Information Processing Letters 114 (2014) 268–272

Contents lists available at ScienceDirect

Information Processing Letters

www.elsevier.com/locate/ipl

Searching for nonlinear feedback shift registers with parallelcomputing

Przemysław Dabrowski, Grzegorz Łabuzek, Tomasz Rachwalik, Janusz Szmidt

Military Communication Institute, ul. Warszawska 22A, 05-130 Zegrze, Poland

a r t i c l e i n f o a b s t r a c t

Article history:Received 26 June 2013Received in revised form 28 October 2013Accepted 4 December 2013Available online 16 December 2013Communicated by V. Rijmen

Keywords:Nonlinear feedback shift registersMaximum periodParallel processing

Nonlinear feedback shift registers (NLFSRs) are used to construct pseudorandom generatorsfor stream ciphers. Their theory is not so complete as that of linear feedback shift registers(LFSRs). In general, it is not known how to construct all NLFSRs with maximum period. Thedirect method is to search for such registers with suitable properties. Advanced technologyof parallel computing has been applied both in software and hardware to search formaximum period NLFSRs having a fairly simple algebraic normal form.

© 2013 Elsevier B.V. All rights reserved.

1. Introduction

Feedback shift register (FSR) sequences have beenwidely used in many areas of communication theory, askey stream generators in stream ciphers cryptosystems,pseudorandom number generators in many cryptographicprimitives, in the design of correlators for spread spec-trum communication systems, global positioning systemsor radar systems, and as testing vectors in hardware de-sign. Golomb’s book [6] is a pioneering one that discussesthis type of sequences. A modern treatment of the subjectis contained in the book of Golomb and Gong [7].

The theory of linear feedback shift registers (LFSRs) isquite well understood. In particular, it is known how toconstruct LFSRs with maximum period; they correspondto primitive polynomials over the binary field F2. The or-der n of FSR is the number of its cells and an FSR cangenerate a binary sequence of period up to 2n . The maindrawback of primitive LFSRs is that their linear complexityis equal to their order. In recent years, nonlinear feed-back shift registers (NLFSRs) have received much attention

E-mail addresses: p.dabrowski@wil.waw.pl (P. Dabrowski),g.labuzek@wil.waw.pl (G. Łabuzek), t.rachwalik@wil.waw.pl(T. Rachwalik), j.szmidt@wil.waw.pl (J. Szmidt).

0020-0190/$ – see front matter © 2013 Elsevier B.V. All rights reserved.http://dx.doi.org/10.1016/j.ipl.2013.12.002

in designing numerous cryptographic algorithms such asstream ciphers and lightweight block ciphers to providesecurity in communication systems. In most cases, NLFSRshave much greater linear complexity than LFSRs of thesame period. However, there are no general methods ofdesigning maximum period NLFSRs. The construction of aspecial class of NLFSRs with maximum period has beengiven by Mykkeltveit et al. [10,11]. Recently, maximum pe-riod NLFSRs of order up to n = 64 have been constructed inthe paper of Mandal and Gong [8], but these NLFSRs havevery complicated algebraic normal form (ANF). Dubrova [3]has given an example of a Galois shift register of ordern = 100 generating a sequence with maximum period butthis sequence does not have the de Bruijn property; i.e.,some patterns of n-bits appear more than once in the se-quence.

In this article the approach from the papers of Gam-mel, Goettfert, and Kniffler [5] and Chan, Games, andRushanan [2] is followed. NLFSRs having a simple algebraicnormal form and maximum period are directly found byexhaustive searching. In particular, the conjecture posed in[2] on the existence of maximum period NLFSRs whosefeedback functions have linear terms and one quadraticterm has been experimentally investigated. Like the notionof linear m-sequences, these NLFSRs generate quadraticm-sequences. The conjecture has been verified up to order

P. Dabrowski et al. / Information Processing Letters 114 (2014) 268–272 269

n = 29. Quadratic m-sequences of this type up to ordern = 21 have been classified according to the weight (num-ber of terms) of primitive polynomials involved. These ex-perimental investigations support the Chan, Games andRushanan conjecture of the existence of one term quadraticm-sequences for each order n; they have some number oflinear terms and only one quadratic term in their ANF.

