On affine sub-families of Grain-like structures

Abstract

Grain is one of eSTREAM hardware-oriented finalists. It contains a cascade connection of an 80-bit primitive linear feedback shift registers (\({{\mathrm{LFSR}}}\)) into an 80-bit nonlinear feedback shift register (\({{\mathrm{NFSR}}}\)). The variant Grain-128 has a cascade connection with both \({{\mathrm{LFSR}}}\) and \({{\mathrm{NFSR}}}\) of order 128. We consider Grain-like structures, i.e., the cascade connection of a primitive \({{\mathrm{LFSR}}}\) into an \({{\mathrm{NFSR}}}\) of the same order. It is easy to know that in such a structure, all the affine sub-families of the \({{\mathrm{NFSR}}}\) are also the affine sub-families of the cascade connection. We prove that if the degree of the characteristic function of the \({{\mathrm{NFSR}}}\) is bigger than 2, then affine sub-families of the cascade connection must also be affine sub-families of the \({{\mathrm{NFSR}}}\). The same result holds if the order of the primitive \({{\mathrm{LFSR}}}\) is bigger than the order of the \({{\mathrm{NFSR}}}\).

Appendix: Proof of Theorem 5

We introduce some notations first. For a nonnegative integer t, the weight of t is the number of 1’s in its 2-adic expansion, and denoted by w(t). We only consider \(0\le t\le 2^n-1\), where n is the same as in Theorem 5. The notation \([l]_{{{\mathrm{mod}}}k}\) represents the least nonnegative residue of l modulo k.

Lemma 12

Assume \(0\le j\le n\) and \(0\le t<2^n-1\). Then

$$\begin{aligned} w(t)=w([2^jt]_{{{\mathrm{mod}}}2^n-1}). \end{aligned}$$

Proof

Assume \(w(t)=k\) and \(t=2^{i_0}+2^{i_1}+\cdots +2^{i_k}\) with \(i_0<i_1<\cdots <i_k<n\). Then

$$\begin{aligned}{}[2^jt]_{{{\mathrm{mod}}}2^n-1}=2^{[i_0+j]_{{{\mathrm{mod}}}n}}+2^{[i_1+j]_{{{\mathrm{mod}}}n}}+\cdots +2^{[i_k+j]_{{{\mathrm{mod}}}n}}. \end{aligned}$$

So \(w([2^jt]_{{{\mathrm{mod}}}2^n-1})=w(t)=k\).\(\square \)

Now we can give the proof of Theorem 5.

Proof of Theorem 5

“\(\Leftarrow \)”. If \(d=2^i\), then \({{\mathrm{tr}}}(\beta ((x+1)^d+x^d))={{\mathrm{tr}}}(\beta )\) is a constant. If \(d=2^i(1+2^j)\), then

$$\begin{aligned} {{\mathrm{tr}}}(\beta ((x+1)^d+x^d))&={{\mathrm{tr}}}(\beta (x^{2^{i+j}}+x^{2^i}+1))\nonumber \\&={{\mathrm{tr}}}((\beta ^{2^{n-i-j}}+\beta ^{2^{n-i}})x)+{{\mathrm{tr}}}(\beta ). \end{aligned}$$

(8)

Since \(\beta \in \mathbb {F}_{2^r}\) with \(r=\gcd (j,n)\), we have \(\beta ^{2^{n-i-j}}+\beta ^{2^{n-i}}=0\). So the value is equal to \({{\mathrm{tr}}}(\beta )\) for all \(x\in \mathbb {F}_{2^n}\).

“\(\Rightarrow \)”. We divide the proof into three parts according to the value of w(d). If \(w(d)=1\), it is obvious. If \(w(d)=2\), let \(d=2^i(1+2^j)\) with \(j>0\) and \(d<2^n\). In (8), let \(\delta =\beta ^{2^{n-i-j}}+\beta ^{2^{n-i}}\), and then \({{\mathrm{tr}}}(\delta x)\) is a constant. Thus \(\delta =0\). So \(\beta ^{2^{n-i-j}}+\beta ^{2^{n-i}}=0\), which is equal to \(\beta +\beta ^{2^j}=0\). Then \(\beta \in \mathbb {F}_{2^j}\). We also have \(\beta \in \mathbb {F}_{2^n}\). Hence \(\beta \in \mathbb {F}_{2^r}\) with \(r=\gcd (j, n)\).

