Information Processing Letters 74 (2000) 175–182

On distribution properties of sequences with perfect linearcomplexity profile

Markus Schneider1

University of Hagen, Fachgebiet Kommunikationssysteme, 58084 Hagen, Germany

Received 6 July 1999Communicated by T. Lengauer

Abstract

The linear complexity and the linear complexity profile of sequences are used as unpredictability criteria in streamcipher applications. In this context, sequences with perfect linear complexity profile (PLCP) are of special interest. Furtherunpredictability requirements are given by the distribution properties of the sequence elements that should be similar to thedistribution properties of a real random sequence. In this paper, the distribution of binary symbols for the class of PLCP-sequences is given by means of statistical moments. These moments are compared with the corresponding moments of realrandom sequences. 2000 Elsevier Science B.V. All rights reserved.

Keywords:Pseudorandom sequence; Linear complexity profile; Cryptography

1. Introduction

Stream ciphers use binary pseudorandom sequencessn = s0, s1, . . . , sn−1, with elementssi ∈ GF(2) for 06i < n and i, n ∈ Z [4]. For security reasons, the pseudorandom generator should produce the sequence in sucha way that an attacker should not be able to predict any unknown sequence element with probability better thanP(si = 0)= P(si = 1)= 0.5 even if he knows the generation principle or any other sequence elements. Therefore,in order to avoid some attacks, the elements of a pseudorandom sequence should be distributed like the outcomeof a fair coin tossed repeatedly. As a further requirement, the reconstruction of a linear feedback shift register(LFSR) with small length that can generate the whole sequence should be avoided. The linear complexity (LC)L(sn) of a sequencesn = s0, . . . , sn−1 is defined as the length of the shortest LFSR that is able to produce thesequencesn. But high LC is not sufficient to guarantee an unpredictable sequence. Rueppel introduced the linearcomplexity profile (LCP) as a further criterion which is given by the sequenceL(s1), . . . ,L(sn) [4]. The LCP ofa truely random sequencesn consisting ofn elements is expected to follow the(i/2)-line in a close manner fori = 1, . . . , n. Those sequencessn whose LCP is given byL(si) = di/2e for 16 i 6 n are said to have a perfect

1 Present address: GMD – SIT, German National Research Center for Information Technology, Dolivostr. 15, 64293, Darmstadt, Germany.Email: markus.schneider@darmstadt.gmd.de.

0020-0190/00/$ – see front matter 2000 Elsevier Science B.V. All rights reserved.PII: S0020-0190(00)00045-4

176 M. Schneider / Information Processing Letters 74 (2000) 175–182

linear complexity profile (PLCP). Wang gave a necessary and sufficient condition for PLCP-sequences [5]. Heshowed that a sequencesn has PLCP if and only if

s0= 1 and s2i = s2i−1+ si−1, for 16 i 6⌊(n− 1)/2

⌋. (1)

In general, sequence requirements have to be fulfilled simultaneously. In this context, it is not clear if PLCP-sequences fulfill the requirements concerning the distribution of their elements. In order to analyze somedistribution properties of PLCP-sequences, we introduce the weightw(sn) of a sequencesn as the number of1s in the sequence. Furthermore,w(si) denotes the weight of the single sequence elementsi . In our experiment, aPLCP-sequencesn is randomly chosen out of the set of all PLCP-sequences with fixed lengthn. Thus, we thinkof w(sn) as a random variable. This allows us to considerP(w(sn) = k) that represents the probability that afinite PLCP-sequencesn has weightk, wherek is taken from the range ofw(sn), i.e., 06 k 6 n. Analogous-ly, P(w(si) = 0) = P(si = 0), P(w(si ) = 1) = P(si = 1). Unfortunately, the distribution ofw(sn) for PLCP-sequences with arbitrary chosenn is not known in the literature. Even if this distribution is unknown, we showhow some statistical moments ofw(sn) can be derived. These moments give us some new insight in the propertiesof PLCP-sequences. Finally, we compare these statistical moments for PLCP-sequences with the correspondingmoments for truely random sequences. Other work in the area of linear complexity profiles was done in [2,3,6].

