- Source: Inversive congruential generator
Inversive congruential generators are a type of nonlinear congruential pseudorandom number generator, which use the modular multiplicative inverse (if it exists) to generate the next number in a sequence. The standard formula for an inversive congruential generator, modulo some prime q is:
x
0
=
seed
,
{\displaystyle x_{0}={\text{seed}},}
x
i
+
1
=
{
(
a
x
i
−
1
+
c
)
mod
q
if
x
i
≠
0
,
c
if
x
i
=
0.
{\displaystyle x_{i+1}={\begin{cases}(ax_{i}^{-1}+c){\bmod {q}}&{\text{if }}x_{i}\neq 0,\\c&{\text{if }}x_{i}=0.\end{cases}}}
Such a generator is denoted symbolically as ICG(q, a, c, seed) and is said to be an ICG with parameters q, a, c and seed seed.
Period
The sequence
(
x
n
)
n
≥
0
{\displaystyle (x_{n})_{n\geq 0}}
must have
x
i
=
x
j
{\displaystyle x_{i}=x_{j}}
after finitely many steps, and since the next element depends only on its direct predecessor, also
x
i
+
1
=
x
j
+
1
{\displaystyle x_{i+1}=x_{j+1}}
etc. The maximum possible period for the modulus q is q itself, i.e. the sequence includes every value from 0 to q − 1 before repeating.
A sufficient condition for the sequence to have the maximum possible period is to choose a and c such that the polynomial
f
(
x
)
=
x
2
−
c
x
−
a
∈
F
q
[
x
]
{\displaystyle f(x)=x^{2}-cx-a\in \mathbb {F} _{q}[x]}
(polynomial ring over
F
q
{\displaystyle \mathbb {F} _{q}}
) is primitive. This is not a necessary condition; there are choices of q, a and c for which
f
(
x
)
{\displaystyle f(x)}
is not primitive, but the sequence nevertheless has a period of q. Any polynomial, primitive or not, that leads to a maximal-period sequence is called an inversive maximal-period (IMP) polynomial. Chou describes an algorithm for choosing the parameters a and c to get such polynomials.
Eichenauer-Herrmann, Lehn, Grothe and Niederreiter have shown that inversive congruential generators have good uniformity properties, in particular with regard to lattice structure and serial correlations.
Example
ICG(5, 2, 3, 1) gives the sequence 1, 0, 3, 2, 4, 1, 0, 3, 2, 4, 1, 0, ...
In this example,
f
(
x
)
=
x
2
−
3
x
−
2
{\displaystyle f(x)=x^{2}-3x-2}
is irreducible in
F
5
[
x
]
{\displaystyle \mathbb {F} _{5}[x]}
, as none of 0, 1, 2, 3 or 4 is a root. It can also be verified that x is a primitive element of
F
5
[
x
]
/
(
f
)
{\displaystyle \mathbb {F} _{5}[x]/(f)}
and hence f is primitive.
Compound inversive generator
The construction of a compound inversive generator (CIG) relies on combining two or more inversive congruential generators according to the method described below.
Let
p
1
,
…
,
p
r
{\displaystyle p_{1},\dots ,p_{r}}
be distinct prime integers, each
p
j
≥
5
{\displaystyle p_{j}\geq 5}
. For each index j, 1 ≤ j ≤ r, let
(
x
n
)
n
≥
0
{\displaystyle (x_{n})_{n\geq 0}}
be a sequence of elements of
F
p
j
{\displaystyle \mathbb {F} _{p_{j}}}
periodic with period length
p
j
{\displaystyle p_{j}}
. In other words,
{
x
n
(
j
)
∣
0
≤
n
≤
p
j
}
∈
F
p
j
{\displaystyle \{x_{n}^{(j)}\mid 0\leq n\leq p_{j}\}\in \mathbb {F} _{p_{j}}}
.
For each index j, 1 ≤ j ≤ r, we consider
T
j
=
T
/
p
j
{\displaystyle T_{j}=T/p_{j}}
, where
T
=
p
1
⋯
p
r
{\displaystyle T=p_{1}\cdots p_{r}}
is the period length of the following sequence
(
x
n
)
n
≥
0
{\displaystyle (x_{n})_{n\geq 0}}
.
The sequence
(
x
n
)
n
≥
0
{\displaystyle (x_{n})_{n\geq 0}}
of compound pseudorandom numbers is defined as the sum
x
n
=
(
T
1
x
n
(
1
)
+
T
2
x
n
(
2
)
+
⋯
+
T
r
x
n
(
r
)
)
mod
T
{\displaystyle x_{n}=\left(T_{1}x_{n}^{(1)}+T_{2}x_{n}^{(2)}+\dots +T_{r}x_{n}^{(r)}\right){\bmod {T}}}
.
The compound approach allows combining inversive congruential generators, provided they have full period, in parallel generation systems.
Advantages of CIG
The CIG are accepted for practical purposes for a number of reasons.
Firstly, binary sequences produced in this way are free of undesirable statistical deviations. Inversive sequences extensively tested with variety of statistical tests remain stable under the variation of parameter.
