Complexitatea calcului

Pseudorandom Generators

1

Pseudorandom Generators

2

Contents

Introduction…………………………………………………………………………………….. 4

Description of the method………………………………………………………………………. 6

Pseudo code with explanations………………………………………………………………… 13

Bibliography…………………………………………………………………………………… 18

3

Introduction

The second half of this century has witnessed the development of three theories of randomness,a notion which has been puzzling thinkers for ages. The first theory , initiated by Shannon, is rooted in probability theory and is focused at distributions which are not perfectly random. Shannon's Information Theory characterizes perfect randomness as the extreme case inwhich the information content is maximized (and there is no redundancy at all). Thus, perfectrandomness is associated with a unique distribution - the uniform one. In particular, by definition, one cannot generate such perfect random strings from shorter random seeds.

The second theory , due to Solomonov , Kolmogorov and Chaitin , is rooted in computability theory and specially in the notion of a universal language (equiv., universal machine or computing device). It measures the complexity of objects in terms of theshortest program (for a fixed universal machine) which generates the object. Like Shannon's theory, Kolmogorov Complexity is quantitative and perfect random objects appear as an extreme case. Interestingly, in this approach one may say that a single object, rather than a distribution over objects, is perfectly random. Still, Kolmogorov's approach is inherently intractable (i.e., Kolmogorov Complexity is uncomputable), and - by definition -one cannot generate strings of high Kolmogorov Complexity from short random seeds.

The third theory, initiated by Blum, Goldwasser, Micali and Yao , is rooted incomplexity theory and is the focus of this essay. This approach is explicitly aimed at providinga notion of perfect randomness which nevertheless allows to efficiently generate perfect randomstrings from shorter random seeds. The heart of this approach is the suggestion to view objects asequal if they cannot be told apart by any efficient procedure. Consequently a distribution whichcannot be efficiently distinguished from the uniform distribution will be considered as being random (or rather called pseudorandom). Thus, randomness is not an “inherent" property of objects (or distributions) but rather relative to an observer (and its computational abilities).

We conclude that the randomness of an event is relative to the information and computing resources at our disposal. Thus, a natural concept of pseudo randomness arises - a distribution is pseudorandom if no efficient procedure can distinguish it from the uniform distribution, where efficient procedures are associated with (probabilistic) polynomial-time algorithms.

Even when a problem is computationally solvable in principle it may not be solvable inpractice; it may require inordinate amounts of computational resources (e.g. more time than the age of the universe). Complexity addresses issues such as:

assessing how hard a problem is, in terms of resource consumption; how different computational resources can be traded o against each other; identification of “hard" computational tasks. These have important applications

in modern cryptography such as data authentication and public key cryptosystems.

the concept and study of complexity has deep fundamental significance for other areas such as physics and biology (cf later remark).

complexity theory is an exciting and currently very active area of research. In 2000 the Clay Mathematical Institute (USA) identified 7 most significant open problems, to celebrate mathematics in the new millennium.

4

Random probabilistic choice is different from non-determinism! (even though both relate a current configuration to many possibilities in a single transition) - in a NDTM the computer makes many steps “simultaneously" following all paths in a computational tree. In the probabilistic case the computer chooses only one step at each node (probabilistically) and follows only someone path through the tree. However on repeating the computation with the same input, the path chosen will generally be a different one. We require the final answer to be correct with “suitably high probability" (cf later for formal definitions of classes and various specific requirements that we impose).

5

Description of the method

We have two things which are called "probability ensembles", and denoted by

and . We are talking about infinite sequences of distributions like we talk about the language and each distribution seats on some final domain. Typically the distribution Xn will have as a support strings of length polynomial of n, not more and not much less.

Definition 1 (probability ensembles): A probability ensemble X is a family such that Xn is a probability distribution on some finite domain.

What is to say that these ensembles are computational indistinguishable? We want to look at the particular algorithm A and want to ask what is the probability of the event: when you give to A an input Xn then it says 1 (or 1 is just arbitrary) and look at the difference of the

probabilities for answers of execution this algorithm A for two inputs and . And if this difference is negligible, when you look at n as the parameter then we will say that we cannot distinguish the first ensemble from the second one.

Definition 2 (canonic notion of computational indistinguishability): Two probability ansambles

and are computationally indistinguishable if they are indistinguishable by any probabilistic polynomial-time algorithm. That is, for every probabilistic polynomial-time algorithm A, and every polynomial p() there exists N s.t. for all n > N

Another notion that we talk about is indistinguhability by circuits.

