Entropy and Security of Pseudorandom Number Generators based on
Chaotic Iterations
Luigi Marangio
1,2 a
and Christophe Guyeux
1 b
1
Department of Computer Science and Complex Systems, Universit
´
e Bourgogne Franche-Comt
´
e, Femto-St Institute, France
2
Department of Mathematics, Universit
´
a di Pisa, Italy
Keywords:
Pseudorandom Number Generators, Dynamical Systems, Security.
Abstract:
In the domain of cryptography, an important role is played by PseudoRandom Number Generators (PRNGs).
Designing such generators might be complicated for different reasons: an appropriate formal abstract notion
of randomness should be formulated, and after that, it may be hard to design an algorithm that produces such
random numbers on a finite state machine. A possible approach to tackle this problem has been proposed and
studied in recent works (for instance (Guyeux and Bahi, 2012)), where the authors considered to post-operate
on existing PRNGs, using the so-called chaotic iterations, i.e., specific iterations of a boolean function and a
shift operator that use the inputted generator. This process has at least two positive aspects : boolean functions
avoid the problem of numbers representation (e.g. floating point arithmetic), and it is possible to describe the
PRNGs based on chaotic iterations as dynamical systems, with a formal mathematical description. This class
of PRNGs has been proven to be useful also for cryptographical applications, after a suitable redefinition of
the generators in the cryptographical domain. In this article we propose a Markov chain model of the PRNGs
based on chaotic iterations and we will use it to compute the entropy of the proposed generators. Moreover we
will prove that the security property is preserved when a cryptographic PRNG is post processed with iterations
of a suitable boolean functions.
1 INTRODUCTION
To design a PseudoRandom Number Generator
(PRNG) is a delicate task which has a lot of appli-
cation in numerical simulation, information security
etc. It is logical to think that introducing elements of
chaos, such as well-known chaotic real functions (for
instance the logistic map), might improve the random-
like quality of the output of these algorithms. As far
as we know, no result states that the chaotic proper-
ties of a real function are preserved in floating point
arithmetic. Moreover, in the opposite direction, re-
sults indicate that numerical truncation may change
drastically the statistically property of a system, e.g.
(Galatolo et al., 2014).
A possible solution to this problem, is to consider
an asynchronous iteration scheme which includes a
boolean function coupled with a shift as core of a
PRNG (which is referred as chaotic iterations). In-
deed, the use of a boolean function avoids the issues
a
https://orcid.org/0000-0003-3503-2865
b
https://orcid.org/0000-0003-0195-4378
arising with floating point arithmetic, since only inte-
gers are involved in the process and the whole itera-
tion scheme can be represented as a discrete dynam-
ical system, which can be studied with many math-
ematical theoretical tools. For instance, in (Guyeux
and Bahi, 2012), the authors proved that these iter-
ations, viewed as a class of operators on a suitable
discrete space, satisfy various topological properties
of chaos like topological transitivity.
This process can be adapted in the cryptographi-
cal framework, in which the randomness quality of a
generator is of fundamental importance. It is reason-
able to think that there is some link between the no-
tion of chaos and security, and that a ”chaotic” PRNG
is also, in a certain extent, a ”secure” PRNG. In (Bahi
et al., 2015), authors presented a secure cryptographi-
cal PRNG (cPRNG) based on this asynchronous iter-
ation scheme, and in (Marangio et al., 2018) a first at-
tempt to study the collision-free property of this kind
of PRNG was made. There are two main contribu-
tions in this paper: we first propose a Markov Chain
model of the involved generators, which is slightly
different from the topological models already pre-
402
Marangio, L. and Guyeux, C.
Entropy and Security of Pseudorandom Number Generators based on Chaotic Iterations.
DOI: 10.5220/0007839304020407
In Proceedings of the 16th International Joint Conference on e-Business and Telecommunications (ICETE 2019), pages 402-407
ISBN: 978-989-758-378-0
Copyright
c
2019 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved
sented but allow us to explicitly compute the entropy
of the PRNG, under some suitable assumption. On
the other side, we prove that the security property for
cPRNG is preserved under chaotic iterations.
