
In Blum Blum Shub, the generator is $x_{n+1}={x_n}^2 \mod M$ where $M=p \cdot q$, $p \in \mathbb P$, and $q \in \mathbb P$. Supposedly, knowing $p$ and $q$ is enough to break the system. But if I know M, I can calculate the next number in the sequence, so there is no need to know the two factors. Why isn't that sufficient?

Update: Since I wasn't thinking all those times I read about BBS, just ignore the part about directly calculating the next number. Instead, why would knowing the period provide an attacker with any additional information?

Melab

1 Answer


Knowing $M$ is not enough to break Blum Blum Shub because the internal state of the random number generator, $x_i$, should never be revealed. Therefore, while you are correct that knowing the current state allows you to know the next (and all subsequent) states, a secure implementation of BBS should not reveal the internal state.

For provable security, only one bit should be revealed at each iteration. That said, you shouldn't be using BBS in practical applications at all.

mikeazo
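The distinction the answer draws, as an added example that is not part of the original question or answer: a toy Blum Blum Shub in Python with constructed parameters (p = 11, q = 23, so M = 253, both primes 3 mod 4; far too small for real use and chosen only so the behaviour is visible). It emits one bit (the least significant bit of each new state) per iteration, shows that a leaked internal state $x_i$ plus $M$ predicts every later bit exactly, and shows by brute force that $M$ plus the output bits alone leave several candidate states even at this size. The function names and the seed 3 are this example's own choices.

```python
from math import gcd

# Toy parameters, constructed for this example only: both primes are 3 mod 4
# as BBS requires. Real deployments use primes of hundreds of digits; M this
# small is brute-forceable and exists only to make the behaviour visible.
P, Q = 11, 23
M = P * Q  # 253


def bbs_next(x, M):
    """One BBS step: x_{n+1} = x_n^2 mod M."""
    return pow(x, 2, M)


def bbs_bits(seed, M, n):
    """Run the generator n steps from `seed`.

    Returns (bits, state): the n output bits and the final internal state.
    Only the least significant bit of each new state is emitted, which is
    the one-bit-per-iteration output the answer refers to.
    """
    x = seed
    bits = []
    for _ in range(n):
        x = bbs_next(x, M)
        bits.append(x & 1)
    return bits, x


def predict_from_state(x_i, M, n):
    """What an attacker can do *with* the internal state: knowing x_i and M,
    every later output bit follows deterministically."""
    return bbs_bits(x_i, M, n)[0]


def seeds_consistent_with(M, bits):
    """What an attacker can do with only M and the output bits: enumerate
    every admissible seed (coprime with M) that reproduces the observed bits.
    Feasible only because M is tiny; the point is that the answer is not
    unique, so the bits do not hand over the state."""
    n = len(bits)
    return [x for x in range(1, M)
            if gcd(x, M) == 1 and bbs_bits(x, M, n)[0] == bits]


if __name__ == "__main__":
    seed = 3  # example seed, coprime with M
    out, state = bbs_bits(seed, M, 8)
    print("output bits :", out)    # [1, 1, 0, 0, 1, 0, 1, 0]
    print("final state :", state)  # 234; a sane implementation never exposes this
    # Leaked state => perfect prediction of the continuation.
    continuation = bbs_bits(seed, M, 16)[0][8:]
    print("predicted   :", predict_from_state(state, M, 8) == continuation)  # True
    # M + bits alone => several candidate states, even at this toy size.
    print("candidates  :", seeds_consistent_with(M, out))
```

The candidate list always contains the seed's three other square-root partners (here 118, 135 and 250 alongside 3), since squaring modulo a product of two primes is 4-to-1 on the residues that matter; with a real-sized $M$ the enumeration itself is infeasible, which is the gap between "knowing $M$" and "knowing $x_i$" that the answer describes.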