Fast Multi-Sequence Shift-Register Synthesis with the Euclidean Algorithm

. Feng and Tzeng’s generalization of the Extended Euclidean Algorithm synthesizes the shortest–length linear feedback shift–register for s ≥ 1 sequences, where each sequence has the same length n . In this contribution, it is shown that Feng and Tzeng’s algorithm which solves this multi–sequence shift–register problem has time complexity O ( sn 2 ). An acceleration based on the Divide and Conquer strategy is proposed and it is proven that subquadratic time complexity is achieved.


Introduction
Multi-sequence linear feedback shift-register (LFSR) synthesis plays an important role in cryptography and coding theory, e.g. for decoding Interleaved Reed-Solomon (IRS) codes [3,8,9,12]. A codeword of an IRS code can be seen as s parallel codewords from Reed-Solomon codes of same length. Transmitting an IRS codes provides s syndrome sequences, which can be used to determine one common error locator polynomial for the s parallel codewords. This error locator polynomial can be interpreted as the connection polynomial of a shift register, which generates each of these s syndrome sequences. Another application is decoding of binary cyclic codes up to the Hartmann-Tzeng [7] bound, where multiple sets of consecutive roots result in multiple syndrome sequences of equal length.
Solving the multi-sequence LFSR synthesis problem for s ≥ 1 sequences means finding the shortest-length LFSR that generates each of the s sequences.
Mainly, there are two algorithms for finding the shortest-length LFSR for sequences of equal length n. Both were introduced by Feng and Tzeng: one based on the Berlekamp-Massey Algorithm [5] and one based on the Euclidean Algorithm [4]. A generalization of Feng and Tzeng's Euclidean Algorithm to Euclidean modules was considered in [14].
However, the complexity of [4] has not been analyzed so far. Many efficient algorithms are based on the so-called Divide and Conquer (DC) strategy. Assume, a problem of size M is given, then the DC strategy splits the problem into two halves, each of size M/2. The structure of these halves should be the same as the original problem. The calculation can be accelerated if [1,2,6] 1. there are algorithms with less than half of the complexity for the divided problems, 2. and they can be combined into the solution of the whole problem with low complexity.
In this contribution, we accelerate Feng and Tzeng's (Extended) Generalized Euclidean Algorithm ((E)GEA) [4] using the DC strategy. We show that the EGEA has complexity O(sn 2 ) when solving the multi-sequence shift-register problem. Our fast algorithm has subquadratic complexity O(s 2 n log 2 sn). This paper is organized as follows. In Section 2, we state the problem and explain Feng and Tzeng's original EGEA [4]. Section 3 provides and proves our fast algorithm for solving the multi-sequence LFSR synthesis problem for sequences of equal length. In Section 4, we analyze the complexity of both, the original and the fast algorithm and come to a conclusion in Section 5.
2. The (extended) generalized Euclidean algorithm 2.1. Problem statement. Let F q denote a finite field of order q and F q [x] stands for the set of all univariate polynomials in the indeterminate x over F q . Problem 2.1 (Multi-sequence shift-register synthesis of equal length). Given s ≥ 1 sequences of minimal degree such that: j− = 0 for all j = , + 1, . . . , n − 1 and for all i = 0, . . . , s − 1.
Similar to the well-known key equation for the single-sequence shift-register synthesis problem, Feng and Tzeng reformulated an equation for Problem 2.1 [4,Equation (3)]. An alternative derivation of this concatenated key equation can be found in [15]. Here, we give the basic idea. Let the assumptions of Problem 2.1 be fulfilled, define a polynomial S(x) ∈ F q [x] with deg S(x) < sn by In [4], it was shown that solving Problem 2.1 is equivalent to the following problem.
Note that for s = 1, Equation (3) is the classical key equation for single-sequence shift-register synthesis.