Our experiments have applied parallel computing.NLFSRs generating quadratic m-sequences have been foundby using three servers with 54 CPU cores. The investiga-tions from the previous paper [12] have also been con-tinued using the Field Programmable Gate Arrays to findmaximum period NLFSRs. Nonlinear feedback shift registershave been applied in [13] to construct modified alternatingstep generators.

2. Feedback shift registers

In this section, the definitions and basic facts aboutfeedback shift registers are given. We use F2 to denote thebinary finite field. F2[x] denotes the ring of polynomialsin the indeterminate x and with coefficients from F2. LetF

n2 be the n-dimensional vector space over F2 consisting

of all n-tuples of elements of F2. Any function from Fn2 to

F2 is referred to as a Boolean function of n variables. A se-quence of elements s = (s0, s1, . . .) of F2 is called a binarysequence. A sequence s = (si)

∞i=0 is called periodic if there

is a positive integer p such that si+p = si for all i � 0. Theleast positive integer with this property is called the periodof s.

A binary feedback shift register of order n is a mapping F

from Fn2 into F

n2 of the form

F : (x0, x1, . . . , xn−1)

�−→ (x1, x2, . . . , xn−1, f (x0, x1, . . . , xn−1)

),

where f is a Boolean function of n variables which iscalled the feedback function. The shift register is called alinear feedback shift register (LFSR) if F is a linear trans-formation from the vector space F

n2 into itself. Otherwise,

the shift register is called a nonlinear feedback shift regis-ter (NLFSR). The shift register is called nonsingular if themapping F is a bijection. Further, we will consider onlynonsingular and mostly nonlinear feedback shift registers.It can be proved (see e.g. [6]) that the feedback function ofa nonsingular feedback shift register has the form

f (x0, x1, . . . , xn−1) = x0 + g(x1, . . . , xn−1), (1)

where g is a Boolean function of n − 1 variables.Consider a binary sequence s = (si)

∞i=0 whose first

n terms s0, s1, . . . , sn−1 are given and whose remainingterms are uniquely determined by the recurrence relation

si+n = f (si, si+1, . . . , si+n−1) for all i � 0. (2)

We call s an output sequence of the feedback shift registergiven by (1). The binary n-tuple (s0, s1, . . . , sn−1) is calledthe initial state vector of the sequence s or the initial stateof the feedback shift register. The recurrence relation (2)can be implemented in hardware as a special electronicswitching circuit consisting of n memory cells which iscontrolled by an external clock to generate the sequence s.

Definition 1. A de Bruijn sequence of order n is a sequenceof period 2n of elements of F2 in which all different binaryn-tuples appear in each period exactly once.

It was proved by Flye Sainte-Marie [4] in 1894 and in-dependently by de Bruijn [1] in 1946 that the number ofcyclically non-equivalent sequences satisfying Definition 1is equal to

Bn = 22n−1−n.

Definition 2. A modified de Bruijn sequence of order n is asequence of period 2n − 1 obtained from the de Bruijn se-quence of order n by removing one zero from all tuples ofn consecutive zeros.

In 1990 Mayhew and Golomb [9] investigated se-quences satisfying Definition 2 and calculated their linearcomplexity. These sequences were called by Gammel et al.[5] primitive. In the case of linear feedback shift registerssuch sequences are generated by primitive polynomialsfrom the ring F2[x] and their theory is quite well un-derstood [6,7]. The task is to find primitive NLFSRs witha simple algebraic normal form and this is a time con-suming work. An effective method of constructing suchprimitive NLFSRs is not known and one has to search forthem. Gammel et al. [5] found simple primitive NLFSRs upto order 33 used in the design of the stream cipher Achter-bahn, but neither the method of searching nor the averagetime needed to find such good NLFSRs have been revealed.

