Prove a “random” generator is weak by recovering it.
Random number generators quietly protect session tokens, password resets, API keys, nonces, and lottery/gaming draws. When an app uses a non-cryptographicgenerator — Python's random (Mersenne Twister), an LCG, a time/PID seed — its output looks random but is fully predictable to anyone who recovers the generator. The AT-1 RNG Auditor does exactly that: it tries to recover the generator behind a stream, and if it can, the generator is broken and you hold the proof.
Recovery is the proof
Recover the generator behind a stream and you don't have a hunch — you have the next values it will emit. A BROKEN verdict ships with the recovered seed/state as evidence, then predicts forward to demonstrate it.
Known-weak generators
Recovers Mersenne Twister (MT19937) — Python's random, PHP mt_rand, Ruby — from consecutive outputs; LCG families (glibc, MINSTD, Numerical Recipes) under common output mappings; short-period and low-dimensional chaotic maps.
Statistical battery
When no generator is recovered, a battery runs anyway — bit-frequency (monobit), runs, Shannon entropy, serial correlation, period detection, and compressibility — to flag weakness even without a full break.
Evidence, not assertions
Auditors need a finding they can hand to a regulator: input summary, every test run, a verdict with severity, the evidence behind it, and remediation. A PASS means no known attack succeeded and it looks random.
BROKEN: recovered the generator, predicted forward
Mersenne Twister (MT19937) is the default in Python's random, PHP's mt_rand, Ruby and many others. From enough consecutive raw outputs the Auditor recovers the full internal state — and then predicts every future value. A stream that passes every statistical test still falls, because looking random and being unpredictable are not the same thing.
# a stream of session tokens, drawn from Python's random (MT19937) at1 rng-audit tokens.hex --format hex # INPUT 4096 values, 32-bit, parsed as hex # TESTS monobit PASS · runs PASS · entropy 7.98/8.00 · serial-corr 0.001 # ^ it LOOKS random to every statistical test # ATTACK Mersenne Twister (MT19937) ... recovering internal state # recovered full 624-word state from 624 consecutive outputs # VERDICT BROKEN (severity: CRITICAL) # EVIDENCE recovered MT19937 state; predicted the next 8 outputs exactly: # 0x6b8c4f21 0x09afd3e0 0x1f77ba55 0xc4e21d08 # 0x3a9e0b6c 0x88012f4d 0x5d6ace11 0xe0473f92 # REMEDIATE replace random/Mersenne Twister with a CSPRNG (os.urandom / secrets)
Illustrative example. Sample output — values shown are not from a real run.
PASS: resists every known attack
When no generator is recovered and the stream passes the statistical battery and is incompressible, the Auditor returns PASS. Read it precisely: no known attack succeeded and it looks random — not a proof of cryptographic security.
# the same audit against a stream from os.urandom at1 rng-audit secure.bin --format raw # INPUT 4096 values, 8-bit, raw bytes # TESTS monobit PASS · runs PASS · entropy 8.00/8.00 · serial-corr 0.000 # ATTACK MT19937 / LCG families / short-period / chaotic maps ... no recovery # VERDICT PASS (no known attack succeeded; passes the battery; incompressible) # NOTE PASS = resisted KNOWN attacks and looks random. # It is not a proof of cryptographic security.
Illustrative example. Sample output — values shown are not from a real run.
Three verdicts
Generator or internal state recovered — the stream is fully predictable. The recovered seed/state ships as evidence, and the Auditor predicts the next values to prove it.
No full break, but the battery flags statistical anomalies — biased bits, failed runs, low entropy, serial correlation, or a short detected period.
Resists the known attacks and looks random across the battery. Strong evidence of soundness — not a proof of cryptographic security.
One command surface
Point it at a file of values in any common encoding; it emits a findings report — input summary, tests, verdict, severity, evidence, and remediation — or machine-readable JSON for your pipeline.
at1 rng-audit <file> --format raw|hex|dec|base64 [--json] # raw consecutive raw values (bytes or words) # hex whitespace/newline-separated hex integers # dec decimal integers # base64 base64-decoded to raw bytes # --json emit the findings report as machine-readable JSON
A battery tells you it looks random. This tells you it isn't.
Generic randomness batteries detect statistical weakness; they never recover the generator. The Auditor adds the attack that produces a prediction — and wraps it in a scoped findings report.
| Approach | Recovers generator | Predicts next value | Scoped verdict |
|---|---|---|---|
Statistical battery (NIST STS / Dieharder) flags statistical weakness, but never recovers the generator or predicts the next value | partial | ||
Ad-hoc MT19937 cracker script can break one generator, but it's a one-off script — no battery, no report, no scope | partial | ||
Compressibility / entropy spot-check catches gross low-entropy streams, but a weak-but-uniform PRNG sails through | partial | ||
AT-1 RNG Auditor recovers the generator, predicts forward, and emits a scoped findings report |
Who this is for
- iGaming, casino & lottery — fairness compliance: prove the draw RNG is sound, or catch a rigged or weak one before it ships.
- Application security — find predictable session tokens, password-reset links and nonces before an attacker does.
- Key management & embedded devices — validate the RNG that seeds keys on constrained or headless hardware.
- Auditors — hand a regulator evidence, not an assertion: a recovered state and a predicted next value.
Honest scope
The Auditor detects known-weak generatorsand statistical weakness. A PASS means “no known attack succeeded and it looks random” — it is not a proof of cryptographic security. MT19937 recovery needs enough consecutive raw outputs to reconstruct the state. This is a force-multiplier for auditors, not a magic break of strong cryptography — a CSPRNG (os.urandom, secrets) correctly resists it.
It comes from AT-1's broader compression-as-structure-detector line — the same engine that certified a national lottery draw fair and flagged a biased roulette wheel. The thesis is consistent: a generator whose output a model can recover or compress has structure, and structure in a “random” stream is the weakness.
The RNG Auditor ships in the same release wave as the CLI. Running an audit is metered against a connected account.