Linear Congruential Generators Do Not Produce Random Sequences

A. M. Frieze*, R. Kannan** and J. C. Lagarias***

* GSIA, Carnegie-Mellon University and Queen Mary College, London
** Computer Science Department, Carnegie-Mellon University
*** AT&T Bell Laboratories, Murray Hill
Abstract

One of the most popular and fast methods of generating "random" sequences are linear congruential generators. This paper discusses the predictability of the sequence given only a constant proportion α of the leading bits of the first few numbers generated. We show that the rest of the sequence is predictable in polynomial time, almost always, provided α > 2/5.

Introduction

One of the most popular and fast methods of generating "random" sequences are linear congruential generators. These work as follows: a modulus M, a multiplier a relatively prime to M and an increment c are picked. Then starting at a random "seed" X_0 one generates the sequence {X_i} given by

    X_{i+1} = a X_i + c (mod M).    (0)

(Thus the X_i are all integers between 0 and M - 1.) The sequences produced by LCG's have been shown to satisfy various statistical tests of randomness for proper choices of the modulus and multiplier (Knuth, Vol. 2). However it does not immediately follow from these that these sequences are "unpredictable" - which one would intuitively expect a random sequence to be. This aspect of randomness has been formalized by cryptographers: Shamir (1980), Blum and Micali (1982), Yao (1982) and Goldreich, Goldwasser and Micali (1984). Also, the thesis that problems that can be done in random polynomial time are essentially tractable is based on the hypothesis that a deterministic polynomial time bounded process can produce sequences that are indistinguishable from truly random sequences in deterministic polynomial time. (See Cook (1983) for a discussion of this thesis.) Indeed the general observation so far seems to be that probabilistic (coin-tossing) algorithms work well in practice. In view of this it is important to analyse one of the most popular random number generators - the linear congruential generator (LCG).

Knuth (1980), Plumstead (1982) and Reeds (1977) have considered the question of whether linear congruential generators are predictable. Knuth (Vol. 2) contains an elaborate discussion to show that if the bits of several consecutive X_i's are known, then the multiplier a can be inferred and, with greater difficulty, the modulus too, thus demonstrating that when all bits of the X_i are announced, the sequence becomes predictable even if the modulus and multiplier are unknown.† Knuth (1980) considers the problem when the multiplier and modulus are unknown and only a small fraction of the bits of several consecutive X_i's are announced. For this case, he devises an exponential time algorithm to infer the hidden information. Plumstead (1982) uses a clever idea to show that the bits generated by linear congruential generators are predictable. Plumstead (1982) also treats the case when the trailing O(log(n)) bits of several consecutive X_i's are unknown. Reeds (1977) considers some special cases with fixed multipliers.

It has been suggested (Knuth 1980) that a way of producing secure sequences from an LCG is to output the leading part of each of the X_i's - say the leading half of the bits. The main result of this paper is to show that this sequence is not secure.

† Note that if the modulus is known it is certainly insecure to output any X_i, for if X_i, X_{i+1}, X_{i+2} are known then a is given by (X_{i+2} - X_{i+1})(X_{i+1} - X_i)^{-1} and thence c can be found. Here the inverse is modulo M; if the inverse does not exist, a simple modification of the expression suffices to find a.

© 1984 IEEE 0272-5428/84/0000/0480$01.00
To describe our result we introduce some notation: let n = 2m be the number of bits in M. We break X_i into two equal parts:

    x_i = 2^m y_i + z_i,  where 0 ≤ y_i, z_i < 2^m.    (1)

The problem we consider is: given M, a, c, y_1, y_2, y_3, ..., y_β for some β, can one determine z_1 (and then of course all the X_i can be easily computed)? The main result is an algorithm A with the following properties:

1) A is deterministic polynomial time bounded. Indeed A runs in time O(n^2 log n log log n). (We remark that Lenstra's (1979) algorithm could take Ω(n^9) time.)

2) It takes as input integers M, a and integers y_1, y_2 and y_3, 0 ≤ y_1, y_2, y_3 ≤ 2^m, and returns an integer z_1 between 0 and 2^m or returns the answer "cannot solve the instance". (See 3) below.)

3) For each M, there is a set S_M containing at least (1 - O(M^{-1/5})) of the integers modulo M such that
   a) for any a in S_M and any c, given y_1, y_2, y_3 integers in [0, √M], there is a unique z_1, z_2 and z_3 in [0, √M] such that x_1, x_2 and x_3 defined by (1) satisfy (0);
   b) there is a polynomial-time algorithm that, given a, M, tests whether a is in S_M;
   c) whenever a ∈ S_M, the algorithm A gives the correct (unique) answer; if a ∉ S_M, A returns "cannot solve".

Algorithm A

We use the algorithm of Kannan (1983) to find an integer solution to

    a z_1 - z_2 + M p_1 = Y_1
    a z_2 - z_3 + M p_2 = Y_2    (2)
    0 ≤ z_i ≤ 2^m,  i = 1, 2, 3

where Y_i = 2^m(y_{i+1} - a y_i) - c (mod M) for i = 1, 2 and p_1, p_2 are new integer variables. Now clearly if z_1, z_2, z_3 are the "hidden bits" of an LCG then they will form a solution to (2) with suitable values for p_1, p_2. The key issue is whether or not there are any other solutions. If there are none then our method is valid. We define the set S_M for which we know that the solution is unique.

Suppose that there is another solution (z_1', z_2', z_3', p_1', p_2') to (2). Then putting u_i = z_i - z_i' for i = 1, 2, 3 we have

    u_2 = a u_1 (Mod M)
    u_3 = a u_2 (Mod M)    (3)
    |u_i| ≤ 2^{m+1},  i = 1, 2, 3

where we define (Mod M), as opposed to (mod M), to be the least absolute value residue, i.e. -M/2 ≤ y (Mod M) < M/2.

Thus if

    B_M = {a : 0 ≤ a ≤ M - 1 and there is an integer x with 0 < x ≤ 2^{m+1}, |a x (Mod M)| ≤ 2^{m+1} and |a^2 x (Mod M)| ≤ 2^{m+1}}    (4)

and S_M = {0, 1, ..., M - 1} - B_M, then we have: if a ∈ S_M then there is at most one solution to (2) and our algorithm finds it.
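As an added example (my code, not the paper's), the following Python puts equation (0), the split (1), the system (2) and the membership test for B_M from (4) into a form that can be checked by brute force for a small constructed modulus; it also carries out the recovery of a and c from three consecutive full outputs described in the footnote to the introduction. Kannan's integer-programming solver is replaced by direct enumeration of z_1 (and of x for the B_M test), so this is exponential in m and only illustrates the claims for tiny parameters. The 20-bit prime M = 1000003 and all function names are my choices, not anything from the paper.

```python
# Added example, not code from the paper: equations (0)-(2) and the set B_M of (4),
# checked by brute force for a small constructed modulus.  Kannan's integer-
# programming solver is replaced by enumeration, so this is exponential in m.
import math
import random

M_DEMO, M_BITS = 1000003, 10   # constructed: a 20-bit prime modulus, so n = 2m = 20


def lcg(seed, a, c, M, count):
    """X_1, ..., X_count from X_0 = seed via X_{i+1} = a X_i + c (mod M), eq. (0)."""
    xs, x = [], seed
    for _ in range(count):
        x = (a * x + c) % M
        xs.append(x)
    return xs


def recover_a_c(x0, x1, x2, M):
    """Footnote of the paper: with M known and three consecutive full outputs,
    a = (x2 - x1)(x1 - x0)^{-1} (mod M) and then c = x1 - a x0 (mod M).
    Returns None when the inverse does not exist (the paper's 'simple
    modification' for that case is not spelled out, so it is not attempted)."""
    d = (x1 - x0) % M
    if d == 0 or math.gcd(d, M) != 1:
        return None
    a = (x2 - x1) * pow(d, -1, M) % M
    return a, (x1 - a * x0) % M


def split(x, m):
    """Decomposition (1): x = 2^m y + z with 0 <= z < 2^m; y is the published half."""
    return x >> m, x & ((1 << m) - 1)


def mod_abs(v, M):
    """(Mod M) of the paper: the least absolute residue, in [-M/2, M/2)."""
    r = v % M
    return r - M if 2 * r >= M else r


def in_B_M(a, M, m):
    """Membership in B_M, eq. (4): is there an x, 0 < x <= L = 2^{m+1}, with
    |a x (Mod M)| <= L and |a^2 x (Mod M)| <= L?  (Test (14), by enumerating x.)"""
    L = 1 << (m + 1)
    return any(abs(mod_abs(a * x, M)) <= L and abs(mod_abs(a * a * x, M)) <= L
               for x in range(1, L + 1))


def solutions_of_2(a, c, M, m, y1, y2, y3):
    """All (z1, z2, z3) with 0 <= z_i <= 2^m solving system (2), where
    Y_i = 2^m (y_{i+1} - a y_i) - c (mod M).  Since 2^m + 1 < M, each z_i forces
    z_{i+1} (the multiple of M is determined), so enumerating z1 suffices."""
    top = 1 << m
    Y1 = (top * (y2 - a * y1) - c) % M
    Y2 = (top * (y3 - a * y2) - c) % M
    sols = []
    for z1 in range(top + 1):
        z2 = (a * z1 - Y1) % M
        if z2 > top:
            continue
        z3 = (a * z2 - Y2) % M
        if z3 <= top:
            sols.append((z1, z2, z3))
    return sols


def algorithm_A(a, c, M, m, y1, y2, y3):
    """X_1 recovered from the three leading halves, or None ('cannot solve the
    instance') when a lies in B_M, i.e. outside S_M."""
    if in_B_M(a, M, m):
        return None
    sols = solutions_of_2(a, c, M, m, y1, y2, y3)
    assert len(sols) == 1, "a in S_M guarantees a unique solution of (2)"
    return (1 << m) * y1 + sols[0][0]


def fraction_in_B_M(samples, seed=1):
    """Sampled estimate of |B_M| / M, which the paper shows is O(M^{-1/5})."""
    rng = random.Random(seed)
    return sum(in_B_M(rng.randrange(M_DEMO), M_DEMO, M_BITS) for _ in range(samples)) / samples


def demo(seed=1):
    """Draw a, c, X_0, publish only the leading halves of X_1..X_3, and check that
    Algorithm A recovers X_1 and therefore predicts X_2..X_6 exactly."""
    rng = random.Random(seed)
    while True:
        a, c, x0 = rng.randrange(2, M_DEMO), rng.randrange(M_DEMO), rng.randrange(M_DEMO)
        xs = lcg(x0, a, c, M_DEMO, 6)
        ys = [split(x, M_BITS)[0] for x in xs[:3]]
        X1 = algorithm_A(a, c, M_DEMO, M_BITS, *ys)
        if X1 is not None:          # a was in S_M, so the instance is solvable
            return X1 == xs[0] and lcg(X1, a, c, M_DEMO, 5) == xs[1:]


if __name__ == "__main__":
    print("sampled fraction of multipliers in B_M:", fraction_in_B_M(200))
    print("X_2..X_6 predicted from leading halves:", demo())
```

Running the file prints the sampled fraction of multipliers that fall in B_M (small at this size) and whether X_2, ..., X_6 were predicted exactly from the leading halves of X_1, X_2, X_3 alone. The point for a defender is the one the paper makes: with M, a and c known, publishing half of each output of an LCG leaks the whole stream, so such a generator must not be used where unpredictability matters.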
We can assume without loss of generality that u_1 > 0 (clearly if u_1 = 0 we find that u_2 = u_3 = 0 as well and p_i = p_i' for i = 1, 2, so the two solutions are not distinct; if u_1 < 0 we replace u_1 by -u_1). Then x = u_1 satisfies the conditions defining B_M in (4), so if a ∈ S_M there is at most one solution to (2) and our algorithm finds it.

We now obtain a bound for the size of B_M. Writing L = 2^{m+1},

    |B_M| ≤ Σ_{x=1}^{L} |{a : |a x (Mod M)| ≤ L, |a^2 x (Mod M)| ≤ L}|,    (5)

as each a ∈ B_M is counted at least once in the sum on the right hand side of (5). Consider now a fixed x, 0 < x ≤ L, and assume first that x and M are relatively prime. Then putting y = a x (Mod M) and using a ≡ x^{-1} y (Mod M) we obtain the equation [...] relating x^2 and w y^2 (Mod M). For non-negative integer n, let ψ(n) denote the number of distinct integer solutions (x, y) to [...], which will be used with (5) and (6) to bound |B_M|. Consider the function φ: [...] → Z^2 defined by [...]. To see this consider a fixed (y_1, z_2) ∈ φ^{-1}(u) having the smallest value of |y| + |z|. Then [...].

Now it is known (LeVeque (1956) for example) that for any ε > 0 there exists b_ε such that

    ψ(n) ≤ b_ε n^ε.    (10)

It follows from (10) that (9) holds with [...]. It then follows from (8) and (9) that [...], which completes the case for x and M relatively prime. Let now ε > 0 be an arbitrarily small positive real number. We show that there exists [...] such that if |u| ≤ 2L then (9) [...].
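To see the bound on |B_M| concretely, here is a second added example (again my code, not the paper's) that enumerates B_M exactly for two small constructed prime moduli by the substitution used in the proof above: for a fixed x with gcd(x, M) = 1 one writes y = a x (Mod M), so that a = x^{-1} y and the condition on a^2 x becomes |x^{-1} y^2 (Mod M)| ≤ L. Prime moduli are used so that the case gcd(x, M) > 1 never arises; the moduli 4093 and 65521 and the function names are my choices.

```python
# Added example, not code from the paper: enumerate B_M of eq. (4) exactly for two
# small constructed prime moduli, using the proof's substitution y = a x (Mod M),
# a = x^{-1} y, under which the condition on a^2 x becomes one on x^{-1} y^2.


def mod_abs(v, M):
    """Least absolute residue (Mod M), in [-M/2, M/2)."""
    r = v % M
    return r - M if 2 * r >= M else r


def bad_multipliers(M, m):
    """B_M for prime M with n = 2m bits and L = 2^{m+1}.  For each x in [1, L] and
    each y with |y| <= L, a = x^{-1} y is the unique multiplier with a x (Mod M) = y,
    so it only remains to test |a^2 x (Mod M)| = |x^{-1} y^2 (Mod M)| <= L.  This is
    the sum over x behind bound (5), except that the set is kept, not just counted."""
    L = 1 << (m + 1)
    bad = set()
    for x in range(1, L + 1):
        inv = pow(x, -1, M)         # exists since M is prime and 0 < x < M
        for y in range(-L, L + 1):
            if abs(mod_abs(inv * y * y, M)) <= L:
                bad.add(inv * y % M)
    return bad


def bad_fraction(M, m):
    """|B_M| / M; the paper proves this is O(M^{-1/5})."""
    return len(bad_multipliers(M, m)) / M


if __name__ == "__main__":
    for M, m in ((4093, 6), (65521, 8)):   # constructed 12-bit and 16-bit primes
        print(f"M = {M}: {len(bad_multipliers(M, m))} of {M} multipliers lie in B_M")
```

The fraction printed for the 16-bit prime is smaller than for the 12-bit one, in line with |B_M| = O(M^{4/5}); the exact counts are not stated by the paper and are only what this enumeration finds. Note that 0, 1 and M - 1 always lie in B_M (take x = 1), which is the reason property 3c) of the main result must allow the answer "cannot solve" for some multipliers.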
If d = d(x) = gcd(x, M) > 1 we find that [...]. (11) It follows from (11) that |B(x)| ≤ d(x)^{-ε}(4 a L^{3+2ε}/M)^{1/2} and hence that

    |B_M| ≤ Σ_{x=1}^{L} d(x)^{-ε} (4 a L^{3+2ε}/M)^{1/2}.    (12)

Substituting L = 2^{m+1} and putting ε = 1/20 yields |B_M| = O(M^{4/5}) as stated.

We note that if we are given slightly fewer than n/2 bits, i.e. αn bits where α > 2/5, then simply putting m = ⌈(1 - α)n⌉ in the above analysis shows that our method works except on a set of a's of size o(M^{2 - 5α/2 + ε}) for any ε > 0.

We next consider the case where the constant c in (0) is not known. As it turns out, we can proceed in a similar manner to the above. This time we need the first 3 numbers generated. Using the decomposition (1) we will be looking for an integer solution to

    a z_1 - z_2 + c + M p_1 = Y_1
    a z_2 - z_3 + c + M p_2 = Y_2
    a z_3 - z_4 + c + M p_3 = Y_3    (13)
    -M < c < M
    -2^m ≤ z_i ≤ 2^m,  i = 1, 2, 3, 4

where Y_i = 2^m(y_{i+1} - a y_i) (mod M) for i = 1, 2, 3. We show next that if we change the definition of B_M slightly by replacing 2^{m+1} by 2^{m+2} then a ∈ S_M implies (13) has a unique solution. Suppose (z_1', z_2', z_3', z_4', c', p_1', p_2', p_3') is an alternative solution. Put v_i = z_i - z_i' for i = 1, 2, 3, 4 and u_i = v_i - v_{i+1} for i = 1, 2, 3. It follows that (3) holds with 2^{m+1} replaced by 2^{m+2}.

We now consider the problem of testing for a ∈ B_M. By (4), a ∈ B_M if and only if there is a solution to

    1 ≤ x ≤ L
    -L ≤ a x + p_1 M ≤ L    (14)
    -L ≤ a^2 x + p_2 M ≤ L
    x, p_1, p_2 integer.

This is again an integer program in a fixed number of variables.

Extensions

The problem naturally arises: what if instead of half the bits we are only given a much smaller fraction of them? Then, of course, we may require portions of more than 3 of the X_i's, but will a fixed number depending only on α do? We show that the answer is affirmative provided the following number theory conjecture is true: corresponding to any fraction α ∈ (0, 1) there exists a natural number β and a fraction δ ∈ (0, 1) such that the cardinality of the set B_{α,M} defined below is O(M^δ), where

    B_{α,M} = {a : 0 ≤ a ≤ M - 1; there exists x, 0 < x ≤ M^α, such that |a^i x (Mod M)| ≤ M^α for i = 1, 2, ..., β}.

We have proved the conjecture when M is square free. However the conjecture is open for general M.

The ideas used in this paper will yield an algorithm for the case when M is odd and the trailing half of the bits are given to us. (When M is even these bits do not form a random sequence - this can be seen from basic considerations.) The sets B_M, S_M do not change.

Finally, the case when a and possibly M are also unknown, in addition to a fraction of the bits of X_i, remains an interesting open problem.

Acknowledgment

We thank Rick Statman for useful discussions and M. Blum and J. Plumstead for bringing the problem to our attention.
References

M. Blum and S. Micali, "How to generate cryptographically strong sequences of pseudo random bits", Proceedings of the 23rd IEEE Symposium on the Foundations of Computer Science (1982).

S. Cook, "An overview of computational complexity", 1982 ACM Turing Award lecture, Communications of the ACM Vol. 26, No. 6, June (1983), pp. 400-408.

O. Goldreich, S. Goldwasser and S. Micali, "How to construct random functions".

R. Kannan, "Improved algorithms for integer programming and related lattice problems", 15th Annual ACM Symposium on Theory of Computing (1983), pp. 193-206.

D. E. Knuth, "Seminumerical algorithms. The art of computer programming", Vol. 2, Addison-Wesley (1969).

D. E. Knuth, "Deciphering a linear congruential encryption", Technical Report no. 024800, Stanford University (1980).

H. W. Lenstra, "Integer programming with a fixed number of variables", First announcement (1979). To appear in Mathematics of Operations Research.

W. J. LeVeque, "Topics in number theory", Addison-Wesley, Mass. (1956).

J. Plumstead, "Inferring a sequence generated by a linear congruence", 23rd IEEE Symposium on the Foundations of Computer Science (1982), pp. 153-159.

J. Reeds, "Cracking a random number generator", Cryptologia, Vol. 1, Jan (1977).

A. Shamir, "On the generation of cryptographically strong pseudorandom sequences", Seventh International Colloquium on Automata, Languages and Programming (1980).

A. Yao, "Theory and applications of trapdoor functions", Proceedings of the 23rd IEEE Symposium on the Foundations of Computer Science (1982), pp. 80-91.