#### Abstract

This paper proposes a pseudorandom sequence generator for stream ciphers based on elliptic curves (EC). A detailed analysis of various EC based random number generators available in the literature is done and a new method is proposed such that it addresses the drawbacks of these schemes. Statistical analysis of the proposed method is carried out using the NIST (National Institute of Standards and Technology) test suite and it is seen that the sequence exhibits good randomness properties. The linear complexity analysis shows that the system has a linear complexity equal to the period of the sequence which is highly desirable. The statistical complexity and security against known plain text attack are also analysed. A comparison of the proposed method with other EC based schemes is done in terms of throughput, periodicity, and security, and the proposed method outperforms the methods in the literature. For resource constrained applications where a highly secure key exchange is essential, the proposed method provides a good option for encryption by time sharing the point multiplication unit for EC based key exchange. The algorithm and architecture for implementation are developed in such a way that the hardware consumed in addition to point multiplication unit is much less.

#### 1. Introduction

Wireless sensor networks have a wide range of applications such as habitat monitoring, home automation, and military and medical applications [1, 2]. Compared to conventional wireless networks, wireless sensors have limited resources that demand cryptographic solutions with reduced complexity. Due to the resource constrained nature, WSNs employ symmetric key encryption techniques that necessitate key management schemes suitable for these constrained applications. A detailed analysis of the proposals available in literature for key distribution shows that only the one-way function based schemes can provide security when a node is compromised in the initialisation phase. The light weight cryptographic algorithms based on random key predistribution [3, 4], polynomial based key distribution [5], and so forth offer no security in this scenario. All these schemes assume that a node cannot be compromised in the initialisation phase which is not true. For such schemes the time-out period of the initialisation phase cannot be kept large because it increases the probability that a node is compromised in the initialisation phase. On the other hand if the time-out period is kept small, then the connectivity of the network is affected. So there exists a trade-off between security and connectivity in such schemes whereas for the one-way function based methods no such trade-off exists. Thus for high security applications like military or medical applications, the one-way function based key management schemes are preferred.

Elliptic curve cryptography (ECC) is a promising solution in such scenarios because of the increased security per bit of the key, compared to other one-way functions [6–8]. All sensor networks require a message authentication code (MAC) and pseudorandom generator for secret key establishment and data transfer. If these two functions are implemented using standalone algorithms like SHA and AES along with ECC for key exchange, then the overall hardware complexity of the system will be very high. If the point multiplication unit used for key exchange can be time shared to perform the other two functions, the complexity of the entire system can be reduced. In this paper, an EC based pseudorandom sequence generator is proposed. The proposed method is developed in such a way that the hardware required to build the pseudorandom bit sequence generator in addition to EC point multiplication unit is much less. So this provides a highly suitable option for light weight encryption in systems using EC based key exchange.

#### 2. Related Works

In [9] Blum and Micali introduced the concept of generating CSPBSG (cryptographically strong pseudorandom bit sequence generator) using a cryptographic one-way function. Since then there are several approaches which make use of the cryptographic one-way operation of EC point multiplication for constructing stream ciphers. The concept of linear congruential generator is extended to EC and a generator for pseudorandom bit sequence from points on the elliptic curve is described in [10]. The sequence is proved to have good randomness properties but the security is dependent on the secrecy of the base point . In 2000 Shparlinski introduced the Naor-Reigngold generator [11]. The seed is a vector of random integers given as . The key for the th iteration is where . The output bit sequence is generated by applying truncation function to the -coordinate of the point in each iteration. The security of the random number generator is vested in ECDLP but the number of input random bits required to generate the sequence is high. The elliptic curve power generator (ECPG) [12] published in 2005 makes use of an integer as the random seed. The th iteration key and the output point is . The bit sequence is generated by truncating the -coordinate of the output point. The periodicity of the generator is very low and the period reveals some of the properties of the seed . The pseudorandom sequence generator based on EC published in [13] makes use of a single point multiplication in each iteration. The output bit sequence is the -coordinate of the output point sequence which is generated as where . The sequence is proved to have good statistical properties but the security analysis is not done. The dual EC generator proposed by Elaine Barker and John Kelsey was chosen as standard random number generator by NIST [14]. The random seed is an integer and makes use of two points and on the EC. The iteration key and the output point is . The output of the generator is where is the truncation function. The periodicity of the generator is found to be very low because of the method used for generating the iterating key. To increase the periodicity the iterating key is modified as . But then it is found that as the sequence becomes independent of the seed. New stream cipher designs based on EC are proposed in [15]. The three algorithms proposed are derived from the dual EC generator, linear congruential generator, and the Naor-Reigngold generator. The authors have proved that the sequences generated using these algorithms have large periodicity, but the hardware complexity is high. A stream cipher based on ECDLP is described in [16]. The method consists of three stages of operation: (i) initialization stage, (ii) key stream generation, and (iii) encryption stage. The mapping of key to a point on the EC is carried out in the initialization stage which increases the hardware and computational complexity and makes it less suitable for resource constrained applications. A key generation based on EC over finite prime field is published in 2012 [17]. The output is generated by truncating the -coordinate of the point where is the random value from the LFSR and ’s are points on the EC. The method described requires a lot of parameters, that is, the feedback polynomial of LFSR, seed value, EC parameters, and so forth, to be kept secret. The security of the sequence depends entirely on the secrecy of these parameters.

