1. Introduction
Breakthroughs in electronics and telecommunications fields have made Internet of Things (IoT) a reality, with an every day growing number of sensors and devices around us. Nowadays, diverse critical services, such as smartgrid, ehealth, agricultural or industrial automation, depend on an IoT infrastructure. At any rate, as the services around IoT grow dramatically, so do the security risks [
1,
2].
Lowcost IoT devices, currently characterized by their resource constraints in processing power, memory, size and energy consumption, are also recognizable by their minimal or nonexistent security. Combining this lack of security with their network dependability, they become the perfect target as a gateway to the whole network [
3]. There are already some attacks where a vulnerable IoT sensor was used to gain control over the whole system (in [
4], wireless sensors are used to gain access to an automotive system).
This is the reason why general research [
5], 5Grelated research [
6] or specific calls such as that of NIST for lightweight cryptography primitives [
7], are addressing this concerning topic. Although different protocols of communication and orchestration are being proposed [
8], lightweight cryptography in general and stream ciphers in particular are the stepping stones on which such protocols are built to guarantee both device and network security.
Currently, linear feedback shift registers (LFSRs) are key components in stream ciphers, often used as pseudorandom number generators (PRNG). A representative example of LFSRbased practical design is the J3Gen, a pseudorandom number generator for lowcost passive radio frequency identification (RFID) tags. Such a generator has been analyzed and revised in [
9,
10], respectively.
In addition, we present the generalized selfshrinking generator, a family of ciphers suitable for cryptography [
11]. This generator remains strong against different algorithms that analyze the cryptographic strength (e.g., linear complexity) of its sequences. Such algorithms can be enumerated as follows: (1) the wellknown Berlekamp–Massey algorithm [
12], (2) the sequence decomposition algorithm developed by Cardell et al. in [
13] and (3) the folding sequence decomposition algorithm introduced in this paper. To our knowledge, no other algorithms to calculate the parameter linear complexity of binary sequences are described in the literature.
The study of the generalized selfshrinking generator is not a random choice. Indeed, it produces not only sequences that are difficult to be analyzed by the Berlekamp–Massey algorithm, but also it has been implemented in hardware [
14] along on RFID devices [
15]. Studying the robustness of these sequences could prevent vulnerabilities on the IoT devices and the services built on them.
The paper is organized as follows.
Section 2 includes a succinct revision of LFSRs and sequence generators based on irregular decimation, a wide type of generators including the generalized selfshrinking generator.
Section 3 describes the characteristics and generalities of the binomial sequences (BS), binary sequences that constitute the foundations of the two last algorithms mentioned above. The main contributions of this work are in
Section 4, where we analyze three algorithms to calculate the linear complexity of binary sequences: (a) the standard Berlekamp–Massey algorithm, (b) the basic binomial sequence decomposition (bBSD) algorithm, an improved version of the algorithm developed in [
13], that analyzes different properties of the binary sequences and (c) the folding binomial sequence decomposition (fBSD) algorithm, the novel proposal based on the symmetry of the binomial sequences.
Section 5 includes the discussion and comparison among the three previous algorithms. Finally, conclusions and possible future research lines in
Section 6 end the paper.
2. Sequence Generators Based on Linear Feedback Shift Registers
Linear feedback shift registers (LFSRs) [
16] are linear structures currently used in the generation of pseudorandom sequences. The LFSRs are electronic devices included in the majority of sequence generators described in the literature. The main reasons for such a generalized use of LFSRs are: these devices provide high performance when used for sequence generation, they are particularly wellsuited to hardware implementations, and such registers can be easily analyzed by means of basic algebraic techniques.
According to
Figure 1, a LFSR consists of: (a)
L interconnected stages numbered from left to right
$(0,1,\dots ,L1)$ where each of them stores one bit, (b) the feedback polynomial
$p\left(x\right)$ of degree
L notated
with binary coefficients
${c}_{i}$ and (c) the initial state or stage contents at the initial time. LFSRs generate sequences by means of shifts of the stage contents and linear feedback to the last stage.
The output of an LFSR with nonzero initial state is a binary sequence denoted by
$\left\{{a}_{n}\right\}$$(n=0,1,2,\dots )$. If the polynomial
$p\left(x\right)$ is primitive [
16], then the output sequence is called PNsequence (or pseudonoise sequence). In addition, the period of a PNsequence is
$T={2}^{L}1$ bits with
${2}^{L1}$ ones and
${2}^{L1}1$ zeros.
The linear complexity of a sequence, notated $LC$, quantifies the number of bits necessary to reconstruct the whole sequence. For particular applications of binary sequences, e.g., cryptographic applications (stream ciphers), $LC$ must be as large as possible. Moreover, the linear complexity is a parameter closely related to the concept of LFSR. In fact, the linear complexity of a sequence is defined as the length of the shortest LFSR that generates such a sequence.
Although an LFSR in itself is an excellent generator of pseudorandom sequence, in practice it has undesirable linearity properties which reduce the security of its use. Due to these linearities, LFSRs exhibit a very low
$LC$ of value just
L. Consequently, in the process of generation of the pseudorandom sequence, any type of nonlinearity must be introduced. The irregular decimation of PNsequences is one of the most popular techniques to destroy the inherent linearity of the LFSRs [
17,
18]. In brief, this procedure is based on the fact of removing some bits of a PNsequence according to the bits of another one.
