Efficient, perfect polynomial random number generators

Abstract

Let N be a positive integer and let P ε ℤ [x] be a polynomial that is nonlinear on the set ℤN of integers modulo N. If, by choosing x at random in an initial segment of ℤN, P(x) (mod N) appears to be uniformly distributed in ℤN to any polynomial-time observer, then it is possible to construct very efficient pseudorandom number generators that pass any polynomial-time statistical test. We analyse this generator from two points of view. A complexity theoretic analysis relates the perfectness of the generator to the security of the RSA-scheme. A statistical analysis proves that the least-significant bits of P(x) (mod N) are statistically random. © 1991 International Association for Cryptologic Research.