J.

Cryptology (1997) 10: I 11-147 Joumol of

CRYPTOLOGY
9 1997 International Association for
Cryptologic Research

Feedback Shift Registers, 2-Adic Span, and

Combiners with Memory*
Andrew Klapper
763H Anderson Hall, Department of Computer Science, University of Kentucky,
Lexington, KY 40506-0047, U.S.A.
[email protected]

Mark Goresky
School of Mathematics, Institute for Advanced Study,
Princeton, NJ, U.S.A.

Communicated by Rainer Rueppel and Gilles Brassard

Received 27 January 1995 and revised 1 July 1996

Abstract. Feedback shift registers with carry operation (FCSRs) are described, im-
plemented, and analyzed with respect to memory requirements, initial loading, period,
and distributional properties of their output sequences. Many parallels with the theory of
linear feedback shift registers (LFSRs) are presented, including a synthesis algorithm
(analogous to the Berlekamp-Massey algorithm for LFSRs) which, for any pseudo-
random sequence, constructs the smallest FCSR which will generate the sequence.
These techniques are used to attack the summation cipher. This analysis gives a unified
approach to the study of pseudorandom sequences, arithmetic codes, combiners with
memory, and the Marsaglia-Zaman random number generator. Possible variations on
the FCSR architecture are indicated at the end.
Key words. Binary sequence, Shift register, Stream cipher, Combiner with memory,
Cryptanalysis, 2-Adic numbers, Arithmetic code, 1/q Sequence, Linear span.

1. Introduction

Pseudorandom sequences, with a variety of statistical properties (such as high linear span,
low autocorrelation and pairwise cross-correlation values, and high pairwise hamming
distance) are important in many areas of communications and computing (such as cryp-
tography, spread spectrum communications, error correcting codes, and Monte Carlo

* Andrew Klapper was sponsored by the Natural Sciences and Engineering Research Council under Oper-
ating Grant OGP0121648, the National Security Agency under Grant Number MDA904-91-H-0012, and the
National Science Foundation under Grant Number NCR9400762. The United States Government is autho-
rized to reproduce and distribute reprints notwithstanding any copyright notation hereon. Mark Goresky was
partially supported by the Ellentuck Fund and National Science Foundation Grant Number DMS 9304580.

LIL
112 A. Klapperand M. Goresky

----~ a,~. I [ a h2I ''* an.r.i] a ,r t >

) )
@

Fig. l. Linearfeedbackshift register.

integration). Binary pseudorandom periodic sequences are often generated in hardware,

using linear feedback shift registers (LFSRs), and are referred to as "linear recurrence
sequences." Certain register cells are "tapped," their contents are added modulo 2, and
the sum is returned to the first cell of the shift register. (See Fig. 1. The qi ~ {0, 1}
indicate existence or nonexistence of a tap. The symbol @ refers to addition modulo 2.)
Many modern stream ciphers are designed by combining the output of several LFSRs
in various nonlinear ways (and hence ultimately depend on a deep understanding of
the linear feedback architecture). Since 1955, an enormous amount of effort has been
directed toward the study of other ("nonlinear") feedback architectures (e.g., [ 13], [44],
and [6]) which would give rise to fundamentally new or different kinds of pseudoran-
dom sequences. However, these other architectures have proven extremely resistant to
analysis: even simple properties such as the period of nonlinear feedback shift register
sequences are essentially unknown. Despite 40 years of research, it is still the case that
only the linear feedback architecture is adequately understood.
In this paper we introduce a new but very simple feedback architecture for shift
register generation of pseudorandom sequences, which we call "feedback with carry.'"
shift registers (FCSR). These are the shift register analogues of the Marsaglia-Zaman
pseudorandom number generators [36]. It turns out that sequences generated by an FCSR
share many of the important properties enjoyed by linear recurrence sequences. However,
the analysis of FCSR sequences involves a completely different mathematical toolkit:
instead of arithmetic in finite fields, we use arithmetic in the 2-adic numbers. Although
some of the results in this paper may be proven without the use of the 2-adic numbers,
we have been unable to find any alternate approach to the main results (Theorems 4.1.
9.5, 10.1, and 10.2).
An FCSR is a feedback shift register together with a small amount of auxiliary memory.
In its simplest form, the cells in the register consist of bits (0 or 1), while the memory
contains a nonnegative integer (see Fig. 2).
The contents (0 or 1) of the tapped cells of the shift register are added as integers
to the current contents of the memory to form a sum, a. The parity bit (~r (mod 2)) of
~r is fed back into the first cell, and the higher-order bits ([cr/2J) are retained for the
new value of the memory. (More details of the feedback procedure and simple hardware
implementation are described in Section 3).
The results in this paper are best described by exploiting the many parallels between
Feedback Shift Registers, 2-Adic Span, and Combiners with Memory 113

n-r 1 ~)

v2

T_,

Fig. 2. Feedback with carry shift register.

properties of LFSR sequences and those of FCSR sequences. Let us first recall the salient
features of the LFSR theory. Note: Throughout this paper, Z denotes the integers, I_xJ
denotes the greatest integer _< x, l-x1 denotes the least integer >_ x, and log denotes log 2 .

Properties of LFSR Sequences

1. The r taps q j, q2 . . . . . qr on the cells of an r-stage LFSR correspond to a connection
polynomial

q(X) = qrX r q-qr_lX r- 1 ~_ . . . +qlX __ 1

with coefficients qi in Z/(2). The period (and many other properties) of the LFSR
sequence may be expressed in terms of the Ga[ois theory of this polynomial.
2. Suppose a = (a0, al, a2 . . . . ) is a periodic sequence of bits obtained from a lin-
ear feedback shift register of length r with connection polynomial q(X). If q(X) is
irreducible, and if ~, ~ GF(2 r) is a root of q(X), then for all i = 0, 1,2 . . . . we have

ai = Tr(Ay i)

for some A E GF(2 r) (which corresponds to the choice of initial loading of the shift
register). Here, Tr: GF(2') ~ GF(2) denotes the trace function.
3. Any infinite binary sequence a = (a0, at, a2 . . . . ) may be identified with its gener-
ating function, A(X) = y~i~=oai X i which is an element of the ring Z/(2)[[XI] of formal
power series with coefficients in the integers modulo 2. It is well known (see I13]) that
the sequence a is eventually periodic if and only if its generating.function is equal to a
quotient of two polynomials,

r(X)
A(X) = - - c Z/(2)[[XI],
q(X)

in which case the denominator q( X) is the connection polynomial for a linear feedback
shift register which generates the periodic part of the sequence a. The sequence a is
strictly periodic if and only if deg(r) < deg(q).
4. The size of the smallest LFSR that generates a given periodic sequence a is called
the linear complexity or equivalent linear span of a; it is an important measure of
114 A. Klapper and M. Goresky

the cryptographic security of the sequence. Such a shift register (of minimum size)
may be found in an efficient way using the Berlekamp-Massey algorithm, which may
be interpreted as the continued fraction expansion of the fraction r ( X ) / q ( X ) in the
ring Z/(2)[[X]I of formal power series. This algorithm is optimal in two senses: (a) it
determines the smallest LFSR whose output coincides with a; and (b) it does so with
minimal information: only the first 2 - span(a) bits of the sequence a are needed.
5. The generating function of the bitwise sum of two binary pseudorandom sequences
a = (ao, al, a2 . . . . ) and b = (bo, bl, b2 . . . . ) is given by addition C(X) = A(X) +
B(X) ~ Z/(2)[[XII in the ring of formal power series. I f a and b are periodic, then so is
the bitwise sum c, and its equivalent linear span is no greater than the sum of the linear
spans of a and b.
6. An m-sequence is a LFSR sequence of maximum possible period T = 2 ~ - 1
(where the shift register has r stages). It is a remarkable but well-known fact that the
m-sequences are exactly those sequences generated by LFSRs whose taps correspond to
primitive connection polynomials. Such sequences are balanced and have the de Bruijn
property: in any single period of an m-sequence, every nonzero binary string of length r
occurs exactly once. The autocorrelation function of an m-sequence is two-valued; the
out-of-phase values are all equal to - 1 .
7. The 2 n - 1 cyclic permutations of a single period of an m-sequence form the
nonzero codewords of a ("punctured") first-order cyclic Reed-Muller code. These codes
are of fundamental importance in coding theory and are prototypes of the general "finite
geometry" codes.

Properties of FCSR Sequences

We now describe the main definitions and results of this paper.
1'. The r taps ql, q2 . . . . . qr on the cells of an r-stage FCSR define a connection
integer (see Definition 3.1)

q = qr 2r + q~_12 r-~ + . . . + q z 2 - 1.

The period (and many other properties) of the FCSR sequence may be expressed in terms
of number-theoretic properties of this integer.
2'. In Section 6 we prove that if a periodic sequence a = (a0, al, a2 . . . . ) is generated
by an FCSR with connection integer q, and if 2/ = 2 -I 6 Z / ( q ) is the (multiplicative)
inverse of 2 in the ring of integers modulo q, then there exists A c Z / ( q ) such that for
all i = 0, 1, 2 . . . . we have

ai = (Ay i (mod q))(mod 2).

3'. Any infinite binary sequence a = (a0, a j, a2 . . . . ) may be identified with the formal
power series, o~ = ~ i = o a i 2 i which is an element of the ring Z2 of 2-adic numbers (see
x--'~
Section 2). The sequence a is eventually periodic if and only if the 2-adic number o~ is
rational, i.e., if there exist integers r, q such that

r
~'=-- EZ2.
q
Feedback Shift Registers. 2-Adic Span. and Combiners with Memory 115

In this case, the denominator q is the connection integer for an FCSR which generates
the periodic part of the sequence a (see Theorem 4.1.) The sequence a is strictly periodic
if and only i f a < 0 and [rl < Iql (see Corollary 4.2).
4'. The size of the smallest FCSR that generates a given periodic sequence a we call
the 2-adic span of a (see Definition 9.1). Such a shift register (of minimum size) may
be found in an efficient way using 2-adic approximation theory (see Section 10). Our
algorithm is optimal in both of the above senses: it determines the smallest FCSR whose
output coincides with a, and it does so with knowledge of only 2M + 2 log(M) bits of
the sequence a (where M denotes the 2-adic span of a). Although our algorithm is based
on de Weger's theory [47] of approximation lattices, it differs from de Weger's algorithm
in that ours is adaptive: each time a new bit is determined (say, by a known plaintext
attack), it is used to quickly update the previously determined FCSR. Thus, the number
of bits need not be known ahead of time.
5'. Suppose two infinite, periodic sequences a = (ao, al,a2 . . . . ) and b =
(b0, bl, b2 . . . . ) are added with the caro' operation. This process is called the sum-
mation combiner; it was invented by Massey and Rueppel [37], [44], and was suggested
as a means for generating cryptographically secure binary sequences from insecure ones.
The resulting sequence c = (co, ca, c2 . . . . ) is given by addition y = ot + / 3 ~ Z2 in the
ring of 2-adic integers (where y = ~-~i~=oCi 2i ) (see Section 2). In Theorem 9.5 we prove
that the 2-adic span of the sequence c is approximately bounded by the sum of the 2-adic
spans of a and b.
6'. An g-sequence is an FCSR sequence of maximum possible period T = q - 1
(where q is the connection integer of the FCSR). The g-sequences are generated by
FCSRs with connection integers q for which 2 is a primitive root. A single period of
an/~ sequence is a cyclic shift of the sequence formed by reversing a single period of
the binary expansion of the fraction 1/q. These sequences have been studied since the
time of Gauss [ 12], [3, Theorem 1], 144, p. 219]. They have remarkable distribution and
correlation properties (see Section 13) which are parallel to those of m-sequences.
7'. The q - 1 cyclic permutations of a single period of an g-sequence form the nonzero
codewords of a Barrows-Mandelbaum 12], 133] arithmetic code. The generation of these
codes using FCSR circuitry is new.

