Research Status of Nonlinear Feedback Shift Register Based on Semi-Tensor Product

Abstract

Nonlinear feedback shift registers (NFSRs) are the main components of stream ciphers and convolutional decoders. Recent years have seen an increase in the requirement for information security, which has sparked NFSR research. However, the NFSR study is very imperfect as a result of the lack of appropriate mathematical tools. Many scholars have discovered in recent years that the introduction of semi-tensor products (STP) of matrices can overcome this issue because STP can convert the NFSR into a quasi-linear form. As a result of STP, new NFSR research has emerged from a different angle. In view of this, in order to generalize the latest achievements of NFSRs based on STP and provide some directions for future development, the research results are summarized and sorted out, broadly including the modeling of NFSRs, the analysis of the structure of NFSRs, and the study of the properties of NFSRs.

1. Introduction

As the information age has progressed, the nation, society, and people have become more concerned with information security, and cryptography has emerged as a key tool for doing so. Symmetric and asymmetric cryptosystems are the two basic types of cryptography used today. Block ciphers and stream ciphers are examples of symmetric cryptosystems. Due to its benefits for quick encryption and decryption, easy hardware implementation, minimal error propagation, and simple application protocol, stream cipher is frequently employed in vital departments and various mobile communication systems for confidential communication. The feedback shift register (FSR) is a primary structural component of stream cipher.

FSR, as a finite state automaton that can be represented by difference equations of a set of Boolean functions, in addition to its application in stream ciphers, is also widely used in communication systems, digital circuits and other fields [1,2,3]. The research of FSRs has a history of more than 50 years. In 1967, the famous scholar Golomb [4] introduced the fundamental characteristics of FSRs and the generation mechanism of the shift sequences, and these two concepts serve as the foundation for FSR study today. Different from linear FSR (LFSR), nonlinear FSR (NFSR) has received more attention due to its higher level of security. In stream ciphers, NFSR, as a generator of pseudo-random sequences, has been researched by numerous scholars. Especially after the European eSTREAM project, many NFSR-based stream cipher algorithms emerged, such as the hardware finalists Grain [5], Trivium [6], and Mickey [7]. In convolutional codes, NFSR is the main building block of decoding algorithms such as threshold decoding [8,9]. In the threshold decoding algorithm, the syndrome sequence formed by the received information symbols and the received supervisory symbols is used as the input of the NFSR, and the output of the NFSR is used as the error estimation, so that the correct information symbols can be obtained.

Over the years, NFSRs have received extensive attention due to their wide range of application scenarios. According to the structure, NFSRs can be divided into Fibonacci NFSRs [10,11], Galois NFSRs [11,12], Grain-like cascade NFSRs [13,14], Trivium-like cascade NFSRs [15,16] and so on. According to whether there is input, NFSRs can be divided into autonomous NFSRs and non-autonomous NFSRs. According to the research problems, in addition to stream cipher algorithm designs [17,18,19,20,21] and attacks [22,23], the theoretical study can be summarized into three parts: (1) equivalence and decomposition [24,25,26], irreducible NFSRs [27,28] and affine sub-families [14,29]; (2) nonsingularity [10,30,31]; (3) period [32,33,34] and de Bruijn sequences [35,36,37,38] and so on. However, due to the lack of suitable mathematical means, the research on NFSR still has a long way to go.

In order to break the limitation of the dimension of the traditional matrix product, Cheng et al. [39,40] proposed a new matrix product—the semi-tensor product (STP), which allows the multiplication of two matrices of any dimension. There are numerous significant applications in this field, including the original Boolean network (BN) [41,42,43,44,45,46,47], game theory [48,49,50], multi-agent synchronization and queue control [51,52], finite automata [53,54,55,56,57], fault diagnosis and digital circuit design [58,59], and even network query and teleoperation [60], internal combustion engine [61], intelligent Home [62] and other engineering problems [63]. STP helps to solve many challenging issues in various fields. Professor Guo [64] of the Chinese Academy of Sciences gave a high evaluation of STP, saying that “the STP may become one of the new mathematical tools called for in the computer age to realize the purpose of discovering new phenomena and solving new problems based on calculation”.

