GFSR Pseudorandom Number Generation The linear congruential method for pseudorandom number generation is commonly used, and is easily implemented in any high level language; however, the period length of its random number stream is limited by the underlying machine’s word size. This is a serious issue, since at present day computer speeds, a simulation run could exhaust such a random number stream in a few hours, especially since distribution sampling methods such as accept-reject, consume multiple random values. Very long period (VLP) pseudorandom number generators remedy this deficiency.

One class of VLP pseudorandom number generators, generalized feedback shift register (GFSR) pseudorandom number generators, is based on algebraic manipulation of a form of irreducible polynomials of high order called primitive trinomials.

It is often advantageous in a simulation model to be able to isolate (or duplicate) a sequence of events of a given type. If this sequence of events is managed by its own pseudorandom number stream, then there is no possibility for its alteration by the action of another sequence representing events of some other type. For this reason, simulation languages typically provide for multiple pseudorandom number streams. General purpose high level languages provide a single pseudorandom number stream. If multiple pseudorandom number streams are needed for a custom implementation, then they have to be programmed.

Randomness Testing The quality of a pseudorandom number stream is determined by applying various statistical tests for randomness. As we have seen, for some configurations, the linear congruential method (LCM) of Lehmer, has been shown (by Marsaglia) to have n-space uniformity problems. In particular, at least one LCM generator deployed for real world use, which when used to produce 3-tuples, clumped the resulting n-tuples along a small number of planes in 3-space. LCM generators are popular because they are easy to initiate (via a single "seed") and their computational characteristic are simple. With carefully chosen values, their randomness characteristics, other than for the short period, can be quite good. The generalized feedback shift register (GFSR) pseudorandom number generator is generally traced to a seminal paper by Lewis and Payne ["Generalized Feedback Shift Register Pseudorandom Number Algorithm," Journal of the ACM (3), 1973, pp. 456-468]. It provides an effective pseudorandom number generator whose randomness characteristics under the various statistical tests for randomness match those of standard implementations of LCM generators, including n-space uniformity. It has provided the basis for much of the more recent development work in VLP pseudorandom number generation.

Algebraic Basis for GFSR Generators Unlike the simple computational basis used by LCM generators, the underlying basis for GFSR generators is couched in modern algebra, and so presents an added mathematical element to be understood (as we shall see). Moreover, GFSR generators do not have an obvious approach for initializing the table employed in the feedback-shift process; in particular, the procedure utilized by Lewis and Payne was one of brute force. Collings and Hembree ["Initializing GFSR Pseudorandom Number Generators,” Journal of the ACM (33), 1986, pp. 706-711.] provided for a much superior initialization strategy involving manipulation of polynomials over the Galois field of order 2 (Z2). Multiple pseudorandom number streams are then provided by simply generating as many tables as necessary.

Algebraic Background

The two element field Z2 is trivial in the sense that in and of itself there isn't much to it. It simply provides the basic building block from which all digital computer hardware and software logic derives. The implicit algebraic connection to the integers modulo m (the basis for finite mathematics and computer arithmetic) explains why we often work with Z2 rather than an alternate viewpoint, such as Boolean logic (where 1 + 1 = 1, inclusive OR). The two elements of Z2 are denoted by {0, 1}. The two operations + and • are used because of their intimate correspondence to addition and multiplication of ordinary integers. In essence, we start by separating the integers into the two equivalence classes of the even integers and the odd integers. Representing the even integers by 0 and the odd integers by 1, then these operations are "inherited" from their behavior on the equivalence classes (i.e., even + even is even, even + odd is odd, even × odd is even, etc) yielding the familiar operation tables + 0 1 • 0 1 0 0 1 0 0 0 1 1 0 1 0 1 where in this case the + operation corresponds to the Boolean ⊕ operation (exclusive OR) and the • operation is Boolean AND. Note that Boolean ⊕ is also the logical operation ≠.