2. Weight-distributions of PLCP-sequences

If we consider a truely random binary sequencern = r0, . . . , rn−1 with probabilitiesP(w(ri )= 0)= P(ri = 0)= P(w(ri )= 1)= P(ri = 1)= 0.5 for i = 0, . . . , n− 1, andk-wise mutual independent elements for 26 k 6 n,then it is a known fact thatE[w(rn)] = 1

2n andVar[w(rn)] = 14n [1]. The third-order moment yieldsE[(w(rn)−

12n)

3] = 0, which follows by the symmetric distribution ofw(rn) with respect to12n. The fourth-order moment

E[(w(rn)− 12n)

4] is calculated exploiting the linearity of expectation, and the fact thatw(rn)=∑n−1i=0 w(ri):

E

[(w(rn)− n

2

)4]=E

[(n−1∑i=0

w(ri)

)4]− 2nE

[(n−1∑i=0

w(ri )

)3]

+ 3n2

2E

[(n−1∑i=0

w(ri)

)2]− n

3

2E

[n−1∑i=0

w(ri )

]+ n

4

16

= 3n2− 2n

16. (2)

In the case of PLCP-sequences, the moments can not be given in a straightforward manner, because the numberof PLCP-sequences with specified weights, respectively their probabilities, are not known. Reflecting the PLCP-condition given in (1), it follows for 16 i 6 n− 1 and ‘i odd’ thatP(w(si )= 1)= P(si = 1)= 0.5. In case of ‘ieven’, we also haveP(w(si )= 1)= P(si = 1)= 0.5. This follows by the pairwise mutual independence ofsi/2−1andsi−1 that implies statistical independence:

P(si = 1)= P(si−1= 0, si/2−1= 1)+ P(si−1= 1, si/2−1= 0)

= 0.5 · P(si/2−1= 1)+ 0.5 · P(si/2−1= 0)

= 0.5.

Theorem 1. Let sn be a PLCP-sequence withn> 1. Then,E[w(sn)] = (n+ 1)/2.

Proof. The proof follows fromP(w(s0)= 1)= P(s0= 1)= 1 andP(w(si )= 1)= P(si = 1)= 12 for 16 i < n,

and the linearity ofE[w(sn)]:

M. Schneider / Information Processing Letters 74 (2000) 175–182 177

E[w(sn)

]=E[1+w(s1, . . . , sn−1)]= 1+

n−1∑i=1

E[w(si)

]= n+ 1

2. 2

In order to calculateVar[w(sn)], it is useful to introduce the following lemma.

Lemma 2. Let sn be a PLCP-sequence withn > 5, and 2 < i < j < n. Then, si and sj are statisticallyindependent.

Proof. Let 2< i < j < n, n > 5, anda, b, b1, b2 ∈ GF(2) with b = b1 + b2. In order to prove the statisticalindependence ofsi and sj , it suffices to show thatP(si = a, sj = b) = 0.25. In case of ‘j odd’, the statisticalindependence ofsi andsj is obvious. In case of ‘j even’, we have

P(si = a, sj = b)= P(sj = b|si = a) · 0.5= [P(sj/2−1= b1, sj−1= b2|si = a)+ P(sj/2−1= b1+ 1, sj−1= b2+ 1|si = a)

] · 0.5= [P(sj/2−1= b1|si = a) · P(sj−1 = b2|si = a)+ P(sj/2−1= b1+ 1|si = a) · P(sj−1= b2+ 1|si = a)

] · 0.5.If i 6= j − 1, si andsj−1 are statistically independent. Thus,

P(si = a, sj = b)= [P(sj/2−1= b1|si = a) · P(sj−1 = b2)+ P(sj/2−1= b1+ 1|si = a) · P(sj−1= b2+ 1)

] · 0.5= [P(sj/2−1= b1|si = a)+ P(sj/2−1= b1+ 1|si = a)

] · 0.25= 0.25.

If i = j−1, then eitherP(sj−1= b2|si = a)= 1 andP(sj−1 = b2+1|si = a)= 0 or vice versa. Without restrictionof generality, leta = b2. Then,

P(si = a, sj = b)=[P(sj/2−1= b1|si = a) · 1+ P(sj/2−1= b1+ 1|si = a) · 0

] · 0.5= P(sj/2−1= b1) · 0.5= 0.25.

The statistical independence ofsi andsj follows. 2Theorem 3. Let sn be a PLCP-sequence withn> 3. Then, Var[w(sn)] = (n− 3)/4.

