Representations of Generalized Self-Shrunken Sequences

Output sequences of the cryptographic pseudo-random number generator, known as the generalized self-shrinking generator, are obtained self-decimating Pseudo-Noise (PN)-sequences with shifted versions of themselves. In this paper, we present three different representations of this family of sequences. Two of them, the p and G-representations, are based on the parameters p and G corresponding to shifts and binary vectors, respectively, used to compute the shifted versions of the original PN-sequence. In addition, such sequences can be also computed as the binary sum of diagonals of the Sierpinski’s triangle. This is called the B-representation. Characteristics and generalities of the three representations are analyzed in detail. Under such representations, we determine some properties of these cryptographic sequences. Furthermore, these sequences form a family that has a group structure with the bit-wise XOR operation.


Introduction
Most of the devices that form part of the Internet-of-Things (IoT) require cryptographic security features to prevent users from data losses and the risks related to an improper use of passwords. Putting into effect cryptographic security is complicated. Most of the security systems are based on true random numbers, but their generation is really a difficult task [1,2]. Many popular random "noise" algorithms, for example, algorithms that are part of IoT devices, end up to be imperfect, showing glitches that make them predictable and vulnerable. Some weaknesses are never (publicly) found out, creating a false sense of security. The devices in which flaws are detected are those with the most flagrant errors and those most popular, for example, algorithms A5 in GSM communications cryptanalyzed in [3,4], the generator RC4 for encrypting Internet traffic cryptanalyzed in [5] or the J3Gen generator for low-cost passive RFID tags cryptanalyzed in [6]. To sum up, it is hard to build a true random number generator that can provide a strong cryptographic foundation for system security, especially for IoT devices (see [7,8]).
Pseudo-Random Number Generators (PRNGs) are reproducible and deterministic algorithms [9,10] used to generate random number sequences for cryptographic applications, such as key and nonces generation, digital signatures, and IoT security. These applications require various statistical properties, such as low autocorrelation, large period and linear complexity, rich dimensional distribution of the output sequence, and uniformity of distribution for large quantities of generated numbers (see ([11], Chapter 2) for more details).
Binary sequences produced by maximal-length Linear Feedback Shift Registers (LFSRs), called Pseudo-Noise (PN)-sequences [12], have been widely used in many diverse applications such as digital broadcasting, mobile wireless communications, e-commerce or cryptography (stream ciphers) [13,14].
In order to ensure practical cryptographic stability, it is necessary to destroy the linearity inherent to PN-sequences via different non-linear procedures.
LFSRs play an important role in the design of cryptographic PRNGs [15,16]. Among the most popular families of cryptographic sequence generators based on PN-sequences we can enumerate: non-linear filters with only one LFSR, combination generators that involve several LFSRs, clock-controlled registers where one LFSR controls the clock of the others or irregular decimation-based generators [11]. We focus our attention on this latter family.
Generally speaking, the regular decimation [17] of a sequence {a i } i≥0 by distance d is a new sequence obtained by taking every d-th term of {a i } i≥0 , that is, {a d·i } i≥0 . Nevertheless, it is the irregular decimation of PN-sequences [18], which can be considered as a powerful PRNG, producing sequences with good cryptographic properties, such as long periods, good distribution of zeros and ones along the sequence, large linear complexity, and two-valued autocorrelation properties.
In the literature, there are three well-known irregularly decimated generators: the shrinking generator [19], made up of two LFSRs with different lengths, the self-shrinking generator [20], based on the self-decimation of one single PN-sequence, and the generalized self-shrinking generator (GSSG) [21], which produces a family of sequences that includes the sequence produced by the self-shrinking generator [22]. Moreover, the modified self-shrinking generator [23] and the t-modified self-shrinking generator [24] are also members of such a family. These generators are fast, easy to implement and they generate good cryptographic sequences. Therefore, they seem adequate for lightweight cryptography and, in general, low-cost applications. In [25], the authors studied the randomness of the family of sequences generated by the GSSG by means of several complete and powerful batteries of statistical tests and graphical tools. In fact, they provided a useful vision of the behavior of such sequences and proved their suitability for cryptographic applications. In [24], the relationship among the generalized self-shrinking generator and the t-modified self-shrinking generator is deeply analyzed. Furthermore, in [26], the authors studied the relationship between that generator and the modified self-shrinking generator. In [27], other authors presented an extension of the self-shrinking generator to the Galois field of p n elements with p a prime integer, that is, the p-ary Generalized Self-Shrinking Generator (p-GSSG). Furthermore, they proved that the sequences generated by this new generator have large periods and good statistical properties.
At any rate, there exist other ways to built irregularly decimated generators, for example, irregularly decimated generators based on Feedback with Carry Shift Registers (FCSRs) instead of the traditional LFSRs [28,29]. These variants of the previous generators unify in a unique structure the non-linearity inherent to the FCSRs with the irregular decimation technique. An FCSR is the arithmetic or with carry analog of an LFSR. The main difference is the fact that the elementary additions are not modulo 2 additions but with the propagation of carries. FCSRs have been used in the design of stream ciphers [30], generating pseudo-random numbers [31], and can be efficiently implemented in parallel architectures [32].
In modern algebra, group theory is the study of groups, which are sets of elements with an operation that satisfies certain axioms. The basic structure of groups can be found in many mathematical phenomena such as symmetry and certain types of transformations. Group theory has applications in robotics, computer vision/graphics and medical image analysis, physics, chemistry, computer science, and even puzzles like Rubik's cube can be represented using group theory [33][34][35][36][37]. As we show in this paper, group theory also has applications in cryptography, since the set of output sequences of the generalized self-shrinking generator has the structure of an additive group and some of the properties of this family of sequences can be deduced as a consequence of this fact.
In this work, we study in detail three different representations of the sequences produced by the GSSG: the G-representation (introduced in [21]), the new p-representation and the B-representation (introduced in [38]). As far as we know, there are no other known representations for this kind of generators in the literature. In addition, we introduce a new way to compute the B-representation. Such a representation relates the output sequences of our generator with shifted versions of the diagonals of the binary Sierpinski's triangle, named binomial sequences. In terms of this representation, the structural properties of some binary sequences are easily analyzed. In brief, we give a binomial expression of these sequences, providing a relation among binomial coefficients, binary sequences and group theory.