A search for primitive NLFSRs with special purposehardware devices has been undertaken in [12]. The presentpaper is a continuation of the previous investigations withadditional application of software implementations on par-allel cores. The search is restricted to looking for nonlinearprimitive NLFSRs with a simple ANF.

3. Quadratic m-sequences

Chan, Games and Rushanan [2] have investigated thecase when the feedback function (1) is a quadratic Booleanfunction of n variables; i.e., it has the following algebraicnormal form:

f (x0, x1, . . . , xn−1) =∑

0�i� j�n−1

aijxi x j . (3)

Let us note that x2i = xi for all i � 0, hence the coefficients

aii correspond to the linear terms of the function f . Therecurrence (2) corresponding to the quadratic function (3)has the form

sn+k =∑

0�i� j�n−1

aij si+ks j+k (4)

for all k � 0. The authors of [2] have introduced a notionof quadratic m-sequences by analogy to the linear ones.

Definition 3. A binary sequence s is called a quadraticm-sequence of order n if it satisfies the quadratic recurrence(4) and has period 2n − 1. The quadratic recurrence (4) is

270 P. Dabrowski et al. / Information Processing Letters 114 (2014) 268–272

assumed to be minimal in the sense that the sequence sat-isfies no such recurrence on a smaller number of variables.

The authors of [2] have studied algorithmic genera-tion of some type of quadratic m-sequences and enumer-ated them up to degree n = 12. Namely, they consideredquadratic Boolean functions of the form

f (x0, x1, . . . , xn−1) = g(x0, x1, . . . , xn−1) + xi + xi x j, (5)

where i �= j, 1 � i, j � n − 1 and

g(x0, x1, . . . , xn−1) = x0 + c1x1 + · · · + cn−1xn−1

is a linear function which generates the m-sequence, i.e.,the corresponding polynomial in the ring F2[x]

p(x) = xn + cn−1xn−1 + · · · + c1x + 1 (6)

is primitive.

Definition 4. A maximum period sequence generated byfeedback function of the form (5) we call a one termquadratic m-sequence.

Primitive polynomials of degree n have their roots inthe finite Galois field GF(2n); these roots are primitive el-ements (generators) of the multiplicative group GF(2n)∗ . Itis known that there is a one-to-one correspondence be-tween linear m-sequences of period 2n − 1 and primitivepolynomials of degree n. The number of primitive polyno-mials of degree n is equal to ϕ(2n −1)/n, where ϕ(.) is theEuler function. The proofs of all these facts can be foundin the books [6,7].

The quadratic recurrences corresponding to Booleanfunctions (5) are modifications of the linear one. The termxi + xi x j introduces a non-linear perturbation to the givenm-sequence. The states of the LFSR for which the functionxi + xi x j equals 1 break or join the corresponding cycles ofthe LFSR. The case when after running over all states of theFSR we get only one cycle is the sought-for NLFSR. In fact,this is a random phenomenon. The relevant discussion hasbeen presented in [2]. In practice, not all primitive poly-nomials and terms xi + xi x j lead to a suitable coincidencegiving a one term quadratic m-sequence.

4. Software implementation

We have searched for quadratic m-sequences of order ngenerated by Boolean functions of the form (5) using oursoftware. The procedure is the following:

• one generates all primitive polynomials of a given de-gree n;

• for a given primitive polynomial all terms xi + xi x j arechecked to find a feedback function of NLFSR generat-ing a quadratic m-sequence.

