1. General Theory

An MWC generator is a special form of Lehmer random number generator x_n = bx_n−1 mod p which allows efficient implementation of a prime modulus p much larger than the machine word size.

Normal Lehmer generator implementations choose a modulus close to the machine word size. An MWC generator instead maintains its state in base b, so multiplying by b is done implicitly by shifting one word. The MWC multiplier a and lag r determine the modulus p = ab^r−1. a is chosen so the modulus is prime and the multiplier has long period.

The base b is typically chosen to equal the computer's word size, as this makes arithmetic modulo b trivial. This may vary from b = 2⁸ for a microcontroller to b = 2⁶⁴. (This article uses b = 2³² for examples.)

Sometimes an odd base is preferred, in which case b = 2^k − 1 can be used, which is almost as simple to implement.

The period of a lag-r MWC generator is the order of b in the multiplicative group of numbers modulo p = ab^r − 1. While it is theoretically possible to choose a non-prime modulus, a prime modulus eliminates the possibility of the initial seed sharing a common divisor with the modulus, which would reduce the generator's period.

Because 2 is a quadratic residue of numbers of the form 8k±1, b = 2^k cannot be a primitive root of p = ab^r − 1. Therefore MWC generators with base 2^k have their parameters chosen so their period is (ab^r−1)/2. This is one of the difficulties that use of b = 2^k − 1 overcomes.

The basic form of an MWC generator has parameters a, b and r, and r+1 words of state. The state consists of r residues modulo b

0 ≤ x₀, x₁, x₂,..., x_r−1 < b,

and a carry c_r−1 < a.

The initial state ("seed") values are arbitrary, except that they must not be all zero, nor all at the maximum permitted values (x_i = b−1 and c_r−1 = a−1). (This is commonly done by choosing c_r−1 between 1 and a−2.)

The lag-r MWC sequence is then a sequence of pairs x_n, c_n (for n > r) determined by

[math]\displaystyle{ x_n=(ax_{n-r}+c_{n-1})\,\bmod\,b,\ c_n=\left\lfloor\frac{ax_{n-r}+c_{n-1}}{b}\right\rfloor }[/math]

and the MWC generator output is the sequence of x's,

x_r, x_r+1, x_r+2, ...

Although the theory of MWC generators permits a > b, a is almost always chosen smaller for convenience of implementation.

The state transformation function of an MWC generator is one step of Montgomery reduction modulo p. The state is a large integer with most significant word c_n−1 and least significant word x_n−r. Each step, x_n−r·(ab^r−1) is added to this integer. This is done in two parts: −1·x_n−r is added to x_n−r, resulting in a least significant word word of zero. And second, a·x_n−r is added to the carry. This makes the integer one word longer, producing two new most significant words x_n and c_n.

So far, this has simply added a multiple of p to the state, resulting in a different representative of the same residue class modulo p. But finally, the state is shifted down one word, dividing by b. This discards the least significant word of zero (which, in practice, is never computed at all) and effectively multiplies the state by b⁻¹ (mod p).

Thus, a multiply-with-carry generator is a Lehmer generator with modulus p and multiplier b⁻¹ (mod p). This is the same as a generator with multiplier b, but producing output in reverse order, which does not affect the quality of the resultant pseudorandom numbers.

This in turn means that the mathematical techniques developed for such generators (such as the spectral test) can be applied to multiply-with-carry generators.

2. Efficiency

A linear congruential generator with base b = 2³² is implemented as

[math]\displaystyle{ x_{n+1}=(ax_n+c)\ \bmod\,2^{32}, }[/math]

where c is a constant. If a ≡ 1 (mod 4) and c is odd, the resulting base-2³² congruential sequence will have period 2³².^[1]

This can be computed using only the low 32 bits of the product of a and the current x. However, many microprocessors can compute a full 64-bit product in almost the same time as the low 32 bits. Indeed, many compute the 64-bit product and then ignore the high half.

