JPWO2017150672A1 - Random number generator, random number generation method, and computer program - Google Patents

Abstract

  Random number generating apparatus 100 has a storage unit 120 that stores a plurality of variables, and a calculation unit 130 that executes a plurality of update expressions that update each of the plurality of variables, and outputs update values of the plurality of variables to storage unit 120. And a generator 110 that generates a random number based on at least one of a plurality of variables. The update formula includes a permutation polynomial of the target variable updated by the update formula and variables other than the target variable included in the plurality of variables, and the periodicity when the target variable is repeatedly updated by the update formula is One-stroke periodicity.

Description

  The present invention relates to a random number generator and the like.

  Patent Document 1 discloses a random number generator using a permutation polynomial.

Japanese Patent No. 3806762

  Generally, high randomness is desired for random numbers. One approach for increasing the randomness of the random number generated using the value of the permutation polynomial is to increase the order of the permutation polynomial. However, when the degree of the permutation polynomial is increased, the calculation time by the calculator tends to increase.

  For this reason, it is desirable to easily obtain high randomness by an approach different from increasing the order.

  From one viewpoint, the present invention is a random number generator. The random number generator executes a plurality of update-type operations for updating each of the plurality of variables. The update formula includes a permutation polynomial of the target variable that is updated by the update formula and variables other than the target variable included in the plurality of variables. In the update formula, the periodicity when the update target variable is repeatedly updated is a one-stroke writing periodicity. According to the present invention, a long period similar to a one-stroke polynomial is obtained, and high randomness is easily obtained.

  From another viewpoint, the present invention is a method for generating a random number. From another viewpoint, the present invention is a computer program for causing a computer to function as a random number generator. The computer program is stored in a computer-readable recording medium.

It is a figure which shows the locus | trajectory of a substitution polynomial. It is a figure which shows the locus | trajectory of a single stroke polynomial. It is a block diagram of a random number generator.

[1. the term]

[1.1 Permutation polynomial]
The permutation polynomial F (X) is a polynomial that gives permutation of X over a finite set. A permutation polynomial gives bijection in a finite set. The trajectory indicating the change in the value of the variable X due to the permutation polynomial is necessarily a periodic trajectory. That is, the change in the value of the variable X by the replacement polynomial has periodicity.

[1.2 Two power surplus ring]
A two-residue remainder ring is a finite set expressed as follows. In the present specification, a 2-power residue ring represented as follows is referred to as a “2-power residue ring with a power index w”. w is an arbitrary non-negative integer.
If the value goes out of the range of the set during the calculation, “mod 2 ^w ” is taken. mod is a remainder operator.

[1.3 Permutation polynomial over 2 冪 remainder ring]
The permutation polynomial on the 2-power residue ring is a permutation polynomial that gives substitution on the 2-power residue ring. The permutation polynomial over the two-residue ring is an integer coefficient polynomial. In other words, the permutation polynomial F (X) on the 2-power residue ring is an integer coefficient polynomial in which F (X) mod 2 ^w gives bijection on the 2-power residue ring with a power exponent w, and Defined.

For example, the trajectory of the permutation polynomial F _a (X) = 2X ² + X + 1 on the two-residue ring with the power exponent 3 becomes a periodic trajectory as shown in FIG. That is, F _a (0) mod 2 ³ = 1, F _a (1) mod 2 ³ = 4, F _a (4) mod 2 ³ = 5, and F _a (5) mod 2 ³ = 0.

Further, the substitution polynomial F _a (X) = 2X ² + X + 1 also has another periodic trajectory shown in FIG. That is, F _a (2) mod 2 ³ = 3, F _a (3) mod 2 ³ = 6, F _a (6) mod 2 ³ = 7, and F _a (7) mod 2 ³ = 2.

[1.4 One-stroke periodicity and one-stroke polynomial]
One-stroke periodicity means that one trajectory (one period trajectory) formed by the polynomial F (X) goes around all elements of the 2-fold remainder ring. A polynomial whose orbit has a single stroke periodicity is called a single stroke polynomial. A one-stroke polynomial is defined as follows.

