Hardware Implementation of Chaotic Zigzag Map Based Bitwise Dynamical Pseudo Random Number Generator on Field-Programmable Gate Array

: In this study, successful real-time hardware implementation of discrete-time chaotic zigzag map as a random number generator (RNG) on field-programmable gate array (FPGA) environment is presented. For the hardware modelling of the application, ready-to-use modules defined on 32-bit floating-point numbers and hardware description language (VHDL) are used. In the study, the non-linear dynamic behaviour of the chaotic generator synthesized on the Altera Cyclone IV GX FPGA chip is examined in terms of critical cryptographic competences such as system reliability and statistical randomness quality. The random numbers with poor statistical quality in the system are obtained by passing 32-bit chaotic trajectory outputs through a simple comparison circuit. In order to improve the statistical sufficiency of these numbers, the H function post-processing technique is used. In addition, statistical verification and hardware performance analysis of the generator through NIST 800-22 tests and FPGA chip statistics are presented in the study. The obtained successful results show that the zigzag map can be used in different chaos-based engineering applications, including embedded cryptographic applications. In addition, the low area-energy requirement of PRNG in terms of modelling technique facilitates its practical applicability on resource-restricted applications and architectures.


Introduction
In addition to cryptography, randomness is a common statistical concept for many areas such as game theory, simulation, statistic, quantum mechanics, programming and entertainment. This common concept, un-like other fields, corresponds to randomly distributed bit-level random numbers acquired from a specific entropy source in cryptography are not reproducible and predictable. In cryptography, random numbers can be obtained from two different design classes, namely True Random Number Generators (TRNG) using physical noise sources and Pseudo Random Number Generators (PRNG) with deterministic structure. Although their output is unpredictable, TRNGs are susceptible to environmental changes and mostly offer hardwaredependent, slow and costly solutions [1][2][3].
Despite fulfilling an important cryptographic requirement such as unpredictability in terms of system security, statistical weakness is the most obvious deficiency of a physical TRNG. For PRNGs where random numbers with good statistical properties can be obtained at low cost, determinism and periodicity are the most important shortcomings of this design class. PRNGs are preferred due to their practical structure to obtain random numbers within cryptographic applications. However, due to the nature of determinism, the initial conditions and system parameters are decisive in the development of future states of PRNGs, unlike randomness. This case leading to predictability, limits the use of PRNGs for sensitive cryptographic applications. Furthermore, knowing the initial conditions (parameters) that contain all the entropy of the deterministic system, can completely remove the cryptographic confidentiality required for PRNGs [4][5].
Chaos theory is an important concept that has found application in many different disciplines such as biology, philosophy, meteorology, physics and sociology as well as different branches of engineering [4]. Chaos can be roughly defined as an irregular and unpredictable random behavior pattern observed in non-linear deterministic systems that are exponentially sensitive to initial conditions. The deterministic characteristic of chaotic systems is the most prominent feature distinguishing them from noise-based non-deterministic systems preferred for sensitive cryptographic applications. Due to their deterministic properties, the future states of chaotic systems can be predicted theoretically if the initial states are known exactly. However, in these systems characterized by a strong exponential dependence on the initial conditions, a very small error in the initial conditions due to the positive Lyapunov exponential can cause large deviations, also known as the butterfly effect, in the system trajectories evolving in time. Therefore, this divergent character can provide sufficient level of cryptographic secrecy by making the long-term estimation of dynamic system outputs in chaos state impossible [6][7].
Chaotic systems are divided into discrete and continuous time chaotic systems according to their mathematical modeling. In continuous chaotic systems, the evolution of the system is given by ordinary differential equations. It depends on the rate of change of the system's state variables. In discrete time, where the evolution of the system depends on the values of state variables, chaotic systems are expressed by simple non-linear equations [3,8]. For both chaotic system models, exponential sensitivity to the initial conditions and the ability to produce long-term non-periodic oscillations are the basic characteristics of these systems coinciding with the pattern of random behavior. These basic characteristics of chaos, which are similar to the confusion and diffusion properties, also known as Shannon principles, are used for different purposes in cryptography such as video [9], audio [10], image [11] encryption schemes, stream cipher [12], s-box design [13], post-processing techniques [14] and secure additional input [2]. Random number generation is another important use of chaos theory in cryptography. Chaotic systems can often be used as entropy source in hardware-based PRNG and TRNG designs, especially because they eliminate the need for difficult and complex processes, such as obtaining and processing noise signals based on physical randomness.
