[math-fun] linear psu-random generators with linear "feed-in"
THEOREM: The linear congruential generator x <-- x*a + R mod 2^w (where w>=2 and a mod 4=1) has period = 2^w if R is any odd constant. If however R is actually ANOTHER psu-random generator with odd period and odd period-sum, then the result is a generator whose period is the product of R's period with 2^w. Here R's "period-sum" means the sum of all the R-values in R's period. EXAMPLE (in C language using 32-bit unsigned integers) if(z >= 1588146105U){ z -= 1588146105U; }else{ z -= 1588146108U; } implements a Weyl generator modulo 2^32-3, using step size 1588146105 which is chosen because 1588146105/(2^32-3) has only 1s and 2s in its continued fraction expansion. Its period-sum is odd because 2^32-3 mod 4 = 1. Hence x *= 2891336453U; if(z >= 1588146105U){ z -= 1588146105U; }else{ z -= 1588146108U; } x += z; (output x) implements a generator with period = (2^32-3) * (2^32) using the two state-variables w and x. (Here 2891336453 is spectrally-good multiplier mod 2^32.) THEOREM: If y <-- T y where y is an n-bit vector and T is an nXn matrix over GF(2) is a psu-random generator with period=2^n-1 for nonzero vectors y, then y <-- (T y) XOR R also is a period=2^n-1 generator if R is any constant n-vector. If however R is itself a psu-random generator whose period is relatively prime to 2^n-1, then the result is a psu-random generator whose period is the product of the two original periods. EXAMPLE (again in C with 32-bit unsigned int words): y ^= (y << 5); y ^= (y >> 7); y ^= (y << 22); is a psu-random generator with period-2^32-1 (state is a nonzero 32-bit word y). We could feed the output of the preceding example into it to get a generator with period = (2^32-1) * (2^32-3) * 2^32: x *= 2891336453U; y ^= (y << 5); y ^= (y >> 7); y ^= (y << 22); if(z >= 1588146105U){ z -= 1588146105U; }else{ z -= 1588146108U; } x += z; y ^= x; (output y) and so on. It also would be possible, of course, to combine two generators by just (say) XORing (or adding mod 2^32) their outputs. However, it seems intuitively that "feeding in" generator 1 to generator 2 usually will produce a result "more random" than just XORing their outputs, whenever generator 2 "amplifies randomness." The feed-in option is open to us essentially whenever generator 2 is a "linear recurrence" in some ring. For nonlinear psu-random generators, such as v <-- v*(975403184785438903-2*v)+856300274470584321 mod 2^64 (I chose these numbers randomly subject to 975403184785438903 mod 4 = 3 and 856300274470584321=odd, here the state is odd 64-bit unsigned int v and the period is 2^63) I have no feedin theorem, but these can still be used as "generator 1." For example in C now with 64-bit unsigned integers: v = v*(975403184785438903-2*v)+856300274470584321 x ^= x<<7; x ^= x>>9; x ^= v; (output x) is a generator with period=(2^64-1)*2^63. Here x is a linear-GF2 generator with state being nonzero 64-bit words; it has feed-in from the quadratic v-generator with state being odd 64-bit words. Richard Brent devised a class of generators he calls "xorgens" http://arxiv.org/pdf/1004.3115.pdf which are linear over GF2 and have period=2^(n*w)-1 which is maximal considering their state is n words, each w bits, not all zero. He then wanted to combine these with a 1-word Weyl generator with period=2^w. In doing so, Brent made two small mistakes, in my opinion (better would be calling them "missed opportunities" not "mistakes"). First, he could have "fed in" the Weyl generator into his xorgen instead of just combining their two outputs. Second, he used step size in the Weyl generator based on the golden ratio times 2^w where w is the word size. Better would have been to employ an odd step size S chosen so S/2^w had only 1's and 2's in its continued fraction expansion. With w=32 the following 5 S's work: S=1774682003=69C77F93, S=1812433253=6C078965, S=2482534043=93F8769B, S=2520285293=9638806D, S=3140748093=BB34033D. With w=16 this S works: S=46073=B3F9. I'm not sure whether it will be feasible to find such an S for w=64, but it is feasible to find examples with max partial quotient <=3 for every word size w, see H.Neiderreiter: Dyadic fractions with small partial quotients, Monatshefte fur Mathematik 101,4 (1986) 309-315. [If anybody could send me a pdf of this, would appreciate that.] Although I have no feedin theorem for nonlinear generators, sometimes nonlinear generators are really linear ones "in disguise" in which case feedin theorems can be made. For example, the lagged Fibonacci generator x[n] = x[n-55] * x[n-24] where the x's are odd numbers and multiplication is mod 2^w, is linear using discrete log as the disguise. Hence one could use multiplicative feedin like this x[n] = x[n-55] * x[n-24] * R where R is any generator that always outputs odd values, and has an odd period relatively prime to 2^55-1. The resulting generator will have period of (x mod 4) equal to (2^55-1)*period(R). -- Warren D. Smith http://RangeVoting.org <-- add your endorsement (by clicking "endorse" as 1st step)
H.Neiderreiter: Dyadic fractions with small partial quotients, Monatshefte fur Mathematik 101,4 (1986) 309-315. [If anybody could send me a pdf of this, would appreciate that.]
