Understanding Intel's Ivy Bridge Random Number Generator http://www.electronicdesign.

com/print/52638

Random number generation is the Achilles heel of cryptography.

Cryptographic algorithms – key generation, encryption and signing – need
secret values that must be unknown to attackers, and the best way to create
such a value is to choose it at random. But there is no way for software to
create random numbers. All it can do is stretch out randomness from
another source. That source might be the mechanical behavior of spinning
discs, or temperature measurements, or network timing, or mouse and
keyboard movements. Not all computers have mice, keyboards,
temperature sensors or spinning discs. Embedded systems, virtual
machines and servers with solid-state discs might have serious trouble

1 of 7 5/19/17, 12:15 PM
Understanding Intel's Ivy Bridge Random Number Generator http://www.electronicdesign.com/print/52638

gathering entropy.

Even when software can gather enough entropy, the random number
generator (RNG) itself is notoriously difficult to test, and may contain
subtle weaknesses that go unnoticed for years. These flaws can have
serious consequences. For example, from September 2006 to May 2008,
all OpenSSL keys generated on Debian and Ubuntu Linux systems were
weak: server certificates, SSH login keys, email encryption and signing
keys. Even using an ECDSA signing key on one of these systems would
compromise it. This bug was caused by a one-line code change to
OpenSSL's random number generator. Software-based RNGs are difficult
to build and test, often hard to use, and still don't work everywhere. That's
why security-oriented processors usually contain a dedicated hardware
RNG, even though most general-purpose cores do not. Now Intel has
included a hardware RNG on their "Ivy Bridge" processors, which were
released earlier in 2012.

1. The Ivy Bridge Entropy Source

2. The Conditioning Logic

3. Cryptography Research's Review

4. Conclusion

Each Ivy Bridge die contains one hardware RNG, shared by all the cores.
The RNG begins with an entropy source (ES) whose behavior is
determined by unpredictable thermal noise (Fig. 1) . The core of Ivy
Bridge's ES is an RS-NOR latch with the set and reset inputs wired

2 of 7 5/19/17, 12:15 PM
Understanding Intel's Ivy Bridge Random Number Generator http://www.electronicdesign.com/print/52638

together (red). When the R/S input is de-asserted, the latch becomes
metastable, and its output eventually settles to 0 or 1, depending on
thermal noise. The tricky part is consistently reaching that metastable
state. This is accomplished by a negative feedback circuit (blue). This
circuit adjusts the charge on a set of large capacitors, which is used as an
extra input to the latch. The feedback nudges the latch slightly more
toward 0 whenever it produces a 1 and vice-versa. The buffering circuit
(green) detects when the latch has settled, and stores its output. After a
delay it asserts and then de-asserts the latch's R/S input to produce
another bit.

74774_fig1sm

Figure 1. This circuit uses a trimmed 1-shot to provide an entropy source.

The ES produces its own clock signal, which ticks irregularly at around
3GHz. The rest of the RNG operates at 800 MHz, so the RNG's output is
first sampled into that clock domain. Next, a series of health tests inspects
the samples to make sure that the entropy source hasn't failed.

The output of the ES is fairly high-quality, but it isn't strong enough for
cryptographic purposes. The output won't be entirely balanced. The
feedback circuit introduces bias, and the entire circuit may be influenced
be analog effects such as ringing. To solve this, the output is passed
through a cryptographic conditioner (Fig. 2) , which condenses many
mediocre random bits into a few very good ones. Even "unhealthy"
samples are sent to the conditioner, because they can't hurt the quality of
its output.

74774_fig2sm

3 of 7 5/19/17, 12:15 PM
Understanding Intel's Ivy Bridge Random Number Generator http://www.electronicdesign.com/print/52638

Figure 2. The feedback circuit introduces bias so the output is passed

through a conditioning pipeline to improve overall quality.

The conditioner produces a 256-bit seed value

Related Articles every few microseconds. But if all the cores on
• Understanding The the chip are asking for random data, this won't
Ivy Bridge Architecture satisfy the demand. Therefore, the seed value is
• Generate An Interface fed into a NIST SP800-90A-based
Rule For Low-Power pseudorandom generator. This generator uses
Consumer Devices 128-bit AES in counter mode, and increases the
• Fundamentals Of The amount of data that the generator can produce
Intelligent Platform to around 800 megabytes per second.
Management Interface
Finally, the random data is put into an output
buffer, where it can be retrieved, 64 bits at a
time, by the RDRAND instruction. This instruction sets its destination
register to a random value. RDRAND sets the processor's carry flag to
indicate success. If the RNG fails (temporarily due to contention or
permanently from a failed self-test), RDRAND instead clears the carry flag
and outputs 0. Because the RNG itself signals failure by returning 0, the
RDRAND instruction can never succeed with a 64-bit output of 0. This bias
is generally small enough to ignore.

