High Quality Uniform Random Number Generation Using LUT Optimised State-transition Matrices

Abstract

This paper presents a family of uniform random number generators designed for efficient implementation in Lookup table (LUT) based FPGA architectures. A generator with a period of 2^k − 1 can be implemented using k flip-flops and k LUTs, and provides k random output bits each cycle. Each generator is based on a binary linear recurrence, with a state-transition matrix designed to make best use of all available LUT inputs in a given FPGA architecture, and to ensure that the critical path between all registers is a single LUT. This class of generator provides a higher sample rate per area than LFSR and Combined Tausworthe generators, and operates at similar or higher clock-rates. The statistical quality of the generators increases with k, and can be used to pass all common empirical tests such as Diehard, Crush and the NIST cryptographic test suite. Theoretical properties such as global equidistribution can also be calculated, and best and average case statistics shown. Due to the large number of random bits generated per cycle these generators can be used as a basis for generators with even higher statistical quality, and an example involving combination through addition is demonstrated.

1 Introduction

Many applications are reliant on random numbers, such as financial calculations, simulated equipment testbeds, and simulation of communications channels. Such applications require large amounts of processing power, while providing many opportunities to exploit fine-grain and coarse-grain parallelism, and so are often ideally suited to implementation in FPGAs [5, 20, 30]. In order to function correctly, these applications require many parallel streams of high quality, large period, uncorrelated uniform random number generators. These are most commonly used as input to transformation functions which will provide the non-uniform distributions, and typically require many uniform input bits for each non-uniform output sample [4, 15].

In this paper we introduce a class of random number generators where every bit of the generator state can be used as a random output bit, allowing large numbers of parallel number streams to be produced from one large period generator. The key contributions are:

• A technique for creating linear recurrence based random number generators, using state-transition matrices optimised for LUT based architectures; it is particularly suited for applications where many random bits are needed per-cycle

• Hardware implementation and benchmarking of the generators in the Virtex-II architecture

• An example of an additively combined generator which passes all empirical tests, with low area requirements and high generation speed

• Empirical evaluation of generator quality using the Diehard, Crush and NIST test batteries, and theoretical evaluation using the equidistribution test

• A comparison of the generators with other types of linear recurrence, such as LFSR and Combined Tausworth based generators

2 Background

Random number streams can be generated using either a True Random Number Generator (TRNG), or a Pseudo-Random Number Generator (PRNG). TRNGs rely on physical processes such as thermal noise or jitter, and so produce data that are fundamentally unpredictable. FPGA based implementations of TRNGs are available, such as [7] and [26], which are both variants on the same technique of sampling a high frequency clock with a low frequency unstable clock. While excellent for cryptographic purposes, these generators are generally not useful for simulations, as the bit generation rate is too low, typically only tens or hundreds of kilo-bits per second. TRNGs also make it impossible to repeat a random sequence unless the entire sequence is stored, meaning that it is impossible to repeat a specific simulation run in order to verify results.

Pseudo-Random Number Generators produce random numbers by using a deterministic state-transition function \(f(x)\) to transform the current state \(x_{i}\) into a new state \(x_{i+1}\). The sequence of states \(x_{1},x_{2},...\) is then used as a sequence of random numbers. Because there are a finite number of states that can be produced, and the transition function is deterministic, the maximum sequence length that any PRNG with \(k\)-bit state can produce is limited to \(2^k\). Selection of the state-transition function is obviously critical: \(x_{i+1}=(x_{i}+1) \mod 2^k\) will produce a full length sequence, but is obviously not random. A good overview of common random number generators is provided by Knuth [11], but concentrates mainly on software generators. Here a brief survey of techniques appropriate for hardware implementation is presented.

The two most common types of hardware random number generators are Linear Feedback Shift Registers (LFSRs) and their variants, and Cellular Automata (CA) generators. Other algorithms are also used for more specialised situations, such as the Blum Blum Shub algorithm [26] for cryptographic random numbers, but are not appropriate for situations requiring high sample rates such as simulations.

LFSRs are the best known of a family of generators based on binary linear recurrences [25], that includes other generators used in hardware such as Tausworthe, Combined Tausworthe, as well as the new family of generators introduced in this paper. Some software generators such as the Mersenne Twister [19] and WELL [22] also belong to this family, but are less commonly implemented in hardware.

Binary linear recurrence based generators form each new bit in the next state from a linear combination of the bits in the current state. The advantage of this type of generator is that the state-transition function is easily and efficiently implemented in LUTs: state \(x_{i+n}\) can be determined from state \(x_i\) in \(O(\log_2(n))\) steps, and that the period length is only one less than the theoretical maximum. However, current generators from this family suffer from poor statistical quality. This type of generator is discussed in more detail in Section 3.

Cellular Automata generators form a large class of algorithms, including linear recurrences, but are usually taken to mean binary non-linear recurrences [27]. For example the well-known Rule-30 generator forms each new bit from a combination of the three nearest bits in the previous state according to the formula: \(x_{{i + 1,b}} = x_{{i,b - 1}} \oplus {\left( {x_{{i,b}} \vee x_{{i,b + 1}} } \right)}\). An example of a 6-bit CA is shown in Fig. 1, where each register bit is updated using a combinatorial function of its current state plus that of its two neighbours. The array of bits is typically organised as a ring, so the first and last bits are considered to be neighbours. This type of generator gives a chaotic sequence, i.e. the only way to find state \(x_{i+n}\) from \(x_n\) is to step through all the intermediate states. The period of a given generator is also difficult to determine, as there are likely to be multiple state-cycles of different lengths, with the initial state selecting which cycle is used.

