1 %\documentclass{article}
2 \documentclass[10pt,journal,letterpaper,compsoc]{IEEEtran}
3 \usepackage[utf8]{inputenc}
4 \usepackage[T1]{fontenc}
11 \usepackage[ruled,vlined]{algorithm2e}
13 \usepackage[standard]{ntheorem}
14 \usepackage{algorithmic}
19 % Pour mathds : les ensembles IR, IN, etc.
22 % Pour avoir des intervalles d'entiers
26 % Pour faire des sous-figures dans les figures
27 \usepackage{subfigure}
30 \externaldocument{prng_gpu}
31 %\usepackage{hyperref}
34 \newtheorem{notation}{Notation}
36 \newcommand{\X}{\mathcal{X}}
37 \newcommand{\Go}{G_{f_0}}
38 \newcommand{\B}{\mathds{B}}
39 \newcommand{\N}{\mathds{N}}
40 \newcommand{\BN}{\mathds{B}^\mathsf{N}}
45 \title{Annex document of ``Efficient and Cryptographically Secure Generation of Chaotic Pseudorandom Numbers on GPU''}
48 \author{Jacques M. Bahi, Rapha\"{e}l Couturier, Christophe
49 Guyeux, and Pierre-Cyrille Héam\thanks{Authors in alphabetic order}}
54 \IEEEdisplaynotcompsoctitleabstractindextext
55 \IEEEpeerreviewmaketitle
58 \section{Proofs of Chaos of the General Formulation of the Chaotic Iterations}
60 Let us consider the discrete dynamical systems in chaotic iterations having
61 the general form: $\forall n\in \mathds{N}^{\ast }$, $ \forall i\in
62 \llbracket1;\mathsf{N}\rrbracket $,
67 x_i^{n-1} & \text{ if } i \notin \mathcal{S}^n \\
68 \left(f(x^{n-1})\right)_{S^n} & \text{ if }i \in \mathcal{S}^n.
73 In other words, at the $n^{th}$ iteration, only the cells whose id is
74 contained into the set $S^{n}$ are iterated.
76 Let us now rewrite these general chaotic iterations as usual discrete dynamical
77 system of the form $X^{n+1}=f(X^n)$ on an ad hoc metric space. Such a formulation
78 is required in order to study the topological behavior of the system.
80 Let us introduce the following function:
83 \chi: & \llbracket 1; \mathsf{N} \rrbracket \times \mathcal{P}\left(\llbracket 1; \mathsf{N} \rrbracket\right) & \longrightarrow & \mathds{B}\\
84 & (i,X) & \longmapsto & \left\{ \begin{array}{ll} 0 & \textrm{if }i \notin X, \\ 1 & \textrm{if }i \in X, \end{array}\right.
87 where $\mathcal{P}\left(X\right)$ is for the powerset of the set $X$, that is, $Y \in \mathcal{P}\left(X\right) \Longleftrightarrow Y \subset X$.
89 Given a function $f:\mathds{B}^\mathsf{N} \longrightarrow \mathds{B}^\mathsf{N} $, define the function:
90 $F_{f}: \mathcal{P}\left(\llbracket1;\mathsf{N}\rrbracket \right) \times \mathds{B}^{\mathsf{N}}
91 \longrightarrow \mathds{B}^{\mathsf{N}}$
94 (P,E) & \longmapsto & \left( E_{j}.\chi (j,P)+f(E)_{j}.\overline{\chi(j,P)}\right) _{j\in \llbracket1;\mathsf{N}\rrbracket}%
97 where + and . are the Boolean addition and product operations, and $\overline{x}$
98 is the negation of the Boolean $x$.
99 Consider the phase space:
101 \mathcal{X} = \mathcal{P}\left(\llbracket 1 ; \mathsf{N} \rrbracket\right)^\mathds{N} \times
102 \mathds{B}^\mathsf{N},
104 \noindent and the map defined on $\mathcal{X}$:
106 G_f\left(S,E\right) = \left(\sigma(S), F_f(i(S),E)\right), %\label{Gf} %%RAPH, j'ai viré ce label qui existe déjà avant...
108 \noindent where $\sigma$ is the \emph{shift} function defined by $\sigma
109 (S^{n})_{n\in \mathds{N}}\in \mathcal{P}\left(\llbracket 1 ; \mathsf{N} \rrbracket\right)^\mathds{N}\longrightarrow (S^{n+1})_{n\in
110 \mathds{N}}\in \mathcal{P}\left(\llbracket 1 ; \mathsf{N} \rrbracket\right)^\mathds{N}$ and $i$ is the \emph{initial function}
111 $i:(S^{n})_{n\in \mathds{N}} \in \mathcal{P}\left(\llbracket 1 ; \mathsf{N} \rrbracket\right)^\mathds{N}\longrightarrow S^{0}\in \mathcal{P}\left(\llbracket 1 ; \mathsf{N} \rrbracket\right)$.
