XorshiftUL+: A novel hybrid random number generator for internet of things and wireless sensor network applications

Abstract


Introduction
In recent years, emerging technologies such as smart cards, radio frequency identification (RFID) tags, wireless sensor network (WSN) nodes and the concept of the Internet of things (IoT) have brought not only new solutions but also challenges in their scope of application. The proliferation of devices manipulating or transmitting sensitive and critical information requires more attention to security issues, because classical security algorithms cannot offer effective and feasible security solutions for these groups of devices. Thus, many lightweight cryptographic algorithms have been suggested in the literature, including block ciphers [1]-[7] and hash functions [8]-[10]. The aim of lightweight security algorithms is to find a balanced solution for performance, speed and security needs, taking into account limitations such as storage and processing power.
Random number generation has an important role in cryptography and authentication, and therefore in security. These numbers can be used as the key or the seed for key generation in cryptographic algorithms and as nonce values in authentication protocols. For example, random numbers can be used as the secret keys for symmetric encryption algorithms such as the advanced encryption standard (AES) and the data encryption standard (DES). All these encryption algorithms and authentication protocols need random number sequences generated with high levels of randomness to prevent attackers from infiltrating the system. Generating these number sequences requires a source called a random number generator (RNG). There are two types of RNGs based on their sources: true random number generators (TRNGs), which use hardware sources, and pseudorandom number generators (PRNGs), which use algorithms for generating random numbers or bit sequences [11]. Most PRNGs create random numbers more rapidly than TRNGs and are suitable for stream ciphers. Moreover, well-designed PRNG algorithms can be easily implemented in lightweight devices. However, the number sequence generated by a PRNG can be predicted if both the algorithm and the initial seed are known [12]. For this reason, PRNGs must be computationally secure and seeded by an unpredictable source. Thus, the two RNG types should be used together: a random number generated by a TRNG is used as the initial seed of a PRNG function. This type of random number generator can be called a hybrid random number generator (HRNG). An HRNG combines a PRNG (fast generation and high-quality random numbers) with repeated seeding by a TRNG (high unpredictability but slow generation). HRNG design should resolve the challenge of the balance between speed and predictability [12].
Ultra-light random number generators have been developed specifically for ultra-lightweight devices. These number generators have simple mathematical and bitwise operations (AND, OR, XOR and +). In this paper, a new, effective and ultralightweight hybrid random number generator is proposed. The generator was implemented on wireless identification and sensing platform (WISP). This newly designed HRNG combines a TRNG that uses the temperature sensor with the newly designed PRNG, a light version of Marsaglia's xorshift algorithm [13]. The PRNG is called the xorshiftUL+, with "UL" denoting "ultra-lightweight". xorshiftUL+ is suitable for ultra-lightweight and lightweight devices such as IoT devices and RFID tags due to its randomness, performance and resource usage.
WISP has a 16-bit programmable microcontroller. It also has an accelerometer, a light sensor and a temperature sensor as built-in physical sensors [14]-[16]. Unlike most other RFID tags, the WISP family of devices is programmable. WISP 5, which was developed at the University of Washington laboratories, is used in this work for testing the performance and runtime of the hybrid generator [17].
Our contribution is an HRNG that uses a PRNG initialized by a chosen TRNG. This HRNG is ultra-lightweight; it is proposed and tested on the WISP passive RFID tag. All random numbers created by this HRNG were tested by the NIST STS.
The rest of this article is organized as follows. Section 2 discusses previous and related works. In Section 3, details of material and methods used for proposed HRNG are given. Section 4 gives experimental results of performance, test, evaluation and discussions. Finally, the paper is concluded in Section 5.

Related works
The literature contains many solutions for random number generations, which are the main issues in the security of the lightweight and ultra-lightweight devices. Studies are currently focusing on ways to overcome these challenges using innovative solutions. In this study, we examined previous RNG implementations and their statistical and security properties.
Avaroğlu et al. [18] proposed a new hybrid PRNG by means of an additional input introduced to transition and output functions used in a raw PRNG system in order to eliminate failure to meet the R4 security requirement. R4: following random numbers cannot be calculated if the internal state value is known or if it is possible to predict the internal state value even when it is not known [19]. The random number generator developed in this study uses AES and similar algorithms that are complex and resource intensive. Therefore, it will not be suitable for all lightweight devices.
Avaroğlu [20] proposed a PRNG that uses two Arnold [21] cat map outputs. The output of this generator was tested with NIST STS and some other analytical tests. The author admitted that the bit rate decreased after sampling. The manuscript contains no test or information on whether the generator is suitable for lightweight devices.
Koyuncu and Özcerit proposed a study that presents a Xilinx Virtex-6 FPGA implementation of a Sundarapandian-Pehlivan chaotic system for a TRNG. The TRNG has a speed of 58.76 Mbit/s. It was verified by NIST 800-22 standards and FIPS 140-1 [22]. The article gives no specific information on whether it is suitable for lightweight devices such as RFID or IoT devices.
Çabuk et al. [23] proposed a new PRNG called xorshiftR+ by modifying the well-known xorshift algorithm, after developing many versions of the original xorshift128plus by changing parameters. Finally, three final versions were developed and compared. A WISP passive RFID tag was used to implement these algorithms, which were checked against electronic product code generation 2 (EPCGen2) standards and the ENT, NIST statistical test suite (NIST STS) and TestU01 tests. After the tests, the authors selected the best of the three versions based on the test results, resource usage and performance.
Kösemen et al. [24] developed a pseudorandom number generator using the genetic programming method, which uses a Shannon entropy calculation for the fitness function. Mathematical and logical operators were used to generate a PRNG satisfying NIST STS tests and EPCGen2 standards.
Lawnik [25] used adequate chaotic transformation with uniform distribution and recommended a pseudo-random number generation method. This method changes continuous distributions into uniform distributions by flattening, allowing generation of pseudo-random numbers by continuous distribution. For the flattening process, it uses the frequency of the occurrence of successive chaotic transformation branches. Standard normal distribution example is used to analyze this method. In this paper, recommended PRNG was not tested with NIST STS.
Rose [26] analyzed the cryptographic quality of the KISS ('Keep it Simple Stupid') PRNG. Marsaglia and Zaman first specified KISS in 1993 [27] and Marsaglia published C code in 1998. Some authors argued that the KISS PRNG is cryptographically secure, although Marsaglia himself never claimed this. Rose showed that the KISS PRNG does not meet certain cryptographically secure PRNG criteria, demonstrating that the initial state of the KISS PRNG can be recovered with 70 output words, which takes about 2 hours depending on the computer hardware. Rose also pointed out that Marsaglia's 2011 version of KISS is vulnerable to a divide-and-conquer attack, so KISS is not suitable for applications needing a cryptographically secure generator.
Alcin et al. proposed a high-speed chaotic true random number generator based on artificial neural network. They claimed that it generates random numbers that pass all randomness tests and this TRNG can be used in cryptographic and communication applications [28].
Rahmat et al. developed a hybrid pseudorandom generator using Vector algebra for a traditional game called Kuaci that was recently developed for Android systems. Milliseconds of the system clock were used as seeds [29]. The generator recommended in this application has not been tested by any statistical test such as Diehard or NIST.
A circuit is implemented to generate random numbers on a highly efficient FPGA card that generates 32-bit random numbers operating at a frequency of 125 MHz by Devi et al. [30]. These random numbers were tested with Diehard and NIST. In this study there is no comparison against well-known RNGs according to performance and resource usage.

Material and methods
To develop a random number generator that is effective, secure and lightweight, it is important to be very familiar with the characteristics of both the hardware and the environment, and also to create an effective algorithm that produces random bit sequences and seeds from the hardware sources. To achieve this, the temperature sensor on the WISP passive RFID tag has been used to produce the initial seed. The production of this random number generator was made possible by exploiting the xorshift+ algorithm, which is lightweight in terms of resource utilization, and experiments were carried out until suitable results were obtained. Our proposed HRNG has a PRNG that is a member of "Mersenne Twister" (MT) [31], a well-known feedback shift register superclass, and a TRNG that uses the temperature sensor as the hardware source.

Xorshift+
Using an addition operation instead of multiplication makes the non-linear transformation faster. Saito and Matsumoto proposed this idea in their XSadd generator. This generator adds two consecutive outputs of an underlying xorshift generator based on 32-bit shifts [32]. XSadd fails several BigCrush tests, so Vigna introduced the xorshift+ family. This family is based on 64-bit logical shift operations. For example, the code shown in Figure 1 belongs to the xorshift128plus generator. It uses 128 bits of state. It is one of the well-known members of the xorshift+ family.

WISP
The wireless identification and sensing platform (WISP) is a passive RFID device with a microcontroller and sensors. WISP was first developed by Intel Research Seattle. Studies then continued at the Sensor Systems Laboratory of the University of Washington. It is a passive tag, so it does not have a built-in battery. The energy required both for powering the sensors and for sending the response to the RFID reader is harvested from the radio signals sent by the RFID reader. WISP can be an EPC Gen1 or Gen2 tag [33]. There is a 16-bit lightweight microcontroller on it. For example, WISP 5.0 has a Texas Instruments MSP430FR5969 microcontroller. This tag also includes 1 accelerometer, 1 temperature sensor, an analog-to-digital converter (ADC) and 1 light emitting diode (LED). It has system clocks running at different frequencies.
Figure 2 shows the 16-bit true random number generation flow chart with a temperature sensor and an ADC. The ADC produces 12-bit values. The least significant bit (LSB) of the 12-bit value is set as the random number's first bit, and the random number is shifted logically to the left. The process given in Figure 2 continues for 16 samplings, thus generating a 16-bit true random number. The 16-bit true random number generation steps can be seen in Table 1.
In the scope of our study, we changed the original xorshift128+ by random scramblings guided by our predictions. We generated many PRNGs with fewer shift operations and shorter seeds compared with the original xorshift128+ and selected the one having the best NIST STS results. The xorshiftL+ algorithm was presented in 2018. In that study, a lightweight HRNG called xorshiftL+ is mentioned. The authors claimed that this HRNG passes NIST STS tests [35]. We extended this study and made tests and comparisons. This newly created HRNG produces 32-bit random numbers. The C programming language implementation of the proposed HRNG tested on the WISP RFID tag is shown in Figure 3.
First, a 16-bit random number is generated by sampling from WISP's built-in temperature sensor. This number is given to the PRNG as a seed. The PRNG adds the x and s values with a mathematical addition operation and stores the result in y. Afterwards, the x value is shifted to the left 3 times and this shifted value is XORed with its previous value. The result is stored in x again. Then, the value of x is shifted 5 times to the right and 2 times to the right separately. s, x and these two new shifted values are all XORed together and the result is stored in x. As a result, the $y = x + s$ value from the first step is returned. We want the operations within the algorithm to change the y value in the next cycle, so we return the y value that is calculated in this first step. In this way, randomness is ensured at every step.
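The seed assembly and the PRNG step described above, written out as an added C example; it is not the authors' Figure 3 code, which is not reproduced on this page. The function and type names are hypothetical, the ADC readings are constructed, "shifted n times" is read as a shift by n bit positions, and two further assumptions are made: s is left unchanged between calls, and the 16-bit TRNG word is loaded into x.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: 16 raw 12-bit ADC readings of a temperature sensor. */
static const uint16_t SAMPLE_ADC[16] = {
    0x7A1, 0x7A2, 0x7A3, 0x7A0, 0x79E, 0x7A1, 0x79F, 0x7A0,
    0x7A3, 0x7A1, 0x7A2, 0x7A0, 0x79E, 0x7A2, 0x7A1, 0x79F
};

/* TRNG step: keep only the LSB of each 12-bit sample and shift it into
 * a 16-bit word; the first sample ends up in the most significant bit. */
uint16_t trng_seed16(const uint16_t adc[16])
{
    uint16_t rn = 0;
    for (int i = 0; i < 16; i++)
        rn = (uint16_t)((rn << 1) | (adc[i] & 1u));
    return rn;
}

/* PRNG state: the two 32-bit words the text calls x and s. */
typedef struct { uint32_t x, s; } ul_state;

/* Load the state. Returns -1 for the all-zero state, which this update
 * rule can never leave (every later output would be 0). */
int ul_seed(ul_state *st, uint32_t x, uint32_t s)
{
    if (x == 0 && s == 0)
        return -1;
    st->x = x;
    st->s = s;
    return 0;
}

/* One step, following the prose: y = x + s is computed first and returned;
 * x is then scrambled for the next call. Assumption: s stays unchanged. */
uint32_t ul_next(ul_state *st)
{
    uint32_t x = st->x, s = st->s;
    uint32_t y = x + s;                 /* 1 addition (mod 2^32)      */
    x ^= x << 3;                        /* left shift by 3, 1 XOR     */
    x = s ^ x ^ (x >> 5) ^ (x >> 2);    /* right shifts 5 + 2, 3 XORs */
    st->x = x;
    return y;
}

int main(void)
{
    ul_state st;
    uint16_t seed = trng_seed16(SAMPLE_ADC);
    /* Assumption: the TRNG word seeds x; s is a second, constructed word. */
    if (ul_seed(&st, seed, 0x5EEDu) != 0)
        return 1;
    printf("seed = 0x%04X\n", (unsigned)seed);
    for (int i = 0; i < 4; i++)
        printf("%08lX\n", (unsigned long)ul_next(&st));
    return 0;
}
```

The operator counts in `ul_next` match the ones the paper reports for xorshiftUL+: 1 addition, 3 left-shift positions, 7 right-shift positions and 4 XORs.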

Experimental results and discussion
In this section, the randomness of the numbers generated by the proposed random number generator is evaluated. NIST, and ENT tests results and EPCGen2 security requirements were examined and evaluated. At the same time, run time comparison on WISP passive RFID and the known rival algorithms were shared and evaluated.

NIST Results
The new HRNG was tested using the well-known test suite, NIST STS, which has a battery of statistical tests, such as Rank, Runs, Serial, Frequency, FFT, etc. It makes 188 runs for 15 different tests by running certain tests with different parameters [36]. In each round 64 million bits (2 million 32-bit numbers) are generated by the HRNG and tested with NIST STS. This is repeated tens of times. The output of the random number generator is well distributed statistically if its serial correlation results are near zero and the output has high entropy. This and other properties ensure that the generator passes the NIST STS tests. NIST STS results show that the new HRNG is successful according to test results, and also that the HRNG produces statistically random number sequences. NIST STS results of one of the generated bit sequences are given in Table 2. Detailed NIST test results and generated random numbers can be seen on http://srg.cs.deu.edu.tr/publications/2019/xorshiftULplus/index.htm.

Time and operator comparison results
xorshiftUL+ was tested with the NIST STS test suite and compared with the well-known algorithms listed in Table 3. All of the algorithms ran on WISP and on a personal computer (PC). Table 3 shows that xorshiftUL+ is the fastest on both WISP and PC. In the time evaluation of the xorshiftUL+ algorithm, only the PRNG time value is calculated and the TRNG is excluded because it works once at the beginning of the algorithm to produce a seed, and the time required is negligible. xorshiftUL+ generates random numbers about 16.24% faster than the closest rival in the WISP environment and about 15.05% faster in the PC environment. It also outperforms the rival algorithms in terms of the number of operators used and variable lengths. In the xorshift128+ algorithm, the operations are performed on 64-bit numbers, and there are 1 mathematical addition operation, 23 logical left shifts, 23 logical right shifts and 4 XOR operations. As in xorshift128+, all operations in the xorshiftR+ algorithm are on 64-bit variables. xorshiftR+ has 1 mathematical addition, 23 logical left shifts, 17 logical right shifts and 2 XOR operations. In our newly proposed xorshiftUL+ algorithm, there are 1 mathematical addition, 3 logical left shifts, 7 logical right shifts and 4 XOR operations. This new algorithm has been developed to ensure the faster generation of numbers by applying less processing with 32-bit variables.

EPCGen2 security requirements
There are three conditions specified by the EPCGen2 standard that must be met to satisfy the security level. These are:
Probability of a single RN16 shall be bounded by [37]:
This condition is met when a maximum of 10000 tags is considered, and the condition does not depend on the revival time of the tags. Generating the same 16-bit random numbers shall have a probability of less than 0.1% for two or more tags.
To meet this condition, a 16-bit random number shall be predicted with a probability no greater than $25 \times 10^{-3}\,\%$ if the RNG's outcomes of the prior draws, performed under identical conditions, are known.
XorshiftUL+ was also checked against the EPCGen2 standards given above. The three conditions of the EPCGen2 standard, as pointed out in the EPC™ Gen-2 Class 1 document [38], were examined to ensure that it meets the RFID tags' security standards. Firstly, we know that each 16-bit random number (RN16) selected from $2^{30}$ generated numbers should have the probability $\frac{0.8}{2^{16}} < P(RN16 = j) < \frac{1.25}{2^{16}}$. The proposed HRNG should satisfy this condition. We generated numbers and checked the result. xorshiftUL+ satisfies this condition with the probability $\frac{0.917}{2^{16}} < P(RN16 = j) < \frac{1.048}{2^{16}}$ for $2^{30}$ numbers. Secondly, the probability of simultaneously identical sequences for 10000 tags should be less than 0.1%. xorshiftUL+ has two inputs, and these two seeds are 32-bit integers, so calculating the probability as ( ] × 100 = $5.42\% \times 10^{-18} < 0.1\%$, this condition is also satisfied. The final condition is that an RN16 drawn from a tag's RNG shall not be predictable with a probability greater than 0.025%. This was proved using the ENT test suite detailed and defined on www.fourmilab.ch/random [39]. The detailed results and test parameters can be seen in Table 4. The ENT test package performs some tests using the file containing the numbers generated by the random number generators. The results of files produced with different seeds by xorshiftUL+ can be seen in Table 4. The maximum entropy value of this test is 1. This is because each character is represented by a single bit. Since the entropy value is close to 1, the compression ratio is also close to zero. These two values mean that the result is good.
The result of the chi-square test is expected to be between 10% and 90%. As shown in the table, these test results are also satisfactory.
The perfect value for the arithmetic mean is 0.5. For xorshiftUL+, these values are very close to 0.5. Monte Carlo value should be close to Pi value. As we see in the table, the values are very close to the Pi value and the error percentage is low.
The Serial correlation coefficient value that queries the relationship of a byte in a sequence with the previous bytes should be close to zero. It is not important whether this value is negative or positive. xorshiftUL+ produced close to zero output based on this test result.
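The first EPCGen2 condition, 0.8/2^16 < P(RN16 = j) < 1.25/2^16, can be checked with a histogram over the drawn RN16 values. The C code below is an added example, not the authors' test harness: `rn16_check`, the callback type and both sources are hypothetical names, and the two sources are constructed inputs (a flat counter and a counter with a stuck bit), not xorshiftUL+ output.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define RN16_VALUES 65536u

typedef uint16_t (*rn16_source)(void *ctx);   /* hypothetical callback type */

typedef struct {
    double min_ratio;   /* smallest observed P(RN16 = j) times 2^16  */
    double max_ratio;   /* largest observed P(RN16 = j) times 2^16   */
    int    pass;        /* 1 if 0.8 < ratio < 1.25 holds for every j */
} rn16_report;

/* Tally `draws` RN16 values and compare each value's relative frequency
 * with the ideal 1/2^16. Returns -1 on bad arguments or allocation failure. */
int rn16_check(rn16_source next, void *ctx, uint64_t draws, rn16_report *out)
{
    if (next == NULL || out == NULL || draws == 0) return -1;
    uint64_t *count = calloc(RN16_VALUES, sizeof *count);
    if (count == NULL) return -1;
    for (uint64_t i = 0; i < draws; i++) count[next(ctx)]++;
    uint64_t lo = count[0], hi = count[0];
    for (uint32_t j = 1; j < RN16_VALUES; j++) {
        if (count[j] < lo) lo = count[j];
        if (count[j] > hi) hi = count[j];
    }
    free(count);
    double ideal = (double)draws / RN16_VALUES;
    out->min_ratio = (double)lo / ideal;
    out->max_ratio = (double)hi / ideal;
    out->pass = out->min_ratio > 0.8 && out->max_ratio < 1.25;
    return 0;
}

/* Constructed source 1: a plain counter, perfectly flat over 2^16 values. */
uint16_t flat_source(void *ctx)
{
    uint32_t *n = ctx;
    uint32_t v = (*n)++;
    return (uint16_t)v;
}

/* Constructed source 2: the same counter with bit 0 stuck at zero. */
uint16_t stuck_bit_source(void *ctx)
{
    return (uint16_t)(flat_source(ctx) & 0xFFFEu);
}

/* Run one source over 16 * 2^16 draws and return the report. */
rn16_report run_demo(rn16_source src)
{
    uint32_t counter = 0;
    rn16_report r = {0.0, 0.0, 0};
    rn16_check(src, &counter, 16u * RN16_VALUES, &r);
    return r;
}

int main(void)
{
    rn16_report a = run_demo(flat_source), b = run_demo(stuck_bit_source);
    printf("flat:  min %.3f max %.3f pass %d\n", a.min_ratio, a.max_ratio, a.pass);
    printf("stuck: min %.3f max %.3f pass %d\n", b.min_ratio, b.max_ratio, b.pass);
    return 0;
}
```

To evaluate a real generator, wrap it in an `rn16_source` callback and pass the number of draws used in the paper's check ($2^{30}$).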

Conclusion
This study presents a proposal for a solution for existing and pending security challenges on lightweight and ultra-lightweight devices in consideration of resource and time constraints. New solutions are offered for random number generation, which is a key point of security for lightweight devices. The WISP passive RFID tag conforming to the EPC Gen2 standard was used as the ultra-lightweight device to conduct tests and experiments. WISP has built-in sensors and 256-bit AES encryption and can be programmed, and so was selected for its high usability and applicability in the scope of future technologies.
Marsaglia's well-known Mersenne Twister based xorshift random number generator was modified to produce a new PRNG. To initialize the PRNG, WISP RFID tag's temperature sensor was used to obtain a true random number by performing 16 temperature samplings in a cycle. Our newly created HRNG was proposed as a combination of a PRNG and a TRNG. The time required for random number generation using the HRNG was estimated and compared with some of the previous well-known random number generators shown in Table 3 in the previous section. A similar approach was taken to investigate whether the random number generator satisfies 3 conditions for EPC™ Gen-2 Class 1 standards. Finally, the quality of the random number series generated by the HRNG was examined using the NIST STS. These tests and evaluations revealed that the new HRNG satisfies 3 conditions for EPC™ Gen-2 Class 1 standards, passes all NIST STS tests and generates random numbers approximately 16% faster than the closest rival.
For future works, xorshiftUL+ can be implemented on different IoT devices and the results investigated in terms of time, resource and performance requirements.