Interleaving Shifted Versions of a PN-Sequence

: The output sequence of the shrinking generator can be considered as an interleaving of determined shifted versions of a single PN -sequence. In this paper, we present a study of the interleaving of a PN-sequence and shifted versions of itself. We analyze some important cryptographic properties as the period and the linear complexity in terms of the shifts. Furthermore, we determine the total number of the interleaving sequences that achieve each possible value of the linear complexity.


Introduction
Stream ciphers are fast encryption algorithms since they consist of applying a bit-wise XOR operation among the bits of the keystream sequence and the message to obtain the ciphertext. The same bit-wise XOR operation between the ciphertext and the keystream is done to recover the original message.
Many keystream generators are based on maximal-length Linear Feedback Shift Registers (LFSRs) [1] because they offer several advantages due to their performance. They also have an easy hardware and software implementation in cryptographic applications. For example, some widely used stream ciphers based on LFSRs are the cryptosystem E0 for Bluetooth [2], the A5/1 for GSM use [3], or the SNOW 2.0 used in UMTS 3G networks [4].
The output sequences of a maximal-length LFSR, whose characteristic polynomial is primitive, are called PN -sequences [5]. These sequences have the largest period and present good randomness properties as balancedness, large period, low correlation, excellent runs distribution, and so forth. However, they are easily predictable due to their inherent linearity. In order to break this linearity, but at the same time maintaining the pseudorandomness characteristics, different design techniques are applied-non-linear filtering, combinational generators, clock-controlled generators or the irregular decimation of PN-sequences, among others.
We focus our attention on a particular kind of stream ciphers based on LFSRs where an irregular decimation is applied: the class of shrinking generators [6][7][8][9][10]. The shrinking generator is a pseudorandom number generator based on a simple combination of two LFSRs which are clocked synchronously [7]. Its simplicity and efficiency of implementation, in addition to the generation of sequences with good cryptographic properties, make it suitable for its real use in stream cipher cryptosystems. For example, the shrinking generator is part of the internal structure of different stream ciphers as the EP0619659A2 [11], an European patent application; or the Decim v 2 , a hardware oriented stream cipher submitted to the ECRYPT Stream CipherProject (eSTREAM) [12], among other applications [6,13].
From the shrinking generator emerged a great family of decimation-based sequence generators, which are improved versions of this or themselves-the self-shrinking generator [10], the generalized self-shrinking generator [8], the modified self-shrinking generator [9] and the t-modified self-shrinking generator [14]; there exists a complete guide in [6] that offers a thorough study of all these generators, their fundamentals and applications. These generators are fast, easy and with low implementation costs to generate good cryptographic sequences. The authors of [15] presented a statistical and graphical study of the randomness of the sequences generated by the generalized self-shrinking generator that prove their suitability for cryptographic applications.
The output sequences of a shrinking generator, called shrunken sequences, have been widely studied in several mathematical fields in the last decades. For instance, they have been considered particular solutions of a kind of linear difference equations [16,17]; they have also been studied as the output sequences of linear elementary cellular automata (CA) [18]. Furthermore, the shrunken sequences can be expressed as the interleaving of shifted versions of a PN-sequence [19,20]. In [18], the authors determined how to compute the shifts of the interleaved sequences that compose the shrunken sequence. This fact can be used advantageously to design cryptanalytic attacks against this generator [18,[21][22][23][24]. A natural way to deal with this vulnerability is to alter the shifts or interleave PN-sequences of different primitive polynomials. In this paper, we study the resultant sequences of interleaving shifted versions of the same PN-sequence with different shifts. We analyze the conditions that must satisfy these shifts to obtain interleaving sequences with high linear complexity and long period.
In Section 2, we introduce some preliminary concepts and results about the shrinking generator; we define the main concept of interleaving sequence and we check that the shrunken sequence can be expressed as an interleaving of PN-sequences. In Section 3, we analyze the period and the linear complexity of the resultant sequences of interleaving 2 t shifted versions of a given PN-sequence. We study, in depth, the cases of 2 and 4 interleaving sequences obtaining the amount of them which have certain values for linear complexity. In Section 4, we give some preliminary results about the case of interleaving t PN-sequences. In Section 6, we present the main conclusions of our research and the future work.

