Bitcoin Core 30.99.0
P2P Digital Currency
random.h
Go to the documentation of this file.
1// Copyright (c) 2009-2010 Satoshi Nakamoto
2// Copyright (c) 2009-present The Bitcoin Core developers
3// Distributed under the MIT software license, see the accompanying
4// file COPYING or http://www.opensource.org/licenses/mit-license.php.
5
6#ifndef BITCOIN_RANDOM_H
7#define BITCOIN_RANDOM_H
8
9#include <crypto/chacha20.h>
10#include <crypto/common.h>
11#include <span.h>
12#include <uint256.h>
13#include <util/check.h>
14
15#include <bit>
16#include <cassert>
17#include <chrono>
18#include <concepts>
19#include <cstdint>
20#include <limits>
21#include <type_traits>
22#include <vector>
23
75/* ============================= INITIALIZATION AND ADDING ENTROPY ============================= */
76
83void RandomInit();
84
90void RandAddPeriodic() noexcept;
91
98void RandAddEvent(uint32_t event_info) noexcept;
99
100
101/* =========================== BASE RANDOMNESS GENERATION FUNCTIONS ===========================
102 *
103 * All produced randomness is eventually generated by one of these functions.
104 */
105
117void GetRandBytes(std::span<unsigned char> bytes) noexcept;
118
129void GetStrongRandBytes(std::span<unsigned char> bytes) noexcept;
130
131
132/* ============================= RANDOM NUMBER GENERATION CLASSES =============================
133 *
134 * In this section, 3 classes are defined:
135 * - RandomMixin: a base class that adds functionality to all RNG classes.
136 * - FastRandomContext: a cryptographic RNG (seeded through GetRandBytes in its default
137 * constructor).
138 * - InsecureRandomContext: a non-cryptographic, very fast, RNG.
139 */
140
141// Forward declaration of RandomMixin, used in RandomNumberGenerator concept.
142template<typename T>
143class RandomMixin;
144
146template<typename T>
147concept RandomNumberGenerator = requires(T& rng, std::span<std::byte> s) {
148 // A random number generator must provide rand64().
149 { rng.rand64() } noexcept -> std::same_as<uint64_t>;
150 // A random number generator must derive from RandomMixin, which adds other rand* functions.
151 requires std::derived_from<std::remove_reference_t<T>, RandomMixin<std::remove_reference_t<T>>>;
152};
153
155template<typename T>
156concept StdChronoDuration = requires {
157 []<class Rep, class Period>(std::type_identity<std::chrono::duration<Rep, Period>>){}(
158 std::type_identity<T>());
159};
160
162double MakeExponentiallyDistributed(uint64_t uniform) noexcept;
163
173template<typename T>
174class RandomMixin
175{
176private:
177 uint64_t bitbuf{0};
178 int bitbuf_size{0};
179
185 RandomNumberGenerator auto& Impl() noexcept { return static_cast<T&>(*this); }
186
187protected:
188 constexpr void FlushCache() noexcept
189 {
190 bitbuf = 0;
191 bitbuf_size = 0;
192 }
193
194public:
195 constexpr RandomMixin() noexcept = default;
196
197 // Do not permit copying or moving an RNG.
198 RandomMixin(const RandomMixin&) = delete;
199 RandomMixin& operator=(const RandomMixin&) = delete;
200 RandomMixin(RandomMixin&&) = delete;
201 RandomMixin& operator=(RandomMixin&&) = delete;
202
204 uint64_t randbits(int bits) noexcept
205 {
206 Assume(bits <= 64);
207 // Requests for the full 64 bits are passed through.
208 if (bits == 64) return Impl().rand64();
209 uint64_t ret;
210 if (bits <= bitbuf_size) {
211 // If there is enough entropy left in bitbuf, return its bottom bits bits.
212 ret = bitbuf;
213 bitbuf >>= bits;
214 bitbuf_size -= bits;
215 } else {
216 // If not, return all of bitbuf, supplemented with the (bits - bitbuf_size) bottom
217 // bits of a newly generated 64-bit number on top. The remainder of that generated
218 // number becomes the new bitbuf.
219 uint64_t gen = Impl().rand64();
220 ret = (gen << bitbuf_size) | bitbuf;
221 bitbuf = gen >> (bits - bitbuf_size);
222 bitbuf_size = 64 + bitbuf_size - bits;
223 }
224 // Return the bottom bits bits of ret.
