On Tue, 26 Mar 2019 19:07:01 GMT George Spelvin <l...@sdf.org> wrote:
> lfsr113 is indeed trivial to predict. It's a 113-bit LFSR defined
> by a degree-113 polynomial. (The implementation as four separate
> polynomials of degree 31, 29, 28 and 25 doesn't change this.) Given
> any 113 bits of its output (not necessarily consecutive), that's
> 113 boolean linear equations in 113 unknowns to find the internal
> state.
>
> I don't have PoC code, but Gaussian elimination is not exactly
> rocket science.

If some code is using existing lfsr in a manner where prediction would be a problem, then it is probably using the PRNG incorrectly and should be using a cryptographic RNG.
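The linear-algebra argument in the quoted message, carried through as an added example (not code from this thread, and not any project's code). It assumes the lfsr113 recurrence as published by L'Ecuyer (four Tausworthe components with the masks 4294967294, 4294967288, 4294967280 and 4294967168); the `SymWord` type, the `GF2System` solver and the "secret" seed are constructed for the example. It goes slightly beyond the message by feeding whole output words to an incremental solver and reporting how many words it consumed before the system had rank 113, which is the concrete reason the reply gives for reaching for a cryptographic RNG wherever unpredictability matters.

```python
# Added example: lfsr113 output is GF(2)-linear in the 128 seed bits, so the
# seed is the solution of a linear system built from observed output bits.
# Generator step: L'Ecuyer's published lfsr113. SymWord, GF2System and the
# sample seed below are this example's own constructions.

MASK32 = 0xFFFFFFFF
STATE_BITS = 113  # 31 + 29 + 28 + 25; the other 15 seed bits never reach the output


def lfsr113_step(state):
    """One lfsr113 step -> (new_state, output word). Works on ints (C unsigned
    semantics reproduced by explicit masking) and on SymWord alike."""
    z1, z2, z3, z4 = state
    b = (((z1 << 6) ^ z1) & MASK32) >> 13
    z1 = (((z1 & 0xFFFFFFFE) << 18) ^ b) & MASK32  # 4294967294U in the C source
    b = (((z2 << 2) ^ z2) & MASK32) >> 27
    z2 = (((z2 & 0xFFFFFFF8) << 2) ^ b) & MASK32   # 4294967288U
    b = (((z3 << 13) ^ z3) & MASK32) >> 21
    z3 = (((z3 & 0xFFFFFFF0) << 7) ^ b) & MASK32   # 4294967280U
    b = (((z4 << 3) ^ z4) & MASK32) >> 12
    z4 = (((z4 & 0xFFFFFF80) << 13) ^ b) & MASK32  # 4294967168U
    return (z1, z2, z3, z4), z1 ^ z2 ^ z3 ^ z4


class SymWord:
    """32-bit word whose bit i is a GF(2) linear form over the unknown seed
    bits, stored as an int bitmask of variable indices (variable v <-> 1 << v)."""

    def __init__(self, bits):
        self.bits = list(bits)

    def __xor__(self, other):
        return SymWord(a ^ b for a, b in zip(self.bits, other.bits))

    def __and__(self, const):  # AND with a constant keeps or clears bit positions
        return SymWord(b if (const >> i) & 1 else 0 for i, b in enumerate(self.bits))

    def __lshift__(self, n):  # C-style: bits shifted past bit 31 are lost
        return SymWord([0] * n + self.bits[:32 - n])

    def __rshift__(self, n):  # logical shift, zero fill from the top
        return SymWord(self.bits[n:] + [0] * n)


def symbolic_seed():
    """Seed whose word w, bit i is unknown variable number 32*w + i."""
    return tuple(SymWord(1 << (32 * w + i) for i in range(32)) for w in range(4))


class GF2System:
    """Incremental Gaussian elimination over GF(2); rows (mask, rhs) are kept in
    reduced row-echelon form, so rank and a solution are available at any time."""

    def __init__(self):
        self.pivots = []  # (pivot_column, mask, rhs)

    def add(self, mask, rhs):
        """Add one equation; returns True if it increased the rank."""
        for col, pm, pr in self.pivots:
            if (mask >> col) & 1:
                mask, rhs = mask ^ pm, rhs ^ pr
        if mask == 0:
            if rhs:
                raise ValueError("inconsistent equations: not lfsr113 output")
            return False
        col = mask.bit_length() - 1
        self.pivots = [(c, m ^ mask, r ^ rhs) if (m >> col) & 1 else (c, m, r)
                       for c, m, r in self.pivots]
        self.pivots.append((col, mask, rhs))
        return True

    @property
    def rank(self):
        return len(self.pivots)

    def solution(self):
        """One solution, with every free (undetermined) variable set to 0."""
        return sum(1 << col for col, _, rhs in self.pivots if rhs)


def recover_seed(outputs):
    """Return (seed, words_used). Equations are added word by word until the
    system reaches rank 113 (it cannot exceed it: only 113 seed bits are ever
    observable). 113 consecutive words always suffice; far fewer do in practice."""
    system, sym = GF2System(), symbolic_seed()
    for n, observed in enumerate(outputs, start=1):
        sym, out = lfsr113_step(sym)
        for j in range(32):
            system.add(out.bits[j], (observed >> j) & 1)
        if system.rank >= STATE_BITS:
            sol = system.solution()
            return tuple((sol >> (32 * w)) & MASK32 for w in range(4)), n
    raise ValueError("not enough output to determine the state")


def generate(seed, count):
    """Concrete lfsr113 output: the next `count` words from `seed`."""
    state, words = seed, []
    for _ in range(count):
        state, out = lfsr113_step(state)
        words.append(out)
    return words


def predict_next(observed, count):
    """Recover the state behind `observed` and predict the following `count` words."""
    seed, used = recover_seed(observed)
    return generate(seed, len(observed) + count)[len(observed):], used


if __name__ == "__main__":
    secret = (0x12345678, 0x9ABCDEF0, 0x0BADF00D, 0xDEADBEEF)  # constructed "unknown" seed
    sample = generate(secret, 140)
    predicted, used = predict_next(sample[:120], 20)
    print("output words consumed before the system had rank 113:", used)
    print("next 20 words predicted correctly:", predicted == sample[120:140])
```

The recovered seed agrees with the original on the 113 bits that matter; the low 1, 3, 4 and 7 bits of the four words are free variables (they never influence any output), so the solver leaves them at zero and a comparison has to mask them. An `inconsistent equations` error is the signal that the observed words did not come from this generator.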