Computer instruction for returning hardware-generated random numbers

RDRAND (for "read random") is an instruction for returning random numbers from an Intel on-chip hardware random number generator which has been seeded by an on-chip entropy source. It is also known as Intel Secure Key Technology, codenamed Bull Mountain. Intel introduced the feature around 2012, and AMD added support for the instruction in June 2015. (RDRAND is available in Ivy Bridge processors and is part of the Intel 64 and IA-32 instruction set architectures.)

The random number generator is compliant with security and cryptographic standards such as NIST SP 800-90A, FIPS 140-2, and ANSI X9.82. Intel also requested Cryptography Research Inc. to review the random number generator in 2012, which resulted in the paper Analysis of Intel's Ivy Bridge Digital Random Number Generator.

RDSEED is similar to RDRAND and provides lower-level access to the entropy-generating hardware. The RDSEED generator and processor instruction rdseed are available with Intel Broadwell CPUs and AMD Zen CPUs.

Overview

The CPUID instruction can be used on both AMD and Intel CPUs to check whether the RDRAND instruction is supported. If it is, bit 30 of the ECX register is set after calling CPUID standard function 01H. AMD processors are checked for the feature using the same test. RDSEED availability can be checked on Intel CPUs in a similar manner. If RDSEED is supported, bit 18 of the EBX register is set after calling CPUID standard function 07H.

The opcode for RDRAND is 0x0F 0xC7, followed by a ModRM byte that specifies the destination register and optionally combined with a REX prefix in 64-bit mode.

Intel Secure Key is Intel's name for both the RDRAND instruction and the underlying random number generator (RNG) hardware implementation, which was codenamed "Bull Mountain" during development. Intel calls their RNG a "digital random number generator" or DRNG. The generator takes pairs of 256-bit raw entropy samples generated by the hardware entropy source and applies them to an Advanced Encryption Standard (AES) conditioner (in CBC-MAC mode) which reduces them to a single 256-bit conditioned entropy sample. A deterministic random-bit generator called CTR DRBG, defined in NIST SP 800-90A, is seeded by the output from the conditioner, providing cryptographically secure random numbers to applications requesting them via the RDRAND instruction. The hardware will issue a maximum of 511 128-bit samples before changing the seed value. Using the RDSEED operation provides access to the conditioned 256-bit samples from the AES-CBC-MAC.

The RDSEED instruction was added to Intel Secure Key for seeding another pseudorandom number generator, available in Broadwell CPUs. The entropy source for the RDSEED instruction runs asynchronously on a self-timed circuit and uses thermal noise within the silicon to output a random stream of bits at the rate of 3 GHz, slower than the effective 6.4 Gbit/s obtainable from RDRAND (both rates are shared between all cores and threads). The RDSEED instruction is intended for seeding a software PRNG of arbitrary width, whereas RDRAND is intended for applications that merely require high-quality random numbers. If cryptographic security is not required, a software PRNG such as Xorshift is usually faster.

Performance

On an Intel Core i7-7700K, 4500 MHz (45 × 100 MHz) processor (Kaby Lake-S microarchitecture), a single RDRAND or RDSEED instruction takes 110 ns, or 463 clock cycles, regardless of the operand size (16/32/64 bits). This number of clock cycles applies to all processors with Skylake or Kaby Lake microarchitecture. On Silvermont microarchitecture processors, each of the instructions takes around 1472 clock cycles, regardless of the operand size; and on Ivy Bridge processors RDRAND takes up to 117 clock cycles.

On an AMD Ryzen CPU, each of the instructions takes around 1200 clock cycles for a 16-bit or 32-bit operand, and around 2500 clock cycles for a 64-bit operand.

An astrophysical Monte Carlo simulator examined the time to generate 10 64-bit random numbers using RDRAND on a quad-core Intel i7-3740QM processor. They found that a C implementation of RDRAND ran about 2× slower than the default random number generator in C, and about 20× slower than the Mersenne Twister. Although a Python module of RDRAND has been constructed, it was found to be 20× slower than the default random number generator in Python, although a performance comparison between a PRNG and a CSPRNG cannot be made.

A microcode update released by Intel in June 2020, designed to mitigate the CrossTalk vulnerability (see the security issues section below), negatively impacts the performance of RDRAND and RDSEED due to additional security controls. On processors with the mitigations applied, each affected instruction incurs additional latency, and simultaneous execution of RDRAND or RDSEED across cores is effectively serialised. Intel introduced a mechanism to relax these security checks, thus reducing the performance impact in most scenarios, but Intel processors do not apply this security relaxation by default.