--turns out this is available online here: http://gdz.sub.uni-goettingen.de/dms/load/img/?PPN=GDZPPN002485222&IDDOC=246...
actually I think the best psu-random generator would be "hierarchical." That is, you use a very fast+simple generator for a while, then reseed it using a slower but more random generator, that in turn would be re-seeded at longer intervals with a slower but still more random generator etc. You aim to get nearly the speed of the fastest but nearly the randomness of the slowest generator. The "feedin" technique is a way to do such reseeding in a "continual slow drip" rather than all at once. Seems to me the hierarchical idea can be backed up with a THEOREM (or pretty close): If "randomness" is measured by expected computational complexity of a statistical test that finds a problem with it, and if achievable randomness grows with generator runtime exponentially, then it is possible to achieve arbitrarily enormous randomness with only a constant factor slower average runtime than the simplest generator.
These days, why would anyone bother with software generated random numbers? Use hardware generation, amplified noise or quantum detection. Bypass the requirement of algorithm verification. Bypass the problem of a limited number of seeds. -- Gene
________________________________ From: Warren D Smith <warren.wds@gmail.com> To: math-fun <math-fun@mailman.xmission.com>; richard.brent <Richard.Brent@anu.edu.au> Sent: Monday, September 30, 2013 1:19 PM Subject: Re: [math-fun] linear psu-random generators with linear "feed-in"
actually I think the best psu-random generator would be "hierarchical." That is, you use a very fast+simple generator for a while, then reseed it using a slower but more random generator, that in turn would be re-seeded at longer intervals with a slower but still more random generator etc.
You aim to get nearly the speed of the fastest but nearly the randomness of the slowest generator. The "feedin" technique is a way to do such reseeding in a "continual slow drip" rather than all at once. Seems to me the hierarchical idea can be backed up with a
THEOREM (or pretty close): If "randomness" is measured by expected computational complexity of a statistical test that finds a problem with it, and if achievable randomness grows with generator runtime exponentially, then it is possible to achieve arbitrarily enormous randomness with only a constant factor slower average runtime than the simplest generator.
_______________________________________________ math-fun mailing list math-fun@mailman.xmission.com http://mailman.xmission.com/cgi-bin/mailman/listinfo/math-fun
Precisely because hardware generated is *too* random since it's effectively non-deterministic, one cannot reproduce precisely the same sequence from a given seed - being able to do so is extremely useful in software terms. On 30 Sep 2013, at 21:34, Eugene Salamin wrote:
These days, why would anyone bother with software generated random numbers? Use hardware generation, amplified noise or quantum detection. Bypass the requirement of algorithm verification. Bypass the problem of a limited number of seeds.
-- Gene
________________________________ From: Warren D Smith <warren.wds@gmail.com> To: math-fun <math-fun@mailman.xmission.com>; richard.brent <Richard.Brent@anu.edu.au> Sent: Monday, September 30, 2013 1:19 PM Subject: Re: [math-fun] linear psu-random generators with linear "feed-in"
actually I think the best psu-random generator would be "hierarchical." That is, you use a very fast+simple generator for a while, then reseed it using a slower but more random generator, that in turn would be re-seeded at longer intervals with a slower but still more random generator etc.
You aim to get nearly the speed of the fastest but nearly the randomness of the slowest generator. The "feedin" technique is a way to do such reseeding in a "continual slow drip" rather than all at once. Seems to me the hierarchical idea can be backed up with a
THEOREM (or pretty close): If "randomness" is measured by expected computational complexity of a statistical test that finds a problem with it, and if achievable randomness grows with generator runtime exponentially, then it is possible to achieve arbitrarily enormous randomness with only a constant factor slower average runtime than the simplest generator.
_______________________________________________ math-fun mailing list math-fun@mailman.xmission.com http://mailman.xmission.com/cgi-bin/mailman/listinfo/math-fun
_______________________________________________ math-fun mailing list math-fun@mailman.xmission.com http://mailman.xmission.com/cgi-bin/mailman/listinfo/math-fun
The meaning and purpose of life is to give life purpose and meaning. The instigation of violence indicates a lack of spirituality.
