Linear Feedback Shift Register(RSLOS, eng. linear feedback shift register, LFSR) is a bit word shift register, in which the value of the input (inserted) bit is equal to a linear Boolean function from the values of the remaining bits of the register before the shift. It can be organized by both software and hardware. It is used to generate pseudo-random bit sequences, which finds application, in particular, in cryptography.
Description
Register control in hardware implementations is performed by applying a shift pulse (otherwise called clock or sync pulse) to all cells. The register is managed in software implementations by executing a loop. At each iteration of the loop, the feedback function is computed and the bits in the word are shifted.
Principle of operation
Linear complexity
Correlation independence
In an attempt to obtain high linear complexity of the generated sequence, cryptographers non-linearly combine the outputs of several shift registers. In this case, one or several output sequences (or even the outputs of individual RSLOS) can be connected by a common flow and opened by a cryptanalyst. Hacking based on such a vulnerability is called correlation autopsy... The main idea of such a hack is to find some correlation between the output of the generator and the outputs of its constituent parts. Then, by observing the output sequence, you can get information about these intermediate pins, and thus hack the generator. Thomas Sigenthaler showed that correlation independence can be accurately determined and that there is a trade-off between correlation independence and linear complexity.
Software implementation
RSLOS software implementations are rather slow and work faster if they are written in assembler. One of the solutions is the parallel use of 16 RSLOS (or 32, depending on the word length in the computer architecture). In such a scheme, an array of words is used, the size of which is equal to the length of the shift register, and each bit of the word refers to its own RSLO. Since the same tap sequence numbers are used, this can give a noticeable gain in generator performance.
Fibonacci configuration
Consider a 32-bit shift register. There is a diversion sequence for it (32, 31, 30, 28, 26, 1) (\ displaystyle \ left (32, \; 31, \; 30, \; 28, \; 26, \; 1 \ right))... This means that to generate a new bit, you must XOR the 31st, 30th, 29th, 27th, 25th and 0th bits. The received RSLO has a maximum period 2 32 - 1 (\ displaystyle 2 ^ (32) -1)... The C code for such a register is as follows:
int LFSR_Fibonacci (void) (static unsigned long S = 0x00000001; S = ((((S >> 31) ^ (S >> 30) ^ (S >> 29) ^ (S >> 27) ^ (S >> 25) ^ S) & 0x00000001)<< 31 ) | (S >> 1); return S & 0x00000001; )
Galois configuration
This generator does not have greater cryptographic strength, but it gives a performance gain: all XOR operations through parallelization can be performed in one action, and not sequentially one after another, as in the Fibonacci configuration. This scheme will also benefit from hardware implementation.
The C code for a 32-bit shift register is as follows:
int LFSR_Galois (void) (static unsigned long S = 0x00000001; if (S & 0x00000001) (S = (S ^ 0x80000057 >> 1) | 0x80000000; return 1;) else (S >> = 1; return 0;))
It is worth noting that a loop of a fixed number of calls to the LFSR_Galois function in the Galois configuration is approximately 2 times faster than the LFSR_Fibonacci function in the Fibonacci configuration (MS VS 2010 compiler on Intel Core i5).
An example of a generated sequence
Fibonacci configuration
Let RSLOS be given by the characteristic polynomial x 3 + x + 1 (\ displaystyle x ^ (3) + x + 1)... This means that the bits of the tap will be the 2nd and the 0th, and the one in the polynomial formula means that the 0th bit is the input. The feedback function has the form S j = S j - 1 ⊕ S j - 3 (\ displaystyle S_ (j) = S_ (j-1) \ oplus S_ (j-3))... Let's say the initial state of the shift register was a sequence. Further states of the register are shown in the table below:
| Step number | State | Generated bit |
|---|---|---|
| 0 | [0, 0, 1] (\ displaystyle \ left) | 1 |
| 1 | 0 | |
| 2 | 0 | |
| 3 | 1 | |
| 4 | 1 | |
| 5 | 1 | |
| 6 | 0 | |
| 7 | [0, 0, 1] (\ displaystyle \ left) | 1 |
Since the internal state at the seventh step returned to its original, then, starting from the next step, the beats will be repeated. That is, the generated sequence is as follows: [1, 0, 0, 1, 1, 1, 0, 1. ... ... ] (\ displaystyle \ left)(the order of the bits in the sequence corresponds to the order of their generation by RSLOS). Thus, the period of the sequence is 7, that is, the maximum possible value, which happened due to the primitiveness of the given polynomial.
Galois configuration
We take the same characteristic polynomial, that is c 3 = c 1 = 1 (\ displaystyle c_ (3) = c_ (1) = 1), c 2 = 0 (\ displaystyle c_ (2) = 0)... Only the 1st bit is added to the output bit. The initial state is the same. Further register states:
| Step number | State | Generated bit |
|---|---|---|
| 0 | [0, 0, 1] (\ displaystyle \ left) | - |
| 1 | [1, 0, 0] (\ displaystyle \ left) | 0 |
| 2 | [0, 1, 1] (\ displaystyle \ left) | 1 |
| 3 | [1, 0, 1] (\ displaystyle \ left) | 1 |
| 4 | [1, 1, 1] (\ displaystyle \ left) | 1 |
| 5 | [1, 1, 0] (\ displaystyle \ left) | 0 |
| 6 | [0, 1, 0] (\ displaystyle \ left) | 0 |
| 7 | [0, 0, 1] (\ displaystyle \ left) | 1 |
The internal state of the register at the seventh step returned to its original state, therefore, its period is also 7. Unlike the Fibonacci configuration, the internal states of the register turned out to be different, but the generated sequence is the same, only shifted by 4 clock cycles: [0, 1, 1, 1, 0, 0, 0, 0, 1, 1,. ... ... ] (\ displaystyle \ left)(the order of the bits in the sequence corresponds to the order of their generation by RSLOS).
