Random numbers are, quite literally, the key to encryption. But generating genuinely random numbers is a problem that has continuously exercised the minds of cryptographers. If the initial random number can be guessed or predicted, then the encryption built on top of it can be broken.
One of the main problems is that it is difficult to judge the quality of a random number generator. As Bruce Schneier commented earlier this year, “One of the hardest parts of cryptography is random number generation. It's really easy to write a lousy random number generator, and it's not at all obvious that it is lousy. Randomness is a non-functional requirement, and unless you specifically test for it -- and know how to test for it -- you're going to think your cryptosystem is working just fine.” Even when it isn’t.
The importance of the RNG goes beyond simple data encryption. “For example,” comments the report, “the popular DSA and ECDSA digital signature standards require a random value when each signature is produced. Even very slight biases in the RNG used to produce this value can lead to exploitable cryptographic weaknesses.” In short, random numbers are the base of much of our good security if, and only if, they are genuinely random.
“Intel is not the first company to put an RNG on the processor,” Ben Jun, vice president and CTO of Cryptography Research, told Infosecurity, “but this is certainly providing randomness to the public on a much greater scale than before. Good security requires strong and robust randomness,” he continued. “In fact, the most frequently used secure protocols require good randomness at the client device. Intel’s choice to add a random number generator to the Ivy Bridge processor line gives developers improved security and assurance when writing secure applications. This translates into better secure software for everyone. CRI’s job was to independently evaluate the strength, design conservatism, and robustness of the Ivy Bridge RNG.”
“Most modern RNGs, including the Intel Ivy Bridge design,” notes the report, “consist of an entropy source (ES) followed by digital post-processing logic.” The quality of the random number generated depends upon the quality of the entropy source, but “One drawback of using post-processing is that defects in the entropy source become more difficult to observe.” It is such unobservable defects that have, in the past, led to “some catastrophic failure modes” in RNGs.
The full CRI report is detailed and technical. “The ES is an interesting design based on the random resolution of a circuit designed to seek out its metastable state. Intel has modeled and tested the ES extensively and believes that within a wide range of conditions, including typical PVT variations, the ES generates at least 0.5 bits of entropy per sample. Our modeling and testing agree with this assessment.”
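The two points above, that post-processing hides entropy-source defects and that the ES is credited with at least 0.5 bits of entropy per sample, can be made concrete with a simulation. The following Python is an added example, not code from the CRI report or from Intel: the entropy source is a constructed biased-bit generator (with a constructed stuck-at failure mode), SHA-256 stands in for Intel's conditioner and an HMAC counter generator stands in for the DRBG, and the raw-sample health tests are the Repetition Count Test and Adaptive Proportion Test of NIST SP 800-90B, parameterised with the page's 0.5 bit/sample claim. It shows that output-side checks (a monobit count, a check for repeated output blocks) pass even when the source is stuck, while the tests run on raw samples catch the defect.

```python
"""Post-processing hides entropy-source (ES) defects; raw-sample health
tests do not.  Added example with a constructed ES, a SHA-256 stand-in for
the conditioner and an HMAC stand-in for the DRBG (none of it Intel's code)."""
import hashlib
import hmac
import math
import random

ALPHA = 2.0 ** -20      # false-alarm rate SP 800-90B recommends for cutoffs
H_CLAIMED = 0.5         # min-entropy per sample the page reports for the ES
APT_WINDOW = 1024       # SP 800-90B window size for a binary source
OUTPUT_BYTES = 4096     # how much DRBG output each scenario examines


def min_entropy_per_bit(p_one):
    """Min-entropy of an independent biased bit: -log2(P of likeliest value)."""
    return -math.log2(max(p_one, 1.0 - p_one))


def raw_samples(n, p_one, seed=1):
    """Constructed stand-in for a healthy-but-biased ES: P(bit = 1) = p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def stuck_samples(n, value=0):
    """Constructed failure mode: the ES is stuck and emits a constant value."""
    return [value] * n


def conditioner(bits):
    """Compress each 512 raw bits into 256 bits (SHA-256 as a stand-in)."""
    out = b""
    for i in range(0, len(bits) - 511, 512):
        block = int("".join(map(str, bits[i:i + 512])), 2).to_bytes(64, "big")
        out += hashlib.sha256(block).digest()
    return out


def drbg(seed, nbytes):
    """Toy counter-mode generator seeded from the conditioner output."""
    out, ctr = b"", 0
    while len(out) < nbytes:
        out += hmac.new(seed, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:nbytes]


def monobit_fraction(data):
    """Output-side check: fraction of one bits (0.5 looks 'random')."""
    return sum(bin(b).count("1") for b in data) / (8 * len(data))


def rct_cutoff(h, alpha=ALPHA):
    """Repetition Count Test cutoff (SP 800-90B): 1 + ceil(-log2(alpha) / H)."""
    return 1 + math.ceil(-math.log2(alpha) / h)


def repetition_count_test(samples, h=H_CLAIMED):
    """Fail as soon as one value repeats consecutively `cutoff` times."""
    cutoff, run, prev = rct_cutoff(h), 0, None
    for s in samples:
        run = run + 1 if s == prev else 1
        prev = s
        if run >= cutoff:
            return False
    return True


def apt_cutoff(h, window=APT_WINDOW, alpha=ALPHA):
    """Adaptive Proportion Test cutoff: smallest C with P(Binom(W, 2^-H) >= C) < alpha."""
    p, tail = 2.0 ** -h, 0.0
    for c in range(window, -1, -1):
        tail += math.comb(window, c) * p ** c * (1 - p) ** (window - c)
        if tail >= alpha:
            return c + 1
    return 1


def adaptive_proportion_test(samples, h=H_CLAIMED, window=APT_WINDOW):
    """Fail if a window's first value recurs >= cutoff times within that window."""
    cutoff = apt_cutoff(h, window)
    for i in range(0, len(samples) - window + 1, window):
        w = samples[i:i + window]
        if w.count(w[0]) >= cutoff:
            return False
    return True


def evaluate(samples, label):
    """Run raw-sample health tests and output-side checks on one scenario."""
    output = drbg(conditioner(samples), OUTPUT_BYTES)
    blocks = {output[i:i + 32] for i in range(0, OUTPUT_BYTES, 32)}
    return {
        "label": label,
        "rct_pass": repetition_count_test(samples),
        "apt_pass": adaptive_proportion_test(samples),
        "output_monobit": monobit_fraction(output),
        "output_blocks_distinct": len(blocks) == OUTPUT_BYTES // 32,
    }


def run_scenarios(n=4096):
    """Healthy source above the claim, a stuck source, and a source far below it."""
    return [
        evaluate(raw_samples(n, 0.35), "healthy, H = %.2f" % min_entropy_per_bit(0.35)),
        evaluate(stuck_samples(n), "stuck at 0, H = 0"),
        evaluate(raw_samples(n, 0.05, seed=2), "biased, H = %.2f" % min_entropy_per_bit(0.05)),
    ]


if __name__ == "__main__":
    for r in run_scenarios():
        print(r)
```

In all three scenarios the post-processed output has a one-bit fraction near 0.5 and no repeated output block, so a consumer looking only at what the DRBG emits cannot tell the stuck source from the healthy one; only the repetition-count and adaptive-proportion tests, which see the raw samples before conditioning, reject the stuck and under-performing sources. The cutoffs depend on the claimed min-entropy (41 consecutive repeats at 0.5 bit/sample), which is why an honest entropy estimate such as the one CRI validated matters to the health tests as much as to key strength.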
The bottom line, however, is relatively simple: “the Ivy Bridge RNG is well designed, with a wide margin of safety, and the output is appropriate to use directly for cryptographic keys, secret nonces, and other sensitive values.” By incorporating a ‘good’ RNG directly within the CPU, Intel has made it easier for cryptographers to develop better security for PCs, laptops and PC applications – and any other device that incorporates the Ivy Bridge chip.