[cryptography] Quality of HAVEGE algorithm for entropy?

Joachim Strömbergson Joachim at Strombergson.com
Fri Nov 29 05:22:29 EST 2013

Hash: SHA1


Stephan Mueller wrote:
> I am doing a lot of research in this area these days. If you imply
> that main storage means RAM outside the caches, I think your
> statement is not entirely correct.

Yes, main store is RAM.

>> From the first rounds of testing, I think I see the following:

What CPU is this? From your description it sounds to me like a x86,
modern high performance CPU with instructions that has different cycle
times and multiple levels of caches. On these types of CPUs, yes you
don't need to hit main memory to get execution time variance.

What I was trying to say is that Havege running on MCUs (AVR, AVR32,
PIC, PIC32, ARM Cortex M0 etc) where instructions in general takes the
same number of cycles to execute and where caches are few (few levels),
have simple or even no replacement policy (it is done by SW control),
the assumptions in Havege is not really present. And that this change in
physical setup _should_ affect the variance measured. But again, I
haven't tested it yet.

> - disabling the caches completely introduces massive variations

That is interesting. For a sequence of the same type of instructions?

> ==> My current hunch is that the differences in the clock speeds that
>  drive the CPU versus the clock speed driving the memory locations
> that you access (either for instruction or data fetches) are the key
> driver of variations.

It's more of a clock descynchronization effect?

> I do not concur here, because even IF the VM host does some RDTSC 
> emulation, the emulation code is subject to the fundamental jitter
> problem outlined above. Hence, I do not think that the jitter can be
> eliminated by virtualization.

I would say that Intel, Wind River would have a different opinion. It is
in fact one of the things you can control. You can lock the RDTSC to
provide all kinds of sequences in related to the CPU or clock or
otherwise. This is actually what is being used to protect against timing
side channel attacks between VMs, processes.

> [1] http://www.chronox.de

Very cool. How does [1] compare functionally to jytter?

Side note, on [1] you state that it is "a non-physical true random
number generator". I would say that it is a physical RNG. It measures
physical events. But it does not measure events _outside_ the CPU.

- -- 
Med vänlig hälsning, Yours

Joachim Strömbergson - Alltid i harmonisk svängning.
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/


More information about the cryptography mailing list