[cryptography] Intel RNG

dj at deadhat.com dj at deadhat.com
Tue Jun 19 12:02:24 EDT 2012

> Aloha!
> On 2012-06-19 11:30 , coderman wrote:
>> On Tue, Jun 19, 2012 at 12:48 AM, Marsh Ray <marsh at extendedsubset.com>
>> wrote:
>>> So something is causing AES-NI to take 300 clocks/block to run this
>>> DRBG.
>>> Again, more than 3x slower than the benchmarks I see for the hardware
>>> primitive. My interpretation is that either RdRand is blocking due to
>>> "entropy depletion", there's some internal data pipe bottleneck, or
>>> maybe
>>> some of both.
>> it is also seeding from the physical noise sources, running sanity
>> checks of some type, and then handing over to DRBG. so there is
>> clearly more involved than just a call to AES-NI. 3x as expensive
>> doesn't sound unreasonable if the seeding and validation overhead is
>> significant.
> I might be missing something. But is it clear that Bull Mountain is
> actually using AES-NI? I assumed that one would like to use a separate
> HW-engine. Reading from the CRI paper seems (to me) to suggest that this
> is actually the case:
It is not using AES-NI. It is a self-contained unit on chip with a built-in
HW AES encrypt block cipher.
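An added example in C, not from this thread, Intel or CRI: it reads RdRand the way Intel's software guide recommends (check the carry flag, retry a bounded number of times, since the instruction signals "no data ready" rather than blocking) and times 16-byte blocks with rdtsc, so a clocks-per-block figure like the one debated above can be measured on one's own machine. Function names and the 10-retry limit are my own choices; it assumes GCC or Clang on x86 and reports "unsupported" on other architectures.

```c
/* Added example, not the thread's or Intel's code. x86 only; elsewhere
 * rdrand_supported() returns 0 and the fill routine returns 0. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
/* CPUID.1:ECX bit 30 advertises RDRAND. */
int rdrand_supported(void) {
    unsigned a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d)) return 0;
    return (c >> 30) & 1;
}
/* One RDRAND: CF=1 means a value was returned; CF=0 means the DRNG had no
 * data ready. The instruction does not block, so the caller must retry. */
static int rdrand32_once(uint32_t *out) {
    unsigned char ok;
    __asm__ volatile("rdrand %0; setc %1" : "=r"(*out), "=qm"(ok) : : "cc");
    return ok;
}
static inline uint64_t cycles(void) {
    unsigned lo, hi;
    __asm__ volatile("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}
#else
int rdrand_supported(void) { return 0; }
static int rdrand32_once(uint32_t *out) { (void)out; return 0; }
static inline uint64_t cycles(void) { return 0; }
#endif

/* Fill buf with n bytes from RDRAND, at most 10 retries per 32-bit word.
 * Returns 1 on success, 0 if RDRAND is absent or stayed starved. */
int fill_random_rdrand(unsigned char *buf, size_t n) {
    if (!rdrand_supported()) return 0;
    for (size_t i = 0; i < n; i += 4) {
        uint32_t w; int tries = 0;
        while (!rdrand32_once(&w)) if (++tries == 10) return 0;
        memcpy(buf + i, &w, n - i < 4 ? n - i : 4);
    }
    return 1;
}
/* Average TSC ticks per 16-byte block over `blocks` fills; 0.0 if unsupported. */
double rdrand_cycles_per_block(unsigned blocks) {
    unsigned char blk[16];
    uint64_t t0 = cycles();
    for (unsigned i = 0; i < blocks; i++)
        if (!fill_random_rdrand(blk, sizeof blk)) return 0.0;
    return (double)(cycles() - t0) / blocks;
}
int main(void) {
    printf("RDRAND %s, ~%.0f cycles per 16-byte block\n",
           rdrand_supported() ? "present" : "absent", rdrand_cycles_per_block(10000));
    return 0;
}
```

The rdtsc count includes the loop and copy overhead, so compare it against the instruction's published latency rather than reading it as a pure hardware figure.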