Definition 3 Two probability ensembles and are indistinguishable by small circuits if for all families of polynomial-size circuits {Cn}

is negligible.

The notion of Computational Indistinguishability is a relaxation of the notion of statistical closeness (or statistical indistinguishability). If two probability ensembles are statistical close then they are computationally indistinguishable.

We note that there are computationally indistinguishable probability ensembles which are not statistical close.

Suppose, there exists a distinguisher D, between and . Then define

It is easy to see that

. Define algorithm D’ as follows:Begin Algorithm DistinguisherInput α, (taken from Xn or Yn)

(1) Choose (i.e., uniformly in )

6

(2) Construct Return D(Z)end.

whereas

Thus,

for some p() and for infinitely many n’s.

Definition 4 (PseudoRandom Generator - PRG): The function withstretch function l(n) is a pseudo-random generator if:

G is a polynomial time algorithm

or every x,

and are computational indistinguishable, where Um denotes the

uniform distribution over .Suppose we have a Pseudo-Random Generator G1 with a stretch function n + 1. Then for all

polynome l(n) there exists a Pseudo-Random Generator with stretch function l(n).Suppose we have a probabilistic polynomial time algorithm A, which on input of length n

uses m(n), random bits. Algorithm A’ may solve either search problem for some relation or decision problem for some language L. Our claim will be that for all ε > 0 there exists a probabilistic polynomial time algorithm A’ that uses only nε random bits and “behaves" in the same way that A does.

7

The construction of A’ bases on assumption that we are given pseudo-random generator G :

. Recall that A(x, R) that A is running on input x with coins R.

Algorithm A'

Input

Choose R ← G(s) (generate the coin tosses)Return A(x, R) (run A on input x using coins R )end.

It is infeasible given 1n to find , such that the “behavior" of A’(x) is substantially different from A(x).

The meaning of this proposition depends on the computational problem solved by A. In case A solves some NP-search problem, the proposition asserts that it is hard (i.e., feasible only with negligible probability) to find large x' s such that A can find the solution for x, and A’(x) will fail to do so. In case A computes some function the proposition applies too.

An important property of a pseudo-random generator G(S) that it turns the seed into the sequence x = G(S) in polynomial time. But the inverse operation of finding the seed S from G(S) would be hard (or else pseudorandomness is violated as shown below). A pseudo-random generator is however, not just a function that hard to invert it also stretches the input into the larger sequence that look random. Still pseudo-random generators can be related to functions which are “only" easy to compute and hard to invert, as defined next.

Definition 5 (One-way functions – OWF): ):A function such that is one-way if :

there is exists polynomial time algorithm A, such that for all probabilistic polynomial time A0 and for all polynome p() and for all sufficiently

large n' s : In other words this function must be easy computed and hard inverted. Note an important

feauture : the inversion algorithm must fail almost always. But the probability distribution used here is not uniform over all f(x); rather, it is the distribution f(x) when x is choosen uniformly.

Pseudo-Random Generators exist if and only if One-Way Functions exist.Intuitively, two objects are called computationally indistinguishable if no efficient

procedure can tell them apart. As usual in complexity theory, an elegant formulation requires asymptotic analysis (or rather a functional treatment of the running time of algorithms in terms of the length of their input). Thus, the objects in question are infinite sequences of distributions, where each distribution has a finite support. Such a sequence will be called a distribution

ensemble. Typically, we consider distribution ensembles of the form , where for some

8

function , the support of each Dn is a subset of . Furthermore, typically will be a positive polynomial.Definition 6 (Pseudorandom Generators): A deterministic polynomial-time algorithm G is called a pseudorandom generator if there exists a stretching function, so that the

following two probability ensembles, denoted and , are computationally indistinguishable

1. Distribution Gn is defined as the output of G on a uniformly selected seed in .

2. Distribution Rn is defined as the uniform distribution on .

That is, letting Um denote the uniform distribution over , we require that for any probabilistic polynomial-time algorithm A, for any positive polynomial p, and for all sufficiently

large n' s .Thus, pseudorandom generators are efficient (i.e., polynomial-time) deterministic

programs which expand short randomly selected seeds into longer pseudorandom bit sequences, where the latter are defined as computationally indistinguishable from truly random sequences by efficient (i.e., polynomial-time) algorithms. It follows that any efficient randomized algorithm maintains its performance when its internal coin tosses are substituted by a sequence generated by a pseudorandom generator.

