The goal of this book is to provide algebraic tools for the design of pseudo-random sequences. It is meant to be both a text book and a reference book. We present a unified approach based on algebraic methods, which allows us to simultaneously treat linear feedback shift registers, feedback with carry shift registers, and many other analogous classes of sequence generators. The requisite algebraic tools are developed in Appendices A through D.
Pseudo-random sequences
Applications of random numbers became so widespread in the early 1950s that eventually a table of one million random digits was generated and published [178] by the Rand corporation. It was soon found necessary to generate “random numbers” in real time using a computer algorithm. Sequences of numbers generated in this way are referred to as pseudo-random, see Section 8.1. Pseudo-random sequences have become ubiquitous in modern electronics and information technology. They are used, for example, as spreading codes in communications systems (such as cellular telephones and GPS signals), as components for generating keystreams for stream ciphers and other cryptographic applications, as sampling data for simulations and Monte Carlo integration, for timing measurements in radar and sonar signals and in GPS systems, as error correcting codes in satellite and other communications, as randomizers of digital signals to eliminate spectral lines, as counters in field programmable gate arrays, and in power on self tests.
Golomb's randomness postulates. In 1967 Golomb proposed three desirable criteria that one might ask of a binary pseudo-random sequence a [61, 62].
1. It should be balanced,
2. it should have the run property (Section 8.2.2), and
3. it should have an ideal autocorrelation function.
These concepts are described below. Since then, new applications have created an enormous demand for pseudo-random sequences that exhibit additional, more sophisticated randomness properties. Some of these requirements are known to be incompatible with others. Currently, for any given application, one generally draws up a list of required randomness properties and then goes about trying to find or to design a pseudo-random sequence that meets these requirements. Although Golomb's list looks rather minimal by today's standards, it is an amazing fact that there are still only a handful of known techniques for constructing sequences with all three of these properties. In this section we will describe some of the most common measures of randomness.
Why pseudo-random?
Random numbers (in one sense or another) have applications in computer simulation, Monte Carlo integration, cryptography, randomized computation, radar ranging, and other areas. In each case we need a sequence of numbers (or of bits) that “appears” to be “random”, yet is repeatable. Of course these are contradictory requirements. If we know the sequence beforehand, then it is not random.
Shift and add sequences are important because (a) they arise naturally as m-sequences (see Section 3.9.1 and Section 10) or related sequences (see Chapter 11 and Chapter 12), (b) they often have ideal autocorrelation properties (see Proposition 9.1.3), and (c) they are often (punctured) de Bruijn sequences (see Theorem 9.4.1). At one time it was thought that all shift and add sequences were m-sequences, but this has turned out to be false [13, 65, 211]. See the discussion in Section 9.2 below. In this chapter we develop a complete description of the set of all shift and add sequences. In Chapter 12 we describe a class of (algebraic) shift registers that may be used to generate “good” shift and add sequences over non-prime fields. In this chapter we also consider a “with carry” version of the shift and add property and develop a complete description of all sequences with this property.
Basic properties
Let $G$ be a finite Abelian group and let $a = (a_0, a_1, \ldots)$ be a periodic sequence of elements from $G$. Let $T$ be the minimal period of $a$. For any integer $\tau$, $0 \le \tau < T$, let $a^{\tau}$ be the $\tau$ shift of $a$, that is, $a^{\tau} = (a_{\tau}, a_{\tau+1}, \ldots)$. If $b$ is another periodic sequence with period $T$, then let $a + b$ be the sequence $(a_0 + b_0, a_1 + b_1, \ldots)$.
Abstract algebra and number theory provide the mathematical basis for many of the constructions used in modern communications. Finite fields play an especially important role, particularly in the design of sequence generators with various critical properties. In this appendix we describe the basic algebraic structures that are involved in these constructions, generally without proofs. There are many fine textbooks available on abstract algebra, both in general and about specific aspects [4, 45, 77, 90, 95, 96, 97, 98, 124, 131, 135, 156, 187].
Group theory
Basic properties
A group is a set G with an associative binary operation ⋆ (meaning that (a ⋆ b) ⋆ c = a ⋆ (b ⋆ c) for all a, b, c ∈ G), an identity element e ∈ G (meaning that e ⋆ a = a ⋆ e = a for all a ∈ G), and inverses (meaning that for any a ∈ G there exists b ∈ G such that a ⋆ b = e). From these axioms it follows that the identity e is unique, that the inverse, $b = a^{-1}$, is uniquely determined by a, and that b ⋆ a = e as well. The group G is commutative or Abelian if a ⋆ b = b ⋆ a for all a, b ∈ G. It is common to use multiplicative notation, writing ab for a ⋆ b and $a^{-1}$ for the inverse of a ∈ G.
Let R be a finite commutative ring and let a be a periodic sequence of elements in R. Let T be the period of a.
Definition 10.1.1 The sequence a is an m-sequence (over the ring R) of rank r (or degree r or span r) if it can be generated by a linear feedback shift register with r cells, and if every nonzero block of length r occurs exactly once in each period of a.
In other words, the sequence a is the output sequence of an LFSR that cycles through all possible nonzero states before it repeats. The second condition in the definition also says that a is a punctured de Bruijn sequence. See Section 8.2.4. In this section we recall standard results about m-sequences which have been known since the early 1900s [41] and which may be found in Golomb's book in the binary case [61, 62].
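As an added example (not code from the book): a binary LFSR with connection polynomial x^4 + x + 1 produces an m-sequence of rank 4 and period 15. The functions below generate one period and check Golomb's three postulates from the introduction, the shift-and-add property from the Basic properties section, and the "every nonzero block of length r occurs exactly once" condition of Definition 10.1.1. The tap list [1, 4] (recurrence a_n = a_{n-1} + a_{n-4} mod 2) and the starting state are constructed inputs for this illustration.

```python
def lfsr_period(taps, state):
    """One period of a binary Fibonacci LFSR a_n = sum_{i in taps} a_{n-i} (mod 2), found by running until the state repeats."""
    r, cells, out, seen = len(state), list(state), [], {}
    while tuple(cells) not in seen:
        seen[tuple(cells)] = len(out)
        out.append(cells[0])                               # cells = a_{n-r} .. a_{n-1}
        cells = cells[1:] + [sum(cells[r - i] for i in taps) % 2]
    return out[seen[tuple(cells)]:]

def is_balanced(p):
    """Golomb 1: the numbers of 1s and 0s in a period differ by at most one."""
    return abs(2 * sum(p) - len(p)) <= 1

def runs(p):
    """Maximal runs of one period, read cyclically, as (bit, length) pairs (p must not be constant)."""
    s = next(i for i in range(len(p)) if p[i] != p[i - 1])   # start at a run boundary
    out = []
    for b in p[s:] + p[:s]:
        if out and out[-1][0] == b: out[-1][1] += 1
        else: out.append([b, 1])
    return [tuple(x) for x in out]

def has_run_property(p):
    """Golomb 2: of the N runs, N/2 have length 1, N/4 length 2, ... (while N/2^k >= 2), each count split equally between 0-runs and 1-runs."""
    rs = runs(p)
    N, k = len(rs), 1
    while N >> k >= 2:
        zeros = sum(1 for b, L in rs if b == 0 and L == k)
        ones = sum(1 for b, L in rs if b == 1 and L == k)
        if zeros != ones or zeros + ones != N >> k:
            return False
        k += 1
    return True

def autocorrelation(p, tau):
    """Periodic autocorrelation: agreements minus disagreements between p and its tau shift (ideal: -1 for all tau != 0)."""
    return sum(1 if p[i] == p[(i + tau) % len(p)] else -1 for i in range(len(p)))

def has_shift_and_add(p):
    """Shift-and-add: p plus any nontrivial shift of p, added termwise mod 2, is again a shift of p."""
    T = len(p)
    shifts = {tuple(p[s:] + p[:s]) for s in range(T)}
    return all(tuple((p[i] + p[(i + t) % T]) % 2 for i in range(T)) in shifts for t in range(1, T))

def is_punctured_de_bruijn(p, r):
    """Every nonzero r-block occurs exactly once per period (second condition of Definition 10.1.1)."""
    T = len(p)
    blocks = [tuple(p[(i + j) % T] for j in range(r)) for i in range(T)]
    return T == 2 ** r - 1 and len(set(blocks)) == T and (0,) * r not in blocks
```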
Proposition 10.1.2 Suppose a is an m-sequence of rank r over a (finite commutative) ring R, generated by an LFSR with connection polynomial q(x) ∈ R[x] of degree r. Then the following hold.
1. The ring R is a field and the connection polynomial q(x) is a primitive polynomial.
In this chapter we study the register synthesis problem for FCSRs. We describe two approaches to this problem, one based on the Euclidean algorithm and one based on the theory of approximation lattices. First we must make sense of the notion of the size of an FCSR.
N-adic span and complexity
As in the case of linear span, the N-adic span of a sequence is intended to measure how large an FCSR is required to output the sequence. In the LFSR case, this is given by the number of cells in an LFSR that outputs the sequence, and coincides with the degree of the connection polynomial, i.e., the denominator of the rational function giving the power series whose coefficients are the elements of the sequence.
In the N-ary FCSR case, things are more complicated. The number of N-ary coefficients in the connection integer equals the size of the basic register, but additional space is required for the memory. For purely periodic sequences, this extra memory is small (at most the $\log_N$ of the number of cells in the basic register), and if such sequences were our only concern we could ignore the extra memory. However, an eventually periodic sequence may require a considerable amount of extra memory. We would like to define the N-adic span of an eventually periodic sequence a to be the number of cells in the register plus the number of elements needed for the memory of an FCSR which outputs the sequence a.
A feedback with carry shift register is a feedback shift register with a small amount of auxiliary memory. In its simplest form, the cells of the register consist of bits (0 or 1) while the memory contains a nonnegative integer. The contents (0 or 1) of the tapped cells of the shift register are added as integers to the current contents of the memory to form a sum σ. The parity bit, σ (mod 2), of σ is fed back into the first cell, and the higher order bits, $\lfloor \sigma/2 \rfloor$, are retained as the new value of the memory. See Figure 4.1. There are many parallels between LFSR sequences and FCSR sequences, some of which we list in Table 4.1.
The output sequences generated by an FCSR are examples of multiply with carry sequences. They enjoy many of the useful statistical properties of linearly recurrent sequences. As with linearly recurrent sequences, several algebraic structures are available for the analysis of multiply with carry sequences, including ordinary integer arithmetic, N-adic numbers, and an analog of the trace function. Multiply with carry sequences have been applied in such areas as pseudo-random number generation, cryptanalysis, stream cipher design, and arithmetic codes.
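An added example, not the book's code, of the binary FCSR described above and of its link to the 2-adic numbers just mentioned. The connection integer q = 37 and the starting state are constructed for this illustration: q + 1 = 38 = 2^5 + 2^2 + 2^1, so the register has five cells with taps at positions 1, 2 and 5. The function fcsr_rational applies the standard state-to-rational relation of FCSR theory (with q_0 = -1 and q_i the tap bits), and the block checks it by comparing the register output with a 2-adic long division of p/q.

```python
def fcsr_taps(q):
    """Register length r and tap positions for connection integer q (q + 1 = sum of 2^i over taps)."""
    r = (q + 1).bit_length() - 1                  # 2^r is the highest bit of q + 1
    return r, [i for i in range(1, r + 1) if (q + 1) >> i & 1]

def fcsr_step(q, cells, memory):
    """One clock: sigma = tapped bits + memory; feed back sigma mod 2, keep floor(sigma / 2)."""
    r, taps = fcsr_taps(q)
    sigma = sum(cells[r - i] for i in taps) + memory   # cells hold a_{n-r} .. a_{n-1}
    return cells[1:] + [sigma % 2], sigma // 2

def fcsr_run(q, register, memory, n):
    """First n output bits a_0, a_1, ... and the largest memory value reached."""
    cells, out, max_mem = list(register), [], memory
    for _ in range(n):
        out.append(cells[0])
        cells, memory = fcsr_step(q, cells, memory)
        max_mem = max(max_mem, memory)
    return out, max_mem

def fcsr_period(q, register, memory):
    """Eventual period of the output, found when a (register, memory) state repeats."""
    seen, cells, t = {}, list(register), 0
    while (tuple(cells), memory) not in seen:
        seen[(tuple(cells), memory)] = t
        cells, memory = fcsr_step(q, cells, memory)
        t += 1
    return t - seen[(tuple(cells), memory)]

def fcsr_rational(q, register, memory):
    """Numerator p with output = 2-adic expansion of p/q (q_0 = -1, q_i = tap bits)."""
    r, taps = fcsr_taps(q)
    qc = [-1] + [1 if i in taps else 0 for i in range(1, r + 1)]
    p = sum((qc[j] * register[i - j]) << i for i in range(r) for j in range(i + 1))
    return p - (memory << r)

def two_adic_bits(p, q, n):
    """First n digits of the 2-adic expansion of p/q, q odd, by 2-adic long division."""
    bits = []
    for _ in range(n):
        b = p & 1                    # q odd, so the next digit is just the parity of p
        bits.append(b)
        p = (p - b * q) // 2         # exact division: p - b*q is even
    return bits

if __name__ == "__main__":
    q, state, mem = 37, [1, 0, 0, 0, 0], 0   # constructed sample: 5 cells, taps 1, 2, 5
    bits, max_mem = fcsr_run(q, state, mem, 200)
    print(bits[:12], "period:", fcsr_period(q, state, mem), "max memory:", max_mem,
          "equals 2-adic expansion of p/q:", bits == two_adic_bits(fcsr_rational(q, state, mem), q, 200))
```

Because 2 is a primitive root modulo 37, the output has period 36 while the memory never exceeds the number of taps, which is the small-memory behaviour the N-adic span discussion above relies on.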
FCSRs were first described in the early 1990s [67, 115, 119]. These devices were suggested as a method for high speed hardware generation of binary sequences with enormous periods, as might be used in a stream cipher or digital communication system.
Besides being interesting fundamental mathematical objects in their own right, linearly recurrent sequences have proved to be useful in many applications, including pseudo-random number generation, error correcting codes, private key cryptosystems, radar ranging, code division multiple access communications, and many other areas. They provide a fast and simple method of generating statistically random sequences. Moreover, many of their properties can be analyzed using various algebraic structures. The primary algebraic tools used to analyze linearly recurrent sequences are polynomials, power series, and trace functions on finite fields. The results in this section are all classical, many of them having been known for over 100 years. However, we have organized this section in a slightly unusual way (from the modern perspective) in order to better illustrate how they are parallel to the FCSR and AFSR theory which will be described in later chapters.
There are many ways to describe the output sequence of an LFSR, each of which has its merits. In this chapter we discuss the matrix presentation (Section 3.2), the generating function presentation (Theorem 3.5.1), the algebraic presentation (Proposition 3.7.1), the trace representation (Theorem 3.7.4), and the sums of powers representation (Theorem 3.7.8).
Definitions
In this section we give the definitions and describe the basic properties of linear feedback shift registers and linearly recurrent sequences. Throughout this chapter we assume that R is a commutative ring (with identity denoted by 1).