[Cryptography] My comments regarding using CPU jitter for random number generation

Stephan Mueller smueller at chronox.de
Wed Oct 30 14:14:32 EDT 2013


Am Mittwoch, 30. Oktober 2013, 19:22:19 schrieb James A. Donald:

Hi James,

>On 2013-10-30 13:47, Bill Frantz wrote:
>> On 10/28/13 at 4:03 PM, tytso at mit.edu wrote:
>>> Maybe someone can prove that there is more entropy because of some
>>> instability between the oscillator used by the CPU clock and the one
>>> used by the ethernet NIC, and so I'm being hopelessly
>>> over-conservative.  Perhaps; but until we know for sure, using a
>>> similar analysis to what I described above, I'd much rather be slow
>>> than be potentially insecure.
>> 
>> And in 5 years time, someone will build hardware that uses the same
>> oscillator for both the CPU clock and the Ethernet NIC, doing to
>> clock
>> jitter entropy what solid state disks did to Don Davis'
>> "Cryptographic
>> randomness from air turbulence in disk drives" approach.
>
>The TSC is a very fast, not very accurate clock.

A fast clock on my design is important, but its accuracy is not. In fact,
the less accurate the clock is, the better.

But do you have an idea how inaccurate that clock is?
>
>It is hard to build a very accurate clock.  The TSC does not need to be
>a very accurate clock.  Therefore it will never be a very accurate
>clock.
>
>Therefore, even if the adversary has perfect knowledge of the exact
>details of every interrupt and the exact time of every interrupt, he
>will not know the exact TSC value of any interrupt.
>
>Therefore every interrupt provides at least one bit of entropy.

Well, that only applies if the inaccuracy is more than one tick.

Ciao
Stephan
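The condition stated above (a timestamp counter only contributes entropy when the timing noise exceeds one tick of the counter) can be checked numerically. The following is an added example, not code from Stephan's jitter generator or from this thread: it takes a series of execution-time deltas, quantizes them to an assumed counter resolution, and applies the conservative most-common-value min-entropy bound (the -log2(p_max) estimate from SP 800-90B, without its confidence adjustment). The sample deltas are constructed with a seeded Gaussian model, not measured from real hardware.

```python
import math
import random
from collections import Counter


def min_entropy_per_sample(samples):
    """Most-common-value min-entropy bound in bits per sample: -log2(p_max).

    This is deliberately pessimistic: it only credits the samples for how
    unpredictable the single most frequent value is.
    """
    if not samples:
        raise ValueError("need at least one sample")
    p_max = max(Counter(samples).values()) / len(samples)
    return -math.log2(p_max)


def quantize(deltas_ns, tick_ns):
    """Model reading the deltas with a counter whose resolution is tick_ns.

    Every true delta is truncated to whole ticks; jitter smaller than one tick
    is invisible to the reader of the counter.
    """
    if tick_ns <= 0:
        raise ValueError("tick size must be positive")
    return [d // tick_ns for d in deltas_ns]


def simulated_jitter(n, mean_ns, sigma_ns, seed=0):
    """Constructed sample of execution-time deltas (NOT real TSC measurements):
    Gaussian noise of sigma_ns around mean_ns, clamped at zero."""
    rng = random.Random(seed)
    return [max(0, int(rng.gauss(mean_ns, sigma_ns))) for _ in range(n)]


def entropy_vs_resolution(deltas_ns, tick_sizes):
    """Min-entropy estimate of the same deltas under several counter resolutions."""
    return {t: min_entropy_per_sample(quantize(deltas_ns, t)) for t in tick_sizes}


if __name__ == "__main__":
    # Assumed scenario: ~20 ns of timing noise around a 500 ns operation.
    deltas = simulated_jitter(2000, mean_ns=500, sigma_ns=20)
    for tick, bits in entropy_vs_resolution(deltas, [1, 10, 100, 1000]).items():
        print(f"tick = {tick:5d} ns -> {bits:.2f} bits/sample")
```

With a 1 ns tick the noise spreads the readings over dozens of values; once the tick is coarser than the noise (1000 ns here) every reading truncates to the same value and the estimate drops to zero, which is the "inaccuracy is more than one tick" condition in numbers.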