Generating primitive polynomials
| Bits, n (\ displaystyle n) | Primitive polynomial | Period, 2 n - 1 (\ displaystyle 2 ^ (n) -1) | The number of primitive polynomials |
|---|---|---|---|
| 2 | x 2 + x + 1 (\ displaystyle x ^ (2) + x + 1) | 3 | 1 |
| 3 | x 3 + x 2 + 1 (\ displaystyle x ^ (3) + x ^ (2) +1) | 7 | 2 |
| 4 | x 4 + x 3 + 1 (\ displaystyle x ^ (4) + x ^ (3) +1) | 15 | 2 |
| 5 | x 5 + x 3 + 1 (\ displaystyle x ^ (5) + x ^ (3) +1) | 31 | 6 |
| 6 | x 6 + x 5 + 1 (\ displaystyle x ^ (6) + x ^ (5) +1) | 63 | 6 |
| 7 | x 7 + x 6 + 1 (\ displaystyle x ^ (7) + x ^ (6) +1) | 127 | 18 |
| 8 | x 8 + x 6 + x 5 + x 4 + 1 (\ displaystyle x ^ (8) + x ^ (6) + x ^ (5) + x ^ (4) +1) | 255 | 16 |
| 9 | x 9 + x 5 + 1 (\ displaystyle x ^ (9) + x ^ (5) +1) | 511 | 48 |
| 10 | x 10 + x 7 + 1 (\ displaystyle x ^ (10) + x ^ (7) +1) | 1023 | 60 |
| 11 | x 11 + x 9 + 1 (\ displaystyle x ^ (11) + x ^ (9) +1) | 2047 | 176 |
| 12 | x 12 + x 11 + x 10 + x 4 + 1 (\ displaystyle x ^ (12) + x ^ (11) + x ^ (10) + x ^ (4) +1) | 4095 | 144 |
| 13 | x 13 + x 12 + x 11 + x 8 + 1 (\ displaystyle x ^ (13) + x ^ (12) + x ^ (11) + x ^ (8) +1) | 8191 | 630 |
| 14 | x 14 + x 13 + x 12 + x 2 + 1 (\ displaystyle x ^ (14) + x ^ (13) + x ^ (12) + x ^ (2) +1) | 16383 | 756 |
| 15 | x 15 + x 14 + 1 (\ displaystyle x ^ (15) + x ^ (14) +1) | 32767 | 1800 |
| 16 | x 16 + x 14 + x 13 + x 11 + 1 (\ displaystyle x ^ (16) + x ^ (14) + x ^ (13) + x ^ (11) +1) | 65535 | 2048 |
| 17 | x 17 + x 14 + 1 (\ displaystyle x ^ (17) + x ^ (14) +1) | 131071 | 7710 |
| 18 | x 18 + x 11 + 1 (\ displaystyle x ^ (18) + x ^ (11) +1) | 262143 | 7776 |
| 19 | x 19 + x 18 + x 17 + x 14 + 1 (\ displaystyle x ^ (19) + x ^ (18) + x ^ (17) + x ^ (14) +1) | 524287 | 27594 |
| 20 - 168 | |||
| 2 - 786, 1024, 2048, 4096 | |||
Advantages and disadvantages
Advantages
- high speed of cryptographic algorithms created on the basis of RSLOS (for example, stream ciphers);
- the use of only the simplest bit operations of addition and multiplication, hardware implemented in almost all computing devices;
- good cryptographic properties (RSLOS can generate long period sequences with good statistical properties);
- due to its structure, RSLOS are easily analyzed using algebraic methods.
disadvantages
Methods for improving the cryptographic strength of generated sequences
Generators with multiple shift registers
This type of generator consists of several linear feedback shift registers that generate bits x 1, i, x 2, i,…, x M, i (\ displaystyle x_ (1, i), \; x_ (2, i), \; \ dots, \; x_ (M, i)) respectively. Further, the generated bits are transformed by some Boolean function f (x 1, i, x 2, i,…, x M, i) (\ displaystyle f (x_ (1, i), \; x_ (2, i), \; \ dots, \; x_ (M , i)))... It should be noted that for generators of this type, the register lengths L i (\ displaystyle L_ (i)), i = 1, 2,…, M (\ displaystyle i = 1, \; 2, \; \ dots, \; M) are mutually simple with each other.
The period of this generator is T = (2 L 1 - 1) ⋅ (2 L 2 - 1) ⋯ (2 LM - 1) ≲ 2 L (\ displaystyle T = (2 ^ (L_ (1)) - 1) \ cdot (2 ^ ( L_ (2)) - 1) \ cdots (2 ^ (L_ (M)) - 1) \ lesssim 2 ^ (L)), where L = ∑ i = 1 M L i (\ displaystyle L = \ sum \ limits _ (i = 1) ^ (M) L_ (i))- the total number of cells. Consequently, the use of several RSLOS increases the period of the generated sequence in comparison with one register, which increases the cryptographic strength of the generator. It also increases the linear complexity or length of the shortest register corresponding to a given generator. Such a register is found using the Berlekamp-Massey algorithm from the generated sequence. At best, its length is commensurate with the period of the generated sequence.
Generators with nonlinear transformations
The block diagram of such a generator is no different from that of the previous generator. The main difference is that the transform device is specified by a nonlinear Boolean function f (x 1, x 2,…, x M) (\ displaystyle f (x_ (1), x_ (2), \ dots, x_ (M)))... As such a function, we take, for example, the Zhegalkin polynomial (according to the Zhegalkin theorem, any Boolean function can be uniquely represented by the Zhegalkin polynomial).
The non-linear generator can also be implemented on nonlinear feedback shift register... He can give 2 2 L - 1 - L (\ displaystyle 2 ^ (2 ^ (L-1) -L)) variants of sequences of the maximum period, which is more than that of RSLOS.
The cryptographic resistance of this generator is increased due to the nonlinearity of the function used. Determining the state of the registers from the generated sequence of bits is a complex mathematical problem, because no algorithm is known that restores the original states.
This method is used, for example, in Geff generator and the generalized Geff generator, however such generators can be cracked by a correlation attack.
Oscillators with different timing of shift registers
Stop-and-go generator
Stop-and-go generator(English Stop-and-Go, Both-Piper) uses the output of RSLOS-1 to control the clock frequency of RSLOS-2, so that RSLOS-2 changes its state at a certain moment of time only if the output of RSLOS-1 at the moment of time was equal to unit. This scheme did not resist the correlation autopsy.
