IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 46, NO. 2, MARCH 2000
; = Vi 2m+1 where Vi is some integer and let fi be the number
of ; = Vi 2m+1 . Thus,
M2s =
l
i=1
fi Vi2s 22s(m+1) :
(6)
From (5)
687
[18] J.-S. No, S. W. Golomb, G. Gong, H.-K. Lee, and P. Gaal, “Binary pseu1 with ideal autocorrelation,” IEEE
dorandom sequences of period 2
Trans. Inform. Theory, vol. 44, pp. 814–817, Mar. 1998.
[19] D. V. Sarwate and M. B. Pursley, “Crosscorrelation properties of pseudorandom and related sequences,” Proc. IEEE, vol. 68, pp. 593–619,
1980.
[20] T. Schaub, “A linear complexity approach to cyclic codes,” Ph.D. dissertation, Swiss Federal Ins. Technol., Zurich, Switzerland, 1988.
0
M60 0 10qM40 + 16q2 M20 = M6 0 10qM4 + 16q2 M2
= 8q
= 0:
3
l
fi Vi2 (Vi2 0 4)(Vi2 0 1)
i=1
Therefore, the only possible value of Vi are 0;
?
the case of CBCH
, for 6= ,
; 2
0;
6
2q;
6
61, and 62. Thus as in
8q
Fourier Transforms and the -Adic Span of Periodic
Binary Sequences
Mark Goresky, Associate Member, IEEE,
Andrew M. Klapper, Member, IEEE, and Lawrence Washington
:
Since the first three even moments M2s ; M20 s for s = 1; 2; 3 are the
same, it follows that the two codes have the same weight distribution.
Abstract—An arithmetic or with-carry analog of Blahut's theorem is presented. This relates the length of the smallest feedback with-carry shift register to the number of nonzero classical Fourier coefficients of a periodic
binary sequence.
REFERENCES
Index Terms—Blahut's theorem, feedback register, Fourier coefficients,
periodic binary sequence, 2-adic numbers.
[1] S. Boztaş and P. V. Kumar, “Binary sequences with Gold-like correlation but larger linear span,” IEEE Trans. Inform. Theory, vol. 40, pp.
532–537, Mar. 1994.
[2] A. Canteaut, P. Charpin, and H. Dobbertin, “Binary -sequences with
three-valued crosscorrelation: A proof of Welch’s conjecture,” IEEE
Trans. Inform. Theory, vol. 46, pp. 4–8, Jan 2000.
[3] A. Chang, “Minimum distance and decoding algorithm for cyclic
codes,” Ph.D. dissertation, Univ. So. Calif., Los Angeles, CA, 1998.
[4] A. Chang, P. Gaal, S. W. Golomb, G. Gong, and P. V. Kumar, “On a
sequence conjectured to have ideal 2-level autocorrelation function,”
in IEEE Int. Symp. Information Theory, Cambridge, MA, Aug. 16–21,
1998, p. 468.
[5] A. Chang, T. Helleseth, and P. V. Kumar, “Further results on a conjectured 2-level autocorrelation sequence,” in 36th Ann. Allerton Conf.
Communication, Control and Computing, Allerton, IL, Sept. 23–25,
1998.
[6] J. Dillon and H. Dobbertin, Cyclic difference sets with Singer parameters, to be published.
[7] H. Dobbertin, “Kasami power functions, permutation polynomials and
cyclic difference sets,” in NATO-A.S.I. Workshop, Bad Windsheim, Germany, Aug. 3–14, 1998.
[8] R. Gold, “Maximal recursive sequences with 3-valued recursive
cross-correlation functions,” IEEE Trans. Inform. Theory, vol. IT-14,
pp. 154–156, Jan. 1968.
[9] G. Gong and S. W. Golomb, “Hadamard transforms of three-term sequences,” IEEE Trans. Inform. Theory, vol. 45, pp. 2059–2060, Sept.
1999.
