linear feedback shift registers and complexity a survey

Linear Feedback Shift Registers and Complexity A survey

Linear Feedback Shift Registers and ComplexityA survey

Michele Elia (Politecnico di Torino)

Bunny TN 3

Trento, 12 marzo 2012

Outline

...1 Binary sequences and Complexity

...2 Finite State Machines and LFSR

...3 HW/SW Complexity

...4 LFSR structures

...5 LFSR ?

...6 Conclusions

Outline

...5 LFSR ?

...6 Conclusions

Outline

...5 LFSR ?

...6 Conclusions

Outline

...5 LFSR ?

...6 Conclusions

Outline

...5 LFSR ?

...6 Conclusions

Outline

...5 LFSR ?

...6 Conclusions

Outline

...5 LFSR ?

...6 Conclusions

Binary sequences

. . . , 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, . . .

. . . , 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1, 1, . . .

. . . , 1, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, . . .

. . . , 0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, . . .

Cryptography

Testing of digital devices

Spread spectrum techniques

Navigation and localization systems

Simulation

Binary sequences

. . . , 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, . . .

. . . , 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1, 1, . . .

. . . , 1, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, . . .

. . . , 0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, . . .

Cryptography

Simulation

Binary sequences

. . . , 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, . . .

. . . , 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1, 1, . . .

. . . , 1, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, . . .

. . . , 0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, . . .

Cryptography

Simulation

Binary sequences

. . . , 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, . . .

. . . , 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1, 1, . . .

. . . , 1, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, . . .

. . . , 0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, . . .

Cryptography

Simulation

Binary sequences

. . . , 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, . . .

. . . , 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1, 1, . . .

. . . , 1, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, . . .

. . . , 0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, . . .

Cryptography

Simulation

Binary sequences

. . . , 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, . . .

. . . , 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1, 1, . . .

. . . , 1, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, . . .

. . . , 0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, . . .

Cryptography

Simulation

Random sequences (Knuth, The art of Computer Programming, vol.2)

.Definition (D.H. Lehmer (1951))..

A random sequence x1, x2, x3, x4, . . . is a sequence such that

...1 embodies the idea that each term is unpredictable to theuninitiated observer;

...2 its digits pass a certain number of tests traditional withstatisticians and depending somewhat on the uses to whichthe sequence is to be put.

Examples of Tests

Average, Mean-square error, χ-square test

Monte Carlo tests

Kolmogorov-Smirnov test

Runs’ test, Auto-correlation function test

Linear Complexity Profile

A random sequence x1, x2, x3, x4, . . . is a sequence such that

...1 embodies the idea that each term is unpredictable to theuninitiated observer;

Examples of Tests

Monte Carlo tests

A random sequence x1, x2, x3, x4, . . . is a sequence such that...1 embodies the idea that each term is unpredictable to theuninitiated observer;

Examples of Tests

Monte Carlo tests

Examples of Tests

Monte Carlo tests

Examples of Tests

Monte Carlo tests

Examples of Tests

Monte Carlo tests

Examples of Tests

Monte Carlo tests

Examples of Tests

Monte Carlo tests

Examples of Tests

Monte Carlo tests

Examples of Tests

Monte Carlo tests

Random sequences and Information measures

The maximum amount of information carried by a binarysequence is equal to its length.

A genuine random binary sequence of statisticallyindependent and equiprobable symbols cannot be describedusing an amount of information smaller than its length.

The measure of information carried by a sequence can betaken as a measure of its complexity: it follows thatgenuine random binary sequences are sequences ofmaximum complexity.

Kolmogorov: the algorithmic complexity description of anobject is the length of the shortest binary computer programthat describe the object

Linear registers

0 1 1 0 0

��m

g(Z) = 1 + Z−2 + Z−5

Linear registers

0 1 1 0 0

��m

g(Z) = 1 + Z−2 + Z−5

Linear registers

0 1 1 0 0

��m

g(Z) = 1 + Z−2 + Z−5

Linear registers

0 1 1 0 0

��m

g(Z) = 1 + Z−2 + Z−5

Linear registers

0 1 1 0 0

��m

g(Z) = 1 + Z−2 + Z−5

Linear registers

0 1 1 0 0

��m

g(Z) = 1 + Z−2 + Z−5

Linear FINITE STATE MACHINE (FSM)

A FSM is a five-tuple {A,S, stat, out, so} where

A is the output finite set of symbols (e.g. F2) .

