1 Introduction

Random number generation is very important in many field of computer science, including Monte Carlo simulations [1], cryptography, and other computer applications. The study of pseudorandom number generators (PRNG) has received significant attention from researchers, and various fields of mathematics have been utilized to create random numbers such as number theory [2] or chaos theory [3]. Generating random numbers using automata theory is not new in the literature. Already in 1986 S. Wolfram proposed a method to generate random numbers using cellular automaton [4]. In 1989, Hortensius et al. proposed random number generation for VLSI systems using 1-dimensional cellular automata [5]. Since then, numerous articles have been published in the literature that build upon various types of cellular automata (see, e.g., [6,7,8,9,10]). The simple construction of cellular automata makes them an attractive option for generating random numbers or developing novel cryptosystems; however, this simplicity also makes them vulnerable to specific types of attacks [11, 12]. Therefore, it is reasonable to explore the creation of novel pseudorandom number generators and encryption schemes rely on automata theory principles different from cellular automata.

The aim of this paper is twofold: to develop a very simple automaton that successfully passes known statistical tests and to create a PRNG with very simple structure that is suitable for use in embedded devices and Internet of Things (IoT) applications. IoT is a ubiquitous and pervasive network of physical objects that are embedded with sensors, software, and other technologies, enabling them to connect and exchange data with other devices and systems over the Internet or other communication networks [13]. These interconnected devices can communicate with each other, collect data, and perform various tasks autonomously; therefore, ensuring the protection of each device is crucial in a complex IoT environment. Compared to classical computer systems, IoT devices used in these environments are often low-cost RFID tags, sensors, contactless smart cards that lack sufficient processing power and memory capabilities. As a result, standard cryptographic primitives may not be suitable for IoT endpoints and performing classical cyber attacks is often easier than on typical computer systems, making them a potential target for malicious users [14]. Lightweight cryptography is often employed to address the security concerns of constrained environments; however, the diverse nature of IoT devices presents a significant challenge in the design of cryptographic primitives for IoT systems.

In this paper, the authors continue their joint research of cryptographic tools based on compositions of abstract finite automata [15, 16]. In 2021, the authors presented a full cycle length counter-based PRNG based on automata compositions [17]. The promising statistical behavior of the proposed construction inspired us to explore the potential for developing even simpler generators based on automata compositions. The primary idea behind that PRNG was that random numbers are generated as state transitions of a given Gluskov product of automata, where the states of this Gluskov product are considered as binary strings of a given length m. To be more precise, for an appropriate fixed state \(a_0\) and fixed input letter x of the considered Gluskov product, the generated pseudorandom numbers are \(\delta (a_1,x), \delta (a_2,x), \delta (a_3,x), \dots \), \(\delta (a_n,x)\) where \(\delta \) denotes the transition function of the composite automaton and \(a_{i+1} = a_i +1 \mod 2^m\) for every \(i=1,2, \dots n\). It was shown that the generator produces good-quality numbers and passes well known statistical tests, but a significant drawback of the approach is the complexity of the automata composition being considered. In this paper, we introduce a simpler and more compact PRNG, which we refer to as the simple chain automaton random number generator (SCARNG). The main benefit of the algorithm proposed in this paper is its simple structure which allows easy implementation on FPGAs, GPUs, and IoT devices with minimal computing capacity. The algorithm proposed in this paper has successfully passed the National Institute of Standards and Technology (NIST) statistical test [18]. Furthermore, the unique properties of the introduced chain automaton can open new research directions.

1.1 Definitions and notations

All concepts needed for seamless understanding are presented in this paper. However, this paper does not cover the fundamentals of automata theory and their introductions. For basic notations and further insight into the subject, we recommend the reader to see the SIAM monograph on Algebraic Theory of Automata Networks written by Dömösi and Nehaniv [19].

As usual let us denote by \(\Sigma \) a finite, nonempty set of symbols, which we call alphabet. For any set \(\Sigma \), let \(\Sigma ^*\) represent the free monoid over \(\Sigma \), which means the set of all strings over an alphabet \(\Sigma \). Let \(\lambda \) be the unit element of \(\Sigma ^*\) called empty word. Then, for every \(p\in \Sigma ^*\), \(p\lambda =\lambda p=p\); moreover, for every pair \(p,q\in \Sigma ^*{\setminus }\{\lambda \}\), \(pq=x_1\cdots x_nx_{n+1}\cdots x_{n+k}\) whenever \(p=x_1\cdots x_n, q=x_{n+1}\cdots x_{n+k}\) for some \(x_1,\ldots , x_n,x_{n+1},\ldots , x_{n+k}\in \Sigma \), and \(k,n>0\). In addition, for every \(p\in \Sigma ^*,\) let \(p^0=\lambda \), and for every positive integer \(n\ge 1\), let \(p^n=p^{n-1}p\).