Interleaving Sequences in the Shrinking Generator
First of all, we recall the concept of decimation. The decimation of a sequence {v i } i≥0 by d is a new sequence obtained by taking every d-th term of {v i } i≥0 , that is, {v d·i } i≥0 [25].
Let F 2 be the Galois field of two elements. In this section, we consider two maximallength LFSRs, R 1 and R 2 , with characteristic polynomials p 1 (x), p 2 (x) ∈ F 2 [x], lengths L 1 and L 2 with L 1 < L 2 and gcd(L 1 , L 2 ) = 1, and T 1 = 2 L 1 − 1 and T 2 = 2 L 2 − 1 the periods of the corresponding PN-sequences, respectively. Besides, the PN-sequences generated by both registers are {a i } i≥0 and {b i } i≥0 , respectively, with a i , b i ∈ F 2 . From now on, we denote any sequence {v i } i≥0 by {v i }, without loss of generality.
The shrinking generator [7] is composed of two maximal-length LFSRs, R 1 and R 2 , with the properties mentioned before. The PN-sequence {a i } generated by R 1 decimates the PN-sequence {b i } produced by R 2 . The decimation rule is very simple-given two bits a i and b i , for i = 0, 1, 2, . . ., of both PN-sequences, the output sequence {s j } is obtained as follows: If The sequence {s j } is called the shrunken sequence and its period is T = (2 L 2 − 1)2 L 1 −1 . The linear complexity of this sequence, denoted by LC, satisfies L 2 2 L 1 −2 < LC ≤ L 2 2 L 1 −1 and its characteristic polynomial has the form p(x) m , where 2 L 1 −2 < m ≤ 2 L 1 −1 and p(x) is a primitive polynomial of degree L 2 [26].
Notice that the shrunken sequence is obtained by irregular decimation of a PNsequence, as we can see in the following example. Example 1. Consider R 1 the LFSR with characteristic polynomial p 1 (x) = 1 + x + x 2 and initial state {11}. Consider also R 2 the LFSR with characteristic polynomial p 2 (x) = 1 + x 2 + x 3 and initial state {111}. The shrunken sequence can be computed in the following way: The sequence has period 14 and it is not difficult to check that its characteristic polynomial is p(x) 2 = (1 + x + x 3 ) 2 , consequently its linear complexity is 6.
It is worth mentioning that all the results that appear in this work are valid for large values of L, where L is the length of the LFSR that generates the corresponding PN-sequences in each case. We use small examples in order to illustrate the ideas. In practical applications, the recommended values in the shrinking case are L 1 , L 2 ≥ 64, so the key has at least 128 bits.
The following definition introduces one of the main concepts of this paper.

Definition 1.
We say that the sequence {s j } is obtained interleaving the sequences {u i }, all of them of period T, if it has the following form: We call this sequence a t-interleaving sequence.
From now on, we always consider that these t sequences {u (j) i } for j = 1, 2, . . . , t, are (left circular) shifted versions of a given PN-sequence {u i }. Notice that, in this case, if the characteristic polynomial p(x) of {u i } is a primitive polynomial of degree L, then the resultant t-interleaving sequence is almost balanced as its number of 1s is t · 2 (L−1) .
The following result shows us that the shrunken sequence is an (2 L 1 −1 )-interleaving sequence.
Theorem 1 ([27] Theorem 3.1). The sequences obtained decimating by (distance) 2 L 1 −1 the shrunken-sequence are PN-sequences with period T 2 . We call these sequences the interleaved PN-sequences of the shrunken sequence.
It is worth noticing that the 2 L 1 −1 interleaved PN-sequences of the shrunken sequence correspond to shifted versions of the same PN-sequence. The following example illustrate the previous results.