In practice, the prediction of the future state information of the chaotic system is limited by the measurement sensitivity of the initial state information. Whereas, the lack of infinite measurement sensitivity from the circuit nodes depending on the presence of electrical noise makes it almost impossible to accurately determine the initial conditions of the chaotic system for hardware implementations. Therefore, hardware modeled chaotic systems alone can provide the reliability (security) and unpredictability needed cryptographically, unlike a simple deterministic PRNG [8].
In the literature, there are different chaos-based PRNG and TRNG paradigms implemented with FPGA chips offering important facilities such as flexibility, ease of modelling, low power consumption, parallel processing and speed. Some of these studies can be summarized as follows: Özkaynak [7] proposed an easily applicable RNG model on FPGA chips, which could be an alternative to discrete time chaotic systems using the fractional order Chua system. Tuna et al. [15] modelled the autonomous Lü-Chen chaotic system on Xilinx Virtex-6 FPGA chip using the Heun numerical method and presented a high-speed chaotic oscillator design that can be used for embedded cryptographic applications. In another study, Tuna [16] presented a real-time implementation of a PRNG using an artificial neural network (ANN) based 2D chaotic oscillator on Xilinx Virtex 6 FPGA chip in four different scenarios. Koyuncu and Özcerit [17] modeled the continuous-time Sundarapandian -Pehlivan chaotic system using the Range-Kutta (RK4) numerical analysis method as RNG on the same FPGA chip. De la Fraga et al. [18] presented the hardware modeling of a PRNG based on four different discrete time chaotic system scenarios in their study used Xilinx FPGA Spartan 3E FPGA chip. Koyuncu et al. [19] proposed the use of a new chaos-RO based dual entropy core TRNG architecture using the Xilinx Virtex-6 FPGA chip. A new three-dimensional continuous-time autonomous chaotic oscillator (P3DS) has been used as the deterministic component of TRNG. In another study, Meranza-Castillón et al. [20] provided the hardware implementation of a chaotic enhanced Hénon map (EHM) based PRNG that can be used for image and video ecryption systems on the Altera DE2-115 FPGA chip. Garcia Bosque et al. [21] presented a logistic map based PRNG implementation on Xilinx Virtex 7 chip in which chaotic system parameters change dynamically to prevent the system to fall into short period orbits as well as increasing the statistical randomness quality. Kanzadi et al. [22] proposed a double entropy sourced PRNG architecture on the Xilinx Spartan 3 FPGA chip, combining the tent and logistic map outputs with the exclusive-OR (XOR) gate. In [23], another logistic map based study Tuncer proposed physical unclonable functions based on ring oscillator (RO-PUF) and logistic map to generate pseudorandom numbers. The generator was implemented in Altera Cyclone II FPGA chip with VHDL language. Çiçek et al. [24] proposed a TRNG architecture using a discrete time double entropy resource to overcome the intrinsic limited entropy problem of conventional single entropy core architectures by using hardware redundancy.
In this study, hardware implementation and performance evaluation of an FPGA-based PRNG using chaotic zigzag map as entropy source is given. The statistical and spectral properties of the chaotic time series obtained from the implemented system are analyzed cryptographically. The NIST 800-22 randomness test is used for statistical verification of random numbers obtained from chaotic time series. The presented study is important in terms of demonstrating the applicability of the modeled chaotic system for different chaosbased cryptographic purposes such as secure communication, video and image encryption and s-box design in addition to random number generation. Furthermore, chaotic PRNG can be easily used in resourcerestricted architectures and cryptographic applications due to its low area-energy consumption.
The rest of the paper is organized as follows: In Chapter 2, theoretical details of the chaotic system are given. Details of the digital implementation of proposed PRNG on FPGA environment are presented in Chapter 3. In Chapters 4 the hardware performance and statistical success of chaos-based RNG have been analyzed cryptographically, respectively. The study is concluded by interpreting the results obtained in Chapter 5.

