The Decomposition of Cascade Connections of NFSRs: Old and New Results

Cascade connection architectures of nonlinear feedback shift registers (NFSRs) have been widely used as the main components in the design of cryptographic algorithms, such as the Grain family of stream ciphers. It is known that the cascade connection of an n-stage NFSR into an m-stage NFSR is equivalent to an $(n+m)$ -stage NFSR. However, the converse problem on decomposing an NFSR into the cascade connection of two smaller NFSRs has not been well addressed, which can be transformed to decomposing the characteristic function h of the NFSR into the form $h=f \ast g$ for some nonlinear $f,g$ , where “ $\ast $ ” is a special composition of Boolean functions. In this paper, we present a complete and efficient method for such decomposition problem based on previous works. The framework of the decomposition consists of two steps. The first is to construct a candidate set for g as precise as possible, and the second is to verify each candidate g and recover the corresponding f. We propose the notion of $\ast $ -multiples of Boolean functions, and present three ways to take derivatives of h to extract the low-degree $\ast $ -multiples of g, which are useful to determine g efficiently. Compared to existing methods, the new approach can provide a very small candidate set for g in most cases, with the size being $O(\deg (h))$ , thereby achieving lower and more stable time costs in determining whether h is $\ast $ -reducible and enumerating all pairs $(f,g)$ such that $h=f \ast g$ (if it is $\ast $ -reducible). Moreover, we show that the decomposition method also applies to shift-invariant maps, by establishing a connection between the $\ast $ -product of Boolean functions and the composition of shift-invariant maps.