Counting Functions for the k-error Linear Complexity of 2 n -Periodic Binary Sequences

Transcription

1 Counting Functions for the k-error inear Complexity of 2 n -Periodic Binary Sequences amakanth Kavuluru and Andrew Klapper Department of Computer Science, University of Kentucky, exington, KY Abstract inear complexity is an important measure of the cryptographic strength of key streams used in stream ciphers. The linear complexity of a sequence can decrease drastically when a few symbols are changed. Hence there has been considerable interest in the k-error linear complexity of sequences which measures this instability in linear complexity. For 2 n -periodic sequences it is known that minimum number of changes needed per period to lower the linear complexity is the same for sequences with fixed linear complexity. In this paper we derive an expression to enumerate all possible values for the k-error linear complexity of 2 n -periodic binary sequences with fixed linear complexity, when k equals the minimum number of changes needed to lower the linear complexity below. For a certain set of these values we derive the expression for the corresponding number of 2 n -periodic binary sequences with fixed linear complexity and k-error linear complexity when k equals the minimum number of changes needed to lower the linear complexity. 1 Introduction The linear complexity of a sequence is the length of the shortest linear feedback shift register (FS) that can generate the sequence. The FS that generates a given sequence can be determined using the Berlekamp-Massey algorithm using only the first 2 elements of the sequence, where is the linear complexity of the sequence. The typical assumption in the analysis of the security of stream ciphers is that the attacker has access to a part of the key stream and wants to use this to predict the remainder of the key stream. Thus the problem of designing a good stream cipher is reduced to the problem of designing a fast key stream generator whose output is hard to predict from a prefix of the the output. Hence for cryptographic purposes sequences with high linear complexity are essential as an adversary This paper is accepted to appear in the proceedings of the 15th annual workshop on Selected Areas in Cryptography (SAC 2008). This material is based upon work supported by the National Science Foundation under Grant No. CCF Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation. 1

2 would then need large initial segments of the sequences to recover the FSs that generate them using the Berlekamp-Massey algorithm. A system is insecure if all but a few symbols of the key stream can be extracted. So for a cryptographically strong sequence, the linear complexity should not decrease drastically if a few symbols are changed. If it did, an attacker could modify the known prefix of the key stream and try to decrypt the result using the Berlekamp-Massey algorithm. If the resulting sequence differed from the actual key stream by only a few symbols, the attacker could extract most of the message. This observation gives rise to k-error linear complexity of sequences introduced in [10]. The k-error linear complexity of a periodic sequence is the smallest linear complexity achieved by making k or fewer changes per period. In addition to having large linear complexity, cryptographically strong sequences should, thus, also have large k-error linear complexity at least for small k. et S = (s 0,s 1,,s T 1 ) be a periodic binary sequence with period T. We associate the polynomial S(x) = s 0 + s 1 x + + s T 1 x T 1 and the corresponding T-tuple S (T) = (s 0,s 1,,s T 1 ) to S. The relationship between the linear complexity, denoted (S), of S and the associated polynomial S(x) is given by (S) = T deg(gcd(x T 1,S(x))). (1) et w H (S) denote the Hamming weight of the T-tuple S (T). For 0 k T, the k-error linear complexity of S, denoted k (S), is given by k (S) = min E (S + E), (2) where the minimum is over all T-periodic binary sequences E such that w H (E) k. Since we consider only 2 n -periodic sequences, we use T = 2 n and the observation x T 1 = x 2n 1 = (x 1) 2n (3) for the rest of the paper. et merr(s) denote the minimum value k such that the k-error linear complexity of a 2 n -periodic sequence S is strictly less than its linear complexity. That is merr(s) = min{k : k (S) < (S)}. (4) Kurosawa et al. [3] derived the formula for the exact value of merr(s). emma 1. For any nonzero 2 n -periodic sequence S, we have merr(s) = 2 w H(2 n (S)), where w H (j), 0 j 2 n 1, denotes the Hamming weight of the binary representation of j. The counting function of a sequence complexity measure gives the number of sequences with a given complexity measure value. ueppel [9] determined the counting function of linear complexity for 2 n -periodic binary sequences. Using equations (1) and (3) it is straightforward to obtain the number of 2 n -periodic binary sequences with fixed linear complexity. For the rest of the paper let N() and A() denote, respectively, the number of and the 2

