Park-Miller Random Number Generator

The Lehmer random number generator (named after D. H. Lehmer), sometimes also referred to as the Park–Miller random number generator (after Stephen K. Park and Keith W. Miller), is a type of linear congruential generator (LCG) that operates in multiplicative group of integers modulo n. The general formula is

: $X_ = a \cdot X_k \bmod m,$

where the modulus ''m'' is a prime number or a power of a prime number, the multiplier ''a'' is an element of high multiplicative order modulo ''m'' (e.g., a primitive root modulo ''n''), and the seed ''X'' is coprime to ''m''.

Other names are multiplicative linear congruential generator (MLCG) and multiplicative congruential generator (MCG).

Parameters in common use

In 1988, Park and Miller suggested a Lehmer RNG with particular parameters ''m'' = 2 − 1 = 2,147,483,647 (a Mersenne prime ''M'') and ''a'' = 7 = 16,807 (a primitive root modulo ''M''), now known as MINSTD. Although MINSTD was later criticized by Marsaglia and Sullivan (1993), it is still in use today (in particular, in CarbonLib and C++11's minstd_rand0). Park, Miller and Stockmeyer responded to the criticism (1993), saying:

Given the dynamic nature of the area, it is difficult for nonspecialists to make decisions about what generator to use. "Give me something I can understand, implement and port... it needn't be state-of-the-art, just make sure it's reasonably good and efficient." Our article and the associated minimal standard generator was an attempt to respond to this request. Five years later, we see no need to alter our response other than to suggest the use of the multiplier ''a'' = 48271 in place of 16807.

This revised constant is used in C++11's minstd_rand random number generator.

The Sinclair ZX81 and its successors use the Lehmer RNG with parameters ''m'' = 2 + 1 = 65,537 (a Fermat prime ''F'') and ''a'' = 75 (a primitive root modulo ''F'').
The CRAY random number generator RANF is a Lehmer RNG with the power-of-two modulus ''m'' = 2 and ''a'' = 44,485,709,377,909.GNU Scientific Library: Other random number generators
The GNU Scientific Library includes several random number generators of the Lehmer form, including MINSTD, RANF, and the infamous IBM random number generator RANDU.

Choice of modulus

Most commonly, the modulus is chosen as a prime number, making the choice of a coprime seed trivial (any 0 < ''X'' < ''m'' will do). This produces the best-quality output, but introduces some implementation complexity, and the range of the output is unlikely to match the desired application; converting to the desired range requires an additional multiplication.

Using a modulus ''m'' which is a power of two makes for a particularly convenient computer implementation, but comes at a cost: the period is at most ''m''/4, and the lower bits have periods shorter than that. This is because the lowest ''k'' bits form a modulo-2 generator all by themselves; the higher-order bits never affect lower-order bits. The values ''X'' are always odd (bit 0 never changes), bits 2 and 1 alternate (the lower 3 bits repeat with a period of 2), the lower 4 bits repeat with a period of 4, and so on. Therefore, the application using these random numbers ''must'' use the most significant bits; reducing to a smaller range using a modulo operation with an even modulus will produce disastrous results.

To achieve this period, the multiplier must satisfy ''a'' â‰¡ Â±3 (mod 8), and the seed ''X'' must be odd.

Using a composite modulus is possible, but the generator ''must'' be seeded with a value coprime to ''m'', or the period will be greatly reduced. For example, a modulus of F = 2 + 1 might seem attractive, as the outputs can be easily mapped to a 32-bit word 0 ≤ ''X'' âˆ’ 1 < 2. However, a seed of ''X'' = 6700417 (which divides 2 + 1) or any multiple would lead to an output with a period of only 640.

A more popular implementation for large periods is a combined linear congruential generator; combining (e.g. by summing their outputs) several generators is equivalent to the output of a single generator whose modulus is the product of the component generators' moduli. and whose period is the least common multiple of the component periods. Although the periods will share a common divisor of 2, the moduli can be chosen so that is the only common divisor and the resultant period is (''m'' âˆ’ 1)(''m'' âˆ’ 1)···(''m'' âˆ’ 1)/2. One example of this is the Wichmann–Hill generator.

Relation to LCG

While the Lehmer RNG can be viewed as a particular case of the linear congruential generator with , it is a special case that implies certain restrictions and properties. In particular, for the Lehmer RNG, the initial seed ''X'' must be coprime to the modulus ''m'', which is not required for LCGs in general. The choice of the modulus ''m'' and the multiplier ''a'' is also more restrictive for the Lehmer RNG. In contrast to LCG, the maximum period of the Lehmer RNG equals ''m'' âˆ’ 1, and it is such when ''m'' is prime and ''a'' is a primitive root modulo ''m''.

On the other hand, the discrete logarithms (to base ''a'' or any primitive root modulo ''m'') of ''X'' in $\mathbb_m$ represent a linear congruential sequence modulo the Euler totient $\varphi(m)$.

