world seeds can be brute-forced in a few hours on a GPU

A (non-string-derived) Minecraft world seed is 64 bits, which would take decades to brute-force without excessive computational power.

However, the locations of slime chunks, villages and scattered features (temples and witch huts) are computed from the 64 bit world seed using Java.util.Random, which only uses the lower 48 bits of that seed. This reduction makes it possible to perform a brute-force analysis in a matter of hours on a single desktop GPU.

Only a handful of feature locations (~15-20) are required in order to narrow the lower 48 bits of the seed down to a few candidates. From there, the remaining 16 bits can be brute-forced by pairing all 65536 possibilities with each 48-bit candidate and testing for known biome locations under the resulting world seed. This can be run in Java in a few minutes.

In order to prevent this reverse-engineering of world seeds, all uses of Java.util.Random should be replaced with a proper 64-bit PRNG. Failing that, the magic numbers for each type of feature (10387312 for villages, etc) should be made configurable for multiplayer servers, so that a player would have to include them in their brute-force attack, raising the difficulty from 48 bits up beyond 64.

Unfortunately, existing worlds which already contain a sufficient number of spawned features cannot be easily protected from this attack. The only defense for such worlds would be to manually relocate a majority of those features to neighboring chunks, in order to throw off the math of the brute-force computation.

I can submit working source code for this attack upon request. I have also verified that it can succeed against a multiplayer server to which I did not even log in (I used their public live map to locate enough villages).

Regards,
Alex Frase