Journal of Network and Computer Applications 37 (2014) 282–292

Contents lists available at ScienceDirect

Journal of Network and Computer Applications

1084-80

http://d

n Corr

E-m

xiaole.fa

christop

qianxue

journal homepage: www.elsevier.com/locate/jnca

Suitability of chaotic iterations schemes using XORshiftfor security applications

Jacques M. Bahi, Xiaole Fang n, Christophe Guyeux, Qianxue Wang

University of Franche-Comte, FEMTO-ST Institute, UMR 6174 CNRS, Besanc-on, France

a r t i c l e i n f o

Article history:

Received 28 August 2012

Received in revised form

27 February 2013

Accepted 2 March 2013Available online 14 March 2013

Keywords:

Pseudorandom number generators

Chaotic sequences

Statistical tests

Discrete chaotic iterations

Information hiding

45/$ - see front matter & 2013 Elsevier Ltd. A

x.doi.org/10.1016/j.jnca.2013.03.001

esponding author. Tel.: þ33 381666948.

ail addresses: jacques.bahi@univ-fcomte.fr (J.M

ng@univ-fcomte.fr (X. Fang),

he.guyeux@univ-fcomte.fr (C. Guyeux),

.wang@univ-fcomte.fr (Q. Wang).

a b s t r a c t

The design and engineering of original cryptographic solutions is a major concern to provide secure

information systems. In a previous study, we have described a generator based on chaotic iterations,

which uses the well-known XORshift generator. By doing so, we have improved the statistical

performances of XORshift and make it behave chaotically, as defined by Devaney. The speed and

security of this former generator have been improved in a second study, to make its usage more

relevant in the Internet security context. In this paper, these contributions are summarized and a new

version of the generator is introduced. It is based on a new Lookup Table implying a large improvement

of speed. A comparison and a security analysis between the XORshift and these three versions of our

generator are proposed, and various new statistical results are given. Finally, an application in the

information hiding framework is presented, to give an illustrative example of the use of such a

generator in the Internet security field.

& 2013 Elsevier Ltd. All rights reserved.

1. Introduction

To use a pseudorandom number generator (PRNG) with a largelevel of security is it necessary to satisfy the Internet securityrequirements to support activities as e-Voting, information hiding,and the protection of intellectual property (Bahi and Guyeux, toappear; Liu et al., 2007; Yi and Okamoto, 2012). This level depends onthe proof of theoretical properties and results of numerous statisticaltests. Many PRNGs, based for instance on linear congruential methodsand feedback shift-registers (Knuth, 1998; L’ecuyer, 2008; Blaszczykand Guinee, 2009), have been proven to be secure, following aprobabilistic approach. More recently, several researchers haveexplored the idea of using chaotic dynamical systems to reinforcethe security of these important tools (Falcioni et al., 2005; Cecen et al.,2009; Li et al., 2001). But the number of generators claimed aschaotic, which actually have been proven to be unpredictable (as it isdefined in the mathematical theory of chaos) is very small.

This paper extends a study initiated in Bahi et al. (2009), Wanget al. (2010), and Bahi and Guyeux (2010), in which we tried to fillthis gap. In Bahi and Guyeux (2010), it is proven that chaoticiterations (CIs), a suitable tool for fast computing iterative algo-rithms, satisfy the topological chaotic property, as it is defined by

ll rights reserved.

. Bahi),

Devaney (1989). In Bahi et al. (2009) the chaotic behavior of CIsis exploited in order to obtain an unpredictable PRNG, whichdepends on two logistic maps. Lastly, in Wang et al. (2010), a newversion of this generator using decimations has been proposedand XORshift has replaced the logistic map. We have shown that,in addition to being chaotic, this generator can pass the NIST(National Institute of Standards and Technology of the U.S.Government) battery of tests (NIST Special Publication 800-22rev1a, 2010), widely considered as a comprehensive and stringentbattery of tests for cryptographic applications.

In this paper, a new version of this chaotic PRNG is introduced.It is based on a Lookup Table (LUT) method. After havingintroduced it, we will give a comparison of the speed, of thestatistical properties, and of the security for all of these generatorsbased on XORshift generator (Marsaglia, 2003). These resultsadded to its chaotic properties allow us to consider that thisnew generator has good pseudorandom characteristics and is ableto withstand attacks. After having presented the theoreticalframework of the study and a security analysis, we will givea comparison based on new statistical tests. Finally a concreteexample of how to use these pseudorandom numbers for infor-mation hiding through the Internet is detailed.

The remainder of this paper is organized in the following way.In Section 2, some basic definitions concerning chaotic iterationsand PRNGs are recalled. Then, the generator based on LUT discretechaotic iterations is presented in Section 3. In Section 4, varioustests are passed to make a statistical comparison between thisnew PRNG and other existing ones. In the next sections, a

J.M. Bahi et al. / Journal of Network and Computer Applications 37 (2014) 282–292 283

potential use of this PRNG in some Internet security field ispresented, namely in information hiding. The paper ends with aconclusion section where the contribution is summarized andintended future work is presented.

2. Review of basics

2.1. Notations

11;NU

-f1,2, . . . ,Ng Sn

- the nth term of a sequence S¼ ðS1,S2, . . .Þ

vi - the ith component of a vector: v¼ ðv1,v2, . . . ,vnÞ

fk

- kth composition of a function f

strategy

- a sequence which elements belong in 11;NU S - the set of all strategies

Ckn

- the binomial coefficient ðnkÞ ¼n!

k!ðn�kÞ!

4 - the bitwise exclusive or þ - the integer addition

5 and b

- the usual shift operators

ðX ,dÞ

- a metric space

bxc

- returns the highest integer smaller than x

n!

- the factorial n!¼ n� ðn�1Þ � � � � � 1

Nn

- the set of positive integers {1, 2, 3,y}

&

- the bitwise AND

2.2. Chaotic iterations

Definition 1. The set B denoting f0,1g, let f : BN�!BN be an

‘‘iteration’’ function and SAS be a chaotic strategy. Then, the so-called chaotic iterations are defined by Robert (1986)

x0ABN ,

8nANn, 8iA11;NU, xni ¼

xn�1i if Sna i

f ðxn�1ÞSn if Sn¼ i:

(8>><>>: ð1Þ

In other words, at the nth iteration, only the Sn-th cell is‘‘iterated’’. Note that in a more general formulation, Sn can be asubset of components and f ðxn�1ÞSn can be replaced by f ðxkÞSn , wherekon, describing for example delays transmission. For the generaldefinition of such chaotic iterations, see, e.g., Robert (1986).