S = {s} is the finite set of states (e.g. s ∈ Fm2 )

stat is the transition function, that is a mapping from Sinto S

stat : S → S

(e.g. stat(s) = Ms where M is an m×m binary matrix).

out is the output function, that is a mapping from S into A

stat : S → A

(e.g. out(s) = sm ∈ F2, s is an m-dimensional binaryvector)

so is the initial state, i.e. a fixed element from S

stat : S → S

stat : S → A

stat : S → S

stat : S → A

stat : S → S

stat : S → A

stat : S → S

stat : S → A

stat : S → S

stat : S → A

stat : S → S

stat : S → A

Linear Sequences x(0), x(1), . . . , x(n), . . .

A linear sequence generated by a FSM may be specified in twoways

Using the matrix description

s(n+ 1) = Ms(n) , x(n+ 1) = sm(n+ 1)

Using linear recurrences, i.e. recurrent equations of order m

x(n) = a1x(n− 1) + a2x(n− 2) + · · ·+ amx(n−m)

s(n+ 1) = Ms(n) , x(n+ 1) = sm(n+ 1)

x(n) = a1x(n− 1) + a2x(n− 2) + · · ·+ amx(n−m)

s(n+ 1) = Ms(n) , x(n+ 1) = sm(n+ 1)

x(n) = a1x(n− 1) + a2x(n− 2) + · · ·+ amx(n−m)

s(n+ 1) = Ms(n) , x(n+ 1) = sm(n+ 1)

x(n) = a1x(n− 1) + a2x(n− 2) + · · ·+ amx(n−m)

Generating function

The generating function of an infinite sequence is

X(Z) =

∞∑n=0

x(n)Z−n

The generating function of a linear sequence is a rationalfunction, i.e.

X(Z) =b(Z)

b0 + b1Z−1 + · · ·+ bm−1Z

−m+1

am + am−1Z−1 + · · ·+ Z−m

where bi’s depend on the initial state (initial conditions).

g(Z) is the LFSR polynomial generator, and is also thecharacteristic polynomial of the transition matrix M.

Generating function

X(Z) =

∞∑n=0

x(n)Z−n

X(Z) =b(Z)

b0 + b1Z−1 + · · ·+ bm−1Z

−m+1

am + am−1Z−1 + · · ·+ Z−m

Generating function

X(Z) =

∞∑n=0

x(n)Z−n

X(Z) =b(Z)

b0 + b1Z−1 + · · ·+ bm−1Z

−m+1

am + am−1Z−1 + · · ·+ Z−m

Generating function

X(Z) =

∞∑n=0

x(n)Z−n

X(Z) =b(Z)

b0 + b1Z−1 + · · ·+ bm−1Z

−m+1

am + am−1Z−1 + · · ·+ Z−m

Period

The generating function of a periodic sequence of period τ , canbe written as

X(Z) =x(0) + x(1)Z−1 + · · ·x(τ − 1)Z−τ+1

1− Z−τ

There is a minimum τ such that Mτ = I therefore thegenerated sequences are periodic of period not greater thanτ .

- In general the period depends on the initial state.- τ is the minimum integer such that g(Z) divides 1− Z−τ .The maximum value of τ is 2m − 1, and is attained byprimitive polynomial generators.The generated sequences are called m-sequences, in thiscase the period is independent of the initial state (theall-zeros state is excluded).

Period

X(Z) =x(0) + x(1)Z−1 + · · ·x(τ − 1)Z−τ+1

1− Z−τ

Period

X(Z) =x(0) + x(1)Z−1 + · · ·x(τ − 1)Z−τ+1

1− Z−τ

- In general the period depends on the initial state.- τ is the minimum integer such that g(Z) divides 1− Z−τ .