FIG. 2 shows the trajectory of the one-stroke polynomial F _b (X) = 4X ² + X + 1 on the 2 power remainder ring with {3, {2, 1, 3, 4, 5, 6, 7}. Yes. The trajectory shown in FIG. 2 is a periodic trajectory, and one cycle trajectory passes through all elements {0, 1, 2, 3, 4, 5, 6, 7} once. Therefore, the trajectory on the 2-fold remainder ring by F _b (X) has a one-stroke writing periodicity, and F _b (X) is a one-stroke writing polynomial. As is clear from the comparison between FIG. 1 and FIG. 2, when there is a one-stroke writing periodicity, the period of the orbit is maximum and the period length is 2 ^w . A long period is advantageous for random number generation.

The necessary and sufficient condition that the permutation polynomial F (X) is a one-stroke polynomial is:
Is all true. The above necessary and sufficient conditions are:
The coefficients a ₀ and 1 are congruent with respect to modulus 2,
The coefficients a ₁ and 1 are congruent with respect to modulus 2,
The sum of all the coefficients a ₁ , a ₂ , a ₃ ,... With subscript 1 or more and 1 are congruent with respect to modulus 4.
The sum of all the coefficients a ₃ , a ₅ , a ₇ ,... Whose subscript is an odd number of 3 or more and 2a ₂ are congruent with respect to modulus 4.

  A one-stroke polynomial is advantageous for generating random numbers from the viewpoint of a long period, but temporal development (temporal change of the variable X) is simplified, and it may be difficult to obtain sufficient randomness. Therefore, a simple one-stroke polynomial has a disadvantage in generating random numbers.

[2. Outline of Embodiment]

[Section 1]
The random number generator according to the embodiment
A storage unit for storing a plurality of variables;
A calculation unit that executes calculation of a plurality of update expressions for updating each of the plurality of variables, and outputs update values of the plurality of variables to the storage unit;
A generator that generates a random number based on at least one of the plurality of variables;
Is provided.
The update formula is
A substitution polynomial of the target variable updated by the update formula, and other variables other than the target variable included in the plurality of variables,
The periodicity when the target variable is repeatedly updated by the update formula is the one-stroke writing periodicity.

  According to the random number generator of the first term, the update expression for updating the variable used for generating the random number includes other variables besides the target variable updated by the update expression. Randomness can be increased without increasing the size. Moreover, since the update formula has a one-stroke writing periodicity, a long cycle can be obtained.

[Section 2]
The update formula may include a sum of the permutation polynomial of the target variable and the other variable.

[Section 3]
The permutation polynomial of the target variable may be a coefficient part multiplied by the target variable, including the coefficient part represented by a polynomial, and the other variable may be included in the coefficient part.

[Section 4]
The permutation polynomial is preferably a one-stroke polynomial.

[Section 5]
The method according to the embodiment includes:
The calculation unit performs a plurality of update-type calculations for updating each of the plurality of variables stored in the storage unit;
The operation unit outputs updated values of the plurality of variables to a storage unit;
A generator generates a random number based on at least one variable of the plurality of variables;
including.
The update formula is
A substitution polynomial of the target variable updated by the update formula, and other variables other than the target variable included in the plurality of variables,
The periodicity when the target variable is repeatedly updated by the update formula is the one-stroke writing periodicity.

[Section 6]
The computer program according to the embodiment is
Computer
A storage unit for storing a plurality of variables;
Based on at least one of the plurality of variables, an arithmetic unit that executes a plurality of update formula operations for updating each of the plurality of variables, and outputs update values of the plurality of variables to the storage unit This is a computer program for functioning as a generator for generating random numbers.
The update formula is
A substitution polynomial of the target variable updated by the update formula, and other variables other than the target variable included in the plurality of variables,
The periodicity when the target variable is repeatedly updated by the update formula is the one-stroke writing periodicity.