Figure 1

Six bit one-dimensional Cellular Automata (CA) circuit.

One dimensional, nearest-neighbour CA generators have been used instead of LFSRs in VLSI for random bit generation [10], but the quality of simple one-dimensional sequences is often poor. In [23] more complex configurations are considered, such as four input functions to take advantage of 4-LUTs, and different connection topologies. This gives higher statistical quality, but because all four LUT inputs are used there is no easy way to load or store the generator’s state without partial reconfiguration or extra LUTs. The generators also still have unsolved problems related to sequence period and quality, due to the lack of formal methods for analysing CAs.

The quality of random number generators is usually determined through the use of empirical tests for sequence randomness. These operate on the sequence of numbers produced by a generator, rather than the generator algorithm itself. Each test looks for specific patterns within the sequence, then calculates the likelihood of that type of pattern occurring; for example, in the infinite limit a truly random bit sequence should consist of half zeroes, and half ones. Unfortunately it is only possible to test a finite number of samples, so the number of zeros is expected to follow a binomial distribution. By counting the number of zeroes found in a sample of numbers, then plugging this observed value into the inverse CDF (Cumulative Distribution Function) of the expected distribution, in this case a binomial CDF, a value between 0 and 1 is produced, often called a p value. If a generator produces random numbers that pass the test, i.e. they fit that test’s particular view of what is important in a random sequence, then the set of p values from multiple runs of the test should be uniformly distributed. If the p values are clustered around 0 or 1 then the generator does not meet that test’s expectations about randomness. It is important to note that empirical testing is inherently probabilistic: a perfect random number generator will occasionally produce p values that appear to indicate a failure.

Each empirical test only looks at one aspect of randomness, so it is common to group together lots of different tests into a test battery. The best known of these is Diehard [16], which comprises 16 different tests, and has been the standard test battery in recent years. Unfortunately Diehard is not parametrisable, and consumes just 2.5 M 32-bit integers across all the tests; a hardware simulation running at 133 MHz will consume over 50 times the Diehard sample size each second. TestU01 [13] is a newer test suite designed for modern applications that consume many more numbers. The standard test battery of the suite, Crush, consumes approximately \(2^{35}\) numbers, while Big-Crush, designed to test random numbers for long running applications, consumes \(2^{38}\). Another common test is the NIST test battery, which is designed to test random numbers for cryptographic purposes (although the test does not confer any guarantee of algorithmic cryptographic strength), and so has an emphasis on the ability to predict the next number from the previously generated ones.

3 Linear Recurrence Generators

In this section some of the theory behind binary linear recurrences for random number generation will be introduced, along with the way that existing generators fit into this model.

A large family of software and hardware uniform random number generators, such as LFSRs and Combined Tausworthe generators, are based on linear recurrences using GF(2) (i.e. modulo 2 or binary) arithmetic. In their most general form these generators consist of a \(k \times k\) matrix \(A\), used to provide a sequence \(x_1...x_{\inf}\) from an initial state \(x_1\) using the recurrences:

$$x_{{i + 1}} = Ax_{i} ,\,\,\,y_{i} = Bx_{i} $$

(1)

The \(k\) bit wide sequence is reduced down to a \(w\) bit wide output sequence using a \(w \times k\) matrix \(B\). The sequence \(y_{1},y_{2},...\) can then be interpreted as a sequence of random numbers, most commonly by transforming to real numbers in the range \([0,1)\), or by interpreting as integers in the range \([0,2^w-1]\).

The parameter \(k\) is the number of state bits used by the generator, and ultimately determines the maximum period that can be provided. For a given matrix \(A\) there may be multiple distinct sequences that can be entered, depending on the initial value \(x_1\). The maximum period achievable is \(p=2^k-1\), starting from \(x_1 \neq 0\). It is impossible to achieve a sequence of length \(2^k\), as there is no way to create a matrix \(A\) that will transform a vector of all zero to anything other than zeros under GF(2): the best that can be achieved is one cycle of length 1 when \(x_1 = 0\), and another of length \(2^k-1\) when \(x_1 \neq 0\).

The condition for maximum period is that the recurrence matrix must have a characteristic polynomial which is primitive modulo 2 [25]. The characteristic polynomial is defined as \(P(z)=\det(A-Iz)\), so for a \(k \times k\) matrix this will be a polynomial of degree less than or equal to \(k\). The sequence generated by \(A\) has maximum period if and only if \(P(z)\) is primitive modulo 2 [17].

Parameter \(w\) determines the number of output bits provided by the generator, and the matrix \(B\) is used to determine how the output bits are created from the state bits. If \(B = I\) then the state bits will be used directly, but if \(B \neq I\) then the output bits will comprise some linear combination of the state bits. This process is often called tempering [18], and can be used to improve the statistical properties of the output sequence, for example by using two state bits to provide each output bit when \(k \geq 2w\).

