Applied Mathematics and Computation 167 (2005) 16–27

www.elsevier.com/locate/amc

An efficient binary sequence generator withcryptographic applications

Rafael Alvarez, Joan-Josep Climent *, Leandro Tortosa,Antonio Zamora

Departament de Ciencia de la Computacio i Intel Æ ligencia Artificial, Universitat d’Alacant,Campus de Sant Vicent del Raspeig, Ap. Correus 99, E-03080, Alacant, Spain

Abstract

As the Internet has become more and more important, the need for secure systems

has increased accordingly. Our proposal is an efficient sequence generator that can be

used in these secure systems. It is based on the powers of a block upper triangular matrix

and, besides achieving great statistical results and efficiency, it is very flexible and can be

easily adapted to different applications. The matricial techniques employed can also be

used in other kinds of cryptographic primitives.

� 2004 Elsevier Inc. All rights reserved.

Keywords: Pseudorandom generator; Blum–Blum–Shub generator; Binary sequence; Cipher;

Efficient; Cryptography; Security; Monobit test; Serial test; Poker test; Autocorrelation; Linear

complexity; Primitive polynomial; Companion matrix; Block upper triangular matrix; Order

0096-3003/$ - see front matter � 2004 Elsevier Inc. All rights reserved.

doi:10.1016/j.amc.2004.06.065

* Corresponding author.

E-mail addresses: afa@afaland.com (R. Alvarez), jcliment@dccia.ua.es (J.-J. Climent),

tortosa@dccia.ua.es (L. Tortosa), zamora@dccia.ua.es (A. Zamora).

R. Alvarez et al. / Appl. Math. Comput. 167 (2005) 16–27 17

1. Introduction

During the latest years, the Internet has become extremely popular. Every-

body seems to be present in one way or another: businesses setup facilities for

electronic commerce, governments provide services, and even individuals cre-

ate sites of the most diverse subjects.

Despite the immense possibilities, the Internet and the Web are vulnerable

to malicious attacks. The harmful results of these attacks are multiplied bythe fact that an attack not only implies a loss of service and money, or an

inconvenience to the end user, but it also implies a damage to the business rep-

utation that not many can afford. Businesses have taken this into account,

increasing the demand of more secure services.

Various approaches to the Internet security have been considered, differing

in the scope of applicability and the location within the TCP/IP stack. The IP-

Sec [6] system is a general purpose solution placed below the TCP protocol so it

is transparent to end users and applications; it includes a filtering system allow-ing that only the required traffic is processed by IPSec. The SSL (Secure Socket

Layer) [7] and TLS (Transport Layer Security) [5] systems are also relatively

general purpose, but are placed right over the TCP protocol, providing the

choice of being implemented either within the protocol suite (and accessible

to all applications) or by specific packages such as browsers and http servers.

Another approach is placing the security system within the application, tailor-

ing it to the specific needs and peculiarities of that given application; being SET

(Secure Electronic Transaction) [20] the most popular example of thisapproach.

All of these security systems use cryptography; generally using public key

cryptosystems to establish a session key and private key (symmetric) cryptosys-

tems to transfer data securely between both parties using that session key. For

example, SSL [7] uses RSA, Diffie-Hellman and Fortezza to exchange keys

(establish session keys); and RC4, RC2, DES, 3DES, DES40, IDEA and For-

tezza to transfer the data between client and server.

Most cryptographic systems are based on unpredictable quantities (see[16,19,21]). The keys, prime numbers or challenge values of many cryptosys-

tems need to be unpredictable enough so that the probabilities of all different

values are more or less the same, making impossible any search optimization

based on the reduction of the key space to the most probable values. These

are obtained from random sequences that can be either truly random or pseu-

dorandom, meaning that they are generated deterministically but appear to be

random enough for practical use.

A truly random generator is based on a natural source of randomness. Thissource is sampled and then postprocessed to make it free of biasing and ske-

wing. The system must be designed to prevent any observation or manipulation

by the opponent and also any non random external interference (such as

18 R. Alvarez et al. / Appl. Math. Comput. 167 (2005) 16–27

electromagnetic radiation from periodic sources, etc.). Proper function should

be tested periodically ensuring that the previous conditions hold true. Natural

sources of randomness include the thermal noise of a resistor, noise input from

a microphone or a camera, particle emission time during radioactive decay, etc;

software based events can also be useful, such as the system clock, the elapsed

time between keystrokes, mouse moves or network packets, operating system

statistics, etc. [16,19,21].

