Filtering Nonlinear Feedback Shift Registers using Welch-Gong Transformations for Securing RFID Applications

Pseudorandom number generators play an important role to provide security and privacy on radio frequency identification (RFID) tags. In particular, the EPC Class 1 Generation 2 (EPC C1 Gen2) standard uses a pseudorandom number generator in the tag identification protocol. In this paper, we first present a pseudorandom number generator, named the filtering nonlinear feedback shift register using Welch-Gong (WG) transformations (filtering WG-NLFSR) and the filtering WG7-NLFSR for EPC C1 Gen2 RFID tags. We then investigate the periodicity of a sequence generated by the filtering WG-NLFSR by considering the model, named nonlinear feedback shift registers using Welch-Gong (WG) transformations (WG-NLFSR). The periodicity of WG-NLFSR sequences is investigated in two ways. Firstly, we perform the cycle decomposition of WG-NLFSR recurrence relations over different finite fields by computer simulations where the nonlinear recurrence relation is composed of a characteristic polynomial and a WG transformation module. Secondly, we conduct an empirical study on the period distribution of the sequences generated by the WG-NLFSR. The empirical study states that a sequence with period bounded below by the square root of the maximum period can be generated by the WG-NLFSR with high probability for any initial state.


Introduction
A pseudorandom sequence generator is a heart of a stream cipher, which is used for generating a randomlooking binary keystream that is used to encrypt a binary message stream by XORing the plaintext with the keystream in a bit by bit fashion to produce the ciphertext.In practice, linear and nonlinear feedback shift registers (LFSRs/NLFSRs) have been widely used as basic building blocks for constructing stream ciphers.For instance, well-known stream ciphers, namely Grain, Trivium and Mickey in the eSTREAM project use NLFSRs as their building blocks [5].
The randomness properties of a sequence generated by an LFSR have been well studied and understood [6,7], however, the randomness properties of a sequence generated by an arbitrary NLFSR are not known and hard to determine.As an example, the cycle decomposition or cycle structure of an arbitrary NLFSR is not well understood and it is hard to determine the number of cycles and the lengths of the cycles in a cycle decomposition of an NLFSR.In the theory of NLFSRs, the cycle decomposition of NLFSRs is an important property to investigate first, since each cycle can be considered as a sequence and the cycles' lengths determine the periods of the sequences.
Several pseudorandom number generators have been proposed in the literature for EPC Class 1 Generation 2 RFID tags [1,14,16,20].Che et al.'s proposal [1] consists of an oscillator-based true random number generator (TRNG) and an LFSR of 16-stage where the TRNG is implemented using an analog circuit.In their design, one true random bit is added to each component of an LFSR generated 16-bit pseudorandom number.Due to having the linear structure, the PRNG has been attacked by Melia-Segui et al. [16] with high success probability 8n , where n is the length of the LFSR.To avoid such an attack, Melia-Segui et al. [16] proposed a design by employing eight primitive polynomials to an LFSR where in each clock cycle one primitive polynomial is chosen based on a true random number generator.In [20], Peris-Lopez et al. proposed a PRNG named LAMED for RFID tags, which can generate 32-bit random numbers as well as 16-bit random numbers.The internal state of LAMED is 64-bit including a 32-bit key and a 32-bit IV.LAMED always outputs a 32-bit random number, a 16-bit number is obtained by dividing 32-bit number into two equal halves and XORing these two halves together.Recently, Mandal et al. [14,15] designed a PRNG named Warbler based on nonlinear feedback shift registers for RFID tags.In their design, three NLFSRs are used, two of them work over the binary field and the other one is defined over a finite field.The internal state of Warbler consists of 65 bits and 16-bit random numbers are produced by taking disjoint sequences of 16 bits.
In this paper, we present a family of pseudorandom sequence generators, we call it the filtering nonlinear feedback shift registers using Welch-Gong (WG) transformations (henceforth called filtering WG-NLFSR).In particular, the filtering WG7-NLFSR is an instance of this family developed for EPC C1 Gen2 RFID tags and is composed of a nonlinear feedback shift register of length 23 and a WG transformation module over the field F 2 7 .Due to the nonlinear state update of the filtering WG-NLFSR, the period of a sequence generated by the filtering WG-NLFSR is not known in general.For the first time, we investigate the periodicity of a sequence generated by the filtering WG-NLFSR by considering the model, named nonlinear feedback shift registers using Welch-Gong (WG) transformations (WG-NLFSR).The design of the WG-NLFSR was inspired by the key initialization phase of the WG cipher, which was submitted to the eSTREAM project [5,19].In the WG-NLFSR, the nonlinear recurrence relation is composed of a primitive polynomial and a nonlinear WG permutation.Due to the nonlinear property of the recurrence relation, the WG-NLFSR will be resistant to the powerful cryptanalytic attacks such as algebraic attacks, cube attacks, correlation attacks, and discrete fourier transformation attacks.Another objective of this paper is to study the periodicity of an output sequence produced by the WG-NLFSR.The periodicity of WG-NLFSR sequences is investigated in two steps.Firstly, we perform the complete cycle decomposition for different nonlinear recurrence relations by computer simulations.It is observed that, for a proper selection of a characteristic polynomial, a sequence with period greater than the square root of the maximum period can be generated by the WG-NLFSR.Secondly, we conduct an empirical study for investigating the period distribution of WG-NLFSR sequences.In the empirical study, we consider different WG-NLFSR recurrence relations over different finite fields and compute the probability distribution for different cases.Our empirical study shows that, with high probability, the WG-NLFSR generates sequences with periods bounded below by the square root of the maximum period.Furthermore, we study the cycle decomposition of a composited recurrence relation and the randomness properties of a sequence produced by a composited recurrence relation over finite fields.
The remainder of the paper is organized as follows.
In Section 2, we define some terms and notations that will be used in the paper.In Section 3, we describe a general model of the filtering WG-NLFSR and a pseudorandom number generator, the filtering WG7-NLFSR.In Section 4, we study the periodicity of the WG-NLFSR sequences by performing the cycle decomposition of WG-NLFSR recurrence relations and by conducting an empirical study on the period Filtering WG-NLFSR for Securing RFID Applications distribution of WG-NLFSR sequences.Finally, in Section 5, we conclude the paper.

