On Melissa O’Neill’s PCG random number generator

A few notes:<p>The author writes &quot;Meanwhile, at least one influential researcher (whose work I respect) had harsh words publicly for her result&quot;, and then quotes some of these words:<p><pre><code> Note that (smartly enough) the PCG author avoids carefully to compare with xorshift128+ or xorshift1024*. </code></pre> However, the author fails to note that said &quot;influential researcher&quot;, Sebastiano Vigna, is the author of xorshift128+ and related PRNG.<p>In the linked test [2] by John D. Cook (who uses PactRand, a test similar to the (obsolete) DIEHARD), xorshift128+ and xoroshir0128+ fail within 3 seconds, while PCG ran 16 hours producing 2 TB of pseudo-random numbers without any suspicious p-value detected.<p>On the other hand, Vigna claims that the xoroshiro family does &quot;pass&quot; PactRand.<p>I&#x27;ve submitted an answer to StackOverflow a while ago [1], recommending xoroshiro and PCG, thus I&#x27;d be concerned if PCG turns out to be flawed. It&#x27;s actually quite hard to get academics in the field to give an authoritative recommendation (I&#x27;ve tried) - their response is typically along the line &quot;It&#x27;s complicated&quot;...<p>[1] <a href="https:&#x2F;&#x2F;stackoverflow.com&#x2F;questions&#x2F;4720822&#x2F;best-pseudo-random-number-generator&#x2F;38202922#38202922" rel="nofollow">https:&#x2F;&#x2F;stackoverflow.com&#x2F;questions&#x2F;4720822&#x2F;best-pseudo-rand...</a><p>[2] <a href="https:&#x2F;&#x2F;www.johndcook.com&#x2F;blog&#x2F;2017&#x2F;08&#x2F;14&#x2F;testing-rngs-with-practrand&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.johndcook.com&#x2F;blog&#x2F;2017&#x2F;08&#x2F;14&#x2F;testing-rngs-with-...</a><p>Edit: remove italics due to asterisk in PRNG name, &amp; add link to John. D Cook&#x27;s test.

Here&#x27;s the site for the random number generator.[1] It&#x27;s basically a simple linear congruential random number generator (well known, but not very good) fed into a mixer. The mixer is new.<p>Most of the analysis is about the LCG or the final output. The suggested mixer is just<p><pre><code> output = rotate64(uint64_t(state ^ (state &gt;&gt; 64)), state &gt;&gt; 122); </code></pre> That&#x27;s simple, and the insight in this paper is that something that simple helps a lot. I would have thought that you&#x27;d want a mixer where changing one bit of the input changes, on average, half the bits of the output. The mixer above won&#x27;t do that. DES as a mixer would probably be better, but it&#x27;s slower. The new result here is that something this simple passes many statistical tests.<p>This isn&#x27;t crypto-grade; both that mixer and a LCG generator are reversible with enough work.<p>[1] <a href="http:&#x2F;&#x2F;www.pcg-random.org&#x2F;" rel="nofollow">http:&#x2F;&#x2F;www.pcg-random.org&#x2F;</a>

I love O&#x27;Neill&#x27;s work on PCG, and loved the talks by her I watched online.<p>As a tenured professor I want to say two things about this piece:<p>1. I think academic publishing will be forced to change. I&#x27;m not sure what it&#x27;s going to look like in the end, but traditional journals are starting to seem really quaint and outdated now.<p>2. As far as I can tell from what she&#x27;s written on the PCG page, the submission to TOMS is a poor example, because no one I know expects to be done with one submission. That is, no one I know submits a paper to one journal, even one reputable journal, and is done. They submit and it gets rejected and revise it and resubmit it, maybe three or even four times. After the fourth or fifth time, you might give up, but not necessarily even then.<p>I have mixed feelings about the PCG paper as an example, because in some ways it&#x27;s great: an example of how something very influential has superceded traditional academic publishing. In other ways, though, it&#x27;s horrible, because it&#x27;s misleading about the typical academic publishing experience. Yes, academic publishing is full of random nonsense, and corruption, but yes, you can also get past it (usually) with just a little persistence. In still other ways, it&#x27;s a good example of what we might see increasingly, which is a researcher having a lower threshold for the typical bullshit out there.

&gt; I wonder whether the academic publications are growing ever less relevant to practice.<p>I think there are two topics here. One is whether academic research and work is becoming less relevant to practice. The other is whether the formalism of academic-style publishing are becoming less relevant to the modern world where more and more venues for publishing, rating, and discovering work.<p>On the former, I believe that academic work is as relevant as ever. There are some areas (like systems) where I&#x27;m doubtful about relevance from the point of view of a practitioner, but other areas (like hardware and ML where work remains extremely relevant). I haven&#x27;t noticed a trend there over the last decade, except in some areas of systems where the industrial practice tends to happen on cluster sizes that are often not approachable for academia.<p>On the latter, academic publication does indeed seem to be getting less relevant. There are other (often better) ways to discover work. There are other ways to tell whether a piece of work is relevant, or credible. There are other, definitely better, ways to publish and distribute work. In some sense I think this is a pity: as an academic-turned-practitioner I like academic-style publications. Still, I think they are going to either change substantially or die.<p>This article raises another very good point: sometimes the formalism of academic publication makes the work harder to understand, less approachable, or less valuable. That&#x27;s clear harm, and it seems like this professor was right to avoid that.