For \(w(d)\ge 3\), we will prove that \({{\mathrm{tr}}}(\beta ((x+1)^d+x^d))\) can not be a constant for any \(\beta \in \mathbb {F}_{2^n}^*\). Since \({{\mathrm{tr}}}(x^2)={{\mathrm{tr}}}(x)\), without loss of generality, we assume that d is odd. Let

$$\begin{aligned} d=2^{i_0}+2^{i_1}+\cdots +2^{i_k}, \end{aligned}$$

with \(0=i_0<i_1<\cdots <i_k<n\) and \(k\ge 2\). Then

$$\begin{aligned}&(x+1)^d+x^d\\&\quad =(x+1)(x^{2^{i_1}}+1)\cdots (x^{2^{i_k}}+1)+x^d\\&\quad =1+\sum _{i=1}^{k}w_i(x), \end{aligned}$$

where \(w_i(x)\) contains all the terms \(x^j\) with \(w(j)=i\). For example \(w_1(x)=x+x^{2^{i_1}}+\cdots +x^{2^{i_k}}\) and \(w_{k}(x)=x^{d_0}+x^{d_1}+\cdots +x^{d_k}\), where \(d_j=d-2^{i_j}\). Since \({{\mathrm{tr}}}(\beta ((x+1)^d+x^d))\) is a constant for all \(x\in \mathbb {F}_{2^n}\), then \({{\mathrm{tr}}}(\beta ((x+1)^d+x^d))\) modulo \(x^{2^n}+x\) is a constant polynomial. By Lemma 12, we have that all the terms in \({{\mathrm{tr}}}(\beta w_i(x))\) are of powers with weight i. Thus \({{\mathrm{tr}}}(\beta w_i(x))\) modulo \(x^{2^n}+x\) is 0 for all \(1\le i\le k\). Now we consider the polynomial \({{\mathrm{tr}}}(\beta w_k(x))\) modulo \(x^{2^n}+x\). The coefficient of \(x^{d_0}\) is zero. Then there must exist some \(0\le u\le k\) and \(1\le v\le n-1\) such that \([2^vd_u]_{{{\mathrm{mod}}}2^n-1}=d_0\).

If \(u=0\), then \(2^n-1\mid (2^v-1)d_0\). Since \(\gcd (2^n-1, 2^v-1)=2^{\gcd (n,v)}-1\), we can assume \(v\mid n\) and let \(n=vl\). Then \(d_0=n'(1+2^v+\cdots +2^{(l-1)v})\) with \(n'<2^v\). Let \(n'=2^{t_1}+\cdots +2^{t_m}\) with \(0\le t_1<t_2<\cdots <t_m\le v-1\). Then the set \(\{i_1, \ldots , i_k\}\) can be rearranged as

$$\begin{aligned}&\{\ t_1, t_1+v, \ldots , t_1+(l-1)v,\\&t_2, t_2+v, \ldots , t_2+(l-1)v,\\&\cdots \\&t_m, t_m+v, \ldots , t_m+(l-1)v \ \}. \end{aligned}$$

Now we consider the coefficient of x in \({{\mathrm{tr}}}(\beta w_1(x))\) modulo \(x^{2^n}+x\). Then

$$\begin{aligned} \beta ^{2^{n-i_0}}+\beta ^{2^{n-i_1}}+\cdots +\beta ^{2^{n-i_k}}=0. \end{aligned}$$

(9)

The coefficient of \(x^{1+2^v+\cdots +2^{(l-1)v}}\) in \({{\mathrm{tr}}}(\beta w_l(x))\) modulo \(x^{2^n}+x\) is also zero. This term appears in \({{\mathrm{tr}}}(\beta x^{2^{t_z}+2^{t_z+v}+\cdots +2^{t_z+(l-1)v}})\) for \(z=1, 2,\ldots , m\), each with coefficient

$$\begin{aligned} \delta _z=\beta ^{2^{n-t_z}}+\beta ^{2^{n-(t_z+v)}}+\cdots +\beta ^{2^{n-(t_z+(l-1)v)}}. \end{aligned}$$

Then \(\sum _{z}\delta _{z}=0\). Combined with (9), we have \(\beta ^{2^{n-i_0}}=\beta =0\), which contradicts to \(\beta \in \mathbb {F}_{2^n}^*\).

