RDRAND (for "read random") is an instruction for returning random numbers from an Intel on-chip hardware random number generator which has been seeded by an on-chip entropy source. It is also known as Intel Secure Key Technology, codenamed Bull Mountain. Intel introduced the feature around 2012, and AMD added support for the instruction in June 2015. (RDRAND is available in Ivy Bridge processors and is part of the Intel 64 and IA-32 instruction set architectures.)
The random number generator is compliant with security and cryptographic standards such as NIST SP 800-90A, FIPS 140-2, and ANSI X9.82. Intel also requested Cryptography Research Inc. to review the random number generator in 2012, which resulted in the paper Analysis of Intel's Ivy Bridge Digital Random Number Generator. RDSEED is similar to RDRAND and provides lower-level access to
$$\boldsymbol{x}A = \begin{cases} \boldsymbol{x} \gg 1 & x_0 = 0 \\ (\boldsymbol{x} \gg 1) \oplus \boldsymbol{a} & x_0 = 1 \end{cases}$$
where $x_0$ is the lowest-order bit of $\boldsymbol{x}$. As with TGFSR(R), the Mersenne Twister
$$A = \begin{pmatrix} 0 & I_{w-1} \\ a_{w-1} & (a_{w-2}, \ldots, a_0) \end{pmatrix}$$
with $I_{w-1}$ as the $(w-1) \times (w-1)$ identity matrix. The rational normal form has
A New York Times article revealing the NSA's effort to weaken encryption, Theodore Ts'o publicly posted concerning the use of RDRAND for /dev/random in the Linux kernel: I am so glad I resisted pressure from Intel engineers to let /dev/random rely only on the RDRAND instruction. To quote from the [New York Times article]: "By this year, the Sigint Enabling Project had found ways inside some of
A Mersenne prime as its period length. The Mersenne Twister was designed specifically to rectify most of the flaws found in older PRNGs. The most commonly used version of the Mersenne Twister algorithm is based on the Mersenne prime $2^{19937}-1$. The standard implementation of that, MT19937, uses a 32-bit word length. There
A side-channel attack named CrossTalk (CVE-2020-0543) that affected RDRAND on a number of Intel processors. They discovered that outputs from the hardware digital random number generator (DRNG) were stored in a staging buffer that was shared across all cores. The vulnerability allowed malicious code running on an affected processor to read RDRAND and RDSEED instruction results from
A Mersenne Twister implementation is an array of n values of w bits each. To initialize the array, a w-bit seed value is used to supply $x_0$ through $x_{n-1}$ by setting $x_0$ to the seed value and thereafter setting for $i$ from $1$ to $n-1$. In order to achieve
An NSA backdoor into its products. RSA has denied knowingly inserting a backdoor into its products. Following the NSA backdoor revelation, NIST reopened the public vetting process for the NIST SP 800-90A standard. A revised version of NIST SP 800-90A that removes Dual_EC_DRBG was published in June 2015. Hash_DRBG and HMAC_DRBG have security proofs for a single call to generate pseudorandom numbers. The paper proving
A deal that Reuters describes as "handled by business leaders rather than pure technologists". As the $10 million contract to get RSA Security to use Dual_EC_DRBG was described by Reuters as secret, the people involved in the process of accepting Dual_EC_DRBG into NIST SP 800-90A were presumably not made aware of this obvious conflict of interest. This might help explain how a random number generator later shown to be inferior to
A draft analysis of the situation mentioned by Bernstein, i.e. state leakage assuming large amounts of randomness (next) generated between re-keying (final).

Mersenne Twister

The Mersenne Twister is a general-purpose pseudorandom number generator (PRNG) developed in 1997 by Makoto Matsumoto (松本 眞) and Takuji Nishimura (西村 拓士). Its name derives from the choice of
A fourth generator, Dual_EC_DRBG (based on elliptic curve cryptography). Dual_EC_DRBG was later reported to probably contain a kleptographic backdoor inserted by the United States National Security Agency (NSA). NIST SP 800-90A was published by the National Institute of Standards and Technology in June 2006 as NIST SP 800-90 with the title Recommendation for Random Number Generation Using Deterministic Random Bit Generators. The publication contains
A period of $2^{127}-1$, far shorter than the original, so it is only recommended by the authors in cases where memory is at a premium. Advantages: Disadvantages: The Mersenne Twister is used as default PRNG by the following software: It is also available in Apache Commons, in the standard C++ library (since C++11), and in Mathematica. Add-on implementations are provided in many program libraries, including
A properly implemented instance of HMAC_DRBG does not compromise the security of the numbers generated before the compromise. Woodage and Shumow (2019) analyze the NIST schemes in more detail; specifically, they provide security proofs that take into account the initial seed generation and reseeding, which had not been analyzed at all before. Under the random oracle model and assuming an oracle-independent entropy source: CTR_DRBG has been shown to have
A shared hosting environment. Intel refers to the CrossTalk vulnerability as Special Register Buffer Data Sampling (SRBDS). In response to the research, Intel released microcode updates to mitigate the issue. The updated microcode ensures that off-core accesses are delayed until sensitive operations – specifically the RDRAND, RDSEED, and EGETKEY instructions – are completed and
A simple recurrence relation, and then output numbers of the form $x_i^{T}$, where T is an invertible $\mathbf{F}_2$-matrix called a tempering matrix. The general algorithm is characterized by the following quantities: with the restriction that $2^{nw-r}-1$
A single RDRAND or RDSEED instruction takes 110 ns, or 463 clock cycles, regardless of the operand size (16/32/64 bits). This number of clock cycles applies to all processors with Skylake or Kaby Lake microarchitecture. On the Silvermont microarchitecture processors, each of the instructions takes around 1472 clock cycles, regardless of the operand size; and on Ivy Bridge processors RDRAND takes up to 117 clock cycles. On an AMD Ryzen CPU, each of
A single 256-bit conditioned entropy sample. A deterministic random-bit generator called CTR DRBG defined in NIST SP 800-90A is seeded by the output from the conditioner, providing cryptographically secure random numbers to applications requesting them via the RDRAND instruction. The hardware will issue a maximum of 511 128-bit samples before changing the seed value. Using the RDSEED operation provides access to
A tempering transform to be easily computable, and so do not actually construct T itself. This tempering is defined in the case of Mersenne Twister as where $x$ is the next value from the series, $y$ is a temporary intermediate value, and $z$ is the value returned from
A theoretical imperfection when used with certain parameters because cryptographers did not consider the block size of the cipher when designing this pseudorandom number generator. CTR_DRBG appears secure and indistinguishable from a true random source when AES is used as the underlying block cipher and 112 bits are taken from this pseudorandom number generator. When AES is used as the underlying block cipher and 128 bits are taken from each instantiation,
A victim application running on another core of that same processor, including applications running inside Intel SGX enclaves. The researchers developed a proof-of-concept exploit which extracted a complete ECDSA key from an SGX enclave running on a separate CPU core after only one signature operation. The vulnerability affects scenarios where untrusted code runs alongside trusted code on the same processor, such as in
Is Intel's name for both the RDRAND instruction and the underlying random number generator (RNG) hardware implementation, which was codenamed "Bull Mountain" during development. Intel calls their RNG a "digital random number generator" or DRNG. The generator takes pairs of 256-bit raw entropy samples generated by the hardware entropy source and applies them to an Advanced Encryption Standard (AES) (in CBC-MAC mode) conditioner which reduces them to
Is patented. MTGP is a variant of Mersenne Twister optimised for graphics processing units published by Mutsuo Saito and Makoto Matsumoto. The basic linear recurrence operations are extended from MT and parameters are chosen to allow many threads to compute the recursion in parallel, while sharing their state space to reduce memory load. The paper claims improved equidistribution over MT and performance on an old (2008-era) GPU (Nvidia GTX260 with 192 cores) of 4.7 ms for 5×10 random 32-bit integers. The SFMT (SIMD-oriented Fast Mersenne Twister)
Is a Mersenne prime. This choice simplifies the primitivity test and k-distribution test that are needed in the parameter search. The series $x$ is defined as a series of w-bit quantities with the recurrence relation: where $\mid$ denotes concatenation of bit vectors (with upper bits on the left), $\oplus$
Is a publication by the National Institute of Standards and Technology with the title Recommendation for Random Number Generation Using Deterministic Random Bit Generators. The publication contains the specification for three allegedly cryptographically secure pseudorandom number generators for use in cryptography: Hash DRBG (based on hash functions), HMAC DRBG (based on HMAC), and CTR DRBG (based on block ciphers in counter mode). Earlier versions included
Is a variant of Mersenne Twister, introduced in 2006, designed to be fast when it runs on 128-bit SIMD. Intel SSE2 and PowerPC AltiVec are supported by SFMT. It is also used for games with the Cell BE in the PlayStation 3. TinyMT is a variant of Mersenne Twister, proposed by Saito and Matsumoto in 2011. TinyMT uses just 127 bits of state space, a significant decrease compared to the original's 2.5 KiB of state. However, it has
Is another implementation (with five variants) that uses a 64-bit word length, MT19937-64; it generates a different sequence. A pseudorandom sequence $x_i$ of w-bit integers of period P is said to be k-distributed to v-bit accuracy if the following holds. For a w-bit word length, the Mersenne Twister generates integers in the range $[0, 2^w-1]$. The Mersenne Twister algorithm
Is based on a matrix linear recurrence over a finite binary field $\mathbf{F}_2$. The algorithm is a twisted generalised feedback shift register (twisted GFSR, or TGFSR) of rational normal form (TGFSR(R)), with state bit reflection and tempering. The basic idea is to define a series $x_i$ through
Is cascaded with a tempering transform to compensate for the reduced dimensionality of equidistribution (because of the choice of A being in the rational normal form). Note that this is equivalent to using the matrix A where $A = T^{-1}AT$ for T an invertible matrix, and therefore the analysis of characteristic polynomial mentioned below still holds. As with A, we choose
Is much less than the security level implied by the key size. CTR_DRBG is also shown to fail to deliver the expected security level whenever Triple DES is used because its 64-bit block size is much less than the 112-bit key size used for Triple DES. There is currently no known method to exploit this issue when AES is used. The NIST CTR_DRBG scheme erases the key after the requested randomness
Is not used as the only source of entropy for /dev/random, but rather used to improve the entropy by combining the values received from RDRAND with other sources of randomness. However, Taylor Hornby of Defuse Security demonstrated that the Linux random number generator could become insecure if a backdoor is introduced into the RDRAND instruction that specifically targets the code using it. Hornby's proof-of-concept implementation works on an unmodified Linux kernel prior to version 3.13. The issue
Is output by producing additional randomness to replace the key. This is wasteful from a performance perspective, but does not immediately cause issues with forward secrecy. However, recognizing the performance implications, NIST recommends an "extended AES-CTR-DRBG interface" for its Post-Quantum Cryptography Project submissions. This interface allows multiple sets of randomness to be generated without intervening erasure, only erasing when
Is required to reach the upper bound of equidistribution for the upper bits. The coefficients for MT19937 are:
$$\begin{aligned}(w,n,m,r) &= (32,624,397,31)\\ a &= \mathrm{9908B0DF}_{16}\\ (u,d) &= (11, \mathrm{FFFFFFFF}_{16})\\ (s,b) &= (7, \mathrm{9D2C5680}_{16})\\ (t,c) &= (15, \mathrm{EFC60000}_{16})\\ l &= 18\end{aligned}$$
Note that 32-bit implementations of
Is shown to be efficiently solvable. The truncated point problem requires enough bits to be truncated from the point selected by Dual_EC_DRBG to make it indistinguishable from a truly random number. However, the truncation of 16 bits, the default specified by the Dual_EC_DRBG standard, has been shown to be insufficient to make the output indistinguishable from a true random number generator and therefore invalidates Dual_EC_DRBG's security proof when
Is the common notion of "forward secrecy" of PRNGs: in the event of a state compromise, the attacker cannot recover historical states and outputs. The latter means that if the state is compromised and subsequently re-seeded with sufficient entropy, security is restored. An attempted security proof for Dual_EC_DRBG states that it requires three problems to be mathematically hard in order for Dual_EC_DRBG to be secure:
The $2^{nw-r}-1$ theoretical upper limit of the period in a TGFSR, $\phi_B(t)$ must be a primitive polynomial, $\phi_B(t)$ being the characteristic polynomial of

The twist transformation improves
The RDRAND and RDSEED functions. GCC 4.6+ and Clang 3.2+ provide intrinsic functions for RDRAND when -mrdrnd is specified in the flags, also setting __RDRND__ to allow conditional compilation. Newer versions additionally provide immintrin.h to wrap these built-ins into functions compatible with version 12.1+ of Intel's C Compiler. These functions write random data to
The Boost C++ Libraries, the CUDA Library, and the NAG Numerical Library. The Mersenne Twister is one of two PRNGs in SPSS: the other generator is kept only for compatibility with older programs, and the Mersenne Twister is stated to be "more reliable". The Mersenne Twister is similarly one of the PRNGs in SAS: the other generators are older and deprecated. The Mersenne Twister is
The Mersenne Twister. Although a Python module of RDRAND has been constructed, it was found to be 20× slower than the default random number generator in Python, although a performance comparison between a PRNG and CSPRNG cannot be made. A microcode update released by Intel in June 2020, designed to mitigate the CrossTalk vulnerability (see the security issues section below), negatively impacts
The LHS, $x_k$, is the next generated value in the series in terms of values generated in the past, which are on the RHS. The twist transformation A is defined in rational normal form as:
$$A = \begin{pmatrix} 0 & I_{w-1} \\ a_{w-1} & (a_{w-2}, \ldots, a_0) \end{pmatrix}$$
The Mersenne Twister generally have $d = \mathrm{FFFFFFFF}_{16}$. As a result, the d is occasionally omitted from the algorithm description, since the bitwise AND with d in that case has no effect. The coefficients for MT19937-64 are:
$$\begin{aligned}(w,n,m,r) &= (64,312,156,31)\\ a &= \mathrm{B5026F5AA96619E9}_{16}\\ (u,d) &= (29, \mathrm{5555555555555555}_{16})\\ (s,b) &= (17, \mathrm{71D67FFFEDA60000}_{16})\\ (t,c) &= (37, \mathrm{FFF7EEE000000000}_{16})\\ l &= 43\end{aligned}$$
The state needed for
The affected instructions, particularly when executed in parallel by multi-threaded applications, due to increased latency introduced by the security checks and the effective serialisation of affected instructions across cores. Intel introduced an opt-out option, configurable via the IA32_MCU_OPT_CTRL MSR on each logical processor, which improves performance by disabling the additional security checks for instructions executing outside of an SGX enclave.

NIST SP 800-90A

NIST SP 800-90A ("SP" stands for "special publication")
The algorithm, with $\ll$ and $\gg$ as the bitwise left and right shifts, and $\&$ as the bitwise AND. The first and last transforms are added in order to improve lower-bit equidistribution. From the property of TGFSR, $s + t \geq \left\lfloor \frac{w}{2} \right\rfloor - 1$
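The recurrence, the bit-shift form of multiplication by A, and the MT19937 coefficients listed above are enough to write the generator out in full. The C implementation below is an added example, not code from this page or from Matsumoto and Nishimura; it assumes the reference implementation's seeding constant 1812433253 and its four tempering steps (neither is reproduced on this page) and checks itself against the widely published first output 3499211612 for seed 5489.

```c
#include <stdint.h>
#include <stdio.h>

/* MT19937 coefficients as given in the text: (w,n,m,r) = (32,624,397,31) */
#define MT_N 624
#define MT_M 397
#define MT_A 0x9908B0DFu      /* a */
#define MT_UPPER 0x80000000u  /* mask for the upper w-r = 1 bit  */
#define MT_LOWER 0x7FFFFFFFu  /* mask for the lower r = 31 bits */
#define MT_U 11
#define MT_D 0xFFFFFFFFu      /* d: a no-op AND on 32-bit words */
#define MT_S 7
#define MT_B 0x9D2C5680u
#define MT_T 15
#define MT_C 0xEFC60000u
#define MT_L 18

typedef struct {
    uint32_t mt[MT_N];  /* the n words of state x_0 .. x_{n-1} */
    int index;          /* next state word to temper and output */
} mt19937_t;

/* Seeding (assumption: reference-implementation recurrence, not on the page):
   x_0 = seed, x_i = 1812433253 * (x_{i-1} ^ (x_{i-1} >> 30)) + i, mod 2^32 */
void mt19937_seed(mt19937_t *g, uint32_t seed) {
    g->mt[0] = seed;
    for (int i = 1; i < MT_N; i++)
        g->mt[i] = 1812433253u * (g->mt[i - 1] ^ (g->mt[i - 1] >> 30)) + (uint32_t)i;
    g->index = MT_N;  /* force a twist before the first output */
}

/* Twist: x_{k+n} = x_{k+m} ^ ((x_k^u | x_{k+1}^l) A). Multiplication by A
   is the shift-and-conditional-XOR from the text: (x >> 1) ^ (x_0 ? a : 0).
   Updating in place is valid because entries k+1 and k+m that have already
   been overwritten are exactly the "new" values the recurrence refers to. */
static void mt19937_twist(mt19937_t *g) {
    for (int k = 0; k < MT_N; k++) {
        uint32_t x = (g->mt[k] & MT_UPPER) | (g->mt[(k + 1) % MT_N] & MT_LOWER);
        uint32_t xA = x >> 1;
        if (x & 1u) xA ^= MT_A;  /* x_0 = 1 case */
        g->mt[k] = g->mt[(k + MT_M) % MT_N] ^ xA;
    }
    g->index = 0;
}

/* Tempering (assumption: reference transform; constants u,d,s,b,t,c,l from the text). */
static uint32_t mt19937_temper(uint32_t y) {
    y ^= (y >> MT_U) & MT_D;
    y ^= (y << MT_S) & MT_B;
    y ^= (y << MT_T) & MT_C;
    y ^= (y >> MT_L);
    return y;
}

uint32_t mt19937_next(mt19937_t *g) {
    if (g->index >= MT_N) mt19937_twist(g);
    return mt19937_temper(g->mt[g->index++]);
}

/* Helper for verification: the n-th output (1-based) for a given seed. */
uint32_t mt19937_nth_output(uint32_t seed, unsigned n) {
    mt19937_t g;
    mt19937_seed(&g, seed);
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++) v = mt19937_next(&g);
    return v;
}

int main(void) {
    /* seed 5489 is the reference default; the first output should be 3499211612 */
    printf("first output for seed 5489: %u\n", mt19937_nth_output(5489u, 1));
    return 0;
}
```

As the page's CryptMT paragraph implies, plain Mersenne Twister is not a cryptographically secure generator: anyone who observes enough outputs can reconstruct its state, so it belongs in simulation code, not in key or nonce generation.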
The alternatives (in addition to the back door) made it into the NIST SP 800-90A standard. The potential for a backdoor in Dual_EC_DRBG had already been documented by Dan Shumow and Niels Ferguson in 2007, but continued to be used in practice by companies such as RSA Security until the 2013 revelation. Given the known flaws in Dual_EC_DRBG, there have subsequently been accusations that RSA Security knowingly inserted
The benefit that multiplication by A can be efficiently expressed as (remember that here matrix multiplication is being done in $\mathbf{F}_2$, and therefore bitwise XOR takes the place of addition):
$$\boldsymbol{x}A = \begin{cases} \boldsymbol{x} \gg 1 & x_0 = 0 \\ (\boldsymbol{x} \gg 1) \oplus \boldsymbol{a} & x_0 = 1 \end{cases}$$
The bitwise exclusive or (XOR), $x_k^u$ means the upper $w-r$ bits of $x_k$, and $x_{k+1}^l$ means the lower $r$ bits of $x_{k+1}$. The subscripts may all be offset by $-n$ where now
The classical GFSR with the following key properties:

CryptMT is a stream cipher and cryptographically secure pseudorandom number generator which uses Mersenne Twister internally. It was developed by Matsumoto and Nishimura alongside Mariko Hagita and Mutsuo Saito. It has been submitted to the eSTREAM project of the eCRYPT network. Unlike Mersenne Twister or its other derivatives, CryptMT
The conditioned 256-bit samples from the AES-CBC-MAC. The RDSEED instruction was added to Intel Secure Key for seeding another pseudorandom number generator, available in Broadwell CPUs. The entropy source for the RDSEED instruction runs asynchronously on a self-timed circuit and uses thermal noise within the silicon to output a random stream of bits at the rate of 3 GHz, slower than
The decisional Diffie-Hellman problem, the x-logarithm problem, and the truncated point problem. The decisional Diffie-Hellman problem is widely accepted as hard. The x-logarithm problem is not widely accepted as hard. Some evidence is shown that this problem is hard, but that evidence is not conclusive. The security proof is therefore questionable and would be proven invalid if the x-logarithm problem
The default PRNG in Stata; the other one is KISS, for compatibility with older versions of Stata. An alternative generator, WELL ("Well Equidistributed Long-period Linear"), offers quicker recovery, equal randomness, and nearly equal speed. Marsaglia's xorshift generators and variants are the fastest in the class of LFSRs. 64-bit MELGs ("64-bit Maximally Equidistributed $\mathbf{F}_2$-Linear Generators with Mersenne Prime Period") are completely optimized in terms of
The default truncation value is used. As part of the Bullrun program, NSA has inserted backdoors into cryptography systems. One such target was suggested in 2013 to be Dual_EC_DRBG. The NSA accomplished this by working during the standardization process to eventually become the sole editor of the standard. In getting Dual_EC_DRBG accepted into NIST SP 800-90A, NSA cited prominent security firm RSA Security's usage of Dual_EC_DRBG in their products. However, RSA Security had been paid $10 million by NSA to use Dual_EC_DRBG as default, in
The effective 6.4 Gbit/s obtainable from RDRAND (both rates are shared between all cores and threads). The RDSEED instruction is intended for seeding a software PRNG of arbitrary width, whereas RDRAND is intended for applications that merely require high-quality random numbers. If cryptographic security is not required, a software PRNG such as Xorshift is usually faster. On an Intel Core i7-7700K, 4500 MHz (45 × 100 MHz) processor (Kaby Lake-S microarchitecture),
The encryption chips that scramble information for businesses and governments, either by working with chipmakers to insert back doors..." Relying solely on the hardware random number generator which is using an implementation sealed inside a chip which is impossible to audit is a BAD idea. Linus Torvalds dismissed concerns about the use of RDRAND in the Linux kernel and pointed out that it
The entropy-generating hardware. The RDSEED generator and processor instruction rdseed are available with Intel Broadwell CPUs and AMD Zen CPUs. The CPUID instruction can be used on both AMD and Intel CPUs to check whether the RDRAND instruction is supported. If it is, bit 30 of the ECX register is set after calling CPUID standard function 01H. AMD processors are checked for
The feature using the same test. RDSEED availability can be checked on Intel CPUs in a similar manner. If RDSEED is supported, bit 18 of the EBX register is set after calling CPUID standard function 07H. The opcode for RDRAND is 0x0F 0xC7, followed by a ModRM byte that specifies the destination register and optionally combined with a REX prefix in 64-bit mode.

Intel Secure Key
The instructions takes around 1200 clock cycles for a 16-bit or 32-bit operand, and around 2500 clock cycles for a 64-bit operand. An astrophysical Monte Carlo simulator examined the time to generate 10 64-bit random numbers using RDRAND on a quad-core Intel i7-3740QM processor. They found that a C implementation of RDRAND ran about 2× slower than the default random number generator in C, and about 20× slower than
The location pointed to by their parameter, and return 1 on success. It is an option to generate cryptographically secure random numbers using RDRAND and RDSEED in OpenSSL, to help secure communications. Scientific application of RDRAND in a Monte Carlo simulator was evaluated, focusing on performance and reproducibility, compared to other random number generators. It led to the conclusion that using RDRAND as opposed to Mersenne Twister doesn't provide different results, but gives worse performance and reproducibility. In September 2013, in response to
The performance of RDRAND and RDSEED due to additional security controls. On processors with the mitigations applied, each affected instruction incurs additional latency and simultaneous execution of RDRAND or RDSEED across cores is effectively serialised. Intel introduced a mechanism to relax these security checks, thus reducing the performance impact in most scenarios, but Intel processors do not apply this security relaxation by default. Visual C++ 2015 provides intrinsic wrapper support for
The required security level is delivered with the caveat that a 128-bit cipher's output in counter mode can be distinguished from a true random number generator. When AES is used as the underlying block cipher and more than 128 bits are taken from this pseudorandom number generator, then the resulting security level is limited by the block size instead of the key size and therefore the actual security level
The security of Hash_DRBG and HMAC_DRBG does cite the attempted security proof for Dual_EC_DRBG used in the previous paragraph as a security proof to say that one should not use CTR_DRBG because it is the only DRBG in NIST SP 800-90A that lacks a security proof. HMAC_DRBG also has a machine-verified security proof. The thesis containing the machine-verified security proof also proves that a compromise of
The specification for three allegedly cryptographically secure pseudorandom number generators for use in cryptography: Hash DRBG (based on hash functions), HMAC DRBG (based on HMAC), and CTR DRBG (based on block ciphers in counter mode). Since June 24, 2015, the current version of the publication is Revision 1. Earlier versions included a fourth generator, Dual_EC_DRBG (based on elliptic curve cryptography). Dual_EC_DRBG
The staging buffer has been overwritten. The SRBDS attack also affects other instructions, such as those that read MSRs, but Intel did not apply additional security protections to them due to performance concerns and the reduced need for confidentiality of those instructions' results. A wide range of Intel processors released between 2012 and 2019 were affected, including desktop, mobile, and server processors. The mitigations themselves resulted in negative performance impacts when using
The user explicitly signals the end of requests. As a result, the key could remain in memory for an extended time if the "extended interface" is misused. An alternative proposed by Bernstein is to produce randomness to replace the key before the requested randomness is output, as done in "fast-key-erasure" RNGs. The security bounds reported by Campagna (2006) do not take into account any key replacement procedure. Woodage and Shumow (2019) provide
Was later reported to probably contain a kleptographic backdoor inserted by the United States National Security Agency (NSA), while the other three random number generators are accepted as uncontroversial and secure by multiple cryptographers. As a work of the US Federal Government, NIST SP 800-90A is in the public domain and freely available. NIST claims that each of the four (revised to three) DRBGs is "backtracking resistant" and "prediction resistant". The former
Was mitigated in the Linux kernel in 2013. Developers changed the FreeBSD kernel away from using RDRAND and VIA PadLock directly with the comment "For FreeBSD 10, we are going to backtrack and remove RDRAND and Padlock backends and feed them into Yarrow instead of delivering their output directly to /dev/random. It will still be possible to access hardware random number generators, that is, RDRAND, Padlock etc., directly by inline assembly or by using OpenSSL from userland, if required, but we cannot trust them any more." FreeBSD /dev/random uses Fortuna and RDRAND starting from FreeBSD 11. On 9 June 2020, researchers from Vrije Universiteit Amsterdam published