Pseudorandom generators as defined above are only required to stretch their input a bit; for example, stretching n-bit long inputs to (n+1)-bit long outputs will do. Clearly generator of such moderate stretch function are of little use in practice. In contrast, we want to have pseudorandom generators with an arbitrary long stretch function. By the efficiency requirement, the stretch function can be at most polynomial. It turns out that pseudorandom generators with the smallest possible stretch function can be used to construct pseudorandom generators with any desirable polynomial stretch function.

The known constructions transform computation difficulty, in the form of one-way functions (defined below), into pseudorandomness generators. Loosely speaking, a polynomial-time computable function is called one-way if any efficient algorithm can invert it only with negligible success probability.

For simplicity, we consider only length-preserving one-way functions. Recall that givenany one-way 1-1 function, we can easily construct a pseudorandom generator. Actually, the 1-1requirement may be dropped, but the currently known construction - for the general case - is quite complex. Still we do have.

To show that the existence of pseudorandom generators imply the existence of one-way

functions, consider a pseudorandom generator G with stretch function .For

, define , and so f is polynomial-time computable (and length-preserving). It must be that f is one-way, or else one can distinguish G(Un) from U2n by trying to invert and checking the result: Inverting f on its range distribution refers to the distribution G(Un), whereas the probability that U2n has inverse under f is negligible.

9

The interesting direction is the construction of pseudorandom generators based on any one-way function. In general (when f may not be 1-1) the ensemble f(Un) may not be pseudorandom, and G(s) = f(s)b(s), where b is a hard-core of f cannot be used directly.One idea is to hash f(Un) to an almost uniform string of length related to its entropy, using Universal Hash Functions . (This is done after guaranteeing, that the logarithm of theprobability mass of a value of f(Un) is typically close to the entropy of f(Un).) But “hashingf(Un) down to length comparable to the entropy" means shrinking the length of the output to,say, n’ < n. This foils the entire point of stretching the n-bit seed. Thus, a second idea isto compensate for the n - n’ loss by extracting these many bits from the seed Un itself. This isdone by hashing Un, and the point is that the (n – n’ + 1)-bit long hash value does not make theinverting task any easier. Implementing these ideas turns out to be more difficult than it seems, and indeed an alternative construction would be most appreciated.

Pseudorandom generators allow to efficiently generate long pseudorandom sequences from short random seeds. Pseudorandom functions (defined below) are even more powerful: They allow efficient direct access to a huge pseudorandom sequence (which is infeasible to scan bit-by-bit). Put in other words, pseudorandom functions can replace truly random functions in any efficient application (e.g., most notably in cryptography). That is, pseudorandom functions are indistinguishable from random functions by efficient machines which may obtain the function values at arguments of their choice. (Such machines are called oracle machines, and if M is such machine and f is a function, then Mf (x) denotes the computation of M on input x when M 's queries are answered by the function f.)

A pseudorandom function (ensemble), with length parameters , is a

collection of functions Satisfying :

(efficient evaluation): There exists an efficient (deterministic) algorithm which given a

seed, s, and an -bit argument, x, returns the -bit long value fs(x). (pseudorandomness): For every probabilistic polynomial-time oracle machine, M, for

every positive polynomial p and all sufficiently large n' s

where Fn denotes the distribution on F obtained by selecting s uniformly in {0,1}n, and Rn denotes the uniform

distribution over all functions mapping to .

Suppose, for simplicity, that and . Then a function uniformly selected among 2n functions (of a pseudorandom ensemble) presents an input-output behavior which is indistinguishable in poly(n)-time from the one of a function selected at random among all the

Boolean functions. Contrast this with the 2n pseudorandom sequences, produced by a pseudorandom generator, which are computationally indistinguishable from a sequence selected uniformly among all the 2poly(n) many sequences. Still pseudorandom functions can be constructed from any pseudorandom generator. Randomness is playing an increasingly important role in computation: It is frequently used in the design of sequential, parallel and distributed algorithms, and is of course central to cryptography.

Whereas it is convenient to design such algorithms making free use of randomness, it is

10

also desirable to minimize the usage of randomness in real implementations. Thus, pseudorandom generators (as defined above) are a key ingredient in an “algorithmic tool-box” - they provide an automatic compiler of programs written with free usage of randomness into programs which make an economical use of randomness.

