Review of the Lineal Complexity Calculation through Binomial Decomposition-Based Algorithms

The ubiquity of smart devices and IoT are the main forces behind the development of cryptographic primitives that preserve the security of this devices, with the resources constraints they face. In this sense, the development of lightweight cryptographic algorithms, where PRNGs are an essential part of them, provides security to all these interconnected devices. In this work, a family of sequence generators with hard characteristics to be analyzed by standard methods is described. Moreover, we introduce an innovative technique for sequence decomposition that allows one to extract useful information on the sequences under study. In addition, diverse algorithms to evaluate the strength of such binary sequences have been introduced and analyzed to show which performs better.


Introduction
Sensorization is only one of the latest trends which brings a net of communications around us, as Internet of Things (IoT), and it is said is one of main requirements for third technological revolution. Different critical sectors such as smart-grid, e-health or industrial automation will increase their dependence on this low-cost devices, and with the grow in dependence will also increase the security risks [1,2].

2.
The L-degree feedback or connection polynomial p(x) = x L + c 1 x L−1 + c 2 x L−2 + . . . + c L−1 x + c L with coefficients c i defined in the binary field c i ∈ F 2 .

3.
A non-zero initial state (stage contents) at the initial instant.
a n+L−1 a n+L−2 a n+L−3 · · · a n+1 a n In brief, LFSRs generate sequences by means of successive linear feedbacks and shifts. The output sequence of an LFSR is a binary sequence {a n } (n = 0, 1, 2, . . . ) with a n ∈ F 2 . When the polynomial p(x) is a primitive polynomial [18], then the output sequence is a PN-sequence (or Pseudo-Noise sequence); besides, a PN-sequence has length l = 2 L − 1 bits where 2 L−1 of them are ones and 2 L−1 − 1 are zeros.
The idea of pseudo-randomness in sequences of finite length implies the difficulty of predicting the subsequent digits of a sequence from the knowledge of the previous ones. A measure of unpredictability is the parameter linear complexity, notated LC. Roughly speaking, LC is related with the amount of sequence we need to process in order to recover all the sequence. In terms of security, this amount has to be as large as possible; the recommended value is half the length of the sequence.
The concept of linear complexity of a sequence is closely related to LFSRs. The formal definition of LC is now introduced: Definition 1. The linear complexity of a binary sequence {s n } (n = 0, 1, 2, . . . ) with s n ∈ F 2 is the length of the shortest LFSR able to generate such a sequence.
By definition, the LC of a PN-sequence generated by a LFSR with L stages is LC = L. Although LFSRs are in themselves excellent generators of pseudo-random sequence, they are essentially linear structures. This is the reason any kind of non-linearity must be introduced in the process of generation. Non-linear filters, clock-controlled generators, combination generators or dynamic LFSR-based generators are just some of the habitual examples of sequence generators involving non-linearity, see [19,20] and the references cited therein. Particular attention deserves the irregular decimation of PN-sequences as an efficient technique to erase the linearity inherent to LFSRs [21,22]. Among the different examples of decimation-based generators we can enumerate: (1) the shrinking generator [23] with two LFSRs for a mutual decimation, (2) the self-shrinking generator [24] with just one LFSR that decimates itself and (3) the generalized self-shrinking generator [25] that outputs a family of pseudo-random sequences, the so-called generalized self-shrunken sequences (GSS-sequences). Different cryptanalytic attacks against the previous generators can be found in the literature [26][27][28][29][30].
In this work, we focus on binary sequences whose length is a power of 2, characteristic exhibited by many of the sequences from the previous generators.

An LFSR-Based Sequence Generator
A characteristic design of LFSR-based sequence generator is the generalized selfshrinking generator (GSSG). In fact, it is the most representative element in the class of decimation-based generators as well as a practical design with application in low-cost passive RFID tags, see [14].
A GSSG consists of: (a) A PN-sequences {a n } generated by an L-stage LFSR and a shifted version of such a sequence, notated {b n }. Both sequences are related by the expression {b n } = {a n+p }, p being an integer. Thus, {b n } is nothing but the PN-sequence {a n } circularly rotated p positions with (p = 0, 1, 2 . . . , 2 L − 2). (b) A simple decimation rule defined as: If a n = 1 then b n is output, If a n = 0 then b n is discarded and no bit is output.
For every p, a new sequence {u n } p = {u 0 , u 1 , u 2 , . . .} p is generated. Each sequence {u n } p is called the generalized self-shrunken sequence associated with the rotation p. When p ranges in the interval [0, 1, . . . , 2 L − 2], then we obtain all the elements of the family of GSS-sequences (in total 2 L − 1 elements) based on the PN-sequence {a n }.
Some important facts essentially extracted from [25] are enumerated:

