ON LINEAR COMPLEXITY OF GENERALIZED SHRINKING-MULTIPLEXING GENERATOR

Transcription

1 Journal of Basic and Alied Research International 4(1): 8 17, 015 O LIEAR COMPLEXITY OF GEERALIZED SHRIKIG-MULTIPLEXIG GEERATOR ZHAETA. TASHEVA 1* 1 Faculty of Artillery, AAD and CIS, ational Military University V. Levski, Faculty of Technical Sciences, University of Shumen, Shumen, Bulgaria. AUTHOR S COTRIBUTIO This work was carried out by a single author. The author ZT designed the study, formulated and roved the theorem for linear comlexity of the GSMG outut sequence, erformed ractical data analysis and comarison with original Shrinking Generator. The author ZT managed the literature searches, wrote all versions of the manuscrit from the initial draft to the final one. Received: December 014; Acceted: January 015; Published: February 015 *Corresonding author: zh.tasheva@mail.bg; ABSTRACT The linear comlexity of the Generalized Shrinking-Multilexing Generator (GSMG), based on Linear Shift Feedback Registers (LFSRs), is investigated in this aer. The lower and uer bounds of linear comlexity of its outut binary Pseudo Random Sequences are established. It is roved that the linear comlexity increases exonentially with the length of the control -ary LFSR and the rime used. Some linear comlexity analysis is given. It is shown that the linear comlexity of the GSMG based on LFSRs is greater than the linear comlexity of the Shrinking Generator. Keywords: Stream Ciher, clock controlled generators, shrinking generator, LFSR, linear comlexity. 1. ITRODUCTIO In the era of mobile and wireless communication systems and Internet, security is commonly obtained by stream cihers. They are roven to rovide high seed encrytion, immunity from dictionary attacks, low error roagation and rotection against active wiretaing. Stream cihers encryt the message bit by bit (or character by character) using a keystream that is a time-varying function of the secret key. For synchronous stream cihers, the keystream is generated indeendently of the laintext and the cihertext using a keystream generator, commonly a Pseudo Random umber Generator (PRG) which roduces binary Pseudo Random Sequences (PRSs). On one hand, the PRGs high erformance velocity and cost-effective imlementation is based on their simle architecture which combines fast and chea elements like Linear Feedback Shift Registers (LFSRs) and Feedback with Carry Shift Registers (FCSRs) [1] with some nonlinear functions, like filter generators, combinatorial generators and clock controlled generators. On the other hand, the erformance quality of the clock controlled PRGs [], [3], [4], [5], [6] deends on their cryto resistance, which is connected with its ability to generate nonlinear PRS (PRS) with enormous eriod, uniform distribution and large linear comlexity. The irregular clocking of used LFSRs is a mechanism which roduces nonlinear keystream sequences with high linear comlexity. This contrivance allows avoiding most algebraic attacks by using LFSRs with small length, but these PRGs are more difficult to analyze and their seed is lower than the seed of regular clocked stream cihers. Some examles of such PRGs are Sto-and-Go Generator, Ste-Once- Twice Generator, Alternating Ste Generator, Shrinking Generator and Self-Shrinking Generator. The Sto-and-Go Generator [7] consists of two LFSRs. The outut of the first LFSR R 1 is the control

