$30 off During Our Annual Pro Sale. View Details »

Xorshift* and Erlang/OTP: Searching for Better PRNGs

Kenji Rikitake
March 27, 2015
Programming
0
150

Xorshift* and Erlang/OTP: Searching for Better PRNGs

Erlang Factory SF Bay 2015 presentation

Kenji Rikitake

March 27, 2015
Tweet

More Decks by Kenji Rikitake

See All by Kenji Rikitake
SDR Implementation of Analog FM Broadcast Multipath Filter
jj1bdx
0
380
インターネットとオープンな無線技術の今後 / Future of Internet and Open Radio Engineering
jj1bdx
0
900
FM放送とマルチパスを適応フィルタで極めてみた / Solving multipath distortion of FM broadcast by adaptive filters
jj1bdx
1
2.6k
ソフトウェアラジオとC++ そしてFMエアチェックのための信号解析と数値計算にまつわるよもやま話 / Software radio and C++
jj1bdx
0
590
SDR時代のFM受信 マルチパスモニタとマルチパスフィルタ / FM broadcast reception with SDR - multipath monitor and multipath filter
jj1bdx
0
220
How I discover a working implementation of clock_nanosleep() for macOS in CPAN Time::Hires
jj1bdx
1
650
Sleeping pays / 1000eng-74th-jj1bdx
jj1bdx
1
28
The BEAM Programming Paradigm
jj1bdx
1
590
Safe randomness: theory and practice
jj1bdx
1
950

Other Decks in Programming

See All in Programming
Being On Call Does Not Have to Suck.
charity
0
570
Excelを扱うRubyGemまとめ 2022
ktam1219
0
270
Ltag
inoue2002
0
130
JavaOne 2022 報告会(パターンマッチングとString Templatesの話)
takasyou
0
100
FrankenPHP: a modern app server for PHP and Symfony apps
dunglas
0
190
Modern Web Apps with Spring Boot & Angular
toedter
13
15k
Step Functionsの設計時に知っておいたほうがいいかもしれないこと
pirosikick
0
150
JavaScript Testing Framework: Under the Hood(JSConfJP2022)
yoshiaki_togami
0
2.4k
やさしく入門するOAuth2.0/easy-entry-oauth
marchin1989
3
470
Ship Faster With Feature Flags
davidodari
0
170
組織と技術の両輪で開発を加速させるkintoneチームの取り組み / JJUG CCC 2022 Fall Cybozu kintone
itchyny
0
490
Findy - エンジニア向け会社紹介 / Findy Letter for Engineers
findyinc
2
40k

Featured

See All Featured
Documentation Writing (for coders)
carmenintech
49
2.8k
Principles of Awesome APIs and How to Build Them.
keavy
116
15k
Statistics for Hackers
jakevdp
782
210k
Build your cross-platform service in a week with App Engine
jlugia
221
17k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
28
20k
Atom: Resistance is Futile
akmur
256
24k
Design by the Numbers
sachag
271
17k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
215
21k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
1
310
Build The Right Thing And Hit Your Dates
maggiecrowley
21
1.4k
What's in a price? How to price your products and services
michaelherold
231
9.6k
Making Projects Easy
brettharned
101
4.7k

Transcript

  1. Xorshift* and Erlang/ OTP: Searching for Better PRNGs Kenji Rikitake

    / Erlang Factory SF Bay 2015 1

  2. Kenji Rikitake 27-MAR-2015 Erlang Factory SF Bay 2015 San Francisco,

    CA, USA @jj1bdx Professional Internet Engineer ACM Erlang Workshop 2011 Workshop Chair Erlang Factory SF Bay 2010-2015 speaker (for six consecutive years!) Kenji Rikitake / Erlang Factory SF Bay 2015 2

  3. Executive summary: do not try inventing your own random number

    generators! Kenji Rikitake / Erlang Factory SF Bay 2015 3

  4. PRNGs matter • The first talk of pseudo random number

    generators in Erlang Factory events was on 2011 • Now four years later, people are still using the good-old random module, already fully exploited. We should stop using it! • So I decided to do the talk again with new algorithms, and the talk is accepted Kenji Rikitake / Erlang Factory SF Bay 2015 4

  5. PRNGs are everywhere • Rolling dice (for games) • (Property)

    testing (QuickCheck, ProPer, Triq) • Variation analysis of electronic circuits • Network congestion and delay analysis • Risk analysis of project schedules • Passwords (Secure PRNGs only!) Kenji Rikitake / Erlang Factory SF Bay 2015 5

