SIAM J. COMPUT. Vol. 15, No. 2, May 1986
© 1986 Society for Industrial and Applied Mathematics
003

A SIMPLE UNPREDICTABLE PSEUDO-RANDOM NUMBER GENERATOR*

L. BLUM†, M. BLUM‡ AND M. SHUB§

Abstract. Two closely related pseudo-random sequence generators are presented: The $1/P$ generator, with input $P$ a prime, outputs the quotient digits obtained on dividing by $P$. The $x^2 \bmod N$ generator with inputs $N$, $x_0$ (where $N = P \cdot Q$ is a product of distinct primes, each congruent to 3 mod 4, and $x_0$ is a quadratic residue mod $N$), outputs $b_0 b_1 b_2 \ldots$ where $b_i = \text{parity}(x_i)$ and $x_{i+1} = x_i^2 \bmod N$. From short seeds each generator efficiently produces long well-distributed sequences. Moreover, both generators have computationally hard problems at their core. The first generator's sequences, however, are completely predictable (from any small segment of $2|P| + 1$ consecutive digits one can infer the "seed," $P$, and continue the sequence backwards and forwards), whereas the second, under a certain intractability assumption, is unpredictable in a precise sense. The second generator has additional interesting properties: from knowledge of $x_0$ and $N$ but not $P$ or $Q$, one can generate the sequence forwards, but, under the above-mentioned intractability assumption, one cannot generate the sequence backwards. From the additional knowledge of $P$ and $Q$, one can generate the sequence backwards; one can even "jump" about from any point in the sequence to any other. Because of these properties, the $x^2 \bmod N$ generator promises many interesting applications, e.g., to public-key cryptography. To use these generators in practice, an analysis is needed of various properties of these sequences such as their periods. This analysis is begun here.

Key words. random, pseudo-random, Monte Carlo, computational complexity, secure transactions, public-key encryption, cryptography, one-time pad, Jacobi symbol, quadratic residuacity

What do we want from a pseudo-random sequence generator?
Ideally, we would like a pseudo-random sequence generator to quickly produce, from short seeds, long sequences (of bits) that appear in every way to be generated by successive flips of a fair coin. Certainly, the idea of a (fast) deterministic mechanism producing such nondeterministic behavior seems contradictory: by observing its outcome over time, we could in principle eventually detect the determinism and simulate such a generator. The resolution [Knuth], usually, is to require of such generators only that the sequences they produce pass certain standard statistical tests (e.g., in the long run, the frequency of 0's and 1's occurring in such a sequence should be nearly the same, and the 0's and 1's should be "well-mixed"). However, the usual statistical tests do not capture enough. An important property of sequences of coin tosses is their unpredictability. Pseudo-random sequences should be unpredictable to computers with feasible resources. We say that a pseudo-random sequence generator is polynomial-time unpredictable (unpredictable to the right, unpredictable to the left) [Shamir], [Blum-Micali] if and only if for every finite initial segment of sequence that has been produced by such a generator, but with any element (the rightmost element, the leftmost element) deleted from that segment, a probabilistic

* Received by the editors September 7, 1982, and in final revised form August 15, 1983. A preliminary version of this paper was presented at Crypto 82.
† Department of Mathematics and Computer Science, Mills College, Oakland, California 94613, and Department of Mathematics, University of California at Berkeley, Berkeley, California 94720. This work was supported in part by the Letts-Villard Chair, Mills College.
‡ Department of Electrical Engineering and Computer Sciences, University of California at Berkeley, Berkeley, California 94720. This work was supported in part by the National Science Foundation under grant MCS 82-04506.
§ IBM Thomas J. Watson Research Center, Yorktown Heights, New York 10598, and City University of New York, New York, New York 10036. This work was supported in part by the National Science Foundation under grant MCS 82-01267.
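The two generators defined in the abstract, as an added worked example in Python (this is editorial example code, not code from the paper): the $1/P$ quotient-digit generator, and the $x^2 \bmod N$ generator with forward stepping from $N$ alone, jump-ahead and backward stepping using $P$ and $Q$. The jump is realized here through the Carmichael function $\lambda(N) = \operatorname{lcm}(P-1, Q-1)$ and the backward step through square roots mod $P$ and mod $Q$ combined by the Chinese remainder theorem; the page states only that these operations are possible with $P$ and $Q$, so the specific formulas are this example's choice. The primes $P = 499$, $Q = 547$, the seed 12345, and the function names are constructed toy values, far too small for any real use.

```python
# Added example, not from the Blum-Blum-Shub paper. Toy parameters only.
from math import gcd


def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def one_over_p_digits(p, base, k):
    """1/P generator: the first k quotient digits of 1/p in the given base."""
    digits, r = [], 1          # r is the running remainder of the long division
    for _ in range(k):
        r *= base
        digits.append(r // p)
        r %= p
    return digits


def check_blum_modulus(p, q):
    """N = P*Q must be a product of distinct primes, each congruent to 3 mod 4."""
    assert p != q and is_prime(p) and is_prime(q), "P, Q must be distinct primes"
    assert p % 4 == 3 and q % 4 == 3, "P and Q must be congruent to 3 mod 4"
    return p * q


def step_forward(x, n):
    """x_{i+1} = x_i^2 mod N; needs only N, not its factors."""
    return x * x % n


def bbs_bits(x0, n, k):
    """Output b_0 b_1 ... b_{k-1} with b_i = parity(x_i)."""
    bits, x = [], x0
    for _ in range(k):
        bits.append(x & 1)
        x = step_forward(x, n)
    return bits


def jump(x0, n, p, q, i):
    """x_i directly from x_0: x_i = x_0^(2^i mod lambda(N)) mod N.
    lambda(N) = lcm(P-1, Q-1) (Carmichael function); valid when gcd(x_0, N) = 1.
    Needs the factorization of N to compute lambda(N)."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return pow(x0, pow(2, i, lam), n)


def qr_sqrt(a, p):
    """For p = 3 (mod 4) and a quadratic residue a, return the square root of a
    that is itself a quadratic residue mod p. Exactly one of the two roots r, p-r
    is a residue, because -1 is a non-residue mod such p."""
    if a % p == 0:
        return 0
    r = pow(a, (p + 1) // 4, p)           # a^((p+1)/4) is a square root of a
    return r if pow(r, (p - 1) // 2, p) == 1 else p - r   # Euler's criterion


def step_backward(x, p, q):
    """Undo one squaring: the unique quadratic-residue square root of x mod N,
    assembled from the roots mod P and mod Q by the Chinese remainder theorem.
    Without P and Q this is exactly the hard problem the generator rests on."""
    rp, rq = qr_sqrt(x, p), qr_sqrt(x, q)
    # CRT: t = rp (mod P) and t = rq (mod Q)
    return (rp + p * (((rq - rp) * pow(p, -1, q)) % q)) % (p * q)


if __name__ == "__main__":
    P, Q = 499, 547                       # constructed toy primes, both 3 mod 4
    N = check_blum_modulus(P, Q)
    seed = 12345                          # constructed toy seed
    x0 = seed * seed % N                  # square it so x_0 is a quadratic residue
    print("bits:", bbs_bits(x0, N, 16))
    x5 = x0
    for _ in range(5):
        x5 = step_forward(x5, N)
    print("x_5 by stepping:", x5, " by jump:", jump(x0, N, P, Q, 5))
    print("one step back from x_5 (x_4):", step_backward(x5, P, Q))
    print("1/7 in base 10:", one_over_p_digits(7, 10, 6))
```

Two points worth checking when running it. First, `step_backward` applied to $x_0$ returns the quadratic-residue square root of $x_0$, which is not in general the original seed 12345; the uniqueness of the backward step depends on the state being a residue, which is why the abstract requires $x_0$ to be one. Second, only `step_forward` and `bbs_bits` take $N$ alone; `jump` and `step_backward` need $P$ and $Q$, matching the abstract's division between what is feasible with and without the factorization.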