Journal of Network and Computer Applications 37 (2014) 282–292
Suitability of chaotic iterations schemes using XORshift for security applications
Jacques M. Bahi, Xiaole Fang *, Christophe Guyeux, Qianxue Wang
University of Franche-Comté, FEMTO-ST Institute, UMR 6174 CNRS, Besançon, France
Article info
Article history:
Received 28 August 2012
Received in revised form 27 February 2013
Accepted 2 March 2013
Available online 14 March 2013
Keywords:
Pseudorandom number generators
Chaotic sequences
Statistical tests
Discrete chaotic iterations
Information hiding
1084-8045/$ - see front matter © 2013 Elsevier Ltd. All rights reserved.
http://dx.doi.org/10.1016/j.jnca.2013.03.001
* Corresponding author. Tel.: +33 381666948.
Abstract
The design and engineering of original cryptographic solutions is a major concern to provide secure
information systems. In a previous study, we have described a generator based on chaotic iterations,
which uses the well-known XORshift generator. By doing so, we have improved the statistical
performances of XORshift and made it behave chaotically, as defined by Devaney. The speed and
security of this former generator have been improved in a second study, to make its usage more
relevant in the Internet security context. In this paper, these contributions are summarized and a new
version of the generator is introduced. It is based on a new Lookup Table implying a large improvement
of speed. A comparison and a security analysis between the XORshift and these three versions of our
generator are proposed, and various new statistical results are given. Finally, an application in the
information hiding framework is presented, to give an illustrative example of the use of such a
generator in the Internet security field.
© 2013 Elsevier Ltd. All rights reserved.
1. Introduction
Using a pseudorandom number generator (PRNG) with a high level of security is necessary to satisfy the Internet security requirements that support activities such as e-Voting, information hiding, and the protection of intellectual property (Bahi and Guyeux, to appear; Liu et al., 2007; Yi and Okamoto, 2012). This level depends on the proof of theoretical properties and on the results of numerous statistical tests. Many PRNGs, based for instance on linear congruential methods and feedback shift-registers (Knuth, 1998; L'Ecuyer, 2008; Blaszczyk and Guinee, 2009), have been proven to be secure, following a probabilistic approach. More recently, several researchers have explored the idea of using chaotic dynamical systems to reinforce the security of these important tools (Falcioni et al., 2005; Cecen et al., 2009; Li et al., 2001). But the number of generators claimed as chaotic, which actually have been proven to be unpredictable (as it is defined in the mathematical theory of chaos), is very small.
This paper extends a study initiated in Bahi et al. (2009), Wang et al. (2010), and Bahi and Guyeux (2010), in which we tried to fill this gap. In Bahi and Guyeux (2010), it is proven that chaotic iterations (CIs), a suitable tool for fast computing iterative algorithms, satisfy the topological chaotic property, as it is defined by Devaney (1989). In Bahi et al. (2009) the chaotic behavior of CIs is exploited in order to obtain an unpredictable PRNG, which depends on two logistic maps. Lastly, in Wang et al. (2010), a new version of this generator using decimations has been proposed and XORshift has replaced the logistic map. We have shown that, in addition to being chaotic, this generator can pass the NIST (National Institute of Standards and Technology of the U.S. Government) battery of tests (NIST Special Publication 800-22 rev1a, 2010), widely considered as a comprehensive and stringent battery of tests for cryptographic applications.
In this paper, a new version of this chaotic PRNG is introduced. It is based on a Lookup Table (LUT) method. After having introduced it, we will give a comparison of the speed, of the statistical properties, and of the security for all of these generators based on the XORshift generator (Marsaglia, 2003). These results added to its chaotic properties allow us to consider that this new generator has good pseudorandom characteristics and is able to withstand attacks. After having presented the theoretical framework of the study and a security analysis, we will give a comparison based on new statistical tests. Finally a concrete example of how to use these pseudorandom numbers for information hiding through the Internet is detailed.
The remainder of this paper is organized in the following way. In Section 2, some basic definitions concerning chaotic iterations and PRNGs are recalled. Then, the generator based on LUT discrete chaotic iterations is presented in Section 3. In Section 4, various tests are passed to make a statistical comparison between this new PRNG and other existing ones. In the next sections, a potential use of this PRNG in some Internet security field is presented, namely in information hiding. The paper ends with a conclusion section where the contribution is summarized and intended future work is presented.
2. Review of basics
2.1. Notations
$[\![1;N]\!]$ - the set $\{1, 2, \ldots, N\}$
$S^n$ - the nth term of a sequence $S = (S^1, S^2, \ldots)$
$v_i$ - the ith component of a vector: $v = (v_1, v_2, \ldots, v_n)$
$f^k$ - kth composition of a function f
strategy - a sequence whose elements belong to $[\![1;N]\!]$
$\mathbb{S}$ - the set of all strategies
$C_n^k$ - the binomial coefficient $\binom{n}{k} = \frac{n!}{k!(n-k)!}$
$\oplus$ - the bitwise exclusive or
$+$ - the integer addition
$\ll$ and $\gg$ - the usual shift operators
$(\mathcal{X}, d)$ - a metric space
$\lfloor x \rfloor$ - returns the highest integer smaller than x
$n!$ - the factorial $n! = n \times (n-1) \times \cdots \times 1$
$\mathbb{N}^*$ - the set of positive integers {1, 2, 3, …}
$\&$ - the bitwise AND
2.2. Chaotic iterations
Definition 1. The set $\mathbb{B}$ denoting $\{0,1\}$, let $f : \mathbb{B}^N \to \mathbb{B}^N$ be an "iteration" function and $S \in \mathbb{S}$ be a chaotic strategy. Then, the so-called chaotic iterations are defined by Robert (1986)
$$x^0 \in \mathbb{B}^N, \qquad \forall n \in \mathbb{N}^*,\ \forall i \in [\![1;N]\!],\quad x_i^n = \begin{cases} x_i^{n-1} & \text{if } S^n \neq i \\ f(x^{n-1})_{S^n} & \text{if } S^n = i. \end{cases} \tag{1}$$
In other words, at the nth iteration, only the $S^n$-th cell is "iterated". Note that in a more general formulation, $S^n$ can be a subset of components and $f(x^{n-1})_{S^n}$ can be replaced by $f(x^k)_{S^n}$, where $k < n$, describing for example transmission delays. For the general definition of such chaotic iterations, see, e.g., Robert (1986).
Chaotic iterations generate a set of vectors (Boolean vectors in this paper); they are defined by an initial state $x^0$, an iteration function f and a chaotic strategy S.
Algorithm 1. An arbitrary round of the old CI(XORshift1, XORshift2) generator.
    a ← XORshift1()
    m ← a mod 2 + c
    while i = 0, …, m do
        b ← XORshift2()
        S ← b mod N
        $x_S \leftarrow \overline{x_S}$
    end while
    r ← x
    return r
2.3. Old CI(XORshift, XORshift) algorithm
The basic design procedure of the old CI generator (Bahi et al., 2009) is recalled in Algorithm 1. The internal state is x (N bits), the output state is r (N bits), a and b are computed by two XORshift generators. Finally, N and $c \geq 3N$ are constants defined by the user.
2.4. New CI(XORshift, XORshift) algorithm
Algorithm 2 summarizes (Wang et al., 2010) the basic design procedure of the new generator. The internal state is x (a Boolean vector of size N), the output state is r (N bits). a and b are those computed by the two XORshifts. The value f(a) is an integer, defined as in Eq. (2). Lastly, N is a constant defined by the user.
$$m^n = f(y^n) = \begin{cases}
0 & \text{if } 0 \leq \frac{y^n}{2^{32}} < \frac{C_N^0}{2^N}, \\
1 & \text{if } \frac{C_N^0}{2^N} \leq \frac{y^n}{2^{32}} < \sum_{i=0}^{1} \frac{C_N^i}{2^N}, \\
2 & \text{if } \sum_{i=0}^{1} \frac{C_N^i}{2^N} \leq \frac{y^n}{2^{32}} < \sum_{i=0}^{2} \frac{C_N^i}{2^N}, \\
\vdots & \vdots \\
N & \text{if } \sum_{i=0}^{N-1} \frac{C_N^i}{2^N} \leq \frac{y^n}{2^{32}} < 1.
\end{cases} \tag{2}$$
Algorithm 2. An arbitrary round of the new CI(XORshift1, XORshift2) generator.
    while i = 0, …, N do
        $d_i \leftarrow 0$
    end while
    a ← XORshift1()
    m ← f(a)
    k ← m
    while i = 0, …, k do
        b ← XORshift2() mod N
        S ← b
        if $d_S = 0$ then
            $x_S \leftarrow \overline{x_S}$
            $d_S \leftarrow 1$
        else if $d_S = 1$ then
            k ← k + 1
        end if
    end while
    r ← x
    return r
3. LUT CI(XORshift, XORshift) algorithms and example
3.1. Introduction
The LUT CI generator is an improved version of the new CI generator. The key ideas are:
• To use a Lookup Table for a faster generation of strategies. These strategies satisfy the same property as the ones provided by the decimation process.
• To use all the bits provided by the two inputted generators (to discard none of them).
These key ideas are put together in the following way. Let us first recall that in chaotic iterations, only the cells designated by $S^n$ are "iterated" at the nth iteration. $S^n$ can be either a component (i.e., only one cell is updated at each iteration, so $S^n \in [\![1;N]\!]$) or a subset of components (any number of cells can be updated at each iteration, that is, $S^n \subset [\![1;N]\!]$). The first kind of strategies is called "unary strategies" whereas the second one is denoted by "general strategies". In the last case, each term $S^n$ of the strategy can be represented by an integer lower than $2^N$, designated by $\mathcal{S}^n$, for a system having N bits: the kth component of the system is updated at iteration number n if and only if the kth digit of the binary decomposition of $\mathcal{S}^n$ is 1. For instance, let us consider that $\mathcal{S}^n = 5$, and that we iterate on a system having 6 bits (N = 6). As the integer 5 has a binary decomposition equal to 000101, we thus conclude that the cell numbers 1 and 3 will be updated when the system changes its state from $x^n$ to $x^{n+1}$. In other words, in that situation, $\mathcal{S}^n = 5 \in [\![0, 2^6-1]\!] \Leftrightarrow S^n = \{1,3\} \subset [\![1,6]\!]$. To sum up, to provide a general strategy of $[\![1;N]\!]$ is equivalent to giving a unary strategy in $[\![0;2^N-1]\!]$. Let us now take into account this remark.
Until now the proposed generators have been presented in this document by using unary strategies (obtained by the first inputted PRNG S) that are finally grouped by "packages" (the size of these packages is given by the second generator m): after having used each term in the current package $S^{m^n}, \ldots, S^{m^{n+1}-1}$, the current state of the system is published as an output. Obviously, when considering the new CI version, these packages of unary strategies defined by the couple $(S,m) \in [\![1;N]\!] \times [\![0;N]\!]$ correspond to subsets of $[\![1;N]\!]$ having the form $\{S^{m^n}, \ldots, S^{m^{n+1}-1}\}$, which are general strategies. As stated before, these last can be rewritten as unary strategies that can be described as sequences in $[\![0;2^N-1]\!]$.
The advantage of such an equivalency is to reduce the complexity of the proposed PRNG. Indeed the new CI(S,m) generator can be written as
$$x^n = x^{n-1} \oplus \mathcal{S}^n, \tag{3}$$
where $\mathcal{S}$ is the unary strategy (in $[\![0;2^N-1]\!]$) associated to the couple $(S,m) \in [\![1;N]\!] \times [\![0,N]\!]$.
The speed improvement is obvious; the sole issue is to understand how to change (S, m) by $\mathcal{S}$. The problem to consider is that all the sequences of $[\![0;2^N-1]\!]$ are not convenient. Indeed, the properties required for the couple (S, m) (S must not be uniformly distributed, and a cell cannot be changed twice between two outputs) must be translated into requirements for $\mathcal{S}$ if we want to satisfy both speed and randomness. Such constraints are solved by working on the sequence m and by using some well-defined Lookup Tables presented in the following sections.

Table 1. A LUT-1 table for N = 4.
    b^n   0  1  2  3  4  5  6  7  8  9  10  11  12  13  14  15
    m^n   0  1  1  1  1  2  2  2  2  2  2   3   3   3   3   4
3.2. Sequence m
In order to improve the speed of the proposed generator, the first plan is to make the best usage of the bits generated by the inputted PRNGs. The problem is that the PRNG generating the integers of $m^n$ does not necessarily take its values into $[\![0,N]\!]$, where N is the size of the system.
For instance, in the new CI generator presented previously, this sequence is obtained by a XORshift, which produces integers belonging to $[\![0,2^{32}-1]\!]$. However, the iterated system has 4 cells (N = 4) in the example proposed previously; thus, to define the sequence $m^n$, we compute the remainder modulo 4 of each integer provided by the XORshift generator. In other words, only the last 4 bits of each 32 bits vector generated by the second XORshift are used. Obviously this stage can be easily optimized, by splitting this 32-bit vector into 8 subsequences of 4 bits. Thus, a call of XORshift() will now generate 8 terms of the sequence m, instead of only one term in the former generator.
This common-sense action can be easily generalized to any size $N \leq 32$ of the system by the procedure described in Algorithm 3. The idea is simply to make a shift of the binary vector a produced by the XORshift generator, by 0, N, 2N, … bits to the right, depending on the remainder c of n modulo $\lfloor 32/N \rfloor$ (that is, $a \gg (N \times c)$), and to take the bits between the positions 32 − N and 32 of this vector (corresponding to the right part "$\&(2^N-1)$" of the formula). In that situation, all the bits provided by XORshift are used when N divides 32.
Algorithm 3. Generation of sequence $b^n$.
    c = n mod ⌊32/N⌋
    if c = 0 then
        a ← XORshift()
    end if
    $b^n \leftarrow (a \gg (N \times c)) \,\&\, (2^N - 1)$
    return $b^n$
This Algorithm 3 produces a sequence $(b^n)_{n \in \mathbb{N}}$ of integers belonging to $[\![0,2^N-1]\!]$. It is now possible to define the sequence m by adapting Eq. (2) as follows:
$$m^n = f(b^n) = \begin{cases}
0 & \text{if } 0 \leq b^n < C_N^0, \\
1 & \text{if } C_N^0 \leq b^n < \sum_{i=0}^{1} C_N^i, \\
2 & \text{if } \sum_{i=0}^{1} C_N^i \leq b^n < \sum_{i=0}^{2} C_N^i, \\
\vdots & \vdots \\
N & \text{if } \sum_{i=0}^{N-1} C_N^i \leq b^n < 2^N.
\end{cases} \tag{4}$$
This common-sense measure can be improved another time if N is not very large by using the first Lookup Table of this document, which is called LUT-1. This improvement will be firstly explained through an example.
Let us consider that N = 4, so the sequence $(b^n)_{n \in \mathbb{N}}$ belongs to $[\![0,15]\!]$. The function f of Eq. (4) must translate each $b^n$ into an integer $m^n \in [\![0,4]\!]$, in such a way that the non-uniformity exposed previously is respected. Instead of defining the function f analytically, a table can be given containing all the images of the integers into $[\![0,15]\!]$ (see Table 1 for instance). As stated before, the frequencies of occurrence of the images 0, 1, 2, 3, and 4 must be respectively equal to $C_4^0/2^4$, $C_4^1/2^4$, $C_4^2/2^4$, $C_4^3/2^4$, and $C_4^4/2^4$. This requirement is equivalent to demanding $C_N^i$ times the number i, which can be translated in terms of permutations. For instance, when N = 4, any permutation of the list [0, 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 3, 3, 3, 3, 4] is convenient to define the image of [0, 1, 2, …, 14, 15] by f.
This improvement is implemented in Algorithm 4, which returns a table lut1 such that $m^n = lut1[b^n]$.
Algorithm 4. The LUT-1 table generation.
    i = 0
    for j = 0 … N do
        while $i < \sum_{k=0}^{j} C_N^k$ do
            lut1[i] = j
            i = i + 1
        end while
    end for
    return lut1
3.3. Defining the chaotic strategy S with a LUT
The definition of the sequence m allows us to determine the number of cells that have to change between two outputs of the LUT CI generator. There are $C_N^m$ possibilities to change m bits in a vector of size N. As we have to choose between these $C_N^m$ possibilities, we thus introduce the following sequence:
$$w^n = \mathrm{XORshift2}() \bmod C_N^m \tag{5}$$
With this material it is now possible to define the LUT that provides convenient strategies to the LUT CI generator. If the size of the system is N, then this table has N+1 columns, numbered from 0 to N. The column number m contains $C_N^m$ values. All of these values have in common to present exactly m times the digit 1 and N−m times the digit 0 in their binary decomposition. The order of appearance of these values in the column m has no importance; the sole requirement is that no column contains the same integer twice. Let us remark that this procedure leads to several possible LUTs.

Table 3. Example of a LUT for N = 4.
    w      m=0  m=1  m=2  m=3  m=4
    w=0    0    1    3    7    15
    w=1         2    5    11
    w=2         4    6    13
    w=3         8    9    14
    w=4              10
    w=5              12

Table 2. Results of DieHARD battery of tests.
    No.  Test name            XORshift  old CI  new CI  LUT CI
    1    Overlapping Sum      Pass      Pass    Pass    Pass
    2    Runs Up 1            Pass      Pass    Pass    Pass
         Runs Down 1          Pass      Pass    Pass    Pass
         Runs Up 2            Pass      Pass    Pass    Pass
         Runs Down 2          Pass      Pass    Pass    Pass
    3    3D Spheres           Pass      Pass    Pass    Pass
    4    Parking Lot          Pass      Pass    Pass    Pass
    5    Birthday Spacing     Pass      Pass    Pass    Pass
    6    Count the ones 1     Pass      Pass    Pass    Pass
    7    Binary Rank 6×8      Pass      Pass    Pass    Pass
    8    Binary Rank 31×31    Pass      Pass    Pass    Pass
    9    Binary Rank 32×32    Pass      Pass    Pass    Pass
    10   Count the ones 2     Pass      Pass    Pass    Pass
    11   Bit Stream           Pass      Pass    Pass    Pass
    12   Craps Wins           Pass      Pass    Pass    Pass
         Throws               Pass      Pass    Pass    Pass
    13   Minimum Distance     Pass      Pass    Pass    Pass
    14   Overlapping Perm.    Pass      Pass    Pass    Pass
    15   Squeeze              Pass      Pass    Pass    Pass
    16   OPSO                 Pass      Pass    Pass    Pass
    17   OQSO                 Pass      Pass    Pass    Pass
    18   DNA                  Pass      Pass    Pass    Pass
    Number of tests passed    18        18      18      18
Algorithm 5. LUT21 procedure.
    Procedure LUT21(M, N, b, v, c)
        count ← c
        value ← v
        if count == M then
            lut2[M][num] = value
            num = num + 1
        else
            for i = b … N−1 do
                value = value + 2^i
                count = count + 1
                Call recurse LUT21(M, N, i+1, value, count)
                value = v
                count = c
            end for
        end if
    End Procedure
An example of such a LUT is shown in Table 3, while Algorithm 6 gives a concrete procedure to obtain such tables. This procedure makes recursive calls to the function LUT21 defined in Algorithm 5. The LUT21 uses the following variables: b is used to avoid overlapping computations between two recursive calls, v is to save the sum value between these calls, and c counts the number of cells that have already been processed. These parameters should be initialized as 0. For instance, the LUT presented in Table 3 is the lut2 obtained in Algorithm 5 with N = 4.
Algorithm 6. LUT-2 generation.
    for i = 0 … N do
        num ← 0
        Call LUT21(i, N, 0, 0, 0)
    end for
    return lut2
3.4. LUT CI(XORshift, XORshift) algorithm
The LUT CI generator is defined by the following dynamical system:
$$x^n = x^{n-1} \oplus \mathcal{S}^n, \tag{6}$$
where $x^0 \in [\![0,2^N-1]\!]$ is a seed and $\mathcal{S}^n = lut2[w^n][m^n] = lut2[w^n][lut1[b^n]]$, in which $b^n$ is provided by Algorithm 3 and $w^n = \mathrm{XORshift2}() \bmod C_N^m$. An iteration of this generator is written in Algorithm 7. Let us finally remark that the two inputted XORshift can be replaced by any other operating PRNG.
Algorithm 7. LUT CI(XORshift, XORshift) algorithm.
    c = n mod ⌊32/N⌋
    if c = 0 then
        a ← XORshift1()
    end if
    $b^n \leftarrow (a \gg (N \times c)) \,\&\, (2^N - 1)$
    $m^n = lut1[b^n]$
    $d^n = \mathrm{XORshift2}()$
    $w^n = d^n \bmod C_N^m$
    $\mathcal{S}^n = lut2[m][w]$
    $x = x \oplus \mathcal{S}^n$
    return x
3.5. LUT CI(XORshift, XORshift) example of use
In this example, N = 4 is chosen another time for easy understanding. As before, the initial state of the system $x^0$ can be seeded by the decimal part t of the current time. With the same current time as in the examples exposed previously, we have $x^0 = (0,1,0,0)$ (or $x^0 = 4$).
Algorithm 4 provides the LUT-1 depicted in Table 1. The first XORshift generator has returned y = 0, 11, 7, 2, 10, 4, 1, 0, 3, 9, …. By using this LUT, we obtain m = 0, 3, 2, 1, 2, 1, 1, 0, 1, 2, …. Then Algorithm 6 is computed, leading to the LUT-2 given by Table 3.
So chaotic iterations of Algorithm 7 can be realized, to obtain in this example 0100100101010001… or 4, 9, 5, 1…
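The LUT-1 and LUT-2 constructions and the round of Algorithm 7, as an added Python example (not the authors' implementation) that reproduces the N = 4 outputs above. It assumes a 32-bit XORshift with shifts (13, 17, 5) for both input generators, fills the LUT-2 columns in increasing order as in Table 3 instead of calling the recursive LUT21 procedure, and indexes the table as lut2[m][w]; the sequence d in worked_example is constructed to give w = 0, 2, 5, 2.

```python
from itertools import islice
from math import comb

MASK32 = 0xFFFFFFFF


def xorshift32(seed):
    """32-bit XORshift stream; the (13, 17, 5) shift triple is an assumption."""
    state = seed & MASK32
    if state == 0:
        raise ValueError("xorshift32 needs a non-zero seed")
    while True:
        state ^= (state << 13) & MASK32
        state ^= state >> 17
        state ^= (state << 5) & MASK32
        yield state


def build_lut1(n):
    """LUT-1 (Table 1): the value j fills C(n, j) consecutive slots out of 2**n."""
    return [j for j in range(n + 1) for _ in range(comb(n, j))]


def build_lut2(n):
    """LUT-2 (Table 3): column m lists every n-bit integer with m bits set."""
    columns = [[] for _ in range(n + 1)]
    for value in range(1 << n):          # increasing order, as in Table 3
        columns[bin(value).count("1")].append(value)
    return columns


def split_words(words, n):
    """Algorithm 3: cut each 32-bit word into floor(32/n) chunks of n bits."""
    mask = (1 << n) - 1
    for a in words:
        for c in range(32 // n):
            yield (a >> (n * c)) & mask


def lut_ci(x0, b_seq, d_seq, n):
    """Algorithm 7: x <- x XOR lut2[m][w], with m = lut1[b], w = d mod C(n, m)."""
    lut1, lut2 = build_lut1(n), build_lut2(n)
    x = x0
    for b, d in zip(b_seq, d_seq):
        m = lut1[b]                      # how many cells change in this round
        w = d % comb(n, m)               # which m-subset of cells is chosen
        x ^= lut2[m][w]                  # m distinct bits are negated at once
        yield x


def worked_example():
    """Section 3.5 with N = 4 and x0 = 4; d is constructed (w = 0, 2, 5, 2)."""
    return list(lut_ci(4, [0, 11, 7, 2], [0, 2, 5, 2], 4))


def generate(seed1, seed2, x0, n, count):
    """LUT CI(XORshift, XORshift) outputs from two seeded input generators."""
    b_seq = split_words(xorshift32(seed1), n)
    return list(islice(lut_ci(x0, b_seq, xorshift32(seed2), n), count))


if __name__ == "__main__":
    print(worked_example())
    print(generate(0x12345678, 0x9ABCDEF0, 0, 8, 5))
```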
4. Statistical analysis
In order to make a fair comparison, we decided to choose the best parameters for each generator. According to the experiments, these values are N = 4 for the old CI, N = 32 for the new one, and finally N = 8 for the LUT CI generator (see Sections IV-A, IV-B, and IV-C respectively) (Table 4).
4.1. NIST
In our experiments, 100 sequences (s = 100) of 1,000,000 bits are generated and tested. If the value $P_T$ of any test is smaller than 0.0001, the sequences are considered to be not good enough and the generator is unsuitable. Table 5 shows $P_T$ of sequences based on discrete chaotic iterations using different schemes. If there are at least two statistical values in a test, this test is marked with an asterisk and the average value is computed to characterize the statistics. We can see in Table 5 that old, new, and LUT CI(XORshift, XORshift) generators have successfully passed the NIST statistical test suite. In particular, the score of the XORshift generator is better when this last is embedded into any of the three proposed schemes (indeed, XORshift alone fails one of the NIST tests).
4.2. Diehard
Table 2 gives the results derived from applying the DieHARD battery (Marsaglia, 1996) of tests to the PRNGs considered in this work. As can be observed, all the generators presented in this document can pass the DieHARD battery of tests.
Table 4. Example of a LUT CI(XORshift, XORshift) generation.
    m      0    3    2    1
    c      0    2    5    2
    S      0    13   12   4
    x_0    x^0  x^1  x^2  x^3
    0      0    1    0    0
    1      1    0    1    0
    0      0    0    0    0
    0      0    1    1    1
    Binary Output: $x_1^0 x_2^0 x_3^0 x_4^0 x_1^1 x_2^1 x_3^1 x_4^1 x_1^2 x_2^2 \ldots$ = 0100100101010001…
    Integer Output: $x^0, x^1, x^2, x^3, \ldots$ = 4, 11, 8, 1…
Table 5. NIST SP 800-22 test results ($P_T$).
    Method                                  XORshift  Old CI    New CI    LUT CI
    Frequency (Monobit)                     0.779188  0.145326  0.719747  0.657933
    Frequency within a block                0.779188  0.028817  0.071177  0.719747
    Runs                                    0.514124  0.739918  0.911413  0.224821
    Longest run of ones in a block          0.883171  0.554420  0.779188  0.494392
    Binary matrix rank                      0.851383  0.236810  0.924076  0.023545
    Discrete Fourier transform (Spectral)   0.834308  0.514124  0.911413  0.514124
    Non-overlapping template matching*      0.506389  0.512363  0.501621  0.437726
    Overlapping template matching           0.534146  0.595549  0.275709  0.017912
    Maurer universal statistical            0.366918  0.122325  0.419021  0.897763
    Linear complexity                       0.275709  0.249284  0.779188  0.678686
    Serial* (m=10)                          0.328499  0.495847  0.933624  0.444265
    Approximate entropy (m=10)              0.000000  0.051942  0.262249  0.319084
    Cumulative sums (Cusum)*                0.720350  0.074404  0.368618  0.171384
    Random excursions*                      0.396803  0.507812  0.518462  0.356105
    Random excursions variant*              0.576643  0.289594  0.548078  0.587062
    Success                                 14/15     15/15     15/15     15/15

4.3. Comparative test parameters
We show in Table 6 a comparison of the comparative test parameters (Wang et al., 2010) among the generators LUT CI(XORshift, XORshift), New CI(XORshift, XORshift), their old version Old CI(XORshift, XORshift), and a PRNG based on a simple XORshift. Time (in seconds) is related to the duration needed by each algorithm to generate a $2 \times 10^8$ bits long sequence. The test has been conducted using the same computer and compiler with the same optimization settings for both algorithms, in order to make it as fair as possible. The results confirm that the proposed LUT CI is the fastest CI PRNG, while the statistical results are better for most of the parameters, leading to the conclusion that this new PRNG is more secure than the other ones.
In addition, a comparison of overall stability from $5 \times 10^4$ to $8 \times 10^5$ for these generators has been given in Fig. 1. It can be seen that LUT CI and new CI are dominant in all, especially when the sequences are very long.

Table 6. Comparison between the presented PRNGs for a $2 \times 10^8$ bits sequence.
    Methods          XORshift  Old CI   New CI   LUT CI
    Monobit          0.6055    0.5689   0.0029   0.0471
    Serial           0.7021    1.5765   0.3845   0.2232
    Poker            7.957     6.3683   5.882    5.166
    Runs             26.1022   28.4237  24.8094  21.9861
    Autocorrelation  1.1628    0.3403   1.4220   0.4410
    Time             9.33 s    49.55 s  28.82 s  11.24 s

Fig. 1. Overall sequence stability comparison.

4.4. Varying the output size
The size of the outputs (N, in number of bits) produced by each of the proposed generators only depends on the size of the initial state $x^0$. Moreover, as the "CI process" is fundamentally a negation of bits, the size of the system does not really impact the speed of these PRNGs, at least for reasonable values of N. As various N values can be relevant, depending on the application, we thus investigate whether the statistical performances of the CI generators are impacted when N changes.
We can show in Table 7 that, for the three CI generators, various N lead to success for both the NIST and DIEHARD tests. Concerning the whole TestU01 (Simard and Montral, 2002), various conclusions can be drawn. Firstly, the LUT CI generator is unsuitable for N = 32, due to its too large consumption of memory resources when generating and using the LUTs. Secondly, this last generator is the only one capable of passing the whole TestU01 with only N = 4 cells. Finally, all the proposed generators have better scores than the XORshift they use.
4.5. Devaney’s chaos property
Generally, the quality of a PRNG depends, to a large extent, on the following criteria: randomness, uniformity, independence, storage efficiency, and reproducibility. A chaotic sequence may satisfy these requirements and also other chaotic properties, as ergodicity, entropy, and expansivity. A chaotic sequence is extremely sensitive to the initial conditions. That is, even a minute difference in the initial state of the system can lead to enormous differences in the final state, even over fairly small timescales. Therefore chaotic sequences fit the requirements of pseudorandom sequences well. Contrary to XORshift, our generator possesses these chaotic properties (Bahi and Guyeux, 2010; Bahi et al., 2009). However, despite a large number of papers published in the field of chaos-based pseudorandom generators, the impact of this research is rather marginal. This is due to the following reasons: almost all PRNG algorithms using chaos are based on dynamical systems defined on continuous sets (e.g., the set of real numbers). So these generators are usually slow, require considerably more storage space, and lose their chaotic properties during computations. These major problems restrict their usage as generators (Kocarev, 2001).
In this paper we do not simply integrate chaotic maps hoping that the implemented algorithm remains chaotic. Indeed, the PRNG we conceive is just discrete chaotic iterations and we have proven in Bahi and Guyeux (2010) that these iterations produce a topological chaos as defined by Devaney: they are regular, transitive, and sensitive to initial conditions. This famous definition of a chaotic behavior for a dynamical system implies unpredictability, mixture, sensitivity, and uniform repartition. Moreover, as only integers are manipulated in discrete chaotic iterations, the chaotic behavior of the system is preserved during computations, and these computations are fast.
5. Application example in digital watermarking
Information hiding has recently become a major information security technology, especially with the increasing importance and widespread distribution of digital media through the Internet (Wu et al., 2007). It includes several techniques like digital watermarking. The aim of digital watermarking is to embed a piece of information into digital documents, such as pictures or movies. This is for a large panel of reasons, such as copyright protection, control utilization, data description, content authentication, and data integrity. For these reasons, many different watermarking schemes have been proposed in recent years. Digital watermarking must have essential characteristics, including security, imperceptibility, and robustness. Chaotic methods have been proposed to encrypt the watermark before embedding it in the carrier image for these security reasons. In this paper, a watermarking algorithm based on the chaotic PRNG presented above is given, as an illustration of the use of this family of CI PRNG.
5.1. Most and least significant coefficients
Let us first introduce the definitions of most and leastsignificant coefficients.
Definition 2. For a given image, the most significant coefficients (in short MSCs) are the coefficients that allow the description of the relevant part of the image, i.e. its richest part (in terms of embedding information), through a sequence of bits.
For example, in a spatial description of a grayscale image, a definition of MSCs can be the sequence constituted by the first three bits of each pixel as shown in Fig. 2(b). In a discrete cosine frequency domain description, each 8×8 block of the carrier image is mapped to a list of 64 coefficients. The energy of the image is contained in the first of them. After binary conversion, the first four coefficients of all these blocks can constitute a possible sequence of MSCs.
Definition 3. By least significant coefficients (LSCs), we mean a translation of some insignificant parts of a medium in a sequence of bits (insignificant can be understood as: "which can be altered without sensitive damages").
These LSCs can be, for example, the last three bits of the gray level of each pixel, in the case of a spatial domain watermarking of a grayscale image, as in Fig. 2(c).
Table 7. TestU01 statistical test.
    PRNG             Battery             Parameters     Statistics  N=4  N=8  N=16  N=32
    Single XORshift  Rabbit              32×10^9 bits   40          -    -    -     3
                     Alphabit            32×10^9 bits   17          -    -    -     0
                     Pseudo DieHARD      Standard       126         -    -    -     3
                     FIPS_140_2          Standard       16          -    -    -     0
                     Small crush         Standard       15          -    -    -     1
                     Crush               Standard       144         -    -    -     29
                     Big crush           Standard       160         -    -    -     44
                     Number of failures                 518         -    -    -     80
    Old CI           Rabbit              32×10^9 bits   40          1    2    2     3
                     Alphabit            32×10^9 bits   17          0    0    2     2
                     Pseudo DieHARD      Standard       126         0    0    0     0
                     FIPS_140_2          Standard       16          0    0    0     0
                     Small crush         Standard       15          0    0    1     0
                     Crush               Standard       144         2    9    16    46
                     Big crush           Standard       160         3    18   30    78
                     Number of failures                 518         6    29   51    129
    New CI           Rabbit              32×10^9 bits   40          0    0    0     0
                     Alphabit            32×10^9 bits   17          0    0    0     0
                     Pseudo DieHARD      Standard       126         2    0    0     0
                     FIPS_140_2          Standard       16          0    0    0     0
                     Small crush         Standard       15          0    0    0     0
                     Crush               Standard       144         0    0    0     0
                     Big crush           Standard       160         0    0    0     0
                     Number of failures                 518         2    0    0     0
    LUT CI           Rabbit              32×10^9 bits   40          0    0    0     -
                     Alphabit            32×10^9 bits   17          0    0    0     -
                     Pseudo DieHARD      Standard       126         0    0    0     -
                     FIPS_140_2          Standard       16          0    0    0     -
                     Small crush         Standard       15          0    0    0     -
                     Crush               Standard       144         0    0    0     -
                     Big crush           Standard       160         0    0    0     -
                     Number of failures                 518         0    0    0     -
Discrete cosine, Fourier, and wavelet transforms can be used to define LSCs and MSCs, in the case of frequency domain watermarking, among other possible choices. Moreover, these definitions are not limited to image media, but can easily be extended to the audio and video media as well.
LSCs are used during the embedding stage: some of the least significant coefficients of the carrier image will be chaotically chosen and replaced by the bits of the mixed watermark. With a large number of LSCs, the watermark can be inserted more than once and thus the embedding will be more secure and robust, but also more detectable.
The MSCs are only useful in the case of authentication: encryption and embedding stages depend on them. Hence, a coefficient should not be defined at the same time as an MSC and an LSC: the last can be altered, while the first is needed to extract the watermark.
5.2. Stages of the algorithm
Our watermarking scheme consists of two stages: (1) mixture of the watermark and (2) its embedding.
5.2.1. Watermark mixture
Firstly, for safety reasons, the watermark can be mixed before its embedding into the image. A common way to achieve this stage is to use the bitwise exclusive or (XOR), for example, between the watermark and the above PRNG. In this paper, we will use another mixture scheme based on chaotic iterations. Its chaotic strategy, defined with our PRNG, will be highly sensitive to the MSCs, in the case of an authenticated watermark, as stated in Bahi and Guyeux (2010).
5.2.2. Watermark embedding
Some LSCs will be substituted by all bits of the possibly mixed watermark. To choose the sequence of LSCs to be altered, a number of integers, less than or equal to the number N of LSCs corresponding to a chaotic sequence $(U^k)_k$, is generated from the chaotic strategy used in the mixture stage. Thus, the $U^k$-th least significant coefficient of the carrier image is substituted by the kth bit of the possibly mixed watermark. In the case of authentication, such a procedure leads to a choice of the LSCs which are highly dependent on the MSCs. For the detail of this stage see Section 6.1.2.
5.2.3. Extraction
The chaotic strategy can be regenerated, even in the case of an authenticated watermarking, because the MSCs have not been changed during the stage of embedding the watermark. Thus, the few altered LSCs can be found, the mixed watermark can then be rebuilt, and the original watermark can be obtained. If the watermarked image is attacked, then the MSCs will change. Consequently, in the case of authentication and due to the high sensitivity of the embedding sequence, the LSCs designed to receive the watermark will be completely different. Hence, the result of the recovery will have no similarity with the original watermark: authentication is reached.
6. Evaluation of the proposed scheme
In this section, a complete application example of the above chaotic watermarking method is given and its robustness to some attacks is studied. This case study enables us to specify the details of the algorithm and to evaluate it.
6.1. Stages and details
6.1.1. Images description
The carrier image is Lena, a 256-level grayscale image of size 256×256 (see Fig. 2(a)). The watermark is the 64×64 pixels binary image depicted in Fig. 3(a). The embedding domain will be the spatial domain. The selected MSCs are the four most significant bits of each pixel and the LSCs are the three last bits (a given pixel will be modified by at most four levels of gray by an iteration). Before its embedding, the watermark is mixed with chaotic iterations. The chaotic strategy $S^n$ and the iterate function of the system to iterate are defined below.
6.1.2. Embedding of the watermark
Fig. 2. Spatial MSCs and LSCs of Lena. (a) Lena, (b) MSCs of Lena and (c) LSCs of Lena.
Fig. 3. Watermarked Lena and differences. (a) Watermark, (b) Watermarked Lena, (c) Differences with original.
To embed the watermark, the sequence $(U^k)_{k \in \mathbb{N}}$ of altered bits taken from the M LSCs must be defined. To do so, the strategy $(S^k)_{k \in \mathbb{N}}$ of the encryption stage is used as follows:
$$\begin{cases} U^0 = S^0 \\ U^{n+1} = S^{n+1} + 2 \times U^n + n \pmod{M} \end{cases} \qquad (7)$$
to obtain the result depicted in Fig. 4(b). The map $\theta \mapsto 2\theta$ of the torus, which is a famous example of topological Devaney's chaos (Devaney, 1989), has been chosen to make $(U^k)_{k \in \mathbb{N}}$ highly sensitive to the chaotic strategy $(S^k)_{k \in \mathbb{N}}$. As a consequence, $(U^k)_{k \in \mathbb{N}}$ is highly sensitive to the alteration of the MSCs. In case of authentication, any significant modification of the watermarked image will lead to a completely different extracted watermark.
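The embedding and extraction stages of Sections 5.2.2, 5.2.3 and 6.1.2, as an added Python example that is not the authors' code. Assumptions: a plain xorshift32 stands in for the paper's CI PRNG, the strategy seed is the key XORed with a SHA-256 digest of the MSCs in the authentication case, the image and watermark are constructed sample data, and all function names are hypothetical.

```python
import hashlib

def xorshift32(state):
    """One step of Marsaglia's xorshift32 (stand-in for the CI PRNG)."""
    state ^= (state << 13) & 0xFFFFFFFF
    state ^= state >> 17
    state ^= (state << 5) & 0xFFFFFFFF
    return state

def embedding_sequence(pixels, key, length, authenticate=True):
    """Eq. (7): U^0 = S^0, U^{n+1} = S^{n+1} + 2*U^n + n (mod M)."""
    M = 3 * len(pixels)                      # three LSCs (low bits) per pixel
    seed = key
    if authenticate:                         # strategy depends on the MSCs
        mscs = bytes(p >> 4 for p in pixels)
        seed ^= int.from_bytes(hashlib.sha256(mscs).digest()[:4], "big")
    state = seed & 0xFFFFFFFF or 1           # xorshift state must be non-zero
    U = []
    for n in range(length):
        state = xorshift32(state)
        s = state % M                        # strategy term S^n (assumed form)
        U.append(s if n == 0 else (s + 2 * U[-1] + n - 1) % M)
    return U

def embed(pixels, watermark, key, authenticate=True):
    """Substitute the U^k-th LSC by the k-th watermark bit."""
    out = list(pixels)
    U = embedding_sequence(pixels, key, len(watermark), authenticate)
    for u, bit in zip(U, watermark):
        px, b = divmod(u, 3)                 # LSC u is bit b of pixel px
        out[px] = (out[px] & ~(1 << b)) | (bit << b)
    return out

def extract(pixels, length, key, authenticate=True):
    """Regenerate the sequence from the (unchanged) MSCs and read the LSCs."""
    U = embedding_sequence(pixels, key, length, authenticate)
    return [(pixels[u // 3] >> (u % 3)) & 1 for u in U]

def similarity(a, b):
    """Percentage of equal bits, as used in Section 6.2."""
    return 100.0 * sum(x == y for x, y in zip(a, b)) / len(a)

# Constructed sample data: a 32x32 "image" and a 64-bit watermark.
IMAGE = [(37 * i + 11) % 256 for i in range(1024)]
WATERMARK = [(i * i + i // 3) % 2 for i in range(64)]
KEY = 0x5EED1234
MARKED = embed(IMAGE, WATERMARK, KEY)
TAMPERED = list(MARKED)
TAMPERED[0] ^= 0x80                          # flip one MSC bit of one pixel
if __name__ == "__main__":
    for name, img in (("intact", MARKED), ("tampered", TAMPERED)):
        print(name, similarity(WATERMARK, extract(img, 64, KEY)))
```

Eq. (7) can return the same position twice, in which case the later bit overwrites the earlier one, so extraction from an untouched image is not guaranteed to reach 100% similarity.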
6.2. Robustness results
To prove the efficiency and the robustness of the proposed algorithm, some attacks are applied to our chaotically watermarked image. For each attack, a similarity percentage with the original watermark is computed. This percentage is the number of equal bits between the original and the extracted watermark, shown as a percentage. A result less than or equal to 50% implies that the image has probably not been watermarked.
6.2.1. Cropping attack
In this kind of attack, a watermarked image is cropped. In this case, the results in Table 8 have been obtained. In Fig. 4, the decrypted watermarks are shown after a crop of 50 pixels and after a crop of 10 pixels, in the authentication case.
By analyzing the similarity percentage between the original and the extracted watermark, we can conclude that in the case of unauthentication, the watermark still remains after a cropping attack. The desired robustness is reached. It can be noticed that cropping sizes and percentages are rather proportional. In the case of authentication, even a small change of the carrier image (a crop by 10×10 pixels) leads to a really different extracted watermark. In this case, any attempt to alter the carrier image will be signaled, thus the image is well authenticated.
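Table 8. Robustness against attacks.

| Attack | Parameter | Value | Similarity (%), unauthentication | Similarity (%), authentication |
|---|---|---|---|---|
| Cropping | Size (pixels) | 10 | 99.48 | 49.68 |
| Cropping | Size (pixels) | 50 | 97.63 | 54.54 |
| Cropping | Size (pixels) | 100 | 91.31 | 52.24 |
| Cropping | Size (pixels) | 200 | 68.56 | 51.87 |
| Rotation | Angle (°) | 2 | 97.41 | 70.01 |
| Rotation | Angle (°) | 5 | 94.67 | 59.47 |
| Rotation | Angle (°) | 10 | 91.30 | 54.51 |
| Rotation | Angle (°) | 25 | 80.85 | 50.21 |
| JPEG compression | Compression | 2 | 82.95 | 54.39 |
| JPEG compression | Compression | 5 | 65.23 | 53.46 |
| JPEG compression | Compression | 10 | 60.22 | 50.14 |
| JPEG compression | Compression | 20 | 53.17 | 48.80 |
| Gaussian noise | Standard dev. | 1 | 74.26 | 52.05 |
| Gaussian noise | Standard dev. | 2 | 63.33 | 50.95 |
| Gaussian noise | Standard dev. | 3 | 57.44 | 49.65 |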
Fig. 4. Extracted watermark after a cropping attack (zoom ×2). (a) Unauthentication (10×10), (b) Authentication (10×10) and (c) Unauthentication (50×50).
6.2.2. Rotation attack
Let $r_\theta$ be the rotation of angle $\theta$ around the center (128, 128) of the carrier image. The transformation $r_{-\theta} \circ r_\theta$ is then applied to the watermarked image. The results in Table 8 have been obtained. The same conclusion as above can be drawn.
6.2.3. JPEG compression
A JPEG compression is applied to the watermarked image, depending on a compression level. This attack leads to a change of the representation domain (from spatial to DCT domain). In this case, the results in Table 8 have been obtained, illustrating a good authentication through JPEG attack. As for the unauthentication case, the watermark still remains after a compression level equal to 10. This is a good result if we take into account the fact that we use spatial embedding.
6.2.4. Gaussian noise
A watermarked image can also be attacked by the addition of a Gaussian noise, depending on a standard deviation. In this case, the results in Table 8 are obtained.
6.3. Security study of the proposed information hiding scheme
For the sake of completeness, and to show the effectiveness of the method, we will now introduce two other strategies different from the one given in Eq. (7). The proposed scheme will be rewritten too, in order to give a more theoretical evaluation of the security of the proposed information hiding algorithm.
6.3.1. Reformulation of the scheme
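Let us consider the phase space $\mathcal{X} = [\![1;\mathsf{N}]\!]^{\mathbb{N}} \times \mathbb{B}^{\mathsf{N}}$ and the map $G_f(S,E) = (\sigma(S), F_f(i(S),E))$, where $\sigma$ is defined by $\sigma : (S^n)_{n \in \mathbb{N}} \in \mathbb{S} \to (S^{n+1})_{n \in \mathbb{N}} \in \mathbb{S}$, and $i$ is the map $i : (S^n)_{n \in \mathbb{N}} \in \mathbb{S} \to S^0 \in [\![1;\mathsf{N}]\!]$. Using this rewriting of the chaotic iterations presented previously, let
• $(K,N) \in [0;1] \times \mathbb{N}$ be an embedding key,
• $X \in \mathbb{B}^{\mathsf{N}}$ be the $\mathsf{N}$ least significant coefficients (LSCs) of a given cover media C,
• $(S^n)_{n \in \mathbb{N}} \in [\![1,\mathsf{N}]\!]^{\mathbb{N}}$ be a strategy, which depends on the message to hide $M \in [0;1]$ and $K$,
• $f_0 : \mathbb{B}^{\mathsf{N}} \to \mathbb{B}^{\mathsf{N}}$ be the vectorial logical negation.
So the watermarked media is C whose LSCs are replaced by $Y_K = X^N$, where (Friot et al., 2011)
$$\begin{cases} X^0 = X \\ \forall n < N,\ X^{n+1} = G_{f_0}(X^n). \end{cases}$$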
6.3.2. New examples of strategies
CIIS strategy. Let us first introduce the Piecewise Linear Chaotic Map (PLCM, see Shujun et al., 2001), defined by

Definition 4 (PLCM).
$$F(x,p) = \begin{cases} x/p & \text{if } x \in [0;p] \\ (x-p)/(\tfrac{1}{2}-p) & \text{if } x \in [p;\tfrac{1}{2}] \\ F(1-x,p) & \text{else,} \end{cases}$$
where $p \in \,]0;\tfrac{1}{2}[$ is a "control parameter". Then, we can define the general term of the strategy $(S^n)_n$ in Chaotic Iterations with Independent Strategy (CIIS) setup by the following expression: $S^n = \lfloor \mathsf{N} \times K^n \rfloor + 1$, where
$$\begin{cases} p \in [0;\tfrac{1}{2}] \\ K^0 = M \oplus K \\ K^{n+1} = F(K^n,p),\ \forall n \leq N_0 \end{cases}$$
in which $\oplus$ denotes the bitwise exclusive or (XOR) between two floating part numbers (i.e., between their binary digits representation). Lastly, to be certain to enter into the chaotic regime of PLCM (Shujun et al., 2001), the strategy can be preferably defined by $S^n = \lfloor \mathsf{N} \times K^{n+D} \rfloor + 1$, where $D \in \mathbb{N}$ is large enough: we thus iterate the PLCM a certain number of times before taking terms of the strategy.

CIDS strategy. The same notations as above are used. We define the Chaotic Iterations with Dependent Strategy (CIDS) strategy as follows: $\forall k \leq N$,
• if $k \leq \mathsf{N}$ and $X^k = 1$, then $S^k = k$,
• else $S^k = 1$.
In this situation, if $N \geq \mathsf{N}$, then only two watermarked contents are possible with the scheme proposed previously, namely $Y_K = (0,0,\dots,0)$ and $Y_K = (1,0,\dots,0)$. Indeed, in CIIS, the strategy is independent from the cover media X, whereas in CIDS the strategy will be dependent on X.
6.3.3. Evaluation of the stego-security
Let $\mathbb{K}$ be the set of embedding keys, $p(X)$ the probabilistic model of $N_0$ initial host contents, and $p(Y|K_1)$ the probabilistic model of $N_0$ watermarked contents. We suppose that each host content has been watermarked with the same key $K_1$ and the same embedding function $e$.
Definition 5. The embedding function $e$ is stego-secure if and only if (Cayre et al., 2008): $\forall K_1 \in \mathbb{K},\ p(Y|K_1) = p(X)$.
Let us now study the stego-security of the scheme. We will prove that,

Proposition 1. The information hiding scheme using the CIIS strategy is stego-secure, whereas CIDS is not stego-secure.

Proof. Let us suppose that $X \sim \mathbf{U}(\mathbb{B}^{\mathsf{N}})$ in a CIIS setup. We will prove by mathematical induction that $\forall n \in \mathbb{N}$, $X^n \sim \mathbf{U}(\mathbb{B}^{\mathsf{N}})$. The base case is immediate, as $X^0 = X \sim \mathbf{U}(\mathbb{B}^{\mathsf{N}})$. Let us now suppose that the statement $X^n \sim \mathbf{U}(\mathbb{B}^{\mathsf{N}})$ holds for some $n$. Let $e \in \mathbb{B}^{\mathsf{N}}$ and $B_k = (0,\dots,0,1,0,\dots,0) \in \mathbb{B}^{\mathsf{N}}$ (the digit 1 is in position $k$). So
$$P(X^{n+1} = e) = \sum_{k=1}^{\mathsf{N}} P(X^n = e + B_k,\ S^n = k).$$
These two events are independent in CIIS setup, thus:
$$P(X^{n+1} = e) = \sum_{k=1}^{\mathsf{N}} P(X^n = e + B_k) \times P(S^n = k).$$
According to the inductive hypothesis:
$$P(X^{n+1} = e) = \frac{1}{2^{\mathsf{N}}} \sum_{k=1}^{\mathsf{N}} P(S^n = k).$$
The set of events $\{S^n = k\}$ for $k \in [\![1;\mathsf{N}]\!]$ is a partition of the universe of possible, so $\sum_{k=1}^{\mathsf{N}} P(S^n = k) = 1$.
Finally, $P(X^{n+1} = e) = 1/2^{\mathsf{N}}$, which leads to $X^{n+1} \sim \mathbf{U}(\mathbb{B}^{\mathsf{N}})$. This result is true $\forall n \in \mathbb{N}$, we thus have proven that,
$$\forall K \in [0;1],\ Y_K = X^{N_0} \sim \mathbf{U}(\mathbb{B}^{\mathsf{N}}) \text{ when } X \sim \mathbf{U}(\mathbb{B}^{\mathsf{N}}),$$
which concludes the first claim of the proposition. Let us now prove the second part of it.
Due to the definition of CIDS, we have $P(Y_K = (1,1,\dots,1)) = 0$. So there is no uniform repartition for the stego-contents $Y_K$. □
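The CIIS and CIDS strategies of Section 6.3.2 and the two claims of Proposition 1, checked by exhaustive enumeration on a small case, as an added Python example that is not the authors' code. Assumptions: 4 LSCs and 6 iterations, strategy terms S^1, S^2, ... consumed in order, X^k read as the k-th bit of the host, the XOR of M and K done on 32-bit fixed-point values, and constructed values for M, K, p and D; function names are hypothetical.

```python
from itertools import product

def plcm(x, p):
    """Piecewise Linear Chaotic Map F(x, p) of Definition 4."""
    if x > 0.5:
        x = 1.0 - x                          # third branch: F(1 - x, p)
    return x / p if x <= p else (x - p) / (0.5 - p)

def ciis_strategy(n_lsc, steps, message, key, p=0.3, warmup=100):
    """S^n = floor(N * K^{n+D}) + 1 with K^0 = M xor K; never reads X."""
    k = ((int(message * 2**32) ^ int(key * 2**32)) % 2**32) / 2**32
    out = []
    for n in range(warmup + steps):
        if n >= warmup:                      # skip the first D = warmup terms
            out.append(min(n_lsc, int(n_lsc * k) + 1))
        k = plcm(k, p)
    return out

def cids_strategy(x, steps):
    """S^k = k if k <= N and X^k = 1, else S^k = 1 (k = 1..steps)."""
    n = len(x)
    return [k if k <= n and x[k - 1] == 1 else 1 for k in range(1, steps + 1)]

def iterate(x, strategy):
    """X^{n+1} = G_{f0}(X^n): negate the bit selected by S^n (1-based)."""
    x = list(x)
    for s in strategy:
        x[s - 1] ^= 1
    return tuple(x)

def output_distribution(n_lsc, steps, make_strategy):
    """Count each stego-content Y_K over all 2^N equiprobable hosts X."""
    counts = {}
    for x in product((0, 1), repeat=n_lsc):
        y = iterate(x, make_strategy(x, steps))
        counts[y] = counts.get(y, 0) + 1
    return counts

N_LSC, STEPS = 4, 6                          # constructed small case
CIIS = output_distribution(
    N_LSC, STEPS,
    lambda x, n: ciis_strategy(N_LSC, n, message=0.6180339, key=0.2718281))
CIDS = output_distribution(N_LSC, STEPS, cids_strategy)
if __name__ == "__main__":
    print("CIIS:", CIIS)                     # every Y reached by exactly one X
    print("CIDS:", CIDS)                     # only two Y values ever appear
```

With a strategy that does not depend on X, the iterations amount to XORing the host with a fixed mask, which is a bijection on the hosts; this is why the CIIS counts are all equal.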
7. Conclusion and future work
In this paper, the pseudorandom generator proposed in our previous works has been improved in terms of speed and randomness. By using some well-defined Lookup Tables and due to a rewrite of the way to generate strategies, the generator based on chaotic iterations works faster and is more secure. The speed and randomness of this new LUT CI PRNG have been compared to its former versions and to XORshift. This comparison shows that LUT CI(XORshift, XORshift) offers a sufficient speed and level of security for a whole range of Internet usages such as cryptography and data hiding. This generator has been used to develop a scheme in the information hiding domain, whose robustness and security have been detailed in the previous section. Further readings about the security of such a chaos-based watermarking scheme can be found in, e.g., Bahi et al. (2011, 2012).
In future work, we will continue to explore new strategies and iteration functions. Their chaotic behavior will be studied more deeply by using the various tools provided by the mathematical theory of chaos. New statistical tests will be used to compare this PRNG to existing ones. Additionally, a probabilistic study of its security will be done. Lastly, new applications in computer science will be proposed, especially in the Internet security field.
References
Bahi JM, Guyeux C. A new chaos-based watermarking algorithm. In: SECRYPT 2010, International conference on security and cryptography, Athens, Greece. p. 1–4, to appear.
Bahi JM, Guyeux C. Topological chaos and chaotic iterations, application to hash functions. In: WCCI’10, IEEE world congress on computational intelligence. Barcelona, Spain: IEEE; Jul. 2010. p. 1–7.
Bahi J, Guyeux C, Wang Q. A novel pseudo-random generator based on discrete chaotic iterations. In: INTERNET’09, 1-st international conference on evolving internet, Cannes, France; Aug. 2009. p. 71–6. [Online]. Available: http://dx.doi.org/10.1109/INTERNET.2009.18.
Bahi J, Couchot J-F, Guyeux C. Steganography: a class of algorithms having secure properties. In: IIH-MSP-2011, 7-th international conference on intelligent information hiding and multimedia signal processing, Dalian, China; Oct. 2011. p. 109–12.
Bahi J, Friot N, Guyeux C. Lyapunov exponent evaluation of a digital watermarking scheme proven to be secure. In: IIH-MSP’2012, 8-th international conference on intelligent information hiding and multimedia signal processing. Piraeus-Athens, Greece: IEEE Computer Society; Jul. 2012. p. 359–62. [Online]. Available: http://dx.doi.org/10.1109/IIH-MSP.2012.93.
Blaszczyk M, Guinee R. Experimental validation of a true random binary digit generator fusion with a pseudo random number generator for cryptographic module application. In: IET conference publications, vol. 2009, no. CP559; 2009. p. 31. [Online]. Available: http://link.aip.org/link/abstract/IEECPS/v2009/iCP559/p31/s1.
Cayre F, Fontaine C, Furon T. Kerckhoffs-based embedding security classes for WOA data hiding. IEEE Transactions on Information Forensics and Security 2008;3(1):1–15.
Cecen S, Demirer RM, Bayrak C. A new hybrid nonlinear congruential number generator based on higher functional power of logistic maps. Chaos, Solitons and Fractals 2009;42:847–53.
Devaney RL. An introduction to chaotic dynamical systems. 2nd ed. Redwood City: Addison-Wesley; 1989.
Falcioni M, Palatella L, Pigolotti S, Vulpiani A. Properties making a chaotic system a good pseudo random number generator, arXiv, vol. nlin/0503035, 2005.
Friot N, Guyeux C, Bahi J. Chaotic iterations for steganography—stego-security and chaos-security. In: Lopez J, Samarati P, editors, SECRYPT’2011, international conference on security and cryptography. SECRYPT is part of ICETE—the international joint conference on e-business and telecommunications. Sevilla, Spain: SciTePress; Jul. 2011. p. 218–27.
Knuth DE. The art of computer programming, volume 2: seminumerical algorithms, reading, mass. 3rd ed. Addison-Wesley; 1998.
Kocarev L. Chaos-based cryptography: a brief overview. IEEE Circuits and Systems Magazine 2001;7:6–21.
L’ecuyer P. Comparison of point sets and sequences for quasi-Monte Carlo and for random number generation. In: SETA 2008, vol. LNCS 5203; 2008. p. 1–17.
Li SJ, Mou XQ, Cai YL. Pseudo-random bit generator based on couple chaotic systems and its applications in stream-cipher cryptography. In: Proceedings of second international conference on cryptology, vol. 2247; 2001. p. 316–29.
Liu S, Yao H, Gao W, Liu Y. An image fragile watermark scheme based on chaotic image pattern and pixel-pairs. Applied Mathematics and Computation 2007;185:869–82.
Marsaglia G. Diehard: a battery of tests of randomness. [Online]. 1996. Available: http://stat.fsu.edu/geo/diehard.html.
Marsaglia G. Xorshift RNGs. Journal of Statistical Software 2003;8(14):1–6.
NIST Special Publication 800-22 rev1a, A statistical test suite for random and pseudorandom number generators for cryptographic applications; April 2010.
Robert F. Discrete iterations. A metric study, vol. 6. Mathematics: Springer Series in Computational; 1986.
Shujun J, Qi L, Wenmin L, Xuanqin M, Yuanlong C. Statistical properties of digital piecewise linear chaotic maps and their roles in cryptography and pseudo-random coding. In: Proceedings of the eighth IMA international conference on cryptography and coding, vol. 1; 2001. p. 205–21.
Simard R, Montral UD. Testu01: a software library in ANSI C for empirical testing of random number generators. software users guide; 2002.
Wang Q, Bahi JM, Guyeux C, Fang X. Randomness quality of CI chaotic generators. application to internet security. In: INTERNET’2010. The second international conference on evolving internet. Valencia, Spain: IEEE section ESPANIA; Sep. 2010. p. 125–30.
Wu X, Guan Z. A novel digital watermark algorithm based on chaotic maps. Physical Letters A 2007;365:403–6.
Yi X, Okamoto E. Practical internet voting system, Journal of Network and Computer Applications, no. 0; 2012. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S108480451200135X.