2.
By construction, the family of generalized self-shrunken sequences consists of 2 L − 1 sequences of 2 L−1 bits each of them. Thus, the length of any generalized sequence will be 2 L−1 or divisors. At any rate, the length of these sequences will always be a power of 2.

3.
The family of generalized sequences plus the identically null sequence has structure of Abelian group where the group operation is the bit-wise sum mod 2. The neutral element is the identically null sequence and every sequence is its own inverse element [25] (Theorem 2). 4. The sequence produced by the self-shrinking generator is a member of this family for p = 2 L−1 , see [22]. Moreover, we can add that the LC of every GSS-sequence is upper-bounded by 2 L−1 − (L − 2) [31] (Theorem 2). A simple example of GSS-sequences is next introduced. Example 1. With a LFSR whose primitive polynomial is p(x) = x 3 + x + 1 and initial state (1, 0, 1), we can generate the GSS-sequences depicted in Table 1. Bits in bold in the sequences {b n } represent the digits of the corresponding GSS-sequence associated with the rotation p. The PNsequence {a n } with length l = 2 3 − 1 and ones in bold appears at the bottom of the table. Table 1. Family of generalized sequences for p(x) = x 3 + x + 1.

p-Rotation
{b n } Sequences GSS-Sequences

Binomial Sequences
A new representation of binary sequences in terms of the so-called binomial sequences is now introduced. Such a representation applies only to sequences whose length is a power of 2. Next, we analyze the representation of the GSS-sequences by means of binomial sequences.

Introduction to Binomial Sequences
The binomial number ( n k ) (n, k being non-negative integers) is the coefficient of the power x k in the expansion of the binomial power (1 + x) n . For n ≥ 0, it is a well-known fact that ( n 0 ) = 1 while ( n k ) = 0 for all k > n.
From the binomial coefficients reduced modulo 2, the concept of binomial sequence is defined as follows: Definition 2. The k-th binomial sequence ( n k ) (n = 0, 1, 2, . . .) is a binary sequence whose elements are binomial coefficients ( n k ) reduced modulo 2, i.e., where k is called the index of the binomial sequence.
The k first terms of the binomial sequence are zeros while the term ( k k ) corresponds to the first 1. Table 2 shows the binomial sequences {( n k )} (k = 0, 1, . . . , 7), with their lengths l k and linear complexities LC k , see [32].
Different properties of the binomial sequences are next enumerated.

1.
Given the binomial sequence ( n k ) with k = 2 m + i where m is a non-negative integer and the index i takes values in the interval 0 ≤ i < 2 m , then we have that [12] (Proposition 3): The binomial sequence {( n k )} has length l = 2 m+1 .
The formation rule of this binomial sequence is:

2.
The linear complexity of the binomial sequence ( n 2 m +i ) with m and i defined as above is LC = 2 m + i + 1, see [12] (Theorem 13).

3.
Every binary sequence {s n } n≥0 whose length is a power of 2 can be written as linear combination of binomial sequences [12] (Theorem 2). This combination is called the Binomial Decomposition of {s n } n≥0 . Such a decomposition allows us to analyze fundamental properties of the sequence, e.g., length and linear complexity.

5.
Given a sequence {s n } n≥0 with binomial decomposition {s n } = ∑ r i=1 ( n k i ) , where 0 ≤ k 1 < k 2 < · · · < k r are integer indices, then its length l is that of the binomial sequence ( n k r ) , i.e., the length of the binomial sequence of maximum index in its binomial decomposition, see [32] (Theorem 1).
All these properties will be used in the algorithms that compute the LC of every binary sequence {s n } n≥0 .
In addition, the binomial sequences can be found in the diagonals of the Sierpinski's triangle reduced modulo 2 [12] (Section 4) as well as in certain linear cellular automata (e.g., linear automata with rules 102 and 60) as it has been studied in [22] (Chapter 3). See the previous references for more details.

