ajout du chaos

[prng_gpu.git] / prng_gpu.tex

diff --git a/prng_gpu.tex b/prng_gpu.tex
index d95e87f0e69d9d47dab61d8e1e8cb708628cf177..90f00f82e8d6328d46fdf1cfe46fd9b80a35bd8f 100644 (file)
--- a/prng_gpu.tex
+++ b/prng_gpu.tex
@@ -1,4 +1,5 @@
-\documentclass{article}
+%\documentclass{article}
+\documentclass[10pt,journal,letterpaper,compsoc]{IEEEtran}

 \usepackage[utf8]{inputenc}
 \usepackage[T1]{fontenc}
 \usepackage{fullpage}
 \usepackage[utf8]{inputenc}
 \usepackage[T1]{fontenc}
 \usepackage{fullpage}


@@ -7,9 +8,11 @@
 \usepackage{amscd}
 \usepackage{moreverb}
 \usepackage{commath}
 \usepackage{amscd}
 \usepackage{moreverb}
 \usepackage{commath}

-\usepackage{algorithm2e}
+\usepackage[ruled,vlined]{algorithm2e}

 \usepackage{listings}
 \usepackage[standard]{ntheorem}
 \usepackage{listings}
 \usepackage[standard]{ntheorem}

+\usepackage{algorithmic}
+\usepackage{slashbox}

 
 % Pour mathds : les ensembles IR, IN, etc.
 \usepackage{dsfont}
 
 % Pour mathds : les ensembles IR, IN, etc.
 \usepackage{dsfont}


@@ -34,102 +37,199 @@
 
 \newcommand{\alert}[1]{\begin{color}{blue}\textit{#1}\end{color}}
 
 
 \newcommand{\alert}[1]{\begin{color}{blue}\textit{#1}\end{color}}
 

-\title{Efficient Generation of Pseudo-Random Numbers based on Chaotic Iterations
-on GPU}
+\title{Efficient and Cryptographically Secure Generation of Chaotic Pseudorandom Numbers on GPU}

 \begin{document}
 
 \begin{document}
 

-\author{Jacques M. Bahi, Rapha\"{e}l Couturier, and Christophe
-Guyeux\thanks{Authors in alphabetic order}}
-
-\maketitle
+\author{Jacques M. Bahi, Rapha\"{e}l Couturier,  Christophe
+Guyeux, and Pierre-Cyrille Héam\thanks{Authors in alphabetic order}}
+   

 
 

+\IEEEcompsoctitleabstractindextext{

 \begin{abstract}
 \begin{abstract}

+In this paper we present a new pseudorandom number generator (PRNG) on
+graphics processing units  (GPU). This PRNG is based  on the so-called chaotic iterations.  It
+is firstly proven  to be chaotic according to the Devaney's  formulation. We thus propose  an efficient
+implementation  for  GPU that successfully passes the   {\it BigCrush} tests, deemed to be the  hardest
+battery of tests in TestU01.  Experiments show that this PRNG can generate
+about 20 billion of random numbers  per second on Tesla C1060 and NVidia GTX280
+cards.
+It is then established that, under reasonable assumptions, the proposed PRNG can be cryptographically 
+secure.
+A chaotic version of the Blum-Goldwasser asymmetric key encryption scheme is finally proposed.
+

 
 \end{abstract}
 
 \end{abstract}

+}

 
 

-\section{Introduction}
+\maketitle

 
 

-Random  numbers are  used in  many scientific  applications and  simulations. On
-finite  state machines,  as computers,  it is  not possible  to  generate random
-numbers but only pseudo-random numbers. In practice, a good pseudo-random number
-generator (PRNG) needs  to verify some features to be used  by scientists. It is
-important  to  be  able  to  generate  pseudo-random  numbers  efficiently,  the
-generation  needs to  be reproducible  and a  PRNG needs  to satisfy  many usual
-statistical properties. Finally, from our point a view, it is essential to prove
-that  a PRNG  is  chaotic.  Concerning  the  statistical tests,  TestU01 is  the
-best-known public-domain statistical testing package.   So we use it for all our
-PRNGs, especially the {\it BigCrush}  which provides the largest serie of tests.
-Concerning  the  chaotic properties,  Devaney~\cite{Devaney}  proposed a  common
-mathematical formulation of chaotic dynamical systems.
-
-In a  previous work~\cite{bgw09:ip}  we have proposed  a new familly  of chaotic
-PRNG  based on  chaotic iterations  (IC). We  have proven  that these  PRNGs are
-chaotic in the Devaney's sense.  In this paper we propose a faster version which
-is also proven to be chaotic.
-
-Although graphics  processing units (GPU)  was initially designed  to accelerate
-the manipulation of  images, they are nowadays commonly  used in many scientific
-applications. Therefore,  it is important  to be able to  generate pseudo-random
-numbers inside a GPU when a scientific application runs in a GPU. That is why we
-also provide  an efficient  PRNG for  GPU respecting based  on IC.  Such devices
-allows us to generated almost 20 billions of random numbers per second.
+\IEEEdisplaynotcompsoctitleabstractindextext
+\IEEEpeerreviewmaketitle

 
 

-In order  to establish  that our  PRNGs are chaotic  according to  the Devaney's
-formulation, we extend what we have proposed in~\cite{guyeux10}. Moreover,  we define a new distance to measure the disorder in the chaos and we prove some interesting properties with this distance.

 
 

-The rest of this paper  is organised as follows. In Section~\ref{section:related
-  works}  we review  some GPU  implementions of  PRNG.  Section~\ref{section:BASIC RECALLS}  gives some  basic recalls  on  Devanay's formation  of chaos  and
-chaotic iterations. In Section~\ref{sec:pseudo-random} the proof of chaos of our
-PRNGs  is  studied.   Section~\ref{sec:efficient  prng}  presents  an  efficient
-implementation of  our chaotic PRNG  on a CPU.   Section~\ref{sec:efficient prng
-  gpu}   describes   the  GPU   implementation   of   our   chaotic  PRNG.    In
-Section~\ref{sec:experiments}     some    experimentations     are    presented.
-Section~\ref{sec:de  la  relativité du  désordre}  describes  the relativity  of
-disorder.  In Section~\ref{sec:  chaos order  topology} the  proof  that chaotic
-iterations can be described by iterations on a real interval is established. Finally, we give a conclusion and some perspectives.
+\section{Introduction}
+
+Randomness is of importance in many fields such as scientific simulations or cryptography. 
+``Random numbers'' can mainly be generated either by a deterministic and reproducible algorithm
+called a pseudorandom number generator (PRNG), or by a physical non-deterministic 
+process having all the characteristics of a random noise, called a truly random number
+generator (TRNG). 
+In this paper, we focus on reproducible generators, useful for instance in
+Monte-Carlo based simulators or in several cryptographic schemes.
+These domains need PRNGs that are statistically irreproachable. 
+In some fields such as in numerical simulations, speed is a strong requirement
+that is usually attained by using parallel architectures. In that case,
+a recurrent problem is that a deflation of the statistical qualities is often
+reported, when the parallelization of a good PRNG is realized.
+This is why ad-hoc PRNGs for each possible architecture must be found to
+achieve both speed and randomness.
+On the other side, speed is not the main requirement in cryptography: the great
+need is to define \emph{secure} generators able to withstand malicious
+attacks. Roughly speaking, an attacker should not be able in practice to make 
+the distinction between numbers obtained with the secure generator and a true random
+sequence. 
+Finally, a small part of the community working in this domain focuses on a
+third requirement, that is to define chaotic generators.
+The main idea is to take benefits from a chaotic dynamical system to obtain a
+generator that is unpredictable, disordered, sensible to its seed, or in other word chaotic.
+Their desire is to map a given chaotic dynamics into a sequence that seems random 
+and unassailable due to chaos.
+However, the chaotic maps used as a pattern are defined in the real line 
+whereas computers deal with finite precision numbers.
+This distortion leads to a deflation of both chaotic properties and speed.
+Furthermore, authors of such chaotic generators often claim their PRNG
+as secure due to their chaos properties, but there is no obvious relation
+between chaos and security as it is understood in cryptography.
+This is why the use of chaos for PRNG still remains marginal and disputable.
+
+The authors' opinion is that topological properties of disorder, as they are
+properly defined in the mathematical theory of chaos, can reinforce the quality
+of a PRNG. But they are not substitutable for security or statistical perfection.
+Indeed, to the authors' mind, such properties can be useful in the two following situations. On the
+one hand, a post-treatment based on a chaotic dynamical system can be applied
+to a PRNG statistically deflective, in order to improve its statistical 
+properties. Such an improvement can be found, for instance, in~\cite{bgw09:ip,bcgr11:ip}.
+On the other hand, chaos can be added to a fast, statistically perfect PRNG and/or a
+cryptographically secure one, in case where chaos can be of interest,
+\emph{only if these last properties are not lost during
+the proposed post-treatment}. Such an assumption is behind this research work.
+It leads to the attempts to define a 
+family of PRNGs that are chaotic while being fast and statistically perfect,
+or cryptographically secure.
+Let us finish this paragraph by noticing that, in this paper, 
+statistical perfection refers to the ability to pass the whole 
+{\it BigCrush} battery of tests, which is widely considered as the most
+stringent statistical evaluation of a sequence claimed as random.
+This battery can be found in the well-known TestU01 package~\cite{LEcuyerS07}.
+Chaos, for its part, refers to the well-established definition of a
+chaotic dynamical system proposed by Devaney~\cite{Devaney}.
+
+
+In a previous work~\cite{bgw09:ip,guyeux10} we have proposed a post-treatment on PRNGs making them behave
+as a chaotic dynamical system. Such a post-treatment leads to a new category of
+PRNGs. We have shown that proofs of Devaney's chaos can be established for this
+family, and that the sequence obtained after this post-treatment can pass the
+NIST~\cite{Nist10}, DieHARD~\cite{Marsaglia1996}, and TestU01~\cite{LEcuyerS07} batteries of tests, even if the inputted generators
+cannot.
+The proposition of this paper is to improve widely the speed of the formerly
+proposed generator, without any lack of chaos or statistical properties.
+In particular, a version of this PRNG on graphics processing units (GPU)
+is proposed.
+Although GPU was initially designed  to accelerate
+the manipulation of  images, they are nowadays commonly  used in many scientific
+applications. Therefore,  it is important  to be able to  generate pseudorandom
+numbers inside a GPU when a scientific application runs in it. This remark
+motivates our proposal of a chaotic and statistically perfect PRNG for GPU.  
+Such device
+allows us to generate almost 20 billion of pseudorandom numbers per second.
+Furthermore, we show that the proposed post-treatment preserves the
+cryptographical security of the inputted PRNG, when this last has such a 
+property.
+Last, but not least, we propose a rewriting of the Blum-Goldwasser asymmetric
+key encryption protocol by using the proposed method.
+
+The remainder of this paper  is organized as follows. In Section~\ref{section:related
+  works} we  review some GPU implementations  of PRNGs.  Section~\ref{section:BASIC
+  RECALLS} gives some basic recalls  on the well-known Devaney's formulation of chaos, 
+  and on an iteration process called ``chaotic
+iterations'' on which the post-treatment is based. 
+The proposed PRNG and its proof of chaos are given in  Section~\ref{sec:pseudorandom}.
+Section~\ref{sec:efficient    PRNG}   presents   an   efficient
+implementation of  this chaotic PRNG  on a CPU, whereas   Section~\ref{sec:efficient PRNG
+  gpu}   describes and evaluates theoretically  the  GPU   implementation. 
+Such generators are experimented in 
+Section~\ref{sec:experiments}.
+We show in Section~\ref{sec:security analysis} that, if the inputted
+generator is cryptographically secure, then it is the case too for the
+generator provided by the post-treatment.
+Such a proof leads to the proposition of a cryptographically secure and
+chaotic generator on GPU based on the famous Blum Blum Shub
+in Section~\ref{sec:CSGPU}, and to an improvement of the
+Blum-Goldwasser protocol in Sect.~\ref{Blum-Goldwasser}.
+This research work ends by a conclusion section, in which the contribution is
+summarized and intended future work is presented.

 
 
 
 
 \section{Related works on GPU based PRNGs}
 \label{section:related works}
 
 
 
 
 \section{Related works on GPU based PRNGs}
 \label{section:related works}

-In the litterature many authors have work on defining GPU based PRNGs. We do not
-want to be exhaustive and we just give the most significant works from our point
-of view. When authors mention the  number of random numbers generated per second
-we mention  it. We  consider that  a million numbers  per second  corresponds to
-1MSample/s and than a billion numbers per second corresponds to 1GSample/s.
-
-In \cite{Pang:2008:cec},  the authors define  a PRNG based on  cellular automata
-which  does   not  require  high  precision  integer   arithmetics  nor  bitwise
-operations. There is no mention of statistical tests nor proof that this PRNG is
-chaotic.  Concerning   the  speed  of   generation,  they  can   generate  about
-3.2MSample/s on a GeForce 7800 GTX GPU (which is quite old now).
+
+Numerous research works on defining GPU based PRNGs have already been proposed  in the
+literature, so that exhaustivity is impossible.
+This is why authors of this document only give reference to the most significant attempts 
+in this domain, from their subjective point of view. 
+The  quantity of pseudorandom numbers generated per second is mentioned here 
+only when the information is given in the related work. 
+A million numbers  per second will be simply written as
+1MSample/s whereas a billion numbers per second is 1GSample/s.
+
+In \cite{Pang:2008:cec}  a PRNG based on  cellular automata is defined
+with no  requirement to an high  precision  integer   arithmetic  or to any bitwise
+operations. Authors can   generate  about
+3.2MSamples/s on a GeForce 7800 GTX GPU, which is quite an old card now.
+However, there is neither a mention of statistical tests nor any proof of
+chaos or cryptography in this document.

 
 In \cite{ZRKB10}, the authors propose  different versions of efficient GPU PRNGs
 
 In \cite{ZRKB10}, the authors propose  different versions of efficient GPU PRNGs

-based on  Lagged Fibonacci, Hybrid  Taus or Hybrid  Taus.  They have  used these
+based on  Lagged Fibonacci or Hybrid  Taus.  They have  used these

 PRNGs   for  Langevin   simulations   of  biomolecules   fully  implemented   on
 PRNGs   for  Langevin   simulations   of  biomolecules   fully  implemented   on

-GPU. Performance of  the GPU versions are far better than  those obtained with a
-CPU and these PRNGs succeed to pass the {\it BigCrush} test of TestU01. There is
-no mention that their PRNGs have chaos mathematical properties.
+GPU. Performances of  the GPU versions are far better than  those obtained with a
+CPU, and these PRNGs succeed to pass the {\it BigCrush} battery of TestU01. 
+However the evaluations of the proposed PRNGs are only statistical ones.

 
 
 Authors of~\cite{conf/fpga/ThomasHL09}  have studied the  implementation of some
 
 
 Authors of~\cite{conf/fpga/ThomasHL09}  have studied the  implementation of some

-PRNGs on  diferrent computing architectures: CPU,  field-programmable gate array
-(FPGA), GPU and massively parallel  processor. This study is interesting because
-it  shows the  performance  of the  same  PRNGs on  different architeture.   For
-example,  the FPGA  is globally  the  fastest architecture  and it  is also  the
-efficient one because it provides the fastest number of generated random numbers
-per joule. Concerning the GPU,  authors can generate betweend 11 and 16GSample/s
-with a GTX 280  GPU. The drawback of this work is  that those PRNGs only succeed
-the {\it Crush} test which is easier than the {\it Big Crush} test.
+PRNGs on  different computing architectures: CPU,  field-programmable gate array
+(FPGA), massively parallel  processors, and GPU. This study is of interest, because
+the  performance  of the  same  PRNGs on  different architectures are compared. 
+FPGA appears as  the  fastest  and the most
+efficient architecture, providing the fastest number of generated pseudorandom numbers
+per joule. 
+However, we notice that authors can ``only'' generate between 11 and 16GSamples/s
+with a GTX 280  GPU, which should be compared with
+the results presented in this document.
+We can remark too that the PRNGs proposed in~\cite{conf/fpga/ThomasHL09} are only
+able to pass the {\it Crush} battery, which is far easier than the {\it Big Crush} one.
+
+Lastly, Cuda  has developed  a  library for  the  generation of  pseudorandom numbers  called
+Curand~\cite{curand11}.        Several       PRNGs        are       implemented, among
+other things 
+Xorwow~\cite{Marsaglia2003} and  some variants of Sobol. The  tests reported show that
+their  fastest version provides  15GSamples/s on  the new  Fermi C2050  card. 
+But their PRNGs cannot pass the whole TestU01 battery (only one test is failed).

 \newline
 \newline
 \newline
 \newline

-To the best of our knowledge no GPU implementation have been proven to have chaotic properties.
+We can finally remark that, to the best of our knowledge, no GPU implementation has been proven to be chaotic, and the cryptographically secure property has surprisingly never been considered.

 
 \section{Basic Recalls}
 \label{section:BASIC RECALLS}
 
 \section{Basic Recalls}
 \label{section:BASIC RECALLS}

+

 This section is devoted to basic definitions and terminologies in the fields of
 This section is devoted to basic definitions and terminologies in the fields of

-topological chaos and chaotic iterations.
+topological chaos and chaotic iterations. We assume the reader is familiar
+with basic notions on topology (see for instance~\cite{Devaney}).
+
+

 \subsection{Devaney's Chaotic Dynamical Systems}
 
 In the sequel $S^{n}$ denotes the $n^{th}$ term of a sequence $S$ and $V_{i}$
 \subsection{Devaney's Chaotic Dynamical Systems}
 
 In the sequel $S^{n}$ denotes the $n^{th}$ term of a sequence $S$ and $V_{i}$


@@ -142,7 +242,7 @@ Consider a topological space $(\mathcal{X},\tau)$ and a continuous function $f :
 \mathcal{X} \rightarrow \mathcal{X}$.
 
 \begin{definition}
 \mathcal{X} \rightarrow \mathcal{X}$.
 
 \begin{definition}

-$f$ is said to be \emph{topologically transitive} if, for any pair of open sets
+The function $f$ is said to be \emph{topologically transitive} if, for any pair of open sets

 $U,V \subset \mathcal{X}$, there exists $k>0$ such that $f^k(U) \cap V \neq
 \varnothing$.
 \end{definition}
 $U,V \subset \mathcal{X}$, there exists $k>0$ such that $f^k(U) \cap V \neq
 \varnothing$.
 \end{definition}


@@ -161,7 +261,7 @@ necessarily the same period).
 
 
 \begin{definition}[Devaney's formulation of chaos~\cite{Devaney}]
 
 
 \begin{definition}[Devaney's formulation of chaos~\cite{Devaney}]

-$f$ is said to be \emph{chaotic} on $(\mathcal{X},\tau)$ if $f$ is regular and
+The function $f$ is said to be \emph{chaotic} on $(\mathcal{X},\tau)$ if $f$ is regular and

 topologically transitive.
 \end{definition}
 
 topologically transitive.
 \end{definition}
 


@@ -169,12 +269,12 @@ The chaos property is strongly linked to the notion of ``sensitivity'', defined
 on a metric space $(\mathcal{X},d)$ by:
 
 \begin{definition}
 on a metric space $(\mathcal{X},d)$ by:
 
 \begin{definition}

-\label{sensitivity} $f$ has \emph{sensitive dependence on initial conditions}
+\label{sensitivity} The function $f$ has \emph{sensitive dependence on initial conditions}

 if there exists $\delta >0$ such that, for any $x\in \mathcal{X}$ and any
 neighborhood $V$ of $x$, there exist $y\in V$ and $n > 0$ such that
 $d\left(f^{n}(x), f^{n}(y)\right) >\delta $.
 
 if there exists $\delta >0$ such that, for any $x\in \mathcal{X}$ and any
 neighborhood $V$ of $x$, there exist $y\in V$ and $n > 0$ such that
 $d\left(f^{n}(x), f^{n}(y)\right) >\delta $.
 

