Journal of Complexity 29 (2013) 173–181


On the decomposition of an NFSR into the cascade connection of an NFSR into an LFSR

Zhen Ma, Wen-Feng Qi ∗, Tian Tian
Department of Applied Mathematics, Zhengzhou Information Science and Technology Institute, Zhengzhou, PR China

Article history: Received 16 April 2012; Accepted 24 September 2012; Available online 2 October 2012.
Keywords: Stream ciphers; Nonlinear feedback shift registers; Cascade connection; Boolean functions; Linear complexity.

Abstract

In this paper, we study the decomposition of an NFSR into a cascade connection of an NFSR into an LFSR, which is a kind of concatenation of an NFSR and an LFSR. It is shown that this problem can be solved based on polynomial factorization in F2[x], and a potential weakness of an NFSR that can be decomposed in such a way is further discussed.

© 2013 Published by Elsevier Inc.

1. Introduction

With the development of correlation attacks and algebraic attacks, stream ciphers based on linear feedback shift registers (LFSRs) are facing more and more security problems. To resist these attacks, many recently proposed stream ciphers are designed based on nonlinear feedback shift registers (NFSRs). For example, many eSTREAM finalists use NFSRs as a building block, such as Grain [4], Mickey [1] and Trivium [2]. In general, an NFSR can be implemented either in the Fibonacci configuration (called a Fibonacci NFSR for simplicity) or in the Galois configuration (called a Galois NFSR for simplicity), and the Fibonacci configuration can be seen as a special case of the Galois configuration. In this paper, we are only concerned with Fibonacci NFSRs and with Galois NFSRs which are the cascade connections of two Fibonacci NFSRs.

Let h(x0, ..., xr) = h0(x0, ..., xr−1) ⊕ xr be a Boolean function of r + 1 variables. A diagram of an r-stage Fibonacci NFSR with characteristic function h is given in Fig. 1, denoted by NFSR(h). An output sequence a of the NFSR(h) satisfies the following recurrence relation

a_{k+r} = h0(a_k, a_{k+1}, ..., a_{k+r−1}),   k ≥ 0.

Fig. 1. An r-stage Fibonacci NFSR.

Fig. 2. The cascade connection of NFSR(f) into NFSR(g).

✩ This work was supported by NSF of China under Grant No. (61272042, 61100202).
∗ Corresponding author. E-mail addresses: [email protected] (Z. Ma), [email protected] (W.-F. Qi), [email protected] (T. Tian).
doi:10.1016/j.jco.2012.09.003

The set of all output sequences of the NFSR(h) is denoted by G(h). In particular, if h is linear, then the NFSR(h) is actually an LFSR, and so it is also denoted by LFSR(h).

The notion of the cascade connection of two Fibonacci NFSRs was first proposed by Green and Dimond in [3], where it was called the product-feedback shift register. Let f(x0, ..., xn) = f0(x0, ..., xn−1) ⊕ xn be an n-variable Boolean function and let g(x0, ..., xm) = g0(x0, ..., xm−1) ⊕ xm be an m-variable Boolean function. The Galois NFSR shown in Fig. 2 is called the cascade connection of NFSR(f) into NFSR(g), which is denoted by NFSR(f, g). The output sequences of the register labeled x0 are called the output sequences of NFSR(f, g), and the set of all output sequences of the NFSR(f, g) is denoted by G(f, g).

The multiplication denoted by a dot ‘‘·’’ in [3] and by an asterisk ‘‘∗’’ in [6]–[7] was introduced to investigate the characteristic function of the cascade connection of two NFSRs. We shall use the symbol ‘‘∗’’ throughout the paper. For any two Boolean functions f(x0, ..., xn) and g(x0, ..., xm), define

f ∗ g = f(g(x0, ..., xm), g(x1, ..., xm+1), ..., g(xn, ..., xn+m)).

If f and g are characteristic functions of two Fibonacci NFSRs, then it is easy to see that f ∗ g is of the form f ∗ g = h0(x0, ..., xn+m−1) ⊕ xn+m, a characteristic function of an NFSR, and it was shown in [3]–[6] that the NFSR(f, g) is equivalent to the NFSR(f ∗ g), i.e., G(f, g) = G(f ∗ g).

In this paper, we mainly study the decomposition of a Fibonacci NFSR into the cascade connection of a Fibonacci NFSR into an LFSR. Specifically, given a Boolean function h, we present a method to find all the linear Boolean functions l such that h = f ∗ l for some Boolean function f, where l is called a linear ∗-factor of h. Our result shows that all linear ∗-factors of h can be obtained by factoring a polynomial defined by h over the finite field F2. Furthermore, a potential weakness, for cryptographic applications, of an NFSR(h) equivalent to a cascade connection of an NFSR(f) into an LFSR(l), i.e., h = f ∗ l, is discussed. It is proved that if a sequence in G(f) has small linear complexity, then a subset of sequences in G(f, l) = G(h) will have small linear complexities, and the number of such sequences is equal to the number of sequences in G(l). In particular, if f(0, ..., 0) = 0, then G(l) ⊆ G(f ∗ l). Therefore, for the sake of security, it is not advisable to design stream ciphers based on such an NFSR(h). All our results are also true for an affine Boolean function l.

The rest of the paper is organized as follows. In Section 2 we present some necessary preliminaries. Section 3 gives the main results of the paper. In detail, in Section 3.1, for a Boolean function h, we give a linear Boolean function lh defined by h such that the set of linear ∗-factors of h is contained in that of lh. Then in Section 3.2, for a Boolean function h and a linear Boolean function l, we discuss how to determine whether l is a linear ∗-factor of h. Furthermore, in Section 3.3, the existence of subsets of sequences with small linear complexities in G(f ∗ l) is discussed. Finally, conclusions are drawn in Section 4.

Throughout the paper, the symbol ‘‘·’’ and the symbol ‘‘⊕’’ denote the multiplication and the addition of Boolean functions. The symbol ‘‘+’’ and the symbol ‘‘−’’ denote ordinary integer addition and subtraction.

2. Preliminaries

Let n be a positive integer. An n-variable Boolean function f(x0, x1, ..., xn−1) is a function from $\mathbb{F}_2^n$ into F2, and the set of all n-variable Boolean functions is denoted by Bn. A term in Bn is a product of the form $x_0^{k_0} \cdots x_{n-1}^{k_{n-1}}$ with $k_i \in \{0, 1\}$, 0 ≤ i ≤ n − 1; in particular, $1 = x_0^{0} x_1^{0} \cdots x_{n-1}^{0}$ is a term. Then f is actually a finite F2-linear combination of terms, and the set of all terms of f is denoted by T(f). Throughout the paper, we fix a term order, denoted by ≼, namely

$x_0^{d_0} \cdots x_{n-1}^{d_{n-1}} \preccurlyeq x_0^{e_0} \cdots x_{n-1}^{e_{n-1}}$ if and only if one of the following holds:
(1) $d_j = e_j$ for j = 0, 1, ..., n − 1, or
(2) $\sum_{i=0}^{n-1} d_i < \sum_{i=0}^{n-1} e_i$, or
(3) $\sum_{i=0}^{n-1} d_i = \sum_{i=0}^{n-1} e_i$ and there exists an integer k, 1 ≤ k ≤ n, such that $d_j = e_j$ for k ≤ j ≤ n − 1 and $d_{k-1} < e_{k-1}$.

Furthermore, we write $x_0^{d_0} \cdots x_{n-1}^{d_{n-1}} \prec x_0^{e_0} \cdots x_{n-1}^{e_{n-1}}$ if $x_0^{d_0} \cdots x_{n-1}^{d_{n-1}} \preccurlyeq x_0^{e_0} \cdots x_{n-1}^{e_{n-1}}$ and $x_0^{d_0} \cdots x_{n-1}^{d_{n-1}} \neq x_0^{e_0} \cdots x_{n-1}^{e_{n-1}}$.

For every Boolean function f ∈ Bn we denote by HT(f) the head term of f with respect to the term order. The algebraic degree, deg(f), is the number of variables in HT(f). If deg(f) ≤ 1, then we say f is affine, and if f is affine and the term 1 is not in T(f), then we say f is linear.

Next, we introduce some definitions and basic properties of the operation ‘‘∗’’ which will be used in what follows.

Definition 1. Let h, f and g be Boolean functions. If h = f ∗ g, then g is called an ∗-factor of h. An ∗-factor of h other than x0 and h itself is called a nontrivial ∗-factor of h.

Remark 1. For any Boolean function h, it can be seen that h = x0 ∗ h = h ∗ x0.

The following Lemma 1 immediately follows from the definition of the operation ‘‘∗’’.

Lemma 1. The operation ‘‘∗’’ has the following properties:
(1) The operation ‘‘∗’’ is left distributive, that is, for all f1, f2 ∈ Bn and all g ∈ Bm, we have
(f1 ⊕ f2) ∗ g = (f1 ∗ g) ⊕ (f2 ∗ g) and (f1 · f2) ∗ g = (f1 ∗ g) · (f2 ∗ g).
(2) The operation ‘‘∗’’ is commutative for linear Boolean functions, that is, for all linear Boolean functions l1 and l2, we have l1 ∗ l2 = l2 ∗ l1.
(3) The operation ‘‘∗’’ is associative, that is, for any f1, f2, f3 ∈ Bn, we have f1 ∗ (f2 ∗ f3) = (f1 ∗ f2) ∗ f3.
(4) Let f(x0, x1, ..., xn) = f0(x0, x1, ..., xn−1) ⊕ xn be an (n + 1)-variable Boolean function and g(x0, x1, ..., xm) = g0(x0, x1, ..., xm−1) ⊕ xm be an (m + 1)-variable Boolean function. Then f ∗ g = D(f) ∗ (g ⊕ 1), where D(f) = f(x0 ⊕ 1, x1 ⊕ 1, ..., xn ⊕ 1).

Remark 2. It follows from Lemma 1(4) that if g is a linear ∗-factor of a Boolean function h, then g ⊕ 1 is an affine ∗-factor of h, and vice versa. Thus in the rest of the paper, we only consider linear ∗-factors of a given Boolean function.

Remark 3. In general, the operation ‘‘∗’’ is not commutative for nonlinear Boolean functions. Suppose f and g are characteristic functions of two Fibonacci NFSRs. We have G(f ∗ g) ≠ G(g ∗ f) in most cases.

Let φ be a map from the set of all linear Boolean functions to F2[x] given by

φ(c0 x0 ⊕ · · · ⊕ cn−1 xn−1) = c0 ⊕ c1 x ⊕ · · · ⊕ cn−1 x^{n−1}

for every positive integer n and every linear Boolean function c0 x0 ⊕ · · · ⊕ cn−1 xn−1 ∈ Bn. Obviously, the map φ is a one-to-one correspondence. Furthermore, it is easily seen that the following Proposition 1 holds.

Proposition 1. If l1 ∈ Bn and l2 ∈ Bm are linear Boolean functions, then φ(l1 ∗ l2) = φ(l1) · φ(l2).

Proposition 1 implies that, for a given linear Boolean function l, the factorization of l into an ∗-product of linear Boolean functions is equivalent to the factorization of φ(l) in F2[x].

3. Main results

3.1. Finding linear ∗-factors of a Boolean function by factorizing a polynomial in F2[x]

Let h be a Boolean function. If deg(h) = 1, then by Proposition 1, we can obtain all nontrivial linear ∗-factors of h by factoring φ(h) in F2[x]. Thus, in this subsection, we focus on the case deg(h) > 1. Before presenting our main result, we introduce some necessary notation. For a Boolean function $h = x_{i_1} \cdots x_{i_d} \oplus h_0(x_0, x_1, \ldots, x_{r-1}) \in B_r$ with deg(h) = d > 1, where $\mathrm{HT}(h) = x_{i_1} \cdots x_{i_d}$ and i1 < · · · < id, set

$\Omega_h = \{ t \in \mathrm{T}(h) \mid \deg(t) = d \text{ and } t \text{ is divisible by } x_{i_2} \cdots x_{i_d} \}$

and denote

$l_h = \bigoplus_{t \in \Omega_h} t / (x_{i_2} \cdots x_{i_d}).$

It is clear that lh is a linear Boolean function. The following Theorem 1 is the main result of the paper, which tells us that if a Boolean function h has a linear ∗-factor l, then l is a ∗-factor of lh, or equivalently φ(l) is a factor of φ(lh) in F2[x].

Theorem 1. Let h be a Boolean function with deg(h) = d > 1. If h = f ∗ l for some Boolean function f and some linear Boolean function l, then deg(f) > 1 and lh = lf ∗ l.

Proof. Since l is linear, it is clear that deg(f) = deg(h) > 1. Assume $\mathrm{HT}(f) = x_{i_1} x_{i_2} \cdots x_{i_d}$ with i1 < i2 < · · · < id and $f = x_{i_2} \cdots x_{i_d} \cdot l_f \oplus f'$. By Lemma 1(1), we have that

$h = f \ast l = \big((x_{i_2} \cdots x_{i_d} \cdot l_f) \ast l\big) \oplus (f' \ast l) = \big((x_{i_2} \cdots x_{i_d}) \ast l\big) \cdot (l_f \ast l) \oplus (f' \ast l).$   (1)

Assume HT(l) = xe. It is clear that $\mathrm{HT}\big((x_{i_2} \cdots x_{i_d}) \ast l\big) = x_{i_2+e} \cdots x_{i_d+e}$. Thus, if we denote

$(x_{i_2} \cdots x_{i_d}) \ast l = x_{i_2+e} \cdots x_{i_d+e} \oplus q,$   (2)

then we have that $t \prec x_{i_2+e} \cdots x_{i_d+e}$ for all t ∈ T(q). Substituting (2) into (1) yields

$h = x_{i_2+e} \cdots x_{i_d+e} \cdot (l_f \ast l) \oplus q \cdot (l_f \ast l) \oplus (f' \ast l).$   (3)

First we show that

$\mathrm{HT}(h) = x_{i_1+e} x_{i_2+e} \cdots x_{i_d+e}.$   (4)

On one hand, since $\mathrm{HT}(l_f \ast l) = x_{i_1+e}$ and i1 < i2 < · · · < id, it can be seen that

$\mathrm{HT}\big(x_{i_2+e} \cdots x_{i_d+e} \cdot (l_f \ast l)\big) = x_{i_1+e} x_{i_2+e} \cdots x_{i_d+e}$   (5)

and

$\mathrm{HT}\big(q \cdot (l_f \ast l)\big) \prec x_{i_1+e} x_{i_2+e} \cdots x_{i_d+e}.$   (6)

On the other hand, since $\mathrm{HT}(f') \prec \mathrm{HT}(f) = x_{i_1} x_{i_2} \cdots x_{i_d}$, we have that

$\mathrm{HT}(f' \ast l) \prec x_{i_1+e} x_{i_2+e} \cdots x_{i_d+e}.$   (7)

Thus, it follows from (3), (5), (6) and (7) that (4) holds.

Second, we show that lh = lf ∗ l. By (3) and (4) we know that it suffices to prove that

$x_j x_{i_2+e} \cdots x_{i_d+e} \notin \mathrm{T}\big(q \cdot (l_f \ast l)\big) \cup \mathrm{T}(f' \ast l)$   (8)

for all $x_j \in \mathrm{T}(l_h)$. Suppose $x_j x_{i_2+e} \cdots x_{i_d+e} \in \mathrm{T}(q \cdot (l_f \ast l)) \cup \mathrm{T}(f' \ast l)$ for some $x_j \in \mathrm{T}(l_h)$. If $x_j x_{i_2+e} \cdots x_{i_d+e} \in \mathrm{T}(q \cdot (l_f \ast l))$, then note that $\mathrm{HT}(l_f \ast l) = x_{i_1+e} \prec x_{i_2+e} \prec \cdots \prec x_{i_d+e}$, and so $x_{i_2+e} \cdots x_{i_d+e} \mid t$ for some term t ∈ T(q), a contradiction to $\mathrm{HT}(q) \prec x_{i_2+e} \cdots x_{i_d+e}$. If $x_j x_{i_2+e} \cdots x_{i_d+e} \in \mathrm{T}(f' \ast l)$, then we have that $x_{j-a_1} x_{i_2+e-a_2} \cdots x_{i_d+e-a_d} \in \mathrm{T}(f')$ and

$\deg(x_{j-a_1} x_{i_2+e-a_2} \cdots x_{i_d+e-a_d}) = d$

for some integers a1, a2, ..., ad between 0 and e. Since $\mathrm{HT}(f') \prec \mathrm{HT}(f) = x_{i_1} x_{i_2} \cdots x_{i_d}$, it follows that a2 = a3 = · · · = ad = e and j − a1 < i1, and so $x_{j-a_1} x_{i_2} \cdots x_{i_d} \in \mathrm{T}(f') \cap \mathrm{T}(x_{i_2} \cdots x_{i_d} \cdot l_f)$, a contradiction to $\mathrm{T}(f') \cap \mathrm{T}(x_{i_2} \cdots x_{i_d} \cdot l_f) = \emptyset$. Thus (8) holds for all $x_j \in \mathrm{T}(l_h)$. □



The following Corollary 1 immediately follows from Theorem 1 and gives a sufficient condition for a Boolean function to have no nontrivial linear ∗-factors.

Corollary 1. Let $h = x_{i_1} x_{i_2} \cdots x_{i_d} \oplus h_0(x_0, x_1, \ldots, x_{r-1})$ be an r-variable Boolean function with deg(h) = d > 1 and $\mathrm{HT}(h) = x_{i_1} x_{i_2} \cdots x_{i_d}$, where i1 < i2 < · · · < id. If $x_{i_2} \cdots x_{i_d}$ does not divide t for any t ∈ T(h0) with deg(t) = d, and x0 divides t for some t ∈ T(h), then h has no nontrivial linear ∗-factors.

Proof. It is clear that $l_h = x_{i_1}$, and so a linear ∗-factor of h is of the form xj where 0 ≤ j ≤ i1 by Theorem 1. The assertion is obviously true for i1 = 0. Suppose 0 < j ≤ i1 and xj is a linear ∗-factor of h. Then the minimal subscript of the variables occurring in h is not less than j, which contradicts the fact that x0 divides t for some t ∈ T(h). □

3.2. Verification of linear ∗-factors

Theorem 1 together with Proposition 1 implies that to get all nontrivial linear ∗-factors of a given Boolean function h with deg(h) > 1, we can do the following two steps:
(1) factor φ(lh) in F2[x];
(2) for every nontrivial divisor l of φ(lh) in F2[x], verify whether φ^{−1}(l) is a linear ∗-factor of h.

As for step (1), there are many feasible factorization algorithms for polynomials over finite fields, and one can refer to [5, Chapter 4]. Generally speaking, the number of divisors of a polynomial over a finite field is reasonable, and so the number of candidates that need verification in step (2) is not great. Thus in this subsection, we mainly discuss how to verify whether a given linear Boolean function l is an ∗-factor of a given Boolean function h, and moreover, how to find the Boolean function f such that h = f ∗ l if l is a linear ∗-factor of h.

Before proceeding, we introduce a useful notation. For a Boolean function h, let µ(h) denote the minimal subscript of the variables occurring in HT(h), i.e.,

µ(h) = min{ j | xj is a divisor of HT(h) }.

For example, if h = x2x4x5 ⊕ x0x4x5 ⊕ x1x4 ⊕ x3 ⊕ x0, then µ(h) = 2. First we show the following Lemma 2.

Lemma 2. Let h be a Boolean function, and let l be a linear Boolean function. If µ(l) > µ(h), then l is not an ∗-factor of h.

Proof. It is clear that HT(lh) = x_{µ(h)} and HT(l) = x_{µ(l)}. Recall that the degree of a polynomial in F2[x] is the highest exponent of the variable x. Then we have deg(φ(lh)) = µ(h) and deg(φ(l)) = µ(l). Suppose l is an ∗-factor of h. By Theorem 1 and Proposition 1, φ(l) is a divisor of φ(lh), and thus deg(φ(l)) is not greater than deg(φ(lh)), that is, µ(l) ≤ µ(h), a contradiction. □

To determine whether l is a linear ∗-factor of h when µ(l) ≤ µ(h), we need a concept called ‘‘∗-reduction’’, which we define in the following statement.

Definition 2. Let h be a Boolean function with $\mathrm{HT}(h) = x_{i_1} x_{i_2} \cdots x_{i_d}$, and let l be a linear Boolean function with HT(l) = xe. If µ(l) ≤ µ(h), then the term

$P(h, l) = x_{i_1-e} x_{i_2-e} \cdots x_{i_d-e}$

is called the ∗-reduction term of h by l. Moreover, we call

$h \xrightarrow{\;l\;} h \oplus P(h, l) \ast l$

the ∗-reduction of h by l.

Note that $\mathrm{HT}(P(h, l) \ast l) = \mathrm{HT}(h) = x_{i_1} x_{i_2} \cdots x_{i_d}$ in Definition 2, and so we have that $\mathrm{HT}\big(h \oplus P(h, l) \ast l\big) \prec \mathrm{HT}(h)$, which implies that an ∗-reduction always leads to a Boolean function with a smaller head term. Furthermore, in the following lemma, we shall show another useful property of ∗-reductions.

Lemma 3. Let h be a Boolean function, and let l be a linear Boolean function such that µ(l) ≤ µ(h). Then l is an ∗-factor of h if and only if l is an ∗-factor of h ⊕ P(h, l) ∗ l.

Proof. (Necessity) If l is an ∗-factor of h, then h = f ∗ l for some Boolean function f, and so h ⊕ (P(h, l) ∗ l) = (f ∗ l) ⊕ (P(h, l) ∗ l) = (f ⊕ P(h, l)) ∗ l. Thus l is an ∗-factor of h ⊕ P(h, l) ∗ l. (Sufficiency) Similarly, if l is a linear ∗-factor of h ⊕ P(h, l) ∗ l, then l is a linear ∗-factor of h. □



Based on ∗-reductions, we can determine whether a linear Boolean function l is an ∗-factor of a Boolean function h as follows. If h ⊕ P(h, l) ∗ l = 0, then h = P(h, l) ∗ l, and so l is an ∗-factor of h. Otherwise, by recursively doing ∗-reductions, we will get an ∗-reduction chain

$h = h_0 \xrightarrow{\;l\;} h_1 \xrightarrow{\;l\;} \cdots.$   (9)

Since $\mathrm{HT}(h_{i+1}) \prec \mathrm{HT}(h_i)$ for i ≥ 0, and the number of Boolean functions whose head term is smaller than HT(h) is finite, the ∗-reduction chain (9) will finally stop in finitely many steps, i.e., there exists an integer k ≥ 1 such that

$h = h_0 \xrightarrow{\;l\;} h_1 \xrightarrow{\;l\;} \cdots \xrightarrow{\;l\;} h_k,$   (10)

where $h_k = 0$ or $\mu(l) > \mu(h_k)$. We remark that the ∗-reduction chain (10) is uniquely determined by h and l.

(1) If $h_k = 0$, then l is an ∗-factor of $h_{k-1}$, and so by Lemma 2 we know l is an ∗-factor of h. Furthermore, it can be seen that

$h_k = h_{k-1} \oplus P(h_{k-1}, l) \ast l = 0,$   (11)

and

$h_{i-1} = h_i \oplus P(h_{i-1}, l) \ast l$   (12)

for 0 ≤ i ≤ k. Then (11) and (12) yield

$h = h_0 = \Big( \bigoplus_{i=0}^{k-1} P(h_i, l) \Big) \ast l.$

(2) If $h_k \neq 0$ and $\mu(l) > \mu(h_k)$, then l is not an ∗-factor of $h_k$, and so by Lemma 2 we know l is not an ∗-factor of h.

We conclude the above discussion with the following theorem.

Theorem 2. Let h be a Boolean function, and let l be a linear Boolean function such that µ(l) ≤ µ(h). Then l is an ∗-factor of h if and only if there is an ∗-reduction chain

$h_0 \xrightarrow{\;l\;} h_1 \xrightarrow{\;l\;} \cdots \xrightarrow{\;l\;} h_k = 0.$

Furthermore, if l is an ∗-factor of h, then

$h = \Big( \bigoplus_{i=0}^{k-1} P(h_i, l) \Big) \ast l.$
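The ∗-reduction procedure of Theorem 2 as an added Python example (not code from the paper): Boolean functions are stored as sets of terms, ∗, l_h, φ and the reduction chain are implemented directly from their definitions, and the test data is the 7-stage function h of Example 1 below together with the candidates l2, l4 and l5 named there.

```python
# Added example (not from the paper): Boolean functions over F2 as sets of
# terms, the ∗ operation, l_h, φ and the ∗-reduction test of Theorem 2.
# A term is a frozenset of variable indices; frozenset() is the constant 1.
# XOR of two functions is set symmetric difference, and x_i * x_i = x_i
# because the product of two terms is the union of their index sets.
from functools import reduce

def var(*idx):
    """The linear function x_i ⊕ x_j ⊕ ... as a set of degree-1 terms."""
    return {frozenset([i]) for i in idx}

def mul(f, g):
    out = set()
    for s in f:
        for t in g:
            out ^= {s | t}
    return out

def shift(g, k):
    """g(x_k, ..., x_{k+m}): add k to every variable index of g."""
    return {frozenset(i + k for i in t) for t in g}

def star(f, g):
    """f ∗ g = f(g(x_0, ..., x_m), g(x_1, ..., x_{m+1}), ...)."""
    out = set()
    for t in f:
        out ^= reduce(mul, (shift(g, i) for i in sorted(t)), {frozenset()})
    return out

def term_key(t):
    # The paper's term order: lower degree first; for equal degree, compare
    # exponents from the highest variable index downwards.
    return (len(t), tuple(sorted(t, reverse=True)))

def head_term(f):
    return max(f, key=term_key)

def l_of(h):
    """l_h: XOR of t / (x_{i2} ... x_{id}) over the top-degree terms t of h
    that are divisible by the tail x_{i2} ... x_{id} of HT(h)."""
    ht = head_term(h)
    tail = ht - {min(ht)}
    return {t - tail for t in h if len(t) == len(ht) and tail <= t}

def phi(l):
    """φ(l) for linear l, as the set of exponents of a polynomial in F2[x]."""
    return {next(iter(t)) for t in l}

def linear_star_factor(h, l):
    """∗-reduction chain of h by the linear function l (Theorem 2).
    Returns (f, chain) with h == f ∗ l if l is a ∗-factor of h, else (None, chain)."""
    e = max(phi(l))                       # HT(l) = x_e
    f, cur, chain = set(), set(h), []
    while cur:
        ht = head_term(cur)
        if ht and min(ht) < e:            # µ(l) > µ(h_k): stop, not a factor
            return None, chain
        p = frozenset(i - e for i in ht)  # ∗-reduction term P(h_k, l)
        f ^= {p}
        cur ^= star({p}, l)               # h_{k+1} = h_k ⊕ P(h_k, l) ∗ l
        chain.append(set(cur))
    return f, chain

# The 7-stage characteristic function h of Example 1 and the candidates l2, l4, l5.
H = set()
for a, b in [(5, 6), (4, 6), (2, 6), (1, 6), (4, 5), (3, 5), (1, 5), (3, 4),
             (2, 4), (2, 3), (1, 3), (1, 2)]:
    H ^= {frozenset([a, b])}
H ^= var(7, 6, 5, 2, 1, 0)
L2, L4, L5 = var(2, 0), var(3, 0), var(4, 3, 1, 0)

def example1():
    """Factor h by l5 and confirm h == f ∗ l5; returns (f, chain, ok)."""
    f, chain = linear_star_factor(H, L5)
    return f, chain, star(f, L5) == H
```

The chain returned for l5 starts with x7 ⊕ x6 ⊕ x1 ⊕ x0, which is what h ⊕ (x1x2 ∗ l5) evaluates to, and then continues through x4 ⊕ x3 ⊕ x1 ⊕ x0 to 0 as in Example 1.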

Example 1. Let

h = x5x6 ⊕ x4x6 ⊕ x2x6 ⊕ x1x6 ⊕ x4x5 ⊕ x3x5 ⊕ x1x5 ⊕ x3x4 ⊕ x2x4 ⊕ x2x3 ⊕ x1x3 ⊕ x1x2 ⊕ x7 ⊕ x6 ⊕ x5 ⊕ x2 ⊕ x1 ⊕ x0

be a characteristic function of a 7-stage NFSR. Since HT(h) = x5x6, we have lh = x5 ⊕ x4 ⊕ x2 ⊕ x1, and the ∗-factorization of lh is given by

lh = (x2 ⊕ x1 ⊕ x0) ∗ (x1 ⊕ x0) ∗ (x1 ⊕ x0) ∗ x1.

It follows from Theorem 1 that a linear ∗-factor of h is a linear ∗-factor of lh. Since x0 ∈ T(h), there is no need to consider factors with minimal subscript greater than 0. Therefore all possible linear ∗-factors of h are l1 = x1 ⊕ x0, l2 = x2 ⊕ x0, l3 = x2 ⊕ x1 ⊕ x0, l4 = x3 ⊕ x0, and l5 = x4 ⊕ x3 ⊕ x1 ⊕ x0. As an example, the ∗-reduction chain of h by l5 is

$h \xrightarrow{\;l_5\;} x_7 \oplus x_6 \oplus x_5 \oplus x_1 \oplus x_0 \xrightarrow{\;l_5\;} x_4 \oplus x_3 \oplus x_1 \oplus x_0 \xrightarrow{\;l_5\;} 0.$

By Theorem 2, l5 is a ∗-factor of h. Similarly, it can be verified that l1, l2, l3, and l4 are also ∗-factors of h.

Remark 4. If two linear Boolean functions are both ∗-factors of h, then the ∗-product of the two functions is not necessarily a linear ∗-factor of h. In Example 1, l2 and l4 are ∗-factors of h, but l2 ∗ l4 = x5 ⊕ x3 ⊕ x2 ⊕ x0 is not an ∗-factor of h.

3.3. Discussions on the subsets of sequences with small linear complexity in G(f ∗ l)

Let h = xr ⊕ h0(x0, ..., xr−1) be a characteristic function of an r-stage NFSR. If there is a linear Boolean function l of m variables such that h = f ∗ l, then it can be seen that f is also of the form f = xn ⊕ f0(x0, ..., xn−1), where n = r − m. This implies that NFSR(h) can be implemented as the cascade connection of the NFSR(f) into the LFSR(l), namely G(h) = G(f, l). Furthermore, let us denote by G(b, l) the set of all output sequences of the NFSR(f, l) when the output sequence of the NFSR(f) is b. Recall that the linear complexity LC(a) of a binary sequence a is given by the shortest length of all the LFSRs that can generate a. For cryptographic applications, it is desired that all sequences in G(h) should have large linear complexities. In the following, we shall show that if the linear complexity of b is small, then all sequences in G(b, l) have small linear complexities, that is, G(h) includes a subset of 2^m sequences whose linear complexities are small.

Theorem 3. Let f = xn ⊕ f0(x0, ..., xn−1) be an n-variable Boolean function, and let l = xm ⊕ l0(x0, ..., xm−1) be an m-variable linear Boolean function. If b ∈ G(f), then

G(b, l) = G(l) ⊕ β = {a ⊕ β | a ∈ G(l)},

where β ∈ G(b, l) is the output sequence of the NFSR(f, l) such that the initial state of the LFSR(l) is all zero.

Proof. Assume c ∈ G(b, l). Then according to the feedback mode of a cascade connection of two NFSRs shown in Fig. 2, it can be seen that

c_{m+t} = l0(c_t, ..., c_{m−1+t}) ⊕ b_t   for all t ≥ 0.   (13)

Similarly, we also have that

β_{m+t} = l0(β_t, ..., β_{m−1+t}) ⊕ b_t   for all t ≥ 0.   (14)

Since l is a linear Boolean function, it follows from (13) and (14) that

c_{m+t} ⊕ β_{m+t} = l0(c_t ⊕ β_t, ..., c_{m−1+t} ⊕ β_{m−1+t}),

which implies that a = c ⊕ β = (c_t ⊕ β_t)_{t≥0} ∈ G(l). Therefore, c = a ⊕ β ∈ G(l) ⊕ β, and moreover, it is clear that the initial state (a_{m−1}, ..., a_0) of a equals (c_{m−1}, ..., c_0). □

In particular, if f(0, ..., 0) = 0 in Theorem 3, then 0 ∈ G(f) and G(0, l) = G(l), and so in such a case we have that G(f ∗ l) includes G(l). The following corollary immediately follows from Theorem 3.

Corollary 2. Let f = xn ⊕ f0(x0, ..., xn−1) be an (n + 1)-variable Boolean function, and let l = xm ⊕ l0(x0, ..., xm−1) be an (m + 1)-variable linear Boolean function. If b ∈ G(f), then LC(c) ≤ LC(b) + m for all c ∈ G(b, l).

Since so far there is no effective method to design NFSRs for which all the output sequences have large linear complexities, we suggest that the characteristic function h of an NFSR used in stream ciphers should have no linear ∗-factors.

4. Conclusion

In this paper, we completely solve the problem of the decomposition of an NFSR(h) into a cascade connection of an NFSR(f) into an LFSR(l). Moreover, if an NFSR(h) can be decomposed in such a way, we show that a sequence in G(f) with small linear complexity may result in a large number of output sequences of NFSR(h) that have small linear complexities. Thus, such an NFSR(h) should not be used in stream ciphers. A similar weakness may also exist for an NFSR(h) equivalent to a cascade connection of an NFSR(f) into an NFSR(g) where g is a nonlinear Boolean function of small degree. This will be one of the subjects of future work. Besides, constructions of NFSRs whose output sequences have both larger linear complexities and larger periods are also an important subject of future work.

References

[1] S. Babbage, M. Dodd, The MICKEY stream ciphers, in: New Stream Cipher Designs: The eSTREAM Finalists, Lecture Notes in Computer Science, vol. 4986, 2008, pp. 191–209.
[2] C. Cannière, B. Preneel, Trivium, in: New Stream Cipher Designs: The eSTREAM Finalists, Lecture Notes in Computer Science, vol. 4986, 2008, pp. 244–266.
[3] D.H. Green, K.R. Dimond, Nonlinear product-feedback shift registers, Proc. IEEE 117 (1970) 681–686.
[4] M. Hell, T. Johansson, W. Meier, The Grain family of stream ciphers, in: New Stream Cipher Designs: The eSTREAM Finalists, Lecture Notes in Computer Science, vol. 4986, 2008, pp. 179–190.
[5] R. Lidl, H. Niederreiter, Finite Fields, Encyclopedia of Mathematics and its Applications, vol. 20, Cambridge Univ. Press, Cambridge, U.K., 1983.
[6] J. Mykkeltveit, Generalization of a theorem on linear recurrence to the nonlinear case, Internal Report, University of Bergen, Bergen, 1976.
[7] J. Mykkeltveit, M. Siu, P. Tong, On the cycle structure of some nonlinear shift register sequences, Inf. Control 43 (2) (1979) 202–215.
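The sequence-level side of Section 3.3 (Theorem 3 and Corollary 2), as an added Python example that is not part of the paper: it simulates the cascade connection NFSR(f, l5) of Example 1 (f = x3 ⊕ x1x2 ⊕ x0, l5 = x4 ⊕ x3 ⊕ x1 ⊕ x0, so h = f ∗ l5 is the 7-stage function of that example) from the recurrence (13), checks that the output lies in G(h) and that c ⊕ β lies in G(l5), and bounds the linear complexity with a Berlekamp–Massey routine. The initial states and the sequence length are constructed for the demonstration.

```python
# Added example (not from the paper): the sequence-level side of Example 1.
# h = f ∗ l5 with f = x3 ⊕ x1x2 ⊕ x0 (n = 3) and l5 = x4 ⊕ x3 ⊕ x1 ⊕ x0 (m = 4),
# so NFSR(h) is the cascade connection NFSR(f, l5) of Fig. 2.  The functions
# below check G(f, l5) = G(h), Theorem 3 (c ⊕ β ∈ G(l5)) and Corollary 2
# (LC(c) ≤ LC(b) + m) on constructed initial states.

def f0(x):                      # f = x3 ⊕ f0(x0, x1, x2)
    return (x[1] & x[2]) ^ x[0]

def l0(x):                      # l5 = x4 ⊕ l0(x0, ..., x3)
    return x[3] ^ x[1] ^ x[0]

def h0(x):                      # h = x7 ⊕ h0(x0, ..., x6), h as in Example 1
    x0, x1, x2, x3, x4, x5, x6 = x
    quad = ((x5 & x6) ^ (x4 & x6) ^ (x2 & x6) ^ (x1 & x6) ^ (x4 & x5) ^ (x3 & x5)
            ^ (x1 & x5) ^ (x3 & x4) ^ (x2 & x4) ^ (x2 & x3) ^ (x1 & x3) ^ (x1 & x2))
    return quad ^ x6 ^ x5 ^ x2 ^ x1 ^ x0

def fibonacci_nfsr(feedback, state, length):
    """a_0, a_1, ... with a_{k+n} = feedback(a_k, ..., a_{k+n-1}), n = len(state)."""
    s, n = list(state), len(state)
    while len(s) < length:
        s.append(feedback(s[-n:]))
    return s

def cascade(f_state, l_state, length):
    """Output c of NFSR(f, l5): the NFSR(f) output b is XORed into the LFSR(l5)
    feedback, i.e. recurrence (13): c_{m+t} = l0(c_t, ..., c_{m-1+t}) ⊕ b_t."""
    b = fibonacci_nfsr(f0, f_state, length)
    c, m = list(l_state), len(l_state)
    for t in range(length - m):
        c.append(l0(c[t:t + m]) ^ b[t])
    return b, c

def satisfies(feedback, seq, n):
    """True if seq obeys the n-stage recurrence seq[k+n] = feedback(seq[k:k+n])."""
    return all(seq[k + n] == feedback(seq[k:k + n]) for k in range(len(seq) - n))

def linear_complexity(s):
    """Berlekamp-Massey over F2: length of the shortest LFSR generating s."""
    n = len(s)
    c, b = [0] * n, [0] * n
    c[0] = b[0] = 1
    L, m = 0, -1
    for i in range(n):
        d = s[i]
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:
            t = c[:]
            for j in range(n - i + m):
                c[j + i - m] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L

def theorem3_check(f_state, l_state, length=64):
    """(LC(b), LC(c), c ∈ G(h), c ⊕ β ∈ G(l5)) for the cascade output c that
    starts from the given NFSR(f) state and LFSR(l5) state (constructed inputs)."""
    b, c = cascade(f_state, l_state, length)
    _, beta = cascade(f_state, [0] * len(l_state), length)   # all-zero LFSR state
    a = [ci ^ bi for ci, bi in zip(c, beta)]
    return (linear_complexity(b), linear_complexity(c),
            satisfies(h0, c, 7), satisfies(l0, a, 4))
```

With the all-zero NFSR(f) state, b = 0 and the output is an LFSR(l5) sequence of linear complexity at most 4, which is the G(l) ⊆ G(f ∗ l) case noted after Theorem 3.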