Indeed, “pseudo-random number generators” have appeared with the first computers. However, typical implementations use generators which are not pseudorandom according to the above definition. Instead, at best, these generators are shown to pass some ad-hoc statistical test. However, the fact that a “pseudo-random number generator” passes some statistical tests, doesnot mean that it will pass a new test and that it is good for a future (untested) application. Furthermore, the approach of subjecting the generator to some ad-hoc tests fails to provide general results of the type stated above (i.e., of the form “for all practical purposes using the output of the generator is as good as using truly unbiased coin tosses”). The notion of computational indistinguishability, covers all possible efficient applications postulating that for all of them pseudorandom sequences are as good as truly random ones.

Our definition of pseudorandom generators is based on the notion of computational indistinguishability. The behaviorist nature of the latter notion is best demonstrated by confronting it with the Kolmogorov-Chaitin approach to randomness. Loosely speaking, a string is Kolmogorov-random if its length equals the length of the shortest program producing it. This shortest program may be considered the \true explanation" to the phenomenon described by the string. A Kolmogorov-random string is thus a string which does not have a substantially simpler (i.e., shorter) explanation than itself. Considering the simplest explanation of a phenomenon may be viewed as an ontological approach. In contrast, considering the effect of phenomena (on an observer), as underlying the definition of pseudorandomness, is a behaviorist approach.

Furthermore, there exist probability distributions which are not uniform (and are not even statistically close to a uniform distribution) that nevertheless are indistinguishable from a uniform distribution by any efficient method. Thus, distributions which are ontologically very different, are considered equivalent by the behaviorist point of view taken in the definitions above.

Pseudorandomness is defined above in terms of its observer. It is a distribution which cannot be told apart from a uniform distribution by any efficient (i.e. polynomial-time) observer. However, pseudorandom sequences may be distinguished from random ones by infinitely powerful (not at our disposal). Specifically, an exponential time machine can easily distinguish the output of a pseudorandom generator from a uniformly selected string of the same length (e.g., just by trying all possible seeds). Thus, pseudorandomness is subjective to the abilities of the observer.

Pseudorandomness and computational difficulty play dual roles: The definition of pseudo randomness relies on the fact that putting computational restrictions on the observer gives rise to distributions which are not uniform and still cannot be distinguished from uniform. Furthermore, the construction of pseudorandom generators rely on conjectures regarding computational difficulty (i.e., the existence of one-way functions), and this is inevitable: given a pseudorandom generator, we can construct one-way functions. Thus, (non-trivial) pseudorandomness and computational hardness can be converted back and forth.

A generic formulation of pseudorandom generators consists of specifying three fundamental aspects - the stretching measure of the generators; the class of distinguishers that the generators are supposed to fool (i.e., the algorithms with respect to which the computational

11

indistinguishability requirement should hold); and the resources that the generators are allowed to use (i.e., their own computational complexity). In the above presentation we focused on polynomial-time generators (thus having polynomial stretching measure) which fool any probabilistic polynomial-time observers. A variety of other cases are of interest too, and we briey discuss some of them. Whenever the aim is to replace random sequences utilized by an algorithm with pseudorandom ones, one may try to capitalize on knowledge of the target algorithm. Above we have merely used the fact that the target algorithm runs in polynomial-time. However, for example, if we know that the algorithm uses very little workspace then we may able to do better. Similarly, if we know that the analysis of the algorithm only depends on some specific properties of the random sequence it uses (e.g., pairwise independence of its elements). In general, weaker notions of computational indistinguishability such as fooling space-bounded algorithms, constant-depth circuits, and even speci_c tests (e.g., testing pairwise independence of the sequence), arise naturally: Generators producing sequences which fool such tests are useful in a variety of applications { if the application utilizes randomness in a restricted way then feeding it with sequences of low randomness-quality may do. Needless to say that we advocate a rigorous formulation of the characteristics of such applications and rigorous construction of generators which fool the type of tests which emerge. The above discussion has focused on one aspectof the pseudorandomness question { the resources or type of the observer (or potential distinguisher).

