Design of a Dynamic Parameter-Controlled Chaotic-PRNG in a 65nm CMOS process
DDesign of a Dynamic Parameter-ControlledChaotic-PRNG in a 65 nm CMOS process
Partha Sarathi Paul, Maisha Sadia, and Md Sakib Hasan
Department of Electrical and Computer EngineeringUniversity of MississippiUniversity, MS 38677, USAEmail: [email protected], [email protected], [email protected]
Abstract —In this paper, we present the design of a new chaoticmap circuit with a 65 nm CMOS process. This chaotic map circuituses a dynamic parameter-control topology and generates a widechaotic range. We propose two designs of dynamic parameter-controlled chaotic map (DPCCM)-based pseudo-random numbergenerators (PRNG). The randomness of the generated sequence isverified using three different statistical tests, namely, NIST SP 800-22 test, FIPS PUB 140-2 test, and Diehard test. Our first designoffers a throughput of 200 MS/s with an on-chip area of 0.024 mm and a power consumption of 2.33 mW . The throughput ofour second design is 300 MS/s with an area consumption of 0.132 mm and power consumption of 2.14 mW . The wider chaoticrange and lower-overhead, offered by our designs, can be highlysuitable for various applications such as, logic obfuscation, chaos-based cryptography, re-configurable random number generation,and hard-ware security for resource-constrained edge devices likeIoT. Index Terms —Nonlinear dynamics, chaos, IoT, CMOS, PRNG,cryptography, logic-obfuscation, NIST, FIPS, Diehard.
I. I
NTRODUCTION
In recent decades, the nonlinear dynamic system has attractedthe attention of researchers in the field of physics, biology, eco-nomics, finance, and engineering. Chaotic system is a particulartype of nonlinear dynamic system whose behavior is charac-terized by deterministic equations. These irregular (aperiodic)but deterministic systems are very sensitive to the initial states.Even a tiny difference in the initial state makes the trajectoryof two chaotic sequences, from the same chaotic system,significantly diverged. This phenomenon is popularly knownas the butterfly effect. Some significant properties including,deterministic-aperiodicity and initial-state-sensitivity make thechaotic system very popular in security applications, includingpseudo-random number generator (PRNG), cryptography, im-age encryption, and logic obfuscation. However, the present-day advancement in machine-learning algorithms is makingthe chaos-based security systems vulnerable to potential adver-saries. Therefore, the chaos-based security community remainsin an ongoing quest for a superior-quality chaotic system. Ahigher dimensional chaotic system promises a more complexand secure chaotic sequence but brings the computation-costinto play as well. Hence, the design of a new chaotic system,with a simple structure but improved performance, is vital.In this paper, we present the design of a new chaotic mapcircuit with a 65 nm CMOS process. The general framework of the map circuit includes the three-transistor chaotic mapcircuit, proposed by Dudek et al. [1], and dynamic parameter-control topology, proposed by Hua et al. [2]. We propose thedesign of a novel PRNG circuit using our dynamic parameter-controlled chaotic map (DPCCM). Three statistical tests, NIST,FIPS, and Diehard, are performed on the PRNG output to verifythe randomness of the generated sequence.The remaining portion of the paper is organized as follows:section II describes the structure of the DPCCM. The proposedPRNG design and statistical analysis are described in sectionIII and IV, respectively. Section V talks about the overheadanalysis of the proposed PRNG. Finally, section VI gives theconcluding remarks.II. D
ESIGN OF
DPCCMThe transistor-level design of the DPCCM circuit is doneusing a 65 nm CMOS process in Cadence, with the supplyvoltage of 1.2 V . The structure of the circuit can be describedby separating it into three abstraction levels: a) the map circuit,b) the chaotic oscillator, and finally, c) the DPCCM. A. Map circuit
