Linear-feedback shift register

In , a linear-feedback shift register (LFSR) is a whose input bit is a of its previous state.

The most commonly used linear function of single bits is (XOR). Thus, an LFSR is most often a shift register whose input bit is driven by the XOR of some bits of the overall shift register value.

The initial value of the LFSR is called the seed, and because the operation of the register is deterministic, the stream of values produced by the register is completely determined by its current (or previous) state. Likewise, because the register has a finite number of possible states, it must eventually enter a repeating cycle. However, an LFSR with a can produce a sequence of bits that appears random and has a .

Applications of LFSRs include generating , , fast digital counters, and . Both hardware and software implementations of LFSRs are common.

The mathematics of a cyclic redundancy check, used to provide a quick check against transmission errors, are closely related to those of an LFSR.

1 Fibonacci LFSRs
2 Galois LFSRs
- 2.1 Non-binary Galois LFSR
3 Some polynomials for maximal LFSRs
4 Output-stream properties
5 Applications
6 Source
7 See Also on BitcoinWiki

Fibonacci LFSRs

The bit positions that affect the next state are called the taps. In the diagram the taps are [16,14,13,11]. The rightmost bit of the LFSR is called the output bit. The taps are XOR’d sequentially with the output bit and then fed back into the leftmost bit. The sequence of bits in the rightmost position is called the output stream.

The bits in the LFSR state that influence the input are called taps.
A maximum-length LFSR produces an (i.e., it cycles through all possible 2ⁿ − 1 states within the shift register except the state where all bits are zero), unless it contains all zeros, in which case it will never change.
As an alternative to the XOR-based feedback in an LFSR, one can also use . This function is an , not strictly a , but it results in an equivalent polynomial counter whose state is the complement of the state of an LFSR. A state with all ones is illegal when using an XNOR feedback, in the same way as a state with all zeroes is illegal when using XOR. This state is considered illegal because the counter would remain “locked-up” in this state.

The sequence of numbers generated by an LFSR or its XNOR counterpart can be considered a just as valid as or the natural binary code.

The arrangement of taps for feedback in an LFSR can be expressed in as a 2. This means that the coefficients of the polynomial must be 1s or 0s. This is called the feedback polynomial or reciprocal characteristic polynomial. For example, if the taps are at the 16th, 14th, 13th and 11th bits (as shown), the feedback polynomial is

x^{16} + x^{14} + x^{13} + x^{11} + 1.

The “one” in the polynomial does not correspond to a tap – it corresponds to the input to the first bit (i.e. x⁰, which is equivalent to 1). The powers of the terms represent the tapped bits, counting from the left. The first and last bits are always connected as an input and output tap respectively.

The LFSR is maximal-length if and only if the corresponding feedback polynomial is . This means that the following conditions are necessary (but not sufficient):

The number of taps is .
The set of taps is ; i.e., there must be no divisor other than 1 common to all taps.

Tables of primitive polynomials from which maximum-length LFSRs can be constructed are given below and in the references.

There can be more than one maximum-length tap sequence for a given LFSR length. Also, once one maximum-length tap sequence has been found, another automatically follows. If the tap sequence in an n-bit LFSR is , where the 0 corresponds to the x⁰ = 1 term, then the corresponding “mirror” sequence is . So the tap sequence has as its counterpart . Both give a maximum-length sequence.

An example in is below:

# include <stdint.h>  int main(void) {  uint16_t start_state = 0xACE1u; /* Any nonzero start state will work. */  uint16_t lfsr = start_state;  uint16_t bit; /* Must be 16bit to allow bit<<15 later in the code */  unsigned period = 0;   do  {  /* taps: 16 14 13 11; feedback polynomial: x^16 + x^14 + x^13 + x^11 + 1 */  bit = ((lfsr >> 0) ^ (lfsr >> 2) ^ (lfsr >> 3) ^ (lfsr >> 5) ) & 1;  lfsr = (lfsr >> 1) | (bit << 15);  ++period;  } while (lfsr != start_state);   return 0; }

This LFSR configuration is also known as standard, many-to-one or external XOR gates. The alternative Galois configuration is described in the next section.

Galois LFSRs

Named after the French mathematician , an LFSR in Galois configuration, which is also known as modular, internal XORs, or one-to-many LFSR, is an alternate structure that can generate the same output stream as a conventional LFSR (but offset in time). In the Galois configuration, when the system is clocked, bits that are not taps are shifted one position to the right unchanged. The taps, on the other hand, are XORed with the output bit before they are stored in the next position. The new output bit is the next input bit. The effect of this is that when the output bit is zero, all the bits in the register shift to the right unchanged, and the input bit becomes zero. When the output bit is one, the bits in the tap positions all flip (if they are 0, they become 1, and if they are 1, they become 0), and then the entire register is shifted to the right and the input bit becomes 1.