In order to increase the cryptographic strength, it was proposed alternating stop-and-go generator... It uses three shift registers of different lengths. Here RSLOS-1 controls the clock frequency of the 2nd and 3rd registers, that is, RSLOS-2 changes its state when the RSLOS-1 output is equal to one, and RSLOS-3 - when the RSLOS-1 output is zero. The generator output is the operation of addition modulo two outputs of RSLOS-2 and RSLOS-3. This generator has a long period and a large linear complexity. There is a way of RSLOS-1 correlation attack, but this does not greatly weaken the cryptographic properties of the generator.
A complicated clocking scheme is used in two-way generator "stop-and-go", which uses 2 shift registers of the same length. If the output of RSLOS-1 at some point in time t i - 1 (\ displaystyle t_ (i-1))- one, then RSLOS-2 is not clocked at the time t i (\ displaystyle t_ (i))... If the output of RSLOS-2 at the time t i - 1 (\ displaystyle t_ (i-1)) is equal to zero, and at the moment of time t i - 2 (\ displaystyle t_ (i-2))- one, and if this register is clocked at the time t i (\ displaystyle t_ (i)), then at the same moment RSLOS-1 is not clocked. The linear complexity of this circuit is approximately equal to the period of the generated sequence.
Self-jetting generator
Multi-speed generator with internal product
This generator uses two shift registers RSLOS-1 and RSLOS-2. Clock frequency of RSLOS-2 in d (\ displaystyle d) times more than that of RSLOS-1. Certain bits of these registers are multiplied with each other using the AND operation. The results of the multiplications are XORed together to produce an output sequence. This generator has high linear complexity and good statistical properties. However, its state can be determined by the output sequence of length L 1 + L 2 + log 2 d (\ displaystyle L_ (1) + L_ (2) + \ log _ (2) (d)), where L 1 (\ displaystyle L_ (1)) and L 2 (\ displaystyle L_ (2))- lengths of RSLOS-1 and RSLOS-2, respectively, and d (\ displaystyle d)- the ratio of their clock frequencies.
Gollmann's cascade
This diagram is an improved version of the stop-and-go generator. It consists of a sequence of RSLOS, the clocking of each of which is controlled by the previous RSLOS. If the output of RSLOS-1 at the time t i (\ displaystyle t_ (i)) is 1, then RSLOS-2 is clocked. If the output of RSLOS-2 at the time t i (\ displaystyle t_ (i)) is 1, then RSLOS-3 is clocked, and so on. The output of the last RFLOS is the output of the generator. If the length of all RSLOS is the same and equal to L (\ displaystyle L), then the period of the system from M (\ displaystyle M) RSLO is equal to (2 L - 1) M (\ displaystyle (2 ^ (L) -1) ^ (M)) and the linear complexity is L (S) = L (2 L - 1) M - 1 (\ displaystyle L (S) = L (2 ^ (L) -1) ^ (M-1)) .
This idea is simple and can be used to generate sequences with huge periods, large linear complexities, and good statistical properties. But unfortunately, they are sensitive to an autopsy called locking(English lock-in) when
- "Tetromino tennis"). He created and solved countless mathematical puzzles and puns. About 20 years ago, I found out that he was very close to discovering my favorite rule of 30 for cellular automata back in 1959, when I was just born.
How I met Saul Golomb
Almost all the scientists and mathematicians I know I got to know through my professional connections. But not Sol Golomba. It was 1981, and I, a 21-year-old physicist (who became a little famous in the media because I was the youngest recipient of the MacArthur Prize at the first awards ceremony), was doing research at. There was a knock on the door of my office, and soon a young woman stepped into it. This was already unusual, because in those days there were hopelessly few women where they were engaged in theoretical high-energy physics. Although I lived in California for several years, I nevertheless did not leave the university, and therefore was ill-prepared for the surge of Southern California energy that burst into my office. The woman introduced herself to Astrid and said that she had attended Oxford and knew someone I was with in kindergarten. She explained that she was tasked with collecting information about interesting people in the Pasadena area. I think she considered me a difficult case, but nevertheless insisted on talking. And one day, when I was trying to tell something about what I do, she said: " You must meet my father. He is already an old man, but his mind is still razor sharp. "And it so happened that Astrid Golomb, the eldest daughter of Saul Golomb, introduced me to him.The Golomb family lived in a house located in the mountains near Pasadena. They had two daughters: Astrid - a little older than me, an ambitious Hollywood girl, and Beatrice - about my age and scientific mind. The Golomb sisters often hosted parties, usually at their homes. The themes were different: it was a garden party and croquet with flamingos and hedgehogs (" the winner will be the one whose costume most closely matches the stated theme"), or a Stonehenge-style party with instructions written in runes. At these parties, young and not so people crossed, including various local luminaries. And at them, a little to the side, there was always a small man with a big beard, a little on an elf and always wearing a dark coat - Solomon Golomb himself.
Gradually, I learned a little about him. What he was involved in " information theory". That he worked at the University of Southern California. That he had various vague, but apparently high-level government and other connections. I heard about shift registers, but knew almost nothing about them.
Here's what happens after a while:
As you can see, the shift register always shifts bits to the left, and other bits are added to the right, following a simple rule. The sequence of bits appears to be random, although, as shown in the figure, it eventually repeats itself. Sol Golomb found an elegant mathematical way to analyze such sequences and how they repeat themselves.
If the shift register is of size n, then he has 2 n possible states (corresponding to all possible sequences of 0 and 1 with length n). Since the rules for the shift register are deterministic, any given position must always arrive at another, the same position. This means that the maximum possible number of steps that the shift register can go through before the steps begin to repeat is 2 n(actually 2 n- 1, since a position with all 0s cannot evolve into anything else).
In the above example, the shift register is 7 and will repeat in exactly 2 7 - 1 = 127 steps. But which shift registers - with which branching locations - will produce maximum-length sequences? Solomon Golomb began to investigate this question in the summer of 1954. And his answer was simple and elegant.