3 set of 2 n -periodic binary sequences with given linear complexity, 0 2 n. ueppel [9] showed that N(0) = 1 and N() = 2 1 for 1 2 n. (5) Counting functions and expected values for linear complexity and k-error linear complexity were extensively explored by Meidl and Niederreiter [5, 6, 7]. ecently, using efficient algorithms to compute the linear complexity of p n periodic sequences over F p, Meidl [4] obtained the counting function and the expected value for the 1-error linear complexity of 2 n -periodic binary sequences. Meidl and Venkateswarlu [8] extended these results to p n - periodic sequences over F p. Fengxiang and Wenfeng [1] used Meidl s [4] approach of analyzing Games-Chan algorithm to obtain the counting functions and gave the exact expression for the expected value of the 2-error linear complexity of a random 2 n -periodic binary sequence with linear complexity 2 n 1. In this paper we perform a more rigorous analysis of Games-Chan algorithm to enumerate all the possible values of k-error linear complexity of sequences in A() for k = 2 w H(2 n ), that is when k is the minimum number of changes needed to lower the linear complexity below. For certain sets of these values, we also derive the corresponding number of sequences in A() whose k-error linear complexity equals the values in those sets. For the rest of the paper by k min () denote the minimum number of changes needed to lower the linear complexity of sequences in A(), that is k min () = 2 w H(2 n ). 2 Games-Chan Algorithm In this section we describe the Games-Chan algorithm and list some results using its analysis. By emma 1 for any 2 n -periodic sequence S with merr(s) = 2 m, m {0,,n}, the linear complexity (S) can be uniquely expressed as (S) = 2 n or (S) = 2 n m 2 n r i, where 0 < r 1 < < r m n. The Games-Chan algorithm [2] is a fast algorithm for computing the linear complexity of a 2 n -periodic binary sequence. For any S A() with period S (2n) = (s 0,,s 2 n 1), denote the left and right halves of S (2n) by S (2n 1 ) = (s 0,,s 2 n 1 1) and S (2n 1 ) = (s 2 n 1,,s 2 n 1). et S and S denote the 2 n 1 periodic sequences S = (s 0,,s 2 n 1 1) and S = (s 2 n 1,,s 2 n 1). (6) The Games-Chan algorithm can be described as in Figure 1. We make some observations and establish notation we use for the rest of the paper. We note that the for loop in the Games-Chan algorithm shown in Figure 1 is executed a total of n times to compute the linear complexity of any S A(). In the ith step, i = 0,,n 1, the algorithm computes the linear complexity of a 2 n i -periodic binary sequence. et ψ i (S), 3

4 Games Chan (S,n) begin := 0 for i := 0 to n 1 do if S = S then S := S else S := S + S := + 2 n i 1 fi od := + S 0 return end Figure 1: The Games-Chan Algorithm i = 0,,n 1, denote the first period of the 2 n i -periodic binary sequence considered in the ith step of the algorithm when run with input sequence S. et ψ i (S) and ψi (S) denote, respectively, the left and right halves of ψ i (S). et m i (S) denote the total value contributed to (S) in the algorithm during the execution from the 0-th step to the i-th step of the algorithm. For any two finite binary sequences, S and S, of same length let d H (S,S ) denote the Hamming distance between S and S. We slightly abuse the notation because we also use d H (S,S ) to denote the Hamming distance between the first periods of S,S A(). It is straightforward to derive the following lemma from the Games-Chan algorithm. emma 2. et S be a 2 n -periodic binary sequence. For any t integers r 1,,r t such that 0 < r 1 < r 2 < < r t n, we have if and only if ψ u 1 (S) = 2 n (2 n r n r n rt ) (7) (S) = ψu 1 (S) exactly when u {r 1,,r t }. For any S A() where is as in equation (7), the following properties of vectors ψ l (S), 0 l n, are straightforward to obtain. P1: If l = r i 1, for some i {1,,t}, then w H (ψ l (S)) = 2 w H (ψ l+1 (S)). P2: For any l r i 1, for all i {1,,t}, we have w H (ψ l (S)) w H (ψ l+1 (S)). By P l, 0 l n, denote the number of distinct possibilities, over all sequences in A(), for the 2 n l -vector during the l-th step such that the 2 n l 1 -vector during the (l + 1)-th step is fixed. It is straightforward to get the following properties. 4