2.2.
Overview of the algorithms. Figure 1 illustrates the connection between Feng and Tzeng's (E)GEA [4] and the classical (Extended) Euclidean Algorithm ((E)EA). The classical single-sequence shift-register synthesis problem (i.e., only one sequence is given) can be solved by the (E)EA [13]. Feng and Tzeng's generalization to the (E)GEA solves the multi-sequence shift-register synthesis problem (Problem 2.2) for s ≥ 1 sequences. In general, the EA is used to cal- Figure 1. Overview of Feng and Tzeng's algorithms. The two parts distinguish between the classical single-sequence problem, which can be solved by the (E)EA, and the multi-sequence problem, which can be solved by the (E)GEA. The basic algorithm of the (E)EA is the usual division of two polynomials. For the (E)GEA, the modified and the generalized division are the equivalent of the division. The EA calculates the GCD of two polynomials and the EEA additionally puts out coefficients to obtain a linear combination of the input polynomials in each step. The EGEA is an extension of the GEA to obtain such coefficients for each of the s + 1 input polynomials.
culate the Greatest Common Divisor (GCD) of two polynomials A 0 (x), B 0 (x). The EEA additionally calculates polynomials V j (x) and U j (x) to obtain a linear combination of the two input polynomials A 0 (x), B 0 (x) such that for the remainder R j (x) = V j (x) · A 0 (x) + U j (x) · B 0 (x) holds in each step j of the algorithm. The basic algorithm of the (E)EA is the usual division algorithm of two polynomials.
The GEA can be seen as the generalization of the EA to s ≥ 1 sequences. The EGEA extends the GEA by factors in the same way as the EEA extends the EA.

The EGEA solves Problem 2.2 and returns corresponding linear factors
i=0 as the EEA in the single-sequence case. Thereby, the basic algorithms of the EGEA are the so-called modified and generalized division. Note that Feng and Tzeng called the EGEA Alternative Version of the Generalized Euclidean Algorithm [4, Section II-D]. For s = 1, the EGEA is the EEA.
For a description of the (E)GEA, we give some definitions in the following and explain the subalgorithms shown in Figure 1. We focus on the most important parts and rewrite Feng and Tzeng's algorithms in a compact form. Additional properties (e.g. degree constraints) can be found in [4].
. Then, the congruence class A of degree ν represented by A(x) with deg A(x) mod s = ν, is the following set of polynomials: The modified division algorithm is the basic subalgorithm of the GEA and is given in Algorithm 1.

Theorem 2.3 (Modified Division [4]). Given two polynomials
, the modified division (Algorithm 1, ModDA) calculates unique polynomials Q(x s ) and R(x) such that We call Q(x s ) the quotient and R(x) the remainder.
In Line 4 of Algorithm 1, lc(R(x)), lc(B(x)) denotes the leading coefficients of The modified division of two polynomials consists of the first steps of a usual division of the same polynomials. The iterations of the modified division might stop earlier, but never later than the iterations of the usual division. For s = 1, the modified division is the same as the usual division of two polynomials.
In the following, we give an example of this modified division. This example is the same as the first step of [4, Section II, Example 1], but with more intermediate steps as explanation.
Example 2.1 (Modified Division). The example considers sequences over F 2 . Let the input be: The steps of the algorithm are as follows.
The so-called generalized division applies the modified division repeatedly. The generalized division (together with the modified division) can be seen as the equivalent in the EGEA to the usual division algorithm in the EEA (see Figure 1).
, where B is an element of the set of representatives (4) and Algorithm 2: Generalized Division Algorithm (GenDA) For an example of the generalized division see [4, Section II, Example 1]. Based on the previous definitions and algorithms, we now describe the GEA and extend it to the EGEA, which synthesizes the shortest-length multi-sequence LFSR. The GEA is defined as follows [4, Equation (8)].
An example of the GEA is given in [4, Section II, Example 2]. The EGEA additionally puts out linear factors for each input polynomial.
The EGEA repeatedly applies the generalized division (Algorithm 2) to obtain (7) and calculate polynomials V j (x) and {U such that for each j = 0, 1 . . .
Here, we do not explain in detail how V j (x s ) and {U j (x s )} s−1 i=0 are calculated, but we give the connection to the notation from [4]. Let d j (x s ), u j (x s ) be the polynomials from [4] that are calculated by [4,Equations (15.2)-(18.2)]. Then, the connection to our notation is as follows: In order to use the EGEA for multi-sequence shift-register synthesis of s sequences of equal length n, let the input of the EGEA be is calculated by (2). Let the EGEA run up to the first remainder is the shortest LFSR that generates each of the s sequences S (i) , i = 0, . . . , s − 1 where a is an arbitrary constant. Algorithm 3 shows the EGEA with the breaking condition for multi-sequence shift-register synthesis (Line 1). An example of the EGEA applied for multi-sequence shift-register synthesis is shown in [4, Section III, Example 3].