Another important question is whether such pseudorandom sequences can be generatedfrom much shorter ones, and at what cost (or complexity). Throughout this essay we've requiredthe generation process to be at least as efficient as the efficiency limitations of the distinguisher.4This seems indeed \fair" and natural. Allowing the generator to be more complex (i.e., use moretime or space resources) than the distinguisher seems unfair, but still yields interesting consequences in the context of trying to \de-randomize" randomized complexity classe. For example, one may consider generators working in time exponential in the length of the seed. In some cases we loose nothing by being more liberal (i.e., allowing exponential-time generators). To see why, we consider a typical de-randomization argument, proceeding in two steps: First one replaces the true randomness of the algorithm by pseudorandom sequences generated from much shorter seeds, and next one goes deterministically over all possible seeds and looks for the most frequent behavior of the modified algorithm. Thus, in such a case the deterministic complexity is anyhow exponential in the seed length. However, constructing exponential time generators may be easier than constructing polynomial-time ones.

12

Pseudo code with explanations

The random number generators in standard function libraries are not always of the bestquality. With today’s fast computers it is possible to make larger computer simulations thanwhat has been common previously. Furthermore, today’s multi-kernel microprocessors require random number generators with support for multithreading. The present random number generator libraries are designed for the purpose of meeting these high demands. The advantages of these packages are:

Very good randomness Very long cycle length High resolution Support for multiple threads and multiple streams Very fast and efficient Allow seeds of any length Includes Mersenne Twister, Mother-Of-All generator, SFMT generator and

combinations of these Discrete uniform distribution over arbitrary interval is exact where other

implementations have rounding errors Continuous distributions supported: Uniform and normal Discrete distributions supported: Uniform, Poisson, binomial, hypergeometric and

various noncentral hypergeometric distributions Open source Support for Windows, Linux, BSD, Mac, etc.A random number generator is typically based on a recursion of the form:

where the transition function f calculates each new value Xn from the k preceding values. The transition function f can use either integer (Euclidian) algebra modulo some value m, or finite field algebra.

The generators based on integer algebra use addition and/or multiplication. For example,

a simple linear congruential generator has the form: The modulo operation is easy to implement if m=2b, where b is the number of bits in a

computer word. To take a value modulo 2b is simply to ignore the carry and use only thelower b bits of the result.

In some cases, a better randomness can be obtained by making m a prime. However, thisimplies a rounding error which most theorists have ignored. Assume, for example, that wehave chosen m = 231-1, which is a prime. We want to convert Xn to a floating-point uniformrandom number Un = Xn/m in the interval [0,1). The representation of floating-point numbers(IEEE 754 standard) is quantified so that the maximum number of equidistant points in theinterval [0,1) is a power of 2 (224, 253 or 264, depending on the precision). To get equidistantvalues of Un, we will need to space the values by 2-31. There are only 231-1 possible valuesof Xn, so one of the values in the interval [0,1) will be missing and the distribution will not beperfectly uniform. For this reason, I have chosen not to use any random number generatorwhere m is not a power of 2.

If the transition function f contains only simple algebraic operations such as addition andmultiplication then there is information flow from the least significant bits of the X values to

13

the most significant bits through the carries, but no information flow in the opposite direction.The consequence of this is that the least significant bits of each X forms an independentrandom number generator with inferior randomness. The most significant bits are morerandom than the least significant bits. This is unacceptable since some applications mayrely on the least significant bits. For example, it is quite common to have an application thattests whether Xn is odd or even, which is determined only by the least significant bit. Toavoid this problem, it is necessary to establish a feedback from the most significant bits tothe least significant bits. This is done in the multiply-with-carry generator, which adds theupper bits of a multiplication result to the lower bits. A multiply-with-carry generator withmore than one factor is the Mother-Of-All generator invented by George Marsaglia:

This generator has very good randomness and passes all tests in the powerful TestU01battery of tests for randomness4. A minor drawback of this generator is that it has a slightbias in the upper bits of Xn. This bias is too small to show in any experimental tests.The present package uses a Mother-Of-All generator with k = 4 and b = 32. The transitionfunction involves four multiplications of 32-bit factors into 64-bit products and addition ofthese 64-bit products. It is required that the compiler supports such 64-bit operations, or itmust be coded in assembly language.

Some measures of randomness are better determined by theoretical analysis than byexperiment. Most importantly, the cycle length should preferably be so long that it cannot bedetermined experimentally. The cycle length is the number of random numbers that can begenerated before the sequence is repeated. The highest possible cycle length is equal tothe number of different possible states in the state vector = 2kb. In many cases, the cyclelength is less than this value.

