Deciding Irreducibility/Indecomposability of Feedback Shift Registers is NP-hard
arXiv:1702.01423v1 [cs.CC] 5 Feb 2017
Lin WANG
Science and Technology on Communication Security Laboratory
Chengdu 610041, P. R. China
Email: linwang@math.pku.edu.cn
Abstract
Feedback shift registers (FSRs) are a fundamental component in electronics and secure communication.
An FSR f is said to be reducible if all the output sequences of another FSR g can also be generated by
f and the FSR g has less memory than f. An FSR is said to be decomposable if it has the same set
of output sequences as a cascade connection of two FSRs. It is proved that deciding whether FSRs are
irreducible/indecomposable is NP-hard.
Key words: feedback shift registers, irreducible, indecomposable, NP-hard, Boolean circuit, cycle structure
1 Introduction
Feedback shift registers are broadly used in spread spectrum radio, control engineering and confidential
digital communication. Consequently, this subject has attracted substantial research over half a century.
Particularly, feedback shift registers play a significant role in the stream cipher finalists of the eSTREAM
project [10].
Figure 1: A feedback shift register with feedback logic f1 (bit registers x_{n−1}, x_{n−2}, . . . , x1, x0 shifting toward the output; f1(x0, x1, . . . , x_{n−1}) is fed back into x_{n−1})
As shown in Figure 1, an n-stage feedback shift register (FSR) consists of n bit registers x0, x1, . . . , xn−1
and an n-input feedback logic f1. The vector (x0(t), x1(t), . . . , xn−1(t)) is called a state of this FSR, where
xi(t) is the value of xi at clock cycle t, 0 ≤ i < n. The state at clock cycle 0 is called the initial state. Along
with clock impulses the values stored in bit registers update themselves as
(x0(t+ 1), x1(t+ 1), . . . , xn−1(t+ 1)) = (x1(t), . . . , xn−1(t), f1(x0(t), x1(t), . . . , xn−1(t))) , (1)
and the map defined by Eq.(1) is called the state transformation of this FSR.
The (n + 1)-input Boolean function f(x0, x1, . . . , xn) = xn ⊕ f1(x0, x1, . . . , xn−1), where ⊕ denotes
exclusive-or, is called the characteristic function of the FSR in Figure 1, and without ambiguity we also
denote this FSR by f . Let G (f) denote the set of sequences generated by f , i.e.,
G (f) = {s ∈ {0, 1}∗ : ∀t, f(s(t), s(t+ 1), . . . , s(t+ n)) = 0} ,
where {0, 1}∗ is the set of binary sequences. If f(x0, x1, . . . , xn) = xn ⊕ cn−1xn−1 ⊕ · · · ⊕ c1x1 ⊕ c0x0, where
c0, c1, . . . , cn−1 ∈ {0, 1}, then f is called a linear feedback shift register (LFSR), and p(x) = xn ⊕ cn−1xn−1 ⊕
· · · ⊕ c1x ⊕ c0 is called its characteristic polynomial. Without ambiguity we also denote this LFSR by p(x).
An FSR which is not an LFSR is called a nonlinear feedback shift register (NFSR).
If there exists an m-stage FSR g such that m < n and G (g) ⊂ G (f), then g is called a subFSR of f
and f is said to be reducible. Otherwise, f is said to be irreducible.
Figure 2: The cascade connection of f into g (the output x0 of the FSR f is XORed into the feedback g1(y0, y1, . . . , ym−1) of the FSR g; the output of the cascade is y0)
Let f(x0, x1, . . . , xn) = xn ⊕ f1(x0, x1, . . . , xn−1) and g(y0, y1, . . . , ym) = ym ⊕ g1(y0, y1, . . . , ym−1) be
two FSRs. The finite state machine in Figure 2 is called the cascade connection of f into g. The Grain
family ciphers use the cascade connection of an LFSR into an NFSR [5]. Green and Dimond [4] defined the
product FSR¹ of f and g to be
(f ∗ g)(x0, x1, . . . , xn+m) = f(g(x0, x1, . . . , xm), g(x1, x2, . . . , xm+1), . . . , g(xn, xn+1, . . . , xn+m)),
and showed G (f ; g) = G (f ∗ g), where G (f ; g) is the set of output sequences of the cascade connection
of f into g. Given an FSR h, if there exist two FSRs f and g satisfying h = f ∗ g, then h is said to be
decomposable. Otherwise, h is said to be indecomposable.
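The following Python is added here as an illustration and is not code from the paper: it simulates the FSR of Figure 1, the cascade connection of Figure 2 and the Green-Dimond product f ∗ g, and checks G(f; g) ⊂ G(f ∗ g) as well as the LFSR case p(x) = l1(x) · l2(x) on constructed sample FSRs.

```python
from itertools import product

def fsr_step(f1, state):
    """One clock of the FSR in Figure 1: registers shift toward the output, f1(state) enters x_{n-1}."""
    return state[1:] + (f1(state),)

def output_sequence(f1, init, length):
    """The first `length` output bits s(0), s(1), ... of the FSR with feedback logic f1 and initial state init."""
    seq, st = [], tuple(init)
    for _ in range(length):
        seq.append(st[0])
        st = fsr_step(f1, st)
    return seq

def characteristic(f1, n):
    """Characteristic function f(x0, ..., xn) = xn xor f1(x0, ..., x_{n-1}) of the n-stage FSR f1."""
    return lambda *x: x[n] ^ f1(x[:n])

def product_fsr(f, n, g, m):
    """Green-Dimond product (f * g)(x0..x_{n+m}) = f(g(x0..xm), g(x1..x_{m+1}), ..., g(xn..x_{n+m}))."""
    return lambda *x: f(*(g(*x[i:i + m + 1]) for i in range(n + 1)))

def is_generated_by(h, k, seq):
    """Membership in G(h): h(s(t), ..., s(t+k)) = 0 for every window of the sequence."""
    return all(h(*seq[t:t + k + 1]) == 0 for t in range(len(seq) - k))

def cascade_output(f1, n, g1, m, x_init, y_init, length):
    """Cascade connection of f into g (Figure 2): the output bit x0 of f is XORed into the feedback of g."""
    x, y, seq = tuple(x_init), tuple(y_init), []
    for _ in range(length):
        seq.append(y[0])
        y = y[1:] + (g1(y) ^ x[0],)
        x = fsr_step(f1, x)
    return seq

def cascade_matches_product(f1, n, g1, m, length=24):
    """Check G(f; g) subset of G(f * g) exhaustively over all initial states of the cascade."""
    h = product_fsr(characteristic(f1, n), n, characteristic(g1, m), m)
    return all(is_generated_by(h, n + m, cascade_output(f1, n, g1, m, xi, yi, length))
               for xi in product((0, 1), repeat=n) for yi in product((0, 1), repeat=m))

def linear_product_polynomial():
    """For LFSRs the product multiplies characteristic polynomials: (x^2 + x + 1)(x + 1) = x^3 + 1.
    Returns True iff f * g agrees with the LFSR x^3 + 1, whose characteristic function is x3 xor x0."""
    f = characteristic(lambda s: s[0] ^ s[1], 2)   # p(x) = x^2 + x + 1
    g = characteristic(lambda s: s[0], 1)          # p(x) = x + 1
    h = product_fsr(f, 2, g, 1)
    return all(h(*x) == (x[0] ^ x[3]) for x in product((0, 1), repeat=4))

if __name__ == "__main__":
    # constructed sample: f is the LFSR x^2 + x + 1, g is the 3-stage NFSR with g1(y) = (y0 and y1) xor y2
    print(linear_product_polynomial())
    print(cascade_matches_product(lambda s: s[0] ^ s[1], 2, lambda s: (s[0] & s[1]) ^ s[2], 3))
```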
It is appealing to decide whether an FSR is (ir)reducible/(in)decomposable for the reasons below.
First, it offers a new perspective on the analysis of stream ciphers. Notice that all sequences generated by
g are also generated by f ∗ g if f can output the 0-sequence. A reducible/decomposable FSR used
unawares may undermine the claimed security of a stream cipher, e.g., by causing an inadequate period of the output
sequences. Particularly, if g is an LFSR and f can output the 0-sequence, then f ∗ g can generate a family of
linear recurring sequences, vulnerable to the Berlekamp-Massey algorithm. Second, it potentially improves
the implementation of FSRs. On one hand, it costs less memory to replace an FSR with a subFSR of large stage,
if there is one, while still generating a great part of its output sequences. On the other hand, similar to the idea
of Dubrova [2], substituting a decomposable FSR by its equivalent cascade connection as in Figure 2 possibly
reduces the circuit depth of the feedback logics, in favor of less propagation time and larger throughput.
Third, an algorithm testing (ir)reducibility/(in)decomposability helps to design useful FSRs. Because Tian
and Qi [12] proved that on average at least one among three randomly chosen NFSRs is irreducible, a
great number of irreducible NFSRs can be found if deciding irreducibility of FSRs is feasible. Besides,
FSRs generating maximal-length sequences were constructed based on the inherent structure of decomposable
FSRs [9].
Two algorithms were proposed in [11] to find affine subFSRs of NFSRs. By [6], if an NFSR h is
decomposed as the cascade connection of an LFSR f into an NFSR g and f is primitive with stage no less
than that of g, then all affine subFSRs of h are actually those of g. (In)decomposability of LFSRs is completely
determined by their characteristic polynomials. By [4, 7, 13], an LFSR h, with its characteristic polynomial
p(x), is decomposed as h = f ∗ g if and only if f and g are LFSRs and p(x) = l1(x) · l2(x), where l1(x) and l2(x)
are the characteristic polynomials of f and g, respectively. In contrast, decomposing NFSRs seems much more
challenging, though some progress has been made recently. Using the language of algebraic normal forms of
Boolean functions, Ma et al. [8] gave an algorithm to decompose NFSRs into the cascade connection of an
NFSR into an LFSR, and Tian and Qi [13] gave a series of algorithms to decompose NFSRs into the cascade
connection of two NFSRs. Notably, Zhang et al. [14] obtained an algorithm decomposing an NFSR f into
the cascade connection of an NFSR into an LFSR, and the complexity of their algorithm is polynomial in
the size of the algebraic normal form of f and the size of the binary decision diagram of f if converting the
algebraic normal form of f to the binary decision diagram of f is polynomial-time computable.
¹ The product FSR of f and g is denoted by f.g in [4], while by f ∗ g in [9]. We follow the latter in order to avoid ambiguity
with periods or conventional multiplication.
Our contribution. This correspondence studies irreducibility and indecomposability from the perspective
of computational complexity. NP is the class of all problems computed by polynomial-time nondeterministic
Turing machines. A problem is NP-hard if it is at least as hard as all NP problems. This
correspondence proves that deciding whether an FSR is irreducible (indecomposable) is NP-hard.
The rest of this paper is organized as follows: In Section 2 we prepare some notations, basic facts on
Boolean circuits and some lemmas on the cycle structure of FSRs. NP-hardness of FSR irreducibility and
FSR indecomposability is shown in Sections 3 and 4, respectively. The last section includes a summary and
a comment on future work.
2 Preliminaries
2.1 Notations
Throughout this paper, Z denotes the set of integers, “+” addition of integers, and “⊕” the exclusive-or
(XOR) operation.
Denote $1_m = (1, 1, \ldots, 1) \in \{0,1\}^m$, $0_m = (0, 0, \ldots, 0) \in \{0,1\}^m$ and $\iota_m = (1, 0, \ldots, 0) \in \{0,1\}^m$. For
$u \in \{0,1\}^m$, denote $\bar{u} = u \oplus 1_m$ and $\hat{u} = u \oplus \iota_m$.
For $u = (a_1, a_2, \ldots, a_m) \in \{0,1\}^m$ and $1 \le k < m$, let
$$\lceil u \rceil_k = (a_1, a_2, \ldots, a_k) \in \{0,1\}^k; \qquad \lfloor u \rfloor_k = (a_{m-k+1}, a_{m-k+2}, \ldots, a_{m-1}, a_m) \in \{0,1\}^k.$$
For $u = (a_1, \ldots, a_k) \in \{0,1\}^k$ and $v = (b_1, \ldots, b_m) \in \{0,1\}^m$, denote $u \parallel v = (a_1, \ldots, a_k, b_1, \ldots, b_m) \in \{0,1\}^{k+m}$.
Without ambiguity a vector $(a_0, a_1, \ldots, a_{m-1}) \in \{0,1\}^m$ is uniquely taken as the nonnegative integer
$\sum_{j=0}^{m-1} 2^j a_j$. Thereby, the natural order relation on $\{0,1\}^m$ is imposed, i.e., $(a_0, a_1, \ldots, a_{m-1}) < (b_0, b_1, \ldots, b_{m-1})$ if and only if
$$\sum_{j=0}^{m-1} 2^j a_j < \sum_{j=0}^{m-1} 2^j b_j.$$
2.2 Boolean circuits
An m-input Boolean circuit f is a directed acyclic graph with m sources and one sink [1]. The value(s)
of the source(s) is (are) the input(s) of the Boolean circuit; any nonsource vertex, called a gate, is one of the logical
operations OR (∨), AND (∧) and NOT (¬), where the fan-in² of OR and AND is 2 and that of NOT is 1;
the value output from a gate is obtained by applying its logical operation to the value(s) input into
it; the value output from the sink is the output of the Boolean circuit f. The size of the circuit f,
denoted by SIZE(f), is the number of vertices in it. An m-input Boolean circuit f is satisfiable if there
exists v ∈ {0, 1}^m such that f(v) = 1.
PROBLEM: CIRCUIT SATISFIABILITY
INSTANCE: A Boolean circuit f with its size SIZE(f).
QUESTION: Is f satisfiable?
A decision problem in the class NP is NP-complete if it is not less difficult than any other NP problem.
Lemma 1. [1] The CIRCUIT SATISFIABILITY problem is NP-complete.
² The fan-in of a gate is the number of bits fed into it.
A decision problem P is polynomial-time Karp reducible to a decision problem Q if there is a polynomial-time
computable transformation T mapping instances of P to those of Q such that an instance x of P
answers yes if and only if T(x) answers yes [1]. A decision problem is NP-hard if an NP-complete problem
is polynomial-time Karp reducible to it [1].
An FSR is completely characterized by its feedback logic. We use Boolean circuits to characterize the
feedback logic of FSRs for the following two reasons³. First, FSRs are mostly implemented with silicon chips,
and the Boolean circuit is an abstract model of their feedback logic in silicon chips. Second, the Boolean
circuit is a generalization of the Boolean formula [1]. Therefore, in this correspondence the size of an FSR is
measured by the size of its feedback logic as a Boolean circuit.
2.3 The cycle structure of FSRs
A binary sequence s is a map from Z to {0, 1}. If there exists some τ ∈ Z such that s(t + τ) = s(t) for
any t ∈ Z, s is said to be periodic and the period of s is defined to be
$$\mathrm{per}(s) = \min\{\tau > 0 : s(t+\tau) = s(t) \text{ for all } t \in \mathbb{Z}\}.$$
Let f be an m-stage FSR. The following three statements are equivalent [3]: (i) The state transformation
of f is bijective. (ii) Any sequence generated by f is periodic. (iii) f(x0, x1, . . . , xm) = xm ⊕
g(x1, x2, . . . , xm−1) ⊕ x0 for some (m − 1)-input Boolean function g. If any of (i)-(iii) holds, f is said to be
nonsingular.
In the rest of this section we only consider nonsingular FSRs.
A sequence s of period m determines a cyclic sequence θ(s) = [s(0), s(1), . . . , s(m − 1)]. We call θ(s)
an m-cycle and also denote per(θ(s)) = m. For the m-cycle θ(s), define the set
$$S_k(\theta(s)) = \left\{ \big(s(i), s((i+1) \bmod m), \ldots, s((i+k-1) \bmod m)\big) \in \{0,1\}^k : 0 \le i < m \right\}.$$
Actually, any shift of a periodic sequence determines the same cycle, and {s′ : θ(s′) = θ(s)} is exactly the
set of all shifts of s. Furthermore, if s ∈ G(f) for a k-stage FSR f, then each vector in S_k(θ(s)) serves as a
unique initial state and hence determines a unique sequence in {s′ : θ(s′) = θ(s)}.
The cycle structure of an FSR f , denoted by CycStr (f), is {θ (s) : s ∈ G (f)}.
Following this definition, we have the lemma below.
Lemma 2. Let f and g be FSRs. Then g is a subFSR of f if and only if CycStr (g) ⊂ CycStr (f).
Lemma 3. Let f be an m-stage FSR. Suppose c, d ∈ CycStr(f) (including c = d), u ∈ S_m(c) and
û ∈ S_m(d). Then min(S_m(c) ∪ S_m(d)) < min{u, û} or u ∈ {0_m, ι_m}.
Proof. Let F denote the state transformation of the FSR f. Then
$$\{F(u), F(\hat{u})\} = \left\{ \langle u/2 \rangle,\ \langle u/2 \rangle + 2^{m-1} \right\},$$
where ⟨u/2⟩ = max{i ∈ Z : i ≤ u/2}.
Notice that F(u) ∈ S_m(c), F(û) ∈ S_m(d) and {u, û} = {2⟨u/2⟩, 2⟨u/2⟩ + 1}. If ⟨u/2⟩ > 0, then
⟨u/2⟩ < min{u, û}, implying
$$\min(S_m(c) \cup S_m(d)) \le \min\{F(u), F(\hat{u})\} < \min\{u, \hat{u}\}.$$
If ⟨u/2⟩ = 0, then u ∈ {0_m, ι_m}.
Lemma 4. Let C be a set of cycles. Then there exists an m-stage FSR f with CycStr(f) = C if and
only if the following two conditions hold: (i) $\sum_{c \in C} \mathrm{per}(c) = 2^m$; (ii) the map $v \mapsto \lfloor v \rfloor_m$ is injective on $\bigcup_{c \in C} S_{m+1}(c)$.
³ Some theorists adopt the term “propositional directed acyclic graph (PDAG)”, and a PDAG is essentially the same as a
Boolean circuit.
To prove Lemma 4, we use the following lemma.
Lemma 5. Let C be a set of finitely many cycles. Then the following three statements are equivalent:
(i) $\left|\bigcup_{c \in C} S_m(c)\right| = \sum_{c \in C} \mathrm{per}(c)$; (ii) the map $v \mapsto \lfloor v \rfloor_m$ is injective on $\bigcup_{c \in C} S_{m+1}(c)$; (iii) the map $v \mapsto \lceil v \rceil_m$ is injective on $\bigcup_{c \in C} S_{m+1}(c)$.
Proof. First we prove that Statements (i) and (ii) are equivalent.
Let $C = \{c_1, c_2, \ldots, c_k\}$ and $c_i = [c_{i,0}, c_{i,1}, \ldots, c_{i,p_i-1}]$, $1 \le i \le k$, where $p_i = \mathrm{per}(c_i)$. In this proof, a
tuple $(i, j)$ denotes a pair of integers satisfying $1 \le i \le k$ and $0 \le j < p_i$. Denote
$$x_{i,j} = (c_{i,(j+1) \bmod p_i}, c_{i,(j+2) \bmod p_i}, \ldots, c_{i,(j+m) \bmod p_i}); \qquad y_{i,j} = (c_{i,j}, c_{i,(j+1) \bmod p_i}, c_{i,(j+2) \bmod p_i}, \ldots, c_{i,(j+m) \bmod p_i}).$$
Notice $\bigcup_{c \in C} S_m(c) = \bigcup_{i=1}^{k} \{x_{i,j} : 0 \le j < p_i\}$ and $\bigcup_{c \in C} S_{m+1}(c) = \bigcup_{i=1}^{k} \{y_{i,j} : 0 \le j < p_i\}$. It is sufficient
to consider the cases below.
• Case $\left|\bigcup_{c \in C} S_m(c)\right| = \sum_{c \in C} \mathrm{per}(c)$. Then $x_{i,j} = x_{i',j'}$ if and only if $(i, j) = (i', j')$. Since $x_{i,j} = \lfloor y_{i,j} \rfloor_m$, $y_{i,j} = y_{i',j'}$ occurs only if $(i, j) = (i', j')$. That is, the map $y_{i,j} \mapsto \lfloor y_{i,j} \rfloor_m = x_{i,j}$ is injective on $\bigcup_{c \in C} S_{m+1}(c)$.
• Case $\left|\bigcup_{c \in C} S_m(c)\right| \ne \sum_{c \in C} \mathrm{per}(c)$. Then $x_{i_0,j_0} = x_{i'_0,j'_0}$ for some $(i_0, j_0) \ne (i'_0, j'_0)$.
Claim: If $x_{i,j_0} = x_{i',j'_0}$ for some $(i, j_0) \ne (i', j'_0)$, then there exist $(i, j_1)$ and $(i', j'_1)$ such that $x_{i,j_1} = x_{i',j'_1}$ and $y_{i,j_1} \ne y_{i',j'_1}$.
Proof of the claim. Assume that this claim does not hold. Then for any $(i, j_1)$ and $(i', j'_1)$, if $x_{i,j_1} = x_{i',j'_1}$ then $y_{i,j_1} = y_{i',j'_1}$. Notice that $y_{i,j} = y_{i',j'}$ implies $x_{i,(j-1) \bmod p_i} = x_{i',(j'-1) \bmod p_{i'}}$. Then $x_{i,(j_0-t) \bmod p_i} = x_{i',(j'_0-t) \bmod p_{i'}}$ for any $t \ge 0$. Hence, $c_i = c_{i'}$ and $p_i \mid (j'_0 - j_0)$, contradicting $(i, j_0) \ne (i', j'_0)$. Therefore, our assumption is absurd and the claim is proved.
Following this claim, we assume $x_{i_0,j_0} = x_{i'_0,j'_0}$ and $y_{i_0,j_0} \ne y_{i'_0,j'_0}$ for some $(i_0, j_0) \ne (i'_0, j'_0)$. Thus, the map $v \mapsto \lfloor v \rfloor_m$ is not injective on $\bigcup_{c \in C} S_{m+1}(c)$.
The proof of the equivalence of Statements (i) and (iii) is similar and we omit it here.
Proof of Lemma 4. By Lemma 5, it is sufficient to prove this statement: CycStr(f) = C if and only if $\left|\bigcup_{c \in C} S_m(c)\right| = \sum_{c \in C} \mathrm{per}(c) = 2^m$.
Suppose C = CycStr(f) for some m-stage FSR f. Then for any c ∈ C, a vector in S_m(c) is exactly an
initial state and uniquely determines a sequence in G(f). Thus, $\bigcup_{c \in C} S_m(c) = \{0,1\}^m$ and $\left|\bigcup_{c \in C} S_m(c)\right| = \sum_{c \in C} \mathrm{per}(c)$.
Suppose $\left|\bigcup_{c \in C} S_m(c)\right| = \sum_{c \in C} \mathrm{per}(c) = 2^m$. Then $\bigcup_{c \in C} S_m(c) = \{0,1\}^m$. Define an m-input Boolean
function f1 as follows. By Lemma 5, for any $v = (a_0, a_1, \ldots, a_{m-1}) \in \{0,1\}^m$, there exists a unique $b \in \{0,1\}$
such that $(a_0, a_1, \ldots, a_{m-1}, b) \in \bigcup_{c \in C} S_{m+1}(c)$. We define f1(v) = b. Immediately, C is the cycle structure
of an FSR whose feedback logic is logically equivalent to f1.
Lemma 6. Let f be an m-stage FSR and F the state transformation of f. Let c ∈ CycStr(f) and
per(c) = p. Then for any v ∈ S_m(c), $\min\{i > 0 : F^i(v) = v\} = p$ and $S_m(c) = \{v, F(v), \ldots, F^{p-1}(v)\}$.
Proof. Let v ∈ S_m(c) and $q = \min\{i > 0 : F^i(v) = v\}$. Clearly, q ≤ p. Then
$$c = [\lceil v \rceil_1, \lceil F(v) \rceil_1, \ldots, \lceil F^{q-1}(v) \rceil_1],$$
and q = per(c) = p. Because $\{F^i(v) : i \in \mathbb{Z}\} \subseteq S_m(c)$ and $|S_m(c)| \le \mathrm{per}(c)$, we conclude that $|S_m(c)| = p$
and $S_m(c) = \{v, F(v), \ldots, F^{p-1}(v)\}$ is a set of p vectors in $\{0,1\}^m$.
Lemma 7. Let g(x0, x1, . . . , xm) be an m-stage FSR and
$$f(x_0, x_1, \ldots, x_m) = g(x_0, x_1, \ldots, x_m) \oplus f_3(x_1, x_2, \ldots, x_{m-1}),$$
where f3 is an (m − 1)-input Boolean logic. Let λ : {0, 1}^m → {0, 1} be a map satisfying
$$\begin{aligned}
&|\{v \in S_m(c) : \lambda(v) = 1\}| \le 1 \text{ for any } c \in \mathrm{CycStr}(g);\\
&\lambda(v) \cdot \lambda(\hat{v}) = 0 \text{ for any } v \in \{0,1\}^m;\\
&\text{for any } u \in \{0,1\}^{m-1} \text{ with } f_3(u) = 1, \text{ there exists } b \in \{0,1\} \text{ satisfying } \lambda(b \parallel u) = 1.
\end{aligned} \qquad (2)$$
A directed graph $D^f_g$ is defined as follows: the set of vertices is CycStr(g), and an arc is incident from c1
to c2 if and only if
$$\{v \in S_m(c_1) : f_3(\lfloor v \rfloor_{m-1}) = 1,\ \lambda(v) = 1,\ \hat{v} \in S_m(c_2)\} \ne \emptyset.$$
If $D^f_g$ is acyclic, then the following two statements hold: (i) Any d ∈ CycStr(f) is joined by all cycles
in a weakly connected component⁴ C of $D^f_g$ and $S_m(d) = \bigcup_{c \in C} S_m(c)$. (ii) If h is a subFSR of f, then
CycStr(h) ⊂ CycStr(g).
Proof. Statement (i) of this lemma follows from the idea of the cycle joining method [3], and we leave its
proof to Appendix 6.1. Below we prove Statement (ii) of this lemma.
By Lemmas 2 and 4, it is sufficient to prove this statement: if C ⊂ CycStr(f) and C ⊄ CycStr(g),
then for any 1 ≤ k < m, the map $v \mapsto \lfloor v \rfloor_k$ is not injective on $\bigcup_{c \in C} S_{k+1}(c)$. Suppose d ∈ C \ CycStr(g).
As proved in Statement (i), d is joined by the cycles composing a weakly connected component D of the graph
$D^f_g$. Since D ⊂ CycStr(g) and d ∉ CycStr(g), we have |D| > 1. Hence, by Statement (i) and the definition
of $D^f_g$, there exists v ∈ {0, 1}^m satisfying {v, v̂} ⊂ S_m(d). Then for any 1 ≤ k < m, $\lceil v \rceil_{k+1}, \lceil \hat{v} \rceil_{k+1} \in S_{k+1}(d)$ satisfy $\lceil v \rceil_{k+1} \ne \lceil \hat{v} \rceil_{k+1}$ and $\lfloor \lceil v \rceil_{k+1} \rfloor_k = \lfloor \lceil \hat{v} \rceil_{k+1} \rfloor_k$. Therefore, the map $v \mapsto \lfloor v \rfloor_k$ is not injective
on S_{k+1}(d), and hence is not injective on $\bigcup_{c \in C} S_{k+1}(c)$.
Given an m-cycle c = [b0, b1, . . . , b_{m−1}], let $\bar{c}$ denote the cycle [b0 ⊕ 1, b1 ⊕ 1, . . . , b_{m−1} ⊕ 1].
The cycle structure of LFSRs is well understood.
Lemma 8. Let n = 3^k, 0 ≤ k ∈ Z. Let $p_0(x) = x^{2n} \oplus x^n \oplus 1$, $p_1(x) = (x \oplus 1) \cdot p_0(x)$, and $p_2(x) = x^{4n} \oplus x^{2n} \oplus 1$
be polynomials over the binary field F2. Then p0 is irreducible over F2 and
$$\begin{aligned}
\mathrm{CycStr}(p_0) &= \left\{[0], \beta_1, \beta_2, \ldots, \beta_{\frac{2^{2n}-1}{3n}}\right\},\\
\mathrm{CycStr}(p_1) &= \left\{[0], \beta_1, \beta_2, \ldots, \beta_{\frac{2^{2n}-1}{3n}}, [1], \bar{\beta}_1, \bar{\beta}_2, \ldots, \bar{\beta}_{\frac{2^{2n}-1}{3n}}\right\},\\
\mathrm{CycStr}(p_2) &= \left\{[0], \beta_1, \beta_2, \ldots, \beta_{\frac{2^{2n}-1}{3n}}, \gamma_1, \gamma_2, \ldots, \gamma_{\frac{2^{4n}-2^{2n}}{6n}}\right\},
\end{aligned}$$
where $\mathrm{per}(\beta_i) = \mathrm{per}(\bar{\beta}_i) = 3n$ for $1 \le i \le \frac{2^{2n}-1}{3n}$, and $\mathrm{per}(\gamma_i) = 6n$ for $1 \le i \le \frac{2^{4n}-2^{2n}}{6n}$.
Proof. Since $p_0(x) \cdot (x^{3^k} \oplus 1) = x^{3^{k+1}} \oplus 1$ and $\gcd(p_0, x^{3^k} \oplus 1) = 1$, the roots of p0 are exactly the primitive
$3^{k+1}$-th roots of unity. Thus, p0 is irreducible and $\min\{0 < t \in \mathbb{Z} : p_0 \mid (x^t - 1)\} = 3n$ is the order of any
primitive $3^{k+1}$-th root of unity in the multiplicative group of the finite field $\mathbb{F}_2[x]/(p_0(x))$.
The rest of this lemma directly follows from [7, Theorems 8.53, 8.55, 8.63].
⁴ Let D be a directed graph with its set of vertices V. An undirected graph H is obtained by taking each arc of D as an
edge of H. The weakly connected component(s) is (are) the connected component(s) of H. Formally, define a binary relation
$$R = \{(a, b) \in V \times V : \text{there is an arc incident from } a \text{ to } b \text{ or there is an arc incident from } b \text{ to } a\},$$
and then a weakly connected component of D is an equivalence class w.r.t. the equivalence closure of R.
3 NP-hardness of deciding irreducible FSRs
Below, Algorithm 1 transforms a given Boolean circuit to an FSR.
In the rest of this section, we use the notations f0, f3 and f defined in Algorithm 1.
Clearly, f is a nonsingular FSR.
Following Algorithm 1, the Boolean circuit f3 is described with Figures 3, 4, 5, 6 and 7. To ease our
presentation, from now on we also use operations with finite fan-in and fan-out for sketching a Boolean
circuit. For example, as x ⊕ y = ((¬x) ∧ y) ∨ ((¬y) ∧ x), we allow XOR (⊕), logically equivalent to a subcircuit
consisting of five gates. In Figures 3, 4, 5 and 6, the operation “?=” decides whether two 4n-bit inputs are
equal or not. In Figures 4 and 5, the operation “min” computes the minimum of two 4n-bit integers.
Figure 3: A diagram of the subcircuit CP (input x ∈ {0, 1}^{4n}; diagram labels: x ↦ x̂, L, L(x̂), . . . , L^{3n}(x̂), ?=, output)
Figure 4: A diagram of the subcircuit CMP (input x ∈ {0, 1}^{4n}; diagram labels: x ↦ x̂, L, L(x̂), L²(x̂), . . . , L^{3n}(x̂), . . . , L^{6n}(x̂), min, ?=, ¬, ∨, output)
Lemma 9. Let f1 be the feedback logic of the FSR f given by Algorithm 1. Then SIZE(f1) < 37908 · SIZE(f0)^4 and Algorithm 1 is polynomial-time computable.
Proof. The operation x ↦ x̂ uses one NOT gate on ⌈x⌉_1. Given the inputs (x0, x1, . . . , x_{4n−1}) and (y0, y1, . . . , y_{4n−1}),
the operation “?=” outputs ¬((x0 ⊕ y0) ∨ (x1 ⊕ y1) ∨ . . . ∨ (x_{4n−1} ⊕ y_{4n−1})) and costs at most 24n gates.
Algorithm 1 Transforming a Boolean circuit to an FSR
Input: An r-input Boolean circuit f0.
Output: A 4n-stage FSR f, where k = min{i ∈ Z : i ≥ log_3(r/2)} and n = 3^k.
1: {Construct a (4n − 1)-input Boolean circuit f3 with its pseudocode in Lines 2-37. In the rest of this
section, L denotes the state transformation of the LFSR x^{4n} ⊕ x^{2n} ⊕ 1.}
2: Let x ∈ {0, 1}^{4n−1} be the input of f3.
3: Let u0 = 0 ‖ x and v0 = 1 ‖ x.
4: for i = 1 to 6n do
5:   u_i = L(u_{i−1}) and v_i = L(v_{i−1}).
6:   a_i = f0(⌊u_i⌋_r) and b_i = f0(⌊v_i⌋_r).
7:   if L^{3n}(û_i) = û_i or L^{6n}(û_i) ≠ min{L^j(û_i) : 1 ≤ j ≤ 6n} then
8:     c_i = 1.
9:   else
10:    c_i = 0.
11:  end if
12:  if L^{3n}(v̂_i) = v̂_i or L^{6n}(v̂_i) ≠ min{L^j(v̂_i) : 1 ≤ j ≤ 6n} then
13:    d_i = 1.
14:  else
15:    d_i = 0.
16:  end if
17: end for
18: u_min = min{u_i : 1 ≤ i ≤ 6n} and v_min = min{v_i : 1 ≤ i ≤ 6n}.
19: if c1 ∧ c2 ∧ · · · ∧ c_{6n} = 1 and u_n = u_min and L^{3n}(û_min) = û_min then
20:   q(u0) = 1.
21: else
22:   q(u0) = 0.
23: end if
24: if d1 ∧ d2 ∧ · · · ∧ d_{6n} = 1 and v_n = v_min and L^{3n}(v̂_min) = v̂_min then
25:   q(v0) = 1.
26: else
27:   q(v0) = 0.
28: end if
29: if u0 = u_{3n} and u_{6n} = u_min and a1 ∨ a2 ∨ · · · ∨ a_{6n} = 1 then
30:   The Boolean circuit f3 returns 1.
31: else if v0 = v_{3n} and v_{6n} = v_min and b1 ∨ b2 ∨ · · · ∨ b_{6n} = 1 then
32:   The Boolean circuit f3 returns 1.
33: else if u0 ≠ u_{3n} and v0 ≠ v_{3n} and (u_{6n} = u_min or v_{6n} = v_min or q(u0) = 1 or q(v0) = 1) then
34:   The Boolean circuit f3 returns 1.
35: else
36:   The Boolean circuit f3 returns 0.
37: end if
38: return the FSR f(x0, . . . , x_{4n}) = x_{4n} ⊕ x_{2n} ⊕ x0 ⊕ f3(x1, x2, . . . , x_{4n−1}).
Figure 5: A diagram of the subcircuit MQ. Input: x ∈ {0, 1}^{4n}. Output: m(x), q(x) ∈ {0, 1}. (Diagram labels: L, L(x), L²(x), . . . , L^n(x), . . . , L^{6n}(x), min, CMP, ∧, ?=, CP.) The subcircuits CP and CMP are given in Figures 3 and 4, respectively.
Figure 6: A diagram of the subcircuit PS. Input: x ∈ {0, 1}^{4n}. Output: p(x), s(x) ∈ {0, 1}. (Diagram labels: L, L(x), L²(x), . . . , L^{3n}(x), . . . , L^{6n}(x), f0, ∨, ?=.)
Figure 7: A diagram of the Boolean circuit f3. (Diagram labels: y = 0 ‖ x, z = 1 ‖ x, MQ, PS, p(y), m(y), q(y), s(y), p(z), m(z), q(z), s(z), ∧, ∨, ¬, output.) The subcircuits MQ and PS are given in Figures 5 and 6, respectively.
The state transformation L is performed by one XOR gate, i.e., 5 gates. By Appendix 6.2, the operation “min”
uses 104n² + 66n − 22 gates.
Noticing r ≤ 2n ≤ 3r − 1, r ≤ SIZE(f0) and
$$f_1(x_0, \ldots, x_{4n-1}) = x_0 \oplus x_{2n} \oplus f_3(x_1, x_2, \ldots, x_{4n-1}),$$
we count gates in Figure 7 and obtain
$$\begin{aligned}
\mathrm{SIZE}(f_1) &= 11 + \mathrm{SIZE}(f_3)\\
&= 12n \cdot \mathrm{SIZE}(f_0) + 7488n^4 + 4752n^3 - 856n^2 + 274n + 69\\
&< 37908 \cdot \mathrm{SIZE}(f_0)^4.
\end{aligned}$$
The Boolean circuit f0 has SIZE(f0) vertices and fewer than 2 · SIZE(f0) arcs; the feedback logic f1
has at most 37908 · SIZE(f0)^4 vertices and at most 75816 · SIZE(f0)^4 arcs. The FSR f uses f0 and basic
polynomial-time computable operations at most 37908 · SIZE(f0)^4 times and its main architecture is
given by Figures 3, 4, 5, 6 and 7. Therefore, Algorithm 1 is polynomial-time computable.
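The following Python is an added illustration and not the paper's own code: it implements Lines 2-38 of Algorithm 1 literally for the smallest instance n = 1 (the case r ≤ 2, assumed here to keep the state space at 16 states), computes CycStr(f) as in Section 2.3, and decides reducibility with the criterion of Lemmas 2 and 4 by enumerating subsets of CycStr(f), so that Lemmas 8 and 14 can be checked on constructed sample circuits f0.

```python
from itertools import product

N = 1             # n = 3^k with k = 0, i.e. the size Algorithm 1 picks for r <= 2 (assumed small instance)
STAGES = 4 * N    # the FSR f returned by Algorithm 1 has 4n stages

def L_feedback(s):
    """Feedback logic of the LFSR x^{4n} + x^{2n} + 1; its state transformation is L."""
    return s[0] ^ s[2 * N]

def L(u):
    return u[1:] + (L_feedback(u),)

def L_pow(u, j):
    for _ in range(j):
        u = L(u)
    return u

def hat(u):
    """u-hat = u xor iota_{4n}: flip the first coordinate."""
    return (u[0] ^ 1,) + u[1:]

def as_int(u):
    """Read (a0, ..., a_{m-1}) as the integer sum 2^j a_j (Section 2.1)."""
    return sum(a << j for j, a in enumerate(u))

def tail(u, k):
    """floor(u)_k: the last k coordinates."""
    return u[len(u) - k:]

def f3(x, f0, r):
    """Lines 2-37 of Algorithm 1 on x in {0,1}^{4n-1}."""
    u, v = [(0,) + tuple(x)], [(1,) + tuple(x)]       # Line 3: u0 = 0||x, v0 = 1||x
    a, b, c, d = [], [], [], []
    for i in range(1, 6 * N + 1):                       # Lines 4-17
        u.append(L(u[-1])); v.append(L(v[-1]))
        a.append(f0(*tail(u[i], r))); b.append(f0(*tail(v[i], r)))
        for w, flags in ((u[i], c), (v[i], d)):         # c_i from u_i, d_i from v_i
            orbit = [L_pow(hat(w), j) for j in range(1, 6 * N + 1)]
            flags.append(L_pow(hat(w), 3 * N) == hat(w) or orbit[-1] != min(orbit, key=as_int))
    umin, vmin = min(u[1:], key=as_int), min(v[1:], key=as_int)   # Line 18
    q_u = all(c) and u[N] == umin and L_pow(hat(umin), 3 * N) == hat(umin)   # Lines 19-23
    q_v = all(d) and v[N] == vmin and L_pow(hat(vmin), 3 * N) == hat(vmin)   # Lines 24-28
    if u[0] == u[3 * N] and u[6 * N] == umin and any(a):                     # Lines 29-37
        return 1
    if v[0] == v[3 * N] and v[6 * N] == vmin and any(b):
        return 1
    if u[0] != u[3 * N] and v[0] != v[3 * N] and (u[6 * N] == umin or v[6 * N] == vmin or q_u or q_v):
        return 1
    return 0

def algorithm1(f0, r):
    """Line 38: feedback logic of f = x_{4n} xor x_{2n} xor x0 xor f3(x1, ..., x_{4n-1})."""
    return lambda s: s[2 * N] ^ s[0] ^ f3(s[1:], f0, r)

def is_nonsingular(f1, m):
    """Statement (i) of Section 2.3: the state transformation is a bijection on {0,1}^m."""
    return len({s[1:] + (f1(s),) for s in product((0, 1), repeat=m)}) == 1 << m

def cycle_structure(f1, m):
    """CycStr(f) of a nonsingular m-stage FSR: each cycle as the tuple of output bits over one period."""
    seen, cycles = set(), []
    for start in product((0, 1), repeat=m):
        if start in seen:
            continue
        cyc, s = [], start
        while s not in seen:
            seen.add(s); cyc.append(s[0]); s = s[1:] + (f1(s),)
        cycles.append(tuple(cyc))
    return cycles

def windows(cyc, m):
    """S_m(c): the m-bit windows read cyclically around the cycle c."""
    p = len(cyc)
    return {tuple(cyc[(i + j) % p] for j in range(m)) for i in range(p)}

def has_sub_fsr(f1, n):
    """Lemmas 2 and 4: f is reducible iff some subset C of CycStr(f) and some 1 <= m < n satisfy
    |union of S_m(c)| = sum of per(c) = 2^m, the criterion used in the proof of Lemma 4."""
    cycles = cycle_structure(f1, n)
    for m in range(1, n):
        for mask in range(1, 1 << len(cycles)):
            chosen = [cyc for i, cyc in enumerate(cycles) if mask >> i & 1]
            if sum(map(len, chosen)) == 1 << m and \
               len(set().union(*(windows(cyc, m) for cyc in chosen))) == 1 << m:
                return True
    return False

def is_satisfiable(f0, r):
    return any(f0(*x) for x in product((0, 1), repeat=r))

def lemma14_holds(f0, r):
    """Lemma 14 on this instance: the FSR f is irreducible iff f0 is satisfiable."""
    return (not has_sub_fsr(algorithm1(f0, r), STAGES)) == is_satisfiable(f0, r)

if __name__ == "__main__":
    # constructed sample circuits: AND is satisfiable, x AND NOT x is not
    print(lemma14_holds(lambda x, y: x & y, 2), lemma14_holds(lambda x, y: x & (1 - x), 2))
```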
In the rest of this section, n is as given in Algorithm 1, p0 and p2 are the polynomials defined in
Lemma 8, and we also denote C_{6n} = CycStr(p2) \ CycStr(p0).
Lemma 10. Let v ∈ S_{4n}(β), where β ∈ CycStr(p0). Then v̂ ∈ S_{4n}(γ) for some γ ∈ C_{6n}.
Proof. Suppose v̂ ∈ S_{4n}(γ) for some γ ∈ CycStr(p0). By Lemmas 6 and 8, L^{3n}(v̂) = v̂ and L^{3n}(v) = v.
Since L is a linear transformation and ι_{4n} = v ⊕ v̂, we have L^{3n}(ι_{4n}) = ι_{4n}, contradicting L^{3n}(ι_{4n}) =
(0^n 1 0^{2n−1} 1 0^{n−1}), where this vector is written without commas between bits. Therefore, the supposition
above is absurd and γ ∈ C_{6n}.
Because any v ∈ {0, 1}^{4n}, as an initial state of the 4n-stage LFSR p2, determines a unique cycle, in the
rest of this section we denote ξ(v) = c ∈ CycStr(p2) such that v ∈ S_{4n}(c).
Lemma 11. Let
$$D = \left\{ c \in \mathrm{CycStr}(p_2) : \xi\big(\min S_{4n}(c) \oplus \iota_{4n}\big) \in \mathrm{CycStr}(p_0),\ \{v \in S_{4n}(c) : \xi(\hat{v}) \in C_{6n} \text{ and } \hat{v} = \min S_{4n}(\xi(\hat{v}))\} = \emptyset \right\}$$
and define a map $\rho : \mathrm{CycStr}(p_2) \to \{0,1\}^{4n}$ as
$$\rho(c) = \begin{cases} \min S_{4n}(c), & \text{if } c \in \mathrm{CycStr}(p_2) \setminus D;\\ L^{5n}(\min S_{4n}(c)), & \text{if } c \in D. \end{cases}$$
Then the following two statements hold: (i) $D \subset C_{6n}$ and for any $c \in D$, $\xi(\widehat{\rho(c)}) \in C_{6n} \setminus D$. (ii) If
$c \in \mathrm{CycStr}(p_2)$ and $\widehat{\rho(c)} \in \{\rho(e) : e \in \mathrm{CycStr}(p_2)\}$, then $c \in \{[0], \xi(\iota_{4n})\}$.
Proof. For convenience in this proof we may write a cycle or vector without commas between its bits.
Claim: If $c \in \mathrm{CycStr}(p_2)$ satisfies $\xi(\min S_{4n}(c) \oplus \iota_{4n}) \in \mathrm{CycStr}(p_0)$, then $c = [1u_0\,0u_1\,0u_2\,0u_0\,1u_1\,0u_2]$,
where $u_0, u_1, u_2 \in \{0,1\}^{n-1}$, $u_2 = u_0 \oplus u_1$ and $(1u_0\,0u_1\,0u_2\,0u_0) = \min S_{4n}(c)$.
Proof of the claim. By Lemma 10, $c \in C_{6n}$. Denote $c = [a_0u_0\,a_1u_1\,a_2u_2\,a_3u_3\,a_4u_4\,a_5u_5]$, where
$$a_i \in \{0,1\},\ 0 \le i \le 5; \qquad u_i \in \{0,1\}^{n-1},\ 0 \le i \le 5; \qquad (a_0u_0\,a_1u_1\,a_2u_2\,a_3u_3) = \min S_{4n}(c).$$
Notice $\xi(\iota_{4n}) = [1\,0^{4n-1}\,1\,0^{2n-1}]$. Then $a_0u_0a_1u_1a_2u_2a_3u_3a_4u_4a_5u_5$, with the bits at positions 0 and 4n complemented, is the concatenation of two copies of the same cycle in
$\mathrm{CycStr}(p_0)$, implying $a_2 = a_0 \oplus a_1 \oplus 1$ and $u_2 = u_0 \oplus u_1$. By Lemma 8,
$$c = [a_0u_0\,a_1u_1\,a_2u_2\,\bar{a}_0u_0\,\bar{a}_1u_1\,a_2u_2].$$
By
$$(a_0u_0\,a_1u_1\,a_2u_2\,\bar{a}_0u_0) \le (\bar{a}_0u_0\,\bar{a}_1u_1\,a_2u_2\,a_0u_0),$$
we have $a_0 = 1$. By
$$(a_0u_0\,a_1u_1\,a_2u_2\,\bar{a}_0u_0) \le (u_0\,a_1u_1\,a_2u_2\,\bar{a}_0u_0\,\bar{a}_1),$$
we have $a_1 = 0$. Then $a_2 = 0$. The proof of this claim is complete.
For a kn-cycle $c = [b_0, b_1, \ldots, b_{kn-1}]$, we call
$$(b_i, b_{(i+n) \bmod kn}, b_{(i+2n) \bmod kn}, \ldots, b_{(i+(k-1)n) \bmod kn})$$
an n-sampling of c, 0 ≤ i < kn.
Choose any $c \in D$. Because of the claim above, let $c = [1u_0\,0u_1\,0u_2\,0u_0\,1u_1\,0u_2]$, where $u_0, u_1, u_2 \in \{0,1\}^{n-1}$, $u_2 = u_0 \oplus u_1$ and $(1u_0\,0u_1\,0u_2\,0u_0) = \min S_{4n}(c)$. Then
$$\widehat{\rho(c)} = \iota_{4n} \oplus L^{5n}(\min S_{4n}(c)) = (1u_2\,1u_0\,0u_1\,0u_2)$$
and hence
$$\xi(\widehat{\rho(c)}) = [1u_2\,1u_0\,0u_1\,0u_2\,1u_0\,1u_1].$$
First, $3n \nmid \mathrm{per}(\xi(\widehat{\rho(c)}))$. By Lemma 8, $\xi(\widehat{\rho(c)}) \in C_{6n}$. Second, as shown in the claim above, there is an n-sampling $(100010)$ of any cycle in $D$, while $(100010)$ is not an n-sampling of $\xi(\widehat{\rho(c)})$. Hence, $\xi(\widehat{\rho(c)}) \notin D$.
By Lemma 10, $c \notin \mathrm{CycStr}(p_0)$. Till now Statement (i) of this lemma is proved.
Now we prove Statement (ii) of this lemma.
Denote $v_0 = (0\,1\,0^{4n-2})$. Then $\xi(\hat{v}_0) = [1\,1\,0^{4n-2}\,1\,1\,0^{2n-2}]$. By Lemma 8, $\xi(\hat{v}_0) \in C_{6n}$. Seeing
$\hat{v}_0 = \min S_{4n}(\xi(\hat{v}_0))$ and $v_0 \in S_{4n}(\xi(\iota_{4n}))$, we have $\xi(\iota_{4n}) \notin D$ and $\iota_{4n} = \rho(\xi(\iota_{4n}))$.
Denote $V_c = \{\rho(e) : e \in \mathrm{CycStr}(p_2)\}$. Notice that $\rho(c) \in S_{4n}(c)$, $c \in \mathrm{CycStr}(p_2)$. It is sufficient to
consider the following cases.
1. If $c \in D$, by Statement (i), $\xi(\widehat{\rho(c)}) \in C_{6n} \setminus D$. By the definition of $D$,
$$\widehat{\rho(c)} \ne \min S_{4n}(\xi(\widehat{\rho(c)})) = \rho(\xi(\widehat{\rho(c)}))$$
and hence $\widehat{\rho(c)} \notin V_c$.
2. If $\xi(\iota_{4n}) \ne c \in C_{6n} \setminus D$, then $\rho(c) = \min S_{4n}(c) \notin \{0_{4n}, \iota_{4n}\}$. By the definition of $D$, $\xi(\widehat{\rho(c)}) \notin D$,
yielding $\rho(\xi(\widehat{\rho(c)})) = \min S_{4n}(\xi(\widehat{\rho(c)}))$. By Lemma 3, $\widehat{\rho(c)} \ne \min S_{4n}(\xi(\widehat{\rho(c)}))$ and hence
$\widehat{\rho(c)} \notin V_c$.
3. If $[0] \ne c \in \mathrm{CycStr}(p_0)$ and $\xi(\widehat{\rho(c)}) \notin D$, then similarly to Case 2, we also get $\widehat{\rho(c)} \notin V_c$.
4. If $c \in \mathrm{CycStr}(p_0)$ and $\xi(\widehat{\rho(c)}) \in D$, then by the proved Statement (i) of this lemma,
$$c \ne \xi\Big(\rho\big(\xi(\widehat{\rho(c)})\big) \oplus \iota_{4n}\Big) \in C_{6n}.$$
Because $\xi(\rho(e)) = e$ for any $e \in \mathrm{CycStr}(p_2)$, we have $\widehat{\rho(c)} \ne \rho(\xi(\widehat{\rho(c)}))$, yielding $\widehat{\rho(c)} \notin V_c$.
5. Besides, consider $c \in \{[0], \xi(\iota_{4n})\}$. We have $\widehat{\rho([0])} = \iota_{4n} = \rho(\xi(\iota_{4n}))$ since $\xi(\iota_{4n}) \in C_{6n} \setminus D$.
Till now all cases are listed and Statement (ii) of this lemma holds.
Lemma 12. Let ρ be given in Lemma 11. Let the map $\lambda : \{0,1\}^{4n} \to \{0,1\}$ be defined as
$$\lambda(v) = \begin{cases} 1, & \text{if } v \in \{\rho(c) : c \in \mathrm{CycStr}(p_2)\} \text{ and } \xi(\hat{v}) \in C_{6n};\\ 0, & \text{otherwise.} \end{cases}$$
Let $D^f_{p_2}$ be the graph defined as in Lemma 7 (recall that f and f3 are given in Algorithm 1). Then the
following statements hold: (i) Statements (i) and (ii) of Lemma 7 hold, where g in Lemma 7 is the LFSR
p2. (ii) Each $c \in C_{6n}$ is not an isolated vertex in $D^f_{p_2}$. (iii) Every $c \in \mathrm{CycStr}(p_0)$ is an isolated vertex in
$D^f_{p_2}$ if and only if f0 is unsatisfiable.
Proof. Since $\rho(c) \in S_{4n}(c)$ for any $c \in \mathrm{CycStr}(p_2)$, we have
$$|\{v \in S_{4n}(c) : \lambda(v) = 1\}| \le |\{\rho(c)\}| = 1.$$
Following from Statement (ii) of Lemma 11 and $\lambda(\iota_{4n}) = 0$, we have $\lambda(v) \cdot \lambda(\hat{v}) = 0$ for any $v \in \{0,1\}^{4n}$.
Use D defined in Lemma 11.
Let $q(u_0)$, $q(v_0)$, $u_i$ and $v_i$ be as in Algorithm 1, $0 \le i \le 6n$. Denote $e_0 = \xi(u_0)$ and $e_1 = \xi(v_0)$. By Lemmas 6 and 8: $S_{4n}(e_0) = \{u_i : 1 \le i \le 6n\}$; $S_{4n}(e_1) = \{v_i : 1 \le i \le 6n\}$; $u_0 = u_{6n}$;
$v_0 = v_{6n}$; $u_0 = u_{3n}$ (resp. $v_0 = v_{3n}$) if and only if $e_0 \in \mathrm{CycStr}(p_0)$ (resp. $e_1 \in \mathrm{CycStr}(p_0)$);
$L^{3n}(\hat{u}_i) = \hat{u}_i$ (resp. $L^{3n}(\hat{v}_i) = \hat{v}_i$) if and only if $\xi(\hat{u}_i) \in \mathrm{CycStr}(p_0)$ (resp. $\xi(\hat{v}_i) \in \mathrm{CycStr}(p_0)$);
$L^{6n}(\hat{u}_i) \ne \min\{L^j(\hat{u}_i) : 1 \le j \le 6n\}$ (resp. $L^{6n}(\hat{v}_i) \ne \min\{L^j(\hat{v}_i) : 1 \le j \le 6n\}$) if and only if $\hat{u}_i \ne \min S_{4n}(\xi(\hat{u}_i))$ (resp. $\hat{v}_i \ne \min S_{4n}(\xi(\hat{v}_i))$); $u_n = u_{\min}$ (resp. $v_n = v_{\min}$) if and only if $u_0 = L^{5n}(\min S_{4n}(e_0))$
(resp. $v_0 = L^{5n}(\min S_{4n}(e_1))$); $L^{3n}(\hat{u}_{\min}) = \hat{u}_{\min}$ (resp. $L^{3n}(\hat{v}_{\min}) = \hat{v}_{\min}$) is equivalent to $\xi(\hat{u}_{\min}) \in \mathrm{CycStr}(p_0)$ (resp. $\xi(\hat{v}_{\min}) \in \mathrm{CycStr}(p_0)$). Then $q(u_0) = 1$ (resp. $q(v_0) = 1$) if and only if $e_0 \in D$ and
$u_0 = \rho(e_0)$ (resp. $e_1 \in D$ and $v_0 = \rho(e_1)$). By Lemma 10, $\{e_0, e_1\} \not\subset \mathrm{CycStr}(p_0)$. Then $f_3(\lfloor u_0 \rfloor_{4n-1}) = f_3(\lfloor v_0 \rfloor_{4n-1}) = 1$ if and only if one of the following cases holds:
1. $e_0 \in \mathrm{CycStr}(p_0)$, $u_0 = \min S_{4n}(e_0)$ and $\{v \in S_{4n}(e_0) : f_0(\lfloor v \rfloor_r) = 1\} \ne \emptyset$;
2. $e_1 \in \mathrm{CycStr}(p_0)$, $v_0 = \min S_{4n}(e_1)$ and $\{v \in S_{4n}(e_1) : f_0(\lfloor v \rfloor_r) = 1\} \ne \emptyset$;
3. $e_0 \in C_{6n}$, $u_0 = \min S_{4n}(e_0)$ and $\xi(\hat{u}_0) = e_1 \in C_{6n}$;
4. $e_1 \in C_{6n}$, $v_0 = \min S_{4n}(e_1)$ and $\xi(\hat{v}_0) = e_0 \in C_{6n}$;
5. $e_0, e_1 \in C_{6n}$, $e_0 \in D$ and $u_0 = \rho(e_0)$;
6. $e_0, e_1 \in C_{6n}$, $e_1 \in D$ and $v_0 = \rho(e_1)$.
Considering Statement (i) of Lemma 11, we have
$$f_3(x) = \begin{cases}
1, & \text{if } x = \lfloor v \rfloor_{4n-1}, \text{ where } v = \rho(c) \text{ and } c, \xi(\hat{v}) \in C_{6n} \text{ (by Cases 3, 4, 5 and 6)};\\
1, & \text{if } x = \lfloor v \rfloor_{4n-1}, \text{ where } v = \rho(c),\ c \in \mathrm{CycStr}(p_0) \text{ and } \{u \in S_{4n}(c) : f_0(\lfloor u \rfloor_r) = 1\} \ne \emptyset \text{ (by Cases 1 and 2)};\\
0, & \text{otherwise.}
\end{cases} \qquad (3)$$
By Eq.(3) and Lemma 10, $f_3(x) = 1$ implies that there exists $v \in \{0,1\}^{4n}$ satisfying $x = \lfloor v \rfloor_{4n-1}$ and
$\lambda(v) = 1$.
Hitherto we have shown that Eq.(2) holds, where g in Eq.(2) is the LFSR p2.
By Lemma 3 and Statement (i) of Lemma 11, $D^f_{p_2}$ is loopless. Assume that $D^f_{p_2}$ is not acyclic. Then
in $D^f_{p_2}$ there is a walk $(c_0, c_1, \ldots, c_{m-1}, c_m)$ for some $m \ge 2$. Specifically, $c_i \in \mathrm{CycStr}(p_2)$, $0 \le i < m$, are
pairwise distinct, $c_m = c_0$, and for any $0 \le i < m$ there is an arc incident from $c_i$ to $c_{i+1}$. By Lemma 10
and the definition of λ, any $c \in \mathrm{CycStr}(p_0)$ is a source in $D^f_{p_2}$. Additionally, for $c \in D$, by Statement (i) of
Lemma 11 and
$$\{v \in S_{4n}(c) : \xi(\hat{v}) \in C_{6n} \text{ and } \hat{v} = \min S_{4n}(\xi(\hat{v}))\} = \emptyset,$$
no arc is incident from a cycle in $C_{6n}$ to c, i.e., any arc entering c leaves from a source in $\mathrm{CycStr}(p_0)$.
Besides, as shown in the proof of Lemma 11, $\rho(\xi(\iota_{4n})) = \iota_{4n}$ and $\xi(\hat{\iota}_{4n}) = [0]$, so $\xi(\iota_{4n})$ is a sink in
$D^f_{p_2}$. Therefore, $\xi(\iota_{4n}) \ne c_i \in C_{6n} \setminus D$ and $\rho(c_i) = \min S_{4n}(c_i)$, $0 \le i < m$. Noticing $\widehat{\rho(c_i)} \in S_{4n}(c_{i+1})$,
$0 \le i < m$, by Lemma 3, we have $\min S_{4n}(c_{i+1}) < \min S_{4n}(c_i)$ for $0 \le i < m$, implying $\min S_{4n}(c_0) < \min S_{4n}(c_0)$, which is ridiculous. Therefore, the assumption is absurd and $D^f_{p_2}$ is acyclic.
Till now we have proved that Eq.(2) holds and $D^f_{p_2}$ is acyclic, where g is the LFSR p2. By Lemma 7,
Statement (i) of this lemma is proved.
Now we prove Statement (ii) of this lemma. Suppose $c \in C_{6n}$.
• If $\xi(\iota_{4n} \oplus \min S_{4n}(c)) \in C_{6n}$, then $c \notin D$, $\rho(c) = \min S_{4n}(c)$ and $\lambda(\rho(c)) = 1$. By Eq.(3), an arc
leaves c.
• If $\xi(\iota_{4n} \oplus \min S_{4n}(c)) \in \mathrm{CycStr}(p_0)$ and
$$\{v \in S_{4n}(c) : \xi(\hat{v}) \in C_{6n} \text{ and } \hat{v} = \min S_{4n}(\xi(\hat{v}))\} \ne \emptyset,$$
let $v_0 \in S_{4n}(c)$ satisfy $\xi(\hat{v}_0) \in C_{6n}$ and $\hat{v}_0 = \min S_{4n}(\xi(\hat{v}_0))$. Clearly, $\xi(\hat{v}_0) \notin D$. Then $\rho(\xi(\hat{v}_0)) = \min S_{4n}(\xi(\hat{v}_0)) = \hat{v}_0$ and $\lambda(\hat{v}_0) = 1$. By Eq.(3), an arc enters c.
• If $\xi(\iota_{4n} \oplus \min S_{4n}(c)) \in \mathrm{CycStr}(p_0)$ and
$$\{v \in S_{4n}(c) : \xi(\hat{v}) \in C_{6n} \text{ and } \hat{v} = \min S_{4n}(\xi(\hat{v}))\} = \emptyset,$$
then $c \in D$. By Statement (i) of Lemma 11 and Eq.(3), an arc is incident from c to a cycle in $C_{6n} \setminus D$.
Till now Statement (ii) of this lemma is proved.
Now we prove Statement (iii) of this lemma. Since $\lambda(v) = 1$ occurs only if $\xi(\hat v) \in C_{6n}$, in $D^{f}_{p_2}$ no arc enters any $c \in \mathrm{CycStr}(p_0)$. Since $r \le 2n$ and $\bigcup_{c \in \mathrm{CycStr}(p_0)} S_{2n}(c) = \{0,1\}^{2n}$, we have
$$\Bigl\{\lfloor v\rfloor_r : v \in \bigcup_{c\in\mathrm{CycStr}(p_0)} S_{4n}(c)\Bigr\} = \Bigl\{\lfloor v\rfloor_r : v \in \bigcup_{c\in\mathrm{CycStr}(p_0)} S_{2n}(c)\Bigr\} = \{0,1\}^r.$$
By Lemma 10, $\lambda(\rho(c)) = 1$ for any $c \in \mathrm{CycStr}(p_0)$. Then by Eq.(3), in $D^{f}_{p_2}$ there exists an arc incident from some $c \in \mathrm{CycStr}(p_0)$ to some $d \in C_{6n}$ if and only if $f_0$ is satisfiable. Thus, Statement (iii) of this lemma is proved.
Lemma 13. If $g$ is a subFSR of the FSR $f$, then $g$ is of stage $2n$.
Proof. Let $g$ be of stage $m$. By Lemma 4, $\sum_{d \in \mathrm{CycStr}(g)} \mathrm{per}(d) = 2^m$. By Lemmas 2, 8 and Statement (i) of Lemma 12, for any $d \in \mathrm{CycStr}(g)$, $\mathrm{per}(d) \equiv |\{0_{4n}\} \cap S_{4n}(d)| \pmod{3n}$. Then we have an integer equation $a + 3nb = 2^m$, where $a \in \{0,1\}$ and $0 \le b < 2^{4n}/(3n)$. Since $2n = \min\{i > 0 : 3n \mid (2^i - 1)\}$, where $n = 3^k$ for some $1 \le k \in \mathbb{Z}$, we have $a = 1$ and $2n \mid m$. Hence, $m = 2n < 4n$.
Lemma 14. The FSR f is irreducible if and only if the Boolean circuit f0 is satisfiable.
Proof. Suppose $f_0$ to be unsatisfiable. By Statements (i) and (iii) of Lemma 12, $\mathrm{CycStr}(p_0) \subset \mathrm{CycStr}(f)$. By Lemma 2, $p_0$ is a subFSR of $f$ and hence $f$ is reducible.
Suppose $f_0$ to be satisfiable. Assume that $h$ is a subFSR of $f$. By Statement (i) of Lemma 12,
$$\mathrm{CycStr}(h) \subset \mathrm{CycStr}(p_2). \tag{4}$$
Furthermore, by Statements (i) and (ii) of Lemma 12, any cycle in $C_{6n}$ joins with other cycles to form a cycle in $\mathrm{CycStr}(f)$, implying
$$(\mathrm{CycStr}(p_2) \setminus \mathrm{CycStr}(p_0)) \cap \mathrm{CycStr}(f) = \emptyset. \tag{5}$$
Similarly, by Statements (i) and (iii) of Lemma 12, if $f_0$ is satisfiable, then
$$\mathrm{CycStr}(p_0) \not\subset \mathrm{CycStr}(f). \tag{6}$$
By Eqs.(4), (5), (6) and Lemma 2, we get
$$\mathrm{CycStr}(h) \subset \mathrm{CycStr}(f) \cap \mathrm{CycStr}(p_2) \subset \mathrm{CycStr}(f) \cap \mathrm{CycStr}(p_0) \subsetneq \mathrm{CycStr}(p_0).$$
By Lemma 13, $h$ is of stage $2n$. However, by Lemma 4,
$$2^{2n} = \sum_{c \in \mathrm{CycStr}(h)} \mathrm{per}(c) < \sum_{c \in \mathrm{CycStr}(p_0)} \mathrm{per}(c) = 2^{2n},$$
which is absurd. Therefore, $f$ is irreducible.
PROBLEM: FSR IRREDUCIBILITY
INSTANCE: An FSR f with its feedback logic f1 as a Boolean circuit of size SIZE (f1).
QUESTION: Is f irreducible?
By Lemmas 1, 9 and 14, Algorithm 1 is a polynomial-time Karp reduction from CIRCUIT SATISFIABILITY to FSR IRREDUCIBILITY. Therefore, we conclude that
Theorem 1. The FSR IRREDUCIBILITY problem is NP-hard.
4 NP-hardness of deciding indecomposable FSRs
Lemma 15. Let $f_0$ be an $r$-input Boolean logic and
$$
f_2(x) = \begin{cases}
0, & \text{if } x = 0^r;\\
1, & \text{if } x = 1^r \text{ and } f_0(1^r) = 1;\\
f_0(0^r), & \text{if } x = 1^r \text{ and } f_0(1^r) = 0;\\
f_0(x), & \text{otherwise.}
\end{cases} \tag{7}
$$
Then the Boolean function $f_2$ is satisfiable if and only if $f_0$ is satisfiable.
Below Algorithm 2 transforms a given Boolean circuit to an FSR.
Figure 8 is a sketch of f2. Following Algorithm 2, we describe f3 with Figure 9.
In the rest of this section, we use notations f0, f2, f3 and f defined in Algorithm 2.
Clearly, f is a nonsingular FSR.
Similar to Lemma 9, we count gates in Figure 9 and derive the lemma below.
Algorithm 2 Transforming a Boolean circuit to an FSR
Input: An r-input Boolean circuit f0.
Output: A (2n + 1)-stage FSR f, where k = min {i ∈ Z : i ≥ log3(r/2)} and n = 3^k.
1: Construct an r-input Boolean circuit f2 defined by Eq.(7).
2: {Construct a 2n-input Boolean circuit f3 with its pseudocode in Lines 3-13. In the rest of this section,
L denotes the state transformation of the LFSR x2n ⊕ xn ⊕ 1. }
3: Let (x1, x2, . . . , x2n) be the input of f3.
4: u0 = (x2n ⊕ xn ⊕ x1, x1 ⊕ x2, x2 ⊕ x3, . . . , x2n−1 ⊕ x2n).
5: for i = 1 to 3n do
6: ui = L(ui−1).
7: ai = f2(⌊ui⌋r).
8: end for
9: if u3n = min {ui : 1 ≤ i ≤ 3n} and a1 ∨ a2 ∨ · · · ∨ a3n = 1 then
10: The Boolean circuit f3 returns 1.
11: else
12: The Boolean circuit f3 returns 0.
13: end if
14: return the FSR f(x0, . . . , x2n+1) = x2n+1 ⊕ x2n ⊕ xn+1 ⊕ xn ⊕ x1 ⊕ x0 ⊕ f3(x1, x2, . . . , x2n).
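Algorithm 2 instantiated for r = 3 (so k = 1 and n = 3) and checked by brute force over the 2^7 states of the resulting FSR; this is an added example, not code from the paper. It builds f2 from Eq. (7), f3 from Lines 3-13 and the FSR f from Line 14, then enumerates the cycle structure; the two input circuits are constructed here, and ⌊v⌋_r is read as the last r coordinates, matching ⌊y⌋_{2n} = (x1, ..., x2n) in the proof of Lemma 18. With an unsatisfiable f0 the FSR is the LFSR p1 with 16 cycles (Lemma 22, Case (ii)); with a satisfiable f0 some cycles of p0 are joined (Lemma 18 (ii)) and f3(x) = 1 forces f3 to vanish on the complement of x, which is the fact behind Lemma 20.

```python
from itertools import product

R, N = 3, 3        # r = 3 inputs for f0 (assumed); n = 3^k with k = min{i : i >= log3(r/2)} = 1
M = 2 * N          # f3 has 2n inputs; the FSR f has 2n+1 stages


def as_int(v):
    """Identify (v0, ..., v_{m-1}) with the integer sum v_i * 2^i (Appendix 6.2)."""
    return sum(bit << i for i, bit in enumerate(v))


def lfsr_L(u):
    """State transformation L of the LFSR x^{2n} + x^n + 1 on 2n-bit tuples."""
    return u[1:] + (u[0] ^ u[N],)


def make_f2(f0):
    """Eq. (7): f2(0^r) = 0 and f2 is satisfiable iff f0 is (Lemma 15)."""
    zero, one = (0,) * R, (1,)* R

    def f2(x):
        if x == zero:
            return 0
        if x == one:
            return 1 if f0(one) else f0(zero)
        return f0(x)
    return f2


def make_f3(f2):
    """Lines 3-13 of Algorithm 2; x is the tuple (x1, ..., x2n), so x[i] holds x_{i+1}."""
    def f3(x):
        # Line 4: u0 = (x2n + xn + x1, x1 + x2, ..., x_{2n-1} + x2n)
        u = (x[M - 1] ^ x[N - 1] ^ x[0],) + tuple(x[i] ^ x[i + 1] for i in range(M - 1))
        orbit, hits = [], []
        for _ in range(3 * N):                 # Lines 5-8: u_i = L(u_{i-1}), a_i = f2(⌊u_i⌋_r)
            u = lfsr_L(u)
            orbit.append(u)
            hits.append(f2(u[M - R:]))         # ⌊u⌋_r read as the last r coordinates (assumed)
        # Line 9: u_{3n} is the minimum of its L-orbit and some a_i = 1
        return int(orbit[-1] == min(orbit, key=as_int) and any(hits))
    return f3


def make_fsr(f3):
    """Line 14 as a state update: feedback x2n + x_{n+1} + xn + x1 + x0 + f3(x1, ..., x2n)."""
    def step(s):
        fb = s[M] ^ s[N + 1] ^ s[N] ^ s[1] ^ s[0] ^ f3(s[1:])
        return s[1:] + (fb,)
    return step


def cycle_periods(step, width):
    """Periods of all cycles of a nonsingular FSR on width-bit states, by brute force."""
    todo, periods = set(product((0, 1), repeat=width)), []
    while todo:
        start = todo.pop()
        s, length = step(start), 1
        while s != start:
            todo.discard(s)
            s, length = step(s), length + 1
        periods.append(length)
    return sorted(periods)


def analyse(f0):
    """Return (#x with f3(x)=1, #such x whose complement also has f3=1, cycle periods of f)."""
    f3 = make_f3(make_f2(f0))
    ones = [x for x in product((0, 1), repeat=M) if f3(x)]
    both = [x for x in ones if f3(tuple(b ^ 1 for b in x))]   # Lemma 20 says this is empty
    return len(ones), len(both), cycle_periods(make_fsr(f3), M + 1)


UNSAT_F0 = lambda z: 0                          # constructed constant-false circuit
SAT_F0 = lambda z: z[0] & (1 - z[1]) & z[2]     # constructed circuit satisfied only by (1, 0, 1)

if __name__ == "__main__":
    print(analyse(UNSAT_F0))   # f is the LFSR p1: 16 cycles, periods [1, 1, 9, ..., 9]
    print(analyse(SAT_F0))     # fewer cycles: each x with f3(x) = 1 joins two cycles of p1
```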
Figure 8: A diagram of the Boolean circuit f2 (diagram not reproduced). Here “¬r” (resp. “∧r”) denotes the logical NOT (resp. AND) of r bits.
Figure 9: A diagram of the Boolean circuit f3 (diagram not reproduced). M is defined in Line 4 of Algorithm 2; “?=” decides whether two 2n-bit inputs are equal or not; “min” computes the minimum of two 2n-bit integers.
Lemma 16. Let $f_1$ be the feedback logic of the FSR $f$ given by Algorithm 2. Then $\mathrm{SIZE}(f_1) \le 264 \cdot \mathrm{SIZE}(f_0)^3$. Particularly, Algorithm 2 is polynomial-time computable.
In the rest of this section, $n$ is given in Algorithm 2, $p_0$ and $p_1$ are the polynomials as defined in Lemma 8, and we denote $\overline{\mathrm{CycStr}(p_0)} = \mathrm{CycStr}(p_1) \setminus \mathrm{CycStr}(p_0)$. Moreover, let $L_1$ denote the state transformation of the LFSR $p_1$.
For $v = (v_0, v_1, \ldots, v_{2n}) \in \{0,1\}^{2n+1}$, define the map $\pi(v) = (v_0 \oplus v_1, v_1 \oplus v_2, \ldots, v_{2n-1} \oplus v_{2n}) \in \{0,1\}^{2n}$ and $\chi(v) = v_0 \oplus v_n \oplus v_{2n}$.
The maps $\pi$ and $\chi$ have the properties in Lemma 17.
Lemma 17. The following statements hold.
(i) For $v \in \{0,1\}^{2n+1}$, $\chi(\hat v) = \chi(\bar v) = \chi(v) \oplus 1$, $\pi(\hat v) = \widehat{\pi(v)}$ and $L(\pi(v)) = \pi(L_1(v))$.
(ii) For $w = (w_0, w_1, \ldots, w_{2n-1}) \in \{0,1\}^{2n}$, $\{v \in \{0,1\}^{2n+1} : \pi(v) = w\} = \{u, \bar u\}$, where $u = (0, w_0, w_0 \oplus w_1, \ldots, w_0 \oplus w_1 \oplus \cdots \oplus w_{2n-1})$.
(iii) For any $v \in \{0,1\}^{2n+1}$,
$$\chi(v) = \begin{cases} 0, & \text{if } v \in \bigcup_{c \in \mathrm{CycStr}(p_0)} S_{2n+1}(c),\\ 1, & \text{if } v \in \bigcup_{c \in \overline{\mathrm{CycStr}(p_0)}} S_{2n+1}(c). \end{cases}$$
(iv) For $v \in \{0,1\}^{2n+1}$, if $v \in \bigcup_{c \in \mathrm{CycStr}(p_0)} S_{2n+1}(c)$, then $\hat v \in \bigcup_{c \in \overline{\mathrm{CycStr}(p_0)}} S_{2n+1}(c)$.
(v) For any $v \in \{0,1\}^{2n+1}$, $\lfloor L_1(v)\rfloor_{2n} = L(\lfloor v\rfloor_{2n}) \oplus w_0$, where $w_0 = (0, \ldots, 0, \chi(v)) \in \{0,1\}^{2n}$.
Proof. Statements (i) and (ii) of this lemma can be proved by direct computation.
Denote $v = (v_0, v_1, \ldots, v_{2n})$. If $v \in \bigcup_{c \in \mathrm{CycStr}(p_0)} S_{2n+1}(c)$, clearly $\chi(v) = v_0 \oplus v_n \oplus v_{2n} = 0$. Suppose $v \in \bigcup_{c \in \overline{\mathrm{CycStr}(p_0)}} S_{2n+1}(c)$. By Lemma 8, $\bar v \in \bigcup_{c \in \mathrm{CycStr}(p_0)} S_{2n+1}(c)$. Then by Statement (i), $\chi(v) = 1 \oplus \chi(\bar v) = 1$. Statement (iii) is proved.
By Lemma 8,
$$\Bigl(\bigcup_{c \in \mathrm{CycStr}(p_0)} S_{2n+1}(c)\Bigr) \cup \Bigl(\bigcup_{c \in \overline{\mathrm{CycStr}(p_0)}} S_{2n+1}(c)\Bigr) = \{0,1\}^{2n+1}.$$
Then Statement (iv) follows from Statements (i) and (iii).
Additionally, Statement (v) holds because
$$\begin{aligned}\lfloor L_1(v)\rfloor_{2n} &= (v_2, \ldots, v_{2n}, v_{2n} \oplus v_{n+1} \oplus v_n \oplus v_1 \oplus v_0)\\ &= (v_2, \ldots, v_{2n}, v_{n+1} \oplus v_1 \oplus \chi(v))\\ &= L((v_1, v_2, \ldots, v_{2n})) \oplus w_0\\ &= L(\lfloor v\rfloor_{2n}) \oplus w_0.\end{aligned}$$
Lemma 18. Let the map $\lambda : \{0,1\}^{2n+1} \to \{0,1\}$ be defined as
$$\lambda(v) = \begin{cases} 1, & \text{if } \chi(v) = 0 \text{ and } \pi(v) = \min\{L^i(\pi(v)) : 1 \le i \le 3n\};\\ 0, & \text{otherwise.}\end{cases}$$
Let $D^{f}_{p_1}$ be the graph defined as in Lemma 7 (recall that $f$ and $f_3$ are given in Algorithm 2). Then the following statements hold: (i) Statements (i) and (ii) of Lemma 7 hold, where $g$ in Lemma 7 is the LFSR $p_1$. (ii) If $f_2$ is satisfiable, then $\mathrm{CycStr}(p_0) \not\subset \mathrm{CycStr}(f)$ and there exists $v \in \{0,1\}^{2n+1}$ satisfying $f_3(\lfloor v\rfloor_{2n}) = 1$ and $\chi(v) = 0$.
Proof. Suppose $v \in S_{2n+1}(c)$, where $c \in \mathrm{CycStr}(p_1)$. By Statement (i) of Lemma 17 and Lemmas 6 and 8, we get
$$\{L^i(\pi(v)) : 1 \le i \le 3n\} = \{\pi(L_1^i(v)) : 1 \le i \le 3n\} = \{\pi(u) : u \in S_{2n+1}(c)\}. \tag{8}$$
Besides, by Statement (ii) of Lemma 17, there exists a unique vector $u$ in $S_{2n+1}(c)$ satisfying $\pi(u) = \min\{\pi(u) : u \in S_{2n+1}(c)\}$. Thus, by Statement (iii) of Lemma 17, we have
$$|\{v \in S_{2n+1}(c) : \lambda(v) = 1\}| = \begin{cases} 1, & \text{if } c \in \mathrm{CycStr}(p_0);\\ 0, & \text{if } c \in \overline{\mathrm{CycStr}(p_0)}.\end{cases} \tag{9}$$
By Statement (i) of Lemma 17, $\lambda(v) \cdot \lambda(\hat v) = 0$ for any $v \in \{0,1\}^{2n+1}$.
In Algorithm 2, $x = (x_1, x_2, \ldots, x_{2n})$ and $u_0 = \pi(y)$, where $y = (x_{2n} \oplus x_n, x_1, x_2, \ldots, x_{2n})$ is the unique vector in $\{0,1\}^{2n+1}$ satisfying $\chi(y) = 0$ and $\lfloor y\rfloor_{2n} = x$. Let $c$ be the cycle satisfying $y \in S_{2n+1}(c)$. By Lemmas 6, 8 and Eq.(8), $u_{3n} = \min\{L^i(u_0) : 1 \le i \le 3n\}$ is equivalent to $u_0 = \min\{\pi(v) : v \in S_{2n+1}(c)\}$. By Eq.(8),
$$\{1 \le i \le 3n : f_2(\lfloor L^i(u_0)\rfloor_r) = 1\} \neq \emptyset$$
is equivalent to
$$\{u \in S_{2n+1}(c) : f_2(\lfloor \pi(u)\rfloor_r) = 1\} \neq \emptyset.$$
Thus, by Algorithm 2, we have the following claim.
Claim. $f_3(x) = 1$ if and only if $\lambda(y) = 1$ and $\{v \in S_{2n+1}(c) : f_2(\lfloor \pi(v)\rfloor_r) = 1\} \neq \emptyset$.
If $f_3(x) = 1$, then $\lambda(y) = 1$ and $\lfloor y\rfloor_{2n} = x$. Therefore, Eq.(2) holds, where $g$ in Lemma 7 is the LFSR $p_1$.
Furthermore, by Statement (iv) of Lemma 17 and Eq.(9), any arc of $D^{f}_{p_1}$ is incident from a cycle in $\mathrm{CycStr}(p_0)$ to a cycle in $\overline{\mathrm{CycStr}(p_0)}$. Hence, $D^{f}_{p_1}$ is acyclic.
Thus far we have proved that Eq.(2) holds and $D^{f}_{p_1}$ is acyclic, where $g$ in Eq.(2) is the LFSR $p_1$. By Lemma 7, Statements (i) and (ii) of Lemma 7 hold with $g$ the LFSR $p_1$, and Statement (i) of this lemma is proved.
Now we prove Statement (ii) of this lemma. Suppose that $f_2$ is satisfiable. Since $D^{f}_{p_1}$ is acyclic, by Statement (i) of Lemma 7 it is sufficient to prove that not every $c \in \mathrm{CycStr}(p_0)$ is isolated in $D^{f}_{p_1}$. Following from Eq.(9) and the claim above, for $c \in \mathrm{CycStr}(p_0)$ there exists $v \in S_{2n+1}(c)$ satisfying $\lambda(v) = 1$ and $f_3(\lfloor v\rfloor_{2n}) = 1$ if and only if $\{v \in S_{2n+1}(c) : f_2(\lfloor \pi(v)\rfloor_r) = 1\} \neq \emptyset$. By Lemma 8 and Statement (ii) of Lemma 17, the map $\pi$ gives a bijection from $\bigcup_{c \in \mathrm{CycStr}(p_0)} S_{2n+1}(c)$ to $\{0,1\}^{2n}$. Thus, seeing $r \le 2n$, we get
$$\Bigl\{\lfloor \pi(v)\rfloor_r : v \in \bigcup_{c \in \mathrm{CycStr}(p_0)} S_{2n+1}(c)\Bigr\} = \{\lfloor v\rfloor_r : v \in \{0,1\}^{2n}\} = \{0,1\}^r.$$
Therefore, on one hand, there exists $v \in \{0,1\}^{2n+1}$ satisfying $f_3(\lfloor v\rfloor_{2n}) = 1$ and $\chi(v) = 0$; on the other hand, in $D^{f}_{p_1}$ there exists at least one arc incident from a cycle in $\mathrm{CycStr}(p_0)$, i.e., some $c \in \mathrm{CycStr}(p_0)$ is not isolated in $D^{f}_{p_1}$. By Statement (i) of this lemma, $c$ joins with other cycles in $\mathrm{CycStr}(p_1)$ to form one cycle in $\mathrm{CycStr}(f)$, and hence $c \notin \mathrm{CycStr}(f)$, yielding $\mathrm{CycStr}(p_0) \not\subset \mathrm{CycStr}(f)$.
Lemma 19. If f2 is satisfiable and g is a subFSR of f satisfying [0] ∈ CycStr (g), then g is the LFSR
x1 ⊕ x0, i.e., CycStr (g) = {[0], [1]}.
Proof. Let $g$ be an $m$-stage subFSR of $f$. By Lemma 4, we have $2^m = \sum_{d \in \mathrm{CycStr}(g)} \mathrm{per}(d)$. Furthermore, by Lemma 8 and Statement (i) of Lemma 18, we have
$$\mathrm{per}(d) \equiv |\{0_{2n+1}, 1_{2n+1}\} \cap S_{2n+1}(d)| \pmod{3n}.$$
Since for any $v \in \{0,1\}^{2n+1}$ there exists a unique cycle $c \in \mathrm{CycStr}(f)$ satisfying $v \in S_{2n+1}(c)$, we get an integer equation
$$3na + b = 2^m, \tag{10}$$
where $1 \le m \le 2n$, $0 \le a \le 2(2^{2n} - 1)/(3n)$ and $b \in \{0, 1, 2\}$. Since $2n = \min\{0 < i \in \mathbb{Z} : 3n \mid (2^i - 1)\}$, where $n = 3^k$ for some $1 \le k \in \mathbb{Z}$, Eq.(10) holds only if (i) $b = 1$ and $m = 2n$ or (ii) $b = 2$ and $m = 1$. So, we only have to consider the two cases below.
Case (i): $g$ is of stage $2n$. By Statement (i) of Lemma 18, $\mathrm{CycStr}(g) \subset \mathrm{CycStr}(p_1)$. Denote
$$V_0 = \{v \in \{0,1\}^{2n} : v \in S_{2n}(c),\ c \in \mathrm{CycStr}(g) \cap \mathrm{CycStr}(p_0)\};\qquad V_1 = \{v \in \{0,1\}^{2n} : v \in S_{2n}(c),\ c \in \mathrm{CycStr}(g) \cap \overline{\mathrm{CycStr}(p_0)}\}.$$
Since $b = 1$ in Eq.(10), by Lemma 8, $\mathrm{CycStr}(g)$ consists of $[0]$ and $(2^{2n} - 1)/(3n)$ cycles of period $3n$. Moreover, by Statement (ii) of Lemma 18, we have $|\mathrm{CycStr}(g) \cap \overline{\mathrm{CycStr}(p_0)}| \ge 1$, implying $V_1 \neq \emptyset$. Besides, as the states of the $2n$-stage FSR $g$, $V_0 \cup V_1 = \{0,1\}^{2n}$ and $V_0 \cap V_1 = \emptyset$. For $V \subset \{0,1\}^{2n}$, denote $L(V) = \{L(v) : v \in V\}$. On one hand, by Lemma 6, $L(V_0) = V_0$. Because $L$ is bijective on $\{0,1\}^{2n}$, we have $L(V_1) = V_1$. Denote $w_0 = (0, \ldots, 0, 1) \in \{0,1\}^{2n}$. On the other hand, by Statements (iii) and (v) of Lemma 17, we have $L(v) \oplus w_0 \in V_1$ for any $v \in V_1$. Thus, both $v \mapsto L(v)$ and $v \mapsto L(v) \oplus w_0$ are closed on $V_1$. Since the linear transformation $L$ has the irreducible minimal polynomial $p_0$ of degree $2n$, $L^i(w_0)$, $i = 0, \ldots, 2n-1$, is a basis of the linear space $\{0,1\}^{2n}$. Then for any $v_0 \in V_1$, there exist $b_i \in \{0,1\}$, $1 \le i \le 3n$, satisfying $v_0 = \bigoplus_{i=1}^{3n} b_i \cdot L^{3n-i}(w_0)$. Let $v_i = L(v_{i-1}) \oplus (b_i \cdot w_0)$, $1 \le i \le 3n$. Then $v_i \in V_1$, $1 \le i \le 3n$. However, by Lemmas 6 and 8, $L^{3n}$ is the identity map. Hence,
$$v_{3n} = L^{3n}(v_0) \oplus \Bigl(\bigoplus_{i=1}^{3n} b_i \cdot L^{3n-i}(w_0)\Bigr) = 0_{2n} \in V_0,$$
yielding $0_{2n} \in V_0 \cap V_1 = \emptyset$, which is absurd. Therefore, Case (i) does not occur.
Case (ii): $g$ is of stage 1. Since $[0] \in \mathrm{CycStr}(g)$, we have $\mathrm{CycStr}(g) = \{[0], [1]\}$, i.e., $g$ is the LFSR $x_1 \oplus x_0$.
Lemma 20. If $f_2$ is satisfiable, then for any FSR $h$, $f \neq h * (x_1 \oplus x_0)$.
Proof. Assume $f = h * (x_1 \oplus x_0)$. Then $h$ is a $2n$-stage FSR and $h(x_0, x_1, \ldots, x_{2n}) = x_{2n} \oplus h_1(x_0, x_1, \ldots, x_{2n-1})$, where $h_1$ is a $2n$-input Boolean logic. By Statement (ii) of Lemma 18, if $f_2$ is satisfiable, then there exists $v_0 \in \{0,1\}^{2n+1}$ satisfying $f_3(\lfloor v_0\rfloor_{2n}) = 1$ and $\chi(v_0) = 0$. Let $f_1$ denote the feedback logic of $f$ and $v_0 = (a_0, a_1, \ldots, a_{2n})$. Then $f_1(v_0) = a_1 \oplus a_{n+1} \oplus \chi(v_0) \oplus f_3(\lfloor v_0\rfloor_{2n}) = a_1 \oplus a_{n+1} \oplus 1$. Thus, $f(v_0 \,\|\, f_1(v_0)) = h(\pi(v_0) \,\|\, (a_{2n} \oplus a_1 \oplus a_{n+1} \oplus 1)) = 0$, yielding
$$h_1(\pi(v_0)) = a_{2n} \oplus a_1 \oplus a_{n+1} \oplus 1. \tag{11}$$
Let $u_0 = \hat{\bar v}_0$. By Statements (i) and (ii) of Lemma 17, $\chi(u_0) = 0$ and $\pi(u_0) = \widehat{\pi(v_0)}$. If $\pi(u_0) \neq \min\{L^i(\pi(u_0)) : 1 \le i \le 3n\}$, then $f_3(\lfloor \bar v_0\rfloor_{2n}) = f_3(\lfloor u_0\rfloor_{2n}) = 0$. Otherwise, assume $\pi(u_0) = \min\{L^i(\pi(u_0)) : 1 \le i \le 3n\}$. Since $f_3(\lfloor v_0\rfloor_{2n}) = 1$, we get $\pi(v_0) = \min\{L^i(\pi(v_0)) : 1 \le i \le 3n\}$. As $\pi(u_0) = \widehat{\pi(v_0)}$, by Lemmas 3 and 8, we have $\{\pi(v_0), \pi(u_0)\} = \{0_{2n}, \iota_{2n}\}$. Considering $\chi(v_0) = \chi(u_0) = 0$, we have $\{v_0, u_0\} = \{0_{2n+1}, \iota_{2n+1}\}$. Because $f_3(\lfloor v_0\rfloor_{2n}) = 1$ while $f_3(0_{2n}) = 0$, we have $u_0 = 0_{2n+1}$, yielding $f_3(\lfloor \bar v_0\rfloor_{2n}) = f_3(\lfloor u_0\rfloor_{2n}) = 0$.
We have proved $f_3(\lfloor \bar v_0\rfloor_{2n}) = 0$. Then $F(\bar v_0) = L_1(\bar v_0)$, where $F$ is the state transformation of $f$. Using $\chi(v_0) = 0$ and Statements (i)-(ii) of Lemma 17, we get
$$f(\bar v_0 \,\|\, (a_1 \oplus a_{n+1} \oplus \chi(\bar v_0) \oplus f_3(\lfloor \bar v_0\rfloor_{2n}))) = h(\pi(v_0) \,\|\, (a_{2n} \oplus a_1 \oplus a_{n+1})) = 0,$$
implying
$$h_1(\pi(v_0)) = a_{2n} \oplus a_1 \oplus a_{n+1}. \tag{12}$$
Our assumption $f = h * (x_1 \oplus x_0)$ leads to the contradictory Eqs. (11) and (12). The proof is completed.
Lemma 21. [4] Let $h$ be an $m$-stage decomposable FSR satisfying $h(0^{m+1}) = 0$. Then there exist two FSRs $h_1$ and $h_2$ such that $h = h_1 * h_2$, where $h_2$ is a $k$-stage FSR for some $1 \le k < m$ and $[0] \in \mathrm{CycStr}(h_2)$. Particularly, $h_2$ is a subFSR of $h$ and $h$ is reducible.
Proof. Since $h$ is decomposable, we assume $h = h_1' * h_2'$, where $h_2'$ is a $k$-stage FSR, $1 \le k < m$. If $h_2'(0^{k+1}) = 0$, let $h_1 = h_1'$ and $h_2 = h_2'$. Assume $h_2'(0^{k+1}) = 1$. Let $h_2 = h_2' \oplus 1$ and $h_1(x_0, x_1, \ldots, x_{m-k}) = h_1'(x_0 \oplus 1, x_1 \oplus 1, \ldots, x_{m-k} \oplus 1)$. Then $h = h_1' * h_2' = h_1 * h_2$ and $h_2(0^{k+1}) = h_2'(0^{k+1}) \oplus 1 = 0$. Besides, $h_2(0^{k+1}) = 0$ is equivalent to $[0] \in \mathrm{CycStr}(h_2)$.
Because $h_1(0^{m-k+1}) = h_1(h_2(0^{k+1}), h_2(0^{k+1}), \ldots, h_2(0^{k+1})) = h(0^{m+1}) = 0$, we have $G(h_2) \subset G(h_1; h_2) = G(h)$, where $G(h_1; h_2)$ is the set of sequences generated by the cascade connection of $h_1$ into $h_2$. Therefore, $h_2$ is a subFSR of $h$ and $h$ is reducible.
The idea of Lemma 21 was given by [4], and here we reinterpret it for readability.
Lemma 22. The FSR f is indecomposable if and only if the Boolean circuit f0 is satisfiable.
Proof. Consider two cases below.
Case (i): $f_0$ is satisfiable. By Lemma 15, $f_2$ is satisfiable. Assume $f$ to be decomposable. Since $f_2(0^r) = 0$, by Algorithm 2 we have $f_3(0^{2n}) = 0$ and $f(0_{2n+1}) = 0$, implying $[0] \in \mathrm{CycStr}(f)$. By Lemma 21, there exist FSRs $h$ and $g$ such that $f = h * g$, where $g$ is a subFSR of $f$ satisfying $[0] \in \mathrm{CycStr}(g)$. By Lemma 19, $g$ is the LFSR $x_1 \oplus x_0$. However, by Lemma 20, $f \neq h * (x_1 \oplus x_0)$. Hence, the assumption is absurd and $f$ is indecomposable.
Case (ii): $f_0$ is unsatisfiable. By Lemma 15, $f_2$ is unsatisfiable. By Algorithm 2, $f_3(x) = 0$ for any $x \in \{0,1\}^{2n}$. Then $f$ is exactly the LFSR $p_1$ and $f(x_0, x_1, \ldots, x_{2n}) = (x_{2n} \oplus x_n \oplus x_0) * (x_1 \oplus x_0)$. So, $f$ is decomposable.
PROBLEM: FSR INDECOMPOSABILITY
INSTANCE: An FSR f with its feedback logic f1 as a Boolean circuit of size SIZE (f1).
QUESTION: Is f indecomposable?
By Lemmas 1, 16 and 22, Algorithm 2 is a polynomial-time Karp reduction from CIRCUIT SATISFIABILITY to FSR INDECOMPOSABILITY. Therefore, we conclude that
Theorem 2. The FSR INDECOMPOSABILITY problem is NP-hard.
5 Conclusion
Deciding irreducibility/indecomposability of FSRs is meaningful for sophisticated circuit implementation and security analysis of stream ciphers. Here we have proved that both decision problems are NP-hard. Assuming P ≠ NP, where P is the class of decision problems computed by polynomial-time deterministic Turing machines, there is no polynomial-time algorithm for either problem.
Furthermore, it is still of theoretical interest to determine the computational complexity of the search versions of FSR reducibility/decomposability, i.e., to find a subFSR/factor of a given FSR, where g and h are called factors of f if f = h ∗ g. Besides, provided that the input Boolean circuit is satisfiable, Algorithm 1 (resp. Algorithm 2) constructs an irreducible (resp. indecomposable) FSR. Since it is easy to efficiently find satisfiable Boolean circuits, it remains a question whether Algorithm 1 (resp. Algorithm 2) can be modified to construct a family of irreducible (resp. indecomposable) FSRs with desirable properties in practice.
6 Appendices
6.1 Appendix: the proof of Statement (i) of Lemma 7
Proof. Let $F$ denote the state transformation of the FSR $f$. By Lemma 6, it is sufficient to prove the following claim.
Claim: For any $u, v \in \{0,1\}^m$, there exists $i \ge 0$ satisfying $F^i(u) = v$ if and only if $u, v \in \bigcup_{c \in C} S_m(c)$, where $C$ is a weakly connected component of $D^{f}_{g}$.
We prove this claim by induction on the number of arcs in $D^{f}_{g}$.
If $D^{f}_{g}$ has no arc, then by Eq.(2), $f_3(\lfloor v\rfloor_{m-1}) = 0$ for any $v \in \{0,1\}^m$. Thus, $\mathrm{CycStr}(g) = \mathrm{CycStr}(f)$ and the claim holds.
Now suppose that $D^{f}_{g}$ has at least one arc. Because $D^{f}_{g}$ is acyclic, there exists a source $c_0 \in \mathrm{CycStr}(g)$ with positive outdegree. Denote $V = \{v \in S_m(c_0) : f_3(\lfloor v\rfloor_{m-1}) = 1,\ \lambda(v) = 1\}$. By Eq.(2), $|V| = 1$ and there is a unique arc leaving $c_0$. Denote $V = \{v_0\}$. Let $c_1$ denote the unique successor of $c_0$, and let $C$ denote the weakly connected component containing $c_0$. We have $c_1 \neq c_0$ because $D^{f}_{g}$ is acyclic.
Let $v_0 = (v_0, v_1, \ldots, v_{m-1})$ and
$$\begin{aligned} f_3'(x_1, \ldots, x_m) &= f_3(x_1, \ldots, x_m) \oplus \prod_{i=1}^{m-1}(x_i \oplus v_i \oplus 1);\\ f'(x_0, x_1, \ldots, x_m) &= g(x_0, x_1, \ldots, x_m) \oplus f_3'(x_1, \ldots, x_m).\end{aligned}$$
Define a directed graph $D^{f'}_{g}$ with the set of vertices $\mathrm{CycStr}(g)$ such that an arc is incident from $a$ to $b$ if and only if
$$\{v \in S_m(a) : f_3'(\lfloor v\rfloor_{m-1}) = 1,\ \lambda(v) = 1,\ \hat v \in S_m(b)\} \neq \emptyset.$$
See that $f_3'$ differs from $f_3$ only at $(v_1, \ldots, v_{m-1})$, with $f_3'(v_1, \ldots, v_{m-1}) = 0$. Then $D^{f'}_{g}$ is obtained by removing the arc leaving $c_0$ in $D^{f}_{g}$. Besides, Eq.(2) also holds for $f_3'$.
Denote $F'$ as the state transformation of $f'$. The cycle joining method gives
$$F'(v) = \begin{cases} F(\hat v), & \text{if } v \in \{v_0, \hat v_0\};\\ F(v), & \text{otherwise.}\end{cases} \tag{13}$$
By induction, the claim above is assumed to hold for $f'$. We only have to consider states in $\bigcup_{c \in C} S_m(c)$. In $D^{f'}_{g}$, $C \setminus \{c_0\}$ and $\{c_0\}$ are weakly connected components. Denoting $p = \mathrm{per}(c_0)$ and $q = \sum_{c_0 \neq c \in C} \mathrm{per}(c)$, and using Lemma 6, we have
$$\begin{aligned} \{F'^{\,i}(F(v_0)) : 0 \le i < q\} &= \bigcup_{c_0 \neq c \in C} S_m(c);\\ \{F'^{\,i}(F(\hat v_0)) : 0 \le i < p\} &= S_m(c_0);\\ F'^{\,q-1}(F(v_0)) &= \hat v_0;\\ F'^{\,p-1}(F(\hat v_0)) &= v_0.\end{aligned} \tag{14}$$
By Eqs. (13) and (14), $F^{p+q}(v_0) = v_0$ and
$$\{F^i(v_0) : 0 \le i < p+q\} = \bigcup_{c \in C} S_m(c).$$
Thus, the claim also holds for $f$. The proof of this claim is complete by induction.
6.2 Appendix: The operation min
The operation “min” outputs the minimum of two integers.
Let $\min_m$ denote the operation computing the minimum of two $m$-bit nonnegative integers. Recall that a vector $v = (v_0, v_1, \ldots, v_{m-1})$ is identified with the integer $\sum_{i=0}^{m-1} v_i 2^i$. For $m = 1$, we have $\min_1(x_0, y_0) = x_0 \wedge y_0$. For $m \ge 2$, $x = (x_0, x_1, \ldots, x_{m-1})$ and $y = (y_0, y_1, \ldots, y_{m-1})$, we have
$$\begin{aligned}\min_m(x, y) = {} & (x_{m-1} \oplus y_{m-1} \oplus 1) \times (\min_{m-1}(\lceil x\rceil_{m-1}, \lceil y\rceil_{m-1}) \,\|\, x_{m-1})\\ & \oplus (((x_{m-1} \oplus y_{m-1}) \wedge (x_{m-1} \oplus 1)) \times x)\\ & \oplus (((x_{m-1} \oplus y_{m-1}) \wedge (y_{m-1} \oplus 1)) \times y),\end{aligned}$$
Figure 10: A recursive construction of the Boolean circuit minm (diagram not reproduced; inputs x and y, output minm(x, y), built from ⌈x⌉m−1, ⌈y⌉m−1, xm−1, ym−1 and a minm−1 subcircuit)
and thereby give a recursive description of $\min_m$ in Figure 10, where $z = \min_{m-1}(\lceil x\rceil_{m-1}, \lceil y\rceil_{m-1}) \,\|\, x_{m-1}$. Here the multiplying operation “×” has a one-bit input $a$ and an $m$-bit input $w = (w_0, w_1, \ldots, w_{m-1})$, and outputs $(a \wedge w_0, a \wedge w_1, \ldots, a \wedge w_{m-1})$. Thus, the multiplying operation “×” costs $m$ gates. By Figure 10, we have $\mathrm{SIZE}(\min_m) = 12 + 13m + \mathrm{SIZE}(\min_{m-1})$ for any $m \ge 2$, and hence $\mathrm{SIZE}(\min_m) = (13m^2 + 37m - 44)/2$.
References
[1] S. Arora and B. Barak, Computational complexity: a modern approach, Cambridge University Press,
2012.
[2] E. Dubrova: A transformation from the Fibonacci to the Galois NLFSRs, IEEE Trans. Inf. Theory,
55(11):5263–5271, 2009.
[3] S. W. Golomb: Shift Register Sequences. Laguna Hills, CA, USA: Aegean Park Press, 1981.
[4] D. H. Green and K. R. Dimond, Nonlinear product-feedback shift registers, Proc. IEE, 117(4):681–686,
1970.
[5] M. Hell, T. Johansson and W. Meier: The Grain family of stream ciphers, in: New Stream Cipher
Designs: The eSTREAM Finalists, in: Lecture Notes in Computer Science, vol. 4986, 2008, pp. 179–
190.
[6] Y. Jiang and D. Lin: On affine subfamilies of Grain-like structure, Des. Codes Cryptogr., 82(3):531–542,
2017. DOI:10.1007/s10623-016-0178-7
[7] R. Lidl and H. Niederreiter: Finite Fields, Cambridge Univ. Press, Cambridge, U.K, 1997.
[8] Z. Ma, W. Qi and T. Tian: On the decomposition of an NFSR into the cascade connection of an NFSR
into an LFSR, J. Complex., 29(2): 131–181, 2013. DOI:10.1016/j.jco.2012.09.003.
[9] J. Mykkeltveit, M. Siu and P. Tong: On the cycle structure of some nonlinear shift register sequences,
Inf. Control, 43(2):202–215, 1979.
[10] M. Robshaw and O. Billet (Eds.): New Stream Cipher Designs: The eSTREAM Finalists, Springer-Verlag, Berlin, Heidelberg, 2008.
[11] T. Tian and W. Qi: On the largest affine sub-families of a family of NFSR sequences, Designs, Codes
Cryptograph., 71(1):163–181, 2014.
[12] T. Tian and W. Qi: On the density of irreducible NFSRs, IEEE Trans. Inf. Theory, 59(6):4006–4012,
Jun. 2013.
[13] T. Tian and W. Qi: On decomposition of an NFSR into a cascade connection of two smaller NFSRs, Cryptology ePrint Archive: Report 2014/536.
[14] J. Zhang, W. Qi, T. Tian and Z. Wang: Further results on the decomposition of an NFSR into the
cascade connection of an NFSR into an LFSR, IEEE Trans. Inf. Theory, 61(1):645–654, 2015.