Preliminaries
In this section, we define the terms and notations that will be used in this paper to describe the filtering WG-NLFSR.
-F 2 t : a finite field with 2 t elements, which is defined by α with g(α) = 0, where g(x) be a primitive polynomial of degree t over the field F 2 . - -N = 2 nt − 1 : the maximum period of a nonzero sequence generated by an n-stage NLFSR over

The Welch-Gong (WG) Transformation
Let Tr(x) = x + x 2 + x 2 2 + • • • + x 2 t−1 be the trace function mapping from F 2 t to F 2 .Let t be a positive integer with t mod 3 = 0 and 3k ≡ 1 mod t for some integer k.We define the function h from F 2 t to F 2 t by h(x) = x + x q1 + x q2 + x q3 + x q4 and the exponents are given by q is known as the WG permutation and the function, from is known as the WG transformation [9].The WG transformation has good cryptographic properties such as high nonlinearity, algebraic degree, and at least 1order resiliency for a proper choice of basis.Moreover, a WG sequence has high linear complexity.
For the basic definition of randomness properties of sequences, the reader is referred to [7].

The Filtering WG-NLFSR
In this section we first give a general description of the filtering WG-NLFSR, which has two components including a characteristic polynomial and a WG transformation module.Then we present a pseudorandom number generator named the filtering WG7-NLFSR for EPC C1 Gen 2 RFID tags.

General Description of the Filtering WG-NLFSR
The filtering WG-NLFSR is a family of word-oriented pseudorandom sequence generators, where an internal state consists of n cells, each of which contains t bits.The total number of bits in an internal state of the filtering WG-NLFSR is n • t.Moreover, the internal state is updated by a nonlinear recurrence relation, which is composed of a characteristic polynomial and a nonlinear WG permutation over F 2 t .A block diagram of the filtering WG-NLFSR is provided in Figure 1.
Let a = {a i } i≥0 , a i ∈ F 2 t be a sequence generated by the n-stage nonlinear recurrence relation, which is defined as where WGP(x) is the WG permutation and (a 0 , a 1 , ..., a n−1 ) is the initial state.The filtering WG-NLFSR sequence {b i } is defined by b i = W G(a i ), where W G(x) is the WG transformation.It is not hard to show that the period of {b i } produced by the filtering WG-NLFSR is the same as the period of a.We note that the output sequence a cannot directly be used without applying the filter function because after n clock cycles one can have access to the internal state of the NLFSR, which allows an attacker to generate the whole sequence for a key.

