1// Copyright 2018 Developers of the Rand project.
2// Copyright 2017-2018 The Rust Project Developers.
3//
4// Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
5// https://www.apache.org/licenses/LICENSE-2.0> or the MIT license
6// <LICENSE-MIT or https://opensource.org/licenses/MIT>, at your
7// option. This file may not be copied, modified, or distributed
8// except according to those terms.
9
10//! Random number generation traits
11//!
12//! This crate is mainly of interest to crates publishing implementations of
13//! [`RngCore`]. Other users are encouraged to use the [`rand`] crate instead
14//! which re-exports the main traits and error types.
15//!
16//! [`RngCore`] is the core trait implemented by algorithmic pseudo-random number
17//! generators and external random-number sources.
18//!
19//! [`SeedableRng`] is an extension trait for construction from fixed seeds and
20//! other random number generators.
21//!
22//! [`Error`] is provided for error-handling. It is safe to use in `no_std`
23//! environments.
24//!
25//! The [`impls`] and [`le`] sub-modules include a few small functions to assist
26//! implementation of [`RngCore`].
27//!
28//! [`rand`]: https://docs.rs/rand
29
30#![doc(
31 html_logo_url = "https://www.rust-lang.org/logos/rust-logo-128x128-blk.png",
32 html_favicon_url = "https://www.rust-lang.org/favicon.ico",
33 html_root_url = "https://rust-random.github.io/rand/"
34)]
35#![deny(missing_docs)]
36#![deny(missing_debug_implementations)]
37#![doc(test(attr(allow(unused_variables), deny(warnings))))]
38#![cfg_attr(doc_cfg, feature(doc_cfg))]
39#![no_std]
40
41use core::convert::AsMut;
42use core::default::Default;
43
44#[cfg(feature = "std")] extern crate std;
45#[cfg(feature = "alloc")] extern crate alloc;
46#[cfg(feature = "alloc")] use alloc::boxed::Box;
47
48pub use error::Error;
49#[cfg(feature = "getrandom")] pub use os::OsRng;
50
51
52pub mod block;
53mod error;
54pub mod impls;
55pub mod le;
56#[cfg(feature = "getrandom")] mod os;
57
58
59/// The core of a random number generator.
60///
61/// This trait encapsulates the low-level functionality common to all
62/// generators, and is the "back end", to be implemented by generators.
63/// End users should normally use the `Rng` trait from the [`rand`] crate,
64/// which is automatically implemented for every type implementing `RngCore`.
65///
66/// Three different methods for generating random data are provided since the
67/// optimal implementation of each is dependent on the type of generator. There
68/// is no required relationship between the output of each; e.g. many
69/// implementations of [`fill_bytes`] consume a whole number of `u32` or `u64`
70/// values and drop any remaining unused bytes. The same can happen with the
71/// [`next_u32`] and [`next_u64`] methods, implementations may discard some
72/// random bits for efficiency.
73///
74/// The [`try_fill_bytes`] method is a variant of [`fill_bytes`] allowing error
75/// handling; it is not deemed sufficiently useful to add equivalents for
76/// [`next_u32`] or [`next_u64`] since the latter methods are almost always used
77/// with algorithmic generators (PRNGs), which are normally infallible.
78///
79/// Implementers should produce bits uniformly. Pathological RNGs (e.g. always
80/// returning the same value, or never setting certain bits) can break rejection
81/// sampling used by random distributions, and also break other RNGs when
82/// seeding them via [`SeedableRng::from_rng`].
83///
84/// Algorithmic generators implementing [`SeedableRng`] should normally have
85/// *portable, reproducible* output, i.e. fix Endianness when converting values
86/// to avoid platform differences, and avoid making any changes which affect
87/// output (except by communicating that the release has breaking changes).
88///
89/// Typically an RNG will implement only one of the methods available
90/// in this trait directly, then use the helper functions from the
91/// [`impls`] module to implement the other methods.
92///
93/// It is recommended that implementations also implement:
94///
95/// - `Debug` with a custom implementation which *does not* print any internal
96/// state (at least, [`CryptoRng`]s should not risk leaking state through
97/// `Debug`).
98/// - `Serialize` and `Deserialize` (from Serde), preferably making Serde
99/// support optional at the crate level in PRNG libs.
100/// - `Clone`, if possible.
101/// - *never* implement `Copy` (accidental copies may cause repeated values).