Fundamentals and Basic Notation
In this section, we introduce some of the main concepts related to our work: the generalized self-shrinking generator and the binomial sequences.

PN-Sequences and GSSG
Traditionally, LFSRs implement linear recurring sequences [12]. LFSRs are electronic devices in which the information units are elements of binary field F 2 . They are made up of r interconnected memory cells (stages) that shift their contents to their next stages and a linear feedback to the empty stage. The register is shown in Figure 1. Generates the linear recurring sequence {u n } n≥0 (or denoted by {u n }) given by If the monic polynomial is a primitive polynomial, then the LFSR is called a maximal-length LFSR [12] and generates a PN-sequence (Pseudo Noise sequence) with maximum period T = 2 r − 1 with 2 r−1 ones and 2 r−1 − 1 zeros. This polynomial is known as the characteristic polynomial of the recurring sequence. A common metric of the security of a sequence for its possible cryptographic application is the linear complexity [39][40][41], denoted by LC. Roughly speaking, the parameter LC determines the portion of sequence we need in order to recover the whole sequence. In fact, LC is the length of the shortest LFSR that generates such a sequence ( [42], Chapter 5). Making use of the concept of recurrence, we can say that the LC of a sequence is the lowest order of its linear recurrence relationship. In cryptography, linear complexity clearly must take a large value, for example, half of the period: LC T/2. Nowadays, values of T in the range T ≥ 2 128 seem to be enough for cryptographic purposes (see specifications of the candidates in the call of NIST for lightweight cryptography primitives [43]).
Consider a PN-sequence {u i } i≥0 obtained from a maximal-length LFSR with L stages, an L-dimensional binary vector G = [g 0 , g 1 , g 2 , ..., g L−1 ] ∈ F L 2 and let {v i } i≥0 be the sequence defined as: Next, we define a decimation rule to generate a new sequence {s j } j≥0 as follows: The sequence {s j } i≥0 , denoted by S(G), is called the generalized self-shrunken sequence, GSS-sequence or simply generalized sequence associated with G, see [21]; and the sequence generator is called the generalized self-shrinking generator (GSSG).
Notice that when G runs over F L 2 \ {0 0 0} we obtain all the shifted versions of {u i } i≥0 (see Theorem 2). The set of sequences S = S(G) | G ∈ F L 2 is called the family of generalized sequences based on the PN-sequence {u i } i≥0 . This family S with the addition modulo 2, that is, with the bit-wise XOR operation, is an additive group [21]. In particular, the neutral element is the sequence S([0, 0, . . . , 0]) = {0 0 0 0 0 . . .} and the opposite of any sequence S(G) is the sequence itself. Moreover, the period of every generalized sequence is a divisor of 2 L−1 (the number of ones in the PN-sequence) and every sequence of this family is balanced except for the sequence identically of 1 and the null sequence ( [21], Theorem 1).
In Table 1, we can see the family of all generalized sequences generated by the PN-sequence {u i } i≥0 . Notice that the {v i } i≥0 sequences are shifted versions of the PN-sequence {u i } (which appears at the bottom of the table), a fact that we will prove later in Theorem 2. The bits in bold of each sequence {v i } i≥0 are the bits of the corresponding generalized sequence.  Notice that, since the number of ones in a PN-sequence of period 2 L − 1 is 2 L−1 (see [12]), the period of the generalized sequences is a divisor of 2 L−1 . We will see that there are always two sequences of period 1 (the identically 1 and 0 sequences), two sequences of period 2, {0 1 0 1 0 1 0 1} and {1 0 1 0 1 0 1 0 1}, and the remaining sequences have the maximum period 2 L−1 (although there is no mathematical proof for this last statement).
Relating to the linear complexity, in [39] Blackburn introduced an upper bound for the linear complexity of the self-shrinking generator. A generalization of this bound was introduced in [40] for the linear complexity of generalized sequences, that is, LC ≤ 2 L−1 − (L − 2). Furthermore, we know that for all generalized sequences, except for those with period 1 and 2, we have 2 L−2 ≤ LC (although there is no proof for this statement either).

