Constructions of de Bruijn sequences from a full-length shift register and an irreducible LFSR



Finite Fields and Their Applications 60 (2019) 101574


Finite Fields and Their Applications www.elsevier.com/locate/ffa

Lin-Lin Zhou, Tian Tian ∗, Wen-Feng Qi, Zhong-Xiao Wang

National Digital Switching System Engineering & Technological Research Center, P.O. Box 407, 62 Kexue Road, Zhengzhou, 450001, P. R. China


Article history: Received 10 April 2019; Received in revised form 21 July 2019; Accepted 23 July 2019; Available online 12 August 2019. Communicated by Arne Winterhof.

MSC: 94A55, 94A60

Abstract

In this paper, we study the construction of de Bruijn sequences. A method is given to stretch a de Bruijn sequence of order n to a de Bruijn sequence of order n + k with the help of a k-stage irreducible LFSR. It is shown that there is a correspondence between the cycle structure of an LFSR(l) and that of an NFSR(f ∗ l), where f is the characteristic function of a de Bruijn sequence of order n and the LFSR(l) is a k-stage irreducible LFSR. Besides, an efficient algorithm is given to construct a class of de Bruijn sequences whose time complexity is $2^{n+1}O(k)$ and memory requirement is $O(2^{n+1})$.

© 2019 Elsevier Inc. All rights reserved.

Keywords: Nonlinear feedback shift registers; De Bruijn sequences; Conjugate states

1. Introduction

In cryptography, linear feedback shift registers (LFSRs) have been widely used in stream ciphers for their good statistical properties and efficient implementations. Because many stream ciphers based on LFSRs were susceptible to correlation attacks and algebraic attacks, recently many cryptosystems use the nonlinear feedback shift register (NFSR) as a main building block, such as Trivium [1] and Grain [2]. It is an important problem in cryptography how to generate nonlinear sequences with large periods and good pseudo-random properties. For a positive integer n, a de Bruijn sequence of order n has the least period $2^n$ and all n-tuple subsequences are distinct. De Bruijn sequences have attracted considerable attention and have been studied for decades. Please refer to [3] for a detailed survey on early constructions of de Bruijn sequences.

A well-known approach to constructing de Bruijn sequences is the cycle joining method proposed by Golomb in [4]. The main idea is joining all the cycles of an NFSR into a single cycle by interchanging the successors of a set of conjugate states. However, it is very difficult to study the cycle structure of a general NFSR and determine useful conjugate states. Hence, LFSRs are often used to construct de Bruijn sequences by the cycle joining method. In 1984, Etzion and Lempel discussed the cycle structure of pure cycling shift registers in [5]. Recently the cycle structure and adjacency graphs of several kinds of LFSRs were studied in [6–8]. By characterizing the adjacency graph of an LFSR, a large number of de Bruijn sequences could be constructed. Furthermore, Chang et al. extended previous work on special LFSRs to general LFSRs in [9]. Besides, LFSRs with irreducible characteristic polynomials have received some independent attention. In [10], Hauge and Helleseth discussed the cycle structure of a general irreducible LFSR and described a close connection between the number of constructed de Bruijn sequences and cyclotomic numbers. Recently, Dong and Pei proposed the new concept of a "correlated" cycle based on a given cycle and analyzed the distribution of conjugate states for an irreducible LFSR in [11]. The contribution of [12] was characterizing conjugate pairs for an irreducible LFSR via Zech's logarithm to construct de Bruijn sequences. Note that the de Bruijn sequences constructed from LFSRs with irreducible characteristic polynomials mentioned above have the advantage of large orders.

Another well-known method of constructing de Bruijn sequences is the recursive construction, that is, stretching a de Bruijn sequence of order n to a de Bruijn sequence of order n + k, where n and k are both positive integers. In [13], Lempel proposed the D-homomorphism and used it to construct two de Bruijn sequences of order n + 1 from a de Bruijn sequence of order n. For two Boolean functions $f(y_0, y_1, \ldots, y_n)$ and $g(x_0, x_1, \ldots, x_m)$, the ∗-product of f and g in [14] is defined by
$$f ∗ g = f\big(g(x_0, x_1, \ldots, x_m),\ g(x_1, x_2, \ldots, x_{m+1}),\ \ldots,\ g(x_n, x_{n+1}, \ldots, x_{n+m})\big).$$
In [15,16], a simple method was given to construct de Bruijn sequences of order n + 1 or n + 2 based on the ∗-product of the characteristic function of a de Bruijn sequence of order n and a linear function $x_0 \oplus x_1$ or $x_0 \oplus x_2$. In [17], Alhakim and Nouiehed proposed a method to construct de Bruijn sequences of order n + k from an NFSR(f ∗ p), where f is the characteristic function of a de Bruijn sequence of order n and p is the characteristic function of a primitive LFSR.

✩ This work was supported by the National Natural Science Foundation of China (Grant no. 61672533, 61521003).
∗ Corresponding author. E-mail addresses: [email protected] (L.-L. Zhou), [email protected] (T. Tian), [email protected] (W.-F. Qi), [email protected] (Z.-X. Wang).

https://doi.org/10.1016/j.ffa.2019.101574 1071-5797/© 2019 Elsevier Inc. All rights reserved.


Inspired by the result of [17], this paper studies how to construct de Bruijn sequences from an NFSR(f ∗ l), where f is the characteristic function of a de Bruijn sequence of order n and l is the characteristic function of an irreducible LFSR. Note that a primitive LFSR has only one nonzero cycle, but an irreducible LFSR may have many cycles. Thus, the cycle structure of the NFSR(f ∗ l) involved in this paper is more complex than that of the NFSR(f ∗ p) studied in [17]. First, we determine a useful correspondence between the cycle structure of the NFSR(f ∗ l) and that of the LFSR(l). Second, a method is proposed to construct de Bruijn sequences from the NFSR(f ∗ l) by exploiting an inherent algebraic relation between cycles generated by NFSR(f ∗ l) and cycles generated by LFSR(l). Finally, an efficient algorithm for constructing de Bruijn sequences from NFSR(f ∗ l) is given, and its complexity is also discussed.

The rest of this paper is organized as follows. In Section 2, we introduce some basic concepts of NFSRs and the cycle joining method. In Section 3, an algebraic relation between the cycle structure of an NFSR(f ∗ l) and that of an LFSR(l) is given. In Section 4, we study the construction of de Bruijn sequences from an NFSR(f ∗ l). In Section 5, an algorithm describing our construction is proposed and a comparison with previous works is given. Section 6 concludes this paper.

Throughout the paper we use the following notation. Let $\mathbb{F}_2$ denote the finite field of two elements. For a positive integer n, let $\mathbb{F}_2^n$ denote the n-dimensional vector space over $\mathbb{F}_2$. The operations "+" and "−" denote integer addition and subtraction, respectively. The operation "⊕" denotes the exclusive or. Moreover, for two binary sequences $a = (a_i)_{i=0}^{\infty}$ and $b = (b_i)_{i=0}^{\infty}$, define the termwise exclusive or of a and b by a ⊕ b, i.e., $a \oplus b = (a_i \oplus b_i)_{i=0}^{\infty}$.

2. Preliminaries

2.1. Boolean functions

A brief introduction to Boolean functions is given. First, for a positive integer n, an n-variable Boolean function $f(x_0, x_1, \ldots, x_{n-1})$ is a mapping from $\mathbb{F}_2^n$ to $\mathbb{F}_2$, which is sometimes simply denoted by f. It is well known that f can be uniquely represented as
$$f(x_0, x_1, \ldots, x_{n-1}) = \bigoplus_{I \in PS(n)} c_I \Big(\prod_{i \in I} x_i\Big), \qquad c_I \in \mathbb{F}_2,$$
where PS(n) is the power set of {0, 1, . . . , n − 1}. Moreover, the expression above is called the algebraic normal form (ANF) of f. The algebraic degree of f is the global degree of the ANF of f, i.e., $\deg(f) = \max\{|I| : c_I \neq 0\}$. If deg(f) = 1 and f(0, 0, . . . , 0) = 0, then we say that f is a linear Boolean function. If deg(f) ≥ 1, the highest subscript i for which $x_i$ occurs in the ANF of f is called the order of f and is denoted by ord(f).

Example 1. Let $f = x_0 \oplus x_1 x_2 \oplus x_2 x_3 x_4 \oplus x_5$ be a Boolean function. Then we have deg(f) = 3 and ord(f) = 5.


Second, for linear Boolean functions, the following mapping is very useful:
$$\phi : c_0 x_0 \oplus c_1 x_1 \oplus \cdots \oplus c_k x_k \mapsto c_0 \oplus c_1 x \oplus \cdots \oplus c_k x^k, \qquad c_i \in \mathbb{F}_2,$$
which is clearly a one-to-one correspondence from linear Boolean functions to univariate polynomials in $\mathbb{F}_2[x]$. Consequently, $l(x_0, x_1, \ldots, x_k)$ is called an irreducible linear Boolean function if φ(l) is an irreducible polynomial in $\mathbb{F}_2[x]$.

Finally, for two Boolean functions $f(y_0, y_1, \ldots, y_n)$ and $g(x_0, x_1, \ldots, x_m)$, define the ∗-product of f and g by
$$f ∗ g = f\big(g(x_0, x_1, \ldots, x_m),\ g(x_1, x_2, \ldots, x_{m+1}),\ \ldots,\ g(x_n, x_{n+1}, \ldots, x_{n+m})\big).$$
It can be seen that the ∗-product is a kind of composition of Boolean functions. We remark that this operation is closely related to the cascade connection architecture of NFSRs.

2.2. Nonlinear feedback shift registers

It is known that an NFSR can be uniquely described by a Boolean function, called the characteristic function in this paper. Let $f(x_0, x_1, \ldots, x_n) = f_1(x_0, x_1, \ldots, x_{n-1}) \oplus x_n$ be a Boolean function. A diagram of an n-stage NFSR with the characteristic function $f(x_0, x_1, \ldots, x_n)$ is shown in Fig. 1, denoted by NFSR(f). In particular, the NFSR(f) is called a linear feedback shift register if f is linear, denoted by LFSR(f). A sequence $s = (s_i)_{i=0}^{\infty}$ generated by NFSR(f) satisfies the following recurrence relation
$$s_{t+n} = f_1(s_t, s_{t+1}, \ldots, s_{t+n-1}) \quad \text{for all } t \ge 0,$$
i.e.,
$$f(s_t, s_{t+1}, \ldots, s_{t+n}) = 0 \quad \text{for all } t \ge 0. \tag{1}$$

According to Fig. 1, we know that the $2^n$ output sequences of $x_0$ are all sequences generated by NFSR(f), denoted by G(f). For a binary sequence $a = (a_0, a_1, a_2, \ldots)$, if there exists an integer k ≥ 0 such that $a_{i+k} = a_i$ for all i ≥ 0, then the sequence a is called a periodic sequence and k is called a period of a. The smallest number among all periods of a is called the least period of a, denoted by per(a). It is well known that every sequence s ∈ G(f) is periodic if and only if f is nonsingular, namely $f = x_0 \oplus g(x_1, x_2, \ldots, x_{n-1}) \oplus x_n$ (see [4, Chapter VI]). In the following discussions, all characteristic functions of NFSRs are assumed to be nonsingular.

For a positive integer n, if a sequence s generated by an n-stage NFSR has the least period $2^n$, i.e., every n-tuple in $\mathbb{F}_2^n$ appears in a periodic portion of s exactly once, then s is called a de Bruijn sequence of order n. It was proved by de Bruijn in [19] that there are in all $2^{2^{n-1}-n}$ de Bruijn cycles of order n, that is, cyclically distinct de Bruijn sequences of order n. However, how to construct NFSRs quickly and efficiently to generate de Bruijn sequences is still an open problem in cryptography.

Fig. 1. An n-stage NFSR.

2.3. The cycle structure and the cycle joining method

Let $s = (s_i)_{i=0}^{\infty}$ be a periodic sequence. For an integer j ≥ 0, the j-shifted sequence of s is denoted by $L^j s = (s_{i+j})_{i=0}^{\infty}$. Then two periodic sequences u and v generated by NFSR(f) with the same least period T are said to be cyclically distinct if $L^j u \neq v$ for any 0 ≤ j ≤ T − 1. Let f be the characteristic function of an n-stage NFSR and s be a sequence generated by NFSR(f) with the least period T. Then we call $\mathbf{s}_i = (s_i, s_{i+1}, \ldots, s_{i+n-1})$ the i-th state, i.e., the contents of the registers labeled $x_0, x_1, \ldots, x_{n-1}$ in Fig. 1. In addition, the state $\mathbf{s}_{i+1}$ is called the successor of $\mathbf{s}_i$, where all the subscripts are taken modulo T. Thus the state sequence $(\mathbf{s}_0, \mathbf{s}_1, \ldots, \mathbf{s}_{T-1})$ and every cyclic shift of this state sequence, say $(\mathbf{s}_i, \mathbf{s}_{i+1 \bmod T}, \ldots, \mathbf{s}_{i+T-1 \bmod T})$, is called the (state) cycle of s or a (state) cycle of NFSR(f), denoted by [s]. Furthermore, assume there are in all r pairwise cyclically distinct sequences in G(f), say $s_1, s_2, \ldots, s_r$. Then the set consisting of the r distinct cycles $G_f = \{[s_1], [s_2], \ldots, [s_r]\}$ corresponding to $s_1, s_2, \ldots, s_r$, respectively, is called the cycle structure of NFSR(f). In particular, if f is a characteristic function of a de Bruijn sequence of order n, then $G_f$ consists of only one cycle, called the de Bruijn cycle of order n.

Let $\mathbf{s} = (s_0, s_1, \ldots, s_{n-1})$ be a state of an n-stage NFSR. Then the conjugate state of $\mathbf{s}$ is defined by $\mathbf{s}^* = (s_0 \oplus 1, s_1, \ldots, s_{n-1})$, and $(\mathbf{s}, \mathbf{s}^*)$ is called a pair of conjugate states or a conjugate pair. For a conjugate pair $(\mathbf{s}, \mathbf{s}^*)$, define
$$x_1^{s_1} x_2^{s_2} \cdots x_{n-1}^{s_{n-1}} = (x_1 \oplus s_1 \oplus 1)(x_2 \oplus s_2 \oplus 1) \cdots (x_{n-1} \oplus s_{n-1} \oplus 1).$$


Theorem 1. [4] Let $f(x_0, x_1, \ldots, x_n)$ be the characteristic function of an n-stage NFSR and $(\mathbf{s}, \mathbf{s}^*)$ be a pair of conjugate states of NFSR(f), where $\mathbf{s} = (s_0, s_1, \ldots, s_{n-1})$. Set
$$h(x_0, x_1, \ldots, x_n) = f(x_0, x_1, \ldots, x_n) \oplus x_1^{s_1} x_2^{s_2} \cdots x_{n-1}^{s_{n-1}}.$$
If $[u] = (\mathbf{s}, \mathbf{u}_1, \ldots, \mathbf{u}_{p-1})$ and $[v] = (\mathbf{s}^*, \mathbf{v}_1, \ldots, \mathbf{v}_{q-1})$ are two distinct cycles in $G_f$, then $G_h$ is obtained by joining [u] and [v] into one cycle, i.e., $[u] \cup [v] = (\mathbf{s}, \mathbf{v}_1, \ldots, \mathbf{v}_{q-1}, \mathbf{s}^*, \mathbf{u}_1, \ldots, \mathbf{u}_{p-1})$, and keeping the other cycles in $G_f$ unchanged.

Given a pair of conjugate states coming from two different cycles, by Theorem 1 we know that adding $x_1^{s_1} x_2^{s_2} \cdots x_{n-1}^{s_{n-1}}$ to f interchanges the successors of $\mathbf{s}$ and $\mathbf{s}^*$, and so the two cycles in $G_f$ can be joined into one cycle. Therefrom, we give the following important definition.

Definition 1. The suitable conjugate states for an NFSR are a set of conjugate states such that all the cycles generated by this NFSR can be joined into a de Bruijn cycle by interchanging the successors of all conjugate states in this set.

2.4. The cycle structure of LFSR(l)

For a nonzero polynomial p(x) in $\mathbb{F}_2[x]$, if p(0) ≠ 0, then the least positive integer $n_0$ such that p(x) divides $x^{n_0} - 1$ is called the period of p(x), denoted by per(p(x)). Let $l(x_0, x_1, \ldots, x_k)$ be an irreducible linear Boolean function in this subsection. Since φ(l) is irreducible, it is known that per(φ(l)) divides $2^k - 1$ and per(a) = per(φ(l)) for every nonzero sequence a ∈ G(l), see [18, Chapter 8]. Therefore, let per(φ(l)) = e. Denote the cycle structure of LFSR(l) by
$$G_l = \{[a_0], [a_1], \ldots, [a_d]\}, \qquad d = \frac{2^k - 1}{e},$$
where $a_0 = 0$ and $a_i = (a_{i,0}, a_{i,1}, \ldots, a_{i,e-1})$, i = 1, 2, . . . , d, are cyclically distinct sequences in G(l). Besides, the states of LFSR(l) are denoted by $\mathbf{a}_{i,j} = (a_{i,j}, a_{i,j+1}, \ldots, a_{i,j+k-1}) \in [a_i]$, where every subscript j of $a_{i,j}$ is taken modulo e. Let $\phi(l) = 1 \oplus c_1 x \oplus \cdots \oplus c_{k-1} x^{k-1} \oplus x^k$, $c_i \in \mathbb{F}_2$. Then, in linear recurring sequence theory, the companion matrix of φ(l) over $\mathbb{F}_2$ is defined to be the k × k matrix

$$T_l = \begin{bmatrix} 0 & 0 & \cdots & 0 & 1 \\ 1 & 0 & \cdots & 0 & c_1 \\ 0 & 1 & \cdots & 0 & c_2 \\ \vdots & \vdots & \ddots & \vdots & \vdots \\ 0 & 0 & \cdots & 1 & c_{k-1} \end{bmatrix}.$$

For two consecutive states $\mathbf{a}_{i,j}$ and $\mathbf{a}_{i,j+1}$ of LFSR(l), we have $\mathbf{a}_{i,j+1} = \mathbf{a}_{i,j} \cdot T_l$.

3. A correspondence between $G_{f ∗ l}$ and $G_l$

Let $f(x_0, x_1, \ldots, x_n)$ be the characteristic function of a de Bruijn sequence of order n and $l = l_1(x_0, x_1, \ldots, x_{k-1}) \oplus x_k$ be an irreducible linear Boolean function of order k > 1. This section will give a useful correspondence between the cycle structure of NFSR(f ∗ l) and that of LFSR(l). The following Lemmas 1 and 2 are preparations for Theorem 2.

Lemma 1. Let p(x) be an irreducible polynomial in $\mathbb{F}_2[x]$ of degree greater than 1 and let $a_1$ and $a_2$ be two cyclically distinct sequences in G(p(x)). If a periodic sequence b satisfies gcd(per(b), per(p(x))) = 1, then the sequences $b \oplus a_1$ and $b \oplus a_2$ are cyclically distinct.

Proof. If $b \oplus a_1$ and $b \oplus a_2$ are not cyclically distinct, then there exists a positive integer u such that $L^u(b \oplus a_1) = b \oplus a_2$, that is,
$$L^u b \oplus b = L^u a_1 \oplus a_2. \tag{2}$$
Let us denote $\alpha = L^u a_1 \oplus a_2$. On one hand, since $a_1$ and $a_2$ are cyclically distinct, it follows that α ≠ 0. On the other hand, since $a_1$ and $a_2$ are in G(p(x)), it is clear that α is in G(p(x)) too. Note that p(x) is an irreducible polynomial, and so we have per(α) = per(p(x)). Then it follows from (2) that per(p(x)) is the least period of the sequence $\beta = L^u b \oplus b$. Besides, it is clear that per(b) is a period of the sequence β. Since every period of a periodic sequence is always divisible by the least period ([18, Lemma 8.4]), it follows that per(p(x)) | per(b). Combining this with gcd(per(b), per(p(x))) = 1 leads to per(p(x)) = 1, which implies that p(x) = x ⊕ 1, a contradiction to deg(p(x)) > 1. Therefore $b \oplus a_1$ and $b \oplus a_2$ are cyclically distinct. □

Lemma 2. [15, Theorem 3.15] Let g be a characteristic function of an NFSR and p be an irreducible linear Boolean function. If there is a sequence s ∈ G(g) such that per(s) is not divisible by per(φ(p)), then G(g ∗ p) contains one sequence of least period per(s).

Next we introduce a notation which facilitates judging whether a sequence is generated by a given NFSR. For a Boolean function $h(x_0, x_1, \ldots, x_m)$ and a sequence $a = (a_i)_{i=0}^{\infty}$, we define
$$h \circ a = \big(h(a_i, a_{i+1}, \ldots, a_{i+m})\big)_{i=0}^{\infty},$$
which is also a binary sequence. If $h(x_0, x_1, \ldots, x_m)$ is a characteristic function of an m-stage NFSR, then it follows from (1) that $h \circ a = 0$ if and only if a ∈ G(h). After these preparations, a connection between cycles in $G_{f ∗ l}$ and those in $G_l$ is given by the following theorem.

Theorem 2. There exists a sequence b ∈ G(f ∗ l) of least period $2^n$ such that
$$G_{f ∗ l} = \{[b], [b \oplus a_1], [b \oplus a_2], \ldots, [b \oplus a_d]\},$$
where $G_l = \{[0], [a_1], [a_2], \ldots, [a_d]\}$ and $d = \dfrac{2^k - 1}{\mathrm{per}(\phi(l))}$.

Proof. First, let s ∈ G(f). Then s is a de Bruijn sequence of order n and we have per(s) = $2^n$. Since per(φ(l)) divides $2^k - 1$, it can be seen that gcd(per(φ(l)), per(s)) = 1. It immediately follows from Lemma 2 that there is a sequence b in G(f ∗ l) with per(b) = $2^n$.

Second, since $a_i$, i = 1, 2, . . . , d, is in G(l), it is clear that
$$l \circ a_i = 0, \qquad i = 1, 2, \ldots, d.$$
Then we have
$$(f ∗ l) \circ (b \oplus a_i) = f \circ (l \circ (b \oplus a_i)) = f \circ (l \circ b) = (f ∗ l) \circ b = 0,$$
which implies that $b \oplus a_i \in G(f ∗ l)$ for i = 1, 2, . . . , d.

Third, it is clear that per(b ⊕ $a_i$) = $2^n \cdot \mathrm{per}(\phi(l))$ for i = 1, 2, . . . , d. Thus, b is cyclically distinct from $b \oplus a_i$, i = 1, 2, . . . , d, because of their different least periods. Besides, the d sequences $b \oplus a_1, b \oplus a_2, \ldots, b \oplus a_d$ are pairwise cyclically distinct by Lemma 1. Hence
$$[b], [b \oplus a_1], \ldots, [b \oplus a_d] \tag{3}$$
are different cycles in $G_{f ∗ l}$.

Finally, since per(b) = $2^n$ and per(b ⊕ $a_i$) = $2^n \cdot \mathrm{per}(\phi(l))$ for i = 1, 2, . . . , d, it follows that there are in all
$$2^n + 2^n \cdot \mathrm{per}(\phi(l)) \cdot \frac{2^k - 1}{\mathrm{per}(\phi(l))} = 2^{n+k}$$
different states on the cycles given by (3). Therefore, they are all the cycles generated by NFSR(f ∗ l). □

It can be seen from Theorem 2 that there is a one-to-one correspondence between cycles in $G_{f ∗ l}$ and those in $G_l$. The key point in describing the correspondence lies in finding the unique sequence in G(f ∗ l) with least period $2^n$, i.e., the sequence b in Theorem 2. In the following discussion, such a sequence in G(f ∗ l) is called a primitive-like sequence. The following lemma provides a method for calculating the primitive-like sequence.

Lemma 3. [17] Let $b = (b_i)_{i=0}^{\infty}$ and $s = (s_i)_{i=0}^{\infty}$ be as in Theorem 2 and let $v = (v_i)_{i=0}^{2^n+k-1}$ be defined as
$$v_0 = v_1 = \cdots = v_{k-1} = 0, \qquad v_{k+i} = l_1(v_i, v_{i+1}, \ldots, v_{k+i-1}) \oplus s_i, \quad i = 0, 1, \ldots, 2^n - 1.$$
Then
$$(b_0, b_1, \ldots, b_{k-1}) = (v_{2^n}, v_{2^n+1}, \ldots, v_{2^n+k-1}) \cdot \big(I_k \oplus T_l^{\,2^n \bmod \mathrm{per}(\phi(l))}\big)^{-1},$$
$$b_{k+i} = l_1(b_i, b_{i+1}, \ldots, b_{k+i-1}) \oplus s_i, \qquad i \ge 0,$$
where $I_k$ is the k × k identity matrix and $T_l$ is the companion matrix of φ(l).

Example 2. Let $f(x_0, x_1, \ldots, x_4) = x_0 \oplus x_1 x_2 \oplus x_1 x_2 x_3 \oplus 1 \oplus x_4$ and $l(x_0, x_1, \ldots, x_6) = x_0 \oplus x_1 \oplus x_2 \oplus x_3 \oplus x_4 \oplus x_5 \oplus x_6$. It can be verified that every sequence in G(f) is a de Bruijn sequence of order 4 and φ(l) is an irreducible polynomial of degree 6. Given a de Bruijn sequence s = (0, 0, 0, 0, 1, 1, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1) ∈ G(f), by Lemma 3 we have $(v_{16}, v_{17}, v_{18}, v_{19}, v_{20}, v_{21}) = (1, 1, 1, 1, 1, 1)$. Thus we obtain $(b_0, b_1, b_2, b_3, b_4, b_5) = (0, 1, 1, 0, 0, 1)$ and further have b = (0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0).
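As an added example (not code from the paper), the following Python carries Lemma 3 and Theorem 2 through on the data of Example 2: it computes the primitive-like sequence b from s, checks that b and b ⊕ a_1 are generated by NFSR(f ∗ l) with least periods 2^n and 2^n · per(φ(l)), and reproduces the values stated in Example 2. The helper names are ours, and per(φ(l)) is taken as the multiplicative order of the companion matrix T_l.

```python
from math import lcm

# Example 2 data from the paper: f = x0 + x1x2 + x1x2x3 + 1 + x4, l = x0 + ... + x6.
N = 4                                   # order of the de Bruijn sequence s
L_COEFFS = [1, 1, 1, 1, 1, 1]           # c0..c5 of l1, so phi(l) = 1 + x + ... + x^6
S = [0, 0, 0, 0, 1, 1, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1]   # the de Bruijn sequence s in G(f)

def f1(x):
    """s_{t+4} = f1(s_t..s_{t+3}): the paper's f with x4 moved to the other side."""
    return x[0] ^ (x[1] & x[2]) ^ (x[1] & x[2] & x[3]) ^ 1

def linear_fn(coeffs):
    """l1(x0..x_{k-1}) = c0 x0 + ... + c_{k-1} x_{k-1} over F2."""
    return lambda x: sum(c & xi for c, xi in zip(coeffs, x)) & 1

def identity(k):
    return [[int(i == j) for j in range(k)] for i in range(k)]

def companion_matrix(coeffs):
    """T_l in the paper's layout: sub-diagonal ones, last column (c0 = 1, c1, .., c_{k-1})."""
    k = len(coeffs)
    T = [[0] * k for _ in range(k)]
    for r in range(k):
        if r:
            T[r][r - 1] = 1
        T[r][k - 1] = coeffs[r]
    return T

def vec_mat(v, M):
    """Row vector times matrix over F2 (states are row vectors, a_{j+1} = a_j * T_l)."""
    return [sum(vi & M[i][j] for i, vi in enumerate(v)) & 1 for j in range(len(M[0]))]

def mat_mul(A, B):
    return [vec_mat(row, B) for row in A]

def mat_inv_gf2(M):
    """Gauss-Jordan inversion over F2; raises ValueError if M is singular."""
    k = len(M)
    A = [list(row) + identity(k)[i] for i, row in enumerate(M)]
    for col in range(k):
        piv = next((r for r in range(col, k) if A[r][col]), None)
        if piv is None:
            raise ValueError("singular matrix")
        A[col], A[piv] = A[piv], A[col]
        for r in range(k):
            if r != col and A[r][col]:
                A[r] = [x ^ y for x, y in zip(A[r], A[col])]
    return [row[k:] for row in A]

def matrix_order(T):
    """Least e > 0 with T^e = I; for irreducible phi(l) this is per(phi(l))."""
    P, e = T, 1
    while P != identity(len(T)):
        P, e = mat_mul(P, T), e + 1
    return e

def primitive_like_sequence(s, n, coeffs):
    """Lemma 3: one period of the unique b in G(f*l) with per(b) = 2^n,
    returned together with (v_{2^n}, ..., v_{2^n+k-1})."""
    k, l1, T = len(coeffs), linear_fn(coeffs), companion_matrix(coeffs)
    v = [0] * k                                   # v_0 = ... = v_{k-1} = 0
    for i in range(2 ** n):                       # v_{k+i} = l1(v_i..v_{k+i-1}) + s_i
        v.append(l1(v[i:i + k]) ^ s[i])
    Tm = identity(k)
    for _ in range(2 ** n % matrix_order(T)):     # T_l^(2^n mod per(phi(l)))
        Tm = mat_mul(Tm, T)
    M = [[Tm[i][j] ^ int(i == j) for j in range(k)] for i in range(k)]   # I_k + T_l^m
    b = vec_mat(v[2 ** n:], mat_inv_gf2(M))       # (b_0, ..., b_{k-1})
    for i in range(2 ** n):                       # b_{k+i} = l1(b_i..b_{k+i-1}) + s_i
        b.append(l1(b[i:i + k]) ^ s[i])
    assert b[2 ** n:] == b[:k], "2^n must be a period of b"
    return b[:2 ** n], v[2 ** n:]

def least_period(seq):
    """Least period of a periodic sequence given as one full period."""
    L = len(seq)
    return next(p for p in range(1, L + 1)
                if L % p == 0 and all(seq[i] == seq[i % p] for i in range(L)))

def is_de_bruijn(seq, n):
    """Every n-tuple occurs exactly once around the cycle."""
    L = len(seq)
    return L == 2 ** n and len({tuple(seq[(i + j) % L] for j in range(n)) for i in range(L)}) == L

def in_g_f_star_l(seq, f1, n, coeffs):
    """(f*l)∘seq = f∘(l∘seq) = 0, checked cyclically over one period (Section 3)."""
    k, l1, L = len(coeffs), linear_fn(coeffs), len(seq)
    u = [l1([seq[(i + j) % L] for j in range(k)]) ^ seq[(i + k) % L] for i in range(L)]
    return all(u[(t + n) % L] == f1([u[(t + j) % L] for j in range(n)]) for t in range(L))

def theorem2_cycle(b, coeffs, state):
    """One period of b + a, a being the LFSR(l) sequence from the nonzero `state`;
    Theorem 2 says per(b + a) = 2^n * per(phi(l))."""
    l1, k = linear_fn(coeffs), len(coeffs)
    e = matrix_order(companion_matrix(coeffs))
    a = list(state)
    while len(a) < lcm(len(b), e):
        a.append(l1(a[-k:]))
    return [b[i % len(b)] ^ a[i] for i in range(len(a))]
```

Running `primitive_like_sequence(S, N, L_COEFFS)` returns the b of Example 2, and `theorem2_cycle(b, L_COEFFS, [1, 0, 0, 0, 0, 0])` gives the cycle [b ⊕ a_1] of length 16 · 7 = 112.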


4. Constructions of de Bruijn sequences from NFSR(f ∗ l)

Let $f(x_0, x_1, \ldots, x_n)$ and $l(x_0, x_1, \ldots, x_k)$ be as in Section 3 and let per(φ(l)) = e ≥ k. This section contains three subsections. First, it explains the term "transition matrix" and its effect on state cycles in $G_l$. Then, we introduce extended states and cycles. Finally, it is shown how to construct de Bruijn sequences from NFSR(f ∗ l).

A matrix induced by two bases of $\mathbb{F}_2^k$ over $\mathbb{F}_2$ is called a transition matrix, denoted by P. The irreducible linear Boolean function $l = l_1(x_0, x_1, \ldots, x_{k-1}) \oplus x_k$ naturally induces a linear transformation $A_l$ from $\mathbb{F}_2^k$ to $\mathbb{F}_2^k$ defined by
$$(a_{i,j}, a_{i,j+1}, \ldots, a_{i,j+k-1}) \mapsto (a_{i,j+1}, a_{i,j+2}, \ldots, l_1(a_{i,j}, a_{i,j+1}, \ldots, a_{i,j+k-1})),$$
namely $A_l(\mathbf{a}_{i,j}) = \mathbf{a}_{i,j+1} = \mathbf{a}_{i,j} \cdot T_l$.

4.1. The transition matrix P on cycles in $G_l$

This section shows that the transition matrix P is a permutation function on the cycles in $G_l$.

Lemma 4. For two sets of consecutive states $\{\mathbf{a}_{u,i}, \mathbf{a}_{u,i+1}, \ldots, \mathbf{a}_{u,i+k-1}\}$ and $\{\mathbf{a}_{v,j}, \mathbf{a}_{v,j+1}, \ldots, \mathbf{a}_{v,j+k-1}\}$ of LFSR(l), there exists a unique k × k transition matrix P such that
$$\begin{pmatrix} \mathbf{a}_{v,j} \\ \mathbf{a}_{v,j+1} \\ \vdots \\ \mathbf{a}_{v,j+k-1} \end{pmatrix} = \begin{pmatrix} \mathbf{a}_{u,i} \\ \mathbf{a}_{u,i+1} \\ \vdots \\ \mathbf{a}_{u,i+k-1} \end{pmatrix} \cdot P$$
and $T_l \cdot P = P \cdot T_l$.

Proof. Since deg(φ(l)) = k ≤ e and φ(l) is an irreducible polynomial, we know that a set consisting of k consecutive states of LFSR(l) is a basis of $\mathbb{F}_2^k$ over $\mathbb{F}_2$. It follows that $\{\mathbf{a}_{u,i}, \mathbf{a}_{u,i+1}, \ldots, \mathbf{a}_{u,i+k-1}\}$ and $\{\mathbf{a}_{v,j}, \mathbf{a}_{v,j+1}, \ldots, \mathbf{a}_{v,j+k-1}\}$ are two different bases of $\mathbb{F}_2^k$. Then there exists a k × k transition matrix P such that
$$\begin{pmatrix} \mathbf{a}_{v,j} \\ \mathbf{a}_{v,j+1} \\ \vdots \\ \mathbf{a}_{v,j+k-1} \end{pmatrix} = \begin{pmatrix} \mathbf{a}_{u,i} \\ \mathbf{a}_{u,i+1} \\ \vdots \\ \mathbf{a}_{u,i+k-1} \end{pmatrix} \cdot P. \tag{4}$$


In addition, using the linear transformation $A_l$ on the left-hand side of (4) yields
$$A_l\begin{pmatrix} \mathbf{a}_{v,j} \\ \mathbf{a}_{v,j+1} \\ \vdots \\ \mathbf{a}_{v,j+k-1} \end{pmatrix} = A_l\begin{pmatrix} \mathbf{a}_{u,i} \\ \mathbf{a}_{u,i+1} \\ \vdots \\ \mathbf{a}_{u,i+k-1} \end{pmatrix} \cdot P = \begin{pmatrix} \mathbf{a}_{u,i} \\ \mathbf{a}_{u,i+1} \\ \vdots \\ \mathbf{a}_{u,i+k-1} \end{pmatrix} \cdot T_l \cdot P. \tag{5}$$
Besides, according to $A_l$ we have
$$A_l\begin{pmatrix} \mathbf{a}_{v,j} \\ \mathbf{a}_{v,j+1} \\ \vdots \\ \mathbf{a}_{v,j+k-1} \end{pmatrix} = \begin{pmatrix} \mathbf{a}_{v,j} \\ \mathbf{a}_{v,j+1} \\ \vdots \\ \mathbf{a}_{v,j+k-1} \end{pmatrix} \cdot T_l = \begin{pmatrix} \mathbf{a}_{u,i} \\ \mathbf{a}_{u,i+1} \\ \vdots \\ \mathbf{a}_{u,i+k-1} \end{pmatrix} \cdot P \cdot T_l. \tag{6}$$
By comparing (5) and (6) we have $T_l \cdot P = P \cdot T_l$. This completes the proof. □

For a nonzero cycle $[a_i]$, i = 1, 2, . . . , d, in $G_l$, define
$$P \circ [a_i] = (\mathbf{a}_{i,0} \cdot P, \mathbf{a}_{i,1} \cdot P, \ldots, \mathbf{a}_{i,e-1} \cdot P),$$
where per(φ(l)) = e. By Lemma 4 we have
$$P \circ [a_i] = (\mathbf{a}_{i,0} \cdot P, \mathbf{a}_{i,0} \cdot T_l \cdot P, \ldots, \mathbf{a}_{i,0} \cdot T_l^{e-1} \cdot P) = (\mathbf{a}_{i,0} \cdot P, \mathbf{a}_{i,0} \cdot P \cdot T_l, \ldots, \mathbf{a}_{i,0} \cdot P \cdot T_l^{e-1}),$$
which is also a cycle in $G_l$. Moreover, for two distinct cycles $[a_{i_1}]$ and $[a_{i_2}]$, since $\mathbf{a}_{i_1,j_1} \neq \mathbf{a}_{i_2,j_2}$ for every $0 \le j_1, j_2 \le e - 1$, it is known that $\mathbf{a}_{i_1,j_1} \cdot P \neq \mathbf{a}_{i_2,j_2} \cdot P$ for every $0 \le j_1, j_2 \le e - 1$. So $P \circ [a_{i_1}]$ and $P \circ [a_{i_2}]$ are two distinct cycles too. Thus, the matrix P maps a cycle in $G_l$ to another cycle in $G_l$ (not necessarily a distinct one). Then, let the preimage of $[a_i]$ under P be denoted by
$$[a_{\tau(i)}] = P^{-1} \circ [a_i], \qquad i = 0, 1, \ldots, d, \tag{7}$$
where τ(i), i = 0, 1, . . . , d, is an integer with 0 ≤ τ(i) ≤ d. We know that τ(·), induced by the transition matrix P, is a permutation function on the set {0, 1, . . . , d}.

Example 3. Let l be as in Example 2. The cycle structure of LFSR(l) is listed in Table 1, where the commas in these sequences are omitted. Note that per(φ(l)) = 7 and d = 9. For


Table 1. The cycle structure of LFSR(l).

[a_i]    state cycle
[a_0]    [(0)]
[a_1]    [(1000001)]
[a_2]    [(0000101)]
[a_3]    [(0001001)]
[a_4]    [(0001111)]
[a_5]    [(0111111)]
[a_6]    [(0010111)]
[a_7]    [(0011011)]
[a_8]    [(0011101)]
[a_9]    [(0101011)]

Table 2. The correspondence between τ(i) and i.

i       0   1   2   3   4   5   6   7   8   9
τ(i)    0   9   5   2   1   7   6   4   8   3

two bases $\{\mathbf{a}_{9,5}, \mathbf{a}_{9,6}, \mathbf{a}_{9,0}, \mathbf{a}_{9,1}, \mathbf{a}_{9,2}, \mathbf{a}_{9,3}\}$ and $\{\mathbf{a}_{1,0}, \mathbf{a}_{1,1}, \mathbf{a}_{1,2}, \mathbf{a}_{1,3}, \mathbf{a}_{1,4}, \mathbf{a}_{1,5}\}$ of $\mathbb{F}_2^6$ over $\mathbb{F}_2$, by Lemma 4 the transition matrix P satisfying $\mathbf{a}_{9,j+5} \cdot P = \mathbf{a}_{1,j}$, j = 0, 1, . . . , 5, is given by
$$P = \begin{bmatrix} 1 & 0 & 0 & 0 & 1 & 1 \\ 0 & 1 & 0 & 0 & 1 & 0 \\ 1 & 0 & 1 & 0 & 1 & 0 \\ 0 & 1 & 0 & 1 & 1 & 0 \\ 0 & 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 1 & 1 \end{bmatrix},$$
where the subscript j of $\mathbf{a}_{i,j}$ is taken modulo per(φ(l)). On this basis, we list the correspondence between i and τ(i) for i = 0, 1, . . . , d in Table 2.

4.2. The transition matrix P on extended cycles for the cycles in $G_l$

In this subsection, we define extended states and extended state cycles for those of LFSR(l) and further use the transition matrix P to mark the correspondence between two extended states. Since f ∗ l is a characteristic function of order n + k, each state of NFSR(f ∗ l) is of length n + k. In order to represent the states of NFSR(f ∗ l) by those of LFSR(l), we define
$$\mathbf{a}_{i,j,m} = (a_{i,j}, a_{i,j+1}, \ldots, a_{i,j+m-1})$$
to be the extended state of length m for $\mathbf{a}_{i,j}$, with m ≥ k. Then naturally
$$[a_i]_m = (\mathbf{a}_{i,0,m}, \mathbf{a}_{i,1,m}, \ldots, \mathbf{a}_{i,e-1,m}), \qquad i = 1, 2, \ldots, d,$$
is called the extended (state) cycle for $[a_i]$, where per(φ(l)) = e. It can be seen that $\mathbf{a}_{i,j,m}$ is a union of the m − k + 1 consecutive states $\{\mathbf{a}_{i,j}, \mathbf{a}_{i,j+1}, \ldots, \mathbf{a}_{i,j+m-k}\}$ of LFSR(l). Note that the transition matrix P in Lemma 4 is invertible. Similarly,


Table 3. The preimage of the state $\mathbf{a}_{i,j}$ under P.

a_{i,j}    state       a_{i,j} · P^{-1}    state
a_{9,5}    (110101)    a_{3,3}             (100100)
a_{9,6}    (101010)    a_{3,4}             (001000)
a_{9,0}    (010101)    a_{3,5}             (010001)
a_{9,1}    (101011)    a_{3,6}             (100010)
a_{9,2}    (010110)    a_{3,0}             (000100)

$\{\mathbf{a}_{i,j} \cdot P^{-1}, \mathbf{a}_{i,j+1} \cdot P^{-1}, \ldots, \mathbf{a}_{i,j+m-k} \cdot P^{-1}\}$ are also m − k + 1 consecutive states of LFSR(l), which correspond to a unique extended state, denoted by $P^{-1} \circ (\mathbf{a}_{i,j,m})$. Similar to (7), let the preimage of $[a_i]_{n+k}$ under P be denoted by
$$[a_{\tau(i)}]_{n+k} = P^{-1} \circ [a_i]_{n+k}, \qquad i = 0, 1, \ldots, d. \tag{8}$$
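As an added example (not the paper's code), the following Python takes the matrix P printed in Example 3 and the cycles of Table 1 as constructed input, checks both claims of Lemma 4 for this P, derives the permutation τ of (7) as listed in Table 2, and computes the preimage of an extended state under P in the sense of (8) by a forward search on the cycle [a_τ(i)]. The helper names are ours; the companion matrix T_L is written out for φ(l) = 1 + x + · · · + x^6.

```python
# Data from the paper: Table 1 (cycle representatives a_0..a_9 of LFSR(l)) and the
# matrix P of Example 3; T_L is the companion matrix of phi(l) = 1 + x + ... + x^6.
K, E = 6, 7                                   # stages of LFSR(l), per(phi(l))
TABLE1 = ["0000000", "1000001", "0000101", "0001001", "0001111",
          "0111111", "0010111", "0011011", "0011101", "0101011"]
T_L = [[0, 0, 0, 0, 0, 1], [1, 0, 0, 0, 0, 1], [0, 1, 0, 0, 0, 1],
       [0, 0, 1, 0, 0, 1], [0, 0, 0, 1, 0, 1], [0, 0, 0, 0, 1, 1]]
P = [[1, 0, 0, 0, 1, 1], [0, 1, 0, 0, 1, 0], [1, 0, 1, 0, 1, 0],
     [0, 1, 0, 1, 1, 0], [0, 0, 1, 0, 0, 0], [0, 0, 0, 1, 1, 1]]

def vec_mat(v, M):
    """Row vector times matrix over F2."""
    return tuple(sum(vi & M[i][j] for i, vi in enumerate(v)) & 1 for j in range(len(M[0])))

def mat_mul(A, B):
    return [list(vec_mat(row, B)) for row in A]

def state(i, j, m=K):
    """Extended state a_{i,j,m} = (a_{i,j}, ..., a_{i,j+m-1}); m = k gives the state a_{i,j}."""
    return tuple(int(TABLE1[i][(j + t) % E]) for t in range(m))

def cycle_index(st):
    """The i with st in [a_i]; states of distinct cycles never coincide."""
    for i in range(len(TABLE1)):
        if any(state(i, j) == tuple(st) for j in range(E)):
            return i
    raise ValueError("not a state of LFSR(l)")

def lemma4_holds():
    """Both claims of Lemma 4 for this P: a_{9,j+5} * P = a_{1,j} (j = 0..5) and T_l P = P T_l."""
    basis_ok = all(vec_mat(state(9, j + 5), P) == state(1, j) for j in range(K))
    return basis_ok and mat_mul(T_L, P) == mat_mul(P, T_L)

def tau():
    """tau(i) of (7): [a_tau(i)] = P^{-1} o [a_i], i.e. P maps [a_tau(i)] onto [a_i].
    Since P commutes with T_l, mapping one state of each cycle is enough."""
    t = [None] * len(TABLE1)
    for src in range(len(TABLE1)):
        t[cycle_index(vec_mat(state(src, 0), P))] = src
    return t

def preimage_extended(i, j, m):
    """P^{-1} o (a_{i,j,m}) of (8), found by forward search on the cycle [a_tau(i)]:
    the state y with y * P = a_{i,j}, extended to length m (successors map to successors)."""
    src = tau()[i]
    for jj in range(E):
        if vec_mat(state(src, jj), P) == state(i, j):
            return (src, jj), state(src, jj, m)
    raise ValueError("no preimage found")
```

`tau()` returns the second row of Table 2, and `preimage_extended(9, 5, 10)` returns the pair of indices (3, 3) with the 10-bit extended state a_{3,3,10}.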

On the basis of Example 3, we give an example to explain extended states and extended state cycles.

Example 4. Let l and P be as in Example 3. For the state $\mathbf{a}_{9,5} = (1, 1, 0, 1, 0, 1) \in [a_9]$, its extended state of length 10 is $\mathbf{a}_{9,5,10} = (1, 1, 0, 1, 0, 1, 0, 1, 1, 0)$, which is a union of $\{\mathbf{a}_{9,5}, \mathbf{a}_{9,6}, \mathbf{a}_{9,0}, \mathbf{a}_{9,1}, \mathbf{a}_{9,2}\}$. We list their preimages under P in Table 3. It naturally follows that $P^{-1} \circ (\mathbf{a}_{9,5,10}) = \mathbf{a}_{3,3,10} = (1, 0, 0, 1, 0, 0, 0, 1, 0, 0)$.

After these preparations, we will show the main contribution, i.e., an algebraic relation between the construction of de Bruijn sequences based on LFSR(l) and that based on NFSR(f ∗ l).

4.3. Constructions of suitable conjugate states for NFSR(f ∗ l) from LFSR(l)

We first recall the suitable conjugate states for an NFSR, namely a set of conjugate states used to join all the cycles generated by this NFSR into a de Bruijn cycle, see Definition 1. In this subsection, given a set of suitable conjugate states for LFSR(l), we show how to construct a set of suitable conjugate states for NFSR(f ∗ l). Recall that the cycle structures of LFSR(l) and NFSR(f ∗ l) are
$$G_l = \{[a_0], [a_1], \ldots, [a_d]\}, \qquad d = \frac{2^k - 1}{\mathrm{per}(\phi(l))},$$
and
$$G_{f ∗ l} = \{[b], [b \oplus a_1], [b \oplus a_2], \ldots, [b \oplus a_d]\},$$
respectively, where b is the primitive-like sequence in G(f ∗ l). For convenience, let $[b_i] = [b \oplus a_i]$, i = 1, 2, . . . , d, represent the cycles in $G_{f ∗ l}$. Moreover, for the de Bruijn sequence s used to calculate the primitive-like sequence b in Lemma 3, we introduce another notation z(·). The subscript of the conjugate state of $\mathbf{s}_i$ is denoted by z(i) for i = 0, 1, . . . , $2^n - 1$. In other words, $(\mathbf{s}_i, \mathbf{s}_{z(i)})$ is a conjugate pair of NFSR(f), which shows that z(·) is actually a permutation function on the set {0, 1, . . . , $2^n - 1$}. In the following discussion, let z(i) represent the subscript of the conjugate state of $\mathbf{s}_i$ for the de Bruijn sequence s in Lemma 3.

Theorem 3. If there is a set of suitable conjugate states $(\mathbf{x}_i, \mathbf{x}_i^*)$, i = 0, 1, . . . , d − 1, which can be used to join all the cycles in $G_l$ into a de Bruijn cycle of order k, then we can construct a set of suitable conjugate states $(\mathbf{y}_i, \mathbf{y}_i^*)$, i = 0, 1, . . . , d − 1, which can be used to join all the cycles in $G_{f ∗ l}$ into a de Bruijn cycle of order n + k.

Proof. Let Γ be a set of suitable conjugate states for LFSR(l). Since there are d + 1 cycles in $G_l$, we have |Γ| = d. Let $\Gamma = \{(\mathbf{x}_0, \mathbf{x}_0^*), (\mathbf{x}_1, \mathbf{x}_1^*), \ldots, (\mathbf{x}_{d-1}, \mathbf{x}_{d-1}^*)\}$. Without loss of generality, we assume the starting conjugate pair of LFSR(l) is defined by¹
$$\mathbf{x}_0 = \mathbf{a}_{0,0} = (0, 0, \ldots, 0) \in [0], \qquad \mathbf{x}_0^* = \mathbf{a}_{1,0} = (1, 0, \ldots, 0) \in [a_1],$$
and the other d − 1 conjugate states can be written in the form
$$\mathbf{x}_i = \mathbf{x}_0 \oplus \mathbf{a}_{i,t_i} = \mathbf{a}_{i,t_i} \in [a_i], \qquad \mathbf{x}_i^* = \mathbf{x}_0^* \oplus \mathbf{a}_{i,t_i} \in [a_{i+1}], \tag{9}$$
where i = 1, 2, . . . , d − 1 and 0 ≤ $t_i$ ≤ e − 1 are integers. By interchanging the successors of the conjugate states in Γ, all the cycles in $G_l$ can be joined into a de Bruijn cycle in the following order: $[0] \cup [a_1] \cup \cdots \cup [a_d]$. According to the algebraic relationship between the structure of LFSR(l) and that of NFSR(f ∗ l), we present a method for constructing a set of suitable conjugate states for NFSR(f ∗ l).

¹ Let (1, 0, . . . , 0) be the first state in $[a_1]$.


First, let us start from the starting conjugate pair of NFSR(f ∗ l) given by
$$\mathbf{y}_0 = \mathbf{b}_p \in [b], \qquad \mathbf{y}_0^* = \mathbf{b}_{z(p)} \oplus \mathbf{a}_{w,r,n+k} \in [b_w],$$
where 1 ≤ w ≤ d, 0 ≤ r ≤ e − 1 and 0 ≤ p, z(p) ≤ $2^n - 1$ are all integers. Therefrom, we know that the primitive-like cycle [b] and $[b_w]$ can be joined into one cycle by interchanging the successors of $(\mathbf{y}_0, \mathbf{y}_0^*)$. Besides, it should be pointed out that z(p) is determined by $\mathbf{s}_p$, namely $(\mathbf{s}_p, \mathbf{s}_{z(p)})$ is a conjugate pair of NFSR(f). Since $\mathbf{a}_{w,r,n+k}$ is the extended state of length n + k for $\mathbf{a}_{w,r}$, we carefully select two bases of $\mathbb{F}_2^k$, which are $\{\mathbf{a}_{w,r}, \mathbf{a}_{w,r+1}, \ldots, \mathbf{a}_{w,r+k-1}\}$ and $\{\mathbf{a}_{1,0}, \mathbf{a}_{1,1}, \ldots, \mathbf{a}_{1,k-1}\}$. According to Lemma 4, we know that there exists a k × k transition matrix P such that
$$\begin{pmatrix} \mathbf{a}_{1,0} \\ \mathbf{a}_{1,1} \\ \vdots \\ \mathbf{a}_{1,k-1} \end{pmatrix} = \begin{pmatrix} \mathbf{a}_{w,r} \\ \mathbf{a}_{w,r+1} \\ \vdots \\ \mathbf{a}_{w,r+k-1} \end{pmatrix} \cdot P.$$
Then, by (7) we have
$$[a_{\tau(1)}] = [a_w] \quad \text{and} \quad \mathbf{a}_{w,r,n+k} = P^{-1} \circ (\mathbf{a}_{1,0,n+k}). \tag{10}$$
Note that τ, closely related to the matrix P, is a permutation function on the set {0, 1, . . . , d}.

Second, define the other d − 1 conjugate states of NFSR(f ∗ l) as
$$\mathbf{y}_i = \mathbf{y}_0 \oplus P^{-1} \circ (\mathbf{a}_{i,t_i,n+k}), \qquad \mathbf{y}_i^* = \mathbf{y}_0^* \oplus P^{-1} \circ (\mathbf{a}_{i,t_i,n+k}),$$
where $\mathbf{a}_{i,t_i,n+k}$ is the extended state for $\mathbf{a}_{i,t_i} \in [a_i]$. Combining (8) and (9) leads to $P^{-1} \circ (\mathbf{a}_{i,t_i,n+k}) \in [a_{\tau(i)}]_{n+k}$, which implies $\mathbf{y}_i \in [b \oplus a_{\tau(i)}] = [b_{\tau(i)}]$. Besides, by (10) we have
$$\mathbf{y}_i^* = \mathbf{b}_{z(p)} \oplus \mathbf{a}_{w,r,n+k} \oplus P^{-1} \circ (\mathbf{a}_{i,t_i,n+k}) = \mathbf{b}_{z(p)} \oplus P^{-1} \circ (\mathbf{a}_{1,0,n+k} \oplus \mathbf{a}_{i,t_i,n+k}).$$


Since (a_{1,0,n+k} ⊕ a_{i,t_i,n+k}) is the extended state for x_i^* = a_{1,0} ⊕ a_{i,t_i} ∈ [a_{i+1}], it follows from (8) and (9) that P^{−1} ∘ (a_{1,0,n+k} ⊕ a_{i,t_i,n+k}) ∈ [a_{τ(i+1)}]_{n+k}, which implies y_i^* ∈ [b ⊕ a_{τ(i+1)}] = [b_{τ(i+1)}]. Finally, for the set of conjugate pairs {(y_0, y_0^*), (y_1, y_1^*), ..., (y_{d−1}, y_{d−1}^*)}, we have y_i ∈ [b_{τ(i)}] and y_i^* ∈ [b_{τ(i+1)}] for i = 0, 1, ..., d − 1. Consequently, by interchanging the successors of the conjugate states in this set, all the cycles in G_{f∗l} can be joined into a de Bruijn cycle in the order [b] ∪ [b_{τ(1)}] ∪ ··· ∪ [b_{τ(d)}], where τ(·) is the permutation determined by the transition matrix P. Thus, {(y_0, y_0^*), (y_1, y_1^*), ..., (y_{d−1}, y_{d−1}^*)} forms a set of suitable conjugate states for NFSR(f ∗ l). □

Remark 1. Choosing different starting conjugate pairs (y_0, y_0^*) leads to distinct sets of suitable conjugate states for NFSR(f ∗ l). In this way, we can construct a number of cyclically distinct de Bruijn sequences.

Remark 2. Theorem 3 includes the case that φ(l) is a primitive polynomial in F_2[x]. This special case was studied in [17].

5. Complexity and comparisons

In this section, an algorithm for constructing de Bruijn sequences from NFSR(f ∗ l) is proposed. Then we discuss its complexity and the number of de Bruijn sequences it constructs. Moreover, a comparison with previous work is given.

Algorithm 1 shows how to construct a set of suitable conjugate states for NFSR(f ∗ l) from a set of suitable conjugate states for LFSR(l).

Algorithm 1 Find a set of suitable conjugate states for NFSR(f ∗ l).
Input: s = (s_0, s_1, ..., s_{2^n−1}) ∈ G(f), a de Bruijn sequence of order n; an irreducible linear Boolean function l = l_1(x_0, x_1, ..., x_{k−1}) ⊕ x_k; a set of suitable conjugate states (x_i, x_i^*), i = 0, 1, ..., d − 1, for LFSR(l).
Output: a set of suitable conjugate states (y_i, y_i^*), i = 0, 1, ..., d − 1, for NFSR(f ∗ l).
1: (v_0, v_1, ..., v_{k−1}) ← (0, 0, ..., 0)
2: for i = 0 to 2^n − 1 do v_{k+i} ← l_1(v_i, v_{i+1}, ..., v_{k+i−1}) ⊕ s_i end for
3: (b_0, b_1, ..., b_{k−1}) ← (v_{2^n}, v_{2^n+1}, ..., v_{2^n+k−1}) · (I_k ⊕ T_l^{2^n mod per(φ(l))})^{−1}
4: for i = 0 to 2^n − k − 1 do b_{k+i} ← l_1(b_i, b_{i+1}, ..., b_{k+i−1}) ⊕ s_i end for
5: for i = 0 to 2^n − 1 do if (b_i, b_{z(i)}) is not a conjugate pair then (y_0, y_0^*) ← (b_i, b_i^*), the starting conjugate pair of NFSR(f ∗ l), and break end if end for
6: a_{w,r,n+k} ← b_i^* ⊕ b_{z(i)}
7: P ← the transition matrix determined by the two bases {a_{w,r}, a_{w,r+1}, ..., a_{w,r+k−1}} and {a_{1,0}, a_{1,1}, ..., a_{1,k−1}} of F_{2^k} over F_2
8: for i = 1 to d − 1 do a_{i,t_i,n+k} ← the extended state of length n + k for x_i end for
9: for i = 1 to d − 1 do y_i ← y_0 ⊕ P^{−1} ∘ (a_{i,t_i,n+k}) and y_i^* ← y_0^* ⊕ P^{−1} ∘ (a_{i,t_i,n+k}) end for
10: return the set of suitable conjugate states (y_i, y_i^*), i = 0, 1, ..., d − 1, for NFSR(f ∗ l)

Step 3 is well defined: T_l has order per(φ(l)), so the exponent may be reduced modulo per(φ(l)), and I_k ⊕ T_l^{2^n} is invertible because φ(l) is irreducible and different from x + 1, whence gcd(φ(l), x^{2^n} + 1) = gcd(φ(l), (x + 1)^{2^n}) = 1. Step 3 thus yields the unique initial state for which b has period 2^n, and Step 4 fills in the rest of that period; Steps 8 and 9 produce the remaining d − 1 pairs, one for each of the d − 1 joins after the first.

Let us investigate the time complexity of our method by counting exclusive-ors. Algorithm 1 mainly involves linear iterations and matrix multiplications, see Steps 2, 3, 4 and 7. First, the number of exclusive-ors needed to generate one bit for a polynomial of degree k is O(k), so the total cost of constructing the primitive-like sequence b in Steps 2 and 4 is 2^{n+1}O(k). Second, the complexity of Step 3 is per(φ(l))O(k^3), since multiplying two k × k matrices and inverting a k × k matrix both need O(k^3) exclusive-ors. Compared with the steps discussed above, the complexity of the other steps can be omitted. Hence, the total complexity of our method is roughly 2^{n+1}O(k) + per(φ(l))O(k^3) ≈ 2^{n+1}O(k); since per(φ(l)) ≤ 2^k − 1, the approximation holds whenever k is small compared with n. As for the memory requirement, we need to store the de Bruijn sequence s and the primitive-like sequence b, each of which is O(2^n) bits. Thus, the total memory requirement of Algorithm 1 is O(2^{n+1}).

Next we discuss the number of de Bruijn sequences constructed by Algorithm 1. It depends on the number of choices of (y_0, y_0^*) in Step 5 and on the number of sets of suitable conjugate states for LFSR(l). On one hand, some experimental results are listed in Table 4 to obtain a rough estimate of the number of choices of (y_0, y_0^*). It can be seen that (y_0, y_0^*) has 2^n choices in most cases, and never fewer than 2^n − 4 in these experiments. On the other hand, considering Example 3 in [11] and [12], there are 2^{1032} and 2^{177.21} distinct sets of suitable conjugate states for a 128-stage and a 300-stage irreducible LFSR(l), respectively. Hence the total number of de Bruijn sequences constructed from NFSR(f ∗ l) is about 2^n N(l), where N(l) is the number of sets of suitable conjugate states for LFSR(l).

Finally, a rough summary of methods for constructing de Bruijn sequences is given in Table 5. We remark that [11] and [12] are not listed in Table 5 because there is no explicit formula for their time complexity and the number of sequences they construct. In

Table 5, it can be seen that the time complexity of a construction method based on an NFSR is larger than that of a construction method based on an LFSR. For example, the time complexity of Algorithm 1 is larger than that of every method in [5–8]. However, the linear complexity profile of a de Bruijn sequence constructed from an LFSR is generally not very good. Recall that the linear complexity profile of a sequence is the sequence of linear complexities of all its prefixes. Rueppel pointed out in [22] that a good linear complexity profile closely follows the l/2 line as the sequence length l increases. Although de Bruijn sequences have large linear complexities, not all of them have good linear complexity profiles. For example, the linear complexity profile of a de Bruijn sequence of order n obtained by adding a zero to an m-sequence of order n is almost the same as that of the m-sequence. In general, a long segment of a de Bruijn sequence constructed by the cycle joining method from the family of sequences of an LFSR behaves like an LFSR sequence in its linear complexities. Algorithm 1 constructs de Bruijn sequences from an NFSR(f ∗ l), where f is the characteristic function of a de Bruijn sequence of order n and φ(l) is an irreducible polynomial of degree k. By selecting a good nonlinear function f, it is expected that Algorithm 1 can construct de Bruijn sequences with better linear complexity profiles than those constructed from an LFSR as in [5–8].

Table 4
The number of starting conjugate pairs (y_0, y_0^*) of NFSR(f ∗ l). The j-th entry of each set on the right is the count for the j-th l of the set on the left.

l⁴                                                                                                   | f¹ (n₁ = 4)                                                              | f² (n₂ = 5)                                                              | f³ (n₃ = 6)
{37, 41, 47, 55, 59, 61} (k = 5)                                                                     | {14, 16, 16, 16, 16, 16}                                                 | {32, 32, 32, 32, 30, 32}                                                 | {60, 60, 60, 60, 62, 60}
{67, 73, 87, 91, 97, 103, 109, 115, 117} (k = 6)                                                     | {16, 16, 14, 16, 16, 16, 16, 16, 14}                                     | {32, 32, 32, 32, 32, 32, 32, 32, 32}                                     | {64, 64, 64, 64, 62, 62, 60, 64, 64}
{131, 137, 143, 145, 157, 167, 171, 185, 191, 193, 203, 211, 213, 229, 239, 241, 247, 253} (k = 7)   | {16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16} | {32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32} | {64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64}

¹ f = x_1x_2x_3 ⊕ x_1x_2 ⊕ x_0 ⊕ 1 ⊕ x_4.
² f = x_1x_2x_3x_4 ⊕ x_2x_3x_4 ⊕ x_3x_4 ⊕ x_0 ⊕ x_2 ⊕ x_3 ⊕ x_4 ⊕ 1 ⊕ x_5.
³ f = x_1x_2x_3x_4x_5 ⊕ x_1x_2x_3x_5 ⊕ x_1x_3x_4x_5 ⊕ x_2x_3x_4 ⊕ x_1x_3x_5 ⊕ x_2x_3x_5 ⊕ x_2x_4x_5 ⊕ x_3x_4x_5 ⊕ x_2x_4 ⊕ x_3x_4 ⊕ x_4x_5 ⊕ x_0 ⊕ x_1 ⊕ x_2 ⊕ x_4 ⊕ 1 ⊕ x_6.
⁴ 37 (k = 5) stands for 100101, which means that l = x_5 ⊕ x_2 ⊕ x_0.

Table 5
The comparison of different methods.

Method      | Type                                                           | Number              | Time                      | Memory
[5]         | x_0 ⊕ x_1 ⊕ ··· ⊕ x_n                                          | 2^{n²/4}            | O(n)                      | n²/2
[6]         | (1 + x)³ p(x), deg(p(x)) = n − 3                               | O(2^{4n})           |                           |
[7]         | (1 + x + x³ + x⁴) p(x), deg(p(x)) = n − 4                      | O(2^{6n})           | O(n)                      |
[8]         | (1 + x) ∏_{i=1}^{k} p_i(x), Σ_{i=1}^{k} deg(p_i(x)) = n − 1    | O(2^{(2^k − 1)n})   | O(2^k kn)                 |
[20]        | f ∗ (x_0 ⊕ x_1), ord(f) = n − 1                                | 2                   | O(2^n)                    |
[21]        | f ∗ (x_0 ⊕ x_1)^{n−k}, ord(f) = k                              | 2^{n−k}             | O(k · 2^{n+W(n−k)−1}) ¹   |
This paper  | f ∗ l, ord(f) = n, deg(φ(l)) = k                               | N(l) ² · O(2^n)     | 2^{n+1} O(k)              | O(2^{n+1})

¹ W(n − k) is the number of ones in the binary representation of n − k.
² N(l) is the number of de Bruijn sequences constructed from an irreducible LFSR(l).

6. Conclusion

In this paper, it is shown how to construct de Bruijn sequences of order n + k from an NFSR(f ∗ l), where NFSR(f) generates a de Bruijn sequence of order n and LFSR(l) is a k-stage irreducible LFSR. The main idea behind our construction is reducing this problem to the problem of constructing de Bruijn sequences from an irreducible LFSR(l), which has been well studied. Whether this idea can be generalized to reducible LFSRs will be studied in the future.

Appendix A

Let f and l be as in Example 2. In the following, we show how to construct de Bruijn sequences according to Algorithm 1.

i) Set a set of suitable conjugate states for LFSR(l), see Table 6.
ii) Construct the primitive-like sequence b, see Example 2.
iii) Since the states b_0 = (0, 1, 1, 0, 0, 1, 1, 0, 1, 1) and b_{z(0)} = b_15 = (0, 0, 1, 1, 0, 0, 1, 1, 0, 1) are not conjugate, we have a_{9,5,10} = b_0^* ⊕ b_{z(0)} = (1, 1, 0, 1, 0, 1, 0, 1, 1, 0).
iv) Calculate the transition matrix P, see Example 3.
v) List the extended states a_{i,t_i,n+k} and P^{−1} ∘ (a_{i,t_i,10}) in Table 7.
vi) Obtain a set of suitable conjugate states for NFSR(f ∗ l), i.e., {(y_0, y_0^*), (y_1, y_1^*), ..., (y_8, y_8^*)}, see Table 7.
By interchanging the successors of {(y 0 , y ∗0 ), (y 1 , y ∗1 ), . . . , (y 8 , y ∗8 )}, all the cycles in Gf ∗l can be joined into a de Bruijn cycle in the following order [b] ∪ [b9 ] ∪ [b5 ] ∪ [b2 ] ∪ [b1 ] ∪ [b7 ] ∪ [b6 ] ∪ [b4 ] ∪ [b8 ] ∪ [b3 ].
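As an added worked example, not code from the paper, the Python script below implements Steps 1–4 of Algorithm 1 (the construction of the primitive-like sequence b that step ii) of the Appendix relies on) and then runs the test of Step 5 for every position p. The parameters are taken from Table 4: f is the order-4 function of footnote 1 and l is the entry 37 (k = 5), that is l = x_5 ⊕ x_2 ⊕ x_0 with φ(l) = x^5 + x^2 + 1, so n + k = 9. Step 3 is carried out in column-vector form without building T_l^{2^n} symbolically: the columns of T_l^{2^n} are read off by clocking the LFSR from the unit vectors, and (I_k ⊕ T_l^{2^n}) b(0) = C is solved by Gauss–Jordan elimination over F_2. Table 4 reports 14 positions p for this pair (f, l). All function names are ours.

```python
# Added example, not the paper's code: Steps 1-4 of Algorithm 1 (primitive-like
# sequence b with l(b) = s) followed by the Step 5 test. Parameters from Table 4:
# f of footnote 1 (n = 4) and l = "37 (k = 5)", i.e. l = x5 + x2 + x0.

N = 4             # order of the de Bruijn sequence s generated by NFSR(f)
K = 5             # number of stages of LFSR(l); phi(l) = x^5 + x^2 + 1
L1_TAPS = (0, 2)  # l1(x0, ..., x4) = x0 + x2, hence l = l1 + x5


def f_feedback(x):
    """x4 = x1 x2 x3 + x1 x2 + x0 + 1, the order-4 feedback of Table 4, footnote 1."""
    return (x[1] & x[2] & x[3]) ^ (x[1] & x[2]) ^ x[0] ^ 1


def run_fsr(feedback, state, steps):
    """Output `steps` bits of the FSR with the given feedback function and initial state."""
    st, out = list(state), []
    for _ in range(steps):
        out.append(st[0])
        st = st[1:] + [feedback(st)]
    return out


def de_bruijn_s():
    """One period (2^N bits) of the de Bruijn sequence of NFSR(f), started from the zero state."""
    return run_fsr(f_feedback, [0] * N, 2 ** N)


def l1(x):
    """Linear part of l evaluated on a k-bit state."""
    v = 0
    for t in L1_TAPS:
        v ^= x[t]
    return v


def drive_lfsr(state, bits):
    """Steps 2 and 4: extend `state` by v_{k+i} = l1(v_i, ..., v_{k+i-1}) + bit_i per input bit."""
    seq = list(state)
    for bit in bits:
        seq.append(l1(seq[-K:]) ^ bit)
    return seq


def solve_gf2(a, c):
    """Solve a . x = c over GF(2) by Gauss-Jordan elimination (a is k x k, nonsingular)."""
    k = len(a)
    m = [a[i][:] + [c[i]] for i in range(k)]
    for col in range(k):
        piv = next((r for r in range(col, k) if m[r][col]), None)
        if piv is None:
            raise ValueError("I + T^m is singular: per(phi(l)) must not divide m")
        m[col], m[piv] = m[piv], m[col]
        for r in range(k):
            if r != col and m[r][col]:
                m[r] = [u ^ w for u, w in zip(m[r], m[col])]
    return [m[i][k] for i in range(k)]


def primitive_like_preimage(s):
    """Steps 1-4 of Algorithm 1: the unique cyclic b of period len(s) with l(b) = s."""
    m = len(s)
    # Steps 1-2: clock the driven LFSR from the all-zero state; its final state is the
    # constant C of the affine map  state(0) -> state(m) = T^m . state(0) + C.
    c = drive_lfsr([0] * K, s)[-K:]
    # Column j of T^m is the state reached from the unit vector e_j with zero input.
    cols = [drive_lfsr([int(i == j) for i in range(K)], [0] * m)[-K:] for j in range(K)]
    # Step 3 (column-vector form): b(0) is the fixed point of that map, (I + T^m) b(0) = C.
    a = [[int(i == j) ^ cols[j][i] for j in range(K)] for i in range(K)]
    b0 = solve_gf2(a, c)
    # Step 4: clock the driven LFSR from b(0) to fill one period of b.
    return drive_lfsr(b0, s[:m - K])


def l_image(b):
    """Apply l to the cyclic sequence b: (l(b))_i = b_{i+k} + l1(b_i, ..., b_{i+k-1})."""
    m = len(b)
    return [b[(i + K) % m] ^ l1([b[(i + t) % m] for t in range(K)]) for i in range(m)]


def cyclic_windows(seq, width):
    """All `width`-bit states of a cyclic sequence, in order of position."""
    m = len(seq)
    return [tuple(seq[(i + t) % m] for t in range(width)) for i in range(m)]


def starting_conjugate_pairs(b):
    """Step 5 at every p: the p whose conjugate state (first bit flipped) is not on [b];
    any such p gives a starting pair (y_0, y_0^*) = (b_p, b_p^*)."""
    states = cyclic_windows(b, N + K)
    on_cycle = set(states)
    return [p for p, st in enumerate(states) if ((st[0] ^ 1,) + st[1:]) not in on_cycle]


if __name__ == "__main__":
    s = de_bruijn_s()
    b = primitive_like_preimage(s)
    print("s    =", "".join(map(str, s)))
    print("b    =", "".join(map(str, b)))
    print("l(b) == s:", l_image(b) == s)
    print("starting positions p:", starting_conjugate_pairs(b))
```

The check `l_image(b) == s` together with the period of b being exactly 2^n is what makes b a cycle of NFSR(f ∗ l): b lies in G(f ∗ l) because its l-image satisfies f, and it cannot have a shorter period than s.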


Table 6
A set of suitable conjugate states (x_i, x_i^*) for LFSR(l).

(x_i, x_i^*)        | joined cycles
(000000, 100000)    | [0] ∪ [a_1]
(000001, 100001)    | [a_1] ∪ [a_2]
(000010, 100010)    | [a_2] ∪ [a_3]
(010001, 110001)    | [a_3] ∪ [a_4]
(011110, 111110)    | [a_4] ∪ [a_5]
(110111, 010111)    | [a_5] ∪ [a_6]
(111001, 011001)    | [a_6] ∪ [a_7]
(110011, 010011)    | [a_7] ∪ [a_8]
(111010, 011010)    | [a_8] ∪ [a_9]

Table 7
A set of suitable conjugate states for NFSR(f ∗ l).

i | P^{−1} ∘ (a_{i,t_i,n+k})       | y_i = y_0¹ ⊕ P^{−1} ∘ (a_{i,t_i,n+k}) | Joined cycles
1 | a_{9,6,10} = (1010101101)      | y_1 = (1100110110)                    | [b_9] ∪ [b_5]
2 | a_{5,1,10} = (1111110111)      | y_2 = (1001101100)                    | [b_5] ∪ [b_2]
3 | a_{2,1,10} = (0001010000)      | y_3 = (0111001011)                    | [b_2] ∪ [b_1]
4 | a_{1,3,10} = (0001100000)      | y_4 = (0111111011)                    | [b_1] ∪ [b_7]
5 | a_{7,1,10} = (0110110011)      | y_5 = (0000101000)                    | [b_7] ∪ [b_6]
6 | a_{6,5,10} = (1100101110)      | y_6 = (1010110101)                    | [b_6] ∪ [b_4]
7 | a_{4,1,10} = (0011110001)      | y_7 = (0101101010)                    | [b_4] ∪ [b_8]
8 | a_{8,6,10} = (1001110100)      | y_8 = (1111101111)                    | [b_8] ∪ [b_3]

¹ y_0 = (0110011011).

Thus, a de Bruijn sequence of order 10 generated by this NFSR(f ∗ l) is (00000000001000111111110110111100000011000101111111001011000110001 10110001010110010001000000011011100101010001000110000001001110011 10100011001100010010011000111011001100100001001101101110001100101 11011010011010011100001001011001101000101001100000100001100111100 01011011000011000011101111001101110111001100110110010011110010010 00110101101101100111110100100111010111110110001111010110011100011 11100100011100101111010000110101011110110010101101000111010100111 01101101011000001110001001111110111011000000010100000010111010110 10101001001001010000111001101011100100110101000111100111101110000 01101000001111101111100110000100010011001110111010011001010001011 10011111110100010010101010111011111111110001000010101001101111011 11010100000100100000011110110101001011010010111000011011010000101 10000101111000110100100001111000011111100001010010100111101001111 10000010110101111001010010001011001011011111100111001000001100100 10111110001110000000011101001010111000101000110111110101011000100 0101010110111010101010000100000101011111101011101).
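The successor interchange used throughout the paper and in the Appendix above, as an added example that is not part of the original paper: for a small FSR the adjacency graph can simply be searched, so the script below finds a set of suitable conjugate states as a spanning tree of conjugate-pair edges (the generic cycle-joining method surveyed in [3], not the algebraic selection of Theorem 3), interchanges the successors of those pairs, and checks the result with a de Bruijn test. It is demonstrated on the 4-stage irreducible LFSR with φ(l) = x^4 + x^3 + x^2 + x + 1 (period 5, hence d = 3 nonzero cycles and three pairs) and on the primitive LFSR with φ(l) = x^4 + x + 1 (one pair); both choices and all function names are ours. Exhaustive search over 2^n states is only feasible for small n, which is exactly why the paper works with the algebraic structure of G(l) instead.

```python
# Added example, not the paper's code: cycle joining by interchanging the successors of
# conjugate pairs, with the pairs chosen by a breadth-first search over the cycles.
# The FSRs below (x^4 + x^3 + x^2 + x + 1 and x^4 + x + 1) are our own choice.
from collections import deque


def lfsr_feedback(taps):
    """Feedback x_n = XOR of x_t over t in taps, i.e. l1 of a linear characteristic function."""
    def g(state):
        v = 0
        for t in taps:
            v ^= state[t]
        return v
    return g


def successor(feedback, state):
    """Next state of the FSR: shift left and append the feedback bit."""
    return state[1:] + (feedback(state),)


def conjugate(state):
    """The conjugate state differs from `state` only in the first coordinate."""
    return (state[0] ^ 1,) + state[1:]


def cycles_of(feedback, n):
    """Partition the 2^n states of a nonsingular FSR into its cycles.
    Returns (list of cycles, dict state -> index of its cycle)."""
    cyc_id, cycles = {}, []
    for v in range(2 ** n):
        st = tuple((v >> (n - 1 - i)) & 1 for i in range(n))
        if st in cyc_id:
            continue
        cyc = []
        while st not in cyc_id:
            cyc_id[st] = len(cycles)
            cyc.append(st)
            st = successor(feedback, st)
        cycles.append(cyc)
    return cycles, cyc_id


def suitable_conjugate_states(feedback, n):
    """One conjugate pair per edge of a spanning tree of the adjacency graph, found by BFS
    from the cycle of the zero state; every pair straddles two different cycles."""
    cycles, cyc_id = cycles_of(feedback, n)
    root = cyc_id[(0,) * n]
    seen, pairs, queue = {root}, [], deque([root])
    while queue:
        c = queue.popleft()
        for st in cycles[c]:
            other = cyc_id[conjugate(st)]
            if other not in seen:
                seen.add(other)
                pairs.append((st, conjugate(st)))
                queue.append(other)
    if len(pairs) != len(cycles) - 1:
        raise ValueError("adjacency graph is not connected")  # impossible for a nonsingular FSR
    return pairs


def join_cycles(feedback, n, pairs):
    """Interchange the successors of every conjugate pair and read one period off the
    resulting single cycle, starting from the zero state."""
    swapped = {}
    for x, xs in pairs:
        swapped[x] = successor(feedback, xs)
        swapped[xs] = successor(feedback, x)
    seq, cur = [], (0,) * n
    for _ in range(2 ** n):
        seq.append(cur[0])
        cur = swapped[cur] if cur in swapped else successor(feedback, cur)
    return seq


def is_de_bruijn(seq, n):
    """True iff the cyclic sequence has length 2^n and all its n-bit windows are distinct."""
    m = len(seq)
    windows = {tuple(seq[(i + t) % m] for t in range(n)) for i in range(m)}
    return m == 2 ** n and len(windows) == m


if __name__ == "__main__":
    for name, taps in (("x^4+x^3+x^2+x+1", (0, 1, 2, 3)), ("x^4+x+1", (0, 1))):
        g = lfsr_feedback(taps)
        pairs = suitable_conjugate_states(g, 4)
        seq = join_cycles(g, 4, pairs)
        print(name, "cycles:", len(cycles_of(g, 4)[0]), "pairs:", pairs)
        print("  joined:", "".join(map(str, seq)), "de Bruijn:", is_de_bruijn(seq, 4))
```

Any spanning tree works, and different trees (or different pairs on the same tree edge) give different de Bruijn sequences, which is the counting argument behind N(l) in Table 5; the paper's contribution is choosing these pairs for NFSR(f ∗ l) without enumerating its 2^{n+k} states.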


References

[1] C. Canniere, B. Preneel, Trivium, in: New Stream Cipher Designs: The eSTREAM Finalists, in: Lecture Notes in Computer Science, vol. 4986, Springer, Berlin, Germany, 2008, pp. 244–266.
[2] M. Hell, T. Johansson, A. Maximov, W. Meier, The Grain family of stream ciphers, in: New Stream Cipher Designs: The eSTREAM Finalists, in: Lecture Notes in Computer Science, vol. 4986, Springer, Berlin, Germany, 2008, pp. 179–190.
[3] H. Fredricksen, A survey of full length nonlinear shift register cycle algorithms, SIAM Rev. 24 (1982) 195–221.
[4] S.W. Golomb, Shift Register Sequences, Holden-Day, San Francisco, 1967.
[5] T. Etzion, A. Lempel, Algorithms for the generation of full-length shift-register sequences, IEEE Trans. Inf. Theory 30 (1984) 480–484.
[6] C. Li, X. Zeng, T. Helleseth, C. Li, L. Hu, The properties of a class of linear FSRs and their applications to the construction of nonlinear FSRs, IEEE Trans. Inf. Theory 60 (2014) 3052–3061.
[7] M. Li, D. Lin, The adjacency graphs of linear feedback shift registers with primitive-like characteristic polynomials, IEEE Trans. Inf. Theory 63 (2017) 1325–1335.
[8] C. Li, X. Zeng, C. Li, T. Helleseth, M. Li, Construction of de Bruijn sequences from LFSRs with reducible characteristic polynomials, IEEE Trans. Inf. Theory 62 (2016) 610–624.
[9] Z. Chang, M. Ezerman, S. Ling, H. Wang, On binary de Bruijn sequences from LFSRs with arbitrary characteristic polynomials, Des. Codes Cryptogr. 87 (5) (2019) 1137–1160.
[10] E.R. Hauge, T. Helleseth, De Bruijn sequences, irreducible codes and cyclotomy, Discrete Math. 159 (1996) 143–154.
[11] J. Dong, D. Pei, Construction for de Bruijn sequences with large stage, Des. Codes Cryptogr. 85 (2017) 343–358.
[12] Z. Chang, M. Ezerman, A. Fahreza, S. Ling, H. Wang, Large order binary de Bruijn sequences via Zech's logarithms, CoRR, arXiv:1705.03150 [abs], 2017. [Online]. Available: http://arxiv.org/pdf/1705.03150.
[13] A. Lempel, On a homomorphism of the de Bruijn graph and its applications to the design of feedback shift registers, IEEE Trans. Comput. 19 (1970) 1204–1209.
[14] D.H. Green, K.R. Dimond, Nonlinear product-feedback shift registers, Proc. IEEE 117 (1970) 681–686.
[15] J. Mykkeltveit, M. Siu, P. Tong, On the cycle structure of some nonlinear shift register sequences, Inf. Control 43 (1979) 202–215.
[16] M.K. Siu, P. Tong, Generation of some de Bruijn sequences, Discrete Math. 31 (1980) 97–100.
[17] A. Alhakim, M. Nouiehed, Stretching de Bruijn sequences, Des. Codes Cryptogr. 85 (2017) 381–394.
[18] R. Lidl, H. Niederreiter, P.M. Cohn, Finite Fields, Cambridge University Press, 1997.
[19] N.G. de Bruijn, A combinatorial problem, Ned. Akad. Wet. Proc. 49 (1946) 758–764.
[20] F.S. Annexstein, Generating de Bruijn sequences: an efficient implementation, IEEE Trans. Comput. 46 (1997) 198–200.
[21] T. Chang, B. Park, Y.H. Kim, I. Song, An efficient implementation of the D-homomorphism for generation of de Bruijn sequences, IEEE Trans. Inf. Theory 45 (1999) 1280–1283.
[22] R.A. Rueppel, Linear complexity and random sequences, in: Advances in Cryptology – Eurocrypt '85, in: Lecture Notes in Computer Science, vol. 219, Springer, Berlin, 1986, pp. 167–188.