The shift register above has branches at positions 7, 6, and 1. Saul presented this algebraically using the polynomial NS 7 + NS 6 + 1. He then showed that the generated sequence will be of maximum length if this polynomial " irreducible modulo 2"; therefore, it cannot be factorized, which makes it analogous to a prime number among polynomials; and the presence of some other properties makes it a" primitive polynomial. "Today, this is easily verified using Mathematica and the Wolfram Language:
Then, in 1954, Saul had to do it all by hand; he compiled a rather long table of primitive polynomials corresponding to shift registers, which produced sequences of maximum length:
History of shift registers
The idea of maintaining RAM through " delay lines"that transmit digital pulses dates back to the early days of the computer. By the late 1940s, such delay lines were being applied digitally using a series of vacuum tubes and were called" shift registers"It is not yet clear when the first closed-loop shift registers were created. It may have been in the late 1940s. However, this event is still shrouded in mystery, because they were first used in military cryptography.The basic idea of cryptography is to change meaningful messages so that they cannot be recognized; however, if you know the key, you can recreate the encrypted message. The so-called stream ciphers work on the principle of creating long sequences of seemingly random elements, and are decoded using a receiver that independently generates the same sequence of elements.
Linear feedback shift registers were prized in cryptography due to their long retry periods. However, the mathematical analysis that Saul used to find these periods makes it clear that such shift registers are not suitable for secure cryptography. However, in the beginning they seemed to be quite good (especially when compared to the successive rotor positions in Enigma); there were persistent rumors that Soviet military cryptosystems were built on this basis.
Back in 2001 when I was working on historical notes for my book A new kind of science Saul and I had a long conversation on the phone about register shifts. Saul told me that when he started out, he knew nothing about cryptographic work on shift registers. He said that Bell Labs, Lincoln Labs, and JPL began working on shift registers around the same time he did; however, he managed to go a little further, which he noted in his 1955 report.
Over the following years, Saul gradually learned about the various predecessors of his work from the literature on pure mathematics. Already in 1202, Fibonacci spoke of what are now called Fibonacci numbers and which are generated by a recurrence relation (which can be seen as an analogue of a linear feedback shift register that works with arbitrary integers, not zeros and ones). There are also small works of the early 1900s on the cycles of 0 and 1, but the first large-scale study was the work of Oysten Ore from the University of Oslo. Ore had a student named Marshall Hall who advised the predecessor of the National Security Agency in the late 1940s. - probably on the topic of shift registers. However, everything he did was classified, and so he arranged with Saul to publish the history of linear feedback shift registers; Saul dedicated his book to Marshall Hall.
What are the sequences generated by the shift registers for?
I have noticed many times that systems governed by simple rules end up with many variations of applications; shift registers also follow this pattern. Both modern hardware and software are crammed with shift registers: in an ordinary mobile phone, there are probably a dozen or two of them, implemented, as a rule, at the hardware level, and sometimes in software (when I write "shift register" here, I I mean a linear feedback shift register - LFSR).In most cases, the shift registers are used that give the maximum length sequences (otherwise known as " M-sequences The reasons they are used are generally due to some of their properties that Sol discovered. They always contain the same number of 0s and 1s (although in reality there is always exactly one additional 1). the same number of sequences 00, 01, 10 and 11 is also characteristic - and for large blocks too. This property " balance"this in itself is already very useful - for example, if you test all possible combinations of bits as input.
However, Sol discovered another, even more important, property. Replace every 0 in the sequence with 1, then multiply each element in the shifted version of the sequence by the corresponding element in the original. Saul showed that when added, these elements will always be zero (unless there is no shift at all). That is, the sequence has no correlation with the shifted versions of itself.
These properties will be true for any sufficiently long random sequence of 0 and 1. Surprisingly, these properties are always true for sequences of maximum length. Sequences have some chaotic features, but they are not really chaotic at all: they have a well-defined, organized structure.
It is this structure inherent in linear feedback shift registers that makes them unsuitable for serious cryptography. But they are great for basic "element permutation" and cheap cryptography and are widely used for these purposes. Often the task is to simply "whiten" the signal (as in "white noise"). Sometimes it is necessary to transmit data with long sequences of 0. But the electronics in this case can get confused if the "silence" is too long. You can avoid this problem by scrambling the original data by combining it with the sequence generated by the shift register. This is exactly what has been done with Wi-Fi, Bluetooth, USB, digital TV, internet, etc.
A side effect of shift register scrambling is more complex decoding, which is sometimes used to improve security (DVD technology uses a combination of 16 and 24 bit shift registers to encode data; many GSM phones use a combination of three shift registers to encode all signals).
Saul created the mathematical foundation for all of this, and also introduced a number of key figures to one another. Back in 1959, he met Irwin Jacobs, who had recently received his Ph.D. from the Massachusetts Institute of Technology. He also knew Andy Viterbi, who worked at the Jet Propulsion Laboratory. Saul introduced them, and in 1968 they founded a company called Linkabit to work on coding systems (mostly for military purposes).
In 1985 Jacobs and Viterbi founded another company called Qualcomm. They weren't doing very well at first, but by the early 1990s, when they began making components for deploying CDMA in cell phones, the company was growing rapidly.
Well, where are these registers?
It is surprising that most people have never heard of shift registers and at the same time interact with them whenever they use modern communication systems, computers, etc. It is easy to get confused here, given that the same register sequences appear behind different names and abbreviations linear feedback shift (PN, pseudo noise, M-, FSR, LFSR sequences, MLS, SRS, PRBS, etc.).In mobile phones, the use of the sequences generated by the shift registers has changed over the years, sometimes increasing and sometimes decreasing. networks are based on TDMA so they do not use shift register sequences to encode their data, however, CRC (Cyclic Redundancy Check) is still often used to check data blocks. networks are the largest users of CDMA, so the sequences generated by the shift registers are involved in the transmission of each bit. networks typically use a combination of time and frequency slots that do not include shift register sequences, although CRCs are still used: for example, to interact with integral data when frequency windows overlap. has a more complex structure - with many antennas dynamically adapting to use the optimal time and frequency of slots. However, half of their channels are typically dedicated to "pilot" signals that are used to derive the local radio environment; they are also based on sequences generated by shift registers.
Electronics manufacturing typically strives to achieve the highest possible data transfer rate with the lowest power consumption, allowing the bits to overcome the noise floor. And, as a rule, this path leads to the automation of error detection - and therefore to the use of CRC (Cyclic Redundancy Check) and, therefore, the sequences generated by the shift register. This applies to almost all types of buses inside the computer (PCIe, SATA, etc.): providing interaction between parts of the central processor, or receiving data from devices, or connecting to a display with HDMI. In the case of disks or memory, CRCs and other codes based on the sequences generated by the shift registers are also almost universally used to operate at maximum speed.