  6. Variation analysis of a band pass filter Kenji Rikitake /

    Erlang Factory SF Bay 2015 6

  7. Without variance Kenji Rikitake / Erlang Factory SF Bay 2015

    7

  8. With 10% variance Kenji Rikitake / Erlang Factory SF Bay

    2015 8

  9. How PRNG works • Sequential iterative process • For multiple

    processes, seeds and other parameters should be chosen carefully to prevent sequence overlapping % Give a seed S1 {Result1, S2} = prng(S1), {Result2, S3} = prng(S2), % ... and on and on Kenji Rikitake / Erlang Factory SF Bay 2015 9

  10. NOT in this talk: Secure PRNGs • For password and

    cryptographic key generation with strong security • Use crypto:strong_rand_bytes/1 • Remember entropy gathering takes time • This is cryptography - use and only use proven algorithms! Do not invent yours! Kenji Rikitake / Erlang Factory SF Bay 2015 10

  11. In this talk: non-secure PRNGs • May be vulnerable to

    cryptographic attacks • (Uniform) distribution guaranteed • Predictive: same seed = same result • Lots of seed (internal state) choices • Long period: no intelligible patterns Kenji Rikitake / Erlang Factory SF Bay 2015 11

  12. Even non-secure PRNGs fail • Found from the observable patterns

    by making a graphical representation • Very short period of showing up the same number sequence again • Even a fairly long sequence of numbers can be fully exploited and made predictable Kenji Rikitake / Erlang Factory SF Bay 2015 12

  13. PHP5 on Windows (2012) Kenji Rikitake / Erlang Factory SF

    Bay 2015 13

  14. Other PRNG failures • Cryptocat 2013 (blue: OK, red: bad)

    Kenji Rikitake / Erlang Factory SF Bay 2015 14

  15. Erlang/OTP's first ever security advisory • ... was about PRNG!

    (R14B02, 2011) • US CERT VU#178990: Erlang/OTP SSH library uses a weak random number generator (CVE-2011-0766) • Used random non-secure PRNG for the SSH session RNG seed, easily exploitable Kenji Rikitake / Erlang Factory SF Bay 2015 15

  16. Erlang random's problem • The algorithm AS183 is too old

    (designed in 1980s for 16- bit computers) • Period: 6953607871644 ~= 2^(42.661), too short for modern computer exploits • Fully exploited in < 9 hours on Core i5 (single core) (my C source) - Richard O'Keefe told me this was nothing new in either academic and engineering perspectives (he is right!) Kenji Rikitake / Erlang Factory SF Bay 2015 16

  17. Alternative Erlang PRNGs • sfmt-erlang (SFMT, 2^19937-1, 32-bit) • tinymt-erlang

    (TinyMT, 2^127-1, ~2^56 orthogonal sequences, 32-bit) • exs64 (XorShift*64, 2^64-1, 64-bit) • exsplus (Xorshift+128, 2^128-1, 64-bit) • exs1024 (Xorshift*1024, 2^1024-1, 64-bit) Kenji Rikitake / Erlang Factory SF Bay 2015 17

  18. SFMT • Mersenne Twister: default PRNG on Python, MATLAB, C+

    +11, R, etc. • Internal state: 624 32-bit integers (2496 bytes) • SIMD-oriented Fast Mersenne Twister (SFMT) = MT improved • Extremely long period (2^19937-1, longer variants available) Kenji Rikitake / Erlang Factory SF Bay 2015 18

  19. sfmt-erlang: on NIFs sfmt-erlang gains a lot by NIFs because:

    • It needs bulk state initialization (624 x 32-bit) • NIFnizing it makes total execution time ~16 times faster (on FreeBSD, OTP 17.4.1) • Execution time of state initialization: ~100 times faster (~1600 -> ~15 microseconds) Kenji Rikitake / Erlang Factory SF Bay 2015 19

  20. TinyMT • Tiny Mersenne Twister for restricted resources • Shorter

    but sufficient period (2^127-1) • 127-bit state + three 32-bit words for the polynomial parameters • ~2^56 choice of orthogonal polynomials, suitable for parallelism • On Erlang: non-NIF only Kenji Rikitake / Erlang Factory SF Bay 2015 20

  21. tinymt-erlang: on NIFs tinymt-erlang did not gain much from NIFs

    presumably because: • No bulk initialization, state calculation complexity is small • Most of execution time: function calling overhead • In NIFs, sfmt-erlang was faster for generating a large sequence Kenji Rikitake / Erlang Factory SF Bay 2015 21