Fortunately, in recent years, many scholars have discovered that STP can also be used to model and study NFSRs fairly efficiently. Because NFSRs and BNs are both composed of finite Boolean functions and finite states, this motivates many scholars to use STP to model NFSR into a quasi-linear form similar to BN, and this quasi-linear form will help to simplify many research problems. From this idea, many significant results were born. These results are more novel than previous conclusions and are very helpful for the design of practical stream cipher algorithms and decoding algorithms. According to the specific research object, the main achievements can be roughly divided into the modeling of NFSRs [65,66,67], the analysis of the structure of NFSRs [68,69,70,71,72,73,74,75,76,77,78,79,80,81], and the study of the properties of NFSRs [82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97]. This paper will give an overview of the latest achievements in NFSR research based on STP from these three aspects.

The content of this paper is organized as follows: First, the definition and properties of STP are introduced, and several types of NFSR are briefly introduced. Then, the latest results in NFSR research based on STP are introduced, mainly including modeling problems, structural problems, properties and relevant criteria. Finally, a prospect and a summary of this paper are given.

2. Preliminaries

This section provides some notations, the definition and some properties of the STP. First of all, some notations used in this paper are listed as follows:

• ${\mathbb{R}}^{m\times n}$: set of real matrices of dimension $m\times n$.
• ${\mathbb{F}}_2$: Galois field of two elements.
• ${\mathbb{F}}_2^n$: set of all n-dimension vectors over ${\mathbb{F}}_2$.
• $I_n$: identity matrix of dimension n.
• ${\delta }_n^i$: the ith column of the identity matrix $I_n$.
• ${\Delta }_2:=\left\{{\delta }_2^i\right|i=1,2\}$.
• ${\Delta }_2^n$: set of all n-dimension vectors over ${\Delta }_p$.
• ${\mathcal{L}}_{n\times r}$: set of $n\times r$ logical matrices satisfying $Col\left(L\right)\subseteq {\Delta }_n$. For $L\in {\mathcal{L}}_{n\times r}$, write $L=[{\delta }_n^{i_1}{\delta }_n^{i_2}\cdots {\delta }_n^{i_r}]$ or $L={\delta }_n[i_1{i}_2\cdots i_r]$ for simplicity.
• $Co{l}_i\left(M\right)$: the i-th column of matrix M.
• $Ro{w}_i\left(M\right)$: the i-th row of matrix M.
• $M_{(i,j)}$: the element on the i-th row, j-th column of matrix M.
• $\lceil s\rceil$: the largest integer less than s.
• $\left|M\right|$: the determinant of matrix M.
• $ord\left(M\right)$: the order of matrix M.
• $W_{[m,n]}$: swap matrix, where $W_{[m,n]}=[{\delta }_n^1{\delta }_m^1,{\delta }_n^2{\delta }_m^1,\cdots ,{\delta }_n^n{\delta }_m^1,\cdots ,{\delta }_n^1{\delta }_m^m,{\delta }_n^2{\delta }_m^m,\cdots ,{\delta }_n^n{\delta }_m^m]$.

Definition 1

([98]). Let $A\in {\mathbb{R}}^{m\times n}$, $B\in {\mathbb{R}}^{p\times q}$, the Kronecker product of matrices A and B is defined as

$$A\otimes B=\left[\begin{array}{cccc}{A}_{(1,1)}B& A_{(1,2)}B& \cdots & A_{(1,n)}B\\ A_{(2,1)}B& A_{(2,2)}B& \cdots & A_{(2,n)}B\\ ⋮& ⋮& \ddots & ⋮\\ A_{(m,1)}B& A_{(m,2)}B& \cdots & A_{(m,n)}B\end{array}\right].$$

Definition 2

([99]). Let $A\in {\mathbb{R}}^{m\times n}$ and $B\in {\mathbb{R}}^{p\times n}$. The Khatri–Rao product of matrices A and B is defined as an $mp\times n$ matrix, given by

$$A\ast B=[Co{l}_1\left(A\right)\otimes Co{l}_1\left(B\right)Co{l}_2\left(A\right)\otimes Co{l}_2\left(B\right)\cdots Co{l}_n\left(A\right)\otimes Co{l}_n\left(B\right)].$$

(1)

Definition 3

([39]). Let $A\in {\mathbb{R}}^{m\times n}$, $B\in {\mathbb{R}}^{p\times q}$. The STP of matrices A and B is defined as

$$A⋉B:=(A\otimes I_{s/n})(B\otimes I_{s/p}),$$

(2)

where s is the least common multiple of n and p.

