Multiply-with-carry

In computer science, multiply-with-carry (MWC) is a method invented by George Marsaglia for generating sequences of random integers based on an initial set from two to many thousands of randomly chosen seed values. The main advantages of the MWC method are that it invokes simple computer integer arithmetic and leads to very fast generation of sequences of random numbers with immense periods, ranging from around $2^$ to $2^$.

As with all pseudorandom number generators, the resulting sequences are functions of the supplied seed values.

General theory

An MWC generator is a special form of Lehmer random number generator $x_n = bx_ \bmod p$ which allows efficient implementation of a prime modulus $p$ much larger than the machine word size.

Normal Lehmer generator implementations choose a modulus close to the machine word size. An MWC generator instead maintains its state in base $b$, so multiplying by $b$ is done implicitly by shifting one word. The base $b$ is typically chosen to equal the computer's word size, as this makes arithmetic modulo $b$ trivial. This may vary from $b = 2^8$ for a microcontroller to $b = 2^$. (This article uses $b = 2^$ for examples.)

The initial state ("seed") values are arbitrary, except that they must not be all zero, nor all at the maximum permitted values ($x_0 = b-1$ and $c_0 = a-1$ ). (This is commonly done by choosing $c_0$ between 1 and $a-2$.). The MWC sequence is then a sequence of pairs $x_n, c_n$ determined by

: $x_n=(ax_+c_)\,\bmod\,b,\ c_n=\left\lfloor\frac\right\rfloor$

This is called a lag-1 MWC sequence. Sometimes an odd base is preferred, in which case $b = 2^k-1$ can be used, which is almost as simple to implement. A lag-$r$ sequence is a generalization of the lag-1 sequence allowing longer periods. The lag-$r$ MWC sequence is then a sequence of pairs
$x_n, c_n$ (for $n > r$) determined by

: $x_n=(ax_+c_)\,\bmod\,b,\ c_n=\left\lfloor\frac\right\rfloor$

and the MWC generator output is the sequence of $x$'s,
: $x_r, x_, x_, ...$

In this case, the initial state ("seed") values must not be all zero nor ''$x_0 = b-1$ and $c_ = a-1$.

The MWC multiplier $a$ and lag $r$ determine the modulus $p = ab^r-1$. In practice, $a$ is chosen so the modulus is prime and the sequence has long period. If the modulus is prime, The period of a lag-$r$ MWC generator is the order of $b$ in the multiplicative group of numbers modulo $p$. While it is theoretically possible to choose a non-prime modulus, a prime modulus eliminates the possibility of the initial seed sharing a common divisor with the modulus, which would reduce the generator's period.

Because 2 is a quadratic residue of numbers of the form $8k \pm 1$, $b = 2^k$ cannot be a primitive root of $p = ab^r-1$. Therefore, MWC generators with base $2^k$ have their parameters chosen so their period is (''ab^r''−1)/2. This is one of the difficulties that use of ''b'' = 2^''k'' − 1 overcomes.

The basic form of an MWC generator has parameters ''a'', ''b'' and ''r'', and ''r''+1 words of state. The state consists of ''r'' residues modulo ''b''
: 0 ≤ ''x''₀, ''x''₁, ''x''₂,..., ''x''_''r''−1 < b,
and a carry ''c''_''r''−1 < ''a''.

Although the theory of MWC generators permits ''a'' > ''b'', ''a'' is almost always chosen smaller for convenience of implementation.

The state transformation function of an MWC generator is one step of Montgomery reduction modulo ''p''. The state is a large integer with most significant word ''c''_''n''−1 and least significant word ''x''_{''n''−''r''}. Each step, ''x''_{''n''−''r''}·(''ab^r''−1) is added to this integer. This is done in two parts: −1·''x''_{''n''−''r''} is added to ''x''_{''n''−''r''}, resulting in a least significant word of zero. And second, ''a''·''x''_{''n''−''r''} is added to the carry. This makes the integer one word longer, producing two new most significant words ''x_n'' and ''c_n''.

