Is Intel's RdRand a TRNG or a PRNG?


I've searched the net for quite a while and couldn't find a definitive answer. I want to know the quality of random numbers generated by Intel's RdRand instruction. How does it compare to IDQ's cards, for example? Is it truly random or pseudorandom?

Thanks

3

There are 3 answers

0
codecats On BEST ANSWER

Please read John M's articles and code samples: https://software.intel.com/en-us/articles/intel-digital-random-number-generator-drng-software-implementation-guide. Section 2.2 covers pseudo and 2.3 covers true.

0
David Johnston On

RdRand is fed from an RNG consisting of an entropy source that feeds an AES-CBC-MAC entropy extractor that seeds an AES-CTR-DRBG. The DRBG is reseeded at around 1 million times a second (it varies, slower on slower chips, faster on faster chips). So the output of the DRBG is a randomly seeded PRNG. If you read slowly (less than 1 million times/s), you can expect the DRBG to be freshly reseeded every time and so the asymptote is a full entropy RNG. If you read faster than the CPU will allow, the DRNG hardware tops out at 511 DRBG 128-bit outputs per seed. The cryptographic prediction resistance is O(2^128).

RdSeed provides a NIST SP800-90C XOR construction variation, where every value contains a fresh seed. The TRNG term is not well defined, but RdSeed is probably close to what people think they mean by a TRNG. It is lower performance than RdRand, since the speed is a function of the output rate of the entropy extractor, not the output rate of the DRBG.

So in asking "what is the quality" you need to specify either a min-entropy or a computational bound. Both are statistically indistinguishable from uniform, but RdRand also guarantees an O(2^128) cryptographic prediction resistance (how much work you would have to do to predict the next state reliably) which only applies between reseeds (so over periods of about 1us), when the prior state is overwritten with fresh entropic data. RdSeed offers a stronger min-entropy guarantee that the output is epsilon-close to uniform. The practical effect is you can safely concatenate RdSeed values to make larger keys and IVs, e.g., 512-bit keys giving O(2^512) security. RdRand is adequate for all needs up to O(2^128) security. If you want to supply a cryptosystem with greater than O(2^128) security from RdRand, read the SDG from Intel, which explains how to do this safely with appropriate cryptographic algorithms.
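The key-building use of RdSeed described in this answer, as an added example (not the answer's or Intel's code): a C helper that checks CPUID for RDSEED, retries the instruction when it reports no fresh seed ready, and concatenates 64-bit outputs into a 512-bit key. It assumes GCC or clang on x86-64; the function names are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#if defined(__x86_64__)
#include <cpuid.h>
#include <immintrin.h>
/* CPUID.(EAX=7,ECX=0):EBX bit 18 advertises RDSEED support. */
int drng_has_rdseed(void) {
    unsigned a, b, c, d;
    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d)) return 0;
    return (b & (1u << 18)) != 0;
}
/* RDSEED returns CF=0 when no fresh seed is ready (it runs at the
 * conditioner's rate, not the DRBG's), so retry a bounded number of
 * times instead of treating one miss as fatal or spinning forever. */
__attribute__((target("rdseed")))
static int rdseed64_retry(uint64_t *out, int tries) {
    unsigned long long v;
    for (int i = 0; i < tries; i++)
        if (_rdseed64_step(&v)) { *out = v; return 1; }
    return 0;
}
#else /* not an x86-64 build: report the feature as absent */
int drng_has_rdseed(void) { return 0; }
static int rdseed64_retry(uint64_t *out, int tries) { (void)out; (void)tries; return 0; }
#endif
/* Fill len bytes by concatenating RDSEED outputs. Returns bytes written;
 * anything short of len means the feature is absent or the source starved. */
size_t rdseed_fill(uint8_t *buf, size_t len) {
    size_t done = 0;
    if (!drng_has_rdseed()) return 0;
    while (done < len) {
        uint64_t v;
        size_t n = (len - done < 8) ? len - done : 8;
        if (!rdseed64_retry(&v, 1000)) break;
        memcpy(buf + done, &v, n);
        done += n;
    }
    return done;
}
/* Self-check: two 512-bit keys must both fill completely and differ.
 * Returns 1 on success; also 1 when RDSEED is unavailable (nothing to test). */
int rdseed_selftest(void) {
    uint8_t k1[64], k2[64];
    if (!drng_has_rdseed()) return 1;
    if (rdseed_fill(k1, sizeof k1) != sizeof k1) return 0;
    if (rdseed_fill(k2, sizeof k2) != sizeof k2) return 0;
    return memcmp(k1, k2, sizeof k1) != 0;
}
```

A caller that needs only up to 128-bit security can use RDRAND the same way (a retry loop around `_rdrand64_step`), which is faster since it drains the DRBG rather than the conditioner.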

2
Astroceltica On

Intel's RdRand is a high-quality, cryptographically secure, pseudorandom number generator. There is a detailed description of what it is, how to use it, how it has been used, and how fast it is to use given in a paper here (http://iopscience.iop.org/article/10.3847/1538-4357/aa7ede/meta;jsessionid=A9DA9DDB925E6522D058F3CEEC7D0B21.ip-10-40-2-120) or the non-paywalled version here (https://arxiv.org/abs/1707.02212).

I think sections 2.2.1 and 5 have what you are looking for.