Let N and α be integers larger than 1. Define an orbit to be the collection of residues in \(Z_N^* \) generated byiteratively applying \(x \to x^\alpha \) mod N to an element \(x \in Z_N^* \) which eventually maps back to itself.An orbit's length is the number of distinct residues in the orbit. When N isa large bicomposite integer, such as is commonly used in many cryptographicapplications, and when certain prime factorizations related to N are known,all orbit lengths and the number of orbits of each possible length can beefficiently computed using the results presented. If the required integerfactorizations are only partially known, the risk that a randomly selectedperiodic element might produce an orbit shorter than some (typically large)divisor of \(\phi (\phi (N))\) can be bounded. The information needed to producesuch a bound is fully available when the prime factors of N are generatedusing the prime generation algorithm defined in Maurer maur. Resultspresented can assist in choosing wisely a modulus N for the Blum, Blum, andShub pseudo-random bit generator. If N is a bicomposite RSA modulus, theanalysis shows how to quantify the risk posed by an iterated encryptionattack.
Blum Blum and Shub pseudo-random generator RSA iterated encryption