So far, this has simply added a multiple of ''p'' to the state, resulting in a different representative of the same residue class modulo ''p''. But finally, the state is shifted down one word, dividing by ''b''. This discards the least significant word of zero (which, in practice, is never computed at all) and effectively multiplies the state by ''b''⁻¹ (mod ''p'').

Thus, a multiply-with-carry generator ''is'' a Lehmer generator with modulus ''p'' and multiplier ''b''⁻¹ (mod ''p''). This is the same as a generator with multiplier ''b'', but producing output in reverse order, which does not affect the quality of the resultant pseudorandom numbers.

Couture and L'Ecuyer have proved the surprising result that the lattice associated with a multiply-with-carry generator is very close to the lattice associated with the Lehmer generator it simulates. Thus, the mathematical techniques developed for Lehmer generators (such as the spectral test) can be applied to multiply-with-carry generators.

Efficiency

A linear congruential generator with base ''b'' = 2³² is implemented as
:$x_=(ax_n+c)\ \bmod\,2^,$
where ''c'' is a constant.
If ''a'' ≡ 1 (mod 4) and ''c'' is odd, the resulting base-2³² congruential sequence will have period 2³².

This can be computed using only the low 32 bits of the product of ''a'' and the current ''x''.
However, many microprocessors can compute a full 64-bit product in almost the same time as the low 32 bits. Indeed, many compute the 64-bit product and then ignore the high half.

A lag-1 multiply-with-carry generator allows us to make the period nearly 2⁶³ by using almost the same computer operations, except that the top half of the 64-bit product is not ignored after the product is computed.
Instead, a 64-bit sum is computed, and the top half is used as a ''new'' carry value ''c'' rather than the fixed additive constant of the standard congruential sequence:
Compute ''ax''+''c'' in 64 bits, then use the top half as the new ''c'', and bottom half as the new ''x''.

Choice of multiplier

With multiplier ''a'' specified,
each pair of input values ''x'', ''c'' is converted to a new pair,

:$x\leftarrow (ax+c)\,\bmod\,2^,\ \ c\leftarrow \left\lfloor\frac\right\rfloor.$

If ''x'' and ''c'' are not both zero, then the period of the resulting multiply-with-carry sequence will be the order of ''b'' = 2³²
in the multiplicative group of residues modulo
''ab^r'' − 1, that is, the smallest ''n'' such that
''bⁿ'' ≡ 1 (mod ''ab^r'' − 1).

If ''p'' = ''ab^r'' − 1 is prime, then Fermat's little theorem guarantees that the order of any element must divide ''p'' − 1 = ''ab^r'' − 2, so one way to ensure a large order is to choose ''a'' such that ''p'' is a "safe prime",
that is both ''p'' and (''p'' − 1)/2 = ''ab^r''/2 − 1 are prime. In such a case, for ''b''= 2³² and ''r'' = 1, the period will be ''ab^r''/2 − 1, approaching 2⁶³, which in practice may be an acceptably large subset of the number of possible 32-bit pairs (''x'', ''c'').

More specifically, in such a case, the order of ''any'' element divides ''p'' − 1, and there are only four possible divisors: 1, 2, ''ab^r''/2 − 1, or ''ab^r'' − 2. The first two apply only to the elements 1 and −1, and quadratic reciprocity arguments show that the fourth option cannot apply to ''b'', so only the third option remains.

Following are some maximal values of ''a'' for computer applications which satisfy the above safe prime condition, for lag-1 generators:

While a safe prime ensures that almost ''any'' element of the group has a large order, the period of the generator is specifically the order of ''b''. For small moduli, more computationally expensive methods can be used to find multipliers ''a'' where the period is ''ab''/2 − 1.
The following are again maximum values of ''a'' of various sizes.

MWC generators as repeating decimals

The output of a multiply-with-carry generator is equivalent to the radix-''b'' expansion of a fraction with denominator ''p'' = ''ab^r'' − 1. Here is an example for the simple case of ''b'' = 10 and ''r'' = 1, so the result is a repeating decimal.

