Multiply-with-carry pseudorandom number generator explained

In computer science, multiply-with-carry (MWC) is a method invented by George Marsaglia for generating sequences of random integers based on an initial set from two to many thousands of randomly chosen seed values. The main advantages of the MWC method are that it invokes simple computer integer arithmetic and leads to very fast generation of sequences of random numbers with immense periods, ranging from around

to .

As with all pseudorandom number generators, the resulting sequences are functions of the supplied seed values.

General theory

which allows efficient implementation of a prime modulus much larger than the machine word size.

Normal Lehmer generator implementations choose a modulus close to the machine word size. An MWC generator instead maintains its state in base

, so multiplying by is done implicitly by shifting one word. The base is typically chosen to equal the computer's word size, as this makes arithmetic modulo trivial. This may vary from for a microcontroller to . (This article uses for examples.)

The initial state ("seed") values are arbitrary, except that they must not be all zero, nor all at the maximum permitted values (

and ). (This is commonly done by choosing between 1 and .). The MWC sequence is then a sequence of pairs determined by

This is called a lag-1 MWC sequence. Sometimes an odd base is preferred, in which case

can be used, which is almost as simple to implement. A lag- sequence is a generalization of the lag-1 sequence allowing longer periods. The lag- MWC sequence is then a sequence of pairs (for ) determined by

and the MWC generator output is the sequence of

's,

In this case, the initial state ("seed") values must not be all zero nor

and .

The MWC multiplier

and lag determine the modulus . In practice, is chosen so the modulus is prime and the sequence has long period. If the modulus is prime, the period of a lag- MWC generator is the order of in the multiplicative group of numbers modulo . While it is theoretically possible to choose a non-prime modulus, a prime modulus eliminates the possibility of the initial seed sharing a common divisor with the modulus, which would reduce the generator's period.

Because 2 is a quadratic residue of numbers of the form

, cannot be a primitive root of . Therefore, MWC generators with base have their parameters chosen so their period is (ab^r−1)/2. This is one of the difficulties that use of b = 2^k − 1 overcomes.

The basic form of an MWC generator has parameters a, b and r, and r+1 words of state. The state consists of r residues modulo b

0 ≤ x₀, x₁, x₂,..., x_r−1 < b,and a carry c_r−1 < a.

Although the theory of MWC generators permits a > b, a is almost always chosen smaller for convenience of implementation.

The state transformation function of an MWC generator is one step of Montgomery reduction modulo p. The state is a large integer with most significant word c_n−1 and least significant word x_n−r. Each step, x_n−r·(ab^r−1) is added to this integer. This is done in two parts: −1·x_n−r is added to x_n−r, resulting in a least significant word of zero. And second, a·x_n−r is added to the carry. This makes the integer one word longer, producing two new most significant words x_n and c_n.

So far, this has simply added a multiple of p to the state, resulting in a different representative of the same residue class modulo p. But finally, the state is shifted down one word, dividing by b. This discards the least significant word of zero (which, in practice, is never computed at all) and effectively multiplies the state by b⁻¹ (mod p).

Thus, a multiply-with-carry generator is a Lehmer generator with modulus p and multiplier b⁻¹ (mod p). This is the same as a generator with multiplier b, but producing output in reverse order, which does not affect the quality of the resultant pseudorandom numbers.

Couture and L'Ecuyer have proved the surprising result that the lattice associated with a multiply-with-carry generator is very close to the lattice associated with the Lehmer generator it simulates. Thus, the mathematical techniques developed for Lehmer generators (such as the spectral test) can be applied to multiply-with-carry generators.

Efficiency

A linear congruential generator with base b = 2³² is implemented as

where c is a constant. If a ≡ 1 (mod 4) and c is odd, the resulting base-2³² congruential sequence will have period 2³².^[1]

This can be computed using only the low 32 bits of the product of a and the current x.However, many microprocessors can compute a full 64-bit product in almost the same time as the low 32 bits. Indeed, many compute the 64-bit product and then ignore the high half.

A lag-1 multiply-with-carry generator allows us to make the period nearly 2⁶³ by using almost the same computer operations, except that the top half of the 64-bit product is not ignored after the product is computed.Instead, a 64-bit sum is computed, and the top half is used as a new carry value c rather than the fixed additive constant of the standard congruential sequence:Compute ax+c in 64 bits, then use the top half as the new c, and bottom half as the new x.

Choice of multiplier

With multiplier a specified, each pair of input values x, c is converted to a new pair,

If x and c are not both zero, then the period of the resulting multiply-with-carry sequence will be the order of b = 2³²in the multiplicative group of residues moduloab^r − 1, that is, the smallest n such thatbⁿ ≡ 1 (mod ab^r − 1).

