0
{a_{10+p}}  0 1 1 1 0 1 0 1 0 0 0 0 1 0 0 1 0 1 1 0 0 1 1 1 1 1 0 0 0 1 1
{a_{16+p}}  0 1 0 0 0 0 1 0 0 1 0 1 1 0 0 1 1 1 1 1 0 0 0 1 1 0 1 1 1 0 1

4. For $M = 2^{L-1} - (L - 2) - 2 = 10$:

We check if the sequence $\{u_i\}$ satisfies the linear recurrence relationship given by Eq. (4) for $M = 10$ and for the new coefficients $c_i$ $(1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1)$, see the 10-th row in Figs. 2 and 3. Now, $\sum_{i=0}^{10} c_i\, \alpha^{\tau(i)+p} = \alpha^7, \alpha^5, \alpha^{24}, \alpha^{23} \ne 0$, alternatively for the successive values of $p$. Thus, according to Table 5, the 3 generalized sequences corresponding to $p = 0, 13, 14$ will satisfy $LC(\{s(p)_j\}) \le 10$. Recall that the previous values of $p$ correspond to the 0's coinciding in the 7 shifted PN-sequences $\{a_{6+p}\} = \{a_{10+p}\} = \{a_{16+p}\} = \{a_{7+p}\} = \{a_{5+p}\} = \{a_{24+p}\} = \{a_{23+p}\} = 0$, see the columns in bold in Table 5.

On the other hand, the 4 generalized sequences corresponding to $p = 4, 8, 10, 20$ will have $LC(\{s(p)_j\}) = 11$. Recall that the previous values of $p$ correspond to the 1's coinciding in the 4 shifted PN-sequences $\{a_{7+p}\} = \{a_{5+p}\} = \{a_{24+p}\} = \{a_{23+p}\} = 1$ (on grey rectangles) but with $\{a_{6+p}\} = \{a_{10+p}\} = \{a_{16+p}\} = 0$, see the columns in Table 5. Now, the comparison of binary digits in seven shifted version of a single PN-sequence allows us to compute the $LC$ of more generalized sequences.


Table 5. Linear complexity of GSS sequences

p =         0       4       8       12      16      20      24      28  30
{a_{6+p}}   0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 0 1 0 0 1 0 1 1 0 0 1 1 1 1 1 0
{a_{10+p}}  0 1 1 1 0 1 0 1 0 0 0 0 1 0 0 1 0 1 1 0 0 1 1 1 1 1 0 0 0 1 1
{a_{16+p}}  0 1 0 0 0 0 1 0 0 1 0 1 1 0 0 1 1 1 1 1 0 0 0 1 1 0 1 1 1 0 1
{a_{7+p}}   0 1 1 0 1 1 1 0 1 0 1 0 0 0 0 1 0 0 1 0 1 1 0 0 1 1 1 1 1 0 0
{a_{5+p}}   0 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 0 1 0 0 1 0 1 1 0 0 1 1 1 1 1
{a_{24+p}}  0 1 0 1 1 0 0 1 1 1 1 1 0 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 0 1 0
{a_{23+p}}  0 0 1 0 1 1 0 0 1 1 1 1 1 0 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 0 1

5. For $M = 9, 8, 7, 6, \ldots, 2$:

We follow with the same procedure but no new values of $\sum_{i=0}^{M} c_i\, \alpha^{\tau(i)+p}$ are computed.

6. For $M = 1$:

We check if the sequence $\{u_i\}$ satisfies the linear recurrence relationship given by Eq. (4) for $M = 1$ and for the new coefficients $c_i$ $(1, 1)$, see the 1-th row in Figs. 2 and 3. Now, $\sum_{i=0}^{1} c_i\, \alpha^{\tau(i)+p} = \alpha^{18}, \alpha^{19}, \alpha^{20}, \alpha^{21}, \alpha^{14}, \alpha^{26}, \alpha^{29}, \alpha^{30} \ne 0$, alternatively for the successive values of $p$. Thus, according to Table 6, the single generalized sequence corresponding to $p = 0$ will satisfy $LC(\{s(0)_j\}) = 1$. It is the identically 1 sequence. Recall that the value $p = 0$ corresponds to the 0's coinciding in the 15 shifted PN-sequences $\{a_{6+p}\} = \{a_{10+p}\} = \{a_{16+p}\} = \{a_{7+p}\} = \{a_{5+p}\} = \{a_{24+p}\} = \{a_{23+p}\} = \{a_{18+p}\} = \{a_{19+p}\} = \{a_{20+p}\} = \{a_{21+p}\} = \{a_{14+p}\} = \{a_{26+p}\} = \{a_{29+p}\} = \{a_{30+p}\} = 0$, see the column in bold in Table 6.

On the other hand, the 2 generalized sequences corresponding to $p = 13, 14$ will satisfy $LC(\{s(p)_j\}) = 2$. They correspond to the generalized sequences $\{1010 \ldots\}$ and $\{0101 \ldots\}$. Recall that the previous values of $p$ correspond to the 1's coinciding in the 8 shifted PN-sequences $\{a_{18+p}\} = \{a_{19+p}\} = \{a_{20+p}\} = \{a_{21+p}\} = \{a_{14+p}\} = \{a_{26+p}\} = \{a_{29+p}\} = \{a_{30+p}\} = 1$ (on grey rectangles) but with $\{a_{6+p}\} = \{a_{10+p}\} = \{a_{16+p}\} = \{a_{7+p}\} = \{a_{5+p}\} = \{a_{24+p}\} = \{a_{23+p}\} = 0$, see the columns in Table 6. In this way, we have computed the $LC$ of the whole family of generalized sequences for this example.

In a general case, there will be $2^{L-1}$ generalized sequences with $LC = 2^{L-1} - (L - 2)$, $2^{L-2}$ sequences with $LC_1 < 2^{L-1} - (L - 2)$, $2^{L-3}$ sequences with $LC_2 < LC_1$ and so on, until we get the last three generalized sequences $\{101010, \ldots\}$ and $\{010101, \ldots\}$ with $LC = 2$ and the identically 1 sequence $\{111111, \ldots\}$ with $LC = 1$. The intermediate values $LC_i$ are in the interval $2^{L-2} < LC_i \le 2^{L-1} - (L - 2)$ although they are not necessarily consecutive values.

Table 6. Linear complexity of GSS sequences

p =         0       4       8       12      16      20      24      28  30
{a_{6+p}}   0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 0 1 0 0 1 0 1 1 0 0 1 1 1 1 1 0
{a_{10+p}}  0 1 1 1 0 1 0 1 0 0 0 0 1 0 0 1 0 1 1 0 0 1 1 1 1 1 0 0 0 1 1
{a_{16+p}}  0 1 0 0 0 0 1 0 0 1 0 1 1 0 0 1 1 1 1 1 0 0 0 1 1 0 1 1 1 0 1
{a_{7+p}}   0 1 1 0 1 1 1 0 1 0 1 0 0 0 0 1 0 0 1 0 1 1 0 0 1 1 1 1 1 0 0
{a_{5+p}}   0 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 0 1 0 0 1 0 1 1 0 0 1 1 1 1 1
{a_{24+p}}  0 1 0 1 1 0 0 1 1 1 1 1 0 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 0 1 0
{a_{23+p}}  0 0 1 0 1 1 0 0 1 1 1 1 1 0 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 0 1
{a_{18+p}}  0 0 0 0 1 0 0 1 0 1 1 0 0 1 1 1 1 1 0 0 0 1 1 0 1 1 1 0 1 0 1
{a_{19+p}}  0 0 0 1 0 0 1 0 1 1 0 0 1 1 1 1 1 0 0 0 1 1 0 1 1 1 0 1 0 1 0
{a_{20+p}}  0 0 1 0 0 1 0 1 1 0 0 1 1 1 1 1 0 0 0 1 1 0 1 1 1 0 1 0 1 0 0
{a_{21+p}}  0 1 0 0 1 0 1 1 0 0 1 1 1 1 1 0 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0
{a_{14+p}}  0 1 0 1 0 0 0 0 1 0 0 1 0 1 1 0 0 1 1 1 1 1 0 0 0 1 1 0 1 1 1
{a_{26+p}}  0 1 1 0 0 1 1 1 1 1 0 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 0 1 0 0 1
{a_{29+p}}  0 0 1 1 1 1 1 0 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 0 1 0 0 1 0 1 1
{a_{30+p}}  0 1 1 1 1 1 0 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 0 1 0 0 1 0 1 1 0

3.2 Discussion of the Method

Notice that the method of computing the $LC$ of the generalized self-shrunken sequences involves very simple operations. Indeed, the method is based on the comparison of a single PN-sequence with some of its shifted versions. Only one sequence in each group of shifted PN-sequences is needed to determine the positions of 1's and 0's. Thus, for an $M < 2^{L-1} - (L - 2)$ given, just a linear recurrence relationship $\sum_{i=0}^{M} c_i\, \alpha^{\tau(i)+p}$ must be checked. It means that in total we will have to analyse $L - 2$ groups. For $L$ in a cryptographic range ($L \simeq 128$) the efficiency of the computational method is quite evident.

From the point of view of the keystream generator design, the procedure here introduced allows the cryptographer to design a generalized self-shrinking generator with a guaranteed maximum linear complexity. In fact, for $M = 2^{L-1} - (L - 2) - 1$ and the computation of $\sum_{i=0}^{M} c_i\, \alpha^{\tau(i)+p} = \alpha^m$, the 1's of the PN-sequence $\{a_{m+p}\}$ determine the possible shifts $p$ of the generalized self-shrunken sequences $\{s(p)_j\}$ with a maximum complexity of value $LC = 2^{L-1} - (L - 2)$. In brief, we guarantee an easy design of cryptographic sequences at the price of minimum number of computational operations.

On the other hand, we know that the self-shrinking generator is an element in the class of generalized self-shrinking generators. Moreover, the self-shrunken sequence is the generalized self-shrunken sequence corresponding to the shift $p = 2^{L-1}$. Thus, the application of the previous method allows us to determine easily the linear complexity of such a sequence. In fact, $LC = M_0$, where $M_0$ is the first value of the parameter $M$ for which its corresponding shifted sequence $\{a_{s+p}\}$ satisfies $a_{s+2^{L-1}} = 1$.
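The procedure of Sects. 3 and 3.1, written out as an added Python example (not the authors' code): it computes the exponents $m$ of the shifted PN-sequences $\{a_{m+p}\}$ for each $M$, reads the $LC$ of every $\{s(p)_j\}$ from those bits alone, and cross-checks the result by generating each sequence and applying $(x + 1)$ repeatedly. All function names are hypothetical, and elements of $\mathbb{F}_{2^L}$ are assumed to be stored as $L$-bit integers in the basis $1, \alpha, \ldots, \alpha^{L-1}$.

```python
# Added example (not the authors' code). Function names are hypothetical.
# Elements of F_{2^L} are L-bit integers in the basis 1, alpha, ..., alpha^(L-1).

def pn_sequence(taps, state):
    """One period of {a_i}. taps = (c_1, ..., c_L) of P(x), used as in Eq. (1)."""
    L, a = len(state), list(state)
    for i in range(2**L - 1 - L):
        a.append(sum(c & a[i + L - k] for k, c in enumerate(taps, 1)) & 1)
    return a

def gss(a, p):
    """Definition 1: one period of s(p), i.e. a[i+p] at the positions where a[i] = 1."""
    return [a[(i + p) % len(a)] for i in range(len(a)) if a[i]]

def alpha_powers(taps):
    """alpha^0, ..., alpha^(T-1), reduced with alpha^L = c_1 alpha^(L-1) + ... + c_L."""
    L = len(taps)
    red = sum(c << (L - k) for k, c in enumerate(taps, 1))
    powers, x = [], 1
    for _ in range(2**L - 1):
        powers.append(x)
        x <<= 1
        if x >> L:                       # degree reached L: substitute alpha^L
            x ^= (1 << L) | red
    return powers

def shift_sets(a, taps):
    """sets[M] = exponents m such that alpha^m occurs in (E+1)^M applied to {u_i}."""
    pw = alpha_powers(taps)
    log = {v: m for m, v in enumerate(pw)}
    u = [pw[i] for i, bit in enumerate(a) if bit]      # u_i = alpha^tau(i)
    sets = []
    while any(u):
        sets.append({log[v] for v in u if v})
        # one more factor (x+1): coefficients move to the next Sierpinski row
        u = [u[j] ^ u[(j + 1) % len(u)] for j in range(len(u))]
    return sets                          # len(sets) is the common upper bound on LC

def lc_by_shifts(a, taps):
    """LC of s(p) for every p, read off the shifted PN-sequences {a_(m+p)} only."""
    T, sets = len(a), shift_sets(a, taps)
    result = []
    for p in range(T):
        M = 0
        # the l.r.r. of order M holds for s(p) iff a[m+p] = 0 for every m in sets[M]
        while M < len(sets) and any(a[(m + p) % T] for m in sets[M]):
            M += 1
        result.append(M)
    return result

def lc_direct(s):
    """Reference value: apply (E+1) to one period of s until it vanishes."""
    n = 0
    while any(s):
        s = [s[j] ^ s[(j + 1) % len(s)] for j in range(len(s))]
        n += 1
    return n

if __name__ == "__main__":
    taps, state = (0, 0, 1, 0, 1), (1, 1, 1, 1, 1)     # P(x) = x^5 + x^2 + 1, Sect. 3.1
    a = pn_sequence(taps, state)
    sets = shift_sets(a, taps)
    for M in (12, 11, 10):
        print("M =", M, "-> shifts m:", sorted(sets[M]))
    lcs = lc_by_shifts(a, taps)
    assert lcs == [lc_direct(gss(a, p)) for p in range(len(a))]
    for value in sorted(set(lcs), reverse=True):
        print("LC =", value, "for p in", [p for p, v in enumerate(lcs) if v == value])
```

Only `lc_direct` touches the generalized sequences themselves; `lc_by_shifts` needs just the PN-sequence and the field values of $(x+1)^M$ applied to $\{u_i\}$.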

4 Conclusions

The class of generalized self-shrunken sequences exhibits good cryptographic properties: balancedness, long period, excellent run distribution, good correlation, speed generation, etc. Nevertheless, a fundamental metric of their security, the linear complexity, has never been considered for this family of sequences. In this work, we present a method of computing the linear complexity of generalized self-shrunken sequences. The procedure is simple and it is based on the comparison of different shifted versions of a single PN-sequence. In fact, the concepts of linear recurrence relationship, Sierpinski's triangle and linear cellular automata make it easy to compute the starting point of the shifted PN-sequences. Later the comparison of their binary digits determines the exact value of the linear complexity for the generalized sequences.

The method here developed guarantees an easy choice of generalized sequences with maximum linear complexity.

As a consequence of this work, we can say that the computation of the exact value of the self-shrunken sequence linear complexity is just the natural application of this method.

Acknowledgements. This research has been partially supported by Ministerio de Economía, Industria y Competitividad (MINECO), Agencia Estatal de Investigación (AEI), and Fondo Europeo de Desarrollo Regional (FEDER, UE) under project COPCIS, reference TIN2017-84844-C2-1-R, and by Comunidad de Madrid (Spain) under project reference S2013/ICE-3095-CIBERDINE-CM, also co-funded by European Union FEDER funds. The second author was supported by FAPESP with number of process 2015/07246-0 and CAPES.

References

1. Blackburn, S.R.: The linear complexity of the self-shrinking generator. IEEE Trans. Inf. Theory 45(6), 2073–2077 (1999)

2. Cardell, S.D., Fúster-Sabater, A.: Linear models for the self-shrinking generator based on CA. J. Cell. Autom. 11(2–3), 195–211 (2016)

3. Cardell, S.D., Fúster-Sabater, A.: Recovering the MSS-sequence via CA. Proc. Comput. Sci. 80, 599–606 (2016)

4. Cardell, S.D., Fúster-Sabater, A.: Modelling the shrinking generator in terms of linear CA. Adv. Math. Commun. 10(4), 797–809 (2016)

5. Cardell, S.D., Fúster-Sabater, A.: Linear models for high-complexity sequences. In: Gervasi, O., Murgante, B., Misra, S., Borruso, G., Torre, C.M., Rocha, A.M.A.C., Taniar, D., Apduhan, B.O., Stankova, E., Cuzzocrea, A. (eds.) ICCSA 2017. LNCS, vol. 10404, pp. 314–324. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-62392-4_23

6. Coppersmith, D., Krawczyk, H., Mansour, Y.: The shrinking generator. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 22–39. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_3

7. Duvall, P.F., Mortick, J.C.: Decimation of periodic sequences. SIAM J. Appl. Math. 21(3), 367–372 (1971)

8. Fluhrer, S., Lucks, S.: Analysis of the E0 encryption system. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 38–48. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45537-X_3

9. Fúster-Sabater, A., García-Mochales, P.: A simple computational model for acceptance/rejection of binary sequence generators. Appl. Math. Model. 31(8), 1548–1558 (2007)

10. Fúster-Sabater, A., Caballero-Gil, P.: Chaotic modelling of the generalized self-shrinking generator. Appl. Soft Comput. 11(2), 1876–1880 (2011)

11. Fúster-Sabater, A.: Aspects of linearity in cryptographic sequence generators. In: Murgante, B., Misra, S., Carlini, M., Torre, C.M., Nguyen, H.-Q., Taniar, D., Apduhan, B.O., Gervasi, O. (eds.) ICCSA 2013. LNCS, vol. 7975, pp. 33–47. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39640-3_3

12. Fúster-Sabater, A.: Generation of cryptographic sequences by means of difference equations. Appl. Math. Inf. Sci. 8(2), 1–10 (2014)

13. Golomb, S.W.: Shift Register-Sequences. Aegean Park Press, Laguna Hill (1982)

14. Hu, Y., Xiao, G.: Generalized self-shrinking generator. IEEE Trans. Inf. Theory 50(4), 714–719 (2004)

15. Jenkins, C., Schulte, M., Glossner, J.: Instructions and hardware designs for accelerating SNOW 3G on a software-defined radio platform. Analog Integr. Circ. Sig. Process. 69(2–3), 207–218 (2011)

16. Lidl, R., Niederreiter, H.: Introduction to Finite Fields and Their Applications. Cambridge University Press, Cambridge (1986)

17. Massey, J.L.: Shift-register synthesis and BCH decoding. IEEE Trans. Inf. Theory 15(1), 122–127 (1969)

18. Meier, W., Staffelbach, O.: The self-shrinking generator. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 205–214. Springer, Heidelberg (1995). https://doi.org/10.1007/BFb0053436

19. Menezes, A.J., et al.: Handbook of Applied Cryptography. CRC Press, New York (1997)

20. Paar, C., Pelzl, J.: Understanding Cryptography. Springer, Berlin (2010)

21. Paul, G., Maitra, S.: RC4 Stream Cipher and its Variants. CRC Press, Taylor and Francis Group, Boca Raton (2012)

22. Wolfram, S.: Cellular automata as simple self-organizing system. Caltech preprint CALT 68–938 (1982)