
Commun Nonlinear Sci Numer Simulat 19 (2014) 887–895


Pseudo-random number generator based on mixing of three chaotic maps

M. François a,b, T. Grosges a,⇑, D. Barchiesi a, R. Erra c

a Group for Automatic Mesh Generation and Advanced Methods (Gamma3 UTT-INRIA), University of Technology of Troyes, 12 rue Marie Curie, CS 42060, F-10004 Troyes Cedex, France
b Equipe-projet Digits, Architectures et Logiciels Informatiques (DALI), Université de Perpignan, 52 avenue Paul Alduy, F-66860 Perpignan cedex 9, France
c Department of Network & Information Security, Ecole Supérieure d’Informatique, Electronique, Automatique (ESIEA), 9 rue Vésale, F-75005 Paris, France

Article info

Article history: Received 27 February 2013; received in revised form 19 August 2013; accepted 20 August 2013; available online 31 August 2013.

Keywords: Nonlinear chaotic function; Pseudo-random; Permutation; Cryptography; Statistical analysis

Abstract

A secure pseudo-random number generator, the three-mixer, is proposed. The principle of the method consists in mixing three chaotic maps produced from an initial input vector. The algorithm uses permutations whose positions are computed and indexed by a standard chaotic function and a linear congruence. The performance of the scheme is evaluated through statistical analysis. The cryptosystem exhibits significant cryptographic qualities for a high security level.

© 2013 Elsevier B.V. All rights reserved.

1. Introduction

The generation of pseudo-random numbers plays a critical role in a large number of applications such as numerical simulations, the gaming industry, communications and cryptography [1]. A pseudo-random number generator (PRNG) is defined as an algorithm that generates sequences of numbers with some properties of randomness. The main advantages of such generators are the speed and the repeatability of the produced pseudo-random sequences. In practice, the generation of pseudo-random numbers is not trivial, and the randomness quality of the produced sequence can be essential in the choice of the application. One way to design such a PRNG is connected to chaos theory [2]. That theory focuses primarily on the description of systems that are often very simple to define but whose dynamics appear to be very confused. Chaotic systems are characterized by their high sensitivity to initial conditions and by properties such as ergodicity, pseudo-random behavior and high complexity [2]. The extreme sensitivity to the initial conditions (i.e., a small deviation in the input can cause a large variation in the output) makes chaotic systems very attractive for cryptographic applications, especially for pseudo-random number generators. Therefore, several chaotic systems have been applied successfully to produce pseudo-random sequences [3–7]. Many of these systems use the same standard chaotic function to efficiently generate pseudo-random numbers [8–12].
In this paper, a new PRNG using a standard chaotic function is presented. The algorithm uses a degressive modulo to progressively index the positions of an initial vector before permuting their associated elements through the use of a xor operator. The chaotic permutations are applied iteratively to the initial vector in order to produce three chaotic maps. These maps are xored and the resulting sequence is the output of the algorithm. The choice of producing and xoring three chaotic maps increases the complexity of the system and makes it more difficult for an attacker to extract sensitive information from the outputs. The advantages of the proposed PRNG are the free choice of the input vector and the randomness quality of the produced outputs. The paper is structured as follows: the description of the method is given in Section 2. Section 3 presents the statistical analysis applied to a set of generated pseudo-random sequences. The security analysis of the PRNG is carried out in Section 4, before concluding.

⇑ Corresponding author. Tel.: +33 3 25 71 84 30; fax: +33 3 25 71 56 49. E-mail address: thomas.grosges@utt.fr (T. Grosges).

1007-5704/$ - see front matter © 2013 Elsevier B.V. All rights reserved.
http://dx.doi.org/10.1016/j.cnsns.2013.08.032

2. The generator

The PRNG algorithm is based on the construction of three chaotic maps obtained by permuting and shuffling the elements of an initial input vector. The permutations are performed using a chaotic function to scramble the positions used. The chaotic function is the logistic function $F(X) = \lambda X(1 - X)$ (with $3.5699 < \lambda < 4.0$), which has already been used in pseudo-random number generation [8–12]. Here, we use the chaotic function with $\lambda = 3.9999$, which corresponds to a highly chaotic case [13]. To initiate the permutation process, an initial input vector $I_{in}$ of size $N$ and a starting seed value $X_0$ are necessary. The iterative form of the chaotic function used is:

$$X_{n+1} = 3.9999\, X_n (1 - X_n), \quad \forall n \geq 0, \qquad (1)$$

where the starting seed $X_0$ is a real number belonging to $]0, 1[$. All the output elements $X_n$ are also real numbers belonging to $]0, 1[$. Due to the term $(1 - X)$ in Eq. (1), the distributions are symmetric about the midpoint of the interval $]0, 1[$. To avoid redundancy, the starting seed $X_0$ must be chosen in one of the two half-intervals. Here we consider that $X_0$ belongs to $]0.0, 0.5[$.

2.1. Description of the generator

The proposed cryptosystem integrates the chaotic function in the core of the PRNG, and the algorithmic description of the generator consists of the following four steps:

1. An initial vector $I_{in}$ of size $N$ is chosen (the choice is free). The vector $I_{in}$ is transformed into the binary vector $I_{bin}$ (i.e., by taking the binary components in sequential order). The components of $I_{bin}$ have only the values 0 or 1 and the vector size is $M = N \times \log_2 N$ (with $N = 2^x$ and x  1).
2. A seed value $X_0$ is chosen in $]0.0, 0.5[$ and initiates the iterative relation of Eq. (1). The choice of the seed value is arbitrary.
3. A loop is started on the index $i$ of the vector $I_{bin}$, with $0 \leq i < M - 2$. With the current position $i$ in $I_{bin}$, a new position $j$ is computed using the chaotic function:

   $$j = i + 1 + [\mathrm{Floor}[b X_{i+1}] \bmod S], \qquad (2)$$

   with $b = 10^c$; the value of $S$ is initialized to $M - 1$ and decremented after each iteration. Due to the modular operation, the value $\mathrm{Floor}[b X_{i+1}]$ is chosen to be greater than $S$. Therefore the value of $c$ is related to the size $M$ and is given by:

   $$c = \mathrm{Floor}[\log_{10} M] + 3. \qquad (3)$$

   At each iteration $i$, the new position $j$ has a value $i < j < M$. The elements of $I_{bin}$ are transformed into $I_{bin}[i] = Q_3$ and $I_{bin}[j] = Q_1$ with

   $$Q_1 = I_{bin}[i], \qquad (4)$$

   $$Q_2 = I_{bin}[j] = I_{bin}[i + 1 + [\mathrm{Floor}[b X_{i+1}] \bmod S]], \qquad (5)$$

   $$Q_3 = Q_1 \oplus Q_2, \qquad (6)$$

   where the symbol $\oplus$ represents the bit-by-bit exclusive OR operation. That process is repeated until the end of the loop, where the last iteration corresponds to $i = M - 3$. Note that the newly computed positions $j$ represent the value of the old positions $i$ already shuffled. Therefore, the value of a position can move several times before being fixed.
4. The bits of $I_{bin}$ are gathered in packets of $\log_2 N$ to construct a new vector $I_1$ of size $N$. These are the steps for one round (i.e., $T = 1$) on the vector $I_{in}$ using the seed $X_0$.

The construction of the three chaotic maps consists in transforming the initial vector $I_{in}$ into $I_k$ by applying the algorithm iteratively (i.e., $k = T/3$ and $T \bmod 3 = 0$). From $I_k$, a second application of $k$ rounds produces $I_{2k}$, and finally $I_{3k}$ is obtained from $I_{2k}$ with $k$ additional rounds. The three constructed vectors $I_k$, $I_{2k}$ and $I_{3k}$ are chaotic vectors and are mixed to produce the sequence $I_{out}$ of size $N$:

$$I_{out} = I_k \oplus I_{2k} \oplus I_{3k}. \qquad (7)$$

The vector $I_{out}$ corresponds to the output generated by the PRNG. Note that the idea consists in permuting the binary values of positions $i$ and $j$ through a xor operation on the vector $I_{in}$. Moreover, to improve the security of the algorithm, the sequence $I_{out}$ is obtained by xoring $I_k$, $I_{2k}$ and $I_{3k}$, making the algorithm irreversible. As at most three vectors of size $N$ must be stored, the memory space complexity is $O(N)$.
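The four steps and Eq. (7), written out as an added Python example; it is not the authors' code, so its output need not match their sequences bit for bit. The MSB-first bit order and the choice of 0.4603520 as the eighteenth seed are assumptions; the vector and the other seventeen seeds are the ones the paper lists in Section 3.3, and all function names are illustrative.

```python
import math

LAMBDA = 3.9999  # logistic parameter fixed on the page (Eq. 1)

# Seeds X_0^1..X_0^17 as listed in Section 3.3; the 18th is the first value of
# the page's range {0.4603520, ..., 0.4643519} (assumed choice).
PAGE_SEEDS = [0.0933309, 0.2491771, 0.4338708, 0.1548937, 0.0271939, 0.0109258,
              0.2667414, 0.3798145, 0.3092353, 0.4284346, 0.4320174, 0.2817204,
              0.3172682, 0.3517917, 0.298557, 0.0978801, 0.2465197, 0.4603520]
I_IN_1 = list(range(2048))  # the page's first test vector [0, 1, ..., 2047]


def to_bits(vec, width):
    """Step 1: elements in sequential order, MSB first (bit order is an assumption)."""
    return [(v >> (width - 1 - b)) & 1 for v in vec for b in range(width)]


def from_bits(bits, width):
    """Step 4: gather the bits in packets of log2(N) to rebuild N elements."""
    out = []
    for p in range(0, len(bits), width):
        v = 0
        for bit in bits[p:p + width]:
            v = (v << 1) | bit
        out.append(v)
    return out


def positions(M, x0):
    """Yield the (i, j) pairs of Eq. (2) for one round.

    The pairs depend only on the seed and on M, never on the data bits.
    """
    b = 10 ** ((len(str(M)) - 1) + 3)  # b = 10^c with c = Floor[log10 M] + 3 (Eq. 3)
    x, S = x0, M - 1
    for i in range(M - 2):             # 0 <= i < M - 2, last iteration i = M - 3
        x = LAMBDA * x * (1.0 - x)     # X_{i+1} from Eq. (1)
        yield i, i + 1 + (math.floor(b * x) % S)
        S -= 1                         # "degressive modulo": S shrinks each step


def one_round(bits, x0):
    """Step 3: I[i] <- Q1 xor Q2 and I[j] <- Q1 for every pair (Eqs. 4-6)."""
    bits = list(bits)
    for i, j in positions(len(bits), x0):
        q1, q2 = bits[i], bits[j]
        bits[i], bits[j] = q1 ^ q2, q1
    return bits


def three_mixer(i_in, seeds):
    """Return I_out = I_k xor I_2k xor I_3k (Eq. 7) with k = T/3 rounds per map."""
    N = len(i_in)
    width = N.bit_length() - 1
    if N < 2 or N != 1 << width:
        raise ValueError("N must be a power of two")
    if not seeds or len(seeds) % 3:
        raise ValueError("the number of rounds T must be a non-zero multiple of 3")
    if any(not 0.0 < s < 0.5 for s in seeds):
        raise ValueError("each seed must lie in ]0.0, 0.5[")
    if any(not 0 <= v < N for v in i_in) or not any(i_in):
        # XOR and swaps keep an all-zero vector all-zero, hence the page's exclusion.
        raise ValueError("elements must fit in log2(N) bits and not all be zero")
    k = len(seeds) // 3
    bits, maps = to_bits(i_in, width), []
    for t, x0 in enumerate(seeds, start=1):
        bits = one_round(bits, x0)
        if t % k == 0:                 # snapshots after k, 2k and 3k rounds
            maps.append(bits)
    mixed = [a ^ b ^ c for a, b, c in zip(*maps)]
    return from_bits(mixed, width)


def bit_difference(u, v, width):
    """Fraction of differing bits between two outputs of equal length."""
    diff = sum(bin(a ^ b).count("1") for a, b in zip(u, v))
    return diff / (len(u) * width)


if __name__ == "__main__":
    out_a = three_mixer(I_IN_1, PAGE_SEEDS)
    out_b = three_mixer(I_IN_1, PAGE_SEEDS[:-1] + [0.4603521])  # next seed, step 1e-7
    print("first outputs:", out_a[:8])
    print("bit difference for consecutive last seeds:", bit_difference(out_a, out_b, 11))
```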

2.2. Optimization of the round number

The security of the PRNG strongly depends on the number of rounds $T$. Therefore, it is necessary to determine an optimized and efficient number of rounds that generates sequences with high cryptographic qualities and assures the security of the algorithm. In any cryptosystem, poor keys or a limited key space $K$ allow the cryptosystem to be broken easily. Indeed, given today’s computer speed, it is generally accepted that a key space of size smaller than $2^{128}$ is not secure enough. Here, the PRNG can produce a large number of pseudo-random sequences from chosen keys. These keys correspond to two kinds of input data:

1. An initial input vector $I_{in}$ of size $N$ (or $M$ in bits),
2. A set of seed values $X_0^i$ with $1 \leq i \leq T$ initiating the chaotic function.

At each round, the corresponding seed $X_0^i$ belongs to the interval $]0.0, 0.5[$, with $c$ digits of accuracy (i.e., $10^{-c}$). Therefore, the total number of possibilities for the seed space is $[5 \times 10^{c-1} - 1]^{T/3} \times [5 \times 10^{c-1} - 1]^{T/3} \times [5 \times 10^{c-1} - 1]^{T/3} = [5 \times 10^{c-1} - 1]^{T}$ (i.e., excluding the seed $\{0.0 \cdots 0\}$ for each round). To satisfy the condition $[5 \times 10^{c-1} - 1]^{T} > 2^{128}$, which avoids any brute-force attack, the minimum number of rounds $T_1$ is:

$$T_1 = \mathrm{Floor}\left[\frac{128}{\log_2(5 \times 10^{c-1} - 1)}\right] + 1. \qquad (8)$$

The condition $T = T_1$ assures the minimum entropy limit for the seed space but not necessarily the randomness quality of the output sequence $I_{out}$. Indeed, an initial vector $I_{in}$ with very low entropy can require $T \geq T_1$ rounds to obtain a high level of randomness in $I_{out}$. Therefore, the number of rounds $T$ must also be related to the distribution of bits ‘0’ and ‘1’ in $I_{in}$. Let us consider that, in the input vector $I_{in}$, the occurrence of the bit ‘0’ has a probability $p_0^{(0)} > 0$ (resp. $p_0^{(1)} = (1 - p_0^{(0)}) > 0$ for the bit ‘1’). Then, at each new round $t$, the probability $p_t^{(0)}$ is iteratively modified by:

$$p_t^{(0)} = \left(p_{t-1}^{(0)}\right)^2 + \left(1 - p_{t-1}^{(0)}\right)^2, \quad \forall t \geq 1 \qquad (9)$$

and the limit of the sequence $p_t^{(0)}$ must converge to 0.50 to assure a maximum Shannon entropy in the output sequence $I_{out}$. The purpose is to find the number of rounds $T_2$ satisfying the relation:

$$\lim_{t > T_2} p_t^{(0)} = 0.50 \pm \varepsilon_1 \qquad (10)$$

with $\varepsilon_1$ a fixed numerical tolerance (here $\varepsilon_1 = 0.001$). The value $T_2$ is computed iteratively and can be large for $I_{in}$ with very low Shannon entropy or small for $I_{in}$ with Shannon entropy close to its maximum (i.e., 1 in base 2). Finally, the algorithm must also assure high sensitivity to the initial input vector $I_{in}$. With the same set of seed values and two nearby initial vectors $I_{in}$ and $I'_{in}$, the produced output sequences $I_{out}$ and $I'_{out}$ are highly correlated. In that context, the security level is not maximal because the sensitivity is not guaranteed. To avoid such problems, an additional hypothesis must be made. As the treatment is based on the binary components, two initial input vectors $I_{in}$ and $I'_{in}$ of size $M$ (in bits) are considered. With two vectors $I_{in}$ and $I'_{in}$ differing by only one bit, the probability $s_0$ of identical elements between these two vectors is exactly $s_0 = (M - 1)/M$. The theoretical evolution of the internal bits in each vector is the same and follows the relation of Eq. (9). The same seeds are used in both vectors, so the theoretical evolution of identical bits between $I_{in}$ and $I'_{in}$ is the same as in a simple binary vector with $M - 1$ identical bits. This problem is similar to the previous one, but with a starting vector which is completely unbalanced (i.e., $M - 1$ bits ‘0’ and one bit ‘1’). Therefore, the evolution of the probability $s_0$ should follow the relation of Eq. (9) such that:

$$s_r = \left(s_{r-1}^{(0)}\right)^2 + \left(1 - s_{r-1}^{(0)}\right)^2, \quad \forall r \geq 1 \qquad (11)$$

and must satisfy:

$$\lim_{r > T_3} s_r = 0.50 \pm \varepsilon_2, \qquad (12)$$

where $\varepsilon_2$ is equal to $\varepsilon_1$. With these three indicators $T_1$, $T_2$ and $T_3$, the relevant number of rounds $T$ is:

$$T = \max\{T_1, T_2, T_3\} + d, \qquad (13)$$

with $d = [3 - \max\{T_1, T_2, T_3\}] \bmod 3$ ensuring that $T$ is a multiple of three. The number of rounds $T$ is automatically computed and adapted, from the characteristics of the initial vector $I_{in}$, to satisfy simultaneously the criteria of key space entropy, maximum Shannon entropy and sensitivity to the initial conditions. For example, for an initial vector of size $N = 2048$ (i.e., $M = 22528$; $T = 18$), the cryptosystem can produce exactly $(5 \times 10^6 - 1)^{18}$, or approximately $2^{400}$, different pseudo-random sequences. For the generation of any pseudo-random sequence, the parameters which must remain secret are:

1. The arbitrary initial input vector $I_{in}$ of size $N$,
2. The set of $T$ seed values, $S_{in} = \{X_0^1, \ldots, X_0^T\}$, where each seed $X_0^i$ has a value in the interval $]0.0, 0.5[$ and $c$ digits of accuracy.
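Eqs. (3) and (8) to (13) as an added Python example (not the authors' code), applied to the vector sizes the paper uses. Taking $T_2$ and $T_3$ as the first round index at which the tolerance is met is an assumption, and the function and key names are illustrative.

```python
import math

EPS = 0.001  # tolerance eps_1 = eps_2 stated on the page


def digits_c(M):
    """Eq. (3): c = Floor[log10 M] + 3, via the decimal length to avoid float error."""
    return (len(str(M)) - 1) + 3


def t1_key_space(c):
    """Eq. (8): minimum rounds so that (5*10^(c-1) - 1)^T exceeds 2^128."""
    return math.floor(128 / math.log2(5 * 10 ** (c - 1) - 1)) + 1


def rounds_to_balance(p, eps=EPS):
    """Iterate Eqs. (9)/(11), p <- p^2 + (1-p)^2, until |p - 0.5| <= eps.

    Assumption: T2 and T3 are the first round index that meets the tolerance.
    """
    if not 0.0 < p < 1.0:
        raise ValueError("both bit values must occur (p0 > 0 and p1 > 0)")
    t = 0
    while abs(p - 0.5) > eps:
        p = p * p + (1.0 - p) * (1.0 - p)
        t += 1
    return t


def count_ones(i_in):
    """Number of '1' bits over all elements of the input vector."""
    return sum(bin(v).count("1") for v in i_in)


def round_number(N, ones):
    """Return M, c, T1, T2, T3 and T (Eq. 13) for N elements holding `ones` set bits."""
    width = N.bit_length() - 1
    if N < 2 or N != 1 << width:
        raise ValueError("N must be a power of two")
    M = N * width                              # M = N * log2(N) bits
    c = digits_c(M)
    t1 = t1_key_space(c)
    t2 = rounds_to_balance((M - ones) / M)     # p_0^(0): share of '0' bits in I_in
    t3 = rounds_to_balance((M - 1) / M)        # s_0: two vectors differing by one bit
    top = max(t1, t2, t3)
    T = top + (3 - top) % 3                    # d makes T a multiple of three
    return {"M": M, "c": c, "T1": t1, "T2": t2, "T3": t3, "T": T,
            "seed_space_bits": T * math.log2(5 * 10 ** (c - 1) - 1)}


if __name__ == "__main__":
    # The page's vectors: [0, ..., 2047], [2011, 0, ..., 0] and [0, ..., 8388607].
    print(round_number(2048, count_ones(range(2048))))
    print(round_number(2048, count_ones([2011] + [0] * 2047)))
    # Every bit position of 0..2^23-1 is set in exactly half of the elements.
    print(round_number(8388608, 192937984 // 2))
```

With these assumptions the three calls give $T = 18$, $T = 18$ and $T = 30$, the round numbers the paper reports for those sizes.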

3. Statistical analysis

The output sequences of any secure PRNG must have a high level of randomness and be completely independent. Therefore, a statistical analysis taking into account these aspects of the produced sequences should be carefully conducted. Here, the two proposed statistical analyses focus on the randomness level and on the correlation between the produced sequences.

3.1. Randomness evaluation

The sequences are evaluated with the NIST statistical test suite. This suite is a statistical package of fifteen tests developed to quantify and evaluate the randomness of binary sequences produced by cryptographic random or pseudo-random number generators [14]. These tests assess the presence of a pattern which, if detected, would indicate that the sequence is not random. In each statistical test, a $p_{value}$ probability is computed. Each value summarizes the strength of the evidence against the perfect randomness assumption. A $p_{value}$ of zero indicates that the sequence appears to be completely non-random. A $p_{value}$ larger than 0.01 means that the sequence is considered to be random with a confidence level of 99%. For multiple sequences tested at the same time, each test defines a proportion $g$ as the ratio of sequences passing the test successfully relative to the total number of tested sequences $N_k$ (i.e., $g = n[p_{value} \geq 0.01]/N_k$). The proportion $g$ is compared to an acceptable proportion $g_{accept}$, which corresponds to the ratio of sequences that should pass the test. The range of acceptable proportions, except for the Random Excursion-Variant test, is determined by using the confidence interval defined as $(1 - 0.01) \pm 3\sqrt{0.01(1 - 0.01)/N_k}$ [14]. The NIST tests are carried out on the following three classes of sequences: individual sequences, concatenated sequence and resulting sequences.

1. Individual sequences: the $N_k$ sequences $I_{out}^k$ (with $1 \leq k \leq N_k$) are individually tested and the results are given as the ratio of success relative to the threshold $g_{accept}$. That indicates the global randomness level of the tested sequences.
2. Concatenated sequence: a new sequence is constructed by concatenating all the individual sequences: $I_{out}^{cat} = \{I_{out}^1 \cdots I_{out}^{N_k}\}$ of binary size $N_k \times M$. The randomness quality of the new sequence is also analysed with the NIST tests. For truly random sequences $I_{out}^k$ (with $1 \leq k \leq N_k$), the concatenated sequence should also be random. Such an analysis also gives an indication about the potential correlation that can exist between the $N_k$ sequences $I_{out}^k$.
3. Resulting sequences: $N$ resulting sequences $I_{res}$ of size $N_k$ are constructed by collecting, for each position $1 \leq j \leq N$, the value of each sequence $I_{out}$. Therefore, $I_{res}^j = \{I_{out}^1[j], \ldots, I_{out}^{N_k}[j]\}$. The randomness of the resulting sequences is analysed by applying the NIST tests. If truly random sequences are superimposed on each other, the resulting sequences should also be random (with $N_k$ as large as $N$). The analysis is interesting especially for sequences produced with successive seeds and shows the hidden linear structures between the produced sequences $I_{out}^k$ with $1 \leq k \leq N_k$.

3.2. Correlation evaluation

The purpose of the second approach is to check the correlation between the produced sequences. The correlation is analysed globally by computing the correlation coefficients of each pair of sequences [15]. Given the two sequences $I_{out}^x = [x_1, \ldots, x_N]$ and $I_{out}^y = [y_1, \ldots, y_N]$, we have:

$$C_{I_{out}^x, I_{out}^y} = \frac{\sum_{i=1}^{N} (x_i - \bar{x}) \cdot (y_i - \bar{y})}{\left[\sum_{i=1}^{N} (x_i - \bar{x})^2\right]^{1/2} \cdot \left[\sum_{i=1}^{N} (y_i - \bar{y})^2\right]^{1/2}} \qquad (14)$$

where $\bar{x} = \sum_{i=1}^{N} x_i / N$ and $\bar{y} = \sum_{i=1}^{N} y_i / N$ are the mean values of $I_{out}^x$ and $I_{out}^y$, respectively. For two uncorrelated sequences, $C_{I_{out}^x, I_{out}^y} = 0$. A strong correlation occurs between $I_{out}^x$ and $I_{out}^y$ for $C_{I_{out}^x, I_{out}^y} \simeq 1$. The coefficients $C_{I_{out}^x, I_{out}^y}$ are computed for each pair of produced sequences and the distribution of the values is presented by a histogram. The interest of such an approach is its sensitivity to correlation for sequences $I_{out}^x$, $I_{out}^y$ produced from nearby or successive seed values.

3.3. Application on subspaces of sequences

The quality of the PRNG outputs is analysed on two subspaces of sequences. The sequences are produced by using two different initial vectors $I_{in}^1 = [0, 1, \ldots, 2047]$ and $I_{in}^2 = [2011, 0, \ldots, 0]$ of size $N = 2048$. The Shannon entropy is 1 and 0.0050 for the vectors $I_{in}^1$ and $I_{in}^2$, respectively. The choice of these two initial vectors illustrates that any kind of starting vector can be chosen, as long as it remains secret and different from the zero vector. For the generation of the two groups of sequences, the computed number of rounds is $T = 18$ with $c = 7$ digits for the accuracy. The sets of seed values used are $\{X_0^1, \ldots, X_0^{18}\}$ with $\{X_0^1, \ldots, X_0^{17}\} = \{$0.0933309, 0.2491771, 0.4338708, 0.1548937, 0.0271939, 0.0109258, 0.2667414, 0.3798145, 0.3092353, 0.4284346, 0.4320174, 0.2817204, 0.3172682, 0.3517917, 0.298557, 0.0978801, 0.2465197$\}$ and $X_0^{18}$ in $\{0.4603520, \ldots, 0.4643519\}$. The seed values selected during the last round are consecutive with an accuracy step equal to $10^{-7}$. For each case, the number of generated sequences is $N_k = 40000$ and each sequence has a size of 22528 bits. The seed values $X_0^i$ with $1 \leq i \leq 17$ are arbitrarily chosen in the interval $]0.0, 0.5[$ with $c$ digits of accuracy. The analysis of randomness and correlation is carried out on the two subspaces of sequences.

3.3.1. Analysis of the randomness level


The results of the NIST tests obtained on the two groups of 40,000 sequences (i.e., produced from the initial vectors $I_{in}^1$ and $I_{in}^2$) are given in Table 1 and Table 2, respectively. For the individual sequences (i.e., $N_k = 40000$), the acceptable proportion should lie above $g_{accept} = 98.85\%$. With $N = 2048$ resulting sequences, the corresponding threshold $g'_{accept}$ is equal to $98.34\%$. For the Non-Overlapping and Random Excursions-Variant tests, the smallest percentage of all sub-tests is presented. Due to the size of the individual sequences, the Universal test is not applicable. Note that for the two groups of sequences, all the tested sequences pass the NIST tests successfully (i.e., for the individual sequences, the constructed concatenated sequence and the resulting sequences). These results show a high randomness level of the produced sequences for both initial input vectors (even with low Shannon entropy).

3.3.2. Analysis of the correlation


For each group, the correlation coefficients between each pair of the 40,000 produced sequences are computed and the distributions of the correlation coefficients $C_{I_{out}^x, I_{out}^y}$ are presented in Fig. 1. The two corresponding histograms have the same shape and show that the computed coefficients are very close to 0. For the input vector $I_{in}^1$ (resp. $I_{in}^2$), around $97.65\%$ (resp. $97.62\%$) of the coefficients have an absolute value smaller than 0.05. The histograms show that the correlation between the produced outputs is very small.

4. Security analysis

With the design of a new cryptosystem, a global security analysis must be conducted. The analysis is based both on the quality of the outputs of the PRNG and on the various existing attacks that can break the PRNG. Even if all the existing attacks cannot be tested, the PRNG must resist some basic known attacks, and all the critical points related to the cryptosystem should be analyzed properly [2]. Security is a prerequisite, which can make it necessary to redesign a PRNG if a weakness appears. Therefore, the investigated points are: the key sensitivity, the key choice and the quality of the produced outputs. Moreover, two basic attacks are also evaluated: brute-force attack [2] and differential attack [16].

4.1. Key sensitivity

An efficient PRNG based on a chaotic function should be very sensitive with respect to the keys. Indeed, flipping one bit in a key must give a completely different pseudo-random sequence. Such a characteristic corresponds to the diffusion property for chaos-based systems. In the proposed PRNG, the key is given by two kinds of inputs: an initial vector $I_{in}$ and a set of initial seed values $S_{in}$. Therefore, the key sensitivity analysis must be carried out on these two inputs.

Table 1
Results of the NIST tests on the 40,000 generated sequences from the initial vector $I_{in}^1$. The ratio $g$ of $p_{value}$ passing the tests is given for individual and resulting sequences and the $p_{value}$ is given for the concatenated sequence.

| Test name | Indiv. seq. g (%) | Indiv. seq. result | Concat. seq. p_value | Concat. seq. result | Result. seq. g (%) | Result. seq. result |
|---|---|---|---|---|---|---|
| Frequency | 99.06 | Success | 0.728253 | Success | 98.63 | Success |
| Block-Frequency | 99.05 | Success | 0.285419 | Success | 98.68 | Success |
| Cumulative Sums (1) | 99.02 | Success | 0.696969 | Success | 98.73 | Success |
| Cumulative Sums (2) | 99.05 | Success | 0.887605 | Success | 98.82 | Success |
| Runs | 98.95 | Success | 0.606681 | Success | 98.97 | Success |
| Longest Run | 99.02 | Success | 0.010857 | Success | 98.82 | Success |
| Rank | 98.87 | Success | 0.739523 | Success | 98.82 | Success |
| FFT | 98.85 | Success | 0.848717 | Success | 98.87 | Success |
| Non-Overlapping | 98.85 | Success | 0.024195 | Success | 98.43 | Success |
| Overlapping | 98.89 | Success | 0.301107 | Success | 98.87 | Success |
| Universal | - | - | 0.585531 | Success | 98.38 | Success |
| Approximate Entropy | 98.91 | Success | 0.993853 | Success | 98.38 | Success |
| Random Excursions | 96.29 | Success | 0.247332 | Success | 98.66 | Success |
| Random E-Variant | 96.29 | Success | 0.195600 | Success | 98.90 | Success |
| Serial (1) | 98.96 | Success | 0.958829 | Success | 98.87 | Success |
| Serial (2) | 99.00 | Success | 0.484618 | Success | 98.38 | Success |
| Linear Complexity | 98.95 | Success | 0.873818 | Success | 98.92 | Success |

Table 2
Results of the NIST tests on the 40,000 generated sequences from the initial vector $I_{in}^2$. The ratio $g$ of $p_{value}$ passing the tests is given for individual and resulting sequences and the $p_{value}$ is given for the concatenated sequence.

| Test name | Indiv. seq. g (%) | Indiv. seq. result | Concat. seq. p_value | Concat. seq. result | Result. seq. g (%) | Result. seq. result |
|---|---|---|---|---|---|---|
| Frequency | 99.00 | Success | 0.487744 | Success | 98.38 | Success |
| Block-Frequency | 99.06 | Success | 0.268933 | Success | 98.58 | Success |
| Cumulative Sums (1) | 98.98 | Success | 0.811419 | Success | 98.73 | Success |
| Cumulative Sums (2) | 98.98 | Success | 0.448794 | Success | 98.38 | Success |
| Runs | 98.94 | Success | 0.622288 | Success | 99.26 | Success |
| Longest Run | 99.05 | Success | 0.203578 | Success | 99.07 | Success |
| Rank | 98.95 | Success | 0.727767 | Success | 98.82 | Success |
| FFT | 98.87 | Success | 0.332820 | Success | 98.97 | Success |
| Non-Overlapping | 98.87 | Success | 0.018173 | Success | 98.38 | Success |
| Overlapping | 98.93 | Success | 0.421953 | Success | 98.53 | Success |
| Universal | - | - | 0.626846 | Success | 98.53 | Success |
| Approximate Entropy | 98.86 | Success | 0.785221 | Success | 99.02 | Success |
| Random Excursions | 90.90 | Success | 0.026813 | Success | 98.48 | Success |
| Random E-Variant | 95.45 | Success | 0.269245 | Success | 98.80 | Success |
| Serial (1) | 98.93 | Success | 0.535862 | Success | 98.73 | Success |
| Serial (2) | 98.97 | Success | 0.255917 | Success | 98.77 | Success |
| Linear Complexity | 98.63 | Success | 0.239633 | Success | 98.48 | Success |

[Figure: histogram of frequency (in %) versus correlation coefficient value, with one series for $I_{in}^1$ and one for $I_{in}^2$.]

Fig. 1. Distribution of correlation coefficients $C_{I_{out}^x, I_{out}^y}$ on the interval $[-0.08, 0.08]$. The tested sequences are produced from the two initial vectors $I_{in}^1$ and $I_{in}^2$, using the same set of seed values.

4.1.1. Initial seed value sensitivity


The sensitivity related to the initial seed values is analysed by choosing nearby seed values on the last round of the algorithm. The correlation between the produced sequences is checked. Actually, owing to the successive seed values used in the correlation test (see Section 3.2), the seed sensitivity has already been tested. Here, an alternative analysis related to the sensitivity is done. A new large sequence $J_{out}^{1,a}$ of size $N = 8388608$ (i.e., $M = 192937984$; $c = 11$ and $T = 30$) is produced from the initial input vector $J_{in} = [0, 1, \ldots, 8388607]$ and the set of seed values $S_{in}^{1,a} = \{X_0^1, \ldots, X_0^{30,a}\}$. The thirty seed values are chosen arbitrarily in the interval $]0.0, 0.5[$ with the last seed value $X_0^{30,a} = 0.37201638375$. Two supplementary sequences $J_{out}^{1,b}$ and $J_{out}^{1,c}$ are produced by using slightly differing sets of seeds $S_{in}^{1,b}$ and $S_{in}^{1,c}$, respectively. The modifications are made on the seed corresponding to the last round and the sets are: $S_{in}^{1,b} = \{X_0^1, \ldots, X_0^{29}, X_0^{30,b}\}$ and $S_{in}^{1,c} = \{X_0^1, \ldots, X_0^{29}, X_0^{30,c}\}$, where $X_0^{30,b} = 0.37201638374$ and $X_0^{30,c} = 0.37201638376$. The seed values of the last round differ by only $10^{-11}$. To illustrate the sensitivity related to the initial seed value, the correlation coefficients between the produced sequences $J_{out}^{1,a}$, $J_{out}^{1,b}$ and $J_{out}^{1,c}$ are computed and the results are given in Table 3. A similar analysis is done with the input vector $K_{in} = [2011, 0, \ldots, 0]$, producing $K_{out}^{1,a}$, $K_{out}^{1,b}$ and $K_{out}^{1,c}$ (see Table 3). The two input vectors $J_{in}$ and $K_{in}$ have the same length $N = 8388608$ and the correlation coefficients are close to 0. That illustrates that the tested sequences are uncorrelated. An additional correlation test is carried out on the three produced sequences $J_{out}^{1,a}$, $J_{out}^{1,b}$ and $J_{out}^{1,c}$ (resp. $K_{out}^{1,a}$, $K_{out}^{1,b}$ and $K_{out}^{1,c}$) by using the NIST tests. The three sequences are concatenated to form one sequence $J_{out}^{1,abc}$ (resp. $K_{out}^{1,abc}$) of length 25165824 (i.e., 578813952 in bits). The results of the NIST tests are given in Table 4. All the $p_{value}$ are larger than 0.01. The concatenated sequence can be viewed as a random sequence (in each case) and the sequences produced from nearby seed values are weakly correlated. These results show the high sensitivity related to the initial seed value.

Table 3
Correlation coefficients between the output sequences $V_{out}$ produced from the initial vector $J_{in}$ (resp. $K_{in}$) with slightly different seed sets $S_{in}^{1,a}$, $S_{in}^{1,b}$ and $S_{in}^{1,c}$. The vector $V_{out} = J_{out}$ is produced by $J_{in}$ and $V_{out} = K_{out}$ is produced by $K_{in}$.

| Initial vector | $V_{out}^{1,a}/V_{out}^{1,b}$ | $V_{out}^{1,a}/V_{out}^{1,c}$ | $V_{out}^{1,b}/V_{out}^{1,c}$ |
|---|---|---|---|
| $J_{in}$ | 0.000389 | 0.000047 | 0.000505 |
| $K_{in}$ | 0.000543 | 0.000330 | 0.000772 |

4.1.2. Initial input vector sensitivity


The sensitivity related to the initial vector is analysed by choosing nearby initial input vectors. The correlation coefficients between the produced output sequences are computed. Let the initial vector be $J_{in}^{1,a} = [0, 1, 2, \ldots, 8388607]$ of size $N = 8388608$. A set of thirty seed values $S_{in} = \{X_0^1, \ldots, X_0^{30}\}$ is used to produce the output sequence $J_{out}^{1,a}$. Two supplementary input vectors $J_{in}^{1,b} = [1, 1, 2, \ldots, 8388607]$ and $J_{in}^{1,c} = [0, 0, 2, \ldots, 8388607]$ are also considered and produce $J_{out}^{1,b}$ and $J_{out}^{1,c}$, respectively. If the cryptosystem is sensitive to the initial input vector, the outputs $J_{out}^{1,a}$, $J_{out}^{1,b}$ and $J_{out}^{1,c}$ produced with the same set of seeds $S_{in}$ must be completely different. The analysis consists in computing the correlation coefficients between the produced sequences and the results are given in Table 5. Note that with a small difference of only one bit in the initial vectors, the produced sequences $J_{out}^{1,a}$, $J_{out}^{1,b}$ and $J_{out}^{1,c}$ are very different. The analysis is repeated by changing the starting vectors $J_{in}^{1,a}$, $J_{in}^{1,b}$ and $J_{in}^{1,c}$ to $K_{in}^{1,a} = [2011, 0, \ldots, 0]$, $K_{in}^{1,b} = [2010, 0, \ldots, 0]$ and $K_{in}^{1,c} = [2012, 0, \ldots, 0]$. The produced sequences are $K_{out}^{1,a}$, $K_{out}^{1,b}$ and $K_{out}^{1,c}$. The results of the correlation analysis are given in Table 5. The computed correlation coefficients are close to 0 and show the decorrelation between the tested sequences. The produced sequences $J_{out}^{1,a}$, $J_{out}^{1,b}$ and $J_{out}^{1,c}$ (resp. $K_{out}^{1,a}$, $K_{out}^{1,b}$ and $K_{out}^{1,c}$) are concatenated to form one sequence $J_{out}^{1,abc}$ (resp. $K_{out}^{1,abc}$) of length 25165824. The results of the NIST tests on the concatenated sequence formed from nearby initial vectors are given in Table 6. The results of the NIST tests show that the concatenated sequence satisfies all requirements of randomness and the sequences produced from nearby initial vectors are weakly correlated. Finally, these results show the high sensitivity of the cryptosystem to the initial input vector.

4.2. Inputs and outputs of the PRNG

The initial vector $I_{in}$ and the set of seed values $S_{in}$ are the input parameters of the PRNG, and the choice of such parameters must be adapted to the application domain and security requirements. The outputs of the PRNG should have good cryptographic properties such as randomness, decorrelation and sensitivity to initial conditions.

4.2.1. Inputs
The choice of the input parameters is completely free. In this paper, for the generation of pseudo-random sequences, the initial vectors $I_{in}^1 = [0, 1, \ldots, 2047]$ and $I_{in}^2 = [2011, 0, \ldots, 0]$ were chosen to show that pseudo-random sequences can be generated from initial vectors with low Shannon entropy. For applications requiring a maximum level of security, both the set of seeds $S_{in}$ and the initial vector $I_{in}$ are parts of the secret key and can be chosen from a complex "source" (e.g., function, image, physical process, etc.). The set of seeds $S_{in}$ and the initial vector $I_{in}$ should not be easy to find without information. The choice of these inputs (complex and secret) for the generation of pseudo-random sequences is an asset to the cryptosystem.

Table 4
Results of the NIST tests on the concatenated sequence $J_{out}^{1,abc}$ (resp. $K_{out}^{1,abc}$) from the three produced sequences of initial vector $J_{in}$ (resp. $K_{in}$).

| Test name | $J_{out}^{1,abc}$ p_value | $J_{out}^{1,abc}$ result | $K_{out}^{1,abc}$ p_value | $K_{out}^{1,abc}$ result |
|---|---|---|---|---|
| Frequency | 0.437588 | Success | 0.666929 | Success |
| Block-Frequency | 0.126398 | Success | 0.586920 | Success |
| Cumulative Sums (1) | 0.303798 | Success | 0.799673 | Success |
| Cumulative Sums (2) | 0.607642 | Success | 0.424338 | Success |
| Runs | 0.055369 | Success | 0.679496 | Success |
| Longest Run | 0.058908 | Success | 0.680846 | Success |
| Rank | 0.086416 | Success | 0.056460 | Success |
| FFT | 0.370917 | Success | 0.803068 | Success |
| Non-Overlapping | 0.019718 | Success | 0.021199 | Success |
| Overlapping | 0.334752 | Success | 0.470897 | Success |
| Universal | 0.996122 | Success | 0.434192 | Success |
| Approximate Entropy | 0.543108 | Success | 0.574272 | Success |
| Random Excursions | 0.365457 | Success | 0.033343 | Success |
| Random E-Variant | 0.218236 | Success | 0.068230 | Success |
| Serial (1) | 0.746829 | Success | 0.610942 | Success |
| Serial (2) | 0.798701 | Success | 0.581324 | Success |
| Linear Complexity | 0.810789 | Success | 0.887679 | Success |

Table 5
Correlation coefficients between the output sequences $V_{out}$ produced from slightly different initial input vectors $J_{in}^{1,a}$, $J_{in}^{1,b}$ and $J_{in}^{1,c}$ (resp. $K_{in}^{1,a}$, $K_{in}^{1,b}$ and $K_{in}^{1,c}$). The vector $V_{out} = J_{out}$ is produced by $J_{in}$ and $V_{out} = K_{out}$ is produced by $K_{in}$.

| Initial vectors | $V_{out}^{1,a}/V_{out}^{1,b}$ | $V_{out}^{1,a}/V_{out}^{1,c}$ | $V_{out}^{1,b}/V_{out}^{1,c}$ |
|---|---|---|---|
| $J_{in}^{1,a}$, $J_{in}^{1,b}$, $J_{in}^{1,c}$ | 0.000021 | 0.000013 | 0.000113 |
| $K_{in}^{1,a}$, $K_{in}^{1,b}$, $K_{in}^{1,c}$ | 0.000174 | 0.000181 | 0.000174 |

Table 6
Results of the NIST tests on the concatenated sequence $J_{out}^{1,abc}$ (resp. $K_{out}^{1,abc}$) from the three produced sequences of initial vectors $J_{in}^{1,a}$, $J_{in}^{1,b}$ and $J_{in}^{1,c}$ (resp. $K_{in}^{1,a}$, $K_{in}^{1,b}$ and $K_{in}^{1,c}$).

| Test name | $J_{out}^{1,abc}$ p_value | $J_{out}^{1,abc}$ result | $K_{out}^{1,abc}$ p_value | $K_{out}^{1,abc}$ result |
|---|---|---|---|---|
| Frequency | 0.103237 | Success | 0.476714 | Success |
| Block-Frequency | 0.061846 | Success | 0.749649 | Success |
| Cumulative Sums (1) | 0.158174 | Success | 0.599641 | Success |
| Cumulative Sums (2) | 0.121081 | Success | 0.814641 | Success |
| Runs | 0.018766 | Success | 0.036883 | Success |
| Longest Run | 0.389648 | Success | 0.085130 | Success |
| Rank | 0.233246 | Success | 0.406557 | Success |
| FFT | 0.416581 | Success | 0.610019 | Success |
| Non-Overlapping | 0.010539 | Success | 0.022115 | Success |
| Overlapping | 0.293514 | Success | 0.652104 | Success |
| Universal | 0.485834 | Success | 0.296147 | Success |
| Approximate Entropy | 0.473604 | Success | 0.986573 | Success |
| Random Excursions | 0.365457 | Success | 0.054925 | Success |
| Random E-Variant | 0.218236 | Success | 0.010419 | Success |
| Serial (1) | 0.194033 | Success | 0.955149 | Success |
| Serial (2) | 0.172534 | Success | 0.577354 | Success |
| Linear Complexity | 0.773177 | Success | 0.732659 | Success |

4.2.2. Outputs
One of the major aspects of any kind of PRNG is the randomness level of the produced sequences. According to Kerckhoffs’
principle [17], the security of a cryptosystem only depends on its keys. Nowadays, various statistical tests are available to
evaluate a PRNG for cryptographic purposes. In fact, the National Institute of Standards & Technology (NIST) proposes a
battery of tests that must be performed on the generated outputs [14]. Other tests exist in the literature, such as TestU01 [18]
or the DieHARD suites [19]. These three are commonly used, although the NIST tests are the most widely applied. Here, the NIST tests
were used to quantify and to evaluate the randomness level of the produced pseudo-random sequences. Moreover, all the
produced sequences successfully pass the statistical tests, and the correlation between sequences has also been evaluated.
The sensitivity to the key (seed and initial vector) is also analysed and the results have shown that the proposed PRNG is
very sensitive to these initial parameters. The statistical analysis clearly shows the quality of the produced sequences, and the
proposed PRNG does not present weak or degenerate outputs.
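To make the "Frequency" and "Runs" rows of the NIST tables concrete, the following added example (not code from the paper) implements those two tests as specified in NIST SP 800-22 and checks them on the two 10-bit worked examples from that document and on a constructed alternating sequence. The 0.01 pass threshold is the usual SP 800-22 significance level and is assumed here; the function names are hypothetical.

```python
from math import erfc, sqrt

ALPHA = 0.01  # assumed significance level: p >= ALPHA is reported as "Success"

def frequency_test(bits):
    """Frequency (monobit) test: is the share of ones close to 1/2?"""
    n = len(bits)
    s = sum(1 if b else -1 for b in bits)      # +1 per one, -1 per zero
    return erfc(abs(s) / sqrt(n) / sqrt(2))

def runs_test(bits):
    """Runs test: is the number of runs (maximal blocks of equal bits) plausible?"""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / sqrt(n):           # prerequisite: frequency must be sane
        return 0.0
    v_obs = 1 + sum(bits[i] != bits[i + 1] for i in range(n - 1))
    return erfc(abs(v_obs - 2 * n * pi * (1 - pi))
                / (2 * sqrt(2 * n) * pi * (1 - pi)))

def to_bits(text):
    return [int(ch) for ch in text]

def verdicts(bits):
    """Table-style rows: (test name, p-value, 'Success' or 'Failure')."""
    rows = []
    for name, test in (("Frequency", frequency_test), ("Runs", runs_test)):
        p = test(bits)
        rows.append((name, round(p, 6), "Success" if p >= ALPHA else "Failure"))
    return rows

# Constructed inputs: the two 10-bit worked examples from SP 800-22 and a
# degenerate alternating sequence that is perfectly balanced but not random.
NIST_MONOBIT = to_bits("1011010101")
NIST_RUNS = to_bits("1001101011")
ALTERNATING = to_bits("01" * 500)

if __name__ == "__main__":
    for label, seq in (("monobit example", NIST_MONOBIT),
                       ("runs example", NIST_RUNS),
                       ("alternating", ALTERNATING)):
        for row in verdicts(seq):
            print(label, *row)
```

The alternating sequence passes the frequency test with a p-value of 1.0 and fails the runs test, which is why a generator is judged on the whole battery and not on a single row.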

4.3. The attacks

Any new PRNG must be analysed against attacks in order to check whether the generator can resist them. Here, the resistance of the
produced sequences is evaluated against two basic attacks: the brute-force attack and the differential attack.

4.3.1. Brute-force attack


A brute-force attack [2] is a standard attack that can be used against any block cipher. The strategy consists in systematically
checking all possible keys until the correct key is found. In the worst case, all the combinations are tested, which requires
exploring the whole key space. Such an attack might be used when no weakness that would make the task easier can be found in the PRNG.
To resist a brute-force attack, the size of the key space must be large. It is generally accepted
that a key space of size smaller than $2^{128}$ is not secure enough. For the generation of pseudo-random sequences, we assume
that the initial vector $I_{in}$ is chosen and fixed. Therefore, the key space consists of all the combinations of $T$ sets of
seeds (each seed being in the interval $]0.0, 0.5[$ with $c$ digits of accuracy). The algorithm takes into account the constraint of
128 bits of entropy and can generate $(5 \times 10^{c-1} - 1)^T$ distinct sequences, with $T = \max\{T_1, T_2, T_3\} + d$ and
$d = [3 - \max\{T_1, T_2, T_3\} \bmod 3]$ (see Eq. (13)). For example, for $N = 2048$ (i.e., $c = 7$ and $T = 18$), the algorithm can
produce about $2^{400}$ (i.e., more than $2^{128}$) different pseudo-random sequences. Therefore, the entropy of the key space is larger
than 128 bits, which prevents a brute-force attack.

4.3.2. Differential attack


Such a cryptanalysis technique was introduced by Biham and Shamir [16]. As a chosen-plaintext attack, its principle is
to analyze and exploit the effect of a small difference in input pairs on the difference of the corresponding output pairs. The
technique makes it possible to find the most probable key that was used to produce the pseudo-random sequence. Given two inputs $x$ and $x'$
and their corresponding outputs $y$ and $y'$, the difference can be defined as:

1. Subtraction modulus: the differences related to both input and output are defined by $\Delta x = |x - x'|$ and $\Delta y = |y - y'|$,
respectively.
2. The xor difference, defined by $\Delta x = x \oplus x'$ and $\Delta y = y \oplus y'$.

For nearby seed values used with the same input vector, the sequences are intended to be completely different. The only weak
point would occur when two nearby vectors are used with the same seed values. Nevertheless, such a situation was already
considered in the design of the algorithm in order to produce secure outputs and avoid this type of attack. Indeed, in
subsection 2.2, the computation of the number of rounds $T$ includes a hypothesis on $T_3$ that makes it possible to produce decorrelated
outputs from two nearby input vectors. Therefore, for every size of the initial vector, the algorithm ensures that very
different pseudo-random sequences are generated. That is also illustrated through the example given in subsection 4.1.2, highlighting the
sensitivity related to nearby initial input vectors.
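The check described above, for the "weak point" case of two nearby vectors used with the same seed, can be run as follows. This is an added example, not the authors' code: it measures the subtraction difference, the xor difference and the correlation coefficient between two outputs. The generator is a SHA-256 stand-in (the three-mixer itself is not reproduced here), the insensitive generator is a constructed negative control, and all function names and the seed value are assumptions.

```python
import hashlib
from math import sqrt

def stand_in_prng(vector, seed, n_bytes):
    """Stand-in generator (assumption): SHA-256 in counter mode keyed by the
    inputs. It is NOT the three-mixer; replace it with the generator under test."""
    key = repr((list(vector), seed)).encode()
    out, counter = bytearray(), 0
    while len(out) < n_bytes:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n_bytes])

def insensitive_prng(vector, seed, n_bytes):
    """Negative control (constructed): the output just copies the vector."""
    return bytes(vector[i % len(vector)] % 256 for i in range(n_bytes))

def subtraction_difference(y, y2):
    """Mean of |y - y'| per byte; about 85.3 for independent uniform bytes."""
    return sum(abs(a - b) for a, b in zip(y, y2)) / len(y)

def xor_difference(y, y2):
    """Fraction of bits set in y XOR y'; about 0.5 when outputs are unrelated."""
    return sum(bin(a ^ b).count("1") for a, b in zip(y, y2)) / (8 * len(y))

def correlation(y, y2):
    """Pearson correlation coefficient between two byte sequences."""
    n = len(y)
    m1, m2 = sum(y) / n, sum(y2) / n
    cov = sum((a - m1) * (b - m2) for a, b in zip(y, y2))
    var1 = sum((a - m1) ** 2 for a in y)
    var2 = sum((b - m2) ** 2 for b in y2)
    return cov / sqrt(var1 * var2)

def sensitivity_report(gen, x, x2, seed, n_bytes=4096):
    y, y2 = gen(x, seed, n_bytes), gen(x2, seed, n_bytes)
    return {"sub": subtraction_difference(y, y2),
            "xor": xor_difference(y, y2), "corr": correlation(y, y2)}

# Constructed inputs: the vector [0, 1, ..., 2047] from the text and a neighbour
# that differs in one component; the seed value is made up for the example.
X = list(range(2048))
X_NEAR = X[:-1] + [2046]
SEED = 0.1234567
GOOD = sensitivity_report(stand_in_prng, X, X_NEAR, SEED)
BAD = sensitivity_report(insensitive_prng, X, X_NEAR, SEED)

if __name__ == "__main__":
    print("stand-in:", GOOD)
    print("negative control:", BAD)
```

A generator that resists this kind of analysis gives an xor difference near 0.5 and a correlation near 0, while the negative control gives an xor difference near 0 and a correlation near 1.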

5. Conclusions

A new cryptographically secure pseudo-random number generator was described. The algorithm is based on the
combination of three chaotic maps. The maps are determined from an initial input vector by combining a chaotic function and the xor
operator during the generation process. The coupling of the chaotic function with the xor operation drastically disrupts the internal
structure of the initial vector and progressively induces an unpredictable randomness effect. Such a PRNG has shown its ability
to produce a very large number of pseudo-random sequences which can be useful in several cryptographic applications. The
advantages of the PRNG are: a large key space, a high sensitivity related to the input vector or chosen seed values, the
unpredictability of pseudo-random sequences, the security level against several attacks and the simplicity of implementation.

Acknowledgements

The authors thank the Centre de Calcul Intensif ROMEO II for computational facilities, and the Région Champagne-Ardennes and
the Conseil Régional de l’Aube for financial support.

References

[1] Sun F, Liu S. Cryptographic pseudo-random sequence from the spatial chaotic map. Chaos Solitons Fractals 2009;41:2216–9.
[2] Álvarez G, Li S. Some basic cryptographic requirements for chaos-based cryptosystems. Int J Bifur Chaos 2006;16:2129–51.
[3] Guyeux C, Wang Q, Bahi JM. A pseudo random numbers generator based on chaotic iterations: application to watermarking. Web Inf Syst Min
2010;6318:202–11.
[4] Zheng F, Tian X, Song J, Li X. Pseudo-random sequence generator based on the generalized Henon map. J Chin Univ Posts Telecommun 2008;15:64–8.
[5] Pareek NK, Patidar V, Sud KK. A random bit generator using chaotic maps. Int J Netw Sect 2010;10:32–8.
[6] Patidar V, Sud KK. A novel pseudo random bit generator based on chaotic standard map and its testing. Electron J Theor Phys 2009;6:327–44.
[7] Orúe AB, Álvarez G, Guerra A, Pastor G, Romera M, Montoya F. Trident, a new pseudo random number generator based on coupled chaotic maps.
Comput Intell Secur Inf Syst Adv Intell Soft Comput 2010;85:183–90.
[8] Bose R, Banerjee A. Implementing symmetric cryptography using chaos functions. In: Proc. 7th int. conf. on adv. comput. commun.; 1999. p. 318–21.
[9] Baptista MS. Cryptography with chaos. Phys Lett A 1998;240:50–4.
[10] Patidar V, Sud KK. A pseudo random bit generator based on chaotic logistic map and its statistical testing. Informatica 2009;33:441–52.
[11] Cecen S, Demirer RM, Bayrak C. A new hybrid nonlinear congruential number generator based on higher functional power of logistic maps. Chaos
Solitons Fractals 2009;42:847–53.
[12] Xuan L, Zhang G, Liao Y. Chaos-based true random number generator using image. IEEE Int Conf Nanjing Comput Sci Inf Syst 2011:2145–7.
[13] Pareek NK, Patidar V, Sud KK. Image encryption using chaotic logistic map. Image Vision Comput. 2006;24:926–34.
[14] Rukhin A, Soto J, Nechvatal J, Smid M, Barker E, Leigh S, et al. A statistical test suite for random and pseudorandom number generators for
cryptographic applications. NIST Spec Pub Rev 2010;1a.
[15] Cheng G, Mao Y, Chui C. A symmetric image encryption scheme based on 3D chaotic cat maps. Chaos Solitons Fractals 2004;21:749–61.
[16] Biham E, Shamir A. Differential cryptanalysis of the data encryption standard. London: Springer-Verlag; 1993.
[17] Menezes AJ, Oorschot PCV, Vanstone SA. Handbook of applied cryptography. CRC Press; 1996.
[18] L’ecuyer P, Simard R. TestU01: A C library for empirical testing of random number generators. ACM Trans Math Soft 2007;33:40 (Article 22).
[19] Marsaglia G. Diehard: a battery of tests of randomness; 1996. http://stat.fsu.edu/geo/diehard.html.