112 Then the general chaotic iterations defined in Equation \ref{general CIs} can
113 be described by the following discrete dynamical system:
117 X^0 \in \mathcal{X} \\
123 Once more, a shift function appears as a component of these general chaotic
126 To study the Devaney's chaos property, a distance between two points
127 $X = (S,E), Y = (\check{S},\check{E})$ of $\mathcal{X}$ must be defined.
130 d(X,Y)=d_{e}(E,\check{E})+d_{s}(S,\check{S}),
133 \noindent where $ \displaystyle{d_{e}(E,\check{E})} = \displaystyle{\sum_{k=1}^{\mathsf{N}%
134 }\delta (E_{k},\check{E}_{k})}$ is once more the Hamming distance, and
135 $ \displaystyle{d_{s}(S,\check{S})} = \displaystyle{\dfrac{9}{\mathsf{N}}%
136 \sum_{k=1}^{\infty }\dfrac{|S^k\Delta {S}^k|}{10^{k}}}$,
137 %%RAPH : ici, j'ai supprimé tous les sauts à la ligne
140 %% \begin{array}{lll}
141 %% \displaystyle{d_{e}(E,\check{E})} & = & \displaystyle{\sum_{k=1}^{\mathsf{N}%
142 %% }\delta (E_{k},\check{E}_{k})} \textrm{ is once more the Hamming distance}, \\
143 %% \displaystyle{d_{s}(S,\check{S})} & = & \displaystyle{\dfrac{9}{\mathsf{N}}%
144 %% \sum_{k=1}^{\infty }\dfrac{|S^k\Delta {S}^k|}{10^{k}}}.%
148 where $|X|$ is the cardinality of a set $X$ and $A\Delta B$ is for the symmetric difference, defined for sets A, B as
149 $A\,\Delta\,B = (A \setminus B) \cup (B \setminus A)$.
153 The function $d$ defined in Eq.~\ref{nouveau d} is a metric on $\mathcal{X}$.
157 $d_e$ is the Hamming distance. We will prove that $d_s$ is a distance
158 too, thus $d$, as being the sum of two distances, will also be a distance.
160 \item Obviously, $d_s(S,\check{S})\geqslant 0$, and if $S=\check{S}$, then
161 $d_s(S,\check{S})=0$. Conversely, if $d_s(S,\check{S})=0$, then
162 $\forall k \in \mathds{N}, |S^k\Delta {S}^k|=0$, and so $\forall k, S^k=\check{S}^k$.
163 \item $d_s$ is symmetric
164 ($d_s(S,\check{S})=d_s(\check{S},S)$) due to the commutative property
165 of the symmetric difference.
166 \item Finally, $|S \Delta S''| = |(S \Delta \varnothing) \Delta S''|= |S \Delta (S'\Delta S') \Delta S''|= |(S \Delta S') \Delta (S' \Delta S'')|\leqslant |S \Delta S'| + |S' \Delta S''|$,
167 and so for all subsets $S,S',$ and $S''$ of $\llbracket 1, \mathsf{N} \rrbracket$,
168 we have $d_s(S,S'') \leqslant d_e(S,S')+d_s(S',S'')$, and the triangle
169 inequality is obtained.
174 Before being able to study the topological behavior of the general
175 chaotic iterations, we must first establish that:
178 For all $f:\mathds{B}^\mathsf{N} \longrightarrow \mathds{B}^\mathsf{N} $, the function $G_f$ is continuous on
179 $\left( \mathcal{X},d\right)$.
184 We use the sequential continuity.
185 Let $(S^n,E^n)_{n\in \mathds{N}}$ be a sequence of the phase space $%
186 \mathcal{X}$, which converges to $(S,E)$. We will prove that $\left(
187 G_{f}(S^n,E^n)\right) _{n\in \mathds{N}}$ converges to $\left(
188 G_{f}(S,E)\right) $. Let us remark that for all $n$, $S^n$ is a strategy,
189 thus, we consider a sequence of strategies (\emph{i.e.}, a sequence of
191 As $d((S^n,E^n);(S,E))$ converges to 0, each distance $d_{e}(E^n,E)$ and $d_{s}(S^n,S)$ converges
192 to 0. But $d_{e}(E^n,E)$ is an integer, so $\exists n_{0}\in \mathds{N},$ $%
193 d_{e}(E^n,E)=0$ for any $n\geqslant n_{0}$.\newline
194 In other words, there exists a threshold $n_{0}\in \mathds{N}$ after which no
195 cell will change its state:
196 $\exists n_{0}\in \mathds{N},n\geqslant n_{0}\Rightarrow E^n = E.$
198 In addition, $d_{s}(S^n,S)\longrightarrow 0,$ so $\exists n_{1}\in %
199 \mathds{N},d_{s}(S^n,S)<10^{-1}$ for all indexes greater than or equal to $%
200 n_{1}$. This means that for $n\geqslant n_{1}$, all the $S^n$ have the same
201 first term, which is $S^0$: $\forall n\geqslant n_{1},S_0^n=S_0.$
203 Thus, after the $max(n_{0},n_{1})^{th}$ term, states of $E^n$ and $E$ are
204 identical and strategies $S^n$ and $S$ start with the same first term.\newline
205 Consequently, states of $G_{f}(S^n,E^n)$ and $G_{f}(S,E)$ are equal,
206 so, after the $max(n_0, n_1)^{th}$ term, the distance $d$ between these two points is strictly less than 1.\newline
207 \noindent We now prove that the distance between $\left(
208 G_{f}(S^n,E^n)\right) $ and $\left( G_{f}(S,E)\right) $ is convergent to
209 0. Let $\varepsilon >0$. \medskip
211 \item If $\varepsilon \geqslant 1$, we see that the distance
212 between $\left( G_{f}(S^n,E^n)\right) $ and $\left( G_{f}(S,E)\right) $ is
213 strictly less than 1 after the $max(n_{0},n_{1})^{th}$ term (same state).