The maximum value of τ is 2m − 1, and is attained byprimitive polynomial generators.The generated sequences are called m-sequences, in thiscase the period is independent of the initial state (theall-zeros state is excluded).

Period

X(Z) =x(0) + x(1)Z−1 + · · ·x(τ − 1)Z−τ+1

1− Z−τ

LFSR and Cyclic codes

The block of symbols forming a period of an m-sequencegenerated by a given LFSR can be considered (are) ascodewords of a cyclic code which is the dual code

(2m − 1,m, 2m−1)

of an Hamming code (2m − 1, 2m − 1−m, 3).

Every non-zero code word of a dual Hamming code hasconstant weight 2m−1 (number of 1s), and the number of zerosis 2m−1 − 1.This interpretation is useful for computing the run distributionwithin a codeword.

(2m − 1,m, 2m−1)

of an Hamming code (2m − 1, 2m − 1−m, 3).Every non-zero code word of a dual Hamming code hasconstant weight 2m−1 (number of 1s), and the number of zerosis 2m−1 − 1.

This interpretation is useful for computing the run distributionwithin a codeword.

(2m − 1,m, 2m−1)

of an Hamming code (2m − 1, 2m − 1−m, 3).Every non-zero code word of a dual Hamming code hasconstant weight 2m−1 (number of 1s), and the number of zerosis 2m−1 − 1.This interpretation is useful for computing the run distributionwithin a codeword.

It also explains why their cyclic (or periodic) autocorrelationfunctions are ideal..Definition..

The periodic autocorrelation function of a binary sequence x(n)of length τ is defined as

c(δ) =1

τ∑i=1

(−1)x(i+δ)(−1)x(i)

The aucocorrelation function of a binary m-sequence is

c(δ) =1

τ∑i=1

(−1)x(i+δ)+x(i) =

{1 if δ = 0− 1

τ if δ ̸= 0 mod τ

It also explains why their cyclic (or periodic) autocorrelationfunctions are ideal.

.Definition..

c(δ) =1

τ∑i=1

(−1)x(i+δ)(−1)x(i)

c(δ) =1

τ∑i=1

(−1)x(i+δ)+x(i) =

{1 if δ = 0− 1

c(δ) =1

τ∑i=1

(−1)x(i+δ)(−1)x(i)

c(δ) =1

τ∑i=1

(−1)x(i+δ)+x(i) =

{1 if δ = 0− 1

c(δ) =1

τ∑i=1

(−1)x(i+δ)(−1)x(i)

c(δ) =1

τ∑i=1

(−1)x(i+δ)+x(i) =

{1 if δ = 0− 1

Run distribution

A run of 1s of length k in a binary sequence consists of kconsecutive 1s between two 0s

. . . 01111110 . . . . . . 0110 . . . 010 . . . 011111111110

and a run of 0s is similarly defined with the role of 0 and 1exchanged.Golomb derived the 0-1 run distributions, which are the same inany code word of a dual Hamming code:

− 1run of length m of ’1s’, and 0 runs of length m of ’0s’

− 0 run of length m− 1 of ’1s’, and 1 runs of length m− 1 of ’0s’

− 2m−k−2 runs of length k, of either ’0s’ or ’1s’,

for 1 ≤ k ≤ m− 2.(1)

LFSR: HW/SW complexity and classical structures

The complexity of circuits or software programs realizing aLFSR can be defined as the number of additions in F2 requiredto produce an output bit.The complexity is essentially equal to the number of 1s in thematrix defining the LFSR.Three structures are relevant

- Fibonacci LFSR obtained from the companion matrix ofg(Z)

- Galois LFSR obtained from the transpose of thecompanion matrix of g(Z)

- Tridiagonal LFSR obtained from a tridiagonal matrix with1s in the upper and lower sub-diagonals.

The complexity of circuits or software programs realizing aLFSR can be defined as the number of additions in F2 requiredto produce an output bit.

