is defined. From a theoretical point of view, it is proven that it has fine
topological chaotic properties and that it is cryptographically secured (when
the initial PRNG is also cryptographically secured). From a practical point of
-view, experiments point out a very good statistical behavior. Optimized
-original implementation of this PRNG are also proposed and experimented.
+view, experiments point out a very good statistical behavior. An optimized
+original implementation of this PRNG is also proposed and experimented.
Pseudorandom numbers are generated at a rate of 20GSamples/s, which is faster
than in~\cite{conf/fpga/ThomasHL09,Marsaglia2003} (and with a better
statistical behavior). Experiments are also provided using BBS as the initial
-random generator. The generation speed is significantly weaker but, as far
-as we know, it is the first cryptographically secured PRNG proposed on GPU.
+random generator. The generation speed is significantly weaker.
Note also that an original qualitative comparison between topological chaotic
properties and statistical test is also proposed.
}
\begin{color}{red}
should improve the statistical properties of each
generator taken alone.
-Furthermore, the generator obtained by this way possesses various chaos properties that none of the generators used as input
-present.
+Furthermore, the generator obtained in this way possesses various chaos properties that none of the generators used as present input.
In order to make the Old CI PRNG usable in practice, we have proposed
an adapted version of the chaotic iteration based generator in~\cite{bg10:ip}.
-In this ``New CI PRNG'', we prevent from changing twice a given
-bit between two outputs.
+In this ``New CI PRNG'', we prevent a given bit from changing twice between two outputs.
This new generator is designed by the following process.
First of all, some chaotic iterations have to be done to generate a sequence
Then, at each iteration, only the $S^n$-th component of state $x^n$ is
updated, as follows: $x_i^n = x_i^{n-1}$ if $i \neq S^n$, else $x_i^n = \overline{x_i^{n-1}}$.
-Such a procedure is equivalent to achieve chaotic iterations with
+Such a procedure is equivalent to achieving chaotic iterations with
the Boolean vectorial negation $f_0$ and some well-chosen strategies.
Finally, some $x^n$ are selected
by a sequence $m^n$ as the pseudorandom bit sequence of our generator.
\subsection{Improving the Speed of the Former Generator}
Instead of updating only one cell at each iteration, \begin{color}{red} we now propose to choose a
-subset of components and to update them together, for speed improvements. Such a proposition leads \end{color}
+subset of components and to update them together, for speed improvement. Such a proposition leads \end{color}
to a kind of merger of the two sequences used in Algorithms
\ref{CI Algorithm} and \ref{Chaotic iteration1}. When the updating function is the vectorial negation,
this algorithm can be rewritten as follows:
\label{The generation of pseudorandom sequence}
-Let us now explain why we are reasonable grounds to believe that chaos
+Let us now explain why we have reasonable ground to believe that chaos
can improve statistical properties.
We will show in this section that chaotic properties as defined in the
mathematical theory of chaos are related to some statistical tests that can be found
the two following NIST tests~\cite{Nist10}:
\begin{itemize}
\item \textbf{Non-overlapping Template Matching Test}. Detect generators that produce too many occurrences of a given non-periodic (aperiodic) pattern.
- \item \textbf{Discrete Fourier Transform (Spectral) Test}. Detect periodic features (i.e., repetitive patterns that are near each other) in the tested sequence that would indicate a deviation from the assumption of randomness.
+ \item \textbf{Discrete Fourier Transform (Spectral) Test}. Detect periodic features (i.e., repetitive patterns that are close one to another) in the tested sequence that would indicate a deviation from the assumption of randomness.
\end{itemize}
-\item \textbf{Transitivity}. This topological property introduced previously states that the dynamical system is intrinsically complicated: it cannot be simplified into
+\item \textbf{Transitivity}. This topological property previously introduced states that the dynamical system is intrinsically complicated: it cannot be simplified into
two subsystems that do not interact, as we can find in any neighborhood of any point another point whose orbit visits the whole phase space.