[10] C. R. P. Hartmann and K. K. Tzeng, “Generalization of the BCH bound,”
Inform. Contr., vol. 20, pp. 489–498, 1972.
[11] T. Helleseth and P. V. Kumar, “Pseudonoise sequences,” in The Mobile
Communications Handbook, J. Gibson, Ed. New York: CRC Press and
IEEE Press, 1996.
, “Sequences with low correlation,” in Handbook of Coding Theory,
[12]
V. Pless and C. Huffman, Eds. Amsterdam, The Netherlands: Elsevier,
1998.
[13] T. Kasami, “Weight distributions of Bose–Choudhary–Hochquengham
codes,” in Combinatorial Mathematics and its Applications. Chapel
Hill, NC: Univ. North Carolina Press, 1969.
[14] P. V. Kumar and C.-M. Liu, “On lower bounds to the maximum correlation of complex roots-of-unity sequences,” IEEE Trans. Inform. Theory,
vol. 36, pp. 633–640, May 1990.
[15] F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correcting
Codes. Amsterdam, The Netherlands: North Holland, 1979.
[16] B. R. McDonald, Finite Rings with Identity. New York: Marcel
Dekker, 1974.
[17] R. J. McEliece, “On periodic sequences from GF ( ),” J. Combin.
Theory, vol. 10, no. 1, pp. 80–91, Jan. 1971.
m
q
I. INTRODUCTION
The purpose of this correspondence is to develop an arithmetic
analog of Blahut's theorem [1], [3], which relates the linear span of
a sequence to its discrete Fourier transform. For comparison, let us
recall this theorem. Let S = a0 ; a1 ; 1 1 1 be a periodic binary sequence
with period L. The linear span of S , denoted (S ), is the length of
the shortest linear recurrence satisfied by S or, equivalently, the size
of the smallest linear feedback shift register that generates S . It is an
important measure of the complexity of a sequence, and it is used in
a number of engineering applications. For example, suppose that S
is to be used as the key in a stream cipher. The Berlekamp–Massey
algorithm can be used by a cryptanalyst to recover the sequence once
2(S ) bits of S are known. Thus S is secure only if (S ) is large.
Let be a primitive Lth root of unity in some field extension F of
GF (2). (Such a exists if and only if L is odd. Various work has been
done to extend Blahut's theorem to the case when L is even, [4].) The
k th discrete Fourier coefficient of S is
ak =
L01
i=0
ai ki 2 F:
Blahut's remarkable theorem says that the linear span of S is equal
to the number of nonzero discrete Fourier coefficients of S . It makes
Manuscript received October 19, 1997; revised October 25, 1999. The work
of A. Klapper was supported in part by NSF under Grant NCR-9400762. The
work of L. Washington was supported in part by NSA under Grant MDA904-9610036.
M. Goresky is with the School of Mathematics, Institute for Advanced Study,
Princeton, NJ 08540 USA (e-mail: goresky@ias.edu).
A. M. Klapper is with the Department of Computer Science, 763H Anderson
Hall, University of Kentucky, Lexington, KY 40506-0046 USA (e-mail:
klapper@cs.engr.uky.edu).
L. Washington is with the Department of Mathematics, University of Maryland, College Park, MD 20742 USA (e-mail: lcw@math.umd.edu).
Communicated by D. Stinson, Associate Editor for Complexity and Cryptography.
Publisher Item Identifier S 0018-9448(00)01669-2.
0018–9448/00$10.00 © 2000 IEEE
688
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 46, NO. 2, MARCH 2000
precise the common observation that a “complex” signal is one with
many nonzero Fourier components.
