From Wikipedia, the free encyclopedia - View original article

"LFSR" redirects here. For the airport using that ICAO code, see Reims – Champagne Air Base.

This article needs additional citations for verification. (March 2009) |

This article includes a list of references, but its sources remain unclear because it has insufficient inline citations. (April 2009) |

In computing, a **linear-feedback shift register** (LFSR) is a shift register whose input bit is a linear function of its previous state.

The most commonly used linear function of single bits is XOR. Thus, an LFSR is most often a shift register whose input bit is driven by the exclusive-or (XOR) of some bits of the overall shift register value.

The initial value of the LFSR is called the seed, and because the operation of the register is deterministic, the stream of values produced by the register is completely determined by its current (or previous) state. Likewise, because the register has a finite number of possible states, it must eventually enter a repeating cycle. However, an LFSR with a well-chosen feedback function can produce a sequence of bits which appears random and which has a very long cycle.

Applications of LFSRs include generating pseudo-random numbers, pseudo-noise sequences, fast digital counters, and whitening sequences. Both hardware and software implementations of LFSRs are common.

The mathematics of a cyclic redundancy check, used to provide a quick check against transmission errors, are closely related to those of an LFSR.

The bit positions that affect the next state are called the taps. In the diagram the taps are [16,14,13,11]. The rightmost bit of the LFSR is called the output bit. The taps are XOR'd sequentially with the output bit and then fed back into the leftmost bit. The sequence of bits in the rightmost position is called the output stream.

- The bits in the LFSR state which influence the input are called
*taps*(white in the diagram). - A maximum-length LFSR produces an m-sequence (i.e. it cycles through all possible 2
^{n}− 1 states within the shift register except the state where all bits are zero), unless it contains all zeros, in which case it will never change. - As an alternative to the XOR based feedback in an LFSR, one can also use XNOR.
^{[1]}This function is an affine map, not strictly a linear map, but it results in an equivalent polynomial counter whose state of this counter is the complement of the state of an LFSR. A state with all ones is illegal when using an XNOR feedback, in the same way as a state with all zeroes is illegal when using XOR. This state is considered illegal because the counter would remain "locked-up" in this state.

The sequence of numbers generated by an LFSR or its XNOR counterpart can be considered a binary numeral system just as valid as Gray code or the natural binary code.

The arrangement of taps for feedback in an LFSR can be expressed in finite field arithmetic as a polynomial mod 2. This means that the coefficients of the polynomial must be 1's or 0's. This is called the feedback polynomial or reciprocal characteristic polynomial. For example, if the taps are at the 16th, 14th, 13th and 11th bits (as shown), the feedback polynomial is

The 'one' in the polynomial does not correspond to a tap — it corresponds to the input to the first bit (i.e. *x ^{0}*, which is equivalent to 1). The powers of the terms represent the tapped bits, counting from the left. The first and last bits are always connected as an input and output tap respectively.

Tables of primitive polynomials from which maximum-length LFSRs can be constructed are given below and in the references.

- The LFSR can be maximal-length only if the number of taps is even.
- The set of taps — taken all together,
*not*pairwise (i.e. as pairs of elements) — must be relatively prime. In other words, there must be no common divisor to all taps. - There can be more than one maximum-length tap sequence for a given LFSR length
- Once one maximum-length tap sequence has been found, another automatically follows. If the tap sequence, in an
*n*-bit LFSR, is [*n*,*A*,*B*,*C*, 0], where the 0 corresponds to the*x*^{0}= 1 term, then the corresponding 'mirror' sequence is [*n*,*n*−*C*,*n*−*B*,*n*−*A*, 0]. So the tap sequence [32, 7, 3, 2, 0] has as its counterpart [32, 30, 29, 25, 0]. Both give a maximum-length sequence.

Some example C code is below:

# include <stdint.h> int main(void) { uint16_t lfsr = 0xACE1u; unsigned bit; unsigned period = 0; do { /* taps: 16 14 13 11; feedback polynomial: x^16 + x^14 + x^13 + x^11 + 1 */ bit = ((lfsr >> 0) ^ (lfsr >> 2) ^ (lfsr >> 3) ^ (lfsr >> 5) ) & 1; lfsr = (lfsr >> 1) | (bit << 15); ++period; } while(lfsr != 0xACE1u); return 0; }

The above code assumes the most significant bit of `lfsr`

is bit 1, and the least significant bit is bit 16.