Starting with $c_0=1,x_0=0$, the MWC sequence

:$x_n=(7x_+c_)\,\bmod\,10,\ c_n=\left\lfloor\frac\right\rfloor,$

produces this sequence of states:
:10,01,07,49,67,55,40,04,28,58,61,13,22,16,43,25,37,52,19,64,34,31, 10,01,07,...

with period 22. Consider just the sequence of ''x_i:
:0,1,7,9,7,5,0,4,8,8,1,3,2,6,3,5,7,2,9,4,4,1, 0,1,7,9,7,5,0,...

Notice that if those repeated segments of ''x'' values are put ''in reverse order'':
:$1449275\cdots 9710\,1449275\cdots 9710\,144\cdots$
we get the expansion
''j''/(''ab''−1) with ''a''=7, ''b''=10, ''j=10'':

:$\frac=0.1449275362318840579710\,14492753623\ldots$

This is true in general: The sequence of ''x''s produced by a lag-''r'' MWC generator:

:$x_n=(ax_+c_)\bmod\,b\,,\ \ c_n=\left\lfloor\frac\right\rfloor,$

when put in reverse order, will be the radix-''b'' expansion of a fraction ''j''/(''ab^r'' − 1) for some 0 < ''j'' < ''ab^r''.

Equivalence to linear congruential generator

Continuing the above example, if we start with $x_0=34$, and generate the ordinary congruential sequence
:$x_n=7x_\,\bmod\,69$,
we get the period 22 sequence
:31,10,1,7,49,67,55,40,4,28,58,61,13,22,16,43,25,37,52,19,64,34, 31,10,1,7,...
and that sequence, reduced mod 10, is
:1,0,1,7,9,7,5,0,4,8,8,1,3,2,6,3,5,7,2,9,4,4, 1,0,1,7,9,7,5,0,...
the same sequence of ''xs resulting from the MWC sequence.

This is true in general, (but apparently only for lag-1 MWC sequences):

Given initial values $x_0,c_0$, the sequence $x_1,x_2,\ldots$ resulting from the lag-1 MWC sequence

:$x_n=(ax_+c_)\,\bmod b\,,\ \ c_n=\left\lfloor\frac\right\rfloor$

is exactly the Lehmer random number generator output sequence ''y_n'' = ''ay''_{''n'' − 1} mod (''ab'' − 1),
reduced modulo ''b''.

Choosing a different initial value ''y''₀ merely rotates the cycle of ''xs.

Complementary-multiply-with-carry generators

Establishing the period of a lag-''r'' MWC generator usually entails choosing multiplier ''a'' so that ''p'' = ''ab^r'' − 1 is prime. Then ''p'' − 1 will have to be factored in order to find the order of ''b'' mod ''p''. If ''p'' is a safe prime, then this is simple, and the order of ''b'' will be either ''p'' − 1 or (''p'' − 1)/2. In other cases, ''p'' − 1 may be difficult to factor.

However, the algorithm also permits a ''negative'' multiplier. This leads to a slight modification of the MWC procedure, and produces a modulus ''p'' = = ''ab^r'' + 1. This makes ''p'' − 1 = ''ab^r'' easy to factor, making it practical to establish the period of very large generators.

The modified procedure is called complementary-multiply-with-carry (CMWC), and the setup is the same as that for lag-''r'' MWC: multiplier ''a'', base ''b'', and ''r'' + 1 seeds,

: ''x''₀, ''x''₁, ''x''₂, ..., ''x''_''r''−1, and ''c''_''r''−1.

The modification is to the generation of a new pair (''x'', ''c''). Rearranging the computation to avoid negative numbers, the new ''x'' value is complemented by subtracting it from ''b'' − 1:
:$x_n=(b-1)-(ax_+c_)\,\bmod\,b,\ c_n=\left\lfloor\frac\right\rfloor.$

The resulting sequence of ''x''s produced by the CMWC RNG will have period the order of ''b'' in the multiplicative group of residues modulo ''ab^r''+1, and the output ''x''s, in reverse order, will form the base ''b'' expansion of ''j''/(''ab^r''+1) for some 0 < ''j'' < ''ab^r''.

