 And to recap, in general, a LFSR based on an nth order recurrence relation has period at most 2 to the power n minus 1. But its output can be completely determined if we find 2n consecutive terms. And this means we don't gain much security by using higher order recurrence relations. But could we simulate higher order recurrence relations? And for this, we'll introduce this notion of linear complexity. Suppose we have a sequence that, after the first few terms, can be generated by a kth order linear recurrence relation. If no linear recurrence relation of smaller order can generate the sequence, then the sequence is said to have linear complexity k. On the other hand, if no linear recurrence relation can produce the sequence, we say the sequence has infinite linear complexity. A useful result in all of this is that every periodic sequence has finite linear complexity. The proof is actually pretty trivial. If the sequence has period p, the recurrence relation an is the pth term before n generates the sequence. So there's at least one p minus first order linear recurrence relation that generates the sequence, and consequently the linear complexity is no more than p minus 1. So how can we improve our LFSRs for cryptographic purposes? So remember, one feature of LFSRs is that each term is dependent on the previous terms. But remember, one of the things that Shannon identified as part of a good cryptographic system was confusion. And that's basically reducing the dependence of any one term on the preceding terms. So to reduce this dependence, we'll add some confusion. And an easy way of doing that is we'll produce the sequence, we'll break the sequence into blocks, and then transpose elements within the blocks. And this goes back to a key cryptographic principle, we are stronger together. Greater security is achieved by mixing cryptosystems. So for example we might use the recurrence relation an congruent an minus 1 plus an minus 2 with seed 1, 1, and the transposition. And we'll use this to produce a sequence of pseudo random numbers. So first, our recurrence relation produces the sequence, and you'll notice that this is period 3 with a repeating block 1, 1, 0. Now we'll apply our transposition, and permuting the elements give us a new sequence. And something worth noting here is that our new sequence is period 15. And ordinarily, if we wanted to generate a period 15 sequence, we'd need a recurrence relation of degree at least 4. And this leads to the following useful result. If we apply a transposition on blocks of n consecutive elements to the output of a period p sequence, the resulting sequence has period np the least common multiple of n and p. And this suggests a way we could make recovering the recurrence relation much harder. We'll begin with a kth order recurrence relation that gives a period 2k minus 1 sequence of 1s and 0s. We'll find a permutation on p elements where p is relatively prime to 2k minus 1. And then we'll use the LFSR to generate sets of p terms, and apply the permutation to produce p terms of the pseudo random sequence. Another way to expand the period is to chain two or more LFSRs. For example, if A produces this output and B produces this output, we can add the output's mod 2 to get a new sequence. And as before, the period of the new sequence is the least common multiple of the periods of the two sequences we're combining. One particularly important variation on the LFSRs of following will take two LFSRs with different periods, preferably co-prime, which will produce two sequences. And you can think about this first sequence as a control sequence. It will determine whether or not we output our B sequence. So we might output our BI value if our AI value is 1, otherwise we'll output nothing. And it's important to recognize we'll still compute the B value, but it doesn't get output. Because the output sequence is shorter than the input sequences, this is known as a shrinking generator. And it's worth noting that we can use any sequence of ones and zeros. So we don't even need to have these produced by LFSR. This could be produced by LFSR with a transposition. So for example, maybe I have these two sequences and let's find the output when B is used to determine whether output A and the sequence when A is used to determine whether to output B. So let's use B to decide whether to output A. So we'll put down our two sequences, and remember B is controlling. If B is 1, we'll output whatever A says. So here B is 1, so our output C is the A value. Next, B is 1, so again we output the A value. Next, B is 0, so we ignore the A value and go on to the next. And again importantly, nothing is output. The next B value is 1, so we output the A value. The next B value is 1, so we output the A value. The next two B values are 0, so we don't output anything and so on. Similarly, if we use A to decide whether to output B, we obtain the following sequence. Again, our first two A values are ones, so we output the B values. Our next A value is 0, so we ignore the B value. We have another two ones, so we output the B values. The next A value is 0, so we ignore. The next two A values are ones, so we output the B values, and so on. And finally, there's one useful variation is the self-shrinking generator, where we don't actually need a second sequence. So if the output of a sequence is A0, A1, A2, and so on, we can use the even numbered terms to control the output. In effect, the even numbered term tells us whether to write down the next term or to ignore it. And again, it's important to remember we're still computing that next term, but we might not be outputting it as part of our sequence. So let's take our sequence 110, 110, and so on, and we'll find the output for a self-shrinking generator using A. And so here it helps to split up our terms. We have our even terms and our odd terms. And so our terms of the sequence are going to be 110, 110, 110, 110, and so on. And so we'll use our even terms to decide whether to output our odd terms, which gives us our sequence.