Polynomials over Z2 Polynomials have been extensively studied in mathematics for centuries. If we restrict them to coefficients in Z2 and the above operations, then they become easy to manipulate. In particular, since 1 + 1 = 0 in Z2 , we have the nice reduction

x + x = 0 when looking at polynomials over Z2 . The collection of all polynomials with coefficients restricted to 0 and 1 from Z2 is denoted by Z2[x]. It is an algebraic system in and of itself, and is in fact a ring structure with essentially the same kinds of algebraic properties as the ring of integers Z (the term ring is used to describe algebraic systems of two operations that have the same kinds of properties as addition and multiplication of numbers). Hence the terminology the ring of polynomials Z2[x] is used. Algebraists classify rings into different types, generally based on properties they share with common algebraic systems (e.g., the ring of matrices is a non-commutative ring). The ring of polynomials Z2[x], interestingly, has properties analogous to ones normally associated with the integers. In particular, there are polynomials in Z2[x], called irreducible polynomials, that are very analogous to the prime numbers of the ring of integers Z (Z is from the German word for number, Zahl). .

Tying it Back to Computer Arithmetic The manner in which computer memory is addressed dictates that a power of 2 is the natural word size n to employ (the word size is the number of bits used to represent an integer). The most natural operation at the circuit level for a computer word size of n = 2k is arithmetic modulo n. There are a number of practical consequences associated with both the finite size of the word space and the computational characteristics implicit in this native computer arithmetic. Leaving those aside for the moment, the reason it actually works is that it directly represents the quotient ring Z / 2k . The elements of Z / 2k are just the equivalence classes of the integers modulo 2k with operations of addition and multiplication as inherited from the (infinite) algebraic system we know as the integers. The number of elements (the order of Z / 2k ) is automatically 2k , and represents all possible sequences of 0's and 1's that can be stored in a computer word. A practical issue of computer arithmetic is the presence of "0-divisors", numbers which when multiplied together give 0 (the circuitry reports this as an overflow condition). Overcoming this limitation requires adding additional features, such as floating point arithmetic (based on "scientific notation"), an inherently imprecise mechanism if used for integer arithmetic. The "arithmetic precision" can be increased by using algorithms for processing bit-strings whose length exceeds the "natural integers" of the machine's 2k word size. The natural representation of integers in computer memory as integers modulo 2k eliminates any natural means of eliminating 0-divisors, since integer arithmetic modulo p has 0-divisors unless p is a prime or p = 1 (a trivial case).

Finite Fields 0-divisiors do not occur if the modulo base is a prime p, in which case the integers modulo p (designated Zp) not only has no zero divisors, but also has the property that non-zero elements have multiplicative inverses. This type of ring is called a field, the most familiar examples of which are infinite, the real numbers R, and the complex numbers C. Algebraists have been able to show that every finite field has order pk for some prime p and that finite fields are unique; i.e., any two finite fields of the same order are equivalent. It turns out that we get a field of order pk from Zp[x] by factoring modulo an irreducible polynomial f(x) of degree k. Just like prime numbers, an irreducible polynomial is one whose only divisors are itself and 1 (this concept is useless when there are 0-divisors present, which is why we are looking at the context of Z2[x] rather than the computer representation of integers mod 2n). Getting back to Z2[x], for irreducible polynomial f(x) ∈ Z2[x] of degree k, Z2[x]/(f(x)) is a finite (Galois) field of order 2k (in general, the notation R[x]/(f(x)) represents the ring of polynomials R[x] modulo the polynomial f(x)). This tells us how to get our hands on all finite fields whose order is a power of 2, subject to being able to find the necessary irreducible polynomials, which in turn makes the issue of finding such irreducible polynomials pretty important (keep in mind that people continue to try to unravel the mystery of prime numbers and you will gain some additional appreciation for the potential degree of difficulty this may entail).

Special Properties of Finite Fields In general, the multiplicative group of any finite field is cyclic, which means that there is some non-zero element c whose powers c0=1, c1=c, c2, . . . cycle through all of the n-1 non-zero elements of the field of order n=pk. We now know that a finite field has order n = pk for some prime p, so for p = 2 we just need an irreducible polynomial f(x) in Z2[x] of degree k to generate the field of order 2k. For some irreducible polynomials in Z2[x]/(f(x)) the obvious cyclic generator works; namely, the powers of x modulo f(x). In other words, we get the n - 1 non-zero elements of Z2[x]/(f(x)) by computing

