Linear feedback shift register

From Wikipedia, the free encyclopedia

A 4-bit Fibonacci LFSR with its state diagram. The xor gate provides feedback to the register that shifts bits from left to right. The maximal sequence consists of every possible state except the "0000" state.
A 4-bit Fibonacci LFSR with its state diagram. The xor gate provides feedback to the register that shifts bits from left to right. The maximal sequence consists of every possible state except the "0000" state.

A linear feedback shift register (LFSR) is a shift register whose input bit is a linear function of its previous state.

The only linear functions of single bits are xor and inverse-xor; thus it is a shift register whose input bit is driven by the exclusive-or (xor) of some bits of the overall shift register value.

The initial value of the LFSR is called the seed, and because the operation of the register is deterministic, the sequence of values produced by the register is completely determined by its current (or previous) state. Likewise, because the register has a finite number of possible states, it must eventually enter a repeating cycle. However, an LFSR with a well-chosen feedback function can produce a sequence of bits which appears random and which has a very long cycle.

Applications of LFSRs include generating pseudo-random numbers, pseudo-noise sequences, fast digital counters, and whitening sequences. Both hardware and software implementations of LFSRs are common.

Contents

[edit] Fibonacci LFSRs

A 16-bit Fibonacci LFSR. The feedback tap numbers in white correspond to a primitive polynomial in the table so the register cycles through the maximal number of 65535 states excluding the all-zeroes state. The state ACE1 hex shown will be followed by 5670 hex.
A 16-bit Fibonacci LFSR. The feedback tap numbers in white correspond to a primitive polynomial in the table so the register cycles through the maximal number of 65535 states excluding the all-zeroes state. The state ACE1 hex shown will be followed by 5670 hex.

The list of the bits' positions that affect the next state is called the tap sequence. In the diagram the sequence is [16,14,13,11,0]. The taps are XOR'd sequentially with the output and then fed back into the leftmost bit.

  • The outputs that influence the input are called taps (white in the diagram).
  • A maximal LFSR produces an n-sequence (i.e. cycles through all possible 2n − 1 states within the shift register except the state where all bits are zero), unless it contains all zeros, in which case it will never change.

The sequence of numbers generated by an LFSR can be considered a binary numeral system just as valid as Gray code or the natural binary code.

The tap sequence of an LFSR can be represented as a polynomial mod 2. This means that the coefficients of the polynomial must be 1's or 0's. This is called the feedback polynomial or characteristic polynomial. For example, if the taps are at the 16th, 14th, 13th and 11th bits (as shown), the feedback polynomial is:

x^{16} + x^{14} + x^{13} + x^{11} + 1\,

The 'one' in the polynomial does not correspond to a tap - it corresponds to the input to the first bit (i.e. x0, which is equivalent to 1). The powers of the terms represent the tapped bits, counting from the left. The first and last bits are always connected as an input and tap respectively.

Tables of primitive polynomials from which maximal LFSRs can be constructed are given below and in the references.

  • The LFSR will only be maximal if the number of taps is even; just 2 or 4 taps can suffice even for extremely long sequences.
  • The set of taps must be relatively prime, and share no common divisor to all taps.
  • There can be more than one maximal tap sequence for a given LFSR length
  • Once one maximal tap sequence has been found, another automatically follows. If the tap sequence, in an n-bit LFSR, is [n,A,B,C,0], where the 0 corresponds to the x0 = 1 term, then the corresponding 'mirror' sequence is [n,n-C,n-B,n-A,0]. So the tap sequence [32,3,2,0] has as its counterpart [32,30,29,0]. Both give a maximal sequence.

[edit] Galois LFSRs

Named after the French mathematician Évariste Galois, a Galois LFSR, or an LFSR in Galois configuration, is an alternate structure that can generate the same output sequences as a conventional LFSR. In the Galois configuration, when the system is clocked, bits that are not taps are shifted as normal to the next flip-flop. The taps, on the other hand, are XOR'd with the new output, which also becomes the new input. These won't be shifted in until the next clock cycle.

A 16-bit Galois LFSR. The register numbers in white correspond to the same primitive polynomial as the Fibonacci example but are counted in reverse to the shifting direction. This register also cycles through the maximal number of 65535 states excluding the all-zeroes state. The state ACE1 hex shown will be followed by E270 hex.
A 16-bit Galois LFSR. The register numbers in white correspond to the same primitive polynomial as the Fibonacci example but are counted in reverse to the shifting direction. This register also cycles through the maximal number of 65535 states excluding the all-zeroes state. The state ACE1 hex shown will be followed by E270 hex.

To generate the same output sequence, the order of the taps is the counterpart (see above) of the order for the conventional LFSR, otherwise the sequence will be in reverse. Note that the internal state of the LFSR is not necessarily the same. The Galois register shown has the same output as the Fibonnacci register in the first section.

  • Galois LFSRs do not concatenate every tap to produce the new input (the XOR'ing is done within the LFSR and no XOR gates are run in serial, therefore the propagation times are reduced to that of one XOR rather than a whole chain), thus it is possible for each tap to be computed in parallel, increasing the speed of execution.
  • In a software implementation of an LFSR, the Galois form is more efficient as the XOR operations can be implemented a word at a time: only the output bit must be examined individually.