The two matrices \(A\) and \(B\) are chosen to provide an output sequence that is of high statistical quality, while also being easy to implement. Ease of implementation breaks down into two further categories, of software and hardware: in software it is necessary that the matrix multiplications can be implemented efficiently using full-length word operations, while in hardware it is desirable to minimise the amount of logic and registers used. Satisfying any two of these three conditions often means that the third one is not met; for example generators that can be easily implemented in software and have good statistical quality often require too much state to be area-efficient in hardware.

The classic hardware linear recurrence based generator is the single bit LFSR. This generator is based on very simple maximum period linear recurrences, by selecting a primitive polynomial of the appropriate degree, then setting up a recurrence that implements the polynomial directly. This is usually generated as a bit sequence, \(b_{i+1}=w_1 b_{i} + w_2 b_{i-1} ... w_k b_{i-k+1}\), where \(w_1...w_k\) are the coefficients of the polynomial. The generator obviously still has a \(k\) bit state, formed from the last \(k\) bits, \(x_i=<b_i,b_{i-1},...,b_{i-k+1}>\), but because most of the state is just a shifted version of the previous state only 1 bit can be used as an output. Figure 2 gives an example of the structure of a 6-bit LFSR, based on the feedback polynomial \(b^6+b^5+b^0\).

Figure 2

A 6 bit Linear Feedback Shift Register (LFSR).

LFSRs have very efficient implementations in certain architectures [1], particularly in the Virtex-II and later families from Xilinx, where the shift register portions can be implemented using SRL16s [9]. However, because each instance only produces 1 bit per cycle, \(w\) parallel instances are needed to produced a \(w\) bit number sequence. So to produce a \(2^k-1\) bit sequence, \(k w\) bits of state are needed, rather than just \(k\). LFSRs also become less area-efficient as the number of taps or the period length is increased, so are not appropriate for high quality random word (as opposed to bit) generators.

The Tausworthe generator [12] is a type of linear recurrence generator that avoids the main drawback of LFSRs, as more than one bit from the state can be used as an output each cycle. A Tausworthe sequence is created by taking \(w\) bit blocks from a maximum period \(k\) bit recurrence (\(w \le k\)) every \(s\) bits, i.e. \(x_i=<b_{i s+1},b_{i s+2},...,b_{i s+w}>\). If \(2^k-1\) and \(s\) are relatively prime then the overall period of the sequence \(x\) will remain \(2^k-1\). It may appear that each state transition will require \(s\) steps, but it is possible to calculate each transition in parallel; for example the QuickTaus algorithm [12] can be used in both software and hardware to implement Tausworthe generators for primitive trinomials. Because Tausworthe generators are usually implemented using trinomials, the quality of the generators is poor, particularly when \(s<w\). The main use of the Tausworthe generator is to create Combined Tausworthe generators [12], whereby two or more \(w\) bit wide generators are combined using exclusive-or to provide a new sequence. If the constituent polynomials are chosen such that all their periods are relatively prime, then the period of the combined generator is equal to the product of the polynomial periods. Although implemented as a combination of three separate generators, the overall combination forms another linear recurrence matrix, though with a non-maximum period sequence. Combined Tausworthe Generators are area efficient (compared to parallel LFSRs), and produce good quality generators [14, 29].

4 LUT Optimised Linear Recurrences

The Tausworthe generator is primarily designed for software use, with a low instruction count implementation as the main design priority. The left side of Fig. 3 shows the recurrence matrix for a 31-bit Tausworthe generator, which takes six instructions to execute in software. In hardware this will take 31 FFs and 22 4-LUTs, and only two inputs of each LUT entry will be used. This is a waste of logic as only half the LUT’s inputs will be used.

Figure 3

Feedback matrices for, from left to right: 31-bit Tausworthe generator, 4-tap matrix, 3-tap loadable matrix, 4-tap ring matrix.

If the requirements of software implementations are ignored, then designing the generator recurrence matrix becomes much simpler. The restrictions imposed on the matrix to allow efficient calculation using word-based bit-wise instructions can be ignored, allowing the matrix to be designed for efficient LUT based implementation. The rules for selecting an efficient matrix are then as follows:

• A minimal criterion for maximum period is that all bits must depend on at least one other bit, and must in turn be used by at least one other bit.

• If a bit is to appear minimally random, rather than just a shifted copy of another bit from a previous state, then it must depend on at least two bits.

• A 2 input function requires one \(l\)-LUT, but the extra \(l-2\) inputs may as well be used as it costs nothing.

• Ideally all bits should only be sampled by \(l\) other bits to avoid over-dependence on specific bits within the state.

• The matrix must have maximum-period, i.e. the characteristic polynomial of the matrix must be primitive (modulo 2).

These rules mean that a \(k\times k\) matrix must be found, where all rows of the matrix contain \(l\) ones, all columns of the matrix contain \(l\) ones, and the characteristic polynomial is primitive (as explained later, the row and column constraints have to be relaxed slightly in practise).

To find such matrices a stochastic search approach is used, which generates random candidate matrices that satisfy the constraints on tap placement until a matrix is found which has a primitive characteristic polynomial. Both calculating the characteristic polynomial and testing a polynomial for primitivity are time-consuming processes, so some quick rejection steps are used. First, if the determinant of a binary matrix is zero then the characteristic polynomial cannot be primitive. Second, a necessary (but not sufficient) condition for polynomial primitivity is that the polynomial is irreducible. This leads to the following algorithm for finding generator matrices:

1. 1.