Binomial Decomposition of GSS-Sequences
The number of binomial sequences, notated r, in the decomposition of any GSSsequence has not been previously analyzed in the literature. The parameter is decisive in the comparison among the algorithms of Section 4, since the BD-algorithm complexity depends on the number of binomial sequences. To study the asymptotic behavior of this parameter, some experiments were carried out.
The analyzed sequences in such experiments were all the GSS-sequences coming from LFSRs with primitive feedback polynomials of degree L with L taking values in the interval [5,10]. More precisely, we have considered the 6 primitive polynomials of degree 5, the 6 primitive polynomials of degree 6, the 18 primitive polynomials of degree 7, the 16 primitive polynomials of degree 8, the 48 primitive polynomials of degree 9 and the 60 primitive polynomials of degree 10. For each one of these primitive polynomials, the 2 L − 1 GSS-sequences have been generated and decomposed in terms of their binomial sequences. On average, we observed several binomial sequences given by 2 L−2 , ∀L ∈ [5,10].
The plots corresponding to the number of binomial sequences in the decomposition of all these GSS-sequences are depicted in Figure 2. For each chart, the x-axis represents the number of binomial sequences in a specific decomposition (parameter r) while the y-axis counts the number of times r occurs. For a given LFSR, each one of the colors represents all the sequences of the GSS-family generated by such an LFSR. In brief, for each value of L the chart represents the distribution of the parameter r for all the GSS-sequences generated by primitive polynomials of degree L. All these properties will be used in the algorithms that compute the LC of every binary sequence 170 {s n } n≥0 .

171
In addition, the binomial sequences can be found in the diagonals of the Sierpinski's triangle 172 reduced modulo 2 [12, Section 4] as well as in certain linear cellular automata (e.g. linear automata 173 with rules 102 and 60) as it has been studied in [22,Chapter 3]. See the previous references for more 174 details. The distribution of the number of binomial sequences in the GSS-sequences follows closely a normal distribution. Nevertheless, a smooth tail can be also noticed on the left of the figures, which means that for some GSS-sequences the density of binomial sequences will be lower.
The results of these experiments will be employed in some of the algorithms to compute the LC described in next section.

Different Algorithms to Compute the Linear Complexity of a Sequence
In this section, we introduce different algorithms (both novel and already known algorithms) to compute the LC of any binary sequence with length l = 2 m , m being a nonnegative integer. Analysis, foundations and characteristics of each algorithm are described in the subsequent sections.
Throughout the next sections, the following notation will be systematically used.

1.
For the sake of readability, in the sequel the binomial coefficient ( n k ) just denotes the k-th binomial sequence.

2.
The term ( n k ) i,j represents the sub-sequence of ( n k ) between the i-th and j-th bits. 3.
The term ( n k ) j stands for the sub-sequence corresponding to the j first bits of ( n k ).

Berlekamp-Massey Algorithm
The most general and well-known method of computing the linear complexity of binary sequences is the Berlekamp-Massey algorithm [11]. Such an algorithm can be applied to sequences of any length, not only to sequences whose length is a power of 2. For a fixed binary sequence, this algorithm processes bit-by-bit the successive digits until it finds the shortest LFSR able to generate the whole sequence. At each particular step, the Berlekamp-Massey algorithm computes the length and the feedback polynomial of the shortest LFSR that produces the sub-sequence analyzed up to that particular bit. Both LFSR length and feedback polynomial degree will always be greater than those of the previous step.
To get the final value of LC, this algorithm has to process several bits equal to twice the value of the linear complexity of the sequence under consideration. For sequences whose LC is close to their length l, e.g., the GSS-sequences [22], the Berlekamp-Massey algorithm will process approximately 2 * l bits of each sequence with a computational complexity of O(l 2 ), see [33].

Binomial Decomposition Algorithm or BD-Algorithm
To compute the LC of a given sequence, the BD-algorithm [12] provides one with a simple procedure to determine the binomial decomposition of such a sequence. The mathematical results enumerated in the Section 3.1 constitute the core of this algorithm. More precisely, two properties are taken into account: • According to Item 3 (in Section 3.1), the sequence seq of length l = 2 m can be decomposed into r binomial sequences of the form: • According to Item 4 (in Section 3.1), the lineal complexity of seq is that of the binomial sequence of maximum index ( n k r ) in its binomial decomposition. Since the indices of the binomial sequences are written in increasing order, then LC is computed by means of the following equation: The result of the previous properties is the algorithm described in Algorithm 1. Indeed, it takes as input the sequence seq and checks for the bits that equal 1. If seq i = 1, then it bit-wise sums the sequence seq with the binomial sequence ( n i ), so that seq = seq + ( n i ). The procedure stops when all the binomial sequences in the decomposition have been determined or, equivalently, when the resulting sequence seq is the identically null sequence. The algorithm outputs the binomial decomposition of the sequence under consideration as well as the value of its LC, via the Equation (1).