-$\delta$ is called the \emph{constant of sensitivity} of $f$.
+The constant $\delta$ is called the \emph{constant of sensitivity} of $f$.

 \end{definition}
 
 Indeed, Banks \emph{et al.} have proven in~\cite{Banks92} that when $f$ is
 \end{definition}
 
 Indeed, Banks \emph{et al.} have proven in~\cite{Banks92} that when $f$ is


@@ -233,15 +333,15 @@ Let us now recall how to define a suitable metric space where chaotic iterations
 are continuous. For further explanations, see, e.g., \cite{guyeux10}.
 
 Let $\delta $ be the \emph{discrete Boolean metric}, $\delta
 are continuous. For further explanations, see, e.g., \cite{guyeux10}.
 
 Let $\delta $ be the \emph{discrete Boolean metric}, $\delta

-(x,y)=0\Leftrightarrow x=y.$ Given a function $f$, define the function:
-\begin{equation}
+(x,y)=0\Leftrightarrow x=y.$ Given a function $f$, define the function
+$F_{f}:  \llbracket1;\mathsf{N}\rrbracket\times \mathds{B}^{\mathsf{N}} 
+\longrightarrow  \mathds{B}^{\mathsf{N}}$
+\begin{equation*}

 \begin{array}{lrll}
 \begin{array}{lrll}

-F_{f}: & \llbracket1;\mathsf{N}\rrbracket\times \mathds{B}^{\mathsf{N}} &
-\longrightarrow & \mathds{B}^{\mathsf{N}} \\
-& (k,E) & \longmapsto & \left( E_{j}.\delta (k,j)+f(E)_{k}.\overline{\delta
-(k,j)}\right) _{j\in \llbracket1;\mathsf{N}\rrbracket},%
+& (k,E) & \longmapsto & \left( E_{j}.\delta (k,j)+ f(E)_{k}.\overline{\delta
+(k,j)}\right) _{j\in \llbracket1;\mathsf{N}\rrbracket}%

 \end{array}%
 \end{array}%

-\end{equation}%
+\end{equation*}%

 \noindent where + and . are the Boolean addition and product operations.
 Consider the phase space:
 \begin{equation}
 \noindent where + and . are the Boolean addition and product operations.
 Consider the phase space:
 \begin{equation}


@@ -297,9 +397,9 @@ their distance should increase too.
 \item In addition, if two systems present the same cells and their respective
 strategies start with the same terms, then the distance between these two points
 must be small because the evolution of the two systems will be the same for a
 \item In addition, if two systems present the same cells and their respective
 strategies start with the same terms, then the distance between these two points
 must be small because the evolution of the two systems will be the same for a

-while. Indeed, the two dynamical systems start with the same initial condition,
-use the same update function, and as strategies are the same for a while, then
-components that are updated are the same too.
+while. Indeed, both dynamical systems start with the same initial condition,
+use the same update function, and as strategies are the same for a while, furthermore
+updated components are the same as well.

 \end{itemize}
 The distance presented above follows these recommendations. Indeed, if the floor
 value $\lfloor d(X,Y)\rfloor $ is equal to $n$, then the systems $E, \check{E}$
 \end{itemize}
 The distance presented above follows these recommendations. Indeed, if the floor
 value $\lfloor d(X,Y)\rfloor $ is equal to $n$, then the systems $E, \check{E}$


@@ -308,7 +408,7 @@ measure of the differences between strategies $S$ and $\check{S}$. More
 precisely, this floating part is less than $10^{-k}$ if and only if the first
 $k$ terms of the two strategies are equal. Moreover, if the $k^{th}$ digit is
 nonzero, then the $k^{th}$ terms of the two strategies are different.
 precisely, this floating part is less than $10^{-k}$ if and only if the first
 $k$ terms of the two strategies are equal. Moreover, if the $k^{th}$ digit is
 nonzero, then the $k^{th}$ terms of the two strategies are different.

-The impact of this choice for a distance will be investigate at the end of the document.
+The impact of this choice for a distance will be investigated at the end of the document.

 
 Finally, it has been established in \cite{guyeux10} that,
 
 
 Finally, it has been established in \cite{guyeux10} that,
 


@@ -331,8 +431,7 @@ The relation between $\Gamma(f)$ and $G_f$ is clear: there exists a
 path from $x$ to $x'$ in $\Gamma(f)$ if and only if there exists a
 strategy $s$ such that the parallel iteration of $G_f$ from the
 initial point $(s,x)$ reaches the point $x'$.
 path from $x$ to $x'$ in $\Gamma(f)$ if and only if there exists a
 strategy $s$ such that the parallel iteration of $G_f$ from the
 initial point $(s,x)$ reaches the point $x'$.

-
-We have finally proven in \cite{bcgr11:ip} that,
+We have then proven in \cite{bcgr11:ip} that,

 
 
 \begin{theorem}
 
 
 \begin{theorem}


@@ -341,18 +440,38 @@ Let $f:\mathds{B}^\mathsf{N}\to\mathds{B}^\mathsf{N}$. $G_f$ is chaotic  (accord
 if and only if $\Gamma(f)$ is strongly connected.
 \end{theorem}
 
 if and only if $\Gamma(f)$ is strongly connected.
 \end{theorem}
 

-This result of chaos has lead us to study the possibility to build a
-pseudo-random number generator (PRNG) based on the chaotic iterations. 
+Finally, we have established in \cite{bcgr11:ip} that,
+\begin{theorem}
+  Let $f: \mathds{B}^{n} \rightarrow \mathds{B}^{n}$, $\Gamma(f)$ its
+  iteration graph, $\check{M}$ its adjacency
+  matrix and $M$
+  a $n\times n$ matrix defined by 
+  $
+  M_{ij} = \frac{1}{n}\check{M}_{ij}$ %\textrm{ 
+  if $i \neq j$ and  
+  $M_{ii} = 1 - \frac{1}{n} \sum\limits_{j=1, j\neq i}^n \check{M}_{ij}$ otherwise.
+  
+  If $\Gamma(f)$ is strongly connected, then 
+  the output of the PRNG detailed in Algorithm~\ref{CI Algorithm} follows 
+  a law that tends to the uniform distribution 
+  if and only if $M$ is a double stochastic matrix.
+\end{theorem} 
+
+
+These results of chaos and uniform distribution have led us to study the possibility of building a
+pseudorandom number generator (PRNG) based on the chaotic iterations. 

 As $G_f$, defined on the domain   $\llbracket 1 ;  \mathsf{N} \rrbracket^{\mathds{N}} 
 As $G_f$, defined on the domain   $\llbracket 1 ;  \mathsf{N} \rrbracket^{\mathds{N}} 

-\times \mathds{B}^\mathsf{N}$, is build from Boolean networks $f : \mathds{B}^\mathsf{N}
+\times \mathds{B}^\mathsf{N}$, is built from Boolean networks $f : \mathds{B}^\mathsf{N}

 \rightarrow \mathds{B}^\mathsf{N}$, we can preserve the theoretical properties on $G_f$
 \rightarrow \mathds{B}^\mathsf{N}$, we can preserve the theoretical properties on $G_f$

-during implementations (due to the discrete nature of $f$). It is as if
+during implementations (due to the discrete nature of $f$). Indeed, it is as if

 $\mathds{B}^\mathsf{N}$ represents the memory of the computer whereas $\llbracket 1 ;  \mathsf{N}
 $\mathds{B}^\mathsf{N}$ represents the memory of the computer whereas $\llbracket 1 ;  \mathsf{N}

-\rrbracket^{\mathds{N}}$ is its input stream (the seeds, for instance).
+\rrbracket^{\mathds{N}}$ is its input stream (the seeds, for instance, in PRNG, or a physical noise in TRNG).
+Let us finally remark that the vectorial negation satisfies the hypotheses of both theorems above.

 
 

-\section{Application to Pseudo-Randomness}
-\label{sec:pseudo-random}
-\subsection{A First Pseudo-Random Number Generator}
+\section{Application to Pseudorandomness}
+\label{sec:pseudorandom}
+
+\subsection{A First Pseudorandom Number Generator}

 
 We have proposed in~\cite{bgw09:ip} a new family of generators that receives 
 two PRNGs as inputs. These two generators are mixed with chaotic iterations, 
 
 We have proposed in~\cite{bgw09:ip} a new family of generators that receives 
 two PRNGs as inputs. These two generators are mixed with chaotic iterations, 


@@ -361,8 +480,9 @@ generator taken alone. Furthermore, our generator
 possesses various chaos properties that none of the generators used as input
 present.
 
 possesses various chaos properties that none of the generators used as input
 present.
 

+

 \begin{algorithm}[h!]
 \begin{algorithm}[h!]

-%\begin{scriptsize}
+\begin{small}

 \KwIn{a function $f$, an iteration number $b$, an initial configuration $x^0$
 ($n$ bits)}
 \KwOut{a configuration $x$ ($n$ bits)}
 \KwIn{a function $f$, an iteration number $b$, an initial configuration $x^0$
 ($n$ bits)}
 \KwOut{a configuration $x$ ($n$ bits)}


@@ -374,12 +494,16 @@ $s\leftarrow{\textit{XORshift}(n)}$\;
 $x\leftarrow{F_f(s,x)}$\;
 }
 return $x$\;
 $x\leftarrow{F_f(s,x)}$\;
 }
 return $x$\;

-%\end{scriptsize}
+\end{small}

 \caption{PRNG with chaotic functions}
 \label{CI Algorithm}
 \end{algorithm}
 
 \caption{PRNG with chaotic functions}
 \label{CI Algorithm}
 \end{algorithm}
 

+
+
+

 \begin{algorithm}[h!]
 \begin{algorithm}[h!]

+\begin{small}

 \KwIn{the internal configuration $z$ (a 32-bit word)}
 \KwOut{$y$ (a 32-bit word)}
 $z\leftarrow{z\oplus{(z\ll13)}}$\;
 \KwIn{the internal configuration $z$ (a 32-bit word)}
 \KwOut{$y$ (a 32-bit word)}
 $z\leftarrow{z\oplus{(z\ll13)}}$\;


@@ -387,7 +511,7 @@ $z\leftarrow{z\oplus{(z\gg17)}}$\;
 $z\leftarrow{z\oplus{(z\ll5)}}$\;
 $y\leftarrow{z}$\;
 return $y$\;
 $z\leftarrow{z\oplus{(z\ll5)}}$\;
 $y\leftarrow{z}$\;
 return $y$\;

-\medskip
+\end{small}

 \caption{An arbitrary round of \textit{XORshift} algorithm}
 \label{XORshift}
 \end{algorithm}
 \caption{An arbitrary round of \textit{XORshift} algorithm}
 \label{XORshift}
 \end{algorithm}


@@ -397,11 +521,11 @@ return $y$\;
 
 
 This generator is synthesized in Algorithm~\ref{CI Algorithm}.
 
 
 This generator is synthesized in Algorithm~\ref{CI Algorithm}.

-It takes as input: a function $f$;
+It takes as input: a Boolean function $f$ satisfying Theorem~\ref{Th:Caractérisation   des   IC   chaotiques};

 an integer $b$, ensuring that the number of executed iterations is at least $b$
 and at most $2b+1$; and an initial configuration $x^0$.
 It returns the new generated configuration $x$.  Internally, it embeds two
 an integer $b$, ensuring that the number of executed iterations is at least $b$
 and at most $2b+1$; and an initial configuration $x^0$.
 It returns the new generated configuration $x$.  Internally, it embeds two

-\textit{XORshift}$(k)$ PRNGs \cite{Marsaglia2003} that returns integers
+\textit{XORshift}$(k)$ PRNGs~\cite{Marsaglia2003} that return integers

 uniformly distributed
 into $\llbracket 1 ; k \rrbracket$.
 \textit{XORshift} is a category of very fast PRNGs designed by George Marsaglia,
 uniformly distributed
 into $\llbracket 1 ; k \rrbracket$.
 \textit{XORshift} is a category of very fast PRNGs designed by George Marsaglia,


@@ -410,19 +534,7 @@ with a bit shifted version of it. This PRNG, which has a period of
 $2^{32}-1=4.29\times10^9$, is summed up in Algorithm~\ref{XORshift}. It is used
 in our PRNG to compute the strategy length and the strategy elements.
 
 $2^{32}-1=4.29\times10^9$, is summed up in Algorithm~\ref{XORshift}. It is used
 in our PRNG to compute the strategy length and the strategy elements.
 

-
-We have proven in \cite{bcgr11:ip} that,
-\begin{theorem}
-  Let $f: \mathds{B}^{n} \rightarrow \mathds{B}^{n}$, $\Gamma(f)$ its
-  iteration graph, $\check{M}$ its adjacency
-  matrix and $M$ a $n\times n$ matrix defined as in the previous lemma.
-  If $\Gamma(f)$ is strongly connected, then 
-  the output of the PRNG detailed in Algorithm~\ref{CI Algorithm} follows 
-  a law that tends to the uniform distribution 
-  if and only if $M$ is a double stochastic matrix.
-\end{theorem} 
-
-This former generator as successively passed various batteries of statistical tests, as the NIST tests~\cite{bcgr11:ip}.
+This former generator has successively passed various batteries of statistical tests, as the NIST~\cite{bcgr11:ip}, DieHARD~\cite{Marsaglia1996}, and TestU01~\cite{LEcuyerS07} ones.

 
 \subsection{Improving the Speed of the Former Generator}
 
 
 \subsection{Improving the Speed of the Former Generator}
 


@@ -442,7 +554,7 @@ x^0 \in \llbracket 0, 2^\mathsf{N}-1 \rrbracket, S \in \llbracket 0, 2^\mathsf{N
 \label{equation Oplus}
 \end{equation}
 where $\oplus$ is for the bitwise exclusive or between two integers. 
 \label{equation Oplus}
 \end{equation}
 where $\oplus$ is for the bitwise exclusive or between two integers. 

-This rewritten can be understood as follows. The $n-$th term $S^n$ of the
+This rewriting can be understood as follows. The $n-$th term $S^n$ of the

 sequence $S$, which is an integer of $\mathsf{N}$ binary digits, presents
 the list of cells to update in the state $x^n$ of the system (represented
 as an integer having $\mathsf{N}$ bits too). More precisely, the $k-$th 
 sequence $S$, which is an integer of $\mathsf{N}$ binary digits, presents
 the list of cells to update in the state $x^n$ of the system (represented
 as an integer having $\mathsf{N}$ bits too). More precisely, the $k-$th 


@@ -466,28 +578,27 @@ where $f$ is the vectorial negation and $\forall n \in \mathds{N}$,
 $\mathcal{S}^n \subset \llbracket 1, \mathsf{N} \rrbracket$ is such that
 $k \in \mathcal{S}^n$ if and only if the $k-$th digit in the binary
 decomposition of $S^n$ is 1. Such chaotic iterations are more general
 $\mathcal{S}^n \subset \llbracket 1, \mathsf{N} \rrbracket$ is such that
 $k \in \mathcal{S}^n$ if and only if the $k-$th digit in the binary
 decomposition of $S^n$ is 1. Such chaotic iterations are more general

-than the ones presented in Definition \ref{Def:chaotic iterations} for 
-the fact that, instead of updating only one term at each iteration,
+than the ones presented in Definition \ref{Def:chaotic iterations} because, instead of updating only one term at each iteration,

 we select a subset of components to change.
 
 
 Obviously, replacing Algorithm~\ref{CI Algorithm} by 
 we select a subset of components to change.
 
 
 Obviously, replacing Algorithm~\ref{CI Algorithm} by 

-Equation~\ref{equation Oplus}, possible when the iteration function is
+Equation~\ref{equation Oplus}, which is possible when the iteration function is

 the vectorial negation, leads to a speed improvement. However, proofs
 of chaos obtained in~\cite{bg10:ij} have been established
 only for chaotic iterations of the form presented in Definition 
 \ref{Def:chaotic iterations}. The question is now to determine whether the
 the vectorial negation, leads to a speed improvement. However, proofs
 of chaos obtained in~\cite{bg10:ij} have been established
 only for chaotic iterations of the form presented in Definition 
 \ref{Def:chaotic iterations}. The question is now to determine whether the

-use of more general chaotic iterations to generate pseudo-random numbers 
+use of more general chaotic iterations to generate pseudorandom numbers 

 faster, does not deflate their topological chaos properties.
 
 \subsection{Proofs of Chaos of the General Formulation of the Chaotic Iterations}
 \label{deuxième def}
 Let us consider the discrete dynamical systems in chaotic iterations having 
 faster, does not deflate their topological chaos properties.
 
 \subsection{Proofs of Chaos of the General Formulation of the Chaotic Iterations}
 \label{deuxième def}
 Let us consider the discrete dynamical systems in chaotic iterations having 

-the general form:
+the general form: $\forall    n\in     \mathds{N}^{\ast     }$, $  \forall     i\in
+\llbracket1;\mathsf{N}\rrbracket $,

 
 \begin{equation}
 
 \begin{equation}

-\forall    n\in     \mathds{N}^{\ast     },    \forall     i\in
-\llbracket1;\mathsf{N}\rrbracket ,x_i^n=\left\{
+  x_i^n=\left\{

 \begin{array}{ll}
   x_i^{n-1} &  \text{ if  } i \notin \mathcal{S}^n \\
   \left(f(x^{n-1})\right)_{S^n} & \text{ if }i \in \mathcal{S}^n.
 \begin{array}{ll}
   x_i^{n-1} &  \text{ if  } i \notin \mathcal{S}^n \\
   \left(f(x^{n-1})\right)_{S^n} & \text{ if }i \in \mathcal{S}^n.


@@ -512,14 +623,13 @@ Let us introduce the following function:
 where $\mathcal{P}\left(X\right)$ is for the powerset of the set $X$, that is, $Y \in \mathcal{P}\left(X\right) \Longleftrightarrow Y \subset X$.
 
 Given a function $f:\mathds{B}^\mathsf{N} \longrightarrow \mathds{B}^\mathsf{N} $, define the function:
 where $\mathcal{P}\left(X\right)$ is for the powerset of the set $X$, that is, $Y \in \mathcal{P}\left(X\right) \Longleftrightarrow Y \subset X$.
 
