TinyMT32 Pseudorandom Number Generator (PRNG)
RFC 8682
Yes
No Objection
Note: This ballot was opened for revision 01 and is now closed.
Alvaro Retana No Objection
Roman Danyliw (was Discuss) No Objection
Thank you for addressing my DISCUSSes and COMMENTs
Warren Kumari No Objection
I sometimes ballot "NoObj" in the "I read the protocol action, and I trust the sponsoring AD so have no problem" sense of the term.. but this time I'm using it in the "Goodness me, this is WAY outside my area of expertise" sense of the term. [Edit: I felt bad for not being able to do a more useful review, so I instead made sure that the code in the document actually generates the includes test vectors (and it does): $ gcc -o out tinymt32.c ; ./out 1: 2545341989 2: 981918433 3: 3715302833 4: 2387538352 5: 3591001365 6: 3820442102 7: 2114400566 8: 2196103051 9: 2783359912 10: 764534509 11: 643179475 12: 1822416315 13: 881558334 14: 4207026366 15: 3690273640 16: 3240535687 17: 2921447122 18: 3984931427 19: 4092394160 20: 44209675 21: 2188315343 22: 2908663843 23: 1834519336 24: 3774670961 25: 3019990707 26: 4065554902 27: 1239765502 28: 4035716197 29: 3412127188 30: 552822483 31: 161364450 32: 353727785 33: 140085994 34: 149132008 35: 2547770827 36: 4064042525 37: 4078297538 38: 2057335507 39: 622384752 40: 2041665899 41: 2193913817 42: 1080849512 43: 33160901 44: 662956935 45: 642999063 46: 3384709977 47: 1723175122 48: 3866752252 49: 521822317 50: 2292524454 This doesn't really say anything about the correctness of the document / algorithm, but does at least confirm that the code and test vectors match.
Éric Vyncke No Objection
Thanks for the work everyone has put into this document (and I understand that this -02 is coming out of another older document). While the mathematical aspects of the document are above my head, I took the liberty to put 3 comments and 1 nit in the hope to improve the quality of the document. == COMMENTS == -- Introduction -- Why not using the usual format for informative references in this chapter? The Mersenne Twister is part of the sentence but there are no reference to any paper. Please add a reference for the seminal piece of work. "...TinyMT32 represents a major improvement ..." can we have more information about this improvment? On which aspect ? == NITS == -- Abstract -- I find it a little surprizing that two authors are cited in the abstract.
(Magnus Westerlund; former steering group member) Yes
(Adam Roach; former steering group member) (was Discuss) No Objection
Thanks for addressing my discuss point.
(Alissa Cooper; former steering group member) No Objection
(Barry Leiba; former steering group member) No Objection
— Abstract — The main advantage of TinyMT32 over MT is the use of a small internal state, compatible with most target platforms including embedded devices, while keeping a reasonably good randomness. The difference between “most target platforms including embedded devices,” and “most target platforms, including embedded devices,” is too subtle to be sure that readers get the meaning right. I think the sentence would be clearer if it said, “most target platforms that include embedded devices,”. — Section 1 — the quality of the outputs of TinyMT seems pretty good in terms of randomnes Make it “randomness”. However, neither the TinyMT nor MT PRNG are meant to be used for cryptographic applications. This seems a bit more buried than it should be, as it’s important. I suggest putting some version of this in the Abstract, and also moving it more toward the beginning of the Introduction (probably in the first paragraph.
(Benjamin Kaduk; former steering group member) No Objection
In Section 3.1:
o the original copyright and licence have been removed, in
accordance with BCP 78 and the IETF Trust's Legal Provisions
Relating to IETF Documents (http://trustee.ietf.org/license-info);
The original copyright holder's permission is needed to do this! Perhaps
it is appropriate to note that the original authors are now listed as
authors on this document.
Please also specify what language the code in Section 3.1 is written in,
including reference (so as to specify which version of C it is to be
intepreted as).