The schematic of the three-transistor map circuit is shownin Fig. 1(a). The size of the transistors, M , M , and M , arecarefully chosen to get a V-shaped transfer characteristic, whichis vital for generating a chaotic sequence [3]. The gate voltageof M (i.e. V c ) is used as the control voltage of the map. B. Chaotic oscillator
The chaotic oscillator (shown in Fig. 1(b)) comprises oftwo feed-back connected map circuits, using the same controlvoltage. The initial state voltage, X n , is applied through theclock, clk ini . X n passes through the first map circuit blockand we get the first output voltage, V out . V out is thenpassed to the map circuit block in the feedback path throughanother clock, clk a . The first iteration loop concludes when thegenerated output voltage, V out , is passed to the first map circuitthrough the clock, nclk a . As the cycle continues, we get twoanalog voltages per iteration. Since, the clock signals, clk a and nclk a , are non-overlapping, we use them to sample-and-holdthe analog output voltage of the chaotic oscillator. Conventionaldesigns use capacitors in the sample-and-hold circuit to storethe data. In this topology, to reduce the on-chip area overhead, a r X i v : . [ c s . A R ] J a n he parasitic capacitance of the pass transistors are leveragedto store the data. The total area consumption of the chaoticoscillator, along with the clocking circuits, is 0.556 µm andthe total power consumption is 18.4 µW . Fig. 2(a) shows thebifurcation plot of the chaotic oscillator and Fig. 3(a) showsthe corresponding Lyapunov exponent. C. DPCCM
The block diagram of the DPCCM is presented in Fig. 1(c).The analog output voltage from a chaotic oscillator (seed map)undergoes a linear transformation before going into anotherchaotic oscillator (controlled map) as its control voltage pa-rameter. The linear transformation is chosen in such a way thatthe output voltage of the first chaotic map is always mappedinto a range of control voltages that generates chaotic sequencefrom the controlled map. The transformation is done accordingto Eq (1) [2]. V control = ( b max − b min )( a max − a min ) × ( a max − V seed ) + b min (1)In Eq (1), V seed denotes any particular output voltage from theseed map, while V control is the transformed control voltage forthe controlled map. The chaotic range for the control voltageis within a max and a min whereas, the span of the seed mapoutput voltage is from b max to b min .The term, dynamic parameter-control, comes from the factthat, at each iteration, the control voltage of the controlledmap is being controlled by the output of the seed map. Itis obvious from Fig. 2(a) and Fig. 3(a) that, there are twodistinct chaotic regions in the chaotic oscillator’s output map,which shows positive Lyapunov exponent. The first range ofthe control voltage is between 0.5275 V and 0.6225 V . Thesecond range is between 0.89 V to 0.9525 V . The outputvoltage covers a larger range for the case of the first control-voltage range (0.5275 V - 0.6225 V ). Moreover, it is foundthat the transistor delay increases with the increase of thecontrol-voltage [4]. Hence, we chose the transformation of theDPCCM within the range of the first control voltage. Theseed map and the controlled map starts with the same initialvoltage. The bifurcation diagram from the DPCCM and thecorresponding Lyapunov exponent is shown in Fig. 2(b) andFig. 3(b), respectively. The bifurcation plot of the DPCCMshows a wider chaotic range, compared to the bifurcation plot ofthe chaotic oscillator. A chaotic map circuit with a wider chaoticrange can be extremely useful in applications like chaos-basedlogic and side channel obfuscation and re-configurable chaoticpseudo-random number generators (PRNG), where a widerchaotic range offers a larger design space. Here, we show theapplication of our DPCCM topology in a PRNG circuit.III. D ESIGN OF
PRNGThe DPCCM topology is implemented to design a PRNG.The schematic of the proposed PRNG is shown in Fig. 4.Two DPCCM blocks,
DP CCM a and DP CCM b , are used inthe PRNG design to get the required entropy in the generatedsequence. Two phase-shifted clocks, clk a and clk b , runs the Fig. 1: The schematic of DPCCM(a) Chaotic oscillator (b) DPCCM