If p = ab^r − 1 is prime, then Fermat's little theorem guarantees that the order of any element must divide p − 1 = ab^r − 2, so one way to ensure a large order is to choose a such that p is a "safe prime",that is both p and (p − 1)/2 = ab^r/2 − 1 are prime. In such a case, for b= 2³² and r = 1, the period will be ab^r/2 − 1, approaching 2⁶³, which in practice may be an acceptably large subset of the number of possible 32-bit pairs (x, c).

More specifically, in such a case, the order of any element divides p − 1, and there are only four possible divisors: 1, 2, ab^r/2 − 1, or ab^r − 2. The first two apply only to the elements 1 and −1, and quadratic reciprocity arguments show that the fourth option cannot apply to b, so only the third option remains.

Following are some maximal values of a for computer applications which satisfy the above safe prime condition, for lag-1 generators:

Bits in a	b	Maximum a such that ab−1 is a safe prime	Period
15	216	215−50 = 32,718	1,072,103,423
16	216	216−352 = 65,184	2,135,949,311
31	232	231−563 = 2,147,483,085	4,611,684,809,394,094,079
32	232	232−178 = 4,294,967,118	9,223,371,654,602,686,463
64	264	264−742 = 18,446,744,073,709,550,874	263(264−742)−1 ≈
128	2128	2128−10,408	2127(2128−10,408)−1 ≈
256	2256	2256−9166	2255(2256−9166)−1 ≈
512	2512	2512−150,736	2511(2512−150,736)−1 ≈

While a safe prime ensures that almost any element of the group has a large order, the period of the generator is specifically the order of b. For small moduli, more computationally expensive methods can be used to find multipliers a where the period is ab/2 − 1.The following are again maximum values of a of various sizes.

Bits in a	br	Maximum a such that b has order abr/2-1	Period
8	28	28−7 = 249	31,871
8	(28)2 = 216	28−32 = 224	7,340,031
15	216	215−29 = 32,739	1,072,791,551
16	216	216−22 = 65,514	2,146,762,751
8	(28)4 = 232	28−64 = 192	412,316,860,415
15	(216)2 = 232	215−26 = 32,742	70,312,909,602,815
16	(216)2 = 232	216−2 = 65,534	140,733,193,388,031
31	232	231−68 = 2,147,483,580	4,611,685,872,398,499,839
32	232	232−76 = 4,294,967,220	9,223,371,873,646,018,559
8	(28)8 = 264	28−41 = 215	263(28−41)−1 ≈
15	(216)4 = 264	215−50 = 32,718	263(215−50)−1 ≈
16	(216)4 = 264	216−56 = 65,480	263(216−56)−1 ≈
31	(232)2 = 264	231−38 = 2,147,483,610	263(231−38)−1 ≈
32	(232)2 = 264	232−43 = 4,294,967,253	263(232−43)−1 ≈
63	264	263−140 = 9,223,372,036,854,775,668	263(263−140)−1 ≈
64	264	264−116 = 18,446,744,073,709,551,500	263(264−116)−1 ≈

MWC generators as repeating decimals

The output of a multiply-with-carry generator is equivalent to the radix-b expansion of a fraction with denominator p = ab^r − 1. Here is an example for the simple case of b = 10 and r = 1, so the result is a repeating decimal.

Starting with $c\_0=1,x\_0=0$, the MWC sequence

produces this sequence of states:

10,01,07,49,67,55,40,04,28,58,61,13,22,16,43,25,37,52,19,64,34,31, 10,01,07,...

with period 22. Consider just the sequence of x_i:

0,1,7,9,7,5,0,4,8,8,1,3,2,6,3,5,7,2,9,4,4,1, 0,1,7,9,7,5,0,...

Notice that if those repeated segments of x values are put in reverse order:

we get the expansionj/(ab−1) with a=7, b=10, j=10:

This is true in general: The sequence of xs produced by a lag-r MWC generator:

when put in reverse order, will be the radix-b expansion of a fraction j/(ab^r - 1) for some 0 < j < ab^r.

Equivalence to linear congruential generator

Continuing the above example, if we start with $x\_0=34$, and generate the ordinary congruential sequence

,we get the period 22 sequence

31,10,1,7,49,67,55,40,4,28,58,61,13,22,16,43,25,37,52,19,64,34, 31,10,1,7,...and that sequence, reduced mod 10, is

1,0,1,7,9,7,5,0,4,8,8,1,3,2,6,3,5,7,2,9,4,4, 1,0,1,7,9,7,5,0,...the same sequence of xs resulting from the MWC sequence.

This is true in general, (but apparently only for lag-1 MWC sequences):

Given initial values

, the sequence resulting from the lag-1 MWC sequence

is exactly the Lehmer random number generator output sequence y_n = ay_n - 1 mod (ab - 1),reduced modulo b.

