Is there any legitimate use for Intel's RDRAND?


Question

Today I thought: well, even if there is great suspicion about RDRAND's implementation of NIST SP 800-90A, it is still a hardware implementation of a pseudo-random number generator (PRNG) that must be good enough for non-sensitive applications. So I thought of using it in my game instead of Mersenne Twister.

So, to see if there was any performance gain in using the instruction, I compared the running times of the two following programs:

// test.cpp
// Build with GCC/Clang on x86-64 using -mrdrnd (required for the builtin).
#include <cstdio>

int main()
{
    unsigned int rnd = 0;
    for(int i = 0; i < 10000000; ++i) {
        // Pure RDRAND: one 32-bit hardware draw per iteration.
        // The builtin's return value (1 = value produced, 0 = retry) is
        // deliberately ignored here, since only throughput is being measured.
        __builtin_ia32_rdrand32_step(&rnd);
    }
    printf("%x\n", rnd);
}

// test2.cpp
// Build with -mrdrnd as well; RDRAND is used only once, to seed the PRNG.
#include <cstdio>
#include <random>

int main()
{
    unsigned int rnd = 0;
    __builtin_ia32_rdrand32_step(&rnd);   // single hardware seed
    std::mt19937 gen(rnd);                // 32-bit Mersenne Twister
    for(int i = 0; i < 10000000; ++i) {
        // Fold every output into rnd so the compiler cannot drop the loop.
        rnd ^= gen();
    }
    printf("%x\n", rnd);
}

And running both, I got:

$ time ./test
d230449a

real    0m0.361s
user    0m0.358s
sys     0m0.002s

$ time ./test2 
bfc4e472

real    0m0.051s
user    0m0.050s
sys     0m0.002s

So, Mersenne Twister is much faster than RDRAND on my CPU. Well, I was disappointed, and ruled it out for my game. But RDRAND is a cryptographically secure PRNG (CSPRNG), so it does much more behind the scenes... it would be fairer to compare it to another CSPRNG. So I took my Rabbit implementation (a plain translation of the RFC to C, no fancy tricks for performance), and wrote the following test:

// test3.cpp
// Build with -mrdrnd and link against the Rabbit implementation (rabbit.h/.c).
#include <cstdio>
#include <cstdint>

extern "C"
{
#include "rabbit.h"
}

int main()
{
    rabbit_state s;
    unsigned long long buf[2];
    // 128-bit key for Rabbit, taken from two 64-bit RDRAND draws.
    __builtin_ia32_rdrand64_step(&buf[0]);
    __builtin_ia32_rdrand64_step(&buf[1]);
    rabbit_init_key(&s, (uint8_t*)&buf[0]);

    for(int i = 0; i < 10000000; ++i) {
        // Each extraction writes a full 128-bit keystream block into buf,
        // i.e. twice as many bits per iteration as the RDRAND test above.
        rabbit_extract(&s, (uint8_t*)&buf[0]);
    }
    printf("%llx\n", buf[0]);
}

And to my surprise, while generating twice as much pseudo-random data as the first two, I got a better time than RDRAND:

$ time ./test3 
8ef9772277b70aba

real    0m0.344s
user    0m0.341s
sys     0m0.002s

All three were compiled with optimization enabled.

So, there is widespread paranoia that RDRAND was made to embed NSA backdoors into everybody's software cryptography. Also, we have at least one software CSPRNG faster than RDRAND, and the most widely used decent PRNG, Mersenne Twister, is much faster than RDRAND. Finally, we have open-source, auditable software entropy pools, like /dev/random and /dev/urandom, that are not hidden behind twofold scrambler layers of AES, like RDRAND.

So, the question: should people be using RDRAND? Is there any legitimate use for it? Or should we stop using it altogether?

Recommended answer

As owlstead pointed out, RDRAND is seeded with true randomness. In particular, it frequently reseeds its internal CSPRNG with 128 bits of hardware-generated randomness, guaranteeing a reseed at least once every 511 * 128 bits. See section 4.2.5 of this doc:

https://software.intel.com/en-us/articles/intel-digital-random-number-generator-drng-software-implementation-guide

So in your examples, you used a single 128-bit seed to generate 10 million random draws from rabbit_extract. In the RDRAND version, you had the equivalent of 2.5 million 128-bit draws, meaning that the CSPRNG was reseeded at least 2,500,000/511 = 4,892 times.

So instead of 128 bits of entropy going into your rabbit example, there were at least 4,892*128 = 626,176 bits of entropy going into the RDRAND example.

That's much, much more entropy than you're going to get in 0.361 seconds without hardware support. That could matter if you're doing stuff where lots of real randomness is important. One example is Shamir secret sharing of large quantities of data -- not sure if there are others.

So in conclusion -- it's not for speed, it's for high security. The question of whether it's backdoored is troubling, of course, but you can always XOR it with other sources, and at the very least it's not hurting you.
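The answer's closing advice (XOR RDRAND with another source, so that at worst it does no harm) and the question's benchmark code (which never checks RDRAND's success flag) both deserve a concrete illustration. The C program below is an added example and is not code from the original question or answer. It checks CPUID for RDRAND support, retries a failed RDRAND (carry flag clear) up to 10 times, which is the retry count Intel's DRNG software implementation guide recommends, and XORs the hardware output into bytes read from the kernel's /dev/urandom. Because XOR with an independent uniform source preserves uniformity, a failed, weak or even maliciously biased RDRAND cannot make the mixed output worse than the kernel pool alone. The function names (has_rdrand, rdrand64_retry, fill_mixed), the choice of /dev/urandom as the second source and the 32-byte buffer size are this example's own assumptions. It builds with plain gcc or clang on x86-64 without -mrdrnd because the instruction is emitted via inline assembly; on other architectures it compiles to the OS-only path.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Intel's DRNG guide recommends up to 10 retries when RDRAND reports
 * failure (CF=0) before treating the hardware source as unavailable. */
#define RDRAND_RETRIES 10

#if defined(__x86_64__)
/* CPUID leaf 1, ECX bit 30 advertises RDRAND support. */
static int has_rdrand(void)
{
    uint32_t a, b, c, d;
    __asm__ volatile("cpuid" : "=a"(a), "=b"(b), "=c"(c), "=d"(d) : "a"(1), "c"(0));
    return (int)((c >> 30) & 1u);
}

/* One RDRAND attempt; the carry flag says whether a value was produced. */
static int rdrand64_once(uint64_t *out)
{
    unsigned char ok;
    __asm__ volatile("rdrand %0\n\tsetc %1" : "=r"(*out), "=qm"(ok));
    return ok;
}

/* Retry loop: returns 1 and fills *out on success, 0 if all retries failed. */
static int rdrand64_retry(uint64_t *out)
{
    for (int i = 0; i < RDRAND_RETRIES; i++)
        if (rdrand64_once(out)) return 1;
    return 0;
}
#else
/* Non-x86-64 build: no hardware source, the OS pool is used alone. */
static int has_rdrand(void) { return 0; }
static int rdrand64_retry(uint64_t *out) { (void)out; return 0; }
#endif

/* Read n bytes from the kernel CSPRNG (/dev/urandom, assumed present). */
static int os_random(uint8_t *buf, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return 0;
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got == n;
}

/* XOR src into dst byte by byte. If either input is uniform and independent
 * of the other, the result is uniform, so a bad source cannot hurt. */
static void xor_into(uint8_t *dst, const uint8_t *src, size_t n)
{
    for (size_t i = 0; i < n; i++) dst[i] ^= src[i];
}

/* Fill buf with OS randomness, then XOR in RDRAND output when available.
 * Returns 1 if the OS source worked (RDRAND trouble is tolerated), else 0.
 * *used_rdrand is set to 1 only if every 64-bit block was mixed. */
static int fill_mixed(uint8_t *buf, size_t n, int *used_rdrand)
{
    *used_rdrand = 0;
    if (!os_random(buf, n)) return 0;
    if (!has_rdrand()) return 1;
    for (size_t off = 0; off < n; off += sizeof(uint64_t)) {
        uint64_t v;
        if (!rdrand64_retry(&v)) return 1;   /* keep the OS bytes unmixed */
        size_t chunk = (n - off < sizeof v) ? n - off : sizeof v;
        xor_into(buf + off, (const uint8_t *)&v, chunk);
    }
    *used_rdrand = 1;
    return 1;
}

int main(void)
{
    uint8_t key[32];
    int used = 0;
    if (!fill_mixed(key, sizeof key, &used)) {
        fprintf(stderr, "OS random source unavailable\n");
        return 1;
    }
    for (size_t i = 0; i < sizeof key; i++) printf("%02x", key[i]);
    printf("\nRDRAND mixed in: %s\n", used ? "yes" : "no");
    return 0;
}
```

The program treats the OS pool as the mandatory source and RDRAND as an optional extra, which is the safe ordering for the page's question: you get the hardware reseeding the answer describes when it is there, and you lose nothing when it is absent, broken or distrusted.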