 Given a function $f:\mathds{B}^\mathsf{N} \longrightarrow \mathds{B}^\mathsf{N} $, define the function:

-\begin{equation}
-\begin{array}{lrll}
-F_{f}: & \mathcal{P}\left(\llbracket1;\mathsf{N}\rrbracket \right) \times \mathds{B}^{\mathsf{N}} &
-\longrightarrow & \mathds{B}^{\mathsf{N}} \\
-& (P,E) & \longmapsto & \left( E_{j}.\chi (j,P)+f(E)_{j}.\overline{\chi
-(j,P)}\right) _{j\in \llbracket1;\mathsf{N}\rrbracket},%
+$F_{f}:  \mathcal{P}\left(\llbracket1;\mathsf{N}\rrbracket \right) \times \mathds{B}^{\mathsf{N}} 
+\longrightarrow \mathds{B}^{\mathsf{N}}$
+\begin{equation*}
+\begin{array}{rll}
+ (P,E) & \longmapsto & \left( E_{j}.\chi (j,P)+f(E)_{j}.\overline{\chi(j,P)}\right) _{j\in \llbracket1;\mathsf{N}\rrbracket}%

 \end{array}%
 \end{array}%

-\end{equation}%
+\end{equation*}%

 where + and . are the Boolean addition and product operations, and $\overline{x}$ 
 is the negation of the Boolean $x$.
 Consider the phase space:
 where + and . are the Boolean addition and product operations, and $\overline{x}$ 
 is the negation of the Boolean $x$.
 Consider the phase space:


@@ -529,7 +639,7 @@ Consider the phase space:
 \end{equation}
 \noindent and the map defined on $\mathcal{X}$:
 \begin{equation}
 \end{equation}
 \noindent and the map defined on $\mathcal{X}$:
 \begin{equation}

-G_f\left(S,E\right) = \left(\sigma(S), F_f(i(S),E)\right), \label{Gf}
+G_f\left(S,E\right) = \left(\sigma(S), F_f(i(S),E)\right), %\label{Gf} %%RAPH, j'ai viré ce label qui existe déjà avant...

 \end{equation}
 \noindent where $\sigma$ is the \emph{shift} function defined by $\sigma
 (S^{n})_{n\in \mathds{N}}\in \mathcal{P}\left(\llbracket 1 ; \mathsf{N} \rrbracket\right)^\mathds{N}\longrightarrow (S^{n+1})_{n\in
 \end{equation}
 \noindent where $\sigma$ is the \emph{shift} function defined by $\sigma
 (S^{n})_{n\in \mathds{N}}\in \mathcal{P}\left(\llbracket 1 ; \mathsf{N} \rrbracket\right)^\mathds{N}\longrightarrow (S^{n+1})_{n\in


@@ -546,7 +656,7 @@ X^{k+1}=G_{f}(X^k).%
 \right.
 \end{equation}%
 
 \right.
 \end{equation}%
 

-Another time, a shift function appears as a component of these general chaotic 
+Once more, a shift function appears as a component of these general chaotic 

 iterations. 
 
 To study the Devaney's chaos property, a distance between two points 
 iterations. 
 
 To study the Devaney's chaos property, a distance between two points 


@@ -556,17 +666,21 @@ Let us introduce:
 d(X,Y)=d_{e}(E,\check{E})+d_{s}(S,\check{S}),
 \label{nouveau d}
 \end{equation}
 d(X,Y)=d_{e}(E,\check{E})+d_{s}(S,\check{S}),
 \label{nouveau d}
 \end{equation}

-\noindent where
-\begin{equation}
-\left\{
-\begin{array}{lll}
-\displaystyle{d_{e}(E,\check{E})} & = & \displaystyle{\sum_{k=1}^{\mathsf{N}%
-}\delta (E_{k},\check{E}_{k})}\textrm{ is another time the Hamming distance}, \\
-\displaystyle{d_{s}(S,\check{S})} & = & \displaystyle{\dfrac{9}{\mathsf{N}}%
-\sum_{k=1}^{\infty }\dfrac{|S^k\Delta {S}^k|}{10^{k}}}.%
-\end{array}%
-\right.
-\end{equation}
+\noindent where $ \displaystyle{d_{e}(E,\check{E})} = \displaystyle{\sum_{k=1}^{\mathsf{N}%
+ }\delta (E_{k},\check{E}_{k})}$  is once more the Hamming distance, and
+$  \displaystyle{d_{s}(S,\check{S})}  =  \displaystyle{\dfrac{9}{\mathsf{N}}%
+ \sum_{k=1}^{\infty }\dfrac{|S^k\Delta {S}^k|}{10^{k}}}$,
+%%RAPH : ici, j'ai supprimé tous les sauts à la ligne
+%% \begin{equation}
+%% \left\{
+%% \begin{array}{lll}
+%% \displaystyle{d_{e}(E,\check{E})} & = & \displaystyle{\sum_{k=1}^{\mathsf{N}%
+%% }\delta (E_{k},\check{E}_{k})} \textrm{ is once more the Hamming distance}, \\
+%% \displaystyle{d_{s}(S,\check{S})} & = & \displaystyle{\dfrac{9}{\mathsf{N}}%
+%% \sum_{k=1}^{\infty }\dfrac{|S^k\Delta {S}^k|}{10^{k}}}.%
+%% \end{array}%
+%% \right.
+%% \end{equation}

 where $|X|$ is the cardinality of a set $X$ and $A\Delta B$ is for the symmetric difference, defined for sets A, B as
 $A\,\Delta\,B = (A \setminus B) \cup (B \setminus A)$.
 
 where $|X|$ is the cardinality of a set $X$ and $A\Delta B$ is for the symmetric difference, defined for sets A, B as
 $A\,\Delta\,B = (A \setminus B) \cup (B \setminus A)$.
 


@@ -577,7 +691,7 @@ The function $d$ defined in Eq.~\ref{nouveau d} is a metric on $\mathcal{X}$.
 
 \begin{proof}
  $d_e$ is the Hamming distance. We will prove that $d_s$ is a distance
 
 \begin{proof}
  $d_e$ is the Hamming distance. We will prove that $d_s$ is a distance

-too, thus $d$ will be a distance as sum of two distances.
+too, thus $d$, as being the sum of two distances, will also be a distance.

  \begin{itemize}
 \item Obviously, $d_s(S,\check{S})\geqslant 0$, and if $S=\check{S}$, then 
 $d_s(S,\check{S})=0$. Conversely, if $d_s(S,\check{S})=0$, then 
  \begin{itemize}
 \item Obviously, $d_s(S,\check{S})\geqslant 0$, and if $S=\check{S}$, then 
 $d_s(S,\check{S})=0$. Conversely, if $d_s(S,\check{S})=0$, then 


@@ -594,7 +708,7 @@ inequality is obtained.
 
 
 Before being able to study the topological behavior of the general 
 
 
 Before being able to study the topological behavior of the general 

-chaotic iterations, we must firstly establish that:
+chaotic iterations, we must first establish that:

 
 \begin{proposition}
  For all $f:\mathds{B}^\mathsf{N} \longrightarrow \mathds{B}^\mathsf{N} $, the function $G_f$ is continuous on 
 
 \begin{proposition}
  For all $f:\mathds{B}^\mathsf{N} \longrightarrow \mathds{B}^\mathsf{N} $, the function $G_f$ is continuous on 


@@ -630,7 +744,7 @@ so, after the $max(n_0, n_1)^{th}$ term, the distance $d$ between these two poin
 G_{f}(S^n,E^n)\right) $ and $\left( G_{f}(S,E)\right) $ is convergent to
 0. Let $\varepsilon >0$. \medskip
 \begin{itemize}
 G_{f}(S^n,E^n)\right) $ and $\left( G_{f}(S,E)\right) $ is convergent to
 0. Let $\varepsilon >0$. \medskip
 \begin{itemize}

-\item If $\varepsilon \geqslant 1$, we see that distance
+\item If $\varepsilon \geqslant 1$, we see that the distance

 between $\left( G_{f}(S^n,E^n)\right) $ and $\left( G_{f}(S,E)\right) $ is
 strictly less than 1 after the $max(n_{0},n_{1})^{th}$ term (same state).
 \medskip
 between $\left( G_{f}(S^n,E^n)\right) $ and $\left( G_{f}(S,E)\right) $ is
 strictly less than 1 after the $max(n_{0},n_{1})^{th}$ term (same state).
 \medskip


@@ -645,14 +759,16 @@ thus after $n_{2}$, the $k+2$ first terms of $S^n$ and $S$ are equal.
 \noindent As a consequence, the $k+1$ first entries of the strategies of $%
 G_{f}(S^n,E^n)$ and $G_{f}(S,E)$ are the same ($G_{f}$ is a shift of strategies) and due to the definition of $d_{s}$, the floating part of
 the distance between $(S^n,E^n)$ and $(S,E)$ is strictly less than $%
 \noindent As a consequence, the $k+1$ first entries of the strategies of $%
 G_{f}(S^n,E^n)$ and $G_{f}(S,E)$ are the same ($G_{f}$ is a shift of strategies) and due to the definition of $d_{s}$, the floating part of
 the distance between $(S^n,E^n)$ and $(S,E)$ is strictly less than $%

-10^{-(k+1)}\leqslant \varepsilon $.\bigskip \newline
+10^{-(k+1)}\leqslant \varepsilon $.
+

 In conclusion,
 In conclusion,

-$$
-\forall \varepsilon >0,\exists N_{0}=max(n_{0},n_{1},n_{2})\in \mathds{N}%
-,\forall n\geqslant N_{0},
- d\left( G_{f}(S^n,E^n);G_{f}(S,E)\right)
+%%RAPH : ici j'ai rajouté une ligne
+$
+\forall \varepsilon >0,$ $\exists N_{0}=max(n_{0},n_{1},n_{2})\in \mathds{N}
+,$ $\forall n\geqslant N_{0},$
+$ d\left( G_{f}(S^n,E^n);G_{f}(S,E)\right)

 \leqslant \varepsilon .
 \leqslant \varepsilon .

-$$
+$

 $G_{f}$ is consequently continuous.
 \end{proof}
 
 $G_{f}$ is consequently continuous.
 \end{proof}
 


@@ -692,7 +808,7 @@ where $(s^0,s^1, \hdots)$ is the strategy of $Y$, satisfies the properties
 claimed in the lemma.
 \end{proof}
 
 claimed in the lemma.
 \end{proof}
 

-We can now prove the Theorem~\ref{t:chaos des general}...
+We can now prove the Theorem~\ref{t:chaos des general}.

 
 \begin{proof}[Theorem~\ref{t:chaos des general}]
 Firstly, strong transitivity implies transitivity.
 
 \begin{proof}[Theorem~\ref{t:chaos des general}]
 Firstly, strong transitivity implies transitivity.


@@ -710,8 +826,10 @@ and $t_2\in\mathds{N}$ such
 that $E$ is reached from $(S',E')$ after $t_2$ iterations of $G_f$.
 
 Consider the strategy $\tilde S$ that alternates the first $t_1$ terms
 that $E$ is reached from $(S',E')$ after $t_2$ iterations of $G_f$.
 
 Consider the strategy $\tilde S$ that alternates the first $t_1$ terms

-of $S$ and the first $t_2$ terms of $S'$: $$\tilde
-S=(S_0,\dots,S_{t_1-1},S'_0,\dots,S'_{t_2-1},S_0,\dots,S_{t_1-1},S'_0,\dots,S'_{t_2-1},S_0,\dots).$$ It
+of $S$ and the first $t_2$ terms of $S'$: 
+%%RAPH : j'ai coupé la ligne en 2
+$$\tilde
+S=(S_0,\dots,S_{t_1-1},S'_0,\dots,S'_{t_2-1},S_0,$$$$\dots,S_{t_1-1},S'_0,\dots,S'_{t_2-1},S_0,\dots).$$ It

 is clear that $(\tilde S,E)$ is obtained from $(\tilde S,E)$ after
 $t_1+t_2$ iterations of $G_f$. So $(\tilde S,E)$ is a periodic
 point. Since $\tilde S_t=S_t$ for $t<t_1$, by the choice of $t_1$, we
 is clear that $(\tilde S,E)$ is obtained from $(\tilde S,E)$ after
 $t_1+t_2$ iterations of $G_f$. So $(\tilde S,E)$ is a periodic
 point. Since $\tilde S_t=S_t$ for $t<t_1$, by the choice of $t_1$, we


@@ -719,807 +837,1116 @@ have $d((S,E),(\tilde S,E))<\epsilon$.
 \end{proof}
 
 
 \end{proof}
 
 

-
-\section{Efficient PRNG based on Chaotic Iterations}
-\label{sec:efficient prng}
-
-In  order to  implement efficiently  a PRNG  based on  chaotic iterations  it is
-possible to improve  previous works [ref]. One solution  consists in considering
-that the  strategy used contains all the  bits for which the  negation is
-achieved out. Then in order to apply  the negation on these bits we can simply
-apply the  xor operator between  the current number  and the strategy. In
-order to obtain the strategy we also use a classical PRNG.
-
-Here  is an  example with  16-bits numbers  showing how  the bitwise  operations
-are
-applied.  Suppose  that $x$ and the  strategy $S^i$ are defined  in binary mode.
-Then the following table shows the result of $x$ xor $S^i$.
-$$
-\begin{array}{|cc|cccccccccccccccc|}
-\hline
-x      &=&1&0&1&1&1&0&1&0&1&0&0&1&0&0&1&0\\
-\hline
-S^i      &=&0&1&1&0&0&1&1&0&1&1&1&0&0&1&1&1\\
-\hline
-x \oplus S^i&=&1&1&0&1&1&1&0&0&0&1&1&1&0&1&0&1\\
-\hline
-
-\hline
- \end{array}
-$$
-
-%% \begin{figure}[htbp]
-%% \begin{center}
-%% \fbox{
-%% \begin{minipage}{14cm}
-%% unsigned int CIprng() \{\\
-%%   static unsigned int x = 123123123;\\
-%%   unsigned long t1 = xorshift();\\
-%%   unsigned long t2 = xor128();\\
-%%   unsigned long t3 = xorwow();\\
-%%   x = x\textasciicircum (unsigned int)t1;\\
-%%   x = x\textasciicircum (unsigned int)(t2$>>$32);\\
-%%   x = x\textasciicircum (unsigned int)(t3$>>$32);\\
-%%   x = x\textasciicircum (unsigned int)t2;\\
-%%   x = x\textasciicircum (unsigned int)(t1$>>$32);\\
-%%   x = x\textasciicircum (unsigned int)t3;\\
-%%   return x;\\
-%% \}
-%% \end{minipage}
-%% }
-%% \end{center}
-%% \caption{sequential Chaotic Iteration PRNG}
-%% \label{algo:seqCIprng}
-%% \end{figure}
-
-
-
-\lstset{language=C,caption={C code of the sequential chaotic iterations based
-PRNG},label=algo:seqCIprng}
-\begin{lstlisting}
-unsigned int CIprng() {
-  static unsigned int x = 123123123;
-  unsigned long t1 = xorshift();
-  unsigned long t2 = xor128();
-  unsigned long t3 = xorwow();
-  x = x^(unsigned int)t1;
-  x = x^(unsigned int)(t2>>32);
-  x = x^(unsigned int)(t3>>32);
-  x = x^(unsigned int)t2;
-  x = x^(unsigned int)(t1>>32);
-  x = x^(unsigned int)t3;
-  return x;
-}
-\end{lstlisting}
-
-
-
+\begin{color}{red}
+\section{Improving Statistical Properties Using Chaotic Iterations}

 
 
 
 

-In listing~\ref{algo:seqCIprng}  a sequential version of  our chaotic iterations
-based PRNG is  presented.  The xor operator is  represented by \textasciicircum.
-This  function uses  three classical  64-bits PRNG:  the  \texttt{xorshift}, the
-\texttt{xor128}  and  the  \texttt{xorwow}.   In  the following,  we  call  them
-xor-like PRNGSs.   These three PRNGs are  presented in~\cite{Marsaglia2003}.  As
-each xor-like PRNG  used works with 64-bits and as our  PRNG works with 32-bits,
-the use of \texttt{(unsigned int)} selects the 32 least significant bits whereas
-\texttt{(unsigned int)(t3$>>$32)}  selects the 32 most significants  bits of the
-variable \texttt{t}.   So to produce a  random number realizes  6 xor operations
-with 6 32-bits  numbers produced by 3 64-bits PRNG.   This version successes the
-BigCrush of the TestU01 battery~\cite{LEcuyerS07}.
+\subsection{The CIPRNG family}

 
 

-\section{Efficient PRNGs based on chaotic iterations on GPU}
-\label{sec:efficient prng gpu}
+Three categories of PRNGs have been derived from chaotic iterations. They are
+recalled in what follows.

 
 

-In  order to benefit  from computing  power of  GPU, a  program needs  to define
-independent blocks of threads which  can be computed simultaneously. In general,
-the larger the number of threads is,  the more local memory is used and the less
-branching  instructions are  used (if,  while, ...),  the better  performance is
-obtained  on  GPU.  So  with  algorithm  \ref{algo:seqCIprng}  presented in  the
-previous section, it is possible to  build a similar program which computes PRNG
-on   GPU.  In  the   CUDA~\cite{Nvid10}  environment,   threads  have   a  local
-identificator, called \texttt{ThreadIdx} relative to the block containing them.
+\subsubsection{Old CIPRNG}

 
 

+Let $\mathsf{N} = 4$. Some chaotic iterations are fulfilled to generate a sequence $\left(x^n\right)_{n\in\mathds{N}} \in \left(\mathds{B}^4\right)^\mathds{N}$ of Boolean vectors: the successive states of the iterated system. Some of these vectors are randomly extracted and their components constitute our pseudorandom bit flow~\cite{bgw09:ip}.
+Chaotic iterations are realized as follows. Initial state $x^0 \in \mathds{B}^4$ is a Boolean vector taken as a seed and chaotic strategy $\left(S^n\right)_{n\in\mathds{N}}\in \llbracket 1, 4 \rrbracket^\mathds{N}$ is constructed with $PRNG_2$. Lastly, iterate function $f$ is the vectorial Boolean negation.
+At each iteration, only the $S^n$-th component of state $x^n$ is updated. Finally, some $x^n$ are selected by a sequence $m^n$, provided by a second generator $PRNG_1$, as the pseudorandom bit sequence of our generator.

 
 

-\subsection{Naive version for GPU}
+The basic design procedure of the Old CI generator is summed up in Algorithm~\ref{Chaotic iteration}.
+The internal state is $x$, the output array is $r$. $a$ and $b$ are those computed by $PRNG_1$ and $PRNG_2$.