Recently, two of the authors have developed an approach to pseudorandom sequences which is based on feedback with carry shift registers
(or FCSR’s) [2]. It is in many ways analogous to the usual theory which
is based on linear feedback shift registers. We include here just enough
detail of the theory of FCSR's for our current purposes. An FCSR consists of a shift register and a small amount of auxiliary memory. For
any periodic sequence S , the size of the smallest FCSR that generates
S is called the 2-adic span and is denoted by 2 (S ). There is an algorithm which is an analog of the Berlekamp–Massey algorithm. Given
approximately 22 (S ) bits of S , it outputs the smallest FCSR that generates S . FCSR’s can be thought of as arithmetic or with-carry analogs
of linear feedback shift registers, and are related to arithmetic codes in
much the same way that linear feedback shift registers are related to
error-correcting codes.
The discrete Fourier transform (described above) does not appear
to be the “correct” transform for the study of sequences generated by
FCSR's, and it is not immediately obvious what the best replacement
should be. In this correspondence, we show that the usual (complex)
Fourier transform is an appropriate vehicle for the study of FCSR sequences, and we use it to describe an analog of Blahut's theorem for
the 2-adic span of a sequence. Not only does this give a “shift register”
interpretation for the usual (complex) Fourier transform of a periodic
binary sequence, but it also adds another entry to the long and growing
list of parallels between the theory of LFSR sequences and the theory
of FCSR sequences.
II. STATEMENT OF THE RESULT
where ! (L) denotes the number of distinct positive prime divisors of
L.
The “error” term 2!(L)01 is sharp, as the following result shows.
The obstacle to obtaining a corresponding lower bound is that it is very
difficult to estimate the cancelation between the numerator and denominator in the expression = 0h(2)=u(2) in Section III below. However, in Section V we derive a lower bound for 82 (S ) based on the
upper bound.
Proposition II.3: Let > 0. Then there exist periodic binary sequences S with ! (L) arbitrarily large such that
82 (S ) > (S ) + (1 0 )2!(L)01 :
Also, there exist periodic binary sequences
large such that
Definition II.1: For k
= 0; 1; 1 1 1 ; L 0 1, the kth Fourier coefficient
a^k =
L01
i=0
ai ki 2 C :
The set of Fourier coefficients is the Fourier transform of S . We denote
by (S ) the number of nonzero Fourier coefficients of S .
The sequence S can be interpreted as the coefficients of a 2-adic
integer
=
1
i=0
ai 2i :
Such a series does not converge in the usual sense. Nevertheless, the
set of such 2-adic integers forms a ring Z 2 . (An elementary review of
the 2-adic integers is presented in [2].) The ring Z 2 of 2-adic integers
contains all the (usual) rational numbers with odd denominator. It turns
out that, since S is periodic, the 2-adic integer is in fact a rational
number, which we may write in lowest terms as
= 0p
q
with p and q relatively prime, and 0 p < q . The 2-adic complexity
is 82 (S ) = log2 (q ). It differs from the 2-adic span by the number
of memory bits in the FCSR which is, in any case, no more than
log2 (82 (S )) and is completely analyzed in [2]. Our main result is
Theorem II.2: Let S be a periodic binary sequence of period
Then the 2-adic complexity 82 (S ) is bounded as follows:
82
(S ) < (S ) + 2!(L)01
L.
with
!(L) arbitrarily
82 (S ) < (S ) 0 (1 0 )2!(L)01 :
The proof is given in Section IV.
III. PRELIMINARIES TO THE PROOF
There is a useful polynomial that connects the 2-adic interpretation
of a sequence with the definition of the Fourier coefficients
f (x) =
L01
i=0
ai xi :
Here we think of f (x) as a polynomial with complex coefficients. Thus
the nth Fourier coefficient is f ( n ) and the associated 2-adic integer is
= f (2)20 + f (2)2L + f (2)22L + 1 1 1 = 0Lf (2) :
2 01
In what follows we let S = a0 ; a1 ; 1 1 1 be a periodic binary sequence
with period L and let 2 C be a complex primitive Lth root of unity.
is
S
Now reduce
log2 (q).
to lowest terms, say
=
(1)
0p=q, so that 8 (S ) =
2
We need to find a relation between gcd (f (2); 2L 0 1) (the greatest
common divisor) and the number of vanishing Fourier coefficients
f ( k ). In fact, we will relate both of these to the polynomial
gcd (f (x); xL 0 1) (which by Galois theory has integer coefficients).
