Random Number Generator

The random number generator (RNG) is used to generate the master encryption key, the secondary key (XTS mode), salt, and keyfiles. It creates a pool of random values in RAM (memory). The pool, which is 640 bytes long, is filled with data from the following sources:

* Mouse movements

* Keystrokes

* Mac OS X and Linux: Values generated by the built-in RNG (both /dev/random and /dev/urandom)

* MS Windows only: MS Windows CryptoAPI (collected regularly at 500-ms interval)

* MS Windows only: Network interface statistics (NETAPI32)

* MS Windows only: Various Win32 handles, time variables, and counters (collected regularly at 500-ms interval)

Before a value obtained from any of the above-mentioned sources is written to the pool, it is divided into individual bytes (e.g., a 32-bit number is divided into four bytes). These bytes are then individually written to the pool with the modulo 28 addition operation (not by replacing the old values in the pool) at the position of the pool cursor. After a byte is written, the pool cursor position is advanced by one byte. When the cursor reaches the end of the pool, its position is set to the beginning of the pool. After every 16th byte written to the pool, the pool mixing function is applied to the entire pool (see below).

Pool Mixing Function

The purpose of this function is to perform diffusion [2]. Diffusion spreads the influence of individual “raw” input bits over as much of the pool state as possible, which also hides statistical relationships. After every 16th byte written to the pool, this function is applied to the entire pool.

Description of the pool mixing function:

1. Let R be the randomness pool

2. Let H be the hash function selected by the user (SHA-512, RIPEMD-160, or Whirlpool)

3. l = byte size of the output of the hash function H (i.e., if H is RIPEMD-160, then l = 20; if H is SHA-512, l = 64)

4. z = byte size of the randomness pool R (640 bytes)

5. q = z / l – 1 (e.g., if H is Whirlpool, then q = 4)

6. R is divided into l-byte blocks B0...Bq.
For 0 < i < q (i.e., for each block B) the following steps are performed:

1. M = H (B0 || B1 || ... || Bq) [i.e., the randomness pool is hashed using the hash function H, which produces a hash M]

2. Bi = Bi ^ M

7. R = B0 || B1 || ... || Bq

For example, if q = 1, the randomness pool would be mixed as follows:

1. (B0 || B1) = R

2. B0 = B0 ^ H(B0 || B1)

3. B1 = B1 ^ H(B0 || B1)

4. R = B0 || B1

The design and implementation of the random number generator are based on the following works:

* Software Generation of Practically Strong Random Numbers by Peter Gutmann [10]
* Cryptographic Random Numbers by Carl Ellison [11]