NLFSR (thing)

Short for "nonlinear feedback shift register".

A nonlinear feedback shift register is a particular type of shift register, similar to a LFSR but where the state update is a nonlinear function of part of its own state (rather than a linear function of part of its own state).

These are often used as components in (hardware-efficient) stream ciphers, displaying a higher resistance towards correlation attacks than LFSR. On the other hand, unlike for LFSR, construction of large NLFSR with guaranteed long periods is not a trivial problem. An example of such NLFSR-based hardware-efficient cipher is Trivium.

Similar to what happens with a LFSR, a N-stage NLFSR contains N delay elements which store N bits of state (x₀, x₁, x₂... x_(N-2), x_(N-1)). Each time the NLFSR is clocked, the bit stored in x₀ is output, every other bit is shifted down a stage (x₀ becomes the old x₁, x₁ becomes the old x₂, etc.) and the last bit (x_(N-1)) becomes the result of the nonlinear update function. This way of expressing a NLFSR is termed "Fibonacci configuration" (it can also be equivalently expressed in "Galois configuration", but that's beyond the scope of this writeup).

The properties of a specific N-stage NLFSR boil down to the chosen state update function. For example, the 24-stage NLFSR defined by the update function:

x_(N-1) = x₀ ⊕ x₁ ⊕ x₈ ⊕ x₉ ⊕ x₁₅ ⊕ (x₇ AND x₁₈)
(where ⊕ denotes XOR)

has the quasi-maximum period of 2²⁴-1 (where every state is in a big cycle, except for the all-zero state, which is a fixed point).

If wanted, this can be increased to 2²⁴ by changing the state update function to:

x_(N-1) = x₀ ⊕ x₁ ⊕ x₈ ⊕ x₉ ⊕ x₁₅ ⊕ (x₇ AND x₁₈) ⊕ z
(where z = (¬x₁ AND ¬x₂ AND ... AND ¬x₂₂ AND ¬x₂₃), and ¬ denotes the NOT operation)

which ensures every possible state (including the all-zero state) is in the same single maximal cycle.

Even though it's not easy to figure out which specific state update functions generate maximum (or quasi-maximum) period NLFSR (without actually running them through every state to verify), it's not difficult to guarantee that a certain state update function generates branchless state transitions (i.e. that every step is reversible and, therefore, the dynamic structure consists of pure cycles without state collisions). Particularly, it's enough to ensure that the state update function is of the form:

x_(N-1) = x₀ ⊕ g( x₁, x₂, ..., x_(N-2), x_(N-1) )
(where g() is an arbitrary boolean function with N-1 inputs and 1 output)

Reference:

• E. Dubrova, "A List of Maximum Period NLFSRs", Cryptology ePrint Archive, Report 2012/166, March 2012.

• nonlinear
• feedback
• shift register
• shift register
• Linear Feedback Shift Register
• state
• nonlinear
• function
• linear
• hardware
• stream cipher
• correlation attack
• Linear Feedback Shift Register
• Linear Feedback Shift Register
• NLFSR
• trivial
• cipher
• Trivium
• LFSR
• stage
• delay
• bits
• state
• NLFSR
• bit
• output
• bit
• bit shift
• nonlinear
• function
• Fibonacci
• Galois LFSR
• scope
• writeup
• NLFSR
• function
• AND
• XOR
• quasi
• maximum
• period
• cycle
• fixed point
• NOT
• state
• single
• maximal
• cycle
• difficult
• maximum
• quasi
• period
• brute force
• easy
• function
• branchless
• reversible
• dynamic
• structure
• collision
• arbitrary
• boolean function
• output

• nonlinear feedback shift register
• periods
• clocked
• all-zero
• making the state update function something terribly inefficient like
• all-zero state
• state transition
• cycles
• inputs