By an automaton, we mean a deterministic finite automaton without outputs. To be more precise, an automaton is an algebraic structure \(\mathcal{A}=(A,\Sigma ,\delta )\) consisting of the nonempty and finite state set A, the nonempty and finite input set \(\Sigma \), and a transition function \(\delta : A\times \Sigma \rightarrow A\). The transition matrix of an automaton is represented by a matrix where rows are associated with each input and columns with each state. For any row denoted by input \(x\in \Sigma \) and any column denoted by state \(a\in A\), the matrix entry contains the state \(\delta (a,x)\). If all rows of the transition matrix are permutations of the state set, then we speak about permutation automaton.

We shall use the concept of transition function of automata in the usual extended form. Given an automaton \(\mathcal{A}=(A,\Sigma ,\delta )\), its extended transition function is the mapping \(\delta : A\times \Sigma ^*\rightarrow A,\) where \(\Sigma ^*\) denotes the free monoid over \(\Sigma \), and \(\delta : A\times \Sigma \rightarrow A\) is extended to \(\delta : A\times \Sigma ^*\rightarrow A\) by the following recursive definition: for every state \(a\in A,\) \(\delta (a,\lambda )=a\), and for every triplet \(a\in A, p\in \Sigma ^*, x\in \Sigma \), \(\delta (a,px)=\delta (\delta (a,p),x)\). A Latin square of order n is an \(n\times n\) matrix (with n rows and n columns), where each cell is filled with an element from a set of n elements \(\{a_0,a_1,\ldots ,a_{n-1}\}\). Each element occurs exactly once in each row and each column of the matrix. In this paper, we will consider a special composition of automata, called key automaton, whose state transition table forms a Latin square. By these properties, the considered pseudorandom number generator has a strong immunity against statistical attacks. Prior to presenting the precise design of our generator, we will first introduce several essential concepts needed to understand the SCARNG construction.

2 Key automaton

Let \(\mathcal{A}_i= (A_i, \Sigma _i,\delta _i)\) be automata where \(i\in \{1,\ldots , n\}, \ n\ge 1.\) Take a finite nonvoid set \(\Sigma \) and a feedback function \(\varphi _i: A_1\times \cdots \times A_n\times \Sigma \rightarrow \Sigma _i\) for every \(i\in \{1,\ldots , n\}.\) A Gluškov-type product of the automata \(\mathcal{A}_i\) with respect to the feedback functions \(\varphi _i\ (i\in \{1,\ldots , n\})\) is defined to be the automaton \(\mathcal{A}=\mathcal{A}_1\times \cdots \times \mathcal{A}_n(\Sigma ,(\varphi _1,\ldots ,\varphi _n))\) with state set \(A=A_1\times \cdots \times A_n,\) input set \(\Sigma ,\) transition function \(\delta \) given by \(\delta ((a_1,\ldots , a_n), x)=(\delta _1(a_1,\varphi _1(a_1,\ldots , a_n, x)),\ldots ,\delta _n(a_n,\varphi _n(a_1,\ldots , a_n, x)))\) for all \((a_1,\ldots , a_n)\in A\) and \(x\in \Sigma .\) In particular, if \(\mathcal{A}_1=\ldots =\mathcal{A}_n\), then we say that \(\mathcal A\) is a Gluškov-type power.