#### 3. Mathematical Background

Elliptic curves (EC) over a field are set of points that satisfy the Weierstrass equation given asThe variables , and the constants , and are all elements of the field . The definition of EC also includes a single element called the “point at infinity” or the “zero point” denoted by .

The set of points on an EC is an abelian group under an addition operation, and is the identity element. The addition operation is defined such that if , , and are three points on EC lying on the same straight line, then .

The cryptographic operation on EC is point multiplication. Given an integer “” and a point on the EC computing “” where “” is a new point on the EC is called point multiplication. This is a one-way function because computing “” is easy but given and finding “” is difficult. This is known as the elliptic curve discrete logarithm problem (ECDLP). The EC defined over (Galois field) are more suitable for hardware implementation. These curves are classified as super singular and nonsuper singular curves. The MOV (Menezes, Okamoto, and Vanstone) reduction method shows that ECDLP is harder in nonsuper singular curves [19]. Point addition and point doubling are the two mathematical operations defined on an EC. The point multiplication is done by repeated point addition and doubling.

Rules for point addition and point doubling on nonsuper singular curves over are as follows.(1)Point addition: if and , then is(2)Point doubling: if , then is given by

The security of EC point multiplication is increased by truncating the “” bit representation of the -coordinate of the point to “” bits and giving out as output. In [20] the authors have proved that, for an EC defined over , if the “” bit representation of the -coordinate is truncated to “” bits, the statistical distance between the output of truncation function and a random “” bit string is . Hence it is hard to determine whether a sequence is generated by truncating the -coordinate of a point on the EC or if it is chosen uniformly at random. This is known as truncation point problem (TPP).

#### 4. Analysis of EC Based Pseudorandom Sequence Generators

In this section, the analysis of various EC based pseudorandom sequence generators available in literature is carried out. For analysis the EC chosen is defined over . A point on the EC means where is root of the polynomial used for constructing the finite field.

##### 4.1. EC Based Linear Congruential Generator

In EC based linear congruential generator, the output point sequence is generated as where is the iteration number and is a point on the elliptic curve which is kept secret. The sequence passes through the complete cyclic subgroup of point . Thus the period of the sequence reveals the order of point which reduces the search space to a smaller value. The symmetric properties of the generated sequence also help to make cryptanalysis easier. The detailed cryptanalysis of this generator is given in [15]. Though the sequence has a good linear span and statistical properties, it cannot be used as key stream for stream cipher because of reduced security.

##### 4.2. PBSG-B

PBSG-B in [15] is a modification of the EC based linear congruential generator such that the periodicity is independent of the order of point and the output sequence does not have any symmetric properties which makes the cryptanalysis easier. For security, the authors assume that both point and the seed of the LFSR are kept secret. But the analysis shows that the security is dependent only on secrecy of point , which cannot be quantified.

For analysis, assume point is known to the attacker. The attacker can generate the entire sequence by choosing an arbitrary value as seed of LFSR. As the LFSR passes through the same sequence of states, the output bit sequence generated will only be a shifted version of the original sequence. If a part of the key stream is known to the attacker (considering a known plain text attack), the shift can be easily computed from the plot of the cross-correlation of the generated sequence and the known bit sequence. Let the EC be defined over . The feedback polynomial of the LFSR is , , and the initial seed . Assume the attacker knows a few initial bits of the sequence, that is, 10100011010001010011110010110. Let the initial seed chosen by the attacker to generate the sequence be 42. The plot of cross-correlation between the sequence generated with and the known sequence is given in Figure 1. From the position of the peak value in the cross-correlation function, the position of the known sequence and hence the LFSR seed (LFSR value at the 31st iteration = 126) can be easily determined.

##### 4.3. Elliptic Curve Power Generator

The output point sequence in ECPG is generated as , where and is the initial secret key. The output point sequence is the truncated -coordinate of the point . Let be the order of point . The period of the sequence is determined by the order of point and the seed and is given as . Thus, the periodicity of the sequence is much less compared to the order of point . Moreover, knowledge of the periodicity of the sequence reduces the search space for the seed .

