Generated Values
The content of the RNG pool is never directly exported (even when VeraCrypt instructs the RNG to
generate and export a value). Thus, even if the attacker obtains a value generated by the RNG, it is
infeasible for him to determine or predict (using the obtained value) any other values generated by
the RNG during the session (it is infeasible to determine the content of the pool from a value
generated by the RNG).
The RNG ensures this by performing the following steps whenever VeraCrypt instructs it to
generate and export a value:
1. Data obtained from the sources listed above is added to the pool as described above.
2. The requested number of bytes is copied from the pool to the output buffer (the copying
starts from the position of the pool cursor; when the end of the pool is reached, the copying
continues from the beginning of the pool; if the requested number of bytes is greater than the
size of the pool, no value is generated and an error is returned).
3. The state of each bit in the pool is inverted (i.e., 0 is changed to 1, and 1 is changed to 0).
4. Data obtained from some of the sources listed above is added to the pool as described above.
5. The content of the pool is transformed using the pool mixing function. Note: The function
uses a cryptographically secure one-way hash function selected by the user (for more
information, see the section Pool Mixing Function above).
6. The transformed content of the pool is XORed into the output buffer as follows:
a. The output buffer write cursor is set to 0 (the first byte of the buffer).
b. The byte at the position of the pool cursor is read from the pool and XORed into the
byte in the output buffer at the position of the output buffer write cursor.
c. The pool cursor position is advanced by one byte. If the end of the pool is reached,
the cursor position is set to 0 (the first byte of the pool).
d. The position of the output buffer write cursor is advanced by one byte.
e. Steps b–d are repeated for each remaining byte of the output buffer (whose length is
equal to the requested number of bytes).
7. The content of the output buffer, which is the final value generated by the RNG, is exported.
Design Origins
The design and implementation of the random number generator are based on the following works:
Software Generation of Practically Strong Random Numbers by Peter Gutmann [10]
Cryptographic Random Numbers by Carl Ellison [11]