TABLES OF MAXIMALLY-EQUIDISTRIBUTED COMBINED LFSR GENERATORS

PIERRE L'ECUYER

Abstract. We give the results of a computer search for maximally-equidistributed combined linear feedback shift register (or Tausworthe) random number generators, whose components are trinomials of degrees slightly less than 32 or 64. These generators are fast and have good statistical properties.

1. Introduction

Linear Feedback Shift Register (LFSR) random number generators, also called Tausworthe generators, are based on linear recurrences modulo 2 with primitive characteristic polynomials. Efficient implementations are available for the case where the characteristic polynomial is a trinomial and satisfies some additional conditions. Trinomial-based generators have important statistical defects, but combining them can yield generators that are relatively fast and robust. Such combinations have been proposed and analyzed in [4, 9, 10]. In [4], it was explained how to find combined generators with the best possible equidistribution properties in some sense, within specified classes of combined LFSR generators. Three specific combined generators, each with three components and period length near $2^{88}$, were also given.

In the present paper, we provide the results of more extensive computer searches, for combined generators with larger periods. The need for large periods is supported by several arguments given, e.g., in [2, 3, 5]. The generators given in [4] are for 32-bit computers. Since 64-bit computers are becoming increasingly common, it is important to have good generators designed to fully use the 64-bit words. Some of the generators proposed here do it.

The next section explains how we combine LFSR generators and recalls definitions and properties. Section 3 gives specific combined generators of different sizes. Section 4 provides computer implementations in C.

1991 Mathematics Subject Classification. 65C10. Key words and phrases. Random number generation, equidistribution, combined generators, finite fields. This work has been supported by NSERC-Canada grants # ODGP0110050 and SMF0169893, and FCAR-Quebec grant # 93ER1654. I wish to thank Luc De Bellefeuille and Armand Nganou who helped performing the computer searches.

2. Combined LFSR Generators and Equidistribution

Consider the LFSR recurrence

$$x_n = (a_1 x_{n-1} + \cdots + a_k x_{n-k}) \bmod 2, \tag{1}$$

whose characteristic polynomial is $P(z) = z^k - a_1 z^{k-1} - \cdots - a_k$. This is a linear recurrence in the finite field $\mathbb{F}_2$ with two elements, 0 and 1. The recurrence has period length $\rho = 2^k - 1$ if and only if $P$ is a primitive polynomial, which we now assume. Let

$$u_n = \sum_{i=1}^{L} x_{ns+i-1}\, 2^{-i}, \tag{2}$$

where the step size $s$ and the word length $L$ are positive integers. If $(x_0, \ldots, x_{k-1}) \ne 0$, and $s$ is coprime to $\rho$, then the sequence (2) is also purely periodic with period $\rho$. An LFSR (or Tausworthe) random number generator is one that outputs a sequence $\{u_n,\ n \ge 0\}$ defined by (2).

Suppose now that we have $J$ LFSR recurrences, the $j$th one having a primitive characteristic polynomial $P_j(z)$ of degree $k_j$, and step size $s_j$ relatively prime with $\rho_j = 2^{k_j} - 1$. Assume that the $P_j(z)$ are pairwise relatively prime, that the $\rho_j$ are also relatively prime, and that these LFSRs use a common $L$. Let $\{x_{j,n},\ n \ge 0\}$ be the $j$th LFSR sequence, and define $x_n = (x_{1,n} + \cdots + x_{J,n}) \bmod 2$ and $u_n$ as in (2). Equivalently, if $\{u_{j,n},\ n \ge 0\}$ is the output sequence from the $j$th LFSR, then $u_n = u_{1,n} \oplus \cdots \oplus u_{J,n}$, where $\oplus$ denotes the bitwise exclusive-or in the binary expansion. The sequence $\{x_n\}$ is called the combined LFSR sequence and a generator that produces this $\{u_n\}$ is called a combined LFSR generator. In fact, $\{x_n\}$ follows a recurrence with reducible characteristic polynomial $P(z) = P_1(z) \cdots P_J(z)$ [9]. Under our assumptions, the sequences $\{x_n\}$ and $\{u_n\}$ have period length $\rho = (2^{k_1} - 1) \times \cdots \times (2^{k_J} - 1)$.

This type of combination is interesting because it permits one to conciliate efficient implementation with statistical robustness, by choosing the $P_j$ as trinomials for which the recurrence is easy to implement and runs fast, while making sure that $P(z)$ has many non-zero coefficients and that the combined generator has good equidistribution properties [1, 7, 10]. Of course, this is not the only way of constructing generators with good equidistribution; for other approaches, see, e.g., [5, 6, 8] and other references given there.

Let $T_t$ be the set (in the sense of a multiset) of $t$-dimensional vectors of successive output values, from all possible initial states:

$$T_t = \{\mathbf{u}_n = (u_n, \ldots, u_{n+t-1}) \mid n \ge 0,\ (x_0, \ldots, x_{k-1}) \in \{0,1\}^k\}.$$

Dividing the interval $[0,1)$ into $2^\ell$ equal segments determines a partition of the unit hypercube $[0,1)^t$ into $2^{t\ell}$ cubic cells of equal size, called a $(t,\ell)$-equidissection in base 2, and the set $T_t$ is said to be $(t,\ell)$-equidistributed if each cell contains the same number of points of $T_t$. The latter is possible only if $\ell \le L$ and $t\ell \le k$. If $T_t$ is $(t,\ell_t)$-equidistributed for $0 \le t \le k$, where $\ell_t = \min(L, \lfloor k/t \rfloor)$, then the (output) sequence is called maximally-equidistributed (ME). An ME sequence for which all non-empty cells contain exactly one point, for $t \ge 1$ and $\ell_t < \ell \le L$ (i.e., when there are more cells than points), is called collision-free (CF). ME-CF sequences enjoy nice equidistribution properties; their point sets are very evenly distributed in all dimensions, in terms of equidissections.

Verifying whether a sequence is ME or ME-CF amounts to computing the rank of a binary matrix that expresses the relevant bits of $\mathbf{u}_n$ in terms of $(x_{1,0}, \ldots, x_{1,k_1-1}), \ldots, (x_{J,0}, \ldots, x_{J,k_J-1})$, for different values of $t$, as explained in [4].

The above definitions of ME and ME-CF are based on the $\ell$ most significant bits of each $u_n$, so when $t$ is large, we look only at a few most significant bits. What about the least significant bits? For the LFSR generators considered here, it turns out that any successive $\ell$ bits in each $u_n$ have the same equidistribution properties as the most significant ones. More specifically, let $r$ be an integer such that $0 \le r \le L - \ell$ and define

$$v_n = 2^r u_n \bmod 1 = \sum_{i=1}^{L-r} x_{r+ns+i-1}\, 2^{-i}.$$

Then, for any box $C$ in the $(t,\ell)$-equidissection,

$$\{\mathbf{v}_n = (v_n, \ldots, v_{n+t-1}) \in C \mid n \ge 0,\ (x_0, \ldots, x_{k-1}) \in \{0,1\}^k\} = \{\mathbf{u}_n = (u_n, \ldots, u_{n+t-1}) \in C \mid n \ge 0,\ (x_r, \ldots, x_{r+k-1}) \in \{0,1\}^k\}.$$

Therefore, the sequence $\{v_n\}$ has exactly the same $(t,\ell)$-equidistribution properties as $\{u_n\}$.
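The rank test described above, carried out for the first generator of Table 1 with the $(k_j, q_j, s_j)$ values listed in Section 3, as an added example that is not code from the paper. It uses the shift/mask step form of lfsr113 from Section 4; the names `me_rank` and `is_me` are assumptions of this example, and it checks the ME condition only, not CF.

```c
#include <stdint.h>
#include <stdio.h>
enum { J = 4, KSUM = 113 };   /* k = 31 + 29 + 28 + 25 */
static const unsigned K[J] = {31, 29, 28, 25}, Q[J] = {6, 2, 13, 3}, S[J] = {18, 2, 7, 13};

/* One step of component j on a 32-bit word; every operation is linear over F_2. */
static uint32_t step(uint32_t z, int j) {
    uint32_t b = ((z << Q[j]) ^ z) >> (K[j] - S[j]);
    return ((z & (0xFFFFFFFFu << (32 - K[j]))) << S[j]) ^ b;
}

/* Rank over F_2 of the map: 113 state bits -> l top bits of each of t successive outputs. */
static int me_rank(int t, int l) {
    uint8_t m[KSUM][KSUM];                 /* row = image of one state bit */
    int n = t * l, row = 0, rank = 0;
    if (t < 1 || l < 1 || l > 32 || n > KSUM) return -1;
    for (int j = 0; j < J; j++)
        for (unsigned bit = 0; bit < K[j]; bit++, row++) {
            /* Unit state vector; other components are zero, so the XOR is component j's word. */
            uint32_t z = 0x80000000u >> bit;
            for (int i = 0; i < t; i++) {
                z = step(z, j);
                for (int b = 0; b < l; b++) m[row][i * l + b] = (z >> (31 - b)) & 1;
            }
        }
    for (int col = 0; col < n; col++) {    /* Gaussian elimination, column by column */
        int p = rank; while (p < KSUM && !m[p][col]) p++;
        if (p == KSUM) continue;
        for (int c = 0; c < n; c++) { uint8_t x = m[p][c]; m[p][c] = m[rank][c]; m[rank][c] = x; }
        for (int r = rank + 1; r < KSUM; r++)
            if (m[r][col]) for (int c = 0; c < n; c++) m[r][c] ^= m[rank][c];
        rank++;
    }
    return rank;
}

/* ME test: (t, l_t)-equidistribution for every t, with l_t = min(32, floor(113 / t)). */
static int is_me(void) {
    for (int t = 1; t <= KSUM; t++) {
        int l = KSUM / t < 32 ? KSUM / t : 32;
        if (me_rank(t, l) != t * l) return 0;
    }
    return 1;
}

int main(void) {
    printf("rank(t=3, l=32) = %d, ME = %d\n", me_rank(3, 32), is_me());
    return 0;
}
```

Full rank $t\ell$ means every cell of the $(t,\ell)$-equidissection receives the same number of points, which is the equidistribution condition defined above.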

3. Some Maximally-Equidistributed Collision-Free Generators

We now give ME-CF combined LFSR generators with word-lengths $L = 32$ and 64, whose components have recurrences with primitive trinomials of the form $P_j(z) = z^{k_j} - z^{q_j} - 1$ with $0 < 2q_j < k_j$, and with step size $s_j$ satisfying $0 < s_j \le k_j - q_j < k_j \le L$ and $\gcd(s_j, 2^{k_j} - 1) = 1$. Components that satisfy these conditions are implemented easily using the algorithm described in [4]. When they satisfy the additional condition that

$$L - k_j \le r_j - s_j \tag{3}$$

for all $j$, then the initialization procedure in [4, p. 205] is not necessary. All the parameter sets given in the forthcoming tables satisfy this additional condition.

For $L = 32$, three specific ME-CF generators with $J = 3$ were given in [4], and it was reported that there are 4744 ME-CF generators with $J = 4$, $k_1 = 31$, $k_2 = 29$, $k_3 = 28$, and $k_4 = 25$, among the 3.28 million that satisfy all our conditions except for (3). Since this paper was published, several people asked the author for specific instances of such generators. Table 1 gives a partial list. These combined generators have period lengths $(2^{31} - 1)(2^{29} - 1)(2^{28} - 1)(2^{25} - 1) \approx 2^{113}$ and their characteristic polynomials have degree 113. The 62 generators in Table 1 satisfy (3). They all have $(q_1, q_2, q_3, q_4) = (6, 2, 13, 3)$, so they have the same characteristic polynomial $P(z)$, which has 58 coefficients equal to zero and 55 coefficients equal to 1.

The following tables give selected results of random searches for ME-CF generators with $L = 64$, and with $J = 3$, 4, and 5 components. Here, $k = k_1 + \cdots + k_J$ is the degree of the product polynomial associated with the combination, $N_1$ is the number of coefficients that are 1 in that polynomial, and $\lg \rho = \mathrm{lcm}(k_1, \ldots, k_J)$ is (approximately) the logarithm in base 2 of the period length of the generator.

In Table 2, the first 4 generators have full period length $\rho = (2^{k_1} - 1)(2^{k_2} - 1)(2^{k_3} - 1) \approx 2^k$. The remaining 6 do not have full period, because the $k_j$ are not co-prime. Note that for all generators in this table, $N_1$ is rather small in comparison with $k$; that is, the characteristic polynomials have much more zeros than ones.

Table 3 gives 8 full-period ME-CF generators with $L = 64$, $J = 4$, $(k_1, k_2, k_3, k_4) = (63, 58, 55, 47)$, and $(q_1, q_2, q_3, q_4) = (31, 19, 24, 21)$. Their period length is approximately $2^{223}$ and their characteristic polynomial $P(z)$ (they all have the same) has 49 coefficients (out of 223) equal to 1. Table 4 gives a partial list of ME-CF generators with $(k_1, k_2, k_3, k_4) = (63, 58, 57, 55)$ and $(q_1, q_2, q_3, q_4) = (1, 19, 7, 24)$, so $k = 233$ and $\lg \rho = 230$, whereas Table 5 gives ME-CF generators with $(k_1, k_2, k_3, k_4) = (63, 60, 58, 57)$, which gives $k = 238$ and $\lg \rho = 220$. In all cases, the number of ones in the characteristic polynomial of the combined generator is significantly less than $k/2$, but still reasonably high.

Table 1. ME-CF generators with L = 32 and J = 4.

  No  s1  s2  s3  s4      No  s1  s2  s3  s4
   1  18   2   7  13      32   4  16   8   3
   2  13   3   4   9      33  22  17   4   6
   3  24   3  11  12      34  21  17   4  13
   4  10   4   2   6      35  20  17   7   8
   5  16   4   2  12      36  19  17  11   6
   6  11   5   4   3      37   4  17  11   7
   7  17   5   4   6      38  12  17  11  15
   8  12   5  11   9      39  15  18   4   9
   9  23   5  11  12      40  17  18   4  15
  10  23   6   7   8      41  12  18   7   4
  11  14   8   2   9      42  15  18   8  11
  12  22   8   7   4      43   6  18  11  13
  13  21   8  11   4      44   8  19   2   9
  14  10   9   8   2      45  13  19   4   2
  15  22   9  11   9      46   5  19   8   3
  16   3  10   4  15      47   6  19   8  11
  17  24  10   7   8      48  24  19  11   5
  18  21  10   8   4      49   6  20   2  10
  19  12  10   8  15      50  13  20   4  10
  20  17  10  11   6      51  24  21   2   7
  21   3  11   4  12      52  14  21   8  13
  22   9  11   4  13      53  10  22   8  13
  23   9  11   7   4      54   7  22   8  14
  24  11  12   4  10      55  15  23   8   5
  25  20  12   7  15      56   9  23  11   4
  26  17  12  11  11      57  20  24   4   8
  27  21  13   4  14      58  16  24   4  14
  28  11  14   8   7      59  20  24   4  14
  29   6  14   8  13      60  23  24   7   3
  30  20  15   7  13      61  14  24   8  10
  31  12  16   2  10      62  16  24  11  12

Table 2. ME-CF generators with L = 64 and J = 3.

  No  k1  k2  k3  q1  q2  q3  s1  s2  s3    k  lg rho  N1
   1  63  58  55   5  19  24  24  13   7  176     176  17
   2  63  55  52   1  24   3  27  22  14  170     170  27
   3  63  55  47   5  24   5  22  18  21  165     165  21
   4  63  55  47  31  24  21  17  21   5  165     165  21
   5  63  58  57  31  19  22  20  26  13  178     175  27
   6  63  58  57  31  19  22  26  14  15  178     175  27
   7  63  58  57  31  19  22  20  11  16  178     175  27
   8  63  58  57  31  19  22  29  26  20  178     175  27
   9  63  58  57  31  19  22  11  25  27  178     175  27
  10  63  57  55   5  22  24  51  18  19  175     172  27

Table 3. Full-period ME-CF generators with L = 64, J = 4, k = 223, and N1 = 49.

  No  s1  s2  s3  s4      No  s1  s2  s3  s4
   1  18  28   7   8       5  18  22  16   6
   2  26  20  11   7       6  30  28  17   9
   3  19  25  12   9       7  17  28  18   6
   4  18  31  13   6       8  12   8  22   9

Table 6 lists 24 full-period ME-CF generators with $L = 64$, $J = 5$, $(k_1, k_2, k_3, k_4, k_5) = (63, 55, 52, 47, 41)$, $(q_1, q_2, q_3, q_4, q_5) = (1, 24, 3, 5, 3)$, $k = 258$, $\rho \approx 2^{258}$, and $N_1 = 103$. ME-CF generators with $L = 64$, $J = 5$, $(k_1, k_2, k_3, k_4, k_5) = (63, 57, 55, 52, 47)$, $(q_1, q_2, q_3, q_4, q_5) = (1, 7, 24, 3, 5)$, $k = 274$, $\rho \approx 2^{271}$, and $N_1 = 119$, are given in Table 7.

As $J$ increases, $N_1$ tends to approach $k/2$. With $J = 6$ or 7, one can probably obtain $N_1 \approx k/2$. However, as more components are added while making sure that $\lg \rho$ is close to $k$, one eventually comes up using polynomials $P_j$ of relatively small degree $k_j$. Increasing $J$ further then becomes less profitable. One could also use polynomials $P_j$ of larger degrees; e.g., use values of $k_j$ near 128, having in mind (hypothetical) computers with 128-bit words. Still larger values of $J$ would then be required in order to obtain $N_1$ near $k/2$.

4. Implementations

The procedure lfsr113 in Figure 1 gives an implementation, in the language C, of the first ME-CF generator in Table 1, with $\rho \approx 2^{113}$. It uses the algorithm QuickTaus in Section 2.2 of [4], for each component of the combination. Before calling lfsr113 for the first time, the variables z1, z2, z3, and z4 must be initialized to any (random) integers larger than 1, 7, 15, and 127, respectively. In other words, the $k_j$ most significant bits of $z_j$ must be nonzero, for each $j$. (Note: this restriction also applies to the computer code given in [4], but was mistakenly not mentioned in that paper.) Ideally, the vector of initial seeds $(z_1, \ldots, z_J)$ would be drawn from a uniform distribution over the set of admissible values.

Figure 2 implements the first ME-CF generator in Table 6, whose period length is $\rho \approx 2^{258}$. The type "unsigned long long" refers to a 64-bit unsigned integer, available on 64-bit computers.

On a SUN UltraSparc 1, to generate 10 million ($10^7$) random numbers and add them up to print the sum, it took approximately 2.5 seconds with lfsr113, 3.1 seconds with lfsr258, and 0.2 seconds with the procedure dummy in Figure 1. For these speed comparisons, we used the cc compiler with the -fast option. We added the numbers and printed the sum to make sure that the optimizing compiler was not outsmarting us by skipping instructions after observing that the result was not used.

Table 4. ME-CF generators with L = 64, J = 4, k = 233, lg rho = 230, and N1 = 59.

  No  s1  s2  s3  s4      No  s1  s2  s3  s4
   1  18  10  23  11      47  43  16  31  18
   2  26  10  13  11      48  38  23  37  18
   3  48  17  30  11      49  46  25  39  18
   4  27  20   9  11      50  47   4  26  19
   5  46  22   9  11      51  33   7  27  19
   6  23  29  24  11      52  18  11  17  19
   7  25  29  13  11      53  43  11  37  19
   8  34  29   9  11      54   5  14  13  19
   9  50   7  38  12      55  53  20  27  19
  10  15   8  19  12      56  24  25  25  19
  11  44  22  16  12      57  30  25  27  19
  12   6  23  29  12      58  34  29  41  19
  13  16   5  22  13      59  18   5  36  20
  14  11  10  25  13      60  15  11  18  20
  15  18  11  40  13      61  52  11  34  20
  16  19  16  30  13      62   5  22  10  20
  17  45  23  24  13      63   9  22  10  20
  18  17   7   9  14      64  16  23  38  20
  19  52  11  20  14      65  17  23  26  20
  20  52  22  30  14      66  40  23  37  20
  21  25  23  26  14      67  46  23   5  20
  22  27   7  19  15      68   6  28  27  20
  23  25  11  13  15      69  25  28  33  20
  24   6  26  31  15      70   5  32  26  20
  25  19  28  25  15      71  13   7  37  21
  26  38  28  37  15      72  26   8  41  21
  27  53  28  18  15      73  37  10  43  21
  28  50  29  32  15      74  38  10  11  21
  29  17  32  41  15      75  30  13  39  21
  30  39   8  12  16      76  38  16  43  21
  31  53  13  33  16      77   9  17  32  21
  32  12   5  13  17      78  34  25  17  21
  33  16   5  11  17      79  38  26  41  21
  34  25   7  32  17      80   8  28  31  21
  35  54  10  36  17      81  19  29  12  21
  36  45  11  29  17      82  37  32  27  21
  37  30  20  18  17      83  27   8   5  22
  38  39  20  43  17      84   8  10  29  22
  39  19  22  22  17      85  41  10  25  22
  40  50  23  25  17      86  50  13   4  22
  41  11  26  19  17      87  55  13  37  22
  42  19  26  11  17      88  50  17  36  22
  43  13  29  40  17      89  39  26  29  22
  44  46  32  29  17      90  55  26  23  22
  45  20   4  31  18      91  13  28  16  22
  46   5  10  33  18      92  51  32  10  22

Table 5. ME-CF generators with L = 64, J = 4, k = 238, lg rho = 220, and N1 = 71.

  No  q1  q2  q3  q4  s1  s2  s3  s4
   1  31   1  19  22  30  23  17  18
   2  31   1  19  22  13  23  26   5
   3  31   1  19  22  17  38  23  24
   4  31   1  19  22  26  47  17  19
   5  31  11  19  22  26  34  20  17
   6  31  11  19  22  29  38  28  18

Table 6. ME-CF generators with L = 64, J = 5, k = 258, lg rho = 258, and N1 = 103.

  No  s1  s2  s3  s4  s5      No  s1  s2  s3  s4  s5
   1  10   5  29  23   8      13  26   5  31  14  13
   2  12   5  11  16  15      14  36   5  32  16   8
   3  17   5  16   6   7      15  36   5  32  21   8
   4  17   5  19  16  14      16  39   5  19   6   8
   5  18   5  37   7   3      17  43   5  14  20  15
   6  19   5  31  15  13      18  44   5  14  15  15
   7  20   5  11  13   6      19  44   5  29   6  13
   8  22   5  17  10  11      20  44   5  34  25   9
   9  23   5  37  13   7      21  45   5  16  21   8
  10  24   5   7  16   8      22  51   5  28   3  12
  11  26   5  22   4   9      23  53   5  26  16   8
  12  26   5  26  13  12      24  54   5  28  13   3

Table 7. ME-CF generators with L = 64, J = 5, k = 274, lg rho = 271, and N1 = 119.

  No  s1  s2  s3  s4  s5      No  s1  s2  s3  s4  s5
   1   9  34   5  26  18      11  22  40   5   4  18
   2   9  32   5  31   6      12  22  19   5  14  19
   3   9  25   5  37  22      13  22  41   5  16   6
   4  10  24   5   7  12      14  22  16   5  32   4
   5  12  17   5  14   8      15  26   9   5  11  14
   6  12  40   5  16  22      16  26  19   5  29   3
   7  12  26   5  34  23      17  44  20   5   8   6
   8  17  27   5  13   9      18  44  31   5  22  14
   9  17   8   5  37  19      19  53   8   5  23  17
  10  20  41   5  14   6      20  53  12   5  31  18

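    /* Figure 1: lfsr113. Assumes unsigned long is exactly 32 bits wide. */
    unsigned long z1, z2, z3, z4;

    double lfsr113 ()
    { /* Generates numbers between 0 and 1. */
        unsigned long b;
        b  = (((z1 << 6) ^ z1) >> 13);
        z1 = (((z1 & 4294967294UL) << 18) ^ b);
        b  = (((z2 << 2) ^ z2) >> 27);
        z2 = (((z2 & 4294967288UL) << 2) ^ b);
        b  = (((z3 << 13) ^ z3) >> 21);
        z3 = (((z3 & 4294967280UL) << 7) ^ b);
        b  = (((z4 << 3) ^ z4) >> 12);
        z4 = (((z4 & 4294967168UL) << 13) ^ b);
        return ((z1 ^ z2 ^ z3 ^ z4) * 2.3283064365387e-10);
    }

    /* Figure 2: lfsr258 (a separate listing; z1..z5 are 64-bit here). */
    unsigned long long z1, z2, z3, z4, z5;

    double lfsr258 ()
    { /* Generates numbers between 0 and 1. */
        unsigned long long b;
        b  = (((z1 << 1) ^ z1) >> 53);
        z1 = (((z1 & 18446744073709551614ULL) << 10) ^ b);
        b  = (((z2 << 24) ^ z2) >> 50);
        z2 = (((z2 & 18446744073709551104ULL) << 5) ^ b);
        b  = (((z3 << 3) ^ z3) >> 23);
        z3 = (((z3 & 18446744073709547520ULL) << 29) ^ b);
        b  = (((z4 << 5) ^ z4) >> 24);
        z4 = (((z4 & 18446744073709420544ULL) << 23) ^ b);
        b  = (((z5 << 3) ^ z5) >> 33);
        z5 = (((z5 & 18446744073701163008ULL) << 8) ^ b);
        return ((z1 ^ z2 ^ z3 ^ z4 ^ z5) * 5.4210108624275e-20);
    }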
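A parameterized form of one lfsr113 component for L = 32, added here as an example and not part of the paper's code: it derives each mask from $k_j$ and checks the Section 3 conditions on $(k_j, q_j, s_j)$ and the Section 4 seed restriction before stepping. The `taus_*` names, the -1.0 error return, the seed 12345 and the exact division by $2^{32}$ are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* One component with trinomial z^k - z^q - 1, step size s, word length L = 32. */
typedef struct { unsigned k, q, s; uint32_t z; } taus_t;

/* Mask that keeps the k most significant bits of a 32-bit word (1 <= k <= 32). */
static uint32_t taus_mask(unsigned k) { return 0xFFFFFFFFu << (32 - k); }

static uint64_t gcd64(uint64_t a, uint64_t b) {
    while (b) { uint64_t r = a % b; a = b; b = r; }
    return a;
}

/* Section 3 conditions: 0 < 2q < k, 0 < s <= k - q < k <= L, gcd(s, 2^k - 1) = 1. */
static int taus_params_ok(unsigned k, unsigned q, unsigned s) {
    if (k > 32 || q == 0 || 2 * q >= k) return 0;
    if (s == 0 || s > k - q) return 0;
    return gcd64(s, (1ULL << k) - 1) == 1;
}

/* Section 4 seed rule: the k most significant bits of z must not all be zero. */
static int taus_seed_ok(uint32_t z, unsigned k) { return (z & taus_mask(k)) != 0; }

/* One step of a component, in the same form as each pair of lines in lfsr113. */
static uint32_t taus_step(uint32_t z, unsigned k, unsigned q, unsigned s) {
    uint32_t b = ((z << q) ^ z) >> (k - s);
    return ((z & taus_mask(k)) << s) ^ b;
}

/* Advance all J components; return their XOR scaled to [0,1), or -1.0 if a check fails. */
static double taus_next(taus_t *c, int J) {
    uint32_t u = 0;
    for (int j = 0; j < J; j++)
        if (!taus_params_ok(c[j].k, c[j].q, c[j].s) || !taus_seed_ok(c[j].z, c[j].k))
            return -1.0;            /* state is left untouched */
    for (int j = 0; j < J; j++) {
        c[j].z = taus_step(c[j].z, c[j].k, c[j].q, c[j].s);
        u ^= c[j].z;
    }
    return u / 4294967296.0;        /* divide by 2^32 */
}

int main(void) {
    /* Row 1 of Table 1; the seed 12345 is a constructed sample value. */
    taus_t g[4] = {{31, 6, 18, 12345u}, {29, 2, 2, 12345u}, {28, 13, 7, 12345u}, {25, 3, 13, 12345u}};
    for (int i = 0; i < 3; i++) printf("%.10f\n", taus_next(g, 4));
    return 0;
}
```

Using `uint32_t` keeps the 32-bit wraparound that the shift/mask form depends on, including on platforms where `unsigned long` is 64 bits wide.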