Algorithm 1 The BD-algorithm.
Require: seq: the sequence to be analyzed end for return binom and LC = k r + 1: binomial decomposition and LC of seq.
A step-by-step application of Algorithm 1 to the binomial decomposition of seq 16 = {0001110110001011} with l = 2 4 is depicted in Table 3. Table 3. A step-by-step application of the BD-algorithm to seq 16 . Step Op Recall that the BD-algorithm computes LC after processing 13 bits of seq 16 while the Berlekamp-Massey algorithm needs 2 * 13 = 26 bits. In fact, the BD-algorithm performs the bit-wise sum of two sequences of l bits, i.e., l operations, for each binomial sequence that appears in the binomial decomposition. Thus, its computational complexity is O(r * l), where r is the number of binomial sequences in the decomposition of the analyzed sequence with r l. Next, we show how the BD-algorithm can be improved and its complexity reduced.

Improvement of the BD-Algorithm
If we avoid the sum of the sub-sequences identically null, then the performance of this algorithm clearly improved. Due to the properties of the binomial coefficients described in Section 3.1, we know that ( n k ) = 0 for all n < k. At the same time, notice that at the i-th step of the algorithm the k i first terms of seq are zeros.
Therefore, combining these two facts the number of operations is substantially reduced. When the first 1 in the i-th position of seq is detected, then the algorithm bit-wise sums both sequences exclusively between the i-th and (l − 1)-th bits, i.e., (seq i,l−1 + ( n i ) i,l−1 ), as the headers of both sequences (until the (i − 1)-th bit) are zeros.
In this way, the number of additions at each step is incrementally reduced: Moreover, for sequences whose LC is upper bounded the algorithm performance can be even improved. In fact, in that case we do not need to check any other bit after the index corresponding to this upper bound. For example, every sequence produced by a generalized self-shrinking generator with LFSR of length L has a LC upper bounded by LC max = 2 L−1 − (L − 2), [31]. In that case, the maximum index k max in its binomial decomposition is k max = l − log l, l = 2 L−1 being the sequence length. Hence, the final number of operations is again reduced to: The code of Algorithm 1 is just upgraded by converting the bit-wise sum of both sequences into the expression seq = seq i,k max + ( n i ) i,k max , with k max defined as before. In brief, for this family of sequences the BD-algorithm requires l − log l bits of each sequence to compute its LC with a computational complexity less than O(r * l).

Half-Interval Search Algorithm
In this subsection a novel algorithm to compute the LC, the so-called half-interval search algorithm, is described. Such an algorithm takes full advantage of the binomial sequence symmetry. A preliminary version of this algorithm by the same authors was introduced in [16,34]. First of all, we study the symmetry properties of the binomial sequences.

Symmetry of the Binomial Sequences
In fact, the symmetry of these sequences gives rise to the following results. Theorem 1. Let ( n k ) l denote the l first bits of the binomial sequence ( n k ) with l = 2 m , m being a positive integer. Such a sub-sequence can be divided into two new sub-sequences of length l 2 : then, two different configurations may appear: 1.
If k the index of the binomial sequence is k < l 2 , then the two sub-sequences in Equation (2) are equal.

2.
If k the index of the binomial sequence is k ≥ l 2 , then the two sub-sequences in Equation (2) are written as: where zeros l 2 represents the sub-sequence identically null of length l 2 and i is an integer satisfying 0 ≤ i < 2 m−1 .
Proof. Both cases are proved separately.

1.
Since k < l 2 , then k can be written as k = 2 j + i, where j and i are non-negative integers such that j < m − 1 and 0 ≤ i < 2 j . According to Item 1(a) in Section 3.1, the binomial sequence ( n k ) = ( n 2 j +i ) has lengthl = 2 j+1 where the maximum length isl max = 2 m−1 when j = m − 2 and the minimum lengthl min = 2 0 when j = 0. At any rate,l is a power of 2 as well asl < 2 m and, therefore, the first and second sub-sequences in Equation (2) are equal.