5 P3: If l = r i 1, for some i {1,,t}, then P l = 1. P4: For any l r i 1, for all i {1,,t}, we have P l = 2 2n l 1. We also use the following result in the next section. emma 3. et S A() with 0 represented as (S) = 2 n (2 n r n r n rt ), (8) where 0 < r 1 < r 2 < < r t n. et S S be any other 2 n -periodic binary sequence such that m l 1 (S) = m l 1 (S ) for some l {1,,n}. If d H (ψ l (S),ψ l (S )) 0, then d H (S,S ) 2 b d H (ψ l (S),ψ l (S )), (9) where b, 1 b t, is the unique integer determined by the inequality r b l < r b+1 assuming r 0 = 0 and r t+1 = n + 1. Proof. Since m l 1 (S) = m l 1 (S ) and r b l < r b+1, from emma 2 during the first l 1 steps of the Games-Chan algorithm ψ u 1 (S) = ψu 1 (S) and ψu 1 (S ) = ψ u 1 (S ) if and only if u {r 1,,r b }. (10) The algorithm has a 2 n l -periodic sequence as input in the l-th step. So, let d H (ψ l (S),ψ l (S )) = g, for some 1 g 2 n l. (11) et p j, 0 p j 2 n l 1 1, j = 1,,g, be the positions where ψ l (S) and ψl (S) differ. If l r b > 0, for each p j, j = 1,,g, from equation (10) we have either or ψ l 1 (S) pj = ψ l 1 (S ) pj and ψ l 1 (S) pj +2 n l ψl 1 (S ) pj +2n l, (12) ψ l 1 (S) pj ψ l 1 (S ) pj and ψ l 1 (S) pj +2 = n l ψl 1 (S ) pj +2n l. (13) That is, for the g positions where ψ l (S) and ψ l (S ) differ, there are at least g positions where ψ l 1 (S) and ψ l 1 (S ) differ. Using a similar argument we see that d H (ψ l c (S),ψ l c (S )) g, 0 c l r b. (14) Equation (14) holds trivially if l = r b. We note that for each of S and S, the (r b 1)-th step has a 2 n r b+1 -periodic binary sequence whose left and right halves are equal and either half gets input to the r b -th step. Thus, from equation (14), we have d H (ψ r b 1 (S),ψ r b 1 (S )) 2g = 2 d H (ψ l (S),ψ l (S )). (15) Using equation (15), the lemma follows by induction on b. 5

6 3 Expression for k min ()-error inear Complexity In this section we analyze the structure of the Games-Chan algorithm to derive an expression to enumerate all possible values of k min ()-error linear complexity of sequences in A() in terms the coefficients in the binary expansion of 2 n. We handle the case when 1 < < 2 n as the results are simple when = 0 or 1 and as we already know the results when = 2 n [4]. We need the following generalization of [1, emma 2] whose proof is similar to that of emma 2 in [1]. emma 4. For any sequence S = (s 0,,s 2 n 1) A(), we have 2 n 2 n r, r = 1,,n, if and only if 2 r 1 i=0 s j+i 2 n r = 0 for j = 0,, 2 n r 1. We prove an auxiliary result that is used in the main result of this section. emma 5. et S A() with 1 < < 2 n. Consider the representation of as = 2 n (2 n r n r n rt ), (16) where r 0 = 0 < r 1 < r 2 < < r t < n + 1 = r t+1 and 1 t n 1. et S be any 2 n -periodic binary sequence such that d H (S,S ) = k min () = 2 t and (S ) = 2 t(s). Define the two integers and l 1 = min{i : 0 i n 1 and m i (S ) m i (S)} (17) l 2 = min{i : 0 i n 1 and d H (ψ i (S),ψ i (S)) = 2 t j with r j i < r j+1 }. (18) Then we have l 1 = l 2. Proof. From emma 1 we know k min () = 2 t which implies (S ) < (S). We note that there exists at least one integer i, 0 i n 1, such that m i (S ) m i (S) since otherwise (S) = (S ). Hence the set on the right hand side of equation (17) is not empty. From the procedure of the Games-Chan algorithm and using the fact (S ) < (S) equation (17) implies ψ l 1 (S) ψ l 1 (S) and ψ l 1 (S ) = ψ l 1 (S ). (19) From equation (19) we get d H (ψ l 1 (S )) d H (ψ l 1 (S)). (20) et b be the unique integer determined by the inequality r b l 1 < r b+1. Since ψ rt 1 (S) = (S) and because the vectors considered during all the steps, except the last one, of the ψ rt 1 6

