Blum–Micali algorithm

The Blum–Micali algorithm is a cryptographically secure pseudorandom number generator. The algorithm gets its security from the difficulty of computing discrete logarithms.^[1]

Let ${\displaystyle p}${\displaystyle p} be an odd prime, and let ${\displaystyle g}${\displaystyle g} be a primitive root modulo ${\displaystyle p}${\displaystyle p}. Let ${\displaystyle x_{0}}${\displaystyle x_{0}} be a seed, and let

${\displaystyle x_{i+1}=g^{x_{i}}\ {\bmod {\ p}}}${\displaystyle x_{i+1}=g^{x_{i}}\ {\bmod {\ p}}}.

The ${\displaystyle i}${\displaystyle i}th output of the algorithm is 1 if ${\displaystyle x_{i}\leq {\frac {p-1}{2}}}${\displaystyle x_{i}\leq {\frac {p-1}{2}}}. Otherwise the output is 0. This is equivalent to using one bit of ${\displaystyle x_{i}}${\displaystyle x_{i}} as your random number. It has been shown that ${\displaystyle n-c-1}${\displaystyle n-c-1} bits of ${\displaystyle x_{i}}${\displaystyle x_{i}} can be used if solving the discrete log problem is infeasible even for exponents with as few as ${\displaystyle c}${\displaystyle c} bits.^[2]

In order for this generator to be secure, the prime number ${\displaystyle p}${\displaystyle p} needs to be large enough so that computing discrete logarithms modulo ${\displaystyle p}${\displaystyle p} is infeasible.^[1] To be more precise, any method that predicts the numbers generated will lead to an algorithm that solves the discrete logarithm problem for that prime.^[3]

There is a paper discussing possible examples of the quantum permanent compromise attack to the Blum–Micali construction. This attacks illustrate how a previous attack to the Blum–Micali generator can be extended to the whole Blum–Micali construction, including the Blum Blum Shub and Kaliski generators.^[4]

• https://web.archive.org/web/20080216164459/http://crypto.stanford.edu/pbc/notes/crypto/blummicali.xhtml

• Cryptographically secure pseudorandom number generators
• Cryptography stubs

• All stub articles