In Section 11 we present a method for attacking the summation cipher. Suppose two
periodic binary sequences a and b are summation-combined to give a binary sequence
e. Although the linear span of c approaches the product of the linear spans of a and b, it
follows from (5') above that the 2-adic span of c is only of the order of the sum of the
2-adic spans of a and b. Furthermore, the rational approximation algorithm (4') above
will find an FCSR which generates the sequence c with knowledge (approximately)
2. span2(c) bits.
There is a huge variety of possible variations on the "feedback with carry" theme,
some of which we present at the end of this paper.
It is remarkable that sequences generated with the FCSR architecture can be analyzed
at all (although there still remains a number of interesting questions). It is even more
remarkable that this simple feedback circuitry leads immediately to a variety of deeper
number-theoretic issues. We believe that FCSR sequences (and their generalizations) are
likely to find many applications in stream cipher technology.
116 A. Klapper and M. Goresky

Related Literature
The authors have published announcements (with sketch of proofs, or with no proofs at
all) of some of these results, in various conference proceedings [23], [24], [25], [26]. Our
shift registers are nicely described in w17.4 and w17.5 of [45], where various architectures
for combining them with other shift register sequences are suggested. See also [10] (to
appear). We also wish to draw the reader's attention to the subsequent developments
[22], [271.
The closely related paper of Marsaglia and Zaman [36] (see [35]) was recently brought
to our attention: their random number generator may be described as an FCSR with two
taps. whose cells contain integers modulo b (rather than modulo 2). (Here, b is some
large integer.) Thus there is some overlap between their analysis and ours. In particular,
Marsaglia and Zaman prove: (a) that the period of their generator is given by the order
of b modulo q = b' + b ~ - 1 (where the taps occur on cells number r and s); and (b)
that the output sequence of their generator may be identified with the b-adic expansion
of a certain rational number a/q. These are the analogues of our Corollary 2.2 and
Theorem 4. I, respectively.
We also learned of the (apparently unpublished) manuscript [ 1] in which the Euclidean
algorithm is proposed as a possible method for the efficient prediction of the Marsaglia-
Zaman generator. We have relied heavily on the p-adic approximation theory of [47]
and [32]. Related results appear in [14], [30], [34].
Another important measure of (nonlinear) complexity is the "maximum order com-
plexity" [19], [20], [21] and its determination using the Blumer algorithm [4]. This is
discussed briefly in Section 9, however, we do not understand the relationship between
2-adic complexity and maximum order complexity.
The summation combiner was previously shown to be vulnerable to the "correlation
attack" of Meier and Staffelbach 138], [39].

2. Review of 2-Adic Numbers

In this section we briefly review some basic facts about 2-adic numbers, and fix a notation
for the 2-adic numbers; the interested reader may wish to consult one of the many
excellent references on p-adic numbers, for example, [11], [29], or [28, Section 4.1,
Example 31 ].
A 2-adic integer is a formal power series o~ = y~i=oai2,i with ai ~ {0, 1}. Such a
power series does not converge in the usual sense, but it can nevertheless be manipulated
as a formal object; the collection of all such power series forms the ring Z2 of 2-adic
integers. The main difference between the ring Z2 and the ring Z/(2)[[X]] of formal
power series in X, is that addition in Z2 is performed by "carrying" overflow bits to
higher-order terms, so that 2 i + 2 i = 2 i+1. Multiplication is defined by shift and add.
Using these operations, Z2 becomes a ring with additive identity 0 and multiplicative
identity 1 = 1 9 2 ~ (Some readers may find it less confusing to think of formal power
series in some indeterminate, Y, rather than 2, and to use the rule yi q_ yi = yi ~1. It
turns out that the use of the number 2 instead of Y facilitates many computations and
comparisons between the 2-adic integers and the usual integers.)
Feedback Shift Registers, 2-Adic Span. and Combiners with Memory 117

The first surprising fact is that the number - 1 is represented by

- 1 = 1-t-21 + 2 2 + 2 3 - t - . . .

as may be verified by adding 1 to both sides of the equation. It follows that Z2 contains
all the integers. The negative integer - q is associated to the product

-q=(1+2+2 2+2 3+...)(qo+ql2+...+qr2"). (1)

The inclusion Z C Z2 is compatible with addition and multiplication. There is a formula

for multiplication by - 1 which is much simpler than (1). If ot = 2 r ( 1 + y~i~=oai 2 i), then

where di denotes the complementary bit. (Just check that c~ .1. -oe = 0.) In other words,
the bit sequence for -c~ is obtained by keeping any leading string of O's as well as the
first nonzero bit, then by complementing all subsequent bits.
In the integers, only ,1,1 and - 1 have integer inverses. However, in Z2, any formal
power series
-- 1.20 ,1,at2 I + a 2 2 2 , 1 , - . - ,

which begins with 1 has a (multiplicative) inverse,

~ - t = 1.2O.+b~2 I + b 2 2 2 + . . . ,

as may be verified by long division. In particular, every odd integer q E Z has a unique
inverse in Z2. Thus, the ring Z2 contains every rational number p / q provided q is odd.
We make this explicit in the following statement.

T h e o r e m 2.1. There is a one-to-one correspondence between rational numbers ot -:

p / q (where q is odd) and eventually periodic binatw sequences a, which associates to
each such rational number 6~ the bit sequence (ao, al, a2 . . . . ) of its 2-adic expansion.
The sequence a is strictly periodic ~f and only if ct < 0 and let] < 1.

Proof. Although the proof is standard, we include it here because it is the basis for
many of the results in this paper. Let us first consider the strictly periodic case. Let
7X~
a = (ao, aj, a2 . . . . ) be a strictly periodic sequence of period T. Set ~ = Y~i=0 ai2i
Computing in Z2, we find

21"Or = ai2i,T = :L a i , T 2i+v = Z ai2i = at -- ai2 i.

i:0 i=0 i=T i:(]

Hence
( v "T-I ai2 i)
Z..~i=0
- (3)
(2 T -- 1)
118 A. Klapper and M. G o r e s k y

is a negative rational number. Let us write ~ = p / q as a fraction reduced to lowest terms

with q positive. Then q is odd, p < 0, and Ipl < q.
On the other hand, suppose that ot = p / q is given in lowest terms with q an odd
positive integer, p < 0 and [Pl < q. Let T = ordq(2) be the smallest integer such that
2 r --- 1 (mod q). Such a T exists because q is odd. Then 2 r - 1 is divisible by q, so
set s = (2 T - l ) / q , and write s 9 ( - p ) = y]r~l ai2 i. Thus ot = s p / ( 2 r - 1). The
calculations leading to (3) may be run backward to see that the segment a0, al . . . . . a r - l
is a single period of a strictly periodic sequence.
Now suppose that r = p / q is an arbitral, rational number. Let M = ]ot] be the next
largest integer. If M > 0, then its 2-adic expansion is finite (i.e., it ends in an infinite
string of O's). If M < 0, then its 2-adic expansion ends in an infinite string of l's (see
(2)). However, et = M + p ' / q where p' < 0 and IP'[ < q, so the 2-adic expansion
for p ' / q is periodic. It follows that the 2-adic expansion for the sum ~ = M + p ' / q is
eventually periodic (in fact, it is easy to see that the 2-adic sum of any two eventually
periodic sequences is again eventually periodic).
On the other hand, an eventually periodic sequence a = (a0, al, a2 . . . . ) corresponds to
a rational number ot = ~ i =czr0 ai2 i because it is given by a finite transient term y]/K~l ai2 i
0(3
(for some nonnegative integer K) plus a periodic term, ~ i % g ai2i = 2K Y-]j=0 aJ+k2J,
both of which are rational numbers. []

One simple consequence of the proof of Theorem 2.1 is the following old result of
Gauss [12], [3, Theorem 1], I44, p. 2191.

Corollary 2.2. If p and q are relatively prime, - q < p < O, and q is odd, then the
period o f the bit sequence f o r the 2-adic expansion o f ~t = p / q is T = ordq(2).

3. Feedback Shift Registers with Carry

In this section and the next, we give the definition and derive the basic properties of
FCSRs. Throughout this section, we fix an odd positive integer q e Z and let r --
Llog2( q + l)J (where / / denotes the floor or integer part). Write

q+l =q12+q222+."+qr2 r (4)

for the binary representation of the integer q + 1 (so qr = I). The shift register uses
r stages and Llog2(r)J additional bits of memory (or less: see below). The feedback
connections are given by the bits {ql, q2 . . . . . qr} appearing in (4).

Definition 3.1, The FCSR with connection integer q is the register depicted in Fig. 2.

(Notice that q0 = - 1 does not correspond to a feedback tap, and that the coef-
ficients of high powers of 2 are close to the output cell.) In Fig. 2, E denotes inte-
ger addition. The contents of the register at any given time consists of r bits, denoted
Feedback Shift Registers, 2-Adic Span, and Combiners with Memory 119

an-l. a,,-2 . . . . . a~-r+~, a,,-r. The operation of the shift register is defined as follows:

A1. Form the integer sum or, Z k = l qkan-k + m n - l .

=

A2. Shift the contents one step to the right, outputting the rightmost bit an_ r.
A3. Place a,, = cr, (mod 2) into the leftmost cell of the shift register.
A4. Replace the memory integer m,,_ I with m,, = (a,, - a , ) / 2 = Lan/2].

We refer to q as the connection integer because its binary expansion gives the analog
to the connection polynomial in the usual theory of linear feedback shift registers.

Implementation

Fast hardware implementation of this operation may be simplified by using a ripple adder
and by incorporating the memory m into the shift register as indicated in Fig. 3. (In this
figure, individual memory bits are labeled m 2, m I , m 0 although the memory could, of
course, be much larger. The symbol I] denotes integer sum and FA. denotes a full adder.)
The operation of the shift register may be described by replacing (AI) . . . . . (A4) with
the following steps (B 1) . . . . . (B3) which are easily seen to be equivalent.

B1. Form the integer sum ~r,~ = ~ = l qka,-k.

B2. Add cr,i to the memory contents m,,-I = Y] m i 2 i in the ripple adder.
B3. Move the answer back into the memory portion of the shift register.
B4. Shift the whole register one step to the right, outputting the rightmost bit an-r.

Memory. Requirements

The fast hardware generator in Fig. 3 is limited to nonnegative values of the memory
integer m. Moreover, we will see in Corollary 4.2 that any strictly periodic sequence o f
bits may be generated by an FCSR using only nonnegative memory values. However, in
order to generate efficiently a given eventually periodic sequence, it may be necessary
to allow negative values for the memory. Moreover, the analysis in Sections 4 to 10 is
valid whether the memory is positive or negative. So, for the remainder of the paper we
will consider FCSR architectures with signed memory values.
Let us consider an r-stage FCSR with odd positive connection integer q = - 1 +
ql2 + --- + qr2 r. Let w = w t ( q + 1) be the number of nonzero qi, i = 1. . . . . r, the
Hamming weight of q 4- 1. A state of the FCSR is a specification of the memory m and

Fig. 3. Shiftregister with ripple adder.

120 A. Klapper and M. Goresky

of all the cell contents. We shall say that a state is periodic if, left to run, the FCSR will
eventually return to that same state.

P r o p o s i t i o n 3.2. I f an FCSR is in a periodic state, then the memory, is in the range 0 <
m < w (which may therefore be a c c o m p l i s h e d b y using no more than [log2(w - l)J + 1
bits o f memory.,). I f the initial m e m o r y m , _ i > w, then it will monotonically decrease
and will arrive in the range 0 < m < w w i t h i n / l o g 2 ( m , _ t - w)J + r steps, l f the initial
memory, m,,-i < 0, then it will monotonically increase and will arrive in the range
0 < m < w within Vlog2(Imn_ 11)] + r steps.

Proof. First, o b s e r v e t h a t i f t h e i n i t i a l m e m o r y v a l u e m , , _ l lies in the range 0 < m,, l <

W, then the same will be true for all later values of the memory. This follows from (A 1)
and (A4) because or,, < w + m,,-i < 2w so m,, = [o',,/2J < w.
By the same argument, if the initial memory value is m,,_~ = w, then later values of
memory will be no greater than w; but in this case, within r steps, the memory will drop
below w (and will remain so thereafter) for the following reason. If the memory does
not decrease (i.e., if m,, = w), then this means that a 1 appeared at all the tapped cells,
that or,, = 2w, and that a,, = a,~ (rood 2) = 0 was fed into the register. The value of a
will fall below 2w when this 0 reaches the first tapped cell (if not before), at which time
we will have m = L~r/2J < w.
Moreover, if we initialize an FCSR with a larger memory value, m,,_ I > w. then with
each step, the excess e,,-i = m,_~ - w will become reduced by a factor of ~ that is,
e, _< [ i1e , , - l J . So after Llog2(m,,_l - w)J + 1 steps, the memory will be no more than
w. This follows from (A1) and (A4) which give

en =ran -- U) ~--- -- W < -- U) : .