7 Games-Chan algorithm have nonzero Hamming weight, we have w H (ψ rt 1 (S)) 2. So using properties P1 and P2 we get w H (ψ l 1+1 (S)) 2 t b and thus d H (ψ l 1 (S)) 2 t b. (21) Now we show that d H (ψ l 1 (S)) = 2 t b. If not, we have d H (ψ l 1 (S)) > 2 t b by equation (21). By equation (20) this implies d H (ψ l 1 (S )) > 2 t b. (22) But from emma 3 we know d H (S,S ) 2 b d H (ψ l 1 (S )). Since d H (S,S ) = 2 t, this implies d H (ψ l 1 (S )) 2 t b. This contradicts the inequality in (22). Thus we have d H (ψ l 1 (S)) = 2 t b. (23) From equation (23) we know that the set on the right hand side of equation (18) is not empty and l 2 l 1. By a denote the unique integer determined by the inequality r a l 2 < r a+1. Because there are a steps before the l 2 -th step where the left and right halves are equal it is evident from equation (27) that altering ψ l 2 (S) such that ψ l 2 (S) = ψ l 2 (S) and propagating these changes to the 0-th step of the Games-Chan algorithm will require exactly 2 a 2 t a = 2 t changes in S (2n). But if l 2 < l 1, forcing ψ l 2 (S) = ψ l 2 (S) will result in a 2 n -periodic binary sequence S such that d H (S,S ) = 2 t and (S ) < (S ). This contradicts the fact that (S ) = 2 t(s). Thus we have l 2 = l 1. Theorem 6. et S A() with 1 < < 2 n. Consider the representation of as = 2 n (2 n r n r n rt ), (24) where r 0 = 0 < r 1 < r 2 < < r t < n + 1 = r t+1 and 1 t n 1. Define the integer w = min{i : r i = n + i t, 1 i t + 1}. Then kmin ()(S) is 0 or is in one of the two forms or j 1 j,l,c := 2 n 2 n r i 2 n l + C, 1 j w 1, r j 1 l r j 2, and 1 C 2 n l 1 1, w 1 w,l,c := 2 n 2 n r i 2 n l + C, r w 1 l r w 3 and 1 C 2 n l 1 2 t w+1. (25) (26) Proof. From emma 1 and equation (24) merr(s) = k min () = 2 t. The sequences in A() whose 2 t -error linear complexity is 0 are those with exactly 2 t 1s per period. For any other sequence S in A() we show that the 2 t -error linear complexity is in one of the forms as stated in the theorem. 7

8 Define the integer l as in equation (18). That is l = min{i : 0 i n 1 and d H (ψ i (S),ψ i (S)) = 2 t j with r j i < r j+1 }. (27) We already know that the set on the right hand side of equation (27) is not empty due to the intermediate findings of emma 5. By b denote the unique integer determined by the inequality r b l < r b+1. From the proof of emma 5 we know that altering ψ l (S) such that ψ l (S) = ψl (S) and propagating these changes to the 0-th step of the Games-Chan algorithm will require exactly 2 t changes in S (2n). We also see that it is necessary to alter ψ l (S) so that ψ l (S) = ψl (S) to achieve the smallest linear complexity that can be obtained by making exactly 2 t errors in S (2n) since the remaining n l steps can only add a maximum of 2 n l 1 to the linear complexity of the modified sequence. Note that l r j 1, j = 1,,t, since ψ r j 1 (S) = ψ r j 1 (S), j = 1,,t. Next we show that l + 1 i n 1, w H (ψ i (S)) = 2 t j with r j i < r j+1. (28) If equation (28) does not hold, then let m be any integer such that l + 1 m n 1 and w H (ψ m (S)) 2 t a where a is uniquely determined by the inequality r a m < r a+1. Since ψ rt 1 (S) = ψ rt 1 (S), we have w H(ψ rt 1 (S)) 2. So using properties P1 and P2 we get w H (ψ m (S)) 2 t a. This implies w H (ψ m (S)) > 2 t a since we assumed w H (ψ m (S)) 2 t a. Again, using P1 and P2 we have w H (ψ l+1 (S)) > 2 a b 2 t a = 2 t b which contradicts the fact d H (ψ l (S),ψl (S)) = 2t b. Thus w H (ψ m (S)) = 2 t a and so equation (28) holds. To obtain the form of 2 t(s) we consider two cases based on the value of w. Case 1: w t First we show that n r i = t i for i = w,,t. From the definition of w in the theorem statement we have n r w = t w. et z, w < z t, be the smallest integer such that n r z t z. Since r i+1 < r i, i = 1,,t 1, using the definition of z we have n r z < t z. Using this we have n r t < n r t 1 < < n r t (t z) t z 1, which implies n r t (t z 1) (t z) = 1. This contradicts that fact that n r t 0 since 0 < r 1 < < r t n from the hypothesis. Thus we have n r i = t i for i = w,,t, which implies = 2 n (2 n r n r w t w + 2 t w ). (29) From equations (24), (29) and emma 2 this means that the left and right halves are equal from the (r w 1)-th step to (n 1)-th step of the execution of the Games-Chan algorithm. Using the fact that n r w = t w, this implies that the 2 t w+1 -vector considered during the (r w 1)-th step ψ rw 1 (S) = (ψ rw 1 (S) 0,,ψ rw 1 (S) 2 t w+1 1) = (1,, 1) (30) is an all 1 vector. From the definition of w, equation (30) also implies that w H (ψ rw 2 (S)) = 2 t w+1. That is d H (ψ rw 3 (S),ψ rw 3 (S)) = 2 t w+1. (31) 8