As well as *Fibonacci*, this LFSR configuration is also known as **standard**, **many-to-one** or **external XOR gates**. LFSR has an alternative configuration.

Named after the French mathematician Évariste Galois, an LFSR in Galois configuration, which is also known as **modular**, **internal XORs** as well as **one-to-many LFSR**, is an alternate structure that can generate the same output stream as a conventional LFSR (but offset in time).^{[2]} In the Galois configuration, when the system is clocked, bits that are not taps are shifted one position to the right unchanged. The taps, on the other hand, are XOR'd with the output bit before they are stored in the next position. The new output bit is the next input bit. The effect of this is that when the output bit is zero all the bits in the register shift to the right unchanged, and the input bit becomes zero. When the output bit is one, the bits in the tap positions all flip (if they are 0, they become 1, and if they are 1, they become 0), and then the entire register is shifted to the right and the input bit becomes 1.

To generate the same output stream, the order of the taps is the *counterpart* (see above) of the order for the conventional LFSR, otherwise the stream will be in reverse. Note that the internal state of the LFSR is not necessarily the same. The Galois register shown has the same output stream as the Fibonacci register in the first section. A time offset exists between the streams, so a different startpoint will be needed to get the same output each cycle.

- Galois LFSRs do not concatenate every tap to produce the new input (the XOR'ing is done within the LFSR and no XOR gates are run in serial, therefore the propagation times are reduced to that of one XOR rather than a whole chain), thus it is possible for each tap to be computed in parallel, increasing the speed of execution.
- In a software implementation of an LFSR, the Galois form is more efficient as the XOR operations can be implemented a word at a time: only the output bit must be examined individually.

Below is a code example of a 32-bit maximal period Galois LFSR that is valid in C:

# include <stdint.h> int main(void) { uint32_t lfsr = 1; unsigned period = 0; do { /* taps: 32 31 29 1; feedback polynomial: x^32 + x^31 + x^29 + x + 1 */ lfsr = (lfsr >> 1) ^ (-(lfsr & 1u) & 0xD0000001u); ++period; } while(lfsr != 1u); return 0; }

And here is the code for the 16 bit example in the figure

# include <stdint.h> int main(void) { uint16_t lfsr = 0xACE1u; unsigned period = 0; do { /* taps: 16 14 13 11; feedback polynomial: x^16 + x^14 + x^13 + x^11 + 1 */ lfsr = (lfsr >> 1) ^ (-(lfsr & 1u) & 0xB400u); ++period; } while(lfsr != 0xACE1u); return 0; }

These code examples create a toggle mask to apply to the shifted value using the XOR operator. The mask is created by first removing all but the least significant bit (the output bit) of the current value. This value is then negated (two's complement negation), which creates a value of either all 0s or all 1s, if the output bit is 0 or 1, respectively. By ANDing the result with the tap-value (e.g., 0xB400 in the second example) before applying it as the toggle mask, it acts functionally as a conditional to either apply or not apply the toggle mask based on the output bit. A more explicit but significantly less efficient code example is shown below.

# include <stdint.h> int main(void) { uint16_t lfsr = 0xACE1u; unsigned period = 0; do { unsigned lsb = lfsr & 1; /* Get lsb (i.e., the output bit). */ lfsr >>= 1; /* Shift register */ if (lsb == 1) /* Only apply toggle mask if output bit is 1. */ lfsr ^= 0xB400u; /* Apply toggle mask, value has 1 at bits corresponding * to taps, 0 elsewhere. */ ++period; } while(lfsr != 0xACE1u); return 0; }

Binary Galois LFSRs like the ones shown above can be generalized to any *q*-ary alphabet {0, 1, ..., *q* − 1} (e.g., for binary, *q* is equal to two, and the alphabet is simply {0, 1}). In this case, the exclusive-or component is generalized to addition modulo-*q* (note that XOR is addition modulo 2), and the feedback bit (output bit) is multiplied (modulo-*q*) by a *q*-ary value which is constant for each specific tap point. Note that this is also a generalization of the binary case, where the feedback is multiplied by either 0 (no feedback, i.e., no tap) or 1 (feedback is present). Given an appropriate tap configuration, such LFSRs can be used to generate Galois fields for arbitrary prime values of *q*.