- 2

Now let us consider the case of negative initial memory, m,,-i < 0. By (AI), it is
possible that or, _> 0, in which case the next memory value will be m,, >_ 0 (where it will
remain thereafter). So let us suppose that a~ < 0. Then by (A4), Im, I _< (Ics,.I + 1)/2 _<
(Im,z-ll + 1)/2. Iterating this formula, we find that after K -- Vlog2(Im,,_~ I)] steps,
either the memory m has become nonnegative, or else
m n- I 1 1 1
Im[_< 2~ +~-E+2--U~_I+...+~<2,
in which case the memory must be m = - 1 . There is a single situation in which the
memory can remain at - 1 forever: if there are no feedback taps on the shift register
(so q --- - 1 ) . In this case, the memory will feed l ' s into the shift register forever. How-
ever, we assumed that q > 0 to rule out this possibility. If q > 0. then as soon as a
nonzero feedback occurs, the memory will become nonnegative, where it will remain
thereafter. []

4. A n a l y s i s o f F C S R s

In this section we use arithmetic in the 2-adic integers in order to determine the output
sequence of a given FCSR. Suppose we fix an r-stage FCSR with connection integer
Feedback Shift Registers, 2-Adic Span. and Combiners with Memory 121

q = - 1 + qt2 + q222 q- " " " q- q , U , with initial memory m r I. and with initial loading
ar-~, at- 2. . . . . a~, ao. (See Fig. 2.) The register will generate an infinite, eventually
periodic sequence a = (ao, a~, a2 . . . . ) of bits, to which we associate the 2-adic integer
= a0 + a t 2 + a222 + a323 q- . . . E Z2 which we call the 2-adic value of the FCSR
(with its initial loading and initial memory). Define

r 1 i

P = Z Z q j a i - j z i -- m,._ I T , (5)
i=0 j=0

r
where we have set qo = - 1 so that q = Y~i=o q i 2 i "

T h e o r e m 4.1. The output, a, ofan FCSR with connection integerq > 0, initialmemory
value mr . I, and initial loading a,_ I, ar-2 . . . . . a i, a0, is the bit sequence o f the 2-adic
representation o f the rational number e~ --- p / q . in other words.

w--,
"~ p
ot : .~ ai2 i = -- r Z2. (6)
i =o q

It follows that for a given FCSR. distinct initial states will result in distinct output
sequences, Theorems 4.1 and 2.1 and Proposition 3.2 give the following:

C o r o l l a r y 4.2. If a = (ao, al, a2 . . . . ) is an eventually periodic binary sequence, then

the associated 2-adic number c* = y~. ai 2i is a quotient o f two integers, ct = p / q , and
the denominator q is the connection integer of an FCSR which generates the sequence
a. The sequence a is strictly periodic if and only if p < 0 and [p] < q. ht this case. the
values o f the memoD, must lie in the range 0 <_ m < wt(q + 1).

P r o o f of T h e o r e m 4.1. The computations in this section parallel those in [13]. but

here they take place in Z2 rather than in Z / ( 2 ) [ [ X ] ] . Let us consider the transition
from one state of the shift register to the next. Suppose that, for some given state, the
value of the memory is m,,_~ and that the contents of the register is given by the r bits
a,,_~, a,,-2 . . . . . an-r, with a,, I the leftmost bit and a,,_, the rightmost bit, and where
the register shifts toward the right. The next state is determined by calculating (A l)
r

crn = mn-I +- Z qia,~-i, (7)

i=1

writing the new memory contents as m,, = LG,/2] 9 and writing the new contents of the
leftmost cell as a,, = or,, (mod 2) (see (A3) and (A4)). (The remaining bits are shifted
once to the right.) These equations may be combined into the expression

a,, = 2m,, + a,,.

It follows that
r

an = Z qia,,-i + (m,, 1 - 2 m , , ) . (8)

i=1
122 A. K l a p p e r a n d M. G o r e s k y

provided that n > r. Suppose the initial loading of the register consists of memory mr-1
and with register bit values at-l, at-2 al, ao. Now substitute (8) into (6) for a to
. . . . .

obtain

c~ = a 0 + a l 2 + . . . + a r - 1 2 ~-I+~a,,2"
n =r

-~ x q-
n=r \ i= I
qian-i ]
/
2" +
n=r
(mn_ 1 -- 2m,,)2", (9)

where

x = ao + al2 + ..- + at-12 r-j

is the integer represented by the initial loading of the register. The second summation in
(9) cancels except for the first term, m r - t , leaving

'3~ r
a = x + mr_12 ~ + qi2 a,,_i2

= x +m~_12 r + ~ q i 2 '
\n=r /
i-
: X +mr-m2r + y ~ q i 2 i ( c t - ( a o 2 ~ +al21 + ' " + a r i- 12r-i-I ))
i=1
r r-I r-i-I
~- X + m r - 1 2 r + o ~ Z q i 2 i - - Z Z q'2iaj2J
i=1 i=1 j=0

(where the inner sum is empty, hence zero, when i -= r in the third line). These equations
give
~',r-i- 1 ' '
x +m,._12 r -- • ; - I /--~j=0 qiZ'aJ 2J
1 - - Y~ri=l qi2 i

r-I r -i-I 2r
= Zi=0 ~'~j=0 qiaj2 i+j - mr I (10)
q

since qo = -- l. The double summation is over all pairs of integers 0 _<_i, j _< r - l with
i+j_<r- 1. S e t t i n g k = i + j g i v e s

2"
Z rk-=- 0! k
~-~i=o qi ak-i2k -- //zr- ] = -P. (]l)
q q

as claimed. []

C o r o l l a r y 4.3. Changing the memory by b changes the value of ~ by - b 2 r / q . If

el = p / q < 0, then the initial m e m o ~ m,_ I > 0 is nonnegative.
Feedback Shift Registers, 2-Adic Span, and Combiners with Memory 123

Remarks. There are three easy initial loadings which guarantee a strictly periodic
output:

1. set m ---- 1 and all the aj = 0 (SO p : - U ) ;

2. set m ---- 1, a0 ---- 1, and all the other a j : 0 (so p : q - 2r+l); and
3. s e t m = 0 , ar l : l , a n d a l l t h e o t h e r a j =0(sop:-2 r 1).

If - q < p < 0 and p is relatively prime to q, then by Corollary 2.2, the period of
the sequence is T = ordq (2). i f p a n d q have a common factor, then the period is a
divisor of ordq(2). If p > 0 or if p < - q , then the sequence has a transient prefix
before it drops into a periodic state. It appears to be difficult to determine which positive
fractions ot may be represented by (5) with mr-~ nonnegative. Most positive fractions
require negative initial values for the memory.

5. Initial Loading

In this section we answer the reverse question: Suppose we are given a fraction c~ = p / q
(with q an odd positive integer), how do we determine an FCSR and initial loading whose
output sequence coincides with the 2-adic expansion o f ~ ? Set r -- /log2( q + 1)]. Write
q = y ~ = o q i 2 i w i t h q 0 = - 1 a n d q i c {0,1} f o r i > 0. Consider an F C S R w i t h
r stages and with connection integer q. The initial memory mr I and initial loading
a0, al . . . . . ar 1 are related to p and q by (11) which may be solved using the following
procedure:

C1. Compute a0 + a l 2 + . . . + a r _ i 2 r-1 = p / q (mod 2r). (This is the first r bits

in the 2-adic expansion for p / q . ) In general, computing modular quotients is
apparently hard. However, when the modulus is a power of a prime they can be
computed efficiently. It is straightforward to do so in time O(r2).
r-I i i
C2. Compute y = ~ i = 0 Z j=0 q j a i - j 2 , say by a modified multiplication algorithm.
C3. Compute m = (y - p ) / 2 r in time O ( r ) .

Use ao . . . . . ar I as the initial loading and m as the initial memory in an F C S R with

connection integer q. This FCSR will output the 2-adic expansion of p / q .

Degenerate Initial Loadings

Let us say that an initial loading is degenerate if the 2-adic number ~ ---- p / q corre-
sponding to the output sequence is an integer (in the usual sense). In this case, after a
transient prefix, the FCSR outputs all O's (ifo~ > 0) or all l ' s ( i f ~ < 0). It is easy to see
that there are only two possible degenerate final states: (a) m = 0 and all ai = 0; and
( b ) m = wt(q + l) - 1 and all ai = 1. How long can the prefix be? (We wish to thank
one of the referees for helping us to sharpen the following statement.)

T h e o r e m 5.1. Consider an r-stage FCSR with a nontrivial tap on the last cell (i.e.,
with qr = 1). Suppose the initial loading is degenerate. I f the initial memo 9 m > 0 is
positive, then the output will stabilize to all 1 's after no more than [log2(1 + m)] steps
(and it cannot stabilize to all 0 's). I f the initial memo 9 m < O, then the output cannot
124 A. Klapper and M. Goresky

stabilize to all 1 's: if the register has at least two taps, then the output will stabilize to
all 0 's within I-log2 (wt(q + 1) + Iml - 1)] steps; if it has only one tap, then the output
will stabilize to all O's within [log2(Im 12r/(U - 1))] steps. I f the initial memo~, m = 0,
then the only degenerate initial loading is the trivial one consisting o f all 0 's.

Proof. Suppose the value c~ = p / q of the FCSR is an integer. First we consider the
case that the initial memory is m > 0. Let us consider the possibilities o~ > 0 and ot < 0
separately.
If a > 0 is an integer, eventually the FCSR will output all O's. However, this is not
possible: before the sequence has become all zero, the memory must have been cleared
(otherwise, once the register has cleared, the memory would eventually feed a 1 back
into the register). Now if the memory is cleared, when the last 1 in the register passes the
last tap, it will feed a I back to the beginning o f the register. So the register will never
be cleared.
If a < 0 is an integer, then eventually the FCSR will output all 1's. Since m _> 0 and
p < 0wehaveby(10),lp[ < x+m2 r < (l+m)2 r,wherex = a0+al2+...+ar_12 r-I
as in (9). If q 56 2 r -- 1, then q > 2 r and we conclude that Icel< 1 + m. The output,
which is the 2-adic expansion of the integer ot becomes all l ' s within Flog2(l + m)]
steps by (2). A special argument must be made when q = 2 r - 1.
Now consider the case of initial memory m < 0. We claim that the output string
cannot degenerate to all l's: if so, then a < 0 so p < 0. However, by (10) the only
negative contribution to p is from x, and x < q. So, if p < 0, then bc~l < x / q < 1 which
therefore cannot be an integer (other than 0).
Finally, if the initial memory m < 0 and if the output stream degenerates to all O's,
then a > 0 and p > 0. It follows from (10) (see Lemma 9.4) that

p < ([ml + w t ( q + 1) - l ) T . (12)

Provided q 56 2 r - 1, we have q > 2 r, s o a < wt(q + 1) + I m l - I. So in this

case, the output sequence is the (reverse of the) binary expansion for or, which takes
]-log2(wt(q + 1) + Iml - 1)] bits, after which we have all O's. (In the case of a single
tap, q = 2 r - 1, s o u = Iml2r/(2 r - 1).) []

6. Exponential Representation of FCSR Sequences

One o f the most powerful techniques for the analysis of shift register sequences is its
exponential representation. Suppose a = (a0, a~, a2 . . . . ) is a periodic sequence of bits
obtained from a linear feedback shift register of length r, with connection polynomial
q ( X ) . If q ( X ) is irreducible and if ?' c G F ( 2 ' ) is a root of q ( X ) in the finite field with
2 r elements, then for all i = 0, 1,2 . . . . we have

ai = T r ( A y i)

for some A e G F ( 2 r) (which corresponds to the choice of initial loading of the shift
register). Here. Tr: G F ( 2 r) ~ GF(2) denotes the trace function. In this section we
derive a similar representation for periodic sequences of bits obtained from feedback
shift registers with memory.
Feedback Shift Registers, 2-Adic Span. and Combiners with Memory 125

T h e o r e m 6.1. Suppose a periodic sequence a = (ao, aj, a2 . . . . ) is generated by an

FCSR with connection integer q. Let y = 2 -I E Z / ( q ) be the (multiplicative) inverse
o f 2 in the ring Z / ( q ) o f integers modulo q. Then there exists A ~ Z / ( q ) such that f o r
all i = O, 1,2 . . . . we have

ai = A y i (mod q)(mod 2).

Here the notation (rood q) (rood 2) means that first the number A y i should be reduced
modulo q to give a number between 0 and q - [, and then that number should be reduced
modulo 2 to give an element of Z/(2). (Notice that there is no group homomorphism
Z / ( q ) ~ Z/(2) ifq is odd, so the notation (rood q) (mod 2) needs a precise definition.)