215 \item If $\varepsilon <1$, then $\exists k\in \mathds{N},10^{-k}\geqslant
216 \varepsilon > 10^{-(k+1)}$. But $d_{s}(S^n,S)$ converges to 0, so
218 \exists n_{2}\in \mathds{N},\forall n\geqslant
219 n_{2},d_{s}(S^n,S)<10^{-(k+2)},
221 thus after $n_{2}$, the $k+2$ first terms of $S^n$ and $S$ are equal.
223 \noindent As a consequence, the $k+1$ first entries of the strategies of $%
224 G_{f}(S^n,E^n)$ and $G_{f}(S,E)$ are the same ($G_{f}$ is a shift of strategies) and due to the definition of $d_{s}$, the floating part of
225 the distance between $(S^n,E^n)$ and $(S,E)$ is strictly less than $%
226 10^{-(k+1)}\leqslant \varepsilon $.
229 %%RAPH : ici j'ai rajouté une ligne
230 %%TOF : ici j'ai rajouté un commentaire
233 \forall \varepsilon >0,$ $\exists N_{0}=max(n_{0},n_{1},n_{2})\in \mathds{N}
234 ,$ $\forall n\geqslant N_{0},$
235 $ d\left( G_{f}(S^n,E^n);G_{f}(S,E)\right)
236 \leqslant \varepsilon .
238 $G_{f}$ is consequently continuous.
242 It is now possible to study the topological behavior of the general chaotic
243 iterations. We will prove that,
246 \label{t:chaos des general}
247 The general chaotic iterations defined on Equation~\ref{general CIs} satisfy
248 the Devaney's property of chaos.
251 Let us firstly prove the following lemma.
253 \begin{lemma}[Strong transitivity]
255 For all couples $X,Y \in \mathcal{X}$ and any neighborhood $V$ of $X$, we can
256 find $n \in \mathds{N}^*$ and $X' \in V$ such that $G^n(X')=Y$.
260 Let $X=(S,E)$, $\varepsilon>0$, and $k_0 = \lfloor log_{10}(\varepsilon)+1 \rfloor$.
261 Any point $X'=(S',E')$ such that $E'=E$ and $\forall k \leqslant k_0, S'^k=S^k$,
262 are in the open ball $\mathcal{B}\left(X,\varepsilon\right)$. Let us define
263 $\check{X} = \left(\check{S},\check{E}\right)$, where $\check{X}= G^{k_0}(X)$.
264 We denote by $s\subset \llbracket 1; \mathsf{N} \rrbracket$ the set of coordinates
265 that are different between $\check{E}$ and the state of $Y$. Thus each point $X'$ of
266 the form $(S',E')$ where $E'=E$ and $S'$ starts with
267 $(S^0, S^1, \hdots, S^{k_0},s,\hdots)$, verifies the following properties:
269 \item $X'$ is in $\mathcal{B}\left(X,\varepsilon\right)$,
270 \item the state of $G_f^{k_0+1}(X')$ is the state of $Y$.
272 Finally the point $\left(\left(S^0, S^1, \hdots, S^{k_0},s,s^0, s^1, \hdots\right); E\right)$,
273 where $(s^0,s^1, \hdots)$ is the strategy of $Y$, satisfies the properties
274 claimed in the lemma.
277 We can now prove the Theorem~\ref{t:chaos des general}.
279 \begin{proof}[Theorem~\ref{t:chaos des general}]
280 Firstly, strong transitivity implies transitivity.
282 Let $(S,E) \in\mathcal{X}$ and $\varepsilon >0$. To
283 prove that $G_f$ is regular, it is sufficient to prove that
284 there exists a strategy $\tilde S$ such that the distance between
285 $(\tilde S,E)$ and $(S,E)$ is less than $\varepsilon$, and such that
286 $(\tilde S,E)$ is a periodic point.