The Filtering WG7-NLFSR
We now give the mathematical details of the filtering WG7-NLFSR which is similar to the WG-7 stream cipher [12].The main difference between the WG-7 stream cipher and the filtering WG7-NLFSR is that the WG-7 stream cipher uses the nonlinear feedback only at the initialization phase, but the filtering WG7-NLFSR always uses the nonlinear feedback function.The filtering WG7-NLFSR is composed of a nonlinear feedback shift register of length 23 and the WG transformation over the finite field F 2 7 .The finite field F 2 7 is defined by the primitive polynomial t(x) = x 7 + x + 1 over F 2 .
Due to the nonlinear WG permutation WGP7(x) in recurrence relation (2), the period of the sequence {a i } is not known in general.In Section 4, we will see a general investigation of the periodicity of a sequence produced by a nonlinear recurrence relation of the above type.As the keystream bits are generated by purely nonlinear feedback function, it will be resistant to powerful cryptanalytic attacks such as algebraic attacks, correlation attacks, cube attacks and discrete fourier transformation attacks [2,3,8,17].
The mathematical functions used in the filtering WG7-NLFSR are the same as the functions used in the WG-7 stream cipher and the nonlinear WG permutation feedback does not increase any extra cost (as it is implemented for the key initialization), the implementation will be the same as the WG-7 stream cipher.For details of the WG-7 stream cipher implementation, we refer the reader to [12].For easy reference, we reproduce the comparison of the implementations given in [12] in Table 8 in Appendix A, which indicates a microcontroller implementation comparison of the WG-7 stream cipher with other ciphers.The implementation includes the 4-bit MARC4 ATAM893-D microcontroller (a in Table 8) and the 8bit AVR microcontroller ATmega8 (b in Table 8) from Atmel.

Application of the Filtering WG7-NLFSR
The EPCglobal Class 1 Generation 2 (EPC C1 Gen2) is an RFID standard.The tag identification protocol in the EPC C1 Gen2 standard uses a couple of 16-bit random numbers for identifying low cost passive RFID tags.Passive RFID tags get power from the reader at the beginning of the communication.Most of the existing random number generators are based on an LFSR and a true random number generator.Moreover, a true random number generator consumes more power, occupies more area and the throughput is low.For such resourceconstrained environments, the filtering WG7-NLFSR can be used as a pseudorandom number generator for generating 16-bit random numbers.The 16-bit random numbers are generated by taking disjoint 16-bit sequence from the filtering WG7-NLFSR sequence {s i }.Based on the implementation given in [11,12], it is confirmed that Filtering WG-NLFSR for Securing RFID Applications the filtering WG7-NLFSR is a suitable candidate for RFID tags.

Period Analysis of the WG-NLFSR
In order to study the periodicity of a filtering WG-NLFSR sequence, we need to investigate the period property of a sequence produced by recurrence relation (1).We redefine the nonlinear recurrence relation over the field F 2 t as follows.Let a = {a i } i≥0 , a i ∈ F 2 t be a sequence generated by an n-stage nonlinear recurrence relation, which is defined as where WGP(x) is the WG permutation, t mod 3 = 0, and (a 0 , a 1 , ..., a n−1 ) is the initial state.We call the nonlinear recurrence relation  3), the period of the sequence a is not equal to the period of the polynomial p(x).In particular, the period of a depends on three parameters: the characteristic polynomial p(x), the WG permutation WGP(x), and the initial state.To investigate the period of sequence a, we need to study the cycle decomposition of the recurrence relation.
Remark 1.In recurrence relation (3), any permutation over a finite field F 2 t can be used.We here used WG permutation as a WG transformation has excellent cryptographic properties and it can be used for both feedback and filtering purposes.

