
    Reconstructing noisy polynomial evaluation in residue rings

    Let q > 1 be an integer and let a and b be elements of the residue ring ℤq of integers modulo q. We show how, when given a polynomial f ∈ ℤq[X] and approximations to v₀, v₁ ∈ ℤq such that v₁ ≡ f(v₀) (mod q), one can recover v₀ and v₁ efficiently. This result has direct applications to predicting the polynomial congruential generator: a sequence (vₙ) of pseudorandom numbers defined by the relation vₙ₊₁ ≡ f(vₙ) (mod q) for some polynomial f ∈ ℤq[X]. The applications lead to analogues of results known for the linear congruential generator xₙ₊₁ ≡ a·xₙ + b (mod q), although the results are much more restrictive due to the nonlinearity of the problem.
    13 pages