Use of lag-''r'' CMWC makes it much easier to find periods for ''r''s as large as 512, 1024, 2048, etc.
(Making ''r'' a power of 2 makes it slightly simpler to access elements in the array containing the ''r'' most recent ''x''s.)

Another advantage of this modified procedure is that the period is a multiple of ''b'', so the output is exactly equidistributed mod ''b''. (The ordinary MWC, over its full period, produces each possible output an equal number of times ''except'' that zero is produced one time less, a bias which is negligible if the period is long enough.)

One ''disadvantage'' of the CMWC construction is that, with a power-of-two base, the maximum achievable period is less than for a similar-sized MWC generator; you lose several bits. Thus, an MWC generator is usually preferable for small lags. This can remedied by using ''b'' = 2^''k''−1, or choosing a lag one word longer to compensate.

Some examples:
With ''b'' = 2³², and ''a'' = 109111 or 108798 or 108517, the period of the lag-1024 CMWC
: $x_n=(b-1)-(ax_+c_)\,\bmod\,b,\ c_n=\left\lfloor\frac\right\rfloor.$
will be ''a''·2³²⁷⁶² = ''ab''¹⁰²⁴/64, about 10⁹⁸⁶⁷.

With ''b'' = 2³² and ''a'' = 3636507990, ''p'' = ''ab''¹³⁵⁹ − 1 is a safe prime, so the MWC sequence based on that ''a'' has period 3636507990·2⁴³⁴⁸⁷ ≈ 10¹³¹⁰¹.

With ''b'' = 2³², a CMWC RNG with near record period may be based on the prime ''p'' = 15455296''b''⁴²⁶⁵⁸ + 1. The order of ''b'' for that prime is 241489·2^1365056 ≈ 10⁴¹⁰⁹²⁸.

More general moduli

The MWC modulus of ''ab^r''−1 is chosen to make computation particularly simple, but brings with it some disadvantages, notably that the period is at most half the modulus. There are several ways to generalize this, at the cost of more multiplications per iteration.

First, it is possible to add additional terms to the product, producing a modulus of the form ''a_rb^r''+''a_sb^s''−1. This requires computing ''c_nb'' + ''x_n'' = ''a_rx''_{''n''−''r''} + ''a_sx''_{''n''−''s''}. (The carry is limited to one word if ''a_r'' + ''a_s'' ≤ ''b''.)

However, this does not fix the period issue, which depends on the low bits of the modulus. Fortunately, the Montgomery reduction algorithm permits other moduli, as long as they are relatively prime to the base ''b'', and this can be applied to permit a modulus of the form ''a_rb^r''−''a''₀, for a wide range of values ''a''₀. Goresky and Klapper developed the theory of these generalized multiply-with-carry generators, proving, in particular, that choosing a negative ''a''₀ and ''a_r''–''a''₀ < ''b'' the carry value is always smaller than ''b'', making the implementation efficient. The more general form of the modulus improves also the quality of the generator, albeit one cannot always get full period.

To implement a Goresky-Klapper generator one precomputes ''a'' (mod ''b''), and changes the iteration as follows:
:$t = c_ + \sum_1^r a_i x_, \ x_n = a_0^t \bmod b, \ c_n = \left\lfloor\frac\right\rfloor.$

In the common case that ''b'' = 2^''k'', ''a''₀ must be odd for the inverse to exist.

Implementation

The following is an implementation of the CMWC algorithm in the C programming language. Also, included in the program is a sample initialization function. In this implementation the base is 2³²−1 and lag ''r''=4096. The period of the resulting generator is about $2^$.

