RDRAND

From Wikipedia, the free encyclopedia
Computer instruction for returning hardware-generated random numbers

RDRAND (for "read random") is an instruction for returning random numbers from an Intel on-chip hardware random number generator which has been seeded by an on-chip entropy source.[1] It is also known as Intel Secure Key Technology,[2] codenamed Bull Mountain.[3] Intel introduced the feature around 2012, and AMD added support for the instruction in June 2015. RDRAND is available in Ivy Bridge processors[a] and is part of the Intel 64 and IA-32 instruction set architectures.[5]

The random number generator is compliant with security and cryptographic standards such as NIST SP 800-90A,[6] FIPS 140-2, and ANSI X9.82.[1] After a request from Intel, Cryptography Research Inc. released research on RDRAND in the paper Analysis of Intel's Ivy Bridge Digital Random Number Generator.[7]

RDSEED is similar to RDRAND and provides lower-level access to the entropy-generating hardware. The RDSEED generator and processor instruction rdseed are available with Intel Broadwell CPUs[8] and AMD Zen CPUs.[9]

Overview


The CPUID instruction can be used on both AMD and Intel CPUs to check whether the RDRAND instruction is supported. If it is, bit 30 of the ECX register is set after calling CPUID standard function 01H.[10] AMD processors are checked for the feature using the same test.[11] RDSEED availability can be checked on Intel CPUs in a similar manner. If RDSEED is supported, bit 18 of the EBX register is set after calling CPUID standard function 07H.[12]

The opcode for RDRAND is 0x0F 0xC7, followed by a ModRM byte that specifies the destination register and optionally combined with a REX prefix in 64-bit mode.[13]

Intel Secure Key is Intel's name for both the RDRAND instruction and the underlying random number generator (RNG) hardware implementation,[1] which was codenamed "Bull Mountain" during development.[14] Intel calls its RNG a "digital random number generator" or DRNG. The generator takes pairs of 256-bit raw entropy samples generated by the hardware entropy source and applies them to an Advanced Encryption Standard (AES) (in CBC-MAC mode) conditioner which reduces them to a single 256-bit conditioned entropy sample. A deterministic random-bit generator called CTR DRBG defined in NIST SP 800-90A is seeded by the output from the conditioner, providing cryptographically secure random numbers to applications requesting them via the RDRAND instruction.[1][14] The hardware will issue a maximum of 511 128-bit samples before changing the seed value. Using the RDSEED operation provides access to the conditioned 256-bit samples from the AES-CBC-MAC.

The RDSEED instruction was added to Intel Secure Key for seeding another pseudorandom number generator,[15] available in Broadwell CPUs. The entropy source for the RDSEED instruction runs asynchronously on a self-timed circuit and uses thermal noise within the silicon to output a random stream of bits at the rate of 3 GHz,[16] slower than the effective 6.4 Gbit/s obtainable from RDRAND (both rates are shared between all cores and threads).[17] The RDSEED instruction is intended for seeding a software PRNG of arbitrary width, whereas RDRAND is intended for applications that merely require high-quality random numbers. If cryptographic security is not required, a software PRNG such as Xorshift is usually faster.[18]

Performance


On an Intel Core i7-7700K, 4500 MHz (45 × 100 MHz) processor (Kaby Lake-S microarchitecture), a single RDRAND or RDSEED instruction takes 110 ns, or 463 clock cycles, regardless of the operand size (16/32/64 bits). This number of clock cycles applies to all processors with Skylake or Kaby Lake microarchitecture. On the Silvermont microarchitecture processors, each of the instructions takes around 1472 clock cycles, regardless of the operand size; and on Ivy Bridge processors RDRAND takes up to 117 clock cycles.[19]

On an AMD Ryzen CPU, each of the instructions takes around 1200 clock cycles for a 16-bit or 32-bit operand, and around 2500 clock cycles for a 64-bit operand.[19]

An astrophysical Monte Carlo simulator examined the time to generate 10^7 64-bit random numbers using RDRAND on a quad-core Intel i7-3740QM processor. They found that a C implementation of RDRAND ran about 2× slower than the default random number generator in C, and about 20× slower than the Mersenne Twister. A Python module for RDRAND has also been constructed; it was found to be 20× slower than the default random number generator in Python,[20] although a like-for-like performance comparison between a PRNG and a CSPRNG cannot be made.

A microcode update released by Intel in June 2020, designed to mitigate the CrossTalk vulnerability (see the security issues section below), negatively impacts the performance of RDRAND and RDSEED due to additional security controls. On processors with the mitigations applied, each affected instruction incurs additional latency, and simultaneous execution of RDRAND or RDSEED across cores is effectively serialised. Intel introduced a mechanism to relax these security checks, thus reducing the performance impact in most scenarios, but Intel processors do not apply this security relaxation by default.[21]

Compilers


Visual C++ 2015 provides intrinsic wrapper support for the RDRAND and RDSEED functions.[22] GCC 4.6+ and Clang 3.2+ provide intrinsic functions for RDRAND when -mrdrnd is specified in the flags,[23] also setting __RDRND__ to allow conditional compilation. Newer versions additionally provide immintrin.h to wrap these built-ins into functions compatible with version 12.1+ of Intel's C Compiler. These functions write random data to the location pointed to by their parameter, and return 1 on success.[24]
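As an added example (not code from the article, Intel, or any compiler vendor), the CPUID probe described in the Overview section together with the success-flag retry loop that the intrinsics' "return 1 on success" contract requires. It uses GCC/Clang inline assembly instead of the _rdrand64_step intrinsic so it builds without -mrdrnd; the function names and the retry count RDRAND_RETRIES = 10 are choices made here, not values from the article.

```c
/* Added example, not code from the article or from Intel: probe CPUID for
 * RDRAND/RDSEED and read RDRAND with the retry loop its carry flag demands.
 * Builds with GCC/Clang; on non-x86 targets every probe reports "absent".
 * RDRAND_RETRIES = 10 is a value chosen here, not one taken from the article. */
#include <stdint.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define RDRAND_RETRIES 10

/* Pure bit tests, so the CPUID decoding is checkable without hardware:
 * CPUID.01H:ECX bit 30 -> RDRAND, CPUID.(EAX=07H,ECX=0):EBX bit 18 -> RDSEED. */
int ecx_reports_rdrand(uint32_t ecx) { return (ecx >> 30) & 1u; }
int ebx_reports_rdseed(uint32_t ebx) { return (ebx >> 18) & 1u; }

int cpu_has_rdrand(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    return __get_cpuid(1, &a, &b, &c, &d) ? ecx_reports_rdrand(c) : 0;
#else
    return 0;
#endif
}

int cpu_has_rdseed(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    if (__get_cpuid_max(0, 0) < 7) return 0;   /* leaf 7 must exist */
    __cpuid_count(7, 0, a, b, c, d);
    return ebx_reports_rdseed(b);
#else
    return 0;
#endif
}

/* One RDRAND attempt. CF=1: the DRNG delivered a value; CF=0: not ready,
 * and the destination must not be used. Encoding is 0F C7 with ModRM /6. */
static int rdrand64_once(uint64_t *out) {
#if defined(__x86_64__)
    unsigned char ok;
    __asm__ volatile("rdrand %0; setc %1" : "=r"(*out), "=qm"(ok) : : "cc");
    return ok;
#else
    *out = 0;
    return 0;
#endif
}

/* Returns 1 with a fresh 64-bit value in *out, or 0 when the instruction is
 * absent or failed RDRAND_RETRIES times; callers must treat 0 as "no data". */
int rdrand64_retry(uint64_t *out) {
    if (!cpu_has_rdrand()) return 0;
    for (int i = 0; i < RDRAND_RETRIES; i++)
        if (rdrand64_once(out)) return 1;
    return 0;
}
```

The bit-test helpers are split out so the decoding can be checked with constructed register values on a machine that lacks the instruction.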

Applications


OpenSSL can optionally use RDRAND and RDSEED to generate cryptographically secure random numbers, to help secure communications.

The scientific use of RDRAND in a Monte Carlo simulator was evaluated for performance and reproducibility against other random number generators. The conclusion was that using RDRAND instead of the Mersenne Twister does not produce different results, but gives worse performance and reproducibility.[25][20]

Reception


In September 2013, in response to a New York Times article revealing the NSA's effort to weaken encryption,[26] Theodore Ts'o publicly posted concerning the use of RDRAND for /dev/random in the Linux kernel:[27]

I am so glad I resisted pressure from Intel engineers to let /dev/random rely only on the RDRAND instruction. To quote from the [New York Times article[26]]: "By this year, the Sigint Enabling Project had found ways inside some of the encryption chips that scramble information for businesses and governments, either by working with chipmakers to insert back doors..." Relying solely on the hardware random number generator which is using an implementation sealed inside a chip which is impossible to audit is a BAD idea.

Linus Torvalds dismissed concerns about the use of RDRAND in the Linux kernel and pointed out that it is not used as the only source of entropy for /dev/random, but rather used to improve the entropy by combining the values received from RDRAND with other sources of randomness.[28][29] However, Taylor Hornby of Defuse Security demonstrated that the Linux random number generator could become insecure if a backdoor is introduced into the RDRAND instruction that specifically targets the code using it. Hornby's proof-of-concept implementation works on an unmodified Linux kernel prior to version 3.13.[30][31][32] The issue was mitigated in the Linux kernel in 2013.[33]

Developers changed the FreeBSD kernel away from using RDRAND and VIA PadLock directly with the comment "For FreeBSD 10, we are going to backtrack and remove RDRAND and Padlock backends and feed them into Yarrow instead of delivering their output directly to /dev/random. It will still be possible to access hardware random number generators, that is, RDRAND, Padlock etc., directly by inline assembly or by using OpenSSL from userland, if required, but we cannot trust them any more."[28][34] FreeBSD /dev/random uses Fortuna and RDRAND starting from FreeBSD 11.[35]

Security issues

See also: Transient execution CPU vulnerability

On 9 June 2020, researchers from Vrije Universiteit Amsterdam published a side-channel attack named CrossTalk (CVE-2020-0543) that affected RDRAND on a number of Intel processors.[36] They discovered that outputs from the hardware digital random number generator (DRNG) were stored in a staging buffer that was shared across all cores. The vulnerability allowed malicious code running on an affected processor to read RDRAND and RDSEED instruction results from a victim application running on another core of that same processor, including applications running inside Intel SGX enclaves.[36] The researchers developed a proof-of-concept exploit[37] which extracted a complete ECDSA key from an SGX enclave running on a separate CPU core after only one signature operation.[36] The vulnerability affects scenarios where untrusted code runs alongside trusted code on the same processor, such as in a shared hosting environment.

Intel refers to the CrossTalk vulnerability as Special Register Buffer Data Sampling (SRBDS). In response to the research, Intel released microcode updates to mitigate the issue. The updated microcode ensures that off-core accesses are delayed until sensitive operations – specifically the RDRAND, RDSEED, and EGETKEY instructions – are completed and the staging buffer has been overwritten.[21] The SRBDS attack also affects other instructions, such as those that read MSRs, but Intel did not apply additional security protections to them due to performance concerns and the reduced need for confidentiality of those instructions' results.[21] A wide range of Intel processors released between 2012 and 2019 were affected, including desktop, mobile, and server processors.[38][39] The mitigations themselves resulted in negative performance impacts when using the affected instructions, particularly when executed in parallel by multi-threaded applications, due to increased latency introduced by the security checks and the effective serialisation of affected instructions across cores. Intel introduced an opt-out option, configurable via the IA32_MCU_OPT_CTRL MSR on each logical processor, which improves performance by disabling the additional security checks for instructions executing outside of an SGX enclave.[21]

In October 2025, an issue with RDSEED on AMD Zen 5 processors was discovered by Gregory Price of Meta Platforms: the RDSEED instruction could return a value of 0 instead of a random number while incorrectly signalling success. This affects only the 16-bit and 32-bit forms of the instruction, not the 64-bit form.[40][41]
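An added example (not code from the article, from AMD, or from any kernel or library) of how a caller can defend against the failure mode just described: a RDSEED wrapper that trusts a result only when the carry flag is set and, for the narrow forms, the value is not 0, and that prefers the unaffected 64-bit form. The acceptance policy, the function names and RDSEED_RETRIES = 100 are assumptions made here; it targets x86-64 GCC/Clang and reports "unsupported" elsewhere.

```c
/* Added example, not code from the article, AMD or any kernel: a defensive
 * RDSEED wrapper. Policy (an assumption made here): accept a result only when
 * CF=1 and, for the 16/32-bit forms, the value is not 0 (the reported Zen 5
 * failure mode). Rejecting a genuine zero discards at most 1 in 2^16 outputs. */
#include <stdint.h>
#if defined(__x86_64__)
#include <cpuid.h>
#endif
#define RDSEED_RETRIES 100   /* chosen here; RDSEED fails more often than RDRAND */

/* Pure acceptance policy, testable without hardware; width is 16, 32 or 64. */
int rdseed_result_trusted(unsigned width, uint64_t value, int cf) {
    if (!cf) return 0;                       /* entropy source not ready */
    if (width < 64 && value == 0) return 0;  /* 0 with CF=1: treat as failure */
    return 1;
}

int rdseed_supported(void) {
#if defined(__x86_64__)
    unsigned a, b, c, d;
    if (__get_cpuid_max(0, 0) < 7) return 0; /* leaf 7 must exist */
    __cpuid_count(7, 0, a, b, c, d);
    return (b >> 18) & 1u;                   /* CPUID.07H:EBX bit 18 */
#else
    return 0;
#endif
}

/* Raw RDSEED of width 32 or 64 (16 is analogous); returns CF, value in *v. */
static int rdseed_raw(unsigned width, uint64_t *v) {
#if defined(__x86_64__)
    unsigned char cf; uint32_t r32; uint64_t r64;
    if (width == 32) {
        __asm__ volatile("rdseed %0; setc %1" : "=r"(r32), "=qm"(cf) : : "cc");
        *v = r32;
    } else {
        __asm__ volatile("rdseed %0; setc %1" : "=r"(r64), "=qm"(cf) : : "cc");
        *v = r64;
    }
    return cf;
#else
    (void)width; *v = 0; return 0;
#endif
}

/* Checked read: 1 and a trusted value in *seed, or 0 if absent/never passed. */
int rdseed_checked(unsigned width, uint64_t *seed) {
    if (!rdseed_supported() || (width != 32 && width != 64)) return 0;
    for (int i = 0; i < RDSEED_RETRIES; i++) {
        uint64_t v; int cf = rdseed_raw(width, &v);
        if (rdseed_result_trusted(width, v, cf)) { *seed = v; return 1; }
    }
    return 0;
}
```

Code seeding a PRNG should call rdseed_checked(64, ...) and treat a return of 0 as "no seed obtained" rather than falling back silently.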


Notes

  a. In some Ivy Bridge versions, due to a bug, the RDRAND instruction causes an Illegal Instruction exception.[4]

References

  1. "Intel Digital Random Number Generator (DRNG): Software Implementation Guide, Revision 1.1" (PDF). Intel Corporation. 2012-08-07. Retrieved 2012-11-25.
  2. "What is Intel® Secure Key Technology?". Intel. Retrieved 2020-09-23.
  3. Hofemeier, Gael (2011-06-22). "Find out about Intel's new RDRAND Instruction". Intel Developer Zone Blogs. Retrieved 30 December 2013.
  4. Desktop 3rd Generation Intel Core Processor Family, Specification Update (PDF). Intel Corporation. January 2013.
  5. "AMD64 Architecture Programmer's Manual Volume 3: General-Purpose and System Instructions" (PDF). AMD Developer Guides, Manuals & ISA Documents. June 2015. Retrieved 16 October 2015.
  6. Barker, Elaine; Kelsey, John (January 2012). "Recommendation for Random Number Generation Using Deterministic Random Bit Generators" (PDF). National Institute of Standards and Technology. doi:10.6028/NIST.SP.800-90A. Retrieved September 16, 2013.
  7. Hamburg, Mike; Kocher, Paul; Marson, Mark (2012-03-12). "Analysis of Intel's Ivy Bridge Digital Random Number Generator" (PDF). Cryptography Research, Inc. Archived from the original (PDF) on 2014-12-30. Retrieved 2015-08-21.
  8. Hofemeier, Gael (2012-07-26). "Introduction to Intel AES-NI and Intel SecureKey Instructions". Intel Developer Zone. Intel. Retrieved 2015-10-24.
  9. "AMD Starts Linux Enablement On Next-Gen "Zen" Architecture - Phoronix". www.phoronix.com. Retrieved 2015-10-25.
  10. "Volume 1, Section 7.3.17, 'Random Number Generator Instruction'" (PDF). Intel® 64 and IA-32 Architectures Software Developer's Manual Combined Volumes: 1, 2A, 2B, 2C, 3A, 3B and 3C. Intel Corporation. June 2013. p. 177. Retrieved 24 June 2013. "All Intel processors that support the RDRAND instruction indicate the availability of the RDRAND instruction via reporting CPUID.01H:ECX.RDRAND[bit 30] = 1"
  11. "AMD64 Architecture Programmer's Manual Volume 3: General-Purpose and System Instructions" (PDF). AMD. June 2015. p. 278. Retrieved 15 October 2015. "Support for the RDRAND instruction is optional. On processors that support the instruction, CPUID Fn0000_0001_ECX[RDRAND] = 1"
  12. "Volume 1, Section 7.3.17, 'Random Number Generator Instruction'" (PDF). Intel® 64 and IA-32 Architectures Software Developer's Manual Combined Volumes: 1, 2A, 2B, 2C, 3A, 3B and 3C. Intel Corporation. June 2013. p. 177. Retrieved 25 October 2015. "All Intel processors that support the RDSEED instruction indicate the availability of the RDSEED instruction via reporting CPUID.(EAX=07H, ECX=0H):EBX.RDSEED[bit 18] = 1"
  13. "Intel® Digital Random Number Generator (DRNG) Software Implementation Guide". Software.intel.com. Retrieved 2014-01-30.
  14. Taylor, Greg; Cox, George (September 2011). "Behind Intel's New Random-Number Generator". IEEE Spectrum. Archived from the original on September 6, 2011.
  15. Mechalas, John (November 2012). "The Difference Between RDRAND and RDSEED". software.intel.com. Intel Corporation. Retrieved 1 January 2014.
  16. Mechalas, John. "Intel Digital Random Number Generator (DRNG) Software Implementation Guide, Section 3.2.1 Entropy Source (ES)". Intel Software. Intel. Retrieved 18 February 2015.
  17. https://software.intel.com/en-us/articles/intel-digital-random-number-generator-drng-software-implementation-guide says 800 megabytes, which is 6.4 gigabits per second.
  18. The simplest 64-bit implementation of Xorshift has 3 XORs and 3 shifts; if these are executed in a tight loop on 4 cores at 2 GHz, the throughput is 80 Gb/s. In practice it will be less due to load/store overheads etc., but is still likely to exceed the 6.4 Gb/s of RDRAND. On the other hand, the quality of RDRAND's numbers should be higher than that of a software PRNG like Xorshift.
  19. "Instruction tables - Lists of instruction latencies, throughputs and micro-operation breakdown for Intel and AMD CPU's" (PDF). Archived from the original (PDF) on 2006-08-08.
  20. Route, Matthew (August 10, 2017). "Radio-flaring Ultracool Dwarf Population Synthesis". The Astrophysical Journal. 845 (1): 66. arXiv:1707.02212. Bibcode:2017ApJ...845...66R. doi:10.3847/1538-4357/aa7ede. S2CID 118895524.
  21. "Special Register Buffer Data Sampling". Intel. Retrieved 26 December 2020.
  22. "x86 intrinsics list". docs.microsoft.com. 2020-02-28. Retrieved 2020-05-07.
  23. "X86 Built-in Functions - Using the GNU Compiler Collection (GCC)".
  24. "Intel® C++ Compiler 19.1 Developer Guide and Reference". 2019-12-23.
  25. Route, Matthew (2019). "Intel Secure Key-Powered Radio-flaring Ultracool Dwarf Population Synthesis". American Astronomical Society Meeting Abstracts #234. 234. American Astronomical Society Meeting #234, id. 207.01. Bulletin of the American Astronomical Society, Vol. 51, No. 4. Bibcode:2019AAS...23420701R.
  26. Perlroth, Nicole; Larson, Jeff; Shane, Scott (September 5, 2013). "N.S.A. Able to Foil Basic Safeguards of Privacy on Web". The New York Times. Retrieved November 15, 2017.
  27. Ts'o, Theodore (September 6, 2013). "I am so glad I resisted pressure from Intel engineers to let /dev/random rely...". Archived from the original on 2018-06-11.
  28. Chirgwin, Richard (2013-12-09). "FreeBSD abandoning hardware randomness". The Register.
  29. Clarke, Gavin (10 September 2013). "Torvalds shoots down call to yank 'backdoored' Intel RDRAND in Linux crypto". theregister.co.uk. Retrieved 12 March 2014.
  30. Hornby, Taylor (6 December 2013). "RDRAND backdoor proof of concept is working! Stock kernel (3.8.13), only the RDRAND instruction is modified". Retrieved 9 April 2015.
  31. Hornby, Taylor [@DefuseSec] (10 September 2013). "I wrote a short dialogue explaining why Linux's use of RDRAND is problematic. http://pastebin.com/A07q3nL3 /cc @kaepora @voodooKobra" (Tweet). Retrieved 11 January 2016 – via Twitter.
  32. Bernstein, Daniel J.; Lange, Tanja (16 May 2014). "Randomness generation" (PDF). Retrieved 9 April 2015.
  33. Ts'o, Theodore (2013-10-10). "random: mix in architectural randomness earlier in extract_buf()". GitHub. Retrieved 30 July 2021.
  34. "FreeBSD Quarterly Status Report". Freebsd.org. Retrieved 2014-01-30.
  35. "random(4)". www.freebsd.org. Retrieved 2020-09-25.
  36. Ragab, Hany; Milburn, Alyssa; Razavi, Kaveh; Bos, Herbert; Giuffrida, Cristiano. "CrossTalk: Speculative Data Leaks Across Cores Are Real" (PDF). Systems and Network Security Group, Vrije Universiteit Amsterdam (VUSec). Retrieved 26 December 2020.
  37. "VUSec RIDL cpuid_leak PoC, modified to leak rdrand output". GitHub. Retrieved 26 December 2020.
  38. "Processors Affected: Special Register Buffer Data Sampling". Intel Developer Zone. Intel. Archived from the original on 4 March 2021. Retrieved 26 December 2020.
  39. "Processors Affected: Special Register Buffer Data Sampling". Intel. Archived from the original on 18 May 2025. Retrieved 2025-05-18.
  40. Jones, Conner (2025-11-05). "AMD red-faced over random-number bug that kills cryptographic security". The Register. Retrieved 2025-11-08.
  41. "RDSEED Failure on AMD Zen 5 Processors". Lenovo Support IT. 2025-10-24. Retrieved 2025-11-08.

Retrieved from "https://en.wikipedia.org/w/index.php?title=RDRAND&oldid=1330140931"