I agree with the secdir reviewer and Mirja that some more references
would be good.
Section-by-section comments follow.
Abstract
while keeping a reasonably good randomness.
please add the "non-cryptographic" qualifier.
Section 1
According to statistical tests (BigCrush in
TestU01 and AdaptiveCrush), the quality of the outputs of TinyMT
seems pretty good in terms of randomnes (in particular the uniformity
of generated numbers), taking the small size of the internal state
into consideration (see [TinyMT-web]). [...]
I'd suggest rewording as "The outputs of TinyMT satisfy several
statistical tests for (non-cryptographic) randomness, including BigCrush
in TestU01 and AdaptiveCrush), leaving it well-placed for
non-cryptographic usage, especially given the small size of its internal
state." or similar. (This avoids the "pretty good" construct and moves
the emphasis from the tests to the usability of the algorithm.)
Section 3.1
o mat1 = 0x8f7011ee = 2406486510
o mat2 = 0xfc78ff1f = 4235788063
o tmat = 0x3793fdff = 932445695
side note: these first two have the MSB set, and thus when the
decimal form of the constant is used in C code, the implicit type will
be a signed integer type of width strictly greater than 32, as opposed
to an unsigned integer type (which would presumably have width 32 bits
on most modern sytsems).
for (int i = 1; i < MIN_LOOP; i++) {
s->status[i & 3] ^= i + UINT32_C(1812433253)
* (s->status[(i - 1) & 3]
^ (s->status[(i - 1) & 3] >> 30));
side note: I note that the UINT32_C macro produces a result of type
uint_least32_t, which in theory could be wider and of greater conversion
rank than uint32_t. This would result in the intermediate calculations
being done in a type other than uint32_t, though for the specific
calculation here this should not cause any difference in the final
output after truncation to 32 bits.
Section 3.2
This PRNG MUST first be initialized with the following function:
void tinymt32_init (tinymt32_t * s, uint32_t seed);
nit: the pointer declaration style here was missed in the style pass
done in a recent revision.
It takes as input a 32-bit unsigned integer used as a seed (note that
value 0 is authorized by TinyMT32). [...]
nit: perhaps "permitted" is a better word than "authorized", which can
have some different connotations to IETF readers.
The use of this structure authorizes
several instances of this PRNG to be used in parallel, each of them
having its own instance of the structure.
nit: here, "admits" is a better replacement for "authorizes" (but
"permits" would be fine, too).
Section 3.3
Consequently, any implementation of the TinyMT32 PRNG in
line with this specification MUST comply with the following criteria.
Using a seed value of 1, the first 50 values returned by
tinymt32_generate_uint32(s) as 32-bit unsigned integers MUST be equal
to values provided in Figure 2. [...]
I don't think it's appropriate to attempt to use "agreement with these
test vectors" as a compliance mechanism (i.e., normative "MUST") -- the
normative requirement must surely be to have the same observable
behavior as the algorithm specified in the C code of Section 3.1. These
vectors are just test vectors to give an implementor some confidence
that they agree with the reference behavior.
(You also need to say whether I read rows first or columns first in the
Figure's contents.)
(Deborah Brungard; former steering group member) No Objection
(Martin Vigoureux; former steering group member) No Objection
Hi, I only have a minor question: In which direction should the numbers of Figure 2 be read, per column or per line? nit: s/will then updated/will then be updated/
(Mirja Kühlewind; former steering group member) No Objection
I agree with Eric that a reference to MT would be really good. As mentioned in the intro, "neither TinyMT nor MT are meant to be used for cryptographic applications". Please add this also to the security considerations section and maybe further explain risks. Similar as the feedback originally provided (by other ADs) for draft-ietf-tsvwg-rlc-fec-scheme, I would prefer to have the algorithm specified in text and not only as code.
(Suresh Krishnan; former steering group member) No Objection