On ideal t-tuple distribution of filtering de Bruijn sequence generators

Abstract

A binary de Bruijn sequence is a sequence of period 2ⁿ in which every n-tuple occurs exactly once in one period. A de Bruijn sequence is attractive because of having good statistical properties such as long period, balance, high linear complexity and ideal n-tuple distribution. A nonlinear feedback shift register (NLFSR) can be used to generate a de Bruijn sequence. A filtering de Bruijn sequence generator (FDBG) is an NLFSR-based filtering generator constructed by applying a filter function to the internal state of the NLFSR generating a de Bruijn sequence. If the filtering function is balanced, then an FDBG inherits the properties long period, balance, and the lower bound of linear complexity, but its ideal t-tuple distribution property is unknown. In this paper we study ideal t-tuple distribution of filtering de Bruijn (DB) sequence generators. First, we present a construction of a q-ary de Bruijn sequence from a binary de Bruijn sequence. Then, we describe the construction of the FDBG and investigate the ideal t-tuple distribution for two types of the FDBGs. The conditions on the filtering functions for having the ideal t-tuple distribution in the filtering sequences are presented. Finally, we perform an experiment on FDBGs with WG transformations as filtering functions to validate our result and find filtering functions with good cryptographic properties.

Appendix: The WG transformation

Let \(\mathbb {F}_{2}\) be the Galois field with two elements and \(\mathbb {F}_{2^{s}}\) be a finite field with 2^s elements. Let \(\text {Tr}(x) = x + x^{2} + {\cdots } + x^{2^{s-1}}, x \in \mathbb {F}_{2^{s}}\) be the trace function defined from \(\mathbb {F}_{2^{s}}\) to \(\mathbb {F}_{2}\). Let s be a positive integer with s ≢ 0 mod 3 and 3k ≡ 1 mod s for some integer k. The Welch-Gong (WG) transformation from \(\mathbb {F}_{2^{s}}\) to \(\mathbb {F}_{2}\) with decimation d [12, 13] is defined by

$$f(x^{d}) = \text{Tr}(h(x^{d}+1)+1)$$

where \(h(x) = x + x^{q_{1}} + x^{q_{2}} + x^{q_{3}} + x^{q_{4}}\) and \(q_{1} = 2^{k} + 1, q_{2} = 2^{2k} + 2^{k} + 1, q_{3} = 2^{2k} - 2^{k} + 1, q_{4} = 2^{2k} + 2^{k} - 1\) and d is a coset leader co-prime to 2^s − 1. Cryptographic properties of WG transformations have been studied in [13]. For the details, the reader is referred to [13].