CPU Jitter Random Number Generator

The CPU Jitter Random Number Generator provides a non-physical true random number generator that works equally well in kernel and user land. The only prerequisite is a high-resolution timer, which modern CPUs provide.

PDF documentation is also available. The pictures and graphs are easier to read in the PDF version.
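
Because the generator depends on a high-resolution timer, a timer can be screened before it is trusted as a noise source. The following C program is an added example, not code from the CPU Jitter RNG sources: it classifies a series of time stamps as usable, stepping backwards, too coarse, or showing no variation. The function names, the sample count and the 10% thresholds are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define SAMPLES 1024 /* assumed sample count for this illustration */

enum timer_verdict { TIMER_OK, TIMER_BACKWARDS, TIMER_COARSE, TIMER_NO_VARIATION };

/* Hypothetical helper: nanosecond time stamp via C11 timespec_get(). This is
 * the wall clock; a production check would read a monotonic or cycle counter. */
static uint64_t read_ns(void)
{
    struct timespec ts;
    timespec_get(&ts, TIME_UTC);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}

/* Classify n consecutive time stamps. The 10% thresholds are assumptions
 * chosen for the example, not values taken from the project. */
static enum timer_verdict classify_timer(const uint64_t *t, size_t n)
{
    size_t zero = 0, changes = 0;
    uint64_t prev = 0;
    if (n < 3)
        return TIMER_NO_VARIATION;  /* too few samples to judge */
    for (size_t i = 1; i < n; i++) {
        if (t[i] < t[i - 1])
            return TIMER_BACKWARDS; /* timer stepped back */
        uint64_t d = t[i] - t[i - 1];
        if (d == 0)
            zero++;                 /* two reads returned the same value */
        if (i > 1 && d != prev)
            changes++;              /* delta differs from the previous delta */
        prev = d;
    }
    if (zero * 10 > n - 1)
        return TIMER_COARSE;        /* more than 10% of reads did not advance */
    if (changes * 10 < n - 2)
        return TIMER_NO_VARIATION;  /* under 10% of deltas changed: no jitter seen */
    return TIMER_OK;
}

int main(void)
{
    static uint64_t t[SAMPLES];
    for (size_t i = 0; i < SAMPLES; i++)
        t[i] = read_ns();
    printf("timer verdict: %d (0 = usable)\n", classify_timer(t, SAMPLES));
    return 0;
}
```

A verdict other than 0 means the time source should not be used to measure execution jitter on that system.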

Request For Help

I am looking for CPUs that are not listed in appendix F of the documentation. If you happen to have such a CPU with a Unix-ish operating system and you want to help me to gather more evidence on the appropriateness of the CPU Jitter random number generator, please perform the following:

  1. Get the test tarball, unpack it and execute:
    1. cd <testdir>/tests_userspace/timing/
    2. make -f Makefile.foldtime
    3. ./jitterentropy-foldtime > foldtime.O0
    4. make -f Makefile.foldtime clean
    5. edit Makefile.foldtime and replace -O0 with -O2 in the CFLAGS line
    6. make -f Makefile.foldtime
    7. ./jitterentropy-foldtime > foldtime.O2
    8. Send both files to me.
    9. make -f Makefile.foldtime clean
    10. make -f Makefile.inittest
    11. ./jitterentropy-inittest
    12. Send the result of the application to me

Source Code

The following source code contains the implementation of the CPU Random Number Generator.

Link Changes
20130508

Initial version

20130516

Small enhancement of Kernel DRNG support -- making the reseeding and rekeying implementation more robust for edge conditions

Compile the CPU Jitter RNG as stand-alone shared library

Addition of OpenSSL engine support

20130521

Moving of code parts relevant to different consumers into subdirectories

OpenSSL: add jitterentropy-drng and jitterentropy-strong engines

20130617

Adding test to assess entropy of timer over folding loop -- test results in section 5.1 and appendix F added to documentation

Update jent_entropy_init to check for coarse timers

Add patch to integrate CPU Jitter RNG as entropy of last resort into /dev/random and /dev/urandom -- see appendix B.3

20130621

Adding more tests to assess entropy of timer over folding loop -- test results in appendix F added to documentation

Bug fix in jent_entropy_init

Add code in arch/ and android/ directories for non-Linux environments

20130626

Adding more tests to assess entropy of timer over folding loop -- test results in appendix F added to documentation

Bug fix in jent_entropy_init

20130724

Adding more tests to assess entropy of timer over folding loop -- test results in appendix F added to documentation (there are now 197 different tests)

Remove statistical tests in jent_entropy_init that cause ambiguous results

Add support for MacOS and AIX in jent_get_nstime

20130806

Addition of z/OS test code and description in arch/zOS

20130818

Added missing -O0 to /dev/random patch

Fix bug in output of random data: mixed bit and byte representation

20130910

Adding of jitterentropy-rngd -- an entropy feeder daemon to add entropy to /dev/random's input_pool from user space (see appendix E)

Use of Linux kernel clocksource if get_cycles returns zero

Documentation: adding section 4.5 to discuss Von Neumann De-Skew

20130912

Replace varying entropy loop counter with Von Neumann unbias operation. This implies that the analysis of the entropy loop counter statistics in chapter 4 is removed. The impact of the Von Neumann unbias operation on the entropy is discussed in chapter 5.

20130930

Allow caller of jent_entropy_collector_alloc to specify an oversampling rate. That rate determines whether the folding loop is executed in multiple instances to implement an oversampling of the individual bits.

Add test results for microkernels.

Add analysis of change of CPU execution jitter over time in section 5.1.1.

Add analysis of the impact of disabling certain system characteristics on CPU execution jitter in appendix F.43.

20131020

Addition of non-cryptographic whitening function that can be enabled during allocation time.

Addition of tests on Windows 7

20131028

Add add_jent_randomness call to initialization of entropy pools in random.c.

Update structure of Linux kernel Makefile to allow seamless integration into kernel

Addition of tests on Samsung Galaxy S4

20131113

Add JENT_DISABLE_UNBIAS flag to allocation function to disable Von-Neumann unbias.

Add test to verify presence of CPU execution time jitter on bare metal (test_baremetal/)

Document baremetal testing by adding new chapter 6

Add folding test result for Intel Core i7 IvyBridge

20140131

Addition of new noise source: memory access which adds significant additional entropy

Rewrite of bare metal test to include memory access testing and more CPU execution jitter testing

Chapter 6 of the documentation completely rewritten to cover an in-depth analysis of the noise sources, including a rationale of the theory of root cause of memory access variations

Update Linux kernel patch for 3.13 and to feed the input_pool only

20140219

Add PID file to jitterentropy-rngd -- thanks to Jan Blunck

Fix wrapping logic in memaccess loop -- thanks to Jan Blunck

Fix NULL pointer dereference in jent_entropy_collector_free

20140220

Bug fix for wrap calculation in memaccess loop -- thanks to Mikko Loytynoja

20140402

jitterentropy-rngd: compile without JENT_DISABLE_MEMORY_ACCESS to protect state in case of swap-out, crash dumps, etc

FIPS mode: read /proc/sys/crypto/fips_enabled

20140411

RNGD 20140411

The shuffling function that selects the new number of folding loop is now more balanced

jitterentropy-rngd: make a separate package

20141015

RNGD 20141015

The number of memory accesses is now shuffled the same way as the folding loop: For each memory access noise request, a time stamp determines a number between 64 and 192 for the memory accesses

Jitterentropy 1.1.0 (Signature)

RNGD 1.0.0 (Signature)

start new numbering schema

update processing of bit that is deemed holding no entropy by heuristic: XOR it into pool without LFSR and bit rotation (reported and suggested by Kevin Fowler)

RNGD 1.0.1 (Signature)

mark function jentrng_versionstring static (thanks to Kevin Fowler)

use errno with strerror (thanks to Kevin Fowler)

compile with -pedantic and make appropriate code changes

RNGD 1.0.2 (Signature)

change jitterentropy.service: move RNGd startup up the boot ladder to allow all cryptographic services to benefit from an RNGd-updated /dev/?random

Jitterentropy 1.2.0 (Signature)

jent_stir_pool is now a constant time function to prevent leaking timing information about the random number.

Make it compile on 32 bit architectures.

RNGD 1.0.3 (Signature)

Ensure that the buffer holding entropy data is zeroized immediately after use.

Jitterentropy 2.0.0 (Signature)

RNGD 1.0.4 (Signature)

Jitterentropy: Replace the XOR folding of a time delta with an LFSR -- the use of an LFSR is mathematically more sound for the argument to maintain entropy

rngd: inject only 32 bytes of entropy instead of 256 bytes

rngd: apply oversampling factor -- i.e. obtain OVERSAMPLINGFACTOR bytes more from Jitter RNG than required for the 32 bytes of entropic data

rngd: do not install sig_alarm handler if the LRNG is present

rngd: Use Jitter RNG logic v2.0.0

The test cases without the results that went into the documentation can be found in the test tarball. Start with the scripts getstat.sh. If you are interested in the test results, the SVG files, etc., please let me know as this is a 30GB archive.


2016-10-09 smueller at chronox.de