This research work is organized as follows. In
Section 2, we introduce chaotic iterations and the
PRNGs based on it, with an explicit example. In Sec-
tion 3 we recall how to model these PRNGs as dis-
crete dynamical systems and we present some of the
results about their randomness, by using various no-
tions taken form the field of mathematical topology.
In Section 4, we introduce a Markov chain model of
the chaotic iterations, we translate it in the measure
preserving system language, and we compute its en-
tropy. Then, in Section 5, we change the framework
and we introduce the cPRNG based on chaotic iter-
ations. We then provide a security analysis for such
generators. This research work ends by a conclusion
section, in which our contributions are summarized
and intended future work is outlined.
2 PRNGS BASED ON CHAOTIC
ITERATIONS
In this section we will show how to use an iteration of
a boolean function to post process a given PRNG. The
output of this procedure will be a new PRNG, which
may be modeled as a dynamical system. Let us first
introduce some notations.
Fix N ∈ N
∗
, which is the length of the string of
bits which we will consider, and let 2
N
be the space
of all the strings of length N.
Definition 2.1. Let f
0
: 2
N
→ 2
N
be the boolean nega-
tion, i.e. the function such that
f
0
(x
0
,...,x
n−1
) = (x
0
,...,x
n−1
),
where x = x + 1 mod 2.
We will use the following function:
Definition 2.2. Let σ : [1, N]
N
→ [1,N]
N
be the shift
function defined as
σ : (s
0
,s
1
,s
2
,...) 7→ (s
1
,s
2
,s
3
,...).
If x is a sequence of 0 and 1 of length N, produced
for instance by a PRNG, we may post process x with
an iterative application of a boolean function to some
of the digits of x, chosen accordingly to a strategy s,
which is a sequence of integers between 1 and N. The
following definition formalized this procedure:
Definition 2.3. Let N ∈ N
∗
, f : 2
N
−→ 2
N
be a func-
tion, and s ∈ [1,N]
N
be a sequence of integers between
1 and N called the chaotic strategy. The so-called
chaotic iterations are defined by x
0
∈ 2
N
and
∀n ∈ N
∗
,∀i ∈ [1,N],x
n
i
=
x
n−1
i
if s
n
6= i
f (x
n−1
)
s
n
if s
n
= i.
(1)
Let us explain it with an example:
Example. For the sake of concreteness, let us con-
sider that N = 3. Let s be the sequence s =
(123123123123...) and let f
0
be the Boolean nega-
tion. Start with input (000), then the chaotic iterations
will produce the following output
(000) → (100) → (110) → (111) → (011) → ...
At each iteration step, look at the correspondent ele-
ment of the sequence s (at the n-th step, look at the
n-th element of s), and then apply f
0
to the element of
the input sequence suggested by the element of s that
we are considering. In the example, for instance, at
step number 5, the second bit of the input will change
since the fifth element of s is 2.
We can thus define the algorithm CI
1
, which takes
as input a PRNG P and it post processes the output of
P with chaotic iterations:
Algorithm 1: A pseudo code for PRNG based
on chaotic iterations, the algorithm CI
1
.
Data: A seed x
0
; a PRNG s acting as a
chaotic strategy; a boolean function f ;
execution time n
Result: A pseudo random sequence x
n
for i = 0,..., n do
apply chaotic iterations ( f ,s) on x
i
to
obtain x
i+1
end
return x
n
3 A MATHEMATICAL MODEL
FOR CHAOTIC ITERATIONS
In this section we present a mathematical formaliza-
tion of the algorithm CI
1
and we will recall the most
relevant results about it.
Definition 3.1. Given a boolean function f : 2
N
→
2
N
, let us consider the function F
f
: 2
N
× [1, N] → 2
N
,
defined as
F
f
(x,i) = (x
1
,...,x
i−1
, f
i
(x),x
i+1
,...,x
N
).
