Arxiv:1705.03150V3 [Cs.IT] 4 Jun 2019 Nanyang Technological University, 21 Nanyang Link, Singapore 637371 E-Mail: {Fredezerman,Adamas,Lingsan,Hxwang}@Ntu.Edu.Sg J

manuscript No. (will be inserted by the editor)

Binary de Bruijn Sequences via Zech’s Logarithms

Zuling Chang · Martianus Frederic Ezerman · Adamas Aqsa Fahreza · San Ling · Janusz Szmidt · Huaxiong Wang

Received: date / Accepted: date

Abstract The focus of this work is to show how to combine Zech’s logarithms and each of the cycle joining and cross-join pairing methods to construct binary de Bruijn sequences of any order. A basic implementation is supplied as a proof- of-concept. The cycles, in the cycle joining method, are typically generated by a linear feedback shift register. We prove a crucial characterization that determining Zech’s logarithms is equivalent to identifying conjugate pairs shared by any two distinct cycles. This speeds up the task of building a connected adjacency subgraph that contains all vertices of the complete adjacency graph. Distinct spanning trees in either graph correspond to cyclically inequivalent de Bruijn sequences. As the cycles are being joined, guided by the conjugate pairs, we track the changes in the feedback function. Certificates of star or almost-star spanning trees conveniently handle large order cases. The characterization of conjugate pairs via Zech’s logarithms, as positional markings, is then adapted to identify cross-join pairs. A modified m-sequence is initially used, for ease of generation. The process can be repeated on each of the resulting de Bruijn sequences. We show how to integrate an analytic tool, attributed to Fryers, in the process. Most prior constructions in the literature measure the complexity of the corresponding bit-by-bit algorithms. Our approach is different. We aim first to build a connected adjacency subgraph that is certified to contain all of the cycles as vertices. The ingredients are computed just once and concisely stored. Simple strategies are offered to keep the complexities low as the order grows.

Z. Chang School of Mathematics and Statistics, Zhengzhou University, Zhengzhou 450001, China E-mail: zuling [email protected] M. F. Ezerman · A. A. Fahreza · S. Ling · H. Wang Division of Mathematical Sciences, School of Physical and Mathematical Sciences, arXiv:1705.03150v3 [cs.IT] 4 Jun 2019 Nanyang Technological University, 21 Nanyang Link, Singapore 637371 E-mail: {fredezerman,adamas,lingsan,HXWang}@ntu.edu.sg J. Szmidt Military Communication Institute, ul. Warszawska 22 A, 05-130 Zegrze, Poland E-mail: [email protected] 2 Z. Chang et al.

Keywords Binary de Bruijn sequence · cycle structure · conjugate pair · cross-join pair · Zech’s logarithms Mathematics Subject Classiﬁcation (2010) 11B50 · 94A55 · 94A60

1 Introduction

n A binary de Bruijn sequence of order n ∈ N has period N = 2 in which each n- n−1 tuple occurs exactly once. Up to cyclic equivalence, there are 22 −n of them [4]. A naive approach capable of generating all of these sequences, e.g., by generating all Eulerian cycles in the de Bruijn graph, requires an exponential amount of space. Adding a 0 to the longest string of 0s in a maximal length sequence, also known as an m-sequence, of period 2n −1 produces a de Bruijn sequence of order n. There 1 n are Λn := n φ(2 − 1) such m-sequences where φ(·) is the Euler totient function. There is a bijection between the set of all m-sequences and the set of primitive polynomials of degree n in F2[x]. As n grows large, Λn soon becomes miniscule in n−1 comparison to 22 −n. In terms of applications, there is quite a diversity in the community of users. This results in varied criteria as to what constitute a good construction approach. Mainly for cryptographic purposes, there has been a sustained interest in efficiently generating a good number of de Bruijn sequences of large orders. For stream cipher applications (see, e.g., the 16 eSTREAM finalists in [34]), it is desirable to have high unpredictability, i.e., sequences with high nonlinearity, while still being somewhat easy to implement. This requires multiple measures of complexity to be satisfied. Due to their linearity, modified m-sequences are unsuitable for cryptographic applications. Bioinformaticians want large libraries of sequences to use in experiments [25] and in genome assembly [7]. Their design philosophy imposes some Hamming distance requirements, since a library must not have sequences which are too similar to one another or exhibiting some taboo patterns. Secrecy or pseudorandomness is often inconsequential. Designers of very large scale integrated circuits often utilize binary de Bruijn multiprocessor network [35]. Important properties include the di- ameter and the degree of the network. The objective here is to have a small layout that still allows for many complete binary trees to be constructed systematically for extensibility, fault-tolerance, and self diagnosability. Prior Literature Given its long history and numerous applications, the quest to efficiently generate de Bruijn sequences has produced a large literature and remains very active. Most known approaches fall roughly into three types, each to be briefly discussed below. In terms of complexity, it is customary to specify the memory and time requirements to generate the next bit, i.e., the last entry in the next state given a current state. Such an algorithm is called a bit-by-bit algorithm. As the name suggests, the cycle joining approach builds de Bruijn sequences by combining disjoint cycles of smaller periods [17]. One begins, for example, with a linear feedback shift register (LFSR) with an irreducible but nonprimitive characteristic polynomial of degree n. It produces disjoint cycles, each with a period that divides 2n − 1. We identify a conjugate pair between any two distinct cycles and combine the cycles into a longer cycle. We repeat the process until all Binary de Bruijn Sequences via Zech’s Logarithms 3

disjoint cycles have been combined into a de Bruijn sequence. The mechanism can of course be applied on all identifiable conjugate pairs. Fredricksen applied the method on pure cycling register of length n in [16]. The bit-by-bit routine took 6n bits of storage in n units of time. Etzion and Lempel in [13] considered a shift register that produced many short cycles which were then joined together. They proposed two constructions based on, respectively, pure cyclic registers (PCRs) and pure summing registers (PSRs). For a PCR, the number of produced sequence is exponential with base 2 (see [13, Theorem 2] for the exact formula), with time complexity O(n) to produce the next bit. It was quite expensive in memory, requiring approximately 3n plus the exponent of 2 in n2 the exact formula. For PSR, the number of produced sequence is ≈ 2 4 with its bit-by-bit algorithm costing O(n) in time and O(n2) in memory. Huang showed how to join all the pure cycles of the complementing circulating register f(x1, . . . , xn) = x1 in [23]. Its bit-by-bit algorithm took 4n bits of storage and 4n units of time. The resulting sequences tended to have a good local 0 and 1 balance. In the work of Jansen et al.[27], the cycles were generated by an LFSR with feedback function f(x) that can be factored into r irreducible polynomials of the same degree m. The number of produced de Bruijn sequences was approximately O(22n/ log(2n)). Its bit-by-bit complexity was 3n bits of storage and at most 4n FSR shifts. Numerous subsequent works, until very recently, are listed with the details on their input parameters and performance complexity in [6, Table 4]. The cross-join pairing method begins with a known de Bruijn sequence, usually a modified m-sequence. One then identifies cross-join pairs that allow the sequence, seen as a cycle of period 2n, to be cut and reconnected into inequivalent de Bruijn sequences from the initial one. Two representative works on this method were done by Helleseth and Kløve in [22] and by Mykkeltveit and Szmidt in [33]. The third method, where we collect rather distinct approaches, is less clear-cut than the first two. The defining factor is that they follow some assignment rules or preference functions in producing one symbol at a time using the previous n symbols. Some clarity can perhaps be given by way of several recent examples. A necklace is a string in its lexicographically smallest rotation. Stevens and Williams in [39] presented an application of the necklace prefix algorithm to construct de Bruijn sequences. Their loopless algorithm took O(n) time. They sig- nificantly simplified the FKM algorithm, attributed to Fredricksen, Kessler, and Maiorana, that concatenated the aperiodic prefixes of necklaces in lexicographic order. In [36], Sawada et al. gave a simple shift-rule, i.e., a function that maps each length n substring to the next length n substring, for a de Bruijn sequence of order n. Its bit-by-bit algorithm ran in costant time using O(n) space. Instead of concatenating necklaces in lexicographic order, Dragon et al. in [11] used the co-lexicographic order to construct a de Bruijn sequence in O(n) time. Natural subsequences of the lexicographically least sequence had been shown to be de Bruijn sequences for interesting subsets of strings. The lexicographically-least de Bruijn sequence, due to Martin in 1934, is affectionately known as the granddaddy. The use of preference functions is prevalent in many greedy algorithms for binary de Bruijn sequence. A general greedy algorithm, recently proposed by Chang et al. in [5], included a discussion on how such functions fit into a unifying picture.

Overview of our techniques 4 Z. Chang et al.

We pinpoint the respective exact states in any conjugate pair shared by any two distinct cycles to execute the cycle joining process. At the core of our method is the use of Zech’s logarithms to characterize the conjugate pairs as positional markings. The approach works particularly well when the characteristic polynomial of the LFSR is an irreducible polynomial or a product of distinct irreducible polynomials. One can identify and explicitly generate all of the component cycles with irreducible characteristic polynomial based on one special state. We take a different route in the implementation. Instead of generating one de Bruijn sequence on the fly by using a bit-by-bit procedure, our mechanism ensures that users have a ready access to a large supply of binary de Bruijn sequences. In its simplest form, the input consists of a primitive polynomial p(x) of degree n having α as a root and a positive integer t that divides 2n − 1 such that there exists a polynomial q(x) of degree n having β = αt as a root. The cycle joining method is then applied to the cycles whose characteristic polynomial is q(x). Preparatory computational tasks, that need to be done only once, supply the required ingredients to construct a connected adjacency subgraph Ge. The graph contains all vertices of the complete adjacency graph G whose vertices are the t + 1 cycles. To build de Bruijn sequences from the stored Ge, we can use Knuth’s Algorithm S [28, pp. 464 ff.] or an alternative algorithm [6, Algorithm 5], due to Chang et al. , to generate all of the spanning trees. The two algorithms share the same complexity, as detailed in [6, Section 8]. If so desired, one can quickly choose a spanning tree at random by running Broder’s Algorithm [3]. Certificates that guarantee the existence of particular spanning trees in G allow us to practically handle large orders, as will be demonstrated by examples. This simple strategy keeps the complexities low as the order grows. We then show how to adapt finding conjugate pairs shared by two smaller cycles in the cycle joining method to finding two conjugate pairs in a given de Bruijn sequence to use as a cross-join pair, showing how closely connected the two methods are. Our constructions bypass the need for “scaling,” which has been a common theme in the studies of NLFSRs since its introduction by Lempel in [29]. Some notable recent investigations include the work of Dubrova in [12] and that of Mandal and Gong in [31]. Relevant notions and results on FSRs and Zech’s logarithms are reviewed in Section 2, with new properties of the logarithms given towards the end. Section 3 characterizes conjugate pairs by Zech’s logaritms based on a carefully chosen representation of the states. Section 4 discusses the adjacency graph and methods to identify its spanning trees. A basic software impementation for the cycle joining method is given in Section 5. Section 6 integrates a recent proposal of using the product of irreducible polynomials as the characteristic polynomial of the starting LFSR into the current framework. Adapting the Zech’s logarithms approach to identify cross-join pairs in an m-sequence is the core of Section 7. We end with some conclusions and a general open problem in Section 8.