Now assume \(u\ne 0\). Then

$$\begin{aligned}{}[2^vd_u]_{{{\mathrm{mod}}}2^n-1}=\sum _{y\ne u}2^{[y+v]_{{{\mathrm{mod}}}n}}=d_0. \end{aligned}$$

In this equation, let \(y=0\), and then we know v is equal to some \(i_j\). If \(j\ne u\), i.e, \(2^{i_j}\) appears in \(d_u\), then let \(y=i_j\), and \([2v]_{{{\mathrm{mod}}}n}=i_{j'}\). Finally we can get that the set \(\{i_0, i_1, \ldots , i_{k}\}\) can be rearranged as

$$\begin{aligned}&\{ 0, v, \ldots , [yv]_{{{\mathrm{mod}}}n}\\&r_1, [r_1+v]_{{{\mathrm{mod}}}n}, \ldots , [r_1+(l-1)v]_{{{\mathrm{mod}}}n},\\&\cdots \\&r_m, [r_m+v]_{{{\mathrm{mod}}}n}, \ldots , [r_m+(l-1)v]_{{{\mathrm{mod}}}n} \ \}, \end{aligned}$$

where \(r_i\)’s are integers less than n and l is the smallest positive integer such that \(n\mid lv\). Then we have \(y<l-1\). If not, let \(\gcd (n,v)=j\), then \((1+2^j+\cdots +2^{(l-1)j})\mid d\), which contradicts to \(\gcd (d, 2^n-1)=1\). Moreover, we have \(u=[yv]_{{{\mathrm{mod}}}n}\ne 0\). So \(1\le y<l-1\).

If \(m\ne 0\), then \(k>l>y\). We consider the coefficient of \(x^{1+2^v+\cdots +2^{[(l-1)v]_{{{\mathrm{mod}}}n}}}\) in \({{\mathrm{tr}}}(\beta w_{l}(x))\). This term appears in

$$\begin{aligned} {{\mathrm{tr}}}(\beta x^{2^{r_z}+2^{[r_z+v]_{{{\mathrm{mod}}}n}}+\cdots +2^{[r_z+(l-1)v]_{{{\mathrm{mod}}}n}}}) \end{aligned}$$

for \(1\le z\le m\) with coefficient

$$\begin{aligned} \delta _z=\beta ^{2^{n-r_z}}+\beta ^{2^{n-[r_z+v]_{{{\mathrm{mod}}}n}}}+\cdots +\beta ^{2^{n-[r_z+(l-1)v]_{{{\mathrm{mod}}}n}}}. \end{aligned}$$

Then \(\sum _{z}\delta _z=0\). We also consider the coefficient of \(x^{1+2^v+\cdots +2^{[yv]_{{{\mathrm{mod}}}n}}}\) in \({{\mathrm{tr}}}(\beta w_{y+1}(x))\). This term appears in \({{\mathrm{tr}}}(\beta x^{2^{w}+2^{[w+v]_{{{\mathrm{mod}}}n}}+\cdots +2^{[w+yv]_{{{\mathrm{mod}}}n}}})\) with coefficient \(\beta ^{2^{n-w}}\), where w can be zero and all elements except the first row in the above set. Thus

$$\begin{aligned} \beta +\sum _{z}\delta _z=0. \end{aligned}$$

Again we have \(\beta =0\) and get a contradiction.

If \(m=0\), then \(y=k\) and \(\{i_0, i_1, \ldots , i_k\}=\{0, v, \ldots , [kv]_{{{\mathrm{mod}}}n}\}\). First we can get (9) by the fact that the coefficient of x in \({{\mathrm{tr}}}(\beta w_1(x))\) is zero. Then we consider the coefficient of \(x^{1+2^v}\) in \({{\mathrm{tr}}}(\beta w_2(x))\). This term appears in \({{\mathrm{tr}}}(x^{2^{[jv]_{{{\mathrm{mod}}}n}}+2^{[(j+1)v]_{{{\mathrm{mod}}}n}}})\) for \(0\le j\le k-1\), each with coefficient \(\delta _j=\beta ^{2^{n-[jv]_{{{\mathrm{mod}}}n}}}\). Then \(\sum _{j=0}^{k-1}\delta _j=0\). Together with (9), we have \(\beta ^{2^{n-[kv]_{{{\mathrm{mod}}}n}}}=0\). Hence \(\beta =0\), which is a contradiction. The proof is complete. \(\square \)