Let
g(x) = gcd(f (x); xL 0 1)
and
f (x) = g(x)h(x)
and xL 0 1 = u(x)g (x). First, we claim that (S ) = deg (u). Note
that a
^n 6= 0 if and only if f ( n ) 6= 0 if and only if g( n ) 6= 0 if
and only if u( n ) = 0. The last equivalence follows from the fact that
u(x)g(x) = xL 0 1, and so each Lth root of unity n appears as a
root of exactly one of u(x) and g (x). Note also that u(x) has exactly
deg (u) complex roots, and all are of the form n . Hence the number
of nonzero Fourier coefficients satisfies
(S ) = deg (u):
(2)
Next we bound 82 (S ). Factoring g (2) out of the numerator and denominator in (1) we obtain
= 0h(2) :
u(2)
If h(2) and u(2) were relatively prime then we would have 82 (S ) =
log2 (u(2)). However, this is not always the case (even though the polynomials h(x) and u(x) are relatively prime, as polynomials with rational coefficients.) The best we can say is that
82 (S ) log2 (u(2)):
It remains then to bound log2 (u(2)).
(3)
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 46, NO. 2, MARCH 2000
Recall that the nth cyclotomic polynomial cn (x) is the minimal polynomial (with integer coefficients) of the primitive nth roots of unity
(that is, the monic polynomial of smallest degree that vanishes on the
complex number exp [2i=n]). Its degree is Euler's phi function (n),
the number of positive integers j n that are relatively prime to n.
Recall also [5, Proposition. 13.2.2] that
xL 0 1 =
njL
u(x) =
j =1
cn (x)
(4)
(2) leads to a bound for
nj dividing L. Thus a bound for cn
82 (S ).
with
Proposition III.1: Let n be a positive integer and let
m=
pjn
Proof: The logarithm of the left-hand side can be expanded as
1
j =d+1
Since
p = s(n)
j =d+1
if n has an even number of distinct positive prime divisors, and
1
j =d+1
j jn
ln(1 0 xj+1 ) > 0
(1 0 20j )(n=j) =
1
Following are four basic properties of (see [5, Sec. 2.2]).
1)
if n > 1
if n = 1:
(ab) = (a)(b) if a and b are relatively prime.
3)
j(n=j ) = (n).
4) cn (x) =
(xj 0 1)(n=j) .
j jn
The fourth property is obtained by applying the Möbius inversion formula [5, Sec. 2.2] to the relation xn 0 1 = djn cd (x).
The fourth and third properties imply that
cn (2) =
j jn
= 2(n)
j jn
(1 0 20j )(n=j)
so it remains to estimate the latter product. We first need the following.
Lemma III.2: Let d
1 and let 0 < x 1=2. Then
1
(1 0 xj ) > 1 0 xd :
j =d+1
i=1
i
(1 0 20qk )(m=k) :
kjm
20q )(m) = 1 0 20q . The
by Lemma 3.2. This yields
cn (2)
0j (n=j) < 1:
2(n) = jjn (1 0 2 )
(1 0 20qk )(m=k)
kjm
is when k = 1 and the second is when k is the smallest positive prime
factor p of m. Since m has an even number of positive prime factors,
m=p has an odd number of positive prime factors, so (m=p) = 01.
The product for the remaining values of k is bounded below by
(1 0 20qk ) > (1 0 20qp ):
k>p
j jn
0 1)(n=j)
1 xid
= ln(1 0 xd ):
k=2
2)
(2j
= 1 and x = 1=2,
(1 0 20qk )01 < (1 0 20q )01
otherwise:
j jn
xk xid
To get a lower bound, note that the first nontrivial factor in
prime factors, and
0;
1;
k=id+1
The first factor in this product is (1 0
remaining product is bounded above by
(n) = (01)k ; if n is square-free and has k distinct positive
(j ) =
1
i
Returning to the proof of Proposition 3.1, assume m has an even
number of distinct positive prime factors, so (m) = 1. Let q = n=m.