Shift registers are so ubiquitous that it is almost impossible to estimate how many bits they generate. There are roughly 10 billion computers, slightly less phones, and a huge number of devices in the embedded IoT (Internet of Things). Almost every car in the world (and there are more than a billion!) Has about 10 embedded microprocessors.
At what frequency do the shift registers work? In communication systems, there is a base carrier frequency in the hertz band, as well as a "chip rate" that tells how fast multiple access (we are talking about CDMA) is carried out in the MHz band. On the other hand, in buses inside computers, all data is transferred using shift registers - with the best transfer rate in the hertz range.
There are at least 10 billion communication lines running at least 1/10 billion seconds (about 3 years) that use at least 1 billion bits from the shift registers every second, which means that as of today, Sol's algorithm has been used at least an octillion times.
Is this the most commonly used algorithm? I think yes. I suspect that only arithmetic operations can compete. Processors these days are capable of performing a trillion arithmetic operations per second, and such operations are required for almost every bit generated by a computer. But how is arithmetic done? At some level, this is just a digital electronics implementation.
However, there are "algorithmic ideas" that remain incomprehensible to everyone except microprocessor designers. When Babbage was making his difference engine (see the article on Habré "Unraveling the story of Ada Lovelace (the first programmer in history)"), hyphens became a big hindrance in performing arithmetic operations (in fact, a shift register with linear feedback can be thought of as a system that does something like arithmetic but doesn't carry over). There are bearer propagation trees that optimize bearer. There are also little tweaks (like Booth's algorithm, Wallace trees, etc.) that reduce the number of bit operations required to create the internals of arithmetic. But, unlike linear feedback shift registers, there is simply no single algorithmic idea that can be used almost anywhere; therefore, I think that the longest sequences generated by linear feedback shift registers still wins out among the most used sequences.
Cellular automata and shift registers with nonlinear feedback
While this may not seem obvious at first glance, it turns out that there is a close relationship between closed-loop shift registers and cellular automata, which I have studied for many years. The basic organization for a feedback shift register is to compute one bit at a time. In a cellular automaton, there is one line of cells, and at each step, all cells are updated in parallel, based on a rule that depends, for example, on the values of their nearest neighbors.To see how they are related, we need to run the size feedback shift register n, and at the same time display its state only every n steps; in other words, let all bits be overwritten before reappearing. If each step of a linear feedback shift register (here - with two taps) is displayed, then at each step everything will shift to the left - and that's it. But if you make a compressed picture, showing only every n steps, a pattern will become visible.
This is a nested pattern; and this picture is very similar to the one that can be obtained if the cellular automaton takes a cell and its neighboring one and adds them modulo 2 (XOR). This is what happens to a cellular automaton if it arranges its cells so that they are in a circle of the same size as the shift register above:
In the beginning, cellular automata and shift register patterns turn out to be exactly the same. When you look at these pictures, it becomes less surprising that the mathematics of shift registers should have to do with cellular automata. And given the repetitiveness of nested patterns, it becomes clear why there should be an elegant mathematical theory of shift registers.
Typical shift registers used in practice do not have such overtly repetitive patterns. Here are some examples of shift registers that generate maximum-length sequences. The fact is that the branches are far apart, which makes it difficult to find visual traces of nesting.
How broad is the correspondence between shift registers and cellular automata? For cellular automata, the rules for generating new cell values can be anything you like. In linear feedback shift registers, they should always be modulo 2 addition (or XOR) based. This is what the "linear" portion of a "linear feedback shift register" means. It is also possible to use any rule for combining values for non-linear feedback shift registers (NFSR).
Indeed, when Saul developed his theory for linear feedback shift registers, he started with the nonlinear case. When he arrived at JPL in 1956, he received a laboratory complete with racks for small electronic modules. Saul said that the modules (each about the size of a cigarette pack) were built for the Bell Labs project to perform a certain logical operation (AND, OR, NOT, ...). Modules can be used together to implement any non-linear feedback shift registers desired, delivering about a million bits per second (Sol told me that someone tried to do the same with a general purpose computer, and what took 1 second when using hardware modules, required 6 weeks of work on a general-purpose computer).
When Saul began to study linear feedback shift registers, his first major discovery was the repetition periods. And in the case of nonlinear ones, he devoted most of his efforts to trying to understand the same thing. He collected all kinds of experimental data. He told me that he even tested sequences of length 245, which took a year. He made a summary like the picture below (note the visualization of the sequences shown on the waveform line). But he never came up with the general theory he had for linear feedback shift registers.
Unsurprisingly, he couldn't do it. Already in the 1950s, theoretical results appeared (in most cases based on the ideas of Turing's universal computation) on which programs, in principle, could do this. I don't think Sol or anyone else ever thought that very simple (non-linear) functions would be used in nonlinear feedback shift registers.
It was only later that it became clear how complex the behavior of even very simple programs can be. My favorite example is rule 30 for a cellular automaton, in which the values of neighboring cells are combined using a function that can be represented as R + q + r + q * r mod 2(or R XOR ( q OR r)). Incredibly, Saul considered non-linear feedback shift registers based on similar functions: R + G + s + q * r + q * s + r * s mod 2... Here, below, are illustrations of how the Sol function (which can be thought of as "rule 29070"), rule 30, and several other similar rules look in the shift register:
And here they, not limited to a fixed-size register, are like cellular automata:
Of course, Saul never made pictures like this (and that was almost impossible to do in the 1950s). Instead, he focused on the repetition period as a kind of cumulative characteristic.
Saul wondered if nonlinear feedback shift registers could be sources of chaos. From what is known today about cellular automata, it is clear that they can. For example, we used the 30 cellular automata rule to create randomness in Mathematica for 25 years (although we recently abandoned it in favor of a more efficient rule that we found after studying trillions of possibilities).