-This focus on the places visited by orbits of the dynamical system takes various nonequivalent formulations in the mathematical theory
+This focus on the places visited by the orbits of the dynamical system takes various nonequivalent formulations in the mathematical theory
of chaos, namely: transitivity, strong transitivity, total transitivity, topological mixing, and so on~\cite{bg10:ij}. A similar attention
-is brought on states visited during a random walk in the two tests below~\cite{Nist10}:
+is brought on the states visited during a random walk in the two tests below~\cite{Nist10}:
\begin{itemize}
\item \textbf{Random Excursions Variant Test}. Detect deviations from the expected number of visits to various states in the random walk.
\item \textbf{Random Excursions Test}. Determine if the number of visits to a particular state within a cycle deviates from what one would expect for a random sequence.
\end{itemize}
-\item \textbf{Chaos according to Li and Yorke}. Two points of the phase space $(x,y)$ define a couple of Li-Yorke when $\limsup_{n \rightarrow +\infty} d(f^{(n)}(x), f^{(n)}(y))>0$ et $\liminf_{n \rightarrow +\infty} d(f^{(n)}(x), f^{(n)}(y))=0$, meaning that their orbits always oscillates as the iterations pass. When a system is compact and contains an uncountable set of such points, it is claimed as chaotic according
+\item \textbf{Chaos according to Li and Yorke}. Two points of the phase space $(x,y)$ define a couple of Li-Yorke when $\limsup_{n \rightarrow +\infty} d(f^{(n)}(x), f^{(n)}(y))>0$ et $\liminf_{n \rightarrow +\infty} d(f^{(n)}(x), f^{(n)}(y))=0$, meaning that their orbits always oscillate as the iterations pass. When a system is compact and contains an uncountable set of such points, it is claimed as chaotic according
to Li-Yorke~\cite{Li75,Ruette2001}. A similar property is regarded in the following NIST test~\cite{Nist10}.
\begin{itemize}
\item \textbf{Runs Test}. To determine whether the number of runs of ones and zeros of various lengths is as expected for a random sequence. In particular, this test determines whether the oscillation between such zeros and ones is too fast or too slow.
\end{itemize}
\item \textbf{Topological entropy}. The desire to formulate an equivalency of the thermodynamics entropy
-has emerged both in the topological and statistical fields. Another time, a similar objective has led to two different
-rewritten of an entropy based disorder: the famous Shannon definition of entropy is approximated in the statistical approach,
-whereas topological entropy is defined as follows.
+has emerged both in the topological and statistical fields. Once again, a similar objective has led to two different
+rewritting of an entropy based disorder: the famous Shannon definition of entropy is approximated in the statistical approach,
+whereas topological entropy is defined as follows:
$x,y \in \mathcal{X}$ are $\varepsilon-$\emph{separated in time $n$} if there exists $k \leqslant n$ such that $d\left(f^{(k)}(x),f^{(k)}(y)\right)>\varepsilon$. Then $(n,\varepsilon)-$separated sets are sets of points that are all $\varepsilon-$separated in time $n$, which
leads to the definition of $s_n(\varepsilon,Y)$, being the maximal cardinality of all $(n,\varepsilon)-$separated sets. Using these notations,
the topological entropy is defined as follows: $$h_{top}(\mathcal{X},f) = \displaystyle{\lim_{\varepsilon \rightarrow 0} \Big[ \limsup_{n \rightarrow +\infty} \dfrac{1}{n} \log s_n(\varepsilon,\mathcal{X})\Big]}.$$
This value measures the average exponential growth of the number of distinguishable orbit segments.
-In this sense, it measures complexity of the topological dynamical system, whereas
-the Shannon approach is in mind when defining the following test~\cite{Nist10}:
+In this sense, it measures the complexity of the topological dynamical system, whereas
+the Shannon approach comes to mind when defining the following test~\cite{Nist10}:
\begin{itemize}
-\item \textbf{Approximate Entropy Test}. Compare the frequency of overlapping blocks of two consecutive/adjacent lengths ($m$ and $m+1$) against the expected result for a random sequence.
+\item \textbf{Approximate Entropy Test}. Compare the frequency of the overlapping blocks of two consecutive/adjacent lengths ($m$ and $m+1$) against the expected result for a random sequence.