Recall that (n=j ) 6= 0 only when n=j is square-free, which is equivalent to q dividing j . Write j = qk . The condition j jn becomes kjm,
and we have
1 < 2(n) < (1 0 20q )01
= 0;
i=1 j =d+1
This yields the lemma.
cn (2)
if n has an odd number of distinct positive prime divisors.
Proof: Recall the Möbius function , which is defined for positive integers n by
xij
1 xij
:
with both inequalities being equalities only when i
we obtain
(the product taken over all positive prime divisors p of n) denote the
largest square-free integer dividing n. Let q = n=m. Then
1 0 20q < c2n(2)
<1
(n)
1
ln(1 0 xj ) = 0
1
cn (x)
(where njL means that n is a divisor of L).
Since u(x) divides xL 01, it must be a product of distinct cyclotomic
polynomials
t
689
This yields
cn (2)
0q
0qp 01
0qp
2(n) > (1 0 2 )(1 0 2 ) (1 0 2 )
which yields the result.
The case when m has an odd number of positive prime factors is
similar.
Proposition III.3: Fix a positive square-free integer m 1. Then
log2 c2n(2)
= 0(m)
(n)
s(n)=m
and all terms in the sum have the same sign.
690
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 46, NO. 2, MARCH 2000
Proof: The fact that all terms have the same sign follows immediately from Proposition 3.1.
Observe that two integers m and n have exactly the same prime factors if and only if each divides a power of the other. For simplicity, we
write mjn to mean that m divides some power of n. For a square-free
integer m, this is equivalent to mjn.
Now fix a positive squarefree integer m. We have s(n) = m if and
only if mjn and njm . Moreover, a positive integer q occurs as n=m
for some n with s(n) = m if and only if q jm .
As in the proof of Proposition 3.1
IV. PROOF OF THEOREM 2.2
It follows from (2) that
1
1
2
j
(1 0 20jq )(m=j)
j m
= n=m. Therefore,
cn (2) =
2(n)
s(n)=m
j
q m
j
(1 0 20jq )(m=j) :
j m
We want to rewrite this product as a product of factors (1 0 20k ),
each occuring to some power. No such factor occurs more than m
(actually, no more than the number of positive divisors of m) since
each occurence corresponds to a distinct divisor j of k . Moreover,
1 (1020k )m converges to a nonzero number. Therefore, the above
k=1
products converge “absolutely” (i.e., their logarithms are absolutely
convergent series), so the rearrangement of the factors in the above infinite products is justified.
Next we determine the exponent with which a factor (1 0 20k ) occurs. The integer k occurs as a product jq , with q jm1 and j jm, exactly
when kjm1 . Fix such a k . The condition k = jq automatically implies
qjm1 . The values of j that yield k (i.e., k = jq for some q ) are therefore exactly those that satisfy both j jm and j jk . This is equivalent to
j jgcd (m; k). Therefore, the factor (1 0 20k ) occurs in the last product
with exponent
j
(m=j ):
Write m = gcd (m; k)m0 . Since m is square-free, gcd (m; k) and m0
are relatively prime, so (m=j ) = (gcd (m; k)=j )(m0 ), by Property 2 of . Therefore, we obtain
j
(gcd (m; k)=j ) = 0;
j gcd (m;k)
t
log2 cn (2)
j =1
t
cn (2)
(nj ) + log2
2(n )
t
c (2)
= deg(u) + log2 n(n ) :
2
j =1
j =1
Let s(nj ) = mj . Let E and O denote the sets of positive square-free
divisors of L with (mj ) = 1 and (mj ) = 01, respectively. We
obtain
log2 (u(2)) deg(u) +
c (2)
log2 2n(n )
m 2O
since the terms with mj 2 E are negative by Proposition 3.1. If there
are two or more nj with the same mj , then group them together. We
obtain a subsum of the sum in Proposition 3.3. Since all the terms in
the sum of Proposition 3.3 are positive, the proposition gives the upper
bound of 1 for our subsum. By Lemma 3.4, there are at most 2s(L)01
distinct values of mj 2 O . Therefore,
log2 (u(2)) < deg (u) + 2!(L)01 :
Theorem II.2 then follows from (2) and (3).
