Paper 2014/504

A Provable Security Analysis of Intel's Secure Key RNG

Thomas Shrimpton and R. Seth Terashima

Abstract

We provide the first provable-security analysis of the Intel Secure Key hardware RNG (ISK-RNG), versions of which have appeared in Intel processors since late 2011. To model the ISK-RNG, we generalize the PRNG-with-inputs primitive that Dodis et al. introduced at CCS'13 for their /dev/[u]random analysis. The concrete security bounds we uncover tell a mixed story. We find that ISK-RNG lacks backward security altogether, and that the forward-security bound for the "truly random" bits fetched by the RDSEED instruction is potentially worrisome. On the other hand, we are able to prove stronger forward-security bounds for the pseudorandom bits fetched by the RDRAND instruction. En route to these results, our main technical efforts focus on the way in which ISK-RNG employs CBC-MAC as an entropy extractor.
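The abstract's central technical object is a CBC-MAC used as an entropy extractor (a conditioner that turns raw, biased source samples into a seed). The Go program below is an added illustration of that technique; it is not code from the paper and does not reproduce Intel's actual conditioner. It builds a fixed-key AES-CBC-MAC over fixed-width raw samples and then plays the attacker: when only a few bits of the raw input are unknown, the conditioned output, although it looks uniformly random, can be brute-forced, which is why the security bound of such an extractor has to be stated in terms of the entropy of its input rather than its output length. The key value, the 32-byte sample width and the sample contents are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

// Assumed fixed, public conditioner key (hypothetical value). A CBC-MAC used as
// an extractor is keyed with a constant the attacker knows; every bit of
// unpredictability in the output must come from the raw samples fed in.
var condKey = []byte("isk-rng-example!") // 16 bytes = AES-128 key

// Assumed width of one raw entropy-source sample (two AES blocks).
const rawSampleBytes = 32

// cbcMAC returns the raw CBC-MAC of msg under key: zero IV, no padding, and the
// final ciphertext block as the output. Inputs are fixed-length here, so the
// length-extension weakness of raw CBC-MAC on variable-length messages does
// not apply.
func cbcMAC(key, msg []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := blk.BlockSize()
	if len(msg) == 0 || len(msg)%bs != 0 {
		return nil, fmt.Errorf("cbcMAC: length %d is not a non-zero multiple of %d", len(msg), bs)
	}
	state := make([]byte, bs) // IV = 0^n
	for off := 0; off < len(msg); off += bs {
		for i := 0; i < bs; i++ {
			state[i] ^= msg[off+i] // chain: XOR the next block into the running state
		}
		blk.Encrypt(state, state) // in-place block encryption
	}
	return state, nil
}

// condition extracts a 128-bit conditioned seed from a batch of raw samples by
// CBC-MACing their concatenation under the fixed key.
func condition(samples [][]byte) ([]byte, error) {
	var buf bytes.Buffer
	for i, s := range samples {
		if len(s) != rawSampleBytes {
			return nil, fmt.Errorf("condition: sample %d has %d bytes, want %d", i, len(s), rawSampleBytes)
		}
		buf.Write(s)
	}
	return cbcMAC(condKey, buf.Bytes())
}

// recoverUnknownByte plays the attacker against a batch in which every sample
// is known except the final byte of the last one. It enumerates the 256
// candidates and returns the one whose conditioned output matches the value
// the attacker observed. An extractor cannot create entropy: with 8 unknown
// input bits the output has at most 8 bits of unpredictability, however
// random its 128 bits look.
func recoverUnknownByte(knownSamples [][]byte, lastPrefix []byte, observed []byte) (byte, bool) {
	for c := 0; c < 256; c++ {
		cand := append(append([]byte{}, lastPrefix...), byte(c))
		batch := append(append([][]byte{}, knownSamples...), cand)
		out, err := condition(batch)
		if err == nil && bytes.Equal(out, observed) {
			return byte(c), true
		}
	}
	return 0, false
}

func main() {
	// Constructed raw samples standing in for noisy entropy-source output.
	known := [][]byte{
		bytes.Repeat([]byte{0xA5}, rawSampleBytes),
		bytes.Repeat([]byte{0x3C}, rawSampleBytes),
	}
	lastPrefix := make([]byte, rawSampleBytes-1)
	secretSample := append(append([]byte{}, lastPrefix...), 0x7B)

	seed, err := condition(append(append([][]byte{}, known...), secretSample))
	if err != nil {
		panic(err)
	}
	fmt.Printf("conditioned seed:          %x\n", seed)

	b, ok := recoverUnknownByte(known, lastPrefix, seed)
	fmt.Printf("attacker recovered byte:   0x%02x (found=%v)\n", b, ok)
}
```

The point the attacker function makes is the one the abstract's RDSEED result turns on: a deterministic extractor's output is only as unpredictable as the raw input it was fed, so the quality of the bound depends on how much entropy the source actually delivers per sample, not on the width of the AES block.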

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
A major revision of an IACR publication in EUROCRYPT 2015
Keywords
provable security, random-number generator, entropy extraction
Contact author(s)
sethterashima @ gmail com
History
2015-02-18: revised
2014-06-26: received
Short URL
https://ia.cr/2014/504
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2014/504,
      author = {Thomas Shrimpton and R.  Seth Terashima},
      title = {A Provable Security Analysis of Intel's Secure Key {RNG}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2014/504},
      year = {2014},
      url = {https://eprint.iacr.org/2014/504}
}