Proof. This proof is mainly based on Lemma 2 and the linearity of expectation. Furthermore, we use the fact thatw(s0, s1, s2)= 2 for all PLCP-sequences. Thus,Var[w(sn)] = 0 for n= 3. If n= 4, thenVar[w(sn)] = 0.25. Bothcases are in accordance with the claim of Theorem 3. Ifn > 4, we can apply Lemma 2 and get

Var[w(sn)

]=E[(w(sn)−E[w(sn)])2]=E[( n−1∑i=3

w(si)− n− 3

2

)2]

=E[(

n−1∑i=3

w(si)

)2]− (n− 3) ·E

[n−1∑i=3

w(si)

]+ (n− 3)2

4

=E[n−1∑i=3

w(si)

]+ 2 ·E

[ ∑2<i<j<n

w(si)w(sj )

]− (n− 3)2

4

= n− 3

2+ 2 · 1

4·(n− 3

2

)− (n− 3)2

4= n− 3

4. 2

178 M. Schneider / Information Processing Letters 74 (2000) 175–182

For completeness, it remains to consider the casesn= 1 andn= 2. It can be easily verified thatVar[w(s1)] = 0andVar[w(s2)] = 0.25.

In the following lemma, we give some probabilities for triples consisting of arbitrary and pairwise differentsequence elements of a PLCP-sequence, that will be used for the third-order moments.

Lemma 4. Let sn be a PLCP-sequence withn> 6, and2< i < j < k < n. Then, we have

P3= P(si = sj = sk = 1)={

0, if j = k − 1 andi = 12k− 1,

18, otherwise.

(3)

Proof. CaseI: ‘ k odd’. In this case,sk and (si , sj ) are statistically independent. Using Lemma 2 yieldsP3 =P(sk = 1) · P(si = sj = 1)= 1

2 · 14 = 1

8.CaseII: ‘ k even,j = k − 1, andi = 1

2k − 1’. Here, we use the fact thatsk = sj + si . Thus,P3= 0.CaseIII: ‘ (k even andj 6= k − 1) or (k even,j = k − 1, and i 6= 1

2k − 1)’. If k = 6, we have(i, j, k) ∈{(3,4,6), (3,5,6), (4,5,6)}. Here, we can easily verify thatP3= 1

8 by looking at the 8 different PLCP-sequenceswith 7 elements. Ifk > 8, we have by Lemma 2

P3= P(sk = 1|si = sj = 1) · P(si = sj = 1)

= P(sk−1 6= sk/2−1|si = sj = 1) · 14 .

If j 6= k − 1, thensk−1 andsj are statistically independent, andP3= 18 follows. If j = k − 1 andi 6= 1

2k − 1, thenP3= P(sk/2−1= 0|si = sj = 1) · 1

4 = P(sk/2−1= 0|si = 1) · 14 = 1

8. 2Considering the segments3, . . . , sn−1 of a PLCP-sequencesn with n > 6, the number of triples(i, j, k) with

2< i < j < k < n, for whichP3 = 0, is given byd(n− 8)/2e · σ(n− 9), whereσ(x)= 1 if x > 0, andσ(x)= 0if x < 0.

Theorem 5. Let sn be a PLCP-sequence withn> 1. Then,

E[(w(sn)−E[w(sn)])3]=−3

4·⌈n− 8

2

⌉· σ(n− 9),

whereσ(x)= 1 if x > 0, andσ(x)= 0 if x < 0.

Proof. For 16 n6 5, we can easily verify thatE[(w(sn)−E[w(sn)])3] = 0 holds. Ifn> 6, we can use the resultsof Lemmas 2, 4, and Theorems 1, 3. Furthermore, we apply the results concerning the number of triples(i, j, k)

with 2< i < j < k < n for whichP(si = sj = sk = 1)= 0.