Cycle Decomposition of the WG-NLFSR
It is not hard to show that the recurrence relation (3) generates sequences with no branch.Thus, the recurrence relation breaks the whole state space S into a finite number of disjoint cycles, which is known as the cycle decomposition of the recurrence relation [6].We denote by Ω the cycle decomposition of the recurrence relation (3), where For an arbitrary recurrence relation, the value of r is not determined.Let L i = |C i | be the number of states in C i , i = 1, 2, ..., r.Using any state of C i , all states in C i can be generated by recurrence relation (3).Thus, C i can be considered as a sequence with period L i .(For details of cycle decompositions, see [6].) x n be two polynomials over the field F 2 t .Two characteristic polynomials p(x) and q(x) in recurrence relation (3) have the same cycle decomposition with identical cycle lengths if Proof.The WG-NLFSR recurrence relation is given by Let {C i , i = 1, 2, ..., r} be the cycle decomposition of the recurrence relation for p(x).By taking 2 k -th power on both sides of the above recurrence relation, we obtain which has the same cycle decomposition as the original one for all initial states.Let which is the recurrence relation corresponding to the characteristic polynomial q(x).Hence, the polynomial p(x) and q(x) have the same cycle decomposition with identical cycle lengths.
We perform computer simulations for investigating the cycle structure of recurrence relation (3).By considering recurrence relation (3) over fields F 2 5 and F 2 7 , we present the cycle decompositions for different characteristic polynomials in Tables 1 -4, where Y denotes YES and N denotes NO.For smaller length cycles, we only provide distinct smaller length cycles in the cycle decompositions.In tables, the primitive elements α, β and the WG transformations over fields F 2 5 and F 2 7 are defined in Section 4. The computer simulations show that for a fixed WGP(x) and a proper selection of a characteristic polynomial, a sequence with period lower bounded by √ N can be generated by the recurrence relation (3), where a proper selection of a characteristic polynomial is meant by a characteristic polynomial in the recurrence relation (3) for which the lengths of all cycles are greater than or equal to √ N .It is noticed that the long period of a sequence generated by recurrence relation (3) does not depend on the irreducibility of the characteristic polynomial.In the recurrence relation, there exists a hidden relation between the coefficients of a characteristic polynomial and the exponents of the WG permutation and that hidden relation can determine a construction of a nonlinear feedback function, which will generate a sequence with a bounded period.Unfortunately, we are not yet able to explore the hidden relation.

Period Distribution of the WG-NLFSR
In this section, we conduct an empirical study on the period distribution of the recurrence relation (3)   empirical study is that it can convey a general behavior of this type of recurrence relations.
Procedure for Computing the Success Probability for Period ≥ √ N .We calculate the probability distribution of period as follows.For an WG-NLFSR recurrence relation, we perform the complete cycle decomposition by computer simulations.We first compute the complete cycle decompositions for different characteristic polynomials with the same WG permutation, where different characteristic polynomials are chosen randomly.Then, using the cycle decomposition we calculate the expected success probability and the standard deviation (SD) of the period greater than or equal to √ N .We note that the success probability is equal to one when the lengths of all the cycles are greater than or equal to √ N .The details of the success probability calculation is described in the following procedure.
Let D be a random variable which represents the number of distinct characteristic polynomials of the same degree.For each characteristic polynomial, the success probability of the period greater than or equal to √ N is computed as follows: Algorithm 1 Computing success probability 1: Compute {C 1 , C 2 , ..., C r }, which is the cycle decomposition of the characteristic polynomial with .., r. 2: Add all L j 's which are less than

√
N and let the sum be L sum .3: The success probability of the period bounded below by √ N for any initial state is 1 − Lsum N .
We then compute the expectation and standard deviation (SD) for the period of D success probabilities.Let D mean and D SD be the expectation and standard deviation, respectively.Then, we use the histogram with (D mean , D SD ) to represent the probability distribution of the period.In the following subsection, we present the experimental results by the above procedure.
Period Distribution of the WG-NLFSR over the Field F 2 5 and F 2 7 .In this subsection, we compute the expected success probability of period by the above Procedure 1 for the recurrence relation of length n = 3, 4 and 5 over the field F 2 5 and for the recurrence relation of length n = 3, 4 over the field F 2 7 .In Table 5, the WG permutations over fields F 2 5 and F 2 7 are defined.We consider the n-stage recurrence relation (3) with WGP5(x) and WGP7(x) as the WG permutation over the field F 2 5 and F 2 7 , respectively.Our simulation results for n = 3, 4 and 5 over the field F 2 5 are given in Table 6.Similarly, the simulation results for n = 3 and 4 over F 2 7 are given in Table 7.In Tables 6 and 7, we provide the number of characteristic polynomials (D), the expected success probability (D mean ), the standard deviation (D SD ), and the maximum value of the sum of all smaller length cycles which are less than √ N (L sum ).In addition, the average number of cycles in the cycle decomposition of the WG-NLFSR recurrence relation is presented.Our experimental results show that the numerical value for the average number of cycles is very close to the average number of cycles generated by the random sampling (let r s denote the expected number of cycles generated by the random sampling, then r s ≈ ln N , see [6]).For n = 3, the success probability of period lower bounded by √ N is depicted in Figure 3a in the of a histogram.In figures, the x-axis represents the success probability values and the y-axis represents the number of characteristic polynomials that have been taken.In the histogram, it can be observed that for most characteristic polynomials the recurrence relation produces sequences with period of at least √ N when the success probability is greater than 0.985.The empirical result for n = 3 in Table 6 says that if an arbitrary characteristic polynomial is chosen in the WG-NLFSR recurrence relation with WGP5(x), then, with expected probability 0.9945, the recurrence relation can generate a sequence with period lower bounded by √ N .In a similar fashion, the probability distributions of period for n = 4 and 5 over F 2 5 in Figures 3b and 3c, and n = 3 and 4 over F 2 7 in Figures 4a and 4b are depicted in the form of a histogram along with the expected probability.For n = 4 and 5, the expected success probabilities of the period are given by 0.990 and 0.9998, respectively, which are greater than the expected success probability for n = 3.
The empirical analysis shows that with a high probability the WG-NLFSR can generate a sequence with period at least √ N for a large length of the NLFSR.In particular, with very high probability, the filtering WG7-NLFSR can generate a sequence with period at least 2 80.5 .