Example 2.
Consider R 1 the LFSR with characteristic polynomial p 1 (x) = 1 + x 2 + x 3 , L 1 = 3 and initial state {111}. The corresponding PN-sequence has period T 1 = 7. Consider also R 2 the LFSR with characteristic polynomial p 2 (x) = 1 + x 3 + x 4 , L 2 = 4 and initial state {1111}. The corresponding PN-sequence has period T 2 = 15. The shrunken-sequence is given by: This sequence has period T = (2 L 2 − 1)2 L 1 −1 = 60 and it is possible to check that the characteristic polynomial is p(x) 16  Notice that the characteristic polynomial of the four PN-sequences is p(x) = 1 + x + x 4 (the reciprocal polynomial of p 2 (x)), that is, the four PN-sequences are shifted versions of the same sequence.
The next theorem shows us how to obtain the characteristic polynomial of the interleaved PN-sequences.
where α ∈ F 2 L 2 is root of p 2 (x). If L 2 = L 1 + 1, then the polynomial p(x) is the reciprocal polynomial of p 2 (x).
Note that the characteristic polynomial of the shrunken sequence is p(x) m , and p(x) only depends on p 2 (x). The polynomial p 1 (x) only affects to the power m. In this way, given a fixed polynomial p 2 (x), every primitive polynomial with degree L 1 would provide the same p(x).

Example 3. Consider again Example 2. Notice that
It is worth noticing that if p(x) is the primitive polynomial that generates the interleaved PN-sequences of the shrunken sequence, then the polynomial p(x) 2 L 1 −1 also generates the shrunken sequence. However, this polynomial might not be the characteristic polynomial. In some cases, the characteristic polynomial has the form p(x) m , with 2 L 1 −2 < m < 2 L 1 −1 .
The interleaved PN-sequences of the shrunken sequence are shifted versions of the same PN-sequence, and these shifts can be determined [18]. Denote each one of the 2 L 1 −1 interleaved PN-sequences by: The shifts d j , with j = 1, 2, 3, . . . , 2 L 1 −1 − 1, depend on the positions of the ones in the PN-sequence {a i } generated by p 1 (x) in the shrinking process. The following theorem gives us a way to compute these shifts.

Theorem 3 ([18] Proposition 2).
Let δ ∈ {1, 2, 3, . . . , T 2 − 1}, such that T 1 · δ = 1 mod T 2 . Denote by I = {0, i 1 , i 2 , . . . , i 2 L 1 −1 −1 } the set of positions of the 1s in the PN-sequence {a i } generated by p 1 (x) in its first period. We have that d j = δ · i j mod T 2 , j = 1, 2, . . . , 2 L 1 −1 − 1. The four PN-sequences {s 4·j+i }, for i = 0, 1, 2, 3, have the same characteristic polynomial p(x) = 1 + x + x 4 , thus all of them are shifted versions of the same PN-sequence. We can rename them as: We consider, without loss of generality, that the last three PN-sequences are shifted versions of the first one. From Theorem 3, we know that these shifts d j , for j = 1, 2, 3, depend on the ones in the PN-sequence {a i } generated by p 1 (x) = 1 + x 2 + x 3 in the shrinking process. In order to obtain these values, we have to find a value δ such that 7 · δ = 1 mod 15. In this case, δ = 13. Now, we know that the ones in {a i } are in the positions {0, 1, 2, 4}, thus: It is easy to check (see Equation (1)) that the second PN-sequence {v i+d 1 } starts in the 13-th position of the first PN-sequence {v i } (underlined bit), the third {v i+d 2 } in the 11-th position (bit in bold) and the last one {v i+d 3 } in the 7-th position (overlined bit).
The weakness of the shrunken sequence lies in the fact that the shifts of the interleaved sequences can be determined. This means that, a shrunken sequence cannot be obtained from some random shifted versions of a given PN-sequence; on the contrary, the shifts are known as we saw before. In this fact our research begins.

