The decomposition of an NFSR into the cascade connection of two smaller NFSRs revisited

Abstract

The cascade connection of two NFSRs is an important class of NFSRs which has been used in the design of many recently proposed stream ciphers, such as Grain v1, Grain-128a, Fruit and Sprout. In this paper, we consider the decomposition of an NFSR into the cascade connection of two smaller NFSRs, which is equivalent to the factorization of a characteristic function h into \(f*g\) where f and g are both characteristic functions. Inspired by the problem of factoring a large integer, we firstly consider a special case—that is, factoring h into the form \(h=g*g\). Based on the idea of “finding derivatives”, we completely solve this case in theory, and present an algorithm to compute g from h. Moreover, if the characteristic function f is “close” to g, then one can also use the same algorithm to determine g and then get f by the existing method. For the general case, the idea of “finding derivatives” can also be used and some interesting results can be derived.

Appendices

Appendix A

In this section, we review the result that how to factor a Boolean function h into \(h=l*f\) where l is a linear function, see [15] for details.

Definition 31

For a term \(t=x_{i_{1}}x_{i_{2}}\cdots x_{i_{d}}\) with \(d\ge 1\) and \( i_{1}<i_{2}<\cdots <i_{d}\), the index distance tuple of t is defined as \( D(t)=(0,i_{2}-i_{1},i_{3}-i_{1},\ldots ,i_{d}-i_{1})\).

Let t be a term with the index distance tuple \(D=(0,u_{1},u_{2},\ldots ,u_{r}),r\ge 1\). Then it can be written uniquely as \(t=x_{i_{1}}*(x_{0}x_{u_{1}}\cdots x_{u_{r}})\). Let us denote the set of all terms containing the variable \(x_{0}\) by \(T_{0}\). By classifying the terms with the same index distance tuple, we have the following result.

Lemma 32

A Boolean function h which is not a constant can be written uniquely as

$$\begin{aligned} h=l_{1}*t_{1}\oplus l_{2}*t_{2}\oplus \cdots \oplus l_{k}*t_{k}, \end{aligned}$$

(7)

where \(l_{1},l_{2},\ldots ,l_{k}\) are linear functions and \( t_{1},t_{2},\ldots ,t_{k}\) are in \(T_{0}\) with pairwise distinct index distance tuples.

The representation given by Lemma 32 is called the \(*\)-product normal form of h.

Example 33

Let \(h=x_{0}\oplus x_{1}\oplus x_{3}\oplus x_{1}x_{3}\oplus x_{2}x_{3}\oplus x_{2}x_{4}\oplus x_{3}x_{4}\). Then the \(*\)-product normal form of h is given by

$$\begin{aligned} h=(x_{0}\oplus x_{1}\oplus x_{3})*x_{0}\oplus (x_{2}\oplus x_{3})*x_{0}x_{1}\oplus (x_{1}\oplus x_{2})*x_{0}x_{2}. \end{aligned}$$

For a linear function \(l=c_{0}x_{0}\oplus c_{1}x_{1}\oplus \cdots \oplus c_{n-1}x_{n-1}\), define

$$\begin{aligned} \phi (l)=c_{0}\oplus c_{1}x\oplus \cdots \oplus c_{n-1}x^{_{n-1}}\in {\mathbb {F}}_{2}[x]. \end{aligned}$$

The function \(\phi (\cdot )\) maps a linear function to a univariate polynomial over \( {\mathbb {F}}_{2}\), which is a one to one correspondence.

The uniqueness of the \(*\)-product normal form could yield the following result.

Theorem 34

Let h be a nonconstant Boolean function with \( *\)-product normal form given by (7). Then \(h=l*f\) for some Boolean functions l and f where l is a linear function if and only if \( \phi (l)\) is a divisor of \(\gcd (\phi (l_{1}),\phi (l_{2}),\ldots ,\phi (l_{k}))\).