Chaotic iterations generate a set of vectors (Boolean vectors inthis paper), they are defined by an initial state x0, an iterationfunction f and a chaotic strategy S.

Algorithm 1. An arbitrary round of the old CI(XORshift1,XORshift2) generator.

a’XORshift1ðÞ

m’a mod 2þc

while i¼ 0, . . . ,m

b’XORshift2ðÞ

S’b mod N

xS’xS

end whiler’x

Return r

2.3. Old CI(XORshift, XORshift) algorithm

The basic design procedure of the old CI generator (Bahi et al.,2009) is recalled in Algorithm 1. The internal state is x (N bits), the

output state is r (N bits), a and b are computed by two XORshiftgenerators. Finally, N and cZ3N are constants defined bythe user.

2.4. New CI(XORshift, XORshift) algorithm

Algorithm 2 summarizes (Wang et al., 2010) the basic designprocedure of the new generator. The internal state is x (a Booleanvector of size N), the output state is r (N bits). a and b are thosecomputed by the two XORshifts. The value f(a) is an integer,defined as in Eq. (2). Lastly, N is a constant defined by the user.

mn ¼ f ðynÞ ¼

0 if 0ryn

232o

C0N

2N

1 ifC0

N

2Nr

yn

232oP1

i ¼ 0

CiN

2N

2 ifP1

i ¼ 0

CiN

2Nr

yn

232oP2

i ¼ 0

CiN

2N

^ ^

N ifPN�1

i ¼ 0

CiN

2Nr

yn

232o1:

8>>>>>>>>>>>>>>>><>>>>>>>>>>>>>>>>:

ð2Þ

Algorithm 2. An arbitrary round of the new CI(XORshift1,XORshift2) generator.

1:

while i¼ 0, . . . ,N do 2: di’0 3: end while 4: a’XORshift1ðÞ 5: m’f ðaÞ

6:

k’m

7:

while i¼ 0, . . . ,K do 8: b’XORshift2ðÞmodN

9:

S’b

10:

if dS¼0 then 11: xS’xS

12:

dS’1 13: else if dS¼1 then 14: k’kþ1 15: end if 16: end while 17: r’x

18:

Return r

3. LUT CI(XORshift, XORshift) algorithms and example

3.1. Introduction

The LUT CI generator is an improved version of the new CIgenerator. The key-ideas are

�

To use a Lookup Table for a faster generation of strategies.These strategies satisfy the same property than the onesprovided by the decimation process. � And to use all the bits provided by the two inputted generators

(to discard none of them).

These key-ideas are put together by the following way.Let us firstly recall that in chaotic iterations, only the cells

designed by Sn-th are ‘‘iterated’’ at the nth iteration. Sn can beeither a component (i.e., only one cell is updated at each iteration,so SnA11;NU) or a subset of components (any number of cellscan be updated at each iteration, that is, Sn

�11;NU). The first

Table 1A LUT-1 table for N¼4.

bn 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

mn 0 1 1 1 1 2 2 2 2 2 2 3 3 3 3 4

J.M. Bahi et al. / Journal of Network and Computer Applications 37 (2014) 282–292284

kind of strategies is called ‘‘unary strategies’’ whereas the secondone is denoted by ‘‘general strategies’’. In the last case, each termSn of the strategy can be represented by an integer lower than 2N ,designed by Sn, for a system having N bits: the kth component ofthe system is updated at iteration number n if and only if the kthdigit of the binary decomposition of Sn is 1. For instance, let usconsider that Sn

¼ 5, and that we iterate on a system having 6 bits(N¼6). As the integer 5 has a binary decomposition equal to000101, we thus conclude that the cell numbers 1 and 3 will beupdated when the system changes its state from xn to xnþ1.In other words, in that situation, Sn

¼ 5A10,26�1U3 Sn

¼

f1,3g � 11,6U. To sum up, to provide a general strategy of11;NU is equivalent to give a unary strategy in 10;2N

�1U. Letus now take into account this remark.

Until now the proposed generators have been presented in thisdocument by using unary strategies (obtained by the firstinputted PRNG S) that are finally grouped by ‘‘packages’’ (the sizeof these packages is given by the second generator m): afterhaving used each term in the current package Smn

, . . . ,Smnþ 1�1, thecurrent state of the system is published as an output. Obviously,when considering the new CI version, these packages of unarystrategies defined by the couple ðS,mÞA11;NU� 10;NU corre-spond to subsets of 11;NU having the form fSmn

, . . . ,Smnþ 1�1g,

which are general strategies. As stated before, these lasts can berewritten as unary strategies that can be described as sequencesin 10;2N

�1U.The advantage of such an equivalency is to reduce the com-

plexity of the proposed PRNG. Indeed the new CI(S,m) generatorcan be written as

xn ¼ xn�14Sn, ð3Þ

where S is the unary strategy (in 10;2N�1U) associated to the

couple ðS,mÞA11;NU� 10,NU.The speed improvement is obvious, the sole issue is to under-

stand how to change (S, m) by S. The problem to consider is thatall the sequences of 10;2n

�1U are not convenient. Indeed, theproperties required for the couple (S, m) (S must not be uniformlydistributed, and a cell cannot be changed twice between twooutputs) must be translated into requirements for S if we wantto satisfy both speed and randomness. Such constrains are solvedby working on the sequence m and by using some well-definedLookup Tables presented in the following sections.

3.2. Sequence m

In order to improve the speed of the proposed generator,the first plan is to take the best usage of the bits generated by theinputted PRNGs. The problem is that the PRNG generating theintegers of mn does not necessary take its values into 10,NU,where N is the size of the system.

For instance, in the new CI generator presented previously, thissequence is obtained by a XORshift, which produces integersbelonging to 10,232

�1U. However, the iterated system has 4 cells(N¼4) in the example proposed previously thus, to define thesequence mn, we compute the remainder modulo 4 of eachinteger provided by the XORshift generator. In other words, onlythe last 4 bits of each 32 bits vector generated by the secondXORshift are used. Obviously this stage can be easily optimized,by splitting this 32-bits vector into 8 subsequences of 4 bits. Thus,a call of XORshift() will now generate 8 terms of the sequence m,instead of only one term in the former generator.

