Abstract
A pseudo-random number generator is considered cryptographically secure if, even when a cryptanalyst has obtained long segments of the generator's output, he or she is unable to compute any other segment within certain time and space complexity bounds. A pseudo-random number generator which is as cryptographically secure as the Rivest-Shamir-Adleman encryption scheme is presented in [Shamir]. This method for generating pseudo-random numbers is quite slow, though, and it is not known whether any statistical biases might be present in the sequences it generates. Blum and Micali [BlMi] give a pseudo-random bit generator, with arbitrarily small bias, which is cryptographically strong, assuming the problem of index finding is intractable. But their method is also slow. Other cryptographically strong, but slow, pseudo-random bit generators are given in [BBS] and [Yao]. This suggests the question of whether any of the pseudo-random number generators commonly in use are also cryptographically secure. In particular, the linear congruential method, $X_{i+1} = aX_i + b \pmod m$, is very popular and fast. Obviously, this method is not cryptographically secure if the modulus, m, is known. In that case, one could solve for x in the congruence $(X_2 - X_1) = x(X_1 - X_0) \pmod m$. Then the remainder of the sequence could be correctly predicted using $X_{i+1} = xX_i + (X_1 - xX_0) \pmod m$. In [K1980], Knuth has discussed this problem, assuming m is known and is a power of two, but assuming that only the high order bits of the numbers generated are actually used. We have looked at the problem, assuming m is unknown and arbitrary, but that the low order bits are also used. We have shown that, under these assumptions, the linear congruential method is cryptographically insecure. A similar result is given in [Reeds], but, among other problems, that result relies on the assumption that factoring is easy.
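The known-modulus case the abstract calls obvious, as an added worked example in Python (not code from the paper); the generator parameters and seeds are constructed sample values. It also covers the step the abstract glosses over: when $X_1 - X_0$ shares a factor with m the congruence has several solutions, so the recovery moves on to a later triple whose difference is invertible, and reports failure if none exists. The point for a defender is that three consecutive outputs plus m fix the whole sequence, so LCG output must never serve as a token, nonce or key.

```python
from math import gcd


def lcg(seed, a, b, m, n):
    """Constructed sample generator: X_{i+1} = a*X_i + b mod m, n outputs."""
    xs = [seed % m]
    for _ in range(n - 1):
        xs.append((a * xs[-1] + b) % m)
    return xs


def recover_lcg(outputs, m):
    """Recover (a, b) from consecutive outputs when the modulus m is known.

    Solves (X_{i+2} - X_{i+1}) = a * (X_{i+1} - X_i) mod m for a.  The
    difference must be invertible mod m for a unique solution, so we scan
    for a triple with gcd(X_{i+1} - X_i, m) == 1.  Returns None if there
    is no such triple (e.g. every difference shares a factor with m).
    """
    for i in range(len(outputs) - 2):
        d = (outputs[i + 1] - outputs[i]) % m
        if gcd(d, m) == 1:
            a = ((outputs[i + 2] - outputs[i + 1]) * pow(d, -1, m)) % m
            # b = X_1 - a*X_0 mod m, as in the abstract's prediction formula
            b = (outputs[i + 1] - a * outputs[i]) % m
            return a, b
    return None


def predict_next(outputs, m):
    """Predict the output following the observed ones, or None if a, b
    could not be determined uniquely."""
    params = recover_lcg(outputs, m)
    if params is None:
        return None
    a, b = params
    return (a * outputs[-1] + b) % m


if __name__ == "__main__":
    # Constructed parameters: a prime modulus, so every nonzero difference
    # is invertible and three outputs suffice.
    m = 2**31 - 1
    seen = lcg(42, 16807, 12345, m, 5)
    print("recovered (a, b):", recover_lcg(seen[:3], m))
    print("predicted X_4:", predict_next(seen[:4], m), "actual:", seen[4])
```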
References
Blum, L., Blum, M., and Shub, M., A Simple Secure Pseudo-Random Number Generator, Advances in Cryptography: Proceedings of CRYPTO 82, 1982.
Blum, M., and Micali, S., How to Generate Cryptographically Strong Sequences of Pseudo-Random Bits, Proc. 23rd IEEE Symp. on Foundations of Computer Science, 1982.
Knuth, D.E., Deciphering a Linear Congruential Encryption, Technical Report 024800, Stanford University, 1980.
Plumstead, J., Inferring a Sequence Generated by a Linear Congruence, Proc. 23rd IEEE Symp. on Foundations of Computer Science, 1982.
Reeds, J., "Cracking" a Random Number Generator, Cryptologia, Vol. 1, January 1977.
Shamir, A., On the Generation of Cryptographically Strong Pseudo-Random Sequences, International Colloquium on Automata, Languages, and Programming, 7th, 1980.
Yao, A., Theory and Applications of Trapdoor Functions, Proc. 23rd IEEE Symp. on Foundations of Computer Science, 1982.
© 1983 Springer Science+Business Media New York
About this paper
Cite this paper
Plumstead, J.B. (1983). Inferring a Sequence Generated by a Linear Congruence. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds) Advances in Cryptology. Springer, Boston, MA. https://doi.org/10.1007/978-1-4757-0602-4_32
DOI: https://doi.org/10.1007/978-1-4757-0602-4_32
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-0604-8
Online ISBN: 978-1-4757-0602-4
eBook Packages: Springer Book Archive