
I recently read that you can predict the outcomes of a PRNG if you:

  1. Know what algorithm is being used.
  2. Have consecutive data points.

Is it possible to figure out the seed used for a PRNG from only data points?

Blender
  • In theory, yes. In practice, probably not. The number of data points you'll need to narrow your search down to one specific seed will be quite large, depending on the possible range of seed values and possible values of the data points. – Wooble Oct 06 '11 at 14:30

3 Answers

I managed to find a paper by Kelsey et al. which details the different types of attack and also summarises some real-world examples. It seems most attacks rely on similar techniques to those against cryptosystems, and in most cases actually take advantage of the fact that the PRNG is used in a cryptosystem.

Mathew Hall

With "enough" data points that are the absolute first data points generated by the PRNG with no gaps, sure. Most PRNG functions are invertible, so just work backwards and you should get the seed.

For example, the typical `return seed=(seed*A+B)%N` has an inverse of `return seed=((seed-B)/A)%N`.

Blindy
  • But in a real-life scenario, you'll rarely get consecutive data points. Would it be possible with blocks of consecutive data points (ones that aren't too far apart in terms of order of output)? – Blender Oct 06 '11 at 14:34
  • 1
    Maybe, but you'll have to do it differently, ie start with every possible seed and try to see if you can generate every block in the right order. Doable, but time consuming and you need a pretty large sample to avoid false positives. – Blindy Oct 06 '11 at 14:37
0

It's always theoretically possible, if you're "allowed" to brute force all possible values for the seed, and if you have enough data points that there's only one seed that could have produced that output. If the PRNG was seeded with the time, and you know roughly when that happened, then this might be very fast since there aren't many plausible values to try. If the PRNG was seeded with data from a truly random source having 64 bits of entropy, then this approach is computationally infeasible.

Whether there are other techniques depends on the algorithm. For example doing this for Blum Blum Shub is equivalent to integer factorization, which is generally believed to be a hard computational problem. Other, faster PRNGs might be less "secure" in this sense. Any PRNG used for crypto purposes, for example in a stream cipher, pretty much needs there to be no known feasible way of doing it.

Steve Jessop
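An added example, not code from any of the answers above, that puts Blindy's "work backwards" inversion and Steve Jessop's brute-force point into runnable Python against a toy LCG with constructed constants and a constructed seed. One caveat the inline formula glosses over: modulo N you cannot divide by A, so the exact inverse multiplies by the modular inverse of A, which exists only when gcd(A, N) = 1.

```python
from math import gcd

# Constructed toy LCG: state = (state*A + B) % N, each new state is the output.
# The constants are the classic glibc-style ones, chosen here for illustration.
A, B, N = 1103515245, 12345, 2**31

def lcg_step(state):
    """One forward step; the new state is also the emitted output."""
    return (state * A + B) % N

def lcg_outputs(seed, count):
    """Replay `count` outputs from a seed (used to check candidates)."""
    outs = []
    for _ in range(count):
        seed = lcg_step(seed)
        outs.append(seed)
    return outs

def lcg_inverse_step(state):
    """Exact inverse of lcg_step. Division by A is not defined mod N, so we
    multiply by the modular inverse of A (it exists because gcd(A, N) == 1)."""
    assert gcd(A, N) == 1
    a_inv = pow(A, -1, N)  # modular inverse, Python 3.8+
    return ((state - B) * a_inv) % N

def recover_seed(first_outputs):
    """Gap-free case: step backwards from the first supplied output, then replay
    forwards to confirm the supplied outputs are consecutive. The value returned
    is the state just before the first supplied output; it is the seed only if
    that output really was the very first one the generator produced."""
    seed = lcg_inverse_step(first_outputs[0])
    if lcg_outputs(seed, len(first_outputs)) != list(first_outputs):
        raise ValueError("outputs are not a consecutive run of the stream")
    return seed

def brute_force_seed(observed, seed_lo, seed_hi):
    """Gapped case: observed maps 1-based output index -> value. Try every seed
    in [seed_lo, seed_hi) and keep those consistent with all observations.
    Cheap for a narrow space such as a timestamp window, infeasible at 64 bits."""
    last = max(observed)
    return [seed for seed in range(seed_lo, seed_hi)
            if all(observed[i] == v for i, v in enumerate(lcg_outputs(seed, last), 1)
                   if i in observed)]

if __name__ == "__main__":
    secret = 1317900000  # constructed seed resembling a Unix timestamp
    stream = lcg_outputs(secret, 5)
    print("recovered:", recover_seed(stream[:3]) == secret)
    print("brute force:", brute_force_seed({2: stream[1], 5: stream[4]},
                                           secret - 3600, secret + 3600))
```

Because the step function is a bijection on [0, N) when gcd(A, N) = 1, a single observed output already pins down the seed inside the searched window; the extra observation only guards against mis-indexed outputs.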