2 clock for the second LFSR R as R is clocked at time when R 1 oututs 1. The Sto-and-Go Generator is not suitable for crytograhy because of its oor statistical roerties. Ste-Once-Twice Generator [3] has the same building registers, but has an imrovement in the way register R is clocked that solves the statistical roblem. Better solution is offered by Alternating Ste Generator [8] which has higher seed than the Ste-Once-Twice Generator. It consists of three LFSRs, one of which determines which of the others to be clocked. The Shrinking Generator was roosed by Coersmith, Krawczyk and Mansour at Eurocryt'93 in [9]. It is a variation of the Ste-Once- Twice Generator and also consists of two LFSRs, a control register R 1 and a generator register R. The outut sequence of Shrinking Generator is constructed from two outut m-sequences according to the following selection rule: If the i-th bit of the control sequence is 1, then the i-th bit of the generator sequence becomes a art of the outut. If the i-th bit of the control sequence is 0, then the corresonding bit of the generator sequence is shrunken. Unlike of the Ste-Once-Twice Generator the Shrinking Generator can delete several successive bits which define its advantage that the shrunken ortions are less regular, and thereby the correlation attacks are harder. A disadvantage of the Shrinking Generator is that the seed of generation is variable, which requires the use of a buffer to revent side channel attacks. It is shown that Shrinking Generator has good algebraic and statistical roerties [9], [10]. Andreas Klein states that it is a remarkably simle ciher which has now been unbroken for more than 15 years [3]. Another simle ciher is the Self-Shrinking Generator roosed by W. Meier and O. Staffelbach at Eurocryt'94 [11]. It is a variant of Shrinking Generator and contains only a single LFSR. U to now it has surrisingly good resistance to all known crytograhic attacks. In 004 the Generalized Self- Shrinking Generator was roosed by Hu and Xiao [1]. It can be reresented as a generalization of the Self-Shrinking Generator as well as a secial case of the Shrinking Generator. Later in the same year were roosed two attacks that show that the Generalized Self-Shrinking Generator can t be more secure than the Self-Shrinking Generator [13]. Due to its good crytograhic roerties the Shrinking and Self-Shrinking Generators are still obect of research [14], [15], [16], [17], [18] and alication in modern security systems [19], [0], [1], []. In recent years the develoment of ellitic curve crytograhy determines the need of new units to erform arithmetic oerations over Galois Field GF(). Some FPGA hardware imlementations of an arithmetic unit that comutes basic oerations such as addition, subtraction, multilication and multilicative inverse modulo rime have been roosed [3], [4], [5]. The FPGA arithmetic units over GF() can be used for easy imlementation of the LFSRs that roduce -ary m-sequences. Due to this reasons we have recently roosed some clock controlled generators which use a -ary PRS instead of binary PRS [6], [7], [8]. The aim of this aer is to investigate the linear comlexity of a Generalized Shrinking-Multilexing Generator (GSMG) based on LFSRs. The aer is organized as follows. First, the GSMG architecture based on LFSRs is described. Second, the linear comlexity of the GSMG based on LFSRs is established. After that some linear comlexity analysis and a comarison with the Shrinking Generator are given. Finally, the advantages and ossible alication areas of the GSMG based on LFSRs are discussed.. GSMG Architecture Based on LFSRs In this section the GSMG architecture based on LFSRs is recalled and the simlest ossible examle of Galois reresentation of GSMG architecture is discussed..1 The Basics of GSMG Architecture Based on LFSRs The roosed general architecture of the GSMG [6] can be realized by means of linear or nonlinear seudo random sequences. There are eight ossible variants of the GSMG architecture deending on the linear constructive elements, which most often are fast and chea LFSRs and FCSRs. Most