Professional Documents
Culture Documents
Institute of Mathematical Statistics Statistical Science
Institute of Mathematical Statistics Statistical Science
Institute of Mathematical Statistics Statistical Science
REFERENCES
Linked references are available on JSTOR for this article:
https://www.jstor.org/stable/2246038?seq=1&cid=pdf-reference#references_tab_contents
You may need to log in to JSTOR to access the linked references.
JSTOR is a not-for-profit service that helps scholars, researchers, and students discover, use, and build upon a wide
range of content in a trusted digital archive. We use information technology and tools to increase productivity and
facilitate new forms of scholarship. For more information about JSTOR, please contact support@jstor.org.
Your use of the JSTOR archive indicates your acceptance of the Terms & Conditions of Use, available at
https://about.jstor.org/terms
This content downloaded from 58.27.226.232 on Wed, 11 Mar 2020 12:49:01 UTC
All use subject to https://about.jstor.org/terms
Statistical Sciernce
1993, Vol. 8, No. 1, 31-39
Pseudorandom Numbers
Jeffrey C. Lagarias
31
This content downloaded from 58.27.226.232 on Wed, 11 Mar 2020 12:49:01 UTC
All use subject to https://about.jstor.org/terms
32 J. C. LAGARIAS
Section 4 surveys results on the statistical perfor- in T( IA I) steps and outputs A has length greater than
mance of various known pseudorandom number gener- IA l. This notion of incompressibility is effectively com-
ators. In particular, a pseudorandom bit generator putable. One can similarly define incompressibility of
called the RSA generator produces secure pseudoran- ensembles of strings S with respect to time complexity
dom bits (in the sense of Section 2) if the problem of classes such as PTIME. In fact, the accepting function
factoring certain integers is computationally difficult. for membership in a "hard" set in a time-complexity
A good general reference for pseudorandom number class 3 behaves "randomly" when viewed as input to a
generators is Knuth (1981, Chapter 3). Turing machine that has a more restricted amount of
time available. This idea goes back at least to Meyer
and McCreight (1971).
2. EXPLICIT CONSTRUCTIONS OF PSEUDORANDOM
The three principles all involve some notion of func-
BIT GENERATORS
tional composition or of iteration of a function. Indeed,
Where might pseudorandom number generators running a computation of a Turing machine can be
come from? There are several general principles useful viewed as a kind of functional composition with feed-
in constructing deterministic sequences exhibiting back. The first two principles directly lead to can-
quasi-random behavior: expansiveness, nonlinearity didates for number-theoretic pseudorandom number
and computational complexity. generators (see below). The computational complexity
Expansiveness is a concept arising from dynamical principle leads to pseudorandom number generators
systems. A flow ft on a metric space is expansive (or having provably good properties with respect to some
hyperbolic) at a point x E M if nearby trajectories level of computational resources, but most of these are
diverge (locally) at an exponential rate from each other, not of use in practice because one must use more than
that is, Ift(x) - ft(y)I >- IIx - yI, where A > 1, providedthe allowed bound on computation to find them in the
Ix - yI < c, and for 0 c t < to. Such flows exhibit sensi- first place. Finally, we note that there are very close
tive dependence on initial conditions and are numeri- relations between expansiveness properties of map-
cally unstable to compute. A discrete version of this pings and the Kolmogorov-complexity of descriptions
phenomenon for maps on the interval I = [0, 1] is a of their trajectories (Brudno, 1982).
map T:I I such that IT'(x)I > 1 for almost all x E A variety of functions have been proposed for use in
[0, 1]; for example, T(x) = Ox (mod 1), where 0 > 1. In pseudorandom bit generators. We give several exam-
particular, it requires knowledge of at least the first ples below. Most of these functions are number-theo-
O(n) bits of T W>(x) to determine if x E [0, 1/2) or x E retic, and nearly all of them have an underlying group
[1/2, 1) as n -E xo. structure.