Binomial Sequences
The binomial number ( n i ) represents the coefficient corresponding to x i in the expansion of the polynomial (1 + x) n . For every integer n ≥ 0, we know that ( n 0 ) = 1 while ( n i ) = 0 for i > n. Now, binomial sequences are introduced as follows.
is named the k k k-th binomial sequence.
In the sequel, the sequence b (k) n n≥0 will be simply denoted by ( n k ) . Table 2 shows the first eight binomial coefficients as well as the first eight binomial sequences with their corresponding periods and linear complexities. To check the form of the first 32 binomial sequences, see reference [38]. Moreover, recall that binomial sequences are just shifted versions of the successive diagonals of the Sierpinski's triangle depicted in Figure 2.  Theorem 1 ([38], Proposition 3, Theorem 13). The binomial sequence ( n 2 r +l ) with 0 ≤ l < 2 r and r being a positive integer has period of value T = 2 r+1 and linear complexity of value LC = 2 r + l + 1.
Check [38] for more properties of binomial sequences.

Representation of Generalized Sequences
In this section, we present three different representations of the generalized self-shrunken sequences. From these representations we can obtain important information about the sequences. For instance, the binomial representation or B-representation of the generalized sequences allows us to examine the cryptographic parameters of these sequences and obtain their linear complexity; the p-representation and G-representation provide information about the shifted PN-sequences used in the decimation and allow us to define a partition of the family of generalized sequences.
It is worth saying that there exist certain advantages and disadvantages among these representations. On the one hand, the B-representation is more general and can be used for any binary sequence with a period of a power of two. On the other hand, the p-representation and the G-representation are specific representations for generalized sequences and, therefore, do not exist for other generators. However, both representations are related, being possible to get one from the other. In this section, we present some relations between the different representations.

The G-Representation of a Generalized Self-Shrunken Sequence
It is well known [12] that a PN-sequence {u i } i≥0 generated by an LFSR with primitive polynomial p(x) of degree L can be represented by the trace map as follows where A ∈ F 2 L with A = 0 and α is a root of p(x), that is, a primitive element of F 2 L . From now on, we consider {u i } i≥0 a PN-sequence obtained from a maximal-length LFSR with characteristic polynomial p(x) of degree L.
Next theorem proves that the sequence {v i } i≥0 given in (1) is a shifted version of the PN-sequence {u i } i≥0 .

