[Cryptography] Random number generation influenced, HW RNG

Perry E. Metzger perry at piermont.com
Tue Sep 10 00:08:10 EDT 2013

On Mon, 9 Sep 2013 23:29:52 -0400 John Kelsey <crypto.jmk at gmail.com>
> On Sep 9, 2013, at 6:32 PM, "Perry E. Metzger" <perry at piermont.com>
> wrote:
> > First, David, thank you for participating in this discussion.
> > 
> > To orient people, we're talking about whether Intel's on-chip
> > hardware RNGs should allow programmers access to the raw HRNG
> > output, both for validation purposes to make sure the whole
> > system is working correctly, and if they would prefer to do their
> > own whitening and stretching of the output.
> Giving raw access to the noise source outputs lets you test the
> source from the outside, and there is a lot to be said for it.  But
> I am not sure how much it helps against tampered chips.  If I can
> tamper with the noise source in hardware to make it predictable, it
> seems like I should also be able to make it simulate the expected
> behavior.

Sure, but that might be visible in chip teardowns, which
would see an unexpected circuit, while an analog defect in the dual
inverter circuit Intel is using (or was using, I haven't looked in a
while) that biased the output might be quite subtle and very
difficult to find even then.

People forget that you can, in fact, tear down chips. Though I
will not claim it can be done with anything like the ease with
which people reverse engineer software, the tools are available at
many research universities these days, and more and more people are
doing it.

The part that could get hairy, of course, is that there's an ocean of
circuitry on a modern high end processor, and given that this is being
handled by an instruction, there's an awful lot of ways it could be
gimmicked even if the "correct" circuit was there and seemed to work
as advertised. Fully analyzing the situation might take real funding.

Perry E. Metzger		perry at piermont.com
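An added example, not part of this thread, of what raw-output access buys an outside validator: the NIST SP 800-22 frequency (monobit) test applied to a constructed, slightly biased bit source flags the bias, while the same test applied to SHA-256-conditioned output of that same source sees nothing wrong. The biased source, the hash-based conditioner and the 52% bias figure are constructed stand-ins for illustration, not Intel's circuit or conditioner.

```python
import hashlib
import math
import random


def biased_source(n_bits, p_one, seed=0):
    """Constructed stand-in for a raw noise source whose output is
    biased toward 1 with probability p_one (e.g. an analog defect)."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n_bits)]


def whiten(bits):
    """Conditioning stand-in: hash each 512-bit block with SHA-256 and
    emit the digest bits. Illustrates how conditioning masks source
    bias; it is not the conditioner used in any real hardware RNG."""
    out = []
    for i in range(0, len(bits) - len(bits) % 512, 512):
        block = bits[i:i + 512]
        raw = int("".join(map(str, block)), 2).to_bytes(64, "big")
        digest = hashlib.sha256(raw).digest()
        out.extend((byte >> k) & 1 for byte in digest for k in range(8))
    return out


def monobit_pvalue(bits):
    """NIST SP 800-22 frequency (monobit) test: p-value for the
    hypothesis that ones and zeros are equally likely."""
    n = len(bits)
    s = sum(2 * b - 1 for b in bits)  # +1 for each one, -1 for each zero
    return math.erfc(abs(s) / math.sqrt(2 * n))


def bias_detected(bits, alpha=0.01):
    """True when the monobit test rejects uniformity at level alpha."""
    return monobit_pvalue(bits) < alpha


def demo(n_bits=100_000, p_one=0.52):
    """Run the test on raw and conditioned output of the same source."""
    raw = biased_source(n_bits, p_one)
    conditioned = whiten(raw)
    return {
        "raw_p": monobit_pvalue(raw),
        "conditioned_p": monobit_pvalue(conditioned),
        "raw_flagged": bias_detected(raw),
        "conditioned_flagged": bias_detected(conditioned),
    }


if __name__ == "__main__":
    print(demo())
```

A 2% bias that the raw test rejects with overwhelming confidence is invisible after conditioning, which is the point of wanting the raw bits: a validator with only conditioned output cannot tell a healthy source from a degraded one.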