This common-sense action can be easily generalized to anysize Nr32 of the system by the procedure described in Algorithm3. The idea is simply to make a shift of the binary vector a

produced by the XORshift generator, by 0, N, 2N, . . . bits to theright, depending on the remainder c of n modulo bN=32c (that is,

abðN � cÞ), and to take the bits between the positions 32�N and32 of this vector (corresponding to the right part ‘‘&ð2N

�1Þ’’ of theformula). In that situation, all the bits provided by XORshift areused when N divide 32.

Algorithm 3. Generation of sequence bn.

1:

c¼ n modb32=Nc

2:

if c¼0 then 3: a’XORshiftðÞ

4:

end if 5: bn

’ðab ðN � cÞÞ&ð2N�1Þ

6:

Return bn

This Algorithm 3 produces a sequence ðbnÞnAN of integers

belonging to 10,2N�1U. It is now possible to define the sequence

m by adapting Eq. (2) as follows:

mn ¼ f ðbnÞ ¼

0 if 0rbnoC0N ,

1 if C0N rbno

P1i ¼ 0 Ci

N ,

2 ifP1

i ¼ 0 CiN rbno

P2i ¼ 0 Ci

N ,

^ ^

N ifPN�1

i ¼ 0 CiN rbno2N :

8>>>>>>><>>>>>>>:

ð4Þ

This common-sense measure can be improved another time ifN is not very large by using the first Lookup Table of thisdocument, which is called LUT-1. This improvement will be firstlyexplained through an example.

Let us consider that N¼4, so the sequence ðbnÞnAN belongs to

10,15U. The function f of Eq. (4) must translate each bn into aninteger mnA10,4U, in such a way that the non-uniformity exposedpreviously is respected. Instead of defining the function f analyti-cally, a table can be given containing all the images of the integersinto 10,15U (see Table 1 for instance). As stated before, thefrequencies of occurrence of the images 0, 1, 2, 3, and 4 must berespectively equal to C0

4=24, C14=24, C2

4=24, C34=24, and C4

4=24. Thisrequirement is equivalent to demand CN

i times the number i, whichcan be translated in terms of permutations. For instance, when N¼4,any permutation of the list [0, 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 3, 3, 3, 3, 4] isconvenient to define the image of [0, 1, 2,y, 14, 15] by f.

This improvement is implemented in Algorithm 4, whichreturns a table lut1 such that mn ¼ lut1½bn

�.

Algorithm 4. The LUT-1 table generation.

1:

i¼0 2: for j¼ 0 . . .N do 3: while ioCj

N do

4:

lut1½i� ¼ j

5:

i¼ iþ1 6: end while 7: end for 8: Return lut1

3.3. Defining the chaotic strategy S with a LUT

The definition of the sequence m allows to determine thenumber of cells that have to change between two outputs of theLUT CI generator. There are CN

m possibilities to change m bits in a

Table 2Results of DieHARD battery of tests.

No. Test name Generators

XORshift old CI new CI LUT CI

1 Overlapping Sum Pass Pass Pass Pass

2 Runs Up 1 Pass Pass Pass Pass

Runs Down 1 Pass Pass Pass Pass

Runs Up 2 Pass Pass Pass Pass

Runs Down 2 Pass Pass Pass Pass

3 3D Spheres Pass Pass Pass Pass

4 Parking Lot Pass Pass Pass Pass

5 Birthday Spacing Pass Pass Pass Pass

6 Count the ones 1 Pass Pass Pass Pass

7 Binary Rank 6�8 Pass Pass Pass Pass

8 Binary Rank 31�31 Pass Pass Pass Pass

9 Binary Rank 32�32 Pass Pass Pass Pass

10 Count the ones 2 Pass Pass Pass Pass

11 Bit Stream Pass Pass Pass Pass

12 Craps Wins Pass Pass Pass Pass

Throws Pass Pass Pass Pass

13 Minimum Distance Pass Pass Pass Pass

14 Overlapping Perm. Pass Pass Pass Pass

15 Squeeze Pass Pass Pass Pass

16 OPSO Pass Pass Pass Pass

17 OQSO Pass Pass Pass Pass

18 DNA Pass Pass Pass Pass

Number of tests passed 18 18 18 18

Table 3Example of a LUT for N¼4.

w m

m¼0 m¼1 m¼2 m¼3 m¼4

w¼0 0 1 3 7 15

w¼1 2 5 11

w¼2 4 6 13

w¼3 8 9 14

w¼4 10

w¼5 12

J.M. Bahi et al. / Journal of Network and Computer Applications 37 (2014) 282–292 285

vector of size N. As we have to choose between these CNm

possibilities, we thus introduce the following sequence:

wn ¼ XORshift2ðÞmodCmN ð5Þ

With this material it is now possible to define the LUT thatprovides convenient strategies to the LUT CI generator. If the sizeof the system is N, then this table has Nþ1 columns, numberedfrom 0 to N. The column number m contains CN

m values. All ofthese values have in common to present exactly m times the digit1 and N�m times the digit 0 in their binary decomposition. Theorder of appearance of these values in the column m has noimportance, the sole requirement is that no column contains asame integer twice. Let us remark that this procedure leads toseveral possible LUTs.

Algorithm 5. LUT21 procedure.

1:

Procedure LUT21(M,N,b,v,c) 2: count’c

3:

value’v

4:

if count¼ ¼M then 5: lut2½M�½num� ¼ value

6:

num¼ numþ1 7: else 8: for i¼ b . . .N do 9: value¼ valueþ2i

10:

count¼ countþ1 11: Call recurse LUT21(M,N,iþ1,value,count) 12: value¼v

13:

count¼c

14:

end for 15: end if 16: End Procedure

An example of such a LUT is shown in Table 3, when Algorithm6 gives a concrete procedure to obtain such tables. This proceduremakes recursive calls to the function LUT21 defined in Algorithm5. The LUT21 uses the following variables. b is used to avoid

overlapping computations between two recursive calls, v is tosave the sum value between these calls, and c counts the numberof cells that have already been processed. These parametersshould be initialized as 0. For instance, the LUT presented inTable 3 is the lut2 obtained in Algorithm 5 with N¼4.

Algorithm 6. LUT-2 generation.