225 return ret & ((uint64_t{1} << bits) - 1);
226 }
227
229 template<int Bits>
230 uint64_t randbits() noexcept
231 {
232 static_assert(Bits >= 0 && Bits <= 64);
233 if constexpr (Bits == 64) {
234 return Impl().rand64();
235 } else {
236 uint64_t ret;
237 if (Bits <= bitbuf_size) {
238 ret = bitbuf;
239 bitbuf >>= Bits;
240 bitbuf_size -= Bits;
241 } else {
242 uint64_t gen = Impl().rand64();
243 ret = (gen << bitbuf_size) | bitbuf;
244 bitbuf = gen >> (Bits - bitbuf_size);
245 bitbuf_size = 64 + bitbuf_size - Bits;
246 }
247 constexpr uint64_t MASK = (uint64_t{1} << Bits) - 1;
248 return ret & MASK;
249 }
250 }
251
253 template<std::integral I>
254 I randrange(I range) noexcept
255 {
256 static_assert(std::numeric_limits<I>::max() <= std::numeric_limits<uint64_t>::max());
257 Assume(range > 0);
258 uint64_t maxval = range - 1U;
259 int bits = std::bit_width(maxval);
260 while (true) {
261 uint64_t ret = Impl().randbits(bits);
262 if (ret <= maxval) return ret;
263 }
264 }
265
267 void fillrand(std::span<std::byte> span) noexcept
268 {
269 while (span.size() >= 8) {
270 uint64_t gen = Impl().rand64();
271 WriteLE64(span.data(), gen);
272 span = span.subspan(8);
273 }
274 if (span.size() >= 4) {
275 uint32_t gen = Impl().rand32();
276 WriteLE32(span.data(), gen);
277 span = span.subspan(4);
278 }
279 while (span.size()) {
280 span[0] = std::byte(Impl().template randbits<8>());
281 span = span.subspan(1);
282 }
283 }
284
286 template<std::integral I>
287 I rand() noexcept
288 {
289 static_assert(std::numeric_limits<I>::max() <= std::numeric_limits<uint64_t>::max());
290 static constexpr auto BITS = std::bit_width(uint64_t(std::numeric_limits<I>::max()));
291 static_assert(std::numeric_limits<I>::max() == std::numeric_limits<uint64_t>::max() >> (64 - BITS));
292 return I(Impl().template randbits<BITS>());
293 }
294
296 template <BasicByte B = unsigned char>
297 std::vector<B> randbytes(size_t len) noexcept
298 {
299 std::vector<B> ret(len);
300 Impl().fillrand(MakeWritableByteSpan(ret));
301 return ret;
302 }
303
305 template <size_t N, BasicByte B = std::byte>
306 std::array<B, N> randbytes() noexcept
307 {
308 std::array<B, N> ret;
309 Impl().fillrand(MakeWritableByteSpan(ret));
310 return ret;
311 }
312
314 uint32_t rand32() noexcept { return Impl().template randbits<32>(); }
315
317 uint256 rand256() noexcept
318 {
319 uint256 ret;
320 Impl().fillrand(MakeWritableByteSpan(ret));
321 return ret;
322 }
323
325 bool randbool() noexcept { return Impl().template randbits<1>(); }
326
328 template <typename Tp>
329 Tp rand_uniform_delay(const Tp& time, typename Tp::duration range) noexcept
330 {
331 return time + Impl().template rand_uniform_duration<Tp>(range);
332 }
333
335 template <typename Chrono> requires StdChronoDuration<typename Chrono::duration>
336 typename Chrono::duration rand_uniform_duration(typename Chrono::duration range) noexcept
337 {
338 using Dur = typename Chrono::duration;
339 return range.count() > 0 ? /* interval [0..range) */ Dur{Impl().randrange(range.count())} :
340 range.count() < 0 ? /* interval (range..0] */ -Dur{Impl().randrange(-range.count())} :
341 /* interval [0..0] */ Dur{0};
342 };
343
345 template <StdChronoDuration Dur>
346 Dur randrange(std::common_type_t<Dur> range) noexcept
347 // Having the compiler infer the template argument from the function argument
348 // is dangerous, because the desired return value generally has a different
349 // type than the function argument. So std::common_type is used to force the
350 // call site to specify the type of the return value.
