Linear Complexity of Periodic Sequences: A General Theory James L Massey1 and Shirlei Scrconek2* Signal and Information Processing Laboratory Swiss Federal Institute of Technology ETTI-Zentrum, CH-8092 Zurich ([email protected]) 2 Instituto de Matematica e Fisica - IMF Universidade Federal de Goias - UFC Departamento de Matematica, Cx Postal 131 74001-970 Goiania GO, BRAZIL Abstract. The linear complexity of an /V-periodic sequence with com- ponents in a field of characteristic p, where A' = np" and gcd(ra,p) = 1, is characterized in terms of the nl' roots of unity and their multiplicities as zeroes of the polynomial whose cofficients are the first N digits of the sequence. Hasse derivatives are then introduced to quantify these multi- plicities and to define a new generalized discrete Fourier transform that can be applied to sequences of arbitrary length Ar with components in a field of characteristic p, regardless of whether or not gcd(Ar, p) = 1. This generalized discrete Fourier transform is used to give a simple proof of the validity of the well-known Games-Chan algorithm for finding the linear complexity of an /V-periodic binary sequence with N = flv and to gener- alize this algorithm to apply to Ar-periodic sequences with components in a finite field of characteristic p when N = pv. It is also shown how to use this new transform to study the linear complexity of Hadamard (i.e., component-wise) products of sequences. Keywords: discrete Fourier transform, 1)F'I\ Gomes-Chan algorithm, Hadamard •product, Hasse derivative, kyperderivative, linear complexity, stream ciphers 1 Introduction The main purpose of this paper is to provide a convenient framework for the study of the linear complexity of periodic sequences with an arbitrary period. In particular when the sequence is an A/-periodic sequence with components in a field of characteristic p and N — np" where gcd(«,p) ^ 1, we seek a formulation that is as convenient as that for the usually studied case when gcd(A/,p) = 1. In Section 2, we give such a formulation in terms of the n,lh roots of unity and their multiplicities as zeroes of the polynomial whose cofficients are the first N This work was done while the author was on leave al ttie F,Til Zurich from CEPFSC, Cx Postal 02976. Brasilia, IJF, BRASIL. CEP 70610-200. N. Koblitz (Ed.): Advances in Cryptology - CRYPTO '96, LNCS 1109, pp. 358-371, 1996. © Springer-Verlag Berlin Heidelberg 1996 359 digits of the sequence. This leads naturally to the use of the Hasse derivative as described in Section 3 to characterize linear complexity. Another purpose of this paper is to introduce a new generalization of the dis- crete Fourier transform that admits application to sequences of arbitrary length N. This is done in Section 4, where it is further shown that the linear complexity of an Ar-periodic sequence with components in a finite field of characteristic p is equal to the appropriately denned "weight" of its generalized discrete Fourier transform. To illustrate the usefulness of the approach in this paper, we give in Section 5.1 a simple proof of the validity of the well-known Games-Chan algorithm for finding the linear complexity of an iV-periodic binary sequence with N = 2V, and we generalize this algorithm to apply to TV-periodic sequences with components in a finite field of charactcrisitic p and N — p". Finally, in Section 5.2, we show how our techniques can be used to study the linear complexity of Hadamard products of sequences. 2 Linear Complexity of Periodic Sequences The linear complexity, £(s), of the semi-infinite F- ary sequence s — so, .si, s-2, • • • where each s, lies in the field F, is the smallest nonnegative integer L for which there exist coefficients c\, c->, • • •, C-Lm F such thai Sj + ciSj-i + • • • + ('!,»]-1. - 0 for all j > L or, equivalently, such that P(D) = (su + SlD + s2D- + ••• )C(D), (1) is a polynomial of degree strictly less than L where C(D) = 1 + cj I) + cnD + L • • • + C.JJD . In engineering terms, £(s) is the length L of the shortest linear fee,dback shift- register (LFSR) that can generate s when the first L digits of s arc initially loaded in the register; the polynomial C(D) is called the connection polynomial of the LFSR. Suppose now that the sequence s is A'-periodic, i.e., ,s,; = fti+N for all i > 0. 