2 Preliminaries

For integers k < `, let k, ` denote {k, k + 1, . . . , ` − 1, `}.A cyclotomic coset of 2 n J K ni−1 modulo 2 − 1 containing i is Di = {i, 2i, . . . , 2 i} with ni the least positive ni n integer such that i ≡ 2 i (mod 2 − 1). Obviously ni | n. For each i, the least Binary de Bruijn Sequences via Zech’s Logarithms 5

integer in Di is its coset leader. The set of all coset leaders is called a complete set of coset representatives, denoted by Rn.

2.1 Feedback Shift Registers

An n-stage shift register is a clock-regulated circuit with n consecutive units, each storing a bit. As the clock pulses, each bit is shifted to the next stage in line. A binary code is generated if one adds a feedback loop that outputs a new bit sn based on the n bits s0 = (s0, . . . , sn−1) called an initial state. The codewords are the n-bit states. The Boolean function h that outputs sn on input s0 is called its P feedback function. The algebraic normal form (ANF) of h is ai1,i2,...,ik xi1 xi2 ··· xik with ai1,i2,...,ik ∈ F2 and the sum is over all k-subsets {i1, i2, . . . , ik} ⊆ 0, n − 1 . J K The degree of h is the largest k for which ai1,i2,...,ik =6 0. A feedback shift register (FSR) outputs s = s0, s1, . . . , sn,... satisfying the re- cursion sn+` = h(s`, s`+1, . . . , s`+n−1) for ` ≥ 0. If si+N = si for all i ≥ 0, then s is N-periodic or with period N, denoted by s = (s0, s1, s2, . . . , sN−1). The i-th state k of s is si = (si, si+1, . . . , si+n−1) and si+1 is the successor of si. We use 0 or 0 to denote the all zero vector or sequence of period 1. The latter is preferred when the length k needs to be speciﬁed. Distinct initial states generate distinct sequences, forming the set Ω(h) of 2n elements. A state operator T turns si into si+1, i.e., si+1 = T si. If s has a state e−1 si and period e, the e distinct states of s are si,T si = si+1,...,T si = si+e−1. The shift operator L sends s to Ls = L(s0, s1, . . . , sN−1) = (s1, s2, . . . , sN−1, s0), with the convention that L0s = s. The set [s] := {s,Ls,L2s,...,LN−1s} is a shift equivalent class or a cycle in Ω(h). One partitions Ω(h) into cycles and writes the cycle structure as r [ [s1] ∪ [s2] ∪ ... ∪ [sr] if [si] = Ω(h). (1) i=1 An FSR with a linear feedback function is linear (or an LFSR) and nonlinear (or an NLFSR) otherwise. The characteristic polynomial of an n-stage LFSR is

n n−1 f(x) = x + cn−1x + ... + c1x + c0 ∈ F2[x] (2) Pn−1 when the feedback function is h(x0, . . . , xn−1) = i=0 cixi. To ensure that all generated sequences are periodic, c0 =6 0. A sequence s may have many characteristic polynomials. The one with the lowest degree is its minimal polynomial. It represents the LFSR of shortest length that generates s. Given an LFSR with characteristic polynomial f(x), the set Ω(h) is also denoted by Ω(f(x)). To f(x) in (2), one associates a matrix   0 0 ... 0 c0 1 0 ... 0 c1    0 1 ... 0 c2  Af :=   . (3) ......  . . . . .  0 0 ... 1 cn−1

j On input state s0, the state vectors of the resulting sequence are sj = s0A for j ∈ {0, 1, 2,...} and si+1 = siA = T si. 6 Z. Chang et al.

If the minimal polynomial of a sequence is primitive with degree n and α as a root, then it can be obtained by applying the trace map from 2n onto 2 on the n F F sequence 1, α, α2, . . . , α2 −2. The sequence is said to be a maximal length sequnce or an m-sequence since it has the maximal period among all sequences generated by any LFSR with minimal polynomial of degree n. Let m denote an m-sequence. (d) A sequence u is a d-decimation sequence of s, denoted by u = s if uj = sd·j for all j ≥ 0. A d-decimation m(d) of m is also an m-sequence if and only if gcd(d, 2n − 1) = 1. More properties of sequences in relation to their characteristic and minimal polynomials can be found in [19, Chapter 4] and [30, Chapter 8].

2.2 Zech’s Logarithms

Among computational tools over finite fields we have Zech’s logarithm (see e.g., [19, page 39]). The logarithm is often referred to as Jacobi’s logarithm [30, Exercise 2.8 and Table B]. It was Jacobi who introduced the notion and tabulated the values n for Fp with p ≤ 103 in [26]. For ` ∈ 1, 2 − 1 ∪ {−∞}, the Zech’s logarithm τ(`) relative to α is defined by 1+α` = ατJ(`) whereK α−∞ = 0. It induces a permutation on 1, 2n − 2 . Huber established the following properties of Zech’s logarithms over J K Fq and provided the Zech’s logarithm tables for F2n with 2 ≤ n ≤ 11 in [24]. 1. It suffices to find the logarithms relative to one primitive element. Let distinct primitive polynomials p(x) and q(x) be of degree n with respective roots α and b n δ. Then δ = α for some b with gcd(b, 2 − 1) = 1. Let τn,α(k) and τn,δ(k) denote the respective logarithms of k ∈ 1, 2n − 2 relative to α and δ. Then J K −1 −1 1 + δk = 1 + αb·k = ατn,α(b·k) = αbb τn,α(b·k) = δb τn,α(b·k).

−1 n Hence, τn,δ(k) ≡ b τn,α(b · k) (mod (2 − 1)). With a primitive element fixed, the notation is τ(k) or τn(k) to emphasize n. 2. The Flip map is given by τn(τn(k)) = k. Knowing τn(k) for any k in a cyclo- i tomic coset Dj is sufficient to find τn(2 k) by using the Double map n τn(2k) ≡ 2τn(k) (mod (2 − 1)). (4)

The Flip and Double maps send cosets onto cosets of the same size. 3. Let Inv(j) = 2n − 1 − j ≡ −j (mod (2n − 1)). Then n τn(Inv(j)) ≡ τn(j) − j (mod (2 − 1)). (5)

Inv(k) maps a coset onto a coset of the same size. 4. Let h(x) be a primitive polynomial of degree m having a root β. Let m | n and r (2n−1) β = α with r = (2m−1) . If the Zech’s logarithms relative to β are known, then 1 + αr·j = 1 + βj = βτm(j) = αr·τm(j). Hence, n τn(r · j) ≡ r · τm(j) (mod (2 − 1)). (6)

Repeatedly applying Flip and Inv induces a cycle of 6 cosets, except in rare cases (see [24]). Using the Double map, one then gets the value of τn(k) for all k in the union of these cosets. To complete the table, Huber suggested the use of key elements, each corresponding to a starting coset. Instead of following the suggestion, we introduce a more eﬃcient route that reduces the storage need. Binary de Bruijn Sequences via Zech’s Logarithms 7

Lemma 1 For known τn(i), τn(j), and τn(i + j),

n τn(τn(i + j) − τn(j)) ≡ τn(i) + j − τn(j) (mod (2 − 1)). (7)

Proof For i, j ∈ 1, 2n − 2 , 1 + αi = ατn(i) if and only if αj + αi+j = ατn(i)+j. This is equivalentJ to ατnK(j) + ατn(i+j) = ατn(i)+j. Thus, 1 + ατn(i+j)−τn(j) = ατn(i)+j−τn(j). ut

To apply Lemma 1, one looks for an (i, j) pair such that the respective Zech’s logarithms of i, j, and i + j are already known, i.e., the elements i, j, and i + j are in the union U of cosets with known Zech’s logarithms, but τ(i) − τ(j) ∈/ U. In many cases, a given Zech’s logarithm is suﬃcient to deduce all others values. We n can write Equation (7) as τn(τn(i) − τn(j)) ≡ τn(i − j) + j − τn(j) (mod (2 − 1)).

Example 1 We reproduce the table in [24, Appendix] for p(x) = x10 +x3 +1 without any key element. The computations are done modulo 210 − 1 with = replacing ≡ for brevity. There are 107 cyclotomic cosets of 2 modulo 1023: the trivial coset D0, a coset of cardinality 2, 6 cosets, each of cardinality 5, and 99 cosets, each of cardinality 10. The coset {341, 682} implies τ(341) = 682. The cycle of 6 cosets beginning from τ(3) = 10 is 3 ∈ D3 Flip 10 ∈ D5 Inv 1013 ∈ D383 Flip 1016 ∈ ←−→ ←→ ←−→ D 7 ∈ D 1020 ∈ D 3 ∈ D , giving the logarithms of all 60 127←→Inv 7 Flip 255 ←→Inv 3 S ←−→ elements in Dk with k ∈ {3, 5, 7, 127, 255, 383}. For the remaining logarithms, one searches for an (i, j) pair with τ(i) − τ(j) not in any of previously known cosets but i − j is. The task for the remaining cosets is summarized in Table 1. The rows follow chronological order. The approach may fail to yield the complete table. We tested all trinomials xn + xj + 1 with n ∈ {15, 17, 18, 20, 22} and j ≤ bn/2c since the reciprocals give identical conclusions. When n = 15, the full table is obtained for j ∈ {1, 4, 7}. When n = 17, Lemma 1 produces the full table for j ∈ {3, 5} but fails for j = 6. It also fails for n = 18, j = 7 but works for n = 20, j = 3 and n = 22, j = 1. In case of failure, the computation in (6) becomes necessary. ut

3 Zech’s Logarithms and Conjugate Pairs

A state v := (v0, v1, . . . , vn−1) and its conjugate v := (v0 + 1, v1, . . . , vn−1) form a conjugate pair. Cycles C1 and C2 in Ω(h) are adjacent if they are disjoint and there exists v in C1 whose conjugate v is in C2. Adjacent cycles merge into a single cycle by interchanging the successors of v and v. The feedback function of the resulting cycle is

n−1 Y eh(x0, . . . , xn−1) = h(x0, . . . , xn−1) + (xi + vi + 1). (8) i=1

Continuing this step, all cycles in Ω(h) join into a de Bruijn sequence. The feedback functions of the resulting de Bruijn sequences are completely determined once the corresponding conjugate pairs are found. 8 Z. Chang et al.

Table 1 Zech’s Logarithms for Elements in Remaining Cosets of Example 1.