102/// - *do not* implement `Default` for pseudorandom generators, but instead
103/// implement [`SeedableRng`], to guide users towards proper seeding.
104/// External / hardware RNGs can choose to implement `Default`.
105/// - `Eq` and `PartialEq` could be implemented, but are probably not useful.
106///
107/// # Example
108///
109/// A simple example, obviously not generating very *random* output:
110///
111/// ```
112/// #![allow(dead_code)]
113/// use rand_core::{RngCore, Error, impls};
114///
115/// struct CountingRng(u64);
116///
117/// impl RngCore for CountingRng {
118/// fn next_u32(&mut self) -> u32 {
119/// self.next_u64() as u32
120/// }
121///
122/// fn next_u64(&mut self) -> u64 {
123/// self.0 += 1;
124/// self.0
125/// }
126///
127/// fn fill_bytes(&mut self, dest: &mut [u8]) {
128/// impls::fill_bytes_via_next(self, dest)
129/// }
130///
131/// fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), Error> {
132/// Ok(self.fill_bytes(dest))
133/// }
134/// }
135/// ```
136///
137/// [`rand`]: https://docs.rs/rand
138/// [`try_fill_bytes`]: RngCore::try_fill_bytes
139/// [`fill_bytes`]: RngCore::fill_bytes
140/// [`next_u32`]: RngCore::next_u32
141/// [`next_u64`]: RngCore::next_u64
142pub trait RngCore {
143 /// Return the next random `u32`.
144 ///
145 /// RNGs must implement at least one method from this trait directly. In
146 /// the case this method is not implemented directly, it can be implemented
147 /// using `self.next_u64() as u32` or via [`impls::next_u32_via_fill`].
148 fn next_u32(&mut self) -> u32;
149
150 /// Return the next random `u64`.
151 ///
152 /// RNGs must implement at least one method from this trait directly. In
153 /// the case this method is not implemented directly, it can be implemented
154 /// via [`impls::next_u64_via_u32`] or via [`impls::next_u64_via_fill`].
155 fn next_u64(&mut self) -> u64;
156
157 /// Fill `dest` with random data.
158 ///
159 /// RNGs must implement at least one method from this trait directly. In
160 /// the case this method is not implemented directly, it can be implemented
161 /// via [`impls::fill_bytes_via_next`] or
162 /// via [`RngCore::try_fill_bytes`]; if this generator can
163 /// fail the implementation must choose how best to handle errors here
164 /// (e.g. panic with a descriptive message or log a warning and retry a few
165 /// times).
166 ///
167 /// This method should guarantee that `dest` is entirely filled
168 /// with new data, and may panic if this is impossible
169 /// (e.g. reading past the end of a file that is being used as the
170 /// source of randomness).
171 fn fill_bytes(&mut self, dest: &mut [u8]);
172
173 /// Fill `dest` entirely with random data.
174 ///
175 /// This is the only method which allows an RNG to report errors while
176 /// generating random data thus making this the primary method implemented
177 /// by external (true) RNGs (e.g. `OsRng`) which can fail. It may be used
178 /// directly to generate keys and to seed (infallible) PRNGs.
179 ///
180 /// Other than error handling, this method is identical to [`RngCore::fill_bytes`];
181 /// thus this may be implemented using `Ok(self.fill_bytes(dest))` or
182 /// `fill_bytes` may be implemented with
183 /// `self.try_fill_bytes(dest).unwrap()` or more specific error handling.
184 fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), Error>;
185}
186
187/// A marker trait used to indicate that an [`RngCore`] or [`BlockRngCore`]
188/// implementation is supposed to be cryptographically secure.
189///
190/// *Cryptographically secure generators*, also known as *CSPRNGs*, should
191/// satisfy an additional properties over other generators: given the first
192/// *k* bits of an algorithm's output
193/// sequence, it should not be possible using polynomial-time algorithms to
194/// predict the next bit with probability significantly greater than 50%.
195///
196/// Some generators may satisfy an additional property, however this is not
197/// required by this trait: if the CSPRNG's state is revealed, it should not be
198/// computationally-feasible to reconstruct output prior to this. Some other
199/// generators allow backwards-computation and are considered *reversible*.
200///
201/// Note that this trait is provided for guidance only and cannot guarantee
202/// suitability for cryptographic applications. In general it should only be
203/// implemented for well-reviewed code implementing well-regarded algorithms.