Interleaving 2 t Shifted Versions of the Same PN-Sequence
In this section, we study the resultant sequences of interleaving any shifted versions of the same PN-sequence, that is, the so-called t-interleaving sequences. We determine certain conditions on the shifts in order to obtain interleaving sequences with high linear complexity, long period and good cryptographic properties.
In the following subsections, we analyze the cases of interleaving 2 and 4 shifted versions of a same PN-sequence with a view to establish general conditions for the 2 t PN-sequences case.

Analysis of 2-Interleaving Sequences
Consider a primitive polynomial p(x) of degree L. If we interleave two shifted versions of the same PN-sequence of period T = 2 L − 1, then the period of the resultant 2-interleaving sequence, denoted by T , must be a divisor of 2T. Our main interest lies in the study of its linear complexity LC, since a large linear complexity it is an important cryptographic property in order to resist against cryptanalytic attacks.
By means of the following theorem we can narrow down the possible values of LC for the 2-interleaving sequences. Lemma 1. If we interleave two shifted versions of the same PN-sequence generated by the primitive polynomial p(x), then the resultant 2-interleaving sequence can be generated by p(x) 2 .
Proof. Assume that we have the PN-sequence {a i } with characteristic polynomial this means that the PN-sequence {a i } satisfies the linear recurrence relation: Consider now a shifted version of {a i }: We know that the PN-sequence {a i+k } also satisfies the linear recurrence relation (2) and the sequence obtained by interleaving {a i } and {a i+k } has the following form: Denote the two PN-sequences as We know that If we substitute the corresponding bits of {s j } in (3), we have that: Now, if we substitute j = 2i, we have that: This means that {s j } satisfies the linear recurrence relation: generates the sequence {s j }.
Notice that if p(x) 2 generates the 2-interleaving sequence, then its characteristic polynomial must be p(x) 2 or p(x). Thus, the linear complexity of the sequence must be LC = 2L or LC = L, respectively. Moreover, the total number of 2-interleaving sequences, using different shifts, is T 2 .
The following theorem shows that, given a PN-sequence {a i } and a shifted version of itself with shift k = 2 L−1 , the characteristic polynomial of the 2-interleaving sequence {s j } cannot be the same characteristic polynomial as that of {a i }. In other words, the shift k = 2 L−1 is the only shift that produces a 2-interleaving sequence with LC = L. Proof. Consider the PN-sequences: . . a 2 L −2 {a i+k } : a k a k+1 a k+2 a k+3 . . . a k+2 L −2 and the resultant 2-interleaving sequence We proceed by contradiction. Assume that p(x) is the characteristic polynomial of {s j }, thus {s j } would be the PN-sequence {a i } or a shifted version. In this case, we would have that {s j } = {a i+D } with D ∈ {0, 1, . . . , 2 L − 2}, that is, the PN-sequence {a i } shifted D positions and concatenated with itself. Therefore, we can equal one by one the corresponding terms of both subsequences: Rewriting these equalities, we have that: In a succinct way, we can write: where the elements of the first member in the equalities are the terms of {a i } while the elements of the second member are the terms of a k+(2 L−1 −1)+i , a shifted version of {a i }.
If we write d = k + (2 L−1 − 1), then Equation (4) can be expressed as: Therefore, in sequential notation where {0} is the identically null sequence. In order to satisfy Equation (5) d must satisfy , that is, Equation (5) can be rewritten as: which is true since the bit-wise XOR of any sequence with itself is the identically null sequence.
for some n ∈ Z. Since both k and n are integers, it is possible to check that the only possible solutions are k = 2 L−1 + n · T, n ∈ Z. Finally, we are working modulo T, therefore the only possible solution is k = 2 L−1 .
Next result proves that the interleaving of a PN-sequence with any shifted version of itself, except one, produces a new sequence with maximum period and LC = 2L. Proof. We have that the PN-sequences produce the 2-interleaving sequence given by: According to Lemma 1, {s j } can be generated by p(x) 2 . Now, according to Theorem 4, since k = 2 L−1 , we have that {s j } cannot be the PN-sequence {a i } (or a shifted version); therefore, p(x) 2 is the characteristic polynomial of {s j }.