Nonlinearity provides a second source of determin-
EXAMPLE 1 (Multiplicative congruential generator).
istic randomness. Functional compositions of linear
The generator is defined by
maps are themselves linear, but nonlinear polynomial
maps, when composed, can yield exponentially growing Xn+1--aXn + b (mod M),
nonlinearity; for example, if f(x) = x2 and f(')(x) =
where 0C Xn M - 1. Here (a, b, M) are the parame-
f ( ri-1(x)), then f(n)(X) = X2n. Even the simple nonlinear
ters describing the generator, and xo is the seed. This
map f(x) = ax(l - x) for a e [0, 41, which maps [0, 11was one of the first proposed pseudorandom number
into [0, 1], exhibits extremely complicated dynamics
generators. Generators of this form are widely used in
under iteration (Collet and Eckmann, 1980).
practice in Monte Carlo methods, taking xJIM to sim-
Computational complexity is a third source of de-
ulte uniform draws on [0, 1] (Knuth, 1981; Marsaglia,
terministic randomness. Kolmogorov (1965), Chaitin
1968; Rubinstein, 1982). More generally, one can con-
(1966) and Martin-Lof (1966) defined a finite string
sider polynomial recurrences (mod M).
A = a, ... ak of bits to be Kolmogorov-random if the
length of the shortest input to a fixed universal Turing EXAMPLE 2 (Power generator). The generator is de-
machine 3 that halts and outputs A is of length greater fined by
than or equal to k - co for a constant cO. This notion of
Xn+1 - (xn) (mod N).
randomness is that of computational incompressibility.
Unfortunately, it is an undecidable problem to tell Here (d, N) are parameters describing the generator,
whether a given string A is Kolmogorov-random. How- and xo is the seed.
ever, one obtains weaker notions of computational An important special case of the power generator
incompressibility by restricting the amount of compu- occurs when N = PlP2 is a product of two distinct odd
tation allowed in attempting to compress the string primes. The first case occurs when (d, p,(N)) = 1, where
A. For example, given a nondecreasing time-counting
(N) = #(ZINZ)* = (pi - l)(p2 - 1)
function T such as T(x) = 5x3, a string A is
T-incompressible if the shortest input to 5 that halts is Euler's totient function that counts the number of
This content downloaded from 58.27.226.232 on Wed, 11 Mar 2020 12:49:01 UTC
All use subject to https://about.jstor.org/terms
PSEUDORANDOM NUMBERS 33
where f is a fixed bivariate function, usually taken to The simplest case occurs with k = 1, where * is the
be nonlinear. The function f(,.) determines the genera- XOR operation
tor, and (xo, yo) and the family {zn constitute the seed.
Znx= xn + Yn (mod 2),
One often takesZn z= K for all integers n, for a fixed
K. This mapping has the feature that it is one-to-one, where Zn, xn, and Yn are viewed as k-dimensional vectors
with inverse over GF(2). More generally, whenever the operation
table of * on {O, 1}k X {O, l}k forms a Latin square (but
(Xn, Yn) (Yn+- f(Xn+i , Zn), Xn+). is not necessarily either commutative or associative),
This content downloaded from 58.27.226.232 on Wed, 11 Mar 2020 12:49:01 UTC
All use subject to https://about.jstor.org/terms
34 J. C. LAGARIAS
However, this may be possible when computing power 4. mth autocorrelation: am(y) = 1 _ lf-n-YiYi+m.
is limited. Indeed, what may happen is that G(P) may
approximate a target distribution Q having a much It is now a purely mathematical problem to decide
higher entropy so well that, within the limits of com- what e-tolerance level can be achieved for each of these
puting power available, one cannot tell the distribu- statistics, viewing G(Uk) as approximating U([O, i]l).
tions G(P) and Q apart. If H(Q) is much larger than Various results for such statistics for linear congru-
H(P), then we can say that G is computationally ential generators can be found in Niederreiter (1978).
rand omness-increasing. The statististical tests applied to pseudorandom num-
This content downloaded from 58.27.226.232 on Wed, 11 Mar 2020 12:49:01 UTC
All use subject to https://about.jstor.org/terms
PSEUDORANDOM NUMBERS 35
ber generators for use in Monte Carlo simulations are pseudorandom bit generator (U-PRG) in which PSIZE
generally simple; for- cryptographic applications, in Condition 2 is replaced by PTIME, where a family
psuedorandom number generators must pass a far T = {Ckl of circuits is in PTIME if there is a polyno-
more stringent battery of statistical tests. mial-time algorithm for computing Ck, given lk as in-
Now we are ready to give a precise definition of a put. This condition may be rephrased as, "' passes all
secure pseudorandom bit generator. To achieve insensi- polynomial time statistical tests." Since PTIME c
tivity to the computational model, this definition, due PSIZE, an N-PRG is always a U-PRG.