The complexity is essentially equal to the number of 1s in thematrix defining the LFSR.Three structures are relevant

The complexity of circuits or software programs realizing aLFSR can be defined as the number of additions in F2 requiredto produce an output bit.The complexity is essentially equal to the number of 1s in thematrix defining the LFSR.

Three structures are relevant

Fibonacci LFSR of order m = 5

0 1 0 0 00 0 1 0 00 0 0 1 00 0 0 0 11 0 1 0 0

��m

Galois LFSR of order L = 5

0 0 0 0 11 0 0 0 00 1 0 0 10 0 1 0 00 0 0 1 0

- m? -

Tridiagonal LFSR of order L = 5

1 1 0 0 01 1 1 0 00 1 1 1 00 0 1 1 10 0 0 1 0

HW/SW complexity

Fibonacci and Galois LFSRs have the same complexity,which is upper bounded by the length L.Note that, interesting generator polynomials have a smallnumber of coefficients equal to 1s, possibly 3 coefficients .Unfortunately binary irreducible trinomials does not existfor every L.

Tridiagonal LFSR have a slightly larger complexity, whichis upper bounded by 3L− 2, nevertheless, in somecircumstances may be preferred.

Note that not every binary polynomial of degree L is thecharacteristic polynomial of a tridiagonal matrix, however, ithas been proved that every binary irreducible polynomial is thecharacteristic polynomial of a tridiagonal matrix.

HW/SW complexity

Linear complexity profile

A linear sequence generated by a LFSR of length m has aperiod of length not greater than 2m − 1: that is ”The linearcomplexity of the sequence is small with respect to its length”.

.Definition..

The linear complexity ℓ(M) of a sequence X of length M is theminimum length of a LFSR that generates X .

If X is an m-sequence, then ℓ(M) = ⌈log2M⌉

If X is a genuine random sequence, then ℓ(M) = ⌈M2 ⌉

A linear sequence generated by a LFSR of length m has aperiod of length not greater than 2m − 1: that is ”The linearcomplexity of the sequence is small with respect to its length”..Definition..

Berlekamp-Massey’s algorithm

Given a sequence X of length N , the Berlekamp-Massey’salgorithm yields the length of the shortest LFSR generating X .

Question

Which is the linear complexity of a genuine random sequence?The approach is to compute for each subsequence of length n,for any n, its linear complexity, a task that yields the linearcomplexity profile.

ℓ(n)

Question

ℓ(n)

Question

Which is the linear complexity of a genuine random sequence?

The approach is to compute for each subsequence of length n,for any n, its linear complexity, a task that yields the linearcomplexity profile.

ℓ(n)

Question

ℓ(n)

Question

ℓ(n)

Self-Clock Controlled LFSR

A self-clock controlled LFSR is a linear feedback shift registersuch that some states are skipped depending on the statesthemselves .

Practically some states are shadowed (hidden) for the externalobserver. The result is that it is difficult to predict from thegenerated sequence which are the skipped states

- . . . J

. . . . . .I

. . . . . .@

��

��)� ��Figure: Clock-controlled LFSR Fibonacci-type: I output cell, J clockcontrol cell

Self-Clock Controlled LFSR

A self-clock controlled LFSR is a linear feedback shift registersuch that some states are skipped depending on the statesthemselves .

Practically some states are shadowed (hidden) for the externalobserver. The result is that it is difficult to predict from thegenerated sequence which are the skipped states

- . . . J

. . . . . .I

. . . . . .@

��

��)� ��Figure: Clock-controlled LFSR Fibonacci-type: I output cell, J clockcontrol cell

Self-Clock Controlled Fibonacci LFSR

An example is a Fibonacci LFSR in which a cell J is marked:any time that, in the transition to a new state, in cell J occursa 1, the new state is skipped and a second transition is operated(no further transition is done).Example

000011000001000 skipped state001001001001001 skipped state1010001010 skipped state0010100010

Period of a Clock-controlled LFSR sequence

The period is approximately 2/3 of τ :

3(2m − 1)− 2

(2m − 3− (−1)m

The generated sequences belong to a linear code: eachsequence can be seen as a code word of a punctured code(the punctured symbols correspond to the skipped states).