Analysis of 4-Interleaving Sequences
Consider a primitive polynomial p(x) of degree L. If we interleave four shifted versions of the same PN-sequence of period T = 2 L − 1, then the period of the 4-interleaving sequence must be a divisor of 4T. However, in this subsection, we go in depth in the study of the linear complexity of these sequences by its importance in cryptography.
As a consequence of the previous lemma, the only possibilities for the characteristic polynomial of the 4-interleaving sequence are p(x), p(x) 2 , p(x) 3 or p(x) 4 , that is, its linear complexity is L, 2L, 3L or 4L, respectively. Moreover, the total number of 4-interleaving sequences, using different shifts, is T 4 .

Analysis of 4-Interleaving Sequences with LC = L
In this subsection, we do an exhaustive study on the linear complexity of the 4interleaving sequences. Furthermore, we count the total number of 4-interleaving sequences for different values of LC.
The following theorem provides the shifts that produce 4-interleaving sequences with linear complexity LC = L.
Proof. Consider the four PN-sequences: where indices are considered modulo T. The resultant 4-interleaving sequence has the form: Notice that: so, we can express: that is, the sequence {s j } can be also obtained decimating {a i } by distance d = 2 L−2 . According to Golomb [1] (page 76), if we decimate a PN-sequence with distance a power of two, we obtain the same PN-sequence except for a phase shift. Therefore, {s j } is a shifted version of {a i } and LC = L.
Next, we present two examples to illustrate the previous result.

Example 5.
Consider the primitive polynomial p(x) = 1 + x + x 4 , that is, L = 4. We consider the initial state {1111} for the PN-sequence {a i } and, the shifts  The resultant 4-interleaving sequence is: Proof. Since k 1 , k 2 and k 3 are fixed, the resultant sequence depends on the initial state of {a i }. We have T = 2 L − 1 possible non-zero initial states for {a i }, therefore we have T different interleaving sequences with LC = L.

Interleaving Sequences with LC = 2L
As we did in the previous subsection, here we study which shifts provide 4-interleaving PN-sequences with linear complexity LC = 2L. Theorem 6. If we interleave 4 shifted versions of the same PN-sequence of period T = 2 L − 1, with shifts k 1 = 2 L−2 , k 2 = 2 L−1 and k 3 = k 1 + 2 L−1 mod T, the resultant 4-interleaving sequence has LC = 2L and period T = 2T.
Proof. Consider the four PN-sequences: where the indices are considered modulo T. The resultant interleaving sequence has the form: Notice that {s j } is also obtained interleaving the two sequences:  i+d } with d = 2 L−1 (the phase shift between both PN-sequences is 2 L−1 ), then the 2-interleaving sequence is a shifted version of the same PN-sequence and has LC = L.
According to Theorem 4, the only shift that gives us a 2-interleaving sequence with LC = L is d = 2 L−1 , which we have seen that is impossible. Thus, according to Lemma 1, the polynomial p(x) 2 generates {s j } and must also be the characteristic polynomial.
Through the following example, we illustrate the previous result.

Example 7.
Consider the primitive polynomial p(x) = 1 + x 2 + x 5 , that is, L = 5. We consider the initial state {11111} for {a i } and k 1 = 6 = 2 3 , k 2 = 2 4 = 16, k 3 = 6 + 2 4 which has period equal to 62 and LC = 10. Moreover, its characteristic polynomial is p( As a consequence of Theorem 6, we can count the number of 4-interleaving sequences with LC = 2L. Proof. The shift between the first and third sequences (and the second and the fourth) is fixed. Therefore, the resultant sequence depends on the initial state of {a i } and k 1 . We have T = 2 L − 1 possible non-zero initial states for {a i } and T − 1 possible values for k 1 , thus, we have T(T − 1) different 4-interleaving sequences with LC = 2L.
Until now, we have characterized the 4-interleaving sequences with linear complexities L and 2L. For the cases LC = 3L and LC = 4L we do not have any conclusive results. We have analyzed them computationally, obtaining expressions to count the number of interleaving sequences with these linear complexities. We need only to compute one of both cases, since that the other one would be immediate. Table 1 shows the total number of 4-interleaving sequences that are generated for each possible value of LC. Observe that the number of the 4-interleaving sequences does not depend on the characteristic polynomial, only on its degree. The expression at the bottom of the table represents the total number of 4-interleaving sequences.