288 Let $t_1=\lfloor-\log_{10}(\varepsilon)\rfloor$, and let $E'$ be the
289 configuration that we obtain from $(S,E)$ after $t_1$ iterations of
290 $G_f$. As $G_f$ is strongly transitive, there exists a strategy $S'$
291 and $t_2\in\mathds{N}$ such
292 that $E$ is reached from $(S',E')$ after $t_2$ iterations of $G_f$.
294 Consider the strategy $\tilde S$ that alternates the first $t_1$ terms
295 of $S$ and the first $t_2$ terms of $S'$:
296 %%RAPH : j'ai coupé la ligne en 2
298 S=(S_0,\dots,S_{t_1-1},S'_0,\dots,S'_{t_2-1},S_0,$$$$\dots,S_{t_1-1},S'_0,\dots,S'_{t_2-1},S_0,\dots).$$ It
299 is clear that $(\tilde S,E)$ is obtained from $(\tilde S,E)$ after
300 $t_1+t_2$ iterations of $G_f$. So $(\tilde S,E)$ is a periodic
301 point. Since $\tilde S_t=S_t$ for $t<t_1$, by the choice of $t_1$, we
302 have $d((S,E),(\tilde S,E))<\epsilon$.
309 \section{Statistical Improvements Using Chaotic Iterations}
311 \label{The generation of pseudorandom sequence}
314 Let us now explain why we have reasonable ground to believe that chaos
315 can improve statistical properties.
316 We will show in this section that chaotic properties as defined in the
317 mathematical theory of chaos are related to some statistical tests that can be found
318 in the NIST battery. Furthermore, we will check that, when mixing defective PRNGs with
319 chaotic iterations, the new generator presents better statistical properties
320 (this section summarizes and extends the work of~\cite{bfg12a:ip}).
324 \subsection{Qualitative relations between topological properties and statistical tests}
327 There are various relations between topological properties that describe an unpredictable behavior for a discrete
328 dynamical system on the one
329 hand, and statistical tests to check the randomness of a numerical sequence
330 on the other hand. These two mathematical disciplines follow a similar
331 objective in case of a recurrent sequence (to characterize an intrinsically complicated behavior for a
332 recurrent sequence), with two different but complementary approaches.
333 It is true that the following illustrative links give only qualitative arguments,
334 and proofs should be provided later to make such arguments irrefutable. However
335 they give a first understanding of the reason why we think that chaotic properties should tend
336 to improve the statistical quality of PRNGs.
338 Let us now list some of these relations between topological properties defined in the mathematical
339 theory of chaos and tests embedded into the NIST battery. %Such relations need to be further
340 %investigated, but they presently give a first illustration of a trend to search similar properties in the
341 %two following fields: mathematical chaos and statistics.
345 \item \textbf{Regularity}. As stated in Section~\ref{subsec:Devaney} of the main document, a chaotic dynamical system must
346 have an element of regularity. Depending on the chosen definition of chaos, this element can be the existence of
347 a dense orbit, the density of periodic points, etc. The key idea is that a dynamical system with no periodicity
348 is not as chaotic as a system having periodic orbits: in the first situation, we can predict something and gain a
349 knowledge about the behavior of the system, that is, it never enters into a loop. A similar importance for periodicity is emphasized in
350 the two following NIST tests~\cite{Nist10}:
352 \item \textbf{Non-overlapping Template Matching Test}. Detect generators that produce too many occurrences of a given non-periodic (aperiodic) pattern.
353 \item \textbf{Discrete Fourier Transform (Spectral) Test}. Detect periodic features (i.e., repetitive patterns that are close one to another) in the tested sequence that would indicate a deviation from the assumption of randomness.
356 \item \textbf{Transitivity}. This topological property previously introduced states that the dynamical system is intrinsically complicated: it cannot be simplified into
357 two subsystems that do not interact, as we can find in any neighborhood of any point another point whose orbit visits the whole phase space.
358 This focus on the places visited by the orbits of the dynamical system takes various nonequivalent formulations in the mathematical theory
359 of chaos, namely: transitivity, strong transitivity, total transitivity, topological mixing, and so on~\cite{bg10:ij}. A similar attention
360 is brought on the states visited during a random walk in the two tests below~\cite{Nist10}:
362 \item \textbf{Random Excursions Variant Test}. Detect deviations from the expected number of visits to various states in the random walk.
363 \item \textbf{Random Excursions Test}. Determine if the number of visits to a particular state within a cycle deviates from what one would expect for a random sequence.