One of the most simple Gluškov-type powers is the following construction. Let \(\mathcal{A}=(\Sigma ,\Sigma ,\delta )\) be an automaton whose set of states coincides with the set of input signals. Given a positive integer n, define the automaton \(\mathcal{B}=(\Sigma ^n,\Sigma ^n,\delta _\mathcal{B})\) such that for every pair \((a_1,\ldots , a_n), (x_1,\ldots , x_n)\in \Sigma ^n\), \(\delta _\mathcal{B}((a_1,\ldots , a_n), (x_1,\ldots , x_n))=(a'_1,\ldots , a'_n)\), where the first component \(a'_1\) of the next-state vector \((a'_1,\ldots , a'_n)\) is a result of a state transition chain of automata \(\mathcal{A}_1,\ldots ,\mathcal{A}_n\) with \(\mathcal{A}_1=\ldots =\mathcal{A}_n=\mathcal{A}\) such that the last member \(\mathcal{A}_n\) of the chain goes from the state \(a_n\) into its next state under the effect of the input signal component \(x_1\), and each of the previous members of the chain goes from its state \(a_i, i=1,\ldots , n-1\) into its next state under the effect of its input signal which coincides with the result of the state transition of the \((i+1)^{th}\) member of the considered chain of automata. For every further \(j=1,\ldots ,n\) we repeat this procedure such that the initial state \((a_1,\ldots , a_n)\) is changed with \((a_j,a_{j+1},\ldots ,a_n,a'_1,\ldots ,a'_{j-1})\). In formulas, let \(a'_1=\delta (a_1,\delta (a_2,\ldots ,\delta (a_n,x_1)\ldots )), a'_2=\delta (a_2,\delta (a_3,\ldots ,\delta (a_n,\delta (a'_1,x_2))\ldots ))\), \(a'_3=\delta (a_3,\delta (a_4,\ldots ,\delta (a_n,\delta (a'_1,\delta (a'_2,x_3)))\ldots )), \ldots , \ \ a'_n=\delta (a_n,\delta (a'_1,\ldots ,\delta (a'_{n-1}, x_n)\ldots ))\). From now on, the above constructed automaton \(\mathcal B\) is referred to as a chain power of \(\mathcal A\). The diagram illustrating the state transition of the chain power is viewed in Fig. 1.

Fig. 1
figure 1

Chain power state transition

Full size image

Proposition 1

Suppose that \(\mathcal{A}= (\Sigma , \Sigma ,\delta )\) is a permutation automaton. Then, every chain power of \(\mathcal{A}\) also is a permutation automaton.

Proof

Assume that \(\mathcal{A}=(\Sigma ,\Sigma ,\delta )\) is a permutation automaton. Then, by definition, all rows of its transition matrix are permutations of the state set. Therefore, none of these rows contain repetition. Consequently, for any states \(a,b\in \Sigma \) and input \(x\in \Sigma ,\) \(\delta (a,x)=\delta (b,x)\) implies \(a=b\). Given a positive integer n, let \(\mathcal{B}=(\Sigma ^n,\Sigma ^n,\delta _\mathcal{B})\) be a chain power of \(\mathcal A\) and suppose that \(\mathcal B\) is not a permutation automaton. Then, it has distinct states \((a_1,\ldots ,a_n), (b_1,\ldots ,b_n)\in \Sigma ^n\) and input sign \((x_1,\ldots ,x_n)\in \Sigma \) with \(\delta _\mathcal{B}((a_1,\ldots ,a_n),(x_1,\ldots ,x_n))=\delta _\mathcal{B}((b_1,\ldots ,b_n),(x_1,\ldots ,x_n))= (c_1,\ldots ,c_n)\) for some \((c_1,\ldots ,c_n)\in \Sigma ^n.\) Suppose that \(i\in \{1,\ldots ,n\}\) is the maximal index for which \(a_i\ne b_i\). Then, by definition, \(c_i=\delta (a_i,\delta (a_{i+1},\ldots ,\delta (a_n,\delta (c_1,\ldots ,\delta (c_{i-1},x_i)))))\) and also \(c_i=\delta (b_i,\delta (a_{i+1},\ldots ,\delta (a_n,\delta (c_1,\ldots ,\delta (c_{i-1},x_i)))))\). Put \(x=\delta (a_{i+1},\ldots ,\delta (a_n,\delta (c_1,\ldots ,\delta (c_{i-1},x_i))))\) and recall that \(\mathcal A\) is a permutation automaton. Obviously, then \(\delta (a_i,x)\ne \delta (b_i,x)\) contradicting the assumption \(c_i=\delta (a_i,x)=\delta (b_i,x)\). Therefore, \(\mathcal{B}\) should be a permutation automaton. This completes the proof.

Theorem 2

Suppose that the transition matrix of an automaton \(\mathcal{A}= (\Sigma , \Sigma ,\delta )\) forms a Latin square. Then every chain power of \(\mathcal{A}\) also has this property.