(i, j) τ(τ(i) − τ(j)) Cosets Dks in the induced cycle |∪kDk| (12, 5) τ(550) = 512 k ∈ {77, 1, 511, 19, 251, 187} 60 (12, 7) τ(43) = 523 k ∈ {43, 23, 125, 63, 15, 245} 60 (76, 28) τ(11) = 200 k ∈ {11, 25, 223, 45, 189, 253} 60 (3, 1) τ(956) = 78 k ∈ {239, 39, 123, 439, 73, 49} 60 (3, 2) τ(879) = 948 k ∈ {447, 237, 75, 375, 69, 9} 60 (12, 2) τ(909) = 874 k ∈ {111, 347, 149, 35, 247, 57} 60 (12, 10) τ(37) = 161 k ∈ {37, 379, 31} 30 (37, 31) τ(426) = 316 k ∈ {213, 79, 59, 55, 121, 171} 60 (37, 6) τ(141) = 744 k ∈ {93, 105, 183} 30 (77, 43) τ(501) = 142 k ∈ {351, 71, 119, 235, 83, 21} 60 (77, 34) τ(402) = 958 k ∈ {147, 479, 17, 221, 89, 219} 60 (68, 12) τ(181) = 971 k ∈ {181, 191, 13, 157, 91, 173} 60 (749, 255) τ(29) = 566 k ∈ {29, 109, 151, 207, 51, 95} 60 (702, 136) τ(343) = 746 k ∈ {343, 85, 155} 30 (434, 109) τ(27) = 206 k ∈ {27, 103, 115, 205, 179, 159} 60 (349, 333) τ(33) = 660 k ∈ {33, 165, 363, 99, 231, 495} 30 (785, 151) τ(87) = 619 k ∈ {87, 215, 117, 367, 101, 41} 60 (274, 51) τ(107) = 376 k ∈ {107, 47, 175, 61, 167, 53} 60

3.1 Basic Notions and Known Results

Deﬁnition 1 (From [21]) The adjacency graph G of an FSR with feedback function h is an undirected multigraph whose vertices correspond to the cycles in Ω(h). There exists an edge between two vertices if and only if they are adjacent. A conjugate pair labels every edge. The number of edges between any pair of cycles is the number of conjugate pairs that they share.

Clearly G has no loops. There is a bijection between the spanning trees of G and the de Bruijn sequences constructed by the cycle joining method (see. e.g., [21] and [20]). The following well-known counting formula is a variant of the BEST (de Bruijn, Ehrenfest, Smith, and Tutte) Theorem from [1, Section 7]. Recall that i+j the cofactor of entry mi,j in M is (−1) times the determinant of the matrix obtained by deleting the i-th row and j-th column of M.

Theorem 1 (BEST) Let VG := {V1,V2,...,Vk} be the vertex set of the adjacency graph G of an FSR. Let M = (mi,j) be the k × k matrix derived from G in which mi,i is the number of edges incident to vertex Vi and mi,j is the negative of the number of edges between vertices Vi and Vj for i =6 j. Then the number of the spanning trees of G is the cofactor of any entry of M.

To generate de Bruijn sequences of a large order, eﬃcient identiﬁcation of conjugate pairs is crucial. A de Bruijn sequence generator has been recently proposed in [6]. Its basic software implementation [15] demonstrates a decent performance up to order n ≈ 20 when the characteristic polynomials are products of distinct irreducible polynomials. As the order grows the program soon runs into time complexity issues. Another recent contribution can be found in [10]. The work shows how to generate de Bruijn sequences of large orders, say 128, but without supply- ing time or space complexity analysis. The above examples indicates that dealing with large order demands much faster algorithmic tools. Binary de Bruijn Sequences via Zech’s Logarithms 9

n 1 P d Let µ(n) be the Möbiusfunction. There are n d|n µ(d)2 binary irreducible polynomials of degree n. All irreducible polynomials of (prime) degree n are primitive if and only if 2n − 1 is prime. Such an n is called a Mersenne exponent. Although not known to be finite, Mersenne exponents are sparse [37]. Thus, for most n, there are many more irreducible than primitive polynomials. Each such polynomial yields a number of de Bruijn sequences if one can efficiently identify the conjugate pairs. We show how to accomplish this task. A primitive polynomial p(x) ∈ F2[x] of degree n having a root α can be identi- fied in several ways, (see, e.g.,[?, Section 4.4]). Many computer algebra systems have routines that output primitive polynomial(s) of a specified degree. Combining a decimation technique and the Berlekamp-Massey algorithm on input p(x) and a suitable divisor t of 2n − 1 yields the associated irreducible polynomial f(x). It has degree n, order e, and a root β = αt with e · t = 2n − 1. Notice that n is the least integer satisfying 2n ≡ 1 (mod e). The t distinct nonzero cycles in Ω(f(x)) can be ordered in the language of cyclotomic classes and numbers using a method from [20]. The cyclotomic classes ∗ Ci ⊆ F2n , for 0 ≤ i < t, are i+s·t i s i Ci = {α | 0 ≤ s < e} = {α β | 0 ≤ s < e} = α C0. (9)

The cyclotomic numbers (i, j)t, for 0 ≤ i, j < t, are

(i, j)t = {ξ | ξ ∈ Ci, ξ + 1 ∈ Cj} . (10) n−1 n−1 j X i Using the basis {1, β, . . . , β } for F2n we write α = aj,iβ with aj,i ∈ F2 for i=0 j ∈ 0, 2n − 2 . In vector form, the expression becomes J K j α = (aj,0, aj,1, . . . , aj,n−1). (11) n Deﬁne the mapping ϕ : F2n → F2 by j ϕ(0) = 0, ϕ(α ) = (aj,0, aj+t,0, . . . , aj+(n−1)t,0), (12) where the subscripts are reduced modulo 2n − 1. By the recursive relation determined by (11), ϕ is a bijection. Let

ui := (ai,0, ai+t,0, . . . , ai+(e−1)t,0). (13) It is now straightforward to verify that

Ω(f(x)) = [0] ∪ [u0] ∪ [u1] ∪ ... ∪ [ut−1] (14) i with ϕ(α ) as the initial state of ui for i ∈ 0, t − 1 . In particular, the initial state n J K of u0 is (1, 0) ∈ F2 . Note that ϕ induces a correspondence between Ci and [ui] (see [20, Theorem 3]). In other words, ui and the sequence of states of ui, namely ((ui)0, (ui)1,..., (ui)e−1), where i j (ui)j = (ai+jt,0, ai+(j+1)t,0, . . . , ai+(j+n−1)t,0) = ϕ(α β ) for j ∈ 0, e − 1 , are equivalent. The state ϕ(αiβj) corresponds to the element i j J K α β ∈ Ci. Hence, ui ←→ Ci. This provides a convenient method to ﬁnd the exact n position of any state v = (v0, v1, . . . , vn−1) ∈ F2 in some cycle in Ω(f(x)). Proposition 1 [20, Corollary 2] The states ϕ(θ) and ϕ(θ + 1) form a conjugate pair for all θ ∈ F2n . 10 Z. Chang et al.

3.2 Eﬃcient Exact Determination of Conjugate Pairs

We extend Proposition 1 by explicitly determining the respective exact positions of the states in their corresponding cycles. This is far from trivial. First, one needs to fix a standard representation of the cycles and then uses algebraic tools to find the very location of ϕ(θ) in C1 and ϕ(θ + 1) in C2. Let v = ϕ(αiβj) = ϕ(αi+tj) for some i ∈ 0, t − 1 . Then v must be the j-th kJ K n−1 state of ui. Let k = i + tj and suppose that α = a0 + a1β + ... + an−1β . We k have a0 = v0 from the definition of ϕ(α ). Note that if f(x) in (2) is irreducible, t then c0 = 1. Since β = α ,

n−1 n−2 n−1 k+t X `+1 X `+1 X ` α = a`β = a`β + an−1c`β = `=0 `=0 `=0 n−1 an−1 + (a0 + an−1c1)β + ... + (an−2 + an−1cn−1)β .

Continuing inductively, it becomes clear that vj is the constant term in the linear combination of αk+tj in the β basis. Hence,  a0 = v0   an−1 = v1  an−2 = v1cn−1 + v2 . a = v c + v c + v  n−3 1 n−2 2 n−1 3 . . . . . .  a1 = v1c2 + ... + vn−2cn−1 + vn−1

n−1 Once a0 +a1β +...+an−1β and the Zech’s logarithms relative to α are known, one gets αk and, thus, v’s position. How can one eﬃciently generate the cycles in Ω(f(x))? Directly using the above deﬁnition is not practical since it requires costly computations over F2n . Simply generating them by the LFSR with characteristic polynomial f(x) may fail to guarantee that their respective initial states are ϕ(αi) for i ∈ 0, t − 1 . We show that decimation is the right tool. J K Equation (11) ensures that m = (a0,0, a1,0, . . . , a2n−2,0) is an m-sequence with characteristic polynomial p(x) [19, Chapter 5]. The trace function Tr maps δ ∈ F2n Pn−1 2i to i=0 δ ∈ F2. Recall, e.g., from [19, Section 4.6] that the entries in m are i n ai,0 = Tr γα : 0 =6 γ ∈ F2n for i ∈ 0, 2 − 2 . From m, construct t distinct t-decimation sequences of period e: J K

(t) (t) t−1 (t) u0 = m , u1 = (Lm) ,..., ut−1 = (L m) .

k+t·j The resulting sequences have (uk)j = Tr γα for k ∈ 0, t − 1 and j ∈ t J K 0, e − 1 . Each [ui] is a cycle in Ω(f(x)) since β = α . We need to ﬁnd an initial J K n state v of m such that the initial state of u0 is (1, 0) ∈ F2 . Let Ap be the associate matrix of p(x). Then the respective ﬁrst elements of (i·t) vAp for t ∈ 0, n − 1 must be 1, 0,..., 0. A system of equations to derive v can be constructed.J LetK κ be the number of 1s in the binary representation of Binary de Bruijn Sequences via Zech’s Logarithms 11

(i·t) i · t. Computing Ap is efficient using the square-and-multiply method, taking at most log2 bi · tc squarings and κ multiplications. We use v and p(x) to derive the first n · t entries of m. The respective initial 0 t−1 states ϕ(α ), . . . , ϕ(α ) of u0,..., ut−1 in Ω(f(x)) immediately follow by decimation. Thus, one gets ϕ(αj) for any j. This allows us to quickly find the desired i j initial state of any cycle, even for large n. Given the state (ui)j = ϕ(α β ), we k i j+k have T [(ui)j] = ϕ(α β ). At this point, given an irreducible polynomial f(x) 2n−1 with root β and order e = t , we need a primitive polynomial p(x) with the same degree as f(x) and a root α satisfying β = αt. In general, such a p(x) is not unique [6, Subsection 3.2]. Here we provide a method to find one. For k ∈ 1,Λn , let pk(x) be a primitive polynomial of degree n that generates J K the m-sequence mk. The set of all shift inequivalent m-sequences with period n 2 − 1 is {m1, m2,..., mΛn }. The elements are the dj-decimation sequences of n (t) any mk for all dj satisfying gcd(dj, 2 − 1) = 1. We derive mk of period e and check if it shares a common string of 2n consecutive elements with a sequence whose characteristic polynomial is f(x). If yes, then we associate pk(x) with f(x). Testing all ks guarantees a match between f(x) and some pk(x) without costly operations over F2n . As n or t grows, finding one such p(x) becomes more computationally involved. To work around this limitation, one starts instead with any primitive polynomial p(x) with a root α and find the corresponding irreducible f(x) having β = αt as a root. There are tools from finite fields (see, e.g., [30]) that can be deployed. We prefer another approach that does not require computations over F2n . Any primitive polynomial p(x) generates an m-sequence m. By t-decimation we get m(t). We input any 2n consecutive bits of m(t) into the Berlekamp-Massey Algorithm [32, Section 6.2.3] to get an irreducible polynomial f(x) having αt as a root. There are instances where f(x) has degree m | n with m < n. This implies that, for this t, there is no irreducible polynomial of degree n that can be associated with p(x). As k traverses Rn, by k-decimation and the Berlekamp-Massey algorithm, the process provides all irreducible polynomials with root αk. The resulting polynomials form the set of all irreducible polynomials with degree |Ck| = m | n. For t ∈ Rn, t is valid to use if and only if |Ct| = n.