366 \item \textbf{Chaos according to Li and Yorke}. Two points of the phase space $(x,y)$ define a couple of Li-Yorke when $\limsup_{n \rightarrow +\infty} d(f^{(n)}(x), f^{(n)}(y))>0$ et $\liminf_{n \rightarrow +\infty} d(f^{(n)}(x), f^{(n)}(y))=0$, meaning that their orbits always oscillate as the iterations pass. When a system is compact and contains an uncountable set of such points, it is claimed as chaotic according
367 to Li-Yorke~\cite{Li75,Ruette2001}. A similar property is regarded in the following NIST test~\cite{Nist10}.
369 \item \textbf{Runs Test}. To determine whether the number of runs of ones and zeros of various lengths is as expected for a random sequence. In particular, this test determines whether the oscillation between such zeros and ones is too fast or too slow.
371 \item \textbf{Topological entropy}. The desire to formulate an equivalency of the thermodynamics entropy
372 has emerged both in the topological and statistical fields. Once again, a similar objective has led to two different
373 rewritting of an entropy based disorder: the famous Shannon definition of entropy is approximated in the statistical approach,
374 whereas topological entropy is defined as follows:
375 $x,y \in \mathcal{X}$ are $\varepsilon-$\emph{separated in time $n$} if there exists $k \leqslant n$ such that $d\left(f^{(k)}(x),f^{(k)}(y)\right)>\varepsilon$. Then $(n,\varepsilon)-$separated sets are sets of points that are all $\varepsilon-$separated in time $n$, which
376 leads to the definition of $s_n(\varepsilon,Y)$, being the maximal cardinality of all $(n,\varepsilon)-$separated sets. Using these notations,
377 the topological entropy is defined as follows: $$h_{top}(\mathcal{X},f) = \displaystyle{\lim_{\varepsilon \rightarrow 0} \Big[ \limsup_{n \rightarrow +\infty} \dfrac{1}{n} \log s_n(\varepsilon,\mathcal{X})\Big]}.$$
378 This value measures the average exponential growth of the number of distinguishable orbit segments.
379 In this sense, it measures the complexity of the topological dynamical system, whereas
380 the Shannon approach comes to mind when defining the following test~\cite{Nist10}:
382 \item \textbf{Approximate Entropy Test}. Compare the frequency of the overlapping blocks of two consecutive/adjacent lengths ($m$ and $m+1$) against the expected result for a random sequence.
385 \item \textbf{Non-linearity, complexity}. Finally, let us remark that non-linearity and complexity are
386 not only sought in general to obtain chaos, but they are also required for randomness, as illustrated by the two tests below~\cite{Nist10}.
388 \item \textbf{Binary Matrix Rank Test}. Check for linear dependence among fixed length substrings of the original sequence.
389 \item \textbf{Linear Complexity Test}. Determine whether or not the sequence is complex enough to be considered random.
394 We have proven in our previous works~\cite{guyeux12:bc} that chaotic iterations satisfying Theorem~\ref{Th:Caractérisation des IC chaotiques} of the main document are, among other
395 things, strongly transitive, topologically mixing, chaotic as defined by Li and Yorke,
396 and that they have a topological entropy and an exponent of Lyapunov both equal to $ln(\mathsf{N})$,
397 where $\mathsf{N}$ is the size of the iterated vector.
398 These topological properties make that we are ground to believe that a generator based on chaotic
399 iterations will probably be able to pass all the existing statistical batteries for pseudorandomness like
400 the NIST one. The following subsections, in which we prove that defective generators have their
401 statistical properties improved by chaotic iterations, show that such an assumption is true.
403 \subsection{Details of some Existing Generators}
405 The list of defective PRNGs we will use
406 as inputs for the statistical tests to come is introduced here.
408 Firstly, the simple linear congruency generators (LCGs) will be used.
409 They are defined by the following recurrence:
411 x^n = (ax^{n-1} + c)~mod~m,
414 where $a$, $c$, and $x^0$ must be, among other things, non-negative and inferior to
415 $m$~\cite{LEcuyerS07}. In what follows, 2LCGs and 3LCGs refer to two (resp. three)
416 combinations of such LCGs. For further details, see~\cite{bfg12a:ip,combined_lcg}.
418 Secondly, the multiple recursive generators (MRGs) which will be used,
419 are based on a linear recurrence of order
420 $k$, modulo $m$~\cite{LEcuyerS07}:
422 x^n = (a^1x^{n-1}+~...~+a^kx^{n-k})~mod~m .
