Due to their simple construction, LFSRs are commonly used as building blocks in various random number generators. Nonlinear feedforward logic is incorporated in LFSRs to increase the linear complexity of the generated sequences. This work deals with Nonlinear Feedforward Generators (NLFGs) that generate sequences over arbitrary finite fields. We analyze the frequency of symbols in sequences generated by such configurations. Further, we propose a method of using nonlinear feedforward logic with word-based σ-LFSRs wherein vectors over a finite field are seen as elements of an extension field. We then briefly analyze sequences generated by an existing scheme and show that sequences generated by the proposed scheme are statistically more balanced.
Introduction
Pseudorandom number generators (PRNGs) have a wide array of applications ranging from cryptography [11, 13] and error correcting codes [14] to spread spectrum communication [15]. Due to their simple construction and ease of hardware implementation, linear feedback shift registers (LFSRs) are commonly used as basic building blocks for PRNGs. For a given number of delay blocks, LFSRs with primitive characteristic polynomials generate sequences with maximum period. Such sequences have a balanced distribution of 0's and 1's and exhibit properties like the span-n property and 2-level autocorrelation which characterize randomness [4]. However, sequences generated by LFSRs are marred by their low linear complexity. One way of increasing the linear complexity of such sequences is by using nonlinear feedforward logic [5]. An analysis of the linear complexity of binary sequences generated by nonlinear feedforward generators (NLFGs) is given in [7]. Statistical properties of such sequences are investigated in [1, 2, 3, 17]. In this paper, we will analyze sequences generated by NLFGs where the underlying LFSR implements a linear recurring relation (LRR) in an arbitrary finite field. Further, we have proposed a method of applying nonlinear feedforward logic to σ-LFSRs, wherein the outputs of the delay blocks are considered as elements of an extension field. We have then analyzed the statistical distribution of symbols in sequences generated by both the proposed scheme and by the scheme mentioned in [6] and compared the two.
The remainder of this paper is organized as follows. Section 2 contains an introduction to LFSRs and motivates the use of NLFGs. Section 3 describes NLFGs and analyzes the properties of sequences generated by them. Section 4 describes an implementation of NLFGs over word-based σ-LFSRs and contains a statistical analysis of sequences generated by such a configuration. Section 5 briefly summarizes the paper.
The notations used in this paper are as follows. The cardinality of a set $S$ is denoted by $|S|$. $\mathbb{F}_q$ denotes the finite field of order $q = p^n$, where $p$ is a prime number and $n$ is a positive integer. $\mathbb{F}_q^n$ denotes the $n$-dimensional vector space over $\mathbb{F}_q$.
Linear feedback shift registers
An $L$-stage feedback shift register (FSR) is a circuit consisting of $L$ delay blocks along with a feedback function $f$. It generates a sequence $\{s_i\}_{i=0}^{\infty} = \{s_0, s_1, s_2, \ldots\}$ whose elements are related by the recurrence relation $s_{j+L} = f(s_j, s_{j+1}, \ldots, s_{j+L-1})$. If the function $f$ is linear then the FSR is called a linear feedback shift register (LFSR). Figure 1 depicts an LFSR having $L$ delay blocks with a linear feedback loop.
The output of the LFSR shown in Fig. 1 is a linear recurring sequence which satisfies the LRR $s_{j+L} = a_0 s_j + a_1 s_{j+1} + \cdots + a_{L-1} s_{j+L-1}$, where $a_i \in \mathbb{F}_q$ for $0 \le i \le L-1$. With every LRR one can associate a polynomial having the same coefficients. Such a polynomial is called the characteristic polynomial of the LFSR. For example, the characteristic polynomial of the LFSR shown in Fig. 1 
The degree of the characteristic polynomial is known as the degree of the LFSR. If the characteristic polynomial of an LFSR is primitive then the LFSR is called a primitive-LFSR. The outputs of the delay blocks at any given instant constitute the state vector of the LFSR at that instant. If the initial state is nonzero then a primitive-LFSR generates all the nonzero states in a single period [10] .
Fig. 1 LFSR
The linear complexity of a given sequence is the minimum degree of an LFSR which generates that sequence. Clearly, the linear complexity of a sequence generated by an LFSR is at most equal to the number of delay blocks in that LFSR. The linear complexity of such sequences can be increased by using nonlinear feedforward logic [5] . An NLFG consists of an LFSR along with a multiplier assembly having a set of 2-input multipliers.
In this scheme, the outputs of some of the delay blocks are multiplied with each other and the resulting products are then added to generate the output sequence. The output of each delay block can act as an input to at most one multiplier. Multiplication and addition are as defined in $\mathbb{F}_q$. For $q = 2$, multiplication and addition translate to AND and XOR operations respectively. An example of such a scheme is shown in Fig. 2. In the following section, we will discuss the balance property of sequences generated by NLFGs over arbitrary finite fields. We assume that the underlying FSR generates a sequence wherein all nonzero states occur once in every period (as in a primitive LFSR). Our arguments do not require the FSR to be linear.
Statistical analysis of sequences generated from NLFG
Consider an NLFG having an FSR with $L$ delay blocks and a multiplier assembly with $m \le L/2$ multipliers (Fig. 3). Let $\psi_m(K)$ denote the number of possible inputs to the multiplier assembly that generate the number $K$ at the output. When $m = 1$, the output of the multiplier will be 0 if either of its inputs is zero. Thus,
(1)
Proof Given any $K_1 \in \mathbb{F}_q \setminus \{0\}$, there exists a unique $K_2 \in \mathbb{F}_q \setminus \{0\}$ such that $K_1 \cdot K_2 = K$.
Since there are $q - 1$ possible values for $K_1$, $\psi_1(K) = q - 1$.
Equation (1) and Lemma 1 show that $\psi_1(K)$ does not depend upon the value of $K$ but only on whether $K$ is zero or nonzero. Therefore, in the remainder of the paper we denote $\psi_1(K)$ by $\psi_{nz}$ when $K \neq 0$ and by $\psi_z$ when $K = 0$. Let $N^L_m(K)$ be the number of nonzero state vectors of the underlying LFSR that generate $K$ at the output. Each of the $q^{2m} - 1$ nonzero inputs to the multiplier assembly occurs $q^{L-2m}$ times. Therefore,
In the expression for $N^L_m(0)$, one is deducted to account for the absence of the zero state. Thus, deriving an expression for $N^L_m(\cdot)$ reduces to finding a formula for $\psi_m(\cdot)$.
Definition 1 An $m$-partition of $K$ over $\mathbb{F}_q$ is defined as an $m$-tuple of nonzero elements in $\mathbb{F}_q$ whose sum (as defined in $\mathbb{F}_q$) is $K$. We denote the set of $m$-partitions of $K$ by $S_m(K)$.
where i = 1, 2, . . . , m.
Clearly, $|S_0(K)| = 0$ and $|S_1(K)| = 1$. For $m > 1$, $|S_m(K)|$ can be recursively calculated as follows.
Proof One can arbitrarily choose $m - 1$ nonzero elements from $\mathbb{F}_q$ in $(q-1)^{m-1}$ possible ways. If the sum of these $m - 1$ elements is not equal to $K$ then there exists a unique nonzero element in $\mathbb{F}_q$ which gives $K$ when added to this sum. If the sum of these $m - 1$ elements is equal to $K$ then this $(m-1)$-tuple is a member of the set $S_{m-1}(K)$. Hence,
Using the above recursion, the closed-form expression for $|S_m(K)|$ is derived as follows.
Proof We shall prove the lemma using induction. Now, $|S_1(K)| = 1 = \frac{1}{q}(\psi_{nz} + 1)$. Thus, the statement of the lemma is true for $m = 1$. Let the statement be true for $m = l$, i.e., |S l (
We now proceed to prove that the statement is true for $m = l + 1$.
Assume that at a particular time instant, the outputs of $i$ of the $m$ multipliers are zero. These $i$ multipliers can be chosen in $\binom{m}{i}$ ways. Each of these multipliers can have $\psi_z$ possible pairs of inputs. Now, there are $|S_{m-i}(K)|$ possible sets of outputs from the remaining $m - i$ multipliers such that the output of the adder is $K$. For each such set, each multiplier can have $\psi_{nz}$ possible pairs of inputs. Therefore,
Now, we simplify the above formula to derive a closed-form expression for $\psi_m(K)$. Theorem 1 For a multiplier assembly with $m$ multipliers and for all $K \in \mathbb{F}_q$.
Therefore,
Substituting the values of $\psi_z$ and $\psi_{nz}$ from (1) and Lemma 1 we get -
Since there are $q - 1$ nonzero elements in $\mathbb{F}_q$, there are $(q-1)q^{m-1}(q^m - 1)$ input combinations that generate a nonzero output from the NLFG. Therefore,
This concludes the proof of our theorem.
Substituting the formula for $\psi_m(\cdot)$ derived in Theorem 1 in (2) we get -
Remark 2
Theorem 3 in [2] is a special case of Theorem 1 with $q = 2$.
For $K \neq 0$, the ratio $\xi(L, m, q) := N^L_m(0) / N^L_m(K)$ is an indicator of how balanced a sequence is. For a completely balanced sequence, $\xi(L, m, q) = 1$. We now go on to show that the distribution of elements in the output sequence of an NLFG tends to a balanced distribution as the number of delay blocks and the number of multipliers tend to infinity.
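The counts discussed in this section can be checked by exhaustive enumeration of the multiplier-assembly inputs. The following Python is an added example, not code from the paper; it assumes q is prime so that integer arithmetic mod q is the field, and the function names are chosen here for illustration.

```python
from itertools import product


def psi(q, m):
    """Brute-force psi_m(K): multiplier-assembly inputs per output symbol K.

    Assumption: q is prime, so arithmetic mod q is F_q. The assembly has m
    two-input multipliers whose products are summed, so one input is a
    tuple of 2m field elements.
    """
    counts = {k: 0 for k in range(q)}
    for x in product(range(q), repeat=2 * m):
        out = sum(x[2 * i] * x[2 * i + 1] for i in range(m)) % q
        counts[out] += 1
    return counts


def output_frequencies(q, L, m):
    """Occurrences of each symbol over one period of the underlying FSR.

    Every multiplier input is completed by the L - 2m unconnected delay
    blocks in q**(L - 2m) ways; the all-zero state never occurs, so one
    is deducted from the count for 0.
    """
    assert 2 * m <= L
    freq = {k: c * q ** (L - 2 * m) for k, c in psi(q, m).items()}
    freq[0] -= 1
    return freq


def balance_ratio(q, L, m):
    """xi(L, m, q): occurrences of 0 divided by occurrences of a nonzero K."""
    freq = output_frequencies(q, L, m)
    return freq[0] / freq[1]


if __name__ == "__main__":
    for m in (1, 2, 3):
        print(m, psi(2, m), balance_ratio(2, 2 * m, m))
```

For q = 2 and L = 2m the ratio falls towards 1 as m grows, which is the behaviour the limit argument in this section describes.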
Proof In the case, when K = 0 then -
In the case, when K = 0 then -
.
. lim
Thus, the ratio of the number of occurrences of the zero vector to that of any nonzero vector in a single period approaches 1 at a rate which is exponential in $m$.
NLFGs over σ-LFSRs
A σ-LFSR is an LFSR configuration with multi-input multi-output delay blocks that aims to utilize the parallelism provided by modern word-based processors. σ-LFSRs can be seen as a realization of the multiple-recursive matrix method due to Niederreiter [12]. A detailed description of σ-LFSRs can be found in [18]. Figure 4 depicts an $L$-stage σ-LFSR with $r$-input $r$-output delay blocks. The feedback gain matrices $B_0, B_1, \ldots, B_{L-1}$ are elements of $\mathbb{F}_q^{r \times r}$. The output sequence of a σ-LFSR satisfies the following linear recurring relation where $j = 0, 1, \ldots$ and $s_j \in \mathbb{F}_q^r$. At the $k$-th time instant, let $s_i(k)$ be the output of the $B_i$-th delay block. The state vector $s(k)$ of a σ-LFSR at that instant can be obtained by stacking the outputs of the delay blocks one below the other. For instance,
. . .
Observe that,
Thus, the relation between two consecutive state vectors of a σ-LFSR is as follows:
where $A_{rL}$ is given as follows.
Here, $0 \in \mathbb{F}_q^{r \times r}$ is the zero matrix and $I \in \mathbb{F}_q^{r \times r}$ is the identity matrix. The matrix $A_{rL}$ is called the state transition matrix of the σ-LFSR. The characteristic polynomial of the state transition matrix is called the characteristic polynomial of the σ-LFSR. As in a conventional LFSR, for a nonzero initial state, if the characteristic polynomial of the σ-LFSR is primitive then all nonzero states are covered in a single period (Theorem 4 of [12]). Given positive integers $r$ and $L$ and a primitive polynomial $p(x)$ of degree $rL$, the number of σ-LFSR configurations having characteristic polynomial $p(x)$ has been calculated in [8, 9].
The output sequence of a σ-LFSR with $r$-input $r$-output delay blocks is a sequence in $\mathbb{F}_q^r$. Now, each entry of this vector sequence constitutes a scalar sequence. We shall call these sequences the component sequences of the vector sequence. If the characteristic polynomial of a σ-LFSR is primitive then these component sequences are always linearly independent (Lemma 1 of [16]).
Since $\mathbb{F}_q^r$ is known to be isomorphic to $\mathbb{F}_{q^r}$, a σ-LFSR can be seen as an FSR over the field $\mathbb{F}_{q^r}$ [10]. Thus, each state vector of a σ-LFSR can be seen as a vector in $\mathbb{F}_{q^r}^L$. The characteristic polynomial of the σ-LFSR being primitive ensures that all nonzero vectors in $\mathbb{F}_{q^r}^L$ occur as state vectors exactly once in every period. Similar to conventional LFSRs, vector sequences generated by primitive σ-LFSRs have some desirable properties associated with randomness such as large period, balance property, span-n property etc. However, they have low linear complexity. [6] and [16] deal with the extension of the nonlinear feedforward logic to word-based LFSRs (σ-LFSRs). In both [6] and [16], outputs of delay blocks are multiplied bit-wise. However, in [16], the outputs of some of the delay blocks are permuted before multiplication. In this section, we have proposed a nonlinear feedforward logic configuration wherein the outputs of the delay blocks of a σ-LFSR are multiplied as elements in $\mathbb{F}_{q^r}$. This is in contrast to the scheme given in [6, 16] wherein multiplication is done element-wise. Note that element-wise multiplication is not equivalent to multiplication over a finite field. For example, in $\mathbb{F}_2^4$ the element-wise product of the two nonzero vectors $v_1 = [1001]^T$ and $v_2 = [0110]^T$ is zero, which is not possible over a finite field.
Let $p(x)$ be a primitive polynomial of degree $r$. Now, $\mathbb{F}_{q^r}$ can be seen as the residue class ring
denotes the equivalence class of $x$. Given a polynomial $f(x) \in \mathbb{F}_q[x]$, the equivalence class of $f(x)$ has a unique representative element with degree less than $r$. We therefore have the following map $M : \mathbb{F}_{q^r} \to \mathbb{F}_q^r$.
Clearly, the above map is a vector space homomorphism. Using this map, we define multiplication of two elements in $\mathbb{F}_q^r$, denoted as $\times$, as follows.
Therefore, $v_1 \times v_2$ is a vector whose entries are the coefficients of the polynomial $g(x) = f_1 f_2 \bmod p(x)$. If $f_1$ and $f_2$ are the unique elements in their respective equivalence classes having degree less than $r$ then $f_1(x) f_2(x)$ is a polynomial with degree less than $2r$. Let $v \in \mathbb{F}_q^{2r-1}$ be a vector whose entries are the coefficients of 
As shown in Fig. 5, in the proposed scheme the underlying FSR is a σ-LFSR and the multiplier assembly has $m \le L/2$ multipliers. Each multiplier takes the output of two distinct $r$-input $r$-output delay blocks, convolves them and multiplies the result with the matrix $Q$ given in (6). It thus implements the map '$\times$' described above. The outputs of the multipliers are then added to generate the output vector sequence. As in a conventional NLFG, the output of each delay block can act as an input to at most one multiplier. Since the proposed scheme views a σ-LFSR as an FSR over $\mathbb{F}_{q^r}$ and the outputs of the delay blocks are multiplied as elements of $\mathbb{F}_{q^r}$, the analysis given in Section 3 is valid for this scheme. Let N L m (v) 
In order to draw a comparison between the proposed scheme and the scheme described in [6], we now briefly analyse the distribution of vectors in sequences generated by the latter. The schematic diagram for the scheme described in [6] is similar to the one shown in Fig. 5. However, as stated earlier, the outputs of the delay blocks are multiplied element-wise as shown in Fig. 6. Although [6] deals only with the binary case, in our analysis we consider the NLFG to be over an arbitrary finite field $\mathbb{F}_q$. In the remainder of this section, we shall refer to NLFGs that use the scheme given in [6] as element-wise NLFGs.
Theorem 2
Consider an element-wise NLFG having $L$ $r$-input $r$-output delay blocks and $m \le L/2$ multipliers. For a given nonzero vector $v \in \mathbb{F}_q^r$, the number m (v) of inputs to the multiplier assembly that generate $v$ at the output is given by
where $\kappa_v$ is the number of nonzero elements in $v$.
Proof Since addition and multiplication are performed element-wise, the $i$-th entry $v_i$ of the output vector sequence is a function of only the $i$-th outputs of the delay blocks of the σ-LFSR. Further, from Lemma 1 in [12], it can be inferred that each component sequence of the σ-LFSR can be seen to be generated by a scalar LFSR whose characteristic polynomial is the same as that of the σ-LFSR. Therefore, the $i$-th bit of the output sequence of the NLFG can be seen to be generated by a scalar NLFG with a primitive scalar LFSR having $rL$ delay blocks and a multiplier assembly with $m$ multipliers. From Theorem 1, the number of inputs to this multiplier assembly that generates $v_i$ at the output is given by
Fig. 6 Element-wise multiplication operation
Therefore, the total number of possible inputs to the multiplier assembly that generates a given vector $v$ having $\kappa_v$ nonzero elements is given by
Remark 4 Clearly, in the case when $r = 1, \kappa_v = 1$ and $r = 1, \kappa_v = 0$, Theorem 2 translates to Theorem 1.
For an NLFG having $L$ $r$-input $r$-output delay blocks and $m \le L/2$ multipliers, let $N^L_m(v)$ denote the number of times the vector $v \in \mathbb{F}_q^r$ occurs at the output of the NLFG in a single cycle.
Corollary 3
Proof Since every nonzero state vector occurs exactly once in every period of the underlying primitive σ-LFSR, $N^L_m(v)$ is equal to the number of nonzero states of the σ-LFSR that generate $v \in \mathbb{F}_q^r$ at the output of the NLFG. Clearly, for each input to the multiplier assembly there are $q^{L-2m}$ possible state vectors of the σ-LFSR (since $L - 2m$ of the delay blocks are not connected to the multiplier assembly). Therefore, the number of times a nonzero vector $v$ occurs at the output of the NLFG in a single period is equal to $q^{r(L-2m)}$ m (v). Now, among the states of the σ-LFSR that result in zero at the output of the NLFG is the zero state. However, this state does not occur in any nonzero cycle. Therefore, the number of times the zero vector occurs at the output of the NLFG in a single period is equal to $q^{r(L-2m)}$ m (0) − 1. Thus,
Comparing the formulae derived in Corollary 3 with those in (7), it is clearly seen that the output sequence of an element-wise NLFG has a bias towards vectors having a greater number of zeros, which is not the case with sequences generated by the proposed scheme (with the exception of the all-zero vector).
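The difference between the two multiplications, and the resulting bias, can be seen directly for a single multiplier with q = 2 and r = 4. The following Python is an added example, not code from the paper; it assumes p(x) = x^4 + x + 1 as the primitive polynomial, reduces the convolution modulo p(x) directly instead of applying the matrix Q, and uses function names chosen here.

```python
from collections import defaultdict
from itertools import product

R = 4
# Assumption: p(x) = x^4 + x + 1, a primitive polynomial over F_2.
# Coefficients are stored low degree first: [c0, c1, c2, c3, c4].
P = [1, 1, 0, 0, 1]


def field_mul(v1, v2):
    """v1 x v2: convolve the coefficient vectors, then reduce mod p(x)."""
    conv = [0] * (2 * R - 1)
    for i, a in enumerate(v1):
        for j, b in enumerate(v2):
            conv[i + j] ^= a & b
    for d in range(2 * R - 2, R - 1, -1):  # cancel x^d for every d >= r
        if conv[d]:
            for k in range(R + 1):
                conv[d - R + k] ^= P[k]
    return tuple(conv[:R])


def elementwise_mul(v1, v2):
    """Bit-wise product, as in the element-wise scheme."""
    return tuple(a & b for a, b in zip(v1, v2))


def counts_by_weight(mul):
    """One multiplier (m = 1): input-pair counts per output vector,
    grouped by the Hamming weight of the output vector."""
    per_vector = defaultdict(int)
    vectors = list(product((0, 1), repeat=R))
    for v1 in vectors:
        for v2 in vectors:
            per_vector[mul(v1, v2)] += 1
    by_weight = defaultdict(set)
    for v in vectors:
        by_weight[sum(v)].add(per_vector[v])
    return {w: sorted(c) for w, c in by_weight.items()}


if __name__ == "__main__":
    print("field:       ", counts_by_weight(field_mul))
    print("element-wise:", counts_by_weight(elementwise_mul))
```

With field multiplication every nonzero vector is produced by the same number of input pairs, while the element-wise count shrinks by a factor of 3 for each additional nonzero entry in the output.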
Conclusion
In this paper, we have extended the notion of NLFGs to arbitrary finite fields and have analyzed the balance property of the sequences generated by such NLFGs. Further, we have proposed an implementation of NLFGs over σ-LFSRs and have shown that the sequences generated by the proposed scheme are more balanced than the sequences generated by the existing scheme given in [6].