The maximum period can only be verified by calculat-ing all states of the NLFSR for given i and j. The proce-dure has been implemented in standard C programming

language to speed up the search and portability. The num-bers (�) of one term quadratic m-sequences for orders nup to 21 are presented in Appendix A in Tables 1, 2 and 3,where k denotes the number of terms of primitive polyno-mials of a given degree. For n large checking the period isthe most time consuming part of the algorithm. It can beseen from the tables that for the number of terms of theprimitive polynomial (6) near n/2, the number of quadraticm-sequences found has a maximum. However, the algo-rithm can be computed in parallel, which speeds up thesearch. Nowadays multi-core and multi-thread computingenvironments are widespread even in desktop PCs. Theclient–server program has been developed to split the setof primitive polynomials with given weight k into parts.The parallel computations are used to explore the partsof the set of primitive polynomials with fixed weight. Thetime complexity of searching is proportional to the numberof involved threads. The checking of period of a particularNLFSR is done in one thread and here the parallel compu-tations are not applied.

The server program controls the distribution of subtasksand sends client programs jobs to perform using IP pack-ets. The client is a Linux/Windows program receiving sub-tasks from the server, doing its jobs and sending back theresults. The subtasks are performed as threads on multi-core computers. The server program collects results fromall clients over IP networks. It is worth noting that thesubtasks are distributed to platform independent clients(Windows, Linux, Mac OS X). The loss of a client due toe.g. power failure or no network connection is no problemfor our server program, because it sends the lost subtasksonce again to other clients. The feedback functions of oneterm quadratic m-sequences up to order n = 29 are givenin Appendix A.

The above results have been found by using threeservers with overall 54 threads connected through an IPnetwork at Military Communication Institute Interoperabil-ity Laboratory.1 This turned out to be a coarse-grain typework in parallel computing due to low communication be-tween clients and server and using distributed memory. Inthe future we hope our software can be ported to high-performance computing using Open MPI API to find morequadratic m-sequences for greater orders.

5. Hardware implementation

One way to search for NLFSRs in hardware is to dupli-cate a searching module. For this purpose, the hardwareplatform containing Field Programmable Gate Array (FPGA)of Altera EP3C80 and the microcontroller have been used.32 independent programmable searching modules in oneEP3C80 device have been fit. The duplicated modules aremanaged by the control machine which detects the mod-ule readiness and directs the result to the output interfaceof FPGA. The microcontroller transfers the resulting vectorto a computer by Ethernet interface. The diagram of a sin-gle module is shown in Fig. 1.

1 The equipment has been purchased thanks to a grant of the PolishMinistry of Science and Higher Education decision No. 6251/IA/690/2012.

P. Dabrowski et al. / Information Processing Letters 114 (2014) 268–272 271

Fig. 1. The diagram of a single module.

The former version [12] consisted of multiplexers andan XOR block called M&X which was configured by the co-efficients buffer CB. The present version adds a primitivepolynomial feedback PPF which helps to find a NLFSR feed-back functions faster.

In this search, random numbers for M&X are taken fromRNG. The coefficients are downloaded byte by byte into thecoefficient selector CS, where their values and repetitionsare checked. Then the bytes go to CB, whose task is tostore combinations of coefficients during the test. The mul-tiplexers partially define the random feedback function ofNLFSR according to the data buffered in CB. Their outputsare connected to the XOR gate with a feedback functionfrom PPF. The result of XOR feeds the shift register SR. TheSR is set with a seed value at the beginning of a search-ing process by the verification machine VM and it startsshifting. After the first repetition of the seed the test isfinished. An acceptable result is sent to the Ethernet inter-face EI by VM. An unacceptable result starts a new processof random generation and testing. The tests have been car-ried out on seven such platforms. The results of the searchare given in Appendix A.

6. Conclusion

In the paper, we have searched for NLFSRs generatingmodified de Bruijn sequences. Methods of parallel com-puting have been applied both in software and hardwareto perform the search. The software has been used to lookfor one term quadratic m-sequences. An enumeration ofall quadratic m-sequences up to order n = 21 generated byfeedback functions with the term xi +xi x j and linear termsdefined by primitive polynomials has been provided andclassified by the weights of these polynomials. The conjec-ture of Chan, Games and Rushanan [2] has been verifiednumerically up to order n = 29 for NLFSRs whose feedbackfunctions have the simple algebraic normal form.

