Deciding Irreducibility/Indecomposability of Feedback Shift Registers is NP-hard

Feedback shift registers (FSRs) are a fundamental component in electronics and secure communication. An FSR $f$ is said to be reducible if all the output sequences of another FSR $g$ can also be generated by $f$ and the FSR $g$ has less memory than $f$. An FSR is said to be decomposable if it has the same set of output sequences as a cascade connection of two FSRs. It is proved that deciding whether FSRs are irreducible/indecomposable is NP-hard.


Introduction
Feedback shift registers (FSRs) are broadly used in spread spectrum radio, control engineering, and confidential digital communication. As a result, this subject has attracted comprehensive research over half a century. In particular, FSRs play a significant role in the stream cipher finalists of the eSTREAM project [1].
As shown in Figure 1, an $n$-stage FSR consists of $n$ bit registers $x_0, x_1, \ldots, x_{n-1}$ and an $n$-input feedback logic $f$. A vector $x \in \mathbb{F}_2^n$ is called a state of this FSR, and the values stored in the bit registers update themselves along with clock impulses as follows: and the mapping defined by Equation (1) is called the state transformation of this FSR. As the stage $n$ and the feedback logic $f$ uniquely determine the FSR, we denote the FSR in Figure 1 by $\mathrm{FSR}_n(f)$. Let $\mathrm{Seq}_n(f)$ denote the set of sequences generated by $\mathrm{FSR}_n(f)$, i.e., where $\mathbb{F}_2^\infty$ is the set of all binary sequences. The subscript $n$ in $\mathrm{FSR}_n(f)$ and $\mathrm{Seq}_n(f)$ is omitted if the stage $n$ is unambiguous or unnecessary in the context.
For $\mathrm{FSR}_n(f)$, if there exists $\mathrm{FSR}_m(g)$ such that $m < n$ and $\mathrm{Seq}(g) \subseteq \mathrm{Seq}(f)$, then $\mathrm{FSR}(f)$ is said to be reducible and $\mathrm{FSR}(g)$ is called a subFSR of $\mathrm{FSR}(f)$. Otherwise, $\mathrm{FSR}(f)$ is said to be irreducible. Informally, the subFSR $\mathrm{FSR}(g)$ of $\mathrm{FSR}(f)$ costs less memory than $\mathrm{FSR}(f)$, and the sequences generated by $\mathrm{FSR}(g)$ can also be generated by $\mathrm{FSR}(f)$. The finite state machine in Figure 2 is called the cascade connection of $\mathrm{FSR}_n(f)$ into $\mathrm{FSR}_m(g)$. The Grain family of ciphers uses the cascade connection of an LFSR into an NFSR [2], and such a cascade is called the Grain-like structure; the lightweight stream cipher LIZARD employs the cascade connection of two NFSRs [3]. Green and Dimond [4] defined the product FSR of $\mathrm{FSR}(f)$ and $\mathrm{FSR}(g)$, denoted by $\mathrm{FSR}(f) * \mathrm{FSR}(g)$, to be characterized by its feedback logic as follows (the product of FSRs is denoted by "." in [4] and by "$*$" in [5]; we follow the latter in order to avoid ambiguity with the period or conventional multiplication): and showed that $\mathrm{FSR}(f) * \mathrm{FSR}(g)$ generates exactly the same set of sequences as the device in Figure 2. Given any $\mathrm{FSR}(h)$, if there exist $\mathrm{FSR}(f)$ and $\mathrm{FSR}(g)$ satisfying $\mathrm{FSR}(h) = \mathrm{FSR}(f) * \mathrm{FSR}(g)$, then $\mathrm{FSR}(h)$ is said to be decomposable and $\mathrm{FSR}(f)$ (resp. $\mathrm{FSR}(g)$) is called its left (resp. right) $*$-factor [6]. Otherwise, $\mathrm{FSR}(h)$ is said to be indecomposable. It is known that decomposable FSRs outputting the zero sequence are also reducible [4].
It is appealing to decide whether an FSR is (ir)reducible or (in)decomposable for the following three reasons. First, it enables a new perspective on the analysis of stream ciphers. A reducible/decomposable FSR used unawares may undermine the claimed security of a stream cipher, e.g., by causing an inadequate period of the output sequences. Depending on the specific cipher, the divide-and-conquer method [7, 8] possibly decreases the cost of a brute-force attack on a product FSR $\mathrm{FSR}_n(f) * \mathrm{FSR}_m(g)$. Moreover, note that all sequences generated by $\mathrm{FSR}(g)$ are also generated by $\mathrm{FSR}(f) * \mathrm{FSR}(g)$ if $\mathrm{FSR}(f)$ outputs the zero sequence; and if, in this case, $\mathrm{FSR}(g)$ is in particular an LFSR, then $\mathrm{FSR}(f) * \mathrm{FSR}(g)$ generates a family of linear recurring sequences, vulnerable to the Berlekamp–Massey algorithm [9, 10]. Second, deciding (ir)reducibility/(in)decomposability applies to implementing FSRs efficiently. On the one hand, it costs less memory to replace an FSR with its large-stage subFSR (if there is one) while generating part of its output sequences. On the other hand, similar to the idea of Dubrova [11], implementing a decomposable FSR by its corresponding cascade connection as in Figure 2 possibly reduces the circuit depth of the feedback logics, in favor of less propagation time and higher data throughput. Third, an algorithm testing (ir)reducibility/(in)decomposability helps to design useful FSRs. Since the density of irreducible FSRs is lower-bounded by 0.4461 for $n \ge 6$ [12], a great number of irreducible NFSRs can be found if deciding the irreducibility of FSRs is feasible; a class of FSRs generating maximal-length sequences was also constructed based on the inherent structure of decomposable FSRs [5].
1.1. Our Contribution. This correspondence addresses the irreducibility and indecomposability of FSRs from the perspective of worst-case computational complexity. Instead of representing FSRs by the ANFs of their characteristic functions, we use Boolean circuits to characterize the feedback logics of FSRs and measure the size of an FSR by the number of gates in its corresponding Boolean circuit.

PROBLEM: FSR IRREDUCIBILITY
INSTANCE: An $\mathrm{FSR}(f)$ with its feedback logic $f$ given as a Boolean circuit of size $\mathrm{SIZE}(f)$.
QUESTION: Is $\mathrm{FSR}(f)$ irreducible?
NP is the class of all problems computed by polynomial-time nondeterministic Turing machines. A problem is NP-hard if it is at least as hard as all NP problems. This paper gives two polynomial-time computable algorithms transforming Boolean circuits to FSRs such that the input Boolean circuit is satisfiable if and only if the output FSR is, respectively, irreducible and indecomposable. Because the Boolean circuit satisfiability problem is NP-complete, the two transformations derive the main results of this paper: It is broadly believed that NP-hard problems cannot be solved by quantum algorithms in polynomial time [25], partially supported by some evidence [26]. Under this hypothesis, even a quantum computer cannot efficiently decide whether any given FSR is irreducible (or indecomposable). Additionally, infinitely many instances of FSRs are given to show that irreducible FSRs do not include all indecomposable FSRs and vice versa.

FIGURE 1: A feedback shift register with feedback logic $f$.

FIGURE 2: The cascade connection of $\mathrm{FSR}_n(f)$ into $\mathrm{FSR}_m(g)$.

IET Information Security
It is a hot topic to address security issues of FSRs and their cascade connections, and progress has been made in recent years. Until now it has been unknown how difficult deciding the irreducibility of FSRs is, and special algorithms were proposed to search for linear/affine subFSRs of NFSRs [13]. By Jiang and Lin [14], if $\mathrm{FSR}(h) = \mathrm{LFSR}_n(f) * \mathrm{FSR}_m(g)$, where $n \ge m$ and any nonzero $s \in \mathrm{Seq}(f)$ is of maximal period $2^n - 1$, then all affine subFSRs of $\mathrm{FSR}(h)$ are actually those of $\mathrm{FSR}(g)$. Whether an LFSR is indecomposable is completely determined by its characteristic polynomial [4, 6, 15]. In contrast, decomposing NFSRs seems much more challenging. Ma et al. [16] proposed a decomposing algorithm for NFSRs with a linear right $*$-factor using algebraic normal forms (ANFs) of Boolean functions, and Zhong and Lin [17] characterized several properties of the general cascade connection using the language of state transition matrices of Boolean networks. Noteworthily, Tian et al. [6] proposed a method to find nonlinear left and right $*$-factors of NFSRs, and their algorithm efficiently and successfully decomposed 80-stage NFSRs in their experiments. So far it remains open to determine the asymptotic computational complexity of the algorithm in [6]. Instead of considering general decomposition, a practical algorithm has been proposed to find $*$-factors for the special case $\mathrm{FSR}(h) = \mathrm{FSR}(g) * \mathrm{FSR}(g)$ [18]. Zhong and Lin [19] gave strong results on the uniqueness of the cascade decomposition $\mathrm{FSR}(f) * \mathrm{FSR}(g)$. Additionally, the periods of sequences generated by Grain-like structures are studied in [20–24].
1.3. Organization. The rest of this paper is organized as follows: in Section 2, we prepare facts and results for our main theorems. Section 2.1 fixes notation. Sections 2.2 and 2.3, respectively, present some basic facts on Boolean circuits and on cycles of FSRs. Section 2.4 includes some results on the cascade connection into $\mathrm{FSR}_1(x_0)$. In Section 2.5, we consider cycles and subFSRs of specific LFSRs. In Section 2.6, we use the cycle joining method to study subFSRs. Section 3 shows some relations between (ir)reducibility and (in)decomposability. The NP-hardness of FSR IRREDUCIBILITY and FSR INDECOMPOSABILITY is given in Sections 4 and 5, respectively. The last section is a summary.
Vectors are written in bold upright letters or digits. For $u \in \mathbb{F}_2^m$ and $k \le m$, let $\lceil u \rceil_k$ denote the most significant $k$ bits of $u$.
Let $\bar{b}$ denote the dual of a bit $b$, and this notation naturally extends to vectors, i.e., for
Using the reverse lexicographic order, we take a vector $u = (u_0, u_1, \ldots, u_{m-1})$ as the nonnegative integer $\sum_{i=0}^{m-1} 2^i u_i$. In this way,
Definition 1. For a Boolean logic $f(x_0, \ldots, x_{n-1})$, its associated logic is as follows:
Following from Definition 1, we have:
Theorem 3 (see [25], Lemma 6.10). The CIRCUIT SATISFIABILITY problem is NP-complete.
An FSR is completely characterized by its feedback logic. We use Boolean circuits to characterize the feedback logics of FSRs for the following two reasons. First, FSRs are mostly implemented in silicon chips, and the Boolean circuit is an abstract model of the feedback logics of FSRs in silicon chips [25]. Second, the Boolean circuit is a generalization of the Boolean formula [25]. For example, the Boolean function $f(x_1, x_2, \ldots, x_n) = \prod_{i=1}^{n} (x_i \oplus 1)$ can be implemented by a Boolean circuit with $2n - 1$ gates, while expressing it in ANF needs $2^n$ terms. Therefore, in this paper the size of an FSR is measured by the size of its feedback logic as a Boolean circuit.

Cycles of FSRs
Lemma 1 [27, 28]. The following three statements are equivalent: If any of the statements in Lemma 1 holds, $\mathrm{FSR}(f)$ is said to be nonsingular. In the sequel, we only refer to nonsingular FSRs.
For vectors $u = (u_0,$
Definition 2. (In this paper, cycles are written in bold italic letters while vectors are written in bold upright letters or digits.) [29] A $k$-cycle $c$ in $\mathbb{F}_2^n$ is a ring sequence of $k$ distinct $n$-bit vectors: such that $u_i$ precedes $u_{(i+1) \bmod k}$ for all $0 \le i < k$.
Cycles interpret the relation between FSRs and periodic binary sequences.
On the one hand, as in Figure 3, the first column lists the vectors $u_i$ in the cycle $c$; the second column shows the most significant bits of the $u_i$, representing a periodic sequence read downwards in the boxes. Thus, the cycle $c$ in Figure 3 is also written as the ring bit sequence: Two cycles represented by the same ring bit sequence are said to be equivalent, for they correspond to the same set of periodic sequences, which are equivalent by shifting.
Example 1. The following two cycles: correspond to the same ring bit sequence $[0, 1, 1]$ and are hence equivalent.
Without ambiguity in the context, we do not distinguish a cycle $c$ from its ring bit sequence. Whether $m = n$ or not, an $m$-bit vector $v$ occurring (contained) in the cycle of Equation (7) means that $v$ is $m$ consecutive bits in the ring bit sequence of Equation (8). Let $\mathrm{len}(c)$ denote the number of distinct vectors in the cycle $c$, i.e., the period of the binary sequence it represents.
On the other hand, if $\mathrm{FSR}_n(f)$, with its state transformation denoted by $F$, generates the periodic sequence of Equation (8), then , and this is denoted by $c \in \mathrm{FSR}(f)$. Actually, the cycle $c$ is an orbit of the permutation $F$ acting on $\mathbb{F}_2^n$. In Figure 3, the second column is the bit output by $\mathrm{FSR}(f)$ and the third column shows the sequences which $\mathrm{FSR}(f)$ generates from the initial states $u_i$. Since all the cycles of an FSR uniquely determine its state transformation and hence its feedback logic, we also use $\mathrm{FSR}(f)$ to denote the set of all cycles of this FSR.
Example 2. Let $c_1$ and $c_2$ be the cycles given in Example 1. Then Both $\mathrm{LFSR}(x^2 \oplus x \oplus 1)$ and $\mathrm{LFSR}(x^3 \oplus 1)$ output the sequence $(0, 1, 1)$ of period 3, and it is unambiguous to write $c_1 \in \mathrm{LFSR}(x^3 \oplus 1)$. As explained above, the cycles of a nonsingular FSR essentially characterize its periodic sequences, and the following statements
Since the state transformation of an $n$-stage FSR is a permutation on $\mathbb{F}_2^n$, all its cycles exhaust $\mathbb{F}_2^n$ once, and hence the lengths of its cycles sum to $2^n$.
FIGURE 3 (caption partly lost): … and its corresponding ring bit sequence.

which is contradictory to Lemma 1. Thus, $c \in \mathrm{FSR}_k(g)$ is not true. □
For a cycle $c$, let $\min_n(c)$ be the minimal $n$-bit vector occurring in $c$. Definition 3. Let $c_1$ and $c_2$ be two cycles in $\mathbb{F}_2^n$. If there exists an $n$-bit vector $u$ occurring in $c_1$ such that $\hat{u}$ occurs in $c_2$, then $c_1$ is said to be adjacent to $c_2$ (at $u$). If $c_1$ is adjacent to $c_2$ at $\min_n(c_1)$, then $c_1$ is said to be min-adjacent to $c_2$.
Proof. Let $c_1$ and $c_2$ be as in Lemma 5. Note that the proof of Lemma 5 also holds even if $c_1 = c_2$. If $\min_n(c) \notin \{0^n, 10^{n-1}\}$, then $\min_n(c_1) = \min_n(c_2) < \min\{u, \hat{u}\}$ does not hold, and we conclude that $c$ is not min-adjacent to itself.
Furthermore, suppose $\min_n(c) = 10^{n-1}$. Then $0^n$, the conjugate of $10^{n-1}$, is not contained in $c$. Thus, $c$ is not min-adjacent to itself. □
Lemma 6. Let $G$ be a directed graph defined as follows: the vertices of $G$ are the cycles of $\mathrm{FSR}_n(f)$, and an arc is incident from
Proof. By Corollary 1, the only cycle min-adjacent to itself has $0^n$ as its minimal $n$-bit vector. Hence, $G$, as defined above, is loopless. Now assume that $G$ is not acyclic. Then there is a cyclic walk of length $m > 1$ in $G$, i.e., there exist cycles $c_i$ such that $c_i$ is min-adjacent to $c_{(i+1) \bmod m}$ at $\min_n(c_i)$, $0 \le i < m$.
As $G$ is defined, we have $\min_n(c_i) \ne 0^n$ for any $0 \le i < m$. Additionally, we also have $\min_n(c_i) \ne 10^{n-1}$ for any $0 \le i < m$. Otherwise, if $\min_n(c_i) = 10^{n-1}$ for some $0 \le i < m$, then $\min_n(c_{(i+1) \bmod m}) = 0^n$ and $c_{(i+1) \bmod m}$ is hence a sink instead of a vertex in the cyclic walk. Thus, by Lemma 5: which does not hold. Therefore, $G$ has no cyclic walk in it. □
The cycle $c$ in Figure 3 is said to be even if Otherwise, $c$ is said to be odd [29]. For the cycle $c$ in Equation (7), let $\bar{c}$ denote the cycle $[\bar{u}_0, \bar{u}_1, \ldots, \bar{u}_{k-1}]$. A cycle $c$ is said to be self-dual if $c = \bar{c}$ [29]. The cycle $c$ in Equation (7) is said to be primitive if $c$ and $\bar{c}$ have no $n$-bit vector in common [29].
2.4. The D-Morphism. For any $0 < n \in \mathbb{Z}$, the D-morphism [29] is a mapping as below: Notice that if $u$ precedes $v$, then $D(u)$ also precedes $D(v)$. Hence, the D-morphism is also a natural mapping on cycles.
Lempel [29] gave the following results on the D-morphism.

Cycles and Properties of Certain LFSRs
In the rest of this paper, we use the following polynomials over $\mathbb{F}_2$: where $n$ is a power of 3. For simplicity, let $p_0^*$ denote the associated logic of the feedback logic of $\mathrm{LFSR}(p_0)$, i.e., $p_0^*(x_0, \ldots)$ In all that follows, $L_0$, $L_1$, and $L_2$, respectively, denote the state transformations of $\mathrm{LFSR}(p_0)$, $\mathrm{LFSR}(p_1)$, and $\mathrm{LFSR}(p_2)$ as in Equation (20).
Then the cycles of $\mathrm{LFSR}(p_0)$, $\mathrm{LFSR}(p \ldots)$ In the rest of this paper, let $B_{6n}$ denote the set of $6n$-cycles of $\mathrm{LFSR}(p_2)$.
In the rest of Section 2.5, we give some properties of $\mathrm{LFSR}(p_0)$ and $\mathrm{LFSR}(p_1)$ in Lemma 9, and study their subFSRs in Theorems 5 and 6.

□
It is well known that LFSRs with irreducible characteristic polynomials are also described using finite fields [15, Theorem 8.24]. Lemma 8. Let $p(x)$ be an irreducible polynomial of degree $n$ over $\mathbb{F}_2$, $\rho$ a root of $p(x)$ in the finite field $\mathbb{F}_{2^n}$, and $P$ the state transformation of $\mathrm{LFSR}(p)$. Then there exists a linear-space isomorphism $\phi$:

Proof. Let $\mathrm{Tr}$ be the trace function of $\mathbb{F}_{2^n}$ and define a linear homomorphism: Since $1, \rho, \ldots, \rho^{n-1}$ form a basis of $\mathbb{F}_{2^n}$ over $\mathbb{F}_2$, $\psi$ is an isomorphism of linear spaces. Let $\phi$ be the inverse of $\psi$; the rest of the proof is by direct computation similar to [15, Theorem 8.24].
To prove Theorem 6, we prepare Lemma 10 and Corollary 3 below.
Lemma 10. Let $p(x)$ be an irreducible polynomial of degree $n$ over $\mathbb{F}_2$, and $P$ the state transformation of $\mathrm{LFSR}(p)$. Then for any $u_0, u_n \in \mathbb{F}_2^n$, there exist $u_1, u_2, \ldots, u_{n-1}$ such that for any $0 \le i < n$, $u_{i+1} \in \{P(u_i), \overline{P(u_i)}\}$.
Proof. Due to the isomorphism $\phi$ in Lemma 8, we consider the counterparts of the $u_i$ in the finite field Using the commutative diagram in Lemma 8, for any $0 \le i < n$, we have:
Proof. See that $S \ne \mathbb{F}_2^n$ and choose any $u_0 \in S$ and $u_n \in \mathbb{F}_2^n \setminus S$. By Lemma 10, there exist $u_1, u_2, \ldots, u_{n-1}$ such that for any $0 \le i < n$, either $u_{i+1}$ or $\bar{u}_{i+1}$ is in the same cycle as $u_i$. Note that if $u_i \in S$ and $u_{i+1}$ is in the same cycle as $u_i$, then $u_{i+1} \in S$. Thus, there exists some $1 \le j \le n$ such that $u_j \notin S$ and $\bar{u}_j \in S$, implying $\{\bar{v} : v \in S\} \not\subseteq S$.

[Figure: All cycles of $\mathrm{LFSR}(p_1)$, with their contraction]
Assume $\mathrm{FSR}(h) \ne \mathrm{LFSR}(p_0)$. As shown in Figure 5, the cycles in $\mathrm{FSR}(h)$ are partitioned into $A$ and $\mathrm{FSR}(h) \setminus A$, and the cycles in $\mathrm{LFSR}(p_0)$ are partitioned into $A$ and $\mathrm{LFSR}(p_0)$ On the one hand, since a $2n$-stage FSR exhausts $\mathbb{F}_2^{2n}$ as its states: On the other hand, by the way $A$ is defined, we have: implying $\{\bar{v} : v \in S\} \subseteq S \cup S' = S$, i.e., $\{\bar{v} : v \in S\} \subseteq S$, contradictory to $\{\bar{v} : v \in S\} \not\subseteq S$ derived by Corollary 3.
Example 4. Let $\mathrm{FSR}_m(f)$ be nonsingular and $\Lambda = \{\min_m(c) \ne 0^m : c \in \mathrm{FSR}(f)\}$. Each cycle of $\mathrm{FSR}(f)$ has a unique minimal $m$-bit vector. Furthermore, by Lemma 6, the associated graph Hence, a subset of a potential set of $\mathrm{FSR}(g)$ is also potential for $\mathrm{FSR}(g)$. Theorem 8 is the key tool of this paper.
Theorem 8. Let $\mathrm{FSR}_m(g)$ be nonsingular, $\Lambda$ a potential set of $\mathrm{FSR}(g)$, $\lambda$ the characteristic function of $\Lambda$, and $f(x) = g(x) \oplus \lambda(x) \oplus \lambda(\hat{x})$. Then, the following statements hold: Then, the Boolean logic: is independent of the first coordinate $x_0$ of $x$. Thus, by Lemma 1, since $f(x)$ Algorithm 1 obtains the cycles of $\mathrm{FSR}(f)$ from those of $\mathrm{FSR}(g)$. □ Notice that the Boolean logic $f$ differs from $g$ only at the vectors in $\Lambda$ and their conjugates. We use the notation of Algorithm 1. On the one hand, the cycles of $\mathrm{FSR}(g)$ other than the $c_j$ ($0 \le j < \ell$) are isolated vertices in $G^\Lambda_g$, and are hence cycles both of $\mathrm{FSR}(g)$ and of $\mathrm{FSR}(f)$. On the other hand, Algorithm 1 shows that each cycle of $\mathrm{FSR}(f)$ with a state in $\{u : u \in \Lambda \text{ or } \hat{u} \in \Lambda\}$ is joined from at least two cycles of $\mathrm{FSR}(g)$. Specifically, those cycles in the set $G_i$, in the list $L_i$, or in $\mathrm{FSR}(g) \setminus \{c_0, c_1, \ldots, c_{\ell-1}\}$ are exactly the cycles of $\mathrm{FSR}(f_i)$, where the Boolean logic $f_i$ satisfies Equation (32). Notice that $u_i \in \Lambda$ occurs in $c_i$ and hence in $c_i^{(j)}$ for $0 \le j \le i$. In Lines 6–8, Algorithm 1 changes the valuation at $u_i$ in the cycle $c_i$ (also in $c_i^{(i)}$) and at its conjugate $\hat{u}_i$, and hence derives $f_{i+1}$ from $f_i$.
1: Let $G_0$ be an empty set.
2: $L_0 \leftarrow [c_0, c_1, \ldots, c_{\ell-1}]$ is a list of cycles in a topological ordering of $G^\Lambda_g$, where $L_0$ exhausts the cycles of $\mathrm{FSR}(g)$ with a state in $\{u : u \in \Lambda \text{ or } \hat{u} \in \Lambda\}$.
3:
Because $G^\Lambda_g$ is acyclic and each vertex has out-degree at most one, $G^\Lambda_g$ is a forest and each weakly connected component in it is a tree. Furthermore, due to the topological ordering, only cycle joining is used in Algorithm 1 and no cycle splitting occurs; and each vector in $\Lambda$ causes exactly one joining. Thus, $k$ cycles forming a tree in $G^\Lambda_g$ are connected by $k - 1$ arcs, and $k - 1$ joinings compose them into a cycle in $G_\ell$, i.e., a cycle of $\mathrm{FSR}(f)$. Statement (ii) of Theorem 8 holds.
Furthermore, if a cycle $c \in \mathrm{FSR}(f)$ is derived from joining more than one cycle of $\mathrm{FSR}(g)$, then $c$ includes conjugate $m$-bit vectors and is hence not a cycle of any subFSR of $\mathrm{FSR}(f)$ by Lemma 4. Therefore, Statement (iii) of Theorem 8 is proved.
Corollary 4. Let $\mathrm{FSR}(g)$ and $\mathrm{FSR}(f)$ be defined as in Theorem 8. Then any subFSR of $\mathrm{FSR}(f)$ is also a subFSR of $\mathrm{FSR}(g)$.
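The cycle machinery of Section 2.3 (Example 2: cycles as ring bit sequences, subFSRs) and the cycle-joining step of Theorem 8 with its consequence Corollary 4, as an added Python example that is not part of the paper. The state conventions, the helper names and the potential set LAMBDA are assumptions made here for tiny stage counts, where exhaustive enumeration is feasible.

```python
# Added example, not code from the paper: brute-force cycle structure of small
# FSRs (Section 2.3, Example 2) and the cycle-joining construction of Theorem 8.
# Conventions assumed from Section 2: state x = (x_0, ..., x_{n-1}), next state
# (x_1, ..., x_{n-1}, f(x)); the conjugate x^ complements x_0; a cycle is read off
# as the ring sequence of the x_0 bits of its states (Figure 3).
from itertools import product

def next_state(f, x):
    """One clock of FSR_n(f): shift and append the feedback bit f(x)."""
    return x[1:] + (f(x),)

def conjugate(x):
    """The conjugate x^ of a state: complement the first coordinate x_0."""
    return (x[0] ^ 1,) + x[1:]

def nonsingular(f, n):
    """Lemma 1 (Golomb): the state map is a permutation iff f(x) != f(x^) for all x."""
    return all(f(x) != f(conjugate(x)) for x in product((0, 1), repeat=n))

def cycles(f, n):
    """All cycles of a nonsingular FSR_n(f) as lists of states; the cycles
    partition F_2^n, so their lengths sum to 2^n."""
    assert nonsingular(f, n), "singular FSR: state map is not a permutation"
    seen, result = set(), []
    for start in product((0, 1), repeat=n):
        if start in seen:
            continue
        cyc, x = [], start
        while x not in seen:
            seen.add(x)
            cyc.append(x)
            x = next_state(f, x)
        result.append(cyc)
    return result

def ring(cyc):
    """Ring bit sequence of a cycle, rotated to a canonical form so that
    equivalent cycles (Example 1) compare equal."""
    bits = tuple(x[0] for x in cyc)
    return min(bits[i:] + bits[:i] for i in range(len(bits)))

def rings(f, n):
    """The periodic sequences (one period each) generated by FSR_n(f)."""
    return {ring(c) for c in cycles(f, n)}

def is_subfsr(g, m, f, n):
    """Seq(g) ⊆ Seq(f) with m < n: every cycle of FSR_m(g) is, as a ring sequence,
    also a cycle of FSR_n(f); then FSR_m(g) is a subFSR and FSR_n(f) is reducible."""
    return m < n and rings(g, m) <= rings(f, n)

def all_subfsrs(f, n):
    """All nonsingular subFSRs of FSR_n(f) of stage m < n, as (m, truth table of
    the feedback logic over lexicographic inputs).  Exhaustive; tiny n only."""
    found = set()
    for m in range(1, n):
        inputs = list(product((0, 1), repeat=m))
        for table in product((0, 1), repeat=2 ** m):
            g = dict(zip(inputs, table)).__getitem__
            if nonsingular(g, m) and is_subfsr(g, m, f, n):
                found.add((m, table))
    return found

def is_potential_set(g, n, lam):
    """Definition 5: every cycle of FSR_n(g) holds at most one vector of Λ, and the
    associated graph G^Λ_g (arc c1 -> c2 when u ∈ Λ lies on c1 and u^ on c2) is acyclic."""
    where = {x: i for i, c in enumerate(cycles(g, n)) for x in c}
    succ = {}
    for u in lam:
        if where[u] in succ:            # a second vector of Λ on the same cycle
            return False
        succ[where[u]] = where[conjugate(u)]
    for v in succ:                      # out-degree <= 1: walk to a sink or a repeat
        path = set()
        while v in succ and v not in path:
            path.add(v)
            v = succ[v]
        if v in path:
            return False
    return True

def join(g, lam):
    """Theorem 8: f(x) = g(x) ⊕ λ(x) ⊕ λ(x^) with λ the characteristic function of Λ.
    Flipping the feedback bit at u ∈ Λ and at u^ swaps their next states (Figure 6),
    joining the two cycles of FSR(g) that carry u and u^ into one cycle of FSR(f)."""
    lam = set(lam)
    return lambda x: g(x) ^ int(x in lam) ^ int(conjugate(x) in lam)

# Example 2: LFSR(x^3 ⊕ 1) has feedback x_0 and LFSR(x^2 ⊕ x ⊕ 1) has x_0 ⊕ x_1.
LFSR_X3_1 = lambda x: x[0]
LFSR_X2_X_1 = lambda x: x[0] ^ x[1]
# Constructed potential set for LFSR(x^3 ⊕ 1): 100 lies on the cycle [0,0,1] and its
# conjugate 000 on [0]; 011 lies on [0,1,1] and its conjugate 111 on [1].
LAMBDA = {(1, 0, 0), (0, 1, 1)}
```

Joining with LAMBDA turns the four cycles of LFSR(x^3 ⊕ 1) into two 4-cycles that each carry a conjugate pair, so by Theorem 8(iii) the new FSR has no subFSR at all, whereas LFSR(x^3 ⊕ 1) has three (including LFSR(x^2 ⊕ x ⊕ 1) from Example 2).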

Some Relations between (Ir)Reducible and (In)Decomposable FSRs
First, we consider LFSRs. For LFSRs (note that in this paper LFSRs are defined to be homogeneous, i.e., their feedback logics in ANF have no nonzero constant term), reducibility is equivalent to decomposability. On the one hand, an LFSR is decomposable if and only if its characteristic polynomial is reducible [4, 6, 15]. On the other hand, $\mathrm{LFSR}(q(x)) \subset \mathrm{LFSR}(p(x))$ if and only if $q(x) \mid p(x)$ [15]. Thus, deciding the indecomposability of LFSRs converts completely to the irreducibility of their characteristic polynomials. Second, we consider FSRs with the zero cycle. Figure 2 straightforwardly yields Proposition 1 below.

□
The idea of Proposition 2 was given by Green and Dimond [4], and here we reinterpret it.
Third, note that there are infinitely many irreducible and indecomposable FSRs, and below we answer the question whether all irreducible (resp. indecomposable) FSRs are indecomposable (resp. irreducible).
Proof. We give a family of reducible and indecomposable FSRs as below.
Proof. We construct a family of decomposable and irreducible FSRs as below. Consider any $n > 2$. There exists $\mathrm{FSR}_n(f)$ outputting a de Bruijn sequence [27], i.e., $\mathrm{FSR}_n(f)$ has only one cycle, a $2^n$-cycle $c$. Let $\mathrm{FSR}(h) = \mathrm{FSR}(f) * \mathrm{FSR}_1(x_0)$. Clearly, $\mathrm{FSR}(h)$ is decomposable. Furthermore, by Theorem 4 and Corollary 2, $\mathrm{FSR}(h)$ has exactly two cycles $d$ and $\bar{d}$, implying that $0^{n+1}$ and $1^{n+1}$ do not occur in the same cycle. Since no FSR of stage less than $n + 1$ generates $0^{n+1}$ or $1^{n+1}$, neither $d$ nor $\bar{d}$ defines a subFSR. Therefore, $\mathrm{FSR}(h)$ is irreducible.

NP-Hardness of Deciding Irreducible FSRs
This section proves Theorem 1. Above all, we sketch our idea. Our way is to give a polynomial-time Karp reduction (detailed in Algorithm 2) from the CIRCUIT SATISFIABILITY problem to the FSR IRREDUCIBILITY problem. Using the cycle joining method in Theorem 8, we choose $\mathrm{FSR}(g) = \mathrm{LFSR}(p_2)$ and construct a potential set $\Lambda_2$ such that in the associated graph $G^{\Lambda_2}_{p_2}$ (i) no $6n$-cycle of $\mathrm{LFSR}(p_2)$ is isolated (by Lemma 15) and (ii) all cycles in $\mathrm{LFSR}(p_0)$ are sources (by Lemma 14). The Boolean circuit $f_0$ (the input of the Karp reduction) is used to tune $\Lambda_2$ such that all cycles in $\mathrm{LFSR}(p_0)$ are isolated in $G^{\Lambda_2}_{p_2}$ if and only if $f_0$ is unsatisfiable. The parameters are chosen such that there exists no subFSR of stage less than $2n$ (by Theorem 5). Because a nonisolated cycle in $G^{\Lambda_2}_{p_2}$ does not admit a subFSR of $\mathrm{FSR}(f)$ (by Lemma 4), $\mathrm{LFSR}(p_0)$ is the only possible subFSR of $\mathrm{FSR}(f)$, and it occurs if and only if $f_0$ is unsatisfiable (by Lemma 16). Additionally, the transformation itself is polynomial-time computable (detailed in Lemma 17). Below we give the details of this proof.
In this section, for $v \in \mathbb{F}_2^{4n}$, $\mathrm{Cycle}(v)$ denotes the unique cycle of $\mathrm{LFSR}(p_2)$ containing $v$. Definition 7. Let $C$ denote the set of cycles of $\mathrm{LFSR}(p_2)$ min-adjacent to a cycle of $\mathrm{LFSR}(p_0)$; and let $D$ denote the set of cycles $c$ in $C$ such that no cycle in $B_{6n}$ is min-adjacent to $c$. Formally, Lemma 11 shows that in $\mathrm{LFSR}(p_2)$, a cycle $c \in \mathrm{LFSR}(p_0)$ is adjacent only to $6n$-cycles.
ALGORITHM 2: Transforming a Boolean circuit to a FSR (a reduction for Theorem 1).
On the other hand, by Lemma 12, $(100010)$ occurs as an $n$-sampling of any cycle in $C$. However, as shown in Equation (51), $(100010)$ is not an $n$-sampling of $\mathrm{Cycle}(\hat{v})$. Therefore, $\mathrm{Cycle}(\hat{v}) \notin C$.
Suppose $f_0$ is unsatisfiable. Then $\Lambda_{p_0, f_0}$ is empty as defined in Equation (54), and hence the Boolean function $\lambda$ is constant zero. In this case, $\mathrm{FSR}(f)$ is equivalent to $\mathrm{LFSR}(p_1) = \mathrm{LFSR}(p_0) * \mathrm{FSR}_1(x_0)$ and is hence decomposable. Now suppose $f_0$ is satisfiable. Since $r < 2n$ and the nonzero cycles of $\mathrm{LFSR}(p_0)$ contain all $r$-bit vectors, there exists at least one nonzero cycle $\beta \in \mathrm{LFSR}(p_0)$ such that $D(\beta)$ contains an $r$-bit vector $x$ with $f_0(x) = 1$. Then the $(2n+1)$-bit vector $v$ in $\beta$ whose D-morphic image $D(v)$ is minimal in $D(\beta)$ is a vector in $\Lambda_{p_0, f_0}$. Thus, $\Lambda_{p_0, f_0}$ is not empty and $G^{\Lambda_{p_0, f_0}}_{p_1}$ has at least one arc. Assume that $\mathrm{FSR}(f)$ is decomposable. Note that $0^{2n+1} \notin \Lambda_{p_0, f_0}$, so $[0]$ is an isolated vertex in $G^{\Lambda_{p_0, f_0}}_{p_1}$, implying $[0] \in \mathrm{FSR}(f)$ by Theorem 8. Then by Proposition 2, $\mathrm{FSR}(f) = \mathrm{FSR}(g) * \mathrm{FSR}(h)$, where $\mathrm{FSR}(h) \subset \mathrm{FSR}(f)$ and $[0] \in \mathrm{FSR}(h)$. By Corollary 4, $\mathrm{FSR}(h)$ is also a subFSR of $\mathrm{LFSR}(p_1)$. Thus, by Theorem 6, $\mathrm{FSR}(h)$ is either $\mathrm{LFSR}(p_0)$ or $\mathrm{FSR}_1(x_0)$. Anyhow, as shown above, $G^{\Lambda_{p_0, f_0}}_{p_1}$ has at least one arc, i.e., at least one nonzero cycle of $\mathrm{LFSR}(p_0)$ is not an isolated vertex in $G^{\Lambda_{p_0, f_0}}_{p_1}$. Then it follows from Theorem 8 that $\mathrm{LFSR}(p_0)$ is not a subFSR of $\mathrm{FSR}(f)$. Therefore, below we only have to consider $\mathrm{FSR}(h) = \mathrm{FSR}_1(x_0)$, i.e., $\mathrm{FSR}(f) = \mathrm{FSR}(g) * \mathrm{FSR}_1(x_0)$. First, we claim that each odd cycle (i.e., any cycle in $\mathrm{FSR}(p_0^*)$) has in-degree at most 1. Otherwise, suppose that $\bar{\beta}_j$ has in-degree $> 1$ in $G^{\Lambda_{p_0, f_0}}_{p_1}$. Let $A \subset \mathrm{LFSR}(p_1)$ be the weakly connected component containing $\bar{\beta}_j$ and denote the set of the dual cycles by $\bar{A} = \{\bar{c} : c \in A\}$. On the one hand, recall that each even cycle (i.e., any cycle in $\mathrm{LFSR}(p_0)$) has out-degree $\le 1$ in $G^{\Lambda_{p_0, f_0}}_{p_1}$. Hence, even cycles outnumber odd cycles in $A$.
On the other hand, by Theorem 4 and Corollary 2, since the cycles in $A$ and those in $\bar{A}$ have the same D-morphic images, $\bar{A}$ is also a weakly connected component in $G^{\Lambda_{p_0, f_0}}_{p_1}$ and its cycles are joined into one cycle of $\mathrm{FSR}(f)$, since we have assumed $\mathrm{FSR}(f) = \mathrm{FSR}(g) * \mathrm{FSR}_1(x_0)$. However, odd cycles outnumber even cycles in $\bar{A}$, and the cycles in $\bar{A}$ are hence not weakly connected, since each even cycle has out-degree at most 1, yielding a contradiction. So, the claim is proved.
Second, we conclude that for any $1 \le k \le (2^{2n} - 1)/(3n)$, $\beta_k$ and $\bar{\beta}_k$ are in different weakly connected components. Otherwise, there is an undirected path connecting $\beta_k$ with $\bar{\beta}_k$. In $G^{\Lambda_{p_0, f_0}}_{p_1}$, each cycle in $\mathrm{LFSR}(p_0)$ has in-degree 0 and out-degree at most 1, and each cycle in $\mathrm{FSR}(p_0^*)$ has out-degree 0 and in-degree at most 1 by the above claim. Thus, the only possible undirected path from $\beta_k$ to $\bar{\beta}_k$ is an arc from $\beta_k$ to $\bar{\beta}_k$. However, there exists no arc from $\beta_k$ to $\bar{\beta}_k$. Otherwise, in the contraction graph $G$ there is a self-loop at $D(\beta_k)$ (see Figure 4), contradictory to Lemma 6. So, by Theorem 8, there are no self-dual cycles in $\mathrm{FSR}(f)$. Therefore, a weakly connected component in $G^{\Lambda_{p_0, f_0}}_{p_1}$ (as shown in Figure 4) is of the form $\{\beta_i, \bar{\beta}_j\}$ with an arc incident from $\beta_i$ to $\bar{\beta}_j$, where $\beta_i$ and $\beta_j$ are distinct nonzero cycles of $\mathrm{LFSR}(p_0)$. Notice that,
The same as above, because we assume $\mathrm{FSR}(f) = \mathrm{FSR}(g) * \mathrm{FSR}_1(x_0)$, by Equation (56), Theorem 4 and Corollary 2, we conclude that $\beta_j$ and $\bar{\beta}_i$ also join into one cycle of $\mathrm{FSR}(f)$, i.e., there is an arc from $\beta_j$ to $\bar{\beta}_i$. Consider the contraction graph $G$. If so, in $G$, an arc goes from $D(\beta_i)$ to $D(\beta_j)$ and another from $D(\beta_j)$ to $D(\beta_i)$, implying that $G$ is not acyclic, contradictory to Lemma 6.
Thus, our assumption does not hold and $\mathrm{FSR}(f)$ is indecomposable. □
Lemma 20. There exists a polynomial-time algorithm for the transformation defined by Algorithm 3.
Note that $x = (x_0, x_1, \ldots, x_{2n})$ occurs in a cycle of $\mathrm{LFSR}(p_0)$ if and only if $x_0 \oplus x_n \oplus x_{2n} = 0$. Then Figure 10 presents the pseudocode of the characteristic function of $\Lambda_{p_0, f_0}$. The proof of Lemma 20 is similar to that of Lemma 17, and we omit it here.

Conclusion
Deciding the irreducibility/indecomposability of FSRs is interesting for sophisticated circuit implementation and for the security analysis of stream ciphers. We studied both problems from the standpoint of worst-case computational complexity, and have proved that both decision problems are NP-hard. Constructive examples are also given to show that there exist infinitely many irreducible (resp. indecomposable) FSRs that are decomposable (resp. reducible). We hope that this theoretical work serves as an inspiration to further explore the underlying obstacles to finding subFSRs or decomposing FSRs in general. To find subFSRs and $*$-factors of FSRs without the help of groundbreaking computing, it is therefore recommended to make good use of their specific feedback logics. Additionally, it is also interesting and challenging to study the average-case computational complexity of the irreducibility and indecomposability of FSRs in future.


Lemma 4. If both $u$ and its conjugate $\hat{u}$ occur as $n$-bit vectors in the same cycle $c$, then for any $k < n$, $c$ is not a cycle of any nonsingular $k$-stage FSR. Proof. Assume $c \in \mathrm{FSR}_k(g)$, $k < n$. Note that the cycle $c$ contains the two $n$-bit vectors $(u_0, u_1, \ldots, u_{n-1})$ and $(\bar{u}_0, u_1, \ldots, u_{n-1})$. Since $k < n$, the state transformation $G$ of $\mathrm{FSR}(g)$ satisfies:

under which $d = D(c) = D(\bar{c})$. There exists a one-to-one correspondence between the odd $k$-cycles $d$ in $\mathbb{F}_2^n$ and the self-dual $2k$-cycles $c$ in $\mathbb{F}_2^{n+1}$ under which $d = D(c)$. The D-morphism connects $\mathrm{FSR}(f) * \mathrm{FSR}_1(x_0)$ and its left $*$-factor.

Lemma 9. Let $p(x) = x^n \oplus c_{n-1} x^{n-1} \oplus \cdots \oplus c_1 x \oplus 1$ be an irreducible polynomial of degree $n > 1$ over $\mathbb{F}_2$. Denote the logic $p^* = c_{n-1} x_{n-1} \oplus \cdots \oplus c_1 x_1 \oplus x_0 \oplus 1$. Then the following statements hold: (i) Any cycle of $\mathrm{LFSR}(p)$ is even and any cycle in $\mathrm{FSR}(p^*)$ is odd. (ii) The D-morphism is a permutation on the cycles of $\mathrm{LFSR}(p)$. (iii) For any pair of $(n+1)$-bit conjugate vectors $v, \hat{v} \in \mathbb{F}_2^{n+1}$, one occurs in some cycle $c \in \mathrm{LFSR}(p)$ and the other occurs in some cycle $d \in \mathrm{FSR}(p^*)$.
$\mathrm{FSR}_m(g)$ differs from $\mathrm{FSR}_m(f)$ only by interchanging the next-states of $u$ and $\hat{u}$. Specifically, as shown in Figure 6, if $u$ and $\hat{u}$ are in the same cycle $c \in \mathrm{FSR}(f)$, then $c$ is split into two adjacent cycles of $\mathrm{FSR}(g)$; if $u$ and $\hat{u}$ are in two distinct cycles $c_1, c_2 \in \mathrm{FSR}(f)$, then $c_1$ and $c_2$ are joined into a single cycle of $\mathrm{FSR}(g)$. Definition 4. Given $\mathrm{FSR}_m(g)$ and a set $\Lambda \subset \mathbb{F}_2^m$, the associated graph, denoted by $G^\Lambda_g$, is a directed graph defined as follows: the vertices are the cycles of $\mathrm{FSR}(g)$, and an arc is incident from $c_1$ to $c_2$ if and only if $c_1$ is adjacent to $c_2$ at some $u \in \Lambda$. Definition 5. $\Lambda \subset \mathbb{F}_2^m$ is said to be a potential set of $\mathrm{FSR}_m(g)$ if the following two statements hold: (i) Any cycle of $\mathrm{FSR}(g)$ has at most one vector in $\Lambda$; (ii) The associated graph $G^\Lambda_g$ is acyclic.

FIGURE 6: Interchanging the next-states of $u$ and $\hat{u}$.
by cycles of $\mathrm{FSR}(g)$ which form a weakly connected component in $G^\Lambda_g$. (iii) If $\mathrm{FSR}(h)$ is a subFSR of this $\mathrm{FSR}_m(f)$, then any cycle of $\mathrm{FSR}(h)$ is equivalent to a cycle $c$ of $\mathrm{FSR}(g)$ such that $c$ contains no vector in $\{u : u \in \Lambda \text{ or } \hat{u} \in \Lambda\}$. Proof. Let

if $c_i$ has a state $u_i \in \Lambda$ then
6: As in Theorem 7, let $c_i^{(i)}$ and $c_k^{(i)}$ join into $c_k^{(i+1)}$ by interchanging the next-states of $u_i$ and $\hat{u}_i$, where $c_k$ ($i < k \le \ell - 1$) contains $\hat{u}_i$
$G_{i+1} \leftarrow G_i \cup \{c_i^{(i)}\}$
12: end if
13: end for
14: return $G_\ell \cup (\mathrm{FSR}(g) \setminus \{c_0, c_1, \ldots, c_{\ell-1}\})$.
ALGORITHM 1: Cycle transition from $\mathrm{FSR}(g)$ to $\mathrm{FSR}(f)$.

□
By Definition 7 and Lemma 11, we have $D \subseteq C \subseteq B_{6n}$.

□
Lemma 13 describes in which cycles the conjugates of the vectors in $\Lambda_D$ are located. Lemma 13. For any $v \in \Lambda_D$, $\hat{v}$ is contained in a cycle in $B_{6n} \setminus C$. Proof. Let $c \in D$ and $v = L_2^{5n}(\min_{4n}(c))$. Since $D \subseteq C$, $c$ is of the form of Equation (43) given in Lemma 12. Then,

Proof of Theorem 2. By Theorem 3 and Lemmas 19 and 20, Algorithm 3 gives a polynomial-time Karp reduction from the NP-complete problem CIRCUIT SATISFIABILITY to FSR INDECOMPOSABILITY. Therefore, we conclude that FSR INDECOMPOSABILITY is NP-hard.