1:

for i¼ 0 . . .N do 2: Call LUT21(i,N,0,0,0) 3: end for 4: Return lut2

3.4. LUT CI(XORshift, XORshift) algorithm

The LUT CI generator is defined by the following dynamicalsystem:

xn ¼ xn�14Sn: ð6Þ

where xOA10,2N�1 is a seed and Sn

¼ lut2½wn�½mn� ¼ lut2½wn�

½lut1½bn��, in which bn is provided by Algorithm 3 and

wn ¼ XORshift2ðÞmodCmN . An iteration of this generator is written

in Algorithm 7. Let us finally remark that the two inputtedXORshift can be replaced by any other operating PRNG.

Algorithm 7. LUT CI (XORshift,XORshift) algorithm

1:

c¼ n modb32=Nc

2:

if c¼0 then 3: a’XORshift1ðÞ 4: end if 5: bn

’ðab ðN � cÞÞ&ð2N�1Þ

6:

mn ¼ lut1½bn�

7:

dn¼ XORshift2ðÞ

8:

wn ¼ bn modCmN

9:

Sn¼ lut2½m�½w�

10:

x¼ x4Sn

11:

Return x

3.5. LUT CI(XORshift, XORshift) example of use

In this example, N¼4 is chosen another time for easy under-standing. As before, the initial state of the system x0 can be seededby the decimal part t of the current time. With the same currenttime as in the examples exposed previously, we have x0 ¼ ð0,1,0,0Þ (or x0 ¼ 4).

Algorithm 4 provides the LUT-1 depicted in Table 1. The firstXORshift generator has returned y¼ 0,11,7,2,10,4,1,0,3,9, . . .. Byusing this LUT, we obtain m¼ 0,3,2,1,2,1,1,0,1,2, . . .. Then theAlgorithm 6 is computed, leading to the LUT-2 given by Table 3.

So chaotic iterations of Algorithm 7 can be realized, to obtainin this example 0100100101010001y or 4, 9, 5, 1y

J.M. Bahi et al. / Journal of Network and Computer Applications 37 (2014) 282–292286

4. Statistical analysis

In order to make a fair comparison, we decided to choose thebest parameters for each generator. According to the experiments,these values are N¼4 for the old CI, N¼32 for the new one, andfinally N¼8 for the LUT CI generator (see Sections IV-A, IV-B, andIV-C respectively) (Table 4).

4.1. NIST

In our experiments, 100 sequences (s¼100) of 1,000,000 bitsare generated and tested. If the value PT of any test is smallerthan 0.0001, the sequences are considered to be not good enoughand the generator is unsuitable. Table 5 shows PT of sequencesbased on discrete chaotic iterations using different schemes. Ifthere are at least two statistical values in a test, this test ismarked with an asterisk and the average value is computed tocharacterize the statistics. We can see in Table 5 that old, new,and LUT CI(XORshift, XORshift) generators have successfullypassed the NIST statistical test suite. In particular, the score ofthe XORshift generator is better when this last is embedded intoany of the three proposed scheme (indeed, XORshift alone failsone of the NIST tests).

4.2. Diehard

Table 2 gives the results derived from applying the DieHARDbattery (Marsaglia, 1996) of tests to the PRNGs considered in thiswork. As it can be observed, all the generator presented in thisdocument can pass the DieHARD battery of tests.

Table 4Example of a LUT CI(XORshift, XORshift) generation.

m 0 3 2 1

c 0 2 5 2

S 0 13 12 4

x0 x0 x1 x2 x3

0 0 1 0 0

1 1 0 1 0

0 0 0 0 0

0 0 1 1 1

Binary Output: x01x0

2x03x0

4x11x1

2x13x1

4x21x2

2 . . . ¼ 0100100101010001 . . .

Integer Output: x0 ,x1 ,x2 ,x3 . . . ¼ 4,11,8,1 . . .

Table 5NIST SP 800-22 test results (PT ).

Method XORshift

Frequency (Monobit) 0.779188

Frequency within a block 0.779188

Runs 0.514124

Longest run of ones in a block 0.883171

Binary matrix rank 0.851383

Discrete Fourier transform (Spectral) 0.834308

Non-overlapping template matchingn 0.506389

Overlapping template matching 0.534146

Maurer universal statistical 0.366918

Linear complexity 0.275709

Serialn (m¼10) 0.328499

Approximate entropy (m¼10) 0.000000

Cumulative sums (Cusum)n 0.720350

Random excursionsn 0.396803

Random excursions variantn 0.576643

Success 14/15

4.3. Comparative test parameters

We show in Table 6 a comparison in comparative test parameters(Wang et al., 2010) among the generators LUT CI(XORshift, XORshift),New CI(XORshift, XORshift), their old version: Old CI(XORshift, XOR-shift) and a PRNG based on a simple XORshift. Time (in seconds) isrelated to the duration needed by each algorithm to generate a 2�108 bits long sequence. The test has been conducted using the samecomputer and compiler with the same optimization settings for bothalgorithms, in order to make it as fair as possible. The results confirmthat the proposed LUT CI is the fastest CI PRNG, while the statisticalresults are better for most of the parameters, leading to the conclu-sion that this new PRNGs is more secure than the other ones.

In addition, a comparison of overall stability from 5� 104 to8� 105 for these generators has been given in Fig. 1. It can beseen that LUT CI and new CI are dominant in all, especially whenthe sequences are very long.

4.4. Varying the output size

The size of the outputs (N, in number of bits) produced by eachof the proposed generators only depends on the size of the initialstate x0. Moreover, as the ‘‘CI process’’ is fundamentally a nega-tion of bits, the size of the system does not really impact thespeed of these PRNGs, at least for reasonable values of N. Asvarious N values can be relevant, depending on the application,we thus investigate whether the statistical performances of the CIgenerators are impacted when N changes.

We can show in Table 7 that, for the three CI generators,various N leads to success for both the NIST and DIEHARD tests.Concerning the whole TestU01 (Simard and Montral, 2002),various consequences can be dressed. Firstly, the LUT CI generatoris unsuitable for N¼32, due to its too large consumption ofmemory resources when generating and using the LUTs. Secondly,this last generator is the only one capable to pass the whole

Old CI New CI LUT CI

0.145326 0.719747 0.657933

0.028817 0.071177 0.719747

0.739918 0.911413 0.224821

0.554420 0.779188 0.494392

0.236810 0.924076 0.023545

0.514124 0.911413 0.514124

0.512363 0.501621 0.437726

0.595549 0.275709 0.017912

0.122325 0.419021 0.897763

0.249284 0.779188 0.678686

0.495847 0.933624 0.444265

0.051942 0.262249 0.319084

0.074404 0.368618 0.171384

0.507812 0.518462 0.356105

0.289594 0.548078 0.587062

15/15 15/15 15/15

Table 6

Comparison between the presented PRNGs for a 2� 108 bits sequence.