to Yao (1982), is an asymptotic one. Instead of a single These definitions of N-PRG and U-PRG form the
generator G of fixed size, we consider an ensemble basis of a nice theory, whose purpose is to reduce
S = {Gk: k 2 1} of generators with the existence question for apparently very complicated
objects (N-PRGs) to the existence question for simpler,
Gk {O, 1 }k* {O, 1 }f(k)
more plausible objects. As an example, we have:
that have the property of being polynomial length-
THEOREM 1. If there exists an N-PRG with f(x) =
increasing; that is
k + 1, then there exists an N-PRG with f(k) = ktm + m
k + 1 c f(k) c ktm + m for each m 2 2. (Similarly for U-PRGs.)
for some fixed integer m > 1. We say that S is a That is, if there is an PRG that can inflate k random
nonuniform secure pseudorandom bit generator (N- bits to k + 1 pseudorandom bits, this is already suffi-
PRG) if: cient to construct a PRG that inflates k random bits
to any polynomial number of pseudorandom bits. A
1. there is a (deterministic) polynomial-time algo-
proof appears in Boppana and Hirschfeld (1989).
rithm that computes all Gk(x), given (k, x) as input
One disadvantage of these definitions (N-PRG, etc.)
with x E {O, 1}k, and
at present is that no such generators have been proved
2. for any PSIZE family Tf of Boolean circuit statis-
to exist. In fact, proving that they exist is at least as
tical tests, Gk(Uk) is polynomially indistinguish-
hard a problem as settling the famous P * NP ques-
able by Tf from Uf(k); that is, for all m > 1, the
tion of theoretical computer science. On the positive
distribution Gk(Uk) is k-m-indistinguishable by Tf
side, however, Theorem 4 below suggests that the RSA
from Uf(k) for all sufficiently large k.
generator may well be a U-PRG.
Condition 1 says that S is easy to compute. Condition Yao (1982) provided the basic insight that the nature
2 requires more explanation. A Boolean circuit Ce is of secure pseudorandomness (N-PRG) is the computa-
made of and, or and not gates having e inputs and tional unpredictability of successive bits produced by
computes a Boolean function Ce: {O, 1}t -- {O, 1}. A fami- a pseudorandom bit generator. The notion of computa-
ly ii = {Ck : k > 1} of Boolean circuits is of polynomial tional unpredictability is captured by the concept of a
size (abbreviated Tf E PSIZE) if there is some fixed m nonuniform next-bit test, as follows. Let S = {Gk} be a
such that the number of gates in Ck is ktm + m, for collection of mappings Gk : {O, l}k -- {o, l}f(k), where f(k)
all m. The Boolean function Ce(x) computed by Ce with is polynomial in k. A predicting collection is a doubly
e = f(k) provides a statistical test for comparing Gk(Uk) indexed family of Boolean circuits (e = {Ci,k: 1 C i <
and Ut. Then Condition 2 asserts that f(k) - 1, k > 1} computing functions 64ik {O, l}i -
{O, 1}, where the circuit Cik is viewed as predicting the
E[Ck(x): x E Gk(Uk)]- E[Ck(x) : x E Uf(k)] <k-m (i + 1)st bit of a sequence in {O, l}f(k) given the first i
bits. The predicting collection is polynomial size if
for all k > co(g, m). there is some m > 2 such that each CQk has at most
ktm + m gates. Let pEk denote the probability that the
The PSIZE measure of computational complexity is output of 64k applied to a bit sequence (xi, . . . , xi)
nonuniform in that no relation between the circuits Ck drawn from Gk(Uk) iS xi+l. We say that S passes the
for different k is required. In particular, the family Tf nonuniform next-bit test if for each polynomial-size
might be noncomputable (nonrecursive). Condition 2 predicting collection (e and each m > 2, for all suffi-
may be colloquially rephrased as, "' passes all polyno- ciently large k,
mial size statistical tests."