of these GSMG architectures are statistically analyzed by the authors of [7], [8], [9] but strong mathematical analyses have not been made yet. Here the linear comlexity of the fifth architecture [30] is analyzed. The GSMG architecture based on LFSRs (Fig. 1) uses as building modules 1 in number LFSRs and one -ary LFSR (briefly LFSR). Definition 1: A GSMG based on LFSRs comrises a LFSR R of length L and 1 in number slaved LFSRs each of length L 1, L,, L 1. The LFSR R roduces one -ary number at a time. The clock controls the movement of the data in all used LFSRs. The algorithm of GSMG based on LFSRs consists of the following stes: 9

3 1. The control LFSR and all slaved LFSRs are clocked.. If the -ary outut of the control LFSR R at a moment i is non-zero (b i =, 0), the binary outut of the slaved LFSRs R forms one art of the outut binary PRS S. 3. Otherwise, if the outut of the control LFSR R is equal to 0 (b i = 0), the oututs of all slaved LFSRs R 1, R,, R 1 are discarded. Therefore, the roduced binary PRS is a shrunken version of the slaved binary PRSs, generated by the LFSRs R 1 R -1, when the outut of the control -ary PRS (briefly PRS) B is zero, and a mixed version of the slaved PRSs, when the outut is nonzero. Due to this reason, the outut binary sequence S is nonlinear and unredictable with more comlexity than the sequences, roduced by the slaved LFSRs. The nonlinearity in the GSMG architecture based on LFSRs is a result of the fact that the linear algebraic structure of the slaved LFSR sequences is destroyed by means of the shrinking and multilexing.. Examle of GSMG Architecture Based on LFSRs The simlest ossible examle of GSMG architecture based on LFSRs is resented below. It uses the smallest non binary rime = 3, and consists of two LFSRs of length L 1 = 3 and L =, and a control 3-ary LFSR with length L =. Examle 1: The GSMG architecture consists of a control 3-ary LFSR with feedback rimitive olynomial q(x) = x + x 1 which roduces 3-ary PRS B with eriod T = 8 and two slaved LFSRs which generate binary sequences A 1 and A with lengths T 1 = 7 and T = 3 resectively. The feedback rimitive olynomials of LFSRs R 1 and R are q 1 (x) = x 3 + x + 1 and q (x) = x + x + 1. The GSMG architecture from Examle 1 is given in Fig.. Each element of the Galois reresentation of LFSRs R 1 and R can hold a bit in a time. The elements r 0 and r 1 of the Galois reresentation of a 3- ary LFSR R can remember one 3-ary number, i.e. digits 0, 1 and. The elements in registers R 1 and R realize the simle XOR oeration, but the element in register R erforms oeration add mod 3. The seed of the GSMG is determined by the initial states of the registers R 1, R and R. Register R 1 with initial state [ r 1, r11, r01] [0,1,1 ] generates binary PRS A 1 = [ ] with eriod T 1 = 7. Register R with initial state [ r 1, r0] [1,1 ] generates binary PRS A = [101] with eriod T = 3. Ternary LFSR R with initial state [ r 1, r0 ] [0, ] generates 3-ary PRS B = [10110] with eriod T = 8. As one can see in a eriod of 3-ary PRS B each nonzero 3-ary number 1 or occurs 3 times, and zero number occurs times, which corresonds to the balance roerty definition for this current PRS [31]. The selection rule of the GSMG outut sequence S is shown in Table 1. When the outut number b i of the control sequence B is b i = 1, the corresonding bit from slave sequence A 1 forms the outut bit s i = a i 1. When the outut number b i of the control sequence B is b i =, the corresonding bit from slave sequence A forms the outut bit s i = a i. These bits are underlined in Table 1. If number b i of the control sequence B is b i = 0, then there is a ga in the GSMG outut sequence S. Every odd eriod of the PRSs is given in bold. As one can see from Table 