Remark 1.
Since G = 3 is the decimal representation of the binary number [0, 0, 0, . . . , 0, 1, 1], we have that Recall that the Zech logarithm of t with a basis of the primitive element α is such that α Z α (t) = α t + 1. Check [44] for more properties of this discrete logarithm. 1 1 1 1 0 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 0 1 0 0 1 0 1 1 0 0} which generates the family of generalized sequences shown in Table 3. The bits in bold in each sequence {v i } i≥0 correspond to the positions of the ones of the PN-sequence {u i } i≥0 , which appears at the bottom of the table. Furthermore, these bits are the digits of the corresponding S(G) sequence. Thus, in Table 3, the sequence

Example 2. Consider the LFSR in which the characteristic polynomial is p
Next, we consider some properties of this representation (G-representation) of the generalized sequences. Proof. Since G = 2 L−1 corresponds to the vector G = [1, 0, 0, . . . , 0], from Expression (1) we have that v i = u i , for i ≥ 0, and according to the decimation rule defined in (2), the output sequence {s j } j≥0 is the identically 1 sequence. Theorem 4. For G = 0, 1, . . . , 2 L−1 − 1, the sequences S(G) and S G + 2 L−1 are complementary sequences, in the sense that S(G) + S G + 2 L−1 is the identically 1 sequence.
Proof. Since the L-dimensional vector representations of G and 2 L−1 (2), in order to obtain the generalized sequences S(G) and S G + 2 L−1 we only consider the case when u i = 1. Therefore, s j = 1 + s j , which means that the sequences S(G) and S G + 2 L−1 are complementary.

The B-Representation of a Generalized Self-Shrunken Sequence
Let E be the shifting operator that acts on the terms of a sequence {u n } n≥0 , that is: Let r be a positive integer. A sequence {s j } j≥0 , of which the period is T = 2 r is, in turn, a particular solution of equation: where its characteristic polynomial is (x + 1) 2 r . According to [38,45], the solutions of Equation (4) can be written as: where the coefficients c i ∈ F 2 , 1 is the unique root of the polynomial (x + 1) 2 r with multiplicity 2 r and ( n i ) is a binomial coefficient reduced modulo 2. Thus, {z n } n≥0 is the bit-wise XOR of T binary sequences ( n i ) weighted by T binary coefficients c i . Hence, all the solutions of the difference equation written in (4) are sums of binomial sequences. In particular, every solution {z n } n≥0 can be written as: Expression (5) is the binomial representation (or B-representation) of the sequence {z n } n≥0 . In terms of this representation, the parameters of the sequence {z n } n≥0 can be easily analyzed. Indeed, the period of {z n } n≥0 is the period of the binomial sequence ( n ν ) and the linear complexity of {z n } n≥0 is the linear complexity of the binomial sequence ( n ν ) , that is LC = ν + 1 (see Theorem 1). As a consequence we can recall the following result. Theorem 2). Given the binary sequence {z n } n≥0 with period T = 2 r , where r is a positive integer, and linear complexity LC, such sequence can be written as a linear combination of binomial sequences, that is, We will use indistinctly the notation Notice that, in the B-representation, the term with the highest index is ( n LC−1 ). This means that the last term provides the LC of the sequence. We denote by {0} the B-representation of the null sequence.
Since the binomial sequence ( n ν ) (the term with highest index) is ( n 5 ) , then the linear complexity of {z n } will be LC = 6. In the same way, its period T = 8 coincides with the period of the sequence ( n 5 ) .
In [38], the authors proposed an algorithm to compute the B-representation of any sequence with a period of the power of two. Here, our aim is to propose another method to compute the B-representation of a generalized sequence. Next, we give a method to obtain this representation from any binary sequence of period a power of two. For this, we need to define a binary matrix called the binomial matrix, which is similar to the construction of a binary Hadamard matrix. Consider H 0 = [1] the binomial matrix for t = 0, that is, a matrix of size 2 0 × 2 0 . We construct the binomial matrix for t = 1 as follows which has size 2 1 × 2 1 . In general, we obtain the binomial matrix for t as where H t−1 is the binomial matrix of size 2 t−1 × 2 t−1 and 0 t−1 is the null matrix of the same size. Let {s n } n≥0 be a binary sequence of period T = 2 t . Given the binomial matrix H t of size 2 t × 2 t , we construct the binary vector The support of the vector B, denoted by supp(B), is the set of indices of the nonzero entries of B, considering the first position as the 0 position. Then, we define the B-representation of {s n } n≥0 , denoted by B({s n }), as the sequence given by the addition of the binomial sequences ( n i ) , for i ∈ supp(B), that is Notice that, as a consequence of Expression (6), we can only compute the B-representation of binary sequences of period T = 2 t . In particular, we can always obtain the B-representation of any GSS-sequence since the family of generalized sequences consists of 2 L sequences with periods power of two (see [21]).
The following example helps us to understand this construction. . We check it using the method defined previously. The period of the sequence is 2 3 , so we must construct the binomial matrix for t = 3, that is From Expression (6) Recall that the columns of the binomial matrix (read from right to left) correspond to the successive diagonals of the Sierpinski's triangle in Figure 2. Thus, the binary vector B in Expression (6) is just the product of [s 0 , s 1 , . . . , s 2 t −1 ] by the diagonals of such a triangle.
We know that the generalized sequences have periods of the form 2 r , with r < L. Therefore, we can express the generalized sequences as a finite sum of binomial sequences.
The following result is an immediate consequence of Theorems 4 and 3. This means that if we have the B-representations of the first 2 L−1 generalized sequences, then the B-representations of the remaining 2 L−1 sequences are the same ones except for the term ( n 0 ). In this way, the computation of generalized sequences is half-reduced.