[3. Details of Embodiment]

[3.1 Configuration of random number generator]
FIG. 3 shows a random number generation device 100 according to the embodiment. The random number generation device 100 is configured by, for example, hardware including an arithmetic circuit that executes an operation for generating a random number. The random number generation device 100 may be a computer in which a random number generation computer program is installed. The computer functions as the random number generation device 100 by executing a random number generation computer program.

The random number generation device 100 includes a generator 110 that generates a random number. The generator 110 generates a random number from the variable x. The generator 110 according to the embodiment generates a random number based on _n (n is an integer of 2 or more) variables x ₁ ,..., X _n . Here, the variables x ₁ ,..., X _n are w-bit unsigned variables. w is an arbitrary non-negative integer, for example, 64. In the following, the notation ^xt representing the time evolution of the variable x may be used. x ^t represents the value of the variable x at time t.

  The random number generation device 100 includes a storage unit 120 that stores n variables, and a calculation unit 130 that executes a calculation for updating the n variables. The storage unit 120 has n storage areas 120-1,..., 120-n for storing n variables. The size of each storage area 120-1,..., 120-n is w bits.

The computing unit 130 has n computing units 130-1,..., 130-n corresponding to n storage areas 120-1,. Each calculator 130-1, ..., 130-n, the corresponding storage areas 120-1, ..., 120-n variables _x 1 stored in, ..., to update the _{x n} Update The calculation of the expression bodies G ₁ ,..., G _n is executed. The update formula bodies G ₁ ,..., G _n are portions obtained by removing “mod 2 ^w ” from the update formula described later.

A variable x that is a target of calculation by each of the calculators 130-1,..., 130-n is referred to as a target variable. For example, the target variable for the calculator 130-1, a variable _{x 1,} target variable for the computing unit 130-n is a variable _{x n.}

Each computing unit 130-1,..., 130-n acquires the target variable from the storage unit 120 in order to update the target variable. For example, calculator 130-1 obtains the variable _{x 1} as the target variable from the storage area 120-1, calculator 130-n obtains the variable _{x n} as the target variable from the storage area 120-n.

Each of the calculators 130-1,..., 130-n acquires not only the target variable but also other variables from the storage unit 120. The other variables are variables included in the plurality of variables x ₁ ,..., X _n and are variables other than the target variable. There may be one or more other variables. Each computing unit 130 may acquire all of the plurality of variables x ₁ ,..., X _n . For example, calculator 130-1 acquires from the storage area 120-2 and the variable _{x 2} as other variables, computing unit 130-n may acquire the variables _{x 1} as the other variables from the storage area 120-1 To do.

  Other variables acquired by the respective arithmetic units 130-1,..., 130-n are used for updating the target variable together with the target variable. In other words, the update expression is an expression including the target variable and other variables. An example of the update formula will be described later.

Each calculator 130-1, ···, 130-n, the update type body _G 1, · · ·, the operation result R-1 of _{G n,} · · ·, and outputs the R-n. The number of bits of the calculation results R-1, ..., Rn may exceed w bits. Each calculation result R-1, ···, are lower w bits of R-n, the variable _x ¹ _t, ···, updated values _x ¹ t + 1 of _x ^{n _t,} ···, the ^{x n t + 1.} Mathematically, taking out the lower w bits from each operation result R-1,..., Rn means that for each operation result R-1,. This is equivalent to performing the operation mod 2 ^w ″. In the present embodiment, since it is not necessary to perform a remainder operation, the operation can be speeded up.

Update values x ₁ ^{t + 1} ,..., X _n ^{t + 1} are output from the calculation unit 130 to the storage unit 120. The update values x ₁ ^{t + 1} ,..., X _n ^{t + 1} are overwritten on the storage areas 120-1,.

In the present embodiment, the generator 110 generates an output sequence ^{t + 1} used for random number generation from one or more variables x ^{t + 1} output from the arithmetic unit 130 at time t + 1, and the random number at time t + 1 from the output sequence ^{t + 1. t + 1} is generated. The configuration of the generator 110 is not particularly limited as long as it performs a predetermined operation for generating a random number from one or a plurality of variables x. The operation for generating random numbers from the variables by the generator 110 may be an operation in which some or all of a plurality of variables x are combined in any way, or an operation using only one variable among the plurality of variables x. It may be. The generator 110 may generate a random number by reading the variable x from the storage unit 120 after the updated value of the variable x is overwritten in the storage unit 120.

