The issue is that the common suites of statistical test don't include every credible statistical test at their level of complexity.
Essentially as you retry against the tests you expend their utility, producing a result that is guaranteed to pass them as a byproduct of your process. ... but may in fact be extraordinarily weak to yet another reasonable statistical test (and/or broken in some practical application) that no one has yet thought to include in the test suite.
On the plus side, those tests are fairly extensive and brutal nowadays. They detect anomalies in cryptographic algorithms that were still used a decade ago, such as arc4random().
But one thing I hint at at the end is that I hope, and anticipate, to see more accurate quality measurement tools in the future.
If it passes the remainder on the first try, you might be on to something.
If it fails, you've got a problem: tweaking until it passes isn't going to help you.
After that, you try with the complete suite and unless the result reaches a predetermined passing criteria you declare the design as flawed and go back to step 1 rather than continuing to tweak (as the result of continued tweaking will inevitably be a pass even if the design is poor).
Unfortunately, high performance and even 'good random-like behavior' may be at odds with having a construct which is transparent enough to be able to justify its performance from analysis rather than running it. :(
One thing I did when designing random functions is run them against DieHarder and Practrand, but then also against SMHasher, you just have to use some construction to fold the key into the state. I think that's a useful somewhat orthogonal way to test. have you considered this?
For example, if a game uses a PRNG to "stretch" a random seed for procedural generation purposes conditional probabilities are important (to avoid spurious correlations between features) but period is completely irrelevant (even a relatively short period would be many orders of magnitude larger than output size).
Depending on how the “blending” is done and whether the algorithms are truly independent of each other, combining them is definitively more secure than any of them individually. The Linux kernel let’s you do this through writing to /dev/random. The written bytes get added (in part) to the entropy pool.
I don't think this is quite correct. You can move efficiently from r64 to XMM/YMM without going through memory with MOVQ/_mm_cvtsi64_si128. I'm not able to look into it more closely right now, but these links should give insight:
My vague recollection is that you might be right that this is clumsy with AVX2. Maybe it's a case where you have to take advantage of the fact that XMM1 and YMM1 are same register, and cast the YMM to XMM? Or just drop to inline assembly.
But thanks for the writeup, and I hope to be able to look at Shishua more closely at some point in the future.
An intrinsic cast works fine though:
Intel even says about the cast:
> Cast vector of type __m128i to type __m256i; the upper 128 bits of the result are undefined. This intrinsic is only used for compilation and does not generate any instructions, thus it has zero latency.
That seems a bit beyond their mandate since what the compilers generate is mostly up to them, and in fact it doesn't seem true: at -O0, both gcc and clang generate a few extra instructions for the cast. With optimization on, it's all good though.
He mentions that perhaps the implementation of ChaCha8 for the benchmark is done by hand and unoptimized. And it is true from what I saw that a lot of benchmarks with ChaCha8 are implemented with none of the tweaks that make it fast.
In this instance, it looks like the Randen author didn’t reimplement it from scratch, but they used an SSE implementation, not an AVX2 one, which would have been faster: https://github.com/google/randen/blob/1365a91bafc04ba491ce79...
> Or, as Pearson puts it:
> From this it will be more than ever evident how little chance had to do with the results of the Monte Carlo roulette in July 1892.
> (Not sure why his academic paper suddenly becomes so specific; maybe he had a gambling problem on top of being a well-known racist.)
Why is irreversibility a bad thing? Is it just the loss of useful state which reduces the internal entropy?
Is irreversibility ever useful? Wouldn't some amount of discarded bits make it harder for an adversary to infer the state?
If something is irreversible then it's not 1 to 1 and you don't use the whole state space, so you'll likely have short cycles.
Second part, again yes. But you can add that useful irreversible transform in the finalization of the output, and not in the state transform itself.
I'm self taught so my understanding and terminology may not mesh with the people who have been taught this.
You mentioned the lack of cryptanalysis; there is also the lack of rounds (which prevents researchers from breaking partial versions to ease their study, and allows setting a security margin).
That said, I'm not up to date on the speed of CSPRNGs so maybe they're already there.
(I speak cantonese, though, so maybe mandarin speakers wouldn't fall in this trap)
SHISHUA is a strong design, suitable for many use-cases. But the decision of which PRNG is right for you depends on platform, context, comfort, and ease of access.
If you are making a simple video game, it might be fine to just use your standard library; or to write one of the simple ones that you memorized and that don’t have too terrible an output.
If your video game has more severe stakes, if it is the backbone of a virtual economy in a massively multiplayer game where servers feed on a large amount of randomness that needs high quality to ensure players don’t find flaws and abuse the system for their own gain, maybe SHISHUA is right for you.
If you are targeting a platform that does not support 64-bit computation, SHISHUA can’t do it well, and other PRNGs such as sfc32 can be good there.
If you are working on machine learning that feeds on heaps of randomness over the course of months of computation, and that need quality to ensure an unbiased, even learning, SHISHUA can be right for you.
There was a neat article recently that contrasted a large number of PRNGs for use on video games, in particular on consoles: https://rhet.dev/wheel/rng-battle-royale-47-prngs-9-consoles...
It is before the publication of SHISHUA, but the insights there are interesting.