Fig. 2: (a) Bifurcation plot of the chaotic oscillator. The x-axis showsthe common control voltage parameter for both feed-back connectedmap circuits. (b) Bifurcation plot of the DPCCM. The x-axis showsthe control voltage parameter of the seed map. The y-axis representsthe steady-state output voltage in both plots.(a) Chaotic oscillator (b) DPCCM
Fig. 3: (a) The plot of Lyapunov exponent of the chaotic oscillator.The x-axis shows the common control voltage parameter for both feed-back connected map circuits. (b) The plot of Lyapunov exponent of theDPCCM. The x-axis shows the control voltage parameter of the seedmap. The y-axis, in both plots, represents the calculated Lyapunovexponent values from the steady-state output voltage. Positive valuesof Lyapunov exponent indicate chaotic operation. ig. 4:
Pseudo-random number generator circuit
DPCCM blocks,
DP CCM a and DP CCM b , respectively. Asthe clocks are phase-shifted, the selector pin, sel , of themultiplexer (MUX) can choose one output at a time and passthe output to an n-bit analog to digital converter (ADC). Theanalog voltages, generated at the even number of iterations,are sampled from DPCCM blocks. The ADC converts eachanalog voltage to an n-bit binary and stores the n th bit into a2-bit shift register. As soon as two binary bits are availablefrom two DPCCM blocks, the data is XORed and sent to theoutput pin. Two DPCCM blocks start the iteration with twounequal initial voltages, X na and X nb . Each DPCCM blockruns 2 million iteration loops. Therefore, we get a sequence of1 million ’1’s and ’0’s at the XOR output. The seed map controlvoltages of DPCCM blocks, V ca and V cb are kept the same.The positive Lyapunov exponent, in the first chaotic range, ofthe chaotic oscillator (shown in Fig. 3(a)) peaks for a controlvoltage value of 0.5925 V . Hence, the seed map control voltageis set to 0.5925 V . One hundred unique initial voltage pairs areused to generate a sequence containing 100 million binary bits,where each initial voltage pair corresponds to 1 million bits.The randomness in this generate sequence is tested in threedifferent statistical test suites, NIST, FIPS, and Diehard test.In addition to the above-mentioned PRNG design, we alsopropose a second PRNG design. In design-I, we take the n th bitof an n-bit ADC whereas, in design-II, we capture the last 3 bitsof an n-bit ADC. There are three 2-bit shift registers and three2-input XOR gates in design-II. Each DPCCM block provides3 binary bits for every even iteration. Therefore, 6 binary bitsfrom the two DPCCM blocks are stored in those three 2-bitshift registers. When all six bits are available, they are bitposition-wise XORed. That means, the n th -bit of DP CCM a is XORed with n th bit of DP CCM b . Thus, after running 2million iteration cycles, we get 3 million-bit sequences fromdesign-II. The throughput of design-II is three-times higher thandesign-I. For the statistical tests, a sequence of 100 million bitsis generated from design-II as well.IV. S TATISTICAL TESTES RESULTS
A. NIST SP 800-22 Test Suite
National Institute of Standards and Technology (NIST) testsuite offers 15 statistical tests to measure the randomness in asequence [5]. The test was performed with a bit-stream lengthof 1 million. The significance level was set to 0.01. That means,a sequence with 100 million bits will pass a particular test ifat least 96 out of the 100 bit-streams generate a p − value TABLE I: NIST Test results for design-I and design-II(*shows the average of multiple tests)
NIST TEST Pass ratedesign-I design-II
Frequency
Block frequency
Cumulative sums*
Runs
Longest runs of ones
Rank
FFT
Non-overlapping template*
Overlapping template
Universal
Approximate entropy
Random excursion*
Random excursion variant*
Serial*
Linear complexity
TABLE II: FIPS test results
PRNG
Total success
Monobit Poker Runs Long rundesign-I - - 1 -design-II - 3 - 1 of greater than 0.01. The 100 million-bit sequence, generatedfrom design-I, passes all 15 tests with an ADC of bit-size ≥ ≥