The generator 110 according to the embodiment includes an exclusive OR operation unit 111. The exclusive OR operation unit 111 performs an exclusive logical operation on _n variables x ₁ ,..., X _n . A predetermined upper bit (for example, upper 16 bits) of the output of the exclusive OR operation unit 111 is an output sequence ^{t + 1} . The generator 110 generates a random number ^{t + 1} using the output sequence ^{t + 1} , and outputs the generated random number ^{t + 1} . The exclusive OR operation unit 111 may perform an exclusive OR operation on the upper bits of each of the N variables x ₁ ,..., X _n . The generator 110 may output the output sequence as a random number.

[3.2 First example of update formula]
A first example of n update expressions for updating each of the n variables x ₁ ,..., x _n is as follows.

The right side of each update formula has a “mod 2 ^w ” portion and an update formula body that is a portion other than “mod 2 ^w ”. For example, update equation updating expression body _{G 1} variables _{x 1,} out of the update equation variables _{x 1,} a "mod ^{2 w"} other parts ^{_{"F 1 (x 1 (i}} )) + c 1,1 x ₁ ⁽ⁱ⁾ + c _1,2 x ₂ ⁽ⁱ⁾ + c _1,3 x ₃ ⁽ⁱ⁾ +... + C _{1, n} x _n ⁽ⁱ⁾ ”. The same applies to the other variables x ₂ ,..., X _n .

The updatable body is computed by a corresponding computing unit. For example, update equation body _{G 1} is calculated by the computing unit 130-1. The update formula body G ₁ includes a one-stroke polynomial F ₁ (x ₁ ⁽ⁱ⁾ ) as a permutation polynomial of the target variable x ₁ and an additional polynomial c _1,1 x ₁ ⁽ⁱ⁾ + c _1,2 x ₂ ^{(i )} + C _1,3 x ₃ ⁽ⁱ⁾ +... + C _{1, n} x _n ⁽ⁱ⁾ . The additional polynomial includes at least one other variable (variable other than the target variable x ₁ ) x ₂ ,... X _n . Additional polynomial may include a target variable x _1. In the first example, the additional polynomial is a linear combination with _{ck, l} as coefficients for a plurality of variables x included in the additional polynomial. Note that in this specification, a polynomial includes a monomial. Description of the above update equations body _{G 1} is other variables _x 2, · · ·, update expression body _G 2 for _{x n,} · · ·, is the same in _{G n.}

  In the first example of the update equation, an additional polynomial is added to each one-stroke polynomial, but the one-stroke periodicity in each update equation is maintained.

In the first example of the update formula, the conditions for having one-stroke periodicity are as follows.
The coefficients c _{k, l} (k = 1, 2,..., N, l = 1, 2,..., N) are all even numbers (even numbers include 0, and so on).
For any k, the number of c _{k, 1} , c _{k, 2} ,..., C _{k, n} that is not divisible by 4 is an even number.

  Note that “+” in the addition polynomial and “+” for taking the sum of the addition polynomial and the permutation polynomial (one-stroke polynomial) need not be an arithmetic sum operation, but an exclusive OR operation. May be. Also, arithmetic operations and exclusive OR operations may be mixed as operations corresponding to a plurality of “+”. When arithmetic sum operation and exclusive OR operation coexist, priority of both operations may be determined as appropriate.

The first example of the update formula is useful in the following points. First, since each update formula has a one-stroke writing periodicity, the period of each variable is guaranteed to be a long period of 2 ^w . That is, the following holds.
Note that long periodicity is an important property in pseudorandom number generators and stream ciphers.

  The time evolution in the first example of the update formula is advantageous because it has a more complicated behavior than the time evolution of a simple one-stroke polynomial alone. In the first example of the update formula, the order of each update formula is suppressed to 2, but a complicated behavior of time evolution can be obtained without increasing the order. The increase in the degree causes an increase in multiplication with a large calculation load. However, in the first example of the update formula, the order of each update formula can be suppressed low, which is advantageous.

