The Blum–Micali algorithm is a cryptographically secure pseudorandom number generator. The algorithm gets its security from the difficulty of computing discrete logarithms.

Let p {\displaystyle p} be an odd prime, and let g {\displaystyle g} be a primitive root modulo p {\displaystyle p} . Let x 0 {\displaystyle x_{0}} be a seed, and let

x i + 1 = g x i   mod   p {\displaystyle x_{i+1}=g^{x_{i}}\ {\bmod {\ p}}} .

The i {\displaystyle i} th output of the algorithm is 1 if x i ≤ p − 1 2 {\displaystyle x_{i}\leq {\frac {p-1}{2}}} . Otherwise the output is 0. This is equivalent to using one bit of x i {\displaystyle x_{i}} as your random number. It has been shown that n − c − 1 {\displaystyle n-c-1} bits of x i {\displaystyle x_{i}} can be used if solving the discrete log problem is infeasible even for exponents with as few as c {\displaystyle c} bits.

In order for this generator to be secure, the prime number p {\displaystyle p} needs to be large enough so that computing discrete logarithms modulo p {\displaystyle p} is infeasible. To be more precise, any method that predicts the numbers generated will lead to an algorithm that solves the discrete logarithm problem for that prime.

There is a paper discussing possible examples of the quantum permanent compromise attack to the Blum–Micali construction. This attacks illustrate how a previous attack to the Blum–Micali generator can be extended to the whole Blum–Micali construction, including the Blum Blum Shub and Kaliski generators.