A Class of Maximum-Period Nonlinear Congruential Generators Derived From the Rényi Chaotic Map



816 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—I: REGULAR PAPERS, VOL. 54, NO. 4, APRIL 2007

A Class of Maximum-Period Nonlinear Congruential Generators Derived From the Rényi Chaotic Map

T. Addabbo, Student Member, IEEE, M. Alioto, Member, IEEE, A. Fort, Member, IEEE, A. Pasini, S. Rocchi, Member, IEEE, and V. Vignoli, Member, IEEE

Abstract—In this paper, a family of nonlinear congruential generators (NLCGs) based on the digitized Rényi map is considered for the definition of hardware-efficient pseudorandom number generators (PRNGs), and a theoretical framework for their study is presented. The authors investigate how the nonlinear structure of these systems eliminates some of the statistical regularities spoiling the randomness of sequences generated with linear techniques. In detail, in this paper, a necessary condition that the considered NLCGs must satisfy to have maximum period length is given, and a list of such maximum period PRNGs for period lengths up to $2^{31}-1$ is provided. Referring to the NIST800-22 statistical test suite, two PRNG examples are presented and compared to well-known PRNGs based on linear recurrences requiring a similar amount of resources for their implementation.

Index Terms—Digital circuits, nonlinear systems, random number generators (RNGs), sequences.

I. INTRODUCTION

Random number generation is a key issue in many applications, such as cryptography, stochastic simulations, testing of digital circuits and telecommunication systems [1]–[4]. In most of these applications, random numbers are generated by means of pseudorandom number generators (PRNGs), which are finite state machines that freely evolve after being initialized by an initial state (seed), chosen within the state space. The aim of a PRNG is to emulate, within the period, an information source issuing mutually independent and evenly distributed symbols, thus generating sequences that appear to be random [5]. As shown in Fig. 1, the basic architecture of a digital PRNG includes a memory block consisting of flip-flops storing the present state , an input forming logic which evaluates the next state according to the recursive relationship , and an output forming logic, which evaluates the current output . Typically, by means of a proper normalization, the function provides numbers belonging to the unit interval [0, 1). When the output takes values belonging to , the PRNG is a pseudorandom bit generator (PRBG). The architecture of Fig. 1 can be complicated by introducing further memory dependencies in the definition of the state, i.e., . Nevertheless, in such cases, by rearranging the system state space dimension with a proper expansion, the obtained system can be traced back to the architecture of Fig. 1.

Fig. 1. General architecture of a digital PRNG.

Manuscript received July 21, 2006; revised October 20, 2006. This paper was recommended by Associate Editor L. Kocarev.

T. Addabbo, M. Alioto, A. Fort, S. Rocchi, and V. Vignoli are with the Department of Information Engineering, University of Siena, Siena, 53100 Italy.

A. Pasini is with the Math Department “R.Magari,” University of Siena, Siena, 53100 Italy.

Digital Object Identifier 10.1109/TCSI.2007.890622

For the definition of the input forming logic function , linear transformations (or linear recurrences) are a popular choice. An example is the mixed multiple recursive generator

(1)

where the modulus and the order are positive integers, and the coefficients and are nonnegative integers [6], [7]. Expression (1) is used in a wide class of PRNGs which includes the well-known families of linear feedback shift registers (LFSRs) and linear congruential generators (LCGs) [5]. The use of linear recurrences allows for the definition of PRNGs which are very efficient in terms of both high throughput and low hardware (or software) complexity implementations. As a drawback, as discussed in Section V, although the theoretical background for this kind of system is nowadays strong and reliable, PRNGs based on linear recurrences typically generate sequences whose randomness is affected by some undesired regularities, and they are therefore not suitable for a wide class of applications (e.g., cryptographic applications) [8].

Nonlinear generators have been widely investigated as alternatives to generators based on linear recurrences. One well-known example is the Blum, Blum, and Shub generator, whose input forming logic is , where is the product of two distinct primes, both congruent to 3 modulo 4, and for which the initial seed has to be chosen prime with respect to [6]. Several other nonlinear generators have been proposed, and typically they do not suffer from the regularity problems as much as PRNGs based on linear recurrences. Nevertheless, as a drawback, the nonlinear generators are typically characterized by a higher computational complexity than the latter PRNGs, needing either more hardware resources or much more processor time [6], [7].

1549-8328/$25.00 © 2007 IEEE

ADDABBO et al.: CLASS OF MAXIMUM-PERIOD NLCGS DERIVED FROM RÉNYI CHAOTIC MAP 817

In the last few years, several authors suggested investigating chaotic dynamical systems for generating pseudorandom sequences [9]–[11]. In these PRNGs the input forming logic is obtained by digitizing nonlinear maps of the form , where is a system chaotic attractor. The digitization of the chaotic system is achieved by discretizing the state space and resorting to a numerical approximated computation of the map .

According to this approach, in this paper, the family of one-dimensional digitized Rényi maps proposed in [11] is considered. These maps allow for the definition of PRBGs that can be implemented with low-complexity digital circuits, and whose generated sequences perform excellently in terms of “randomness quality” [11], [12]. In this paper, these systems are classified as nonlinear congruential generators (NLCGs), and a theoretical framework for their study is presented. In detail, the authors provide a necessary condition that the proposed nonlinear PRNGs must satisfy to have maximum period length, and a list of maximum-period PRNGs for period lengths up to is given. Moreover, in this work the authors investigate how some of the statistical regularities spoiling the randomness of sequences generated with linear techniques are eliminated by the nonlinear structure of these systems. In particular, referring to the theory of Minkowski [17], the geometrical structures of generated numbers are analyzed and compared to those obtainable from PRNGs based on linear recurrences.

In detail, the paper is organized as follows. In Section II, the criteria commonly used for PRNG evaluation are briefly reviewed. In Section III, a family of PRNGs based on the Rényi map is introduced, and several theoretical properties for these PRNGs are proved. In Section IV the period of the proposed PRNGs is analyzed, whereas the ‘structures’ of the generated numbers are discussed and compared to those of traditional generators in Section V. In Section VI two examples based on the proposed nonlinear generators are presented and discussed, from both the implementation complexity and the randomness quality point of view. To improve the clarity of the paper, the proofs of several theorems presented in Sections III and IV were moved to the Appendix, after the Conclusions section.

II. COMMON CRITERIA FOR PRNGS EVALUATION

In this section, the major requirements for a good general purpose PRNG are summarized. First of all, since PRNGs operate over finite domains, pseudorandom sequences are always eventually periodic. Referring to the generic architecture of a digital PRNG reported in Fig. 1, the eventual period length of the state orbit is lower than or equal to the state space cardinality , and in general it depends on the initial seed [5]. In most cases, a steady state loop may be preceded by a transient run of length that also depends on , as depicted in Fig. 2. As shown in this figure, depending on the initial seed, several types of trajectories can be generated by a given PRNG.

Fig. 2. Typical state evolutions in PRNGs.

Since the output of a PRNG is provided by the output forming logic, an improper choice of function may lead to sequences with a period shorter than the period of the internal state. Therefore, the function , besides ensuring good statistical properties of the generated sequences, must also preserve the period length. The periodicity of the output is one of the chief aspects revealing the nonrandomness of the sequence. In stochastic simulations, a rule of thumb says that a pseudorandom sequence can be considered “safe” (in the randomness sense) if it is used within the square root of its period length [1]. Hence, when huge simulations have to be performed, very long periods must be assured ( or more), and, to achieve such long periods, the combination of several different generators is normally exploited [6].

Within the period (or rather, within a usable “safe” sequence length), a good PRNG must generate sequences of symbols with well defined statistical properties. In general, a sequence generated by an ideal random source should satisfy the null hypothesis : “the output symbols are i.i.d. with a uniform distribution”. It is obvious that for any sequence generated by a deterministic PRNG is false a priori. But such a hypothesis may still be assumed valid for practical purposes, if the generated sequences perform adequately in terms of statistical properties.

The randomness degree of pseudorandom sequences is evaluated by means of statistical tests devised for the verification of the null hypothesis . There is a large number of tests [1], [6], [13], even though no specific finite test set can be deemed “complete,” or can assure a predefined ‘randomness’ level of the source. In practice, a battery of statistical tests should be selected in close relationship with the target of the application: when general purpose PRNGs are considered, the Diehard battery of tests is often used [1]; otherwise, when cryptographic applications are addressed, the NIST 800-22 test suite is the standard reference for RNG testing [13] (a few details about this test suite are given in Section VI).

III. DIGITIZED RÉNYI MAP

In PRNGs based on the digitization of chaotic maps, the input forming logic realizes a discretized version of a continuous map , by both evaluating and representing the real-valued state with a finite -bit precision. Even though both the map and the representation of the digitized state can be arbitrarily chosen, solutions requiring low hardware complexity implementations are to be preferred. From this point of view, chaotic piecewise-linear maps are good candidates for implementing the input forming logic, since their analytical structure involves simple mathematical operations. In this paper, we consider the chaotic Rényi map defined as

(2)

Fig. 3. Plot of map (8) for the parameter value 8.32125 and n = 5. The state space is partitioned in 11 sub-domains in which the restrictions of the map have a linear form.

where , and for any nonnegative real numbers. The floor function returns the greatest integer lower than or equal to the argument.

In the following, denotes the digitized state, i.e., an -bit fixed-point representation of the system state such that

(3)

According to (3), the digitized state values are rational numbers in [0,1), and the discretized state space cardinality is .

For the finite precision evaluation of (2), the truncation approximation strategy is considered, i.e.,

(4)

Since (4) must be implemented on finite state machines, can be in general any rational number greater than 1 and whose binary representation requires a finite number of digits (this topic is discussed in detail further on). By means of the isomorphism, the discretized state space defined in (3) can be related to the set of natural numbers

(5)

and a function can be defined as

(6)

From a dynamical point of view, function is equivalent to (4), and in the following we refer to (6) for the definition of the input forming logic of the PRNGs proposed in this paper. Moreover, being , the -plet is the PRNG state value stored in the -bit register in Fig. 1.

A. The Analytical Structure of the Input Forming Logic

The rational parameter can be written as the sum of an integer part and a fractional part . Accordingly, (6) can be rewritten as

(7)

If , the previous expression can be rewritten as

if

if...

if

(8)

where . In Fig. 3, an example of map (8) with and is shown. As it can be seen, the discrete domain is partitioned in sub-domains in which (8) has a linear form. It is worth noting that each one of these subsets contains at least one integer, since by construction the first sub-domains are subsets of integers included in real intervals with length , and the last sub-domain contains the number . Since the function maps the finite discrete domain into itself, it follows that the number of different discrete systems achievable by varying the rational parameter in (6) must be finite. In particular, in the Appendix we prove the following.

Property 1: Given , there exists an infinite countable set of rational values such that it results .

According to this property, two different parameters in (6) can be defined ‘equivalent’ if they define the same discrete map , and the infinite countable set of rational parameters can be partitioned in equivalence classes, each one referred to a different map.

Determining the number of equivalence classes, and writing a complete set of class-representative values, is a nontrivial problem. To further investigate this issue, the authors proved in the Appendix the following.

Property 2: For any given rational (being the fractional part of ), there exist (and no more than ) different discrete maps. Moreover, if (being the integer part of ) such that , then .

Since Property 2 assures that given a value there exist exactly different maps, the point now is to find, for a given value , a minimal set of values that identifies all the different maps obtainable for that value. Concerning this issue, if we define the set

(9)

from the above discussion it follows that the problem of writing a complete set of class-representative values is related to the problem of determining the cardinality of the set (see Fig. 4).

Fig. 4. Subset of the different sets ⌊ ⌋ obtained for n = 6 and ∈ {0.05p : p ∈ ℕ, 0 ≤ p < 20}.

In the following subsection, we introduce a special subset of systems (7) for which this problem is solved.

B. Class of Efficient NLCGs

Due to the nonlinear effect of the truncation, systems based on (7) can be referred to as NLCGs [6], [7]. In this paper, the authors focused on the subset of maps (7) in which the fractional part of can be written as

(10)

for some integer .

Property 2 assures that one can analyze completely the system family (7) by just considering for the integer part of values in the range . Accordingly, by discarding the trivial case and referring to assumption (10), expression (7) for can be rewritten as

(11)

with positive integers and odd positive integer. The quantity is the factorization of in odd and even components, and odd values for the integer part of are obtainable by setting .

In what follows, for (11), it is shown that it is possible to calculate the total number of different maps achievable by varying the system parameters, and that efficient digital hardware implementations are achievable.

As far as this latter issue is concerned, the implementation of (11) requires one multiplier and one adder: indeed, since the quantity can be evaluated with a left shift of , one multiplier is sufficient to evaluate , and just one adder is necessary to evaluate the sum in (11) since is obtained by a bit right shift of , and the modulo operation is directly performed by collecting the least significant bit of the sum result.

As far as the calculation of the total number of different maps achievable by varying the system parameters in (11) is considered, since if then , it is immediate to verify the following.

Property 3: If system (11) is an LCG.

Furthermore, in the Appendix the following is proved.

Property 4: By varying , and in (11), different maps are defined.

IV. PERIOD OF THE PROPOSED NLCGS

While they benefit from the typical irregular behavior of nonlinear dynamics, nonlinear generators can hardly be placed into a unique general theoretical framework. This is a well-known problem when discretized chaotic systems are considered: in such situations, only heuristic results have been found about the effects of the state space discretization on the dynamics. In particular, it is worth mentioning the seminal work of Binder and Jensen and the study of Beck and Roepstorff about the eventual period length of discretized chaotic systems, and other more recent publications, in which general heuristic considerations are presented [10], [14]–[16]. On the other hand, the contribution of this paper is to obtain some results derived from a theoretical study, even if this approach forces us to restrict the research field to a special class of PRNGs. In particular, a necessary condition for achieving maximum period lengths is provided for a family of nonlinear PRNGs based on (11).

By inspecting (11), it immediately follows that, regardless of the system parameters, the state is a fixed point that must be skipped in the choice of the initial seed (the same happens for several PRNGs based on linear recurrences, e.g., the LFSRs). Accordingly, for these systems the maximum achievable period length is lower than or equal to the quantity .

To give a better insight into the structure of these NLCGs, we now introduce a simple example in which, with reference to (11), and , and therefore . As shown in Fig. 5, with these parameter values the system has maximum period , regardless of the choice of the initial seed in the set . This example shows that an NLCG based on (11) exists such that its period length reaches , and the authors were concerned with determining how in general the parameters must be set to obtain such maximum period NLCGs. Despite the simplicity of the analytical form (11), due to the presence of truncation, the problem is not trivial, and a sufficient condition to ensure this result is still unknown. In previous works, the same authors dealt with this problem resorting to computer simulations. With the present CPU speeds this approach is possible only for small values of as, in the general case (6), the number of different maps to be analyzed is greater than .

In this paper, a necessary condition is found that systems (11) must satisfy in order to have maximum period, which reduces by a factor the number of maps to be investigated.

In detail, it is trivial that if a PRNG based on (11) has maximum period , then (11) is invertible: indeed, if the NLCG (11) has maximum period then the state is an isolated fixed point and each state in the orbit must have a single predecessor.

Fig. 5. Plot of the map (11) for the parameter value 6.25 and n = 3. The point k = 0 is an isolated fixed point, and for any initial seed other than 0 the system has maximum period $2^{3}-1 = 7$.

On this basis, the main theoretical result of this paper is given by the following proposition (the proof is reported in the Appendix).

Proposition 1: Function defined in (11) for and is invertible if and only if .

Proposition 1 provides a necessary condition for system (11) to have maximum period length, reducing the cardinality of the set of nonlinear maps (11) to be analyzed from to . Accordingly, system (11) with was simulated for ranging from 2 to 31 and all the systems having maximum period length are reported in Table I. In this table, the factorization of the period length is also given: as discussed in Section VI this is useful information when two or more PRNGs are combined for the achievement of longer period lengths.
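The period and invertibility checks of this section, as an added C example that is not code from the paper: it iterates k → ⌊beta·k⌋ mod 2^n with beta equal to an integer part plus 2^-i, reports the transient and eventual period of an orbit, and tests whether the map is a permutation of the state space. The form of the map is inferred from the Fig. 5 and Fig. 7 captions and the shift-and-add description in Section III-B; the name beta, the function names, the 24-bit size bound and the non-invertible case 5.25 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added illustration, not code from the paper. All names are hypothetical. */
#define NLCG_MAX_BITS 24u   /* bound chosen here to keep the tables small */

/* One step of k -> floor(beta * k) mod 2^n with beta = a + 2^-i:
 * a * k is the integer-part product, k >> i is floor(k / 2^i), and the
 * modulo keeps the n least significant bits. Callers ensure i < 32. */
static uint32_t nlcg_step(uint32_t k, uint32_t a, unsigned i, unsigned n)
{
    uint64_t mask = (1ULL << n) - 1;
    return (uint32_t)(((uint64_t)a * k + (k >> i)) & mask);
}

/* 1 if the map is a permutation of {0, ..., 2^n - 1} (invertible),
 * 0 if two states share a successor, -1 on bad arguments. */
static int nlcg_is_permutation(uint32_t a, unsigned i, unsigned n)
{
    if (n == 0 || n > NLCG_MAX_BITS || i >= 32) return -1;
    uint32_t size = 1u << n;
    unsigned char *hit = calloc(size, 1);
    if (!hit) return -1;
    int ok = 1;
    for (uint32_t k = 0; k < size && ok; k++) {
        uint32_t next = nlcg_step(k, a, i, n);
        if (hit[next]) ok = 0;          /* second predecessor found */
        hit[next] = 1;
    }
    free(hit);
    return ok;
}

struct nlcg_orbit { uint32_t transient; uint32_t period; };

/* Transient length and eventual period of the orbit started at seed
 * (the two quantities of Fig. 2). period == 0 signals an error. */
static struct nlcg_orbit nlcg_orbit_from(uint32_t seed, uint32_t a,
                                         unsigned i, unsigned n)
{
    struct nlcg_orbit r = {0, 0};
    if (n == 0 || n > NLCG_MAX_BITS || i >= 32) return r;
    uint32_t size = 1u << n;
    if (seed >= size) return r;
    uint32_t *first = malloc((size_t)size * sizeof *first);
    if (!first) return r;
    for (uint32_t k = 0; k < size; k++) first[k] = UINT32_MAX;

    uint32_t k = seed, step = 0;
    while (first[k] == UINT32_MAX) {    /* walk until a state repeats */
        first[k] = step++;
        k = nlcg_step(k, a, i, n);
    }
    r.transient = first[k];             /* steps before entering the loop */
    r.period = step - first[k];         /* length of the loop */
    free(first);
    return r;
}

int main(void)
{
    static const struct { const char *label; uint32_t a; unsigned i, n; } cases[] = {
        {"Fig. 5 map, 6.25, n = 3", 6, 2, 3},
        {"Fig. 7 map, 108.015625, n = 8", 108, 6, 8},
        {"constructed non-invertible map, 5.25, n = 3", 5, 2, 3},
    };
    for (size_t c = 0; c < sizeof cases / sizeof cases[0]; c++) {
        uint32_t size = 1u << cases[c].n, min_p = UINT32_MAX, max_p = 0, max_t = 0;
        for (uint32_t s = 1; s < size; s++) {   /* seed 0 is the fixed point */
            struct nlcg_orbit o = nlcg_orbit_from(s, cases[c].a, cases[c].i, cases[c].n);
            if (o.period < min_p) min_p = o.period;
            if (o.period > max_p) max_p = o.period;
            if (o.transient > max_t) max_t = o.transient;
        }
        printf("%s: permutation=%d, period min=%u max=%u, longest transient=%u\n",
               cases[c].label,
               nlcg_is_permutation(cases[c].a, cases[c].i, cases[c].n),
               (unsigned)min_p, (unsigned)max_p, (unsigned)max_t);
    }
    return 0;
}
```

A map that fails the permutation check cannot reach the maximum period, so the check is a cheap filter to run before the full orbit search.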

V. GEOMETRY OF GENERATED NUMBERS

The name “Geometry of Numbers” was introduced by Minkowski [17] more than 100 years ago, and indicates a branch of mathematics involving both number theory and geometry. When PRNGs are concerned, some of the theoretical results achieved within the Geometry of Numbers provide useful tools for investigating and highlighting any regular structure, which can be present in the generated sequences. This can be accomplished through the analysis of -tuples of values taken from the trajectories described within the state space by the PRNG [7].

TABLE I
MAXIMAL PERIOD LENGTH SYSTEMS (11) FOR n RANGING FROM 3 TO 31

On these bases, to better analyze and compare different kinds of generators, in this section the discrete state space is normalized as to fit the unit interval [0, 1), and instead of (5) the following set is considered:

(12)

In accordance with (12), and referring to a specific normalized state trajectory , for a given -tuple of integers , with if , the sequence of -tuples is a trajectory of points belonging to the unit hypercube . We now briefly recall some fundamental definitions and basic results from the Geometry of Numbers [17].

Definition: Given an -tuple of linearly independent vectors in the Euclidean space , an (integer) lattice in is the set of all linear combinations with integer coefficients of . The -tuple is called a basis of the lattice .

A lattice admits an infinitely countable set of different bases, called fundamental parallelotopes of . The vectors of are usually represented as lattice points, and the origin is always a lattice point. As a final remark, for a given vector is the shift of by in , i.e., .

A. Lattice Structures in Sequences Generated by Linear Recurrences Based PRNGs

Integer lattices have a key role in the analysis of PRNGs based on linear recurrences. In particular, with reference to (1), it is a known result that for any system parameter values, and for any -tuples of integers a shifted lattice exists, with , that contains the following sequence of -tuples [6], [7]

(13)

As a result, the -tuples collected from the output of PRNGs based on linear recurrences always lie on a set of parallel equidistant hyperplanes in . In Fig. 6 two examples of these lattice structures in are presented for the LCG . As it can be seen, depending on the choice of the -tuple , the obtained regular distributions can be more or less evenly distributed in the unit hypercube . The graphical results obtained in this example are typical for PRNGs based on linear recurrences. When the -tuple is equal to , then -tuples (13) made of successive outputs are taken into account. A special interest is addressed to those generators able to generate an almost uniform distribution of these points in the hypercube [0,1) [6], [7]. On the other hand, points that are uniformly distributed but too regularly placed (for instance on a lattice) fail to imitate randomness, as do points whose distribution is too far from a uniform distribution. These issues are well-known within the statisticians community, and specific statistical tests (usually indicated as spectral tests) have been devised for evaluating these features in sequences collected from pseudo and truly random number generators.

Fig. 6. Sets of two-dimensional points (x̃ , x̃ ) (above) and (x̃ , x̃ ) (below) produced by x̃ = k /128, where k = (17k + 127) mod 128. In the upper plot, a basis (v , v ) and the corresponding fundamental parallelotope of the shifted two-dimensional lattice structure (L + w) are highlighted.

B. Distorted Lattice Structures of the NLCGs (11)

Since the analytical expressions of an NLCG based on (11) and of an LCG are similar, the authors investigated in this paper how the nonlinear effects of truncation in (11) modify the regular lattice structures obtained with the LCGs. As an interesting result, computer simulations have pointed out that the truncation causes an asymmetrical deformation of the typical LCG lattice structure, and assures, in several cases, distributions of points which appear to be random. Some examples of these effects are shown in Fig. 7, where different sets of points in are plotted for the NLCG (11), chosen from Table I, with . At a first look, in the upper left plot, the points seem to have a regular structure in the square . Actually, a deeper investigation highlights that several of these points are slightly displaced with respect to a regular lattice. From this point of view, the effect of truncation has an amplified effect on the overall distribution when sets of points , with , are considered (Fig. 7). On the other hand, depending on the system parameter values, the overall distribution of these points may present undesired defects in its uniformity, as shown in Fig. 8.

These complex structures (whose shapes recall similar pattern formations found in the analysis of several nonlinear dynamical systems or cellular automata [18]–[20]) have been detected also for other nonlinear PRNGs, such as the Inversive Congruential Generator [7]. The link between the shape of these structures and the choice of system parameters for the maximum-period PRNGs derived from (11) is unknown to the authors, as actually it is to the scientific community for the majority of nonlinear PRNGs. This points out that the randomness level of the proposed maximum-period NLCGs depends on the parameter values, and that it has to be evaluated for each different generator by means of, e.g., standard statistical tests.

VI. IMPLEMENTATION OF TWO PRBGS BASED ON (11)

In this section two approaches for the implementation of PRBGs based on the dynamical system (11) are discussed. Referring to the NIST800-22 standard statistical test suite, the first approach has the objective of minimizing the implementation complexity while achieving adequate statistical performance, and it is based on the realization of (11) as it is, according to the architecture of Fig. 1. Alternatively, when the statistical performance of the PRBGs obtained with this approach is not satisfactory, the combination of different systems implementing (11) can be adopted. Obviously, by selecting the second approach, the requirements on the implementation complexity must be relaxed.

A. A 24-Bit Nonlinear PRBG

Among the systems in Table I, let us focus on a PRBG basedon the unique system for , with period length equal to

bits, that is a reasonable period length

ADDABBO et al.: CLASS OF MAXIMUM-PERIOD NLCGS DERIVED FROM RÉNYI CHAOTIC MAP 823

Fig. 7. Sets of two-dimensional points (x̃ , x̃ ) (upper left), (x̃ , x̃ ) (upper right), (x̃ , x̃ ) (lower left), (x̃ , x̃ ) (lower right), produced by x̃ = k/256, where k = ⌊108.015625 k⌋ mod 256, which is obtained by setting q = 27, i = 6, n = 8 in (11).

in several practical applications [1], [5]. The input forming logic is extremely simple in both hardware and software implementations. An efficient software implementation for this system is provided by the following C code:

    unsigned long IFL(unsigned long k)
    {
        /* keeps the 24 least significant bits of the result */
        static unsigned long mask = 0x00FFFFFF;
        static unsigned long B = 0x0059A564;
        static unsigned long p;

        /* multiply the state by B and add the top two bits of the 24-bit state */
        p = k * B + (k >> 22);
        p = p & mask;
        return p;
    }
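The routine above can be exercised directly. The following C program is an added example, not code from the paper: it reads the update line as `k * B + (k >> 22)`, checks that the map permutes the 2^24 states, shows that state 0 is a fixed point (so a zero seed produces a constant output), and measures the cycle length from a given seed. The helper names `ifl`, `out_bit`, `is_permutation` and `cycle_length` are introduced here for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N_BITS 24u
#define SHIFT  22u                       /* right shift used in the routine */
#define MASK   ((1u << N_BITS) - 1u)
#define B      0x0059A564u

/* One state update: multiply by B, add the top two bits of k, keep 24 bits. */
static uint32_t ifl(uint32_t k)
{
    return (uint32_t)(((uint64_t)k * B + (k >> SHIFT)) & MASK);
}

/* Output forming logic: most significant bit of the 24-bit state. */
static int out_bit(uint32_t k)
{
    return (int)((k >> (N_BITS - 1u)) & 1u);
}

/* Returns 1 if ifl() maps the 2^24 states onto themselves without collisions. */
static int is_permutation(void)
{
    static uint8_t seen[(1u << N_BITS) / 8u];   /* one bit per state */
    memset(seen, 0, sizeof seen);
    for (uint32_t k = 0; k <= MASK; k++) {
        uint32_t p = ifl(k);
        if (seen[p >> 3] & (1u << (p & 7u)))
            return 0;                           /* two states share an image */
        seen[p >> 3] |= (uint8_t)(1u << (p & 7u));
    }
    return 1;
}

/* Number of steps until the state returns to seed; 0 if it never does. */
static uint32_t cycle_length(uint32_t seed)
{
    uint32_t k = seed, steps = 0;
    do {
        k = ifl(k);
        steps++;
    } while (k != seed && steps <= MASK);
    return (k == seed) ? steps : 0;
}

int main(void)
{
    uint32_t k = 1;

    printf("ifl(0) = %u: zero is a fixed point and must not be used as a seed\n",
           (unsigned)ifl(0));
    printf("map is a permutation of the state space: %s\n",
           is_permutation() ? "yes" : "no");
    printf("cycle length from seed 1: %u (nonzero states: %u)\n",
           (unsigned)cycle_length(1), (unsigned)MASK);

    printf("first 32 output bits from seed 1: ");
    for (int j = 0; j < 32; j++) {
        putchar('0' + out_bit(k));
        k = ifl(k);
    }
    putchar('\n');
    return 0;
}
```

Comparing the printed cycle length with the number of nonzero states is a direct check of the maximum-period property for this parameter set.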

The digital hardware implementation is also simple: one multiplier and one adder with little additional logic. For the proposed PRBG, the output forming logic outputs the most significant bit of the state register containing the current state: as confirmed by the experimental results, this choice assures good statistical properties to the binary output sequences, and it does not require additional resources with respect to those required by the input forming logic. The PRBG was tested by means of the standard NIST 800-22 test suite for cryptographic applications. This standard comprises 16 tests, each one devised for analyzing a different statistical property of the source. The tests included in this standard are: frequency, block frequency, runs, longest runs, matrix rank, spectral, nonoverlapping template (NOT) matching, overlapping template (OT) matching, universal, Lempel–Ziv, linear complexity, serial, approximate entropy,


Fig. 8. Sets of two-dimensional points (x̃ , x̃ ) (left) and (x̃ , x̃ ) (right) produced by two NLCGs (11), selected within those in Table I, with parameters q = 3, i = 2, n = 9, and q = 3, i = 2, n = 11, respectively.

cumulative sums, random excursions, random excursion variant [13]. Each test must be performed on a finite sequence of contiguous bits and as an output it provides a P-value, which is a real number belonging to [0, 1], that expresses the probability, for an ideal random source, to generate an -bit sequence that deviates from its expected values more than the given -bit sequence. Accordingly, the lower the obtained P-value, the “less random” an examined sequence is classified. Each test is successfully passed when the collected P-value is greater than a critical threshold . In this paper, was used (this means that an ideal random source fails the test once in 100 trials, on the average), which is a commonly adopted choice [13]. Since the collected P-values are dependent on the input sequences, they are assumed to be random variables whose distribution in [0, 1] depends on the tested source. When the sequences are generated by an ideal random binary source, theory states that P-values must be distributed uniformly in [0, 1].

Once different sequences have been tested with a given test, even if the source is an ideal random source the number of fails may deviate from the expected value , and typically a three-σ criterion is adopted, accepting a tolerance range of

. After collecting P-values for each test, a Goodness-of-Fit Distributional Test is performed to check if these values are uniformly distributed in [0, 1]. This last computation provides a U-value, and U-values greater than are assumed compatible with an ideal random source [13].

For the proposed PRBG, the 16 tests of the NIST 800-22 suite were performed on 200 different sequences of bits obtained by initializing the system with different random seeds, and the results are summarized in the first two columns of Table II. The column Ratio reports the ratio between the number of successes and the number of trials, whereas the

column U-value reports the output of the Goodness-of-Fit Distributional Test performed on the collected P-values. When

= 200, according to the three-σ criterion mentioned above, the accepted range for the Ratio column is approximately [0.9689, 1.0000]. In Table II the test results for the proposed PRBG are compared with those obtained for a 24-bit LCG and a 24-bit LFSR. The LFSR and the LCG chosen for this comparison are characterized by a comparable amount of resources required for their implementation: in particular the considered LCG has an input forming logic of the form

, whereas the primitive polynomial of the LFSR is . Similarly to what is done for the proposed nonlinear PRBG, in both cases the most significant bit of the state register was picked out for generating the binary sequences. It is worth noting that the choice of the two specific systems does not affect the general significance of the comparison with the proposed PRBG, since—as discussed in the following—the whole family of these systems based on linear recurrences typically performs in the same way with respect to some critical tests. By inspecting Table II, it is interesting to note that—with one single exception—the proposed PRBG generates sequences whose estimated passing ratios are always greater than 0.97 and that no test is ever badly failed, that is, no test presents a Ratio value equal to 0 (the same does not happen for the other two PRBGs). The only test for which the passing ratio is not satisfactory is the Non Overlapping Templates. The purpose of this test is to detect generators that produce too many occurrences of given nonperiodic patterns of 9 bits. Among the 148 different patterns considered in the test, for 7 patterns only the ratio is below the acceptable minimum, and the value reported in Table II is the worst. Moreover, the collected P-values are not uniformly distributed in this and in other two tests. These results are


TABLE II. RESULTS OF THE SP800-22 TEST SUITE FOR THE 24-BIT PROPOSED NONLINEAR PRBG. THE SAME TESTS WERE PERFORMED ON SEQUENCES COLLECTED FROM A 24-BIT LCG AND A 24-BIT LFSR

particularly encouraging, especially when considering that the proposed PRBG has a very low implementation complexity. In fact it must be pointed out that much more complex generators proposed in literature perform in the same way or worse [13].

It is interesting to make a further comparison between the proposed PRBG and the other two generators. In particular, both the considered LFSR and LCG badly fail the Spectral test, whose purpose is to detect periodic features. When LCGs are used, the presence of periodic templates is directly related to the periodicity of the lattice structure, as discussed in Section V, whereas this problem is absent for the proposed Nonlinear Congruential PRBG.

To the authors' knowledge, among the PRBGs proposed in literature, this nonlinear one is the best (in terms of statistical test passing capabilities) that can be implemented with such a limited amount of resources, and this is particularly relevant when hardware implementations are considered [13].

B. A 32-Bit Combined PRBG

The second example of PRBG presented in this paper is based on the combined use of two of the systems presented in Table I. The advantages of designing a PRBG by combining two dynamical systems according to, e.g., the block scheme of Fig. 9, are the possibility of achieving a global period equal to the product of the periods of the single systems, and, more generally, the possibility of achieving a better global statistical performance than the one obtainable from each single stand-alone system [6].

In general, the simplest way to combine two or more generators is to build the output sequence by means of a function of the different internal states. When the period lengths of the combined generators are prime to each other, an overall period

Fig. 9. Architecture of a digital PRNG obtained from the combination of two autonomous systems.

length which is equal to the product of the single ones can be obtained. Typically, the output forming logic performs the bitwise addition modulo 2 of the different states (i.e., by exclusive or).

Combining different systems does not always improve the quality of the generated sequences: on the contrary, in some cases it can make things worse, and therefore an analysis of the behavior of the combined systems has to be performed [5]. While a theoretical analysis is possible for generators based on linear recurrences, which in any case represent good candidates for implementing fast and reliable (from a theoretical point of view) long period PRNGs [6], for nonlinear dynamical systems the behavior of the combined system cannot in general be predicted starting from a theoretical analysis. For this reason the design of such systems must exploit heuristic strategies such as computer simulations or a posteriori analysis with statistical tests. This


TABLE III. RESULTS OF THE SP800-22 TEST SUITE FOR THE 32-BIT COMBINED GENERATOR

approach was used in this work to analyze the behavior of the systems presented in Table I.

On these bases, in this subsection a 32-bit combined generator based on the architecture of Fig. 10 is presented. The PRBG is obtained by combining two systems in Table I, characterized by

and by , respectively. With this choice the global internal state is stored in a 32-bit register (the initializing seed is also a 32-bit integer). The output forming logic of each subsystem picks up the most significant bit of the sub-state, and the output bit sequence is obtained from the exclusive or of the two sub-sequences.

Since and are relatively prime, as it can be seen from the factorization reported in Table I, the combined generator has a period length of bits. The obtained sequences were tested by the NIST SP800-22 standard suite, similarly to what was done for the 24-bit PRBG of the previous example. In this case all of the tests are successfully passed, both satisfying the accepted ratio between success and trials and satisfying the uniformity of the distribution of the collected P-values. The results are summarized in Table III.

VII. CONCLUSION

In this paper, a family of maximum-period NLCGs based on the digitized Rényi map is presented within an original theoretical framework. The authors investigated how the nonlinear structure of these systems eliminates some of the statistical regularities spoiling the randomness of sequences generated with linear techniques. A list of maximum-period generators for period lengths up to , is presented. These NLCGs can be used to design efficient PRBGs both from the implementation and the statistical performance point of view, as shown by the examples reported in the paper.

APPENDIX

Several intermediate points gathered in this Appendix are a direct consequence of well-known results achieved in number theory and modular arithmetic. For an introductory review of this subject the reader is referred to [21], [22]. In the following, for any two integers we write if an integer exists such that , i.e., we say that divides .

Property 1: (from Section III). Given , there exists an infinite countable set of rational values such that it results .

Proof: Since is countable, it is sufficient to show that for any there exists an infinite set of values such that

. In detail, if for each we write , it results

.

Property 2: (from Section III). For any given rational

(being the fractional part of ), there exist (and no more than ) different discrete maps. Moreover, if (being the integer part of ) such that , then

.

Proof: Since then and

. Accordingly, if then (7) implies that and . On the

other hand, since if an integer always exists such that , then the natural exists such that , .

Property 4: (from Section III). By varying , and in (11), different maps are defined.

Proof: Since then it immediately follows

that if then , and assuming is equivalent to assuming in (7). On the other hand, in the proof of Property 2, we have shown that for each

the natural exists such that . Accordingly, let us now consider and such that , and let us suppose , that implies either or, if . In the first case, regardless of the choice of and , in the proof of Property 2 it is shown that . If instead and , we have that

if and only if . Accordingly, if

then for any integer we have and

. Summarizing, by varying and such that , and by varying in the range different maps are defined.

Proposition 1: (from Section IV). Function defined in (11) for and is invertible if and only if .

Proof: We first prove that if then (11) is invertible. Secondly, we show that if either or

then (11) is not invertible. Accordingly, let’s first assume . If then (11) is equal to the expression of a LCG of the form .


Since , is invertible. On the other hand, if let’s notice that if for some

then

(A1)

If we divide both terms of (A1) by we have

which implies, since is an integer, that and

that a positive integer must exist such that

(A2)

Since we have that from which . From the assumption it follows that and that (A1) is equal to

(A3)

Since , (A3) implies that a nonnegative integer must exist such that , which is equivalent to writing . Using this result in (A2) with we have

(A4)

which implies that and that .

We have now to prove that if either or

then (11) is not invertible. Let’s first start assuming , and let be equal to and . Accordingly and

, and (11) is not invertible. Finally, to complete the proof, let’s assume . We show that two natural numbers exist, with

, such that . When then and (A1), (A2) are equal to

(A5)

(A6)

where . Equation (A6) implies that

(A7)

and that a nonnegative integer exists such that

(A8)

Substituting (A6) and (A8) in (A5), dividing both terms by we obtain

(A9)

Since , an odd natural exists such that .

Accordingly, (A9) can be rewritten as

(A10)

By defining the odd integer , (A10) admits a solution , with , if there exists a value, with , such that

(A11)

As it has been shown before, if (A10) implies that

and this is a trivial result. Since we are interested in proving that (11) is noninvertible when , we prove now that for some (A11) is satisfied. First, it is worth noting that since is odd , and function is invertible over . To conclude the proof, we proceed ab absurdo, assuming that for

(A11) is not satisfied, i.e.,

(A12)

Since is invertible, by varying we collect different elements in the set . Let’s choose two different integers such that

, and let’s define . In general, it is either or , and in both cases .

In the first case, it results

. In the second case, it results

, that is . Therefore, in both cases it results and, as a

consequence, the minimum distance must be greater than or equal

to . On the other hand, since according to our hypothesis the function identifies, by varying and for each

different values within the interval , the minimum distance which separates two consecutive mapped elements must satisfy the relationship

(A13)

where is the number of intervals identified by the different values of .

Expression (A13) involves , and therefore the resulting constraint for is , which implies

. In other words, the above result implies that the different results of within the interval must be exactly spaced by , with the lowest value exactly set to . Accordingly it should be , but this is absurd since is always odd and cannot be divided by .

REFERENCES

[1] J. E. Gentle, Random Number Generation and Monte Carlo Methods, 2nd ed. New York: Springer, 2003.

[2] R. David, Random Testing of Digital Circuits: Theory and Application. New York: Dekker Inc., 1998.

[3] A. Menezes, P. Van Oorschot, and S. Vanstone, Handbook of Applied Cryptography. Boca Raton, FL: CRC, 1997.

[4] M. P. Kennedy, R. Rovatti, and G. Setti, Eds., Chaotic Electronics in Telecommunications. Boca Raton, FL: CRC, Jun. 2000.

[5] D. Knuth, The Art of Computer Programming vol 2: Seminumerical Algorithms, 2nd ed. Reading, MA: Addison-Wesley, 1981.

[6] P. L’Ecuyer, “Uniform random number generation,” Ann. Operat. Res., vol. 3, no. 1, pp. 77–120, Dec. 1994.

[7] S. Tezuka, Uniform Random Numbers: Theory and Practice. Norwell, MA: Kluwer, 1995.

[8] A. M. Frieze, J. Hastad, R. Kannan, J. C. Lagarias, and A. Shamir, “Reconstructing truncated integer variables satisfying linear congruences,” SIAM J. Comput., vol. 17, no. 2, pp. 262–280, Apr. 1988.

[9] M. Jessa and M. Walentynowicz, “Statistical properties of number sequences generated by 1-D chaotic maps considered as a potential source of pseudorandom number sequences,” Proc. ICECS 2001, vol. 1, pp. 449–455, 2001.

[10] L. Kocarev, G. Jakimoski, and Z. Tasev, “Chaos and pseudo-randomness,” in Chaos Control. New York: Springer, 2003.

[11] T. Addabbo, M. Alioto, A. Fort, S. Rocchi, and V. Vignoli, “Low hardware complexity PRBGs based on a piecewise-linear chaotic map,” IEEE Trans. Circuits Syst. II, Exp. Briefs, vol. 53, no. 5, pp. 329–333, May 2006.

[12] M. Alioto, S. Bernardi, A. Fort, S. Rocchi, and V. Vignoli, “An efficient implementation of PRNGs based on the digital sawtooth map,” Int. J. Circuit Theory App., vol. 32, pp. 615–627, 2004.

[13] National Institute for Standards and Technology, A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications, Special publication 800-22, 2001.

[14] P. M. Binder and R. V. Jensen, “Simulating chaotic behavior with finite-state machines,” Phys. Rev. A, vol. 34, pp. 4460–4463, 1986.

[15] C. Beck and G. Roepstorff, “Effects of phase space discretization on the long-time behavior of dynamical systems,” Phys. D25, pp. 173–180, 1987.

[16] N. Masuda and K. Aihara, “Dynamical characteristics of discretized chaotic permutations,” Int. J. Bifurc. Chaos, vol. 12, no. 10, pp. 2087–2104, Oct. 2002.

[17] P. M. Gruber and C. G. Lekkerkerker, Geometry of Numbers, 2nd ed. Amsterdam, The Netherlands: North-Holland, 1987.

[18] CNN: A paradigm for complexity. Singapore: World Scientific, 1998.

[19] P. Thiran, G. Setti, and C. Serpico, “Dynamics pattern formation in cellular neural networks,” in Proc. Int. IEE Symp. on Neuro-Fuzzy Syst., 1996, pp. 1–7.

[20] S. Wolfram, A New Kind of Science. Champaign, NC: Wolfram Media, 2002.

[21] G. H. Hardy and E. M. Wright, An Introduction to the Theory of Numbers, 5th ed. New York: Oxford Univ. Press, 1983.

[22] R. Lidl and H. Niederreiter, Introduction to Finite Fields and Their Applications. Cambridge, U.K.: Cambridge Univ. Press, 1986.

Tommaso Addabbo (S’04) received the Dr. Eng. degree in telecommunication engineering in 2003 from the University of Siena, Siena, Italy, where he is currently working toward the Ph.D. degree in information engineering.

His main research interests include nonlinear circuits and systems, stochastic aspects of dynamics and analog circuits design. In 2005, he spent half a year as a Visiting Scholar at the Institute of Nonlinear Science at the University of California in San Diego.

Massimo Alioto (M’01) was born in Brescia, Italy, in 1972. He received the laurea degree in electronics engineering and the Ph.D. degree in electrical engineering from the University of Catania, Catania, Italy in 1997 and 2001, respectively.

In 2002, he joined the Dipartimento di Ingegneria dell’Informazione (DII) of the University of Siena, Siena, Italy, as a Research Associate and in the same year as an Assistant Professor. Since 2001, he has been teaching undergraduate and graduate courses on basic electronics, microelectronics and digital electronics. His primary research interests include the modeling and optimized design of bipolar and CMOS high-performance digital circuits in terms of high-speed or low-power dissipation, as well as arithmetic circuits. He has authored or co-authored more than 50 journals and conference papers. He is coauthor of the book Model and Design of Bipolar and MOS Current-Mode Logic: CML, ECL and SCL Digital Circuits (Springer, 2005).

Ada Fort (S’92–M’94) received the laurea degree in electronic engineering from the University of Florence, Florence, Italy, in 1989, and the Ph.D. degree in nondestructive testing from the same university in 1992.

She is currently an Associate Professor in the Department of Information Engineering, University of Siena, Siena, Italy. Her interests concern the development of measurement systems based on chemical and ultrasonic sensors, and the development of automatic fault diagnosis systems. Recently she has been involved in the study and the development of random number generators based on chaotic maps.

Antonio Pasini was born in Faenza, Ravenna, Italy, in 1947. He received the Laurea degree in mathematics from the University of Bologna, Bologna, Italy, in 1970.

From 1971 to 1972, he served in the Italian Army. He worked at the University of Florence, Florence, Italy, from 1972 to 1974 and at the University of Siena, Siena, Italy, from 1974 to 1986. From 1986 to 1993 he has worked at the University of Naples “Federico II” (Faculty of Engineering) as Full Professor. From 1993 till today, he has been with the University of Siena (Faculty of Engineering), as Full Professor. His main research interests have been in universal algebra (firstly, during the seventies) and diagram geometry (later, from the early eighties till now). He is author and coauthor of more than 130 research papers and a book Diagram Geometry (Oxford University Press, 1994). He is also editor and coeditor of three volumes, devoted to Groups and Geometries, Diagram Geometry and Point-Line Geometries, respectively.

Dr. Pasini belongs to the Editorial Boards of four mathematical journals: European Journal of Combinatorics, Advances in Geometry, Beitraege zur Algebra und Geometrie, and Innovations in Incidence Geometry.

Santina Rocchi (M’96) was born in Riolunato, Modena, Italy, in 1952. She received the laurea degree in electronic engineering from the University of Florence, Florence, Italy, in 1978.

From 1978 to 1981, she was with the Electronic Institute, University of Florence, and worked in collaboration with the European Research Centre, Ispra, Italy, on acoustic signal and image processing. From 1981 to 1992, she was at the University of Florence as Assistant Professor in Electronics. During this period she was mainly involved in the development of prototype systems for ultrasonic applications in medical diagnosis, nondestructive testing and robotics. In 1992, she was at the University of Perugia, Perugia, Italy, as an Associate Professor in Electronics. Since 1993 she has been with the University of Siena, Siena, Italy, where she is currently Full Professor in Electronics. Her main research interests are in sensor front-end and processing electronics design, with particular emphasis on chemical and piezoelectrical sensors. She is author or coauthor of more than 90 scientific papers published in international journals and international conference proceedings.

Valerio Vignoli (S’92–M’94) was born in 1964. He received the laurea degree in electronic engineering from the University of Florence, Italy, in 1989, and the Ph.D. degree in nondestructive testing from the same university in 1994.

Since 1997, he has been with the Department of Information Engineering, University of Siena, Siena, Italy, where he is currently an Associate Professor in Electronics. His recent research interests include the design of data acquisition and processing systems based on chemical sensors, and the design of analog and mixed-signal electronic circuits.