IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 46, NO. 6, SEPTEMBER 2000 2159

On the Linear Complexity Profile of thePower Generator

Frances Griffin and Igor E. Shparlinski

Abstract—We obtain a lower bound on the linear complexityprofile of the power generator of pseudo-random numbers moduloa Blum integer. A different method is also proposed to estimatethe linear complexity profile of the Blum–Blum–Shub generator.In particular, these results imply that lattice reduction attacks onsuch generators are not feasible.

Index Terms—Blum–Blum–Shub generator, cryptography,linear complexity profile, power generator, RSA generator.

I. INTRODUCTION

L ET , , and be integers such that .Then one can define the sequence by the recurrence

relation

(1)with the initial value .

This sequence is known as thepower generatorof pseudo-random numbers and has many applications to cryptography,see [1], [5], [14], and [21].

In two special cases , where is theEuler function, and this sequence is known as theRSAgeneratorand as theBlum–Blum–Shub generator, respectively.

It is obvious that the sequence (1) eventually becomes pe-riodic with some period . Throughout this paperwe assume that this sequence ispurely periodic, that is, that

beginning with . It is easy to see that ifthis is always the case, otherwise we con-

sider a shift of the original sequence.Various properties of the power generator have been studied

in a number of papers [1], [2], [4]–[9], [11], [14], [16], [20],[21]. For example, it is shown in [4] that the rightmost bit ofthe Blum–Blum–Shub generator takes valuesand almostequally often, provided that the period is large enough. For theRSA generator, the distribution of strings of leftmost and right-most bits of has been studied in [7] and [9]. In particular, itis shown in [9] that if the periodof the sequence satisfiesthe inequality for some fixed then the frac-tions are uniformly distributed in theinterval .

Here we study one more important characteristic of this se-quence.

Manuscript received October 7, 1998; revised April 7, 2000.The authors are with the Department of Computing, Macquarie University,

NSW 2109, Australia (e-mail: fgriffin @ics.mq.edu.au; igor@ics.mq.edu.au).Communicated by D. Stinson, Associate Editor for Complexity and Cryptog-

raphy.Publisher Item Identifier S 0018-9448(00)06989-3.

We recall, that thelinear complexity profile of aninfinite sequence over the residue ring modulo is thefunction which for every integer is defined as the order

of the shortest linear recurrence relation

which is satisfied by this sequence, see [5], [16]–[19].The largest value

is called thelinear complexityof the sequence.Obviously, for some sequences the linear complexity can be

equal to infinity. However, for the linear complexity of any pe-riodic sequence of periodone easily verifies that

In this paper, we study the most important case for applica-tions when . Such numbers are calledBlum integers(sometimes it is also requested that they satisfy additional con-ditions such as that ). In fact, this result isbased on a similar estimate for a prime . Moreover, onecan obtain similar results for any integer having only largeprime divisors.

For a Blum integer , the lower bound

has been obtained in [20], and it has been shown that ifis oforder , this bound is almost optimal. This bound is derivedfrom the bound

(2)

which holds when is prime. We note that it has beenproved in [8] that for almost all values of the parameters of theRSA generator the corresponding sequence indeed has periodof order .

Here we generalize these results and obtain lower bounds onthe linear complexity profile of the power generator modulo aBlum integer. Our bound is nontrivial when the periodsatisfiesthe inequality . In this case the bound applies toall values of beginning with for anyand sufficiently large .

Our results demonstrate that the power generator does notcontain any hidden linear structure. In particular, this rules outa possibility of the lattice reduction attack on this generator and

0018–9448/00$10.00 © 2000 IEEE

2160 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 46, NO. 6, SEPTEMBER 2000

even its truncated versions, see [13], [14] where such attacks onthe linear congruential generator

where and are integers with , have beendescribed.

We also propose an alternative method which works for smallvalues of and which we demonstrate in the most important caseof the Blum–Blum–Shub generator, that is, for .

II. A UXILIARY RESULTS

We need the following two simple statements.

Lemma 1: Let and be integers. Let be the largestpositive integer for which the powers aredistinct modulo . Then for any and ,there exists an integer, , such that the congruence

has

solutions.Proof: It is easy to see that

and the lemma follows.