Proof of Proposition II.3: We finish by proving Proposition II.3.
Let N be a natural number and let p1 < p2 < 1 1 1 < pN be primes
such that 1 0 210p > 20 . Let L = p1 p2 1 1 1 pN and let n1 ; 1 1 1 ; nt
run through all positive divisors of L such that (ni ) = 01. Then
t = 2N 01 by Lemma 3.4. Let
=
01
cn (2) 1 1 1 cn (2)
in the notation of Section II, and let
binary sequence. Then
j gcd(m;k)
(m0 )
=
1
cn (2) =
(n)
where q
log2 (u(2)) =
(S ) =
S be the corresponding periodic
deg cn (X ) =
i
= 0qp
i
(ni )
and
82 (S ) =
when gcd (m; k) 6= 1
i
log2 (cn (2)) :
We have
cn (2) =
(n )
by Property 3 of , since gcd (m; k)=j runs though all the positive
divisors of gcd (m; k). Since kjm1 , we have gcd (m; k) = 1 if and
only if k = 1, which corresponds to q = j = 1. Therefore, the product
reduces to
2
> (1 0 201 )01
Lemma III.4: Any integer L > 1 has 2!(s(L))01 positive
square-free divisors with an odd number of positive prime factors.
Proof: The positive square-free divisors of L are in one-to-one
correspondence with the subsets of the set of positive prime divisors
of L. There are 2!(L) such subsets in all, half of which have even
cardinality.
j p
(1 0 20j )
> 2(1 0 210p ) by Lemma 3.2
> 210 :
(1 0 201 )(m) = 20(m) :
This completes the proof of Proposition 3.3.
j
j n
(1 0 20j )(n =j)
Therefore,
82 (S ) >
t
i=1
((ni ) + (1 0 )) = (S ) + (1 0 )2N 01 :
Since N = ! (L), we are done. The proof of the second half of Proposition 2.3 is obtained in a similar way by using ni with (ni ) = 1.
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 46, NO. 2, MARCH 2000
691
V. LOWER BOUNDS
A Lower Bound on the Linear Span of an FCSR
In this section we derive a lower bound for 8(S ) using the upper
bound in Theorem II.2. Let T = b0 ; b1 ; 1 1 1 be the sequence derived
from S by complementing the first bit in every period. That is,
Changho Seo, Sangjin Lee, Yeoulouk Sung, Keunhee Han, and
Sangchoon Kim
bi =
1 0 ai ;
if Lji
else:
ai ;
We let
=
1
i=0
Abstract—We have derived a lower bound on the linear span of a binary
sequence generated by a Feedback with Carry Shift Register (FCSR) under
(
the following condition: is a power of a prime such that =
2) and
(= 2 + 1) where both and are 2-prime. This allows
us to design FCSR stream ciphers similar to previously proposed Linear
Feedback Shift Register (LFSR) stream ciphers.
bi 2i
Index Terms—Feedback with carry shift register (FCSR), linear feedback shift register (LFSR), linear span, 2-adic span.
be the 2-adic integer associated with T . We have
I. INTRODUCTION
= 0x=y = 0xw=(2L 0 1)
for some integers x, y , and z with wy
Theorem II.2
= 2L 0 1. T is periodic so, by
82 (T ) < (T ) + 2!(L)01 :
For the Fourier coefficients of T we have ^bk = 1 0 2a0 + a
^k . For
any integer c, we let
c (S ) = jfk : a^k 6= cgj:
Then we have
(T ) = 102a (S ):
To estimate the 2-adic complexity of T , note that
= 0 1 L0 2a0 = 0 1 0 2La0 + pz :
2 01
2 01
Thus 1 0 2a0 + pz = xw . Since 1 0 2a0 is plus or minus one, it follows
that z is relatively prime to w . However, z divides 2L 0 1 = yw , so z
divides y . Hence
82 (T ) = log2 (y) log2 (z) = log2 ((2L 0 1)=q)
= log2 (2L 0 1) 0 log2 (q):
We have proved the following lower bound.
