Int. J. Electron. Commun. (AEÜ) 107 (2019) 239–251
Regular paper
Pseudorandom number generator based on enhanced Hénon map and its implementation

M.O. Meranza-Castillón (a), M.A. Murillo-Escobar (a), R.M. López-Gutiérrez (b), C. Cruz-Hernández (a,⇑)

(a) Electronics and Telecommunication Department, Scientific Research and Advanced Studies Center of Ensenada (CICESE), Ensenada, BC, Mexico
(b) Engineering, Architecture and Design Faculty, Autonomous University of Baja California (UABC), Ensenada, BC, Mexico

Article info

Article history: Received 13 February 2019; Accepted 18 May 2019

Keywords: Chaos; Pseudorandom number generator; Security analysis; Hardware implementation
Abstract

This paper presents a pseudorandom number generator (PRNG) based on an enhanced Hénon map (EHM) and its implementation in software and hardware for chaos-based cryptosystems with high processing demands, such as image or video encryption. The proposed EHM presents better statistical properties and higher key sensitivity than the classic Hénon map (CHM), as shown by numerical tests such as bifurcation diagrams, largest Lyapunov exponent, Gottwald-Melbourne test, and histograms. The proposed 8-bit PRNG-EHM algorithm is implemented in MATLAB (software) and in FPGA technology (hardware) for experimental results. In the hardware implementation, we use VHDL and the Altera DE2-115 FPGA board with RS-232 serial port communication for data extraction; the extracted data are analyzed with MATLAB. At both software and hardware level, the proposed PRNG-EHM passes the NIST 800-22 statistical randomness tests. For the first time in the literature, a comprehensive security analysis from a cryptographic point of view is presented for the hardware implementation, covering key space analysis, key sensitivity, floating frequency, histograms, autocorrelation, correlation, entropy, and performance. Comparisons of the proposed PRNG-EHM with recent similar schemes show its main advantages in security capabilities for cryptographic applications. According to the results, the proposed scheme can be used in chaos-based cryptographic applications implemented in software or hardware. © 2019 Elsevier GmbH. All rights reserved.
⇑ Corresponding author: C. Cruz-Hernández. https://doi.org/10.1016/j.aeue.2019.05.028 1434-8411/© 2019 Elsevier GmbH. All rights reserved.

1. Introduction

In recent years, chaos-based encryption schemes have been proposed in the literature to provide confidentiality, since properties of chaotic systems such as ergodicity, sensitivity to the initial conditions and control parameter, data mixing, deterministic dynamics, "noise"-like behavior, and a simple or complex structure are analogous to the cryptographic properties of confusion, sensitivity to the key, diffusion, deterministic pseudorandomness, and complexity of the algorithm [1]. The security level of chaos-based encryption algorithms is highly related to the quality of the randomness produced by the chaotic systems, since this randomness is the main source used to design the signal processing for diffusion and confusion in image encryption algorithms, e.g. see [2–4]. The randomness source in chaos-based cryptosystems can be considered as a pseudorandom number generator (PRNG) based on chaos, which is an algorithm with mathematical formulas to produce sequences of deterministic numbers with properties similar to sequences of random numbers, generated from an initial value or seed. Flexibility, repeatability, and low implementation resources are the main advantages of PRNGs. Nevertheless, the generation of pseudorandom numbers with high randomness properties is not trivial [5]. Recent PRNGs based on chaotic maps have been proposed with software implementation (MATLAB), where the control parameters and initial conditions of the chaotic maps are considered as the seed of the PRNG, e.g. see [6–8]. On the other hand, hardware implementations of PRNGs based on chaos have been proposed for field programmable gate arrays (FPGAs) in the literature, since FPGAs have advantages such as flexibility, low power, rapid prototyping, and parallelism for high signal processing [9–16]. In 2019, Rezk et al. proposed a reconfigurable PRNG based on Lorenz and Lü systems with implementation in the Xilinx XC5VLX50T FPGA by using VHDL (Very High-Speed Integrated Circuit Hardware Description Language), achieving an operating frequency of 78.149 MHz, and the pseudorandom sequences were tested with the National Institute of Standards and Technology (NIST) 800-22 statistical test suite [9]. In [10], Elmanfaloty and Abou-Bakr examined the randomness effect of fixed-point arithmetic representation on
the periodicity of a single skew tent map and coupled skew tent maps; based on the results, the authors proposed a PRNG based on coupled skew tent maps and its hardware FPGA implementation, which was verified with the NIST 800-22 test suite. In [11], the authors proposed three PRNGs based on three one-dimensional chaotic maps with hardware implementation in a Spartan 3E FPGA by using VHDL; bifurcation diagrams were used to calculate the largest positive Lyapunov exponent and the highest entropy of the information, in order to select the best parameter values of the chaotic maps. Madani et al. in [12] proposed an architecture that combines the regular SNOW-3G cipher with a hyperchaotic PRNG based on the four-dimensional Lorenz chaotic system to design a hyperchaotic SNOW-3G stream cipher providing good randomness, infinite period, and unpredictability. It was implemented in FPGA by using VHDL with a fixed-point representation of 48 bits, and some security analysis was presented such as correlation analysis, secret key space, key sensitivity, and the NIST 800-22 statistical test. In [13], a chaotic quadratic map was used to generate pseudorandom sequences as key sequences for masking information with hardware implementation in a Spartan 3E-XC3S1600E FPGA. Chaos of the quadratic map was verified with the bifurcation diagram and the largest Lyapunov exponent. They presented some security analysis such as histogram, autocorrelation, sensitivity to initial conditions, and NIST 800-22. In [14], the authors proposed physical unclonable functions based on a ring oscillator (RO-PUF) and the chaotic logistic map to generate pseudorandom numbers. The generator was implemented in the Altera EP4CE115F29C7 FPGA with VHDL. The NIST 800-22 statistical tests were applied, as well as autocorrelation analysis. In 2019, Garcia-Bosque et al. in [15] proposed a new PRNG based on the logistic map that dynamically changes its chaotic parameter. It was implemented in a Virtex 7 FPGA and tested with the NIST 800-22 randomness test suite.
In [16], an FPGA-based cryptographically secure PRNG was proposed. The authors used a piecewise linear chaotic map (PWLCM) along with a linear congruential generator to enhance the performance. The PRNG was implemented on a Xilinx Virtex-2 FPGA by using VHDL, achieving an operating frequency of 373.218 MHz. The randomness of the algorithm was tested with the NIST tests.

Statistical analysis such as the NIST 800-22 test suite, performance, and limited security analysis are presented in the literature for PRNGs implemented in FPGAs (hardware implementation), but many aspects of great importance for cryptographic applications have not been reported before, e.g. chaotic validation of the PRNG in FPGA and a comprehensive security analysis from a cryptographic point of view for the hardware implementation. Therefore, it is of great interest to include such analysis to show the cryptographic capabilities of chaos-based PRNGs with FPGA implementation for applications in secure communications.

In this work, we propose an enhanced Hénon map (EHM) with cryptographic advantages over the classic Hénon map (CHM), supported by numerical validation. Furthermore, we propose a PRNG based on the EHM with software (MATLAB) and hardware (FPGA) implementation. Both implementations pass the NIST 800-22 statistical test suite. The contributions of this work are the proposed enhanced Hénon map with better cryptographic properties and the FPGA implementation of the PRNG-EHM with a comprehensive security analysis from a cryptographic point of view by means of key space, key sensitivity, histograms, autocorrelation, correlation, floating frequency, information entropy, and performance. We show that the PRNG sequences in the hardware implementation are chaotic and have excellent security properties: huge secret key space, high randomness, uniform histograms, high sensitivity to the seed, no weak sections in the random sequences, low correlation and autocorrelation, high entropy, and good performance, so that the generator can be used in chaos-based cryptosystems with software or hardware implementation.

This paper is organized as follows: Section 2 describes the classic Hénon map and the proposed enhanced Hénon map with chaos validation and comparisons to show cryptographic advantages. In Section 3, the proposed PRNG-EHM algorithm is presented with its software implementation in MATLAB, with entropy and NIST 800-22 test analysis. The hardware implementation of the PRNG-EHM in FPGA is described in Section 4 with chaos validation and NIST 800-22 randomness results. In Section 5, we present the comprehensive security analysis of the proposed FPGA implementation of the PRNG-EHM. In Section 6, we compare the proposed scheme against recent similar schemes. Finally, the paper is concluded in Section 7.

2. Proposed enhanced Hénon map

In this section, we describe the classic Hénon map (CHM) and the proposed enhanced Hénon map (EHM). The EHM presents more uniform statistical properties and higher sensitivity to initial conditions and control parameters, according to numerical analysis with bifurcation diagrams, largest Lyapunov exponent, Gottwald-Melbourne test, and histograms. The Hénon map (CHM) was introduced by Michel Hénon in 1976 and is defined as follows
$$x_{n+1} = 1 - a x_n^2 + y_n, \qquad y_{n+1} = b x_n, \tag{1}$$

where $(x_n, y_n) \in \mathbb{R}^2$ are the discrete states of the map, $a$ and $b$ are the control parameters, $n = 0, 1, 2, \ldots, N$ is the number of iterations, and $x_0$ and $y_0$ are the initial conditions of each state. According to Hénon [17], the system shows chaotic behavior with $a = 1.4$, $b = 0.3$, $x_0 = 0$ and $y_0 = 0$. In Fig. 1, the chaotic attractor of the CHM is presented. Figs. 2 and 3 show the bifurcation diagrams of the CHM with $a \in [0.1, 1.43]$ and $b = 0.3$, and with $a = 1.4$ and $b \in [-0.32, 0.32]$, respectively. 64-bit IEEE 754 double floating-point arithmetic is used in the MATLAB simulation, with maximum precision of $10^{-15}$ decimals. Thus, we can use $a \in (1.399, 1.4)$ and $b \in (0.299, 0.3)$ to guarantee chaotic behavior for the CHM. Furthermore, the chaotic dynamics are verified with the largest Lyapunov exponent (LE). In [18], the authors mention that the signs of the Lyapunov exponents provide a qualitative picture of a system's dynamics. The LE measures the average rate of divergence or convergence of two nearby trajectories in the phase space; a positive LE indicates orbital divergence and chaos. In this sense, the largest LE of the CHM should be positive to show high dependence on initial conditions [19] and chaos. The largest Lyapunov exponent of a discrete-time dynamic system defined by a map $f : \mathbb{R}^m \to \mathbb{R}^m$ is given by

$$\lambda_1 = \lim_{n \to \infty} \frac{1}{n} \ln \lVert T_x^n u \rVert, \tag{2}$$

for almost any vector $u$ and

$$T_x^n = T(f^{n-1} x) \cdots T(f x)\, T(x), \tag{3}$$

and

$$T(x) = D_x f, \tag{4}$$

where this is the matrix of partial derivatives of the $m$ components of $f(x)$ with respect to the $m$ components of $x$ [20]. In Fig. 4, the spectrum of the largest Lyapunov exponent of the CHM is presented with control parameters $a \in [0.1, 1.43]$ and $b = 0.3$, and initial conditions $x_0 = 0$ and $y_0 = 0$. If we estimate the largest LE of the CHM according to Eq. (2) with $a = 1.4$ and $b = 0.3$, the largest Lyapunov exponent is $\lambda_1 \approx 0.4184$, which indicates chaos. The enhanced Hénon map is proposed to improve the chaotic dynamics of the classic Hénon map, with the aim to produce more
Fig. 1. Attractor of chaotic Hénon map.
Fig. 2. Bifurcation diagrams of CHM with b fixed: (a) state x and (b) state y.
Fig. 3. Bifurcation diagrams of CHM with a fixed: (a) state x and (b) state y.
uniform chaotic distribution, to increase the range of control parameters for chaos, and to increase the sensitivity to initial conditions and control parameters. In Ref. [6], the authors proposed a pseudorandomly enhanced logistic map with MATLAB implementation, where one multiplication and modulo 1 were used. Nevertheless, the cryptanalysis in [21] showed some vulnerabilities related to how the multiplication was designed. To overcome this issue, we propose a countermeasure by modifying the multiplication in the EHM. In addition, the classic Hénon map is used since it has two states and two control parameters, which increase the key space without sacrificing processing time.

As a result, this enhanced chaotic map is used in the proposed PRNG to produce pseudorandom numbers with high randomness and security capabilities, which is described in Section 3. The proposed enhanced Hénon map (EHM) is defined as follows

$$X_{n+1} = \big((1 + a X_n^2 + Y_n) \times 10001\big) \bmod 1, \qquad Y_{n+1} = \big((b X_n) \times 10001\big) \bmod 1, \tag{5}$$

where $(X_n, Y_n) \in \mathbb{R}^2$ are the discrete states of the map with $X_n \in (0, 1)$ and $Y_n \in (0, 1)$; $X_0$ and $Y_0$ are the initial conditions of each state, $a$ and $b$ are the control parameters of CHM,
Fig. 4. Spectrum of the largest LE of CHM.
$n = 0, 1, 2, \ldots, N$ is the number of iterations, and mod is the modulo 1 operation. In order to maintain the same complexity of $2^{52}$ for each state in the EHM and to generate uniform chaotic data, the CHM is multiplied by 10,001 with modulo 1. This process does not reduce the key space, unlike the multiplication analyzed in the cryptanalysis of [21]. For example, the number $X_{n+1} = 0.d_1 d_2 d_3 d_4 d_5 d_6 d_7 d_8 d_9 d_{10} d_{11} d_{12} d_{13} d_{14} d_{15}$ multiplied by 10,001 with modulo 1 generates $X_{n+1} = 0.d_{16} d_{17} d_{18} d_{19} d_{20} d_{21} d_{22} d_{23} d_{24} d_{25} d_{26} d_{12} d_{13} d_{14} d_{15}$, where the complexity of each state is preserved at $2^{52}$. In the proposed EHM architecture, another chaotic map could be used instead of the CHM by modifying Eq. (5), since the multiplication design and modulo 1 are the process that improves the dynamics of the chaotic map, with the restriction that the initial conditions must be redefined into (0, 1). In Figs. 5 and 6, the bifurcation diagrams of the EHM are presented with $a \in [0.1, 1.43]$ and $b = 0.3$, and with $a = 1.4$ and $b \in [-0.32, 0) \cup (0, 0.32]$, respectively, where we can see a greater chaotic range in the control parameters than for the CHM. The chaos of the proposed EHM is verified by the largest Lyapunov exponent computed from time series [19]. Table 1 shows the most dominant LEs. Therefore, the trajectories of the EHM are still chaotic. In Fig. 7, we present the divergence in time of two nearby trajectories for the CHM and the EHM, with initial conditions x10 = 0.112233444720120, y10 = 0.123456789192132, x20 = 0.112233444720121, and y20 = 0.123456789192132. Thus, the proposed EHM presents higher sensitivity than the CHM. The 0–1 test of Gottwald-Melbourne [22] is applied to the CHM and the EHM, which determines whether a deterministic dynamic system
is chaotic or not chaotic. This method is applied directly to the time series data and does not require the reconstruction of the phase plane. Therefore, both the dimension of the dynamic system and the form of the equations that represent it are irrelevant. The input of the test is a sequence in the time domain and the output of the test is between 0 and 1, i.e. non-chaotic or chaotic dynamics, respectively. For this test, the input is the one-dimensional time series $\phi(n)$ for $n = 1, 2, 3, \ldots$, which is used to obtain the following two-dimensional system

$$p_{n+1} = p_n + \phi(n) \cos(cn), \qquad q_{n+1} = q_n + \phi(n) \sin(cn), \tag{6}$$

where $c \in (0, 2\pi)$. The mean square displacement (average time) is defined as follows

$$M_n = \lim_{N \to \infty} \frac{1}{N} \sum_{j=1}^{N} \left( [p_{j+n} - p_j]^2 + [q_{j+n} - q_j]^2 \right), \tag{7}$$

with $n = 1, 2, 3, \ldots$, and its growth rate is defined as

$$K = \lim_{n \to \infty} \frac{\log M_n}{\log n}. \tag{8}$$

Under general conditions, it can be shown that the limits $M_n$ and $K$ exist, and $K$ can take the value 0, which means regular dynamics, or the value 1, which means chaotic dynamics. The results of the 0–1 test of Gottwald-Melbourne are shown in Table 2, which indicates that the sequences of the EHM are chaotic.
Fig. 5. Bifurcation diagrams of EHM with b fixed: (a) state X and (b) state Y.
Fig. 6. Bifurcation diagrams of EHM with a fixed: (a) state X and (b) state Y.

Table 1. Largest Lyapunov exponent for CHM and EHM (a = 1.3999; b = 0.2999).
Initial conditions | CHM xn | CHM yn | EHM Xn | EHM Yn
x10, y10 | 0.4164 | 0.4233 | 1.3896 | 1.3839
x20, y20 | 0.4252 | 0.4231 | 1.3725 | 1.3714

Table 2. Gottwald-Melbourne results of CHM and EHM.
Initial conditions | CHM xn | CHM yn | EHM Xn | EHM Yn
x10, y10 | 0.9977 | 0.9979 | 0.9982 | 0.9981
x20, y20 | 0.9978 | 0.9980 | 0.9980 | 0.9981
In Fig. 8, the histograms of 10,000 chaotic data are presented for both the CHM and the EHM. The results show a better distribution of chaotic data in the EHM.

3. Pseudorandom number generator based on EHM

The proposed PRNG-EHM algorithm is defined by the following steps. In the first step, the seed must be determined by selecting two initial conditions ($X_0$ and $Y_0$) and two control parameters ($a$ and $b$) for the EHM (Eq. (5)), which are defined as 64-bit digital words (double floating-point in software and fixed-point in hardware) to allow a precision of 15 decimals. In the second step, the EHM is iterated $n$ times. In the last step, the chaotic sequences of step 2 are transformed from (0, 1) to [0, 255], i.e. sequences of 8-bit integers, by using the following expression

$$\mathrm{PRNGEHMX}_n = \mathrm{fix}(X_n \times 256), \qquad \mathrm{PRNGEHMY}_n = \mathrm{fix}(Y_n \times 256), \tag{9}$$

where $n = 0, 1, \ldots, N$ is the number of iterations, fix rounds the elements to the nearest integer toward zero, $\mathrm{PRNGEHMX} \in [0, 255]$, and $\mathrm{PRNGEHMY} \in [0, 255]$.

First, the PRNG-EHM is implemented at software level with MATLAB to verify the entropy of the information and the randomness with the NIST 800-22 statistical test suite. The entropy of a message $M$, denoted by $H(M)$, is the average amount of information contained in the data used, which can be estimated using the following expression

$$H(M) = -\sum_{i=0}^{2^N - 1} p_i \log_2 p_i, \tag{10}$$

where $M \in [0, 255]$ is the sequence of data to evaluate, $N = 8$ is the number of bits of each element of $M$, and $p_i$ is the probability of each element in the sequence $M$. For the proposed PRNG-EHM, an entropy of 8 indicates that the sequence is highly unpredictable, whereas with an entropy close to 0 the sequence can be completely predictable. In Fig. 9, the entropy of 100 PRNG-EHM sequences generated with 100 different seeds ($a$, $b$, $X_0$ and $Y_0$) is shown. The average entropy is 7.9943 and 7.9942 for PRNGEHMX and PRNGEHMY, respectively. Thus, the PRNG-EHM generates unpredictable numbers at software level.
Fig. 7. Graphical sensitivity to the initial conditions between CHM and EHM: (a) x of CHM and (b) X of EHM.
Fig. 8. Histograms of chaotic data: (a) state x of CHM, (b) state y of CHM, (c) state X of EHM, and (d) state Y of EHM.
The most complete statistical test suite to analyze the randomness of binary sequences is the National Institute of Standards and Technology (NIST) 800-22 suite [23]. This set of 15 tests is applied to 1000 sequences of the PRNG-EHM generated by 1000 different keys selected randomly. In each test, a probability P-value is calculated from a sequence of length $10^6$ bits. A P-value equal to 1 means perfect randomness and a P-value equal to 0 means non-randomness. The P-value must be greater than a predefined threshold $\alpha$ to pass the test. If all the tests pass, the sequence is considered random with a confidence of $1 - \alpha$. Otherwise, the sequence is not considered random. In this analysis, a threshold of $\alpha = 0.01$ is considered. With a P-value $\geq 0.01$ the sequence is considered random with a confidence of 99%; otherwise it is considered non-random. In Table 3, the results of the NIST 800-22 tests at software level are presented for the 1000 sequences. The successful proportion must be greater than (980/1000) = 0.98 to pass each test according to [23], i.e. more than 980 sequences of 1 million bits each must pass all the 15 tests. Based on the results, the PRNG-EHM passes the NIST 800-22 test suite.

The proposed PRNG-EHM has three main advantages over the PRNG-PELM recently proposed in [6]. First, the PRNG-EHM can avoid the cryptanalysis of the PRNG-PELM described in [21], since we use a multiplication design that does not eliminate any decimal number. Second, the PRNG-EHM has more complexity since it has two control parameters and two states, whereas the PRNG-PELM has just one control parameter and one state. Third, the PRNG-EHM is implemented in hardware to show its efficiency for secure embedded applications.

Table 3. Results of NIST 800-22 of 1000 binary sequences with n = 10^6 bits for PRNG-EHM in MATLAB (successful proportion).
No. | Test | PRNGEHMX | PRNGEHMY
1 | The Frequency (Monobit) Test | 0.988 | 0.991
2 | Frequency Test within a Block | 0.990 | 0.990
3 | The Runs Test | 0.989 | 0.990
4 | Tests for the Longest-Run-of-Ones in a Block | 0.987 | 0.990
5 | The Binary Matrix Rank Test | 0.980 | 0.981
6 | The Discrete Fourier Transform (Spectral) Test | 0.988 | 0.987
7 | The Non-overlapping Template Matching Test | 0.991 | 0.988
8 | The Overlapping Template Matching Test | 0.989 | 0.987
9 | Maurer's "Universal Statistical" Test | 1.000 | 1.000
10 | The Linear Complexity Test | 0.994 | 0.993
11 | The Serial Test | 0.980 | 0.980
12 | The Approximate Entropy Test | 0.991 | 0.988
13 | The Cumulative Sums (Cusums) Test | 0.999 | 0.999
14 | The Random Excursions Test | 0.987 | 0.986
15 | The Random Excursions Variant Test | 0.989 | 0.989

Fig. 9. Entropy of 100 sequences for PRNG-EHM in MATLAB: (a) PRNGEHMX and (b) PRNGEHMY.

4. FPGA implementation of PRNG-EHM

The proposed PRNG-EHM is implemented at hardware level in the Altera DE2-115 FPGA board (see Fig. 10). It has a Cyclone IV family FPGA, device EP4CE115F29C7, at 50 MHz operating frequency, with 114,480 logic elements, up to 3.9 Mbits of RAM, 266 multipliers, memory devices, communication interfaces, among
Fig. 12. Hardware resources of the PRNG-EHM in FPGA.
Fig. 10. Altera DE2-115 development platform.
other important features for applications in telecommunications, security systems, audio synthesizers, etc. QUARTUS II version 14.1 is used as the software tool to synthesize the VHDL (Very High-Speed Integrated Circuit Hardware Description Language) code of the PRNG-EHM, on a personal computer with Intel(R) Core(TM) i5-3340 at 3.10 GHz, 4.0 GB of RAM, Windows 8 and a 64-bit operating system.

The EHM is implemented in FPGA with 64-bit fixed-point arithmetic with one bit for the sign, 1 bit for the integer, and 62 bits for the fraction. The PRNG-EHM output is defined as an 8-bit integer, which is transmitted from the DE2-115 to a personal computer (PC) through the RS-232 serial port and the serial capture program "RealTerm 2.0.0.70". Fig. 11 shows the transmission of a set of 8-bit data of the PRNG-EHM (values between 0 and 255), which are stored in a *.tex file to be analyzed in MATLAB. Fig. 12 shows the hardware resources of the FPGA, including the RS-232 serial communication. The proposed PRNG-EHM implemented in the DE2-115 can achieve a throughput of up to 400 Mb/s considering the maximum frequency of 50 MHz and the 8-bit data output of the PRNG-EHM. Nevertheless, we use the RS-232 interface to extract the numbers and the speed is limited to 115,200 bits/s.

The largest Lyapunov exponent [18] and the 0–1 test of Gottwald-Melbourne [22] are calculated for five PRNG-EHM sequences of 125,000 8-bit numbers extracted from the FPGA by RS-232. We use the control parameters and the initial conditions of Table 4. Table 5 presents the results, which indicate chaos of the PRNG-EHM implemented in FPGA.
The sequences generated by the PRNG-EHM implemented in FPGA are subjected to NIST 800-22 [23]. We extracted 21 sequences from the FPGA and the results are shown in Table 6. The 21 P-values of each state are averaged. Since all have a P-value $\geq 0.01$, the 21 sequences pass the NIST 800-22 statistical test suite.

Fig. 11. Extraction of PRNG-EHM sequences by RS-232 from FPGA.

5. Security analysis for FPGA implementation

An important application of PRNGs is in cryptography based on digital embedded systems, where high-processing encryption schemes are required, such as high definition image encryption in telemedicine or video encryption in the military. In this sense, the proposed PRNG-EHM implemented in FPGA (hardware level) is subjected to several security analyses from a cryptographic point of view to show its capabilities for such applications. The security analyses carried out include key space, key sensitivity, histograms, autocorrelation, correlation, floating frequency, and entropy.

5.1. Key space

According to [24], the size of the key space must be greater than $2^{100}$ to guarantee that it will resist an exhaustive attack. The key for the PRNG-EHM implemented in FPGA is given by the initial values, that is, the control parameters ($a$ and $b$) and the initial conditions ($X_0$ and $Y_0$). 64-bit fixed-point arithmetic is used for each initial value with 1 bit for the sign, 1 bit for the integer part, and 62 bits for the fraction. In order to guarantee chaos of the EHM, in the control parameters the 10 most significant bits are predefined and only the 52 least significant bits are part of the key; in the initial conditions, the 3 most significant bits are predefined and the 59 least significant bits are considered part of the key (see Fig. 13). Therefore, the proposed PRNG-EHM has $2^{222}$ possible keys at hardware level.

5.2. Key sensitivity

A PRNG algorithm must present high sensitivity to the key or seed, even at bit level [24]. For the PRNG-EHM in FPGA, five secret keys are used to test the sensitivity to the key. In this analysis, the control parameters are the same and only initial conditions with a 1-bit difference between them are selected, see Table 4. Graphically, the results of the key sensitivity analysis are evident in Fig. 14. Other analyses used to measure the differences between two sequences are the NPCR (Net Pixel Change Rate) and the UACI (Unified Average Changing Intensity). These two quantities are the most commonly used to evaluate the robustness of image
Table 4. Keys selected for chaos verification and key sensitivity analysis for FPGA. Secret key (2Q62).
S1–S5 (control parameters): a = 01.01100110011000000000000000000001000000000000000000000000000001, b = 00.01001100101000000000000000000001000000000000000000000000000001
S1: x0 = 00.10000000010000000000000000000001000000000000000000000000000001, y0 = 00.01100000010000000000000000000001000000000000000000000000000001
S2: x0 = 00.10000000010000000000000000000001000000000000000000000000000011, y0 = 00.01100000010000000000000000000001000000000000000000000000000001
S3: x0 = 00.10000000010000000000000000000001000000000000000000000000000001, y0 = 00.01100000010000000000000000000011000000000000000000000000000001
S4: x0 = 00.10000000010000000000000000000001100000000000000000000000000001, y0 = 00.01100000010000000000000000000001000000000000000000000000000001
S5: x0 = 00.10000000110000000000000000000001000000000000000000000000000001, y0 = 00.01100000010000000000000000000001000000000000000000000000000001
Table 5. Lyapunov exponent and Gottwald-Melbourne results for PRNG-EHM in FPGA.
Sequence | Lyapunov exponent PRNGEHMX | Lyapunov exponent PRNGEHMY | Gottwald-Melbourne PRNGEHMX | Gottwald-Melbourne PRNGEHMY
S1 | 1.3653 | 1.3393 | 0.9968 | 0.9983
S2 | 1.3697 | 1.3578 | 0.9981 | 0.9981
S3 | 1.3450 | 1.3585 | 0.9979 | 0.9982
S4 | 1.3586 | 1.3739 | 0.9980 | 0.9982
S5 | 1.3450 | 1.3563 | 0.9981 | 0.9985
encryption algorithms with respect to differential attacks. The NPCR is obtained according to Eq. (11), which determines how many elements are different between sequences. The UACI is calculated by Eq. (13), which measures how much one sequence differs from another in magnitude on average.
$$\mathrm{NPCR} = \frac{\sum_{n=1}^{N} W(n)}{N} \times 100\% \tag{11}$$

where

$$W(n) = \begin{cases} 0, & S_1(n) = S_2(n) \\ 1, & S_1(n) \neq S_2(n) \end{cases} \tag{12}$$
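Table 6. Results of NIST 800-22 for PRNG-EHM in FPGA.
No. | Test | PRNGEHMX P-value | PRNGEHMY P-value | Result
1 | Frequency test | 0.5178 | 0.5973 | Passed
2 | Frequency test within a block | 0.4142 | 0.5583 | Passed
3 | Runs test | 0.5134 | 0.3770 | Passed
4 | The longest run of ones in a block | 0.5408 | 0.5804 | Passed
5 | Binary matrix rank | 0.1136 | 0.2162 | Passed
6 | Discrete Fourier transform | 0.5077 | 0.5393 | Passed
7 | Nonoverlapping template matching | 0.5270 | 0.4303 | Passed
8 | Overlapping template matching | 0.5164 | 0.5524 | Passed
9 | Maurer's universal statistical | 0.9994 | 0.9995 | Passed
10 | Linear complexity | 0.4787 | 0.4300 | Passed
11 | Serial test | 0.3267 | 0.3274 | Passed
12 | Approximate entropy | 0.4902 | 0.5624 | Passed
13 | Cumulative sums | 0.4944 | 0.5169 | Passed
14 | Random excursions, state -4 | 0.4218 | 0.4852 | Passed
14 | Random excursions, state -3 | 0.3952 | 0.5628 |
14 | Random excursions, state -2 | 0.5201 | 0.5028 |
14 | Random excursions, state -1 | 0.3958 | 0.4526 |
14 | Random excursions, state 1 | 0.4449 | 0.5907 |
14 | Random excursions, state 2 | 0.6057 | 0.4481 |
14 | Random excursions, state 3 | 0.5018 | 0.5032 |
14 | Random excursions, state 4 | 0.6410 | 0.5011 |
15 | Random excursions variant, state -9 | 0.4906 | 0.4363 | Passed
15 | Random excursions variant, state -8 | 0.5259 | 0.4243 |
15 | Random excursions variant, state -7 | 0.5043 | 0.4739 |
15 | Random excursions variant, state -6 | 0.4952 | 0.5350 |
15 | Random excursions variant, state -5 | 0.4729 | 0.4808 |
15 | Random excursions variant, state -4 | 0.4768 | 0.4224 |
15 | Random excursions variant, state -3 | 0.5372 | 0.4317 |
15 | Random excursions variant, state -2 | 0.5166 | 0.4605 |
15 | Random excursions variant, state -1 | 0.4434 | 0.4785 |
15 | Random excursions variant, state 1 | 0.5711 | 0.4927 |
15 | Random excursions variant, state 2 | 0.5814 | 0.4603 |
15 | Random excursions variant, state 3 | 0.5642 | 0.4595 |
15 | Random excursions variant, state 4 | 0.5452 | 0.4614 |
15 | Random excursions variant, state 5 | 0.4966 | 0.4520 |
15 | Random excursions variant, state 6 | 0.4907 | 0.4419 |
15 | Random excursions variant, state 7 | 0.5158 | 0.4483 |
15 | Random excursions variant, state 8 | 0.5646 | 0.4540 |
15 | Random excursions variant, state 9 | 0.5394 | 0.4417 |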
$$\mathrm{UACI} = \frac{1}{N} \sum_{n=1}^{N} \frac{|S_1(n) - S_2(n)|}{255} \times 100\% \tag{13}$$
where $N$ is the size of the sequences $S_1$ and $S_2$ to be evaluated. According to the study in [25], the values of NPCR and UACI depend on the test image size. For instance, a 256 × 256 image must have an NPCR value greater than 99.5693% and a UACI between 33.2824% and 33.6447%. To perform this analysis, a sequence of 5000 elements (40,000 bits) of the PRNG-EHM in FPGA is taken as $S_1$ with secret key 1 of Table 4. Subsequently, twenty sequences of the same length, each generated with a secret key that differs in just one bit, are used in turn as $S_2$. The analysis is applied to both PRNGEHMX and PRNGEHMY sequences. Table 7 shows the average results of this analysis. Also, Fig. 15 presents the values calculated for each test. The results show high sensitivity to the secret key, since almost 100% of the numbers are different between the two tested sequences, and they differ by more than 33.4% in magnitude on average.

5.3. Histograms

A histogram is the graphic representation of a variable in the form of bars, where the area of each bar is proportional to the frequency of appearance of the values or elements in a sequence. For a PRNG to be considered statistically good, the histogram must be uniform for any key or seed, i.e. the standard deviation of the distribution must be small. In Fig. 16, the histograms of three sequences ($S_1$, $S_2$ and $S_3$) of 5,000 numbers from the PRNG-EHM in FPGA with three different keys are presented. The distribution of the elements of each sequence is quite uniform. In addition,
Table 8 shows the standard deviations of the three sequences and the average of 20 other sequences. The standard deviation is small and remains similar in all sequences, so the distribution of the elements is uniform even with different keys.

5.4. Autocorrelation

Autocorrelation (AC) is a statistical tool frequently used in signal processing. The autocorrelation function is defined as the cross-correlation of the signal with itself shifted in time by $k$ positions, and determines whether a sequence of data has repetitive patterns or not. The autocorrelation is calculated with Eq. (14) to determine whether the PRNG-EHM generates sequences of pseudorandom numbers or repetitive patterns
ACðkÞ ¼
AD ; N
ð14Þ
where A is the number of matches between the original and the shifted sequence, D is the number of mismatches, N is the length of the sequence, and k is the bit shift. This function varies within the range [-1, 1], where 1 indicates a perfect correlation, that is, the signal perfectly overlaps after a temporary shift of k, and -1 indicates a perfect anticorrelation. The expected AC is a value very close to 0, since this would indicate that the PRNG-EHM produces uniform pseudorandom numbers without periodicity patterns. This analysis is applied to the first three sequences generated by the initial values from Table 4 considering the first 16,000 bits of each sequence and 500 circular shifts to the right. In Fig. 17, the results of AC are presented for the three sequences, which yield values very close to 0 with a standard deviation between 0.0074 and 0.0085.

Table 7 Average results of NPCR and UACI of PRNG-EHM in FPGA.

PRNG-EHM    NPCR        UACI
PRNGEHMX    99.6119%    33.4492%
PRNGEHMY    99.6157%    33.4293%

Fig. 13. Digital word of 64-bits fixed-point for PRNG-EHM in FPGA.
Fig. 14. Graphical key sensitivity of first 30 iterations for PRNG-EHM in FPGA: a PRNGEHMX and b PRNGEHMY.
Fig. 15. Numerical key sensitivity results of 20 sequences for PRNG-EHM in FPGA: a NPCR of PRNGEHMX, b NPCR of PRNGEHMY, c UACI of PRNGEHMX, and d UACI of PRNGEHMY.
Fig. 16. Histograms of 3 sequences for PRNG-EHM in FPGA: a PRNGEHMX of S1, b PRNGEHMY of S1, c PRNGEHMX of S2, d PRNGEHMY of S2, e PRNGEHMX of S3, f PRNGEHMY of S3.

Table 8 Standard deviation of the histograms.

              Standard Deviation
Sequence      PRNGEHMX    PRNGEHMY
S1            4.3790      4.2692
S2            4.3781      4.2692
S3            4.3040      4.5035
S1 ... S20    4.4207      4.3922

5.5. Correlation

The correlation determines if there is a relationship or link between two sequences of the same length and it is calculated with Eq. (15). The general correlation analysis results in a number between -1 and 1, called the correlation coefficient. If the coefficient is 0, the sequences are independent without relationship between them. On the other hand, if the coefficient is closer to 1 or -1, there is a stronger correlation between the sequences,
$$C_r = \frac{N\sum_{i=1}^{N}(x_i y_i) - \sum_{i=1}^{N} x_i \sum_{i=1}^{N} y_i}{\sqrt{\left(N\sum_{i=1}^{N}(x_i)^2 - \left(\sum_{i=1}^{N} x_i\right)^2\right)\left(N\sum_{i=1}^{N}(y_i)^2 - \left(\sum_{i=1}^{N} y_i\right)^2\right)}} \tag{15}$$
where x and y are the sequences to be compared and N is the total number of elements in each sequence. Fig. 18 shows the correlation of a sequence of the PRNG-EHM in FPGA, generated with key 1 of Table 4, with another 20 sequences generated with different keys. The resulting average correlation is 0.00205 for PRNGEHMX and 0.00193 for PRNGEHMY, which indicates very low correlation between the sequences generated by the FPGA.
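Eq. (14) from Section 5.4 and Eq. (15) from Section 5.5, written out as an added Python example (not the authors' MATLAB or VHDL code). The `stream` helper is a constructed stand-in built on Python's `random` module, not the PRNG-EHM, and the periodic and `leaky` sequences are constructed failure cases.

```python
import math
import random

def stream(seed, n):
    """Constructed stand-in byte stream; this is NOT the PRNG-EHM."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

def autocorrelation(data, k):
    """Eq. (14): AC(k) = (A - D) / N over the bits of data, circular right shift by k."""
    n = len(data) * 8
    x = int.from_bytes(data, "big")
    k %= n
    rotated = ((x >> k) | (x << (n - k))) & ((1 << n) - 1)
    d = bin(x ^ rotated).count("1")      # D = mismatching bit positions, A = N - D
    return (n - 2 * d) / n

def ac_summary(data, shifts=500):
    """Largest |AC(k)| and the standard deviation of AC(k) for k = 1..shifts."""
    ac = [autocorrelation(data, k) for k in range(1, shifts + 1)]
    mean = sum(ac) / len(ac)
    std = math.sqrt(sum((v - mean) ** 2 for v in ac) / len(ac))
    return max(abs(v) for v in ac), std

def correlation(x, y):
    """Eq. (15): correlation coefficient of two equal-length sequences."""
    n = len(x)
    sx, sy = sum(x), sum(y)
    sxy = sum(a * b for a, b in zip(x, y))
    sxx, syy = sum(a * a for a in x), sum(b * b for b in y)
    return (n * sxy - sx * sy) / math.sqrt((n * sxx - sx ** 2) * (n * syy - sy ** 2))

if __name__ == "__main__":
    good = stream(1, 2000)                   # 16,000 bits, the length used in Section 5.4
    periodic = stream(2, 40) * 50            # same length, repeats every 320 bits
    print("good     max|AC|, std:", ac_summary(good))
    print("periodic max|AC|, std:", ac_summary(periodic))
    other = stream(3, 2000)                  # unrelated stand-in stream
    leaky = bytes(b ^ 1 for b in good)       # every element differs, yet the stream is exposed
    print("Cr(good, other):", correlation(good, other))
    print("Cr(good, leaky):", correlation(good, leaky))
```

For N = 16,000 independent fair bits, AC(k) has a standard deviation of 1/√N ≈ 0.0079, which is the scale of the 0.0074 to 0.0085 reported above. The periodic stream reaches AC = 1 at its 320-bit period, and the `leaky` pair gives a coefficient near 1 even though no element is equal.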
5.6. Floating frequency

The floating frequency analysis is used to determine if the sequences present weak sections or uniform sections. In the case of the PRNG-EHM, floating windows of 256 elements are evaluated, expecting to obtain a floating frequency of 256 as maximum, i.e. all 256 elements are different. Then, the floating window is shifted one element to the right and the floating frequency is obtained again, until the end of the sequence. Fig. 19 shows the result of the floating frequency for 3 sequences of 5,000 elements from the PRNG-EHM implemented in FPGA. The average floating frequency is 162.09 for both PRNGEHMX and PRNGEHMY, and the values remain uniform, with an average standard deviation of 4.8188 with respect to the average.

Fig. 17. Autocorrelation analysis of 3 sequences for PRNG-EHM in FPGA: a PRNGEHMX of S1, b PRNGEHMY of S1, c PRNGEHMX of S2, d PRNGEHMY of S2, e PRNGEHMX of S3, and f PRNGEHMY of S3.
Fig. 18. Correlation analysis of 20 sequences for PRNG-EHM in FPGA: a PRNGEHMX and b PRNGEHMY.
Fig. 19. Floating frequency analysis of 3 sequences for PRNG-EHM in FPGA: a PRNGEHMX of S1, b PRNGEHMY of S1, c PRNGEHMX of S2, d PRNGEHMY of S2, e PRNGEHMX of S3, and f PRNGEHMY of S3.

5.7. Information entropy

Information entropy determines the unpredictability of a message, that is, it measures how much disorder the PRNG algorithm generates at its output. It is important in security analysis because it provides a tool to assess the degree of randomness of the PRNG, since a PRNG must produce highly unpredictable numbers. The information entropy is calculated for the PRNG-EHM with Eq. (10). Since the generated numbers are 8 bits wide, the ideal entropy is 8. Fig. 20 shows the entropy of 21 sequences of the PRNG-EHM implemented in FPGA, where the average results are 7.9818 for the sequence of the state PRNGEHMX and 7.9820 for the PRNGEHMY. Thus, the sequences are unpredictable.
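The sliding-window floating frequency of Section 5.6 next to a whole-sequence entropy, as an added Python example (not the authors' code). The generator is a constructed stand-in built on Python's `random` module, not the PRNG-EHM; the weak section is constructed; and entropy is computed as Shannon entropy in bits per element, which is an assumption about the form of Eq. (10).

```python
import math
import random
from collections import Counter

def floating_frequency(seq, window=256):
    """Distinct values in each window of `window` elements, sliding one element at a time."""
    counts = Counter(seq[:window])
    result = [len(counts)]
    for i in range(window, len(seq)):
        leaving = seq[i - window]
        counts[leaving] -= 1
        if counts[leaving] == 0:
            del counts[leaving]          # value is no longer present in the window
        counts[seq[i]] += 1
        result.append(len(counts))
    return result

def entropy(seq):
    """Shannon entropy in bits per element (8 is the ideal for 8-bit numbers)."""
    n = len(seq)
    return -sum(c / n * math.log2(c / n) for c in Counter(seq).values())

def ideal_floating_frequency(window=256, symbols=256):
    """Expected distinct values when `window` elements are drawn uniformly from `symbols`."""
    return symbols * (1 - (1 - 1 / symbols) ** window)

def demo():
    rng = random.Random(7)                             # constructed stand-in, NOT the PRNG-EHM
    good = [rng.getrandbits(8) for _ in range(5000)]
    weak = list(good)
    weak[2000:2400] = [i % 4 for i in range(400)]      # constructed weak section: 4 values only
    ff_good, ff_weak = floating_frequency(good), floating_frequency(weak)
    return {
        "ideal": ideal_floating_frequency(),
        "mean_good": sum(ff_good) / len(ff_good),
        "min_good": min(ff_good),
        "min_weak": min(ff_weak),
        "entropy_good": entropy(good),
        "entropy_weak": entropy(weak),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:13s} {value:.4f}")
```

A uniform 8-bit source gives an expected floating frequency of 256(1 − (255/256)^256) ≈ 162.0 for a 256-element window, so the reported average of 162.09 sits at the ideal value. The constructed weak section drops the minimum floating frequency to 4 while the whole-sequence entropy stays above 7.7, which is why the windowed test is run in addition to entropy.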
Fig. 20. Information entropy of 21 sequences for PRNG-EHM in FPGA: a PRNGEHMX and b PRNGEHMY.

6. Comparison with literature

Recently, some PRNGs based on chaos have been implemented in FPGA technology. In previous work in literature, experimental
Table 9 Comparison of proposed PRNG-EHM in FPGA with literature, where p means "achieved" and – means "not achieved".
Proposed PRNG-EHM
Ref. [14] (2016)
Ref. [11] (2017)
Ref. [12] (2017)
Ref. [16] (2018)
Ref. [9] (2019)
Enhanced Hénon map (EHM) p p p p
Bernoulli, Tent and Zigzag map – – – –
Logistic map p p
Lorenz HC system – – – p
PWLCM map – p – –
Lorenz and Lü systems – – – –
Randomness analysis NIST 800-22 Other
p
p
p
p
p
p
–
–
–
–
–
–
Security analysis Key space Key sensitivity NPCR and UACI Floating frequency Histogram Autocorrelation Information entropy Correlation
p p p p p p p p
p
– – p
– – – – – – – p
– – – – – – – –
Throughput Speed (Mb/s) Comparison analysis
p p
p p
p p
p p
Chaos properties Chaotic map Lyapunov exponent Bifurcation diagram Gottwald-Melbourne Histogram
– – – – p – p
– –
data are analyzed just with randomness tests such as NIST 800-22 and performance analysis, with satisfactory results. However, they do not present a security analysis as we present in this paper. Such analyses are of great importance in cryptographic applications, since the PRNG is used as the main core of information encryption algorithms. In Table 9, the proposed PRNG-EHM implemented in FPGA is compared with other recent schemes. The main advantage of the proposed implementation is the verification of the security analysis, including success in the NIST 800-22 test suite, and the chaos validation of the PRNG-EHM in FPGA.
7. Conclusions

PRNGs based on chaos are widely applied in cryptography. Chaotic maps with high cryptographic properties such as uniform data, extreme sensitivity to initial conditions, high complexity, and low arithmetic resources are desirable to design efficient PRNGs with applications in embedded security. On the other hand, randomness analysis such as the NIST 800-22 suite and performance analysis are indispensable for PRNGs. Nevertheless, including a security analysis can be of great interest for cryptographic designers.
– –
– – – – – – p – p p
p p – – p
In this paper, we proposed an enhanced Hénon map (EHM) with better cryptographic characteristics than the classic Hénon map, such as better distribution of chaotic data, higher key sensitivity (i.e. higher Lyapunov exponent), and a greater range of values for the control parameters (a and b). The EHM design uses one multiplication 10,001 with module 1 instead of 100,000 with module 1 as in previous results; with this process, the complexity of the EHM cannot be reduced and the key space is still big enough to resist cryptanalysis. Then, we proposed a PRNG algorithm based on the EHM with implementation at both software (MATLAB) and hardware (FPGA) level. In both cases, the PRNG-EHM passed the NIST 800-22 randomness test suite. More interestingly, the FPGA implementation was validated for the first time in the literature as follows: the chaotic dynamics were verified with the Lyapunov exponent and the Gottwald-Melbourne test, and a comprehensive security analysis was presented with huge secret key space, highly uniform statistical data, high secret key sensitivity, very low correlation, low autocorrelation, high unpredictability, and high processing speed. Therefore, the proposed FPGA implementation can be used for secure embedded applications. In future work, encryption algorithms based on PRNG-EHM can be designed in FPGA for applications in high processing secure
communications, such as image encryption, audio encryption, or video encryption for stand-alone devices in applications for telemedicine, biometric systems, military affairs, and others.

Declaration of Competing Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgement

This work was supported by the CONACYT, México under Research Grant 166654 (A1-S-31628). The authors would like to thank Altera company for the donation of the FPGA DE2-115 board by University Program.

Appendix A. Supplementary material

Supplementary data associated with this article can be found, in the online version, at https://doi.org/10.1016/j.aeue.2019.05.028.

References

[1] García-Martínez M, Campos-Cantón E. Pseudo-random bit generator based on multi-modal maps. Nonlinear Dyn 2015;82:2119–31. https://doi.org/10.1007/s11071-015-2303-y.
[2] Diab H. An efficient chaotic image cryptosystem based on simultaneous permutation and diffusion operations. IEEE Access 2018;6:42227–44. https://doi.org/10.1109/ACCESS.2018.2858839.
[3] Hua Z, Jin F, Xu B, Huang H. 2D Logistic-Sine-coupling map for image encryption. Signal Process 2018;149:148–61. https://doi.org/10.1016/j.sigpro.2018.03.010.
[4] Murillo-Escobar MA, Cruz-Hernández C, Abundiz-Pérez F, López-Gutiérrez RM, Acosta Del Campo OR. A RGB image encryption algorithm based on total plain image characteristics and chaos. Signal Process 2015;109:119–31. https://doi.org/10.1016/j.sigpro.2014.10.033.
[5] François M, Grosges T, Barchiesi D, Erra R. Pseudo-random number generator based on mixing of three chaotic maps. Commun Nonlinear Sci Numer Simulat 2014;19:887–95. https://doi.org/10.1016/j.cnsns.2013.08.032.
[6] Murillo-Escobar MA, Cruz-Hernández C, Cardoza-Avendaño L, Méndez-Ramírez R. A novel pseudorandom number generator based on pseudorandomly enhanced logistic map. Nonlinear Dyn 2017;87:407–25. https://doi.org/10.1007/s11071-016-3051-3.
[7] Wang Y, Liu Z, Ma J, He H. A pseudorandom number generator based on piecewise logistic map. Nonlinear Dyn 2016;83:2373–91. https://doi.org/10.1007/s11071-015-2488-0.
[8] Lambić D, Nikolic M. Pseudo-random number generator based on discrete-space chaotic map. Nonlinear Dyn 2017;90:223–32. https://doi.org/10.1007/s11071-017-3656-1.
[9] Rezk AA, Madian AH, Radwan AG, Soliman AM. Reconfigurable chaotic pseudo random number generator based on FPGA. AEU-Int J Electron C 2019;98:174–80. https://doi.org/10.1016/j.aeue.2018.10.024.
[10] Elmanfaloty RA, Abou-Bakr E. Random property enhancement of a 1D chaotic PRNG with finite precision implementation. Chaos Soliton Fract 2019;118:134–44. https://doi.org/10.1016/j.chaos.2018.11.019.
[11] De la Fraga LG, Torres-Pérez E, Tlelo-Cuautle E, Mancillas-López C. Hardware implementation of pseudo-random number generators based on chaotic maps. Nonlinear Dyn 2017;90:1661–70. https://doi.org/10.1007/s11071-017-3755-z.
[12] Madani M, Benkhaddra I, Tanougast C, Chitroub S, Sieler L. Digital implementation of an improved LTE stream cipher snow-3G based on hyperchaotic PRNG. Secur Commun Netw 2017;2017:1–15. https://doi.org/10.1155/2017/5746976.
[13] Oğras H, Türk M. FPGA implementation of a chaotic quadratic map for cryptographic applications. Turk J Sci Technol 2017;12:113–9.
[14] Tuncer T. The implementation of chaos-based PUF designs in field programmable gate array. Nonlinear Dyn 2016;86:975–86. https://doi.org/10.1007/s11071-016-2938-3.
[15] Garcia-Bosque M, Pérez-Resa A, Sánchez-Azqueta C, Aldea C, Celma S. Chaos-based bitwise dynamical pseudorandom number generator on FPGA. IEEE Trans Instrum Measur 2019;68:291–3.
[16] Thane A, Chaudhari R. Hardware Design and Implementation of Pseudorandom Number Generator Using Piecewise Linear Chaotic Map. 2018 International Conference on Advances in Computing, Communications and Informatics (ICACCI) IEEE 2018;456–459.
[17] Hénon M. A two-dimensional mapping with a strange attractor. Commun Math Phys 1976;50:69–77. https://doi.org/10.1007/BF01608556.
[18] Wolf A, Swift JB, Swinney HL, Vastano JA. Determining Lyapunov exponents from a time series. Physica 1985;16D(1985):285–317. https://chaos.utexas.edu/manuscripts/1085774778.pdf.
[19] Wolf A. Quantifying chaos with Lyapunov exponents. Princeton University Press 1986;Ch. 13:273–89.
[20] Sprott JC. Lyapunov exponents. Chaos and time-series analysis, cap. 5. Oxford University Press; 2003.
[21] Lambić D. Cryptanalyzing a novel pseudorandom number generator based on pseudorandomly enhanced logistic map. Nonlinear Dyn 2017;89:2255–7.
[22] Gottwald GA, Melbourne I. A new test for chaos in deterministic systems. Proceedings of the Royal Society of London A: Mathematical, Physical and Engineering Sciences. The Royal Society 2004;460:603–11.
[23] Rukhin A, Soto J, Nechvatal J, Smid M, Barker E, Leigh S, et al. A statistical test suite for random and pseudorandom number generators for cryptographic applications. NIST special publication 800-22; 2001.
[24] Alvarez G, Li S. Some basic cryptographic requirements for chaos-based cryptosystems. Int J Bifurcat Chaos 2006;16:2129–51.
[25] Wu Y, Noonan JP, Agaian S. NPCR and UACI randomness tests for image encryption. Cyber J: Multidiscipl J Sci Technol (J Select Areas Telecommun (JSAT)) 2011;1:31–8.