**Blum Blum Shub** (BBS) is a pseudorandom number generator, of the form:

*x*_{n+1}= (*x*)_{n}^{2}mod*M*

The generator is not appropriate for use in simulations, only for cryptography, because it is not very fast. However, it has an unusually strong security proof, which relates the quality of the generator to the difficulty of integer factorization. When the primes are chosen appropriately, and O(log log *M*) bits of each *x _{n}* are output, then in the limit as

The two primes, *p* and *q*, should both be congruent to 3 mod 4 (this guarantees that each quadratic residue has one square root which is also a quadratic residue) and gcd(&phi(*p*-1), φ(*q*-1)) should be small (this makes the cycle length large).

If integer factorization is difficult (as is suspected) then BBS with large *M* will have an output free from any nonrandom patterns that can be discovered with any reasonable amount of calculation. There are very few random number generators or cryptographic systems with such strong results known. However, it's theoretically possible that a fast algorithm for factoring will someday be found, so BBS is not yet guaranteed to be secure.

BBS was originally proposed in:

- L. Blum, M. Blum, and M. Shub.
- A Simple Unpredictable Pseudo-Random Number Generator.
*SIAM Journal on Computing*, volume 15, pages 364-383, May 1986