Linear-feedback shift register

A linear feedback shift register (LFSR) is a shift register whose input bit is a linear function of its previous state.

The only linear functions of single bits are xor and inverse-xor; thus it is a shift register whose input bit is driven by the exclusive-or (xor) of some bits of the overall shift register value.

The initial value of the LFSR is called the seed, and because the operation of the register is deterministic, the sequence of values produced by the register is completely determined by its current (or previous) state. Likewise, because the register has a finite number of possible states, it must eventually enter a repeating cycle. However, a LFSR with a well-chosen feedback function can produce a sequence of bits which appears random and which has a very long cycle.

Applications of LFSRs include generating pseudo-random numbers, pseudo-noise sequences, fast digital counters, and whitening sequences. Both hardware and software implementations of LFSRs are common.

How it works

The list of the bits positions that affect the next state is called the tap sequence. In the diagram below, the sequence is [16,14,13,11].

The outputs that influence the input are called taps (blue in the diagram below).
A maximal LFSR produces an n-sequence (i.e. cycles through all possible $2^{n}-1$ states within the shift register except the state where all bits are zero), unless it contains all zeros, in which case it will never change.

The sequence of numbers generated by a LFSR can be considered a binary numeral system just as valid as Gray code or the natural binary code.

The tap sequence of an LFSR can be represented as a polynomial mod 2. This means that the coefficients of the polynomial must be 1's or 0's. This is called the feedback polynomial or characteristic polynomial. For example, if the taps are at the 16th, 14th, 13th and 11th bits (as below), the resulting LFSR polynomial is

x^{11}+x^{13}+x^{14}+x^{16}+1

The 'one' in the polynomial does not correspond to a tap. The powers of the terms represent the tapped bits, counting from the left.

If (and only if) this polynomial is a primitive, then the LFSR is maximal
The LFSR will only be maximal if the number of taps is even
The tap values in a maximal LFSR will be relatively prime
There can be more than one maximal tap sequence for a given LFSR length
Once one maximal tap sequence has been found, another automatically follows. If the tap sequence, in an n-bit LFSR, is [n,A,B,C,0], where the 0 corresponds to the $x^{0}=1$ term, then the corresponding 'mirror' sequence is [n,n-C,n-B,n-A,0]. So the tap sequence [32,3,2,0] has as its counterpart [32,30,29,0]. Both give a maximal sequence.

Output-stream properties

Ones and zeroes occur in 'runs'. The output stream 0110100, for example consists of five runs of lengths 1,2,1,1,2, in order. In one period of a maximal LFSR, $2^{n-1}$ runs occur (for example, a six bit LFSR will have 32 runs). Exactly $1/2$ of these runs will be one bit long, $1/4$ will be two bits long, up to a single run of zeroes $n-1$ bits long, and a single run of ones $n$ bits long. This same property is statistically expected in a truly random sequence.
LFSR outputs streams are deterministic. If you know the present state, you can predict the next state. This is not possible with truly random events such as nuclear decay.
The output stream is reversible; applying an LFSR with mirrored tap sequence will cycle through the states in reverse order.

Applications

LFSRs can be implemented in hardware, and this makes them useful in applications that require very fast generation of a pseudo-random sequence, such as direct-sequence spread spectrum radio.

The Global Positioning System uses a LFSR to rapidly transmit a sequence that indicates high-precision relative time offsets.

A drop in replacement for Gray Code counters

Some applications need to mark individual locations along a certain distance with unique values. For example, most tape measures mark each inch or centimeter with a unique number using the decimal numeral system. When computer index or framing locations need to be machine-readable, they are often marked using a LFSR sequence, because LFSR counters are simpler and faster than any other kind of binary counter. LFSRs are faster than natural binary counters and Gray code counters. Given an output sequence you can construct a LFSR of minimal size by using the Berlekamp-Massey algorithm.

Galois LFSRs

A Galois LFSR, or a LFSR in Galois configuration, is an alternate structure that can generate the same sequences as a conventional LFSR.

In Galois configuration, when the system is clocked, bits that are not taps are shifted as normal. The taps, on the other hand, are XOR'd with the new output, which also becomes the new input. To generate the same sequence, the order of the taps is the reverse of the order for the conventional LFSR.

Galois LFSRs do not concatenate every tap to produce the new input (the XOR'ing is done within the LFSR and no XOR's are run in serial, therefore the propagation times are reduced to that of one XOR rather than a whole chain), thus it is possible for each tap to be computed in parallel, increasing the speed of execution.
In a software implementation of an LFSR, the Galois form is more efficient as the XOR operations can be implemented a word at a time: only the output bit must be examined individually.

C code example of 32-bit maximal period Galois LFSR:

 unsigned int lfsr = 1; 
 while(1)
   lfsr = (lfsr >> 1) ^ (-(signed int)(lfsr & 1) & 0xd0000001u); /* taps 32 31 29 1 */

Uses in cryptography

LFSRs have long been used as a pseudo-random number generator for use in stream ciphers (especially in military cryptography), due to the ease of construction from simple electromechanical or electronic circuits, long periods, and very uniformly distributed outputs. However the outputs of LFSRs are completely linear, leading to fairly easy cryptanalysis.

Three general methods are employed to reduce this problem in LFSR based stream ciphers

Non-linear combination of several bits from the LFSR state;
Non-linear combination of the outputs of two or more LFSRs; or
Irregular clocking of the LFSR.

Important LFSR-based stream ciphers include A5/1, A5/2, E0 and the shrinking generator.

Uses in digital broadcasting and communications

To prevent short repeating sequences (e.g., runs of 0's or 1's) from forming spectral lines that may complicate symbol tracking at the receiver or interfere with other transmissions, linear feedback registers are often used to "randomize" the transmitted bitstream. This randomization is removed at the receiver after demodulation. When the LFSR runs at the same rate as the transmitted symbol stream, this technique is referred to as scrambling. When the LFSR runs considerably faster than the symbol stream, expanding the bandwidth of the transmitted signal, this is direct-sequence spread spectrum.

Neither scheme should be confused with encryption or encipherment; scrambling and spreading with LFSRs do not protect the information from eavesdropping.

Digital broadcasting systems that use linear feedback registers

ATSC (HDTV transmission system – North America)
DAB (Digital audio broadcasting system -- for radio)
DVB-T (HDTV transmission system – Europe, Australasia)
NICAM (digital audio system for television)

Other digital communications systems using LFSR:

IBS (INTELSAT business service)
IDR (Intermedaite Data Rate service)
SDI (Serial Digital Interface transmission)
Data transfer over PSTN (according to the ITU-T V-series recommendations)

External links