Consider the phase space X = 2
N
× [1,N]
N
and a
boolean function f : 2
N
→ 2
N
.
Entropy and Security of Pseudorandom Number Generators based on Chaotic Iterations
403
Definition 3.2. The map H
f
: X → X is defined as
H
f
: (x,s) 7→ (F
f
(x,s
0
),σ(s)).
The algorithm CI
1
can be model with the following
dynamical system (X ,H
f
):
x
0
∈ X
x
k+1
= H
f
(x
k
).
(2)
We can define a distance d on X ; let x = (e,s),y =
( ˇe, ˇs) ∈ X , let δ be the discrete Boolean metric, i.e.
δ(x,y) = 0 ⇔ x = y. Let d be the sum of two distances
d
1
and d
2
,
d(x,y) = d
1
(e, ˇe) + d
2
(s, ˇs),
defined as follows:
d
1
(e, ˇe) =
N
∑
k=1
δ(e
k
, ˇe
k
),
d
2
(s, ˇs) =
9
N
∞
∑
k=1
|s
k
− ˇs
k
|
10
k
.
(3)
The distance d has been introduced in order to satisfy
the following requirements.
• When the number of different cells between two
systems is increasing, then their distance should
increase too.
• In addition, if two systems present the same cells
and their respective strategies start with the same
terms, then the distance between these two points
must be small because the evolution of the two
systems will be the same for a while.
The distance d has been proven to be well defined on
X and the map H
f
is a continuous function with re-
spect to this metric. In this framework we can define
and possibly prove different notions of chaos; in par-
ticular in (Guyeux and Bahi, 2012) it has been shown:
Theorem 3.1. (X ,d, H
f
0
), where f
0
is the boolean
negation, is regular and topological transitive.
Theorem 3.2. (X ,d, H
f
0
), where f
0
is the boolean
negation, is topological mixing.
Thus in the particular case of the boolean negation,
the dynamical system associated to CI
1
is chaotic ac-
cording to some, standard, definition of chaos (e.g.
topological mixing). We can characterize all the
boolean functions which induce a topological transi-
tive dynamical systems:
Definition 3.3. Let f be a map from 2
N
to itself.
The asynchronous iteration graph associated with f
(shortly, the iteration graph of f ) is the directed graph
Γ( f ) defined by:
• The set of vertices is 2
N
;
• ∀x ∈ 2
N
, ∀i ∈ [1,N] the graph Γ( f ) contains an
arc from x to F
f
(i,x).
It has been proved in (Bahi et al., 2011):
Theorem 3.3. (X , d,H
f
) is regular and topological
transitive if and only if Γ( f ) is strongly connected.
This characterization theorem establishes the link be-
tween two mathematical models of the CI
1
genera-
tor: from one side, we have a topological dynami-
cal system, meanwhile on the other side we have the
Markov chain associated to the boolean function f ,
which is represented by the iteration graph Γ( f ). In
the next section we will use the Markov chain model
to compute, under suitable hypothesis, the entropy of
the proposed algorithm.
4 ENTROPY
In this section we will show how to build a Markov
chain model of the generator CI
1
and, to do so, we will
recall some basic result on Markov chains. Finally
we will apply standard ergodic theory to compute the
entropy of the system.
Let f : 2
N
→ 2
N
be a boolean function with Γ( f )
strongly connected. Let
ˇ
M be the adjacency matrix
associated to the graph Γ( f ).
Definition 4.1. The Markov matrix associated to the
boolean function f , is the n × n matrix M defined by
M
i j
=
1
n
ˇ
M
i j
if i 6= j and M
ii
= 1 −
1
n
n
∑
j=1, j6=i
ˇ
M
i j
other-
wise.