Methods XORshift Old CI New CI LUT CI

Monobit 0.6055 0.5689 0.0029 0.0471

Serial 0.7021 1.5765 0.3845 0.2232

Poker 7.957 6.3683 5.882 5.166

RunS 26.1022 28.4237 24.8094 21.9861

Autocorrelation 1.1628 0.3403 1.4220 0.4410

Time 9.33 s 49.55 s 28.82 s 11.24 s

Fig. 1. Overall sequence stability comparison.

J.M. Bahi et al. / Journal of Network and Computer Applications 37 (2014) 282–292 287

TestU01 with only N¼4 cells. Finally, all the proposed generatorshave better scores than the XORshift they use.

4.5. Devaney’s chaos property

Generally, the quality of a PRNG depends, to a large extent, on thefollowing criteria: randomness, uniformity, independence, storageefficiency, and reproducibility. A chaotic sequence may satisfy theserequirements and also other chaotic properties, as ergodicity, entropy,and expansivity. A chaotic sequence is extremely sensitive to theinitial conditions. That is, even a minute difference in the initial stateof the system can lead to enormous differences in the final state, evenover fairly small timescales. Therefore chaotic sequences fit therequirements of pseudorandom sequences well. Contrary to XORshift,our generator possesses these chaotic properties (Bahi and Guyeux,2010; Bahi et al., 2009). However, despite a large number of paperspublished in the field of chaos-based pseudorandom generators, theimpact of this research is rather marginal. This is due to the followingreasons: almost all PRNG algorithms using chaos are based ondynamical systems defined on continuous sets (e.g., the set of realnumbers). So these generators are usually slow, requiring consider-ably more storage space and lose their chaotic properties duringcomputations. These major problems restrict their usage as genera-tors (Kocarev, 2001).

In this paper we do not simply integrate chaotic maps hopingthat the implemented algorithm remains chaotic. Indeed, thePRNG we conceive is just discrete chaotic iterations and we haveproven in Bahi and Guyeux (2010) that these iterations producea topological chaos as defined by Devaney: they are regular,transitive, and sensitive to initial conditions. This famous defini-tion of a chaotic behavior for a dynamical system impliesunpredictability, mixture, sensitivity, and uniform repartition.Moreover, as only integers are manipulated in discrete chaoticiterations, the chaotic behavior of the system is preserved duringcomputations, and these computations are fast.

5. Application example in digital watermarking

Information hiding has recently become a major informationsecurity technology, especially with the increasing importance

and widespread distribution of digital media through the InternetWu et al. (2007). It includes several techniques like digital water-marking. The aim of digital watermarking is to embed a piece ofinformation into digital documents, such as pictures or movies.This is for a large panel of reasons, such as, copyright protection,control utilization, data description, content authentication, anddata integrity. For these reasons, many different watermarkingschemes have been proposed in recent years. Digital watermark-ing must have essential characteristics, including security, imper-ceptibility, and robustness. Chaotic methods have been proposedto encrypt the watermark before embedding it in the carrier imagefor these security reasons. In this paper, a watermarking algorithmbased on the chaotic PRNG presented above is given, as anillustration of the use of this family of CI PRNG.

5.1. Most and least significant coefficients

Let us first introduce the definitions of most and leastsignificant coefficients.

Definition 2. For a given image, the most significant coefficients(in short MSCs), are the coefficients that allow the description ofthe relevant part of the image, i.e. its richest part (in terms ofembedding information), through a sequence of bits.

For example, in a spatial description of a grayscale image, adefinition of MSCs can be the sequence constituted by the firstthree bits of each pixel as shown in Fig. 2(b). In a discrete cosinefrequency domain description, each 8�8 block of the carrierimage is mapped to a list of 64 coefficients. The energy of theimage is contained in the first of them. After binary conversion,the first fourth coefficients of all these blocks can constitute apossible sequence of MSCs.

Definition 3. By least significant coefficients (LSCs), we mean atranslation of some insignificant parts of a medium in a sequenceof bits (insignificant can be understand as: ‘‘which can be alteredwithout sensitive damages’’).

These LSCs can be for example, the last three bits of the graylevel of each pixel, in the case of a spatial domain watermarkingof a grayscale image, as in Fig. 2(c).

Table 7TestU01 statistical test.

PRNG Battery Parameters Statistics N¼4 N¼8 N¼16 N¼32

SingleXORshift

Rabbit 32� 109

bits

40 – – – 3

Alphabit 32� 109

bits

17 – – – 0

Pseudo

DieHARD

Standard 126 – – – 3

FIPS_140_2 Standard 16 – – – 0

Small crush Standard 15 – – – 1

Crush Standard 144 – – – 29

Big crush Standard 160 – – – 44

Number of

failures

518 – – – 80

Old CI Rabbit 32� 109

bits

40 1 2 2 3

Alphabit 32� 109

bits

17 0 0 2 2

Pseudo

DieHARD

Standard 126 0 0 0 0

FIPS_140_2 Standard 16 0 0 0 0

Small crush Standard 15 0 0 1 0

Crush Standard 144 2 9 16 46

Big crush Standard 160 3 18 30 78

Number of

failures

518 6 29 51 129

New CI Rabbit 32� 109

bits

40 0 0 0 0

Alphabit 32� 109

bits

17 0 0 0 0

Pseudo

DieHARD

Standard 126 2 0 0 0

FIPS_140_2 Standard 16 0 0 0 0

Small crush Standard 15 0 0 0 0

Crush Standard 144 0 0 0 0

Big crush Standard 160 0 0 0 0

Number of

failures

518 2 0 0 0

LUT CI Rabbit 32� 109

bits

40 0 0 0 –

Alphabit 32� 109

bits

17 0 0 0 –

Pseudo

DieHARD

Standard 126 0 0 0 –

FIPS_140_2 Standard 16 0 0 0 –

Small crush Standard 15 0 0 0 –

Crush Standard 144 0 0 0 –

Big crush Standard 160 0 0 0 –

Number of

failures

518 0 0 0 –

J.M. Bahi et al. / Journal of Network and Computer Applications 37 (2014) 282–292288

Discrete cosine, Fourier, and wavelet transform can be used todefine LSCs and MSCs, in the case of frequency domain water-marking, among other possible choices. Moreover, these defini-tions are not limited to image media, but can easily be extendedto the audio and video media as well.