A lag-1 multiply-with-carry generator allows us to make the period nearly 2⁶³ by using almost the same computer operations, except that the top half of the 64-bit product is not ignored after the product is computed. Instead, a 64-bit sum is computed, and the top half is used as a new carry value c rather than the fixed additive constant of the standard congruential sequence: Compute ax+c in 64 bits, then use the top half as the new c, and bottom half as the new x.

3. Choice of Multiplier

With multiplier a specified, each pair of input values x, c is converted to a new pair,

[math]\displaystyle{ x\leftarrow (ax+c)\,\bmod\,2^{32},\ \ c\leftarrow \left\lfloor\frac{ax+c}{2^{32}}\right\rfloor. }[/math]

If x and c are not both zero, then the period of the resulting multiply-with-carry sequence will be the order of b = 2³² in the multiplicative group of residues modulo ab^r − 1, that is, the smallest n such that bⁿ ≡ 1 (mod ab^r − 1).

If p = ab^r − 1 is prime, then Fermat's little theorem guarantees that the order of any element must divide p − 1 = ab^r − 2, so one way to ensure a large order is to choose a such that p is a "safe prime", that is both p and (p − 1)/2 = ab^r/2 − 1 are prime. In such a case, for b= 2³² and r = 1, the period will be ab^r/2 − 1, approaching 2⁶³, which in practice may be an acceptably large subset of the number of possible 32-bit pairs (x, c).

More specifically, in such a case, the order of any element divides p − 1, and there are only four possible divisors: 1, 2, ab^r/2 − 1, or ab^r − 2. The first two apply only to the elements 1 and −1, and quadratic reciprocity arguments show that the fourth option cannot apply to b, so only the third option remains.

Following are some maximal values of a for computer applications which satisfy the above safe prime condition, for lag-1 generators:

While a safe prime ensures that almost any element of the group has a large order, the period of the generator is specifically the order of b. For small moduli, more computationally expensive methods can be used to find multipliers a where the period is ab/2 − 1. The following are again maximum values of a of various sizes.

4. MWC Generators as Repeating Decimals

The output of a multiply-with-carry generator is equivalent to the radix-b expansion of a fraction with denominator p = ab^r − 1. Here is an example for the simple case of b = 10 and r = 1, so the result is a repeating decimal.

Starting with [math]\displaystyle{ c_0=1,x_0=0 }[/math], the MWC sequence

[math]\displaystyle{ x_n=(7x_{n-1}+c_{n-1})\,\bmod\,10,\ c_n=\left\lfloor\frac{7x_{n-1}+c_{n-1}}{10}\right\rfloor, }[/math]

produces this sequence of states:

10,01,07,49,67,55,40,04,28,58,61,13,22,16,43,25,37,52,19,64,34,31, 10,01,07,...

with period 22. Consider just the sequence of x_i:

0,1,7,9,7,5,0,4,8,8,1,3,2,6,3,5,7,2,9,4,4,1, 0,1,7,9,7,5,0,...

Notice that if those repeated segments of x values are put in reverse order:

[math]\displaystyle{ 1449275\cdots 9710\,1449275\cdots 9710\,144\cdots }[/math]

we get the expansion j/(ab−1) with a=7, b=10, j=10:

[math]\displaystyle{ \frac{10}{69}=0.1449275362318840579710\,14492753623\ldots }[/math]

This is true in general: The sequence of xs produced by a lag-r MWC generator:

[math]\displaystyle{ x_n=(ax_{n-r}+c_{n-1})\bmod\,b\,,\ \ c_n=\left\lfloor\frac{ax_{n-r}+c_{n-1}}{b}\right\rfloor, }[/math]

when put in reverse order, will be the radix-b expansion of a fraction j/(ab^r − 1) for some 0 < j < ab^r.

