An equivalence preserving transformation from the Fibonacci to the Galois NLFSRs
Authors: Elena Dubrova (Royal Institute of Technology)
Elena Dubrova, Royal Institute of Technology (KTH), Electrum 229, 164 46 Kista, Sweden, dubrova@kth.se

Abstract. Conventional Non-Linear Feedback Shift Registers (NLFSRs) use the Fibonacci configuration, in which the value of the first bit is updated according to some non-linear feedback function of the previous values of other bits, and each remaining bit repeats the value of its previous bit. We show how to transform the feedback function of a Fibonacci NLFSR into several smaller feedback functions of individual bits. Such a transformation reduces the propagation time, thus increasing the speed of pseudo-random sequence generation. The practical significance of the presented technique is that it makes it possible to increase the keystream generation speed of any Fibonacci NLFSR-based stream cipher with no penalty in area.

Keywords: Fibonacci NLFSR, Galois NLFSR, pseudo-random sequence, keystream, stream cipher.

1 Introduction

Non-Linear Feedback Shift Registers (NLFSRs) have been proposed as an alternative to Linear Feedback Shift Registers (LFSRs) for generating pseudo-random sequences for stream ciphers. NLFSR-based stream ciphers include Achterbahn [1], Dragon [2], Grain [3], Trivium [4], VEST [5], and [6]. NLFSRs have been shown to be more resistant to cryptanalytic attacks than LFSRs [7,8]. However, the construction of large NLFSRs with guaranteed long periods remains an open problem. A systematic algorithm for NLFSR synthesis has not been discovered so far; only some special cases have been considered [9,10,11,12,13,14,15,16,17].

In general, there are two ways to implement an NLFSR: in the Fibonacci configuration, or in the Galois configuration. The Fibonacci configuration, shown in Figure 1, is conceptually simpler.
The Fibonacci type of NLFSR consists of a number of bits numbered from left to right as $n-1, n-2, \ldots, 0$, with feedback from each bit to the $(n-1)$th bit. At each clocking instance, the value of bit $i$ is moved to bit $i-1$. The value of bit 0 becomes the output of the register. The new value of bit $n-1$ is computed as some non-linear function of the previous values of the other bits.

Fig. 1. A Fibonacci type of NLFSR: bits $n-1, n-2, n-3, \ldots, 0$; a single feedback function drives bit $n-1$ and the output is taken from bit 0.

In the Galois type of NLFSR, shown in Figure 2, each bit $i$ is updated according to its own feedback function. Thus, in contrast to Fibonacci NLFSRs, in which feedback is applied to the $(n-1)$th bit only, in Galois NLFSRs feedback is potentially applied to every bit. Since the next-state functions of the individual bits of a Galois NLFSR are computed in parallel, the propagation time is reduced to that of the smaller functions of individual bits. This makes Galois NLFSRs particularly attractive for stream cipher applications in which a high keystream generation speed is important. However, Galois NLFSRs also have the following two drawbacks:

1. An $n$-bit Galois NLFSR with the period $2^n - 1$ does not necessarily satisfy the 1st and the 2nd postulates of Golomb [18]. An $n$-bit Fibonacci NLFSR with the period $2^n - 1$ always satisfies both postulates [9].

2. The period of the output sequence of a Galois NLFSR is not necessarily equal to the length of the longest cyclic sequence of its consecutive states [18]. The period of a Fibonacci NLFSR always equals the longest cyclic sequence of its consecutive states [9].

These drawbacks do not create any problems in the linear case because, for LFSRs, there exists a one-to-one mapping between the Fibonacci and Galois configurations.
A Galois LFSR generating the same output sequence as a given Fibonacci LFSR (and therefore possessing none of the above-mentioned drawbacks) can be obtained by reversing the order of the feedback taps and adjusting the initial state. For example, Figure 3 shows the Fibonacci and Galois configurations for the generator polynomial $x^3 + x + 1$. If the Fibonacci LFSR is initialized to the state 001 and the Galois one is initialized to the state 101, then they generate the same periodic sequence 1001011.

In the non-linear case, however, no mapping between the Fibonacci and the Galois configurations has been known until now. The problem of finding such a mapping is addressed in this paper. We show that, for each Fibonacci NLFSR, there exists a class of equivalent Galois NLFSRs which produce the same output sequence. We show how to transform a given Fibonacci NLFSR into an equivalent Galois NLFSR. The most significant contribution of the paper is a sufficient condition for the equivalence of two NLFSRs before and after the transformation. It is formulated and proved for the general case, which covers not only the equivalence between a Fibonacci and a Galois NLFSR, but also the equivalence between two Galois NLFSRs.

The paper is organized as follows. Section 2 describes the main notions and definitions used in the sequel. Section 3 formulates a sufficient condition for the existence of a non-linear recurrence describing the output sequence of an NLFSR. Section 4 presents a sufficient condition for the equivalence of two NLFSRs. In Section 5, we define a Galois NLFSR which is unique for a given Fibonacci NLFSR and show how to compute it. Section 6 concludes the paper and discusses open problems.

Fig. 2. A Galois type of NLFSR: each bit $i \in \{n-1, n-2, \ldots, 0\}$ has its own feedback function $f_i$; the output is taken from bit 0.

2 Preliminaries

In this section, we describe the basic definitions and notation used in the sequel.
The algebraic normal form (ANF) of a Boolean function $f : \{0,1\}^n \to \{0,1\}$ is a polynomial in $GF(2)$ of type
$$f(x_0, \ldots, x_{n-1}) = \sum_{i=0}^{2^n-1} c_i \cdot x_0^{i_0} \cdot x_1^{i_1} \cdot \ldots \cdot x_{n-1}^{i_{n-1}},$$
where $c_i \in \{0,1\}$ and $(i_0 i_1 \ldots i_{n-1})$ is the binary expansion of $i$ with $i_{n-1}$ being the least significant bit.

The dependence set (or support set) of a Boolean function $f$ is defined by
$$dep(f) = \{\, i \mid f|_{x_i=0} \neq f|_{x_i=1} \,\},$$
where $f|_{x_i=j} = f(x_0, \ldots, x_{i-1}, j, x_{i+1}, \ldots, x_{n-1})$ for $j \in \{0,1\}$. Let $\alpha_{min}(f)$ ($\alpha_{max}(f)$) be the smallest (largest) index of the variables in $dep(f)$.

Let $f_i : \{0,1\}^n \to \{0,1\}$ be the feedback function of bit $i$, $i \in \{0,1,\ldots,n-1\}$, of an NLFSR. All results in this paper are derived for NLFSRs whose feedback functions are singular functions of type
$$f_i = x_{i+1} \oplus g_i(x_0, \ldots, x_{n-1}), \quad (1)$$
where $g_i : \{0,1\}^{n-1} \to \{0,1\}$, $i+1 \notin dep(g_i)$, and the sign "$+$" is modulo $n$. Singularity guarantees that the state transition graph of an NLFSR is "branchless", i.e. that each state belongs to one of the state cycles [9].

Let $s_i(t)$ denote the value of bit $i$ at time $t$. The sequence of states of an $n$-bit NLFSR with singular feedback functions can be described by a system of $n$ non-linear equations of type:
$$\begin{aligned}
s_{n-1}(t) &= s_0(t-1) \oplus g_{n-1}(s_1(t-1), s_2(t-1), \ldots, s_{n-1}(t-1)) \\
s_{n-2}(t) &= s_{n-1}(t-1) \oplus g_{n-2}(s_0(t-1), s_1(t-1), \ldots, s_{n-2}(t-1)) \\
&\ \vdots \\
s_0(t) &= s_1(t-1) \oplus g_0(s_0(t-1), s_2(t-1), \ldots, s_{n-1}(t-1)).
\end{aligned} \quad (2)$$

Fig. 3. The Fibonacci LFSR (left) and the Galois LFSR (right) for the generator polynomial $x^3 + x + 1$ (bits 2, 1, 0).
3 A Condition for Existence of a Non-Linear Recurrence

In this section, we formulate a condition for the existence of a non-linear recurrence describing the output sequence of an NLFSR. First, we introduce some definitions which are necessary for the presentation of the main results.

Definition 1. Two NLFSRs are equivalent if there are initial states, possibly different for each NLFSR, from which they generate the same output sequences.

Definition 2. The feedback graph of an NLFSR has $n$ vertices $v_0, \ldots, v_{n-1}$ representing the bits $0, \ldots, n-1$. There is an edge from $v_i$ to $v_j$ if $i \in dep(f_j)$, $i, j \in \{0,1,\ldots,n-1\}$.

Definition 3. The terminal bit of an $n$-bit NLFSR is the bit with the largest index $i$ which satisfies the following condition: for all bits $j$ such that $i > j \geq 0$, the feedback function $f_j$ is of type $f_j = x_{j+1}$, $i, j \in \{0,1,\ldots,n-1\}$.

Definition 4. The operation substitution, denoted by $sub(v_i, v_j)$, is defined for any vertex $v_i$ which has a unique predecessor $v_j$. The substitution $sub(v_i, v_j)$ removes $v_i$ from the feedback graph and, for each successor $v_k$ of $v_i$, replaces the edge $(v_i, v_k)$ by an edge $(v_j, v_k)$, $i, j, k \in \{0, \ldots, n-1\}$.

Definition 5. Given a feedback graph $G$, the reduced feedback graph of $G$ is the graph obtained by successively applying the substitution to all vertices of $G$ with input degree 1.

Since substitution merges a vertex with its unique predecessor, the order of applying the substitutions does not influence the resulting reduced feedback graph, i.e. it is unique for a given $G$.

Lemma 1. If the feedback graph of an $n$-bit NLFSR can be reduced to a single vertex $v_i$, $i \in \{0, 1, \ldots, n-1\}$, then there exists a non-linear recurrence describing the sequence of values of bit $i$ of type
$$s_i(t) = \sum_{j=0}^{2^n-1} \Big( a_j \cdot \prod_{k=0}^{n-1} s^{j_k}(t-n+k) \Big), \quad (3)$$
where $a_j \in \{0,1\}$, $(j_0 j_1 \ldots j_{n-1})$ is the binary expansion of $j$ with $j_{n-1}$ being the least significant bit, and $s^{j_k}(t-n+k)$ is defined as follows:
$$s^{j_k}(t-n+k) = \begin{cases} s(t-n+k), & \text{for } j_k = 1, \\ 1, & \text{for } j_k = 0. \end{cases}$$

Fig. 4. Reduction steps for the feedback graph of the Fibonacci NLFSR from the example: (a) initial graph with vertices 0, 1, 2, 3; (b) after $sub(v_0, v_1)$; (c) after $sub(v_1, v_2)$; (d) after $sub(v_2, v_3)$.

Proof: Let $v_i$ be a vertex of the feedback graph which has a unique predecessor $v_j$ and $m$ successors $v_{k_1}, \ldots, v_{k_m}$, $j, k_p \in \{0,1,\ldots,n-1\}$, $p \in \{1, \ldots, m\}$. By Df. 2, this implies that $s_i(t) = s_j(t-1)$ and, for each $p$, $s_{k_p}(t)$ depends on $s_i(t-1)$. The substitution $sub(v_i, v_j)$ is equivalent to replacing the variable $s_i(t-1)$ in the equation of each $s_{k_p}(t)$ by $s_j(t-2)$. This reduces the number of variables in the equations (2) by one and reduces the number of equations by one. If the feedback graph of an NLFSR can be reduced to a single vertex, say $v_r$, then the substitution can be applied $n-1$ times. So, the number of variables in the equations (2) can be reduced to a single variable and the number of equations can be reduced to a single equation. This equation corresponds to the non-linear recurrence relation describing the sequence of states of bit $r$ of the NLFSR. ✷

Example 1: As an example, consider a 4-bit Fibonacci NLFSR with the feedback function $f_3 = x_0 \oplus x_1 \oplus x_2 \oplus x_1 x_3$.
Its sequence of states can be described by the following equations:
$$\begin{aligned}
s_3(t) &= s_0(t-1) \oplus s_1(t-1) \oplus s_2(t-1) \oplus s_1(t-1) s_3(t-1), \\
s_2(t) &= s_3(t-1), \\
s_1(t) &= s_2(t-1), \\
s_0(t) &= s_1(t-1).
\end{aligned}$$
This NLFSR generates the following output sequence with the period 15: 111011000101001...

The feedback graph of this NLFSR is shown in Figure 4(a). It can be reduced to a single vertex as follows:

1. $sub(v_0, v_1)$ reduces the graph to Figure 4(b). This is equivalent to substituting $s_0(t)$ by $s_1(t-1)$ into the equation of $s_3(t)$:
$$s_3(t) = s_1(t-2) \oplus s_1(t-1) \oplus s_2(t-1) \oplus s_1(t-1) s_3(t-1).$$

2. $sub(v_1, v_2)$ reduces the graph to Figure 4(c). This is equivalent to substituting $s_1(t)$ by $s_2(t-1)$ into the equation of $s_3(t)$:
$$s_3(t) = s_2(t-3) \oplus s_2(t-2) \oplus s_2(t-1) \oplus s_2(t-2) s_3(t-1).$$

3. $sub(v_2, v_3)$ reduces the graph to Figure 4(d). This is equivalent to substituting $s_2(t)$ by $s_3(t-1)$ into the equation of $s_3(t)$:
$$s_3(t) = s_3(t-4) \oplus s_3(t-3) \oplus s_3(t-2) \oplus s_3(t-3) s_3(t-1).$$

This gives us a non-linear recurrence describing the sequence of values of bit 3. Since the other bits repeat the content of bit 3, the recurrence is identical for all bits, and thus for the output of the NLFSR.

It is easy to see that the feedback graph of a Fibonacci NLFSR can always be reduced to a single vertex $v_{n-1}$. Therefore, for a Fibonacci NLFSR, a non-linear recurrence of type (3) always exists. Its coefficients $a_i$, $i \in \{0,1,\ldots,2^n-1\}$, are equal to the coefficients $c_i$ of the ANF of the feedback function $f_{n-1}$. For Galois NLFSRs, a non-linear recurrence of type (3) may or may not exist. If it exists, it may be different for different bits.
Example 2: As another example, consider a Galois NLFSR with the following feedback functions:
$$f_3 = x_0 \oplus x_1 x_3, \quad f_2 = x_3, \quad f_1 = x_2, \quad f_0 = x_1 \oplus x_2 \oplus x_3.$$
Its feedback graph can be reduced to the vertex $v_3$, giving us the following recurrence:
$$s_3(t) = s_3(t-4) \oplus s_3(t-3) \oplus s_3(t-2) \oplus s_3(t-3) s_3(t-1).$$
This recurrence is the same as the one of the Fibonacci NLFSR from Example 1. Bits 2 and 1 repeat the same recurrence as bit 3; however, the value of bit 0 is the XOR of bits 1, 2 and 3. Thus, its sequence of values differs from the one of bit 3. Therefore, the output sequence of this Galois NLFSR is different from the output sequence of the Fibonacci NLFSR from Example 1.

4 A Transformation from the Fibonacci to the Galois NLFSRs

In this section, we show how to transform a Fibonacci NLFSR into an equivalent Galois NLFSR.

Let $P_f$ denote the set of all product-terms of the ANF of a function $f : \{0,1\}^n \to \{0,1\}$. Given an ANF product-term $p \in P_f$, the notation $p - k$ means that the index of each variable $x_i$ of $p$ is changed to $x_{i-k}$, where "$-$" is modulo $n$. For example, if $n = 4$ and $p = x_0 x_1 x_3$, then $p - 1 = x_3 x_0 x_2$, $p - 2 = x_2 x_3 x_1$, $p - 3 = x_1 x_2 x_0$.

Definition 6. The operation shifting, denoted by $f_a \xrightarrow{p} f_b$, $p \in P_{f_a}$, $a, b \in \{0,1,\ldots,n-1\}$, $b < a$, removes the product-term $p$ from the ANF of the function $f_a$ and adds the product-term $p - (a-b)$ to the ANF of the function $f_b$.

As we can see from the definition, shifting subtracts $(a-b)$ from the index of each variable in the shifted product-term (modulo $n$). For example, if initially
$$f_3 = x_0 \oplus x_1 x_3, \quad f_2 = x_3,$$
then, after $f_3 \xrightarrow{x_1 x_3} f_2$, we get
$$f_3 = x_0, \quad f_2 = x_3 \oplus x_0 x_2.$$

Definition 7. An $n$-bit NLFSR is uniform if: (a) all its feedback functions are of type (1), and (b) for all its bits $i$ such that $n-1 \geq i > \tau$, the following condition holds:
$$\alpha_{max}(g_i) \leq \tau, \quad (4)$$
where $\tau$ is the terminal bit of the NLFSR, $\tau \in \{0,1,\ldots,n-1\}$.

Note that any Fibonacci NLFSR is uniform.

Lemma 2. If an NLFSR is uniform, then its feedback graph can be reduced to a single vertex.

Proof: Suppose that an NLFSR $N$ is uniform. We show that then we can always reduce the feedback graph of $N$ to the vertex $v_\tau$ corresponding to the terminal bit $\tau$ of $N$.

By Df. 3, for $i \in \{0,1,\ldots,\tau-1\}$, each vertex $v_i$ of the feedback graph has input degree 1. So, for each $i \in \{0,1,\ldots,\tau-1\}$, we can apply the substitution $sub(v_i, v_{i+1})$ to remove $v_i$ from the feedback graph and, for each successor $v_k$ of $v_i$, to replace the edge $(v_i, v_k)$ by an edge $(v_\tau, v_k)$. Therefore, by applying the sequence of substitutions $sub(v_0, v_1), sub(v_1, v_2), \ldots, sub(v_{\tau-1}, v_\tau)$ we can remove $v_0, v_1, \ldots, v_{\tau-1}$ from the feedback graph and change the origin of all outgoing edges of $v_0, v_1, \ldots, v_{\tau-1}$ to $v_\tau$.

Since the condition (4) holds and the origin of all outgoing edges of $v_0, v_1, \ldots, v_{\tau-1}$ is changed to $v_\tau$, each of the vertices $v_i$ for $i \in \{\tau+1, \tau+2, \ldots, n-1\}$ has no more than two incoming edges: one from $v_{i+1}$ and one from $v_\tau$. This implies that each of them has output degree 1. Clearly, $v_{n-1}$ has only one incoming edge, from $v_\tau$. By applying the substitution $sub(v_{n-1}, v_\tau)$, we can remove $v_{n-1}$ and replace the edge $(v_{n-1}, v_{n-2})$ by the edge $(v_\tau, v_{n-2})$. This makes the input degree of $v_{n-2}$ one. Continuing similarly with the sequence of substitutions $sub(v_{n-2}, v_\tau), \ldots, sub(v_{\tau+1}, v_\tau)$ we remove $v_{n-2}, \ldots, v_{\tau+1}$ and reduce the graph to one vertex, $v_\tau$. ✷
The above condition is sufficient, but not necessary. For example, the NLFSR from Example 2 is not uniform, but it can be reduced to a single vertex.

The following theorem is the main result of the paper. It presents a sufficient condition for the equivalence of two NLFSRs. Note that it is formulated for shiftings on the sub-functions $g_i$ of the singular feedback functions $f_i$ (see expression (1)), because the variable $x_{i+1}$ should not be shifted in order to preserve the register structure.

Theorem 1. Given a uniform NLFSR, a shifting $g_a \xrightarrow{p} g_b$, $a, b \in \{0,1,\ldots,n-1\}$, $b < a$, $p \in P_{g_a}$, preserves the equivalence if the transformed NLFSR is uniform as well.

Proof: See Appendix.

The condition of Theorem 1 is sufficient, but not necessary. For example, the following NLFSR can be obtained from the NLFSR from Example 1 by applying the shiftings $f_3 \xrightarrow{x_1 x_3} f_0$, $f_3 \xrightarrow{x_1} f_1$ and $f_3 \xrightarrow{x_2} f_1$:
$$f_3 = x_0, \quad f_2 = x_3, \quad f_1 = x_2 \oplus x_0 \oplus x_3, \quad f_0 = x_1 \oplus x_0 x_2.$$
This NLFSR is not uniform; however, it is equivalent to the NLFSR from Example 1.

Next, we formulate a condition which should be satisfied in order to obtain a uniform NLFSR after shifting.

Theorem 2. Given a uniform NLFSR $N$, an NLFSR obtained from $N$ by a shifting $g_a \xrightarrow{p} g_b$, $a, b \in \{0,1,\ldots,n-1\}$, $b < a$, $p \in P_{g_a}$, is uniform only if
$$b \geq a - \alpha_{min}(p). \quad (5)$$

Proof: If $b < a - \alpha_{min}(p)$, then $\alpha_{min}(p) < a - b$. Therefore, after the shifting $g_a \xrightarrow{p} g_b$, $\alpha_{min}(p)$ becomes $\alpha_{min}(p) + n - (a-b) = \alpha_{min}(p) + b + (n-a)$. By Df. 6, $b < a$, thus $a$ is always greater than 0. So, for any $a \in \{1,2,\ldots,n-1\}$, after the shifting the feedback function $g_b$ contains a product-term whose index is greater than $b$ by $n-a$. Since the terminal bit of the NLFSR is smaller than or equal to $b$, the condition (4) of Df. 7 is violated. ✷
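Definition 1 can be checked mechanically for the 4-bit registers discussed so far. The following Python is an added example, not code from the paper: it simulates a register from per-bit feedback functions given as ANF product-terms (so Fibonacci and Galois registers use the same stepper), reproduces the period-15 output of Example 1, and then searches all pairs of non-zero initial states to decide whether Example 2 and the non-uniform NLFSR obtained by the three shiftings above are equivalent to Example 1. States are tuples indexed by bit number, i.e. state[i] = s_i.

```python
"""Simulate Fibonacci/Galois NLFSRs and brute-force Definition 1 equivalence."""
from itertools import product

# A feedback function f_i is a list of product-terms; each product-term is a
# tuple of variable indices (the ANF over GF(2)).  A register is a dict mapping
# bit index i -> f_i; bits without an entry default to the shift f_i = x_{i+1}.
def feedback_functions(n, funcs):
    return {i: funcs.get(i, [(i + 1,)]) for i in range(n)}

def evaluate(terms, state):
    """Evaluate an ANF (list of product-terms) on the state s_0..s_{n-1}."""
    value = 0
    for term in terms:
        prod = 1
        for var in term:
            prod &= state[var]
        value ^= prod
    return value

def step(state, funcs):
    """One clock: every bit i is updated in parallel by its own f_i."""
    return tuple(evaluate(funcs[i], state) for i in range(len(state)))

def output_sequence(funcs, init, length):
    """The output is bit 0; return its first `length` values."""
    state, bits = tuple(init), []
    for _ in range(length):
        bits.append(state[0])
        state = step(state, funcs)
    return bits

def period(funcs, init):
    """Length of the state cycle reached from init (singular: no branches)."""
    seen, state = {}, tuple(init)
    while state not in seen:
        seen[state] = len(seen)
        state = step(state, funcs)
    return len(seen) - seen[state]

def equivalent(funcs_a, funcs_b, n, window=40):
    """Definition 1 by brute force: is there a pair of non-zero initial states
    from which both registers emit the same output sequence?  The all-zero
    state is excluded because it is a fixed point of every register here."""
    zero = (0,) * n
    seqs_b = {tuple(output_sequence(funcs_b, s, window))
              for s in product((0, 1), repeat=n) if s != zero}
    return any(tuple(output_sequence(funcs_a, s, window)) in seqs_b
               for s in product((0, 1), repeat=n) if s != zero)

def bits_to_str(bits):
    return "".join(str(b) for b in bits)

# Example 1: Fibonacci NLFSR with f_3 = x0 + x1 + x2 + x1 x3.
FIB = feedback_functions(4, {3: [(0,), (1,), (2,), (1, 3)]})
# Example 2: Galois NLFSR whose bit 3 obeys the same recurrence, but whose
# output bit 0 is the XOR of bits 1, 2 and 3.
GAL_EX2 = feedback_functions(4, {3: [(0,), (1, 3)], 0: [(1,), (2,), (3,)]})
# The non-uniform NLFSR obtained from Example 1 by the three shiftings
# f_3 -x1x3-> f_0, f_3 -x1-> f_1, f_3 -x2-> f_1.
GAL_SHIFTED = feedback_functions(
    4, {3: [(0,)], 1: [(2,), (0,), (3,)], 0: [(1,), (0, 2)]})

if __name__ == "__main__":
    init = (1, 1, 1, 0)  # s_0 = 1, s_1 = 1, s_2 = 1, s_3 = 0
    print("Example 1 output:", bits_to_str(output_sequence(FIB, init, 30)),
          "period:", period(FIB, init))
    print("Example 2 equivalent to Example 1?", equivalent(FIB, GAL_EX2, 4))
    print("Shifted NLFSR equivalent to Example 1?",
          equivalent(FIB, GAL_SHIFTED, 4))
```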
Often an equivalent Galois NLFSR can be obtained from a Fibonacci NLFSR by shifting product-terms one by one. Sometimes, however, more than one product-term has to be shifted in order to preserve the equivalence. For example, if the feedback function $g_{n-1}$ has more than one product-term containing the variable $x_{n-1}$, then all such product-terms have to be shifted. The Lemma below describes two cases in which the product-terms can be shifted one by one.

Lemma 3. Given a uniform NLFSR with the terminal bit $\tau$ and a shifting $g_a \xrightarrow{p} g_b$, $a, b \in \{0,1,\ldots,n-1\}$, $b < a$, $p \in P_{g_a}$, the following holds:

(a) If $b \geq \tau$, then $g_a \xrightarrow{p} g_b$ preserves the equivalence for any $p \in P_{g_a}$ which satisfies the condition (5).

(b) If $b < \tau$ and $\alpha_{max}(g_i) \leq b$ for all $i \in \{n-1, n-2, \ldots, b\}$, then $g_a \xrightarrow{p} g_b$ preserves the equivalence for any $p \in P_{g_a}$ which satisfies the condition (5).

Proof: Case (a): By Df. 6, after the shifting $\alpha_{min}(p)$ becomes $\alpha_{min}(p) - (a-b)$. Since the condition (5) is satisfied, $\alpha_{min}(p) \geq a-b$, i.e. after the shifting the indexes of the variables of $p$ are reduced by some value between 1 and $\alpha_{min}(p)$. Therefore, after the shifting, none of the product-terms of $p$ violates the condition (4). Since the initial NLFSR is uniform and the terminal bit is not changed, the transformed NLFSR is uniform as well, and therefore, by Theorem 1, the equivalence is preserved.

Case (b): Similarly to case (a), we can show that, after the shifting, none of the product-terms of $p$ violates the condition (4). Since $\alpha_{max}(g_i) \leq b$ for all $i$ by assumption, the transformed NLFSR is uniform and therefore, by Theorem 1, the equivalence is preserved. ✷

The above Lemma implies that, for any Fibonacci NLFSR, shifting can always reduce the index of the initial terminal bit $n-1$ at least by 1.
It reduces the index of the terminal bit by exactly 1 if $g_{n-1}$ of the Fibonacci NLFSR contains a product with $\alpha_{max}(g_{n-1}) = n-1$ and $\alpha_{min}(g_{n-1}) = 1$. The smaller the difference between $\alpha_{max}(g_{n-1})$ and $\alpha_{min}(g_{n-1})$, the more the index of the initial terminal bit can be reduced.

5 Fully Shifted Galois NLFSRs

Usually, there are multiple ways to transform a Fibonacci NLFSR into a Galois NLFSR. Next, we define a "fully shifted" Galois NLFSR which is unique for a given Fibonacci NLFSR and show how to compute it.

Definition 8. An NLFSR is fully shifted if no product-term of any function $g_i$ can be shifted to a function $g_j$ with the index $j < i$ without violating the condition (4), $i, j \in \{0,1,\ldots,n-1\}$.

In the linear case, a fully shifted NLFSR reduces to a Galois LFSR, i.e. it is a generalization of the Galois LFSR. Note that this is not the case for NLFSRs which are not fully shifted.

Algorithm 1: Given a uniform $n$-bit Fibonacci NLFSR $N$, the fully shifted Galois NLFSR $\hat{N}$ which is equivalent to $N$ is obtained as follows. First, the terminal bit $\tau$ of $\hat{N}$ is computed as:
$$\tau = \max\big(\alpha_{max}(p) - \alpha_{min}(p)\big), \quad \forall p \in P_{g_{n-1}} \text{ with } |p| > 1, \quad (6)$$
where $|p|$ denotes the number of variables in the product-term $p$. Then, each product-term $p \in P_{g_{n-1}}$ with $\alpha_{min}(p) \leq (n-1) - \tau$ is shifted to $g_{n-1-\alpha_{min}(p)}$:
$$g_{n-1} \xrightarrow{p} g_{n-1-\alpha_{min}(p)},$$
and each product-term $p \in P_{g_{n-1}}$ with $\alpha_{min}(p) > (n-1) - \tau$ is shifted to $g_\tau$:
$$g_{n-1} \xrightarrow{p} g_\tau.$$

Theorem 3. Algorithm 1 correctly computes the fully shifted Galois NLFSR for a given Fibonacci NLFSR.

Proof: For each product $p$ such that $\alpha_{min}(p) \leq (n-1) - \tau$, the indexes are reduced by $\alpha_{min}(p)$. So, after the shifting, the smallest index becomes 0 and the largest becomes $\alpha_{max}(p) - \alpha_{min}(p)$. By equation (6), $\alpha_{max}(p) - \alpha_{min}(p) \leq \tau$.
For each product $p$ such that $\alpha_{min}(p) > (n-1) - \tau$, the indexes are reduced by $(n-1) - \tau$. Since $\alpha_{min}(p) < \alpha_{max}(p) \leq n-1$, the largest index after the shifting is $0 < \alpha_{max}(p) - ((n-1) - \tau) \leq \tau$. Since $(n-1) - \tau < \alpha_{min}(p) < \alpha_{max}(p)$, the smallest index after the shifting is $0 < \alpha_{min}(p) - ((n-1) - \tau) < \tau$. So, the transformed NLFSR $\hat{N}$ is uniform and therefore, by Theorem 1, the two NLFSRs are equivalent.

It remains to prove that $\hat{N}$ is fully shifted. By Df. 6, the index of each variable of $p$ is reduced by $\alpha_{min}(p)$ after the shifting. Therefore, for each product-term $p \in P_{g_{n-1}}$ such that $\alpha_{min}(p) \leq \tau$, $p$ after the shifting contains a variable $x_0$. If $p$ is shifted further from $g_{n-1-\alpha_{min}(p)}$ to $g_{n-1-\alpha_{min}(p)-i}$ for some $1 \leq i \leq n-1-\alpha_{min}(p)$, the index of $x_0$ increases to $n-i$. For every value of $i$ in the range $1 \leq i \leq n-1-\alpha_{min}(p)$, $n-i > n-1-\alpha_{min}(p)$, so the condition (4) is violated and the resulting NLFSR is not equivalent to the initial Fibonacci NLFSR. Each product-term $p \in P_{g_{n-1}}$ such that $\alpha_{min}(p) > \tau$ is shifted to the terminal bit $\tau$. If $p$ is shifted to some $i < \tau$, then, according to equation (6), there is a product-term $p^*$ which has $\alpha_{max}(p^*) > i$ after the shifting. Thus, the condition (4) is violated and the resulting NLFSR is not equivalent to the initial Fibonacci NLFSR. ✷
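Algorithm 1 works purely on the product-terms of $g_{n-1}$, so it is short to implement. The following Python is an added example, not the paper's own code: it computes $\tau$ from equation (6), performs the two kinds of shifting, and checks the result against Definitions 3 and 7. It is run on the 32-bit register of Example 4 (the stream cipher from [6]) and on the 4-bit register of Example 1; the input lists contain $g_{n-1}$ only, i.e. $f_{n-1}$ without its shift term $x_0$.

```python
"""Algorithm 1 (Section 5): the fully shifted Galois NLFSR of a Fibonacci NLFSR.
A product-term is a tuple of variable indices; g_{n-1} is a list of them."""

def fully_shift(n, g_top):
    """Return (tau, g): tau is the terminal bit from equation (6) and g maps a
    bit index i to the product-terms of g_i.  Bits absent from g have g_i = 0,
    i.e. f_i = x_{i+1}."""
    # (6): tau = max(alpha_max(p) - alpha_min(p)) over the non-linear terms.
    spans = [max(p) - min(p) for p in g_top if len(p) > 1]
    tau = max(spans) if spans else 0
    g = {}
    for p in g_top:
        a_min = min(p)
        if a_min <= (n - 1) - tau:
            # g_{n-1} --p--> g_{n-1-alpha_min(p)}: indexes drop by alpha_min(p)
            shift, target = a_min, (n - 1) - a_min
        else:
            # g_{n-1} --p--> g_tau: indexes drop by (n-1)-tau
            shift, target = (n - 1) - tau, tau
        g.setdefault(target, []).append(tuple(v - shift for v in p))
    return tau, g

def terminal_bit(n, g):
    """Definition 3: largest i such that every bit j < i has f_j = x_{j+1}."""
    i = 0
    while i < n - 1 and i not in g:   # bits with g_i = 0 are pure shift stages
        i += 1
    return i

def is_uniform(g, tau):
    """Definition 7(b): alpha_max(g_i) <= tau for every bit i > tau."""
    return all(max(max(p) for p in terms) <= tau
               for i, terms in g.items() if i > tau)

def feedback_variables(g):
    """Variables that occur in some non-zero g_i (the 'feedback variables')."""
    return {v for terms in g.values() for p in terms for v in p}

def feedback_functions(n, g):
    """Full singular functions f_i = x_{i+1} + g_i as product-term lists."""
    return {i: [((i + 1) % n,)] + g.get(i, []) for i in range(n)}

# Example 4: the 32-bit Fibonacci NLFSR from [6]; g_31 = f_31 without x_0.
G31 = [(2,), (6,), (7,), (12,), (17,), (20,), (27,), (30,),
       (3, 9), (12, 15), (4, 5, 16)]
# Example 1: g_3 = x1 + x2 + x1 x3 (f_3 = x0 + g_3).
G3 = [(1,), (2,), (1, 3)]

if __name__ == "__main__":
    for n, g_top in ((32, G31), (4, G3)):
        tau, g = fully_shift(n, g_top)
        print(f"n={n}: tau={tau}, terminal bit={terminal_bit(n, g)}, "
              f"uniform={is_uniform(g, tau)}")
        for i in sorted(g, reverse=True):
            anf = " + ".join("".join(f"x{v}" for v in p) for p in g[i])
            print(f"  f_{i} = x{(i + 1) % n} + {anf}")
        print("  feedback variables:", sorted(feedback_variables(g)))
```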
Example 4: As an example, consider the following 32-bit Fibonacci NLFSR which is used in the NLFSR-based stream cipher from [6]:
$$f_{31} = x_0 \oplus x_2 \oplus x_6 \oplus x_7 \oplus x_{12} \oplus x_{17} \oplus x_{20} \oplus x_{27} \oplus x_{30} \oplus x_3 x_9 \oplus x_{12} x_{15} \oplus x_4 x_5 x_{16}.$$
Its corresponding fully shifted Galois NLFSR has the terminal bit $\tau = 12$ and the following feedback functions:
$$\begin{aligned}
f_{31} &= x_0 \\
f_{29} &= x_{30} \oplus x_0 \\
f_{28} &= x_{29} \oplus x_0 x_6 \\
f_{27} &= x_{28} \oplus x_0 x_1 x_{12} \\
f_{25} &= x_{26} \oplus x_0 \\
f_{24} &= x_{25} \oplus x_0 \\
f_{19} &= x_{20} \oplus x_0 \oplus x_0 x_3 \\
f_{14} &= x_{15} \oplus x_0 \\
f_{12} &= x_{13} \oplus x_1 \oplus x_8 \oplus x_{11}
\end{aligned}$$
The functions which are omitted are of type $f_i = x_{i+1}$. This NLFSR has 7 feedback variables: $x_0, x_1, x_3, x_6, x_8, x_{11}$ and $x_{12}$, while the Fibonacci NLFSR has 15 feedback variables. We can further reduce the depth of the circuits implementing the feedback functions and the number of feedback variables as follows:
$$\begin{aligned}
f_{31} &= x_0 \\
f_{29} &= x_{30} \oplus x_0 \\
f_{28} &= x_{29} \oplus x_0 x_6 \\
f_{27} &= x_{28} \oplus x_0 x_1 x_{12} \\
f_{25} &= x_{26} \oplus x_0 \\
f_{24} &= x_{25} \oplus x_0 \\
f_{20} &= x_{21} \oplus x_1 x_4 \\
f_{19} &= x_{20} \oplus x_0 \\
f_{16} &= x_{17} \oplus x_{12} \\
f_{14} &= x_{15} \oplus x_0 \\
f_{13} &= x_{14} \oplus x_{12} \\
f_{12} &= x_{13} \oplus x_1
\end{aligned}$$
This NLFSR has 5 feedback variables: $x_0, x_1, x_4, x_6$ and $x_{12}$.

6 Conclusion

In this paper, we show how to transform a Fibonacci NLFSR into the Galois configuration. The most important open problem is finding an algorithm for constructing NLFSRs with a guaranteed long period. This problem is hard because there seems to be no simple algebraic theory supporting it. Specifically, primitive generator polynomials for LFSRs have no analog in the non-linear case.

References

1. B. Gammel, R. Göttfert, and O. Kniffler, "Achterbahn-128/80: Design and analysis," in SASC'2007: Workshop Record of The State of the Art of Stream Ciphers, pp. 152–165, 2007.
2. K. Chen, M. Henricken, W. Millan, J. Fuller, L. Simpson, E. Dawson, H. Lee, and S. Moon, "Dragon: A fast word based stream cipher," in eSTREAM, ECRYPT Stream Cipher Project, Report 2005/006, 2005.
3. M. Hell, T. Johansson, and W. Meier, "Grain - a stream cipher for constrained environments," citeseer.ist.psu.edu/732342.html.
4. C. D. Canniere and B. Preneel, "TRIVIUM specifications," citeseer.ist.psu.edu/734144.html.
5. B. Gittins, H. A. Landman, S. O'Neil, and R. Kelson, "A presentation on VEST hardware performance, chip area measurements, power consumption estimates and benchmarking in relation to the AES, SHA-256 and SHA-512." Cryptology ePrint Archive, Report 2005/415, 2005. http://eprint.iacr.org/.
6. B. M. Gammel, R. Göttfert, and O. Kniffler, "An NLFSR-based stream cipher," in ISCAS, 2006.
7. B. Preneel, "A survey of recent developments in cryptographic algorithms for smart cards," Comput. Networks, vol. 51, no. 9, pp. 2223–2233, 2007.
8. A. Canteaut, "Open problems related to algebraic attacks on stream ciphers," in WCC, pp. 120–134, 2005.
9. S. Golomb, Shift Register Sequences. Aegean Park Press, 1982.
10. J. Mykkeltveit, "Nonlinear recurrences and arithmetic codes," Information and Control, vol. 33, no. 3, pp. 193–209, 1977.
11. J. Mykkeltveit, M.-K. Siu, and P. Tong, "On the cycle structure of some nonlinear shift register sequences," Information and Control, vol. 43, no. 2, pp. 202–215, 1979.
12. C. A. Ronce, Feedback Shift Registers, vol. 169. 1984.
13. C. J. Jansen, Investigations On Nonlinear Streamcipher Systems: Construction and Evaluation Methods. Ph.D. Thesis, Technical University of Delft, 1989.
14. M. J. B. Robshaw, On Binary Sequences with Certain Properties. Ph.D. Thesis, University of London, 1992.
15. D. Linardatos and N. Kalouptsidis, "Synthesis of minimal cost nonlinear feedback shift registers," Signal Process., vol. 82, no. 2, pp. 157–176, 2002.
16. A. Ahmad, M. J. Al-Mushrafi, and S. Al-Busaidi, "Design and study of a strong crypto-system model for e-commerce," in ICCC '02: Proceedings of the 15th international conference on Computer communication, (Washington, DC, USA), pp. 619–630, International Council for Computer Communication, 2002.
17. J. S. I. Janicka-Lipska, "Boolean feedback functions for full-length nonlinear shift registers," Telecommunications and Information Technology, vol. 5, pp. 28–29, 2004.
18. E. Dubrova, M. Teslenko, and H. Tenhunen, "On analysis and synthesis of (n,k)-non-linear feedback shift registers," in Design and Test in Europe, 2008. To appear.

7 Appendix: Proof of Theorem 1

Suppose that the transformed NLFSR is uniform. Then, by Lemma 2, its feedback graph can be reduced to the vertex $v_b$ corresponding to the terminal bit $b$ of the transformed NLFSR after the shifting $g_a \xrightarrow{p} g_b$. So, by Lemma 1, there exists a non-linear recurrence describing the sequence of values of bit $b$. It remains to prove that this recurrence is the same as the one of the initial NLFSR.

It is sufficient to consider the case when the shifting $g_a \xrightarrow{p} g_b$ moves a product-term of type $x_k x_a$ for some $k < a$. For product-terms with more variables, or for a product-term without $x_a$, the proof is similar.

If the shifted product is $x_k x_a$, then the function $g_a$ can be represented as $g_a = g^*_a \oplus x_k x_a$, where $g^*_a = g_a \oplus x_k x_a$. So, the NLFSR before the shifting can be represented by the following system of equations:
$$\begin{aligned}
s_{n-1}(t) &= s_0(t-1) \oplus g_{n-1}(s_0(t-1), s_1(t-1), \ldots, s_b(t-1)) \\
&\ \vdots \\
s_a(t) &= s_{a+1}(t-1) \oplus g^*_a(s_0(t-1), s_1(t-1), \ldots, s_b(t-1)) \oplus s_k(t-1) s_a(t-1) \\
s_{a-1}(t) &= s_a(t-1) \\
&\ \vdots \\
s_0(t) &= s_1(t-1)
\end{aligned}$$
Since $i+1 \notin dep(g_i)$ for $i \in \{0,1,\ldots,n-1\}$, each $g_i$ does not depend on $s_{i+1}(t-1)$.
However, we keep this redundant term in the equations in order to be able to later introduce the same abbreviations for all $g_i$. Note that each of $g_{n-1}, g_{n-2}, \ldots, g^*_a$ depends on variables with indexes smaller than or equal to $b$ only since, by assumption, the condition (4) holds after the shifting.

A substitution $sub(v_i, v_{i+1})$ is equivalent to replacing the variable $s_i(t-1)$ in the equation of each successor of $v_i$ by $s_{i+1}(t-2)$. After the sequence of $a$ substitutions $sub(v_0, v_1), \ldots, sub(v_{a-1}, v_a)$, each $s_i(t-1)$ gets replaced by $s_a(t-1-(a-i))$, so the above equations reduce to:
$$\begin{aligned}
s_{n-1}(t) &= s_a(t-a-1) \oplus g_{n-1}(s_a(t-a-1), s_a(t-a), \ldots, s_a(t-1-(a-b))) \\
&\ \vdots \\
s_a(t) &= s_{a+1}(t-1) \oplus g^*_a(s_a(t-a-1), s_a(t-a), \ldots, s_a(t-1-(a-b))) \oplus s_a(t-1-a+k)\, s_a(t-1)
\end{aligned}$$
To shorten the expressions, let us introduce the abbreviation
$$\tilde{s}_a := (s_a(t-a-1), s_a(t-a), \ldots, s_a(t-1-(a-b)))$$
and let the notation $\tilde{s}_a(i)$ mean that each element $s_a(x)$ of $\tilde{s}_a$ is replaced by $s_a(x+i)$. For example, $\tilde{s}_a(-1) = (s_a(t-a-2), s_a(t-a-1), \ldots, s_a(t-2-(a-b)))$. Then, the above equations can be re-written as:
$$\begin{aligned}
s_{n-1}(t) &= s_a(t-a-1) \oplus g_{n-1}(\tilde{s}_a) \\
&\ \vdots \\
s_a(t) &= s_{a+1}(t-1) \oplus g^*_a(\tilde{s}_a) \oplus s_a(t-1-a+k)\, s_a(t-1)
\end{aligned}$$
After the sequence of $n-a-1$ substitutions $sub(v_{n-1}, v_{n-2}), \ldots, sub(v_{a+1}, v_a)$, we get a non-linear recurrence describing the sequence of values of bit $a$:
$$s_a(t) = s_a(t-n) \oplus g_{n-1}(\tilde{s}_a(-n+a+1)) \oplus g_{n-2}(\tilde{s}_a(-n+a)) \oplus \ldots \oplus g^*_a(\tilde{s}_a) \oplus s_a(t-1-a+k)\, s_a(t-1)$$
After expanding the abbreviation $\tilde{s}_a$, the above recurrence becomes:
$$\begin{aligned}
s_a(t) = {}& s_a(t-n) \oplus g_{n-1}(s_a(t-n), s_a(t-n+1), \ldots, s_a(t-n+b)) \\
&\oplus g_{n-2}(s_a(t-n-1), s_a(t-n), \ldots, s_a(t-n+b-1)) \\
&\ \vdots \\
&\oplus g^*_a(s_a(t-a-1), s_a(t-a), \ldots, s_a(t-1-a+b)) \oplus s_a(t-1-a+k)\, s_a(t-1)
\end{aligned} \quad (7)$$

On the other hand, the NLFSR after the shifting can be represented by the following system of equations:
$$\begin{aligned}
s_{n-1}(t) &= s_0(t-1) \oplus g_{n-1}(s_0(t-1), s_1(t-1), \ldots, s_b(t-1)) \\
&\ \vdots \\
s_a(t) &= s_{a+1}(t-1) \oplus g^*_a(s_0(t-1), s_1(t-1), \ldots, s_b(t-1)) \\
s_{a-1}(t) &= s_a(t-1) \\
&\ \vdots \\
s_b(t) &= s_{b+1}(t-1) \oplus s_{k-(a-b)}(t-1)\, s_b(t-1) \\
&\ \vdots \\
s_0(t) &= s_1(t-1)
\end{aligned}$$
After the sequence of $b$ substitutions $sub(v_0, v_1), \ldots, sub(v_{b-1}, v_b)$ we get:
$$\begin{aligned}
s_{n-1}(t) &= s_b(t-b-1) \oplus g_{n-1}(s_b(t-b-1), s_b(t-b), \ldots, s_b(t-1)) \\
&\ \vdots \\
s_a(t) &= s_{a+1}(t-1) \oplus g^*_a(s_b(t-b-1), s_b(t-b), \ldots, s_b(t-1)) \\
s_{a-1}(t) &= s_a(t-1) \\
&\ \vdots \\
s_b(t) &= s_{b+1}(t-1) \oplus s_b(t-1+k-a)\, s_b(t-1)
\end{aligned}$$
Introducing the abbreviation
$$\tilde{s}_b := (s_b(t-b-1), s_b(t-b), \ldots, s_b(t-1))$$
we can re-write the above equations as:
$$\begin{aligned}
s_{n-1}(t) &= s_b(t-b-1) \oplus g_{n-1}(\tilde{s}_b) \\
&\ \vdots \\
s_a(t) &= s_{a+1}(t-1) \oplus g^*_a(\tilde{s}_b) \\
s_{a-1}(t) &= s_a(t-1) \\
&\ \vdots \\
s_b(t) &= s_{b+1}(t-1) \oplus s_b(t-1+k-a)\, s_b(t-1)
\end{aligned}$$
After the sequence of $n-b-1$ substitutions $sub(v_{n-1}, v_{n-2}), \ldots, sub(v_{b+1}, v_b)$, we get a non-linear recurrence describing the sequence of values of bit $b$:
$$s_b(t) = s_b(t-n) \oplus g_{n-1}(\tilde{s}_b(-n+b+1)) \oplus g_{n-2}(\tilde{s}_b(-n+b)) \oplus \ldots \oplus g^*_a(\tilde{s}_b(-(a-b))) \oplus s_b(t-1+k-a)\, s_b(t-1)$$
After expanding the abbreviation $\tilde{s}_b$, the above recurrence becomes:
$$\begin{aligned}
s_b(t) = {}& s_b(t-n) \oplus g_{n-1}(s_b(t-n), s_b(t-n+1), \ldots, s_b(t-n+b)) \\
&\oplus g_{n-2}(s_b(t-n-1), s_b(t-n), \ldots, s_b(t-n+b-1)) \\
&\ \vdots \\
&\oplus g^*_a(s_b(t-a-1), s_b(t-a), \ldots, s_b(t-1-a+b)) \oplus s_b(t-1-a+k)\, s_b(t-1)
\end{aligned} \quad (8)$$
The non-linear recurrences (7) and (8) are the same, so the two NLFSRs are equivalent. ✷