SN Computer Science manuscript No. (will be inserted by the editor)

Binary de Bruijn Sequences via Zech’s Logarithms

Zuling Chang · Martianus Frederic Ezerman · Adamas Aqsa Fahreza · San Ling · Janusz Szmidt · Huaxiong Wang

Received: date / Accepted: date

Abstract The focus of this work is to show how to tially used, for ease of generation. The process can be combine Zech’s logarithms and each of the cycle joining repeated on each of the resulting de Bruijn sequences. and cross-join pairing methods to construct binary de Most prior constructions in the literature measure Bruijn sequences. Basic implementations are supplied the complexity of the corresponding bit-by-bit algo- as proofs of concept. rithms. Our approach is different. We aim first to build The cycles, in the cycle joining method, are typi- a connected adjacency subgraph that is certified to con- cally generated by a linear feedback shift register. We tain all of the cycles as vertices. The ingredients are prove a crucial characterization that determining Zech’s computed just once and concisely stored. Simple strate- logarithms is equivalent to identifying conjugate pairs gies are offered to keep the complexities low as the order shared by any two distinct cycles. This speeds up the grows. task of building a connected adjacency subgraph that Keywords Binary de Bruijn sequence · cycle struc- contains all vertices of the complete adjacency graph. ture · conjugate pair · cross-join pair · Zech’s logarithms Distinct spanning trees in either graph correspond to cyclically inequivalent de Bruijn sequences. As the cy- Subject Classification (2000) 11B50 · cles are being joined, guided by the conjugate pairs, we 94A55 · 94A60 track the changes in the feedback function. We show how to produce certificates of existence for spanning trees of certain types to conveniently handle large or- 1 Introduction der cases. A binary de Bruijn sequence of order n ∈ has pe- The characterization of conjugate pairs via Zech’s N riod N = 2n in which each n-tuple occurs exactly once. logarithms, as positional markings, is then adapted to n−1 Up to cyclic equivalence, there are 22 −n of them [5]. identify cross-join pairs. A modified m-sequence is ini- A naive approach capable of generating all of these se- quences, e.g., by generating all Eulerian cycles in the de Bruijn graph, requires an exponential amount of space. Z. Chang School of Mathematics and Statistics, Zhengzhou University, Adding a 0 to the longest string of 0s in a maximal Zhengzhou 450001, China length sequence, also known as an m-sequence, of pe- E-mail: zuling [email protected] riod 2n − 1 produces a de Bruijn sequence of order n. M. F. Ezerman ( ) · A. A. Fahreza · S. Ling · H. Wang 1 n There are Λn := n φ(2 − 1) such m-sequences where Division of Mathematical Sciences, School of Physical and φ(·) is the Euler totient function. There is a bijection Mathematical Sciences, Nanyang Technological University, 21 Nanyang Link, Singapore 637371 between the set of all m-sequences and the set of primi- E-mail: {fredezerman,adamas,lingsan,HXWang}@ntu.edu.sg tive polynomials of degree n in F2[x]. As n grows large, 2n−1−n J. Szmidt Λn soon becomes miniscule in comparison to 2 . Military Communication Institute, ul. Warszawska 22 A, 05- In terms of applications, there is quite a diversity in the 130 Zegrze, Poland community of users. This results in varied criteria as to E-mail: [email protected] what constitute a good construction approach. 2 Z. Chang et al.

Mainly for cryptographic purposes, there has been a bits of storage in n units of time. Etzion and Lempel sustained interest in efficiently generating a good num- in [14] considered a shift register that produced many ber of de Bruijn sequences of large orders. For stream short cycles which were then joined together. They pro- cipher applications (see, e.g., the 16 eSTREAM final- posed two constructions based on, respectively, pure cy- ists in [35]), it is desirable to have high unpredictability, cling registers PCRs and pure summing registers PSRs. i.e., sequences with high nonlinearity, while still being For a PCR, the number of produced sequence is expo- somewhat easy to implement. This requires multiple nential with base 2 (see [14, Theorem 2] for the exact measures of complexity to be satisfied. Due to their lin- formula), with time complexity O(n) to produce the earity, modified m-sequences are unsuitable for crypto- next bit. It was quite expensive in memory, requiring graphic applications. approximately 3n plus the exponent of 2 in the exact Bioinformaticians want large libraries of sequences formula. For PSR, the number of produced sequence n2 to use in experiments [26] and in genome assembly [8]. is ≈ 2 4 with its bit-by-bit algorithm costing O(n) in Their design philosophy imposes some Hamming dis- time and O(n2) in memory. tance requirements, since a library must not have se- Huang showed how to join the pure cycles of the quences which are too similar to one another or exhibit- complementing circulating register f(x1, . . . , xn) = x1 ing some taboo patterns. Secrecy or pseudorandomness in [24]. Its bit-by-bit algorithm took 4n bits of stor- is often inconsequential. Designers of very large scale age and 4n units of time. The resulting sequences tend integrated circuits often utilize binary de Bruijn mul- to have a good local 0 and 1 balance. In the work of tiprocessor network [36]. Important properties include Jansen et al. [28], the cycles were generated by an LFSR the diameter and the degree of the network. The objec- with feedback function f(x) that can be factored into tive here is to have a small layout that still allows for r irreducible polynomials of the same degree m. The many complete binary trees to be constructed system- number of produced de Bruijn sequences was approxi- atically for extensibility, fault-tolerance, and self diag- mately O(22n/ log(2n)). Its bit-by-bit complexity was 3n nosability. bits of storage and at most 4n FSR shifts. Numerous subsequent works, until very recently, are listed with 1.1 Prior Literature the details on their input parameters and performance complexity in [7, Table 4]. Given its long history and numerous applications, the The cross-join pairing method begins with a known quest to efficiently generate de Bruijn sequences has de Bruijn sequence, usually a modified m-sequence. One produced a large literature and remains very active. then identifies cross-join pairs that allow the sequence, Most known approaches fall roughly into three types, seen as a cycle of period 2n, to be cut and reconnected each to be briefly discussed below. In terms of com- into inequivalent de Bruijn sequences from the initial plexity, it is customary to specify the memory and time one. Two representative works on this method were requirements to generate the next bit, i.e., the last en- done by Helleseth and Kløve in [23] and by Mykkeltveit try in the next state given a current state. Such an and Szmidt in [34]. algorithm is called a bit-by-bit algorithm. Readers who The third method, where we collect rather distinct are interested in the hardware implementation of de approaches, is less clear-cut than the first two. The Bruijn sequence generators can find a recent in-depth defining factor is that they follow some assignment rules treatment in [42]. or preference functions in producing one symbol at a As the name suggests, the cycle joining approach time using the previous n symbols. Some clarity can builds de Bruijn sequences by combining disjoint cy- perhaps be given by way of several recent examples. cles of smaller periods [18]. One begins, for example, They typically yield only a few de Bruijn sequences. with a linear feedback shift register (LFSR) with an ir- A necklace is a string in its lexicographically small- reducible but nonprimitive characteristic polynomial of est rotation. Stevens and Williams in [40] presented degree n. It produces disjoint cycles, each with a pe- an application of the necklace prefix algorithm to con- riod that divides 2n − 1. One identifies a conjugate pair struct de Bruijn sequences. Their loopless algorithm between any two distinct cycles and combines the cy- took O(n) time. They significantly simplified the FKM cles into a longer cycle. The process is repeated until algorithm, attributed to Fredricksen, Kessler, and Maio- all disjoint cycles have been combined into a de Bruijn rana, that concatenated the aperiodic prefixes of neck- sequence. The mechanism can of course be applied on laces in lexicographic order. In [37], Sawada et al. gave a all identifiable conjugate pairs. simple shift-rule, i.e., a function that maps each length Fredricksen applied the method on pure cycling reg- n substring to the next length n substring, for a de ister of length n in [17]. The bit-by-bit routine took 6n Bruijn sequence of order n. Its bit-by-bit algorithm ran Binary de Bruijn Sequences via Zech’s Logarithms 3 in costant time using O(n) space. Instead of concate- demonstrated by examples. This simple strategy keeps nating necklaces in lexicographic order, Dragon et al. in the complexities low as the order grows. [12] used the co-lexicographic order to construct a de We then show how to adapt finding conjugate pairs Bruijn sequence in O(n) time. Natural subsequences of shared by two smaller cycles in the cycle joining method the lexicographically least sequence had been shown to to finding two conjugate pairs in a given de Bruijn se- be de Bruijn sequences for interesting subsets of strings. quence to use as a cross-join pair, showing how closely The lexicographically-least de Bruijn sequence, due to connected the two methods are. Our constructions by- Martin in 1934, is affectionately known as the grand- pass the need for “scaling,” which has been a common daddy. theme in the studies of NLFSRs since its introduction The use of preference functions is prevalent in many by Lempel in [30]. Some notable recent investigations greedy algorithms for binary de Bruijn sequence. A gen- include the work of Dubrova in [13] and that of Mandal eral greedy algorithm, recently proposed by Chang et and Gong in [32]. al. in [6], included a discussion on how such functions Relevant notions and results on FSRs and Zech’s fit into a unifying picture. logarithms are reviewed in Section 2, with new proper- ties of the logarithms given towards the end. Section 3 1.2 Overview of Our Techniques characterizes conjugate pairs in the cycle structure of irreducible polynomials by Zech’s logaritms based on a We pinpoint the respective exact states in any conju- carefully chosen representation of the states. Section 4 gate pair shared by any two distinct cycles to execute and 5 discuss the adjacency graph and some computa- the cycle joining process. At the core of our method is tional methods to quickly identify spanning trees. Sec- the use of Zech’s logarithms to characterize the conju- tion 6 integrates a product of irreducible polynomials as gate pairs as positional markings. The approach works the characteristic polynomial of the starting LFSR into particularly well when the characteristic polynomial of the current framework. Adapting the Zech’s logarithms the LFSR is an irreducible polynomial or a product of approach to identify cross-join pairs in an m-sequence distinct irreducible polynomials. One can identify and is the core of Section 7. Basic software impementations explicitly generate all of the component cycles with irre- for the cycle joining method, based on both a given irre- ducible characteristic polynomial based on one special ducible polynomial and a product of irreducible polyno- state. mials, as well as for the cross-join pairing on a modified We take a different route in the implementation. In- m-sequence, are given in Section 8. We end with some stead of generating one de Bruijn sequence on the fly conclusions and a general open problem in Section 9. by using a bit-by-bit procedure, our mechanism ensures that users have a ready access to a large supply of binary de Bruijn sequences. In its simplest form, the input con- 2 Preliminaries sists of a primitive polynomial p(x) of degree n having n α as a root and a positive integer t that divides 2 − 1 For integers k < `, let k, ` denote {k, k+1, . . . , `−1, `}. such that there exists a polynomial q(x) of degree n A cyclotomic coset ofJ 2K modulo 2n − 1 containing i t having β = α as a root. The cycle joining method is ni−1 is Di = {i, 2i, . . . , 2 i} with ni the least positive then applied to the cycles whose characteristic polyno- integer such that i ≡ 2ni i (mod 2n − 1). Obviously mial is q(x). ni | n. For each i, the least integer in Di is its coset Preparatory computational tasks, that need to be leader. The set of all coset leaders is called a complete done only once, supply the required ingredients to con- set of coset representatives, denoted by Rn. struct a connected adjacency subgraph Ge. The graph contains all vertices of the complete adjacency graph G whose vertices are the t + 1 cycles. To build de Bruijn sequences from the stored Ge, we can use Knuth’s Al- 2.1 Feedback Shift Registers gorithm S [29, pp. 464 ff.] or an alternative algorithm [7, Algorithm 5], due to Chang et al. , to generate all of An n-stage shift register is a clock-regulated circuit with the spanning trees. The two algorithms share the same n consecutive units, each storing a bit. As the clock complexity, as detailed in [7, Section 8]. If so desired, pulses, each bit is shifted to the next stage in line. A one can quickly choose a spanning tree at random by binary code is generated if one adds a feedback loop running Broder’s Algorithm [4]. Certificates that guar- that outputs a new bit sn based on the n bits s0 = antee the existence of particular spanning trees in G (s0, . . . , sn−1) called an initial state. The codewords are allow us to practically handle large orders, as will be the n-bit states. The Boolean function h that outputs 4 Z. Chang et al. sn on input s0 is called its feedback function. The alge- length that generates s. Given an LFSR with charac- braic normal form (ANF) of h is teristic polynomial f(x), the set Ω(h) is also denoted by Ω(f(x)). To f(x) in (2), one associates a matrix X ai1,i2,...,ik xi1 xi2 ··· xik , with ai1,i2,...,ik ∈ F2   0 0 ... 0 c0 1 0 ... 0 c1  and the sum is over all k-subsets {i1, i2, . . . , ik} of the   0 1 ... 0 c2  set 0, n − 1 . The degree of h is the largest k for which Af :=   . (3) J K ......  ai1,i2,...,ik 6= 0. . . . . .  A feedback shift register (FSR) outputs a sequence 0 0 ... 1 cn−1 s = s0, s1, . . . , sn,... satisfying the recursion On input state s0, the state vectors of the resulting j sequence are sj = s0A for j ∈ {0, 1, 2,...} and si+1 = sn+` = h(s`, s`+1, . . . , s`+n−1) for ` ≥ 0. siA = T si. If the minimal polynomial of a sequence is primitive If si+N = si for all i ≥ 0, then s is N-periodic or with with degree n and α as a root, then it can be obtained period N, denoted by s = (s0, s1, s2, . . . , sN−1). The i- by applying the trace map from F2n onto F2 on the th state of s is si = (si, si+1, . . . , si+n−1) and si+1 is the n sequence 1, α, α2, . . . , α2 −2. The sequence is said to be successor of si. To denote the all zero vector 0, 0,..., 0 or sequence (0) of period 1 we use 0 or 0k. The latter a maximal length sequnce or an m-sequence since it has is preferred when the length k needs to be specified. the maximal period among all sequences generated by Distinct initial states generate distinct sequences, any LFSR with minimal polynomial of degree n. Let m forming the set Ω(h) of 2n elements. A state operator denote an m-sequence. A sequence u is a d-decimation sequence of s, denoted by u = s(d) if u = s for all T turns si into si+1, i.e., si+1 = T si. If s has a state si j d·j (d) and period e, the e distinct states of s are j ≥ 0. A d-decimation m of m is also an m-sequence if and only if gcd(d, 2n − 1) = 1. More properties of e−1 si,T si = si+1,...,T si = si+e−1. sequences in relation to their characteristic and minimal polynomials can be found in [20, Chapter 4] and [31, The shift operator L sends s to Chapter 8].

