-rw-r--r-- 3384 librandombytes-20240318/doc/readme.md raw
librandombytes provides a simple API for applications generating fresh randomness: include `<randombytes.h>`, call `randombytes(x,xbytes)` whenever desired to generate fresh random bytes `x[0]`, `x[1]`, ..., `x[xbytes-1]`, and link with `-lrandombytes`. Random bytes are often used directly in applications. Random bytes are also the foundation of more complicated random objects, such as random integers in a limited interval, random floating-point numbers from a (nearly) normal distribution, and random keys used in public-key cryptosystems. librandombytes is dedicated to obtaining fresh random bytes in the first place, and leaves it to higher-level libraries to convert those bytes into other types of random objects. librandombytes aims for the following stringent randomness goal: no feasible computation will ever be able to tell the difference between the output bytes and true randomness (independent uniformly distributed random bytes). This makes the `randombytes()` output suitable for use in applications ranging from simulations to cryptography. Most alternative sources of randomness (such as `rand()` and `random()` in C, and `mt19937_64` in C++) consider detectable deviations from true randomness to be acceptable as long as _most_ applications do not notice the deviations. These sources are not permitted inside librandombytes; the `randombytes()` caller is entitled to expect that the output comes from sources that are designed for the right goal. Internally, librandombytes is an abstraction layer for a choice of two libraries, where each library provides the same `randombytes` interface but the libraries choose two different sources of randomness: * `librandombytes-kernel` reads random bytes provided by the OS kernel via mechanisms such as `getrandom()`. These mechanisms are typically advertised as providing RNG security features that are harder to provide in user space, such as hypervisor integration. * `librandombytes-openssl` uses OpenSSL's `RAND_bytes` to generate random bytes. This mechanism is typically advertised as providing speed that is difficult to achieve without a per-process RNG. The idea is that the OS can install `librandombytes-kernel` by default, but the sysadmin can install `librandombytes-openssl` to transparently switch all of the `randombytes()` applications to `RAND_bytes` (for example, via Debian's `/etc/alternatives` mechanism) _if_ profiling shows that this switch is important for overall system performance. Making this choice centrally means that applications are free to simply call `randombytes()` * without worrying about evaluating performance, * without worrying about how to balance performance concerns with competing concerns, and * without worrying that these performance evaluations will be rendered obsolete by speed improvements: for example, by [ongoing work](https://lkml.org/lkml/2023/1/1/87) to accelerate `getrandom()`, or by the increasing deployment of [fast-key-erasure RNGs](https://blog.cr.yp.to/20170723-random.html). Another virtue of having a `randombytes()` abstraction layer is that test frameworks can substitute a deterministic seeded `randombytes()` providing _known_ pseudorandom bytes for reproducible tests. Of course, the `randombytes()` provided by these test frameworks must be kept separate from the fresh `randombytes()` used for deployment.