git.distorted.org.uk Git - u/mdw/catacomb/blob - rand.h

   1 /* -*-c-*-
   2  *
   3  * $Id: rand.h,v 1.1 1999/09/03 08:41:12 mdw Exp $
   4  *
   5  * Secure random number generator
   6  *
   7  * (c) 1999 Straylight/Edgeware
   8  */
   9
  10 /*----- Licensing notice --------------------------------------------------*
  11  *
  12  * This file is part of Catacomb.
  13  *
  14  * Catacomb is free software; you can redistribute it and/or modify
  15  * it under the terms of the GNU Library General Public License as
  16  * published by the Free Software Foundation; either version 2 of the
  17  * License, or (at your option) any later version.
  18  *
  19  * Catacomb is distributed in the hope that it will be useful,
  20  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  21  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  22  * GNU Library General Public License for more details.
  23  *
  24  * You should have received a copy of the GNU Library General Public
  25  * License along with Catacomb; if not, write to the Free
  26  * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
  27  * MA 02111-1307, USA.
  28  */
  29
  30 /*----- Revision history --------------------------------------------------*
  31  *
  32  * $Log: rand.h,v $
  33  * Revision 1.1  1999/09/03 08:41:12  mdw
  34  * Initial import.
  35  *
  36  */
  37
  38 /*----- Notes on the random number generator ------------------------------*
  39  *
  40  * The algorithm is one of the author's own devising.  It may therefore be
  41  * worth a certain amount of skepticism.  However, I've thought about this
  42  * method for over a year before actually considering it worth implementing.
  43  * With a little bit of luck, it should have received some peer review by the
  44  * time this code is actually properly released, and it'll be worth a bit
  45  * more confidence.  My earlier generator was very similar in structure to
  46  * the Linux /dev/random device.  This generator is intended to address
  47  * concerns I expressed about the Linux generator in a Usenet article to
  48  * sci.crypt.
  49  *
  50  * The generator is divided into two parts: an input pool and an outpu
  51  * buffer.  New random data is placed into the pool in the way described
  52  * below, which is shamelessly stolen from the Linux /dev/random generator.
  53  * The only interaction that the pool has on the output buffer is through the
  54  * keyed `gating' operation, which mixes up and redistributes all of the
  55  * generator's state in an irreversible manner.  Random bytes, when
  56  * requested, are extracted from the output buffer in a linear fashion.
  57  *
  58  * The input pool is best seen as being eight shift registers in parallel.
  59  * Data is added to the pool one octet at a time.  Each bit of a new octet is
  60  * added to a different shift register, by adding it (mod 2) with other bits
  61  * according to the coefficients of a primitive polynomial.  Each new byte is
  62  * rotated before being added into the pool, in a half-hearted attempt to
  63  * protect against biases in the input data (e.g., top bits being clear on
  64  * ASCII text).
  65  *
  66  * The gating operation takes a keyed hash of the entire generator state,
  67  * uses it as the key for a symmetric cipher, and encrypts the state.  The
  68  * key is then discarded.  The result is that every ouptut bit of the
  69  * operation depends in a complex way on every input bit, but the operation
  70  * cannot be reversed.
  71  *
  72  * As an added wrinkle, 160 bits of the output buffer are never actually
  73  * output.  They are used in the gating operation only, as an extra item that
  74  * an adversary has to guess before predicting generator output.
  75  */
  76
  77 #ifndef RAND_H
  78 #define RAND_H
  79
  80 #ifdef __cplusplus
  81   extern "C" {
  82 #endif
  83
  84 /*----- Header files ------------------------------------------------------*/
  85
  86 #include <stddef.h>
  87
  88 #include "rmd160-hmac.h"
  89
  90 /*----- Magic numbers -----------------------------------------------------*/
  91
  92 #define RAND_POOLSZ 1279                /* Input pool size in bytes */
  93 #define RAND_BUFSZ 1024                 /* Output buffer size in bytes */
  94 #define RAND_SECSZ 20                   /* Secret octets in output buffer */
  95
  96 #define RAND_IBITS (RAND_POOLSZ * 8)
  97 #define RAND_OBITS (RAND_BUFSZ * 8)
  98
  99 /*----- Data structures ---------------------------------------------------*/
 100
 101 /* --- A random number generator pool --- */
 102
 103 typedef struct rand_pool {
 104   octet pool[RAND_POOLSZ];              /* Actual contents of the pool */
 105   unsigned i;                           /* Current index into pool */
 106   unsigned irot;                        /* Current rotation applied */
 107   unsigned ibits;                       /* Number of good bits in pool */
 108   octet buf[RAND_BUFSZ];                /* Random octet output buffer */
 109   unsigned o;                           /* Current index into buffer */
 110   unsigned obits;                       /* Number of good bits in buffer */
 111   rmd160_mackey k;                      /* Secret key for this pool */
 112   const struct rand_source *s;          /* System-specific noise source */
 113 } rand_pool;
 114
 115 #define RAND_GLOBAL ((rand_pool *)0)    /* The global randomness pool */
 116
 117 /* --- A noise source --- */
 118
 119 typedef struct rand_source {
 120   void (*getnoise)(rand_pool */*r*/);   /* Acquire more noise */
 121   int (*timer)(rand_pool */*r*/);       /* Get noise from current time */
 122 } rand_source;
 123
 124 /*----- Functions provided ------------------------------------------------*/
 125
 126 /* --- @rand_init@ --- *
 127  *
 128  * Arguments:   @rand_pool *r@ = pointer to a randomness pool
 129  *
 130  * Returns:     ---
 131  *
 132  * Use:         Initializes a randomness pool.  The pool doesn't start out
 133  *              very random: that's your job to sort out.
