
The entropy of a distributed computation random number generation from memory interleaving

Published in: Distributed Computing

Abstract

We ask to what extent processes communicating through shared memory can extract randomness from their underlying scheduler, e.g., to generate random numbers for cryptographic applications. We introduce the quantitative notions of entropy rate and information capacity of a distributed algorithm. Whilst the entropy rate measures the Shannon information that may pass from a given scheduler to the processes executing the algorithm, the information capacity measures the optimal entropy rate over all possible schedulers. We present a general method for computing these quantities by classifying distributed algorithms according to their pattern of shared memory accesses. We then address the issue of effectively extracting, online, the information produced by the scheduler into a meaningful format at every process. We present Duez, an algorithm solving this problem with optimal memory consumption. Putting these principles into practice, we introduce Co-RNG, a random number generator that leverages the unpredictability of modern processors' state. The power of Co-RNG comes from its simplicity. No specialized hardware is required: two concurrent threads actively perform successive reads and writes to shared memory locations. Another thread collects the sequences of values read by these two threads and seeks to reconstruct the interleaving of read and write operations. The resulting (Markovian) interaction scheme is then used to produce random bits. This simplicity yields a transparent behavior: if the hardware exhibits enough entropy, then Co-RNG efficiently extracts random numbers from it. We successfully experimented with Co-RNG on various idle as well as loaded platforms, from laptops and desktops featuring Intel Core processors to servers with Intel Xeon and AMD Opteron. Co-RNG passes all state-of-the-art random number generator statistical test suites while being faster than current I/O-sampling-based methods by 2–3 orders of magnitude.
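The scheme the abstract describes, as an added example written for this page (it is not the paper's Co-RNG or Duez code; the single-writer register layout, the step-string scheduler model and every function name are this example's own assumptions): two processes each repeat a round made of one write to their own register followed by one read of the other's register. A collector that sees only the two read traces recovers a partial order on the steps, a simplified offline version of the reconstruction problem that Duez solves online in Appendix A, and the schedule symbols are then turned into bits. The last function computes the Shannon entropy rate of a scheduler modelled as a Markov chain, the quantity the abstract calls the entropy rate.

```python
"""Added example (not the paper's Co-RNG or Duez code): a minimal model of the
write/read round scheme from the abstract.  P0 and P1 each repeat rounds of
(write my round number to my own register, read the other's register).  The
scheduler picks the interleaving; the values each process reads are a function
of it, so a collector that only sees the two read traces learns something
about the schedule, and that is the randomness being harvested.  The register
layout, the step-string scheduler model and all names are assumptions."""
import math


def run_schedule(schedule):
    """Simulate both processes under `schedule`, a string over {'0','1'} where
    each character is the next step (write, then read, alternating) of that
    process.  Returns the read traces [reads of P0, reads of P1]."""
    reg = [0, 0]                  # single-writer shared registers R0, R1
    rounds = [0, 0]               # rounds started by each process
    next_is_write = [True, True]
    reads = [[], []]
    for c in schedule:
        i = int(c)
        if next_is_write[i]:
            rounds[i] += 1
            reg[i] = rounds[i]            # W_i: publish my round number
        else:
            reads[i].append(reg[1 - i])   # R_i: how far has the other got?
        next_is_write[i] = not next_is_write[i]
    return reads


def reconstruct(reads):
    """Collector side: rebuild one interleaving consistent with the read traces
    (complete rounds assumed).  A value v read by P_i at its k-th round pins
    R_i^k after W_{1-i}^v and before W_{1-i}^{v+1}; with program order this is
    a partial order, and the schedules the collector cannot tell apart are
    exactly its linear extensions.  We return the lexicographically first one."""
    n = [len(reads[0]), len(reads[1])]
    events = [(i, k, op) for i in (0, 1) for k in range(1, n[i] + 1) for op in "WR"]
    succ = {e: set() for e in events}
    for i in (0, 1):
        for k in range(1, n[i] + 1):
            succ[(i, k, "W")].add((i, k, "R"))              # program order
            if k < n[i]:
                succ[(i, k, "R")].add((i, k + 1, "W"))
            v = reads[i][k - 1]
            if v > 0:
                succ[(1 - i, v, "W")].add((i, k, "R"))      # W_{1-i}^v before R_i^k
            if v + 1 <= n[1 - i]:
                succ[(i, k, "R")].add((1 - i, v + 1, "W"))  # R_i^k before W_{1-i}^{v+1}
    indeg = {e: 0 for e in events}
    for e in events:
        for f in succ[e]:
            indeg[f] += 1
    ready = sorted(e for e in events if indeg[e] == 0)      # Kahn's algorithm
    order = []
    while ready:
        e = ready.pop(0)
        order.append(e)
        for f in succ[e]:
            indeg[f] -= 1
            if indeg[f] == 0:
                ready.append(f)
        ready.sort()
    return "".join(str(e[0]) for e in order)


def von_neumann(symbols):
    """Von Neumann's pair trick (ref. 44 of the paper) on the symbol stream:
    '01' -> 0, '10' -> 1, equal pairs discarded.  Unbiased only for independent,
    identically distributed pairs; the paper extracts from a Markov chain with
    the Blum-Elias generalisation of ref. 54 instead, which is not shown here."""
    bits = []
    for x, y in zip(symbols[0::2], symbols[1::2]):
        if x != y:
            bits.append(0 if x < y else 1)
    return bits


def markov_entropy_rate(P, iters=1000):
    """Shannon entropy rate, in bits per step, of a scheduler modelled as an
    ergodic Markov chain with transition matrix P (rows sum to 1): the average
    conditional entropy of the next step given the current state."""
    n = len(P)
    pi = [1.0 / n] * n
    for _ in range(iters):                                  # stationary distribution
        pi = [sum(pi[i] * P[i][j] for i in range(n)) for j in range(n)]
    return -sum(pi[i] * P[i][j] * math.log2(P[i][j])
                for i in range(n) for j in range(n) if P[i][j] > 0)


if __name__ == "__main__":
    sched = "001101011100"                    # constructed: 3 rounds per process
    reads = run_schedule(sched)
    print("read traces   :", reads)            # [[0, 2, 3], [1, 2, 2]]
    print("reconstructed :", reconstruct(reads))  # 001101011100
    print("bits          :", von_neumann(sched))  # [0, 0]
    # Two linearisations of one partial order: the collector sees no difference.
    print(run_schedule("0101") == run_schedule("1001"))     # True
    # Sticky scheduler (stays on the same thread 90% of the time) vs. a fair coin.
    print(markov_entropy_rate([[0.9, 0.1], [0.1, 0.9]]))    # ~0.469 bits/step
    print(markov_entropy_rate([[0.5, 0.5], [0.5, 0.5]]))    # 1.0
```

Running the block shows that schedules which differ only where no read can observe the difference (`0101` and `1001`) produce identical traces, so the collector can harvest at most the entropy of the partial order, not the raw entropy of the scheduler; this is the gap that the paper's classification by memory-access pattern quantifies.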


Notes

  1. A cryptographically secure PRNG “only” ensures that (under unproven assumptions in complexity theory, e.g., existence of one-way functions), the adversary cannot learn the seed from the output of the PRNG. Yet, the adversary may use indirect means (e.g., knowledge of a flaw in the implementation of the seed generation) to get information on the seed, and thus on the current state of the PRNG.

  2. Servers without any user interface.

  3. We assume that all rounds follow the same communication pattern.

  4. Unfortunately, there is no simple way to present all the cases. Our most compact presentation takes the form of a tree as presented in “Appendix A”.

  5. This is achieved using the CLFLUSH x86 instruction that invalidates the cache line through the whole cache hierarchy.

  6. We store two successive symbols of the trace into one byte. In particular, the number of rounds executed by each process equals the requested number N of bytes.

  7. https://infoscience.epfl.ch/record/221670/files/corng.tar.bz2.

  8. We could not measure this value because the implementation of HAVEGE does not allow direct access to the output of HAVEG.

  9. We thank the reviewers for letting us know about this work.

  10. Many developers have voiced their concern about the extent to which one can trust RD_RAND [5].

References

  1. DieHarder: A random number test suite. http://www.phy.duke.edu/~rgb/General/dieharder.php

  2. ENT—a pseudorandom number sequence test program. http://fourmilab.ch/random

  3. ID Quantique—quantum-safe crypto-photon counting—randomness. http://www.idquantique.com/

  4. Tails bug report #7675. https://labs.riseup.net/code/issues/7675

  5. Tor bug report #10402. https://trac.torproject.org/projects/tor/ticket/10402

  6. Intel Digital Random Number Generator (DRNG) Software Implementation Guide. https://software.intel.com/sites/default/files/m/d/4/1/d/8/441_Intel_R__DRNG_Software_Implementation_Guide_final_Aug7.pdf (2012)

  7. Aaronson, S.: Quantum randomness. Am. Sci. 102(4), 266 (2014). doi:10.1511/2014.109.266

  8. Aaronson, S.: The quest for randomness. Am. Sci. 102(3), 170 (2014). doi:10.1511/2014.108.170

  9. Abbes, S.: The information rate of asynchronous sources. In: Information and Communication Technologies, 2006. ICTTA ’06. 2nd, vol. 2, pp. 3463–3467. IEEE, Damascus, 24–28 Apr (2006). doi:10.1109/ICTTA.2006.1684974

  10. Agafin, S., Krasnopevtsev, A.: Memory access time as entropy source for RNG. In: Proceedings of the 7th International Conference on Security of Information and Networks, SIN ’14, pp. 176:176–176:179. ACM, New York, NY, USA (2014). doi:10.1145/2659651.2659695

  11. Alistarh, D., Censor-Hillel, K., Shavit, N.: Are lock-free concurrent algorithms practically wait-free? In: Symposium on Theory of Computing, STOC 2014, New York, NY, USA, May 31–June 03, 2014, pp. 714–723 (2014). doi:10.1145/2591796.2591836

  12. Alistarh, D., Sauerwald, T., Vojnovic, M.: Lock-free algorithms under stochastic schedulers. In: Proceedings of the 2015 ACM Symposium on Principles of Distributed Computing, PODC 2015, Donostia-San Sebastián, Spain, July 21–23, 2015, pp. 251–260 (2015). doi:10.1145/2767386.2767430

  13. Anthes, G.: The quest for randomness. Commun. ACM 54(4), 13–15 (2011). doi:10.1145/1924421.1924427

  14. Aspnes, J.: Fast deterministic consensus in a noisy environment. J. Algorithms 45(1), 16–39 (2002). doi:10.1016/S0196-6774(02)00220-1

  15. Barker, E., Kelsey, J.: Recommendation for random bit generator (RBG) constructions. SP 800-90C (2012)

  16. Barker, E., Kelsey, J.: Recommendation for random number generation using deterministic random bit generators. SP 800-90A (2012)

  17. Barker, E., Kelsey, J.: Recommendation for the entropy sources used for random bit generation. SP 800-90B (2012)

  18. Bhat, B., Mueller, F.: Making DRAM refresh predictable. Real Time Syst. 47(5), 430–453 (2011). doi:10.1007/s11241-011-9129-6

  19. Blanchard, P., Guerraoui, R., Stainer, J., Zablotchi, I.: The disclosure power of shared objects. In: Networked Systems—5th International Conference, NETYS 2017, Marrakech, Morocco, May 17–19, 2017, Proceedings, pp. 222–227 (2017). doi:10.1007/978-3-319-59647-1_17

  20. Colesa, A., Tudoran, R., Banescu, S.: Software random number generation based on race conditions. In: SYNASC 2008, 10th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing, Timisoara, Romania, 26–29 September 2008, pp. 439–444 (2008). doi:10.1109/SYNASC.2008.36

  21. Davis, D., Ihaka, R., Fenstermacher, P.: Cryptographic randomness from air turbulence in disk drives. In: Desmedt, Y. (ed.) Advances in Cryptology—CRYPTO ’94, Lecture Notes in Computer Science, vol. 839, pp. 114–120. Springer, Berlin (1994). doi:10.1007/3-540-48658-5_13

  22. Devietti, J., Lucia, B., Ceze, L., Oskin, M.: DMP: Deterministic shared memory multiprocessing. In: Proceedings of the 14th International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS XIV, pp. 85–96. ACM, New York, NY, USA (2009). doi:10.1145/1508244.1508255

  23. Diffie, W., Van Oorschot, P., Wiener, M.: Authentication and authenticated key exchanges. Des. Codes Cryptogr. 2(2), 107–125 (1992). doi:10.1007/BF00124891

  24. Dingledine, R., Mathewson, N., Syverson, P.: Tor: the second-generation Onion Router. https://svn.torproject.org/svn/projects/design-paper/tor-design.html

  25. Fidge, C.J.: Timestamps in message passing systems that preserve the partial ordering. In: Australian Computer Science Conference (1988)

  26. Fidge, C.J.: A limitation of vector timestamps for reconstructing distributed computations. Inf. Process. Lett. 68(2), 87–91 (1998). doi:10.1016/S0020-0190(98)00143-4

  27. Fischer, M.J., Michael, A.: Sacrificing serializability to attain high availability of data. In: Proceedings of the ACM Symposium on Principles of Database Systems, March 29–31, 1982, Los Angeles, California, USA, pp. 70–75 (1982). doi:10.1145/588111.588124

  28. Goubault, E.: Geometry and concurrency: a user’s guide. Math. Struct. Comput. Sci. 10(4), 411–425 (2000). http://journals.cambridge.org/action/displayAbstract?aid=54593

  29. Gutterman, Z., Pinkas, B., Reinman, T.: Analysis of the Linux Random Number Generator. In: 2006 IEEE Symposium on Security and Privacy (S&P 2006), 21–24 May 2006, Berkeley, California, USA, pp. 371–385 (2006). doi:10.1109/SP.2006.5

  30. Heninger, N., Durumeric, Z., Wustrow, E., Halderman, J.A.: Mining your Ps and Qs: detection of widespread weak keys in network devices. In: Presented as part of the 21st USENIX Security Symposium (USENIX Security 12), pp. 205–220. USENIX, Bellevue, WA (2012). https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/heninger

  31. Herlihy, M., Kozlov, D.N., Rajsbaum, S.: Distributed Computing Through Combinatorial Topology. Morgan Kaufmann (2013). https://store.elsevier.com/product.jsp?isbn=9780124045781

  32. Herlihy, M., Wing, J.M.: Linearizability: a correctness condition for concurrent objects. ACM Trans. Program. Lang. Syst. 12(3), 463–492 (1990). doi:10.1145/78969.78972

  33. Jakobsson, M., Shriver, E., Hillyer, B.K., Juels, A.: A practical secure physical random bit generator. In: Fifth ACM Conference on Computer and Communications Security, pp. 103–111 (1998)

  34. Lamport, L.: Time, clocks, and the ordering of events in a distributed system. Commun. ACM 21(7), 558–565 (1978). doi:10.1145/359545.359563

  35. Lamport, L.: The mutual exclusion problem—part I: a theory of interprocess communication. J. ACM 33, 313–326 (1986)

  36. Lamport, L.: The mutual exclusion problem—part II: statement and solutions. J. ACM 33, 327–348 (1986)

  37. Lamport, L.: On interprocess communication. Distrib. Comput. 1, 86–101 (1986)

  38. Li, M., Vitányi, P.M.B.: An Introduction to Kolmogorov Complexity and Its Applications. Texts in Computer Science, 3rd edn. Springer, Berlin (2008)

  39. Lu, M., Fang, J.Z.: A solution of the cache ping-pong problem in multiprocessor systems. J. Parallel Distrib. Comput. 16(2), 158–171 (1992)

  40. Luby, M.G.: Pseudorandomness and Cryptographic Applications. Princeton University Press, Princeton (1994)

  41. Marandi, A., Leindecker, N.C., Vodopyanov, K.L., Byer, R.L.: All-optical quantum random bit generation from intrinsically binary phase of parametric oscillators. Opt. Express 20(17), 19322–19330 (2012). doi:10.1364/OE.20.019322. http://www.opticsexpress.org/abstract.cfm?URI=oe-20-17-19322

  42. Mezard, M., Montanari, A.: Information, Physics, and Computation. Oxford University Press Inc., New York (2009)

  43. Müller, S.: CPU time jitter based non-physical true random number generator. In: Ottawa Linux Symposium (2014)

  44. Neumann, J.V.: Various techniques used in connection with random digits. Appl. Math. Ser. 12, 36–38 (1951)

  45. Nisan, N., Zuckerman, D.: Randomness is linear in space. J. Comput. Syst. Sci. 52(1), 43–52 (1996). doi:10.1006/jcss.1996.0004

  46. Potter, B., Wood, S.: Understanding and managing entropy usage. BlackHat, Las Vegas, Nevada (2015)

  47. Pratt, V.R.: Modeling concurrency with geometry. In: Conference Record of the Eighteenth Annual ACM Symposium on Principles of Programming Languages, Orlando, Florida, USA, January 21–23, 1991, pp. 311–322 (1991). doi:10.1145/99583.99625

  48. Raynal, M.: Concurrent Programming—Algorithms, Principles, and Foundations. Springer, Berlin (2013). doi:10.1007/978-3-642-32027-9

  49. Rukhin, A., Soto, J., Nechvatal, J., Smid, M., Barker, E., Leigh, S., Levenson, M., Vangel, M., Banks, D., Heckert, A., Dray, J., Vo, S., Bassham III, L.E.: A statistical test suite for random and pseudorandom number generators for cryptographic applications. SP 800-22 Rev. 1a (2010)

  50. Santha, M., Vazirani, U.V.: Generating quasi-random sequences from semi-random sources. J. Comput. Syst. Sci. 33(1), 75–87 (1986). doi:10.1016/0022-0000(86)90044-9

  51. Seznec, A., Sendrier, N.: HAVEGE: a user-level software heuristic for generating empirically strong random numbers. ACM Trans. Model. Comput. Simul. 13(4), 334–346 (2003). doi:10.1145/945511.945516

  52. Shaltiel, R.: Recent developments in explicit constructions of extractors. Bull. Eur. Assoc. Theor. Comput. Sci. (EATCS) 77, 67–95 (2002)

  53. Shannon, C.E.: A mathematical theory of communication. ACM SIGMOBILE Mob. Comput. Commun. Rev. 5(1), 3–55 (2001)

  54. Zhou, H., Bruck, J.: Generalizing the Blum-Elias method for generating random bits from Markov chains. In: Proceedings of IEEE International Symposium on Information Theory (ISIT) (2010)


Corresponding author

Correspondence to Peva Blanchard.

Additional information

This work has been supported in part by the European ERC Grant 339539 -AOC.

Appendix A: a description of Duez


In this section, we give a detailed description of Duez. Each iteration of the detection loop is split into two parts. The conditional block at lines 14–31 rebuilds steps of schedules whose reconstruction stopped at a point where both processes are about to write. Symmetrically, the block at lines 32–46 rebuilds steps starting with a read for both processes.

Note that in both blocks, steps are pushed in only two ways. Either an even number of steps of the same process is appended to the schedule (lines 17, 24, 35 and 39), or one step of each process is added (lines 27 and 42). Since both processes start by writing, it follows that, at any moment in the rebuilt schedule, the processes are either both about to write or both about to read. Similarly, the variables \(my\_steps\) and \(her\_steps\) are updated at lines 18, 25, 28–29, 36, 40 and 43–44 to keep track of the number of steps rebuilt for each process. These variables are consequently always both even (when both processes are about to write) or both odd (when both are about to read).

Fig. 21: Round-trip from the point of view of \(P_0\)

Fig. 22: Possible schedules starting by write operations and pending detection

Fig. 23: Possible schedules starting by read operations and pending detection

Fig. 24: Final values of the journal variables of \(P_0\)

The structure of the two conditional blocks is very similar. Process \(P_i\) first checks (lines 14 or 32) if a full round-trip (see Sect. 5.2) occurred in the schedule between the end of its last fully rebuilt round and the current round. This means that an ordered chain of events as displayed in Fig. 21 took place since the last of its fully rebuilt rounds. The index e computed at line 15 (resp. 33) captures the oldest entry in the journal of process \(P_{1-i}\) concerning a round of process \(P_i\) that has not been fully rebuilt yet (if both processes are about to read, the corresponding write may have been rebuilt already).

We now proceed to the analysis of the different conditional branches. To visualize the reconstruction loop, we present in Figs. 22 and 23 the trees of all possible schedules containing one round-trip from the point of view of \(P_0\). The operations marked in blue form the communication round-trip.

We focus first on Fig. 22. This tree describes the possibilities when both processes are about to write, and corresponds to the conditional block at line 14. In branches A to D, the conditional block reconstructs the sequence \((W_1R_1)^a (W_0R_0)^b (W_0 || W_1)\); in the other branches, it reconstructs the sequence \((W_1R_1)^a (W_0R_0)^{b+1}\). The condition at line 19 matches branches A, B, C, F, G and H, and, if \(c \ne 0\), branch D as well. The condition at line 26 matches branches A to D.

Figure 23 presents the tree of possibilities when both processes are about to read, which corresponds to the conditional block at line 32. The condition at line 37 matches branch D.

The main technical difficulty in the algorithm is the computation of the several exponents (e.g., \((W_1R_1)^a\)) from the different counters in the journal. We illustrate such a computation on branch G of Fig. 22; the other cases are treated similarly. Figure 24 gives the values of the journal variables (\(my\_jour\) and \(her\_jour\)) of \(P_0\) at the end of schedule G. Schedule G is divided into 11 segments. We assume that the exponents a and m are non-zero. Entry 1 of \(my\_jour\) is recorded during the first round \(W_0R_0\) of segment 1, since this is the first time that \(P_0\) learns something new about \(P_1\) (assuming \(a \ne 0\)). More precisely, at this moment, \(P_0\) learns at its round \(\frac{my\_steps}{2}\) that \(P_1\) has completed \(a-1\) more rounds since her last reconstructed round \(\frac{her\_steps}{2}\). A similar argument shows that entry 0 of \(my\_jour\) is recorded right after the read \(R_0\) of segments 5 and 11. Entry 2 of \(her\_jour\) is recorded (by \(P_1\)) after the read \(R_1\) of segment 4. Entry 1 of \(her\_jour\) is recorded after the read \(R_1\) of segment 7. Entry 0 of \(her\_jour\) is recorded after the first read \(R_1\) of segment 10.

After the last read of segment 11, process \(P_0\) triggers a reconstruction loop, since the condition at line 14 in Algorithm 2 is satisfied. The value e computed at line 15 is \(e = 2\). The value \(\alpha \) computed at line 16 is \(\alpha = a\). Process \(P_0\) then (correctly) pushes the segment \((W_1R_1)^a\) and increments the variable \(her\_steps\) accordingly. The condition at line 19 is not satisfied, so the value \(\beta \) computed at line 20 is \(\beta = b+1\). Process \(P_0\) then pushes \((W_0R_0)^{b+1}\) and increments the variable \(my\_steps\) accordingly. At this point, the conditions at lines 14 and 32 (checking that there is one round-trip) have become false: process \(P_0\) needs to wait for another round-trip to complete before reconstructing further steps.

Thanks to the fairness condition, there will always be enough round-trips for both processes to keep progressing in their reconstruction. Thus, Duez solves the reconstruction problem.


Cite this article

Antoniadis, K., Blanchard, P., Guerraoui, R. et al. The entropy of a distributed computation random number generation from memory interleaving. Distrib. Comput. 31, 389–417 (2018). https://doi.org/10.1007/s00446-017-0311-5


  • DOI: https://doi.org/10.1007/s00446-017-0311-5
