The state diagram of χ

In symmetric cryptography, block ciphers, stream ciphers and permutations often make use of a round function and many round functions consist of a linear and a non-linear layer. One that is often used is based on the cellular automaton that is denoted by $\chi$ as a Boolean map on bi-infinite sequences, $\mathbb{F}_2^{\mathbb{Z}}$. It is defined by $\sigma \mapsto \nu$ where each $\nu_i = \sigma_i + (\sigma_{i+1}+1)\sigma_{i+2}$. A map $\chi_n$ is a map that operates on $n$-bit arrays with periodic boundary conditions. This corresponds with $\chi$ restricted to periodic infinite sequences with period that divides $n$. This map $\chi_n$ is used in various permutations, e.g., Keccak-f (the permutation in SHA-3), ASCON (the NIST standard for lightweight cryptography), Xoodoo, Rasta and Subterranean (2.0). In this paper, we characterize the graph of $\chi$ on periodic sequences. It turns out that $\chi$ is surjective on the set of all periodic sequences. We will show what sequences will give collisions after one application of $\chi$. We prove that, for odd $n$, the order of $\chi_n$ (in the group of bijective maps on $\mathbb{F}_2^n$) is $2^{\lceil \lg(\frac{n+1}{2}) \rceil}$. A given periodic sequence lies on a cycle in the graph of $\chi$, or it can be represented as a polynomial. By regarding the divisors of such a polynomial one can see whether it lies in a cycle, or after how many iterations of $\chi$ it will. Furthermore, we can see, for a given $\sigma$, the length of the cycle in its component in the state diagram. Finally, we extend the surjectivity of $\chi$ to $\mathbb{F}_2^{\mathbb{Z}}$, thus to include non-periodic sequences.

The authors would like to thank Wieb Bosma and Marloes Venema for proofreading (parts of) the text and helpful suggestions.

Data availability statement
This manuscript has no associated data.

Introduction
Block ciphers or permutations are usually iterative; often they are SPNs. Those repeat a simple round function that usually consists of a linear (affine) layer and a non-linear layer. This non-linear layer is often based on one of the Boolean maps $\chi_n$. For each $n$, the map $\chi_n : \mathbb{F}_2^n \to \mathbb{F}_2^n$, $x \mapsto y$ is defined by $y_i = x_i + (x_{i+1} + 1)x_{i+2}$, where the indices are taken modulo $n$. It is used as $\chi_5$ in Keccak-f [1], the permutation in SHA-3 [10], and also as $\chi_5$ in ASCON [7], the NIST standard for lightweight cryptography [11]. In Xoodoo [4], the value of $n$ is 3, i.e., $\chi_3$, while in Rasta [6], it is equal to the block length (always odd). The width of each of these permutations is larger than the circle length of $\chi_n$, so the bits of the sequence are partitioned in $n$-bit circles and $\chi_n$ is applied to each of these circles in parallel. In Subterranean [2] and Subterranean 2.0 [5], $\chi_{257}$ is applied on the entire state as one circle. We study these maps by considering the map on bi-infinite sequences, as the map $\chi : \mathbb{F}_2^{\mathbb{Z}} \to \mathbb{F}_2^{\mathbb{Z}}$, $\sigma \mapsto \nu$ that is defined by $\nu_i = \sigma_i + (\sigma_{i+1} + 1)\sigma_{i+2}$. This map is actually the state updating transformation of a cellular automaton as in [15].
It is known from [3] that $\chi_n$ is bijective if and only if $n$ is odd. We revisit a proof of this in Section 4. The examples above use $\chi_n$ for odd $n$, as iterating an invertible round function gives a permutation, but using a non-invertible round function will result in collisions. Having collisions might result in finding concrete distinguishers to attack ciphers.
However, it may just be interesting to have $\chi_n$ where, e.g., $n = 512$, to have $\chi$ operate on states whose length is a power of 2. In this case, however, it is necessary to know how many collisions we have, or, equivalently, how many states have more than one preimage. If we characterize the state diagram of $\chi$, we can observe this for each $n$. In particular $\chi_n$ is the restriction of $\chi$ to sequences with period dividing $n$. For instance, the sequence that follows the pattern '01' infinitely in both directions is a sequence of period 2.
By randomizing the input, like in the Even-Mansour construction ([8]), we can use that $\chi_n$ is a "near-permutation" on, e.g., $n = 512$ bits. By a "near-permutation", we mean that out of the $2^{512}$, only a negligible number of $2^{257} - 1$ states do not have a unique preimage. Since the inputs are randomized, there is only a very small probability ($2^{-257}$) of collisions.
Our contributions We show that the order of $\chi_n$ (in the group of bijections on $\mathbb{F}_2^n$) is $2^{\lceil \lg(\frac{n+1}{2}) \rceil}$, when $n$ is odd. An application is then that the inverse of $\chi_n$ is just a composition of $\chi_n$ with itself $2^{\lceil \lg(\frac{n+1}{2}) \rceil} - 1$ times. We furthermore prove that $\chi$ is surjective on $\mathbb{F}_2^{\mathbb{Z}}$. This is done with a linearization technique in Section 4 and extended to nonperiodic states with a topological argument in Section 7.
For each state whereupon $\chi$ has exactly one preimage, we can immediately observe by the degrees of associated polynomials what the length of its cycle (orbit) is. Furthermore, using linearization techniques similar to those in Section 4, we are able to deduce that the non-invertible component of the state diagram for states of period $2^k$ for any $k$ is a binary tree, where the root is mapped to itself.
Lastly, we combine these techniques to find the remaining components of the state diagram with the states of even period $2^k \cdot m$ with $m > 1$. The states in the cycle of a component all have the same period. The further one goes away from the cycle (by taking preimages), the larger the period grows by factors 2.
We can determine whether a state lies in the cycle, by checking whether it is divisible by a certain polynomial, or after how many applications of $\chi$ it will become part of the cycle. For the length of the cycle when $n = 2m$ with $m$ odd, we see that it always is a divisor of $2^o - 1$, where $o$ is the multiplicative order of 2 modulo $n/2$. The length of a cycle when $n = 2^k \cdot m$ is just $2^{k-1}$ times the length of the cycle for $n = 2m$.
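The bijectivity, order and collision claims of this introduction can be checked exhaustively for small $n$. The following Python sketch is an added example, not code from the paper: it implements $\chi_n$ on integers, compares the measured order with $2^{\lceil \lg(\frac{n+1}{2}) \rceil}$ for odd $n$, and counts the states without a unique preimage for even $n$. The closed form $2^{n/2+1} - 1$ for that count is an assumption that generalises the $n = 512$ figure quoted above, and all function names are chosen for this example.

```python
# Added example: chi_n on n-bit states packed into Python ints (bit i holds x_i).

def chi(x, n):
    """y_i = x_i + (x_{i+1} + 1) * x_{i+2} over F_2, indices taken modulo n."""
    mask = (1 << n) - 1

    def rot(v, k):
        # Bit i of the result is v_{(i + k) mod n}.
        k %= n
        return ((v >> k) | (v << (n - k))) & mask

    return x ^ (~rot(x, 1) & rot(x, 2) & mask)


def preimage_counts(n):
    """counts[y] = number of x in F_2^n with chi_n(x) = y."""
    counts = [0] * (1 << n)
    for x in range(1 << n):
        counts[chi(x, n)] += 1
    return counts


def is_bijective(n):
    return all(c == 1 for c in preimage_counts(n))


def states_without_unique_preimage(n):
    """States with zero or with several preimages under chi_n."""
    return sum(1 for c in preimage_counts(n) if c != 1)


def predicted_order(n):
    """2^ceil(lg((n+1)/2)) for odd n, computed in exact integer arithmetic."""
    half = (n + 1) // 2
    return 1 << (half - 1).bit_length()


def measured_order(n):
    """Smallest k >= 1 such that chi_n^k is the identity (brute force, odd n)."""
    if n % 2 == 0:
        raise ValueError("chi_n is not a permutation for even n")
    identity = list(range(1 << n))
    current, k = [chi(x, n) for x in identity], 1
    while current != identity:
        current = [chi(x, n) for x in current]
        k += 1
    return k


def chi_inverse(y, n):
    """Inverse of chi_n for odd n, as chi_n composed with itself order - 1 times."""
    for _ in range(predicted_order(n) - 1):
        y = chi(y, n)
    return y


if __name__ == "__main__":
    for n in range(2, 12):
        if n % 2:
            print(n, "bijective:", is_bijective(n),
                  "order:", measured_order(n), "predicted:", predicted_order(n))
        else:
            print(n, "states without unique preimage:",
                  states_without_unique_preimage(n),
                  "expected:", 2 ** (n // 2 + 1) - 1)
```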

Notations and conventions
For a map $F : X \to Y$ and a subset $A \subset X$ we write $F|_A : A \to F(A)$ for the map $F$ restricted to $A$. Given two maps $F : X \to Y$ and $G : Y \to Z$, we write $G \circ F : X \to Z$ for the composition of the maps.
With $\mathbb{Z}$ we denote the ring of integers, and by $\mathbb{N}$ the set of natural numbers. We write $\mathbb{N}^*$ for the set of positive integers. We denote an arbitrary field by $\mathbb{F}$ and the finite field of two elements by $\mathbb{F}_2$. Additionally, we have the notation $\mathbb{F}_2^n$ for the standard $n$-dimensional $\mathbb{F}_2$-vector space, obtained as the Cartesian product of $n$ copies of $\mathbb{F}_2$. For the vector space of infinitely long binary sequences, we write $\mathbb{F}_2^{\mathbb{Z}}$, since we see infinitely long binary sequences as infinite in both directions. The elements of $\mathbb{F}_2$ are called bits. The elements of $\mathbb{F}_2^{\mathbb{Z}}$, or (for any positive integer $n$) $\mathbb{F}_2^n$, we call states. For those in $\mathbb{F}_2^n$, we use Latin lowercase symbols as $x, y$. For infinitely long states, we use Greek lowercase symbols as $\sigma, \nu, \rho$.
We write $0^n \in \mathbb{F}_2^n$ for a state of $n$ bits 0, and $1^n$ for a state of $n$ bits 1. A state $\sigma \in \mathbb{F}_2^{\mathbb{Z}}$ that has a repeating part $\sigma_0, \sigma_1, \ldots, \sigma_{n-1}$, for a certain $n$, we write $\sigma = (\sigma_0 \sigma_1 \cdots \sigma_{n-1})^*$. Most often we take the shortest possible $n$. For example, for the bi-infinite state of all zeroes we write $0^*$. In the same fashion we can write $(01)^*$ for a bi-infinite state of repeating pattern '01' and not $(0101)^*$. If we write $(*1)^n$, we mean a state of length $2n$ where each second bit is 1 and each other bit can be either 0 or 1. A $*$ denotes that it can be either 0 or 1.
The number of ones in a finite state $x \in \mathbb{F}_2^n$ is called the Hamming weight and is denoted as $\mathrm{hw}(x)$.
When $V$ is a vector space over $\mathbb{F}$, then we use $[[v_1, \ldots, v_n]]$ as notation for the set spanned by the vectors $v_1, \ldots, v_n \in V$, i.e., Furthermore, we write $\mathbb{F}_2[X]$ for the ring of polynomials in the indeterminate $X$ with coefficients in $\mathbb{F}_2$. If we write $\mathbb{F}_2[X]/(f(X))$, we mean the quotient ring of $\mathbb{F}_2[X]$ by the ideal generated by the polynomial $f(X)$. For any commutative ring $R$, we write $R^*$ for its group of units.
Lastly, we write lg for the binary logarithm, i.e., the logarithm with base 2, gcd for the greatest common divisor in a Euclidean ring and lcm for the least common multiple.

Shift maps, periodicity and state diagrams
Here, we discuss shift maps, and from those define which states are periodic. Next, we discuss shift-invariant maps and their state diagrams. We start with giving the definition of χ, the subject of this paper.
We see that χ is a map of degree two, in particular nonlinear.

Shift maps and periodic states
To study the state diagram of $\chi$, we will use shift maps, as they partition the vector space $\mathbb{F}_2^{\mathbb{Z}}$. The state diagram then consists of many isomorphic components, as per this partition.
Definition 2 (Shift maps) For any field $\mathbb{F}_2$ we define a shift map $\tau$ on $\mathbb{F}_2^{\mathbb{Z}}$ as: For any integer $k > 0$ we can define $\tau^k$ by iterating $\tau$. For $k < 0$, we define $\tau^k$ on $\mathbb{F}_2^{\mathbb{Z}}$ by iterating $\tau^{-1}(\sigma) = \nu$ where $\nu_i = \sigma_{i-1}$.
These shift maps are linear. The group $\{\tau^k \mid k \in \mathbb{Z}\}$ under composition is isomorphic to $(\mathbb{Z}, +)$. Some of the infinite states in $\mathbb{F}_2^{\mathbb{Z}}$ are invariant under a subgroup of shifts.
Definition 3 (Periodic states) A state $\sigma \in \mathbb{F}_2^{\mathbb{Z}}$ is called periodic when there exists an integer $n > 0$ such that $\tau^n(\sigma) = \sigma$. The minimal such integer $n$ for which $\sigma$ is periodic is called the period of $\sigma$. We then write $\mathrm{per}(\sigma) = n$. We furthermore write $P_n$ for the set of all states of period $n$. We lastly denote the set of all periodic states by n P n = F 2 .
For example, $P_1 = \{0^*, 1^*\}$ and $P_2 = \{(01)^*, (10)^*\}$. We define $S_n = \bigcup_{d \mid n} P_d$ for the set of all states that have a period that divides $n$.

Lemma 1
The set $S_n$ is a linear subspace of the vector space $\mathbb{F}_2^{\mathbb{Z}}$ and we have $S_n \cong \mathbb{F}_2^n$.
Proof Since $\tau^k$ is a linear map for every $k \geq 1$, and $S_n$ is the set of all vectors invariant under $\tau^n$, we find that $S_n$ is a linear subspace of $\mathbb{F}_2^{\mathbb{Z}}$. We have $\#S_n = 2^n$, and since $S_n$ is a vector space, the isomorphism holds.
We now see that In particular the sets P n form a partition of F 2 .
We can now define an equivalent of $\chi$ on $\mathbb{F}_2^n$: The cryptographic functions mentioned in the introduction all use one of the maps $\chi_n$ on some $S_n$ for some odd $n$.
The shift maps make for a further partition of the sets $S_n$.
Definition 5 (Shift equivalent) Two states $\sigma, \rho \in \mathbb{F}_2^{\mathbb{Z}}$ are shift equivalent if and only if $\sigma = \tau^k(\rho)$ for some $k \in \mathbb{Z}$.
Shift equivalence can be used to partition each $P_n$ into equivalence classes of cardinality $n$. We call these necklaces.
Example 1 Consider $P_5$. Then $(00101)^*$ and $(01010)^*$ are shift equivalent. Since all states $\sigma \in P_5$ have period 5, their necklaces have 5 elements. The number of states in $P_5$ is $2^5 - 2^1 = 30$ and therefore $P_5$ has six shift classes. A system of representatives is given by the states in Figure 1, that also contains their propagation under $\chi$.
Let $n$ be any positive integer, then the number of states in $P_n$ can be computed from the number of states in $S_d$ with $d \mid n$ by the principle of inclusion-exclusion: The $\mu$ in this formula is the Möbius function ([9]).

Shift-invariant maps and state diagrams
We will now discuss maps that are invariant under shift maps. Such a map has a simplified state diagram, where several components are isomorphic and can be translated into each other by a shift map.
A shift-invariant map always maps elements in a certain necklace to elements in the same necklace. Any shift-invariant map can therefore be studied by studying the induced quotient map on these necklaces.
One finds that χ and χ n are shift invariant.
Lemma 2 Both χ : F 2 → F 2 and, for each $n$, $\chi_n : \mathbb{F}_2^n \to \mathbb{F}_2^n$ are shift invariant.
One can recognize a shift-invariant map by seeing that for each $y_i$ we have the same formula with respect to $i$, where $y$ is the image under the function. Note that a shift-invariant map does not necessarily have to be given in this form, thus it cannot always be recognized as such. The image of a state of period $n$ under a shift-invariant map will have a period that is a divisor of $n$: Then the period of $\psi(\sigma)$ divides $n$.
Proof We have $\tau^n(\psi(\sigma)) = \psi(\tau^n(\sigma)) = \psi(\sigma)$.
When a map $F$ is shift invariant, the state diagram can be depicted by giving the state diagram of the induced quotient map on necklaces. In that sense, Figure 1 represents the state diagram of $\chi_5$. When a necklace has $k$ elements, then each (connected) component of the state diagram of the induced quotient map occurs $k$ times in the state diagram of $F$. For instance, the 4-cycle and 2-cycle in Figure 1 each appear 5 times.
Orbits of elements are clearly visible in the state diagram of a map. Note that for any $F : S \to S$, any orbit has cardinality at most $\#S$. When $F$ is a bijective map on a finite set, it is a standard result that the state diagram of $F$ consists of disjoint cycles. In this case, all orbits are cycles. Hence, for bijective $F$, we can determine the order of $F$ by looking at the state diagram and the lengths of the cycles: Any finite component of a graph is either a cycle or of the form a cycle with trees on its vertices. We can therefore talk about the number $k$ of applications of $F$ needed on an element $a \in S$ such that $F^k(a)$ is on the cycle.
Definition 9 (Layer numbers) Let $S$ be a set and $F : S \to S$ be a map. Let $C$ be a component of the state diagram of $F$. We define the layers of the component as follows: Thus, for a bijective map $F : S \to S$ on a finite set, all components $C$ have only one layer, $L_0(C)$. When it is clear about which component we speak, we may leave out the $C$, and just write $L_k$.
We furthermore say that a component $C$ is of period $n$ if the elements in $L_0(C)$ all have period $n$. Note that all elements in $L_0(C)$ necessarily have the same period.

Invertibility and cycles in the state diagram of χ
In this section we are going to investigate the state diagram of χ on a certain large class of periodic states. Namely, those that have a unique preimage (or, where χ acts bijectively) occur in a cyclic component. As a corollary, we obtain a direct formula for the order of χ n for odd n.
Daemen showed that $\chi$ is invertible on states that have period dividing $n$ when $n$ is odd ([3]). We give a new proof here, because this new proof gives a direct formula for the order of $\chi_n$.

Dynamic bits
For two bit positions $i$ and $j$, we set $d = j - i$ to be the distance from bit $i$ to bit $j$. Furthermore, the next 1-bit from a bit position $i$ is the smallest bit position $j > i$ such that $\sigma_j = 1$. Note that any bit position in a periodic state $\sigma$ has a next 1-bit, as long as $\sigma$ has period $n > 1$.

Definition 10 (Dynamic and static bits)
A bit is called dynamic if the distance to the next 1-bit is even. When the distance to the next 1-bit is odd, we call the bit static. A static bit that has the value 1 is called an anchor.
To explain the terminology for dynamic and static, we have the following lemma.

Lemma 4 Static bits are invariant under χ.
Proof A bit changes under χ if and only if the distance to the next 1-bit is 2. A static bit has odd distance to the next 1-bit, hence remains unchanged.
Definition 11 (Dynamicity pattern) Given a state $\sigma$ of period $n$, then its dynamicity pattern is a string $x \in \{0, 1, *\}^n$, where $x_i = \sigma_i$ if $\sigma_i$ is static, and $x_i = *$ otherwise.
We show that the dynamicity pattern is invariant under applications of $\chi$. For that we use a lemma, simplifying $\chi$ on dynamic bits:
Lemma 5 Let σ ∈ F 2 and $\sigma_i$ be a dynamic bit. Let $\nu = \chi(\sigma)$, then $\nu_i = \sigma_i + \sigma_{i+2}$.

Proposition 1
The dynamicity pattern of a state is invariant under χ.
Proof Let σ ∈ F 2 be arbitrary non-zero and $\nu = \chi(\sigma)$. Pick some $\sigma_i$ arbitrary. We make a case distinction on the basis of the distance to the next 1-bit.
1. First, assume that the distance is larger than 2. That means that $\sigma_i$ is followed by $0^n 1$ for some $n \geq 2$. Then $\nu_i$ is followed by $0^{n-2}10{*}$, where $*$ is an undetermined value. Since $n$ and $n - 2$ have the same parity, the dynamicity of $\sigma_i$ is the same as $\nu_i$.
2. Assume that the distance to the next 1-bit is equal to 2. That means that $\sigma_i$ is followed by 01, i.e., $\sigma_i$ is dynamic. Assume that $\nu_i$ is static, thus $\nu_i$ is followed by $(00)^n 1$ for some $n \geq 0$. By Lemma 5, we have two options for $\sigma_i$: it is either followed by $(00)^{n+1} 1$, or by $(10)^n 1$. In both cases, $\sigma_i$ would be static, a contradiction.
3. Lastly, assume that the distance to the next 1-bit is 1. Now, $\sigma_i$ is static. Assume that $\nu_i$ is dynamic, hence followed by $0(00)^n 1$ for some $n \geq 0$. By Lemma 5, we now have two options for $\sigma_i$: it is either followed by $0(00)^{n+1} 1$, or by $0(10)^n 1$. In both cases, $\sigma_i$ is not followed by 1, a contradiction.
Example 2 (Dynamicity pattern) Take for example the state $(001011110001)^*$, then we locate the dynamic bits and replace them by $*$: Here $\nu = \chi(\sigma)$, and we see that the dynamicity pattern remains the same.
Lemma 6 (Distance to anchors - No. 1) Let σ ∈ F 2 be a periodic state with at least one anchor. Then the distance from a dynamic bit to the next anchor is even.
Proof Let $\sigma_i$ be an arbitrary dynamic bit. Then the next 1-bit has even distance from $\sigma_i$ by definition. If this bit is static, it is an anchor. If it is not an anchor, then the distance to the next 1-bit is even again. Iterate this process until one arrives at an anchor, all the while keeping an even distance. Since we have at least one anchor by hypothesis, this process will stop.
Lemma 7 (Distance to anchors - No. 2) Let σ ∈ F 2 be a periodic state with at least one anchor. Then the distance from an anchor to the next anchor is odd.
Proof Let $\sigma_i$ be an arbitrary anchor. Then by definition, the next 1-bit has odd distance from $\sigma_i$. Then either this 1-bit is an anchor, in which case we are done. In the other case, this 1-bit is not an anchor, hence it is a dynamic bit and the result follows from applying Lemma 6.

Anchor polynomials and the uniqueness of preimages under χ
Since the dynamicity pattern is invariant under application of $\chi$, and anchors are static bits, we can uniquely split up a state at its anchors. For example, if we take $(11011)^*$, we can split it up like 101-1-1. On the other hand, the state $(11010)^*$ can only be split up as 10101. It is a single substring, as it has precisely one anchor.
For each anchor, we can create a corresponding polynomial:
Definition 12 (Anchor polynomial) Let σ ∈ F 2 be a periodic state with at least one anchor. Let $\sigma_i$ be an anchor and let $\sigma_{i-(2d_i+1)}$ be the previous anchor.
Note that a periodic state with at least one anchor can now be completely represented by the positions of its anchors and their corresponding anchor polynomials. Furthermore, using these anchor polynomials, we can describe the operation of $\chi$ in an elegant way:
Proposition 2 ($\chi$ is multiplication by $X + 1$) Let σ ∈ F 2 be a periodic state with at least one anchor and $\nu = \chi(\sigma)$. Let $a^{(i)}(X)$ be the anchor polynomial with anchor degree $d_i$ of the anchor
Theorem 1 (States with an anchor have a unique preimage) Let ν ∈ F 2 be a periodic state with at least one anchor. Then $\nu$ has precisely one preimage.
Proof We need to show that there is a unique way to obtain the anchor polynomials of $\sigma$ such that $\chi(\sigma) = \nu$. To do this, let $b^{(i)}(X)$ be an anchor polynomial of $\nu$. Then $a^{(i)}(X) = (1 + X + X^2 + \cdots + X^{k-1})\, b^{(i)}(X) \bmod X^{d_i}$ is the anchor polynomial for $\sigma$. The uniqueness follows from uniqueness of inverses in a ring.
We have reduced the question of finding states with unique preimages to finding states with at least one anchor. A first result is that all non-zero states of odd period have an anchor:
Proposition 3 Let σ ∈ F 2 be non-zero and have odd period. Then it has at least one anchor.
Proof The distances between consecutive 1-bits in $\sigma$ together sum to the period. Since the period is odd, there has to be at least one of those distances that is odd, hence at least one anchor.
Secondly, we can concretely define the non-zero states of even period that have an anchor.
In addition, we define $S_0 := \bigcup_{n=2}^{\infty} S_{n,0}$, $S_1 := \bigcup_{n=2}^{\infty} S_{n,1}$, and $T := \bigcup_{n=1}^{\infty} T_n$. Then we have
Lemma 8 Let $\sigma$ be a nonzero state of even period $n$.
1. If $\sigma \in T$, then $\sigma$ has an anchor.
2. If $\sigma \in S_0$, then $\sigma$ has no anchors.
3. If $\sigma \in S_1$, then $\sigma$ has no anchors.
Proof
1. Let $\sigma_i = 1$ and $\sigma_j = 1$ be 1-bits, where $i$ is even and $j$ is odd or vice versa and $i < j$. In both cases, if there exists a $\sigma_k = 1$ with $i < k < j$ and $i \equiv k \pmod{2}$, then we can take $\sigma_k$ instead of $\sigma_i$. If there exists a $\sigma_k = 1$ with $i < k < j$ and $k \equiv j \pmod{2}$, then we can take $\sigma_k$ instead of $\sigma_j$. Hence all bits between $\sigma_i$ and $\sigma_j$ can be assumed to be 0. There is an even number of them, hence $\sigma_i$ is an anchor.
2. Let $\sigma_i = 1$ be an arbitrary 1-bit in $\sigma$. By definition of $S_{n,0}$, it is followed by a repeating pattern of 0*. Therefore, it cannot be followed by an even number of zeroes, and hence is not an anchor.
3. Similar to the case for $S_0$.

Cycle lengths in the state diagram
In this subsection we investigate the lengths of the cyclic components in the state diagram of χ. We will prove Theorem 2 Periodic states that have an anchor lie in cycles in the state diagram of χ. These cycles have a length that is a power of two and this length ranges from 1 to the largest power of two not larger than n.
Recall that $\chi$ operates as multiplication of all anchor polynomials $a^{(i)}(X)$ by $1 + X$ modulo $X^{d_i}$. Since the dynamicity pattern is invariant under $\chi$, the length of the cycle that contains $\sigma$ is therefore the least common multiple of the order of $1 + X$ in the rings Since only positive powers of $X$ are divisors of $X^d$ and all these are not divisors of $f$ with $f_0 = 1$, we find that when $f_0 = 1$, that $\gcd(f, X^d) = 1$. Thus, since $f \in R^*$ iff $f_0 = 1$, we find that $\#R^* = 2^{d-1}$.
By Lagrange's Theorem, we now know that the order of $X + 1$ is a power of 2. Since $(X + 1)^{2^k} = X^{2^k} + 1$, we find that the order of $X + 1$ is the smallest power of 2 larger than or equal to $d$. This is then $2^{\lceil \lg(d) \rceil}$.
We can now prove Theorem 2.
Proof (of Theorem 2.) Let $\sigma$ be a nonzero state in F 2 with an anchor. Let $2d_i + 1$ be the distance from the $(i-1)$th anchor to the $i$th anchor and consider $\{d_0, \ldots, d_k\}$.
By the above, we have . . , k}. We now find that indeed a cycle of length any power of two exists.
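Proposition 1 and Theorem 2 can be observed directly on small periods. The following Python sketch is an added example, not code from the paper: it computes dynamicity patterns and anchors from Definitions 10 and 11, applies them to the state $(001011110001)^*$ of Example 2, and checks exhaustively that the pattern is preserved and that anchored states return to themselves after a power-of-two number of steps. Positions are 0-based and all function names are chosen for this example.

```python
# Added example: states are given as one period, a list of bits (index 0 first).

def chi(bits):
    """nu_i = sigma_i + (sigma_{i+1} + 1) * sigma_{i+2}, indices modulo the length."""
    n = len(bits)
    return [bits[i] ^ ((bits[(i + 1) % n] ^ 1) & bits[(i + 2) % n]) for i in range(n)]


def next_one_distance(bits, i):
    """Distance from position i to the next 1-bit, wrapping around the period."""
    n = len(bits)
    for d in range(1, n + 1):
        if bits[(i + d) % n]:
            return d
    raise ValueError("the all-zero state has no next 1-bit")


def dynamicity_pattern(bits):
    """'*' for dynamic bits (even distance), the bit value for static bits."""
    return "".join(
        "*" if next_one_distance(bits, i) % 2 == 0 else str(b)
        for i, b in enumerate(bits)
    )


def anchors(bits):
    """Positions of static bits with value 1; empty for the all-zero state."""
    if not any(bits):
        return []
    return [i for i, b in enumerate(bits) if b and next_one_distance(bits, i) % 2 == 1]


def cycle_length(bits):
    """Steps until the state first returns to itself, or None if it lies on a tree."""
    start = cur = tuple(bits)
    seen, steps = set(), 0
    while cur not in seen:
        seen.add(cur)
        cur = tuple(chi(cur))
        steps += 1
        if cur == start:
            return steps
    return None


def all_states(n):
    """All non-zero n-bit periods."""
    return ([(v >> i) & 1 for i in range(n)] for v in range(1, 1 << n))


def pattern_is_invariant(n):
    """Check Proposition 1 on every non-zero period of length n.

    An image equal to the all-zero state has no defined pattern and is skipped;
    this only happens for anchor-free inputs such as (01)*.
    """
    for s in all_states(n):
        t = chi(s)
        if any(t) and dynamicity_pattern(t) != dynamicity_pattern(s):
            return False
    return True


def anchored_cycle_lengths(n):
    """Set of cycle lengths over all length-n periods that have an anchor."""
    return {cycle_length(s) for s in all_states(n) if anchors(s)}


if __name__ == "__main__":
    sigma = [0, 0, 1, 0, 1, 1, 1, 1, 0, 0, 0, 1]   # state of Example 2
    print(dynamicity_pattern(sigma), anchors(sigma), cycle_length(sigma))
    print(pattern_is_invariant(12), sorted(anchored_cycle_lengths(12)))
```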

Preimages for states without anchors
In this subsection, we study states with even period. Therefore, n is assumed to be a positive even integer. We are going to investigate χ on P n to see whether χ is surjective. This is a next step into understanding the full state diagram of χ.
We know from Theorem 1 that a state $\sigma$ has a unique preimage if there is at least one anchor: $\sigma \in T_n$. Therefore, the states where zero or multiple preimages may exist are exactly those in $\bigcup_n (S_{n,1} \cup S_{n,0})$. They fall into three categories:
1. The state has two preimages of the same period;
2. The state has two preimages of double period;
3. The state has one preimage of the same period and two preimages of double period.
The third case is only applicable to 0 * , as we shall see.

Linearization of χ
When $n$ is fixed, we can omit it as an index, to obtain $T := T_n$ and $S_i := S_{n,i}$ for $i \in \{0, 1\}$.
Since $\chi$ is invertible on $T$, we are mostly interested in $\chi|_{S_0}$ and $\chi|_{S_1}$. Both of these are linear maps: By projecting $S_0$ (respectively $S_1$) on the subspace we find two maps of a similar form: Since $\chi_{L_k}$ is a linear map, we can investigate it using linear algebra. For instance, we can represent it by a $k \times k$ matrix: We can also easily determine its kernel: To return from a result about $\chi_{L_k}$ to results about $\chi|_{S_0}$, we can use: that are bijective when restricted to $S_1$ and $S_0$ respectively. Since we know $\mathrm{Ker}\, \chi_{L_k}$, we find that $\dim L_k = k - 1$ using the isomorphism theorem.
We have the following proposition to help us in achieving our goal.
Proposition 4 Let $k \geq 1$. Then $L_k$ is the $(k-1)$-dimensional subspace of all vectors in $\mathbb{F}_2^k$ of even Hamming weight.
Proof We know that $L_k$ is spanned by the columns of $\chi_{L_k}$. Therefore, we know that $L_k$ is spanned by vectors of Hamming weight 2. Since the sum of two vectors of even Hamming weight is again a vector of even Hamming weight, it follows that all elements in $L_k$ are vectors of even Hamming weight. Furthermore, since $\dim L_k = k - 1$ we see that $L_k$ contains half of the vectors of $\mathbb{F}_2^k$, so all vectors of even Hamming weight.
From Proposition 4 it follows that $\chi(S_n) \subsetneq S_n$ for even $n$.

Finding preimages for states of even period
In this section we explore some theoretical results that yield an efficient method to find all preimages of a given periodic state.
By Proposition 4, the elements not reached by χ L k are exactly the elements with odd Hamming weight.
We then immediately obtain: Theorem 3 Let n > 1 be even. Then S n \ χ(S n ) consists of states with odd Hamming weight such that either: all odd positions are 0; or, all even positions are 0.
We know that χ is not injective. Furthermore, since χ is bijective on n∈N * T n , we know that χ is not injective on (S 0 ∪ S 1 ) n∈N * .
For the linearized χ, we have that if χ L k (u) = χ L k (v) then u = v or u = v + 1 k , by Lemma 11. We also know that χ(S 0 ) ⊂ S 0 and χ(S 1 ) ⊂ S 1 by Lemma 10.
From this lemma, we conclude that every nonzero element in χ( F 2 ) has at most two preimages.
Proof If hw(σ) is odd, then ρ = σ +(01) * is the sum of two states of odd Hamming weight. Therefore hw(ρ) is even. If hw(σ) is even, then ρ = σ + (01) * is the sum of a state of odd and a state of even Hamming weight. Therefore hw(ρ) is odd.
To explicitly find the preimages of a state σ ∈ χ( F 2 ), we use a method based on Daemen's seed-and-leap method [3].
Whenever an element in this preimage has all bits with odd (or all even) indices zero, one finds both preimages.
To do this, the method basically loops twice: once over the odd indices and once over the even indices. It makes a choice whenever there are no ones on an even (or odd) position and continues the cycle from that choice.
Example 3 Consider that we want to determine the preimages of (100010) * . We start by filling in blanks and look for a 1. We apply Lemma 13.1 to obtain (?????0) * . By applying Lemma 13.2 repeatedly we obtain (?0?0?0) * . Next we have to make a choice, because there are no ones in the even positions. We get (00?0?0) * and (10?0?0) * . By applying Lemma 13.2 repeatedly to both, we get Remark that by Lemma 12, it does not matter which choice is made, as the second preimage can be determined from the first.

Lemma 14
Let ν be a state of period n that has no preimages of period n. Let σ, ρ be the preimages of period 2n of ν. Then ρ = τ −n (σ).
Proof Since χ 2n is shift invariant and ν has period dividing n, we have The result then follows from Lemma 12.
Only one preimage needs to be determined by Lemma 14 and by Corollary 2 only half of the state needs to be constructed.
Remark that when using the method on length n, a preimage of double length can be found by just writing the wrong preimage of length n as a 0 and applying Corollary 2. To make this more clear, we present an example.
Example 4 Let us try to find the preimages of the state σ = (010000) * . Since the Hamming weight is odd, we expect double-length preimages. By Lemma 10, we know that the preimage should look like (0?0?0?) * . We now set the last position to be 0: (0?0?00) * and apply Lemma 13.2 two times again. We then obtain (010000) * . By Corollary 2 we now can conclude that the preimages of σ under χ are (010000000101) * and (000101010000) * .
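The following Python sketch is an added example, not code from the paper: it checks Examples 3 and 4 and Theorem 3 by exhaustive search over one period, using ν i = σ i + (σ i+1 + 1)σ i+2 with cyclic indices. The function names and the 0-based indexing (the leftmost symbol is position 0) are assumptions of this sketch.

```python
from itertools import product

def chi(s):
    """Apply chi to one period of a periodic state (tuple of bits, index 0 first)."""
    n = len(s)
    return tuple(s[i] ^ ((s[(i + 1) % n] ^ 1) & s[(i + 2) % n]) for i in range(n))

def bits(text):
    return tuple(int(c) for c in text)

def show(s):
    return "".join(map(str, s))

def preimages(word, length):
    """All words of `length` bits that chi maps to (word)* written out to `length` bits."""
    target = word * (length // len(word))
    return sorted(show(s) for s in product((0, 1), repeat=length) if chi(s) == target)

def period_preimages(word):
    """Preimages of (word)* of the same length; if there are none, those of double length."""
    return preimages(word, len(word)) or preimages(word, 2 * len(word))

def unreachable(n):
    """Words of length n that have no preimage of length n."""
    words = list(product((0, 1), repeat=n))
    image = {chi(s) for s in words}
    return {s for s in words if s not in image}

def theorem3_words(n):
    """Odd Hamming weight, with all odd positions 0 or all even positions 0."""
    return {s for s in product((0, 1), repeat=n)
            if sum(s) % 2 == 1 and (not any(s[1::2]) or not any(s[0::2]))}

if __name__ == "__main__":
    print(period_preimages(bits("100010")))   # the state of Example 3
    print(period_preimages(bits("010000")))   # the state of Example 4
    print(all(unreachable(n) == theorem3_words(n) for n in (2, 4, 6, 8)))
```

For (010000) * the search over length 6 comes back empty and the two length-12 preimages are shifts of each other by 6 positions, which is the statement of Lemma 14.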

Surjectivity of χ
Here, we prove that χ is surjective on F 2 , while we know that χ(S n ) ⊊ S n .
Proof From Corollary 1, we know that a non-zero state has at most two preimages. From Theorem 4, the result then follows.
In particular, a state of period 30, say, cannot be mapped onto a state of period 3 or 5, no matter how often χ is (re-)applied.
Furthermore, we know that an arbitrary state of period n = 2 k · m in S n,0 will, after enough iterations of χ, end up in a cycle. This is due to Corollary 3, where the period will decrease until it is 2m, with m > 0 odd:
Lemma 15 Let m > 1 be an odd integer and let σ be a state of period 2m. Then χ(σ) is also a state of period 2m.
Proof We know that χ(σ) has period dividing 2m, since χ is shift invariant (Lemma 2). By Corollary 3, what remains to show is that χ(σ) does not have period m. Suppose that χ(σ) has period m. We know, by Theorem 1, that since m is odd, χ operates bijectively on S m . That means that χ(σ) has a unique preimage that has period m, a contradiction.
6 Full characterization of the state diagram of χ

Before, we have dealt with all cyclic components of the state diagram of χ. In this section, we will deal with the other components, which all have the shape of a cycle with (binary) trees on those cycles. The arrows point inwards to the cycle.
We start with choosing a suitable linearization in Section 6.1, then follow that with a treatment of the states of period 2 k in Section 6.2. In Section 6.3 we will take on the components with states of period 2 k · m with m > 1.

Polynomial linearization of χ on states of even period
Since χ operates cyclically on states in T n , we only need to understand how χ operates on states in S n,0 (as S n,1 is just S n,0 shifted and χ is shift invariant).
In Figure 3 we depict what χ L 3 looks like on S 6,0 . (Note that we leave out the part that has period 1 or 2.) Before we give an explicit description of these, we consider a new representation of the vector space F n 2 as a quotient of a polynomial ring. We consider the vector space isomorphism ϕ : F n 2 → F 2 [X]/(X n + 1) defined by (a 0 , . . . , a n−1 ) → Under this isomorphism, a left shift τ n corresponds to a multiplication by X modulo X n + 1. Similarly, since χ L k = Id +τ n , we find that the corresponding χ L k : F 2 [X]/(X n + 1) → F 2 [X]/(X n + 1) is just a multiplication by 1 + X modulo X n + 1 Definition 14 (Polynomial representation of states) Let n > 0 be an even integer. Let σ ∈ S n,0 and write σ ∈ F n 2 under the isomorphism from Lemma 1. Then we write f σ (X) := ϕ(π 1 (σ )).

Remark 1
In particular, if σ = (x) * is given, we then remove the zeroes in odd positions of x by applying ϕ, to obtain a state of length n/2. We then turn that into a univariate polynomial.
From Theorem 3, we can conclude the following corollary: Corollary 4 Let n > 0 be an even integer and σ ∈ S n,0 . Then σ has two preimages of the same period if and only if X + 1 | f σ (X).
Proof σ has two preimages of the same period iff hw(σ ) ≡ 0 (mod 2) iff f σ (X) has an even number of terms For a given state that has period dividing n, we can now express that the state has period dividing n 2 as well: Proposition 5 Let n = 2 k · m for positive integers k > 1 and m odd. Let σ ∈ S n,0 and let f σ (X) be the polynomial representation of σ. Then σ has period dividing which is a state of period dividing n 2 . ⇒:) Consider that the state σ can be written as σ = (σ 0 , σ 1 , . . . , σ n−1 ). Then since σ has period dividing n 2 , we know that σ n 4 +i = σ i for i ∈ {0, . . . , n 4 − 1}. We can write σ i = c i + c i+ n 4 and solve the gained system for the c i . This will give two possible solutions that are each other's complement. Then f σ (X) = c(X)·(X n 4 +1) for any of the c(X).

States of period 2 k
Another component of the state diagram looks like a binary tree on a 1-cycle, that we will find in the states that have period a power of 2. Therefore, assume in this section that σ is a state of period n = 2 k for some k ≥ 0. We split up S n into T n , S n,0 and S n,1 , where we recall that we already discussed the components of states in T n . For the states in S n,0 and S n,1 , we have seen that χ behaves like a (linear) multiplication of f σ (X) by X + 1. In Corollary 4, we found that a state in S n,0 or S n,1 has two preimages of the same period, exactly when X + 1 is a divisor of f σ (X). The states in S 2 3 ,0 and S 2 3 ,1 are depicted in Figure 4. One can see from the polynomial representation f σ (X) in what layer σ is in this tree. Therefore, one also knows how often χ has to be applied to σ for χ k (σ) = 0 * .

Figure caption: The component for S 2 k ,0 and S 2 k ,1 for k ≥ 3. At 0 * , there is a cycle. The notation with parentheses and asterisks has been omitted to make the figure fit better.

To do this, we define the following: Definition 15 (Rooted sets) Let d ≥ 0 be an integer and define the set of polynomials of degree less than d as We define the i-th rooted subset in 0 as N (i) d for the subset of P d that consists of those polynomials that have at least i roots at 0 ∈ F 2 .

Example 6 For d = 3, we have eight polynomials
Only the polynomials 0, X, X 2 , X 2 + X have a root at 0, hence we find that N Proof Let i ≥ 1 and d ≥ 0 be arbitrary. For any i, the zero polynomial has i roots in 0. When d < i − 1, then it is impossible to have i roots, because of the degree of the polynomial being < d. So assume d ≥ i − 1.
In order for f (X) to have a root at 0 with multiplicity i, we need to have X i | f (X). This implies that the coefficients for X i−1 , . . . , X, 1 must be equal to 0. The remaining d − i coefficients can be arbitrary elements from F 2 . Proof The automorphism ϕ : and the result follows.
Remark 2 Definition 15 up to (and including) Lemma 16 can be generalized for We saw in Corollary 4 that the states σ whose corresponding polynomial f σ (X) has no root at 1 have two preimages of double period.
We see that there are four rows in the tree that contain states of period 16, two rows that contain states of period 8, and one row (each) of states of period 4, 2 and 1. This observation is formalized in the following corollary, where we define S n = n k=1 S 2 k ,0 ∪ S 2 k ,1 and S := ∞ n=1 S n .

Snowflakes in the state diagram of χ
All the remaining components of the state diagram of χ look like snowflakes. A snowflake in this sense is a short cycle where on each state in the cycle grows a (binary) tree of preimages. Here, let n be an even integer of the form 2 k m, where m > 1 is odd. We investigate the state diagram of χ over S n,0 . For the states in S n,0 (or S n,1 ), we find that their components have a shape as in Figures 3 and 5.
By the previous discussion, from the cycle there is first one preimage fanning out (the other one is in the cycle itself), and after that always two preimages.
In this subsection, for a component C, we give formulas for the length of the cycle (#L 0 ), as well as, for a state σ, the k ≥ 0 for which σ ∈ L k .

Remark 3
The diagram for S n,0 is equivalent to S n,1 since τ (S n,0 ) = S n,1 . If we have states σ and τ (σ), then the component that contains τ (σ) has the same shape and size as the component of σ.

The size of L 0 in snowflake components
In this section we will reuse the polynomial representation f σ (X) for a state σ as in Section 6. Let σ be an anchorless state of period n. Under this representation, we find that an application of χ to σ corresponds to multiplying f σ (X) by X + 1 modulo X n 2 + 1. We can apply χ multiple times at once, by looking at substrings of σ.

Example 7 Consider Figure 5 and take for each of the 6-tuples the even or odd bits. Furthermore, take the composition of two arrows every time. This coincides with χ 2 . It yields three times the left diagram and once the right diagram: The latter diagram can be simplified to [diagram on the states 111 and 000]. The former diagram will be simplified to the diagram of χ L 3 on S 6,0 in Figure 3. We thus see, that for n = 12, we have a component of the diagram of period 2, and a component of period 6, if we apply χ twice.
To go back from the smaller diagrams to the big one, we define an intertwining map I. The intertwining map combines several polynomials into one bigger polynomial in the following way.
Proof Writing f 0 (X) 2 + Xf 1 (X) 2 = a i X i , the coefficients a i with odd index specify the coefficients of f 1 (X) and the coefficients a i with even index specify the coefficients of f 2 (X). Therefore, I is bijective.
Since intertwining is bijective, we will give the name detwining to the inverse operation. This detwining operation behaves exactly like in Example 7.
To illustrate this proposition, we have the following example.
We can use Proposition 9 to understand the cycle lengths in snowflakes.
We may assume that f σ (X) is invertible, since χ is shift invariant. So we find (X + 1) k ≡ 1 (mod X m + 1). When k = 2 o − 1, we find: Thus we may conclude that the length of the cycle is a divisor of 2 o − 1.
There are many values for m where this length is exactly 2 o − 1, but also many values of m where it is a proper divisor of 2 o − 1. In Tables 2 and 3 in Appendix 9.1 we list several of these values.
We now give the number of states in the cyclic parts: Proposition 11 Let n = 2m with m odd. Then from the states in S n,0 that have period n, exactly half lie in L 0 (C) for each component C.
Proof We know that the states σ such that X + 1 | f σ (X) have two preimages. One of those preimages ρ is such that X + 1 | f ρ (X), while the other, ρ′, has X + 1 ∤ f ρ′ (X). (See Corollary 1.) If we restrict χ to {σ ∈ C : X + 1 | f σ (X)}, then this restriction is bijective, as every element has a unique preimage. Therefore these elements lie on disjoint cycles, hence in L 0 (C). Thus at least half of the states in S n,0 lie in L 0 (C). If X + 1 ∤ f σ (X), then σ has no preimage of the same period (see Corollary 4). Therefore, σ ∉ L 0 (C). Hence at most half of the states in S n,0 lie in L 0 (C).
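The polynomial linearization, Corollary 4 and Proposition 11 can be checked mechanically for small n. The Python sketch below is an added example, not code from the paper; it assumes states that are 0 in every odd position (0-based, as in Remark 1) and a coefficient ordering chosen so that a left shift is multiplication by X, and all function names are this sketch's own.

```python
from itertools import product

def chi(s):
    """chi on one period of a periodic state (tuple of bits, index 0 first)."""
    n = len(s)
    return tuple(s[i] ^ ((s[(i + 1) % n] ^ 1) & s[(i + 2) % n]) for i in range(n))

def poly(s):
    """f_sigma as an int (bit j = coefficient of X^j) for a state with zeros in odd positions.

    Assumed ordering: the first kept bit becomes the highest coefficient, so that
    a left shift of the kept bits is multiplication by X modulo X^h + 1.
    """
    if any(s[1::2]):
        raise ValueError("state must be 0 in every odd position")
    return int("".join(map(str, s[0::2])), 2)

def state(p, h):
    """Inverse of poly(): h coefficients back to a state of length 2h."""
    return tuple(b for i in range(h) for b in ((p >> (h - 1 - i)) & 1, 0))

def times_x_plus_1(p, h):
    """(X + 1) * p modulo X^h + 1, computed as p XOR (p rotated left by one)."""
    rotated = ((p << 1) | (p >> (h - 1))) & ((1 << h) - 1)
    return p ^ rotated

def linearization_holds(n):
    """chi on these states equals multiplication of f_sigma by X + 1."""
    h = n // 2
    return all(poly(chi(state(p, h))) == times_x_plus_1(p, h) for p in range(1 << h))

def corollary4_holds(n):
    """Non-zero sigma: two preimages of length n iff f_sigma has an even number of terms, else none."""
    h, count = n // 2, {}
    for s in product((0, 1), repeat=n):
        image = chi(s)
        count[image] = count.get(image, 0) + 1
    return all(count.get(state(p, h), 0) == (2 if bin(p).count("1") % 2 == 0 else 0)
               for p in range(1, 1 << h))

def tail_and_cycle(p, h):
    """(applications of chi before the cycle is reached, length of that cycle)."""
    seen, step = {}, 0
    while p not in seen:
        seen[p] = step
        p, step = times_x_plus_1(p, h), step + 1
    return seen[p], step - seen[p]

def period(s):
    return next(d for d in range(1, len(s) + 1) if len(s) % d == 0 and s[d:] + s[:d] == s)

def cycle_census(n):
    """(states on a cycle, all states, cycle lengths) over states of period exactly n."""
    h, on_cycle, total, lengths = n // 2, 0, 0, set()
    for p in range(1 << h):
        if period(state(p, h)) != n:
            continue
        total += 1
        tail, length = tail_and_cycle(p, h)
        if tail == 0:
            on_cycle, lengths = on_cycle + 1, lengths | {length}
    return on_cycle, total, lengths
```

For n = 6, 10 and 14 the census returns exactly half of the period-n states on cycles, with cycle lengths 3, 15 and 7.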
We can use Proposition 9 to figure out the same for larger periods.
Corollary 7 Let n = 2 k m with m odd. Then from the states in S n,0 that have period n, exactly one in every 2 2 k −1 lies in a cycle.
Proof For k = 1, we have Proposition 11. Using Proposition 9, we find that if we replace in S 2m,0 every application of χ by 2 k−1 applications of χ, we get the snowflake in S n,0 . This means that only the inner part is in a cycle, but there are 2 k−1 layers of states outside the cycle. Furthermore, since all but the last layer has states with two preimages inside S n,0 , these layers get twice as big each layer.
The outer layer has half of S n,0 in it. Then each new layer decreases the number by another half. There are 2 k−1 layers.
We can also express when a state appears in a cycle in a diagram like in Figure 3.

Proposition 12
Let n = 2 k · m where m is an odd integer and k ≥ 0. Let σ be a state of period n in S n,0 , and f σ (X) its polynomial representation. If we have , then σ appears in a cycle.
Proof For k = 1, this follows from Proposition 11. When k > 1, we find from Corollary 7, that one in every 2 2 k −1 lies in a cycle. By counting, the higher the power of X + 1 that divides the polynomial f σ (X), the closer σ is to a cycle. By Proposition 6, we then find that the one in every 2 2 k −1 occurs exactly at X 2 k−1 +1 | f σ (X).
Lastly, we show that components are isomorphic (as graphs).
Proposition 13 Let n be an arbitrary even integer and let C 0 , C 1 be components of the state diagram of χ restricted to S n,0 ∪ S n,1 . Then #L 0 (C 0 ) = #L 0 (C 1 ).
Proof Since S n,0 = τ (S n,1 ), we know that the components in S n,0 also appear once in S n,1 . Therefore, we may assume C 0 and C 1 to be components in the state diagram of χ restricted to S n,0 . Let σ ∈ L 0 (C 0 ) and τ ∈ L 0 (C 1 ) be arbitrary. Write f σ (X) and f τ (X) as the univariate polynomial representation for σ and τ . Applying χ to σ is just multiplying f σ (X) by X + 1 modulo X n + 1. We know that f σ (X) is divisible by X + 1. Therefore, we can also regard f σ (X) as f σ (X)/(X + 1). Then applying χ is multiplying f σ (X) by X + 1 modulo X n−1 + X n−2 + . . . + X + 1. Now in this ring F 2 [X]/(X n−1 + X n−2 + . . . + X + 1), we have that X + 1 is invertible. Furthermore, f σ (X) and f τ (X) differ by a unit factor, i.e., there exists some u(X) ∈ F 2 [X]/(X n−1 + X n−2 + . . . + X + 1) such that f σ (X) = u(X)f τ (X). Multiplication with a unit u(X) is an automorphism. Hence the behaviour of f σ (X) under (repeated) multiplication by X + 1 is the same as the behaviour of f τ (X) under (repeated) multiplication by X + 1. Hence the behaviours of σ and τ under repeated application of χ are the same.

Towards the cycle
Next, it is interesting to know for a state that is not on a cycle in which layer it is.
Proof The first statement follows from Proposition 12 as an application of χ to σ is the same as a multiplication of f σ (X) by X + 1. Since every state has exactly two preimages, the latter statement follows from this immediately.
Corollary 8 Let n be an arbitrary even integer and let C 0 and C 1 be components of the state diagram of χ restricted to S n,0 ∪ S n,1 . Then #L k (C 0 ) = #L k (C 1 ) for all k ≥ 0.
Proof By Proposition 13 we know the statement for k = 0. For other k, this follows from Proposition 14.

Decreasing period under application of χ
We have seen that sometimes a state propagates to a state of smaller period under χ. If this happens, this decrease in period is only by a factor 2 (Corollary 3) per application of χ. In this subsection, we give a criterion to recognize whether this will happen. For any integer d, we can associate the integer ζ(d) to d, by setting all bits after the first zero bit in its binary expansion to 0. For example, if we have d = 53, then ζ(d) = 48, as 53 is 110101 in binary, which will be translated to 110000 in binary, that is, 48.
Since application of χ to σ corresponds to multiplication of f σ (X) by X +1, we deduct c from η * to obtain the number of iterations s of χ needed ere χ s (σ) ∈ L 0 . This proves the second statement.
Lemma 17 The set of periodic states F 2 is countable, hence F Z 2 \ F 2 is uncountable.
Proof We have #S n = 2 n . In particular, each S n is finite. Since F 2 = n∈N * S n , we find that As a result, if one were to pick one arbitrary element of F Z 2 uniformly at random, then it is almost certainly an element in F Z 2 \ F 2 . For practical reasons, we never need them, as the uses in cryptography always work with something that can be constructed. We do give an example of a state that has no finite period and see how χ operates on a state like this.

Example 10
We create a one-ended infinite string, recursively, by creating a sequence of finite states: The end result, ∆ := lim n→∞ ∆ (n) is then a string in F N 2 that has no finite period. To make a string that is actually in F Z 2 , we just set ∆ n = ∆ −n for n < 0. For clarity, we print some bits of ∆, namely ∆ 0 until ∆ 56 .

∆ = · · · 110100100010000100000100000010000000100000000100000000010 · · ·

When we apply χ to ∆, we obtain the following, where, upon repeating, one observes where the anchors for χ are.

χ(∆) = · · · 100110101010010100010100001010000010100000010100000001010 · · ·
χ 2 (∆) = · · · 110100000011000101000100100010001000100001000100000100010 · · ·
χ 3 (∆) = · · · 100100001011010001010110101010101010100101010100010101010 · · ·
χ 4 (∆) = · · · 110100100010010100000100000000000000110000000101000000010 · · ·

We proved in Theorem 4 that χ is surjective on F 2 . In fact, we can prove that χ is surjective on F Z 2 . This requires some topological discussion:

Theorem 5 Let (X, T ) be a compact Hausdorff space and let A ⊂ X be dense. Let f : X → X be a continuous map such that f |A : A → A is surjective. Then f is surjective.
Proof Since the image under a continuous map of a compact set has to be compact again, the image of f needs to be compact (see [14], Theorem 17.7). Since (X, T ) is Hausdorff, this means that the image of f needs to be closed (see [14], Theorem 17.5(b)). As the image of f contains A by hypothesis, we find that the image of f is the entire space X, and hence f is surjective.
Theorem 6 The map χ : F Z 2 → F Z 2 is continuous and surjective.
Proof We bestow the discrete topology on F 2 and create from that the product topology on F Z 2 . Then by Tychonoff's Theorem (first proved in [12], [13], in more modern terminology [14], Theorem 17.8), we find that F Z 2 is compact. Next, F Z 2 is Hausdorff, as any product of Hausdorff spaces is again Hausdorff (see [14], Theorem 13.8(b)). We still have to show that F 2 is dense in F Z 2 w.r.t. the product topology and that χ is continuous, then the result follows from Theorem 5. Since F Z 2 has the product topology, to show that χ is continuous, we only need to show that for every i ∈ Z the map is continuous (see [14], Theorem 8.8). (Here π i is the projection on the ith coordinate.) Let i be arbitrary. We need to show that for each of the four open sets in Then to show that F 2 is dense in F Z 2 , we use the criterion that a subset is dense if and only if it intersects each base element of the topology.
The base sets of F Z 2 are of the form B = ∏ i∈Z U i with each U i open and U i ≠ F 2 for at most finitely many i. Take one such base set arbitrarily.
Without loss of generality, we may assume that U i ≠ ∅ for all i. Fix all (finitely many) i such that U i ≠ F 2 . This gives us a finite set I = {i 0 , . . . , i n−1 } ⊂ Z. We may assume i 0 < . . . < i n−1 . Write = i n − i 0 .
We construct (z k ) i n k=i 0 by setting z k ∈ U i when k ∈ {i 0 , . . . , i n }. Then we have constructed a finite element (z k ) i n k=i 0 ∈ F 2 that we can extend to a periodic element by repeating this (z k ) i n k=i 0 on both sides. Write (z k ) ∞ k=−∞ for this periodic element. Then (z k ) ∞ k=−∞ ∈ F 2 . Since z k ∈ U k for each i 0 < k < i n and outside of these bounds U k = F 2 , we find that (z k ) ∞ k=−∞ ∈ B. Hence B ∩ F 2 ≠ ∅, and F 2 is dense in F Z 2 .

Applications
In this section we describe two applications of the results obtained before. One is the formula for the order of χ n where n is odd. The other is to use χ n as non-linear layer in ciphers for even n.
8.1 Order of χ n for odd n

Since χ maps states of odd period bijectively onto states of the same period, the corresponding map χ n is an element of the finite group of bijective maps on F n 2 . Therefore χ n has a finite order. as required. The last step follows from the fact that the distance between two anchors is maximal if the entire state contains just one anchor.
Now that we have this formula $\operatorname{ord}(\chi_n) = 2^{\lceil \lg(\frac{n+1}{2}) \rceil}$, we see that this is just the smallest power of 2 that is greater than or equal to $\frac{n+1}{2}$, or in other words, the largest power of 2 that is smaller than $n$.
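As an added check (this code is not from the paper), the Python sketch below computes the order of χ n by exhaustive search, as the least common multiple of the cycle lengths of χ n on all n-bit words, and compares it with the smallest power of 2 that is at least (n + 1)/2. The function names and the convention that bit i of the integer holds σ i are assumptions of this sketch.

```python
from math import gcd

def chi_n(x, n):
    """chi_n on an n-bit word held in an int; bit i of x is sigma_i (n >= 3)."""
    mask = (1 << n) - 1
    next1 = ((x >> 1) | (x << (n - 1))) & mask   # bit i holds sigma_{i+1}
    next2 = ((x >> 2) | (x << (n - 2))) & mask   # bit i holds sigma_{i+2}
    return x ^ (~next1 & next2 & mask)

def order_of_chi(n):
    """Order of chi_n as a permutation of the n-bit words: the lcm of its cycle lengths.

    Raises ValueError when chi_n is not a permutation, which happens for even n.
    """
    seen = bytearray(1 << n)
    order = 1
    for start in range(1 << n):
        if seen[start]:
            continue
        x, length = start, 0
        while not seen[x]:
            seen[x] = 1
            x, length = chi_n(x, n), length + 1
        if x != start:                       # the walk ran into an older orbit
            raise ValueError(f"chi_{n} is not a permutation")
        order = order * length // gcd(order, length)
    return order

def predicted_order(n):
    """Smallest power of 2 that is >= (n + 1) / 2, for odd n."""
    return 1 << ((n + 1) // 2 - 1).bit_length()

if __name__ == "__main__":
    for n in range(3, 16, 2):
        print(n, order_of_chi(n), predicted_order(n))
```

The same walk doubles as an invertibility test: for even n it stops with an error because two words share an image.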
We conclude this subsection by referring to Table 1 for some values of the order of χ n .

8.2 Using χ n for even n as non-linear layer in ciphers

We can count the number of states in $S_n := \bigcup_{d \mid n} (S_{d,0} \cup S_{d,1})$ for any n.
We know that $\#S_n = 2^n$ and furthermore that $\bigcup_{d \mid n} S_{d,0}$ contains precisely all elements that have period dividing $n$ with zeroes on each even position. Therefore, there are $2^{n/2}$ such elements. The same holds for $\bigcup_{d \mid n} S_{n,1}$, hence the union defined above has $2^{n/2+1} - 1$ elements. An element drawn uniformly at random out of $S_n$ has a probability of $\frac{2^{n/2+1}-1}{2^n} \leq 2^{1-n/2}$ to be inside this union. For instance, when $n = 256$, we have a probability of $2^{-127}$ to draw such an element. We remark that when $n$ goes to infinity, this expression converges exponentially to 0.
One way to randomize the inputs is by applying the Even-Mansour construction [8] to build a block cipher from an iterated permutation that has as its non-linear layer χ n .
The Even-Mansour construction is built on a permutation $F$. On input $P$, one round in the Even-Mansour construction outputs $C := F(P \oplus K_1) \oplus K_2$. The addition of $K_1$ to $P$ randomizes the input bits to $F$. When Even-Mansour is a block cipher, the function $F$ often needs to be a permutation. However, certain block cipher modes do not use the invertibility property of the function $F$. In these cases, one could use (a function built on) a single circle $\chi_n$ where $n$ is an even number of bits, possibly $2^k$ for some $k \geq 1$. The probability of obtaining a collision after a single round, when taking two inputs uniformly at random, is $\approx 2^{n/2}/2^{2n}$, which for $n = 128$ is $2^{-192}$. However, an attacker can choose their queries specifically to obtain a probability of a collision as large as possible. For instance, with the Even-Mansour construction where the internal function is $\chi_n$ with $n = 256$ bits, the attacker can choose two inputs with an input difference equal to $(01)^{n/2}$. Thus one takes some inputs $P$ and $P \oplus (01)^{n/2}$. From Lemma 12, we know that if $P \oplus K_1 \in S_{n,0}$, then $\chi_n(P \oplus K_1) = \chi_n(P \oplus (01)^{n/2} \oplus K_1)$, hence we find a collision. For a fixed key $K_1$, this happens in precisely $2^{n/2}$ choices for $P$. Therefore, one just needs to take $n = 256$ when striving for 128 bits of security.
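To make the count of 2^(n/2) colliding inputs concrete for a designer evaluating this construction, the Python sketch below (an added example, not code from the paper) runs a one-round Even-Mansour with χ n as internal function for small even n and finds, by exhaustive search, every P that collides with P ⊕ (01)^(n/2). The keys are constructed sample values, and the function names and the convention that bit i of an integer holds σ i (so (01)^(n/2) has its ones at odd i) are assumptions of this sketch.

```python
def chi_n(x, n):
    """chi_n on an n-bit word held in an int; bit i of x is sigma_i (n >= 3)."""
    mask = (1 << n) - 1
    next1 = ((x >> 1) | (x << (n - 1))) & mask   # bit i holds sigma_{i+1}
    next2 = ((x >> 2) | (x << (n - 2))) & mask   # bit i holds sigma_{i+2}
    return x ^ (~next1 & next2 & mask)

def even_mansour(p, k1, k2, n):
    """One round with chi_n as the internal function: C = chi_n(P xor K1) xor K2."""
    return chi_n(p ^ k1, n) ^ k2

def alternating(n, first):
    """Int whose bits sigma_i are 1 exactly where i % 2 == first."""
    return sum(1 << i for i in range(first, n, 2))

def colliding_plaintexts(k1, k2, n):
    """All P with E(P) == E(P xor (01)^(n/2)), found by exhaustive search."""
    delta = alternating(n, 1)            # (01)^(n/2): sigma_i = 1 for odd i
    return [p for p in range(1 << n)
            if even_mansour(p, k1, k2, n) == even_mansour(p ^ delta, k1, k2, n)]

def explained_by_structure(k1, k2, n):
    """True if the colliding P are exactly those with P xor K1 zero in every even position."""
    even = alternating(n, 0)
    expected = [p for p in range(1 << n) if (p ^ k1) & even == 0]
    return colliding_plaintexts(k1, k2, n) == expected

# Constructed sample keys for the demonstration (12 bits each).
K1, K2 = 0x5A3, 0x0F1

if __name__ == "__main__":
    for n in (8, 10, 12):
        mask = (1 << n) - 1
        hits = colliding_plaintexts(K1 & mask, K2 & mask, n)
        print(n, len(hits), 2 ** (n // 2), explained_by_structure(K1 & mask, K2 & mask, n))
```

The fraction of colliding inputs is 2^(n/2) / 2^n = 2^(-n/2) regardless of the keys, which is where the requirement n = 256 for 128 bits of security comes from.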