[cryptography] Intel RNG

Thierry Moreau thierry.moreau at connotech.com
Thu Jun 21 20:49:39 EDT 2012

James A. Donald wrote:
> James A. Donald wrote:
>  > > I see no valid case for on chip whitening. Whitening
>  > > looks like a classic job for software. Why waste chip
>  > > real estate on something that will only be used 0.001% of
>  > > the time.
> On 2012-06-22 6:53 AM, Michael Nelson wrote:
>  > I suppose that if the rng was shared between multiple
>  > processes, and if a malicious process could read the
>  > internal state, then it could predict what another process
>  > was going to be given in the near future.
> To the extent that rng generates true randomness, it can only partially 
> predict.  Assuming that each process collects sufficient true randomness 
> for its purposes, not a problem.  That is the whole point and purpose of 
> generating true randomness.

Just a few more random arguments in this discussion.

The NIST SP800-90 architecture, which is used in the Intel RNG, has

(A) a true random sampling process which "provides less than full" 
entropy, followed by

(B) an adaptation process, deterministic but not a NIST algorithm, 
called "conditioning" which provides well quantified full entropy bits 
(the designer has to make the demonstration that the goal is reached 
given the available understanding of the random sampling process), and 

(C) the DRBG (deterministic random bit generator) which is periodically 
seeded by the output of the conditioning algorithm.

(A) is truly random, (B) and (C) are deterministic.

If your enemy has access to the data used by either the conditioning 
algorithm or the DRBG, he can figure out their respective output.

Because the Intel RNG designers do not know which CPU request comes from 
a user versus an enemy, so they only provide a unique and independent 
output portion to each of them. One can not guess what the other 
received. If the enemy can trace the user program with debugging support 
CPU facilities, he might be in a position to eavesdrop an output portion 
given to the user. Be careful.

But don't trust me about these explanations, I might be an enemy. At 
least Intel designers don't trust me to audit their deterministic 
algorithms implementations within production parts. So they protect your 
secure applications, just in case my Trojan horse software is loaded 
when your application runs.

As a concluding remark, ... well why should I share a conclusion with 
potential enemies? You may as well (truly random) draw your own conclusion.


- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1

Tel. +1-514-385-5691

More information about the cryptography mailing list