204///
205/// Note also that use of a `CryptoRng` does not protect against other
206/// weaknesses such as seeding from a weak entropy source or leaking state.
207///
208/// [`BlockRngCore`]: block::BlockRngCore
209pub trait CryptoRng {}
210
211/// An extension trait that is automatically implemented for any type
212/// implementing [`RngCore`] and [`CryptoRng`].
213///
214/// It may be used as a trait object, and supports upcasting to [`RngCore`] via
215/// the [`CryptoRngCore::as_rngcore`] method.
216///
217/// # Example
218///
219/// ```
220/// use rand_core::CryptoRngCore;
221///
222/// #[allow(unused)]
223/// fn make_token(rng: &mut dyn CryptoRngCore) -> [u8; 32] {
224/// let mut buf = [0u8; 32];
225/// rng.fill_bytes(&mut buf);
226/// buf
227/// }
228/// ```
229pub trait CryptoRngCore: CryptoRng + RngCore {
230 /// Upcast to an [`RngCore`] trait object.
231 fn as_rngcore(&mut self) -> &mut dyn RngCore;
232}
233
234impl<T: CryptoRng + RngCore> CryptoRngCore for T {
235 fn as_rngcore(&mut self) -> &mut dyn RngCore {
236 self
237 }
238}
239
240/// A random number generator that can be explicitly seeded.
241///
242/// This trait encapsulates the low-level functionality common to all
243/// pseudo-random number generators (PRNGs, or algorithmic generators).
244///
245/// [`rand`]: https://docs.rs/rand
246pub trait SeedableRng: Sized {
247 /// Seed type, which is restricted to types mutably-dereferenceable as `u8`
248 /// arrays (we recommend `[u8; N]` for some `N`).
249 ///
250 /// It is recommended to seed PRNGs with a seed of at least circa 100 bits,
251 /// which means an array of `[u8; 12]` or greater to avoid picking RNGs with
252 /// partially overlapping periods.
253 ///
254 /// For cryptographic RNG's a seed of 256 bits is recommended, `[u8; 32]`.
255 ///
256 ///
257 /// # Implementing `SeedableRng` for RNGs with large seeds
258 ///
259 /// Note that the required traits `core::default::Default` and
260 /// `core::convert::AsMut<u8>` are not implemented for large arrays
261 /// `[u8; N]` with `N` > 32. To be able to implement the traits required by
262 /// `SeedableRng` for RNGs with such large seeds, the newtype pattern can be
263 /// used:
264 ///
265 /// ```
266 /// use rand_core::SeedableRng;
267 ///
268 /// const N: usize = 64;
269 /// pub struct MyRngSeed(pub [u8; N]);
270 /// pub struct MyRng(MyRngSeed);
271 ///
272 /// impl Default for MyRngSeed {
273 /// fn default() -> MyRngSeed {
274 /// MyRngSeed([0; N])
275 /// }
276 /// }
277 ///
278 /// impl AsMut<[u8]> for MyRngSeed {
279 /// fn as_mut(&mut self) -> &mut [u8] {
280 /// &mut self.0
281 /// }
282 /// }
283 ///
284 /// impl SeedableRng for MyRng {
285 /// type Seed = MyRngSeed;
286 ///
287 /// fn from_seed(seed: MyRngSeed) -> MyRng {
288 /// MyRng(seed)
289 /// }
290 /// }
291 /// ```
292 type Seed: Sized + Default + AsMut<[u8]>;
293
294 /// Create a new PRNG using the given seed.
295 ///
296 /// PRNG implementations are allowed to assume that bits in the seed are
297 /// well distributed. That means usually that the number of one and zero
298 /// bits are roughly equal, and values like 0, 1 and (size - 1) are unlikely.
299 /// Note that many non-cryptographic PRNGs will show poor quality output
300 /// if this is not adhered to. If you wish to seed from simple numbers, use
301 /// `seed_from_u64` instead.
302 ///
303 /// All PRNG implementations should be reproducible unless otherwise noted:
304 /// given a fixed `seed`, the same sequence of output should be produced
305 /// on all runs, library versions and architectures (e.g. check endianness).
306 /// Any "value-breaking" changes to the generator should require bumping at
307 /// least the minor version and documentation of the change.
308 ///
309 /// It is not required that this function yield the same state as a
310 /// reference implementation of the PRNG given equivalent seed; if necessary
311 /// another constructor replicating behaviour from a reference
312 /// implementation can be added.
