Slashdot Mirror


VIA C3 Random Number Generator Reviewed

An anonymous reader writes "VIA has added a hardware random number generator to its Nehemiah C3 CPU. I found a recent review of its security. Interesting how it's done at the instruction level as opposed to the chipset level used by the i810 RNG (also reviewed there)."


  1. News Release by Anonymous Coward · · Score: 5, Informative

    VIA Launches Seventh Generation 'Nehemiah' CPU Core, the First x86 Processor to Market with Embedded Security Features

    Combining an integrated PadLock(TM) Data Encryption Engine with a wealth of enhanced performance features, the new generation VIA C3(TM) provides the lowest power native x86 platform for the fast-growing market of connected PCs and home entertainment centers

    Taipei, Taiwan, 22 January 2003 - VIA Technologies, Inc., a leading innovator and developer of silicon chip technologies and PC platform solutions, today announced its new generation VIA C3(TM) processor integrating the 'Nehemiah' core. With its powerful PadLock(TM) Data Encryption Engine, this next generation VIA C3 is the first native x86 processor on the market with embedded security features that enhance the protection of sensitive corporate and personal data.

    Available now at a speed of 1GHz, the new processor core is based on an advanced new CoolStream(TM) processor architecture that delivers all the necessary performance for running even the most demanding digital media applications while maintaining ultra low levels of power consumption and heat dissipation.

    "The launch of the seventh generation VIA C3 processor extends our leadership in enabling the development of secure, quiet-running small form factor system designs for a rapidly growing number of exciting new lifestyle and productivity applications such as home digital media entertainment and connected computing," commented Paul Hsu, Executive Assistant to the President and Head of VIA's CPU Business Unit. "Integration of embedded security features in the processor provides the most robust and cost-effective solution for addressing the increased demands among individuals, businesses, and government organizations for enhanced authentication and protection of their data in today's connected world."

    PadLock(TM) Data Encryption Engine
    The PadLock Data Encryption Engine has been integrated into the new generation VIA C3 processor to ensure greater confidentiality, integrity, and authenticity of electronic data either stored in the computer or transmitted over a network or the Internet, and enables a host of powerful new security applications, including heavy-duty data encryption and safer online transactions.

    At its heart is an advanced Random Number Generator (RNG) that uses random electrical noise on the chip to securely produce random number values, and features a direct application level interface through a new x86 instruction. Developers can obtain random numbers directly from the hardware without having to use separate software drivers, thereby providing an inherently more secure and efficient solution than combined hardware/software RNG architectures. The RNG includes several operating modes, offering performance from 750K bits per second to as high as 6 million bits per second.

    "VIA's incorporation of a hardware random number source on the processor die is exciting for developers, since it provides a simple and effective way of obtaining high quality randomness. This is particularly important for security and cryptography applications, since it is notoriously difficult to generate random numbers of adequate quality without a hardware random number generator," said Paul Kocher, President of Cryptography Research, Inc. and co-inventor of SSL 3.0. "I am enthusiastic about the benefit to applications such as secure web browsing, cryptographic key generation, and protocols where randomness is required."

    CoolStream(TM) Architecture
    Based on the advanced CoolStream architecture, the new generation VIA C3 processor has a highly efficient design that, when coupled with the VIA Apollo CLE266 chipset, delivers performance increases of up to 20% over the current version of the VIA C3 processor in mainstream productivity applications and up to 73% for 3D graphics applications, while continuing to deliver the same benefits of low power and minimal heat dissipation.

    New performanc

  2. Testing bittorrent by Pathwalker · · Score: 2, Informative

    I'm playing around with bittorrent.

    As a test, I put the PDF file of the review of the hardware RNG up here (The summary is here).

    If you have bittorrent installed, feel free to try to download from me.

  3. Re:Artificial Intelligence vs Artificial Stupidity by ddd2k · · Score: 2, Informative

    Aye, but nothing can be truly random
    Actually, if Heisenburg theory of uncertainty holds true, which is supported by the unexplainable phenomena of singular photon diffraction, random numbers are totally possible at the sub-atomic level and are not difficult to manipulate. This article hardly touches on how the numbers are generated, which leads me to question how valid this technology actually is.

  4. Truly Random Numbers by polv0 · · Score: 5, Informative

    The ideal source for random numbers has always been physical sources, such as the white noise you see on your television screen when tuned to an unused channel. The noise is generated by remnants from the big bang, and is cryptographically unusable (since the numbers are recordable by anyone). But it is a good test for statistical algorithms such as evolutionary computation (which depend on random initial states).

    The idea of using electrical currents secured on a chip is much sounder - since the noise is locally generated and very difficult to tap. I project that as quantum mechanics become more mainstream, the random quantum effects of electrons will be tapped to generate even sounder and accessible random signals.

    1. Re:Truly Random Numbers by John+Miles · · Score: 5, Informative

      The noise is generated by remnants from the big bang

      A myth, for the most part. It's generated primarily in the front-end amplifier of the TV tuner by virtue of the fact that its temperature is above absolute zero.

      All dissipative (resistive) elements, whether active or passive, generate thermal, or Johnson, noise. The noise power is expressed in watts as
      Pn=KTB, where K = the Boltzmann constant, T is the temperature in degrees Kelvin, and B is the bandwidth you're looking at. TV signals occupy several megahertz' worth of bandwidth, so even the smallest amount of noise in the front end will dominate the noise from atmospheric and celestial sources.

      You can prove this by disconnecting the antenna. Even if you short the TV's antenna terminals with a paper clip, neither the audio nor the video noise will change much.

      --
      Dahlmann tightly grips the knife, which he may have no idea how to use, and steps out into the plain.
  5. Re:Cool but... by Anonymous Coward · · Score: 1, Informative

    That laptop was running the old (Ezra-T) core with a half-speed FPU. This is the new (Nehemiah) core that has full-speed floating point. It's yummy :-)

  6. Re:Imagine a Beowulf cluster of these... by cpeterso · · Score: 2, Informative
    or imagine a giant P2P random number generator, something like Linux's entropy pool, but across many nodes. The problem with this is that you cannot trust external sources for input, but perhaps you could "cross the streams" and safely mix them?

    It reminds me of Random.org, a web site/service that generates random numbers for you. I think they even sell CDs of random numbers.

    1. Random numbers
    2. ???
    3. Profit!!!

  7. finite state machine by shird · · Score: 3, Informative

    This is awesome, but I feel it kind of skews one of the great things about CPUs. Presently, the same piece of code, run a million times, will always produce the same outcome, and follow the same path of execution (providing it accesses no hardware - ie, no io instructions). With the addition of this instruction, you no longer have this fixed execution path.

    Still, with IO this 'problem' exists anyway (although only at ring 0 -intel). It just makes it difficult for heuristic anti-virus programs, and debugging etc, when the path of execution can be arbitrary. Nonetheless, I think it's a cool concept, and great it's being done at ring 3.

    --
    I.O.U One Sig.
  8. Re:Cant the randomness be predicted? by plover · · Score: 5, Informative

    The input is not supposed to be determined by the current state of the processor (insert obligatory Knuth state-of-sin joke here.) Their design consists of a set of freewheeling* oscillators: a ~600MHz oscillator that is then further "jittered" by a ~450MHz and an ~810MHz oscillator, sampled by a much slower ~30MHz oscillator. Their engineers assume that manufacturing variances, temperature, current processor state and other external factors will all contribute to this jittery response.

    * Freewheeling means that these oscillators are not tied to a crystal, and the frequency they oscillate at is not precisely locked at any exact rate (as would be the case if it employed a crystal.) These minute variations in frequency are the source of entropy the chip designers are actually gathering.

    The sampled bits are then "whitened" to reduce biases, and the whitened bits are stored in a FIFO queue until used.

    The paper in the article explains all this, and it talks about a couple of other cool cryptogeek features. You can change the bias voltage via CPU instruction (which would affect the jitter,) but each request of "randomness" comes with a pedigree indicating what bias settings were used! Finally, Cryptography Research's testing showed that they believe the chip (with whitening enabled) is capable of generating bits with an entropy of 0.99 bits/output bit, although they recommend trusting only a conservative entropy factor of about 0.75 bits/output bit. And since it generates bits at a rate of 30-50 million bits per second, most applications can probably afford to throw away a few in the name of entropy.

    --
    John
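    The two ideas in the post above that matter to anyone consuming the generator's output, whitening and budgeting by a conservative entropy rate, as an added worked example (this is editor-supplied illustration code, not code from the post, from VIA or from Cryptography Research). The whitener shown is von Neumann debiasing, chosen because it is the simplest whitener to reason about; the chip's own whitening algorithm is not described in the thread. The biased input is constructed with a seeded PRNG so the run is reproducible, and the 0.99 and 0.75 bits/output-bit figures are the ones quoted in the post.

```python
import hashlib
import math
import random
from typing import Iterable, List, Tuple

# Entropy rates quoted in the post: what Cryptography Research measured with
# whitening enabled, and the conservative figure they recommend trusting.
MEASURED_ENTROPY_PER_BIT = 0.99
TRUSTED_ENTROPY_PER_BIT = 0.75


def raw_bits_needed(wanted_entropy_bits: int, entropy_per_bit: float) -> int:
    """Generator output bits to consume so that, at the assumed entropy rate,
    the sample carries at least `wanted_entropy_bits` bits of entropy."""
    if not 0.0 < entropy_per_bit <= 1.0:
        raise ValueError("entropy rate must lie in (0, 1]")
    return math.ceil(wanted_entropy_bits / entropy_per_bit)


def biased_bits(n: int, p_one: float, seed: int = 1) -> List[int]:
    """Constructed stand-in for a raw, unwhitened source: independent bits that
    are 1 with probability p_one. A seeded PRNG keeps the example reproducible;
    this is not a model of the chip's oscillators."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def ones_fraction(bits: Iterable[int]) -> float:
    """Fraction of 1 bits; 0.5 means no first-order bias."""
    bits = list(bits)
    return sum(bits) / len(bits) if bits else 0.0


def von_neumann_whiten(bits: Iterable[int]) -> List[int]:
    """Von Neumann debiasing, used here only to illustrate what a whitener does
    (the chip's own whitening algorithm is not described in the thread).
    Non-overlapping pairs: 01 -> 0, 10 -> 1, 00 and 11 are discarded. For
    independent bits the output is exactly unbiased, at the cost of throwing
    away at least three quarters of the input."""
    out: List[int] = []
    it = iter(bits)
    for first in it:
        second = next(it, None)
        if second is None:
            break
        if first != second:
            out.append(first)
    return out


def derive_key(bits: List[int], key_bits: int, entropy_per_bit: float) -> Tuple[bytes, int]:
    """Oversample the generator according to the trusted entropy rate and hash
    the sample down to key_bits. Returns (key, generator_bits_consumed)."""
    if key_bits % 8 or key_bits > 256:
        raise ValueError("key_bits must be a multiple of 8, at most 256 for SHA-256")
    needed = raw_bits_needed(key_bits, entropy_per_bit)
    if len(bits) < needed:
        raise ValueError(f"need {needed} generator bits, have {len(bits)}")
    sample = bits[:needed]
    # pack the sample big-endian into ceil(needed / 8) bytes before hashing
    packed = int("".join(map(str, sample)), 2).to_bytes((needed + 7) // 8, "big")
    digest = hashlib.sha256(packed).digest()
    return digest[: key_bits // 8], needed


if __name__ == "__main__":
    for rate in (MEASURED_ENTROPY_PER_BIT, TRUSTED_ENTROPY_PER_BIT):
        print(f"256-bit key at {rate} bits/bit: consume {raw_bits_needed(256, rate)} generator bits")
    raw = biased_bits(20000, p_one=0.7)
    white = von_neumann_whiten(raw)
    print(f"ones fraction: raw {ones_fraction(raw):.3f}, whitened {ones_fraction(white):.3f} "
          f"({len(white)} of {len(raw)} bits kept)")
    key, used = derive_key(white, 256, TRUSTED_ENTROPY_PER_BIT)
    print(f"key {key.hex()} derived from {used} whitened bits")
```

    At the trusted 0.75 rate a 256-bit key costs 342 generator bits instead of 256; at the measured 0.99 rate it would cost 259. Against a 30-50 Mbit/s source that oversampling is negligible, which is the post's point about affording to throw bits away.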
  9. Re:A Better System by Christopher+Thomas · · Score: 4, Informative

    A better system would be to use radioactive decay to generate random numbers. Very easy to implement using existing technology, one of the few things that is completely random.

    Your proposed method would be slightly skewed, as the half-life of the material would give you an "expected" number of events in your sampling period, which would cause the result to lean towards either even or odd. The effect would be small, but present.

    An alternative approach is to have two detectors, and see which one triggers first. While that method would have no systemic bias, removing intrinsic bias from differences in the samples would be difficult.

    The system in the new C3 chip, though, is also completely random if they designed it well (i.e. amplified thermal noise and rejected other noise sources). You have biasing problems, as with any other system where matching is important, but these can be overcome. Noise injection from other parts of the system is the thing to watch out for here.

    In summary, purely electrical random number generators can be just as random as your proposed scheme, and your proposed scheme is not significantly easier to implement.

  10. Take a look a HotBits by Styx · · Score: 3, Informative

    John Walker, the founder of Autodesk, has made a system like that, from which offers random bits:

    HotBits
    --
    /Styx
  11. External hardware RNG by starman97 · · Score: 2, Informative

    Atom-Age made a hardware box that produced 64K of random numbers with every character entered in the serial port. They spent a lot of time isolating each stage to ensure no noise got to the thermal noise generator/amplifier. There was no whitening or other tricks played to make the numbers 'more random'. There were 3 sets of batteries: a 9V for the noise source, C cells for the microprocessor, and D cells to run the serial interface. The whole thing was encased in a steel box with shielding around the connector and indicator lights. Analysis of the numbers showed very good randomness.

    Unfortunately at $200 it never really sold well. They did release the code in the processor for inspection; I'm not sure about the schematics, probably not.

    --
    Starman97@Gmail.com (bring it on spammers)
  12. A Cheaper System by plover · · Score: 3, Informative

    They're probably using electrical noise for both performance and cost reasons. The rate of decay of a safe amount of radioactive sample is quite slow compared to the amount of entropy you might be able to derive from it. (If the sample were decaying at the rate you suggest in your posting, you'd probably want to be wearing a lead codpiece if you were to sit in front of it. :-)

    This VIA chip is producing 30-50 million bits per second.

    Also, each radiological decay event would have more potential to cause bit rot in your normal CPU, memory or other chipset's operations.

    John Walker is already doing exactly this, producing random bits with a system he calls HotBits. Take a look at this page for his system and a good explanation. Of course I also think it may help to live in a castle with a 1-meter-thick-concrete-lined cistern located three-basement-levels-down to stick your Krypton-85 source in...

    And while using nuclear decay would raise the geek factor so high as to be measurable on a geiger counter, the manufacturing and disposal licensing and other handling problems that would accompany any usage of nuclear materials would be more than onerous for any company that had an economical alternative.

    --
    John
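    The decay-counting argument in comment 9 (parity of a count leans even or odd; a two-detector race has no systematic bias but is sensitive to detector mismatch) and the rate argument in comment 12 (a safe sample decays slowly compared with 30-50 Mbit/s), carried through numerically as an added example. This is editor-supplied illustration code, not from either poster or from HotBits. It assumes decays arrive as a Poisson process, so a count in a window of length tau is Poisson with mean lam = activity * tau; the 1000 decays/s activity in the demo is a constructed figure.

```python
import math
import random
from typing import Tuple


def poisson_even_probability(lam: float) -> float:
    """Probability that a Poisson(lam) count is even. The even terms of the
    series for e^lam sum to cosh(lam), so P(even) = e^-lam * cosh(lam)
    = (1 + e^(-2*lam)) / 2, which is always above 1/2."""
    return (1.0 + math.exp(-2.0 * lam)) / 2.0


def poisson_even_probability_by_sum(lam: float, terms: int = 100) -> float:
    """Cross-check: sum the Poisson pmf over even k directly (in log space, so
    large k does not overflow)."""
    if lam == 0.0:
        return 1.0
    return sum(math.exp(-lam + k * math.log(lam) - math.lgamma(k + 1))
               for k in range(0, terms, 2))


def parity_bias(lam: float) -> float:
    """|P(even) - 1/2| for the parity bit: e^(-2*lam) / 2. Small but never
    zero, which is the skew comment 9 describes."""
    return abs(poisson_even_probability(lam) - 0.5)


def race_probability(rate_a: float, rate_b: float) -> float:
    """Two detectors with independent exponential waiting times: P(A fires
    first) = rate_a / (rate_a + rate_b). Equal rates give exactly 1/2; any
    mismatch between the detectors shows up directly as bias."""
    return rate_a / (rate_a + rate_b)


def simulate_race(rate_a: float, rate_b: float, trials: int, seed: int = 7) -> float:
    """Monte Carlo estimate of race_probability, constructed with a seeded PRNG."""
    rng = random.Random(seed)
    a_first = sum(1 for _ in range(trials)
                  if rng.expovariate(rate_a) < rng.expovariate(rate_b))
    return a_first / trials


def parity_bits_per_second(activity_per_second: float,
                           window_seconds: float) -> Tuple[float, float]:
    """Count decays in windows of length tau and emit the parity of each count:
    that yields 1/tau bits per second, but lam = activity * tau sets the bias,
    so shrinking the window for throughput buys bias. Returns (bits/s, bias)."""
    lam = activity_per_second * window_seconds
    return 1.0 / window_seconds, parity_bias(lam)


if __name__ == "__main__":
    for lam in (0.1, 0.5, 1.0, 2.0, 5.0):
        print(f"lam={lam:4.1f}  P(even)={poisson_even_probability(lam):.5f}  "
              f"bias={parity_bias(lam):.2e}")
    print(f"race, equal rates: exact {race_probability(1.0, 1.0):.3f}, "
          f"simulated {simulate_race(1.0, 1.0, 20000):.3f}")
    print(f"race, 10% rate mismatch: {race_probability(1.0, 1.1):.4f}")
    # constructed source: 1000 counted decays per second
    for tau in (1e-2, 1e-3, 1e-4):
        bps, bias = parity_bits_per_second(1000.0, tau)
        print(f"window {tau:g}s -> {bps:8.0f} bit/s, parity bias {bias:.3g}")
```

    The last loop is the throughput trade-off: with 1000 counted decays per second, a 1 ms window gives 1000 bit/s with a parity bias of about 0.068, and a 0.1 ms window gives 10000 bit/s but a bias above 0.4, so even before whitening this source sits many orders of magnitude below the 30-50 Mbit/s the chip is quoted at.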
  13. Re:Artificial Intelligence vs Artificial Stupidity by moonbender · · Score: 2, Informative

    The guy's name is Heisenberg. Sorry for nitpicking, but three posts in a row misspelling his name is a bit too much. The school I went to was named after him, incidentally.

    --
    Switch back to Slashdot's D1 system.
  14. Re:A Better System by Anonymous Coward · · Score: 1, Informative

    Along similar lines, a system using visual noise rather than radioactive...

  15. USELESS by Anonymous Coward · · Score: 1, Informative

    It's too bad that, outside of a few people in the scientific community (such as those running Monte Carlo simulations and statistical thermodynamics calculations), no one uses random number generators (RNGs).

    And the worst thing is, the aforementioned people who do use RNGs undoubtedly will want to run their own generator that is most likely superior.

    For example, I run Monte Carlo simulations of polymer networks. The algorithm I use is the Mersenne Twister algorithm, which has an enormous period of 2^19937 - 1. This is much superior to VIA's built in RNG, and much faster than the standard rand() function in C.

    So I'm sorry, but I fail to see the utility of VIA's RNG. It's a cool little toy, and I'm sure it's going to get VIA some publicity, but I'm betting that it will be a hard sell to most people.

    1. Re:USELESS by viega · · Score: 4, Informative

      Is this a troll? Nevertheless, it is stupid, for a few reasons: 1) The Mersenne Twister is not cryptographically secure. 2) Even if it were, it would still need to be seeded with entropy, such as the kind provided by the VIA generator. 3) There's a big difference between entropy and pseudo-random numbers, anyway. 4) Entropy is crucial in many security-related applications. Of course, given sufficient entropy, you can stretch it out with a good cryptographic PRNG.

  16. Re:Obligatory Dilbert Quote by ottffssent · · Score: 2, Informative

    You *can* be sure whether it's random or not. "999" is not random. It may very well be randomly-generated, but that's not the same thing at all.

    Of course, it's not that simple either:

    If I have a RNG that spits a long string of the same number. Is the string random? Well, not really. So I take the string, and make sure it has the same number of each digit in it. But 1111222233334444 isn't random either, so now I make sure the same number of each pair occurs, so we've got as many 12s as we have 21s. 1234321234321234 still isn't random, so we check 3-digit sets. And at the end, I'm left with a string that is random, right? Well, it has known properties, namely that it has the same number of each digit (+-1), the same number of each pair, etc. So that's not random. But what about the original string of 8s? That's clearly not random. So what to do?
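    The two checks the post walks through (equal counts of each digit, then equal counts of each pair) are the first two of Knuth's empirical tests for randomness, the frequency test and the serial test. As an added example (editor-supplied, not the poster's code), here they are as chi-square tests run over constructed strings built in the spirit of the post's: a constant run like the string of 8s, a string in which every digit appears equally often but pairs repeat, and a seeded PRNG string. The alphabet is the digits 1-4, and the 1% critical values are the tabulated chi-square quantiles for 3 and 15 degrees of freedom.

```python
import random
from typing import Dict

# Tabulated chi-square critical values at the 1% significance level for the
# degrees of freedom used below (alphabet of 4 symbols: 3 for single digits,
# 15 for the 16 ordered pairs).
CHI2_CRIT_P01 = {3: 11.345, 15: 30.578}


def chi_square_stat(counts: Dict[str, int], expected: float) -> float:
    """Sum of (observed - expected)^2 / expected over every category."""
    return sum((c - expected) ** 2 / expected for c in counts.values())


def frequency_test(s: str, alphabet: str) -> float:
    """Knuth's frequency (equidistribution) test: one category per symbol,
    each expected len(s)/len(alphabet) times."""
    counts = {sym: 0 for sym in alphabet}
    for ch in s:
        if ch not in counts:
            raise ValueError(f"symbol {ch!r} is outside the alphabet")
        counts[ch] += 1
    return chi_square_stat(counts, len(s) / len(alphabet))


def serial_test(s: str, alphabet: str) -> float:
    """Knuth's serial test on non-overlapping pairs: one category per ordered
    pair. Non-overlapping pairs keep the counts independent, so the statistic
    follows chi-square with len(alphabet)^2 - 1 degrees of freedom."""
    counts = {a + b: 0 for a in alphabet for b in alphabet}
    pairs = [s[i:i + 2] for i in range(0, len(s) - 1, 2)]
    for p in pairs:
        if p not in counts:
            raise ValueError(f"pair {p!r} is outside the alphabet")
        counts[p] += 1
    return chi_square_stat(counts, len(pairs) / len(counts))


def passes(stat: float, degrees_of_freedom: int) -> bool:
    """True when the statistic is below the 1% critical value, i.e. the string
    is not rejected by that test."""
    return stat < CHI2_CRIT_P01[degrees_of_freedom]


def run_tests(s: str, alphabet: str = "1234") -> Dict[str, bool]:
    """Apply both tests and report pass/fail for each."""
    k = len(alphabet)
    return {
        "frequency": passes(frequency_test(s, alphabet), k - 1),
        "serial": passes(serial_test(s, alphabet), k * k - 1),
    }


# Constructed inputs in the spirit of the post's strings.
CONSTANT = "1" * 1000                  # a long run of one digit
PATTERNED = "12344321" * 125           # every digit equally often, pairs repeat
PRNG_DIGITS = "".join(random.Random(42).choice("1234") for _ in range(1000))

if __name__ == "__main__":
    for name, s in (("constant", CONSTANT), ("patterned", PATTERNED), ("prng", PRNG_DIGITS)):
        print(f"{name:9s} frequency={frequency_test(s, '1234'):8.2f} "
              f"serial={serial_test(s, '1234'):8.2f} -> {run_tests(s)}")
```

    The patterned string scores exactly 0 on the frequency test and is rejected outright by the serial test, which is the post's point in numbers: each test only checks the property it was written for, and a string engineered to hit every expected count exactly is as suspicious as one that misses them all.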

  17. You are an ingnorant, pompous fuckrod by Anonymous Coward · · Score: 1, Informative

    And you are wrong. Uncertainty principle holds with just a single particle. You clearly have no idea what you are talking about. If you know the position 100% accurately, you don't know the speed, and vice versa. This is a simple, provable, and inescapable rule of the universe.

  18. Re:Obligatory Dilbert Quote by trezor · · Score: 3, Informative

    In Norwegian the strip is located in my Dilbert-archive.

    Of course I got an English archive as well, for you Dilbert fans out there!

    --
    Not Buzzword 2.0 compliant. Please speak English.
  19. Re:Where does noise come from? by Anonymous Coward · · Score: 2, Informative

    Because of quantum uncertainty. If there had been no quantum uncertainty then after the big bang every particle would have had perfectly equal forces on it and thus the Universe would have settled into a perfectly homogeneous soup (or maybe a big symmetric crystal). Quantum uncertainty caused minute variations in density, forces etc, which allowed clumps to form and hence stars, planets and everything else.

  20. Why shouldn't there be noise? by Kalani · · Score: 2, Informative

    Consider a deterministic pseudorandom number generator that's highly sensitive to its initial conditions. Maybe that's the universe and we don't know it because we can't determine the initial conditions with absolute certainty nor can we even determine its current state with sufficient accuracy.

    What if space and time are discrete (Ed Fredkin and so on)? Of course, space couldn't be a rigidly even lattice (it could be a network of loosely connected nodes), but in this sense you have a rigorous foundation for modelling the evolution of the universe from one state to the next ... a computational process that defines how the universe operates. This process is only (universally) taking us toward increasing entropy, so it's a randomizing process by nature. Really I think that order is the oddity ... not randomness.

    --
    ___
    The ends are ape-chosen, only the means are man's. -- Aldous Huxley