Inverting the Xorshift128 random number generator
8 months ago
- #Cryptography
- #Vulnerability
- #Node.js
- CVE-2025-7783 is a Node.js vulnerability affecting axios and the deprecated request library, though exploitation is unlikely due to specific conditions.
- Exploiting it requires an attacker to obtain five consecutive Math.random() outputs, from which the z3 solver recovers the generator state and predicts future values.
- The blog explores improving the inversion of Xorshift128+, the algorithm behind Math.random(), requiring only two 64-bit outputs for inversion.
- A 2^26-operation algorithm is presented to invert Xorshift128+ by guessing the least significant 26 bits of R1 and deriving the remaining bits.
- The method can be extended to Math.random() by brute-forcing 24 additional bits, increasing the search space to 2^50 operations.
- Optimizations include delaying state updates and potential table lookups to speed up the inversion process.
- The author reflects on using AI (ChatGPT) for research, noting its potential despite initial setbacks in code accuracy.
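An added example, not code from the post summarised above: a C model of the XorShift128 step V8 uses for Math.random() and a direct state recovery from four 52-bit observations. It pins down the 12 bits each observation hides rather than using the 2^26 guess described above, so it complements the post's method instead of reproducing it; the step function and the 52-bit output mapping are assumed from V8's source, and the seed state is constructed.

```c
#include <stdint.h>
#include <stdio.h>
/* One step of the xorshift128 variant behind Math.random(), as in V8's
 * XorShift128 (assumed; check it against the V8 version you target). */
static void xs128_step(uint64_t *s0, uint64_t *s1) {
    uint64_t a = *s0, b = *s1;
    *s0 = b;
    a ^= a << 23; a ^= a >> 17;
    a ^= b; a ^= b >> 26;
    *s1 = a;
}
/* Math.random() exposes only the top 52 bits of the new s0 (the mantissa of
 * a double in [1,2), minus 1); keep them as a 52-bit integer. */
static uint64_t observed(uint64_t s0) { return s0 >> 12; }

/* Victim side: n consecutive observations from a secret state. */
static void generate(uint64_t s0, uint64_t s1, uint64_t *out, int n) {
    for (int i = 0; i < n; i++) { xs128_step(&s0, &s1); out[i] = observed(s0); }
}

/* Recover the full state from o[0..3], the top 52 bits of consecutive state
 * words w1..w4. A word's low 12 bits only reach the low 12 bits of the next
 * word, so o[2] pins the hidden bits of w1 and o[3] then pins those of w2:
 * 2^12 + 2^12 trials. On success (*s0,*s1) = (w4,w5), the state after o[3]. */
static int recover(const uint64_t o[4], uint64_t *s0, uint64_t *s1) {
    for (uint64_t lo1 = 0; lo1 < 4096; lo1++) {
        uint64_t w1 = (o[0] << 12) | lo1, a = w1, b = o[1] << 12;
        xs128_step(&a, &b);                       /* b = w3, top 52 bits exact */
        if (observed(b) != o[2]) continue;
        for (uint64_t lo2 = 0; lo2 < 4096; lo2++) {
            a = w1; b = (o[1] << 12) | lo2;
            xs128_step(&a, &b); xs128_step(&a, &b);  /* (w2,w3) then (w3,w4) */
            if (observed(b) != o[3]) continue;
            xs128_step(&a, &b);                   /* (w4,w5) */
            *s0 = a; *s1 = b;
            return 1;
        }
    }
    return 0;
}
/* Constructed seed: recover the state from obs[0..3], predict obs[4], return 1 on a match. */
static int self_check(void) {
    uint64_t obs[5], s0, s1;
    generate(0x243F6A8885A308D3ULL, 0x13198A2E03707344ULL, obs, 5);
    if (!recover(obs, &s0, &s1)) return 0;
    xs128_step(&s0, &s1);
    return observed(s0) == obs[4];
}
int main(void) { printf("prediction %s\n", self_check() ? "correct" : "failed"); return 0; }
```

V8 serves Math.random() from a 64-entry cache that is consumed from its last entry backwards (a V8 detail to verify on your target), so consecutive calls return the generator's sequence in reverse order within each refill and must be reordered before being fed to recover().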