313 ///
314 /// PRNG implementations should make sure `from_seed` never panics. In the
315 /// case that some special values (like an all zero seed) are not viable
316 /// seeds it is preferable to map these to alternative constant value(s),
317 /// for example `0xBAD5EEDu32` or `0x0DDB1A5E5BAD5EEDu64` ("odd biases? bad
318 /// seed"). This is assuming only a small number of values must be rejected.
319 fn from_seed(seed: Self::Seed) -> Self;
320
321 /// Create a new PRNG using a `u64` seed.
322 ///
323 /// This is a convenience-wrapper around `from_seed` to allow construction
324 /// of any `SeedableRng` from a simple `u64` value. It is designed such that
325 /// low Hamming Weight numbers like 0 and 1 can be used and should still
326 /// result in good, independent seeds to the PRNG which is returned.
327 ///
328 /// This **is not suitable for cryptography**, as should be clear given that
329 /// the input size is only 64 bits.
330 ///
331 /// Implementations for PRNGs *may* provide their own implementations of
332 /// this function, but the default implementation should be good enough for
333 /// all purposes. *Changing* the implementation of this function should be
334 /// considered a value-breaking change.
335 fn seed_from_u64(mut state: u64) -> Self {
336 // We use PCG32 to generate a u32 sequence, and copy to the seed
337 fn pcg32(state: &mut u64) -> [u8; 4] {
338 const MUL: u64 = 6364136223846793005;
339 const INC: u64 = 11634580027462260723;
340
341 // We advance the state first (to get away from the input value,
342 // in case it has low Hamming Weight).
343 *state = state.wrapping_mul(MUL).wrapping_add(INC);
344 let state = *state;
345
346 // Use PCG output function with to_le to generate x:
347 let xorshifted = (((state >> 18) ^ state) >> 27) as u32;
348 let rot = (state >> 59) as u32;
349 let x = xorshifted.rotate_right(rot);
350 x.to_le_bytes()
351 }
352
353 let mut seed = Self::Seed::default();
354 let mut iter = seed.as_mut().chunks_exact_mut(4);
355 for chunk in &mut iter {
356 chunk.copy_from_slice(&pcg32(&mut state));
357 }
358 let rem = iter.into_remainder();
359 if !rem.is_empty() {
360 rem.copy_from_slice(&pcg32(&mut state)[..rem.len()]);
361 }
362
363 Self::from_seed(seed)
364 }
365
366 /// Create a new PRNG seeded from another `Rng`.
367 ///
368 /// This may be useful when needing to rapidly seed many PRNGs from a master
369 /// PRNG, and to allow forking of PRNGs. It may be considered deterministic.
370 ///
371 /// The master PRNG should be at least as high quality as the child PRNGs.
372 /// When seeding non-cryptographic child PRNGs, we recommend using a
373 /// different algorithm for the master PRNG (ideally a CSPRNG) to avoid
374 /// correlations between the child PRNGs. If this is not possible (e.g.
375 /// forking using small non-crypto PRNGs) ensure that your PRNG has a good
376 /// mixing function on the output or consider use of a hash function with
377 /// `from_seed`.
378 ///
379 /// Note that seeding `XorShiftRng` from another `XorShiftRng` provides an
380 /// extreme example of what can go wrong: the new PRNG will be a clone
381 /// of the parent.
382 ///
383 /// PRNG implementations are allowed to assume that a good RNG is provided
384 /// for seeding, and that it is cryptographically secure when appropriate.
385 /// As of `rand` 0.7 / `rand_core` 0.5, implementations overriding this
386 /// method should ensure the implementation satisfies reproducibility
387 /// (in prior versions this was not required).
388 ///
389 /// [`rand`]: https://docs.rs/rand
390 fn from_rng<R: RngCore>(mut rng: R) -> Result<Self, Error> {
391 let mut seed = Self::Seed::default();
392 rng.try_fill_bytes(seed.as_mut())?;
393 Ok(Self::from_seed(seed))
394 }
395
396 /// Creates a new instance of the RNG seeded via [`getrandom`].
397 ///
398 /// This method is the recommended way to construct non-deterministic PRNGs
399 /// since it is convenient and secure.
400 ///
401 /// In case the overhead of using [`getrandom`] to seed *many* PRNGs is an
402 /// issue, one may prefer to seed from a local PRNG, e.g.
403 /// `from_rng(thread_rng()).unwrap()`.