Example 5.
Consider again the generalized sequences obtained in Example 2. In Table 4, we can find the B-representation of each one of these generalized sequences. As we saw in Section 3.1, the last 16 generalized sequences in Table 3 are the complementary sequences of the first 16 sequences and then, from Theorem 6, the B-representation of them is the same except for the term ( n 0 ) . Furthermore, the B-representation of S(16) is ( n 0 ) , as expected.
Some other properties of the family of generalized sequences can be deduced from the B-representation. We study these properties in detail in Section 4.

The p-Representation of a Generalized Self-Shrunken Sequence
In this subsection, we define a new representation of generalized sequences which gives us information of the shifted sequences employed in the decimation rule defined in (2).
From Theorem 2, we have that the sequence {v i } i≥0 is a shifted version of the PN-sequence {u i } i≥0 . Therefore, instead of considering the vector G in Expression (1) to construct {v i } i≥0 , we can simply consider the successive shifted versions of {u i } i≥0 and apply in each case the decimation rule given in (2).
Let us consider the p-shifted version of the PN-sequence {u i } i≥0 with 0 ≤ p < 2 L − 1. Applying the decimation rule given in (2), we construct the corresponding generalized sequence, which we denote by S{p}. This new representation of a generalized sequence is called p-representation.
One of the consequences of the group structure of S is that the sum of two generalized sequences is another generalized sequence. The following theorem allows us to obtain the p-representation of the resulting generalized sequence from the p-representations of two generalized sequences given.

Theorem 7.
Consider that {u i } i≥0 is the PN-sequence of an LFSR with primitive characteristic polynomial p(x) of degree L and α ∈ F 2 L is a root of p(x). Then, the sum of two generalized sequences obtained with shifts d 1 and d 2 is another generalized sequence with shift d 1 + Z α (d 2 − d 1 ), i.e, where Z α (·) is as before the Zech logarithm with basis α.
Proof. Assume that S{d 1 } = {s j } and S{d 2 } = {s j } are two generalized sequences obtained from the PN-sequence {u i }.
We have seen in Expression (3) that every element of {u i } can be expressed as where A ∈ F 2 L with A = 0. Therefore, we have that:
It is worth mentioning that the self-shrinking generator is another cryptographic sequence generator based on irregular decimation [20]. In this case, a PN-sequence is self-decimated producing a new sequence with good cryptographic properties. In [22], authors proved that the sequence produced by this generator can also be obtained with the generalized self-shrinking generator and the same characteristic polynomial with shift p = 2 L−1 . As a consequence of this fact and the previous theorem, we can introduce the following result.
The following lemma proves that there exists an element m ∈ {L − 1, L, . . . , 2 L − 3} such that α m+1 = α m + 1. Later, we check that the generalized sequences associated to these values, S{m} and S{m + 1}, are the sequences with period T = 2.
Let G m the binary representation of the value of G associated to m, and G m its decimal representation. Next, we introduce a theorem whose proof helps us to prove Theorem 10. Proof. According to Theorem 8, we can express m and m + 1 as: where τ(G m ) and τ(G m+1 ) satisfy . . , g L−2 , g L−1 ] and G m+1 = g 0 , g 1 , . . . , g L−2 , g L−1 .
From Lemma 1 and Expression (8) we deduce that: Therefore, As a consequence, the relation between G m and G m+1 is Notice that (10) implies that, when As a consequence, the resulting generalized sequences, S(G m ) and S(G m+1 ), are complementary (their sum is the identically 1 sequence).