Proof. Suppose the FCSR is in a state S, meaning the memory has some value m and
the register is loaded with bits a0, al . . . . . a~-i. Let us also suppose that the FCSR is in
periodic mode, i.e., that the output sequence a = (ao, al . . . . . a r - l , a . . . . . ) is periodic
with no transient prefix. Let T = ordq(2) denote the period of this sequence (which
may be much less than q - 1 ). To such a state S we associate its 2-adic value, f ( S ) . By
Theorem 4.1, f ( S ) is a 2-adic integer of the form

f(S) - P - ~ _ a i 2 i,
q i=0
with 0 < p < q - 1. Now let S' denote the next state of the FCSR, so
7YG

f(S') - - 17' - - Zai_12i.

q i=0
Thus, 0 < p ' < q - 1 and
!

-2 p +a0 - P
q q"
or p = 2p' - aoq c Z. If we read this equation modulo 2, we see

p = a0 (mod 2).

Reading this equation modulo q we obtain

p' = 2 - i p (mod q).

This shows that the sequence of numerators (p, p ' , . . . ) is obtained by multiplying by y
and reducing rood q, and that the sequence of bits (ao, aj . . . . ) is obtained by reducing
the numerators modulo 2. Finally, the initial state is arbitrary and given by the choice of
some A c Z/(q). []

Although Peterson and Weldon [41 ] consider only the case where q is prime and 2 is
a primitive element modulo q, their proof of their Theorem 15.5 (p, 458) may be used in
this situation to give another proof of Theorem 6.1. The proof presented here is useful
because it extends verbatum to various generalizations of the FCSR architecture which
involve ramified field extensions of the 2-adic numbers.
126 A. Klapper and M. Goresky

Table 1. The states of an FCSR with q = 37.

Mem Register ao p n Mem Register ao p n

0 I0011 1 1 0 2 01100 0 36 18
1 01001 1 19 1 1 10110 0 18 19
1 10100 0 28 2 1 01011 1 9 20
1 01010 0 14 3 1 lOlO1 I 23 21
I 00101 1 7 4 1 11010 0 30 22
1 00010 0 22 5 1 11101 I 15 23
0 10001 l 11 6 2 01110 0 26 24
1 01000 0 24 7 1 10111 1 13 25
1 00100 0 12 8 I IlOll 1 25 26
0 1(~)10 0 6 9 2 01101 1 31 27
0 11001 1 3 10 2 00110 0 34 28
1 11100 0 20 11 1 00011 I 17 29
1 11110 0 10 12 1 00001 I 27 30
1 II111 1 5 13 1 00000 0 32 31
2 01111 1 21 14 0 IO000 0 16 32
2 00111 1 29 15 0 11000 0 8 33
1 10011 1 33 16 1 OllO0 0 4 34
1 11001 1 35 17 1 00110 t) 2 35

7. E x a m p l e

Let us consider the F C S R with connection integer q = 37 = 32 -t- 4 + 2 - 1. Then we

have a five-stage shift register with feedback connections on the first, second, and fifth
cells, counting from the left. The element y = 2 -1 6 Z / ( 3 7 ) is V = t 9 .
In Table 1 we consider the initial loading such that the output sequence is given by

a,, = yn (mod 37) (mod 2)

for n = 0, 1,2 . . . . . i.e., with the constant A = 1, in the notation of the preceding
section. The index n is recorded as the last c o l u m n of Table 1. The c o l u m n " m e m "
indicates the integer value of the memory, and a0 represents the output bit (i.e., the
rightmost bit in the register). Each state S of the shift register corresponds to a rational
n u m b e r f ( S ) = - p / 3 7 and the numerator p is also recorded in the table. The table
therefore lists all the strictly periodic states of the FCSR.

8. D i v i s i o n by q in the 2-Adic Integers

Consider the effect of driving an F C S R by introducing an input sequence b = (br, br+l,

br+2 . . . . ) to another input terminal of the adder Z in Fig. 2. The generating function
analysis in Section 4 is easily modified to incorporate this driving signal. Equation (7)
becomes

cr,, = b,, + m,,-i + ~--~ qia,z-i

i=1
Feedback Shift Registers, 2-Adic Span. and Combiners with Memory 127

and (10) becomes

r v~r-i-1
[~ + x + mr_12 r - ~-~i=l z..,j=O qi2iaj 2j
r
1 -- Y~i:I qi 2i

where/~ = ~-~iLr bi 2i ~ Z2 is the 2-adic number represented by the driving signal b.

This proves

Theorem 8,1. An FCSR with connection integer q and initial loading ai = 0 (i =

0, 1. . . . . r -- 1) and initial memory m r - I : 0 which is driven by a signal b =

bo, bl, be . . . . has an output sequence which is given by the 2-adic integer cL = fl/q.

Thus, if we interpret the Z-transform as a 2-adic number (rather than as a formal power
series), then the transfer "function" becomes interpreted as division by q. The analogous
result in the linear theory is the following: an LFSR with connection polynomial q (X)
and with initial loading 0 which is driven by a signal fl(X) = b r X r q- br+l Xr+l + . . .
has an output sequence which is given by the coefficients of the formal power series
expansion of f l ( X ) / q ( X ) .

9. 2-Adic Span and Complexity

As in the case of linear span, the 2-adic span of a sequence is intended to measure how
large an FCSR is required to output the sequence. In the case of LFSRs, this is given by
the number of bits in a register that outputs the sequence, and coincides with the degree
of the connection polynomial, i.e., the denominator of the rational function giving the
power series whose coefficients are the bits of the sequence.
In the 2-adic case, things are more complex. The number of bits in the connection
number coincides with the size of the basic register, but additional space is required for
the memory. For purely periodic sequences, this extra memory is small (at most the log
of the number of bits in the basic register), and if such sequences were our only concern
we could ignore it. However, an eventually periodic sequence may require a considerable
amount of memory. We would like to define the 2-adic span of an eventually periodic
sequence a to be the number of bits in the register + memory of an FCSR which outputs
the sequence a, however, even this definition must be approached with care because the
memory value may grow as the FCSR runs (see the discussion at the end of this section).
In the following paragraph we propose two natural notions: the span (an integer which
counts the number of bits in the register + memory) and the complexity (a real number)
of a sequence a. If a is strictly periodic, then the number of cells in the basic register
(not counting the memory) is rcomplexity(a)l. We show that these two complexity
measures differ at most by log2(complexity(a)). From the mathematical point of view,
the complexity is the more natural number; from the engineering point of view, the span
is the more natural number.
Let a -= (a0, al . . . . ) be an eventually period sequence of bits. Suppose an FCSR
with connection integer q = - 1 + ql21 + ... + qr2 r and initial memory m ouputs this
sequence, and that qr = 1 (i.e., that r = [log2( q + 1)1). We associate to this register the
128 A. Klapper and M. Goresky

number

~. --- r + max([log2(wt( q + l))J d- 1, Llog2(Iml) j + 1) + 1

of bits in the FCSR, where wt(q + 1) denotes the number of nonzero qi (for 1 < i < r).
(See "memory requirements" in Section 3: memory values within the range 0 < m <
wt(q + 1) may grow and shrink within this range; memory values outside this range will
move montonically toward this range. The second "+1" is a "sign bit" which allows for
possible negative memory values.)

Definition 9.1. The 2-adic span ~.2(a) of a binary, eventually period sequence a =
(ao, al . . . . ), is the smallest value of ,k which occurs among all FCSRs whose output is
the sequence a.

Now let ~ = ~ i ~ o a i 2i = p / q ~ Z2 be the fraction in lowest terms whose 2-adic

expansion agrees with the sequence a.

Definition 9.2. The 2-adic complexity of the sequence a is the real number ~02(a) =
l o g 2 ( ~ ( p, q)) where ~ ( p , q) = max(IPl, Iql).

Proposition 9.3. I f ct = ~-,i=o

~ ai2 i = p / q is the rational number, reduced to lowest
terms, corresponding to an eventually periodic sequence a, then the 2-adic span and
complexity are related by

](Z2(a) - 2) - ~2(a)l 5 log2(~2(a)). (13)

Remark. It is also possible to estimate the above quantity in terms of the 2-adic span
as follows:

IO.2(a) - 2) - ~02(a)l _< log2(,k2(a) - 2)) + 1. (14)

If ~02(a) > 4, then log2(~02(a)) < ~o2(a)/2 so (13) gives ~02(a) < 20.2(a) - 2), hence
log2(~o2(a)) < 1 + log2(~.2(a) - 2), which gives the above inequality. If q92(a) < 4, then
(14) may be checked directly (there are 240 cases with IPl _< 15 and q < 15).
For notational simplicity, let us write ~. = ~.2(a), ~0 = ~o2(a), w = wt(q + 1), and
= ~ ( p , q). We need to use the following estimates.

L e m m a 9 . 4 . Supposeq = - l + q l 2 + ' " + q r 2 r withq, = 1.Letm E Zbeaninteger.

Letai c {0, l } f o r O < i < r - 1 a n d s e t x = y ~ - ~ a i 2 i . a s i n ( 5 ) and(lO)define

r-t r-i-I
P= Z Z qiaj2i~-J-x-mZr" (15)
i=1 j=o

~-,r-i- I
The,, the double sum is bounded: Z ~ - I z_.,j=o qiaj 2i+j < (w - I)2 r. Furthermore,

1. if p > O, then m < w - 2 and

( - m - I ) U < p < (w - m - l)U; (16)

Feedback Shift Registers, 2-Adic Span, and Combiners with Memory 129

2. if p < O, then m > O and

m a x ( 0 , (m - w + 1)2 r) _< [Pl < (m k- 1)2 r. (17)

Proof. The proof is a direct calculation,

r 1 r-i-1 r-1 r-1

Z qi 2i Z aj2J < Z qi2i(2r-' -- 1) < Z q i 2 " = (wt(q + 1) -- 1)U,

i=1 j=0 i=1 i=1

since qr = 1 does not appear in the sum. The other estimates follow from this and the
fact t h a t O < x < 2 r. []

P r o o f of P r o p o s i t i o n 9.3. E x p a n d i n g the absolute value and exponentiating, (13) is

equivalent to

- - < 2 r m a x ( 2 kl~ 2 l~ ) 5 ~ log2(dP). (18)

log2 (dO) -

We do not know a uniform proof for this statement, and there are m a n y cases to consider.

Casel(a):lpl>qandp<O. By(15) and(17),wehavem> landlPl<(m+l)2 r.

Note that for m = 1,2 we have 2 LIC'g(''~j = m. So, for r > 2 we find

IPl < (nz-t- 1)2" < m2 r 2r'9' logtm)/

log2(IPl) - r

which verifies the first inequality in the cases m = 1,2. If m > 3 and r > 3, then

[Pl (m + 1)2' m2"

< < ---- < 2Ll~ r,
log2(]p [) - r - 2

which verifies the first inequality when r >_ 3. Finally, i f r = 2 and m >_ 3, then by (17),
log~(pl) >--r+log2(m-w+l) > _ r + l so

__1/91 < __(m+__1)2" < __m2~ <_ 20og~m}J2r"

log2(IPl) - r -t- 1 - 2

Now consider the second inequality under the same conditions: p < 0 and Ipl > q >
2" - 1. I f m _< r, then

2r2max(ll,,g( ..... Iog(u')j) < 2" m a x ( m , w) _< 2rr _< [Pl log2(lPl)

as desired. So suppose m > r + 1. S i n c e p < 0 we also have IPl >__ (m - w + 1)2 ~ (see
(17)). So

Ipl log2(IPl) > (m - u, + l ) 2 r ( r + log2(m - w + 1))

> (m-w+l)2 r(r+l)
> m 2 ' > 2Ll~

This concludes the proof of Proposition 9.3 in the Case l(a).

130 A. Klapper and M. Goresky

Casel(b):[pl >qandp>(). I f m >_0, t h e n b y ( 1 6 ) w e h a v c m < w-2. Also,

p u,,- 1 -m2,. < 2 ~ < 2 ;~-2 < 2"w < 2rr < plogz(pS.
log2(p) - r

I f m < 0 , then

P < q < 2 ~ < "~;--? _< 2"r < p log2(p).

log2(P) - log 2 (q) -

This concludes the p r o o f in Case 1(b).

Case 2(a): IPl 5 q and p < 0. Since q _< 2 r4-1,

q 2 '~-I
_ _ _ < - - < 2 r _< 2 ; ~ - 2
log2(@) log2(q) - r

which proves the first inequality. By Corollary 4.2 the sequence a is strictly periodic,
and the m e m o r y m may be taken to lie in the range 0 < m < w - 1. In particular,
max(lml, w) = u, < r. Then
9;"-2 = _9"+ll~ - < Uu,, < q log 2 q.

(This last inequality holds even i f q + 1 = 2" because u, = 1 in this case.) This concludes
the p r o o f in Case 2(a).