Compilers

Visual C++ 2015 provides intrinsic wrapper support for the RDRAND and RDSEED functions. GCC 4.6+ and Clang 3.2+ provide intrinsic functions for RDRAND when -mrdrnd is specified in the flags, also setting __RDRND__ to allow conditional compilation. Newer versions additionally provide immintrin.h to wrap these built-ins into functions compatible with version 12.1+ of Intel's C Compiler. These functions write random data to the location pointed to by their parameter, and return 1 on success.

Applications

It is an option to generate cryptographically secure random numbers using RDRAND and RDSEED in OpenSSL, to help secure communications.

Scientific application of RDRAND in a Monte Carlo simulator was evaluated, focusing on performance and reproducibility, compared to other random number generators. It led to the conclusion that using RDRAND as opposed to Mersenne Twister doesn't provide different results, but worse performance and reproducibility.

Reception

In September 2013, in response to a New York Times article revealing the NSA's effort to weaken encryption, Theodore Ts'o publicly posted concerning the use of RDRAND for /dev/random in the Linux kernel:

I am so glad I resisted pressure from Intel engineers to let /dev/random rely only on the RDRAND instruction. To quote from the [article]: "By this year, the Sigint Enabling Project had found ways inside some of the encryption chips that scramble information for businesses and governments, either by working with chipmakers to insert back doors..." Relying solely on the hardware random number generator which is using an implementation sealed inside a chip which is impossible to audit is a BAD idea.

Linus Torvalds dismissed concerns about the use of RDRAND in the Linux kernel and pointed out that it is not used as the only source of entropy for /dev/random, but rather used to improve the entropy by combining the values received from RDRAND with other sources of randomness. However, Taylor Hornby of Defuse Security demonstrated that the Linux random number generator could become insecure if a backdoor is introduced into the RDRAND instruction that specifically targets the code using it. Hornby's proof-of-concept implementation works on an unmodified Linux kernel prior to version 3.13. The issue was mitigated in the Linux kernel in 2013.

Developers changed the FreeBSD kernel away from using RDRAND and VIA PadLock directly with the comment "For FreeBSD 10, we are going to backtrack and remove RDRAND and Padlock backends and feed them into Yarrow instead of delivering their output directly to /dev/random. It will still be possible to access hardware random number generators, that is, RDRAND, Padlock etc., directly by inline assembly or by using OpenSSL from userland, if required, but we cannot trust them any more." FreeBSD's /dev/random uses Fortuna, and RDRAND is used again starting from FreeBSD 11.

Security issues

On 9 June 2020, researchers from Vrije Universiteit Amsterdam published a side-channel attack named CrossTalk (CVE-2020-0543) that affected RDRAND on a number of Intel processors. They discovered that outputs from the hardware digital random number generator (DRNG) were stored in a staging buffer that was shared across all cores. The vulnerability allowed malicious code running on an affected processor to read RDRAND and RDSEED instruction results from a victim application running on another core of that same processor, including applications running inside Intel SGX enclaves. The researchers developed a proof-of-concept exploit which extracted a complete ECDSA key from an SGX enclave running on a separate CPU core after only one signature operation. The vulnerability affects scenarios where untrusted code runs alongside trusted code on the same processor, such as in a shared hosting environment.

Intel refers to the CrossTalk vulnerability as Special Register Buffer Data Sampling (SRBDS). In response to the research, Intel released microcode updates to mitigate the issue. The updated microcode ensures that off-core accesses are delayed until sensitive operations – specifically RDRAND, RDSEED, and EGETKEY instructions – are completed and the staging buffer has been overwritten. The SRBDS attack also affects other instructions, such as those that read MSRs, but Intel did not apply additional security protections to them due to performance concerns and the reduced need for confidentiality of those instructions' results. A wide range of Intel processors released between 2012 and 2019 were affected, including desktop, mobile, and server processors. The mitigations themselves resulted in negative performance impacts when using the affected instructions, particularly when executed in parallel by multi-threaded applications, due to increased latency introduced by the security checks and the effective serialisation of affected instructions across cores. Intel introduced an opt-out option, configurable via the IA32_MCU_OPT_CTRL MSR on each logical processor, which improves performance by disabling the additional security checks for instructions executing outside of an SGX enclave.

See also

AES instruction set
Bullrun (decryption program)
wolfSSL

Notes

In some Ivy Bridge versions, due to a bug, the RDRAND instruction causes an Illegal Instruction exception.

Intel's Digital Random Number Generator (DRNG) Software Implementation Guide (Section 3.2.1, Entropy Source) says 800 megabytes, which is 6.4 gigabits per second.

The simplest 64-bit implementation of Xorshift has 3 XORs and 3 shifts; if these are executed in a tight loop on 4 cores at 2 GHz, the throughput is 80 Gb/s. In practice it will be less due to load/store overheads etc., but is still likely to exceed the 6.4 Gb/s of RDRAND. On the other hand, the quality of RDRAND's numbers should be higher than that of a software PRNG like Xorshift.