Sol spoke little about encryption; although I think he did not work for the government for long. He told me that although in 1959 he discovered " multidimensional correlation attacks on nonlinear sequences"while he is" carefully avoided claims that the program was for cryptanalysis The point is that rule 30 for cellular automata (and possibly also nonlinear feedback shift registers) can be good cryptosystems - albeit because they seem to be equivalent to linear feedback shift registers (which are not so), they were never used as much as possible.
As an enthusiast, over the past several decades I have tried to study all the predecessors of my work on one-dimensional cellular automata. Two-dimensional cellular automata have been little studied, but in the case of one-dimensional automata, only one purely theoretical work was found. I think Solomon Golomb's nonlinear feedback shift registers came closest to what I ended up doing a quarter century later of anything I've seen.
Poliomino
Hearing the name " Golomb ", many will remember about shift registers. However, most will remember about polyomino... Sol did not invent poliomino, although he did come up with the name. He made systematic what previously appeared only in separate puzzles.The main question that Sol was interested in answering was how sets of poliominoes could be organized to cover a certain area. Sometimes it's pretty obvious, and sometimes it's quite difficult. Saul published his first article on polyomino in 1954, but Martin Gardner made it really popular in 1957 (he wrote a column on mathematical games in the journal Scientific american). As Saul explained in the introduction to his 1964 book, the result was " a constant stream of correspondents from all over the world and from all walks of life: chairmen of the board of directors of leading universities, residents of unknown monasteries, prisoners from famous prisons ...".
Game companies also took notice of new puzzles, and within a few months headlines like " new sensational puzzles"followed by decades of other polyomino-based puzzles and games (no, the sinister bald guy doesn't look like Saul):
Saul published articles on poliomino for another 50 years after the first publication. In 1961 he introduced "rep-tiles", which can be used to create fractal ("Infin-tile") patterns. But almost everything Sol did with poliomino involved solving specific problems.
I'm not really interested in the specifics of polyomino; I am interested in more general phenomena related to them. It seems that deciding whether it is possible to "pave" the entire plane with a few simple shapes is easy. But in the case of poliominoes (as well as all games and puzzles based on them), it becomes clear that things are not so simple. Indeed, in the 1960s it was proved that this problem is theoretically unsolvable.
If we are only interested in a limited area, then, in principle, we can simply list all the conceivable arrangements of the figures, and then see if they are located as it should. However, if we are interested in infinity, then this can not be done. Maybe someone will find a way to successfully place a million pieces, but there is no guarantee that this result can be extended further.
It turns out that it might look like a working Turing machine - or a cellular automaton. You start with a line of tiles. Then the question of whether infinite tiling is possible is equivalent to the question of whether a setting is possible for a Turing machine that will allow it to go on. The point is that if a Turing machine is universal (that is, it can be programmed to perform any possible computation), then the halting problem for it may be unsolvable, which means that the tiling problem will also be unsolvable.
Of course, this depends on the original set of forms. The question is how complex the forms must be in order to encode general-purpose computation and lead to the unsolvable tiling problem. Solomon Golomb knew about the literature on this topic, but was not particularly interested in it.
It is known that complex and elaborate sets of polyominoes actually support general-purpose computation. But what about a simple set? Is it simple enough to accidentally stumble upon it? If you look at all those systems that I have studied, then the simplest set really turns out to be simple. However, it is difficult to find it.
A much simpler task is to find polyominoes that successfully fill the planes, albeit only non-periodically. Roger Penrose found a suitable example in 1994. In my book A new kind of science I gave a slightly simpler example with 3 polyominoes:
The rest of the story
Saul was in his early thirties when he achieved notable success in the field of shift registers and polyomino ... He was a very active person. He wrote several hundred articles, some of which expanded on his earlier work, some were answers to questions that were asked to him, and some were written, it seems, just for fun - to find out interesting things about numbers, sequences, cryptosystems, etc. etc.Shift registers and polyomino are voluminous topics (they are even brought into separate categories in the AMS classification). In recent decades, they both received a new round of development, when they began to carry out computer experiments on their basis; Sol also took an active part in them. However, many questions remain unanswered. And if large Hadamard matrices can be found for shift registers with linear feedback, then even now little is known about shift registers with nonlinear feedback, not to mention all non-periodic and other exotic polyominoes.
Sol has always been interested in puzzles, both mathematical and word puzzles. For a while he ran a column of puzzles for Los Angeles Times, and for 32 years wrote " Golomb gambits to Johns Hopkins Alumni Magazine. He took part in the MegaIQ testing and won a trip to the White House when he and his boss were ranked in the top five in the country.
He invested tremendous efforts in his work at the university: not only taught students and supervised graduate students and climbed the administrative ladder (president of the university council, vice-vice-rector for research, etc.), but also expressed his opinion on the management of the university as a whole (for example, wrote an article entitled “Faculty Consulting: Remove or Keep?” Answer: No, this is good for the university!). He worked as a headhunter at the University of Southern California, and during his time there he helped the university rise from obscurity to the top of the rankings of educational programs.
And then there was consulting. Saul was meticulous and did not disclose what he did for government agencies. In the late 1960s, frustrated that everyone but him was selling polyomino games, Saul founded a company he called Recreational Technology, Inc. Things weren't going well, but Saul met Alvin Berlekamp, a Berkeley professor with a passion for coding theories and puzzles. Subsequently, they founded the Cyclotomics company (in honor of cyclotomic polynomials of the form x n- 1), which was eventually sold to Kodak for a lump sum (Berlekamp also created an algorithmic trading system, which he then sold to Jim Simons and which became the starting point for Renaissance Technologies - one of the largest hedge funds today).
More than 10,000 patents in one way or another are related to the work of Sol, but Sol himself received only one patent to cryptosystems based on quasigroups - and I think he did little to commercialize his work.
Sol worked for many years with the Technion, the Israel Institute of Technology. He spoke of himself as " non-religious Orthodox Jew", but at the same time sometimes led seminars for beginners on the Book of Genesis, and also worked on deciphering parts of the Dead Sea Scrolls (Qumran manuscripts).