Case2(b): [P[ < q a n d p > 0. The first inequality is p r o v e n j u s t as in Case 2(a) above.
The second inequality breaks into two further cases: m > 0 and m < 0. First, if m >_ (5,
then by L e m m a 9.4(1 ), m _< w - 2 so

2x-2 = 2,+ LIo.e(,,)l < 2"u, < q loge(q).

(The last inequality even holds if q + I = 2" because u, = 1.) Next suppose m < 0.
By (16), 2 ~+1 > q > p > (Im[ - 1)2 r. Thus, Iml < 3, i.e., m = - 1 or - 2 . A s s u m i n g
q >4, wehave

2 ~, -e < 2"max(u,, Iml) _< q Ioge(q).

The cases q < 3 may be checked separately. []

Proposition 9.3 allows us to relate the 2-adic spans of two sequences to the 2-adic
span of their with-carry sum.

Suppose a and b are periodic binary sequences. Let c denote tire binao'
T h e o r e m 9.5.
sequence obtained by adding the sequences a and b with carr3' (see [37] and 144]). Then
the 2-adic complexity of c is bounded as follows.

The 2-adic span is bounded as follows,

X2(c) _< )~2(a) + )~2(h) + 2 log2(X2(a)) + 2 logz()~2(b)) + 2.

Feedback Shift Registers, 2-Adic Span. and Cmnbiners with Memory 131

Proof. Suppose the binary sequences a and b correspond to 2-adic n u m b e r s a = p l/q=

and/4 = p2/q2, respectively. The sum-with-carry sequence c corresponds to the 2-adic
number
P2 Plq2 + P2ql
ev + / 4 = P-2-1+ -- (19)
ql q2 qlq2
SO

~p2(c) = Iog2(qb(plq2 + P2ql. qlq2))

< Iog2(2qb(Pl, ql)OP(P2, q2)) = 1 + q92(a) + ~02(b).

On the other hand, by Proposition 9.3

~._,(e) - 2 < ~02(c) + log2(~o2(e))

< ~2(a) q- q92(b) -F 1 -k log2(~2(a) Jr- cp2(b) q- 1)
_< <p2(a) + ,:p2(b) + 1 + log2(~2(a)) + log2(~o2(b))
< 2.2(a) + 2.2(b) -- 2 + Iog~(~.e(a) - 2) + Iog2(),.e(h) - 2)
+ Iogz(~0e(a)) + log2(cP2(b))

by (14). lt'ql >_ 4 and q2 > 4, then, as in the remark following Proposition 9.3, we have
log2(cPz(a)) 5 1 + Iog2()v2(a) - 2) and the result follows. A special a r g u m e n t must be
made for q l = 3 or q2 = 3. []

The span may be much less than this if the fraction (19) is not in lowest terms.
What is the 2-adic span of an m - s e q u e n c e ? Although we do not know, it is easy to
prove that there exist m - s e q u e n c e s of maximal 2-adic span.

Theorem 9.6. S u l ~ p o s e a is a periodic sequence with period T = 2Iv _ 1. Suppose that

2 r - 1 is prime. 7hen the 2-adic span o f a is T + 2.

Proof. Consider an FCSR which generates the sequence a, and let q denote the con-
nection integer. Then ordq(2) = T = 2 N - 1. Therefore 2 T _---- 1 (mod q). This says that
2 I - 1 is divisible by q. However. by assumption, 2 r - I is prime, hence q = 2 r - 1.
The 2-adic span is then at least log2( q + 1) + 1 = T + 1. However, any sequence of
period T can bc generated by an F C S R with 7" bits in the basic register and one bit of
carry (which is always zero) and one sign bit (which is always zero). []

More generally, the same proof shows that the 2-adic span of any periodic sequence
with period T is greater than or equal to Iog2(r + 1 ) + 1, where r is the smallest prime
divisor of 2 T - I.
We remark that if 7" = 2 'v - 1 and i f 2 T - 1 is prime, then both T and N are prime as
well. However, the hypotheses of this theorem may be difficult to verify in practice. It
is po~;sible that there are only finitely many primes of the tbrm 2 l - I, and in any case
the largest prime known to date is q = 2 1 - I where T = 8 5 9 . 4 3 3 . An m-sequence
generated by an LFSR with only 20 cells already has period T = 1. 0 4 8 , 5 7 5 . So, a
132 A. Klapper and M. Goresky

verification of the hypothesis of the theorem for any larger m-sequence would mean
discovering a new prime number.

Complexity Profile. Following Rueppel [44], we would like to define the 2-adic com-
plexity profile of a pseudorandom sequence a to be the function ~Pa whose value ~Pa(k)
is the 2-adic span of the finite sequence a0, al, 9 9 ak-~ consisting of the first k terms
of a. However, it is not completely clear how best to define the 2-adic span of a finite
sequence, since the memory may grow as the FCSR runs. A more meaningful notion
may be the 2-adic complexity of a finite sequence.
Let a = a0, al, as, ak-i be a finite binary sequence. Define

~ ( a ) = l ~ 1 7 6' U p , qUpq.) )

where the minimum is taken over all pairs (p, q) 6 Z • Z of integers, with q odd, such that
the first k bits in the 2-adic expansion of the fraction p/q is precisely a0, al . . . . . ak-i.
(In the language of Section 10, 7r(a) is the minimum value oflog2(q~ ( f ) ) as f is allowed
k-I
to vary in the kth approximation lattice Lk o f ~ = Y~/=o ai2i')
Now let a = a0, al . . . . be a possibly infinite binary sequence. The 2-adic complexity
profile ~a(k) is the function
lPa(k) = ~(a0, al . . . . . ak 1)

whose values are the 2-adic complexity of the first k terms in the sequence a. The
algorithm presented in Section 10 may be used to compute the complexity profile. In
fact (using the notation of Fig. 4), at the kth step in the algorithm we have ~Pa(k) --
log 2 (max(I f I, Ig I)). A highly random sequence a will exhibit a 2-adic complexity profile
~Pa(k) which grows approximately as k/2.

Maximum Order Complexity. The maximum order complexity of a sequence is the size
of the smallest (possibly nonlinear) feedback shift register (without memory) which may
be used to generate the sequence (see [ 19], [20], [21 ], and [4]). The relationship between
2-adic span and the maximum order complexity is unknown.

10. Rational Approximation Algorithm

Suppose a = (a0, al, a2 . . . . ) is an eventually periodic binary sequence. We wish to

consider the problem of finding an FCSR whose output sequence coincides with a. First
recall that the analogous problem for LFSRs is completely solved by the Berlekamp-
Massey algorithm. This algorithm is optimal in two senses:
1. It determines the smallest LFSR whose output coincides with a.
2. It does so with minimal information: only the first 2 9span(a) bits of the sequence
a are needed.
Furthermore, the algorithm is adaptive. Each time a new bit is determined (say by a
known plaintext attack), it can be used to quickly update the previously determined
LFSR. Thus the number of available bits does not need to be known ahead of time.
Feedback Shift Registers. 2-Adic Span, and Combiners with Memory 133

Rational ~-~.t)tm~ximat ion

begin
iui:,ut a , ' : mttil the first n o u z e r . -L-~ i~, f(,uud
r ~ r 1 " ~k I

./= (0.5)
.,/=(2 ~ ~,l)
while t h e r v are m o r e bits do
i u l m t a new bit .~
~ - - It -~- (tL. L)l:

if . g 2 - gl = (I (ulod 2 t~l } t h e n
f- 2f
else if 4)(g) < (l)(f) t h e n
I:,t d I., odd am{ m i n i n l i z e q)(J' f- dg)

(.,/~ .f) - (.f + ,Lq, -~g)

else
l:'t d ho o,hI aud m i n i m i z o qb(:1 ,t. d/')

{9, ,1} {g 9 i!l. 2.I')

tiff

L,=L~-[

od

return :1

end

Fig. 4. Rational approximation algorithm for 2-adk numbers.

The Berlekamp-Massey algorithm is equivalent to finding the continued fraction

expansion in the field Z/(2)[[X]] of formal power series, of the element A ( X ) =
~ _ , ~ o a i X i ~ Z/(2)[[XI] (see [7], [9], 140], and [48]). One might hope that the contin-
ued fraction expansion in the field Q2 of 2-adic numbers of the element ot ---- ~_,i=oai2C~i
would exhibit similar optimality properties, but this is false. In fact, the continued frac-
tion expansion may fail to converge properly (see [47]). There are a number of decoding
algorithms available in the context of Hensel and arithmetic codes [ 14], [30], [34]. How-
ever, there seem to be no published proofs that any of these algorithms satisfy both of
the optimality properties mentioned above.
In this section we present an analogue of the Berlekamp--Massey algorithm which has
both optimality properties: It constructs the smallest FCSR which generates the sequence
a (Theorem 10.1 ), and it does so using only a knowledge of the first 2M + 2 log M bits,
where M is the 2-adic span of a (Theorem 10.2). Our algorithm is based on p-adic
approximation theory. It is a modification of the procedure outlined by de Weger [47]
and Mahler [32], which has the advantage that it is adaptive in the same sense as the
134 A. Klapper and M. Goresky

Berlekamp-Massey algorithm. (De Weger's algorithm is recalled in Section 14 where it

is applied to pseudorandom sequences with base p.)
For any pair of integers f = (fl, f2) E Z x Z, we write

r = max(If1 [, l f21)-

Assume we have consecutive terms a0, al . . . . of a binary sequence a which is the

2-adic expansion of a number ~. We wish to determine a pair of integers f = (fl, f2)
so that ~ = f l / f 2 and so that ~ ( f ) is minimal among all such pairs of integers. The
corresponding FCSR may then be constructed as described in Section 5. In the rational
approximation algorithm, given in Fig. 4, and in the rest of this section, if f = (f~, f2)
is a pair of integers and if d ~ Z is an integer, write d f = (dfl, d f2).

Implementation Remarks. The congruence c~g2 - g j = 0 (mod 2 k+l) may be checked

without performing the full multiplication at each stage, by saving and updating the
previous values of oeg2 - gl and a f2 - f l . Inside the loop, in the second and third
cases, the number d is chosen so as to minimize ~ ( f + xg) (resp. ~ ( g + x f ) ) among
all possible odd integers x. As observed in [47], it may be computed by division. For
example, suppose we are in the second case: otg2 - g l ~ 0 (mod 2 k* 1) and 9 (g) < 9 ( f ) .
If g~ :fi +g2, then d is among the odd integers immediately less than or greater than
(fl - f2)/(gl - g2) and - ( f l + f2)/(gl + g2). Thus it suffices to consider the value
of r -4- dg) for these four values of d. When g~ = +g2, one or the other of these
quotients is not considered. If qb(g) > ~ ( f ) then the roles of f and g are switched.

T h e o r e m 10.1. Let g = (gl, g2) denote the output of the preceding algorithm when T
bits ai are used. Then gz is odd,

9g2 - gl = 0 (mod 27"),

and any other pair g' = (g'l, g2 ) which sati,~fies these two conditions has 9 (g') > 9 (g ).

T h e o r e m 10.2. Suppose a = (ao, al, a2 . . . . ) is an eventually periodic sequence with

associated 2-adic number a = Y~ ai2 i = p / q , with p, q E Z, and gcd(p, q) = 1. If
T > 12~(a)] + 2 bits ai are used, then the 2-adic Rational Approximation Algorithm
outputs g = (p, q). (Hence also i f T > 2~,2(a) + 2[log2(~.2(a))].)

The proofs of these two optimality results occupy the rest of this section, and utilize the
methods of [32] and [47]. Consider the kth approximation lattice for the 2-adic number

L~={heZxZ:ot.h2-h~ =0(mod2k)}.

Then Lk D Lk+l D " " . If f = (fl, f2) ~ Lk, then 2 f = (2fl, 2f2) c Lk+l. The
elements (fl, f2) e Lk with f2 odd represent fractions f l / f 2 whose 2-adic expansion
agrees with that of a in the first k places. Two pairs of integers f, g ~ L k form a basis
for Lk if every element h E L k may be written h = c f -4- dg for some integers c, d ~ Z.
Such bases exist and are described in the following lemma, which is a key observation
of [47]. Its proof is straightforward.
Feedback Shift Registers, 2-Adic Span, and Combiners with Memory 135

L e m m a 10.3. Two pairs of integers f, g E Lk form a basis for Lk if and only if

Ifig2 - f2gll = 2 k-

Proof. Suppose Ifig2 - f2gll = 2 k. Let h = ( h i , h2) c Lk. We search for c, d ~ Z

so that

cfl + d g j = hi,
c.f2 W dg2 = h2.