425 The combination of two MRGs (referred as 2MRGs) is also used in these experiments.
427 Generators based on linear recurrences with carry will be regarded too.
428 This family of generators includes the add-with-carry (AWC) generator, based on the recurrence:
432 x^n = (x^{n-r} + x^{n-s} + c^{n-1})~mod~m, \\
433 c^n= (x^{n-r} + x^{n-s} + c^{n-1}) / m, \end{array}\end{equation}
434 the SWB generator, having the recurrence:
438 x^n = (x^{n-r} - x^{n-s} - c^{n-1})~mod~m, \\
441 1 ~~~~~\text{if}~ (x^{i-r} - x^{i-s} - c^{i-1})<0\\
442 0 ~~~~~\text{else},\end{array} \right. \end{array}\end{equation}
443 and the SWC generator, which is based on the following recurrence:
447 x^n = (a^1x^{n-1} \oplus ~...~ \oplus a^rx^{n-r} \oplus c^{n-1}) ~ mod ~ 2^w, \\
448 c^n = (a^1x^{n-1} \oplus ~...~ \oplus a^rx^{n-r} \oplus c^{n-1}) ~ / ~ 2^w. \end{array}\end{equation}
450 Then the generalized feedback shift register (GFSR) generator has been implemented, that is:
452 x^n = x^{n-r} \oplus x^{n-k} .
457 Finally, the nonlinear inversive (INV) generator~\cite{LEcuyerS07} has been studied, which is:
464 (a^1 + a^2 / z^{n-1})~mod~m & \text{if}~ z^{n-1} \neq 0 \\
465 a^1 & \text{if}~ z^{n-1} = 0 .\end{array} \right. \end{array}\end{equation}
470 \renewcommand{\arraystretch}{1.3}
471 \caption{TestU01 Statistical Test Failures}
474 \begin{tabular}{lccccc}
476 Test name &Tests& Logistic & XORshift & ISAAC\\
477 Rabbit & 38 &21 &14 &0 \\
478 Alphabit & 17 &16 &9 &0 \\
479 Pseudo DieHARD &126 &0 &2 &0 \\
480 FIPS\_140\_2 &16 &0 &0 &0 \\
481 SmallCrush &15 &4 &5 &0 \\
482 Crush &144 &95 &57 &0 \\
483 Big Crush &160 &125 &55 &0 \\ \hline
484 Failures & &261 &146 &0 \\
492 \renewcommand{\arraystretch}{1.3}
493 \caption{TestU01 Statistical Test Failures for Old CI algorithms ($\mathsf{N}=4$)}
494 \label{TestU01 for Old CI}
496 \begin{tabular}{lcccc}
498 \multirow{3}*{Test name} & \multicolumn{4}{c}{Old CI}\\
499 &Logistic& XORshift& ISAAC&ISAAC \\
501 &Logistic& XORshift& XORshift&ISAAC \\ \cmidrule(r){2-5}
502 Rabbit &7 &2 &0 &0 \\
503 Alphabit & 3 &0 &0 &0 \\
504 DieHARD &0 &0 &0 &0 \\
505 FIPS\_140\_2 &0 &0 &0 &0 \\
506 SmallCrush &2 &0 &0 &0 \\
507 Crush &47 &4 &0 &0 \\
508 Big Crush &79 &3 &0 &0 \\ \hline
509 Failures &138 &9 &0 &0 \\
518 \subsection{Statistical tests}
519 \label{Security analysis}
521 Three batteries of tests are reputed and regularly used
522 to evaluate the statistical properties of newly designed pseudorandom
523 number generators. These batteries are named DieHard~\cite{Marsaglia1996},
524 the NIST suite~\cite{ANDREW2008}, and the most stringent one called
525 TestU01~\cite{LEcuyerS07}, which encompasses the two other batteries.
529 \label{Results and discussion}
531 \renewcommand{\arraystretch}{1.3}
532 \caption{NIST and DieHARD tests suite passing rates for PRNGs without CI}
533 \label{NIST and DieHARD tests suite passing rate the for PRNGs without CI}
535 \begin{tabular}{|l||c|c|c|c|c|c|c|c|c|c|}
537 Types of PRNGs & \multicolumn{2}{c|}{Linear PRNGs} & \multicolumn{4}{c|}{Lagged PRNGs} & \multicolumn{1}{c|}{ICG PRNGs} & \multicolumn{3}{c|}{Mixed PRNGs}\\ \hline
538 \backslashbox{\textbf{$Tests$}} {\textbf{$PRNG$}} & LCG& MRG& AWC & SWB & SWC & GFSR & INV & LCG2& LCG3& MRG2 \\ \hline
539 NIST & 11/15 & 14/15 &\textbf{15/15} & \textbf{15/15} & 14/15 & 14/15 & 14/15 & 14/15& 14/15& 14/15 \\ \hline
540 DieHARD & 16/18 & 16/18 & 15/18 & 16/18 & \textbf{18/18} & 16/18 & 16/18 & 16/18& 16/18& 16/18\\ \hline
544 Table~\ref{NIST and DieHARD tests suite passing rate the for PRNGs without CI} shows the
545 results on the two first batteries recalled above, indicating that all the PRNGs presented
546 in the previous section
547 cannot pass all these tests. In other words, the statistical quality of these PRNGs cannot
548 fulfill the up-to-date standards presented previously. We have shown in~\cite{bfg12a:ip} that the use of chaotic
549 iterations can solve this issue.