E[(w(sn)−E[w(sn)])3]=E[(w(sn)− n+ 1

2

)3]

=E[(

n−1∑i=3

w(si)

)3]− n

3− 6n2+ 9n

8

=E[n−1∑i=3

w(si)

]+ 6E

[ ∑2<i<j<n

w(si)w(sj )

]

+ 6E

[ ∑2<i<j<k<n

w(si)w(sj )w(sk)

]− n

3− 6n2+ 9n

8

M. Schneider / Information Processing Letters 74 (2000) 175–182 179

= n− 3

2+ 6 ·

(n− 3

2

)· 1

4+ 6 ·

[(n− 3

3

)−⌈n− 8

2

⌉· σ(n− 9)

]· 1

8− n

3− 6n2+ 9n

8

=−3

4·⌈n− 8

2

⌉· σ(n− 9). 2

Lemma 6. Let sn be a PLCP-sequence withn> 7, and2< i < j < k < l < n. Then, we have

P4= P(si = sj = sk = sl = 1)=

0, if α, β, γ , or δ are fulfilled,18, if ε is fulfilled,116, otherwise,

(4)

where the conditionsα, β , γ , δ, andε have the following specifications:

α = (j = k − 1, i = 12k− 1

),

β = (k = l − 1, i = 12l − 1

),

γ = (k = l − 1, j = 12l − 1

),

δ = (i = 3, j = 4, k = 5, l = 6),

ε = ((k = l − 1, j = 12l, i = 1

4l − 1)

or(k = l − 1, j = 1

2l − 2, i = 14l − 3

2

)).

Proof. CaseI: ‘ l odd,k odd’. In this case,(si, sj ) and(sk, sl) are statistically independent. Thus,P4 = P(si =sj = 1) · P(sk = sl = 1)= 1

4 · 14 = 1

16.CaseII: ‘ k even’. In this case, we use the result of Lemma 4. ConsiderP4= P(sl = 1|si = sj = sk = 1) ·P(si =

sj = sk = 1)= P(sl = 1|si = sj = sk = 1) · P3. If l is odd, we obtainP4 = P(sl = 1) · P3 = 12 · P3. If l is even,

we haveP4= P(sl−1 6= sl/2−1|si = sj = sk = 1) · P3= 12 · P3. Therefore,P4= 0 if j = k − 1 andi = 1

2k − 1 (seeconditionα). Otherwise,P4= 1

16.CaseIII: ‘ l even,k odd’. If l = 6, then we must have(i, j, k)= (3,4,5). In this caseP4= 0 as we can see when

we look at all PLCP-sequences of lengthn= 7 (see conditionδ). Now, let l > 8. Consider the following subcases,in which we use various times the results of the previous lemmas.

(A) k 6 l−3: Sincek is odd, we always haveP3= 18. Thus,P4= P(sl = 1|si = sj = sk = 1) ·P3= P(sl−1 6=

sl/2−1|si = sj = sk = 1) · 18 = 1

16.(B) (k = l − 1, i = 1

2l − 1) or (k = l − 1, j = 12l − 1): P4 = P(sl = 1|si = sj = sk = 1) · P3 = 0 · 1

8 = 0(see conditionsβ , γ ).

(C) (k = l − 1, j = 12l, i = 1

4l − 1) or (k = l − 1, j = 12l − 2, i = 1

4l − 32): If si=l/4−1= 1 andsj=l/2= 1,

we obtainsl/2−1= 0. If we also choosesk=l−1= 1, thensl = 1 is determined by the PLCP-condition. Weobtain a similar result, if we choosesi=l/4−3/2= 1 andsj=l/2−2= 1. Then,sl/2−1= 0, and ifsk=l−1 = 1,thensl = 1 is determined by the PLCP-condition. Thus, for both possibilitiesP4= P(sl = 1|si = sj = sk =1) · P3= 1 · 1

8 = 18 (see conditionε).

(D) (k = l−1, j 6= 12l−1, i 6= 1

2l−1) and(k = l−1, (j 6= 12l or i 6= 1

4l−1)) and(k = l−1, (j 6= 12l−2 ori 6=

14l − 3

2)): If j 6= 12l− 1 andi 6= 1

2l − 1 are fulfilled, we haveP(si = sj = sk = 1)= 18 by Lemma 4. Thus,

P4 = P(sl = 1|si = sj = sk = 1) · 18. Considering the conditional probability in the previous expression,

we obtainP(sl = 1|si = sj = sk = 1) = P(sl/2−1 = 0|si = sj = sk = 1) = 1− P(sl/2−1 = 1|si = sj =1) = 1− P(si = sj = sl/2−1 = 1)/P (si = sj = 1) = 1− 4 · P(si = sj = sl/2−1 = 1). In order to obtain