The theoretical analysis of a good random number generator can be very difficult. This is a serious dilemma: The random number generators that are easy to analyze theoretically tendto have poor randomness. If the random number generator has a simple mathematicalstructure that is easy to analyze, then it is also possible to construct a test that explores thisstructure and the generator will fail this test.

The best generators based on integer algebra with feedback from the high bits to the lowbits are difficult to analyze theoretically. Thus, the theoretical properties of the Mother-Of-Allgenerator have not been analyzed as thoroughly as one may wish.

Another class of random number generators that are easier to analyze theoretically arebased on finite field algebra. Addition and multiplication in the finite field F2 b are done simplyby bitwise XOR and AND operations on b-bit integers (C operators ^ and &). Thesegenerators are known as Linear Feedback Shift Registers (LFSR). The much usedMersenne Twister belongs to this class of random number generators6. The transitionfunction f consists of only XOR and AND operations, and shift operations for shuffling thebits. This type of generators can be constructed with extremely long cycle lengths.The fact that LFSR generators have a relatively simple mathematical structure also meansthat it is possible to construct tests that they cannot pass. The linear complexity test caneasily defeat any LFSR generator. This test is based on the Berlekamp-Massey algorithmwhich is an algorithm that detects the structure of an LFSR generator from any bit sequenceit has generated4. It is no wonder that the LFSR generators fail this test because the Berlekamp-Massey algorithm is in fact used during the construction of some LFSRgenerators. An arguably more relevant test is the binary matrix rank test. All LFSR

14

generators fail the binary matrix rank test when a sufficiently large matrix is used4. Thebigger the state vector in the generator, the bigger a matrix is needed in the test before itfails. The standard Mersenne Twister (MT19937) has such a large state vector that it takeshours to execute a binary matrix rank test large enough to defeat it.The Mersenne Twister has an output function Yn = g(Xn) where Yn is used as the randomnumber output. The output function g of the Mersenne Twister is called tempering. Thetempering function g simply shuffles and XOR’s the bits in Xn with each other. You may saythat this redistributes randomness rather than generate randomness because the value ofYn is not fed back into the state vector. A Mersenne Twister without the tempering algorithmfails the important gap test. The tempering algorithm takes a significant part of the totalexecution time because it has a dependency chain that prevents parallel execution.

A good random number generator should have chaotic behavior1. The degree of chaos ismeasured by a term which is called bifurcation in chaos theory. This is almost similar to theconcept of diffusion in cryptology3,8. The bifurcation is the divergence of two trajectories thatdiffer in their starting point by only one bit in the state vector. The standard Mersenne Twister has very poor bifurcation. For example, it takes many steps to recover from a state where most of the bits are zero.

Certain improvements have been made since the invention of the original MersenneTwister. Two improved generators based on the same principle as the Mersenne Twisterare the WELL generator and the SFMT generator. Both have better randomness, betterbifurcation/diffusion and higher speed than the original Mersenne Twister, and someversions don’t require the tempering function.

While the WELL generator has better bifurcation/diffusion than the SFMT generator, I have chosen the latter for the sake of efficient implementation. The impressive speed of moderncomputers are to a considerable degree due the their ability to do multiple operationssimultaneously. The amount of parallelism that can be obtained in the software implementation is limited by the shortest feedback path in the transition function f. The shortest feedback path is 32 bits in the WELL generator, but 128 bits in the SFMT generator. This makes it possible to do parallel operations in 128-bit SIMD (Single Instruction Multiple Data) registers with the SFMT generator, but not the WELL generator.

None of these generators can fully use the 256-bit registers of the new AVX instruction set or further extensions that are expected to be available in future computers. The SFMT isamong the fastest random number generators that satisfy our high requirements for randomness.The SFMT generator is specifically designed to take advantage of the SIMD capabilities ofmodern computers. Such capabilities are standard in modern PC’s (SSE2 or later instructionset), but absent in older PC’s and some mainframe computers. The portability of the SFMTgenerator is therefore limited. The C++ implementation in the randomc class libraryrequires that the computer has the SSE2 instruction set and that the compiler supports it.The implementation in the randoma library includes a branch for supporting old computerswithout SIMD/SSE2. On computers with non x86 instruction sets you need to use theoriginal C implementation by Mutsuo Saito. It would be possible to improve the bifurcationof the SFMT generator by using the new carry-less multiplication instruction, but nobody hasexplored this possibility yet.