Implementation

A prime modulus requires the computation of a double-width product and an explicit reduction step. If a modulus just less than a power of 2 is used (the Mersenne primes 2³¹ âˆ’ 1 and 2⁶¹ âˆ’ 1 are popular, as are 2³² âˆ’ 5 and 2⁶⁴ âˆ’ 59), reduction modulo can be implemented more cheaply than a general double-width division using the identity .

The basic reduction step divides the product into two ''e''-bit parts, multiplies the high part by ''d'', and adds them: . This can be followed by subtracting ''m'' until the result is in range. The number of subtractions is limited to ''ad''/''m'', which can be easily limited to one if ''d'' is small and is chosen. (This condition also ensures that ''d''  is a single-width product; if it is violated, a double-width product must be computed.)

When the modulus is a Mersenne prime (''d'' = 1), the procedure is particularly simple. Not only is multiplication by ''d'' trivial, but the conditional subtraction can be replaced by an unconditional shift and addition. To see this, note that the algorithm guarantees that , meaning that ''x'' = 0 and ''x'' = ''m'' are both impossible. This avoids the need to consider equivalent ''e''-bit representations of the state; only values where the high bits are non-zero need reduction.

The low ''e'' bits of the product ''ax'' cannot represent a value larger than ''m'', and the high bits will never hold a value greater than ''a'' âˆ’ 1 â‰¤ m âˆ’ 2. Thus the first reduction step produces a value at most ''m'' + ''a'' âˆ’ 1 ≤ 2''m'' âˆ’ 2 = 2^''e''+1 âˆ’ 4. This is an (''e'' + 1)-bit number, which can be greater than ''m'' (i.e. might have bit ''e'' set), but the high half is at most 1, and if it is, the low ''e'' bits will be strictly less than ''m''. Thus whether the high bit is 1 or 0, a second reduction step (addition of the halves) will never overflow ''e'' bits, and the sum will be the desired value.

If ''d'' > 1, conditional subtraction can also be avoided, but the procedure is more intricate. The fundamental challenge of a modulus like 2³² âˆ’ 5 lies in ensuring that we produce only one representation for values such as 1 â‰¡ 2³² âˆ’ 4. The solution is to temporarily add ''d'', so that the range of possible values is ''d'' through 2^''e'' âˆ’ 1, and reduce values larger than ''e'' bits in a way that never generates representations less than ''d''. Finally subtracting the temporary offset produces the desired value.

Begin by assuming that we have a partially reduced value ''y'' bounded so that 0 â‰¤ ''y'' < 2''m'' = 2^''e''+1 âˆ’ 2''d''. In this case, a single offset subtraction step will produce 0 â‰¤ ' < ''m''. To see this, consider two cases:
; 0 ≤ ''y'' < ''m'' = 2^''e'' − ''d''
: In this case, ''y'' + ''d'' < 2^''e'' and ' = ''y'' < ''m'', as desired.
; ''m'' ≤ ''y'' < 2''m''
: In this case, 2^''e'' ≤ ''y'' + ''d'' < 2^''e''+1 is an (''e'' + 1)-bit number, and  = 1. Thus, ' = (''y'' + ''d'') âˆ’ 2^''e'' + ''d'' âˆ’ ''d'' = ''y'' âˆ’ 2^''e'' + ''d'' = ''y'' âˆ’ ''m'' < ''m'', as desired. Because the multiplied high part is ''d'', the sum is at least ''d'', and subtracting the offset never causes underflow.

(For the case of a Lehmer generator specifically, a zero state or its image ''y'' = ''m'' will never occur, so an offset of ''d'' âˆ’ 1 will work just the same, if that is more convenient. This reduces the offset to 0 in the Mersenne prime case, when ''d'' = 1.)

Reducing a larger product ''ax'' to less than 2''m'' = 2^''e''+1 âˆ’ 2''d'' can be done by one or more reduction steps without an offset.

If ''ad'' â‰¤ ''m'', then one additional reduction step suffices. Since ''x'' < ''m'', ''ax'' < ''am'' ≤ (''a'' âˆ’ 1)2^''e'', and one reduction step converts this to at most 2^''e'' âˆ’ 1 + (''a'' âˆ’ 1)''d'' = ''m'' + ''ad'' âˆ’ 1. This is within the limit of 2''m'' if ''ad'' âˆ’ 1 < ''m'', which is the initial assumption.

If ''ad'' > ''m'', then it is possible for the first reduction step to produce a sum greater than 2''m'' = 2^''e''+1 âˆ’ 2''d'', which is too large for the final reduction step. (It also requires the multiplication by ''d'' to produce a product larger than ''e'' bits, as mentioned above.) However, as long as ''d''² < 2^''e'', the first reduction will produce a value in the range required for the preceding case of two reduction steps to apply.

Schrage's method

If a double-width product is not available, Schrage's method, also called the approximate factoriation method, This explores several different implementations of modular multiplication by a constant. may be used to compute , but this comes at the cost:
* The modulus must be representable in a signed integer; arithmetic operations must allow a range of ±''m''.
* The choice of multiplier ''a'' is restricted. We require that , commonly achieved by choosing ''a'' â‰¤ .
* One division (with remainder) per iteration is required.