180 M. Schneider / Information Processing Letters 74 (2000) 175–182

P(si = sj = sl/2−1= 1)= 0, it is known by Lemma 4, that(i, j) ∈ {(14l − 3

2,12l − 2), (1

4l − 1, 12l)}. But

these two possibilities are excluded by the premises of the here considered case. Therefore,P(si = sj =sl/2−1= 1)= 1

8, andP(sl = 1|si = sj = sk = 1)= 12. Thus,P4= 1

2 · 18 = 1

16. 2Given the segments3, . . . , sn−1 of a PLCP-sequence withn> 6, our intention is now to think about the number

of 4-tuples(i, j, k, l) with 2< i < j < k < l < n, that have probabilityP4 = 0. In conditionα of Lemma 6, thenumber of 4-tuples(1

2x−1, x−1, x, l) for fixedx is given by the number of possibilities to choosel with x < l < n.This number is given by(n− 1− x) · σ(n− 9). In the same manner, we obtain the number of combinations forP4 = 0 satisfyingβ by (1

2x − 1) · σ(n− 9), and those satisfyingγ by (12x − 4) · σ(n− 9). Summing over these

three conditions, we obtain(n−6) ·σ(n−9). This has to be multiplied by the number of possibilities forx, whichis given byd(n − 8)/2e. Obviously, conditionδ is reprensented by exactly one combination. Summing over allthese parts, we obtain the number of 4-tuples(i, j, k, l) for P4 = 0 as(n− 6) · d(n − 8)/2e · σ(n − 9)+ 1. Thenumber of 4-tuples(i, j, k, l) for whichP4= 1

8 as described in conditionε is given byd(n− 16)/2e · σ(n− 17).Now, we have all the means to presentE[(w(sn)−E[w(sn)])4].

Theorem 7. Let sn be a PLCP-sequence withn> 7. Then,

E[(w(sn)−E[w(sn)])4]= 3n2− 20n+ 9

16+ 3

2·⌈n− 16

2

⌉· σ(n− 17).

Proof. In this proof, we use the results of Lemmas 2, 4, 6, and Theorems 1, 3, 5. Additionally, we apply theprevious considerations concerning the number of triples(i, j, k) with 2< i < j < k < n for whichP3 = 0, andthe number of 4-tuples(i, j, k, l) with 2< i < j < k < l < n for which P4 = 0, andP4 = 1

8, respectively. Letn> 7.

E[(w(sn)−E[w(sn)])4]=E

[(w(sn)− n+ 1

2

)4]=E

[(n−1∑i=3

w(si )− n− 3

2

)4]

=E[(

n−1∑i=3

w(si)

)4]− 2(n− 3)E

[(n−1∑i=3

w(si)

)3]+ 3

2(n− 3)2E

[(n−1∑i=3

w(si)

)2]

− 1

2(n− 3)3E

[n−1∑i=3

w(si )

]+ (n− 3)4

16.

If we consider the components of the last expression separately, we obtain

E

[n−1∑i=3

w(si)

]= n− 3

2,

and

E

[(n−1∑i=3

w(si)

)2]=E

[n−1∑i=3

w(si)

]+ 2E

[ ∑2<i<j<n

w(si)w(sj )

]

= n− 3

2+ 2 ·

(n− 3

2

)· 1

4= n

2− 5n+ 6

4,

M. Schneider / Information Processing Letters 74 (2000) 175–182 181

E

[(n−1∑i=3

w(si)

)3]

=E[n−1∑i=3

w(si)

]+ 6E

[ ∑2<i<j<n

w(si)w(sj )

]+ 6E

[ ∑2<i<j<k<n

w(si)w(sj )w(sk)

]

= n− 3

2+ 6 ·

(n− 3

2

)· 1

4+ 6 ·

[(n− 3

3

)−⌈n− 8

2

⌉σ(n− 9)

]· 1

8

= n3− 6n2+ 9n

8− 3

4·⌈n− 8

2

⌉· σ(n− 9),

E

[(n−1∑i=3

w(si)

)4]

=E[n−1∑i=3

w(si)

]+ 14E

[ ∑2<i<j<n

w(si)w(sj )

]+ 36E

[ ∑2<i<j<k<n

w(si)w(sj )w(sk)

]