p(x) m
x 5 + x + 1 13 Remark 2. Given the value of m for a primitive polynomial p(x), we can find the value of m * for p * (x) without computing any logarithm.

Partitions of the Family of Generalized Sequences
In this section, we study the family of generalized sequences as a partition of cosets of the quotient set given by S and a subgroup of generalized sequences. This partition will help us in the analysis of the structure of the family of generalized sequences and their cryptographic properties. Their different representations, presented in the previous section, will facilitate us in this study.

Additive Group Structure
We know that the family S of generalized sequences with the bit-wise XOR operation + is an Abelian additive group of order 2 L . Therefore, we can see it as an F 2 -vector space of dimension L. Furthermore, the additive group structure of (S, +) and Theorem 7 allows us to define the following group isomorphism, where S{p} denotes the p-representation.
Suppose that S comes from an LFSR of L stages and define K the set of the generalized sequences with periods 1 and 2; that is where m is given in Lemma 1. We have that (K, +) is a subgroup of S of order 4; therefore, K can be considered as a vector subspace of S of dimension 2.

Subsets of S of Order 2 2
From the groups S and K, we can define the quotient group S/K = {s + K | s ∈ S} , in which the order |S/K| is, by the Lagrange's Theorem (see ( [46], Section 6.8)), For each s ∈ S, the set s + K is called cosets of S modulo K and s is known as the representative of the coset. Due to the properties of the cosets of a group ( [47], Section 5.2) we know that any two cosets are either disjoint or identical, the union of the cosets is the own group and any subgroup is the coset defined by the neutral element. Although derived from a subgroup, cosets are not usually themselves subgroups of S, only subsets. So, we have a partition of the set of generalized sequences S into 2 L−2 cosets of size 4, denoted by S (i) 4 ; that is, In the following example, we construct the quotient group of a family of generalized sequences and their cosets, using the p-representations.

Example 9.
Consider the set of GSS-sequences S given in Table 5  From the group isomorphism between F 2 L and S given in (11) and by Theorem 10, we know that is isomorphic to K; therefore, the cosets of F 2 L modulo K can be written as α p + K, where φ(α p ) = S{p} = s ∈ S is the representative of the coset. Furthermore, each coset will be isomorphic to Example 10. Consider Example 9 again. We know that, in this case, m = 13. Therefore, the cosets of F 2 5 modulo K are K = 0, 1, α 13 , α 14 , 19 , α 11 , α 16 , α 9 , α 20 + K = α 20 , α 8 , α 10 , α 4 , Next, we study the B-representation of the cosets of order 4. We focus our attention in this representation because we can obtain the LC of a generalized sequence directly from it (see Theorem 5).
Recalling that we denote by {0 0 0} the B-representation of the null sequence, we have that the B-representation of φ(K) = {S(∞), S(0), S(m), S(m + 1)} is Therefore, the B-representation of the corresponding sequences of each coset will have the following form , with c i ∈ F 2 , denotes the B-representation of the sequence associated to the representative of the coset s + K, denoted by s. From Expression (7), we can obtain ∆ s taking {s n } = S{p} = s and the binomial matrix H L−1 in Expression (6). Notice that for a sequence with linear complexity equal to LC, we have that c LC−1 = 1 and c i = 0, for i ≥ LC (see Theorem 5). As we know that LC ≤ 2 L−1 − (L − 2) for the generalized sequences [40], then we consider the coefficients c i , for i = 0, 1, . . . , 2 L−1 − (L − 2), even though the last ones could be zeros.
Example 11. Consider again the set of generalized sequences S given in Table 5 and the cosets given in Example 9. In Table 7, we have the B-representation of each generalized sequence. Consider the coset α 6 + K = {α 6 , α 27 , α 26 , α 28 }. The B-representation of the set of generalized sequences {S{6}, S{27}, S{26}, S{28}} is given by where ∆ 6 = ( n 2 ) + ( n 10 ) + ( n 12 ) is the common term in the four representations. We have considered α 6 as the representative of the coset, but we could choose any element of the coset, since that α 6 + K = α 26 + K = α 27 + K = α 28 + K. In this example, we consider α 6 the representative of the coset, and the B-representation of S{6} is denoted by ∆ α 6 = ( n 2 ) + ( n 10 ) + ( n 12 ) .