 
 

-From the CPU version, it is possible  to obtain a quite similar version for GPU.
-The principe consists in assigning the computation of a PRNG as in sequential to
-each thread  of the  GPU.  Of course,  it is  essential that the  three xor-like
-PRNGs  used for  our computation  have different  parameters. So  we  chose them
-randomly with  another PRNG. As the  initialisation is performed by  the CPU, we
-have  chosen  to  use  the  ISAAC  PRNG~\ref{Jenkins96}  to  initalize  all  the
-parameters for  the GPU version  of our PRNG.   The implementation of  the three
-xor-like  PRNGs  is  straightforward  as  soon as  their  parameters  have  been
-allocated in  the GPU memory.  Each xor-like PRNGs  used works with  an internal
-number  $x$  which keeps  the  last  generated  random numbers.  Other  internal
-variables  are   also  used   by  the  xor-like   PRNGs.  More   precisely,  the
-implementation of the  xor128, the xorshift and the  xorwow respectively require
-4, 5 and 6 unsigned long as internal variables.

 
 \begin{algorithm}
 
 \begin{algorithm}

-
-\KwIn{InternalVarXorLikeArray: array with internal variables of the 3 xor-like
-PRNGs in global memory\;
-NumThreads: Number of threads\;}
-\KwOut{NewNb: array containing random numbers in global memory}
-\If{threadIdx is concerned by the computation} {
-  retrieve data from InternalVarXorLikeArray[threadIdx] in local variables\;
-  \For{i=1 to n} {
-    compute a new PRNG as in Listing\ref{algo:seqCIprng}\;
-    store the new PRNG in NewNb[NumThreads*threadIdx+i]\;
-  }
-  store internal variables in InternalVarXorLikeArray[threadIdx]\;
-}
-
-\caption{main kernel for the chaotic iterations based PRNG GPU naive version}
-\label{algo:gpu_kernel}
+\textbf{Input:} the internal state $x$ (an array of 4-bit words)\\
+\textbf{Output:} an array $r$ of 4-bit words
+\begin{algorithmic}[1]
+
+\STATE$a\leftarrow{PRNG_1()}$;
+\STATE$m\leftarrow{a~mod~2+13}$;
+\WHILE{$i=0,\dots,m$}
+\STATE$b\leftarrow{PRNG_2()}$;
+\STATE$S\leftarrow{b~mod~4}$;
+\STATE$x_S\leftarrow{ \overline{x_S}}$;
+\ENDWHILE
+\STATE$r\leftarrow{x}$;
+\STATE return $r$;
+\medskip
+\caption{An arbitrary round of the old CI generator}
+\label{Chaotic iteration}
+\end{algorithmic}

 \end{algorithm}
 
 \end{algorithm}
 

-Algorithm~\ref{algo:gpu_kernel}  presents a naive  implementation of  PRNG using
-GPU.  According  to the available  memory in the  GPU and the number  of threads
-used simultenaously,  the number  of random numbers  that a thread  can generate
-inside   a    kernel   is   limited,   i.e.    the    variable   \texttt{n}   in
-algorithm~\ref{algo:gpu_kernel}. For example, if  $100,000$ threads are used and
-if $n=100$\footnote{in fact, we need to add the initial seed (a 32-bits number)}
-then   the  memory   required   to  store   internals   variables  of   xor-like
-PRNGs\footnote{we multiply this number by $2$ in order to count 32-bits numbers}
-and  random  number of  our  PRNG  is  equals to  $100,000\times  ((4+5+6)\times
-2+(1+100))=1,310,000$ 32-bits numbers, i.e. about $52$Mb.
+\subsubsection{New CIPRNG}

 
 

-All the  tests performed  to pass the  BigCrush of TestU01  succeeded. Different
-number of threads, called \texttt{NumThreads} in our algorithm, have been tested
-upto $10$ millions.
+The New CI generator is designed by the following process~\cite{bg10:ip}. First of all, some chaotic iterations have to be done to generate a sequence $\left(x^n\right)_{n\in\mathds{N}} \in \left(\mathds{B}^{32}\right)^\mathds{N}$ of Boolean vectors, which are the successive states of the iterated system. Some of these vectors will be randomly extracted and our pseudo-random bit flow will be constituted by their components. Such chaotic iterations are realized as follows. Initial state $x^0 \in \mathds{B}^{32}$ is a Boolean vector taken as a seed and chaotic strategy $\left(S^n\right)_{n\in\mathds{N}}\in \llbracket 1, 32 \rrbracket^\mathds{N}$ is
+an \emph{irregular decimation} of $PRNG_2$ sequence, as described in Algorithm~\ref{Chaotic iteration1}.

 
 

-\begin{remark}
-Algorithm~\ref{algo:gpu_kernel}  has  the  advantage to  manipulate  independent
-PRNGs, so this version is easily usable on a cluster of computer. The only thing
-to ensure is to use a single ISAAC PRNG. For this, a simple solution consists in
-using a master node for the initialization which computes the initial parameters
-for all the differents nodes involves in the computation.
-\end{remark}
+Another time, at each iteration, only the $S^n$-th component of state $x^n$ is updated, as follows: $x_i^n = x_i^{n-1}$ if $i \neq S^n$, else $x_i^n = \overline{x_i^{n-1}}$.
+Finally, some $x^n$ are selected
+by a sequence $m^n$ as the pseudo-random bit sequence of our generator.
+$(m^n)_{n \in \mathds{N}} \in \mathcal{M}^\mathds{N}$ is computed from $PRNG_1$, where $\mathcal{M}\subset \mathds{N}^*$ is a finite nonempty set of integers.

 
 

-\subsection{Improved version for GPU}
+The basic design procedure of the New CI generator is summarized in Algorithm~\ref{Chaotic iteration1}.
+The internal state is $x$, the output state is $r$. $a$ and $b$ are those computed by the two input
+PRNGs. Lastly, the value $g_1(a)$ is an integer defined as in Eq.~\ref{Formula}.

 
 

-As GPU cards using CUDA have shared memory between threads of the same block, it
-is possible  to use this  feature in order  to simplify the  previous algorithm,
-i.e., using less  than 3 xor-like PRNGs. The solution  consists in computing only
-one xor-like PRNG by thread, saving  it into shared memory and using the results
-of some  other threads in the  same block of  threads. In order to  define which
-thread uses the result of which other  one, we can use a permutation array which
-contains  the indexes  of  all threads  and  for which  a  permutation has  been
-performed.  In Algorithm~\ref{algo:gpu_kernel2}, 2 permutations arrays are used.
-The    variable   \texttt{offset}    is    computed   using    the   value    of
-\texttt{permutation\_size}.   Then we  can compute  \texttt{o1}  and \texttt{o2}
-which represent the indexes of the  other threads for which the results are used
-by the  current thread. In  the algorithm, we  consider that a  64-bits xor-like
-PRNG is used, that is why both 32-bits parts are used.
-
-This version also succeeds to the {\it BigCrush} batteries of tests.
+\begin{equation}
+\label{Formula}
+m^n = g_1(y^n)=
+\left\{
+\begin{array}{l}
+0 \text{ if }0 \leqslant{y^n}<{C^0_{32}},\\
+1 \text{ if }{C^0_{32}} \leqslant{y^n}<\sum_{i=0}^1{C^i_{32}},\\
+2 \text{ if }\sum_{i=0}^1{C^i_{32}} \leqslant{y^n}<\sum_{i=0}^2{C^i_{32}},\\
+\vdots~~~~~ ~~\vdots~~~ ~~~~\\
+N \text{ if }\sum_{i=0}^{N-1}{C^i_{32}}\leqslant{y^n}<1.\\
+\end{array}
+\right.
+\end{equation}

 
 \begin{algorithm}
 
 \begin{algorithm}

-
-\KwIn{InternalVarXorLikeArray: array with internal variables of 1 xor-like PRNGs
-in global memory\;
-NumThreads: Number of threads\;
-tab1, tab2: Arrays containing permutations of size permutation\_size\;}
-
-\KwOut{NewNb: array containing random numbers in global memory}
-\If{threadId is concerned} {
-  retrieve data from InternalVarXorLikeArray[threadId] in local variables including shared memory\;
-  offset = threadIdx\%permutation\_size\;
-  o1 = threadIdx-offset+tab1[offset]\;
-  o2 = threadIdx-offset+tab2[offset]\;
-  \For{i=1 to n} {
-    t=xor-like()\;
-    t=t$\oplus$shmem[o1]$\oplus$shmem[o2]\;
-    shared\_mem[threadId]=t\;
-    x = x $\oplus$ t\;
-
-    store the new PRNG in NewNb[NumThreads*threadId+i]\;
-  }
-  store internal variables in InternalVarXorLikeArray[threadId]\;
+\textbf{Input:} the internal state $x$ (32 bits)\\
+\textbf{Output:} a state $r$ of 32 bits
+\begin{algorithmic}[1]
+\FOR{$i=0,\dots,N$}
+{
+\STATE$d_i\leftarrow{0}$\;

 }
 }

-
-\caption{main kernel for the chaotic iterations based PRNG GPU efficient
-version}
-\label{algo:gpu_kernel2}
+\ENDFOR
+\STATE$a\leftarrow{PRNG_1()}$\;
+\STATE$m\leftarrow{f(a)}$\;
+\STATE$k\leftarrow{m}$\;
+\WHILE{$i=0,\dots,k$}
+
+\STATE$b\leftarrow{PRNG_2()~mod~\mathsf{N}}$\;
+\STATE$S\leftarrow{b}$\;
+    \IF{$d_S=0$}
+    {
+\STATE      $x_S\leftarrow{ \overline{x_S}}$\;
+\STATE      $d_S\leftarrow{1}$\;
+
+    }
+    \ELSIF{$d_S=1$}
+    {
+\STATE      $k\leftarrow{ k+1}$\;
+    }\ENDIF
+\ENDWHILE\\
+\STATE $r\leftarrow{x}$\;
+\STATE return $r$\;
+\medskip
+\caption{An arbitrary round of the new CI generator}
+\label{Chaotic iteration1}
+\end{algorithmic}

 \end{algorithm}
 
 \end{algorithm}
 

-\subsection{Theoretical Evaluation of the Improved Version}
-
-A run of Algorithm~\ref{algo:gpu_kernel2} consists in three operations having 
-the form of Equation~\ref{equation Oplus}, which is equivalent to the iterative
-system of Eq.~\ref{eq:generalIC}. That is, three iterations of the general chaotic
-iterations are realized between two stored values of the PRNG.
-To be certain that we are in the framework of Theorem~\ref{t:chaos des general},
-we must guarantee that this dynamical system iterates on the space 
-$\mathcal{X} = \mathcal{P}\left(\llbracket 1, \mathsf{N} \rrbracket\right)^\mathds{N}\times\mathds{B}^\mathsf{N}$.
-The left term $x$ obviously belongs into $\mathds{B}^ \mathsf{N}$.
-To prevent from any flaws of chaotic properties, we must check that each right 
-term, corresponding to terms of the strategies,  can possibly be equal to any
-integer of $\llbracket 1, \mathsf{N} \rrbracket$. 
-
-Such a result is obvious for the two first lines, as for the xor-like(), all the
-integers belonging into its interval of definition can occur at each iteration.
-It can be easily stated for the two last lines by an immediate mathematical
-induction.
-
-Thus Algorithm~\ref{algo:gpu_kernel2} is a concrete realization of the general
-chaotic iterations presented previously, and for this reason, it satisfies the 
-Devaney's formulation of a chaotic behavior.
-
-\section{Experiments}
-\label{sec:experiments}
-
-Different experiments  have been  performed in order  to measure  the generation
-speed. We have used  a computer equiped with Tesla C1060 NVidia  GPU card and an
-Intel  Xeon E5530 cadenced  at 2.40  GHz for  our experiments  and we  have used
-another one  equipped with  a less performant  CPU and  a GeForce GTX  280. Both
-cards have 240 cores.
-
-In Figure~\ref{fig:time_gpu}  we compare the number of  random numbers generated
-per second. The xor-like prng  is a xor64 described in~\cite{Marsaglia2003}.  In
-order to obtain the optimal performance  we remove the storage of random numbers
-in the GPU memory. This step is time consumming and slows down the random number
-generation.  Moreover, if you are interested by applications that consome random
-numbers  directly   when  they  are  generated,  their   storage  is  completely
-useless. In this  figure we can see  that when the number of  threads is greater
-than approximately 30,000 upto 5 millions the number of random numbers generated
-per second  is almost constant.  With the  naive version, it is  between 2.5 and
-3GSample/s.   With  the  optimized   version,  it  is  approximately  equals  to
-20GSample/s. Finally  we can remark  that both GPU  cards are quite  similar. In
-practice,  the Tesla C1060  has more  memory than  the GTX  280 and  this memory
-should be of better quality.
-
-\begin{figure}[htbp]
-\begin{center}
-  \includegraphics[scale=.7]{curve_time_gpu.pdf}
-\end{center}
-\caption{Number of random numbers generated per second}
-\label{fig:time_gpu}
-\end{figure}
-

 
 

-In  comparison,   Listing~\ref{algo:seqCIprng}  allows  us   to  generate  about
-138MSample/s with only one core of the Xeon E5530.
+\subsubsection{Xor CIPRNG}

 
 

+Instead of updating only one cell at each iteration as Old CI and New CI, we can try to choose a
+subset of components and to update them together. Such an attempt leads
+to a kind of merger of the two random sequences. When the updating function is the vectorial negation,
+this algorithm can be rewritten as follows~\cite{arxivRCCGPCH}:

 
 

+\begin{equation}
+\left\{
+\begin{array}{l}
+x^0 \in \llbracket 0, 2^\mathsf{N}-1 \rrbracket, S \in \llbracket 0, 2^\mathsf{N}-1 \rrbracket^\mathds{N} \\
+\forall n \in \mathds{N}^*, x^n = x^{n-1} \oplus S^n,
+\end{array}
+\right.
+\label{equation Oplus}
+\end{equation}
+%This rewriting can be understood as follows. The $n-$th term $S^n$ of the
+%sequence $S$, which is an integer of $\mathsf{N}$ binary digits, presents
+%the list of cells to update in the state $x^n$ of the system (represented
+%as an integer having $\mathsf{N}$ bits too). More precisely, the $k-$th
+%component of this state (a binary digit) changes if and only if the $k-$th
+%digit in the binary decomposition of $S^n$ is 1.
+
+The single basic component presented in Eq.~\ref{equation Oplus} is of
+ordinary use as a good elementary brick in various PRNGs. It corresponds
+to the discrete dynamical system in chaotic iterations.

 
 

+\subsection{About some Well-known PRNGs}
+\label{The generation of pseudo-random sequence}

 
 
 
 

-\section{The relativity of disorder}
-\label{sec:de la relativité du désordre}
-
-In the next two sections, we investigate the impact of the choices that have
-lead to the definitions of measures in Sections \ref{sec:chaotic iterations} and \ref{deuxième def}.
-
-\subsection{Impact of the topology's finenesse}
-
-Let us firstly introduce the following notations.
-
-\begin{notation}
-$\mathcal{X}_\tau$ will denote the topological space
-$\left(\mathcal{X},\tau\right)$, whereas $\mathcal{V}_\tau (x)$ will be the set
-of all the neighborhoods of $x$ when considering the topology $\tau$ (or simply
-$\mathcal{V} (x)$, if there is no ambiguity).
-\end{notation}
-

 
 
 
 

-\begin{theorem}
-\label{Th:chaos et finesse}
-Let $\mathcal{X}$ a set and $\tau, \tau'$ two topologies on $\mathcal{X}$ s.t.
-$\tau'$ is finer than $\tau$. Let $f:\mathcal{X} \to \mathcal{X}$, continuous
-both for $\tau$ and $\tau'$.
+Let us now give illustration on the fact that chaos appears to improve statistical properties.

 
 

-If $(\mathcal{X}_{\tau'},f)$ is chaotic according to Devaney, then
-$(\mathcal{X}_\tau,f)$ is chaotic too.
-\end{theorem}
+\subsection{Details of some Existing Generators}

 
 

-\begin{proof}
-Let us firstly establish the transitivity of $(\mathcal{X}_\tau,f)$.
+Here are the modules of PRNGs we have chosen to experiment.

 
 

-Let $\omega_1, \omega_2$ two open sets of $\tau$. Then $\omega_1, \omega_2 \in
-\tau'$, becaus $\tau'$ is finer than $\tau$. As $f$ is $\tau'-$transitive, we
-can deduce that $\exists n \in \mathds{N}, \omega_1 \cap f^{(n)}(\omega_2) =
-\varnothing$. Consequently, $f$ is $\tau-$transitive.
+\subsubsection{LCG}
+This PRNG implements either the simple or the combined linear congruency generator (LCGs). The simple LCG is defined by the recurrence:
+\begin{equation}
+x^n = (ax^{n-1} + c)~mod~m
+\label{LCG}
+\end{equation}
+where $a$, $c$, and $x^0$ must be, among other things, non-negative and less than $m$~\cite{testU01}. In what follows, 2LCGs and 3LCGs refer as two (resp. three) combinations of such LCGs.
+For further details, see~\cite{combined_lcg}.

 
 

-Let us now consider the regularity of $(\mathcal{X}_\tau,f)$, \emph{i.e.}, for
-all $x \in \mathcal{X}$, and for all $\tau-$neighborhood $V$ of $x$, there is a
-periodic point for $f$ into $V$.
+\subsubsection{MRG}
+This module implements multiple recursive generators (MRGs), based on a linear recurrence of order $k$, modulo $m$~\cite{testU01}:
+\begin{equation}
+x^n = (a^1x^{n-1}+~...~+a^kx^{n-k})~mod~m
+\label{MRG}
+\end{equation}
+Combination of two MRGs (referred as 2MRGs) is also be used in this paper.

 
 

-Let $x \in \mathcal{X}$ and $V \in \mathcal{V}_\tau (x)$ a $\tau-$neighborhood
-of $x$. By definition, $\exists \omega \in \tau, x \in \omega \subset V$.
+\subsubsection{UCARRY}
+Generators based on linear recurrences with carry are implemented in this module. This includes the add-with-carry (AWC) generator, based on the recurrence:
+\begin{equation}
+\label{AWC}
+\begin{array}{l}
+x^n = (x^{n-r} + x^{n-s} + c^{n-1})~mod~m, \\
+c^n= (x^{n-r} + x^{n-s} + c^{n-1}) / m, \end{array}\end{equation}
+the SWB generator, having the recurrence:
+\begin{equation}
+\label{SWB}
+\begin{array}{l}
+x^n = (x^{n-r} - x^{n-s} - c^{n-1})~mod~m, \\
+c^n=\left\{
+\begin{array}{l}
+1 ~~~~~\text{if}~ (x^{i-r} - x^{i-s} - c^{i-1})<0\\
+0 ~~~~~\text{else},\end{array} \right. \end{array}\end{equation}
+and the SWC generator designed by R. Couture, which is based on the following recurrence:
+\begin{equation}
+\label{SWC}
+\begin{array}{l}
+x^n = (a^1x^{n-1} \oplus ~...~ \oplus a^rx^{n-r} \oplus c^{n-1}) ~ mod ~ 2^w, \\
+c^n = (a^1x^{n-1} \oplus ~...~ \oplus a^rx^{n-r} \oplus c^{n-1}) ~ / ~ 2^w. \end{array}\end{equation}

 
 

-But $\tau \subset \tau'$, so $\omega \in \tau'$, and then $V \in
-\mathcal{V}_{\tau'} (x)$. As $(\mathcal{X}_{\tau'},f)$ is regular, there is a
-periodic point for $f$ into $V$, and the regularity of $(\mathcal{X}_\tau,f)$ is
-proven. 
-\end{proof}
+\subsubsection{GFSR}
+This module implements the generalized feedback shift register (GFSR) generator, that is:
+\begin{equation}
+x^n = x^{n-r} \oplus x^{n-k}
+\label{GFSR}
+\end{equation}

 
 

-\subsection{A given system can always be claimed as chaotic}

 
 

-Let $f$ an iteration function on $\mathcal{X}$ having at least a fixed point.
-Then this function is chaotic (in a certain way):
+\subsubsection{INV}
+Finally, this module implements the nonlinear inversive generator, as defined in~\cite{testU01}, which is:

 
 

-\begin{theorem}
-Let $\mathcal{X}$ a nonempty set and $f: \mathcal{X} \to \X$ a function having
-at least a fixed point.
-Then $f$ is $\tau_0-$chaotic, where $\tau_0$ is the trivial (indiscrete)
-topology on $\X$.
-\end{theorem}
+\begin{equation}
+\label{INV}
+\begin{array}{l}
+x^n=\left\{
+\begin{array}{ll}
+(a^1 + a^2 / z^{n-1})~mod~m & \text{if}~ z^{n-1} \neq 0 \\
+a^1 & \text{if}~  z^{n-1} = 0 .\end{array} \right. \end{array}\end{equation}

 
 
 
 

-\begin{proof}
-$f$ is transitive when $\forall \omega, \omega' \in \tau_0 \setminus
-\{\varnothing\}, \exists n \in \mathds{N}, f^{(n)}(\omega) \cap \omega' \neq
-\varnothing$.
-As $\tau_0 = \left\{ \varnothing, \X \right\}$, this is equivalent to look for
-an integer $n$ s.t. $f^{(n)}\left( \X \right) \cap \X \neq \varnothing$. For
-instance, $n=0$ is appropriate.