To generate the same output stream, the order of the taps is the counterpart (see above) of the order for the conventional LFSR, otherwise the stream will be in reverse. Note that the internal state of the LFSR is not necessarily the same. The Galois register shown has the same output stream as the Fibonacci register in the first section. A time offset exists between the streams, so a different startpoint will be needed to get the same output each cycle.

Galois LFSRs do not concatenate every tap to produce the new input (the XORing is done within the LFSR, and no XOR gates are run in serial, therefore the propagation times are reduced to that of one XOR rather than a whole chain), thus it is possible for each tap to be computed in parallel, increasing the speed of execution.
In a software implementation of an LFSR, the Galois form is more efficient, as the XOR operations can be implemented a word at a time: only the output bit must be examined individually.

Below is a code example for the 16-bit maximal-period Galois LFSR example in the figure:

# include <stdint.h> int main(void) {  uint16_t start_state = 0xACE1u; /* Any nonzero start state will work. */  uint16_t lfsr = start_state;  unsigned period = 0;   do {  unsigned lsb = lfsr & 1; /* Get LSB (i.e., the output bit). */  lfsr >>= 1; /* Shift register */  if (lsb) /* If the output bit is 1, apply toggle mask. */  lfsr ^= 0xB400u;  ++period;  } while (lfsr != start_state);   return 0; }

Note that

 if (lsb)  lfsr ^= 0xB400u;

can also be written as

 lfsr ^= (-lsb) & 0xB400u;

which may produce more efficient code on some compilers.

Non-binary Galois LFSR

Binary Galois LFSRs like the ones shown above can be generalized to any q-ary alphabet {0, 1, …, q − 1} (e.g., for binary, q = 2, and the alphabet is simply {0, 1}). In this case, the exclusive-or component is generalized to addition –q (note that XOR is addition modulo 2), and the feedback bit (output bit) is multiplied (modulo-q) by a q-ary value, which is constant for each specific tap point. Note that this is also a generalization of the binary case, where the feedback is multiplied by either 0 (no feedback, i.e., no tap) or 1 (feedback is present). Given an appropriate tap configuration, such LFSRs can be used to generate for arbitrary prime values of q.

Some polynomials for maximal LFSRs

The following table lists maximal-length polynomials for shift-register lengths up to 19. Note that more than one maximal-length polynomial may exist for any given shift-register length. A list of alternative maximal-length polynomials for shift-register lengths 4–32 (beyond which it becomes unfeasible to store or transfer them) can be found here: http://www.ece.cmu.edu/~koopman/lfsr/index.html.

Bits	Feedback polynomial	Period
n		$2^n - 1$
2	$x^2 + x + 1$	3
3	$x^3 + x^2 + 1$	7
4	$x^4 + x^3 + 1$	15
5	$x^{ 5 }+x^{ 3 }+1$	31
6	$x^{ 6 }+x^{ 5 }+1$	63
7	$x^{ 7 }+x^{ 6 }+1$	127
8	$x^{ 8 }+x^{ 6 }+x^{ 5 }+x^{ 4 }+1$	255
9	$x^{ 9 }+x^{ 5 }+1$	511
10	$x^{ 10 }+x^{ 7 }+1$	1023
11	$x^{ 11 }+x^{ 9 }+1$	2047
12	$x^{ 12 }+x^{ 11 }+x^{ 10 }+x^{ 4 }+1$	4095
13	$x^{ 13 }+x^{ 12 }+x^{ 11 }+x^{ 8 }+1$	8191
14	$x^{ 14 }+x^{ 13 }+x^{ 12 }+x^{ 2 }+1$	16383
15	$x^{ 15 }+x^{ 14 }+1$	32767
16	$x^{ 16 }+x^{ 15 }+x^{ 13 }+x^{ 4 }+1$	65535
17	$x^{ 17 }+x^{ 14 }+1$	131071
18	$x^{ 18 }+x^{ 11 }+1$	262143
19	$x^{ 19 }+x^{ 18 }+x^{ 17 }+x^{ 14 }+1$	524287
20–168	[1]
2–786, 1024, 2048, 4096	[2]

Output-stream properties

Ones and zeroes occur in “runs”. The output stream 1110010, for example, consists of four runs of lengths 3, 2, 1, 1, in order. In one period of a maximal LFSR, 2ⁿ⁻¹ runs occur (for example, a six-bit LFSR has 32 runs). Exactly half of these runs are one bit long, a quarter are two bits long, up to a single run of zeroes n − 1 bits long, and a single run of ones n bits long. This distribution almost equals the statistical for a truly random sequence. However, the probability of finding exactly this distribution in a sample of a truly random sequence is rather low.
LFSR output streams are . If the present state and the positions of the XOR gates in the LFSR are known, the next state can be predicted. This is not possible with truly random events. With maximal-length LFSRs, it is much easier to compute the next state, as there are only an easily limited number of them for each length.
The output stream is reversible; an LFSR with mirrored taps will cycle through the output sequence in reverse order.
The value consisting of all zeros cannot appear. Thus an LFSR of length n cannot be used to generate all 2ⁿ values.

