Computational Analysis of Interleaving PN-Sequences with Different Polynomials

Binary PN-sequences generated by LFSRs exhibit good statistical properties; however, due to their intrinsic linearity, they are not suitable for cryptographic applications. In order to break such a linearity, several approaches can be implemented. For example, one can interleave several PN-sequences to increase the linear complexity. In this work, we present a deep randomness study of the resultant sequences of interleaving binary PN-sequences coming from different characteristic polynomials with the same degree. We analyze the period and the linear complexity, as well as many other important cryptographic properties of such sequences.


Introduction
The rapid development and evolution of the internet have made possible the connectivity among many devices of daily use and, consequently, the irruption of the so-called Internet of Things (IoT). Moreover, many critical services such as e-banking, e-government, e-health or e-commerce are based on IoT infrastructures. As the presence of such services grows exponentially, so do all the risks associated with their security [1]. On the one hand, IoT devices are currently characterized by their constraints in processing power, size, memory and energy consumption [2]. On the other hand, they are also characterized by their minimal or non-existent security [3], since the vast majority of IoT devices have been designed without safety in mind. Combining the inherent lack of security of IoT infrastructures with their network dependability, the final effect is that IoT devices are a suitable target to compromise the whole network. This is the reason why 5G communications [4] or specific calls such as that of NIST for cryptography primitives [5] are addressing this essential topic. In this context, lightweight cryptography in general and stream ciphers in particular are the keystones on which certain communication protocols are being designed to guarantee security.
Stream ciphers are related to the idea of pseudo-randomness. In fact, the purpose of Pseudo-Random Number Generators (PRNGs) is to produce sequences of numbers that seem to behave as if they were generated randomly from a specified probability distribution. These numbers are sometimes called pseudo-random numbers to underline the fact that they are not truly random. The PRNGs must be fast and easy to implement on a computer, with small memory requirements and good statistical properties. In the traditional stream cipher procedure, the bit-wise Exclusive-OR logic operation between the original message and a pseudo-random bit sequence (key-stream sequence) preserves the confidentiality of the message. Other important security features, such as the integrity or authentication of the message, require additional mechanisms such as a MAC (Message Authentication Code) function to guarantee that the message is authentic and consequently its integrity checked. In brief, they are two different algorithms (confidentiality and authentication-integrity) that sometimes can be unified in the same scheme; see the requirements of the NIST call [5] for lightweight primitives. For this reason, the application of pseudo-random number generators for IoT is increasingly being studied [6,7]. In this work, we focus exclusively on the key-stream sequence and, consequently, on the confidentiality of the message.
Traditionally, the pseudo-random bit sequences with application in cryptography are generated by means of maximal-length Linear Feedback Shift Registers (LFSR) [8]. Their output sequences are the PN-sequences that exhibit good statistical properties. However, their linearity, i.e., their predictability, makes them vulnerable against cryptanalytic attacks. One common way to break this linearity is through irregular decimation, which has given rise to a wide family of decimation-based sequence generators. A representative element of this family is the shrinking generator, which decimates one PN-sequence according to the positions of the ones in another PN-sequence [9]. In [10], the authors proved that the output sequence of this generator, the so-called shrunken sequence, is made up of interleaving shifted versions of a single PN-sequence. Moreover, the shifts of the corresponding interleaved sequences can be easily deduced from the characteristic polynomials of the LFSRs, and this fact can be advantageously used to implement cryptanalytic attacks [11].
In [12], the authors proposed the interleaving of shifted versions of one single PN-sequence considering these shifts (different from the ones used in the shrunken sequence) as part of the key. This idea makes even more difficult the cryptanalysis of such sequences. However, depending on the initial state of the LFSR, some of the resultant sequences showed a high predictability, i.e., a low linear complexity.
A natural way to deal with the vulnerabilities of interleaving shifted versions of the same PN-sequence is to interleave different PN-sequences coming from different LFSRs. In this work, we propose a similar analysis to the one developed in [12] but considering the interleaving of different PN-sequences instead. The sequences here analyzed present the same pseudo-randomness properties as those of [12]; however, their linear complexity is quite higher. Furthermore, given several maximal-length LFSRs with the same length, the linear complexity of the resultant interleaved PN-sequences is fixed regardless of the initial states considered. We also perform a randomness analysis on the resultant sequences that shows that our sequences are better than the sequences obtained interleaving PN-sequences from the same LFSR, that is, interleaving shifted versions of the same PN-sequence. This paper is organized as follows. In Section 2, we recall some basic concepts related to binary sequences, which are needed to understand the rest of the paper. In Section 3, we study the linear complexity and the characteristic polynomial of the sequences obtained interleaving PN-sequences from different LFSRs. Furthermore, in Section 4, we compare our sequences with the ones obtained from other sequence generators with similar parameters. In Section 5, we perform a deep randomness analysis of the obtained sequences. Finally, the paper ends in Section 6 with some conclusions and future work.

Preliminaries
Let $\mathbb{F}_2 = \{0, 1\}$ be the Galois field of two elements, i.e., the binary field. Let $\{u_i\}_{i \ge 0} = \{u_0, u_1, u_2, \ldots\}$ be a binary sequence, that is, each term satisfies $u_i \in \mathbb{F}_2$ for all $i \ge 0$. The sequence $\{u_i\}_{i \ge 0}$ (or simply $\{u_i\}$) is said to be periodic if there exists a positive integer $T$ such that $u_{i+T} = u_i$ for all $i \ge 0$. This number $T$ is known as the period of the sequence.
Let $L$ be a positive integer and $a_0, a_1, \ldots, a_{L-1}$ elements of $\mathbb{F}_2$. The sequence $\{u_i\}$ is a binary $L$-th order linear recurring sequence if it satisfies
$$u_{i+L} = a_{L-1} u_{i+L-1} + a_{L-2} u_{i+L-2} + \cdots + a_1 u_{i+1} + a_0 u_i. \tag{1}$$
The expression in Equation (1) is known as an $L$-th order linear recurrence relationship. The polynomial of degree $L$ given by is called the characteristic polynomial of the linear recurrence relationship as well as the characteristic polynomial of $\{u_i\}$.
The generation of these linear recurrence sequences can be implemented by Linear Feedback Shift Registers (LFSRs) [8]. An LFSR of length $L$ is a generator of binary sequences with $L$ cells or stages interconnected. The terms $\{a_0, a_1, a_2, \ldots, a_{L-1}\}$ are binary coefficients assigned to the corresponding stages. The initial state (stage contents at round zero) is the seed, and since the register operates in a deterministic form, the resultant sequence is completely determined by the initial state. At each clock pulse, the binary content of each stage shifts one position to the left, and one bit is output from the register. The input of each round is a bit resultant from applying a linear transformation function to a previous state (see Figure 1). If the characteristic polynomial $p(x)$ is primitive, then the LFSR is said to be a maximal-length LFSR, and the resultant sequence, called a PN-sequence (or m-sequence), has period $T = 2^L - 1$ (with $2^{L-1}$ ones and $2^{L-1} - 1$ zeros) [8].
The linear complexity of a sequence, denoted by LC, is defined as the length of the shortest LFSR that generates such a sequence, i.e., the degree of its characteristic polynomial. In cryptography, LC must be as large as possible. The expected value is approximately half the period, $LC \approx T/2$ (see [13]). Nowadays, values of $T$ in the range $T \ge 2^{128}$, i.e., LC $2^{64}$, seem to be enough for cryptographic purposes (see specifications of the candidates in the call of NIST for lightweight cryptography primitives [5]). Notice that all examples included in this work are merely illustrative, since they do not achieve the required values for cryptographic applications. PN-sequences produced by maximal-length LFSRs have a large period, but their LC is very low. This is due to the inherent linearity of these sequences; thus, we need to do something to break it. One possible approach is implementing irregular decimation on the PN-sequences.

Shrinking Generator
First, we need to recall the concept of decimation. The decimation of the sequence $\{s_i\}$ by (distance) $\delta$ is the new sequence $\{u_i\} = \{s_{\delta \cdot i}\}$, which is obtained by taking every $\delta$-th term of such a sequence [14].
The binary sequence generator known as the Shrinking Generator (SG) [9] is made up of two maximal-length LFSRs, $R_1$ and $R_2$, with lengths $L_1$ and $L_2$, respectively, satisfying $\gcd(L_1, L_2) = 1$. Denote by $p_k \in \mathbb{F}_2[x]$, with degree $L_k$, the characteristic polynomial of $R_k$, and $T_k = 2^{L_k} - 1$, the period of the corresponding PN-sequence, for $k = 1, 2$. The PN-sequence $\{a_i\}$ generated by $R_1$ decimates the PN-sequence $\{b_i\}$ produced by the other register $R_2$. The decimation rule satisfies the following: given $a_i$ and $b_i$, $i = 0, 1, 2, \ldots$, the output sequence $\{s_j\}$ is obtained as
The sequence $\{s_j\}$ is known as the shrunken sequence whose period is $T = (2^{L_2} - 1)2^{L_1 - 1}$. Its linear complexity [10] satisfies the inequality $L_2 2^{L_1 - 2} < LC \le L_2 2^{L_1 - 1}$, and its characteristic polynomial has the form $p(x)^m$, where $2^{L_1 - 2} < m \le 2^{L_1 - 1}$ and $p(x)$ is a primitive polynomial of degree $L_2$ [15]. Notice that here, $p(x)^m$ denotes the power of the polynomial $p(x)$ with coefficients modulo 2.
The shrunken sequence is almost balanced with $2^{L_1 + L_2 - 2}$ ones in its first period. This binary generator is suitable for applications in stream ciphers, since it is easy to implement and has nice cryptographic properties. Notice that the shrunken sequence is obtained by the irregular decimation of a PN-sequence according to the ones of another PN-sequence.
Example 1. Consider $R_1$ and $R_2$, LFSRs with characteristic polynomials $p_1(x) = 1 + x + x^2$ and $p_2(x) = 1 + x^2 + x^3$, and initial states {11} and {111}, respectively. The shrunken sequence can be computed as
The generated sequence has period 14, and it is easy to check that its characteristic polynomial is $p(x)^2 = (1 + x + x^3)^2$, i.e., the linear complexity is $LC = 6$.
Let $\mathbb{F}_{2^{L_2}}$ denote the extension field of $\mathbb{F}_2$, where $\alpha$, root of $p_2(x)$, is a primitive element [16]. The next results state that the shrunken sequence can be obtained interleaving shifted versions of one single PN-sequence.
Theorem 1 ([10], Theorem 3.1). The sequences obtained decimating by $2^{L_1 - 1}$ the shrunken sequence are PN-sequences with period $T_2$. We call these sequences the interleaved PN-sequences of the shrunken sequence.
In order to illustrate the previous results, we consider now another example with larger parameters.
Example 2. Let $R_1$ and $R_2$ be two LFSRs with characteristic polynomials $p_1(x) = 1 + x^2 + x^3$ and $p_2(x) = 1 + x^3 + x^4$, with $L_1 = 3$ and $L_2 = 4$, and initial states {111} and {1111}, respectively. The corresponding PN-sequences have periods $T_1 = 7$ and $T_2 = 15$, respectively. The shrunken sequence is given by
It has period $T = (2^{L_2} - 1)2^{L_1 - 1} = 60$ and characteristic polynomial p(x) 16
The characteristic polynomial of these four interleaving PN-sequences is
where $\alpha \in \mathbb{F}_{2^{L_2}}$ is a root of $p_2(x)$ and $p(x)$ is the reciprocal polynomial of $p_2(x)$. Notice that the four PN-sequences are shifted versions of the same PN-sequence.
The polynomial $p(x)$ depends on $L_1$ (the degree of $p_1(x)$) and $p_2(x)$. Thus, every primitive polynomial with degree $L_1$ produces the same polynomial $p(x)$, once the polynomial
Notice that if $p(x)$ generates the interleaved PN-sequences of the shrunken sequence, then $p(x)^{2^{L_1 - 1}}$ generates such a sequence. Nonetheless, although $p(x)^{2^{L_1 - 1}}$ always generates the shrunken sequence, it might not be the characteristic polynomial. Sometimes, the characteristic polynomial has the form $p(x)^m$, with $2^{L_1 - 2} < m < 2^{L_1 - 1}$.

Shifted Versions of the Same PN-Sequence
In Section 2.1, we saw that the shrunken sequence can be generated interleaving shifted versions of the same PN-sequence, and the characteristic polynomial of these PN-sequences is obtained from the input polynomials of the shrinking generator. The shifts of the shifted versions can be also obtained via the input LFSRs (see [10,11]), and this fact is used to attack the SG [11]. One way to deal with this liability is to consider random shifts.
In this section, we briefly comment on the results obtained in [12]. First, we need to introduce the concept of t-interleaved sequence. We say that the sequence {s j } is obtained i }, all of them with period T, if it has the following form We call this sequence a t-interleaved sequence.
In [12], the authors consider that these $t$ sequences $\{u^{(j)}_i\}$ for $j = 1, 2, \ldots, t$, are PN-sequences obtained from the same primitive polynomial, that is, shifted versions of the same PN-sequence. If the corresponding LFSR has length $L$, then the resultant t-interleaved sequence is almost balanced, and its number of 1s is $t \cdot 2^{L-1}$.
The linear complexity for this sequence satisfies $LC \le t \cdot L$ and its period $T \le t \cdot (2^L - 1)$. For a fixed value of $t$, almost 90% of the t-interleaved sequences (running over all possible shifted versions) achieve the maximal LC and period. In [12], the authors study more deeply the cases where $t = 2^l$, and they perform a preliminary analysis on the randomness of these sequences. They also provide some tools to identify the cases where the LC is low and the sequences are not suitable for cryptographic purposes. More information about these sequences and some comparison with the sequences constructed in this work can be found in Section 4.
In this work, we consider t-interleaved sequences obtained interleaving PN-sequences from different primitive polynomials with the same degree. Note that these t-interleaved sequences can be seen as the output sequences of a keystream generator where, at each clock pulse, we obtain at the same time the output of $t$ different LFSRs. That is, at each instant $t_i$, the output bits are {u t i }. Therefore, the interleaving method, in this case, could be considered as the concatenation of the output of $t$ LFSRs at each instant of time.
On the other hand, this interleaving method is very similar to the generation method of a DLFSR. A DLFSR (Dynamic Linear Feedback Shift Register) is a type of LFSR in which the characteristic polynomial changes at certain clock pulses [17,18]. In Figure 2, we represent a DLFSR that consists of a main LFSR and an additional control module. This module manages the characteristic polynomial used at each instant of time. The sequences generated by a DLFSR can be considered as the concatenation of segments of different PN-sequences. The purpose of a DLFSR is to generate sequences with larger periods and higher linear complexity than the ones produced by a single LFSR [19,20]. To carry out this task, the control module modifies different feedback parameters to generate a different sequence.
Our interleaving method can be seen as a DLFSR where the characteristic polynomial changes depending on the counter module, i.e., at each clock pulse, we consider a different primitive polynomial. In Figure 3, we can check the generation of a four-interleaved sequence. At each clock pulse, one bit is generated from the corresponding LFSR in that instant, and then, we jump from the actual polynomial to the next one. Thus, we obtain our interleaved sequence concatenating the individual outputs of each one of the LFSRs at each instant of time.


Interleaving PN-Sequences with Different Characteristic Polynomials
In this section, we analyze the interleaving of PN-sequences obtained from different polynomials with the same degree.
Consider $t$ maximal-length LFSRs, denoted $R_1, R_2, \ldots, R_t$, with primitive characteristic polynomials $p_1(x), p_2(x), \ldots, p_t(x)$, respectively, and all of them with degree $L$. Given the i }, generated by $R_k$, for $k = 1, 2, \ldots, t$, the corresponding t-interleaved sequence $\{s_j\}$ is obtained as follows
From now on, we only consider t-interleaved sequences obtained with different polynomials of the same degree.
The following result provides the value of the LC for the t-interleaved sequences. Moreover, it allows us to obtain their characteristic polynomials.

Theorem 3 ([21], Theorem 1). The linear complexity of the sequence generated interleaving $t$ PN-sequences produced by different primitive polynomials
It is worth noticing that the LC and period are not affected by the initial states.
If we interleave these three PN-sequences, we obtain a sequence with period T = 93 and LC = 45: {111100101000111000100010001011001110011001101 001101110010011100100111111100010010010111110001} Using the Berlekamp-Massey algorithm [22], it is possible to check that the characteristic polynomial of this sequence is where all three polynomials of degree 5 are primitive and those of degree 10 are irreducible.
The next result is a particular case of Theorem 3 for the case in which t is a power of 2.
Corollary 2. Let $t$ be a power of two. Then, the characteristic polynomial of a t-interleaved sequence produced by $t$ different primitive polynomials $p_1(x), \ldots, p_t(x)$ of degree $L$ is
Proof. Let $t = 2^r$ for $r$ a positive integer. The result is an immediate consequence of the fact that p i (
Next, we show different examples of the generation of t-interleaved sequences. We analyze their LC and their characteristic polynomials depending on the choice of the initial primitive polynomials.
In the following example, we obtain a four-interleaved sequence corresponding to two primitive polynomials and their corresponding reciprocal polynomials.
Example 4. Consider four registers with primitive polynomials p 1 (
We observe that $p_2(x)$ and $p_4(x)$ are the reciprocal polynomials of $p_1(x)$ and $p_3(x)$, respectively. We take the initial states {01101}, {10001}, {10001}, and {00110}, respectively. The corresponding PN-sequences are
If we interleave these four PN-sequences, we obtain a sequence with period $T = 124$ and $LC = 80$:

{01101000100100011110110011100100111100101001011101000001010010 01001001101000000110111001010000111111101111111111110000100111}
Using the Berlekamp-Massey algorithm [22], it is easy to check that the characteristic polynomial of this sequence is In this example, the LC does not depend on the initial states; its value is always 80. Moreover, if we consider different primitive polynomials of degree 5, the value of LC remains the same.
The next example shows a case where there are no reciprocal polynomials.

Example 5.
Consider now four registers with primitive polynomials $p_1(x) = 1 + x + x^7$, $p_2(x) = 1 + x^3 + x^7$, $p_3(x) = 1 + x + x^2 + x^3 + x^7$ and $p_4(x) = 1 + x^2 + x^3 + x^4 + x^7$, with initial states {1010001}, {0111011}, {1101001}, and {1100101}, respectively. If we interleave the four PN-sequences generated by the previous polynomials, we obtain a sequence with period 508 (the same as that of the SG with polynomials of degree 3 and 7) and $LC = 112$, which is four times higher than that of the SG:
The characteristic polynomial of the sequence is given by
The next example shows that the polynomials must be all different to achieve the maximal complexity.

{11010100100111111010011110000010101000100111001100001100001101 00110000111011110101010101110011111001101110100100011000011110}
This sequence has period $T = 124$ and $LC = 60$, which is not the maximal value (80) for this parameter. The characteristic polynomial is given by:
Notice that in this case, the primitive polynomial is not the product of all four polynomials; this is due to the fact that $p_1(x) = p_2(x)$.
In Table 1, we can check the values of the LC of t-interleaved sequences using PN-sequences from different polynomials of degree $L$. It is worth recalling that there are only six primitive polynomials of degree 5 and six of degree 6. It means that when we construct seven-interleaved sequences or eight-interleaved sequences, we have to consider at least one repeated polynomial. Therefore, the values in red in Table 1 are just upper bounds, since, as we saw in Example 6, when the polynomials are not different, we risk having a sequence without maximal LC.

Comparison with Other Sequence Generators
In this section, we analyze briefly the advantages of our t-interleaved sequences compared with the sequences obtained from generators with similar parameters.

1. Shrinking generator
Given two primitive polynomials of degree $L_1$ and $L_2$, the linear complexity of the shrunken sequence satisfies $2^{L_1 - 2} < LC \le L_2 \cdot 2^{L_1 - 1}$ and $T = (2^{L_2} - 1)2^{L_1 - 1}$. In this case, the sequence is obtained interleaving $2^{L_1 - 1}$ shifted versions of the same PN-sequence. If we interleave $2^{L_1 - 1}$ PN-sequences generated by different primitive polynomials of degree $L_2$, the linear complexity of the resultant sequence is $LC = L_2 \cdot 2^{2(L_1 - 1)}$, which is much higher than that of the SG. Notice that the period and the number of ones remain the same. In the following example, we compare the shrunken sequence and the corresponding t-interleaved sequence with similar parameters. We see that the LC of the t-interleaved sequence is greater.

Example 7.
Consider the SG composed of two registers of length $L_1 = 3$ and $L_2 = 5$. In this case, the shrunken sequence is made up by interleaving four shifted versions of the same PN-sequence generated by a primitive polynomial of degree 5. The period of the shrunken sequences in this case is $T = 124$ and $LC \le 20$.
If we consider again Example 4, we interleave four PN-sequences produced by primitive polynomials of degree 5. The resultant sequence has period 124 (the same as that of the SG with polynomials of degree 3 and 5) and LC = 80, which is four times higher than that of the SG.

t-interleaved sequences with the same polynomial
In [12], the authors analyze the t-interleaved sequences obtained interleaving shifted versions of the same PN-sequence produced by a primitive polynomial p(x) of degree L. They determine the period and the linear complexity of the t-interleaved sequences for some particular cases of t. They also study an upper bound for the LC and the period of t-interleaved PN-sequences. In [21], the authors study different cases of interleaving sequences, analyzing the LC and the characteristic polynomials of the resultant sequences. The next theorem is a consequence of Theorem 2 in [21] and the results obtained in [12].
Theorem 4. [12,21] Consider a primitive polynomial $p(x)$ of degree $L$. If we interleave $t$ shifted versions of the same PN-sequence of period $T = 2^L - 1$, then the resultant t-interleaved sequence has an $LC \le t \cdot L$ and period $T \le t \cdot (2^L - 1)$.
In the following example, we compare a t-interleaved sequence obtained using one primitive polynomial $p(x)$ of degree $L$ with a corresponding t-interleaved sequence, with similar parameters, obtained using $t$ different primitive polynomials $p_i(x)$ of degree $L$, $i = 1, \ldots, t$. We see that the LC of the t-interleaved sequence with different polynomials is greater.

Example 8.
Consider any four-interleaved sequence obtained with a primitive polynomial of degree 5 and four shifted versions of the corresponding PN-sequence. In this case, the period of the sequences is $T \le 124$ and $LC \le 20$.
Consider the primitive polynomials of degree 5 given in Example 4 and interleave four different PN-sequences produced by these polynomials. The resultant sequences have period 124 and $LC = 80$. If we compare both types of four-interleaved sequence, we have that using different polynomials for the construction provides higher values for the LC, in this case, four times larger.
In Table 2, we have a comparison between the values of LC and $T$ for our t-interleaved sequences and the values for the sequences obtained in [12] (using shifted versions of the same PN-sequence, that is, with the same characteristic polynomial). First of all, notice that the values for the same polynomial are upper bounds (they depend on the initial state), while the values for our sequences are exact (regardless of the initial state). Note that values of LC are higher in our sequences.
In order to complete this comparison, in the next section, we perform a statistical study on the randomness of our t-interleaved sequences, and we compare these results with the ones obtained for t-interleaved sequences obtained with shifted versions of the same PN-sequence (which includes the shrunken sequence), that is, using always the same characteristic polynomial.
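The period and LC figures of Examples 4 and 5, and the same-polynomial bound of Theorem 4, can be checked numerically. The Python sketch below is an added example, not the authors' code (they report a Matlab implementation); the function names and the tap convention stated in its first comment are assumptions, while the bit string, polynomials and initial states are the ones printed in Examples 4 and 5.

```python
# Added example, not the paper's code.
# Assumed convention: the polynomial sum(x^e for e in exponents), of degree L, drives
# recurrence (1) as u[i+L] = XOR of u[i+e] over the exponents e < L.

def lfsr(exponents, state, n):
    """First n bits of the LFSR sequence; `state` is the bit string u_0..u_{L-1}."""
    L = max(exponents)
    taps = [e for e in exponents if e < L]
    u = [int(b) for b in state]
    if len(u) != L or not any(u):
        raise ValueError("state must hold L bits and be non-zero")
    while len(u) < n:
        i = len(u) - L
        u.append(sum(u[i + e] for e in taps) & 1)
    return u[:n]


def interleave(seqs):
    """t-interleaving: output bit t*i + j is bit i of the j-th sequence."""
    return [bit for column in zip(*seqs) for bit in column]


def berlekamp_massey(bits):
    """Linear complexity of a GF(2) sequence (needs at least 2*LC bits)."""
    n = len(bits)
    if n == 0:
        return 0
    c, b = [0] * n, [0] * n          # current / previous connection polynomial
    c[0] = b[0] = 1
    L, m = 0, -1
    for i in range(n):
        d = bits[i]
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:                         # discrepancy: correct c with a shifted copy of b
            prev = c[:]
            shift = i - m
            for j in range(n - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, prev
    return L


def period(bits):
    """Least period, given at least two full periods of the sequence."""
    n = len(bits)
    for T in range(1, n // 2 + 1):
        if all(bits[i] == bits[i + T] for i in range(n - T)):
            return T
    return None


def profile(bits):
    """Period, linear complexity and number of ones in one period."""
    T = period(bits)
    return {"period": T, "lc": berlekamp_massey(bits), "ones": sum(bits[:T])}


def t_interleaved(polys, states):
    """Two periods of the t-interleaved sequence of same-degree LFSRs."""
    L = max(polys[0])
    n = 2 * (2 ** L - 1)
    return interleave([lfsr(p, s, n) for p, s in zip(polys, states)])


# Example 4: the 124-bit period as printed on the page (two 62-bit halves).
EXAMPLE4 = ("01101000100100011110110011100100111100101001011101000001010010"
            "01001001101000000110111001010000111111101111111111110000100111")
# Example 5: exponents of the four degree-7 polynomials and their initial states.
EX5_POLYS = [[0, 1, 7], [0, 3, 7], [0, 1, 2, 3, 7], [0, 2, 3, 4, 7]]
EX5_STATES = ["1010001", "0111011", "1101001", "1100101"]


def run():
    printed = profile([int(ch) for ch in EXAMPLE4] * 2)
    different = profile(t_interleaved(EX5_POLYS, EX5_STATES))
    # Same-polynomial case of Section 4: four shifted versions of one PN-sequence.
    same = profile(t_interleaved([EX5_POLYS[0]] * 4, EX5_STATES))
    return printed, different, same


if __name__ == "__main__":
    labels = ("Example 4 (printed)", "Example 5", "same polynomial")
    for label, result in zip(labels, run()):
        print(label, result)
```

The same-polynomial run reuses the four initial states of Example 5 as shifts of a single PN-sequence, so its LC stays within the $t \cdot L = 28$ bound of Theorem 4 while the different-polynomial run reaches 112.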

Statistical Analysis of T-Interleaved Sequences
RNGs should be designed and selected based on a solid theoretical analysis of their mathematical structure. In our algorithm, we interleave PN-sequences to hide and delete their linearity. Once our generator is designed and implemented, the next step is to submit it to empirical statistical tests in order to detect statistical deficiencies. In the study of RNGs, different quality criteria can be used. However, three basic properties of a random bit sequence $\{s_i\}$ should be achieved:
1. Unpredictability: Having $k$ consecutive elements of $\{s_i\}$ should not give any information about the next element $k + 1$ of the sequence.
2. Uniformity: Given any subsequence of $\{s_i\}$, there should be nearly equal number of 1's and 0's.
3. Independence: Each element of $\{s_i\}$ is independent from other elements.
There is no mathematical proof that ensures the randomness of a bit sequence; however, there exists a huge number of empirical tests to determine if a sequence is random enough and secure to be used in cryptography [23]. If the sequences produced by a particular generator pass the statistical tests, then this could be accepted as a generator of random sequences. Otherwise, if any of the tests fail, then it means the generator is not good and must be rejected.

Golomb's Randomness Postulates
Golomb's postulates constitute a base for randomness tests, since they were one of the first attempts to establish some necessary conditions for a periodic pseudo-random sequence to look random. Sequences satisfying the three properties are called PN-sequences. The sequences produced by LFSRs are PN-sequences in these terms. At present, these conditions are far from being sufficient for such sequences to be considered random. However, there are diverse ways and tools that allow us to analyze the randomness of the sequences.
From now on, we consider $\{s_i\}$ a binary sequence of period $T$. A run of $\{s_i\}$ is defined as a maximal subsequence of consecutive bits of either all ones or all zeros. A run of zeroes is called a gap, and a run of ones is called a block. Golomb's postulates are defined as follows:
(R1) In a period of $\{s_i\}$, the number of ones should differ from the number of zeros by at most 1. In other words, the sequence should be balanced.
(R2) In a period of $\{s_i\}$, at least $\frac{1}{2}$ of all the runs of zeroes or ones should have length one, at least $\frac{1}{4}$ should have length 2, at least $\frac{1}{8}$ should have length 3, and so on. Moreover, for each one of these lengths, there should be (almost) equally many gaps and blocks.
(R3) The autocorrelation function $C(\tau)$ should be two valued. That is, for some integer $k$ and for all $\tau = 0, 1, 2, \ldots, T - 1$
Any of Golomb's randomness postulates are analyzed through the statistical tests package FIPS 140-2 [24], as we study in Section 5.2.
In this section, we include diverse ways to analyze the randomness of our sequences. On the one hand, in Section 5.1, we present some visual results where, through different graphs, we can understand the behavior of the generated sequences. On the other hand, in Section 5.2, we evaluate various batteries of statistical tests, which help us to determine if our generator could be considered random. The generator and the battery of tests were implemented with Matlab R2020b in a Windows 10 environment on a 64-bit PC with an Intel Core i7 CPU at 3 GHz. We checked a large number of t-interleaved sequences, with 3 ≤ t ≤ 8 and with polynomials of degree up to 27.

Simple Visual Analysis
In this subsection, we examine our random number generator creating a visualization of the sequences it produces. We study the autocorrelation, the return map, the chaos game, and the Lyapunov exponent. This type of approach should not be considered as an exhaustive or formal analysis. However, it is an interesting and easy way to get a rough impression of the performance of the generator.

• Autocorrelation
The autocorrelation function, defined in expression (2), measures the amount of similarity between the sequence {s_i} and its shifted version by τ positions. If {s_i} is a random periodic sequence of period T, then |T · C(τ)| can be expected to be quite small for all values of τ with 0 < τ < T.
This function is a mathematical tool very useful for finding repeated patterns. It analyzes different sections of a message and compares them to find similarities. Moreover, it allows measuring the linear relationship between random variables of processes separated a certain distance. The first autocorrelation coefficient is always equal to 1, and the other coefficients must have the smallest amplitude possible, so that the sequence can be considered random.
In Figure 4, we compare the autocorrelation values for two 8-interleaved sequences. In Figure 4a, we show the results for an eight-interleaved sequence with eight different primitive polynomials of degree L = 16. We observe that the values are almost zero except for the first value which is 1, as would be expected for a random sequence. Obtaining these results provides an indication about the randomness of the sequence but not the certainty. That is, this does not guarantee that it was indeed produced by a random bit generator, but it means that we can continue checking it. However, in Figure 4b, we represent the results for an eight-interleaved sequence with the same polynomial of degree L = 16. We can observe in the graph how the values increase for some shifts of the sequence with itself. This allows us to deduce the existence of certain autocorrelation in this sequence.
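A scaled-down check of Golomb's postulates and of the autocorrelation comparison above, as an added example (not the authors' Matlab code). It assumes the usual definition T·C(τ) = Σ (−1)^(s_i + s_{i+τ}) for expression (2), uses degree 5 and t = 3 instead of degree 16 and t = 8, and takes constructed seeds; all function names are this example's own.

```python
from collections import Counter
from itertools import groupby

def lfsr(taps, seed, n):
    """First n bits of the LFSR sequence s[i+L] = XOR of s[i+k] for k in taps."""
    s, L = list(seed), len(seed)
    while len(s) < n:
        s.append(sum(s[len(s) - L + k] for k in taps) % 2)
    return s[:n]

def interleave(seqs):
    """t-interleaving of t sequences: u[t*i + j] = seqs[j][i]."""
    return [bit for column in zip(*seqs) for bit in column]

def tc(s, tau):
    """T*C(tau): agreements minus disagreements of s with its cyclic shift by tau."""
    T = len(s)
    return sum(1 if s[i] == s[(i + tau) % T] else -1 for i in range(T))

def cyclic_runs(s):
    """Counter of (bit, length) over all runs of one period, read cyclically."""
    k = next(i for i in range(len(s)) if s[i] != s[i - 1])  # rotate to a run boundary
    return Counter((b, len(list(g))) for b, g in groupby(s[k:] + s[:k]))

def golomb(s):
    """R1 verdict, run counts for R2, and the set of off-peak T*C(tau) values for R3."""
    balanced = abs(2 * sum(s) - len(s)) <= 1
    return balanced, cyclic_runs(s), {tc(s, tau) for tau in range(1, len(s))}

def max_off_peak(u):
    """Largest |T*C(tau)| over 0 < tau < len(u)."""
    return max(abs(tc(u, tau)) for tau in range(1, len(u)))

T = 31  # 2^5 - 1; the three tap sets below are primitive polynomials of degree 5:
POLYS = [(0, 2), (0, 2, 3, 4), (0, 1, 2, 4)]  # x^5+x^2+1, x^5+x^4+x^3+x^2+1, x^5+x^4+x^2+x+1
SEEDS = [[1, 0, 0, 0, 0], [0, 1, 1, 0, 1], [1, 1, 0, 1, 0]]  # constructed nonzero seeds

pn = lfsr(POLYS[0], SEEDS[0], T)
same = interleave([lfsr(POLYS[0], seed, T) for seed in SEEDS])
diff = interleave([lfsr(p, seed, T) for p, seed in zip(POLYS, SEEDS)])

if __name__ == "__main__":
    print("PN-sequence (R1, runs, R3 values):", golomb(pn))
    for name, u in (("same polynomial", same), ("different polynomials", diff)):
        print(name, "-> max off-peak |T*C(tau)| =", max_off_peak(u), "of", len(u))
```

With one polynomial the component sequences are shifts of each other, so some shift τ lines two of them up and |T·C(τ)| reaches at least 31 + 1 − 3 = 29 out of 93; with the three different polynomials the off-peak values stay below that. Shifts that are multiples of t give −t in both cases.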

• Chaos Game
Chaos game [25][26][27] is a method that converts a one-dimensional sequence into a sequence in two dimensions providing a very provocative visual representation, which reveals some of the statistical properties of the sequence under study. From this graphical tool, we can visually look for patterns in the sequences generated by a random number generator. Figure 5 shows the Chaos maps of two eight-interleaved sequences with polynomials of degree 16. In Figure 5b, we have the Chaos map of an eight-interleaved sequence generated with one single polynomial. We can observe the lack of randomness in this sequence, since it presents a clear pattern. However, in Figure 5a, we have the Chaos map of an eight-interleaved sequence using different polynomials where we observe a disordered cloud, without patterns. This gives an indication of chaotic behavior but not certainty. That is, it does not assure the randomness of our sequence, but we can continue with the analysis of this generator.
A practical method of determining whether a system is chaotic or not is the calculation of the Lyapunov exponent, which we study in the next section.

• Lyapunov exponent
Lyapunov exponent is an essential tool and a useful analytical metric to characterize the chaos. An important property of chaos is its very sensitive dependence on initial condition. Lyapunov exponent is used as a quantitative measure for this dependence.
Lyapunov exponent of a dynamical system is a quantity that characterizes the rate of separation of infinitesimally close trajectories Z(t) and Z_0(t) in phase space The exponent λ measured for a long period of time (ideally t → ∞) is the Lyapunov exponent.
Next, we consider the definition of Lyapunov exponent given for sequences in [28]. Let d_0 be the measure of the initial distance between two sequences and d_t be the distance between the same sequences but after t iterations. We define Lyapunov exponent (LE) as:
It is desirable that two very close initial conditions provide very different trajectories (sequences). If LE is greater than zero, the distance between two close initial conditions rapidly increases over time, which means there exists an exponential divergence of the trajectories of a chaotic system. This value gives an idea of how different the sequences generated by similar seeds are, which is a very important feature to avoid attacks on the key of the generator. However, if LE = 0, the sequences decrease their distance, and they tend to join and become indistinguishable. The system converges, and it is not at all random.
We can use the Hamming distance (which indicates the number of bit positions in which both sequences differ) instead of the logarithm of the Euclidean distance in the Lyapunov exponent, and it is called the Lyapunov Hamming Exponent (LHE). If two numbers are identical, then their LHE value will be 0. Nevertheless, if all the bits of both numbers are different, then their LHE will be LHE = log_2 m = log_2 2^n = n, where n is the number of bits with which the numbers are encoded.
Obtaining the Lyapunov Hamming exponent for the chosen sequence is done by calculating the average of the LHE between every two consecutive numbers of the sequence. The best value will be n/2.
For this case, we take n = 8, so the best value is 4. Next, we show the value obtained for an eight-interleaved sequence with polynomials of degree L = 20:
Lyapunov Hamming exponent, ideal = 4
Lyapunov Hamming exponent, real = 4.0001
Absolute deviation from ideal = 2.2889 × 10^−5
Hence, the proposed generator passes this test. All the t-interleaved sequences with different polynomials analyzed have passed this test.
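The LHE computation described above, as an added example (not the authors' code). It reads the LHE of two n-bit numbers as their Hamming distance, which matches the extremes 0 and n given in the text; the sample streams are constructed, and Python's Mersenne Twister stands in for a generator under test.

```python
import random

def to_words(bits, n=8):
    """Pack bits into n-bit integers (first bit most significant); drop a partial tail."""
    return [int("".join(map(str, bits[i:i + n])), 2)
            for i in range(0, len(bits) - n + 1, n)]

def lhe(words):
    """Mean Hamming distance between every two consecutive words."""
    dists = [bin(a ^ b).count("1") for a, b in zip(words, words[1:])]
    return sum(dists) / len(dists)

def deviation(words, n=8):
    """(LHE, absolute deviation from the ideal value n/2)."""
    value = lhe(words)
    return value, abs(value - n / 2)

# Constructed 8-bit streams.
constant = [0xA5] * 256                      # identical numbers: no divergence
flipping = [0x00, 0xFF] * 128                # every bit differs at every step
counter = list(range(256))                   # binary counter
gray = [k ^ (k >> 1) for k in range(256)]    # Gray code: exactly one bit changes
rng = random.Random(2022)                    # stand-in generator, fixed seed
reference = to_words([rng.getrandbits(1) for _ in range(8 * 20000)])

if __name__ == "__main__":
    for name in ("constant", "flipping", "counter", "gray", "reference"):
        value, dev = deviation(globals()[name])
        print(f"{name:9s} LHE = {value:.4f}  deviation from ideal = {dev:.4f}")
```

Structured streams sit far from the ideal n/2 = 4 (the binary counter averages 502/255 ≈ 1.97), which is the kind of weakness this metric exposes.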

• Return map
In Information Theory, the entropy of a sequence is a measure of the amount of information of a process in bits; or it is a measure of the diversity of the elements in the sequence. It is computed from the frequencies of each element of the alphabet in the sequence.
The return map is useful to visually measure the entropy of the sequence above defined; that is, it allows us to detect the existence of some useful information about the parameters used in the design of pseudo-random generators [29].
The return application consists of drawing a two-dimensional graph of the points of the sequence {s_i} as a function of {s_{i−1}}. The result should be a distribution of points where you can guess no trend, no shape, no line, no symmetry, and no pattern, as happens in the Chaos map.
In Figure 6, we represent the return maps of two eight-interleaved sequences with polynomials of degree 16. In Figure 6a, we have the return map of an eight-interleaved sequence using different polynomials. We observe a disordered cloud, without patterns, which, in principle, does not provide any useful information for the cryptanalysis of the sequence. It does not mean that our sequence is random, simply that it is not rejected in the randomness analysis. However, in Figure 6b, we represent the return application of an eight-interleaved sequence generated with one single polynomial. We can check that this graph presents a pattern of defined curves, which are repeated. It indicates non-randomness in the sequence.

Battery of Statistical Tests
Next, we present two of the most important batteries of statistical tests used to evaluate the randomness of the sequences generated by pseudo-random number generators, Diehard and NIST. However, if one of the algorithms fails any of these tests, then the other tests are not even applied, and we cannot consider our sequence sufficiently random; therefore, our generator is not secure in cryptographic terms. Each test needs a binary sequence of 10^6 bits. All our sequences have the required length for this analysis.

1. FREQUENCY (MONOBIT) TEST: The focus of the test is the proportion of zeros and ones along the whole sequence. The purpose of this test is to determine whether the number of ones and zeros in a sequence are approximately the same as would be expected for a truly random sequence. The test assesses the closeness of the fraction of ones to 1/2; that is, the number of ones and zeros in a sequence should be about the same. All subsequent tests depend on the approval of this test.
2. POKER (SERIAL) TEST: Let m be an integer number such that ⌊T/m⌋ ≥ 5 · 2^m and let k = ⌊T/m⌋. The sequence {s_i} is divided into k non-overlapping parts each one of length m, and let m_i be the number of occurrences of the i-th type of sequence of length m, for 1 ≤ i ≤ 2^m. The Poker Test determines if each stream of length m appears approximately the same number of times in {s_i}, as would be expected for a random sequence. Note that for m = 1, the Poker Test is equivalent to the Frequency Test.
3. RUNS TEST: The incidences of runs (for both consecutive zeros and consecutive ones) of all lengths (≥1) in the sample stream should be counted and stored. The purpose of the Runs Test is to determine if the number of runs of different lengths in the sequence {s_i} is as expected for a random sequence. In particular, this test determines whether the oscillation between zeros and ones is too fast or too slow.
4. LONG RUNS TEST: A long run is defined to be a run of length 26 or more (of either zeros or ones). The focus of this test is the longest run of ones within M-bit blocks. Its purpose is to determine whether the length of the longest run of ones within the sequence is consistent with the length of the longest run of ones that would be expected in a random sequence. Note that one irregularity in the expected length of the longest run of ones implies that there is also an irregularity in the expected length of the longest run of zeros. Therefore, only a test for ones is necessary.

The focus of this test is the number of bits between matching patterns (a measure that is related to the length of a compressed sequence). The purpose of the test is to detect whether or not the sequence can be significantly compressed without loss of information. A significantly compressible sequence is considered to be non-random.
• Lempel-Ziv Compression Test
The focus of this test is the number of cumulatively distinct patterns (words) in the sequence. The purpose is to determine how far the tested sequence can be compressed; it is considered to be non-random if it can be significantly compressed. A random sequence will have a characteristic number of distinct patterns. This test works by reading a sequence of symbols, grouping the symbols into strings, and converting the strings into codes. We get compression because the codes take up less space than the strings they replace. No data are lost when compressing.
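The frequency, poker, runs and long-runs tests listed above, in the form FIPS 140-2 applies them, as an added example (not the authors' code). The acceptance limits are those of FIPS 140-2 Change Notice 1 for a 20,000-bit sample and do not appear on this page, apart from the long-run length of 26; the poker statistic is the standard X = (2^m / k) · Σ n_i² − k with m = 4, and the samples are constructed.

```python
import random
from collections import Counter
from itertools import groupby

# Acceptance limits of FIPS 140-2 (Change Notice 1) for one sample of 20,000 bits.
MONOBIT = (9725, 10275)   # number of ones, exclusive bounds
POKER = (2.16, 46.17)     # statistic X for m = 4, exclusive bounds
RUNS = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
        4: (240, 384), 5: (103, 209), 6: (103, 209)}  # key 6 pools lengths >= 6
LONG_RUN = 26             # a run this long (zeros or ones) fails the sample

def fips_140_2(bits):
    """Verdict (True = pass) of the four tests on a list of 20,000 bits."""
    if len(bits) != 20000:
        raise ValueError("FIPS 140-2 tests one sample of exactly 20,000 bits")
    # Poker: k = 5000 non-overlapping parts of m = 4 bits, n_i = count of pattern i
    counts = Counter(tuple(bits[i:i + 4]) for i in range(0, 20000, 4))
    x = 16 / 5000 * sum(c * c for c in counts.values()) - 5000
    # Runs: gaps (zeros) and blocks (ones) are tallied separately per length
    tally = {(b, n): 0 for b in (0, 1) for n in RUNS}
    longest = 0
    for b, group in groupby(bits):
        n = len(list(group))
        longest = max(longest, n)
        tally[(b, min(n, 6))] += 1
    return {"monobit": MONOBIT[0] < sum(bits) < MONOBIT[1],
            "poker": POKER[0] < x < POKER[1],
            "runs": all(RUNS[n][0] <= c <= RUNS[n][1] for (_, n), c in tally.items()),
            "long_run": longest < LONG_RUN}

# Constructed samples.
alternating = [0, 1] * 10000                          # balanced but fully predictable
rng = random.Random(140)                              # Mersenne Twister as a stand-in generator
reference = [rng.getrandbits(1) for _ in range(20000)]
stuck = reference[:100] + [1] * 26 + reference[126:]  # same sample with a 26-bit block

if __name__ == "__main__":
    for name, sample in (("alternating", alternating), ("reference", reference), ("stuck", stuck)):
        print(name, fips_140_2(sample))
```

The alternating sample passes the frequency test and still fails the poker and runs tests, which is why balance alone (Golomb's R1) says little about randomness.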
In Table 3, we present a small sample of the results obtained in the NIST tests here presented. All these values are the average of the results obtained for any sample of t-interleaved sequences studied.

9. PARKING LOT TEST: Randomly place unit circles in a 100 × 100 square. A circle is successfully parked if it does not overlap an existing successfully parked one. After 12,000 tries, the number of successfully parked circles should follow a certain normal distribution.
10. MINIMUM DISTANCE TEST: In a square of size 10,000 × 10,000, randomly select 8000 points. Find the minimum distance between the pairs. The square of this distance should be exponentially distributed with a mean close to 0.995. This is repeated for 100 random selections of 8000 points.
11. RANDOM SPHERES TEST: Randomly choose 4000 points in a cube of edge 1000. Center a sphere on each point, whose radius is the minimum distance to another point. The smallest sphere's volume should be exponentially distributed with a certain mean.
12. SQUEEZE TEST: Multiply 2^31 by random floats on (0, 1) until you reach 1. Repeat this 100,000 times. The number of floats needed to reach 1 should follow a chi-square distribution.
13. OVERLAPPING SUMS TEST: Generate a long sequence of random floats on (0, 1). Add sequences of 100 consecutive floats. The sums should be normally distributed with characteristic mean and variance.
14. RUNS TEST: Generate a long sequence of random floats on a [0, 1) distribution. Ascending and descending runs should follow a certain covariance matrix. This is repeated 10 times for sequences of length 10,000.
15. CRAPS TEST: Play 200,000 games of craps, counting the wins and the number of throws per game. Each count should follow a chi-square distribution.
Note that the Count-The-1s and the OPSO tests are both sometimes known as the Monkey Test. These statistical tests are designed to test the null hypothesis H_0, which states that the input sequence is randomly generated. If the hypothesis is not rejected in all the tests, then it is implied that the input sequences are random. Most of the tests in DIEHARD return a p-value or the KS p-value (given by the Kolmogorov-Smirnov test), which should be uniform on [0, 1) if the input file contains truly independent random bits. It is considered that a bit stream really fails when it obtains p-values of 0 or 1 to six or more places. Running the Diehard battery of tests on a hundred eight-interleaved sequences with different polynomials of degree 24, we find that Diehard does not show any weakness. From the results of Table 4 of a particular sequence, we can check that all the values are in the appropriate range.

Conclusions
Interleaving sequences is a way to increase the linear complexity of such sequences and to break the linearity when working with PN-sequences. In this paper, we analyze the randomness of the sequences obtained by interleaving PN-sequences generated by different characteristic polynomials with the same degree. According to the obtained results, these sequences achieve the maximal possible linear complexity and, in terms of randomness, they are better than the sequences obtained by interleaving PN-sequences with the same polynomial. Therefore, they seem to be suitable for applications in cryptography. As future work, we would like to apply more batteries of tests to our sequences and study what happens if we interleave PN-sequences with different periods. In this last case, we are not sure how the different periods can affect the resultant sequence. We need to perform a deep study in order to achieve some conclusions.