 
 

-Let us now consider $x \in \X$ and $V \in \mathcal{V}_{\tau_0} (x)$. Then $V =
-\mathcal{X}$, so $V$ has at least a fixed point for $f$. Consequently $f$ is
-regular, and the result is established.
-\end{proof}

 
 
 
 

+\subsection{Statistical tests}
+\label{Security analysis}

 
 

+%A theoretical proof for the randomness of a generator is impossible to give, therefore statistical inference based on observed sample sequences produced by the generator seems to be the best option.
+Considering the properties of binary random sequences, various statistical tests can be designed to evaluate the assertion that the sequence is generated by a perfectly random source. We have performed some statistical tests for the CIPRNGs proposed here. These tests include NIST suite~\cite{ANDREW2008} and DieHARD battery of tests~\cite{DieHARD}. For completeness and for reference, we give in the following subsection a brief description of each of the aforementioned tests.

 
 

-\subsection{A given system can always be claimed as non-chaotic}

 
 

-\begin{theorem}
-Let $\mathcal{X}$ be a set and $f: \mathcal{X} \to \X$.
-If $\X$ is infinite, then $\left( \X_{\tau_\infty}, f\right)$ is not chaotic
-(for the Devaney's formulation), where $\tau_\infty$ is the discrete topology.
-\end{theorem}

 
 

-\begin{proof}
-Let us prove it by contradiction, assuming that $\left(\X_{\tau_\infty},
-f\right)$ is both transitive and regular.
+\subsubsection{NIST statistical tests suite}

 
 

-Let $x \in \X$ and $\{x\}$ one of its neighborhood. This neighborhood must
-contain a periodic point for $f$, if we want that $\left(\X_{\tau_\infty},
-f\right)$ is regular. Then $x$ must be a periodic point of $f$.
+Among the numerous standard tests for pseudo-randomness, a convincing way to show the randomness of the produced sequences is to confront them to the NIST (National Institute of  Standards and Technology) statistical tests, being an up-to-date tests suite proposed by the Information Technology Laboratory (ITL). A new version of the Statistical tests suite has been released in August 11, 2010.

 
 

-Let $I_x = \left\{ f^{(n)}(x), n \in \mathds{N}\right\}$. This set is finite
-because  $x$ is periodic, and $\mathcal{X}$ is infinite, then $\exists y \in
-\mathcal{X}, y \notin I_x$.
+The NIST tests suite SP 800-22 is a statistical package consisting of 15 tests. They were developed to test the randomness of binary sequences produced by hardware or software based cryptographic pseudorandom number generators. These tests focus on a variety of different types of non-randomness that could exist in a sequence.

 
 

-As $\left(\X_{\tau_\infty}, f\right)$ must be transitive, for all open nonempty
-sets $A$ and $B$, an integer $n$ must satisfy $f^{(n)}(A) \cap B \neq
-\varnothing$. However $\{x\}$ and $\{y\}$ are open sets and $y \notin I_x
-\Rightarrow \forall n, f^{(n)}\left( \{x\} \right) \cap \{y\} = \varnothing$.
-\end{proof}
+For each statistical test, a set of $P-values$ (corresponding to the set of sequences) is produced.
+The interpretation of empirical results can be conducted in various ways.
+In this paper, the examination of the distribution of P-values to check for uniformity ($ P-value_{T}$) is used.
+The distribution of $P-values$ is examined to ensure uniformity.
+If $P-value_{T} \geqslant 0.0001$, then the sequences can be considered to be uniformly distributed.

 
 

+In our experiments, 100 sequences (s = 100), each with 1,000,000-bit long, are generated and tested. If the $P-value_{T}$ of any test is smaller than 0.0001, the sequences are considered to be not good enough and the generating algorithm is not suitable for usage.

 
 
 
 
 
 
 
 
 
 

-\section{Chaos on the order topology}
-\label{sec: chaos order topology}
-\subsection{The phase space is an interval of the real line}
+\subsubsection{DieHARD battery of tests}
+The DieHARD battery of tests has been the most sophisticated standard for over a decade. Because of the stringent requirements in the DieHARD tests suite, a generator passing this battery of
+tests can be considered good as a rule of thumb.

 
 

-\subsubsection{Toward a topological semiconjugacy}
+The DieHARD battery of tests consists of 18 different independent statistical tests. This collection
+ of tests is based on assessing the randomness of bits comprising 32-bit integers obtained from
+a random number generator. Each test requires $2^{23}$ 32-bit integers in order to run the full set
+of tests. Most of the tests in DieHARD return a $P-value$, which should be uniform on $[0,1)$ if the input file
+contains truly independent random bits.  These $P-values$ are obtained by
+$P=F(X)$, where $F$ is the assumed distribution of the sample random variable $X$ (often normal).
+But that assumed $F$ is just an asymptotic approximation, for which the fit will be worst
+in the tails. Thus occasional $P-values$ near 0 or 1, such as 0.0012 or 0.9983, can occur.
+An individual test is considered to be failed if the $P-value$ approaches 1 closely, for example $P>0.9999$.

 
 

-In what follows, our intention is to establish, by using a topological
-semiconjugacy, that chaotic iterations over $\mathcal{X}$ can be described as
-iterations on a real interval. To do so, we must firstly introduce some
-notations and terminologies. 

 
 

-Let $\mathcal{S}_\mathsf{N}$ be the set of sequences belonging into $\llbracket
-1; \mathsf{N}\rrbracket$ and $\mathcal{X}_{\mathsf{N}} = \mathcal{S}_\mathsf{N}
-\times \B^\mathsf{N}$.
+\subsection{Results and discussion}
+\label{Results and discussion}
+\begin{table*}
+\renewcommand{\arraystretch}{1.3}
+\caption{NIST and DieHARD tests suite passing rates for PRNGs without CI}
+\label{NIST and DieHARD tests suite passing rate the for PRNGs without CI}
+\centering
+  \begin{tabular}{|l||c|c|c|c|c|c|c|c|c|c|}
+    \hline\hline
+Types of PRNGs & \multicolumn{2}{c|}{Linear PRNGs} & \multicolumn{4}{c|}{Lagged PRNGs} & \multicolumn{1}{c|}{ICG PRNGs} & \multicolumn{3}{c|}{Mixed PRNGs}\\ \hline
+\backslashbox{\textbf{$Tests$}} {\textbf{$PRNG$}} & LCG& MRG& AWC & SWB  & SWC & GFSR & INV & LCG2& LCG3& MRG2 \\ \hline
+NIST & 11/15 & 14/15 &\textbf{15/15} & \textbf{15/15}   & 14/15 & 14/15  & 14/15 & 14/15& 14/15& 14/15 \\ \hline
+DieHARD & 16/18 & 16/18 & 15/18 & 16/18 & \textbf{18/18} & 16/18 & 16/18 & 16/18& 16/18& 16/18\\ \hline
+\end{tabular}
+\end{table*}

 
 

+Table~\ref{NIST and DieHARD tests suite passing rate the for PRNGs without CI} shows the results on the batteries recalled above, indicating that almost all the PRNGs cannot pass all their tests. In other words, the statistical quality of these PRNGs cannot fulfill the up-to-date standards presented previously. We will show that the CIPRNG can solve this issue.

 
 

-\begin{definition}
-The function $\varphi: \mathcal{S}_{10} \times\mathds{B}^{10} \rightarrow \big[
-0, 2^{10} \big[$ is defined by:
+To illustrate the effects of this CIPRNG in detail, experiments will be divided in three parts:
+\begin{enumerate}
+  \item \textbf{Single CIPRNG}: The PRNGs involved in CI computing are of the same category.
+  \item \textbf{Mixed CIPRNG}: Two different types of PRNGs are mixed during the chaotic iterations process.
+  \item \textbf{Multiple CIPRNG}: The generator is obtained by repeating the composition of the iteration function as follows: $x^0\in \mathds{B}^{\mathsf{N}}$, and $\forall n\in \mathds{N}^{\ast },\forall i\in \llbracket1;\mathsf{N}\rrbracket,$

 \begin{equation}
 \begin{equation}

- \begin{array}{cccl}
-\varphi: & \mathcal{X}_{10} = \mathcal{S}_{10} \times\mathds{B}^{10}&
-\longrightarrow & \big[ 0, 2^{10} \big[ \\
- & (S,E) = \left((S^0, S^1, \hdots ); (E_0, \hdots, E_9)\right) & \longmapsto &
-\varphi \left((S,E)\right)
-\end{array}
+\begin{array}{l}
+x_i^n=\left\{
+\begin{array}{l}
+x_i^{n-1}~~~~~\text{if}~S^n\neq i \\
+\forall j\in \llbracket1;\mathsf{m}\rrbracket,f^m(x^{n-1})_{S^{nm+j}}~\text{if}~S^{nm+j}=i.\end{array} \right. \end{array}

 \end{equation}
 \end{equation}

-where $\varphi\left((S,E)\right)$ is the real number:
-\begin{itemize}
-\item whose integral part $e$ is $\displaystyle{\sum_{k=0}^9 2^{9-k} E_k}$, that
-is, the binary digits of $e$ are $E_0 ~ E_1 ~ \hdots ~ E_9$.
-\item whose decimal part $s$ is equal to $s = 0,S^0~ S^1~ S^2~ \hdots =
-\sum_{k=1}^{+\infty} 10^{-k} S^{k-1}.$ 
-\end{itemize}
-\end{definition}
-
-
-
-$\varphi$ realizes the association between a point of $\mathcal{X}_{10}$ and a
-real number into $\big[ 0, 2^{10} \big[$. We must now translate the chaotic
-iterations $\Go$ on this real interval. To do so, two intermediate functions
-over $\big[ 0, 2^{10} \big[$ must be introduced:
-
-
-\begin{definition}
-\label{def:e et s}
-Let $x \in \big[ 0, 2^{10} \big[$ and:
-\begin{itemize}
-\item $e_0, \hdots, e_9$ the binary digits of the integral part of $x$:
-$\displaystyle{\lfloor x \rfloor = \sum_{k=0}^{9} 2^{9-k} e_k}$.
-\item $(s^k)_{k\in \mathds{N}}$ the digits of $x$, where the chosen decimal
-decomposition of $x$ is the one that does not have an infinite number of 9: 
-$\displaystyle{x = \lfloor x \rfloor + \sum_{k=0}^{+\infty} s^k 10^{-k-1}}$.
-\end{itemize}
-$e$ and $s$ are thus defined as follows:
+$m$ is called the \emph{functional power}.
+\end{enumerate}
+
+
+We have performed statistical analysis of each of the aforementioned CIPRNGs.
+The results are reproduced in Tables~\ref{NIST and DieHARD tests suite passing rate the for PRNGs without CI} and \ref{NIST and DieHARD tests suite passing rate the for single CIPRNGs}.
+The scores written in boldface indicate that all the tests have been passed successfully, whereas an asterisk ``*'' means that the considered passing rate has been improved.
+
+\subsubsection{Tests based on the Single CIPRNG}
+
+\begin{table*}
+\renewcommand{\arraystretch}{1.3}
+\caption{NIST and DieHARD tests suite passing rates for PRNGs with CI}
+\label{NIST and DieHARD tests suite passing rate the for single CIPRNGs}
+\centering
+  \begin{tabular}{|l||c|c|c|c|c|c|c|c|c|c|c|c|}
+    \hline
+Types of PRNGs & \multicolumn{2}{c|}{Linear PRNGs} & \multicolumn{4}{c|}{Lagged PRNGs} & \multicolumn{1}{c|}{ICG PRNGs} & \multicolumn{3}{c|}{Mixed PRNGs}\\ \hline
+\backslashbox{\textbf{$Tests$}} {\textbf{$Single~CIPRNG$}} & LCG  & MRG & AWC & SWB & SWC & GFSR & INV& LCG2 & LCG3& MRG2 \\ \hline\hline
+Old CIPRNG\\ \hline \hline
+NIST & \textbf{15/15} *  & \textbf{15/15} * & \textbf{15/15}   & \textbf{15/15}   & \textbf{15/15} * & \textbf{15/15} * & \textbf{15/15} *& \textbf{15/15} * & \textbf{15/15} * & \textbf{15/15} \\ \hline
+DieHARD & \textbf{18/18} *  & \textbf{18/18} * & \textbf{18/18} *  & \textbf{18/18} *  & \textbf{18/18}  & \textbf{18/18} * & \textbf{18/18} *& \textbf{18/18} * & \textbf{18/18} *& \textbf{18/18} * \\ \hline
+New CIPRNG\\ \hline \hline
+NIST & \textbf{15/15} *  & \textbf{15/15} * & \textbf{15/15}   & \textbf{15/15}  & \textbf{15/15} * & \textbf{15/15} * & \textbf{15/15} *& \textbf{15/15} * & \textbf{15/15} * & \textbf{15/15} \\ \hline
+DieHARD & \textbf{18/18} *  & \textbf{18/18} * & \textbf{18/18} * & \textbf{18/18} * & \textbf{18/18}  & \textbf{18/18} * & \textbf{18/18} * & \textbf{18/18} * & \textbf{18/18} *& \textbf{18/18} *\\ \hline
+Xor CIPRNG\\ \hline\hline
+NIST & 14/15*& \textbf{15/15} *   & \textbf{15/15}   & \textbf{15/15}   & 14/15 & \textbf{15/15} * & 14/15& \textbf{15/15} * & \textbf{15/15} *& \textbf{15/15}  \\ \hline
+DieHARD & 16/18 & 16/18 & 17/18* & \textbf{18/18} * & \textbf{18/18}  & \textbf{18/18} * & 16/18 & 16/18 & 16/18& 16/18\\ \hline
+\end{tabular}
+\end{table*}
+
+The statistical tests results of the PRNGs using the single CIPRNG method are given in Table~\ref{NIST and DieHARD tests suite passing rate the for single CIPRNGs}.
+We can observe that, except for the Xor CIPRNG, all of the CIPRNGs have passed the 15 tests of the NIST battery and the 18 tests of the DieHARD one.
+Moreover, considering these scores, we can deduce that both the single Old CIPRNG and the single New CIPRNG are relatively steadier than the single Xor CIPRNG approach, when applying them to different PRNGs.
+However, the Xor CIPRNG is obviously the fastest approach to generate a CI random sequence, and it still improves the statistical properties relative to each generator taken alone, although the test values are not as good as desired.
+
+Therefore, all of these three ways are interesting, for different reasons, in the production of pseudorandom numbers and,
+on the whole, the single CIPRNG method can be considered to adapt to or improve all kinds of PRNGs.
+
+To have a realization of the Xor CIPRNG that can pass all the tests embedded into the NIST battery, the Xor CIPRNG with multiple functional powers are investigated in Section~\ref{Tests based on Multiple CIPRNG}.
+
+
+\subsubsection{Tests based on the Mixed CIPRNG}
+
+To compare the previous approach with the CIPRNG design that uses a Mixed CIPRNG, we have taken into account the same inputted generators than in the previous section.
+These inputted couples $(PRNG_1,PRNG_2)$ of PRNGs are used in the Mixed approach as follows:

 \begin{equation}
 \begin{equation}

-\begin{array}{cccl}
-e: & \big[ 0, 2^{10} \big[ & \longrightarrow & \mathds{B}^{10} \\
- & x & \longmapsto & (e_0, \hdots, e_9)
+\left\{
+\begin{array}{l}
+x^0 \in \llbracket 0, 2^\mathsf{N}-1 \rrbracket, S \in \llbracket 0, 2^\mathsf{N}-1 \rrbracket^\mathds{N} \\
+\forall n \in \mathds{N}^*, x^n = x^{n-1} \oplus PRNG_1\oplus PRNG_2,

 \end{array}
 \end{array}

+\right.
+\label{equation Oplus}

 \end{equation}
 \end{equation}

-and
+
+With this Mixed CIPRNG approach, both the Old CIPRNG and New CIPRNG continue to pass all the NIST and DieHARD suites.
+In addition, we can see that the PRNGs using a Xor CIPRNG approach can pass more tests than previously.
+The main reason of this success is that the Mixed Xor CIPRNG has a longer period.
+Indeed, let $n_{P}$ be the period of a PRNG $P$, then the period deduced from the single Xor CIPRNG approach is obviously equal to:

 \begin{equation}
 \begin{equation}

- \begin{array}{cccc}
-s: & \big[ 0, 2^{10} \big[ & \longrightarrow & \llbracket 0, 9
-\rrbracket^{\mathds{N}} \\
- & x & \longmapsto & (s^k)_{k \in \mathds{N}}
+n_{SXORCI}=
+\left\{
+\begin{array}{ll}
+n_{P}&\text{if~}x^0=x^{n_{P}}\\
+2n_{P}&\text{if~}x^0\neq x^{n_{P}}.\\

 \end{array}
 \end{array}

+\right.
+\label{equation Oplus}

 \end{equation}
 \end{equation}

-\end{definition}
-
-We are now able to define the function $g$, whose goal is to translate the
-chaotic iterations $\Go$ on an interval of $\mathds{R}$.

 
 

-\begin{definition}
-$g:\big[ 0, 2^{10} \big[ \longrightarrow \big[ 0, 2^{10} \big[$ is defined by:
+Let us now denote by $n_{P1}$ and $n_{P2}$ the periods of respectively the $PRNG_1$ and $PRNG_2$ generators, then the period of the Mixed Xor CIPRNG will be:

 \begin{equation}
 \begin{equation}

-\begin{array}{cccc}
-g: & \big[ 0, 2^{10} \big[ & \longrightarrow & \big[ 0, 2^{10} \big[ \\
- & x & \longmapsto & g(x)
-\end{array}
-\end{equation}
-where g(x) is the real number of $\big[ 0, 2^{10} \big[$ defined bellow:
-\begin{itemize}
-\item its integral part has a binary decomposition equal to $e_0', \hdots,
-e_9'$, with:
- \begin{equation}
-e_i' = \left\{
+n_{XXORCI}=
+\left\{

 \begin{array}{ll}
 \begin{array}{ll}

-e(x)_i & \textrm{ if } i \neq s^0\\
-e(x)_i + 1 \textrm{ (mod 2)} & \textrm{ if } i = s^0\\
+LCM(n_{P1},n_{P2})&\text{if~}x^0=x^{LCM(n_{P1},n_{P2})}\\
+2LCM(n_{P1},n_{P2})&\text{if~}x^0\neq x^{LCM(n_{P1},n_{P2})}.\\

 \end{array}
 \right.
 \end{array}
 \right.