  In the first example of the update formula, an additional polynomial is added to the one-stroke polynomial, but it is not necessary to divide substantially as in the one-stroke polynomial. In other words, the superiority of the one-stroke polynomial that the remainder calculation can be ignored on a digital computer is maintained.

  By calculating n update expressions in parallel, that is, by calculating each of the calculators 130-1,..., 130-n in parallel, the calculation time can be increased even if the number of variables increases. Can be suppressed.

When a power of 2 is selected as the value of the coefficient c _{k, l} , c _{k, l} x _{k, l} expressed as multiplication in the update formula is realized by a bit shift operation of the variable x _{k, l} Therefore, higher speed is possible. As the values of the coefficients _{ck, l} , various values can be adopted as long as the above conditions are satisfied. Therefore, the degree of freedom of design as a random number generator increases.

[3.3 Evaluation of first example of renewal formula]
In order to evaluate the randomness of the first example of the update formula, the following n update formulas were used.

  The evaluation was performed by causing the computer to execute a program that causes the computer to operate so that the arithmetic unit 130 in the random number generation device of FIG. The computer processor that functions as the random number generator is 1.3 GHz Intel Core i5. The evaluation was performed without parallelizing n update expressions.

In the evaluation, the generation unit 110 performs exclusive OR of the variables x ₁ , x ₂ , x ₃ , x ₄ , x ₅ , x ₆ output from the calculation unit 130, and right-shifts the result by 48 bits. A 16-bit value (output series) is generated as an evaluation series. That is, the generation unit 110 performs the following calculation.

Randomness was evaluated by 40 sets with the following as one set.
1. _{x 1, x 2, x 3} , x 4, x 5, x 6, a 1, a 2, a 3, a 4, a 5, a 6, b 1, b 2, b 3, b 4, b 5 , B ₆ are determined at random.
2. "1." to execute the random number generator which sets the value determined by, for generating a ^109-bit random number generated evaluated sequence.
3. The resulting random number ^109-bit random number, and 1000 10 ^6-bit random number. 1000 random numbers are subjected to a random number test as defined by the National Institute of Standards and Technology (NIST) SP 800-22.

Table 1 shows the random number test results.

  NIST SP 800-22 consists of 188 tests. 26 out of 40 sets passed all 188 items. In the case of an ideal random number, the theoretical value of the number of sets that clears all 188 items is in the range of standard deviation from 21 to 27 out of 40 sets. Moreover, it is the result which an ideal random number can take sufficiently also about 14 sets which did not pass all the items. Therefore, it can be seen that good results are obtained with respect to randomness.

  In the evaluation, an execution speed of 3 Gbps or more was obtained, and a good result was obtained from the viewpoint of execution speed.

[3.4 Second example of update formula]
A second example of the N update expressions for updating each of the N variables x ₁ ,..., X _N is as follows.

  Note that “+” in the second example is not necessarily an arithmetic sum operation, and may be an exclusive OR operation. Also, arithmetic operations and exclusive OR operations may be mixed as operations corresponding to a plurality of “+”. When arithmetic sum operation and exclusive OR operation coexist, priority of both operations may be determined as appropriate.

The second example of the update formula is defined in a format including the first example. That is, among all the coefficients c _{i, j, k, l, the} coefficient c with the subscript j being 0 and the subscript l being 1 (other subscripts i and k may be 0 or 0). _If everything except _{i, 0, k, 1 is set} to 0,
This corresponds to the first example.

Also in the second example, the update formula for each variable x ₁ ,..., X _N has a one-stroke writing periodicity. Also in the second example, the right side of each updating formula has a “mod 2 ^w ” portion and an updating formula body that is a portion other than “mod 2 ^w ”. Also in the second example, the update formula body is represented as a sum of the permutation polynomial (one-stroke polynomial) of the target variable and the additional polynomial, but in the second example, the additional polynomial may not be included. In the second example, the coefficient part of the permutation polynomial (the part to be multiplied by the target variable) is represented by a polynomial including variables other than the target variable.

