同余发生器的可预测性问题, 即能否由一段截位序列还原发生器的参数和初态, 进而准确预测后面的序列, 是评估发生器安全性的重要研究课题. 本文研究在模数m = 2k 已知, 系数a, b未知的条件下, 二阶线性同余发生器xi+2 = axi+1 + bxi mod m 的可预测性问题. 我们给出一个基于格基约化算法的方法, 可以在已知一段连续的高位s 比特截位序列的条件下, 还原系数a, b 和初态x0, x1, 实现对序列的预测. 实验结果表明, 当模数m = 232, 发生器生成的序列为整数剩余类环Z/mZ 上的二阶本原序列时, 可以由140 拍连续的高位6 比特截位序列还原系数a,b 和初态x0, x1. 本文从逆向还原的角度探究二阶线性同余发生器的抗预测能力, 旨在为其在密码上的应用提供参考和指导.

The predictability problem of congruential generator, that is, whether the parameters and initial state of the generator can be reconstructed by a truncated sequence, and then accurately predict the subsequent sequence, is an important research topic for evaluating the security of the generator. This work studies the predictability problem of the second-order linear congruential generator xi+2=axi+1+bxi mod m, under the conditions that the modulus m=2k is known and the coefficients a,b are unknown. Based on the lattice reduction algorithm, a method to reconstruct the coefficients a,b and the initial state x0,x1 is presented under the condition that a consecutive truncated sequence of leading s bits is known. When the modulus m=232 and the sequence generated by the generator is a primitive sequence of order 2 over the integer residue ring Z/mZ, the experimental results show that the coefficients a,b and the initial state x0,x1 can be reconstructed by 140 consecutive truncated digits of leading 6 bits. This study explores the anti-predictive ability of second-order linear congruential generators from the perspective of reconstruction, aiming to provide reference and guidance for its application in cryptography.