9 By equation (31) and using the definition of l in equation (27) we have l r w 3. We consider two cases based on the value of l. Case 1a: r w 1 l r w 3 We first note that this case occurs only when the binary expansion of as in equation (24) satisfies r w 1 r w 3. Throughout this case we use the fact that n r w = t w. From the definition of l in equation (27) we have d H (ψ l (S),ψl (S)) = 2t w+1. We already know that making 2 t w+1 changes in ψ l (S) so that ψ l (S) = ψl (S) is necessary to achieve the the smallest linear complexity possible by making k min () = 2 t changes in S (2n). But we have to decide for each of the 2 t w+1 positions where ψ l (S) and ψl (S) differ, whether the change should be made in ψ l (S) or at the corresponding position in ψl (S). In this case there is a unique of making these 2 t w+1 changes so that the linear complexity of the 2 n l 1 -periodic binary sequence with period equal to either of the equal halves obtained by forcing ψ l (S) = ψl (S) is as small as possible. Next we describe a unique way of making these changes. et ψ l+1 (S ) = ψ l (S) = ψl (S) be the 2n l 1 -vector obtained after forcing ψ l (S) = ψl (S) such that the linear complexity of the 2 n l 1 -periodic binary sequence with period ψ l+1 (S ) is as small as possible. The left and right halves of the vectors considered are not equal from the r w 1 -th step to the (r w 2)-th step of the Games-Chan algorithm when executed with input sequence S. From equation (30) ψ rw 1 (S) is a 2 t w+1 -vector with all 1s. Hence for all v = r w 1,r w 1 + 1,,r w 2 due to the procedure of the Games-Chan algorithm we have 2 rw v 1 1 j=0 ψ v (S) i+j2 t w+1 = 1 for i = 0,, 2 t w+1 1. (32) et p i, 0 p i 2 n l 1 1, i = 0,, 2 t w+1 1, be the positions where ψ l (S) and ψl (S) differ. This means w H (ψ l+1 ) = 2 t w+1 with 1s at positions p i, i = 0,, 2 t w+1 1. As equation (32) is valid for v = l+1, this implies that the mapping p i p i mod 2 t w+1 is oneone and onto since otherwise w H (ψ rw 1 (S)) < 2 t w+1. Hence for each p i, i = 0,, 2 t w+1 1, only one of the choices, that is, changing ψ l (S) p i or ψ l (S) p i results in the 2 n l 1 -vector ψ l+1 (S ) that satisfies 2 rw l 2 1 j=0 ψ l+1 (S ) i+j2 t w+1 = 0 for i = 0,, 2 t w+1 1. (33) The contribution to (S) during the first l 1 steps of the algorithm is w 1 w 1 (2 n n n l ) 2 n r i = 2 n 2 n l 2 n r i. Thus the 2 t -error linear complexity of S is of the form w 1 2 t(s) = 2 n 2 n l 2 n r i + C, (34) 9