\end{itemize}
\item \textbf{Non-linearity, complexity}. Finally, let us remark that non-linearity and complexity are
x^n = (ax^{n-1} + c)~mod~m,
\label{LCG}
\end{equation}
-where $a$, $c$, and $x^0$ must be, among other things, non-negative and less than
-$m$~\cite{LEcuyerS07}. In what follows, 2LCGs and 3LCGs refer as two (resp. three)
+where $a$, $c$, and $x^0$ must be, among other things, non-negative and inferior to
+$m$~\cite{LEcuyerS07}. In what follows, 2LCGs and 3LCGs refer to two (resp. three)
combinations of such LCGs. For further details, see~\cite{bfg12a:ip,combined_lcg}.
-Secondly, the multiple recursive generators (MRGs) will be used, which
+Secondly, the multiple recursive generators (MRGs) which will be used,
are based on a linear recurrence of order
$k$, modulo $m$~\cite{LEcuyerS07}:
\begin{equation}
x^n = (a^1x^{n-1}+~...~+a^kx^{n-k})~mod~m .
\label{MRG}
\end{equation}
-Combination of two MRGs (referred as 2MRGs) is also used in these experiments.
+The combination of two MRGs (referred as 2MRGs) is also used in these experiments.
Generators based on linear recurrences with carry will be regarded too.
This family of generators includes the add-with-carry (AWC) generator, based on the recurrence:
\begin{array}{l}
1 ~~~~~\text{if}~ (x^{i-r} - x^{i-s} - c^{i-1})<0\\
0 ~~~~~\text{else},\end{array} \right. \end{array}\end{equation}
-and the SWC generator designed by R. Couture, which is based on the following recurrence:
+and the SWC generator, which is based on the following recurrence:
\begin{equation}
\label{SWC}
\begin{array}{l}
\begin{table}
\renewcommand{\arraystretch}{1.3}
-\caption{TestU01 Statistical Test}
+\caption{TestU01 Statistical Test Failures}
\label{TestU011}
\centering
\begin{tabular}{lccccc}
\begin{table}
\renewcommand{\arraystretch}{1.3}
-\caption{TestU01 Statistical Test for Old CI algorithms ($\mathsf{N}=4$)}
+\caption{TestU01 Statistical Test Failures for Old CI algorithms ($\mathsf{N}=4$)}
\label{TestU01 for Old CI}
\centering
\begin{tabular}{lcccc}
\subsection{Statistical tests}
\label{Security analysis}
-Three batteries of tests are reputed and usually used
+Three batteries of tests are reputed and regularly used
to evaluate the statistical properties of newly designed pseudorandom
number generators. These batteries are named DieHard~\cite{Marsaglia1996},
the NIST suite~\cite{ANDREW2008}, and the most stringent one called
\end{table*}
Table~\ref{NIST and DieHARD tests suite passing rate the for PRNGs without CI} shows the
-results on the two firsts batteries recalled above, indicating that all the PRNGs presented
+results on the two first batteries recalled above, indicating that all the PRNGs presented
in the previous section
cannot pass all these tests. In other words, the statistical quality of these PRNGs cannot
fulfill the up-to-date standards presented previously. We have shown in~\cite{bfg12a:ip} that the use of chaotic
\ref{NIST and DieHARD tests suite passing rate the for single CIPRNGs}.
The scores written in boldface indicate that all the tests have been passed successfully, whereas an
asterisk ``*'' means that the considered passing rate has been improved.
-The improvements are obvious for both the ``Old CI'' and ``New CI'' generators.
-Concerning the ``Xor CI PRNG'', the score is less spectacular: a large speed improvement makes that statistics
+The improvements are obvious for both the ``Old CI'' and the ``New CI'' generators.
+Concerning the ``Xor CI PRNG'', the score is less spectacular. Because of a large speed improvement, the statistics
are not as good as for the two other versions of these CIPRNGs.
However 8 tests have been improved (with no deflation for the other results).
\end{table*}
-We have then investigate in~\cite{bfg12a:ip} if it is possible to improve
+We have then investigated in~\cite{bfg12a:ip} if it were possible to improve
the statistical behavior of the Xor CI version by combining more than one
$\oplus$ operation. Results are summarized in Table~\ref{threshold}, illustrating
the progressive increasing effects of chaotic iterations, when giving time to chaos to get settled in.
correlation between topological properties and statistical behavior exists.