Inside the type of irregularly decimated generators, we can enumerate: (a) the shrinking generator introduced in [
19] that includes two LFSRs, (b) the selfshrinking generator [
20] that involves just one LFSR and (c) the generalized selfshrinking generator proposed in [
21] that is considered as a simplification of the shrinking generator as well as a generalization of the selfshrinking generator. In this work, we focus on the last type of generator, that is, the generalized selfshrinking generator.
The Generalized SelfShrinking Generator (GSSG)
The generalized selfshrinking generator can be described as follows:
It makes use of two PNsequences: $\left\{{a}_{n}\right\}$ a PNsequence produced by an LFSR with L stages and a shifted version of such a sequence denoted by $\left\{{v}_{n}\right\}$. In fact, $\left\{{v}_{n}\right\}=\left\{{a}_{n+p}\right\}$, thus $\left\{{v}_{n}\right\}$ corresponds to the own sequence $\left\{{a}_{n}\right\}$ rotated cyclically p positions to the left with $(p=0,1,\dots ,{2}^{L}2)$.
In order to generate the output sequence, it relates both sequences by means of a simple decimation rule.
For
$n\ge 0$, the decimation rule is defined as follows:
Thus, for each value of
p, an output sequence
${\left\{{s}_{n}\right\}}_{p}={\{{s}_{0}\phantom{\rule{0.166667em}{0ex}}{s}_{1}\phantom{\rule{0.166667em}{0ex}}{s}_{2}\dots \}}_{p}$ is generated. Such a sequence is called the
p generalized selfshrunken sequence (GSSsequence) or simply generalized sequence associated with the shift
p. Recall that
$\left\{{a}_{n}\right\}$ remains fixed while
$\left\{{v}_{n}\right\}$ is the sliding sequence or leftshifted version of
$\left\{{a}_{n}\right\}$. If
p ranges in the interval
$[0,1,\dots ,{2}^{L}2]$, then we obtain the
${2}^{L}1$ members of the family of generalized sequences based on the PNsequence
$\left\{{a}_{n}\right\}$. Since the PNsequence has
${2}^{L1}$ ones, the period of any generalized sequence will be
${2}^{L1}$ or divisors of this number, in any case, a power of 2. In addition, the
$LC$ of every GSSsequence is upperbounded by
${2}^{L1}(L2)$ [
22] (Theorem 2). Next, an illustrative example of a family of GSSsequences is introduced.
Example 1. For an LFSR with primitive polynomial $p\left(x\right)={x}^{4}+x+1$ and initial state $(1,1,1,1)$, we generate the generalized sequences depicted in Table 1. The bits in bold in the different sequences $\left\{{v}_{n}\right\}$ are the digits of the corresponding GSSsequence associated to the corresponding shift p. The PNsequence $\left\{{a}_{n}\right\}$ with period $T={2}^{4}1$ is written at the bottom of the table in columns 2 and 5. There are two particular facts that differentiate the GSSsequences from the PNsequences generated by LFSRs:
3. Binomial Sequences: Characteristics and Generalities
In this section, we introduce the binomial sequences as a new representation of the binary sequences whose period is a power of 2. Next, the close relationship between binomial sequences and Sierpinski’s triangle is also considered.
3.1. Concepts and Fundamentals of the Binomial Sequences
The binomial number $\left(\right)$ is the coefficient of the ith power ${x}^{i}$ in the polynomial expansion of ${(1+x)}^{n}$. For every nonnegative integer n, it is a wellknown fact that $\left(\right)open="("\; close=")">\genfrac{}{}{0pt}{}{n}{0}$, as well as $\left(\right)open="("\; close=")">\genfrac{}{}{0pt}{}{n}{i}$ for all $i>n$.
The concept of binomial sequence is defined in terms of the binomial coefficients $\left(\right)$ reduced modulo 2.
Definition 1. Given an integer $i\ge 0$, the sequence ${\left(\right)}_{{b}_{n}}$$(n=0,1,2,\dots )$ is called the ith binomial sequence if its elements are binomial coefficients reduced modulo 2, that is ${b}_{n}=\left(\right)open="("\; close=")">\genfrac{}{}{0pt}{}{n}{i}$.
Binomial sequences are currently notated ${\{\left(\right)open="("\; close=")">\genfrac{}{}{0pt}{}{n}{i}}_{\}}$$(n=0,1,2,\dots )$ and the integer i is the index of the binomial sequence. When n takes successive values, the binomial coefficients modulo 2 define the terms of a binary sequence with its corresponding period and linear complexity.
Table 2 shows the eight first binomial sequences
$\{\left(\right)open="("\; close=")">\genfrac{}{}{0pt}{}{n}{i}$,
$i=0,1,\dots ,7$, see [
24], where
${T}_{i}$ and
$L{C}_{i}$ denote period and linear complexity, respectively.
Next, fundamental properties of the binomial sequences that will be used throughout the work are introduced.
Given the binomial sequence
$\left\{\left(\right),\genfrac{}{}{0pt}{}{n}{{2}^{r}+i}\right\}$, with
$0\le i<{2}^{r}$ and
r being a nonnegative integer, we have that [
13] (Proposition 3):
 (a)
This binomial sequence has period $T={2}^{r+1}$.
