Reconstructing noisy polynomial evaluation in residue rings

Abstract

Let q > 1 be an integer and let a and b be elements of the residue ring Z q of integers modulo q. We show how, when given a polynomial f ∈ Z q [ X ] and approximations to v 0 , v 1 ∈ Z q such that v 1 ≡ f ( v 0 ) mod q one can recover v 0 and v 1 efficiently. This result has direct applications to predicting the polynomial congruential generator: a sequence ( v n ) of pseudorandom numbers defined by the relation v n + 1 ≡ f ( v n ) mod q for some polynomial f ∈ Z q [ X ] . The applications lead to analogues of results known for the linear congruential generator x n + 1 ≡ a x n + b mod q , although the results are much more restrictive due to nonlinearity of the problem.