By Cramer's rule. c = ( h l g 2 - gl h 2 ) / ( f l g2 - gl f2) while d = ( f l h 2 - h l f 2 ) / ( f l g2 -

g~ f2). Since f, g, h c Lk the numerators of these expressions are =-- 0 (mod 2k), so they
are multiples of 2 k. It follows that c and d are integers, and we conclude that f, g form a
basis of Lk, which proves the "if" part. In particular, f ' = (2 k, 0) and g' = (t~k, 1) form
a basis of Lk (where otk = a0 + cq2 + 9- 9 + otk_12k-l). Next, let us suppose that f, g is
any other basis of Lk. Then f and g may be written as integer linear combinations of f '
and g', i.e., there is a two-by-two matrix C of integers so that

(f~ g')=c.(f,', g'l"~

g2 ',fg_ g'2J
On the other hand, it is possible to write f ' and g' as integer linear combinations of
f and g using another two-by-two integer matrix C'. It follows that C' = C -~. So
both det(C) and det(C - l ) = det(C) -~ are integers. Hence det(C) = • Therefore
.fig2 - glf2 : +(f(g2 -- g'lf2) : • []

The proof of Theorem I 0.1 is an immediate consequence of the following lemma.

L e m m a 10.4. For each k, at the top of the loop the following conditions hold:
1. f and g are in Lk; .f~ and f2 are even; g2 is odd;
2. (f, g) is a basis for Lk;
3. f • Lk+l;
4. g minimizes dp(h) over all elements h E L k with h2 odd;
5. f minimizes ~ ( h ) over all elements h E Lk with hi and h2 even.

Proof. We prove this by induction on k. It is straightforward to check that the conditions

(1)-(5) hold initially. Let us suppose that the conditions hold at stage k. If g E Lk+j,
then after passing through the loop and returning to the top, the new values of f and
g are f ' = 2 f and g' = g, and it is straightforward to verify that the conditions hold.
Therefore, assume we are back at stage k, and that g ~ L k + l . Let f ' and g' be the new
values after updating. We treat the case when ~ ( g ) < ~ ( f ) . The other case is similar.
I. We have

~ ' g'2 -- g'l = or. (f2 + dg2) - (fl + dgl)

= (t~.f2-fl)+d(ot.gz-gl)
= 2 k + d 2 ~ ( m o d 2 k+l)
= 0 (mod 2k+l),
136 A_Klapper and M. Goresky

since f and g are in Lk -- L t t l and d is odd. Therefore g' E Lk+l. Also, g is in Lk, so
f ' = 2g is in Lk + I. The parity conditions on f and g are straightforward to check.
2. By Lemma 10.3, we have flg2 - f2gl = 4-2k. Therefore f(g~ - J2g'l = 2gl(f2 +
dg2) - 2gz(fl + dgl) = 2(fig2 - f2g~) = 4-2k+1. Again by Lemma 10.3, (g', f ' ) is a
basis for Lk+l.
3. We have g ~ Lk+l, so f ' = 2g ~ Lk+2.
4. Suppose that minimality fails. Since (f', g') form a basis for Lk ~I, there are integers
a and b so that
do(ag' + b f ' ) < do(g') (20)
and ag~ + bf4_ is odd. The latter condition is equivalent to a being odd since .~ is even and
g~ is odd. By possibly negating both a and b, we can assume a is nonnegative. Further,
if a = 1, then ag' + bf' = f + (d + 2b)g and this contradicts the choice of d in the
algorithm. Thus we can assume that a > 1. Equation (20) can be rewritten

9 (af + (ad + 2b)g) < ap (,/" + d g ) . (21)

Let c be the odd integer closest to d+2b/a. Since a is odd, the quantity x = c - (d+2b/a)
satisfies Ixl < 1 hence Ixl < (a - l)/a. Then

dp(af + acg) = C~(af + (ad + 2b + ax)g)

<_ ~ ( a f + (ad + 2b)g) + alxldo(g)

by the triangle inequality for ~. The first term may be bounded using (21) and the second
term is bounded by the induction hypothesis: ~(g) <_ ~ ( f + dg). Dividing by a gives
1
d o ( . / + cg) < - ~ ( f + dg) + I x l ~ ( f + d g ) < do(f + dg)
a
which contradicts the choice of d.
5. Suppose there is an element h' ~ Lk+j with h'l and h~ even, such that ~ ( h ' ) <
9 ( f ' ) : 2do(g). We can write h' = 2h for some h ~ Lk, so do(h) < ~ ( g ) < do(f).
If both hi and he are even, this contradicts the minimality of f . If h2 is odd, this
contradicts the minimality of g. It is impossible that h i is odd and h~ is even for k > 1
since ot 9 h 2 - hi ~ 0 ( m o d 2k). []

Remarks. The algorithm runs correctly if we always update g and f by the first method
((g, f ) = ( f + dg, 2 f ) ) , independent of the relation between ~ ( g ) and ~ ( f ) . The
relation 9 (g) < q~( f ) was only used to verify property (5) above, which is not necessary
for rapid convergence of the algorithm. However, property (5) ensures that the size of f
remains small, so it leads to better bounds on the complexity of the computations which
are involved in the algorithm. Since the algorithm is adaptive there is, of course, no need
to assume that the sequence a is eventually periodic.

Proof of T h e o r e m 1 0 . 2 . By assumption, a : p / q so q is odd and (p, q) ~ L~ for all

k. The output from the algorithm is a pair g --- (gj, g2) c L7 which is 4P-minimal, so
d o ( g 1 , g 2 ) --< do(P, q)- Hence

Iglq[ 5 Ig]l[ql _< ~ do(p,q) <_ eP(p,q) 2 < 2r-2,

Feedback Shift Registers. 2-Adic Span, and Combiners with Memory 137

since by assumption T > 2log 2 (b(p, q) + 2. Similarly, Ipgzl ~< 2 r-2. However, otg2 -
gl - 0 (mod 2 I) so glq - pg2 (mod 2T), which implies that glq -~ pg2. Therefore
(gl, g2) is some odd integer multiple of (p, q). By q~-minimality, this integer must be
+1 which gives gl = P and g2 = q (or else gj = - p and g2 = - q ) . []

Complexity Issues. Suppose the rational approximation algorithm is executed with a

sequence a which is eventually periodic, with rational associated 2-adic number a =
p/q. Then the rational approximation algorithm takes T = 21og2(dP( p, q)) § 2 <
2~.2(a) + 2 [log20~2(a))] - 2 steps to converge.
Consider the kth step. I f a g 2 - gl ~ 0 (mod 2 k+l ), then we say that a discrepancy has
occurred. The complexity of the algorithm depends on the number of discrepancies. To
simplify the computation ofeg2, we maintain ~f2 as well. When no discrepancy occurs,
these values and the value of f can be updated with k bit operations.
Suppose a discrepancy occurs. The minimization step can be done with two divisions
of k-bit integers. The remaining steps take time O(k). Then ag2 and ~f2 can be updated
with O(k)-bit operations and two multiplications of k-bit integers by d.
Let D be the number of discrepancies, and let M be the maximum time taken by
a multiplication or division of T-bit integers. The Sch6nhage-Strassen algorithm 146],
gives M = O ( T log T log log T). This can be improved to M ~ T log T using Pollard's
nonasymptotic algorithm and Newton interpolation for T < 23v on a 32-bit machine or
T < 27o on a 64-bit machine [42]. These are ranges that are typical in current usage.
The complexity of the algorithm is thus 4 D M + O(T2). Strictly in terms of T,
this is O ( T 2 log T log log T). However, if the sequence is chosen so that the number
of discrepancies is small, the complexity is lower. In particular, a cryptographer de-
signing a stream cipher should try to choose sequences for which many discrepancies
occur.

11. The Summation Cipher

In the summation cipher [37], [44], several m-sequences al, a2 . . . . . au are combined
using "addition with carry.'" The resulting sequence is used as a pseudo-one-time-pad.
These sequences have generated great interest since they appear to be resistant to attacks
based on the Berlekamp--Massey algorithm. If the constituent sequences ai have coprime
periods Ti, then the resulting sequence has linear span which is close to the period
L = Ti 9 T2-.. Tk of the combined sequence.
However, by a generalization of Theorem 9.5, the 2-adic complexity of the combined
sequence is no more than Ti § T2 + ... + 7~ + log2(k) so the 2-adic span is no more
than y~ Ti + log2(k) + log2()-~ T, + log2(k)). Thus if the T, are similar in magnitude,
the 2-adic span of the result is bounded by kL t/k + Iog2(k) § log2(kL l/k + log2(k))
and it may be much less. This throws considerable doubt on the security of these stream
ciphers.
Here is a more algorithmic description of the attack:

D1. Determine (perhaps by a known plaintext attack on a stream cipher system) 2. T

consecutive bits of the sequence b formed by applying the summation combiner
to a l , a2 . . . . . ak.
138 A. Klapper and M. Goresky

D2. Apply the rational approximation algorithm to this sequence of bits, to find q
and p.
D3. Construct the FCSR which outputs the bit stream corresponding to the 2-adic
number a = p / q using the methods in Sections 4 and 5.

The resulting FCSR uses at most T = Tr + ~ + . . . + 7~ + O(log(~-~i (~))) + O(log(k))

bits of storage and outputs the sequence h. The effectiveness of this attack may be
minimized by using only k = 2 constituent m-sequences, with periods 7;, chosen so that
27;' - 1 has no small prime factors, but then there is less benefit in the growth of the linear
span (see [38] and [39]).
For example, if we combine m-sequences of period 2 L - I with L = 7, I1, 13, 15,
16, and 17. then the period and linear span of the resulting sequence are nearly 279.
However, the 2-adic span is less than 2 is, so fewer than 2 I'~ bits suffice to find an FCSR
that generates the sequence. The maximum number of single word arithmetic operations
performed by the rational approximation algorithm on a 32-bit machine is about 242.

12. Relationship to Arithmetic Codes

Fix an odd, positive integer A. Recall that the codewords of the A N (arithmetic) code
consist of the binary representations of the integers A N , where the integers N are re-
stricted to lie in some suitable range [41 ], [43].
Suppose q > 0 is an odd integer which we use as the connection integer for an FCSR.
Set T = ordu(2). Then the output sequence of an FCSR with connection integer q is
periodic and the period divides T. If the value of a given state of the FCSR is ol = - p / q
and if this fraction is in lowest terms, then the period is exactly T.

Theorem 12.1. The single periods qfthe periodic sequences generated by the FCSR are
precisely the codewonts for the cyclic A N code where A = (2 r - I )/q and 0 < N < q.

Proof. If the output sequence (ao, al . . . . ) is periodic, then by (3) the 2-adic value of
the shift register is
p ZI'=-O 1 ai 2i
0[. --
q 2T- 1
Therefore,
T-I (2 I - 1
--~ai
2i = p 9 =p.A,
i =o q
which shows that the first 7" bits are precisely the binary expansion of the integer pA. []

13. Long Sequences

It is desirable to generate pseudorandom sequences with large periods using simple shift
register hardware. In the case of linear feedback shift registers, sequences of maximal
period are obtained by using a primitive connection polynomial. By Corollary 2.2, the
Feedback Shift Registers, 2-Adic Span. and Combiners with Memory 139

maximum possible period for an FCSR with connection integer q is T = q - I. This

period is attained if and only ifq is prime and 2 is a primitive root modulo q. In this case,
for any initial loading of the register, the output sequence will either degenerate into all
0's or all 1's. or else it will eventually drop into the big periodic state (see Section 5). To
emphasize the analogy with m-sequences, we make the following definition.

Definition 13.1. An &sequence is a periodic sequence (of period T = q - 1) which is

obtained from an FCSR with prime connection integer q for which 2 is a primitive root.

