[learc83]

Now that's a perfect example of something that seems obvious in hindsight, but obviously wasn't since the problem has existed for so long without a solution.

It's also nice to see a more EE oriented post on hacker news now and again.

[marshray]

No. There has been no shortage of perfectly workable designs for hardware random number generators patented over the years. If anything, it's something that engineering types with a fondness for crypto obsess about too much.

The reality is that it's just not that hard to generate quality random numbers after a few seconds have passed after bootup on a busy system. Nothing needs gigabit rates of random numbers.

The cases where applications have had lousy random numbers have all been boneheaded implementation bugs (like the early 90s Netscape one the reference).

There are two reasons why this had not been implemented until now:

1. Low demand. It's entirely practical for applications to generate random numbers in software, especially with help from the kernel. With a hardware RNG on some chips, a fallback implementation would still have to be available and people who care about their CSPRNGs in software wouldn't fully trust Intel's numbers anyway.

2. Additional design, documentation, and testing burden. Every feature has a cost. The cryptographic qualities of random numbers are nearly impossible to test as a black box.

[palish]

Speaking as a graphics programmer, I hope to see this hardware-level randomness eventually incorporated into GPUs. Randomness on a GPU is hard, and there are so many ways that a RNG can improve visual quality.

For example, adding a tiny amount of film grain to the final rendered image would most easily be done with RNG.

Another example: it's common for renderers to accumulate the scene's illumination into a HDR texture, and then radially blur it. The goal is to approximate the halo you observe around light sources at night time. The problem is, a Gaussian blur is perfectly smooth --- so the resulting glow typically ends up being a perfectly smooth blurry circle of light. But a real photograph of the same scene rarely has smooth glows. The image exhibits all kinds of subtle noise in the light's corona. After all, a photograph results from interaction of light with the camera lens, multiple scattering in outdoor scenes, chromatic dispersion, interaction between polarized light and certain materials, ... and many, many more phenomena.

So rather than try to model each of those physical lighting effects in realtime, it would be wonderful to have a "RNG()" shader function to simply add a smidgen of unpredictability to our realtime rendering techniques. The closer your final image resembles nature, the better it looks --- and nature is many things, but she is not a perfectly smooth BRDF lighting model!

So yeah... It would be frickin' sweet to have this RNG on a GPU.

[Dylan16807]

In what way is randomness on a GPU hard? The nVidia SDK apparently comes with a few of them, and you can implement an LCG in handful of arithmetic operations. If you need a seed feed it in from the CPU.

I don't see the benefit of having a high-cryptographic-quality RNG for rendering.

[palish]

You'll have to take my word for it, or try it yourself: there are visually noticeable repetitive patterns that are a direct result of the naive PRNG.

For example I once modeled raindrops as falling billboards that struck the ground at some random (x,y) in your field of view, followed by a "splash" animation billboard where it struck the ground. I started by using C rand() to determine the random (x,y) of the raindrop. And it looked terrible! The raindrops would mysteriously clump together in sinewave-like patterns, and seemingly avoid some spots altogether.

I dropped in a Mersenne Twister RNG and the problem instantly went away. I didn't change a thing except the RNG.

So yeah, a few arithmetic ops gets you rand() quality. But humans are unfortunately good at noticing the overall bias in the resulting patterns.

And you'll run into similar problems when e.g. trying to implement a non-repeating perlin noise function on a GPU. I tried it with a weighted combination of several different perlin noise textures... but I had to be very careful about aliasing artificts in some of the more interesting effects; while also being careful of avoiding visually-repetitive patterns (which almost always occur).

The value of Intel's RNG, I'd imagine, is that it's uniformly random and also unbiased -- meaning repetitive moire patterns won't show up in your results.

Of course it's not deterministic, which is tricky, but I can still think of several use cases for something like this.

[marshray]

So what you need is a high-quality Pseudorandom Number Generator (PRNG). You do not need a Cryptographically Secure PRNG.

This is good, what you need can be implemented significantly more efficiently than the CS version. As you mentioned, it doesn't help your application to be truly nondeterministic.

C rand() is about the worst one you can find. Mersenne Twister is great statistically, but it's quite expensive in terms of memory consumption.

As I understand GPU programming, you want to maximize parallelism. Ideally, you would have something small enough to have an independent generator for each processor. You should be able to generate perfectly random-looking numbers using 64 or 128 bits of state storage and a handful of instructions per 32-bits of output.

For example, the Skein hash function and CSPRNG can generate random data at 5 cycles per byte of output. But that's cryptographically secure, you can probably cut its state size and computational expense each in half to get statistical randomness.