A very efficient method of improving randomness is to combine the outputs of two or more different random number generators. In fact, you can get a good random number generator

15

out of two or more bad ones, especially if they are very different. The philosophy behind this method is quite simple. Combining something non-random with something random produces something random. Any "non-randomness" that one of the generators may have is eliminated by the other generator as long as the latter doesn’t have the same type of weakness. Only if both generators have the same type of weakness will it show in the combined output. The combination of two random number generators can be as simple as generating a b-bit integer from each generator and adding these two numbers modulo 2b.

A particular random number generator is suitable for a particular application if there is noundesired interaction between generator and application. The risk of an undesired 3-wayinteraction between application, generator 1 and generator 2 is much smaller than the riskof an undesired 2-way interaction between the application and a single generator if the twogenerators are different. I have not been able to find any experimental evidence ofundesired interactions between two random number generators, even if they were verysimilar in design.

I have implemented this principle by allowing the combination of the SFMT generator and the Mother-Of-All generator. These two generators are based on different kinds of algebraand are therefore very different. A generator based on integer algebra may fail certain testsbased on integer algebra; and a generator based on finite field algebra is known to fail certain tests based on finite field algebra. But each generator eliminates the weaknesses of the other one so that the combined generator is as good as we can wish for. The advantages of the SFMT generator are long cycle length and high-order equidistribution.

The weaknesses are a relatively low bifurcation and the failure to pass certain tests basedon finite field algebra. The advantages of the Mother-Of-All generator are a very high bifurcation and the fact that it passes the most stringent experimental tests for randomness.

The disadvantages are a slight bias in the output and the fact that it is difficult to analyzetheoretically so that it may have undetected theoretical weaknesses. All of these weaknesses are eliminated by combining the two generators. The fact that the two generators are based on fundamentally different algebras makes it unlikely that they have any noticeable weakness in common.

There is no practical limit to how long we can make the cycle length. The advantages of along cycle length are:• The probability of overlapping subsequences is reduced.• It is possible to obtain high-order equidistribution on generators with long cyclelengths.

The disadvantages of a long cycle length are:• The search for good parameters becomes more difficult.• The state vector becomes bigger. This takes more space in memory and cache andslows down cache-hungry applications.

Member functions (methods)void RandomInit(int seed);Initialize or re-initialize the random number generator. The value of seed can be anyinteger. The same seed always gives the same sequence of random numbers. A differentseed gives a different sequence.void RandomInitByArray(int const seeds[], int NumSeeds);Available only in Mersenne Twister and SFMT generator.

16

Initialize or re-initialize the random number generator. Allows any number of seeds.seeds[] is an array with NumSeeds seeds. A different value of any of the seeds gives adifferent sequence of random numbers.int IRandom(int min, int max);Generates a random integer n with uniform distribution in the interval min ≤ n ≤ max.The distribution may be slightly biased due to rounding errors if the interval length (max -min + 1) is large and not a power of 2.Use IRandomX instead if the highest precision is required.Restrictions: max ≥ min and max - min + 1 < 232.If max - min + 1 = 232, i.e. if you are using the whole range of integers, then use BRandom()instead. You may type-cast the output of BRandom to a signed integer if needed.Error conditions: Returns 0x80000000 if max < min.int IRandomX(int min, int max);Available only in Mersenne Twister and SFMT generator.Same as IRandom. The distribution is always exact. See page 19 below for a detailedexplanation.IRandomX takes a little extra time every time the length of the interval (max - min + 1) isdifferent from the last value.uint32_t BRandom();Gives a random 32-bit integer. May be used as 32 random bits.double Random();Gives a random floating point number x with uniform distribution in the interval 0 ≤ x < 1.Resolution:32 bits in Mersenne Twister and Mother-Of-All generator, 52 bits in SFMT generator.

The execution times vary a lot depending on the compiler and the optimization possibilities.

Bibliography

17

M. Blum and S. Micali. How to Generate Cryptographically Strong Sequences of Pseudo- Random Bits. SICOMP, Vol. 13, pages 850{864, 1984. Preliminary version in 23rd FOCS,1982.

O. Goldreich. Modern Cryptography, Probabilistic Proofs and Pseudorandomness. Algorithmsand Combinatorics series (Vol. 17), Springer, 1998.