Ls = L(s0, s1, . . . , sN−1) = (s1, s2, . . . , sN−1, s0), 2.2 Zech’s Logarithms with the convention that L0s = s. The set Among computational tools over finite fields we have [s] := {s,Ls,L2s,...,LN−1s} Zech’s logarithm (see e.g., [20, page 39]). The logarithm is often referred to as Jacobi’s logarithm [31, Exercise is a shift equivalent class or a cycle in Ω(h). One parti- 2.8 and Table B]. It was Jacobi who introduced the tions Ω(h) into cycles and writes the cycle structure as notion and tabulated the values for Fp with p ≤ 103 in [27]. For ` ∈ 1, 2n − 1 ∪{−∞}, the Zech’s logarithm r τ(`) relative toJ α is definedK by 1 + α` = ατ(`) where [ −∞ n [s1] ∪ [s2] ∪ ... ∪ [sr] if [si] = Ω(h). (1) α = 0. It induces a on 1, 2 − 2 . Hu- i=1 ber established the following propertiesJ of Zech’sK loga- rithms over and provided the Zech’s logarithm tables An FSR with a linear feedback function is linear (or Fq for n with 2 ≤ n ≤ 11 in [25]. an LFSR) and nonlinear (or an NLFSR) otherwise. The F2 characteristic polynomial of an n-stage LFSR is 1. It suffices to find the logarithms relative to one prim- itive element. Let distinct primitive polynomials p(x) n n−1 f(x) = x + cn−1x + ... + c1x + c0 ∈ F2[x] (2) and q(x) be of degree n with respective roots α and δ. Then δ = αb for some b with gcd(b, 2n − 1) = 1. when the feedback function is Let τn,α(k) and τn,δ(k) denote the respective loga- n n−1 rithms of k ∈ 1, 2 − 2 relative to α and δ. Then X J K h(x0, . . . , xn−1) = cixi. 1 + δk = 1 + αb·k = ατn,α(b·k) = i=0 −1 −1 αbb τn,α(b·k) = δb τn,α(b·k). To ensure that all generated sequences are periodic, −1 n c0 6= 0. A sequence s may have many characteristic Hence, τn,δ(k) ≡ b τn,α(b·k) (mod (2 −1)). With polynomials. The one with the lowest degree is its min- a primitive element fixed, the notation is τ(k) or imal polynomial. It represents the LFSR of shortest τn(k) to emphasize n. Binary de Bruijn Sequences via Zech’s Logarithms 5

2. The Flip map is given by τn(τn(k)) = k. Knowing the successors of v and v. The feedback function of the τn(k) for any k in a cyclotomic coset Dj is sufficient resulting cycle is i to find τn(2 k) by using the Double map n−1 n Y τn(2k) ≡ 2τn(k) (mod (2 − 1)). (4) eh(x0, . . . , xn−1) = h(x0, . . . , xn−1)+ (xi+vi+1). (8) i=1 The Flip and Double maps send cosets onto cosets of the same size. Continuing this step, all cycles in Ω(h) join into a de 3. Let Inv(j) = 2n − 1 − j ≡ −j (mod (2n − 1)). Then Bruijn sequence. The feedback functions of the resulting de Bruijn sequences are completely determined once the

n corresponding conjugate pairs are found. τn(Inv(j)) ≡ τn(j) − j (mod (2 − 1)). (5)

Inv(k) maps a coset onto a coset of the same size. 4. Let h(x) be a primitive polynomial of degree m hav- 3.1 Basic Notions and Known Results n r (2 −1) ing a root β. Let m | n and β = α with r = (2m−1) . If the Zech’s logarithms relative to β are known, Definition 1 (From [22]) The adjacency graph G of an then 1 + αr·j = 1 + βj = βτm(j) = αr·τm(j). Hence, FSR with feedback function h is an undirected multi- graph whose vertices correspond to the cycles in Ω(h). n τn(r · j) ≡ r · τm(j) (mod (2 − 1)). (6) There exists an edge between two vertices if and only if they are adjacent. A conjugate pair labels every edge. Repeatedly applying Flip and Inv induces a cycle The number of edges between any pair of cycles is the of 6 cosets, except in rare cases (see [25]). Using the number of conjugate pairs that they share. Double map, one then gets the value of τn(k) for all k in the union of these cosets. Clearly G has no loops. There is a bijection between We add the next result, which serves as a useful com- the spanning trees of G and the de Bruijn sequences putational tool, to the properties of Zech’s logarithms. constructed by the cycle joining method (see. e.g., [22] and [21]). The following well-known counting formula

Lemma 1 For known τn(i), τn(j), and τn(i + j), is a variant of the BEST (de Bruijn, Ehrenfest, Smith, and Tutte) Theorem from [1, Section 7]. Recall that n i+j τn(τn(i+j)−τn(j)) ≡ τn(i)+j−τn(j) (mod (2 −1)). the cofactor of entry mi,j in M is (−1) times the (7) determinant of the matrix obtained by deleting the i- th row and j-th column of M. Proof For i, j ∈ 1, 2n − 2 , 1 + αi = ατn(i) if and only j i+j Jτn(i)+j K τn(j) if α + α = α . This is equivalent to α + Theorem 1 (BEST) Let VG := {V1,V2,...,Vk} be the ατn(i+j) = ατn(i)+j. Thus, vertex set of the adjacency graph G of an FSR. Let M = (mi,j) be the k × k matrix derived from G in which mi,i 1 + ατn(i+j)−τn(j) = ατn(i)+j−τn(j).ut is the number of edges incident to vertex Vi and mi,j To apply Lemma 1, one looks for an (i, j) pair such is the negative of the number of edges between vertices that the respective Zech’s logarithms of i, j, and i + j Vi and Vj for i 6= j. Then the number of the spanning are already known, i.e., the elements i, j, and i+j are in trees of G is the cofactor of any entry of M. the union U of cosets with known Zech’s logarithms, but τ(i)−τ(j) ∈/ U. In many cases, a given Zech’s logarithm To generate de Bruijn sequences, especially when is sufficient to deduce all others values. We can write their orders are large, efficient identification of conju- gate pairs is crucial. A de Bruijn sequence generator was Equation (7) as τn(τn(i) − τn(j)) ≡ τn(i − j) + j − τn(j) (mod (2n − 1)). proposed in [7]. Its basic software implementation [16] demonstrates a decent performance up to order n ≈ 20 when the characteristic polynomials are products of dis- 3 Zech’s Logarithms and Conjugate Pairs tinct irreducible polynomials. As the order grows, the program soon runs into time complexity issues. Another A state v := (v0, v1, . . . , vn−1) and its conjugate v := contribution can be found in [11]. The work shows how (v0 + 1, v1, . . . , vn−1) form a conjugate pair. Cycles C1 to generate de Bruijn sequences of large orders, say 128, and C2 in Ω(h) are adjacent if they are disjoint and but without supplying time or space complexity anal- there exists v in C1 whose conjugate v is in C2. Adja- ysis. The above examples indicates that dealing with cent cycles merge into a single cycle by interchanging large order demands much faster algorithmic tools. 6 Z. Chang et al.