Lemma 1

([39]). Any logical function $y=f(x_1,x_2,\cdots ,x_n)$ with Boolean variables $x_i\in {\Delta }_2$, $i=1,2,\cdots ,n$, can be expressed as a multi-linear form as

$$y=f(x_1,x_2,\cdots ,x_n)=M_f{x}_1{x}_2\cdots x_n,$$

(3)

where $y\in {\Delta }_2$, and $M_f\in {\mathcal{L}}_{2\times 2^n}$ is unique, called the structural matrix of f.

3. Research Status of NFSRs Based on STP

The invention of the STP has brought new vitality into the research of NFSRs. This section will focus on the research status on applying STP to NFSRs.

3.1. Modeling Problems for NFSRs

This section will introduce several types of NFSRs and their algebraic forms established by STP. Identify 1 and 0 as ${\delta }_2^1\in {\Delta }_2$ and ${\delta }_2^2\in {\Delta }_2$, respectively. In the sequel, we say a variable $X\in {\mathbb{F}}_2$ is in a scalar form, and call the corresponding variable $x\in {\Delta }_2$ is in a vector form. Without loss of generality, we usually omit “⋉" in the following for simplicity.

3.1.1. Fibonacci NFSRs

Fibonacci NFSR is often adopted to design stream ciphers [19,21]. An n-stage Fibonacci NFSR can be expressed as:

$$\left\{\begin{array}{c}{X}_1(t+1)=X_2\left(t\right),\hfill \\ X_2(t+1)=X_3\left(t\right),\hfill \\ ⋮\hfill \\ X_{n-1}(t+1)=X_n\left(t\right),\hfill \\ X_n(t+1)=f(X_1\left(t\right),X_2\left(t\right),\cdots ,X_n\left(t\right)).\hfill \end{array}\right.$$

(4)

where the content of bit i is denoted as $X_i\left(t\right)$, $i=1,2,\cdots ,n$. The state of the NFSR at time t is denoted by $X\left(t\right)=[X_1\left(t\right)X_2\left(t\right)\cdots X_n\left(t\right)]$, and f is a nonlinear feedback function. Figure 1 represents an n-stage Fibonacci NFSR.

Using Lemma 1 and the vector forms, for $i=1,2,\cdots ,n$, there exists a structural matrix $L_i$ such that $x_i=L_{i}x\left(t\right)$, where $x\left(t\right)={⋉}_{k=1}^n{x}_k\left(t\right)\in {\Delta }_{2^n}$. Then, an equivalently linear form of Fibonacci NFSR [65] an be expressed as:

$$x(t+1)=Lx\left(t\right),$$

(5)

where $x\left(t\right)={⋉}_{k=1}^n{x}_k\left(t\right)\in {\Delta }_{2^n}$, and $L=L_1\ast L_2\ast \cdots \ast L_n\in {\mathcal{L}}_{2^n\times 2^n}$ is the state transition matrix of this NFSR.

More accurately, assume $[s_1,s_2,\cdots ,s_{2^n}]$ to be the truth table of f arranged in reverse alphabetical order and $L={\delta }_{2^n}[{\eta }_1\cdots {\eta }_{2^{n-1}}{\eta }_{2^{n-1}+1}\cdots {\eta }_{2^n}]$, then [66]

$$\left\{\begin{array}{c}{\eta }_i=2i-s_i,\hfill \\ {\eta }_{2^{n-1}+i}=2i-s_{2^{n-1}+i}\hfill \end{array}\right.$$