Proposition 2 For a valid t, let the m-sequence m2, whose characteristic polynomial is p2(x), be the dj-decimation sequence of the m-sequence m1, which is generated by

p1(x). Let Ψdj be the mapping, induced by the decimation, that sends p1(x) to p2(x). Let pi(x) be the respective associated primitive polynomial of the irreducible polynomial t qi(x), both of degree n. The mapping Γt is induced by the mapping αi 7→ βi = αi. Then we have the commutative diagram

Ψdj p1(x) p2(x)

Γt Γt .

Ψdj q1(x) q2(x)

Proof Let αi be a primitive root of pi(x). Hence, there exists a root βi of qi(x) such t that βi = αi. Applying the trace map Tr shows that the two directions coincide by the commutativity of the exponents in a multiplication. ut 12 Z. Chang et al.

We can now characterize the conjugate pairs shared by any two distinct cycles by Zech’s logarithms. In fact, determining the respective initial states of [ui]: i ∈ 1, t − 1 is not even necessary since ensuring that (1, 0) is the initial state of [u0] Jis suﬃcientK for implementation.

Theorem 2 Let α be a root of a primitive polynomial p(x) of degree n and τ() be the Zech’s logarithm with respect to α. Let f(x) be the irreducible polynomial of degree n 2n−1 t and order e = t having a root β = α , i.e., f(x) is associated with p(x). Let [ui] and [u`] be distinct nonzero cycles in Ω(f(x)) constructed above, i.e., j i i+tj i, ` ∈ 0, t − 1 with i =6 `. Let v := T ϕ(α ) = ϕ(α ) be the j-th state of [ui] and J k ` K `+tk v := T ϕ(α ) = ϕ(α ) be the k-th state of [u`]. Then (v, v) forms a conjugate pair if and only if ` + tk = τ(i + tj).

Proof Let η and γ be elements of F2n . Then ϕ(η) is a state of ui if and only if j η = α and j ∈ Ci. It is therefore clear that ϕ(η) + ϕ(γ) = ϕ(η + γ). Observe that ϕ(α0 = 1) and 0 are conjugate. The conjugate of ϕ(αj) with j ∈ 1, 2n − 2 is J K ϕ(αj) = ϕ(1) + ϕ(αj) = ϕ(1 + αj) = ϕ(ατ(j)) where ϕ(1) = (1, 0,..., 0).

j τ(j) The conjugate of any state ϕ(α ) in cycle [uj (mod t)] must then be ϕ(α ) in cycle [uτ(j) (mod t)]. In other words, the conjugate of the j-th state of cycle [ui], which is T jϕ(αi) = ϕ(αiβj) = ϕ(αi+tj), must be ϕ(ατ(i+tj)). Writing τ(i + tj) = kt + ` τ(i+tj) k ` with k ∈ 0, e − 1 and ` ∈ 0, t − 1 , ϕ(α ) = T ϕ(α ) belongs to [u`]. Thus,J knowingK the Zech’sJ logarithmsK relative to α enables us to easily determine all conjugate pairs between two arbitrary cycles in Ω(f(x)). By the deﬁnition of cyclotomic numbers, [ui] and [uj] share (i, j)t conjugate pairs. Conversely, knowing all of the conjugate pairs allows us to derive the Zech’s logarithms relative to α. Let a conjugate pair (v, v) with v = T jϕ(αi) = ϕ(αi+tj) and v = T kϕ(α`) = ϕ(α`+tk) be given. Then τ(i + tj) = ` + tk since v must be ϕ(ατ(i+tj)). If all of the conjugate pairs are known, a complete Zech’s logarithm table, relative to α, follows. ut

Example 2 Given f(x) = x4 + x3 + x2 + x + 1, which is irreducible, of order 5 with β as a root, choose p(x) = x4 + x + 1 with a root α satisfying α3 = β as the associated primitive polynomial. Let m be the corresponding m-sequence with initial state (1, 0, 0, 0). By 3-decimating one derives Ω(f(x)) = [0]∪[u0]∪[u1]∪[u2] with u0 = (1, 0, 0, 0, 1), u1 = (0, 1, 1, 1, 1), and u2 = (0, 0, 1, 0, 1). The nonzero 4-stage states are

0 0 0 8 2 2 ϕ(α = α β ) = (1, 0, 0, 0) = (u0)0 ϕ(α = α β ) = (1, 0, 1, 0) = (u2)2 1 1 0 9 0 3 ϕ(α = α β ) = (0, 1, 1, 1) = (u1)0 ϕ(α = α β ) = (0, 1, 1, 0) = (u0)3 2 2 0 10 1 3 ϕ(α = α β ) = (0, 0, 1, 0) = (u2)0 ϕ(α = α β ) = (1, 1, 0, 1) = (u1)3 3 0 1 11 2 3 ϕ(α = α β ) = (0, 0, 0, 1) = (u0)1 ϕ(α = α β ) = (0, 1, 0, 0) = (u2)3 4 1 1 12 0 4 . ϕ(α = α β ) = (1, 1, 1, 1) = (u1)1 ϕ(α = α β ) = (1, 1, 0, 0) = (u0)4 5 2 1 13 1 4 ϕ(α = α β ) = (0, 1, 0, 1) = (u2)1 ϕ(α = α β ) = (1, 0, 1, 1) = (u1)4 6 0 2 14 2 4 ϕ(α = α β ) = (0, 0, 1, 1) = (u0)2 ϕ(α = α β ) = (1, 0, 0, 1) = (u2)4 7 1 2 ϕ(α = α β ) = (1, 1, 1, 0) = (u1)2

The respective Zech’s logarithms are

{τ(i): i ∈ 1, 14 } = {4, 8, 14, 1, 10, 13, 9, 2, 7, 5, 12, 11, 6, 3}. J K Binary de Bruijn Sequences via Zech’s Logarithms 13

All conjugate pairs between any two nonzero cycles can be determined by The- orem 2. Knowing τ(3) = 14, for example, one concludes that [u0] and [u2] share the pair ϕ(α3) = (0, 0, 0, 1) and ϕ(α14) = (1, 0, 0, 1). Conversely, knowing a conjugate pair is suﬃcient to determine the corresponding Zech’s logarithm. Since 6 13 (0, 0, 1, 1) = ϕ(α ) and (1, 0, 1, 1) = ϕ(α ) form a conjugate pair between [u0] and [u1], for instance, one gets τ(6) = 13. The feedback function derived from f(x) is h = x0 + x1 + x2 + x3. By Equation (8), the merged cycle joining [u0] and [u2] based on the conjugate pair (0, 0, 0, 1) and (1, 0, 0, 1) has the feedback function x1 ·x2 ·x3 +x1 ·x3 +x2 ·x3 +x3. Appending [u1] to the resulting cycle using the conjugate pair (0, 0, 1, 1) and (1, 0, 1, 1) shared by [u0] and [u1], results in the feedback function eh = x0 + x1 + x2 + x1 · x3 that produces a sequence of period 15. Appending a 0 to the string of 3 zeroes in the sequence gives us the de Bruijn sequence (0000 1010 0111 1011). ut

Remark 1 If f(x) in Theorem 2 is primitive, then the output is an m-sequence m = (m0, m1, . . . , m2n−2). Let m0 := (m0, . . . , mn−1) = (1, 0). The i-th state mi and n the τ(i)-th state mτ(i) form a conjugate pair. To compute τ(i) for i ∈ 1, 2 − 2 J K it suﬃces to determine the position of the state m(τ(i)) = mi + m0 by searching. This fact can be used to ﬁnd the Zech’s logarithms when n is not very large. ut

4 Spanning Trees

4.1 Constructing Enough Number of Spanning Trees

When n or a valid t is large, building G completely is possible but very often unnecessary and consumes too much resources. It is desirable to ﬁnd just enough Zech’s logarithms to identify a required number of spanning trees. Since there is a unique pair that joins [0] and [u0] into one cycle, our focus is on the set of nonzero cycles {[ui]: i ∈ 0, t − 1 }. J K Let j = a1 · t + a2. If τn(j) = b1 · t + b2 with a2, b2 ∈ 0, t − 1 , then [ua2 ] and J K [ub2 ] are adjacent. They are joined into one cycle by the conjugate pair

v = ϕ(αj) = T a1 ϕ(αa2 ) and v = ϕ(ατn(j)) = T b1 ϕ(αb2 ), (15)

a2 b2 with ϕ(α ) the initial state of ua2 and ϕ(α ) that of ub2 . We continue the process by identifying some conjugate pair(s) between enough pairs of adjacent cycles until all of the cycles in Ω(f(x)) can be joined. Let τ(j) for some j ∈ 1, 2n − 2 be known. This induces a mapping from J K Dj onto Dτ(j) with nj := |Dj| = |Dτ(j)|. If j 6≡ τ(j) (mod t), then, for i ∈ 2ij 2iτ(j) q0, nj − 1y, states ϕ(α ) and ϕ(α ) belong to distinct cycles. These states join their corresponding cycles into one. Let mj be the least positive integer such mj that (2mj − 1)j ≡ 0 (mod t). Observe that ϕ(αj) and ϕ(αj·2 ) are states of the same cycle and m | n . Hence, given cosets D and D , one derives nj distinct j j j τ(j) mj conjugate pairs between each of the mj distinct pairs of cycles. The Zech’s logarithms supply the exact positions of the conjugate pair(s) in the relevant cycles. Once enough conjugate pairs to construct a spanning tree are identiﬁed, the precise positions to apply the cycle joining method, i.e., to exchange successors, appear. Thus, with (1, 0) as the initial state of u0, we just need to keep 14 Z. Chang et al.

track of the precise positions, in terms of the operator T and the power of α, governed by the (j, τn(j)) pair. The actual construction of the de Bruijn sequences no longer requires storing the initial states of the t nonzero sequences in Ω(f(x)). Example 3 Consider p(x) = x300 + x7 + 1 and let α be a root of p(x), implying τ(7) = 300. Choosing t = 31, the Berlekamp-Massey algorithm outputs f(x) = x300 + x194 + x176 + x158 + x97 + x88 + x79 + x52 + x43 + x25 + x16 + x7 + 1. S30 300 Hence, Ω(f(x)) = [0] ∪ i=0[ui]. Let (1, 0) ∈ F2 be the initial state of u0. Knowing a speciﬁc (i, τ(i)) pair gives us {(j, τ(j)) : j ∈ Di}. Note that |Di| = 300 for all i. Since τ(7) ≡ 21 (mod 31), there are 5 distinct pairs of cycles, each sharing 60 conjugate pairs. The (a2, b2) pairs (7, 21), (14, 11), (28, 22), (25, 13), (19, 26) are the indices of the cycles. One of the 60 conjugate pairs between [u7] and [u21] is 7 9 21 7 300 (ϕ(α ),T ϕ(α )) since 31 = 0 and 31 = 9. Computing a1 and b1 are easy given the relevant logarithms, so we omit them from the rest of this example. Since τ(1) ≡ τ(3) ≡ 0 (mod 31), [u0] shares 60 conjugate pairs each with [uj] for j ∈ {1, 2, 4, 8, 16} ∪ {3, 6, 12, 24, 17}. Similarly, each adjacent cycles in the list (i, τ(i) (mod 31)) Indices of Adjacent Cycles (5, 3) (3, 5), (6, 10), (12, 20), (24, 9), (17, 18) (15, 22) (21, 27), (11, 23), (22, 15), (13, 30), (26, 29) (35, 7) (4, 7), (8, 14), (16, 28), (1, 25), (2, 19)

shares 60 conjugate pairs. We order the cycles as [0], [u0], [u1],..., [u30] and build an adjacency subgraph Ge from the computational results. Applying Theorem 1 177.21 with G replaced by Ge, the approach produces ≈ 2 de Bruijn sequences. Fig- ure 1 is a spanning tree. ut

