Linear Congruential Generators, that class of pseudo random generators with recursive rule
$x_{n+1}\equiv a\cdot x_n +b\ \ (\mod m)$, $a,b,x_n\in Z/mZ$, $m,n\in N$
are considered inapt for use in cryptography, as the constants $a$, $b$ may by deduced from a small set of outputs $x_n$. Now, when you choose $m=p-1$ for some odd prime $p$, the sequence $(x_n)_{n\in N}$ may live as exponents of some generator $g$ of the multiplicative cyclic group $Z/pZ^*$, as $y_n:=g^{x_n}, n\in N$:
$y_{n+1}\equiv g^{x_{n+1}}\equiv g^{a\cdot x_n+b}\equiv (g^{x_n})^a\cdot g^b\equiv y_n^a\cdot g^b\ (\mod p)$
This is an equivalent power series.
Equal distribution comes with maximum period. Conditions for maximum period $m$ of the sequence $(y_n)_{n\in N}$ are given by Knuth's Theorem
- $gcd(m,b)=1$
- For prime decomposition $m=:\prod p_i^{\alpha_i}$ and all prime factors $p_i$: $\ \ \ p_i/(a-1)$
- $m\equiv 0\ (\mod 4) \implies a-1\equiv 0\ (\mod 4)$
As $m=p-1$ is even and there are very few primes with shape $p=2^k+1$, the easiest common composition of $p-1$ from primes would be $p-1=2^k\cdot p'$, $k\geq 1$ with $p'$ another prime.
According to 2nd condition smallest choice of $a$ is by $a-1=2\cdot p'$.
To avoid trivial case $a-1=m$, $k\geq 2$ is necessary. With this we run into 3rd condition, so that $a-1$ has at least two times the factor $2$.
Again, avoidance of the trivial case requires $k\geq 3$.
Now, a prime pair $(p,p')$ fitting the linear equation $p=8p'+1$ allows non-trivial choice $a-1=4p'$ and with this the power series $(y_n)$ may have maximum period $m$.
Question: As we have 3 hidden parameters $g, g^a,g^b$ and finding logarithms in multiplicative groups is considered difficult, can the random sequence $(y_n){n\in N}$ be considered secure for use in cryptography; are there better choices for constant $a$?
EDIT $g$ is actually not important as parameter, as we raise powers to $a$, where in addition $p$ is not known from the output, i.e. the unknown parameters are $(p, a, g^b)$ .