As an engineer who switched to PCG:<p>- PCG is not crypto, everybody should understand that. It&#x27;s for simulation and rendering.<p>- PCG mainly replaces Mersenne Twister which is in c++11. The Twister has a LOT more state and is a LOT slower for less randomness.<p>- In rendering and simulation speed really matters, and PCG excels there.<p>- Xorshift is another algorithm in the same class. I would really like to see an objective comparison. In my cursory engineering look PCG seemed better.<p>- Fast PRNG is almost a new field again: It&#x27;s not crypto, but immensely useful. How did the Twister get into C++11 while it is so much worse than PCG or Xorshift? Nobody cared!<p>- Maybe PCG should have been a paper at SigGraph.<p>- For the style of the paper, I think one contribution is rethinking PRNG outside crypto. That deserves and requires a lot of exposition.

I like this because she is a professor at Harvey Mudd. They took steps to make CS more inclusive, with great results. I appreciate her attitude on accessibility, which is in keeping with that institution&#x27;s philosophy.<p>That she ran into a paper wall doesn&#x27;t bother her because she&#x27;s openly publishing is even better.

It sounds like an interesting result, I look forward to reading the paper more carefully. That said, it&#x27;s clearly not written for an academic journal. Section 2.4.3 is entitled &quot;The Importance of Code Size&quot;, and explains why shorter code is better. I think you can argue that some academic papers are excessively concise, but this is a 58-page paper about an RNG. It is clearly not a journal paper and has a ton of extraneous content. I have to sympathize with the commenter that the author has made a trade-off and written a paper that&#x27;s less rigorous than it should be (for peer review). I wonder why she didn&#x27;t write 2 versions.

This is an interesting article, but it&#x27;s more about the changing landscape of academic publishing than it is about random number generators.<p>[EDIT] The actual paper is here: <a href="http:&#x2F;&#x2F;www.pcg-random.org&#x2F;pdf&#x2F;hmc-cs-2014-0905.pdf" rel="nofollow">http:&#x2F;&#x2F;www.pcg-random.org&#x2F;pdf&#x2F;hmc-cs-2014-0905.pdf</a>

As a general comment, I dislike deliberately obtuse writing in papers. In my current work, I came across a very in-depth survey of our industry (sex work). Excellent study, very helpful. But some of the sentences seemed to over-complicate the math. Example: &quot;Consider the set P {p1, p2, ... pN} representing providers and the set C {c1, c2, ... cN} representing customers&quot;. I am pretty sure this kind of stuff is filler or pretends to make things look more rigorous than they are.<p>On the other hand, maybe spending more than a line explaining what the birthday paradox is should be cut out and put in a backgrounder paper or appendix so that the paper can focus on the actual novel ideas.

Melissa O&#x27;Neill gave a talk describing the PCG random number generator at Stanford in EE380. <a href="https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=45Oet5qjlms" rel="nofollow">https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=45Oet5qjlms</a>

I once tried to develop my own fast random number generate using nothing but bitwise operations. On the theory they were the fastest&#x2F;simplest. I had a program generate thousands of random combinations of bitwise functions. And then used statistical tests to see which ones produced the most &quot;random&quot; seeming behavior.<p>It worked as far as I can tell. But I don&#x27;t trust the statistical tests. Who is to say there isn&#x27;t a very obvious pattern in the numbers that I didn&#x27;t test for or notice? How do you prove a random number generator is good?