While this technique is popular for portable implementations in high-level languages which lack double-width operations, on modern computers division by a constant is usually implemented using double-width multiplication, so this technique should be avoided if efficiency is a concern. Even in high-level languages, if the multiplier ''a'' is limited to , then the double-width product ''ax'' can be computed using two single-width multiplications, and reduced using the techniques described above.

To use Schrage's method, first factor , i.e. precompute the auxiliary constants and = (''m''−''r'')/''a''. Then, each iteration, compute .

This equality holds because
:$\begin aq &= a \cdot (m - r) / a \\ &= (a / a) \cdot (m - r) \\ &= (m - r) \\ &\equiv -r \pmod m \\ \end$
so if we factor ''x'' = (''x'' mod ''q'') + ''q'', we get:
:$\begin ax &= a(x \bmod q) + aq\lfloor x/q \rfloor \\ &= a(x \bmod q) + (m-r)\lfloor x/q \rfloor \\ &\equiv a(x \bmod q) - r\lfloor x/q \rfloor \pmod m \\ \end$

The reason it does not overflow is that both terms are less than ''m''. Since ''x'' mod ''q'' < ''q'' ≤ ''m''/''a'', the first term is strictly less than ''am''/''a'' = ''m'' and may be computed with a single-width product.

If ''a'' is chosen so that ''r'' â‰¤ ''q'' (and thus ''r''/''q'' â‰¤ 1), then the second term is also less than ''m'': ''r''  ≤ ''rx''/''q'' = ''x''(''r''/''q'') ≤ ''x''(1) = ''x'' < ''m''. Thus, the difference lies in the range −''m'', ''m''−1and can be reduced to , ''m''−1with a single conditional add.

This technique may be extended to allow a negative ''r'' (−''q'' â‰¤ ''r'' < 0), changing the final reduction to a conditional subtract.

The technique may also be extended to allow larger ''a'' by applying it recursively. Of the two terms subtracted to produce the final result, only the second (''r'' ) risks overflow. But this is itself a modular multiplication by a compile-time constant ''r'', and may be implemented by the same technique. Because each step, on average, halves the size of the multiplier (0 â‰¤ ''r'' < ''a'', average value (''a''−1)/2), this would appear to require one step per bit and be spectacularly inefficient. However, each step also divides ''x'' by an ever-increasing quotient , and quickly a point is reached where the argument is 0 and the recursion may be terminated.

Sample C99 code

Using C code, the Park-Miller RNG can be written as follows:

uint32_t lcg_parkmiller(uint32_t *state)

This function can be called repeatedly to generate pseudorandom numbers, as long as the caller is careful to initialize the state to any number greater than zero and less than the modulus. In this implementation, 64-bit arithmetic is required; otherwise, the product of two 32-bit integers may overflow.

To avoid the 64-bit division, do the reduction by hand:

uint32_t lcg_parkmiller(uint32_t *state)

To use only 32-bit arithmetic, use Schrage's method:

uint32_t lcg_parkmiller(uint32_t *state)

or use two 16×16-bit multiplies:

uint32_t lcg_parkmiller(uint32_t *state)

Another popular Lehmer generator uses the prime modulus 2−5:

uint32_t lcg_rand(uint32_t *state)

This can also be written without a 64-bit division:

uint32_t lcg_rand(uint32_t *state)

Many other Lehmer generators have good properties. The following modulo-2¹²⁸ Lehmer generator requires 128-bit support from the compiler and uses a multiplier computed by L'Ecuyer. It has a period of 2¹²⁶:

static unsigned __int128 state;

/* The state must be seeded with an odd value. */
void seed(unsigned __int128 seed)

uint64_t next(void)

The generator computes an odd 128-bit value and returns its upper 64 bits.

This generator passes BigCrush from TestU01, but fails the TMFn test fro
PractRand
That test has been designed to catch exactly the defect of this type of generator: since the modulus is a power of 2, the period of the lowest bit in the output is only 2⁶², rather than 2¹²⁶. Linear congruential generators with a power-of-2 modulus have a similar behavior.

The following core routine improves upon the speed of the above code for integer workloads (if the constant declaration is allowed to be optimized out of a calculation loop by the compiler):

uint64_t next(void)

However, because the multiplication is deferred, it is not suitable for hashing, since the first call simply returns the upper 64 bits of the seed state.

References

* {{cite book , last=Lehmer , first=D. H. , contribution=Mathematical methods in large-scale computing units , url=https://archive.org/details/proceedings_of_a_second_symposium_on_large-scale_ , title=Proceedings of a Second Symposium on Large-Scale Digital Calculating Machinery , year=1949 , page
141
€“146 , mr=0044899 (journal version: ''Annals of the Computation Laboratory of Harvard University'', Vol. 26 (1951)).
* Steve Park
Random Number Generators

External links

may be useful for choosing moduli. Part of Prime Pages.

Pseudorandom number generators
Modular arithmetic