Hardware search of NLFSRs is a continuation of the pre-vious work [12]. The feedback functions of the registers oforders n = 29,30 and 31 we found are expressed in termsof negations of some arguments; this gives simpler formu-lae than ANFs and it is suitable for implementation.

We have calculated the linear complexities (LC) of oneterm quadratic m-sequences up to order n = 26. They arenear or equal to the maximum possible value 2n − 2. Thelinear complexity was calculated with the help of extendedEuclid algorithm for polynomials. It takes about 7 days onPC to calculate the LC of one NLFSR of order n = 26.

Acknowledgement

The authors would like to thank the referee for indicat-ing the corrections and improvements in the paper.

Appendix A

The feedback functions of the form (5) generatingquadratic m-sequences up to order n = 29 and the linear

Table 1The number of one term quadratic m-sequences of orders 4 � n � 9.

n = 4 n = 5 n = 6 n = 7 n = 8 n = 9

k � k � k � k � k � k �

3 4 3 4 3 6 3 12 3 0 3 25 6 5 6 5 8 5 16 5 12

7 4 7 4 7 109 0

Total 4 Total 10 Total 12 Total 24 Total 20 Total 24

Table 2The number of one term quadratic m-sequences of orders 10 � n � 15.

n = 10 n = 11 n = 12 n = 13 n = 14 n = 15

k � k � k � k � k � k �

3 0 3 2 3 0 3 0 3 0 3 05 14 5 14 5 4 5 14 5 6 5 87 12 7 26 7 16 7 40 7 20 7 129 8 9 14 9 6 9 36 9 36 9 42

11 0 11 2 11 12 11 22 11 2013 0 13 0 13 6

15 0

Total 34 Total 56 Total 28 Total 96 Total 84 Total 88

272 P. Dabrowski et al. / Information Processing Letters 114 (2014) 268–272

Table 3The number of one term quadratic m-sequences of orders 16 � n � 21.

n = 16 n = 17 n = 18 n = 19 n = 20 n = 21

k � k � k � k � k � k �

3 0 3 0 3 0 3 0 3 0 3 05 0 5 0 5 0 5 2 5 0 5 07 14 7 18 7 6 7 8 7 4 7 69 24 9 50 9 20 9 32 9 8 9 34

11 10 11 46 11 46 11 74 11 28 11 3613 2 13 10 13 26 13 46 13 18 13 5415 0 15 0 15 6 15 18 15 14 15 32

17 0 17 0 17 0 17 0 17 1019 0 19 0 19 0

Total 50 Total 124 Total 104 Total 180 Total 72 Total 172

complexity (LC) of the generated modified de Bruijn se-quences up to order n = 26:

• n = 22, x0 + x3 + x7 + x9 + x13 + x14 + x18 + x19 + x20 +x5x11,LC = 222 − 13

• n = 23, x0 + x6 + x8 + x9 + x11 + x13 + x14 + x15 + x17 +x19 + x20 + x21 + x22 + x2x10,LC = 223 − 2

• n = 24, x0 + x9 + x10 + x14 + x16 + x17 + x19 + x10x15,LC = 224 − 2

• n = 25, x0 + x1 + x3 + x5 + x8 + x10 + x12 + x15 + x16 +x18 + x19 + x22 + x23 + x5x12,LC = 225 − 7

• n = 26, x0 + x2 + x4 + x5 + x8 + x15 + x19 + x21 + x22 +x6x16,LC = 226 − 2

• n = 27, x0 + x1 + x2 + x4 + x8 + x10 + x11 + x14 + x17 +x19 + x21 + x6x10

• n = 28, x0 + x4 + x5 + x6 + x8 + x11 + x14 + x18 + x19 +x21 + x22 + x26 + x27 + x8x27