I had the same thought as David, but then I thought: Why not record the sequence of hardware-generated numbers for future use if needed. Just how random are hardward-generated sequences, anyway? --Dan On 2013-09-30, at 3:37 PM, David Makin wrote:
Precisely because hardware generated is *too* random since it's effectively non-deterministic, one cannot reproduce precisely the same sequence from a given seed - being able to do so is extremely useful in software terms.
On 30 Sep 2013, at 21:34, Eugene Salamin wrote:
These days, why would anyone bother with software generated random numbers? Use hardware generation, amplified noise or quantum detection. Bypass the requirement of algorithm verification. Bypass the problem of a limited number of seeds.
You coud record it - but then you could have memory issues - e.g. recording a whole 24 hour's play's worth of randoms for something like Skyrim is not going to be trivial (I love to be able to playback). On 1 Oct 2013, at 01:39, Dan Asimov wrote:
I had the same thought as David, but then I thought: Why not record the sequence of hardware-generated numbers for future use if needed.
Just how random are hardward-generated sequences, anyway?
--Dan
On 2013-09-30, at 3:37 PM, David Makin wrote:
Precisely because hardware generated is *too* random since it's effectively non-deterministic, one cannot reproduce precisely the same sequence from a given seed - being able to do so is extremely useful in software terms.
On 30 Sep 2013, at 21:34, Eugene Salamin wrote:
These days, why would anyone bother with software generated random numbers? Use hardware generation, amplified noise or quantum detection. Bypass the requirement of algorithm verification. Bypass the problem of a limited number of seeds.
_______________________________________________ math-fun mailing list math-fun@mailman.xmission.com http://mailman.xmission.com/cgi-bin/mailman/listinfo/math-fun
The meaning and purpose of life is to give life purpose and meaning. The instigation of violence indicates a lack of spirituality.
Where I've used lots of random numbers it's been in Monte Carlo simulations with several hundred random variables and a thousand repetitions. Then I need to be able to run the MC again after some change to the system as a baseline test; as well as running it with a sequence of hardware "really" random values. Brent Meeker On 9/30/2013 6:11 PM, David Makin wrote:
You coud record it - but then you could have memory issues - e.g. recording a whole 24 hour's play's worth of randoms for something like Skyrim is not going to be trivial (I love to be able to playback).
On 1 Oct 2013, at 01:39, Dan Asimov wrote:
I had the same thought as David, but then I thought: Why not record the sequence of hardware-generated numbers for future use if needed.
Just how random are hardward-generated sequences, anyway?
--Dan
On 2013-09-30, at 3:37 PM, David Makin wrote:
Precisely because hardware generated is *too* random since it's effectively non-deterministic, one cannot reproduce precisely the same sequence from a given seed - being able to do so is extremely useful in software terms.
On 30 Sep 2013, at 21:34, Eugene Salamin wrote:
These days, why would anyone bother with software generated random numbers? Use hardware generation, amplified noise or quantum detection. Bypass the requirement of algorithm verification. Bypass the problem of a limited number of seeds.
_______________________________________________ math-fun mailing list math-fun@mailman.xmission.com http://mailman.xmission.com/cgi-bin/mailman/listinfo/math-fun The meaning and purpose of life is to give life purpose and meaning. The instigation of violence indicates a lack of spirituality.
_______________________________________________ math-fun mailing list math-fun@mailman.xmission.com http://mailman.xmission.com/cgi-bin/mailman/listinfo/math-fun
----- No virus found in this message. Checked by AVG - www.avg.com Version: 2014.0.4142 / Virus Database: 3604/6702 - Release Date: 09/26/13
Skyrim appears to be a game. So use a pseudo if you need the same sequence. For serious scientific calculations, does anyone have a idea of how many bytes would need to be recorded? For cryptography I would not trust a software algorithm. Even for a hardware device, you would want to be sure the NSA did not influence the design. Avoid high-level integrated devices in the critical path, and interface through standard off-the-shelf components. How random are hardware-generated sequences? With biases removed and waiting out correlation times, they are completely random. Even then, a little bit of bias or correlation won't compromise cryptography. -- Gene
________________________________ From: David Makin <makinmagic@tiscali.co.uk> To: math-fun <math-fun@mailman.xmission.com> Sent: Monday, September 30, 2013 6:11 PM Subject: Re: [math-fun] linear psu-random generators with linear "feed-in"
You coud record it - but then you could have memory issues - e.g. recording a whole 24 hour's play's worth of randoms for something like Skyrim is not going to be trivial (I love to be able to playback).
On 1 Oct 2013, at 01:39, Dan Asimov wrote:
I had the same thought as David, but then I thought: Why not record the sequence of hardware-generated numbers for future use if needed.
Just how random are hardward-generated sequences, anyway?