   Generate a random \(k \times k\) matrix \(A\) with approximately \(l\) ones in each row and \(l\) ones in each column.

2. 2.

   If \(\det(A)=0\) then go to step 1.

3. 3.

   Calculate \(P(z)\), the characteristic polynomial of \(A\).

4. 4.

   If \(P(z)\) is reducible then go to step 1. This step is performed using a fast probabilistic algorithm that will occasionally not reject a reducible matrix.

5. 5.

   Perform full primitivity test on \(P(z)\). If \(P(z)\) is primitive then accept matrix \(A\) as a full-period generator. The primitivity test rejects the small number of reducible matrices that were misclassified in step 4 by the probabilistic test.

This search process is implemented using the NTL Number Theory Library [24] to implement the calculations in steps 2, 3 and 4. The final primitivity test is performed by a version of PPSearch [6], modified to accept NTL format binary polynomials. This system can be used to find full period matrices up to a size of about 1,500, but beyond this point a more efficient algorithm, or hardware accelerated implementation, will be needed.

Table 1 shows statistics from the search process while searching for matrices with \(l=4\) for increasing matrix size. For each size the search process is run until four different full-period matrices are found, and the table shows the overall statistics. The Tested Candidates figure is the total number of candidate matrices tested, while the Rejections columns show how many matrices are rejected by each stage. A very small proportion of non-primitive matrices make it through to the primitivity test, with most being rejected by the Determinant test. The Total time column is the total CPU time used to find the four generators, measured on an Athlon 1.2 GHz machine with 1 GB of RAM. Also included is a breakdown of where the time is spent, and it is clear that by far the biggest bottleneck is the characteristic polynomial calculation, which increasingly dominates execution time as the matrix size increases.

Table 1 Search process statistics for finding primitive 4-LUT generators with increasing matrix size.

After implementing the search process, it was discovered that the requirements outlined above, specifically that each row and column must have exactly \(l\) ones, results in matrices that are never full-period generators. The solution that is adopted is to select one or two bits in the state and either use an \(l+1\) input feedback or an \(l-1\) input feedback for those bits. Only one modified bit seems to be necessary in order to find a solution, but scaling the number up with the matrix size speeds up the search process. The first solution requires an extra LUT for the selected bits, while the second solution possibly sacrifices a little quality. In this paper the second solution is used, but where possible the \(l-1\) input bit(s) are not directly used to form random numbers, hopefully hiding this minor flaw.

Equation (2) shows an example of a six bit full-period generator, with \(l=3\). Note that the bottom row only contains two ones in order to allow the full-period criteria to be met. The equivalent generator circuit is also shown in Fig. 4.

$$\begin{array}{*{20}l} {{x_{{i + 1}} = } \hfill} & {{\begin{array}{*{20}l} {0 \hfill} & {0 \hfill} & {0 \hfill} & {1 \hfill} & {1 \hfill} & {1 \hfill} \\ {1 \hfill} & {1 \hfill} & {0 \hfill} & {0 \hfill} & {0 \hfill} & {1 \hfill} \\ {1 \hfill} & {0 \hfill} & {0 \hfill} & {0 \hfill} & {1 \hfill} & {1 \hfill} \\ {0 \hfill} & {1 \hfill} & {1 \hfill} & {1 \hfill} & {0 \hfill} & {0 \hfill} \\ {1 \hfill} & {1 \hfill} & {0 \hfill} & {0 \hfill} & {1 \hfill} & {0 \hfill} \\ {0 \hfill} & {0 \hfill} & {1 \hfill} & {1 \hfill} & {0 \hfill} & {0 \hfill} \\ \end{array} } \hfill} & {{x_{i} } \hfill} \\ \end{array} $$

(2)

Figure 4

Six-bit 3-tap LUT optimised linear Recurrence.

The right hand side of Fig. 3 shows a larger 31 bit recurrence matrix generated for a 4-LUT architecture. The difference from the Tausworthe generator to the left is visually clear, and in Section 7 the statistical quality will also be evaluated, but first some alternate matrix constraints will be considered that organise the feedback in different ways.

The first modification is to allow the generator’s state to be read and stored, which is necessary in order to be able to start the sequence from a specific state. This is particularly important in parallel simulations, as each simulation node needs to operate within a different sub-sequence of the generators entire sequence. This can be achieved by assigning starting states at known offsets within the sequence to each simulation node, using the property of linear recurrences that \(x_{i+t}=A^{t}x_{i}\). For example, if each of \(N\) simulation nodes will consume \(t\) random outputs, each node \(1\le n \le N\) can be given a starting state \(s_{n} = A^{t} s_{n-1}\), where \(s_{0}\) is some arbitrary base state. However, this requires some way of loading arbitrary states into each generator.

Loading state into a generator is a problem if all \(l\) inputs of each LUT are already used, as two extra inputs are needed for each bit in the state: one to control whether the bit will be formed from a recurrence or loaded from an external source, and another to supply the bit from an external source. Implementing this function will require two LUTs, one to implement the original recurrence, and another to select between the recurrence input and the external input on the basis of a control input. One option is to increase the number of feedback taps from \(l\) to \(2l-3\) by using two LUTs, increasing the complexity of the recurrence as well as supporting loading. For example in a 4-LUT device this would increase the width of each exclusive-or to five inputs.