 (b)
The period of such a binomial sequence has the following structure:
Every binary sequence whose period is a power of 2 can be written as a linear combination of a finite number of binomial sequences [
13] (Theorem 2). Such a combination is called the binomial sequence decomposition (BSD) of the sequence under consideration.
The linear complexity of the binomial sequence
$\left\{\left(\right),\genfrac{}{}{0pt}{}{n}{i}\right\}$ with
$i\ge 0$ is
$LC=i+1$, see [
13] (Theorem 13).
Given a sequence with BSD
${\sum}_{k=0}^{t}\left\{\left(\right),\genfrac{}{}{0pt}{}{n}{{i}_{k}}\right\}$, where
${i}_{0}<{i}_{1}<\cdots <{i}_{t}$ are integer indexes, then its linear complexity is given by
$LC={i}_{t}+1$, see [
13] (Corollary 14).
Given a sequence with BSD
${\sum}_{k=0}^{t}\left\{\left(\right),\genfrac{}{}{0pt}{}{n}{{i}_{k}}\right\}$, where
${i}_{0}<{i}_{1}<\cdots <{i}_{t}$ are integer indexes, then its period
T is that of the binomial sequence
$\left\{\left(\right),\genfrac{}{}{0pt}{}{n}{{i}_{t}}\right\}$, see [
24] (Theorem 1).
According to the previous properties, two important remarks are derived:
Remark 1. The period T of the binomial sequences $\{\left(\right)open="("\; close=")">\genfrac{}{}{0pt}{}{n}{i}$ ($i\ge 0$) can be quantified as follows:
${2}^{0}$ binomial sequences with period $T={2}^{1}$.
${2}^{1}$ binomial sequences with period $T={2}^{2}$.
${2}^{2}$ binomial sequences with period $T={2}^{3}$.
…and so on.
In general, ${2}^{i}$ binomial sequences with period $T={2}^{i+1}$ with $i\ge 0$.
On the other hand, the linear complexity of the binomial sequences is different for each binomial sequence $\{\left(\right)open="("\; close=")">\genfrac{}{}{0pt}{}{n}{i}$ and takes the value $LC=i+1$.
Remark 2. The generalized sequences are binary sequences whose period is a power of 2. Consequently, they can be written in terms of binomial sequences satisfying all the previous properties.
3.2. The Sierpinski’s Triangle
When the binomial coefficients are arranged into rows for the successive values of
$n=0,1,2,\dots $ (a row for each value of
n), then the generated structure is the wellknown Pascal’s triangle depicted in
Figure 2a. If we color the odd numbers and shade the even ones in such a triangle, then we get the Sierpinski’s triangle whose version reduced mod 2 is depicted in
Figure 2b.
Recall that the successive diagonals of the Sierpinski’s triangle in
Figure 2b correspond to the successive binomial sequences
$\left\{\left(\right),\genfrac{}{}{0pt}{}{n}{i}\right\}$,
$(i=0,1,2,\dots )$ with
$n\ge i$. That is, each diagonal of the triangle starts at the first 1 of the corresponding binomial sequence. Consequently, the binomial sequences can be found inside the Sierpinski’s triangle mod 2, as well as they can also be found inside certain linear cellular automata, e.g., cellular automata with rules 102 and 60 in Wolfram’s notation. See [
13] for more details.
4. Algorithms to Calculate the Linear Complexity
In this section, we describe and develop different algorithms to calculate the linear complexity of binary sequences. Except for the first algorithm (Berlekamp–Massey algorithm), the remaining may be applied exclusively to sequences whose length (period) is a power of 2. They are based on the characteristics and properties of the binomial sequences.
Once the Berlekamp–Massey algorithm has been considered, this section introduces in detail the basic binomial sequence decomposition algorithm (bBSD) and possible improvements to its implementation.
Next, a new approach to the binomial sequence decomposition is developed, giving rise to the folding binomial sequence decomposition algorithm (fBSD). Such an algorithm improves the throughput of previous methods thanks to the symmetry of the binomial sequences.
A comparison among Berlekamp–Massey, bBSD and fBSD algorithms will be presented in the next section of this work.
Previously to the algorithms, we introduce a particular notation to be used systematically in the sequel.
NOTATION: For the sake of simplicity, in the successive algorithms of this section, the binomial coefficient $\left(\right)$ will denote the corresponding kth binomial sequence. Then, the term ${\left(\right)}_{\genfrac{}{}{0pt}{}{n}{k}}$ stands for the binary subsequence of $\left(\right)$ between the bits i and j, while ${\left(\right)}_{\genfrac{}{}{0pt}{}{n}{k}}$ denotes the j first bits of the binomial sequence $\left(\right)$.
4.1. Berlekamp–Massey Algorithm
Traditionally, the general method of calculating the linear complexity of a sequence is the Berlekamp–Massey algorithm [
12]. It can be applied to sequences of any length, not necessarily a power of 2. Consequently, it is the most general among the algorithms that calculate the linear complexity of a sequence.
Given a binary sequence, this algorithm provides one with a general solution to the problem of synthesizing the shortest LFSR that generates such a sequence. At each step, the algorithm incrementally adjusts the length of the LFSR and the feedback polynomial to generate the subsequence analyzed to that point. The algorithm terminates when the whole sequence has been generated.