Subgroups of S of Order 2 3
In the previous subsection, we give a partition of the family of generalized sequences using the cosets of S modulo K which do not have to be subgroups. In this subsection, we give a partition of S using subgroups of S obtained from these cosets and the subgroup K.
We can construct subgroups of S of order 8, denoted by S (i) 8 for i = 1, 2, . . . , 2 L−2 − 1, from the union of K and the cosets of S, s + K, for any s ∈ S.
From the isomorphism given in Expression (11), if we assume that φ(α p ) = s, then these subgroups can be expressed by The B-representation of the corresponding sequences of each of the subgroups S (i) 8 for i = 1, 2, . . . , 2 L−2 − 1 will have the following form is the binomial representation of the representative of the coset s + S.

Example 12. Consider again Example 11 and
In conclusion, from a primitive polynomial of degree L, we can obtain 2 L generalized sequences which can be divided into 2 L−2 disjoint subsets, including the trivial group K = 0 0 0, ( n 0 ) , ( n 1 ) , ( n 0 ) + ( n 1 ) and the cosets of size four constructed by bit-wise XORing a given generalized sequence with K; or into 2 L−2 − 1 subgroups of order eight, formed by the union of K and the cosets of order four.
At this point, a question that arises in a natural way is whether it would be possible to obtain a generalized sequence from other sequences contained in other groups. Due to the additive group structure, the answer is affirmative.

Study of LC of Generalized Sequences
Linear complexity is a measure of unpredictability of pseudo-random sequences and it is a very important cryptographic property ( [48], Section 2.3.5). Our aim in this section is to study the properties of the linear complexity of the family of generalized sequences, derived from their representations.
Cardell and Fúster-Sabater proved in [38] that we can deduce the linear complexity of any binary sequence with a period of the power of two from its B-representation. Theorem 12 ([38], Corollary 3). Given a sequence with B-representation ∑ t k=1 ( n i k ) , where i 1 < i 2 < · · · < i t are integer indexes, then the linear complexity of such a sequence is i t + 1.
As a consequence, we can introduce the following result. Proof. This result is immediate using the B-representation in the cosets. The LC of any generalized sequence in a given coset can be determined by the B-representation of the representative, denoted by ∆ s , since the rest of the sequences only differ from ∆ s in the binomial terms ( n 0 ) , ( n 1 ) , ( n 0 ) + ( n 1 ) , which will not affect the value of LC.
From a high number of computational examples and as a consequence of the structure of the additive group, it is possible to observe that for a family of generalized sequences coming from a PN-sequence with a characteristic polynomial of degree L, we get L − 2 different linear complexities with LC i > 2 L−2 , for i = 1, 2, . . . , L − 2; apart from the trivial ones, LC ∈ {0, 1, 2}, obtained in K. There are 2 L−(i+2) cosets, each of them with four sequences and each sequence with linear complexity LC i . The following example shows this fact.
Example 13. Table 7 shows the family of generalized sequences obtained for the primitive polynomial p(x) = x 5 + x 2 + 1. We distinguish with different colors the 2 5−2 = 8 different cosets of S of order 4. According to Theorem 12, we can determine the LC of a generalized sequence from its B-representation; and, from Theorem 13 we have that the LC for all the generalized sequences in a coset is the same. In this example, we obtain three different linear complexities LC 1 = 13, LC 2 = 12, and LC 3 = 11, which allows us to classify the cosets of S according to their complexities as follows