1=x0, x1, x2, x3, ... , xn-2 , xn-1 = x0 = 1, where n = 2k , reducing modulo f(x) as we get powers larger than k-1. This kind of irreducible polynomial is called a primitive polynomial. It has been shown that for Zp[x], primitive polynomials of degree k exist for every k. It is obviously important to identify primitive polynomials of degree k (especially for p = 2) since for them the powers of x are algebraically guaranteed to cycle through all the non-zero polynomials of degree less than k. Whenever 2k – 1 is prime, it is sufficient to identify the irreducible polynomials for Zp[x] of order k since in this case all irreducible polynomials of order k are primitive (prime numbers of the form 2k – 1 are called Mersenne primes; the largest known prime numbers are all in this category).

Representing the Polynomials of Degree < k Note that the polynomials of degree less than k can be represented by the 2k sequences of 0's and 1's representing their coefficients; i.e.,

0 0 0 . . . 0 ≡ 0 1 0 0 . . . 0 ≡ 1 0 1 0 . . . 0 ≡ x 1 1 0 . . . 0 ≡ 1 + x 0 0 1 . . . 0 ≡ x2 1 0 1 . . . 0 ≡ 1 + x2 0 1 1 . . . 0 ≡ x + x2 1 1 1 . . . 0 ≡ 1 + x + x2 . . . . . .

These are the base representatives of the elements of Z2[x]/(f(x)) just as 0, 1, 2, …, 2n-1 are the base representatives for the integers modulo 2n. If f(x) is irreducible and of degree k, there are 2k-1 of these since the field has 2k elements (including 0). When this sequence of polynomials (all of degree < k) is evaluated at x=1 (addition is mod 2; i.e., exclusive OR), the Tausworthe sequence results [ "Random Numbers Generated by Linear Recurrence Modulo Two,” Math. Comput. (19), 1965, pp. 201-209], which is the sequence of 0's and 1's of period 2k-1 described in Lewis and Payne.

x0 x1 x2 . . . xk-1 coefficients corresponding polynomial

Example Irreducible that is not Primitive

For Z2[x], f(x) = 1 + x + x2 + x3 + x4 is an irreducible polynomial of degree 4. This means that for Z2[x]/f(x) is a field of order 16 = 24 and moreover that x4 ≡ (x + x2 + x3 + x4) mod f(x). The sequence of powers of x is x0 ≡ 1 x1 x2 x3 x4 ≡ 1+x+x2+x3 x5 ≡ x+x2+x3+x4 ≡ 1 f(x) is not primitive since x is not a cyclic generator for the multiplicative group of Z2[x] mod f(x). However, according to the theory of finite fields, the multiplicative group must have at least one cyclic generator. For example, g(x) = (1+x) is a cyclic generator for the multiplicative group of this field.

(1+x)0 ≡ 1 (1+x)1 ≡ 1+x (1+x)2 ≡ 1+x2

(1+x)(1+x2) ≡1+x+x2+x3 x+x2+x3 1+x2+x3 x3 1+x+x2 1+x3 x2

x2+x3 1+x+x3 x x+x2 x+x3

(1+x)15 ≡ (1+x)(x+x3) ≡x+x3+x2+(1+x+x2+x3)≡1

1 0 0 0 0 1 0 0 0 0 1 0 0 0 0 1 1 1 1 1

1 0 0 0 1 1 0 0 1 0 1 0 1 1 1 1 0 1 1 1 1 0 1 1 0 0 0 1 1 1 1 0 1 0 0 1 0 0 1 0 0 0 1 1 1 1 0 1 0 1 0 0 0 1 1 0 0 1 0 1

Example Irreducible that is Primitive

For Z2[x], f(x) = 1 + x + x4 is an irreducible polynomial of degree 4 that is primitive. This again means that for Z2[x]/f(x) is a field of order 16 = 24 and in this case that x4 ≡ (1+x) mod f(x).