If doubling the number of LUTs is unacceptable, then state loading can be implemented with just one input: the control signal. This is achieved by loading the state serially in \(k\) cycles, rather than in parallel in a single cycle. A \(k\) bit cycle through the state bits is chosen from the set of connections already used to form a matrix with \(l-1\) inputs per bit. This cycle of bits forms a shift register, which is used to load new state bits in serial. The control bit uses up the final input in each LUT, and selects between just using the single connection shift register connection to load a new state, or all of the connections to calculate the next state.

In a 4-LUT architecture, such as the Virtex [28] family, this arrangement will reduce each bit’s state transition to a linear combination of three other bits. This lack of feedback complexity can be compensated for by organising the feedback matrix such that the \(w\) bits used to form an output stream only depend on the other \(k-w\). This avoids the simplest correlations between bits within the output stream, and can be extended for multiple streams taken from the same generator.

In other architectures this arrangement can be implemented with no overhead. For example, the Stratix-II device [3] adopts a flexible LUT architecture, and one of the modes allows two 5-LUTs per cell, as long as two of the inputs are common to both LUTs. This configuration can be used to implement a 4-input per bit recurrence generator with serial state loading, as one of the shared inputs will be used by the control signal, while the other can be found simply by grouping together pairs of bits that already depend on a common input. Alternately the SLOAD feature can be used to implement the serial loading, but this may require device specific HDL.

The major factor that limits performance in this architecture is routing congestion: even in the simple six bit example shown in Fig. 2 the routing is already very complex. An attempt to reduce routing congestion was made, by restricting the matrix to only connect together bits within \(t\) bits of each other (when the state is considered as a ring of bits). Figure 3 shows a 31 bit matrix where such a constraint with \(t=5\) has been used, showing that all feedback taps are clustered along the main diagonal. When implemented in hardware this, form of matrix would be expected to form a ring of registers with only local connections, and so be able to achieve higher speeds than a more general matrix. Finding matrices with low values of \(t\) takes a long time, with \(t=k/8\) being a reasonable lower point for the current search process. In practise it was found that such matrices were consistently slower than matrices without such constraints, rather than faster. The reason for this is unclear, and whether this behaviour is due to the place-and-route tools, architecture, or both is unknown.

5 Implementation

In this section the hardware performance of the generators is tested using VHDL implementations in the Stratix-II, Spartan-3 and Virtex-4 architectures.

Given a binary recurrence matrix, it is straightforward to create a hardware description that implements it. For example, the following Handel-C code segment:

• macro expr k = 6:

• macro expr matrix ={{0,0,0,1,1,1},

  {1,1,0,0,0,1},

  {1,0,0,0,1,1},

  {0,1,1,1,0,0},

  {1,1,0,0,1,0},

  {0,0,1,1,0,0}};

• macro expr fb(i,row) =  select (i==k,0,

  (state[i]&row[i])^fb(i − 1,row)

  bool state[k]; par(i = 0;i < k;i++){

  state[i] = fb(0, matrix[i]); }

can be used to implement the six bit generator example shown previously, or any other generator if the matrix and k constants are changed.

Figures 5, 6, and 7 give feedback matrices of a practical size in a more compact form. Each tuple within the data-set identifies the feedback taps for bit-0 through bit-\(k\), with each tuple containing the zero-based offsets of the tap locations. A negative one in a tuple indicates that less than the full number of taps are used for that bit. Listing 1 gives example Handel-C code for using data-sets in this form.

Figure 5

Feedback taps for a 32-bit 3-tap generator.

Figure 6

Feedback taps for a 64-bit 4-tap generator.

Figure 7

Feedback taps for a 128-bit 3-tap generator.

• macro proc RNG(k,numTaps,taps,oState)

• {

  • // make sure initial state is not zero

  • static unsigned 1 state[k]={1};

  • // xor of up to numTaps bits from state

  • macro expr fb(i,t) =

  • select (t==numTaps, 0,

  • select (taps[i][t]==−1, 0

  • state[taps[i][t]]^fb(i,t+1)));

  • // calculate next value of bit in state

  • par(i=0;i<k;i++){

  • state[i]=fb(i,0);

  • oState[i]=state[i];

• }

• }

• Listing 1 Example handled-C code for implementing a random number generator using the given data-sets.

For evaluation purposes two types of hardware can be generated: one that implements just the generator core for area and speed measurements, and another that also contains interfacing code to software for statistical testing. The area and speed measurements are implemented using one clock input pin, one reset input pin, and with all generator state bits routed to output pins. The clock rates quoted here represent flip-flop to flip-flop delay, and do not include flip-flop to pin paths. Where not enough pins are available in a package, multiple pins are multiplexed together with exclusive-ors before being routed to output pins, with the extra area excluded from the overall total. The designs are implemented using VHDL, and compiled using ISE 8.1 for Spartan-3 and Virtex-4 devices, and Quartus II 4.0 for Stratix-II devices. The built-in synthesis was used in both tool-chains, all effort levels were set to “high,” and all settings for area/speed optimisation settings were set to favour area.