Chaotic zigzag map
The discrete-time one-dimensional chaotic zigzag map whose mathematical definition is given in Eq. 1, is proposed by Nejati and Beirami in [5]. In Eq. 1, m is the state variable of the chaotic system and changes in the (-3,3) closed interval. The zigzag map can display stable or chaotic behavior for different m values in the defined interval. The bifurcation diagram given in Fig.  1 can be used to identify the chaotic behavior of the system for these changes. In Fig. 1, for |m| < 1 values its behavior is stable, while for intervals m ∈ (2,1), (1,2), [3,2) and (2,3] its behavior is chaotic. Especially for m ∈ [3,2) and (2,3] intervals, the x n output values of the system in chaos state occur with a large irregularity in the [-1,1] interval. For the same intervals, the x n output values of the chaotic system tend to infinity for large n values representing the iteration step. For |m| = 2, the map converges to 0 [5,18]. (1) In Eq. 1, the x n output values oscillating in the [-1,1] interval for the zigzag map are 32-bit floating-point (real number) format. Eq. 2 is used to obtain one-bit random numbers from these 32-bit numbers in each iteration. In Eq. 2, the x n output values normalized to the [0,1] interval, are compared with the threshold value and random bit sequences are attained.
3 Implementation details of FPGAbased real-time chaotic zigzag map The chaotic system in accordance with the 32-bit IEEE 754 floating-point number standard is designed to be operated on FPGA chips. The Quartus Prime Lite Edition 17.1 design software and the Altera Cyclone IV EP-C4GX150 FPGA chip are used together for synthesis and placement during the hardware implementation phase. In the chaotic system, Intel FPGA Intellectual Property (IP) cores library with ready-to-use circuit elements de-fined on floating-point numbers is used for multiplication, division, addition, subtraction and comparison operations. In addition to this, all other definitions and circuit elements needed in the system are designed by VHDL dataflow and behavioral coding technique.
The top-level block representation of the PRNG created by schematic and dataflow design techniques is shown in Fig. 2. The operating logic of the system given in Fig. 2 can be briefly described as follows: In Fig. 2, 32-bit x 0 and x n values represent the seed and output values of the chaotic system, respectively. When the chaotic system starts to work, the seed value x 0 is applied as input to the system and after a certain calculation time, the output value x 1 is obtained. This case is the initial position for the chaotic system and the output of the system is constant at value x 1 , in this position. In order to obtain random numbers from the chaotic system, starting from x 1 value, the generated all x n values should be applied as input to the system, respectively. This case is called the feedback position for the chaotic system.   from the initial position. A triggering signal (sel) obtained from the physical ambiance is used as the selection pin of the mux at the input of the chaotic system to enable the transition between these positions. In order to obtain bit-level random oscillations (numbers) at the output of the PRNG, the 32-bit chaotic x n random numbers are passed through the digitization and postprocessing blocks, respectively. Quartus modeling of PRNG whose schematic structure is given in Fig. 2 as in Fig. 3. Real-time simulation of 32-bit hexadecimal random outputs representing the chaotic trajectory for the modeled zigzag map is as in Fig. 4.
For the mathematical operations, two addition (fp_ add), one subtraction (fp_substract), one multiplication (fp_multiplication), and one absolute value (fp_ abs), ready-to-use IP core modules which are able to do calculations with floating-point numbers are used in Fig. 3. In addition to these ready-to-use circuit modules, two dataflow designed block circuit elements (multimod_control_block & post_processing_block) are used in Fig. 3