A pseudorandom generator [9,11–13,16,19,21] is a completely deterministicalgorithm, in the sense that the sequence it generates is a function of its inputs

and, unlike a truly random generator, its output can be reproduced. This

means that we only need the seed (the input to the pseudorandom generator)

in order to regenerate the complete output sequence. The output sequence is

much longer than the seed and it is not really random, it is just undistinguish-

able from a real random sequence.

For security applications we need to produce sequences with large periods,

high linear complexities and good statistical properties. Several statistical testsare applied; these tests include checking the frequency of single bits, pairs of

bits and of other bit patterns. Also, the autocorrelation and the linear complex-

ity of the sequence are used. [4,16,19,21].

Most available cryptographic generators are based on linear feedback shift

registers (LFSRs) (see [8,10,18]). The LFSRs are so popular because they can

be easily implemented in hardware, they produce sequences of large periods

and with good statistical properties, and have a simple structure that can be

analyzed easily. LFSRs by themselves are not very secure, but because theyare so efficient they are commonly enhanced with other techniques to improve

their cryptographic properties.

Another popular generator is the Blum–Blum–Shub (BBS) [3] generator. It

is based on two large prime numbers p and q that satisfy p � 3(mod4) and

q � 3(mod4), and a randomly chosen number s that is relatively prime to

n = pq. Let X0 = s2modn and Xi = (Xi�1)2modn. The output sequence is ob-

tained by taking the least significant bit of each Xi. The BBS generator is secure

due to the intractableness of factoring n.Other generators combine a block cipher in different ways to obtain a cryp-

tographically secure random bit sequence, such as the pseudorandom genera-

tor specified in ANSI X9.17 which performs three triple DES encryptions on

each iteration [22].

Our proposal is a new kind of generator which uses matricial techniques. It

can be used to generate session keys, random values in challenge/response sys-

tems, etc. It is a very flexible algorithm, which can be adjusted to satisfy mem-

ory and speed requirements and can also be modified to create other kinds ofcryptographic primitives.

The rest of the paper is organized as follows: the required linear algebra ba-

sics are given in Section 2; Section 3 describes the generator in detail; and Sec-

R. Alvarez et al. / Appl. Math. Comput. 167 (2005) 16–27 19

tion 4 includes the results obtained by our proposal in some standard tests and

a comparison with BBS; finally we give some conclusions in Section 5.

2. Preliminaries

In this section, we present some basic linear algebra notions and properties

that are needed for our proposals (see [14] for a more detailed description). Be-sides, we introduce the mathematical notation we are going to use in the

following.

Let

f ðxÞ ¼ a0 þ a1xþ � � � þ an�1xn�1 þ xn

be a monic polynomial in Zp½x. The companion matrix of f is the n · n matrix

A ¼

0 1 0 � � � 0 0

0 0 1 � � � 0 0

..

. ... ..

. ... ..

.

0 0 0 � � � 0 1

�a0 �a1 �a2 � � � �an�2 �an�1

26666664

37777775:

If f is irreducible over Zp½x, then the order of A is equal to the order of anyroot of f in Fpn and the order of A divides p

n�1. Furthermore, if we assume thatf is a primitive polynomial over Zp½x, then the order of A is exactly pn�1. Con-sequently, if we work with primitive polynomials over Zp½x, we can easily buildmatrices whose orders are maximal.

Odoni et al. [17], propose an extended scheme which is based on the con-

struction of the block matrix

A ¼

A1 0 � � � 0

0 A2 � � � 0

..

. ... ..

.

0 0 � � � Ak

266664

377775;

where Ai is the companion matrix of fi, being fi, for i = 1,2, . . ., k, distinct prim-itive polynomials over Zp½x of degrees ni, for i = 1,2, . . ., k, respectively. Theorder of Ai is p

ni�1, for i = 1,2, . . ., k, therefore, the order of A is given bylcmðpn1 � 1; pn2 � 1; . . . ; pnk � 1Þ:

With the aim of using a matrix of this kind in a public key distribution sys-

tem, they conjugate this matrix with an invertible matrix P, with

n = n1 + n2 + � � � + nk, obtaining a new matrix A ¼ PAP�1 which has the same

order as that of A.

