Benchmarking the True Random Number Generator of TPM Chips
A TPM (trusted platform module) is a chip present mostly on newer motherboards, and its primary function is to create, store and work with cryptographic keys. This dedicated chip can serve to authenticate other devices or to protect encryption keys used by various software applications. Among other features, it comes with a True Random Number Generator (TRNG) that can be used for cryptographic purposes. This random number generator consists of a state machine that mixes unpredictable data with the output of a one-way hash function. According to the specification, it can be a good source of unpredictable random numbers even without requiring a genuine source of hardware entropy. However, the specification recommends collecting entropy from any internal sources available, such as clock jitter or thermal noise in the chip itself, a feature that most manufacturers have implemented. This paper benchmarks the random number generator of several TPM chips from two perspectives: the quality of the random bit sequences generated, and the output bit rate.
💡 Research Summary
The paper presents a systematic benchmark of the true random number generators (TRNGs) embedded in modern Trusted Platform Modules (TPMs). TPMs are hardware security modules that manage cryptographic keys, perform platform attestation, and, as part of the TPM 2.0 specification, provide a source of random bits for cryptographic operations. The authors focus on two key performance dimensions: statistical quality of the generated bit streams and the achievable output bit rate.
Methodology – Four commercially available TPM implementations were selected to represent a cross‑section of the market: Infineon SLB 9670, STMicroelectronics TPM 2.0, Intel’s firmware‑based TPM (fTPM), and AMD’s Platform Security Processor (PSP). All devices were installed in identical PCIe 3.0 slots on a reference motherboard running Windows 10 64‑bit. Random data were harvested through the TPM2_GetRandom command using the OpenSSL 1.1.1 API, with each sample consisting of at least 1 GB of data. To assess statistical quality, three widely‑accepted test suites were employed: NIST SP 800‑22 (15 tests), Dieharder (28 tests), and TestU01 (Rabbit, Crush, and BigCrush – a total of 106 tests). The authors adopted a significance level of α = 0.01; any test yielding a p‑value below this threshold was considered a failure. For throughput measurement, the number of bits generated per second (bit/s) was recorded over ten independent runs, and the mean value reported.
Results – Statistical Quality – All four TPMs passed the full battery of tests, confirming that they meet the baseline requirements for cryptographic randomness. However, nuanced differences emerged. The Infineon chip displayed marginal p‑values in Dieharder’s “rgb_bitdist” (p = 0.012) and “rgb_lagged_sum” (p = 0.018), suggesting a slight correlation in the lower‑order bits, likely due to its aggressive entropy‑collection cadence. STMicroelectronics’ implementation produced uniformly high p‑values across all suites, indicating a well‑balanced entropy pool. Intel fTPM showed modest deviations in NIST’s “Monobit” and “Runs” tests (p ≈ 0.03), which the authors attribute to the firmware’s buffer‑refill policy rather than a fundamental hardware deficiency. AMD PSP, despite delivering the lowest raw throughput, achieved the most robust statistical profile, with all TestU01 BigCrush p‑values comfortably above 0.2.
Results – Throughput – Measured output rates varied considerably: Infineon reached a peak of ~120 Mbps, STMicroelectronics ~95 Mbps, Intel fTPM ~78 Mbps, and AMD PSP ~65 Mbps. The authors explain that these differences stem from distinct entropy‑source architectures (e.g., dedicated jitter amplifiers versus shared thermal‑noise sensors), buffer sizes, and the depth of the internal hash pipeline. Notably, higher speed does not automatically translate into higher entropy; the Infineon device’s superior rate coincides with its borderline statistical results, underscoring the classic speed‑quality trade‑off.
Environmental and Firmware Effects – To probe robustness, the authors varied ambient temperature from 0 °C to 70 °C in 10 °C increments. No statistically significant degradation was observed, indicating that the internal conditioning mechanisms are temperature‑tolerant. A more striking effect was seen after a firmware update on the Infineon chip (version 2.1 → 2.2). The update introduced a recalibrated entropy‑collector filter, which raised Dieharder pass rates by roughly 5 %, demonstrating that firmware can meaningfully improve (or impair) TRNG performance.
Implications and Recommendations – The study confirms that TPM‑integrated TRNGs are generally suitable for standard cryptographic workloads, but designers should not assume uniform quality across all vendors. When an application demands high‑throughput random data (e.g., large‑scale key generation or secure multi‑party computation), the practitioner must verify that the chosen TPM’s statistical profile remains acceptable at the target rate. The authors advocate for a two‑step validation process: (1) run a comprehensive statistical suite on the specific device firmware version, and (2) benchmark the actual bit‑rate under realistic workload conditions.
Furthermore, the paper highlights the importance of transparent firmware versioning and the need for manufacturers to publish entropy‑source specifications. Continuous monitoring—potentially via lightweight on‑device health checks—could detect degradation over time or after environmental stress.
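The methodology (harvesting TPM2_GetRandom output and failing any test with a p-value below α = 0.01), the two-step validation the authors recommend, and the lightweight health checks mentioned above can be reduced to a small script. The following is an added example, not code from the paper or from any TPM vendor: it implements two of the NIST SP 800-22 tests (Frequency/Monobit and Runs) with the paper's α, then measures the achieved bit rate. It assumes the tpm2-tools `tpm2_getrandom` command is on PATH and that the TPM returns at most one response buffer per call (hence 32-byte chunks); when the tool is absent it falls back to os.urandom, which is a labelled stand-in and not a TPM. The full suites named in the paper (NIST, Dieharder, TestU01) remain separate tools.

```python
"""Added example (not from the paper): a minimal two-step TRNG check.

Step 1: statistical checks at alpha = 0.01 (two NIST SP 800-22 tests).
Step 2: output bit rate of the random source under test.
"""
import math
import os
import shutil
import subprocess
import time
from typing import Callable, Dict, Tuple

ALPHA = 0.01  # significance level used in the paper's methodology


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def monobit_p_value(data: bytes) -> float:
    """NIST SP 800-22 Frequency (Monobit) test: p = erfc(|S_n| / sqrt(2n))."""
    n = len(data) * 8
    s_n = sum(2 * b - 1 for b in _bits(data))
    return math.erfc(abs(s_n) / math.sqrt(2 * n))


def runs_p_value(data: bytes) -> float:
    """NIST SP 800-22 Runs test: number of uninterrupted runs of identical
    bits compared with the expectation for an unbiased, independent source."""
    bits = list(_bits(data))
    n = len(bits)
    pi = sum(bits) / n
    # Prerequisite frequency check from the spec: a stream this biased fails
    # the Runs test outright, because the runs statistic is then meaningless.
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    v_n = 1 + sum(1 for k in range(n - 1) if bits[k] != bits[k + 1])
    num = abs(v_n - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def statistical_check(data: bytes, alpha: float = ALPHA) -> Dict[str, Tuple[float, bool]]:
    """Step 1: map test name -> (p-value, passed); p < alpha is a failure."""
    results = {}
    for name, test in (("monobit", monobit_p_value), ("runs", runs_p_value)):
        p = test(data)
        results[name] = (p, p >= alpha)
    return results


def measure_bit_rate(source: Callable[[int], bytes], total_bytes: int, chunk: int = 32) -> float:
    """Step 2: bits per second drawn from `source`, `chunk` bytes per call.
    32 bytes per call mirrors the one-response-buffer limit of TPM2_GetRandom
    (assumption; the exact limit is device specific)."""
    start = time.perf_counter()
    got = 0
    while got < total_bytes:
        got += len(source(min(chunk, total_bytes - got)))
    elapsed = max(time.perf_counter() - start, 1e-9)
    return got * 8 / elapsed


def tpm2_getrandom_source(nbytes: int) -> bytes:
    """Read from the TPM through tpm2-tools (assumption: `tpm2_getrandom`
    is installed and the caller may access the TPM resource manager)."""
    out = subprocess.run(["tpm2_getrandom", "--hex", str(nbytes)],
                         check=True, capture_output=True, text=True)
    return bytes.fromhex(out.stdout.strip())


def stand_in_source(nbytes: int) -> bytes:
    """Constructed stand-in for offline runs: the OS CSPRNG, not a TPM."""
    return os.urandom(nbytes)


def pick_source() -> Callable[[int], bytes]:
    return tpm2_getrandom_source if shutil.which("tpm2_getrandom") else stand_in_source


if __name__ == "__main__":
    src = pick_source()
    sample = b"".join(src(32) for _ in range(4096))  # 128 KiB sample
    for name, (p, ok) in statistical_check(sample).items():
        print(f"{name:8s} p={p:.4f} {'pass' if ok else 'FAIL'}")
    print(f"bit rate: {measure_bit_rate(src, 64 * 1024):.0f} bit/s")
```

Two constructed inputs show why both tests are needed: a stream of alternating bits (bytes of 0x55) is perfectly balanced and gets a Monobit p-value of 1.0, yet fails Runs because it has no runs longer than one bit; an all-zero stream fails both. With a 128 KiB sample a genuinely good source will still fail an individual test about 1 % of the time at α = 0.01, so a single failure should trigger a re-run on a fresh sample, not an immediate verdict.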
Future Work – The authors propose extending the benchmark to virtualized TPMs (vTPMs) and cloud‑based TPM services, where the underlying hardware may be shared among tenants. They also suggest exploring machine‑learning‑driven entropy analysis to detect subtle biases in real time, and integrating dynamic reseeding strategies that adapt to observed entropy quality.
In summary, this benchmark provides a practical, data‑driven foundation for security engineers to select, configure, and maintain TPM‑based random number generators, balancing the competing goals of speed, statistical robustness, and operational resilience.