Non-physical true random number generator
A non-physical true random number generator (NPTRNG),[1] also known as a non-physical nondeterministic random bit generator is a generator of unpredictable random numbers without the use of dedicated hardware entropy source.[2] NPTRNG uses a non-physical noise source that obtains entropy from system data, like outputs of application programming interface functions, residual information in the random access memory, system time or human input (e.g., mouse movements and keystrokes)[3] [1] in the hope that that data may contain elements that are truly random, or at least not known to or controllable by others.[citation needed ] A typical NPTRNG is implemented as software running on a computer.[1] The NPTRNGs are frequently found in the kernels of the popular operating systems [4] that are expected to run on any generic CPU.
Reliability
[edit ]An NPTRNG is inherently less trustworthy than its physical random number generator counterpart, as the non-physical noise sources require specific conditions to work, thus the entropy estimates require major assumptions about the external environment and skills of an attacker.[5]
Typical attacks include:[6]
- vulnerability to an adversary with system access (just like any software-based TRNG);
- an attacker connecting a predictable source of events (for example, a mouse simulator);
- operating in an environment where the assumptions about the system behavior no longer hold true (for example, in a virtual machine).
A more sophisticated attack in 2007 breached the forward secrecy of the NPTRNG in Windows 2000 by exploiting few implementation flaws.[7]
Implementations
[edit ]The design of an NPTRNG is traditional for TRNGs: a noise source is followed by a postprocessing randomness extractor and, optionally, with a pseudorandom number generator (PRNG) seeded by the true random bits. For example, in Linux, the /dev/random requires true random seed (and thus can block when it needs to collect more entropy, e.g., at boot time), while /dev/urandom will always provide more bits and is non-blocking.[8] [9]
As of 2025, the Linux NPTRNG implementation extracted the entropy from:[10] [11]
- the interrupts, mixing CPU cycle counter, kernel timer value, IRQ number, and instruction pointer of the interrupted instruction into a "fast pool" of entropy;
- the random-time I/O (events from keyboard, mouse, and disk), mixing the kernel timer value, cycle counter, device-specific information into the "input pool".
At the time, testing in virtualized environments had shown that there existed a boot-time "entropy hole" (reset vulnerability) when the early (u)random outputs were catastrophically non-random, but in general the system provided enough uncertainty to thwart an attacker.[12]
Alam et al. had proposed using hardware performance counters as a source of entropy.[13] [14]
References
[edit ]- ^ a b c Schindler 2008, p. 18.
- ^ Turan et al. 2018, p. 64.
- ^ Turan et al. 2018, p. 5.
- ^ Hall 2021.
- ^ Peter & Schindler 2022, p. 61.
- ^ Peter & Schindler 2022, p. 62.
- ^ Schindler 2008, p. 20.
- ^ Schindler 2008, pp. 18–19.
- ^ Everspaugh et al. 2014, p. 560.
- ^ Everspaugh et al. 2014, p. 561.
- ^ Bouez, Daemen & Mennink 2025, p. 600.
- ^ Everspaugh et al. 2014, p. 573.
- ^ Bouez, Daemen & Mennink 2025, p. 601.
- ^ Alam et al. 2020, pp. 3–19.
Sources
[edit ]- Alam, Manaar; Singh, Astikey; Bhattacharya, Sarani; Pratihar, Kuheli; Mukhopadhyay, Debdeep (2020). "In-situ Extraction of Randomness from Computer Architecture Through Hardware Performance Counters". Smart Card Research and Advanced Applications. Vol. 11833. Cham: Springer International Publishing. doi:10.1007/978-3-030-42068-0_1. ISBN 978-3-030-42067-3 . Retrieved 2025年11月01日.
- Bouez, Alexandre; Daemen, Joan; Mennink, Bart (2025). "Statistical Evaluation of Entropy Accumulation in Linux". 2025 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). IEEE: 600–612. doi:10.1109/EUROSPW67616.2025.00075.
- Everspaugh, Adam; Zhai, Yan; Jellinek, Robert; Ristenpart, Thomas; Swift, Michael (2014). Not-So-Random Numbers in Virtualized Linux and the Whirlwind RNG (PDF). 2014 IEEE Symposium on Security and Privacy. IEEE. pp. 559–574. doi:10.1109/SP.2014.42. ISBN 978-1-4799-4686-0.
- Hall, Tim (29 April 2021). "Non-physical entropy sources" (PDF). NIST.
- Peter, Matthias; Schindler, Werner (September 2, 2022). A Proposal for Functionality Classes for Random Number Generators (2.35 DRAFT ed.). Bundesamt für Sicherheit in der Informationstechnik.
- Turan, Meltem Sönmez; Barker, Elaine; Kelsey, John; McKay, Kerry A; Baish, Mary L; Boyle, Mike (2018). NIST SP800-90B: Recommendation for the entropy sources used for random bit generation (Report). Gaithersburg, MD: National Institute of Standards and Technology. doi:10.6028/nist.sp.800-90b .
- Schindler, Werner (2008). "Random Number Generators for Cryptographic Applications". In Koc, C.K. (ed.). Cryptographic Engineering. Boston, MA: Springer US. pp. 5–23. doi:10.1007/978-0-387-71817-0_2. ISBN 978-0-387-71817-0 . Retrieved 2024年08月24日.
