-Comments:
-The paper is, overall, well written and clear, with appropriate references to the relevant concepts and prior work. The motivation of the work, however, is not quite clear: the authors present (provable) chaotic properties of a PRNG as a security improvement, but provide no convincing argument beyond opinion (or hope). There seems to have been no effort in showing how the new PRNG improves on a single (say) xorshift generator, considering the slowdown of calling 3 of them per iteration (cf. Listing 1). This could be done, if not with the mathematical rigor of chaos theory, then with simpler bit diffusion metrics, often used in cryptography to evaluate building blocks of ciphers.
-
-The generator of Listing 1, despite being proved chaotic, has several problems. First, it doesn't seem to be new; using xor to mix the states of several independent generators is standard procedure (e.g., [1]). Secondly, the periods of the 3 xorshift generators are not coprime --- this reduces the useful period of combining the sequences. Thirdly, by combining 3 linear generators with xor, another linear operation, you still get a linear generator, potentially vulnerable to stringent high-dimensional spectral tests.
-
-The BBS-based generator of section 9 is anything but cryptographically secure. A 16-bit modulus (trivially factorable) gives out a period of at most $2^16$, which is neither useful nor secure. Its speed is irrelevant, as this generator as no practical applications whatsoever (a larger modulus, at least 1024-bit long, might be useful in some situations, but it will be a terrible GPU performer, of course).
-
-To sum it up, while the theoretical part of the paper is interesting, the practical results leave much to be desired, and do not back the thesis that chaos improves some quality metric of the generators. On the theoretical side, you may be interested in Vladimir Anashin's work on ergodic theory on p-adic (specifically, 2-adic) numbers to prove uniform distribution and maximal period of generators. The $d_s(S, \check{S})$ distance loosely resembles the p-adic norm.
-
-Typos and other nitpicks:
- - Blub Blum Shub is misspelled in a few places as "Blum Blum Shum";
- - Page 12, right column, line 54: In "t<<=4", the << operation is using the « character instead.
-
- [1] Howes, L., and Thomas, D. "Efficient random number generation and application using CUDA." In GPU Gems 3, H. Nguyen, Ed. NVIDIA, 2007, Ch. 37.
+\bigskip
+\textit{The paper is, overall, well written and clear, with appropriate references to the relevant concepts and prior work. The motivation of the work, however, is not quite clear: the authors present (provable) chaotic properties of a PRNG as a security improvement, but provide no convincing argument beyond opinion (or hope).}
+
+
+\bigskip
+\textit{There seems to have been no effort in showing how the new PRNG improves on a single (say) xorshift generator, considering the slowdown of calling 3 of them per iteration (cf. Listing 1). This could be done, if not with the mathematical rigor of chaos theory, then with simpler bit diffusion metrics, often used in cryptography to evaluate building blocks of ciphers.}
+
+A large section (Section 5) has been added, using and extending some previous works. It explains with more detail why topological chaos
+is useful to pass statistical tests. This new section contains both qualitative explanations and quantitative (experimental) evaluations.
+ Using several examples, this section illustrates that defective PRNGs are always improved, according
+to the NIST, DieHARD, and TestU01 batteries.
+
+\bigskip
+\textit{The generator of Listing 1, despite being proved chaotic, has several problems. First, it doesn't seem to be new; using xor to mix the states of several independent generators is standard procedure (e.g., [1]).}
+
+The novelty of the approach is not in the discovery of a new kind of operator, but on the way to combine existing PRNGs. We propose
+to realize a post-treatment based on chaotic iterations on these generators, in order to add topological properties that improve
+their statistics while preserving their cryptographical security. In this document, generators that use XOR or BBS are only
+illustrative examples using the vectorial negation as iterative function in the chaotic iterations. Theorems 1 and 2 explain how to
+replace this negation function, that leads to well known forms of generators, by more exotic ones. However, the choice of the vectorial
+negation for illustrations has been motivated for speed.
+
+Indeed, to the best of our knowledge, all the generators proposed in the literature mix only a few operations on previously obtained states:
+arithmetic operations, exponentiation, shift, exclusive or. It is impossible to define a fast PRNG or to prove its security when
+using more complicated operations, and the number of such operations that are mixed is necessary very low. Thus almost all
+ up-to-date fast or secure generators are very simple, like the BBS or all the XORshift-like ones. In a certain extend, they are all similar,
+due to the very reduced number of efficient elementary operations offered to define them.
+
+
+\bigskip
+\textit{Secondly, the periods of the 3 xorshift generators are not coprime --- this reduces the useful period of combining the sequences.}
+
+We agree with the reviewer in the fact that using coprimes here will improve
+the period of the resulted PRNG. Nevertheless the goal of this section was to
+pass the Big Crush battery, and we achieve that with proposed combination of
+the three XORshifts.