Choosing a different initial value y₀ merely rotates the cycle of xs.

Complementary-multiply-with-carry generators

Establishing the period of a lag-r MWC generator usually entails choosing multiplier a so that p = ab^r − 1 is prime. Then p − 1 will have to be factored in order to find the order of b mod p. If p is a safe prime, then this is simple, and the order of b will be either p − 1 or (p − 1)/2. In other cases, p - 1 may be difficult to factor.

However, the algorithm also permits a negative multiplier. This leads to a slight modification of the MWC procedure, and produces a modulus p = = ab^r + 1. This makes p − 1 = ab^r easy to factor, making it practical to establish the period of very large generators.

The modified procedure is called complementary-multiply-with-carry (CMWC), and the setup is the same as that for lag-r MWC: multiplier a, base b, and r + 1 seeds,

x₀, x₁, x₂, ..., x_r−1, and c_r−1.

The modification is to the generation of a new pair (x, c). Rearranging the computation to avoid negative numbers, the new x value is complemented by subtracting it from b − 1:

The resulting sequence of xs produced by the CMWC RNG will have period the order of b in the multiplicative group of residues modulo ab^r+1, and the output xs, in reverse order, will form the base b expansion of j/(ab^r+1) for some 0 < j < ab^r.

Use of lag-r CMWC makes it much easier to find periods for rs as large as 512, 1024, 2048, etc.(Making r a power of 2 makes it slightly simpler to access elements in the array containing the r most recent xs.)

Another advantage of this modified procedure is that the period is a multiple of b, so the output is exactly equidistributed mod b. (The ordinary MWC, over its full period, produces each possible output an equal number of times except that zero is produced one time less, a bias which is negligible if the period is long enough.)

One disadvantage of the CMWC construction is that, with a power-of-two base, the maximum achievable period is less than for a similar-sized MWC generator; you lose several bits. Thus, an MWC generator is usually preferable for small lags. This can remedied by using b = 2^k−1, or choosing a lag one word longer to compensate.

Some examples:With b = 2³², and a = 109111 or 108798 or 108517, the period of the lag-1024 CMWC

will be a·2³²⁷⁶² = ab¹⁰²⁴/64, about 10⁹⁸⁶⁷.

With b = 2³² and a = 3636507990, p = ab¹³⁵⁹ − 1 is a safe prime, so the MWC sequence based on that a has period 3636507990·2⁴³⁴⁸⁷ ≈ 10¹³¹⁰¹.

With b = 2³², a CMWC RNG with near record period may be based on the prime p = 15455296b⁴²⁶⁵⁸ + 1. The order of b for that prime is 241489·2^1365056 ≈ 10⁴¹⁰⁹²⁸.

More general moduli

The MWC modulus of ab^r−1 is chosen to make computation particularly simple, but brings with it some disadvantages, notably that the period is at most half the modulus. There are several ways to generalize this, at the cost of more multiplications per iteration.

First, it is possible to add additional terms to the product, producing a modulus of the form a_rb^r+a_sb^s−1. This requires computing c_nb + x_n = a_rx_n−r + a_sx_n−s. (The carry is limited to one word if a_r + a_s ≤ b.)

However, this does not fix the period issue, which depends on the low bits of the modulus. Fortunately, the Montgomery reduction algorithm permits other moduli, as long as they are relatively prime to the base b, and this can be applied to permit a modulus of the form a_rb^r−a₀, for a wide range of values a₀. Goresky and Klapper developed the theory of these generalized multiply-with-carry generators, proving, in particular, that choosing a negative a₀ and a_r–a₀ < b the carry value is always smaller than b, making the implementation efficient. The more general form of the modulus improves also the quality of the generator, albeit one cannot always get full period.

To implement a Goresky-Klapper generator one precomputes a (mod b), and changes the iteration as follows:

In the common case that b = 2^k, a₀ must be odd for the inverse to exist.

Implementation

The following is an implementation of the CMWC algorithm in the C programming language. Also, included in the program is a sample initialization function. In this implementation the base is 2³²-1 and lag r=4096. The period of the resulting generator is about

.

