Linear Congruential Generators
Let m be a positive integer, and let a, b, x0 ∈ {0, . . . , m − 1}. These parameters define a sequence
{xi}i≥0 by
    xi = (axi−1 + b) mod m    (i ≥ 1).    (1)
Here, each xi lies in the set {0, . . . , m − 1}.
The general problem we consider here is this: given m, x0 , . . . , xn for some n, predict the
remaining xi ’s in the sequence. This turns out to be quite easy, with just n = 2. We also consider
the same problem but with m unknown, which turns out to be more interesting and challenging.
The case where m is known
Consider the congruences:
x2 ≡ ax1 + b (mod m),
x1 ≡ ax0 + b (mod m).
Subtracting the second from the first, we obtain
    x2 − x1 ≡ a(x1 − x0) (mod m).    (2)
Now, assuming gcd(m, x1 − x0) = 1, we can compute
    a = (x2 − x1)/(x1 − x0) mod m.
Here, in dividing by x1 −x0 , we actually mean multiplication by the multiplicative inverse of x1 −x0
modulo m, which exists because we are assuming gcd(m, x1 − x0 ) = 1, and which we can efficiently
compute using the extended Euclidean algorithm. Having obtained a, we compute b as
b = x1 − ax0 mod m.
Thus, given m, x0 , x1 , x2 , if gcd(m, x1 − x0 ) = 1, then we can efficiently compute a and b, and
hence the entire sequence of xi ’s.
So we now consider the possibility that gcd(m, x1 − x0) > 1. It is convenient to introduce the
difference sequence {yi}i≥1, defined by
    yi := xi − xi−1    (i ≥ 1).
Note that in this definition, the yi ’s are not reduced modulo m, so each yi lies in the set {−m +
1, . . . , m − 1}.
Generalizing (2), it is easy to verify from the definitions that
    yi+1 ≡ ayi (mod m)    (i ≥ 1).    (3)
The following lemma will prove useful.
Lemma 1. Let ã, m̃ be arbitrary integers with 0 ≤ ã < m̃. If {yi}i≥1 is the difference sequence
corresponding to {xi}i≥0, and if
    yi+1 ≡ ãyi (mod m̃)    (i ≥ 1),
then
    xi ≡ ãxi−1 + b̃ (mod m̃)    (i ≥ 1),
where b̃ := x1 − ãx0 mod m̃.
Proof. This is easily proved by induction on i. The base case i = 1 holds because of the way b̃ is
defined. Details are left to the reader.
Intuitively, this lemma says that if we have ã and m̃, not necessarily equal to the original a and
m, as long as the difference sequence satisfies the congruences corresponding to (3), we can still
predict the xi ’s, at least modulo m̃.
So now, let d := gcd(m, y1) > 1. The congruences (3) can be restated as
    yi+1 = ayi + ki m
for each i ≥ 1 and some ki ∈ Z. Dividing through by d, we have
    yi+1/d = a(yi/d) + ki(m/d)    (i ≥ 1).
Since d | m and d | y1, one can easily see by induction on i that yi/d ∈ Z for all i ≥ 1.
Moreover, defining m̄ := m/d and ȳi := yi/d for i ≥ 1, we have
    ȳi+1 ≡ aȳi (mod m̄)    (i ≥ 1).
Also, note that gcd(m̄, ȳ1) = 1, so we can apply our original strategy to m̄, {ȳi}i≥1, computing
    ā = ȳ2/ȳ1 mod m̄.
This value of ā satisfies
    ȳi+1 ≡ āȳi (mod m̄)    (i ≥ 1),
which we can write as
    yi+1/d = ā(yi/d) + k̄i(m/d)
for each i ≥ 1 and some k̄i ∈ Z, and multiplying by d, we obtain
    yi+1 = āyi + k̄i m    (i ≥ 1),
which implies
    yi+1 ≡ āyi (mod m)    (i ≥ 1).
We can now apply Lemma 1, with ã = ā and m̃ = m, computing b̄ = x1 − āx0 mod m. While ā
and b̄ may not be the same as a and b, we get the same sequence of xi ’s using ā and b̄ in place of
a and b. This illustrates the fact that when gcd(m, y1 ) > 1, the values of a and b consistent with
(1) are not uniquely determined.
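The two cases just described, gcd(m, y1) = 1 and gcd(m, y1) = d > 1, can be handled by one routine: reduce to m̄ = m/d (which is a no-op when d = 1), invert ȳ1 modulo m̄ with the extended Euclidean algorithm, and then use Lemma 1 with m̃ = m to get b̄. The following is an added example, not code from these notes; the function names, the egcd helper, and the sample parameters (m = 2^16, a = 5, b = 4, seed 2, chosen so that d = 4, and m = 16, a = 11, b = 2, seed 0, chosen so that ā ≠ a) are my own constructions.

```python
import math


def egcd(a, b):
    """Extended Euclid: returns (g, u, v) with g = gcd(a, b) >= 0 and g = u*a + v*b."""
    if b == 0:
        return (abs(a), 1 if a >= 0 else -1, 0)
    g, u, v = egcd(b, a % b)
    return g, v, u - (a // b) * v


def inv_mod(u, m):
    """Multiplicative inverse of u modulo m; requires gcd(u, m) = 1."""
    g, s, _ = egcd(u, m)
    if g != 1:
        raise ValueError("no inverse: gcd(%d, %d) = %d" % (u, m, g))
    return s % m


def lcg(m, a, b, x0, n):
    """The generator (1): returns [x0, x1, ..., xn]."""
    xs = [x0]
    for _ in range(n):
        xs.append((a * xs[-1] + b) % m)
    return xs


def recover_known_m(m, x0, x1, x2):
    """Given m and x0, x1, x2, return (a_bar, b_bar, d) with d = gcd(m, y1) such that
    the generator (1) with (a_bar, b_bar) reproduces the whole sequence.  When d = 1 this
    is the direct solution of (2); when d > 1 it is the reduction to m_bar = m/d."""
    y1, y2 = x1 - x0, x2 - x1
    if y1 == 0:
        raise ValueError("y1 = 0: the sequence is constant from x1 on")
    d = math.gcd(m, y1)
    m_bar = m // d
    # d | m and d | y1 force d | y2 because y2 = a*y1 (mod m), so both divisions are exact
    y1_bar, y2_bar = y1 // d, y2 // d
    # gcd(m_bar, y1_bar) = 1, so y1_bar is invertible modulo m_bar
    a_bar = (y2_bar * inv_mod(y1_bar, m_bar)) % m_bar
    # Lemma 1 with a~ = a_bar and m~ = m
    b_bar = (x1 - a_bar * x0) % m
    return a_bar, b_bar, d


if __name__ == "__main__":
    # constructed parameters: m = 2^16, a = 5, b = 4, seed 2 gives y1 = 12, so d = 4
    xs = lcg(65536, 5, 4, 2, 10)
    a_bar, b_bar, d = recover_known_m(65536, xs[0], xs[1], xs[2])
    print(d, a_bar, b_bar, lcg(65536, a_bar, b_bar, xs[0], 10) == xs)
```

With m = 16, a = 11, b = 2 and seed 0 the routine returns ā = 3, b̄ = 2, d = 2: a different pair from the one used to generate the output, but one that produces the identical sequence, which is exactly the non-uniqueness the text points out.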
The case where m is unknown
In this situation, we are given x0 , . . . , xn , but not m. We can still do a good job of predicting all
the xi ’s, although there are some limitations.
The idea is that we will first compute an effective multiplier a0, which satisfies
    yi+1 ≡ a0 yi (mod m)    (i ≥ 1).
We will do this with just the first O(log m) terms of the sequence {xi}i≥0, and without knowing m.
Once we have a0 , we can compute
mj := gcd(y2 − a0 y1 , . . . , yj+1 − a0 yj )
and
aj := a0 mod mj ,
for any desired value of j. Observe that m | mj . We can view mj and aj as approximations
to m and a. With some luck, we will have m = mj for j that is reasonably small, and this is
what typically happens in practice. In any case, applying Lemma 1 with ã = aj and m̃ = mj , we
can predict the entire sequence of xi ’s modulo mj . Moreover, one can view this as an adaptive,
self-correcting process: given correct values for the xi ’s, as soon as the prediction fails, we can
correct our approximation to m and a. Because each correction step replaces our running
approximation to m by a proper divisor of it, there can be only O(log m) correction steps before
we reach the correct value of m.
So now we focus on the problem of finding an effective multiplier a0. To avoid some unpleasant
corner cases, we will assume that y1 ≠ 0; indeed, if y1 = 0, then yi = 0 and xi = x0 for all i ≥ 1,
so this is not a very interesting case. The following lemma tells us exactly how to do this.
Lemma 2. Assume y1 ≠ 0. For i ≥ 1, let ei := gcd(y1, . . . , yi). Let t be the smallest positive
integer such that et | yt+1, and set e := et. Let c1, . . . , ct ∈ Z such that e = c1 y1 + · · · + ct yt (the
extended Euclidean algorithm guarantees that these exist and can be efficiently computed). Set
    a0 := (c1 y2 + · · · + ct yt+1)/e ∈ Z.
Then we have:
(i) t = O(log m), and
(ii) yi+1 ≡ a0 yi (mod m) for all i ≥ 1.
Proof. To prove (i), observe that if ei ∤ yi+1, then ei+1 is a proper divisor of ei, and in particular,
ei+1 ≤ ei/2. It follows that ei+1 ≤ e1/2^i = |y1|/2^i, from which part (i) is immediate.
Now for part (ii).
Let di := gcd(m, yi ) for i ≥ 1. We first claim that di | di+1 for all i ≥ 1. This follows by
observing that
yi+1 = ayi + ki m
for each i ≥ 1 and some ki ∈ Z.
So if di | yi and di | m, then di must divide ayi + ki m = yi+1 , and therefore di | di+1 .
From this claim, it follows that d := d1 | e. So, in fact, d = gcd(m, e).
Now, we have
    ae = c1 ay1 + · · · + ct ayt
       ≡ c1 y2 + · · · + ct yt+1 (mod m)
       = a0 e.
Thus, ae ≡ a0 e (mod m), and so
    ae = a0 e + km
for some k ∈ Z. Dividing through by d, we have
    a(e/d) = a0 (e/d) + k(m/d),
which means that
    a(e/d) ≡ a0 (e/d) (mod m/d).
Since d = gcd(m, e), it follows that gcd(m/d, e/d) = 1, and so we can apply the law of cancellation
for congruences, obtaining
    a ≡ a0 (mod m/d),
which implies
    a = a0 + ℓ(m/d)
for some ℓ ∈ Z.
Finally, for all i ≥ 1, we have
    yi+1 ≡ ayi (mod m)
         = (a0 + ℓ(m/d)) yi
         = a0 yi + mℓ(yi/d)
         ≡ a0 yi (mod m),
since d | yi. That proves the lemma.
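The unknown-m procedure, Lemma 2 for the effective multiplier a0 followed by the adaptive, self-correcting approximation mj, aj described earlier, as an added example that is not code from these notes. The function names and the egcd helper are mine; the extended Euclidean coefficients c1, . . . , ct are built up one term at a time (each step combines the current et with yt+1). The running modulus starts at 0, which is read as "no constraint yet", i.e. arithmetic over the integers; the sample inputs are the outputs of m = 97, a = 5, b = 3 (constructed for the example, and not given to the recovery routine).

```python
import math


def egcd(a, b):
    """Extended Euclid: returns (g, u, v) with g = gcd(a, b) >= 0 and g = u*a + v*b."""
    if b == 0:
        return (abs(a), 1 if a >= 0 else -1, 0)
    g, u, v = egcd(b, a % b)
    return g, v, u - (a // b) * v


def effective_multiplier(ys):
    """Lemma 2.  ys = [y1, y2, ...] is the difference sequence.  Walks e_1, e_2, ...
    keeping coefficients c_i with e_t = c1*y1 + ... + ct*yt, stops at the first t with
    e_t | y_{t+1}, and returns (a0, t) where a0 = (c1*y2 + ... + ct*y_{t+1}) / e."""
    if len(ys) < 2:
        raise ValueError("need at least y1 and y2")
    if ys[0] == 0:
        raise ValueError("y1 = 0: the sequence is constant, nothing to predict")
    e = abs(ys[0])                       # e_1 = gcd(y1) = |y1|
    coeffs = [1 if ys[0] > 0 else -1]    # e_1 = c1*y1
    t = 1
    while ys[t] % e != 0:                # e_t does not divide y_{t+1}: move on to e_{t+1}
        if t + 1 >= len(ys):
            raise ValueError("sequence too short to find t")
        g, u, v = egcd(e, ys[t])         # e_{t+1} = g = u*e_t + v*y_{t+1}
        coeffs = [u * c for c in coeffs] + [v]
        e, t = g, t + 1
    num = sum(c * ys[k + 1] for k, c in enumerate(coeffs))   # c1*y2 + ... + ct*y_{t+1}
    assert num % e == 0                  # e divides y2, ..., y_{t+1}, so a0 is an integer
    return num // e, t


def reduce_mod(v, m):
    """Reduce v modulo m; modulus 0 means 'no constraint yet' (work over the integers)."""
    return v % m if m else v


def recover_lcg(xs):
    """Adaptive prediction with m unknown.  xs = [x0, x1, ..., xn].  Returns
    (m_j, a_j, b_j, corrections): the final approximations to m, a, b and how many
    times a failed prediction forced the running modulus to shrink."""
    ys = [xs[i] - xs[i - 1] for i in range(1, len(xs))]
    a0, _ = effective_multiplier(ys)
    m_hat = 0
    a_hat = reduce_mod(a0, m_hat)
    b_hat = reduce_mod(xs[1] - a_hat * xs[0], m_hat)   # Lemma 1: b~ = x1 - a~*x0 mod m~
    corrections = 0
    for i in range(2, len(xs)):
        if reduce_mod(a_hat * xs[i - 1] + b_hat, m_hat) != xs[i]:
            # Prediction failed.  y_i - a0*y_{i-1} is a multiple of m (Lemma 2 (ii)), so
            # folding it into the running gcd keeps m | m_hat and replaces m_hat by a
            # proper divisor of it; then refresh a_j and b_j from the new modulus.
            m_hat = math.gcd(m_hat, ys[i - 1] - a0 * ys[i - 2])
            a_hat = reduce_mod(a0, m_hat)
            b_hat = reduce_mod(xs[1] - a_hat * xs[0], m_hat)
            corrections += 1
            # Lemma 1 with m~ = m_hat now guarantees the corrected prediction is right
            assert reduce_mod(a_hat * xs[i - 1] + b_hat, m_hat) == xs[i]
    return m_hat, a_hat, b_hat, corrections


if __name__ == "__main__":
    # constructed input: output of m = 97, a = 5, b = 3, seed 20; parameters not supplied
    print(recover_lcg([20, 6, 33, 71, 67, 47]))   # (97, 5, 3, 2)
```

On the seed-20 input the effective multiplier comes out as a0 = −92 with t = 2 (note that −92 ≡ 5 (mod 97), as Lemma 2 promises, even though a0 is far from the true a); the running modulus then goes 0 → 1261 = 13·97 → 97 over two correction steps, after which every further term is predicted exactly. The same happens on the seed-1 input [1, 8, 43, 24, 26, 36, 86, 45, 34], where t = 1 and a0 = 5 immediately.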