In all cases where the number of inputs per bit is less than or equal to the number of LUT inputs, the reported area is exactly as predicted: for 3- or 4-tap matrices each generator requires exactly \(k\) flip-flips and \(k\) LUTs. In these cases the critical path contains just one LUT, plus a routing delay that increases with matrix size, due to congestion. Figure 8 shows the changes in speed for increasing values of \(k\) in the three different architectures. The log-trend curve fitted through each set of points shows that the decrease in speed is approximately logarithmic in the number of state bits. No statistically significant difference in timing is detected between 3-tap generators that supported sequential loading and unloading of state compared with those that do.

Figure 8

Clock rates (according to critical path) for 4-tap generators of increasing matrix size, with fitted log-trend for each family.

Figure 9 shows the change in area and speed as the number of taps is increased in a 64-bit generator. Once the number of inputs per exclusive-or calculation exceeds that of a single LUT, the synthesis and place-and-route tools have to start making more complex decisions about how to compute partial products. This is most striking in the 4-LUT based Virtex-4 and Spartan-3 architectures, where a 5-tap generator requires twice the LUTs of a 4-tap generator. However, the ALUTs of the Stratix-II can support more inputs per LUT, and allow more flexibility when partitioning the ALUTs to create partial products, so the number of LUTs for a given tap count is lower.

Figure 9

Changing LUT count and clock rate for 64-bit generators with an increasing number of taps.

As well as requiring more area, increasing the tap counts also increases the critical path, due both to the increase in logic depth needed to implement the wider exclusive-or functions, and because the fan-out per-bit increases with the tap count. Given the increase in LUTs and decrease in clock rate, there are very few occasions where it is worth using more taps than can be supported by a single LUT. Each extra LUT that is used to support a wider exclusive-or could equally be used as a LUT plus register to increase the matrix size (rather than allowing more taps), and the subsequent increase in period is likely to provide better quality than increasing the number of taps. For example, compare the quality of the 3-tap, k = 128 and 5-tap, k = 64 generators in Table 3 in Section 7.

6 Further Optimisations

As shown in Section 7, the statistical quality of the generators shown so far is good, but suffers from the same problem as any generator based on a linear recurrence: the next state of a linear recurrence based generator can always be predicted if more than \(k\) previous states are known. This is why none of the given generators pass the linear complexity statistical tests. Here we outline one modification that can be used to pass these tests, while still retaining all the good properties of recurrence generators, such as low area, high speed, and the ability to skip the sequence ahead.

Increasing the value of \(k\) until each test passes treats the symptoms, but not the underlying problem. A better solution is to combine two samples using addition or multiplication. The underlying linear recurrence is then masked due to the mixing of bits. Multiplication does the best job of mixing, but requires high-cost resources in hardware, so here addition is chosen. One problem with combining through addition is that the lowest bit is simply the exclusive-or of the least significant bits of the inputs. To make sure that even the low output bit is of good quality, the lowest \(d\) bits produced by the addition will be discarded, so to produce a \(w\) bit output a \(w+d\) bit adder is used. If \(w\) is large, e.g. 32 bits, then this adder is likely to limit clock speed, so instead the addition is split up into \(s\) separate additions of \(w/s+d\). To supply this addition a total of \(w+s d\) random bits are needed to produce each output sample.

This additive combination scheme is implemented using \(w=32\), \(s=4\), and \(d=2\). The two input samples are supplied by two separate 3-tap matrix generators, one of size 80, the other 81, both generated with support for serial loading. Because the periods of the two generators are coprime the full period is \((2^{80}-1)(2^{81}-1)\) giving a period of approximately \(2^{160}\). Two separate generators are used rather than one single generator, as it should improve speed in congested designs. This generator can produce a single stream, or by using two additive combination stages, two streams. Higher period generators that support more streams can easily be created by using larger matrices, and different width streams can also be generated from a single generator if necessary.

As well as passing the Diehard and Crush tests, this generator also passes the harder Big-Crush test. The NIST test for cryptographic numbers is also passed, using a 1 Gb sample treated as 1,000 independent streams. When two streams are generated, both pass all the tests, and so far no empirical test batteries have been found that it does not pass.

7 Empirical Statistical Quality

Testing randomness with a test battery, such as Diehard, does not provide a definite answer to the question of whether a given sequence is random or not. All the tests provide is a set of p values which must then be interpreted. One approach to this is to run the tests, and consider any values outside the \([0.01,0.09]\) range as a fail, but in a set of 100 p values at least one value in this range should “fail.”

The approach taken here is to run each test battery three times, and then for each test within the battery the triple of corresponding p values is considered. Tests are considered a fail if one of three conditions hold: at least one p value outside the range \([0.0001,0.9999]\); at least two p values outside the range \([0.01,0.99]\); or all three p values outside the range \([0.05,0.95]\). This means that there is very roughly a 1 in 10,000 chance that the wrong decision is made. The tests are performed by executing the matrix generators in hardware using an RC2000 (Alpha-Data ADMX-RC2) system [2] (containing an XC2V6000 FPGA), with a software wrapper to return the generated samples back to the test suites. The generators are initialised to a random state before each test, and strictly consecutive samples are returned to the test suite, i.e. no samples are dropped or skipped.

Results for the Diehard and Crush batteries are shown in Table 2, indicating the number of tests failed, and an abbreviation of each of the failed test types. The abbreviations are expanded underneath the table; for a full explanation of each test, see the Diehard [16] and Crush [13] documentation.

Table 2 Failed tests for the diehard and crush test batteries for different random number generators.