The following table lists maximal-length polynomials for shift-register lengths up to 19. Note that more than one maximal-length polynomial may exist for any given shift-register length. A list of alternative maximal-length polynomials for shift-register lengths 4-32 (beyond which it becomes unfeasible to store or transfer them) can be found here: http://www.ece.cmu.edu/~koopman/lfsr/index.html

Bits | Feedback polynomial | Period |
---|---|---|

n | ||

2 | 3 | |

3 | 7 | |

4 | 15 | |

5 | 31 | |

6 | 63 | |

7 | 127 | |

8 | 255 | |

9 | 511 | |

10 | 1023 | |

11 | 2047 | |

12 | 4095 | |

13 | 8191 | |

14 | 16383 | |

15 | 32767 | |

16 | 65535 | |

17 | 131071 | |

18 | 262143 | |

19 | 524287 | |

20-168 | [1] | |

2-786,1024,2048,4096 | [2] |

- Ones and zeroes occur in 'runs'. The output stream 0110100, for example consists of five runs of lengths 1,2,1,1,2, in order. In one period of a maximal LFSR, 2
^{n −1}runs occur (for example, a six bit LFSR will have 32 runs). Exactly half of these runs will be one bit long, a quarter will be two bits long, up to a single run of zeroes*n*− 1 bits long, and a single run of ones*n*bits long. This distribution almost equals the statistical expectation value for a truly random sequence. However, the probability of finding exactly this distribution in a sample of a truly random sequence is rather low^{[vague]}. - LFSR output streams are deterministic. If you know the present state as well as the positions of the XOR gates in the LFSR, you can predict the next state.
^{[3]}This is not possible with truly random events. With minimal-length LFSRs, it is much easier to compute the next state, as there are only an easily limited number of them for each length.^{[clarification needed]} - The output stream is reversible; an LFSR with mirrored taps will cycle through the output sequence in reverse order.

LFSRs can be implemented in hardware, and this makes them useful in applications that require very fast generation of a pseudo-random sequence, such as direct-sequence spread spectrum radio. LFSRs have also been used for generating an approximation of white noise in various programmable sound generators.

The repeating sequence of states of an LFSR allows it to be used as a clock divider, or as a counter when a non-binary sequence is acceptable as is often the case where computer index or framing locations need to be machine-readable.^{[4]} LFSR counters have simpler feedback logic than natural binary counters or Gray code counters, and therefore can operate at higher clock rates. However it is necessary to ensure that the LFSR never enters an all-zeros state, for example by presetting it at start-up to any other state in the sequence. The table of primitive polynomials shows how LFSRs can be arranged in Fibonacci or Galois form to give maximal periods. One can obtain any other period by adding to an LFSR that has a longer period some logic that shortens the sequence by skipping some states.

LFSRs have long been used as pseudo-random number generators for use in stream ciphers (especially in military cryptography), due to the ease of construction from simple electromechanical or electronic circuits, long periods, and very uniformly distributed output streams. However, an LFSR is a linear system, leading to fairly easy cryptanalysis. For example, given a stretch of known plaintext and corresponding ciphertext, an attacker can intercept and recover a stretch of LFSR output stream used in the system described, and from that stretch of the output stream can construct an LFSR of minimal size that simulates the intended receiver by using the Berlekamp-Massey algorithm. This LFSR can then be fed the intercepted stretch of output stream to recover the remaining plaintext.

Three general methods are employed to reduce this problem in LFSR-based stream ciphers:

- Non-linear combination of several bits from the LFSR state;
- Non-linear combination of the output bits of two or more LFSRs (see also: shrinking generator); or
- Irregular clocking of the LFSR, as in the alternating step generator.

Important LFSR-based stream ciphers include A5/1 and A5/2, used in GSM cell phones, E0, used in Bluetooth, and the shrinking generator. The A5/2 cipher has been broken and both A5/1 and E0 have serious weaknesses.^{[5]}^{[6]}

The linear feedback shift register has a strong relationship to linear congruential generators.^{[7]}

LFSRs are used in circuit testing, for test pattern generation(for exhaustive testing, pseudo random testing or pseudo exhaustive testing) and signature analysis.

Complete LFSRs are commonly used as a pattern generator for exhaustive testing, since they cover all possible inputs for an n input circuit. Maximum length LFSRs and weighted LFSRs are widely used as a pseudo-random test pattern generators for pseudo-random test applications.

In Built In Self Testing (BIST) techniques, storing all the circuit outputs on chip is not possible, but the circuit output can be compressed to form a signature which later will be compared to the golden signature (of the good circuit) to detect the faults. Since this compression is lossy, there is always a probability that a faulty output also generates the same signature as the golden signature and the faults can not be detected. This condition is called error masking or aliasing.