20 R. Alvarez et al. / Appl. Math. Comput. 167 (2005) 16–27

3. Description of the generator

Our generator is based on the powers of block upper triangular matrices de-

fined over Zp, with p prime. As we take the different powers of these matrices

we have, as a result, a sequence of matrices of very long period that has great

properties in terms of randomness. Each element of the sequence (each block

upper triangular matrix) can be processed to obtain a series of values that con-

form an output sequence with great statistical values. This scheme is simple en-ough to be really fast but incorporates enough complexity to present great

cryptographic properties; it is also greatly adaptable for other cryptographic

primitives such as block ciphers, hash functions and public key cryptosystems.

Consider the block upper triangular matrix M defined as

M ¼A X

O B

� �; ð1Þ

whose entries lie in Zp, where A is an r · r matrix, B is an s · s matrix and X is

an r · s matrix, and O denotes the s · r zero matrix.The following result, which is the base of our generator, establishes the

expression of the different powers of matrix M. It also defines matrix X (h) in

terms of A, B and X.

Theorem 1. Let M be the block upper triangular matrix given by (1). Taking h

as a non negative integer then

Mh ¼ Ah X ðhÞ

O Bh

" #; ð2Þ

where

X ðhÞ ¼O if h ¼ 0;Phi¼1

Ah�iXBi�1 if h P 1:

8<: ð3Þ

Also, if 0 6 t 6 h then

X ðhÞ ¼ AtX ðh�tÞ þ X ðtÞBh�t: ð4Þ

Proof. We prove Eq. (2) first, using induction over h. For h = 0 and h = 1 the

result is obvious. We suppose that it is true for h�1 and check that it holdstrue for h.

Clearly,

Mh ¼ MMh�1 ¼A X

O B

� �Ah�1 X ðh�1Þ

O Bh�1

" #¼ Ah AX ðh�1Þ þ XBh�1

O Bh

" #:

R. Alvarez et al. / Appl. Math. Comput. 167 (2005) 16–27 21

From the induction hypothesis and from (3) we have that

AX ðh�1Þ þ XBh�1 ¼ AXh�1i¼1

Ah�1�iXBi�1 þ XBh�1 ¼Xh�1i¼1

Ah�iXBi�1 þ XBh�1

¼Xhi¼1

Ah�iXBi�1 ¼ X ðhÞ;

obtaining the same expression that in (2).

Also, if 0 6 t 6 h we have

Mh ¼ MtMh�t ¼ At X ðtÞ

O Bt

" #Ah�t X ðh�tÞ

O Bh�t

" #¼ Ah AtX ðh�tÞ þ X ðtÞBh�t

O Bh

" #:

Comparing this result with (2) we obtain (4). h

In order to generate the pseudorandom bit sequence, we fix matrices A

and B and choose randomly matrix X, which constitutes the seed of the se-

quence. Next we apply expression (4) to obtain the following sequence of

matrices:

X ð2Þ;X ð3Þ;X ð4Þ; . . . ð5ÞFor each matrix X(h), for h = 2,3, . . ., we establish a bit extraction operation

which can be as simple as adding all the elements of X(h) obtaining a new ele-ment x(h), for h = 2,3, . . ., in Zp from which we take the least significant bit,

b(h), of its binary expression; or as complex as required and taking as many bits

per iteration as needed. In this way, we have the sequence of bits

bð2Þ; bð3Þ; bð4Þ; . . .

This sequence is then filtered by the following process, improving security

and removing any bias from the sequence:

cðiÞ ¼ bðiÞXORcði�1Þ for i ¼ 2; 3; . . . and cð1Þ ¼ 0: ð6ÞOne of the basic properties that every pseudorandom sequence should hold

is that its period must be very long (at least a period of 2128). Now, we analyze

the way we can get long periods for the sequence given by (6). The key for the

solution of this problem is the construct appearing in Section 2.