Below is a code example of a 32-bit maximal period Galois LFSR that is valid in C and C++, (assuming that unsigned int has 32 bit precision):

 unsigned int lfsr = 1;
 unsigned int period = 0; 
 do {
   lfsr = (lfsr >> 1) ^ (-(lfsr & 1u) & 0xd0000001u); /* taps 32 31 29 1 */
   ++period;
 } while(lfsr != 1u);

And here is the code for the 16 bit example in the figure.

unsigned short lfsr = 0xACE1u;
unsigned int period = 0; 
do {
  lfsr = (lfsr >> 1) ^ (-(short)(lfsr & 1u) & 0xB400u); 
  ++period;
} while(lfsr != 0xACE1u);


[edit] Some Polynomials for Maximal LFSRs

Bits Feedback polynomial Period
n 2n − 1
4 x4 + x3 + 1 15
5 x5 + x3 + 1 31
6 x6 + x5 + 1 63
7 x7 + x6 + 1 127
8 x8 + x6 + x5 + x4 + 1 255
9 x9 + x5 + 1 511
10 x10 + x7 + 1 1023
11 x11 + x9 + 1 2047
12 x12 + x11 + x10 + x4 + 1 4095
13 x13 + x12 + x11 + x8 + 1 8191
14 x14 + x13 + x12 + x2 + 1 16383
15 x15 + x14 + 1 32767
16 x16 + x14 + x13 + x11 + 1 65535
17 x17 + x14 + 1 131071
18 x18 + x11 + 1 262143
19 x19 + x18 + x17 + x14 + 1 524287
25 to 168 [1]

[edit] Output-stream properties

  • Ones and zeroes occur in 'runs'. The output stream 0110100, for example consists of five runs of lengths 1,2,1,1,2, in order. In one period of a maximal LFSR, 2n − 1 runs occur (for example, a six bit LFSR will have 32 runs). Exactly 1 / 2 of these runs will be one bit long, 1 / 4 will be two bits long, up to a single run of zeroes n − 1 bits long, and a single run of ones n bits long. This same property is statistically expected in a truly random sequence.
  • LFSR output streams are deterministic. If you know the present state, you can predict the next state. This is not possible with truly random events such as nuclear decay.
  • The output stream is reversible; an LFSR with mirrored tap sequence will cycle through the states in reverse order.

[edit] Applications

LFSRs can be implemented in hardware, and this makes them useful in applications that require very fast generation of a pseudo-random sequence, such as direct-sequence spread spectrum radio.

The Global Positioning System uses an LFSR to rapidly transmit a sequence that indicates high-precision relative time offsets. The Nintendo Entertainment System video game console also has an LFSR as part of its sound system. ([2])

[edit] Uses as Counters

The repeating sequence of states of an LFSR allows it to be used as a divider, or as a counter when a non-binary sequence is acceptable as is often the case where computer index or framing locations need to be machine-readable. LFSR counters have simpler feedback logic than natural binary counters or Gray code counters, and therefore can operate at higher clock rates. However it is necessary to ensure that the LFSR never enters an all-zeros state, for example by presetting it at start-up to any other state in the sequence. The table of primitive polynomials shows how LFSR's can be arranged in Fibonacci or Galois form to give maximal periods. One can obtain any other period by adding to an LFSR that has a longer period some logic that shortens the sequence by skipping some state(s), e.g. as tabulated in [3].

[edit] Uses in cryptography

An LFSR can generate an extremely long sequence which can be used to encrypt valuable information, for example by combining bits from the LFSR with information bits in an xor gate. The resulting bit stream can only be decrypted by a receiver equipped with the same LFSR, starting at the same state. Although an attacker might know or discover the LFSR construction, as long as the starting state is kept as a secret key the attacker confronts a monstrous search problem.

LFSRs have long been used as pseudo-random number generators for use in stream ciphers (especially in military cryptography), due to the ease of construction from simple electromechanical or electronic circuits, long periods, and very uniformly distributed outputs. However, an LFSR is a linear system, leading to fairly easy cryptanalysis. For example, given a stretch of known plaintext and corresponding ciphertext, a stretch of LFSR output used in the system described above can be recovered, and from the output sequence one can construct an LFSR of minimal size by using the Berlekamp-Massey algorithm, which with the known output can be used to simulate the intended receiver to recover the remaining plaintext.

Three general methods are employed to reduce this problem in LFSR-based stream ciphers:

Important LFSR-based stream ciphers include A5/1, A5/2, E0, and the shrinking generator.

[edit] Uses in digital broadcasting and communications

To prevent short repeating sequences (e.g., runs of 0's or 1's) from forming spectral lines that may complicate symbol tracking at the receiver or interfere with other transmissions, linear feedback registers are often used to "randomize" the transmitted bitstream. This randomization is removed at the receiver after demodulation. When the LFSR runs at the same rate as the transmitted symbol stream, this technique is referred to as scrambling. When the LFSR runs considerably faster than the symbol stream, expanding the bandwidth of the transmitted signal, this is direct-sequence spread spectrum.

Neither scheme should be confused with encryption or encipherment; scrambling and spreading with LFSRs do not protect the information from eavesdropping.

Digital broadcasting systems that use linear feedback registers:

Other digital communications systems using LFSRs:

  • IBS (INTELSAT business service)
  • IDR (Intermediate Data Rate service)
  • SDI (Serial Digital Interface transmission)
  • Data transfer over PSTN (according to the ITU-T V-series recommendations)
  • CDMA (Code Division Multiple Access) cellular telephony

[edit] See also

[edit] External links