[u30] [u29] [u27] [u23] [u15]

[u13] [u26] [u21] [u11] [u22]

[u25] [u19] [u7] [u14] [u28]

[u1] [u2] [u4] [u8] [u16]

[0] [u0]

[u3] [u6] [u12] [u24] [u17]

[u5] [u10] [u20] [u9] [u18]

Fig. 1 A spanning tree in an adjacency subgraph Ge of Ω(f(x)). Binary de Bruijn Sequences via Zech’s Logarithms 15

4.2 A Note on Dong and Pei’s Construction

Dong and Pei recently proposed a construction of de Bruijn sequences with large order in [10]. Given an irreducible polynomial f(x) of degree n, order e, and t = 2n−1 ∗ e , they deﬁned a shift register matrix T in the form of (3) satisfying f (T ) = 0 ∗ where f (x) is the reciprocal polynomial of f(x). Given the sequence u0 with initial state α0 = (1, 0), one can write any sequence as g(T )u0, where g(x) is some k e k 2j polynomial of degree < n. If (1+x ) 6≡ 1 (mod f(x)), then [u0] and [(1+T ) u0] k2j k 2j k2j are distinct cycles sharing the conjugate pair T α0, (1 + T ) α0 . Here T α0

is a state of [u0]. Their claim that [u0] shares some conjugate pairs with each of the other nonzero cycles does not hold in general. First, as n and e grow large, computing (1 + xk)e (mod f(x)) soon becomes prohibitive. Second, after (1 + xk)e 6≡ 1 (mod f(x)) is veriﬁed, it remains unclear k 2j which cycle [(1+ T ) u0] corresponds to. One is left unable to judge whether it is possible to join all of the cycles in Ω(f(x)) even after a lot√ of the conjugate pairs have been determined. Third, and most importantly, t < 2n − 1 is a necessary condition for their method to work [10, Section 5]. In fact, a suﬃcient and necessary condition is (0, i)t > 0 for all i ∈ 1, t − 1 . This does not hold√ in general. Take, for example, n = 10 with p(x) = xJ10 + x3K + 1 and t = 31 < 31 · 33. All values 1 ≤ i ≤ 210 − 2 such that τ(i) ≡ 0 (mod t) form the set

X := {85, 105, 141, 170, 210, 277, 282, 291, 325, 337, 340, 341, 379, 420, 431, 493, 554, 564, 582, 650, 657, 674, 680, 682, 701, 727, 758, 840, 862, 875, 949, 986}.

Hence, [u0] can be joined only to [u`] with

` ∈ {3, 6, 7, 12, 14, 15, 17, 19, 23, 24, 25, 27, 28, 29, 30}.

Since only 15 out of the required 30 cycles can be joined with [u0], Dong and Pei’s approach fails to produce de Bruijn sequences here. We show in the next subsection that our method handles such a situation perfectly.

4.3 Star and Almost-Star Spanning Trees

In cases where [u0] is adjacent to [uj] for j ∈ 1, t − 1 we can use Theorem 2 to J K rapidly certify the existence of star spanning trees centered at [u0] in G. The main idea is to build Ge such that it becomes a star graph centered at [u0] with leaves [0] and [uj] for j ∈ 1, t − 1 when we replace all of the edges between [u0] and [uj] by a single edge. TheJ certiﬁcateK contains the following outputs of Algorithm 1.

1.A witness W that generates ∆W , {i := k · t for k ∈ W} satisfying [ 1, t − 1 ⊂ {j (mod t): j ∈ DYi } with Yi := τ(i) (mod t). (16) J K i∈∆W

2. The number #cp of identiﬁed conjugate pairs between [u0] and [uj]. 3. A matrix Mf derived from the adjacency subgraph Ge. 4. The exact number #dBSeqs of de Bruijn sequences that can be constructed. 16 Z. Chang et al.

Algorithm 1 Certifying the Existence of a Star Spanning Tree Input: A primitive polynomial p(x) of degree n. Output: Witness W,#cp, Matrix Mf and #dBSeqs. 1: N ← 2n − 1 2: F2n := F2(α) ← the extension field of F2 defined by p(x) . α is a root of p(x) 3: Div ← {d such that d | 2n − 1 and the minimal polynomial of αd is of degree n} 4: for t ∈ Div do 5: f(x) ← the minimal polynomial of β := αt 6: Initiate sets Done ← {0}, MinSet ← ∅, and W ← ∅ 7: Mf = (mi,j ) ← t × t zero matrix 8: for i ∈ {(2k − 1)t : 1 ≤ k ≤ z} do . Letting z = 2000 suffices for n ≤ 100 9: L ← τ(i) (mod t) 10: cL ← coset leader of DL 11: if cL (mod t) ∈/ Done then 12: MinSet ← {i} ∪ MinSet 13: W ← {2k − 1} ∪ W 14: Done ← Done ∪ {y (mod t): y ∈ DL} 15: if |Done| = t then 16:# cp ← n |DL| 17: m1,1 ← #cp · (t − 1) + 1 18: for r from 2 to t do 19: mr,r ← #cp 20: m1,r = mr,1 ← −#cp 21: end for 22: output W and #dBSeqs ← det Mf 23: break i 24: end if 25: end if 26: end for 27: end for

If no star spanning tree can be certified, one can instead starts by finding an index ` ∈ 1, t − 1 such that [u`] is the center of a star graph with [uj] for all j ∈ 0, t − 1J \{`} asK its leaves. We extend this star graph by appending vertex [0] J K and the unique edge E0 between [0] and [u0] into a spanning tree in G. We build Ge by collecting such trees. For convenience we call them almost-star spanning trees centered at [u`] in G. A modified version of Algorithm 1 can be used to certify the existence of almost-star spanning trees. We replace 0 by ` in Line 6 and replace (2k − 1)t in Line 8 by (2k − 1)t + `. The entries of Mf defined in Lines 17 to 21 are now given as follow.

1: m1,1 ← 1 + #cp, m1,`+1 = m`+1,1 ← −#cp 2: for r from 2 to t do 3: mr,r ← #cp, m`+1,r = mr,`+1 ← −#cp 4: end for 5: m`+1,`+1 ← #cp · (t − 1)

10 3 Example 4 There is no star spanning tree centered at [u0] for p(x) = x + x + 1 99.66 and t = 31. There are ≈ 2 almost-star spanning trees centered at [u6] with witness W = {1, 3, 7, 9, 13, 17, 21} and f(x) = x10 + x9 + x5 + x + 1. If n = 20, then there are 38 choices for t, with 23 of them being less than 1000. There is no star spanning tree certiﬁcate for p(x) = x20 + x3 + 1 and t ∈ K := {165, 341, 451, 465, 615, 775, 825}. Going through ` ∈ 2, t − 1 produces certiﬁcates J K Binary de Bruijn Sequences via Zech’s Logarithms 17

for almost-star spanning trees for all t ∈ K. Based on the ` values that yield the most number of de Bruijn sequences, we choose ` = 2 for t ∈ {165, 341, 451, 465}, ` = 4 for t = 775, and ` = 10 for t ∈ {615, 825}. Among these combinations of t and `, the smallest number of de Bruijn sequences produced is from t = 165 and ` = 2, which is ≈ 2708.80. The largest, which is ≈ 23345.17, comes from t = 775 and ` = 4. ut

There are parameter sets for which there is a unique star spanning tree, yielding only 1 de Bruijn sequence. Examples include

p(x) = x20 + x3 + 1 with t ∈ {41, 123, 205, 275}, p(x) = x29 + x2 + 1 with t ∈ {233, 1103, 2089}, and p(x) = x130 + x3 + 1 with t = 131.

There are certificates for almost-star spanning trees for all of them, ensuring the existence of a large number of de Bruijn sequences in each case. One can of course utilize both types of certificates from the same input parameters. Counting the number of, respectively, star and almost-star spanning trees with ` = 2, for p(x) = x128 + x7 + x2 + x + 1 and t = 255 gives us 21524 and 21778 de Bruijn sequences while [10, Example 3] yields 21032 sequences. Table 2 lists more examples. For a compact presentation we use sparse primitive polynomials. They are either trinomials, i.e., p(x) = xn + xk + 1 with 1 ≤ k < n, or p(x) = xn + xk + xj + xi + 1 with 1 ≤ i < j < k < n. Given n and t, the chosen polynomial p(x) and its corresponding f(x) are presented as sets whose elements are the powers of x, from 1 to n − 1, whose coefficients are 1. Hence, for n = 130 and t = 31, p(x) = x130 + x3 + 1 and f(x) = x130 + x63 + x31 + x15 + x7 + x3 + 1. Its witness W = {1, 3, 7, 9, 17, 45} builds ∆W = {31, 93, 217, 279, 527, 1395}, implying {Yi = τ(i) (mod 31) : i ∈ ∆W } = {20, 16, 14, 13, 23, 12}. The corresponding sets

{j (mod t): j ∈ DYi } are

{20, 9, 18, 5, 10}, {16, 1, 2, 4, 8}, {14, 28, 25, 19, 7}, {13, 26, 21, 11, 22}, {23, 15, 30, 29, 27}, {12, 24, 17, 3, 6}.

