TinyMT32 Pseudo Random Number Generator (PRNG)
draft-ietf-tsvwg-tinymt32-06

Note: This ballot was opened for revision 01 and is now closed.

Magnus Westerlund Yes

Deborah Brungard No Objection

Alissa Cooper No Objection

Roman Danyliw (was Discuss) No Objection

Comment (2019-06-13 for -04)
Thank you for addressing my DISCUSSes and COMMENTs

Benjamin Kaduk No Objection

Comment (2019-05-28 for -03)
In Section 3.1:

   o  the original copyright and licence have been removed, in
      accordance with BCP 78 and the IETF Trust's Legal Provisions
      Relating to IETF Documents (http://trustee.ietf.org/license-info);

The original copyright holder's permission is needed to do this!  Perhaps
it is appropriate to note that the original authors are now listed as
authors on this document.

Please also specify what language the code in Section 3.1 is written in,
including reference (so as to specify which version of C it is to be
intepreted as).

I agree with the secdir reviewer and Mirja that some more references
would be good.

Section-by-section comments follow.

Abstract

   while keeping a reasonably good randomness.

please add the "non-cryptographic" qualifier.

Section 1

                          According to statistical tests (BigCrush in
   TestU01 and AdaptiveCrush), the quality of the outputs of TinyMT
   seems pretty good in terms of randomnes (in particular the uniformity
   of generated numbers), taking the small size of the internal state
   into consideration (see [TinyMT-web]).  [...]

I'd suggest rewording as "The outputs of TinyMT satisfy several
statistical tests for (non-cryptographic) randomness, including BigCrush
in TestU01 and AdaptiveCrush), leaving it well-placed for
non-cryptographic usage, especially given the small size of its internal
state." or similar.  (This avoids the "pretty good" construct and moves
the emphasis from the tests to the usability of the algorithm.)

Section 3.1

   o  mat1 = 0x8f7011ee = 2406486510
   o  mat2 = 0xfc78ff1f = 4235788063
   o  tmat = 0x3793fdff = 932445695

side note: these first two have the MSB set, and thus when the
decimal form of the constant is used in C code, the implicit type will
be a signed integer type of width strictly greater than 32, as opposed
to an unsigned integer type (which would presumably have width 32 bits
on most modern sytsems).

       for (int i = 1; i < MIN_LOOP; i++) {
           s->status[i & 3] ^= i + UINT32_C(1812433253)
               * (s->status[(i - 1) & 3]
                  ^ (s->status[(i - 1) & 3] >> 30));

side note: I note that the UINT32_C macro produces a result of type
uint_least32_t, which in theory could be wider and of greater conversion
rank than uint32_t.  This would result in the intermediate calculations
being done in a type other than uint32_t, though for the specific
calculation here this should not cause any difference in the final
output after truncation to 32 bits.

Section 3.2

   This PRNG MUST first be initialized with the following function:

      void tinymt32_init (tinymt32_t * s, uint32_t seed);

nit: the pointer declaration style here was missed in the style pass
done in a recent revision.

   It takes as input a 32-bit unsigned integer used as a seed (note that
   value 0 is authorized by TinyMT32).  [...]

nit: perhaps "permitted" is a better word than "authorized", which can
have some different connotations to IETF readers.

                                    The use of this structure authorizes
   several instances of this PRNG to be used in parallel, each of them
   having its own instance of the structure.

nit: here, "admits" is a better replacement for "authorizes" (but
"permits" would be fine, too).

Section 3.3

               Consequently, any implementation of the TinyMT32 PRNG in
   line with this specification MUST comply with the following criteria.
   Using a seed value of 1, the first 50 values returned by
   tinymt32_generate_uint32(s) as 32-bit unsigned integers MUST be equal
   to values provided in Figure 2.  [...]

I don't think it's appropriate to attempt to use "agreement with these
test vectors" as a compliance mechanism (i.e., normative "MUST") -- the
normative requirement must surely be to have the same observable
behavior as the algorithm specified in the C code of Section 3.1.  These
vectors are just test vectors to give an implementor some confidence
that they agree with the reference behavior.