In order to work, this algorithm needs to process
$2\ast LC$ bits of the sequence with a computational complexity of
$O\left(L{C}^{2}\right)$ [
25].
4.2. Basic Binomial Sequence Decomposition (bBSD)
Based on the mathematical results provided in the previous section, a basic binomial sequence decomposition algorithm (bBSD) can be designed in order to calculate the $LC$ of a given sequence. In particular, two facts are used:
A sequence of length
l can be decomposed in
$t+1$ binomial sequences (item 2. in
Section 3.1):
The linear complexity of a sequence can be calculated from the binomial sequence of maximum index in its BSD (item 3. in
Section 3.1). Since the binomial sequences are written in increasing order, then
$LC$ satisfies the following expression:
The resulting algorithm can be seen in Algorithm 1. It takes the sequence to be analyzed as input and checks for every bit equal to 1. When $bi{t}_{i}$ is equal to 1, it sums the sequence with the corresponding binomial sequence ($seq=seq+\left(\right)open="("\; close=")">\genfrac{}{}{0pt}{}{n}{i}$), stopping when all the binomial sequences have been already found. In that case, the resulting sequence $seq$ is the identically null sequence.
Once the BSD has been obtained, the binomial sequence
$\left(\right)$ allows us, via the Equation (
1), to calculate
$LC$. A stepbystep example of the algorithm decomposing a sequence
$se{q}_{16}=00100100\phantom{\rule{4pt}{0ex}}10111101$ of length
$l=16$ can be seen in
Table 3.
Algorithm 1 Basic Binomial Sequence Decomposition (bBSD). 
Require:$seq$: intercepted bits $binom=[\varnothing ]$ for $i=0;\phantom{\rule{4pt}{0ex}}i<length\left(seq\right);\phantom{\rule{4pt}{0ex}}i$++ do if $se{q}_{i}\ne 0$ then $seq+=\left(\right)open="("\; close=")">\genfrac{}{}{0pt}{}{n}{i}$ $binom.add\left(i\right)$ end if end for return $binom$: Binomial decomposition of the intercepted bits

Thus, the bBSD algorithm is able to calculate $LC$, as the Berlekamp–Massey algorithm does, but after having processed only $LC$ bits of the sequence instead of $2\ast LC$. The complexity of bBSD algorithm, which performs the sum of two sequences of l bits (l additions) for every binomial sequence, is $O(t\ast l)$, t being the number of binomial sequences in which the main sequence is decomposed with $\phantom{\rule{4pt}{0ex}}t\ll l$.
Moreover, the logic of the algorithm can be improved by avoiding the sum of the subsequences that are zero. On the one hand, thanks to item 1 (b) in
Section 3.1, we know that
$\left(\right)open="("\; close=")">\genfrac{}{}{0pt}{}{n}{k}$. On the other hand, at each step of the bBSD algorithm, the sequence begins with zeros. That is, at step
i, the
${k}_{i}$ first terms of the sequence are zeros.
If these two facts are combined, then the number of operations performed by the algorithm can be reduced. When the algorithm detects the first 1 in the ith position of $seq$, instead of performing the sum of two sequences of l bits ($seq+\left(\right)open="("\; close=")">\genfrac{}{}{0pt}{}{n}{i}$), it just sums both sequences between the ith and $(l1)$th bits ($se{q}_{i,l1}+{\left(\right)}_{\genfrac{}{}{0pt}{}{n}{i}}i,l1$), as the beginning of both sequences (from bit 0 up to bit $i1$) are made up of zeros.
Compared with
$t\ast l$, the number of operations is reduced as follows:
In addition, for sequences whose
$LC$ is upper bounded, we do not need to perform the sum of any binomial sequence after the binomial of maximum index is attained. This is the case for every GSSsequence produced by the generalized selfshrinking generator. Since the linear complexity of this family of sequences satisfies the inequality:
and its maximum length is
$l={2}^{L1}$ (
L being the number of stages in the LFSR that generates the GSSsequences), then
Therefore, the maximum index
${k}_{max}$ in the BSD of these sequences is:
and the final number of operations in the algorithm will be:
Thus, at each algorithm step, the number of operations is incrementally reduced.
To upgrade the code in Algorithm 1, only the summation limits must be changed, which will now be
$seq=se{q}_{i,{k}_{max}}+{\left(\right)}_{\genfrac{}{}{0pt}{}{n}{i}}i,{k}_{max}$, with
${k}_{max}$ given in Equation (
2).
In brief, the bBSD algorithm will require at most ($llogl$) bits of the sequence to calculate the $LC$ with a complexity less than $O(t\ast l)$.
4.3. Folding Binomial Sequence Decomposition (fBSD): Theoretical Foundations
Despite the improvement in both complexity and length requirements between bBSD and Berlekamp–Massey, there is still room for enhancing the decomposition mechanism.
In the next subsection, a new algorithm design is explained, improving the results of the bBSD algorithm by taking advantage of the symmetry of the binomial sequences.
In this subsection, we develop new properties of the binomial sequences, particularly symmetric properties, on which the fBSD algorithm is based.
First of all, a result that relates the index k of a binomial sequence with the period of such a sequence is introduced.
