The Massey algorithm iteratively solves the problem of finding the shortest shift register that produces a prescribed sequence of symbols. Therefore, it can be applied to finding the error locator polynomial or to problems in other areas, for instance cryptography.

A shift register is defined by giving its length, \( L \), and its connection polynomial, \( L(D) \). Since the length may not be equal to the degree \( g \) of \( L(D) \), both \( L(D) \) and \( L\ge g \) are needed to specify the circuit.

Equivalently, the register is also described by appending \( L-g \) leading zeros to \( L(D) \), that is, writing

$$ L(D)=1+{c}_1D+{c}_2{D}^2+\cdots +{c}_g{D}^g+0{D}^{g+1}+\cdots +0{D}^L $$

instead of

$$ L(D)=1+{c}_1D+\cdots +{c}_g{D}^g $$

It is a trivial task to find a register that produces the sequence \( s_0, s_1, \dots, s_N \), namely: \( L=N+1 \) and any \( L(D) \). (In fact, we don’t care about the symbols the register generates, and therefore about the polynomial. They are irrelevant, since all the symbols we want to match are already loaded in the register!) However, finding a minimum length register requires a little work and much insight.

As stated, the Massey algorithm works iteratively. So, say we have found some register \( (L_n(D), L_n) \) (not necessarily minimum length) that produces the first \( n \) terms of \( s_0, s_1, \dots, s_N \) but not \( s_n \). Let’s call \( {s}_n^{\prime}\ne {s}_n \) the symbol output by the register. Keeping up with the idea of employing prior computations, to find a register \( (L_{n+1}(D), L_{n+1}) \) that also generates \( s_n \) (and perhaps more terms, although this is not required), we’ll use \( L_n(D) \), adding to it a correction term constructed from the connection polynomial \( L_m(D) \) of a previously obtained register \( (L_m(D), L_m) \) with which we produced \( s_0, s_1, \dots, s_{m-1} \) but not \( s_m \). Again, call \( {s}_m^{\prime } \) the register output.

The discrepancies are (remember: subtraction is the same as addition)

$$ {d}_m={s}_m+{s}_m^{\prime}\ne 0,\kern1em {d}_n={s}_n+{s}_n^{\prime}\ne 0 $$

Then, the following correcting term does the job

$$ \frac{d_n}{d_m}{D}^{n-m}{L}_m(D) $$

Thus

$$ {L}_{n+1}(D)={L}_n(D)+\frac{d_n}{d_m}{D}^{n-m}{L}_m(D) $$

I show below that the register with the connection polynomial given above generates \( s_0, s_1, \dots, s_{n-1}, s_n \). It may even produce \( n^{\prime}\ge n+1 \) symbols. However, we don’t care about that.

To avoid unnecessary complications, I’ll justify the above formula using an example. Say that \( (L_8(D), L_8) \) and \( (L_5(D), L_5) \) produce only the first 8 and 5 symbols with 5 cells and 3 cells, respectively (see Fig. 4.21). I underlined “only” to emphasize that symbol \( {s}_8^{\prime } \), output by \( (L_8(D), L_8) \), differs from \( s_8 \), and the same happens with \( s_5 \) and \( {s}_5^{\prime } \), the symbol generated by \( (L_5(D), L_5) \).

Fig. 4.21 The registers \( (L_8(D), L_8) \) and \( (L_5(D), L_5) \)

A full description of the circuits is provided by the polynomials \( L_8(D) \) and \( L_5(D) \)

$$ {L}_8(D)=1+\sum \limits_1^5{c}_i{D}^i\kern1em {L}_5(D)=1+\sum \limits_1^3{c}_i^{\prime }{D}^i $$

Recall that \( c_5 \) and \( {c}_3^{\prime } \) (and other coefficients, as well) may be zero.

After being initially loaded with \( s_0, s_1, s_2, s_3, s_4 \), the first four symbols generated by \( (L_8(D), L_8) \) are

$$ {\displaystyle \begin{array}{l}{s}_5={s}_4{c}_1+{s}_3{c}_2+{s}_2{c}_3+{s}_1{c}_4+{s}_0{c}_5\\ {}{s}_6={s}_5{c}_1+{s}_4{c}_2+{s}_3{c}_3+{s}_2{c}_4+{s}_1{c}_5\\ {}{s}_7={s}_6{c}_1+{s}_5{c}_2+{s}_4{c}_3+{s}_3{c}_4+{s}_2{c}_5\\ {}{s}_8^{\prime }={s}_7{c}_1+{s}_6{c}_2+{s}_5{c}_3+{s}_4{c}_4+{s}_3{c}_5\ne {s}_8\end{array}} $$

Similarly, with register \( (L_5(D), L_5) \) we generate

$$ {\displaystyle \begin{array}{l}{s}_3={s}_2{c}_1^{\prime }+{s}_1{c}_2^{\prime }+{s}_0{c}_3^{\prime}\\ {}{s}_4={s}_3{c}_1^{\prime }+{s}_2{c}_2^{\prime }+{s}_1{c}_3^{\prime}\\ {}{s}_5^{\prime }={s}_4{c}_1^{\prime }+{s}_3{c}_2^{\prime }+{s}_2{c}_3^{\prime}\ne {s}_5\end{array}} $$

after initially loading it with \( s_0, s_1, s_2 \).

The connection polynomial for the circuit that (as we shall see) also produces (at least) \( s_8 \) is:

$$ {\displaystyle \begin{array}{c}\ {L}_9(D)={L}_8(D)+\frac{d_8}{d_5}{D}^{8-5}{L}_5(D)\\ {}=\left(1+\sum \limits_1^5{c}_i{D}^i\right)+\frac{d_8}{d_5}{D}^3\left(1+\sum \limits_1^3{c}_i^{\prime }{D}^i\right)\\ {}=1+{c}_1D+{c}_2{D}^2+\left({c}_3+\frac{d_8}{d_5}\right){D}^3\\ {}\kern0.5em +\left({c}_4+\frac{d_8}{d_5}\ {c}_1^{\prime}\right){D}^4+\left({c}_5+\frac{d_8}{d_5}{c}_2^{\prime}\right){D}^5+\frac{d_8}{d_5}{c}_3^{\prime }{D}^6\end{array}} $$

The circuit is represented in Fig. 4.22. Its length is 6, but its degree may be less than 6 (if \( {c}_3^{\prime }=0 \)).

Fig. 4.22 The register \( (L_9(D), L_9) \)

To prove that the circuit also generates \( s_8 \) (at least!), we’ll begin by looking at the equivalent circuit in Fig. 4.23. If the upper connections were not present, the lower connections would clearly produce the same symbols as \( (L_8(D), L_8) \), although with a longer register. Therefore, the lower part of the circuit can be called the generating part of the register.

Fig. 4.23 The register \( (L_9(D), L_9) \) generates \( S_6 \)

Since the symbols produced by the upper and lower connections are added, let’s see what effect the symbols coming from the upper connections have.

From Fig. 4.23, the first symbol generated by the upper connections is

$$ {s}_3+{s}_2{c}_1^{\prime }+{s}_1{c}_2^{\prime }+{s}_0{c}_3^{\prime } $$

But

$$ {s}_3={s}_2{c}_1^{\prime }+{s}_1{c}_2^{\prime }+{s}_0{c}_3^{\prime } $$

Therefore, the contribution is 0, and \( s_6 \) enters the register unchanged (as if the upper connections did not exist). The same happens with \( s_7 \) (see Fig. 4.24). Finally, from Fig. 4.25 we see that the third contribution from the upper part of the circuit is

$$ \frac{d_8}{d_5}\left({s}_5+{s}_4{c}_1^{\prime }+{s}_3{c}_2^{\prime }+{s}_2{c}_3^{\prime}\right)=\frac{d_8}{d_5}\left({s}_5+{s}_5^{\prime}\right)=\frac{d_8}{d_5}{d}_5={d}_8 $$

Fig. 4.24 The register \( (L_9(D), L_9) \) generates \( S_7 \)

Fig. 4.25 The register \( (L_9(D), L_9) \) generates \( S_8 \)

This is exactly what we need to correct the output provided by the lower part of the circuit. Thus, the upper part of the shift register can be called the correcting part of the circuit, in agreement with the name (correcting term) given to the second term of \( L_9(D) \).

Let us recapitulate.

The construction just presented to synthesize a register \( (L_{n+1}(D), L_{n+1}) \) capable of producing (at least) the first \( n+1 \) terms of a given sequence works with any pair \( (L_n(D), L_n) \), \( (L_m(D), L_m) \) of registers that only output the first \( n \) and \( m \) (\( m<n \)) symbols, respectively. The feedback polynomial is

$$ {L}_{n+1}(D)={L}_n(D)+\frac{d_n}{d_m}{D}^{n-m}{L}_m(D) $$

with

$$ {L}_n(D)=1+\sum \limits_1^{L_n}{c}_i{D}^i\kern1em {L}_m(D)=1+\sum \limits_1^{L_m}{c}_i{D}^i $$

and the register length

$$ {L}_{n+1}=\max \left\{{L}_n,n-m+{L}_m\right\} $$

Suppose that the lengths of \( (L_n(D), L_n) \) and \( (L_m(D), L_m) \) are the shortest possible. Call these minimum lengths \( {\widehat{L}}_n \) and \( {\widehat{L}}_m \).

Now, two questions:

Is there anything we can say about \( {\widehat{L}}_n \) and \( {\widehat{L}}_m \)?

If we have several choices for \( \left({\widehat{L}}_m(D),{\widehat{L}}_m\right) \), is there a choice that guarantees that \( (L_{n+1}(D), L_{n+1}) \) is also a shortest length register?

We’ll proceed in three steps.

Reg2 is initialized with the first 5 symbols output by Reg1. How many of the symbols produced by Reg1 can be matched by Reg2? Clearly, at least 5, but perhaps more symbols depending on the connections.

Let’s write the equations required by the matching

$$ {s}_4{c}_1^{\prime }+{s}_3{c}_2^{\prime }+{s}_2{c}_3^{\prime }+{s}_1{c}_4^{\prime }+{s}_0{c}_5^{\prime }={s}_5 $$

(4.1′)

$$ \kern0.5em {s}_5{c}_1^{\prime }+{s}_4{c}_2^{\prime }+{s}_3{c}_3^{\prime }+{s}_2{c}_4^{\prime }+{s}_1{c}_5^{\prime }={s}_6 $$

(4.2′)

$$ {s}_6{c}_1^{\prime }+{s}_5{c}_2^{\prime }+{s}_4{c}_3^{\prime }+{s}_3{c}_4^{\prime }+{s}_2{c}_5^{\prime }={s}_7 $$

(4.3′)

$$ {s}_7{c}_1^{\prime }+{s}_6{c}_2^{\prime }+{s}_5{c}_3^{\prime }+{s}_4{c}_4^{\prime }+{s}_3{c}_5^{\prime }={s}_8 $$

(4.4′)

$$ {s}_8{c}_1^{\prime }+{s}_7{c}_2^{\prime }+{s}_6{c}_3^{\prime }+{s}_5{c}_4^{\prime }+{s}_4{c}_5^{\prime }={s}_9 $$

(4.5′)

$$ {s}_9{c}_1^{\prime }+{s}_8{c}_2^{\prime }+{s}_7{c}_3^{\prime }+{s}_6{c}_4^{\prime }+{s}_5{c}_5^{\prime }={s}_{10} $$

(4.6′)

$$ {s}_{10}{c}_1^{\prime }+{s}_9{c}_2^{\prime }+{s}_8{c}_3^{\prime }+{s}_7{c}_4^{\prime }+{s}_6{c}_5^{\prime }={s}_{11} $$

(4.7′)

and so on.

Observe that Eq. (4.3′) is a linear combination of Eqs. (4.1′) and (4.2′). In fact, we have

$$ \left({4.3}^{\prime}\right)={c}_1\left({4.2}^{\prime}\right)+{c}_2\left({4.1}^{\prime}\right) $$

as can be seen from Eqs. (4.29)–(4.34). Similarly, we have:

$$ {\displaystyle \begin{array}{l}\left({4.4}^{\prime}\right)={c}_1\left({4.3}^{\prime}\right)+{c}_2\left({4.2}^{\prime}\right)\\ {}\left({4.5}^{\prime}\right)={c}_1\left({4.4}^{\prime}\right)+{c}_2\left({4.3}^{\prime}\right)\\ {}\left({4.6}^{\prime}\right)={c}_1\left({4.5}^{\prime}\right)+{c}_2\left({4.4}^{\prime}\right)\\ {}\left({4.7}^{\prime}\right)={c}_1\left({4.6}^{\prime}\right)+{c}_2\left({4.5}^{\prime}\right)\end{array}} $$

and so on.

This means that not only Eq. (4.3′), but also Eqs. (4.4′)–(4.7′)… are linear combinations of Eqs. (4.1′) and (4.2′). Therefore, if Eqs. (4.1′) and (4.2′) are satisfied, all the other equations are satisfied. In other words, if the coefficients of Reg2 are chosen to output \( s_5 \) and \( s_6 \), then Reg2 produces not only the first 7 (= 5 + 2) symbols output by Reg1, but all of them.

Expressing this more generally, we can say that whenever the outputs of two registers of length \( L_1 \) and \( L_2 \) coincide in the first \( L_1+L_2 \) symbols, they always coincide.

This is the key result needed to prove the lower bound on \( L_{n+1} \). But before we do that, here is a numerical example to illustrate the preceding argument.

Let’s proceed now to prove the lower bound on \( L_{n+1} \).

Assume the contrary, that is

$$ {L}_{n+1}<n+1-{L}_n $$

Then

$$ {L}_{n+1}+{L}_n\le n $$

Since the outputs of registers \( (L_n(D), L_n) \) and \( (L_{n+1}(D), L_{n+1}) \) coincide in \( n \) symbols, and \( n \) is greater than or equal to the sum of the two lengths, their outputs must always coincide, which contradicts that \( (L_{n+1}(D), L_{n+1}) \) generates \( s_n \) and \( (L_n(D), L_n) \) does not.

We, then, have

$$ {\widehat{L}}_m<{\widehat{L}}_n\kern1em \mathrm{and}\kern1em {\widehat{L}}_{m^{\prime }}={\widehat{L}}_n\kern0.75em \left({m}^{\prime}\ge m+1\right) $$

Now, since \( \left({\widehat{L}}_{m^{\prime }}(D),{\widehat{L}}_{m^{\prime }}\right) \) is minimum length and generates \( s_m \), we can write

$$ {\widehat{L}}_{m^{\prime }}=\max \left({\widehat{L}}_m,m+1-{\widehat{L}}_m\right) $$

Therefore

$$ {\widehat{L}}_n={\widehat{L}}_{m^{\prime }}=\max \left({\widehat{L}}_m,m+1-{\widehat{L}}_m\right)=m+1-{\widehat{L}}_m $$

(The last equality holds because \( {\widehat{L}}_n>{\widehat{L}}_m \).)

Hence

$$ {\widehat{L}}_m=m+1-{\widehat{L}}_n $$

as desired.

Summarizing:

As we did in the examples of this chapter, we start the algorithm with two minimum length registers of different lengths, say \( L^{\prime\prime} \) and \( L^{\prime} \) with \( L^{\prime\prime}<L^{\prime} \), such that the register of length \( L^{\prime\prime} \) generates more symbols than any other register of length less than \( L^{\prime} \). Then, the algorithm guarantees that the registers will be minimum length at every step.
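The update rule \( L_{n+1}(D)=L_n(D)+\frac{d_n}{d_m}D^{n-m}L_m(D) \) and the length rule \( L_{n+1}=\max\{L_n, n-m+L_m\} \) can be carried through in code for the binary field GF(2), where every nonzero discrepancy equals 1 and so \( d_n/d_m=1 \). This is an added example, not code from the original text; the function names and the sample sequence (generated by \( L(D)=1+D+D^3 \) from the seed 1, 0, 0) are constructed for illustration.

```python
def predict(conn, length, s, n):
    """Symbol s'_n output by register (conn, length); conn[i] is c_i, conn[0] == 1."""
    out = 0
    # The degree of conn may be smaller than the register length.
    for i in range(1, min(length, len(conn) - 1) + 1):
        out ^= conn[i] & s[n - i]
    return out

def massey(s):
    """Return (L(D), L) of a shortest register over GF(2) producing the bit list s."""
    cur, cur_len = [1], 0               # (L_n(D), L_n)
    old, old_len, m = [1], 0, -1        # (L_m(D), L_m): register kept from the last length change
    for n in range(len(s)):
        d_n = s[n] ^ predict(cur, cur_len, s, n)   # d_n = s_n + s'_n
        if d_n == 0:
            continue                    # the register already produces s_n
        shift = n - m
        # L_{n+1}(D) = L_n(D) + D^{n-m} L_m(D), since d_n / d_m = 1 in GF(2)
        new = cur + [0] * max(0, shift + len(old) - len(cur))
        for i, c in enumerate(old):
            new[i + shift] ^= c
        new_len = max(cur_len, shift + old_len)    # L_{n+1} = max{L_n, n - m + L_m}
        if new_len > cur_len:           # length grew: the current register becomes (L_m(D), L_m)
            old, old_len, m = cur, cur_len, n
        cur, cur_len = new, new_len
    return cur, cur_len

def run_register(conn, length, seed, count):
    """Load the register with its first `length` symbols and clock it to `count` symbols."""
    s = list(seed[:length])
    while len(s) < count:
        s.append(predict(conn, length, s, len(s)))
    return s

# Constructed sample: s_j = s_{j-1} + s_{j-3} over GF(2), seed 1, 0, 0.
SAMPLE = [1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 1]

if __name__ == "__main__":
    conn, length = massey(SAMPLE)
    print("L(D) coefficients:", conn, "length:", length)
    print("regenerated:", run_register(conn, length, SAMPLE, len(SAMPLE)))
```

In a cryptographic setting, the returned length is the linear complexity of the sequence, which is why a keystream taken directly from a short linear register is considered weak.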