Proof

Consider an automaton \(\mathcal{A}= (\Sigma , \Sigma ,\delta )\) and assume that its transition matrix forms a Latin square. Let \(\mathcal{B}=(\Sigma ^n,\Sigma ^n,\delta _\mathcal{B})\) be its chain power for some positive integer n. By Proposition 1, \(\mathcal B\) is a permutation automaton. Therefore, it is enough to show that for every state \((a_1,\ldots , a_n)\in \Sigma ^n\) and distinct pair \((x_1,\ldots ,x_n),(y_1,\ldots ,y_n)\) of input signals, \(\delta _\mathcal{B}((a_1,\ldots , a_n),(x_1,\ldots ,x_n))\ne \delta _\mathcal{B}((a_1,\ldots , a_n),(y_1,\ldots ,y_n))\). Put \((b_1,\ldots ,b_n)=\delta _\mathcal{B}((a_1,\ldots , a_n),(x_1,\ldots ,x_n))\) and \((c_1,\ldots ,c_n)=\delta _\mathcal{B}((a_1,\ldots , a_n),(y_1,\ldots ,y_n))\). Let \(i\in \{1,\ldots ,n\}\) be the minimal index with \(x_i\ne y_i\). Then, by definition, either \(i=1\), or \(b_1=c_1,\ldots ,b_{i-1}=c_{i-1}\). If \(i=1\) then \(b_1=\delta (a_1,\delta (a_2,\ldots ,\delta (a_n,x_1)\ldots ))\) and \(c_1=\delta (a_1,\delta (a_2,\ldots ,\delta (a_n,y_1)\ldots ))\) with \(x_1\ne y_1\). Recall that the transition matrix of \(\mathcal A\) forms a Latin square. Obviously, then using that the columns of the transition matrix are also permutations of \(\Sigma \), we have \(\delta (a_n,x_1) \ne \delta (a_n,y_1)\). Inductively, \(\delta (a_{n-1},\delta (a_n,x_1)) \ne \delta (a_{n-1}(a_n,y_1)), \ldots , \delta (a_1,\delta (a_2,\ldots ,\delta (a_n,x_1)\ldots )) \ne \delta (a_1,\delta (a_2,\ldots ,\delta (a_n,y_1)\ldots ))\). Thus, we are ready if \(i=1\). Otherwise, using \(b_1=c_1,\ldots ,b_{i-1}=c_{i-1}\), \(b_i=\delta (a_i,\delta (a_{i+1},\ldots ,\delta (a_n,\delta (b_1,\ldots ,\delta (b_{i-1},x_i)))))\) \(c_i=\delta (a_i,\delta (a_{i+1},\ldots ,\delta (a_n,\delta (b_1,\ldots ,\delta (b_{i-1},y_i)))))\).Because the columns of the transition matrix of \(\mathcal A\) are permutations of \(\Sigma \), we have \(\delta (b_{i-1},x_i)\ne \delta (b_{i-1},y_i)\), and inductively, \(\delta (b_{i-2},\delta (b_{i-1},x_i)) \ne \delta (b_{i-2},\delta (b_{i-1},x_i)), \ldots \), \(\delta (a_{i+1},\ldots ,\delta (a_n,\delta (b_1,\ldots ,\delta (b_{i-1},x_i))))\ne \delta (a_{i+1},\ldots ,\delta (a_n,\delta (b_1,\ldots \), \(\delta (b_{i-1},y_i))))\). Put \(x=\delta (a_{i+1},\ldots ,\delta (a_n,\delta (b_1,\ldots ,\delta (b_{i-1},x_i))))\), and \(y=\delta (a_{i+1},\ldots ,\delta (a_n,\delta (b_1,\ldots ,\delta (b_{i-1},y_i))))\) and recall again that the columns of the transition matrix of \(\mathcal A\) are permutations of \(\Sigma \). Then, we receive \(b_i=\delta (a_{i},x)\ne \delta (a_{i},y)=c_i\). Therefore, \((b_1,\ldots ,b_n)\ne (c_1,\ldots ,c_n)\) as we stated. The proof is complete.

Let \(\mathcal{A}=(\Sigma ,\Sigma ,\delta )\) be an automaton whose transition matrix forms a Latin square. Given a positive integer n, consider a chain power \(\mathcal{B}=(\Sigma ^n,\Sigma ^n,\delta _\mathcal{B})\) of \(\mathcal A\). From now on, we say that \(\mathcal B\) is a key automaton.

3 Counter-based pseudorandom number generator

The use of an integer counter as the sole internal state of a generator is a well-known approach for developing a pseudo-random number generator, known as a counter-based PRNG (see e.g. [20]).

The state transition function is an increment by one modulo the size n of the finite state set \(S=\{0,\ldots , n-1\}\) and the complexity comes in the map from the state to the random sample. Formally, a counter-based pseudorandom number generator (CBPRNG) is a structure \({\mathcal {CBPRNG}}= (K, Z_J, S, f, U, g)\), where K is the key space; \(Z_J = \{0, 1,..., J-1\}\), where J is a positive integer called output multiplicity; S is the state space; U is the output space; \(f: S \rightarrow S\) is the state transition function, \(s_i = f(s_{i-1})\); \(g: K \times Z_J \times S \rightarrow U\) is the output function.