// C99 Complementary Multiply With Carry generator
#include
#include
#include
#include

// How many bits in rand()?
// https://stackoverflow.com/a/27593398
#define LOG_1(n) (((n) >= 2) ? 1 : 0)
#define LOG_2(n) (((n) >= 1<<2) ? (2 + LOG_1((n)>>2)) : LOG_1(n))
#define LOG_4(n) (((n) >= 1<<4) ? (4 + LOG_2((n)>>4)) : LOG_2(n))
#define LOG_8(n) (((n) >= 1<<8) ? (8 + LOG_4((n)>>8)) : LOG_4(n))
#define LOG(n) (((n) >= 1<<16) ? (16 + LOG_8((n)>>16)) : LOG_8(n))
#define BITS_TO_REPRESENT(n) (LOG(n) + !!((n) & ((n) - 1)))
#if ((RAND_MAX , (RAND_MAX >> 1)) != RAND_MAX)
#error "expected a RAND_MAX that is 2^n - 1!"
#endif
#define RAND_BITS BITS_TO_REPRESENT(RAND_MAX)

// CMWC working parts
#define CMWC_CYCLE 4096 // as Marsaglia recommends
#define CMWC_C_MAX 809430660 // as Marsaglia recommends
struct cmwc_state ;

// Collect 32 bits of rand(). You are encouraged to use a better source instead.
uint32_t rand32(void)

// Init the state with seed
void initCMWC(struct cmwc_state *state, unsigned int seed)

// CMWC engine
uint32_t randCMWC(struct cmwc_state *state) //EDITED parameter *state was missing

int main()

The following are implementations of small-state MWC generators with 64-bit output using 128-bit multiplications.

// C99 + __uint128_t MWC, 128 bits of state, period approx. 2^127

/* The state must be neither all zero, nor x = 2^64 - 1, c = MWC_A1 -
1. The condition 0 < c < MWC_A1 - 1 is thus sufficient. */

uint64_t x, c = 1;

#define MWC_A1 0xff3a275c007b8ee6

uint64_t inline next()

// C99 + __uint128_t MWC, 256 bits of state, period approx. 2^255

/* The state must be neither all zero, nor x = y = z = 2^64 - 1, c =
MWC_A3 - 1. The condition 0 < c < MWC_A3 - 1 is thus sufficient. */

uint64_t x, y, z, c = 1;

#define MWC_A3 0xff377e26f82da74a

uint64_t inline next()

The following are implementations of small-state Goresky-Klapper's generalized MWC generators with 64-bit output using 128-bit multiplications.

// C99 + __uint128_t Goresky-Klapper GMWC, 128 bits of state, period approx. 2^127

/* The state must be neither all zero, nor x = 2^64 - 1, c = GMWC_A1 +
GMWC_MINUS_A0. The condition 0 < c < GMWC_A1 + GMWC_MINUS_A0 is thus
sufficient. */

uint64_t x = 0, c = 1;

#define GMWC_MINUSA0 0x7d084a4d80885f
#define GMWC_A0INV 0x9b1eea3792a42c61
#define GMWC_A1 0xff002aae7d81a646

uint64_t inline next()

// C99 + __uint128_t Goresky-Klapper GMWC, 256 bits of state, period approx. 2^255

/* The state must be neither all zero, nor x = y = z = 2^64 - 1, c =
GMWC_A3 + GMWC_MINUS_A0. The condition 0 < c < GMWC_A3 + GMWC_MINUS_A0
is thus sufficient. */

uint64_t x, y, z, c = 1; /* The state can be seeded with any set of values, not all zeroes. */

#define GMWC_MINUSA0 0x54c3da46afb70f
#define GMWC_A0INV 0xbbf397e9a69da811
#define GMWC_A3 0xff963a86efd088a2

uint64_t inline next()

Usage

Because of simplicity and speed, CMWC is known to be used in game development, particularly in modern roguelike games. It is informally known as the Mother of All PRNGs, a name originally coined by Marsaglia himself. In libtcod, CMWC4096 replaced MT19937 as the default PRNG.

See also

* Mersenne Twister
* List of random number generators

References

*
*
*

{{DEFAULTSORT:Multiply-With-Carry
Pseudorandom number generators