HAVEGE [ HArdware Volatile Entropy Gathering and Expansion ]

Abstract

Random numbers with high cryptographic quality are needed to enhance the security of cryptography applications. Software heuristics for generating empirically strong random number sequences rely on entropy gathering by measuring unpredictable external events. These generators only deliver a few bits per event. This limits them to being used as seeds for pseudorandom generators. General-purpose processors feature a large number of hardware mechanisms that aim to improve performance: caches, branch predictors, ... The state of these components is not architectural (i.e., the result of an ordinary application does not depend on it). It is also volatile and cannot be directly monitored by the user. On the other hand, every operating system interrupt modifies thousands of these binary volatile states. In this article, we present and analyze HAVEGE (HArdware Volatile Entropy Gathering and Expansion), a new user-level software heuristic to generate practically strong random numbers on general-purpose computers. The hardware clock cycle counter of the processor can be used to gather part of the entropy/uncertainty introduced by operating system interrupts in the internal states of the processor. Then, we show how this entropy gathering technique can be combined with pseudorandom number generation in HAVEGE. Since the internal state of HAVEGE includes thousands of internal volatile hardware states, it seems impossible even for the user itself to reproduce the generated sequences.

 

Abstract

The availability of a random number generator with high cryptographic qualities on a computer is one of the central issues of cryptographic implementations. HAVEGE (HArdware Volatile Entropy Gathering and Expansion) is a new software heuristic for generating unpredictable random numbers on PC s and workstations. PCs and workstations are built around modern superscalar microprocessors. These processors feature complex hardware mechanisms that aim to increase performance. A significant part of the global state of the microprocessor is not architecturally visible through the instruction set (e.g. caches, branch predictors and buffers). HAVEGE leverages the uncertainty introduced in the internal states of the processor by external events. HAVEGE combines entropy/uncertainty gathering from the architecturally invisible states of a modern superscalar microprocessor with pseudo-random number generation. First we show that the hardware clock cycle counter of the processor can be used to gather part of the uncertainty introduced by operating system interruptions in the internal state of the processor. Tens of thousands of unpredictable bits can be gathered per operating system interruption in average. Then, we show how this entropy gathering technique can be combined with pseudo-random number generation in HAVEGE. Since the internal state of HAVEGE includes thousands of internal volatile hardware states, HAVEGE features a very high security level. HAVEGE also reaches an unprecedented throughput for a software unpredictable random number generator: more than 100 Mbits/s with off-the-shelf workstations and PCs.