i Let µ(n) be the M¨obiusfunction. There are with ϕ(α ) as the initial state of ui for i ∈ 0, t − 1 . J n K In particular, the initial state of u0 is (1, 0) ∈ F2 . Note 1 X n µ(d)2 d that ϕ induces a correspondence between C and [u ] n i i d|n (see [21, Theorem 3]). In other words, ui and the se- quence of states of u , namely ((u ) , (u ) ,..., (u ) ), binary irreducible polynomials of degree n. All irre- i i 0 i 1 i e−1 where ducible polynomials of (prime) degree n are primitive if and only if 2n − 1 is prime. Such an n is called a (ui)j = (ai+jt,0, ai+(j+1)t,0, . . . , ai+(j+n−1)t,0) Mersenne exponent. Although not known to be finite, i j Mersenne exponents are sparse [38]. Thus, for most n, = ϕ(α β ) for j ∈ 0, e − 1 , J K there are many more irreducible than primitive poly- are equivalent. The state ϕ(αiβj) corresponds to the nomials. Each such polynomial yields a number of de element αiβj ∈ C . Hence, u ←→ C . This provides a Bruijn sequences if one can efficiently identify the con- i i i convenient method to find the exact position of any jugate pairs. We show how to accomplish this task. state v = (v , v , . . . , v ) ∈ n in some cycle in A primitive polynomial p(x) ∈ [x] of degree n 0 1 n−1 F2 F2 Ω(f(x)). having a root α can be identified in several ways, (see, e.g., [2, Section 4.4]). Many computer algebra systems Proposition 1 [21, Corollary 2] The states ϕ(θ) and have routines that output primitive polynomial(s) of ϕ(θ + 1) form a conjugate pair for all θ ∈ F2n . a specified degree. Combining a decimation technique and the Berlekamp-Massey algorithm on input p(x) and n a suitable divisor t of 2 − 1 yields the associated irre- 3.2 Efficient Exact Determination of Conjugate Pairs ducible polynomial f(x). It has degree n, order e, and t n a root β = α with e · t = 2 − 1. Notice that n is the We extend Proposition 1 by explicitly determining the n least integer satisfying 2 ≡ 1 (mod e). respective exact positions of the states in their corre- The t distinct nonzero cycles in Ω(f(x)) can be or- sponding cycles. This is far from trivial. First, one needs dered in the language of cyclotomic classes and num- to fix a standard representation of the cycles and then bers using a method from [21]. The cyclotomic classes uses algebraic tools to find the very location of ϕ(θ) in ∗ C ⊆ n , for 0 ≤ i < t, are i F2 C1 and ϕ(θ + 1) in C2. i j i+tj i+s·t i s i Let v = ϕ(α β ) = ϕ(α ) for some i ∈ 0, t − 1 . Ci = {α | 0 ≤ s < e} = {α β | 0 ≤ s < e} = α C0. J K Then v must be the j-th state of ui. Let k = i + tj and k n−1 (9) suppose that α = a0 + a1β + ... + an−1β . We have k a0 = v0 from the definition of ϕ(α ). Note that if f(x) The cyclotomic numbers (i, j)t, for 0 ≤ i, j < t, are t in (2) is irreducible, then c0 = 1. Since β = α ,

(i, j)t = |{ξ | ξ ∈ Ci, ξ + 1 ∈ Cj}| . (10) n−1 n−2 n−1 n−1 k+t X `+1 X `+1 X ` Using the basis {1, β, . . . , β } for F2n we write α = a`β = a`β + an−1c`β = `=0 `=0 `=0 n−1 j X i n a +(a +a c )β +...+(a +a c )βn−1. α = aj,iβ , with aj,i ∈ F2 for j ∈ 0, 2 − 2 . n−1 0 n−1 1 n−2 n−1 n−1 i=0 J K Continuing inductively, it becomes clear that vj is the In vector form, the expression becomes constant term in the linear combination of αk+tj in the j β basis. Hence, α = (aj,0, aj,1, . . . , aj,n−1). (11)

n  Define the mapping ϕ : n → by a0 = v0 F2 F2  a = v j  n−1 1 ϕ(0) = 0, ϕ(α ) = (aj,0, aj+t,0, . . . , aj+(n−1)t,0), (12)  an−2 = v1cn−1 + v2 where the subscripts are reduced modulo 2n −1. By the . an−3 = v1cn−2 + v2cn−1 + v3  recursive relation determined by (11), ϕ is a bijection. . . . . Let   a1 = v1c2 + ... + vn−2cn−1 + vn−1 ui := (ai,0, ai+t,0, . . . , ai+(e−1)t,0). (13) n−1 It is now straightforward to verify that Once a0 + a1β + ... + an−1β and the Zech’s loga- rithms relative to α are known, one gets αk and, thus, Ω(f(x)) = [0] ∪ [u0] ∪ [u1] ∪ ... ∪ [ut−1], (14) v’s position. Binary de Bruijn Sequences via Zech’s Logarithms 7

How can one efficiently generate the cycles in the As n or t grows, finding one such p(x) becomes more set Ω(f(x))? Directly using the above definition is not computationally involved. To work around this limita- practical since it requires costly computations over F2n . tion, one starts instead with any primitive polynomial Simply generating them by the LFSR with character- p(x) with a root α and find the corresponding irre- istic polynomial f(x) may fail to guarantee that their ducible f(x) having β = αt as a root. There are tools respective initial states are ϕ(αi) for i ∈ 0, t − 1 . We from finite fields (see, e.g., [31]) that can be deployed. show that decimation is the right toolJ. K We prefer another approach that does not require com- Equation (11) ensures that putations over F2n . An m-sequence m is generated by some primitive m = (a0,0, a1,0, . . . , a2n−2,0) polynomial p(x). By t-decimation we get m(t). We in- put any 2n consecutive bits of m(t) into the Berlekamp- is an m-sequence with characteristic polynomial p(x) [20, Massey Algorithm [33, Section 6.2.3] to get an irre- Chapter 5]. The trace function Tr maps δ ∈ F2n to t Pn−1 2i ducible polynomial f(x) having α as a root. There are i=0 δ ∈ F2. Recall, e.g., from [20, Section 4.6] that i instances where f(x) has degree m | n with m < n. This the entries in m are a = Tr γα : 0 6= γ ∈ n i,0 F2 implies that, for this t, there is no irreducible polyno- for i ∈ 0, 2n − 2 . From m, construct t distinct t- mial of degree n that can be associated with p(x). As decimationJ sequencesK of period e: k traverses Rn, by k-decimation and the Berlekamp- (t) (t) t−1 (t) Massey algorithm, the process provides all irreducible u0 = m , u1 = (Lm) ,..., ut−1 = (L m) . polynomials with root αk. The resulting polynomials k+t·j The resulting sequences have (uk)j = Tr γα for form the set of all irreducible polynomials with degree k ∈ 0, t − 1 and j ∈ 0, e − 1 . Each [ui] is a cycle in |Ck| = m | n. For t ∈ Rn, t is valid to use if and only if t Ω(f(Jx)) sinceK β = α .J We needK to find an initial state |Ct| = n. n v of m such that the initial state of u0 is (1, 0) ∈ F2 . Proposition 2 For a valid t, let the m-sequence m2, Let Ap be the associate matrix of p(x). Then the re- (i·t) whose characteristic polynomial is p2(x), be derived by spective first elements of vAp for t ∈ 0, n − 1 must d -decimating the m-sequence m , which is generated be 1, 0,..., 0. A system of equations toJ derive Kv can j 1 by p (x). Let Ψ be the mapping, induced by the dec- be constructed. Let κ be the number of 1s in the bi- 1 dj (i·t) imation, that sends p1(x) to p2(x). Let pi(x) be the nary representation of i · t. Computing Ap is efficient respective associated primitive polynomial of the irre- using the square-and-multiply method, taking at most ducible polynomial q (x), both of degree n. The mapping log bi · tc squarings and κ multiplications. i 2 Γ is induced by the mapping α 7→ β = αt. Then we We use v and p(x) to derive the first n · t entries t i i i have the commutative diagram of m. The respective initial states ϕ(α0), . . . , ϕ(αt−1) of u0,..., ut−1 in Ω(f(x)) immediately follow by dec- Ψdj imation. Thus, one gets ϕ(αj) for any j. This allows p1(x) p2(x) us to quickly find the desired initial state of any cy- Γt Γt . i j cle, even for large n. Given the state (ui)j = ϕ(α β ), Ψdj k i j+k q1(x) q2(x) we have T [(ui)j] = ϕ(α β ). At this point, given an irreducible polynomial f(x) with root β and order n e = 2 −1 , we need a primitive polynomial p(x) with the Proof Let αi be a primitive root of pi(x). Hence, there t t same degree as f(x) and a root α satisfying β = αt. In exists a root βi of qi(x) such that βi = αi. Applying the general, such a p(x) is not unique [7, Subsection 3.2]. trace map Tr shows that the two directions coincide by Here we provide a method to find one. the commutativity of the exponents in a multiplication. ut For k ∈ 1,Λn , let pk(x) be a primitive polyno- mial of degreeJ n thatK generates the m-sequence m . k We can now characterize the conjugate pairs shared The set of all shift inequivalent m-sequences with pe- by any two distinct cycles by Zech’s logarithms. In riod 2n −1 is {m , m ,..., m }. The elements are the 1 2 Λn fact, determining the respective initial states of [u ]: d -decimation sequences of any m for all d satisfying i j k j i ∈ 1, t − 1 is not even necessary since ensuring that n (t) gcd(dj, 2 − 1) = 1. We derive m of period e and Jn−1 K k (1, 0 ) is the initial state of [u0] is sufficient for im- check if it shares a common string of 2n consecutive plementation. elements with a sequence whose characteristic polyno- mial is f(x). If yes, then we associate pk(x) with f(x). Theorem 2 Let α be a root of a primitive polynomial Testing all ks guarantees a match between f(x) and p(x) of degree n and τ() be the Zech’s logarithm with some pk(x) without costly operations over F2n . respect to α. Let f(x) be the irreducible polynomial of 8 Z. Chang et al.