I have a few comments:<p>1. The paper itself[1] is <i>extremely</i> readable by the standards of most cryptography research. On one hand, this is great because I was able to follow the whole thing in essentially one pass. On the other hand, the paper is <i>very</i> long for its result (58 pages!), and it could easily do without passages like this one:<p><i>Yet because the algorithms that we are concerned with are deterministic, their behavior is governed by their inputs, thus they will produce the same stream of “random” numbers from the same initial conditions—we might therefore say that they are only random to an observer unaware of those initial conditions or unaware of how the algorithm has iterated its state since that point. This deterministic behavior is valuable in a number of fields, as it makes experiments reproducible. As a result, the parameters that set the initial state of the generator are usually known as the seed. If we want reproducible results we should pick an arbitrary seed and remember it to reproduce the same random sequence later, whereas if we want results that cannot be easily reproduced, we should select the seed in some inscrutable (and, ideally, nondeterministic) way, and keep it secret. Knowing the seed, we can predict the output, but for many generators even without the seed it is possible to infer the current state of the generator from its output. This property is trivially true for any generator where its output is its entire internal state—a strategy used by a number of simple random number generators. For some other generators, such as the Mersenne Twister [35], we have to go to a little more trouble and invert its tempering function (which is a bijection; see Section 5), but nevertheless after only 624 outputs, we will have captured its entire internal state.</i><p>That&#x27;s a lot of setup for what is frankly a very basic idea. A cryptographer being verbose in their writing might briefly remind the reader of these properties with the first sentence, but they&#x27;d still likely do that with much more brevity than this. I understand wanting to make your research accessible, but for people who understand the field this detracts from getting to the &quot;meat.&quot; It might make it harder to get through, but a 10-30 page result is preferable to a nearly 60-page one that assumes I know nearly nothing about the field. If I don&#x27;t know these details very well, how can I properly assess the author&#x27;s results?<p>2. The author&#x27;s <i>tone</i> in her writing is something I take issue with. For example, passages like this one...<p><i>Suppose that, excited by the idea of permutation functions, you decide to always improve the random number generators you use with a multiplicative step. You turn to L’Ecuyer’s excellent paper [25], and without reading it closely (who has time to read papers these days!), you grab the last 32-bit constant he lists, 204209821. You are then surprised to discover that your “improvement” makes things worse! The problem is that you were using XorShift</i> 32&#x2F;32, a generator that already includes multiplication by 747796405 as an improving step. Unfortunately, 204209821 is the multiplicative inverse of 747796405 (mod 2 32), so you have just turned it back into the far-worse–performing XorShift generator! Oops.*<p>...go a bit beyond levity. If you&#x27;re trying to establish rigorous definitions and use cases to distinguish between generators, functions and permutations, this isn&#x27;t the way to do it. This isn&#x27;t appropriate because it doesn&#x27;t go far enough to <i>formalize</i> the point. It makes it intuitive, sure, and that&#x27;s a great educational tool! But it&#x27;s a poor scenario to use as the basis for a problem statement - research is not motivated by the failure of an engineer to properly read and understand existing primitives, it&#x27;s motivated by novel results that exhibit superior qualities over existing primitives.<p>3. The biggest grievance I have with this paper is the way in which it analyzes its primitives for cryptographic security. For example, this passage under 6.2.2 Security Considerations:<p><i>In addition, most of the PCG variations presented in the next section have an output function that returns only half as many bits as there are in the generator state. But the mere use of a 2 b&#x2F;2-to -1 function does not guarantee that an adversary cannot reconstruct generator state from the output. For example, Frieze et al. [12] showed that if we simply drop the low-order bits, it is possible for an adversary to discover what they are. Our output functions are much more complex than mere bit dropping, however, with each adding at least some element of additional challenge. In addition, one of the generators, PCG-XSL-RR (described in Section 6.3.3), is explicitly designed to make any attempt at state reconstruction especially difficult, using xor folding to minimize the amount of information about internal state that leaks out.17 It should be used when a fast general-purpose generator is needed but enhanced security would also be desirable. It is also the default generator for 64-bit output.</i><p>That&#x27;s not a rigorous analysis of a primitive&#x27;s security. It <i>is</i> an informal explanation of why the primitive <i>may</i> be secure, but it so high level that there is no proof based on a significant hardness assumption. Compare this with Dan Boneh&#x27;s recent paper, &quot;Constrained Keys for Invertible Pseudorandom Functions&quot;[2]. Appendices A and B after the list of references occupy nearly 20 pages of theorems used to analyze and prove the security of primitives explored in the paper under various assumptions.<p>Novel research exploring functions with (pseudo)random properties is inherently mathematical; it&#x27;s absolutely insufficient to use a bunch of statistical tests, then informally assess the security of a primitive based on the abbreviated references to one or two papers.<p>_________<p>1. <a href="http:&#x2F;&#x2F;www.pcg-random.org&#x2F;pdf&#x2F;hmc-cs-2014-0905.pdf" rel="nofollow">http:&#x2F;&#x2F;www.pcg-random.org&#x2F;pdf&#x2F;hmc-cs-2014-0905.pdf</a><p>2. <a href="https:&#x2F;&#x2F;eprint.iacr.org&#x2F;2017&#x2F;477.pdf" rel="nofollow">https:&#x2F;&#x2F;eprint.iacr.org&#x2F;2017&#x2F;477.pdf</a>

Physicist here.<p>Off-topic<p>&gt; And it is not even entirely clear what “really random” would mean. It is not clear that we live in a randomized universe…<p>At the quantum level it really is clear that we live in a really random universe. What&#x27;s the meaning of really random? The outcome of a quantum process.<p>On-topic. Yeah, you have to know your audience. As OP mentions, just because the paper wasn&#x27;t published doesn&#x27;t prevent anyone from thinking about it and even building on it. On the other hand these scientific publications have styles and target audiences, and maybe she got rejected not due to lack of relevance or rigor, but because the paper didn&#x27;t match the publication&#x27;s non-scientific criteria for publication.