This definition implies that N-PRGs must have a one-
2 km+m
c 1 ~~1
way property: Given the output y = Gk(x) E {O, l}f(k),
one cannot recover the string x E {O, l}k using a PSIZE
holds for 1 c i c f(k) - 1. This test says that xi+1
family of circuits for a fraction of the inputs exceeding
cannot be accurately guessed using PSIZE circuit fami-
1I(km + m) for any fixed m. Otherwise, it would fail the
lies with xi, . .. , xi as input.
statistical test, "Is there a seed x such that Gk(x) = y?"
We also consider the weaker notion of uniform secure THEOREM 2 (Yao, 1982). The following are equivalent:
This content downloaded from 58.27.226.232 on Wed, 11 Mar 2020 12:49:01 UTC
All use subject to https://about.jstor.org/terms
36 J. C. LAGARIAS
1. A collection S = {Gk} passes the nonuniform 2. There exists a nonuniform one-way collection {ff}
next-bit test. of functions.
2. A collection S = {Gkj passes all polynomial-size
The implication (1) > (2) is easy, because an
statistical tests.
N-PRG 9 = {Gk} is a one-way collection. To pro
In this theorem, there is no restriction on the sizes (1), it suffices by Theorem 1 to enlarge a set of erandom
of circuits needed to compute the functions Gk; for bits to obtain e + 1 pseudorandom bits, for an infinite
example, they could be of exponential size in k. The set of f. We may reduce to the case that the function
direction (2) > (1) is fairly easy to prove because the fk is length-preserving by padding its input bits if
next-bit test is essentially a family of PSIZE statistical necessary. The first key idea, due to Goldreich and
tests. The direction (1) > (2) is harder. A proof of this Levin (1989), is that the Boolean inner product
result is given in Boppana and Hirschfeld (1989). k
This content downloaded from 58.27.226.232 on Wed, 11 Mar 2020 12:49:01 UTC
All use subject to https://about.jstor.org/terms
PSEUDORANDOM NUMBERS 37
cryptosystems is apparent: the key supplies absolutely E(y) ye:= x (mod N).
random bits from which pseudorandom bits (the en-
Suppose one is given a 0 - 1-valued oracle function
crypted message) are created. This analogy can be
O(x) for which
made precise. For a statement of the result, see Laga-
rias (1990, Section 6); some related results appear in O(x) - y (mod 2)
Impagliazzo and Luby (1989).
Rompel (1990) showed how to construct a secure holds for d + 1I(km + m)) N of all inputs x E [O, N - 11,
authentication scheme based on a one-way function. where k = log2 N. Then there is a probabilistic polyno-
Finally, we note that probabilistic algorithms play mial time algorithm that makes 0(kcom) oracle calls,
a fundamental role in the theoretical foundations of uses 0(kc0m) "random" bits, halts in 0(kc0m) steps and
modern cryptography, as indicated in Goldwasser and for any x finds y with probability > 1 - 1/N, where
Micali (1984). the probability is taken over all sequences of "random"
bits.
4. PERFORMANCE OF CERTAIN PSEUDORANDOM This algorithm involves several clever ideas. The
BIT GENERATORS first of these is due to Ben-Or, Chor and Shamir (1983),
We now turn to results on the performance of various using the fact that the encryption function E(*) re-
generators; see Knuth (1981) for general background. spects the group law on (ZINZ)*; that is,
Linear congruential pseudorandom number genera-
E(ay) = E(a)E(y).
tors have been extensively studied, and many of their
statistical properties carefully analyzed. With proper They suppose that one is given an oracle 0 that
choice of parameters, they can produce sequences {Xk} perfectly recognizes membership in an interval I =
such that {xk(mod M): 1 c k c n } is close to uniformly [-5N12, JNI2] for fixed positive a c 1/2; that is,
distributed on [1, Ml. Marsaglia (1968) was the first to
notice that these generators have certain undesirable o,x)=f', ify EI,
correlation properties among several consecutive iter-
, ifyCI.
ates (xn, Xn+l, ... ., xn+k). Extensive analysis is given in
Niederreiter (1978). These generators are apparently Define [xJN to be the least nonnegative residue (mod
unsuitable for cryptographic use (Frieze et al., 1988). N), and define absN(x) to be the distance of the least
The group-theoretic structure of certain other gen- (positive or negative) residue from 0 so that
erators can be used to prove "almost-everywhere
hardness" results for such generators, including the
following one. abs,v(x) = fxI O x<NI2,
U- [x1Nv N12 < x < N.
