
SEARCH ALGORITHMS FOR FCSR ARCHITECTURES AND PROPERTIES OF THE FCSR COMBINER GENERATOR

A THESIS

submitted by
S. ANAND

in fulfillment for the award of the degree


of
MASTER OF SCIENCE (BY RESEARCH)

FACULTY OF ELECTRICAL ENGINEERING


ANNA UNIVERSITY : CHENNAI 600 025
DECEMBER 2005

ANNA UNIVERSITY : CHENNAI 600025

BONAFIDE CERTIFICATE

Certified that this thesis titled ‘SEARCH ALGORITHMS FOR FCSR ARCHITECTURES AND PROPERTIES OF THE FCSR COMBINER GENERATOR’ is the bonafide work of Mr. S. ANAND who carried out the research under my supervision. Certified further that to the best of my knowledge the work reported herein does not form part of any other thesis or dissertation on the basis of which a degree or award was conferred on an earlier occasion on this or any other candidate.

Dr. Gurumurthi V. Ramanan


Supervisor
Member, Research Staff
AU-KBC Research Centre
MIT Campus of Anna University
Chennai – 600 025

ABSTRACT

The feedback-with-carry shift register (FCSR) is an important primitive in the design of stream ciphers. In the first part of this thesis, we propose efficient methods to search for FCSR architectures of guaranteed period and 2-adic complexity. We devise extended versions of these methods that yield architectures of guaranteed period and 2-adic complexity, given additional design constraints such as a fixed number of feedback tap connections. We also propose a search algorithm for a generalisation of the basic FCSR architecture called the d-FCSR, and discuss the difficulty of finding valid architectures for values of the parameter d other than d = 2.

In the second part of the thesis, we study the problem of improving the complexity of FCSR sequences by combining the outputs of two or more FCSRs nonlinearly. We then prove results that establish the period and bounds on the complexity of sequences obtained by combining the outputs of two 2-adic FCSRs using the XOR function.

ACKNOWLEDGEMENTS

It is a pleasure to acknowledge the help and guidance I have received from many people over the past four years. I would like to record my deepest appreciation and thanks to my supervisor, Dr. Gurumurthi V. Ramanan, for all his help, inspiration, and above all, for his faith in me. I was greatly inspired by a course on Discrete and Algebraic Structures that he gave some four years ago, and it led directly to my decision to join the M.S. programme. Whether it was prodding me on when I was lazy, or encouraging me to bravely fight on when the research was going nowhere, or exhorting me to be more ambitious, Guru was always trying to bring out the best in me. For this and much more, many thanks.

I would like to express my profound gratitude to Prof. C. N. Krishnan for allowing me to work at the AU-KBC Research Centre. His gesture came at a particularly crucial time in my life, and if in the long run, my life is counted a success, then it would be in no small measure due to the opportunity Prof. Krishnan provided me.

My thanks are also due to all the faculty members of the AU-KBC Research Centre, especially, Mr. M. Sethuraman, my joint-supervisor, and Prof. S. V. Ramanan. I have learnt a great deal from both of them, and in many ways, I rather hope to emulate their approach to problems and life in general.

I would also like to thank all my friends and colleagues at AU-KBC, especially, Raja, Sujith, Vijayalakshmi, Satish, and Muthuraja, for their comradeship, all-round help and good humour.

Finally, I thank my parents and family for their patience and understanding.

S. Anand

TABLE OF CONTENTS

CHAPTER NO. TITLE PAGE NO.

ABSTRACT iii

LIST OF TABLES vii

LIST OF FIGURES viii

1 INTRODUCTION 1
1.1 PSEUDORANDOM NUMBER GENERATORS 1
1.2 THE DESIGN OF STREAM CIPHERS 4
1.2.1 The requirements for a ‘good’ stream cipher 5
1.3 CONTRIBUTIONS OF THIS THESIS 7

2 FEEDBACK-WITH-CARRY SHIFT REGISTER SEQUENCES 9


2.1 THE PRECURSORS OF THE FCSR 9
2.1.1 The lagged Fibonacci generator (LFG) 10
2.1.2 The addition-with-carry generator (AWC) 11
2.1.3 The linear feedback shift register (LFSR) 13
2.2 REVIEW OF 2-ADIC NUMBERS 14
2.3 THE FEEDBACK-WITH-CARRY SHIFT REGISTER 16
2.3.1 Operation of the FCSR 16
2.4 ANALOGIES BETWEEN LFSR AND FCSR THEORY 18
2.5 PROPERTIES OF FCSR SEQUENCES 21

3 SEARCH ALGORITHMS FOR FCSR ARCHITECTURES 23


3.1 THE SEARCH ALGORITHMS 24

3.1.1 Search algorithm for the LFG 25


3.1.2 Search algorithm for the AWC 26
3.1.3 The basic FCSR search algorithm 27
3.1.4 FCSR search with additional constraints 29
3.1.5 Search algorithm for d-FCSRs 32

4 FCSR COMBINER GENERATORS 37


4.1 NOTATION 41
4.2 MAIN RESULTS 42
4.2.1 Period of the FCSR XOR combiner 44
4.2.2 Symmetric complementarity 47
4.2.3 2-adic complexity of the FCSR XOR combiner 47
4.2.4 Linear complexity of the FCSR XOR combiner 49

5 CONCLUSIONS AND FUTURE DIRECTIONS 50



LIST OF TABLES

TABLE NO. TABLE NAME PAGE NO.

4.1 Truth table for the XOR function 41



LIST OF FIGURES

FIGURE NO. FIGURE NAME PAGE NO.

1.1 Diagrammatic representation of a stream cipher 4

2.1 The Lagged Fibonacci Generator 10


2.2 The Add-with-Carry Generator 12
2.3 Fibonacci-configured LFSR 13
2.4 Fibonacci-configured FCSR 17

4.1 2-adic FCSR Combiner with XOR combiner function 41



CHAPTER 1

INTRODUCTION

Pseudorandom sequences are required in a wide variety of applications such as Monte-Carlo simulation, spread spectrum communication, radar ranging, randomised algorithms and cryptography. Some of the desirable properties of pseudorandom sequences used in simulation are an extremely long period, uniform distribution of n-tuples for all n, good lattice structure in high dimensions, and ease of computation both in hardware and in software. In cryptographic applications, in addition to all of these properties, the sequences must satisfy much more stringent requirements. For example, the pseudorandom number generators (PRNGs) used in stream cipher cryptography must be unpredictable. Since a PRNG forms the keystream generator of a stream cipher, the unpredictability of its output sequence is crucial to the overall security of the cipher system.

In this thesis, we present algorithms to efficiently generate ‘good’ architectures for a general class of PRNGs called the feedback-with-carry shift register (FCSR) and also investigate how the period and other important cryptographic properties of these generators may be increased. In Section 1.1 we explore the notion of pseudorandomness from a practical point of view. In Section 1.2 of this chapter we take a practitioner’s approach to stream cipher design and enumerate some desirable characteristics of ‘good’ stream ciphers. In Section 1.3 we present an overview of our contributions to the area of stream cipher design.

1.1 PSEUDORANDOM NUMBER GENERATORS

Everyone seems to have an intuitive conception of randomness. Philosophers and mathematicians have grappled with the problem of defining randomness for centuries. The subject has a long and rich history with some of the landmark theoretical contributions of the last century coming from von Mises, Wald, Church, Kolmogorov, Chaitin, Schnorr and Rissanen. Later Blum, Micali and Yao laid the foundations of the theory of pseudorandom sequences and effective information.

From a practical standpoint, a large number of methods have been developed to generate random sequences using the ordinary arithmetic operations of a computer. These sequences are generated deterministically and are therefore called pseudorandom or quasirandom sequences. When the method of generation has been carefully selected, such sequences have been found to be useful in a wide variety of applications. Some of the historically significant pseudorandom generators in the literature are von Neumann’s middle-square generator, the linear congruential generator (LCG), the multiplicative congruential generator (MCG) and the additive number generator. These generators produce uniformly distributed pseudorandom numbers. However, a number of them have been shown to be relatively poor sources of randomness. For example, Marsaglia (1968), in his landmark paper, showed that the numbers produced by the LCG fall mainly on planes in a high dimensional space. For an account of the theory of the LCG and the subsequent development of this subject we refer to Knuth (1998).

For practical purposes, we need some clear definition of randomness and here
we will follow the exposition of Golomb (1967). In some sense, there is no truly
random finite sequence. At best we can identify certain properties as being associated
with randomness, and accept sequences that have these properties as random. When
an ideal coin is tossed, we notice that:

1. The number of heads is roughly equal to the number of tails.

2. Approximately one-half the runs have length 1, one-fourth have length 2, and
so on.

3. A sequence of coin tosses possesses a special kind of auto-correlation function with a strong peak in the middle that tapers off rapidly at the ends.

The autocorrelation function may be defined as follows. Suppose $(a_n) = \{a_0, a_1, \ldots\}$ is a sequence of real terms; then the autocorrelation $C(\tau)$ is defined as

$$C(\tau) = \lim_{N \to \infty} \frac{1}{N} \sum_{n=1}^{N} a_n a_{n+\tau},$$

provided the limit exists. If $(a_n)$ is a periodic sequence with period $T$, this reduces to

$$C(\tau) = \frac{1}{T} \sum_{n=1}^{T} a_n a_{n+\tau}.$$

Here $\tau$ represents a ‘phase shift’ of the sequence and the autocorrelation is then a measure of the similarity between the sequence and its phase shift.

From our observations on the coin-flipping phenomenon we are led to a definition of randomness of periodic binary sequences that was first made precise by Golomb (1967). These are called Golomb’s randomness postulates. Suppose a periodic binary sequence of period $T$ is represented using the symbols $+1$ and $-1$ rather than the usual 1 and 0. Then, Golomb’s randomness postulates are:

R1: In every period, the number of $+1$s is nearly equal to the number of $-1$s. Thus $\left|\sum_{n=1}^{T} a_n\right| \le 1$.

R2: In every period, half the runs have length one, one-fourth have length
two, one-eighth have length three, etc., as long as the number of runs so
indicated exceeds 1. Moreover, for each of these lengths, there are equally
many runs of +1s and −1s.

R3: The autocorrelation function $C(\tau)$ is two-valued:

$$T\,C(\tau) = \sum_{n=1}^{T} a_n a_{n+\tau} = \begin{cases} T & \text{if } \tau = 0 \\ K & \text{if } 0 < \tau < T. \end{cases}$$

These three conditions are independent of each other. Any sequence that satisfies
these conditions is called a pseudonoise sequence or PN sequence.
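As an added illustration (not part of the thesis), the following Python checks postulates R1–R3 on one period of a ±1 sequence, using the periodic autocorrelation $T\,C(\tau)$ defined above; the period 1110100 is a constructed input, as is the counter-example 1100.

```python
# Added example: testing Golomb's postulates R1-R3 on a periodic +1/-1 sequence.
# The sequences below are constructed periods; they are not data from the thesis.

def autocorrelation(seq):
    """T*C(tau) = sum_{n=1}^{T} a_n a_{n+tau} over one period (indices taken mod T),
    for tau = 0, 1, ..., T-1."""
    T = len(seq)
    return [sum(seq[n] * seq[(n + tau) % T] for n in range(T)) for tau in range(T)]

def cyclic_runs(seq):
    """Maximal runs of equal symbols in one period, treated cyclically.
    Returns a list of (symbol, length)."""
    T = len(seq)
    if len(set(seq)) == 1:
        return [(seq[0], T)]
    # rotate so that the period begins at a run boundary; a run that wraps
    # around the end of the period is then counted once
    start = next(i for i in range(T) if seq[i] != seq[i - 1])
    rotated = seq[start:] + seq[:start]
    runs = []
    for s in rotated:
        if runs and runs[-1][0] == s:
            runs[-1][1] += 1
        else:
            runs.append([s, 1])
    return [(s, length) for s, length in runs]

def golomb_r1(seq):
    """R1: |sum of the +1/-1 terms over a period| <= 1."""
    return abs(sum(seq)) <= 1

def golomb_r2(seq):
    """R2: half the runs have length 1, a quarter length 2, ... as long as the number
    of runs so indicated exceeds 1, with equally many runs of +1s and -1s."""
    runs = cyclic_runs(seq)
    total, length = len(runs), 1
    while total / 2 ** length > 1:
        expected = total / 2 ** length
        plus = sum(1 for s, l in runs if l == length and s == 1)
        minus = sum(1 for s, l in runs if l == length and s == -1)
        if plus + minus != expected or plus != minus:
            return False
        length += 1
    return True

def golomb_r3(seq):
    """R3: T*C(tau) equals T at tau = 0 and a single value K for 0 < tau < T."""
    tc = autocorrelation(seq)
    return tc[0] == len(seq) and len(set(tc[1:])) == 1

def is_pn_sequence(seq):
    return golomb_r1(seq) and golomb_r2(seq) and golomb_r3(seq)

def to_pm1(bits):
    """Map a binary string to the +1/-1 alphabet used in the postulates."""
    return [1 if b == "1" else -1 for b in bits]

# Constructed samples: the period-7 sequence 1110100 satisfies all three postulates
# (T*C(0) = 7 and T*C(tau) = -1 for every other tau); 1100 satisfies R1 and R2 but
# its autocorrelation takes three values, so it fails R3.
PN7 = to_pm1("1110100")
NOT_PN = to_pm1("1100")

if __name__ == "__main__":
    print(autocorrelation(PN7), is_pn_sequence(PN7), is_pn_sequence(NOT_PN))
```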

1.2 THE DESIGN OF STREAM CIPHERS

Stream ciphers are private-key encryption algorithms that operate on the plaintext one bit at a time. They are extremely fast and easy to implement in both hardware and software. In addition, they usually have very minimal memory and hardware resource requirements and therefore find applications in memory-constrained or area-constrained devices such as smart cards, etc. Stream ciphers have been especially popular in military communications since they offer a practical alternative to the one-time pad, albeit without its absolute security guarantee. In this section we present a general introduction to stream cipher design using the terminology of Beker and Piper (1982).

The structure of a stream cipher is shown diagrammatically in Figure 1.1. The ‘algorithm’ or keystream generator is usually a finite state machine such as one or more LFSRs with additional boolean logic. The initial state of the pseudorandom keystream generator represents the key of the stream cipher. The keystream when ‘XOR-ed’ with the binary plaintext gives the ciphertext. The cryptanalyst, although not strictly a part of the system, is included in the diagram merely to indicate where interception is likely to occur.

[Figure 1.1: Diagrammatic representation of a stream cipher. Blocks: Key → Algorithm → infinite binary sequence (keystream), combined with the binary plaintext to give the ciphertext; the interceptor (cryptanalyst) sits on the ciphertext channel.]



Conventional block encryption algorithms such as AES can also be used like a
stream cipher by running them in one of the so-called feedback modes, namely, output
feedback mode (OFB) and cipher feedback mode (CFB). However, an important point
of difference between block ciphers used in feedback mode and the stream ciphers is
that in the latter, there is no error propagation: any error in one of the ciphertext bits
does not affect subsequent ciphertext bits. In many applications, the propagation of
errors is undesirable and in such situations, stream ciphers are preferable to block
ciphers.

As is usual in cryptography, we must never underestimate the cryptanalyst, and this means we must assume:

C1: The cryptanalyst has a complete knowledge of the cipher system, and
all the security lies in the key.

C2: The cryptanalyst has obtained a considerable amount of ciphertext.


C3: The cryptanalyst knows the plaintext equivalent of a certain amount
of ciphertext.

These assumptions may seem pessimistic but they are, at any rate, realistic and any cipher system must be secure under these assumptions. Naturally, the terms ‘considerable amount’ and ‘certain amount’ in the assumptions would need to be quantified and their precise values would depend upon the system and the level of security desired.

1.2.1 The requirements for a ‘good’ stream cipher

If we accept the assumptions C1–C3 above, then the requirements for stream
ciphers may be stated as:

A1: The number of choices for the key must be large enough that the
cryptanalyst cannot try them all.

A2: The infinite keystream must have a guaranteed minimum length for its
period. We then only encipher plaintexts that are shorter than this period.

A3: The ciphertext must appear to be ‘random’.

A4: The system must appear to be nonlinear.

Loosely, we may say that a ‘random’ sequence is one in which knowledge of a number of consecutive elements does not help anyone trying to predict the next one. Since the keystream generator is a finite state machine, its output is periodic, and therefore the keystream sequence cannot be truly random. Nevertheless, if the period is large enough, we can obtain sequences that are effectively random in the sense implied by Golomb’s postulates. In practice, the cryptographer hopes that the length of the sequence obtained by the cryptanalyst is small compared to the period of the keystream. Therefore it is important that the keystream sequence not only appear random over the entire period, but it should also have ‘good’ local randomness properties. Statistical tests for investigating local randomness properties of sequences are thus a useful tool in stream cipher cryptography.

It is important to realise that the requirements such as long period, high nonlinearity and good statistical properties only offer the necessary conditions for a good sequence. By no means do they guarantee a secure system. Further, the properties stated are independent in the sense that no two of them guarantee another, and therefore, they must all be separately and carefully checked. In practice, it is seen that many of the pseudorandom generators suffer from a number of statistical defects. This motivates our development of search algorithms for generating FCSRs with prescribed characteristics such as period and distribution properties.

Practically speaking, the steps involved in the design of a stream cipher may
be outlined roughly as follows:

1. Choice of the pseudorandom keystream generator:

(a) the designer specifies some performance parameters for the keystream sequences such as period, complexity, and distribution.

(b) a large number of architectures that meet the requirements in (a) are gener-
ated, and a battery of statistical tests are performed on these architectures
to find any statistical flaws in the generators.

(c) those architectures that pass all or most of the statistical tests are accepted
as potential architectures for the stream cipher.

2. Choice of an appropriate boolean function to mask the structure of the keystream generator. Shift registers cannot be used directly as keystream generators since it is easy to recover their parameters from a small segment of their output sequences. Hence nonlinear boolean functions are used to hide the structure of the shift register.

In the next chapter, we look at a number of shift register architectures that have been proposed recently, and we develop a common framework to analyse their output sequences. In particular, we describe a common generalisation of these generators, namely, the FCSR, and show how the theory of the FCSR parallels that of the well-known LFSR.

1.3 CONTRIBUTIONS OF THIS THESIS

The pseudorandom generators found in most systems are realised as feedback shift registers and in this thesis, we look at a nonlinear variant of the feedback shift register called the feedback-with-carry shift register (FCSR). Our focus is on FCSRs since they are a common generalisation of several previously proposed pseudorandom number generators such as the linear congruential generator (LCG), the linear feedback shift register (LFSR), the add-with-carry generator (AWC), and the multiply-with-carry generator (MWC). All of our algorithms and results can thus be applied to sequences generated by any one of these generators as well.

In the first part of this thesis, we propose efficient algorithms to search for FCSR architectures given a set of constraints on the period, complexity, and distribution properties of the output sequence. An FCSR architecture is completely characterised by a parameter called the ‘connection integer’. Once the connection integer is fixed, we can determine properties such as the period of the generated sequence, the susceptibility of the sequence to cryptanalysis measured by ‘linear complexity’ and ‘2-adic complexity’, and the distribution properties of the sequence. These properties are independent of the initial seed and may be computed from the connection integer. Our search algorithms can be used to generate connection integers of FCSRs with guaranteed properties like period, complexity and distribution. These algorithms ensure that a large number of PRNGs that satisfy at least two of the necessary conditions (viz., A1 and A2) can be generated efficiently. The search algorithms are a contribution towards step 1(b) of the stream cipher design process outlined in the preceding section.

In the second part of this thesis we look at combiners using FCSRs as a practical method of meeting the requirements A3 and A4. We consider a combiner generator that uses two 2-adic FCSRs as primitives and the bit-wise XOR operation as the combining function. We study the periodicity, symmetric complementarity, and bounds on the linear complexity and 2-adic complexity of FCSR XOR combiner generators. This forms our contribution towards step 2 in the stream cipher design process.

The thesis is organised as follows. In Chapter 2, we present some basic results in the theory of FCSRs. In the third chapter we propose algorithms to search for FCSR architectures given a set of requirements such as period and number of tap connections. We also propose a search algorithm for a generalisation of the 2-adic FCSR called the delayed feedback-with-carry shift register (d-FCSR). In Chapter 4 of this thesis, we look at some methods of increasing the 2-adic complexity of FCSRs and prove bounds on the complexity of a family of FCSR combiner generators. In Chapter 5, we summarise our contributions and discuss some directions for future research.

CHAPTER 2

FEEDBACK-WITH-CARRY SHIFT REGISTER SEQUENCES

In Section 2.1 of this chapter we briefly describe some precursors of the FCSR such as the lagged Fibonacci generator (LFG), the add-with-carry (AWC) generator and the linear feedback shift register (LFSR) generator using a formalism due to Marsaglia. Section 2.2 contains the elements of the theory of 2-adic numbers that is required for the study of FCSRs. We also survey some basic results in the theory of 2-adic FCSR sequences in Section 2.3. In Section 2.4 of this chapter, we present three alternative but equivalent ways of describing LFSR and FCSR sequences. Finally, in Section 2.5, we collect all useful results about FCSR sequences.

2.1 THE PRECURSORS OF THE FCSR

The pseudorandom number generators described in this thesis can all be described by means of a function acting iteratively on a set. Let $X$ be a finite set and $f : X \to X$ a feedback function. For a given initial seed value $x \in X$, the pseudorandom sequence is generated using the sequence

$$x := f^0(x),\ f(x),\ f^2(x),\ f^3(x),\ \ldots, \tag{2.1}$$

where $f^{i+1}(x) = f(f^i(x))$ for all $i \ge 0$ (Marsaglia 1992).

We will show how this simple mechanism can be used to describe the lagged
Fibonacci generator (LFG), the Marsaglia and Zaman addition with carry generator
(AWC), and the 2-adic FCSR in sections (2.1.1), (2.1.2) and (2.3), respectively.

[Figure 2.1: The Lagged Fibonacci Generator. Register cells $a_{n-1}, a_{n-2}, \ldots, a_{n-r+1}, a_{n-r}$; the cells at lags $r$ and $s$ are combined to form the new element $a_i$.]

2.1.1 The lagged Fibonacci generator (LFG)

Let $X$ be the set of $1 \times r$ vectors $x = (x_1, x_2, x_3, \ldots, x_r)$, with elements $x_i$ in some finite set $S$ endowed with a binary operation $\circ$. For the lagged Fibonacci generators, denoted by $F(r, s, \circ)$, the feedback function $f$ is defined by

$$f(x_1, x_2, \ldots, x_r) = (x_2, x_3, \ldots, x_r,\ x_1 \circ x_{r+1-s}) \tag{2.2}$$

where $r > s$. When $S$ is the set of integers modulo a power of 2 with the binary operations $+$ or $-$ or $*$, the following result of Marsaglia and Tsay (1985) enables us to compute the period of the sequence generated using equation (2.2). It is clear that $x, f^0(x), f(x), f^2(x), f^3(x), \ldots$ is a sequence of vectors generated by the matrix of integers representing $f$.

Theorem 2.1.1 Let $f$ be the $r \times r$ (companion) matrix of integers with odd determinant representing the feedback function. Let $S$ be the set of integers modulo $2^n$ and the binary operation $\circ$ be either $+$ or $-$. In order that the sequence of vectors determined by $x, f^0(x), f(x), f^2(x), f^3(x), \ldots \pmod{2^n}$ have period $(2^r - 1)2^{n-1}$ for every $n \ge 1$ and every initial vector of integers $x$ not all even, it is necessary and sufficient that $f$ have order $j = 2^r - 1$ in the group of non-singular matrices mod 2, order $2j$ mod 4 and order $4j$ mod 8. If the $F(r, s, +)$ generator has maximal period $(2^r - 1)2^{n-1}$ for integers mod $2^n$, then the $F(r, s, *)$ generator on the set $S$ of odd integers mod $2^n$ has period $(2^r - 1)2^{n-3}$.

Statistical performance of LFGs

When the operation $\circ$ is $\oplus$, the XOR operation, the performance of $F(r, s, \oplus)$ is very poor. Empirical studies have noted that they perform poorly with respect to statistical tests and have very short periods. They fail many of the DIEHARD battery of tests, namely the parking lot tests, m-tuple test, OPSO test, birthday spacings tests, OPERM test, runs test and the rank tests. In this sense they are similar to shift-register sequences. The $F(r, s, \pm)$ is known to fail the birthday-spacings test. The $F(r, s, *)$ performs well and passes all the above tests as well as the lattice test.

Among the lagged Fibonacci generators the ones using multiplication on odd integers modulo $2^{32}$ are the best. $F(r, s, +)$, $F(r, s, -)$ and $F(r, s, \oplus)$ do well on monkey tests. $F(r, s, \oplus)$ may fail for pairs $(r, s)$ such as $(31, 13)$ or $(17, 5)$ because of their inadequate period, in contrast to other lagged Fibonacci generators, which have periods about $2^{32+r}$ (Marsaglia 1984).

2.1.2 The addition-with-carry generator (AWC)

Marsaglia and Zaman (1991) proposed a new class of random number generators with enormous periods. They were broadly classified into add-with-carry (AWC) and subtract-with-borrow (SWB) generators. Using the Marsaglia formalism, the AWC generator can be easily described as follows.

Let $b, r, s \in \mathbb{Z}^+$ be positive integers, where $b$ is the base and $r > s$ are the lags. Define $X = \{0, 1, \ldots, b-1\}^r \times \{0, 1\}$. Let $x = (x_1, x_2, \ldots, x_r, c) \in X$ be the seed vector, where $0 \le x_i < b$ and $c \in \{0, 1\}$ is the carry bit. Define the feedback function $f : X \to X$ as

[Figure 2.2: The Add-with-Carry Generator. Carry $m_{n-1}$ and register cells $a_{n-1}, a_{n-2}, \ldots, a_{n-r+1}, a_{n-r}$; the sum of the cells at lags $r$ and $s$ and the carry is split into the new element $a_i$ (sum mod $b$) and the new carry (sum div $b$).]

$$f(x_1, x_2, \ldots, x_r, c) = \begin{cases} (x_2, x_3, \ldots, x_r,\ x_{r+1-s} + x_1 + c,\ 0) & \text{if } x_{r+1-s} + x_1 + c < b \\ (x_2, x_3, \ldots, x_r,\ x_{r+1-s} + x_1 + c - b,\ 1) & \text{if } x_{r+1-s} + x_1 + c \ge b \end{cases} \tag{2.3}$$

Using the Marsaglia formalism, we first generate the sequence of $(r+1)$-tuples $x := f^0(x), f(x), f^2(x), f^3(x), \ldots$ We generate the pseudorandom sequence $(y_i)$, where $y_i \in \{0, 1, \ldots, b-1\}$, using the sequence of $(r+1)$-tuples in the following fashion. At the $i$th iteration the first coordinate of the $(r+1)$-tuple $f^i(x)$ is defined to be $y_i$. The period of $(y_i)_{i \ge 0}$ is the same as the period of the sequence of $(r+1)$-tuples $(f^i(x))_{i \ge 0}$ (Marsaglia and Zaman 1991). This means that the first $r$ elements of the sequence are precisely the first $r$ coordinates of the seed vector $x$.

Theorem 2.1.2 The sequence of digits formed by the AWC generator is, in reverse order, the same as the sequence of digits in the base-$b$ expansion of a fraction $\dfrac{k}{b^r + b^s - 1}$. From this it is easy to see that the period of the sequence generated by equation (2.3) is the order of $b$ in the multiplicative group $\bigl(\mathbb{Z}/(b^r + b^s - 1)\mathbb{Z}\bigr)^*$ when $b^r + b^s - 1$ is a prime. When $b^r + b^s - 1$ is composite, let $\dfrac{k}{b^r + b^s - 1} = \dfrac{c}{d}$, where $(c, d) = 1$. Then the period of the sequence is the order of $b$ in the multiplicative group $\bigl(\mathbb{Z}/d\mathbb{Z}\bigr)^*$.

This means that for $b$ approximately $2^{32}$ and $r$ around 20, periods of $2^{640}$ are attainable using only $r$ memory locations and simple computer arithmetic. The other carry/borrow generators introduced by Marsaglia and Zaman are simply variations of the above function. The $N$-adic FCSR generalizes the AWC and the MWC generators.
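As an added example (not code from the thesis), the Marsaglia formalism of (2.1) carried out in Python for the lagged Fibonacci generator $F(r, s, +)$ of Section 2.1.1 and the AWC generator of Section 2.1.2. The parameters and seeds are constructed and kept small so that the empirical periods can be checked by hand against Theorem 2.1.1 (period $7$ mod 2 and $14 = (2^3 - 1)2^{2-1}$ mod 4 for $F(3, 1, +)$) and Theorem 2.1.2 (with $b = 2$, $r = 3$, $s = 2$ the modulus $b^r + b^s - 1 = 11$ is prime and the period is $\mathrm{ord}_{11}(2) = 10$).

```python
# Added example: x, f(x), f^2(x), ... for the LFG of (2.2) and the AWC of (2.3),
# with the period found empirically and compared with Theorems 2.1.1 and 2.1.2.
# Parameters and seeds are constructed for illustration, not taken from the thesis.

def orbit_period(f, x):
    """Length of the cycle that x, f(x), f^2(x), ... eventually enters.
    The AWC map is not a bijection on X, so a short transient may precede the
    cycle; the period of the generated digit sequence is the cycle length."""
    seen, i = {}, 0
    while x not in seen:
        seen[x] = i
        x, i = f(x), i + 1
    return i - seen[x]

def lfg_plus(r, s, modulus):
    """Feedback function of F(r, s, +) on integers mod `modulus` (equation 2.2):
    the new coordinate is x_1 + x_{r+1-s}, where x_1 is the oldest element."""
    assert r > s >= 1
    def f(x):
        return x[1:] + ((x[0] + x[r - s]) % modulus,)
    return f

def awc(b, r, s):
    """Feedback function of the AWC generator (equation 2.3) on (x_1, ..., x_r, c):
    the new digit is x_{r+1-s} + x_1 + c, reduced by b when it overflows, and the
    overflow becomes the new carry bit."""
    assert r > s >= 1
    def f(x):
        t = x[0] + x[r - s] + x[r]
        if t < b:
            return x[1:r] + (t, 0)
        return x[1:r] + (t - b, 1)
    return f

def digit_sequence(f, x, n):
    """y_i = first coordinate of f^i(x), for i = 0, ..., n-1."""
    out = []
    for _ in range(n):
        out.append(x[0])
        x = f(x)
    return out

def multiplicative_order(b, m):
    """Order of b in (Z/mZ)^*; requires gcd(b, m) = 1."""
    k, t = 1, b % m
    while t != 1:
        t, k = (t * b) % m, k + 1
    return k

def awc_period_check(b, r, s, seed):
    """Empirical period of the AWC digits beside the order of b modulo
    b^r + b^s - 1 (Theorem 2.1.2, prime-modulus case)."""
    m = b ** r + b ** s - 1
    return orbit_period(awc(b, r, s), seed), multiplicative_order(b, m)

if __name__ == "__main__":
    # F(3, 1, +): period 7 mod 2 and 14 = (2^3 - 1) * 2^(2-1) mod 4 (Theorem 2.1.1)
    print(orbit_period(lfg_plus(3, 1, 2), (1, 0, 0)),
          orbit_period(lfg_plus(3, 1, 4), (1, 0, 0)))
    # AWC with b = 2, r = 3, s = 2: 2^3 + 2^2 - 1 = 11 is prime and ord_11(2) = 10
    print(awc_period_check(2, 3, 2, (1, 0, 0, 0)))
    print(digit_sequence(awc(2, 3, 2), (1, 0, 0, 0), 12))
```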

Statistical performance of AWCs

Some of the statistical properties of the AWC and SWB generators were con-
sidered by Couture and L’Ecuyer (1994, 1997). One of their observations was that
the AWC generators failed the spectral test for some values of the lags. They are also
known to fail the birthday spacings test (Marsaglia 1993). The synthesis algorithm
for the AWC generator was given by Bach (1998). The approach is similar to the
synthesis of the 1/p generator given in Blum, Blum and Shub (1986).

2.1.3 The linear feedback shift register (LFSR)

Linear feedback shift registers have an architecture similar to FCSRs. Their properties are well understood. We give below a description of the LFSR over $\mathbb{F}_2$ in the same formalism used to describe the LFG and AWC.

Let $q_i \in \{0, 1\}$, for $i = 1, 2, \ldots, r$, be the taps and let $a = (a_0, a_1, \ldots, a_{r-1})$, where $a_i \in \{0, 1\}$, be the seed vector. Define $X = \{0, 1\}^r$. The feedback function $f : X \to X$ is

$$f(a_0, a_1, \ldots, a_{r-1}) = \Bigl(a_1, a_2, \ldots, a_{r-1},\ \sum_{k=1}^{r} q_k a_{r-k}\Bigr). \tag{2.4}$$

Figure 2.3: Fibonacci-configured LFSR

During each iteration the register cells are tapped, their contents added modulo 2, the first coordinate is output (in Figure 2.3, the rightmost bit of the shift register), the contents of the register are shifted to the right and the sum computed previously is taken as the $r$th coordinate of the vector. In Figure 2.3, this sum is returned to the leftmost bit of the register as the new entry.

The general theory of LFSRs is based on the algebra of finite fields. Excellent
accounts of this theory may be found in the books of Golomb (1967), Rueppel (1986)
and Beker and Piper (1982).

The theory of FCSRs is analogous to that of LFSRs. However, the analysis of the 2-adic FCSR is based on the theory of 2-adic numbers. Before discussing the theory of FCSRs we review the theory of 2-adic numbers in the next section.

2.2 REVIEW OF 2-ADIC NUMBERS

The analysis of FCSRs is based on the arithmetic of 2-adic numbers. In 1904, Hensel introduced the concept of 2-adic, and in general, $p$-adic numbers for $p$ prime. A 2-adic number may be described as a binary number

$$\alpha = \ldots \alpha_3 \alpha_2 \alpha_1 \alpha_0 \,.\, \alpha_{-1} \alpha_{-2} \ldots \alpha_{-k} \tag{2.5}$$

where $\alpha_i \in \{0, 1\}$, whose representation extends infinitely to the left of the binary point, but has only finitely many places to the right of the point. 2-adic numbers represented by equation (2.5) may also be thought of as formal Laurent series

$$\alpha = \sum_{i=-k}^{\infty} \alpha_i 2^i, \tag{2.6}$$

where $\alpha_i \in \{0, 1\}$. When there are no non-zero bits to the right of the binary point (i.e. $k = 0$), the 2-adic numbers are called 2-adic integers:

$$\mathbb{Z}_2 = \Bigl\{ \sum_{i=0}^{\infty} \alpha_i 2^i \,\Big|\, \alpha_i \in \{0, 1\} \Bigr\}. \tag{2.7}$$

The set of 2-adic integers is denoted by $\mathbb{Z}_2$. The 2-adic integers form a ring with additive identity 0 and multiplicative identity $1 = 1 \cdot 2^0$. Addition in $\mathbb{Z}_2$ is performed by ‘carrying’ overflow bits to higher order terms, so that $2^i + 2^i = 2^{i+1}$. Using the fact that in $\mathbb{Z}_2$, $1 - 1 = 0$, it is easy to see that

$$-1 = 1 + 2^1 + 2^2 + 2^3 + \cdots. \tag{2.8}$$

From the binary (base-2) representation of positive integers, it is clear that $\mathbb{Z}_2$ contains all positive integers. The identity

$$-\alpha = (-1)\alpha = (1 + 2^1 + 2^2 + 2^3 + \cdots)(\alpha_0 + \alpha_1 2 + \cdots + \alpha_r 2^r) \tag{2.9}$$

shows that $\mathbb{Z}_2$ contains the negative integers. In general, for an arbitrary 2-adic number $\alpha$, the additive inverse $-\alpha$ can be calculated as follows. Expressing $\alpha$ in the form $\alpha = 2^r\bigl(1 + \sum_{i=1}^{\infty} \alpha_i 2^i\bigr)$, where $r$ is an integer, we have

$$-\alpha = 2^r \Bigl(1 + \sum_{i=1}^{\infty} \bar{\alpha}_i 2^i\Bigr) \tag{2.10}$$

where $\bar{\alpha}_i$ denotes the complementary bit and $\alpha_i + \bar{\alpha}_i = 1$. The 2-adic numbers, denoted by $\mathbb{Q}_2$, form a field under addition and multiplication. Below are some examples of 2-adic expansions of integers and rationals.

Example 2.2.1 We give the 2-adic representation of the numbers $\tfrac{1}{7}$, $-\tfrac{1}{7}$, $\tfrac{9}{2}$, $\tfrac{1}{10}$:

$$\frac{1}{7} = \ldots 110110110110111.0, \qquad -\frac{1}{7} = \ldots 001001001001001.0,$$

$$\frac{9}{2} = \ldots 0000100.10, \qquad \frac{1}{10} = \ldots 110011001100110.1 \tag{2.11}$$

Note that $\tfrac{1}{7}$ and $-\tfrac{1}{7}$ are 2-adic integers, while $\tfrac{9}{2}$ and $\tfrac{1}{10}$ are 2-adic rationals. The rational number $\tfrac{1}{7} = \overline{011}1.0$ has an eventually periodic 2-adic expansion and $-\tfrac{1}{7} = \overline{001}.0$ has a strictly periodic 2-adic expansion. In both these cases, note that the period is just the multiplicative order of 2 in the field $\mathbb{Z}/7\mathbb{Z}$.

In $\mathbb{Z}_2$, the ring of 2-adic integers, every odd integer $\alpha \in \mathbb{Z}$ has a unique multiplicative inverse. Thus, the ring $\mathbb{Z}_2$ contains every rational number $p/q$ provided $q$ is odd. In fact

$$\mathbb{Z}_2 = \Bigl\{ \frac{p}{q} \,\Big|\, p, q \in \mathbb{Z},\ q \ne 0 \text{ and } q \text{ is odd} \Bigr\}. \tag{2.12}$$

This gives an alternative description of $\mathbb{Z}_2$. These ideas may be extended to develop the theory of $p$-adic and $N$-adic numbers.

We have given a very sketchy account of the theory of 2-adic numbers. For a
more comprehensive treatment of the theory, we refer to the books by Koblitz (1984),
Mahler (1973) and Gouvêa (2003).
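The expansions in Example 2.2.1 can be generated mechanically. The following Python is an added example (not the thesis's own code): for $q = 2^v q'$ with $q'$ odd it produces the digits of $p/q$ in $\mathbb{Q}_2$ using the fact that $\alpha_0 \equiv p \pmod 2$ and that $(p - \alpha_0 q')/2$ is again an integer numerator over $q'$, then reads off the preperiod and period of the digit stream (period 3 for $\pm\tfrac{1}{7}$, the order of 2 modulo 7). Trailing zeros after the binary point are not printed, so $\tfrac{9}{2}$ appears as $\ldots 0000100.1$.

```python
# Added example: 2-adic expansion of a rational p/q and the period of its digits.
# Not part of the thesis; the values checked are the numbers of Example 2.2.1.

def two_adic_digits(p, q, n):
    """Digits alpha_{-v}, ..., alpha_{-1}, alpha_0, ..., alpha_{n-1} of p/q in Q_2,
    where q = 2^v * q' with q' odd. Returns (v, digits) with digits[i] = alpha_{i-v}.
    For odd q', alpha = p mod 2 satisfies p = alpha * q' (mod 2), so
    p/q' = alpha + 2 * ((p - alpha*q') / 2) / q' with an integer numerator."""
    assert q != 0
    if q < 0:
        p, q = -p, -q
    v = 0
    while q % 2 == 0:
        q, v = q // 2, v + 1
    digits = []
    for _ in range(n + v):
        alpha = p % 2                 # Python's % is non-negative for negative p
        digits.append(alpha)
        p = (p - alpha * q) // 2      # exact division: p - alpha*q is even
    return v, digits

def format_2adic(p, q, n):
    """Write p/q in the layout of equation (2.5): n digits left of the binary point,
    v digits right of it (a single 0 when v = 0)."""
    v, digits = two_adic_digits(p, q, n)
    integer_part = digits[v:][::-1]           # alpha_{n-1} ... alpha_0
    fraction_part = digits[:v][::-1] or [0]   # alpha_{-1} ... alpha_{-v}
    return "..." + "".join(map(str, integer_part)) + "." + "".join(map(str, fraction_part))

def expansion_period(p, q):
    """(preperiod, period) of alpha_0, alpha_1, ... for odd q. The digit stream is a
    function of the running numerator, so the first repeated numerator starts the cycle."""
    assert q % 2 == 1
    seen, i = {}, 0
    while p not in seen:
        seen[p] = i
        alpha = p % 2
        p, i = (p - alpha * q) // 2, i + 1
    return seen[p], i - seen[p]

def verify_expansion(p, q, n):
    """For odd q: q * (alpha_0 + alpha_1 2 + ... + alpha_{n-1} 2^{n-1}) = p (mod 2^n)."""
    assert q % 2 == 1
    _, digits = two_adic_digits(p, q, n)
    x = sum(d << i for i, d in enumerate(digits))
    return (q * x - p) % (1 << n) == 0

if __name__ == "__main__":
    for p, q in [(1, 7), (-1, 7), (9, 2), (1, 10)]:
        print(f"{p}/{q} = {format_2adic(p, q, 15)}")
    print(expansion_period(1, 7), expansion_period(-1, 7))
```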

2.3 THE FEEDBACK-WITH-CARRY SHIFT REGISTER

2.3.1 Operation of the FCSR

A generalization of the AWC generator and the multiply-with-carry (MWC) generator was described independently by Marsaglia (1994), Couture and L’Ecuyer (1997), and in a series of papers by Klapper and Goresky (1993, 1997). Klapper and Goresky called them feedback-with-carry shift registers (Klapper and Goresky 1997). Using the same framework as before, the 2-adic FCSR can be described as follows.

Fix taps $q_i \in \{0, 1\}$, for $i = 1, 2, \ldots, r$, and let $q_0 = -1$. Define $X = \{0, 1\}^r \times \mathbb{Z}$. Let $a = (a_0, a_1, \ldots, a_{r-1}, m_{r-1}) \in X$ be a seed vector, where $m_{r-1} \in \mathbb{Z}$ is the initial memory and $a_i \in \{0, 1\}$. Let $\sigma_r = \sum_{k=1}^{r} q_k a_{r-k} + m_{r-1}$. Define the feedback function

[Figure 2.4: Fibonacci-configured FCSR. Memory $m_{n-1}$ and register cells $a_{n-1}, a_{n-2}, \ldots, a_{n-r+1}, a_{n-r}$ with taps $q_1, q_2, \ldots, q_{r-1}, q_r$; the tapped sum plus the memory is split into the new cell $a_i$ (sum mod 2) and the new memory (sum div 2).]

$f : X \to X$ to be

$$f(a_0, a_1, \ldots, a_{r-1}, m_{r-1}) = \Bigl(a_1, a_2, \ldots, a_{r-1},\ \Bigl(\sum_{k=1}^{r} q_k a_{r-k} + m_{r-1}\Bigr) \bmod 2,\ m_r\Bigr), \tag{2.13}$$

where $m_r = \lfloor \sigma_r / 2 \rfloor$. Here $\lfloor\ \rfloor$ is the floor function. The above equation also makes it clear how (2.13) generalises (2.4). As in the generators described earlier, the output sequence $y_i \in \{0, 1\}$ is generated using the sequence of $(r+1)$-vectors $a = f^0(a), f(a), f^2(a), \ldots$. For all $i \ge 0$, $y_i$ is defined to be the first coordinate of the $(r+1)$-tuple $f^i(a)$. As before, this means that the first $r$ output bits will be just the first $r$ coordinates of the seed vector and the period of the sequence $(y_i)_{i \ge 0}$ is the same as that of $(f^i(a))_{i \ge 0}$. The function described in (2.13) shows how the FCSRs differ from the AWC generators defined in (2.3). The carry part in (2.3), denoted by $c$ in the $(r+1)$-tuple, is 0 or 1, whereas the analogous memory in (2.13), denoted by $m_{r-1}$, is allowed to take integer values. Klapper and Goresky proved that the memory can be bounded in terms of the number of non-zero $q_i$’s. Much of the theory they develop for their 2-adic FCSR parallels that of linear feedback shift registers (LFSR) over $\mathbb{F}_2$.

The 2-adic FCSR may be generalised to the p-adic and the N-adic case, and
the analogues of equation (2.13) are obtained by replacing 2 by p and N respectively
and making the suitable allowances for the tap coefficients and the initial loadings.

An alternative description of the operation of the FCSR may be given as follows. Fix an odd positive integer $q$ and let
$$q + 1 = q_1 2^1 + q_2 2^2 + \cdots + q_r 2^r \qquad (2.14)$$
be the binary expansion of $q + 1$, where $r = \lfloor \log_2 (q + 1) \rfloor$ and $q_i \in \{0, 1\}$. Then the 2-adic FCSR with connection integer $q$ has $r$ stages and feedback connections given by the bits $\{q_1, q_2, \ldots, q_r\}$ in Equation 2.14. This is shown in Figure 2.4. By letting $q_0 = -1$, we may write $q = \sum_{i=0}^{r} q_i 2^i$. The contents of the register are denoted by $a_{n-1}, a_{n-2}, \ldots, a_{n-r}$ and the operation of the 2-adic FCSR is as follows:

A1. Form the integer sum $\sigma_n = \sum_{k=1}^{r} q_k a_{n-k} + m_{n-1}$.

A2. Shift contents one step to the right, output the rightmost bit $a_{n-r}$.

A3. Place $a_n = \sigma_n \bmod 2$ into the leftmost cell of the shift register.

A4. Replace the memory integer $m_{n-1}$ with $m_n = (\sigma_n - a_n)/2 = \lfloor \sigma_n / 2 \rfloor$.

Thus we see that an FCSR is a feedback shift register that is similar to the LFSR except that it has a small amount of auxiliary memory. The difference is that during each iteration, the memory, which is an integer, is added to the sum of the tapped bits and the parity of this quantity, namely $\bigl(\sum_{k=1}^{r} q_k a_{r-k} + m_{r-1}\bigr) \bmod 2$, is taken to be the $r$th coordinate of the new vector (in Figure 2.4, the leftmost bit). The higher-order bits are retained as the new value of the memory (i.e., $m_r$). Figure 2.3 and Figure 2.4 illustrate equations (2.4) and (2.13) respectively. Note that in both cases, the right-most bit corresponds to the first coordinate of the $(r+1)$-tuple and is the output at every step.

2.4 ANALOGIES BETWEEN LFSR AND FCSR THEORY

From the discussions in the preceding sections, it should be clear that we can
formulate three different but equivalent descriptions of the LFSR and FCSR. Here we
compare the LFSR and FCSR and show how their theories are analogous.

Let $F$ be a finite field and let $q_1, q_2, \ldots, q_r \in F$. The linearly recurrent sequence of order $r$ with multipliers $q_1, q_2, \ldots, q_r \in F$ and initial state $(a_0, a_1, \ldots, a_{r-1})$ is the unique solution to the equations
$$a_j = q_1 a_{j-1} + q_2 a_{j-2} + \cdots + q_r a_{j-r} \qquad (2.15)$$
for $j \ge r$. Such a sequence can be described in three equivalent ways. First, it is the output of an LFSR with $r$ register cells, tap coefficients $q_i \in F$, and initial register loading given by $a_0, a_1, \ldots, a_{r-1} \in F$. The connection polynomial $q(x) \in F[x]$ associated with the recurrence equation (2.15) and the LFSR is given by
$$q(x) = q_0 + \sum_{i=1}^{r} q_i x^i$$
where $q_0 = -1$. Secondly, the sequence $a_0, a_1, a_2, \ldots$ is the coefficient sequence in the power series expansion of a rational function $p(x)/q(x)$:
$$\frac{p(x)}{q(x)} = a_0 + a_1 x + a_2 x^2 + \cdots$$
where the denominator polynomial is, as before, dependent only upon the taps of the corresponding LFSR. The numerator polynomial is given by
$$p(x) = \sum_{j=0}^{r-1} \sum_{i=0}^{j} q_i a_{j-i} x^j.$$
And thirdly, LFSR sequences also have a trace representation given by
$$a_j = \mathrm{Tr}_{L/F}(a \delta^j)$$
where $L$ is an extension field of $F$ that contains all the roots of $q(x)$, $a \in L$ is dependent upon the initial state of the LFSR, $\mathrm{Tr}_{L/F}$ is the trace function from $L$ to $F$, and $\delta \in L$ is the inverse of an appropriate root of $q(x)$ (that is, a root of the characteristic polynomial $x^r q(1/x)$); this form of the representation assumes that $q(x)$ is irreducible.

Similarly, for the FCSR, let $N$ be a positive integer. Let $q_1, q_2, \ldots, q_r \in \mathbb{Z}/(N)$, $a_0, a_1, \ldots, a_{r-1} \in \mathbb{Z}/(N)$, and let the initial memory $m_{r-1} \in \mathbb{Z}$. The FCSR sequence is then the unique solution to the with-carry linear recurrence
$$a_j + N m_j = q_1 a_{j-1} + q_2 a_{j-2} + \cdots + q_r a_{j-r} + m_{j-1} \qquad (2.16)$$
for $j \ge r$. Here, the right hand side of equation 2.16 is first computed as an integer $\sigma \in \mathbb{Z}$. Then $a_j$ is obtained by reducing $\sigma$ modulo $N$, and the new memory $m_j$ is computed as $\lfloor \sigma / N \rfloor$. Again, we may give three alternative descriptions of such a sequence. First, it is the output of an FCSR with $r$ main register cells, tap coefficients given by the $q_i$ and initial state given by the $a_i$ and $m_{r-1}$. The connection integer associated with the FCSR is
$$q = q_0 + \sum_{i=1}^{r} q_i N^i \in \mathbb{Z}$$
where $q_0$ (and hence $q$) is relatively prime to $N$ (in the 2-adic case $q_0 = -1$). Secondly, it is the coefficient sequence of the $N$-adic expansion of the rational number
$$\frac{p}{q} = a_0 + a_1 N + a_2 N^2 + \cdots$$
where the numerator is given by
$$p = \sum_{j=0}^{r-1} \sum_{i=0}^{j} q_i a_{j-i} N^j - m_{r-1} N^r.$$
Thirdly, strictly periodic FCSR sequences also possess an exponential representation in which the general term may be written as
$$a_j = \bigl(a \delta^j \ (\mathrm{mod}\ q)\bigr) \ (\mathrm{mod}\ N)$$
where $\delta = N^{-1} \ (\mathrm{mod}\ q)$ and $a \in \mathbb{Z}/(q)$ is an element that depends upon the initial state. In the right hand side of the equation above, the quantity $a \delta^j$ is first reduced modulo $q$ and represented as an integer in the range $\{0, 1, \ldots, q-1\}$ and then this integer is reduced modulo $N$.
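The following Python code is an added example, not part of the thesis, that makes the three descriptions above concrete for the 2-adic case. It runs the register of steps A1 to A4, computes the numerator $p$ from the formula above with $N = 2$, and checks that the register output equals the 2-adic expansion of $p/q$; for strictly periodic sequences ($-q < p \le 0$) it also checks the exponential representation with $\delta = 2^{-1} \bmod q$. The choice $A = -p \bmod q$ for the element $a \in \mathbb{Z}/(q)$ is an assumption of this example, since the text does not spell out how $a$ depends on the initial state; everything else follows the definitions in the text. The constructed inputs ($q = 3, 7, 19$ with small loadings) are for illustration only, and `pow(2, -1, q)` needs Python 3.8 or later.

```python
from math import gcd


def taps_from_connection_integer(q):
    """Taps (q_1, ..., q_r) read off the binary expansion q + 1 = sum_{i=1}^r q_i 2^i (eq. 2.14)."""
    assert q > 0 and q % 2 == 1, "the connection integer must be a positive odd integer"
    r = (q + 1).bit_length() - 1  # r = floor(log2(q + 1))
    return [((q + 1) >> i) & 1 for i in range(1, r + 1)]


def fcsr_sequence(q, init_bits, init_mem, n):
    """First n output bits of the 2-adic FCSR with connection integer q (steps A1-A4).

    init_bits = (a_0, ..., a_{r-1}) is the initial register loading and init_mem = m_{r-1}
    the initial memory; the first r output bits are the loading itself.
    """
    taps = taps_from_connection_integer(q)
    r = len(taps)
    assert len(init_bits) == r, "loading must have r = floor(log2(q + 1)) bits"
    reg = list(init_bits)  # reg[r - k] holds a_{n-k}; reg[0] is the next output bit
    mem = init_mem
    out = []
    for _ in range(n):
        sigma = sum(taps[k - 1] * reg[r - k] for k in range(1, r + 1)) + mem  # A1
        out.append(reg.pop(0))  # A2: shift right, output a_{n-r}
        reg.append(sigma % 2)  # A3: a_n = sigma mod 2 enters the leftmost cell
        mem = sigma // 2  # A4: m_n = floor(sigma / 2); // also floors negative sigma
    return out


def numerator(q, init_bits, init_mem):
    """p such that the FCSR output is the 2-adic expansion of p/q (the N = 2 case of the formula above)."""
    taps = [-1] + taps_from_connection_integer(q)  # q_0 = -1, then q_1, ..., q_r
    r = len(taps) - 1
    p = sum(sum(taps[i] * init_bits[j - i] for i in range(j + 1)) * (1 << j) for j in range(r))
    return p - init_mem * (1 << r)


def two_adic_bits(p, q, n):
    """First n coefficients of the 2-adic expansion of p/q, q odd."""
    assert q % 2 == 1
    bits = []
    for _ in range(n):
        a = p % 2  # q is odd, so p/q and p have the same parity
        bits.append(a)
        p = (p - a * q) // 2  # exact division: strip the lowest 2-adic digit
    return bits


def mult_order(b, q):
    """Multiplicative order of b modulo q, gcd(b, q) = 1; brute force, adequate for small q."""
    assert gcd(b, q) == 1
    x, k = b % q, 1
    while x != 1:
        x, k = x * b % q, k + 1
    return k


def exponential_representation(p, q, n):
    """a_j = (A * delta^j mod q) mod 2 with delta = 2^{-1} mod q, valid when -q < p <= 0.

    Assumption of this example: the element a of Z/(q) in the text is A = -p mod q.
    """
    assert -q < p <= 0, "exponential representation applies to strictly periodic sequences only"
    delta = pow(2, -1, q)
    A = (-p) % q
    return [((A * pow(delta, j, q)) % q) % 2 for j in range(n)]


if __name__ == "__main__":
    q, loading, mem = 19, [1, 0, 1, 1], 2  # constructed input; 2 is a primitive root mod 19
    bits = fcsr_sequence(q, loading, mem, 40)
    p = numerator(q, loading, mem)
    assert two_adic_bits(p, q, 40) == bits
    print(f"p/q = {p}/{q}, period ord_{q}(2) = {mult_order(2, q)}, first bits {bits[:20]}")
```

Feeding the same loading to `fcsr_sequence`, `numerator` and `two_adic_bits` exercises the equivalence of the first two descriptions for any loading, including one whose fraction is not strictly periodic (the $q = 19$ input above gives $p = -41$); `exponential_representation` refuses such inputs, since the third description only applies once the sequence is strictly periodic.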

2.5 PROPERTIES OF FCSR SEQUENCES

The purpose of this section is to collect in one place, all of the results on FCSRs
that are relevant to the later parts of the thesis. Here and in what follows, let Q2 denote
the field of 2-adic numbers. The following facts are known about the 2-adic FCSR:

1. (Klapper and Goresky 1997) If a sequence a = (ai )i≥0 is the output of a 2-adic
FCSR, and α ∈ Q2 is the 2-adic number associated with this sequence, then a
is eventually periodic and α = p/q, where q is the connection number of the
FCSR. Conversely, every eventually periodic binary sequence whose associated
2-adic number is α = p/q is the output of a 2-adic FCSR with connection integer
q.

2. (Klapper and Goresky 1997) If α = p/q ∈ Q2 is the 2-adic number associated


with the output sequence of a 2-adic FCSR, then the sequence is strictly periodic
if and only if −q < p ≤ 0. If this condition is not satisfied, then the sequence is
eventually periodic.

3. (Gauss 1801) If α = p/q ∈ Q2 is the 2-adic number associated with the output
sequence of a 2-adic FCSR, then the period of the sequence is the multiplicative
order of 2 modulo q.

4. (Klapper and Goresky 1997) If $\alpha = p/q \in \mathbb{Q}_2$ with $\gcd(p, q) = 1$, and if 2 is a primitive root modulo $q$, then the period of the FCSR sequence with connection integer $q$ is maximal and equal to $|(\mathbb{Z}/q\mathbb{Z})^*| = \varphi(q)$, where $\varphi$ denotes Euler's totient function. Such a sequence is called an $\ell$-sequence. This requires that $q = p^m$ for some odd prime $p$ and some positive integer $m$.

5. (Goresky and Klapper 1995) Every binary $\ell$-sequence possesses the property of symmetrical complementarity: in any binary $\ell$-sequence of period $2t$, where $t$ is a positive integer, the second half of any segment of length $2t$ is the bit-wise complement of the first half. However, the converse of this statement is not true. For example, the sequence generated by a 2-adic FCSR with connection integer $q = 17$ is symmetrically complementary with period 8, but it is not an $\ell$-sequence since 2 is not a primitive root modulo 17.

6. (Goresky and Klapper 1995) Every binary $\ell$-sequence possesses the nearly de Bruijn property: if the $\ell$-sequence is generated by a 2-adic FCSR with connection integer $q$, then in any given period of the sequence, every binary string of length $\lfloor \log_2 q \rfloor$ occurs at least once and every binary string of length $\lfloor \log_2 q \rfloor + 1$ occurs at most once.

7. (Mittelbach and Finger 2004) Any strictly periodic sequence generated by a 2-adic FCSR with connection integer $q$ is symmetrically complementary if and only if $q$ divides $2^{T/2} + 1$, where $T$ is the period of the sequence.

8. (Xu 2000) The linear complexity of an `-sequence of period 2t is at most t + 1.

For a more detailed account of the properties of FCSR sequences, including proofs of
these assertions, the reader is referred to the papers of Klapper and Goresky (1997),
Goresky and Klapper (1995), Mittelbach and Finger (2004), and the dissertation of
Xu (2000).
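As an added illustration, not taken from the thesis or the papers cited above, the Python code below generates the strictly periodic sequence of $-1/q$ through the exponential representation of Section 2.4 and tests properties 4 to 8 on it: the $\ell$-sequence condition, symmetrical complementarity, the Mittelbach and Finger criterion $q \mid 2^{T/2} + 1$, the nearly de Bruijn window counts, and Xu's linear complexity bound, the last via a textbook Berlekamp-Massey routine over $\mathbb{F}_2$ fed with two periods. The two inputs are the constructed cases from the text, $q = 17$ (symmetrically complementary but not an $\ell$-sequence) and $q = 19$ (an $\ell$-sequence); the totient helper exists only to decide whether 2 is a primitive root.

```python
def mult_order(b, q):
    """Multiplicative order of b modulo q (brute force; q is small here)."""
    x, k = b % q, 1
    while x != 1:
        x, k = x * b % q, k + 1
    return k


def euler_phi(q):
    """Euler's totient by trial-division factoring; adequate for small q."""
    result, n, f = q, q, 2
    while f * f <= n:
        if n % f == 0:
            while n % f == 0:
                n //= f
            result -= result // f
        f += 1
    if n > 1:
        result -= result // n
    return result


def strictly_periodic_sequence(q, A=1):
    """One period of the strictly periodic FCSR sequence of -A/q (0 < A < q, gcd(A, q) = 1),
    from the exponential representation a_j = (A * 2^{-j} mod q) mod 2."""
    T = mult_order(2, q)
    delta = pow(2, -1, q)
    return [((A * pow(delta, j, q)) % q) % 2 for j in range(T)]


def is_l_sequence(q):
    """2 is a primitive root modulo q, i.e. the period is phi(q) (property 4)."""
    return mult_order(2, q) == euler_phi(q)


def is_symmetrically_complementary(seq):
    """Second half of the period is the bit-wise complement of the first half (property 5)."""
    T = len(seq)
    return T % 2 == 0 and all(seq[i] ^ seq[i + T // 2] == 1 for i in range(T // 2))


def mittelbach_finger_criterion(q, T):
    """q divides 2^(T/2) + 1 (property 7)."""
    return T % 2 == 0 and (pow(2, T // 2, q) + 1) % q == 0


def is_nearly_de_bruijn(seq, q):
    """Every string of length floor(log2 q) occurs at least once per period and every string
    of length floor(log2 q) + 1 at most once, windows taken cyclically (property 6)."""
    k = q.bit_length() - 1  # floor(log2 q)
    T = len(seq)
    cyc = seq + seq
    short = {tuple(cyc[i:i + k]) for i in range(T)}
    long_ = [tuple(cyc[i:i + k + 1]) for i in range(T)]
    return len(short) == 2 ** k and len(set(long_)) == T


def linear_complexity(seq):
    """Berlekamp-Massey over GF(2); feed two periods to get the complexity of the periodic sequence."""
    n = len(seq)
    c, b = [0] * (n + 1), [0] * (n + 1)
    c[0] = b[0] = 1
    L, m = 0, -1
    for i in range(n):
        d = seq[i]
        for j in range(1, L + 1):
            d ^= c[j] & seq[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L


def report(q):
    """Summary of properties 4-8 for the sequence of -1/q."""
    seq = strictly_periodic_sequence(q)
    T = len(seq)
    return {
        "period": T,
        "l_sequence": is_l_sequence(q),
        "symmetrically_complementary": is_symmetrically_complementary(seq),
        "q_divides_2^(T/2)+1": mittelbach_finger_criterion(q, T),
        "nearly_de_bruijn": is_nearly_de_bruijn(seq, q),
        "linear_complexity": linear_complexity(seq * 2),
    }


if __name__ == "__main__":
    for q in (17, 19):
        print(q, report(q))
```

For $q = 17$ the period is 8 and only 8 cyclic windows of length 4 exist, so the 16 possible 4-bit strings cannot all occur and the nearly de Bruijn test fails, exactly as property 5's counterexample suggests; for $q = 19$ all 16 strings of length 4 appear and the 18 strings of length 5 are distinct. The linear complexity reported for $q = 17$ is 5, the bound $t + 1$ of property 8 with $t = 4$, and for $q = 19$ it is at most $10$.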

In this chapter we have briefly surveyed the theory of FCSR sequences and
seen how many of the results in this theory closely resemble those in the theory of
LFSR sequences. In the next chapter, we will use these results to devise simple but
effective algorithms to generate a large number of FCSR architectures. The algo-
rithms ensure that the output sequences of these architectures satisfy the necessary
conditions for keystream generators mentioned in Chapter 1.

CHAPTER 3

SEARCH ALGORITHMS FOR FCSR ARCHITECTURES

We have stated the requirements for pseudorandom sequences in Chapter 1 and studied some of their properties in Chapter 2. Now we turn to ways of finding architectures that generate such sequences. In practice, while designing feedback shift
registers for use in stream ciphers, the cryptographer would like to start by specifying
a set of criteria on the minimum period, complexity, and distribution properties of
the output sequence of the shift register. The next step would be to generate a large
number of architectures that satisfy these criteria. This is followed by performing
extensive statistical tests on sequences generated by each of these architectures and
rejecting any that fail the tests. A number of statistical test suites are available for this
purpose such as the statistical testing suite developed by the NIST, the DIEHARD
battery of tests of George Marsaglia, and ENT of John Walker. If a particular archi-
tecture passes all or most of these tests, the cryptographer can then have a measure of
confidence in the quality of the sequence generated by the shift register architecture.

In this chapter, we devise simple, practical algorithms to generate a large number of FCSR architectures with specified properties. The cryptographer may specify
these desirable properties in terms of some performance parameters of the output
sequences such as:

1. the output sequences must have a period greater than some specified value,

2. the output sequences must have a 2-adic complexity greater than a specified
value,

3. the output sequences must have a specified distribution property, such as, for
example, the nearly de Bruijn property.

Hardware or memory resource limitations may give rise to additional constraints such
as:

1. the number of cells in the main register must not exceed a specified value,

2. the number of non-zero taps must not exceed a specified value, or must be ex-
actly equal to some value.

The search algorithms presented in this chapter solve some of these problems. These
algorithms are by no means the most computationally efficient, and we have not at-
tempted to analyse their computational complexity. Further, use of these algorithms
to generate parameters for FCSRs does not guarantee the security of a stream cipher.
However, they ensure that the necessary conditions for good quality output sequences
hold, and serve as effective and practical tools to aid the cryptographer in stream
cipher design.

3.1 THE SEARCH ALGORITHMS

The general idea of the search algorithms for FCSRs is as follows. Suppose
we require a number of FCSR architectures which must have a guaranteed minimum
period of T . We need to generate an integer q such that the multiplicative order of 2
modulo q is at least T . Our basic search algorithm does exactly this. Essentially, we
look for those cyclic groups in which the subgroup generated by 2 has a large enough
order. In order to ensure good distribution properties and complexity measures for the
FCSR sequences, we restrict our attention to cyclic groups Z/qZ, where q is either an
odd prime or a power of an odd prime, and test for the primitivity of 2 modulo q.

There may be additional constraints on $q$ such as a fixed number of tap connections. A moment's consideration shows that if the register size is $r$ and the number of non-zero taps is $h$, then there are $\binom{r-1}{h-1}$ potential connection integers that satisfy the constraints on the register size and the number of non-zero taps (the tap $q_r$ is always set, by Equation 2.14). In this case, it may not be feasible to exhaustively generate all the potential connection integers and test whether they satisfy the specified criterion on the period. We therefore devise a simpler 'sliding window'-based approach to the problem. More complex algorithms could be designed based on ideas developed by Knuth for generating $n$-tuples.

For the case of the d-FCSR, we develop an algorithm that generates connection integers $q$ of the form $q = q_0 + q_1 \pi$ such that $q_0^2 - p q_1^2 = N$, where $p$ is a square-free modulus and the norm $N$ is a prime greater than the desired minimum period.  For this search problem, $p$ (a square-free integer), $d = 2$, and $T$ (the minimum period) are specified, and $q_0$ and $q_1$ are to be determined.

In the rest of this section we describe each of these search algorithms in detail.
The first two search algorithms for the LFG and the AWC are almost trivial, but we
present them here for the sake of completeness.

3.1.1 Search algorithm for the LFG

Input:

Minimum period, T > 0

Modulus or base, m = 2n , n > 0

Number of architectures to be generated, R > 0

Output:

R values of the long lag ri such that the period of the corresponding LFGs is
greater than T for every si , such that 0 < si < ri .

Algorithm L:

[1. Compute minimum $r$] Compute the smallest integer $k$ such that $2^k > T/2^{n-1} + 1$. Let this value of $k$ be denoted $k_{\min}$.

[2. Iterate] Every $r \ge k_{\min}$ is a valid long lag satisfying the given constraints. Output $k_{\min}$ and the next $R - 1$ integers greater than $k_{\min}$ as valid long lags $r_i$.

We assume that the diamond operator used in the LFG is addition modulo $m = 2^n$ and that the lag pair $(r, s)$ corresponds to a primitive trinomial $x^r + x^s + 1$ over $\mathbb{F}_2$. The period of an LFG with $r$ stages is then $(2^r - 1)2^{n-1}$; the factor $2^{n-1}$ comes from the carries between bit positions, and with XOR in place of addition the bit positions would not interact and the period would only be $2^r - 1$, whatever the value of $n$. Under these assumptions the period does not depend upon the particular short lag. Since we desire LFGs with period greater than $T$, it suffices if the long lag is such that $2^r > T/2^{n-1} + 1$. Clearly, if any $r$ satisfies this inequality, any other integer greater than $r$ also satisfies it. The algorithm is then a trivial consequence of this observation.

Example 3.1.1 Let $m = 2^2$ and let the minimum period be $T = 134$. Since $2^7 = 128 > T/2^{2-1} + 1 = 68$ while $2^6 = 64$ is not, any $r \ge 7$ will be sufficient. Thus the periods for $r = 7, 8, 9, \ldots$ are respectively $254, 510, 1022, \ldots$.

3.1.2 Search algorithm for the AWC

Input:

Minimum period, T > 0

Modulus or base, b > 1

Number of architectures to be generated, R > 0

Output:

R values of the long lag ri and short lag si such that the order of b modulo each
bri + b si − 1 is greater than T .

Algorithm W:

[1.] Set $i = 0$.

[2.] Calculate the power of the base $k$ such that $b^k < T < b^{k+1}$.

[3.] Set $j = 1$.

[4.] Compute $m = b^k + b^j - 1$.

[5.] If the order of $b$ mod $m$ is at least $T$, set $i = i + 1$, $r_i = k$ and $s_i = j$; if $i = R$ go to step 8.

[6.] Set $j = j + 1$; if $j < k$ go to step 4.

[7.] Set $k = k + 1$ and go to step 3.

[8.] Output $r_i$ and $s_i$ for $i = 1, 2, \ldots, R$.

In this algorithm we generate integers of the form $m = b^k + b^j - 1$ where $k > j$ and ensure that the order of $b$ modulo $m$ is at least $T$ (note that $m \equiv -1 \pmod b$, so $b$ is always invertible modulo $m$). The initial value for $k$ is chosen such that it is the greatest exponent for which $b^k < T$. Since $j < k$, if the initial value of $k$ is any smaller, then $m$ cannot be greater than $T$, and an order of at least $T$ is then impossible. Therefore, we eliminate the case of smaller starting values for $k$ from our search.

Example 3.1.2 Let $b = 10$ and let the minimum period be $T = 1123$. Then the lags $(4, 1)$, $(4, 2)$, $(4, 3)$, and $(5, 2)$ give rise to sequences of periods $5004$, $3366$, $5168$, and $16140$, respectively. (The corresponding moduli are $10009$, $10099$, $10999 = 17 \cdot 647$ and $100099 = 31 \cdot 3229$; for the two composite moduli the period is the least common multiple of the orders of 10 modulo the prime factors.)

3.1.3 The basic FCSR search algorithm

The basic strategy for this algorithm is as follows: generate a prime larger than the specified period and compute the order of 2 modulo that prime. If this is at least the specified period, we accept the prime as valid. Otherwise, we may proceed by generating a smaller prime and checking that 2 is a primitive root modulo this smaller prime. If 2 is also primitive modulo the square of this prime (equivalently, $2^{p-1} \not\equiv 1 \pmod{p^2}$), then it follows that 2 is primitive modulo any power of the prime. We can then choose that power of the prime as connection integer for which the period $p^k - p^{k-1}$ is at least the value specified.

Algorithm S:

Input:

Minimum period, T > 0

Number of architectures to be generated, R > 0

Output:

R connection integers q such that the order of 2 modulo q > T

[0. Initialise] Set $C \leftarrow 0$; if $T < \mathrm{POWERING\_THRESHOLD}$ go to step 1; else go to step 4.

[1. Generate prime] Generate a prime $q$ larger than $T$.

[2. Compute order] If the order of 2 mod $q$ is less than $T$, replace $q$ by the next prime greater than $q$ and repeat this step; else store $q$ and the order of 2 mod $q$ and set $C \leftarrow C + 1$.

[3. Is $C < R$?] If $C < R$, replace $q$ by the next prime greater than $q$ and go to step 2; else ($C = R$) return the $C$ connection integers and the corresponding orders of 2 modulo each of these connection integers.

[4. Powering] Set $A \leftarrow \mathrm{START\_PRIME}$.

[5. Compute next prime] Generate a prime $q$ greater than $A$.

[6. Check primitivity] If the order of 2 mod $q$ is not equal to $q - 1$ (primitivity check), set $A \leftarrow q$ and go to step 5.

[7. Lift to a prime power] If $2^{q-1} \not\equiv 1 \pmod{q^2}$, then 2 is primitive modulo $q^2$ and also primitive modulo $q^k$ for every $k \ge 1$, with order $q^k - q^{k-1}$; choose the smallest $k$ with $q^k - q^{k-1} \ge T$, store $q^k$ and the order of 2 modulo $q^k$, and set $C \leftarrow C + 1$. If instead $2^{q-1} \equiv 1 \pmod{q^2}$, set $A \leftarrow q$ and go to step 5.

[8. Is $C < R$?] If $C < R$, set $A \leftarrow q$ and go to step 5; else ($C = R$) return the $C$ connection integers and the corresponding orders of 2 modulo each of these connection integers.

This algorithm uses two machine dependent constants, namely, START_PRIME


and POWERING_THRESHOLD. These constants are used to determine when to
switch from generating prime connection integers to prime power connection inte-
gers, and the value of the smallest prime base to choose for the powering subroutine.
Considerable tweaking may be required in order to find the right values for a given
machine.

Example 3.1.3 Let minimum T = 169. Then the following connection integers spec-
ify valid architectures: q = 173, 179, 181, 197. The respective periods are 172, 178,
180, 196. In this case, it turns out that the connection integers all have 2 as a primitive
root.
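The two search procedures above (Algorithm W in Section 3.1.2 and Algorithm S in Section 3.1.3) rest on the same primitive, the multiplicative order of a base modulo a candidate integer. The Python below is an added example, not code from the thesis, that implements Algorithm W (lag pairs $(k, j)$ with $\mathrm{ord}_{b^k + b^j - 1}(b) \ge T$) and both branches of Algorithm S; `start_prime` plays the role of START_PRIME, and the choice of branch is left to the caller instead of a POWERING_THRESHOLD constant. The order routine is brute force, which is adequate for the sizes of Examples 3.1.2 and 3.1.3 but not for cryptographic sizes, where one would factor $q - 1$ and test $2^{(q-1)/\ell}$ for each prime divisor $\ell$ instead.

```python
from math import gcd


def is_prime(n):
    """Trial division; fine for the small candidates used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def next_prime(n):
    """Smallest prime strictly greater than n."""
    n += 1
    while not is_prime(n):
        n += 1
    return n


def mult_order(b, m):
    """Multiplicative order of b modulo m (brute force; m small)."""
    assert gcd(b, m) == 1
    x, k = b % m, 1
    while x != 1:
        x, k = x * b % m, k + 1
    return k


def awc_search(b, T, R):
    """Algorithm W: R lag pairs (k, j), j < k, with ord(b) modulo b^k + b^j - 1 at least T."""
    found = []
    k = 1
    while b ** (k + 1) < T:  # greatest k with b^k < T, the smallest long lag worth trying
        k += 1
    while True:
        for j in range(1, k):
            m = b ** k + b ** j - 1  # m = -1 (mod b), so gcd(b, m) = 1
            if mult_order(b, m) >= T:
                found.append((k, j))
                if len(found) == R:
                    return found
        k += 1


def fcsr_search(T, R):
    """Algorithm S, steps 1-3: R primes q > T with ord_q(2) >= T, returned with their orders."""
    found, q = [], T
    while len(found) < R:
        q = next_prime(q)
        order = mult_order(2, q)
        if order >= T:
            found.append((q, order))
    return found


def fcsr_powering_search(T, R, start_prime=2):
    """Algorithm S, steps 4-8: primes p > start_prime with 2 primitive mod p and
    2^(p-1) != 1 (mod p^2); q = p^k for the least k with ord_q(2) = p^k - p^(k-1) >= T."""
    found, p = [], start_prime
    while len(found) < R:
        p = next_prime(p)
        if mult_order(2, p) != p - 1:  # step 6: primitivity check
            continue
        if pow(2, p - 1, p * p) == 1:  # step 7: 2 would not stay primitive modulo p^2
            continue
        k = 1
        while p ** k - p ** (k - 1) < T:
            k += 1
        found.append((p ** k, p ** k - p ** (k - 1)))
    return found


if __name__ == "__main__":
    print("AWC lags, b = 10, T = 1123:", awc_search(10, 1123, 4))
    print("FCSR primes, T = 169:", fcsr_search(169, 4))
    print("FCSR prime powers, T = 169:", fcsr_powering_search(169, 2))
```

Run as a script, the first two lines reproduce Examples 3.1.2 and 3.1.3; the powering branch with the defaults returns $3^6 = 729$ (period $486$) and $5^4 = 625$ (period $500$), the smallest powers of $3$ and $5$ whose period reaches $169$.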

3.1.4 FCSR search with additional constraints

An important consideration in the implementation of FCSR circuits in hardware is the number of multipliers required. The greater the number of multipliers required, the greater the area, cost and power dissipation of the chip. Hardware designers may therefore impose absolute limits on the number of multipliers that can be used in the FCSR implementation. These limits constrain the number of non-zero feedback connections that a valid FCSR architecture can have.

If the register size is $r$ and the number of non-zero taps is $h$, where $r \ge h > 0$, then there are $\binom{r-1}{h-1}$ potential connection integers that satisfy the criteria on the register size and the number of non-zero taps. For large $r$, and $h$ approximately equal to $r/2$, it may not be feasible to check every possible connection integer with $h$ non-zero taps. The strategy we adopt is as follows: we fix the tap at the right extremity of the main register, that is, the register cell closest to the output. Thus the minimum value of $q$ is $2^r - 1$. This leaves $h - 1$ taps to be assigned to $r - 1$ register cells. We begin by assigning a block, or window, of $h - 1$ ones to the leftmost taps $q_1, \ldots, q_{h-1}$. At every iteration this block is moved one position to the right, and the corresponding connection integer is checked to see if it meets the period requirement. When the block reaches the right extreme, next to the fixed tap $q_r$, we begin again from the left end, but introduce a zero after the first tap of the block, so that one tap stays fixed at the left and the remaining $h - 2$ ones form the block. This block is again slid towards the right until it reaches the right extreme. In the next iteration, another tap is fixed at the left, the zero moves one position to the right, and the (now shorter) block is again slid towards the right. We repeat this procedure until we have the requisite number of connection integers or until the sliding block would be empty, in which case we may continue the search by repeating the procedure for $r + 1$, $r + 2$, and so on. Note that this enumeration visits only a subset of the $\binom{r-1}{h-1}$ tap patterns (those with at most one gap between the fixed taps and the block), which is the price paid for its simplicity.

We now describe the algorithm that returns FCSR architectures of a specified minimum period and a specified number of non-zero taps.

Input:

Minimum period, T > 0

Base, b > 1

Number of non-zero taps, h > 0

Minimum register size, r ≥ h

Number of architectures required, n > 0

Output:
$n$ integers $Q_i$ such that the order of 2 modulo each $Q_i$ is at least $T$, and such that $Q_i + 1$ has exactly $h$ non-zero coefficients in its base-2 expansion.

Algorithm F:

[1.] Set $i = 0$.

[2.] Let $q_{\min} = 2^r - 1$ and $q_0 = 2 + 2^2 + 2^3 + \cdots + 2^{h-1}$ (a window of $h - 1$ adjacent ones).

[3.] Set $\ell = 0$.

[4.] Calculate $q = q_{\min} + 2^{\ell} q_0$.

[5.] If the order of 2 modulo $q$ is at least $T$, set $i = i + 1$ and $Q_i = q$. If $i = n$ go to step 16.

[6.] Set $\ell = \ell + 1$; if $\ell \le r - h$ go to step 4 (for $\ell = r - h$ the window occupies bits $r - h + 1, \ldots, r - 1$, next to the fixed tap $q_r$).

[7.] Set $k = 1$.

[8.] Let $s_0 = 2^{k+2} + 2^{k+3} + \cdots + 2^{h}$ (a window of $h - 1 - k$ adjacent ones).

[9.] Compute $s = q_{\min} + 2^1 + 2^2 + \cdots + 2^k$ ($k$ taps fixed at the low end, with $q_{k+1} = 0$).

[10.] Set $\ell = 0$.

[11.] Compute $q = s + 2^{\ell} s_0$.

[12.] If the order of 2 modulo $q$ is at least $T$, set $i = i + 1$ and $Q_i = q$. If $i = n$ go to step 16.

[13.] Set $\ell = \ell + 1$; if $\ell \le r - h - 1$ go to step 11 (the top bit of the window is then $\ell + h \le r - 1$).

[14.] Set $k = k + 1$; if $k \le h - 2$ go to step 8 (for $k = h - 1$ the window would be empty and $q$ would repeat the value already tested in step 4 with $\ell = 0$).

[15.] Set $r = r + 1$ and go to step 2.

[16.] Output $Q_i$, for $i = 1, 2, \ldots, n$.

This algorithm is certainly not the most efficient way to generate connection
integers with a fixed number of non-zero taps. It should be noted, however, that the
general problem is hard. In fact, we cannot even be sure that there are sufficiently
many connection integers with the given number of non-zero taps in their binary ex-
pansion. This problem is related to much deeper questions in number theory concern-
ing the number of primes that have exactly k 1-bits or 0-bits in their binary expansion.
Wagstaff (2001) considered primes with a fixed number of 1s or 0s in their binary ex-
pansion and asked whether there exists any k for which we can prove that there are
infinitely many primes with exactly k 1-bits in their binary expansions. He also posed
the related question of whether there exists any k for which we can prove that there
are infinitely many primes with ≤ k 1-bits. Wagstaff conjectured that the answers to
both questions are positive, and that any k ≥ 3 is sufficient.

Example 3.1.4 Let minimum period be 1356 and let the number of non-zero taps be
7. Then the connection integers 3041, 2293, 2957 give rise to sequences of period
1520, 2292, 2956, respectively.
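The following Python function is an added example, not the thesis's own implementation, of the sliding-window enumeration of Algorithm F for the 2-adic case: the tap $q_r$ is fixed, a window of $h - 1$ adjacent ones is slid across the remaining $r - 1$ positions, and then, for $k = 1, 2, \ldots, h - 2$, $k$ ones are fixed at the low end, a zero is inserted, and the remaining $h - 1 - k$ ones are slid. The loop bounds let each window run up to the position next to $q_r$, and the multiplicative order is computed by brute force, which is fine for the 12-bit connection integers of Example 3.1.4 but would have to be replaced by an order computation based on the factorisation of $q - 1$ at cryptographic sizes.

```python
def mult_order(b, q):
    """Multiplicative order of b modulo q (brute force; q is a few thousand here)."""
    x, k = b % q, 1
    while x != 1:
        x, k = x * b % q, k + 1
    return k


def tap_count(q):
    """Number of non-zero taps: the one-bits of q + 1 (equation 2.14)."""
    return bin(q + 1).count("1")


def window(lo, hi):
    """2^lo + 2^(lo+1) + ... + 2^hi, the contribution of adjacent taps lo..hi to q + 1."""
    return sum(1 << i for i in range(lo, hi + 1))


def fixed_tap_search(T, h, r, n):
    """Algorithm F: n connection integers q with exactly h non-zero taps and ord_q(2) >= T,
    register size r (then r + 1, r + 2, ... if needed), enumerated by sliding windows."""
    assert 2 <= h <= r
    found = []
    while True:
        q_min = (1 << r) - 1  # q + 1 = 2^r: only the tap q_r is set
        # phase 1: a single window of h - 1 ones at bit positions l + 1 .. l + h - 1
        q0 = window(1, h - 1)
        for l in range(0, r - h + 1):  # l = r - h puts the window next to q_r
            q = q_min + (q0 << l)
            if mult_order(2, q) >= T:
                found.append(q)
                if len(found) == n:
                    return found
        # phase 2: k ones fixed at bits 1..k, a zero at bit k + 1, a window of h - 1 - k ones sliding
        for k in range(1, h - 1):
            s = q_min + window(1, k)
            s0 = window(k + 2, h)
            for l in range(0, r - h):  # the window's top bit l + h must stay below r
                q = s + (s0 << l)
                if mult_order(2, q) >= T:
                    found.append(q)
                    if len(found) == n:
                        return found
        r += 1  # this register size is exhausted; try a longer register


if __name__ == "__main__":
    for q in fixed_tap_search(1356, 7, 11, 4):  # Example 3.1.4: T = 1356, h = 7
        print(q, bin(q + 1), "taps:", tap_count(q), "period:", mult_order(2, q))
```

With $T = 1356$, $h = 7$ and $r = 11$ the enumeration yields $3041$ first (one fixed tap, the five-bit window at bits 5 to 9) and $2293$ next (two fixed taps, the window at bits 4 to 7); $2957$ (three fixed taps, window at bits 7 to 9) follows after one further candidate, so the three integers of Example 3.1.4 are exactly the patterns this procedure visits, and every returned $q$ has $\mathrm{wt}(q + 1) = 7$.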

3.1.5 Search algorithm for d-FCSRs

Operation of the delayed-FCSR (d-FCSR)

The operation of the d-FCSR is similar to the 2-adic FCSR except that each carried bit is delayed $d - 1$ steps before being added. In this section, we give a brief description of the theory of the d-FCSR after the fashion of Goresky and Klapper (1995), where a more detailed account of the theory may be found. Let $p$ denote a positive integer and let $d \ge 1$ be such that $\pi^d - p$ is an irreducible polynomial in $\pi$ over the rational numbers. Note that this occurs only when $p$ is not a $k$th power for any prime $k$ dividing $d$. Let $\pi \in \mathbb{R}$ be the positive real solution to $\pi^d = p$. We define the ring $\mathbb{Z}[\pi]$ as the set of all real numbers of the form
$$u_0 + u_1 \pi + u_2 \pi^2 + \cdots + u_{d-1} \pi^{d-1} \qquad (3.1)$$
with $u_i \in \mathbb{Z}$. The fraction field of $\mathbb{Z}[\pi]$, denoted $\mathbb{Q}[\pi]$, is the set of all real numbers of the form given by Equation 3.1 with $u_i \in \mathbb{Q}$. Every element of $\mathbb{Q}[\pi]$ may be expressed as a fraction $u/v$ with $u, v \in \mathbb{Z}[\pi]$. We can also view $\mathbb{Q}[\pi]$ as a vector space over $\mathbb{Q}$ of dimension $d$ with the basis vectors given by $\{1, \pi, \pi^2, \ldots, \pi^{d-1}\}$, and the elements of $\mathbb{Z}[\pi]$ in $\mathbb{Q}[\pi]$ are referred to as the lattice points of $\mathbb{Q}[\pi]$.

We define the ring $\mathbb{Z}_\pi$ as the set of all infinite formal expressions of the form
$$\alpha = a_0 + a_1 \pi + a_2 \pi^2 + \cdots$$
where $a_i \in T = \{0, 1, \ldots, p - 1\}$, with the obvious operations of addition and multiplication using $\pi^d = p$. Note that when $d = 1$, $\mathbb{Z}[\pi] = \mathbb{Z}$, $\mathbb{Q}[\pi] = \mathbb{Q}$, and $\mathbb{Z}_\pi = \mathbb{Z}_p$, the ring of $p$-adic integers. Now any element $u/q \in \mathbb{Q}[\pi]$ where $u, q \in \mathbb{Z}[\pi]$ is also in $\mathbb{Z}_\pi$ if and only if the denominator $q = \sum_{i=0}^{d-1} q_i \pi^i$ is invertible modulo $\pi$, which is equivalent to $q_0$ being relatively prime to $p$. Then the $\pi$-adic expansion of $u/q$ given by
$$\frac{u}{q} = \sum_{i=0}^{\infty} a_i \pi^i \in \mathbb{Z}_\pi$$
where $a_i \in T$ is unique, and we refer to the sequence $a_0, a_1, a_2, \ldots$ as the coefficient sequence of $u/q$. The output of a d-FCSR is defined to be the coefficient sequence of the $\pi$-adic expansion of the fraction $u/q$ where $u, q \in \mathbb{Z}[\pi]$ and where $q$ is invertible modulo $\pi$.

Search algorithm for d = 2

The algorithm searches for a connection integer $q$ of the form $q = q_0 + q_1 \pi$ such that
$$q_0^2 - p q_1^2 = N \qquad (3.2)$$
where $p$ is a square-free modulus and $N$ is a prime greater than the desired minimum period. The equation

Input:

Degree or delay, $d = 2$.

Modulus or base, $p$, a square-free integer.

Minimum period required, $T$

Output:

$q_0$ and $q_1$ satisfying $\mathrm{norm}(q) = N(q) = q_0^2 - p q_1^2 = N$

[0. Next prime] Generate the next prime $N$ greater than $T$.

[1. Check Legendre symbol] If the Legendre symbol $\left(\frac{p}{N}\right) = -1$, go back to step 0 to get the next prime. Continue until the prime $N$ generated in step 0 is such that $\left(\frac{p}{N}\right) = 1$. When $\left(\frac{p}{N}\right) = 1$, go to the next step (note: $\left(\frac{p}{N}\right) \neq 0$ since $N$ is prime and $N \nmid p$; by Euler's criterion the symbol is $p^{(N-1)/2} \bmod N$).

[2. Solve quadratic congruence] We solve the equation $x^2 \equiv p \pmod N$. Let the solution be $x_0$.

[3. Subroutine: Modified Cornacchia's algorithm]

Input: $x_0$, the solution of the quadratic congruence

Output: If there is a solution, the algorithm returns $q_0$ and $q_1$.

Given $x_0$ and $N$, define two sequences $(a_n)$ and $(r_n)$ as follows:
$$x_0 = a_0 \times N + r_0$$
$$N = a_1 \times r_0 + r_1$$
$$\cdots$$
$$r_i = a_{i+2} \times r_{i+1} + r_{i+2}$$
$$\cdots$$
The algorithm stops at some $k$, where $r_k^2 < N < r_{k-1}^2$.

If the equation $q_0^2 - p q_1^2 = N$ has a solution, it is
$$q_0 = r_{k-1}, \qquad q_1 = \sqrt{\frac{N - r_{k-1}^2}{-p}} = \sqrt{\frac{r_{k-1}^2 - N}{p}}.$$
If $(r_{k-1}^2 - N)/p$ is not a perfect square, no solution is generated in this step: go to step 0; else, proceed.

[4. Compute $m$] Compute $m = -p q_1 / q_0 \pmod N$ (this is the residue of $\pi$ modulo $q$, since $q_0 + q_1 \pi \equiv 0$). Compute the order of $m$ modulo $N$. If the order of $m$ is less than $T$, go to step 0 and generate the next prime.

[5. Output $q$] Output $q_0$, $q_1$ and the order of $m$ modulo $N$.

Example 3.1.5 Let p = 6 and let the minimum period be 133. Then connection
integers 193, 211, 283, 331 correspond to the elements 17 + 4π, 19 + 5π, 17 + π,
25 + 7π, respectively, and the periods of their output sequences are 192, 210, 141,
165, respectively.
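As an added example, not the thesis's code, the Python below implements the $d = 2$ search end to end: it walks through the primes $N > T$, keeps those with $\left(\frac{p}{N}\right) = 1$ by Euler's criterion, takes a square root of $p$ modulo $N$ with Tonelli-Shanks, runs the Euclidean remainder sequence of step 3 to split $N = q_0^2 - p q_1^2$, and finally computes $m = -p q_1 q_0^{-1} \bmod N$ and its order. Two details are choices of this example rather than statements of the thesis: both square roots $x_0$ and $N - x_0$ are tried in step 3, and a candidate $N$ is silently skipped when no split exists, since the norm form $x^2 - p y^2$ need not represent every prime for which $p$ is a quadratic residue (for $p = 6$, no prime $N \equiv 2 \pmod 3$ is represented). The order routine is brute force, adequate for the sizes of Example 3.1.5.

```python
from math import gcd, isqrt


def is_prime(n):
    """Trial division; fine for the small norms used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def next_prime(n):
    """Smallest prime strictly greater than n (step 0)."""
    n += 1
    while not is_prime(n):
        n += 1
    return n


def mult_order(b, m):
    """Multiplicative order of b modulo m (brute force; m small)."""
    assert gcd(b, m) == 1
    x, k = b % m, 1
    while x != 1:
        x, k = x * b % m, k + 1
    return k


def sqrt_mod_prime(a, N):
    """Tonelli-Shanks: some x with x^2 = a (mod N), N an odd prime and a a quadratic residue (step 2)."""
    a %= N
    if N % 4 == 3:
        return pow(a, (N + 1) // 4, N)
    q, s = N - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1
    z = 2
    while pow(z, (N - 1) // 2, N) != N - 1:  # any quadratic non-residue will do
        z += 1
    m, c, t, r = s, pow(z, q, N), pow(a, q, N), pow(a, (q + 1) // 2, N)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2 = t2 * t2 % N
            i += 1
        b = pow(c, 1 << (m - i - 1), N)
        m, c, t, r = i, b * b % N, t * b * b % N, r * b % N
    return r


def split_norm(N, p, x0):
    """Step 3: Euclidean remainders of (N, x0) down to the last r with r^2 > N; then N = r^2 - p*y^2
    must hold with y integral. Returns (q0, q1) = (r, y), or None when no such split exists."""
    prev, cur = N, x0 % N
    while cur and cur * cur >= N:
        prev, cur = cur, prev % cur
    num = prev * prev - N
    if num % p:
        return None
    y = isqrt(num // p)
    return (prev, y) if y * y * p == num else None


def d2_fcsr_search(p, T, R):
    """R tuples (N, q0, q1, period) with N prime, N = q0^2 - p*q1^2 and period = ord_N(m) >= T,
    where m = -p*q1/q0 mod N is the residue of pi modulo q = q0 + q1*pi (steps 0-5)."""
    found, N = [], T
    while len(found) < R:
        N = next_prime(N)
        if pow(p % N, (N - 1) // 2, N) != 1:  # step 1: Legendre symbol (p/N) must be +1
            continue
        x0 = sqrt_mod_prime(p, N)
        split = split_norm(N, p, x0) or split_norm(N, p, N - x0)  # both roots (choice of this example)
        if split is None:
            continue  # (p/N) = 1 does not guarantee that x^2 - p*y^2 represents N
        q0, q1 = split
        m = (-p * q1 * pow(q0, -1, N)) % N  # step 4
        period = mult_order(m, N)
        if period >= T:
            found.append((N, q0, q1, period))  # step 5
    return found


if __name__ == "__main__":
    for N, q0, q1, period in d2_fcsr_search(6, 133, 4):  # Example 3.1.5: p = 6, T = 133
        print(f"N = {N} = {q0}^2 - 6*{q1}^2, connection element {q0} + {q1}*pi, period {period}")
```

Run as a script this reproduces Example 3.1.5 exactly; the primes it discards on the way are instructive: 139, 163, 241, 307 and 313 all split (for instance $241 = 25^2 - 6 \cdot 8^2$) but their $m$ has order 23, 81 or less, 40, 51 and 104 respectively, all below $T = 133$, which is why the order check of step 4 cannot be skipped.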

The d-FCSR with d ≥ 3

The theory of the d-FCSR for $d \ge 3$ is not well understood. For instance, an optimal estimate on the memory needed for implementing a d-FCSR is not known when $d \ge 3$ (Klapper and Goresky 1997). This makes the search algorithm impractical for the d-FCSR with $d \ge 3$ with the approach taken by us. However, when $d = 2$, an analogue of the analysis for $N$-adic FCSRs holds good. More work is needed on d-FCSRs for $d \ge 3$ in order that the search for architectures can be carried out in the same manner we have outlined in this chapter.

CHAPTER 4

FCSR COMBINER GENERATORS

Linear feedback shift registers (LFSRs) have been the workhorses of stream
cipher design for the past several decades. They are well-understood, easy to imple-
ment both in hardware and software, and are extremely fast. An important measure of
the security of a classical stream cipher is the linear complexity of the pseudorandom
keystream generator used in its design. The linear complexity of a sequence is de-
fined as the size of the smallest LFSR that generates the given sequence. Sequences
of low linear complexity are susceptible to cryptanalysis via the Berlekamp-Massey
algorithm (Massey 1969). Hence the LFSR cannot directly be used as a keystream
generator in stream ciphers. By introducing suitable nonlinearities in the output or
feedback function of the LFSR, it is often possible to increase the linear complexity,
and thus reduce the predictability, of the output sequence.

A number of methods have been devised to increase the linear complexity of sequences by including nonlinear feed-forward functions in an LFSR-based keystream generator. For example, two LFSR sequences $a$ and $b$ of periods $T_1$ and $T_2$ respectively may be combined using the XOR function to yield a new sequence $c$ whose period $T$ divides $\mathrm{lcm}(T_1, T_2)$. In general, $n$ LFSRs may be used and combined using some nonlinear boolean function. Such a construction is called a combination generator or combiner. There is a huge amount of literature on this subject and families of constructions such as clock-controlled generators, combiners and filter generators have been studied extensively over the last three decades. Here, we only mention the papers by Groth (1971), Key (1976), Gollmann and Chambers (1989), and Massey and Serconek (1996). The books by Rueppel (1986) and Schneier (1996) also provide good accounts of the theory.

Key (1976) first studied the effect of combining two LFSR sequences using the bit-wise AND operation as the combining function. He found that when the two LFSRs had distinct irreducible characteristic polynomials of degrees $r$ and $s$ respectively, with $\gcd(r, s) = 1$,

1. the product sequence (bit-wise AND) has period equal to the LCM of the periods of the two LFSRs, and

2. the linear complexity of the product sequence is $rs$.

Key also proved bounds on the complexity of filtered LFSR sequences in which
shifted ‘phases’ of a single LFSR sequence are combined nonlinearly. These re-
sults have subsequently been improved by a number of investigators (Herlestam 1985,
Rueppel and Staffelbach 1987, Golić 1989, Göttfert and Niederreiter 1993, Kolokotro-
nis and Kalouptsidis 2003, and Lam and Gong 2004).

FCSR sequences share many of the important properties of LFSR sequences. Like LFSRs, FCSRs cannot be used directly in stream ciphers: FCSR sequences have high linear complexity and good statistical properties, but they are synthesised by a 2-adic analogue of the Berlekamp-Massey algorithm, so a keystream prefix of about twice the 2-adic complexity suffices to recover the fraction $p/q$ and hence the generator. This algorithm, due to de Weger (1986), is based on the theory of approximation lattices of $p$-adic numbers and gives rise to the notion of the 2-adic complexity of a sequence. Upper bounds on the linear and 2-adic complexity of $\ell$-sequences and lower bounds on some special types of $\ell$-sequences were established in the work of Klapper and Goresky (1997), Xu (2000), and Seo et al. (2000). Stream ciphers using FCSRs still remain largely unexplored (Schneier 1996). To our knowledge, there have been only a handful of papers describing or analysing the properties of stream cipher designs based on FCSRs (Arnault, Berger and Necer 2002, Arnault and Berger 2004, Arnault and Berger 2005, Mittelbach and Finger 2004, Tasheva, Bedzhev and Stoyanov 2004). There have been no previous attempts to determine the period, linear complexity and 2-adic complexity of combiners using FCSRs. Mittelbach and Finger (2004) carried out a large number of numerical experiments and conjectured upper bounds on the linear complexity of a particular type of generator called the Geffe generator in which 2-adic FCSRs were used as primitives. Our results, on the other hand, are the first to prove upper bounds on the 2-adic complexity of combiner generators.

According to Arnault and Berger (2005), the feedback function of the FCSR
is highly nonlinear and hence FCSR sequences are resistant to linear attacks such as
the Berlekamp-Massey algorithm. They claim that a linear filter function adequately
masks the 2-adic structure of the FCSR. Further, they state that linear functions are
optimal from the point of view of resilience and that linear functions provide protec-
tion against certain correlation attacks. Linear functions are also the easiest from the
implementation point of view. For this reason, we chose our combiner function to be
the XOR operation.

In this thesis, we study the periodicity, symmetric complementarity, linear
complexity and 2-adic complexity of combiner generators that use two 2-adic FC-
SRs as primitives and the XOR operation as the combining function. When the two
FCSRs have odd-prime power connection integers with 2 as a primitive root, we de-
termine the period of the output sequence (Theorem 4.2.3). We prove that when the
prime factors of the connection integers of the two FCSRs belong to different equiv-
alence classes modulo 4, the output sequence is symmetrically complementary. We
then use this property to derive upper bounds on the linear complexity and the 2-adic
complexity of the output sequence of the FCSR-combiner (Anand and Ramanan, to
appear in ASIACCS’06).

With the aim of proving results similar to those of Key and others for the case
of FCSRs, we conducted a large number of numerical experiments using FCSRs as
the primitives in a combiner generator (see Figure 4.1). The experimental procedure
that was used to obtain the observations was as follows:

1. Fix two distinct prime power connection integers $q_1$ and $q_2$ such that 2 is
primitive modulo $q_1$ and $q_2$.

2. Generate all possible strictly periodic sequences with these connection integers.
Let the set of all strictly periodic sequences (excluding the all-zeroes and all-ones
sequences) with $q_1$ as connection integer be denoted $S_{q_1}$. (These sequences
correspond to all fractions $p_1/q_1$ such that $0 > p_1 > -q_1$ and $\gcd(p_1, q_1) = 1$.)
Clearly, $|S_{q_1}| = \phi(q_1)$ where ϕ is Euler's totient function. Similarly, let $S_{q_2}$
denote the set of all strictly periodic sequences (excluding the all-zeroes and
all-ones sequences) with $q_2$ as connection integer. Then, $|S_{q_2}| = \phi(q_2)$.

3. Compute the bit-wise XOR of every pair of sequences $(a, b) \in S_{q_1} \times S_{q_2}$. There
are exactly $\phi(q_1) \cdot \phi(q_2)$ such pairs, corresponding to every pair of possible values
of $p_1$ and $p_2$.

4. For each sequence output by step 3, synthesise the sequence using de Weger's
algorithm. Observe the period, complexity, and structure of the connection in-
teger of the output sequence.

5. Repeat steps 1-4 for another pair of values of $q_1$ and $q_2$.

Based on the observations made while conducting these experiments, we were able to
conjecture a number of results on the period, complementarity and 2-adic complexity
of combiner sequences. These results are proved in Theorems 4.2.3, 4.2.4 and 4.2.6.
Our aim in this chapter is to prove these results and derive useful design principles
from them.

Consider the truth table for the XOR function which is shown in Table 4.1. We
denote complementation by a bar over the symbol, so that $\bar{x}$ is the complement
of x. Let x, y ∈ {0, 1} and let the symbol ⊕ denote the XOR function or addition
modulo 2. It is easy to verify the following two facts from the truth table:

Fact 4.0.1 $\overline{x \oplus y} = \bar{x} \oplus y = x \oplus \bar{y}$

Fact 4.0.2 $x \oplus y = \bar{x} \oplus \bar{y}$

Table 4.1: Truth table for the XOR function

  x   y   x ⊕ y   $\overline{x \oplus y}$   $\bar{x} \oplus y$   $\bar{x} \oplus \bar{y}$
  0   0     0              1                      1                     0
  0   1     1              0                      0                     1
  1   0     1              0                      0                     1
  1   1     0              1                      1                     0

Figure 4.1: 2-adic FCSR Combiner with XOR combiner function

4.1 NOTATION

With reference to the combiner in Figure 4.1, we now fix the notation for the
rest of this chapter. Let $r_1$ and $r_2$ be two odd primes, not necessarily distinct. Let
$q_1 = r_1^{e_1}$ and $q_2 = r_2^{e_2}$ be two prime powers where $e_1, e_2 > 0$ and such that 2 is a
primitive root modulo $q_1$ and $q_2$. Let $a := (a_i)_{i \geq 0}$ and $b := (b_i)_{i \geq 0}$ be two strictly
periodic binary sequences generated by 2-adic FCSRs with connection integers $q_1$
and $q_2$, respectively. Let $T_1 = (r_1 - 1) r_1^{e_1 - 1}$ and $T_2 = (r_2 - 1) r_2^{e_2 - 1}$ be the periods of
the two sequences a and b respectively and let $L = \mathrm{lcm}(T_1, T_2)$. Let $c := (c_i)_{i \geq 0} :=
a \oplus b := (a_i \oplus b_i)_{i \geq 0}$ be the output sequence obtained by computing the element-wise
exclusive-OR of a and b. Let T be the period of the sequence c and let $-p/q$ be the
rational number in lowest terms whose 2-adic expansion coincides with the sequence
c.

4.2 MAIN RESULTS

Before we proceed to discuss the main theorems, we need a couple of useful
lemmas. The first of these is a well-known fact that can be easily derived from the
results in any introductory textbook on number theory such as, for example, from
Theorem 95 of Hardy and Wright (1979).

Lemma 4.2.1 Let $q = r^e$ be a power of an odd prime r such that 2 is a primitive root
modulo q. Then r is of the form 4k ± 1 where k is odd.

Proof: (from Hardy and Wright (1979))

The proof is by contradiction. Suppose r = 4k ± 1 where k is even. Then
r = 4k ± 1 = 8k' ± 1 for some integer k'. Consider the quadratic character of 2 modulo
q. We know from Euler's criterion on quadratic residues that $\left(\frac{2}{p}\right) \equiv 2^{\phi(p)/2} \equiv \pm 1 \pmod p$
for any prime p, where the sign is taken according as p ≡ ±1 (mod 8) or p ≡ ±3
(mod 8), and where ϕ denotes Euler's totient function. Since r = 8k' ± 1, this implies
that $2^{\phi(r)/2} \equiv +1 \pmod r$ and that 2 is a quadratic residue modulo r. Therefore 2
is also a quadratic residue modulo q and $2^{\phi(q)/2} \equiv +1 \pmod q$. But this contradicts
the fact that if 2 is a primitive root modulo q then $2^i \equiv +1 \pmod q$ for no $i < \phi(q)$.
Hence k cannot be even.

Lemma 4.2.2 Let $q_1 = r_1^{e_1}$ and $q_2 = r_2^{e_2}$ be two powers of odd primes $r_1$ and $r_2$ such
that 2 is a primitive root modulo $q_1$ and $q_2$. Let $T_1 = (r_1 - 1) r_1^{e_1 - 1}$, $T_2 = (r_2 - 1) r_2^{e_2 - 1}$
and let $L = \mathrm{lcm}(T_1, T_2)$.

i. If $r_1 \not\equiv r_2 \pmod 4$ and if $r_1 = 4k_1 + 1$ and $r_2 = 4k_2 - 1$, then $L/T_1$ is odd and
$L/T_2$ is even.

ii. If $r_1 \equiv r_2 \pmod 4$, then both $L/T_1$ and $L/T_2$ are odd.

Proof:

(i.) We have

$$L = \mathrm{lcm}(T_1, T_2) = T_1 T_2 / \gcd(T_1, T_2).$$

Therefore,

$$L/T_2 = \frac{T_1}{\gcd(T_1, T_2)} = \frac{4k_1 (4k_1 + 1)^{e_1 - 1}}{\gcd\big(4k_1 (4k_1 + 1)^{e_1 - 1},\ (4k_2 - 2)(4k_2 - 1)^{e_2 - 1}\big)} = \frac{2k_1 (4k_1 + 1)^{e_1 - 1}}{\gcd\big(2k_1 (4k_1 + 1)^{e_1 - 1},\ (2k_2 - 1)(4k_2 - 1)^{e_2 - 1}\big)}.$$

This is clearly an even number since the denominator is odd and therefore divides
$k_1 (4k_1 + 1)^{e_1 - 1}$ (by Lemma 4.2.1). By similar arguments, $L/T_1$ will be seen to be an
odd number.

(ii.) We can prove this for both $r_1 \equiv r_2 \equiv 1 \pmod 4$ and $r_1 \equiv r_2 \equiv -1 \pmod 4$
by using Lemma 4.2.1 in an argument similar to the one above.

Case 1: $r_1 \equiv r_2 \equiv +1 \pmod 4$

$$L/T_1 = \frac{T_2}{\gcd(T_1, T_2)} = \frac{4k_2 (4k_2 + 1)^{e_2 - 1}}{\gcd\big(4k_1 (4k_1 + 1)^{e_1 - 1},\ 4k_2 (4k_2 + 1)^{e_2 - 1}\big)} = \frac{k_2 (4k_2 + 1)^{e_2 - 1}}{\gcd\big(k_1 (4k_1 + 1)^{e_1 - 1},\ k_2 (4k_2 + 1)^{e_2 - 1}\big)}.$$

This is odd since $k_1$ and $k_2$ are both odd by Lemma 4.2.1. Similarly, $L/T_2$ is also odd.

Case 2: $r_1 \equiv r_2 \equiv -1 \pmod 4$

$$L/T_1 = \frac{T_2}{\gcd(T_1, T_2)} = \frac{(4k_2 - 2)(4k_2 - 1)^{e_2 - 1}}{\gcd\big((4k_1 - 2)(4k_1 - 1)^{e_1 - 1},\ (4k_2 - 2)(4k_2 - 1)^{e_2 - 1}\big)} = \frac{(2k_2 - 1)(4k_2 - 1)^{e_2 - 1}}{\gcd\big((2k_1 - 1)(4k_1 - 1)^{e_1 - 1},\ (2k_2 - 1)(4k_2 - 1)^{e_2 - 1}\big)}.$$

This is clearly again an odd number. Similarly, $L/T_2$ is also odd.


Under the same assumptions as in Lemma 4.2.2, consider the expression $(T_1 - T_2) \pmod 4$.
Without loss of generality, assume that $r_1 = 4k_1 + 1$ and $r_2 = 4k_2 - 1$.
Then,

$$T_1 = (r_1 - 1) r_1^{e_1 - 1} = 4k_1 (4k_1 + 1)^{e_1 - 1}$$

and

$$T_2 = (r_2 - 1) r_2^{e_2 - 1} = (4k_2 - 2)(4k_2 - 1)^{e_2 - 1}.$$

Therefore,

$$T_1 - T_2 = 2\left[2k_1 (4k_1 + 1)^{e_1 - 1} - (2k_2 - 1)(4k_2 - 1)^{e_2 - 1}\right].$$

The first term inside the square brackets is even while the second term is odd. This
implies that $T_1 - T_2 = 2m$ where m is some odd integer. Therefore we must have

$$T_1 - T_2 \equiv 2 \pmod 4. \tag{4.1}$$

We will use equation (4.1) in the proof of Theorem 4.2.3.

4.2.1 Period of the FCSR XOR combiner

Theorem 4.2.3 Let $q_1 = r_1^{e_1}$ and $q_2 = r_2^{e_2}$ be two prime powers where $e_1, e_2 > 0$ and
such that 2 is a primitive root modulo $q_1$ and $q_2$. Let $a := (a_i)_{i \geq 0}$ and $b := (b_i)_{i \geq 0}$ be
two strictly periodic binary sequences generated by 2-adic FCSRs with connection
integers $q_1$ and $q_2$, and $c := (c_i)_{i \geq 0} := a \oplus b := (a_i \oplus b_i)_{i \geq 0}$. Let $T_1 = (r_1 - 1) r_1^{e_1 - 1}$
and $T_2 = (r_2 - 1) r_2^{e_2 - 1}$ be the periods of the two sequences a and b respectively and
let $L = \mathrm{lcm}(T_1, T_2)$.

If $r_1 \not\equiv r_2 \pmod 4$, the sequence c has period L; if $r_1 \equiv r_2 \pmod 4$, the
sequence c has period L/2.

Proof:

The sequence a is an ℓ-sequence and has the following properties:

$$a_i = a_{i + (2n) T_1/2} \quad\text{and}\quad \overline{a_i} = a_{i + (2n+1) T_1/2}, \qquad i = 0, 1, 2, \ldots \tag{4.2}$$

for any fixed integer n ≥ 0. Similarly, for the sequence b we have

$$b_i = b_{i + (2n) T_2/2} \quad\text{and}\quad \overline{b_i} = b_{i + (2n+1) T_2/2}, \qquad i = 0, 1, 2, \ldots \tag{4.3}$$

for any fixed integer n ≥ 0. Let the period of the sequence c be denoted by T .

Case 1: ($r_1 \equiv r_2 \pmod 4$)

We will prove that T = L/2 by first showing that $T \mid L/2$ and then by proving
that $L/2 \mid T$. By Lemma 4.2.2 when $r_1 \equiv r_2 \pmod 4$, both $L/T_1$ and $L/T_2$ are odd.
Putting $(2n + 1) = L/T_1$ and $(2n + 1) = L/T_2$ in equations (4.2) and (4.3) respectively,
we have $\overline{a_i} = a_{i + L/2}$ and $\overline{b_i} = b_{i + L/2}$ for every i ≥ 0. That is,

$$c_i = a_i \oplus b_i = \overline{a_{i + L/2}} \oplus \overline{b_{i + L/2}} = a_{i + L/2} \oplus b_{i + L/2} = c_{i + L/2}. \tag{4.4}$$

Hence T, which is the smallest period of the sequence c, must divide L/2. On the
other hand, if T is the period, $c_i = c_{i + T}$ for every i ≥ 0. This implies that $a_i = a_{i + T}$
and $b_i = b_{i + T}$, or that $\overline{a_i} = a_{i + T}$ and $\overline{b_i} = b_{i + T}$. In either case, T is a common multiple
of $T_1/2$ and $T_2/2$. Since L/2 is the least common multiple of $T_1/2$ and $T_2/2$, we must
have $L/2 \mid T$. Therefore, T = L/2.

Case 2: ($r_1 \not\equiv r_2 \pmod 4$)

We will prove that T = L by first showing that $T \mid L$ and then by showing that
$L \mid T$. First, note that since L is a multiple of both $T_1$ as well as $T_2$, we must have
$a_i = a_{i + L}$ and $b_i = b_{i + L}$ for every i ≥ 0. Hence $c_i = a_i \oplus b_i = a_{i + L} \oplus b_{i + L} = c_{i + L}$ for
every i ≥ 0, and since T is the (smallest) period of c, $T \mid L$.

On the other hand, if T is the period of the sequence c, then $c_i = c_{i + T}$ for every
i ≥ 0, which implies either that $a_i \oplus b_i = a_{i + T} \oplus b_{i + T}$ or that $a_i \oplus b_i = \overline{a_{i + T}} \oplus \overline{b_{i + T}}$ (by
Fact 4.0.2) for every i ≥ 0. This implies either that $a_i = a_{i + T}$ and $b_i = b_{i + T}$, or that
$\overline{a_i} = a_{i + T}$ and $\overline{b_i} = b_{i + T}$, for all i ≥ 0. Suppose the latter holds. Then T must be an odd
multiple of $T_1/2$ as well as of $T_2/2$. That is, $T = (2m_1 + 1) T_1/2$ and $T = (2m_2 + 1) T_2/2$
for some integers $m_1$ and $m_2$. Hence, $(2m_1 + 1) T_1/2 = (2m_2 + 1) T_2/2$, which implies
$2m_1 T_1 + T_1 = 2m_2 T_2 + T_2$. Therefore, we must have $T_2 - T_1 = 2(m_1 T_1 - m_2 T_2) \equiv 0
\pmod 4$. Since $T_1$ and $T_2$ are even, this contradicts the fact that if $r_1 \not\equiv r_2 \pmod 4$,
we must have $T_2 - T_1 \equiv 2 \pmod 4$ (by equation (4.1)). Therefore, T cannot be an odd
multiple of $T_1/2$ and $T_2/2$. We consider the other possibility that T is an even multiple
of $T_1/2$ and $T_2/2$. This implies that $T = 2m_1 T_1/2$ and $T = 2m_2 T_2/2$ for some integers
$m_1$ and $m_2$. Therefore, T is a common multiple of both $T_1$ and $T_2$. Since L is the least
common multiple of $T_1$ and $T_2$, it must divide any common multiple of $T_1$ and $T_2$.
Therefore, $L \mid T$. Since we have already proved that $T \mid L$, this means that T = L.

We have established that the period T of the FCSR XOR-combiner is

$$T = \begin{cases} T_1 \cdot T_2 / \gcd(T_1, T_2), & \text{if } r_1 \not\equiv r_2 \pmod 4 \\[4pt] T_1 \cdot T_2 / \big(2 \cdot \gcd(T_1, T_2)\big), & \text{if } r_1 \equiv r_2 \pmod 4 \end{cases} \tag{4.5}$$

We may say that combining two ℓ-sequences using the XOR function yields a
sequence whose period is approximately the product of the periods of the individual
ℓ-sequences. To obtain maximum period, $r_1$ and $r_2$ must be chosen so that they do not
belong to the same equivalence class modulo 4, and for proper choices of $r_1$ and $r_2$
the period of the XOR-combiner can be made as large as $T_1 \cdot T_2 / 2$.

In the next theorem, we prove that if $r_1 \not\equiv r_2 \pmod 4$, the output sequence of
the combiner considered in Figure 4.1 is symmetrically complementary.

4.2.2 Symmetric complementarity

Theorem 4.2.4 Let all assumptions be the same as in Theorem 4.2.3. If $r_1 \not\equiv r_2
\pmod 4$, then the sequence c is symmetrically complementary.

Proof:

When $r_1 \not\equiv r_2 \pmod 4$, $L/T_1$ is odd and $L/T_2$ is even by Lemma 4.2.2. There-
fore, from equation (4.2) and equation (4.3), $\overline{a_i} = a_{i + L/2}$ and $b_i = b_{i + L/2}$ for every i ≥ 0,
which implies that

$$c_i = a_i \oplus b_i = \overline{a_{i + L/2}} \oplus b_{i + L/2}, \qquad i = 0, 1, 2, \ldots \tag{4.6}$$

By Fact 4.0.1 of the bit-wise XOR operation we now have

$$c_i = \overline{a_{i + L/2}} \oplus b_{i + L/2} = \overline{a_{i + L/2} \oplus b_{i + L/2}} = \overline{c_{i + L/2}}, \qquad i = 0, 1, 2, \ldots \tag{4.7}$$

Since we know from Theorem 4.2.3 (equation (4.5)) that the sequence c has period L,
we see from equation (4.7) that c is symmetrically complementary.

4.2.3 2-adic complexity of the FCSR XOR combiner

Before we prove upper bounds on the 2-adic complexity of the output se-
quence, we first define the 2-adic complexity of a binary sequence following Xu's
definition of N-adic complexity (Xu 2000). Let $s := s_0 s_1 s_2 \ldots$ be an infinite periodic
binary sequence and let $\sum_{i=0}^{\infty} s_i 2^i = p/q \in \mathbb{Z}_2$ be the fraction in lowest terms whose
2-adic expansion agrees with the sequence s.

Definition 4.2.5 The 2-adic complexity of the sequence s is defined to be the integer
$\varphi(s) = \max(\lfloor \log_2 |p| \rfloor, \lfloor \log_2 |q| \rfloor)$.

If the sequence s is strictly periodic, then p/q < 0 and |p| < |q|, so that φ(s) is
simply equal to blog2 (|q|)c. We determine an upper bound on the 2-adic complexity
of the FCSR XOR-combiner in the following theorem.

Theorem 4.2.6 Let all assumptions be the same as in Theorem 4.2.3. If $r_1 \not\equiv r_2
\pmod 4$, the 2-adic complexity of the output sequence c of the FCSR combiner, de-
noted by φ(c), satisfies φ(c) < L/2 + 1 = T/2 + 1. If $r_1 \equiv r_2 \pmod 4$, the 2-adic
complexity of the sequence c satisfies φ(c) < L/2 = T.

Proof:

Let q be the denominator of that fraction expressed in lowest terms, whose
2-adic expansion agrees with the sequence c. Let T be the period of the sequence c.

If $r_1 \not\equiv r_2 \pmod 4$, then by Theorem 4.2.4 and by Fact 7 about FCSR se-
quences in Chapter 2, we must have $q \mid 2^{T/2} + 1$. We also know by Theorem 4.2.3 that
T = L. Therefore, $q \mid 2^{L/2} + 1$. The maximum value of q occurs when $q = 2^{L/2} + 1$
and in such a case, $\varphi(c) = \lfloor \log_2 q \rfloor < L/2 + 1$.

If $r_1 \equiv r_2 \pmod 4$, then the period of the output sequence c is T = L/2. We
know that for any sequence of period T, $q \mid 2^T - 1$ and the maximum value of q for a
given T occurs when $q = 2^T - 1$. Hence, $\varphi(c) = \lfloor \log_2 q \rfloor < L/2$.

Even though it seems to be difficult to prove a lower bound on the 2-adic
complexity of the XOR combiner, numerical experiments point to a lower bound of
$L/2 - \max(\varphi(a), \varphi(b))$ when $r_1 \not\equiv r_2 \pmod 4$. In this context, we point out that for a
fixed pair of connection integers (q1 , q2 ) of the type considered in this chapter, most
of the output sequences attain the upper bound on the 2-adic complexity. Numerical
experiments also show that for most such pairs of connection integers, all output
sequences attain the upper bound.

We observe from Theorem 4.2.3 and Theorem 4.2.6 that for both cases $r_1 \not\equiv
r_2 \pmod 4$ and $r_1 \equiv r_2 \pmod 4$ the period of the output sequence grows roughly
quadratically with the periods of the input sequences. However, for the case $r_1 \not\equiv
r_2 \pmod 4$, due to the symmetric complementarity of the output sequence, its 2-
adic complexity bound is half of the period; for the case $r_1 \equiv r_2 \pmod 4$ the 2-adic
complexity bound is the period of the output sequence.
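The experimental procedure (steps 1-5 of this chapter), Theorems 4.2.3 and 4.2.4 and the bounds of Theorem 4.2.6 can be checked numerically; the following Python is an added example, not code from the thesis. It generates the strictly periodic FCSR sequences as 2-adic expansions of −p/q, XORs a pair, and recovers the output's period, connection integer and 2-adic complexity (Definition 4.2.5) directly from one period via −N/(2^T − 1) rather than with de Weger's algorithm; the sample connection integers 5, 11 and 3 are constructed for illustration.

```python
"""Added example (not from the thesis): XOR-combining two 2-adic FCSR
sequences and checking Theorems 4.2.3, 4.2.4 and 4.2.6 numerically."""
from math import gcd


def fcsr_sequence(p, q, length):
    """First `length` bits of the 2-adic expansion of -p/q (q odd, 0 < p < q), i.e.
    the strictly periodic output of a 2-adic FCSR with connection integer q,
    produced by 2-adic long division: a_i = num mod 2, num <- (num - a_i*q)/2."""
    if q % 2 == 0 or not 0 < p < q:
        raise ValueError("need q odd and 0 < p < q")
    digits, num = [], -p
    for _ in range(length):
        a = num & 1                  # num mod 2 (& is two's complement on negatives)
        digits.append(a)
        num = (num - a * q) // 2     # exact: num - a*q is even
    return digits


def multiplicative_order(base, modulus):
    """Smallest t > 0 with base^t = 1 (mod modulus): the FCSR period."""
    t, x = 1, base % modulus
    while x != 1:
        x, t = (x * base) % modulus, t + 1
    return t


def two_is_primitive_root(q):
    """ord_q(2) == phi(q); phi by brute force since q is small here."""
    return multiplicative_order(2, q) == sum(1 for k in range(1, q) if gcd(k, q) == 1)


def min_period(seq, bound):
    """Minimal period of seq, given that it divides `bound` and len(seq) >= 2*bound."""
    for d in range(1, bound + 1):
        if all(seq[i] == seq[i + d] for i in range(bound)):
            return d
    raise ValueError("no period up to bound")


def rational_representation(seq, period):
    """(p, q) in lowest terms with sum_i seq[i] 2^i = -p/q in Z_2, using
    N + N 2^T + N 2^{2T} + ... = -N / (2^T - 1) for the first period N."""
    n = sum(bit << i for i, bit in enumerate(seq[:period]))
    denom = (1 << period) - 1
    g = gcd(n, denom)
    return n // g, denom // g


def two_adic_complexity(p, q):
    """Definition 4.2.5: phi(s) = max(floor(log2 |p|), floor(log2 |q|))."""
    return max(x.bit_length() - 1 for x in (abs(p), abs(q)) if x)


def is_symmetrically_complementary(seq, period):
    """True when seq[i + period/2] is the complement of seq[i] over one period."""
    half = period // 2
    return period % 2 == 0 and all(seq[i + half] == 1 - seq[i] for i in range(period))


def analyse_combiner(p1, q1, p2, q2):
    """Steps 1-4 of the experimental procedure for one pair (a, b) in S_q1 x S_q2."""
    for q in (q1, q2):
        if not two_is_primitive_root(q):
            raise ValueError(f"2 is not a primitive root modulo {q}")
    t1, t2 = multiplicative_order(2, q1), multiplicative_order(2, q2)
    big_l = t1 * t2 // gcd(t1, t2)   # L = lcm(T1, T2); the period of c divides L
    a = fcsr_sequence(p1, q1, 2 * big_l)
    b = fcsr_sequence(p2, q2, 2 * big_l)
    c = [x ^ y for x, y in zip(a, b)] # the XOR combiner output
    t = min_period(c, big_l)
    p, q = rational_representation(c, t)
    return {"T1": t1, "T2": t2, "L": big_l, "period": t, "connection_integer": q,
            "complexity": two_adic_complexity(p, q),
            "symmetrically_complementary": is_symmetrically_complementary(c, t)}


if __name__ == "__main__":
    # r1 = 5 = 1 (mod 4), r2 = 11 = 3 (mod 4): expect period L = 20, phi(c) < L/2 + 1
    print(analyse_combiner(1, 5, 1, 11))
    # r1 = 3, r2 = 11, both 3 (mod 4): expect period L/2 = 5, phi(c) < L/2
    print(analyse_combiner(1, 3, 1, 11))
```

For the pair (5, 11) the output has period 20, is symmetrically complementary and has connection integer 1025 = 2^10 + 1, so φ(c) = 10 attains the bound of Theorem 4.2.6; for (3, 11) the period is 5 and φ(c) = 4.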

4.2.4 Linear complexity of the FCSR XOR combiner

We now turn to the problem of determining an upper bound on the linear com-
plexity of the FCSR combiner.

Theorem 4.2.7 The linear complexity of the FCSR XOR combiner in Figure 4.1 is
at most $(T_1 + T_2)/2 + 2$.

Proof:

From the result of Xu (2000) specialised to the 2-adic case, we know that the
linear complexities of the individual ℓ-sequences are bounded above by $T_1/2 + 1$ and
$T_2/2 + 1$, where the $T_i$ are the periods of the individual ℓ-sequences. From the work
of Massey (1969) it is well known that the linear complexity of a linear combination
of sequences is at most the sum of their linear complexities. Applying this result we
see that the linear complexity of the FCSR XOR combiner is at most the sum of the
linear complexities of the individual FCSRs.
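The bound of Theorem 4.2.7 can be checked against the Berlekamp-Massey algorithm; the following Python is an added example, not code from the thesis. The inputs are one period each of the 2-adic expansions of −1/5 and −1/11 (constructed here; ℓ-sequences with $T_1 = 4$ and $T_2 = 10$), and two full periods of the combiner output are fed to the synthesis, which is enough since the linear complexity never exceeds the period.

```python
"""Added example (not from the thesis): linear complexity of the XOR
combiner output against the bound (T1 + T2)/2 + 2 of Theorem 4.2.7."""
from math import gcd


def berlekamp_massey(bits):
    """Length of the shortest LFSR over GF(2) generating `bits`; exact for a
    periodic sequence once at least twice its linear complexity is supplied."""
    n = len(bits)
    conn, prev = [1] + [0] * n, [1] + [0] * n   # current / previous connection polynomial
    length, last = 0, -1                        # LFSR length, index of last length change
    for i in range(n):
        discrepancy = bits[i]
        for j in range(1, length + 1):
            discrepancy ^= conn[j] & bits[i - j]
        if discrepancy == 0:
            continue
        saved = conn[:]
        shift = i - last
        for j in range(n + 1 - shift):
            conn[j + shift] ^= prev[j]
        if 2 * length <= i:
            length, last, prev = i + 1 - length, i, saved
    return length


def combiner_linear_complexity(a_period, b_period):
    """Linear complexity of c = a xor b, from one period of each input, together
    with the bound (T1 + T2)/2 + 2 of Theorem 4.2.7; c is synthesised from two
    full periods, which suffices because the linear complexity is at most the period."""
    t1, t2 = len(a_period), len(b_period)
    big_l = t1 * t2 // gcd(t1, t2)
    c = [a_period[i % t1] ^ b_period[i % t2] for i in range(2 * big_l)]
    return berlekamp_massey(c), (t1 + t2) // 2 + 2


if __name__ == "__main__":
    # Constructed inputs: the 2-adic expansions of -1/5 (period 4) and -1/11 (period 10).
    a = [1, 1, 0, 0]
    b = [1, 0, 1, 1, 1, 0, 1, 0, 0, 0]
    print("LC(a) =", berlekamp_massey(a * 3), "LC(b) =", berlekamp_massey(b * 2))
    print("LC(c), bound =", combiner_linear_complexity(a, b))
```

For this pair the individual linear complexities are 3 and 6 (exactly $T_i/2 + 1$) while the combiner output has linear complexity 7 against the bound 9, so the bound of Theorem 4.2.7 is not always attained.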



CHAPTER 5

CONCLUSIONS AND FUTURE DIRECTIONS

We have proposed practical algorithms to search for good FCSR architectures
given a set of design constraints. We also proposed a search algorithm for d-FCSRs
when d = 2. These algorithms offer valuable aid to the stream cipher cryptographer
in choosing the keystream generator carefully. More work is needed on d-FCSRs for
d ≥ 3 in order that the search for architectures can be carried out in the same manner
we have outlined in this thesis.

We derived the exact period of a certain family of combiners using 2-adic
FCSRs as primitives. We also proved upper bounds on the 2-adic complexity and linear
complexity of these sequences. It must be emphasised here that our results give the
exact period of the combiner using two 2-adic FCSRs and not just a bound. These are
the only available results in the literature to date regarding combiners using 2-adic
FCSRs.

The results of Chapter 4 lead to the following design principle. If we desire
large period sequences without regard to 2-adic complexity, then it is better to choose
$r_1 \not\equiv r_2 \pmod 4$. If we desire sequences with 2-adic complexity that is large com-
pared to the period, then it is better to choose $r_1 \equiv r_2 \pmod 4$.

It remains to be seen how far the search algorithms can be optimised for each
of the special cases of the FCSR architectures, especially the 2-adic FCSR and the
d-FCSR. The properties of more general classes of FCSR combiners using arbitrary
combining functions and an arbitrary number of FCSRs need to be investigated.

REFERENCES

1. Anand S. and Ramanan G. V. (2006) ‘Periodicity, complementarity and com-
plexity of 2-adic FCSR combiner generators’ (Accepted for publication in Pro-
ceedings of the ACM Symposium on Information, Computer and Communica-
tions Security, ASIACCS ’06, Taipei, Taiwan).
2. Arnault F. and Berger T.-P. (2004) ‘Design of new pseudorandom generators
based on a filtered FCSR automaton’, In Proceedings of the SASC Workshop,
pages 109–120.
3. Arnault F. and Berger T.-P. (2005) ‘F-FCSR: Design of a new class of stream
ciphers’, In Henri Gilbert and Helena Handschuh, editors, 12th. International
Workshop, Fast Software Encryption 2005, Paris, France. Lecture Notes in
Computer Science 3557, pages 83–97, Springer.
4. Arnault F., Berger T.-P. and Necer A. (2002) ‘A new class of stream ciphers
combining LFSR and FCSR architectures’, In Alfred Menezes and Palash
Sarkar, editors, Progress in Cryptology – INDOCRYPT 2002, Lecture Notes
in Computer Science, volume 2551, pages 22–33. Springer, New York.
5. Bach E. (1998) ‘Efficient prediction of Marsaglia-Zaman random number gen-
erators’, IEEE Transactions on Information Theory, 44:1253–1257, May 1998.
6. Beker, H. and Piper, F. (1982), Cipher Systems. John Wiley.
7. Blum L., Blum M. and Shub M. (1986) ‘A simple unpredictable pseudo random
number generator’, SIAM Journal of Computing, 15:364–383.
8. Couture R. and L’Ecuyer P. (1994) ‘On the lattice structure of certain linear con-
gruential sequences related to AWC/SWB generators’, Mathematics of Compu-
tation, 62:799–808.
9. Couture R. and L’Ecuyer P.(1997) ‘Distribution properties of multiply-with-
carry random number generators’, Mathematics of Computation, 66:591–607.
10. de Weger B.M.M. (1986) ‘Approximation lattices of p-adic numbers’, Journal
of Number Theory, 24:70–88, 1986.
11. Arnault F., Berger T.-P. and Necer A. (2004) ‘Feedback with carry shift register
synthesis with the Euclidean algorithm’, IEEE Transactions on Information
Theory, 50:910–917, May 2004.

12. Gauss C.F. (1801) Disquisitiones Arithmeticæ. Reprinted English translation,
Yale University Press, New Haven, 1966.
13. Golić J. Dj. (1989) ‘On the linear complexity of functions of periodic GF(q) se-
quences’, IEEE Transactions on Information Theory, 35:69–75, January 1989.
14. Gollman D. and Chambers W.G. (1989) ‘Clock-controlled shift registers: A
review’, IEEE Journal on Selected Areas in Communications, 7:525–533, May
1989.
15. Golomb S. (1967) Shift Register Sequences. Holden-Day, San Francisco.
16. Goresky M. and Klapper A. (1995) ‘Large period nearly de Bruijn FCSR se-
quences’, In Advances in Cryptology – EUROCRYPT’95, Lecture Notes in
Computer Science, volume 921, pages 263–273. Springer, New York.
17. Goresky M. and Klapper A. (1997) ‘Arithmetic crosscorrelations of feedback
with carry shift register sequences’, IEEE Transactions on Information Theory,
43:1342–1345, July 1997.
18. Goresky M. and Klapper A. (2002) ‘Fibonacci and Galois representations of
feedback-with-carry shift registers’, IEEE Transactions on Information Theory,
48:2826–2836.
19. Goresky M., Klapper A. and Washington L. (2000) ‘Fourier transforms and the
2-adic span of periodic binary sequences’, IEEE Transactions on Information
Theory, 46:687–691.
20. Göttfert R. and Niederreiter H. (1993) ‘On the linear complexity of products
of shift-register sequences’, In Advances in Cryptology – EUROCRYPT’93,
Lecture Notes in Computer Science, pages 151–158.
21. Gouvêa F. (2003) p-adic Numbers: An Introduction. Springer-Verlag, 2nd.
edition.
22. Groth E. J. (1971) ‘Generation of binary sequences with controllable complex-
ity’, IEEE Transactions on Information Theory, IT-17:288–296.
23. Hardy G. H. and Wright E. M. (1979) An Introduction to the Theory of Numbers.
Oxford University Press, 5th edition.
24. Herlestam T. (1982) ‘On the complexity of functions of linear shift register
sequences’, In International Symposium on Information Theory.
25. Herlestam T. (1986) ‘On the functions of linear shift register sequences’, In Ad-
vances in Cryptology – EUROCRYPT’85, Lecture Notes in Computer Science,
volume 219, pages 119–129.
26. Key E. L. (1976) ‘An analysis of the structure and complexity of nonlinear
binary sequence generators’, IEEE Transactions on Information Theory, IT-
22:732–736.

27. Klapper A. and Goresky M. (1993) 2-adic shift registers. In Fast Software
Encryption, Cambridge Security Workshop, Lecture Notes in Computer Science,
volume 809.
28. Klapper A. and Goresky M. (1997) ‘Feedback shift registers, 2-adic span and
combiners with memory’ Journal of Cryptology, 10:111–147.
29. Knuth D. E. (1998) The Art of Computer Programming, Volume 2: Seminumer-
ical Algorithms. Addison-Wesley, 3rd edition.
30. Koblitz N. (1984) p-adic Numbers, p-adic Analysis, and Zeta Functions. Springer-
Verlag, New York, GTM Vol. 58.
31. Kolokotronis N. and Kalouptsidis N. (2003) ‘On the linear complexity of non-
linearly filtered PN-sequences’, IEEE Transactions on Information Theory,
49:3047–3059.
32. Lam C. C.-Y. and Gong G. (2004) ‘A lower bound for the linear span of filtering
sequences’, In Proceedings of the SASC Workshop, pages 220–233.
33. Mahler K. (1973) Introduction to p-adic Numbers and their Functions. Cam-
bridge University Press.
34. Mandelbaum D. (1967) ‘Arithmetic codes with large distance’, IEEE Transac-
tions on Information Theory, IT-13:237–242.
35. Marsaglia G. (1968) ‘Random Numbers Fall mainly in Planes’, Proceedings of
the National Academy of Sciences, 61(1), 25–28.
36. Marsaglia G. (1984) ‘A current view of random number generators’ Keynote
address, In Proceedings of the 16th Symposium on the Interface between Com-
puter Science and Statistics, Atlanta.
37. Marsaglia G. (1992) ‘The mathematics of random number generators’, In The
Unreasonable Effectiveness of Number Theory, Proceedings of the Symposium
on Pure Mathematics, volume 46, pages 73–90.
38. Marsaglia G. (1993) ‘Monkey tests for random number generators’ Computers
and Mathematics with Applications, 9:1–10.
39. Marsaglia G. (1994) ‘yet another rng’, posted to the Usenet newsgroup
sci.stat.math, August 1, 1994.
40. Marsaglia G. and Tsay L. H. (1985) ‘Matrices and the structure of random
number sequences’, Linear Algebra and Its Applications, 67:145–156.
41. Marsaglia G. and Zaman A. (1991) ‘A new class of random number generators’,
The Annals of Applied Probability, 1:462–480.
42. Marsaglia G. ‘DIEHARD battery of statistical tests’.

43. Massey J. L. (1969) ‘Shift-register synthesis and BCH decoding’, IEEE Trans-
actions on Information Theory, IT-15:122–127.
44. Massey J. L. and Serconek S. (1996) ‘Linear complexity of periodic sequences:
A general theory’, In Neal Koblitz, editor, Advances in Cryptology – CRYPTO’96,
Lecture Notes in Computer Science, volume 1109, pages 358–371.
45. Mittelbach M. and Finger A. (2004) ‘Investigation of FCSR-based pseudo-
random sequence generators for stream ciphers’, In Proceedings of the 3rd.
International Conference on Networking.
46. National Institute of Standards Technology, http://csrc.nist.gov/
47. Rueppel R. A. (1986) Analysis and Design of Stream Ciphers. Springer-Verlag,
1986.
48. Rueppel R. A and Staffelbach O. J. (1987) ‘Products of linear recurring se-
quences with maximum complexity’, IEEE Transactions on Information The-
ory, IT-33:124–131.
49. Schneier B. (1996) Applied Cryptography. John Wiley & Sons, 2nd edition.
50. Seo C., Lee S., Sung Y., Han K. and Kim S. (2000) ‘A lower bound on the linear
span of an FCSR’, IEEE Transactions on Information Theory, 46:691–693.
51. Tasheva Z., Bedzhev B. and Stoyanov B. (2004) ‘N-adic summation shrinking
generator – basic properties and empirical evidences’ (submitted to the IACR
e-print archive).
52. Wagstaff, S. (2001), ‘Prime Numbers with a Fixed Number of One Bits or Zero
Bits in Their Binary Representation’, Experimental Mathematics, 10:2, 267–
273.
53. Walker J. ‘ENT statistical test suite’, http://www.fourmilab.ch/
54. Xu J. (2000) ‘Stream Cipher Analysis Based on FCSRs’. Ph.D. dissertation,
University of Kentucky, Lexington, Kentucky.
55. Zierler N. and Mills W.H (1973) ‘Products of linear recurring sequences’, Jour-
nal of Algebra, 27:147–157.