The 4-tap generators represent the case where the generator state does not need to be loaded (e.g. a free running generator or test vector generator), while the 3-tap generators are for use where the state needs to be loaded (e.g. for a simulation application). The third group contains results for two Combined Tausworthe generators [12], and two parallel LFSRs generated using Xilinx CoreGen.

A feature of the matrix generators is that all \(k\) bits are usable, so another test of the quality of all \(k/w\) streams of the selected generators was also performed. It was found that the streams are all of roughly the same quality, and in only one exceptional case (where \(k=256\)) was the quality of one stream significantly worse than another from the same generator. In that case the stream is supplied from a set of bits with very low connectivity to the rest of the matrix, forming an almost independent stream. However, this was the only example of this type found, and a notable feature of this matrix was that it had very poor equidistribution (see Section 8).

Table 3 provides a summary of the area, speed and empirical quality of multiple generators. The first group of results shows a selection of 4-tap generators, while the second group shows 3-tap generators that support serial state loading. The third group shows the additive combination generator from Section 6, first where just one 32 bit stream is produced, then where two streams are produced. The fourth group contains other hardware generators for comparison purposes, while the last group contains results from software generators running on a 3.2 GHz P4, including the widely used Mersenne Twister (mt19937) [19]. The LUT and Flip-Flop counts only apply to the Virtex-4 implementation, although for the first two groups (4-tap and 3-tap generators) the size of the generators was identical across all three devices.

Table 3 Summary of the quality, area and speed of a selection of hardware generators.

In many cases the critical path of a generator is extremely fast, and speeds of up to 1 GHz are seen in Fig. 8. However, in practise the working speed will be limited to that of the clock distribution lines, so Table 3 limits the reported generator frequency to the minimum of the critical path and the global clock net. Where clock distribution is the limiting factor the corresponding entry is italicised. Where the manufacturers do not list a maximum global clock net frequency, the maximum output frequency from the DCMs/DLLs is used.

The Diehard results reveal the slight loss in randomness in the 3-tap generators, as the 4-tap generators pass with \(k=96\), while the 3-tap generators only pass at \(k=128\). The Crush results show this as well, with the 4-tap generators passing more tests for the same \(k\) value. The parallel LFSR-160 generator gives similar quality to the 3- and 4-tap generators with \(k=64\), but requires 7 times as many LUTs, even with the SRL16 optimisations performed by CoreGen.

The Tausworthe generators provide much better quality than the LFSRs, and are actually better than the matrix generators for a similar period length; this is not unexpected, as the generators in [12] are selected to have Maximal Equidistribution (i.e. a sum of dimension gaps of zero), but also have the further property of being Collision Free, so have slightly better equidistribution than the matrices used in the table. For larger periods the matrix generators achieve equal or better quality, while requiring less logic per sample generated: the 4-tap, \(k=256\) generator is of about the same quality as Taus113, but has over eight times the pure sample rate, and achieves 5 times the sample rate per LUT used.

When high quality random number generation is considered, the LFSR based generators cannot compete due to large area and poor quality. For instance, the combo, 2-strm generator produces over three times the sample rate per LUT compared to LFSR-160, and has much better quality. The Taus113 generator requires a relatively low amount of area, but still does not pass all the tests, while the dual combination generator has roughly the same sample generation rate per LUT, and is of much higher quality.

Two of the Crush tests are not passed by any of the basic matrix generators, or by the LFSR and Tausworthe generators. These are two tests for linear complexity, and so easily detect the linear structure of the relatively low period generators shown here. Another two tests are only passed by the two matrix generators with \(k=1248\), which are both tests for matrix rank. These tests can detect linear recurrences below a certain degree, in the case of Crush the maximum degree is 1,200. For evaluation purposes a period just over 1,200 is chosen, just to check that it could be passed. A better solution is the modifications suggested in Section 6, using in the combo generators.

8 Theoretical Statistical Quality

The equidistribution test provides a theoretical quality metric that applies to a generator’s entire output sequence, as opposed to empirical tests that can usually only test a very small sub-sequence. The test determines how evenly successive \(t\)-tuples of random outputs fill a \(t\)-dimensional hyper-cube, by partitioning the hypercube into multiple buckets and counting the number of times each bucket is hit [21]. By using properties of linear recurrences it is possible to calculate the equidistribution of a generator over it’s entire sequence, without having to manually generate and classify each output.

Specific measures of quality are made by splitting the \(t\)-dimensional hyper-cube into \(2^{l}\) equal sized segments, where \(l \le k\) (\(k\) is the number of binary bits in the generator state). This means that the \(2^{k}\) possible \(t\)-tuples are assigned to a total of \(2^{t l}\) buckets in the \(t\)-dimensional hyper-cube. A generator is said to be \((t,l\))-equidistributed if each bucket in the hypercube contains \(2^{k-t l}\) points. For a given resolution of \(l\), let \(t_l\) be largest dimension \(t\) for which a generator is \((t,l)\)-equidistributed, with an upper bound on \(t_{l}\) of \(t_{l}^{*} = \lfloor k/l \rfloor \). The quality of a generator can then be measured by using the dimension gap \(\delta_{l} = t_{l}^{*} - t_{l}\). For a given resolution \(l\) a low value of \(\delta_{l}\) indicates a good equidistribution, with \(\delta_{l}=0\) indicating the best possible equidistribution.

