Pseudorandom Bit Sequence Generator for Stream Cipher Based on Elliptic Curves

This paper proposes a pseudorandom sequence generator for stream ciphers based on elliptic curves (EC). A detailed analysis of various EC based random number generators available in the literature is done and a new method is proposed that addresses the drawbacks of these schemes. Statistical analysis of the proposed method is carried out using the NIST (National Institute of Standards and Technology) test suite, and the sequence is seen to exhibit good randomness properties. The linear complexity analysis shows that the system has a linear complexity equal to the period of the sequence, which is highly desirable. The statistical complexity and the security against known plaintext attack are also analysed. A comparison of the proposed method with other EC based schemes is done in terms of throughput, periodicity, and security, and the proposed method outperforms the methods in the literature. For resource constrained applications where a highly secure key exchange is essential, the proposed method provides a good option for encryption by time sharing the point multiplication unit used for EC based key exchange. The algorithm and architecture for implementation are developed in such a way that the hardware consumed in addition to the point multiplication unit is much less.


Introduction
Wireless sensor networks (WSNs) have a wide range of applications such as habitat monitoring, home automation, and military and medical applications [1,2]. Compared to conventional wireless networks, wireless sensors have limited resources that demand cryptographic solutions with reduced complexity. Because of this resource constrained nature, WSNs employ symmetric key encryption, which in turn needs key management schemes suited to constrained devices. A detailed analysis of the key distribution proposals available in the literature shows that only the one-way function based schemes remain secure when a node is compromised during the initialisation phase. The lightweight schemes based on random key predistribution [3,4], polynomial based key distribution [5], and so forth offer no security in this scenario. All these schemes assume that a node cannot be compromised in the initialisation phase, which does not hold in practice. For such schemes the time-out period of the initialisation phase cannot be kept large, because a longer window increases the probability that a node is compromised during initialisation; if the time-out period is kept small, the connectivity of the network suffers. So there is a trade-off between security and connectivity in such schemes, whereas the one-way function based methods have no such trade-off. Thus for high security applications such as military or medical applications, the one-way function based key management schemes are preferred.
Elliptic curve cryptography (ECC) is a promising solution in such scenarios because of its higher security per key bit compared to other one-way functions [6][7][8]. All sensor networks require a message authentication code (MAC) and a pseudorandom generator for secret key establishment and data transfer. If these two functions are implemented with standalone algorithms such as SHA and AES alongside ECC for key exchange, the overall hardware complexity of the system is very high. If the point multiplication unit used for key exchange can instead be time shared to perform the other two functions, the complexity of the entire system is reduced. In this paper, an EC based pseudorandom sequence generator is proposed. The proposed method is developed in such a way that the hardware required to build the pseudorandom bit sequence generator, in addition to the EC point multiplication unit, is much less. So it provides a highly suitable option for lightweight encryption in systems that already use EC based key exchange.

Related Works
In [9] Blum and Micali introduced the concept of a cryptographically strong pseudorandom bit sequence generator (CSPBSG) built from a cryptographic one-way function. Since then several approaches have used the one-way operation of EC point multiplication to construct stream ciphers. The linear congruential generator is extended to EC, and a generator producing a pseudorandom bit sequence from points on the elliptic curve is described in [10]. The sequence is proved to have good randomness properties, but its security depends on the secrecy of the base point. In 2000 Shparlinski analysed the elliptic curve version of the Naor-Reingold generator [11]. The seed is a vector of random integers ( 0 , 1 , . . ., −1 ). The key for the th iteration is = ( where = ( 0 , 1 , . . ., −1 ). The output bit sequence is generated by applying a truncation function to the -coordinate of the point ( ) in each iteration. The security of the generator rests on the ECDLP, but the number of random input bits required to generate the sequence is high. The elliptic curve power generator (ECPG) [12], published in 2005, uses an integer as the random seed. The th iteration key is = and the output point is . The bit sequence is generated by truncating the -coordinate of the output point. The period of the generator is very low, and the period reveals some properties of the seed . The pseudorandom sequence generator based on EC published in [13] uses a single point multiplication in each iteration. The output bit sequence is the -coordinate of the output point sequence, generated as = where = −1 + ( − 1). The sequence is proved to have good statistical properties, but no security analysis is given. The dual EC generator, specified by Elaine Barker and John Kelsey, was adopted as a standard random number generator by NIST [14]. The random seed is an integer , and the generator uses two points and on the EC. The iteration key is = ( −1 ) and the output point is . The output of the generator is (( )) where is the truncation function. The period of the generator is found to be very low because of the way the iteration key is generated. To increase the period the iteration key is modified as = ( −1 ) + . But then it is found that, as ( ) ≪ , the sequence becomes independent of the seed. New stream cipher designs based on EC are proposed in [15]. The three algorithms proposed there are derived from the dual EC generator, the linear congruential generator, and the Naor-Reingold generator. The authors prove that the sequences generated by these algorithms have a large period, but the hardware complexity is high. A stream cipher based on the ECDLP is described in [16]. The method consists of three stages: (i) initialisation, (ii) key stream generation, and (iii) encryption. The mapping of the key to a point on the EC is carried out in the initialisation stage, which increases the hardware and computational complexity and makes the scheme less suitable for resource constrained applications.
A key generator based on EC over a prime field was published in 2012 [17]. The output is generated by truncating the -coordinate of the point = where is the random value from the LFSR and the 's are points on the EC. The method requires many parameters, that is, the feedback polynomial of the LFSR, the seed value, the EC parameters, and so forth, to be kept secret, and the security of the sequence depends entirely on the secrecy of these parameters rather than on a key alone.

Mathematical Background
Elliptic curves (EC) over a field are the set of points (, ) that satisfy the Weierstrass equation given as
The variables , and the constants 1 , 2 , 3 , 4 , and 6 are all elements of the field . The definition of an EC also includes a single element called the "point at infinity" or the "zero point", denoted by .
The set of points on an EC forms an abelian group under the addition operation, with as the identity element. The addition operation is defined such that if , , and are three points on the EC lying on the same straight line, then + + = .
The cryptographic operation on an EC is point multiplication. Given an integer "" and a point on the EC, computing " = ", where "" is a new point on the EC, is called point multiplication. This is a one-way function because computing "" is easy but, given and , finding "" is difficult. This is known as the elliptic curve discrete logarithm problem (ECDLP). Curves defined over GF(2 ) (Galois fields of characteristic two) are more suitable for hardware implementation. These curves are classified as supersingular and nonsupersingular curves. The MOV (Menezes, Okamoto, and Vanstone) reduction [19] maps the ECDLP on a supersingular curve to a discrete logarithm problem in a small extension of the base field, so the ECDLP is harder on nonsupersingular curves. Point addition and point doubling are the two basic operations defined on an EC, and point multiplication is carried out by repeated point addition and doubling.
Rules for point addition and point doubling on nonsupersingular curves over GF(2 ) are as follows.
(1) Point addition: if = ( 1 , 1 ) and = ( 2 , 2 ), then + = = ( 3 , 3 ) is
(2) Point doubling: if = ( 1 , 1 ), then 2 = = ( 3 , 3 ) is given by
The security of EC point multiplication is increased by truncating the ""-bit representation of the -coordinate of the point to "" bits and giving out only the truncated value as output. In [20] the authors prove that, for an EC defined over GF(2 ), if the ""-bit representation of the -coordinate is truncated to "" bits, the statistical distance between the output of the truncation function and a uniformly random ""-bit string is 2 − . Hence it is hard to determine whether a sequence was generated by truncating the -coordinate of a point on the EC or chosen uniformly at random. This is known as the truncated point problem (TPP).

Analysis of EC Based Pseudorandom Sequence Generators
In this section various EC based pseudorandom sequence generators from the literature are analysed. For the analysis the EC chosen is : 2 + = 3 + 2 + 1 defined over GF(2 ). A point (3, 39) on the EC denotes ( 3 , 39 ), where is a root of the polynomial used to construct the finite field.

EC Based Linear Congruential Generator.
In the EC based linear congruential generator the output point sequence is generated as , where is the iteration number and is a point on the elliptic curve that is kept secret. The sequence passes through the complete cyclic subgroup generated by .
Thus the period of the sequence reveals the order of the point , which reduces the search space to a smaller value. The symmetric properties of the generated sequence also make cryptanalysis easier; a detailed cryptanalysis of this generator is given in [15]. Though the sequence has good linear span and statistical properties, it cannot be used as the key stream of a stream cipher because of this reduced security.

PBSG-B [15] is a modification of the EC based linear congruential generator in which the period is independent of the order of the point and the output sequence has none of the symmetric properties that make cryptanalysis easier. For security, the authors assume that both the point and the seed of the LFSR are kept secret. The analysis below shows, however, that the security depends only on the secrecy of the point , which cannot be quantified. Assume the point is known to the attacker. The attacker can generate the entire sequence by choosing an arbitrary value as the LFSR seed: the LFSR passes through the same sequence of states, so the generated bit sequence is only a shifted version of the original. If a part of the key stream is known to the attacker (a known plaintext attack), the shift is easily computed from the peak of the cross-correlation between the generated sequence and the known bits. Let the EC be defined over GF(2 7 ), let the feedback polynomial of the LFSR be 7 + 4 + 1, = (3, 39), and the initial seed 0 = 126. Assume the attacker knows a few initial bits of the sequence, namely 10100011010001010011110010110. Let the attacker generate the sequence with seed 42. The cross-correlation between the sequence generated with 0 = 42 and the known sequence is plotted in Figure 1. From the position of the peak, the offset of the known sequence (316 − 254 = 62) and hence the LFSR seed (the LFSR value at the 31st iteration = 126) are easily determined.

Elliptic Curve Power Generator.
The output point sequence in the ECPG is generated as = , where = and ∈ GF(2 ) is the initial secret key. The output bit sequence is the truncated -coordinate of the point . Let be the order of the point . The period of the sequence is determined by the order of and by the seed and is given as = ord (). Thus the period of the sequence is much less than the order of the point . Moreover, knowledge of the period of the sequence reduces the search space for the seed .
The following analysis shows that the security of the generator is also very low. Let be a primitive element of the finite field over which the EC is defined. Generate a lookup table with and as its entries. Let be the initial seed . Assume that the attacker has identified two consecutive output points from their truncated versions. Let = 1 and +1 = 2 be the corresponding iteration keys found from the lookup table. Then 2 = 1 * = 1 * . This implies 2 = 1 + , or = 2 − 1 . Thus the initial secret seed = is easily determined.

EC Based Random Number Generator.
The random number generator proposed in [13] has reduced latency and increased period with a single point multiplication operation in each iteration. The output point sequence is = and = ( − 1) + −1 , where −1 is the -coordinate of −1 . The generator has good statistical properties and a high period. But it is found that the output sequence becomes independent of the key as the iteration number increases. To illustrate this, an image is encrypted with the pseudorandom sequence generated by this algorithm. The EC is defined over GF(2 11 ) and the output is truncated to 5 bits. The initial key seed is 0 = 104. The original and encrypted images are shown in Figures 2(a) and 2(b), respectively. The encrypted image is then decrypted with a different seed, 0 = 84; the result is shown in Figure 2(c). Except for a very small region, the image is recovered with the wrong key. This shows that the sequence generated by this algorithm becomes independent of the initial key seed after a few iterations and is insecure as the key stream of a stream cipher.

Dual EC Generator.
The dual EC generator [14] was published as a standard random number generator by NIST in 2007. The generator uses two points and on the EC, one for generating the iteration key as = ( −1 ) and the other for generating the output bit sequence as (( )), where is the truncation function. But it is found that if the points and are not properly chosen, the period of the sequence is very low. Consider the EC defined over GF(2 7 ). Let = (22, 10) and = (11, 5). The output point sequence generated with initial key 0 = 9 is shown as follows:

PBSG-A.
A modification of the dual EC generator with increased period, named PBSG-A, is published in [15]. In PBSG-A the iteration key is modified as +1 = + * , where = () and "" is the seed value. In addition to two point multiplication operations, the modified algorithm requires a finite field multiplication of the iteration number "" and the value "" in each iteration. This increases both the hardware complexity and the time complexity of the system. Though PBSG-A generates a key stream with high period in such a way that its security depends on the ECDLP, its structural complexity and latency are very high.

Proposed Stream Cipher Design
The algorithm proposed in this paper addresses the drawbacks of the methods in the literature: reduced period, dependence on the iteration number, weak security, and high time complexity. The proposed stream cipher uses a single point on the EC and a single point multiplication operation in each iteration. This reduces the time complexity considerably in comparison with the two point multiplications carried out in each iteration in the dual EC generator and PBSG-A. In the proposed method a blinded version of the iteration key is used to generate the output point sequence, so that even solving the ECDLP does not reveal the exact iteration key to the attacker, thereby increasing the security. The proposed method is also designed to have reduced hardware complexity without compromising security.
Each iteration in the proposed method consists of two stages: (i) generation of the key for the th iteration and (ii) generation of the th output bit sequence. The steps of the algorithm are as follows. Let = 1 ‖ 2 be the shared secret key. The value 1 is the initial key 0 for generating the iteration key and 2 is the seed of the LFSR. The LFSR is clocked once in each iteration. The key for the th iteration is the sum of the -coordinate of −1 and the content of the LFSR −1 , that is, = ( −1 ) + −1 . Adding the LFSR value when generating the iteration key introduces randomness into the key stream, increases the period, and increases the attack complexity. Moreover, it makes the iteration key less dependent on the EC points generated in each iteration and on the iteration number. Replacing the GF multiplication * of PBSG-A with an LFSR reduces the time and hardware complexity.
The output point for each iteration is computed as = + 1 , where the point multiplication " 1 " is a precomputation stage. Adding this offset " 1 " blinds the exact iteration key from the attacker. An output point computation in the proposed method thus involves one point multiplication and one point addition, that is, + 1 . The -coordinate of the EC point is used to generate the key for the ( + 1)th iteration, and the truncated -coordinate of the point is given out as the bit sequence, which further increases the security.

Algorithm.
Let be a point on the EC defined over GF(2 ). Let "" be the shared secret, of length 2 bits.

Period Analysis
In the proposed method the key is advanced as +1 = ( ) + = + , where = ( ). The use of the LFSR value increases the period of the generator. If this value were not added, the output sequence would depend only on the point multiplication operation, and the sequence would start repeating whenever = − with 1 ≤ < . When the LFSR value is added to , the period is governed by the period of the LFSR, as shown in the following analysis.
Assume that the output in the th iteration is the same as the output in the th iteration, where > . That is, = . This implies = , or = . In the th iteration +1 = + , and in the th iteration +1 = + . If the output of the ( + 1)th iteration also equals that of the ( + 1)th iteration, then +1 = +1 ; that is, +1 = +1 , or +1 = +1 . Hence + = + , or = , since = .
Since and are values of the LFSR, the same value repeats only after one full period of the LFSR. For an LFSR of length "" bits with a primitive feedback polynomial the period is = 2 − 1. Hence the output pattern repeats only after an integer multiple of the period "": the period of the sequence is " * " with ≥ 1, so the period of the point sequence in the proposed method is at least the period of the LFSR. Consider an implementation of the proposed method over GF(2 163 ) in which the 163-bit -coordinate of each output point is truncated to 100 bits. The period of the output bit sequence is then at least 100 * = 100 * (2 163 − 1), roughly 2 170 (since 100 ≈ 2 6.6 ), which is large compared with the existing schemes. Note that this argument gives only a lower bound: the internal state also contains the iteration key, so the actual period is a multiple of the LFSR period whose exact value depends on the point .
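To make the algorithm of the previous section and the period argument above concrete, here is an added example (not code from the paper) that implements the generator over the paper's own toy parameters: the curve y^2 + xy = x^3 + x^2 + 1 over GF(2^7) built with x^7 + x^3 + 1, the base point (3, 39) in the paper's exponent notation, and a 7-bit LFSR with feedback polynomial x^7 + x^4 + 1. Details the paper leaves open are assumptions and are marked as such in the code: the truncation keeps the low bits of the x-coordinate, the x-coordinate of the point at infinity is taken as 0, and the 14-bit key is split into two 7-bit halves with the high half as k1. The state_cycle function checks the period claim directly: the internal state (x(k_i P), L_i) can only repeat after a multiple of the LFSR period 127.

```python
M = 7
FIELD_POLY = 0b1000_1001    # x^7 + x^3 + 1, the paper's primitive polynomial for GF(2^7)
A2, A6 = 1, 1               # curve y^2 + xy = x^3 + A2*x^2 + A6, here x^3 + x^2 + 1
LFSR_TAPS = (6, 2)          # 7-bit Fibonacci LFSR realising the feedback polynomial x^7 + x^4 + 1
LFSR_PERIOD = (1 << M) - 1  # 127: the polynomial is primitive, so every nonzero seed has this period

def gf_mul(a, b):
    """GF(2^7) multiplication: carry-less product reduced modulo FIELD_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= FIELD_POLY
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def gf_inv(a):
    return gf_pow(a, (1 << M) - 2)  # a^(2^7 - 2) = a^-1 for a != 0

def on_curve(P):
    """True if P (None is the point at infinity O) satisfies the curve equation."""
    if P is None:
        return True
    x, y = P
    x2 = gf_mul(x, x)
    return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(x2, x) ^ gf_mul(A2, x2) ^ A6

def ec_add(P, Q):
    """Point addition / doubling on a nonsupersingular binary curve (the paper's rules (1) and (2))."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 != x2:                                   # rule (1): lambda = (y1 + y2) / (x1 + x2)
        lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
        x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A2
        return x3, gf_mul(lam, x1 ^ x3) ^ x3 ^ y1
    if y1 != y2 or x1 == 0:                        # Q = -P = (x1, x1 + y1), or P has order 2
        return None
    lam = x1 ^ gf_mul(y1, gf_inv(x1))              # rule (2): lambda = x1 + y1 / x1
    x3 = gf_mul(lam, lam) ^ lam ^ A2
    return x3, gf_mul(x1, x1) ^ gf_mul(lam ^ 1, x3)

def ec_mul(k, P):
    """Double-and-add point multiplication k*P for any integer k >= 0."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R

def xcoord(P):
    return 0 if P is None else P[0]  # x(O) := 0 is an assumption; the paper does not define it

BASE_POINT = (gf_pow(2, 3), gf_pow(2, 39))  # the paper's P = (3, 39), i.e. (alpha^3, alpha^39)

def lfsr_step(state):
    """Clock the LFSR once: shift left, new bit = s[6] xor s[2]."""
    fb = ((state >> LFSR_TAPS[0]) ^ (state >> LFSR_TAPS[1])) & 1
    return ((state << 1) | fb) & LFSR_PERIOD

def keystream_points(k1, k2, P, n_iter):
    """Q_i = k_i P + k1 P with k_i = x(k_{i-1} P) + L_{i-1}, k_0 = k1 and LFSR seed L_0 = k2."""
    offset = ec_mul(k1, P)             # precomputed blinding point k1*P; equals k_0 P since k_0 = k1
    prev_x, L = xcoord(offset), k2
    for _ in range(n_iter):
        k = prev_x + L                 # iteration key; double-and-add accepts it unreduced
        L = lfsr_step(L)               # LFSR clocked once per iteration
        kP = ec_mul(k, P)              # the single point multiplication of the iteration
        prev_x = xcoord(kP)            # feeds the next iteration key
        yield ec_add(kP, offset)       # blinded output point

def keystream_bits(k1, k2, P, n_iter, trunc=3):
    """Keystream: the low `trunc` bits of x(Q_i), most significant first (assumed truncation)."""
    return [(xcoord(Q) >> j) & 1 for Q in keystream_points(k1, k2, P, n_iter)
            for j in range(trunc - 1, -1, -1)]

def state_cycle(k1, k2, P):
    """(preperiod, cycle length) of the internal state (x(k_i P), L_i); equal states force
    equal LFSR states, so the cycle length is a multiple of LFSR_PERIOD (the paper's bound)."""
    state, seen, i = (xcoord(ec_mul(k1, P)), k2), {}, 0
    while state not in seen:
        seen[state] = i
        prev_x, L = state
        state, i = (xcoord(ec_mul(prev_x + L, P)), lfsr_step(L)), i + 1
    return seen[state], i - seen[state]

if __name__ == "__main__":
    k1, k2 = 1525 >> M, 1525 & LFSR_PERIOD  # the paper's key 1525, split high/low (an assumption)
    print("P on curve:", on_curve(BASE_POINT))
    print("keystream:", "".join(map(str, keystream_bits(k1, k2, BASE_POINT, 18))))
    pre, cyc = state_cycle(k1, k2, BASE_POINT)
    print(f"state repeats after {pre} steps; cycle {cyc} = {cyc // LFSR_PERIOD} x {LFSR_PERIOD}")
```

Because the paper's truncation convention and key split are not fixed, the printed ke{}stream will not necessarily match the 54 bits listed in the statistical analysis section; what the example does verify is the structure of the scheme (one point multiplication plus one addition per iteration) and that the state cycle length is a multiple of 127 for any nonzero LFSR seed.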

Security Analysis
This section analyses the security of the proposed stream cipher against various attacks, assuming that the EC is defined over GF(2 ) and is a generator point on the EC. The EC, the underlying field, and the point are known to the attacker; only the shared secret is unknown.

Known Plain Text Attack.
In the proposed method the input secret is a random integer "". One part of this secret key ( 1 ) is used as the initial key for point multiplication and the other part ( 2 ) as the seed of the LFSR. The iteration key is +1 = ( ) + , where is the content of the LFSR after "" clock cycles. In each iteration the iteration key is blinded by adding the secret key " 1 ", and the output point is computed as = + 1 . The -coordinate of the point is truncated to generate the output sequence, and these output bits are XORed with the message bits to produce the ciphertext. To break this cryptosystem the attacker needs to recover the iteration key and the internal state of the LFSR.
In a known plaintext attack, the attacker is assumed to know part of the message stream, which reveals the corresponding part of the key stream. The attacker thus holds truncated -coordinates of the points generated in a few iterations. To proceed, the attacker needs to identify the EC point from its truncated -coordinate, and the security of this stage is provided by the truncated point problem: it is hard to tell whether a sequence was produced by truncating the -coordinate of a point on the EC or chosen uniformly at random.
Once the attacker has identified the point from its truncated version, the next step is to solve the ECDLP to find the integer + 1 used in the point multiplication. The most common generic attacks on the ECDLP are the Pollard rho method and the baby-step giant-step algorithm [21].
Pollard-Rho Attack. Let be a point on the EC defined over GF(2 ) and let be the order of . The expected cost of the Pollard rho attack is about (/2) 1/2 group operations. By Hasse's bound, if is a generator point, the order of is approximately the size of the field, so the cost of solving the ECDLP is approximately (2 (−1)/2 ).

Baby-Step Giant-Step Algorithm.
This is another generic algorithm for both the DLP (discrete logarithm problem) and the ECDLP. Its complexity depends on the order of the point . For a point of order , the attack requires the computation of 1/2 points on the EC and memory to store them. Thus the time complexity of solving the ECDLP in the proposed method is (2 /2 ) point operations if is a generator point.
The values recovered by solving the ECDLP are + 1 , +1 + 1 , +2 + 1 , and so forth, where 1 is the secret key. Suppose first that no blinding were applied when generating the output sequence. Then the values recovered by solving the ECDLP would be the iteration keys , +1 , and so forth, which are related as +1 = ( ) + .
If two successive iteration keys and +1 are known to the attacker, the state of the LFSR follows directly as = +1 − ( ).
Thus, without blinding, solving the ECDLP for just two points of the output sequence would let the attacker generate the whole key stream.
With blinding, solving the ECDLP for any number of output points yields only the sums + 1 and hence little information about the offset 1 or the iteration key . Given + 1 , the only way to find or 1 is exhaustive search, with complexity (2 −1 ). The key for the next iteration is computed as ( ) + , where is the content of the LFSR after "" clock cycles. This way of generating the iteration keys introduces randomness into the key sequence and increases the attack complexity without much increase in hardware or computational cost. For an attacker who has guessed the key of the th iteration, generating the key of the ( + 1)th iteration requires the content of the LFSR. For a guessed value of or 1 , the attacker has to find the LFSR state such that ( ) + + 1 = +1 + 1 . The key stream generated with these values of , 1 , and is then compared with the original key stream, which requires the attacker to have recovered the output of at least three consecutive iterations. If the generated key stream differs from the original, a new value of or 1 is chosen and the process is repeated. Thus the complexity of a known plaintext attack on the proposed system is (2 −1 + 2 (+1)/2 ) ≈ (2 −1 ).
The various steps in the attack can be summarised as follows.
(1) Get a few bits of the key stream from the known plaintext.
(6) Generate the new key stream and compare it with .

Since the security of the proposed algorithm rests on the ECDLP, the elliptic curve must be chosen to resist the MOV attack, which uses the Weil pairing to reduce the discrete logarithm problem on the curve to the discrete logarithm problem (DLP) in a finite field, where subexponential and quasipolynomial time algorithms are available. The reduction is efficient only when the embedding degree of the curve is small; supersingular curves always have a small embedding degree, whereas a nonsupersingular curve generally does not, so a nonsupersingular curve should be chosen for secure implementations and its embedding degree checked. The size of the finite field over which the EC is defined is determined by the required security level as recommended by NIST; for example, NIST recommends GF(2 163 ) for 80-bit security. The NIST standard curves are chosen to resist these attacks and can be used to implement the proposed algorithm at a given security level.

Brute Force Attack.
The complexity of a brute force attack depends on the key space. In the proposed method the only secret is the value "", a binary string of length "2" bits for an EC defined over GF(2 ). Of these, bits are the initial seed of the LFSR and the other bits the initial key 0 for point multiplication. Each half may take any value other than the all-zero pattern, so the key space is (2 − 1) 2 , approximately 2 2 , and an exhaustive search is expected to succeed after about half of it, that is, about 2 2−1 trials. For an implementation over GF(2 163 ) the key space is approximately 2 326 and the expected brute force cost about 2 325 . Note that brute force is not the best attack on the scheme: the known plaintext attack analysed above costs about 2 −1 , so the effective security level is set by that bound rather than by the size of the key space.

Statistical Analysis
This section deals with the statistical analysis of the proposed pseudorandom sequence generator using the NIST randomness test suite and TestU01. For the NIST based analysis the EC chosen is 2 + = 3 + 2 + 1 defined over GF(2 7 ), with the primitive polynomial 7 + 3 + 1 used to construct the finite field. A point (11, 19) on the EC denotes ( 11 , 19 ), where is a root of 7 + 3 + 1. A sequence of 50 points generated by running the algorithm with = [3, 39] and two different key values is shown in Table 1. The table shows that even a single bit change in the key yields an entirely different sequence of points. The output bit sequence is generated by truncating the -coordinate of each point in the sequence to 3 bits. The output bit sequence generated for = [3, 39] and key = 1525 is shown as follows:

0 1 1 1 1 0 1 1 1 0 1 0 0 0 0 0 1 1 0 0 0 0 0 1 0 1 0 0 0 1 0 1 1 0 1 1 0 0 0 0 0 0 0 0 0 1 0 1 0 0 1 1 1 0

According to the theoretical analysis in the period analysis section (Section 6), the expected period of the bit sequence is 381 (127 points of 3 bits each).
The bit sequence generated by the proposed method has been tested for randomness with five statistical tests. For the monobit test and the runs test the threshold is 0.01, as in the NIST statistical test suite; that is, if the computed p-value is greater than 0.01, the sequence is accepted as random [22]. The serial test and the poker test were also carried out. The test statistics of these two tests follow a chi-square reference distribution, and the sequence passes if the test value is less than the threshold. For a significance level of 0.05 (probability 0.05 of the statistic exceeding the threshold for a truly random sequence) the thresholds are 5.9915 and 24.9958, respectively, the 0.95 quantiles of the chi-square distribution with 2 and 15 degrees of freedom [23]. The results for various key values in Table 2 show that the randomness property is satisfied. In addition, the autocorrelation function plotted in Figure 3 confirms the randomness and the period of the sequence. Passing these tests is a necessary, not a sufficient, condition for use as a key stream; the security argument is the one given in the security analysis.
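The four tests named above are short enough to implement directly. The following is an added example (not code from the paper or from the NIST suite) with the monobit and runs tests as p-value tests, following the formulas of NIST SP 800-22, and the serial and poker tests as chi-square statistics compared against the thresholds quoted above (15 degrees of freedom for the poker test corresponds to 4-bit blocks, which is an assumption about the block size used). The 54-bit sequence is the one listed above; the alternating and all-zero inputs are constructed here to show how a balanced but structured sequence passes the monobit test yet fails the others.

```python
import math

P_THRESHOLD = 0.01          # NIST SP 800-22 decision rule: p-value >= 0.01 passes
SERIAL_THRESHOLD = 5.9915   # chi-square, 2 degrees of freedom, alpha = 0.05 (value quoted in the text)
POKER_THRESHOLD = 24.9958   # chi-square, 15 degrees of freedom: 4-bit poker hands, alpha = 0.05

def monobit_pvalue(bits):
    """Frequency (monobit) test: S = #ones - #zeros, p = erfc(|S| / sqrt(2n))."""
    n = len(bits)
    s = 2 * sum(bits) - n
    return math.erfc(abs(s) / math.sqrt(2 * n))

def runs_pvalue(bits):
    """Runs test; returns 0 (not applicable) when the proportion of ones is too far from 1/2."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    v = 1 + sum(bits[i] != bits[i + 1] for i in range(n - 1))   # number of runs
    return math.erfc(abs(v - 2 * n * pi * (1 - pi)) / (2 * math.sqrt(2 * n) * pi * (1 - pi)))

def serial_statistic(bits):
    """Two-bit serial test statistic: approximately chi-square with 2 degrees of freedom."""
    n = len(bits)
    n1 = sum(bits)
    n0 = n - n1
    pairs = [0, 0, 0, 0]
    for i in range(n - 1):
        pairs[2 * bits[i] + bits[i + 1]] += 1          # overlapping pairs 00, 01, 10, 11
    return 4 / (n - 1) * sum(p * p for p in pairs) - 2 / n * (n0 * n0 + n1 * n1) + 1

def poker_statistic(bits, m=4):
    """Poker test on non-overlapping m-bit blocks: chi-square with 2^m - 1 degrees of freedom."""
    k = len(bits) // m
    counts = [0] * (1 << m)
    for i in range(k):
        counts[int("".join(map(str, bits[m * i:m * i + m])), 2)] += 1
    return (1 << m) / k * sum(c * c for c in counts) - k

def evaluate(bits):
    """Pass/fail of each test with the decision rules used in the text."""
    return {
        "monobit": monobit_pvalue(bits) >= P_THRESHOLD,
        "runs": runs_pvalue(bits) >= P_THRESHOLD,
        "serial": serial_statistic(bits) < SERIAL_THRESHOLD,
        "poker": poker_statistic(bits) < POKER_THRESHOLD,
    }

# The 54-bit keystream listed in the text for P = (3, 39) and key 1525.
PAPER_BITS = [int(ch) for ch in "011110111010000011000001010001011011000000000101001110"]
# Constructed pathological inputs: balanced but perfectly structured, and constant.
ALTERNATING = [i % 2 for i in range(1000)]
ALL_ZERO = [0] * 1000

if __name__ == "__main__":
    for name, seq in (("paper", PAPER_BITS), ("alternating", ALTERNATING), ("zeros", ALL_ZERO)):
        print(name, evaluate(seq))
```

The alternating case is the one to keep in mind when reading pass/fail tables: a sequence can be perfectly balanced and still be useless as a key stream, which is why the monobit test alone says nothing and why the serial and poker tests (and, for a key stream, the linear complexity analysis) are needed as well.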
TestU01 [24] is a software library implemented in ANSI C that provides utilities for the statistical testing of uniform random number generators. It includes six predefined batteries as well as general implementations of classical statistical tests for pseudorandom sequences. Of the six predefined batteries, SmallCrush, Crush, and BigCrush test sequences of real numbers, while Rabbit, Alphabit, and BlockAlphabit test binary sequences. Since the proposed generator outputs a binary sequence, its output was subjected to the Rabbit, Alphabit, and BlockAlphabit batteries. For this analysis the EC is defined over GF(2 17 ) and the output is truncated to 4 bits. A sequence of 2 20 bits was generated and tested, and it passed all three batteries. The results are given in Table 3.

Statistical Complexity Analysis
In [25] the authors show that MPR statistical complexity can be used as a measure of randomness for pseudorandom sequence generators. Statistical complexity is defined as the product of the disorder (entropy) of the system and the "distance" of its probability distribution from the equiprobable distribution in probability space. To analyse the MPR statistical complexity of a pseudorandom sequence, the normalised entropy and the complexity are plotted. A zero value of the MPR statistical complexity together with a normalised entropy of 1 corresponds to a uniform (equiprobable) symbol distribution, so for pseudorandom sequences with good randomness the complexity tends to zero and the normalised entropy tends to 1. The expressions for the normalised entropy ( norm ) and the complexity ( MPR ) are as follows:
where 0 = 1/cos −1 (1/) 1/2 and
Here is the probability of symbol and is the number of symbols. The normalised entropy and the MPR statistical complexity of the proposed generator are given in Figures 5 and 6, respectively. For the analysis the output bit stream is grouped into 8-bit words. The analysis shows that the proposed pseudorandom sequence generator exhibits good randomness.

Linear Complexity Analysis
Linear complexity and the linear complexity profile of a pseudorandom sequence are two important parameters used to measure the security of the sequence when it is used as a key stream. The linear complexity () of an ultimately periodic binary sequence is the length of the shortest LFSR that can generate , with the convention that () = 0 if is the zero sequence. Let = ( 1 , 2 , . . ., ) be a finite sequence over GF(2) and denote the linear complexity of its first terms ( 1 , 2 , . . ., ) by ( ). The linear complexity profile of is the sequence (( 1 ), ( 2 ), . . ., ( )). For an LFSR of length "", though the period of the generated sequence is 2 − 1, the linear complexity is only "". For a nonlinear periodic sequence, the maximum possible linear complexity equals the period of the sequence.
An efficient method to compute the linear complexity profile is the Berlekamp-Massey algorithm. The linear complexity profile of the proposed generator, computed with the Berlekamp-Massey LFSR synthesis algorithm, is shown in Figure 4. The EC is defined over GF(2 7 ) and the output is truncated to 3 bits, so the period of the generated sequence is 381. The plot shows that the linear complexity profile stays close to the /2 line over the first period, a property of unpredictable sequences, and that the linear complexity equals the period of the sequence. Thus the proposed method has a very high linear complexity compared with LFSR based methods.
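The contrast drawn above (period 2^m - 1 but linear complexity only m for an LFSR) is easy to reproduce. The following added example (not code from the paper) implements the Berlekamp-Massey algorithm over GF(2) and returns the whole linear complexity profile, then applies it to the output of the 7-bit LFSR with feedback x^7 + x^4 + 1 used in the paper's toy analysis and to the 54 keystream bits listed in the statistical analysis section. The lfsr_sequence function and its tap positions are assumptions of this example, chosen so that the register realises that polynomial.

```python
def berlekamp_massey_profile(bits):
    """Linear complexity profile (L(s_1), ..., L(s_n)) of a binary sequence.

    c is the current connection polynomial, b the one saved at the last length change,
    m the index at which that change happened (Massey's LFSR synthesis algorithm over GF(2)).
    """
    n = len(bits)
    c, b = [0] * (n + 1), [0] * (n + 1)
    c[0] = b[0] = 1
    L, m, profile = 0, -1, []
    for i in range(n):
        d = bits[i]                                  # discrepancy between prediction and s_i
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]                 # c(x) <- c(x) + x^shift * b(x)
            if 2 * L <= i:                           # the register has to grow
                L, m, b = i + 1 - L, i, t
        profile.append(L)
    return profile

def linear_complexity(bits):
    return berlekamp_massey_profile(bits)[-1] if bits else 0

def profile_deviation(bits):
    """Largest |L(s_i) - i/2| along the profile; unpredictable sequences stay close to the i/2 line."""
    return max(abs(L - (i + 1) / 2) for i, L in enumerate(berlekamp_massey_profile(bits)))

def lfsr_sequence(seed, n, taps=(6, 2), width=7):
    """Output bits of a Fibonacci LFSR; taps (6, 2) on a 7-bit register realise x^7 + x^4 + 1."""
    out, s = [], seed
    for _ in range(n):
        out.append(s & 1)
        fb = ((s >> taps[0]) ^ (s >> taps[1])) & 1
        s = ((s << 1) | fb) & ((1 << width) - 1)
    return out

# The 54 keystream bits listed in the text for P = (3, 39), key 1525 (GF(2^7), 3-bit truncation).
PAPER_BITS = [int(ch) for ch in "011110111010000011000001010001011011000000000101001110"]

if __name__ == "__main__":
    lfsr = lfsr_sequence(1, 254)
    print("LFSR (period 127): linear complexity", linear_complexity(lfsr))
    print("54-bit keystream: linear complexity", linear_complexity(PAPER_BITS),
          "max deviation from i/2:", profile_deviation(PAPER_BITS))
```

The profile has a structural property worth checking in any implementation: whenever the complexity jumps at position i, the new and old values sum to i, so a profile that hugs the i/2 line consists of small, frequent jumps, whereas a jump to a large value late in the sequence signals a long predictable prefix.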

Comparison with Other EC Based Stream Ciphers
The throughput (number of output bits per clock cycle), security, and hardware requirement of the proposed method are compared with EC based pseudorandom sequence generators available in literature.
11.1. Throughput. In the proposed method, a truncation function is applied to the -coordinate of the EC point to generate the output bit sequence. Consider an EC defined over GF(2^163). Let the -coordinate be truncated to "100" bits by the truncation function. Let "" be the number of clock cycles required for a point multiplication operation. Since each iteration involves only a single point multiplication operation, the throughput of the proposed system is approximately "100/" bits per clock cycle.
The output bit sequences in the linear congruential generator [10] and its variant PBSG-B [15] are generated by applying a trace function to the - and -coordinates of the output point sequence, giving out two output bits in each iteration. This reduces the throughput of the system. In these two methods, generation of a single bit in the key stream requires "/2" clock cycles. This reduces the speed of operation of the encryption system and makes it unsuitable for real time operation. Compared to "2/" for a linear congruential generator and its derivatives, the proposed method has a throughput of "100/", resulting in reduced latency and making it suitable for real time applications.
In the dual EC generator [14] and the various proposals based on it, each iteration consists of two point multiplication operations, one for generating the iteration key and the other for generating the output bit sequence. This greatly increases the time complexity of the pseudorandom sequence generator. Assuming that "" clock cycles are required for a single point multiplication operation and the output is truncated to "100" bits as considered above, the system generates "100/2" bits per clock cycle. The throughput of PBSG-A [15], which is a variant of the dual EC generator with increased periodicity and security, is similar to that of the dual EC generator because of the two point multiplications in each iteration. As each iteration in the proposed method consists of a single point multiplication operation, the time complexity is reduced to a large extent. In the proposed method the number of output bits per clock cycle is "100/". This shows that the throughput of the proposed system is increased by a factor of "two" when compared to the dual EC generator and PBSG-A.
The two methods available in the literature with a throughput similar to the proposed method are ECPG and the pseudorandom sequence generator in [13]. Both methods make use of a single point multiplication in each iteration, and the output bit sequence is generated by applying a truncation function to the output point.
11.2. Periodicity. This section analyses the period of various EC based pseudorandom sequence generators and compares it with the proposed method. Assume that the EC is defined over GF(2  ). Let  be the order of the point  used for generating the sequence. The output is truncated to "" bits using the truncation function. From the period analysis given in Section 6 it is clear that the period of the proposed pseudorandom sequence is independent of the order of the point  and is determined by the length of the LFSR or the size of the field over which the EC is defined. To analyse the dependence of the generated bit sequence on the initial seed, an image is encrypted using this sequence. The EC is defined over GF(2^11) and the output is truncated to 5 bits. The initial key seeds chosen are  0 = 104 and  0 = 43. The encrypted  respectively. This shows that the sequence generated is highly dependent on the initial seed.
For LCG and PBSG-A, the order of the point  determines the period of the sequence. Hence, to achieve a high period, the order  should be very large. However, determining a point on the EC with high order for a large field size is computationally intensive, and hence these approaches are not recommended. In the case of ECPG, the period is determined by the order of the point  and the value of the initial seed . The initial seed  must be chosen such that ord  () is a large value. This limits the number of possible choices for  and reduces the complexity of an attack on the system. The period of a dual EC generator cannot be determined, as it depends on the points  and  used for generating the sequence. For certain values of  and  it is observed that the period is as small as 2. In PBSG-B, which is a variant of LCG, the period is determined by the length of the LFSR. In [13], the authors have shown that the period of the sequence is determined by the size of the field over which the EC is defined. But it is observed that the sequence becomes independent of the key seed after a few iterations. The output point sequence generated by the algorithm in [13] for different values of the key is given in Table 4.
From the table it can be seen that after 20 iterations the system outputs the same sequence independent of the initial seed.
11.3. Security. In the proposed method, the security analysis shows that the security is as high as solving ECDLP many times. The iteration key   is blinded by adding an offset value  1 so that only the blinded value   +  1 can be retrieved by the attacker after solving ECDLP. From the security analysis of the proposed method it is clear that solving ECDLP for any number of points does not provide information about the iteration key or the secret value  1 . Thus even after solving ECDLP, which has a complexity of (2 (−1)/2 ) for an EC defined over GF(2  ), the attacker has to go for a brute force attack to break the cryptosystem. Thus, the computational complexity of an attack on the proposed system is (2 −1 ). From the analysis in Section 7.1, it can be seen that, to

12.2. Correlation of Adjacent Pixels. The adjacent pixels of the plain image are highly correlated, as shown in Figure 13, and are prone to statistical attacks. To resist these attacks, the adjacent pixels of an encrypted image must be highly uncorrelated. The correlation of vertically adjacent pixels in the encrypted image is shown in Figure 14. It can be clearly seen that the pixels are uncorrelated and can resist the attacks. The vertical, horizontal, and diagonal correlations of adjacent pixels are computed using the following expressions and the results are summarised in Table 7: Here, () = 1/ ∑  =1 (  − ()) 2 is the variance of  and () = 1/ ∑  =1   is the expectation of .
12.3. Information Entropy. The information entropy of a source  is defined as  where   is the probability of symbol . For a gray scale image, the number of possible symbols is 2^8 and hence the maximum entropy obtainable is 8. The entropy of an encrypted image must be close to 8 to ensure that the information leakage is zero. The entropy of the encrypted image in Figure 10 is computed and the value obtained is 7.9968, which ensures that the encryption algorithm is secure.
12.4. Sensitivity Analysis. In this section, the key sensitivity and plain text sensitivity of the proposed method are analysed. In key sensitivity, the change in the encrypted image for a change in a single bit of the key is analysed, and in plain text sensitivity the change in the cipher image for a change in a single pixel of the plain image is analysed. The two common measurements used to analyse the sensitivity are NPCR (number of pixels change rate) and UACI (unified average changing intensity). The NPCR and UACI values are computed using the following expressions: NPCR = ∑ ,  (, )      1 (, ) −  2 (, )
Here  1 and  2 are the two cipher images, (, ) = 1 if  1 (, ) ̸ =  2 (, ), and (, ) = 0 if  1 (, ) =  2 (, );  and  are the width and length of the image. For key sensitivity analysis  1 and  2 are obtained by encrypting the plain image with two different keys  1 and  2 such that  1 and  2 differ only in a single bit. In the proposed algorithm, the pseudorandom sequence generated is independent of the plain text. To analyse the plain text sensitivity and the resistance of the algorithm against differential attack, the input key of the pseudorandom sequence generator is made dependent on the plain image. This is done by generating the key to the sequence generator as the residue obtained by passing the plain text through a modular division circuit. The NPCR and UACI values are computed for both cases and are summarised in Table 8.
12.5. Avalanche Criterion. The avalanche criterion is used to prove the sensitivity of the algorithm to the plain text. Two images with a one pixel difference and their corresponding cipher images are generated. The effects of a one bit change in the plain image and in the cipher image are shown in Figures 15 and 16, respectively. From Figure 16 it can be clearly seen that a one pixel change in the plain image produces a considerable change in the encrypted image.

Conclusion
Resource constrained applications like WSNs demand new algorithms for encryption which can offer reduced time complexity, structural complexity, increased security, and throughput. As ECC is a promising solution for key exchange with increased security, the point multiplication unit will already be available in the system as a part of key exchange. This paper describes a hardware efficient EC based random bit stream generator in which the point multiplication unit used for key exchange can be time shared to generate the pseudorandom sequence, so that the overall hardware complexity is reduced. Five basic tests are done to check the randomness of the bit sequence generated and the sequence is found to have good statistical properties. The sequence exhibits very high periodicity and throughput in comparison with the EC based pseudorandom sequence generators available in the literature. Similarly, compared to other EC based approaches, the computational complexity of a known plain text attack on the system increases exponentially with the size of the key, resulting in high security.

Figure 2: Original image, encrypted image, and image decrypted with the wrong key.
(a) Original image (b) Image encrypted using the proposed method (c) Image decrypted with wrong key

Figure 7: Original image, encrypted image, and image decrypted with the wrong key (based on the proposed method).

Figure 13: Correlation analysis of plain image.

Figure 14: Correlation analysis of encrypted image.

Table 7: Correlation coefficient of two adjacent pixels.
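The adjacent-pixel correlation, information entropy, NPCR and UACI measures used in Sections 12.2 to 12.4 above, as an added Python example that is not the paper's code. It works on grey-scale images represented as lists of rows, uses the E(x) and D(x) definitions from Section 12.2 for the correlation coefficient, reports NPCR and UACI in percent, and the small images in the demo are constructed inputs rather than the paper's figures.

```python
import math
from collections import Counter


def _pairs(img, dx, dy):
    """Yield (x, y) values of pixel pairs offset by (dx, dy):
    horizontal (1, 0), vertical (0, 1), diagonal (1, 1)."""
    h, w = len(img), len(img[0])
    for r in range(h - dy):
        for col in range(w - dx):
            yield img[r][col], img[r + dy][col + dx]


def correlation(img, direction):
    """Correlation coefficient of adjacent pixels, with
    E(x) = (1/N) sum x_i and D(x) = (1/N) sum (x_i - E(x))^2 as in the paper."""
    dx, dy = {"horizontal": (1, 0), "vertical": (0, 1), "diagonal": (1, 1)}[direction]
    xs, ys = zip(*_pairs(img, dx, dy))
    n = len(xs)
    ex, ey = sum(xs) / n, sum(ys) / n
    var_x = sum((x - ex) ** 2 for x in xs) / n
    var_y = sum((y - ey) ** 2 for y in ys) / n
    cov = sum((x - ex) * (y - ey) for x, y in zip(xs, ys)) / n
    if var_x == 0 or var_y == 0:
        return 0.0  # constant image: the coefficient is undefined, report no correlation
    return cov / math.sqrt(var_x * var_y)


def entropy(img):
    """Shannon entropy in bits of the grey-level histogram (at most 8 for 256 levels)."""
    pixels = [p for row in img for p in row]
    n = len(pixels)
    return -sum(c / n * math.log2(c / n) for c in Counter(pixels).values())


def npcr_uaci(c1, c2):
    """NPCR and UACI (both in percent) between two cipher images of equal size."""
    h, w = len(c1), len(c1[0])
    changed = sum(1 for r in range(h) for col in range(w) if c1[r][col] != c2[r][col])
    total_diff = sum(abs(c1[r][col] - c2[r][col]) / 255 for r in range(h) for col in range(w))
    return 100.0 * changed / (w * h), 100.0 * total_diff / (w * h)


if __name__ == "__main__":
    import random
    # constructed inputs: a smooth 8x8 gradient as the plain image and a
    # permutation of its pixels standing in for a cipher image
    plain = [[(r * 32 + c * 4) % 256 for c in range(8)] for r in range(8)]
    flat = [p for row in plain for p in row]
    random.Random(7).shuffle(flat)
    cipher = [flat[i * 8:(i + 1) * 8] for i in range(8)]
    cipher2 = [row[:] for row in cipher]
    cipher2[0][0] ^= 1  # a single-bit difference, as in a key sensitivity test
    for name, im in (("plain", plain), ("cipher", cipher)):
        corr = {d: round(correlation(im, d), 3) for d in ("horizontal", "vertical", "diagonal")}
        print(name, corr, "entropy", round(entropy(im), 3))
    print("NPCR/UACI", npcr_uaci(cipher, cipher2))
```

The permuted image has the same histogram as the plain image, so its entropy is unchanged while its adjacent-pixel correlation drops; this is why the paper reports entropy and correlation as separate tests.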