The sequence of powers of x confirms that x is a cyclic generator for the 15 elements of the multiplicative group of Z2[x]/f(x); i.e., f(x) is primitive. x0 ≡ 1 x1 x2 x3 x4 ≡ 1+x x+x2

x2+x3 1+x+x3 1+x2 x+x3 1+x+x2 x+x2+x3 1+x+x2+x3 1+x2+x3 1+x3

1 0 0 0 0 1 0 0 0 0 1 0 0 0 0 1 1 1 0 0 0 1 1 0 0 0 1 1 1 1 0 1 1 0 1 0 0 1 0 1 1 1 1 0 0 1 1 1 1 1 1 1 1 0 1 1 1 0 0 1

A Small Example

It can be shown that f(x) = 1 + x2 + x5 is a primitive polynomial in Z2[x], which is one that is small enough to illustrate the computational processes involved because the multiplicative group of Z2[x]/(f(x)) in this case only has 25 - 1 = 31 terms. First note that since f(x) ≡ 0 mod (f(x)), and since over Z2 we always have t + t = 0. Applying this to

f(x) = 1 + x2 + x5 = 0 as follows

1 + x2 + x5 + 1 + x2 = 0 + 1 + x2 we get the reduction

x5 = 1 + x2 Then using this reduction on the powers of x we get:

x0 =1, x, x2, x3, x4, x5 = 1+x2, x6 = xx5 = x(1 + x2 ) = x + x3, x7 = xx6 = x(x + x3 ) =x2 +x4, x8 = xx7 = x(x2 + x4 ) = x3 + x5 = 1 + x2 + x3, x9 = xx8 = x(1 + x2 + x3 ) = x + x3 + x4, x10 = xx9 = x(x + x3 + x4 ) = x2 + x4 + x5 = x2 + x4 + 1+x2 = 1 + x4, . . . x20 = x2 + x3 , . . .

If we evaluate each of these at x = 1 we get the Tausworthe sequence

1 1 1 1 1 0 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 0 1 0 0 1 0 1 1 0 0 which has an appearance of randomly distributed 0's and 1's once past the initial run of 1's.

Value for x = 1 1, 1, 1, 1, 1,

0 0 0 1 1 0

. . . 0

General Procedure for Getting the Powers of x It is always the case for polynomial f(x) of degree p in Z2[x] that

f(x) = g(x) + xp for some g(x) of degree < p, so xp = g(x) mod (f(x)).

Hence, xp may be obtained from those of the p terms x0, x1, x2, ..., xp-1 for which g(x) has non-zero coefficients. This is the basis for a linear recurrence relation, where the ith term is obtained from those of the preceding p terms that correspond to the non-zero positions in g(x). Computation is simplified if f(x) is chosen to be a primitive trinomial of the form f(x) = 1 + xq + xp, in which case the linear recurrence is given by xi = xi-p + x(i-p)+q. Primitive trinomials are important enough that lists of them have been published:

Zierler, N. and J. Brillhart, "On Primitive Trinomials (Mod 2)," Inf. Control (13), 1968, pp. 541-554.

Zierler, N. and J. Brillhart, "On Primitive Trinomials (Mod 2), II," Inf. Control (14), 1969, pp. 566-569.

Lewis, T. G. and W. H. Payne, "Generalized Feedback Shift Register Pseudorandom Number Algorithm," Journal of the ACM (3), 1973, pp. 456-468.

Arvillias, A. C. and D. G. Maritsas, "Partitioning the Period of a Class of m-Sequences and Application to Pseudorandom Number Generation," Journal of the ACM (25), 1978, pp. 675-686.

Florent Chabaud’s exhaustive lists are at http://fchabaud.free.fr/English/default.php?COUNT=1&FILE0=Poly

(degree 2 to 2000) For example,

1 + x15 + x49 is primitive and 1 + x32 + x521 is primitive

(one produces a Tausworthe sequence of period 249 - 1 and the other of period 2521 - 1, a very long period indeed). Continued study has revealed enormously larger polynomials in this class.

xi = xpx(i-p)

= (1+xq)x(i-p)=xi-p+x(i-p)+q

As per Richard Brent and Paul Zimmermann http://wwwmaths.anu.edu.au/~brent/trinom.html The largest known primitive trinomials as of June-July, 2007 are 1 + x8785528 + x24036583 and 1 + x8412642 + x24036583 both of degree 24,036,583