130 Their union is 1, 30 . Note that [u0] and [u`] share 5 = 26 conjugate pairs for ` ∈ 1, 30 . ComputingJ K for #dBSeqs is then straightforward. The other entries can be similarlyJ K interpreted. The recorded running time is for the specified (n, p(x), t) with ` added for cases where the center of the almost-star trees is [u`]. The certificates are easily computable, assuming commonly available resources in modern PCs. We performed the computations for all of the examples above on a laptop with Ubuntu 16.04 OS powered by an Intel i7-7500U CPU 2.90GHz, running MAGMA V2.24-5 [2] on 11.6 GB of available memory. In fact, we computed the certificates on input p(x) = x128 + x7 + x2 + x + 1 and t ∈ {1, 3, 5, 15, 17, 51, 85} on the online calculator http://magma.maths.usyd.edu.au/calc/. Each t takes less than the 120s time restriction when z is set to 100. To get a better sense of the complexities, we implemented Algorithm 1 and its modification on all 4 ≤ n ≤ 100 and n ∈ {113, 119, 128, 130, 256, 300, 512}. We use the Finite Field Logarithm Database (libs/data/FldFinLog) of MAGMA to handle n > 130. Except for a number of cases, it suffices to bound t ≤ 100 on Line 4 and set z in Line 8 to 2000. Doing so already guarantees us a very large number 18 Z. Chang et al. al 2 Table No. No. 130 8 128 7 29 6 20 5 300 4 130 3 128 100 2 1 p n p n xmlso tradAms-trSann reCricts o tr h etri [ is center the Star, For Certificates. Tree Spanning Almost-Star and Star of Examples { { 7 7 { { { { { { , , 37 ( ( 3 2 3 7 3 2 2 x x } } } } } , , } ) ) 1 1 } } 131 233 205 5 e nr above 2 Entry See 255 255 77 93 25 f t f t { { { { { { { 10 96 24 18 273 97 96 128 ( ( 110 109 30 52 83 x x , , , , , , ) ) , , , 9 72 22 17 89 68 , , 29 51 82 , , , 220 127 86 108 8 , , , , , , , , , 65 20 15 64 64 28 50 81 , 7 , , 85 , , 219 126 , , , , , , , , 106 5 48 18 14 63 37 27 46 74 , , 83 4 , , , , , , , , , , , , 36 16 9 48 36 193 125 26 45 70 , 105 2 , 82 } 8 , , , , , , , 34 15 47 32 , , , 25 44 68 , , 4 192 123 30 103 , , , , , , , , 2 24 14 43 4 24 43 67 , , } , , 29 , 1 , , , 191 122 , , , 99 } 17 13 42 42 66 22 , 28 , , , , , , , , , 98 12 12 21 165 119 41 65 15 , 7 , , , , , , , , 96 10 11 11 40 63 6 , 13 , 164 118 , , , , , 5 , , , 94 5 10 39 60 , 11 , 4 , , , 4 , , 139 117 , , , 93 , 5 3 38 59 10 2 , , , } 3 2 , , , , , 91 , , 36 56 111 9 114 2 1 , , , } 6 , , 89 1 31 53 , , , } 4 112 , , , , 87 1 } , , { { { { Witness Almost-Star { { { { Witness Star 1 1 1 1 1 1 1 1 343 139 67 29 41 35 141 79 43 19 , , , , , , , , 171 3 3 3 3 3 3 15 , , , , , , , , , , , , , 89 31 53 43 83 45 21 , , , 5 5 5 5 5 5 } 465 143 145 , , , , , , } , , , , , , , 7 9 7 97 9 7 , 91 33 155 73 101 47 27 , , , , , ` } , , 9 15 9 11 9 , 159 177 , , , , , u , 130 2 = , , 125 , 103 37 101 53 29 } , 11 11 11 ` 0 , , 107 , hl o lotSa h etri [ is center the Almost-Star for while ] 17 15 2 = W , , , , , ` , , , } 45 57 31 201 187 , } 13 21 13 , , 2 = 107 , 19 23 123 , , , , , , 49 65 33 , , 17 23 15 , , 237 929 , 33 31 111 , , , , , , , 53 77 37 133 W 19 25 17 , , , } 79 33 , , , 251 , , , , 55 119 and , 23 } , , , , , ` 57 , 25 ` 29 2 = , , # # 2 2 128 100 26 20 2 64 25 cp cp ≈ # # ≈ ≈ ≈ ≈ ≈ dBSeqs dBSeqs 2 2 2 2 2 2 1127 1778 1524 432 912 881 504 111 . . . . . u . 44 91 67 93 45 05 ` ]. 0 0 0 1m24s 0 5m41s 1m13s Time 0 Time . . . . . 08s 78s 86s 02s 14s Binary de Bruijn Sequences via Zech’s Logarithms 19

of spanning trees. This keeps the running time and memory demand low. On the already described machine, with the added restrictions, the entire simulation for all n and t combinations took less than 50 hours to complete. Without loss of generality, due to Proposition 2, we use the default choice of p(x) in MAGMA. Interested readers may contact the corresponding author for the simulation data. What about the exceptional cases? For n ∈ {5, 7, 13, 17, 19, 31, 61, 89, 107, 127} there is simply no valid t > 1. Table 3 lists n ≤ 128 and its smallest t > 1. The memory demand for the shaded entries exceeds 16 GB. The rest of the entries can be easily handled to obtain the relevant star and almost-star certiﬁcates.

Table 3 Exceptional n for which the smallest t > 1 is larger than 100 n t n t n t n t 29 233 49 127 73 439 101 7432339208719 37 223 53 6361 79 2687 103 2550183799 41 13367 59 179951 83 167 109 745988807 43 431 67 193707721 91 127 113 3391 47 2351 71 228479 97 11447 119 127

n A star spanning tree in G exists if and only if the cyclotomic number (0, j)t > 0 for the given n and t and for all j ∈ 1, t − 1 . Similarly, an almost-star spanning J K n tree centered at [u`] exists if and only if the cyclotomic number (`, j)t > 0 for the given n and t and for all j ∈ 0, t − 1 \{`}. There are a few cases for which neither a star nor an almost-star certiﬁcateJ K is found. Some of the examples are n = 10 with t = 93, n = 11 with t = 89, and n = 12 with t ∈ {91, 105, 117, 315}.

5 A Basic Software Implementation for Cycle Joining

We make a basic implementation of the cycle joining method via Zech’s logarithms available online in [14]. It requires python 2.7 equipped with sympy and some access to MAGMA, either locally or through internet connection to its online calculator. Many users care more about the speed of generation and need only a relatively small numbers of de Bruijn sequences. Others may prefer completeness and would like to produce all de Bruijn sequences that can be generated from the given input polynomial and a stipulated number t of cycles. We cater to both types of users. Given an order n, the software takes as input a primitive polynomial p(x) of order n supplied by a user or let MAGMA choose such a p(x). The set Div of all valid t is computed. When one such t is chosen by the user, the routine generates the corresponding irreducible polynomial f(x) and a complete set of coset representatives Rn. It seems that there is no closed formula for |Rn|, which 2n−1 is the number of monic irreducible factors of x − 1 over F2. Based on f(x), the cycle structure is now completely determined once the program ensures that (1, 0) is the initial state of [u0]. Depending on the user’s requirements, there are several options on oﬀer.

1. For small orders, say n ≤ 30, the program stores the Zech’s logarithms of the elements in Rn in a dictionary form. The ﬁlesize is in tens of MB for n = 30 20 Z. Chang et al.

and tends to double from n to n+1. The complete adjacency graph G can then be generated by using the Double map. 2. Given combinations of n and t for which it is practical to produce witnesses for enough number of star or almost-star spanning trees, the program finds the Zech’s logarithms of the elements in the witness set W and stores the corresponding adjacency subgraph Ge. 3. The program asks MAGMA for the Zech’s logarithms of a few random entries, based on p(x), and applies the maps in Subsection 2.2 to generate a partial Zech’s logarithm table. It attempts to build Ge from the table. If not all vertices are connected, it identifies pairs of vertices that still need to be connected and uses the information to get the required Zech’s logarithms. It stops when a connected adjacency subgraph containing all vertices is obtained. Finally, it chooses the required number of spanning trees in Ge or, in Option 1, those in G, and produces de Bruijn sequences using the procedure explained in [6, Section VI]. Various modifications can be done on the routine to make it run faster, e.g., if generating only a few de Bruijn sequences is all a user wants. Example 5 There are ≈ 2145.73 de Bruijn sequences that can be produced on input p(x) = x10 + x3 + 1 and t = 31. It takes 0.072 seconds and a negligible amount of memory to output one of them. The simplified adjacency subgraph, where multiple edges between two vertices is presented as one, is in Figure 2 with vertex i ∈ 1, 31 22 J K representing [ui] and 0 representing [0]. On input p(x) = x + x + 1 and t = 89, it takes 5 minutes 30 seconds and 680 MB of memory to print one of the ≈ 2425.42 resulting sequences out to a file. The program comes with an option to produce the ANF, instead of the actual sequence. Here is such an instance on input p(x) = x6 + x + 1 and t = 7. We have f(x) = x6 + x3 + 1. One of the resulting de Bruijn sequences is (00000011 01110011 10110001 11111000 01011110 10101101 00010010 10011001), whose ANF is

x0 + x1x2x3x4x5 + x1x2x3x5 + x1x2x4x5 + x1x2x5 + x1x3x4

+ x1x3 + x1x4 + x1 + x2x3 + x2 + x3x4x5 + x4x5 + 1. ut Harvesting the cyclotomic numbers So far there is no closed formula for cyclotomic numbers deﬁned in (10), except in several limited classes. Storer’s textbook [40] and a more recent one by Ding [9] have more details. Determining the values computationally is a by-product of our implementation in which we obtain the respective cyclotomic numbers on the input parameters speciﬁed in Table 4. They are available for download in our online repository [14].

6 Product of Irreducibles

The approach via Zech’s logarithms can be used in tandem with the one in [6] to generate de Bruijn sequences of even larger orders. To keep the exposition brief, we retain the notations from the said reference. Binary de Bruijn Sequences via Zech’s Logarithms 21

Fig. 2 A simpliﬁed adjacency subgraph Ge for f(x) = x10 + x3 + 1 with t = 31.

n Table 4 The Input Parameters of the Computed (i, j)t for 0 ≤ i, j ≤ t n Set of feasible t A suitable p(x) 4 {3} x4 + x + 1 6 {3, 7} x6 + x + 1 8 {3, 5, 15} x8 + x5 + x3 + x + 1 9 {7} x9 + x4 + 1 10 {3, 11, 31, 93} x10 + x3 + 1 11 {23, 89} x11 + x2 + 1 12 {3, 5, 7, 9, 13, 15, 21, 35, 39, 45, 63, 91, 105, 117, 315} x12 + x8 + x2 + x + 1 14 {3, 43, 127, 381} x14 + x12 + x2 + x + 1 15 {7, 31, 151, 217} x15 + x4 + x2 + x + 1 16 {3, 5, 15, 17, 51, 85, 255} x16 + x12 + x3 + x + 1

