[cryptography] Quality of HAVEGE algorithm for entropy?

Joachim Strömbergson Joachim at Strombergson.com
Tue Nov 26 13:09:00 EST 2013


Fabio Pietrosanti (naif) wrote:
> I found such a very nice piece of software that's said to provide
> added entropy using HAVEGE algorithm: 
> http://www.issihosts.com/haveged/ 
> http://www.irisa.fr/caps/projects/hipsor/

Yes. I've done some testing of Havege, generating ~100 MByte of data and
testing it with Dieharder. Data generated on late x86-64 arch yielded
good quality random numbers. Havege generates entropy in good quantity
and the entropy source does not depend on an external physical source.

I have concerns though on embedded SSL stacks that use Havege as entropy
source on MCUs such as AVR32 and ARM. Havege is based on the assumption
that instruction execution varies and tries to force cache misses to
increase execution variance by forcing hitting all levels in the cache
hierarchy including main store. But on RISC architectures with few or no
levels of cache memories this assumption does not hold. Note that I have
not yet tested Havege on these architectures though.

Also, the entropy estimator supplied with Havege is (was) broken. We
tested Havege in a system simulator where we could manipulate/force the
TSC which means that Havege generated predictable values. The estimator
happily reported good entropy.

On an x86-based server you can use Havege, but use it to feed
/dev/random, not as a RNG directly. The same goes for Jytter.

-- 
Med vänlig hälsning, Yours

Joachim Strömbergson - Alltid i harmonisk svängning.
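
The forced-TSC observation above can be reproduced in miniature. The following is an added example, not part of the original message and not HAVEGE or haveged code: a toy collector (hypothetical `collect`) hashes readings from a constructed fixed-stride timer (`forced_timer`, standing in for a simulator-controlled TSC), and two simple output statistics are computed on the result.

```python
import hashlib
import math
from collections import Counter


def forced_timer():
    """Constructed stand-in for a TSC under simulator control: fixed stride."""
    t = 0
    while True:
        t += 1000
        yield t


def collect(timer, nbytes):
    """Toy collector (assumption, not HAVEGE): hash timer readings into a pool."""
    pool = b"\x00" * 32
    out = bytearray()
    while len(out) < nbytes:
        reading = next(timer).to_bytes(8, "little")
        pool = hashlib.sha256(pool + reading).digest()
        out += pool
    return bytes(out[:nbytes])


def shannon_bits_per_byte(data):
    """Byte-frequency Shannon estimate; 8.0 is the maximum."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def monobit_fraction(data):
    """Fraction of 1 bits; an unbiased stream sits near 0.5."""
    return sum(bin(b).count("1") for b in data) / (8 * len(data))


def assess(nbytes=1 << 16):
    """Score one run, then check whether a second run repeats it exactly."""
    run_a = collect(forced_timer(), nbytes)
    run_b = collect(forced_timer(), nbytes)
    return {
        "shannon": shannon_bits_per_byte(run_a),
        "monobit": monobit_fraction(run_a),
        "reproducible": run_a == run_b,
    }


if __name__ == "__main__":
    print(assess())
```

Both statistics look healthy while the two runs are byte-for-byte identical, so an estimator that only inspects output cannot tell that the timer input carried no unpredictability.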