351 {
352 return Dur{Impl().randrange(range.count())};
353 }
354
365 std::chrono::microseconds rand_exp_duration(std::chrono::microseconds mean) noexcept
366 {
367 using namespace std::chrono_literals;
368 auto unscaled = MakeExponentiallyDistributed(Impl().rand64());
369 return std::chrono::duration_cast<std::chrono::microseconds>(unscaled * mean + 0.5us);
370 }
371
372 // Compatibility with the UniformRandomBitGenerator concept
373 typedef uint64_t result_type;
374 static constexpr uint64_t min() noexcept { return 0; }
375 static constexpr uint64_t max() noexcept { return std::numeric_limits<uint64_t>::max(); }
376 inline uint64_t operator()() noexcept { return Impl().rand64(); }
377};
378
385class FastRandomContext : public RandomMixin<FastRandomContext>
386{
387private:
388 bool requires_seed;
389 ChaCha20 rng;
390
391 void RandomSeed() noexcept;
392
393public:
395 explicit FastRandomContext(bool fDeterministic = false) noexcept;
396
398 explicit FastRandomContext(const uint256& seed) noexcept;
399
401 void Reseed(const uint256& seed) noexcept;
402
404 uint64_t rand64() noexcept
405 {
406 if (requires_seed) RandomSeed();
407 std::array<std::byte, 8> buf;
408 rng.Keystream(buf);
409 return ReadLE64(buf.data());
410 }
411
413 void fillrand(std::span<std::byte> output) noexcept;
414};
415
424class InsecureRandomContext : public RandomMixin<InsecureRandomContext>
425{
426 uint64_t m_s0;
427 uint64_t m_s1;
428
429 [[nodiscard]] constexpr static uint64_t SplitMix64(uint64_t& seedval) noexcept
430 {
431 uint64_t z = (seedval += 0x9e3779b97f4a7c15);
432 z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9;
433 z = (z ^ (z >> 27)) * 0x94d049bb133111eb;
434 return z ^ (z >> 31);
435 }
436
437public:
438 constexpr explicit InsecureRandomContext(uint64_t seedval) noexcept
439 : m_s0(SplitMix64(seedval)), m_s1(SplitMix64(seedval)) {}
440
441 constexpr void Reseed(uint64_t seedval) noexcept
442 {
443 FlushCache();
444 m_s0 = SplitMix64(seedval);
445 m_s1 = SplitMix64(seedval);
446 }
447
448 constexpr uint64_t rand64() noexcept
449 {
450 uint64_t s0 = m_s0, s1 = m_s1;
451 const uint64_t result = std::rotl(s0 + s1, 17) + s0;
452 s1 ^= s0;
453 m_s0 = std::rotl(s0, 49) ^ s1 ^ (s1 << 21);
454 m_s1 = std::rotl(s1, 28);
455 return result;
456 }
457};
458
459
460/* ==================== CONVENIENCE FUNCTIONS FOR COMMONLY USED RANDOMNESS ==================== */
461
463inline uint256 GetRandHash() noexcept
464{
465 uint256 hash;
466 GetRandBytes(hash);
467 return hash;
468}
469
470/* ============================= MISCELLANEOUS TEST-ONLY FUNCTIONS ============================= */
471
475bool Random_SanityCheck();
476
477#endif // BITCOIN_RANDOM_H
ret
int ret
Definition: bitcoin-cli.cpp:1352
Assume
#define Assume(val)
Assume is the identity function.
Definition: check.h:125
ChaCha20
Unrestricted ChaCha20 cipher.
Definition: chacha20.h:76
ChaCha20::Keystream
void Keystream(std::span< std::byte > out) noexcept
outputs the keystream to out.
Definition: chacha20.cpp:281
FastRandomContext
Fast randomness source.
Definition: random.h:386
FastRandomContext::rand64
uint64_t rand64() noexcept
Generate a random 64-bit integer.
Definition: random.h:404
FastRandomContext::rng
ChaCha20 rng
Definition: random.h:389
FastRandomContext::RandomSeed
void RandomSeed() noexcept
Definition: random.cpp:619
FastRandomContext::fillrand
void fillrand(std::span< std::byte > output) noexcept
Fill a byte span with random bytes.
Definition: random.cpp:626
FastRandomContext::Reseed
void Reseed(const uint256 &seed) noexcept
Reseed with explicit seed (only for testing).
Definition: random.cpp:634
FastRandomContext::requires_seed
bool requires_seed
Definition: random.h:388
InsecureRandomContext
xoroshiro128++ PRNG.
Definition: random.h:425
InsecureRandomContext::SplitMix64
static constexpr uint64_t SplitMix64(uint64_t &seedval) noexcept
Definition: random.h:429
InsecureRandomContext::rand64
constexpr uint64_t rand64() noexcept
Definition: random.h:448
InsecureRandomContext::Reseed
constexpr void Reseed(uint64_t seedval) noexcept
Definition: random.h:441
InsecureRandomContext::InsecureRandomContext
constexpr InsecureRandomContext(uint64_t seedval) noexcept
Definition: random.h:438
RandomMixin
Mixin class that provides helper randomness functions.
Definition: random.h:175
RandomMixin::fillrand
void fillrand(std::span< std::byte > span) noexcept
Fill a span with random bytes.
Definition: random.h:267
RandomMixin::max
static constexpr uint64_t max() noexcept
Definition: random.h:375
RandomMixin::RandomMixin
constexpr RandomMixin() noexcept=default
RandomMixin::Impl
RandomNumberGenerator auto & Impl() noexcept
Access the underlying generator.