5. Equivalence to Linear Congruential Generator

Continuing the above example, if we start with [math]\displaystyle{ x_0=34 }[/math], and generate the ordinary congruential sequence

[math]\displaystyle{ x_n=7x_{n-1}\,\bmod\,69 }[/math],

we get the period 22 sequence

31,10,1,7,49,67,55,40,4,28,58,61,13,22,16,43,25,37,52,19,64,34, 31,10,1,7,...

and that sequence, reduced mod 10, is

1,0,1,7,9,7,5,0,4,8,8,1,3,2,6,3,5,7,2,9,4,4, 1,0,1,7,9,7,5,0,...

the same sequence of x's resulting from the MWC sequence.

This is true in general, (but apparently only for lag-1 MWC sequences):

Given initial values [math]\displaystyle{ x_0,c_0 }[/math], the sequence [math]\displaystyle{ x_1,x_2,\ldots }[/math] resulting from the lag-1 MWC sequence

[math]\displaystyle{ x_n=(ax_{n-1}+c_{n-1})\,\bmod b\,,\ \ c_n=\left\lfloor\frac{ax_{n-1}+c_{n-1}}{b}\right\rfloor }[/math]

is exactly the Lehmer random number generator output sequence y_n = ay_n − 1 mod (ab − 1), reduced modulo b.

Choosing a different initial value y₀ merely rotates the cycle of x's.

6. Complementary-multiply-with-carry Generators

Establishing the period of a lag-r MWC generator usually entails choosing multiplier a so that p=ab^r − 1 is prime. Then p − 1 will have to be factored in order to find the order of b mod p. If p is a safe prime, then this is simple, and the order of b will be either p − 1 or (p − 1)/2. In other cases, p − 1 may be difficult to factor.

However, the procedure also permits a negative multiplier. This leads to a slight modification of the MWC procedure, and produces a modulus p = |−ab^r − 1| = ab^r + 1. This makes p − 1 = ab^r easy to factor, making it practical to establish the period of very large generators.

The modified procedure is called complementary-multiply-with-carry (CMWC), and the setup is the same as that for lag-r MWC: multiplier a, base b, and r + 1 seeds,

x₀, x₁, x₂, ..., x_r−1, and c_r−1.

The modification is to the generation of a new pair (x, c). Rearranging the computation to avoid negative numbers, the new x value is complemented by subtracting it from b − 1:

[math]\displaystyle{ x_n=(b-1)-(ax_{n-r}+c_{n-1})\,\bmod\,b,\ c_n=\left\lfloor\frac{ax_{n-r}+c_{n-1}}{b}\right\rfloor. }[/math]

The resulting sequence of x's produced by the CMWC RNG will have period the order of b in the multiplicative group of residues modulo ab^r+1, and the output x's, in reverse order, will form the base b expansion of j/(ab^r+1) for some 0 < j < ab^r.

Use of lag-r CMWC makes it much easier to find periods for r's as large as 512, 1024, 2048, etc. (Making r a power of 2 makes it slightly easier (and faster) to access elements in the array containing the r most recent x's.)

Another advantage of this modified procedure is that the period is a multiple of b, so the output is exactly equidistributed mod b.^[2] (The ordinary MWC has a slight bias over its full period, which is negligible if the period is long enough.) produces one fewer zero over its full period.)

One disadvantage of the CMWC construction is that, with a power-of-two base, the maximum achievable period is less than for a similar-sized MWC generator; you lose several bits. Thus, an MWC generator is usually preferable for small lags. This can remedied by using b = 2^k−1, or choosing a lag one word longer to compensate.

Some examples: With b=2³², and a=109111 or 108798 or 108517, the period of the lag-1024 CMWC

[math]\displaystyle{ x_n=(b-1)-(ax_{n-1024}+c_{n-1})\,\bmod\,b,\ c_n=\left\lfloor\frac{ax_{n-1024}+c_{n-1}}{b}\right\rfloor. }[/math]

will be a·2³²⁷⁶² = ab¹⁰²⁴/64, about 10⁹⁸⁶⁷.

