A design flaw was found in the libgcrypt PRNG . An attacker who can obtain the first 580 bytes of the PRNG output can trivially predict the following 20 bytes.