--Dan
On 2013-09-30, at 3:37 PM, David Makin wrote:
Precisely because hardware generated is *too* random since it's effectively non-deterministic, one cannot reproduce precisely the same sequence from a given seed - being able to do so is extremely useful in software terms.
On 30 Sep 2013, at 21:34, Eugene Salamin wrote:
These days, why would anyone bother with software generated random numbers? Use hardware generation, amplified noise or quantum detection. Bypass the requirement of algorithm verification. Bypass the problem of a limited number of seeds.
Frankly I'd be surprised if any "real" hardware random was more statistically random than say the Mersenne Twister (at multiple bit-widths say from 1 to 64). One of the most sensitive monte-carlo method uses is chaos-game rendering of IFS fractals - for example even generation over time of a standard Sierpinski triangle and the Mersenne works great - with the added bonus that the determinism means exactly the same image can be reproduced from the single seed. On 1 Oct 2013, at 02:44, Eugene Salamin wrote:
Skyrim appears to be a game. So use a pseudo if you need the same sequence. For serious scientific calculations, does anyone have a idea of how many bytes would need to be recorded?
For cryptography I would not trust a software algorithm. Even for a hardware device, you would want to be sure the NSA did not influence the design. Avoid high-level integrated devices in the critical path, and interface through standard off-the-shelf components.
How random are hardware-generated sequences? With biases removed and waiting out correlation times, they are completely random. Even then, a little bit of bias or correlation won't compromise cryptography.
-- Gene
________________________________ From: David Makin <makinmagic@tiscali.co.uk> To: math-fun <math-fun@mailman.xmission.com> Sent: Monday, September 30, 2013 6:11 PM Subject: Re: [math-fun] linear psu-random generators with linear "feed-in"
You coud record it - but then you could have memory issues - e.g. recording a whole 24 hour's play's worth of randoms for something like Skyrim is not going to be trivial (I love to be able to playback).
On 1 Oct 2013, at 01:39, Dan Asimov wrote:
I had the same thought as David, but then I thought: Why not record the sequence of hardware-generated numbers for future use if needed.
Just how random are hardward-generated sequences, anyway?
--Dan
On 2013-09-30, at 3:37 PM, David Makin wrote:
Precisely because hardware generated is *too* random since it's effectively non-deterministic, one cannot reproduce precisely the same sequence from a given seed - being able to do so is extremely useful in software terms.
On 30 Sep 2013, at 21:34, Eugene Salamin wrote:
These days, why would anyone bother with software generated random numbers? Use hardware generation, amplified noise or quantum detection. Bypass the requirement of algorithm verification. Bypass the problem of a limited number of seeds.
_______________________________________________ math-fun mailing list math-fun@mailman.xmission.com http://mailman.xmission.com/cgi-bin/mailman/listinfo/math-fun
The meaning and purpose of life is to give life purpose and meaning. The instigation of violence indicates a lack of spirituality.
Hardware RNGs are very random, except when they aren't. And if they aren't, your adversary may well know about it before you do. http://crypto.2013.rump.cr.yp.to/55e2988c4ed3c9f635c9a4c3f52fa0b1.pdf
How random are hardware-generated sequences? With biases removed and waiting out correlation times, they are completely random. Even then, a little bit of bias or correlation won't compromise cryptography.
If you're using random bits as a way of gathering evidence about random phenomena, consider using the (binary) digits of pi. Then it's win-win: either pi leads you to correct conclusions about random phenomena (so you won't look too foolish) or pi leads you astray (and you'll be remembered as the person whose work led to the discovery of patterns in the digits of pi). On the other hand, if your work leads to the discovery of flaws in some RNG, then your work will be self-effacing in the long term: thanks to your discovery of flaws in that RNG, the RNG will lapse into disuse and tumble into obscurity, dragging with it the fact that it was your work that unearthed the flaw. See mathoverflow.net/questions/26942/is-pi-a-good-random-number-generatorfor a more sober discussion of this topic. Jim Propp On Monday, September 30, 2013, Hilarie Orman <ho@alum.mit.edu> wrote:
Hardware RNGs are very random, except when they aren't. And if they aren't, your adversary may well know about it before you do.
http://crypto.2013.rump.cr.yp.to/55e2988c4ed3c9f635c9a4c3f52fa0b1.pdf
How random are hardware-generated sequences? With biases removed and waiting out correlation times, they are completely random. Even then, a little bit of bias or correlation won't compromise cryptography.
_______________________________________________ math-fun mailing list math-fun@mailman.xmission.com http://mailman.xmission.com/cgi-bin/mailman/listinfo/math-fun
participants (7)
-
Dan Asimov -
David Makin -
Eugene Salamin -
Hilarie Orman -
James Propp -
meekerdb -
Warren D Smith