Theorem 1. For every binomial sequence $\left(\right)$ with $k>0$, there exists an integer $m>0$, such that ${2}^{m}$ is the period of the binomial sequence, as well as the index k satisfying the inequality: Proof. In fact, any integer
$k>0$ can be written in the range
${2}^{m1}\le k<{2}^{m}$, where
${2}^{m1}$ and
${2}^{m}$ are two consecutive powers of 2 and
$m\ge 1$. In this case,
j being an integer in the interval
$0\le j<{2}^{m1}$. Thus, the binomial sequence can be written as:
and, according to item 1. (b) in
Section 3.1, its period will be
$l={2}^{m}$. □
Therefore, the index
k determines the period of the binomial sequence
$\left(\right)$. Moreover, recall that in Equation (
3)
if $j=0$, then k takes the minimum value $k={2}^{m1}$,
if $j={2}^{m1}1$, then k takes the maximum value $k={2}^{m}1$.
Thus, k ranges in the interval $k\in [{2}^{m1},{2}^{m}1]$ and the next corollary follows directly:
Corollary 1. The number of different binomial sequences $\left(\right)$ with the same period ($l={2}^{m}$) is ${2}^{m1}$.
Symmetry of (${}_{k}^{n}$)
There are different properties regarding the symmetric structure of the binomial sequences and their relation to the powers of 2 that are explained in the following.
Every binomial sequence
$\left(\right)$ with length
$l={2}^{m}$ (
$m>0$) can be divided into two subsequences of length
$\frac{l}{2}$ as follows:
On the other hand, recall that the binomial sequence
$\left(\right)$ starts with
k zeros. Therefore, if
$k\ge \frac{l}{2}$, then such a sequence can be divided in the following way:
where
$zero{s}_{\frac{l}{2}}$ represents the subsequence identically null of length
$\frac{l}{2}$.
In fact, this is a simplification of a stronger result, defined in the next theorem.
Theorem 2. Every binomial sequence ${\left(\right)}_{\genfrac{}{}{0pt}{}{n}{k}}$ can be divided into two sequences of length $\frac{l}{2}$ as follows:
 1.
If $k\ge \frac{l}{2}$, then  2.
Proof. Since
$k\ge \frac{l}{2}$, it can be written as
$k={2}^{m1}+i$ with
$0\le i<{2}^{m1}$. Then,
Since
$k<\frac{l}{2}={2}^{m1}$, it can be written as
$k={2}^{j}+i$ with
$0\le i<{2}^{j}$, where
i and
j are integers as well as
$j<m1$. The binomial sequence
$\left(\right)open="("\; close=")">\genfrac{}{}{0pt}{}{n}{k}$ has length
${2}^{j+1}$, that is a power of 2, as well as
${2}^{j+1}<{2}^{m}$. Thus, the first and second subsequences in Equation (
4) are equal.
□
In
Table 4, where the binomial decomposition of
$se{q}_{16}$ is represented with
$\frac{l}{2}=8$, the condition 1 of the Theorem 2 is observable on the binomial sequences
$\left(\right)open="("\; close=")">\genfrac{}{}{0pt}{}{n}{8}$ and
$\left(\right)$. In contrast, the binomial sequences
$\left(\right)open="("\; close=")">\genfrac{}{}{0pt}{}{n}{2},\left(\right)open="("\; close=")">\genfrac{}{}{0pt}{}{n}{5}$ and
$\left(\right)$ satisfy the condition 2, where the eight first bits repeat themselves.
Putting together the facts regarding the symmetry of the binomial sequences, they can be classified in two groups depending on the value of their index. This fact is explained in Algorithm 2.
Algorithm 2 Binomial Sequences Classification. 
For a given sequence ${\left(\right)}_{\genfrac{}{}{0pt}{}{n}{k}}$: if$k<\frac{l}{2}$then $\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}{\left(\right)}_{\genfrac{}{}{0pt}{}{n}{k}}l)$ else $\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}{\left(\right)}_{\genfrac{}{}{0pt}{}{n}{k}}l$ end if

If the binomial sequences are divided as seen in Algorithm 2, then the binomial representation of a sequence results in a block matrix
$M=$$\left(\begin{array}{c}\begin{array}{cc}{M}_{0}& {M}_{1}\\ {M}_{2}& {M}_{3}\end{array}\end{array}\right)$, that is, a matrix representation of the BSD, as follows:
Three important characteristics about the matrix representation shown in (
5) are the core of the folding BSD algorithm.
${M}_{0}={M}_{1}$.
${M}_{2}=0$.
As the length of the sequence is of the form $l={2}^{m}$, the matrix representation can be extended in a recursive way, taking ${M}_{3}$ and repeating the same process until it cannot be divided anymore (length = 1).
The following expression (
7) is an example of the matrix representation of the sequence decomposition of
Table 4.
In order to calculate the
$LC$ of the given sequence, only the highest binomial sequence of its decomposition is needed. Thus, the fBSD algorithm will benefit from the symmetry of the binomial sequences, by reducing recursively the length of the sequence to analyze, as depicted in the matrix expression (
6).