It follows immediately from Theorem 34 that the linear left \(*\)-factor of h with the maximal \({{\,\textrm{maxsub}\,}}\) is unique. For the problem of factoring h into the form \(h=l*f\), although it is discussed clearly in theory, the authors do not present an algorithm in [15]. Here, we give an algorithm and its rough complexity analysis. Considering the simplicity in notation, for a linear function l, we make no distinction between l and \(\phi (l)\) in the following algorithm.

Remark 35

For a special case that l is known, then f can be determined directly by \(f=\frac{p}{l}*g\).

Let N be the number of terms in the ANF of h. Then the memory complexity of lines 1–4 of Algorithm 2 is bounded by O(N) and that of line 5 is bounded by \(O(N^{2})\). Thus, the memory complexity of Algorithm 2 is \( O(N^{2})\). For the time complexity, note that lines 2 and 4 is bounded by O(N), lines 3 and 5 is bounded by \(O(N^{2})\). Hence the time complexity of Algorithm 2 is \(O(N^{2})\).

Appendix B

In this section, a simple example is presented to show the process of Algorithm 1. Let \(g=x_{0}\oplus x_{1}x_{4}\oplus x_{2}x_{3}x_{4}\oplus x_{5}\) and \(h=g*g\) where \(d=\deg (g)=3.\) Then