2 Then the formal power series ,sn + s-\ I) + .s^/J) + • • • can be written 2 N N 2N .so + .s1/; + .s.,/; +••• =s (D)(\+O + D' + ••• ) where sN(D) = SQ + s\D + S2D2 -\- • • • + .s,v_]Z)A is the polynomial of degree v less than N determined by s' = [,s(), .si, • • • , .s,v-i], and hence 2 s N (.<>u + ,s, D + .s, D + ••• ) (I - D ) = s (D). Multiplying by 1 - DN in (1) thus gives P{D)(\ - DN) = sN{l))C(D), which ensures that deg(f'(/J)) < deg(C(D)). It follows that the necessary and sufficient condition for C(D) = l + ciD + e^D2 + • • +cjDL, with coefficients in F and with 360 CL ^ 0, to be the connection polynomial of the shortest LFSR that generates s, and hence for L = deg(C(D)) to be the linear complexity of s, is that sN(D)C(D)= P(D)(l-DN) (2) where P(D) is a polynomial satisfying gcd{P{D),C{D))=\. (3) The zeroes of 1 — DN are iVth roots of unity by definition and in general lie in some extension field E of F. When a primitive A'11' root of unity [i.e., one which is not also an n"1 root of unity for some ??. with 1 < n < N] does not exist, then the distinct zeroes of 1 — DN will have multiplicity greater than f. Suppose now that -y is a zero of 1 — DN with positive multiplicity k. It follows from (2) and (3) that j is a zero of C(D) with positive multiplicity m if and only if y is a zero of sN(D) with multiplicity //, = k - m > 0. But (2) and (3) also imply that •y can be a zero of ('(D) only when •) is a zero of 1 — DN, and hence we have proved the following useful lemma. Lemma 1. Let C(D) be the connection polynomial of the. shortest LFSR that generates the F-ary N-periodic sequence s. Then a zero, y, of 1 — D with positive multiplicity k is a zero of (J{D) with positive multiplicity m if and only if 7 is a zero of sN(D) with multiplicity j.i such thai 0 < \i < k, m which case m — Ic — fj,. Moreover, C{D) has no zeroes other than those determined in this manner. Consider now the case where the field F has characteristic p so that N may be written as TV = up" where gcd(»,/>) — 1. Then there exists a primitive nth root of unity, a, in some extension field of F so that ft', / = 0, 1, • • • , n. — 1, are the n distinct roots of unify. Moreover. I - DN = (1- Dnf" and hence a* is a zero of 1 — DN with multiplicity p" for i = 0, 1 ,--•,« — 1. Using these facts together with Lemma 1 yields the following result. Proposition 2. Let C(D) be the connection polynomial of the shortest LFSR, that generates the F-ary N-periodic sequence s, where F is a field of prune characteristic p and where N = up" with gcd(n,p) — 1, and let a be a primitive n root, of unity in F or some extension of F. Then a'', where 0 < i < n, is a zero of C(D) with positive multiplicity rn, if and only if a1 is a zero of sN(D) with multiplicity fi{ less than p". in which case rrn ~ p1' — fii. Moreover, these are all the zeroes of C(D) so that the linear complexity of s is C(s) — m0 + mi + • • • + ">n-i • Note that [i{ -= 0 or m, — 0 in the proposition indicates that a' is not a zero of s (D) or (J(D),, respectively. The usefulness of this proposition is that it characterizes the linear complexity of the TV-periodic sequence s entirely in terms of the multiplicities of the n roots of unity as zeroes of sN(D), a polynomiai 361 directly available from the sequence s. 01' course, as the lemma states, this is equivalent to determining the multiplicities of the nlh roots of unity as zeroes of C{D) or, again equivalcntly, of the reciprocal polynomial of C(D), which is often called the characteristic polynomial of the sequence. Determining the linear complexity of an iV-periodic sequence by ''counting zeroes" of its characteristic polynomial is a technique that has been used by many authors, cf. [8], [13] and particularly [15], p. 78, but the emphasis on "counting zeroes" in sN(D) appears to be novel. To proceed further with such zero-counting, we require the derivative described in the next section. 3 Hasse Derivatives and Hasse Matrices Let i'\D\ denote the ring of polynomials in the indeterminate I) with coefficients in a field /•' and let a(D) = J2iaiD' be a polynomial in F[D}. The jth formal derivative of a(D) is defined to be the polynomial £;)*"-'• The usefulness of the formal derivative m a field of prime characteristic p is greatly limited by the fact that a(j)(L>) = 0 for all j > p because then j\ = 0. Of greater utility in such fields is the jlh Hasse derivative [7] (sometimes called the jth hyperdcrivative [9], and, particularly when extended to rational functions, the Hasse-Teichmuller derivative [6], [16]).