Download the Latest Bull Mountain Software Implementation Guide

Product Index
Search

Intel® Software Network

Language:
- English

	June 12, 2011 12:00 AM PDT

Overview:

Bull Mountain is Intel's code name for its new Intel® 64 Architecture instruction RdRand and its underlying Digital Random Number Generator (DRNG) hardware implementation. Bull Mountain provides a processor-based RNG solution that is of high quality and performance, highly available, and secure.

Bull Mountain Software Implementation Guide

The Bull Mountain Software Implementation Guide is intended to provide a complete source of technical information. Among other things, it provides an overview of RdRand instruction usage, including code examples and recommendations on library API design.

Download Bull Mountain Software Implementation Guide

Bull Mountain Software Code Examples

Code examples shown in the Bull Mountain Software Implementation Guide are available in their entirety within the rdrand_lib. Implemented in C, the library can be compiled and run on a platform supporting the RdRand instruction.

Download Code Examples

Rdrand Library (Linux* Version)

Rdrand Library (Windows* Version)

For more complete information about compiler optimizations, see our Optimization Notice.

Comments (13)

June 28, 2011 5:11 PM PDT

javierandrescaceres

Total Points:
6,820

Black Belt

Great resource!

September 2, 2011 12:32 PM PDT

Jiri Hladky

Hello,

thanks for a very nice article.

Could you share the details of operation of the whitener (conditioner)? What do you take as the key for AES? As AES based CBC_MAC will produce only 128 bits, are you producing two MACs which are then concatenate to 256 bit value?

Thanks a lot
Jiri

September 6, 2011 5:30 AM PDT

Uwe Dauernheim

I tried to compile the example using GCC 4.6.1. I got the following error:

» gcc -c rdrand.s -o rdrand.o
rdrand.c:71:no such instruction: `rdrand %ax'
rdrand.c:92:no such instruction: `rdrand %eax'
rdrand.c:113:no such instruction: `rdrand %rax'

Is there something I need to enable in GCC or when configure/compile it?

September 6, 2011 9:29 AM PDT

David Johnston

Jiri,

You have it right. AES-CBC-MAC is run twice for each reseed to get the necessary 256 bits of reseed state required by SP800-90 for a 128 bit AES core based CTR DRBG. The CBC-MAC key is fixed. It's value is not relevant to the security assurances of the algorithm when used as a conditioner.

DJ

September 7, 2011 9:42 AM PDT

David Johnston

Uwe,

Only The most recent versions of GCC and binutils has support for RdRand.
The code was compiled on "gcc version 4.6.0 20110110 (experimental) [trunk revision 168632] (GCC)" that was taken from GNU's repository.

There should now be full releases that support rdrand.

September 8, 2011 8:53 AM PDT

hladkyjiri

Total Points:
200

Green Belt

Hi David,

I have tried to model the conditioner using crypto++ library (http://www.cryptopp.com/). Let's see if I have it right.

I take first 256 bits from entropy source (HW RNG) and send it to AES-CBC-MAC. It means first 128 input bits goes directly to AES. Output of AES is XORed with next 128 input bits and goes to AES, using the same fixed key. I will get 128 bits on output. I do the same with next 256 input bits using the same fixed key for AES, thus reducing 512 bits to 256 bits.

Now the question is how to model entropy source. Getting good entropy source using the hardware design is difficult, there will be always bias. Looking to Intel basic HW RNG design it's clear that it will be very very fast but I assume that quality of these random numbers will be poor. So I decided to take a very weak RNG to model entropy source - Linear congruential generator (LCG) with period 2^31-1

So my model is:
LCG -> AES-CBC-MAC (reducing 256 bits to 128bits)
while (true) {
rng.GenerateBlock( input, BLOCKSIZE_INPUT);
cbc_mac.CalculateDigest (output, input, BLOCKSIZE_INPUT);
cout.write(reinterpret_cast<const char *>(output),BLOCKSIZE_OUTPUT);
}

I have fed output to Dieharder Random Number Test Suite
http://www.phy.duke.edu/~rgb/General/dieharder.php
only to find out that it's failing almost all tests.

Now designing a good conditioner is difficult. However, I'm quite disappointed with results I got. Am I missing something?

