Wording improvements by Matt Stephanson and Thomas Köppe

Dani-Hub · Dani-Hub · commit 0fe7111979a1 · 2025-08-19T18:54:49.000+02:00
diff --git a/xml/issue4212.xml b/xml/issue4212.xml
@@ -36,9 +36,7 @@ is an alias for the initial value, <math><mi>X</mi></math>), so that the final r
 Set priority to 3 after reflector poll.
 </p>
 
-</discussion>
-
-<resolution>
+<superseded>
 <p>
 This wording is relative to <paper num="N5001"/>.
 </p>
@@ -122,6 +120,120 @@ where<del>:</del>
 </ol>
 </li>
 
+</ol>
+</blockquote>
+</li>
+</ol>
+</superseded>
+
+<note>2025-08-08; Matt Stephanson comments and makes wording improvements with Thomas Köppe</note>
+<ol>
+<li><p>For what it's worth, I believe the new wording correctly describes the algorithm and does not make any substantive changes.</p></li>
+<li><p>As for the wording itself:</p>
+<ol style="list-style-type:lower-alpha">
+<li><p>Paragraphs 1, 2, and 3 still refer to the output sequence as <tt><i>Y</i></tt>, so I don't think 
+it should be removed from the end of the first sentence in p4. On the contrary, to maintain the connection 
+and parallel the "$X^{(0)} := X$" wording, I think the final sentence should also be 
+"The output sequence is $X^{(r)} := Y$".</p></li>
+<li><p>I can't explain why, but my intuition is that, in bullet (4.2), "the elements of $V^{(q)}$"  
+sounds better than "the elements of the $V^{(q)}$". The second "the" worked with the original wording 
+"the <tt><i>V</i></tt> sequence", but "sequence" is omitted in the proposed resolution.</p></li>
+<li><p>The use of <tt><i>K</i></tt> for both the fixed key sequence and the round keys seems potentially 
+confusing. Maybe <tt><i>R</i></tt> for "round key" is better?</p></li>
+</ol>
+</li>
+</ol>
+<p>
+After discussion with Thomas Köppe there was agreement that (a) should be applied with the modification 
+that we should write it as definition of <tt><i>Y</i></tt> and not the other way around, that (b) should 
+be applied as suggested, and that there was no real consensus for proposal (c).
+</p>
+</discussion>
+
+<resolution>
+<p>
+This wording is relative to <paper num="N5014"/>.
+</p>
+
+<ol>
+<li><p>Modify <sref ref="[rand.eng.philox]"/> as indicated:</p>
+
+<blockquote>
+<p>
+-2- The generation algorithm returns <math><msub><mi>Y</mi><mrow><mi>i</mi></mrow></msub></math>, the value stored in 
+the <math><msup><mi>i</mi><mtext>th</mtext></msup></math> element of <math><mi>Y</mi></math> after applying the 
+transition algorithm.
+<p/>
+-3- The state transition is performed as if by the following algorithm:
+</p>
+<blockquote><pre>
+<math><mi>i</mi><mo>=</mo><mi>i</mi><mo>+</mo><mn>1</mn></math>
+<tt>if (<math><mi>i</mi></math> == <math><mi>n</mi></math>) {</tt>
+  <math><mi>Y</mi><mo>=</mo></math><tt>Philox</tt>(<math><mi>K</mi></math>, <math><mi>X</mi></math>) <i>// see below</i>
+  <math><mi>Z</mi><mo>=</mo><mi>Z</mi><mo>+</mo><mn>1</mn></math>         <ins><i>// this updates <math><mi>X</mi></math></i></ins>
+  <math><mi>i</mi><mo>=</mo><mn>0</mn></math>
+}
+</pre></blockquote>
+<p>
+-4- The <tt>Philox</tt> function maps the length-<math><mi>n</mi></math>/2 sequence <math><mi>K</mi></math> 
+and the length-<math><mi>n</mi></math> sequence <math><mi>X</mi></math> into a length-<math><mi>n</mi></math> output
+sequence <del><math><mi>Y</mi></math></del>. Philox applies an <math><mi>r</mi></math>-round substitution-permutation network to 
+the values in <math><mi>X</mi></math>. <del>A single round of the generation algorithm performs the following steps:</del>