Secondly, there exists a steady and simple way of parameter choice, based on the Chou algorithm that guarantees maximum period length.
Thirdly, compound approach has the same properties as single inversive generators, but it also provides period length significantly greater than obtained by a single inversive congruential generator. They seem to be designed for application with multiprocessor parallel hardware platforms.
There exists an algorithm that allows designing compound generators with predictable period length, predictable linear complexity level, with excellent statistical properties of produced bit streams.
The procedure of designing this complex structure starts with defining finite field of p elements and ends with choosing the parameters a and c for each inversive congruential generator being the component of the compound generator. It means that each generator is associated to a fixed IMP polynomial. Such a condition is sufficient for maximum period of each inversive congruential generator and finally for maximum period of the compound generator. The construction of IMP polynomials is the most efficient approach to find parameters for inversive congruential generator with maximum period length.
Discrepancy and its boundaries
Equidistribution and statistical independence properties of the generated sequences, which are very important for their usability in a stochastic simulation, can be analyzed based on the discrepancy of s-tuples of successive pseudorandom numbers with
s
=
1
{\displaystyle s=1}
and
s
=
2
{\displaystyle s=2}
respectively.
The discrepancy computes the distance of a generator from a uniform one. A low discrepancy means that the sequence generated can be used for cryptographic purposes, and the first aim of the inversive congruential generator is to provide pseudorandom numbers.
Definition
For N arbitrary points
t
1
,
…
,
t
N
−
1
∈
[
0
,
1
)
{\displaystyle {\mathbf {t} }_{1},\dots ,{\mathbf {t} }_{N-1}\in [0,1)}
the discrepancy is defined by
D
N
(
t
1
,
…
,
t
N
−
1
)
=
s
u
p
J
|
F
N
(
J
)
−
V
(
J
)
|
{\displaystyle D_{N}({\mathbf {t} }_{1},\dots ,{\mathbf {t} }_{N-1})={\rm {sup}}_{J}|F_{N}(J)-V(J)|}
,
where the supremum is extended over all subintervals J of
[
0
,
1
)
s
{\displaystyle [0,1)^{s}}
,
F
N
(
J
)
{\displaystyle F_{N}(J)}
is
N
−
1
{\displaystyle N^{-1}}
times the number of points among
t
1
,
…
,
t
N
−
1
{\displaystyle {\mathbf {t} }_{1},\dots ,{\mathbf {t} }_{N-1}}
falling into J and
V
(
J
)
{\displaystyle V(J)}
denotes the s-dimensional volume of J.
Until now, we had sequences of integers from 0 to
T
−
1
{\displaystyle T-1}
, in order to have sequences of
[
0
,
1
)
s
{\displaystyle [0,1)^{s}}
, one can divide a sequences of integers by its period T.
From this definition, we can say that if the sequence
t
1
,
…
,
t
N
−
1
{\displaystyle {\mathbf {t} }_{1},\dots ,{\mathbf {t} }_{N-1}}
is perfectly random then its well distributed on the interval
J
=
[
0
,
1
)
s
{\displaystyle J=[0,1)^{s}}
then
V
(
J
)
=
1
{\displaystyle V(J)=1}
and all points are in J so
F
N
(
J
)
=
N
/
N
=
1
{\displaystyle F_{N}(J)=N/N=1}
hence
D
N
(
t
1
,
…
,
t
N
−
1
)
=
0
{\displaystyle D_{N}({\mathbf {t} }_{1},\dots ,{\mathbf {t} }_{N-1})=0}
but instead if the sequence is concentrated close to one point then the subinterval J is very small
V
(
j
)
≈
0
{\displaystyle V(j)\approx 0}
and
F
N
(
j
)
≈
N
/
N
≈
1
{\displaystyle F_{N}(j)\approx N/N\approx 1}
so
D
N
(
t
1
,
…
,
t
N
−
1
)
=
1
{\displaystyle D_{N}({\mathbf {t} }_{1},\dots ,{\mathbf {t} }_{N-1})=1}
Then we have from the better and worst case:
0
≤
D
N
(
t
1
,
…
,
t
N
−
1
)
≤
1
{\displaystyle 0\leq D_{N}({\mathbf {t} }_{1},\dots ,{\mathbf {t} }_{N-1})\leq 1}
.
Notations
Some further notation is necessary. For integers
k
≥
1
{\displaystyle k\geq 1}
and
q
≥
2
{\displaystyle q\geq 2}
let
C
k
(
q
)
{\displaystyle C_{k}(q)}
be the set of nonzero lattice points
(
h
1
,
…
,
h
k
)
∈
Z
k
{\displaystyle (h_{1},\dots ,h_{k})\in Z^{k}}
with
−
q
/
2
<
h
j
<
q
/
2
{\displaystyle -q/2
for
1
≤
j
≤
k
{\displaystyle 1\leq j\leq k}
.