Let {f1(x), f2(x), . . . , fs(x)} be a set of s pairwise distinct irreducible polyno- 2ni −1 mials over 2. Each f (x) has degree n , order e with t = , and a root β . F i i i i ei i Let the respective associated primitive polynomials be pi(x) with degree ni and i i i i root αi. Hence, Ω(fi(x)) = [0] ∪ [u0] ∪ [u1] ∪ ... ∪ [uti−1]. Let the initial state of u0 ni be (1, 0) ∈ F2 . The initial states of uj for j ∈ 1, ti − 1 follows by decimating the J K appropriate m-sequence mi generated by pi(x). For the rest of this section, let s s Y X f(x) := fi(x) and n := ni. (17) i=1 i=1 We use the expression for the cycle structure of Ω(f(x)) given in [6, Lemma 3 Eq. (7)]. For any cycle Γ := [u1 + L`2 u2 + ··· + L`s us ] containing a state v 1 i1 i2 is the goal is to identify a cycle Γ2 that contains v. Letting P be the matrix deﬁned ji in [6, Section III.B], v = (v1,..., vs)P with vi := ϕ(αi ) for i ∈ 1, s . One then gets J K 22 Z. Chang et al. a state ai of some nonzero sequence in Ω(fi(x)) satisfying (a1,..., as)P = (1, 0). The exact position of each ai in the corresponding cycle in Ω(fi(x)), i.e., the exact γi value of γi satisfying ai = ϕ(αi ) is computed using the method from Section 3 or by an exhaustive search when ni is small. The conjugate state v = (b1,..., bs)P of v must then be

ji γi ji γi γi ji−γi γi+τi(ji−γi) bi = ϕ(αi )+ ϕ(αi ) = ϕ(αi + αi ) = ϕ(αi (1+ αi )) = ϕ(αi ), (18) with τ based on p (x). If b is the j -th state of ui for all i, then v must be in i i i i ki cycle Lj1 u1 + Lj2 u2 + ··· + Ljs us . k1 k2 ks Thus, given any nonzero cycle Γ1 in Ω(f(x)) we can determine any of its state v, ﬁnd the conjugate state v, and the cycle Γ2 that v is a state of. If so desired, all conjugate pairs shared by any adjacent cycles can be determined explicitly. Finally, the steps detailed in [6, Sections IV and VI] yield actual de Bruijn sequences. Using f(x) in (17) may become crucial when substantially more than Λn de Bruijn sequences of order a Mersenne exponent n need to be produced. The simplest choice is to use s = 2 with f1(x) an irreducible polynomial of a small degree, 2 e.g., 1 + x or 1 + x + x , and f2(x) any irreducible non-primitive polynomial of degree n − 1 or n − 2, respectively. If even more de Bruijn sequences are required, one should use s ≥ 3 and choose a small ni for i ∈ 1, s − 1 since computing the J K Zech logarithm table relative to a small ni is easy.

7 Zech’s Logarithms and Cross-Join Pairs

Mykkeltveit and Szmidt showed in [33] that, starting from any de Bruijn sequence of a given order n, one can construct all de Bruijn sequences of that order by repeated applications of the cross-join pairing method. We now use Zech’s logarithms to ﬁnd the cross-join pairs of states. This enables us to construct the feedback functions of NLFSRs of maximum period. The Fryers Formula for an m-sequence is a new analytic tool in the theory. We use the coeﬃcients in the formula as an algorithmic tool here.

7.1 Basic Notions and Results

There exists a Boolean function g on n − 1 variables such that any non-singular feedback function h satisﬁes h(x0, x1, . . . , xn−1) = x0 + g(x1, . . . , xn−1) [18]. A modiﬁed de Bruijn sequence S0 of order n is a sequence of length 2n − 1 obtained from a de Bruijn sequence S of order n by removing one zero from S’s tuple of n consecutive zeros.

Theorem 3 ([18]) Let S = (s0, s1, . . . , s2n−1) be a de Bruijn sequence of order n. Then there exists a Boolean function g(x1, . . . , xn−1) such that

n st+n = st + g(st+1, . . . , st+n−1) for t ∈ q0, 2 − n − 1y .

Let (α = (a0, A), α = (a0 + 1, A)) and (β = (b0, B), β = (b0 + 1, B)) be two conjugate pairs from a feedback function h, given A = (a1, a2, . . . , an−1) =6 B = (b1, b2, . . . , bn−1). Then (A, B) is the corresponding cross-join pair generated by Binary de Bruijn Sequences via Zech’s Logarithms 23

the FSR if the states α, β, α, β occur in exactly that order. Let S be a de Bruijn sequence of order n generated by the feedback function h. Let (A, B) be the cross- join pair. Then the feedback function

n−1 n−1 Y Y eh(x0, . . . , xn−1) = h(x0, x1, . . . , xn−1) + (xi + ai + 1) + (xi + bi + 1) (19) i=1 i=1 generates a new de Bruijn sequence R. The modiﬁed sequences S0 and R0 are similarly connected.

Theorem 4 ([33, Theorem 3.1]) Let S and R be distinct de Bruijn sequences of order n. Then S can be obtained from R by repeatedly applying the cross-join method.

Example 6 Consider the de Bruijn sequences of order 5

S = (0000 0110 1100 0100 1011 1110 0111 0101) and R = (0000 0110 1110 1010 0101 1001 1111 0001).

Applying the method on S using the pair (A = 1100, B = 0111) results in an −→ −→ −→ −→ intermediate de Bruijn sequence T := (0000 0110 1100 111 11000 1001 0111 0101) where a right arrow indicates a crossover jump. We obtain R by using the pair (A = 1011, B = 0100) on T. The respective feedback functions

hS = x0 + x1 (x2 · x3 · x4 + x2 · x4 + x3 · x4 + x3 + 1) + x2 (x3 · x4 + x3) + x3 + 1,

hT = x0 + x1 (x2 · x3 · x4 + x2 · x3 + x2 + x3 · x4 + x3 + 1) + x2 · x3 + x3 + 1,

hR = x0 + x1 (x2 · x3 · x4 + x2 · x4 + x3 + 1) + x2 (x3 · x4 + x4 + 1) + x3 + 1,

satisfy Equation (19). ut

7.2 Zech’s Logarithms as Positional Markings

The keen reader must have recognized by now that only a simple adaptation is required to determine cross-join pairs by using Zech’s logarithms. Instead of identifying conjugate pairs whose respective components belong to distinct cycles, we use Zech’s logarithms to identify states α, β, α, β that occur in that exact order in a given (modiﬁed) de Bruijn sequence S. We retain the standard representation of states based on the ϕ map with 1, 0n−1 as the initial state of any m-sequence of order n. We demonstrate how to use Zech logarithms to recursively identify cross-join pairs in an m-sequence to generate numerous feedback functions of the NLFSRs that produce modiﬁed de Bruijn sequences. Remark 1 comes in handy here. Let α be a root of the primitive trinomial p(x) = x31 +x3 +1. Using the Double map, one gets τ(3) = 31 and τ(6) = 62. We use the notation c = (3, 6, 31, 62) to refer to two pairs of states (ϕ(α3), ϕ(1 + α3 = α31)) and (ϕ(α6), ϕ(1 + α6 = α62)). Hence, the states of the LFSR, with p(x) as the characteristic polynomial, at the crossover jumps are governed by α = (0, 027, 1, 0, 0) and β = (0, 024, 1, 05). Thus, 24 Z. Chang et al.

a28 = 1 and b25 = 1 while aj = bk = 0 for 1 ≤ j =6 28 ≤ 30 and 1 ≤ k =6 25 ≤ 30. The feedback function of the constructed NLFSR of period 231 − 1 is, therefore,

30 30 Y Y eh = x0 + x3 + (xj + aj + 1) + (xk + bk + 1) j=1 k=1 with algebraic degree 29. Now, consider the primitive trinomial p(x) = x127 + x + 1. From τ(1) = 127 and τ(2) = 254 one obtains the following set of mutually disjoint cross-join pairs

n 8i 1+8i 8i 1+8i o ci = 2 , 2 , 127 · 2 , 127 · 2 for i ∈ 0, 15 . J K From this family we construct 216 −1 NLFSRs. Each of them generates a modified de Bruijn sequence of period 2127 −1 whose feedback function has algebraic degree 125. As in the cycle joining method, we give a basic software implementation in [14] with some randomness added in the procedure. The routine executes the following steps for any order n. 1. Choose a primitive polynomial p(x) of degree n and generate the m-sequence from the initial state 1, 0n−1. 2. Build the Zech’s logarithm table based on p(x). Note that in this simple implementation we use the approach suggested in Remark 1. For larger values of n it is more efficient to obtain the logarithms from MAGMA or its alternatives. 3. Pick random distinct integers a and b satisfying a < b < τ(a) < τ(b). 4. Construct the matrix Ap from Equation (3) and use the square-and-multiply technique based on the binary representations of a and b to quickly find

a b α = (1, 0, 0,..., 0) Ap and β = (1, 0, 0,..., 0) Ap.

5. The resulting feedback function of the modiﬁed de Bruijn sequence follows from applying Equation (19), using α and β, with h derived from p(x). Here is a small instance to illustrate the process.

Example 7 On input n = 5, the routine selected p(x) = x5 +x2 +1. The chosen pair was (a, b) = (3, 17) with (τ(a), τ(b)) = (22, 25). Hence, α = (0, 1, 0, 1, 1) and β = (0, 1, 1, 0, 1). The feedback function of the resulting modiﬁed de Bruijn sequence (10000 10010 11101 10011 11100 01101 0) is eh = x0 + x1 · x2 · x4 + x1 · x3 · x4 + x2. ut

7.3 Fryers’ Formula for m-Sequences

n−1 Let S(n) be the set of functions f : F2 → F2 such that x0 + f(x1, . . . , xn−1) n−1 generate de Bruijn sequences of order n. For a function f : F2 → F2, we deﬁne the set S(f; k) , {g ∈ S(n) : the weight of the function f + g is k}. The number of inputs for which the functions f and g are diﬀerent equals k. Let P k N(f; k) denote the cardinality of S(f; k) and G(f; y) , k N(f; k)y . Let a linear Binary de Bruijn Sequences via Zech’s Logarithms 25

n−1 function ` : F2 → F2 be such that x0 + `(x1, . . . , xn−1) generates an m-sequence m. In [8], Coppersmith, Rhoades, and Vanderkam proved the formula

1 n−1 n−1 G(`; y) = (1 + y)2 − (1 − y)2 (20) 2n which they attributed to M. J. Fryers. The coefficients N(`; k) can be calculated by expanding the powers in Equation (20). The value N(`; 1) = 1 implies that from m we obtain a unique de Bruijn sequence and joining the cycle of the zero state corresponds to one change in the truth table of the function `. In general, N(`; k) = 0 for all even k since an even number of changes in the truth table of ` always lead to disjoint cycles. We discover an interesting combinatorial view on the non-vanishing (> 0) coefficients of the polynomial G(`; y). Recall that ` generates an m-sequence of period 2n−1. Sequence A281123 in OEIS [38] gives the formula for the positive coefficients of the polynomial

n−1 n−1 (1 + y)2 − (1 − y)2 G(`; y) = q(n − 1, y) = . 2n Hence, for odd 1 ≤ k ≤ 2n−1 − 1, the formula for N(`; k) is ! 1 2n−1 N(`; k) = for n ≥ 2. (21) 2n−1 k

The number of cross-join pairs for an m-sequence, given by the Helleseth and Kløve [22] formula (2n−1 − 1)(2n−1 − 2) N(`; 3) = , 3! follows from (21). The analogous formula for higher k

k−1 1 Y N(`; k = 2j + 1 ≥ 5) = (2n−1 − i) (22) k! i=1 gives the number of de Bruijn sequences obtained after the j-th application of cross-join method. One starts from m and append 0 to the longest string of zeroes to obtain a de Bruijn sequence S. One then ﬁnds all of its cross-join pairs and use them to construct new de Bruijn sequences. For each of the sequences repeat the cross-join method j − 1 times. Using (21) we easily obtain the number of de Bruijn sequences of order n:

n−1 n−1 2 −1 2 −1 n−1! X 1 X 2 n−1 G(`; 1) = N(`; k) = = 22 −n, (23) 2n−1 k k=1 k=1 | {z } :=Υ

n−1 since Υ = 22 −1 is the sum of the odd entries in row 2n−1 of the Pascal Triangle. Note that the positive coeﬃcients of G(`; y) are symmetric. Let us examine some small orders. P7 4 For n = 4, one gets k=1 N(`; k)=1+7+7+1=2 . Hence, from a de Bruijn sequence S, modiﬁed from m, there are 7 de Bruijn sequences each that can be 26 Z. Chang et al.