By Theorem 2.1 and Corollary 2.2, such a sequence is (a shift of) the reverse of the
binary expansion,
1
- = b02 -I + bl2 -2 + b32 -3 + ...
q
of the fraction I/q (see, for example, 128, Section 4.1, Example 31 ]). This binary ex-
pansion is called a I/q-sequem:e in [3], any single period of which is a codeword in
the Barrows-Mandelbaum arithmetic code [2], [33]. These sequences are balanced [12]
and they have the generalized de Bruijn property I33], [3, Theorem 1, p. 370]: in any
given period of the sequence, every binary string of length Llog2(q)l occurs at least once
and every binary string of length I_log2(q)/ + 1 occurs at most once. The generation of
Barrows-Mandelbaum arithmetic codes using FCSR circuitry is new.
The autocorrelation function of a periodic binary &sequence a is in general quite
difficult to determine. However, there is a well-behaved autocorrelation function "with
end-around carry" [33], R,(a), which is an appropriate arithmetic analog to the usual
autocorrelation function. (If a = y~a,,2" and a[i] = ~a,z2 ''-i = 2i~ denotes the
2-adic numbers corresponding to the sequence a and to its shift by i steps, then Ri (a)
is the number of l's minus the number of O's in any period of the periodic tail of the
bit sequence for the sum a + ~1i1.) Mandelbaum proved that (for 0 < i < q - 1) this
function is two-valued with Ri(a) = 0 unless i = (q - I)/2, in which case Ri(a) = 1.
(See also [271.)
There are efficient techniques for finding large primes q for which 2 is a primitive root
(see 181) which are already implemented in current software systems such as Maple and
Pari. For example, an FCSR based on the prime number
q = 212x + 25 + 2 4 + 22 -- I

needs only two bits of memory and has maximal period T = q - 1. Heilbronn (revising
Artin's conjecture) conjectured, and Hooley [ 17] proved, that if an extension of the
Riemann hypothesis to the Dedekind zeta function over certain Galois fields is true, then
the number N(n) of primes q < n for which ordq(2) = q - 1 is

n ( n ln2 In2(n) ~
N(n) = A. ln2(n-----7+ O ln2(n) / .

where A ( = 0.3739558136 to ten decimals) is Artin's constant. In other words, 37.4%

of all prime numbers have this property.
There is another case in which large periods can be obtained. Suppose that q is a prime
number such that q = 2p + 1 with p a prime number. Then sequences generated by
140 A. Klapper and M. Goresky

an FCSR with connection integer q will have period T >_ (q - 1)/2, which is half the
maximum possible period. (This is because Fermat's congruence states that, if x is not
a multiple of q, then x q-I = 1 (rood q), so ordq(2) divides q - 1 = 2p and hence is
equal either to 2, which is impossible; to p; or to q - 1.) It is apparently easier to check
whether (q - 1)/2 is prime than it is to determine whether 2 is a primitive root modulo
q. It was conjectured by Hardy and Littlewood [15], and is widely believed by number
theorists, that the number of primes P(n) less than n of the form 2p + 1, p prime, is
asymptotically given by
n
P(n) ~ c2 . ln2(n),

where c2 ( = 0.0330080908 to ten decimal places) is a constant.

Finally, long pseudorandom sequences may be generated by FCSRs with nonprime
connection integer q. By Theorem 6.1 a large period is obtained if the powers of 2
constitute a large cyclic subgroup of (Z/(q))* (the collection of invertible elements in
Z/(q)). The order of (Z/(q))* is given by Euler's phi function, ~p(q) (the number of
integers less than q which are relatively prime to q). The group (Z/(q))* is cyclic if and
only i f q is a power of a prime, say q = p~. To determine whether 2 is primitive modulo
p~, it suffices to consider primitivity modulo p and p2 [t 8, w 4.1 Theorem 2].

P r o p o s i t i o n 13.2. Suppose q = pe with p an odd prime and e > 2. Then 2 is primitive

modulo q if and only if2 is primitive modulo p2. This holds if and only if2 is primitive
modulo p and p2 does not divide 2 p-I - 1. In this case, the period is qg(p ~) = pe-1 (p _
1) = q ( p - l ) / p .

One can ask about the abundance of primes p for which 2 is a primitive root modulo
p2. All of the primes p listed in Table 2 have this property. In fact, Hardy and Wright
point out that the condition that p2 divides 2 p-~ - 1 holds for only two primes p less
than 3 9 107 [16, p. 73], and by computer search Bombieri has extended this limit to
2 . 1 0 l~ [5]. (The two primes are 1093 and 3511 .) In both cases 2 is not primitive modulo
p. Thus for a large number of primes, we need only check the primitivity of 2 modulo p.
In fact, it is not known whether there are any primes p such that 2 is primitive modulo
p but not modulo p2, though there is no compelling reason to believe there are no such
primes.

Table 2. Valuesof q giving rise to f-sequences for length <_8.

Length Values of q giving e-sequences

1 3
2 5
3 11, 13
4 19, 29
5 37,53,59,61
6 67,83,101,107
7 131,139,149,163,173,179,181,197,211,227
8 269,293,317,347,349,373,379.389,419,421,443,461,467,491,509
Feedback Shift Registers, 2-Adic Span, and Combiners with Memory 141

Distributional Properties of ~-Sequences

We next show that the sequences based on prime power connection integers for which 2
is a primitive root have excellent distributional properties. That they are balanced follows
easily from the primitivity of 2.

Proposition 13.3. Let q be a power of a prime p, say q = pe, and suppose that 2
is primitive modulo q. Let a be any maximal period FCSR sequence, generated by an
FCSR with connection integer q. The number of zeros and the number of ones in one
period of a are equal.

Furthermore, we can consider higher-order distributions. We show next that these

sequences are close to having the de Bruijn property that each subsequence of length
log of the period occurs exactly once in each period. We show that for any two such
subsequences, their numbers of occurrences can differ by at most two.

T h e o r e m 13.4.Let q be a power of a prime p, say q = pe, and suppose that 2

is primitive modulo q. Let s be any nonnegative integer, and let A and B be s-bit
subsequences. Let a be any maximal period, purely periodic FCSR sequence, generated
by an FCSR with connection integer q. Then the numbers of occurrences of A and B in
a with their starting positions in afixed period of a differ by at most 2.

Proof. The purely periodic FCSR sequences with connection integer q are precisely
the 2-adic expansions of rational numbers - x / q , with 0 _< x < q. Such a sequence has
maximum period if and only if p does not divide x. Since 2 is primitive modulo q, the
cyclic shifts of a correspond to the set of all rational numbers - x / q , with 0 _< x < q.
Thus an s-bit subsequence A occurs in a if and only if it occurs as the first s bits in the
2-adic expansion of some rational number - x / q with 0 _< x < q and p not dividing
x. Two rational numbers - x l / q and --x2/q have the same first s bits if and only if
- x l / q - - x 2 / q ( m o d 2*), i.e., if and only i f x i --- x2 (rood 2s). Thus we want to count
the number of x with a given first s bits, 0 _< x < q, and x not divisible by p.
Let 2 r < q < 2 r+l . If s > r, there are either zero or one such x, so the result follows.
Thus we may assume s _< r.
We first count the number of x with the first s bits fixed and 0 < x < q, ignoring the
s- 1 r
divisibility condition. If A ----a0 . . . . . a s - l , we let ot = ~-~-i=0ai2i" Let q = ~i=oqi2 i,
and q' ---- X-,s
z..~i=0 I qi. 2i . If ~ < q', then every choice of a . . . . . . . ar with ~ 7 = ~ a i 2i <
r
~i=s qi 2i gives a unique x in the right range. Ifc~ >_ q', then every choice of a . . . . . . . ar
with Y~-~=sai 2i < ~-~-~=.~qi 2i gives a unique x in the right range. Thus for different
choices of A, the numbers of such x differ by at most one.
Next we consider those x for which 0 < x < q and p divides x. That is, x = py for
some y, and 0 _< y < q / p = pe I. As above, xi = PYl and x2 = py2 have the same
first s bits if and only if the same is true of yl and y2. The preceding paragraph shows
that the numbers of such y for different choices of the first s bits differ by at most one.
However, i f x = py, then y = A (mod 2 s) if and only i f x = pA (mod 2s), so for any
B and C, the number of xs divisible by p with first s bits equal to B differs from the
142 A. Klapper and M. Goresky

number of x's divisible by p with first s bits equal to C by at most 1. We have

I{x 9 0 < x < q, p Xx, a n d x =- o! (mod 2s)}l

= I{x ' 0 < x < q and x =oe (mod 2~)}]-I{x 9 0 < x < q , p l x , a n d x = a (rood 2s)}l.

As oe varies the two terms on the right-hand side vary by at most one from their values
for any fixed choice ofoe. Thus the difference varies by at most 2. []

It is easy to check that the difference can be as large as 2.

14. Related Constructions and Open Problems

In this section we hope to convince the reader that there is an endless assortment of
variations on the idea of the FCSR, most of which may be analyzed along the lines we
have outlined, perhaps by using more sophisticated mathematical tools.
Most of the results in this paper have straightforward generalizations to FCSRs with
cell contents and feedback coefficients in Z / ( p ) where p is a prime number, not neces-
sarily 2. Let
q=-l +qlp+qzp 2 +'''+q~pr

denote the base p expansion of a positive integer q -- - 1 (rood p). Then q is the
connection integer for an FCSR with feedback coefficients ql, q2 . . . . . qr in Z / ( p ) as in
Fig. 2. With each clock cycle, the integer sum an = Y~=l qkan-k + m n - 1 is accumulated,
the register contents are shifted one cell to the right, the quantity an = an (mod p) is
placed in the leftmost cell, and the new memory value is mn = kan/pJ 9
r
Let w = Y~i=l qi denote the sum of the coefficients in the base p expansion o f q + 1.
For any initial value of the memory m > 0, as the register runs, the memory will decrease
until it is < w, and then the memory will remain < w.
Suppose the FCSR is initially loaded with contents ar-1 . . . . . ao c Z / ( p ) and with
initial memory m c Z. Then the output of the FCSR is the p-adic expansion of the
rational number
r-I ~-,r-i i " "
Z i = 0 Z....~j=0 qi p ' a j p ) - - m P r
a = (22)
q
Ifq is prime, then the periodic part of the output sequence will have period T = ordq (p).
The output will be strictly periodic if the numerator in (22) lies between - q + 1 and 0. In
this case, if ?/ = p-J (mod q), then the successive values output by the FCSR are given
by ai = A y i (rood q) (rood p) for some constant A 6 Z/(q). If p is primitive modulo
q, then the output sequence has maximal period T = q - 1, is balanced, and has the
generalized de Bruijn property.
Some of these observations appear in the important article [36] where linear recur-
rences with carry are proposed, in the case that q + 1 = pa + pb is a sum of two pure
powers of p. There, the period of such a sequence is computed and it is observed that,
in this case, only one bit of memory is needed.
We may define the p-adic span of an eventually periodic pseudorandom sequence a =
a0, a j, a2 . . . . of elements a i C Z / ( p ) to be the size of the smallest FCSR which generates
Feedback Shift Registers, 2-Adic Span, and Combiners with Memory 143

de Weger(R0~ (LI,..., (17"-1)

begin
~' - - ao + (zip + .. 9+ (tT-1 9 pT-I
.f- (o,l;'-')
ff = (p~-~, l)
repeat
Let d E Z mi,imize O(f + d.q)
.f = .f+ ~#~
lr~terc}~ange ,/', g
until r <- r
return g
end

Fig. 5. De Weger's algorithm for p-adic numbers.

that sequence, and the p-adic complexity of the sequence to be logp (max (Id ], Iq ])) where

d ~
ot - - Z ai f f
q i=0
is the rational number (in lowest terms) whose p-adic expansion is the sequence a.
The p-adic span and p-adic complexity are related as in Proposition 9.3 (but with log 2
replaced by logp). The p-adic complexity of the (p-adic) sum of two sequences is no
greater than the sum of their p-adic complexities plus 1.
The algorithm in de Weger [47], which we briefly recall in Fig. 5, is an efficient way to
approximate any finite pseudorandom sequence (with elements in Z / ( p ) ) by a rational
number, from which an FCSR may be constructed which duplicates the given sequence.
It is not "adaptive": it assumes an input consisting of T elements a0, a l . . . . . aT-1 of the
sequence. It exhibits an optimality property analogous to that of Theorem 10.2, but we do
not know whether there is an adaptive algorithm which also exhibits the first optimality
property (Theorem 10.1). (Our analysis in Section l0 is strictly specific to base 2.) If
f ---- (fl, f 2 ) is a pair of integers, we use the previous notation qb ( f ) = max(Ifl I, l f21).
It is possible to design, analyze, and build feedback with carry shift registers for which
the cells contain elements of some other finite field GF(pm). We refer the reader to [22]
for further information.
A very interesting variant on the FCSR architecture (which we call a d-FCSR) is
shown in Fig. 6. Each cell contains 0 or 1. The operation is analogous to that of the
FCSR in Fig. 3 except that each "carried" bit is delayed d steps before being added.
There is an analogous d-step "combiner" which works just like the summation combiner
[44, Figure 9.5 p. 217], except that the single cell for memory is replaced by a shift
register of length d which delays the carry bit for d clock cycles before adding it back
in. We refer to this operation as a sum with d-step carry.
The key mathematical tool for analysis of the d-FCSR is the ring D of"zr-adic integers."
These consist of formal power series a0 § a~ zr § a27r 2 -I-. - 9in an indeterminate 7r, where
144 A. Klapper and M. Goresky

m a,.~ ar2 ... aj ac, >

c
++
Fig. 6. A d-FCSR with d = 2.

ai c {0, 1} and where rr satisfies the formal rule zr d = 2. Addition and multiplication
in this ring are performed just as in the ring Z2 of 2-adic integers. However, carried bits
are advanced d steps because

1+1 =0+0zr+...+0zr d-l+n d.

