Inferring a Sequence Generated by a Linear Congruence

A pseudo-random number generator is considered cryptographically secure if, even when a cryptanalyst has obtained long segments of the generator’s output, he or she is unable to compute any other segment within certain time and space complexity bounds. A pseudo-random number generator which is as cryptographically secure as the RivestShamir-Adleman encryption scheme is presented in [Shamir]. This method for generating pseudo-random numbers is quite slow, though, and it is not known whether any statistical biases might be present in the sequences it generates. Blum and Micali [BlMi] give a pseudo-random bit generator, with arbitrarily small bias, which is cryptographically strong, assuming the problem of index finding is intractable. But their method is also slow. Other cryptographically strong, but slow, pseudo-random bit generators are given in [BBS] and [Yao]. This suggests the question of whether any of the pseudo-random number generators commonly in use are also cryptographically secure. In particular, the linear congruential method, X_i+1 = aX _i + bmod m, is very popular and fast. Obviously, this method is not cryptographically secure if the modulus, m, is known. In that case, one could solve for z in the congruence (X₂ − X₁) = x (X ₁ − X₀) mod m. Then the remainder of the sequence could be correctly predicted using X_i+1 = x(X _i ) + (X₁ − x(X ₀ )) mod m. In [K1980], Knuth has discussed this problem, assuming m is known and is a power of two, but assuming that only the high order bits of the numbers generated are actually used. We have looked at the problem, assuming the m is unknown and arbitrary, but that the low order bits are also used. We have shown that, under these assumptions, the linear congruential method is cryptographically insecure. A similar result is given in [Reeds], but, among other problems, that result relies on the assumption that factoring is easy.