JP Grossman: Hi Warren, the paper doesn't give the details of the "Threefish N-word P-box" transformation, but it's more complicated than swap(R1,R2) for exactly the reasons you mention (better mixing of low and high bits).

--they had a footnote sating in the 4-word case it was just swapping the Rs.

A single 4-word philox round actually looks like this:

(L1, R1, L2, R2) => (low(R2*M2), high(R2*M2) xor L1 xor K2, low(R1*M1), high(R1*M1) xor L2 xor K1) Changing some of the "xors" to adds to shave a cycle using madd instructions is a good idea. Also, you can indeed get rid of K altogether and still pass BigCrush with 7 rounds; the key was included just to show how one could be introduced if desired. --actually, the key really may be needed, because otherwise the original L's and R's being almost entirely 0s could make it take longer for philox to get going to generate randomness. (I suspect their bigcrush tests were conducted with initial counter far away from all-0.)

Incrementing a counter really is just fine; it doesn't matter that the high bits are the same. In fact, any single-bit mutation of the input produces a statistically uncorrelated output (that is, there is no correlation that BigCrush is able to detect), so you don't get any additional advantage from more complicated counter schemes.

--yes, but that is the problem. They had to do a lot of philoxing, enough so any single bit change in the input produced random output. If their input already was pretty random and changed already by itself in lots of bits, then they could have gotten away with less philoxing. Their whole theme was that you can (a) do a complicated iteration and a simple output, or you can (b) do a simple iteration (a counter, the simplest) and a complicated state--> output transform. My point is, why go to silliness-extremes? There is no good reason we should use the incredibly simple state-iteration of just counting. We could do a somewhat more complicated state-transform, taking it looks to me the same amount of time as a plain +1 counter, thus enabling us to save work on the output transform by doing less philoxing. --Warren D. Smith http://RangeVoting.org  <-- add your endorsement (by clicking "endorse" as 1st step)