+
+\bigskip
+\textit{Thirdly, by combining 3 linear generators with xor, another linear operation, you still get a linear generator, potentially vulnerable to stringent high-dimensional spectral tests.}
+
+This first generator has not been designed for security reasons, but for speed: the
+idea was to provide a very efficient version of our former generator that can pass
+TestU01, and linear
+operations are a necessity when speed with pseudorandomness are desired. If the desire is to use a fast and statistically perfect PRNG, then simulations
+proposed in this document show that this first PRNG is suitable. However, we have neither
+claimed nor proved that this generator is secure. Indeed, we have only shown that some
+chaotic iteration based post-treatment, like the one that use the vectorial negation,
+can preserve the cryptographically secure property (while adding chaos), if this property has been established
+for the inputted generator. As the inputted generator is not
+cryptographically secure in the example disputed by the reviewer, we cannot apply this
+result. Indeed the first part of the document does not deal with security,
+but it investigates the speed, chaos, and statistical quality of PRNGs.
+A sentence has been added to clarify this point at the end of Section 5.4.
+
+
+\bigskip
+\textit{The BBS-based generator of section 9 is anything but cryptographically secure. A 16-bit modulus (trivially factorable) gives out a period of at most $2^{16}$, which is neither useful nor secure. Its speed is irrelevant, as this generator as no practical applications whatsoever (a larger modulus, at least 1024-bit long, might be useful in some situations, but it will be a terrible GPU performer, of course).}
+
+
+This claim is surprising, as this result is mathematically proven in the article:
+either there is something wrong in the proof, or the generator is cryptographically
+secure. Indeed, there is probably a misunderstanding of this notion, which does
+not deal with the practical aspects of security. For instance, BBS is
+cryptographically secure, but whatever the size of the keys, a brute force attack always
+achieve to break it. It is only a question of time: with sufficiently large primes,
+the time required to break it is astronomically large, making this attack completely
+impracticable: being cryptographically secure is not a
+question of key size.
+
+\begin{color}{green}
+Most of theoretical cryptographic definitions are somehow an extension of the
+notion of one-way function. Intuitively a one way function is a function
+ easy to compute but which is practically impossible to
+inverse (i.e. from $f(x)$ it is not possible to compute $x$).
+Since the size of $x$ is known, it is always possible to use a brute force
+attack, that is computing $f(y)$ for all $y$'s of the good size until
+$f(y)\neq f(x)$. Informally, if a function is one-way, it means that every
+algorithm that can compute $x$ from $f(x)$ with a good probability requires
+a similar amount of time than the brute force attack. It is important to
+note that if the size of $x$ is small, then the brute force attack works in
+practice. The theoretical security properties don't guaranty that the system
+cannot be broken, it guaranty that if the keys are large enough, then the
+system still works (computing $f(x)$ can be done, even if $x$ is large), and
+cannot be broken in a reasonable time. The theoretical definition of a
+secure PRNG is more technical than the one on one-way function but the
+ideas are the same: a cryptographically secured PRNG can be broken
+ by a brute force prediction, but not in a reasonable time if the
+ keys/seeds are large enough.
+\end{color}
+
+Nevertheless, new arguments have been added in several places of the revision of our paper,
+concerning more concrete and practical aspects of security, like the
+$(T,\varepsilon)-$security notion of Section 8.2. Such a practical evaluation
+has not yet been performed for the GPU version of our PRNG, and the reviewer
+has true when thinking that these aspects are fundamentals to determine whether
+the proposed PRNG can face or not attacks in practice. A formula similar to what
+has been computed for the BBS (as in Section 8.2) must be found in future work,
+to measure how much time an attacker must have to break the proposed generator
+when considering the parameters we have chosen (this computation is a difficult
+task).
+Sentenses have been added in several places (like at the end of Section 9.1)
+summarizing this.
+
+\bigskip
+\textit{To sum it up, while the theoretical part of the paper is interesting, the practical results leave much to be desired, and do not back the thesis that chaos improves some quality metric of the generators.}
+
+
+We hope now that, with the new sections added to the document (like the Section 5), we have convinced the reviewers that to add chaotic properties in
+existing generators can be of interest.
+
+\bigskip
+\textit{On the theoretical side, you may be interested in Vladimir Anashin's work on ergodic theory on p-adic (specifically, 2-adic) numbers to prove uniform distribution and maximal period of generators. The $d_s(S, \check{S})$ distance loosely resembles the p-adic norm.}
+
+Thank you for this information. However, we have already established the uniform distribution in \cite{bcgr11:ip} (recalled in Theorem 2).
+
+\bigskip
+\textit{Typos and other nitpicks:\\
+ - Blub Blum Shub is misspelled in a few places as "Blum Blum Shum";}
+
+These misspells have been corrected (sorry for that).
+
+\bigskip
+\textit{ - Page 12, right column, line 54: In "$t<<=4$", the $<<$ operation is using the `` character instead.}
+
+\bigskip
+\textit{ [1] Howes, L., and Thomas, D. "Efficient random number generation and application using CUDA." In GPU Gems 3, H. Nguyen, Ed. NVIDIA, 2007, Ch. 37. }
+
+
+\bibliographystyle{plain}
+\bibliography{mabase}