Sol and his wife traveled extensively, but Sol's "center of the world" was definitely his Los Angeles office at the University of Southern California, and the home he and his wife lived in for nearly 60 years. He was always surrounded by friends and students. And he had a family. His daughter Astrid played the role of a student in the play about Richard Feynman (she posed for him), and in the novel of my friend as one of the characters. Beatrice has devoted her career to applying mathematical precision to various types of medical indications and diagnostics (Gulf War related diseases, statin effects, hiccups, etc.). I even made a small contribution to Beatrice's life by introducing her to the man who later became her husband - Terry Seinovski, one of the founders of modern computational neuroscience.
Sol seemed to be involved in a lot of events, even if he did not elaborate on the details too much. From time to time I wanted to talk to him about science and mathematics, but he was more interested in telling stories (often very exciting) about both individuals and organizations (" Can you believe that [in 1985], after years of absence from conferences, Claude Shannon simply showed up unannounced in a bar at the annual conference on information theory?"; "do you know how much they had to pay the head of the California Institute of Technology to get him to go to Saudi Arabia?", etc.).
Looking back, I realize that I would like to interest Saul in solving some of the mathematical questions raised in my work. I don't think I understood to what extent he liked to solve problems suggested by other people. Despite his significant contribution to the development of the infrastructure of the computing world, Sol himself never seriously used computers. He was very proud that he could do calculations in his head with ease. Until the age of 70, he did not use e-mail and never used a computer at home, although he had a mobile phone (he almost never received regular e-mail. I mentioned once that about a year ago I was studying the story of Ada Lovelace; he replied: " Ada Lovelace's story as Babbage's programmer is so widespread that everyone seems to take it for granted, however I have never seen sources on the subject.").
Sol's daughters organized a party for his 80th birthday a few years ago and created these interesting invitations:
Saul had certain health problems, although this did not seem to affect his rhythm of life very much. His wife's health has been deteriorating, and quite dramatically in the past few weeks. On Friday Sol went to his office as usual, and on Saturday night he died in his sleep. His wife Bo survived him by just two weeks and died just two days before their 60th wedding anniversary.
Although Saul is gone, his work lives on in an octillionic bit in the digital world.
Goodbye Sol. And from all of us - thank you.
Shift register sequences are used in both cryptography and coding theory. Their theory is well developed, stream ciphers based on shift registers were the workhorse of military cryptography long before the advent of electronics.
The feedback shift register (hereinafter referred to as РгСсОС) consists of two parts: a shift register and a feedback function. The shift register is a sequence of bits. The number of bits is determined shift register length, if the length is n bits, then the register is called n-bit shift register... Whenever a bit needs to be extracted, all the bits of the shift register are shifted to the right by 1 position. The new leftmost bit is a function of all other register bits. The output of the shift register is one, usually least significant, bit. Shift register period is the length of the resulting sequence before the start of its repetition.
Figure 1. Feedback shift register
Shift registers found use very quickly in stream ciphers, as they were easily implemented using digital hardware. In 1965, Ernst Selmer, the chief cryptographer of the Norwegian government, developed a theory of shift register sequences. Solomon Golomb, an NSA mathematician, wrote a book outlining some of his results and those of Selmer. The simplest type of shift register with feedback is a linear feedback shift register (hereinafter LFSR or PrCCLOC). The feedback of such registers is simply XOR (modulo two addition) of some of the register bits, the list of these bits is called a tap sequence. This register is sometimes called the Fibbonacci configuration. Due to the simplicity of the feedback sequence, a fairly well-developed mathematical theory can be used for the analysis of PrCcVOC. By analyzing the resulting output sequences, you can verify that these sequences are random enough to be safe. PrCcLOC is the most commonly used shift register in cryptography.
Figure 2. Fibbonacci PrCcLOC
In general, an n-bit PrCcLOC can be in one of N = 2 n -1 internal states. This means that, theoretically, such a register can generate a pseudo-random sequence with a period of T = 2 n -1 bits. (The number of internal states and the period are equal to N = T max = 2 n -1, because filling PrCcLOC with zeros will cause the shift register to produce an infinite sequence of zeros, which is absolutely useless). Only for certain tap-off sequences, PrCcLOC will cyclically pass through all 2 n -1 internal states, such PrCcLOC are PrCcLOC with a maximum period... The resulting result is called M-sequence.
Example ... The figure below shows a 4-bit PrCCLOC tapped from the first and fourth bits. If it is initialized with the value 1111, then before repetition the register will assume the following internal states:
 Shift clock number (internal state) |
Register status |
Output bit |
|||
|
Initial value |
|||||
|
15 (return to initial state) |
|||||
|
16 (repeat states) |
The output sequence will be a string of least significant bits: 1 1 1 1 0 1 0 1 1 0 0 1 0 0 0 with a period of T = 15, the total number of possible internal states (except for zero), N = 2 4 -1 = 16-1 = 15 = T max, hence the output sequence is an M-sequence.
In order for a particular PrCcLOC to have a maximum period, the polynomial formed from the branch sequence and the constant 1 must be primitive modulo 2. The polynomial is represented as a sum of degrees, for example, a polynomial of degree n is represented as follows:
a n x n + a n-1 x n-1 +… + a 1 x 1 + a 0 x 0 = a n x n + a n-1 x n-1 +… + a 1 x + a 0 where a i = (0,1) for i = 1… n, a x i - indicates the digit.
The degree of the polynomial is the length of the shift register. A primitive polynomial of degree n is an irreducible polynomial that divides x 2n? 1 +1, but is not a divisor of x d +1 for all d that are divisors of 2 n -1. The corresponding mathematical theory can be found in.
In general, there is no easy way to generate primitive polynomials of a given degree modulo 2. The easiest way is to choose a polynomial at random and check if it is primitive. This is not easy and is a bit like checking if a randomly selected number is simple - but many mathematical software packages are able to solve this problem.
Some, but certainly not all, polynomials of various degrees, primitive mod 2, are given below. For example, the entry
(32, 7, 5, 3, 2, 1, 0) means that the following polynomial is primitive mod 2: x 32 + x 7 + x 5 + x 3 + x 2 + x + 1.
This can be easily generalized for a PrCCLOC with a maximum period. The first number is the length of PrCcLOC. The last number is always 0 and can be omitted. All numbers, except 0, define the finger sequence, counted from the left edge of the shift register. That is, members of a polynomial with a lower degree correspond to positions closer to the right edge of the register.