$$\begin{aligned} h= & {} x_{0}\oplus x_{1}x_{5}x_{8}\oplus x_{1}x_{6}x_{7}x_{8}\oplus x_{1}x_{9}\oplus x_{2}x_{3}x_{5}x_{8}\oplus x_{2}x_{3}x_{6}x_{7}x_{8}\oplus x_{2}x_{3}x_{9}\oplus x_{2}x_{4}x_{5}x_{6}x_{7} \\{} & {} \oplus x_{2}x_{4}x_{5}x_{7}x_{8}\oplus x_{2}x_{4}x_{5}\oplus x_{2}x_{4}x_{6}x_{7}x_{8}\oplus x_{2}x_{4}x_{7}x_{9}\oplus x_{2}x_{4}x_{7}\oplus x_{2}x_{4}x_{8}\oplus x_{2}x_{5}x_{6}x_{7}x_{8} \\{} & {} \oplus x_{2}x_{5}x_{6}x_{7}x_{9}\oplus x_{2}x_{5}x_{9}\oplus x_{2}x_{6}x_{7}x_{8}\oplus x_{2}x_{8}x_{9}\oplus x_{3}x_{4}x_{5}x_{6}x_{7}x_{8}\oplus x_{3}x_{4}x_{5}x_{6}x_{7} \\{} & {} \oplus x_{3}x_{4}x_{5}x_{6}x_{8}\oplus x_{3}x_{4}x_{5}x_{6}x_{9}\oplus x_{3}x_{4}x_{5}x_{6}\oplus x_{3}x_{4}x_{5}x_{8}\oplus x_{3}x_{4}x_{5}x_{9}\oplus x_{3}x_{4}x_{5} \\{} & {} \oplus x_{3}x_{4}x_{6}x_{7}x_{8}\oplus x_{3}x_{4}x_{6}x_{7}x_{9}\oplus x_{3}x_{4}x_{6}x_{7}\oplus x_{3}x_{4}x_{6}x_{8}\oplus x_{3}x_{4}x_{6}\oplus x_{3}x_{4}x_{7}\oplus x_{3}x_{5}x_{6}x_{7}x_{9} \\{} & {} \oplus x_{3}x_{5}x_{7}x_{8}\oplus x_{3}x_{6}x_{7}x_{8}\oplus x_{3}x_{6}x_{8}x_{9}\oplus x_{3}x_{6}x_{9}\oplus x_{3}x_{7}x_{9}\\{} & {} \oplus x_{4}x_{5}x_{6}x_{7}x_{8}\oplus x_{4}x_{5}x_{6}x_{7}\oplus x_{4}x_{5}x_{6}x_{8}x_{9} \\{} & {} \oplus x_{4}x_{5}x_{7}x_{8}\oplus x_{4}x_{6}x_{7}x_{8}\oplus x_{4}x_{6}\oplus x_{4}x_{7}x_{8}\\{} & {} \oplus x_{4}x_{7}x_{9}\oplus x_{4}x_{7}\oplus x_{5}x_{6}x_{7}x_{9}\oplus x_{5}x_{6}x_{8}\oplus x_{5}x_{7}x_{8}\oplus x_{10},\\ R(h_{0})= & {} R(g)*R(g) \\= & {} x_{0}\oplus \varvec{x}_{1}\varvec{x}_{2}\varvec{x}_{4}\varvec{x}_{5}\varvec{x}_{6}\oplus \varvec{x}_{1}\varvec{x}_{2}\varvec{x}_{4}\varvec{x}_{7}\oplus \varvec{x}_{1}\varvec{x}_{2}\varvec{x} _{8}\\{} & {} \oplus \varvec{x}_{1}\varvec{x}_{3}\varvec{x}_{4}\varvec{x}_{5}\varvec{x}_{7}\oplus \varvec{x} _{1}\varvec{x}_{3}\varvec{x}_{4}\varvec{x}_{5}\varvec{x}_{8}\oplus \varvec{x}_{1}\varvec{x}_{3}\varvec{x} _{4}\varvec{x}_{5}\oplus \varvec{x}_{1}\varvec{x}_{3}\varvec{x}_{4}\varvec{x}_{6}\varvec{x}_{7} \\{} & {} \oplus \varvec{x}_{1}\varvec{x}_{3}\varvec{x}_{6}\varvec{x}_{8}\oplus \varvec{x}_{1}\varvec{x}_{3} \varvec{x}_{6}\oplus \varvec{x}_{1}\varvec{x}_{3}\varvec{x}_{7}\oplus \varvec{x}_{1}\varvec{x}_{4} \varvec{x}_{5}\varvec{x}_{6}\varvec{x}_{7}\oplus \varvec{x}_{1}\varvec{x}_{4}\varvec{x}_{7}\\{} & {} \oplus \varvec{x}_{1}\varvec{x}_{5}\varvec{x}_{6}\varvec{x}_{7}\oplus \varvec{x}_{1}\varvec{x}_{5}\varvec{x} _{8}\oplus \varvec{x}_{1}\varvec{x}_{7}\varvec{x}_{8}\oplus \varvec{x}_{1}\varvec{x}_{9} \\{} & {} \oplus x_{2}x_{3}x_{4}x_{5}x_{6}x_{7}\oplus x_{2}x_{3}x_{4}x_{5}x_{6}\oplus x_{2}x_{3}x_{4}x_{5}x_{8}\oplus x_{2}x_{3}x_{4}x_{6}x_{7}\oplus x_{2}x_{3}x_{4}x_{6}x_{8}\oplus x_{2}x_{3}x_{4}x_{6} \\{} & {} \oplus x_{2}x_{3}x_{4}x_{7}x_{8}\oplus x_{2}x_{3}x_{4}x_{7}\oplus x_{2}x_{3}x_{4}x_{8}\oplus x_{2}x_{3}x_{4}x_{9}\oplus x_{2}x_{3}x_{5}x_{6}x_{8}\oplus x_{2}x_{3}x_{5}x_{6}\oplus x_{2}x_{3}x_{5}x_{7} \\{} & {} \oplus x_{2}x_{3}x_{5}\oplus x_{2}x_{3}x_{6}\oplus x_{2}x_{4}x_{5}x_{6}x_{7}\oplus x_{2}x_{4}x_{5}\oplus x_{2}x_{4}x_{6}x_{7}\oplus x_{2}x_{5}x_{6}x_{7} \\{} & {} \oplus x_{2}x_{5}x_{7}x_{8}\oplus x_{2}x_{5}x_{9}\oplus x_{2}x_{6}x_{8}\oplus x_{3}x_{4}x_{5}x_{6}x_{7}\oplus x_{3}x_{4}x_{5}x_{6}x_{8}\oplus x_{3}x_{4}x_{5}x_{6}\oplus x_{3}x_{4}x_{6}x_{7} \\{} & {} \oplus x_{3}x_{6}x_{7}\oplus x_{3}x_{6}x_{8}\oplus x_{3}x_{6}\oplus x_{4}x_{5}x_{6}x_{7}\oplus x_{4}x_{6}x_{7}\oplus x_{4}x_{6}\oplus x_{5}x_{6}x_{7}\oplus x_{5}x_{6}x_{8}\oplus x_{10}. \end{aligned}$$

