[Cryptography] Use of RDRAND in Haskell's TLS RNG?

Viktor Dukhovni cryptography at dukhovni.org
Sat Nov 26 00:41:51 EST 2016

> On Nov 25, 2016, at 3:55 PM, Arnold Reinhold <agr at me.com> wrote:
> In addition to the need for a proper published audit that bear suggested, the most glaring defect in the Intel design is the lack of access to the un-whitened random bits. Adding a mode that bypassed the whitener would have been simple. Statistical analysis of the raw bit stream can provide ongoing assurance that the RNG is doing what it says. Likely there will be correlations between raw bit statistics and external parameters such as chip temperature and supply voltage. Of course it is possible for a deterministic generator to mimic such variations, but it would have to have a relatively large footprint on the die compared to simply using the whitener in a feedback mode or similar mischief.

It seems you're hinting at:


RDSEED first appears in Broadwell CPUs, while RDRAND appears earlier in Ivy Bridge.
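The "statistical analysis of the raw bit stream" point in the quoted paragraph, as an added example (not code from this thread, from Haskell's tls package, or from Intel): SP 800-90B style continuous health tests, the Repetition Count Test and the Adaptive Proportion Test, run over raw source samples. The streams are constructed with a seeded PRNG, and `h_min` (the assumed min-entropy per 8-bit sample) is the example's own parameter.

```python
import math
import random

ALPHA = 2.0 ** -20  # per-test false-alarm probability used in SP 800-90B's worked cutoffs

def rct_cutoff(h_min):
    """Repetition Count Test cutoff: 1 + ceil(-log2(ALPHA) / h_min) identical samples in a row."""
    return 1 + math.ceil(-math.log2(ALPHA) / h_min)

def apt_cutoff(h_min, window):
    """Adaptive Proportion Test cutoff: smallest C with P(Binomial(window, 2^-h_min) >= C) <= ALPHA."""
    p = 2.0 ** -h_min
    tail, cutoff = 0.0, window + 1
    for c in range(window, -1, -1):  # accumulate the upper tail from the top down
        tail += math.comb(window, c) * p ** c * (1.0 - p) ** (window - c)
        if tail > ALPHA:
            break
        cutoff = c
    return cutoff

def health_check(samples, h_min, window=512):
    """Run RCT and APT over a byte stream; returns statistics and pass/fail flags."""
    longest_run, run, prev = 0, 0, None
    for s in samples:  # RCT: track the longest run of identical samples
        run = run + 1 if s == prev else 1
        prev, longest_run = s, max(longest_run, run)
    max_count = 0  # APT: occurrences of each window's first sample within that window
    for start in range(0, len(samples) - window + 1, window):
        win = samples[start:start + window]
        max_count = max(max_count, win.count(win[0]))
    c_rct, c_apt = rct_cutoff(h_min), apt_cutoff(h_min, window)
    return {"rct_cutoff": c_rct, "longest_run": longest_run, "rct_pass": longest_run < c_rct,
            "apt_cutoff": c_apt, "max_count": max_count, "apt_pass": max_count < c_apt}

# Constructed sample streams: a seeded PRNG stands in for a hardware noise source.
_rng = random.Random(20161126)
HEALTHY = bytes(_rng.getrandbits(8) for _ in range(4096))
STUCK = bytes(64)  # a source wedged at zero: RCT should trip
BIASED = bytes(0x41 if i % 10 == 0 else HEALTHY[i] for i in range(4096))  # one value at ~10%: APT should trip

if __name__ == "__main__":
    for name, stream in (("healthy", HEALTHY), ("stuck", STUCK), ("biased", BIASED)):
        print(name, health_check(stream, h_min=6.0))  # h_min=6.0 bits/sample is an assumed estimate
```

A whitened output, as the quoted paragraph notes, would pass both tests regardless of the underlying source, which is why the tests are only meaningful on raw samples.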