Intel asked Cryptography Research to review the design of the RNG

(download Analysis of Intel's Ivy Bridge Digital Random Number
Generator ). The summary is that the Ivy Bridge RNG is very
conservatively designed, and the few concerns we identified do not
materially affect its security.

4 of 7 5/19/17, 12:15 PM
Understanding Intel's Ivy Bridge Random Number Generator http://www.electronicdesign.com/print/52638

The entropy source itself is mathematically sound. The capacitors in the

tuning circuit need to be large; a pulse from the 1-shot must change them
by less than the amplitude of the thermal noise in the circuit in order to
consistently make the latch metastable. When they are at least this large,
the ES circuit is robust against variations due to process, voltage and
temperature.

We found that real-world data from the ES roughly matches these

mathematical predictions. This means that in some cases, either the latch
or the feedback circuit is not operating exactly the way that the model
supposes. Still, the quality of ES's output is appropriately high, and even
our pessimistic measurements on the worst samples are above its design
goals.

The health-testing logic is ad-hoc, but it is sufficient to catch any simple

patterns that might occur if the ES fails. The output of the ES is sampled
down from about 3GHz to 800 MHz before the health tests run, and the
sampling might hide some patterns from the health tests. Even so, if the
ES's quality slips below its conservative design goal of 0.5 bits of entropy
per output bit, then the health tests will almost certainly notice this failure.

The conditioner normally condenses 512 bits of ES output into 256 bits of
reseeding data. Since the ES is expected to produce at least half a bit of
entropy per output bit, these 256 bits should be almost completely
random, but with a very small safety margin. Fortunately, when the RNG
first starts, the initial seed is condensed from 32 kilobits of input, giving it
a much wider safety margin. This strong seed is carried forward as the
RNG runs, so the system remains strong even if it receives no additional
entropy.

Finally, the seed is passed to a pseudorandom generator, which generates

the RNG's final output. Under normal load, the generator reseeds every
time it produces an output, so its output should be almost completely

5 of 7 5/19/17, 12:15 PM
Understanding Intel's Ivy Bridge Random Number Generator http://www.electronicdesign.com/print/52638

statistically random. Under very heavy load, it can generate multiple blocks
of output between reseeds. In this case, the generator has 256 bits of state,
and finding patterns in it is as hard as breaking 128-bit AES.

Intel's new RNG simplifies and improves cryptographic random number

generation on servers and embedded platforms, where it is otherwise a
challenge. It is carefully and conservatively engineered, and Cryptography
Research recommends its use without reservation. Still, conservative
system design will incorporate other sources of entropy if they are
available. In all cases, users should confirm that the RDRAND instruction
returns a carry flag of 1 to ensure that the RNG is reporting proper
operation.

1. C. E. Shannon, "A Mathematical Theory of Communication," Bell System

Technical Journal, vol. 27, pp. 379–423, 623-656, 1948.

2. E. Barker and J. Kelsey, Recommendation for Random Number Generation Using

Deterministic Random Bit Generators, NIST Special Publication 800-90A, January
2012.

3. B. Schneier, Security Pitfalls in Cryptography, Counterpane Systems, 1998.

4. DSA-1571-1- openssl -- predictable random number generator," Debian, 13 May

2008. [Accessed 1 February 2012].

5. A. K. Lenstra, J. P. Hughes, M. Augier, J. W. Bos, T. Kleinjung and C. Wachter,

"Ron was wrong, Whit is right," IACR eprint archive, vol. 064, 2012.

6. D. Bleichenbacher, On the generation of one-time keys in DL signature schemes,

IEEE P1363 Working Group Meeting, November 2000.

7. D. J. Johnston, "Mircoarchitecture Specification (MAS) for PP-DRNG," Intel

Corporation (unpublished), V1.4, 2009.

6 of 7 5/19/17, 12:15 PM
Understanding Intel's Ivy Bridge Random Number Generator http://www.electronicdesign.com/print/52638

8. C. E. Dike, "3 Gbps Binary RNG Entropy Source," Intel Corporation

(unpublished), 2011.

9. C. E. Dike and S. Gueron, "Digital Symmetric Random Number Generator

Mathematics," Intel Corporation (unpublished), 2009.

10. M. Dworkin, "Recommendation for Block Cipher Modes of Operation: The CCM
Mode for Authentication and Confidentiality," NIST Special Publication 800-38C,
May 2004.

11. Z. Rached, F. Alajaji and L. Campbell, "Rényi's Entropy Rate For Discrete Markov
Sources," 1999.

12. NIST, "NIST Special Publication 800-22rev1a," 11 August 2010. [Accessed 2

February 2012].

13. M. Hamburg, P. Kocher. M. Marson, Analysis of Intel's Ivy Bridge Digital

Random Number Generator

Source URL: http://www.electronicdesign.com/learning-resources/understanding-intels-ivy-bridge-

random-number-generator

7 of 7 5/19/17, 12:15 PM