2n−1 t ϕ(α0 = α0β0) = (1, 0, 0, 0) = (u ) degree n and order e = t having a root β = α , i.e., 0 0 1 1 0 f(x) is associated with p(x). ϕ(α = α β ) = (0, 1, 1, 1) = (u1)0 2 2 0 Let [ui] and [u`] be distinct nonzero cycles in Ω(f(x)) ϕ(α = α β ) = (0, 0, 1, 0) = (u2)0 3 0 1 constructed above, i.e., i, ` ∈ 0, t − 1 with i 6= `. Let ϕ(α = α β ) = (0, 0, 0, 1) = (u0)1 j i i+tj J K 4 1 1 v := T ϕ(α ) = ϕ(α ) be the j-th state of [ui] and ϕ(α = α β ) = (1, 1, 1, 1) = (u1)1 k ` `+tk 5 2 1 v := T ϕ(α ) = ϕ(α ) be the k-th state of [u`]. Then ϕ(α = α β ) = (0, 1, 0, 1) = (u2)1 6 0 2 (v, v) forms a conjugate pair if and only if ` + tk = ϕ(α = α β ) = (0, 0, 1, 1) = (u0)2 7 1 2 τ(i + tj). ϕ(α = α β ) = (1, 1, 1, 0) = (u1)2 8 2 2 ϕ(α = α β ) = (1, 0, 1, 0) = (u2)2 9 0 3 ϕ(α = α β ) = (0, 1, 1, 0) = (u0)3 Proof Let η and γ be elements of F2n . Then ϕ(η) is 10 1 3 j ϕ(α = α β ) = (1, 1, 0, 1) = (u1)3 a state of ui if and only if η = α and j ∈ Ci. It is 11 2 3 ϕ(α = α β ) = (0, 1, 0, 0) = (u2)3 therefore clear that ϕ(η) + ϕ(γ) = ϕ(η + γ). Observe 12 0 4 0 ϕ(α = α β ) = (1, 1, 0, 0) = (u0)4 that ϕ(α = 1) and 0 are conjugate. The conjugate of 13 1 4 j n ϕ(α = α β ) = (1, 0, 1, 1) = (u1)4 ϕ(α ) with j ∈ 1, 2 − 2 is 14 2 4 J K ϕ(α = α β ) = (1, 0, 0, 1) = (u2)4 ϕ(αj) = ϕ(1) + ϕ(αj) = ϕ(1 + αj) = ϕ(ατ(j)), The respective Zech’s logarithms are where ϕ(1) = (1, 0,..., 0). The conjugate of any state {τ(i): i ∈ 1, 14 } = j τ(j) J K ϕ(α ) in cycle [uj (mod t)] must then be ϕ(α ) in cycle {4, 8, 14, 1, 10, 13, 9, 2, 7, 5, 12, 11, 6, 3}. [uτ(j) (mod t)]. In other words, the conjugate of the j-th All conjugate pairs between any two nonzero cycles can state of cycle [ui], which is be determined by Theorem 2. Knowing τ(3) = 14,

j i i j i+tj for example, one concludes that [u0] and [u2] share T ϕ(α ) = ϕ(α β ) = ϕ(α ), the pair ϕ(α3) = (0, 0, 0, 1) and ϕ(α14) = (1, 0, 0, 1). Conversely, knowing a conjugate pair is sufficient to must be ϕ(ατ(i+tj)). Writing determine the corresponding Zech’s logarithm. Since (0, 0, 1, 1) = ϕ(α6) and (1, 0, 1, 1) = ϕ(α13) form a con- τ(i+tj) = kt+` with k ∈ 0, e − 1 and ` ∈ 0, t − 1 , jugate pair between [u0] and [u1], for instance, one gets J K J K τ(6) = 13.

τ(i+tj) k ` The feedback function derived from f(x) is h = x0 + we confirm that ϕ(α ) = T ϕ(α ) belongs to [u`]. x1 + x2 + x3. By Equation (8), the merged cycle joining Thus, knowing the Zech’s logarithms relative to α [u0] and [u2] based on the conjugate pair (0, 0, 0, 1) and enables us to easily determine all conjugate pairs be- (1, 0, 0, 1) has the feedback function tween two arbitrary cycles in Ω(f(x)). By the defini- tion of cyclotomic numbers, [ui] and [uj] share (i, j)t x1 · x2 · x3 + x1 · x3 + x2 · x3 + x3. conjugate pairs. Conversely, knowing all of the conjugate pairs allows Appending [u1] to the resulting cycle using the conju- us to derive the Zech’s logarithms relative to α. Let a gate pair (0, 0, 1, 1) and (1, 0, 1, 1) shared by [u0] and conjugate pair (v, v) with v = T jϕ(αi) = ϕ(αi+tj) [u1], results in the feedback function and v = T kϕ(α`) = ϕ(α`+tk) be given. Then τ(i + h = x + x + x + x · x tj) = ` + tk since v must be ϕ(ατ(i+tj)). If all of the e 0 1 2 1 3 conjugate pairs are known, a complete Zech’s logarithm that produces a sequence of period 15. Appending a 0 table, relative to α, follows. ut to the string of 3 zeroes in the sequence gives us the de Bruijn sequence (0000 1010 0111 1011).  Example 1 Given f(x) = x4 + x3 + x2 + x + 1, which is irreducible, of order 5 with β as a root, choose p(x) = Remark 1 If f(x) in Theorem 2 is primitive, then the 4 3 x + x + 1 with a root α satisfying α = β as the output is an m-sequence m = (m0, m1, . . . , m2n−2). Let associated primitive polynomial. Let m be the corre- m0 := (m0, . . . , mn−1) = (1, 0). The i-th state mi and sponding m-sequence with initial state (1, 0, 0, 0). By 3- the τ(i)-th state mτ(i) form a conjugate pair. To com- n decimating one derives Ω(f(x)) = [0] ∪ [u0] ∪ [u1] ∪ [u2] pute τ(i) for i ∈ 1, 2 − 2 it suffices to determine the J K with u0 = (1, 0, 0, 0, 1), u1 = (0, 1, 1, 1, 1), and u2 = position of the state m(τ(i)) = mi + m0 by searching. (0, 0, 1, 0, 1). The nonzero 4-stage states are listed be- This fact can be used to find the Zech’s logarithms when low. n is not very large.  Binary de Bruijn Sequences via Zech’s Logarithms 9

4 Spanning Trees Since τ(7) ≡ 21 (mod 31), there are 5 distinct pairs of cycles, each sharing 60 conjugate pairs. The (a2, b2) 4.1 Constructing Enough Number of Spanning Trees pairs (7, 21), (14, 11), (28, 22), (25, 13), (19, 26) are the in- dices of the cycles. One of the 60 conjugate pairs be- When n or a valid t is large, building G completely is 7 9 21  7  tween [u7] and [u21] is (ϕ(α ),T ϕ(α )) since 31 = 0 possible but very often unnecessary and consumes too  300  and 31 = 9. Computing a1 and b1 are easy given the much resources. Using just enough Zech’s logarithms to relevant logarithms, so we omit them from the rest of identify a required number of spanning trees is desir- this example. able. Since there is a unique pair that joins [0] and [u0] Since τ(1) ≡ τ(3) ≡ 0 (mod 31), [u0] shares 60 into one cycle, we focus on the set {[ui]: i ∈ 0, t − 1 }. conjugate pairs each with [u ] for j ∈ {1, 2, 4, 8, 16} ∪ J K j Let j = a1 · t + a2. If τn(j) = b1 · t + b2 with a2, b2 ∈ {3, 6, 12, 24, 17}. Similarly, each adjacent cycles in the

0, t − 1 , then [ua2 ] and [ub2 ] are adjacent. They are list, governed by (i, τ(i) (mod 31)), joinedJ intoK one cycle by the conjugate pair (i, τ(i)) Indices of Adjacent Cycles j a a v = ϕ(α ) = T 1 ϕ(α 2 ) and (5, 3) (3, 5), (6, 10), (12, 20), (24, 9), (17, 18) v = ϕ(ατn(j)) = T b1 ϕ(αb2 ), (15) (15, 22) (21, 27), (11, 23), (22, 15), (13, 30), (26, 29) (35, 7) (4, 7), (8, 14), (16, 28), (1, 25), (2, 19) a2 b2 with ϕ(α ) the initial state of ua and ϕ(α ) that of 2 shares 60 conjugate pairs. We order the cycles as ub2 . We continue the process by identifying some con- jugate pair(s) between enough pairs of adjacent cycles [0], [u0], [u1],..., [u30] until all of the cycles in Ω(f(x)) can be joined. Let τ(j) for some j ∈ 1, 2n − 2 be known. This and build an adjacency subgraph Ge from the computa- J K induces a mapping from Dj onto Dτ(j) with nj := tional results. Applying Theorem 1 with G replaced by 177.21 |Dj| = |Dτ(j)|. If j 6≡ τ(j) (mod t), then, for i ∈ Ge, the approach produces ≈ 2 de Bruijn sequences. 2ij 2iτ(j) Figure 1 is a spanning tree. 0, nj − 1 , states ϕ(α ) and ϕ(α ) belong to dis-  tinctJ cycles.K These states join their corresponding cy- cles into one. Let m be the least positive integer such j [u30] [u29] [u27] [u23] [u15] that (2mj − 1)j ≡ 0 (mod t). Observe that ϕ(αj) and j·2mj ϕ(α ) are states of the same cycle and mj | nj. nj [u ] [u ] [u ] [u ] [u ] Hence, given cosets Dj and D , one derives dis- 13 26 21 11 22 τ(j) mj tinct conjugate pairs between each of the mj distinct pairs of cycles. [u25] [u19] [u7] [u14] [u28] The Zech’s logarithms supply the exact positions of the conjugate pair(s) in the relevant cycles. Once enough conjugate pairs to construct a spanning tree are [u1] [u2] [u4] [u8] [u16] identified, the precise positions to apply the cycle join- ing method, i.e., to exchange successors, appear. Thus, [0] [u0] with (1, 0) as the initial state of u0, we just need to keep track of the precise positions, in terms of the operator [u ] [u ] [u ] [u ] [u ] T and the power of α, governed by the (j, τn(j)) pair. 3 6 12 24 17 The actual construction of the de Bruijn sequences no longer requires storing the initial states of the t nonzero [u5] [u10] [u20] [u9] [u18] sequences in Ω(f(x)). Fig. 1 A spanning tree in Ge of Ω(f(x)) from the primitive Example 2 Consider p(x) = x300 + x7 + 1 and let α be polynomial p(x) = x300 + x7 + 1 and t = 31. a root of p(x), implying τ(7) = 300. Choosing t = 31, the Berlekamp-Massey algorithm outputs

300 194 176 158 97 88 79 f(x) = x + x + x + x + x + x + x + 4.2 A Note on Dong and Pei’s Construction x52 + x43 + x25 + x16 + x7 + 1. Dong and Pei discussed a construction of de Bruijn se- S30 300 Hence, Ω(f(x)) = [0] ∪ i=0[ui]. Let (1, 0) ∈ F2 be quences with large order in [11]. Given an irreducible 2n−1 u0’s initial state. Knowing a specific (i, τ(i)) pair gives polynomial f(x) of degree n, order e, and t = e , us {(j, τ(j)) : j ∈ Di}. Note that |Di| = 300 for all i. they defined a shift register matrix T in the form of 10 Z. Chang et al.