According to (3), we have

$$\begin{aligned} h_{1}= & {} \Delta _{3}(R(h_{0}))=\Delta (R(g))*R(g)\oplus \Delta (R(g)) \\= & {} x_{2}x_{4}x_{5}x_{6}\oplus x_{2}x_{4}x_{7}\oplus x_{2}x_{8}\oplus x_{3}x_{4}x_{5}x_{7}\oplus x_{3}x_{4}x_{5}x_{8}\oplus x_{3}x_{4}x_{5}\oplus x_{3}x_{4}x_{6}x_{7} \\{} & {} \oplus x_{3}x_{6}x_{8}\oplus x_{3}x_{6}\oplus x_{3}x_{7}\oplus x_{4}x_{5}x_{6}x_{7}\oplus x_{4}x_{7}\oplus x_{5}x_{6}x_{7}\oplus x_{5}x_{8}\oplus x_{7}x_{8}\oplus x_{9} \end{aligned}$$

and

$$\begin{aligned} h_{2}=\Delta _{3}(R(h_{1}))=x_{7}\oplus x_{6}x_{5}x_{4}\oplus x_{6}x_{3}\oplus x_{4}\oplus x_{2}, \end{aligned}$$

where \(\deg (h_{2})=\deg (g)=3\). Thus, \(s=2\) and it follows from Theorem 18 that

$$\begin{aligned} \Delta (R(h_{2}))=x_{2}x_{3}\oplus x_{4}=\Delta (R(g)). \end{aligned}$$

It follows from Theorem 11 that

$$\begin{aligned} h_{1}\oplus \Delta (R(g))= & {} \Delta (R(g))*R(g) \\= & {} x_{2}x_{4}x_{5}x_{6}\oplus x_{2}x_{4}x_{7}\oplus x_{2}x_{8}\oplus x_{3}x_{4}x_{5}x_{7}\oplus x_{3}x_{4}x_{5}x_{8}\oplus x_{3}x_{4}x_{5}\oplus x_{3}x_{4}x_{6}x_{7} \\{} & {} \oplus x_{3}x_{6}x_{8}\oplus x_{3}x_{6}\oplus x_{3}x_{7}\oplus x_{4}x_{5}x_{6}x_{7}\oplus x_{4}x_{7}\oplus x_{5}x_{6}x_{7}\oplus x_{5}x_{8}\oplus x_{7}x_{8}\oplus x_{9} \\{} & {} \oplus x_{2}x_{3}\oplus x_{4} \end{aligned}$$

and

$$\begin{aligned} Q_{x_2}(h_{1}\oplus \Delta (R(g)))=x_{4}x_{5}x_{6}\oplus x_{4}x_{7}\oplus x_{8}\oplus x_{3}=x_{3}*R(g). \end{aligned}$$

In this case, it means that we can get \(R(g)=x_{1}x_{2}x_{3}\oplus x_{1}x_{4}\oplus x_{5}\oplus x_{0}\) easily by Algorithm 2. Moreover, we have \(g=R^{2}(g)=x_{0}\oplus x_{1}x_{4}\oplus x_{2}x_{3}x_{4}\oplus x_{5}\).