Abstract
The Permuted Congruential Generators (PCG) are popular conventional (non-cryptographic) pseudo-random generators designed in 2014. They are used by default in the NumPy scientific computing package. Even though they are not of cryptographic strength, their designer stated that predicting their output should nevertheless be "challenging". In this article, we present a practical algorithm that recovers all the hidden parameters and reconstructs the successive internal states of the generator. This enables us to predict the next "random" numbers and to output the seeds of the generator. We have successfully executed the reconstruction algorithm using 512 bytes of challenge input; in the worst case, the process takes 20 000 CPU hours. This reconstruction algorithm makes use of cryptanalytic techniques, both symmetric and lattice-based. In particular, the most computationally expensive part is a guess-and-determine procedure that solves about 2^52 instances of the Closest Vector Problem on a very small lattice.
Highlights
Pseudo-random generators (PRG) are well-studied primitives in symmetric cryptography
While the Permuted Congruential Generators (PCG) pseudo-random generator is not meant as a cryptographic primitive, obtaining an actual prediction algorithm requires the use of cryptanalytic techniques
PCG64 has a 128-bit internal state, which operates as a linear congruential generator modulo 2^128
Summary
Pseudo-random generators (PRG) are well-studied primitives in symmetric cryptography. We describe an algorithm that reconstructs the full internal state of the strongest member of the PCG family. This allows us to predict the pseudo-random stream deterministically and to clock the generator backwards. While the PCG pseudo-random generator is not meant as a cryptographic primitive, obtaining an actual prediction algorithm requires the use of cryptanalytic techniques. Making it practical requires in addition a non-trivial implementation effort. This is the default situation in NumPy, where both the state and the increment are initialised using an external source of entropy. In this case, our prediction algorithm requires 4096 bits of pseudo-random stream; it guesses between 51 and 55 bits, and for each guess it solves an instance of CVP in dimension 4 (using about 75 arithmetic operations). Joux and Stern extended this result to the case where the multiplier a and the modulus 2^k are unknown, using lattice techniques [JS98].
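As an added example (not the paper's code, nor NumPy's), a Python model of the PCG64 XSL-RR 128/64 variant that NumPy uses, showing why recovering a single internal state is decisive: the 128-bit state is a plain LCG modulo 2^128 whose transition is invertible, so the stream can be predicted forwards and the generator clocked backwards. The multiplier constant is assumed to be the PCG library's default (it is not stated on this page), and the seed and increment values are constructed.

```python
# Added example (not from the paper or NumPy): a model of PCG64 (XSL-RR 128/64)
# to show that its 128-bit state is a plain LCG modulo 2^128 that can be
# clocked both forwards and backwards once the state and increment are known.

MASK128 = (1 << 128) - 1
MASK64 = (1 << 64) - 1
# Assumption: the PCG library's default 128-bit multiplier (not given on this page).
PCG_MULT = 0x2360ED051FC65DA44385DF649FCCF645
# Modular inverse of the multiplier modulo 2^128; it exists because the multiplier is odd.
PCG_MULT_INV = pow(PCG_MULT, -1, 1 << 128)


def step(state: int, inc: int) -> int:
    """One LCG transition: state <- state * a + c (mod 2^128); inc must be odd."""
    return (state * PCG_MULT + inc) & MASK128


def step_back(state: int, inc: int) -> int:
    """Invert the transition: state <- (state - c) * a^-1 (mod 2^128)."""
    return ((state - inc) * PCG_MULT_INV) & MASK128


def xsl_rr(state: int) -> int:
    """XSL-RR output permutation: XOR the two 64-bit halves, then rotate right
    by the top 6 bits of the state. Only 64 of the 128 state bits leak per output."""
    xorshifted = ((state >> 64) ^ state) & MASK64
    rot = state >> 122
    return ((xorshifted >> rot) | (xorshifted << (64 - rot))) & MASK64


def pcg64_outputs(state: int, inc: int, n: int) -> tuple[list[int], int]:
    """Produce n 64-bit outputs (step first, then permute) and return the final state."""
    outs = []
    for _ in range(n):
        state = step(state, inc)
        outs.append(xsl_rr(state))
    return outs, state


def rewind(final_state: int, inc: int, n: int) -> int:
    """Clock the generator back n steps from a known state and increment."""
    for _ in range(n):
        final_state = step_back(final_state, inc)
    return final_state
```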