openentropy-core 0.12.3

Core entropy harvesting library — hardware noise sources, raw or SHA-256 conditioned
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267

//! CommonCrypto AES-128-CBC warm/cold path bimodal timing entropy.
//!
//! Apple's **CommonCrypto** framework provides the OS-level symmetric encryption
//! API (`CCCrypt`). Unlike the direct ARM64 AES instructions measured by
//! `aes_exec_timing`, `CCCrypt` goes through the framework dispatch layer, which
//! adds an OS-managed warm/cold-path decision:
//!
//! - **Warm path** (key schedule cached): The AES hardware key expansion is
//!   retained in the execution unit's internal key schedule register. The call
//!   returns in ~50 ticks.
//! - **Cold path** (key schedule evicted): The key expansion must be reloaded
//!   from the key material in DRAM, traversing the system fabric to the AES
//!   coprocessor. The call returns in ~120 ticks.
//!
//! The transition between warm and cold paths is governed by:
//! - Other processes' AES activity (FileVault, HTTPS, disk encryption)
//! - The interval since the last call (AES unit power management)
//! - CPU frequency scaling affecting the key schedule register retention time
//! - Thermal throttling of the crypto coprocessor
//!
//! ## Empirical characterisation (Mac mini M4, N=1000)
//!
//! ```text
//! Bimodal distribution:
//!   Fast peak:  ~50 ticks  (warm path)
//!   Slow peak:  ~120 ticks (cold path, key reload)
//!   CV = 155.4%
//!   LSB P(odd) = 0.41 (near-uniform — good for entropy)
//! ```
//!
//! ## Relationship to `aes_exec_timing`
//!
//! `aes_exec_timing` measures direct `AESE`/`AESMC` instruction pipeline timing
//! via inline assembly. It captures **instruction-level** pipeline state:
//! execution unit availability, pipeline fill, thermal throttling.
//!
//! `commoncrypto_aes_timing` measures the **framework call** overhead including
//! OS dispatch, parameter validation, key schedule management, and the framework's
//! own caching decisions. The bimodal is wider (CV=155% vs CV=268% for direct AES)
//! because the framework adds stable overhead atop the hardware variation.
//!
//! ## Cross-process side channel
//!
//! Heavy AES usage by other processes (Time Machine backups, Safari HTTPS,
//! FileVault I/O bursts) consistently pushes `CCCrypt` toward the cold path,
//! causing our timing to jump from ~50 to ~120 ticks. This makes the bimodal
//! distribution a real-time indicator of system-wide AES coprocessor load — a
//! genuine cross-process side channel via the CommonCrypto framework.
//!
//! ## Prior art
//!
//! AES timing side channels have been extensively studied for key recovery (Bernstein
//! 2005, Osvik et al. 2006, Acıiçmez et al. 2007). CommonCrypto's internal caching
//! behaviour has not previously been characterised as a bimodal entropy source.
//! The specific warm/cold path transition controlled by the AES coprocessor's
//! key schedule register is an Apple Silicon-specific hardware feature not present
//! in software AES implementations.

use crate::source::{EntropySource, Platform, SourceCategory, SourceInfo};

static COMMONCRYPTO_AES_TIMING_INFO: SourceInfo = SourceInfo {
    name: "commoncrypto_aes_timing",
    description: "CommonCrypto AES-128-CBC warm/cold key schedule bimodal timing",
    physics: "Times CCCrypt(AES-128-CBC) calls with rotating keys. Framework dispatch \
              shows bimodal distribution: ~50 ticks (warm, key schedule cached) vs \
              ~120 ticks (cold, key reload via system fabric). CV=155.4%; warm/cold \
              transition driven by other processes' AES load (FileVault, HTTPS), AES \
              coprocessor power management, and thermal state. Distinct from direct \
              AESE instruction timing (aes_exec_timing): captures framework overhead \
              and key schedule management layer. Cross-process sensitivity: Time Machine \
              / FileVault bursts visibly shift distribution toward cold path.",
    category: SourceCategory::Microarch,
    platform: Platform::MacOS,
    requirements: &[],
    entropy_rate_estimate: 2.0,
    composite: false,
    is_fast: false,
};

/// Entropy from CommonCrypto AES-128-CBC warm/cold key-schedule bimodal timing.
pub struct CommonCryptoAesTimingSource;

#[cfg(all(target_os = "macos", target_arch = "aarch64"))]
mod imp {
    use super::*;
    use crate::sources::helpers::extract_timing_entropy_debiased;
    use crate::sources::helpers::mach_time;

    // CCCrypt constants
    const CC_ENCRYPT: u32 = 0;
    const CC_AES: u32 = 0;
    const CC_CBC_MODE: u32 = 2;
    const CC_SUCCESS: i32 = 0;
    const AES_KEY_SIZE: usize = 16;
    const AES_BLOCK_SIZE: usize = 16;

    // CCCrypt is in libSystem (automatically linked on macOS); no explicit #[link] needed.
    unsafe extern "C" {
        fn CCCrypt(
            operation: u32,
            algorithm: u32,
            options: u32,
            key: *const u8,
            key_length: usize,
            iv: *const u8,
            data_in: *const u8,
            data_in_len: usize,
            data_out: *mut u8,
            data_out_available: usize,
            data_out_moved: *mut usize,
        ) -> i32;
    }

