[Cryptography] A TRNG review per day: RDRAND and the right TRNG architecture

David Leon Gil coruus at gmail.com
Sun Oct 26 22:10:53 EDT 2014

On Fri, Oct 24, 2014 at 5:31 AM, Bill Cox <waywardgeek at gmail.com> wrote:
> However, I happen to be something of a speed freak.  Intel's RDRAND
> instruction is appealing to me.  The architecture is the fastest TRNG I have
> seen.  So, why not use it?  Here's why:
> - It is probably back doored
> - It is not auditable
> - Critical portions of its design remain secret (such as whitening and how
> to disable it)

I thought that the whitening design had been published? They're using
CTR-DRBG instantiated with AES-128. (This, in itself, is probably all
the NSA could want; the security strength of that construction is
rather low.)

Here's the paper:


> That said, this TRNG has so many drawbacks that I predict no one other than
> Intel will ever use it.  First, it requires a couple of large-ish on-chip
> capacitors to hold the control voltages that compensate for factors that
> cause the latch to prefer to power up one way or the other.  Without
> measuring the 0/1 bias and dynamically compensating for it, this circuit
> simply does not work.  This by itself makes Intel's TRNG both large and
> complex.  Worse, it is *massively* sensitive to nearby signals.  It is more
> sensitive to external signals than any other architecture I know of.  No
> other TRNG relies on amplifying such a small noise signal, and no other
> architecture can be PWNed with as little injected energy.  This is literally
> the most attacker signal sensitive TRNG ever designed.

Thanks for the terrific summary of potential side-channel attacks.

> A TRNG simply does not need to be fast.  A Lava Lamp generates entropy fast
> enough for almost any application, so long as we use it to seed a high
> speed CPRNG firehose.  Anyone selling you a high speed TRNG for a lot of
> money, based on quantum voodoo or whatever, is ripping you off.

Agreed; the quantum RNGs in particular make me laugh. (I'd wonder who
would be so stupid as to buy one, but even Google has bought into the
similarly craptastic D-wave nonsense.)

> Due to Intel's inexplicable reluctance to make their device auditable, while
> relying on what is probably the hardest TRNG architecture to get right, I
> have to rate RDRAND as snake-oil for use in cryptography.

They need to publish layout information so that third-parties can
easily(-ish) verify it. Information on the "eight different
operational modes" supported by the RNG would be nice too.
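Added example (the editor's, not code from either poster or from Intel): the reply above says the RDRAND conditioner is CTR-DRBG instantiated with AES-128, and Bill's point is that a slow TRNG only needs to seed a fast CSPRNG. The Go block below is a minimal CTR_DRBG with AES-128 and no derivation function, following the structure of SP 800-90A section 10.2.1: Instantiate is the same Update applied to an all-zero Key/V (so a zero-valued CTRDRBG seeded with Reseed is an instantiated one), Generate emits AES-CTR output and then re-keys with Update, and the request counter enforces a reseed interval. The entropy bytes in any use of it are whatever the caller supplies; nothing here claims to match Intel's actual implementation, and it has not been run against the CAVP known-answer vectors.

```go
package main

import "crypto/aes"
import "errors"

// CTR_DRBG with AES-128, no derivation function (SP 800-90A, 10.2.1):
// seedlen = keylen + blocklen = 32 bytes; a fresh state has Key = V = 0.
const (
	keyLen         = 16
	blockLen       = 16
	seedLen        = keyLen + blockLen
	reseedInterval = 1 << 20 // Generate calls per seed; the spec permits up to 2^48
)

type CTRDRBG struct {
	key           [keyLen]byte
	v             [blockLen]byte
	reseedCounter uint64
}

// ctrOut returns n bytes of AES-CTR keystream under Key, advancing V.
func (d *CTRDRBG) ctrOut(n int) []byte {
	blk, _ := aes.NewCipher(d.key[:]) // 16-byte key: cannot fail
	out := make([]byte, 0, n+blockLen)
	buf := make([]byte, blockLen)
	for len(out) < n {
		for i := blockLen - 1; i >= 0; i-- { // V is a big-endian 128-bit counter
			d.v[i]++
			if d.v[i] != 0 {
				break
			}
		}
		blk.Encrypt(buf, d.v[:])
		out = append(out, buf...)
	}
	return out[:n]
}

// update is CTR_DRBG_Update: seedlen keystream bytes XOR provided data become
// the new Key || V, so output already handed out cannot predict later output.
func (d *CTRDRBG) update(provided []byte) {
	temp := d.ctrOut(seedLen)
	for i := range temp {
		temp[i] ^= provided[i]
	}
	copy(d.key[:], temp[:keyLen])
	copy(d.v[:], temp[keyLen:])
}

// padSeed right-pads an optional input to seedlen (no DF: longer is rejected).
func padSeed(b []byte) ([]byte, error) {
	if len(b) > seedLen {
		return nil, errors.New("ctr_drbg: input longer than seedlen")
	}
	out := make([]byte, seedLen)
	copy(out, b)
	return out, nil
}

// Reseed on a zero-valued CTRDRBG is Instantiate (the spec runs the same
// Update on Key = V = 0); on a live one it mixes in fresh entropy.
func (d *CTRDRBG) Reseed(entropy, extra []byte) error {
	if len(entropy) != seedLen {
		return errors.New("ctr_drbg: entropy input must be exactly seedlen bytes")
	}
	pad, err := padSeed(extra)
	if err != nil {
		return err
	}
	for i := range pad {
		pad[i] ^= entropy[i]
	}
	d.update(pad)
	d.reseedCounter = 1
	return nil
}

// Generate returns n output bytes, then re-keys with Update.
func (d *CTRDRBG) Generate(n int, additional []byte) ([]byte, error) {
	if d.reseedCounter == 0 || d.reseedCounter > reseedInterval {
		return nil, errors.New("ctr_drbg: not seeded or reseed required")
	}
	if n < 0 || n > 1<<16 { // 2^19 bits per request (SP 800-90A Table 3)
		return nil, errors.New("ctr_drbg: request too large")
	}
	add, err := padSeed(additional)
	if err != nil {
		return nil, err
	}
	if len(additional) > 0 {
		d.update(add)
	}
	out := d.ctrOut(n)
	d.update(add) // all-zero block when no additional input was supplied
	d.reseedCounter++
	return out, nil
}
```

Usage is `var d CTRDRBG; d.Reseed(entropy, personalization)` followed by repeated `d.Generate(n, nil)` calls, with the 32 entropy bytes coming from the slow source (a hardware TRNG, or the OS pool as a stand-in). The security strength of this instantiation is capped at 128 bits by the AES-128 key, which is the point of David's remark above. Anyone deploying such a DRBG should check it against the NIST CAVP vectors for CTR_DRBG (AES-128, no df) rather than trust the property checks here.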