(6)

for all $i=1,2,\cdots ,2^{n-1}.$

3.1.2. Galois NFSRs

Compared to Fibonacci NFSRs, Galois NFSRs may decrease the propagation time and increase the throughput [25], so that they are employed in several stream cipher designs [100]. An n-stage Galois NFSR can be expressed as:

$$\left\{\begin{array}{c}{X}_1(t+1)=f_1(X_1\left(t\right),X_2\left(t\right),\cdots ,X_n\left(t\right)),\hfill \\ X_2(t+1)=f_2(X_1\left(t\right),X_2\left(t\right),\cdots ,X_n\left(t\right)),\hfill \\ ⋮\hfill \\ X_n(t+1)=f_n(X_1\left(t\right),X_2\left(t\right),\cdots ,X_n\left(t\right)).\hfill \end{array}\right.$$

(7)

where $f_i$ are nonlinear feedback functions, $i=1,2,\cdots ,n$.

The Galois NFSR can also be equivalently expressed as a linear form using STP:

$$x(t+1)=Lx\left(t\right),$$

(8)

where $x\left(t\right)={⋉}_{i=1}^n{x}_i\left(t\right)\in {\Delta }_{2^n}$, and $L\in {\mathcal{L}}_{2^n\times 2^n}$ is called the state transition matrix of the Galois NFSR. Figure 2 represents an n-stage Galois NFSR.

3.1.3. Grain-Like Cascade NFSRs

In a Grain-like cascade FSR, one LFSR is used to control another NFSR (see Figure 3). Let $[X_1\left(t\right)\cdots X_n\left(t\right)Y_1\left(t\right)\cdots Y_m\left(t\right)]$ represents the state of the Grain-like cascade NFSR. Then they have the following relation:

$$\left\{\begin{array}{c}{Y}_1(t+1)=Y_2\left(t\right),\hfill \\ ⋮\hfill \\ Y_{m-1}\left(t\right)=Y_m\left(t\right),\hfill \\ Y_m(t+1)=g(Y_1\left(t\right),\cdots ,Y_m\left(t\right)),\hfill \\ X_1(t+1)=X_2\left(t\right),\hfill \\ ⋮\hfill \\ X_{n-1}(t+1)=X_n\left(t\right),\hfill \\ X_n(t+1)=f(X_1\left(t\right),X_2\left(t\right),\cdots ,X_n\left(t\right))\oplus Y_1\left(t\right).\hfill \end{array}\right.$$

(9)

Using Lemma 1, the multi-linear form of (9) can be obtained [86]:

$$\left\{\begin{array}{c}y(t+1)=L_{1}y\left(t\right),\hfill \\ x(t+1)=L_2{y}_1\left(t\right)x\left(t\right).\hfill \end{array}\right.$$

(10)

Figure 3 represents an n-stage Fibonacci NFSR. In general, a Grain-like cascade NFSR can be considered as an NFSR with input, where the output of the LFSR is used as input of the NFSR. From this idea, the algebraic form (9) can be reduced to

$$x(t+1)=L_{u}x\left(t\right)u\left(t\right),$$

(11)

where $x\left(t\right)\in {\Delta }_{2^n}$ is the state at time instant t, $u\left(t\right)\in {\Delta }_2$ is the input at time instant t. More precisely, assume $[s_1,s_2,\cdots ,s_{2^{n+1}}]$ to be the truth table of f arranged in the reverse alphabet order and $L={\delta }_{2^n}[{\eta }_1\cdots {\eta }_{2^n}{\eta }_{2^n+1}\cdots {\eta }_{2^{n+1}}]$, then [68]

$$\left\{\begin{array}{c}{\eta }_i=2\lceil i\rceil -s_i,\hfill \\ {\eta }_{2^n+i}=2\lceil i\rceil -s_{2^n+i}\hfill \end{array}\right.$$

(12)

for all $i=1,2,\cdots ,2^n.$

3.1.4. Multi-Valued NFSRs

It can be seen that the NFSRs introduced above are all binary, but in practical applications, in order to consider software implementation, some studies are based on multi-valued NFSRs. Consider a k-valued Fibonacci NFSR, whose form is the same as (4), except that the value of $X_i$ is from 0 to $k-1$ instead of {0,1}. Denote $L={\delta }_{k^n}[{\eta }_1{\eta }_2\cdots {\eta }_{k^n}]$ be the state transition matrix of this NFSR, then [67]

$${\eta }_m=\{\left[(m-1)mod{k}^{n-1}\right]+1\}k-s_m,m=1,2,\cdots ,k^n.$$

(13)

Similarly, other types of NFSRs can also be correspondingly extended to multi-valued NFSRs, which will not be repeated here.