(C) and (D).
In the initial position, the input values of the chaotic system x 0 and m are 0.4898 and 2.5, respectively. The parameter is the common factor of the three different equalities in Eq. 1. For this reason, instead of calculating the common (2/|m|) expression for the first and third equalities in Eq. 1 in each iteration, the mathematical equivalent of this expression is defined as constant (constant_1) as in Figure 3 (A). Therefore, the hardware equivalent of the equalities in Eq. 1 is (-m(x n + constant)), (m(x n + 0)) and (m(x n -constant)) respectively in Fig. 3. In the system, it is important that the calculation time is the same for all three equalities in terms of synchronization. For this purpose, for the second equality consisting of only multiplication, the addition with 0 (zero) constant is made as in Fig. 3 (B). Thus, the calculation times of the parallel connected (x n + constant), (x n + 0) and (x n -constant) expressions were equalized in 7 clock pulses. The calculated results at each 7 clock pulses are simultaneously applied to c 1 , c 2 and c 3 inputs of the multimode control circuit in Fig. 3 (C), respectively.
The outputs of the control circuit whose hardware modelling details are given in Fig. 5 are connected to the inputs of the multiplication circuit. The mathematical definition of the zigzag map consists of three different equations. Which equality will be used in the system is decided by looking at interval of the x n values. The main task of the multimode control circuit in Fig.  5 is to determine which equality result should be used by checking the x n interval and whether the common factor is positive or negative. For this, the dataflow designed circuit element (output_controller) in Figure 5 (A) is used. The task of this component is to determine the interval of x n by checking the c1 input to which the (x n + 0) addition result is connected. The multimode control circuit in Fig. 5 has two 32-bit vectorial outputs, out0 and m_value. The out0 output is switched to one of the input values c 1 , c 2 and c 3 in accordance with the x n interval. When out0 output is switched to c 1 input, m_ value output takes +m, in other cases (c 0 , c 2 ) -m values. The calculation time required for multiplication in the system takes 5 clock pulses. With the addition, the calculation time required to obtain a 32-bit x n random number in any iteration from the chaotic system is 12 clock pulses in total. The 32-bit random numbers whose absolute value is taken after the multiplication are applied as an input to the comparison circuit (fp_ comparator) in Fig.3. The calculation time of the comparison circuit is 1 clock pulse and performs bit-level transformations according to Eq. 2. However, the sta- tistical randomness quality of the random numbers obtained for the threshold value, selected as 0.5 in Eq. 2, is cryptographically insufficient. Random numbers obtained from the chaotic system are applied to the input of the post processing block in Fig. 3 (D) to remove this shortcoming. The hardware modeling details of this block circuit, in which H function [25] post-processing technique is used, are as in Fig. 6. The post-processing technique in Fig. 6. consists of two combiner circuits (pp_combiner1 & pp_combiner_2), used to obtain the desired bit-level logic vectorial inputs and outputs, in (A) and (B) and the H function in (C). The H function post-processing technique based on Quasigroup transformation needs 16-bit vectorial input obtained from chaotic system trajectory to produce 8-bit vectorial random output in each iteration. The task of the first combiner circuit (pp_combiner_1) in Fig. 6 (A) is to combine one-bit random numbers generated in every 13 clock pulses and to obtain 16bit logic vector inputs needed for the post-processing technique. Then, the random numbers passed through the XOR based H function block in Fig. 6 (C) are finally applied as an input to the other combiner circuit (pp_ combiner_2) in Fig. 6 (B). The 8-bit combined outputs of this circuit are also the hexadecimal outputs of PRNG.
The frequency of the clock signal applied to the input of the chaotic system is 200 MHz. The time to generate a 1-bit random sign / number for PRNG is 13 clock pulses depending on the calculation time of the chaotic system. In other words, for a 200 MHz clock sign with a period of 5 ns, the chaotic system produces a one-bit random number every 65 (13x5) ns. Hence, the output bit rate of PRNG is 200/13 = 15.4 Mbit/s without post-processing technique. However, the post-processing technique reduces the output bit rate of the chaos-based generator by 1/2. For this reason, the final output bit rate of chaotic PRNG drops to 15.4/2 = 7.7 Mbit/s after the post-processing technique is applied.
The time to obtain 16 bit-length random number sequences for the post-processing technique in the system is 208 (13x16) clock pulses. The 8-bit random numbers generated by PRNG every 208 clock pulses, and the 32-bit outputs of the zigzag map are recorded in two different memory architectures for testing purposes, as in Fig. 7 (A) and (B). Column widths of these memory architectures consisting of 65.536 rows are 8 and 32 bits, respectively. In both memory architectures, 16-bit counters are used for addressing. The memory architecture in Fig. 7

Experimental validation
Experimental analysis of the study is carried out in three stages. In the first stage, the existence of chaos in the system for zigzag map and exponential sensitivity of PRNG to initial conditions are analysed. In the second stage, statistical analysis of bit-level numbers obtained from chaotic time series is performed. In the last stage, the hardware design criteria of the proposed PRNG are examined and its performance based on these criteria is compared with other studies in the literature.

Lyapunov exponent analysis
The most distinctive feature distinguishing chaotic systems from other nonlinear systems is the exponential sensitivity to initial conditions, also known as the Butterfly Effect. The Lyapunov exponent is one of the frequently used method for analysing chaos in nonlinear systems and demonstrating the sensitive dependence of the system on initial conditions. The λ can be defined as the quantitative measurement of the amount of divergence and convergence in the phase space of two trajectories starting at very close points to each other. The existence of chaos in a nonlinear deterministic sys-tem can be determined by looking at the sign of the λ value calculated as in the Eq. 3 of at least one trajectory. For at least one Lyapunov exponent greater than zero, the behaviour of the analysed system is defined as chaotic [18,26]. The Lyapunov spectrum of the time series of the zigzag map obtained from the memory component in Fig. 7 (B) and the distributions of these series for the range [-1, 1] are as in Fig. 8 and 9 respectively.  The positive Lyapunov exponent in Fig. 8 confirms that the zigzag map for x 0 and m input values is in chaos and the system display a random-like behaviour. This case also shows that the chaotic system exhibits nonperiodic behaviour and that orbital outputs are unpredictable in long-term. This also shows that the orbital outputs of the chaotic system exhibiting non-periodic behaviour are unpredictable in the long-term and in this case, cryptographically reliable random numbers can be obtained from PRNG.

