Inversive congruential generator

Abstract: Let p be a prime and let a and b be elements of the finite field Fp of p elements. The inversive congruential generator (ICG) is a sequence (u n ) of pseudorandom numbers defined by the relation u n+1 ≡ au -1 n +b mod p. We show that if sufficiently many of the most significant bits of several consecutive values u n of the ICG are given, one can recover the initial value u 0 (even in the case where the coefficients a and b are not known). We also obtain similar results for the quadratic congruential generator (QCG), v n+1 ≡ f(v n ) mod p, where f ∈ F p [X]. This suggests that for cryptographic applications ICG and QCG should be used with great care. Our results are somewhat similar to those known for the linear congruential generator (LCG), x n+1 ≡ ax n + b mod p, but they apply only to much longer bit strings. We also estimate limits of some heuristic approaches, which still remain much weaker than those known for LCG.

Abstract: Nonlinear congruential pseudorandom number generators based on inversions have recently been introduced and analyzed. These generators do not show the lattice structure of the widely used linear congruential method. In the present paper it is proved that the points formed by d consecutive pseudorandom numbers of an inversive congruential generator with prime modulus possess an even stronger property: Any hyperplane in (/-space contains at most d of these points, that is to say, the hyperplane spanned by d arbitrary points of an inversive congruential generator contains no further points. This feature makes the inversive congruential method particularly attractive for simulation problems where linear structures within the generated points should be avoided.

Abstract: Let p be a prime and let a and b be integers modulo p. The inversive congruential generator (ICG) is a sequence (u n ) of pseudorandom numbers defined by the relation \(U_{n+1}\equiv au{^{-1}_{n}}+b {\rm mod} p\).We show that if b and sufficiently many of the most significant bits of three consecutive values u n of the ICG are given, one can recover in polynomial time the initial value u 0 (even in the case where the coefficient a is unknown) provided that the initial value u 0 does not lie in a certain small subset of exceptional values.

Abstract: The inversive congruential method is an attractive alternative to the classical linear congruential method for pseudorandom number generation. The authors have recently introduced a new method for obtaining nontrivial upper bounds on the multidimensional discrepancy of inversive congruential pseudorandom numbers in parts of the period. This method has also been used to study the multidimensional distribution of several other similar families of pseudorandom numbers. Here we apply this method to show that, ''on average'' over all initial values, much stronger results than those known for ''individual'' sequences can be obtained.

Abstract: Let p be a prime and let a and b be integers modulo p. The inversive congruential generator (ICG) is a sequence (u n ) of pseudorandom numbers defined by the relation \(U_{n+1}\equiv au{^{-1}_{n}}+b {\rm mod} p\).We show that if b and sufficiently many of the most significant bits of three consecutive values u n of the ICG are given, one can recover in polynomial time the initial value u 0 (even in the case where the coefficient a is unknown) provided that the initial value u 0 does not lie in a certain small subset of exceptional values.