Let f(x) = a0 + a1x + � � � + ar�1xr�1 + xr and g(x) = b0 + b1x + � � � +bs�1x

s�1 + xs be two primitive polynomial in Zp½x and let A and B be the cor-responding companion matrices. Let P and Q be two invertible matrices such

that A ¼ PAP�1 and B ¼ QBQ�1. With this construction, matrix M of (1), and

therefore the period of the sequence (5) is

lcmðpr � 1; ps � 1Þ:

Table 1

Order of M for different values of p, r and s

p r s Digits

3 32 31 30

48 47 39

64 63 47

5 32 31 38

30 33 39

64 63 61

7 24 27 39

32 31 43

64 63 70

11 22 21 39

32 31 50

64 63 67

19 16 19 39

32 31 57

64 63 98

31 16 15 40

32 31 64

64 63 111

251 12 13 46

32 31 76

64 63 168

257 9 10 40

32 31 93

64 63 169

22 R. Alvarez et al. / Appl. Math. Comput. 167 (2005) 16–27

The value of p or the sizes of A and B need not be very large in order to

achieve long periods, as seen in Table 1, which shows some results for the per-

iod in terms of the parameters p, r and s. The value appearing in the column

digits represents the number of decimal digits of the period of the binary se-quence (the integer 2128 has 39 decimal digits). Observe that the values taken

for r and s are relatively prime, in order to optimize the period.

Finally, it should be remarked that the generation of the sequence (6) is very

efficient if we consider t = 1 in expression (4); and that every output bit depends

on the seed X.

4. Results

4.1. Test parameters

The generator has been checked with five different statistics [2,16] (frequency

tests plus autocorrelation tests) and with the linear complexity of the sequence

[1,15]. In these tests, n is the length of the sequence.

R. Alvarez et al. / Appl. Math. Comput. 167 (2005) 16–27 23

The monobit test statistic is a single bit frequency test designed to check that

the number of zeros and ones of the sequence is more or less the same. The test

is expressed by the following equation, with n0 and n1 being the number of zero

bits and one bits respectively

X 1 ¼ðn0 � n1Þ2

n:

This test follows a v2 distribution with 1 degree of freedom.The serial test checks that the frequency of pairs of bits (00, 01, 10 and 11) is

also about the same. The parameters n00,n01,n10 and n11 are the number of

occurrences of such pairs allowing them to overlap.

X 2 ¼4

n� 1ðn200 þ n201 þ n210 þ n211Þ �

2

nðn20 þ n21Þ þ 1:

This follows a v2 distribution with 2 degrees of freedom.The poker test checks that patterns of length m appear the same number of

times in the sequence without overlapping. The value m is obtained withnm

� �¼ 5 � 2m, k is taken as k ¼ n

m

� �and ni is the number of occurrences of the

pattern i.

X 3 ¼2m

3

X2mi¼1

n2i

!� k:

X3 follows a v2 distribution with 2m�1 degrees of freedom.A run is a pattern of all zeros or all ones; a block is a run of ones and a gap

is a run of zeros. The expected number of runs of length i is ei = (n� i + 3)/2i+2.The value of k is taken as the largest integer i for which ei P 5 and is the length

limit for which runs are accounted; finally, Bi and Gi are the number of blocks

and gaps of length i (up to length k) of the sequence. The runs test is expressed

by

X 4 ¼Xki¼1

ðBi � eiÞ2

eiþXki¼1

ðGi � eiÞ2

ei;

following a v2 distribution with 2k�2 degrees of freedom.The autocorrelation checks for coincidences between the sequence and itself

displaced d bits. Taking A(d) as the amount of bits not equal between the

sequence and itself displaced by d bits, we have

X 5 ¼2 AðdÞ � n�d

2

� �ffiffiffiffiffiffiffiffiffiffiffin� d

p ;

which follows a N(0,1) distribution.

The linear complexity of a sequence of bits is the length of the shortest

LFSR that can generate that sequence. The expected linear complexity for a

24 R. Alvarez et al. / Appl. Math. Comput. 167 (2005) 16–27

random sequence is n/2. If we plot the linear complexity of a sequence against

its length (for n = 1,2,3. . .) we have the linear complexity profile which shouldfollow closely the line n/2 if the sequence is random. The linear complexity of a

sequence can be computed using the Berlekamp–Massey algorithm [1,15].