    /// Time one CCCrypt(AES-128-CBC) call in 24 MHz ticks.
    unsafe fn time_cccrypt(
        key: &[u8; AES_KEY_SIZE],
        iv: &[u8; AES_BLOCK_SIZE],
        plaintext: &[u8; AES_BLOCK_SIZE],
    ) -> Option<u64> {
        let mut ciphertext = [0u8; AES_BLOCK_SIZE];
        let mut out_moved: usize = 0;

        let t0 = mach_time();
        let status = unsafe {
            CCCrypt(
                CC_ENCRYPT,
                CC_AES,
                CC_CBC_MODE,
                key.as_ptr(),
                AES_KEY_SIZE,
                iv.as_ptr(),
                plaintext.as_ptr(),
                AES_BLOCK_SIZE,
                ciphertext.as_mut_ptr(),
                AES_BLOCK_SIZE,
                &mut out_moved,
            )
        };
        let t1 = mach_time();

        if status == CC_SUCCESS {
            Some(t1.wrapping_sub(t0))
        } else {
            None
        }
    }

    /// Probe whether CCCrypt actually works by performing a single encryption.
    fn cccrypt_probe() -> bool {
        let key = [0u8; AES_KEY_SIZE];
        let iv = [0u8; AES_BLOCK_SIZE];
        let plaintext = [0u8; AES_BLOCK_SIZE];
        // SAFETY: CCCrypt with valid buffers of correct sizes.
        unsafe { time_cccrypt(&key, &iv, &plaintext).is_some() }
    }

    impl EntropySource for CommonCryptoAesTimingSource {
        fn info(&self) -> &SourceInfo {
            &COMMONCRYPTO_AES_TIMING_INFO
        }

        fn is_available(&self) -> bool {
            static CCCRYPT_AVAILABLE: std::sync::OnceLock<bool> = std::sync::OnceLock::new();
            *CCCRYPT_AVAILABLE.get_or_init(cccrypt_probe)
        }

        fn collect(&self, n_samples: usize) -> Vec<u8> {
            // 8× oversampling
            let raw_count = n_samples * 8 + 128;
            let mut timings = Vec::with_capacity(raw_count);

            // Base key material (AES-128)
            let base_key: [u8; AES_KEY_SIZE] = [
                0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf,
                0x4f, 0x3c,
            ];
            // Base IV
            let base_iv: [u8; AES_BLOCK_SIZE] = [
                0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d,
                0x0e, 0x0f,
            ];
            // Fixed plaintext
            let plaintext: [u8; AES_BLOCK_SIZE] = [
                0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93,
                0x17, 0x2a,
            ];

            // Warmup: 32 calls to stabilise the framework dispatch layer
            for i in 0..32_usize {
                let mut key = base_key;
                for j in 0..16 {
                    key[j] = base_key[j].wrapping_add(i as u8);
                }
                let _ = unsafe { time_cccrypt(&key, &base_iv, &plaintext) };
            }

            for i in 0..raw_count {
                // Rotate key to prevent key schedule caching across samples
                let mut key = [0u8; AES_KEY_SIZE];
                for j in 0..16 {
                    key[j] = base_key[(j + i) & 15].wrapping_add((i >> 4) as u8);
                }

                if let Some(t) = unsafe { time_cccrypt(&key, &base_iv, &plaintext) } {
                    // Accept values in [0, 50_000] — reject interrupt-induced outliers
                    if t < 50_000 {
                        timings.push(t);
                    }
                }
            }

            // Bimodal peaks around 50 and 120 ticks — both are even (AES unit).
            // Shift right by 1 to bring bit-1 to LSB position.
            let shifted: Vec<u64> = timings.iter().map(|&t| t >> 1).collect();
            extract_timing_entropy_debiased(&shifted, n_samples)
        }
    }
}

#[cfg(not(all(target_os = "macos", target_arch = "aarch64")))]
impl EntropySource for CommonCryptoAesTimingSource {
    fn info(&self) -> &SourceInfo {
        &COMMONCRYPTO_AES_TIMING_INFO
    }
    fn is_available(&self) -> bool {
        false
    }
    fn collect(&self, _n_samples: usize) -> Vec<u8> {
        Vec::new()
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn info() {
        let src = CommonCryptoAesTimingSource;
        assert_eq!(src.info().name, "commoncrypto_aes_timing");
        assert!(matches!(src.info().category, SourceCategory::Microarch));
        assert_eq!(src.info().platform, Platform::MacOS);
        assert!(!src.info().composite);
    }

    #[test]
    #[cfg(all(target_os = "macos", target_arch = "aarch64"))]
    fn is_available_on_macos() {
        assert!(CommonCryptoAesTimingSource.is_available());
    }

    #[test]
    #[ignore] // Hardware-dependent bimodal timing measurement
    fn collects_bimodal_variation() {
        let src = CommonCryptoAesTimingSource;
        if !src.is_available() {
            return;
        }
        let data = src.collect(32);
        assert!(!data.is_empty());
        let unique: std::collections::HashSet<u8> = data.iter().copied().collect();
        assert!(
            unique.len() > 2,
            "expected bimodal variation from CCCrypt warm/cold paths"
        );
    }
}