Period Number of 4-Interleaving Sequences
Notice that when L is large the number of interleaving sequences with maximal linear complexity, LC = 4L, tends to the total amount of interleaving sequences; that is, Therefore, we can ensure that the great majority of the 4-interleaving sequences have the maximal linear complexity.
In Appendix A, we present several examples where we compute the number of 4interleaving sequences for each possible value of the linear complexity using polynomials with different degrees (see Table A2).

Analysis of 2 t -Interleaving Sequences
In this section, we generalize some of the results obtained in Sections 3.1 and 3.2. Consider a primitive polynomial p(x) of degree L. If we interleave 2 t shifted versions of the same PN-sequence of period T = 2 L − 1, then the period of the resultant interleaving sequence must be a divisor of (2 t · T). We determine the period and the linear complexity of 2 t -interleaving sequences.
The following result is a generalization of Lemmas 1 and 2 and narrows down the possible values of LC. The proof can be implemented using a similar method as that used in the proof of Lemma 2.

Lemma 3.
If we interleave 2 t shifted versions of the same PN-sequence generated by the primitive polynomial p(x), the resultant 2 t -interleaving sequence can be generated by p(x) 2 t .
As a consequence of the previous lemma, we have that the possibilities for the characteristic polynomial are p(x), p(x) 2 , p(x) 3 , . . ., p(x) 2 t , that is, the possible values for the linear complexity are L, 2L, 3L, . . . , or 2 t L 3.3.1. Analysis of 2 t -Interleaving Sequences with LC = L Next theorem determines the shifts that provide 2 t -interleaving sequences with LC = L. Theorem 7. If we interleave 2 t shifted versions of the same PN-sequence of period T = 2 L − 1 with shifts k 1 = 2 L−t , k 2 = 2 · 2 L−t , k 3 = 3 · 2 L−t ,. . ., k 2 t −1 = (2 t − 1) · 2 L−t , then the resultant 2 t -interleaving sequence has LC = L and period T = 2 L − 1.
Proof. Applying induction in the proof of Theorem 5.
Through the following example, we reflect the previous result.
As a result of the previous theorem, we can count the number of 2 t -interleaving sequences with LC = L.

Corollary 4.
If we interleave 2 t PN-sequences of period T and LC = L, produced by the same LFSR, then there are T resultant 2 t -interleaving sequences with linear complexity LC = L and period T.
Proof. Since k 1 , k 2 , . . . k 2 t −1 are fixed, the resultant 2 t -interleaving sequence depends only on the initial state of {a i }. We have T = 2 L − 1 possible non-zero initial states for {a i }, therefore, we have T different 2 t -interleaving sequences with LC = L.

Analysis of 2 t -Interleaving Sequences with LC = 2L
Next, we present the shifts that produce 2 t -interleaving sequences with LC = 2L.
Proof. We first analyze the mentioned shifts: . . .
According to (9) we have that {u i+2 L−1 }, this means that the PN-sequence {u (2) i } starts in the 2 L−1 -th position of {u (1) i }, that is: The shift k 1 = 2 L−t is the only one that gives us an interleaving sequence with LC = L. Now, according to Lemma 1, the polynomial p(x) 2 generates {s j }. Since k 1 = 2 L−t , the polynomial p(x) 2 must also be the characteristic polynomial.

