Java Program to Implement Inversion Method for Random Number Generation
Here we will be going through the inversion method for random number generation in java. So basically we will be illustrating two approaches which are as follows:
- Shuffling elements in an array
- Using Collection.shuffle() method
Important Method here namely is setSeed(). It is used to set the seed via setSeed() method of Random class sets of the random number generator using a single long seed.
Next long value: 3738641717178320652 Seed 158514749661962 Next long value from seed: 3738641717178320652
Random uses a 48-bit seed and a linear congruential generator. These are not cryptographically safe generators, because of the tiny state size and the fact that the output just isn’t that random (many generators will exhibit small cycle length in certain bits, meaning that those bits can be easily predicted even if the other bits seem random).
Random’s seed update is as follows:
nextseed = (seed * 0x5DEECE66DL + 0xBL) & ((1L << 48) - 1)
This is a very simple function, and it can be inverted if you know all the bits of the seed by calculating
seed = ((nextseed - 0xBL) * 0xdfe05bcb1365L) & ((1L << 48) - 1)
Since 0x5DEECE66DL * 0xdfe05bcb1365L = 1 mod 248. With this, a single seed value at any point in time suffices to recover all past and future seeds.
Random has no functions that reveal the whole seed, though, so we’ll have to be a bit clever.
Now, obviously, with a 48-bit seed, you have to observe at least 48 bits of output or you clearly don’t have an injective (and thus invertible) function to work with. We’re in luck: nextLong returns ((long)(next(32)) << 32) + next(32);, so it produces 64 bits of output (more than we need). Indeed, we could probably make do with nextDouble (which produces 53 bits), or just repeated calls of any other function. Note that these functions cannot output more than 248 unique values because of the seed’s limited size (hence, for example, there are 264-248 longs that nextLong will never produce).
Let’s specifically look at nextLong. It returns a number (a << 32) + b where a and b are both 32-bit quantities. Let s be the seed before nextLong is called. Then, let t = s * 0x5DEECE66DL + 0xBL, so that a is the high 32 bits of t, and let u = t * 0x5DEECE66DL + 0xBL so that b is the high 32 bits of u. Let c and d be the low 16 bits of t and u respectively.
Note that since c and d are 16-bit quantities, we can just brute–force them (since we only need one) and be done with it. That’s pretty cheap since 216 is only 65536 — tiny for a computer. But let’s be a bit more clever and see if there’s a faster way.
We have (b << 16) + d = ((a << 16) + c) * 0x5DEECE66DL + 11. Thus, doing some algebra, we obtain (b << 16) – 11 – (a << 16)*0x5DEECE66DL = c*0x5DEECE66DL – d, mod 248. Since c and d are both 16-bit quantities, c*0x5DEECE66DL has at most 51 bits. This usefully means that
(b << 16) - 11 - (a << 16)*0x5DEECE66DL + (k<<48)
is equal to c*0x5DEECE66DL – d for some k at most 6. (There are more sophisticated ways to compute c and d, but because the bound on k is so tiny, it’s easier to just brute force).
We can just test all the possible values for k until we get a value whose negated remainder mod 0x5DEECE66DL is 16 bits (mod 248 again), so that we recover the lower 16 bits of both t and u. At that point, we have a full seed, so we can either find future seeds using the first equation, or past seeds using the second equation. It is as shown in the example given below which is as follows:
[826100673, 702667566, 238146028, -1525439028, -133372456] Testing seed: 181503804585936 --> 272734279476123 Verifying: 15607138131897 --> 181503804585936 Verifying: 46050021665190 --> 15607138131897 Verifying: 54139333749543 --> 46050021665190 Seed found: 782634283105 [826100673, 702667566, 238146028, -1525439028, -133372456]
Output explanation: The program will brute force on the lower 16
- -bit discarded by nextInt(), use the algorithm provided in the blog by James Roper to find the previous seed, then check that the upper 32 bit of the 48-bit seed is the same as the previous number. We need at least 2 integers to derive the previous seed. Otherwise, there will be 216 possibilities for the previous seed, and all of them are equally valid until we have at least one more number.
- It can be extended for nextLong() easily, and 1 long number is enough to find the seed, since we have 2 pieces of upper 32-bit of the seed in one long, due to the way it is generated.
Note: There are cases where the result is not the same as what you set as secret seed in the SEED variable. If the number you set as secret seed occupies more than 48-bit (which is the number of bits used for generating random numbers internally), then the upper 16 bits of 64 bit of long will be removed in the setSeed() method. In such cases, the result returned will not be the same as what you have set initially, it is likely that the lower 48-bit will be the same.