[cryptography] Intel RNG

Joachim Strömbergson Joachim at Strombergson.com
Tue Jun 19 07:06:31 EDT 2012


On 2012-06-19 11:30 , coderman wrote:
> On Tue, Jun 19, 2012 at 12:48 AM, Marsh Ray <marsh at extendedsubset.com> wrote:
>> So something is causing AES-NI to take 300 clocks/block to run this DRBG.
>> Again, more than 3x slower than the benchmarks I see for the hardware
>> primitive. My interpretation is that either RdRand is blocking due to
>> "entropy depletion", there's some internal data pipe bottleneck, or maybe
>> some of both.
> it is also seeding from the physical noise sources, running sanity
> checks of some type, and then handing over to DRBG. so there is
> clearly more involved than just a call to AES-NI. 3x as expensive
> doesn't sound unreasonable if the seeding and validation overhead is
> significant.

I might be missing something. But is it clear that Bull Mountain is
actually using AES-NI? I assumed that one would like to use a separate
HW-engine. Reading from the CRI paper seems (to me) to suggest that this
is actually the case:

"Entropy conditioning is done via two independent AES-CBC-MAC chains,
one for the generator’s key and one for its counter. AES-CBC-MAC should
be suitable as an entropy extractor, and allows reuse of the module’s
AES hardware."

Kind regards, Yours

Joachim Strömbergson - Always in harmonic oscillation.
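As an added illustration of the conditioning step the quoted CRI passage describes (example code written for this archive page, not from the post, the CRI paper, or Intel): two independent AES-CBC-MAC chains over the same batch of raw samples yield the generator's key and its counter, which then seed an AES-CTR generator. The chain keys, the constructed sample input, and the omission of health tests and reseeding are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// newAES builds an AES block for a 16-byte key; a failure here would be a bug, so it panics.
func newAES(key []byte) cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

// cbcMAC: one raw AES-CBC-MAC chain (zero IV) over raw, zero-padded to a block multiple; returns the final 16-byte chaining value.
func cbcMAC(chainKey, raw []byte) []byte {
	block := newAES(chainKey)
	padded := make([]byte, (len(raw)+15)/16*16)
	copy(padded, raw)
	mac := make([]byte, 16)
	for i := 0; i < len(padded); i += 16 {
		for j := range mac {
			mac[j] ^= padded[i+j]
		}
		block.Encrypt(mac, mac)
	}
	return mac
}

// Condition derives the generator key and counter from one batch of raw samples with two
// independent CBC-MAC chains; the chain keys are hypothetical constants, not from the page.
func Condition(raw []byte) (key, counter []byte) {
	return cbcMAC(bytes.Repeat([]byte{0x01}, 16), raw), cbcMAC(bytes.Repeat([]byte{0x02}, 16), raw)
}

// Generate produces n bytes from AES-CTR seeded with the conditioned key and counter.
func Generate(key, counter []byte, n int) []byte {
	out := make([]byte, n)
	cipher.NewCTR(newAES(key), counter).XORKeyStream(out, out)
	return out
}

func main() {
	key, ctr := Condition(bytes.Repeat([]byte{0xA5, 0x3C}, 32)) // constructed sample, not real entropy
	fmt.Printf("key=%x counter=%x out=%x\n", key, ctr, Generate(key, ctr, 32))
}
```

Because the two chains use different keys, the same raw samples give unrelated key and counter values, which is the property the quoted design relies on.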