Different sequences produced by the same LFSR belong todifferent linear codes.

3(2m − 1)− 2

(2m − 3− (−1)m

3(2m − 1)− 2

(2m − 3− (−1)m

3(2m − 1)− 2

(2m − 3− (−1)m

0-1 Distributions in clock-controlled LFSR sequences

The numbers N0I and N1I of ’0s’ and ’1s’, in a sequencegenerated by a self-clock controlled LFSR, depend on both therelative position of control and output cells, and theimplementation LFSR-type, namely Fibonacci, Galois, orTridiagonal. For the Fibonacci LFSR N0I and N1I can becomputed in closed form.

Using the closed form of N0I and N1I , it is immediately seenthat the clocked sequence is perfectly balanced, i.e. N0I = N1I ,if and only if I = 1 if m is odd, and I = 2 if m is even.

The Linear complexity profile of a clock controlled LFSRsequence is practically optimal as it can be theoretically shown

��

slope 12

Figure: LCP for a clock controlled Fibonacci LFSR of length 22

Conclusions

1) LFSR are good generators of random sequences, which areeasy to implement and may work fast.However, in cryptography, the use of these linear sequencesneeds further artifices to counteract the weaknesses implicitin the linearity.

2) Self-clock controlled LFSR have optimal linear complexityprofile, indistinguishable from that of genuine randomsequences, thus may be (more) directly used incryptographic applications.

Conclusions

1) LFSR are good generators of random sequences, which areeasy to implement and may work fast.

However, in cryptography, the use of these linear sequencesneeds further artifices to counteract the weaknesses implicitin the linearity.

Conclusions

1) LFSR are good generators of random sequences, which areeasy to implement and may work fast.

However, in cryptography, the use of these linear sequencesneeds further artifices to counteract the weaknesses implicitin the linearity.

Conclusions

3) The observations collected in this talk have the modest aimof giving a quick view of the context in which is set thesearch for inexpensive mechanisms generating (binary)sequences that are good for cryptographic applications.

An endeavor that was and remains a source of challengingproblems for engineers and mathematicians.

Conclusions

References

...1 S.W. Golomb, Shift Register Sequences, Aegean Park Press,Laguna Hills, 1982.

...2 D.E. Knuth, The Art of Computer Programming,Seminumerical algorithms, vol. II, Addison-Wesley,Reading Massachussetts, 1981.

...3 R. Lidl, and H. Niederreiter, Finite Fields, Addison-Wesley,Reading, Mass., 1983.

...4 J. Hoffstein, J. Pipher, J.H. Silverman, An introduction tomathematical cryptography, Springer, New York, 2008.

References

...1 M. Elia, G. Morgari, M. Spicciola, On Binary SequencesGenerated by Self-clock Controlled LFSR, MTNS 2010,Budapest, Hungary.

...2 M. Elia, On Tridiagonal Binary Matrices and LFSRs,Contemporary Eng. Sciences, Vol. 3, no. 4, p167-182.

...3 R.A. Rueppel, Analysis and Design of Stream Cipher,Springer, New York, 1986.

...4 J.L. Massey, Shift-Register Synthesis and BCH decoding,IEEE Trans. on Inform. Th., IT-15, 1969, pp.122-127.

linear feedback shift registers and complexity a survey

Documents

4-bit bidirectional universal shift registers (rev. a)

registers shift registers

linear feedback shift registers...

shift registers -...

lsn 12 shift registers - university of...

1 ee365 sequential pld timing registers counters shift...

74hc165 8-bit parallel-load shift registers

practica 7: shift registers

galois fields, linear feedback shift registers and their

chapter 9: shift registers

engin112 l26: shift registers november 3, 2003 engin 112...

feedback shift registers and linear complexity

instructables led matrix using shift registers

shift registers and shift register counters

digital electronics electronics technology landon johnson...

parallel in/serial out shift registers

6-1 chapter 6 registers and counters. 6-2 outline registers...

parallel-load 8-bit shift registers (rev. d)

shift registers(2)

shift registers