  22. So are NIFs effective? • Not really, unless processing a

    bulk generation/computation • Remember NIFs block the scheduler • If NIFs are not needed, don't use them • If NIFs are really needed, tuning the scheduler is inevitable - ask the gurus for the details Kenji Rikitake / Erlang Factory SF Bay 2015 22

  23. Xorshift*/+ algorithms • Marsaglia's Xorshift, output scrambled by the algorithm

    of Sebastiano Vigna for the best result against TestU01 strength test • Xorshift64*, Xorshift128+, Xorshift1024* are so far the most practical three choices • C code in public domain • Deceptively simple Kenji Rikitake / Erlang Factory SF Bay 2015 23

  24. Xorshift64* % See https://github.com/jj1bdx/exs64 -type uint64() :: 0..16#ffffffffffffffff. -opaque state()

    :: uint64(). -define(UINT64MASK, 16#ffffffffffffffff). -spec next(state()) -> {uint64(), state()}. next(R) -> R1 = R bxor (R bsr 12), R2 = R1 bxor ((R1 bsl 25) band ?UINT64MASK), R3 = R2 bxor (R2 bsr 27), {(R3 * 2685821657736338717) band ?UINT64MASK, R3}. Kenji Rikitake / Erlang Factory SF Bay 2015 24

  25. Xorshift1024* (1/2) % See https://github.com/jj1bdx/exs1024 -type uint64() :: 0..16#ffffffffffffffff. -opaque

    seedval() :: list(uint64()). % 16 64-bit integers -opaque state() :: {list(uint64()), list(uint64())}. -define(UINT64MASK, 16#ffffffffffffffff). %% calc(S0, S1) -> {X, NS1} / X: random number output -spec calc(uint64(), uint64()) -> {uint64(), uint64()}. calc(S0, S1) -> S11 = S1 bxor ((S1 bsl 31) band ?UINT64MASK), S12 = S11 bxor (S11 bsr 11), S01 = S0 bxor (S0 bsr 30), NS1 = S01 bxor S12, {(NS1 * 1181783497276652981) band ?UINT64MASK, NS1}. Kenji Rikitake / Erlang Factory SF Bay 2015 25

  26. Xorshift1024* (2/2) -spec next(state()) -> {uint64(), state()}. % with a

    ring buffer using a pair of lists next({[H], RL}) -> next({[H|lists:reverse(RL)], []}); next({L, RL}) -> [S0|L2] = L, [S1|L3] = L2, {X, NS1} = calc(S0, S1), {X, {[NS1|L3], [S0|RL]}}. Kenji Rikitake / Erlang Factory SF Bay 2015 26

  27. Performance implications • HiPE highly recommended • Handling full 64-bit

    numbers means handling BIGNUMs and slow; short integers are up to (2^59) • exs64: < x2 execution time of random • exs1024: slower, but ~ x2 of random • Speed penalty: worth being paid for Kenji Rikitake / Erlang Factory SF Bay 2015 27

  28. Suggested purposes for the alternative PRNGs • sfmt-erlang: proven, can

    be chosen in ProPer • tinymt-erlang: proven, has ~268 million polynomial parameters available at tinymtdc-longbatch • exs64: replacement of AS183 • exsplus: an alternative to exs64 • exs1024: good choice for simulation Kenji Rikitake / Erlang Factory SF Bay 2015 28

  29. Merging to OTP (1/2) • Dan Gudmundsson (of OTP Team)

    offered me to help writing a multi-algorithm successor of random module • exs64/plus/1024: MIT licensed (by me) • sfmt-erlang/tinymt-erlang: BSD licensed • All pieces of code had to be relicensed in Erlang Public License to be included in OTP Kenji Rikitake / Erlang Factory SF Bay 2015 29

  30. Merging to OTP (2/2) • It was expected to be

    called as new random, but the OTP team didn't want it (presumably due to backward compatibility issues), so it's called rand • Project name: emprng • random-compatible functions currently available for the six algorithms: as183, exs64 (default), exsplus, exs1024, sfmt, tinymt Kenji Rikitake / Erlang Factory SF Bay 2015 30

  31. Future directions • Keep promoting banning/deprecating the good-old random module

    and use something else that is much better (try exs64) • Merge emprng to OTP: more algorithms, user-supplied functions, tests • Analyze performance implication on large-scale applications Kenji Rikitake / Erlang Factory SF Bay 2015 31

  32. Thanks Questions? Kenji Rikitake / Erlang Factory SF Bay 2015

    32