The \({\mathcal {CBPRNG}}= (K, Z_J, S, f, U, g)\) works in discrete time scale. It starts from a fixed state \(s\in S\), called initial state and a fixed key \(k\in K\). Then, the generated random number sequence is \(g(k, 0, f^{1}(s)), \ldots \), \(g(k, J-1, f^{1}(s)), g(k,0, f^2(s)), \ldots , g(k, J-1, f^2(s)), g(k, 0, f^n(s)), \ldots , g(k, J-1, f^n(s))\), where \(f^{1}(s)=f(s), f^2(s)= f(f(s))\) and \(f^n(s)= f(f^{n-1}(s))\) for every further \(n>2\). In this case, the vector \((g(k, 0, f(s)), \ldots \), \(g(k, J-1, f(s) )\) is called the output vector of initial state.

Given a \({\mathcal {CBPRNG}}= (K, Z_J, S, f, U, g)\), we say that its state transition function \(f: S \rightarrow S\) has a full cycle if for every \(s\in S\), \(S=\{f^{n}(s) \mid n= 1,\ldots ,\vert S\vert \}\), where, by definition, \(\vert S\vert \) denotes the cardinality of S. Moreover, a \({\mathcal {CBPRNG}}\) is said to have a full cycle or full period if for any key and initial state \(s\in S\), the \({\mathcal {CBPRNG}}\) traverses every output vector \((u_0,\ldots ,u_{J-1})\in U^J\) before returning to the output vector of the initial state.

Suppose that, for the simplicity, S is a set of binary strings of the same fixed length. We say that \({\mathcal {CBPRNG}}\) is of a trivial period if \(\vert S\vert \) is the minimal positive integer n for which \(g(k,i,f^n(s+n+m\mod \vert S\vert ))=g(k,i,f^n(s+m \mod \vert S\vert )), k\in K, i\in Z_J, m\ge 1\).Footnote 1 The following statement is clear.

Proposition 3

A \({\mathcal {CBPRNG}}= (K, Z_J, S, f, U, g)\) has a full cycle if and only if its state transition function \(f: S \rightarrow S\) has a full cycle, and for every key \(k\in K\), the function \(g_k:S\rightarrow U^{J}\) with \(g_k(s)=(g(k,0,s),\ldots , g(k,J-1,s)), s\in S\) is bijective.

If the set \(Z_J\) of \({\mathcal {CBPRNG}}= (K, Z_J, S, f, U, g)\) is a singleton (i.e., \(Z_J=\{0\}\)), then we will write g in the form \(g: K \times S \rightarrow U\), and then, we say that \({\mathcal {CBPRNG}}\) has a simple output multiplicity. In this case, we will write also \({{\mathcal {CBPRNG}}}\) in the form \({{\mathcal {CBPRNG}}}= (K, S, f, U, g)\). For the sake of simplicity, in this paper we consider CBPRNGs having a simple output multiplicity.Footnote 2

Given an output function \(g: K \times S \rightarrow U\) having a simple output multiplicity and assume that \(U\subseteq S\). We say that the output function \(g':K\times S\rightarrow U\) is a double round of the output function \(g:K\times S\rightarrow U\) if for every \(k\in K, s\in S,\) \(g'(k,s)=g(k,g(k,s))\). In general, we say that \(g':K\times S\rightarrow U\) is a \(t(>1)\)-times round of \(g:K\times S\rightarrow U\) if for every \(k\in K, s\in S,\) \(g'(k,s)=g(k,h(k,s))\) such that \(h:K\times S\) is a \((t-1)\)-times round of \(g:K\times S\). Finally, the single round of \(g: K \times S \rightarrow U\) is the function \(g: K \times S \rightarrow U\) itself.

For CBPRNGs, we should have that g is complex and f is a simple counter with \(f(s) = (s+1)\ \mod \ 2^p\), where p is the state size in bits and \(S=\{0,\ldots ,2^{p-1}\}\)[20]. Applying the ideas of this construction, in this paper we consider CBPRNGs, where f is a counter, and g is defined by composition of abstract finite automata.

