
I know it's possible to work backwards from the output bits of an LFSR to determine its feedback polynomial in an O(n) fashion. I'm also curious whether, given an LFSR state and polynomial, it is possible to quickly work out how far the LFSR state is from a given epoch state (e.g. the all-ones state). The only sure-fire method I know of is to run the LFSR forwards/backwards until the state is the epoch state and keep track with a counter.

Edit: thinking about this more, this would be equivalent to quickly solving $S = M^N E$ for $N$, where $S$ is your current state, $E$ is the epoch state and $M$ is the companion matrix of the LFSR. Anyone have a fast solution to the discrete logarithm problem in the ring of $K \times K$ $GF(2)$ matrices?

gct
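The setup in the question, as an added example that is not part of the original post: a small LFSR in Galois configuration, its $K \times K$ companion matrix $M$ over $GF(2)$, a check that clocking the register $N$ times is the same as computing $M^N E$, and the "sure-fire" counter method for the distance. The register size $K = 8$, the feedback polynomial $x^8 + x^4 + x^3 + x^2 + 1$ (primitive over $GF(2)$) and the all-ones epoch are constructed choices for the example.

```python
from typing import List

# Added example, not code from the question or the answers. A K-bit LFSR in
# Galois configuration: the state is a polynomial of degree < K over GF(2)
# (stored as an integer), and one clock multiplies it by x modulo the
# feedback polynomial. The K x K companion matrix M of that polynomial is
# exactly the matrix of the "multiply by x" map, so N clocks give S = M^N E.

K = 8
# Constructed feedback polynomial x^8 + x^4 + x^3 + x^2 + 1 (primitive over GF(2)),
# stored as the low-degree coefficients only; the x^K term is implicit.
POLY_LOW = 0x1D
ALL_ONES = (1 << K) - 1      # the epoch state used in the question
IDENTITY = [1 << i for i in range(K)]


def step(state: int) -> int:
    """One clock: shift, and if an x^K term appeared, reduce it with the feedback taps."""
    state <<= 1
    if state >> K & 1:
        state ^= POLY_LOW
    return state & ALL_ONES


def step_n(state: int, n: int) -> int:
    """Clock the register n times, the slow but obviously correct way."""
    for _ in range(n):
        state = step(state)
    return state


def companion_matrix() -> List[int]:
    """Rows of M as bitmasks: bit k of row i is set iff output bit i depends on input bit k."""
    rows = []
    for i in range(K):
        mask = (1 << (i - 1)) if i > 0 else 0   # the shift moves bit i-1 into bit i
        if POLY_LOW >> i & 1:
            mask |= 1 << (K - 1)                # feedback from the bit that fell out
        rows.append(mask)
    return rows


def mat_vec(m: List[int], v: int) -> int:
    """M * v over GF(2): output bit i is the parity of (row i AND v)."""
    out = 0
    for i, row in enumerate(m):
        if bin(row & v).count("1") & 1:
            out |= 1 << i
    return out


def mat_mul(a: List[int], b: List[int]) -> List[int]:
    """A * B over GF(2): row i of the product is the XOR of the rows of B selected by row i of A."""
    out = []
    for row in a:
        acc = 0
        for k in range(K):
            if row >> k & 1:
                acc ^= b[k]
        out.append(acc)
    return out


def mat_pow(m: List[int], n: int) -> List[int]:
    """M^n by square-and-multiply: O(log n) matrix products, so jumping ahead is cheap."""
    result, base = IDENTITY, m
    while n:
        if n & 1:
            result = mat_mul(result, base)
        base = mat_mul(base, base)
        n >>= 1
    return result


def distance_by_counter(state: int, epoch: int = ALL_ONES) -> int:
    """The sure-fire method from the question: clock forward from the epoch and count."""
    cur, n = epoch, 0
    while cur != state:
        cur = step(cur)
        n += 1
        if n > ALL_ONES:          # a full period passed: state is not on the epoch's cycle
            raise ValueError("state unreachable from epoch")
    return n
```

Jumping ahead (`mat_pow` then `mat_vec`) costs $O(K^3 \log N)$, but going the other way, from $S$ and $E$ back to $N$, `distance_by_counter` is still a linear scan over up to $2^K - 1$ states; that asymmetry is exactly the discrete logarithm the question asks about.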

2 Answers


Well, one way to look at this is to notice that, if the feedback polynomial is prime, then the result of starting with state $E$, and then stepping the LFSR forward $N$ steps is the value $2^N \cdot E$, where we do the computation in $GF(2^K)$, using the polynomial representation (with the feedback polynomial being the polynomial). In addition, I believe that if the feedback polynomial is not prime, then it is possible to factor that polynomial into its primes, solve the equivalent solution modulo each prime factor, and then recombine them.

So, solving the problem of finding $N$ is equivalent to solving $S = 2^N \cdot E$ in $GF(2^K)$, or in other words, $S/E = 2^N$; that is, this problem can be reduced to solving a discrete log problem in $GF(2^K)$.

What does that rewording of the problem buy us? Well, it turns out that there are recent results in this area; this paper shows us how this problem can be solved in "quasi-polynomial" time (by which they mean $K^{O(\log K)}$; technically supra-polynomial, but just barely); that paper tells us how to do discrete logs quickly over fields of small characteristic, and a characteristic of 2 is as small as it gets.

poncho
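The reduction in this answer made concrete, as an added example that is not poncho's code and not the algorithm from the paper he cites. States of a Galois-configuration LFSR are elements of $GF(2^K)$ in polynomial representation, one clock is multiplication by $x$ (the element poncho writes as $2$), so $S = x^N \cdot E$ and $N = \log_x(S/E)$. The log is solved with baby-step giant-step, a generic $O(\sqrt{2^K})$ method that is fine for the toy size here; the quasi-polynomial algorithm is what replaces it for large $K$. The choices $K = 8$, the primitive polynomial $x^8 + x^4 + x^3 + x^2 + 1$ and the all-ones epoch are constructed for the example; a Fibonacci-form LFSR is related to this one by a fixed invertible linear change of basis, which leaves $N$ unchanged.

```python
from math import isqrt
from typing import Optional

# Added example, not poncho's code. GF(2^K) with a primitive feedback polynomial;
# a Galois LFSR state is a field element and one clock is multiplication by x.

K = 8
POLY = 0x11D                 # x^8 + x^4 + x^3 + x^2 + 1, primitive (constructed choice)
ORDER = (1 << K) - 1         # order of the multiplicative group of GF(2^K)
X = 2                        # the element x in polynomial representation


def gf_mul(a: int, b: int) -> int:
    """Carry-less multiply of two field elements, reduced mod POLY as we go."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> K & 1:
            a ^= POLY
    return r


def gf_pow(a: int, e: int) -> int:
    """a^e by square-and-multiply; this is the LFSR's jump-ahead primitive."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def gf_inv(a: int) -> int:
    """Inverse via Fermat: a^(2^K - 2), valid for every nonzero a."""
    return gf_pow(a, ORDER - 1)


def lfsr_step(state: int) -> int:
    """One clock of the Galois LFSR is multiplication by x."""
    return gf_mul(state, X)


def clock_slow(state: int, n: int) -> int:
    """n clocks, one at a time (reference for the tests)."""
    for _ in range(n):
        state = lfsr_step(state)
    return state


def lfsr_steps(state: int, n: int) -> int:
    """n clocks in O(log n) field multiplications: x^n * state."""
    return gf_mul(state, gf_pow(X, n))


def dlog_x(target: int) -> Optional[int]:
    """Baby-step giant-step: the n in [0, ORDER) with x^n == target, or None."""
    m = isqrt(ORDER) + 1                  # m^2 >= ORDER covers every exponent
    baby = {}
    cur = 1
    for j in range(m):                    # baby steps: x^0 .. x^(m-1)
        baby.setdefault(cur, j)
        cur = gf_mul(cur, X)
    giant = gf_inv(cur)                   # cur == x^m, so giant == x^(-m)
    gamma = target
    for i in range(m):                    # giant steps: target * x^(-i*m)
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gf_mul(gamma, giant)
    return None


def distance_from_epoch(state: int, epoch: int = ORDER) -> Optional[int]:
    """N with state == x^N * epoch: the discrete log of S/E to the base x."""
    return dlog_x(gf_mul(state, gf_inv(epoch)))
```

`dlog_x` touches about $2\sqrt{2^K}$ field elements instead of up to $2^K - 1$ for the counter method, which already matters at $K = 32$ or $64$; for the sizes where even that is out of reach, the small-characteristic algorithms poncho refers to apply to exactly this group.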

Don't know if this is still of interest. The fastest way I see is to precompute a basis $E_i = M^{2^i} E$ for $i = 1, \dots, n$ and then to solve the system of linear equations:

$$S = c_1 E_1 + \dots + c_n E_n$$

The values $c_i$ give you the binary representation of $N$. The effort is $n^3$ (for the online step) and memory requirement should be roughly $n^3$ as well. The precomputation is a little bit more costly but still polynomial in $n$.

otus