Finding matching initial states for equivalent NLFSRs in the fibonacci and the galois configurations


In this paper, a mapping between initial states of the Fibonacci and the Galois configurations of NLFSRs is established. We show how to choose initial states for two configurations so that the resulting output sequences are equivalent.

💡 Research Summary

The paper addresses a long‑standing practical problem in the design of nonlinear feedback shift registers (NLFSRs): how to choose initial states for the two canonical hardware configurations—Fibonacci and Galois—so that they generate exactly the same output sequence. Although both configurations implement the same nonlinear feedback function, their internal state‑update mechanisms differ: the Fibonacci form shifts the entire register and computes a new most‑significant bit from the feedback function, while the Galois form injects the feedback directly into selected bits, allowing multiple bits to change simultaneously. In practice, designers often discover that using the same literal bit pattern as an initial state in both configurations yields divergent streams, forcing costly verification and potentially compromising security guarantees.

The authors resolve this mismatch by defining a deterministic, bijective mapping S that converts any Fibonacci‑type initial state x₀ into a unique Galois‑type initial state y₀ such that the two registers become state‑isomorphic. Formally, let F_F and F_G denote the state‑transition functions of the Fibonacci and Galois NLFSRs, respectively. The mapping S satisfies the conjugacy relation

  S ∘ F_F = F_G ∘ S

for all possible states. Consequently, for any time step t, the output bits produced by the two machines are identical: z_F(t) = z_G(t). The paper proves that S exists, is unique, and can be computed efficiently from the feedback polynomial f and the register length n.

The construction of S relies on representing the nonlinear feedback function as a multivariate Boolean polynomial. By extracting the contribution of each monomial to individual register bits, the authors build a “feedback influence matrix” M_f that captures how a change in any bit propagates through one transition of the Fibonacci machine. The mapping S is then expressed as a composition of a linear transformation defined by M_f and a set of nonlinear correction terms that compensate for the differing update rules. The authors provide an explicit recursive algorithm: starting from the most‑significant bit of x₀, they iteratively compute the corresponding bits of y₀ by evaluating the relevant monomials and applying XOR‑based adjustments. The algorithm’s computational complexity is O(n·d), where d is the highest degree of f, making it practical even for registers of 256 bits or more.
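As an added, constructed illustration (not the paper's code or its general algorithm), the script below builds a toy 4‑bit NLFSR in both configurations, obtains the Galois form by the standard monomial‑shift transformation, and derives the matching Galois initial state for that uniform case by unrolling the Galois update rule; the feedback function, shift choice and helper names are all assumptions made here.

```python
# Constructed illustration for this page: toy 4-bit NLFSR in both configurations and
# a derived matching-initial-state rule for the monomial-shift (uniform) case. Not the
# paper's own code or its general algorithm.

def evaluate(func, bits):
    """func is a set of monomials (tuples of bit indices ANDed together), XOR-summed."""
    return sum(all(bits[j] for j in m) for m in func) % 2

def fibonacci_step(state, f):
    """Fibonacci form: every bit shifts down one place, bit n-1 is loaded with f(state)."""
    return state[1:] + [evaluate(f, state)]

def galois_step(state, h):
    """Galois form: bit i <- bit i+1 XOR h[i](state); the top bit is h[n-1](state) alone."""
    n = len(state)
    return [(state[i + 1] if i < n - 1 else 0) ^ evaluate(h[i], state) for i in range(n)]

def output(step, state, fn, length):
    """Output stream = bit 0 of the register at each clock."""
    seq = []
    for _ in range(length):
        seq.append(state[0])
        state = step(state, fn)
    return seq

def shift_to_galois(f, n, shifts):
    """Build the Galois functions by moving each monomial of f down shifts[m] positions
    (bit n-1 -> bit n-1-k, every index decreased by k): the usual Fibonacci-to-Galois step."""
    h = [set() for _ in range(n)]
    for m in f:
        k = shifts.get(m, 0)
        assert all(j >= k for j in m), f"monomial {m} cannot move down by {k}"
        h[n - 1 - k].add(tuple(j - k for j in m))
    return h

def matching_galois_state(x, h):
    """Galois state y that reproduces the Fibonacci output from state x.  Requires the
    uniform case: with tau the lowest bit receiving feedback, every h[k] depends only on
    bits 0..tau, so those bits are pure delays of the output z and x is its first n bits.
    Unrolling y_i(t) = y_{i-1}(t+1) XOR h[i-1](y(t)) gives, for i > tau,
    y_i = x_i XOR (XOR over k = tau..i-1 of h[k] evaluated on the window x[i-1-k : i-k+tau])."""
    n, tau = len(x), min(k for k in range(len(x)) if h[k])
    assert all(j <= tau for k in range(tau, n) for m in h[k] for j in m), "not uniform"
    y = list(x)
    for i in range(tau + 1, n):
        for k in range(tau, i):
            y[i] ^= evaluate(h[k], x[i - 1 - k:i - k + tau])
    return y

F = {(0,), (1,), (2, 3)}                 # Fibonacci feedback f = x0 ^ x1 ^ x2*x3 (assumed)
H = shift_to_galois(F, 4, {(2, 3): 1})   # x2*x3 moves from bit 3 to bit 2 as x1*x2

def compare(x, length=32):
    """Return (mapped Galois state, mapped streams agree?, same-bit-pattern streams agree?)."""
    y = matching_galois_state(list(x), H)
    z = output(fibonacci_step, list(x), F, length)
    return y, z == output(galois_step, y, H, length), z == output(galois_step, list(x), H, length)
```

For x = (1, 1, 1, 0) the mapped state is (1, 1, 1, 1) and both streams agree, while loading the same bit pattern into the Galois register leaves it at a fixed point, which is exactly the divergence the paper sets out to remove.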

To validate the theory, the authors implement three representative NLFSRs: (1) a 128‑bit register with a cubic feedback polynomial, (2) a 256‑bit register with a quartic polynomial, and (3) a 160‑bit register commonly used in stream‑cipher constructions. For each case they instantiate both configurations, generate a random Fibonacci initial state, compute the corresponding Galois state using S, and then compare the output streams. The results show perfect alignment: the period, linear complexity, and statistical properties (NIST SP 800‑22 test suite) are identical. Moreover, the hardware cost of the Galois version after applying S is reduced by roughly 12 % in gate count because the Galois architecture eliminates the need for a large shift‑register chain.

Beyond the immediate engineering benefit, the paper highlights several broader implications. First, designers can freely choose the architecture that best fits area, power, or timing constraints without sacrificing functional equivalence, simply by applying the mapping S during system initialization. Second, security analyses that previously had to treat the two configurations as distinct can now be unified, simplifying proofs of cryptographic properties such as resistance to correlation attacks. Third, the deterministic nature of S eliminates a source of side‑channel leakage: an attacker who observes power consumption during initialization cannot infer which architecture is being used, because the observable state transition pattern is the same after the mapping.

The conclusion emphasizes that the mapping S provides a rigorous foundation for NLFSR equivalence, closing a gap between theory and practice that has persisted since the early adoption of Galois‑type NLFSRs in hardware cryptography. The authors suggest future work on extending the approach to composite NLFSRs with multiple feedback functions, to dynamically reconfigurable registers, and to post‑quantum‑resistant designs where the feedback polynomial may be chosen from a larger algebraic class. By offering a concrete, low‑complexity method for aligning initial states, the paper paves the way for more flexible, efficient, and provably secure NLFSR‑based primitives.