-Next subsection will now give a concrete original implementation of the Xor CI PRNG, the
+The next subsection will now give a concrete original implementation of the Xor CI PRNG, the
fastest generator in the chaotic iteration based family. In the remainder,
-this generator will be simply referred as CIPRNG, or ``the proposed PRNG'', if this statement does not
+this generator will be simply referred to as CIPRNG, or ``the proposed PRNG'', if this statement does not
raise ambiguity.
\end{color}
\begin{color}{red}
This section is dedicated to the security analysis of the
- proposed PRNGs, both from a theoretical and a practical points of view.
+ proposed PRNGs, both from a theoretical and from a practical point of view.
\subsection{Theoretical Proof of Security}
\label{sec:security analysis}
an attacker can realize $10^{12}$ clock cycles.
We thus wonder whether, during the PRNG's
lifetime, the attacker can distinguish this
-sequence from truly random one, with a probability
+sequence from a truly random one, with a probability
greater than $\varepsilon = 0.2$.
We consider that $N$ has 900 bits.
Predicting the next generated bit knowing all the
-previously released ones by Eq.~\eqref{equation Oplus} is obviously equivalent to predict the
+previously released ones by Eq.~\eqref{equation Oplus} is obviously equivalent to predicting the
next bit in the BBS generator, which
is cryptographically secure. More precisely, it
is $(T,\varepsilon)-$secure: no
to both the generation and transmission times.
It is true that the prime numbers used in the last
section are very small compared to up-to-date
-security recommends. However the attacker has not
+security recommendations. However the attacker has not
access to each BBS, but to the output produced
-by Algorithm~\ref{algo:bbs_gpu}, which is quite
+by Algorithm~\ref{algo:bbs_gpu}, which is far
more complicated than a simple BBS. Indeed, to
determine if this cryptographically secure PRNG
on GPU can be useful in security context with the
$(T,\varepsilon)-$security must be determined, and
a formulation similar to Eq.\eqref{mesureConcrete}
must be established. Authors
-hope to achieve to realize this difficult task in a future
+hope to achieve this difficult task in a future
work.
\end{color}
secure, then it is the case too for the PRNG we propose, thus leading to
the possibility to develop fast and secure PRNGs using the GPU architecture.
\begin{color}{red} An improvement of the Blum-Goldwasser cryptosystem, making it
-behaves chaotically, has finally been proposed. \end{color}
+behave chaotically, has finally been proposed. \end{color}
In future work we plan to extend this research, building a parallel PRNG for clusters or
grid computing. Topological properties of the various proposed generators will be investigated,
\textit{Section 9:
The authors say they replace the xor-like PRNG with a cryptographically secure one, BBS, but then proceed to use extremely small values, as far as a cryptographer is concerned (modulus of $2^{16}$), in the computation due to the need to use 32 bit integers in the GPU and combine bits from multiple BBS generated values, but they never prove (or even discuss) how this can be considered cryptographically secure due to the small individual values. At the end of 9.1, the authors say $S^n$ is secure because it is formed from bits from the BBS generator, but do not consider if the use of such small values will lead to exhaust searches to determine individual bits. The authors either need to remove all of section 9 and or prove the resulting PRNG is cryptographically secure.}
-A new section (namely, the Section 8.2) and a discussion at the end of Section 9.1 have been added to measure practically the security of the generator.
+A new section (namely, Section 8.2) and a discussion at the end of Section 9.1 have been added to measure practically the security of the generator.
\bigskip
\textit{In the conclusion:
\bigskip
\textit{There seems to have been no effort in showing how the new PRNG improves on a single (say) xorshift generator, considering the slowdown of calling 3 of them per iteration (cf. Listing 1). This could be done, if not with the mathematical rigor of chaos theory, then with simpler bit diffusion metrics, often used in cryptography to evaluate building blocks of ciphers.}
-A large section (Section 5) has been added, using and extending some previous works. It explains with more detail why topological chaos
+A large section (Section 5) has been added, using and extending some previous works. It explains with more details why topological chaos
is useful to pass statistical tests. This new section contains both qualitative explanations and quantitative (experimental) evaluations.
