From: cguyeux Date: Tue, 4 Sep 2012 09:10:01 +0000 (+0200) Subject: fajflak X-Git-Url: https://bilbo.iut-bm.univ-fcomte.fr/and/gitweb/prng_gpu.git/commitdiff_plain/1ac8792cbffd85b53eb50d99f0f70e7d2bf2eb3f fajflak --- diff --git a/reponse.tex b/reponse.tex index f720670..97e39a2 100644 --- a/reponse.tex +++ b/reponse.tex @@ -27,7 +27,7 @@ As other tests (NIST, Diehard, SmallCrush and Crush of TestU01 ) are deemed less \textit{Section 9: The authors say they replace the xor-like PRNG with a cryptographically secure one, BBS, but then proceed to use extremely small values, as far as a cryptographer is concerned (modulus of $2^{16}$), in the computation due to the need to use 32 bit integers in the GPU and combine bits from multiple BBS generated values, but they never prove (or even discuss) how this can be considered cryptographically secure due to the small individual values. At the end of 9.1, the authors say $S^n$ is secure because it is formed from bits from the BBS generator, but do not consider if the use of such small values will lead to exhaust searches to determine individual bits. The authors either need to remove all of section 9 and or prove the resulting PRNG is cryptographically secure.} -A new section has been added to measure practically the security of the generator. +A new section (namely, the Section 9.2) has been added to measure practically the security of the generator. \bigskip \textit{In the conclusion: @@ -48,13 +48,21 @@ Done. \textit{There seems to have been no effort in showing how the new PRNG improves on a single (say) xorshift generator, considering the slowdown of calling 3 of them per iteration (cf. Listing 1). This could be done, if not with the mathematical rigor of chaos theory, then with simpler bit diffusion metrics, often used in cryptography to evaluate building blocks of ciphers.} A large section (Section 5) has been added, using and extending some previous works, explains with more detail why topological chaos -is useful to pass statistical tests. Using several examples, this section illustrates that defective PRNGs are always improved, according +is useful to pass statistical tests. This new section contains both qualitative explanations and quantitative (experimental) evaluations. + Using several examples, this section illustrates that defective PRNGs are always improved, according to the NIST, DieHARD, and TestU01 batteries. \bigskip \textit{The generator of Listing 1, despite being proved chaotic, has several problems. First, it doesn't seem to be new; using xor to mix the states of several independent generators is standard procedure (e.g., [1]).} -To the best of our knowledge, all the generators proposed in the literature mix only a few operations on previously obtained states: +The novelty of the approach is not in the discovery of a new kind of operator, but on the way to combine existing PRNGs. We propose +to realize a post-treatment based on chaotic iterations on these generators, in order to add topological properties that improve +their statistics while preserving their cryptographical security. In this document, generators that use XOR or BBS are only +illustrative examples using the vectorial negation as iterative function in the chaotic iterations. Theorems 1 and 2 explain how to +replace this negation function, that leads to well known forms of generators, by more exotic ones. However, the choice of the vectorial +negation for illustrations has been motivated for speed. + +Indeed, to the best of our knowledge, all the generators proposed in the literature mix only a few operations on previously obtained states: arithmetic operations, exponentiation, shift, exclusive or. It is impossible to define a fast PRNG or to prove its security when using more complicated operations, and the number of such operations that are mixed is necessary very low. Thus almost all up-to-date fast or secure generators are very simple, like the BBS or all the XORshift-like ones. In a certain extend, they are all similar, @@ -66,21 +74,25 @@ due to the very reduced number of efficient elementary operations offered to def \begin{color}{green} Raph, c'est pour toi ça : soit tu changes tes xorshits, soit tu justifies ton choix ;) -\end{color}{green} +\end{color} \bigskip \textit{Thirdly, by combining 3 linear generators with xor, another linear operation, you still get a linear generator, potentially vulnerable to stringent high-dimensional spectral tests.} This first generator has not been designed for security reasons, but for speed: the idea was to provide a very efficient version of our former generator that can pass -TestU01. If the desire is to use a fast and statistically perfect PRNG, then simulations +TestU01, and linear +operations are a necessity when speed with pseudorandomness are desired. If the desire is to use a fast and statistically perfect PRNG, then simulations proposed in this document show that this first PRNG is suitable. However, we have neither -claimed nor proved that this generator is secure. Indeed, to the authors opinion, -linear operations are a necessity when speed with pseudorandomness are only desired. -A sentence has been added to clarify this point \begin{color}{green} Il faudrait ajouter -cette phrase fin de la section 6 (je l'ai fait pour la fin de la section 5.4). -Dire que pour l'instant, on veut juste avoir de la rapidité sans biais -statistique, que la sécurité viendra après.\end{color} +claimed nor proved that this generator is secure. Indeed, we have only shown that some +chaotic iteration based post-treatment, like the one that use the vectorial negation, +can preserve the cryptographically secure property (while adding chaos), if this property has been established +for the inputted generator. As the inputted generator is not +cryptographically secure in the example disputed by the reviewer, we cannot apply this +result. Indeed the first part of the document does not deal with security, +but it investigates the speed, chaos, and statistical quality of PRNGs. +A sentence has been added to clarify this point at the end of Section 5.4. + \bigskip \textit{The BBS-based generator of section 9 is anything but cryptographically secure.}