1, the outut GSMG sequence S is nonlinear due to the used shrinking and multilexing method and its eriod T S is much more than the eriod of each used PRS. The GSMG outut sequence S is binary with eriod T S = 16 = = T 1. T. T 0, where T 0 = 6 is the number of the -ary integers different from 0 in one eriod of the control 3-ary PRS. 3. THE LIEAR COMPLEXITY OF THE SEQUECES GEERATED BY GSMG BASED O LFSRS In this section the lower and uer bounds of linear comlexity of the sequences generated by GSMG based on LFSRs are mathematically roven. Thereafter the ractical results of real linear comlexity of GSMG sequences tested by the Berlekam-Massey algorithm are calculated. Finally a comarison between linear comlexity of GSMG architecture based on LFSRs and Shrinking Generator is made. The imortance of the exonentially large PRS linear comlexity comes from the strong necessity of avoiding some oular attacks on PRSs or stream chiers. There is no need to know the way a PRS is generated in order to break it through its linear comlexity. In fact, any PRS with linear comlexity can be easily reconstructed if bits are known by the Berlekam-Massey algorithm [3], [33], which in time O( ) finds the shortest LFSR generating this PRS. 10

4 Selection Rule a i 1 LFSR R 1 LFSR R a i b i = 1 b i = Outut binary PRS S Clock LFSR R -1 a i -1 b i = 1 If b i = 0 Discards all a i LFSR R b i Fig. 1. Generalized shrinking multilexing generator based on LFSRs Selection Rule R 1 r 1 r 11 r 01 A 1 b i = 1 S R r 1 r 0 A b i = Clock R + mod 3 B b i = 0 r 1 r 0 Fig.. The GSMG architecture from examle 1 Table 1. The selection rule for outut sequence S of the GSMG from Examle 1 3PRS B PRS 1 A PRS A PRS S PRS B PRS 1 A PRS A PRS S PRS B PRS 1 A PRS A PRS S

5 Here, it should be mentioned that the high linear comlexity is only necessary but not sufficient condition PRG to have good crytograhic roerties. There are many other conditions like large eriod; uniform distribution of d-tules for a large range of d; good, usually lattice-liked, structure in high dimensions; good statistical roerties; resistance to known attacks and so on. 3.1 Theoretical Analysis of Linear Comlexity The linear comlexity, S, of the infinite sequence S = s 0, s 1, s,, where each s i lies in the field F, is the smallest nonnegative integer L for which there exist coefficients c 1, c,, c L in F such that (1) Seaking as engineers, it can be said that the S is the length L of the shortest LFSR that can generate S when the first L digits of S are initially loaded in this LFSR. In the following aragrah Theorem 1 that determines the eriod Т s of the sequence S is used to establish the uer and lower bound of the linear comlexity of sequence S generated by the GSMG based on LFSRs. Refer to [30] to see the roof of Theorem 1. Theorem 1: If the sequences A, = 1,, 1, generated by the slaved LFSRs R, and the sequence B, generated by the control LFSR R, have maximal length (i.e. all slaved LFSRs and LFSR have rimitive connection olynomials) and all eriods Т of the slaved LFSRs are co-rime with the eriod T of the control LFSR, i.e. the greatest common divisor (Т, Т) = 1 for = 1,,, 1, then the outut shrinking and multilexing sequence S, generated by the GSMG based on LFSRs, has maximal eriod T S defined by the equation: 1 1 L TS ( 0). T ( 0). where ( 0) () is the number of all nonzero elements in a eriod of the control PRS sequence and L, = 1,,, 1 are the lengths of the slaved LFSR R. The number ( 0) 1, of the nonzero elements in a eriod of the control PRS sequence can be calculated using the balance roerty of non-binary PRSs [31]. Balance roerty: In every eriod of non-binary PRSs, each nonzero element in F q occurs q L 1 times and the zero element in F q occurs q L 1 1 times. The