The matrix M is a double stochastic matrix, i.e. this
is a finite Markov chain, which models the genera-
tor CI
1
. In this framework, it is possible to introduce
(at least) two notions of chaos, namely ergodicity and
mixing. If a finite Markov chain is mixing, then we
have an explicit formula to compute its entropy, and
this is the path that we will follow.
Let us introduce the notion of ergodicity and mix-
ing for a measure preserving system; we stress on the
fact that a Markov chain can be always viewed as a
measure preserving system in a standard way.
Definition 4.2. Consider a probability space
(X ,E ,µ) and a measurable transformation
T : X → X which preserves the measure µ, i.e.
∀A ∈ E , µ(A) = µ(T
−1
(A)). In this case (X , E ,µ,T )
is said to be a measure preserving system.
• T is said to be ergodic, if for every A, B ∈ E of
positive measure, there exists n > 0 such that
µ(T
−n
(A) ∩ B) > 0;
SECRYPT 2019 - 16th International Conference on Security and Cryptography
404
• T is said to be mixing if, for any A,B ∈ E,
lim
n
µ(T
−n
(A) ∩ B) = µ(A)µ(B).
Since M is a stochastic matrix, from Perron-
Frobenius’s theorem, it follows that there exists a
probability distribution π = (π
1
,··· ,π
N
) on S invari-
ant for M, i.e. π = πM, where S = 2
N
. Moreover, if
there exists some k such that all the elements of M
k
are positive, then this vector is unique. To transform
a Markov chain in a measure preserving system, there
is the following standard method; consider Ω = S
N
and the σ-algebra of the cylinders:
Definition 4.3. For every k ∈ N and for every ω ∈ Ω,
a standard cylinder is
C
k
(ω) = {z ∈ Ω : z
i
= ω
i
, ∀i = 1,··· ,k};
Thus we can consider the σ-algebra generated by the
standard cylinders, denoted by C . Observe that if C is
a generic cylinder, i.e. is an element of the σ-algebra
C , then there are a
1
,··· ,a
s
∈ [1,N] such that
C = {ω : ω
i
1
= a
1
,··· ,ω
i
s
= a
s
}.
Now consider the following measure m on C :
m({ω : ω
1
= e
1
,...,ω
r
= e
r
}) = π
e
1
m
e
1
e
2
...m
e
r−1
e
r
.
In such a way the space (Ω, C ,m,σ), where σ :
Ω → Ω is the shift function, is a measure preserving
system. Before proving it, let us remark that the shift
“here” and the shift “inside” the H
f
are not linked at
all between them. Here, the shift function allows us
to visualize at each step an element of S (by shifting a
sequence in Ω), but the output depends on the proba-
bility of the cylinders, and they depend on the matrix
M that describes our dynamical system (X , H
f
). The
theorem below follows from standard arguments:
Theorem 4.1. (Ω, C ,m,σ) is a measure preserving
system.
For a finite state Markov chain the notions of ergodic-
ity and mixing can be characterized in the following
way:
Definition 4.4. A matrix M is said to be
• irreducible if for every i, j, there exists k ∈ N
∗
such
that M
k
i j
> 0;
• regular if there exists k ∈ N
∗
such that for every
i, j, M
k
i j
> 0.
It is well known that an irreducible Markov chain is
ergodic, meanwhile a regular Markov chain is mix-
ing. Thus we can deduce the following theorem on
the generator CI
1
Theorem 4.2. Let f : 2
N
→ 2
N
be a boolean function,
and let M be the adjacency matrix of Γ
f
.
1. If M is an irreducible stochastic matrix, then CI
1
is ergodic;
2. if M is a regular stochastic matrix, then CI
1
is mix-
ing.
Under the mixing hypotheses, we can compute the en-
tropy of a Markov chain, and thus of our generators.
Let us recall briefly what entropy is, before to state
the result. Let (X,E,µ,T) be a measure preserving
system; we say that P is a partition of X, if P is a
family of measurable and mutually disjoint subsets of
X. We will always assume that P is finite or countable
and we will write P = {P
0
,··· ,P
k
} with 2 ≤ k ≤ ∞.