+<ins>That is, there are intermediate values <math><msup><mi>X</mi><mrow><mo>(</mo><mn>0</mn><mo>)</mo></mrow></msup></math>,
+<math><msup><mi>X</mi><mrow><mo>(</mo><mn>1</mn><mo>)</mo></mrow></msup></math>, &hellip;,
+<math><msup><mi>X</mi><mrow><mo>(</mo><mi>r</mi><mo>)</mo></mrow></msup></math>, where 
+<math><msup><mi>X</mi><mrow><mo>(</mo><mn>0</mn><mo>)</mo></mrow></msup><mo>:=</mo><mi>X</mi></math>, and for each round
+<math><mi>q</mi></math> (with <math><mi>q</mi><mo>=</mo><mn>1</mn><mo>,</mo><mo>&hellip;</mo><mo>,</mo><mi>r</mi></math>),
+<math><msup><mi>X</mi><mrow><mo>(</mo><mi>q</mi><mo>)</mo></mrow></msup></math> is computed from
+<math><msup><mi>X</mi><mrow><mo>(</mo><mi>q</mi><mo>-</mo><mn>1</mn><mo>)</mo></mrow></msup></math> as follows. The output sequence
+is <math><mi>Y</mi><mo>:=</mo><msup><mi>X</mi><mrow><mo>(</mo><mi>r</mi><mo>)</mo></mrow></msup></math>.</ins>
+</p>
+<ol style="list-style-type: none">
+<li><p>(4.1) &mdash; <del>The output sequence <math><mi>X</mi><mi>'</mi></math> of the previous round (<math><mi>X</mi></math> 
+in case of the first round) is permuted to obtain the intermediate state <math><mi>V</mi></math>:</del></p>
+<blockquote><pre>
+<del><math><msub><mi>V</mi><mrow><mi>j</mi></mrow></msub><mo>=</mo><msub><mi>X</mi><mi>'</mi><mrow><msub><mi>f</mi><mrow><mi>n</mi></mrow></msub><mo>(</mo><mi>j</mi><mo>)</mo></mrow></msub></math></del>
+</pre></blockquote>
+<p>
+<ins>An intermediate state <math><msup><mi>V</mi><mrow><mo>(</mo><mi>q</mi><mo>)</mo></mrow></msup></math> is obtained
+by permuting the previous output, 
+<math><msubsup><mi>V</mi><mi>j</mi><mrow><mo>(</mo><mi>q</mi><mo>)</mo></mrow></msubsup><mo>:=</mo><msubsup><mi>X</mi><mrow><msub><mi>f</mi><mrow><mi>n</mi></mrow></msub><mo>(</mo><mi>j</mi><mo>)</mo></mrow><mrow><mo>(</mo><mi>q</mi><mo>-</mo><mn>1</mn><mo>)</mo></mrow></msubsup></math>,</ins>
+where <math><mi>j</mi><mo>=</mo><mn>0</mn><mo>,</mo><mo>&hellip;</mo><mo>,</mo><mi>n</mi><mo>−</mo><mn>1</mn></math><ins>,</ins> and 
+<math><msub><mi>f</mi><mrow><mi>n</mi></mrow></msub><mo>(</mo><mi>j</mi><mo>)</mo></math> is defined in Table 124.
+</p>
+</li>
+<li><p>(4.2) &mdash; <del>The following computations are applied to the elements of the <math><mi>V</mi></math> sequence:</del>
+<ins>The next output <math><msup><mi>X</mi><mrow><mo>(</mo><mi>q</mi><mo>)</mo></mrow></msup></math> is computed from the elements of
+<math><msup><mi>V</mi><mrow><mo>(</mo><mi>q</mi><mo>)</mo></mrow></msup></math> as follows. For <math><mi>k</mi><mo>=</mo><mn>0</mn><mo>,</mo><mo>&hellip;</mo><mo>,</mo><mi>n</mi><mo>/</mo><mn>2</mn><mo>-</mo><mn>1</mn><mo>,</mo></math></ins></p>
+<ol style="list-style-type: none">
+<li><p><ins>(4.2.?) &mdash; <math><msubsup><mi>X</mi><mrow><mn>2</mn><mi>k</mi><mo>+</mo><mn>0</mn></mrow><mrow><mo>(</mo><mi>q</mi><mo>)</mo></mrow></msubsup></math> = mulhi(<math><msubsup><mi>V</mi><mrow><mn>2</mn><mi>k</mi></mrow><mrow><mo>(</mo><mi>q</mi><mo>)</mo></mrow></msubsup></math>,<math><msub><mi>M</mi><mi>k</mi></msub></math>,<i>w</i>) xor <math><msubsup><mi>K</mi><mi>k</mi><mrow><mo>(</mo><mi>q</mi><mo>)</mo></mrow></msubsup></math> xor <math><msubsup><mi>V</mi><mrow><mn>2</mn><mi>k</mi><mo>+</mo><mn>1</mn></mrow><mrow><mo>(</mo><mi>q</mi><mo>)</mo></mrow></msubsup></math>, and</ins><del><math><msub><mi>X</mi><mrow><mn>2</mn><mi>k</mi><mo>+</mo><mn>0</mn></mrow></msub></math> = mulhi(<math><msub><mi>V</mi><mrow><mn>2</mn><mi>k</mi></mrow></msub></math>,<math><msub><mi>M</mi><mi>k</mi></msub></math>,<i>w</i>) xor <math><msubsup><mi style="font-style: italic">key</mi><mi>k</mi><mi>q</mi></msubsup></math> xor <math><msub><mi>V</mi><mrow><mn>2</mn><mi>k</mi><mo>+</mo><mn>1</mn></mrow></msub></math></del></p></li>