Given a nonempty set \(\Sigma \), put \(\overline{w}=(a_1,\ldots , a_m)\) for every \(m>1\) and \(w=a_1 \cdots a_m\) with \((a_1,\ldots , a_m)\in \Sigma ^m\). Consider a pair of nonempty sets \(\Delta , \Sigma \), a positive integer \(n>0\) and functions \(f:\Delta ^n\times \Sigma ^n\rightarrow \Sigma ^n,\) \(g:\{w \mid \overline{w}\in \Delta ^n\}\times \{z\mid \overline{z}\in \Sigma ^n\}\rightarrow \{w \mid \overline{w}\in \Delta ^n\}\). Suppose that for every pair \(\overline{w}\in \Delta ^n,\overline{z}\in \Sigma ^{n}\), it holds that \(f(\overline{w},\overline{z})=\overline{g(w,z)}\). Then, we say that g represents f in one round. Moreover, if there exists a \(t\ge 1\) such that for every pair \(\overline{w}\in \Delta ^n,\overline{z}\in \Sigma ^{n}\), it holds that \(f(\overline{w},\overline{z^t})=\overline{g(w,z)}\), then we say that f represents g in t rounds.

Theorem 4

Given a positive integer \(t\ge 1\), every key automaton transition function represents in \(t\ge 1\) rounds an output function of a counter-based pseudorandom number generator (having a simple output multiplicity).

Proof

As the proof of our statement, we give a construction of an appropriate counter based PRNG (CBPRNG) \({{\mathcal {CBPRNG}}}= (K, S, f, U, g)\) having this property. First of all, consider a counter which realizes the state function as \(f(n) = n+1\ \mod \ m\), where m is a sufficiently large positive integer (preferably \(m=2^{128}\)), and n is given as a fixed-length binary number (preferably with 128-bit length).

Thus, the state space is \(S=\{0,\ldots ,m-1\}\).

The elements of the state set S of \({{\mathcal {CBPRNG}}}\) may be considered binary strings of fixed length. We assume that the state space S of \({{\mathcal {CBPRNG}}}\) coincide with \(\{\overline{w}\mid w\in \Sigma ^n\}\), where \(\Sigma ^{n}\) is the input set of \(\mathcal K\) for an appropriate positive integer \(n\ge 1\). Moreover, we also assume that the output set U and also the key space of \({{\mathcal {CBPRNG}}}\) coincides with K.

In addition, assume that the output function \(g:K\times S\rightarrow U\) of \({{\mathcal {CBPRNG}}}\) is given as \(\overline{g(k,s)}=\delta _\mathcal{K}(\overline{k},\overline{s^t})), k\in K,s\in S\) for every \(k\in K,s\in S\) and fixed \(t\ge 1\). Obviously, then the transition function \(\delta _\mathcal{K}\) represents the output function g. This completes the proof.

By Proposition 3 and Theorem 4, we can derive the following.

Proposition 5

Let \({{\mathcal {CBPRNG}}}= (K, S, f, U, g)\) be a counter based pseudorandom number generator with simple output multiplicity (i.e., \(Z_J=\{0\}\)) and assume that the transition function of a given key automaton represents the output function of \({{\mathcal {CBPRNG}}}\). If \({{\mathcal {CBPRNG}}}\) is of a single round, then it has a full cycle.

Proof

Recall that, by definition, for every key automaton, the transition matrix of its basic automaton forms a Latin square. Therefore, by Theorem 2, the transition matrix of all key automata has this property. Thus, all rows and all columns of their transition matrix of \(\mathcal K\) are a permutation of its state set.

Of course, because the state transition f of \({{\mathcal {CBPRNG}}}\) (having a simple output multiplicity) is a simple counter with \(f(s) = (s+1)\ \mod \ 2^p\), where p is the state size in bits and \(S=\{0,\ldots ,2^{p-1}\}\), f has a full cycle. Moreover, by Theorem 2 the key automaton \(\mathcal{K}=(\Sigma ^n,\Sigma ^{n},\delta _\mathcal{K}), n>1\) is a permutation automaton; therefore, for every input sign \(x\in \Sigma ^{n}\), \(h_x: \Sigma ^n \rightarrow \Sigma ^n\) with \(h_x(y)=\delta _\mathcal{K}(x,y)\) is a bijective mapping of \(\Sigma ^n\) onto itself. Because \(t=1\), \(\overline{\delta _\mathcal{K}(x,y)}=g(\overline{x},\overline{y})\). Obviously, then the function \(g_{\overline{x}}=g(\overline{x},\overline{y}),\overline{y}\in \Sigma ^n\), where g denotes the output function of \({\mathcal {CBPRNG}}\), is also bijective. By Proposition 3, that means that \({{\mathcal {CBPRNG}}}\) (having a simple output multiplicity) has a full cycle.