10. Table I shows the NIST test result for design-I (8-bit ADC)and design-II (10 bit ADC).
B. FIPS PUB 140-2
Federal Information Processing Standards Publications (FIPSPUB) 140-2 Test was developed by NIST [6]. FIPS tests therandomness of a binary sequence by dividing it into 20,000-bitblocks. The blocks are subjected to 4 sub-tests - the Monobittest, Poker test, Runs test and Long run test. The Monobit testcounts the number of 1’s in the 20,000-bit block. This numbermust be within the range of (9725,10275) to pass the test. ThePoker test divides the 20,000-bit block into 5,000 successive4-bit segments. The 4-bit segment can have 16 possible valuesand the occurrence of these 16 values is counted and stored.This sub-test verifies the uniformity of the 4-bit segment. Runstest counts and stores the maximum sequence of consecutivebits of 1’s or 0’s in a 20,000-bit block. A run of 26 or more ofeither 1’s or 0’s is defined as a Long run. The total number ofLong runs in a 20,000-bit block is counted in the total failure.Table II shows the FIPS test result for design-I and design-II.FIPS divides the 100 million sequence into 5,000 blocks of20,000-bits. The second column of Table II shows the numberof blocks passing the test and the last 4 columns show thenumber of failed blocks under corresponding sub-tests.
C. Diehard Statistical Test Suite
Diehard Statistical Test Suite, developed by GeorgeMarsaglia, offers 15 sub-tests, that generate 219 p − values a) design-I (8-bit ADC) (b) design-II (10-bit ADC) Fig. 5:
Diehard statistical test results [7]. The sequence is considered to be random if the p − values are within the range of [0,1). A sequence will fail the test ifit produces six or more (out of 219) p − values of either 0 or1. Our test sequence size is 100,000,032 bits. Fig. 5 shows theplot of the generated p − values , sorted in ascending order. Thelinear fit shows close conformity with the generated p − value trend and demonstrates the randomness of our sequence.V. O VERHEAD ANALYSIS OF THE
PRNGEach of the two DPCCM blocks, shown in Fig. 4, used inthe design, consumes an area of 1.1 µm and a power of 36.8 µW . The 8-bit ADC, used in design-I, can be implementedfrom the proposed design of Wei et al. in [8]. This 8-bitADC takes 0.024 mm on-chip area and consumes 1.8 mW power. As we can see, the ADC is responsible for most ofthe area and power consumption of the circuit making it theprimary overhead contributor to the whole PRNG design. Themaximum bit generation rate of this 8-bit ADC is 250 MS/s.However, design-I generates binary sequence with a rate of200 MS/s. The throughput of the slower component dictatesthe overall throughput of the system. Hence, the throughput ofthe overall PRNG system, with design-I, is limited to 200 MS/s.We have determined that our design-II can offer a maximumthroughput of 600 MS/s (i.e. three times higher than design-I).The 10-bit ADC, used in design-II, can be implemented fromthe design reported by Ma et al. [9]. This 10-bit ADC coversan on-chip area of 0.132 mm and consumes 1.6 mW power.For our design-II, we are taking the last three ADC bits atevery even iteration. Therefore, the throughput from the 10-bit ADC, with 100 MS/s bit-rate, will eventually become 300MS/s (i.e. three times 100 MS/s) in our design. For this reason,the throughput of the overall PRNG system, with design-II,is limited to 300 MS/s. The total area overhead for design-I, including chaotic oscillators, ADC, shift register, MUX, andXOR gate, is 0.024 mm and the power overhead is 2.33 mW .For design-II, total area and power overheads are 0.132 mm and 2.14 mW , respectively. Table III presents a comparisonbetween the PRNG designs of this paper and prior works ondifferent PRNG circuits. Compared to previous works, both ofour designs cover significantly less on-chip area. Our design-Iis a suitable choice for applications with high area-constraintwhereas design-II offers better throughput. It should be notedthat design-II can be generalized for higher-bit ADC whilecompromising the area and power. TABLE III: Overhead comparison Parameter Reported works This work[10] [11] [12] [4] design-I design-IITechnology ( nm ) 180 180 180 65
65 65
Supply voltage ( V ) 1.8 1.8 1.8 1.2 Area ( mm ) 0.126 0.275 0.767 0.132 Power ( mW ) 22 13.9 37 2.12 Throughput (
MS/s ) 100 6400 120 100
200 300
VI. C
ONCLUSION
A new design of a chaotic map circuit, with dynamicparameter control, is presented in a 65 nm CMOS process. Ithas been shown that this design provides a wide chaotic regionin the bifurcation plot, offering a large design space for varioussecurity applications such as, logic obfuscation, chaos-basedcryptography and re-configurable random number generatorcircuits. The map circuit is used in a novel PRNG design.The randomness of the generated sequence is verified usingthree statistical tests. It is found that the dynamic parameter-control leads to a low-overhead PRNG design. Future workmay include, the exploration of various CMOS topologies anddifferent post-processing schemes for the bit generation.R
EFERENCES[1] P. Dudek and V. Juncu, “Compact discrete-time chaos generator circuit,”
Electronics Letters , vol. 39, no. 20, pp. 1431–1432, 2003.[2] Z. Hua and Y. Zhou, “Dynamic parameter-control chaotic system,”
IEEEtransactions on cybernetics , vol. 46, no. 12, pp. 3330–3341, 2015.[3] A. S. Shanta, M. B. Majumder, M. S. Hasan, M. Uddin, and G. S. Rose,“Design of a reconfigurable chaos gate with enhanced functionality spacein 65nm cmos,” in . IEEE, 2018, pp. 1016–1019.[4] A. S. Shanta, M. S. Hasan, M. B. Majumder, and G. S. Rose, “Designof a lightweight reconfigurable prng using three transistor chaotic map,”in . IEEE, 2019, pp. 586–589.[5] A. Rukhin, J. Soto, J. Nechvatal, M. Smid, and E. Barker, “A statisticaltest suite for random and pseudorandom number generators for crypto-graphic applications,” Booz-allen and hamilton inc mclean va, Tech. Rep.,2001.[6] N. F. PUB, “140-2: Security requirements for cryptographic modules,”
Information Technology Laboratory, National Institute of Standards andTechnology , 2001.[7] G. Marsaglia. The marsaglia random number cdrom including thediehard battery of tests of randomness. [Online]. Available: https://web.archive.org/web/20160125103112/ \ http://stat.fsu.edu/pub/diehard/[8] H. Wei, C.-H. Chan, U.-F. Chio, S.-W. Sin, U. Seng-Pan, R. Martins,and F. Maloberti, “A 0.024 mm 2 8b 400ms/s sar adc with 2b/cycleand resistive dac in 65nm cmos,” in . IEEE, 2011, pp. 188–190.[9] J. Ma, Y. Guo, L. Li, Y. Wu, X. Cheng, and X. Zeng, “A low power10-bit 100-ms/s sar adc in 65nm cmos,” in . IEEE, 2011, pp. 484–487.[10] F. Pareschi, G. Setti, and R. Rovatti, “Implementation and testing of high-speed cmos true random number generators based on chaotic systems,” IEEE transactions on circuits and systems I: regular papers , vol. 57,no. 12, pp. 3124–3137, 2010.[11] C.-Y. Li, Y.-H. Chen, T.-Y. Chang, L.-Y. Deng, and K. To, “Periodextension and randomness enhancement using high-throughput reseeding-mixing prng,”
IEEE Transactions on Very Large Scale Integration (VLSI)Systems , vol. 20, no. 2, pp. 385–389, 2011.[12] H.-T. Yang, J.-R. Huang, and T.-Y. Chang, “A chaos-based fully digital120 mhz pseudo random number generator,” in