Construction of Maximum Period Linear Feedback Shift Registers (LFSR) (Primitive Polynomials and Linear Recurring Relations)

Abstract: The Feedback Shift Register (FSR) is generally the basic element of the pseudo-random generators used to produce the cryptographic chain, i.e. the set of sequences used as encryption keys. This type of generator is widely used in stream ciphers and in communication systems such as CDMA (Code Division Multiple Access), mobile communication systems, ranging and navigating

• Encryption equation ($E_{k_i}$ = encryption function, $D_{k_i}$ = decryption function): for the additive binary stream cipher, $y_i = E_{k_i}(x_i) = x_i \oplus k_i$ and $x_i = D_{k_i}(y_i) = y_i \oplus k_i$, where $x_i$, $y_i$ and $k_i$ are the plaintext, ciphertext and key-stream bits. Encryption is reciprocal: we decrypt exactly as we encrypt. The key-stream generator may be regarded as a finite state machine.
• An error in $y_i$ affects only the one bit $x_i$.
• The loss or addition of a bit $y_i$ affects all the following bits $x_i$ after decryption.
• If $k_i = 0$ for all $i$, then $X = Y$.
• If the key sequence $(k_i)$ is infinite and truly random, one obtains the one-time-pad cryptosystem, also called the Vernam cipher after its inventor Gilbert Vernam (1917) [2,5,6,9,10,17,19-21]. It is unconditionally secure against a ciphertext-only attack: the cryptogram gives no information about the plaintext.
Generally, a stream cipher is based on the same principle as the one-time pad, the only difference being that the one-time pad requires a truly random key sequence as long as the message, which the receiver cannot reproduce unless it already possesses the whole sequence.
Failing that, pseudo-random key sequences produced by a pseudo-random generator are used instead [12,22-25]. A good pseudo-random sequence is one for which, knowing a portion of the sequence, it is extremely difficult in practice to determine the rest of the sequence [26]. A classic method for generating a pseudo-random sequence [27,28] is to use a feedback shift register (cf. paragraph 2).
The bit stream (key stream), i.e. the sequence of keys produced by the key-stream generator, constitutes the cryptographic chain.
Stream ciphers are classified into two categories:
• Synchronous stream cipher: the key-stream bits are generated independently of both the plaintext bits and the ciphertext bits. The sender and receiver must be synchronized, i.e. use the same key stream and be in the same generator state, for decryption to succeed. If bits are lost or added in transmission, decryption fails from that point on. On the other hand, a bit flipped in transmission does not disturb the decryption of the following bits.
Examples [2,14]: the Output Feedback (OFB) and Counter (CTR) modes of a block cipher are synchronous stream ciphers.
• Self-synchronizing (asynchronous) stream cipher: each bit of the key stream is a function of a fixed number of preceding ciphertext bits, so the generators on both sides resynchronize automatically.
If some ciphertext bits are lost or added, self-synchronization is always recovered after that fixed number of bits. However, the system is subject to error propagation: a modification of the ciphertext by an adversary, or a transmission error, leads to the incorrect decryption of several consecutive bits.
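The two synchronization behaviours described above can be checked on a small constructed example. The following Python is an added illustration, not code from the paper: it XOR-encrypts a constructed 40-bit plaintext with (a) a fixed key stream (synchronous) and (b) a toy self-synchronizing key function whose key bit is the parity of a secret mask ANDed with the last M = 4 ciphertext bits (an assumption made only to exhibit resynchronization; it is linear in the ciphertext and is not a usable cipher). It then flips or drops one ciphertext bit and reports which plaintext positions decrypt wrongly.

```python
"""Added example (constructed toy, not the paper's code): how a synchronous and a
self-synchronizing additive stream cipher react to a flipped or a lost
ciphertext bit.  y_i = x_i XOR k_i in both cases; only the source of k_i differs."""

M = 4  # memory of the self-synchronizing toy: k_i depends on y_{i-1}, ..., y_{i-M}

# Constructed key stream for the synchronous cipher: one period of the
# m-sequence of x^4 + x + 1, repeated (assumption for the demo, not a real key).
KEY_STREAM = [1, 0, 0, 0, 1, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0]
# Constructed 40-bit plaintext.
PLAINTEXT = [int(b) for b in "0110100101110001001011010000111011100101"]
# Hypothetical secret mask and shared IV of the self-synchronizing toy.
SECRET = [1, 0, 1, 1]
IV = [0, 1, 1, 0]


def sync_keystream(length):
    return [KEY_STREAM[i % len(KEY_STREAM)] for i in range(length)]


def sync_encrypt(bits):
    """Synchronous: k_i independent of plaintext and ciphertext."""
    return [x ^ k for x, k in zip(bits, sync_keystream(len(bits)))]


sync_decrypt = sync_encrypt  # encryption is reciprocal


def selfsync_key_bit(history):
    """Toy k_i = parity of (SECRET AND the last M ciphertext bits).
    history[-1] is y_{i-1}, history[0] is y_{i-M}.  Linear, hence insecure;
    used only to show the resynchronization behaviour."""
    return sum(s & y for s, y in zip(SECRET, history)) & 1


def selfsync_encrypt(bits):
    history, out = list(IV), []
    for x in bits:
        y = x ^ selfsync_key_bit(history)
        out.append(y)
        history = history[1:] + [y]
    return out


def selfsync_decrypt(cipher):
    history, out = list(IV), []
    for y in cipher:
        out.append(y ^ selfsync_key_bit(history))
        history = history[1:] + [y]       # receiver state is rebuilt from ciphertext
    return out


def error_positions(decrypted, expected):
    return [i for i, (a, b) in enumerate(zip(decrypted, expected)) if a != b]


def flip_effect(encrypt, decrypt, plaintext, p):
    """Plaintext positions decrypted wrongly when ciphertext bit p is inverted."""
    y = encrypt(plaintext)
    y[p] ^= 1
    return error_positions(decrypt(y), plaintext)


def drop_effect(encrypt, decrypt, plaintext, p):
    """Plaintext positions decrypted wrongly when ciphertext bit p is lost in
    transit.  After the loss, received bit j should decrypt to plaintext bit j+1."""
    y = encrypt(plaintext)
    del y[p]
    return [p + i for i in error_positions(decrypt(y)[p:], plaintext[p + 1:])]


if __name__ == "__main__":
    p = 10
    print("synchronous flip:", flip_effect(sync_encrypt, sync_decrypt, PLAINTEXT, p))
    print("synchronous drop:", drop_effect(sync_encrypt, sync_decrypt, PLAINTEXT, p))
    print("self-sync   flip:", flip_effect(selfsync_encrypt, selfsync_decrypt, PLAINTEXT, p))
    print("self-sync   drop:", drop_effect(selfsync_encrypt, selfsync_decrypt, PLAINTEXT, p))
```

With the synchronous cipher a flipped bit gives exactly one wrong plaintext bit, while a dropped bit leaves the receiver one key-stream position behind for the rest of the message: every position where $k_j \ne k_{j+1}$ decrypts wrongly, and there is no recovery. With the self-synchronizing toy a flip corrupts bit p and those later bits whose key bit depends on it (at most M of them), and a drop corrupts at most M bits before both sides are back in step.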

LFSR (Linear Feedback Shift Register)
An example of this type of generator is the FSR (feedback shift register = shift register + feedback function).

Definition [14,27,31-33]:
• A flip-flop (a position on a delay line or other memory device) is an electronic device capable of storing one bit of binary information (0 or 1).
• A shift register of length n consists of n flip-flops interconnected such that the binary state of the memory cell of rank i is transmitted to the memory cell of rank i + 1 when a clock signal is applied to all the flip-flops. Each flip-flop may be seen as a stage of the register. The binary content of the last stage is always physically accessible.
A shift register therefore consists of:
• an input which, in shift mode, advances the bit of one flip-flop to the next flip-flop;
• n flip-flops constituting the stages of the register;
• and an output.
Example of a shift register of 11 stages:
Feedback shift registers are the basis of the pseudo-random generators used for key generation, and this type of generator is widely used in stream ciphers.
A feedback shift register (FSR) of size n is an automaton built from a Boolean function f (ref: Definition 2.2) and a function F, both of n variables over a field GF(p), such that F: {0,1}^n → {0,1}^n (usually p = 2, the binary field, or p = 2^w for an extension field of the binary field).
• F, the next-state function, gives the new state of the FSR from the previous state;
• f, the feedback function, computes the n-th term of the next state;
• if $(x_1, x_2, \dots, x_n)$ is the initial state, then applying f and F gives the state sequence $F(x_1, \dots, x_n) = (x_2, \dots, x_n, f(x_1, \dots, x_n))$, and the output sequence satisfies the recurrence relation $x_{t+n} = f(x_t, x_{t+1}, \dots, x_{t+n-1})$ for $t \ge 1$.
• A linear feedback shift register of n bits (n-bit LFSR) is composed of two parts:
- a shift register containing a sequence of n bits $(x_1, \dots, x_n)$, arranged from left to right, which is the initial state of the register;
- and a linear feedback function $f(x_1, x_2, \dots, x_n)$.

Fig. 3. General scheme of a linear feedback shift register
- The register is known by its acronym LFSR (Linear Feedback Shift Register).
- At periodic intervals determined by the clock, the content of stage i is transferred into stage i + 1: one bit is output at each clock tick and all the bits in the register are shifted forward.

- The new bit entering the register (the leftmost bit in Fig. 4) is computed from the other bits of the register by the feedback function $f(x_1, x_2, \dots, x_n)$. The register output is one bit per clock tick; the sequence generated is called the derivation sequence (output stream).
- The period of the LFSR is the length of the sequence generated before it repeats.
- The feedback function $f(x_1, x_2, \dots, x_n)$ is linear: $f(x_1, x_2, \dots, x_n) = a_1 x_n \oplus a_2 x_{n-1} \oplus \dots \oplus a_n x_1 = \sum_{i=1}^{n} a_i\, x_{n+1-i} \pmod 2$, where $a_i \in \{0, 1\}$ for $1 \le i \le n$ and the addition (XOR) is over GF(2).
- The sequence produced by the LFSR therefore satisfies the linear recurrence relation $x_{n+1} = a_1 x_n \oplus a_2 x_{n-1} \oplus \dots \oplus a_n x_1 \pmod 2$, and more generally $x_{t+n} = \sum_{i=1}^{n} a_i\, x_{t+n-i} \pmod 2$ for $t \ge 1$.

Fig. 4. A scheme of LFSR
Since the next-state mapping is linear, it can also be represented by an n × n matrix A over GF(2) acting on the state vector.
• This configuration, the one we are interested in, is called the Fibonacci configuration (Fibonacci generator) [2,14,28,30,45,49]. It is efficient in hardware, since it requires only one n-bit register and XOR gates, but less efficient in software (LFSR in Fibonacci mode, or external-XOR LFSR), unlike its counterpart, the Galois configuration (LFSR in Galois mode, or internal-XOR LFSR) discussed in [2,14,28,30].
• The Fibonacci generator, or external-XOR LFSR, takes its name from the Fibonacci sequence reduced modulo the maximum value desired, $x_n = (x_{n-1} + x_{n-2}) \bmod m$. Alternatively, the so-called generalized (lagged) Fibonacci recurrences $x_n = (x_{n-k} + x_{n-s}) \bmod m$ can be used to generate pseudo-random numbers [49-51]. The quality of such a generator depends on the lags k and s, which must be carefully chosen, and on the values used for the initial state. On the other hand, this generator is very simple to implement and consumes few resources.

Fig. 6. LFSR in mode Galois
• This must be distinguished from the linear congruential generator [9,14,17,30,45,52,53], which produces pseudo-random sequences of the form $x_{n+1} = (a\,x_n + b) \bmod m$, where $x_n$ is the n-th term of the sequence, $x_0$ is the seed, and the period of the generator is at most m.
If a, b and m are carefully chosen, the generator is said to have maximum period m (the conditions are: gcd(b, m) = 1, i.e. b and m coprime; a − 1 divisible by every prime factor of m; and a − 1 divisible by 4 if m is). If b = 0, the generator is called a multiplicative (homogeneous) congruential generator [45,52]. Linear congruential generators are fast and require few bit operations, but it has been proved that they cannot be used in cryptography for stream ciphers: their output can be predicted, and the cipher therefore broken [14]. The same holds for the quadratic and cubic congruential generators (12) discussed in [14], which also notes that combinations of linear congruential generators giving long periods have not been proved cryptographically secure either.
• LFSRs are used extensively in stream ciphers because they are easily implemented in hardware as well as in software. Referring to the definitions above, the LFSR can be generalized to any finite field GF(p). In software, fields of the form GF(2^w) with w = 8, 32 or 64 are used, matching the machine word sizes.

Examples
Example 1: a maximal-period n-bit LFSR. A maximal-period n-bit LFSR over GF(2) is a register which can generate a pseudo-random sequence of length $T = 2^n - 1$ bits before repetition (and not $2^n$: the all-zero state (000...000) is excluded, since it only reproduces itself). The resulting output sequence is called an m-sequence. For a 3-stage register, for instance, the recurrence equation is $x_{n+1} = x_n + x_{n-2} \pmod 2$ (this is the register whose feedback polynomial $x^3 + x + 1$ is shown to be primitive in Definition 6 below). For an n-bit LFSR to have maximal period, the polynomial formed from the derivation sequence, i.e. the feedback polynomial, must be a primitive polynomial of degree n over GF(2).
• We thus associate with an n-bit LFSR a primitive generator polynomial.
• A primitive polynomial of degree n is an irreducible polynomial of degree n which divides $x^{2^n - 1} + 1$ but divides no $x^t + 1$ with $t < 2^n - 1$; in other words, its order (Definition 3) is exactly $2^n - 1$. (Every irreducible polynomial of degree n divides $x^{2^n - 1} + 1$; primitivity is the stronger condition.)
• If the polynomial f(x) associated with an LFSR is primitive over GF(2), then every non-zero initial state produces a sequence of maximal period $T = 2^n - 1$.

Definition 3
Let f(x) be a polynomial in $F_2[X]$ with $f(0) \ne 0$. Its order, denoted ord(f), is the smallest positive integer t such that $x^t \equiv 1 \pmod{f(x)}$, i.e. such that f(x) divides $x^t + 1$.

Definition 4
Let f(x) be an irreducible polynomial of degree n in $F_2[X]$. It is primitive if its order is $2^n - 1$. So if we want to build an optimal n-bit LFSR (optimal with respect to the period of the sequence produced), we must ensure that the chosen feedback polynomial is of degree n and primitive.
We are then sure of obtaining a maximal period, provided we take the precaution of using a non-zero initial state.
Another advantage of primitive feedback polynomials is the statistical quality of the sequence produced.

Definition 6 [31,47]:
Equivalently, let α be a root of f(x) in $GF(2^n)$; the order of α is the smallest t such that $\alpha^t = 1$. What we want to know is whether the order of α equals $2^n - 1$ (f(x) primitive) or not (f(x) non-primitive); recall that for an n-bit LFSR the order of α divides $2^n - 1$ and f(x) divides $x^{2^n - 1} + 1$.
Let us determine the powers of α for $f(x) = x^3 + x + 1$, using $\alpha^3 = \alpha + 1$: $\alpha^1 = \alpha$, $\alpha^2 = \alpha^2$, $\alpha^3 = \alpha + 1$, $\alpha^4 = \alpha^2 + \alpha$, $\alpha^5 = \alpha^2 + \alpha + 1$, $\alpha^6 = \alpha^2 + 1$, $\alpha^7 = 1$. The order of α is $7 = 2^3 - 1$, and we conclude that the polynomial $f(x) = x^3 + x + 1$ is primitive.
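To make Definitions 3, 4 and 6 operational, here is an added Python example (not from the paper) that represents binary polynomials as integers, lists the powers of α as in the computation above, and tests primitivity by the order of x modulo f(x). It checks $x^{2^n - 1} \equiv 1$ and $x^{(2^n - 1)/p} \not\equiv 1$ for every prime p dividing $2^n - 1$; because only a primitive polynomial of degree n can reach order $2^n - 1$, this single test also settles irreducibility, and it scales to degrees where listing all powers is hopeless. The degree-35 trinomial $x^{35} + x^2 + 1$ used at the end is my own choice, taken from the published tables of primitive trinomials, not a polynomial given on this page.

```python
"""Added example (not from the paper): testing whether a binary polynomial is
primitive, i.e. whether x has order 2^n - 1 modulo f(x) (Definitions 3, 4, 6).

Polynomials over GF(2) are Python ints: bit i is the coefficient of x^i, so
x^3 + x + 1 is 0b1011.  Only a primitive polynomial of degree n can have order
exactly 2^n - 1, so the order test alone decides primitivity."""


def gf2_mulmod(a, b, f):
    """(a * b) mod f over GF(2), for a, b of degree < deg f."""
    n = f.bit_length() - 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:          # degree reached n: reduce by f
            a ^= f
    return r


def gf2_powmod(base, e, f):
    """base^e mod f over GF(2) by square-and-multiply."""
    result = 1
    while e:
        if e & 1:
            result = gf2_mulmod(result, base, f)
        base = gf2_mulmod(base, base, f)
        e >>= 1
    return result


def prime_factors(m):
    """Distinct prime factors of m by trial division (fine for m ~ 2^40)."""
    factors, p = [], 2
    while p * p <= m:
        if m % p == 0:
            factors.append(p)
            while m % p == 0:
                m //= p
        p += 1
    if m > 1:
        factors.append(m)
    return factors


def powers_of_alpha(f):
    """alpha^1, alpha^2, ... up to the first power equal to 1, alpha = x being
    a root of f in GF(2^n).  Reproduces the table of Definition 6."""
    if not (f & 1):
        raise ValueError("x divides f: no power of x is 1")
    powers, cur = [], 1
    while True:
        cur = gf2_mulmod(cur, 0b10, f)
        powers.append(cur)
        if cur == 1:
            return powers


def order_of_x(f):
    """ord(f) of Definition 3, by brute force (small degrees only)."""
    return len(powers_of_alpha(f))


def is_primitive(f):
    """True iff f has degree n >= 1, f(0) = 1 and ord(f) = 2^n - 1, using
    x^(2^n-1) = 1 and x^((2^n-1)/p) != 1 for every prime p | 2^n - 1."""
    n = f.bit_length() - 1
    if n < 1 or not (f & 1):
        return False
    m = (1 << n) - 1
    if gf2_powmod(0b10, m, f) != 1:
        return False
    return all(gf2_powmod(0b10, m // p, f) != 1 for p in prime_factors(m))


def poly_str(f):
    """Readable form, e.g. 0b1011 -> 'x^3 + x + 1'."""
    terms = ["1" if i == 0 else "x" if i == 1 else f"x^{i}"
             for i in range(f.bit_length() - 1, -1, -1) if (f >> i) & 1]
    return " + ".join(terms) or "0"


if __name__ == "__main__":
    print("powers of alpha mod x^3 + x + 1:",
          [poly_str(p) for p in powers_of_alpha(0b1011)])
    for f in (0b1011, 0b10011, 0b11001, 0b11111, 0b10001, (1 << 35) | (1 << 2) | 1):
        small = f < (1 << 16)
        print(f"{poly_str(f):22} order={order_of_x(f) if small else '(not listed)'}"
              f"  primitive={is_primitive(f)}")
```

Note that $x^4 + x^3 + x^2 + x + 1$ is irreducible but has order 5, so an LFSR built on it has period 5, not 15: irreducibility alone is not enough, which is exactly the distinction Definition 4 draws.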

Primitive Feedback Polynomials and Linear Recurrences for Constructing Maximal-period LFSRs
From the primitive polynomial we can identify the linear recurrence equation associated with the n-bit LFSR, and vice versa.
Consider the following register and the primitive polynomial defined in paragraph 2.4 (13):

Fig. 14. n-bits LFSR
Then our linear recurrence can be written in matrix form (state transition by the matrix A) or, in the simplest form, which we will use in this study, as the single equation $x_{n+1} = a_1 x_n + a_2 x_{n-1} + \dots + a_n x_1 \pmod 2$.

Maximal Period
If the generator polynomial is primitive, then for every initial state of n bits that is not all zero the period is maximal: $T = 2^n - 1$.

Identification Equation
With our primitive polynomial and the linear recurrence, the identification equation is
$x_{n+1} = \sum_{i=1}^{n} a_i\, x_{n+1-i} \pmod 2 \iff f(x) = 1 + \sum_{i=1}^{n} a_i x^i$, with $a_n = 1$ (so that f has degree n):
the coefficient $a_i$ of $x^i$ in f(x) is the coefficient of $x_{n+1-i}$ in the recurrence. The identification equation lets us determine the coefficients, and hence the recurrence equation, from the polynomial (and vice versa).

Application to 4-bit LFSRs
Take the primitive polynomial $f(x) = x^4 + x + 1$, i.e. $a_4 = a_1 = 1$ and $a_2 = a_3 = 0$. By the identification equation,
$x_{n+1} = a_1 x_n + a_4 x_{n-3} \pmod 2$, i.e. $x_{n+1} = x_n + x_{n-3} \pmod 2$,
and we obtain the following maximal-period 4-bit LFSR (period $T = 2^4 - 1 = 15$ from any non-zero initial state):

Fig. 15. 4-bit LFSR
Remark: the change of variable $x \to 1/x$ gives another possible register. Indeed, if f(x) is primitive of degree n, its reciprocal polynomial $g(x) = x^n f(1/x)$ is also primitive. For $f(x) = x^n + x^s + 1$ this gives $g(x) = x^n + x^{n-s} + 1$; more generally, for $f(x) = 1 + \sum_{i=1}^{n} a_i x^i$ we have $g(x) = x^n + \sum_{i=1}^{n} a_i x^{n-i}$. Both polynomials can be used to build registers for applications.
With the polynomial $f(x) = x^4 + x + 1$ we have $g(x) = x^4 + x^3 + 1$. Using the identification equation, $a_4 = a_3 = 1$ and $a_2 = a_1 = 0$, i.e. $x_{n+1} = x_{n-2} + x_{n-3} \pmod 2$, and we obtain a second maximal-period 4-bit LFSR.
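As an added example (not the paper's code), the following Python applies the identification equation in both directions, builds the reciprocal polynomial, clocks the Fibonacci register from a given state and measures the period, so that the claims of this section ($T = 15$ for $x^4 + x + 1$ and for its reciprocal, period 1 for the all-zero state, period 5 for the non-primitive $x^4 + x^3 + x^2 + x + 1$) can be verified directly.

```python
"""Added example (not the paper's code): from feedback polynomial to Fibonacci
LFSR and back, using the paper's identification equation
  x_{n+1} = a_1 x_n + ... + a_n x_1 (mod 2)  <->  f(x) = 1 + a_1 x + ... + a_n x^n.
Polynomials are Python ints with bit i = coefficient of x^i (x^4 + x + 1 = 0b10011)."""


def taps_from_poly(f):
    """[a_1, ..., a_n] read off f(x) = 1 + a_1 x + ... + a_n x^n."""
    n = f.bit_length() - 1
    if n < 1 or not (f & 1):
        raise ValueError("need degree >= 1 and constant term 1")
    return [(f >> i) & 1 for i in range(1, n + 1)]


def poly_from_taps(taps):
    """Inverse identification: recurrence coefficients -> feedback polynomial."""
    if not taps or taps[-1] != 1:
        raise ValueError("a_n must be 1 for an n-stage register")
    return 1 | sum(a << i for i, a in enumerate(taps, start=1))


def reciprocal(f):
    """g(x) = x^n f(1/x): the coefficient string reversed."""
    n = f.bit_length() - 1
    return int(format(f, f"0{n + 1}b")[::-1], 2)


def recurrence_str(taps):
    """The recurrence as written in the paper, e.g. 'x_{n+1} = x_n + x_{n-3} (mod 2)'."""
    terms = ["x_n" if i == 1 else f"x_{{n-{i - 1}}}"
             for i, a in enumerate(taps, start=1) if a]
    return "x_{n+1} = " + " + ".join(terms) + " (mod 2)"


def lfsr_step(taps, state):
    """One clock tick.  state = (x_{t-n+1}, ..., x_t), newest bit last; the new
    bit is sum_i a_i x_{t+1-i} and state[0] is the bit shifted out (the output)."""
    n = len(taps)
    new_bit = 0
    for i, a in enumerate(taps, start=1):
        if a:
            new_bit ^= state[n - i]
    return state[1:] + (new_bit,)


def lfsr_sequence(taps, state, length):
    """First `length` bits x_1, x_2, ... of the register started in `state`."""
    state, out = tuple(state), []
    for _ in range(length):
        out.append(state[0])
        state = lfsr_step(taps, state)
    return out


def period(taps, state):
    """Clock ticks until the initial state recurs (1 for the all-zero state)."""
    start = tuple(state)
    state, count = lfsr_step(taps, start), 1
    while state != start:
        state, count = lfsr_step(taps, state), count + 1
        if count > (1 << len(taps)):   # only possible if a_n = 0 (map not a permutation)
            raise RuntimeError("initial state never recurs")
    return count


def is_maximal(taps):
    """Maximal period iff one non-zero state has period 2^n - 1: that single
    cycle then visits every non-zero state."""
    n = len(taps)
    return period(taps, (1,) + (0,) * (n - 1)) == (1 << n) - 1


if __name__ == "__main__":
    for f in (0b10011, reciprocal(0b10011), 0b1011, 0b11111):
        taps = taps_from_poly(f)
        start = (1,) + (0,) * (len(taps) - 1)
        print(f"f = {f:#b}: {recurrence_str(taps)}; period from {start}: "
              f"{period(taps, start)}; maximal: {is_maximal(taps)}")
        assert poly_from_taps(taps) == f
```

The convention that $a_i$ multiplies $x_{n+1-i}$ is what makes the round trip `poly_from_taps(taps_from_poly(f)) == f` hold; with the reversed convention one obtains the reciprocal polynomial instead, which is harmless for the period but matters when matching a register against a published table.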

The maximal-period 35-bit LFSR
Finally, it should be noted that [45,54-56] recall work that has been done on binary primitive polynomials and give tables of available polynomials. However, for the realization of LFSRs, it is strongly recommended to use primitive polynomials with many nonzero coefficients (dense primitive polynomials) rather than polynomials most of whose coefficients are zero, which are cryptographically weak [14].
(Article no. BJMCS.19442)

Linear Complexity
In terms of cryptographic security, the use of a single LFSR is not secure, because an LFSR is predictable:
- if we know n consecutive bits produced by an n-bit LFSR together with its primitive polynomial, we can deduce the (n + 1)-th bit, and every bit after it, produced by the register;
- if we know 2n consecutive bits produced by an n-bit LFSR without knowing its primitive polynomial, we can recover that polynomial with the Berlekamp-Massey algorithm [28,30,44,47,48,57,58].
This algorithm determines the linear complexity of a sequence, i.e. the length of the shortest LFSR that can generate it (also called its linear span) [30,59]. In 1969 James L. Massey [44] showed that the algorithm proposed in 1967 by Elwyn R. Berlekamp for decoding BCH codes [57] also finds the shortest LFSR generating a given sequence [39], and gave a range of results on the linear complexity of random sequences.
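The attack described above (2n bits suffice) and the linear-complexity measure can be demonstrated with the following added Python (not the paper's code). It implements Berlekamp-Massey over GF(2), recovers $f(x) = 1 + x + x^4$ from the first 8 bits of the 4-bit register of Fig. 15, predicts the remaining bits of the period, and then measures the linear complexity of the same register passed through an assumed degree-2 filtering function $z_t = x_t x_{t-1} + x_{t-2}$ (my choice for illustration): it is strictly larger than 4, but bounded by $\binom{4}{1} + \binom{4}{2} = 10$ for a degree-2 filter of a 4-stage register.

```python
"""Added example (not the paper's code): Berlekamp-Massey over GF(2), used to
recover an LFSR's feedback polynomial from 2n output bits and to measure linear
complexity.  Same convention as the paper: x_{t+1} = a_1 x_t + ... + a_n x_{t+1-n}
(mod 2) corresponds to f(x) = 1 + a_1 x + ... + a_n x^n."""


def berlekamp_massey(bits):
    """Return (L, c): L = linear complexity of `bits`, c = [1, c_1, ..., c_L] the
    shortest connection polynomial C(x) = 1 + c_1 x + ... + c_L x^L such that
    bits[j] = c_1 bits[j-1] + ... + c_L bits[j-L] (mod 2) for L <= j < len(bits)."""
    n = len(bits)
    c = [1] + [0] * n        # current connection polynomial
    b = [1] + [0] * n        # polynomial from the last time L changed
    L, m = 0, -1             # m: position of that last change
    for i in range(n):
        d = bits[i]                        # discrepancy between prediction and bit i
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]       # c(x) += x^shift * b(x)
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]


def conn_str(c):
    """'1 + x + x^4' for c = [1, 1, 0, 0, 1]."""
    return " + ".join(["1"] + [("x" if i == 1 else f"x^{i}")
                               for i in range(1, len(c)) if c[i]])


def _clock(taps, s):
    """One tick of a Fibonacci LFSR; s = [x_{t-n+1}, ..., x_t], newest bit last."""
    n = len(taps)
    new = 0
    for i, a in enumerate(taps, start=1):
        if a:
            new ^= s[n - i]
    return s[1:] + [new]


def lfsr_bits(taps, state, length):
    """Output x_1, x_2, ... of the register started in state (x_1, ..., x_n)."""
    s, out = list(state), []
    for _ in range(length):
        out.append(s[0])
        s = _clock(taps, s)
    return out


def filtered_bits(taps, state, length):
    """Nonlinear filter generator with the assumed filter
    z_t = x_t * x_{t-1} + x_{t-2} (mod 2) taken from three stages."""
    s, out = list(state), []
    n = len(taps)
    for _ in range(length):
        out.append((s[n - 1] & s[n - 2]) ^ s[n - 3])
        s = _clock(taps, s)
    return out


def predict(c, known, count):
    """Extend `known` by `count` bits with the recovered connection polynomial."""
    seq, L = list(known), len(c) - 1
    for _ in range(count):
        seq.append(sum(c[i] & seq[-i] for i in range(1, L + 1)) & 1)
    return seq[len(known):]


if __name__ == "__main__":
    taps, state = [1, 0, 0, 1], (1, 0, 0, 0)      # x^4 + x + 1, the register of Fig. 15
    stream = lfsr_bits(taps, state, 15)
    L, c = berlekamp_massey(stream[:8])            # attacker sees only 2n = 8 bits
    print(f"L = {L}, f(x) = {conn_str(c)}")
    print("predicted:", predict(c, stream[:8], 7), " actual:", stream[8:])
    print("filtered generator L =", berlekamp_massey(filtered_bits(taps, state, 30))[0])
```

Berlekamp-Massey needs 2L bits to pin down a sequence of linear complexity L, which is why the filtered stream is measured over two full periods; a larger linear complexity is necessary but not sufficient, since the filtered generator remains open to correlation and algebraic attacks that this measure does not capture.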

Recommendations and Perspectives
A pseudo-random generator based on FSRs and used to generate keys must have the following characteristics [12]:
- a long period;
- a large linear complexity;
- good statistical properties.
As noted above, the major advantage of LFSRs is the ease of hardware and software implementation, coupled with their sound mathematical foundation. However, LFSRs used alone are not secure, on account of their linearity, which is exploited to build cryptanalytic attacks, foremost among them the Berlekamp-Massey algorithm. The following constructions are used to introduce nonlinearity:

Fig. 19. Nonlinear combined LFSRs
• Nonlinear filter generator [12,69,70]: a key-stream generator consisting of a single LFSR and a nonlinear function (the nonlinear filtering function) whose inputs are taken from some stages of the register to produce the output.

Fig. 20. Nonlinear filter generator
• Clock-controlled generator [12,71,72]: a key-stream generator in which one LFSR is used to determine which output symbols of a second LFSR are used as the final output.

Fig. 21. Clock control
• It is also worth mentioning the following constructions:
- the shrinking generator, invented in 1993 by D. Coppersmith, H. Krawczyk and Y. Mansour [73,74];
- feedback with carry shift registers (FCSR): in spite of their large linear complexity, they are susceptible to attacks by the rational approximation algorithm [94], which plays for FCSRs the role the Berlekamp-Massey algorithm plays for LFSRs. They could therefore be coupled with LFSRs in the design of pseudo-random generators;
- vectorial feedback with carry shift registers (VFCSR), a vector design of the FCSR whose analysis has been extended to the finite fields GF(p^n) [96];
- filtered feedback with carry shift registers (F-FCSR), a design of FCSR intended to counter the rational approximation attack [94,97,98];
- algebraic feedback shift registers (AFSR), whose mathematical basis is a π-adic ring (π-adic numbers are generalizations of formal power series and of N-adic integers). LFSRs and FCSRs are special cases of the AFSR [28].
It is also useful to look at the theory of stability of stream-cipher cryptosystems, i.e. the resistance of such systems to small variations in some of their parameters, in particular the linear complexity and the nonlinear Boolean functions used [3,59,99]:
• For additive synchronous stream ciphers, techniques for controlling the stability of the linear complexity already exist, but the stability of the local linear complexity seems for the moment difficult to handle (this is an open problem).
• For nonlinear combination registers and nonlinear filtered registers, partial results have been obtained on certain aspects of the stability theory, but the research should be carried further: a promising field of research.
Other research directions could be explored in the studies made, in particular, on metric spaces and series [100,101,102].
Finally, research is also being conducted on registers with nonlinear update (RNLUs), which generalize NLFSRs; their study is still theoretical and should be refined further [103,104].

Conclusion
As indicated at the beginning of the article, the proposed method determines mathematically, from the primitive polynomial, the linear recurrence relation generating the LFSR (and vice versa), and thus facilitates its construction; it also yields the corresponding reciprocal primitive polynomial, which makes it possible to build another LFSR as good as the first.
We thus have a design, and a careful choice, of the maximal-length LFSR to use, based on the primitive polynomial, the reciprocal polynomial and the associated linear recurrence relations, in contrast to the methods used so far, where the recurrences are established from the primitive polynomial without further detail in order to draw the LFSR.
On the other hand, it seemed important to review LFSRs and to emphasize their cryptographic security, with the recommendations of the preceding paragraph and by highlighting the research opportunities in this area.