chip-level randomness?

Nomen Nescio nobody at dizum.com
Thu Sep 20 01:00:25 EDT 2001


Ted Tso writes:
> It turns out that with the Intel 810 RNG, it's even worse because
> there's no way to bypass the hardware "whitening" which the 810 chip
> uses.  Hence, if the 810 random number generator fails, and starts
> sending something that's close to a pure 60 HZ sine wave to the
> whitening circuitry, it may be very difficult to detect that this has
> happened.

The "whitener" is just a slightly improved von Neumann bias remover.

The traditional vN state machine looks at pairs of bits and does something
like this:

0 0  ->  discard
0 1  ->  output 1
1 0  ->  output 0
1 1  ->  discard

This removes a static bias.  I.e. if you are producing say 55% 0's
and 45% 1's, after this whitener you will output 50% 0's and 1's.
However it is at the cost of discarding a considerable fraction of
the bits.

The improved version in the Intel RNG has a 3 bit window and this
lets it remove the bias just as well while discarding somewhat
fewer bits.

If the internal circuitry did output a 60Hz sine wave then regularities
would still be visible after this kind of whitener.  It is a rather
mild cleanup of the signal.

It doesn't seem right to object to them including a bias remover.
They have done other things to reduce bias.  For example they use a pair
of thermal resistors located next to each other on the chip and use the
difference of the values from each of them, to reduce sensitivity to
environmental influences.  This reduces bias, but should they have left
the differencing out so that you could more easily measure a possible
influence?

Suppose the voltage were to drop to this part of the chip; the
differencing will hide this fact and prevent you from detecting that maybe
some other parts aren't working well.  Here is an example of a possible
partial-failure mode which the chip internal design will tend to hide.
It should not be considered a design flaw for the chip to do this.
It improves the random numbers which the chip produces.  And similarly,
the digital bias remover does the same thing.

The bottom line is the quality of the random numbers produced by the
device.  It is designed internally to withstand various kinds of noise
and bias, so as to produce the best random numbers possible.

See http://www.cryptography.com/intelRNG.pdf for information on the
design of the RNG.  See if you can identify a plausible failure mode
which could be detected if the whitener was not present, but which will
be undetectable with the vN whitener in place.
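
An added example, not part of the original post and not Intel's circuit: it runs the classic pairwise von Neumann rule from the table above over a statically biased source and over a thresholded periodic wave, then compares the ones fraction with the rate of adjacent-bit flips. The 3-bit Intel variant is not modelled; the 45% ones rate, the 25-sample period, the seed and all function names are constructed for illustration.

```python
import random

def von_neumann(bits):
    """Pairwise debiaser from the post's table: 01 -> 1, 10 -> 0, 00/11 discarded."""
    out = []
    for a, b in zip(bits[0::2], bits[1::2]):
        if a != b:
            out.append(b)  # the second bit of the pair is the output bit
    return out

def ones_fraction(bits):
    """Monobit statistic: share of 1s in the stream."""
    return sum(bits) / len(bits)

def transition_rate(bits):
    """Share of adjacent bits that differ; about 0.5 for independent fair bits."""
    flips = sum(1 for x, y in zip(bits, bits[1:]) if x != y)
    return flips / (len(bits) - 1)

def biased_source(n, p_one=0.45, seed=1):
    """Constructed healthy-but-biased source: independent bits, 45% ones."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]

def periodic_source(n, period=25):
    """Constructed failure case: a periodic wave thresholded to bits
    (12 ones then 13 zeros, repeating), standing in for a sampled sine."""
    return [1 if (t % period) < period // 2 else 0 for t in range(n)]

def summarize(raw):
    """Whiten a raw stream and return the statistics a health check would see."""
    out = von_neumann(raw)
    return {
        "raw_ones": ones_fraction(raw),
        "out_bits": len(out),
        "yield": len(out) / len(raw),
        "out_ones": ones_fraction(out),
        "out_flips": transition_rate(out),
    }

if __name__ == "__main__":
    for name, raw in (("biased", biased_source(200_000)),
                      ("periodic", periodic_source(50_000))):
        print(name, summarize(raw))
```

On the periodic input the whitened stream is exactly half ones, so a bias check passes, while every output bit is the complement of the one before it, which a serial (flip-rate) test on the whitened output catches.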


