Feedback with carry shift registers (FCSRs) are a class of finite state devices that are similar to linear feedback shift registers (LFSRs) in their simplicity and statistical randomness, and in that they have algebraic tools for the analysis of their output. In this paper we describe and analyze an alternative architecture for FCSRs that is similar to the Galois architecture for LFSRs. We also explore architectural considerations for d-FCSRs, a natural generalization of FCSRs. Finally, we describe a general framework for algebraically modeling LFSRs, FCSRs, and d-FCSRs in both their Fibonacci and Galois architectures.
Introduction
Pseudorandom binary sequences with various statistical properties (such as high linear span, low cross-correlation values, high pairwise Hamming distance) are important in many areas of communications and computing, such as cryptography, spread spectrum communications, error correcting codes, and Monte Carlo integration. Linear feedback shift registers (LFSRs) provide an economical, fast, and efficient method for generating a wide variety of pseudorandom sequences. During the last few years, the feedback-with-carry shift register (FCSR) architectures and a simple modification, the d-FCSR architectures, have been investigated as alternative methods for the efficient generation of long pseudorandom binary sequences ( [8, 10, 21, 1] ). The analysis of FCSR sequences has quite a different flavor from that of LFSR sequences, although they share an incredible list of parallel properties (see [8, 9, 11, 12, 5] ). The FCSR circuits described in these papers resemble the "Fibonacci" configuration of the linear feedback shift register. The current paper has three objectives:
1. to develop and analyze the "Galois" configuration architecture for FCSRs and d-FCSRs (cf. [18]);
2. to analyze the output sequences of d-FCSR generators and to give a relatively simple procedure for choosing feedback parameters for a d-FCSR; and
3. following [13], to formalize the notion of a mathematical "model" for a finite state machine with output, and to find such models for LFSR, FCSR, and d-FCSR generators, both in their Fibonacci and Galois configurations.
Even in the case of LFSR's, some of these results appear to be new. We now describe these three points in greater detail.
Galois and Fibonacci configurations. (See Section 2.) Recall that a LFSR in the Fibonacci (Figure 1) configuration has several tapped cells. With each clock cycle, the contents of the tapped cells are added and the sum (modulo 2) is returned to the first cell of the shift register. It is well known that if the corresponding connection polynomial is irreducible with degree $r$ and if $\alpha \in F_{2^r}$ is a root, then the output sequence may be described by
where $\mathrm{Tr}$ is the trace function from $F_{2^r}$ to $F_2$. In the Galois representation (Figure 2), with each clock pulse, the output of the last cell is introduced into each of the tapped cells simultaneously, where it is added (modulo 2) to the contents of the preceding cell. Appropriately configured, the same output may be obtained. In Sections 2.1 and 2.2 we review the standard facts about these two configurations, including the "power series" method of analysis and the determination of the initial loading of the registers. In its simplest form (Figure 3), an FCSR consists of a shift register with a small amount of auxiliary memory containing a nonnegative integer. The contents (0 or 1) of the tapped cells are added as integers to the current contents of the memory to form a sum $\sigma$. The parity bit $\sigma \bmod 2$ is fed back into the first cell while the higher order bits $\lfloor \sigma/2 \rfloor$ are retained for the new value of the memory. The output is taken from the last cell and (for appropriate choice of feedback connections) the output sequence is given by $a_i = 2^{-i} \pmod q \pmod 2$.
In Section 2.3 we review the power series analysis of the FCSR in this "Fibonacci" configuration. One might ask whether there is an analogous "Galois" representation for the same FCSR sequences. Such a representation was first discussed in [18] . In Section 2.4 we carry out the power series analysis of the Galois architecture for FCSR sequences. It turns out that the Galois representation is more efficient than the Fibonacci representation since the additions occur simultaneously ("in parallel") and each individual sum involves no more than 3 bits. Moreover the analysis of the initial state is also simpler.
Algebraic Models. (See Section 3.) Equations (1) and (2) amount to representations of the actions of certain LFSRs and FCSRs in their Fibonacci configurations by the action of multiplication by a fixed element in a ring. In Section 3 of this paper we formalize this notion as an algebraic model for a finite state automaton, and describe models for general LFSR's and FCSR's, both in their Galois and Fibonacci configurations. (We also describe models for d-FCSR's in Section 4.) In each case we discover the surprising fact that the natural model for the Fibonacci configuration involves a map from the ring to the set of states (that is, an injective model), while the model for the Galois configuration is simpler and involves a map from the set of states to the ring (that is, a projective model). Even for the case of LFSR's, the model may be fairly subtle if the connection polynomial is reducible.
d-FCSR sequences. (See Section 4.) There is an enormous collection of variations on the basic FCSR architecture which have also been analyzed to varying degrees ( [7, 8, 10, 13, 14, 15] ). Perhaps the simplest of these variations is the d-FCSR ( Figure 5 ), in which the feedback bit is computed but is delayed for d − 1 clock cycles before being fed back. This architecture also has a "Galois" representation which we describe ( Figure 10 ) and for which we also construct models (see below).
In this paper we show how to configure these circuits so as to output pseudorandom sequences of the form $k^i \pmod q \pmod 2$ with choices for $k$ other than $k = 2^{-1}$. It is surprising that such complex feedback mechanisms can be analyzed at all, especially considering the tremendous but largely unsuccessful effort which has been directed toward the analysis of "nonlinear" feedback shift registers over the last thirty years. Throughout this paper, $Z$ denotes the integers, $Q$ denotes the rational numbers, and $F_q$ denotes the Galois field with $q$ elements.
In this section we describe the architecture of LFSRs and FCSRs. In each case we describe both Fibonacci and Galois architectures. Although this material on linear feedback shift registers is classical [3] and well known [22], it is repeated here so as to motivate the analysis of the FCSR and d-FCSR architectures. For the purposes of this article, the contents $a_i$ of each cell is a bit ($a_i \in F_2$), as are the multipliers $q_i$, although exactly the same analysis holds when $a_i, q_j$ are considered to be elements of some finite field. (For this reason, we do not automatically convert all $-1$'s to $+1$'s.)
LFSRs: Fibonacci Architecture
Let us recall some standard facts concerning the Fibonacci representation of LFSRs [3].
The register is initially loaded with bits $a_0, a_1, \ldots, a_{r-1}$. With each clock cycle these bits are added (modulo 2) with weights given by the multipliers $q_i$ and the resulting bit
is fed back into the first cell. This equation is evidently a linear recurrence over the field $F_2$. (See [16] §7 p. 454. The "Fibonacci" designation refers to the fact that the famous Fibonacci series $1, 1, 2, 3, 5, 8, \ldots$ is generated by a similar linear recurrence $a_r = a_{r-1} + a_{r-2}$ over the integers.) To each LFSR of length $r$, one associates the connection polynomial
where $q_1, q_2, \ldots, q_r$ correspond to the $r$ taps on its cells. Some authors consider instead the polynomial
Then $\alpha$ is a root of $q(X)$ if and only if $\alpha^{-1}$ is a root of $b(X)$.
There are (at least) three different approaches to the analysis of the output sequence: the power series method, which is described in the next paragraph, and the Galois field and the ring-theoretic models, described in Section 3.1.
Power series method. Any infinite binary sequence $a = (a_0, a_1, a_2, \ldots)$ may be identified with its generating function $A(X) = \sum_{i=0}^{\infty} a_i X^i$, which is an element of the ring $F_2[[X]]$ of formal power series with coefficients in the integers modulo 2. It is well known (and follows directly from the formula for the sum of a geometric series) that the sequence $a$ is eventually periodic if and only if its generating function is equal to the quotient of two polynomials,
and it is strictly periodic if and only if $\deg(h(X)) < \deg(q(X))$. In this case, the denominator $q(X)$ is the connection polynomial for a LFSR which generates the sequence $a$. The numerator $h(X)$ corresponds to the initial loading; they are related by
LFSRs: Galois Architecture
In the Galois representation ( Figure 2 ), with each clock cycle the output of the last cell is introduced into each of the tapped cells simultaneously, where it is added (modulo 2) to the contents of the preceding cell.
Let $q_1, q_2, \ldots, q_r$ denote the feedback multipliers. The recurrence equations are then given by
As above, form the connection polynomial $q(X) = -1 + \sum_{i=1}^{r} q_i X^i$. The same three methods may be used to analyze the Galois configuration: the power series method (described in the next paragraph), the Galois field model, and the ring theoretic model (described in Section 3.2). However, there is a difference: in the Fibonacci representation the model is injective (cf. §1) while in the Galois representation the model is projective (see Theorems 3.1 and 3.2 of Section 3). Moreover, Formula (5) for the initial loading is considerably simpler than formula (4) for the Fibonacci configuration.
Power series method. Suppose $b = (b_0, b_1, b_2, \ldots)$ is a strictly periodic (infinite) binary sequence, so its generating function $B(X) = \sum_{i=0}^{\infty} b_i X^i$ is the quotient of two polynomials, $B(X) = -h(X)/q(X)$ with $\deg(h) < \deg(q)$.
Theorem 2.1
The denominator $q(X)$ is the connection polynomial for a (Galois)-LFSR which generates the sequence $b$. The numerator $-h(X)$ determines (and is determined by) the initial loading $a_0, a_1, \ldots, a_{r-1}$; they are related by
Proof: We briefly indicate how to prove this well-known result because a similar method will be needed when we consider the Galois FCSR and the Galois d-FCSR architectures. First observe that for any loading $(a_0, a_1, \ldots, a_{r-1})$ of the shift register, the first output bit $b_0$ equals the first coefficient $a_0$ in the power series expansion of $-h(X)/q(X)$ (where $h(X) = \sum_{i=0}^{r-1} a_i X^i$). In particular $qB + h$ has no constant term, so it is divisible by $X$. Now run the shift register by one cycle to obtain a new loading $(a'_0, a'_1, \ldots, a'_{r-1})$ (5), a new function $h'(X) = \sum_{i=0}^{r-1} a'_i X^i$, and a new output series $B'$ with $B = b_0 + XB'$; the recurrence gives $Xh' = h + a_0 q$. Hence $X(qB' + h') = qB + h$. By the above observation, the constant term of $qB' + h'$ vanishes as well, which is to say, $qB + h$ is divisible by $X^2$. By induction we find that $X^n(qB^{(n)} + h^{(n)}) = qB + h$, and so $qB + h$ is divisible by $X^n$ for all $n$, which is to say, it equals $0$. Hence $B(X) = -h(X)/q(X)$. ∎
FCSRs: Fibonacci Architecture
In the FCSR architecture (Figure 3), introduced in [8], the basic shift register is provided with a small amount of auxiliary memory $m$ which is a nonnegative integer. The contents (0 or 1) of the tapped cells are added as integers to the current contents of the memory to form an integer sum $\sigma$. The parity bit $\sigma \bmod 2$ is fed back into the first cell of the shift register while the higher order bits $\lfloor \sigma/2 \rfloor$ are retained for the new value of the memory. So the new values $(a'_0, a'_1, \ldots, a'_{r-1}; m')$ are related to the old values $(a_0, a_1, \ldots, a_{r-1}; m)$ by
It was shown in [8] (and can be seen from the above equations) that, for any initial nonnegative memory value $m$, the memory will decrease exponentially until it lies within the range $0 \le m \le \mathrm{wt}(q+1)$ and will remain in that range forever after. (Here, $\mathrm{wt}(x)$ denotes the number of 1's in the binary expansion of the nonnegative integer $x$.) Therefore memory overflow will never occur provided the FCSR is equipped with at least $1 + \log_2(\mathrm{wt}(q+1))$ memory bits.
To each FCSR one can associate a connection integer
To any infinite binary sequence a = (a 0 , a 1 , a 2 , . . .) one may associate the formal power series
The set of all such power series forms a ring under the obvious operations of addition and multiplication; this is the ring $Z_2$ of 2-adic integers (an elementary review of which is provided in [8]). The ring $Z_2$ contains all fractions $\alpha = m/n$ with $m, n \in Z$, provided that $n$ is odd. The following (number-theoretic) lemma characterizes those 2-adic numbers which are rational numbers. Although it is elementary and well-known, it is basic to the study of FCSR's so we provide a short proof (cf. [8] thm. 2.1, thm. 6.1, [13], [20] thm. 15.5 p. 458).
Lemma 2.2
The sequence $a$ is eventually periodic if and only if its 2-adic integer $\alpha$ is a rational number, in which case it can be expressed as such with an odd denominator. The sequence is strictly periodic if and only if there exist nonnegative integers $h$ and $q$, with $q$ odd and $0 \le h \le q-1$, such that $\alpha = -h/q$. In this case the period of the sequence $a$ divides $\phi(q)$ (the number of positive integers between $1$ and $q$ which are relatively prime to $q$) and its $i$-th term is
The reverse of this sequence is the binary expansion of the fraction h/q.
Here, $2^{-i}$ denotes the $i$-th power of the inverse of $2$ in $Z/(q)$, and $x \pmod q \pmod 2$ means that first the number $x \in Z/(q)$ is represented by an integer between $0$ and $q-1$, then this integer is reduced modulo $2$.
Proof: The statement about eventually periodic sequences follows from the statements about strictly periodic sequences, so suppose $a$ is strictly periodic of some period, say $T$. Let $h = \sum_{i=0}^{T-1} a_i 2^i$ be the sum of the first $T$ terms. Then
which is a rational number with $0 \le \alpha < 1$. Every factor of $2^T - 1$ is odd, so if this fraction is reduced to its lowest terms we find $\alpha = -h/q$ with $q$ odd and $0 \le h \le q-1$. Conversely suppose that $\alpha = -h/q$ with $0 \le h \le q-1$. Euler's function $\phi(q)$ is the number of integers $x$ relatively prime to $q$ with $1 \le x \le q-1$. Recall that $q$ divides $2^{\phi(q)} - 1$ by Euler's theorem. (The multiplicative group of invertible elements in $Z/(q)$ has order $\phi(q)$, so any invertible element raised to this power is equal to $1 \pmod q$.) Set $B = (2^{\phi(q)} - 1)/q$ so that
But $0 \le h < q$ so $0 \le Bh < 2^{\phi(q)} - 1$, hence the binary expansion of $Bh$ has no more than $\phi(q) - 1$ bits, so these binary expansions do not mix in the above expression. This shows that $-h/q$ has a 2-adic expansion whose coefficient sequence $a$ is strictly periodic of period $\phi(q)$, although this is not necessarily the minimal period. It follows that the minimal period of the sequence $a$ divides $\phi(q)$. Now we verify equation (7). Let $\alpha' = \sum_{i=0}^{\infty} a_{i+1} 2^i$ be the 2-adic number which corresponds to the strictly periodic sequence obtained from $a$ by throwing away the first term. Then $\alpha' = (\alpha - a_0)/2$, or $-h - q a_0 = 2 q \alpha'$, a statement which holds in $Z_2$ but for which the left hand side is an integer. Hence $h + q a_0$ is even, or, since $q$ is odd,
is a rational number with the same denominator $q$ and with numerator $h' = 2^{-1}(h + q a_0)$. Reading this equation modulo $q$ gives $h' \equiv 2^{-1} h \pmod q$. This shows that the sequence of numerators is given by $h, 2^{-1}h, 2^{-2}h, \ldots \pmod q$ and the output sequence is obtained by first realizing these numerators as integers between $0$ and $q$, then reducing modulo $2$, which verifies equation (7). The last statement can be verified by direct computation using (8). This completes the proof of Lemma 2.2.
∎
Caution: The mapping $Z/(q) \to Z/(2)$ (given by $z \mapsto z \pmod 2$) is not a ring homomorphism, and depends on the particular choice of a complete set $M$ of representatives $\{0, 1, 2, \ldots, q-1\} \subset Z$ for the elements of $Z/(q)$. These representatives were chosen because they have the property that for each $h \in M$, the 2-adic expansion of the fraction $-h/q$ is strictly periodic.
The first statement in the following analog of the "power series method" follows immediately from Lemma 2.2. The identification of the numerator h is proven in [8] .
Theorem 2.3 Let $a = a_0, a_1, \ldots$ be a strictly periodic binary sequence. Let $\alpha = \sum a_i 2^i$ be the corresponding 2-adic number, say, $\alpha = -h/q$ with $h, q \in Z$ and $0 \le h \le q-1$. Write $q = \sum_{i=0}^{r} q_i 2^i$ with $q_i \in \{0, 1\}$ for $i > 0$ and $q_0 = -1$. Then $q$ is the connection integer for a (Fibonacci) FCSR which generates this sequence. The numerator $h$ corresponds to the initial loading $(a_0, a_1, \ldots, a_r)$ of the register contents and initial memory $m$ according to the following equation:
(It follows that the full sequence may then be described by $a_j = 2^{-j} \pmod q \pmod 2$.)
FCSRs: Galois Architecture
The Galois representation [18] for an FCSR is illustrated in Figure 4.
Here, the bits $q_1, q_2, \ldots, q_r$ are multipliers. The cells denoted $c_1, c_2, \ldots, c_{r-1}$ are the memory (or "carry") bits. The $\Sigma$ sign represents a full adder. At the $j$-th adder, the following input bits are received:
• $a_j$ from the preceding cell
• $a_0 q_j$ from the feedback line
• $c_j$ from the memory cell,
which are added to form a sum $\sigma_j$ (with $1 \le j \le r-1$). At the next clock cycle, this sum modulo 2 is passed on to the next cell in the register,
and the higher order bit is used to replace the memory,
In other words, the new values $a'_{j-1}$ and $c'_j$ are given by
To analyze the behavior of this circuit as before we define the connection integer
The following result is an analog of the power series method.
Theorem 2.4
Suppose an $r$-stage (Galois)-FCSR with connection integer $q$ is initially loaded with register and memory contents $(a_0, a_1, \ldots, a_{r-1})$ and $(c_1, c_2, \ldots, c_{r-1})$ respectively. Set
Then the output sequence b 0 , b 1 , b 2 . . . of the FCSR is the coefficient sequence for the 2-adic expansion of the rational number α = −h/q.
Proof:
The proof is similar to that in the Galois-LFSR case. Given $h$ and $q$ as above, let $B = \sum_{i=0}^{\infty} b_i 2^i$ denote the 2-adic integer which is represented by the output sequence. First we claim that $qB + h \in Z_2$ is divisible by $2$ (meaning that it has no constant term). In fact,
The constant term in $qB + h$ is $-b_0 + a_0 \pmod 2$. However $a_0$ is also the first output bit, that is, $b_0 = a_0$, so this constant term vanishes. Running the register one cycle gives a new loading with numerator $h'$ and a new output series $B'$ satisfying $2(qB' + h') = qB + h$, as in the LFSR case. By the above claim, the constant term of $qB' + h'$ vanishes as well, which is to say that $qB + h$ is divisible by $2^2$. By induction we find that $2^n(qB^{(n)} + h^{(n)}) = qB + h$, and so $qB + h$ is divisible by $2^n$ for all $n$, which is to say that it equals $0$. ∎
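To see Sections 2.3 and 2.4 in operation, here is an added example (not code from the paper) that simulates the Fibonacci FCSR of Figure 3 and the Galois FCSR of Figure 4 for a constructed connection integer $q = 19$ and checks each output against the 2-adic expansion of $-h/q$, computed both by 2-adic long division and by the formula $a_i = 2^{-i} h \pmod q \pmod 2$ of Lemma 2.2. The two numerator formulas in the code are this example's own derivation from the recurrences (following the relation $2h' = h + a_0 q$ used in the proof above) and should be read as assumptions that the checks confirm numerically.

```python
"""Fibonacci (Figure 3) and Galois (Figure 4) FCSRs checked against the
2-adic expansion of -h/q.  Added example; the two numerator formulas are
this example's own derivation (assumptions), not quoted from the paper."""
from typing import List, Tuple


def connection_bits(q: int) -> List[int]:
    """q = -1 + q_1 2 + ... + q_r 2^r, so the binary digits of q + 1 (whose
    2^0 digit is 0 because q is odd) are q_1, ..., q_r.  Returns [q_1, ..., q_r]."""
    assert q > 0 and q % 2 == 1
    s, bits = q + 1, []
    while s:
        bits.append(s & 1)
        s >>= 1
    return bits[1:]


def two_adic_bits(num: int, den: int, n: int) -> List[int]:
    """First n coefficients of num/den in Z_2 (den odd) by 2-adic long division:
    b_i = num_i mod 2 (den is odd, so num_i/den has the parity of num_i) and
    num_{i+1} = (num_i - b_i*den)/2, an exact division.  Works for any integer num."""
    assert den % 2 == 1
    out = []
    for _ in range(n):
        b = num & 1
        out.append(b)
        num = (num - b * den) // 2
    return out


def lemma_bits(h: int, q: int, n: int) -> List[int]:
    """Lemma 2.2: for 0 <= h <= q-1, -h/q expands with a_i = 2^{-i} h (mod q) (mod 2)."""
    inv2 = pow(2, -1, q)            # inverse of 2 in Z/(q)
    x, out = h % q, []
    for _ in range(n):
        out.append(x & 1)           # representative in 0..q-1, reduced mod 2
        x = (x * inv2) % q
    return out


def fibonacci_fcsr(q: int, a: List[int], m: int, n: int) -> Tuple[List[int], List[int]]:
    """Fibonacci FCSR: sigma = m + sum_{j=1}^r q_j a_{k-j}; the parity of sigma is
    the next bit a_k and floor(sigma/2) the next memory.
    Returns (a_0 .. a_{n-1}, memory trace)."""
    qb = connection_bits(q)
    r = len(qb)
    assert len(a) == r
    seq, mem = list(a), [m]
    while len(seq) < n:
        k = len(seq)
        sigma = m + sum(qb[j - 1] * seq[k - j] for j in range(1, r + 1))
        seq.append(sigma & 1)
        m = sigma >> 1
        mem.append(m)
    return seq[:n], mem


def fibonacci_numerator(q: int, a: List[int], m: int) -> int:
    """Assumed h with output = -h/q: multiplying alpha = sum a_k 2^k by q and using
    the recurrence, every term from 2^r on telescopes to -m 2^r, which leaves
    h = m 2^r - sum_{i<r} sum_{j<=i} q_j a_{i-j} 2^i with q_0 = -1."""
    qb = [-1] + connection_bits(q)
    r = len(qb) - 1
    total = 0
    for i in range(r):
        total += sum(qb[j] * a[i - j] for j in range(i + 1)) << i
    return m * (1 << r) - total


def galois_fcsr(q: int, a: List[int], c: List[int], n: int) -> List[int]:
    """Galois FCSR.  Adder j (1 <= j <= r-1) sums a_j, a_0 q_j and the carry c_j;
    its parity becomes the new a_{j-1}, its high bit the new c_j.  The last cell
    receives a_0 q_r (q_r = 1, no carry).  The output is a_0 at each clock."""
    qb = connection_bits(q)
    r = len(qb)
    assert len(a) == r and len(c) == r - 1   # c[j-1] holds c_j
    a, c, out = list(a), list(c), []
    for _ in range(n):
        fb = a[0]
        out.append(fb)
        new_a = [0] * r
        for j in range(1, r):
            sigma = a[j] + fb * qb[j - 1] + c[j - 1]
            new_a[j - 1] = sigma & 1
            c[j - 1] = sigma >> 1
        new_a[r - 1] = fb * qb[r - 1]
        a = new_a
    return out


def galois_numerator(a: List[int], c: List[int]) -> int:
    """Assumed h for a Galois loading: h = sum_j a_j 2^j + sum_{j>=1} c_j 2^j.  With
    it the constant term of qB + h is -b_0 + a_0 and one clock gives 2h' = h + a_0 q."""
    return (sum(bit << j for j, bit in enumerate(a))
            + sum(bit << (j + 1) for j, bit in enumerate(c)))


if __name__ == "__main__":
    Q = 19                                   # constructed: q + 1 = 20 = 10100b, so r = 4
    bits, mem = fibonacci_fcsr(Q, [1, 1, 0, 1], 3, 20)
    print("Fibonacci:", bits, "h =", fibonacci_numerator(Q, [1, 1, 0, 1], 3))
    print("Galois:   ", galois_fcsr(Q, [1, 0, 1, 1], [0, 1, 0], 20),
          "h =", galois_numerator([1, 0, 1, 1], [0, 1, 0]))
```

The memory trace returned by `fibonacci_fcsr` also lets one watch the bound of Section 2.3: started from a large memory value, the trace drops to at most $\mathrm{wt}(q+1) = 2$ within a few clocks.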
Algebraic Models
Let $M$ be a finite state machine with output whose state change function is denoted $F$. For simplicity we assume the possible output values are 0 and 1. We say that a state of $M$ is periodic if the machine eventually returns to this state after finitely many iterations. This implies that the output from $M$ starting from this state is strictly periodic. Following [13] we define a model for $M$ to be a representation of $M$ by an algebraic ring $R$. In such a representation, states correspond to elements of $R$ and the state change operation corresponds to multiplication by a fixed element of $R$. Sometimes $R$ represents only a subset of the states, and sometimes several states correspond to the same element of $R$. More specifically, we say a set of periodic states $L$ is closed if it is closed under state change. It is complete if it consists of all the periodic states. A model consists of
1. a ring $R$ together with an element $\beta \in R$ and a mapping $T : R \to \{0, 1\}$,
2. a function between $R$ and a closed set $L$ of periodic states of $M$ so that
3. the state change on $L$ is given by $x \mapsto \beta x$ and
4. the output is given by $T(x)$.
Hence, for a given initial state, the output sequence of the machine is given by
Sometimes the function in (2) above is a mapping S : R → L ⊆ {periodic states of M }. Condition (3) then says that for all x ∈ R we have S(βx) = F (S(x)). If this is the case and S is one to one, we say the model is an injective model. If moreover L is complete and S is onto, then we say the model is a complete injective model.
In other cases the function is a mapping E : L → R. Condition (3) then says that for all x ∈ L we have E(F (x)) = βE(x). If this is the case and E is onto, we say the model is a projective model. If moreover L is complete and E is one to one, then we say the model is a complete projective model.
For complete models, an inverse mapping can be described. However, it may require a nontrivial amount of computation to do so, particularly when attempting to describe the initial state of the machine, cf. (4), (5), (9), (12) .
The notion of models can be used to connect what are intuitively different architectures for the "same" type of register. We construct a projective model for one architecture and an injective model for a second architecture, using the same ring R and the same state change element β. The composition of the models then connects the operation of the two architectures and makes precise the relationship between the two.
LFSRs: Fibonacci Architecture
The Fibonacci architecture for LFSRs has traditionally been analyzed using representations of sequences by powers of elements in Galois fields. This works very well when the connection polynomial is irreducible and moderately well when it is a product of distinct irreducible polynomials. In general, however, such representations become quite complicated. In this subsection we first see that in the first two cases such representations fit into our notion of model. We then see that, using injective models based on more general rings, we obtain very simple representations of arbitrary LFSR sequences by powers of elements.
Galois field model. Suppose for the moment that the connection polynomial $q(X)$ has degree $r$ (that is, $q_r \neq 0$), and is irreducible. Then its roots all lie in the Galois field $F_{2^r}$. Fix any surjective $F_2$-linear mapping $T : F_{2^r} \to F_2$. (The usual choice is the trace, $\mathrm{Tr}(x) = x + x^2 + x^{2^2} + \cdots + x^{2^{r-1}}$, but any linear mapping will do.) Choose a single root $\alpha \in F_{2^r}$ of the connection polynomial $q(X)$. To each $z \in F_{2^r}$ associate the following state $S(z)$ of the LFSR:
Theorem 3.1 Every state of the LFSR is periodic. The ring $R = F_{2^r}$, the function $T : F_{2^r} \to Z/(2)$, and the mapping $S : F_{2^r} \to \{\text{periodic states}\}$ constitute a complete injective model for the operation of the LFSR. The state change is given by $z \mapsto \alpha^{-1} z$. The output sequence is given by $a_j = T(\alpha^{-j} z)$.
Proof: The proof is standard (and elementary):
The injectivity and completeness follow from the fact that $\{1,$
It is also possible to construct a projective model for the LFSR, namely $E = S^{-1} : \{\text{states}\} \to F_{2^r}$. This mapping associates to each state of the LFSR an element $z \in F_{2^r}$ of the finite field and the change of state is given by $z \mapsto \alpha^{-1} z$. This may be accomplished under our assumption that $q(X)$ is irreducible because the elements $\{1, \alpha, \alpha^2, \ldots, \alpha^{r-1}\}$ are linearly independent over $F_2$, so the equations $T(z\alpha^i) = a_i$ ($0 \le i \le r-1$) may be solved uniquely for $z \in F_{2^r}$. However, solving for $z$ involves some nontrivial computation which is equivalent to inverting a matrix or finding a dual basis for $F_{2^r}$.
Next, suppose that
is a product of irreducible factors $g_i(X)$ of degree $d_i$, with no factor repeated, and that $q(X)$ has degree $r$. The mapping $S$ is no longer a one to one correspondence: it becomes necessary to change the definition of the ring $R$. The roots of $g_i(X)$ lie in the Galois field
be the product ring with addition and multiplication defined coordinate-wise. (It is not a field.) A choice $\alpha_i \in F_{2^{d_i}}$ of root of each $g_i(X)$ determines an element $\alpha = (\alpha_1, \alpha_2, \ldots, \alpha_m) \in R$. This element is invertible and its inverse is
To each $z = (z_1, \ldots, z_m) \in R$ we may associate a state $S(z)$ of the shift register,
Then, as in Theorem 3.1 above, every state is periodic and this mapping $S : R \to \{\text{states}\}$ is a complete injective model. The change of state is given by the mapping $z \mapsto \alpha^{-1} z$. In summary, each output sequence of the shift register may be expressed as the well-known linear combination (cf. [16] thm. 8.21 p. 404),
If the connection polynomial q(X) has repeated factors, then the situation is more complicated (see [6] , [16] §8.23 p. 405, or [22] §5.3.3, §5.5.3). In the next subsection we follow [13] and display a model for the action of the shift register which holds for any connection polynomial q(X). This model is implicit in [20] §7.3 and in [19] .
Ring-theoretic model. Let $F_2[X]$ be the ring of polynomials in $X$ with $0, 1$ coefficients. Let us denote the mapping $F_2[X] \to F_2$ which assigns to each polynomial its constant term by $z \mapsto z \pmod X$. It is a homomorphism of rings. The connection polynomial $q(X) = -1 + q_1 X + q_2 X^2 + \cdots + q_r X^r$ generates an ideal $(q)$ in this ring, and we consider the quotient,
We assume $q_r \neq 0$ so that, in this ring,
It follows that any element $z \in R$ in this quotient may be uniquely represented as a polynomial $z(X) = z_0 + z_1 X + \cdots + z_{r-1} X^{r-1}$ of degree less than $r$, and for any such $z \in R$ we will denote its constant term by $z_0 = z \pmod X \in F_2$. We define the mapping $T : R \to F_2$ by $T(z) = z_0$ (that is, $T(z) = z \pmod X$). Caution: As in Section 2.3, the mapping $T$ is not a ring homomorphism. For example, $T(X \cdot X^{r-1}) = T(X^r) = 1$, whereas $T(X)\,T(X^{r-1}) = 0 \cdot 0 = 0$. Its definition depends on the fact that we have first chosen a complete set of representatives in $F_2[X]$ for the elements of $R$, consisting of polynomials of degree $< r$. There are many other possible choices for a complete set of representatives, which may give different mappings $R \to F_2$.
Since $1 = q_1 X + \cdots + q_r X^r \pmod q$ we see that $X$ is invertible in $R$ with
and that
For any z ∈ R we may associate the following state S(z) of the shift register,
where (q)(X) denotes (mod q)(mod X). The following is a special case of results in [13] .
Theorem 3.2 Every state of the LFSR is periodic. The association $S$ between elements of $R$ and states of the shift register is a one-to-one correspondence (whether or not $q(X)$ is irreducible). The change of state is given by $z \mapsto X^{-1} z$. The collection $\{R, S, T\}$ is a complete injective model for the LFSR. The output sequences of the LFSR may be described by the sequence $a_i = T(X^{-i} z(X)) = X^{-i} z(X) \pmod q \pmod X$.
Proof: The association $S : R \to \{\text{States}\}$ may be regarded as a map $R \to F_2^r$, in which case it is linear (over $F_2$). We show this mapping is one-to-one. Suppose $z = z_0 + z_1 X + \cdots + z_{r-1} X^{r-1}$ maps to the zero state. Then $z_0 = z \pmod X = 0$, so the constant term is zero. Therefore $z$ is divisible by $X$, and $X^{-1} z = z_1 + z_2 X + \cdots + z_{r-1} X^{r-2}$, and this is therefore the representation of $X^{-1} z \pmod q$. But $X^{-1} z \pmod q \pmod X = 0$, so $z_1 = 0$. Continuing in this way we conclude that $z = 0$. Since $R$ is a vector space of dimension $r$ (over $F_2$), this shows that the above association is a one-to-one correspondence.
Next, consider the change of state. Fix $z \in R$ and consider the associated state of the shift register, as described above. Then the element $X^{-1} z$ is associated to the state with all cell contents shifted to the right by one step, except for the leftmost cell which contains $X^{-r} z = q_1 X^{-(r-1)} z + q_2 X^{-(r-2)} z + \cdots + q_r X^0 z$. But this is the appropriate linear combination of the old contents of the cells.
The completeness is immediate from the fact that $S$ is one-to-one. ∎
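As an added example (not the paper's own code) covering the power series method of Sections 2.1 and 2.2 and the ring-theoretic model of Theorem 3.2: polynomials over $F_2$ are held as Python integers (bit $i$ is the coefficient of $X^i$), both LFSR architectures are simulated, Theorem 2.1 is checked by confirming $q(X)B(X) + h(X) \equiv 0 \pmod{X^n}$ for a Galois loading with $h(X) = \sum a_i X^i$, and the model sequence $a_i = X^{-i} z \pmod q \pmod X$ is compared with the Fibonacci LFSR started from $S(z)$. The connection polynomials used are constructed for the example: the irreducible $q = X^4 + X + 1$ and the reducible $q = X^3 + 1$.

```python
"""LFSRs over F_2: the power series method (Theorem 2.1) and the ring model
R = F_2[X]/(q) of Theorem 3.2.  Added example, not the paper's own code.
A polynomial is an int whose bit i is the coefficient of X^i."""
from typing import List


def pmul(a: int, b: int) -> int:
    """Carry-less product, i.e. multiplication in F_2[X]."""
    res = 0
    while b:
        if b & 1:
            res ^= a
        a <<= 1
        b >>= 1
    return res


def pmod(a: int, q: int) -> int:
    """Remainder of a on division by q in F_2[X]."""
    dq = q.bit_length() - 1
    while a and a.bit_length() - 1 >= dq:
        a ^= q << (a.bit_length() - 1 - dq)
    return a


def connection_poly(qbits: List[int]) -> int:
    """q(X) = -1 + q_1 X + ... + q_r X^r from [q_1, ..., q_r]; over F_2, -1 = 1."""
    q = 1
    for i, qi in enumerate(qbits, start=1):
        q |= qi << i
    return q


def loading_poly(a: List[int]) -> int:
    """h(X) = sum a_i X^i for a register loading (a_0, ..., a_{r-1})."""
    return sum(bit << i for i, bit in enumerate(a))


def fibonacci_lfsr(qbits: List[int], a: List[int], n: int) -> List[int]:
    """Fibonacci LFSR: a_k = sum_{j=1}^r q_j a_{k-j} (mod 2); output a_0, a_1, ..."""
    r = len(qbits)
    assert len(a) == r
    seq = list(a)
    while len(seq) < n:
        k = len(seq)
        seq.append(sum(qbits[j - 1] & seq[k - j] for j in range(1, r + 1)) & 1)
    return seq[:n]


def galois_lfsr(qbits: List[int], a: List[int], n: int) -> List[int]:
    """Galois LFSR: the output a_0 is added into every tapped cell at once:
    new a_{j-1} = a_j + q_j a_0 (1 <= j <= r-1), new a_{r-1} = q_r a_0."""
    r = len(qbits)
    assert len(a) == r
    a, out = list(a), []
    for _ in range(n):
        fb = a[0]
        out.append(fb)
        a = [a[j] ^ (qbits[j - 1] & fb) for j in range(1, r)] + [qbits[r - 1] & fb]
    return out


def series_residual(qbits: List[int], b: List[int], h: int) -> int:
    """q(X) B(X) + h(X) reduced modulo X^n, with B(X) = sum b_i X^i over the n
    output bits given.  Theorem 2.1: this is 0 when h is the Galois loading's h(X)."""
    n = len(b)
    B = loading_poly(b)
    return (pmul(connection_poly(qbits), B) ^ h) & ((1 << n) - 1)


def model_sequence(qbits: List[int], z: int, n: int) -> List[int]:
    """Theorem 3.2: a_i = X^{-i} z (mod q) (mod X).  Because 1 = q_1 X + ... + q_r X^r
    in R, X^{-1} = q_1 + q_2 X + ... + q_r X^{r-1}: the connection polynomial
    shifted down by one degree."""
    q = connection_poly(qbits)
    xinv = q >> 1
    z, out = pmod(z, q), []
    for _ in range(n):
        out.append(z & 1)                 # z (mod X): the constant term
        z = pmod(pmul(z, xinv), q)
    return out


def model_state(qbits: List[int], z: int) -> List[int]:
    """S(z): the loading (a_0, ..., a_{r-1}) that Theorem 3.2 attaches to z in R."""
    return model_sequence(qbits, z, len(qbits))


if __name__ == "__main__":
    QB = [1, 0, 0, 1]                     # constructed: q(X) = X^4 + X + 1, irreducible
    g = galois_lfsr(QB, [1, 0, 0, 0], 16)
    print("Galois output:", g, "residual:", series_residual(QB, g, loading_poly([1, 0, 0, 0])))
    print("Model, z = 1:  ", model_sequence(QB, 1, 16))
    print("Fibonacci from S(1):", fibonacci_lfsr(QB, model_state(QB, 1), 16))
```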
If $q$ is irreducible then the ring $R = F_2[X]/(q)$ is a field, isomorphic to $F_{2^r}$, from which one may recover Theorem 3.1. If $q$ is reducible, say $q(X) = g_1(X)^{e_1} g_2(X)^{e_2} \cdots g_m(X)^{e_m}$ is its decomposition into irreducible factors, then $R$ is isomorphic to the product
, from which one may recover equation (13).
LFSRs: Galois Architecture
In this subsection we construct models for the Galois architecture for LFSRs. As with the Fibonacci architecture, the classical analysis can be seen as based on models where R is a Galois field, but we obtain a simple model in the general case by using more general rings. In the Galois architecture case the models are projective.
Galois field model. Let us suppose that $q(X)$ has degree $r$ and is irreducible. Let $\alpha$ be a root of $q(X)$ in the Galois field $F_{2^r}$. Define a mapping $E : \{\text{states}\} \to F_{2^r}$ which associates to any state
Define the linear mapping T :
Then we have the following analogue of Theorem 3.1.
Theorem 3.3 Every state of the shift register is periodic. The collection $\{R = F_{2^r}, E, T\}$ is a complete projective model for the LFSR in its Galois configuration. The state change is given by $z \mapsto \alpha^{-1} z$.
Proof:
The completeness follows from the facts that $E$ is $F_2$-linear and that the minimal polynomial of $\alpha$ has degree $r$. ∎
Combining this with Theorem 3.2, we have the following.
Corollary 3.4
There is a one to one correspondence between periodic states of the Galois LFSR with connection polynomial $q(X)$ and periodic states of the Fibonacci LFSR with connection polynomial $q(X)$ so that corresponding states produce the same output.
This particular model was chosen to make the mapping E as simple as possible. One could just as easily construct a model in which the mapping T is simple. In fact, given any surjective linear mapping T :
where $s = (a_{r-1}, \ldots, a_1, a_0)$ denotes the above state and where $C \in F_{2^r}$ is the unique element such that $T'(x) = T(Cx)$ for all $x \in F_{2^r}$. Then the collection $\{R = F_{2^r}, E', T'\}$ constitutes a projective model for the Galois-LFSR. If $q(X)$ is reducible, one may still choose a root $\alpha$ and construct the mapping (15); however, it will fail to be one to one. In particular, the contents $a_0$ of the output cell may not be uniquely determined by $z$. If $q(X) = h_1(X) h_2(X) \cdots h_m(X)$ is a product of irreducible factors with no repeated factors then, as in §3.
Corresponding to the state $(a_{r-1}, a_{r-2}, \ldots, a_1, a_0)$ of the shift register, we may associate the element $z = (z_1, z_2, \ldots, z_m) \in R$ given by
$\sum_{j=1} a_j \alpha^j$ where $\alpha = (\alpha_1, \alpha_2, \ldots, \alpha_m) \in R$. Then, as in Theorem 3.3, the mapping $E : \{\text{states}\} \to R$ is a one to one correspondence, the change of state is given by $z \mapsto \alpha^{-1} z$, and the collection $\{R, E, T\}$ is a projective model for the Galois-LFSR.
Ring-theoretic model. As in Theorem 3.2, let $R = F_2[X]/(q)$, and define $T : R \to F_2$ by $T(z) = z \pmod X$. Assume $\deg(q) = r$ but do not necessarily assume that $q$ is irreducible. Associate to each state $s = (a_{r-1}, a_{r-2}, \ldots, a_1, a_0)$ of the shift register the following element
As in Theorem 3.2, every state of the shift register is periodic. The mapping E gives a one to one correspondence between the states of the shift register and elements z ∈ R; the change of state is given by z → X −1 z; the output sequence is given by
and the collection {R, E, T } forms a complete projective model of the LFSR.
FCSRs: Fibonacci Architecture
For FCSR sequences, the Galois field model and the ring-theoretic model merge into a single model. Take $R = Z/(q)$ with distinguished element $\beta = 2^{-1}$. Define $T : R \to Z/(2)$ by $T(z) = z \pmod 2$ and define $S : R \to \{\text{states}\}$ by assigning to any $h \in Z/(q)$ the initial state with $a_i = 2^{-i} h \pmod q \pmod 2$ (for $0 \le i \le r-1$) and with initial memory
Let $\Gamma_q = \{\text{strictly periodic states of the FCSR with connection integer } q\}$. Note that the state $(1, 1, \ldots, 1; \mathrm{wt}(q+1) - 1)$, where $\mathrm{wt}(q+1)$ is the Hamming weight of $q+1$, is a periodic state with output equal to the all 1s sequence. Its associated 2-adic number is $-1$.
Theorem 3.5 Let $q$ be an odd positive integer. Then $S$ is a one to one function from $Z/(q)$ onto $L = \Gamma_q - \{(1, 1, \ldots, 1; \mathrm{wt}(q+1) - 1)\}$. The state change is given by $h \mapsto 2^{-1} h$ and the output sequence is $a_j = 2^{-j} h \pmod q \pmod 2$. The collection $\{R, S, T\}$ constitutes an injective model for the FCSR.
Proof: That $\{R, S, T\}$ is a model follows from Section 6 and Theorem 11.1 of [8]. To see that $S$ is injective, suppose to the contrary that $(a_0, \ldots, a_{r-1}; m) = S(g) = S(h) = (b_0, \ldots, b_{r-1}; n)$. Then
But $a_i = b_i$ for every $i$, so $g/2^r = h/2^r$ and thus $g = h$.
It is known that the 2-adic numbers associated with the periodic outputs from the FCSR with connection integer $q$ are precisely the rational numbers $-p/q$ with $0 \le p \le q$ [8]. Thus there are precisely $q+1$ periodic states. It follows that in order to see that $S$ maps onto $L$, it suffices to show that the state $(1, 1, \ldots, 1;\ \mathrm{wt}(q+1) - 1)$ is not in the image of $S$.
Suppose to the contrary that there is an integer $h$ such that $1 = 2^{-j} h \pmod q \pmod 2$ for every $j$. Since $h \pmod q$ is odd if and only if $-h \pmod q$ is even, this is equivalent to saying that there is an $h$ such that all $2^{-j} h \pmod q$ are even. Since 2 is invertible mod $q$, we can let $m = 2^{\mathrm{ord}_q(2)} h$ and conclude that there is some $m$ such that all $2^{j} m \pmod q$ are even. Let $j$ be maximal so that $2^j m < q$. Then $q < 2^{j+1} m < 2q$, so $2^{j+1} m \pmod q = 2^{j+1} m - q$, which is odd. This contradiction proves the theorem. □

Remark 1. Although the mapping $S$ always gives a strictly periodic state of the FCSR, we do not know a simple characterization of these states. The initial loading of the register portion is simply the lower-order $r$ bits in the binary expansion of the number
(however we do not know a similar simple formula for the initial value of the memory). To see this, let $B = (2^{\phi(q)} - 1)/q$ as in the proof of Lemma 2.2. Then $Bq \equiv -1 \pmod{2^{\phi(q)}}$. But $r < \phi(q)$, so $Bq \equiv -1 \pmod{2^r}$, which gives
So the lower-order $r$ bits in the binary expansion of $W$ coincide with the first $r$ bits in the 2-adic expansion of $-h/q$, which are also the first $r$ bits output by the FCSR. But these first $r$ bits also coincide with the initial loading of the register portion of the FCSR.
Remark 2. If $q$ is prime then $\mathbb{Z}/(q)$ is a field and its multiplicative group $(\mathbb{Z}/(q))^*$ is cyclic. In this case, $2^{-1}$ is a generator of $(\mathbb{Z}/(q))^*$ if and only if 2 is a primitive root modulo $q$. (Such a choice of $q$ gives rise to maximal length sequences, or $\ell$-sequences.) If $q$ is composite, say $q = g$

Remark 3. This model is not complete. As seen in the proof of Theorem 3.5, the state $(1, 1, \ldots, 1;\ \mathrm{wt}(q+1) - 1)$ is not in the image of $S$. One can construct a different model that contains this state in its image by using $\{1, 2, \ldots, q\}$ as the set of representatives for the residue classes modulo $q$ in the definition of $z \pmod q \pmod 2$; however, the image of $S$ will then omit the zero state.
FCSRs: Galois Architecture
Now we wish to describe a model for the Galois-FCSR. Define $R = \mathbb{Z}/(q)$ and $T : R \to \mathbb{Z}/(2)$ as in Theorem 3.5. Define $E : \{\text{states}\} \to \mathbb{Z}/(q)$ to be the mapping which assigns to any state $(a_0, a_1, \ldots, a_{r-1};\ c_1, \ldots, c_{r-1})$ the element $h \pmod q$, where $h$ is defined in (12). Notice that if $q_j = 0$ then the memory cell $c_j$ will eventually drop to 0 and remain 0 forever after. So for every periodic state there is a periodic state that produces the same output and satisfies $c_j = 0$ whenever $q_j = 0$. Let us say that a state satisfying this condition is an "admissible" state. (So the admissible states may be thought of as representing a Galois-FCSR in which memory cells $c_j$ are provided only when the corresponding feedback tap $q_j$ is nonzero.) Let $\Gamma_q$ be the set of admissible states. Note that the state $(1, \ldots, 1;\ q_1, \ldots, q_{r-1})$ is always admissible and produces the all-1 sequence as output.
Theorem 3.6 The collection $\{R, E, T\}$ is a projective model for the Galois-FCSR. For any admissible initial loading, the output of the Galois FCSR is strictly periodic. The mapping $E$ is a surjection from $\Gamma_q - \{(1, \ldots, 1;\ q_1, \ldots, q_{r-1})\}$ to $\mathbb{Z}/(q)$ such that the change of state is given by $h \mapsto 2^{-1} h$. Hence the output sequence is $b_j = h 2^{-j} \pmod q \pmod 2$.
Proof: The greatest possible value for $h$ occurs when all $a_i = 1$ and all the admissible $c_j = 1$. In this case $c_j = q_j$ for all $j$, so, using $q + 1 = \sum_{j=1}^{r} q_j 2^j$ and $q_r = 1$,
$$h = 1 + (1 + q_1)2 + \cdots + (1 + q_{r-1})2^{r-1} = (2^r - 1) + (q + 1 - q_r 2^r) = q.$$
So for any admissible state $s$ we have $0 \le h = E(s) \le q$, and hence the 2-adic expansion of $-h/q$ (which is the output sequence of the shift register) is strictly periodic. Reducing equation (11) modulo $q$ and multiplying by $2^{-1}$ gives
which describes the change of state. Finally, to show that the output function is correct, we must show that for any admissible state
Corollary 3.7 There is an onto function from the set of admissible periodic states of the Galois FCSR with connection integer $q$ to the set of periodic states of the Fibonacci FCSR with connection integer $q$ such that corresponding states produce the same output.

Remark 1. We do not know a simple formula describing the contents of the $k$th cell as a function of time. Despite Theorem 3.6, we do not know how to intrinsically characterize the periodic states of the Galois-FCSR (other than to say that they must be admissible states), because there may be several different states corresponding to the same number $h$. However, there is only one way to obtain $h = 1$ (namely $a_0 = 1$ with all other $a_i$ and $c_j$ equal to 0), so this state is necessarily a periodic state. If 2 is primitive modulo $q$, then all the other periodic states are obtained from this one by running the shift register.
Remark 2. This is not a complete model. Any state for which $a_i = 1$ and $c_i = 0$ has the same image under $E$ as the state that is identical except that $a_i = 0$ and $c_i = 1$.
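As an added illustration (example code written for this page, not code from the paper), the following Python simulates both FCSR architectures for a connection integer q and checks them against the model of Theorems 3.5 and 3.6: every output equals the 2-adic expansion of −h/q, and for states with 0 ≤ h ≤ q also the formula b_j = h 2^{-j} (mod q)(mod 2). The state-update rules and the formula for h are the standard Goresky-Klapper ones with q_0 = −1. The function `fib_state` recovers the Fibonacci memory by solving that formula for m; that inversion is this example's own and is not a formula the paper gives. The names `taps`, `fib_run`, `fib_h`, `fib_state`, `gal_run`, `gal_h`, `admissible` and `period` are chosen here.

```python
"""FCSR with connection integer q in both architectures, checked against the
2-adic model of Theorems 3.5 and 3.6.  Added example, not the paper's code.
Conventions assumed: q = -1 + sum_{i=1}^r q_i 2^i with q_r = 1 and q_0 = -1;
Fibonacci state (a_0..a_{r-1}; m); Galois state (a_0..a_{r-1}; c_1..c_{r-1})."""


def taps(q):
    """Return (r, [q_0, q_1, ..., q_r]) for odd q > 0, with q_0 = -1 and q_r = 1."""
    assert q > 0 and q % 2 == 1
    bits = [int(b) for b in bin(q + 1)[:1:-1]]  # LSB first; bits[0] == 0 as q+1 is even
    bits[0] = -1
    return len(bits) - 1, bits


def two_adic_bits(h, q, n):
    """First n bits of the 2-adic expansion of -h/q (q odd), by the long-division
    rule a -> (a - (a mod 2) q) / 2 started at a = -h."""
    a, out = -h, []
    for _ in range(n):
        b = a & 1
        out.append(b)
        a = (a - b * q) // 2
    return out


def model_bits(h, q, n):
    """Output predicted by the model: b_j = h 2^{-j} (mod q) (mod 2)."""
    inv2 = pow(2, -1, q)
    return [h * pow(inv2, j, q) % q % 2 for j in range(n)]


def fib_run(q, a, m, n):
    """Fibonacci FCSR: sigma = sum_i q_i a_{r-i} + m; new bit = sigma mod 2; m = sigma div 2."""
    r, qs = taps(q)
    a, out = list(a), []
    for _ in range(n):
        out.append(a[0])
        sigma = sum(qs[i] * a[r - i] for i in range(1, r + 1)) + m
        a, m = a[1:] + [sigma % 2], sigma // 2
    return out


def fib_h(q, a, m):
    """h with -h/q = output: h = m 2^r - sum_{n<r} sum_{i<=n} q_i a_{n-i} 2^n (q_0 = -1)."""
    r, qs = taps(q)
    s = sum(qs[i] * a[n - i] << n for n in range(r) for i in range(n + 1))
    return (m << r) - s


def fib_state(q, h):
    """S(h) of Theorem 3.5: register = first r output bits of -h/q; the memory is
    recovered by solving fib_h for m (this inversion is mine, not the paper's)."""
    r, _ = taps(q)
    a = two_adic_bits(h, q, r)
    num = h - fib_h(q, a, 0)          # = h + (double sum) = m 2^r
    assert num % (1 << r) == 0
    return a, num >> r


def gal_run(q, a, c, n):
    """Galois FCSR: sigma_j = a_j + c_j + q_j a_0; a_{j-1} = sigma_j mod 2,
    c_j = sigma_j div 2 for 1 <= j <= r-1, and a_{r-1} = q_r a_0 (all cells in parallel)."""
    r, qs = taps(q)
    a, c, out = list(a), [0] + list(c), []   # c[j] is the carry cell beside tap q_j
    for _ in range(n):
        out.append(a[0])
        a0 = a[0]
        for j in range(1, r):
            sigma = a[j] + c[j] + qs[j] * a0
            a[j - 1], c[j] = sigma % 2, sigma // 2
        a[r - 1] = qs[r] * a0
    return out


def gal_h(q, a, c):
    """h = sum_i a_i 2^i + sum_{j>=1} c_j 2^j, the number a Galois state encodes."""
    return sum(b << i for i, b in enumerate(a)) + sum(b << j for j, b in enumerate(c, 1))


def admissible(q, c):
    """Admissible: c_j = 0 wherever the feedback tap q_j is 0."""
    _, qs = taps(q)
    return all(qs[j] == 1 or c[j - 1] == 0 for j in range(1, len(c) + 1))


def period(bits):
    """Smallest p with bits[i] == bits[i+p] over the sample (0 if none fits)."""
    for p in range(1, len(bits) // 2 + 1):
        if bits[:-p] == bits[p:]:
            return p
    return 0


if __name__ == "__main__":
    q = 13                          # 2 is a primitive root mod 13: l-sequence of period 12
    print("Galois h=1:", gal_run(q, [1, 0, 0], [0, 0], 24))
    a, m = fib_state(q, 1)
    print("Fibonacci S(1) =", (a, m), "->", fib_run(q, a, m, 24))
```

With q = 13 the Galois state of Remark 1 (h = 1) and the Fibonacci state S(1) both emit the period-12 ℓ-sequence of −1/13; the all-ones states (1,1,1; 2) and (1,1,1; 1,1) both have h = q. Remark 2's non-completeness shows up directly: the Galois states (1,1,0; 0,0) and (1,0,0; 1,0) share h = 3 and produce identical output.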
d-FCSR Architectures
The d-FCSR architecture was introduced in [8] and [10] , where its basic properties are listed. (See also [13] .) In this section we first recall the operation of these shift registers and summarize the results from [4] which explain how to design them so as to give predictable outputs. We then describe a Galois architecture for d-FCSRs. We also describe models for both architectures.
Fibonacci Architecture for d-FCSR
The operation of a d-FCSR is similar to that of the FCSR except that each "carried" bit is delayed $d-1$ steps before being added (see Figures 5 and 6). This is best understood using the ring $\mathbb{Z}[\pi]$, which consists of polynomials in $\pi$ (with integer coefficients) subject to the formal relation $\pi^d = 2$.
so it is best not to think of these coefficients as lying in the field $\mathbb{F}_2$. The operations $(\bmod\ \pi)$ and $(\operatorname{div}\ \pi)$ make sense in this ring.
and we say that $z$ is odd if $z \pmod \pi = 1$. (For example,
A d-FCSR consists of a shift register with cell contents $a_0, a_1, \ldots, a_{r-1}$, feedback connections $q_r, q_{r-1}, \ldots, q_1$, and memory cells $m_0, m_1, \ldots, m_s$, each of which is 0 or 1. We represent the memory by the nonnegative element $m = m_0 + m_1 \pi + \cdots + m_s \pi^s \in \mathbb{Z}[\pi]$. Associated to the feedback connections we define the connection "number"
Then $q \in \mathbb{Z}[\pi]$ is odd, and $q + 1$ is nonnegative. The operation of the d-FCSR on a state $(a_0, a_1, \ldots, a_{r-1};\ m)$ may be described as follows: form the integer sum $\sigma$ by
Implementation. The block diagram for a d-FCSR is the same as that of an FCSR, but since addition in $\mathbb{Z}[\pi]$ is needed, it is slightly more convenient to break the addition into two parts. The part labeled $\Sigma$ adds the 0,1 inputs as integers and outputs the result $\sigma$ according to its binary expansion. The part labeled $\Pi$ is an adder in
adder $\Pi$, together with the memory $m$, may be described as follows (Figure 6). Each symbol $\Sigma$ represents a full adder with 3 inputs, cascaded so as to form a ripple-carry adder. With each clock cycle the current contents $m$ of the memory are added to the integer $\sigma$, which is presented at the input to the adder according to its binary expansion. The result is returned to the memory (which involves modifying only the even-numbered memory cells). Then the contents of the memory are shifted one step to the right, thus outputting the lowest-order bit $\sigma \pmod \pi$ and retaining the higher-order bits $\sigma \operatorname{div} \pi$ (with the highest-order bit, $m_6$ in the following example, set to 0).
Let $\mathrm{wt}(q+1)$ denote the number of nonzero $q_i$ involved in the feedback. It can be seen from Figure 6 (or from the change-of-state equations above) that the memory will decrease until $m_i = 0$ for all $i > d \log_2(\mathrm{wt}(q+1)) + d$, so no memory overflow will occur provided the shift register is provided with memory cells $m_0, m_1, \ldots, m_s$ where $s \ge d \log_2(\mathrm{wt}(q+1)) + d$. The deeper analysis of a d-FCSR is completely parallel to that of an FCSR; however, some less familiar mathematics is needed.
Power series method. Let $\mathbb{Z}_\pi$ be the ring of "π-adic integers", consisting of all formal power series in $\pi$
with $a_i = 0, 1$. Addition and multiplication are performed in the obvious way, using the relation $\pi^d = 2$ whenever necessary; in particular $\mathbb{Z}_\pi$ contains the 2-adic integers $\mathbb{Z}_2$. Since
provided that $b$ is odd (meaning that $b \pmod \pi = 1$), in which case we shall refer to (19) as "the" π-adic expansion of $a/b$. Such fractions are precisely the elements of $\mathbb{Z}_\pi$ whose π-adic expansions are eventually periodic. The following result was proven in [10].
Proof:
□

A surprising consequence is that not every periodic binary sequence may be realized as the output sequence of a d-FCSR: only those for which $q + 1$ is nonnegative. This deficiency (if indeed it is one) can be rectified by considering a "polarized" d-FCSR in which the cells $q_i, m_i$ are permitted to take values in $\{\pm 1, 0\}$. It can be seen that no "overflow" will ever occur and that any $q \in \mathbb{Z}[\pi]$ may be realized as the connection number of such a polarized d-FCSR.

If $E = \{e_1, e_2, \ldots, e_k\}$ is a finite collection of linearly independent vectors in Euclidean space $\mathbb{Q}^d$, let us denote the half-open parallelepiped spanned by $E$ to be the set
Let
be the set of lattice points in the parallelepiped (in $\mathbb{Q}[\pi]$) which is spanned by the set of vectors $\{q, q\pi, q\pi^2, \ldots, q\pi^{d-1}\}$. Also let us denote the closed parallelepiped spanned by $E$ to be the set
In [4] we prove the following result. 
(In other words, the set $\Delta_q$ is a complete set of representatives for the elements of $\mathbb{Z}[\pi]/(q)$.) For such an $h \in \Delta_q$ the π-adic expansion of $\alpha = -h/q = \sum_{i=0}^{\infty} b_i \pi^i$ is given by
Here (as in Theorem 3.1 and Lemma 2.2), for any $z \in \mathbb{Z}[\pi]/(q)$ the symbol $z \pmod \pi$ means that $z$ must first be replaced by the corresponding element of the complete set of representatives $\Delta_q$, and this element is then reduced modulo $\pi$ to obtain an element of Z

It is possible to give a much more down-to-earth description of these sequences when the norm $N = |N(q)|$ is an odd prime, which we henceforth assume. In [4] we prove the following:
which is therefore a field. and as such, it turns out to be divisible by $\pi$ (see [4]). Define $s_i \in \mathbb{Z}$ by expanding
The following result is proven in [4] .
Suppose that $N = |N(q)|$ is an odd prime number and that $h \in \Delta_q$ lies in the strictly periodic region described in Theorem 4.2. Let $m = \psi(\pi)$ and let $s_0$ be defined by equation (25). Then, for all $j$, the following equation holds,
In other words, the output sequence (23) may be simply described as $A b^j \pmod N \pmod 2$ for appropriately chosen $A = \psi(h) s_0 \in \mathbb{Z}/(N)$ and $b = m^{-1} \in \mathbb{Z}/(N)$. The numbers $m$ and $s_0$ can be computed directly from knowledge of $q$, although sometimes just knowing that $m^d \equiv 2 \pmod N$ nearly determines $m$. For $d = 2$ and $d = 3$ these computations are tabulated in Figure 7.
An Example
Consider the d-FCSR with $d = 2$ and $q = 5 + 2\pi$. The shift register is 4-stage with feedback coefficients $q_1 = 0$, $q_2 = q_3 = q_4 = 1$ (so that $q + 1 = 6 + 2\pi$). Then $N(q) = 17$, which is prime, so the parallelogram contains 16 elements in its interior; see Figure 8. The isomorphism $\psi : \mathbb{Z}[\pi]/(q) \to \mathbb{Z}/(17)$ maps $\pi$ to $m = 6$ (indeed $6^2 = 36 \equiv 2 \pmod{17}$, as $\psi(\pi)^2 = \psi(2)$ requires), which is primitive modulo 17, so we obtain a maximal length output sequence. The constant is $s_0 = 5$, and the computations for the table (Figure 9) may be simplified by observing that $6^{-1} \equiv 3 \pmod{17}$. Each element in $\mathbb{Z}[\pi]/(q)$ has a unique representative $h$ in the above parallelogram; these representatives are listed in the second column of the table. The corresponding element in $\mathbb{Z}/(17)$ is listed in the third column. The fourth column (which is the d-FCSR sequence under consideration) is the third column modulo 2, and it coincides with the second column modulo $\pi$, as predicted by Theorem 4.5.
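The same example carried through in code (added here; not the paper's own code): arithmetic in Z[π] with π^d = 2, the π-adic expansion of −h/q, the Fibonacci d-FCSR of the preceding subsection, the lattice points ∆_q of the half-open parallelogram for d = 2, and the Theorem 4.5 form A b^j (mod N)(mod 2). The step rule and the formula h = m π^r − Σ_{n<r} Σ_{i≤n} q_i a_{n−i} π^n are the FCSR ones with 2 replaced by π (this example's derivation from the recurrence a_n + π m_n = Σ_i q_i a_{n−i} + m_{n−1}, with q_0 = −1); the values ψ(π) = 6 and s_0 = 5 are taken from the text. The list representation of Z[π] and all function names are choices made here.

```python
"""d-FCSR arithmetic over Z[pi], pi^d = 2, run on the paper's d = 2 example
q = 5 + 2 pi (taps q_1 = 0, q_2 = q_3 = q_4 = 1, N(q) = 17, psi(pi) = 6, s_0 = 5).
Added example, not code from the paper.  An element of Z[pi] is a list of d
integers [c_0, ..., c_{d-1}] meaning c_0 + c_1 pi + ... + c_{d-1} pi^{d-1}.
The step rule and the formula for h are the FCSR ones with 2 replaced by pi
(my derivation from a_n + pi m_n = sum_i q_i a_{n-i} + m_{n-1}, q_0 = -1)."""

def mul_pi(v):
    """Multiply by pi: pi (c_0 + ... + c_{d-1} pi^{d-1}) = 2 c_{d-1} + c_0 pi + ..."""
    return [2 * v[-1]] + v[:-1]

def div_pi(v):
    """Exact division by pi (the constant term must be even)."""
    assert v[0] % 2 == 0, "not divisible by pi"
    return v[1:] + [v[0] // 2]

def add(u, v):
    return [x + y for x, y in zip(u, v)]

def scale(k, v):
    return [k * x for x in v]

def times_pi_pow(v, n):
    for _ in range(n):
        v = mul_pi(v)
    return v

def conn_number(taps, d):
    """q = -1 + sum_{i=1}^r q_i pi^i as a d-vector, taps = [q_1, ..., q_r]."""
    q = [-1] + [0] * (d - 1)
    for i, t in enumerate(taps, 1):
        q = add(q, times_pi_pow([t] + [0] * (d - 1), i))
    return q

def pi_adic_bits(h, q, n):
    """First n coefficients of the pi-adic expansion of -h/q (q odd):
    a -> (a - (a mod pi) q) / pi, started at a = -h."""
    a, out = scale(-1, h), []
    for _ in range(n):
        b = a[0] & 1
        out.append(b)
        a = div_pi(add(a, scale(-b, q)))
    return out

def dfcsr_run(taps, d, a, m, n):
    """Fibonacci d-FCSR: sigma = (integer tap sum) + m in Z[pi]; new bit = sigma mod pi;
    new memory = sigma div pi (the right shift that delays each carry d-1 steps)."""
    r = len(taps)
    a, m, out = list(a), list(m), []
    for _ in range(n):
        out.append(a[0])
        sigma = list(m)
        sigma[0] += sum(taps[i - 1] * a[r - i] for i in range(1, r + 1))
        bit = sigma[0] & 1
        sigma[0] -= bit
        a, m = a[1:] + [bit], div_pi(sigma)
    return out

def dfcsr_h(taps, d, a, m):
    """h with -h/q = sum_j a_j pi^j: h = m pi^r - sum_{n<r} sum_{i<=n} q_i a_{n-i} pi^n."""
    r, qs = len(taps), [-1] + list(taps)
    h = times_pi_pow(list(m), r)
    for n in range(r):
        coeff = -sum(qs[i] * a[n - i] for i in range(n + 1))
        h = add(h, times_pi_pow([coeff] + [0] * (d - 1), n))
    return h

def dfcsr_state(taps, d, h):
    """Invert dfcsr_h: register = first r bits of -h/q, memory = (h + Sigma) / pi^r."""
    r = len(taps)
    a = pi_adic_bits(h, conn_number(taps, d), r)
    m = add(h, scale(-1, dfcsr_h(taps, d, a, [0] * d)))   # dfcsr_h with m = 0 is -Sigma
    for _ in range(r):
        m = div_pi(m)
    return a, m

def psi(v, root, N):
    """The map Z[pi]/(q) -> Z/(N) sending pi to a d-th root of 2 mod N."""
    return sum(c * pow(root, k, N) for k, c in enumerate(v)) % N

def model_bits(A, b, N, n):
    """Theorem 4.5 form of the output: A b^j (mod N) (mod 2)."""
    return [A * pow(b, j, N) % N % 2 for j in range(n)]

def delta_q(q):
    """d = 2, q = q0 + q1 pi with q0, q1 >= 0 and N(q) > 0: lattice points h = s q + t q pi
    with 0 <= s, t < 1 (the half-open parallelogram of Figure 8); q pi = 2 q1 + q0 pi."""
    q0, q1 = q
    det = q0 * q0 - 2 * q1 * q1                       # = N(q)
    assert det > 0 and q0 >= 0 and q1 >= 0
    return [[x, y] for x in range(q0 + 2 * q1 + 1) for y in range(q0 + q1 + 1)
            if 0 <= q0 * x - 2 * q1 * y < det and 0 <= q0 * y - q1 * x < det]

if __name__ == "__main__":
    taps, d = [0, 1, 1, 1], 2
    q = conn_number(taps, d)                          # [5, 2] = 5 + 2 pi
    h = [1, 1]                                        # 1 + pi, a point of Delta_q
    print(pi_adic_bits(h, q, 16), dfcsr_state(taps, d, h))
```

For h = 1 + π the register loading is (1,1,1,0) with memory π, the expansion has period 16, and it equals A·3^j (mod 17)(mod 2) with A = ψ(h)·s_0 = 7·5 ≡ 1; the 17 points of ∆_q are 0 together with the 16 values −h runs through, so every representative in the parallelogram gives a strictly periodic sequence, as the table in Figure 9 lists.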
Galois architecture for d-FCSRs
In the Galois architecture for a d-FCSR, the carried bits are delayed $d-1$ steps before being fed back, so the output of the memory or "carry" cell $c_i$ is fed into the register cell $a_{i+d-2}$. (Recall that the register cells are numbered starting from $a_0$.) If there are $r$ feedback multipliers $q_1, \ldots, q_r$ and $r$ carry cells $c_1, \ldots, c_r$, then $r + d - 1$ register cells $a_0, \ldots, a_{r+d-2}$ are evidently needed, since $c_r$ feeds into $a_{r+d-2}$. This is illustrated in Figure 10 for $d = 2$. If $d \ge 3$ the situation is more complicated, and $t$ "additional" memory cells $c_{r+1}, \ldots, c_{r+t}$ are needed, which feed into $t$ "additional" register cells $a_{r+d-1}, \ldots, a_{r+t+d-2}$. It is not at all obvious at first glance whether the amount $t$ of extra memory can be chosen to be finite without incurring a memory overflow during the operation of the shift register. However (see Theorem 4.8 below) we show that this is indeed the case, and henceforth we suppose that $t$ has been chosen as described there, sufficiently large to avoid any memory overflow. Suppose a Galois d-FCSR is initially loaded with given values $(a_0, a_1, \ldots, a_{r+t+d-2};\ c_1, c_2, \ldots, c_{r+t})$. The register operates as follows. (To simplify notation, set $q_j = 0$ for $j \ge r+1$, set $c_j = 0$ for $j \le 0$ and also for $j \ge r+t+1$, and set $a_j = 0$ for $j \ge r+t+d-1$.) For each $j$ (with $1 \le j \le r+t+d-1$) form the integer sum $\sigma_j = a_0 q_j + a_j + c_{j-d+1}$; it is between 0 and 3. The new values are given by $a_{j-1} = \sigma_j \pmod 2$ and $c_j = \sigma_j \operatorname{div} 2$, that is,
(Note, for example, that these equations say $a_{r+t+d-2} = c_{r+t}$.) For such a Galois d-FCSR define the connection "number"
For a given initial loading $(a_0, \ldots, a_{r+t+d-2};\ c_1, c_2, \ldots, c_{r+t})$, using the same conventions as above,
Theorem 4.6 If $t$ is large enough that no memory overflow occurs (as described in Theorem 4.8 below), then the output sequence $\{b_0, b_1, \ldots\}$ of the Galois d-FCSR coincides with the π-adic expansion of the fraction $\alpha = -h/q \in \mathbb{Z}_\pi$. Thus if the Galois d-FCSR is in a purely periodic state,
Proof: The proof is similar to that of Theorem 2.4. Given $h$ and $q$ as above, let $B =$
By the same argument as above, the constant term of $qB + h$ vanishes. Hence $qB + h$ is divisible by $\pi^2$. By induction we find that $qB + h$ is divisible by $\pi^n$ for all $n$, which is to say $qB + h = 0$. □

Using Theorem 4.5 we have the following corollary.
Memory considerations
In the following analysis we make use of some ideas from [13].
then no memory overflow will occur and in fact, for any initial loading of the shift register, the memory will decrease until the value (27) of $h$ satisfies
$$|h| \le \frac{|q|}{|\pi| - 1}$$
and it will remain within this range thereafter.
Here, as in [13], the fact that $|\pi| > 1$ is crucial. Proof: First suppose the initial loading $(a_0, \ldots, a_{r+t+d-2};\ c_1, \ldots, c_{r+t})$ satisfies (29). Then the same will be true for every subsequent state of the shift register. Consequently, if $t$ is chosen so that (28) holds, then no memory overflow will occur. □
A deeper result of Klapper and Xu [13] states that even if negative coefficients are permitted in the register contents, the memory will nevertheless remain bounded.
Model for Galois d-FCSR. Now we wish to describe a model for the Galois d-FCSR. Define $R = \mathbb{Z}[\pi]/(q)$ and $T : R \to \mathbb{Z}/(2)$ as in Theorem 4.3. Define $E : \{\text{states}\} \to \mathbb{Z}[\pi]/(q)$ to be the mapping which assigns to any state $(a_0, a_1, \ldots, a_{r+t+d-2};\ c_1, \ldots, c_{r+t})$ the element $h \pmod q$, where $h$ is defined in (27).

Unfortunately, we do not have a clear notion of "admissible states" for the Galois d-FCSR architecture when $d \ge 2$. The best we can do is to let $L$ denote the set of states for which $h$ lies in the open parallelepiped $P(q, q\pi, \ldots, q\pi^{d-1})$. Then Theorem 4.6 gives us the following result.

Theorem 4.9 The collection $\{R, E, T\}$ is a projective model for the Galois d-FCSR. For any initial loading in $L$, the output of the Galois d-FCSR is strictly periodic. The mapping $E$ is a surjection from $L$ to $\mathbb{Z}[\pi]/(q)$ such that the change of state is given by $h \mapsto \pi^{-1} h$. Hence the output sequence is $b_j = h \pi^{-j} \pmod q \pmod \pi$. This association induces a one-to-one correspondence between the strictly periodic states of the d-FCSR and the elements $h \in \mathbb{Z}/(N(q))$.

By choosing complete sets of representatives for $\mathbb{Z}[\pi]/(q)$ other than $\Delta_q$, we obtain different models with the same ring $R$. Every periodic state is accounted for by at least one such model. Thus we have the following corollary to Theorems 4.9 and 4.3.

Unfortunately our understanding of the Galois d-FCSR architecture still leaves much to be desired. We do not know how to find a class of "admissible" states for which the output is strictly periodic (as we did in the case of the FCSR). We do not know an optimal estimate of the amount of memory needed for the d-FCSR (except in the case $d = 2$). We do not know how to describe the output of the $k$th cell.
Conclusions
We have found a "Galois" representation for FCSR and d-FCSR pseudorandom sequence generators. We have constructed "models" for the behavior of LFSR, FCSR, and d-FCSR generators, both in their Fibonacci and Galois representations. In each case, we find the Galois representation to be simpler, especially with regard to the computation of the initial loading of the register. Moreover, in the FCSR and d-FCSR cases, the Galois circuitry is faster since the arithmetic operations occur in parallel. We have analyzed the operation of the d-FCSR circuit using some rather sophisticated number theory, and have shown how it can be configured so as to give output sequences of the form $a_i = A b^i \pmod N \pmod 2$.