4.4. Folding Binomial Sequence Decomposition Algorithm
The previous subsection described all the elements needed by the fBSD algorithm. In fact, the algorithm locates the maximum binomial sequence to calculate $LC$. At every step, it sums the first half of the sequence with the second half. If the result is different from zero, then it continues with the resulting sequence. Otherwise, it continues with half the previous sequence. The procedure ends when only one bit is left.
At every step, the folding mechanism reduces the length of the studied sequence by 2. It performs a bit sum of the successive halves of the sequence, with a total of
$logl$ steps. Given a sequence
$seq$ with length
l, the number of operations of the algorithm can be calculated as follows:
The final pseudocode of the algorithm, for a given binary sequence of length
l (although we can reduce it to (
$llogl$), as explained in
Section 4.2) and complexity O(
l), can be found in Algorithm 3. The way that this algorithm searches for the maximum binomial sequence is similar to that of the binary search algorithm. The difference results in the binary search only performing one comparison in each step, while our algorithms need to perform
$\frac{length\left(l\right)}{{2}^{i}}$ operations per step.
Let us see how it works with an example.
Example 2. Take the same sequence as before $se{q}_{16}=00100100\phantom{\rule{4pt}{0ex}}10111101$.
Step 1: $\begin{array}{ccc}& 0010& 0100\\ +& 1011& 1101\\ & 1001& 1001\end{array}$ As $aux$ = $1001\phantom{\rule{0.166667em}{0ex}}1001\ne {0}_{0,7}$, then $seq$ = $aux$ = $1001\phantom{\rule{0.166667em}{0ex}}1001$ and k = 8.
Step 2: $aux=\begin{array}{ccc}& 10& 01\\ +& 10& 01\\ & 00& 00\end{array}$ As $aux={0}_{0,3}$, then $seq=1001$.
Step 3: $aux=\begin{array}{ccc}& 1& 0\\ +& 0& 1\\ & 1& 1\end{array}$ As $aux\ne {0}_{0,1}$, then $seq=aux=1\phantom{\rule{4pt}{0ex}}1$ and $k=8+2$.
Step 4: $aux=\begin{array}{cc}& 1\\ +& 1\\ & 0\end{array}$ As $aux=0$, then $seq=aux=0$.
End: the maximum binomial sequence is $\left(\right)open="("\; close=")">\genfrac{}{}{0pt}{}{n}{10}$.
A representation of the algorithm workflow can be seen in
Figure 3.
Algorithm 3 Folding Binomial Sequences Classification. 
Require:$seq$: intercepted bits $k=0$ while $length\left(seq\right)>1$ do $l=length\left(seq\right)$ aux = $se{q}_{\frac{l}{2},l1}$ + $se{q}_{0,\frac{l}{2}1}$ if $aux\ne {0}_{\frac{l}{2}}$ then $seq=aux$ $k+=\frac{l}{2}$ else $seq=se{q}_{0,\frac{l}{2}1}$ end if end while return k: maximum binomial sequence

5. Algorithm Discussion
The three algorithms for linear complexity calculation we have visited in our work have different properties and capabilities. Thus, it is worth discussing all of them. In
Table 5, there is a simple comparison between the sequence length required and the computational complexity in each one of these algorithms.
The Berlekamp–Massey algorithm is the classic algorithm to calculate the linear complexity of any sequence. Nevertheless, for sequences whose $LC$ is near their length, e.g., the GSSsequences, it needs twice the length l of the sequence and its computational complexity is O(${l}^{2}$). When it is applied to LFSRbased sequences, this result can become impractical, particularly when these sequences may exhibit a length of ${2}^{128}$ bits, for instance, the GSSsequences in cryptographic applications.
Concerning the basic binomial sequence decomposition algorithm (bBSD), it allows an improvement in the amount of sequence required regarding the Berlekamp–Massey algorithm. Nevertheless, its computational complexity can be tricky to assess, because it depends on the number t of binomial sequences that appear in the BSD of the sequence under consideration.
5.1. Number of Sequences in the Decomposition
The number of sequences in the binomial decomposition, t, has not been studied previously in the literature. This is one of the facts that makes it difficult to measure the actual improvement of the bBSD algorithm, whose computational complexity depends on this specific parameter.
In order to study the behavior of t and its dependency on the original sequence, some experiments were carried out.
In our experiments, all the employed sequences were the GSSsequences coming from LFSRs with polynomials of degrees between five and ten. As a result, we observed on average a number of binomial sequences given by
${2}^{n2}$,
n being the degree of the LFSR polynomials
$\forall n\in [5,10]$. The plots corresponding to the number of binomial sequences in the decomposition of all these GSSsequences are depicted in the
Figure 4.
The distribution of the number of sequences in a binomial decomposition seems to be close to a normal distribution, although a thin tail on the left can be noticed, which means that for a few sequences, the number of binomial sequences will be lower. In those particular cases, this algorithm will perform better than in the general case.
At any rate, recall that this result $t\approx {2}^{n2}$ is backed up by experimental results and no mathematical proof exists regarding the t parameter behavior.
5.2. fBSD Performance
On the other hand, the folding binomial sequence decomposition algorithm (fBSD) has a set of characteristics that improves its performance when compared with both Berlekamp–Massey and bBSD algorithms. In fact, it requires the same length as that of the bBSD algorithm and improves considerably this requirement when it is compared with the Berlekamp–Massey algorithm. Another interesting characteristic is that its computational complexity does not depend on the number t of binomial sequences as the bBSD algorithm does, which introduces a penalty factor of about ${2}^{n2}$ in the bBSD algorithm performance.