Using several examples, this section illustrates that defective PRNGs are always improved, according
to the NIST, DieHARD, and TestU01 batteries.
\bigskip
\textit{The generator of Listing 1, despite being proved chaotic, has several problems. First, it doesn't seem to be new; using xor to mix the states of several independent generators is standard procedure (e.g., [1]).}
-The novelty of the approach is not in the discovery of a new kind of operator, but on the way to combine existing PRNGs. We propose
-to realize a post-treatment based on chaotic iterations on these generators, in order to add topological properties that improve
-their statistics while preserving their cryptographical security. In this document, generators that use XOR or BBS are only
-illustrative examples using the vectorial negation as iterative function in the chaotic iterations. Theorems 1 and 2 explain how to
-replace this negation function, that leads to well known forms of generators, by more exotic ones. However, the choice of the vectorial
-negation for illustrations has been motivated for speed.
-
-Indeed, to the best of our knowledge, all the generators proposed in the literature mix only a few operations on previously obtained states:
-arithmetic operations, exponentiation, shift, exclusive or. It is impossible to define a fast PRNG or to prove its security when
-using more complicated operations, and the number of such operations that are mixed is necessary very low. Thus almost all
- up-to-date fast or secure generators are very simple, like the BBS or all the XORshift-like ones. In a certain extend, they are all similar,
-due to the very reduced number of efficient elementary operations offered to define them.
+The novelty of the approach is not in the discovery of a new kind of operator,
+but consists in the combination of existing PRNGs. We propose to realize a
+post-treatment based on chaotic iterations on these generators, in order to add
+topological properties that improve their statistics while preserving their
+cryptographical security. In this document, generators that use XOR or BBS are
+only illustrative examples using the vectorial negation as iterative function in
+the chaotic iterations. Theorems 1 and 2 explain how to replace this negation
+function, that leads to well known forms of generators, by more exotic
+ones. However, the choice of the vectorial negation to illustration our work has been
+motivated by speed.
+
+Indeed, to the best of our knowledge, all the generators proposed in the
+literature mix only a few operations on previously obtained states: arithmetic
+operations, exponentiation, shift, exclusive or. It is impossible to define a
+fast PRNG or to prove its security when using more complicated operations, and
+the number of such operations that are mixed is necessarily very low. Thus
+almost all up-to-date fast or secure generators are very simple, like the BBS or
+all the XORshift-like ones. To a certain extend, they are all similar, due to
+the very reduced number of efficient elementary operations offered to define
+them.
\bigskip
We agree with the reviewer in the fact that using coprimes here will improve
the period of the resulted PRNG. Nevertheless the goal of this section was to
-pass the Big Crush battery, and we achieve that with proposed combination of
+pass the Big Crush battery, and we achieved that with the proposed combination of
the three XORshifts.
\bigskip
\textit{Thirdly, by combining 3 linear generators with xor, another linear operation, you still get a linear generator, potentially vulnerable to stringent high-dimensional spectral tests.}
-This first generator has not been designed for security reasons, but for speed: the
-idea was to provide a very efficient version of our former generator that can pass
-TestU01, and linear
-operations are a necessity when speed with pseudorandomness are desired. If the desire is to use a fast and statistically perfect PRNG, then simulations
-proposed in this document show that this first PRNG is suitable. However, we have neither
-claimed nor proved that this generator is secure. Indeed, we have only shown that some
-chaotic iteration based post-treatment, like the one that use the vectorial negation,
-can preserve the cryptographically secure property (while adding chaos), if this property has been established
-for the inputted generator. As the inputted generator is not
-cryptographically secure in the example disputed by the reviewer, we cannot apply this
-result. Indeed the first part of the document does not deal with security,
-but it investigates the speed, chaos, and statistical quality of PRNGs.
-A sentence has been added to clarify this point at the end of Section 5.4.
