Ballot for draft-ietf-tsvwg-tinymt32
Yes
No Objection
Note: This ballot was opened for revision 01 and is now closed.
Thank you for addressing my DISCUSSes and COMMENTs
I sometimes ballot "NoObj" in the "I read the protocol action, and I trust the sponsoring AD so have no problem" sense of the term.. but this time I'm using it in the "Goodness me, this is WAY outside my area of expertise" sense of the term. [Edit: I felt bad for not being able to do a more useful review, so I instead made sure that the code in the document actually generates the includes test vectors (and it does): $ gcc -o out tinymt32.c ; ./out 1: 2545341989 2: 981918433 3: 3715302833 4: 2387538352 5: 3591001365 6: 3820442102 7: 2114400566 8: 2196103051 9: 2783359912 10: 764534509 11: 643179475 12: 1822416315 13: 881558334 14: 4207026366 15: 3690273640 16: 3240535687 17: 2921447122 18: 3984931427 19: 4092394160 20: 44209675 21: 2188315343 22: 2908663843 23: 1834519336 24: 3774670961 25: 3019990707 26: 4065554902 27: 1239765502 28: 4035716197 29: 3412127188 30: 552822483 31: 161364450 32: 353727785 33: 140085994 34: 149132008 35: 2547770827 36: 4064042525 37: 4078297538 38: 2057335507 39: 622384752 40: 2041665899 41: 2193913817 42: 1080849512 43: 33160901 44: 662956935 45: 642999063 46: 3384709977 47: 1723175122 48: 3866752252 49: 521822317 50: 2292524454 This doesn't really say anything about the correctness of the document / algorithm, but does at least confirm that the code and test vectors match.
Thanks for the work everyone has put into this document (and I understand that this -02 is coming out of another older document). While the mathematical aspects of the document are above my head, I took the liberty to put 3 comments and 1 nit in the hope to improve the quality of the document. == COMMENTS == -- Introduction -- Why not using the usual format for informative references in this chapter? The Mersenne Twister is part of the sentence but there are no reference to any paper. Please add a reference for the seminal piece of work. "...TinyMT32 represents a major improvement ..." can we have more information about this improvment? On which aspect ? == NITS == -- Abstract -- I find it a little surprizing that two authors are cited in the abstract.
Thanks for addressing my discuss point.
— Abstract — The main advantage of TinyMT32 over MT is the use of a small internal state, compatible with most target platforms including embedded devices, while keeping a reasonably good randomness. The difference between “most target platforms including embedded devices,” and “most target platforms, including embedded devices,” is too subtle to be sure that readers get the meaning right. I think the sentence would be clearer if it said, “most target platforms that include embedded devices,”. — Section 1 — the quality of the outputs of TinyMT seems pretty good in terms of randomnes Make it “randomness”. However, neither the TinyMT nor MT PRNG are meant to be used for cryptographic applications. This seems a bit more buried than it should be, as it’s important. I suggest putting some version of this in the Abstract, and also moving it more toward the beginning of the Introduction (probably in the first paragraph.
In Section 3.1: o the original copyright and licence have been removed, in accordance with BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info); The original copyright holder's permission is needed to do this! Perhaps it is appropriate to note that the original authors are now listed as authors on this document. Please also specify what language the code in Section 3.1 is written in, including reference (so as to specify which version of C it is to be intepreted as). I agree with the secdir reviewer and Mirja that some more references would be good. Section-by-section comments follow. Abstract while keeping a reasonably good randomness. please add the "non-cryptographic" qualifier. Section 1 According to statistical tests (BigCrush in TestU01 and AdaptiveCrush), the quality of the outputs of TinyMT seems pretty good in terms of randomnes (in particular the uniformity of generated numbers), taking the small size of the internal state into consideration (see [TinyMT-web]). [...] I'd suggest rewording as "The outputs of TinyMT satisfy several statistical tests for (non-cryptographic) randomness, including BigCrush in TestU01 and AdaptiveCrush), leaving it well-placed for non-cryptographic usage, especially given the small size of its internal state." or similar. (This avoids the "pretty good" construct and moves the emphasis from the tests to the usability of the algorithm.) Section 3.1 o mat1 = 0x8f7011ee = 2406486510 o mat2 = 0xfc78ff1f = 4235788063 o tmat = 0x3793fdff = 932445695 side note: these first two have the MSB set, and thus when the decimal form of the constant is used in C code, the implicit type will be a signed integer type of width strictly greater than 32, as opposed to an unsigned integer type (which would presumably have width 32 bits on most modern sytsems). for (int i = 1; i < MIN_LOOP; i++) { s->status[i & 3] ^= i + UINT32_C(1812433253) * (s->status[(i - 1) & 3] ^ (s->status[(i - 1) & 3] >> 30)); side note: I note that the UINT32_C macro produces a result of type uint_least32_t, which in theory could be wider and of greater conversion rank than uint32_t. This would result in the intermediate calculations being done in a type other than uint32_t, though for the specific calculation here this should not cause any difference in the final output after truncation to 32 bits. Section 3.2 This PRNG MUST first be initialized with the following function: void tinymt32_init (tinymt32_t * s, uint32_t seed); nit: the pointer declaration style here was missed in the style pass done in a recent revision. It takes as input a 32-bit unsigned integer used as a seed (note that value 0 is authorized by TinyMT32). [...] nit: perhaps "permitted" is a better word than "authorized", which can have some different connotations to IETF readers. The use of this structure authorizes several instances of this PRNG to be used in parallel, each of them having its own instance of the structure. nit: here, "admits" is a better replacement for "authorizes" (but "permits" would be fine, too). Section 3.3 Consequently, any implementation of the TinyMT32 PRNG in line with this specification MUST comply with the following criteria. Using a seed value of 1, the first 50 values returned by tinymt32_generate_uint32(s) as 32-bit unsigned integers MUST be equal to values provided in Figure 2. [...] I don't think it's appropriate to attempt to use "agreement with these test vectors" as a compliance mechanism (i.e., normative "MUST") -- the normative requirement must surely be to have the same observable behavior as the algorithm specified in the C code of Section 3.1. These vectors are just test vectors to give an implementor some confidence that they agree with the reference behavior. (You also need to say whether I read rows first or columns first in the Figure's contents.)
Hi, I only have a minor question: In which direction should the numbers of Figure 2 be read, per column or per line? nit: s/will then updated/will then be updated/
I agree with Eric that a reference to MT would be really good. As mentioned in the intro, "neither TinyMT nor MT are meant to be used for cryptographic applications". Please add this also to the security considerations section and maybe further explain risks. Similar as the feedback originally provided (by other ADs) for draft-ietf-tsvwg-rlc-fec-scheme, I would prefer to have the algorithm specified in text and not only as code.