16

The latest AMD programmer manuals, dated June 2015, include the RDRAND instruction in the instruction set. For completeness, it lacks RDSEED. Confer, AMD64 Architecture Programmer’s Manual Volume 3: General-Purpose and System Instructions, page 278.

The description includes the text:

Loads the destination register with a hardware-generated random value.

I'm having trouble finding information on AMD's circuit and other design/implementation details. I'm not getting specific hits when searching AMD's site, and a general web search is returning a lot of noise dominated by Intel (not Intel's fault, its just the way it is).

What is known about AMD's circuit?

Based on @Richie comments (it was a good lead): according to NIST's Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules, AMD does not have an approved module. Additionally, according to NIST's Modules In Process, AMD does not have something in evaluation.

otus
  • 32,462
  • 5
  • 75
  • 167

1 Answers1

3

These circuits use an asynchronous counter that is ringing, and are sometimes combined with a seed from the unique processor ID (you blow these with e-fuses during test)

If you take 32 ring oscillators in parallel that each supply a single bit, you will see a random 32-bit value every time you sample. The randomness introduced is due the Poisson process of charge arriving at different times across the channel of the device, and this is why ring oscillators are "noisy". This is why do not need a seed, you just need a few moments that taken when the CPU resets to achieve electrical chaos. I would probably even keep a few ground ties weak to substrate through the resistors to increase the charge distribution.

I also have seen an implementation of this were the a few inputs were then put into SHA-1 that was XOR'd with the processor ID, but just from the standpoint of physics, you could have just have the ring oscillators. I assume this approach was used because it's outlined in a NIST spec.

addendum:

The most approachable discussion of this noise is probably this paper:

R. Sarpeshkar, T. Delbruck, and C. A. Mead, “White noise in MOS transistors and resistors,” IEEE Circuits and Devices Magazine, vol. 9, no. 6, pp. 23–29, 1993.

b degnan
  • 5,110
  • 1
  • 27
  • 49