Linear-feedback shift register
== Applications ==
LFSRs can be implemented in hardware, and this makes them useful in applications that require very fast generation of a pseudo-random sequence, such as [[direct-sequence spread spectrum]] radio. LFSRs have also been used for generating an approximation of [[white noise]] in various [[programmable sound generator]]s.

=== Uses as counters ===
The repeating sequence of states of an LFSR allows it to be used as a [[clock divider]] or as a counter when a non-binary sequence is acceptable, as is often the case where computer index or framing locations need to be machine-readable.<ref name="xilinx.com"/> LFSR [[Counter (digital)|counter]]s have simpler feedback logic than natural binary counters or [[Gray-code counter]]s, and therefore can operate at higher clock rates. However, it is necessary to ensure that the LFSR never enters a lockup state (all zeros for an XOR-based LFSR, and all ones for an XNOR-based LFSR), for example by presetting it at start-up to any other state in the sequence. It is possible to count up and down with an LFSR. LFSRs have also been used as a [https://github.com/howerj/lfsr-vhdl program counter for CPUs]; this requires that the program itself be "scrambled", and it is done to save on gates when they are at a premium (an LFSR uses fewer gates than an adder) and for speed (as an LFSR does not require a long carry chain).

The table of primitive polynomials shows how LFSRs can be arranged in Fibonacci or Galois form to give maximal periods. One can obtain any other period by adding to an LFSR that has a longer period some logic that shortens the sequence by skipping some states.

=== Uses in cryptography ===
LFSRs have long been used as [[pseudo-random number generator]]s for use in [[stream cipher]]s, due to the ease of construction from simple [[electromechanical]] or [[electronic circuits]], long [[periodic function|periods]], and very uniformly [[probability distribution|distributed]] output streams.
However, an LFSR is a linear system, leading to fairly easy [[cryptanalysis]]. For example, given a stretch of [[known-plaintext attack|known plaintext and corresponding ciphertext]], an attacker can intercept and recover a stretch of LFSR output stream used in the system described, and from that stretch of the output stream can construct an LFSR of minimal size that simulates the intended receiver by using the [[Berlekamp-Massey algorithm]]. This LFSR can then be fed the intercepted stretch of output stream to recover the remaining plaintext.

Three general methods are employed to reduce this problem in LFSR-based stream ciphers:
* [[Non-linear]] combination of several [[bit]]s from the LFSR [[state (computer science)|state]];
* Non-linear combination of the output bits of two or more LFSRs (see also: [[shrinking generator]]); or using [[Evolutionary algorithm]] to introduce non-linearity.<ref>A. Poorghanad, A. Sadr, A. Kashanipour, "Generating High Quality Pseudo Random Number Using Evolutionary Methods", IEEE Congress on Computational Intelligence and Security, vol. 9, pp. 331-335, May, 2008 [http://www.computer.org/csdl/proceedings/cis/2008/3508/01/3508a331.pdf]</ref>
* Irregular clocking of the LFSR, as in the [[alternating step generator]].

Important LFSR-based stream ciphers include [[A5/1]] and [[A5/2]], used in [[GSM]] cell phones, [[E0 (cipher)|E0]], used in [[Bluetooth]], and the [[shrinking generator]].
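The known-plaintext recovery described above, as an added Python example that is not part of the original article: it shows that 2''n'' known keystream bits are enough to reconstruct a bare ''n''-bit LFSR, which is why the non-linear measures listed are needed. The 16-bit register, taps, seed and message are constructed sample values, and the function names are illustrative.

```python
# Added example: all parameters below (16-bit register, taps, seed, message)
# are constructed sample values, not taken from any real cipher.

def lfsr_stream(state, taps, n):
    """Fibonacci LFSR over GF(2): emit n bits; taps index into the state list."""
    state, out = list(state), []
    for _ in range(n):
        out.append(state[0])
        fb = sum(state[t] for t in taps) & 1    # XOR of the tapped stages
        state = state[1:] + [fb]
    return out

def berlekamp_massey(s):
    """Shortest (L, c) with s[i] = XOR of c[j] & s[i-j] for j = 1..L."""
    n = len(s)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = s[i]
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:                                   # discrepancy: correct c(x)
            prev, shift = c[:], i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, prev
    return L, c[:L + 1]

def to_bits(data):
    return [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]

def from_bits(bits):
    return bytes(sum(b << (7 - k) for k, b in enumerate(bits[i:i + 8]))
                 for i in range(0, len(bits), 8))

def recover(ciphertext_bits, known_plaintext):
    """Keystream prefix -> minimal LFSR -> remaining plaintext."""
    ks = [c ^ p for c, p in zip(ciphertext_bits, to_bits(known_plaintext))]
    L, conn = berlekamp_massey(ks)
    while len(ks) < len(ciphertext_bits):       # run the recovered recurrence forward
        ks.append(sum(conn[j] & ks[-j] for j in range(1, L + 1)) & 1)
    rest = [c ^ k for c, k in zip(ciphertext_bits, ks)][8 * len(known_plaintext):]
    return L, [j for j in range(1, L + 1) if conn[j]], from_bits(rest)

SEED, TAPS = to_bits(b"\xac\xe1"), [0, 2, 3, 5]   # constructed key material
MESSAGE = b"HDR:v1;temp=21.5C;valve=open"         # constructed plaintext
CIPHERTEXT = [p ^ k for p, k in zip(to_bits(MESSAGE), lfsr_stream(SEED, TAPS, 8 * len(MESSAGE)))]
print(recover(CIPHERTEXT, b"HDR:"))
```

The four-byte known header supplies exactly 32 keystream bits, twice the register length, so the recovered recurrence is unique and the rest of the message decrypts without the seed.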
The A5/2 cipher has been broken and both A5/1 and E0 have serious weaknesses.<ref>{{Citation | last1 = Barkan | first1 = Elad | last2 = Biham | first2 = Eli | last3 = Keller | first3 = Nathan | title = Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication | journal = Journal of Cryptology | volume = 21 | issue = 3 | year = 2008 | pages = 392–429 | url = https://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/2006/CS/CS-2006-07.pdf | doi = 10.1007/s00145-007-9001-y | s2cid = 459117 | access-date = 2019-09-15 | archive-date = 2020-01-25 | archive-url = https://web.archive.org/web/20200125081932/http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/2006/CS/CS-2006-07.pdf | url-status = dead }}</ref><ref>{{cite book | first = Yi | last = Lu |author2=Willi Meier |author3=Serge Vaudenay | title = Advances in Cryptology – CRYPTO 2005 | chapter = The Conditional Correlation Attack: A Practical Attack on Bluetooth Encryption | year = 2005 | location = Santa Barbara, California, USA | url = http://www.terminodes.org/micsPublicationsDetail.php?pubno=1216 | volume = 3621 | pages = 97–117 | doi=10.1007/11535218_7 | series = Lecture Notes in Computer Science | isbn = 978-3-540-28114-6 | citeseerx = 10.1.1.323.9416 }}</ref>

The linear feedback shift register has a strong relationship to [[linear congruential generator]]s.<ref>RFC 4086 section 6.1.3 "Traditional Pseudo-random Sequences"</ref>

=== Uses in circuit testing ===
{{More citations needed section|date=November 2022}}
LFSRs are used in circuit testing for test-pattern generation (for exhaustive testing, pseudo-random testing or pseudo-exhaustive testing) and for signature analysis.

==== Test-pattern generation ====
Complete LFSRs are commonly used as pattern generators for exhaustive testing, since they cover all possible inputs for an ''n''-input circuit. Maximal-length LFSRs and weighted LFSRs are widely used as pseudo-random test-pattern generators for pseudo-random test applications.
==== Signature analysis ====
In [[built-in self-test]] (BIST) techniques, storing all the circuit outputs on chip is not possible, but the circuit output can be compressed to form a signature that will later be compared to the golden signature (of the good circuit) to detect faults. Since this compression is lossy, there is always a possibility that a faulty output also generates the same signature as the golden signature and the faults cannot be detected. This condition is called error masking or aliasing.

BIST is accomplished with a multiple-input signature register (MISR or MSR), which is a type of LFSR. A standard LFSR has a single XOR or XNOR gate, where the input of the gate is connected to several "taps" and the output is connected to the input of the first flip-flop. A MISR has the same structure, but the input to every flip-flop is fed through an XOR/XNOR gate. For example, a 4-bit MISR has a 4-bit parallel output and a 4-bit parallel input. The input of the first flip-flop is XOR/XNORed with parallel input bit zero and the "taps". Every other flip-flop input is XOR/XNORed with the preceding flip-flop output and the corresponding parallel input bit. Consequently, the next state of the MISR depends on the last several states as opposed to just the current state. Therefore, a MISR will always generate the same golden signature given that the input sequence is the same every time.

Recent applications<ref>Martínez LH, Khursheed S, Reddy SM. LFSR generation for high test coverage and low hardware overhead. IET Computers & Digital Techniques. 2019 Aug 21.[https://livrepository.liverpool.ac.uk/3052312/ UoL repository]</ref> are proposing set-reset flip-flops as "taps" of the LFSR. This allows the BIST system to optimise storage, since set-reset flip-flops can save the initial seed to generate the whole stream of bits from the LFSR. Nevertheless, this requires changes in the architecture of BIST, so it is an option for specific applications.
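The 4-bit MISR described above, as an added Python example that is not part of the original article: it compresses a response stream into a signature, shows a single-word fault changing the signature, and constructs a two-word fault that aliases to the golden signature. The tap positions, the XOR variant and the response words are constructed sample values.

```python
# Added example: 4-bit XOR-based MISR; taps and response data are constructed.
WIDTH, TAPS = 4, (2, 3)          # stages 2 and 3 feed back into stage 0

def misr_step(state, word):
    """One clock: stage 0 <- taps XOR in[0]; stage i <- stage i-1 XOR in[i]."""
    fb = 0
    for t in TAPS:
        fb ^= (state >> t) & 1
    shifted = ((state << 1) | fb) & ((1 << WIDTH) - 1)
    return shifted ^ word

def signature(words):
    """Compress a sequence of 4-bit circuit outputs, starting from the all-zero state."""
    state = 0
    for w in words:
        state = misr_step(state, w)
    return state

def inject(words, pos, error):
    """Return a copy of the response stream with `error` XORed into word `pos`."""
    out = list(words)
    out[pos] ^= error
    return out

def aliasing_fault(words, pos, error):
    """Two-word fault whose second error cancels the first inside the register.

    The MISR is linear, so the first error sits in the register as `error`;
    one clock later it has moved to misr_step(error, 0). Flipping exactly
    those bits in the next word returns the register to the fault-free state.
    """
    follow = misr_step(error, 0)
    return inject(inject(words, pos, error), pos + 1, follow)

GOLDEN = [0x3, 0xA, 0x5, 0xC, 0x6, 0xF]           # constructed fault-free outputs
SINGLE = inject(GOLDEN, 2, 0b0100)                # one flipped bit: detected
MASKED = aliasing_fault(GOLDEN, 2, 0b0100)        # two corrupted words: masked

print(hex(signature(GOLDEN)), hex(signature(SINGLE)), hex(signature(MASKED)))
```

Because stage 3 is tapped, the register's state transition is invertible, so an isolated error word can never decay to zero on its own; aliasing needs a later error that cancels it.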
=== Uses in digital broadcasting and communications ===

==== Scrambling ====
{{Main | Scrambler}}
To prevent short repeating sequences (e.g., runs of 0s or 1s) from forming spectral lines that may complicate symbol tracking at the receiver or interfere with other transmissions, the data bit sequence is combined with the output of a linear-feedback register before modulation and transmission. This scrambling is removed at the receiver after demodulation. When the LFSR runs at the same [[bit rate]] as the transmitted symbol stream, this technique is referred to as [[scrambler|scrambling]]. When the LFSR runs considerably faster than the symbol stream, the LFSR-generated bit sequence is called ''chipping code''. The chipping code is combined with the data using [[exclusive or]] before transmitting using [[binary phase-shift keying]] or a similar modulation method. The resulting signal has a higher bandwidth than the data, and therefore this is a method of [[spread-spectrum]] communication. When used only for the spread-spectrum property, this technique is called [[direct-sequence spread spectrum]]; when used to distinguish several signals transmitted in the same channel at the same time and frequency, it is called [[code-division multiple access]].

Neither scheme should be confused with [[encryption]] or [[encipherment]]; scrambling and spreading with LFSRs do ''not'' protect the information from eavesdropping. They are instead used to produce equivalent streams that possess convenient engineering properties to allow robust and efficient modulation and demodulation.
Digital broadcasting systems that use linear-feedback registers:
* [[ATSC standards|ATSC Standards]] (digital TV transmission system – North America)
* [[Digital Audio Broadcasting|DAB]] ([[Digital Audio Broadcasting]] system – for radio)
* [[DVB-T]] (digital TV transmission system – Europe, Australia, parts of Asia)
* [[NICAM]] (digital audio system for television)

Other digital communications systems using LFSRs:
* Intelsat business service (IBS)
* Intermediate data rate (IDR)
* [[HDMI]] 2.0
* [[Serial digital interface|SDI]] (Serial Digital Interface transmission)
* Data transfer over [[Public switched telephone network|PSTN]] (according to the [[ITU-T]] V-series recommendations)
* [[Code-division multiple access|CDMA]] (Code Division Multiple Access) cellular telephony
* [[Fast Ethernet#100BASE-T2|100BASE-T2 "fast" Ethernet]] scrambles bits using an LFSR
* [[Gigabit Ethernet#1000BASE-T|1000BASE-T Ethernet]], the most common form of Gigabit Ethernet, scrambles bits using an LFSR
* [[PCI Express]]
* [[SATA]]<ref>Section 9.5 of the SATA Specification, revision 2.6</ref>
* [[Serial Attached SCSI]] (SAS/SPL)
* [[USB 3.0]]
* [[IEEE 802.11a-1999|IEEE 802.11a]] scrambles bits using an LFSR
* [[Bluetooth Low Energy]] Link Layer makes use of an LFSR (referred to as whitening)
* [[Satellite navigation|Satellite navigation systems]] such as [[Global Positioning System|GPS]] and [[GLONASS]]. All current systems use LFSR outputs to generate some or all of their ranging codes (as the chipping code for CDMA or DSSS) or to modulate the carrier without data (like GPS L2 CL ranging code). GLONASS also uses [[frequency-division multiple access]] combined with DSSS.

==== Other uses ====
LFSRs are also used in [[radio jamming]] systems to generate pseudo-random noise to raise the noise floor of a target communication system.
The German time signal [[DCF77]], in addition to amplitude keying, employs [[phase-shift keying]] driven by a 9-stage LFSR to increase the accuracy of received time and the robustness of the data stream in the presence of noise.<ref name="phasemod">{{cite conference |url=https://www.ptb.de/cms/fileadmin/internet/fachabteilungen/abteilung_4/4.4_zeit_und_frequenz/pdf/5_1988_Hetzel_-_Proc_EFTF_88.pdf |title=Time dissemination via the LF transmitter DCF77 using a pseudo-random phase-shift keying of the carrier |first=P. |last=Hetzel |date=16 March 1988 |conference=2nd European Frequency and Time Forum |location=Neuchâtel |pages=351–364 |access-date=11 October 2011}}</ref>