Twisted GFSR Generators II
Makoto Matsumoto
Research Institute for Mathematical Sciences
Kyoto University, Kyoto 606, Japan
and
Yoshiharu Kurita
National Research Laboratory of Metrology
Tsukuba 305, Japan
December 2, 1992
Abstract
The twisted GFSR generators proposed in a previous paper have a defect in k-distribution
for k larger than the order of recurrence. In this follow-up paper we introduce and ana-
lyze a new TGFSR variant having better k-distribution property. An efficient algorithm
to obtain the order of equidistribution is provided, together with a tight upper bound on
the order. A method to search for generators attaining this bound is discussed, and some
such generators are listed. The upper bound turns out to be (sometimes far) less than the
maximum order of equidistribution for a generator of that period length, but far more than
that for a GFSR with a working area of the same size.
1 Introduction
In the previous paper[9], we introduced a random-number-generating algorithm, the twisted
GFSR generator (TGFSR).
Definition 1. A sequence x
0
, x
1
, x
2
,...of w-bit integers is a TGFSR sequence with parameters
(w, n, m, A)(n>m: positive integers) if it satisfies
x
l+n
= x
l+m
⊕ x
i
A (l =0, 1, 2,...), (1)
where x
i
are regarded as row vectors of bits, ⊕ denotes the bitwise exclusive-or operation, A is
a w × w matrix with components in GF(2), and x
i
A denotes the multiplication between a row
vector and a matrix over GF(2).
If A is an identity matrix, then the sequence is a GFSR sequence based on a characteristic
trinomial. As shown in [6, §§3.7, §§3.8], both GFSR and TGFSR can be viewed as implementa-
tion approaches of digital matrix generators, and TGFSR generators can also be implemented
as large GFSRs (based on a characteristic polynomial of order wn).
Categories and Subject Descriptors: G. 2.1. [Discrete Mathematics] : Combinatorics–recurrences and
difference equations; G. 3. [Probability and Statistics]–random number generation.
General Terms: Algorithms, Theory, Experimentation
Additional Key Words and Phrases: GFSR, TGFSR, m-sequences, k-distribution, finite fields
1
With a suitable choice of (w, n, m, A), the sequence attains the maximal period 2
nw
−1. Here
we treat only TGFSR with maximal periods, and simply call them TGFSR. In the previous
paper, we dealt with the case where A is of rational normal form, as below, because it permits
an efficient implementation of the recurrence (1).
Definition 2. A TGFSR sequence with
A = R :=
1
1
.
.
.
1
a
0
a
1
··· ··· a
w−1
is called a TGFSR sequence of rational normal form (TGFSR(R)).
Unfortunately, a TGFSR(R) has a defect from the viewpoint of k-distribution to v-bit accuracy[11],
defined as follows.
Definition 3. A pseudorandom sequence x
i
of w-bit integers of period P satisfying the fol-
lowing condition is said to be k-distributed to v-bit accuracy: let trunc
v
(x) denote the number
formed by the leading v bits of x, and consider the kv-bit vectors
(trunc
v
(x
i
), trunc
v
(x
i+1
),...,trunc
v
(x
i+k−1
)) (0 ≤ i<P).
Then, each of the 2
kv
possible combinations of bits occurs the same number of times in a period,
except for the all-zero combination that occurs once less often.
Let x
0
, x
1
,...be a sequence of w-bit integers and let P be its period. For each v =1, 2,...,w,
let k(v) denote the maximum number such that the sequence is k(v)-distributed to v-bit accuracy.
Clearly we have the inequality 2
k(v)v
− 1 ≤ P , since at most P patterns can occur in one period.
In the case of TGFSR, P =2
nw
− 1 holds, hence we have k(v) ≤nw/v with n being the
number of words. However, as Tezuka[10] pointed out, TGFSR(R) is only n-distributed to 2-bit
accuracy, far smaller than the upper bound k(v) ≤nw/v. (Generators attaining this upper
bound for every v (1 ≤ v ≤ w) are called asymptotically random[11].) This led us to consider
k-distribution of TGFSR with other types of A instead of R. The purpose of this paper is to
introduce a new feasible variant of TGFSR with better k-distribution.
It turns out that TGFSR has a tighter upper bound than the one deduced above, namely
k(v) ≤ nw/v. Consequently, a TGFSR is never asymptotically random. However, we could
find an efficient algorithm to obtain A attaining this bound and an efficient implementation of
the corresponding TGFSR. We shall list some TGFSR generators attaining these upper bounds
nw/v simultaneously for all v. They are much better than the n/v achieved by a GFSR of
the same size (i.e., n words of w-bit integers). One may still insist that a GFSR of the same
period 2
nw
− 1 (consuming w times memory area of TGFSR) may achieve an asymptotically
random distribution k(v)=nw/v, and consequently that Theorem 1 is a negative result. This
is not necessarily the case, as shown in the following comparison with an asymptotically random
GFSR of N-words (N ∼ nw) with k(v)=N/v.