Increasing the Period of a Sequence by the Composition of FSRs
In this section, we study the cycle decomposition of a composited recurrence relation, which is composed of a NLFSR-WG recurrence relation and a linear recurrence relation.In particular, we take the characteristic polynomial of the linear recurrence relation to be the primitive polynomial for producing a maximum length cycle in the cycle decomposition.The randomness properties such as the period and linear complexity of a sequence generated by a composited recurrence relation are discussed.
of two over a Finite Field.Let g(y 0 , y 1 , ..., y m−1 , y m ) = 0 and f (x 0 , x 1 , ..., x n−1 , x n ) = 0 be a linear recurrence relation a WG-NLFSR recurrence relation, respectively and which are given by   g, denoted by f • g, is defined as [18] f where Note that f • g and g • f are not the same in general.The following proposition states a relation between the cycle decomposition of f and the cycle decomposition of f • g.Proof.The proof follows from Theorem 3.14-15 (a) in Section 3 of [18].
The linear complexities of the sequences generated by the recurrence relation f • g = 0 are given in the following proposition.Note that by performing the composition operation between a linear feedback shift register and a nonlinear feedback shift register, we can increase the lengths of the sequences.

Conclusions and Future Work
In this paper, we presented a family of pseudorandom number generators named the filtering WG-NLFSR and the filtering WG7-NLFSR for EPC C1 Gen2 RFID tags.Due to the nonlinear feedback for the state update, the filtering WG7-NLFSR will be resistant to the powerful cryptanalytic attacks.In order to investigate the periodicity of a filtering WG7-NLFSR sequence, we introduced the WG-NLFSR, which generates sequences over the finite field.The periodicity of WG-NLFSR sequences is investigated by performing the complete cycle decomposition of the WG-NLFSR recurrence relations and by conducting an empirical study on the period distribution of WG-NLFSR sequences.In the cycle decomposition, we observed that there are many characteristic polynomials in which the cycle lengths are close to the maximum period or bounded below by √ N and we listed some characteristic polynomials over the fields F 2 5 and F 2 7 .We conducted an empirical study on the period distribution of the WG-NLFSR over the field F 2 5 and F 2 7 for different lengths of the shift registers.The empirical study reveals that, with high probability, the filtering WG7-NLFSR can generate sequences with periods bounded below by 2 80.5 .To the best of our knowledge, this is the first study in the literature on the cycle decomposition and the distribution of a period of a sequence generated by the nonlinear feedback shift register over an extension field.Finally, we studied the randomness properties of the sequences produced by a composited recurrence relation over a finite field.
As a future work, we investigate the randomness properties, especially the linear complexity of a filtering sequence produced by a composited recurrence relation of WG-NLFSR.

γ 2 .
(3) an WG-NLFSR recurrence relation.A block diagram of the WG-NLFSR sequence generation is shown in Figure 2. Note that an WG-NLFSR recurrence relation is uniquely determined by the characteristic polynomial p(x) and the WG permutation.For a fixed WG permutation, the recurrence relation is different if the characteristic polynomial is different.Architecture of the WG-NLFSR Due to the nonlinear term WGP(•) in the recurrence relation (

). Then we rewrite the 5 EAI
European Alliance for Innovation EAI Endorsed Transactions on Security and Safety 11 2015 -12 2016 | Volume 3 | Issue 7 | e3 above equation as on Security and Safety 11 2015 -12 2016 | Volume 3 | Issue 7 | e3 . The composition of f and 8 EAI European Alliance for Innovation EAI Endorsed Transactions on Security and Safety 11 2015 -12 2016 | Volume 3 | Issue 7 | e3

Table 6 .
The summary of simulation results over F 25

Table 7 .
The summary of simulation results over F 27