Algorithm 3: Extended Generalized Euclidean Algorithm (EGEA)
3. Fast extended generalized Euclidean algorithm 3.1. Idea. In order to apply the DC strategy, we want to break the EGEA into two halves. To reduce the complexity, we have to find an efficient way to calculate the modified division (Algorithm 1) and the generalized division (Algorithm 2). Together with a DC strategy of the EGEA (Algorithm 3), the overall complexity can be reduced. The modified division algorithm (Algorithm 1) of two polynomials A(x), B(x) with A(x) ∼ B(x) and deg A(x) ≥ B(x) consists of the first steps of a usual division of the same two polynomials. The iterations of the modified division either stop if the remainder is in another congruence class or if the remainder is still in the same congruence class and deg R(x) < deg B(x). For an efficient calculation of the modified division we can truncate the input polynomials as shown in the following. A similar strategy was used by Aho and Hopcroft [1] to accelerate the EA and by Blahut [2] to accelerate the EEA. Let us rewrite the input polynomials A(x), B(x) by: where both deg A(x), deg B(x) < k for some k satisfying If the modified division is applied to both pairs, A(x), B(x) and A(x), B(x), then the quotients and some leading coefficients of the remainders coincide.

Theorem 3.1 (Truncation and the Modified Division). Given two pairs of polynomials
Let us rewrite these polynomials as in (11) and let k satisfy (12). Let be the results of the modified divisions (Algorithm 1). Then, the quotients and remainders satisfy Proof. In [2, Theorem 10.7.1], Blahut shows that (13) is fulfilled when the usual division of two polynomials and their truncated polynomials is calculated. The modified division is a usual division that might stop earlier than the usual division, but never later. Therefore, at most the same number of coefficients of the input polynomials influence the result compared to a usual division. Hence, we can truncate (at least) the same number of coefficients as for a usual division and [2, Theorem 10.7.1] can also be applied for the modified division. The following lemma proves that the missing part of the remainder R(x) has no impact on half of the iterations of the generalized division (and hence of the EGEA).

Lemma 3.2 (Truncation and the Generalized Division). Let
j (x s ) are the quotients of the generalized division in step j for the input polynomials A(x), B (i) (x) and A(x), B (i) (x), respectively. Then, then the quotients of the usual divisions of both inputs coincide. Since the modified division stops not later than a usual division, this also holds for the quotients of the modified division. Hence, the results for the generalized divisions are the same and P j (x) = P j (x).
Hence, about half of the iterations can be calculated correctly without knowing this part. By means of this fact, a fast recursive generalized division algorithm and fast recursive EGEA can be designed that both use truncated polynomials.