10 where C is the linear complexity of the 2 n l 1 -periodic binary sequence with period ψ l+1 (S ). By equation (33) and emma 4 the value C in equation (34) satisfies C = ((ψ l+1 (S )) ) 2 n l 1 2 t w+1. (35) Also, ψ l+1 (S ) is not the all zero vector from the definition of l in equation (27), which implies C 1. Thus from equations (34) and (35) 2 t(s) is in the form w,l,c given in equation (26). Case 1b: r j 1 l r j 2, 1 j w 1 From the definition of l in equation (27) we have d H (ψ l (S),ψl (S)) = 2t j+1 Also, by equation (28) we have w H (ψ r j 1 (S)) = 2 t j+1. Since j w we have n r j > t j and so ψ r j 1 (S) is not an all 1 vector. More specifically if then G = {g : ψ r j 1 (S) g = 0,g = 0,, 2 n r j+1 1} Using a similar argument as that in Case 1a we have G = 2 n r j+1 2 t j+1. (36) j 1 2 t(s) = 2 n 2 n l 2 n r i + C, (37) where C is the linear complexity of the 2 n l 1 -periodic binary sequence with period ψ l+1 (S ), which is equal to either of the equal halves obtained by forcing ψ l (S) = ψl (S) such that the lowest possible linear complexity is achieved. The left and right halves of the vectors considered from the l-th step to the (r j 2)-th step are not equal. So by equation (36) due to the procedure of the Games-Chan algorithm we have and 2 r j l 1 1 f=0 2 r j l 1 1 f=0 ψ l (S) i+f2 n r j +1 = 0 for i G (38) ψ l (S) i+f2 n r j +1 = 1 for i {0,, 2 n r j+1 1} G. (39) et p i, 0 p i 2 n l 1 1, i = 0,, 2 t j+1 1, be the positions where ψ l (S) and ψl (S) differ. This means w H (ψ l+1 (S)) = 2 t j+1. By equations (38) and (39), this implies that the mapping p i p i mod 2 n rj+1 is one-one since otherwise w H (ψ rj 1 (S)) < 2 t j+1. We can see the mapping is not onto from equation (36). Also, each element in G does not occur as the inverse image of any element of the set {p i : i = 0,, 2 t j+1 }. We split the summation in equation (38) into two separate summations involving terms exclusively from ψ l (S) or 10

11 ψ l (S). For each i G we have Σ (l,i) = and Σ (l,i) = 2 r j l 2 1 f=0 2 r j l 2 1 f=0 ψ l (S) i+f2 n r j +1 ψ l (S) i+f2 n r j +1. (40) For each i G, from equations (38) and (40) we know that Σ (l,i) + Σ (l,i) = 0 which implies Σ (l,i) = Σ (l,i) = 0 or Σ (l,i) = Σ (l,i) = 1. Note that none of the terms involved in the summations of equation (38) can be altered when forcing ψ l (S) = ψl (S). Using these remarks we can see that by making appropriate changes at one of the positions p i or p i + 2 n l 1, for each i = 0,, 2 t j+1 in ψ l (S), we can only guarantee that w H (ψ l+1 (S )) is even by forcing ψ l (S) = ψl (S). Thus the value C in equation (37) satisfies 1 C 2 n l 1 1. Hence 2 t(s) is in the form j,l,c, 1 j w 1, as in equation (25). Case 2: w = t + 1 The proof in this case is similar to that for Case 1 and both forms in equations (25) and (26) are identical. This completes the proof of the theorem. 4 Counting Functions In this section we derive expressions for the number of sequences in A() with fixed k min ()- error linear complexity. We need some preliminary results to obtain the counting functions. Next we give a generalization of [1, emma 3] using a more straightforward approach. emma 7. et S A() such that 1 2 n 2 r, r = 1,,n 1. et S be a 2 n -periodic binary sequence corresponding to the polynomial S (x) = S(x) + g x it, t=0 where 0 g 2 r 1 and i t {0,, 2 n 1}, t = 0,,g. If the mapping i t i t mod 2 r is one-one, then we have (S ) > (S). Proof. Consider the two polynomials a(x) = g x it and a (x) = t=0 g x it mod 2r, (41) t=0 where the integers i t, t = 0,,g, are as given in the hypothesis. We have S (x) = S(x) + a(x). (42) 11

