[Cryptography] My comments regarding using CPU jitter for random number generation

James A. Donald jamesd at echeque.com
Wed Oct 30 05:22:19 EDT 2013


On 2013-10-30 13:47, Bill Frantz wrote:
> On 10/28/13 at 4:03 PM, tytso at mit.edu wrote:
>
>> Maybe someone can prove that there is more entropy because of some
>> instability between the oscillator used by the CPU clock and the one
>> used by the ethernet NIC, and so I'm being hopelessly
>> over-conservative.  Perhaps; but until we know for sure, using a
>> similar analysis to what I described above, I'd much rather be slow
>> than be potentially insecure.
>
> And in 5 years time, someone will build hardware that uses the same
> oscillator for both the CPU clock and the Ethernet NIC, doing to clock
> jitter entropy what solid state disks did to Don Davis' "Cryptographic
> randomness from air turbulence in disk drives" approach.

The TSC is a very fast, not very accurate clock.

It is hard to build a very accurate clock.  The TSC does not need to be 
a very accurate clock.  Therefore it will never be a very accurate clock.

Therefore, even if the adversary has perfect knowledge of the exact 
details of every interrupt and the exact time of every interrupt, he 
will not know the exact TSC value of any interrupt.

Therefore every interrupt provides at least one bit of entropy.

Therefore, by the time you have finished any non-trivial boot process,
you have enough entropy.  The only problem is whether you delay all
processes that need entropy far enough into the boot process.
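The post reasons that each interrupt's TSC reading carries at least one bit the adversary cannot predict. The following is an added example, not code from the post or from any of the mailing-list participants: it shows how a defender would measure that per-sample entropy instead of assuming it, using the simple most-common-value min-entropy point estimate (the NIST SP 800-90B style estimator, without its confidence-interval correction) applied to the low bits of counter deltas. It assumes `time.perf_counter_ns()` as a portable stand-in for reading the TSC, and the user-space read loop is a stand-in for interrupt-time sampling; both are this example's assumptions, not anything the post describes.

```python
"""Added example: estimate min-entropy per sample in the low bits of a
fast counter, rather than assuming "at least one bit per interrupt".
perf_counter_ns() stands in for rdtsc (assumption made for portability)."""
import math
import time
from collections import Counter


def low_bits(samples, bits):
    """Keep only the lowest `bits` bits of each counter sample."""
    mask = (1 << bits) - 1
    return [s & mask for s in samples]


def min_entropy_mcv(values):
    """Most-common-value min-entropy estimate: -log2 of the relative
    frequency of the most frequent symbol (SP 800-90B style point
    estimate, no confidence-interval correction)."""
    if not values:
        raise ValueError("no samples")
    counts = Counter(values)
    p_max = max(counts.values()) / len(values)
    return -math.log2(p_max)


def entropy_per_sample(samples, bits=4):
    """Min-entropy (bits) carried by the low `bits` bits of each sample."""
    return min_entropy_mcv(low_bits(samples, bits))


def collect_counter_deltas(n=4096):
    """Live sampling: deltas between consecutive reads of a fast counter.
    A user-space read loop, not interrupt timing (assumption)."""
    prev = time.perf_counter_ns()
    deltas = []
    for _ in range(n):
        now = time.perf_counter_ns()
        deltas.append(now - prev)
        prev = now
    return deltas


# Constructed samples (not measured data) so the estimator can be checked
# offline: a counter whose low nibble cycles through all 16 values equally,
# and one whose low bits are stuck on almost every sample.
CONSTRUCTED_GOOD = [i * 7 % 16 for i in range(1600)]   # each value 100 times
CONSTRUCTED_BAD = [8] * 1000 + [9] * 24                # p_max = 1000/1024


if __name__ == "__main__":
    print("constructed uniform low nibble:",
          entropy_per_sample(CONSTRUCTED_GOOD, 4), "bits/sample")
    print("constructed stuck low bits:    ",
          round(entropy_per_sample(CONSTRUCTED_BAD, 4), 3), "bits/sample")
    live = collect_counter_deltas()
    for b in (1, 2, 4, 8):
        print(f"live counter deltas, low {b} bits:",
              round(entropy_per_sample(live, b), 3), "bits/sample")
```

The live numbers depend on the machine and the counter resolution, which is the point: a coarse or quantised counter (or one driven by the same oscillator as the event source, as the quoted reply worries) shows up as a low estimate in the low bits, and the estimate should be taken over many samples before any per-event entropy credit is assigned.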