Applications

LFSRs can be implemented in hardware, and this makes them useful in applications that require very fast generation of a pseudo-random sequence, such as radio. LFSRs have also been used for generating an approximation of in various .

Uses as counters

The repeating sequence of states of an LFSR allows it to be used as a or as a counter when a non-binary sequence is acceptable, as is often the case where computer index or framing locations need to be machine-readable.

Irregular clocking of the LFSR, as in the .

Important LFSR-based stream ciphers include and , used in cell phones, , used in , and the . The A5/2 cipher has been broken and both A5/1 and E0 have serious weaknesses.

The linear feedback shift register has a strong relationship to .

Uses in circuit testing

LFSRs are used in circuit testing for test-pattern generation (for exhaustive testing, pseudo-random testing or pseudo-exhaustive testing) and for signature analysis.

Test-pattern generation

Complete LFSR are commonly used as pattern generators for exhaustive testing, since they cover all possible inputs for an n-input circuit. Maximal-length LFSRs and weighted LFSRs are widely used as pseudo-random test-pattern generators for pseudo-random test applications.

Signature analysis

In (BIST) techniques, storing all the circuit outputs on chip is not possible, but the circuit output can be compressed to form a signature that will later be compared to the golden signature (of the good circuit) to detect faults. Since this compression is lossy, there is always a possibility that a faulty output also generates the same signature as the golden signature and the faults cannot be detected. This condition is called error masking or aliasing. BIST is accomplished with a multiple-input signature register (MISR or MSR), which is a type of LFSR. A standard LFSR has a single XOR or XNOR gate, where the input of the gate is connected to several “taps” and the output is connected to the input of the first flip-flop. A MISR has the same structure, but the input to every flip-flop is fed through an XOR/XNOR gate. For example, a 4-bit MISR has a 4-bit parallel output and a 4-bit parallel input. The input of the first flip-flop is XOR/XNORd with parallel input bit zero and the “taps”. Every other flip-flop input is XOR/XNORd with the preceding flip-flop output and the corresponding parallel input bit. Consequently, the next state of the MISR depends on the last several states opposed to just the current state. Therefore, a MISR will always generate the same golden signature given that the input sequence is the same every time.

Uses in digital broadcasting and communications

Scrambling

To prevent short repeating sequences (e.g., runs of 0s or 1s) from forming spectral lines that may complicate symbol tracking at the receiver or interfere with other transmissions, the data bit sequence is combined with the output of a linear-feedback register before modulation and transmission. This scrambling is removed at the receiver after demodulation. When the LFSR runs at the same as the transmitted symbol stream, this technique is referred to as . When the LFSR runs considerably faster than the symbol stream, the LFSR-generated bit sequence is called chipping code. The chipping code is combined with the data using before transmitting using or a similar modulation method. The resulting signal has a higher bandwidth than the data, and therefore this is a method of communication. When used only for the spread-spectrum property, this technique is called ; when used to distinguish several signals transmitted in the same channel at the same time and frequency, it is called .

Neither scheme should be confused with or ; scrambling and spreading with LFSRs do not protect the information from eavesdropping. They are instead used to produce equivalent streams that possess convenient engineering properties to allow robust and efficient modulation and demodulation.

Digital broadcasting systems that use linear-feedback registers:

(digital TV transmission system – North America)
( system – for radio)
(digital TV transmission system – Europe, Australia, parts of Asia)
(digital audio system for television)

Other digital communications systems using LFSRs:

INTELSAT business service (IBS)
Intermediate data rate (IDR)
(Serial Digital Interface transmission)
Data transfer over (according to the V-series recommendations)
(Code Division Multiple Access) cellular telephony
scrambles bits using an LFSR
, the most common form of Gigabit Ethernet, scrambles bits using an LFSR
3.0
(SAS/SPL)
scrambles bits using an LFSR
Link Layer is making use of LFSR (referred to as whitening)
such as and . All current systems use LFSR outputs to generate some or all of their ranging codes (as the chipping code for CDMA or DSSS) or to modulate the carrier without data (like GPS L2 CL ranging code). GLONASS also uses combined with DSSS.

Other uses

LFSRs are also used in systems to generate pseudo-random noise to raise the noise floor of a target communication system.

The German time signal , in addition to amplitude keying, employs driven by a 9-stage LFSR to increase the accuracy of received time and the robustness of the data stream in the presence of noise.

Source

http://wikipedia.org/