551 %illustrate the effects of chaotic iterations on these defective PRNGs, experiments have been divided in three parts~\cite{bfg12a:ip}:
553 % \item \textbf{Single CIPRNG}: The PRNGs involved in CI computing are of the same category.
554 % \item \textbf{Mixed CIPRNG}: Two different types of PRNGs are mixed during the chaotic iterations process.
555 % \item \textbf{Multiple CIPRNG}: The generator is obtained by repeating the composition of the iteration function as follows: $x^0\in \mathds{B}^{\mathsf{N}}$, and $\forall n\in \mathds{N}^{\ast },\forall i\in \llbracket1;\mathsf{N}\rrbracket, x_i^n=$
560 %x_i^{n-1}~~~~~\text{if}~S^n\neq i \\
561 %\forall j\in \llbracket1;\mathsf{m}\rrbracket,f^m(x^{n-1})_{S^{nm+j}}~\text{if}~S^{nm+j}=i.\end{array} \right. \end{array}
563 %$m$ is called the \emph{functional power}.
566 The obtained results are reproduced in Table
567 \ref{NIST and DieHARD tests suite passing rate the for single CIPRNGs}.
568 The scores written in boldface indicate that all the tests have been passed successfully, whereas an
569 asterisk ``*'' means that the considered passing rate has been improved.
570 The improvements are obvious for both the ``Old CI'' and the ``New CI'' generators.
571 Concerning the ``Xor CI PRNG'', the score is less spectacular. Because of a large speed improvement, the statistics
572 are not as good as for the two other versions of these CIPRNGs.
573 However 8 tests have been improved (with no deflation for the other results).
577 \renewcommand{\arraystretch}{1.3}
578 \caption{NIST and DieHARD tests suite passing rates for PRNGs with CI}
579 \label{NIST and DieHARD tests suite passing rate the for single CIPRNGs}
581 \begin{tabular}{|l||c|c|c|c|c|c|c|c|c|c|c|c|}
583 Types of PRNGs & \multicolumn{2}{c|}{Linear PRNGs} & \multicolumn{4}{c|}{Lagged PRNGs} & \multicolumn{1}{c|}{ICG PRNGs} & \multicolumn{3}{c|}{Mixed PRNGs}\\ \hline
584 \backslashbox{\textbf{$Tests$}} {\textbf{$Single~CIPRNG$}} & LCG & MRG & AWC & SWB & SWC & GFSR & INV& LCG2 & LCG3& MRG2 \\ \hline\hline
585 Old CIPRNG\\ \hline \hline
586 NIST & \textbf{15/15} * & \textbf{15/15} * & \textbf{15/15} & \textbf{15/15} & \textbf{15/15} * & \textbf{15/15} * & \textbf{15/15} *& \textbf{15/15} * & \textbf{15/15} * & \textbf{15/15} \\ \hline
587 DieHARD & \textbf{18/18} * & \textbf{18/18} * & \textbf{18/18} * & \textbf{18/18} * & \textbf{18/18} & \textbf{18/18} * & \textbf{18/18} *& \textbf{18/18} * & \textbf{18/18} *& \textbf{18/18} * \\ \hline
588 New CIPRNG\\ \hline \hline
589 NIST & \textbf{15/15} * & \textbf{15/15} * & \textbf{15/15} & \textbf{15/15} & \textbf{15/15} * & \textbf{15/15} * & \textbf{15/15} *& \textbf{15/15} * & \textbf{15/15} * & \textbf{15/15} \\ \hline
590 DieHARD & \textbf{18/18} * & \textbf{18/18} * & \textbf{18/18} * & \textbf{18/18} * & \textbf{18/18} & \textbf{18/18} * & \textbf{18/18} * & \textbf{18/18} * & \textbf{18/18} *& \textbf{18/18} *\\ \hline
591 Xor CIPRNG\\ \hline\hline
592 NIST & 14/15*& \textbf{15/15} * & \textbf{15/15} & \textbf{15/15} & 14/15 & \textbf{15/15} * & 14/15& \textbf{15/15} * & \textbf{15/15} *& \textbf{15/15} \\ \hline
593 DieHARD & 16/18 & 16/18 & 17/18* & \textbf{18/18} * & \textbf{18/18} & \textbf{18/18} * & 16/18 & 16/18 & 16/18& 16/18\\ \hline
598 We have then investigated in~\cite{bfg12a:ip} if it were possible to improve
599 the statistical behavior of the Xor CI version by combining more than one
600 $\oplus$ operation. Results are summarized in Table~\ref{threshold}, illustrating
601 the progressive increasing effects of chaotic iterations, when giving time to chaos to get settled in.
602 Thus rapid and perfect PRNGs, regarding the NIST and DieHARD batteries, can be obtained
603 using chaotic iterations on defective generators.
