The shrinking generator consists of two LFSRs over $GF(2)$: an LFSR $a = (a(0), a(1), \ldots)$ and a second one, called the selector, $s = (s(0), s(1), \ldots)$. The output of the generator is the $x$-sequence, a "shrunken" version of the $a$-sequence in the sense that the element $a(i)$ is included in the $x$-sequence if $s(i) = 1$ and is discarded otherwise. In other (more formal) words:
$$x(k) := a(i_k),$$
where $i_k$ denotes the position of the $k$-th 1 in the selector sequence $s$. The
shrinking generator is easy to implement and has, as we will see, good statistical properties. First, we will investigate the period and the linear complexity of the $x$-sequence. Let $T_a$, resp. $|a|$, denote the period, resp. the length, of the LFSR $a$ (and analogously for $s$ and $x$).
Theorem 5.2. If $a$ and $s$ have primitive characteristic polynomials and if $T_a$ and $T_s$ are relatively prime, then
$$T_x = (2^{|a|} - 1)\, 2^{|s|-1}.$$
Proof: W.l.o.g. we may assume that
$$|a| > \log_2 |s|. \qquad (5.4)$$
Since the $s$-sequence has (due to the primitivity of its characteristic polynomial) $2^{|s|-1}$ elements equal to 1 in a full period, one observes that
$$x(i + j\,2^{|s|-1}) = a(k_i + j\,T_s), \qquad (5.5)$$
where $k_i$ denotes the position of the $i$-th one in the $s$-sequence (the index written $i_k$ in the definition above). Furthermore, if for any indexes $k, k'$ we have that $a(k + jT_s) = a(k' + jT_s)$ for all $j$, then it follows that
$$T_a \mid k - k'. \qquad (5.6)$$
[Since the characteristic polynomial of $a$ is primitive and since $T_a$ and $T_s$ are relatively prime, it follows that the characteristic polynomial of the sequence $\{a(k + jT_s)\}_{j \ge 0}$ is also primitive, hence this sequence also has period $T_a$.]
Clearly, we have
$$T_x \mid T_a\, 2^{|s|-1}.$$
Since $x(i + j\,2^{|s|-1}) = x(i + T_x + j\,2^{|s|-1})$ for all $i$ and $j$, together with (5.5) and (5.6) we obtain that
$$T_a \mid k_{i+T_x} - k_i \qquad (5.7)$$
for all $i$. In other words, for every $i$ there exists a $j_i$ such that
$$k_{i+T_x} = k_i + j_i\, T_a. \qquad (5.8)$$
Replacing $i$ by $i+1$ in (5.8) yields
$$k_{i+1+T_x} = k_{i+1} + j_{i+1}\, T_a. \qquad (5.9)$$
Now we subtract (5.8) from (5.9), giving
$$k_{i+T_x+1} - k_{i+T_x} = k_{i+1} - k_i + (j_{i+1} - j_i)\, T_a \qquad (5.10)$$
for all $i$. Now $k_{i+T_x}$ and $k_{i+T_x+1}$ are positions of consecutive ones in the $s$-sequence, and so are $k_i$ and $k_{i+1}$. So if $j_{i+1} - j_i \ne 0$, we would have at least $T_a$ consecutive zeros somewhere in the $s$-sequence, which by assumption (5.4) has been ruled out (a maximal-length sequence of an LFSR of length $|s|$ contains at most $|s| - 1$ consecutive zeros, and $T_a = 2^{|a|} - 1 \ge |s|$ by (5.4)). So $j_{i+1} = j_i$, and hence by (5.10) the distances $k_{i+T_x+1} - k_{i+T_x}$ and $k_{i+1} - k_i$ agree for all $i$, which yields that the subsequences of $s$ starting at the elements $s(k_i)$, resp. $s(k_{i+T_x})$, are identical. This is only possible if $T_s \mid k_{i+T_x} - k_i$, hence the number of elements in the $s$-sequence between $s(k_i)$ and $s(k_{i+T_x})$ is a multiple of the period $2^{|s|} - 1$ of $s$. However, then the number of ones in this segment is a multiple of $2^{|s|-1}$. But on the other hand, this number is also $T_x$, so there exists a $t \in \mathbb{N}$ such that
$$T_x = t\, 2^{|s|-1}. \qquad (5.12)$$
Relation (5.5) implies
$$a(k_0) = x(0) = x(jT_x) = x(j\,t\,2^{|s|-1}) = a(k_0 + j\,t\,T_s) \qquad (5.13)$$
for all $j$. Thus $T_a \mid t\,T_s$ and hence (since $T_a$ and $T_s$ are supposed to be relatively prime) $T_a \mid t$, which, by (5.12), entails that $T_a\, 2^{|s|-1} \mid T_x$. $\square$
For the linear complexity $L$ of the $x$-sequence, we get the following estimate:
Theorem 5.3. Under the hypotheses of Theorem 5.2, we have
$$|a|\, 2^{|s|-2} < L \le |a|\, 2^{|s|-1}.$$
Proof: 1. Upper bound for $L$: In order to find an upper bound for $L$, we look for a polynomial $p(\cdot)$ such that (by a little abuse of notation) $p(x) = 0$ for all possible outcomes of the sequence $x$; i.e., the coefficients of $p(z) = \sum_{i=0}^{n} c_i z^i$ represent the linear relation $\sum_{i=0}^{n} c_i x_i = 0$ satisfied by the elements of the $x$-sequence. Let $x[s]$ denote the sequence $\{x(j\,2^{|s|-1})\}_{j \ge 0}$. From (5.5), the elements of this sequence are all of the form $a(i + jT_s)$. By the hypothesis that $T_a$ and $T_s$ are relatively prime, the sequence just described must have the same linear complexity as the original $a$-sequence, so it has to satisfy a polynomial equation $Q(\cdot) = 0$ of degree $|a|$. But then also the sequence $x[s]$ has to satisfy this equation, i.e., $Q(x[s]) = 0$ (with a little abuse of notation). Now define $P(z) := Q(z^{2^{|s|-1}})$. The polynomial $P$ satisfies $P(x) = 0$ and has degree $|a|\, 2^{|s|-1}$, which is an upper bound for $L$.
2. Lower bound: Denote by $M(z)$ the minimal polynomial of the sequence $x$. Since $Q(x[s]) = 0$, it follows that $M(z)$ is a divisor of the polynomial
$$P(z) = Q(z^{2^{|s|-1}}) = Q(z)^{2^{|s|-1}}$$
(the last equality holds because we work over $GF(2)$), hence $M(z) = Q(z)^t$ for some $t \le 2^{|s|-1}$. Now assume that the lower bound asserted in Theorem 5.3 is not true and let $t \le 2^{|s|-2}$. Then $M(z)$ divides $Q(z)^{2^{|s|-2}}$. Since $Q(z)$ is an irreducible polynomial of degree $|a|$, it divides the polynomial $1 + z^{T_a}$, so it follows that the polynomial $M(z)$ divides the polynomial
$$(1 + z^{T_a})^{2^{|s|-2}} = 1 + z^{T_a 2^{|s|-2}},$$
which entails that the period of the $x$-sequence can be at most $T_a\, 2^{|s|-2}$. But this is a contradiction to Theorem 5.2, hence we must indeed have $t > 2^{|s|-2}$. $\square$
The next theorem, which we state without proof, gives statistical properties of the shrinking generator. The general assertion is that the distribution of the output sequence of a shrinking generator is "near" to the distribution of a genuine unbiased random sequence in the following sense:
Theorem 5.4. Consider a shrinking generator as above. Denote by $U$ a genuine unbiased random sequence of length $n$. Let $b \in \{0, 1, *\}^n$ be any template. Then
$$\bigl|E(\mathrm{template}_b(X(n))) - E(\mathrm{template}_b(U))\bigr| = O\!\left(\frac{n}{2^{|a|}}\right).$$
Furthermore, assume $x^{(1)}$ and $x^{(2)}$ are two elements of the $x$-sequence with distance $\delta$. Then the correlation between $x^{(1)}$ and $x^{(2)}$ is bounded by $O(\delta / 2^{|a|})$. (See Coppersmith et al. (1994), Theorem 13 and Corollary 14.)
A concept related to the shrinking generator is the so-called self-shrinking generator. There, one works with only one LFSR and consecutive (non-overlapping) pairs of its output bits. If the first bit of the pair is a 1, then the second bit of the pair is included in the $x$-sequence (output) of the self-shrinking generator, otherwise the pair is discarded. For more information about the self-shrinking generator see Meier, Staffelbach (1995) and Blackburn (1999). In the latter paper, the maximum linear complexity conjectured by Meier and Staffelbach (1995) is proven.
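To make the definition of the shrinking generator, Theorems 5.2 and 5.3, and the self-shrinking generator of the last paragraph concrete, here is an added example in Python (our own code, not from the textbook or from the papers it cites). It builds the shrinking generator from the LFSRs $a$ (characteristic polynomial $z^3 + z + 1$, $T_a = 7$) and $s$ ($z^4 + z + 1$, $T_s = 15$), both primitive with relatively prime periods, checks by brute force that the output period is $(2^3 - 1)\,2^3 = 56$ as Theorem 5.2 predicts, and computes the linear complexity with the Berlekamp-Massey algorithm to confirm $12 < L \le 24$ as in Theorem 5.3. The same LFSR code then feeds the self-shrinking generator. The choice of polynomials and initial fills, the brute-force period search and the use of Berlekamp-Massey for $L$ are our assumptions; the book prescribes none of them.

```python
# Added example (not from the textbook): shrinking and self-shrinking generators
# built from small LFSRs over GF(2), with brute-force checks of the period
# (Theorem 5.2) and of the linear-complexity bounds (Theorem 5.3).  The
# polynomials z^3+z+1 and z^4+z+1 are our own choice (both primitive), and the
# Berlekamp-Massey routine is our way of computing L; the book uses neither.
from itertools import islice
from math import gcd


def lfsr(taps, state):
    """Infinite output of the LFSR with characteristic polynomial
    z^n + sum(z^k for k in taps), n = len(state).  The recurrence is
    a(i+n) = XOR of a(i+k) for k in taps; the stream begins with the fill."""
    state = list(state)
    assert any(state), "an all-zero fill only produces zeros"
    while True:
        yield state[0]
        new = 0
        for k in taps:
            new ^= state[k]
        state = state[1:] + [new]


def shrink(a_bits, s_bits):
    """Shrinking generator: a(i) is kept exactly when the selector bit s(i) is 1."""
    for a_i, s_i in zip(a_bits, s_bits):
        if s_i:
            yield a_i


def self_shrink(bits):
    """Self-shrinking generator: for each non-overlapping pair (b1, b2) of the
    LFSR output, emit b2 if b1 == 1, otherwise discard the pair."""
    it = iter(bits)
    for first, second in zip(it, it):
        if first:
            yield second


def period(seq, bound):
    """Smallest p <= bound with seq[i] == seq[i+p] on the whole prefix.  Correct
    for a purely periodic sequence of period <= bound when the prefix is at
    least 2*bound long (callers pass 4*bound); returns None otherwise."""
    for p in range(1, bound + 1):
        if all(seq[i] == seq[i + p] for i in range(len(seq) - p)):
            return p
    return None


def linear_complexity(bits):
    """Berlekamp-Massey over GF(2): length of the shortest LFSR generating bits."""
    n = len(bits)
    c, b = [0] * n, [0] * n          # current / previous connection polynomial
    c[0] = b[0] = 1
    L, m = 0, -1                     # current complexity, index of last change
    for i in range(n):
        d = bits[i]                  # discrepancy between prediction and bit i
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t = c[:]
            for j in range(n - i + m):
                c[j + i - m] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L


def check_shrinking(a_taps, a_state, s_taps, s_state):
    """For primitive polynomials with gcd(T_a, T_s) = 1, return
    (T_x, L, T_x predicted by Theorem 5.2, lower and upper bound of Theorem 5.3)."""
    na, ns = len(a_state), len(s_state)
    Ta, Ts = 2 ** na - 1, 2 ** ns - 1
    assert gcd(Ta, Ts) == 1, "Theorem 5.2 needs T_a and T_s relatively prime"
    predicted = Ta * 2 ** (ns - 1)
    x = list(islice(shrink(lfsr(a_taps, a_state), lfsr(s_taps, s_state)),
                    4 * predicted))
    return (period(x, predicted), linear_complexity(x),
            predicted, na * 2 ** (ns - 2), na * 2 ** (ns - 1))


def check_self_shrinking(taps, state):
    """Return (period, linear complexity) of the self-shrinking generator.  Over
    one period of bit pairs (2^n - 1 pairs, i.e. two LFSR periods) every LFSR
    position is a first bit exactly once, so 2^(n-1) bits are emitted and the
    output period divides 2^(n-1); that is the search bound used here."""
    bound = 2 ** (len(state) - 1)
    x = list(islice(self_shrink(lfsr(taps, state)), 4 * bound))
    return period(x, bound), linear_complexity(x)


if __name__ == "__main__":
    # a: z^3 + z + 1 (T_a = 7), s: z^4 + z + 1 (T_s = 15); gcd(7, 15) = 1.
    Tx, L, pred, lo, hi = check_shrinking((0, 1), (1, 0, 0), (0, 1), (1, 0, 0, 0))
    print(f"shrinking: T_x = {Tx} (Theorem 5.2: {pred}), L = {L}, {lo} < L <= {hi}")
    print("self-shrinking z^4+z+1 (period, L):", check_self_shrinking((0, 1), (1, 0, 0, 0)))
```

Run as a script it prints the measured period and linear complexity of both generators. `check_shrinking` asserts the coprimality hypothesis of Theorem 5.2, so a pair of LFSRs whose periods share a factor is rejected instead of being compared against a formula that does not apply to it; the proof of Theorem 5.3 also explains why the measured $L$ is a multiple of $|a|$, since the minimal polynomial is a power $Q(z)^t$ of a degree-$|a|$ polynomial.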