Which ChatGPT version was used? 4o? 5? It&#x27;s clear from the log it suffers from serious context problems, keeps forgetting&#x2F;hallucinating functions and forgetting arguments to functions is has already written.

Oh that&#x27;s fascinating, I didn&#x27;t get that impression at all from the article itself.

If you follow the ChatGPT log, that&#x27;s the angle he takes as well.

If you represent the state as a 128-long vector of GF(2) elements, you can model the state transition function as a matrix multiplication.This allows you to describe any output bit (at any offset in the output stream) as a function of the 128 initial state elements.Treating the initial state vector as 128 unknown variables, you can solve for them (via gaussian elimination) with any 128 bits from the output stream, so long as you know their offsets in the output sequence.Although, depending on what those offsets are there&#x27;s a ~50% chance there&#x27;s no unique solution, in which case you may need a few more bits. For the case of two consecutive 64-bit outputs, you get a unique solution.For 128 samples, the gaussian elimination can be done in 2^21 steps, or only 2^14 steps if you can put a whole bit-vector in one register (which you can!)If the offsets are known in advance, you can pre-compute the gaussian elimination work and end up with a constant matrix that, if multiplied by the leaked bits, obtains the initial state vector.

I&#x27;ve tried to use Z3 to find hash collisions in a simple hash, and it was amazingly bad at it. It took forever, whereas just trying random values until some were (multi)colliding was sub-second :-)

&gt; I couldn’t believe that z3 was the best one can doIt probably never is, but if you don&#x27;t care about a nice solution or don&#x27;t care about anything past &quot;is it possible?&quot;, then z3 and smt2 are amazing. You often don&#x27;t even need to understand the whole problem. &quot;take constraints, give solution&quot; works great in those situations.

No, the post takes the attack from 5 observations down to 3.

looking at the CVE report itself, Math.random() not being crypto-level seems to be known? - and vulnerability comes from Node.js using it for some crypto purposeso OP simply did a good exercise for himself recreating exact weakness of it

Had this issue on a ray tracer I worked on. Since sampling was supposed to be random, you could fire it up on multiple machines and just average the result to get a lower noise image.Except the distributed code fired it up all worker instances almost simultaneously and the code used time() to seed the RNG, so many workers ended up using the same seed and hence averaging those results did nothing.

UUIDv4 is banned in some environments because of how common it is to find someone using weak PRNGs to generate them. It happens way more often than it should.

Why would you ever use an insecure RNG to generate a cookie?

Thank you for your advise, I will update my blog with it.Just FYI I only use this on a hidden n&#x27; seek game engine, so it is fine.

A word of caution. A few years ago we had a production impact event where customers were getting identical cookies (and so started seeing each others sessions). When I took a look at the code, what I found was that they were doing something very like your code - using a time() based seed and an PRNG.Whenever we deployed new nginx configs, those servers would roll out and restart, getting _similar_ time() results in the seed. But the individual nginx workers? Their seeds were nearly identical. Not every call to the PRNG was meant for UUIDs, but enough were that disaster was inevitable.The solution is to use a library that leverages libuuid (via ffi or otherwise). A &quot;native lua&quot; implementation is always going to miss the entropy sources available in your server and generate clashes if it&#x27;s seeded with time(). (eg <a href="https:&#x2F;&#x2F;github.com&#x2F;Kong&#x2F;lua-uuid" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;Kong&#x2F;lua-uuid</a>, <a href="https:&#x2F;&#x2F;github.com&#x2F;bungle&#x2F;lua-resty-uuid" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;bungle&#x2F;lua-resty-uuid</a>)

I have recently replaced Lua&#x27;s random for this implemetation<a href="https:&#x2F;&#x2F;nullonerror.org&#x2F;2025&#x2F;08&#x2F;02&#x2F;replacing-lua-s-math-random-module-with-the-xorshift-algorithm&#x2F;" rel="nofollow">https:&#x2F;&#x2F;nullonerror.org&#x2F;2025&#x2F;08&#x2F;02&#x2F;replacing-lua-s-math-rand...</a>

No. Sometimes you want a reproducible PRNG sequence. These efforts to harden generators break the existing specifications with a rug pull.

Go has taken exactly this stance, at least since Go 1.22 from 18 months ago.They settled on 8 rounds of ChaCha with 300 bytes of internal state to amortize the latency. The end result is something only 1.5-2x slower than (their particular flavor of) PCG [1]. It was deemed good enough to become the default.[1]: <a href="https:&#x2F;&#x2F;go.dev&#x2F;blog&#x2F;chacha8rand#performance" rel="nofollow">https:&#x2F;&#x2F;go.dev&#x2F;blog&#x2F;chacha8rand#performance</a>

It is a cryptographic attack, just against an algorithm that isn&#x27;t cryptographically strong. There&#x27;s a lot of value in those.

I agree, why would you slow down things for everybody if it&#x27;s only a problem for cryptographic purposes. Xorshift128+ etc are around 10 to 30 times faster than ChaCha20.The challenge is things that don&#x27;t _obviously_ need cryptographically secure generators. For example, do you need a secure generator for the seed of a hash table, or a sorting algorithm? (For those that do use a seed). Some will argue that yes, this is important. Until a few years ago, the hash tables used static hash algorithms without any randomization, but &quot;hash flooding&quot; changed that. I think that nowadays, still many hash table implementations don&#x27;t use secure generators.Then, there&#x27;s secure and insecure hash functions. Secure hash functions like SHA-256 are (compared to non-secure functions) specially slow for short keys. There are &quot;somewhat&quot; secure hash function algorithms like SipHash that can be used for this purpose.

I think some naming conventions could go a long way. If you want to import `fast_unsafe_random`, you might think twice.

People are likely to use it in security-relevant ways without being aware that the use case constitutes “crypto”.

Perhaps put a warning in the name since the folks who don’t read the docs are the ones you’re trying to protect?For example:
Math.RandomNotCrypto()When someone uses that in production for cryptographic purposes (and, yes someone is going to do that), they have to wear a dunce cap to the office for a month.

Xorshift128+ is not a cryptographic rng though, so at least this isn&#x27;t a cryptographic attack...Should programming languages use cryptographic rngs like a ChaCha20 based one in their standard libraries to stop accidental use of non cryptographic rngs for cryptographic purposes? But that comes at the cost of speed

Inverting the Xorshift128 random number generator