3.2. Structural Problems of NFSRs

This section will introduce some researches about structural problems of NFSRs that are studied by applying STP, including the equivalence, isomorphism, decomposition and period of NFSRs. In-depth study of the structural problems of NFSR can aid in the creation of stream cipher algorithms that are both more effective and safe.

3.2.1. The Equivalence Transition between Galois NFSRs and Fibonacci NFSRs

In Section 3.1, we introduced the structure of Galois NFSRs and Fibonacci NFSRs. Since both types have their own advantages and disadvantages, such as the period of output sequences in Fibonacci NFSR being equal to that of state sequences and Galois NFSR has higher speed of output sequences generation [25], it is necessary to study the equivalence of the two. If a Galois NFSR is euivalent to a Fibonacci NFSR, then this special Galois NFSR can have the advantages of Fibonacci NFSR in addition to its own advantages.

(1) Equivalence

Definition 4

([101]). Two NFSRs are equivalent if the sets of their output sequences are the same.

There are several studies on equivalence condition of Galois NFSR and Fibonacci NFSR using STP [74] was disclosed therein that if a Galois NFSR is equivalent to a Fibonacci NFSR, then its stage number is no less than that of the Fibonacci NFSR. The number of n-stage Galois NFSRs that are equivalent to a given n-stage Fibonacci NFSR is ${(2^{n-1}!)}^2$. The literature [75,76] gave a series of necessary and sufficient conditions for equivalence from the perspective of observability matrix and output tuple, respectively.

In addition, there are also some special cases of equivalence that have been studied. An n-stage $\tau$-terminal-bit Galois NFSR is equivalent to an n-stage Fibonacci NFSR when the feedback functions of the Galois NFSR satisfy certain conditions. If the output sequence set of an n-stage Fibonacci NFSR equal to its complementary set, then there are $2\times {(2^{n-1}!)}^2$ Galois NFSRs are equivalent to this Fibonacci NFSR. For details, see [73].

A property closely related to equivalence is isomorphism. Two NFSRs are said to be isomorphic if their state diagrams are isomorphic. Two state diagrams $G=(V,A)$ and $\overline{G}=(\overline{V},\overline{A})$ are isomorphic means that there exists a bijection mapping $\varphi :V\to \overline{V}$ such that for any edge $E\in A$ from state X to Y, there exists an edge $\overline{E}\in \overline{A}$ from $\varphi \left(X\right)$ to $\varphi \left(Y\right)$. About the relationship between isomorphism and equivalence, if an n-stage Fibonacci NFSR and an n-stage Galois NFSR are equivalent, then their state transition diagrams are isomorphic [70]. In more depth, the literature [73] explored the conditions that the feedback functions need to satisfy to make two NFSRs achieve anti-isomorphism, dual isomorphism and dual anti-isomorphism, respectively.

(2) Weak equivalence

Weak equivalence is a relation weaker than equivalence.

Definition 5

([80]). Fibonacci NFSR (5) is said to be weakly equivalent to Galois NFSR (8) if for any output sequence, denoted by $\mathcal{Y}$ of Fibonacci NFSR (5), there always exists an initial state denoted by z, such that the output sequence of Galois NFSR (8) with initial state z is the same as $\mathcal{Y}$.

According to the definition of weak equivalence, (5) is weakly equivalent to (8) if the set of output sequences of (5) is a subset of that of (8). If Fibonacci NFSR (5) is weakly equivalent to Galois NFSR (8), then (5) is also equivalent to (8). Conversely, if Galois NFSR (8) is weakly equivalent to Fibonacci NFSR (5), then (8) is not necessarily equivalent to (5). Moreover [80], pointed out that given any n-stage Fibonacci NFSR, their method can construct $\left(2^{n-1}\right){!}^2-1$ weakly equivalent n-stage Galois NFSRs, and conversely, given any n-stage Galois NFSR, it is possible to construct a weakly equivalent m-stage Fibonacci NFSR where $m<n$.