Thus, the sum with d step carry, described above, is precisely the sum operation in the
ring D.
The operations div rr and (mod re) make sense in this ring: If cr = % + ~rlzr +
9 . . + OrsJr ~ 6 D is a finite sum of powers of zr with coefficients a i ~ {0, 1 }, define
~r(modJr) = oo E Z/(2) andcr (div 7r) = al + a 2 n + - . . + o ~ J r '~-l. A formal
description of a d-FCSR may be given using this language.
A connection "integer" q = - 1 + q l n + q27r 2 + ..- + qrn r (where qi ~ {0, 1})
determines taps on a shift register, just as in Fig. 2. The contents of the memory m form
a polynomial, m = mo + m l n + m2zr 2 + ... + m~rr s with m i C {0, 1}. The register
operates as follows:
1. Form the integer sum a ' Z i =r-1
0 aiqr-i.
2. Write cr' as a polynomial (with {0, 1} coefficients) in zr using 2 = rcd.
3. Using addition in D, form the sum cr = m + ~r' 6 D.
4. Shift the contents of the register to the right one step.
5. Place the bit a r = o" (mod Jr) into the leftmost cell.
6. Replace the memory with m' = ~r (div 7r) = ( a - a r ) / r c .

There are notions of rr-adic span and complexity; the zr-adic complexity adds when
two binary sequences are combined using the d-step carry combiner. Many of the con-
structions and results in this paper have analogs in this more general setting, which we
have described and analyzed briefly in [24], however there remain many interesting open
problems concerning these registers.
It is also possible to design and build shift register architectures in which the cells
contain elements from some finite field G F ( p r) and in which the addition involves a
d-step carry, thus combining all of the above ideas. The appropriate mathematical tool
for the analysis of this sort of architecture involves the theory of p-adic fields and their
ramified extensions, which goes beyond the scope of the present paper.
There are many relations between FCSR sequences and LFSR sequences which should
be studied: What is the linear complexity (profile) of an e-sequence? What is the 2-
adic complexity (profile) of an m-sequence? When e-sequences and m-sequences are
Feedback Shift Registers, 2-Adic Span, and Combiners with Memory 145

combined (e.g., by bitwise sum or by summation combiner) does the complexity of the
result approach the period? Schneier's book [45] proposes a number of combiners which
should be analyzed for 2-adic and linear complexity. Similar questions may be posed
concerning d - F C S R sequences.
For an L F S R with a fixed connection polynomial, the set of output sequences forms a
vector space; in fact, they form the codewords of a first-order R e e d - M u l l e r code. We do
not know any simple characterization of the set of output sequences of a given FCSR.
Adaptive versions of de Weger's algorithm should be developed for other prime bases,
and for the d - F C S R architecture. The rate of convergence of de Weger's algorithm (for
other prime bases) should be studied. As mentioned in the Introduction and in Section 9,
the appropriate connections with maximum order complexity [19], [20], [21], [4] should
be made.

Acknowledgments

We wish to thank Hugh Williams for his help in tracking down the various conjectures and
results on primes q With large ordq (2) which are discussed in Section 13. We are grateful
to Bruce Schneier for directing our attention to a number of important implementation
issues, especially those concerning degenerate initial loadings. We have profited from
useful conversations with Mark McConnell, and we would like to thank two anonymous
referees for their careful reading and many thoughtful comments on an earlier version
of this paper. The second author would like to thank the Institute for Advanced Study in
Princeton, NJ, for their hospitality and support while this paper was being revised.

References

[1] E. Bach, Efficient prediction of Marsaglia-Zaman random number generators, Draft, University of Wis-
consin, 1993.
[2] J. T. Barrows, Jr., A new method for constructing multiple error correcting linear residue codes, Report
R-277, Coordinated Science Laboratory, Universityof illinois, Urbana, 1966.
[3] L. Blum, M. Blum, and M. Shub, A simple unpredictable pseudo-random number generator, SIAM
J. Comput., vol. 15, 1986, pp. 364-383.
[4] A. Blumer and J. Blumer, Linear size finite automata for the set of all subwords of a word: An outline of
results, Bull. European Assoc. Theoret. Comput. Sci., vol. 21, 1983, pp. 68-77.
[5] E. Bombieri, Personal communication.
[6] A. Chan and R. Games, On the quadratic span of de Bruijn sequences, IEEE Trans. Inform. Theory,
vol. 36, 1990, pp. 822-829.
[7] U. Cheng, On the continued fraction and Berlekamp's algorithm, IEEE Trans. Inform. Theory, vol. 30,
1984, pp. 541-544.
[8] H. Cohen, A Course in Computational Algebraic Number Theory, Springer-Verlag,New York, 1993.
[9] Z. D. Dai and K. C. Zeng, Continued fractions and the Berlekamp-Massey algorithm, Advances in
Cryptology--AUSCRYPT '90. Lecture Notes in Computer Science, vol. 453. Springer-Verlag,Berlin,
1990.
[10] C. Ding, Stream Ciphers and Number Theory, to appear.
[ 11] H.D. Ebbinghaus et al., Numbers, Graduate Texts in Mathematics,vol. 123, Springer-Verlag,New York,
1990.
[ 12] C. E Gauss, Disquisitiones A rithmeticae, 1801; reprinted in English translation by YaleUniversityPress,
New Haven, CT, 1966.
[ 13] S. Golomb, Shift Register Sequences, Aegean Park Press, Laguna Hills, CA, 1982.
146 A. Klapper and M. Goresky

[ 14] R.T. Gregory and E. V. Krishnamurthy, Methods andApplications of Error-Free Computation, Springer-
Verlag, New York, 1984.
[15] G. H. Hardy and J. E. Littlewood, Some problems of "Partitio Numerorum"; lII: On the expression of a
number as a sum of primes, Acta Mathematica, vol. 44, 1922, pp. 1-70.
[16] G. Hardy and E. Wright, An Introduction to the Theory of Numbers, Oxford University Press, Oxford,
1979.
[17] C. Hooley, On Artin's conjecture, J. Reine Angew. Math., vol. 22, 1967, pp. 209-220.
[18] K. Ireland and M. Rosen, A Classical Introduction to Modern Number Theory, Springer-Verlag, New
York, 1990.
[19] C. J. A. Jansen, Information theory of shift registers, In: Proceedings of the Tenth S~'mposium on h ~ r -
mation Theory in the Benelux (A. M, Barbe, ed.), Werkgemeenschap voor Inf.- & Communicatietheorie,
Enschede, 1989, pp. 153-160.
[20] C.J.A. Jansen and D. E. Boekee, The shortest feedback shift register that can generate a given sequence,
In: Advances in Cryptology--CRYPTO '89 (G. Brassard, ed.). Lecture Notes in Computer Science,
vol. 435, Springer-Verlag, Berlin, 1990, pp. 9(I-99.
[21] C. J. A. Jansen and D. E. Boekee, On the significance of the directed acyclic word graph in cryptology,
In: Advances in Cryptalogy -AUSCRYPT '90. Lecture Notes in Computer Science, vol. 453, Springer-
Verlag, Berlin, 1990, pp. 318-326.
[22] A. Klapper, Feedback with carry shift registers over finite fields, Fast Software Enco'ption, Second
International Workshop. Lecture Notes in Computer Science, vol. 10(18, Springer-Verlag, Berlin, 1995,
pp. 170-178.
[23] A. Klapper and M. Goresky, 2-adic shift registers, Fast SoJh*'areEncryption. Lecture Notes in Computer
Science, vol. 809, Springer-Verlag, Berlin, 1994, pp. 174-178.
[24] A. Klapper and M. Goresky, Feedback registers based on ramified extensions of the 2-adic numbers,
Advances in Crvptology--Eurocr~,pt 1994, Perugia, Italy. Lecture Notes in Computer Science, vol. 950,
Springer-Verlag, Berlin, 1995, pp. 215-222.
[25] A. Klapper and M. Goresky, Large period nearly deBruijn FCSR sequences, Advances in Cr~'ptologv--
Eurocrypt 1995. Lecture Notes in Computer Science, vol. 921, Springer-Verlag, Berlin, 1995, pp. 263-
273.
[26] A. Klapper and M. Goresky, Cryptanalysis based on 2-adic rational approximation, Advances in
Cryptology--CRYPTO '95. Springer Lecture Notes in Computer Science, vol. 963, Springer-Verlag,
Berlin, 1995, pp. 262-273.
[27] A. Klapper and M. Goresky, Arithmetic cross-correlation of FCSR sequences. University of Kentucky,
Technical Report, no. 262-96, 1996.
[28] D. Knuth, The Art of Computer Programming, vol. 2, Seminumerical Algorithms, Addison-Wesley,
Reading, MA, 1981.
[29] N. Koblitz, p-Adic Numbers, p-Adic Analysis, and Zeta Functions, Graduate Texts in Mathematics,
vol. 58, Springer-Verlag, New York, 1984.
[30] E. V. Krishnamurthy and R. T. Gregory, Mapping integers and Hensel codes onto Farey fractions, BIT,
vol. 23, 1983, pp. 9-20.
[31 ] A. Lempel, M. Cohn, and W. Eastman, A class of balanced binary sequences with optimal autocorrelation
properties, IEEE Trans. Inform. Theon', vol. IT-23, 1977, pp. 38-42.
[32] K. Mahler, On a geometrical representation of p-adic numbers, Ann. c~fMath., vol. 41, 1940, pp. 8-56.
[33] D. Mandelbaum, Arithmetic codes with large distance, IEEE Trans. Inform. Theory, vol. IT-13, 1967,
pp. 237-242.
[34] D. Mandelbaum, An approach to an arithmetic analog of Berlekamp's algorithm, IEEE Trans. Inform.
Theoo', vol. IT-30, 1984, pp. 758-762.
[35] G. Marsaglia, The mathematics of random number generators, The Unreasonable F~[/'ectivenessof Number
Theory, American Mathematical Society, Providence, RI, 1992, pp. 73-90.
[36j G. Marsaglia and A. Zaman, A new class of random number generators, Ann. Appl. Probab., vol. 1, 1991,
pp. 462-480.
[37] J. Massey and R. Rueppel, Method oil and apparatus for, transforming a digital data sequence into an
encoded form, U.S. Patent No. 4,797,922, 1989.
[38] W. Meier and O. Staffelbach, Correlation properties of combiners with memory in stream ciphers,
Advances in Cn,ptology--EUROCRYPT '90. Workshop on the Theo O' and Application of Cryptographic
Techniques Proceedings, Springer-Verlag, Berlin, 1991, pp. 204-213.
Feedback Shift Registers, 2-Adic Span, and Combiners with Memory 147

[39] W. Meier and O. Staffelbach, Correlation properties of combiners with memory in stream ciphers,
J. Crypto/ogy vol. 5, 1992, pp. 67-86.
[40] W. H. Mills, Continued fractions and linear recurrences, Math. Comput., vol. 29, 1975, pp. 173-180.
[41] W. W. Peterson and E. J. Weldon, Jr., Error-Correcting Codes, 2nd edn., MIT Press, Cambridge, MA,
1972.
[42] J. Pollard, The fast Fourier transform in a finite field, Math. Comput., vol. 25, 1971, pp. 365-374.
[43] T. R. N. Rao, Error Coding For Arithmetic Processors, Academic Press, New York, 1974.
[44] R. Rueppel, Analysis and Design of Stream Ciphers, Springer-Verlag, New York, 1986.
[45] B. Schneier, Applied Cryptography, Wiley, New York, 1996.
[46] A. Sch6nhage and V. Strassen, Schne••e Mu•tip•ikati•n Gr•sser Zah•en, C•mputin g, v••. 7 • • 97 •, pp• 28 ••
292.
[47] B. M. M. de Weger, Approximation lattices of p-adic nmnbers, J. Number Theory, vol. 24, 1986, pp. 70-
88.
[48] L. R. Welch and R. A. Scholtz, Continued fractions and Berlekamp~s algorithm, IEEE Trans. lrl[i)rm.
Theory, vol. 25, 1979 pp. 19-27.