Theorem V.1: Let S be a periodic binary sequence of period L: Then
The forthcoming information society requires ultra-high speed data
communications. It also demands the communication channel to be
secure. One of the most common technology is to use stream cipher.
Hence the development of a good random number generator has been a
hot topic in cryptology. Linear Feedback Shift Register (LFSR) [2] has
been widely used as fast random number generators. A good stream
cipher [1], should have good randomness, high period, linear span,
and security against any known attack such as correlation attack. The
size of the smallest LFSR that generates a given periodic sequence is
called the linear span; it is an important measure of the cryptographic
security of sequences. Such a shift register may be found efficiently
using Berlekamp–Massey algorithm [1], which may be interpreted as
the continued fraction expansion of f (x)=g (x) in the ring Z=(2)[x] of
formal power series. Thereby, LFSR has some weakness with respect
to the linear span.
In 1994, Klapper and Goresky [4] proposed a new type of random
number generator called Feedback with Carry Shift Register (FCSR).
This register is equipped with an algebraic framework for analysis analogous to that that in LFSR. This algebraic structure is based on algebra
over the 2-adic numbers [6] in which the sequences generated by FCSR
can be analyzed, in the same way as the algebra over finite fields can
be used to analyze LFSR sequences.
In this correspondence, we have derived a lower bound on the linear
span of a binary sequence generated by a Feedback with Carry Shift
Register (FCSR) with connection integer q; q is a power of a prime
such that q = re (e 2) and r (= 2p + 1); where both r and p are
2-prime.
In Section II, we briefly review FCSR and derive the linear span of
an FCSR in Section III. Finally, Section IV contains the conclusion.
82 (S ) > log2 (2L 0 1) 0 102a (S ) 0 2!(L)01 :
REFERENCES
[1] R. Blahut, “Transform techniques for error-control codes,” IBM J. Res.
Develop., vol. 23, pp. 299–315, 1979.
[2] A. Klapper and M. Goresky, “Feedback shift registers, 2-adic span, and
combiners with memory,” J. Crypt., vol. 10, pp. 111–147, 1997.
[3] J. Massey, “Cryptography and system theory,” in Proc. 24th Allerton
Conf. Communication, Control, and Computers, Oct. 1–3, 1986.
[4] J. Massey and S. Serconek, “Linear complexity of periodic sequences: A
general theory,” in Advances in Cryptology—CRYPTO 97, N. Koblitz,
Ed., pp. 358–371. (Springer Lecture Notes in Computer Science, vol.
1109, New York: Springer Verlag, 1997.).
[5] K. Ireland and M. Rosen, “A classical introduction to modern number
theory (second edition),” in Graduate Texts in Mathematics. New
York: Springer Verlag, 1990, vol. 84.
Manuscript received May 4, 1998; revised August 12, 1999. The work of Y.
Sung was supported in part by the Research Institute of Basic Sciences, Kongju
National University.
C. Seo and Y. Sung are with the Department of Applied Mathematics, Kongju
National University, Kongju-city, 314–110, South Korea.
S. Lee is with the Department of Mathematics, Korea University, Chochiwon,
339-800, South Korea.
K. Han and S. Kim are with the Coding Technology Section, Electronics and
Telecommunications Research Institute, Taejeon, 305–350, South Korea.
Communicated by D. Stinson, Associate Editor for Complexity and Cryptography.
Publisher Item Identifier S 0018-9448(00)01674-6.
0018–9448/00$10.00 © 2000 IEEE