nonzero elements in a eriod of the control PRS are 1 in number in Galois Field GF() and each of them occurs L 1 times, consequently ( 0) ( 1) (3) The linear comlexity s of the sequence S generated by the GSMG based LFSRs satisfies the following Theorem. Theorem : If the sequences A, = 1,, 1, generated by the slaved LFSR R, and the sequence B, generated by the control LFSR R, have maximal lengths (i.e. all slaved LFSRs and LFSR have rimitive connection olynomials) and all eriods Т i of the slaved LFSRs are co-rime with the eriod T of the control LFSR, i.e. the greatest common divisor (Т, Т) = 1 for = 1,,, 1, then the outut shrinking and multilexing sequence S, generated by the GSMG based on LFSRs, has a linear comlexity s satisfied the inequality: 1 1 ( 1). (4) L S ( 1) L i Let a (i) be the i-th element of the sequence A, = 1,, 1, generated by the slaved LFSR R, b(i) denotes the i-th element of the sequence B, generated by the control LFSR R, and s(i) be the i-th element of the sequence S, generated by the GSMG based on LFSRs. The next roosition, which follow from the definition of the GSMG based on LFSRs, is used in the roof of Theorem. Proosition 1: The integers connected by equation and T are s( i n. ( 0) ) a ( ki nt), for n 0,1, (5) Proof: To determine an uer bound on the linear comlexity s of the sequence S, it is sufficed to find a olynomial P(.), for which P(s) = 0, i.e. the coefficients of P(.) reresents a linear deendency satisfied by the elements of a sequence S. Let s ( 0) be the sequence s( n( 0) ), n 0, 1,, i.e. the sequence S is decimated by ( 0). Proosition 1 states that this decimation results in transformation of every slaved sequence of the form a ( i nt), 1,,, 1. Since (Т, Т) = 1, = 1,,, 1, the above sequences. ( 0) 1

6 a ( i nt), 1,,, 1 have maximal length and have the same linear comlexity as the original sequences a ( i), 1,,, 1. Therefore, the olynomials Q (.) of degree L i exist for which Q (a ) = 0. But then the decimated sequence satisfies olynomials Q (.), i.e. Q Hence, a olynomial of degree ) ( s ( 0 ) 0, 1,,, 1 ( 0) P( s) Q ( s ). (6) (7) 1 ( 0) L i, such that P(s) = 0, is found. i 1 Consequently, the linear comlexity s of the sequence S generated by the GSMG based on LFSRs is at most (8) To determine a lower bound on the linear comlexity s of the sequence S, it is necessary to find the minimal olynomial m(s) for which m(s) = 0. Since the sequence S satisfied the equation (6), then the olynomial m(s) divides each olynomial ( 0) Q ( s ), 1,,, 1. After utting the equation (3) in (6), the following equations are obtained ( 0) ( 1) Q ( s ) Q ( s ). (9) ( 1) ( Q ( s)), 1,,, S ( 0) L ( 1) L. Therefore, the minimal olynomial m(s) must be in r the form ( Q ( s)) for r ( 1). The is a rime number and hence, 1 is even. s ( 0) The following assumtions is made ( 1) r. (10) Then the minimal olynomial m(s) divides each ( 1) olynomial ( Q ( s)), 1,,, 1. Since Q (s), 1,,, 1 are irreducible olynomials of degree L, they divide the olynomials 1 x T resectively. Consequently, olynomial m(s) divides ( 1) T (1 x ) ( 1) T. 1 x. (11) But then the eriod of the sequence S, generated by the GSMG based on LFSRs, is at most 1 ( 1) L TS. ( This contradicts to the Theorem 1, because 1). (1) ( 1) ( 0). (13) Therefore, the assumtion isn t true and ( 1) r, i.e. the lower bound on the linear comlexity s of the sequence S is 1 ( 1) S L. (14) This conclusion ends the roof of the Theorem. 3. Practical Analysis of Linear Comlexity The GSMG architecture based on LFSRs is modeled in Visual C# environment. The linear comlexity of the generated sequences by the LFSR based GSMG are ractically analyzed by means of the Berlekam- Massey algorithm. The theoretical lower and uer bounds of the linear comlexity S, given by the Theorem, and real S found by the Berlekam- Massey algorithm are given in Table. The eriod of the outut shrinking and multilexing sequence S also is shown in the Table. 13

