Feedback shift registers (FSRs) are a fundamental component in electronics and secure communication. An FSR f is said to be reducible if all the output sequences of another FSR g can also be generated by f and g has less memory than f. An FSR is said to be decomposable if it has the same set of output sequences as a cascade connection of two FSRs. It is proved that deciding whether an FSR is irreducible, and deciding whether it is indecomposable, are both NP-hard.
Introduction
Feedback shift registers are broadly used in spread spectrum radio, control engineering and confidential digital communication, and the subject has consequently attracted substantial research over half a century. In particular, feedback shift registers play a significant role in the stream cipher finalists of the eSTREAM project [10]. As shown in Figure 1, an $n$-stage feedback shift register (FSR) consists of $n$ bit registers $x_0, x_1, \ldots, x_{n-1}$ and an $n$-input feedback logic $f_1$. The vector $(x_0(t), x_1(t), \ldots, x_{n-1}(t))$ is called a state of this FSR, where $x_i(t)$ is the value of $x_i$ at clock cycle $t$, $0 \le i < n$. The state at clock cycle $0$ is called the initial state. With each clock impulse the values stored in the bit registers update as
$$(x_0(t+1), x_1(t+1), \ldots, x_{n-1}(t+1)) = \bigl(x_1(t), \ldots, x_{n-1}(t), f_1(x_0(t), x_1(t), \ldots, x_{n-1}(t))\bigr), \tag{1}$$
and the map defined by Eq. (1) is called the state transformation of this FSR.
The $(n+1)$-input Boolean function $f(x_0, x_1, \ldots, x_n) = x_n \oplus f_1(x_0, x_1, \ldots, x_{n-1})$, where $\oplus$ denotes exclusive-or, is called the characteristic function of the FSR in Figure 1, and without ambiguity we also denote this FSR by $f$. Let $G(f)$ denote the set of sequences generated by $f$, i.e.,
$$G(f) = \{\, s \in \{0,1\}^* : \forall t,\ f(s(t), s(t+1), \ldots, s(t+n)) = 0 \,\},$$
where $\{0,1\}^*$ is the set of binary sequences. If $f(x_0, x_1, \ldots, x_n) = x_n \oplus c_{n-1} x_{n-1} \oplus \cdots \oplus c_1 x_1 \oplus c_0 x_0$, where $c_0, c_1, \ldots, c_{n-1} \in \{0,1\}$, then $f$ is called a linear feedback shift register (LFSR), and $p(x) = x^n \oplus c_{n-1} x^{n-1} \oplus \cdots \oplus c_1 x \oplus c_0$ is called its characteristic polynomial. Without ambiguity we also denote this LFSR by $p(x)$.
An FSR which is not an LFSR is called a nonlinear feedback shift register (NFSR).
If there exists an $m$-stage FSR $g$ such that $m < n$ and $G(g) \subset G(f)$, then $g$ is called a subFSR of $f$ and $f$ is said to be reducible; otherwise $f$ is said to be irreducible. Let $f(x_0, x_1, \ldots, x_n) = x_n \oplus f_1(x_0, x_1, \ldots, x_{n-1})$ and $g(y_0, y_1, \ldots, y_m) = y_m \oplus g_1(y_0, y_1, \ldots, y_{m-1})$ be two FSRs. The finite state machine in Figure 2 is called the cascade connection of $f$ into $g$. The Grain family of ciphers uses the cascade connection of an LFSR into an NFSR [5]. Green and Dimond [4] defined the product FSR of $f$ and $g$ to be
$$(f * g)(x_0, x_1, \ldots, x_{n+m}) = f\bigl(g(x_0, x_1, \ldots, x_m),\ g(x_1, x_2, \ldots, x_{m+1}),\ \ldots,\ g(x_n, x_{n+1}, \ldots, x_{n+m})\bigr),$$
and showed $G(f; g) = G(f * g)$, where $G(f; g)$ is the set of output sequences of the cascade connection of $f$ into $g$. Given an FSR $h$, if there exist two FSRs $f$ and $g$ satisfying $h = f * g$, then $h$ is said to be decomposable; otherwise $h$ is said to be indecomposable. Deciding whether an FSR is (ir)reducible or (in)decomposable is appealing for the reasons below. First, it offers a new perspective on the analysis of stream ciphers. Notice that all sequences generated by $g$ are also generated by $f * g$ if $f$ can output the 0-sequence. An FSR that is reducible or decomposable without its designer being aware of it may undermine the claimed security of a stream cipher, e.g. by producing output sequences of inadequate period. In particular, if $g$ is an LFSR and $f$ can output the 0-sequence, then $f * g$ generates a family of linear recurring sequences, which are vulnerable to the Berlekamp-Massey algorithm. Second, it potentially improves the implementation of FSRs. On one hand, replacing an FSR by a large-stage subFSR, if one exists, costs less memory while still generating a large part of its output sequences.
On the other hand, similar to the idea of Dubrova [2], substituting a decomposable FSR by its equivalent cascade connection as in Figure 2 possibly reduces the circuit depth of the feedback logics, in favour of shorter propagation time and larger throughput. Third, an algorithm testing (ir)reducibility/(in)decomposability helps to design useful FSRs. Because Tian and Qi [12] proved that on average at least one among three randomly chosen NFSRs is irreducible, a great number of irreducible NFSRs can be found if deciding irreducibility of FSRs is feasible. Besides, FSRs generating maximal-length sequences have been constructed from the inherent structure of decomposable FSRs [9].
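The FSR conventions fixed above (state transformation, characteristic function, LFSR coefficients), the product FSR $f * g$, the cascade connection of $f$ into $g$ and the subFSR relation, exercised by brute force in the following added Python example (illustration written for this page, not code from the paper). The cascade wiring it uses, the output of $f$ XORed into the feedback of $g$ as in Grain, is an assumption about Figure 2; the two small FSRs and all helper names are the example's own. It checks $G(f;g) = G(f*g)$ by comparing cycle structures (the object Lemma 2 in Section 2 says is the right one to compare), that $g$ is a subFSR of $f*g$ because the LFSR $f$ can output the 0-sequence, and the counting identity used in the proof of Lemma 4 (the periods of the cycles of an $(n+m)$-stage FSR sum to $2^{n+m}$).

```python
"""FSRs, the product FSR f*g and the cascade connection of f into g.

Illustrative code added to this page, not the paper's.  Conventions follow
the paper: an n-stage FSR with feedback logic f1 moves from (x0,...,x_{n-1})
to (x1,...,x_{n-1}, f1(x0,...,x_{n-1})) and outputs x0; its characteristic
function is f(x0,...,xn) = xn XOR f1(x0,...,x_{n-1}).
"""
from itertools import product as cartesian


def canonical_cycle(run):
    """theta(s) for one full period `run` of an output sequence: find the
    minimal period p and return the lexicographically smallest rotation."""
    n = len(run)
    for p in range(1, n + 1):
        if n % p == 0 and all(run[i] == run[i % p] for i in range(n)):
            one = run[:p]
            return min(one[i:] + one[:i] for i in range(p))


def cycle_structure(nbits, step, output):
    """CycStr of a nonsingular machine on {0,1}^nbits: from every state walk
    the state cycle once and record the cycle of output bits it produces."""
    cycles = set()
    for v in cartesian((0, 1), repeat=nbits):
        run, w = [], v
        while True:
            run.append(output(w))
            w = step(w)
            if w == v:
                break
        cycles.add(canonical_cycle(tuple(run)))
    return cycles


def fsr_step(f1):
    """State transformation of the FSR with feedback logic f1."""
    return lambda x: x[1:] + (f1(x),)


def char_fn(f1):
    """Characteristic function x_n XOR f1(x_0, ..., x_{n-1})."""
    return lambda x: x[-1] ^ f1(x[:-1])


def lfsr_logic(coeffs):
    """Feedback logic of the LFSR with characteristic polynomial
    x^n + c_{n-1} x^{n-1} + ... + c_0, given coeffs = (c_0, ..., c_{n-1})."""
    return lambda x: sum(c & b for c, b in zip(coeffs, x)) & 1


def product_logic(f1, n, g1, m):
    """Feedback logic h1 of the (n+m)-stage product FSR f*g, where
    (f*g)(x0..x_{n+m}) = f(g(x0..xm), g(x1..x_{m+1}), ..., g(xn..x_{n+m})).
    As f*g has the form x_{n+m} XOR h1(x0..x_{n+m-1}), h1(x) is f*g
    evaluated at (x, 0)."""
    f, g = char_fn(f1), char_fn(g1)

    def h1(x):
        xx = x + (0,)
        return f(tuple(g(xx[i:i + m + 1]) for i in range(n + 1)))

    return h1


def cascade_step(f1, n, g1):
    """Cascade connection of f into g (assumed Grain-style wiring): f clocks
    freely and its output bit a0 is XORed into the feedback of g; the
    cascade's output is g's register bit b0 (= v[n] of the joint state)."""
    def step(v):
        a, b = v[:n], v[n:]
        return a[1:] + (f1(a),) + b[1:] + (g1(b) ^ a[0],)

    return step


def demo():
    """Compare G(f*g) with G(f;g) for a 2-stage LFSR f and a 3-stage NFSR g."""
    n, f1 = 2, lfsr_logic((1, 1))                  # LFSR x^2 + x + 1
    m, g1 = 3, lambda y: y[0] ^ (y[1] & y[2])      # nonsingular NFSR
    h1 = product_logic(f1, n, g1, m)
    cyc_fg = cycle_structure(n + m, fsr_step(h1), lambda v: v[0])
    cyc_cascade = cycle_structure(n + m, cascade_step(f1, n, g1), lambda v: v[n])
    cyc_g = cycle_structure(m, fsr_step(g1), lambda v: v[0])
    return cyc_fg, cyc_cascade, cyc_g


if __name__ == "__main__":
    cyc_fg, cyc_cascade, cyc_g = demo()
    print("G(f;g) == G(f*g):", cyc_fg == cyc_cascade)
    print("g is a subFSR of f*g:", cyc_g <= cyc_fg)      # f can output the 0-sequence
    print("sum of periods of CycStr(f*g):", sum(len(c) for c in cyc_fg))  # 2^(n+m)
```

The brute-force walk relies on both machines being nonsingular (every state returns to itself), which holds here because $f_1$ and $g_1$ each contain their oldest bit linearly; for a singular feedback logic the loop would not terminate, and the paper's Section 2 restricts to nonsingular FSRs for the same reason.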
Two algorithms were proposed in [11] to find affine subFSRs of NFSRs. By [6], if an NFSR $h$ is decomposed as the cascade connection of an LFSR $f$ into an NFSR $g$ and $f$ is primitive with stage no less than that of $g$, then all affine subFSRs of $h$ are exactly those of $g$. (In)decomposability of LFSRs is completely determined by their characteristic polynomials. By [4, 7, 13], an LFSR $h$ with characteristic polynomial $p(x)$ is decomposed as $h = f * g$ if and only if $f$ and $g$ are LFSRs and $p(x) = l_1(x) \cdot l_2(x)$, where $l_1(x)$ and $l_2(x)$ are the characteristic polynomials of $f$ and $g$, respectively. In contrast, decomposing NFSRs seems much more challenging, though some progress has been made recently. Using the language of algebraic normal forms of Boolean functions, Ma et al. [8] gave an algorithm to decompose NFSRs into the cascade connection of an NFSR into an LFSR, and Tian and Qi [13] gave a series of algorithms to decompose NFSRs into the cascade connection of two NFSRs. Notably, Zhang et al. [14] gave an algorithm decomposing an NFSR $f$ into the cascade connection of an NFSR into an LFSR, and the complexity of their algorithm is polynomial in the size of the algebraic normal form of $f$ and the size of the binary decision diagram of $f$, provided that converting the algebraic normal form of $f$ into the binary decision diagram of $f$ is polynomial-time computable.
Our contribution. This correspondence studies irreducibility and indecomposability from the perspective of computational complexity. NP is the class of all problems decided by polynomial-time nondeterministic Turing machines. A problem is NP-hard if it is at least as hard as every problem in NP. This correspondence proves that deciding whether an FSR is irreducible (indecomposable) is NP-hard.
The rest of this paper is organized as follows. In Section 2 we fix notation, recall basic facts on Boolean circuits and prove some lemmas on the cycle structure of FSRs. NP-hardness of FSR irreducibility and of FSR indecomposability is shown in Sections 3 and 4, respectively. The last section gives a summary and a comment on future work.
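The security remark in the introduction (an LFSR as the inner register $g$ makes $f * g$ produce linear recurring sequences) and the NFSR-into-LFSR decompositions cited just above, demonstrated by the following added Python example (written for this page, not taken from the paper or any cited work). The cascade output $s$ satisfies $g(s(t), \ldots, s(t+m)) = u(t)$ with $u$ the output of $f$; when $g$ is linear this is a linear recurrence driven by the periodic, hence linear recurring, sequence $u$, so $s$ is itself linear recurring with linear complexity at most $m + \mathrm{LC}(u)$ whatever $f$ does, and the Berlekamp-Massey algorithm recovers its recurrence from $2\,\mathrm{LC}$ output bits. This goes slightly beyond the introduction's sentence, which treats only the case where $f$ outputs the 0-sequence. The Grain-style wiring, the concrete $f$, $g$ and the initial states are the example's own choices.

```python
"""Berlekamp-Massey against a cascade of an NFSR f into an LFSR g.

Illustrative code added to this page, not the paper's.  Wiring (assumed,
Grain style): f clocks freely and its output bit a0 is XORed into the
feedback of g; the cascade output is g's register bit b0.
"""


def berlekamp_massey(bits):
    """Linear complexity L of `bits` and connection polynomial
    C = [1, c1, ..., cL] with bits[t] = XOR_{i=1..L} c_i * bits[t-i]."""
    n = len(bits)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, last = 0, -1                      # last: index where L last changed
    for t in range(n):
        d = bits[t]                      # discrepancy
        for i in range(1, L + 1):
            d ^= c[i] & bits[t - i]
        if d:
            saved, shift = c[:], t - last
            for i in range(shift, n + 1):
                c[i] ^= b[i - shift]     # C(x) += x^shift * B(x)
            if 2 * L <= t:
                L, last, b = t + 1 - L, t, saved
    return L, c[:L + 1]


def cascade_output(f1, a, g1, b, nbits):
    """Clock the cascade of f (state a) into g (state b) nbits times.
    Returns the output bits s and the driving bits u produced by f."""
    a, b = tuple(a), tuple(b)
    s, u = [], []
    for _ in range(nbits):
        s.append(b[0])
        u.append(a[0])
        a, b = a[1:] + (f1(a),), b[1:] + (g1(b) ^ a[0],)
    return s, u


def demo(nbits=64):
    """Linear complexities of two cascade outputs: f silent versus f active."""
    # 3-stage nonsingular NFSR f; from state 000 it outputs the 0-sequence
    f1 = lambda x: x[0] ^ (x[1] & x[2])
    # 4-stage LFSR g with characteristic polynomial x^4 + x + 1 (m-sequence)
    g1 = lambda y: y[0] ^ y[1]
    weak, _ = cascade_output(f1, (0, 0, 0), g1, (0, 0, 0, 1), nbits)
    active, u = cascade_output(f1, (1, 1, 1), g1, (0, 0, 0, 1), nbits)
    L_weak, C_weak = berlekamp_massey(weak)
    L_active, C_active = berlekamp_massey(active)
    L_u, _ = berlekamp_massey(u)
    return {"weak": (L_weak, C_weak), "active": (L_active, C_active), "u": L_u}


if __name__ == "__main__":
    r = demo()
    print("f silent : LC =", r["weak"][0], "C =", r["weak"][1])     # the LFSR g itself
    print("f active : LC =", r["active"][0], "<= 4 + LC(u) =", 4 + r["u"])
```

With $f$ held in its all-zero state the output is the m-sequence of $g$ and Berlekamp-Massey returns $L = 4$ with the recurrence $s(t) = s(t-3) \oplus s(t-4)$, i.e. $x^4 + x + 1$; with $f$ running on its 4-cycle the output still has linear complexity only $8 = 4 + \mathrm{LC}(u)$, so the nonlinear outer register adds nothing beyond the linear complexity of its own output.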
Preliminaries

Notations
Throughout this paper, $\mathbb{Z}$ denotes the set of integers, "$+$" addition of integers, and "$\oplus$" the exclusive-or (XOR) operation.
Denote
For $u = (a_1, a_2, \ldots, a_m) \in \{0,1\}^m$ and $1 \le k < m$, let
Without ambiguity, a vector $(a_0, a_1, \ldots, a_{m-1}) \in \{0,1\}^m$ is identified with the nonnegative integer
Boolean circuits
An $m$-input Boolean circuit $f$ is a directed acyclic graph with $m$ sources and one sink [1]. The values of the sources are the inputs of the Boolean circuit; any non-source vertex, called a gate, is one of the logical operations OR ($\vee$), AND ($\wedge$) and NOT ($\neg$), where the fan-in of OR and AND is 2 and that of NOT is 1; the value output by a gate is obtained by applying its logical operation to the values input to it; the value output by the sink is the output of the Boolean circuit $f$. The size of the circuit $f$, denoted by $\mathrm{SIZE}(f)$, is the number of vertices in it. An $m$-input Boolean circuit $f$ is satisfiable if there exists $v \in \{0,1\}^m$ such that $f(v) = 1$.
A decision problem $P$ is polynomial-time Karp reducible to a decision problem $Q$ if there is a polynomial-time computable transformation $T$ mapping instances of $P$ to those of $Q$ such that an instance $x$ of $P$ answers yes if and only if $T(x)$ answers yes [1]. A decision problem is NP-hard if an NP-complete problem is polynomial-time Karp reducible to it [1].
An FSR is completely characterized by its feedback logic. We use Boolean circuits to characterize the feedback logic of FSRs for the following two reasons. First, FSRs are mostly implemented in silicon, and the Boolean circuit is an abstract model of their feedback logic in silicon. Second, the Boolean circuit is a generalization of the Boolean formula [1]. Therefore, in this correspondence the size of an FSR is measured by the size of its feedback logic as a Boolean circuit.
The cycle structure of FSRs
A binary sequence $s$ is a map from $\mathbb{Z}$ to $\{0,1\}$. If there exists some $\tau \in \mathbb{Z}$ such that $s(t + \tau) = s(t)$ for any $t \in \mathbb{Z}$, $s$ is said to be periodic and the period of $s$ is defined to be
$$\mathrm{per}(s) = \min\{\tau > 0 : s(t+\tau) = s(t) \text{ for all } t \in \mathbb{Z}\}.$$
Let $f$ be an $m$-stage FSR. The following three statements are equivalent [3]: (i) The state transformation of $f$ is bijective. (ii) Any sequence generated by $f$ is periodic.
In the rest of this section we only consider nonsingular FSRs. A sequence $s$ of period $m$ determines a cyclic sequence $\theta(s) = [s(0), s(1), \ldots, s(m-1)]$. We call $\theta(s)$ an $m$-cycle and also write $\mathrm{per}(\theta(s)) = m$. For the $m$-cycle $\theta(s)$, define the set
Actually, any shift of a periodic sequence determines the same cycle, and $\{s' : \theta(s') = \theta(s)\}$ is exactly the set of all shifts of $s$. Furthermore, if $s \in G(f)$ for a $k$-stage FSR $f$, then each vector in $S_k(\theta(s))$ serves as a unique initial state and hence determines a unique sequence in $\{s$
The cycle structure of an FSR $f$, denoted by $\mathrm{CycStr}(f)$, is $\{\theta(s) : s \in G(f)\}$. Following this definition, we have the lemma below.
Lemma 2. Let $f$ and $g$ be FSRs. Then $g$ is a subFSR of $f$ if and only if $\mathrm{CycStr}(g) \subset \mathrm{CycStr}(f)$.
Proof. Let $F$ denote the state transformation of the FSR $f$. Then
To prove Lemma 4, we use the following lemma.
Lemma 5. Let C be a set of finitely many cycles. Then the following three statements are equivalent:
Proof. First we prove that Statements (i) and (ii) are equivalent.
Let
In this proof, a tuple $(i, j)$ denotes a pair of integers satisfying $1 \le i \le k$ and $0 \le j < p_i$. Denote
It is sufficient to consider cases below.
• Case
That is, the map $y_{i,j} \mapsto \lfloor y_{i,j} \rfloor_m = x_{i,j}$ is injective on $\bigcup_{c \in C} S_{m+1}(c)$.
Proof of the claim. Assume that this claim does not hold. Then for any (i, j 1 ) and (i ′ , j
. Therefore, our assumption is absurd and the claim is proved. Following this claim, we assume
The proof of equivalence of Statements (i) and (iii) is similar and we omit it here.
Proof of Lemma 4. By Lemma 5, it is sufficient to prove this statement: $\mathrm{CycStr}(f) = C$ if and only if
Suppose $C = \mathrm{CycStr}(f)$ for some $m$-stage FSR $f$. Then for any $c \in C$, a vector in $S_m(c)$ is exactly an initial state and uniquely determines a sequence in $G(f)$. Thus, $\bigcup_{c \in C} S_m(c) = \{0,1\}^m$ and $\bigl|\bigcup_{c \in C} S_m(c)\bigr| = \sum_{c \in C} \mathrm{per}(c)$.
Immediately, $C$ is the cycle structure of an FSR whose feedback logic is logically equivalent to $f_1$.
Lemma 6. Let $f$ be an $m$-stage FSR and $F$ the state transformation of $f$. Let $c \in \mathrm{CycStr}(f)$ and $\mathrm{per}(c) = p$. Then for any $v \in S_m(c)$, $\min\{i > 0 :$
Proof. Let $v \in S_m(c)$ and $q = \min\{i > 0 :$
and $q = \mathrm{per}(c) = p$. Because
For any $u \in \{0,1\}^{m-1}$ with $f_3(u) = 1$, there exists $b \in \{0,1\}$ satisfying $\lambda(b\,u) = 1$. $\quad (2)$
A directed graph $D_{fg}$ is defined as follows: the set of vertices is $\mathrm{CycStr}(g)$, and an arc is incident from $c_1$ to $c_2$ if and only if $\{v \in S_m(c_1) :$
then the following two statements hold: (i) Any $d \in \mathrm{CycStr}(f)$ is joined by all cycles in a weakly connected component
Proof. Statement (i) of this lemma follows from the idea of the cycle joining method [3] , and we leave its proof in Appendix 6.1. Below we prove Statement (ii) of this lemma.
By Lemmas 2 and 4, it is sufficient to prove this statement: if $C \subset \mathrm{CycStr}(f)$ and
, and hence is not injective on $\bigcup_{c \in C} S_{k+1}(c)$.
The cycle structure of LFSRs is well understood.
, and $p_2(x) = x^{4n} \oplus x^{2n} \oplus 1$ be polynomials over the binary field $\mathbb{F}_2$. Then $p_0$ is irreducible over $\mathbb{F}_2$ and
, the roots of $p_0$ are exactly the primitive $3^{k+1}$-th roots of unity. Thus $p_0$ is irreducible and $\min\{0 < t \in \mathbb{Z} : p_0 \mid (x^t - 1)\} = 3n$ is the order of any primitive $3^{k+1}$-th root of unity in the multiplicative group of the finite field
The rest of this lemma follows directly from [7, Theorems 8.53, 8.55, 8.63].
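Lemma 8's period facts, checked by direct computation in the following added Python example (written for this page, not code from the paper). The page's definition of $p_0$ did not survive extraction; the example assumes $p_0(x) = x^{2n} \oplus x^n \oplus 1$ with $n = 3^k$, the polynomial whose roots are the primitive $3^{k+1}$-th roots of unity as the text states, and uses $p_2(x) = x^{4n} \oplus x^{2n} \oplus 1$ exactly as defined above. It computes the orders $3n$ and $6n$, tabulates the periods of all cycles of the LFSRs $p_0$ and $p_2$ for small $n$ (every cycle of $p_2$ outside $\mathrm{CycStr}(p_0)$, i.e. every cycle of the set $C_{6n}$ used in Section 3, has period $6n$), and reproduces the cycle $[1\,0^{4n-1}\,1\,0^{2n-1}]$ that Section 3 obtains from the initial state $\iota_{4n}$; that $\iota_{4n}$ denotes the unit vector $(1, 0, \ldots, 0)$ is an assumption of the example.

```python
"""Orders and cycle periods of the LFSRs p_0 = x^{2n}+x^n+1 and
p_2 = x^{4n}+x^{2n}+1 over F_2 (p_0 as assumed in the lead-in).

Illustrative code added to this page, not the paper's.  A polynomial is a
Python int whose bit i is the coefficient of x^i; an n-bit LFSR state
(x_0, ..., x_{n-1}) is an int with x_0 in bit 0.
"""


def p0(n):
    return (1 << 2 * n) | (1 << n) | 1


def p2(n):
    return (1 << 4 * n) | (1 << 2 * n) | 1


def poly_order(p):
    """Smallest t > 0 with p | (x^t - 1), i.e. x^t == 1 in F_2[x]/(p);
    requires p(0) = 1 so that x is invertible modulo p."""
    deg = p.bit_length() - 1
    cur, t = 2, 1                      # cur = x^t reduced modulo p
    while cur != 1:
        cur <<= 1
        if cur >> deg & 1:
            cur ^= p
        t += 1
    return t


def lfsr_run(p, state, length):
    """Output bits x_0 of the LFSR with characteristic polynomial
    p(x) = x^n + c_{n-1} x^{n-1} + ... + c_0 for `length` clocks; one clock
    computes x_n = XOR of c_i x_i and shifts."""
    n = p.bit_length() - 1
    taps = p & ((1 << n) - 1)          # c_0 .. c_{n-1}
    out = []
    for _ in range(length):
        out.append(state & 1)
        fb = bin(state & taps).count("1") & 1
        state = (state >> 1) | (fb << (n - 1))
    return out


def period_table(p):
    """{period: number of cycles} over all initial states of the LFSR p,
    using that the length of a state cycle equals the period of the
    output sequence it carries (Lemma 6)."""
    n = p.bit_length() - 1
    taps = p & ((1 << n) - 1)
    seen, table = set(), {}
    for v in range(1 << n):
        if v in seen:
            continue
        w, length = v, 0
        while True:
            seen.add(w)
            fb = bin(w & taps).count("1") & 1
            w = (w >> 1) | (fb << (n - 1))
            length += 1
            if w == v:
                break
        table[length] = table.get(length, 0) + 1
    return table


def iota_cycle(n):
    """One period of the p_2 output from iota_{4n} = (1, 0, ..., 0)."""
    return lfsr_run(p2(n), 1, poly_order(p2(n)))


if __name__ == "__main__":
    for k in range(4):
        n = 3 ** k
        print(f"n={n:2d}: ord(p0)={poly_order(p0(n))}  ord(p2)={poly_order(p2(n))}")
    print("periods of p0, n=3:", period_table(p0(3)))
    print("periods of p2, n=3:", period_table(p2(3)))
    print("cycle from iota_4:", "".join(map(str, iota_cycle(1))))
```

For $n = 3$ the table of $p_2$ is $\{1: 1,\ 9: 7,\ 18: 224\}$: the 0-cycle and the seven $9$-cycles are exactly $\mathrm{CycStr}(p_0)$, and the remaining $2^{12} - 2^6$ states all lie on cycles of period $6n = 18$.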
NP-hardness of deciding irreducible FSRs
Below, Algorithm 1 transforms a given Boolean circuit into an FSR. In the rest of this section we use the notations $f_0$, $f_3$ and $f$ defined in Algorithm 1. Clearly, $f$ is a nonsingular FSR. Following Algorithm 1, the Boolean circuit $f_3$ is described by Figures 3, 4, 5, 6 and 7. To ease our presentation, from now on we also use operations with finite fan-in and fan-out when sketching a Boolean circuit. For example, as $x \oplus y = ((\neg x) \wedge y) \vee ((\neg y) \wedge x)$, we allow XOR ($\oplus$), logically equivalent to a subcircuit consisting of five gates. In Figures 3, 4, 5 and 6, the operation "$\overset{?}{=}$" decides whether two $4n$-bit inputs are equal.
Proof. The operation $x \mapsto \bar{x}$ uses one NOT gate on $\lceil x \rceil_1$. Given the inputs $(x_0, x_1, \ldots, x_{4n-1})$ and $(y_0, y_1, \ldots, y_{4n-1})$, the operation "
) and costs at most $24n$ gates. The
Algorithm 1 Transforming a Boolean circuit to an FSR
Input: An $r$-input Boolean circuit $f_0$. Output: A $4n$-stage FSR $f$, where $k = \min\{i \in \mathbb{Z} : i \ge \log_3(r/2)\}$ and $n = 3^k$. 1: {Construct a $(4n-1)$-input Boolean circuit $f_3$ with its pseudocode in Lines 2-37. In the rest of this section, $L$ denotes the state transformation of the LFSR $x^{4n} \oplus x^{2n} \oplus 1$.} 2: Let $x \in \{0,1\}^{4n-1}$ be the input of $f_3$.
6:
c i = 1.
9:
else 10:
13:
14:
else 15: The Boolean circuit $f_3$ returns 1. The Boolean circuit $f_3$ returns 1. The Boolean circuit $f_3$ returns 1. The Boolean circuit $f_3$ returns 0.
The subcircuits CP and CMP are given in Figures 3 and 4, respectively.
The subcircuits MQ and PS are given in Figures 5 and 6, respectively.
The state transformation $L$ is performed by one XOR gate, i.e., 5 gates. By Appendix 6.2, the operation "min" uses $104n^2 + 66n - 22$ gates.
Noticing $r \le 2n \le 3r - 1$, $r \le \mathrm{SIZE}(f_0)$ and
we count gates in Figure 7 and obtain
The Boolean circuit $f_0$ has $\mathrm{SIZE}(f_0)$ vertices and fewer than $2 \cdot \mathrm{SIZE}(f_0)$ arcs; the feedback logic $f_1$ has at most $37908 \cdot \mathrm{SIZE}(f_0)^4$ vertices and at most $75816 \cdot \mathrm{SIZE}(f_0)^4$ arcs. The FSR $f$ uses $f_0$ and basic polynomial-time computable operations at most $37908 \cdot \mathrm{SIZE}(f_0)^4$ times, and its main architecture is given by Figures 3, 4, 5, 6 and 7. Therefore, Algorithm 1 is polynomial-time computable.
In the rest of this section, $n$ is as given in Algorithm 1, $p_0$ and $p_2$ are the polynomials defined in Lemma 8, and we denote $C_{6n} = \mathrm{CycStr}(p_2) \setminus \mathrm{CycStr}(p_0)$.
Proof. Suppose $v \in S_{4n}(\gamma)$ for some $\gamma \in \mathrm{CycStr}(p_0)$. By Lemmas 6 and 8,
, where this vector is written without commas between bits. Therefore, the supposition above is absurd and $\gamma \in C_{6n}$.
Because any $v \in \{0,1\}^{4n}$, as an initial state of the $4n$-stage LFSR $p_2$, determines a unique cycle, in the rest of this section we write $\xi(v)$ for the $c \in \mathrm{CycStr}(p_2)$ such that $v \in S_{4n}(c)$.
and define a map $\rho$:
Then the following two statements hold:
Proof. For convenience, in this proof we may write a cycle or vector without commas between its bits.
Notice $\xi(\iota_{4n}) = [1\,0^{4n-1}\,1\,0^{2n-1}]$. Then $a_0u_0\,a_1u_1\,a_2u_2\,a_3u_3\,a_4u_4\,a_5u_5$ is a concatenation of the same cycle in $\mathrm{CycStr}(p_0)$, implying
where $a_2 = a_0 \oplus a_1 \oplus 1$ and $u_2 = u_0 \oplus u_1$. By Lemma 8,
we have $a_0 = 1$. By
we have $a_1 = 0$. Then $a_2 = 0$. The proof of this claim is complete.
an n-sampling of c, 0 ≤ i < kn.
Choose any $c \in D$. Because of the claim above, let $c = [1u_0\,0u_1\,0u_2\,0u_0\,1u_1\,0u_2]$, where $u_0, u_1, u_2 \in \{0,1\}^{n-1}$, $u_2 = u_0 \oplus u_1$ and $(1u_0\,0u_1\,0u_2\,0u_0) = \min S_{4n}(c)$. Then
and hence
First, $3n \nmid \mathrm{per}(\xi(\rho(c)))$. By Lemma 8, $\xi(\rho(c)) \in C_{6n}$. Second, as shown in the claim above, there is an $n$-
Denote $V_c = \{\rho(e) : e \in \mathrm{CycStr}(p_2)\}$. Notice that $\rho(c) \in S_{4n}(c)$, $c \in \mathrm{CycStr}(p_2)$. It is sufficient to consider the following cases.
If
Because $\xi(\rho(e)) = e$ for any $e \in \mathrm{CycStr}(p_2)$, we have $\rho(c) = \rho(\xi(\rho(c)))$, yielding $\rho(c) \notin V_c$.
Besides, consider c ∈
Till now all cases are listed and Statement (ii) of this lemma holds.
Lemma 12. Let $\rho$ be given in Lemma 11. Let the map $\lambda : \{0,1\}^{4n} \to \{0,1\}$ be defined as
the graph defined as in Lemma 7 (recall that $f$ and $f_3$ are given in Algorithm 1). Then the following statements hold: (i) Statements (i) and (ii) of Lemma 7 hold, where $g$ in Lemma 7 is the LFSR
is equivalent to $\xi(u_{\min}) \in \mathrm{CycStr}(p_0)$ (resp. $\xi(v_{\min}) \in \mathrm{CycStr}(p_0)$). Then $q(u_0) = 1$ (resp. $q(v_0) = 1$) if and only if $e_0 \in D$ and $u_0 = \rho(e_0)$ (resp. $e_1 \in D$ and $v_0 = \rho(e_1)$). By Lemma 10, $\{e_0, e_1\} \subset \mathrm{CycStr}(p_0)$. Then $f_3(\lfloor u_0 \rfloor_{4n-1}) = f_3(\lfloor v_0 \rfloor_{4n-1}) = 1$ if and only if one of the following cases holds:
1. $e_0 \in \mathrm{CycStr}(p_0)$, $u_0 = \min S_{4n}(e_0)$ and $\{v \in S_{4n}(e_0) : f_0(\lfloor v \rfloor_r) = 1\} = \emptyset$;
2. $e_1 \in \mathrm{CycStr}(p_0)$, $v_0 = \min S_{4n}(e_1)$ and $\{v \in S_{4n}(e_1) : f_0(\lfloor v \rfloor_r) = 1\} = \emptyset$;
3. $e_0 \in C_{6n}$, $u_0 = \min S_{4n}(e_0)$ and $\xi(u_0) = e_1 \in C_{6n}$;
4. $e_1 \in C_{6n}$, $v_0 = \min S_{4n}(e_1)$ and $\xi(v_0) = e_0 \in C_{6n}$;
5. $e_0, e_1 \in C_{6n}$, $e_0 \in D$ and $u_0 = \rho(e_0)$;
6. $e_0, e_1 \in C_{6n}$, $e_1 \in D$ and $v_0 = \rho(e_1)$.
Considering Statement (i) of Lemma 11, we have 
, which is a contradiction. Therefore, the assumption is absurd and $D_{f p_2}$ is acyclic. Till now we have proved that Eq. (2) holds and $D_{f p_2}$ is acyclic, where $g$ is the LFSR $p_2$. By Lemma 7, Statement (i) of this lemma is proved. Now we prove Statement (ii) of this lemma. Suppose $c \in C_{6n}$.
• If $\xi(\iota_{4n} \oplus \min S_{4n}(c)) \in C_{6n}$, then $c \notin D$, $\rho(c) = \min S_{4n}(c)$ and $\lambda(\rho(c)) = 1$. By Eq. (3), an arc leaves $c$.
• If $\xi(\iota_{4n} \oplus \min S_{4n}(c)) \in \mathrm{CycStr}(p_0)$ and
Furthermore, by Statements (i) and (ii) of Lemma 12, any cycle in $C_{6n}$ joins with other cycles to form a cycle in $\mathrm{CycStr}(f)$, implying
Similarly, by Statements (i) and (iii) of Lemma 12, if $f_0$ is satisfiable, then
By Eqs. (4), (5), (6) and Lemma 2, we get
By Lemma 13, $h$ is of stage $2n$. However, by Lemma 4,
which is absurd. Therefore, $f$ is irreducible.
NP-hardness of deciding indecomposable FSRs
Lemma 15. Let $f_0$ be an $r$-input Boolean logic and
otherwise.
Then the Boolean function $f_2$ is satisfiable if and only if $f_0$ is satisfiable.
Below, Algorithm 2 transforms a given Boolean circuit into an FSR. Figure 8 is a sketch of $f_2$. Following Algorithm 2, we describe $f_3$ with Figure 9.
In the rest of this section, we use the notations $f_0$, $f_2$, $f_3$ and $f$ defined in Algorithm 2. Clearly, $f$ is a nonsingular FSR. Similar to Lemma 9, we count gates in Figure 9 and derive the lemma below.
Input: An $r$-input Boolean circuit $f_0$. Output: A $(2n+1)$-stage FSR $f$, where $k = \min\{i \in \mathbb{Z} : i \ge \log_3(r/2)\}$ and $n = 3^k$. 1: Construct an $r$-input Boolean circuit $f_2$ defined by Eq. (7). 2: {Construct a $2n$-input Boolean circuit $f_3$ with its pseudocode in Lines 3-13. In the rest of this section, $L$ denotes the state transformation of the LFSR $x^{2n} \oplus x^n \oplus 1$.} 3: Let $(x_1, x_2, \ldots, x_{2n})$ be the input of $f_3$.
7:
The Boolean circuit $f_3$ returns 1. 11: else
12:
The Boolean circuit $f_3$ returns 0.
Here "$\neg^r$" (resp. "$\wedge^r$") denotes the logical NOT (resp. AND) of $r$ bits. In the rest of this section, $n$ is as given in Algorithm 2, $p_0$ and $p_1$ are the polynomials defined in Lemma 8, and we denote $\mathrm{CycStr}(p_0) = \mathrm{CycStr}(p_1) \setminus \mathrm{CycStr}(p_0)$. Moreover, let $L_1$ denote the state transformation of the LFSR $p_1$.
The maps π and χ have the properties in Lemma 17.
Lemma 17. The following statements hold. (i) For
Proof. Statements (i) and (ii) of this lemma can be proved by direct computation.
Then Statement (iv) follows from Statement (i) and (iii).
Additionally, Statement (v) holds because
Lemma 18. Let the map $\lambda : \{0,1\}^{2n+1} \to \{0,1\}$ be defined as
Let D 
Besides, by Statement (ii) of Lemma 17, there exists a unique vector $u$ in $S_{2n+1}(c)$ satisfying $\pi(u) = \min\{\pi(u') : u' \in S_{2n+1}(c)\}$. Thus, by Statement (iii) of Lemma 17, we have
By Statement (i) of Lemma 17,
In Algorithm 2, $x = (x_1, x_2, \ldots, x_{2n})$ and $u_0 = \pi(y)$, where $y = (x_{2n} \oplus x_n, x_1, x_2, \ldots, x_{2n})$ is the unique vector in $\{0,1\}^{2n+1}$ satisfying $\chi(y) = 0$ and $\lfloor y \rfloor_{2n} = x$. Let $c$ be the cycle satisfying $y \in S_{2n+1}(c)$. By Lemmas 6, 8 and Eq. (8)
Thus, by Algorithm 2, we have the following claim. By Lemma 8 and Statement (ii) of Lemma 17, the map $\pi$ gives a bijection from $\bigcup_{c \in \mathrm{CycStr}(p_0)} S_{2n+1}(c)$ to $\{0,1\}^{2n}$. Thus, seeing $r \le 2n$, we get
Therefore, on one hand, there exists $v \in \{0,1\}^{2n+1}$ satisfying $f_3(\lfloor v \rfloor_{2n}) = 1$ and $\chi(v) = 0$; on the other hand, in $D$
Since for any $v \in \{0,1\}^{2n+1}$ there exists a unique cycle $c \in \mathrm{CycStr}(f)$ satisfying $v \in S_{2n+1}(c)$, we get an integer equation
where $1 \le m \le 2n$, $0 \le a \le 2(2^{2n} - 1)/(3n)$ and $b \in \{0, 1, 2\}$. Since $2n = \min\{0 < i \in \mathbb{Z} : 3n \mid (2^i - 1)\}$, where $n = 3^k$ for some $1 \le k \in \mathbb{Z}$, Eq. (10)
Since $b = 1$ in Eq.
However, by Lemmas 6 and 8, $L^{3n}$ is the identity map. Hence,
Proof. Assume $f = h * (x_1 \oplus x_0)$. Then $h$ is a $2n$-stage FSR and $h(x_0, x_1, \ldots, x_{2n}) = x_{2n} \oplus h_1(x_0, x_1, \ldots, x_{2n-1})$, where $h_1$ is a $2n$-input Boolean logic. By Statement (ii) of Lemma 18, if $f_2$ is satisfiable, then there exists $v_0 \in \{0,1\}^{2n+1}$ satisfying $f_3(\lfloor v_0 \rfloor_{2n}) = 1$ and $\chi(v_0) = 0$. Let $f_1$ denote the feedback logic of $f$ and $v_0 = (a_0, a_1, \ldots, a_{2n})$. Then
Let $u_0 = v_0$. By Statements (i) and (ii) of Lemma 17, $\chi(u_0) = 0$ and $\pi$
As $\pi(u_0) = \pi(v_0)$, by Lemmas 3 and 8, we have $\{\pi$
, where $F$ is the state transformation of $f$. Using $\chi(v_0) = 0$ and Statements (i)-(ii) of Lemma 17, we get
Our assumption $f = h * (x_1 \oplus x_0)$ leads to the contradictory Eqs. (11) and (12).
Proof. Since $h$ is decomposable, we assume $h = h_1 * h_2$ for two FSRs $h_1$ and $h_2$.
Because
is the set of sequences generated by the cascade connection of $h_1$ into $h_2$. Therefore, $h_2$ is a subFSR of $h$ and $h$ is reducible.
The idea of Lemma 21 was given in [4]; here we reinterpret it for readability.
$x_0)$. Hence, the assumption is absurd and $f$ is indecomposable.
Case (ii): $f_0$ is unsatisfiable. By Lemma 15, $f_2$ is unsatisfiable. By Algorithm 2, $f_3(x) = 0$ for any $x \in \{0,1\}^{2n}$. Then $f$ is exactly the LFSR $p_1$ and $f(x_0, x_1, \ldots, x_{2n}) = (x_{2n} \oplus x_n \oplus x_0) * (x_1 \oplus x_0)$. So $f$ is decomposable.
Conclusion
Deciding irreducibility and indecomposability of FSRs matters both for sophisticated circuit implementation and for the security analysis of stream ciphers. Here we have proved that both decision problems are NP-hard. Assuming P $\neq$ NP, where P is the class of decision problems decided by polynomial-time deterministic Turing machines, neither problem admits a polynomial-time algorithm.
Furthermore, it remains of theoretical interest to determine the computational complexity of the search versions of FSR reducibility/decomposability, i.e., to find a subFSR/factor of a given FSR, where $g$ and $h$ are called factors of $f$ if $f = h * g$. Besides, provided that the input Boolean circuit is satisfiable, Algorithm 1 (resp. Algorithm 2) constructs an irreducible (resp. indecomposable) FSR. Since satisfiable Boolean circuits are easy to find, it remains a question whether Algorithm 1 (resp. Algorithm 2) can be modified to construct a family of irreducible (resp. indecomposable) FSRs with properties desirable in practice.
Appendices
Appendix: the proof of Statement (i) of Lemma 7
Proof. Let $F$ denote the state transformation of the FSR $f$.
By Lemma 6, it is sufficient to prove the following claim.
By induction, the claim above is assumed to hold for $f'$. We only have to consider states in $\bigcup_{c \in C} S_m(c)$.
In D 
By Eqs. (13) and (14), $F^{p+q}(v_0) = v_0$ and
Thus, the claim also holds for f . The proof of this claim is complete by induction.
Appendix: the operation min
The operation "min" outputs the minimum of two integers. Here the multiplying operation "$\times$" has a one-bit input $a$ and an $m$-bit input $w = (w_0, w_1, \ldots, w_{m-1})$, and outputs $(a \wedge w_0, a \wedge w_1, \ldots, a \wedge w_{m-1})$; thus "$\times$" costs $m$ gates. By Figure 10, we have $\mathrm{SIZE}(\min_m) = 12 + 13m + \mathrm{SIZE}(\min_{m-1})$ for any $m \ge 2$, and hence $\mathrm{SIZE}(\min_m) = (13m^2 + 37m - 44)/2$.