Continuing with the example, writing (32, 7, 5, 3, 2, 1, 0) means that for the taken 32-bit shift register, a new bit, a new bit is generated by XORing the thirty-second, seventh, fifth, third, second and first bits. , the resulting PrCcLOC will have a maximum length, cycling through 2 32 -1 values until it repeats.
Figure 4. 32-bit PrCcLOC with maximum length
Let us consider the program code PgCCLOC, in which the branch sequence is characterized by the polynomial (32, 7, 5, 3, 2, 1, 0). In C language it looks like this:
static unsigned long ShiftRegister = 1;
/ * Everything except 0. * /
ShiftRegister = ((((ShiftRegister >> 31)
^ (ShiftRegister >> 6)
^ (ShiftRegister >> 4)
^ (ShiftRegister >> 2)
^ (ShiftRegister >> 1)
^ ShiftRegister))
| (ShiftRegister >> 1);
return ShiftRegister & 0x00000001;)
If the shift register is longer than a computer word, the code becomes more complex, but not much. Appendix B contains a table of some primitive polynomials modulo 2, we will use it in the future to identify some of the properties of these polynomials, as well as in the software implementation to define the branch sequence.
Please note that all elements of the table have an odd number of coefficients. Such a long table is provided for further work with PrCcLOC, since PrCcLOC is often used for cryptography with stream ciphers and in pseudo-random number generators. In our case, you can use polynomials with the highest degree of at most seven.
If p (x) is primitive, then x n p (1 / x) is also primitive, so each element of the table actually defines two primitive polynomials. For example, if (a, b, 0) is primitive, then so is (a, a-b, 0). If it is primitive (a, b, c, d, 0), then it is also primitive (a, a-d, a-c, a-b, 0). Mathematically:
if x a + x b +1 is primitive, then x a + x a-b +1 is also primitive,
if x a + x b + x c + x d +1 is primitive, then x a + x a-d + x a-c + x a-b +1. Primitive trinomials are implemented most quickly in software, since only two bits of the shift register need to be XORed to generate a new bit (the zero term is not taken into account, i.e. x 0 = 1, see the example above). Indeed, all the feedback polynomials shown in the table are sparse, that is, they have few coefficients. Sparseness is always a source of weakness, which is sometimes enough to crack an algorithm. For cryptographic algorithms, it is much better to use dense primitive polynomials, those with many coefficients. By using dense polynomials, especially as part of the key, much shorter PsCLOCs can be used.
Generating dense primitive polynomials mod 2 is not easy. In general, to generate primitive polynomials of degree k, you need to know the factorization of 2 k -1.
By themselves, PrCcLOCs are good pseudo-random sequence generators, but they have some undesirable non-random (deterministic) properties. Consecutive bits are linear, making them useless for encryption. For a PrCLOC of length n, the internal state is the previous n output bits of the generator. Even if the feedback scheme is kept secret, it can be determined from the 2n output bits of the generator using the highly efficient Berlekamp-Massey algorithm.
In addition, the large random numbers generated using the consecutive bits of this sequence are highly correlated and, for some types of applications, are not random at all. Despite this, PgCsLOCs are often used to create encryption algorithms as components of encryption systems and algorithms.
Feedback shift register consists of two parts: shift register and feedback functions.
Figure 19. Feedback shift register.
In general, a shift register is a sequence of some elements of a ring or field. Most commonly used bit shift registers. The length of such a register is expressed in the number of bits. Each time a bit is retrieved, all bits of the register are shifted right one position. The new most significant bit is calculated as a function of all other register bits. The output is usually the least significant bit. The period of the shift register is the length of the output sequence before the start of its repetition.
The simplest type of shift registers is a linear feedback shift register (RSLOS or LRS). Feedback is a simple XOR operation on some register bits. The list of these bits is defined characteristic polynomial and called sequence of bends... This scheme is sometimes called Fibonacci configuration.
Fig. 20. RLOS Fibonacci configuration.
In the software implementation of RSLOS, a modified scheme is used: to generate a new significant bit, instead of using the bits of the tap sequence, an XOR operation is performed on each bit of it with the generator output, replacing the old bit of the tap sequence. This modification is sometimes called Galois configuration.
Fig. 21. RSLOS Galois configuration.
n-bit RSLOS can be in one of 2 n- 1 internal states. This means that, in theory, such a register can generate a pseudo-random sequence with a period of 2 n- 1 bits (padding with zeros is completely useless). Pass all 2 n- 1 internal states only possible with certain taps sequences. Such registers are called RSLOS with a maximum period. To ensure the maximum period of the RSLOS, it is necessary that its characteristic polynomial be primitive modulo 2. The degree of the polynomial is the length of the shift register. Primitive polynomial of degree n- it's such irreducible a polynomial that is a divisor but not a divisor x d+ 1 for all d that are divisors of 2 n- 1. (When discussing polynomials, the term Prime number is replaced by the term irreducible polynomial). The characteristic polynomial given in the figures of the RSLOS:
x 32 + x 7 + x 5 + x 3 + x 2 + x + 1
is primitive modulo 2. The period of such a register will be maximum, cycling through all 2 32 - 1 values until they are repeated. The most commonly used are thinned polynomials, i.e. which only have some coefficients. the most popular are trinomials.
An important parameter of the generator based on RSLOS is linear complexity... It is defined as the length n the shortest RSLO that can simulate the generator output. Linear complexity is important because with a simple Berlenkamp-Massey algorithm you can recreate such an RSLOS by checking only 2 n gamma bits. With the determination of the desired RSLOS, the stream cipher is actually broken.
In addition to RSLOS, shift registers with nonlinear feedback, carry feedback, etc. are also used.
A number of generators have been developed on the basis of a number-theoretic approach (Bloom-Micali generators, RSA, BBS, compressive, additive generators, etc.).
The software for the synthesis of stream cryptographic algorithms has been developed in more detail and in comparison with block cryptoalgorithms. Nevertheless, to create stream ciphers, block cryptoalgorithms are often used in OFB or CFB modes.
Scanning Atomic Force Microscope The laboratory report should include
Selection of racks of overhead contact network supports
Design and calculation of AC catenary
Development of microprocessor systems Stages of design of microprocessor systems
Microcontrollers of the mcs51 family