Next I'm going to test LavaRnd Digital Blendertm Algorithm
http://www.lavarnd.org/what/digital-blender.html
to see if it performs better.

You may call my test setup unrealistic but I think it's a valid test to see how conditioner performs. It seems that Intel's conditioner is designed to be very fast but giving up on quality. Higher quality could be probably achieved at the cost of the speed assuming lower entropy per bit (currently the reducing factor is 2).

Next I'm going to look at CSPRNG. I expect that it will make the weak points of conditioner to go away.

BTW, do you have some source code to share which will model new Intel's DRNG? I can also share my C code if you are interested.

Any comments, thoughts? Is my AES-CBC-MAC in sync with the operation of Intel's conditioner?

Thanks
Jiri

September 9, 2011 7:40 AM PDT

hladkyjiri

Total Points:
200

Green Belt

Hi,

I'm going to implement CTR_DRBG. I just would like to clarify few details:

Block Ciphre used: AES, 128 bit key, right?

How is entropy coming from conditioner used? Does it flow only to seed for CTR_DRBG? Are you using personalization_string, nonce, (init CTR_DRBG), Derivation function, additional_input (reseed)?

What criteria is used to decide if it's time to reseed CTR_DRBG?

Thanks a lot
Jirka

September 19, 2011 12:33 PM PDT

Maarten Bodewes

As a security professional of 10 years, I'm creating a blog post about Bull Mountain RdRand. I want to have Intel's view about the blog article and some (3) design issues I'm experiencing with the Bull Mountain Software Implementation Guide. Who should I contact?

December 19, 2011 8:47 AM PST

Gael Holmes Hofemeier (Intel)

Total Points:
23,219

Black Belt

Maarten Bodewes: Please send it to me in a private message - you should be able to do so from this interface. I will make sure it gets seen by the right people. We would love to have your blog post on our site as well (contact Kathy Farrel who is our Community Manager.)

March 1, 2012 11:25 PM PST

Joachim Strömbergson

Aloha!

I'm currently writing an article about random number generators in modern computers for the IDG TechWorld magazine (in Swedish). I'm planning to cover Bull Mountain in the article. Is there any press kit or similar with images etc available?

March 13, 2012 3:47 AM PDT

pmokeefe

Total Points:
165

Green Belt

Hi,
The effort involved in the implementation of RdRand instruction to promote its use in security-related applications, in particular the self-testing functionality, is very impressive!
I'm interested in cryptographic applications of the RdRand instruction. Sometimes I might want an entropy source which is unaffected by deterministic processing which could potentially compromise my cryptographic applications. In particular, I am concerned that the Online Health Tests (OHTs) will affect the output of the RdRand instruction. Suppose the entropy source is in fact working properly. The ES will sometimes fail the OHT even though the entropy source is fine. That means that ES bit streams that fail the OHT will never be seen. Hence certain output sequences which would be generated by a perfectly random entropy source will never appear in an output sequence generated by the RdRand instruction. If I understand the documentation, there's a 65536 bit sliding window which is used for the OHT. 256-bit chunks output from the OHT are then used to create up to 1022 64-bit RdRands. It then seems if I only use one out of every 1022*65536/256 = 261,632 values returned by RdRand, each 64-bit sample selected will be outside the sliding window of all the other 64-bit samples selected.
Is that in fact the case? If I use only one out of every 261,632 calls to RdRand, will I in fact get 64-bit samples from non-overlapping sliding windows used by the OHT?
Even when the RdRand outputs I use are from non-overlapping sliding windows, it would still be helpful to know the exact algorithm used by the OHT to see if that might affect my cryptographic applications. Is documentation available for the algorithm used by the OHT? If not, I would like to request that.

Thank you,
Patrick

April 3, 2012 1:45 PM PDT

Gael Holmes Hofemeier (Intel)

Total Points:
23,219

Black Belt

Hi everyone, if you have questions, please post them to our Developer's Forum: http://software.intel.com/en-us/forums/intel-vpro-software-development/

April 3, 2012 1:50 PM PDT

Gael Holmes Hofemeier (Intel)

Total Points:
23,219

Black Belt

Patrick - I submitted your question - please refer to our forum: http://software.intel.com/en-us/forums/showthread.php?t=104200