Equation (3) satisfying f ∗(T ) = 0, where f ∗(x) is the store the certificates is negligible and the yield in the reciprocal polynomial of f(x). Given the sequence u0 number of de Bruijn sequences that can be produced is with initial state α0 = (1, 0), one writes any sequence very high. as g(T )u0, where g(x) is some polynomial of degree In instances where [u0] is adjacent to [uj] for j ∈ k e < n. If (1 + x ) 6≡ 1 (mod f(x)), then [u0] and [(1 + 1, t − 1 , the theorem rapidly certifies the existence of k 2j J K T ) u0] are distinct cycles sharing the conjugate pair star spanning trees centered at [u0] in G. The main idea  k2j k 2j  k2j T α0, (1 + T ) α0 . Here T α0 is a state of [u0]. is to build Ge such that it becomes a star graph centered at [u0] with leaves [0] and [uj] for j ∈ 1, t − 1 when we The claim that [u0] shares a conjugate pair with each J K of the other nonzero cycles does not hold in general. replace all of the edges between [u0] and [uj] by a single edge. The certificate contains the following outputs of First, computing (1 + xk)e (mod f(x)) soon be- Algorithm 1. comes prohibitive as n and e grow large. Second, after (1 + xk)e 6≡ 1 (mod f(x)) is verified, it remains unclear 1.A witness W that generates ∆W := {i := k·t for k ∈ k 2j which cycle [(1 + T ) u0] corresponds to. One is left W}, satisfying unable to judge whether it is possible to join all of the [ 1, t − 1 ⊂ {j (mod t): j ∈ D }, cycles in Ω(f(x)) even after a lot of the conjugate pairs Yi J K i∈∆W have√ been determined. Third, and most importantly, t < 2n − 1 is a necessary condition for their method with Yi := τ(i) (mod t). (16) to work [11, Section 5]. In fact, a sufficient and neces- 2. The number #cp of identified conjugate pairs be- sary condition is (0, i)t > 0 for all i ∈ 1, t − 1 . This tween [u ] and [u ]. J K 0 j does not hold in general. Take, for example,√ n = 10 3. A matrix M built from the adjacency subgraph G. 10 3 f e with p(x) = x + x + 1 and t = 31 < 31 · 33. All 4. The exact number #dBSeqs of de Bruijn sequences 10 values 1 ≤ i ≤ 2 − 2 such that τ(i) ≡ 0 (mod t) form that can be constructed. the set

{85, 105, 141, 170, 210, 277, 282, 291, 325, 337, 340, 341, Algorithm 1 Certifying the Existence of a Star Span- 379, 420, 431, 493, 554, 564, 582, 650, 657, 674, 680, ning Tree 682, 701, 727, 758, 840, 862, 875, 949, 986}. Input: A primitive polynomial p(x) of degree n. Output: Witness W,#cp, Matrix Mf and #dBSeqs. 1: N ← 2n − 1 Hence, [u0] can be joined only to [u`] with 2: F2n := F2(α) ← the extension field of F2 defined by p(x) ` ∈ {3, 6, 7, 12, 14, 15, 17, 19, 23, 24, 25, 27, 28, 29, 30}. . α is a root of p(x) 3: Div ← {d : d | (2n − 1)}, where the degree of the minimal polynomial of αd is n Since only 15 out of 30 cycles can be joined with [u0], 4: for t ∈ Div do Dong and Pei’s approach fails here. The next section 5: f(x) ← the minimal polynomial of β := αt . by shows how our method handles such a situation. Berlekamp-Massey Algorithm 6: Initiate sets Done ← {0}, MinSet ← ∅, and W ← ∅ 7: Mf = (mi,j ) ← t × t zero matrix 8: for i ∈ {(2k − 1)t : 1 ≤ k ≤ z} do . Letting z = 2000 5 Certificates for Star and Almost-Star suffices for n ≤ 100 Spanning Trees 9: L ← τ(i) (mod t) 10: cL ← coset leader of DL The characterization in Theorem 2 is nice, but can we 11: if cL (mod t) ∈/ Done then build a huge number of de Bruijn sequences based on 12: MinSet ← {i} ∪ MinSet 13: W ← {2k − 1} ∪ W it? How large can n practically be? Section 4 tells us 14: Done ← Done ∪ {y (mod t): y ∈ DL} that identifying just enough Zech’s logarithms may al- 15: if |Done| = t then 16:# cp ← n ready yield spanning trees. This section examines the |DL| certification process of two types of simple spanning 17: m1,1 ← #cp · (t − 1) + 1 trees. We investigate a set of witnesses from whose val- 18: for r from 2 to t do 19: mr,r ← #cp ues of Zech’s logarithms one can readily build spanning 20: m1,r = mr,1 ← −#cp   trees whose form is either a star or an almost-star. Our 21: output W and #dBSeqs ← det Mf approach is computational, instead of theoretical. The 22: break i latter would require sophisticated tools from analytic number theory. A computational approach allows for a concrete resource allocation. One needs to run the cer- If no star spanning tree can be certified, one can tification procedure only once. The required memory to instead starts by finding an index ` ∈ 1, t − 1 such J K Binary de Bruijn Sequences via Zech’s Logarithms 11 that [u`] is the center of a star graph with [uj] for all and t, the chosen polynomial p(x) and its correspond- j ∈ 0, t − 1 \{`} as its leaves. We extend this star ing f(x) are presented as sets whose elements are the J K graph by appending vertex [0] and the unique edge E0 powers of x, from 1 to n − 1, whose coefficients are 1. 130 3 between [0] and [u0] into a spanning tree in G. We build Hence, for n = 130 and t = 31, p(x) = x + x + 1 Ge by collecting such trees. For convenience we call them and f(x) = x130 + x63 + x31 + x15 + x7 + x3 + 1. Its almost-star spanning trees centered at [u`] in G. witness W = {1, 3, 7, 9, 17, 45} builds A modified version of Algorithm 1 can be used to certify the existence of almost-star spanning trees. We ∆W = {31, 93, 217, 279, 527, 1395}, replace 0 by ` in Line 6 and replace (2k − 1)t in Line 8 implying by (2k − 1)t + `. The entries of Mf, defined in Lines 17 to 20, are now given as follow. {Yi = τ(i) (mod 31) : i ∈ ∆W } = {20, 16, 14, 13, 23, 12}. 1: m ← 1 + #cp, m = m ← −#cp 1,1 1,`+1 `+1,1 The corresponding sets {j (mod t): j ∈ D } are 2: for r from 2 to t do Yi 3: mr,r ← #cp, m`+1,r = mr,`+1 ← −#cp {20, 9, 18, 5, 10}, {16, 1, 2, 4, 8}, {14, 28, 25, 19, 7}, 4: m`+1,`+1 ← #cp · (t − 1) {13, 26, 21, 11, 22}, {23, 15, 30, 29, 27}, {12, 24, 17, 3, 6}.