[tripzilch]

I've been reading New Kind Of Science recently, intrigued by some of Wolfram's grandiose claims I ran some tests and it indeed turns out that the Rule 30 cellular automaton is a very high quality PRNG (as long as you pick the right bits). It's a very simple algorithm and very parallel too.

It's just that my version picked one bit per generation (the middle one) and the period of the PRNG is determined by the size of the buffer, so it might be a bit memory intensive for a GPU, if you need several random bits per pixel. I couldn't find any patterns within the period, though. Also it might be possible to get more than one random bit per generation, though I expect the ones right next to eachother are probably too correlated.

Formula's real simple, if the previous state and the two neighbours are labeled L,M and R, rule 30 boils down to the new state will be L xor (M and A).

[palish]

As I understand GPU programming, you want to maximize parallelism. Ideally, you would have something small enough to have an independent generator for each processor. You should be able to generate perfectly random-looking numbers using 64 or 128 bits of state storage and a handful of instructions per 32-bits of output.

A perfect assessment.

It's why I keep learning about every field --- there are so many areas that turn out to be applicable in different domains.

For example, "variance shadow maps" create soft shadows using statistical analysis. (I wish they were practical. It's just an example.)

I'll check out the Skein function, thanks.

[T-hawk]

> But humans are unfortunately good at noticing the overall bias in the resulting patterns.

Humans are also, of course, good at noticing bias in a distribution even when there isn't any. Ask any online poker player about shufflers.

[nitrogen]

Do bloom effects generally use Gaussian filters? Is anybody doing full convolution with something more natural looking, like a flat circle or a regular polygon (e.g. like Gimp's Focus Blur plugin)?

[learc83]

I've never really looking into integrated hardware random number generators, but I got the impression from the article that the previous hardware random number generators were based on analog circuits.

[Daniel_Newby]

Nothing needs gigabit rates of random numbers.

Consider a Monte Carlo algorithm on a 2 GHz processor, with a 50 instruction cycle inner loop, using a 64 bit random value per loop: it needs 2.5 Gb/sec of random bits.

[tedunangst]

There's no need for the bits to be truly random. In fact, if you ever want anyone to replicate your simulation, you'll need to provide them with the prng algorithm and seed used.

[ghshephard]

Perhaps this should be better written as "Nothing needs gigabit rates of _cryptographically strong_ random numbers."

Using a megabit rates of cryptographically strong random numbers to seed a PRNG would be fine for most purposes.

Can anyone think of a reason why you would want/use gigabit rates of truly random numbers instead of using a slower rate to see a PRNG?

[marshray]

Perhaps this should be better written as "Nothing needs gigabit rates of _cryptographically strong_ random numbers."

Yes that's what I meant to say. I probably didn't realize the discussion had widened to include insecure number generation.

[algorias]

>Using a megabit rates of cryptographically strong random numbers to seed a PRNG would be fine for most purposes.

And that's exactly what the hardware described in the article does for you.

[Daniel_Newby]

True. Although the new Intel system is not cryptographically secure.

Gigabit true random numbers could be used to modulate a jam-resistant radar signal. That makes it difficult for an opponent to use active electronics to cloak their target, even in principle. However actual systems would use dedicated hardware, not an Intel chip.

The profoundly paranoid could interleave true random bits with their data bits before encrypting (discard them on receipt). Pattern analysis would become much more difficult.

[rwg]

VIA's "Nehemiah" core C3 CPUs had hardware random number generation, as well as hardware AES assist, way back in 2003. (And, of course, VIA's "PadLock" instructions and Intel's RdRand instruction + AES-NI instructions are totally different. Hooray for continued x86 instruction set fragmentation!)

Edit: It just occurred to me that you're probably referring to the implementation, not the existence of a hardware RNG in x86. Doh!

[wmf]

Yeah, IIRC VIA is using the same ring oscillator style that Intel used to use. This article is about a new, lower-power RNG design.

[marshray]

The idea that a hardware RNG would ever need to consume a noticeable amount of power on a 20W CPU seems strange to me. Lots of low power chips have them. A quick search returns a paper titled "A 2.92μW Hardware Random Number Generator".

[jbri]

Having a look at that paper, the actual rate at which it produces bits is very low - for 2.92μW, they're producing only 500 bits per second.

For an embedded device that might be suitable, but for a consumer or server machine you need a much higher bitrate.

[tedunangst]

You only need a little "grade-A" random to seed an appropriate high bitrate algorithm from time to time.

[marshray]

No one has ever broken a properly designed CSPRNG properly seeded with more than 100 or 200 bits of entropy, total.