The reason for its improvement is that, at each step of the algorithm, the length of the resulting sequence is divided by two, as can be seen in
Figure 3. Consequently, the number of operations to be performed and the memory needed are progressively reduced.
Although the final purpose of this work is not the implementation of the different algorithms, it is worth pointing out that the fBSD algorithm can be transformed into a concurrent algorithm for the linear complexity calculation. This fact theoretically improves its performance when the fBSD algorithm is implemented in an environment with concurrent computation capabilities, as opposed to the bBSD algorithm, which performs its calculations in a sequential way and cannot operate in a concurrent fashion.
Finally, a comparison of our work and previous works [
26,
27] can be summarized in
Table 6.
In such a table, we point out the main contributions of our current work compared to past works: the introduction of the fBSD algorithm, the complexity analysis of bBSD (already introduced in [
13]), backed up by our experiments on the number of sequences in the BSD, and the complexity analysis of fBSD, which in the end shows how the fBSD outperforms the previous algorithms.
6. Conclusions
In this work, a new algorithm, the folding BSD algorithm, has been introduced and developed. It exhibits a better performance than similar algorithms to compute the lineal complexity of a binary sequence, especially on sequences that are particularly difficult to be decomposed by the Berlekamp–Massey algorithm. This is a big step in the study of the binary sequences with period a power of two, and makes it easier to detect flaws in this kind of sequences. Detecting such vulnerabilities in a cipher implemented in practical applications could compromise the corresponding IoT devices and the services behind them.
Moreover, the binomial decomposition of sequences as a way to extract information from a given sequence is an innovative but powerful tool, and it is left for future work its application to other kinds of binary sequences.
An experimental approximation to the complexity of the bBSD algorithm based on the density of binomial sequences has been introduced, but this topic requires further research to find hard proof on the number of sequences that appear in a binomial decomposition.
In regard to the fBSD algorithm presented in this article, it shows better theoretical characteristics in both complexity and length of the sequence required. Future works may study the algorithm performance in real world scenarios by applying it to different binary sequences and taking advantage of the algorithm parallel capabilities.
To compare the performance of the novel fBSD algorithm with bBSD, we carried out experiments to analyze the number of decomposed sequences, as this parameter deeply affects the performance of the bBSD algorithm. As a result of our experiments, we were able to approximate the value of the parameter and the performance of bBSD, which helps to show how the new algorithm fBSD improves its performance when the length of the sequence starts to grow.
Author Contributions
Conceptualization, J.L.M.N. and A.F.S.; methodology, J.L.M.N. and A.F.S.; software, J.L.M.N.; validation, A.F.S.; formal analysis, A.F.S.; investigation, J.L.M.N.; resources, A.F.S.; data curation, J.L.M.N. and A.F.S.; writing—original draft preparation, A.F.S.; writing—review and editing, J.L.M.N. and A.F.S.; visualization, J.L.M.N.; supervision, A.F.S.; project administration, A.F.S.; funding acquisition, J.L.M.N. and A.F.S. All authors have read and agreed to the published version of the manuscript.
Funding
Research partially supported by Ministerio de Economía, Industria y Competitividad, Agencia Estatal de Investigación, and Fondo Europeo de Desarrollo Regional (FEDER, UE) under project COPCIS (TIN201784844C21R) and by Comunidad de Madrid (Spain) under project CYNAMON (P2018/TCS4566), also cofunded by European Union FEDER funds.
Conflicts of Interest
The authors declare no conflict of interest. The funders had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript, or in the decision to publish the results.
References
 Chin, W.L.; Li, W.; Chen, H.H. Energy big data security threats in IoTbased smart grid communications. IEEE Commun. Mag. 2017, 55, 70–75. [Google Scholar] [CrossRef]
 Meyer, D.; Haase, J.; Eckert, M.; Klauer, B. New attack vectors for building automation and IoT. In Proceedings of the IECON 2017 43rd Annual Conference of the IEEE Industrial Electronics Society, Beijing, China, 29 October–1 November 2017; pp. 8126–8131. [Google Scholar]
 GallegosSegovia, P.L.; BravoTorres, J.F.; ArgudoParra, J.J.; SacotoCabrera, E.J.; LariosRosillo, V.M. Internet of things as an attack vector to critical infrastructures of cities. In Proceedings of the 2017 International Caribbean Conference on Devices, Circuits and Systems (ICCDCS), Cozumel, Mexico, 5–7 June 2017; pp. 117–120. [Google Scholar]
 Rouf, I.; Miller, R.D.; Mustafa, H.A.; Taylor, T.; Oh, S.; Xu, W.; Gruteser, M.; Trappe, W.; Seskar, I. Security and Privacy Vulnerabilities of InCar Wireless Networks: A Tire Pressure Monitoring System Case Study. In Proceedings of the USENIX Security Symposium, Washington, DC, USA, 11–13 August 2010. [Google Scholar]
 Cynthia, J.; Sultana, H.P.; Saroja, M.; Senthil, J. Security protocols for IoT. In Ubiquitous Computing and Computing Security of IoT; Springer: Berlin/Heidelberg, Germany, 2019; pp. 1–28. [Google Scholar]
 Mavromoustakis, C.X.; Mastorakis, G.; Batalla, J.M. Internet of Things (IoT) in 5G Mobile Technologies; Springer: Berlin/Heidelberg, Germany, 2016; Volume 8. [Google Scholar]
 NIST Lightweight Cryptography Project. Available online: https://csrc.nist.gov/Projects/LightweightCryptography (accessed on 30 March 2020).