2.
Since k ≥ l 2 = 2 m−1 , then k can be written as k = 2 m−1 + i with 0 ≤ i < 2 m−1 . According to Item 1(a) in Section 3.1, the binomial sequence ( n k ) = ( n 2 m−1 +i ) has length l = l = 2 m . Moreover, according to Item 1(b) in Section 3.1 Thus, the sub-sequence ( n k ) l satisfies the Equation (3) as well as the l 2 first terms are zeros.
In Table 4, where l 2 = 8, the binomial sequences ( n 3 ), ( n 4 ) and ( n 6 ) correspond to the condition (1) in Theorem 1, where the eight first bits are repeated, while the binomial sequences ( n 8 ), ( n 9 ), ( n 10 ) and ( n 12 ) correspond to the condition (2) in the same theorem with k ≥ 8.  Next result introduces an interesting characteristic of the sub-sequence ( n k ) l 2 ,l−1 , which can be converted into another binomial sequence. Proposition 1. The sub-sequence ( n k ) l 2 ,l−1 that is the second sub-sequence of ( n k ) l in Equation (2) with k ≥ l 2 can be written as: Proof. According to the previous properties of the binomial sequences, we write: This will be the notation used in the sequel. The sub-sequences ( n k ) l can be classified into two disjoint sets depending on the value of the index k, as explained in Algorithm 2. In the first case, only the first half of the sub-sequence must be computed (0 ≤ n < l 2 ) as the second half is exactly the same. In the second case, it is precisely the second half of the sub-sequence which has to be computed ( l 2 ≤ n < l), since the l 2 first bits are zeros.

Algorithm 2 Classification of the binomial sequences.
Given the sub-sequence ( n k ) l : According to the previous classification, a matrix representation of the binomial decomposition is now introduced: The different sub-matrices of the matrix representation in (4) are described as follows: • M 0 and M 1 are ((i − 1) × l 2 ) sub-matrices that, according to Theorem 1, satisfy the equality M 0 = M 1 . • M 2 is the ((r − i + 1) × l 2 ) identically null sub-matrix. • M 3 is the ((r − i + 1) × l 2 ) sub-matrix representing the decomposition of a new sequence of length l 2 coming from the bit-wise sum of the two halves of seq. Therefore, from M 3 the matrix representation can be extended recursively.
In fact, take M 3 and repeat the same process until the length of the resulting sequence equals 1 and, consequently, the sequence cannot be divided anymore.
Thus, the half-interval search algorithm takes fully advantage of the symmetry properties of the binomial sequences and reduces recursively the length of the sequence to be analyzed, see Equation (5).
A numerical example of the matrix representation is next introduced.

Example 2.
For the sequence seq 16 = {0001110110001011}, the matrix representation of its binomial decomposition is: When the two halves of seq are bit-wise summed, then the binomial sequences ( n 3 ), ( n 4 ) and ( n 6 ) with repeated sub-sequences are cancelled. Thus, we have a new seq of length l 2 = 8 including the binomial sequences ( n 8 ), ( n 9 ), ( n 10 ) and ( n 12 ). When the two halves of the resulting seq are bit-wise summed again, then we have a new seq of length l 4 = 4 and the binomial sequences ( n 8 ), ( n 9 ) and ( n 10 ) with repeated sub-sequences are cancelled. The only resulting binomial sequence is ( n 12 ) what means that LC = 12 + 1.

Description of the Half-Interval Search Algorithm
From the symmetry properties of the binomial sequences, the half-interval search algorithm locates the binomial sequence of maximum index to compute the LC. At each step, it bit-wise sums both halves of the sequence. If the result is different from zero, then it performs the same procedure with the resulting sequence. Otherwise, it takes half the sequence obtained in the previous step to apply the same procedure. When only one bit is left the algorithm stops.
The pseudo-code of the algorithm, for a given binary sequence of length l = 2 m can be found in Algorithm 3. At every step, the algorithm reduces by 2 the length of seq. The total number of steps is log l and the total number of operations for a sequence seq with length l = 2 m is:

Algorithm 3 The half-interval search algorithm
Next, an example of how the half-interval algorithm works is introduced.