LSCs are used during the embedding stage: some of the leastsignificant coefficients of the carrier image will be chaotically chosenand replaced by the bits of the mixed watermark. With a largenumber of LSCs, the watermark can be inserted more than once andthus the embedding will be more secure and robust, but also moredetectable.

The MSCs are only useful in the case of authentication:encryption and embedding stages depend on them. Hence, acoefficient should not be defined at the same time, as a MSCand a LSC, the last can be altered, while the first is needed toextract the watermark.

5.2. Stages of the algorithm

Our watermarking scheme consists of two stages: (1) mixtureof the watermark and (2) its embedding.

5.2.1. Watermark mixture

Firstly, for safety reasons, the watermark can be mixed beforeits embedding into the image. A common way to achieve thisstage is to use the bitwise exclusive or (XOR), for example,between the watermark and the above PRNG. In this paper, wewill use another mixture scheme based on chaotic iterations. Itschaotic strategy, defined with our PRNG, will be highly sensitiveto the MSCs, in the case of an authenticated watermark, as statedin Bahi and Guyeux (2010).

5.2.2. Watermark embedding

Some LSCs will be substituted by all bits of the possibly mixedwatermark. To choose the sequence of LSCs to be altered, anumber of integers, less than or equal to the number N of LSCscorresponding to a chaotic sequence ðUk

Þk, is generated from thechaotic strategy used in the mixture stage. Thus, the Uk-th leastsignificant coefficient of the carrier image is substituted by thekth bit of the possibly mixed watermark. In the case of authenti-cation, such a procedure leads to a choice of the LSCs which arehighly dependent on the MSCs. For the detail of this stage seeSection 6.1.2.

5.2.3. Extraction

The chaotic strategy can be regenerated, even in the case of anauthenticated watermarking because the MSCs have not beenchanged during the stage of embedding the watermark. Thus, thefew altered LSCs can be found, the mixed watermark can then berebuilt, and the original watermark can be obtained. If thewatermarked image is attacked, then the MSCs will change.Consequently, in the case of authentication and due to the highsensitivity of the embedding sequence, the LSCs designed toreceive the watermark will be completely different. Hence, theresult of the recovery will have no similarity with the originalwatermark: authentication is reached.

6. Evaluation of the proposed scheme

In this section, a complete application example of the abovechaotic watermarking method is given and its robustness to someattacks is studied. This case study enables us to precise the detailsof the algorithm and evaluate it.

6.1. Stages and details

6.1.1. Images description

Carrier image is Lena, a 256 grayscale image of size 256�256(see Fig. 2(a)). The watermark is the 64�64 pixels binary imagedepicted in Fig. 3(a). The embedding domain will be the spatialdomain. The selected MSCs are the four most significant bits ofeach pixel and the LSCs are the three last bits (a given pixel will atmost be modified of four levels of gray by an iteration). Before itsembedment, the watermark is mixed with chaotic iterations.The system to iterate chaotic strategy Sn and iterate function aredefined below.

6.1.2. Embedding of the watermark

To embed the watermark, the sequence ðUkÞkAN of altered bits

taken from the M LSCs must be defined. To do so, the strategy

Fig. 3. Watermarked Lena and differences. (a) Watermark, (b) Watermarked Lena,

(c) Differences with original.

Fig. 2. Spatial MSCs and LSCs of Lena. (a) Lena, (b) MSCs of Lena and (c) LSCs of Lena.

J.M. Bahi et al. / Journal of Network and Computer Applications 37 (2014) 282–292 289

ðSkÞkAN of the encryption stage is used as follows:

U0¼ S0

Unþ1¼ Snþ1

þ2� Unþnðmod MÞ

(ð7Þ

to obtain the result depicted in Fig. 4(b). The map y/2y of thetorus, which is a famous example of topological Devaney’s chaos

(Devaney, 1989), has been chosen to make ðUkÞkAN highly

sensitive to the chaotic strategy ðSkÞkAN. As a consequence,

ðUkÞkAN is highly sensitive to the alteration of the MSCs. In case

of authentication, any significant modification of the water-marked image will lead to a completely different extractedwatermark.

6.2. Robustness results

To prove the efficiency and the robustness of the proposedalgorithm, some attacks are applied to our chaotically water-marked image. For each attack, a similarity percentage with theoriginal watermark is computed. This percentage is the number ofequal bits between the original and the extracted watermark,shown as a percentage. A result less than or equal to 50% impliesthat the image has probably not been watermarked.

6.2.1. Cropping attack

In this kind of attack, a watermarked image is cropped. In thiscase, the results in Table 8 have been obtained. In Fig. 4, thedecrypted watermarks are shown after a crop of 50 pixels andafter a crop of 10 pixels, in the authentication case.

By analyzing the similarity percentage between the originaland the extracted watermark, we can conclude that in the case ofunauthentication, the watermark still remains after a croppingattack. The desired robustness is reached. It can be noticed thatcropping sizes and percentages are rather proportional. In thecase of authentication, even a small change of the carrier image(a crop by 10�10 pixels) leads to a really different extractedwatermark. In this case, any attempt to alter the carrier imagewill be signaled, thus the image is well authenticated.

Table 8Robustness again attacks.

Attacks UNAUTHENTICATION AUTHENTICATION

Cropping Size (pixels) Similarity (%) Size (pixels) Similarity (%)

10 99.48 10 49.68

50 97.63 50 54.54

100 91.31 100 52.24

200 68.56 200 51.87

Rotation Angle (1) Similarity (%) Angle (1) Similarity (%)

2 97.41 2 70.01

5 94.67 5 59.47

10 91.30 10 54.51

25 80.85 25 50.21

JPEG compression Compression Similarity (%) Compression Similarity (%)

2 82.95 2 54.39

5 65.23 5 53.46

10 60.22 10 50.14

20 53.17 20 48.80

Gaussian noise Standard dev. Similarity (%) Standard dev. Similarity (%)

1 74.26 1 52.05

2 63.33 2 50.95

3 57.44 3 49.65

Fig. 4. Extracted watermark after a cropping attack (zoom �2). (a) Unauthentication (10�10), (b) Authentication (10�10) and (c) Unauthentication (50�50).