Lemma 2: Let a sequence satisfy a linear recurrencerelation of order over a field . Then for anypairwise-distinct nonnegative integers there exist

, not all equal to zero, such that

Proof: It is easy to see that the set of all solutions of anylinear recurrence relation over any fieldis a linear space ofdimension over , for example, see [15, Ch. 8]. Therefore,any solutions are linear dependent. In particular, thesequences are linear dependent.

We also need the following statements which are partial casesof much more general results of [3], [10], [12].

Lemma 3: Let a sequence satisfy a linear recurrencerelation of order over a field . Then the sequence of squares

satisfies a linear recurrence relation of order at most.

Lemma 4: Let sequences and satisfy linear recur-rence relations of order and , respectively, over a field .Then the sequence satisfies a linear recurrence rela-tion of order at most .

III. GENERAL ESTIMATES

Now we are prepared to formulate our estimates for the RSAgenerator. First of all we consider the case of prime modulus.

Theorem 5: Let be prime. Assume that a sequence, given by (1) with , is pure periodic with period.

Then for the linear complexity profile the bound

holds.Proof: As we have mentioned, for .

We now assume that . Put

Let be the largest positive integer for which the powers,are distinct modulo . Obviously

From Lemma 1 we see that there exists, ,such that the number of solutionsof the congruence

satisfies

Let and be the corresponding values ofand , respectively.Assume that . Let be a linear recurrence

sequence of order with forwhich satisfies the same linear recurrence relation as the first

terms of the sequence . Thus in fact for.

From Lemma 2 we see that there exist integersnot all equal to zero modulo, such that

for all .Remarking that

for all with

we conclude that

for such . In particular, it holds for because inthis case

GRIFFIN AND SHPARLINSKI: ON THE LINEAR COMPLEXITY PROFILE OF THE POWER GENERATOR 2161

Because , we conclude thatthe nonzero modulo polynomial

of degree

has at least distinct zeros , modulo, which is impossible. Hence , and the desired

result follows.

We use Theorem 5 to estimate the linear complexity profilemodulo a Blum integer.

Theorem 6: Let , where and are two distinctprimes. Assume that the sequence , given by (1), is pureperiodic with period . Then, for , for the linear com-plexity profile the bound

holds.Proof: Let be the period of the sequence modulo

and let be the period of the sequence modulo . Obvi-ously, . Assume that . Let be the linearcomplexity profile of the sequence taken modulo . Obvi-ously, . Therefore, from Theorem 5 and thebound (2) we derive

Taking into account that and , weobtain the desired statement.

IV. THE BLUM–BLUM–SHUB GENERATOR

For small , an alternative approach has been described in[20]. Although we still do not know how to apply it to estimatingthe linear complexity , surprisingly enough, it can be com-bined with the lower bound (2) and thus can produce nontrivialestimates on .

We demonstrate this approach for the very important case, which is not covered by Theorems 5 and 6. The result

can be easily extended to other values ofbut it weakens quitequickly when grows.

Theorem 7: Let be prime. Assume that a sequenceis given by (1) with and and let be the

period of this sequence. Then for the linear complexity profilethe bound

holds.Proof: Let be a sequence over , whose initial seg-

ment of length coincides with that of , that is, ,and which satisfies the same linear recur-

rence equation as the first terms of . From Lemmas 3and 4 we see that the sequence is of order

On the other hand, it has consecutive zeros forso, unless this sequence is the all-zeros sequence

Therefore,

in this case.Otherwise, that is, if is the all-zeros sequence,

we have for all . Since we also havethen for every . Hence

in this case, and we obtain the desired result.

From Theorem 7 and the bound (2) we see

(3)

As before, we use Theorem 7 to estimate the linear com-plexity profile modulo a Blum integer.

Theorem 8: Let , where and are two distinctprimes. Assume that the sequence is given by (1) with

and let be the period of this sequence. Then, for thelinear complexity profile the bound

holds.Proof: Let be the period of the sequence modulo

and let be the period of the sequence modulo . Obvi-ously, . Therefore,

Without loss of generality we may assume that

Let be the linear complexity profile of the sequencetaken modulo . Obviously, and from thebound (3) we derive the desired statement.

We remark that if then the bound of Theorem8 is nontrivial for any value of .

V. REMARKS

Of course, Theorem 5 allows us to derive lower bounds onthe linear complexity of the RSA generator modulo any integer

without small prime divisors. On the other hand, it would beof interest to obtain a general lower bound which is nontrivialfor, say, large powers of small prime numbers.