Example 3 There is no star spanning tree centered at Their union is 1, 30 . Note that [u0] and [u`] share [u ] for p(x) = x10 + x3 + 1 and t = 31. There are ≈ 130 J K 0 5 = 26 conjugate pairs for ` ∈ 1, 30 . Computing for 99.66 2 almost-star spanning trees centered at [u6] with #dBSeqs is then straightforward.J TheK other entries can witness W = {1, 3, 7, 9, 13, 17, 21} and f(x) = x10 + be similarly interpreted. The recorded running time is x9 + x5 + x + 1. for the specified (n, p(x), t) with ` added for cases where If n = 20, then there are 38 choices for t, with 23 the center of the almost-star trees is [u`]. of them being less than 1000. There is no star span- The certificates are easily computable, assuming com- ning tree certificate for p(x) = x20 + x3 + 1 and t ∈ monly available resources in modern PCs. We performed K := {165, 341, 451, 465, 615, 775, 825}. Going through the computations for all of the examples above on a ` ∈ 2, t − 1 produces certificates for almost-star span- laptop with Ubuntu 16.04 OS powered by an Intel i7- ningJ trees forK all t ∈ K. Based on the ` values that yield 7500U CPU 2.90GHz, running Magma V2.24-5 [3] on the most number of de Bruijn sequences, we choose 11.6 GB of available memory. In fact, we computed the ` = 2 for t ∈ {165, 341, 451, 465}, ` = 4 for t = 775, and certificates on input p(x) = x128 + x7 + x2 + x + 1 ` = 10 for t ∈ {615, 825}. Among these combinations and t ∈ {1, 3, 5, 15, 17, 51, 85} on the online calcula- of t and `, the smallest number of de Bruijn sequences tor http://magma.maths.usyd.edu.au/calc/ to show produced is ≈ 2708.80 from (t = 165, ` = 2). The largest, how cheap it is to run. Each t takes less than the 120s 3345.17 which is ≈ 2 , comes from (t = 775, ` = 4).  time restriction when z is set to 100. To get a better sense of the complexities, we imple- There are parameter sets for which there is a unique mented Algorithm 1 and its modification on all n ≤ 300. star spanning tree, yielding only a single de Bruijn se- One can use Magma’s Logarithm Database 20 3 quence. Examples include p(x) = x + x + 1 with (libs/data/FldFinLog) of size 1.61 GB to handle n ≤ t ∈ {41, 123, 205, 275} as well as p(x) = x29 + x2 + 1 4401. Except for a few cases, it suffices to bound t ≤ 100 with t ∈ {233, 1103, 2089} and p(x) = x130 +x3 +1 with on Line 4 and set z in Line 8 to 2000 to guarantee a very t = 131. There are certificates for almost-star span- large number of spanning trees. This keeps the running ning trees for all of them, yielding a large number of de time and memory demand low. On the described ma- Bruijn sequences in each case. chine, with the added restrictions, the simulation for all One can of course utilize both types of certificates n and t combinations took less than 72 hours to com- from the same input parameters. Counting the num- plete. Without loss of generality, due to Proposition 2, ber of, respectively, star and almost-star spanning trees we use the default choice of p(x) in Magma. Interested with ` = 2, for p(x) = x128 +x7 +x2 +x+1 and t = 255 readers may contact the corresponding author for the gives us 21524 + 21778 inequivalent de Bruijn sequences simulation data. while [11, Example 3] yields 21032 sequences. What about the exceptional cases? For Table 1 lists more examples. We emphasize that any primitive polynomial p(x) can be used. For brevity n ∈ {5, 7, 13, 17, 19, 31, 61, 89, 107, 127} we use sparse primitive polynomials. They are either 1 The tables for characteristic 2 are included in the current n k n p(x) = x + x + 1 with 1 ≤ k < n, or p(x) = x + standard distribution as well as in the online calculator for xk + xj + xi + 1 with 1 ≤ i < j < k < n. Given n n ≤ 300 12 Z. Chang et al. al 1 Table No. No. 29 6 130 8 128 7 20 5 300 4 130 3 128 100 2 1 p n p n xmlso tradAms-trSann reCricts o tr h etri [ is center the Star, For Certificates. Tree Spanning Almost-Star and Star of Examples { { 7 7 { { { { { { , , 37 ( ( 2 3 2 3 7 3 2 x x } } , } } } , } ) ) 1 1 } } 233 131 205 5 e nr above 2 Entry See 255 255 25 77 93 f t f t { { { { { { { 10 24 96 96 18 273 97 128 ( ( 30 52 83 110 109 x x , ) ) , , , , , , , , 9 22 68 72 17 89 , , 29 51 82 , , , 220 127 86 108 8 , , , , , , , , , 20 64 65 15 64 28 50 81 , 7 , , 85 , , , 219 , , , , 126 , , , 106 5 18 37 48 14 63 27 46 74 , , 83 4 , , , , , , , , , , , , 16 36 36 9 48 193 125 26 45 70 2 105 , , 82 } 8 , , , , , , , 15 32 34 , 47 , , 44 68 25 , , 4 192 123 30 103 , , , , , , , , 2 14 4 24 43 24 43 67 , , } , , 29 1 , , , , 191 122 , , , 99 } 13 17 42 22 42 66 , 28 , , , , , , , , , 98 12 12 21 165 119 15 41 65 , 7 , , , , , , , , 96 11 10 11 13 40 63 6 , , 164 118 , , , , , 5 , , , 94 5 10 11 39 60 , , 4 , , , 4 , , 139 117 , , , 93 5 , 3 10 38 59 2 , , , 3 } 2 , , , , , 91 , , 9 36 56 111 114 2 1 , , , } 6 , , 89 1 , 31 53 , , } 4 112 , , , , 87 1 } , , { { { { Witness Almost-Star { { { { Witness Star 1 1 1 1 1 1 1 1 343 139 67 29 41 35 141 79 43 19 , , , , , , , , 171 3 3 3 3 3 3 15 , , , , , , , , , , , , , 89 31 53 43 83 45 21 , , , 5 5 5 5 5 5 } 465 143 145 , , , , , , } , , , , , , , 7 9 7 97 9 7 , 91 33 155 73 101 47 27 , , , , , ` } , , 9 15 9 11 9 , 159 , , , 177 , , , 130 2 = 125 , , , 103 37 101 53 29 } , 11 11 11 , , ` u 107 , 17 15 2 = 0 , , , W , , , , , ` } 45 57 31 hl o lotSa h etri [ is center the Almost-Star for while ] 201 , } 187 13 21 13 , , 2 = 107 , 19 23 , 123 , , , , , 49 65 33 17 23 15 , , , , 237 , 929 33 31 111 , , , , , , , 53 77 37 133 19 25 17 , , W 79 33 , } , , , 251 , , , , 55 119 23 , and } , , , , , ` 57 25 , 29 2 = ` , , # # 100 2 2 128 25 26 20 2 64 cp cp ≈ ≈ ≈ ≈ ≈ ≈ # # 2 dBSeqs dBSeqs 2 2 2 2 2 1127 1778 1524 111 912 504 432 881 ...... 45 91 93 44 67 05 u ` ]. 0 0 Time 0 5m41s 0 Time 1m24s 0 1m13s . . . . . 14s 08s 86s 78s 02s Binary de Bruijn Sequences via Zech’s Logarithms 13

γi there is simply no valid t > 1. Table 2 lists n ≤ 128 ai = ϕ(αi ) is computed using the method from Sec- and its smallest t > 1. The memory demand for the tion 3 or by an exhaustive search when ni is small. The shaded entries exceeds 16 GB. The rest of the entries conjugate state v = (b1,..., bs)P of v must then be can be easily handled to obtain the relevant star and ji γi ji γi almost-star certificates. bi = ϕ(αi ) + ϕ(αi ) = ϕ(αi + αi ) A star spanning tree in G exists if and only if the γi ji−γi γi+τi(ji−γi) = ϕ(αi (1 + αi )) = ϕ(αi ), (18) n cyclotomic number (0, j)t > 0 for the given n and t and with τ based on p (x). If b is the j -th state of ui for for all j ∈ 1, t − 1 . Similarly, an almost-star spanning i i i i ki J K all i, then v must be in cycle tree centered at [u`] exists if and only if the cyclotomic number (`, j)n > 0 for the given n and t and for all t Lj1 u1 + Lj2 u2 + ··· + Ljs us  . j ∈ 0, t − 1 \{`}. There are a few cases for which k1 k2 ks J K neither a star nor an almost-star certificate is found. Thus, given any nonzero cycle Γ1 in Ω(f(x)) we can Some of the examples are n = 10 with t = 93, n = 11 determine any of its state v, find the conjugate state v, with t = 89, and n = 12 with t ∈ {91, 105, 117, 315}. and the cycle Γ2 that v is a state of. The insight here We have just seen that, for almost all 4 ≤ n ≤ is that the components (ai, bi) for all i in the conju- 300, there are efficient computational tools to explic- gate pair (v, v) can be rapidly determined by using the itly build star or almost-star spanning trees. In the few Zech’s logarithms, each with respect to the correspond- cases where such certificates are either nonexistent or ing polynomial pi(x) and a suitable ti. If so desired, all too costly to compute, one still has several options at conjugate pairs shared by any adjacent cycles can be hand. Some other types of spanning trees with carefully determined explicitly. Finally, the steps detailed in [7, chosen structures can be certified and stored. The cy- Sections IV and VI] yield actual de Bruijn sequences. cles can also be produced by a product of irreducible Using f(x) in (17) may become crucial when sub- polynomials, which we discuss next. stantially more than Λn de Bruijn sequences of order a Mersenne exponent n need to be produced. The sim- plest choice is to use s = 2 with f1(x) an irreducible 6 Product of Irreducibles polynomial of a small degree d ≥ 2, e.g., 1 + x + x2, and f2(x) any irreducible non-primitive polynomial of The approach via Zech’s logarithms can be used in tan- degree n − d. If even more de Bruijn sequences are re- dem with the one in [7] to generate de Bruijn sequences quired, one should use s ≥ 3 and choose a small ni for of even larger orders. To keep the exposition brief, we i ∈ 1, s − 1 since computing the Zech logarithm table retain the notations from the said reference. J K relative to a small ni is easy. Let {f1(x), f2(x), . . . , fs(x)} be a set of s pairwise distinct irreducible polynomials over F2. Each fi(x) has 2ni −1 degree ni, order ei with ti = , and a root βi. ei 7 Zech’s Logarithms and Cross-Join Pairs Let the respective associated primitive polynomials be pi(x) with degree ni and root αi. Hence, Ω(fi(x)) = Mykkeltveit and Szmidt showed in [34] that, starting [0] ∪ [ui ] ∪ [ui ] ∪ ... ∪ [ui ]. Let the initial state of ui 0 1 ti−1 0 from any de Bruijn sequence of order n, one can con- ni be (1, 0) ∈ F2 . The initial states of uj for j ∈ 1, ti − 1 struct all de Bruijn sequences of that order by repeated J K follows by decimating the appropriate m-sequence mi applications of the cross-join pairing method. We now generated by pi(x). For the rest of this section, let use Zech’s logarithms to find the cross-join pairs of

s s states. This enables us to construct the feedback func- Y X tions of NLFSRs of maximum period. The Fryers for- f(x) := fi(x) and n := ni. (17) i=1 i=1 mula for an m-sequence is a new analytic tool, from which we derive a few combinatorial consequences. We use the expression for the cycle structure of Ω(f(x)) given in [7, Lemma 2 Eq. (7)]. For any cy- cle Γ := [u1 + L`2 u2 + ··· + L`s us ] containing a 1 i1 i2 is 7.1 Zech’s Logarithms as Positional Markings state v the goal is to identify a cycle Γ2 that con- tains v. Letting P be the matrix defined in [7, Section There exists a Boolean function g on n − 1 variables ji III.B], we have v = (v1,..., vs)P with vi := ϕ(αi ) such that any non-singular feedback function h satis- for i ∈ 1, s . One then gets a state ai of some nonzero fies h(x0, x1, . . . , xn−1) = x0 + g(x1, . . . , xn−1) [19]. A J K 0 sequence in Ω(fi(x)) satisfying (a1,..., as)P = (1, 0). modified de Bruijn sequence S of order n is a sequence n The exact position of each ai in the corresponding cy- of length 2 − 1 obtained from a de Bruijn sequence S cle in Ω(fi(x)), i.e., the exact value of γi satisfying by removing a 0 from S’s tuple of n consecutive zeros. 14 Z. Chang et al.