J.M. Bahi et al. / Journal of Network and Computer Applications 37 (2014) 282–292290

6.2.2. Rotation attack

Let ry be the rotation of angle y around the center ð128,128Þof the carrier image. So, the transformation r�yJry is applied tothe watermarked image. The results in Table 8 have beenobtained. The same conclusion as above can be declaimed.

6.2.3. JPEG compression

A JPEG compression is applied to the watermarked image,depending on a compression level. This attack leads to a change ofthe representation domain (from spatial to DCT domain). In thiscase, the results in Table 8 have been obtained, illustrating a goodauthentication through JPEG attack. As for the unauthenticationcase, the watermark still remains after a compression level equalto 10. This is a good result if we take into account the fact that weuse spatial embedding.

6.2.4. Gaussian noise

A watermarked image can be also attacked by the addition of aGaussian noise, depending on a standard deviation. In this case,the results in Table 8 are obtained.

6.3. Security study of the proposed information hiding scheme

For the sake of completeness, and to show the effectiveness ofthe method, we will now introduce two other strategies different

from the one given in Eq. (7). The proposed scheme will berewritten too, in order to give a more theoretical evaluation of thesecurity of the proposed information hiding algorithm.

6.3.1. Reformulation of the scheme

Let us consider the phase space X ¼11;NUN�BN and the

map Gf ðS,EÞ ¼ ðsðSÞ,Ff ðiðSÞ,EÞÞ, where s is defined bys : ðSn

ÞnANAS-ðSnþ1ÞnANAS, and i is the map i : ðSn

ÞnANAS-

S0A11;NU. Using this rewriting of the chaotic iterations pre-sented previously, let

�

ðK ,NÞA ½0;1� �N be an embedding key, � XABN be the N least significant coefficients (LSCs) of a given

cover media C,

� ðSn

ÞnANA11,NUN be a strategy, which depends on the mes-sage to hide MA ½0;1� and K,

� f 0 : B

N-BN be the vectorial logical negation.

So the watermarked media is C whose LSCs are replaced byYK ¼ XN , where Friot et al. (2011)

X0¼ X

8noN, Xnþ1¼ Gf 0

ðXnÞ:

(

J.M. Bahi et al. / Journal of Network and Computer Applications 37 (2014) 282–292 291

6.3.2. New examples of strategies

CIIS strategy. Let us first introduce the Piecewise Linear ChaoticMap (PLCM, see Shujun et al., 2001), defined by

Definition 4 (PLCM).

Fðx,pÞ ¼

x=p if xA ½0; p�

ðx�pÞ=ð12�pÞ if xA ½p; 12�

Fð1�x,pÞ else,

8><>:

where pA �0; 12 ½ is a ‘‘control parameter’’. Then, we can define the

general term of the strategy ðSnÞn in Chaotic Iterations with

Independent Strategy (CIIS) setup by the following expression:Sn¼ N� Kn� �

þ1, where

pA ½0; 12�

K0¼M � K

Knþ1¼ FðKn,pÞ, 8nrN0

8>>>><>>>>:in which � denotes the bitwise exclusive or (XOR) between twofloating part numbers (i.e., between their binary digits represen-tation). Lastly, to be certain to enter into the chaotic regime ofPLCM (Shujun et al., 2001), the strategy can be preferably definedby Sn

¼ bN� KnþDcþ1, where DAN large enough: we thus iterate

the PLCM a certain number of times before taking terms of thestrategy.CIDS strategy. The same notations as above are used. We defineChaotic Iterations with Dependent Strategy (CIDS) strategy asfollows: 8krN,

�

if krN and Xk¼1, then Sk

¼ k,

� else Sk

¼1.

In this situation, if NZN, then only two watermarked contentsare possible with the scheme proposed previously, namelyYK ¼ ð0,0, . . . ,0Þ and YK ¼ ð1,0, . . . ,0Þ. Indeed, in CIIS, the strategyis independent from the cover media X, whereas in CIDS thestrategy will be dependent on X.

6.3.3. Evaluation of the stego-security

Let K be the set of embedding keys, p(X) the probabilisticmodel of N0 initial host contents, and pðY9K1Þ the probabilisticmodel of N0 watermarked contents. We suppose that each hostcontent has been watermarked with the same key K1 and thesame embedding function e.

Definition 5. The embedding function e is stego-secure if andonly if Cayre et al. (2008): 8K1AK,pðY9K1Þ ¼ pðXÞ.

Let us now study the stego-security of the scheme. We willprove that,

Proposition 1. The information hiding scheme using the CIIS

strategy is stego-secure,whereas CIDS is not stego-secure.

Proof. Let us suppose that X UðBNÞ in a CIIS setup. We will

prove by a mathematical induction that 8nAN, XnUðBN

Þ. Thebase case is immediate,as X0

¼ X UðBNÞ. Let us now suppose

that the statement XnUðBN

Þ holds for some n. Let eABN andBk ¼ ð0, . . . ,0,1,0, . . . ,0ÞABN (the digit 1 is in position k). SoPðXnþ1

¼ eÞ ¼PN

k ¼ 1 PðXn¼ eþBk,Sn

¼ kÞ: These two events areindependent in CIIS setup,thus: PðXnþ1

¼ eÞ ¼PN

k ¼ 1 PðXn¼ eþ

BkÞ� PðSn¼ kÞ. According to the inductive hypothesis:

PðXnþ1¼ eÞ ¼ ð1=2N

ÞPN

k ¼ 1 PðSn¼ kÞ. The set of events fSn

¼ kg for

kA11;NU is a partition of the universe of possible, soPN

k ¼ 1

PðSn¼ kÞ ¼ 1.

Finally, PðXnþ1¼ eÞ ¼ 1=2N ,which leads to Xnþ1

UðBNÞ. This

result is true 8nAN,we thus have proven that,

8KA ½0;1�,YK ¼ XN0 UðBNÞ when X UðBN

Þ,

which concludes the first claim of the proposition. Let us now

prove the second part of it.