constructed by using 1, respectively 2, application(s) of the cross-join method. There is a unique de Bruijn sequence that requires 3 applications. For n = 5, we know the number of de Bruijn sequences of distance j = 2k + 1 cross-join pairs from a ﬁxed m-sequence of order 5 from the formula

15 X N(`; k) = 1 + 35 + 273 + 715 + 715 + 273 + 35 + 1 = 211. k=1 ; k odd

The Fryers formula for n ≥ 6 can be easily generated by using Equation (21). It tells us when to stop searching for more j cross-join pairs and suggests the following naive approach to generating all de Bruijn sequences of order n. 1. Choose an m-sequence m of period 2n − 1 and the corresponding linear recur- sion `. Find all cross-join pairs in m and use Equation (19) to construct the corresponding feedback fuctions for the resulting N(`; 3) modified de Bruijn sequences. 2. Find all cross-join pairs for each of the just constructed modified de Bruijn sequences and obtain feedback functions from those cross-join pairs. It may happen that some of the NLFSRs produced by different cross-join pairs are identical. A sieving mechanism is put in place in the second application to retain only distinct feedback functions. There are N(`; 5) of them. 3. Repeat the application of the method to the end where only one new NLFSR appears. This ensures that the feedback functions of all modified de Bruijn sequences of order n have been explicitly determined. This naive approach soon becomes impractical. Depending on the specific de- ployment needs, one can certainly throw in some random choices and various measures of stoppage to efficiently produce the feedback functions of only some de Bruijn sequences. The route via Zech’s logarithms allows us to determine the algebraic degree of the resulting feedback function.

8 Conclusions

This work approaches the constructions of binary de Bruijn sequences for all orders n via Zech’s logarithms and demonstrates their practical feasibility. Many such sequences of large orders are produced by both the cycle joining method and the cross-join pairing within reasonable time and memory expenditures. As computational tools we establish further properties of Zech’s logarithms as well as a rapid method to generate irreducible polynomials of degree m | n from a primitive polynomial of degree n. We have also shown how to generate de Bruijn sequences by using LFSRs whose characteristic polynomial are products of distinct irreducible polynomials. For a large n, storing a de Bruijn sequence of order n is not feasible. Our proof-of-concept implementation determines the feedback functions of the resulting NLFSRs explicitly. This makes the approach highly adaptive to application-speciﬁc requirements. In the cycle joining framework one may opt to output subsequent states up to some length, e.g., measured in ﬁle size. The initial state and the spanning tree(s) can be randomly chosen. We also demonstrate how to use the Zech logarithms to quickly identify the cross-join pairs in any m-sequence, especially the Binary de Bruijn Sequences via Zech’s Logarithms 27

one whose characteristic polynomial is a trinomial or a pentanomial. This enables us to determine the feedback functions of the NLFSRs that generate the resulting modiﬁed de Bruijn sequences. We present some consequences of the Fryers formula and use them as computational tools. Our work also points to many open directions in the studies of NLFSRs that generate de Bruijn sequences or their modiﬁed sequences. A comprehensive analysis on their algebraic structure and complexity remains a worthy challenge to undertake.

Acknowledgements M. F. Ezerman gratefully acknowledges the hospitality of the School of Mathematics and Statistics of Zhengzhou University, in particular Prof. Yongcheng Zhao, during several visits. The work of Z. Chang is supported by the National Natural Science Foundation of China Grant 61772476 and the Key Scientiﬁc Research Projects of Colleges and Universities in Henan Province Grant 18A110029. Research Grants TL-9014101684-01 and MOE2013-T2-1-041 support the research carried out by M. F. Ezerman, S. Ling, and H. Wang. Singapore Ministry of Education Grant M4011381 provides a partial support for A. A. Fahreza. J. Szmidt’s work is supported by the Polish Ministry of Science and Higher Education Decision No. 6663/E-294/S/2018.

References

1. van Aardenne-Ehrenfest, T., de Bruijn, N.G.: Circuits and trees in oriented linear graphs. Simon Stevin 28, 203–217 (1951) 2. Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system. I. The user language. J. Symbolic Comput. 24(3-4), 235–265 (1997) 3. Broder, A.: Generating random spanning trees. In: Foundations of Computer Science, 1989., 30th Annual Symposium on, pp. 442–447 (1989). 4. de Bruijn, N.G.: A combinatorial problem. Koninklijke Nederlandse Akademie v. Weten- schappen 49, 758–764 (1946) 5. Chang, Z., Ezerman, M.F., Fahreza, A.A.: On greedy algorithms for binary de Bruijn sequences. CoRR pdf/1902.08744 (2019). URL http://arxiv.org/pdf/1902.08744 6. Chang, Z., Ezerman, M.F., Ling, S., Wang, H.: On binary de Bruijn sequences from LFSRs with arbitrary characteristic polynomials. Des. Codes Cryptogr. 87(5), 1137–1160 (2019) 7. Compeau, P., Pevzner, P., Tesler, G.: How to apply de Bruijn graphs to genome assembly. Nat. Biotechnol. 29(11), 987–991 (2011) 8. Coppersmith, D., Rhoades, R.C., VanderKam, J.M.: Counting De Bruijn sequences as perturbations of linear recursions. CoRR pdf/1705.07835 (2017). URL http://arxiv. org/pdf/1705.07835 9. Ding, C.: Codes from Diﬀerence Sets. World Scientiﬁc, Singapore (2014) 10. Dong, J., Pei, D.: Construction for de Bruijn sequences with large stage. Des. Codes Cryptogr. 85(2), 343–358 (2017) 11. Dragon, P.B., Hernandez, O.I., Sawada, J., Williams, A., Wong, D.: Constructing de Bruijn sequences with co-lexicographic order: The k-ary grandmama sequence. Eur. J. Comb. 72, 1–11 (2018) 12. Dubrova, E.: A scalable method for constructing Galois NLFSRs with period 2n − 1 using cross-join pairs. IEEE Trans. on Inf. Theory 59(1), 703–709 (2013) 13. Etzion, T., Lempel, A.: Algorithms for the generation of full-length shift-register sequences. IEEE Trans. Inf. Theory 30(3), 480–484 (1984) 14. Ezerman, M.F., Fahreza, A.A.: A binary de Bruijn sequence generator from Zech’s logarithms. https://github.com/adamasstokhorst/ZechdB (2017) 15. Ezerman, M.F., Fahreza, A.A.: A binary de Bruijn sequence generator from product of irreducible polynomials. https://github.com/adamasstokhorst/debruijn (2018) 16. Fredricksen, H.: A class of nonlinear de Bruijn cycles. J. Combinat. Theory, Ser. A 19(2), 192 – 199 (1975) 17. Fredricksen, H.: A survey of full length nonlinear shift register cycle algorithms. SIAM Rev. 24(2), 195–221 (1982) 28 Z. Chang et al.

18. Golomb, S.W.: Shift Register Sequences. Aegean Park Press, Laguna Hills (1981) 19. Golomb, S.W., Gong, G.: Signal Design for Good Correlation: for Wireless Communica- tion, Cryptography, and Radar. Cambridge Univ. Press, New York (2004) 20. Hauge, E.R., Helleseth, T.: De Bruijn sequences, irreducible codes and cyclotomy. Discrete Math. 159(1-3), 143–154 (1996) 21. Hauge, E.R., Mykkeltveit, J.: On the classification of de Bruijn sequences. Discrete Math. 148(13), 65 – 83 (1996) 22. Helleseth, T., Kløve, T.: The number of cross-join pairs in maximum length linear sequences. IEEE Trans. on Inf. Theory 37(6), 1731–1733 (1991) 23. Huang, Y.: A new algorithm for the generation of binary de bruijn sequences. J. Algorithms 11(1), 44 – 51 (1990) 24. Huber, K.: Some comments on Zech’s logarithms. IEEE Trans. on Inf. Theory 36(4), 946–950 (1990) 25. Hume, M.A., Barrera, L.A., Gisselbrecht, S.S., Bulyk, M.L.: UniPROBE, update 2015: new tools and content for the online database of protein-binding microarray data on protein–DNA interactions. Nucleic Acids Research 43(D1), D117–D122 (2014) 26. Jacobi, C.: Uber¨ die kreistheilung und ihre anwendung auf die zahlentheorie. J. Reine Angew. Math. 30, 166–182 (1846) 27. Jansen, C.J.A., Franx, W.G., Boekee, D.E.: An efficient algorithm for the generation of de Bruijn cycles. IEEE Trans. on Inf. Theory 37(5), 1475–1478 (1991) 28. Knuth, D.E.: The Art of Computer Programming. Vol. 4A., Combinatorial Algorithms. Part 1. Addison-Wesley, Upple Saddle River (N.J.), London, Paris (2011) 29. Lempel, A.: On a homomorphism of the de Bruijn graph and its applications to the design of feedback shift registers. IEEE Trans. Comput. C-19(12), 1204–1209 (1970) 30. Lidl, R., Niederreiter, H.: Finite Fields. Encyclopaedia of Mathematics and Its Applica- tions. Cambridge Univ. Press, New York (1997) 31. Mandal, K., Gong, G.: Cryptographically strong de Bruijn sequences with large periods. In: L.R. Knudsen, H. Wu (eds.) Selected Areas in Cryptography, pp. 104–118. Springer, Berlin, Heidelberg (2013) 32. Menezes, A.J., Vanstone, S.A., Oorschot, P.C.V.: Handbook of Applied Cryptography, 1st edn. CRC Press, Inc., Boca Raton, FL, USA (1996) 33. Mykkeltveit, J., Szmidt, J.: On cross joining de Bruijn sequences. Contemporary Mathe- matics 632, 333–344 (2015) 34. Robshaw, M., Billet, O. (eds.): New Stream Cipher Designs. Springer Berlin Heidelberg (2008) 35. Samatham, M.R., Pradhan, D.K.: The de Bruijn multiprocessor network: A versatile par- allel processing and sorting network for VLSI. IEEE Trans. Comput. 38(4), 567–581 (1989) 36. Sawada, J., Williams, A., Wong, D.: Generalizing the classic greedy and necklace constructions of de Bruijn sequences and universal cycles. Electr. J. Comb. 23(1), P1.24 (2016) 37. Sloane, N.J.A.: The Online Encyclopedia of Integer Sequences: Mersenne exponents, primes p such that 2p − 1 is (Mersenne) prime. URL https://oeis.org/A000043 38. Sloane, N.J.A.: The Online Encyclopedia of Integer Sequences: Triangle T read by rows. URL https://oeis.org/A281123 39. Stevens, B., Williams, A.: The coolest way to generate binary strings. Theory Comput. Syst. 54(4), 551–577 (2014) 40. Storer, T.: Cyclotomy and Difference Sets. Lectures in Advanced Mathematics. Markham Pub. Co., Chicago, USA (1967)