We know how to calculate the entropy of a parti-
tion of the system, and in order to link this entropy
to the entropy of the system, we would like to have a
“special” partition, the so-called generating partition;
its definition it is technical but standard and it will be
not reported here.
We can now define the entropy of a partition P =
{P
0
,...,P
k
} as
H(P ) :=
k
∑
i=0
φ(µ(P
i
)),
where φ is the function defined on [0, 1] by the for-
mula
φ(x) =
(
−x log(x) if 0 ≤ x ≤ 1
0 if x = 0.
Starting from a partition P one can prove that the fol-
lowing limit is well-defined
h
µ
(T, P ) := lim
n→∞
H(P
n−1
0
)
n
,
and we shall call this quantity, the entropy of P rela-
tive to T .
We can also define the metric entropy as
h
µ
(T ) = sup
P
h
µ
(T, P ).
Finally the Kolmogorov-Sinai theorem tells us
that if P is a generating partition, then
h
µ
(T ) = h
µ
(T, P ).
So far from now we saw that we can calculate the
entropy of CI
1
by calculating the entropy of a gener-
ating partition for this system. We are ready to prove
the following:
Theorem 4.3. Let f : 2
N
→ 2
N
be a boolean func-
tion with M, the Markov matrix of Γ
f
, irreducible and
aperiodic. Then the entropy of the measure preserv-
ing system (Ω,C ,m,σ) is
−
N−1
∑
j=0
N−1
∑
i=0
π
i
m
i j
logm
i j
.
Entropy and Security of Pseudorandom Number Generators based on Chaotic Iterations
405
Proof. Let (Ω,C ,m,σ) be the measure preserving
system previously defined which describes the CI
1
al-
gorithm. Let us define
P
0
i
:= {ω : ω
0
= i},
and thus the partition
P = {P
0
0
,...,P
0
N−1
}.
Recalling that P
0
−n+1
is by definition ∨
0
k=−n+1
σ
k
P ,
observe that any element of P
n−1
0
has the form
P
0
i
0
∩ σ
−1
P
1
i
1
∩ ...σ
−n+1
P
n−1
i
n−1
,
for some i
0
,...,i
n−1
, and the measure of such an ele-
ment is
π
i
0
m
i
0
i
1
...m
i
n−2
i
n−1
.
Thus
H(P
0
−n+1
) =
= −
∑
i
0
,...,i
n−1
π
i
0
m
i
0
i
1
...m
i
n−2
i
n−1
log(π
i
0
m
i
0
i
1
...m
i
n−2
i
n−1
) =
= −
∑
i
π
i
log(π
i
)−
∑
i
0
,...,i
n−1
π
i
0
m
i
0
i
1
...m
i
n−2
i
n−1
log(π
i
0
m
i
0
i
1
...m
i
n−2
i
n−1
) =
= −
∑
i
π
i
log(π
i
) −
∑
i j
π
i
m
i j
log(m
i j
)−
∑
i
1
,...,i
n−1
π
i
1
m
i
1
i
2
...m
i
n−2
i
n−1
log(m
i
1
i
2
...m
i
n−2
i
n−1
) =
= ... = −
∑
i
π
i
log(π
i
) + n
−
∑
i j
π
i
m
i j
log(m
i j
)
.
where we applied over and over again the properties
∑
j
m
i j
= 1 and
∑
i
π
i
m
i j
= π
j
.
But now P is a generating partition since it is build
up from cylinders and C is actually the σ-algebra
generated by the cylinders. By taking the limit on
n of the last quantity divided by n and applying the
Kolmogorov-Sinai theorem we obtain the thesis, i.e.
the entropy of CI
1
is
−
N−1
∑
j=0
N−1
∑
i=0
π
i
m
i j
logm
i j
.
5 SECURITY ANALYSIS
The definition of PRNG should be reviewed in
the cryptographic applications, see for instance
(Schindler, 2013). The goal of this section is to show
that chaotic iterations not only improve the random-
ness of the inputted generator, but they also preserve
the security property, in a cryptographic framework.