Due to the definition of CIDS, we have PðYK ¼ ð1,1, . . . ,1ÞÞ ¼ 0. So

there is no uniform repartition for the stego-contents YK. &

7. Conclusion and future work

In this paper, the pseudorandom generator proposed in ourprevious works has been improved in terms of speed andrandomness. By using some well-defined Lookup Tables and dueto a rewrite of the way to generate strategies, the generator basedon chaotic iterations works faster and is more secure. The speedand randomness of this new LUT CI PRNG has been compared toits former versions and to XORshift. This comparison shows thatLUT CI(XORshift, XORshift) offers a sufficient speed and level ofsecurity for a whole range of Internet usages as cryptography anddata hiding. This generator has been used to develop a scheme inthe information hiding domain, whose robustness and securityhas been detailed in the previous section. Further readings aboutthe security of such a chaos-based watermarking scheme can befound in, e.g., Bahi et al. (2011, 2012).

In future work, we will continue to explore new strategies anditeration functions. Its chaotic behavior will be deepened by usingthe various tools provided by the mathematical theory of chaos.New statistical tests will be used to compare this PRNG to existingones. Additionally a probabilistic study of its security will bedone. Lastly, new applications in computer science will beproposed, especially in the Internet security field.

References

Bahi JM, Guyeux C. A new chaos-based watermarking algorithm. In: SECRYPT2010, International conference on security and cryptography, Athens, Greece.p. 1–4, to appear.

Bahi JM, Guyeux C. Topological chaos and chaotic iterations, application to hashfunctions. In: WCCI’10, IEEE world congress on computational intelligence.Barcelona, Spain: IEEE; Jul. 2010. p. 1–7.

Bahi J, Guyeux C, Wang Q. A novel pseudo-random generator based on discretechaotic iterations. In: INTERNET’09, 1-st international conference on evolvinginternet, Cannes, France; Aug. 2009. p. 71–6. [Online]. Available: /http://dx.doi.org/10.1109/INTERNET.2009.18S.

Bahi J, Couchot J-F, Guyeux C. Steganography: a class of algorithms having secureproperties. In: IIH-MSP-2011, 7-th international conference on intelligentinformation hiding and multimedia signal processing, Dalian, China; Oct.2011. p. 109–12.

Bahi J, Friot N, Guyeux C. Lyapunov exponent evaluation of a digital watermarkingscheme proven to be secure. In: IIH-MSP’2012, 8-th international conferenceon intelligent information hiding and multimedia signal processing. Piraeus-Athens, Greece: IEEE Computer Society; Jul. 2012. p. 359–62. [Online].Available: /http://dx.doi.org/10.1109/IIH-MSP.2012.93S.

Blaszczyk M, Guinee R. Experimental validation of a true random binary digitgenerator fusion with a pseudo random number generator for cryptographicmodule application. In: IET conference publications, vol. 2009, no. CP559;2009. p. 31. [Online]. Available: /http://link.aip.org/link/abstract/IEECPS/v2009/iCP559/p31/s1S.

Cayre F, Fontaine C, Furon T. Kerckhoffs-based embedding security classes forWOA data hiding. IEEE Transactions on Information Forensics and Security2008;3(1):1–15.

Cecen S, Demirer RM, Bayrak C. A new hybrid nonlinear congruential numbergenerator based on higher functional power of logistic maps. Chaos, Solitonsand Fractals 2009;42:847–53.

Devaney RL. An introduction to chaotic dynamical systems. 2nd ed. Redwood City:Addison-Wesley; 1989.

Falcioni M, Palatella L, Pigolotti S, Vulpiani A. Properties making a chaotic system agood pseudo random number generator, arXiv, vol. nlin/0503035, 2005.

Friot N, Guyeux C, Bahi J. Chaotic iterations for steganography—stego-security andchaos-security. In: Lopez J, Samarati P, editors, SECRYPT’2011, international

J.M. Bahi et al. / Journal of Network and Computer Applications 37 (2014) 282–292292

conference on security and cryptography. SECRYPT is part of ICETE—theinternational joint conference on e-business and telecommunications. Sevilla,Spain: SciTePress; Jul. 2011. p. 218–27.

Knuth DE. The art of computer programming, volume 2: seminumerical algo-rithms, reading, mass. 3rd ed. Addison-Wesley; 1998.

Kocarev L. Chaos-based cryptography: a brief overview. IEEE Circuits and SystemsMagazine 2001;7:6–21.

L’ecuyer P. Comparison of point sets and sequences for quasi-Monte Carlo and forrandom number generation. In: SETA 2008, vol. LNCS 5203; 2008. p. 1–17.

Li SJ, Mou XQ, Cai YL. Pseudo-random bit generator based on couplechaotic systems and its applications in stream-cipher cryptography. In:Proceedings of second international conference on cryptology, vol. 2247;2001. p. 316–29.

Liu S, Yao H, Gao W, Liu Y. An image fragile watermark scheme based on chaoticimage pattern and pixel-pairs. Applied Mathematics and Computation2007;185:869–82.

Marsaglia G. Diehard: a battery of tests of randomness. [Online]. 1996 Available:/http://stat.fsu.edu/geo/diehard.htmlS.

Marsaglia G. Xorshift RNGs. Journal of Statistical Software 2003;8(14):1–6.

NIST Special Publication 800-22 rev1a, A statistical test suite for random andpseudorandom number generators for cryptographic applications; April 2010.

Robert F. Discrete iterations. A metric study, vol. 6. Mathematics: Springer Seriesin Computational; 1986.

Shujun J, Qi L, Wenmin L, Xuanqin M, Yuanlong C. Statistical properties of digitalpiecewise linear chaotic maps and their roles in cryptography and pseudo-random coding. In: Proceedings of the eighth IMA international conference oncryptography and coding, vol. 1; 2001. p. 205–21.

Simard R, Montral UD. Testu01: a software library in ANSI C for empirical testingof random number generators. software users guide; 2002.

Wang Q, Bahi JM, Guyeux C, Fang X. Randomness quality of CI chaotic generators.application to internet security. In: INTERNET’2010. The second internationalconference on evolving internet. Valencia, Spain: IEEE section ESPANIA; Sep.2010. p. 125–30.

Wu X, Guan Z. A novel digital watermark algorithm based on chaotic maps.Physical Letters A 2007;365:403–6.

Yi X, Okamoto E. Practical internet voting system, Journal of Network andComputer Applications, no. 0; 2012. [Online]. Available: /http://www.sciencedirect.com/science/article/pii/S108480451200135XS.