1. 技术文章
  2. True random numbers with C++11 and RDRAND

True random numbers with C++11 and RDRAND

本秂侑毒 提交于 2019-12-17 18:18:21

问题


I have seen that Intel seems to have included a new assembly function to get real random numbers obtained from hardware. The name of the instruction is RdRand, but only a small amount of details seem accessible on it on Internet: http://en.wikipedia.org/wiki/RdRand

My questions concerning this new instruction and its use in C++11 are the following:

  1. Are the random numbers generated with RdRand really random? (each bit generated from uncorrelated white noise or quantum processes? )

  2. Is it a special feature of Ivy Bridge processors and will Intel continue to implement this function in the next generation of cpu?

  3. How to use it through C++11? Maybe with std::random_device but do compilers already call RdRand if the instruction is available?

  4. How to check whether RdRand is really called when I compile a program?


回答1:


  1. That certainly depends on your view of the determinism of the universe, so is more a philosophical question, but many people consider it being random.
  2. Only intel will know, but since there was demand to add it, its likely there will be demand to keep it
  3. std::random_device is not required to be hardware driven, and even if it is, it is not required to use rdrand. You can ask its double entropy() const noexcept member function whether it is hardware driven or not. Using rdrand for that is a QoI issue, but I would expect every sane implementation that has it available to do so (I have seen e.g. gcc doing it). If unsure, you can always check assembly, but also other means of hardware randomness should be good enough (there is other dedicated hardware available).
  4. See above, if you are interested in whether its only hardware, use entropy, if interested in rdrand, scan the generated machine code.



回答2:


I designed the random number generator that supplies the random numbers to the RdRand instruction. So for a change, I really know the answers.

1) The random numbers are generated from an SP800-90 AES-CTR DRBG compliant PRNG. The AES uses a 128 bit key, and so the numbers have multiplicative prediction resistance up to 128 bits and additive beyond 128.

However the PRNG is reseeded from a full entropy source frequently. For isolated RdRand instructions it will be freshly reseeded. For 8 threads on 4 cores pulling as fast as possible, it will be reseeded always more frequently than once per 14 RdRands.

The seeds come from a true random number generator. This involves a 2.5Gbps entropy source that is fed into a 3:1 compression ratio entropy extractor using AES-CBC-MAC.

So it is in effect a TRNG, but one that falls back to the properties of a cryptographically secure PRNG for short sequences when heavily loaded.

This is exactly the semantic difference between /dev/random and /dev/urandom on linux, only a lot faster.

The entropy is ultimately gathered from a quantum process, since that is the only fundamental random process we know of in nature. In the DRNG it is specifically the thermal noise in the gates of 4 transistors that drive the resolution state of a metastable latch, 2.5 billion times a second.

The entropy source and conditioner is intended to SP800-90B and SP800-90C compliant, but those specs are still in draft form.

2) RdRand is a part of the standard intel instruction set. It will be supported in all CPU products in the future.

3) You either need to use inline assembly or a library (like openssl) that does use RdRand. If you use a library, the library is implementing the inline assembler that you could implement directly. Intel gives code examples on their web site.

Someone else mentioned librdrand.a. I wrote that. It's pretty simple.

4) Just look for the RdRand opcodes in the binary.




回答3:


Since PRISM and Snowden revelations, I would be very carefull at using hardware random generators, or relying on one single library, in an application with security concerns. I prefer using a combination of independant open source cryptographic random generators. By combination, I mean for example: Let's ra, rb, rc be three independant cryptographic random generators, r be the random value returned to the application. Let's sa, sb, sc be their seed, ta, tb, tc, reseed periods i.e. e.g. reseed rb every tb draws. By independant: belonging as far as possible to independant libraries, and relying on different cyphers or algorithms.

Pseudo-code:

// init
seed std rand with time (at least millisec, preferably microsec)
sa = std rand xor time // of course, not the same time evaluation
// loop
sb = ra every tb
sc = rb every tc
r = rb xor rc
sa = rc every ta

Of course, every draw shall be used only once.

Probably two sources are enough:

// init
seed std rand with time (at least millisec, preferably microsec)
sa = std rand xor time // of course, not the same time evaluation
// loop
sb = ra every tb
sa = rb every ta
r = rb xor ra

Choose different values for ta, tb, tc. Their range depends on the strengh of the random source you use.

EDIT: I have started the new library ABaDooRand for this purpose.




回答4:


1) No, the numbers from RdRand are not truly random, since they come from a cryptographically-secure pseudorandom number generator. However, RdRand, RdSeed, and the Intel Secure Key technology are probably the closest to truly random you will find.

2) Yes, the feature is available in all Intel processors that appear in laptops, desktops, and servers starting with the Ivy Bridge processors you mention. These days, the features are also implemented in AMD chips.

3 and 4) The Intel software development guide is the place to look for these answers. There is an interesting discussion of how Intel Secure Key is applied to an astrophysical problem here (http://iopscience.iop.org/article/10.3847/1538-4357/aa7ede/meta;jsessionid=A9DA9DDB925E6522D058F3CEEC7D0B21.ip-10-40-2-120) and non-paywalled version here (https://arxiv.org/abs/1707.02212). This paper describes how the technology works, how to implement it, and describes its performance (Sections 2.2.1 and 5). Had to read it for a class.




回答5:


  1. I think they are "said to be" random...Since it's for encryption. I wouldn't worry too much about the quality of the random numbers.
  2. I think Intel will keep doing it as they always regard backward compatibility as important even if this instruction maybe useless in the future.
  3. I am sorry I cannot answer this question because I don't use C++11.
  4. You can try librdrand.a if you don't want to dig into assembly code. Intel has provided the library for free download on their website. I have tested it, it's pretty convenient and has error report mechanism (since the random number generator has a small probability of failing to generate a random number). So if you use this library, you only need to check the return value of the function in librdrand

Please let me know if there is anything wrong in my reply. Thanks

Good luck

xiangpisaiMM



来源:https://stackoverflow.com/questions/17616960/true-random-numbers-with-c11-and-rdrand

标签
c++
assembly
c++11
random
rdrand
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!