The following analysis shows that the security of the generator is also very low. Let be the primitive element of the finite field over which the EC is defined. Generate a lookup table with and as entries of the table. Let be the initial seed . Assume that the attacker has identified two consecutive output points from its truncated version. Let and be the corresponding iteration keys identified from the lookup table. Then, . This implies or . Thus the initial secret seed can be easily determined.

##### 4.4. EC Based Random Number Generator

The random number generator proposed in [13] has reduced latency and increased periodicity with a single point multiplication operation in each iteration. The output point sequence is and where is the -coordinate of . The random number generator has good statistical properties and high periodicity. But it is found that the output sequence becomes independent of the key as the iteration number increases.

For illustration, an image is encrypted using the pseudorandom sequence generated with this algorithm. The EC is defined over and the output is truncated to 5 bits. The initial key seed is chosen as . The original and encrypted images are shown in Figures 2(a) and 2(b), respectively. The encrypted image is now decrypted with a different seed . The decrypted image is shown in Figure 2(c). From the image it is clear that, except for a very small region, the image could be decrypted with a different key. This shows that the sequence generated with this algorithm becomes independent of the initial key seed after a few iterations and is insecure as key stream for stream cipher.

**(a) Original image**

**(b) Encrypted image**

**(c) Image decrypted with wrong key**

##### 4.5. Dual EC Generator

The dual EC generator in [14] is published as a standard random number generator by NIST in 2007. The generator makes use of two points on the EC and , one for generating the iterating key as and the other for generating the output bit sequence as where is the truncation function. But it is found that if points and are not properly chosen, then the periodicity of the sequence is very low. Consider EC defined over . Let and . The output point sequence generated with initial key is shown as follows: , , , , , , , As seen from the above, the period of the output point sequence is only 5. The output point sequence generated with and with key = 9 is given as follows: , , , , , , .It can be clearly seen that, after three iterations, the output loops in two points on the EC.

##### 4.6. PBSG-A

A modification of the dual EC generator with increased periodicity named PBSG-A is published in [15]. In PBSG-A the iteration key is modified as where and “” is the seed value. In addition to two point multiplication operations the modified algorithm requires a finite field multiplication of iteration number “” and the value “” to be carried out in each iteration. This increases both the hardware complexity and the time complexity of the system. Though PBSG-A is a stream cipher algorithm which generates key stream with high periodicity in such a way that security depends on ECDLP, the structural complexity and latency are very high.

#### 5. Proposed Stream Cipher Design

The algorithm proposed in this paper addresses the drawbacks of the methods available in literature such as reduced periodicity, dependence on iteration number, security, and time complexity. The proposed method of stream cipher generation based on EC makes use of a single point on the EC and a single point multiplication operation in each iteration. This reduces the time complexity to a large extent in comparison with two point multiplication operations carried out in each iteration in dual EC and PBSG-A. In the proposed method, a blinded version of the iterating key is used to generate the output point sequence so that even solving ECDLP does not reveal the exact iterating key to the attacker there by increasing the security. Also the proposed method is designed to have reduced hardware complexity without compromising the security.

Each iteration in the proposed method consists of two stages: (i) generation of key for the th iteration and (ii) generation of the th output bit sequence. Various steps in algorithm can be detailed as follows. Let be the shared secret key. The value is the initial key for generating the iteration key and is the seed point of the LFSR. The LFSR is clocked once in each iteration. The key for the th iteration is taken as the sum of -coordinate of and the content of LFSR . That is, . The addition of the LFSR value in generating the iteration key introduces randomness in the key steam, increases the periodicity, and increases the attack complexity. Moreover, this makes the iteration key less dependent on the EC points generated in each iteration and the iteration number. Replacing the GF multiplication in PBSG-A with an LFSR results in reduced time and hardware complexity.

The output point for each iteration is computed as where the point multiplication “” is a precomputation stage. Providing this offset “” helps in blinding the exact iteration key from the attacker. An output point computation in the proposed method thus involves a point multiplication operation and a point addition, that is, . The -coordinate of the EC point is used to generate the key for th iteration. The truncated -coordinate of the point is given out as the bit sequence which further increases the security.

##### 5.1. Algorithm

Let be a point on the EC defined over . Let “” be the shared secret. Length of “” = 2 bits. Input: point , secret key “”. Output: bit sequence .(1)Get and from by truncating it to the required number of bits.(2)Generate .(3)Initial key and seed of LFSR .(4)Generate the key for th iteration .(5)Advance the LFSR count .(6)th output point .(7)Output bit sequence .(8)Return .(9)Go back to step (4).

#### 6. Period Analysis

In the proposed method the key advancement is done as where . The use of LFSR value increases the period of the generator. If this value is not added, then the output sequence will depend only on the point multiplication operation. The sequence will start repeating whenever where . But if LFSR value is added to the period will be governed by the period of the LFSR which is shown in the analysis below.

