Due to their simple construction, LFSRs are commonly used as building blocks in various random number generators. Nonlinear feedforward logic is incorporated in LFSRs to increase the linear complexity of the generated sequence. In this work, we extend the idea of nonlinear feedforward logic to LFSRs over arbitrary finite fields and analyze the statistical properties of the generated sequences.
I. INTRODUCTION
Pseudorandom number generators (PRNGs) [1] have a wide array of applications ranging from cryptography ([1], [2]) and error correcting codes [3] to spread spectrum communication [4]. Due to their simple construction and ease of hardware implementation, linear feedback shift registers (LFSRs) are commonly used as basic building blocks for PRNGs. For a given number of delay blocks, LFSRs with primitive characteristic polynomials generate sequences with maximum period. Such sequences have a balanced distribution of 0's and 1's and exhibit properties like the span-n property and 2-level autocorrelation which are desirable for randomness [5]. However, sequences generated by LFSRs are marred by their low linear complexity. One way of increasing the linear complexity of such sequences is by the use of nonlinear feedforward logic [6]. An analysis of the linear complexity of binary sequences generated by nonlinear feedforward generators (NLFGs) is given in [7]. Statistical properties of such sequences are investigated in [8], [9], [10], [11]. In this paper, we have analyzed sequences generated by NLFGs where the underlying LFSR implements a linear recurring relation (LRR) in an arbitrary finite field.
Further, we have proposed a method of applying nonlinear feedforward logic to σ-LFSRs. We have then compared the statistical distribution of sequences generated by the proposed scheme with those generated by the scheme mentioned in [12] .
The remainder of this paper is organized as follows. Section II contains an introduction to LFSRs and motivates the use of NLFGs. Section III describes NLFGs and analyzes the properties of sequences generated by them. Section IV describes an implementation of NLFGs over word-based σ-LFSRs and contains a statistical analysis of sequences generated by such a configuration. Section V briefly summarizes the paper.
The notations used in this paper are as follows. The cardinality of a set S is denoted by |S|.
$\mathbb{F}_q$ denotes the finite field of order $q = p^n$, where p is a prime number and n is a positive integer.
The output of the LFSR shown in Figure 1 is a linear recurring sequence which satisfies the Figure 1 nonzero then a primitive-LFSR generates all the nonzero states in a single period [13] .
The linear complexity of a given sequence is the minimum degree of an LFSR which generates that sequence. Clearly, the linear complexity of a sequence generated by an LFSR is at most equal to the number of delay blocks in that LFSR. The linear complexity of such sequences can be increased by using nonlinear feedforward logic [6]. An NLFG consists of an LFSR along with a multiplier assembly having a set of 2-input multipliers. In this scheme, the outputs of some of the delay blocks are multiplied with each other and the resulting products are then added to generate the output sequence. The output of each delay block can act as an input to at most one multiplier. Multiplication and addition are as defined in $\mathbb{F}_q$. For q = 2, multiplication and addition translate to AND and XOR operations respectively.
An example of such a scheme is shown in Figure 2. In the following section, we will discuss the statistical properties of sequences generated by NLFGs over arbitrary finite fields. Our arguments do not require the underlying FSR to be linear. However, we assume that all nonzero states occur once in every period (as in a primitive LFSR).
Lemma 3.1:
Since there are q − 1 possible values for
Lemma 3.1 shows that ψ 1 (K) does not depend upon the value of K but only on whether K is zero or nonzero. Therefore, in the remainder of the paper we denote ψ 1 (K) by ψ nz when times. Therefore,
In the expression for N L m (0), one is deducted to account for the absence of the zero state. Thus, deriving an expression for N L m (·) reduces to finding a formula for $\psi_m(\cdot)$.

Definition 3.1: An m-partition of K over $\mathbb{F}_q$ is defined as an m-tuple of nonzero elements in $\mathbb{F}_q$ whose sum (as defined in $\mathbb{F}_q$) is K. We denote the set of m-partitions of K by $S_m(K)$.
Using the above recursion, the closed-form expression for $|S_m(K)|$ is derived as follows.
Proof: We shall prove the lemma using induction.
. Thus, the statement of the lemma is true for m = 1.
Let the statement be true for
We now proceed to prove that the statement is true for m = l + 1.
Assume that at a particular time instant, the outputs of i of the m multipliers are zero. These 
Now, we simplify the above formula to derive a closed-form expression for $\psi_m(K)$.
Theorem 3.4:
For a multiplier assembly with m multipliers and for all K ∈ F q .
we get -
Therefore,
Substituting the values of ψ z and ψ nz from Equation 1 and Lemma 3.1 we get -
Since there are $(q-1)$ nonzero elements in $\mathbb{F}_q$, there are $(q-1)q^{m-1}(q^m-1)$ input combinations that generate a nonzero output from the NLFG. Therefore,
This concludes the proof of our theorem.
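The count used in the proof can be checked by exhaustive enumeration. The following Python is an added example, not code from the paper: it assumes a prime field (arithmetic mod p), reads the stated total $(q-1)q^{m-1}(q^m-1)$ as shared equally among the nonzero elements, and counts all $q^{2m}$ multiplier inputs without the zero-state correction; all function names are hypothetical.

```python
from collections import Counter
from fractions import Fraction
from itertools import product

def output_counts(p, m):
    """Brute force: for each K in F_p, count the 2m-tuples (a_1, b_1, ..., a_m, b_m)
    over F_p with a_1*b_1 + ... + a_m*b_m = K (one 2-input multiplier per pair)."""
    counts = Counter()
    for inputs in product(range(p), repeat=2 * m):
        k = sum(inputs[2 * i] * inputs[2 * i + 1] for i in range(m)) % p
        counts[k] += 1
    return counts

def psi_nonzero(q, m):
    # Assumption (reading of the page): the (q-1) q^(m-1) (q^m - 1) inputs that
    # give a nonzero output are shared equally among the q-1 nonzero elements.
    return q ** (m - 1) * (q ** m - 1)

def psi_zero(q, m):
    # Every other input among the q^(2m) possible ones produces 0.
    return q ** (2 * m) - (q - 1) * psi_nonzero(q, m)

def matches_closed_form(p, m):
    """True when the enumeration agrees with the closed-form counts for F_p."""
    counts = output_counts(p, m)
    return counts[0] == psi_zero(p, m) and all(
        counts[k] == psi_nonzero(p, m) for k in range(1, p))

def zero_excess(q, m):
    """How much more often 0 appears than a fixed nonzero K (1 means balanced)."""
    return Fraction(psi_zero(q, m), psi_nonzero(q, m))

if __name__ == "__main__":
    for p, m in [(2, 1), (2, 3), (3, 2), (5, 2), (7, 1)]:
        print(p, m, dict(output_counts(p, m)), matches_closed_form(p, m))
    for m in (1, 2, 4, 8):
        # The excess of zeros shrinks toward 1 as the number of multipliers grows.
        print(m, float(zero_excess(3, m)))
```

The second loop shows the bias toward zero at the multiplier output decaying as m increases, which is the behaviour the limit argument that follows formalizes.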
Substituting the formula for $\psi_m(\cdot)$ derived in Theorem 3.4 in Equation 2 we get -

We now go on to show that the distribution of elements in the output sequence of an NLFG tends to a balanced distribution as the number of delay blocks and the number of multipliers tends to infinity.
Proof: In the case, when
In the case, when
. lim
IV. NLFGS OVER σ-LFSR
A σ-LFSR is an LFSR configuration with multi-input multi-output delay blocks that aims to utilize the parallelism provided by modern word based processors. A detailed description of σ-LFSRs can be found in [14] . Figure 4 depicts an L-stage σ-LFSR with r-input r-output delay blocks. 
where $j = 0, 1, \ldots$ and $s_j \in \mathbb{F}_q^r$. At the k-th time instant, let $s_i(k)$ be the output of the $B_i$-th delay block. The state vector $s(k)$ of a σ-LFSR at that instant can be obtained by stacking the outputs of the delay blocks one below the other. For instance,
. . .
Observe that,
Thus, the relation between two consecutive state vectors of a σ-LFSR is as follows:
where
Here, 0 ∈ F r×r q is the zero matrix and I ∈ F the number of σ-LFSR configurations having characteristic polynomial p(x) has been calculated in [15] , [16] .
The output sequence of a σ-LFSR with r-input r-output delay blocks is a sequence in $\mathbb{F}_q^r$. Now, each entry of this vector sequence constitutes a scalar sequence. We shall call these sequences the component sequences of the vector sequence. Since $\mathbb{F}_q^r$ is known to be isomorphic to $\mathbb{F}_{q^r}$, a σ-LFSR can be seen as an FSR over the field $\mathbb{F}_{q^r}$ [13]. Thus, each state vector of a σ-LFSR can be seen as a vector in $\mathbb{F}_{q^r}^L$. The characteristic polynomial of the σ-LFSR being primitive ensures that all nonzero vectors in $\mathbb{F}_{q^r}^L$ occur as state vectors exactly once in every period. In the proposed scheme, the outputs of delay blocks of a σ-LFSR are multiplied as elements in $\mathbb{F}_{q^r}$. This is in contrast to the scheme given in [12] wherein multiplication is done element-wise. Note that element-wise multiplication is not equivalent to multiplication over a finite field. For example, in F T is zero which is not possible over a finite field.
Let p(x) be a primitive polynomial of degree r. Now, $\mathbb{F}_{q^r}$ can be seen as the residue class
, the equivalence class of f (x) has a unique representative element with degree less than r. We therefore have the following map
Clearly, the above map is a vector space homomorphism. Using this map, we define multiplication of two elements in $\mathbb{F}_q^r$, denoted as ×, as follows.
is a vector whose entries are the coefficients of the polynomial $g(x) = f_1 f_2 \bmod p(x)$. If $f_1$ and $f_2$ are the unique elements in their respective equivalence classes having degree less than r then
is a polynomial with degree less than 2r. Let $v \in \mathbb{F}_q^{2r-1}$ be a vector whose entries are the
is the following matrix.
Example 4.1:
From Equation 7
, the Q matrix is as follows.
As shown in Figure 5, in the proposed scheme the underlying FSR is a σ-LFSR and the multiplier assembly has m ≤ 
In order to draw a comparison between the proposed scheme and that given in [12], we now briefly analyse the distribution of vectors in sequences generated by the latter. Although [12] deals only with the binary case, in our analysis we consider the NLFG to be over an arbitrary finite field $\mathbb{F}_q$. The only difference between the scheme given in [12] and the one proposed here is that there the outputs of the delay blocks are multiplied element-wise. In the remainder of this section, we shall refer to NLFGs that use the scheme given in [12] as element-wise NLFGs.
Element-wise multiplication operation in a multiplier assembly is depicted in Figure 6. multipliers. For a given nonzero vector $v \in \mathbb{F}_q^r$, the number $\Psi_m(v)$ of inputs to the multiplier assembly that generate v at the output is given by
where κ is the number of nonzero elements in v.
Proof: Since addition and multiplication are performed element-wise, the i-th entry $v_i$ of the output vector sequence is a function of only the i-th outputs of the delay blocks of the σ-LFSR. Further, from Lemma 4.1 it can be inferred that each component sequence of the σ-LFSR can be seen to be generated by a scalar LFSR whose characteristic polynomial is the same as that of the σ-LFSR. Therefore, the i-th bit of the output sequence of the NLFG can be seen to be generated by a scalar NLFG with a primitive scalar LFSR having rL delay blocks and a multiplier assembly with m multipliers. From Theorem 3.4, the number of inputs to this multiplier assembly that generate $v_i$ at the output is given by
Therefore, the total number of possible inputs to the multiplier assembly that generate a given vector v having κ nonzero elements is given by 
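The contrast between the two multiplier assemblies can be reproduced for small binary cases. The following Python is an added example, not code from the paper or from [12]: it assumes q = 2, represents a vector in $\mathbb{F}_2^r$ as an integer bitmask, uses the primitive polynomials $x^2+x+1$ and $x^3+x+1$ as p(x), and enumerates all multiplier inputs without the zero-state correction; all function names are hypothetical.

```python
from collections import Counter
from itertools import product

def field_mul(a, b, r, poly):
    """Product in F_{2^r}: bit i of an int is the coefficient of x^i and
    poly encodes the degree-r modulus p(x), including its x^r term."""
    acc = 0
    while b:
        if b & 1:
            acc ^= a
        b >>= 1
        a <<= 1
        if (a >> r) & 1:       # degree reached r: reduce modulo p(x)
            a ^= poly
    return acc

def elementwise_mul(a, b, r, poly):
    """Component-wise product in F_2^r, i.e. bitwise AND (r and poly unused)."""
    return a & b

def zero_divisor_pairs(mul, r, poly):
    """Number of ordered pairs of nonzero vectors whose product is zero."""
    nonzero = range(1, 1 << r)
    return sum(1 for a in nonzero for b in nonzero if mul(a, b, r, poly) == 0)

def output_distribution(mul, r, poly, m):
    """Count, per output vector, the inputs to an m-multiplier assembly producing it."""
    counts = Counter()
    for inputs in product(range(1 << r), repeat=2 * m):
        out = 0
        for i in range(m):
            out ^= mul(inputs[2 * i], inputs[2 * i + 1], r, poly)
        counts[out] += 1
    return counts

if __name__ == "__main__":
    for r, poly in [(2, 0b111), (3, 0b1011)]:      # x^2+x+1 and x^3+x+1
        for name, mul in [("field", field_mul), ("element-wise", elementwise_mul)]:
            dist = output_distribution(mul, r, poly, 1)
            print(r, name, zero_divisor_pairs(mul, r, poly), sorted(dist.items()))
```

With field multiplication every nonzero vector is produced equally often, whereas with element-wise multiplication the count falls as the number κ of nonzero entries in v rises.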
V. CONCLUSION
In this paper, we have extended the notion of NLFGs to arbitrary finite fields and have analyzed the statistical properties of the sequences generated by such NLFGs. Further, we have proposed an implementation of NLFGs over σ-LFSRs and have shown that the sequences generated by the proposed scheme are more balanced than the sequences generated by the existing scheme given in [12].