Matrix Binomial Decomposition or m-BD Algorithm
This algorithm is based on the B-representation (or Binomial representation) [17] of a binary sequence {s n } n≥0 with length l = 2 m , m being a non-negative integer. Via the B-representation, the parameter LC of such a sequence is analyzed and computed.
We have seen that every sequence {s n } with length l = 2 m can be written in terms of its binomial decomposition as: where c i (0 ≤ i < l) are coefficients defined in the binary field F 2 and ( n i ) (0 ≤ i < l) the corresponding binomial sequences. The greatest value of i, notated i max , for which c i max = 0 while c i = 0 for i max < i < l, determines the value of the LC via the Equation (1), i.e., Recall that the maximum linear complexity of {s n } n≥0 with length l = 2 m will be LC max = 2 m when c 2 m −1 = 1 while the minimum complexity of this kind of sequences will be LC min = 1 when c 0 = 1 and c i = 0 for ∀i in the interval 0 < i < l.
The B-representation provides one with a matrix method of computing the binary coefficients c i . In fact, it defines a binary matrix, the so-called binomial matrix, constructed in a similar way to the construction of a binary Hadamard matrix.
In fact, consider H 0 = [1] the binomial matrix for m = 0, i.e., a (2 0 × 2 0 ) matrix with a unique entry. Next, we construct the binomial matrix for m = 1 as follows: where H 1 is a binary (2 1 × 2 1 ) matrix. Proceeding in the same way, we obtain the binomial matrix for m as where H m−1 is the binomial matrix of size (2 m−1 × 2 m−1 ) as well as 0 m−1 is the identically null matrix of the same size. Moreover, the matrix H m can be written in terms of its columns as H m = (h 0 ,h 1 , . . . ,h 2 m −1 ). As {s n } n≥0 is a binary sequence of length l = 2 m and given the (2 m × 2 m ) binomial matrix H m , we compute the vector c c c whose 2 m components are the coefficients c i by means of the equation (see [17] (Section 3.2)): that is, the sequence {s n } is multiplied by the successive columnsh i (0 ≤ i < 2 m ) of the binomial matrix and the resulting products reduced mod 2.
Let us see an illustrative example.

Example 4.
Let seq 16 = {0001110110001011} be a sequence of length 2 4 , so we must construct the binomial matrix for m = 4, i.e., From Equation (8) Therefore, the vector c c c = [c 0 , . . . , c 15 ] corresponding to the sequence seq 16 will have c 3 = c 4 = c 6 = c 8 = c 9 = c 10 = c 12 = 1 while the remaining components equal zero. The coefficients c i = 1 correspond to the binomial sequences ( n i ) that appear in the binomial decomposition of seq 16 . In that case, the value of i max = 12, or equivalently c i max = c 12 = 1 and the LC of seq 16 is LC = 13 as expected.
By construction, the binomial matrix is an upper triangular matrix closely related with the binomial sequences.

Remark 1.
The columns of the binomial matrix (read from right to left) correspond to the successive binomial sequences starting at the first 1. Thus, the binary vector c c c in Equation (8) is just the product of the sequence {s n }, written as a vector of 2 m components [s 0 , s 1 , . . . , s 2 m −1 ], multiplied by the 2 m first binomial sequences ( n i ) with 0 ≤ i < 2 m and n ≥ i.

Description of the m-BD Algorithm
To compute the LC of the sequence under consideration, the m-BD algorithm checks the successive coefficients c i calculated in (8) starting at c 2 m −1 and proceeding in decreasing order until the first coefficient c i = 1 is found. In that case, i max = i and the LC is easily computed by means of the Equation (7).
The final pseudo-code of the algorithm, for a given binary sequence of length l = 2 m can be found in Algorithm 4.

Sequences with maximum LC:
The characterization of binary sequences {s n } n≥0 with maximum linear complexity is described in the next result.
Hence, c 2 m −1 = 1 when the number of summands equal to 1 in Equation (9) is an odd number.
(⇐) If the number of terms s i = 1 in the sequence {s n } is an odd number, then by Equation (9) the coefficient c 2 m −1 = 1. Consequently, {s n } will exhibit maximum linear complexity of value LC max = 2 m .
Two corollaries follow directly from the previous theorem.