• n = 29, x0 + x3 + x5 + x6 + x11 + x12 + x16 + x19 + x22 +x23 + x27 + x20x28

The nonlinear feedback functions of shift registers up toorder n = 31 found with the FPGA devices:

• n = 26, x0 + x13 + x14 + x19 + x23 + x18x22x23x25,LC = 226 − 2

• n = 27, x0 + x3 + x5 + x9 + x10 + x11 + x18 + x20 + x24 +x9x11x23x26

• n = 28, x0 + x1 + x8 + x17 + x18 + x19 + x21 + x22 + x23 +x4x11x14x18

• n = 29, x0 + x1 + x3 + x4 + x13 + x16 + x18 + x19 + x20 +x22 + x23 + x27 + x6x10x19x20x21x24x26x27 + x6x10x19 ×x20x21x24x26x27

• n = 30, x0 + x4 + x7 + x8 + x9 + x10 + x11 + x12 + x13 +x14 + x15 + x22 + x27 + x28 + x1x3x7x9x11x13x15x19x20 ×x24x25x27 + x1x3x7x9x11x13x15x19x20x24x25x27

• n = 31, x0 + x2 + x6 + x7 + x8 + x9 + x10 + x14 + x15 +x16 + x20 + x21 + x26 + x29 + x4x5x7x9x12x19x21x22x24 ×x25x26x29 + x4x5x7x9x12x19x21x22x24x25x26x29, wherexi = xi + 1

References

[1] N.G. de Bruijn, A combinatorial problem, Indag. Math. 8 (1946)461–467.

[2] A.H. Chan, R.A. Games, J.J. Rushanan, On the quadratic m-sequences,in: Proceedings of Fast Software Encryption, in: LNCS, vol. 809,Springer-Verlag, 1994, pp. 166–173.

[3] E. Dubrova, A scalable method for constructing Galois NLFSRs withperiod 2n − 1 using cross-join pairs, IEEE Trans. Inf. Theory 59 (1)(2013) 703–709.

[4] C. Flye Sainte-Marie, Solution to question nr. 48, L’IntermédiaireMath. 1 (1894) 107–110.

[5] B.M. Gammel, R. Goetffert, O. Kniffler, Achterbahn 128/80. TheeSTREAM project, www.ecrypt.eu.org/stream, www.matpack.de/achterbahn.

[6] S.W. Golomb, Shift Register Sequences, Holden-Day, San Francisco,1967, Revised edition, Aegean Park Press, Laguna Hills, CA, 1982.

[7] S.W. Golomb, G. Gong, Signal Design for Good Correlation: For Wire-less Communication, Cryptography, and Radar, Cambridge UniversityPress, 2005.

[8] K. Mandal, G. Gong, Cryptographic D-morphism analysis and fast im-plementation of composited de Bruijn sequences, CACR Technical Re-port, CACR 2012-27, 2012.

[9] G.L. Mayhew, S.W. Golomb, Linear spans of modified de Bruijn se-quences, IEEE Trans. Inf. Theory 36 (5) (1990) 1166–1167.

[10] J. Mykkeltveit, M-K. Siu, P. Tong, On the cyclic structure of some non-linear shift register sequences, Inf. Control 43 (1979) 202–215.

[11] J. Mykkeltveit, J. Szmidt, On cross joining de Bruijn sequences, Cryp-tology ePrint Archive, 2013/760, www.iacr.org.

[12] T. Rachwalik, J. Szmidt, R. Wicik, J. Zabłocki, Generation of nonlinearfeedback shift registers with special purpose hardware, in: MilitaryCommunications and Information Systems Conference, MCC 2012,IEEE Xplore Digital Library, 2012, pp. 151–154, Cryptology ePrintArchive, 2013/314.

[13] R. Wicik, T. Rachwalik, Modified alternating step generators, in: Mil-itary Communications and Information Systems Conference, MCC2013, Malto, France, 2013, pp. 203–215.