 McGinthy, J.M. Solutions for Internet of Things Security Challenges: Trust and Authentication. Ph.D. Thesis, Virginia Tech, Blacksburg, VA, USA, 2019. [Google Scholar]
 Peinado, A.; Munilla, J.; FústerSabater, A. EPCGen2 Pseudorandom Number Generators: Analysis of J3Gen. Sensors 2014, 14, 6500–6515. [Google Scholar] [CrossRef] [PubMed] [Green Version]
 Peinado, A.; Munilla, J.; FústerSabater, A. Revision of J3Gen and Validity of the Attacks by Peinado et al. Sensors 2015, 15, 11988–11992. [Google Scholar] [CrossRef] [PubMed] [Green Version]
 Cardell, S.D.; Requena, V.; FústerSabater, A.; Orúe, A.B. Randomness Analysis for the Generalized SelfShrinking Sequences. Symmetry 2019, 11, 1460. [Google Scholar] [CrossRef] [Green Version]
 Massey, J. Shiftregister synthesis and BCH decoding. IEEE Trans. Inf. Theory 1969, 15, 122–127. [Google Scholar] [CrossRef] [Green Version]
 Cardell, S.D.; FústerSabater, A. Binomial Representation of Cryptographic Binary Sequences and Its Relation to Cellular Automata. Complexity 2019, 2019, 2108014. [Google Scholar] [CrossRef] [Green Version]
 Chang, K.Y.; Lee, M.K.; Lee, H.R.; Do Won, H.O.N.G.; Kang, J.S.; Cho, H.S.; Chung, K.I. Method and Apparatus for Generating Keystream. U.S. Patent 7,587,046, 8 September 2009. [Google Scholar]
 Kang, Y.S.; Kim, H.W.; Chung, K.I. Apparatus and Method for Protecting RFID Data. U.S. Patent 8,386,794, 26 February 2013. [Google Scholar]
 Golomb, S.W. Shift Register Sequences; Aegean Park Press: Laguna Hills, CA, USA, 1967. [Google Scholar]
 Cardell, S.D.; FústerSabater, A. The tModified selfshrinking generator. In Proceedings of the International Conference on Computational Science, Krakow, Poland, 16–18 June 2021; Springer: Berlin/Heidelberg, Germany, 2018; pp. 653–663. [Google Scholar]
 Cardell, S.D.; FústerSabater, A. Cryptography with Shrinking Generators: Fundamentals and Applications of Keystream Sequence Generators Based on Irregular Decimation; Springer: Berlin/Heidelberg, Germany, 2019. [Google Scholar]
 Coppersmith, D.; Krawczyk, H.; Mansour, Y. The shrinking generator. In Proceedings of the Annual International Cryptology Conference, Santa Barbara, CA, USA, 22–26 August 1993; Springer: Berlin/Heidelberg, Germany, 1993; pp. 22–39. [Google Scholar]
 Meier, W.; Staffelbach, O. The selfshrinking generator. In Communications and Cryptography; Springer: Berlin/Heidelberg, Germany, 1994; pp. 287–295. [Google Scholar]
 Hu, Y.; Xiao, G. Generalized selfshrinking generator. IEEE Trans. Inf. Theory 2004, 50, 714–719. [Google Scholar] [CrossRef]
 FústerSabater, A.; Cardell, S.D. Linear complexity of generalized sequences by comparison of PNsequences. Rev. Real Acad. Cienc. Exactas Fis. Nat. Ser. A Matemáticas 2020, 114, 79. [Google Scholar] [CrossRef]
 Cardell, S.D.; Climent, J.J.; FústerSabater, A.; Requena, V. Representations of Generalized SelfShrunken Sequences. Mathematics 2020, 6, 1006. [Google Scholar] [CrossRef]
 FústerSabater, A. Generation of cryptographic sequences by means of difference equations. Appl. Math. Inf. Sci. 2014, 8, 475. [Google Scholar] [CrossRef]
 Cusick, T.W.; Stanica, P. Cryptographic Boolean Functions and Applications; Academic Press: Cambridge, MA, USA, 2017. [Google Scholar]
 MartinNavarro, J.L.; FústerSabater, A. FoldingBSD Algorithm for Binary Sequence Decomposition. In Proceedings of the International Conference on Computational Science and Its Applications, Santa Barbara, CA, USA, 22–26 August 2020; Springer: Berlin/Heidelberg, Germany, 2020; pp. 345–359. [Google Scholar]
 MartínNavarro, J.L.; FústerSabater, A.; Cardell, S.D. An Innovative Linear Complexity Computation for Cryptographic Sequences. In Proceedings of the Conference on Complex, Intelligent, and Software Intensive Systems, Loze, Poland, 1–3 July 2020; Springer: Berlin/Heidelberg, Germany, 2020; pp. 339–349. [Google Scholar]
 Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. 
© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).