RSA BIT GENERATOR. Given k 2 2 and m 2 1, select
odd primes pi and P2 uniformly from the range 2k <Let parN(x) be the parity of absN(x). The clever idea is
pi < 2k+1, and form N = PlP2. Select e uniformly from
to generate "random" a, b and attempt to compute the
[1, N1 subject to (e, (N)p) = 1. Set gcd of [ayJv and [bylv using a modified binary gcd
algorithm due to Brent and Kung (1983) and Purdy
Xn+1 -(Xn)e (mod N),
(1983). This algorithm computes the greatest common
and let the bit Zn+i be given by divisor (r, s) by noting that it is equal to 2 (rl2, s12) if
r, s are both even, to (rl2, s) or (r, s12) if one is even and
Zn+1 Xn+1 (mod 2).
to '/2(r + s), '/2(r - s) otherwise. It is easy to check that
Then {Zn: 1 _ n ktm + m} are the pseudorandom bits max(QrI, Is I) is nonincreasing at each iteration and that
generated from the seed xO of length 2k bits. it decreases by at least a factor of 3/4 every two
iterations, so this algorithm halts in at most 2 log4/3 N
We consider the problem of predicting the next bit
iterations. The Ben-Or, Chor and Shamir algorithm
Zn+1 of the RSA generator, given {z1, . . ., Zn}. Alexi et draws pairs (a, b) of "random" numbers uniformly on
al. (1988) showed that getting any information at all
[0, N]. Such a pair will be called "good" (for the unknown
about Zn+l is as hard as the (apparently difficult) prob-
y) if [ayJN and [by] Nboth fall in I. For a good pair the
lem of factoring N. Their argument shows how an
oracle 0 can be used to determine correctly the parity
oracle that guesses the next bit with a probability
of [ay]N and [bylN, even though y is unknown. We use
slightly greater than 1/2 can be used in an explicit
the fact that if w E I is even, then w12 E I, whereas if
fashion to construct an inversion algorithm.
it is odd, then w12 E [N12 - I1/2,N12 + 111/21. Hence
THEOREM 4. Let (e, N) be a fixed pair, where for a good pair, one has (a/2)y E I if [ayJN is even and
(e, (N)) = 1 and N = PlP2 is odd, with the associated (a/2)y ? I if [ay]N is odd. This holds similarly for [bylv.
power generator Thus using the group law
This content downloaded from 58.27.226.232 on Wed, 11 Mar 2020 12:49:01 UTC
All use subject to https://about.jstor.org/terms
38 J. C. LAGARIAS
REFERENCES
parN([ayIN) = 1 - O(E[(y)y])
ALEXI, W., CHOR, B., GOLDREICH, 0. and SCHNORR, C. P. (1988).
RSA and Rabin functions: Certain parts are as hard as the
whole. SIAMJ. Comput. 17 194-209.
= 1 -0 i(E ]x)
BEN-OR, M., CHOR, B. and SHAMIR, A. (1983). On the crypto-
graphic security of single RSA bits. In Proceedings of the
is calculable. Consequently, one can compute one step 15th Annual Symposium on Theory of Computing 421-430
ACM Press, New York.
of the modified binary gcd algorithm to ([ayJN, [byIN)
BLUM, L., BLUM, M. and SHUB, M. (1986). A simple unpredictable
and obtain new values ([a'yJN, [b'y]N), with (a', b') pseudorandom number operator. SIAMJ. Comput. 15 364-
known. Now (a', b') is still a good pair, so we can 383.
continue to follow the modified binary gcd algorithm BLUM, M. and MICALI, S. (1984). How to generate cryptographi-
perfectly and eventually determine [1yJN = gcd ([ay]N, cally strong versions of pseudorandom bits. SIAM J. Com-
put. 13 850-864.