Main article: scrambler

To prevent short repeating sequences (e.g., runs of 0's or 1's) from forming spectral lines that may complicate symbol tracking at the receiver or interfere with other transmissions, linear feedback registers are often used to "randomize" the transmitted bitstream. This randomization is removed at the receiver after demodulation. When the LFSR runs at the same bit rate as the transmitted symbol stream, this technique is referred to as scrambling. When the LFSR runs considerably faster than the symbol stream, expanding the bandwidth of the transmitted signal, this is direct-sequence spread spectrum.

Neither scheme should be confused with encryption or encipherment; scrambling and spreading with LFSRs do *not* protect the information from eavesdropping. They are instead used to produce equivalent streams that possess convenient engineering properties to allow for robust and efficient modulation and demodulation.

Digital broadcasting systems that use linear feedback registers:

- ATSC Standards (digital TV transmission system – North America)
- DAB (Digital Audio Broadcasting system – for radio)
- DVB-T (digital TV transmission system – Europe, Australia, parts of Asia)
- NICAM (digital audio system for television)

Other digital communications systems using LFSRs:

- INTELSAT business service (IBS)
- Intermediate data rate (IDR)
- SDI (Serial Digital Interface transmission)
- Data transfer over PSTN (according to the ITU-T V-series recommendations)
- CDMA (Code Division Multiple Access) cellular telephony
- 100BASE-T2 "fast" Ethernet scrambles bits using an LFSR
- 1000BASE-T Ethernet, the most common form of Gigabit Ethernet, scrambles bits using an LFSR
- PCI Express 3.0
- SATA
^{[8]} - Serial attached SCSI (SAS/SPL)
- USB 3.0
- IEEE 802.11a scrambles bits using an LFSR
- Bluetooth Low Energy Link Layer is making use of LFSR (referred to as whitening)

The German time signal DCF77, in addition to amplitude keying, employs phase-shift keying driven by a 9-stage LFSR to increase the accuracy of received time and the robustness of the data stream in the presence of noise.^{[9]}

The Global Positioning System uses an LFSR to rapidly transmit a sequence that indicates high-precision relative time offsets.

LFSRs are also used in Communications System Jamming systems in which they are used to generate pseudo random noise to raise the noise floor of a target communication system.

- Pinwheel
- Mersenne twister
- Maximum length sequence
- Analog feedback shift register
- NLFSR, Non-Linear Feedback Shift Register

**^**Linear Feedback Shift Registers in Virtex Devices**^**Beker, Henry; Piper, Fred (1982).*Cipher Systems: The Protection of Communications*. Wiley-Interscience. p. 212.**^**http://www.xilinx.com/support/documentation/application_notes/xapp052.pdf**^**http://www.xilinx.com/support/documentation/application_notes/xapp052.pdf**^**Barkam, Elad; Biham, Eli; Keller, Nathan (2008), "Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication",*Journal of Cryptology***21**(3): 392–429**^**Lu, Yi; Willi Meier; Serge Vaudenay (2005). "The Conditional Correlation Attack: A Practical Attack on Bluetooth Encryption".*Crypto 2005*(Santa Barbara, California, USA)**3621**: 97–117. doi:10.1007/11535218_7.**^**RFC 4086 section 6.1.3 "Traditional Pseudo-random Sequences"**^**Section 9.5 of the SATA Specification, revision 2.6**^**Hetzel, P. (16 March 1988). "Time dissemination via the LF transmitter DCF77 using a pseudo-random phase-shift keying of the carrier". 2nd European Frequency and Time Forum. Neuchâtel. pp. 351–364. Retrieved 11 October 2011.

- LFSR Reference LFSR theory and implementation, maximal length sequences, and comprehensive feedback tables for lengths from 7 to 16,777,215 (3 to 24 stages), and partial tables for lengths up to 4,294,967,295 (25 to 32 stages).
- International Telecommunications Union Recommendation O.151 (August 1992)
- Maximal Length LFSR table with length from 2 to 67.
- Pseudo-Random Number Generation Routine
- http://www.ece.ualberta.ca/~elliott/ee552/studentAppNotes/1999f/Drivers_Ed/lfsr.html
- http://www.quadibloc.com/crypto/co040801.htm
- Simple explanation of LFSRs for Engineers
- Feedback terms
- General LFSR Theory
- An implementation of LFSR in VHDL.
- Simple VHDL coding for Galois and Fibonacci LFSR.