// C99 Complementary Multiply With Carry generator

1. include
2. include
3. include
4. include

// How many bits in rand?// https://stackoverflow.com/a/27593398

1. define LOG_1(n) (((n) >= 2) ? 1 : 0)
2. define LOG_2(n) (((n) >= 1<<2) ? (2 + LOG_1((n)>>2)) : LOG_1(n))
3. define LOG_4(n) (((n) >= 1<<4) ? (4 + LOG_2((n)>>4)) : LOG_2(n))
4. define LOG_8(n) (((n) >= 1<<8) ? (8 + LOG_4((n)>>8)) : LOG_4(n))
5. define LOG(n) (((n) >= 1<<16) ? (16 + LOG_8((n)>>16)) : LOG_8(n))
6. define BITS_TO_REPRESENT(n) (LOG(n) + !!((n) & ((n) - 1)))
7. if ((RAND_MAX | (RAND_MAX >> 1)) != RAND_MAX)
8. error "expected a RAND_MAX that is 2^n - 1!"
9. endif
10. define RAND_BITS BITS_TO_REPRESENT(RAND_MAX)

// CMWC working parts

1. define CMWC_CYCLE 4096 // as Marsaglia recommends
2. define CMWC_C_MAX 809430660 // as Marsaglia recommends

struct cmwc_state ;

// Collect 32 bits of rand. You are encouraged to use a better source instead.uint32_t rand32(void)

// Init the state with seedvoid initCMWC(struct cmwc_state *state, unsigned int seed)

// CMWC engineuint32_t randCMWC(struct cmwc_state *state) //EDITED parameter *state was missing

int main

The following are implementations of small-state MWC generators with 64-bit output using 128-bit multiplications.// C99 + __uint128_t MWC, 128 bits of state, period approx. 2^127

/* The state must be neither all zero, nor x = 2^64 - 1, c = MWC_A1 - 1. The condition 0 < c < MWC_A1 - 1 is thus sufficient. */

uint64_t x, c = 1;

1. define MWC_A1 0xff3a275c007b8ee6

uint64_t inline next

// C99 + __uint128_t MWC, 256 bits of state, period approx. 2^255

/* The state must be neither all zero, nor x = y = z = 2^64 - 1, c = MWC_A3 - 1. The condition 0 < c < MWC_A3 - 1 is thus sufficient. */

uint64_t x, y, z, c = 1;

1. define MWC_A3 0xff377e26f82da74a

uint64_t inline next

The following are implementations of small-state Goresky-Klapper's generalized MWC generators with 64-bit output using 128-bit multiplications.// C99 + __uint128_t Goresky-Klapper GMWC, 128 bits of state, period approx. 2^127

/* The state must be neither all zero, nor x = 2^64 - 1, c = GMWC_A1 + GMWC_MINUS_A0. The condition 0 < c < GMWC_A1 + GMWC_MINUS_A0 is thus sufficient. */

uint64_t x = 0, c = 1;

1. define GMWC_MINUSA0 0x7d084a4d80885f
2. define GMWC_A0INV 0x9b1eea3792a42c61
3. define GMWC_A1 0xff002aae7d81a646

uint64_t inline next

// C99 + __uint128_t Goresky-Klapper GMWC, 256 bits of state, period approx. 2^255

/* The state must be neither all zero, nor x = y = z = 2^64 - 1, c = GMWC_A3 + GMWC_MINUS_A0. The condition 0 < c < GMWC_A3 + GMWC_MINUS_A0 is thus sufficient. */

uint64_t x, y, z, c = 1; /* The state can be seeded with any set of values, not all zeroes. */

1. define GMWC_MINUSA0 0x54c3da46afb70f
2. define GMWC_A0INV 0xbbf397e9a69da811
3. define GMWC_A3 0xff963a86efd088a2

uint64_t inline next

Usage

Because of simplicity and speed, CMWC is known to be used in game development, particularly in modern roguelike games. It is informally known as the Mother of All PRNGs, a name originally coined by Marsaglia himself.^[2] In libtcod, CMWC4096 replaced MT19937 as the default PRNG.^[3]

See also

• Mersenne Twister
• List of random number generators

References

• Marsaglia . George . George Marsaglia . Xorshift RNGs . Journal of Statistical Software . 4 July 2003 . 8 . 14 . 1–6 . 10.18637/jss.v008.i14 . free.
• George . Marsaglia . George Marsaglia . On the randomness of Pi and other decimal expansions . Interstat . October 2005 . 10.1.1.694.4783.
• Book: Press . William H. . William H. Press . Teukolsky . Saul A. . Saul Teukolsky . Vetterling . William T. . Flannery . Brian P. . Brian P. Flannery . 2007 . Numerical Recipes: The Art of Scientific Computing . 3rd . Cambridge University Press . New York . 978-0-521-88068-8 . Section 7.1.2.B Multiply With Carry (MWC) . http://apps.nrbook.com/empanel/index.html#pg=347.

Notes and References

1. Hull . T. E. . Dobell . A. R. . July 1962 . Random Number Generators . SIAM Review . 4 . 3 . 230–254 . 10.1137/1004061. 1962SIAMR...4..230H . 1828/3142 . free.
2. Web site: Marsaglia's Mother of All Random Number Generators . home.sandiego.edu.
3. Web site: Random number generator - RogueBasin. www.roguebasin.com. 2016-11-30.