[tsvwg] Benjamin Kaduk's No Objection on draft-ietf-tsvwg-tinymt32-03: (with COMMENT)

Benjamin Kaduk via Datatracker <noreply@ietf.org> Wed, 29 May 2019 04:35 UTC

MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-tsvwg-tinymt32@ietf.org, Wesley Eddy <wes@mti-systems.com>, tsvwg-chairs@ietf.org, wes@mti-systems.com, tsvwg@ietf.org
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <155910453869.25689.218037844632567036.idtracker@ietfa.amsl.com>
Date: Tue, 28 May 2019 21:35:38 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/BUitWTkf2FAZSFxyMR1LsGEwlCw>
Subject: [tsvwg] Benjamin Kaduk's No Objection on draft-ietf-tsvwg-tinymt32-03: (with COMMENT)

Benjamin Kaduk has entered the following ballot position for
draft-ietf-tsvwg-tinymt32-03: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-tsvwg-tinymt32/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

In Section 3.1:

   o  the original copyright and licence have been removed, in
      accordance with BCP 78 and the IETF Trust's Legal Provisions
      Relating to IETF Documents (http://trustee.ietf.org/license-info);

The original copyright holder's permission is needed to do this!  Perhaps
it is appropriate to note that the original authors are now listed as
authors on this document.

Please also specify what language the code in Section 3.1 is written in,
including reference (so as to specify which version of C it is to be
intepreted as).

I agree with the secdir reviewer and Mirja that some more references
would be good.

Section-by-section comments follow.

Abstract

   while keeping a reasonably good randomness.

please add the "non-cryptographic" qualifier.

Section 1

                          According to statistical tests (BigCrush in
   TestU01 and AdaptiveCrush), the quality of the outputs of TinyMT
   seems pretty good in terms of randomnes (in particular the uniformity
   of generated numbers), taking the small size of the internal state
   into consideration (see [TinyMT-web]).  [...]

I'd suggest rewording as "The outputs of TinyMT satisfy several
statistical tests for (non-cryptographic) randomness, including BigCrush
in TestU01 and AdaptiveCrush), leaving it well-placed for
non-cryptographic usage, especially given the small size of its internal
state." or similar.  (This avoids the "pretty good" construct and moves
the emphasis from the tests to the usability of the algorithm.)

Section 3.1

   o  mat1 = 0x8f7011ee = 2406486510
   o  mat2 = 0xfc78ff1f = 4235788063
   o  tmat = 0x3793fdff = 932445695

side note: these first two have the MSB set, and thus when the
decimal form of the constant is used in C code, the implicit type will
be a signed integer type of width strictly greater than 32, as opposed
to an unsigned integer type (which would presumably have width 32 bits
on most modern sytsems).

       for (int i = 1; i < MIN_LOOP; i++) {
           s->status[i & 3] ^= i + UINT32_C(1812433253)
               * (s->status[(i - 1) & 3]
                  ^ (s->status[(i - 1) & 3] >> 30));

side note: I note that the UINT32_C macro produces a result of type
uint_least32_t, which in theory could be wider and of greater conversion
rank than uint32_t.  This would result in the intermediate calculations
being done in a type other than uint32_t, though for the specific
calculation here this should not cause any difference in the final
output after truncation to 32 bits.

Section 3.2

   This PRNG MUST first be initialized with the following function:

      void tinymt32_init (tinymt32_t * s, uint32_t seed);

nit: the pointer declaration style here was missed in the style pass
done in a recent revision.

   It takes as input a 32-bit unsigned integer used as a seed (note that
   value 0 is authorized by TinyMT32).  [...]

nit: perhaps "permitted" is a better word than "authorized", which can
have some different connotations to IETF readers.

                                    The use of this structure authorizes
   several instances of this PRNG to be used in parallel, each of them
   having its own instance of the structure.

nit: here, "admits" is a better replacement for "authorizes" (but
"permits" would be fine, too).

Section 3.3

               Consequently, any implementation of the TinyMT32 PRNG in
   line with this specification MUST comply with the following criteria.
   Using a seed value of 1, the first 50 values returned by
   tinymt32_generate_uint32(s) as 32-bit unsigned integers MUST be equal
   to values provided in Figure 2.  [...]

I don't think it's appropriate to attempt to use "agreement with these
test vectors" as a compliance mechanism (i.e., normative "MUST") -- the
normative requirement must surely be to have the same observable
behavior as the algorithm specified in the C code of Section 3.1.  These
vectors are just test vectors to give an implementor some confidence
that they agree with the reference behavior.

(You also need to say whether I read rows first or columns first in the
Figure's contents.)

[tsvwg] Benjamin Kaduk's No Objection on draft-ie… Benjamin Kaduk via Datatracker