HAVEGE: A user-level software heuristic for generating empirically strong random numbers

Random numbers with high cryptographic quality are needed to enhance the security of cryptographic applications. Software heuristics for generating empirically strong random number sequences rely on entropy gathering by measuring unpredictable external events. These generators only deliver a few bits per event, which limits them to being used as seeds for pseudorandom generators.

General-purpose processors feature a large number of hardware mechanisms that aim to improve performance: caches, branch predictors, and so on. The state of these components is not architectural (i.e., the result of an ordinary application does not depend on it). It is also volatile and cannot be directly monitored by the user. On the other hand, every operating system interrupt modifies thousands of these binary volatile states.

In this article, we present and analyze HAVEGE (HArdware Volatile Entropy Gathering and Expansion), a new user-level software heuristic to generate practically strong random numbers on general-purpose computers. The hardware clock cycle counter of the processor can be used to gather part of the entropy/uncertainty that operating system interrupts introduce into the internal states of the processor. We then show how this entropy gathering technique can be combined with pseudorandom number generation in HAVEGE. Since the internal state of HAVEGE includes thousands of internal volatile hardware states, it seems impossible, even for the user, to reproduce the generated sequences.
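The mechanism the abstract describes, reading the cycle counter around a loop whose timing depends on cache and branch-predictor state and then expanding the gathered jitter with a deterministic mixer, is illustrated by the following C program. It is an added example written for this page and is not the HAVEGE authors' code: the table size, the walk, the mixing constants and the starting state are all constructed, `__rdtsc()` stands in for the paper's "hardware clock cycle counter" on x86 (with a nanosecond clock as a portable fallback), and the min-entropy floor is a conservative check that a practitioner would want before trusting the raw timing bytes.

```c
/* Added example: HAVEGE-style entropy gathering and expansion (not the paper's code). */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 199309L     /* for clock_gettime in the non-x86 fallback */
#endif
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#endif

#define WALK_SIZE 4096u   /* size of the table the walk touches (constructed) */
#define WALK_STEPS 64     /* loads and branches per timed event (constructed) */

static uint8_t walk_table[WALK_SIZE];

/* Read the processor's cycle counter: rdtsc on x86, a nanosecond clock elsewhere. */
static uint64_t read_cycle_counter(void)
{
#if defined(__x86_64__) || defined(__i386__)
    return __rdtsc();
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
#endif
}

/* One timed "event": a walk with data-dependent loads and branches, so the
 * elapsed cycle count depends on cache and predictor state (which is
 * non-architectural, and which interrupts keep perturbing). */
static uint64_t timed_walk(uint32_t seed)
{
    uint64_t t0 = read_cycle_counter();
    uint32_t idx = seed;
    for (int i = 0; i < WALK_STEPS; i++) {
        idx = idx * 1103515245u + 12345u;            /* LCG step spreads the accesses */
        uint8_t v = walk_table[idx % WALK_SIZE];
        if (v & 1)                                   /* data-dependent branch */
            walk_table[(idx >> 4) % WALK_SIZE] ^= (uint8_t)i;
        else
            walk_table[(idx >> 8) % WALK_SIZE] += 1;
    }
    return read_cycle_counter() - t0;
}

/* Deterministic expansion step: fold a timing delta into a 64-bit state.
 * Constant add, xor, odd multiplier and xor-shift are each bijections, so
 * distinct deltas always map one state to distinct outputs. */
uint64_t mix_delta(uint64_t state, uint64_t delta)
{
    state += 0x9E3779B97F4A7C15ull;
    state ^= delta;
    state *= 0xBF58476D1CE4E5B9ull;
    state ^= state >> 31;
    return state;
}

/* Gather jitter from a chain of timed walks and expand it into nbytes of
 * output. Returns the number of bytes written. */
size_t havege_style_collect(uint8_t *out, size_t nbytes)
{
    uint64_t state = 0x2545F4914F6CDD1Dull;       /* arbitrary start (constructed) */
    size_t written = 0;
    while (written < nbytes) {
        uint64_t delta = timed_walk((uint32_t)state);
        state = mix_delta(state, delta);
        for (int b = 0; b < 8 && written < nbytes; b++)
            out[written++] = (uint8_t)(state >> (8 * b));
    }
    return written;
}

/* Conservative min-entropy floor in whole bits: the largest k such that
 * (count of the most frequent byte value) * 2^k <= n. Each event yields only
 * a few bits, so a check like this belongs before any expansion step. */
unsigned min_entropy_floor_bits(const uint8_t *samples, size_t n)
{
    size_t counts[256] = {0}, max = 0;
    for (size_t i = 0; i < n; i++)
        if (++counts[samples[i]] > max) max = counts[samples[i]];
    unsigned k = 0;
    while (max != 0 && k < 62 && (max << (k + 1)) <= n) k++;
    return k;
}

/* Constructed sample inputs for the estimator and a scratch output buffer. */
const uint8_t sample_distinct[8] = {0, 1, 2, 3, 4, 5, 6, 7};
const uint8_t sample_same[8] = {9, 9, 9, 9, 9, 9, 9, 9};
uint8_t demo_out[32];

int main(void)
{
    uint8_t raw[256];
    for (size_t i = 0; i < sizeof raw; i++)
        raw[i] = (uint8_t)timed_walk((uint32_t)i);   /* low byte of each delta */
    printf("min-entropy floor of raw low bytes: %u bits/sample\n",
           min_entropy_floor_bits(raw, sizeof raw));
    havege_style_collect(demo_out, sizeof demo_out);
    for (size_t i = 0; i < sizeof demo_out; i++) printf("%02x", demo_out[i]);
    printf("\n");
    return 0;
}
```

Run it a few times: the printed floor is typically small, which is exactly the abstract's point that each event contributes only a few bits and that the expansion step, not the raw counter, is what produces a usable stream.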