+\label{equation Oplus}

 \end{equation}
 \end{equation}

-\item whose decimal part is $s(x)^1, s(x)^2, \hdots$
-\end{itemize}
-\end{definition}

 
 

-\bigskip
+In Table~\ref{DieHARD fail mixex CIPRNG}, we only show the results for the Mixed CIPRNGs that cannot pass all DieHARD suites (the NIST tests are all passed). It demonstrates that Mixed Xor CIPRNG involving LCG, MRG, LCG2, LCG3, MRG2, or INV cannot pass the two following tests, namely the ``Matrix Rank 32x32'' and the ``COUNT-THE-1's'' tests contained into the DieHARD battery. Let us recall their definitions:

 
 

+\begin{itemize}
+ \item \textbf{Matrix Rank 32x32.} A random 32x32 binary matrix is formed, each row having a 32-bit random vector. Its rank is an integer that ranges from 0 to 32. Ranks less than 29 must be rare, and their occurences must be pooled with those of rank 29. To achieve the test, ranks of 40,000 such random matrices are obtained, and a chisquare test is performed on counts for ranks 32,31,30 and for ranks $\leq29$.
+
+ \item \textbf{COUNT-THE-1's TEST} Consider the file under test as a stream of bytes (four per  2 bit integer).  Each byte can contain from 0 to 8 1's, with probabilities 1,8,28,56,70,56,28,8,1 over 256.  Now let the stream of bytes provide a string of overlapping  5-letter words, each ``letter'' taking values A,B,C,D,E. The letters are determined by the number of 1's in a byte: 0,1, or 2 yield A, 3 yields B, 4 yields C, 5 yields D and 6,7, or 8 yield E. Thus we have a monkey at a typewriter hitting five keys with various probabilities (37,56,70,56,37 over 256).  There are $5^5$ possible 5-letter words, and from a string of 256,000 (over-lapping) 5-letter words, counts are made on the frequencies for each word.   The quadratic form in the weak inverse of the covariance matrix of the cell counts provides a chisquare test: Q5-Q4, the difference of the naive Pearson sums of $(OBS-EXP)^2/EXP$ on counts for 5- and 4-letter cell counts.
+\end{itemize}

 
 

-In other words, if $x = \displaystyle{\sum_{k=0}^{9} 2^{9-k} e_k + 
-\sum_{k=0}^{+\infty} s^{k} ~10^{-k-1}}$, then:
+The reason of these fails is that the output of LCG, LCG2, LCG3, MRG, and MRG2 under the experiments are in 31-bit. Compare with the Single CIPRNG, using different PRNGs to build CIPRNG seems more efficient in improving random number quality (mixed Xor CI can 100\% pass NIST, but single cannot).
+
+\begin{table*}
+\renewcommand{\arraystretch}{1.3}
+\caption{Scores of mixed Xor CIPRNGs when considering the DieHARD battery}
+\label{DieHARD fail mixex CIPRNG}
+\centering
+  \begin{tabular}{|l||c|c|c|c|c|c|}
+    \hline
+\backslashbox{\textbf{$PRNG_1$}} {\textbf{$PRNG_0$}} & LCG & MRG & INV & LCG2 & LCG3 & MRG2 \\ \hline\hline
+LCG  &\backslashbox{} {} &16/18&16/18 &16/18 &16/18 &16/18\\ \hline
+MRG &16/18 &\backslashbox{} {} &16/18&16/18 &16/18  &16/18\\ \hline
+INV &16/18 &16/18&\backslashbox{} {} &16/18 &16/18&16/18    \\ \hline
+LCG2  &16/18 &16/18 &16/18 &\backslashbox{} {}  &16/18&16/18\\ \hline
+LCG3  &16/18 &16/18 &16/18&16/18&\backslashbox{} {} &16/18\\ \hline
+MRG2 &16/18  &16/18 &16/18&16/18 &16/18 &\backslashbox{} {}  \\ \hline
+\end{tabular}
+\end{table*}
+
+\subsubsection{Tests based on the Multiple CIPRNG}
+\label{Tests based on Multiple CIPRNG}
+
+Until now, the combination of at most two input PRNGs has been investigated.
+We now regard the possibility to use a larger number of generators to improve the statistics of the generated pseudorandom numbers, leading to the multiple functional power approach.
+For the CIPRNGs which have already pass both the NIST and DieHARD suites with 2 inputted PRNGs (all the Old and New CIPRNGs, and some of the Xor CIPRNGs), it is not meaningful to consider their adaption of this multiple CIPRNG method, hence only the Multiple Xor CIPRNGs, having the following form, will be investigated.

 \begin{equation}
 \begin{equation}

-g(x) =
-\displaystyle{\sum_{k=0}^{9} 2^{9-k} (e_k + \delta(k,s^0) \textrm{ (mod 2)}) + 
-\sum_{k=0}^{+\infty} s^{k+1} 10^{-k-1}}. 
+\left\{
+\begin{array}{l}
+x^0 \in \llbracket 0, 2^\mathsf{N}-1 \rrbracket, S \in \llbracket 0, 2^\mathsf{N}-1 \rrbracket^\mathds{N} \\
+\forall n \in \mathds{N}^*, x^n = x^{n-1} \oplus S^{nm}\oplus S^{nm+1}\ldots \oplus S^{nm+m-1} ,
+\end{array}
+\right.
+\label{equation Oplus}

 \end{equation}
 
 \end{equation}
 

+The question is now to determine the value of the threshold $m$ (the functional power) making the multiple CIPRNG being able to pass the whole NIST battery.
+Such a question is answered in Table~\ref{threshold}.

 
 

-\subsubsection{Defining a metric on $\big[ 0, 2^{10} \big[$}

 
 

-Numerous metrics can be defined on the set $\big[ 0, 2^{10} \big[$, the most
-usual one being the Euclidian distance recalled bellow:
+\begin{table*}
+\renewcommand{\arraystretch}{1.3}
+\caption{Functional power $m$ making it possible to pass the whole NIST battery}
+\label{threshold}
+\centering
+  \begin{tabular}{|l||c|c|c|c|c|c|c|c|}
+    \hline
+Inputted $PRNG$ & LCG & MRG & SWC & GFSR & INV& LCG2 & LCG3  & MRG2 \\ \hline\hline
+Threshold  value $m$& 19 & 7  & 2& 1 & 11& 9& 3& 4\\ \hline\hline
+\end{tabular}
+\end{table*}

 
 

-\begin{notation}
-\index{distance!euclidienne}
-$\Delta$ is the Euclidian distance on $\big[ 0, 2^{10} \big[$, that is,
-$\Delta(x,y) = |y-x|^2$.
-\end{notation}
+\subsubsection{Results Summary}

 
 

-\medskip
+We can summarize the obtained results as follows.
+\begin{enumerate}
+\item The CIPRNG method is able to improve the statistical properties of a large variety of PRNGs.
+\item Using different PRNGs in the CIPRNG approach is better than considering several instances of one unique PRNG.
+\item The statistical quality of the outputs increases with the functional power $m$.
+\end{enumerate}
+
+\end{color}
+
+\section{Efficient PRNG based on Chaotic Iterations}
+\label{sec:efficient PRNG}
+
+Based on the proof presented in the previous section, it is now possible to 
+improve the speed of the generator formerly presented in~\cite{bgw09:ip,guyeux10}. 
+The first idea is to consider
+that the provided strategy is a pseudorandom Boolean vector obtained by a
+given PRNG.
+An iteration of the system is simply the bitwise exclusive or between
+the last computed state and the current strategy.
+Topological properties of disorder exhibited by chaotic 
+iterations can be inherited by the inputted generator, we hope by doing so to 
+obtain some statistical improvements while preserving speed.
+
+%%RAPH : j'ai viré tout ca
+%% Let us give an example using 16-bits numbers, to clearly understand how the bitwise xor operations
+%% are
+%% done.  
+%% Suppose  that $x$ and the  strategy $S^i$ are given as
+%% binary vectors.
+%% Table~\ref{TableExemple} shows the result of $x \oplus S^i$.
+
+%% \begin{table}
+%% \begin{scriptsize}
+%% $$
+%% \begin{array}{|cc|cccccccccccccccc|}
+%% \hline
+%% x      &=&1&0&1&1&1&0&1&0&1&0&0&1&0&0&1&0\\
+%% \hline
+%% S^i      &=&0&1&1&0&0&1&1&0&1&1&1&0&0&1&1&1\\
+%% \hline
+%% x \oplus S^i&=&1&1&0&1&1&1&0&0&0&1&1&1&0&1&0&1\\
+%% \hline
+
+%% \hline
+%%  \end{array}
+%% $$
+%% \end{scriptsize}
+%% \caption{Example of an arbitrary round of the proposed generator}
+%% \label{TableExemple}
+%% \end{table}
+
+
+
+
+\lstset{language=C,caption={C code of the sequential PRNG based on chaotic iterations},label=algo:seqCIPRNG}
+\begin{small}
+\begin{lstlisting}

 
 

-This Euclidian distance does not reproduce exactly the notion of proximity
-induced by our first distance $d$ on $\X$. Indeed $d$ is finer than $\Delta$.
-This is the reason why we have to introduce the following metric:
+unsigned int CIPRNG() {
+  static unsigned int x = 123123123;
+  unsigned long t1 = xorshift();
+  unsigned long t2 = xor128();
+  unsigned long t3 = xorwow();
+  x = x^(unsigned int)t1;
+  x = x^(unsigned int)(t2>>32);
+  x = x^(unsigned int)(t3>>32);
+  x = x^(unsigned int)t2;
+  x = x^(unsigned int)(t1>>32);
+  x = x^(unsigned int)t3;
+  return x;
+}
+\end{lstlisting}
+\end{small}

 
 
 
 
 
 

-\begin{definition}
-Let $x,y \in \big[ 0, 2^{10} \big[$.
-$D$ denotes the function from $\big[ 0, 2^{10} \big[^2$ to $\mathds{R}^+$
-defined by: $D(x,y) = D_e\left(e(x),e(y)\right) + D_s\left(s(x),s(y)\right)$,
-where:
-\begin{center}
-$\displaystyle{D_e(E,\check{E}) = \sum_{k=0}^\mathsf{9} \delta (E_k,
-\check{E}_k)}$, ~~and~ $\displaystyle{D_s(S,\check{S}) = \sum_{k = 1}^\infty
-\dfrac{|S^k-\check{S}^k|}{10^k}}$.
-\end{center}
-\end{definition}
+In Listing~\ref{algo:seqCIPRNG} a sequential  version of the proposed PRNG based
+on  chaotic  iterations  is  presented.   The xor  operator  is  represented  by
+\textasciicircum.  This function uses  three classical 64-bits PRNGs, namely the
+\texttt{xorshift},         the          \texttt{xor128},         and         the
+\texttt{xorwow}~\cite{Marsaglia2003}.  In the following, we call them ``xor-like
+PRNGs''.   As each  xor-like PRNG  uses 64-bits  whereas our  proposed generator
+works with 32-bits, we use the command \texttt{(unsigned int)}, that selects the
+32 least  significant bits  of a given  integer, and the  code \texttt{(unsigned
+  int)(t$>>$32)} in order to obtain the 32 most significant bits of \texttt{t}.

 
 

-\begin{proposition}
-$D$ is a distance on $\big[ 0, 2^{10} \big[$.
-\end{proposition}
+Thus producing a pseudorandom number needs 6 xor operations with 6 32-bits numbers
+that  are provided by  3 64-bits  PRNGs.  This  version successfully  passes the
+stringent BigCrush battery of tests~\cite{LEcuyerS07}.

 
 

-\begin{proof}
-The three axioms defining a distance must be checked.
-\begin{itemize}
-\item $D \geqslant 0$, because everything is positive in its definition. If
-$D(x,y)=0$, then $D_e(x,y)=0$, so the integral parts of $x$ and $y$ are equal
-(they have the same binary decomposition). Additionally, $D_s(x,y) = 0$, then
-$\forall k \in \mathds{N}^*, s(x)^k = s(y)^k$. In other words, $x$ and $y$ have
-the same $k-$th decimal digit, $\forall k \in \mathds{N}^*$. And so $x=y$.
-\item $D(x,y)=D(y,x)$.
-\item Finally, the triangular inequality is obtained due to the fact that both
-$\delta$ and $\Delta(x,y)=|x-y|$ satisfy it.
-\end{itemize}
-\end{proof}
+\section{Efficient PRNGs based on Chaotic Iterations on GPU}
+\label{sec:efficient PRNG gpu}

 
 

+In order to  take benefits from the computing power  of GPU, a program
+needs  to have  independent blocks  of  threads that  can be  computed
+simultaneously. In general,  the larger the number of  threads is, the
+more local  memory is  used, and the  less branching  instructions are
+used  (if,  while,  ...),  the  better the  performances  on  GPU  is.
+Obviously, having these requirements in  mind, it is possible to build
+a   program    similar   to    the   one   presented    in  Listing 
+\ref{algo:seqCIPRNG}, which computes  pseudorandom numbers on GPU.  To
+do  so,  we  must   firstly  recall  that  in  the  CUDA~\cite{Nvid10}
+environment,    threads    have     a    local    identifier    called
+\texttt{ThreadIdx},  which   is  relative  to   the  block  containing
+them. Furthermore, in  CUDA, parts of  the code that are executed by the  GPU, are
+called {\it kernels}.

 
 

-The convergence of sequences according to $D$ is not the same than the usual
-convergence related to the Euclidian metric. For instance, if $x^n \to x$
-according to $D$, then necessarily the integral part of each $x^n$ is equal to
-the integral part of $x$ (at least after a given threshold), and the decimal
-part of $x^n$ corresponds to the one of $x$ ``as far as required''.
-To illustrate this fact, a comparison between $D$ and the Euclidian distance is
-given Figure \ref{fig:comparaison de distances}. These illustrations show that
-$D$ is richer and more refined than the Euclidian distance, and thus is more
-precise.

 
 

+\subsection{Naive Version for GPU}

 
 

-\begin{figure}[t]
-\begin{center}
-  \subfigure[Function $x \to dist(x;1,234) $ on the interval
-$(0;5)$.]{\includegraphics[scale=.35]{DvsEuclidien.pdf}}\quad
-  \subfigure[Function $x \to dist(x;3) $ on the interval
-$(0;5)$.]{\includegraphics[scale=.35]{DvsEuclidien2.pdf}}
-\end{center}
-\caption{Comparison between $D$ (in blue) and the Euclidian distane (in green).}
-\label{fig:comparaison de distances}
-\end{figure}
+ 
+It is possible to deduce from the CPU version a quite similar version adapted to GPU.
+The simple principle consists in making each thread of the GPU computing the CPU version of our PRNG.  
+Of course,  the  three xor-like
+PRNGs  used in these computations must have different  parameters. 
+In a given thread, these parameters are
+randomly picked from another PRNGs. 
+The  initialization stage is performed by  the CPU.
+To do it, the  ISAAC  PRNG~\cite{Jenkins96} is used to  set  all  the
+parameters embedded into each thread.   
+
+The implementation of  the three
+xor-like  PRNGs  is  straightforward  when  their  parameters  have  been
+allocated in  the GPU memory.  Each xor-like  works with  an internal
+number  $x$  that saves  the  last  generated  pseudorandom number. Additionally,  the
+implementation of the  xor128, the xorshift, and the  xorwow respectively require
+4, 5, and 6 unsigned long as internal variables.

 
 
 
 

+\begin{algorithm}
+\begin{small}
+\KwIn{InternalVarXorLikeArray: array with internal variables of the 3 xor-like
+PRNGs in global memory\;
+NumThreads: number of threads\;}
+\KwOut{NewNb: array containing random numbers in global memory}
+\If{threadIdx is concerned by the computation} {
+  retrieve data from InternalVarXorLikeArray[threadIdx] in local variables\;
+  \For{i=1 to n} {
+    compute a new PRNG as in Listing\ref{algo:seqCIPRNG}\;
+    store the new PRNG in NewNb[NumThreads*threadIdx+i]\;
+  }
+  store internal variables in InternalVarXorLikeArray[threadIdx]\;
+}
+\end{small}
+\caption{Main kernel of the GPU ``naive'' version of the PRNG based on chaotic iterations}
+\label{algo:gpu_kernel}
+\end{algorithm}

 
 
 
 

-\subsubsection{The semiconjugacy}

 
 

-It is now possible to define a topological semiconjugacy between $\mathcal{X}$
-and an interval of $\mathds{R}$:
+Algorithm~\ref{algo:gpu_kernel}  presents a naive  implementation of the proposed  PRNG on
+GPU.  Due to the available  memory in the  GPU and the number  of threads
+used simultaneously,  the number  of random numbers  that a thread  can generate
+inside   a    kernel   is   limited  (\emph{i.e.},    the    variable   \texttt{n}   in
+algorithm~\ref{algo:gpu_kernel}). For instance, if  $100,000$ threads are used and
+if $n=100$\footnote{in fact, we need to add the initial seed (a 32-bits number)},
+then   the  memory   required   to  store all of the  internals   variables  of both the  xor-like
+PRNGs\footnote{we multiply this number by $2$ in order to count 32-bits numbers}
+and  the pseudorandom  numbers generated by  our  PRNG,  is  equal to  $100,000\times  ((4+5+6)\times
+2+(1+100))=1,310,000$ 32-bits numbers, that is, approximately $52$Mb.

 
 

-\begin{theorem}
-Chaotic iterations on the phase space $\mathcal{X}$ are simple iterations on
-$\mathds{R}$, which is illustrated by the semiconjugacy of the diagram bellow:
-\begin{equation*}
-\begin{CD}
-\left(~\mathcal{S}_{10} \times\mathds{B}^{10}, d~\right) @>G_{f_0}>>
-\left(~\mathcal{S}_{10} \times\mathds{B}^{10}, d~\right)\\
-    @V{\varphi}VV                    @VV{\varphi}V\\
-\left( ~\big[ 0, 2^{10} \big[, D~\right)  @>>g> \left(~\big[ 0, 2^{10} \big[,
-D~\right)
-\end{CD}
-\end{equation*}
-\end{theorem}
+This generator is able to pass the whole BigCrush battery of tests, for all
+the versions that have been tested depending on their number of threads 
+(called \texttt{NumThreads} in our algorithm, tested up to $5$ million).