+<li><p><ins>(4.2.?) &mdash; <math><msubsup><mi>X</mi><mrow><mn>2</mn><mi>k</mi><mo>+</mo><mn>1</mn></mrow><mrow><mo>(</mo><mi>q</mi><mo>)</mo></mrow></msubsup></math> = mullo(<math><msubsup><mi>V</mi><mrow><mn>2</mn><mi>k</mi></mrow><mrow><mo>(</mo><mi>q</mi><mo>)</mo></mrow></msubsup></math>,<math><msub><mi>M</mi><mi>k</mi></msub></math>,<i>w</i>),</ins><del><math><msub><mi>X</mi><mrow><mn>2</mn><mi>k</mi><mo>+</mo><mn>1</mn></mrow></msub></math> = mullo(<math><msub><mi>V</mi><mrow><mn>2</mn><mi>k</mi></mrow></msub></math>,<math><msub><mi>M</mi><mi>k</mi></msub></math>,<i>w</i>)</del></p></li>
+</ol>
+<p>
+where<del>:</del>
+</p>
+<ol style="list-style-type: none">
+<li><p>(4.2.1) &mdash; mullo(<math><mi>a</mi><mo>,</mo><mi>b</mi><mo>,</mo><mi>w</mi></math>) is the low half of the modular multiplication of 
+<math><mi>a</mi></math> and <math><mi>b</mi></math>: <math><mo>(</mo><mi>a</mi><mo>&#8901;</mo><mi>b</mi><mo>)</mo><mo>mod</mo><msup><mn>2</mn><mi>w</mi></msup></math>,</p></li>
+<li><p>(4.2.2) &mdash; mulhi(<math><mi>a</mi><mo>,</mo><mi>b</mi><mo>,</mo><mi>w</mi></math>) is the high half of the modular multiplication of 
+<math><mi>a</mi></math> and <math><mi>b</mi></math>: <math><mo>(</mo><mo>&#x230A;</mo><mo>(</mo><mi>a</mi><mo>&#8901;</mo><mi>b</mi><mo>)</mo><mo>/</mo><msup><mn>2</mn><mi>w</mi></msup><mo>&#x230B;</mo><mo>)</mo></math>,</p></li>
+<li><p>(4.2.3) &mdash; 
+<del><math><mi>k</mi><mo>=</mo><mn>0</mn><mo>,</mo><mo>&hellip;</mo><mo>,</mo><mi>n</mi><mo>/</mo><mn>2</mn><mo>−</mo><mn>1</mn></math> is the index in the sequences,</del>
+<ins><math><msubsup><mi>K</mi><mi>k</mi><mrow><mo>(</mo><mi>q</mi><mo>)</mo></mrow></msubsup></math> is the
+<math><msup><mi>k</mi><mtext>th</mtext></msup></math> round key for round <math><mi>q</mi></math>,
+<math><msubsup><mi>K</mi><mi>k</mi><mrow><mo>(</mo><mi>q</mi><mo>)</mo></mrow></msubsup><mo>:=</mo><mo>(</mo><msub><mi>K</mi><mi>k</mi></msub><mo>+</mo><mo>(</mo><mi>q</mi><mo>-</mo><mn>1</mn><mo>)</mo><mo>&#8901;</mo><msub><mi>C</mi><mi>k</mi></msub><mo>)</mo><mo>mod</mo><msup><mn>2</mn><mi>w</mi></msup></math>,</ins></p></li>
+<li><p>(4.2.4) &mdash; <del><math><mi>q</mi><mo>=</mo><mn>0</mn><mo>,</mo><mo>&hellip;</mo><mo>,</mo><mi>r</mi><mo>−</mo><mn>1</mn></math> is the index of the round,</del>
+<ins><math><msub><mi>K</mi><mi>k</mi></msub></math> is the <math><msup><mi>k</mi><mtext>th</mtext></msup></math> element of the key sequence
+<math><mi>K</mi></math>,</ins></p></li>
+<li><p><del>(4.2.5) &mdash; <math><msubsup><mi style="font-style: italic">key</mi><mi>k</mi><mi>q</mi></msubsup></math> is the 
+<math><msup><mi>k</mi><mtext>th</mtext></msup></math> round key for round <math><mi>q</mi></math>, 
+<math><msubsup><mi style="font-style: italic">key</mi><mi>k</mi><mi>q</mi></msubsup><mo>:=</mo><mo>(</mo><msub><mi>K</mi><mi>k</mi></msub><mo>+</mo><mi>q</mi><mo>&#8901;</mo><msub><mi>C</mi><mi>k</mi></msub><mo>)</mo><mo>mod</mo><msup><mn>2</mn><mi>w</mi></msup></math>,</del></p></li>
+<li><p><del>(4.2.6) &mdash; <math><msub><mi>K</mi><mi>k</mi></msub></math> are the elements of the key sequence <math><mi>K</mi></math>,</del></p></li>
+<li><p>(4.2.7) &mdash; <math><msub><mi>M</mi><mi>k</mi></msub></math> is <tt>multipliers[<math><mi>k</mi></math>]</tt>, and</p></li>
+<li><p>(4.2.8) &mdash; <math><msub><mi>C</mi><mi>k</mi></msub></math> is <tt>round_consts[<math><mi>k</mi></math>]</tt>.</p></li>
+</ol>
+</li>
+
 </ol>
 </blockquote>
 </li>