(You also need to say whether I read rows first or columns first in the
Figure's contents.)

Suresh Krishnan No Objection

Warren Kumari No Objection

Comment (2019-05-29 for -03)
I sometimes ballot "NoObj" in the "I read the protocol action, and I trust the sponsoring AD so have no problem" sense of the term.. but this time I'm using it in the "Goodness me, this is WAY outside my area of expertise" sense of the term.

[Edit:
I felt bad for not being able to do a more useful review, so I instead made sure that the code in the document actually generates the includes test vectors (and it does):

$ gcc -o out tinymt32.c ; ./out
 1: 2545341989
 2: 981918433
 3: 3715302833
 4: 2387538352
 5: 3591001365
 6: 3820442102
 7: 2114400566
 8: 2196103051
 9: 2783359912
10: 764534509
11: 643179475
12: 1822416315
13: 881558334
14: 4207026366
15: 3690273640
16: 3240535687
17: 2921447122
18: 3984931427
19: 4092394160
20: 44209675
21: 2188315343
22: 2908663843
23: 1834519336
24: 3774670961
25: 3019990707
26: 4065554902
27: 1239765502
28: 4035716197
29: 3412127188
30: 552822483
31: 161364450
32: 353727785
33: 140085994
34: 149132008
35: 2547770827
36: 4064042525
37: 4078297538
38: 2057335507
39: 622384752
40: 2041665899
41: 2193913817
42: 1080849512
43: 33160901
44: 662956935
45: 642999063
46: 3384709977
47: 1723175122
48: 3866752252
49: 521822317
50: 2292524454

This doesn't really say anything about the correctness of the document / algorithm, but does at least confirm that the code and test vectors match.

Mirja Kühlewind No Objection

Comment (2019-05-20 for -02)
I agree with Eric that a reference to MT would be really good.

As mentioned in the intro, "neither TinyMT nor MT are meant to be used for cryptographic applications". Please add this also to the security considerations section and maybe further explain risks.

Similar as the feedback originally provided (by other ADs) for draft-ietf-tsvwg-rlc-fec-scheme, I would prefer to have the algorithm specified in text and not only as code.

Barry Leiba No Objection

Comment (2019-05-28 for -03)
— Abstract —

   The main
   advantage of TinyMT32 over MT is the use of a small internal state,
   compatible with most target platforms including embedded devices,
   while keeping a reasonably good randomness.

The difference between “most target platforms including embedded devices,” and “most target platforms, including embedded devices,” is too subtle to be sure that readers get the meaning right.  I think the sentence would be clearer if it said, “most target platforms that include embedded devices,”.

— Section 1 —

   the quality of the outputs of TinyMT
   seems pretty good in terms of randomnes

Make it “randomness”.

   However, neither the TinyMT
   nor MT PRNG are meant to be used for cryptographic applications.

This seems a bit more buried than it should be, as it’s important.  I suggest putting some version of this in the Abstract, and also moving it more toward the beginning of the Introduction (probably in the first paragraph.

Alvaro Retana No Objection

Adam Roach (was Discuss) No Objection

Comment (2019-06-17)
Thanks for addressing my discuss point.

Martin Vigoureux No Objection

Comment (2019-05-28 for -03)
Hi,

I only have a minor question:
In which direction should the numbers of Figure 2 be read, per column or per line?

nit:
s/will then updated/will then be updated/

Éric Vyncke No Objection

Comment (2019-05-18 for -02)
Thanks for the work everyone has put into this document (and I understand that this -02 is coming out of another older document). While the mathematical aspects of the document are above my head, I took the liberty to put 3 comments and 1 nit in the hope to improve the quality of the document.


== COMMENTS ==

-- Introduction  --

Why not using the usual format for informative references in this chapter?

The Mersenne Twister is part of the sentence but there are no reference to any paper. Please add a reference for the seminal piece of work.

"...TinyMT32 represents a major improvement ..." can we have more information about this improvment? On which aspect ?
   
== NITS ==

-- Abstract  --

I find it a little surprizing that two authors are cited in the abstract.