12 First we show that a(x) is not divisible by (1 + x) 2r. Since the mapping i t i t mod 2 r is one-one, the polynomial a (x) = g t=0 mod xit 2r is not equal to 0 and has degree less than r. Hence we have (1 + x) 2r a (x). (43) Any positive integer i can be uniquely represented as i = q 2 r + (i mod 2 r ) for some integer q. We have x i + x i mod 2r = x i mod 2r (1 + x q2r ) = x i mod 2r (1 + x q ) 2r. Thus x i + x i mod 2r is divisible by (1 + x) 2r. From equation (41), this implies (1 + x) 2r (a(x) + a (x)). (44) From equations (43) and (44) we know that a(x) is not divisible by (1 + x) 2r. Thus we have deg(gcd((1 + x) 2n,a(x))) 2 r 1. (45) Since S A(), we have S(x) = (1 +x) 2n b(x) for some polynomial b(x) F 2 [x] such that b(1) = 1. Since it is given that 2 n 2 r, we have From equations (42), (45), and (46) we have deg(gcd((1 + x) 2n,S(x))) = 2 n 2 r. (46) (S ) = 2 n deg(gcd(1 + x 2n,S (x))) = 2 n deg(gcd((1 + x) 2n,S(x) + a(x))) 2 n 2 r + 1 > (S). This completes the proof of the lemma. Theorem 8. et N kmin ()(C) be the number of sequences in A(), 1 < < 2 n, with fixed k min ()-error linear complexity C. et be represented as = 2 n (2 n r n r n rt ), where r 0 = 0 < r 1 < r 2 < < r t < n + 1 = r t+1 and 1 t n 1. et j,l,c be defined as in equations (25) and (26) and let w = min{i : r i = n + i t, 1 i t + 1}. Then for 1 j w, if 1 C 2 n l 1 2 n r j+1 then N kmin ()=2 t( j,l,c) = 2 ρ(j,l,c), where j 1 ρ(j,l,c) = 2 n 2 n l 2 n r i + w j 1 i=0 (r w i r w i 1 1)2 t w+i+1 + (r j l 1)2 t j+1 + C 1. (47) Also, N kmin ()=2 t(0) = 2ρ(0), where ρ(0) = w 2 i=0 (r w i r w i 1 1)2 t w+i+1 + (r 1 1)2 t and N kmin ()=2 t(c) = 0 for all C not in the form j,l,c as in equations (25) and (26). 12

13 Proof. From equations (25) and (26) the k min ()-error linear complexity of S A() is of the form j 1 j,l,c = 2 n 2 n r i 2 n l + C for 1 j w (48) where r j 1 l r j 2 (For l = r w 2, there exist no positive values for C in equation (26) and hence no valid values for w,l,c ). We determine the counting function for the number of sequences in A() with k min ()-error linear complexity equal to each of the values j,l,c in equation (48) when 1 C 2 n l 1 2 n r j+1. From the definition of l in equation (27) and by equation (28), for any S A() if r j 1 l r j 2 we know We consider two cases based on the value of w. w H (ψ l+1 (S)) = w H (ψ r j 1 (S)) = 2 t j+1. (49) Case 1: w t From equation (30) for any S A() the 2 t w+1 -vector ψ rw 1 (S) is an all 1 vector. et D 1 (j,l,c) be the number of distinct 2 n l 1 -vectors ψ l+1 (S) over all S A() such that the 2 n rw+1 -vector ψ rw 1 (S) is an all 1 vector. To determine D 1 (j,l,c) we make the following observations. (i) By equation (28) it is evident that during the execution of Games-Chan algorithm form the l + 1-th step to the (n 1)-th step the Hamming weight of the vectors considered does not change between two consecutive steps except when going from the (r i 1)-th step to the r i -th step for i = j,,t. (ii) Using (i) the procedure of the Games-Chan algorithm also implies that over all sequences in A() for any integer a such that l + 1 a < r j or r i a < r i 1 for some i {j,,t}, the number of distinct vectors in the a-th step that result in a fixed vector v in the (a + 1)-th step is 2 w H(v). (iii) The definition of w implies n r w = t w. From these observations and by using property P1 recursively we obtain D 1 (j,l,c) = w j 1 i=0 (2 r w i r w i 1 1 ) 2t w+i+1 (2 r j l 2 ) 2t j+1. (50) ecall that ψ l+1 (S ) is the 2 n l 1 -vector obtained by forcing ψ l (S) = ψl (S) so that the least linear complexity is achieved by making k min () errors in S (2n). et D 2 (j,l,c), 1 C 2 n l 1 2 n rj+1, be the number of choices for ψ l+1 (S ) such that the linear complexity of the 2 n l 1 -periodic sequence with period ψ l+1 (S ) is C. By equation (5), we have D 2 (j,l,c) = 2 C 1 for 1 C 2 n l 1 2 n rj+1. (51) Over all S A(), for a fixed ψ l+1 (S) = v with w H (v) = 2 n rw+1 and for a fixed choice of ψ l+1 (S ) with ((ψ l+1 (S )) ) = C, the number of possibilities, denoted by D 3 (w,l,c), for ψ l (S) such that ψ l (S) + ψl (S) = v and d H(ψ l (S),ψ l+1 (S ) ψ l+1 (S )) = 2 n rw+1 is D 3 (w,l,c) = 2 2t j+1, (52) 13

