by Intel Authors

Solving The Platform Entropy Problem Phase 2, by George Cox (November 2013)
describes RDSEED

Armor Your Applications Against Attacks Using Intel® Secure Key by John Mechalas (2013)
discusses and compares RDRAND and RDSEED

Intel and Random Numbers by David Johnston (2012)
NIST Random Number Workshop

Intel® Digital Random Number Generator (DRNG) Software Implementation Guide (May 14, 2012)
explains the RdRand instruction.

Conceptual Foundations of the Ivy Bridge Random Number Generator by Jesse Walker of Intel Labs (November 2011)
provides slides discussing some of the theory.

Technologies to Improve Platform Security by Ernie Brickell (9/29/2011)
has benchmark data from a preproduction part

Behind Intel's New Random-Number Generator by Greg Taylor and George Cox, IEEE Spectrum (September 2011).

Bull Mountain Software Implementation Guide by Jeffrey Rott, Intel Publication (June 2011)

Intel’s Digital Random Number Generator (DRNG) by George Cox, Charles Dike, and DJ Johnston (July 2011)
contains some nice slides explaining the architecture

Digital random number generator: United States Patent Application 20100332574 by Herbert; Howard C. et al. (December 30, 2010).
Intel's patent application which covers the RdRand instruction.

prepared under contract to Intel
by Mike Hamburg, Paul Kocher, Mark E. Marson of Cryptography Research, Inc. (CRI) (March 12, 2012)
Intel provided CRI with detailed documentation on the RNG, as well as access to its principal developers. The paper describes the system architecture and gives a theoretical analysis of the entropy source. CRI did not have access to Ivy Bridge parts, but Intel provided them with testing data from pre-production chips, which they analyzed.

A Provable-Security Analysis of Intel's Secure Key RNG by Thomas Shrimpton and R. Seth Terashima (26 Jun 2014)

from Blogs, Discussion Boards

RDRAND on Jim’s Blog states:
"This instruction appears to be backdoored by the NSA."
In reply, David Johnston of Intel posted this comment on the blog:
"I’m just saying that they are wrong about a back door in the rdrand instruction because I happen to know there isn’t because of my position as the designer"

Randomness on Your Next Chip? blog post by Patrick O'Keefe about the RdRand instruction (March 2012).

RDRAND and Is it possible to protect against malicious hw accelerators? make somewhat skeptical remarks about using RdRand in cryptography.

Schneier on Security blog from September 2011 has extensive comments on the new Intel random number generator.

Questions about the Digital Random Number Generator (aka Bull Mountain) is a thread on the Intel® vPro™ Software Development Forum.


Recommendation for the Entropy Sources Used for Random Bit Generation: NIST SP 800-90B (draft) (August 2012),
by Elaine Barker and John Kelsey.

Recommendation for Random Bit Generator (RBG) Constructions: NIST SP 800-90C (draft) (August 2012),
by Elaine Barker and John Kelsey.

Recommendation for Random Number Generation Using Deterministic Random Bit Generators: NIST SP 800-90A (January 2012)
by Elaine Barker and John Kelsey.
CTR_DRBG, which is used in RdRand, is defined in section 10.2.1 of this document.

Recommendation for Block Cipher Modes of Operation: NIST Special Publication 800-38A by Morris Dworkin (2001).
defines CBC-MAC, Cipher Block Chaining - Message Authentication Code, which is used by the RdRand Conditioner, BMSIG Section 3.2.2, p.13

Theory/Analysis of CBC-MAC
The Security of the Cipher Block Chaining Message Authentication Code
by Mihir Bellare, Joe Kilian, and Phillip Rogaway (1999)
Randomness Extraction and Key Derivation Using the CBC, Cascade and HMAC Modes
by Yevgeniy Dodis, Rosario Gennaro, Johan Håstad, Hugo Krawczyk and Tal Rabin. In: Advances in Cryptology - CRYPTO 2004 Proceedings. Volume 3152 of Lecture Notes in Computer Science, Springer (2004).
Analysis of the suitability of CBC-MAC for cryptological applications of randomness extraction.
An improved collision probability for CBC-MAC and PMAC
by Avradip Mandal and Mridul Nandi, University of Waterloo, Canada (2007).
Distinguishing Attack and Second-Preimage Attack on the CBC-like MACs
by Keting Jia, Xiaoyun Wang, Zheng Yuan, and Guangwu Xu (2008)
How to Extract and Expand Randomness: A Summary and Explanation of Existing Results
by Yvonne Cliff, Colin Boyd, and Juan Gonzalez Nieto (2009).
Contains details about the security level of AES-CBC-MAC in particular.
On the Security of Cipher Block Chaining Message Authentication Code by Charles Rackoff and Serge Gorbunov (manuscript).
Evaluation of Some Blockcipher Modes of Operation by Phillip Rogaway (2011).
Comprehensive survey of cryptological results which includes CBC-MAC.