[RFC] Built-in RNG design #14623

issue sipa openend this issue on October 31, 2018
  1. sipa commented at 9:56 pm on October 31, 2018: member

    This is a proposal for the operation of our internal random number generator.

    Clear classification of what use case uses which interface:

    • Random numbers whose security is critical (private keys, seeds, encryption keys) use the GetStrongRandBytes function, which draws from our own RNG state, after mixing in “slow” entropy (see further).
    • Non-critical random numbers that are infrequently needed use the GetRandBytes class of functions (designed to work in ~microsecond time), which draw from our own RNG state after mixing in “fast” entropy.
    • Non-critical random numbers needed inside tight loops use a local FastRandomContext (which produces cryptographically secure random numbers, but is only seeded once - using the GetRandBytes level (see previous bullet point).

    To assist in generation, we have 3 levels of seeding:

    • fast This is automatically invoked by GetRandBytes, and mixes in things like stack pointer and high-precision timestamp.
    • medium This is automatically invoked by GetStrongRandBytes, and mixes in everything fast seeding mixes in, as well as all external sources of entropy (rdrand, getrandom, /dev/urandom, …).
    • slow This is automatically invoked once at startup, and can be invoked periodically by the scheduler thread when idle. It mixes in everything the slow seeding mixes in, as well as OS environment data, performance monitoring data if available, and time the duration of sleeps.

    Initially “medium” and “slow” can include OpenSSL as an entropy source, and when sufficiently many replacements are added, it can be dropped.

  2. fanquake added the label Brainstorming on Nov 2, 2018
  3. pstratem commented at 7:38 pm on November 8, 2018: contributor
    change the GetRandBytes functions to GetWeakRandBytes measure latency of various entropy sources
  4. meshcollider commented at 2:07 pm on November 11, 2018: contributor
    Related: #10299 ?
  5. gmaxwell commented at 7:13 pm on November 23, 2018: contributor
    I assume for very slow we’d use some hardening function too? (even just a timed hashloop) – I was fond of that element of the prior code.
  6. sipa commented at 10:25 pm on December 13, 2018: member
    Actually instead of GetStrongRandBytes, what about GetFreshRandBytes? Both provide equally strong cryptographic random material; the non-Fresh one is just based on potentially older seeding data.
  7. laanwj referenced this in commit 6e6b3b944d on Jan 21, 2019
  8. MarcoFalke commented at 10:01 pm on February 12, 2019: member
    Anything left to do here?
  9. MarcoFalke commented at 8:44 pm on August 7, 2019: member
    No response in half a year. Closing
  10. MarcoFalke closed this on Aug 7, 2019

  11. dzutto referenced this in commit 4cbecd4510 on Sep 10, 2021
  12. UdjinM6 referenced this in commit be79070f60 on Sep 11, 2021
  13. MarcoFalke locked this on Dec 16, 2021

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-19 09:12 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me