Definition: random.h:185
RandomMixin::rand_uniform_delay
Tp rand_uniform_delay(const Tp &time, typename Tp::duration range) noexcept
Return the time point advanced by a uniform random duration.
Definition: random.h:329
RandomMixin::rand_uniform_duration
Chrono::duration rand_uniform_duration(typename Chrono::duration range) noexcept
Generate a uniform random duration in the range from 0 (inclusive) to range (exclusive).
Definition: random.h:336
RandomMixin::randrange
I randrange(I range) noexcept
Generate a random integer in the range [0..range), with range > 0.
Definition: random.h:254
RandomMixin::bitbuf_size
int bitbuf_size
Definition: random.h:178
RandomMixin::rand256
uint256 rand256() noexcept
generate a random uint256.
Definition: random.h:317
RandomMixin::randbytes
std::array< B, N > randbytes() noexcept
Generate fixed-size random bytes.
Definition: random.h:306
RandomMixin::result_type
uint64_t result_type
Definition: random.h:373
RandomMixin::bitbuf
uint64_t bitbuf
Definition: random.h:177
RandomMixin::randbool
bool randbool() noexcept
Generate a random boolean.
Definition: random.h:325
RandomMixin::rand
I rand() noexcept
Generate a random integer in its entire (non-negative) range.
Definition: random.h:287
RandomMixin::randbytes
std::vector< B > randbytes(size_t len) noexcept
Generate random bytes.
Definition: random.h:297
RandomMixin::FlushCache
constexpr void FlushCache() noexcept
Definition: random.h:188
RandomMixin::rand_exp_duration
std::chrono::microseconds rand_exp_duration(std::chrono::microseconds mean) noexcept
Return a duration sampled from an exponential distribution (https://en.wikipedia.org/wiki/Exponential...
Definition: random.h:365
RandomMixin::min
static constexpr uint64_t min() noexcept
Definition: random.h:374
RandomMixin::rand32
uint32_t rand32() noexcept
Generate a random 32-bit integer.
Definition: random.h:314
RandomMixin::randbits
uint64_t randbits() noexcept
Same as above, but with compile-time fixed bits count.
Definition: random.h:230
RandomMixin::randrange
Dur randrange(std::common_type_t< Dur > range) noexcept
Generate a uniform random duration in the range [0..max).
Definition: random.h:346
RandomMixin::operator()
uint64_t operator()() noexcept
Definition: random.h:376
uint256
256-bit opaque blob.
Definition: uint256.h:195
RandomNumberGenerator
A concept for RandomMixin-based random number generators.
Definition: random.h:147
StdChronoDuration
A concept for C++ std::chrono durations.
Definition: random.h:156
WriteLE32
void WriteLE32(B *ptr, uint32_t x)
Definition: common.h:50
ReadLE64
uint64_t ReadLE64(const B *ptr)
Definition: common.h:35
WriteLE64
void WriteLE64(B *ptr, uint64_t x)
Definition: common.h:57
test_vectors_musig2_generate.s
tuple s
Definition: test_vectors_musig2_generate.py:72
RandAddEvent
void RandAddEvent(uint32_t event_info) noexcept
Gathers entropy from the low bits of the time at which events occur.
Definition: random.cpp:617
RandAddPeriodic
void RandAddPeriodic() noexcept
Gather entropy from various expensive sources, and feed them to the PRNG state.
Definition: random.cpp:612
GetStrongRandBytes
void GetStrongRandBytes(std::span< unsigned char > bytes) noexcept
Gather entropy from various sources, feed it into the internal PRNG, and generate random data using i...
Definition: random.cpp:607
Random_SanityCheck
bool Random_SanityCheck()
Check that OS randomness is available and returning the requested number of bytes.
Definition: random.cpp:641
GetRandHash
uint256 GetRandHash() noexcept
Generate a random uint256.
Definition: random.h:463
RandomInit
void RandomInit()
Overall design of the RNG and entropy sources.
Definition: random.cpp:696
GetRandBytes
void GetRandBytes(std::span< unsigned char > bytes) noexcept
Generate random data via the internal PRNG.
Definition: random.cpp:601
MakeExponentiallyDistributed
double MakeExponentiallyDistributed(uint64_t uniform) noexcept
Given a uniformly random uint64_t, return an exponentially distributed double with mean 1.
Definition: random.cpp:704
MakeWritableByteSpan
auto MakeWritableByteSpan(V &&v) noexcept
Definition: span.h:89
rotl
static SECP256K1_INLINE uint64_t rotl(const uint64_t x, int k)
Definition: testrand_impl.h:39
Generated on Sat Feb 7 2026 20:00:32 for Bitcoin Core by doxygen 1.9.4