7 Table. Linear Comlexity of the PRSs, generated by GSMG based on LFSRs, with = 3 Used PRSs Primitive Polynomials Length Period T S Linear Comlexity of the PRSs, generated by the LFSR based GSMG Lower Bound Uer Bound Real 1 PRS A x + x 3 L 1 = = = = PRS A 1 + x + x 4 L = 3 3PRS B 1 + x + x 3 L = PRS A x + x L 1 = / 3 = = 7 7. = PRS A 1 + x + x 4 L = 4 3PRS B 1 + x + x 3 L = 3 3 PRS A x + x 3 L 1 = = = = PRS A 1 + x + x L = 3PRS B 1 + x + x 3 L = 3 4 PRS A x + x 3 L 1 = = = = 7 4 PRS A 1 + x + x 4 L = 4 3PRS B + x + x L = 5 PRS A x + x L 1 = / 3 = = 4 4. = PRS A 1 + x + x 4 L = 4 3PRS B + x + x L = 6 PRS A x + x 3 L 1 = = = = PRS A 1 + x + x L = 3PRS B + x + x L = 7 PRS A x + x 3 L 1 = = = = PRS A 1 + x + x L = 3PRS B + x + x 4 L = 4 8 PRS A x + x 3 L 1 = = = = PRS A 1 + x + x 5 L = 5 3PRS B + x + x L = 9 PRS A x + x L 1 = = = = 60 4 PRS A 1 + x + x 5 L = 5 3PRS B + x + x L = The ractical analysis of the linear comlexity and eriod of the sequences S, generated by the GSMG based on LFSRs, confirm that the real eriod and the linear comlexity of tested sequence fall into the bounds roven by Theorem 1 and Theorem, i.e. the exonential eriod and exonential bounds of the linear comlexity. 3.3 Comarison with Shrinking Generator Here, the linear comlexity of the sequences generated by the GSMG based on LFSRs is comared to the linear comlexity of the original Shrinking Generator. First, when =, Theorem states: Corollary 1: If the sequences A 1, generated by the slaved LFSR R 1, and the sequence B, generated by the control LFSR R, have maximal lengths (i.e. LFSR R 1 and LFSR R have rimitive connection olynomials) and eriod Т 1 of the slaved LFSR R 1 are co-rime with the eriod T of the control LFSR, i.e. the greatest common divisor (Т 1, Т) = 1, then the outut shrinking and multilexing sequence S, generated by the GSMG based on LFSRs, has a linear comlexity s satisfied the inequality: L1 S. L1. (15) These are the minimum bound L 1. L and maximum bound L 1. L 1 of the linear comlexity of the Shrinking Generator, given by Theorem in [9]. Here L is the length of the control LFSR and L 1 is the length of the generator register. By comaring the bounds of the linear comlexity of the two generators can be concluded that the linear comlexity of the sequences generated by the GSMG based on LFSRs is more than the one of the Shrinking Generator. This is because it increases exonentially with the length L of the control register and with base of the ower which is the value of the used rime. For examle, if the length of a 3-ary control register L is equal to that of the control LFSR in Shrinking Generator (L = L ), the bounds of the GSMG linear comlexity will be 14

8 3 L. L1 S.3 L. L1. (16) For the simlest ossible Examle 1 given in section., L =, L 1 = 3 and L = L =, the bounds for GSMG and Shrinking Generator are resectively 18 S GSMG 36 and 3 S SG 6. As one can see the lower and uer bounds of GSMG linear comlexity are 6 times higher than those of the Shrinking Generator. This, on the other hand, increases the comlexity of hardware or software imlementation of the GSMG based on LFSRs. In Examle 1, the hardware imlementation was increased by ternary control register. 