404 ///
405 /// # Panics
406 ///
407 /// If [`getrandom`] is unable to provide secure entropy this method will panic.
408 ///
409 /// [`getrandom`]: https://docs.rs/getrandom
410 #[cfg(feature = "getrandom")]
411 #[cfg_attr(doc_cfg, doc(cfg(feature = "getrandom")))]
412 fn from_entropy() -> Self {
413 let mut seed = Self::Seed::default();
414 if let Err(err) = getrandom::getrandom(seed.as_mut()) {
415 panic!("from_entropy failed: {}", err);
416 }
417 Self::from_seed(seed)
418 }
419}
420
421// Implement `RngCore` for references to an `RngCore`.
422// Force inlining all functions, so that it is up to the `RngCore`
423// implementation and the optimizer to decide on inlining.
424impl<'a, R: RngCore + ?Sized> RngCore for &'a mut R {
425 #[inline(always)]
426 fn next_u32(&mut self) -> u32 {
427 (**self).next_u32()
428 }
429
430 #[inline(always)]
431 fn next_u64(&mut self) -> u64 {
432 (**self).next_u64()
433 }
434
435 #[inline(always)]
436 fn fill_bytes(&mut self, dest: &mut [u8]) {
437 (**self).fill_bytes(dest)
438 }
439
440 #[inline(always)]
441 fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), Error> {
442 (**self).try_fill_bytes(dest)
443 }
444}
445
446// Implement `RngCore` for boxed references to an `RngCore`.
447// Force inlining all functions, so that it is up to the `RngCore`
448// implementation and the optimizer to decide on inlining.
449#[cfg(feature = "alloc")]
450impl<R: RngCore + ?Sized> RngCore for Box<R> {
451 #[inline(always)]
452 fn next_u32(&mut self) -> u32 {
453 (**self).next_u32()
454 }
455
456 #[inline(always)]
457 fn next_u64(&mut self) -> u64 {
458 (**self).next_u64()
459 }
460
461 #[inline(always)]
462 fn fill_bytes(&mut self, dest: &mut [u8]) {
463 (**self).fill_bytes(dest)
464 }
465
466 #[inline(always)]
467 fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), Error> {
468 (**self).try_fill_bytes(dest)
469 }
470}
471
472#[cfg(feature = "std")]
473impl std::io::Read for dyn RngCore {
474 fn read(&mut self, buf: &mut [u8]) -> Result<usize, std::io::Error> {
475 self.try_fill_bytes(dest:buf)?;
476 Ok(buf.len())
477 }
478}
479
480// Implement `CryptoRng` for references to a `CryptoRng`.
481impl<'a, R: CryptoRng + ?Sized> CryptoRng for &'a mut R {}
482
483// Implement `CryptoRng` for boxed references to a `CryptoRng`.
484#[cfg(feature = "alloc")]
485impl<R: CryptoRng + ?Sized> CryptoRng for Box<R> {}
486
487#[cfg(test)]
488mod test {
489 use super::*;
490
491 #[test]
492 fn test_seed_from_u64() {
493 struct SeedableNum(u64);
494 impl SeedableRng for SeedableNum {
495 type Seed = [u8; 8];
496
497 fn from_seed(seed: Self::Seed) -> Self {
498 let mut x = [0u64; 1];
499 le::read_u64_into(&seed, &mut x);
500 SeedableNum(x[0])
501 }
502 }
503
504 const N: usize = 8;
505 const SEEDS: [u64; N] = [0u64, 1, 2, 3, 4, 8, 16, -1i64 as u64];
506 let mut results = [0u64; N];
507 for (i, seed) in SEEDS.iter().enumerate() {
508 let SeedableNum(x) = SeedableNum::seed_from_u64(*seed);
509 results[i] = x;
510 }
511
512 for (i1, r1) in results.iter().enumerate() {
513 let weight = r1.count_ones();
514 // This is the binomial distribution B(64, 0.5), so chance of
515 // weight < 20 is binocdf(19, 64, 0.5) = 7.8e-4, and same for
516 // weight > 44.
517 assert!((20..=44).contains(&weight));
518
519 for (i2, r2) in results.iter().enumerate() {
520 if i1 == i2 {
521 continue;
522 }
523 let diff_weight = (r1 ^ r2).count_ones();
524 assert!(diff_weight >= 20);
525 }
526 }
527
528 // value-breakage test:
529 assert_eq!(results[0], 5029875928683246316);
530 }
531}
532