RDRAND

RDRAND is an instruction for returning random numbers from an Intel on-chip hardware random number generator which has been seeded by an on-chip entropy source. RDRAND is available in Ivy Bridge processors and is part of the Intel 64 and IA-32 instruction set architectures. AMD added support for the instruction in June 2015. The random number generator is compliant with security and cryptographic standards such as NIST SP 800-90A, FIPS 140-2, and ANSI X9.82. Intel also requested Cryptography Research Inc. to review the random number generator in 2012, which resulted in the paper "Analysis of Intel's Ivy Bridge Digital Random Number Generator".

RDSEED is similar to RDRAND and provides lower-level access to the entropy-generating hardware. The RDSEED generator and processor instruction rdseed are available with Intel Broadwell CPUs and AMD Zen CPUs.

Overview
The CPUID instruction can be used to check whether the central processing unit supports the RDRAND instruction, on both AMD and Intel CPUs. If supported, bit 30 of the ECX register is set after calling CPUID standard function 01H. AMD processors are checked for the feature using the same test. RDSEED availability can be checked on Intel CPUs in a similar manner: if RDSEED is supported, bit 18 of the EBX register is set after calling CPUID standard function 07H.

The opcode for RDRAND is 0x0F 0xC7, followed by a ModRM byte that specifies the destination register, optionally combined with a REX prefix in 64-bit mode.

Intel Secure Key is Intel's name for both the RDRAND instruction and the underlying random number generator hardware implementation, which was codenamed "Bull Mountain" during development. Intel calls their RNG a "digital random number generator" or DRNG. The generator takes pairs of 256-bit raw entropy samples generated by the hardware entropy source and applies them to an Advanced Encryption Standard conditioner which reduces them to a single 256-bit conditioned entropy sample. A deterministic random-bit generator called CTR_DRBG, defined in NIST SP 800-90A, is seeded by the output from the conditioner, providing cryptographically secure random numbers to applications requesting them via the RDRAND instruction. The hardware will issue a maximum of 511 128-bit samples before changing the seed value. Using the RDSEED operation provides access to the conditioned 256-bit samples from the AES-CBC-MAC.

The RDSEED instruction was added to Intel Secure Key for seeding another pseudorandom number generator, available in Broadwell CPUs. The entropy source for the RDSEED instruction runs asynchronously on a self-timed circuit and uses thermal noise within the silicon to output a random stream of bits at the rate of 3 GHz, slower than the effective 6.4 Gbit/s obtainable from RDRAND. The RDSEED instruction is intended for seeding a software PRNG of arbitrary width, whereas RDRAND is intended for applications that merely require high-quality random numbers. If cryptographic security is not required, a software PRNG such as Xorshift is usually faster.

Performance
On an Intel Core i7-7700K, 4500 MHz processor, a single RDRAND or RDSEED instruction takes 110 ns or 463 clock cycles, regardless of the operand size. This number of clock cycles applies to all processors with Skylake or Kaby Lake microarchitecture. On the Silvermont microarchitecture processors, each of the instructions takes around 1472 clock cycles, regardless of the operand size; and on Ivy Bridge processors RDRAND takes up to 117 clock cycles. On an AMD Ryzen CPU, each of the instructions takes around 1200 clock cycles for a 16-bit or 32-bit operand, and around 2500 clock cycles for a 64-bit operand.

An astrophysical Monte Carlo simulator examined the time to generate 10^7 64-bit random numbers using RDRAND on a quad-core Intel i7-3740QM processor. They found that a C implementation of RDRAND ran about 2x slower than the default random number generator in C, and about 20x slower than the Mersenne Twister. Although a Python module of RDRAND has been constructed, it was found to be 20x slower than the default random number generator in Python.

Compilers
Visual C++ 2015 provides intrinsic wrapper support for the RDRAND and RDSEED functions. GCC 4.6+ and Clang 3.2+ provide intrinsic functions for RDRAND when -mrdrnd is specified in the flags, also setting __RDRND__ to allow conditional compilation. Newer versions additionally provide immintrin.h to wrap these built-ins into functions compatible with version 12.1+ of Intel's C Compiler. These functions write random data to the location pointed to by their parameter, and return 1 on success.

Applications
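A small self-contained program that applies the CPUID checks from the Overview section and the GCC/Clang intrinsics from the Compilers section, added here as an example; it is not code from the original article, from Intel or from any compiler project. The feature-bit decoders, the opcode encoder and the retry policy are separate functions so they can be checked on any machine, while the hardware path only runs on x86-64 after CPUID reports support. The ModRM reg-field values /6 (RDRAND) and /7 (RDSEED) come from Intel's instruction encoding, which the article does not spell out; the ten-retry bound follows Intel's published guidance for RDRAND, and the helper names and the larger RDSEED bound are this example's own choices.

```c
/* rdrand_demo.c: CPUID feature detection, RDRAND/RDSEED opcode encoding, and
 * the GCC/Clang intrinsics wrapped in a bounded retry loop. Build with plain
 * `cc -O2 rdrand_demo.c`; the target attributes make -mrdrnd/-mrdseed unnecessary. */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__)
#include <cpuid.h>      /* __get_cpuid, __get_cpuid_max, __cpuid_count */
#include <immintrin.h>  /* _rdrand64_step, _rdseed64_step */
#define HAVE_X86_64 1
#else
#define HAVE_X86_64 0   /* other architectures: detection reports "absent" */
#endif

/* Feature bits as stated in the Overview: leaf 01H sets ECX bit 30 for RDRAND,
 * leaf 07H (sub-leaf 0) sets EBX bit 18 for RDSEED. Pure functions, so the
 * decoding can be checked without the hardware. */
int ecx1_has_rdrand(uint32_t ecx) { return (ecx >> 30) & 1u; }
int ebx7_has_rdseed(uint32_t ebx) { return (ebx >> 18) & 1u; }

int cpu_has_rdrand(void) {
#if HAVE_X86_64
    unsigned a, b, c, d;
    return __get_cpuid(1, &a, &b, &c, &d) ? ecx1_has_rdrand(c) : 0;
#else
    return 0;
#endif
}

int cpu_has_rdseed(void) {
#if HAVE_X86_64
    unsigned a, b, c, d;
    if (__get_cpuid_max(0, 0) < 7) return 0;   /* leaf 07H not implemented */
    __cpuid_count(7, 0, a, b, c, d);
    return ebx7_has_rdseed(b);
#else
    return 0;
#endif
}

/* Encode "rdrand r64" or "rdseed r64": REX.W (plus REX.B for r8..r15), opcode
 * 0F C7, then ModRM with mod=11, reg field /6 (RDRAND) or /7 (RDSEED), and the
 * destination register in r/m. Returns bytes written, 0 for a bad register. */
int encode_rd64(int want_seed, int regno, uint8_t out[4]) {
    if (regno < 0 || regno > 15) return 0;
    out[0] = (uint8_t)(0x48 | ((regno >> 3) & 1));
    out[1] = 0x0F;
    out[2] = 0xC7;
    out[3] = (uint8_t)(0xC0 | ((want_seed ? 7 : 6) << 3) | (regno & 7));
    return 4;
}

/* The intrinsics return 1 on success and 0 when no fresh output was ready
 * (carry flag clear). Intel's guidance is to retry a bounded number of times
 * before falling back to another source; taking the single-step function as
 * a pointer keeps that policy testable on machines without the hardware. */
typedef int (*step64_fn)(uint64_t *out);

int fill_with_retry(step64_fn step, uint64_t *out, int max_tries) {
    for (int i = 0; i < max_tries; i++)
        if (step(out)) return 1;
    return 0;   /* persistent failure: the caller must use another source */
}

/* Constructed stand-in for a generator that never signals success. */
int never_ready_step(uint64_t *out) { (void)out; return 0; }

#if HAVE_X86_64
__attribute__((target("rdrnd")))
int hw_rdrand64_step(uint64_t *out) {
    unsigned long long v = 0;           /* the intrinsic's own pointer type */
    int ok = _rdrand64_step(&v);
    *out = (uint64_t)v;
    return ok;
}
__attribute__((target("rdseed")))
int hw_rdseed64_step(uint64_t *out) {
    unsigned long long v = 0;
    int ok = _rdseed64_step(&v);
    *out = (uint64_t)v;
    return ok;
}
#endif

/* Public entry point: 1 on success, 0 if the feature is absent or the unit
 * stayed unready. Checking CPUID first means an unsupported opcode (#UD)
 * is never executed. */
int hw_random64(int want_seed, uint64_t *out, int max_tries) {
#if HAVE_X86_64
    if (want_seed ? cpu_has_rdseed() : cpu_has_rdrand())
        return fill_with_retry(want_seed ? hw_rdseed64_step : hw_rdrand64_step,
                               out, max_tries);
#endif
    (void)want_seed; (void)out; (void)max_tries;
    return 0;
}

int main(void) {
    uint8_t enc[4];
    int n = encode_rd64(0, 0, enc);
    printf("rdrand rax encodes as:");
    for (int i = 0; i < n; i++) printf(" %02X", enc[i]);
    printf("\nRDRAND: %d  RDSEED: %d\n", cpu_has_rdrand(), cpu_has_rdseed());
    uint64_t v;
    if (hw_random64(0, &v, 10))  printf("rdrand64: %016llx\n", (unsigned long long)v);
    if (hw_random64(1, &v, 100)) printf("rdseed64: %016llx\n", (unsigned long long)v);
    return 0;
}
```

On a CPU that reports the feature, hw_random64 returns 1 and fills out; on any other CPU or architecture it returns 0 without ever executing the instruction, which is the check a library should make before trusting the intrinsic's 1/0 result. RDSEED legitimately returns 0 more often than RDRAND because it waits on the entropy source rather than on the DRBG, hence the larger bound passed for it in main.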
It is an option to generate cryptographically secure random numbers using RDRAND and RDSEED in OpenSSL, to help secure communications.

The first scientific application of RDRAND can be found in astrophysics. Radio observations of low-mass stars and brown dwarfs have revealed that a number of them emit bursts of radio waves. These radio waves are caused by magnetic reconnection, the same process that causes solar flares on the Sun. RDRAND was used to generate large quantities of random numbers for a Monte Carlo simulator, to model physical properties of the brown dwarfs and the effects of the instruments that observe them. They found that about 5% of brown dwarfs are sufficiently magnetic to emit strong radio bursts. They also evaluated the performance of the RDRAND instruction in C and Python compared to other random number generators.

Reception
In September 2013, in response to a New York Times article revealing the NSA's effort to weaken encryption, Theodore Ts'o publicly posted concerning the use of RDRAND for /dev/random in the Linux kernel:

Linus Torvalds dismissed concerns about the use of RDRAND in the Linux kernel, and pointed out that it is not used as the only source of entropy for /dev/random, but rather used to improve the entropy by combining the values received from RDRAND with other sources of randomness. However, Taylor Hornby of Defuse Security demonstrated that the Linux random number generator could become insecure if a backdoor is introduced into the RDRAND instruction that specifically targets the code using it. Hornby's proof-of-concept implementation works on an unmodified Linux kernel prior to version 3.13. The issue was fixed in the Linux kernel in 2013.

Developers changed the FreeBSD kernel away from using RDRAND and VIA PadLock directly with the comment "For 10, we are going to backtrack and remove RDRAND and Padlock backends and feed them into Yarrow instead of delivering their output directly to /dev/random. It will still be possible to access hardware random number generators, that is, RDRAND, Padlock etc., directly by inline assembly or by using OpenSSL from userland, if required, but we cannot trust them any more."
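The design point behind both kernel changes above is where the hardware output enters the generator, not merely whether it is "combined with other sources". The following program, added here as an example and not code from Linux, FreeBSD or the article, contrasts the two structures on a toy pool: one XORs the hardware value into the output as the last step, the other feeds it through the mixing function as just another input. mix64 is a non-cryptographic stand-in for a kernel's hash, the pool and both source functions are constructed for the demonstration, and pool_aware_source models the worst case the article describes, a generator that can observe the code using it.

```c
/* mixer_demo.c: where a hardware RNG's output enters the pool matters more
 * than whether it is "combined with other sources". mix64() is a toy
 * stand-in for a kernel's cryptographic hash; only the structure of the two
 * designs is the point here. */
#include <stdint.h>
#include <stdio.h>

/* splitmix64 finaliser: a 64-bit bijection, NOT a cryptographic hash. */
uint64_t mix64(uint64_t x) {
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x;
}

typedef struct { uint64_t state; } pool_t;

/* Fold a sample from any source (interrupt timing, disk, ...) into the pool. */
void pool_add(pool_t *p, uint64_t sample) { p->state = mix64(p->state ^ sample); }

/* What the pool hands out when asked for output. */
uint64_t pool_digest(const pool_t *p) { return mix64(p->state); }

/* A hardware source, modelled as a function. It is given a view of the pool
 * only to express the worst case discussed above: a generator that can
 * observe the code using it. An honest source ignores that view. */
typedef uint64_t (*hw_source_fn)(const pool_t *visible_pool);

/* Design A (the shape the pre-3.13 concern was about): the hardware value
 * is XORed into the final output, after all other mixing is done. */
uint64_t output_xor_at_end(const pool_t *p, hw_source_fn hw) {
    return pool_digest(p) ^ hw(p);
}

/* Design B (the direction both kernels moved in): the hardware value is just
 * another input that goes through the mixing function, so no single source
 * can determine the output on its own. */
uint64_t output_hash_input(const pool_t *p, hw_source_fn hw) {
    pool_t tmp = *p;
    pool_add(&tmp, hw(p));
    return pool_digest(&tmp);
}

/* Constructed sources for the demonstration. */
uint64_t honest_source(const pool_t *p) { (void)p; return 0x0123456789abcdefULL; }
uint64_t pool_aware_source(const pool_t *p) { return pool_digest(p); }

/* The same constructed pool for the demo run and for the checks. */
pool_t demo_pool(void) {
    pool_t p = {0};
    pool_add(&p, 0x1111);   /* constructed "other" entropy samples */
    pool_add(&p, 0x2222);
    return p;
}

int main(void) {
    pool_t p = demo_pool();
    printf("honest source     A=%016llx  B=%016llx\n",
           (unsigned long long)output_xor_at_end(&p, honest_source),
           (unsigned long long)output_hash_input(&p, honest_source));
    printf("pool-aware source A=%016llx  B=%016llx\n",
           (unsigned long long)output_xor_at_end(&p, pool_aware_source),
           (unsigned long long)output_hash_input(&p, pool_aware_source));
    /* Design A's output is fully determined by the hardware source in the
     * second line; Design B's still depends on the other samples. */
    return 0;
}
```

Against the honest source both designs look fine, which is why "it is combined with other entropy" sounded reassuring. Against a source that can see the state, Design A's output is whatever that source chooses, because XOR at the output stage lets one input cancel every other; Design B keeps every source behind the mixing function, which is the property a real generator gets from a cryptographic hash rather than from the toy mix64 used here.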