Table 2 Exceptional n for which the smallest t > 1 is larger than 100

n t n t n t n t 29 233 49 127 73 439 101 7432339208719 37 223 53 6361 79 2687 103 2550183799 41 13367 59 179951 83 167 109 745988807 43 431 67 193707721 91 127 113 3391 47 2351 71 228479 97 11447 119 127

Theorem 3 ([19]) Let S = (s0, s1, . . . , s2n−1) be a de by using the pair (A = 1011, B = 0100) on T. The Bruijn sequence of order n. Then there exists a Boolean respective feedback functions function g(x1, . . . , xn−1) such that hS = x0 + x1 (x2 · x3 · x4 + x2 · x4 + x3 · x4 + x3 + 1)

n + x2 (x3 · x4 + x3) + x3 + 1, st+n = st + g(st+1, . . . , st+n−1) for t ∈ 0, 2 − n − 1 . J K hT = x0 + x1 (x2 · x3 · x4 + x2 · x3 + x2

Let + x3 · x4 + x3 + 1) + x2 · x3 + x3 + 1,

hR = x0 + x1 (x2 · x3 · x4 + x2 · x4 + x3 + 1) (α = (a0, A), α = (a0 + 1, A)) and + x2 (x3 · x4 + x4 + 1) + x3 + 1, (β = (b0, B), β = (b0 + 1, B)) satisfy Equation (19).  be two conjugate pairs from a feedback function h, given The keen reader must have recognized by now that only a simple adaptation is required to determine cross- join pairs by using Zech’s logarithms. Instead of identi- A = (a1, a2, . . . , an−1) 6= B = (b1, b2, . . . , bn−1). fying conjugate pairs whose respective components be- Then (A, B) is the corresponding cross-join pair gener- long to distinct cycles, we use Zech’s logarithms to iden- ated by the FSR if the states α, β, α, β occur in exactly tify states α, β, α, β that occur in that exact order in that order. Let S be a de Bruijn sequence of order n a given (modified) de Bruijn sequence S. We retain the generated by the feedback function h. Let (A, B) be standard representation of states based on the ϕ map n−1 the cross-join pair. Then the feedback function with (1, 0 ) as the initial state of any m-sequence of order n. We demonstrate, by way of examples, how to use eh(x0, . . . , xn−1) = h(x0, x1, . . . , xn−1) Zech logarithms to recursively identify cross-join pairs n−1 n−1 Y Y in an m-sequence to generate numerous feedback func- + (xi + ai + 1) + (xi + bi + 1) (19) tions of the NLFSRs that produce modified de Bruijn i=1 i=1 sequences. The procedure applies to any primitive poly- nomial, as shown in Proposition 2. For a concise pre- generates a new de Bruijn sequence R. The modified sentation we use sparse polynomials. The fact stated in sequences S0 and R0 are similarly connected. Remark 1 comes in handy here. Theorem 4 ([34, Theorem 3.1]) Let S and R be dis- Example 5 Let α be a root of p(x) = x31 + x3 + 1. The tinct de Bruijn sequences of order n. Then S can be Double map gives τ(3) = 31 and τ(6) = 62. We use the obtained from R by repeatedly applying the cross-join notation c = (3, 6, 31, 62) to refer to two pairs of states method. (ϕ(α3), ϕ(1 + α3 = α31)) and (ϕ(α6), ϕ(1 + α6 = α62)).

Example 4 Consider the de Bruijn sequences of order 5 Hence, the states of the LFSR, with p(x) as the char- acteristic polynomial, at the crossover jumps are gov- erned by α = (0, 027, 1, 0, 0) and β = (0, 024, 1, 05). S = (0000 0110 1100 0100 1011 1110 0111 0101) and Thus, a28 = 1 and b25 = 1 while aj = bk = 0 for R = (0000 0110 1110 1010 0101 1001 1111 0001). 1 ≤ j 6= 28 ≤ 30 and 1 ≤ k 6= 25 ≤ 30. The feedback function of the constructed NLFSR of period 231 − 1 is, Applying the method on S using the pair (A = 1100, B = therefore, 0111) results in an intermediate de Bruijn sequence −→ −→ −→ −→ 30 30 T := (0000 0110 1100 111 11000 1001 0111 0101) where Y Y eh = x0 + x3 + (xj + aj + 1) + (xk + bk + 1) a right arrow indicates a crossover jump. We obtain R j=1 k=1 Binary de Bruijn Sequences via Zech’s Logarithms 15 with algebraic degree 29. The number of cross-join pairs for an m-sequence, by Now, let p(x) = x127 + x + 1. From τ(1) = 127 and Helleseth and Kløve in [23], τ(2) = 254, one obtains the following set of mutually disjoint cross-join pairs (2n−1 − 1)(2n−1 − 2) N(`; 3) =  8i 1+8i 8i 1+8i 3! ci = 2 , 2 , 127 · 2 , 127 · 2 for i ∈ 0, 15 . J K From this family we construct 216 −1 NLFSRs. Each of follows from Equation (21). The analogous formula for them generates a modified de Bruijn sequence of period higher k 2127 − 1 whose feedback function has algebraic degree k−1 125. The process can be repeated to produce even more 1 Y N(`; k = 2j + 1 ≥ 5) = (2n−1 − i) (22) sequences from additional Zech’s logarithms.  k! i=1

gives the number of de Bruijn sequences obtained after 7.2 Fryers’ Formula for m-Sequences the j-th application of cross-join method. One starts n−1 from m and append 0 to the longest string of zeroes Let S(n) be the set of functions f : F2 → F2 such to obtain a de Bruijn sequence S. One then finds all of that x0 + f(x1, . . . , xn−1) generate de Bruijn sequences n−1 its cross-join pairs and use them to construct new de of order n. For a function f : F2 → F2, let Bruijn sequences. For each of the sequences repeat the S(f; k) := cross-join method j − 1 times. Using (21) we easily obtain the number of de Bruijn {g ∈ S(n) : the weight of the function f + g is k}. sequences of order n: The number of inputs for which the functions f and 2n−1−1 g are different equals k. Let N(f; k) denote the car- X P k G(`; 1) = N(`; k) dinality of S(f; k) and G(f; y) := k N(f; k)y . Let n−1 k=1 a linear function ` : F2 → F2 be such that x0 + n−1 `(x , . . . , x ) generates an m-sequence m. In [9], Cop- 2 −1  n−1 1 n−1 1 X 2 n−1 = = 22 −n, (23) persmith, Rhoades, and Vanderkam proved the formula 2n−1 k k=1 | {z } :=Υ 1  2n−1 2n−1  G(`; y) = n (1 + y) − (1 − y) , (20) 2 n−1 since Υ = 22 −1 is the sum of the odd entries in which they attributed to M. J. Fryers. The coefficients row 2n−1 of the Pascal Triangle. Note that the positive N(`; k) can be calculated by expanding the powers in coefficients of G(`; y) are symmetric. Equation (20). The value N(`; 1) = 1 implies that from m we ob- P7 Example 6 For n = 4, one gets k=1 N(`; k) = 1 + 7 + tain a unique de Bruijn sequence and joining the cycle 7+1 = 24. Hence, from a de Bruijn sequence S, modified of the zero state corresponds to one change in the truth from m, there are 7 de Bruijn sequences each that can table of the function `. In general, N(`; k) = 0 for all be constructed by using 1, respectively 2, application(s) even k since an even number of changes in the truth of the cross-join method. There is a unique de Bruijn table of ` always lead to disjoint cycles. sequence that requires 3 applications. For n = 5, we We discover an interesting combinatorial view on know the number of de Bruijn sequences of distance the non-vanishing (> 0) coefficients of the polynomial j = 2k + 1 cross-join pairs from a fixed m-sequence of G(`; y). Recall that ` generates an m-sequence of period order 5 from the formula 2n−1. Sequence A281123 in OEIS [39] gives the formula for the positive coefficients of the polynomial 15 X n−1 n−1 N(`; k) = (1 + y)2 − (1 − y)2 G(`; y) = q(n − 1, y) = . 2n k=1 ; k odd 1 + 35 + 273 + 715 + 715 + 273 + 35 + 1 = 211. Hence, for odd 1 ≤ k ≤ 2n−1 − 1, the formula is

1 2n−1 The Fryers formula for n ≥ 6 can be easily generated N(`; k) = for n ≥ 2. (21) 2n−1 k from Equation (21).  16 Z. Chang et al.

8 Basic Software Implementations

We make the following basic implementations available online in [15]. They require python 2.7 equipped with sympy and some access to Magma for n > 20, either locally or through internet connection to its online cal- culator. For small orders n ≤ 20, the GitHub repository already contains the Zech’s logarithms.

1. The cycle joining method on input either an irre- ducible polynomial f(x), as treated in Sections 3 and 4, or a set of distinct irreducible polynomials {fi(x) : 1 ≤ i ≤ s}, each of degree ni > 1, described in Section 6. 2. The cross-join pairings on input an m-sequence from Section 7.

Fig. 2 A simplified adjacency subgraph Ge on input the poly- There is a lot of flexibility in terms of output choices, nomial p(x) = x10 + x3 + 1 with t = 31. as the interested readers can explore for themselves. Many users care more about the speed of generation and need only a relatively small numbers of de Bruijn So far there is no closed formula for cyclotomic num- sequences. Others may prefer completeness and would bers defined in (10), except in several limited classes. like to produce all de Bruijn sequences that can be gen- Storer’s textbook [41] and a more recent one by Ding [10] erated from the given input. We cater to both types have more details. Determining the values computation- of users. One may also opt to generate the algebraic ally is a by-product of our implementation. We obtain normal forms, instead of printing an entire sequence. the respective cyclotomic numbers on the input param- eters specified in Table 3 and make them available for Example 7 There are ≈ 2145.73 de Bruijn sequences that download in [15]. can be produced on input p(x) = x10 + x3 + 1 and t = 31. It takes 0.072 seconds and a negligible amount n Table 3 The Input Parameters of the Computed (i, j)t for of memory to output one of them. The simplified ad- 0 ≤ i, j ≤ t jacency subgraph, where multiple edges between two n Set of feasible t n Set of feasible t vertices is presented as one, is in Figure 2 with vertex 4 {3} 12 {3, 5, 7, 9, 13, 15, 21, 35, 39, i ∈ 1, 31 representing [u ] and 0 representing [0]. On i 6 {3, 7} 45, 63, 91, 105, 117, 315} p(x)J = xK22 + x + 1 and t = 89, it takes 5.5 minutes 8 {3, 5, 15} 14 {3, 43, 127, 381} and 680 MB of memory to print one of the ≈ 2425.42 9 {7} 15 {7, 31, 151, 217} sequences out. 10 {3, 11, 31, 93} 16 {3, 5, 15, 17, 51, 85, 255} The program comes with an option to produce the 11 {23, 89} ANF, instead of the actual sequence. Here is such an instance on input p(x) = x6 + x + 1 and t = 7. We have f(x) = x6 + x3 + 1. One of the resulting de Bruijn The option of specifying a t is optional. One may sequences and its ANF are, respectively, want to just get a (randomly) generated de Bruijn se- quences for a specified set of irreducible polynomials, (00000011 01110011 10110001 11111000 as illustrated in the next example. 01011110 10101101 00010010 10011001), Example 8 Choosing, as the input, a set {x4 + x3 + x2 + x + 1, x3 + x + 1, x + 1} and of distinct irreducible polynomials, the routine gener- x0 + x1x2x3x4x5 + x1x2x3x5 + x1x2x4x5+ ates the complete adjacency graph and, then, print one of the resulting sequences, of period 512. The sequence x x x + x x x + x x + x x + x + 1 2 5 1 3 4 1 3 1 4 1 can be chosen either in a deterministic or random man- x2x3 + x2 + x3x4x5 + x4x5 + 1. ner, without affecting the running time significantly. The entire task took around 30 seconds. Binary de Bruijn Sequences via Zech’s Logarithms 17