With b = 2³² and a = 3636507990, p = ab¹³⁵⁹ − 1 is a safe prime, so the MWC sequence based on that a has period 3636507990·2⁴³⁴⁸⁷ [math]\displaystyle{ \approx }[/math] 10¹³¹⁰¹.

With b = 2³², a CMWC RNG with near record period may be based on the prime p = 15455296b⁴²⁶⁵⁸ + 1. The order of b for that prime is 241489·2^1365056, about 10⁴¹⁰⁹²⁸.

7. More General Moduli

The MWC modulus of ab^r−1 is chosen to make computation particularly simple, but brings with it some disadvantages, notably that the period is at most half the modulus. There are several ways to generalize this, at the cost of more multiplications per iteration.

First, it is possible to add additional terms to the product, producing a modulus of the form a_rb^r+a_sb^s−1. This requires computing c_nb + x_n = a_rx_n−r + a_sx_n−s. (The carry is limited to one word if a_r + a_s ≤ b.)

However, this does not fix the period issue, which depends on the low bits of the modulus. Fortunately, the Montgomery reduction algorithm permits other moduli, as long as they are relatively prime to the base b, and this can be applied to permit a modulus of the form a_rb^r−a₀, for a wide range of values a₀. To do this, precompute a−10 (mod b), and change the iteration as follows:^[3]:3

[math]\displaystyle{ t = c_{n-1} + \sum_1^r a_i x_{n-i}, \ c_n = \left\lfloor\frac{t}{b}\right\rfloor, \ x_n = a_0^{-1}t \bmod b. }[/math]

In the common case that b = 2^k, a₀ must be odd for the inverse to exist.

8. Implementation

The following is an implementation of the CMWC algorithm in the C programming language. Also, included in the program is a sample initialization function. In this implementation the base is 2³²−1 and lag r=4096. The period of the resulting generator is about [math]\displaystyle{ 2^{131104} }[/math].

// C99 Complementary Multiply With Carry generator #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <time.h> // CMWC working parts #define CMWC_CYCLE 4096 // as Marsaglia recommends #define CMWC_C_MAX 809430660 // as Marsaglia recommends struct cmwc_state { uint32_t Q[CMWC_CYCLE]; uint32_t c; // must be limited with CMWC_C_MAX unsigned i; }; // Make 32 bit random number (some systems use 16 bit RAND_MAX [Visual C 2012 uses 15 bits!]) uint32_t rand32(void) { uint32_t result = rand(); return result << 16 | rand(); } // Init the state with seed void initCMWC(struct cmwc_state *state, unsigned int seed) { srand(seed); for (int i = 0; i < CMWC_CYCLE; i++) state->Q[i] = rand32(); do state->c = rand32(); while (state->c >= CMWC_C_MAX); state->i = CMWC_CYCLE - 1; } // CMWC engine uint32_t randCMWC(struct cmwc_state *state) //EDITED parameter *state was missing { uint64_t const a = 18782; // as Marsaglia recommends uint32_t const m = 0xfffffffe; // as Marsaglia recommends uint64_t t; uint32_t x; state->i = (state->i + 1) & (CMWC_CYCLE - 1); t = a * state->Q[state->i] + state->c; /* Let c = t / 0xfffffff, x = t mod 0xffffffff */ state->c = t >> 32; x = t + state->c; if (x < state->c) { x++; state->c++; } return state->Q[state->i] = m - x; } int main() { struct cmwc_state cmwc; unsigned int seed = time(NULL); initCMWC(&cmwc, seed); printf("Random CMWC: %u\n", randCMWC(&cmwc)); }

9. Usage

Because of simplicity, speed, quality (it passes statistical tests very well) and astonishing period, CMWC is known to be used in game development, particularly in modern roguelike games. It is informally known as the Mother of All PRNGs. In libtcod, CMWC4096 replaced MT19937 as the default PRNG.^[4]