Jitter RNG
The CPU Jitter Random Number Generator provides a non-physical true random number generator that works equally in kernel and user land. The only prerequisite is the availability of a high-resolution timer that is available in modern CPUs.
It is the first software-based entropy source that is suitable to provide:
at the same time after applying the SP800-90B configuration or the AIS 20/31 NTG.1 configuration and demonstrating the required entropy rate following the specified validation and test methodology.
Both NIST/CMVP and the German BSI confirmed that the Jitter RNG is suitable for the specified compliance claims. Note that the actual confirmation of such claims will only be applied for a particular instance of the Jitter RNG on a particular hardware after completing the testing provided with the Jitter RNG source code distribution.
GitHub Links
The source code of the following Jitter RNG components is publicly available:
-
Jitter RNG Userspace Library provides a shared library that a consuming application or other library can link to. The consumer is able to receive fresh entropy from the Jitter RNG library where the data is stored in a caller-provided buffer. This library is independent of and does not rely on the following implementation.
-
Jitter RNG Daemon is a Linux “rngd”. This rngd is a daemon that collects entropy and injects it by using an IOCTL into the Linux kernel via /dev/random. This daemon has a build-in copy of the Jitter RNG library and can be compiled standalone from the library and thus does not depend on the Jitter RNG library.
When using the Jitter RNG to complete an SP800-90B or NTG.1 validation, the following information is to be observed.
The following version information is applicable for user space:
The following version information is applicable for kernel space:
- Active versions: >= 3.4.0
Compliance Claim
The following compliance is claimed for the different versions when using with the applicable configuration:
| Jitter-RNG Version |
SP800-90B Compliance |
AIS 20/31 NTG.1 Compliance |
| >= 3.4.0 |
compliant |
not compliant |
| >= 3.7.0 |
compliant |
compliant |
Applied Conditioning Function
The following conditioning functions are implemented for the Jitter RNG:
| Jitter-RNG Version |
Conditioning Function |
| >= 3.4.0 |
SHA3-256 |
| >= 3.7.0 |
Two serialized SHAKE-256 instances |
Documentation
The reference to the applicable documentation is given with the various releases.
The latest documentation applies to the current version.
The Jitter RNG v2.2.0 documentation documents the Jitter RNG copy found in older Linux kernels.
Request For Help
I am looking for CPUs that are not listed in appendix F of the documentation. If you happen to have such a CPU with a Unix-ish operating system and you want to help me to gather more evidence on the appropriateness of the CPU Jitter random number generator, please perform the following:
-
Get the current library source code, unpack it
-
cd <librarydir>/tests/raw_entropy/recording_userspace
-
execute invoke_testing.sh
-
Send the result of the execution found in the directory results_measurements to me
Archive with Test Results
The archive with all collected test data is available at this location.
Historic Releases
For older releases, see the Jitter RNG historic page.
Subsections of Jitter RNG
Jitter RNG 3.7.0
SP800-90B, SP800-90C compliance
Jitter RNG Library 3.7.0 Source Code
Jitter RNG Library 3.7.0 Signature
Documentation
The following documentation is available:
Changelog
- Add secure memory implementation for Linux and {Net,Open,Free}BSD, MacOS and Windows
- Update supported CMake version to 3.10
- doc: use Doxygen-style comments
- NTG.1 compliance: Modify startup such that the memory access and SHA-3 loop are treated as independent noise sources which are sampled to collect at least 240 bits each before first block of random numbers is released
- Remove all code when JENT_CONF_DISABLE_LOOP_SHUFFLE is unset. This code is already discouraged for a long time. Now it is taken out for good.
- If cache size cannot be detected from base system (e.g. virtualization), use the requested memory size.
- Change the stuck test to always calculate the absolute values of the 2nd and 3rd discrete derivation of time.
- Replace SHA3-256 output generation with XDRBG-256
- Prune the jitterentropy.h header file of internal definitions and delcarations which are moved to src/jitterentropy-internal.h. With that, jitterentropy.h only contains the API. This modification does not alter the Jitter RNG behavior at all.
- Update secure storage memory implementation for libgcrypt and OpenSSL
- Add API jent_status
3.6.3
- Correct time stamp processing on AIX
- Use high-resolution time stamp on Apple Silicon
- GCD power-up test: consider OSR
Standards Compliance
Jitter RNG Daemon
The Jitter RNG daemon is a separate instance of the Jitter RNG usable on Linux to inject entropy into the Linux kernel. Applying the BSI AIS20/31 methodology, it is possible to achieve a DRT.1 seeded by an NTG.1 claim.
This code is completely independent of the aforementioned library. It consumes the library for a specific use case of the Jitter RNG.
Jitter RNG RNGd 1.3.1 Source Code
Jitter RNG RNGd 1.3.1 Signature
Jitter RNG 3.6.3
SP800-90B, SP800-90C compliance
Jitter RNG Library 3.6.3 Source Code
Jitter RNG Library 3.6.3 Signature
Documentation
The PDF documentation covers all aspects of the design and testing of the Jitter RNG.
Changelog
- Correct time stamp processing on AIX
- Use high-resolution time stamp on Apple Silicon
- GCD power-up test: consider OSR
Jitter RNG 3.6.2
SP800-90B, SP800-90C compliance
Jitter RNG Library 3.6.2 Source Code
Jitter RNG Library 3.6.2 Signature
Documentation
The PDF documentation covers all aspects of the design and testing of the Jitter RNG.
Changelog
- Fix RCT re-initialization in jent_read_entropy_safe (thanks to Joshua Hill for pointing this out)
- simplify test code
- improve keyword portability
Jitter RNG 3.6.1
SP800-90B, SP800-90C compliance
Jitter RNG Library 3.6.1 Source Code
Jitter RNG Library 3.6.1 Signature
Documentation
The PDF documentation covers all aspects of the design and testing of the Jitter RNG.
Changelog
-
Add more test code
-
Add support for SunPRO compiler
-
Fix compilation on OpenBSD by replacing sed with tr
-
internal timer: Add support for Apple
-
Various small fixes to compilation to imporve portability
Jitter RNG 3.6.0
SP800-90B, SP800-90C compliance
Jitter RNG Library 3.6.0 Source Code
Jitter RNG Library 3.6.0 Signature
Documentation
The PDF documentation covers all aspects of the design and testing of the Jitter RNG.
Changelog
-
Remove bi-modal behavior of conditioning function
-
Make jent_read_entropy_safe safer by retrying the health test
-
Move the version information to make them available at compile time
Jitter RNG 3.5.0
SP800-90B, SP800-90C compliance
Jitter RNG Library 3.5.0 Source Code
Jitter RNG Library 3.5.0 Signature
Documentation
The PDF documentation covers all aspects of the design and testing of the Jitter RNG.
Changelog
Jitter RNG 3.4.1
SP800-90B, SP800-90C compliance
Jitter RNG Library 3.4.1 Source Code
Jitter RNG Library 3.4.1 Signature
Jitter RNG Linux Daemon 1.2.8 Source Code
Jitter RNG Linux Daemon 1.2.8 Signature
Documentation
The PDF documentation covers all aspects of the design and testing of the Jitter RNG.
Changelog
-
library: add FIPS 140 hints to man page
-
library: simplify the test tool to search for optimal configurations
-
library: fix: jent_loop_shuffle: re-add setting the time that was lost with 3.4.0
-
library: enhancement: add ARM64 assembler code to read high-res timer
-
RNGD: enhancement: use Jitter RNG library 3.4.1