(i) To obtain a TGFSR whose k(v) exceeds N/v for all v, it is sufficient to take n = 2N/(w+1)
words ( N). (This follows from a simple calculation.) Thus, a TGFSR needs much less memory
than a GFSR of the same k-distribution property. Note that in a multi-task system, a memory-
consuming program is sometimes time-consuming, because of swapping of memories.
2
(ii) In the GFSR case, to obtain k(v) for a given initial value, one must calculate the rank of an
N × N matrix for each v, while any initial value attains the upper bound in the case of TGFSR.
(iii) Even an asymptotically random GFSR is rejected by the weight-distribution test, if it is
based on a trinomial (see Section 4. See also [9]).
A brief sketch of this paper is as follows. In Section 2, we provide an efficient algorithm to
obtain k(v) through simple operations on matrix A (Theorem 1), which also shows that TGFSR
has the upper bound k(v) ≤ nw/v. In Section 3, we discuss how to search for the matrix A
which satisfies the above bounds at once for all v and also allows for an efficient implementation.
In Subsection 3.1, we analyze the bad correlation in TGFSR(R) by applying Theorem 1. In
Subsection 3.2, based on this analysis, we discuss a method to modify the output sequence of a
TGFSR(R) by a simple linear transformation into a sequence of TGFSR satisfying the bound
of Theorem 1. This modification requires only a few instructions to be added to the previous
TGFSR(R) program. In Subsection 3.3, we discuss an efficient way to determine a modifying
parameter. In Section 4, we list some efficient generators attaining these bounds. We conduct
empirical tests on these generators and the old TGFSR(R), and we dismiss the latter type.
2 Criterion for equidistribution
The next theorem provides an efficient algorithm to obtain k(v) and its tight upper bound for
the general TGFSR.
Theorem 1. Let (w, n, m, A) be the parameters of a TGFSR. Let d
(i)
j
denote the i-th column
vector of A
j
. Consider the sequence of vectors
d
(0)
0
, d
(1)
0
,...,d
(v−1)
0
, d
(0)
1
, d
(1)
1
,...,d
(v−1)
1
, d
(0)
2
,....
Let d
(i
0
)
j
0
be the first vector that is GF(2)-linearly dependent with the preceding vectors. Then
we have
k(v)=nj
0
.
Corollary 1.
n|k(v) and k(v) ≤ nw/v (v =1, 2,...,w).
Proof (by R. Couture). Fix k and v. Let V
w
:= GF (2)
w
be the space of w-bit integers regarded
as a row vector space.
Define
Ω
w
:= Ω
w
:= V
k
w
,
and identify Ω
w
with the space of k × w matrices. Similarly define V
v
,Ω
v
, and Ω
v
.
Let ρ : V
n
w
→ Ω
w
map (x
0
,...,x
n−1
) to the first k values (x
0
,...,x
k−1
) of the TGFSR
sequence (x
0
, x
1
,...,x
j
,...) with initial value (x
0
,...,x
n−1
). Let trunc : V
w
→ V
v
denote
the truncation map defined in Definition 3, that is, the multiplication by the w × v-matrix
Q :=
I
v
0
from the right. We denote the multiplication from the right by ×Q and from the
left by Q×. Now the k-distribution to v-bit accuracy is equivalent to the surjectivity of the
composition map
V
n
w
ρ
→ Ω
w
×Q
→ Ω
v
,
3
since the state vector assumes all nonzero values in V
n
w
in one period. Let τ : V
n
w
→ Ω
w
be the
map defined by
(x
0
, x
1
,...,x
n−1
) → (x
0
, x
1
,...,x
n−1
, x
0
A, x
1
A...,x
n−1
A, x
0
A
2
,...,x
0
A
q
,...,x
r−1
A
q
),
where r and q are the residue and the quotient of k/n, respectively.
Let us consider the linear recurrence
y
l+n
= y
l+m
+ y
l
X (l =0, 1, 2,...),
where X is an indeterminate, y
0
,...,y
n−1
are indeterminates, and y
l
(l ≥ n) is a polynomial of
these indeterminates. Then, for any integer N, y
N
can be written as a linear combination of
{y
i
X
j
|i =0, 1,...,n− 1,i+ jn ≤ N},
and the coefficient of y
i
X
j
for unique (i, j) with N = i + jn does not vanish. By substituting
y
l
:= x
l
and X := A, we see that there is a regular lower-half triangular k × k-matrix T such
that the composition
V
n
w
τ
→ Ω
w
T ×
→ Ω
w
coincides with ρ. Now we have a commutative diagram
V
n
w
τ
→ Ω
w
×Q
→ Ω
v
↓↓
V
n
w
ρ
→ Ω
w
×Q
→ Ω
v
,
where the two vertical maps are the isomorphisms T ×. Hence, it is sufficient to consider the
surjectivity of the upper row, which is the linear transformation
(x
0
, x
1
,...,x
n−1
) → (x
0
Q, x
1
Q,...,x
n−1
Q, x
0
AQ, x
1
AQ, . . . , x
n−1
AQ, x
0
A
2
Q,...,x
r−1
A
q
Q),
and this splits to a direct sum according to V
n
w
= V
w
⊕ V
w
⊕···⊕V
w
. Thus the surjectivity of
the upper row reduces to the surjectivity of
V
n
w
→ V
q+1
v
x → xU,
where U is a w × (q +1)v-matrix
U := (Q, AQ, A
2
Q,...,A
q
Q).