In this section, if u, v are two strings, then uv denotes
the concatenation of the two strings (when it is neces-
sary, we will write (u)(v)).
Definition 5.1. Let 0 < l
1
≤ l
2
two integers; a crypto-
graphic PRNG (cPRNG) is an algorithm G that takes
in input a seed s ∈ 2
l
1
and produce an output t ∈ 2
l
2
such that:
A1 there should be a high probability that for dif-
ferent seeds the generated sequences of random
numbers are different from each other;
A2 the output should be indistinguishable from a
”true” random sequence, according to specified
statistical tests (NIST, TestU01...);
A3 it should be impossible for any attacker (for all
practical purposes) to calculate, or otherwise
guess, from any given sub sequence, any previous
or future values in the sequence, nor any inner
state of the generator;
A4 it should be impossible, for all practical purposes,
for an attacker to calculate, or guess from an in-
ner state of the generator, any previous numbers
in the sequence or any previous inner generator
states
The empirical properties which define a secure
cPRNG can be summarized, for instance, in the fol-
lowing definitions (see (Bahi et al., 2015))
Definition 5.2. A cryptographic PRNG (cPRNG) is
a deterministic algorithm G transforming strings into
strings and such that, for any seed s of length m, G(s)
(the output of G on the input s) has size l
G
(m) with
l
G
(m) > m.
Definition 5.3. A cPRNG G is secure if for any proba-
bilistic polynomial time algorithm D, for any positive
polynomial p, and for all sufficiently large m ’s,
|P[D(G(δ
m
)) = 1] − P[D(δ
l
G
(m)
) = 1]| <
1
p(m)
,
where δ
m
is the uniform distribution on B
m
and the
probabilities P are taken over δ
m
, δ
l
G(m)
as well as
over the internal coin tosses of D.
Intuitively, it means that there is no polynomial
time algorithm that can distinguish a perfect uniform
random generator from G with a non negligible prob-
ability.
A secure cPRNG based on CI
1
was presented for
instance in (Bahi et al., 2015); let us recall, given a
cPRNG, how to post process it with chaotic iterations:
Definition 5.4. Let K be a cPRNG, and let f : 2
N
→
2
N
be a boolean function. Let us define a new cPRNG
K
f
, in the following way:
• K takes as input any string x
0
S
0
of length 2N, with
|x
0
| = |S
0
| = N;
• assume, without loss of generality, that for any
string S
0
of length N, the length of K(S
0
) = kN,
with k ≥ 2;
SECRYPT 2019 - 16th International Conference on Security and Cryptography
406
• let S
1
,...,S
k
be the strings of length N, such that
K(S
0
) = S
1
...S
k
;
• K
f
returns as output the following string of length
kN
( f
S
1
(x
0
))( f
S
2
(x
0
))...( f
S
k
(x
0
)),
where, for instance,
f
S
3
(x
0
) = F
f
(S
3
,F
f
(S
2
,F
f
(S
1
,x
0
))).
Now we claim that if K is a secure cPRNG, then K
f
defined above, is secure too.
Theorem 5.1. Let K be a cPRNG, with l
K
(N) =
kN, k ≥ 2. For any y ∈ 2
kN
let Φ
y
: 2
kN
→
2
kN
be the function mapping ω = ω
1
...ω
k
into
( f
ω
1
(y))( f
ω
2
(y))...( f
ω
k
(y)). If K is secure and for ev-
ery y, Φ
y
is bijective, then K
f
is secure too.
Proof. Assume that K
f
is not secure. Then by defi-
nition there exists a polynomial time probabilistic al-
gorithm D and a positive polynomial p, such that for
every ε > 0 there exists L ≥ ε/2 satisfying:
|P[D(K
f
(δ
2L
)) = 1] − P[D(δ
kL
) = 1]| ≥
1
p(2L)
.