O. Goldreich and L.A. Levin. Hard-core Predicates for any One-Way Function. In 21stSTOC, 1989.

S. Goldwasser and S. Micali. Probabilistic Encryption. JCSS, Vol. 28, No. 2, 1984. Preliminary version in 14th STOC, 1982.

J. H_astad, R. Impagliazzo, L.A. Levin and M. Luby. Construction of Pseudorandom Generator from any One-Way Function. To appear in SICOMP. Preliminary versions by Impagliazzo et. al. in 21st STOC (1989) and Hastad in 22nd STOC (1990).

A.C. Yao. Theory and Application of Trapdoor Functions. In 23rd FOCS, 1982.G.J. Chaitin. On the Length of Programs for Computing Finite Binary Sequences. Journal

of the ACM, Vol. 13, 1966. T.M. Cover and G.A. Thomas. Elements of Information Theory. John Wiley & Sons,

Inc., New-York, 1991. O. Goldreich. Foundation of Cryptography { Fragments of a Book. February 1995.

Available from http : //theory:lcs:mit:edu/~oded/frag:html. O. Goldreich. Modern Cryptography, Probabilistic Proofs and Pseudorandomness.

Algorithms and Combinatorics series (Vol. 17), Springer, 1998.O. Goldreich, S. Goldwasser, and S. Micali. How to Construct Random Functions.

Journal of the ACM, Vol. 33, No. 4, 1986. O. Goldreich and L.A. Levin. Hard-core Predicates for any One-Way Function. In 21st

ACM Symposium on the Theory of Computing, 1989.O. Goldreich and S. Micali. Increasing the Expansion of Pseudorandom Generators.

Manuscript, 1984. Available from http://theory.lcs.mit.edu/_oded/papers.html O. Goldreich, and H. Krawczyk, On Sparse Pseudorandom Ensembles. Random

Structures and Algorithms, Vol. 3, No. 2, (1992) . O. Goldreich, H. Krawcyzk and M. Luby. On the Existence of Pseudorandom

Generators. SIAM Journal on Computing, Vol. 22-6, 1993. S. Goldwasser and S. Micali. Probabilistic Encryption. Journal of Computer and System

Science, Vol. 28, No. 2, 1984. Preliminary version in 14th ACM Symposiumon the Theory of Computing, 1982.

J. Haastad, R. Impagliazzo, L.A. Levin and M. Luby. Construction of Pseudorandom Generator from any One-Way Function. To appear in SIAM Journal on Computing. Preliminaryversions by Impagliazzo et. al. in 21st ACM Symposium on the Theory of Computing (1989)and Hastad in 22nd ACM Symposium on the Theory of Computing (1990).

D.E. Knuth. The Art of Computer Programming, Vol. 2 (Seminumerical Algorithms). Addison-Wesley Publishing Company, Inc., 1969 (first edition) and 1981 (second edition).

A. Kolmogorov. Three Approaches to the Concept of \The Amount Of Information". Probl. of Inform. Transm., Vol. 1/1, 1965.

L.A. Levin. Randomness Conservation Inequalities: Information and Independence in Mathematical Theories. Inform. and Control, Vol. 61, 1984.

M. Li and P. Vitanyi. An Introduction to Kolmogorov Complexity and its Applications.

18

Springer Verlag, August 1993.A.M. Odlyzko. The future of integer factorization. CryptoBytes (The technical newsletter

of RSA Laboratories), Vol. 1 (No. 2), 1995.A.M. Odlyzko. Discrete logarithms and smooth polynomials. In Finite Fields: Theory,

Applications and Algorithms, G. L. Mullen and P. Shiue, eds., Amer. Math. Soc., ContemporaryMath. Vol. 168, 1994.

A.R. Razborov and S. Rudich. Natural proofs. Journal of Computer and System Science,Vol. 55 (1), 1997.

C.E. Shannon. A mathematical theory of communication. Bell Sys. Tech. Jour., Vol. 27, 1948.

R.J. Solomono_. A Formal Theory of Inductive Inference. Inform. and Control, Vol. 7/1, 1964.

L. Valiant. A theory of the learnable. Communications of the ACM, Vol. 27/11, 1984. A.C. Yao. Theory and Application of Trapdoor Functions. In 23rd IEEE Symposium onFoundations of Computer Science, pages 80{91, 1982.

19