4.2. Test results

The expected value for the linear complexity of a sequence is LC = n/2, beingn the length of the sequence. For the rest of the tests, the results are compared

with the threshold values given in Table 2, passing the test those below the

threshold; a is the significance level or, more exactly, the probability that a se-quence fails the test even if it should have passed that test. The higher the sig-

nificance level, the more restrictive we are with the results.

In our experimentation we have considered different values for p, r and s,

obtaining in all cases excellent results for the six tests described in this section.

As an example, in Table 3 we show the results for p = 257, r = 8 and s = 9. Theprimitive polynomials used to obtain matrices A and B, as described in Section

3, are f(x) = x8 + x + 19 and g(x) = x9 + x + 6 respectively. The seed X is an

8 · 9 matrix obtained using a white noise based random generator. We have

performed each test with different sequences of lengths 2 · 103, 2 · 104,2 · 105 and 2 · 106 bits; and different values of X.We can see that the results are particularly good, much better than the

threshold values for a = 0.100 in Table 2; they are also highly regular, showing

Table 2

Statistics threshold values

a Monobit Serial Poker Runs Autocorrelation

2 · 103 2 · 104 2 · 105 2 · 106

0.001 10.830 13.820 330.5 29.59 39.25 51.18 59.70 3.090

0.005 7.870 10.590 316.9 25.19 34.27 45.56 53.67 2.576

0.010 6.635 9.210 310.5 23.21 32.00 42.98 50.89 2.326

0.025 5.024 7.378 301.1 20.48 28.85 39.36 46.98 1.960

0.050 3.842 5.992 293.2 18.31 26.30 36.42 43.77 1.645

0.100 2.706 4.605 284.3 15.99 23.54 33.20 40.26 1.282

Table 3

Statistical test results

Length Monobit Serial Poker Runs Autocorrelation LC

2 · 103 1.352 1.514 251.7 11.260 0.800 1001

2 · 104 0.012 1.579 243.1 8.441 0.800 10001

2 · 105 1.095 1.451 239.1 26.550 0.789 100000

2 · 106 0.814 3.313 207.2 37.590 0.807 1000000

Fig. 1. Linear complexity profile of the sequence of length 2000.

R. Alvarez et al. / Appl. Math. Comput. 167 (2005) 16–27 25

no strange values and with all values passing the tests equally well. As we in-

crease the number of bits produced we see that there is no direct relation be-

tween the length of the sequence and the values for the tests, there being

differences mostly due to the fact that distinct X matrices were used for each

sequence.

The linear complexity test also yields excellent results, reaching in all three

tests the n/2 mark. This means that the sequence presents about the same non-

linearity as that of a truly random sequence, avoiding predictability due to highlinearity. The linear complexity profile is plotted in Fig. 1, showing how good

the linear complexity follows n/2.

4.3. Comparison with the BBS generator

We show in Table 4 a comparison between our algorithm and the well

known BBS generator. The time shown is the time in seconds consumed by

each algorithm to generate a 2 · 105 bits long sequence; not counting any pre-computation or key setup, only the actual bit generation. The test has been

conducted using the same computer and compiler with the same optimization

settings for both algorithms, in order to make the test as fair as possible. Sim-

ilar results have been achieved for different sequence lengths.

The results confirm that the proposed generator is a lot faster than BBS,

while the statistical results are better for most of the parameters. The main

Table 4

Comparison with BBS for a 2 · 105 bits sequence

Algorithm Monobit Serial Poker Runs Autocorrelation LC Time

Matricial 0.041 0.657 237.5 20.798 0.784 100000 0.013 s

BBS 0.776 1.188 272.9 10.342 0.792 100000 1.020 s

26 R. Alvarez et al. / Appl. Math. Comput. 167 (2005) 16–27

advantage of our algorithm lies in its flexibility, allowing to choose matrix sizes

and bit extraction schemes for a given application, therefore optimizing for

higher speeds, better security or low memory requirements.