Remark 1

Consider a key automaton \(\mathcal{K}=(\Sigma ^n,\Sigma ^{n},\delta _\mathcal{K})\) such that its transition function represents the output function g of a given \({{\mathcal {CBPRNG}}}\) in t rounds. Then, g is of the form \(g:\{w\mid \overline{w} \in \Sigma ^n\}\times \{z\mid \overline{z}\in \Sigma ^n\}\rightarrow \{w\mid \overline{w}\in \Sigma ^n\}\). Then, the function \(f_w\) with \(\overline{f_{w}(z)}=\delta _\mathcal{K}(\overline{w},\overline{z^t})\) for \(t>1\) is not bijective in general. Therefore, if \(t>1\), then the represented output function of \({{\mathcal {CBPRNG}}}\) does not necessarily have a full cycle.

4 Simple chain automaton random number generator

In this section, we give an example and then we study the security of our CBPRNG which we call simple chain automaton random number generator (SCARNG). The main advantage of this generator is its simplicity and the fact that it can be easily implemented for IoT devices. The very simple structure of the proposed generator is shown in Fig. 2.

The proposed automaton uses only fundamental arithmetic operations. A detailed pseudocode of SCARNG is shown in Algorithm 1.

figure a

4.1 Algorithm description

Fig. 2
figure 2

Simple chain automaton random number generator (SCARNG) with r rounds

Full size image

The procedure parameters are the number of random blocks (SIZE), the input word (INPUT) of the key automaton, the transition matrix of the basic automaton (AUT), and the initial (seed) state of the key automaton (ISTATE). Each of the generated random blocks consists of 128 random strings, and each of the random strings is 128 bits long. Thus, the size of the generated random blocks is 2048 byte. The key automaton \(\mathcal{K}=(\Sigma ^n,\Sigma ^{ROUND \times n},\delta _\mathcal{K})\) is a ROUND-component temporal power of an automaton \(\mathcal{B}=(\Sigma ^n,\Sigma ^n,\delta _\mathcal{B})\) which is the 16-component chain power of the basic automaton \(\mathcal{A}=(\Sigma ^n,\Sigma ^n,\delta )\) and this basic automaton has a \(256\times 256\)-type transition matrix which forms a Latin square. Thus, each state and input sign can be represented by a 8-bit binary string. We shall use a \(16\times 16\)-type auxiliary matrix P, where its first row consists of the vector \(0,1,\ldots , 15\) and all the others are cyclic permutations of the previous one. We will consider \(ROUND=1,2,3\) rounds of the output function of CBPRNG. The vector INPUT consisting of 16 components represents a single input sign of the key automaton.

4.2 Toy example

In this section, we show a simple example. Consider the following transition table of an automaton \(\mathcal{A}=(\{0,1,2,3\}, \{0,1,2,3\},\delta )\)Footnote 3:

\(\delta \)

0

1

2

3

0

1

2

3

0

1

3

0

1

2

2

2

3

0

1

3

0

1

2

3

For the sake of simplicity assume that \(n=3\), i.e., the key automaton consists of the three-factor chain power of \(\mathcal A\), moreover, let the number of rounds be 3. Assume that the subsequent states of the counter, which are the subsequent input signals of the key automaton, are determined by applying the formula \(s_{t+1} = s_t + 1 (\mod 64)\), or in quaternary number system, \(s_{t+1} = s_t + 1 (\mod 1000)\), such that the generated pseudorandom number is a three-digit quaternary number. Let the core state \(s_0\), i.e., the initial state of the counter be 203. Therefore, in this case (applying the quaternary number system for calculations), \(s_{t+1} = s_t + 1 (\mod 1000)\), i.e., the first input signal of the key automaton is \(203+1=210\) in the quaternary number system. Let 123 be a fixed state of the key automaton (consisting of the state’s first, second, and third component automaton of the chain power of \(\mathcal A\) represented by the key automaton). In that case, with \(a_1a_2a_3=123\), \(x_1x_2x_3=210\), \(a'_1= \delta (a_1, \delta (a_2, \delta (a_3, x_1)))= \delta (1, \delta (2, \delta (3, 2)))= \delta (1, \delta (2, 1))= \delta (1, 1)=0\), \(a'_2= \delta (a_2, \delta (a_3, \delta (a'_1, x_2)))= \delta (2, \delta (3, \delta (0, 1)))= \delta (2, \delta (3, 3))= \delta (2,3)=2\), \(a;_3= \delta (a_3, \delta (a'_1, \delta (a'_2, x_3)))= \delta (3, \delta (0, \delta (2, 0)))= \delta (3, \delta (0, 3))= \delta (3,0)=0\).