3.2.2. The Equivalence and Decomposition between Cascade NFSRs

Stream cipher design can benefit from examining the features of two equivalent cascade NFSRs, for example, to choose a better NFSR based on its quality metrics [69] showed that for any given cascade connection of an m-stage NFSR1 into an n-stage NFSR2, there exists only another one equivalent cascade connection of an m-stage NFSR3 into an n-stage NFSR4.

Decomposability and equivalence go hand in hand for cascaded NFSR. An NFSR is said to be decomposable if it is equivalent to a cascade connection of to NFSRs. By multiplying the state transition matrix by the permutation matrix, Zhong and Lin [70] obtained a sufficient and necessary condition that a Fibonacci NFSR can be decomposed into a cascade NFSR.

3.2.3. Minimum Period and Maximum Period

Minimum period is a concept in Grain-like cascade NFSRs. In 2011, Hu and Gong [102] confirmed that the period of the sequence generated by a Grain-like cascade NFSR is a multiple of the period of the sequence generated by its LFSR if the initial state of the LFSR is nonzero, and meanwhile proposed an open question: for fixed feedback functions of an NFSR and an LFSR, determine whether the sequences generated by the NFSR in a Grain-like structure can achieve the minimum period, i.e., the period of the LFSR. This question has attracted some scholars to discuss. Zhong and Lin [68] converted this open question into a problem of solving an integer equation based on the framework of STP. They verified that for any given initial state of an n-stage NFSR and any given nonzero initial state of an m-stage LFSR, the probability that the sequence produced by the Grain-like cascade NFSR achieves the minimum period $2^m-1$ is very small, which is at most $2^{-n}$.

As for maximum period, the sequences with maximum period can keep more cryptographical security than other sequences. The NFSR which can generate sequences with maximum period is usually called full-length NFSR. Literature [66,71] revealed that an n-stage NFSR is a full-length NFSR if and only if the state transition matrix L in (5) satisfies $ord\left(L\right)=2^n$, and for an n-stage full-length NFSR, $\left|L\right|=-1$ holds. The full-length NFSRs can be constructed through the cycles joining algorithm [65], and this algorithm can construct $2^{2^{n-2}-1}$ different n-stage full-length NFSRs.

Other studies on cycles via STP include cycle reconstruction [78], cycle decomposition [82], etc.

For the convenience of readers, the relevant results are presented in

Table 1. The existing results on period of NFSRs based on STP.

Year	Literature	Innovation Points	Object
2014	[65]	cycles joining algorithm	maximum period
2015	[66,71]	$ord\left(L\right)=2^n$ iff the NFSR is full-length	maximum period
2015	[82]	multi-valued NFSRs	cycle decomposition
2018	[78]	NFSRs with single input	cycle reconstruction
2018	[68]	the probability to achieve minimum period $\le 2^{-n}$	minimum period

in the order of the year of publication of the mentioned literature.

3.3. Properties and Correlative Criteria of NFSRs

The property of NFSRs plays a crucial role in reflecting its performance. Studying the properties of NFSRs can provide reference for stream cipher designers. This subsection will introduce the research status of different properties of NFSRs in recent years.

3.3.1. Nonsingularity

Nonsingularity is a fundamental demand to guarantee that the NFSRs avoid generating equivalent keys in stream cipher designing. The definition of nonsingularity is as follows:

Definition 6

([103]). An NFSR is said to be nonsingular if its state transition diagram contains only cycles.

Lemma 2

([103]). An NFSR is nonsingular if and only if each state has only one successor and one predecessor.