Define
r
(
h
,
q
)
=
{
q
sin
(
π
|
h
|
/
q
)
for
h
∈
C
1
(
q
)
1
for
h
=
0
{\displaystyle r(h,q)={\begin{cases}q\sin(\pi |h|/q)&{\text{for }}h\in C_{1}(q)\\1&{\text{for }}h=0\end{cases}}}
and
r
(
h
,
q
)
=
∏
j
=
1
k
r
(
h
j
,
q
)
{\displaystyle r(\mathbf {h} ,q)=\prod _{j=1}^{k}r(h_{j},q)}
for
h
=
(
h
1
,
…
,
h
k
)
∈
C
k
(
q
)
{\displaystyle {\mathbf {h} }=(h_{1},\dots ,h_{k})\in C_{k}(q)}
. For real
t
{\displaystyle t}
the abbreviation
e
(
t
)
=
e
x
p
(
2
π
⋅
i
t
)
{\displaystyle e(t)={\rm {exp}}(2\pi \cdot it)}
is used, and
u
⋅
v
{\displaystyle u\cdot v}
stands for the standard inner product of
u
,
v
{\displaystyle u,v}
in
R
k
{\displaystyle R^{k}}
.
Higher bound
Let
N
≥
1
{\displaystyle N\geq 1}
and
q
≥
2
{\displaystyle q\geq 2}
be integers. Let
t
n
=
y
n
/
q
∈
[
0
,
1
)
k
{\displaystyle {\mathbf {t} }_{n}=y_{n}/q\in [0,1)^{k}}
with
y
n
∈
{
0
,
1
,
…
,
q
−
1
}
k
{\displaystyle y_{n}\in \{0,1,\dots ,q-1\}^{k}}
for
0
≤
n
<
N
{\displaystyle 0\leq n
.
Then the discrepancy of the points
t
0
,
…
,
t
N
−
1
{\displaystyle {\mathbf {t} }_{0},\dots ,{\mathbf {t} }_{N-1}}
satisfies
D
N
(
t
0
,
t
1
,
…
,
t
N
−
1
)
{\displaystyle D_{N}(\mathbf {t} _{0},\mathbf {t} _{1},\dots ,\mathbf {t} _{N-1})}
≤
k
q
{\displaystyle {\frac {k}{q}}}
+
1
N
{\displaystyle {\frac {1}{N}}}
∑
h
∈
C
k
(
q
)
{\displaystyle \sum _{h\in \mathbb {C} _{k}(q)}}
1
r
(
h
,
q
)
|
∑
n
=
0
N
−
1
e
(
h
⋅
t
n
)
|
{\displaystyle {\frac {1}{r(\mathbf {h} ,q)}}{\Bigg |}\sum _{n=0}^{N-1}e(\mathbf {h} \cdot \mathbf {t} _{n}){\Bigg |}}
Lower bound
The discrepancy of
N
{\displaystyle N}
arbitrary points
t
1
,
…
,
t
N
−
1
∈
[
0
,
1
)
k
{\displaystyle \mathbf {t} _{1},\dots ,\mathbf {t} _{N-1}\in [0,1)^{k}}
satisfies
D
N
(
t
0
,
t
1
,
…
,
t
N
−
1
)
≥
π
2
N
(
(
π
+
1
)
l
−
1
)
∏
j
=
1
k
m
a
x
(
1
,
h
j
)
|
∑
n
=
0
N
−
1
e
(
h
⋅
t
n
)
|
{\displaystyle D_{N}(\mathbf {t} _{0},\mathbf {t} _{1},\dots ,\mathbf {t} _{N-1})\geq {\frac {\pi }{2N((\pi +1)^{l}-1)\prod _{j=1}^{k}{\rm {max}}(1,h_{j})}}{\Bigg |}\sum _{n=0}^{N-1}e(\mathbf {h} \cdot \mathbf {t} _{n}){\Bigg |}}
for any nonzero lattice point
h
=
(
h
1
,
…
,
h
k
)
∈
Z
k
{\displaystyle {\mathbf {h} }=(h_{1},\dots ,h_{k})\in Z^{k}}
, where
l
{\displaystyle l}
denotes the number of nonzero coordinates of
h
{\displaystyle {\mathbf {h} }}
.
These two theorems show that the CIG is not perfect because the discrepancy is greater strictly than a positive value but also the CIG is not the worst generator as the discrepancy is lower than a value less than 1.
There exist also theorems which bound the average value of the discrepancy for Compound Inversive Generators and also ones which take values such that the discrepancy is bounded by some value depending on the parameters. For more details see the original paper.
See also
Pseudorandom number generator
List of random number generators
Linear congruential generator
Generalized inversive congruential pseudorandom numbers
Naor-Reingold Pseudorandom Function
References
External links
Inversive Generators Archived 2008-09-24 at the Wayback Machine at the University of Salzburg.
Kata Kunci Pencarian:
- Inversive congruential generator
- Linear congruential generator
- Modular multiplicative inverse
- Generalized inversive congruential pseudorandom numbers
- List of random number generators
- ICG
- Pseudorandom number generator
- Multiply-with-carry pseudorandom number generator
- Inversive geometry
- Bruce Saran