=+24E

[ ∑2<i<j<k<l<n

w(si )w(sj )w(sk)w(sl)

]

= n− 3

2+ 14

(n− 3

2

)· 1

4+ 36

(n− 3

3

)· 1

8+ 24

[(n− 3

4

)− 1

]· 1

16

−[36· 1

8+ 24· 1

16· (n− 6)

]·⌈n− 8

2

⌉· σ(n− 9)+ 24 · 1

16·⌈n− 16

2

⌉· σ(n− 17)

= n4− 6n3+ 3n2+ 34n− 72

16− 3n− 9

2·⌈n− 8

2

⌉· σ(n− 9)+ 3

2·⌈n− 16

2

⌉· σ(n− 17).

Summarizing these results, it yields

E[(w(sn)−E[w(sn)])4]= 3n2− 20n+ 9

16+ 3

2·⌈n− 16

2

⌉· σ(n− 17). 2 (5)

For completeness, we now consider PLCP-sequence lengths 16 n6 6. In cases ‘n= 1’ and ‘n= 3’, we have

E[(w(sn)−E[w(sn)])4]= 0.

If n= 2, we have

E[(w(sn)−E[w(sn)])4]= 1

16.

If 4 6 n6 6,

E[(w(sn)−E[w(sn)])4]= 3n2− 20n+ 33

16.

The considered statistical moments of PLCP-sequencessn and truely random sequencesrn can now be comparedfor given values ofn (see Table 1).

182 M. Schneider / Information Processing Letters 74 (2000) 175–182

Table 1Statistical moments ofrn andsn

· rn sn

E[w(·)], n> 1 n2

n+12

Var[w(·)], n> 3 n4

n−34

E[(w(·)−E[w(·)])3], n> 1 0 − 34 · d n−8

2 e · σ(n− 9)

E[(w(·)−E[w(·)])4], n> 7 3n2−2n16

3n2−20n+916 + 3

2 · d n−162 e · σ(n− 17)

3. Conclusion

If we compare the statistical moments of finite PLCP-sequences with the corresponding results of truely randomsequences, we see thatE[w(sn)] andE[w(rn)], andVar[w(sn)] andVar[w(rn)], respectively, are approximatelyequal, as it is required from a pseudorandom sequencesn. This property results from the pairwise mutualindependence of PLCP-sequence elements. Fork > 2, the sequence elements are notk-wise mutual independentanymore. Therefore, the 3rd and 4th order momentsE[(w(sn) − E[w(sn)])3] andE[(w(rn) − E[w(rn)])3],respectivelyE[(w(sn) − E[w(sn)])4] andE[(w(rn) − E[w(rn)])4], show different properties. The differencesbetween the corresponding 3rd and 4th order moments grow for increasing sequence lengthn. This result stemsfrom thek-wise mutual dependence of PLCP-sequence elements fork > 2. To overcome the restrictivity of PLCP-sequences, it would be interesting to analyze the distribution properties of sequences whose LCP does never exceeda given distanceδ > 0 from the(i/2)-line.

Acknowledgement

I am grateful to Professor Firoz Kaderali under whose supervision this work was done.I would like to thank the anonymous referee for giving me useful hints. Especially, I wish to thank Werner

Poguntke for many helpful discussions.

References

[1] W. Feller, An Introduction to Probability Theory and its Applications, Vols. 1 & 2, Wiley, New York, 1968/1971.[2] H. Niederreiter, Sequences with almost perfect linear complexity profile, in: D. Chaum, W. Price (Eds.), Proceedings Advances in

Cryptology—EUROCRYPT’87, Lecture Notes in Comput. Sci., Vol. 304, Springer, Berlin, 1988, pp. 37–51.[3] H. Niederreiter, The linear complexity profile and the jump complexity of keystream sequences, in: I. Damgard (Ed.), Proceedings Advances

in Cryptology—EUROCRYPT’90, Lecture Notes in Comput. Sci., Vol. 473, Springer, Berlin, 1991, pp. 174–188.[4] R. Rueppel, Analysis and Design of Stream Ciphers, Springer, Berlin, 1986.[5] M. Wang, Cryptographic aspects of sequence complexity measures, Dissertation No. 8723, ETH Zurich, 1988.[6] M. Wang, Linear complexity profiles and jump complexity, Inform. Process. Lett. 61 (1997) 165–168.