Each resolution \(l\) measures the quality of the \(l\) most significant bits of a generated sequence, so \(\delta_{2}=0\) would indicate that the two most significant bits of the sequence have the optimum distribution. A measure of quality across all bits in the output sequence is provided by the worst-case dimension gap \(\Delta_{\infty}\) and the sum of dimension gaps \(\Delta_{1}\):

$$\Delta \infty = {\mathop {\max }\limits_{1 \leqslant l \leqslant w} }\delta _{l} \Delta _{1} = {\sum\limits_{l = 1}^{l = w} {\delta _{l} } }$$

(3)

Together these two measures characterise the optimality of a generator across all output bits, with \(\Delta_{1}=0\) indicating a maximally equidistributed generator.

Calculating \(\delta_{l}\) over the entire output sequence is not possible for all types of generator (such as Cellular Automata), and in those cases only an empirical measure of local sub-sequence equidistribution can be calculated. In the case of binary linear recurrences, it is possible to calculate \(\delta_{l}\) using properties of the state-transition matrix. From a given state \(s_i\), it is possible to directly calculate \(s_{i+j}\), or any individual bit within it, using the matrix \(A^j\). This allows the \(t l\) bits that form each \(t\)-tuple with resolution \(l\) to be expressed as a \(t l \times k\) matrix \(E_{t,l}\). It can be shown that a necessary and sufficient condition for \((t,l)\)-equidistribution is that \(E_{t,l}\) have full rank [8, 12]. In this way it is possible to directly calculate \(\Delta_{\infty}\) and \(\Delta_{1}\) for binary linear recurrences.

In the case of the hardware binary linear recurrences discussed in this paper \(w\) is typically less than \(k\), but the distribution of the entire \(k\)-bit state is still of interest. Table 4 summarises the equidistribution of the best matrices found for different values of \(k\). \(\Delta_{\infty}\) and \(\Delta_{1}\) are shown both for a likely output width of \(w=32\), and for \(w=k\). Also included are the weights of the characteristic polynomials. In all cases the weight is close to \(k/2\), an indicator of good statistical quality.

Table 4 Equidistribution of best 3- and 4-tap generators found through random search.

Because the search process used to find matrices is stochastic, there is no guarantee that just because no maximally equi-distributed generators are quoted in Table 4 that they do not exist. Figure 10 shows the cumulative distribution of \(\Delta_{1}\) for a 32 bit output sequence. It is clearly much easier to find a well equidistributed matrix with large \(k\) than it is for small \(k\). Figure 11 shows the cumulative distribution of \(\Delta_{1}\) for 64-bit generators using different numbers of taps. As the number of taps is increased it becomes much more likely that a generator with good equidistribution is found. However, a generator with more taps requires a recurrence matrix with a larger number of ones, increasing the time taken to generate each matrix. This results in a sweet-spot of around 5 or 6 taps, where the probability of finding a maximally equidistributed generator balances the time taken to find each full-period generator, explaining why these are the only two such generators in Table 4.

Figure 10

Cumulative probability distribution of \(\Delta_{1}\) for k={32,64,128} and w = 32.

Figure 11

Cumulative probability distribution of \(\Delta_{1}\) for generators with differing numbers of taps and \(k=w=64\).

9 Conclusion

In this paper a novel technique for designing and implementing linear recurrence based generators in LUT based architectures has been demonstrated. By designing the recurrence matrix to make maximum use of LUT inputs, it is possible to make high quality random number generators with relatively few resources. A generator with period \(2^k-1\) can be implemented using just \(k\) Flip-flops and \(k\) LUTs. All \(k\) bits of the state are random, allowing multiple streams of numbers to be sourced from a single generator, rather than requiring one generator per random number stream. The theoretical properties of these matrices, as measured through equidistribution, are very good, and maximally equidistributed generators within this family of generators can be found.

Table 5 summarises the statistics for some of the suggested generators, as well as the Taus113 and the software Mersenne Twister. The LUT optimised generators can offer high period and very high speed sample generation for a modest area cost, particularly when multiple streams are taken from one generator.

Table 5 Comparison of two 4-tap generators, the additive combination generator, a combined Tausworthe generator, and the software Mersenne Twister.

By combining two of these generators, it is possible to create an FPGA 32-bit random number generator with a period of \(2^{160}\) that passes all common empirical tests, including Crush, Big-Crush and the NIST suite, for a cost of just 307 Flip-flops and 202 LUTS, running at a speed of 360 MHz in the Virtex-4 architecture (combo, 1-stream design in Table 2). This type of generator is ideal for parallel simulations, as the generator state can be read and written at runtime, and the generator state at arbitrary points in the future can be efficiently calculated.

There are several avenues for further work. Improving the efficiency of the search process should increase the speed at which full-period matrices can be found, making it possible to find more maximally equidistributed and collision free generators. This could be achieved by using canonical labels for matrices in order to detect matrices that have already been tried, and to allow for exhaustive searches for state-transition matrices.

Different FPGA families offer opportunities for increasing quality or reducing area using architecture specific components. For instance, the Virtex SRL16 could be used to provide high periods when not all bits of the state will be consumed, while the Stratix-II flexible LUT architecture offers the possibility of prioritising the quality of some bits, by using higher input count LUTs for those bits.