5. Conclusions

With the aim of contributing tools useful in secure systems, we have pre-sented a new cryptographic pseudorandom generator based on the powers of

a block upper triangular matrix. It is remarkable that, using primitive polyno-

mials to generate the diagonal blocks and taking very small primes and matrix

sizes, we can produce bit sequences of very high periods, great statistical prop-

erties and high linear complexities; in this way, the sequence can be generated

very efficiently since no time consuming computations are required as it would

be necessary for large primes or huge matrices. Even with such small sizes, the

algorithm assures a high level of security due to the fact that the key space isvery large and that the seed participates in the generation of each bit. The algo-

rithm appears even more useful if we take into account that the size of the

matrices and the number of bits taken per iteration can be chosen precisely

for a given application, satisfying low memory requirements or obtaining very

high speeds.

References

[1] E.R. Berlekamp, Algebraic Coding Theory, McGraw Hill, New York, 1968.

[2] H. Beker, F. Piper, Cipher Systems: The Protection of Communications, John Wiley and Sons,

New York, 1982.

[3] L. Blum, M. Blum, M. Shub, A simple unpredictable pseudorandom number generator,

SIAM J. Comput. 15 (1986) 364–383.

[4] M. Blaze, W. Diffie, R. Rivest, B. Schneier, T. Shimomura, E. Thompson, M. Weiner,

Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security,

Counterpane Labs Publications, 1996, Available on http://www.counterpane.com/

keylength.html.

[5] T. Dierks, C. Allen, The TLS Protocol. Internet Draft, www.ietf.org, RFC2246 (1999).

[6] N. Ferguson, B. Schneier, A Cryptographic Evaluation of IPSec, Counterpane Labs

Publications, 1999, Available on http://www.counterpane.com/ipsec.html.

[7] A.O. Freier, P. Karlton, P.C. Kocher, The SSL Protocol, Version 3.0. Internet Draft,

Netscape, March 1996.

[8] A. Fuster, J. Garcıa, An efficient algorithm to generate binary sequences for cryptographic

purposes, Theor. Comput. Sci. 259 (2001) 679–688.

[9] J. Garcıa, M. Rodrıguez, A family of keystream generators with large linear complexity, Appl.

Math. Lett. 14 (2001) 545–547.

[10] S.W. Golomb, Shift Register Sequences, Aegean Park Press, California, 1982.

[11] J. Kelsey, B. Schneier, N. Ferguson, Yarrow-160: notes on the design and analysis of the

Yarrow cryptographic pseudorandom number generator, Sixth Annual Workshop on Selected

R. Alvarez et al. / Appl. Math. Comput. 167 (2005) 16–27 27

Areas in Cryptography, Lecture Notes in Computer Science, Springer-Verlag, Berlin, Vol.

1758 (1999) 13–33.

[12] J. Kelsey, B. Schneier, D. Wagner, C. Hall, Cryptanalitic attacks on pseudorandom number

generators, Fast Software Encryption, Fifth International Workshop, Springer-Verlag, 1998.

[13] J.C. Lagarias, Pseudorandom number generators in cryptography and number theory. in: C.

Pomerance (Ed.), Proc. Symposia in Applied Mathematics, Cryptography and Computational

Number Theory. 42 (1990) 115–143.

[14] R. Lidl, H. Niederreiter, Introduction to Finite Fields and their Applications, Cambridge

University Press, Cambridge, 1994.

[15] J.L. Massey, Shift-register synthesis and BCH decoding, IEEE Trans. Inf. Theory 15 (1969)

122–127.

[16] A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography, CRC Press,

Florida, 2001.

[17] R.W.K. Odoni, V. Varadharajan, P.W. Sanders, Public key distribution in matrix rsings,

Electron. Lett. 20 (1984) 386–387.

[18] R.A. Rueppel, Analysis and Design of Stream Ciphers, Springer-Verlag, Berlin, 1986.

[19] B. Schneier, Applied Cryptography: Protocols, Algorithms and Source Code in C, second ed.,

John Wiley and Sons, New York, 1996.

[20] SET Book 3: Formal Protocol Definition. SET Secure Electronic Transaction LLC (SETCo),

1999.

[21] W. Stallings, Cryptography and Network Security: Principles and Practice, Third ed., Prentice

Hall, New Jersey, 2003.

[22] Accredited Standards Committee, X9 – Financial Services: American National Standard,

Financial Institution Key Management. X9––Secretariat, American Bankers Association,

ANSI X9.17. 1995.