Feedback with Carry Shift Registers: Difference between revisions

In sequence design, a Feedback with Carry Shift Register (or FCSR) is the arithmetic or with carry analog of a Linear feedback shift register (LFSR). If ${\displaystyle N>1}$ is an integer, then an N-ary FCSR of length ${\displaystyle r}$ is a finite state device with a state ${\displaystyle (a;z)=(a_{0},a_{1},\dots ,a_{r-1};z)}$ consisting of a vector of elements ${\displaystyle a_{i}}$ in ${\displaystyle \{0,1,\dots ,N-1\}=S}$ and an integer ${\displaystyle z}$.^[1][2][3][4] The state change operation is determined by a set of coefficients ${\displaystyle q_{1},\dots ,q_{n}}$ and is defined as follows: compute ${\displaystyle s=q_{r}a_{0}+q_{r-1}a_{1}+\dots +q_{1}a_{r-1}+z}$. Express s as ${\displaystyle s=a_{r}+Nz'}$ with ${\displaystyle a_{r}}$ in ${\displaystyle S}$. Then the new state is ${\displaystyle (a_{1},a_{2},\dots ,a_{r};z')}$. By iterating the state change an FCSR generates an infinite, eventually period sequence of numbers in ${\displaystyle S}$.

FCSRs have been used in the design of stream ciphers (such as the F-FCSR generator), in the cryptanalyis of the summation combiner stream cipher (the reason Goresky and Klapper invented them^[1]), and in generating pseudorandom numbers for quasi-Monte Carlo (under the name Multiply With Carry (MWC) generator - invented by Couture and L'Ecuyer,^[2]) generalizing work of Marsaglia and Zaman.^[5]

FCSRs are analyzed using number theory. Associated with the FCSR is a connection integer ${\displaystyle q=q_{r}N^{r}+\dots +q_{1}N^{1}-1}$. Associated with the output sequence is the N-adic number ${\displaystyle a=a_{0}+a_{1}N+a_{2}N^{2}+\dots }$ The fundamental theorem of FCSRs says that there is an integer ${\displaystyle u}$ so that ${\displaystyle a=u/q}$, a rational number. The output sequence is strictly periodic if and only if ${\displaystyle u}$ is between ${\displaystyle -q}$ and ${\displaystyle 0}$. It is possible to express u as a simple quadratic polynomial involving the initial state and the q_i.^[1]

There is also an exponential representation of FCSRs: if ${\displaystyle g}$ is the inverse of ${\displaystyle N\mod q}$, and the output sequence is strictly periodic, then ${\displaystyle a_{i}=(Ag_{i}\mod q)\mod N}$, where ${\displaystyle A}$ is an integer. It follows that the period is at most the order of N in the multiplicative group of units modulo q. This is maximized when q is prime and N is a primitive element modulo q. In this case, the period is ${\displaystyle q-1}$. In this case the output sequence is called an l-sequence (for "long sequence").^[1]

l-sequences have many excellent statistical properties^[1][3] that make them candidates for use in applications,^[6] including near uniform distribution of sub-blocks, ideal arithmetic autocorrelations, and the arithmetic shift and add property. They are the with-carry analog of m-sequences or maximum length sequences.

There are efficient algorithms for FCSR synthesis. This is the problem: given a prefix of a sequence, construct a minimal length FCSR that outputs the sequence. This can be solved with a variant of Mahler^[7] and De Weger's^[8] lattice based analysis of N-adic numbers when ${\displaystyle N=2}$;^[1] by a variant of the Euclidean algorithm when N is prime; and in general by Xu's adaptation of the Berlekamp-Massey algorithm.^[9] If L is the size of the smallest FCSR that outputs the sequence (called the N-adic complexity of the sequence), then all these algorithms require a prefix of length about ${\displaystyle 2L}$ to be successful and have quadratic time complexity. It follows that, as with LFSRs and linear complexity, any stream cipher whose N-adic complexity is low should not be used for cryptography.

FCSRs and LFSRs are special cases of a very general algebraic construction of sequence generators called Algebraic Feedback Shift Registers (AFSRs) in which the integers are replaced by an arbitrary ring R and N is replaced by an arbitrary non-unit in R.^[10] A general reference on the subject of LFSRs, FCSRs, and AFSRs is the book.^[4]

References

1. Klapper, Andrew; Goresky, Mark (March 1997). "Feedback Shift Registers, 2-Adic Span, and Combiners With Memory" (PDF). Journal of Cryptology. 10 (2): 111–147. CiteSeerX 10.1.1.37.5637. doi:10.1007/s001459900024.
2. Couture, Raymond; L’Ecuyer, Pierre (April 1994). "On the lattice structure of certain linear congruential sequences related to AWC/SWB generators" (PDF). Mathematics of Computation. 62 (206): 799–808. doi:10.2307/2153540.
3. Goresky, Mark; Klapper, Andrew (October 2003). "Efficient Multiply-with-Carry Random Number Generators with Optimal Distribution Properties" (PDF). ACM Transactions on Modeling and Computer Simulation. 13 (4): 310–321. CiteSeerX 10.1.1.22.9007.
4. M. Goresky and A. Klapper, Algebraic Shift Register Sequences, Cambridge University Press, 2012 ISBN 9781107014992
5. G. Marsaglia and A. Zaman, A new class of random number generators, Annals of Applied Probability, vol 1, pp. 462–480, 1991
6. B. Schneier, Applied Cryptography. John Wiley & Sons, New York, 1996
7. K. Mahler, On a geometrical representation of p–adic numbers, Ann. of Math., vol. 41, pp. 8–56, 1940
8. B. M. M. de Weger, Approximation lattices of p–adic numbers, J. Num. Th., vol 24, pp. 70–88, 1986
9. A. Klapper and J. Xu, Register Synthesis for Algebraic Feedback Shift Registers Based on Non-Primes, Designs, Codes, and Cryptography vo. 31, pp. 227-250", 2004
10. A. Klapper and J. Xu, Algebraic Feedback Shift Registers, Theoretical Computer Science, vol. 226, pp. 61-93, 1999, [1]