Regarding nonsingularity, there are some classical theories, such as the proof in [4] that a binary NFSR is nonsingular if and only if its feedback function $f(x_1,x_2,\cdots ,x_n)=x_1\oplus f_0(x_2,\cdots ,x_n)$, where $f_0$ is independent of the variable $x_1$. However, the paper [82] pointed that this method cannot be applied directly with multi-valued NFSRs. Therefore [82], proposed another method to judge nonsingularity, that is, an n-stage k-valued NFSR is nonsingular if and only if $|M_i|\ne 0$, $i=1,2,\cdots ,k^{n-1}$, where $M_i\in {\mathcal{L}}_{k\times k}$ satisfying $L{W}_{[k,k]}\cdots W_{[k,k^{n-1}]}=[M_1{M}_2\cdots M_{k^{n-1}}]$ and L is the state transition matrix of the NFSR obtained by STP.

For Grain-like cascade NFSR (10), Lu et al. [86] regarded it as an NFSR with input (11) and put forward some sufficient conditions for nonsingularity, for example, NFSR (11) is nonsingular if $L_u=\left[L_{u1}{L}_{u2}\right]$ with $L_{u1}$ and $L_{u2}$ are both nonsingular. Lu also pointed that if in NFSR (11) $Col\left(L_u\right)\ne {\Delta }_{2^n}$, then this NFSR is singular. Meanwhile, some other properties of $L_u$ are also given in this paper.

3.3.2. Stability and Driven Stability

During the decoding process of convolutional codes, decoding errors may occur due to channel attacks and other reasons, and decoding errors may propagate to cause more decoding errors. To limit error propagation, Massey [104] found that stability as well as driven stability helps a lot in this regard. Stability is a concept in autonomous NFSRs, indicating that NFSR has a kind of “reconvergence" ability, which can make NFSRs with decoding error return to correct decoding. Driven stability is a property weaker than stability, defined in non-autonomous NFSRs with input. Driven stability only requires that the states which can be reached from the equilibrium point driven by input can achieve reconvergence.

Definition 7

([84]). An n-stage autonomous NFSR is globally stable to the equilibrium state 0 (${\delta }_{2^n}^{2^n}$), if for any state $X\in {\mathbb{F}}_2^n$ ($x\in {\Delta }_{2^n}$), there exists an integer $N>0$, such that $F^N\left(X\right)=0$ ($L^{N}x={\delta }_{2^n}^{2^n}$).

Definition 8

([85]). An n-stage NFSR with input is driven stable to the equilibrium state 0 (state ${\delta }_{2^n}^{2^n}$), if for every state X (state x) that can be reached from 0 (${\delta }_{2^n}^{2^n}$) by driving the NFSR with an input sequence, there exists a positive integer N such that $F^N\left(X\right)=0$ ($L^{N}x={\delta }_{2^n}^{2^n}$), where F and L are the state transition function and state transition matrix of the corresponding autonomous NFSR.

The stability of NFSRs can be evaluated by iteration of the state transition matrix L via STP [84].

Theorem 1

([84]). An n-stage Fibonacci NFSR (5) is globally stable if and only if there exists a positive integer $N⩽2^n-1$ such that each column of the matrix $L^N$ is equal to ${\delta }_{2^n}^{2^n}$.

In addition to this, there are several works that studied the stability in special cases based on STP. Gao et al. [78] researched the stability of NFSRs with periodic input, including limited length and unlimited length. Lu and his team [87] focused on the stability in the case where NFSR is monotonous, which is called reliable NFSR. Their method for constructing reliable FSRs indicated that the number of reliable FSRs is $\frac{2^{2^n-4}}{\Phi \left(n\right)}(n>5)$ times of that constructed by the previous method. The methods given in [91,92] can be applied to multi-valued NFSRs, and can construct stable NFSRs. Furthermore, the literature [93,95] addressed the stability issues of $(n,k)$ NFSR and Grain-like cascade NFSRs, respectively.

As for the driven stability, the researchers found that it is only necessary to examine whether the state that the equilibrium point can reach can achieve reconvergence, which is also the origin of the driven stability [104]. We can turn the driven stability question into whether the reachable set of the equilibrium point is a subset of the basin [85] provided algorithms for finding the reachable set and the basin using STP, which reduces the computational complexity of the previous algorithms.