Corollary 1.
A binary sequence {s n } n≥0 with length l = 2 m and an even number of ones will never attain the maximum linear complexity LC max = 2 m as c 2 m −1 = 0.

Corollary 2.
The linear complexity of every balanced binary sequence {s n } n≥0 with length l = 2 m is upper bounded by LC < 2 m .
Recall that, although balancedness is a suitable property for cryptographic sequences, a balanced sequence will never attain the maximum linear complexity.

Sequences with Quasi-Maximum LC
The characterization of binary sequences {s n } n≥0 with quasi-maximum linear complexity, i.e., LC = LC max − 1, is described in the next result. The sequence {s n } has an even number of ones.

2.
It satisfies the equality: Hence, c 2 m −2 = 1 when the number of terms (s 2·i ) (terms with even indices) equal to 1 is an odd number. (⇐) 1.
If the sequence {s n } has an even number of ones, then c 2 m −1 = 0.

Algorithm Comparison
All the algorithms explained in the previous section can be used to calculate the linear complexity of a given sequence with length a power of two. In this section, they will be compared in different ways. The schedule is as follows: First of all, the different computational features of these algorithms are discussed. Next, we describe the experiments we carried out to compare the actual performance of such algorithms. Finally, we consider diverse scenarios apart from LC calculation where each algorithm might be conveniently applied.

Algorithm Analysis
In Section 4, different algorithms for the computation of the linear complexity were presented (Berlekamp-Massey, BD, half-interval search and m-BD algorithms). Now, we will discuss the computational complexity and sequence length requirements for each one of them as shown in Table 5.
The length requirements (twice the length of the studied sequence) and complexity O(l 2 ) of the Berlekamp-Massey algorithm were already studied in the literature [11,33]. It is the only algorithm, among the considered algorithms, which can be applied to every sequence of any length, compared with the binomial decomposition methods that require a sequence of length a power of two.
Concerning the BD-algorithm, in order to calculate the linear complexity it needs at least l − log l bits of the original sequence and it runs with a computational complexity of O(r · l), l being the length of the sequence and r the number of binomial components in its decomposition. Although the parameter r has not been rigorously analyzed, in Figure 2 an experimental analysis of r was carried out for different GSS-sequences. The results show that such a parameter follows a normal distribution as well as it increases with the length of the sequence.

Algorithms
Length On the other hand, the half-interval search algorithm does not depend neither on the parameter r nor on the decomposition of the sequence. In fact, this algorithm just requires the same number of bits as that of the BD-algorithm, but it works in a binary search fashion. Consequently, its complexity is linear in the length of the sequence, which means the best performance among all the algorithms that can calculate LC.
The main difference between BD and half-interval search algorithms is that the latter does not depend on the number of binomial sequences in its binomial decomposition. That means that its performance will be better than that of the BD-algorithm, in particular when the length of the sequence increases and so does the value of the parameter r.
Finally, the m-BD algorithm computes the successive products between two binary vectors until it gets the value of LC. Nevertheless, the worst case would occur whether it needed to check all the columns of the binomial matrix. That is the reason we included in Table 5 both worst and best cases of computational complexity.
Although the Berlekamp-Massey algorithm is able to calculate the linear complexity of any sequence, it is not the best choice for particular sequences as the GSS-sequences with O(l 2 ). It is under such circumstances when the binomial decomposition algorithms can be really useful.

