Empirical Uncertainty Measurement


One of the main objections we received when first releasing HAVEGE was that we claim too much entropy collection after each OS interrupt.

The problem is that there exists no method to determine the entropy of a source that furnishes random data of several thousand bits (i.e. the unmonitorable hardware states after each OS interrupt).
 

Below is the algorithm we used to empirically measure the average uncertainty introduced by an OS interrupt on the I-cache + branch predictor (it does not work for Itanium):
 

int Entrop[SIZEENTROPY];
int A = 0, K = 0;
while (NBINTERRUPT < NMININT) {
    if (A == 0) A++; else A--;
    Entrop[K] = (Entrop[K] << 5) ^ (Entrop[K] >> 27) ^
        HARDTICK() ^ (Entrop[(K + 1) & (SIZEENTROPY - 1)] >> 31);
    K = (K + 1) & (SIZEENTROPY - 1);
    /* ... body repeated XX times ... */
}
 


HARDTICK() is a function that reads the hardware clock counter, tests the difference with the last read value, and increments the NBINTERRUPT counter whenever this difference exceeds a threshold, indicating that an interruption occurred between two successive calls to the function.
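
As an illustration only, here is a minimal sketch of such a function for x86, assuming the time-stamp counter (rdtsc) is used as the hardware clock counter; the variable names and the threshold value are placeholders, not the actual HAVEGE code:

#include <stdint.h>

/* Illustrative globals; these names and the threshold value are placeholders,
 * not necessarily the original HAVEGE identifiers. */
static uint64_t LASTTICK = 0;
static int NBINTERRUPT = 0;
#define INTERRUPT_THRESHOLD 2500   /* cycles; machine-dependent, assumed value */

/* Read the hardware clock counter (time-stamp counter) on x86. */
static inline uint64_t read_clock_counter(void)
{
    uint32_t lo, hi;
    __asm__ __volatile__ ("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}

/* HARDTICK: return the current counter value; when the gap since the previous
 * call exceeds the threshold, assume an OS interrupt occurred between the two
 * reads and increment NBINTERRUPT. */
static inline unsigned int HARDTICK(void)
{
    uint64_t now = read_clock_counter();
    if (LASTTICK != 0 && now - LASTTICK > INTERRUPT_THRESHOLD)
        NBINTERRUPT++;
    LASTTICK = now;
    return (unsigned int)now;
}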

Throughout the loop, HARDTICK() is called many times and the result of each read is combined through exclusive-ORs and shifts into the Entrop
array. The unrolling factor (XX) is chosen so that the loop body fits in the instruction cache (e.g. 16 Kbytes for the Pentium III or UltraSparc II) and does not overflow the branch prediction structures.
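
One possible way to express this unrolling in C is with a preprocessor macro that repeats the loop body a fixed number of times. The sketch below reuses the Entrop, A and K variables from the algorithm above; the macro names and the factor of 8 are illustrative, not the actual HAVEGE source:

/* Hypothetical unrolling of the loop body; in practice XX is tuned so the
 * unrolled code fills, but does not overflow, the I-cache and the branch
 * prediction structures. */
#define LOOP_BODY()                                                      \
    do {                                                                 \
        if (A == 0) A++; else A--;                                       \
        Entrop[K] = (Entrop[K] << 5) ^ (Entrop[K] >> 27) ^               \
            HARDTICK() ^ (Entrop[(K + 1) & (SIZEENTROPY - 1)] >> 31);    \
        K = (K + 1) & (SIZEENTROPY - 1);                                 \
    } while (0)

#define BODY_X8() \
    LOOP_BODY(); LOOP_BODY(); LOOP_BODY(); LOOP_BODY(); \
    LOOP_BODY(); LOOP_BODY(); LOOP_BODY(); LOOP_BODY()

while (NBINTERRUPT < NMININT) {
    BODY_X8();   /* the whole unrolled body executes on every loop iteration */
}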

The while loop runs until the number of encountered interruptions reaches NMININT. SIZEENTROPY is the size of the table used for
gathering the read values of the hardware clock counter. The flow of instructions executed by the loop body of the algorithm is
completely deterministic. Therefore, in the absence of operating system interrupts, the contents of the instruction cache and of the branch
predictor should be completely predictable: we checked that the iterations of the loop just after an interruption present much more uncertainty than the iterations that occur long after the last interruption.

The Entrop array gathers (part of) the uncertainty injected into the instruction cache and the branch predictor by the operating system
interrupts. The content of the Entrop array is recorded in a file and the array is reinitialized to zero.
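
A minimal sketch of this recording step is given below; the file name and the use of fwrite/memset are our assumptions, not the original code:

#include <stdio.h>
#include <string.h>

/* Illustrative recording step: append the collected values to a file for
 * later statistical testing, then clear the array for the next run. */
static void dump_and_reset(int Entrop[], size_t n)
{
    FILE *f = fopen("entrop.dat", "ab");     /* placeholder file name */
    if (f != NULL) {
        fwrite(Entrop, sizeof Entrop[0], n, f);
        fclose(f);
    }
    memset(Entrop, 0, n * sizeof Entrop[0]); /* reinitialize to zero */
}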

Fixing SIZEENTROPY to 65536, we determined the threshold for NMININT above which the content of the Entrop array can be CONSISTENTLY
considered as random, i.e. it cannot be distinguished from truly random numbers by our battery of tests (DieHard + ent + FIPS 140). By consistently, we mean that we obtained such results under many different workloads.