Inverting the Xorshift128 random number generator

(littlemaninmyhead.wordpress.com)
108 points by rurban | 4 comments

NooneAtAll3 [No.45126799]
Looking at the CVE report itself, Math.random() not being crypto-level seems to be known? And the vulnerability comes from Node.js using it for some crypto purpose.

So OP simply did a good exercise for himself, recreating the exact weakness of it.

replies(1): >>45126831 #
tptacek [No.45126831]
No, the post takes the attack from 5 observations down to 3.
replies(1): >>45141945 #
NooneAtAll3 [No.45141945]
No, the post takes a shoddy, quickly-made implementation of an attack and improves it into its own better implementation of an attack.

Neither is professional frontline research, because said frontline work was already done long, long ago when Xorshift was popularized, and definitely when it became JavaScript's *default* RNG.

This is recreational cryptography; don't over-present it.

replies(3): >>45143051 #>>45146945 #>>45148015 #
tptacek [No.45143051]
Please tell me more about what does and doesn't qualify as recreational cryptography.
ScottContini [No.45146945]
You can call it recreational cryptography. I am no longer a professional cryptographer: I used to be. Now I have a full time job in the software industry and a family with kids. I don't have a lot of free time to work on cryptography like professional cryptographers do.

The person you replied to is correct. To my knowledge, the best inversion of Math.random() is this one: https://github.com/PwnFunction/v8-randomness-predictor . It takes 5 outputs from Math.random() to determine the seed. My research included a 2^50 algorithm to get it with 3 outputs. If there is a better implementation out there that does it in less than 2^50 work for 3 outputs, could you please provide a link to the implementation?

Also, as I said in the blog, this is a first step. I think I can bring it down by a factor of 2^6 with another trick I am working on, but details are still being tested. As the saying goes, attacks always get better, never worse.

The blog is also to encourage the aspiring or amateur cryptographer to have a look themselves. Nothing in my research is particularly deep, so I hope it shows a wider audience that what cryptographers do doesn't always require complex mathematics. This is a simple attack and I thought it was worth blogging about.

I have another blog about why I left cryptography. Part of it is about being stuck doing research that has no practical implications. To a real cryptographer, attacking XorShift128+ and Math.random() may seem uninteresting. I have a different view. Engineers make mistakes and use the wrong tools for the job all the time. We tell them it is wrong, but it is so much more powerful to prove it. When I looked at CVE-2025-7783, I just shook my head: the web security community is stuck using less than ideal tools (requiring 5 outputs to invert the algorithm) because the cryptographic community does not value producing tools to invert things that are not designed for cryptographic purposes. I think this attitude is doing a disfavour to the web security community.
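To make concrete why a handful of Math.random() outputs is enough to work with, here is an added illustration (not code from the thread or from the linked predictor) of the xorshift128+ step V8 uses and its state-to-double conversion: every observed output is exactly the top 52 bits of the current `state0` word, so each output hands a solver 52 of the 128 state bits for free. The seed values are constructed for the demonstration.

```python
import struct

MASK64 = (1 << 64) - 1


def xorshift128p_step(state0: int, state1: int) -> tuple[int, int]:
    """One xorshift128+ step with the shift constants (23, 17, 26) V8 uses.

    Returns the new (state0, state1); the old state1 becomes the new state0.
    """
    s1, s0 = state0, state1
    s1 = (s1 ^ (s1 << 23)) & MASK64   # 64-bit wraparound on the left shift
    s1 ^= s1 >> 17
    s1 ^= s0
    s1 ^= s0 >> 26
    return s0, s1


def state_to_double(state0: int) -> float:
    """V8's ToDouble: top 52 bits of state0 become the mantissa of a double in
    [1, 2) (exponent bits 0x3FF), then 1.0 is subtracted to land in [0, 1)."""
    bits = (state0 >> 12) | 0x3FF0000000000000
    return struct.unpack("<d", struct.pack("<Q", bits))[0] - 1.0


def double_to_mantissa(x: float) -> int:
    """Invert the conversion: recover the 52 mantissa bits from an observed
    Math.random() value. The +1.0 and the subtraction above are both exact."""
    bits = struct.unpack("<Q", struct.pack("<d", x + 1.0))[0]
    return bits & ((1 << 52) - 1)


def generate(seed0: int, seed1: int, n: int) -> list[float]:
    """Produce n outputs from a constructed seed, one per generator step."""
    outs = []
    s0, s1 = seed0, seed1
    for _ in range(n):
        s0, s1 = xorshift128p_step(s0, s1)
        outs.append(state_to_double(s0))
    return outs


def leaked_state_bits(outputs: list[float]) -> list[int]:
    """What an observer learns: state0 >> 12 for each output, i.e. 52 of 64 bits
    of that state word; only the low 12 bits of each state0 stay hidden."""
    return [double_to_mantissa(x) for x in outputs]
```

In V8 the values are additionally served from a refilled cache of 64 in reverse order, which changes bookkeeping but not the fact that each output exposes 52 state bits.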

ScottContini [No.45148015]
Also: I just realised who the person is that you were replying to, tptacek. Maybe you should Google his name. He's well known in cryptography; glad he is on my side! :-)