Experimental Results
To support the understanding of these algorithms and test them, we ran all the algorithms described in the previous section.
The setup of the experiments is as follows: we used Jupyter Labs as a running environment in a Windows 10 machine with Intel Core i7-1065G7 as CPU. The algorithms were implemented in Python 3. They ran to calculate the LC for the same sequences several times in order to get the performance metric of such algorithms.
The results of the experiments can be seen in Figures 3 and 4. Indeed, in Figure 3 where all algorithms are compared, we can see how as far as the length of the sequence increases, both the half-interval algorithm and the matrix binomial decomposition algorithm improve the performance exhibited by the Berlekamp-Massey algorithm. This proves that the binomial decomposition technique can be useful and a good alternative in the study of sequences that are particularly hard to be analyzed by the Berlekamp-Massey algorithm. About the Berlekamp-Massey and the Binomial Decomposition algorithm, there is a bounce in their performance depending on the length of the sequences of the experiment. According to the study of the BD complexity, it is known that its performance depends on the parameter r, or in other words, it depends on the number of binomial sequences in the decomposition for each sequence. After the preliminary study on the parameter r, seen in Figure 2, the parameter r is expected to behave in a normal distribution fashion. Altogether this means that the BD algorithm can slightly change its performance depending on the r value of the sequences it is studying.
In addition, the theoretical improvement of the half-interval algorithm studied in the previous section is confirmed. The huge performance gap between Berlekamp-Massey algorithm, BD-algorithm, m-BD and the half-interval search algorithm can be seen in Figures 3 and 5. Recall that this gap is particularly remarkable when the length of the sequence studied increases. For that reason we included Figure 3, scaled for a better comparison with the half-interval results (the best performant algorithm), and Figure 5, for a better comparison with m-BD (a novel contribution of this article). Furthermore, we wanted to compare the half-interval algorithm with the new m-BD algorithm, which has not been previously studied neither its performance is known. In Figure 4, a logarithmic scaled graph is depicted. We see how the half-interval search algorithm outperforms the m-BD algorithm provided that the length of the sequence studied is increased. This behaviour seems to reveal that the increment in the sequence length makes worse the m-BD algorithm performance, since m-BD requires more tries to calculate the LC. Although it is not the purpose of this work, it is worth noticing that the half-interval search algorithm can be parallelized in the computation of LC while the BD-algorithm performs the computation in a sequential way.
Another point that was not covered in the experiments is how the m-BD algorithm can take profit of some optimizations in the computation of matrix operations, which explain its great speed when the sequences are not too long. In addition, it could be enhanced while running in environments specially designed for it such as MATLAB.

Different Use-Cases
After the analysis and the experiments to test the performance of the algorithms, it is also worth exploring different application scenarios, not only the linear complexity calculation. All the algorithms that use the binomial decomposition calculate the LC with the maximum binomial component.
A different case for these algorithms could be the study in depth of other types of binary sequences. In fact, having their full decomposition can help to analyze more parameters related to the security of the sequences, e.g., to calculate the density of components in the decomposition or the balancedness of such sequences. It is in this case where the BD-algorithm outperforms the others, since the way it calculates the LC is by means of the computation of all the binomial components.
Another interesting use-case for these algorithms is, for instance, processing a large amount of sequences in order to discern as fast as possible which ones have better/worse security. In that case, the m-BD algorithm is the best one, because it can determine whether the highest binomial component is present in the binomial decomposition previously to complete the LC calculation. So the m-BD algorithm may not be the fastest algorithm to calculate the LC of a particular sequence but it may be used to quickly detect which sequence has a LC lower than the others.
Finally, the m-BD algorithm could be of great use if the range of the linear complexity is known. In that case, this parameter would avoid unnecessary tries of the algorithm, which otherwise will profit from the matrix optimizations that modern libraries support.

Conclusions
In this work, different algorithms to compute the linear complexity of binary sequences were introduced and analyzed. In general, they exhibit better performances than the wellknown Berlekamp-Massey algorithm when applied to sequences suitable for cryptography.
Concerning the half-interval search algorithm presented in this article, it shows excellent results in both computational complexity and amount of sequence required. It was also tested in comparison with other algorithms by applying it to GSS-sequences, showing an improved performance when the length of the sequences increases.
The matrix binomial decomposition algorithm showed a good performance with short sequences. Nevertheless, its main characteristic, i.e., the way in which it identifies the binomial components of a sequence, can be useful in other scenarios apart from the LC calculation, e.g., to discern between a large amount of sequences which ones have a better complexity than the others.
Moreover, the binomial decomposition of binary sequences seems to be an innovative technique to extract information from a given sequence. In particular, the fractal character of the binomial sequences can be employed to calculate diverse parameters of a sequence without knowing the whole sequence.
In brief, the analysis of these algorithms is quite useful to find weaknesses in this type of binary sequences. Indeed, detecting such weaknesses in a cipher with practical applications could compromise the corresponding IoT device and, consequently, the services that rely on it. Funding: Research partially supported by Ministerio de Economía, Industria y Competitividad, Agencia Estatal de Investigación, and Fondo Europeo de Desarrollo Regional (FEDER, UE) under project COPCIS (TIN2017-84844-C2-1-R) and by Comunidad de Madrid (Spain) under project CYNAMON (P2018/TCS-4566), also co-funded by European Union FEDER funds.