rdrand-gen (7) - Linux Manuals

rdrand-gen: Generate randomness by using RdRand on Intel's CPUs.


rdrand-gen - Generate randomness by using RdRand on Intel's CPUs.


rdrand-gen [--amount NUM] [--method NAME] [--output FILE]
[--threads NUM] [--aes-ctr [--aes-keys FILE]] [--verbose] [--version]


RdRand is an instruction for returning random numbers from an Intel on-chip hardware random number generator. RdRand is available on Ivy Bridge and later processors.

It uses cascade construction, combining a HW RNG operating at 3Gbps with CSPRNG with all components sealed on CPU. The entropy source is a metastable circuit, with unpredictable behavior based on thermal noise. The entropy is fed into a 3:1 compression ratio entropy extractor (whitener) based on AES-CBC-MAC. Online statistical tests are performed at this stage and only high quality random data are used as the seed for cryptograhically secure SP800-90 AES-CTR DRBG compliant PRNG. This generator is producing maximum of 512 128-bit AES blocks before it's reseeded. According to documentation the 512 blocks is a upper limit for reseed, in practice it reseeds much more frequently.

Despite the statistical tests did not reveal any flaws in RdRand's output, it's intern operation cannot be verified (with a possibility for the backdoor to be built into it).

rdrand-gen is a simple application for generating randomness on Intel's CPUs (Ivy Bridge and newers) using the HW RNG on the CPU. It can use three methods of generating: Default get_bytes - is fastest (on a laptop with a Core i7 about 200 MiB/s in one thread) and simply pulls out randomness from the HW RNG, and two slow, but more secure methods. These two methods, reseed_delay and reseed_skip are enforcing full regeneration of the CPU's pool before each single value that is pushed out.

reseed_delay is putting small delays (20 microseconds), long enough to allow the HW to reseed the RdRand's internal generator with new thermal noise based entropy so that two consequent values returned by reseed_delay are guaranteed to be produced with different seed. reseed_skip is taking one of 1025 64bit values (the size of the inner pool) and throwing away the rest, forcing the HW to reseed. The perfomance of these reseeding methods is about 1/1000 of the default one. The performance differs on each machine, one one machine the reseed_skip is faster than reseed_delay , while on another one it can be different.

If aes-ctr is set, then the output of RdRand instruction is encrypted with AES-CTR from OpenSSL. It can either use a random key, or you can give it a set of keys and nonces to use by using aes-keys parameter. If AES is not enabled by the first flag, the keys are ignored.

Syntax of the key file is following:
On each line is a hexadecimal string containing a key and a nonce. There can be 128 lines at max. Length of a single key is twice of the nonce, so if K stands for a key character and N for a nonce, a single line in the key file will look like the following.

24 bytes (48 characters) for a key and a nonce represents a 128bit key. This is also the only currently supported length of the key. See Examples for a simple way of generating the key file.


  --help       -h      Print this help.
  --amount     -n  NUM Generate given amount of bytes. Suffixes: K, M, G, T. Without the option or when 0, generate unlimited amount.
  --method     -m  NAME Use method NAME (default is get_bytes , others are reseed_skip and reseed_delay ).
  --output     -o  FILE Save the generated data to the file.
  --threads    -t  NUM Run the generator in NUM threads (default 2).
  --aes-ctr    -a Encrypt the output with AES-CTR.
  --aes-keys   -k FILE Use given key file for the AES encryption

            instead of random one. Works only when -a is set.
  --verbose    -v Be verbose (will print on stderr).
  --version    -V Print version.

AES keys in file for -k argument has to be 24 bytes long in hexadecimal form.


Write 10.5MB of random data to the file /tmp/random
rdrand-gen -n 10.5M -o /tmp/random

Generate 20 random passwords of length 20 build from all letters and digits. Use the secure get_uint64_array_reseed_skip method.
(rdrand-gen -n2k -m reseed_skip | tr -cd '[:alnum:]' | fold -w 20 && echo ) | head -20

Create GPG encrypted keyfile for aespipe.
tar -cvf - files... | bzip2 | aespipe -w 10 -K keyfile.gpg >archive.aes
aespipe -d -K keyfile.gpg < /tmp/archive.aes | bzip2 -d -q | tar -tvf -
rdrand-gen -n3705 -m reseed_skip | uuencode -m - | head -n 66 | tail -n 65 | \
gpg --symmetric -a > keyfile.gpg

Test the randomness of the generated data with dieharder test suite
rdrand-gen | dieharder -g 200 -a

Measure the speed of generation.
rdrand-gen | pv > /dev/null

Create a key file for AES encryption
head -n 3100 /dev/random | xxd -p -c 24 | head -n 129 | tail -n 128 > keys.txt

Create the keys and pass them to the rdrand-gen without saving the keys on disk
rdrand-gen -a -k <(head -n 3100 /dev/random | \
xxd -p -c 24 | head -n 129 | tail -n 128)


No known bugs.


Jan Tulak (jan [at] tulak.me) Jiri Hladky (hladky.jiri [at] gmail.com)


librdrand(3) librdrand-aes(3)