Example 9.
Consider the primitive polynomial p(x) = 1 + x + x 2 + x 3 + x 5 , that is, L = 5 and T = 31. We consider the initial state {11111} for {a i } and the shifts k 1 = 3 = 2 5−3 , It is possible to check that the period of this sequence is T = 64, the characteristic polynomial is p(x) = 1 + x 2 + x 4 + x 6 + x 10 and, thus, LC = 10. Proof. The shifts between the odd sequences (and the even sequences) are fixed. Therefore, the resultant 2 t -interleaving sequence depends on the initial state of {a i } and k 1 . We have T = 2 L − 1 possible non-zero initial states for {a i } and T − 1 possible values for k 1 , thus, we have T(T − 1) different interleaving sequences with LC = 2L.
As in the case of 4-interleaving sequences, we obtain expressions on the total number of 8-interleaving sequences for each possible value of LC (see Table 2). The formulas for the cases LC = 6L and LC = 7L have not been determined yet. The expression at the bottom of the table represents the total number of 8-interleaving sequences.

Interleaving t Sequences
Our main aim is to characterize the interleaving sequences using any number of interleaved PN-sequences. In this section, we present some preliminary results.
As in the previous sections, we present some results on the shifts in order to obtain t-interleaving sequences with LC = L. Theorem 9. Consider a primitive polynomial p(x) of degree L. If we interleave t shifted versions of the same PN-sequence of period T = 2 L − 1 with shifts (modulo T) k 1 = k, k 2 = 2 · k, k 3 = 3 · k,. . ., k t−1 = (t − 1) · k, gcd(T, k) = 1 and (k · t) = 1 mod T, the resultant t-interleaving sequence has LC = L and period T = 2 L − 1.
In the next example we apply the results of the previous theorem.

Corollary 6.
Consider a primitive polynomial p(x) of degree L. Assume that T = 2 L − 1 is not a prime integer and let t be a divisor of T. If we interleave t shifted versions of any PN-sequence of period T, the resultant t-interleaving sequence has LC > L and period T > 2 L − 1.
Proof. If t is a divisor of T, then there is no multiplicative inverse of t modulo T, i.e., there is no k such that (k · t) = 1 mod T. Therefore, according to Theorem 9, there are no tinterleaving sequences with LC = L.
In the next example, we present a case where we cannot construct any 5-interleaving sequence with LC = L. Example 11. Consider the primitive polynomial p(x) = 1 + x + x 4 , that is, L = 4 and T = 15. Assume that we want to interleave 5 PN-sequences. It is possible to check that there is no k such that gcd(15, k) = 1 and k · 5 = 1 mod T (since 5 is a divisor of T). Therefore, if we interleave 5 shifted versions of the same PN-sequence generated by p(x), the resultant interleaving sequence has LC > 4.
Other examples that illustrate the previous result can be found in Appendix A. For instance, observe the case L = 6 in Table A1, where there are no 3-interleaving sequences of LC = 6. This is a consequence of the fact that T = 63 is not a prime number and 3 is a divisor of T.
Next result computes the number of t-interleaving sequences with linear complexity equals to L. Corollary 7. Consider a primitive polynomial p(x) of degree L. If we interleave t shifted versions of the same PN-sequence of period T = 2 L − 1 with the shifts given in Theorem 9, there are T possible resultant t-interleaving sequences of LC = L and period T.
Proof. Since the shifts are fixed and k is unique (k is the multiplicative inverse of t modulo T), the resultant sequence depends only on the initial state of {a i }. We have T = 2 L − 1 possible non-zero initial states for {a i }, therefore, we have T different t-interleaving sequences with LC = L.
Although we do not provide a characterization of the t-interleaving sequences for the other values of LC, it can be seen (computationally) that the majority of interleaving sequences achieve the maximum linear complexity. The percentage of interleaving sequences with the maximum LC is approximately or greater than 90%.
In Tables A1-A3 of Appendix A, we show some examples that motivate us to continue deepening on this research. For instance, we observe that there exist particular cases where all the interleaving sequences obtained achieve the maximum value of the linear complexity. It would be interesting to characterize this kind of sequences, since that they are the ones with best cryptographic properties.