14 where ψ l+1 (S ) ψ l+1 (S ) is the 2 n l -vector formed by concatenating two copies of ψ l+1 (S ). et p i, 0 p i 2 n l 1 1, i = 0,, 2 t j+1 1, be the positions where ψ l (S) and ψl (S) differ. From Cases 1a and 1b of the proof of Theorem 6 the mapping p i p i mod 2 n r j+1 is one-one. Using this mapping and the condition 1 C 2 n l 1 2 n r j+1, by emma 7 for fixed ψ l+1 (S) and ψ l+1 (S ) each of the 2 2t j+1 possibilities for ψ l (S) satisfies (ψ l (S)) > C and (ψ l (S)) > C. (53) By equations (50)-(53), using properties P3 and P4 recursively we obtain We have N 2 t( j,l,c ) = P 0 P 1 P l 1 D 1 (j,l,c)d 2 (j,l,c)d 3 (j,l,c). (54) j 1 P 0 P 1 P l 1 = (P ri 1 P ri 2)(P rj 1 P l 1 ) = ( j 1 ) 2 Pr i r i 1 1 z=1 2 n r i +z 2 Pl r j 1 1 z=0 2 n l+z. By equations (50)-(53) and (55) a straightforward algebraic simplification of the right hand side of equation (54) gives N 2 t( j,l,c ) = 2 ρ(j,l,c) with ρ(j,l,c) as in equation (47). We note that the condition in equation (53) is necessary to avoid double counting in determining the number of distinct possibilities for ψ l (S) over all S A() such that ψ l+1 (S) and ψ l+1 (S ) are fixed. Case 2: w = t + 1 In this case we note that the two possibilities for vectors in the (n 1)-th step of the Games- Chan algorithm are 01 and 10. Using this it can be shown that the expression for D 1 (j,l,c) in equation (50) holds for w = t + 1. The remaining details are similar to those in Case 1. To obtain N 2 t(0) we only have to count the number of S A() with w H (S) = 2 t. By equation (28) and property P1 the expression for N 2 t(0) follows using an argument similar to that for finding D 1 (j,l,c) as in equation (50). This completes the proof of the theorem. 5 Conclusion In this paper we studied the k-error linear complexity of 2 n -periodic binary sequences by performing a rigorous analysis of the Games-Chan algorithm. We derived an expression for all the possible values of k-error linear complexities of 2 n -periodic binary sequences with fixed linear complexity when k is the minimum number of changes needed to the lower the linear complexity. For certain sets of these values, we obtained the corresponding number of sequences with fixed linear complexity and k-error linear complexity. Our results further research in analyzing the stability of linear complexity of 2 n -periodic binary sequences. These results, however, have limited importance for practical cryptography in part due to the restriction to 2 n -periodic sequences. (55) 14

15 Acknowledgements The first author thanks Dr. Zongming Fei for providing office space and resources while researching for this paper. eferences [1] Z. Fengxiang and Q. Wenfeng. The 2-error linear complexity of 2 n -periodic binary sequences with linear complexity 2 n 1. Journal of Electronics (China), 24(3): , [2]. A. Games and A. H. Chan. A fast algorithm for determining the complexity of a pseudo-random sequence with period 2 n. IEEE Trans. Inform. Theory, 29(1): , [3] K. Kurosawa, F. Sato, T. Sakata, and W. Kishimoto. A relationship between linear complexity and k-error linear complexity. IEEE Trans. Inform. Theory, 46(2): , [4] W. Meidl. On the stability of 2 n -periodic binary sequences. IEEE Trans. Inform. Theory, 51(3): , [5] W. Meidl and H. Niederreiter. Counting functions and expected values for the k-error linear complexity. Finite Fields and Applications, 8: , [6] W. Meidl and H. Niederreiter. inear complexity, k -error linear complexity, and the discrete fourier transform. J. Complexity, 18(1):87 103, [7] W. Meidl and H. Niederreiter. On the expected value of linear complexity and the k-error linear complexity of periodic sequences. IEEE Trans. Inform. Theory, 48(11): , [8] W. Meidl and A. Venkateswarlu. emarks on the k-error linear complexity of p n -periodic sequences. Design, Codes and Cryptography, 42(2): , [9]. A. ueppel. Analysis and Design of Stream Ciphers. Springer, [10] M. Stamp and C. F. Martin. An algorithm for the k-error linear complexity of binary sequences with period 2 n. IEEE Trans. Inform. Theory, 39(4): ,