The second implementation follows the discussion especially the one whose characteristic polynomial is a in Section 7, with some randomness added in the pro- trinomial or a pentanomial. This enables us to deter- cedure. The routine executes the following steps. mine the feedback functions of the NLFSRs that gen- erate the resulting modified de Bruijn sequences. We 1. Choose a primitive polynomial p(x) of degree n and present some consequences of the Fryers formula. generate the m-sequence with (1, 0n−1) as the ini- Our work also points to many open directions in the tial state. studies of NLFSRs that generate de Bruijn sequences 2. Build the Zech’s logarithm table based on p(x) us- or their modified sequences. A comprehensive analysis ing the approach suggested in Remark 1. For larger on their algebraic structure and complexity remains a values of n it is more efficient to use Magma. worthy challenge. 3. Pick random distinct integers a and b satisfying a < b < τ(a) < τ(b). 4. Construct the matrix Ap from Equation (3) and use Ethical Statements the square-and-multiply technique based on the bi- nary representations of a and b to quickly find The authors declare that they have no conflict of inter- a b est. α = (1, 0, 0,..., 0) Ap and β = (1, 0, 0,..., 0) Ap. 5. The resulting feedback function of the modified de Bruijn sequence follows from applying Equation (19), Acknowledgements using α and β, with h derived from p(x). M. F. Ezerman gratefully acknowledges the hospitality Here is a small instance to illustrate the process. of the School of Mathematics and Statistics of Zhengzhou University, in particular Prof. Yongcheng Zhao, during Example 9 On input n = 5, the routine selected p(x) = several visits. x5 + x2 + 1. The chosen pair was (a, b) = (3, 17) with The work of Z. Chang is supported by the National (τ(a), τ(b)) = (22, 25). Hence, α = (0, 1, 0, 1, 1) and Natural Science Foundation of China Grant 61772476 β = (0, 1, 1, 0, 1). The feedback function is eh = x0 + and the Key Scientific Research Projects of Colleges x1 · x2 · x4 + x1 · x3 · x4 + x2 for the modified de Bruijn and Universities in Henan Province Grant 18A110029. sequence (10000 10010 11101 10011 11100 01101 0).  Grants TL-9014101684-01 and MOE2013-T2-1-041 support the research carried out by M. F. Ezerman, 9 Conclusions S. Ling, and H. Wang. Singapore Ministry of Education Grant M4011381 This work approaches the constructions of binary de provides a partial support for A. A. Fahreza. Bruijn sequences via Zech’s logarithms and demonstrates J. Szmidt’s work is funded by the Polish Ministry their practical feasibility. Many such sequences of large of Science and Higher Education, Decision No. 6663/E- orders are produced by both the cycle joining method 294/S/2018. and the cross-join pairing within reasonable time and memory expenditures. As computational tools we es- tablish further properties of Zech’s logarithms as well References as a rapid method to generate irreducible polynomials 1. van Aardenne-Ehrenfest, T., de Bruijn, N.G.: Circuits of degree m | n from a primitive polynomial of degree and trees in oriented linear graphs. Simon Stevin 28, n. We have also shown how to generate de Bruijn se- 203–217 (1951) quences by using LFSRs whose characteristic polyno- 2. Arndt, J.: Matters Computational: Ideas, Algorithms, mial are products of distinct irreducible polynomials. Source Code, 1st edn. Springer-Verlag., New York (2010) 3. Bosma, W., Cannon, J., Playoust, C.: The Magma alge- For a large n, storing a de Bruijn sequence of order bra system. I. The user language. J. Symbolic Comput. n is not feasible. Our proof-of-concept implementation 24(3-4), 235–265 (1997) determines the feedback functions of the resulting NLF- 4. Broder, A.: Generating random spanning trees. In: Foun- SRs explicitly. This makes the approach highly adaptive dations of Computer Science, 1989., 30th Annual Sym- posium on, pp. 442–447 (1989). to application-specific requirements. In the cycle joining 5. de Bruijn, N.G.: A combinatorial problem. Koninklijke framework one may opt to output subsequent states up Nederlandse Akademie v. Wetenschappen 49, 758–764 to some length, e.g., measured in file size. The initial (1946) state and the spanning tree(s) can also be randomly 6. Chang, Z., Ezerman, M.F., Fahreza, A.A.: On greedy algorithms for binary de Bruijn sequences. CoRR chosen. We show how to use the Zech logarithms to pdf/1902.08744 (2019). URL http://arxiv.org/pdf/ quickly identify the cross-join pairs in any m-sequence, 1902.08744 18 Z. Chang et al.

7. Chang, Z., Ezerman, M.F., Ling, S., Wang, H.: On binary 29. Knuth, D.E.: The Art of Computer Programming. de Bruijn sequences from LFSRs with arbitrary charac- Vol. 4A., Combinatorial Algorithms. Part 1. Addison- teristic polynomials. Des. Codes Cryptogr. 87(5), 1137– Wesley, Upple Saddle River (N.J.), London, Paris (2011) 1160 (2019) 30. Lempel, A.: On a homomorphism of the de Bruijn graph 8. Compeau, P., Pevzner, P., Tesler, G.: How to apply de and its applications to the design of feedback shift regis- Bruijn graphs to genome assembly. Nat. Biotechnol. ters. IEEE Trans. Comput. C-19(12), 1204–1209 (1970) 29(11), 987–991 (2011) 31. Lidl, R., Niederreiter, H.: Finite Fields. Encyclopaedia 9. Coppersmith, D., Rhoades, R.C., VanderKam, J.M.: of Mathematics and Its Applications. Cambridge Univ. Counting de Bruijn sequences as perturbations of lin- Press, New York (1997) ear recursions. CoRR pdf/1705.07835 (2017). URL 32. Mandal, K., Gong, G.: Cryptographically strong de http://arxiv.org/pdf/1705.07835 Bruijn sequences with large periods. In: L.R. Knudsen, 10. Ding, C.: Codes from Difference Sets. World Scientific, H. Wu (eds.) Selected Areas in Cryptography, pp. 104– Singapore (2014) 118. Springer, Berlin, Heidelberg (2013) 11. Dong, J., Pei, D.: Construction for de Bruijn sequences 33. Menezes, A.J., Vanstone, S.A., Oorschot, P.C.V.: Hand- with large stage. Des. Codes Cryptogr. 85(2), 343–358 book of Applied Cryptography, 1st edn. CRC Press, Inc., (2017) Boca Raton, FL, USA (1996) 12. Dragon, P.B., Hernandez, O.I., Sawada, J., Williams, 34. Mykkeltveit, J., Szmidt, J.: On cross joining de Bruijn A., Wong, D.: Constructing de Bruijn sequences with sequences. Contemporary Mathematics 632, 333–344 co-lexicographic order: The k-ary grandmama sequence. (2015) Eur. J. Comb. 72, 1–11 (2018) 35. Robshaw, M., Billet, O. (eds.): New Stream Cipher De- 13. Dubrova, E.: A scalable method for constructing Galois signs. Springer Berlin (2008) NLFSRs with period 2n − 1 using cross-join pairs. IEEE 36. Samatham, M.R., Pradhan, D.K.: The de Bruijn mul- Trans. on Inf. Theory 59(1), 703–709 (2013) tiprocessor network: A versatile parallel processing and 14. Etzion, T., Lempel, A.: Algorithms for the generation sorting network for VLSI. IEEE Trans. Comput. 38(4), of full-length shift-register sequences. IEEE Trans. Inf. 567–581 (1989) Theory 30(3), 480–484 (1984) 37. Sawada, J., Williams, A., Wong, D.: Generalizing the 15. Ezerman, M.F., Fahreza, A.A.: A binary de Bruijn se- classic greedy and necklace constructions of de Bruijn quence generator from Zech’s logarithms. https:// sequences and universal cycles. Electr. J. Comb. 23(1), github.com/adamasstokhorst/ZechdB (2017) P1.24 (2016) 16. Ezerman, M.F., Fahreza, A.A.: A binary de Bruijn 38. Sloane, N.J.A.: The Online Encyclopedia of Integer Se- p sequence generator from product of irreducible poly- quences: Mersenne exponents, primes p such that 2 − 1 nomials. https://github.com/adamasstokhorst/debruijn is (Mersenne) prime. URL https://oeis.org/A000043 (2018) 39. Sloane, N.J.A.: The Online Encyclopedia of Integer Se- 17. Fredricksen, H.: A class of nonlinear de Bruijn cycles. J. quences: Triangle T read by rows. URL https://oeis. Combinat. Theory, Ser. A 19(2), 192 – 199 (1975) org/A281123 18. Fredricksen, H.: A survey of full length nonlinear shift 40. Stevens, B., Williams, A.: The coolest way to generate register cycle algorithms. SIAM Rev. 24(2), 195–221 binary strings. Theory Comput. Syst. 54(4), 551–577 (1982) (2014) 19. Golomb, S.W.: Shift Register Sequences. Aegean Park 41. Storer, T.: Cyclotomy and Difference Sets. Lectures in Press, Laguna Hills (1981) Advanced Mathematics. Markham Pub. Co., Chicago, 20. Golomb, S.W., Gong, G.: Signal Design for Good Corre- USA (1967) lation: for Wireless Communication, Cryptography, and 42. Yang, B., Mandal, K., Aagaard. M. D., Gong, G.: Effi- Radar. Cambridge Univ. Press, New York (2004) cient composited de Bruijn sequence generators. IEEE 21. Hauge, E.R., Helleseth, T.: De Bruijn sequences, irre- Trans. Comput. 66(8), 1354–1368 (2017) ducible codes and cyclotomy. Discrete Math. 159(1-3), 143–154 (1996) 22. Hauge, E.R., Mykkeltveit, J.: On the classification of de Bruijn sequences. Discrete Math. 148(13), 65 – 83 (1996) 23. Helleseth, T., Kløve, T.: The number of cross-join pairs in maximum length linear sequences. IEEE Trans. on Inf. Theory 37(6), 1731–1733 (1991) 24. Huang, Y.: A new algorithm for the generation of binary de bruijn sequences. J. Algorithms 11(1), 44 – 51 (1990) 25. Huber, K.: Some comments on Zech’s logarithms. IEEE Trans. on Inf. Theory 36(4), 946–950 (1990) 26. Hume, M.A., Barrera, L.A., Gisselbrecht, S.S., Bulyk, M.L.: UniPROBE, update 2015: new tools and content for the online database of protein-binding microarray data on protein–DNA interactions. Nucleic Acids Re- search 43(D1), D117–D122 (2014) 27. Jacobi, C.: Uber¨ die kreistheilung und ihre anwendung auf die zahlentheorie. J. Reine Angew. Math. 30, 166– 182 (1846) 28. Jansen, C.J.A., Franx, W.G., Boekee, D.E.: An efficient algorithm for the generation of de Bruijn cycles. IEEE Trans. on Inf. Theory 37(5), 1475–1478 (1991)