Linear Feedback Shift Registers (LFSRs)

• Efficient design for Test Pattern Generators & Output Response Analyzers (also used in CRC)
  – FFs plus a few XOR gates
  – better than counter
    • fewer gates
    • higher clock frequency
• Two types of LFSRs
  – External Feedback
  – Internal Feedback
    • higher clock frequency
• Characteristic polynomial
  – defined by XOR positions
  – P(x) = x^4 + x^3 + x + 1 in both examples

[Figure: External Feedback LFSR and Internal Feedback LFSR, each built from four D flip-flops (D Q, CK) with XOR gates placed according to P(x) = x^4 + x^3 + x + 1]

C. Stroud, Dept. of ECE, Auburn Univ. 10/04
LFSRs (cont)
Characteristic polynomial of LFSR
• n = # of FFs = degree of polynomial
• XOR feedback connection to FF i ⇔ coefficient of x^i
  – coefficient = 0 if no connection
  – coefficient = 1 if connection
  – coefficients always included in characteristic polynomial:
    • x^n (degree of polynomial & primary feedback)
    • x^0 = 1 (principal input to shift register)
• Note: state of the LFSR ⇔ polynomial of degree n-1
• Example: P(x) = x^3 + x + 1

[Figure: three-FF LFSR (FFs numbered 1, 2, 3; D Q, CK) for P(x) = x^3 + x + 1, labelled with its coefficients 1·x^0, 1·x^1, 0·x^2, 1·x^3]

LFSRs (cont)
• An LFSR generates a periodic sequence
  – must start in a non-zero state
• The maximum length of an LFSR sequence is 2^n - 1
  – does not generate the all-0s pattern (gets stuck in that state)
• The characteristic polynomial of an LFSR generating a maximum-length sequence is a primitive polynomial
• A maximum-length sequence is pseudo-random:
  – number of 1s = number of 0s + 1
  – same number of runs of consecutive 0s and 1s
  – 1/2 of the runs have length 1
  – 1/4 of the runs have length 2
  – … (as long as fractions result in integral numbers of runs)
LFSRs (cont)
• Example: Characteristic polynomial is P(x) = x^3 + x + 1
• Beginning at all 1s state
  – 7 clock cycles to repeat
  – maximal length = 2^n - 1
  – polynomial is primitive
• Properties:
  – four 1s and three 0s
  – 4 runs:
    • 2 runs of length 1 (one 0 & one 1)
    • 1 run of length 2 (0s)
    • 1 run of length 3 (1s)
• Note: external & internal LFSRs with same primitive polynomial do not generate same sequence (only same length)

[Figure: three-FF LFSR for P(x) = x^3 + x + 1 (coefficients 1·x^0, 1·x^1, 0·x^2, 1·x^3; FFs 1, 2, 3) and its state sequence:]

FF1 FF2 FF3   clock
 1   1   1      1
 1   0   1      2
 1   0   0      3
 0   1   0      4
 0   0   1      5
 1   1   0      6
 0   1   1      7
 1   1   1      (state repeats)
LFSRs (cont)
• Reciprocal polynomial, P*(x)
  – P*(x) = x^n P(1/x)
    • example: P(x) = x^3 + x + 1
    • then: P*(x) = x^3 (x^-3 + x^-1 + 1) = 1 + x^2 + x^3 = x^3 + x^2 + 1
  – if P(x) is primitive, P*(x) is also primitive
    • same for non-primitive polynomials
• Polynomial arithmetic
  – modulo-2 (x^n + x^n = x^n - x^n = 0)

Addition/Subtraction: (x^5 + x^2 + 1) + (x^4 + x^2)
      x^5       + x^2 + 1
    +       x^4 + x^2
    ----------------------
    = x^5 + x^4 + 1

Multiplication: (x^2 + x + 1) × (x^2 + 1)
            x^2 + x + 1
    ×       x^2     + 1
    ----------------------
            x^2 + x + 1
      x^4 + x^3 + x^2
    ----------------------
    = x^4 + x^3 + x + 1

Division: (x^4 + x^3 + x + 1) ÷ (x^2 + 1) = x^2 + x + 1, remainder 0
              x^2 + x + 1
    x^2 + 1 ) x^4 + x^3       + x + 1
              x^4       + x^2
              -----------------------
                    x^3 + x^2 + x + 1
                    x^3       + x
                    -----------------
                          x^2     + 1
                          x^2     + 1
                          -----------
                                    0
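The modulo-2 arithmetic above, the reciprocal polynomial and a primitivity test, as an added example that is not Stroud's own code. A polynomial is held as an int whose bit i is the coefficient of x^i (an assumption of this example, not the slides' notation); the primitivity test is the order-of-x check, named here rather than anything on the slide.

```python
# Added example, not Stroud's own code: modulo-2 polynomial arithmetic as on the
# slide, the reciprocal polynomial P*(x) = x^n P(1/x), and a primitivity check.
# A polynomial is held as a Python int whose bit i is the coefficient of x^i,
# e.g. x^3 + x + 1 -> 0b1011.

def gf2_add(a: int, b: int) -> int:
    """Modulo-2 addition == subtraction: x^n + x^n = 0, so coefficients XOR."""
    return a ^ b

def gf2_mul(a: int, b: int) -> int:
    """Shift-and-XOR multiplication (the partial products on the slide)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def gf2_divmod(a: int, b: int) -> tuple:
    """Long division in GF(2)[x]: returns (quotient, remainder)."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, db = 0, b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        shift = a.bit_length() - 1 - db   # align the leading terms
        q ^= 1 << shift
        a ^= b << shift                   # subtract (XOR) b * x^shift
    return q, a

def reciprocal(p: int) -> int:
    """P*(x) = x^n P(1/x): reverse the coefficient string of a degree-n polynomial."""
    n = p.bit_length() - 1
    return int(format(p, f"0{n + 1}b")[::-1], 2)

def is_primitive(p: int) -> bool:
    """P is primitive iff x has multiplicative order 2^n - 1 modulo P (n = deg P).
    Brute-force order search; adequate for the small degrees on the slides."""
    n = p.bit_length() - 1
    full = (1 << n) - 1
    x = 1
    for k in range(1, full + 1):
        x = gf2_divmod(x << 1, p)[1]      # x^k mod P
        if x == 1:
            return k == full
    return False

def poly_str(p: int) -> str:
    """Pretty-print, highest degree first, e.g. 0b11011 -> 'x^4 + x^3 + x + 1'."""
    terms = [("1" if i == 0 else "x" if i == 1 else f"x^{i}")
             for i in range(p.bit_length() - 1, -1, -1) if p >> i & 1]
    return " + ".join(terms) if terms else "0"
```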
LFSRs (cont)
• Non-primitive polynomials produce sequences < 2^n - 1
  – Typically primitive polys desired for TPGs & ORAs
• Example of non-primitive polynomial
  – P(x) = x^3 + x^2 + x + 1

[Figure: External Feedback LFSR and Internal Feedback LFSR for P(x) = x^3 + x^2 + x + 1 (three D flip-flops each) with their state-transition tables; every cycle is shorter than 2^3 - 1 = 7]
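A simulator for the external and internal feedback LFSRs of the slides, added here as an example that is not Stroud's own code; it reproduces the P(x) = x^3 + x + 1 state table and run properties above and shows that P(x) = x^3 + x^2 + x + 1 gives periods below 7. It assumes FFs are numbered 1..n from the input side, feedback is taken from FF n, and a polynomial is given as the list of exponents whose coefficient is 1.

```python
# Added example, not Stroud's own code: simulate the external (Fibonacci) and
# internal (Galois) feedback LFSRs of the slides, measure the period and check
# the pseudo-random run properties.  Assumptions: FFs are numbered 1..n from the
# input side, feedback is taken from FF n (the x^n term), and a polynomial is
# the list of exponents with coefficient 1, e.g. x^3 + x + 1 -> [0, 1, 3].
from itertools import groupby
from typing import Callable, List, Tuple

def step_external(state: List[int], taps: List[int]) -> List[int]:
    """External feedback: FF1 <- XOR of FF i for every tap x^i; others shift."""
    fb = 0
    for i in taps:
        fb ^= state[i - 1]
    return [fb] + state[:-1]

def step_internal(state: List[int], taps: List[int]) -> List[int]:
    """Internal feedback: FF n feeds FF1 and is XORed into the input of FF i+1
    for every tap x^i with i < n (reproduces the slide's state table)."""
    n, fb = len(state), state[-1]
    new = [fb] + state[:-1]
    for i in taps:
        if i < n:
            new[i] ^= fb
    return new

def run_lfsr(poly: List[int], step: Callable, start: List[int]) -> Tuple[int, List[List[int]]]:
    """Clock from `start` until a state repeats; returns (period, states visited)."""
    taps = [i for i in poly if i >= 1]          # x^0 is the register input, not a tap
    states, s = [], list(start)
    while s not in states:
        states.append(s)
        s = step(s, taps)
    return len(states) - states.index(s), states

def cyclic_runs(seq: List[int]) -> List[int]:
    """Sorted lengths of the runs of equal bits, treating seq as one period."""
    n = len(seq)
    k = next((j for j in range(n) if seq[j] != seq[j - 1]), 0)   # start of a run
    s = seq[k:] + seq[:k]                       # rotate so no run wraps around
    return sorted(len(list(g)) for _, g in groupby(s))

def sequence_stats(poly: List[int], step: Callable, start: List[int]):
    """(period, output of FF n over one period, #1s, #0s, run lengths)."""
    period, states = run_lfsr(poly, step, start)
    out = [st[-1] for st in states[len(states) - period:]]
    return period, out, out.count(1), out.count(0), cyclic_runs(out)
```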

LFSRs (cont)
• Primitive polynomials with minimum # of XORs

Degree (n)        Polynomial
2,3,4,6,7,15,22   x^n + x + 1
5,11,21,29        x^n + x^2 + 1
8,19              x^n + x^6 + x^5 + x + 1
9                 x^n + x^4 + 1
10,17,20,25,28    x^n + x^3 + 1
12                x^n + x^7 + x^4 + x^3 + 1
13,24             x^n + x^4 + x^3 + x + 1
14                x^n + x^12 + x^11 + x + 1
16                x^n + x^5 + x^3 + x^2 + 1
18                x^n + x^7 + 1
23                x^n + x^5 + 1
26,27             x^n + x^8 + x^7 + x + 1
30                x^n + x^16 + x^15 + x + 1
Stream Ciphers (contd.)

Debdeep Mukhopadhyay
Assistant Professor
Department of Computer Science and Engineering
Indian Institute of Technology Kharagpur
INDIA - 721302

Objectives
• Linear Complexity
• Berlekamp Massey Algorithm

Low Power Ajit Pal IIT Kharagpur 1


The LFSR Structure

[Figure: LFSR with stages s_{j-1}, s_{j-2}, …, s_{j-L+1}, s_{j-L} and feedback coefficients c_1, …, c_L]

$$s_j = \sum_{i=1}^{L} c_i s_{j-i}, \qquad j = L, L+1, \ldots$$

An LFSR is said to generate a finite sequence s_0, s_1, …, s_{N-1} when this sequence coincides with the first N output digits of the LFSR for some initial loading.

Generation of a sequence
• If L ≥ N, the LFSR always generates the sequence.
• If L < N, it follows that the LFSR generates the sequence if and only if:
$$s_j = \sum_{i=1}^{L} c_i s_{j-i}, \qquad j = L, L+1, \ldots, N-1$$



Theorem 1
If some LFSR of length L generates the sequence s_0, s_1, …, s_{N-1} but not the sequence s_0, s_1, …, s_{N-1}, s_N, then any LFSR that generates the latter sequence has length L' satisfying:
$$L' \geq N + 1 - L$$

Proof
Case 1: L ≥ N, the theorem is trivially true.
Case 2: L < N. Let c_1, c_2, …, c_L and c'_1, c'_2, …, c'_{L'} denote the connection coefficients of the two LFSRs in question and assume that L' ≤ N - L.
$$\therefore \sum_{i=1}^{L} c_i s_{j-i} = s_j,\ j = L, L+1, \ldots, N-1; \qquad \sum_{i=1}^{L} c_i s_{j-i} \neq s_N,\ j = N$$
$$\therefore \sum_{k=1}^{L'} c'_k s_{j-k} = s_j,\ j = L', L'+1, \ldots, N-1, N$$



Proof (contd.)
Consider $\sum_{i=1}^{L} c_i s_{N-i}$.
Note that {s_{N-L}, s_{N-L+1}, …, s_{N-1}} is a subset of {s_{L'}, s_{L'+1}, …, s_{N-1}}.
$$\therefore \sum_{i=1}^{L} c_i s_{N-i} = \sum_{i=1}^{L} c_i \sum_{k=1}^{L'} c'_k s_{N-i-k} = \sum_{k=1}^{L'} c'_k \sum_{i=1}^{L} c_i s_{N-i-k} = \sum_{k=1}^{L'} c'_k s_{N-k} = s_N$$
Note that {s_{N-L'}, s_{N-L'+1}, …, s_{N-1}} is a subset of {s_L, s_{L+1}, …, s_{N-1}}.
Thus we have a contradiction. This proves the result.

Linear Complexity
• Define L_N(s) as the minimum length of all LFSRs that generate s_0, s_1, …, s_{N-1}
• Clearly, L_N(s) ≤ N
• Moreover, L_N(s) must be monotonically non-decreasing with increasing N.
• Convention:
  – the all-0 sequence is generated by the LFSR with L = 0
  – When s_0, s_1, …, s_{N-1} are all 0's but s_N = 1, then L = N+1



Lemma 1
If some LFSR of length L generates the sequence s_0, s_1, …, s_{N-1} but not the sequence s_0, s_1, …, s_{N-1}, s_N, then
$$L_{N+1}(s) \geq \max[L_N(s),\ N + 1 - L_N(s)]$$
From the monotonicity, L_{N+1}(s) ≥ L_N(s).
From Theorem 1, L_{N+1}(s) ≥ N + 1 - L_N(s).
Thus Lemma 1 follows.

Berlekamp Massey's Algorithm

• A recursive algorithm for producing one of the LFSRs of length L_N(s) which generates s_0, s_1, …, s_{N-1}, for N = 1, 2, 3, …
• C(D) = 1 + C_1 D + … + C_L D^L, which has degree at most L in the indeterminate D.
• Convention: C(D) = 1 for the LFSR of length L = 0



Connection Polynomial
For a given s, let
$$C^{(N)}(D) = 1 + C_1^{(N)} D + \cdots + C_{L_N(s)}^{(N)} D^{L_N(s)}$$
denote the connection polynomial of a minimal length L_N(s) LFSR that generates s_0, s_1, …, s_{N-1}.

Discrepancy
Lemma 1 is actually an equality. We have seen this for the base case.
Assume an induction hypothesis for L_n(s). The corresponding polynomial is C^{(n)}(D).
$$\therefore s_j \oplus \sum_{i=1}^{L_n(s)} c_i^{(n)} s_{j-i} = \begin{cases} 0, & j = L_n(s), \ldots, n-1 \\ d_n, & j = n \end{cases}$$
d_n: next discrepancy (between s_n and the (n+1)st bit generated by the minimal length LFSR which we have found to generate the first n bits of s).



Correcting the discrepancy
Case 1: d_n = 0
The LFSR also generates the first n+1 bits of s. Thus,
$$L_{n+1}(s) = L_n(s), \qquad C^{(n+1)}(D) = C^{(n)}(D)$$
Case 2: d_n = 1
Let m be the sequence length before the last length change in the minimal length register, i.e.
$$L_m(s) < L_n(s), \qquad L_{m+1}(s) = L_n(s)$$

Proving the Induction Hypothesis

Since a length change was required, <L_m(s), C^{(m)}(D)> could not generate s_0, s_1, …, s_m:
$$\therefore s_j \oplus \sum_{i=1}^{L_m(s)} c_i^{(m)} s_{j-i} = \begin{cases} 0, & j = L_m(s), \ldots, m-1 \\ d_m, & j = m \end{cases}$$

By induction hypothesis,
$$L_{m+1}(s) = L_n(s) = \max[L_m(s),\ m + 1 - L_m(s)]$$
$$\because L_m(s) < L_n(s),\qquad L_n(s) = m + 1 - L_m(s)$$



Recursive construction of polynomial

Claim: $C(D) = C^{(n)}(D) \oplus D^{n-m} C^{(m)}(D)$ is a valid next choice for $C^{(n+1)}(D)$.
Note: degree of C(D) = max[L_n(s), n - m + L_m(s)] = max[L_n(s), n + 1 - L_n(s)]
∴ C(D) is an allowable connection polynomial for an LFSR of length L = max[L_n(s), n + 1 - L_n(s)]

Proof that C(D) generates s_0, …, s_n (the first n+1 bits)

$$s_j \oplus \sum_{i=1}^{L} c_i s_{j-i} = \Big[ s_j \oplus \sum_{i=1}^{L_n(s)} c_i^{(n)} s_{j-i} \Big] \oplus \Big[ s_{j-n+m} \oplus \sum_{i=1}^{L_m(s)} c_i^{(m)} s_{j-n+m-i} \Big] = \begin{cases} 0, & j = L, L+1, \ldots, n-1 \\ 1 \oplus 1 = 0, & j = n \end{cases}$$



Conclusions
• The LFSR with length L and connection polynomial C(D) generates s_0, s_1, …, s_n
• Since L satisfies Lemma 1 with equality, the induction is also proved.

The final Algorithm



Example
• Consider the sequence of periodicity 20:
  10010011110001001110
• We plot the variation of the linear complexity with N.
  – this is obtained by the Berlekamp Massey Algorithm
  – this is called the Linear Profile

Example

[Figure: linear profile (L_N(s) against N) of the sequence above; plot not preserved]



Exercise
• Reconstruct an LFSR (of the shortest length) which generates the sequence 00111011.

s_n  d  T(D)      C(D)             L  m   B(D)      N
-    -  -         1                0  -1  1         0
0    0  -         1                0  -1  1         1
0    0  -         1                0  -1  1         2
1    1  1         1+D^3            3  2   1         3
1    1  1+D^3     1+D+D^3          3  2   1         4
1    0  1+D^3     1+D+D^3          3  2   1         5
0    0  1+D^3     1+D+D^3          3  2   1         6
1    0  1+D^3     1+D+D^3          3  2   1         7
1    1  1+D+D^3   1+D+D^3+D^5      5  7   1+D+D^3   8
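The Berlekamp Massey recursion described above (discrepancy d_n, correction C(D) + D^{n-m} B(D), length change to n+1-L when Lemma 1 holds with equality), as an added example that is not Mukhopadhyay's own code; run on the exercise sequence it reproduces the table, and on the period-20 sequence it yields the linear profile. The function names and the 0/1-string input format are this example's own.

```python
# Added example, not Mukhopadhyay's own code: Berlekamp-Massey synthesis of the
# shortest LFSR for a binary sequence, in the notation of the slides (C(D) the
# connection polynomial, B(D) the one before the last length change, m the
# sequence length at that change, d_N the discrepancy, L_N(s) the linear profile).
from typing import List, Tuple

def berlekamp_massey(bits: List[int]) -> Tuple[int, List[int], List[int]]:
    """Return (L, C, profile): L = linear complexity of bits, C[i] = coefficient
    of D^i in C(D) for i = 0..L, profile[N] = L_N(s) for N = 0..len(bits)."""
    n = len(bits)
    C = [1] + [0] * n                     # C(D) = 1 for the length-0 LFSR
    B = [1] + [0] * n
    L, m = 0, -1
    profile = [0]
    for N in range(n):
        # discrepancy d_N = s_N + sum_{i=1..L} c_i s_{N-i}   (mod 2)
        d = bits[N]
        for i in range(1, L + 1):
            d ^= C[i] & bits[N - i]
        if d == 1:                        # correct the discrepancy
            T = C[:]
            for i in range(n + 1 - (N - m)):
                C[i + N - m] ^= B[i]      # C(D) <- C(D) + D^(N-m) B(D)
            if 2 * L <= N:                # Lemma 1 with equality: new length N+1-L
                L, m, B = N + 1 - L, N, T
        profile.append(L)
    return L, C[:L + 1], profile

def poly_to_str(C: List[int]) -> str:
    """[1,1,0,1] -> '1+D+D^3' (the way the slide's table writes C(D))."""
    return "+".join("1" if i == 0 else "D" if i == 1 else f"D^{i}"
                    for i, c in enumerate(C) if c)

def lfsr_generates(C: List[int], bits: List[int]) -> bool:
    """Check that the LFSR with connection polynomial C reproduces every bit
    beyond its initial loading: s_j = sum_{i=1..L} c_i s_{j-i} for j >= L."""
    L = len(C) - 1
    for j in range(L, len(bits)):
        acc = 0
        for i in range(1, L + 1):
            acc ^= C[i] & bits[j - i]
        if acc != bits[j]:
            return False
    return True

def analyse(seq: str):
    """Run the algorithm on a 0/1 string; returns (L, C(D) as text, linear profile)."""
    bits = [int(ch) for ch in seq]
    L, C, profile = berlekamp_massey(bits)
    assert lfsr_generates(C, bits)        # the synthesised LFSR must reproduce the input
    return L, poly_to_str(C), profile
```

`analyse("00111011")` gives L = 5 and C(D) = 1+D+D^3+D^5, the last row of the table; `analyse("10010011110001001110")` returns the linear profile the Example slide plots.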



Further Reading
• James Massey, "Shift-Register Synthesis and BCH Decoding", IEEE Transactions on Information Theory, 1969
• D. Stinson, Cryptography: Theory and Practice, Chapman & Hall/CRC
• A. Menezes, P. Van Oorschot, Scott Vanstone, "Handbook of Applied Cryptography" (Available online)

Next Day's Topic
• Stream Ciphers (contd.)



The ElGamal Public Key Encryption Algorithm

The ElGamal Algorithm provides an alternative to the RSA for public key encryption.
1) Security of the RSA depends on the (presumed) difficulty of factoring large integers.
2) Security of the ElGamal algorithm depends on the (presumed) difficulty of computing discrete logs in a large prime modulus.

ElGamal has the disadvantage that the ciphertext is twice as long as the plaintext.
It has the advantage that the same plaintext gives a different ciphertext (with near certainty) each time it is encrypted.

Alice chooses
i) A large prime pA (say 200 to 300 digits),
ii) A primitive element αA modulo pA,
iii) A (possibly random) integer dA with 2 ≤ dA ≤ pA - 2.
Alice computes
iv) βA ≡ αA^dA (mod pA).
Alice's public key is (pA, αA, βA). Her private key is dA.

Bob encrypts a short message M (M < pA) and sends it to Alice like this:
i) Bob chooses a random integer k (which he keeps secret).
ii) Bob computes r ≡ αA^k (mod pA) and t ≡ βA^k M (mod pA), and then discards k.
Bob sends his encrypted message (r, t) to Alice.

When Alice receives the encrypted message (r, t), she decrypts (using her private key dA) by computing t r^(-dA). Note
  t r^(-dA) ≡ βA^k M (αA^k)^(-dA) (mod pA)
            ≡ (αA^dA)^k M (αA^k)^(-dA) (mod pA)
            ≡ M (mod pA)

Even if Eve intercepts the ciphertext (r, t), she cannot perform the calculation above because she doesn't know dA.
βA ≡ αA^dA (mod pA), so dA ≡ L_αA(βA), the discrete log of βA to the base αA.
Eve can find dA if she can compute a discrete log in the large prime modulus pA, presumably a computation that is too difficult to be practical.

Caution: Bob should choose a different random integer k for each message he sends to Alice.
If M is a longer message, so it is divided into blocks, he should choose a different k for each block.
Say he encrypts two messages (or blocks) M1 and M2, using the same k, producing ciphertexts
  (r1, t1) = (αA^k, βA^k M1), (r2, t2) = (αA^k, βA^k M2).
Then t2 t1^(-1) ≡ M2 M1^(-1) (mod p), so M2 ≡ t2 t1^(-1) M1 (mod p). If Eve intercepts both ciphertext messages and discovers one plaintext message M1, she can compute the other plaintext message M2.

Example: Alice chooses pA = 107, αA = 2, dA = 67, and she computes βA = 2^67 ≡ 94 (mod 107). Her public key is (pA, αA, βA) = (107, 2, 94), and her private key is dA = 67.

Bob wants to send the message "B" (66 in ASCII) to Alice. He chooses a random integer k = 45 and encrypts M = 66 as
  (r, t) = (αA^k, βA^k M) ≡ (2^45, 94^45 · 66) ≡ (28, 9) (mod 107).
He sends the encrypted message (28, 9) to Alice.

Alice receives the message (r, t) = (28, 9), and using her private key dA = 67 she decrypts to
  t r^(-dA) = 9 · 28^(-67) ≡ 9 · 28^(106-67) ≡ 9 · 43 ≡ 66 (mod 107).
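The key generation, encryption and decryption steps above, checked against the worked numbers (pA = 107, αA = 2, dA = 67, k = 45), together with the Caution paragraph's observation that a reused k lets one known plaintext block reveal the other; this is an added example, not the notes' own code. It assumes pA is prime and αA primitive, and uses only Python's built-in pow() for modular exponentiation and inversion.

```python
# Added example, not from the notes: ElGamal key generation, encryption and
# decryption exactly as described in the text, checked against the worked numbers
# (pA = 107, alphaA = 2, dA = 67, k = 45), plus the Caution paragraph's point that
# a reused k lets one known plaintext reveal the other.  Assumes pA is prime and
# alphaA primitive; only Python's built-in pow() is used for modular arithmetic.
import secrets

def keygen(p: int, alpha: int, d: int):
    """Alice: beta = alpha^d mod p; public key (p, alpha, beta), private key d."""
    if not 2 <= d <= p - 2:
        raise ValueError("dA must satisfy 2 <= dA <= pA - 2")
    return (p, alpha, pow(alpha, d, p)), d

def encrypt(pub, M: int, k: int = None):
    """Bob: (r, t) = (alpha^k, beta^k * M) mod p, with a fresh secret k per message."""
    p, alpha, beta = pub
    if not 0 <= M < p:
        raise ValueError("message block must satisfy M < pA")
    if k is None:
        k = 1 + secrets.randbelow(p - 2)      # random k in [1, p-2], discarded after use
    return pow(alpha, k, p), (pow(beta, k, p) * M) % p

def decrypt(p: int, d: int, ct) -> int:
    """Alice: t * r^(-d) mod p; r^(-d) = r^(p-1-d) by Fermat, as in the worked example."""
    r, t = ct
    return (t * pow(r, p - 1 - d, p)) % p

def reused_k_recover(p: int, ct1, M1: int, ct2):
    """Caution paragraph: if (r1,t1) and (r2,t2) share k (visible as r1 == r2),
    then M2 = t2 * t1^(-1) * M1 mod p.  Returns None when the k values differ."""
    (r1, t1), (r2, t2) = ct1, ct2
    if r1 != r2:
        return None
    return (t2 * pow(t1, -1, p) * M1) % p
```

Equal r values across two ciphertexts are the observable symptom of a reused k, which is why a receiver-side check for repeated r is a cheap sanity test on a sender's nonce generation.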