3.2.
Algorithms. We use the DC strategy combined with a truncation of the polynomials to design a fast EGEA.
To apply the DC strategy, we split the EGEA into two halves. The first half is given in Algorithm 5 (FH-EGEA). As typical for DC algorithms, Algorithm 5 contains two recursive calls with the truncated polynomials (Lines 7 and 21) and a generalized division in between. The if-conditions are necessary to check if a truncation is possible. Finally, in Line 24, we calculate the remainder. Note that we use the symbol to denote that the output of an algorithm is not used further (see Lines 7, 21 of Algorithm 5).
Algorithm 4 (F-EGEA) is the complete fast EGEA that consists of two halves. The first degree condition in Line 1 decides whether the problem can immediately be truncated in Algorithm 5 (FH-EGEA) or if a usual generalized division is done. If deg B (ν) (x) ≤ deg A(x)/2, the truncation cannot be applied yet, since k ≤ 0 and we call the usual generalized division. However, we do not lose the reduction of complexity, since in this case one normal generalized division divides the size of the problem in half. The second part of Algorithm 4 has the same form as the original problem and hence, Algorithm 4 is called recursively in Line 8.
The algorithm terminates if deg In the recursions, the current values are used. Note that in contrast to the original algorithms from Section 2, the polynomials do not have the index j since it changes during the recursive calls.
Remark 1 (Truncation in the Recursions). The choice of k = 1 2 deg A(x) is motivated by the fact that a Divide and Conquer approach requires that the problem is halved. We now explain how this choice of k agrees with Theorem 3.1. In this remark, we index the polynomials with the recursion level, e.g. A j (x). Let the current recursion level of Algorithm FH-EGEA be j = 0 and k = 1 2 deg A 0 (x) . Let the first if-condition be fulfilled, i.e., deg B (see Line 2) are returned. One level higher (where j = 1), we calculate in Line 8 of Algorithm FH-EGEA A 1 (x) ← A 1 (x) and we know from the lower recursion level that deg is true and due to Theorem 3.1, the generalized division GenDA can be applied (see Line 12).
4. Complexity analysis 4.1. Complexity of the EGEA. Feng and Tzeng did not analyze the complexity of the EGEA in [4]. Based on the idea of Lipson [10,Chapter 7] for the complexity analysis of the EEA, we give a bound on the time complexity of the EGEA (Definition 2.6).
We count the number of multiplications in the finite field F q of order q. Let i=0 . Let us consider the GEA first. In the general case, the GEA runs up to R j (x) = 0 (see (7)). For simplicity, we assume that in every jth step the degree of the polynomial R j (x) (see (7)) decreases by one. Consider Equation (7) of Definition 2.5. A simple division has the same complexity as a multiplication of two polynomials with some scalar factor. The number of operations T j in F q for the jth step of the GEA is: where the factor 1/s comes from the "sparsity" (only every sth coefficient is considered) of the polynomials Q We know from [4,Equations (8.3), (8.4)] that: . Hence, we have: As we assume that the degree of the remainder decreases by one, we obtain T ≤ cN 2 .
The additional calculations to extend the GEA to the EGEA do not affect this bound on the time complexity and we conclude with the following theorem for the EGEA. If Algorithm 3 is applied to Problem 2.2 at most n iterations (instead of sn) have to be performed. Therefore, we have the following theorem. Let us first analyze the complexity of the fast half EGEA, Algorithm 5 (FH-EGEA). Let N ≥ deg A 0 (x) and let T F HEGEA (N ) denote the maximum running time of Algorithm 5. The complexity of the splitting operations and the additions is negligible. The generalized division can be implemented by (at most) s parallel modified divisions, i.e., it requires c 1 · s · MD(N ) operations, for a constant c 1 . In addition, Algorithm 5 includes two recursive calls with half size. Hence, T F HEGEA (N ) is upper bounded by: It is well-known that this linear recurrence relation implies (see e.g.   For multi-sequence shift-register synthesis of equal length, each sequence has length n and the overall length of the sequences is N = sn. With worst case assumptions, we have MD(N ) = MD(sn) ≤ O(N log N ) = O(sn log(sn)).
Thus, the complexity of the fast EGEA is given by the following theorem. This complexity is subquadratic, i.e., for large sequence lengths (and as usual, small numbers of s), the complexity is reduced by our accelerated algorithms.

Conclusion
We investigated the multi-sequence shift-register synthesis problem for sequences of equal length, which can be solved by Feng and Tzeng's EGEA. The complexity of the EGEA was analyzed and we reduced the time complexity to subquadratic complexity by application of a DC strategy.