4. COCLUSIO AD FUTURE WORK In this aer the linear comlexity of the Generalized Shrinking-Multilexing Generator based on LFSRs is investigated mainly through algebraic techniques. It is roved that the lower and uer bounds of the linear comlexity S of GSMG outut sequence S are exonential in length of control -ary LFSR and used rime. Previously in [30] has been roven that the bounds of the GSMG eriod are exonential of both the length of control -ary LFSR and the lengths of the used 1 in number slaved LFSRs. Also have been shown that the GSMG outut sequence S have good statistical roerties. The GSMG based on LFSRs similarly to the Shrinking generator can delete several successive bits in the outut sequence which defines its advantage in its less regular shrunken ortions, and thereby its correlation attacks are harder. Furthermore, besides that the GSMG outut sequence is shrunken, it is a multilexed version of slaved LFSRs sequences and both define unredictable nonlinearity of the outut sequence. A disadvantage of the GSMG is that the seed of generation is variable, which requires the use of a buffer to revent side channel attacks. As indicated above, the comlexity of hardware and software imlementation increases with the chosen rime, but the roosed architecture allows arallel imlementation of used registers as in a hardware FPGA imlementation, as in a software imlementation in a various rocessor cores. Thus, the roosed GSMG architecture based on LFSRs allows roducing binary seudo random sequences with good roerties like unredictable nonlinearity, enormous eriod, large linear comlexity, and good statistical roerties. This shows that the main goals of the seudo random number generators are achieved by GSMG architecture based on LFSRs. Consequently, it satisfies the minimal conditions for the construction of stream cihers in the high-seed communication alications. evertheless, there are some theoretical and ractical issues that need to be addressed. From a theoretical oint of view, imroved crytanalysis of the GSMG architecture based on LFSRs keystream sequences is necessary to be done. On the ractical side, the real hardware arallel FPGA imlementation must be designed. Aroriate choice for software imlementation are GSMG architectures with = 3 and = 5, which can be easily arallelized with dual and quad core rocessors resectively. ACKOWLEDGEMETS I wish to exress my acknowledgments to the anonymous referees whose remarks heled me make this aer as best as ossible. DECLARATIO Some art of this manuscrit was reviously resented and ublished in the following conference. Conference name: International conference on Comuter systems and technologies ComSysTech 07. Dates: June 14-15, 007. Location: Rousse, Bulgaria. Web Link of the roceeding: The eriod of the LFSR based generalized shrinking-multilexing generator, htt://dl.acm.org/citation.cfm?id= COMPETIG ITERESTS Authors have declared that no cometing interests exist. REFERECES 1. Goresky M., A. Klaer, Fibonacci and Galois Reresentations of Feedback-With-Carry Shift Registers, IEEE Trans. on Inform. Theory, vol. 48, , ovember 00.. Kanso, A. Clock-controlled generators. University of London, Klein, A. Stream cihers. London: Sringer, Menezes A., P. Oorschot, S. Vanstone, Handbook of Alied Crytograhy, CRC Press,. 780, 1997, 15

9 5. Rueel R., Analysis and Design of Stream Cihers, Sringer Verlag,. Y., Schneier B., Alied Crytograhy, John Wiley & Sons, ew York, Beth, T., and F. Pier. The Sto-and-Go Generator. In EUROCRYPT, vol. 84, Günther, Christoh G. "Alternating ste generators controlled by de Bruin sequences." In Advances in Crytology EUROCRYPT 87, Sringer Berlin Heidelberg, Coersmith D., H. Krawczayk, Y. Mansour, The Shrinking Generator, Cryto 93, htt:// 84_009/ShrinkingGenerator.df 10. Sharlinski, I. On some roerties of the shrinking generators. In Designs, Codes and Crytograhy, vol. 3 Issue, 001, Meier, W., and O. Staffelbach. The selfshrinking generator. In Communications and Crytograhy, Sringer US, Hu, Y., and G. Xiao. Generalized selfshrinking generator. Information Theory, IEEE Transactions on 50, o. 4, 