Let us define a new probabilistic polynomial time al-
gorithm, say D
0
:
• takes as input a string ω = ω
1
...ω
k
of length kL,
where for all i, |ω
i
| = L;
• randomly choose a string y of length L;
• compute z = ( f
ω
1
(y))( f
ω
2
(y))...( f
ω
k
(y);
• return D(z) as output.
Observe that by definition of Φ
y
D
0
(ω) = D(Φ
y
(ω))
and also
Φ
y
(K(x)) = K
f
(yx).
Using these expressions we obtain
D
0
(K(x)) = D(Φ
y
(K(x))) = D(H
f
(yx)),
thus
P[D
0
(K(δ
L
))) = 1] = P[D(K
f
(δ
2L
)) = 1].
Furthermore, since Φ
y
is bijective by hypothesis, we
have
P[D
0
(δ
kL
) = 1] = P[D(Φ
y
(δ
kL
)) = 1] = P[D(δ
kL
) = 1].
Putting everything together we are able to conclude
that K is not secure, reaching a contradiction and thus
a proof of this theorem. In fact we have found a poly-
nomial time probabilistic algorithm D
0
, and a posi-
tive polynomial p, such that for all ε > 0 there exists
L ≥ ε/2 such that
|P[D
0
(K(δ
L
))) = 1] − P[D
0
(δ
kL
) = 1]| =
|P[D(K
f
(δ
2L
)) = 1] − P[D(δ
kL
) = 1]| ≥
1
p(2L)
.
6 CONCLUSIONS
Designing pseudorandom number generators is an in-
teresting and challenging task. In this article we pre-
sented a class of generators, we modeled it as a class
of discrete dynamical systems or a class of Markov
chains, and we used theoretical tools from topology
and ergodic theory to deduce chaotic properties of
these systems and in particular to compute their en-
tropy, under the mixing assumption. A further step in
this direction will be the study of the speed of mixing
of these PRNG, which is interesting from both practi-
cal and theoretical points of view.
In the field of security, we proved that cPRNG
based on chaotic iterations are suitable for crypto-
graphical applications, in the sense that they pre-
served the security property of an inputted genera-
tor. Many other properties could be analyzed in this
framework, such as a more extended study of the
collision-free property, or the study of the avalanche
effect. Another research direction will be to exploit
the connection between the secure boolean functions
(boolean function satisfying the hypothesis of Theo-
rem 5) and the chaotic boolean functions (the ones
with a regular associated Markov matrix).
REFERENCES
Bahi, J. M., Couchot, J.-F., Guyeux, C., and Richard, A.
(2011). On the link between strongly connected it-
eration graphs and chaotic boolean discrete-time dy-
namical systems. In 18th International Symposium on
Fundamentals of Computation Theory. Lecture Notes
in Computer Science.
Bahi, J. M., Couturier, R., C.Guyeux, and Cyrille, P. (2015).
Efficient and cryptographically secure generation of
chaotic pseudorandom numbers on gpu. In The jour-
nal of Supercomputing.
Galatolo, S., Nisoli, I., and Rojas, C. (2014). Probability,
statistics and computation in dynamical systems. In
Mathematical Structures in Computer Science. Cam-
bridge University Press.
Guyeux, C. and Bahi, J. (2012). A topological study of
chaotic iterations. application to hash functions. In
Studies in Computational Intelligence. Springer.
Marangio, L., Guyeux, C., and Bahi, J. M. (2018). On
the collision property of chaotic iterations based post-
treatments over cryptographic pseudorandom number
generators. In 2018 IEEE Middle East and North
Africa Communications COnference. IEEE.
Schindler, W. (2013). Functionality classes and evaluation
methodology for deterministic random number gener-
ators. In Anwendungshinweise und Interpretationen
(AIS). Bundesamt f
¨
ur Sicherheit in der Information-
stechnik.
Entropy and Security of Pseudorandom Number Generators based on Chaotic Iterations
407
