[Cryptography] Entropy Needed for SSH Keys?

Kent Borg kentborg at borg.org
Fri May 27 10:12:28 EDT 2016


On 05/25/2016 10:25 PM, Theodore Ts'o wrote:
> Right but what are you measuring that CPU clock against? In the 
> absence of interrupts if you are running something in a tight loop, 
> and then periodically sampling the TSC, then if there is no jitter, 
> the only thing which is unknown is the starting offset of the TSC.

Sorry, I am talking about measuring against external interrupts.

I guess I am promoting that old trick of beating two clocks against each 
other. But I am impressed that one clock (in the case of Intel chips) is 
pretty special: it is running very fast, it is physically small (does 
not even exist beyond a span of a few mm), it is designed to be only 
mostly regular and not particularly stable. It drives a counter that can 
be sampled in response to an interrupt. As a bonus, this interrupt 
servicing is itself very complex--but I don't trust that either.

The other clock (interrupt) has to be much slower: The CPU is mostly for 
doing other work and doesn't want to spend all its time servicing 
interrupts, and it is physically incapable of servicing interrupts at 
anything very close to its internal clock speed.

It also seems important here that the TSC is running fast. We aren't 
talking lots of big fat nanoseconds here, we are interested in the 
precise phase on a sub-nanosecond period. I don't think we have to pine 
for sloppy mechanical stuff like keyboard and mouse activity, I think 
any interrupt from any other subsystem will do--let's fudge it and say 
"subsystem with its own crystal". Certainly anything so external as a 
network interrupt is great.

Is there a term for how far a photon can travel in a clock period? Well, 
whatever that might be called, if the physical distance of a second 
clock is on-order that far away--inches in this case--it feels like the 
problem changes. It seems there is real entropy in the analog aspects 
inside the CPU and there are theoretical problems with how well that 
could ever be communicated to a distance, and similar problems with how 
well it could ever be correlated at a distance.


Or am I being overly impressed by how fast 2GHz is?


-kb, the Kent who remembers kilocycles.
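Kent's two-clocks trick, as an added C example that is not from the post or from the list: the TSC (the fast clock) is sampled each time a periodic timer signal (standing in for an external interrupt) fires, and the low bits of each sample, the phase of the fast clock at that instant, are scored with a min-entropy estimate. It assumes x86 Linux for `__rdtsc` and falls back to CLOCK_MONOTONIC elsewhere; the 1 ms timer period and the 8-bit window are arbitrary choices.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>
#include <unistd.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static uint64_t fast_counter(void) { return __rdtsc(); }    /* fast clock: the TSC */
#else
#include <time.h>
static uint64_t fast_counter(void) {                        /* non-x86 fallback: ns clock */
    struct timespec ts; clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}
#endif

#define NSAMPLES 256
static uint64_t samples[NSAMPLES];
static volatile sig_atomic_t nsamples;

/* Slow clock: a periodic timer signal stands in for a device interrupt. */
static void on_tick(int sig) {
    (void)sig;
    if (nsamples < NSAMPLES) samples[nsamples++] = fast_counter();
}

/* log2 without libm: integer part by halving, 12 fractional bits by squaring. */
static double log2_nolibm(double x) {
    double r = 0.0;
    while (x >= 2.0) { x /= 2.0; r += 1.0; }
    while (x < 1.0)  { x *= 2.0; r -= 1.0; }
    for (double f = 0.5; f > 1.0 / 4096; f /= 2.0) { x *= x; if (x >= 2.0) { x /= 2.0; r += f; } }
    return r;
}

/* Min-entropy of the low `bits` (1..8) bits of each sample, i.e. the fast clock's phase
   when the slow clock fired: -log2(share of the most common value). Treats samples as i.i.d. */
double phase_min_entropy(const uint64_t *s, int n, int bits) {
    unsigned counts[256] = {0}, mask, max = 0;
    if (n < 1 || bits < 1 || bits > 8) return 0.0;
    mask = (1u << bits) - 1;
    for (int i = 0; i < n; i++) { unsigned v = (unsigned)(s[i] & mask); if (++counts[v] > max) max = counts[v]; }
    return -log2_nolibm((double)max / n);
}

int main(void) {
    struct itimerval it = {{0, 1000}, {0, 1000}};           /* 1 ms period */
    signal(SIGALRM, on_tick);
    setitimer(ITIMER_REAL, &it, NULL);
    while (nsamples < NSAMPLES) pause();                    /* one sample per tick */
    printf("estimated min-entropy of low 8 TSC bits: %.2f bits per event\n",
           phase_min_entropy(samples, NSAMPLES, 8));
    return 0;
}
```

A high score here is necessary but not sufficient: the estimator treats samples as independent, so a slow clock whose period is commensurate with the fast one can cycle through the low bits predictably and still score as if uniform, which is why a kernel pool conditions and mixes such samples rather than using them raw.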

