Updated shuffle implementation to use better hash function #1257
Conversation
djns99
force-pushed
the
fix_shuffle
branch
2 times, most recently
from
31e7415 to
47a7c62
Compare
djns99
force-pushed
the
fix_shuffle
branch
5 times, most recently
from
134cf64 to
f8a04a5
Compare
|
@djns99 @RAMitchell Just checking in -- it looks like you two have been iterating on this PR, just let me know when you're ready for me to do a final review and start testing/landing it. |
|
@djns99 I'm happy with your current approach using murmurhash, did you have anything else you wanted to add? Would be good to have a couple of comments with references for CephesFunctions and murmerhash. Please also check the licenses are compatible i.e. we are allowed to use their code in this way. |
@RAMitchell I probably wont have time to do this in the next few days. However, I am still having difficulty obtaining sufficiently random results, even if I increase the number of rounds. Some preliminary investigations indicate that it is likely the murmur hash function with insufficient randomness, however it is a significant improvement over the current results even at 8 rounds. As for licensing, cephes was taken from the NIST suite for testing randomness, which according to https://csrc.nist.gov/Projects/Random-Bit-Generation/Documentation-and-Software is in the public domain. I took murmur hash from the smhasher repo, the licensing information there say it is also in the public domain. |
|
Ok, I think the key thing is for us to make the next toolkit release (11.1?). Let's catch up next week on this. |
|
@RAMitchell I have done a bit of work on this and decided to use the RC5 encryption algorithm https://doi.org/10.1007/3-540-60590-8_7. This uses a 12-20 round (I have it set to 12 at present) feistel network using data dependent rotations on an w-bit register. The only shortfall of this is that it requires us to round to a power of 4 instead of 2. However, it means we can make some guarantees about the strength of our internal function (i.e. any errors are due to an insufficiently random key). As for licensing, the patent for the algorithm expired in 2015 https://patents.google.com/patent/US5835600A/en so I believe this means we are allowed to use it. |
djns99
force-pushed
the
fix_shuffle
branch
2 times, most recently
from
640e7c3 to
3f1dcb4
Compare
|
Test issues are resolved. |
There was a problem hiding this comment.
Regarding the use of RC5, that's up to the thrust team. You might want to have an alternative in mind.
The only shortfall of this is that it requires us to round to a power of 4 instead of 2.
I'm a bit confused, current code still uses nearest power of two in get_cipher_bits.
Looks really good otherwise and glad to see you've got the tests passing at high accuracy!
Note the change to This counts the number of pairs of bits now, with |
|
I see, thanks! Nearest power of four is not ideal from a performance perspective but I think we are still much faster than alternatives and robustness is priority one. |
In theory we could modify the RC5 algorithm slightly and use modulus by a different amount for each register to allow for a power of two instead of 4. However, this would likely require a more comprehensive analysis of the problem to ensure the correct behaviour is maintained, so I dont believe this is the place for this optimisation. There are a range of other candidate ciphers available to consider, but RC5/RC6 (though RC6 rounds to a power of 16) was the main one I found that explicitly supports a variable block width. |
djns99
force-pushed
the
fix_shuffle
branch
2 times, most recently
from
09f7a87 to
f9ea205
Compare
+ Uses RC5 cipher as bijective function + Adds more comprehensive tests for shuffle distribution
|
@djns99 let us know when you are ready for final review. |
|
If we are ok with RC5 I don't think there is anything left to do at present. So we should be good to go ahead with review and merge. |
|
Whatever implementation you two decide on is fine with me, but it sounds like there are some possible concerns with licensing, too? Can someone summarize the potentially problematic portions of the current PR, along with their licenses, patents, and other IP concerns? |
|
There are two parts that potentially have licensing/IP issues. The first is the Cephes functions used in the test suite, which are directly taken from a NIST test suite for random numbers.
The Cephes functions are fine as is Murmur Hash if we go that route to the best of my understanding.
If we go for RC5 (my preferred function @RAMitchell ) then it is covered by an expired patent, with the implementation being my own (based off the original paper https://doi.org/10.1007/3-540-60590-8_7). My understanding is the expired patent means the algorithm is in the public domain, so it is acceptable to use as we have here, however I don't know enough to say for sure. To the best of my knowledge there are no other licensing/IP issues. |
|
I'm going to have one of the NVIDIA open source lawyers look at this. |
alliepiper
added
blocked
|
@djns99 @RAMitchell I haven't been able to get a straight answer on this from our lawyers, and I get the feeling that the only way this patch will move forward is by rewriting it to avoid anything that is known to be associated with a non-NVIDIA owned patent. Would you be willing to submit a different implementation that avoids the patent-related algorithms? |
|
Ok, we will look at rewriting with a different hash. @djns99 if you don't have time, I will take a stab at it later this week. |
|
@RAMitchell it would be good if you can. I suspect going back to MurmurHash2 will probably work now I have fixed the tests. Just a bit less academic backing behind it's quality. Should also be able to go to power of two instead of 4 again |
|
Thanks. Sorry about this, but it's the only way to get this moving again in a reasonable amount of time. |
|
Replaced by #1309 due to IP concerns. |
Fixes #1256 by changing the hash function from taus88 to use wyhash. Adds test for a random distribution of numbers