004, Zhang, B., H. Wu, D. Feng, and F. Bao. Security analysis of the generalized selfshrinking generator. In Information and Communications Security, Sringer Berlin Heidelberg, Arshad, Ghoosia, Aihab Khan, Malik Sikandar Hayat Khiyal, and Mina Masood. "Analysis and Design of Alternating Ste Shrinking Generator (ASSG) for Imroved Security." International Journal of Comuter Theory and Engineering 3, no. 4, Fúster-Sabater, A. "Generation of Crytograhic Sequences by means of Difference Equations." Al. Math 8, no., 014, Fúster-Sabater, A. Characterization of the Least Periods of the Generalized Self- Shrinking Sequences. arxiv rerint arxiv: , Huiuan, W., W. Qiaoyan, and J. Zhang. The Proerties of the FCSR-Based Self-Shrinking Sequence. IEICE TRASACTIOS on Fundamentals of Electronics, Communications and Comuter Sciences 96, o., 013, Salam, M., and H. Lee. Algebraic Analysis of Shrinking Generator. Int. Journal of Math. Analysis, Vol. 6, no. 50, 01, Kanso, A. "Self-shrinking chaotic stream cihers." Communications in nonlinear science and numerical simulation 16, no., 011, Kanso, A. Modified self-shrinking generator. Comuters & Electrical Engineering 36, o. 5, 010, Sundaresan, S., R. Doss, S. Piramuthu, and W. Zhou. "A Robust Grouing Proof Protocol for RFID EPC C1G Tags." Information Forensics and Security, IEEE Transactions on. Vol. 9, Issue 6, 014, Sundaresan, S., R. Doss, S. Piramuthu, and W. Zhou. "Secure Tag Search in RFID Systems Using Mobile Readers." Deendable and Secure Comuting, IEEE Transactions on. 014: Bertoni, G., J. Guaardo, S. Kumar, G. Orlando, C. Paar, and T. Wollinger. Efficient GF( m ) arithmetic architectures for crytograhic alications. In Toics in Crytology CT-RSA 003, Sringer Berlin Heidelberg, Daly, A., W. Marnane, T. Kerins, and E. Poovici. An FPGA imlementation of a GF() ALU for encrytion rocessors. Microrocessors and Microsystems 8, o , Hlaváč, J., and R. Lórencz. Arithmetic unit for comutations in GF() with the left-shifting multilicative inverse algorithm. In Architecture of Comuting Systems ARCS 013, Sringer Berlin Heidelberg, Tashev T., B. Bedzhev, Zh. Tasheva, The Generalized Shrinking-Multilexing Generator, In Proceedings of the 007 international conference on Comuter systems and technologies,. 48. ACM, Tasheva A. T., Zh.. Tasheva, A. P. Milev (011). Generalization of the Self-Shrinking Generator in the Galois Field GF( n ). Advances in Artificial Intelligence, vol. 011, Article ID , 10 ages, 011. doi: /011/ Tasheva Zh., B. Bedzhev, V. Mutkov, A Shrinking Data Encrytion Algorithm with - adic Feedback with Carry Shift Register. Conference Proc. of XII Int. Sym. on Theoretical Electrical Engineering, ISTET 03, July 6-9, 003, Warsaw, Poland, Volume II, , Tasheva Zh., B. Bedzhev, B. Stoyanov, adic Summation-Shrinking Generator. Basic roerties and emirical evidences. Crytology eprint Archive, Co-Editors: Mihir Bellare, UCSD Christian Cachin, IBM Zurich, 16

10 Acceted and osted with umber 005/068, htt://erint.iacr.org/005/068.df. 30. Tashev T., The eriod of the LFSR based generalized shrinking-multilexing generator. In Proceedings of the 007 international conference on Comuter systems and technologies,. 55. ACM, Gong G., Sequence Analysis. University of Waterloo, 1999, s. 137, htt://callioe.uwaterloo.ca/~ggong. 3. Atti. B., G. M. Diaz Toca, H. Lombardi, The Berlekam-Massey Algorithm revisited. Alicable Algebra in Engineering, Communication and Comuting, Vol. 17, umber 1, 006, Sringer Berlin, Heidelberg, htt:// /. 33. Greenberg S.,. Feldblum, G. Melamed, Imlementation of the Berlekam-Massey algorithm using a DSP. Proceedings of the th IEEE International Conference Electronics, Circuits and Systems, ICECS 004, ISB: , , 004. Coyright International Knowledge Press. All rights reserved. 17