For the convenience of readers, the relevant results are presented in

Table 2. The existing results on stability of NFSRs based on STP.

Year	Literature	Innovation Points	Object
2016	[84]	NFSRs, iteration method shown in Theorem 1	stability
2016	[85]	NFSRs, reduce the computational complexity	driven stability
2017	[93]	$(n,k)$ NFSRs	stability
2018	[78]	NFSRs with periodic input	stability
2019	[91,92]	multi-valued NFSRs, construct stable NFSRs	stability
2020	[95]	Grain-like cascade NFSRs	stability
2021	[87]	monotonous FSRs, construct reliable FSRs	stability

in the order of the year of publication of the literature. These results are helpful to the theoretical analysis of NFSRs, and have reference significance for the design of decoding algorithm.

3.3.3. Observability

Observability is a fundamental property in control theory which can ensure that any two distinct initial states can be uniquely determined by their outputs. That is, starting from two distinct initial states, the NFSR does not produce two identical outputs.

Definition 9.

(1) ([105]) Two initial states $x_0\ne x_0^{\prime }\in {\Delta }_{2^n}$ are said to be indistinguishable, if their corresponding output sequences are equal. Otherwise, the two distinct initial states are said to be distinguishable.

(2) An NFSR is said to be observable if every two distinct initial states are distinguishable.

In [76] the authors investigated the equivalence transformation between Galois NFSRs and Fibonacci NFSRs based on observability matrix based on STP. According to the definition of observability of sequence generators, the NFSR-based stream ciphers should avoid unobservable Galois NFSRs from the security viewpoint and select observable ones. In [90], the authors studied the observability of binary Galois NFSRs using a new observability matrix which is constructed by putting the output sequences generated by the initial states on the same branch and its concatenated cycles into a block via STP. Further, [97] researched the observability of multi-value Galois NFSRs and gave the relevant criterion using the state pair table method and the matrix method, respectively.

Theorem 2

([90]). Let ${\mathcal{N}}_k$ be the number of distinct columns of the observability matrix ${\mathcal{O}}_k$ of an n-stage Galois NFSR (8). Then (8) is observable if and only if ${\mathcal{N}}_{k+1}-{\mathcal{N}}_k⩾1$ for all positive integer k satisfying ${\mathcal{N}}_k<2^n$.

4. Summary and Prospect of NFSRs

With the help of STP, NFSR research is getting ever more complete and comprehensive, and the results on theoretical problems have significant reference value for the design of stream cipher algorithms and decoding algorithms. However, there are still many unresolved theoretical issues.

(1)

Reduce the computational complexity. Using STP to process these actual network models, the more network nodes, the higher the dimension of the system and the higher the computational performance requirements of the computer. How to reduce the computational complexity of the system is a big challenge in theoretical research of NFSR. At present, there are some methods to reduce computational complexity: approximation method [106], network aggregation method [107], logic matrix decomposition [108], pinning control [109], model order reduction [110] and block decoupling [111], etc. Based on these methods, it is a future research direction to continue to explore more effective methods to reduce computational complexity.

(2)

The existing related research is not perfect, and many issues have no exact result yet, such as the study of observability and driven stability in multi-valued NFSRs, the modeling of Trivium-like cascade NFSR and study of its related properties, the maximum and minimum period problems in multi-valued NFSRs. In addition, there are very few studies on non-autonomous NFSR, which can also provide a very valuable research idea to improve related research.

(3)

Explore more comprehensive theoretical issues of NFSRs, and provide theoretical support for the design of stream cipher algorithms and decoding algorithms. Thanks to the STP as a tool, many indicators can be easily studied. In addition to nonsingularity, observability, and stability, whether there are more indicators that can characterize the performance and security strength of NFSRs can also be used as follow-up research directions.

(4)

Based on the above theoretical analysis, it is the ultimate goal to give more effective stream cipher algorithms with higher security.

This paper reviews and summarizes the most recent developments in NFSR based on STP at this stage. The combination of STP and NFSR is still slowly maturing, and there are still a lot of problems to be solved. We believe this paper can provide researchers interested in STP and NFSR with a thinking direction.