 
 

-\begin{proof}
-$\varphi$ has been constructed in order to be continuous and onto.
-\end{proof}
+\begin{remark}
+The proposed algorithm has  the  advantage of  manipulating  independent
+PRNGs, so this version is easily adaptable on a cluster of computers too. The only thing
+to ensure is to use a single ISAAC PRNG. To achieve this requirement, a simple solution consists in
+using a master node for the initialization. This master node computes the initial parameters
+for all the different nodes involved in the computation.
+\end{remark}

 
 

-In other words, $\mathcal{X}$ is approximately equal to $\big[ 0, 2^\mathsf{N}
-\big[$.
+\subsection{Improved Version for GPU}

 
 

+As GPU cards using CUDA have shared memory between threads of the same block, it
+is possible  to use this  feature in order  to simplify the  previous algorithm,
+i.e., to use less  than 3 xor-like PRNGs. The solution  consists in computing only
+one xor-like PRNG by thread, saving  it into the shared memory, and then to use the results
+of some  other threads in the  same block of  threads. In order to  define which
+thread uses the result of which other  one, we can use a combination array that
+contains  the indexes  of  all threads  and  for which  a combination has  been
+performed. 

 
 

+In  Algorithm~\ref{algo:gpu_kernel2},  two  combination  arrays are  used.   The
+variable     \texttt{offset}    is     computed    using     the     value    of
+\texttt{combination\_size}.   Then we  can compute  \texttt{o1}  and \texttt{o2}
+representing the  indexes of  the other  threads whose results  are used  by the
+current one.   In this algorithm, we  consider that a 32-bits  xor-like PRNG has
+been chosen. In practice, we  use the xor128 proposed in~\cite{Marsaglia2003} in
+which  unsigned longs  (64 bits)  have been  replaced by  unsigned  integers (32
+bits).

 
 

+This version  can also pass the whole {\it BigCrush} battery of tests.

 
 

+\begin{algorithm}
+\begin{small}
+\KwIn{InternalVarXorLikeArray: array with internal variables of 1 xor-like PRNGs
+in global memory\;
+NumThreads: Number of threads\;
+array\_comb1, array\_comb2: Arrays containing combinations of size combination\_size\;}

 
 

+\KwOut{NewNb: array containing random numbers in global memory}
+\If{threadId is concerned} {
+  retrieve data from InternalVarXorLikeArray[threadId] in local variables including shared memory and x\;
+  offset = threadIdx\%combination\_size\;
+  o1 = threadIdx-offset+array\_comb1[offset]\;
+  o2 = threadIdx-offset+array\_comb2[offset]\;
+  \For{i=1 to n} {
+    t=xor-like()\;
+    t=t\textasciicircum shmem[o1]\textasciicircum shmem[o2]\;
+    shared\_mem[threadId]=t\;
+    x = x\textasciicircum t\;

 
 

-\subsection{Study of the chaotic iterations described as a real function}
+    store the new PRNG in NewNb[NumThreads*threadId+i]\;
+  }
+  store internal variables in InternalVarXorLikeArray[threadId]\;
+}
+\end{small}
+\caption{Main kernel for the chaotic iterations based PRNG GPU efficient
+version\label{IR}}
+\label{algo:gpu_kernel2} 
+\end{algorithm}

 
 

+\subsection{Theoretical Evaluation of the Improved Version}

 
 

-\begin{figure}[t]
-\begin{center}
-  \subfigure[ICs on the interval
-$(0,9;1)$.]{\includegraphics[scale=.35]{ICs09a1.pdf}}\quad
-  \subfigure[ICs on the interval
-$(0,7;1)$.]{\includegraphics[scale=.35]{ICs07a95.pdf}}\\
-  \subfigure[ICs on the interval
-$(0,5;1)$.]{\includegraphics[scale=.35]{ICs05a1.pdf}}\quad
-  \subfigure[ICs on the interval
-$(0;1)$]{\includegraphics[scale=.35]{ICs0a1.pdf}}
-\end{center}
-\caption{Representation of the chaotic iterations.}
-\label{fig:ICs}
-\end{figure}
+A run of Algorithm~\ref{algo:gpu_kernel2} consists in an operation ($x=x\oplus t$) having 
+the form of Equation~\ref{equation Oplus}, which is equivalent to the iterative
+system of Eq.~\ref{eq:generalIC}. That is, an iteration of the general chaotic
+iterations is realized between the last stored value $x$ of the thread and a strategy $t$
+(obtained by a bitwise exclusive or between a value provided by a xor-like() call
+and two values previously obtained by two other threads).
+To be certain that we are in the framework of Theorem~\ref{t:chaos des general},
+we must guarantee that this dynamical system iterates on the space 
+$\mathcal{X} = \mathcal{P}\left(\llbracket 1, \mathsf{N} \rrbracket\right)^\mathds{N}\times\mathds{B}^\mathsf{N}$.
+The left term $x$ obviously belongs to $\mathds{B}^ \mathsf{N}$.
+To prevent from any flaws of chaotic properties, we must check that the right 
+term (the last $t$), corresponding to the strategies,  can possibly be equal to any
+integer of $\llbracket 1, \mathsf{N} \rrbracket$. 

 
 

+Such a result is obvious, as for the xor-like(), all the
+integers belonging into its interval of definition can occur at each iteration, and thus the 
+last $t$ respects the requirement. Furthermore, it is possible to
+prove by an immediate mathematical induction that, as the initial $x$
+is uniformly distributed (it is provided by a cryptographically secure PRNG),
+the two other stored values shmem[o1] and shmem[o2] are uniformly distributed too,
+(this is the induction hypothesis), and thus the next $x$ is finally uniformly distributed.

 
 

+Thus Algorithm~\ref{algo:gpu_kernel2} is a concrete realization of the general
+chaotic iterations presented previously, and for this reason, it satisfies the 
+Devaney's formulation of a chaotic behavior.

 
 

+\section{Experiments}
+\label{sec:experiments}

 
 

-\begin{figure}[t]
+Different experiments  have been  performed in order  to measure  the generation
+speed. We have used a first computer equipped with a Tesla C1060 NVidia  GPU card
+and an
+Intel  Xeon E5530 cadenced  at 2.40  GHz,  and 
+a second computer  equipped with a smaller  CPU and  a GeForce GTX  280. 
+All the
+cards have 240 cores.
+
+In  Figure~\ref{fig:time_xorlike_gpu} we  compare the  quantity of  pseudorandom numbers
+generated per second with various xor-like based PRNGs. In this figure, the optimized
+versions use the {\it xor64} described in~\cite{Marsaglia2003}, whereas the naive versions
+embed  the three  xor-like  PRNGs described  in Listing~\ref{algo:seqCIPRNG}.   In
+order to obtain the optimal performances, the storage of pseudorandom numbers
+into the GPU memory has been removed. This step is time consuming and slows down the numbers
+generation.  Moreover this   storage  is  completely
+useless, in case of applications that consume the pseudorandom
+numbers  directly   after generation. We can see  that when the number of  threads is greater
+than approximately 30,000 and lower than 5 million, the number of pseudorandom numbers generated
+per second  is almost constant.  With the  naive version, this value ranges from 2.5 to
+3GSamples/s.   With  the  optimized   version,  it  is  approximately  equal to
+20GSamples/s. Finally  we can remark  that both GPU  cards are quite  similar, but in
+practice,  the Tesla C1060  has more  memory than  the GTX  280, and  this memory
+should be of better quality.
+As a  comparison,   Listing~\ref{algo:seqCIPRNG}  leads   to the  generation of  about
+138MSample/s when using one core of the Xeon E5530.
+
+\begin{figure}[htbp]

 \begin{center}
 \begin{center}

-  \subfigure[ICs on the interval
-$(510;514)$.]{\includegraphics[scale=.35]{ICs510a514.pdf}}\quad
-  \subfigure[ICs on the interval
-$(1000;1008)$]{\includegraphics[scale=.35]{ICs1000a1008.pdf}}
+  \includegraphics[width=\columnwidth]{curve_time_xorlike_gpu.pdf}

 \end{center}
 \end{center}

-\caption{ICs on small intervals.}
-\label{fig:ICs2}
+\caption{Quantity of pseudorandom numbers generated per second with the xorlike-based PRNG}
+\label{fig:time_xorlike_gpu}

 \end{figure}
 
 \end{figure}
 

-\begin{figure}[t]
+
+
+
+
+In Figure~\ref{fig:time_bbs_gpu} we highlight  the performances of the optimized
+BBS-based PRNG on GPU.  On  the Tesla C1060 we obtain approximately 700MSample/s
+and  on the  GTX 280  about  670MSample/s, which  is obviously  slower than  the
+xorlike-based PRNG on GPU. However, we  will show in the next sections that this
+new PRNG  has a strong  level of  security, which is  necessarily paid by  a speed
+reduction.
+
+\begin{figure}[htbp]

 \begin{center}
 \begin{center}

-  \subfigure[ICs on the interval
-$(0;16)$.]{\includegraphics[scale=.3]{ICs0a16.pdf}}\quad
-  \subfigure[ICs on the interval 
-$(40;70)$.]{\includegraphics[scale=.45]{ICs40a70.pdf}}\quad
+  \includegraphics[width=\columnwidth]{curve_time_bbs_gpu.pdf}

 \end{center}
 \end{center}

-\caption{General aspect of the chaotic iterations.}
-\label{fig:ICs3}
+\caption{Quantity of pseudorandom numbers generated per second using the BBS-based PRNG}
+\label{fig:time_bbs_gpu}

 \end{figure}
 
 \end{figure}
 

+All  these  experiments allow  us  to conclude  that  it  is possible  to
+generate a very large quantity of pseudorandom  numbers statistically perfect with the  xor-like version.
+To a certain extend, it is also the case with the secure BBS-based version, the speed deflation being
+explained by the fact that the former  version has ``only''
+chaotic properties and statistical perfection, whereas the latter is also cryptographically secure,
+as it is shown in the next sections.
+

 
 

-We have written a Python program to represent the chaotic iterations with the
-vectorial negation on the real line $\mathds{R}$. Various representations of
-these CIs are given in Figures \ref{fig:ICs}, \ref{fig:ICs2} and \ref{fig:ICs3}.
-It can be remarked that the function $g$ is a piecewise linear function: it is
-linear on each interval having the form $\left[ \dfrac{n}{10},
-\dfrac{n+1}{10}\right[$, $n \in \llbracket 0;2^{10}\times 10 \rrbracket$ and its
-slope is equal to 10. Let us justify these claims:

 
 

-\begin{proposition}
-\label{Prop:derivabilite des ICs}
-Chaotic iterations $g$ defined on $\mathds{R}$ have derivatives of all orders on
-$\big[ 0, 2^{10} \big[$, except on the 10241 points in $I$ defined by $\left\{
-\dfrac{n}{10} ~\big/~ n \in \llbracket 0;2^{10}\times 10\rrbracket \right\}$.
-
-Furthermore, on each interval of the form $\left[ \dfrac{n}{10},
-\dfrac{n+1}{10}\right[$, with $n \in \llbracket 0;2^{10}\times 10 \rrbracket$,
-$g$ is a linear function, having a slope equal to 10: $\forall x \notin I,
-g'(x)=10$.
-\end{proposition}

 
 
 
 

-\begin{proof}
-Let $I_n = \left[ \dfrac{n}{10}, \dfrac{n+1}{10}\right[$, with $n \in \llbracket
-0;2^{10}\times 10 \rrbracket$. All the points of $I_n$ have the same integral
-prat $e$ and the same decimal part $s^0$: on the set $I_n$,  functions $e(x)$
-and $x \mapsto s(x)^0$ of Definition \ref{def:e et s} only depend on $n$. So all
-the images $g(x)$ of these points $x$:
-\begin{itemize}
-\item Have the same integral part, which is $e$, except probably the bit number
-$s^0$. In other words, this integer has approximately the same binary
-decomposition than $e$, the sole exception being the digit $s^0$ (this number is
-then either $e+2^{10-s^0}$ or $e-2^{10-s^0}$, depending on the parity of $s^0$,
-\emph{i.e.}, it is equal to $e+(-1)^{s^0}\times 2^{10-s^0}$).
-\item A shift to the left has been applied to the decimal part $y$, losing by
-doing so the common first digit $s^0$. In other words, $y$ has been mapped into
-$10\times y - s^0$.
-\end{itemize}
-To sum up, the action of $g$ on the points of $I$ is as follows: first, make a
-multiplication by 10, and second, add the same constant to each term, which is
-$\dfrac{1}{10}\left(e+(-1)^{s^0}\times 2^{10-s^0}\right)-s^0$.
-\end{proof}

 
 

-\begin{remark}
-Finally, chaotic iterations are elements of the large family of functions that
-are both chaotic and piecewise linear (like the tent map).
-\end{remark}

 
 

+\section{Security Analysis}
+\label{sec:security analysis}

 
 
 
 

-\subsection{Comparison of the two metrics on $\big[ 0, 2^\mathsf{N} \big[$}

 
 

-The two propositions bellow allow to compare our two distances on $\big[ 0,
-2^\mathsf{N} \big[$:
+In this section the concatenation of two strings $u$ and $v$ is classically
+denoted by $uv$.
+In a cryptographic context, a pseudorandom generator is a deterministic
+algorithm $G$ transforming strings  into strings and such that, for any
+seed $s$ of length $m$, $G(s)$ (the output of $G$ on the input $s$) has size
+$\ell_G(m)$ with $\ell_G(m)>m$.
+The notion of {\it secure} PRNGs can now be defined as follows. 
+
+\begin{definition}
+A cryptographic PRNG $G$ is secure if for any probabilistic polynomial time
+algorithm $D$, for any positive polynomial $p$, and for all sufficiently
+large $m$'s,
+$$| \mathrm{Pr}[D(G(U_m))=1]-Pr[D(U_{\ell_G(m)})=1]|< \frac{1}{p(m)},$$
+where $U_r$ is the uniform distribution over $\{0,1\}^r$ and the
+probabilities are taken over $U_m$, $U_{\ell_G(m)}$ as well as over the
+internal coin tosses of $D$. 
+\end{definition}
+
+Intuitively, it means that there is no polynomial time algorithm that can
+distinguish a perfect uniform random generator from $G$ with a non
+negligible probability. The interested reader is referred
+to~\cite[chapter~3]{Goldreich} for more information. Note that it is
+quite easily possible to change the function $\ell$ into any polynomial
+function $\ell^\prime$ satisfying $\ell^\prime(m)>m)$~\cite[Chapter 3.3]{Goldreich}.
+
+The generation schema developed in (\ref{equation Oplus}) is based on a
+pseudorandom generator. Let $H$ be a cryptographic PRNG. We may assume,
+without loss of generality, that for any string $S_0$ of size $N$, the size
+of $H(S_0)$ is $kN$, with $k>2$. It means that $\ell_H(N)=kN$. 
+Let $S_1,\ldots,S_k$ be the 
+strings of length $N$ such that $H(S_0)=S_1 \ldots S_k$ ($H(S_0)$ is the concatenation of
+the $S_i$'s). The cryptographic PRNG $X$ defined in (\ref{equation Oplus})
+is the algorithm mapping any string of length $2N$ $x_0S_0$ into the string
+$(x_0\oplus S_0 \oplus S_1)(x_0\oplus S_0 \oplus S_1\oplus S_2)\ldots
+(x_o\bigoplus_{i=0}^{i=k}S_i)$. One in particular has $\ell_{X}(2N)=kN=\ell_H(N)$. 
+We claim now that if this PRNG is secure,
+then the new one is secure too.

 
 \begin{proposition}
 
 \begin{proposition}

-Id: $\left(~\big[ 0, 2^\mathsf{N} \big[,\Delta~\right) \to \left(~\big[ 0,
-2^\mathsf{N} \big[, D~\right)$ is not continuous. 
+\label{cryptopreuve}
+If $H$ is a secure cryptographic PRNG, then $X$ is a secure cryptographic
+PRNG too.

 \end{proposition}
 
 \begin{proof}
 \end{proposition}
 
 \begin{proof}

-The sequence $x^n = 1,999\hdots 999$ constituted by $n$ 9 as decimal part, is
-such that:
-\begin{itemize}
-\item $\Delta (x^n,2) \to 0.$
-\item But $D(x^n,2) \geqslant 1$, then $D(x^n,2)$ does not converge to 0.
-\end{itemize}
+The proposition is proved by contraposition. Assume that $X$ is not
+secure. By Definition, there exists a polynomial time probabilistic
+algorithm $D$, a positive polynomial $p$, such that for all $k_0$ there exists
+$N\geq \frac{k_0}{2}$ satisfying 
+$$| \mathrm{Pr}[D(X(U_{2N}))=1]-\mathrm{Pr}[D(U_{kN}=1]|\geq \frac{1}{p(2N)}.$$
+We describe a new probabilistic algorithm $D^\prime$ on an input $w$ of size
+$kN$:
+\begin{enumerate}
+\item Decompose $w$ into $w=w_1\ldots w_{k}$, where each $w_i$ has size $N$.
+\item Pick a string $y$ of size $N$ uniformly at random.
+\item Compute $z=(y\oplus w_1)(y\oplus w_1\oplus w_2)\ldots (y
+  \bigoplus_{i=1}^{i=k} w_i).$
+\item Return $D(z)$.
+\end{enumerate}
+
+
+Consider  for each $y\in \mathbb{B}^{kN}$ the function $\varphi_{y}$
+from $\mathbb{B}^{kN}$ into $\mathbb{B}^{kN}$ mapping $w=w_1\ldots w_k$
+(each $w_i$ has length $N$) to 
+$(y\oplus w_1)(y\oplus w_1\oplus w_2)\ldots (y
+  \bigoplus_{i=1}^{i=k_1} w_i).$ By construction, one has for every $w$,
+\begin{equation}\label{PCH-1}
+D^\prime(w)=D(\varphi_y(w)),
+\end{equation}
+where $y$ is randomly generated. 
+Moreover, for each $y$, $\varphi_{y}$ is injective: if 
+$(y\oplus w_1)(y\oplus w_1\oplus w_2)\ldots (y\bigoplus_{i=1}^{i=k_1}
+w_i)=(y\oplus w_1^\prime)(y\oplus w_1^\prime\oplus w_2^\prime)\ldots
+(y\bigoplus_{i=1}^{i=k} w_i^\prime)$, then for every $1\leq j\leq k$,
+$y\bigoplus_{i=1}^{i=j} w_i^\prime=y\bigoplus_{i=1}^{i=j} w_i$. It follows,
+by a direct induction, that $w_i=w_i^\prime$. Furthermore, since $\mathbb{B}^{kN}$
+is finite, each $\varphi_y$ is bijective. Therefore, and using (\ref{PCH-1}),
+one has
+$\mathrm{Pr}[D^\prime(U_{kN})=1]=\mathrm{Pr}[D(\varphi_y(U_{kN}))=1]$ and,
+therefore, 
+\begin{equation}\label{PCH-2}
+\mathrm{Pr}[D^\prime(U_{kN})=1]=\mathrm{Pr}[D(U_{kN})=1].
+\end{equation}

 
 

-The sequential characterization of the continuity concludes the demonstration.
-\end{proof}
+Now, using (\ref{PCH-1}) again, one has  for every $x$,
+\begin{equation}\label{PCH-3}
+D^\prime(H(x))=D(\varphi_y(H(x))),
+\end{equation}
+where $y$ is randomly generated. By construction, $\varphi_y(H(x))=X(yx)$,
+thus
+\begin{equation}%\label{PCH-3}      %%RAPH : j'ai viré ce label qui existe déjà, il est 3 ligne avant
+D^\prime(H(x))=D(yx),
+\end{equation}
+where $y$ is randomly generated. 
+It follows that 