Example 14.
Consider the 64 generalized sequences obtained from the primitive polynomial p(x) = x 6 + x 5 + 1. In Appendix A we show a partition of the group of these generalized sequences S into 2 6−2 = 16 cosets of order 4. Note that we represent in bold the group K and then we add the representative of each coset of S. Binomial numbers, marked with different colors, provide the complexities of the sequences in each coset. Recall that the binomial number with the highest index in the B-representation is ( n LC−1 ). As we can see in Table 8, each term ( n LC i −1 ), i = 1, 2, 3, 4 appears in the B-representation of eight cosets. Furthermore, for every value of LC i , i = 1, 2, 3, 4, there exist a coset, the B-representation of which only contains one of the four terms ( n LC i −1 ) but not the others. In this example, these cosets are A 7 , B 2 , C 1 and D. Therefore, if we have four sequences, each one of them in one of the cosets above, we can obtain the 64 generalized sequences.
In general, given a primitive polynomial of degree L, we generate 2 L generalized sequences which can be divided into 2 L−2 cosets and with L − 2 different linear complexities LC i , i = 1, 2, . . . , L − 2. Each term ( n LC i −1 ) appears 2 L−3 times in the B-representations of the generalized sequences. As we checked previously, there are L − 2 groups that have one element ( n LC i −1 ), i = 1, 2, . . . , L − 2, but not the others. Therefore, we only need L − 2 sequences to generate the 2 L generalized sequences. We already knew this fact, since that S/K is a vector space of dimension 2 L−2 and thus can be generated by L − 2 cosets modulo the subspace K of dimension 2.

Conclusions
In this work, we introduce and analyze new ways to represent the generalized sequences, from which we study different properties of the sequences. We introduce the B-representation that allows us to express such sequences by means of binomial sequences, that is, shifted versions of the diagonals of the Sierpinski's triangle. Furthermore, this representation lets us generate binary sequences with controllable parameters such as the period and the linear complexity. We have also defined the G and p-representation, both related between them. From the p-representation we can obtain the shifted version of the corresponding input PN-sequence of the GSSG and vice versa. Using this p-representation, we can define an isomorphism between the family of generalized sequences produced by a primitive polynomial of degree L and the additive group F 2 L . As a consequence, we can create a partition of the sequences into subsets of cardinal 4, known as the cosets. Moreover, the B-representations of the four generalized sequences in each coset exhibit a well defined pattern and similar characteristics. This fact might be exploited in the cryptanalysis of this generator.
We still have different open problems to solve. In Section 4.2, we have analyzed the linear complexity of generalized sequences, but some results are just conjectures. The partition of generalized sequences into cosets of the quotient group S/K and the study of the linear complexity of the sequences in each coset have brought new questions to be solved. Furthermore, we want to prove that the period of any generalized sequence obtained from a primitive polynomial of degree L, except from the sequences with period 1 and 2, is always 2 L−1 and that 2 L−2 is a lower bound on the linear complexity. Finally, another interesting future line would be to study the generalized shelf-shrinking generator based on FCSRs (or similar structures), analyze their cryptographic properties and adapt all three representations to this new model. Funding: This research is partially supported by Ministerio de Economía, Industria y Competitividad (MINECO), Agencia Estatal de Investigación (AEI), and Fondo Europeo de Desarrollo Regional (FEDER, UE) under project COPCIS, reference TIN2017-84844-C2-1-R. It is also supported by Comunidad de Madrid (Spain) under project CYNAMON (P2018/TCS-4566), co-funded by FSE and European Union FEDER funds. The first author is supported by CAPES (Brazil). Finally, the second and fourth author are partially supported by Spanish grant VIGROB-287 of the Universitat d'Alacant.

Conflicts of Interest:
The authors declare no conflict of interest. The funders had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript, or in the decision to publish the results.

Abbreviations
The following abbreviations are used in this manuscript:

LFSR
Linear Feedback Shift Register PN-sequence Pseudo-Noise sequence LC Linear Complexity GSSG Generalized Self-Shrinking Generator GSS-sequence Generalized Self-Shrunken Sequence PRNG Pseudo-Random Number Generator FCSR Feedback with Carry Shift Register