[Cryptography] Apple's Early Random PRNG

Nico Williams nico at cryptonector.com
Mon Mar 17 18:49:49 EDT 2014


On Mon, Mar 17, 2014 at 4:44 PM, Tom Mitchell <mitch at niftyegg.com> wrote:
> On 03/17/2014 02:16 PM, tytso at mit.edu wrote:
>> If anyone has any suggestions about how to influence ARM SOC
>> vendors to provide something like RDRAND, short of compromising

The rpi has one, it turns out.  But yeah, it needs to be on-CPU, so
it's never not there due to choice of peripherals.

>> photos from web cams of company execs provided courtesy of GCHQ
>> :-), I'm sure lots of people would appreciate any ideas....
>
> What is known about the patent tangle and other costs of RdRand?

If it really matters to you then you should ask your lawyers.  Though
if it makes you happy, there's a long trail of embedded RNGs, not all
at Intel, much predating RDRAND.  Which means that you might be happier
to pay the cost of the legal research knowing there's likely to be
good enough prior art or that the patent holders that exist are the
type who won't come after you (a very subjective call, to be sure).

> i.e. is it expensive IP or simply transistor power budget.

It's not transistor budget.  It's designing a circuit that will
reliably produce real entropy (specifically, that can be credibly
characterized as or shown to do so) without being too easy to force
into an all-ones or all-zeros state (or other trivial pattern).  A
circuit that will not significantly increase bad silicon rates.

It's an engineering process more than anything.  The die space needed
can be fairly minimal.

> The SOC world is driven by pennies in their cost of goods.

This is a large fixed cost, zero marginal cost.  If you find good
enough public-domain designs, maybe the fixed cost is very low, but if
you start from scratch or are full of FUD then you might find this
fixed cost to be ample.

There's also the cost of failure to take into account.  Avoiding
failure will mean following a more rigorous engineering (including
testing) process.

> The best two places to address this is at ARM. and

Yes.

> also from the portable device market (phones, tablets).

That's... the SOC market.

Nico
--
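The "too easy to force into an all-ones or all-zeros state" failure mode above is exactly what continuous health tests on a hardware entropy source are meant to catch before the stuck output reaches a DRBG seed. The following is an added example, not code from the thread or from any vendor: a Repetition Count Test in the style of NIST SP 800-90B section 4.4.1 (cutoff C = 1 + ceil(-log2(alpha) / H)), run over two constructed byte streams, one from a seeded PRNG standing in for a healthy source and one that sticks at 0xFF partway through. The false-positive rate alpha = 2^-20 and the assumed min-entropy per sample H are parameters the caller chooses; the values used here are illustrative assumptions.

```python
import math
import random


def rct_cutoff(h_min: float, alpha: float = 2.0 ** -20) -> int:
    """Repetition Count Test cutoff per NIST SP 800-90B 4.4.1.

    h_min: assumed min-entropy per sample (bits); alpha: target
    false-positive probability. A run of C identical samples is
    reported as a source failure.
    """
    return 1 + math.ceil(-math.log2(alpha) / h_min)


def repetition_count_test(samples, h_min: float = 1.0):
    """Scan `samples` and return the index at which the run length of
    identical consecutive samples first reaches the cutoff, or None if
    the stream never does (i.e. the test passes)."""
    cutoff = rct_cutoff(h_min)
    run = 0
    prev = None
    for i, s in enumerate(samples):
        if s == prev:
            run += 1
            if run >= cutoff:
                return i
        else:
            prev = s
            run = 1
    return None


def healthy_stream(n: int = 4096, seed: int = 1234) -> bytes:
    """Constructed stand-in for a working source: a seeded PRNG, so the
    example is deterministic and runs offline (not real entropy)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def stuck_stream(n_good: int = 1000, n_stuck: int = 64) -> bytes:
    """Constructed failure: the source works for n_good samples, then
    sticks at all-ones (0xFF), the pattern the thread warns about."""
    return healthy_stream(n_good) + b"\xff" * n_stuck


def health_report(h_min: float = 1.0) -> dict:
    """Run the RCT over both constructed streams and summarise."""
    return {
        "cutoff": rct_cutoff(h_min),
        "healthy_fail_index": repetition_count_test(healthy_stream(), h_min),
        "stuck_fail_index": repetition_count_test(stuck_stream(), h_min),
    }


if __name__ == "__main__":
    # With H = 1 bit/sample the cutoff is 21: the healthy stream passes,
    # the stuck stream trips the test shortly after byte 1000.
    print(health_report(1.0))
```

Assuming less entropy per sample (a smaller H) raises the cutoff and makes the test more tolerant of short runs, so the number you feed in has to come from the source characterization Nico describes, not from optimism; claiming 8 bits per byte gives a cutoff of only 4, which a genuinely full-entropy source will still pass but a marginal one will not.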