 
 

+\begin{equation}\label{PCH-4}
+\mathrm{Pr}[D^\prime(H(U_{N}))=1]=\mathrm{Pr}[D(U_{2N})=1].
+\end{equation}
+ From (\ref{PCH-2}) and (\ref{PCH-4}), one can deduce that
+there exists a polynomial time probabilistic
+algorithm $D^\prime$, a positive polynomial $p$, such that for all $k_0$ there exists
+$N\geq \frac{k_0}{2}$ satisfying 
+$$| \mathrm{Pr}[D(H(U_{N}))=1]-\mathrm{Pr}[D(U_{kN}=1]|\geq \frac{1}{p(2N)},$$
+proving that $H$ is not secure, which is a contradiction. 
+\end{proof}

 
 
 
 

-A contrario:
+\section{Cryptographical Applications}
+
+\subsection{A Cryptographically Secure PRNG for GPU}
+\label{sec:CSGPU}
+
+It is  possible to build a  cryptographically secure PRNG based  on the previous
+algorithm (Algorithm~\ref{algo:gpu_kernel2}).   Due to Proposition~\ref{cryptopreuve},
+it simply consists  in replacing
+the  {\it  xor-like} PRNG  by  a  cryptographically  secure one.  
+We have chosen the Blum Blum Shub generator~\cite{BBS} (usually denoted by BBS) having the form:
+$$x_{n+1}=x_n^2~ mod~ M$$  where $M$ is the product of  two prime numbers (these
+prime numbers  need to be congruent  to 3 modulus  4). BBS is known to be
+very slow and only usable for cryptographic applications. 
+
+  
+The modulus operation is the most time consuming operation for current
+GPU cards.  So in order to obtain quite reasonable performances, it is
+required to use only modulus  on 32-bits integer numbers. Consequently
+$x_n^2$ need  to be lesser than $2^{32}$,  and thus the number $M$ must be
+lesser than $2^{16}$.  So in practice we can choose prime numbers around
+256 that are congruent to 3 modulus 4.  With 32-bits numbers, only the
+4 least significant bits of $x_n$ can be chosen (the maximum number of
+indistinguishable    bits    is    lesser    than   or    equals    to
+$log_2(log_2(M))$). In other words, to generate a  32-bits number, we need to use
+8 times  the BBS  algorithm with possibly different  combinations of  $M$. This
+approach is  not sufficient to be able to pass  all the tests of TestU01,
+as small values of  $M$ for the BBS  lead to
+  small periods. So, in  order to add randomness  we have proceeded with
+the followings  modifications. 
+\begin{itemize}
+\item
+Firstly, we  define 16 arrangement arrays  instead of 2  (as described in
+Algorithm \ref{algo:gpu_kernel2}), but only 2 of them are used at each call of
+the  PRNG kernels. In  practice, the  selection of   combination
+arrays to be used is different for all the threads. It is determined
+by using  the three last bits  of two internal variables  used by BBS.
+%This approach  adds more randomness.   
+In Algorithm~\ref{algo:bbs_gpu},
+character  \& is for the  bitwise AND. Thus using  \&7 with  a number
+gives the last 3 bits, thus providing a number between 0 and 7.
+\item
+Secondly, after the  generation of the 8 BBS numbers  for each thread, we
+have a 32-bits number whose period is possibly quite small. So
+to add randomness,  we generate 4 more BBS numbers   to
+shift  the 32-bits  numbers, and  add up to  6 new  bits.  This  improvement is
+described  in Algorithm~\ref{algo:bbs_gpu}.  In  practice, the last 2 bits
+of the first new BBS number are  used to make a left shift of at most
+3 bits. The  last 3 bits of the  second new BBS number are  added to the
+strategy whatever the value of the first left shift. The third and the
+fourth new BBS  numbers are used similarly to apply  a new left shift
+and add 3 new bits.
+\item
+Finally, as  we use 8 BBS numbers  for each thread, the  storage of these
+numbers at the end of the  kernel is performed using a rotation. So,
+internal  variable for  BBS number  1 is  stored in  place  2, internal
+variable  for BBS  number 2  is  stored in  place 3,  ..., and finally, internal
+variable for BBS number 8 is stored in place 1.
+\end{itemize}

 
 

-\begin{proposition}
-Id: $\left(~\big[ 0, 2^\mathsf{N} \big[,D~\right) \to \left(~\big[ 0,
-2^\mathsf{N} \big[, \Delta ~\right)$ is a continuous fonction. 
-\end{proposition}
+\begin{algorithm}
+\begin{small}
+\KwIn{InternalVarBBSArray: array with internal variables of the 8 BBS
+in global memory\;
+NumThreads: Number of threads\;
+array\_comb: 2D Arrays containing 16 combinations (in first dimension)  of size combination\_size (in second dimension)\;
+array\_shift[4]=\{0,1,3,7\}\;
+}

 
 

-\begin{proof}
-If $D(x^n,x) \to 0$, then $D_e(x^n,x) = 0$ at least for $n$ larger than a given
-threshold, because $D_e$ only returns integers. So, after this threshold, the
-integral parts of all the $x^n$ are equal to the integral part of $x$. 
-
-Additionally, $D_s(x^n, x) \to 0$, then $\forall k \in \mathds{N}^*, \exists N_k
-\in \mathds{N}, n \geqslant N_k \Rightarrow D_s(x^n,x) \leqslant 10^{-k}$. This
-means that for all $k$, an index $N_k$ can be found such that, $\forall n
-\geqslant N_k$, all the $x^n$ have the same $k$ firsts digits, which are the
-digits of $x$. We can deduce the convergence $\Delta(x^n,x) \to 0$, and thus the
-result.
-\end{proof}
+\KwOut{NewNb: array containing random numbers in global memory}
+\If{threadId is concerned} {
+  retrieve data from InternalVarBBSArray[threadId] in local variables including shared memory and x\;
+  we consider that bbs1 ... bbs8 represent the internal states of the 8 BBS numbers\;
+  offset = threadIdx\%combination\_size\;
+  o1 = threadIdx-offset+array\_comb[bbs1\&7][offset]\;
+  o2 = threadIdx-offset+array\_comb[8+bbs2\&7][offset]\;
+  \For{i=1 to n} {
+    t$<<$=4\;
+    t|=BBS1(bbs1)\&15\;
+    ...\;
+    t$<<$=4\;
+    t|=BBS8(bbs8)\&15\;
+    \tcp{two new shifts}
+    shift=BBS3(bbs3)\&3\;
+    t$<<$=shift\;
+    t|=BBS1(bbs1)\&array\_shift[shift]\;
+    shift=BBS7(bbs7)\&3\;
+    t$<<$=shift\;
+    t|=BBS2(bbs2)\&array\_shift[shift]\;
+    t=t\textasciicircum  shmem[o1]\textasciicircum     shmem[o2]\;
+    shared\_mem[threadId]=t\;
+    x = x\textasciicircum   t\;

 
 

-The conclusion of these propositions is that the proposed metric is more precise
-than the Euclidian distance, that is:
+    store the new PRNG in NewNb[NumThreads*threadId+i]\;
+  }
+  store internal variables in InternalVarXorLikeArray[threadId] using a rotation\;
+}
+\end{small}
+\caption{main kernel for the BBS based PRNG GPU}
+\label{algo:bbs_gpu}
+\end{algorithm}

 
 

-\begin{corollary}
-$D$ is finer than the Euclidian distance $\Delta$.
-\end{corollary}
+In Algorithm~\ref{algo:bbs_gpu}, $n$ is for  the quantity of random numbers that
+a thread has to  generate.  The operation t<<=4 performs a left  shift of 4 bits
+on the variable  $t$ and stores the result in  $t$, and $BBS1(bbs1)\&15$ selects
+the last  four bits  of the  result of $BBS1$.   Thus an  operation of  the form
+$t<<=4; t|=BBS1(bbs1)\&15\;$  realizes in $t$ a  left shift of 4  bits, and then
+puts the 4 last bits of $BBS1(bbs1)$  in the four last positions of $t$.  Let us
+remark that the initialization $t$ is not a  necessity as we fill it 4 bits by 4
+bits, until  having obtained 32-bits.  The  two last new shifts  are realized in
+order to enlarge the small periods of  the BBS used here, to introduce a kind of
+variability.  In these operations, we make twice a left shift of $t$ of \emph{at
+  most}  3 bits,  represented by  \texttt{shift} in  the algorithm,  and  we put
+\emph{exactly} the \texttt{shift}  last bits from a BBS  into the \texttt{shift}
+last bits of $t$. For this, an array named \texttt{array\_shift}, containing the
+correspondence between the  shift and the number obtained  with \texttt{shift} 1
+to make the \texttt{and} operation is used. For example, with a left shift of 0,
+we  make an  and operation  with 0,  with  a left  shift of  3, we  make an  and
+operation with 7 (represented by 111 in binary mode).
+
+It should  be noticed that this generator has once more the form $x^{n+1} = x^n \oplus S^n$,
+where $S^n$ is referred in this algorithm as $t$: each iteration of this
+PRNG ends with $x = x \wedge t$. This $S^n$ is only constituted
+by secure bits produced by the BBS generator, and thus, due to
+Proposition~\ref{cryptopreuve}, the resulted PRNG is cryptographically
+secure.
+
+
+
+\begin{color}{red}
+\subsection{Practical Security Evaluation}
+
+Suppose now that the PRNG will work during 
+$M=100$ time units, and that during this period,
+an attacker can realize $10^{12}$ clock cycles.
+We thus wonder whether, during the PRNG's 
+lifetime, the attacker can distinguish this 
+sequence from truly random one, with a probability
+greater than $\varepsilon = 0.2$.
+We consider that $N$ has 900 bits.
+
+The random process is the BBS generator, which
+is cryptographically secure. More precisely, it
+is $(T,\varepsilon)-$secure: no 
+$(T,\varepsilon)-$distinguishing attack can be
+successfully realized on this PRNG, if~\cite{Fischlin}
+$$
+T \leqslant \dfrac{L(N)}{6 N (log_2(N))\varepsilon^{-2}M^2}-2^7 N \varepsilon^{-2} M^2 log_2 (8 N \varepsilon^{-1}M)
+$$
+where $M$ is the length of the output ($M=100$ in
+our example), and $L(N)$ is equal to
+$$
+2.8\times 10^{-3} exp \left(1.9229 \times (N ~ln(2)^\frac{1}{3}) \times ln(N~ln 2)^\frac{2}{3}\right)
+$$
+is the number of clock cycles to factor a $N-$bit
+integer.

 
 

-This corollary can be reformulated as follows:
+A direct numerical application shows that this attacker 
+cannot achieve its $(10^{12},0.2)$ distinguishing
+attack in that context.

 
 

-\begin{itemize}
-\item The topology produced by $\Delta$ is a subset of the topology produced by
-$D$.
-\item $D$ has more open sets than $\Delta$.
-\item It is harder to converge for the topology $\tau_D$ inherited by $D$, than
-to converge with the one inherited by $\Delta$, which is denoted here by
-$\tau_\Delta$.
-\end{itemize}
+\end{color}

 
 

+\subsection{Toward a Cryptographically Secure and Chaotic Asymmetric Cryptosystem}
+\label{Blum-Goldwasser}
+We finish this research work by giving some thoughts about the use of
+the proposed PRNG in an asymmetric cryptosystem.
+This first approach will be further investigated in a future work.

 
 

-\subsection{Chaos of the chaotic iterations on $\mathds{R}$}
-\label{chpt:Chaos des itérations chaotiques sur R}
+\subsubsection{Recalls of the Blum-Goldwasser Probabilistic Cryptosystem}

 
 

+The Blum-Goldwasser cryptosystem is a cryptographically secure asymmetric key encryption algorithm 
+proposed in 1984~\cite{Blum:1985:EPP:19478.19501}.  The encryption algorithm 
+implements a XOR-based stream cipher using the BBS PRNG, in order to generate 
+the keystream. Decryption is done by obtaining the initial seed thanks to
+the final state of the BBS generator and the secret key, thus leading to the
+ reconstruction of the keystream.

 
 

+The key generation consists in generating two prime numbers $(p,q)$, 
+randomly and independently of each other, that are
+ congruent to 3 mod 4, and to compute the modulus $N=pq$.
+The public key is $N$, whereas the secret key is the factorization $(p,q)$.

 
 

-\subsubsection{Chaos according to Devaney}

 
 

-We have recalled previously that the chaotic iterations $\left(\Go,
-\mathcal{X}_d\right)$ are chaotic according to the formulation of Devaney. We
-can deduce that they are chaotic on $\mathds{R}$ too, when considering the order
-topology, because:
+Suppose Bob wishes to send a string $m=(m_0, \dots, m_{L-1})$ of $L$ bits to Alice:
+\begin{enumerate}
+\item Bob picks an integer $r$ randomly in the interval $\llbracket 1,N\rrbracket$ and computes $x_0 = r^2~mod~N$.
+\item He uses the BBS to generate the keystream of $L$ pseudorandom bits $(b_0, \dots, b_{L-1})$, as follows. For $i=0$ to $L-1$,
+\begin{itemize}
+\item $i=0$.
+\item While $i \leqslant L-1$:

 \begin{itemize}
 \begin{itemize}

-\item $\left(\Go, \mathcal{X}_d\right)$ and $\left(g, \big[ 0, 2^{10}
-\big[_D\right)$ are semiconjugate by $\varphi$,
-\item Then $\left(g, \big[ 0, 2^{10} \big[_D\right)$ is a system chaotic
-according to Devaney, because the semiconjugacy preserve this character.
-\item But the topology generated by $D$ is finer than the topology generated by
-the Euclidian distance $\Delta$ -- which is the order topology.
-\item According to Theorem \ref{Th:chaos et finesse}, we can deduce that the
-chaotic iterations $g$ are indeed chaotic, as defined by Devaney, for the order
-topology on $\mathds{R}$.
+\item Set $b_i$ equal to the least-significant\footnote{As signaled previously, BBS can securely output up to $\mathsf{N} = \lfloor log(log(N)) \rfloor$ of the least-significant bits of $x_i$ during each round.} bit of $x_i$,
+\item $i=i+1$,
+\item $x_i = (x_{i-1})^2~mod~N.$
+\end{itemize}

 \end{itemize}
 \end{itemize}

+\item The ciphertext is computed by XORing the plaintext bits $m$ with the keystream: $ c = (c_0, \dots, c_{L-1}) = m \oplus  b$. This ciphertext is $[c, y]$, where $y=x_{0}^{2^{L}}~mod~N.$
+\end{enumerate}

 
 

-This result can be formulated as follows.

 
 

-\begin{theorem}
-\label{th:IC et topologie de l'ordre}
-The chaotic iterations $g$ on $\mathds{R}$ are chaotic according to the
-Devaney's formulation, when $\mathds{R}$ has his usual topology, which is the
-order topology.
-\end{theorem}
+When Alice receives $\left[(c_0, \dots, c_{L-1}), y\right]$, she can recover $m$ as follows:
+\begin{enumerate}
+\item Using the secret key $(p,q)$, she computes $r_p = y^{((p+1)/4)^{L}}~mod~p$ and $r_q = y^{((q+1)/4)^{L}}~mod~q$.
+\item The initial seed can be obtained using the following procedure: $x_0=q(q^{-1}~{mod}~p)r_p + p(p^{-1}~{mod}~q)r_q~{mod}~N$.
+\item She recomputes the bit-vector $b$ by using BBS and $x_0$.
+\item Alice finally computes the plaintext by XORing the keystream with the ciphertext: $ m = c \oplus  b$.
+\end{enumerate}

 
 

-Indeed this result is weaker than the theorem establishing the chaos for the
-finer topology $d$. However the Theorem \ref{th:IC et topologie de l'ordre}
-still remains important. Indeed, we have studied in our previous works a set
-different from the usual set of study ($\mathcal{X}$ instead of $\mathds{R}$),
-in order to be as close as possible from the computer: the properties of
-disorder proved theoretically will then be preserved when computing. However, we
-could wonder whether this change does not lead to a disorder of a lower quality.
-In other words, have we replaced a situation of a good disorder lost when
-computing, to another situation of a disorder preserved but of bad quality.
-Theorem \ref{th:IC et topologie de l'ordre} prove exactly the contrary.
- 

 
 

+\subsubsection{Proposal of a new Asymmetric Cryptosystem Adapted from Blum-Goldwasser}

 
 

+We propose to adapt the Blum-Goldwasser protocol as follows. 
+Let $\mathsf{N} = \lfloor log(log(N)) \rfloor$ be the number of bits that can
+be obtained securely with the BBS generator using the public key $N$ of Alice.
+Alice will pick randomly $S^0$ in $\llbracket 0, 2^{\mathsf{N}-1}\rrbracket$ too, and
+her new public key will be $(S^0, N)$.

 
 

+To encrypt his message, Bob will compute
+%%RAPH : ici, j'ai mis un simple $
+%\begin{equation}
+$c = \left(m_0 \oplus (b_0 \oplus S^0), m_1 \oplus (b_0 \oplus b_1 \oplus S^0), \hdots, \right.$
+$ \left. m_{L-1} \oplus (b_0 \oplus b_1 \hdots \oplus b_{L-1} \oplus S^0) \right)$
+%%\end{equation}
+instead of $\left(m_0 \oplus b_0, m_1 \oplus b_1, \hdots, m_{L-1} \oplus b_{L-1} \right)$. 

 
 

+The same decryption stage as in Blum-Goldwasser leads to the sequence 
+$\left(m_0 \oplus S^0, m_1 \oplus S^0, \hdots, m_{L-1} \oplus S^0 \right)$.
+Thus, with a simple use of $S^0$, Alice can obtain the plaintext.
+By doing so, the proposed generator is used in place of BBS, leading to
+the inheritance of all the properties presented in this paper.

 
 

+\section{Conclusion}

 
 
 
 

-\section{Conclusion}
-\bibliographystyle{plain}
+In  this  paper, a formerly proposed PRNG based on chaotic iterations
+has been generalized to improve its speed. It has been proven to be
+chaotic according to Devaney.
+Efficient implementations on  GPU using xor-like  PRNGs as input generators
+have shown that a very large quantity of pseudorandom numbers can be generated per second (about
+20Gsamples/s), and that these proposed PRNGs succeed to pass the hardest battery in TestU01,
+namely the BigCrush.
+Furthermore, we have shown that when the inputted generator is cryptographically
+secure, then it is the case too for the PRNG we propose, thus leading to
+the possibility to develop fast and secure PRNGs using the GPU architecture.
+\begin{color}{red} An improvement of the Blum-Goldwasser cryptosystem, making it 
+behaves chaotically, has finally been proposed. \end{color}
+
+In future  work we plan to extend this research, building a parallel PRNG for  clusters or
+grid computing. Topological properties of the various proposed generators will be investigated,
+and the use of other categories of PRNGs as input will be studied too. The improvement
+of Blum-Goldwasser will be deepened. Finally, we
+will try to enlarge the quantity of pseudorandom numbers generated per second either
+in a simulation context or in a cryptographic one.
+
+
+
+\bibliographystyle{plain} 

 \bibliography{mabase}
 \end{document}
 \bibliography{mabase}
 \end{document}