Using the Tausworthe Sequence to Produce Random Values You should have noticed that the Tausworthe sequence always will start out predictably, since the first p terms are obtained from x0, x1, x2, ..., xp-1 which evaluates to a sequence of p 1's. Generally desirable randomness properties only begin to occur after progressing well out into the sequence. Sticking with primitive trinomials of the form f(x) = 1 + xq + xp for simplicity, the idea is to maintain a window of length p into the Tausworthe sequence in a shift register of length p. The + operation of Z2 is the same as Boolean XOR. The bit to be shifted in is calculated via feedback from positions 0 and q using the linear recurrence

xi = xi-p + x(i-p)+q position 0 of register position q of register

With the bit shifted in calculated in this manner by the Boolean XOR operation applied to the 0th and qth bits, the effect is to shift a window of length p along the Tausworthe sequence. Note that if the hardware register support is provided, at the microcode level this can be accomplished in a single CPU cycle! In the earlier example, from the primitive trinomial f(x) = 1 + x2 + x5 we obtained the Tausworthe sequence: 1 1 1 1 1 0 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 0 1 0 0 1 0 1 1 0 0 From x5 = 1 + x2 we compute xi-5x5 = xi-5 + xi-5x2 giving xi = xi-5 + xi-5+2 so the recurrence relation is given by xi = xi-5 + xi-3 .

xi-5 + xi-3 = xi

left shift, xi shifted in (window moves right)

5-bit value 21 13 18 25 2 7

Getting an RNG from the Tausworthe Sequence Lewis and Payne ["Generalized Feedback Shift Register Pseudorandom Number Algorithm," Journal of the ACM (3), 1973, pp. 456-468] turned this basic idea into an RNG. Their procedure was to arrange p segments of the Tausworthe sequence each of length p in columns, each segment "delayed" by some constant amount d from the preceding one. In essence,

p shift registers are arranged in this fashion to produce a p×p array of p-bit words.

It can be shown that maximum period length on these words (2p-1) is achieved if the p×p matrix has rank p (linearly independent columns). This condition is satisfied if 0 < d < 2p - 1 and d is relatively prime to 2p - 1. For a pseudorandom number generator producing L-bit words (L < p), only the first L columns are employed. For f(x) = 1 + x2 + x5 , recurrence relation xi = xi-5 + xi-3 , and its sequence 5 1 1 1 1 1 0 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 0 1 0 0 1 0 1 1 0 0 20 1 0 1 1 0

20 0 1 0 1 0

20 1 1 0 0 0 20 0 0 1 0 1

20 1 1 0 1 0

the matrix with columns starting from position 5 in the Tausworthe sequence with a column to column delay of 20 is given by

1 0 1 0 1 0 1 1 0 1 1 0 0 1 0 1 1 0 0 1 0 0 0 1 0 0 0 1 1 1

delay column 1

column 2

xi-3 feed back position

xi-5 feed back position

xi values to be shifted in

column 3 column 4 column 5

Getting a VLP RNG For the primitive trinomial

1 + x32 + x521 with p = 521, we clearly get a random stream using the generalized feedback shift process of enormous period (2521 - 1), a clear example of a VLP RNG. With the typical machine word size of L = 64, it is clear that we don't need but first 64 columns of the p×p array to produce 64-bit random values. Normally, the p×L array consisting of the first L columns is used. This means that for the above primitive trinomial, 457 of the possible 521 columns in the generating matrix are not used. Note that in the complete cycle of length 2521 - 1 for this generator, any combination of 0's and 1's in the first 64 columns occurs 2457 times when considering all possible combinations across the full width of 521. In taking only L columns, this means that each of the 264 integers that can be represented on the machine occurs 2457 times in the sequence! Hence, it is natural for this type of generator to repeat values. Since the basic LCM generator of period length 231 - 1 is inherently limited to the values in its 32-bit computation space, it does not have the capacity for providing repetition in its random number stream. Obviously, one weakness for the GFSR generator for the above polynomial is that the control matrix of 64 521 bit registers (about 4K bytes) needs to be provided for in the hardware. Another weakness is the lack of means for easily initializing the generator. Lewis and Payne provided only a brute force mechanism. A much superior approach is described in

Collins, B. J. and G. B. Hembree, "Initializing GFSR Pseudorandom Number Generators,” Journal of the ACM (33), 1986, pp. 706-711.