Assume that the output in the th iteration is the same as the output in the th iteration where . That is, . This implies or . In the th iteration, and in the th iteration . If the output of the th iteration is also equal to that of the th iteration, then ; that is, or . This shows that or since .

Since and are values of the LFSR, the same value will be repeated only after one period of the LFSR. For an LFSR of length “” bits the period is . Hence the output pattern will repeat only after integer multiples of the period “”. In general, the period of the sequence can be represented as “” where . Thus the period of the point sequence in the proposed method is at least the period of LFSR. Consider the implementation of the proposed method done over . Let the 163-bit representation of the -coordinate of the output point sequence be truncated to 100 bits. Then the period of the output bit sequence is at least , that is, approximately which is a large value when compared with other existing schemes.

#### 7. Security Analysis

This section analyses the security of the proposed stream cipher against various attacks. The analysis is carried out with the assumption that the EC is defined over and is a generator point on the EC. The EC chosen, the underlying field, and point are known to the attacker.

##### 7.1. Known Plain Text Attack

In the proposed method, the input secret is a random integer “”. A part of this secret key is used as the initial key for point multiplication and the other part is used as the seed value of the LFSR. The iteration key where is the content of LFSR after “” clock cycles. In each iteration, the iteration key is blinded by adding it with the secret key “” and the output point is computed as . The -coordinate of the point is truncated to generate the output sequence. These output random bits are XORed with the message bits to generate the encrypted data. To break this cryptosystem the attacker needs to retrieve the iteration key and the internal state of the LFSR.

In a known plain text attack, we assume that attacker has knowledge about a part of the message stream. This reveals a part of the bit sequence generated by the algorithm. Thus an attacker possesses a truncated version of the -coordinate of the points on the EC generated in a few iterations. For a successful attack, the attacker needs to identify the EC point from its truncated -coordinate. The security for this stage is provided by the truncation point problem. The truncation point problem states that it is hard to identify whether a sequence is generated by truncating the -coordinate of a point on the EC or if it is chosen uniformly at random.

Once the attacker has identified the point from its truncated version, the next step in the attack is to solve the ECDLP to identify the integer for point multiplication. The most common attacks on ECDLP are the Pollard-rho attack and the baby step-giant step algorithm [21].

*Pollard-Rho Attack*. Let be a point on the EC defined over . Let be the order of point . Then the complexity of Pollard-rho attack is given as . By Hasse’s bound, if is a generator point, then order of is approximately the size of the field. Therefore, the complexity in solving ECDLP is approximately .

*Baby Step-Giant Step Algorithm*. This is another common algorithm for attack on both DLP (discrete logarithm problem) and ECDLP. The complexity of this attack depends on the order of the point . For a point of order , the attack requires computation of points on the EC and memory to store these points. Thus the time complexity of solving ECDLP in the proposed method is point multiplication operations if point is a generator point.

The values retrieved by solving ECDLP are , , , and so forth where is the secret key. Assume that no blinding operation is done in generating the output sequence. Then the values retrieved by solving ECDLP are the iteration keys , , and so forth. These iteration keys are related as .

If two successive iteration keys are known to the attacker, that is, and , then the state of the LFSR can be easily found out as .

Thus by solving ECDLP for just two points in the output sequence the attacker can generate the whole key stream.

In the proposed method, because of the offset, the attacker can retrieve only the blinded iteration keys , , and so forth where ; that is, .

But neither nor are known to the attacker. For a successful attack, the attacker has to solve for . Let be the initial iteration key such that . Then , , and so forth. The output point sequence is generated as , , and so forth.

As can be seen from the above expressions, solving ECDLP for any number of output points yields little information about the offset and the iterating key . Thus given the only attack possible to find the value or is the brute force attack which has a complexity of . The key for the next iteration is computed as where is the content of the LFSR after “” clock cycles. This method of generating the iterating keys introduces randomness into the key sequences and increases the complexity of attack without much increase in hardware or computational complexity. For an attacker who has arbitrarily chosen the key for th iteration, generation of the key for the th iteration requires the knowledge of the content of the LFSR. For the randomly chosen value of or , the attacker has to find the LFSR state such that . The key stream is generated with these values of , , and and compared with the original key stream. This demands that the attacker has retrieved the output bit sequence of at least three consecutive iterations. If the generated key stream is different from the original then a new value for or is chosen and the above process is repeated. Thus the complexity of a known plain text attack on the proposed system is .

The various steps in the attack can be summarised as follows.(1)Get a few bits of the key stream from the known plain text.(2)Get from (TPP).(3)Solve for integer for th iteration, that is, (ECDLP).(4)Randomly choose and compute (brute force).(5)Find the LFSR state such that .(6)Generate the new key stream and compare with .(7)If go to step (4).

