How to Predict Congruential Generators

Abstract. In this paper we show how to predict a large class of pseudorandom number generators. We consider congruential generators which output a sequence of integers $s_0, s_1, \ldots$, where $s_i$ is computed by the recurrence $s_i \equiv \sum_{j=1}^{k} \alpha_j \Phi_j(s_0, s_1, \ldots, s_{i-1}) \pmod m$ for integers $m$ and $\alpha_j$, and integer-valued functions $\Phi_j$, $j = 1, \ldots, k$. The predictors know the functions $\Phi_j$ in advance and have access to the elements of the sequence prior to the element being predicted, but they do not know the modulus $m$ or the coefficients $\alpha_j$ with which the generator actually works. We prove that both the number of mistakes made by the predictors and the time complexity of each prediction are bounded by a polynomial in $k$ and $\log m$, provided that the functions $\Phi_j$ are computable (over the integers) in polynomial time. This extends previous results about the predictability of such generators. In particular, we prove that multivariate polynomial generators, i.e., generators where $s_i \equiv P(s_{i-n}, \ldots, s_{i-1}) \pmod m$ for a polynomial $P$ of known degree in $n$ variables, are efficiently predictable.
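As an added worked example (not code from the paper), the $k = 2$ case of the recurrence above with $\Phi_1 = s_{i-1}$ and $\Phi_2 = 1$, i.e. a linear congruential generator, is recovered in Python from its outputs alone: the predictor knows only the shape of the recurrence, not $a$, $b$ or $m$. The parameters $a = 37$, $b = 11$, $m = 101$ and seed 5 are constructed for the demonstration; the point for a defender is that a generator of this class must never be used where unpredictability matters.

```python
from math import gcd


def lcg(seed, a, b, m, n):
    """Constructed generator: s_i = a*s_{i-1} + b (mod m), the k = 2 case of the
    paper's recurrence with Phi_1 = s_{i-1} and Phi_2 = 1. Returns s_1..s_n."""
    out, s = [], seed
    for _ in range(n):
        s = (a * s + b) % m
        out.append(s)
    return out


def recover_lcg(seq):
    """Recover (a, b, m) from observed outputs, knowing only the recurrence form.

    Differences t_i = s_{i+1} - s_i satisfy t_{i+1} = a*t_i (mod m), so
    t_{i+1}*t_{i-1} - t_i^2 is a multiple of m.  The gcd of several such values
    is m (or a multiple of m; a wrong prediction would then expose the error,
    which is exactly the bounded-mistake setting the paper analyses)."""
    t = [seq[i + 1] - seq[i] for i in range(len(seq) - 1)]
    m = 0
    for i in range(1, len(t) - 1):
        m = gcd(m, abs(t[i + 1] * t[i - 1] - t[i] ** 2))
    if m == 0:
        raise ValueError("need at least 4 outputs to form a modulus candidate")
    for i in range(len(t) - 1):  # any difference invertible mod m will do
        if gcd(t[i] % m, m) == 1:
            a = (t[i + 1] * pow(t[i] % m, -1, m)) % m
            break
    else:
        raise ValueError("no invertible difference found; need more outputs")
    b = (seq[1] - a * seq[0]) % m
    return a, b, m


def predict_next(seq):
    """Predict s_{i+1} from s_1..s_i using the recovered parameters."""
    a, b, m = recover_lcg(seq)
    return (a * seq[-1] + b) % m


if __name__ == "__main__":
    observed = lcg(5, 37, 11, 101, 9)      # constructed sample output
    print("recovered (a, b, m):", recover_lcg(observed[:5]))
    print("predicted s_6:", predict_next(observed[:5]), "actual:", observed[5])
```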