GFSR Table Initialization

In their seminal paper ("Generalized Feedback Shift Register Pseudorandom Number Algorithm," Journal of the ACM (3), 1973, pp. 456-468), Lewis and Payne chose to work directly from the basic Tausworthe sequence in initializing the p×L-bit matrix. Their initialization literally applied the linear recurrence repeatedly, starting from the initial sequence of p 1's as the first column, and employing a delay of d = 100p. To offset the effect of the initial column of all 1's, they cycled the matrix an additional r times (r = 5000p). With these values, Collins and Hembree ("Initializing GFSR Pseudorandom Number Generators,” Journal of the ACM (33), 1986, pp. 706-711) note that 637,098 terms must be computed when p=98 and L=15. In a similar vein, Arvillias and Maritsas ("Partitioning the Period of a Class of m-Sequences and Application to Pseudorandom Number Generation," Journal of the ACM (25), 1978, pp. 675-686) argue that the limitations of these somewhat arbitrary delay values may produce correlation problems in some instances (lack of independence between evenly spaced numbers in the sequence). They suggest a delay d of (2p-1)/L, which is obviously impractical when p = 521 and L = 64 and a brute force initialization is employed.

Modern Algebra to the Rescue

A little judicious application of modern algebra (Collings and Hembree) provides computationally reasonable means of providing initialization at any distance out in the Tausworthe sequence. 1. It is easy to calculate the polynomials xp, x2p, x4p, ... where each is the square

of the preceding one.

Since 1+1 = 0 for Z2, squaring is accomplished by simply doubling the exponents (then reducing modulo f(x) to get a polynomial of degree less than p). This process is algorithmically easier to deal with than it might first appear. If given a polynomial Ti(x) = xtp for t = 2i in this sequence, represent it by a bit string T of length p. Then prior to reduction modulo f(x), the active bit positions in Ti+1(x) = (Ti(x))2 are given by 2 times the active positions in Ti(x); so,

if Ti(x) is given by 1 0 0 1 0 1 (corresponding to 1 + x3 + x5 ) it has active positions at 0, 3, 5)

Ti+1(x) = (Ti(x))2 is given by 1 0 0 0 0 0 1 0 0 0 1 (corresponding to 1 + x6 + x10 ) and has active positions 0, 6, 10)

2. If we cycle out the initial amount r, then delay another d in the Tausworthe sequence, we get the <1st-row,1st-column> element of the GFSR table. The power of x that produces this element is xdxr.

If we are clever and take as the values for the initial delay of r, and the repeating delay of d numbers of the form 2np, say d=2np and r=2mp, then we will be able to cast this using the Ti's. What we really want is the polynomial of degree < p that we get by reducing this power of x modulo our primitive trinomial. This is obtained by reducing

Sd+r(x) = xdxr = Tn(x)Tm(x) modulo f(x).

Remark: If p=521 and n=100, then 101 iterations, xp, x2p, x4p, … , p2100

x will be required to obtain Tn(x); Tm(x) may be picked up along the way.

In contrast to the brute force method, relatively few iterations gets us a long way out in the sequence!

3. Moving along the 1st row, we delay another d in getting to the 1st element of

the next column. This means that the value comes from x2d+r so we need to reduce

S2d+r(x) = x2d+r = Sd+r(x) Tn(x) = (Tn(x))2 Tm(x) modulo f(x). Successive multiplication by Tn(x) (with reduction modulo f(x)) produces the sequence of polynomials for generating the 1st row of the GFSR table. Call this sequence of polynomials W0.

4. The sequence of polynomials for the next row of the GFSR table is produced

by multiplying each element of W0 by x (recall that the polynomials generating the Tausworthe sequence still correspond to powers of x even when reduced modulo f(x)). Iteratively repeating this process will produce the generating polynomials for each row Wi of the GFSR table.

5. Note that for each row, this sequence of L polynomials Wi can be

represented as an L×p matrix, each row representing the corresponding polynomial of degree < p in Wi. The L terms generated by applying XOR across each row of the L×p matrix produces the ith row of the GFSR table (ie., each of the polynomials in Wi is evaluated at x = 1).

The actual reduction modulo f(x) and polynomial multiplication over Z2 are just bit manipulation exercises easily accommodated in a high level language such as C. After calculation of W0, for the primitive trinomial x521 + x32 +1 and a 64 bit table, there is a single polynomial reduction required for each of the remaining 33,343 positions (33,343 = 521x64 –1).