As the security of the proposed algorithm is vested in ECDLP, the elliptic curve must be chosen such that it can resist the MOV attack which uses Weil pairing to reduce the discrete logarithm problem on elliptic curves to the discrete logarithm problem (DLP) in finite field. This is due to the fact that various subexponential and quasipolynomial time algorithms for solving DLP are available in the literature. But studies reveal that MOV reduction is possible only for super singular curves and not for nonsuper singular curves. Therefore, a nonsuper singular curve needs to be chosen for secure implementations. The size of the finite field over which EC is defined can be determined based on the required security level as recommended by NIST. For example, NIST recommends the use of for 80-bit security. The family of NIST standard curves guarantees this security and hence can be used for implementing the proposed algorithm with a specific security level.

##### 7.2. Brute Force Attack

The complexity of brute force attack depends on the key space. In the proposed method the only secret is the value “” which is a binary string of length “” bits for an EC defined over . In the proposed algorithm, bits of the key is given as initial seed of the LFSR and the other bits is initial key for point multiplication. These initial seeds can take any value other than an all zero pattern. Hence, the key space available for the proposed algorithm is approximately and the complexity of the brute force attack is . Considering an implementation of the proposed algorithm over , the key space available is and the complexity of brute force attack is .

#### 8. Statistical Analysis

This section deals with the statistical analysis of the proposed pseudorandom sequence generator based on NIST randomness test suite and TestU01. For analysis based on NIST test suite, the EC chosen is defined over . is the primitive polynomial used for the construction of the finite field. A point on the EC means () where is root of the polynomial . A sequence of 50 points generated by running the algorithm with and two different key values is shown in Table 1. From the table it is clear that even for a single bit change in the key the sequences of points generated are entirely different. The output bit sequence is generated by truncating the -coordinate of each point in the sequence to 3 bits. The output bit sequence generated for and key = 1525 is shown as follows:Considering the theoretical analysis in Section 6, the expected period of the sequence is 381.

The bit sequence generated using the proposed method has been tested for its randomness properties based on five statistical tests. For Monobit test and runs test, the threshold value is 0.01 according to the NIST statistical test suite; that is, if the sample sequence gives a value greater than 0.01, then the sequence is accepted as random [22]. Serial test and Poker test were also carried out. The test statistics for these two tests are chosen such that reference distribution is distribution and if the test values of the sample sequence are less than the threshold, then the sequence is said to pass the test. For a significance value of 0.05 () the threshold values are 5.9915 and 24.9958, respectively [23]. The test result for various key values in Table 2 clearly demonstrates that the randomness property is satisfied. In addition, the autocorrelation function plotted in Figure 3 validates the randomness property and periodicity of the sequence.

TestU01 [24] is a software library implemented in ANSI C language which consists of utilities for statistical testing of uniform random number generators. It includes six predefined batteries as well as general implementation of classical statistical tests for pseudorandom sequences. Out of the six predefined batteries of TestU01, Crush, Big Crush, and Small Crush batteries are tests for sequences of real numbers and the batteries Rabbit, Alphabit, and Block Alphabit are for testing the binary sequences. Since the proposed pseudorandom sequence generator outputs a binary sequence, the sequence is subjected to Rabbit, Alphabit, and Block Alphabit test batteries. For analysis, EC is defined over and the output is truncated to 4 bits. A sequence of bits is generated and tested and the sequence passed all the three tests. The test results are given in Table 3.

#### 9. Statistical Complexity Analysis

In [25] the authors have shown that MPR statistical complexity can be used as a measure of randomness for pseudorandom sequence generators. Statistical complexity is defined as the product of disorder (entropy) of the system and the “distance” of the probability distribution from an equiprobable distribution in probability space. To analyse the MPR statistical complexity of a pseudorandom sequence, the normalised entropy and the complexity are plotted. The zero value of MPR statistical complexity indicates a truly random sequence and for pseudorandom sequences with good randomness, the complexity tends to zero and normalised entropy tends to 1. The expressions for computing normalised entropy () and complexity () are given as follows:where andHere represents the probability of symbol and is the number of symbols. The normalised entropy and the MPR statistical complexity of the proposed pseudorandom sequence generator are given in Figures 5 and 6, respectively. For analysis the output bit stream is grouped into 8-bit words. The analysis shows that the proposed pseudorandom sequence generator exhibits good randomness.

#### 10. Linear Complexity Analysis

Linear complexity and linear complexity profile of a pseudorandom sequence are two important characteristic parameters used to measure the security of the sequence when it is used as a key stream. The linear complexity of an ultimately periodic binary sequence is the length of the shortest LFSR that can generate with the convention that if is the zero sequence. Let be a finite sequence over . Denote the linear complexity of the first terms by . Then the linear complexity profile of is defined to be the sequence . For an LFSR of length “”, though the periodicity of the sequence generated is , the linear complexity is only “”. For a nonlinear sequence, the maximum possible linear complexity is the same as the period of the sequence.