606 \renewcommand{\arraystretch}{1.3}
607 \caption{Number of $\oplus$ operations to pass the whole NIST and DieHARD batteries}
610 \begin{tabular}{|l||c|c|c|c|c|c|c|c|}
612 Inputted $PRNG$ & LCG & MRG & SWC & GFSR & INV& LCG2 & LCG3 & MRG2 \\ \hline\hline
613 Threshold value $m$& 19 & 7 & 2& 1 & 11& 9& 3& 4\\ \hline\hline
617 Finally, the TestU01 battery has been launched on three well-known generators
618 (a logistic map, a simple XORshift, and the cryptographically secure ISAAC,
619 see Table~\ref{TestU011}). These results can be compared with
620 Table~\ref{TestU01 for Old CI}, which gives the scores obtained by the
621 Old CI PRNG that has received these generators.
622 The obvious improvement speaks for itself, and together with the other
623 results recalled in this section, it reinforces the opinion that a strong
624 correlation between topological properties and statistical behavior exists.
627 The next subsection will now give a concrete original implementation of the Xor CI PRNG, the
628 fastest generator in the chaotic iteration based family. In the remainder,
629 this generator will be simply referred to as CIPRNG, or ``the proposed PRNG'', if this statement does not
634 \section{Practical Security Evaluation}
635 \label{sec:Practicak evaluation}
637 Pseudorandom generators based on Eq.~\eqref{equation Oplus} of the main document are thus cryptographically secure when
638 they are XORed with an already cryptographically
639 secure PRNG. But, as stated previously,
640 such a property does not mean that, whatever the
641 key size, no attacker can predict the next bit
642 knowing all the previously released ones.
643 However, given a key size, it is possible to
644 measure in practice the minimum duration needed
645 for an attacker to break a cryptographically
646 secure PRNG, if we know the power of his/her
647 machines. Such a concrete security evaluation
648 is related to the $(T,\varepsilon)-$security
649 notion, which is recalled and evaluated in what
650 follows, for the sake of completeness.
652 Let us firstly recall that,
654 Let $\mathcal{D} : \mathds{B}^M \longrightarrow \mathds{B}$ be a probabilistic algorithm that runs
656 Let $\varepsilon > 0$.
657 $\mathcal{D}$ is called a $(T,\varepsilon)-$distinguishing attack on pseudorandom
661 $\left| Pr[\mathcal{D}(G(k)) = 1 \mid k \in_R \{0,1\}^\ell ]\right.$
665 $ - \left. Pr[\mathcal{D}(s) = 1 \mid s \in_R \mathds{B}^M ]\right| \geqslant \varepsilon,$
668 \noindent where the probability is taken over the internal coin flips of $\mathcal{D}$, and the notation
669 ``$\in_R$'' indicates the process of selecting an element at random and uniformly over the
673 Let us recall that the running time of a probabilistic algorithm is defined to be the
674 maximum of the expected number of steps needed to produce an output, maximized
675 over all inputs; the expected number is averaged over all coin flips made by the algorithm~\cite{Knuth97}.
676 We are now able to define the notion of cryptographically secure PRNGs:
679 A pseudorandom generator is $(T,\varepsilon)-$secure if there exists no $(T,\varepsilon)-$distinguishing attack on this pseudorandom generator.
688 Suppose now that the PRNG of Eq.~\eqref{equation Oplus} of the main document will work during
689 $M=100$ time units, and that during this period,
690 an attacker can realize $10^{12}$ clock cycles.
691 We thus wonder whether, during the PRNG's
692 lifetime, the attacker can distinguish this
693 sequence from a truly random one, with a probability
694 greater than $\varepsilon = 0.2$.
695 We consider that $N$ has 900 bits.
697 Predicting the next generated bit knowing all the
698 previously released ones by Eq.~\eqref{equation Oplus} of the main document is obviously equivalent to predicting the
699 next bit in the BBS generator, which
700 is cryptographically secure. More precisely, it
701 is $(T,\varepsilon)-$secure: no
702 $(T,\varepsilon)-$distinguishing attack can be
703 successfully realized on this PRNG, if~\cite{Fischlin}
705 T \leqslant \dfrac{L(N)}{6 N (log_2(N))\varepsilon^{-2}M^2}-2^7 N \varepsilon^{-2} M^2 log_2 (8 N \varepsilon^{-1}M)
706 \label{mesureConcrete}
708 where $M$ is the length of the output ($M=100$ in
709 our example), and $L(N)$ is equal to
711 2.8\times 10^{-3} exp \left(1.9229 \times (N ~ln~ 2)^\frac{1}{3} \times (ln(N~ln~ 2))^\frac{2}{3}\right)
713 is the number of clock cycles to factor a $N-$bit
719 A direct numerical application shows that this attacker
720 cannot achieve its $(10^{12},0.2)$ distinguishing
721 attack in that context.
728 \bibliographystyle{plain}
729 \bibliography{mabase}