We also remark that all our results can be extended to intervals.

2162 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 46, NO. 6, SEPTEMBER 2000

It would also be interesting to extend the results of this paperas well as the results of [7], [20] to the case of theexponentialgenerator

which also has numerous cryptographic applications [5], [14].

ACKNOWLEDGMENT

The authors wish to thank H. Niederreiter for consultationson the theory of linear complexity of sequences.

REFERENCES

[1] L. Blum, M. Blum, and M. Shub, “A simple unpredictable pseudo-random number generator,”SIAM J. Comput., vol. 15, pp. 364–383,1986.

[2] J. J. Brennan and B. Geist, “Analysis of iterated modular exponentiation:The orbit ofx mod N ,” Des., Codes Cryptogr., vol. 13, pp. 229–245,1998.

[3] E. Çakçak, “A remark on the minimal polynomial of the product of linearrecurring sequences,”Finite Fields and Their Appl., vol. 4, pp. 87–97,1998.

[4] T. W. Cusick, “Properties of thex mod N pseudorandom number gen-erator,”IEEE Trans. Inform. Theory, vol. 41, pp. 1155–1159, July 1995.

[5] T. W. Cusick, C. Ding, and A. Renvall,Stream Ciphers and NumberTheory. Amsterdam, The Netherlands: Elsevier, 1998.

[6] R. Fischlin and C. P. Schnorr,Stronger Security Proofs for RSA andRabin Bits’ (Lecture Notes in Computer Science). Berlin, Germay:Springer-Verlag, 1997, vol. 1233, pp. 267–279.

[7] J. B. Friedlander, D. Lieman, and I. E. Shparlinski, “On the distributionof the RSA generator,” inProc. Int. Conf. Sequences and Their Appli-cations (SETA’98), Singapore. London, U.K.: Springer-Verlag, 1999,pp. 205–212.

[8] J. B. Friedlander, C. Pomerance, and I. E. Shparlinski, “Period of thepower generator and small values of Carmichael’s function,”Math.Comput., to be published.

[9] J. B. Friedlander and I. E. Shparlinski, “On the distribution of the powergenerator,”Math. Comput., to be published.

[10] R. Göttfert and H. Niederreiter, “On the minimal polynomial of theproduct of linear recurring sequences,”Finite Fields and Their Appl.,vol. 1, pp. 204–218, 1995.

[11] J. Håstad and M. Näslund, “The security of individual RSA bits,” inProc39th IEEE Symp. Foundations of Computer Science, 1998, pp. 510–519.

[12] T. Herlestam, “On functions of linear shift register sequences,” inLec-ture Notes in Computer Science. Berlin, Germany: Springer-Verlag,1987, vol. 291, pp. 119–129.

[13] A. Joux and J. Stern, “Lattice reduction: A toolbox for the cryptanalyst,”J. Cryptol., vol. 11, pp. 161–185, 1998.

[14] J. C. Lagarias, “Pseudorandom number generators in cryptography andnumber theory,” inProc. Symp. Applied Maththematics. Providence,RI: Amer. Math. Soc., 1990, vol. 42, pp. 115–143.

[15] R. Lidl and H. Niederreiter,Finite Fields. Cambridge, U.K.: Cam-bridge Univ. Press, 1997.

[16] A. J. Menezes, P. C. van Oorrschot, and S. A. Vanstone,Handbook ofApplied Cryptography. Boca Raton, FL: CRC , 1996.

[17] H. Niederreiter, “Some computable complexity measures for binary se-quences,” inProc. Int. Conf. Sequences and Their Applications, Singa-pore, 1998.

[18] H. Niederreiter and M. Vielhaber, “Linear complexity profiles: Hausdorfdimension for almost perfect profiles and measures for general profiles,”J. Compl., vol. 13, pp. 353–383, 1996.

[19] R. A. Rueppel, “Stream ciphers,” inContemporary Cryptology: The Sci-ence of Information Integrity. New York: IEEE, 1992, pp. 65–134.

[20] I. E. Shparlinski, “On the linear complexity of the power generator,”Des., Codes Cryptogr., to be published.

[21] D. R. Stinson,Cryptography: Theory and Practice. Boca Raton, FL:CRC, 1995.