One of the efficient methods to compute the linear complexity profile is the Berlekamp-Massey algorithm. The linear complexity profile of the proposed pseudorandom number generator computed using the Berlekamp-Massey LFSR synthesis algorithm is shown in Figure 4. The EC is defined over and the output is truncated to 3 bits. The period of the generated sequence is 381. From the plot it can be seen that the linear complexity profile is close to the line for the first period which is a property satisfied by unpredictable sequences. As seen in the linear complexity profile, the proposed random number generator has a linear complexity which is the same as the period of the sequence. Thus the proposed method exhibits very high linear complexity compared to LFSR based methods.

#### 11. Comparison with Other EC Based Stream Ciphers

The throughput (number of output bits per clock cycle), security, and hardware requirement of the proposed method are compared with EC based pseudorandom sequence generators available in literature.

##### 11.1. Throughput

In the proposed method, truncation function is applied to the -coordinate of the EC point to generate the output bit sequence. Consider an EC defined over . Let the -coordinate be truncated to “100” bits by the truncation function. Let “” be the number of clock cycles required for a point multiplication operation. Since each iteration involves only a single point multiplication operation, the throughput of the proposed system is approximately “” bits per clock cycle.

The output bit sequence in linear congruential generator [10] and its variant PBSG-B [15] are generated by applying trace function to the - and -coordinates of the output point sequence giving out two output bits in each iteration. This reduces the throughput of the system. In these two methods, generation of a single bit in the key stream requires “” clock cycles. This reduces the speed of operation of the encryption system and makes it not suitable for real time operations. Compared to “” for a linear congruential generator and its derivatives, the proposed method has a throughput of “” resulting in reduced latency and making it suitable for real time applications.

In dual EC generator [14] and various proposals based on this, each iteration consists of two point multiplication operations, one for generating the iteration key and the other for generating the output bit sequence. This highly increases the time complexity of the pseudorandom sequence generator. Assuming that “” clock cycles are required for a single point multiplication operation and the output is truncated to “100” bits as considered above, the system generates “” bits per clock cycle. The throughput of PBSG-A [15], which is a variant of the dual EC generator with increased periodicity and security, is similar to the dual EC because of the two point multiplications in each iteration. As each iteration in the proposed method consists of a single point multiplication operation, the time complexity is reduced to a large extent. In the proposed method the number of output bits per clock cycle is “.” This shows that the throughput of the proposed system is increased by a factor of “two” when compared to dual EC generator and PBSG-A.

The two methods available in literature with a throughput similar to the proposed method are ECPG and the pseudorandom sequence generator in [13]. Both methods make use of a single point multiplication in each iteration and the output bit sequence is generated by applying truncation function to the output point.

##### 11.2. Periodicity

This section analyses the period of various EC based pseudorandom sequence generators and compares it with the proposed method. Assume that the EC is defined over . Let be the order of point used for generating the sequence. The output is truncated to “” bits using the truncation function. From the period analysis given in Section 6 it is clear that the periodicity of the proposed pseudorandom sequence is independent of the order of point and is determined by the length of the LFSR or the size of the field over which the EC is defined. To analyse the dependence of the generated bit sequence on the initial seed, an image is encrypted using this sequence. The EC is defined over and the output is truncated to 5 bits. The initial key seeds chosen are and . The encrypted image is now decrypted with a wrong key . The original image, encrypted image, and image decrypted with the wrong key are shown in Figures 7(a), 7(b), and 7(c), respectively. This shows that the sequence generated is highly dependent on the initial seed.

**(a) Original image**

**(b) Image encrypted using the proposed method**

**(c) Image decrypted with wrong key**

For LCG and PBSG-A, the order of point determines the period of the sequence. Hence to achieve high periodicity, the order should be very large. However, determination of a point on the EC with high order for a large field size is computationally intensive and hence these approaches are not recommended. In case of ECPG, the periodicity is determined by the order of point and the value of the initial seed . The initial seed must be chosen such that is a large value. This limits the number of possible choices for and reduces the complexity of attack on the system. The period of a dual EC generator cannot be determined as it is dependent on points and used for generating the sequence. For certain values of and it is observed that the period is as small as 2. In PBSG-B, which is a variant of LCG, the period is determined by the length of the LFSR. In [13], the authors have shown that the period of the sequence is determined by the size of the field over which the EC is defined. But it is observed that the sequence becomes independent of the key seed after a few iterations. The output point sequence generated based on the algorithm in [13] for different values of key is given in Table 4. From the table it can be seen that after 20 iterations the system outputs the same sequence independent of the initial seed.