The Small Example Revisited Our small example used

f(x) = 1 + x2 + x5. This polynomial is an primitive polynomial in Z2[x]. Although there are only 31 elements in Z2[x]/(f(x)), there are enough terms to fully illustrate the construction process without overwhelming amounts of computation. The powers of x are

1, x, x2, x3, x4, x5=T0(x) =1+x2, x6=x+x3, x7=x2+x4, x8=1+x2+x3, x9=x+x3+x4, x10=T1(x)=1+x4, x11=1+x+x2, x12=x+x2+x3, x13=x2+x3+x4, x14=1+x2+x3+x4,

x15=1+x+x2+x3+x4, x16=1+x+x3+x4, x17=1+x+x4, x18=1+x, x19=x+x2,

x20=T2(x)= x2+x3, x21=x3+x4, x22=1+x2+x4, x23=1+x+x2+x3, x24=x+x2+x3+x4, x25=1+x3+x4, x26=1+x+x2+x4, x27=1+x+x3, x28=x+x2+x4, x29=1+x3, x30=x+x4

which produces the Tausworthe sequence 1 1 1 1 1 0 0 0 1 1 0 1 1 1 0 1 0 1 0 0 0 0 1 0 0 1 0 1 1 0 0

For delay d = 22×5 = 20 and r = 20×5 = 5, the GFSR table generating polynomials W0, W1, W2, W3, W4 are given by

W0 = (x25=T2(x)T0(x) =1+x3+x4), (T2(x)2 T0(x) =1+x2+x3+x4), (T2(x)3 T0(x) =x3), (T2(x)4 T0(x) =1+x+x2+x3), (T2(x)5 T0(x) =x+x2+x3)

W1 = (1+x+x2+x4), (1+x+x2+x3+x4), (x4), (x+x2+x3+x4), (x2+x3+x4)

W2 = (1+x+x3), (1+x+x3 +x4), (1+x2), (1+x3+x4), (1+x2+x3+x4)

W3 = (x+x2+x4), (1+x+x4), (x+x3), (1+x+x2+x4), (1+x+x2+x3+x4)

W4 = (1+x3), (1+x), (x2+x4), (1+x+x3), (1+x+x3+x4)

Evaluating W0, W1, W2, W3, W4 at x=1 yields the GFSR table 1 0 1 0 1 ≡10 21 ← feedback position 0 1 1 0 1 ≡10 13 1 0 0 1 0 ≡10 18 ← feedback position 1 1 0 0 1 ≡10 25 0 0 0 1 0 ≡10 2

Then the 1st iteration of the GFSR pseudorandom number generator will combine the 2 feedback positions to yield 7 and the GFSR table becomes 0 1 1 0 1 ≡10 13 1 0 0 1 0 ≡10 9 1 1 0 0 1 ≡10 25 0 0 0 1 0 ≡10 2 0 0 1 1 1 ≡10 7

It is evident that once the table is in place, the actual random number generation is computationally efficient, since it involves only shift and exclusive OR operations. Significant computational time is necessary to generate GFSR tables, but only needs to be done once for each random number stream employed.

What Next?

The Mersenne Twister (MT) RNG is a derivative of the twisted GFSR RNG of Matsumoto and Kurita [“Twisted GFSR generators II,” ACM Transactions on Modeling and Computer Simulation (4), 1994, pp. 254-266]. The technique overcomes the initialization and seeding problems associated with the original GFSR approach.

Openware code for a Mersenne Twister of period 219937-1. can be obtained from http://www.math.sci.hiroshima-u.ac.jp/~m-mat/MT/emt.html At this site, Matsumoto provides a C implementation requiring only 624 words of memory. He also notes that the generator benchmarks at 4 times faster than rand().

Matsumoto further notes that the sequence produced is not cryptographically secure and that for cryptographic use an appropriate secure hashing algorithm (non-invertible function compressing several words into one word) has to be additionally used. There are other VLP RNGs that have now been developed. Research is ongoing. A battery of statistical tests (Marsaglia’s “Diehard” collection) is available from http://stat.fsu.edu/pub/diehard/