 134  */
 135
 136 extern void rand_init(rand_pool */*r*/);
 137
 138 /* --- @rand_noisesrc@ --- *
 139  *
 140  * Arguments:   @rand_pool *r@ = pointer to a randomness pool
 141  *              @const rand_source *s@ = pointer to source definition
 142  *
 143  * Returns:     ---
 144  *
 145  * Use:         Sets a noise source for a randomness pool.  When the pool's
 146  *              estimate of good random bits falls to zero, the @getnoise@
 147  *              function is called, passing the pool handle as an argument.
 148  *              It is expected to increase the number of good bits by at
 149  *              least one, because it'll be called over and over again until
 150  *              there are enough bits to satisfy the caller.  The @timer@
 151  *              function is called frequently throughout the generator's
 152  *              operation.
 153  */
 154
 155 extern void rand_noisesrc(rand_pool */*r*/, const rand_source */*s*/);
 156
 157 /* --- @rand_key@ --- *
 158  *
 159  * Arguments:   @rand_pool *r@ = pointer to a randomness pool
 160  *              @const void *k@ = pointer to key data
 161  *              @size_t sz@ = size of key data
 162  *
 163  * Returns:     ---
 164  *
 165  * Use:         Sets the secret key for a randomness pool.  The key is used
 166  *              when mixing in new random bits.
 167  */
 168
 169 extern void rand_key(rand_pool */*r*/, const void */*k*/, size_t /*sz*/);
 170
 171 /* --- @rand_add@ --- *
 172  *
 173  * Arguments:   @rand_pool *r@ = pointer to a randomness pool
 174  *              @const void *p@ = pointer a buffer of data to add
 175  *              @size_t sz@ = size of the data buffer
 176  *              @unsigned goodbits@ = number of good bits estimated in buffer
 177  *
 178  * Returns:     ---
 179  *
 180  * Use:         Mixes the data in the buffer with the contents of the
 181  *              pool.  The estimate of the number of good bits is added to
 182  *              the pool's own count.  The mixing operation is not
 183  *              cryptographically strong.  However, data in the input pool
 184  *              isn't output directly, only through the one-way gating
 185  *              operation, so that shouldn't matter.
 186  */
 187
 188 extern void rand_add(rand_pool */*r*/,
 189                      const void */*p*/, size_t /*sz*/,
 190                      unsigned /*goodbits*/);
 191
 192 /* --- @rand_goodbits@ --- *
 193  *
 194  * Arguments:   @rand_pool *r@ = pointer to a randomness pool
 195  *
 196  * Returns:     Estimate of the number of good bits remaining in the pool.
 197  */
 198
 199 extern unsigned rand_goodbits(rand_pool */*r*/);
 200
 201 /* --- @rand_gate@ --- *
 202  *
 203  * Arguments:   @rand_pool *r@ = pointer to a randomness pool
 204  *
 205  * Returns:     ---
 206  *
 207  * Use:         Mixes up the entire state of the generator in a nonreversible
 208  *              way.
 209  */
 210
 211 extern void rand_gate(rand_pool */*r*/);
 212
 213 /* --- @rand_stretch@ --- *
 214  *
 215  * Arguments:   @rand_pool *r@ = pointer to a randomness pool
 216  *
 217  * Returns:     ---
 218  *
 219  * Use:         Stretches the contents of the output buffer by transforming
 220  *              it in a nonreversible way.  This doesn't add any entropy
 221  *              worth speaking about, but it works well enough when the
 222  *              caller doesn't care about that sort of thing.
 223  */
 224
 225 extern void rand_stretch(rand_pool */*r*/);
 226
 227 /* --- @rand_get@ --- *
 228  *
 229  * Arguments:   @rand_pool *r@ = pointer to a randomness pool
 230  *              @void *p@ = pointer to output buffer
 231  *              @size_t sz@ = size of output buffer
 232  *
 233  * Returns:     ---
 234  *
 235  * Use:         Gets random data from the pool.  The pool's contents can't be
 236  *              determined from the output of this function; nor can the
 237  *              output data be determined from a knowledge of the data input
 238  *              to the pool wihtout also having knowledge of the secret key.
 239  *              The good bits counter is decremented, although no special
 240  *              action is taken if it reaches zero.
 241  */
 242
 243 extern void rand_get(rand_pool */*r*/, void */*p*/, size_t /*sz*/);
 244
 245 /* --- @rand_getgood@ --- *
 246  *
 247  * Arguments:   @rand_pool *r@ = pointer to a randomness pool
 248  *              @void *p@ = pointer to output buffer
 249  *              @size_t sz@ = size of output buffer
 250  *
 251  * Returns:     ---
 252  *
 253  * Use:         Gets random data from the pool.  The pool's contents can't be
 254  *              determined from the output of this function; nor can the
 255  *              output data be determined from a knowledge of the data input
 256  *              to the pool wihtout also having knowledge of the secret key.
 257  *              If a noise source is attached to the pool in question, it is
 258  *              called to replenish the supply of good bits in the pool;
 259  *              otherwise this call is equivalent to @rand_get@.
 260  */
 261
 262 extern void rand_getgood(rand_pool */*r*/, void */*p*/, size_t /*sz*/);
 263
 264 /*----- That's all, folks -------------------------------------------------*/
 265
 266 #ifdef __cplusplus
 267   }
 268 #endif
 269
 270 #endif