##### 11.3. Security

In the proposed method, the security analysis shows that the security is as high as solving ECDLP many times. The iteration key is blinded by adding an offset value so that only the blinded value can be retrieved by the attacker after solving ECDLP. From the security analysis of the proposed method it is clear that solving ECDLP for any number of points does not provide information about the iteration key or the secret value . Thus even after solving ECDLP, which has a complexity of for an EC defined over , the attacker has to go for a brute force attack to break the cryptosystem. Thus, the computational complexity of an attack on the proposed system is . From the analysis in Section 7.1, it can be seen that, to mount an attack on the proposed system, the attacker should have the output bit sequence corresponding to at least three consecutive iterations.

The linear congruential generator described in [10] and PBSG-B in [15] are proved to have good randomness properties but the security is dependent on the secrecy of point and not on ECDLP. Thus the computational complexity of an attack on the system cannot be quantified. Moreover, in LCG the period of the sequence reveals the order of point and the symmetric properties of the sequence make the cryptanalysis easier [15].

The random number generator in [13] has a throughput and periodicity similar to the proposed method. But the analysis in Sections 4.4 and 11.2 shows that the sequence becomes independent of the initial key seed after a few iterations. Thus the system is insecure and no security analysis is to be done.

The output point sequence and iteration key in ECPG [12] are computed as and where is the initial secret seed. A successful cryptanalysis can be mounted on ECPG by preparing a lookup table with and as entries, as a precomputation step. If two consecutive output points are known, then the initial secret key can be easily found out using this lookup table as explained in Section 4.3. Thus, security of ECPG is only due to the truncation function and is not dependent on ECDLP.

In dual EC generator, the iteration key and output point sequence are generated as and . If we assume that an attacker has retrieved the th iteration key by solving ECDLP, the iteration key can be easily found out as . Thus for a successful attack on the above system, solving ECDLP for a single point in the output sequence is sufficient. Hence, the attack complexity is .

PBSG-A [15] is a modification of the dual EC generator with increased periodicity. The output point sequence and iteration key are generated as and where and is the secret key. Assume that the attacker solved ECDLP and computed the iteration keys , and . These iteration keys are related as and . Using the above two equations, the attacker can compute and .

The difference of the above two expressions gives the value of the secret constant “”. Then the successive iteration keys can be easily found out as , and so forth.

Thus solving ECDLP for 3 consecutive output points results in a successful attack on the PBSG-A algorithm. The computational complexity can be expressed as .

A summary of these comparisons is given in Table 5. Here it is assumed that the EC is defined over and the truncation function truncates “” bits of the -coordinate of the output point sequence to “” bits of output bit sequence, for each point multiplication operation. Let be the order of point and let “” be the number of clock cycles required for point multiplication. The comparison results in Table 5 clearly indicate that the proposed method has increased security, periodicity, and throughput compared to other EC based systems available in literature.

##### 11.4. Structural Complexity

In this section, the approximate hardware resources required for the implementation of the proposed method are analysed.

The hardware requirement of various pseudorandom sequence generators is basically dependent on the method of generating the iteration key. In the proposed method, the generation of the iteration key involves the GF addition of contents of LFSR and the output of point multiplication unit. A basic structure of the proposed stream cipher is given in Figure 8. The hardware requirement in addition to the point multiplication unit is a register to store the initial seed, LFSR, a finite field addition unit, buffer to store the result of GF addition, multiplexer, and truncation unit. By properly choosing the basis for representing the field elements, the GF addition becomes a simple bitwise XOR operation so that the hardware complexity is reduced.

From Table 5, the only method with a security and periodicity comparable to the proposed method is PBSG-A. In PBSG-A the iteration key where “” is a constant. The hardware for computing can be implemented using a GF addition circuit and two buffers for storing and values so that . Thus computing the iteration key involves two finite field addition operations. These two operations can be done using the same GF addition unit by giving the input values through a mux. The various hardware units required for implementing the PBSG-A algorithm are (i) EC point multiplication unit, (ii) multiplexers to input values to the GF addition unit and to input points and alternately to the point multiplication unit, and (iii) buffers to store seed value, , , and values.

Various optimised implementation methods of elliptic curve point multiplication unit in terms of area utilisation and speed are available in literature. Approximate gate equivalent of various hardware units in the proposed method and PBSG-A is shown in Table 6 [26]. This is done under the assumption that the implementation is done over . From the table it is clear that hardware implementation of the proposed method requires 1,630 gates less compared to PBSG-A. Moreover there is only a marginal increase in the hardware requirement for implementing the proposed pseudorandom number generator compared to the point multiplication unit. If the point multiplication unit is time shared for both key exchange and stream cipher generation, then the overall hardware complexity of the system can be reduced and makes it suitable for applications with limited resources.