Preliminary Randomness Study and Comparison with Other Sequences
Given a shrunken sequence obtained from two registers of lengths, L 1 and L 2 (with the characteristics seen in Section 3.1), we know that the linear complexity satisfies and the period is T = (2 L 2 − 1)2 L 1 −1 . This sequence can be also generated interleaving 2 L 1 −1 shifted versions of the same PN-sequence with characteristic polynomial p(x) of degree L 2 (see Theorem 2) and period 2 L 2 − 1. Therefore, the shrunken sequence is an 2 L 1 −1 -interleaving sequence. If we fix the polynomial p 2 (x) and range over all the possible primitive polynomials of degree L 1 , then we can construct a family of shrunken sequences where all of them are 2 L 1 −1 -interleaving sequences (by interleaving PN-sequences generated by p(x)). Notice that with the shrinking process, we can only construct families of t-interleaving sequences with t equal to 2 L 1 −1 , a power of two, with additional restrictions on the values of L 1 and L 2 . Using the method presented in this paper, we can construct families of t-interleaving sequences with no restriction on t or L (the length of the LFSR).
In Tables A4 and A5 of Appendix A, we present a comparison between the number of shrunken sequences generated by polynomials of degrees L 1 and L 2 and the number of t-interleaving sequences (obtained interleaving t = 2 L 1 −1 shifted versions of the PNsequence generated by the polynomial p(x) of degree L 2 given in Theorem 2), and their corresponding values of LC in each case. Specifically, we present the results for t = 4, 8 where we can observe that the number of t-interleaving sequences, with maximum linear complexity is clearly greater than that of the shrunken sequences. It is worth noticing that if a shrunken sequence and a 2 L−1 -interleaving sequence have the same LC, then they have the same period. Hence we focus on the parameter linear complexity better than on the period.
For a practical use of the t-interleaving sequences in cryptographic algorithms, it is important to analyse the quality of this random number generator and to focus on other randomness properties beyond linear complexity. As a first approach, we have carried out a preliminary study of the randomness of these sequences through the statistical tests package FIPS 140-2 [28]. It is a U.S. government computer security standard used to approve cryptographic modules issued by the National Institute of Standards and Technology (NIST). Moreover, it has been widely used for the verification of the statistical properties of pseudorandom numbers generated by PRNGs.
In RUNS TEST: Passed. The test is passed if the runs (for both the runs of zeros, red line, and the runs of ones, blue line) that occur (of lengths 1 through 6) are each within the corresponding interval specified in the Figure 1 by the green line.

Conclusions
The output sequence of the shrinking generator, the shrunken sequence, is obtained decimating the bits of a PN-sequences in terms of the bits of another PN-sequence. Besides, the shrunken sequence can be also obtained interleaving shifted versions of a unique PN-sequence. In this paper, we use the same idea of interleaving shifted versions of the same PN-sequence in order to obtain a new family of sequences with the same features as those of the shrunken sequences, that is, large period and linear complexity. We study their periods, linear complexities and the number of sequences obtained for any possible value of LC. Furthermore, we present a preliminary study of the randomness of t-interleaving sequences with the application of the standard FIPS, a statistical test suite for the validation of pseudorandom number generators. Through the analysis of a great number of these sequences, for different values of t and different primitive polynomials, we point out a good random behaviour.
As future work, we would like to study the open cases that we have not solved in this paper. For instance, we would like to find an analytical proof for the expressions we found on the total number of 4-interleaving sequences with LC = 3L and LC = 4L; complete the study of 2 t -interleaving sequences; and increase our knowledge about the case of t-interleaving sequences. Furthermore, we would like to do a statistical randomness analysis of these new sequences using several statistical test batteries as the Diehard battery of tests, the packet FIPS 140-2, CRYPT-X or TestU01, among others. Until now, our research is focused on the use of a PN-sequence and shifted versions of itself. A natural step would be the study of the resultant sequences of interleaving PN-sequences of different primitive polynomials (with same or different degree).
Author Contributions: Investigation, S.D.C., A.F.-S. and V.R. All authors have read and agreed to the published version of the manuscript.

Data Availability Statement: Not applicable.
Acknowledgments: The support of D. Arroyo is gratefully acknowledged by the authors.

Conflicts of Interest:
The authors declare no conflict of interest. The funders had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript, or in the decision to publish the results.