Therefore, in the second round we have \(a_1a_2a_3=020\), and as before, \(x_1x_2x_3=210\). Thus, we get

\(a'_1= \delta (a_1, \delta (a_2, \delta (a_3, x_1)))= \delta (0, \delta (2, \delta (0, 2)))= \delta (0, \delta (2, 2))= \delta (0, 0)=1\), \(a'_2= \delta (a_2, \delta (a_3, \delta (a'_1, x_2)))= \delta (2, \delta (0, \delta (1, 1)))= \delta (2, \delta (0, 0))= \delta (2,1)=1\), \(a'_3= \delta (a_3, \delta (a'_1, \delta (a'_2, x_3)))= \delta (0, \delta (1, \delta (1, 0)))= \delta (0, \delta (1, 2))= \delta (0,3)=0\).

Hence, in the third round we have \(a_1a_2a_3=110\), and as previously, \(x_1x_2x_3=210\). Consequently, we get the first pseudorandom number in the following way.

\(a'_1= \delta (a_1, \delta (a_2, \delta (a_3, x_1)))= \delta (1, \delta (1, \delta (0, 2)))= \delta (1, \delta (1,2))= \delta (1, 3)=1\), \(a'_2= \delta (a_2, \delta (a_3, \delta (a'_1, x_2)))= \delta (1, \delta (0,\delta (1, 1)))= \delta (1, \delta (0, 0))= \delta (1,1)=0\), \(a'_3= \delta (a_3, \delta (a'_1, \delta (a'_2, x_3)))= \delta (0, \delta (1, \delta (0, 0)))= \delta (0, \delta (1, 1))= \delta (0,0)=1\).

Then, the first pseudorandom number will be the three-digit quaternary number 101.

Then, we either finish our procedure or generate the second pseudorandom number. When the second pseudorandom number is generated, the procedure is repeated with one and the same state \(a_1a_2a_3=123\) of the key automaton, and its input signal \(s_{t+2} = s_{t+1} + 1 (\mod \ 1000)=210+1 (\mod \ 1000)=211\) (given in quaternary number system), etc.

Table 1 Parameters used for NIST test suite
Full size table
Table 2 Results for the uniformity of p-values and the proportion of passing sequences
Full size table

5 Experimental results

We implemented Algorithm SCARNG in C++ in order to measure the actual running time and statistical properties of the generator. The test environment was a 2017 MacBook Pro equipped with 7th Generation Kaby Lake 2.9 GHz Intel Core i7 processor (7820HQ) using 16 GB RAM. We have generated 1 GB of random data and applied the NIST statistical randomness test.

5.1 NIST test

The National Institute of Standards and Technology (NIST) published a statistical package consisting of 15 statistical tests that were developed to test the randomness of arbitrarily long binary sequences produced by either hardware- or software-based cryptographic random or pseudorandom number generators [18]. In case of each statistical test, a set of p-values is produced. Given a significance level \(\alpha \), if the p-value is less than or equal to \(\alpha \), then the test suggests that the observed data are inconsistent with our null hypothesis, i.e., the ’hypothesis of randomness,’ so we reject it.

A significance level of \(\alpha =0.01\) was used, as it is a standard value for such problems in the field of cryptography and PRNG testing. If the significance level, \(\alpha \), is set to 0.01, it implies that one can expect to reject one sequence out of 100 sequences under the null hypothesis. Therefore, a p-value greater than 0.01 would suggest that the sequence is random, while a p-value less than or equal to 0.01 would indicate that the sequence is non-random.

One of the most important characteristics of a PRNG is the indistinguishability from true random sources. This means that any statistical tests applied to the output of the PRNG should not reveal any computational differences between it and a truly random source. In order to test the quality of SCARNG, the NIST SP-800-22 SP statistical tests were performed using the same parameters as for the AES candidates in order to achieve the most reliable and comparable results. All parameters such as the sequence length, sample size, and significance level were fixed. Namely, these parameters were set to \(2^{20}\) bits, 300 binary sequences, and \(\alpha =0.01\), respectively. The other input parameters are shown in Table 1.

5.2 Minimum number of rounds

Applying only 3 rounds, it was found that the SCARNG algorithm successfully met all of the requirements outlined by the NIST statistical test suite. It has turned out that the NIST statistical test suite is unable to distinguish the output of the algorithm (when using ROUND = 3) from true random sources. Without precise parallelization, the algorithm running time was 27 s to generate 1 GB of random data. The exact p-values of the evaluation of the SCARNG for \(ROUND=3\) are shown in Table 2. We also tested the uniformity of the distribution of the p-values obtained by the statistical tests included in NIST. The uniformity of p-values provided no additional information about the applied PRNG. We have also shown that the proportions of binary sequences which passed the 0.01 level lie in the required confidence interval. For further reading about the testing methodology, we refer to the NIST documentation [18].