1 of 7 5/19/17, 12:15 PM
Understanding Intel's Ivy Bridge Random Number Generator http://www.electronicdesign.com/print/52638
gathering entropy.
Even when software can gather enough entropy, the random number
generator (RNG) itself is notoriously difficult to test, and may contain
subtle weaknesses that go unnoticed for years. These flaws can have
serious consequences. For example, from September 2006 to May 2008,
all OpenSSL keys generated on Debian and Ubuntu Linux systems were
weak: server certificates, SSH login keys, email encryption and signing
keys. Even using an ECDSA signing key on one of these systems would
compromise it. This bug was caused by a one-line code change to
OpenSSL's random number generator. Software-based RNGs are difficult
to build and test, often hard to use, and still don't work everywhere. That's
why security-oriented processors usually contain a dedicated hardware
RNG, even though most general-purpose cores do not. Now Intel has
included a hardware RNG on their "Ivy Bridge" processors, which were
released earlier in 2012.
Each Ivy Bridge die contains one hardware RNG, shared by all the cores.
The RNG begins with an entropy source (ES) whose behavior is
determined by unpredictable thermal noise (Fig. 1). The core of Ivy
Bridge's ES is an RS-NOR latch with the set and reset inputs wired
together (red). When the R/S input is de-asserted, the latch becomes
metastable, and its output eventually settles to 0 or 1, depending on
thermal noise. The tricky part is consistently reaching that metastable
state. This is accomplished by a negative feedback circuit (blue). This
circuit adjusts the charge on a set of large capacitors, which is used as an
extra input to the latch. The feedback nudges the latch slightly more
toward 0 whenever it produces a 1 and vice-versa. The buffering circuit
(green) detects when the latch has settled, and stores its output. After a
delay it asserts and then de-asserts the latch's R/S input to produce
another bit.
The ES produces its own clock signal, which ticks irregularly at around
3 GHz. The rest of the RNG operates at 800 MHz, so the RNG's output is
first sampled into that clock domain. Next, a series of health tests inspects
the samples to make sure that the entropy source hasn't failed.
The output of the ES is fairly high-quality, but it isn't strong enough for
cryptographic purposes. The output won't be entirely balanced. The
feedback circuit introduces bias, and the entire circuit may be influenced
by analog effects such as ringing. To solve this, the output is passed
through a cryptographic conditioner (Fig. 2), which condenses many
mediocre random bits into a few very good ones. Even "unhealthy"
samples are sent to the conditioner, because they can't hurt the quality of
its output.
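
The toy simulation below is an added example, not code from the article or from Intel. It models the negative feedback described above and the imbalance it is meant to correct, showing that the feedback evens out the count of 0s and 1s but leaves consecutive bits correlated, which a conditioner then has to absorb. The probability model, the latch offset and the feedback step size are assumptions chosen for illustration.

```python
import random

# Assumed toy model of the entropy source, not Intel's circuit parameters.
def simulate_latch(n_bits, offset, step, seed):
    """offset: built-in lean of the latch toward 1 (assumed value).
    step: charge moved per output bit by the feedback (0 disables it)."""
    rng = random.Random(seed)   # seeded so the run is repeatable
    charge = 0.0                # stand-in for the capacitor charge
    bits = []
    for _ in range(n_bits):
        p_one = min(1.0, max(0.0, 0.5 + offset - charge))
        bit = 1 if rng.random() < p_one else 0
        bits.append(bit)
        # Negative feedback: a 1 nudges the next decision toward 0, a 0 toward 1.
        charge += step if bit else -step
    return bits

def ones_fraction(bits):
    return sum(bits) / len(bits)

def lag1_correlation(bits):
    """Pearson correlation between each bit and the bit that follows it."""
    mean = ones_fraction(bits)
    var = mean * (1.0 - mean)
    if var == 0.0:
        return 0.0              # constant stream, i.e. a stuck source
    cov = sum((a - mean) * (b - mean) for a, b in zip(bits, bits[1:]))
    return cov / ((len(bits) - 1) * var)

def compare(n_bits=50_000, offset=0.45, step=0.05, seed=1):
    free = simulate_latch(n_bits, offset, 0.0, seed)   # feedback disabled
    fed = simulate_latch(n_bits, offset, step, seed)   # feedback enabled
    return {
        "no_feedback": (ones_fraction(free), lag1_correlation(free)),
        "feedback": (ones_fraction(fed), lag1_correlation(fed)),
    }

if __name__ == "__main__":
    for name, (frac, corr) in compare().items():
        print(f"{name:12s} ones={frac:.4f} lag1_corr={corr:+.4f}")
```

In this model a frequency count alone would pass the fed-back stream, while the negative lag-1 correlation shows each bit carries less than one full bit of entropy.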
The conditioner normally condenses 512 bits of ES output into 256 bits of
reseeding data. Since the ES is expected to produce at least half a bit of
entropy per output bit, these 256 bits should be almost completely
random, but with a very small safety margin. Fortunately, when the RNG
first starts, the initial seed is condensed from 32 kilobits of input, giving it
a much wider safety margin. This strong seed is carried forward as the
RNG runs, so the system remains strong even if it receives no additional
entropy.
statistically random. Under very heavy load, it can generate multiple blocks
of output between reseeds. In this case, the generator has 256 bits of state,
and finding patterns in it is as hard as breaking 128-bit AES.