Thus, k-distribution of the v-bit accuracy is equivalent to the rank of U being (q +1)v. In other
words, to the independence of columns of U. The maximum q equals j
0
in the statement of the
theorem, and since q = k/n, the theorem follows. Corollary 1 is an immediate consequence of
the theorem.
Remark 1. The j
0
in the theorem coincides with the order of equidistribution to v-bit accuracy
of the matrix linear congruential sequence defined by z
i+1
= z
i
A,ifϕ
A
(t) is primitive. It is worth
noting that the condition for a TGFSR with parameters (w, n, m, A) to achieve the upper bound
in Corollary 1 depends only on A, and is independent of n and m, unlike the case of GFSR[11][3].
This implies that one good A serves for any n and m, provided that (w, n, m, A) is a tuple of
parameters of a (maximal period) TGFSR generator.
4
3 How to attain the bound
We want to find matrices A satisfying the upper bound in Corollary 1 and permitting an efficient
implementation. We will show that TGFSR(R)s cannot reach that upper bound, and then
propose a way of constructing matrices A that satisfy those conditions.
3.1 Bad correlation in TGFSR(R)
We interpret j
0
in Theorem 1 as the degree of the minimal-degree relation between some poly-
nomials, in order to investigate bad correlations in TGFSR(R). Let us fix one set of parameters
(w, n, m, A) providing a TGFSR. Let η be an eigenvalue of A. Then η generates GF(2
w
) over
GF(2) and is of multiplicity one, because the characteristic polynomial of A is irreducible. Thus,
the corresponding row eigenvector can be taken in GF(2
w
)
w
. Let (φ
1
,...,φ
w
) be such a (row)
eigenvector of A, namely,
(φ
1
,...,φ
w
)A =(ηφ
1
,...,ηφ
w
),φ
i
∈ GF(2
w
). (2)
We can state Theorem 1 in terms of degree, as follows.
Theorem 2. Let η ∈ GF(2
w
) be an eigenvalue of A and (φ
1
,...,φ
w
) be a corresponding row
eigenvector. Let us define the degree of an element of GF(2
w
) as the minimal degree of its
representations as a nonzero polynomial in η. (Thus, degree of 0 is w.) Let v be an integer with
1 ≤ v ≤ w. For a linear relation
v
i=1
γ
i
φ
i
= 0 in GF(2
w
), we define the degree of the linear
relation as the maximum degree of γ
i
(i =1,...,v).
Then, k(v) equals n times the degree of the minimal-degree relation between {φ
1
,φ
2
,...,φ
v
}.
Proof. First we claim that {φ
1
,φ
2
,...,φ
w
} is linearly independent over GF(2). Because,
if not, they satisfy a linear relation over GF(2), and hence all Galois conjugates of the set
{φ
1
,φ
2
,...,φ
w
} satisfy the same linear relation. Thus, the Galois conjugates of the vector
(φ
1
,φ
2
,...,φ
w
) (there are exactly w conjugates) are linearly dependent. This contradicts that
each of these vectors lies in an eigenspace with distinct eigenvalues.
By this and Theorem 1, k(v)isn times the minimum j such that the components in the
(j +1)v-dim GF(2
w
)-vector
(φ
1
,φ
2
,...,φ
v
)(Q, AQ, A
2
Q,...,A
j
Q)
(Q: the w × v matrix defined in the proof of Theorem 1) are linearly dependent over GF(2), in
other words, the set
{φ
1
,φ
2
,...,φ
v
,ηφ
1
,ηφ
2
,...,ηφ
v
η
2
φ
1
,...,η
j
φ
1
,...,η
j
φ
v
}
being linearly dependent. Thus, j is nothing but the degree of the minimal-degree relation
between {φ
1
,...,φ
v
}.
We shall apply this theorem to TGFSR(R). A direct calculation shows the following.
Lemma 1. Let A := R be the matrix in Definition 2. Then, a GF(2
w
) vector (φ
1
,φ
2
,...,φ
w
)
is a (row) eigenvector of R if and only if it satisfies the equations
φ
i
= ηφ
i+1
+ a
i
φ
w
(i =1,...,w− 1) (3)
5
