TRANSFORMATION SEQUENCE PROGRAMMING
TAN SYN KIAT
NATIONAL UNIVERSITY OF SINGAPORE
2005
TRANSFORMATION SEQUENCE PROGRAMMING
TAN SYN KIAT (B.Eng (Hons.), NATIONAL UNIVERSITY OF SINGAPORE)
A THESIS SUBMITTED FOR THE DEGREE OF DOCTOR OF PHILOSOPHY
DEPARTMENT OF ELECTRICAL & COMPUTER ENGINEERING
NATIONAL UNIVERSITY OF SINGAPORE
2005
Acknowledgement
I am most grateful to my supervisor, Associate Professor Guan Sheng-Uei, for his continuous guidance, understanding and encouragement during this work. The four years spent together on this thesis have been a taxing period. This thesis would not have been possible if he had not regained my focus during the numerous times when I drifted away from the research goals. I would also like to express my appreciation to the numerous anonymous reviewers of our works. Many thanks to the fellow researchers from the Computer Communication Networks Laboratory who have made the work atmosphere enjoyable, especially to Zhu Fang Ming, Zhang Shu, Marie Therese Quieta and Eric Poon for their help during this work.
Support for this work was given by the research scholarship awarded by the National University of Singapore.
Contents
Acknowledgments i
Contents ii
Summary vi
List of Tables viii
List of Figures ix
Chapter 1 Introduction 1
1.1 Introduction to Work Presented in this Thesis 1
1.2 Overview on Pseudorandom Number Generators (PRNG) 5
1.3 Applications of Pseudorandom Number Generators 7
1.3.1 Cryptology 8
1.3.2 Built-in Self Test 9
1.4 Contribution of the Thesis 10
1.5 Overview of the Thesis 12
Chapter 2 CA and LFSM based PRNG: Introduction and Literature Survey 15
2.1 Linear Finite State Machines (LFSM) 15
2.2 Cellular Automata 20
2.3 Literature Survey of CA based PRNGs 23
2.3.1 Uniform CA 24
2.3.2 Hybrid CA 25
2.3.3 Approaches based on Genetic Algorithms 27
2.3.4 Two-Dimensional (2-d) CA 27
2.3.5 Configurable CA 29
2.4 Summary 31
Chapter 3 Self-Programmable CA 34
3.1 Details of the Self-Programmable CA 35
3.2 State Transformations of SPCA f90↔f165 and SPCA f150↔f105 37
3.3 Experimental Results and Discussion 40
3.4 Summary 43
Chapter 4 Transformation Sequence With Maximum Length Matrix 45
4.1 Maximum length LFSM 47
4.2 Transformation Sequence With Maximum Length Matrix 49
4.3 Extension to Arbitrary PRNGs 58
4.4 Preview to Following Chapters 59
4.5 Summary 60
Chapter 5 L-Layered CA 62
5.1 Transformation Sequence of L-LCA 63
5.2 Analysis of Sequence Period for L-LCA 67
5.3 Experimental Results and Discussion 70
5.3.1 DIEHARD 70
5.3.2 Linear Complexity 76
5.4 Summary 78
Chapter 6 Programmable Transformations 80
6.1 Introduction 81
6.2 Programmable Transformations 83
6.3 Experimental Results and Discussion 90
6.3.1 DIEHARD 90
6.3.2 Linear Complexity 92
6.3.3 Implementation Issues 93
6.4 Summary 96
Chapter 7 Exponential Transformation Matrix Machines 98
7.1 Introduction 99
7.2 Exponential Transformation Matrix Machines 104
7.3 Experimental Results and Discussion 109
7.3.1 DIEHARD 110
7.3.2 Driving Ability 114
7.3.3 Implementation Issues 117
7.4 Summary 119
Chapter 8 Conclusion 121
8.1 Conclusion 121
8.2 Future Work 123
Bibliography 125
Appendix 133
A.1 Experimental Setup and Test Evaluation 134
A.2 DIEHARD Randomness Test Suite 135
Summary
Cellular automata based pseudorandom number generators (CA PRNG) are widely used in various fields. Complex CA that generate highly random number sequences have been identified to consist of register transformation functions with more inputs over a non-local neighborhood, while time-varying transformations are also used. These sequences are shown to pass all the DIEHARD randomness tests; however, their designs are difficult to analyze, and desirable sequence properties such as period and uniform distribution are not guaranteed. On the other hand, well-analyzed CA designs such as maximum length CA can be shown to have desirable sequence properties. However, the randomness quality of the generated sequences is not always satisfactory.
The proposed Transformation Sequence with Maximum Length Matrix (TSMLM) concept facilitates the design of analyzable PRNG by using a top-down approach that changes all the registers' existing transformation functions such that they possess identified characteristics of complex CA, and the concerted effect of all modified registers will generate sequences with randomness quality hypothesized to be at least as good as those of complex CA. The transformation sequence of any maximum length CA or Linear Finite State Machine (LFSM) is first obtained, and a suitable mapping is then applied to permute this transformation sequence. The resulting PRNG with this permuted transformation sequence will retain the analyzability of maximum length CA/LFSM as well as their desirable sequence properties. We also developed several theorems to support the design of new PRNG, and the TSMLM concept can be applied with arbitrary PRNG under certain conditions.
The new Programmable Transformations (PT) scheme uses cascaded, programmable linear transformations that are equivalent to a nonlinear transformation. These programmable transformations can be keyed such that a large class of 2^n − 1 different nonlinear transformations can be used. Each resulting nonlinear transformation generates n-bit sequences with a period of 2^n − 1, while the n single-bit sequences are not cyclically equivalent (unlike single-bit sequences from registers in maximum length LFSM). The PT scheme can also replace nonlinear transformations in many cryptosystems, such as S-boxes. Due to their low cost, nonlinear transformations with a large number of inputs are thus feasible. Furthermore, the overall security will be improved due to the key-able nature of the PT scheme. We tested the randomness quality of sequences generated from several 16- to 48-bit PT schemes using DIEHARD; their results consistently outperform the maximum length CA. For 24-bit and longer PT schemes, more than 18 DIEHARD tests are passed consistently. The linear complexity of these sequences is bounded by LC > n(2^n − q), where q < 6 for all the sequences tested.
Designed for built-in self test, the proposed Exponential Transformation Matrix Machines (ETMM) possess increased driving ability and generate sequences passing more than 18 DIEHARD tests. Both the improvement in DIEHARD results and in driving ability are due to the modified channel separations, which can be determined analytically. The concept of ETMM is closely related to the widely used time-spacing scheme; optimal time-spacing parameters to use can now be provided. The ETMM can be emulated by changing the clock rate, providing a flexible tradeoff in implementation cost/speed.
List of Tables
Table 2.1 Truth tables for transformation functions 21
Table 2.2 Characteristics leading to improved randomness quality in sequences 32
Table 3.1 Number of DIEHARD tests passed (maximum score 19) 40
Table 3.2 Some configurations of passing more than 17 tests 42
Table 4.1 Cayley relations (A_{f,t} = A_f + A_t) for primitive polynomial x^4 + x^3 + 1 57
Table 5.1 Transformations on initial states 66
Table 6.1 Equivalent nonlinear vector functions 90
Table 6.2 Linear complexity of 5- to 18-bit PT sequences 92
Table 7.1 Number of DIEHARD tests passed by LFSM (maximum score of 19) 102
Table 7.2 Improvement in driving ability with phase shifters 103
Table 7.3 Detailed channel separations for ETMMs 107
Table 7.4 Characteristic polynomials of A_f in hexadecimal notation 109
Table 7.5 Two-input XOR gate count of ETMM 118
Table A.1 List of individual tests in the DIEHARD suite 135
List of Figures
Figure 1.1 A 4-bit cellular automata 2
Figure 2.1 Three common forms of LSFM and their transformation matrices 16
Figure 2.2 A configurable register structure 30
Figure 3.1 A 4-bit SPCA f90↔f165 36
Figure 3.2 Generation of states in the SPCA 38
Figure 4.1 Two 4-bit CA configured using A1 and A2 54
Figure 5.1 The structure of a 4-bit L-LCA 63
Figure 5.2 Number of DIEHARD tests passed by single-bit sequences from 10- to 48-bit HCA f90/f150 and 1-LCA 71
Figure 5.3 Number of DIEHARD tests passed by n-bit sequences from 10- to 48-bit HCA f90/f150 and 1-LCA 72
Figure 5.4 Number of DIEHARD tests passed by single-bit sequences from 10- to 48-bit HCA f90/f150 and 2-LCA 72
Figure 5.5 Number of DIEHARD tests passed by n-bit sequences from 10- to 48-bit HCA f90/f150 and 2-LCA 73
Figure 5.6 Number of DIEHARD tests passed by single-bit sequences from 10- to 48-bit HCA f90/f150 and 3-LCA 74
Figure 5.7 Number of DIEHARD tests passed by n-bit sequences from 10- to 48-bit HCA f90/f150 and 3-LCA 74
Figure 5.8 Number of DIEHARD tests passed by single-bit sequences from 10- to 48-bit HCA f90/f150 and 4-LCA 74
Figure 5.9 Number of DIEHARD tests passed by n-bit sequences from 10- to 48-bit HCA f90/f150 and 4-LCA 75
Figure 5.10 Linear complexity of 1-LCA and 2-LCA 78
Figure 6.1 Number of DIEHARD tests passed (maximum score of 19) by
16- to 48-bit CA 83
Figure 6.2 A 3-bit PT scheme 89
Figure 6.3 Number of DIEHARD tests passed (maximum score of 19) by
16- to 48-bit PT schemes 91
Figure 6.4 XOR gate count for 16- to 48-bit PT schemes 94
Figure 7.1 Two phase shifters used with 1-LFSR 100
Figure 7.2 Number of DIEHARD tests passed by 29-bit ETMMs A_f with f ≠ 2^k 110
Figure 7.3 Number of DIEHARD tests passed by 30-bit ETMMs A_f with f ≠ 2^k 110
Figure 7.4 Number of DIEHARD tests passed by 31-bit ETMMs A_f with f ≠ 2^k 111
Figure 7.5 Number of DIEHARD tests passed by 24-bit ETMMs A_f with f = 2^k, k = 0, 1, …, 23 113
Figure 7.6 Number of DIEHARD tests passed by 29-bit ETMMs A_f with f = 2^k, k = 0, 1, …, 28 113
Figure 7.7 Number of DIEHARD tests passed by 30-bit ETMMs A_f with f = 2^k, k = 0, 1, …, 29 113
Figure 7.8 Number of DIEHARD tests passed by 31-bit ETMMs A_f with f = 2^k, k = 0, 1, …, 30 114
Figure 7.9 Driving ability (minimum separation 4096) for 24-bit ETMMs A_{2^k}, k = 0, 1, …, 23 115
Figure 7.10 Driving ability (minimum separation 160k) for 29-bit ETMMs A_{2^k}, k = 0, 1, …, 28 115
Figure 7.11 Driving ability (minimum separation 160k) for 30-bit ETMMs A_{2^k}, k = 0, 1, …, 29 116
Figure 7.12 Driving ability (minimum separation 160k) for 31-bit ETMMs A_{2^k}, k = 0, 1, …, 30 116
List of Symbols and Abbreviations
PRNG pseudorandom number generators
LFSM linear finite state machines
LFSR linear feedback shift registers
L-LCA layered CA with L layers of memory
TSMLM transformation sequence with maximum length matrix
ETMM (CA) ETMM constructed from the transformation matrix of a CA
ETMM (1-LFSR) ETMM constructed from the transformation matrix of a 1-LFSR
ETMM (2-LFSR) ETMM constructed from the transformation matrix of a 2-LFSR
{f_a | 0 ≤ a ≤ 255} CA register function from the set formed over the nearest
UCA f_a uniform CA with all its register functions configured using f_a
HCA f/f hybrid CA with register functions configured using f/f
HCA f90/f150 maximum length CA with register functions configured using f90 or f150
G ≡ g − g − g vector function over the previous states S(t−1) in the memory layer; used to derive C(t)
A denotes the transformation matrix of a maximum length CA
a_ij binary element in the i-th row and j-th column of transformation matrix A
basic CA state transformation equation
Φ time-invariant CA transformation such that S(t+1) = Φ(S(t))
general transformation sequence for linear sequences
d channel separation between the register pair ( , where 0 , and
Uniform channel separations are attained in an n-bit LFSM when between adjacent registers
Chapter 1
Introduction
1.1 Introduction to Work Presented in this Thesis
Cellular Automata (CA) [1] are dynamic systems in which space and time are discrete. A CA consists of an array of cells where each cell can be in any of the possible states. Each cell's state is updated synchronously in discrete time steps according to a local interaction rule, a function over the current states of a surrounding neighborhood of cells. The cells can be arranged in k-dimensional grids, where k = 1, 2, 3 is more commonly used in practice.
In 1986, Wolfram began studying one-dimensional finite binary CA as suitable pseudorandom number generators (PRNG) [2,3]. Each cell or binary register j has the same function f to update its state at time t, and this function uses inputs from the neighborhood (s_{j−1}(t), s_j(t), s_{j+1}(t)). The CA transformation is thus defined as the juxtaposition of all these individual functions. Figure 1.1 shows a 4-bit CA.
Wolfram considered all the possible 256 functions over this nearest-three-input neighborhood, and certain CA transformations were found to be suitable for pseudorandom number generation because their successive states in time do not have any persisting patterns or structures observed visually using time-space diagrams.
Furthermore, if these patterns repeat themselves only after a suitably long cycle, such patterns have a period length that is suitable for pseudorandom number generation. Wolfram showed that the randomness quality of the patterns generated by CA is better than that of the widely used Linear Feedback Shift Registers (LFSR) [25]. This observation was quickly confirmed by various researchers who extended Wolfram's work.
Figure 1.1 A 4-bit cellular automata
In previously published CA PRNG proposals (surveyed in Chapter 2), authors have frequently focused on a particular objective(s) from the full set of desirable PRNG properties. In [63,67,69,70,75], the focus is on configuring finite length n-bit CA (with n binary registers) to generate sequences with maximum period p = 2^n − 1. These proposals developed theories on the existence of such maximum length configurations for CA of any size, showed that CA are actually related to the LFSR (by their common characteristic polynomial), and gave procedures to derive these CA.
In [76-80,88], passing the DIEHARD tests [33] (a well known stringent randomness test suite) is the main priority. The authors hypothesized that by making the CA state transitions more complex or chaotic, the randomness quality of these sequences can be increased. Other researchers [76,77,86,87] view the CA as a model for processes occurring in nature, and hence utilized genetic algorithms and other evolutionary techniques [39,40,85] to improve a population of candidate CA such that a final "evolved" CA is obtained. These authors used a variety of randomness test results to guide the evolution, and DIEHARD is then used to evaluate the final evolved CA. In both approaches, CA passing all DIEHARD tests are successfully derived.
Interestingly, we do not know of any proposal in the literature that contains both theoretical analysis of the properties of the proposed CA and DIEHARD test results on the generated sequences. We conducted our own DIEHARD testing on maximum length sequences and found that their randomness quality is not always satisfactory (see Section 5.3.1). On the other hand, analysis of both the evolved CA and highly complex CA is not easy; sequence properties such as period length and distribution are usually based on experimental results.
In previous works, there is considerable focus on the CA structure, primarily because of the strong influence from the initial research areas on CA such as self-reproduction systems [5,8], Game of Life [6], etc. The following are some examples of how the CA structure is modified so that the CA transformation is changed: boundary conditions, type of neighborhood to draw inputs from, number of registers in a CA, dimensionality of the CA, initial state configuration of the CA, the individual function used for each register, etc. Ultimately, the type of sequence generated still depends on the CA transformation. Four characteristics common in CA transformations that passed all DIEHARD tests are identified in Table 2.2. The high randomness quality of the sequences generated is possibly attributable to these characteristics.
In this thesis, a systematic approach to the design and analysis of CA containing the above characteristics is developed. The focus is on CA that pass all DIEHARD tests while desirable sequence properties such as maximum period length, balanced distribution of 1 and 0, uniform distribution of the n-bit states, etc. can be easily guaranteed by the approach. A brief description of the DIEHARD tests as well as the experimental setup used for the rest of this thesis is given in Appendix A.
The aim of this thesis is to go beyond the limitations set by the current structural view of CA. Current designs of CA seem preoccupied with retaining simplicity in the register functions. New designs are actually driven by making changes in the CA structure first, and the generated sequences are then checked for passing of DIEHARD tests and desired properties. When we design a CA to generate highly random number sequences, the focus should be on its global behavior, in other words the desired sequence properties. Unfortunately, this global behavior cannot be easily determined. While we are certain that the global behavior is brought about by the interaction among individual registers, there is unfortunately no clear link as to how desired global behavior can be achieved by considering separately the individual behavior of the registers contained in the CA. We can study the interaction between a few registers, but this quickly becomes infeasible due to the exponential growth of possible configurations that can arise from the multiplicity of register functions, arrangements of registers, etc.
We are interested in comparing the following approaches. Is it fruitful to derive desired sequence properties from a CA by modifying its individual registers and their functions? Can a CA-level modification be applied to an existing CA transformation that is close to the solution we seek, such that each register function is specifically modified and the concerted effect of all modified registers generates the sequence properties we seek? The answer to the second question is different from the first question and from previous approaches where changes to the local structural properties are made first.
1.2 Overview on Pseudorandom Number Generators
Random numbers [33-35] are needed in a variety of scientific, mathematical, engineering and industrial applications including cryptography, built-in self test, artificial evolution such as genetic algorithms [85], Monte Carlo simulations [35], etc. In a sequence of random numbers, each is obtained by chance, independent of the other numbers in the sequence, and takes on any value in the given range with uniform probability. Real random numbers can only be obtained by devices based on some physical phenomenon [34]; however, these are difficult to use in most applications. These physical devices are usually unable to provide fast operating speed, and are bulky and prone to failure. In most applications, a random number sequence must be exactly regenerated to reproduce or verify previous results. This can be very difficult to achieve using a truly random physical source unless large data storage is available to store the random numbers for re-use. The most convenient and reliable way to generate random numbers is via deterministic algorithms. These algorithms generate a sequence of numbers that seem to behave like independent random numbers, hence known as pseudorandom numbers, and these algorithms are also known as pseudorandom number generators.
Definition 1.1 A pseudorandom number generator (PRNG) can generally be described as a recurrence function Φ associated with a generator state S(t). Given an initial state S(0), the generator state is repeatedly updated by the application of Φ on the current state, S(t+1) = Φ(S(t)), for t = 0, 1, 2, …. A PRNG does not retain the values of previous states S(t−l), for l = 1, 2, 3, …, so each new state S(t+1) is only determined by Φ and the current state S(t).
At clock t, the n-bit PRNG state can be sampled for output as the pseudorandom number sequence. Since the algorithm is deterministic and finite, this sequence eventually repeats with period p, starting from a particular state S(τ): S(τ+p) = S(τ). A state with S(τ+1) = S(τ) is called a graveyard state, since the PRNG retains the same state despite application of the function Φ. It is clear that the period cannot exceed 2^n, and generators are usually designed with p very close to 2^n so that computer memory is not wasted.
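The recurrence of Definition 1.1 and the nearest-three-input CA of Section 1.1 can be checked directly in code. The following Python simulation is an added example written for this page, not code from the thesis: it encodes each register function as a Wolfram rule number (the same numbering as f90 and f150 above), assumes null (always-0) boundary cells, iterates S(t+1) = Φ(S(t)) and measures the period. The rule vector (90, 150, 90, 150) is a constructed 4-bit hybrid CA whose characteristic polynomial x^4 + x + 1 is primitive, so it should reach the maximum period p = 2^n − 1 = 15; the uniform rule-90 CA and the all-zero graveyard state are included as contrasts.

```python
# Added example (not from the thesis): a 1-D binary CA as the recurrence
# S(t+1) = Phi(S(t)) of Definition 1.1, with period and graveyard-state checks.

def rule_table(rule):
    """Wolfram rule number (0..255) -> next-state bit for each (left, centre, right)."""
    return {(l, c, r): (rule >> (4 * l + 2 * c + r)) & 1
            for l in (0, 1) for c in (0, 1) for r in (0, 1)}


def ca_step(state, rules):
    """One synchronous update of an n-bit CA with null (always-0) boundary cells.
    state: tuple of bits (s_1, ..., s_n); rules: one Wolfram rule number per cell,
    so a hybrid CA such as (90, 150, 90, 150) is just a rule vector."""
    padded = (0,) + tuple(state) + (0,)
    tables = [rule_table(r) for r in rules]
    return tuple(tables[j][(padded[j], padded[j + 1], padded[j + 2])]
                 for j in range(len(state)))


def trajectory(state, rules):
    """Return (preperiod, period): iterate Phi until some state repeats."""
    seen = {}
    t = 0
    while state not in seen:
        seen[state] = t
        state = ca_step(state, rules)
        t += 1
    return seen[state], t - seen[state]


def is_maximum_length(rules):
    """True when the orbit of 0...01 is a single cycle of length 2^n - 1,
    i.e. the CA has the maximum period p = 2^n - 1 of Section 1.1."""
    n = len(rules)
    start = state = (0,) * (n - 1) + (1,)
    orbit = set()
    while state not in orbit:
        orbit.add(state)
        state = ca_step(state, rules)
    return state == start and len(orbit) == 2 ** n - 1


def is_graveyard(state, rules):
    """Graveyard state: Phi(S) = S, so the generator never leaves it."""
    return ca_step(state, rules) == tuple(state)


if __name__ == "__main__":
    hybrid = (90, 150, 90, 150)      # constructed 4-bit rule vector
    print("(preperiod, period) from 0001:", trajectory((0, 0, 0, 1), hybrid))
    print("hybrid 90/150 is maximum length:", is_maximum_length(hybrid))
    print("uniform rule 90 is maximum length:", is_maximum_length((90,) * 4))
    print("all-zero state is a graveyard:", is_graveyard((0, 0, 0, 0), hybrid))
```

Because every register function here is linear (XOR of neighbors), the all-zero state maps to itself, which is why a maximum length linear CA can visit at most the 2^n − 1 nonzero states; `is_maximum_length` checks exactly that cycle length rather than trusting the characteristic polynomial.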
Building a good random number generator may seem simple, but it is not. As Knuth [34] mentioned, PRNG should not be built in an ad-hoc or random manner since many criteria must be met concurrently. A large period length is only one desirable property for a pseudorandom number sequence; other basic requirements include having a balanced count of 1 and 0 as well as uniform distribution of n-bit states over a single period of the generated sequence. The quality of a pseudorandom number sequence is of fundamental importance to its intended application, and it is therefore crucial to choose an appropriate PRNG exhibiting good statistical and randomness quality: all tests on the PRNG's sequences should demonstrate that these sequences are indistinguishable from a true random source. In this thesis, the generated sequences from each CA are subjected to the well-known 19 DIEHARD [33] randomness tests. A brief description of these DIEHARD tests as well as our experimental setup used for the rest of this thesis is given in Appendix A. We may also require sequences that are difficult to predict unless the process generating them is known. To ensure they are feasible for a wide variety of applications, PRNG designs should be easy to implement and provide a high output rate. In practice, many acceptable deterministic procedures exist for generating pseudorandom number sequences.
1.3 Applications of Pseudorandom Number Generators
The various structural advantages of CA for VLSI implementation have led to their popularity in several important application areas such as pseudorandom number generators in built-in self test [44,47,71,72] and cryptosystems [23,24,73,89], design of associative memory, error detection and correction for coding schemes, etc. A good review of the state of the art in CA applications can be found in [9,74]. The CA is characterized by very simple processing units, which can be implemented with massive parallelism. Implementation cost wise, each new state is computed locally and propagation delays are small. The CA has local inter-connections with low wiring complexity, and this modularity allows easy layout design. The CA is often compared to the linear feedback shift register (LFSR) [25]. Due to the structure of the LFSR, long wiring and cascaded connections are required. The randomness quality of sequences generated by the CA is often pointed out as superior to that of sequences from the LFSR [52,55,62,64]. Both the CA and the LFSR are actually models of finite state machines, and when only linear functions are used in the CA, these can be considered under the class of Linear Finite State Machines (LFSM). In this thesis, we focus on designing CA PRNG with potential applications in cryptography and built-in self test.
1.3.1 Cryptography
Current communication trends are characterized by explosive growth of digital information exchange and mobility. Organizations rely on cryptography to secure information exchange between mobile devices over insecure communication channels such as wireless networks. Mobile computing devices are typically limited in terms of size, processing capability as well as battery power. Specialized hardware cryptography circuits are thus ideal for these mobile devices, since their main (general) processors may not keep up with new encryption/decryption requirements. Stream ciphers [26,30] are best suited for such communication environments because they can operate at very high speed, have low-cost construction in terms of gates and memory, and have limited error propagation. A central problem in any stream cipher scheme is to design PRNG that generate long sequences of highly nonlinear and unpredictable pseudorandom numbers. These pseudorandom numbers must be indistinguishable from truly random ones, and the probability of any particular value being selected must be small enough that no search technique can succeed with probability significantly more than ½. These PRNG are also known as keystream generators in this context. An example is the recent stream cipher E0 [32] for Bluetooth, which consists of four linear feedback shift registers [32] with 25, 31, 33 and 39 binary registers respectively.
1.3.2 Built-In Self Test
Increasingly high density and high performance integrated circuit technology drive the need for highly effective fault testing at high clock speed. Testing a circuit involves applying an appropriate set of input patterns to the circuit and checking for the correct outputs. Previously, expensive external testers were used to perform testing on integrated chips. Built-in self-test (BIST) architecture [42,43] offers desirable advantages such as accurate diagnostic capabilities, modularity, small implementation area, protection of intellectual property and proprietary cores, etc. The test pattern generators are directly embedded onto the same IC chip with the circuit under test. Without the need for significant inter-chip data transfer, tests can be conducted at the same clock rate as normal circuit operation, which is important for detecting timing related faults that only manifest under actual operating conditions. With external testers, at-speed testing is difficult to implement.
Pseudo-random testing is an attractive approach for BIST, where an LFSM is used as the test pattern generator to apply pseudo-random test patterns. There are limits on the test length, which is the number of pseudo-random patterns that can be applied during a test session. These can be the time required to apply the patterns, the simulation time required to determine fault coverage, or even the heat dissipation of the chip under test. If the circuit under test has more than 20 inputs, the time required to test exhaustively is prohibitively large, and a selected subset of test inputs is used instead. The built-in logic block observation technique [43] is a commonly used approach that uses an LFSM to generate the required test inputs. Each fault is associated with a detection probability that is given as the number of patterns detecting the fault divided by the total number of test patterns. The so-called random pattern resistant faults have very low detection probabilities.
Most importantly, a test pattern generator must provide high fault coverage during testing. Structural dependencies in generated test patterns are often the cause of low fault coverage. Randomness testing is important because the analysis of fault coverage during testing is usually based on the assumption of a truly random test pattern source. When the LFSM used is non-random, the actual fault coverage will be different from the assumed level.
1.4 Contribution of the Thesis
This thesis started with the aim of generating pseudorandom sequences that pass all DIEHARD tests using the minimum number of registers. The Self-Programmable CA [80] (SPCA) is proposed, which uses time-varying register functions that are selected through a set of control signals. These control signals are derived from the previous CA states, so that the associated switching costs for the individual register functions are minimized. The need for specifying an external control source is also removed. Several SPCA with only 36 to 48 registers are shown to generate sequences passing at least 18 DIEHARD tests.
The Layered-CA [84] is generalized from the SPCA using the Transformation Sequence with Maximum Length Matrix (TSMLM) concept so that analysis is facilitated. A reduced form of the time-varying, composite CA transformation used at each clock is obtained, and the state sequences generated can be categorized into groups with a representative transformation sequence. Many variants of the Layered-CA with at least 44 registers are shown to generate sequences passing at least 18 DIEHARD tests. The Layered-CA also increases linear complexity substantially when simple nonlinear functions are used.
The core of this thesis is the TSMLM concept for designing analyzable CA PRNG. The transformation sequence of an LFSM is defined, and the TSMLM concept revolves around techniques to permute this transformation sequence. We developed several supporting theorems and proved that the desired sequence properties such as maximum period length, balanced distribution of 1 and 0, uniform distribution of the n-bit states, etc. are guaranteed by conforming to the concept. Subsequently, new CA designs are created using a top-down approach that changes all the register functions such that they possess the identified characteristics of complex CA transformations, and the concerted effect of all modified registers generates sequences with randomness quality hypothesized to be at least as good.
In keystream generators, nonlinearity is conventionally provided by a very complex nonlinear Boolean function with n inputs, which typically has n⋅2^(n−1) XOR and AND gates. Due to the exponential cost in gates, such functions use 16 or fewer inputs. The Programmable Transformations (PT) scheme [81] is a set of cascaded, programmable linear transformations that "induce" nonlinearity into the generated sequence indirectly.
The PT scheme can replace nonlinear transformations in many cryptosystems such as Secret-Boxes, etc. For certain conditions, a special low-cost scheme requiring approximately n^2 XOR gates can be derived. Due to its low cost, nonlinear transformations with a large number of inputs are thus feasible. Furthermore, the overall security is improved due to the key-able nature of the PT scheme. 24- to 48-bit versions of this PT scheme generated sequences that passed more than 18 DIEHARD tests consistently. The linear complexity LC of these sequences is also tested, and the results show that it is bounded by LC ≥ 2n − 5.
For BIST applications, the Exponential Transformation Matrix Machines (ETMM) derived from any maximum length LFSM have channel separations that can be determined analytically, and a method to obtain an ETMM with uniform channel separation is given. The driving ability and randomness quality of sequences generated from each ETMM are improved over the LFSM it is derived from. The ETMM are shown to have a flexible implementation that allows emulation by changing the clock rate. The concept of time spacing is thus closely related; a derivation for the optimum parameter settings for time spacing is given.
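Linear complexity LC, used above and in Chapter 5 as a measure of the sequences, is the length of the shortest LFSR that reproduces a sequence, and the Berlekamp-Massey algorithm finds it from 2·LC consecutive bits. The Python below is an added example written for this page, not code from the thesis: it generates the m-sequence of the primitive polynomial x^4 + x^3 + 1 listed in Table 4.1 (the Fibonacci recurrence s(t+4) = s(t+3) ⊕ s(t) is this example's own choice of implementation), confirms that its LC equals the register count n = 4, and then ANDs adjacent output bits, a constructed nonlinear combiner, to show how even a simple nonlinear function raises LC well above n, the effect the paragraph above attributes to the Layered-CA and PT scheme.

```python
# Added example (not from the thesis): linear complexity via Berlekamp-Massey,
# for an m-sequence and for a simple nonlinear combination of it.

def lfsr_bits(seed, length):
    """Fibonacci LFSR for the primitive polynomial x^4 + x^3 + 1 (Table 4.1):
    s(t+4) = s(t+3) XOR s(t). `seed` supplies s(0..3); returns `length` bits."""
    s = list(seed)
    while len(s) < length:
        s.append(s[-1] ^ s[-4])
    return s[:length]


def and_adjacent(bits):
    """Constructed nonlinear combiner: output bit t is s(t) AND s(t+1)."""
    return [a & b for a, b in zip(bits, bits[1:])]


def linear_complexity(bits):
    """Berlekamp-Massey over GF(2): length of the shortest LFSR that generates
    `bits`. Gives the true LC of a periodic sequence when len(bits) >= 2 * LC."""
    n = len(bits)
    c = [0] * (n + 1)          # current connection polynomial C(x)
    b = [0] * (n + 1)          # connection polynomial before the last length change
    c[0] = b[0] = 1
    L, m = 0, -1               # current LC and index of the last length change
    for i in range(n):
        d = bits[i]            # discrepancy: does C(x) predict bits[i]?
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L


if __name__ == "__main__":
    seq = lfsr_bits((0, 0, 0, 1), 30)            # two full periods of 15
    print("one period of the m-sequence:", seq[:15])
    print("LC of the LFSR output:", linear_complexity(seq))
    print("LC after AND of adjacent bits:",
          linear_complexity(and_adjacent(lfsr_bits((0, 0, 0, 1), 31))))
```

The m-sequence has period 15 with 8 ones and 7 zeros, and Berlekamp-Massey recovers LC = 4; the AND-combined sequence keeps period 15 but its LC rises to 10, so an attacker observing it would need 20 bits and a 10-stage recurrence rather than 8 bits and the original 4-stage one. For the 24- to 48-bit schemes in the text the same routine applies unchanged, only the input length grows.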
1.5 Overview of the Thesis
This introductory chapter has briefly introduced the thesis focus and the potential
applications for our solutions Our two contrasting methodologies to design CA are
discussed – a bottom-up approach used in Chapter 3 and 5 against a top-down
approach used in Chapter 4, 6, 7 and 8 The rest of the thesis is organized as follows
• Chapter 2 introduces the basic theory of LFSM – which includes the LFSR and CA The fundamental operations of these LFSM and the basic method of obtaining
pseudorandom numbers from a CA is explained as well as related work on CA
PRNG Extended models building upon basic CA to improve randomness quality
of their generated sequences are reviewed The common characteristics of CA
PRNG that generate sequences with high randomness quality are identified
• Chapter 3 introduces the SPCA, a class of configurable CA using memory to effect time-varying CA transformations. A uniform CA having one memory layer is used
so that control signals can be derived from the previous CA states. Experimental
results and implementation issues are compared with previously proposed CA
passing all DIEHARD tests. Being designed using a bottom-up approach starting
with the registers’ transformations, the inadequacy of mathematical support for
these CA is highlighted.
• Chapter 4 presents the details of our proposed TSMLM concept to facilitate the design of analyzable CA. The transformation sequence is formally defined and
several theorems encapsulating the TSMLM concept are developed. These lay the
foundation for the new CA designs examined in Chapters 6, 7, and 8.
• In Chapter 5, the SPCA introduced previously is generalized to the Layered-CA so that its state transformation can be analyzed using the TSMLM theorems. A
maximum length CA having L memory layers is used and the control signals are
derived directly from the previous CA states. Many variants are studied by
increasing the size of the maximum length CA, the number of memory layers, the
function used to derive the control signal, etc.
• In Chapter 6, the PT scheme demonstrates the use of our proposed TSMLM concept to “induce” nonlinearity into the sequences indirectly. The permuted
transformation sequence is obtained by using an external source to determine the
transformation to use at each clock.
• Being used as pseudo-exhaustive test pattern generators, maximum length LFSM have an important role in BIST. These LFSM also need to satisfy high channel
separations and driving ability. In Chapter 7, the three canonical forms of LFSM
are studied in the BIST context. The ETMM designs are derived by suitable matrix
multiplication on the transformation matrix of an LFSM. In certain cases, phase
shifters may not be necessary and additional costs are thus avoided. The three
canonical forms of LFSM are used to derive several ETMM, and these results
showed improved driving ability and DIEHARD results over the original canonical
forms.
• Finally, Chapter 8 gives a conclusion for this thesis and highlights some potential directions for future work.
Chapter 2
CA and LFSM based PRNG:
Introduction and Literature Survey
In this chapter, we first introduce the LFSM, the general class which includes the LFSR
and linear CA: the structural differences and similarities of the different types of
LFSM, how states are updated in these LFSM, and a basic method to obtain
and test pseudorandom number sequences. After this, the focus is shifted back to
CA, where existing proposals are studied to gain insights for improving the
randomness qualities of the generated sequences.
2.1 Linear Finite State Machines (LFSM)
An LFSM is an array of n binary registers connected in a particular manner
with XOR gates. It is known [25] that an n-bit maximum length LFSM can be
configured using any n-degree primitive polynomial over GF(2); the primitive
polynomial is viewed as a recurrence function that determines the value of the next
bit given the previous n bits. The different ways to configure an LFSM using a
primitive polynomial give rise to the three canonical forms of LFSM shown in
Figure 2.1. The two types of LFSR are dominantly used in most VLSI applications,
although the CA is starting to gain popularity. For the LFSR, the feedback
connections correspond to the positions of the coefficients in the primitive polynomial,
while the individual register functions used in the CA can be obtained using a
transform given in [69]. The connection structure of these LFSM can be represented
using a binary transformation matrix A [74].
Figure 2.1 Three common forms of LFSM and their transformation matrices, with the common primitive characteristic polynomial (obtained from the transformation matrix A)
The LFSM state at time t can be denoted by the binary vector $S^{(t)}$
(transposed), where each register’s state $s_j^{(t)} \in \{0, 1\}$. The 1-LFSR is characterized by the direct shifting of register bits and the
XOR-ing of the bits from several feedback points. In the 2-LFSR, the last register’s state
is XOR-ed with other registers’ states at several feedback points and each
register’s new bit is given by either $s_{j+1}^{(t+1)} \leftarrow s_j^{(t)}$ or $s_{j+1}^{(t+1)} \leftarrow s_j^{(t)} \text{ XOR } s_n^{(t)}$. In the CA, each register’s new bit is usually given by XOR-ing a subset of neighboring bits, i.e.
the register states at the positions of the ‘1’ entries in row i of A are XOR-ed. From the 1-LFSR example in Figure 2.1, the first three rows have a single ‘1’ and these
successive states can be related to the initial state (note that all arithmetic is
performed over the binary field GF(2)):
$S^{(t)} = A^t \cdot S^{(0)}$
To avoid confusion in subsequent mathematical expressions, note that the
superscript f without parentheses is used to indicate $A^f$, which can be understood as
$A^f \equiv \prod_{1}^{f} A$. The superscript (t) in parentheses is used i) to indicate the
transformation matrix $A^{(t)}$ used at time t, where $A^{(t)}$ can take on any value from the set $A^{(t)} \in \{A^f\}_{f=1}^{2^n-1}$, and ii) to denote the output state vector $S^{(t)}$ at time t.
The subscript k is used for indicating a specific bit or register within a vector, i.e. $s_k^{(t)}$.
The states of an LFSM during each discrete time step can be successively sampled
to form a pseudorandom number sequence. Besides the two basic definitions given
below, there are also several types of sampling schemes [46,78,87] which avoid
state sampling at every clock or every register of the CA, so as to improve the
randomness qualities of the pseudorandom number sequence.
Definition 2.1 An n-bit sequence is defined as the concatenation of all bit
states from the LFSM at each sampling instance to form $\{S^{(1)}, S^{(2)}, S^{(3)}, \ldots\}$.
Definition 2.2 A single-bit sequence is defined as the concatenation of the bit state from a single specified register j of the LFSM at each sampling instance
to form $\{s_j^{(1)}, s_j^{(2)}, s_j^{(3)}, \ldots\}$.
In both types of sequences, the notion of a period is based on the length of each
cycle: a sequence has period p when $S^{(t+p)} = S^{(t)}$. The maximum length LFSM is a
well-known class of LFSM [25,63,67] that generates both n-bit and single-bit sequences
with the maximum possible period of $2^n - 1$. For an n-bit maximum length LFSM, all
nonzero states reside in a single cycle with period $2^n - 1$ while the zero state is self-contained, i.e. for $S^{(0)} = 0$, $S^{(t)} = A^t \cdot S^{(0)} = 0$. A maximum length LFSM has a transformation matrix that is associated with a primitive characteristic polynomial.
In [66], the authors stated that a pair of CA and LFSR is equivalent on the basis of
their common characteristic polynomial. Note that although different LFSM can be
associated with the same primitive characteristic polynomial, their transformation
matrices A are not identical and this leads to different n-bit state sequences being
generated from each LFSM. For example, the three LFSM shown in Figure 2.1 have
a common primitive characteristic polynomial $x^4 + x^3 + 1$. However, single-bit sequences are identical regardless of the LFSM used, as long as their transformation
matrix is associated with the same primitive characteristic polynomial.
For a particular primitive polynomial, the LFSM structure has a strong influence on
the randomness quality of the n-bit sequences produced as well as the VLSI
implementation cost. Structural dependencies in the test patterns generated from a
1-LFSR are often the cause of low fault coverage in built-in self test applications.
Structural dependencies arise from the fact that for a 1-LFSR, each state is shifted
from right to left progressively at each clock; therefore the channel separation
between adjacent registers is only one clock and thus the single-bit sequences from
adjacent registers are highly correlated. This major shortcoming due to the 1-LFSR
structure gives rise to alternative LFSM structures such as the 2-LFSR and CA. The
canonical forms of the CA, 1-LFSR and 2-LFSR are versions of LFSM with
certain optimized aspects. Both LFSR types have the lowest XOR gate counts,
equivalent to the number of nonzero coefficients in the characteristic polynomial.
The CA has localized connections, higher speed and allows a modularized layout, but has
a higher XOR gate count since each register function uses up to 2 XOR gates.
The 1-LFSR may have operating speed degradation due to the cascaded nature (b−1 levels)
of the computed feedback bit. The 2-LFSR faces excessive fan-out at the first stage
register output since it has to drive b XOR gates. It is desirable to have low-cost
LFSM that can generate sequences with desirable randomness quality. Since CA
have been widely shown to generate sequences with better randomness quality than
LFSR [25], we use CA as a reference for comparison.
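The following is an added example (Python written for this page, not the thesis's own code) of the material above: the three canonical forms as GF(2) transformation matrices built from the primitive polynomial $x^4 + x^3 + 1$ named for Figure 2.1, the n-bit state sequence $S^{(t)} = A^t S^{(0)}$ with its period, the characteristic polynomial recovered from A, the statement that single-bit sequences are phase shifts of one m-sequence whichever LFSM is used, and the channel separation between adjacent registers (one clock for the 1-LFSR). The register ordering of the 1-LFSR/2-LFSR matrices and the 90/150 rule vector (found by search over all 4-bit vectors rather than taken from the figure) are assumptions of this example.

```python
"""Added example (not the thesis's code): LFSM as GF(2) transformation
matrices, S(t+1) = A * S(t), for the three canonical forms built from one
primitive polynomial; period, characteristic polynomial, single-bit
equivalence and channel separation are checked by simulation."""
from itertools import product

# GF(2)[x] polynomials are ints: bit i is the coefficient of x^i.
P = 0b11001   # x^4 + x^3 + 1, the polynomial the text names for Figure 2.1
N = 4

def poly_mul(a, b):
    """Carry-less multiplication of two GF(2)[x] polynomials."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r

def one_lfsr(p, n):
    """1-LFSR: each register takes its right neighbour's bit; the last one is
    the XOR of the taps (nonzero coefficients of p).  Register order here is
    an assumption of this example, not Figure 2.1's."""
    A = [[0] * n for _ in range(n)]
    for j in range(n - 1):
        A[j][j + 1] = 1
    A[n - 1] = [(p >> k) & 1 for k in range(n)]
    return A

def two_lfsr(p, n):
    """2-LFSR: the last register's bit is XOR-ed into the feedback points,
    i.e. the transpose of the 1-LFSR matrix (same characteristic polynomial)."""
    A = one_lfsr(p, n)
    return [[A[j][i] for j in range(n)] for i in range(n)]

def ca_90_150(rules):
    """Null-boundary CA; rules[i] = 1 means f150 (register i XORs itself in),
    0 means f90.  Row i of A has ones at the registers XOR-ed by register i."""
    n = len(rules)
    return [[1 if abs(i - j) == 1 else (rules[i] if i == j else 0)
             for j in range(n)] for i in range(n)]

def charpoly(A):
    """det(xI + A) over GF(2)[x] by cofactor expansion (small n only)."""
    n = len(A)
    return _det([[A[i][j] ^ (0b10 if i == j else 0) for j in range(n)] for i in range(n)])

def _det(M):
    if len(M) == 1:
        return M[0][0]
    total = 0
    for j, entry in enumerate(M[0]):
        if entry:   # cofactor signs vanish over GF(2)
            total ^= poly_mul(entry, _det([row[:j] + row[j + 1:] for row in M[1:]]))
    return total

def find_ca_rules(p, n):
    """All 90/150 rule vectors whose CA has characteristic polynomial p."""
    return [r for r in product((0, 1), repeat=n) if charpoly(ca_90_150(r)) == p]

def step(A, s):
    """S(t+1) = A * S(t) with arithmetic over GF(2)."""
    return tuple(sum(a & b for a, b in zip(row, s)) & 1 for row in A)

def orbit(A, s0):
    """n-bit state sequence from s0 up to its first repeat (length = period)."""
    seen, s = [], s0
    while s not in seen:
        seen.append(s)
        s = step(A, s)
    return seen

def bit_sequence(A, s0, k):
    """Single-bit sequence of register k over one period (Definition 2.2)."""
    return tuple(s[k] for s in orbit(A, s0))

def channel_shift(A, s0, j, k):
    """Clocks by which register k's sequence leads register j's (their channel
    separation); None if the two are not phase shifts of one sequence."""
    sj, sk = bit_sequence(A, s0, j), bit_sequence(A, s0, k)
    return next((d for d in range(len(sj)) if sk == sj[d:] + sj[:d]), None)

def single_bit_equivalent(matrices, s0):
    """True when every register of every LFSM given produces a phase shift of
    one m-sequence, as the text states for a common primitive polynomial."""
    ref = bit_sequence(matrices[0], s0, 0)
    return all(any(bit_sequence(A, s0, k) == ref[d:] + ref[:d] for d in range(len(ref)))
               for A in matrices for k in range(len(s0)))

if __name__ == "__main__":
    s0 = (1, 0, 0, 0)
    forms = {"1-LFSR": one_lfsr(P, N), "2-LFSR": two_lfsr(P, N),
             "CA": ca_90_150(find_ca_rules(P, N)[0])}
    for name, A in forms.items():
        print(name, "period", len(orbit(A, s0)), "charpoly", bin(charpoly(A)),
              "registers 0/1 separation", channel_shift(A, s0, 0, 1))
    print("single-bit sequences equivalent:", single_bit_equivalent(list(forms.values()), s0))
```

Running the script shows that all three machines have period 15 and characteristic polynomial 0b11001, that the 1-LFSR's adjacent registers are separated by a single clock while the CA's are not, and that every register of every machine emits the same cyclic single-bit sequence, which is the equivalence the text describes. `find_ca_rules` goes beyond the text by locating, for a given polynomial, all 90/150 rule vectors that realize it (two mirror-image vectors for this one).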
The various forms of LFSM have been widely used in applications proposed in the
literature due to the following advantages:
• They have efficient implementation and fast operation
• Generated sequences can have maximum period $2^n - 1$ and satisfy Golomb’s postulates [25]
• Their structures and generated sequence properties can be readily analyzed with algebraic techniques
2.2 Cellular Automata
The main difference between a CA and the two types of LFSR is due to the term
“shift register”. As its name suggests, the LFSR is characterized by the shifting of
bits, especially evident in the 1-LFSR. On the other hand, each register in the CA
updates its state using a function f applied to the current states of neighboring registers, $s_j^{(t+1)} = f(s_{j-r}^{(t)}, \ldots, s_j^{(t)}, \ldots, s_{j+r}^{(t)})$, where r denotes the radius used to define the register’s neighborhood of 2r+1 registers. The conventional nearest-three-input
neighborhood, having r=1, consists of the register itself $s_j$ and its immediate left/right neighbors $s_{j-1}$/$s_{j+1}$. The next state transformation of the CA is thus considerably more random. Single-bit sequences from both CA and LFSR can be considered
pseudorandom, but often multiple bits are required at each sampling instance. This
cannot be done for the LFSR due to the high correlation between adjacent registers.
The 256 transformation functions (including nonlinear functions) associated with
the nearest-three-input neighborhood are usually denoted by their truth table
decimal representation (see [1] for the function naming convention). For example, six
widely studied additive transformation functions (these are often used in the rest of
the thesis) are given below and their associated function names can be understood
from their output values in Table 2.2.
We only consider CA with null boundary conditions (unless stated otherwise),
where the leftmost/rightmost registers’ functions receive a fixed "0" input from their
“supposed” left/right neighbors respectively. Null boundary conditions avoid the long
connection wires routed across the whole length of the CA when periodic
boundary conditions are used. There are other types of boundary conditions, such as
the immediate boundary condition, and details for these can be found in [75].
A CA can be uniform, where the same set of function/neighborhood is used for each
register, or hybrid, where each register can use a different set. Figure 2.1 shows a
4-bit hybrid CA with the function configuration $\Phi = \{f_{150}, f_{90}, f_{150}, f_{90}\}$.
Definition 2.3 A uniform CA uses the same transformation function f for all its registers and is denoted as UCA. When the transformation function is from
the set $\{f_a \mid 0 \le a \le 255\}$ over the nearest-three-input neighborhood, the UCA is denoted as $\text{UCA}_{f_a}$.
Definition 2.4 A hybrid CA can use different transformation functions for different registers and is denoted as HCA. When these transformation functions are
from the set { over the nearest-three-input neighborhood, the HCA
contains only linear functions, it is equivalent to a transformation matrix A as
shown in Equation (2.1).
Definition 2.6 A time-invariant CA transformation is defined as the fixed transformation Φ applied at each clock to generate the next CA state from the current CA state.
2.3 Literature Survey of CA based PRNG
Truly random numbers can only be obtained from some physical phenomenon. The
random numbers generated by a PRNG are only pseudo-random, since PRNG are
deterministic and based on a particular algorithm. Although this assertion is
inevitable, we would still like to obtain sequences that behave as if they are random.
It is impossible to give a mathematical proof that a PRNG is indeed random. The
following review is of CA PRNG designed to pass randomness tests and thus
evaluated empirically, from the time-space diagrams used by Wolfram to the
DIEHARD test suite used in most recent proposals [76-84,87,88,90]. A brief
description of the DIEHARD test suite [33] is given in Appendix A.
2.3.1 Uniform CA
CA based PRNG have been studied previously in a variety of ways.
$\text{UCA}_{f_a}$ ($0 \le a \le 255$) is examined by Wolfram [1,2,3] using time-space
diagrams (plotting all the CA states for each consecutive clock). While these
$\text{UCA}_{f_a}$ have a very simple structure and each register’s transformation function is local, the evolution of states generated by successive state transformations of the
CA displays a wide range of behaviors. Wolfram categorized these into four general
classes – Class-1 CA evolve to homogeneous final global states, Class-2 CA
evolve to periodic structures, Class-3 CA exhibit chaotic behavior and Class-4
CA have complicated localized and propagating structures. Wolfram considers
Class-3 CA as an abstract model of naturally occurring randomness and therefore suitable
for PRNG purposes. Class-3 CA’s complex behaviors ensure that the generated
states cannot be predicted and can only be found by observation or simulation.
Among these Class-3 UCA,
However, an attack is later shown in [22] that exploited the strong correlation
between the inputs of $f_{30}$ and $f_{45}$ and their outputs. The initial state is shown to be
reconstructed using a backward construction method.
$\text{UCA}_{f_{30}}$ and $\text{UCA}_{f_{45}}$ are also studied in [46] and high correlations are found to exist in the single-bit
sequences generated from adjacent registers in these UCA. However, this
correlation dies out between registers separated by at least 4 sites. The period of
sequences generated by $\text{UCA}_{f_{30}}$ and $\text{UCA}_{f_{45}}$ is also found to be much shorter
than $2^n - 1$. The states of
of registers, several large cycles can exist in $\text{UCA}_{f_{45}}$ and the largest cycle is much
larger than that in
$f_{90}$, $f_{165}$, $f_{150}$ and $f_{105}$ (see Equations (2.2)
to (2.5)). The only difference between $f_{90}$ and $f_{150}$ is the inclusion of the register’s own
state $s_j$ as an input, while the functions $f_{165}$ and $f_{105}$ are simply the complementary functions of $f_{90}$ and $f_{150}$.
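As an added example for the definitions of Section 2.2 and the observations above (Python written for this page, not the thesis's code), the block below runs a nearest-three-input CA with null boundary conditions whose register functions are given by their truth-table decimal names: it evaluates any $f_a$ from the rule number, applies a fixed configuration Φ each clock for uniform or hybrid CA, checks that $f_{165}$ and $f_{105}$ are the complements of $f_{90}$ and $f_{150}$, and measures the cycle reached from a state, which for the nonlinear $\text{UCA}_{f_{30}}$ is far shorter than $2^n - 1$ and is preceded by a transient because the map is not invertible. The 4-bit sizes, the starting state and the hybrid configuration (150, 150, 90, 150) are constructed inputs chosen for this example, not Figure 2.1's configuration.

```python
"""Added example (not the thesis's code): a nearest-three-input CA with null
boundary conditions whose register functions are Wolfram rule numbers, run as
uniform (UCA) or hybrid (HCA) configurations with a time-invariant Phi."""

def rule_bit(a, left, centre, right):
    """f_a(left, centre, right): bit (4*left + 2*centre + right) of the rule
    number a, i.e. the truth-table (decimal) naming convention."""
    return (a >> ((left << 2) | (centre << 1) | right)) & 1

def truth_table(a):
    """Output column of f_a for neighbourhoods 111, 110, ..., 000."""
    return tuple(rule_bit(a, k >> 2 & 1, k >> 1 & 1, k & 1) for k in range(7, -1, -1))

def is_complement(a, b):
    """True when f_a is the complementary function of f_b."""
    return all(x != y for x, y in zip(truth_table(a), truth_table(b)))

def step(phi, state):
    """Apply the fixed transformation Phi (one rule number per register) for
    one clock; null boundaries make the missing outer neighbours read as 0."""
    n = len(state)
    return tuple(
        rule_bit(a, state[j - 1] if j > 0 else 0, state[j], state[j + 1] if j < n - 1 else 0)
        for j, a in enumerate(phi))

def uniform(a, n):
    """Phi for a UCA: the same rule for every register."""
    return (a,) * n

def trajectory(phi, s0):
    """(transient length, cycle length) of the state sequence from s0.
    Nonlinear rules need not be invertible, so a transient can precede the cycle."""
    index, s = {}, s0
    while s not in index:
        index[s] = len(index)
        s = step(phi, s)
    return index[s], len(index) - index[s]

if __name__ == "__main__":
    s0 = (1, 0, 0, 0)   # constructed starting state for a 4-register CA
    for name, phi in [("UCA f30", uniform(30, 4)), ("UCA f45", uniform(45, 4)),
                      ("UCA f90", uniform(90, 4)),
                      ("HCA f150/f150/f90/f150", (150, 150, 90, 150))]:
        print(name, "transient/cycle from", s0, "->", trajectory(phi, s0))
    print("f165 complements f90:", is_complement(165, 90),
          " f105 complements f150:", is_complement(105, 150))
```

For the constructed inputs, the hybrid 90/150 configuration visits all 15 nonzero states in one cycle (a maximum length CA), the uniform $f_{90}$ CA cycles after 6 states, and the uniform $f_{30}$ CA falls into a 2-state cycle after a 2-state transient, which is the kind of short period noted above for the nonlinear uniform CA.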
2.3.2 Hybrid CA
Registers in a HCA can be configured with different rules. Researchers also studied
HCA since, intuitively, regularity in the UCA structure may lead to regularities in
the generated sequences. Interestingly, special configurations of $\text{HCA}_{f_{90}/f_{150}}$ (a list
of these configurations up to n=500 is given in [67]) are shown to generate sequences having period $2^n - 1$. The CA formed using these functions has a symmetrical transformation matrix A in which $a_{j,j} = 1$ means register j uses
$f_{150}$; otherwise $a_{j,j} = 0$ means it uses $f_{90}$. In [46], the maximum length
$\text{HCA}_{f_{90}/f_{150}}$ and the nonlinear
tests on their generated sequences. Unlike the UCA, single-bit sequences drawn