FCSR Haguenau Players

In sequence design, a Feedback with Carry Shift Register (or FCSR) is the arithmetic or with carry analog of a linear-feedback shift register (LFSR). If $N >1$ is an integer, then an ''N''-ary FCSR of length $r$ is a finite state device with a state $(a;z) = (a_0,a_1,\dots,a_;z)$ consisting of a vector of elements $a_i$ in $\=S$ and an integer $z$. The state change operation is determined by a set of coefficients $q_1,\dots,q_n$ and is defined as follows: compute $s = q_r a_0+q_ a_1+\dots+q_1 a_ + z$. Express s as $s = a_r + N z'$ with $a_r$ in $S$. Then the new state is $(a_1,a_2,\dots,a_r; z')$. By iterating the state change an FCSR generates an infinite, eventually periodic sequence of numbers in $S$.

FCSRs have been used in the design of stream ciphers (such as the F-FCSR generator), in the cryptanalysis of the summation combiner stream cipher (the reason Goresky and Klapper invented them), and in generating pseudorandom numbers for quasi-Monte Carlo (under the name Multiply With Carry (MWC) generator - invented by Couture and L'Ecuyer,) generalizing work of Marsaglia and Zaman.

FCSRs are analyzed using number theory. Associated with the FCSR is a connection integer $q = q_r N^r + \dots + q_1 N^1 - 1$. Associated with the output sequence is the N-adic number $a = a_0 + a_1 N + a_2N^2+\dots$ The fundamental theorem of FCSRs says that there is an integer $u$ so that $a = u/q$, a rational number. The output sequence is strictly periodic if and only if $u$ is between $-q$ and $0$. It is possible to express u as a simple quadratic polynomial involving the initial state and the q_i.

There is also an exponential representation of FCSRs: if $g$ is the inverse of $N \pmod q$, and the output sequence is strictly periodic, then $a_i = (A g_i \bmod q) \bmod N$, where $A$ is an integer. It follows that the period is at most the order of in the multiplicative group of units modulo . This is maximized when is prime and is a primitive element modulo . In this case, the period is $q-1$. In this case the output sequence is called an l-sequence (for "long sequence").

l-sequences have many excellent statistical properties that make them candidates for use in applications, including near uniform distribution of sub-blocks, ideal arithmetic autocorrelations, and the arithmetic shift and add property. They are the with-carry analog of m-sequences or maximum length sequences.

There are efficient algorithms for FCSR synthesis. This is the problem: given a prefix of a sequence, construct a minimal length FCSR that outputs the sequence. This can be solved with a variant of Mahler and De Weger's lattice based analysis of N-adic numbers when $N=2$; by a variant of the Euclidean algorithm when is prime; and in general by Xu's adaptation of the Berlekamp-Massey algorithm. If L is the size of the smallest FCSR that outputs the sequence (called the N-adic complexity of the sequence), then all these algorithms require a prefix of length about $2L$ to be successful and have quadratic time complexity. It follows that, as with LFSRs and linear complexity, any stream cipher whose ''N''-adic complexity is low should not be used for cryptography.

FCSRs and LFSRs are special cases of a very general algebraic construction of sequence generators called Algebraic Feedback Shift Registers (AFSRs) in which the integers are replaced by an arbitrary ring and is replaced by an arbitrary non-unit in . A general reference on the subject of LFSRs, FCSRs, and AFSRs is the book.Table of contents

References

{{DEFAULTSORT:Feedback With Carry Shift Registers
Stream ciphers
Digital registers
Cryptographic algorithms
Pseudorandom number generators