http://staffhome.ecm.uwa.edu.au/~00007092/teaching/3CC/WWW/chapter4.html

Chapter 4
Linear Feedback Shift Registers
4.1 Keystreams
In Example 2.6.1 (c) in Chapter 2 we introduced stream ciphers for which the plaintext,
ciphertext, and keystream elements are all integers modulo 2 (bits), and the keystream elements
are added to the plaintext elements to produce the ciphertext stream.

$e_z(x) = x + z \bmod 2$, and $d_z(y) = y + z \bmod 2$


To generate the keystream $z = z_1, z_2, \ldots$ we typically start with a short random bit-string (the key
$K = (k_1, k_2, \ldots, k_m)$, sometimes called the `seed' in this context) and expand it into a much longer bit-string, the keystream, which we hope is `random-looking'.
However, for a one-time pad the key or seed is as long as the plaintext message and no expansion
is needed; in this case the keystream is really random, and the one-time-pad cipher is
unbreakable. (That it is unbreakable is a result of Shannon, see later.) For other cipher machines
the keystream is at best pseudo-random, and defining what this means is rather difficult, see
Section 4.3.
If the keystream is generated independently of the plaintext string, then the stream cipher is
called synchronous. Starting with the key $K = (k_1, k_2, \ldots, k_m)$ of length m, we take $z_1 = k_1$,
$z_2 = k_2, \ldots, z_m = k_m$, and generate the next keystream bit $z_{m+1} = f(z_1, z_2, \ldots, z_m)$ as a function of the
m preceding elements. Such a function f is sometimes called a feedback function. We continue
in this way, generating $z_{m+i} = f(z_i, z_{i+1}, \ldots, z_{m+i-1})$ for each $i \ge 1$ using the same function. There are only
$2^m$ bit strings of length m, so sooner or later we will find a string $z_i, z_{i+1}, \ldots, z_{i+m-1}$ that is equal to a
previous string $z_j, z_{j+1}, \ldots, z_{j+m-1}$ ($j < i$), and then, because both strings are fed to the same f, we will have $z_{i+l} = z_{j+l}$ for all $l \ge 0$. Thus the
keystream $z = z_1, z_2, \ldots$ of a synchronous stream cipher is periodic (strictly, periodic from position j onwards; for the linear feedback functions considered below with $c_1 = 1$ the recurrence can be run backwards, so the keystream is periodic from the start), and the least positive integer d
such that $z_{i+d} = z_i$ for all integers $i > 0$ is called its period. From this discussion it is clear that the
period d is at most $2^m$, where m is the length of the key. It would be nice if we could guarantee
that d was close to $2^m$, since short periods may lead to the cipher being easily broken.
One type of function used for keystream generation because it is easily implemented in computer
hardware is a function of the type

$$f(x_1, x_2, \ldots, x_m) = c_1 x_1 + c_2 x_2 + \cdots + c_m x_m = \sum_{j=1}^{m} c_j x_j \bmod 2,$$

where the constants $c_1, \ldots, c_m \in \mathbb{Z}_2$. Then if $z_{i+m} = f(z_i, \ldots, z_{i+m-1})$, we get

$$z_{i+m} = \sum_{j=1}^{m} c_j z_{i+j-1} \bmod 2 \qquad \text{for all } i \ge 1. \tag{4.1}$$


This is called a linear recurrence relation of degree m. With this type of function an all
zero key $K = (0, 0, \ldots, 0)$ would produce an all zero keystream, so we avoid this. However, it is
possible to choose the constants $c_1, c_2, \ldots, c_m$ in such a way that for any other key $K = (k_1, k_2, \ldots, k_m)$
with at least one non-zero $k_i$, the keystream generated by the linear recurrence relation has period
equal to $2^m - 1$. Justifying this depends on the theory of linear recurrence relations and the
existence of primitive polynomials over $\mathbb{Z}_2$. We look at this in the next section. Recall that the
key K must be transmitted to the receiver Bob by a secure channel, so having a relatively short
key (of length m) compared with the period of the keystream (of period $2^m - 1$) is highly
desirable, provided it is not at the expense of the security of the stream cipher.
Example 1 Suppose m = 4 and the rule for generating the keystream is

$$z_{i+4} = z_i + z_{i+1} \bmod 2.$$

For any initial key K apart from (0,0,0,0) this gives a keystream of period 15. For example,
starting with the key K = (1,1,0,0) we get the keystream

1,1,0,0,0,1,0,0,1,1,0,1,0,1,1,1,1,0,0,...

The first time we get a repeat of a 4-bit string is the repeat of 1,1,0,0 starting at the 16th position,
that is, after 15 distinct 4-bit strings. Any other non-zero initial key will produce a cyclic
shift of this keystream, so the period is always 15.

Example 2 Suppose m = 3 and the rule for generating the keystream is

$$z_{i+3} = f(z_i, z_{i+1}, z_{i+2}) = z_i + z_{i+1} + z_{i+2} \bmod 2.$$

For the key K = (1,0,1) this gives a keystream 10101010... of period 2; for the key K = (1,1,1) this
gives the keystream 11111... of period 1; for the key K = (0,0,1) this gives the keystream
00110011... of period 4. Thus in this case the period depends on the key.
Keystreams defined by linear recurrence relations can be generated by linear feedback shift
registers (LFSRs), and so are widely used in practice also.
Here the switches are closed if and only if $c_i = 1$, and $\oplus$ indicates mod 2 addition (which can be
done very quickly in practice as an `exclusive-or'). Initial values $k_1, k_2, \ldots, k_m$ are placed in the
shift registers $S_1, S_2, \ldots, S_m$. Then the machine is allowed to produce one output bit per clock cycle,
and the stored values move following the arrows to the next shift register once per clock cycle.
This is what happens on the first step.
1. $k_1$ is tapped out as the first keystream bit;
2. $k_2, \ldots, k_m$ are each shifted to the shift register to the right (so the value in $S_{i+1}$ moves into $S_i$);
3. the `new' value to be placed in shift register $S_m$ is computed to be $\sum_{j=1}^{m} c_j k_j \bmod 2$.
This is the `linear feedback', and is computed `by' the electrical circuitry of the LFSR.
A diagram of an LFSR corresponding to this description is given below.

Example 3 The linear feedback shift register (LFSR) corresponding to the linear recurrence
relation of Example 4.1.1 is shown below.

Notice that we only show connections corresponding to the non-zero ci. Starting with
K=(1,1,0,0) we see the LFSR operating as below.

         S4 S3 S2 S1 | output
initial   0  0  1  1 |
          0  0  0  1 |   1
          1  0  0  0 |   1
          0  1  0  0 |   0
          0  0  1  0 |   0
          1  0  0  1 |   0
          1  1  0  0 |   1
etc.
In each row the output column is the bit tapped out of S1 during that clock cycle, and the new value of S4 is the feedback S1 + S2 (mod 2) computed from the previous row.
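As an added, runnable illustration (example code written for this edit, not code from the original chapter), the following Python models the register just described: `lfsr_step` performs one clock cycle of recurrence (4.1) with taps $(c_1, \ldots, c_m)$, `lfsr_state_table` reproduces the S4 S3 S2 S1 | output rows of the table above, `lfsr_period` runs the register until its contents first return to the key, and `periods_by_key` does that for every non-zero key. The function names are this example's own; the tap and key tuples are the ones from Examples 1 and 2.

```python
from itertools import count


def lfsr_step(taps, state):
    """One clock cycle of the LFSR for z_{i+m} = sum_j c_j z_{i+j-1} (mod 2).
    taps = (c_1, ..., c_m); state = (S_1, ..., S_m), S_1 being the bit tapped
    out next.  Returns (output_bit, new_state)."""
    feedback = sum(c & s for c, s in zip(taps, state)) % 2   # the linear feedback
    return state[0], state[1:] + (feedback,)                  # shift right, fill S_m


def lfsr_keystream(taps, key, nbits):
    """First nbits of the keystream z_1, z_2, ... from key (k_1, ..., k_m)."""
    if len(taps) != len(key):
        raise ValueError("key length must equal the degree m of the recurrence")
    state, out = tuple(key), []
    for _ in range(nbits):
        bit, state = lfsr_step(taps, state)
        out.append(bit)
    return out


def lfsr_state_table(taps, key, cycles):
    """Rows (S_m, ..., S_1), output as in the worked tables: the output is the
    bit tapped out of S_1 during that clock cycle (None for the initial row)."""
    state = tuple(key)
    rows = [(tuple(reversed(state)), None)]
    for _ in range(cycles):
        bit, state = lfsr_step(taps, state)
        rows.append((tuple(reversed(state)), bit))
    return rows


def lfsr_period(taps, key):
    """Least d > 0 after which the register contents return to the key.
    With c_1 = 1 the state map is a bijection, so a non-zero key recurs within
    2^m - 1 cycles; with c_1 = 0 the keystream may be only eventually periodic
    and the key itself is never revisited, which is reported as an error."""
    m, start = len(taps), tuple(key)
    state = start
    for d in count(1):
        _, state = lfsr_step(taps, state)
        if state == start:
            return d
        if d > 2 ** m:
            raise ValueError("initial state never recurs (keystream only eventually periodic)")


def periods_by_key(taps):
    """Period for every non-zero key.  A constant value 2^m - 1 is what a
    primitive characteristic polynomial gives (Example 1); Example 2 gives a mix."""
    m = len(taps)
    keys = (tuple((k >> j) & 1 for j in range(m)) for k in range(1, 2 ** m))
    return {key: lfsr_period(taps, key) for key in keys}


if __name__ == "__main__":
    # Example 1: z_{i+4} = z_i + z_{i+1}, i.e. taps (c_1, c_2, c_3, c_4) = (1, 1, 0, 0)
    print(lfsr_keystream((1, 1, 0, 0), (1, 1, 0, 0), 19))
    for regs, out in lfsr_state_table((1, 1, 0, 0), (1, 1, 0, 0), 6):
        print(" ".join(map(str, regs)), "|", "" if out is None else out)
    print(sorted(set(periods_by_key((1, 1, 0, 0)).values())))   # every key: period 15
    # Example 2: z_{i+3} = z_i + z_{i+1} + z_{i+2}, taps (1, 1, 1)
    print(sorted(set(periods_by_key((1, 1, 1)).values())))      # periods 1, 2 and 4
```

Running `periods_by_key` on the taps of Exercise 3 below, (1, 1, 0, 1), shows the same key-dependent behaviour as Example 2, which is the symptom that Section 4.2 explains.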

4.2 Primitive polynomials


Example 4.1.2 and Question 3 in Exercise Set 4.4 demonstrate that some choices of the
constants $c_i$ in the linear recurrence relation (4.1) may give short periods for all initial keys K,
and that these periods may be different for different keys. Let's try to find a partial explanation for
this behaviour.
Some of you may have met `linear recurrence relations', sometimes called `linear difference
equations', over the real or complex field. Just as with linear differential equations with constant
coefficients, the nature of their solutions depends on the roots of an associated polynomial
(the auxiliary polynomial). In the case of the linear recurrence relation (4.1) the polynomial
which is relevant is

$$f(x) = x^m + c_m x^{m-1} + \cdots + c_2 x + c_1$$

and is called the characteristic polynomial of the linear recurrence relation. Note that all the
$c_i \in \mathbb{Z}_2$, and that all the signs are + signs because $+1 = -1$ in $\mathbb{Z}_2$. It turns out that the
LFSR corresponding to f(x) has keystream with the maximum possible period $2^m - 1$ if and only if
f(x) is a primitive polynomial over $\mathbb{Z}_2$.
Recall from Section 3.5 that a degree m polynomial $f(x) \in \mathbb{Z}_2[x]$ is primitive if and only if f(x) is
irreducible and x is a primitive element of the field F constructed using f(x) (as described in
Section 3.5). Equivalently, f(x) is primitive if and only if f(x) is irreducible and the least positive
integer n such that f(x) divides $x^n - 1$ is $n = 2^m - 1$. The main thing to remember is that these
polynomials exist for all values of m, and tables of them are available in the literature (see, for
example, tables in Beker and Piper's book on pages 195 and 404).
Example 1 In Example 4.1.1, the characteristic polynomial is $f(x) = x^4 + x + 1$. It is irreducible
and indeed it is primitive. The associated LFSR has period 15 for all initial non-zero keys.
In Example 4.1.2, the characteristic polynomial is $f(x) = x^3 + x^2 + x + 1 = (x+1)^3 \bmod 2$. As we saw,
different keys gave keystreams of periods 1, 2 or 4.
If the keystream from an LFSR has maximum period $2^m - 1$, then every one of the $2^m - 1$ possible
bit strings of length m (except the all-zero string) occurs as the contents of the m shift registers at
some stage, so it does not matter what our (not all-zero) initial key string is from the point of
view of getting a maximum period for the keystream. Of course it matters for decrypting the
ciphertext! A proof that we get this maximum period if and only if the characteristic polynomial
is primitive can be found in Section 5.8 of Beker and Piper's book. This proof is not required for
this unit.
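The primitivity test stated above can be carried out mechanically for the small degrees in this chapter. The following Python is an added example written for this edit (not code from the chapter or from Beker and Piper): polynomials over $\mathbb{Z}_2$ are stored as integers with bit i holding the coefficient of $x^i$, `smallest_factor` decides irreducibility by trial division, and `is_primitive` then checks that x has order $2^m - 1$ in $\mathbb{Z}_2[x]/(f)$ by verifying $x^{(2^m-1)/p} \ne 1$ for each prime p dividing $2^m - 1$. `char_poly` builds the characteristic polynomial from the taps $(c_1, \ldots, c_m)$ of recurrence (4.1). All names are this example's own; the trial-division factoring is only meant for the small m used here.

```python
def poly_deg(a):
    """Degree of a polynomial over Z_2 stored as an int (bit i = coefficient of x^i)."""
    return a.bit_length() - 1


def poly_mod(a, f):
    """Remainder of a on division by f in Z_2[x]."""
    df = poly_deg(f)
    while a and poly_deg(a) >= df:
        a ^= f << (poly_deg(a) - df)
    return a


def poly_mulmod(a, b, f):
    """a * b mod f: multiplication in the field Z_2[x]/(f) when f is irreducible."""
    a, b, r = poly_mod(a, f), poly_mod(b, f), 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> poly_deg(f) & 1:        # degree reached deg f: reduce once
            a ^= f
    return r


def poly_powmod(a, e, f):
    """a^e mod f by square-and-multiply."""
    r, a = 1, poly_mod(a, f)
    while e:
        if e & 1:
            r = poly_mulmod(r, a, f)
        a = poly_mulmod(a, a, f)
        e >>= 1
    return r


def smallest_factor(f):
    """Lowest-degree non-trivial divisor of f, found by trial division by every
    polynomial of degree 1 .. deg(f)//2; None when f is irreducible."""
    m = poly_deg(f)
    return next((g for g in range(2, 1 << (m // 2 + 1)) if poly_mod(f, g) == 0), None)


def prime_factors(n):
    ps, p = set(), 2
    while p * p <= n:
        while n % p == 0:
            ps.add(p)
            n //= p
        p += 1
    return ps | ({n} if n > 1 else set())


def is_primitive(f):
    """f is primitive iff it is irreducible and x has order 2^m - 1 in Z_2[x]/(f),
    i.e. x^((2^m - 1)/p) != 1 for every prime p dividing 2^m - 1."""
    if smallest_factor(f) is not None:
        return False
    m, x = poly_deg(f), 0b10
    order = (1 << m) - 1
    return all(poly_powmod(x, order // p, f) != 1 for p in prime_factors(order))


def char_poly(taps):
    """Characteristic polynomial x^m + c_m x^(m-1) + ... + c_2 x + c_1 of recurrence (4.1)."""
    f = 1 << len(taps)
    for j, c in enumerate(taps):          # c_{j+1} is the coefficient of x^j
        f |= c << j
    return f


def poly_str(f):
    terms = [("1" if i == 0 else "x" if i == 1 else f"x^{i}")
             for i in range(poly_deg(f), -1, -1) if f >> i & 1]
    return " + ".join(terms) if terms else "0"


if __name__ == "__main__":
    # taps from Example 4.1.1, Example 4.1.2, Exercise 3 of Set 4.4, and x^4+x^3+x^2+x+1
    for taps in [(1, 1, 0, 0), (1, 1, 1), (1, 1, 0, 1), (1, 1, 1, 1)]:
        f = char_poly(taps)
        g = smallest_factor(f)
        print(poly_str(f), "irreducible:", g is None, "primitive:", is_primitive(f),
              "" if g is None else "(divisible by " + poly_str(g) + ")")
```

The last case, $x^4 + x^3 + x^2 + x + 1$, is irreducible but not primitive: it divides $x^5 - 1$, so x has order 5 rather than 15, and the corresponding LFSR (taps (1,1,1,1)) has period dividing 5 for every key. Irreducibility alone is therefore not enough; the order check is the part that matters.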
The following is again not required for the unit. I developed it as a `game' to hint at how a
primitive polynomial f(x) might be linked to long periods of keystreams.
Suppose for some perverse reason that we play the following game: We imagine that the initial
key elements are polynomials in an indeterminate x, and in fact that the key is $K = (1, x, x^2, \ldots, x^{m-1})$. We imagine further that these polynomials are elements of a finite field constructed as in
Section 3.5 using a primitive polynomial $f(x) = x^m + c_m x^{m-1} + \cdots + c_2 x + c_1$, so that in this field we have
f(x) = 0 and hence $x^m = c_m x^{m-1} + \cdots + c_2 x + c_1$. Now in an LFSR with characteristic polynomial f(x), the
initial contents of the m shift registers satisfy: $S_1$ contains 1, $S_2$ contains x, ..., $S_m$ contains $x^{m-1}$.
After the first clock cycle we output the contents 1 of the shift register $S_1$, we move the contents
of each other shift register into the shift register one step to the right, and we feed into the shift
register $S_m$ the `feedback', which is $c_1 \cdot 1 + c_2 x + \cdots + c_m x^{m-1} = f(x) + x^m = x^m$. Similarly after the second
clock cycle we output the contents x of $S_1$, we move the contents of each other shift register into
the shift register one step to the right, and we feed into $S_m$ the `feedback', which is $c_1 x + c_2 x^2 + \cdots + c_m x^m = x(f(x) + x^m) = x^{m+1}$. Thus the LFSR generates the following sequence of states in the shift
registers:
                                  S_m        ...   S_2      S_1   | output
initial                           x^{m-1}    ...   x        1     |
after 1st clock cycle (feedback)  x^m        ...   x^2      x     | 1
after 2nd clock cycle             x^{m+1}    ...   x^3      x^2   | x
...                               ...        ...   ...      ...   | ...
after i-th clock cycle            x^{m+i-1}  ...   x^{i+1}  x^i   | x^{i-1}
...                               ...        ...   ...      ...   | ...
after j-th clock cycle
(first repeat of initial state)   x^{m-1}    ...   x        1     | x^{j-1}

At some point we will get a repeat of the initial contents of the shift registers. After the i-th clock
cycle $S_1$ contains $x^i$, so if the first time this happens is after the j-th clock cycle then $x^j = 1$, and
this will be the first time this happens, that is, j will be the smallest positive integer such that
$x^j = 1$. This integer j is the period of the LFSR. By the definition of a primitive element in a field
of order $2^m$, the period is $2^m - 1$ if and only if x is a primitive element, if and only if f(x) is a primitive polynomial.

4.3 Randomness
Clearly no periodic sequence, such as the keystream produced by a linear feedback shift register,
is truly random. In fact knowledge of any 2m consecutive output bits of a keystream with
characteristic polynomial $f(x) = x^m + c_m x^{m-1} + \cdots + c_1$ of degree m is sufficient to determine the
characteristic polynomial, and hence to determine the whole keystream. This is because we have
m equations

$$z_{m+i} = c_1 z_i + c_2 z_{i+1} + \cdots + c_m z_{m-1+i} \qquad (i = 1, \ldots, m)$$

in the m unknowns $c_1, \ldots, c_m$ that can be solved by Gaussian elimination over $\mathbb{Z}_2$. (The $m \times m$ coefficient matrix of this system is non-singular exactly when the keystream cannot also be produced by a linear recurrence of degree less than m, which is the case for every non-zero key when f(x) is primitive; in degenerate cases such as the all-ones keystream of Example 4.1.2 the system has several solutions, but each of them still generates the same keystream.) In practice the cryptanalyst obtains these keystream bits from a known plaintext-ciphertext pair, since $z = x + y \bmod 2$.
What we really want of the keystream is unpredictability rather than true randomness. If a
cryptanalyst intercepts part of the keystream then we want this knowledge to give the
cryptanalyst no information about what will come next in the keystream. Of course this is
impossible if the cryptanalyst has a whole cycle of the keystream. However if only a portion of
the keystream, considerably shorter than the period, is intercepted, then we want this to provide
no further information about the rest of the keystream. Any keystream satisfying this general
property is called a pseudo-random sequence. By this standard a bare LFSR fails badly: 2m bits, a tiny fraction of a period of $2^m - 1$, determine everything.
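The attack sketched above, carried out in Python as an added example for this edit (not code from the chapter): `recover_taps` sets up the m equations from 2m consecutive keystream bits and solves them by Gauss-Jordan elimination over $\mathbb{Z}_2$, `extend_keystream` then runs the recovered recurrence forward to predict the rest of the period, and `lfsr_bits` is a small reference generator used only to produce the sample keystream. The degenerate all-ones keystream of Example 4.1.2 is included to show the singular case. Function names are this example's own. When m is not known in advance the same job is done by the Berlekamp-Massey algorithm, which finds the shortest recurrence consistent with the bits seen; this example assumes m is known.

```python
def gf2_solve(rows, m):
    """Gauss-Jordan elimination over Z_2 on an m x (m+1) augmented matrix given as
    lists of bits.  Returns the unique solution, or None when the system is singular
    (rank < m) or inconsistent."""
    rows = [list(r) for r in rows]
    pivot = 0
    for col in range(m):
        pr = next((r for r in range(pivot, len(rows)) if rows[r][col]), None)
        if pr is None:
            continue                                    # no pivot: free unknown
        rows[pivot], rows[pr] = rows[pr], rows[pivot]
        for r in range(len(rows)):
            if r != pivot and rows[r][col]:
                rows[r] = [a ^ b for a, b in zip(rows[r], rows[pivot])]
        pivot += 1
    if pivot < m:
        return None
    return [rows[k][m] for k in range(m)]              # row k has its pivot in column k


def recover_taps(bits, m):
    """Recover (c_1, ..., c_m) from 2m consecutive keystream bits via the m equations
    z_{m+i} = c_1 z_i + ... + c_m z_{m-1+i}, i = 1..m (0-based slices below)."""
    if len(bits) < 2 * m:
        raise ValueError("need at least 2m consecutive keystream bits")
    rows = [list(bits[i:i + m]) + [bits[i + m]] for i in range(m)]
    return gf2_solve(rows, m)


def extend_keystream(bits, taps, nbits):
    """Run recurrence (4.1) forward from the last m known bits to predict nbits more."""
    m, z = len(taps), list(bits)
    for _ in range(nbits):
        z.append(sum(c & b for c, b in zip(taps, z[-m:])) % 2)
    return z[len(bits):]


def lfsr_bits(taps, key, nbits):
    """Reference keystream generator for the demonstration (same recurrence)."""
    z = list(key)
    while len(z) < nbits:
        z.append(sum(c & b for c, b in zip(taps, z[-len(taps):])) % 2)
    return z[:nbits]


if __name__ == "__main__":
    taps, key = (1, 1, 0, 0), (1, 1, 0, 0)            # Example 4.1.1, period 15
    stream = lfsr_bits(taps, key, 30)
    seen = stream[:8]                                 # the attacker holds only 2m = 8 bits
    c = recover_taps(seen, 4)
    print("recovered taps:", c)                       # [1, 1, 0, 0]
    print("rest of stream predicted:", extend_keystream(seen, c, 22) == stream[8:])
    print("all-ones keystream, m = 3:", recover_taps([1] * 6, 3))   # None: singular
```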
We saw that differing frequencies of the letters, or short strings of consecutive letters, in English
text enabled substitution ciphers to be broken easily with sufficient ciphertext. Similar ideas led
to the suggestion in 1967 by Solomon Golomb of several properties of the keystream which
might help to ensure that it could be used securely for encryption. To state these we need to
introduce some terminology. In a sequence of binary integers, a run is a string of consecutive
equal bits; for example the sequence 00011011 starts with a run of three 0's, followed by a run of
two 1's, then a run of one 0 and a run of two 1's. A run of 0's is called a gap while a run of 1's is
called a block.

Golomb's Randomness Principles: For a keystream of binary integers having period n, say
$z_1, z_2, \ldots, z_n, \ldots$,
G1 Each consecutive string of length n from the keystream should contain exactly n/2
ones (and n/2 zeros) if n is even, or it should contain (n-1)/2 or (n+1)/2 ones if n is odd, so that the numbers of ones and zeros differ by at most 1. (A maximum-period LFSR keystream, with $n = 2^m - 1$, has $2^{m-1}$ ones and $2^{m-1} - 1$ zeros.)
G2 In each consecutive string of length n from the keystream, half the runs should have
length 1, a quarter should have length 2, an eighth should have length 3, and in general,
for each i for which there are at least $2^{i+1}$ runs, $1/2^i$ of the runs should have length i. Moreover for
each of these lengths there should be equally many gaps and blocks.
G3 For each $i = 1, \ldots, n-1$, let A(i) be the number of j such that $1 \le j \le n$ and $z_j = z_{i+j}$. Then
we should have $A(1) = A(2) = \cdots = A(n-1)$.
A keystream that satisfies all of Golomb's Randomness Principles is called a pseudo-noise
sequence.
The most familiar truly random sequence is probably the sequence of heads and tails obtained
from independent tosses of a fair coin. In this context G1 says there should be about equally
many heads and tails; G2 says that after a run of heads (or a run of tails) there is a 50/50 chance
that the run will end with the next coin toss; G3 reflects the independence of the coin tosses: knowing the result of a given coin toss gives no information about the result of the next coin
toss.
While finding pseudo-noise sequences, that is, sequences satisfying Golumb's Randomness
Principles exactly, seems difficult, the principles provide the basis for several statistical tests
which can be applied to keystreams to give a measure of some of their randomness properties.
Example 1 Consider the sequence $(z_i)_{i \ge 1}$ in the text above of period 8, namely

0001101100011011...

Each consecutive string of length 8 contains 4 zeros and 4 ones, so it satisfies G1. Next, if we consider the
first 8-bit string we have 4 runs, of which 1 has length 1 and 2 have length 2; for the 8-bit string
$z_2 \ldots z_9$ = 00110110, there are 5 runs, of which 2 have length 1 and 3 have length 2; etc. So G2 is
not satisfied. Finally A(1) = A(7) = 4, A(2) = A(6) = 2, A(3) = A(5) = 4, A(4) = 4, so G3 is not satisfied. (A(n/2) is always even when n is even, since $z_j = z_{j+n/2}$ holds for j and for j + n/2 together.)
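The three principles can be checked mechanically. The Python below is an added example written for this edit (not code from the chapter): `satisfies_g1`, `satisfies_g2` and `satisfies_g3` test G1, G2 and G3 on one period of a sequence, and `autocorrelation` returns $A(1), \ldots, A(n-1)$. One deliberate choice: `cyclic_runs` counts runs around the cycle, in Golomb's original formulation, so a run that wraps from the end of a period into the start of the next counts once; the example above instead counts runs inside each linear window, which cuts the first and last run. The inputs are one period of the period-8 sequence above, of the period-15 keystream of Example 4.1.1, and of the 26-bit class sequence from Exercise 4 of Set 4.4; all names are this example's own. The maximum-period LFSR keystream passes all three tests, which is the sense in which LFSR output looks random even though Section 4.3 shows it is completely predictable.

```python
def satisfies_g1(seq):
    """G1: ones and zeros in one period balanced (equal for even n, differ by 1 for odd n)."""
    ones = sum(seq)
    zeros = len(seq) - ones
    return abs(ones - zeros) == len(seq) % 2


def cyclic_runs(seq):
    """Runs of one period counted around the cycle (Golomb's convention): a run that
    wraps from the end of the period into the start is one run.  Returns (bit, length) pairs."""
    n = len(seq)
    start = next((k for k in range(n) if seq[k] != seq[k - 1]), None)
    if start is None:                               # constant sequence: a single run
        return [(seq[0], n)]
    rot = seq[start:] + seq[:start]                 # rotate so position 0 begins a run
    runs = []
    for b in rot:
        if runs and runs[-1][0] == b:
            runs[-1] = (b, runs[-1][1] + 1)
        else:
            runs.append((b, 1))
    return runs


def satisfies_g2(seq):
    """G2: for each i with at least 2^(i+1) runs, exactly 1/2^i of the runs have length i,
    split equally between gaps (runs of 0) and blocks (runs of 1)."""
    runs = cyclic_runs(seq)
    total, i = len(runs), 1
    while total >= 2 ** (i + 1):
        of_len = [b for b, length in runs if length == i]
        if len(of_len) * 2 ** i != total or of_len.count(0) != of_len.count(1):
            return False
        i += 1
    return True


def autocorrelation(seq):
    """A(i) = #{ j : z_j = z_{i+j} } for i = 1 .. n-1, indices taken modulo the period."""
    n = len(seq)
    return [sum(seq[j] == seq[(j + i) % n] for j in range(n)) for i in range(1, n)]


def satisfies_g3(seq):
    """G3: the out-of-phase agreement counts A(1), ..., A(n-1) are all equal."""
    return len(set(autocorrelation(seq))) <= 1


def golomb_report(seq):
    return {"G1": satisfies_g1(seq), "G2": satisfies_g2(seq), "G3": satisfies_g3(seq)}


# Constructed inputs: one period of each sequence disc ussed in the text.
PERIOD_8 = [0, 0, 0, 1, 1, 0, 1, 1]                            # Example 1 above
M_SEQUENCE_15 = [1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1]  # Example 4.1.1, x^4 + x + 1
CLASS_26 = [int(b) for b in "01101101111110010100110110"]     # Exercise 4, Set 4.4

if __name__ == "__main__":
    print("period 8:   ", golomb_report(PERIOD_8), autocorrelation(PERIOD_8))
    print("m-sequence: ", golomb_report(M_SEQUENCE_15), autocorrelation(M_SEQUENCE_15))
    print("class seq:  ", golomb_report(CLASS_26), autocorrelation(CLASS_26)[:13])
```

For the period-15 keystream the agreement count is A(i) = 7 for every shift, the 8 cyclic runs split as 4 of length 1 (two gaps, two blocks), 2 of length 2 (one of each), one gap of length 3 and one block of length 4, and there are 8 ones against 7 zeros.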

4.4 Exercise Set: LFSR's


1. Find the period of the linear recurrence relation

$$z_{i+3} = z_{i+1} + z_i \bmod 2,$$

for $i \ge 1$, and give the keystream generated from the seed K = (1,1,1). Write down the
characteristic polynomial for this linear recurrence. Is it a primitive polynomial?
2. Construct a linear feedback shift register to generate the keystream in Question 1.
3. Consider the linear recurrence

$$z_{i+4} = z_{i+3} + z_{i+1} + z_i \bmod 2,$$

of degree m = 4. Find the keystreams and periods generated from the keys (i) (1,1,1,1), (ii)
(0,0,0,1), (iii) (1,0,1,0), (iv) (0,0,1,0), (v) (1,0,1,1).
What is the characteristic polynomial of this linear recurrence? In what way does it help explain
your answers to parts (i)-(v)?
4. The exercise set in class concerned the following binary sequence constructed by the class
(a sequence of period 26, written out here twice):

0110110111111001010011011001101101111110010100110110

Check the extent to which the three Golomb Randomness Principles hold for this sequence.

4.5 Solutions: LFSR's


1. K = (1,1,1) generates the keystream 1,1,1,0,0,1,0,1,1,1,.... This has period 7 since the first time
the 3-bit string 1,1,1 is repeated is in row 8 below (the new value of S3 in each row is the feedback S1 + S2 from the previous row; the output column is the bit tapped out of S1 in that clock cycle).
        S3 S2 S1 | output
initial  1  1  1 |
         0  1  1 |   1
         0  0  1 |   1
         1  0  0 |   1
         0  1  0 |   0
         1  0  1 |   0
         1  1  0 |   1
         1  1  1 |   0
The characteristic polynomial is $f(x) = x^3 + x + 1$. Since the period of the sequence is $7 = 2^3 - 1$ (the
maximum possible for the degree), this polynomial is primitive.
2. The LFSR has three shift registers S3, S2, S1, with connections going down from the output
side of S1 and S2.
3. (i) Keystream 1,1,1,1..., period 1; (ii) row 7 is the first repeat of the 4-bit string 1,0,0,0 so the
period is 6 and the keystream is 0,0,0,1,1,1 then repeated; (iii) row 3 is the first repeat of the 4-bit
string 0,1,0,1 so the period is 2 and the keystream is 1,0 then repeated; (iv) row 4 is the first
repeat of the 4-bit string 0,1,0,0 so the period is 3 and the keystream is 0,0,1 then repeated; (v)
row 4 is the first repeat of the 4-bit string 1,1,0,1 so the period is 3 and the keystream is 1,0,1
then repeated.
case (ii)   S4 S3 S2 S1 | output
initial      1  0  0  0 |
             1  1  0  0 |   0
             1  1  1  0 |   0
             0  1  1  1 |   0
             0  0  1  1 |   1
             0  0  0  1 |   1
             1  0  0  0 |   1
case (iii)  S4 S3 S2 S1 | output
initial      0  1  0  1 |
             1  0  1  0 |   1
             0  1  0  1 |   0
case (iv)   S4 S3 S2 S1 | output
initial      0  1  0  0 |
             0  0  1  0 |   0
             1  0  0  1 |   0
             0  1  0  0 |   1
case (v)    S4 S3 S2 S1 | output
initial      1  1  0  1 |
             0  1  1  0 |   1
             1  0  1  1 |   0
             1  1  0  1 |   1
In each case the new value of S4 is the feedback S1 + S2 + S4 (mod 2) computed from the previous row, and the output column is the bit tapped out of S1 in that clock cycle.
The characteristic polynomial is $f(x) = x^4 + x^3 + x + 1$. This polynomial is not primitive; in fact it is
not even irreducible, since $f(x) = (x+1)^2 (x^2 + x + 1)$. Hence we do not get period $2^4 - 1 = 15$.
4. [Solution from Wayne Griffiths] The binary sequence constructed by the class:

01101101111110010100110110
Golomb Randomness Principles:
G1. 10 zeros and 16 ones: not equal so Golomb's first principle fails, but not too badly.
G2. For this we need to look at lots of `windows' of length 26 in the sequence so we write
out the sequence twice.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
0 1 1 0 1 1 0 1 1 1 1 1 1 0 0 1
17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
0 1 0 0 1 1 0 1 1 0 0 1 1 0 1 1
33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
0 1 1 1 1 1 1 0 0 1 0 1 0 0 1 1
49 50 51 52
0 1 1 0
Window   Runs   G2 requires            Actual numbers
                length 1   length 2    length 1   length 2
1-26     15     7.5        3.75        8          6
2-27     14     7          3.5         6          7
3-28     15     7.5        3.75        8          6
4-29     14     7          3.5         6          7
5-30     14     7          3.5         6          7
6-31     15     7.5        3.75        8          6
7-32     14     7          3.5         6          7
8-33     14     7          3.5         6          7
9-34     15     7.5        3.75        7          7
10-35    15     7.5        3.75        6          8
11-36    15     7.5        3.75        6          7
12-37    15     7.5        3.75        6          8
13-38    15     7.5        3.75        7          7
14-39    14     7          3.5         6          7
15-40    15     7.5        3.75        8          6
16-41    14     7          3.5         6          7
17-42    14     7          3.5         6          7
18-43    14     7          3.5         6          7
19-44    14     7          3.5         6          7
20-45    15     7.5        3.75        8          6
21-46    14     7          3.5         6          7
22-47    15     7.5        3.75        8          6
23-48    14     7          3.5         6          7
24-49    14     7          3.5         6          7
25-50    15     7.5        3.75        8          6
26-51    14     7          3.5         6          7

There are too many runs of length 2 and not enough of length 1.
G3.
i 1 2 3 4 5 6 7 8 9 10 11 12 13
A(i) 12 10 18 14 10 14 16 12 10 16 12 12 18
This is not too bad. Five values reasonably well distributed.