#### 12. Application of the Proposed Algorithm for Image Encryption

Image encryption is a potential application where stream cipher is highly preferred over block cipher due to the bulky nature of the data and high correlation between the adjacent pixels. The pseudorandom sequence used for image encryption must have good randomness properties and high periodicity so that the encrypted image is secure. In addition to the standard tests which check the randomness of pseudorandom sequences, the robustness and security of the sequence generator as a stream cipher for encrypting an image can be analysed by performing the security analysis of the ciphered image through evaluation of various parameters [27]. In this section, the pseudorandom sequence generated by the proposed algorithm is used for encrypting a 256 × 256 gray scale image and the security analysis of the ciphered image is carried out. The time required for encrypting a 256 × 256 image is evaluated on Intel Xeon 3.7 GHz CPU with 1 GB RAM as approximately 0.006 s.

The plain image is shown in Figure 9 and the encrypted image is shown in Figure 10. The various parameters analysed are distribution of the cipher text, correlation of two adjacent pixels, information entropy, avalanche criterion, and resistance to differential attack.

##### 12.1. Distribution of the Cipher Text

The histogram of the plain image and the encrypted image are given in Figures 11 and 12 respectively. From Figure 12 it can be clearly seen that the pixels in the encrypted image are uniformly distributed.

##### 12.2. Correlation of Adjacent Pixels

The adjacent pixels of the plain image are highly correlated as shown in Figure 13 and are prone to statistical attacks. To resist these attacks, the adjacent pixels of an encrypted image must be highly uncorrelated. The correlation of vertically adjacent pixels in the encrypted image is shown in Figure 14. It can be clearly seen that the pixels are uncorrelated and can resist the attacks. The vertical, horizontal, and diagonal correlations of adjacent pixels are computed using the following expressions and the results are summarised in Table 7:Here, is the variance of and is the expectation of .

##### 12.3. Information Entropy

Information entropy of a source is defined aswhere is the probability of symbol . For a gray scale image, the number of possible symbols is and hence the maximum entropy we can get is 8. The entropy of an encrypted image must be close to 8 to ensure that the information leakage is zero. The entropy of the encrypted image in Figure 10 is computed and the value obtained is 7.9968 which ensures that the encryption algorithm is secure.

##### 12.4. Sensitivity Analysis

In this section, the key sensitivity and plain text sensitivity of the proposed method are analysed. In key sensitivity, the change in the encrypted image for a change in single bit of the key is analysed and in plain text sensitivity the change in cipher image for a change in single pixel of the plain image is analysed. The two common measurements used to analyse the sensitivity are NPCR (number of pixels change rate) and UACI (unified average changing intensity). The NPCR and UACI values are computed using the following expressions:Here and are the two cipher images, , if , and , if ; and are the width and length of the image.

For key sensitivity analysis and are obtained by encrypting the plain image with two different keys and such that and differ only in a single bit. In the proposed algorithm, the pseudorandom sequence generated is independent of the plain text. To analyse the plain text sensitivity and the resistance of the algorithm against the differential attack, the input key of the pseudorandom sequence generator is made dependent on the plain image. This is done by generating the key to the sequence generator as the residue obtained by passing the plain text through a modular division circuit. The NPCR and UACI values are computed for both cases and are summarized in Table 8.

##### 12.5. Avalanche Criterion

The avalanche criterion is used to prove the sensitivity of the algorithm to plain text. Two images with one pixel difference and their corresponding cipher images are generated. The effects of one bit change in the plain image and cipher image are shown in Figures 15 and 16, respectively. From Figure 16 it can be clearly seen that one pixel change in the plain image produces considerable change in the encrypted images.

#### 13. Conclusion

Resource constrained applications like WSNs demand new algorithms for encryption which can offer reduced time complexity, structural complexity, increased security, and throughput. As ECC is a promising solution for key exchange with increased security, the point multiplication unit will be already available in the system as a part of key exchange. This paper describes a hardware efficient EC based random bit stream generator in which the point multiplication unit used for key exchange can be time shared to generate the pseudorandom sequence so that the overall hardware complexity is reduced. Five basic tests are done to check the randomness of the bit sequence generated and the sequence is found to have good statistical properties. The sequence exhibits very high periodicity and throughput in comparison with the EC based pseudorandom sequence generators available in literature. Similarly, compared to other EC based approaches, the computational complexity of known plain text attack on the system increases exponentially with the size of the key resulting in high security.

#### Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

#### Acknowledgment

This work is partially funded by the E-Security Division of the Department of Electronics and Information Technology under Ministry of Communication and Information Technology of Government of India, as per order no. 12(16)/2012-ESD dated 01-08-2013.