[byIN), where 1 is known. We say that the algorithm
BOPPANA, R. and HIRSCHFELD, R. (1989). Pseudorandom genera-
succeeds if [1yIN = 1, because in that case y i'- 1 (mod tors and complexity classes. In Randomness and Computa-
N) is found. We verify success in this case by checking tion (S. Micali, ed.) 1-26. JAI Press, Greenwich, CT.
that E[1-1' = x. In all other cases, when (a, b) is not BRENT, R. P. and KUNG, H. T. (1983). Systolic VLSI arrays for
good or when it is good and the gcd is not 1, we carry linear time gcd computations. In VLSI 83, IFIP (F. Anceau
and D. J. Aas, eds.) 145-154. North-Holland, Amsterdam.
out the above procedure for 2 1og4,3 N iterations and
BRUDNO, A. A. (1982). Entropy and the complexity of the trajecto-
check the final iterate 1 to see whether E[1-11 = x. ries of a dynamical system. Trans. Moscow Math. Soc. 44
This procedure is a probabilistic polynomial-time al- 127-151.
gorithm. The pair (a, b) is good with probability at least CHAITIN, G. J. (1966). On the length of programs for computing
52. Also, because the distributions of [ayIN, E[bYN are finite binary sequences. J. Assoc. Comput. Mach. 13 547-
569.
uniform on [- 5N12, 5N121, and because the probability
COLLET, P. and ECKMANN, J.-P. (1980). Iterated Maps on the
that gcd(r, s) = 1 for such draws approaches ir2/6 as
Interval as Dynamical Systems. Birkhauser, Boston.
III0 oo, it exceeds a positive constant a for all values DEVROYE, L. (1986). Nonuniform Random Variate Generation.
of {III}. Thus the success probability for any draw (a, b) Springer, New York.
is 2 62a, and the expected time until the algorithm DIFFIE, W. and HELLMAN, M. (1976). New directions in cryptogra-
phy. IEEE Trans. Inform. Theory 22 644-654.
succeeds is polynomial in log N.
FEIGENBAUM, J. (1993). Probabilistic algorithms for defeating
One immediately sees that this algorithm still works adversaries. Statist. Sci. 8 26-30.
if the oracle 0I is not perfect but is accurate with FRIEZE, A., HASTAD, J., KANNAN, R., LAGARIAS, J. C. and
probability of error less than (4 log413N)-l. SHAMIR, A. (1988). Reconstructing truncated integer vari-
Subsequent work of several authors showed how an ables satisfying linear congruences. SIAM J. Comput. 17
262-280.
oracle having a 1/2 + 1/(log N)k advantage in guessing
GAREY, M. and JOHNSON, D. (1979). Computers and Intractability:
parity of the smallest RSA bit can be used to simulate
A Guide to the Theory of NP-Completeness. W. H. Freeman,
a much more accurate oracle and then to simulate an San Francisco.
oracle such as OI above with sufficient accuracy to GOLDREICH, O., KRAWCZYK, H. and LUBY, M. (1988). On the
obtain Theorem 4 (Alexi et al., 1988). existence of pseudorandom generators. In Proceedings of
the 29th Annual Symposium on Foundations of Computer
Theorem 4 shows that if the factoring problem is
Science 12-24. IEEE Computer Society Press, Los Alamitos,
difficult, then recovering any information at all about CA.
Zn+1 given {z1, ... ., Zn is hard. In particular, the bits GOLDREICH, 0. and LEVIN, L. (1989). A hard-core predicate for
{Zk} would then be computationally indistinguishable all one-way functions. In Proceedings of the 21st Annual
from i.i.d. coin ffips. Symposium on Theory of Computing 25-32. ACM Press,
New York.
One can extract several pseudorandom bits from
GOLDWASSER, S. and MICALI, S. (1984). Probabilistic encryption.
each of the iterates xn of the RSA generator. The J. Comput. System Sci. 28 270-299.
strongest result to date on this problem can be found HXSTAD, J. (1990). Pseudo-random generators under uniform
in Schrift and Shamir (1990). assumptions. In Proceedings of the 22nd Annual Symposium
The use of the group structure on (ZINZ)* to "ran- on Theory of Computing 395-404. ACM Press, New York.
IMPAGLIAZZO, R., LEVIN, L. and LUBY, M. (1989). Pseudorandom
domize" is an example of the concept of an instance-
number generation from one-way functions. In Proceedings
hiding scheme discussed by Feigenbaum in this issue. of the 21st Annual Symposium on Theory of Computing 12-
24. ACM Press, New York.
IMPAGLIAZZO, R. and LUBY, M. (1989). One-way functions are
essential for complexity-based cryptography. In Proceedings
ACKNOWLEDGMENT of the 30th Annual Symposium on Foundations of Computer
Science 230-235. IEEE Computer Society Press, Los Ala-
This article is an abridged and revised version of mitos, CA.