Statistical randomness analysis
In the presented study, NIST SP 800-22 statistical randomness test suite [27] is used to verify the statistical sufficiency of PRNG. The test technique consists of 15 separate subtest criteria and calculates the α and pvalue parameters for each test criterion. The p-value parameter, which is the probability random numbers are generated from an ideal RNG, varies in the range [0-1]. If p-value equals 1 for a test criterion, the sequence of numbers for the relevant test criterion is considered to be perfectly random. Otherwise, there is no randomness for the relevant test criterion. The α parameter, corresponding to the typical significance level, is in the [0.001-0.01]. range. For α = 0.01, TRNG is considered to correctly produce 99 out of every 100 random number sequences. For the numbers testing, the p-value parameter for each test criterion must be greater than the α parameter [3,28]. The sample length of each random number sequence tested is equivalent to the memory capacity in Fig. 7 (A). In other words, a random number sequence obtained from the PRNG for testing purposes at once time, consists of 524.288 (65.536x8) bits. The measured NIST 800-22 test results for PRNG are given in Table 1. In order for the outputs of any PRNG or TRNG to be used directly in cryptography, the randomness quality of the generator must be verified by statistical testing tools. In Table 1, the p-value > α condition has been fulfilled in all of the test criteria for the post-processed random numbers. In this case, where the test criteria are considered successful, it can be said that the proposed zigzag map-based generator fulfils cryptographic requirements in terms of statistical randomness. The obtained results are important in terms of showing that the zigzag map can be used for different cryptographic purposes, especially random number generation methods.

Hardware performance analysis
The area-energy requirement of any cryptographic RNG is important in terms of evaluating the applicability of the generator on today's cryptographic applications and devices, where area-energy consumption is a major problem [3,14]. Despite having statistically impressive results, solutions with high structural complexity applied for security requirement can often make an RNG dysfunctional. Therefore, hardware cost analysis of any RNG is important in respect to evaluating the practical usefulness of the generator. For this reason, it is important for an RNG to fulfil the security-related statistical requirements with minimum hardware cost in terms of the efficiency of the cryptographic applications they are used.
Although based on simple mathematical definitions, the fact that chaotic orbital outputs consist of three different equalities increases the complexity of the zigzag map in terms of hardware implementation. However, besides the ready IP modules, the dataflow designed circuit elements in Fig. 3 (C) and (D) reduce this complexity as much as possible in terms of hardware. Especially since the (m . x n ) factor is common in all three equalities, only one multiplication circuit is used with the help of the control circuit in Fig. 3 (C) instead of three different multiplication circuits. In addition, in Eq.1, 2/|m| expression is common for the first and third equalities. For any initial value of the system parameter m, the value of this expression will not change during the running time of the PRNG. Therefore, instead of using extra division and absolute value circuits to calculate the value of this expression in the implementation phase, the mathematical equivalent of this expression is defined as constant circuit element as in Fig. 3 (A). This also simplifies the implementation of the chaotic generator as well as reducing the area-energy demand. The area-energy consumption parameters of the proposed zigzag map-based generator after the place-routing process is performed on FPGA chip are shown in Table 2.  The results given in Table 2 show that besides its good statistical properties, PRNG can be used easily in resourcerestricted embedded cryptographic applications. PRNG architecture, based on general principles in terms of modelling technique, is a device independent generator model with low area-energy consumption, so it can be easily applied on resource restricted architectures. In addition, the generator's being based on digital design techniques and easy re-configurability feature are other important advantages in terms of hardware implementation.
The output bit rate performance of the proposed zigzag map based PRNG has been compared with other hardware based chaotic RNGs in the literature. Comparison results are as in Table 3. When the results in Table 3 are examined, it can be seen that PRNG offers a higher output bit rate compared to other studies, although the output bitrate decreases by 1/2 due to the post processing technique.

Conclusion
In this study, the hardware implementation of a new PRNG using the chaotic Zigzag map as entropy source on FPGA environment is presented. The bit-level random outputs of PRNG are obtained from the trajectory produced by the chaotic zigzag map for the initial value of x 0 . The outputs representing the 32-bit chaotic orbit in the system are transformed into bit-level random numbers / signs with the help of a simple comparison circuit and subjected to post-processing technique. While the Zigzag map is in chaos state, PRNG's post-processed outputs successfully pass the NIST 800-22 tests. Statistical randomness results confirm that the chaotic system modelled can be used for different cryptographic purposes as well as random number generation methods. In addition, the low hardware resource requirement makes PRNG easily applicable in resource-constrained hardware architectures and applications. In another aspect, the study is important in terms of showing the usability of the zigzag map in different chaos-based engineering applications and being a source for these studies.