
Analysis and Guidelines for Different Designs of Pseudo Random Number Generators


Six different PRNG designs based on LFSR with S-Box, primitive roots, elliptic curve, discrete chaos, continuous chaos, and fractional chaos as well as an image encryptio...

Abstract:

The design of an efficient Pseudo Random Number Generator (PRNG) with good randomness properties is an important research topic because it is a core component in many applications. Based on an extensive study of most PRNGs in the past few decades, this paper categorizes six distinct design scenarios under two primary groups: non-chaotic and chaotic generators. The non-chaotic group comprises Linear Feedback Shift Registers (LFSR) with S-Boxes, primitive roots, and elliptic curves, whereas the chaotic group encompasses discrete, continuous, and fractional-order chaotic generators. This paper delves into the related scientific summaries, equations, flowcharts, and designs with necessary recommendations for each PRNG scenario. Even though the focus is on the basic design characteristics that provide simple, functional and secure PRNGs, it is possible to enhance those designs for additional features and improved efficiency. Simulation outcomes and system key configurations, which produce long random sequences, are also presented and evaluated using leading criteria. The evaluation criteria include the National Institute of Standards and Technology (NIST) SP-800-22 test suite, TestU01 randomness tests, histogram, entropy, autocorrelation, and cross-correlation. Furthermore, key space, key sensitivity, and bit rate indicate that all designed examples meet international standards with high quality. The presented PRNGs are compared and integrated into an image encryption system. Although each PRNG design scenario can have a different key space, simple designs with fixed-length system keys are chosen for the sake of proper comparisons. Statistical and security assessments of the encryption system demonstrate that the PRNGs are cryptographically secure.
Published in: IEEE Access ( Volume: 12)
Page(s): 115697 - 115715
Date of Publication: 16 August 2024
Electronic ISSN: 2169-3536

CCBY - IEEE is not the copyright holder of this material. Please follow the instructions via https://creativecommons.org/licenses/by/4.0/ to obtain full-text articles and stipulations in the API documentation.
SECTION I.

Introduction

Random number generators fall into two main categories, True Random Number Generators (TRNGs) and Pseudo Random Number Generators (PRNGs). TRNGs derive randomness from physical processes, such as electronic noise and radioactive decay, or sources in the real world such as atmospheric noise. TRNGs are completely random because they inherit the unpredictability from physical phenomena, but they can be slower and more expensive to implement than PRNGs [1]. On the other hand, a PRNG is an algorithm that uses mathematical formulas to generate a sequence of bits/numbers whose properties approximate the properties of sequences of random bits/numbers. PRNGs use a seed value to initialize the mathematical formulas and generate sequences of numbers that appear random. Although PRNGs are deterministic, they simulate randomness through the use of complex algorithms that can produce long sequences of numbers.

As shown in Fig. 1, PRNGs are widely utilized in many applications such as game development, cryptography, computer simulations and modeling, statistical analysis, internet, artificial intelligence, machine learning, and graphics. For example, randomness is a core element in games of chance such as casino games, where it ensures that game outcomes are unpredictable and fair [1].

FIGURE 1. - Applications of PRNGs in different fields.

Random numbers are also used in key generation, which is a critical and essential element of any cryptographic application. For instance, a hash function is designed by utilizing a 2D chaotic map and using the generated random sequences as keys to the hash function for authentication purpose [2]. Furthermore, computer simulations, such as Monte Carlo techniques, rely mostly on repeated random sampling to generate numerical results [3]. In statistics, generating random samples is essential in creating different statistical distributions that can be used to analyze different problems. Random numbers can also be used in generating initial passwords for websites, and random walks on complex networks improve the process of selecting network weights for optimal performance [4]. In computer graphics, crowd simulation is based on random distribution to maintain realistic scenes [5].

Common randomness evaluation criteria, which are applied in the literature for assessing the quality of a PRNG, are given in Table 1. Each of those tests is designed to measure different aspects of randomness in the generated bitstream. Evaluation criteria that are used in assessing the quality of encrypted images are also given in Table 1. The table briefly describes each test and provides any mathematical equations used in calculating it [6], [7], [8]. A PRNG can exist as a software or hardware module depending on the used source of randomness and the required application. In the hardware case, the bit rate is generally much higher than the software counterpart. In either case, the design of a PRNG can be categorized into two main categories as shown in Fig. 2, namely non-chaos-based and chaos-based. In the non-chaos-based category, different randomness sources can be used such as Linear Feedback Shift Register (LFSR), elliptic curves, fractals, and much more.

TABLE 1 Evaluation Criteria Used in Assessing Random Bitstreams and Encrypted Images

FIGURE 2. - PRNGs design categories.

In the chaos-based category, discrete maps, continuous systems, and fractional-order systems are used. Discrete maps are a common choice for researchers as they are simple and efficient. For example, the logistic map has been enhanced, as proposed in [9] and [10], and combined with other maps like the Tent map [11], Sine map [12], and Chebyshev map to achieve better randomness quality and to increase the key space as reported in [13]. On the other hand, continuous systems generally offer larger key space as compared to discrete maps because of the larger number of control parameters as in [14]. In addition, each system state can produce several random numbers simultaneously [15], [16].

Those advantages over discrete maps can, however, affect the performance and system complexity. Finally, some designs combine non-chaotic generators with chaotic generators to balance the performance, complexity, and key space [17], [18]. In hardware scenarios, a common modern approach for PRNG is through the realization of the numerical solution used in solving the chaotic system. Examples include combining both analog and digital design for a chaotic generator [19] and a PRNG based on discrete chaos [20]. Table 2 summarizes recently proposed PRNG designs with respect to their category, source of randomness, key space and bit rate, if provided. The table also shows whether key sensitivity tests, different randomness evaluation criteria, and image encryption applications are considered or not.

TABLE 2 Recently Proposed PRNG Designs and Their Used Evaluation Criteria

The objective of this paper is to investigate six different scenarios for designing PRNGs by providing basic definitions, simple flowcharts, design procedures, and some recommendations based on literature survey. The analysis includes the most common evaluation criteria that exist in recent literature such as NIST SP-800-22, TestU01 randomness tests, histogram, entropy, autocorrelation, and cross-correlation. In addition, key space, key sensitivity, key expansion, and algorithm complexity are studied for further assessment of the six PRNGs. Finally, the six PRNGs are utilized in an image encryption application to validate their use in cryptographic applications.

The remainder of this paper is organized as follows. Section II describes the six different PRNGs, which are based on chaotic and non-chaotic generators. Section III provides different security analyses for the six generators and compares them from the security and efficiency points of view. Section IV introduces and analyzes an image encryption application that utilizes the six PRNGs. Finally, the conclusions are given in Section V.

SECTION II.

Six Different PRNG Designs

The two design categories of PRNGs, non-chaos-based and chaos-based, are studied and discussed in this section. In the first design category, PRNGs based on LFSR and S-Box (LS), Primitive Roots (PR), and Elliptic Curve (EC) are considered. In the second category, PRNGs based on Discrete Chaos (DC), Continuous Chaos (CC), and Fractional Chaos (FC) are considered. The design objective is to provide simple and functional PRNGs that enable valid comparisons. Although those designs pass the required statistical and sensitivity tests, they can be enhanced for improved statistical results and performance. The main flowcharts for the six PRNGs are shown in Fig. 3, which will be explained and discussed in the following subsections.

FIGURE 3. - Flowcharts for the six PRNGs: (a) LS, (b) PR, (c) EC, (d) DC, (e) CC, and (f) FC.

A. PRNG Based on LFSR and S-Box (LS)

An $N$-bit LFSR is a sequence of $N$ shift registers connected in series with a feedback function. This function determines the period of the LFSR, where the outputs from some selected registers are XORed to define the feedback polynomial. When the polynomial is primitive, the period of the LFSR achieves its maximum value $2^{N}-1$. It is important to seed the LFSR with a non-zero value for proper operation [36]. For example, the feedback polynomial $x^{32}+x^{7}+x^{6}+x^{2}+1$ is a primitive polynomial for the 32-bit LFSR shown in Fig. 4(a). Table 3 shows some examples of primitive polynomials that achieve maximum period.

TABLE 3 Examples of Primitive Polynomials for a 32-bit LFSR

FIGURE 4. - (a) A 32-bit LFSR with feedback polynomial $x^{32}+x^{7}+x^{6}+x^{2}+1$, (b) proposed PRNG, and (c) random behavior of the PRNG output.

Figure 4(b) shows a proposed new design of a PRNG, which uses three 32-bit LFSRs and 4 S-Boxes. The feedback polynomials for the three LFSRs are chosen as the first three polynomials in Table 3. The flowchart of the PRNG is shown in Fig. 3(a), where four 8-bit values $S_{1}$, $S_{2}$, $S_{3}$, and $S_{4}$ are first used to dynamically generate four S-Boxes according to the Generate_SBox function described in [37]. The three LFSRs are initialized with three different 32-bit seeds, and three values ${Rd}_{1}$, ${Rd}_{2}$, and ${Rd}_{3}$ are initialized to zeros. Then, the three LFSRs are simultaneously clocked using the Next_Clock function to produce three new 32-bit values. The three new values, A, B, and C, are XORed to generate one 32-bit value, D. Afterwards, the four consecutive 8-bit numbers of D ($D_{1}$, $D_{2}$, $D_{3}$, and $D_{4}$) are confused using the four S-Boxes to produce $V_{1}$, $V_{2}$, $V_{3}$, and $V_{4}$. Then, each of $V_{1}$, $V_{2}$, and $V_{3}$ is XORed with $V_{4}$ and ${Rd}_{3}$, ${Rd}_{1}$, and ${Rd}_{2}$, respectively, to produce three random 8-bit values $R_{1}$, $R_{2}$, and $R_{3}$. Finally, ${Rd}_{1}$, ${Rd}_{2}$, and ${Rd}_{3}$ are set to $R_{1}$, $R_{2}$, and $R_{3}$, respectively, and the resulting 24-bit random value is the concatenation of those three 8-bit values. The process continues by clocking the PRNG to produce new values.

The Generate_SBox algorithm used to generate the $8\times 8$ S-Box is based on an 8-bit LFSR with a feedback polynomial $x^{8}+x^{6}+x^{5}+x^{4}+1$. This algorithm is capable of generating 255 different S-Boxes depending on the initial seed of the 8-bit LFSR. The $8\times 8$ S-Box is implemented as a $16\times 16$ matrix, where each element of the matrix contains one of the different states that the LFSR can take and the last element in the matrix is set to zero. The operation of the S-Box is simple, where the 4 least and most significant bits of the input value are used to select the row and column of the $16\times 16$ matrix, respectively, and the output of the S-Box is the element at this location.

While there are many PRNG designs based on LFSRs, the design shown in Fig. 4(b) represents one simple design. For instance, a PRNG has recently been designed through carefully selecting two LFSRs and XOR gates to improve the length of the generated bit sequences by a factor of 200X as compared to the single LFSR-based design [38]. Moreover, area efficient stochastic number generators are designed through sharing the output of the LFSR with two comparators to achieve a minimal area hardware overhead [39]. A staggered LFSR is also proposed, where a subordinate LFSR determines the number of feedback polynomial applications for the main LFSR to enhance the randomness of the generated bit sequence [40].

During the design process of the LS PRNG, the key sensitivity tests are performed by modifying one bit in one of the seed values used in generating the S-Boxes. If the delay element is not available, only one S-Box is changed and the results of the correlation tests are not good. By adding the delay element, the change is propagated from one iteration to the next iteration resulting in a completely different bitstream.

Because LFSRs are predictable and cannot be used alone in generating secure PRNGs, combining more than one LFSR is necessary for adding security to the produced bitstream. Furthermore, utilizing S-Boxes helps in making the bitstream random and enables passing the NIST SP-800-22 and TestU01 randomness tests. Finally, enhancing the key sensitivity is achieved by adding a delay element. Figure 4(c) shows the output values $R_{1}$, $R_{2}$, and $R_{3}$ for the first 20 iterations, and they are independent.

Therefore, the main design guidelines are summarized as follows:

  • Combining two or more LFSRs enhances security and increases the key space.

  • Incorporating a non-linear element, such as S-Box, adds an extra level of security.

  • Adding a delay element enhances the key sensitivity.
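
The effect of the delay element on key sensitivity can be reproduced with a small model of the LS design. This is an added sketch, not the paper's code: it assumes each Next_Clock call shifts a register 32 times, that the S-Box table starts at the seed state, and, since Table 3 is not reproduced on this page, it uses stand-in tap masks for the second and third LFSRs.

```python
# Added illustration of the LS design; not the paper's implementation.
POLY8 = 0xB8  # x^8+x^6+x^5+x^4+1, right-shift Galois form (bit k-1 set for x^k)
# Only the first 32-bit polynomial appears on the page; the other two masks
# are stand-ins for Table 3 entries that are not reproduced here.
POLY32 = (
    0x80000062,  # x^32+x^7+x^6+x^2+1 (from the page)
    0x80200003,  # x^32+x^22+x^2+x+1 (stand-in)
    0x80000057,  # x^32+x^7+x^5+x^3+x^2+x+1 (stand-in)
)


def lfsr_step(state, mask):
    """Advance a Galois LFSR by one bit."""
    lsb = state & 1
    state >>= 1
    return state ^ mask if lsb else state


def generate_sbox(seed):
    """List the 255 states of the 8-bit LFSR starting at `seed`, then 0."""
    if not 1 <= seed <= 0xFF:
        raise ValueError("S-Box seed must be a non-zero 8-bit value")
    table, state = [], seed
    for _ in range(255):
        table.append(state)
        state = lfsr_step(state, POLY8)
    table.append(0)  # last element of the 16x16 matrix is zero
    return table


def sbox_lookup(table, value):
    """Low nibble selects the row, high nibble selects the column."""
    return table[16 * (value & 0x0F) + (value >> 4)]


def ls_prng(sbox_seeds, lfsr_seeds, count, delay=True):
    """Return `count` (R1, R2, R3) byte triples; delay=False removes Rd."""
    if len(sbox_seeds) != 4 or len(lfsr_seeds) != 3:
        raise ValueError("need four S-Box seeds and three LFSR seeds")
    if any(not 0 < s <= 0xFFFFFFFF for s in lfsr_seeds):
        raise ValueError("LFSR seeds must be non-zero 32-bit values")
    boxes = [generate_sbox(s) for s in sbox_seeds]
    regs = list(lfsr_seeds)
    rd1 = rd2 = rd3 = 0
    out = []
    for _ in range(count):
        for j in range(3):  # assumed Next_Clock: 32 shifts per register
            for _ in range(32):
                regs[j] = lfsr_step(regs[j], POLY32[j])
        d = regs[0] ^ regs[1] ^ regs[2]
        v = [sbox_lookup(boxes[j], (d >> (8 * j)) & 0xFF) for j in range(4)]
        r1 = v[0] ^ v[3] ^ rd3
        r2 = v[1] ^ v[3] ^ rd1
        r3 = v[2] ^ v[3] ^ rd2
        if delay:  # feed this iteration's output into the next one
            rd1, rd2, rd3 = r1, r2, r3
        out.append((r1, r2, r3))
    return out


def differing_fraction(a, b, index):
    """Fraction of iterations in which output byte `index` differs."""
    return sum(x[index] != y[index] for x, y in zip(a, b)) / len(a)


if __name__ == "__main__":
    lfsr_seeds = (0x12345678, 0x9ABCDEF1, 0x0F1E2D3C)  # constructed values
    key, flipped = (0x3A, 0x5C, 0x71, 0xE9), (0x3B, 0x5C, 0x71, 0xE9)
    for delay in (False, True):
        a = ls_prng(key, lfsr_seeds, 400, delay)
        b = ls_prng(flipped, lfsr_seeds, 400, delay)
        print(delay, [differing_fraction(a, b, i) for i in range(3)])
```

With one bit flipped in the first S-Box seed, the run without the delay changes only the first output byte, while the run with the delay changes all three.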

B. PRNG Based on Primitive Roots (PR)

In number theory, $g$ is said to be a primitive root for $p$ if every integer that is non-zero $\bmod\ p$ is congruent to a power of $g \bmod p$ [41]. For example, if $g=3$ and $p=7$, it can be easily shown that every power of $3 \bmod 7$ is unique, hence 3 is a primitive root for 7. On the other hand, if $g=2$, then it is clear that $2^{1} \bmod 7 = 2$ and $2^{4} \bmod 7 = 2$, therefore 2 is not a primitive root for 7. Another useful property is that knowing one primitive root for $p$ can help in finding all remaining primitive roots of $p$. If $p$ is selected to be a prime, then there are $\Phi(p-1)$ primitive roots. The Euler function $\Phi(n)$ equals the number of integers $j$ with $1\le j\le n$ such that $\gcd(j, n)=1$, where gcd is the greatest common divisor [41]. Hence, there is a large number of primitive roots that can be found for a large prime $p$.

Recently, a PRNG has been designed based on a prime number and its primitive roots [42]. A modified version of this PRNG is proposed in this section to increase the number of bits per iteration from 8 bits to 24 bits. Figure 3(b) shows the flowchart of the modified PRNG, which utilizes a prime number ($p$) and $m$ of its primitive roots ($r_{1}, r_{2}, \ldots, r_{m}$). The number of selected primitive roots, $m$, should be a multiple of 3 so that the number of iterations required to scan all roots in groups of three is $L=m/3$. The process starts by initializing the power counter $i$ and the three values ${Rd}_{1}$, ${Rd}_{2}$, and ${Rd}_{3}$ to zeros. Then, $i$ is incremented by 1, the primitive roots counter ($k$) is set to zero, and the condition $k\lt L$ is evaluated. If the condition is true, three new 8-bit values $R_{1}$, $R_{2}$, and $R_{3}$ are calculated from three consecutive roots $r_{3k+1}$, $r_{3k+2}$, and $r_{3k+3}$, respectively.

Each root is raised to the $i^{th}$ power, the result is reduced $\bmod\ p$, the result is further reduced by $\bmod\ 2^{8}$, and the three produced values are XORed with ${Rd}_{3}$, ${Rd}_{1}$, and ${Rd}_{2}$, respectively. Finally, ${Rd}_{1}$, ${Rd}_{2}$, and ${Rd}_{3}$ are set to $R_{1}$, $R_{2}$, and $R_{3}$, respectively, and the resulting 24-bit random value is the concatenation of those three 8-bit values. The process continues by incrementing $k$ by 1, then testing the condition $k\lt L$, and so on. If the condition $k\lt L$ is false, $k$ is reset to zero and $i$ is incremented by 1. It should be noted that a delay is introduced in the XOR operation to pass the key sensitivity tests, similar to what is performed in the LS PRNG.

Figure 5(a) shows the generated values of $R_{1}$, $R_{2}$, and $R_{3}$ for the first 20 iterations and they are random. The main motivation behind this design is to exploit the special property of uniqueness found in primitive roots when raised to different powers and then reduced $\bmod\ p$. Figure 5(b) demonstrates the uniqueness property using the prime number $p=23$ and three of its primitive roots (7, 10, and 20).

FIGURE 5. - (a) Values of $R_{1}$, $R_{2}$, and $R_{3}$ for the first 20 iterations, and (b) powers of primitive roots are unique $\bmod\ p$ (7, 10, and 20 are primitive roots for the prime number 23).

Hence, the main design guidelines are summarized as follows:

  • The special property of uniqueness found in primitive roots can be exploited.

  • Adding a delay element enhances the key sensitivity.
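
The primitive-root properties and the PR flowchart described above can be traced with the page's own toy values ($p=23$ with roots 7, 10, and 20). This is an added sketch, not the paper's code; the concatenation order $R_{1}\|R_{2}\|R_{3}$ and the function names are assumptions, and a real instance would use a large prime.

```python
# Added illustration of the PR design; not the paper's implementation.
from math import gcd


def prime_factors(n):
    """Distinct prime factors of n by trial division."""
    factors, q = set(), 2
    while q * q <= n:
        while n % q == 0:
            factors.add(q)
            n //= q
        q += 1
    if n > 1:
        factors.add(n)
    return factors


def euler_phi(n):
    """Number of integers j in 1..n with gcd(j, n) == 1."""
    phi = n
    for q in prime_factors(n):
        phi -= phi // q
    return phi


def is_primitive_root(g, p):
    """For prime p: g is primitive iff g^((p-1)/q) != 1 for each prime q | p-1."""
    if g % p == 0:
        return False
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def primitive_roots(p):
    """All primitive roots of a prime p, found by testing every residue."""
    return [g for g in range(1, p) if is_primitive_root(g, p)]


def roots_from_one(g, p):
    """All primitive roots derived from one: g^e with gcd(e, p-1) == 1."""
    return sorted(pow(g, e, p) for e in range(1, p) if gcd(e, p - 1) == 1)


def pr_prng(p, roots, count):
    """Return `count` 24-bit values following the PR flowchart."""
    if not roots or len(roots) % 3:
        raise ValueError("number of roots m must be a non-zero multiple of 3")
    if not all(is_primitive_root(r, p) for r in roots):
        raise ValueError("every r_j must be a primitive root of p")
    groups = len(roots) // 3            # L = m / 3
    rd1 = rd2 = rd3 = 0                 # delay values start at zero
    out, i = [], 0
    while len(out) < count:
        i += 1                          # power counter
        for k in range(groups):
            v = [pow(roots[3 * k + j], i, p) & 0xFF for j in range(3)]
            r1, r2, r3 = v[0] ^ rd3, v[1] ^ rd1, v[2] ^ rd2
            rd1, rd2, rd3 = r1, r2, r3  # delay: feeds the next iteration
            out.append((r1 << 16) | (r2 << 8) | r3)  # assumed order R1||R2||R3
            if len(out) == count:
                break
    return out


if __name__ == "__main__":
    print(primitive_roots(23), euler_phi(22))
    print([hex(v) for v in pr_prng(23, [7, 10, 20], 5)])
```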

C. PRNG Based on Elliptic Curve (EC)

An elliptic curve equation takes the form $y^{2}=x^{3}+Ax+B$, where $A$ and $B$ are constants, $4A^{3}+27B^{2}\ne 0$. In cryptography, elliptic curves are usually defined over a field $p$, where $p$ is a large prime number, forming an additive abelian group. The point at infinity $\mathcal{O}$ is defined to be the identity element of the group and the group operations are point addition and multiplication [43]. Figure 6(a) shows the geometric interpretation for point addition as described by $P_{3}=P_{1}+P_{2}=(x_{3},y_{3})$ as follows:

\begin{align*}
P_{3} = \begin{cases}
\left(m_{1}^{2}-x_{1}-x_{2},\; m_{1}\left(x_{1}-x_{3}\right)-y_{1}\right), & x_{1} \neq x_{2} \\
\left(m_{2}^{2}-2 x_{1},\; m_{2}\left(x_{1}-x_{3}\right)-y_{1}\right), & P_{1}=P_{2},\ y_{1} \neq 0 \\
\mathcal{O}, & x_{1}=x_{2},\ y_{1} \neq y_{2} \\
\mathcal{O}, & P_{1}=P_{2},\ y_{1}=0 \\
P_{1}, & P_{2}=\mathcal{O} \\
P_{2}, & P_{1}=\mathcal{O}
\end{cases} \tag{1}
\end{align*}

where $P_{1}=\left(x_{1},y_{1}\right)$, $P_{2}=(x_{2},y_{2})$, $m_{1}=\frac{y_{2}-y_{1}}{x_{2}-x_{1}}$, and $m_{2}=\frac{3x_{1}^{2}+A}{2y_{1}}$. In general, a generator point $G$ is defined to generate all the points on the curve. If the points of the elliptic curve form more than one group, each group should have its generator point. Figure 6(b) shows an example of a generator point $G=P_{1}=(4, 4)$, highlighted in yellow, for the elliptic curve $y^{2}=x^{3}+2x+2 \bmod 19$. All of the curve points can be calculated from $P_{1}$. For example, the point $P_{2}=2P_{1}=(18, 13)$ is highlighted in yellow, and in general $P_{n}=nP_{1}$.

FIGURE 6. - (a) Elliptic curve example and the first two cases for point addition, and (b) elliptic curve points example.

Although ECs are commonly used in cryptography, they are also utilized in PRNGs. Several EC-based PRNGs are introduced where the points of the EC are the source of random bits. Two design categories are generally used, namely iterative designs such as [44] and [45] and non-iterative designs such as [46] and [47]. Since EC points can be subjected to cryptanalysis as pointed out in [48], it is not recommended to use all the bits from each coordinate. Moreover, higher bits are not chaotic enough and using them reduces the entropy in the bitstream.

Recently, a PRNG design based on elliptic curves has been proposed [22], where the process of generating random numbers is shown in Fig. 3(c). After reading the parameter $k$ and the curve generator point $G$, the process starts by calculating the base point $P_{0}=kG$ and initializing the points counter $n=0$. Then, a new point $P_{n+1}$ is produced by adding the base point $P_{0}$ to the previous point $P_{n}$. Afterwards, the x-coordinate and y-coordinate of the point $P_{n+1}=(x,y)$ are reduced $\bmod\ 2^{96}$, and a mixing process is performed using the Mix function defined in [22] to shuffle the bits of $x$ and $y$ forming a sequence of 192 random bits. In this Mix function, the final bit sequence is formed by joining each consecutive 24 bits from $x$ and $y$ until all of the 96 bits from each of $x$ and $y$ are used. The process continues by incrementing $n$ by 1 and calculating a new point on the curve.

Curve-192 is selected from the NIST list of recommended secure curves [49], where its prime modulus p is 192 bits and the base point G has 189 bits and 187 bits in the x and y coordinates, respectively. In this design approach, it is important not to extract too many bits from the elliptic curve points because the lower significant bits are more chaotic than the higher significant bits. For instance, different values of the extracted number of bits were investigated during the design process of the EC PRNG. When more than 96 bits were extracted from any point coordinate to increase the bit rate, the produced bitstream did not pass the NIST test.

It is also recommended to use a large prime number $p$ and to carefully select the elliptic curve parameters such that the generator point of the curve forms a large group containing most of the curve points. For example, the curve $y^{2}=x^{3}-5x+3 \bmod 149$ forms 11 subgroups. The point (1, 44) generates the largest subgroup with a total of 150 points, and the point (2, 1) generates a subgroup of only 75 points. Hence, this curve is not secure because the number of points in the largest subgroup is very small.

Therefore, the main design guidelines are summarized as follows:

  • A large prime number p should be chosen.

  • Elliptic curve parameters should be carefully selected.

  • It is not recommended to extract too many bits from the elliptic curve points.
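
The point-addition cases of Eq. (1) and the EC generation loop can be put together as follows. This is an added sketch, not the code of [22]: the P-192 domain parameters are the published NIST values (they are not listed on this page), and the chunk order inside `mix` (most significant 24 bits first, x before y) is an assumption about the Mix function.

```python
# Added illustration of the EC design; not the implementation from [22].
P = 2**192 - 2**64 - 1                      # NIST P-192 prime modulus
A = -3
B = 0x64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1
G = (0x188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012,
     0x07192B95FFC8DA78631011ED6B24CDD573F977A11E794811)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831  # order of G
O = None                                    # point at infinity


def on_curve(pt):
    """True if pt is O or satisfies y^2 = x^3 + Ax + B mod P."""
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Point addition covering the six cases of Eq. (1)."""
    if p2 is O:
        return p1
    if p1 is O:
        return p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:      # inverse points, or doubling with y1 = 0
            return O
        m = (3 * x1 * x1 + A) * pow((2 * y1) % P, -1, P) % P   # m2
    else:
        m = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P          # m1
    x3 = (m * m - x1 - x2) % P
    y3 = (m * (x1 - x3) - y1) % P
    return (x3, y3)


def point_mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    result, addend = O, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def mix(x, y):
    """Interleave the 96-bit x and y in 24-bit chunks into 192 bits."""
    out = 0
    for shift in (72, 48, 24, 0):
        out = (out << 24) | ((x >> shift) & 0xFFFFFF)
        out = (out << 24) | ((y >> shift) & 0xFFFFFF)
    return out.to_bytes(24, "big")


def ec_prng(k, count):
    """Return `count` 24-byte blocks from P_{n+1} = P_n + P_0, P_0 = kG."""
    if not 1 <= k < N:
        raise ValueError("k must satisfy 1 <= k < N")
    base = point_mul(k, G)
    point, blocks = base, []
    while len(blocks) < count:
        point = point_add(point, base)
        if point is O:              # identity has no coordinates; skip it
            continue
        x, y = (c % (1 << 96) for c in point)   # keep only the low 96 bits
        blocks.append(mix(x, y))
    return blocks


if __name__ == "__main__":
    for block in ec_prng(0x1234567890ABCDEF, 3):  # constructed key value
        print(block.hex())
```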

D. PRNG Based on Discrete Chaos (DC)

Discrete maps are extensively utilized in PRNGs because of their simplicity and ease of implementation. Recently, several designs based on hyperchaotic systems are proposed such as the 3D discrete hyperchaotic system [50], a combination of the 2D Logistic map and Duffing map [51], and the 2D sine-cosine-logistic coupling [52]. In addition to those different design options, a simple and secure design is proposed using a modified logistic map.

The logistic map is well-known and studied in chaos theory, where it exhibits chaotic behavior for certain parameter values. This property makes it a candidate for use in cryptography as a source of randomness, and many research works have modified the logistic map to enhance its chaotic behavior and to introduce more controlling parameters [53], [54]. The positive logistic map is defined as:

\begin{equation*}
x_{n+1}=\lambda x_{n}\left(a-bx_{n}\right), \tag{2}
\end{equation*}

where $\lambda$ is the map parameter, and $a$ and $b$ are the newly added parameters [54].

The process of generating random bytes, as shown in Fig. 3(d), starts by reading the map parameters and initial value, $\lambda$, $a$, $b$ and $x_{0}$. After calculating $x_{n+1}$ from the map, it is scaled by $10^{12}$ to ensure randomness, the result is converted into an integer using the floor operation $\lfloor\cdot\rfloor$, and reduced $\bmod\ 2^{24}$ to generate a 24-bit random value, $R$. Finally, three new random 8-bit values $R_{1}$, $R_{2}$, and $R_{3}$ are calculated where $R_{1}$ is the least significant 8 bits, $R_{2}$ is the middle significant 8 bits, and $R_{3}$ is the most significant 8 bits. The process continues by incrementing $n$ by 1, and a new point is calculated from the map.

To elaborate the benefits of adding more control parameters, consider the original logistic map with one parameter ($\lambda$) and one initial condition ($x_{0}$). Assuming 32 bits for each parameter, the driving key length equals 64 bits. This length is insecure and can be attacked using brute-force attacks. On the other hand, the positive logistic map has three controlling parameters ($\lambda$, $a$, $b$) and one initial condition ($x_{0}$). Assuming 32 bits for each parameter, the driving key length is 128 bits that can resist brute-force attacks. Therefore, the new controlling parameters enhance the security of the driving key for the logistic map.

The dynamics of the positive logistic map are explored in Fig. 7, where the map parameters are selected as $\lambda = 8/3$, $a=1.5$, $b=1.875$, and $x_{0}=0.5$. The cobweb diagram of Fig. 7(a) demonstrates the chaotic behavior of the map, whereas Fig. 7(b) shows the values of the map in the first 25 iterations. Because the maximum Lyapunov exponent of Fig. 7(c) has positive values, the positive logistic map with the two newly added parameters can exhibit chaotic behavior. Regarding the choice of the map parameters, if the parameters are selected as $\lambda = 3$, $a=1$, $b=1$, and $x_{0}=0.5$, the map will not exhibit chaotic behavior and it will oscillate between two points. Hence, the attractor cannot be utilized in random number generation.

FIGURE 7. - (a) Cobweb diagram, (b) the first 25 iterations, and (c) maximum Lyapunov exponent of the positive logistic map.

Therefore, the main design guidelines are summarized as follows:

  • Adding extra controlling parameters to the map enhances the key space.

  • The choice of the map parameter values must ensure the chaotic behavior of the map.
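
The byte-extraction steps of the DC design and the parameter check behind the second guideline can be run side by side. This is an added sketch, not the paper's code: the Lyapunov estimate averages $\ln|\lambda(a-2bx_{n})|$ along the orbit, which is a standard estimator chosen here, and the transient length and sample count are assumptions.

```python
# Added illustration of the DC design; not the paper's implementation.
import math


def positive_logistic(x, lam, a, b):
    """One step of Eq. (2): x_{n+1} = lam * x_n * (a - b * x_n)."""
    return lam * x * (a - b * x)


def dc_prng(lam, a, b, x0, count):
    """Return `count` (R1, R2, R3) triples; R1 is the least significant byte."""
    x, out = x0, []
    for _ in range(count):
        x = positive_logistic(x, lam, a, b)
        r = math.floor(x * 10**12) % (1 << 24)   # scale, floor, mod 2^24
        out.append((r & 0xFF, (r >> 8) & 0xFF, (r >> 16) & 0xFF))
    return out


def lyapunov_estimate(lam, a, b, x0, samples=20000, transient=1000):
    """Average of ln|f'(x_n)| with f'(x) = lam * (a - 2*b*x).

    A clearly positive value indicates chaotic behavior; a value at or
    below zero means the orbit settles and the parameters should be
    rejected as key material.
    """
    x, total, used = x0, 0.0, 0
    for n in range(transient + samples):
        x = positive_logistic(x, lam, a, b)
        if n < transient:
            continue                      # skip the start-up transient
        slope = abs(lam * (a - 2 * b * x))
        if slope > 0.0:                   # ln(0) is undefined; skip the point
            total += math.log(slope)
            used += 1
    return total / used


def parameters_are_chaotic(lam, a, b, x0, threshold=0.1):
    """Reject parameter sets whose estimated exponent is not clearly positive."""
    return lyapunov_estimate(lam, a, b, x0) > threshold


if __name__ == "__main__":
    good = (8 / 3, 1.5, 1.875, 0.5)       # chaotic set from the page
    bad = (3.0, 1.0, 1.0, 0.5)            # non-chaotic set from the page
    print(lyapunov_estimate(*good), lyapunov_estimate(*bad))
    print(dc_prng(*good, 5))
```

The threshold of 0.1 in `parameters_are_chaotic` is an arbitrary cut-off for this sketch; the two parameter sets taken from the page fall well on either side of it.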

E. PRNG Based on Continuous Chaos (CC)

In general, continuous systems have more parameters and system states than discrete maps. Those system states can serve as independent sources of randomness. Hence, many research efforts are based on continuous systems such as [55] and [56]. As an example for the different design options available in this category, the Lorenz system is utilized in PRNG using a simple and secure design.

The Lorenz system is a system of ordinary differential equations, which possesses chaos at certain system parameters. While being chaotic, the system state never repeats, and the dynamics of the system is sensitive to any change in the initial condition.

The Lorenz system is given by:

\begin{align*}
\frac{dx}{dt} &= \sigma\left(x-y\right), \tag{3a}\\
\frac{dy}{dt} &= x\left(\rho-z\right)-y, \tag{3b}\\
\frac{dz}{dt} &= xy-\beta z, \tag{3c}
\end{align*}

where $\sigma$, $\rho$, and $\beta$ are the system parameters. This system can be solved using many numerical methods, where the Euler approximation method is used in this work. The Lorenz system is utilized in designing a PRNG as shown in Fig. 3(e). The process of generating random bytes starts by reading the system parameter $\beta$ and the initial conditions $x_{0}$, $y_{0}$, and $z_{0}$. The remaining system parameters $\sigma$ and $\rho$ are initialized to 10 and 28, respectively, the iteration step $h=0.01$, and the points counter $n=0$. Then, the system is iterated to generate a new state $x_{n+1}$, $y_{n+1}$, and $z_{n+1}$. Three new 8-bit values $R_{1}$, $R_{2}$, and $R_{3}$ are calculated from $x_{n+1}$, $y_{n+1}$, and $z_{n+1}$, respectively, such that each state is scaled by a factor of $10^{12}$ and the result is converted to an integer followed by reduction $\bmod\ 2^{8}$. The process continues by incrementing $n$ by 1, and a new state is calculated from the system.

While Fig. 8(a) shows the generated random values for the first 20 iterations, Figs. 8(b) and 8(c) explore the dynamics of the Lorenz system where the system parameters are selected as $\sigma = 10$, $\rho = 28$, $\beta = 8/3$, $x_{0}=0.1$, $y_{0}=1$, and $z_{0}=10$. In Fig. 8(b), the Lorenz attractor in the X-Z plane shows that the system state does not repeat, whereas Fig. 8(c) shows the maximum Lyapunov exponent with positive values ensuring the chaotic behavior of the system. The Lorenz system contains many controlling parameters that help in expanding the key space driving the system. It is important to select the system parameters such that the system is chaotic. For example, if the parameters are selected as $\sigma = 10$, $\rho = 13$, $\beta = 8/3$, the system becomes stable and converges to a fixed point. Hence, the attractor cannot be used in random number generation. Finally, to increase the bit rate, the 3 states are used to extract 24 bits per iteration; 8 bits from each state. Selecting only one state would reduce the bit rate by a factor of one third.

FIGURE 8. - (a) Values of $R_{1}$, $R_{2}$, and $R_{3}$ for the first 20 iterations, (b) strange attractor X-Z plane, and (c) maximum Lyapunov exponent of the Lorenz system.

Therefore, the main design guidelines are summarized as follows:

  • Many system parameters should be selected to increase the key space.

  • The choice of the system parameter values must ensure chaotic behavior.

  • All system states should be utilized in the generation process to increase the bit rate.

F. PRNG Based on Fractional Chaos (FC)

As an extension to continuous systems, fractional-order systems add more system parameters by introducing the fractional-order powers. However, these extra options can have a negative effect on the system complexity and performance. Similar to continuous systems, one of the different design options available in this design category is proposed.

The fractional-order Lorenz system is introduced by applying fractional-order derivatives for the three differential equations given by:

\begin{align*}
\frac{d^{\alpha}x}{dt^{\alpha}} &= -10\left(y-x\right), \tag{4a}\\
\frac{d^{\beta}y}{dt^{\beta}} &= -xz+\left(24-4c\right)x+cy, \tag{4b}\\
\frac{d^{\gamma}z}{dt^{\gamma}} &= xy-\frac{8}{3}z, \tag{4c}
\end{align*}

where $c$ is a parameter and $\alpha$, $\beta$, and $\gamma$ are positive real values that represent fractional orders. The fractional-order derivatives $\alpha$, $\beta$, and $\gamma$ increase the system controlling parameters. This system can be solved using the Adams-Bashforth-Moulton predictor-corrector scheme [57]. The range of those added parameters that make the system exhibit chaos is studied in [58].

Recently, the fractional-order Lorenz system has been utilized in PRNG [27]. The process of generating random bytes is shown in Fig. 3(f), and it is similar to the corresponding process of the integer-order Lorenz system where the system parameter $\alpha$ and the initial conditions $x_{0}$, $y_{0}$, and $z_{0}$ are calculated from the system key. Then, the remaining system parameters $\beta$ and $\gamma$ are both initialized to 1, $c=4$, the iteration step $h=0.005$, and the points counter $n=0$. The system is solved to generate a new state $x_{n+1}$, $y_{n+1}$, and $z_{n+1}$. Three new 8-bit values $R_{1},R_{2}$, and $R_{3}$ are calculated from $x_{n+1}$, $y_{n+1}$, and $z_{n+1}$, respectively, such that each state is scaled by a factor of $10^{12}$ and the result is converted to an integer followed by reduction $\bmod\ 2^{8}$. The process continues by incrementing $n$ by 1, and a new state is calculated from the system. While Fig. 9(a) shows the generated random values for the first 20 iterations, Figs. 9(b) and 9(c) explore the strange attractor in the X-Z plane for $\alpha = 0.8$ and $\alpha = 0.95$, respectively. The system parameters are selected as $\beta = 1$, $\gamma = 1$, $c=4$, $x_{0}=-8.3458$, $y_{0}=-10.6753$, and $z_{0}=12.3088$.

FIGURE 9. (a) Values of $R_{1},R_{2}$, and $R_{3}$ for the first 20 iterations, and strange attractor in the X-Z plane for (b) $\alpha = 0.8$, and (c) $\alpha = 0.95$ in the fractional-order Lorenz system.

The fractional-order Lorenz system adds three extra controlling parameters over the integer-order Lorenz system, which helps in expanding the key space driving the system. Those extra parameters come at the cost of reduced performance because the system state at iteration N is obtained by solving the system for the previous (N – 1) states. Hence, it is recommended to calculate a small number of states and then restart the system from the last reached state.

The effect of using different values of N on the system performance is investigated. The system is tested for different values of N, after which the system is restarted using the last state. The results show that doubling the value of N reduces the bit rate by a factor of 0.5. Accordingly, restarting the system after a selected number of iterations improves the performance and increases the bit rate.

Similar to the integer-order Lorenz system, it is important to select the system parameters such that the system is chaotic. For example, by selecting the system parameters as $\alpha = 0.7$, $\beta = 1$, $\gamma = 1$, $c=4$, the system becomes stable and converges to a stable point. Finally, all system states should be used to increase the bit rate as previously explained for the CC PRNG.

Therefore, the main design guidelines are summarized as follows:

  • Many system parameters should be selected to increase the key space.

  • The choice of the system parameter values must ensure chaotic behavior.

  • The three states should be utilized in the generation process to increase the bit rate.

  • Restart the system after a limited number of iterations (e.g., 100 iterations) to enhance the performance.

SECTION III.

PRNG Results and Discussion

Four test groups, namely statistical tests, correlation tests, key sensitivity, and algorithm complexity, are applied to each PRNG and the results are explained and discussed. In addition, the potential for expanding the key for each PRNG design is investigated. The six PRNGs are then compared based on the security tests, algorithm performance, and key expansion. As shown in Table 4, the system key consists of the system parameters and initial conditions. For a fair comparison, a system key of length 128 bits is utilized in all PRNGs. Since PR is the only system that has dependent parameters (i.e., a prime number and some of its primitive roots), its key is carefully constructed to satisfy this relation. Afterwards, all other systems can safely operate using the same key whose value is “9086A797951D9751A32BB8E9CE8ED264” in hexadecimal.

TABLE 4 System Keys for the Six PRNGs; Each With 128 Bits in Length

Although the scope of this research is focused on basic PRNG design characteristics, each design category can be further modified by changing the system key to fulfill any required changes in the system design. It is also worth mentioning that due to the emergence of low resource devices, NIST started a contest to select a new standard for lightweight cryptography in constrained environments [59]. The contest ended with the selection of the Ascon family.

Table 4 shows the equivalent system parameters and initial conditions for the non-chaos-based PRNGs as extracted from the key. As for the chaos-based PRNGs, the parameters and initial conditions extracted from the key are modified by applying:

\begin{align*} S &= S_{fix}+S_{key}\times 10^{-12}, \tag{5a}\\ X &= X_{key}\times 10^{-10}, \tag{5b}\end{align*}

where $S$ is any system parameter, $S_{fix}$ is the fixed part of the system parameter, $S_{key}$ is the decimal value of the corresponding parameter as obtained from the key, $X$ is any initial condition, and $X_{key}$ is the decimal value of the corresponding initial condition as obtained from the key. The scaling factors $10^{-12}$ and $10^{-10}$ are used to ensure that the value of $S_{key}$ does not affect the first two digits of the fixed part and to limit the initial values to less than 1, respectively. The fixed values of the parameters are selected as $\{\lambda_{fix}, a_{fix}, b_{fix}, \beta_{fix}, \alpha_{fix}\} = \{2.6, 1.45, 1.85, 2.66, 0.9\}$. Hence, the resulting parameters and initial conditions for the chaos-based PRNGs are shown in Table 4.

All algorithms are implemented using C# under .NET Framework 4.7 and the experiments are conducted on a Dell laptop with an Intel Core i7-1065G7 CPU @ 1.30 GHz, running Windows 10 with 16 GB of RAM. The PRNGs are configured to generate 3,145,728 bytes, which are equivalent to a colored image of size $1024\times 1024$.

A. Statistical Tests

The statistical evaluation examines the bitstreams generated from the six PRNGs using different tests including NIST SP-800-22 test suite [5], TestU01 randomness tests [6], histogram, and entropy. For any PRNG that is intended to be used in cryptographic applications, the NIST statistical test suite is an important tool for determining whether a bitstream is cryptographically secure or not. The NIST test suite provides a significance level $\alpha$ for each test, and if P-value $\ge \alpha$ then the sequence passes this test. For cryptography applications $\alpha$ is set to 0.01, which means that 1% of the sequences are expected to be non-random. In addition, the distribution of the P-values is considered to be uniformly distributed when $PV\ge 0.0001$, and nonuniform otherwise. The bitstream is considered to be random if the P-values distribution is uniform and PP passes the required value. Table 5 shows the NIST results of the six PRNGs, where they all succeeded in passing the NIST tests. Therefore, the presented PRNGs are considered cryptographically secure. However, the results in Table 5 and Table 6 can be improved by optimizing the design process for each PRNG category.

TABLE 5 NIST Results for the Six PRNGs
TABLE 6 TestU01 Results for the Six PRNGs

Furthermore, TestU01 is widely used in literature because of its built-in test batteries that cover many aspects of randomness tests. Three test batteries are selected for testing the randomness of the generated bitstreams, namely Rabbit, Alphabit, and Block Alphabit. Table 6 shows the results of the six PRNGs for the selected batteries, and they all succeeded in passing all of the 157 tests.

A histogram shows the distribution of the generated bytes from the PRNG, where a good PRNG should produce a uniform histogram with equally distributed numbers. On the other hand, a poor PRNG shows a nonuniform histogram indicating biases in the generated numbers. As shown in Fig. 10, all of the six PRNGs show uniform distributions for the output values. Moreover, the generated bytes from each PRNG are converted into an image as shown in Fig. 10. Visual inspection of the images reveals the randomness of the generated bytes, which is consistent with the results of previous tests. Finally, a good PRNG should have an entropy value that approaches its maximum value of 8. This indicates that the produced numbers cannot be predicted from previously generated ones. The entropy values for LS, PR, EC, DC, CC, and FC are 7.99994, 7.99994, 7.99994, 7.99995, 7.99995, and 7.99994, respectively. Since these values approach the maximum value, the generated bitstreams are not predictable.

FIGURE 10. Histogram and output bitstream represented as an image: (a) LS, (b) PR, (c) EC, (d) DC, (e) CC, and (f) FC.

B. Correlation Tests

The correlation of the generated bitstreams is examined in two different scenarios. In the first scenario, the autocorrelation coefficient is calculated between the original bitstream and 1000 shifted versions of itself. In the second scenario, each PRNG is driven by five keys that are different from the original key. Then, the cross-correlation coefficients between the original bitstream and the other five bitstreams are calculated. Autocorrelation indicates whether or not the bitstream exhibits dependency, periodicity, or repeated patterns. A good PRNG should produce a bitstream that is not dependent, periodic, or repeated. A value close to 1 or -1 represents poor bitstreams, whereas a value close to 0 represents a good bitstream.

As shown in Fig. 11, the autocorrelation values for different shift values are very close to zero as required. In addition, a cross-correlation coefficient value close to 0 indicates non-associated bitstreams whereas a value close to 1 or -1 indicates highly associated bitstreams.

FIGURE 11. Autocorrelation coefficient values for different shift values in the six PRNGs: (a) LS, (b) PR, (c) EC, (d) DC, (e) CC, and (f) FC.

Figure 12 shows five different keys as well as the cross-correlation coefficient values between the resulting bitstreams and the original bitstream. The close-to-zero values imply that the generated bitstreams have high dependency on the system key, and a completely different bitstream is generated for a different system key.

FIGURE 12. (a) Five different system keys, and (b) the resulting cross-correlation coefficient values for the six PRNGs.

C. Key Sensitivity

Key sensitivity is examined by changing the Least Significant Bit (LSB) of each parameter and initial condition. Then, the generated bitstreams are compared with the original bitstream generated using the original key. Table 7 summarizes the different sensitivity test cases for each system, and the resulting correlation coefficient values. The close-to-zero values demonstrate that even the slightest change in the system key changes the output bitstream significantly.

TABLE 7 Sensitivity Test Cases

D. Algorithm Complexity

The algorithm complexity for the six PRNGs is studied using the big O notation. For the first five algorithms (LS, PR, EC, DC, and CC), only one loop exists as shown in Figs. 3(a)-(e). Hence, the complexity of the algorithm is $O(N)$, where $N$ is the number of iterations. On the other hand, the FC algorithm performs two nested loops as required by the numerical method of Fig. 3(f). One inner loop is used to calculate a predicted value, and the other outer loop is required to calculate the final value for the system state variables. Hence, the FC algorithm complexity is $O(N^{2})$.

Although the first five algorithms (LS, PR, EC, DC, and CC) have similar complexity, the performance for each is different since they apply different mathematical operations with different computation times. Hence, the bit rate is calculated for all PRNGs to investigate the differences between the different methods. Table 8 shows the average bit rate for the six PRNGs, where the DC algorithm performs much better than the other algorithms. The reason behind this stems from the simple equation of the positive logistic map, which requires few mathematical operations per iteration.

TABLE 8 Comparison Between the Six PRNGs

For the LS algorithm, most of the operations are XOR, bit-shift, and bit-AND which are fairly fast operations in C#. Therefore, the bit rate is very good and outperforms reported bit rates in the literature such as [17] and [18]. Similarly for the CC algorithm, the reported bit rate is very good because few mathematical operations are required per iteration.

In case of the PR algorithm, although there are few operations per iteration, the power operation takes more time especially as the power starts to grow. Hence, the reported bit rate is fairly good but less than other PRNGs. For the FC algorithm, the reported bit rate is much lower than other PRNGs because of two factors. The first factor is the complexity of the algorithm, and the second factor is the large number of mathematical operations required per iteration. In case of the EC algorithm, although there is only one addition operation per iteration, the use of big integers to support very large numbers used by the elliptic curve adds extra processing time for performing simple addition and multiplication operations. Therefore, the reported bit rate is the minimum among the presented PRNGs.

E. Key Expansion

The potential of increasing the length of the system key is investigated with respect to different factors such as the number of parameters, parameter size, and the effect of those changes on the validity of the system. For the LS system, it is possible to increase the number of parameters as needed by adding more LFSRs and/or S-Boxes. In such cases, a new PRNG design is required to utilize the extra bits available from the new parameters. The new design should also be evaluated using the aforementioned tests before using it in any cryptographic application. Therefore, the LS system key cannot be expanded for the current design.

In the case of PR, all system key parameters can be expanded as long as a prime number and some of its primitive roots are selected. Because the size of a primitive root can be at most the size of the prime number, the maximum length of the system key equals $n(m+1)$, where $n$ is the number of bits for the selected prime number and $m$ is the number of primitive roots. Hence, the PR system key can be expanded using the same design.

For an elliptic curve defined over a field $F_{p}$ where $p$ is a large prime number, the order of the curve (i.e., the number of points on the curve) is bounded by $\left(p+1+2\sqrt{p}\right)$ as given by Hasse's theorem [43]. The order of a point $P$ on the curve is the smallest positive integer $z$ such that $zP = \mathcal{O}$, where $\mathcal{O}$ is the point at infinity. Since the order of any point $P$ cannot exceed the order of the curve, the order of $P$ is bounded by $\left(p+1+2\sqrt{p}\right)$. For EC, the structure of the algorithm does not depend on the value of $k$, but $k$ is used in calculating the base point $P_{0}=kG$ and the only restriction applied on $k$ is not to make $P_{0}= \mathcal{O}$. Hence, $k$ must be less than the order of the generator point $G$. Therefore, the system key length can reach up to $n$ bits where $n=\log_{2}(p+1+2\sqrt{p})\approx \log_{2}(p)$.

For the DC system, it is assumed that each of the key parameters is 32 bits in length. Because this length can be extended to 64 bits, the system key can be doubled to reach $4\times 64=256$ bits. In such a case, the PRNG must be revalidated to pass all the previous tests. As for the CC, the two system parameters $\sigma$ and $\rho$ can be used in the key and all parameters can be extended to 64 bits. Hence, the system key can reach up to $6\times 64=384$ bits. Similar to DC, a revalidation of the system is required. Similarly, the FC system has two system parameters $\beta$ and $\gamma$ that can be used in the key and all parameters can be expanded to 64 bits. Hence, the system key can reach $6\times 64=384$ bits. The system must also be revalidated to pass all the required tests.

F. Comparing the Six PRNGs

The six PRNGs are compared based on security tests, algorithm performance, and key expansion. Table 8 summarizes the PRNG results and it is clear that each of the currently proposed designs has its advantages and disadvantages, where a tradeoff between performance and security exists. For instance, DC has the highest bit rate but its key is limited to 256 bits. Hence, it might not be suitable for applications that require high security. On the other hand, EC has the least bit rate but its system key can be expanded to the size of the selected prime number. Hence, EC is more suitable than DC from the security point of view. It should be mentioned that for a fair comparison between the six designs, the key length is fixed to 128 bits. If the key length is not fixed, proper comparisons would not be possible and the analysis outcomes of Table 8 would be changed.

SECTION IV.

Image Encryption Application

Recently, a lot of research work focused on image encryption because of its increasing importance in the digital world. Table 9 summarizes some of the recent state of the art techniques and compares them with respect to different aspects such as key space, correlation coefficients, entropy, and differential attack measures.

TABLE 9 Recent Encryption Systems Results for Different Grayscale Images

Therefore, the six PRNGs are examined in a simple image encryption system as an example of a cryptographic application. Although each PRNG category can have a different key space, a simple system design with a fixed-length system key having a space of $2^{128}$ is chosen for the sake of fair comparisons. The block diagrams for the encryption and decryption systems are given in Fig. 13, where two mandatory processes, namely substitution and permutation, are required as recommended by Shannon [60]. While image pixel values are changed in the substitution process, image pixel positions are changed in the permutation process. The substitution process consists of a simple XOR operation between the image pixel, the pseudo random key, and the last encrypted pixel. The permutation process is performed using the well-known Arnold cat map [61], which is given as:

\begin{align*} \binom{x_{new}}{y_{new}} = \begin{pmatrix} 1 & a \\ b & 1+ab \end{pmatrix} \binom{x}{y} \bmod M, \tag{6}\end{align*}

where $x$ and $y$ are the original pixel locations, $x_{new}$ and $y_{new}$ are the new pixel locations, $M$ is the image size, and $a, b \in \{1, 2, \ldots, M-1\}$. In general, deducing the Arnold cat map parameters from the input image adds a level of security and enhances the differential attack measures. Therefore, the values of $a$ and $b$ are calculated as follows:

\begin{align*} S &= sum\left(image~pixels\right), \tag{7a}\\ a &= mod\left(S+a_{key}, M-1\right), \tag{7b}\\ b &= mod\left(S+b_{key}, M-1\right)+1, \tag{7c}\end{align*}

where $a_{key}, b_{key}$ are the first two consecutive 8-bit values from the system key.

FIGURE 13. Block diagram for (a) the encryption system and (b) the decryption system.
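A round trip of the permutation of Eq. (6)-(7) and the chained XOR substitution described above, as an added example that is not the paper's implementation. Assumed here: permutation runs before substitution (the block diagram is not reproduced on this page), the chaining value starts at 0, `random.Random` stands in for the PRNG keystream, and the 16×16 image is constructed sample data; all function names are hypothetical.

```python
import random

KEY = bytes.fromhex("9086A797951D9751A32BB8E9CE8ED264")  # system key quoted on the page
M = 16                                                    # constructed image is M x M
_rng = random.Random(1)
SAMPLE = [_rng.randrange(256) for _ in range(M * M)]      # constructed pixel data

def cat_params(pixels, m, a_key, b_key):
    """Eq. (7): derive a and b from the pixel sum S and two key bytes."""
    s = sum(pixels)
    return (s + a_key) % (m - 1), (s + b_key) % (m - 1) + 1

def cat_permute(pixels, m, a, b, inverse=False):
    """Eq. (6): pixel (x, y) moves to (x + a*y, b*x + (1 + a*b)*y) mod m."""
    out = [0] * (m * m)
    for y in range(m):
        for x in range(m):
            xn = (x + a * y) % m
            yn = (b * x + (1 + a * b) * y) % m
            if inverse:
                out[y * m + x] = pixels[yn * m + xn]   # gather undoes the scatter
            else:
                out[yn * m + xn] = pixels[y * m + x]
    return out

def keystream(key, n):
    # Stand-in for any of the six PRNGs (assumption); not a secure generator.
    rng = random.Random(int.from_bytes(key, "big"))
    return [rng.randrange(256) for _ in range(n)]

def encrypt(pixels, m, key):
    a, b = cat_params(pixels, m, key[0], key[1])
    permuted = cat_permute(pixels, m, a, b)
    prev, out = 0, []
    for p, k in zip(permuted, keystream(key, m * m)):
        prev = p ^ k ^ prev          # pixel XOR key byte XOR last encrypted pixel
        out.append(prev)
    return out

def decrypt(cipher, m, key):
    prev, permuted = 0, []
    for c, k in zip(cipher, keystream(key, m * m)):
        permuted.append(c ^ k ^ prev)
        prev = c
    # A permutation keeps the pixel sum, so S (and with it a, b) is recomputed
    # here from the permuted image; nothing besides the key is transmitted.
    a, b = cat_params(permuted, m, key[0], key[1])
    return cat_permute(permuted, m, a, b, inverse=True)

def npcr(c1, c2):
    """Fraction of positions at which two cipher images differ."""
    return sum(u != v for u, v in zip(c1, c2)) / len(c1)

if __name__ == "__main__":
    cipher = encrypt(SAMPLE, M, KEY)
    tweaked = list(SAMPLE)
    tweaked[0] ^= 1                  # change one pixel by one bit
    print("round trip ok:", decrypt(cipher, M, KEY) == SAMPLE)
    print("NPCR after one-pixel change:", npcr(cipher, encrypt(tweaked, M, KEY)))
```

If the substitution stage ran first, the decryptor could not recover S from the ciphertext alone and a and b would have to be conveyed separately.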

Two standard images from the USC-SIPI database [68] are used in analyzing the encryption system; “Mandrill” and “Airplane” with sizes of $512\times 512$. The analysis results for the six PRNGs are shown in Table 10, where visual inspection of the encrypted images suggests the success of the system in hiding the image information.

TABLE 10 Encryption Results for the Six PRNGs

Images are known for the high correlation among their adjacent pixels in the horizontal, vertical, and diagonal directions. As shown in Table 10, the correlation coefficient values achieved by the encryption system are very small in all directions as required for good encryption.

In addition, the MSE values demonstrate the large difference between the encrypted and source images. At the same time, the entropy values are near 8 suggesting that the encrypted image acts similar to a random source.

Differential attacks are very common in image encryption, where an attacker tries to study the relationship between the input image and the output encrypted image by changing only one pixel value in the input image. In the case of a good encryption method, the expected values for NPCR and UACI metrics are around 99.61% and 33.46%, respectively [7]. In the proposed system design, the presence of the delay block enhances the differential attack results because the effect of changing one pixel is propagated to all of the image pixels. The differential attack measures are calculated by taking the average results of ten iterations where in each iteration one random pixel value is changed. The results in Table 10 confirm that the differential attack measures for the six PRNGs are in the good expected ranges.

SECTION V.

Conclusion

Since PRNGs are a core component in many applications, this paper analyzed six design scenarios under two primary categories: non-chaotic and chaotic generators. While designing cryptographically secure PRNGs, it is recommended to follow some design guidelines to ensure that the key space is large enough to resist brute-force attacks, and that the key is sensitive to a one-bit change. Because the scope of this work is focused on basic PRNG design characteristics, a system key of length 128 bits is utilized in all PRNGs for the sake of proper comparisons. Although those designs pass the required statistical and sensitivity tests, they can be enhanced for improved statistical results and performance and the system key can be changed accordingly.

In case of the LS system, combining more than one LFSR increases the key space and enhances the security, the use of S-Boxes adds an extra level of security, and the delay element enhances the key sensitivity. In case of the PR system, the special property of uniqueness found in primitive roots enhances the security, and adding the delay element enhances the key sensitivity. For the EC system, selecting a secure elliptic curve with a large prime is mandatory, and extracting too many bits from the elliptic curve points is not recommended. For the DC system, adding extra controlling parameters enhances the key space, and carefully selecting the map parameters ensures chaotic behavior. In case of the CC system, using as many system parameters as possible increases the key space, and carefully selecting the system parameters ensures the chaotic behavior. The FC system is similar to the CC system, and to overcome the performance issue it is recommended to restart the system state after a small number of iterations. Finally, each of these design categories can be further enhanced to achieve different security levels with different key spaces.