+This first generator has not been designed for security reasons, but for speed:
+the idea was to provide a very efficient version of our former generator that
+can pass TestU01, and linear operations are a necessity when speed with
+pseudorandomness is desired. If what is needed is to use a fast and
+statistically perfect PRNG, then simulations proposed in this document show that
+this first PRNG is suitable. However, we have neither claimed nor proved that
+this generator is secure. Indeed, we have only shown that some chaotic iteration
+based post-treatment, like the one that uses the vectorial negation, can
+preserve the cryptographically secure property (while adding chaos), if this
+property has been established for the inputted generator. As the inputted
+generator is not cryptographically secure in the example disputed by the
+reviewer, we cannot apply this result. Indeed the first part of the document
+does not deal with security, but it investigates the speed, chaos, and
+statistical quality of PRNGs. A sentence has been added to clarify this point
+at the end of Section 5.4.
\bigskip
question of key size.
-Most of theoretical cryptographic definitions are somehow an extension of the
+Most theoretical cryptographic definitions are somehow an extension of the
notion of one-way function. Intuitively a one way function is a function
easy to compute but which is practically impossible to
inverse (i.e. from $f(x)$ it is not possible to compute $x$).
attack, that is computing $f(y)$ for all $y$'s of the good size until
$f(y)\neq f(x)$. Informally, if a function is one-way, it means that every
algorithm that can compute $x$ from $f(x)$ with a good probability requires
-a similar amount of time than the brute force attack. It is important to
+a similar amount of time to the brute force attack. It is important to
note that if the size of $x$ is small, then the brute force attack works in
-practice. The theoretical security properties do not guaranty that the system
-cannot be broken, it guaranty that if the keys are large enough, then the
+practice. The theoretical security properties do not guarantee that the system
+cannot be broken, it guarantees that if the keys are large enough, then the
system still works (computing $f(x)$ can be done, even if $x$ is large), and
cannot be broken in a reasonable time. The theoretical definition of a
secure PRNG is more technical than the one on one-way function but the
keys/seeds are large enough.
-Nevertheless, new arguments have been added in several places of the revision of our paper,
-concerning more concrete and practical aspects of security, like the
-$(T,\varepsilon)-$security notion of Section 8.2. Such a practical evaluation
-has not yet been performed for the GPU version of our PRNG, and the reviewer
-has true when thinking that these aspects are fundamentals to determine whether
-the proposed PRNG can face or not attacks in practice. A formula similar to what
-has been computed for the BBS (as in Section 8.2) must be found in future work,
-to measure how much time an attacker must have to break the proposed generator
-when considering the parameters we have chosen (this computation is a difficult
-task).
-Sentenses have been added in several places (like at the end of Section 9.1)
-summarizing this.
+Nevertheless, new arguments have been added in several places of the revision of
+our paper, concerning more concrete and practical aspects of security, like the
+$(T,\varepsilon)-$security notion of Section 8.2. Such a practical evaluation
+has not yet been performed for the GPU version of our PRNG, and the reviewer is
+right to think that these aspects are fundamental to determine whether the
+proposed PRNG can or cannot face the attacks. A similar formula to what has been
+computed for the BBS (as in Section 8.2) must be found in future work, to
+measure the amount of time need by an attacker to break the proposed generator when
+considering the parameters we have chosen (this computation is a difficult
+task). Sentences have been added in several places (like at the end of Section
+9.1) summarizing this.
\bigskip
\textit{To sum it up, while the theoretical part of the paper is interesting, the practical results leave much to be desired, and do not back the thesis that chaos improves some quality metric of the generators.}
-We hope now that, with the new sections added to the document (like the Section 5), we have convinced the reviewers that to add chaotic properties in
+We hope now that, with the new sections added to the document (like Section 5), we have convinced the reviewers that adding chaotic properties in
existing generators can be of interest.
\bigskip
\textit{Typos and other nitpicks:\\
- Blub Blum Shub is misspelled in a few places as "Blum Blum Shum";}
-These misspells have been corrected (sorry for that).
+These mistakes have been corrected (sorry for that).
\bigskip
\textit{ - Page 12, right column, line 54: In "$t<<=4$", the $<<$ operation is using the `` character instead.}