The following shows a specific example of the second example.

For example, the update formula for the variable x ₁ has an update formula body G ₁ other than “mod 2 ⁶⁴ ”. In the update formula body G ₁ , the one-stroke polynomial for the target variable x ₁ is “2 {x ₁ ^(t) } ² + {4x ₃ ^(t) +3} x ₁ ^(t) +1”. The portion, which corresponds to the additional polynomial, is the portion “4x ₂ ^(t) ”. The additional polynomial of the update formula body G ₁ has x ₂ ^(t) as another variable.

In the one-stroke polynomial of the update formula body G ₁ , the coefficient of x ₁ ^(t) is not a constant but includes another variable x ₃ ^(t) . Therefore, the coefficient of the one-stroke polynomial changes with time, and the time evolution of the update formula becomes more complicated than in the first example. The same applies to the update formulas of the other variables x _{2 to} x ₈ .

  Further, the second example includes the first example, and the same utility as the first example can be obtained. Furthermore, in the second example, since the coefficient portion of the permutation polynomial (single-stroke polynomial) can be changed by other variables, even if the coefficient portion includes a constant whose value does not change with time, the value is small. It's okay. Therefore, it is not necessary to allocate a large memory to a constant whose value does not change, and the memory efficiency is improved.

[3.5 Evaluation of second example of renewal formula]
Evaluation of the randomness of the second example of the update formula was performed using the n update formulas shown as the above specific examples.

  The evaluation method is substantially the same as the evaluation method of the first example. In the second example, 52 sets were evaluated. In the second example, each variable is 64 bits, and the upper 32 bits of each variable are used for output sequence generation.

  In the case of the second example, the maximum value of the execution speed is 4936.824780 Mpbs, which is 2.16 cycle / byte when converted into the encryption speed, and a very high speed is obtained.

  In the case of the 2nd example, as for the result of the random number test defined by NIST SP 800-22, 40 sets out of 52 sets passed for all 188 items. Good randomness was also confirmed in the second example.

  The present invention is not limited to the above embodiment, and various modifications can be made.

100 random number generator 110 generator 120 storage unit 130 calculation unit

Claims (6)

A storage unit for storing a plurality of variables;
A calculation unit that executes calculation of a plurality of update expressions for updating each of the plurality of variables, and outputs update values of the plurality of variables to the storage unit;
A generator that generates a random number based on at least one of the plurality of variables;
With
The update formula is
A substitution polynomial of the target variable updated by the update formula, and other variables other than the target variable included in the plurality of variables,
The random number generator according to claim 1, wherein the periodicity when the target variable is repeatedly updated by the update formula is a one-stroke writing periodicity. The random number generation device according to claim 1, wherein the update formula includes a sum of the permutation polynomial of the target variable and the other variable. The permutation polynomial of the target variable is a coefficient part to be multiplied by the target variable, and includes the coefficient part represented by a polynomial, and the other variable is included in the coefficient part. The random number generator described. The random number generator according to claim 1, wherein the permutation polynomial is a one-stroke polynomial. The calculation unit performs a plurality of update-type calculations for updating each of the plurality of variables stored in the storage unit;
The operation unit outputs updated values of the plurality of variables to a storage unit;
A generator generates a random number based on at least one variable of the plurality of variables;
Including
The update formula is
A substitution polynomial of the target variable updated by the update formula, and other variables other than the target variable included in the plurality of variables,
The random number generation method, wherein the periodicity when the target variable is repeatedly updated by the update formula is a one-stroke writing periodicity. Computer
A storage unit for storing a plurality of variables;
Based on at least one of the plurality of variables, an arithmetic unit that executes a plurality of update formula operations for updating each of the plurality of variables, and outputs update values of the plurality of variables to the storage unit A computer program for functioning as a generator for generating random numbers,
The update formula is
A substitution polynomial of the target variable updated by the update formula, and other variables other than the target variable included in the plurality of variables,
A computer program in which the periodicity when the target variable is repeatedly updated by the update formula is a one-stroke writing periodicity.