Lagarias (1990), published by the American Mathemat- KARP, R. and LIPTON, R. (1982). Turing machines that take
ical Society. advice. Enseign. Math. 28 191-209.
This content downloaded from 58.27.226.232 on Wed, 11 Mar 2020 12:49:01 UTC
All use subject to https://about.jstor.org/terms
PSEUDORANDOM NUMBERS 39
KNUTH, D. (1981). The Art of Computer Programming 2 Seminu- PURDY, G. B. (1983). A carry-free algorithm for finding the great-
merical Algorithms 2nd. ed. Addison-Wesley, Reading, MA. est common divisor of two integers. Comput. Math. Appl. 9
KNUTH, D. and YAO, A. C. (1976). The complexity of nonuniform 311-316.
random number generation. In Algorithms and Complexity REEDS, J. (1979). Cracking a multiplicative congruential en-
(J. F. Traub, ed.) 357-428. Academic, New York. cryption algorithm. In Information Linkage between Applied
KOLMOGOROV, A. N. (1965). Three approaches to the concept of Mathematics and Industry (P. C. Wong, ed.) 467-472. Aca-
"the amount of information." Problems Inform. Transmission demic, New York.
1 3-13. RIVEST, R., SHAMIR, A. and ADLEMAN, L. (1978). On digital
LAGARIAS, J. C. (1990). Pseudorandom number generators in signatures and public key cryptosystems. Comm. ACM 21
number theory and cryptography. In Cryptology and Compu- 120-126.
tational Number Theory (C. Pomerance, ed.) 115-143. Amer. ROMPEL, J. (1990). One-way functions are necessary and sufficient
Math. Soc., Providence, RI. for secure signatures. In Proceedings of the 22nd Annual
MARSAGLIA, G. (1968). Random numbers fall mainly in the planes. Symposium on Theory of Computing 387-394. ACM Press,
Proc. Nat. Acad. Sci. USA. 61 25-28. New York.
MARSAGLIA, G. (1985). A current view of random number genera- RUBINSTEIN, R. Y. (1982). Simulation and the Monte Carlo
tors. In Computer Science and Statistics: Sixteenth Sympo- Method. Wiley, New York.
sium on the Interface (L. Billard, ed.) 3-11. North-Holland, SAVAGE, J. (1976). The Complexity of Computing. Wiley, New
Amsterdam. York.
MARSAGLIA, G. and ZAMAN, A. (1991). A new class of random SCHRIFT, A. and SHAMIR, A. (1990). The discrete log is very
number generators. Ann. Appl. Probab. 1 462-480. discreet. In Proceedings of the 22nd Annual Symposium on
MARTIN-LOF, P. (1966). The definition of random sequences. In- Theory of Computing 405-415. ACM Press, New York.
form. and Control 9 619-682. SCHUSTER, H. G. (1988). Deterministic Chaos. VCH Verlags-
MEYER, A.R. and MCCREIGHT, E. M. (1971). Computationally gesellschaft GmbH, Weinheim, Germany.
complex and pseudorandom zero-one valued functions. In WOLFRAM, S. (1986). Random sequence generation by cellular
Theory of Machines and Computations (Z. Kohlavi and A. automata. Adv. in Appl. Math. 7 123-169.
Paz, eds.) 19-42. Academic, New York. YAO, A. (1982). Theory and applications of trapdoor functions
NIEDERREITER, H. (1978). Quasi-Monte Carlo methods and pseu- (extended abstract). In Proceedings of the 23rd Annual Sym-
dorandom numbers. Bull. Amer. Math. Soc. 84 957-1041. posium on Foundations of Computer Science 80-91. IEEE
ODLYZKO, A. M. (1985). Discrete logarithms in finite fields and Computer Society Press, Los Alamitos, CA.
their cryptographic significance. In Advances in Cryptology: YAO, A. (1988). Computational information theory. In Complexity
Eurocrypt '84. Lecture Notes in Comput. Sci. 209 224-316. in Information Theory (Y. Abu-Mostafa, ed.) 1-15. Springer,
Springer, New York. New York.
This content downloaded from 58.27.226.232 on Wed, 11 Mar 2020 12:49:01 UTC
All use subject to https://about.jstor.org/terms