Intel to also add RNG

Fri Jul 2 08:19:14 EDT 2010

http://www.technologyreview.com/printer_friendly_article.aspx?id=25670&channel=Briefings&section=Microprocessors 

Tuesday, June 29, 2010

Nanoscale Random Number Circuit to Secure Future Chips

Intel unveils a circuit that can pump out truly random numbers at high speed.

By Tom Simonite

It might sound like the last thing you need in a precise piece of hardware,
but engineers at Intel are pretty pleased to have found a way to build a
circuit capable of random behavior into computer processors.

Generating randomness--an unpredictable stream of numbers--is much harder
than you might think. It's also crucial to creating the secure cryptographic
keys needed to keep data safe. Building a random-number-generating ability
into the Central Processing Unit (CPU) at a computer's heart is ideal, says
Ram Krishnamurthy, an engineer at Intel's Microprocessor Technology Labs, in
Hillsboro, OR. It should speed up any process that requires the generation of
an encrypted key, for example securing sensitive data on a hard drive, and
make it harder for an attacker to compromise that encryption.

Building circuitry capable of producing random numbers into a CPU has proved
difficult. "Today random numbers are either generated in software, or in the
chip set outside the microprocessor," explains Krishnamurthy, one of the
Intel researchers on the project.

Neither solution is ideal. Software produces only pseudo random numbers
(given enough computing power, patterns can be found within that randomness).

"If the random numbers are not truly random, for example, if they are biased
in some way, then an adversary has a better chance of guessing/determining
the value," explains mathematician Elaine Barker, at the National Institute
for Standards and Technology (NIST), in Gaithersburg, MD. "In the case of
cryptographic keys, if the adversary can determine the key without an
excessive amount of computing power, then he can breach the confidentiality
of that data."

Installing a source of random numbers outside of a computer's core
microprocessor provides another avenue of opportunity to attackers, says
Krishnamurthy. "You are vulnerable to side channel attacks," he explains,
"there are many ways by which the key can be directly read off of the bus, or
attacks that look at how the power supply varies and look for signatures that
indicate what the key looks like."

Building the circuit into the main processor shuts off that possibility, says
Krishnamurthy, although the barrier to doing that has been practicality. The
best-established methods of generating random numbers use analog circuits
that rely on thermal noise as a source of randomness, and those circuits are
not easily fabricated with the techniques used to make the digital circuits
of a microprocessor. Nor are they easily scaled down to the size of
components on modern chips.

Intel's new circuit has a fully-digital design, making it possible to
incorporate it into the microprocessor die. At the heart of the new design is
a cross-coupled inverter, a combination of two basic circuit components that
is essentially a memory capable of storing a single 1 or 0. This memory,
though, is designed to be unreliable; it can be tipped between its two
possible outputs by the influence of thermal noise from the surrounding
silicon. Since that thermal noise is random, the circuit's output should be,
too.

In reality, though, the influence of fluctuations in voltage and temperature
normal inside a chip could bias that output to be less-than-random, requiring
Krishnamurthy and colleagues to develop additional measures to counteract
their influence. Benchmarks for "true" randomness maintained by NIST were
used to confirm they had been successful. "We exceeded all of those
thresholds," he says. The speed at which the new circuit cranks out
numbers--2.4 billion a second or 2.4Gbps--is also around 200 times faster
than anything before, Krishnamurthy adds.

Having built the circuit with a smallest feature size of 45 nanometers, he
and colleagues are now working toward proving it can be built using 32 and 22
nanometer manufacturing processes with minimal design tweaks.

Passing existing benchmarks of randomness, though, does not mean the new
circuit is perfect. Current techniques do not make it possible to be certain
that any source of randomness is truly random, says Barker. "We just don't
know enough to design tests that catch all the problems, and tests may not
always catch the point at which a noise source starts to go bad if the change
is subtle." Research by groups like that at NIST will generate smarter tests
that help industry engineers raise the bar further.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com