[Cryptech Tech] Discussion: On-line tests for entropy providers in Cryptech

Bernd Paysan bernd at net2o.de
Fri Jan 16 01:19:25 UTC 2015


On Thursday, 15 January 2015, 14:19:25, Joachim Strömbergson wrote:
> Aloha!
> 
> I would like to start up a discussion about what on-line tests we are to
> implement in our entropy providers.
> 
> The general plan is that we develop a health monitor HW-module that
> should be integrated in the entropy provider module. The module
> continuously monitors the entropy source connected to the provider and
> alarms the system if the entropy source is found by the module to be
> faulty. Note that my idea is that there is one health monitor for each
> entropy source. The purpose of the monitor is not to provide a quality
> metric of the entropy currently provided by the source, but to detect if
> the entropy source is broken. Quality tests are assumed to be done
> offline by extracting entropy and then run tests

Things easy to implement:

1. monitor the rate of output bits of the diode noise after the von Neumann 
extractor - if it drops below a certain rate, the diode is considered 
unhealthy.  That's pretty easy to do, just a timer that gets reset with every 
32 bits of output, and if that timer overflows, signal the "unhealthy" status.  
I'd say 1/4th of the typical rate (for 32 bit words) is a good indication of 
failure.  You should also add a higher rate limit (lower number on the 
counter).

2. histogram: Take every 4 bits of output and use that to select one of 16 
counters.  After 64 bits (16*4) are fed through, decrement all counters by 1 
(this is "one round").  Let's assume each counter has n bits including sign, 
then it should never overflow if we reset all counters after 2^(2n-margin) 
rounds (the likelihood of a false positive is higher with smaller counters, 
e.g. with a byte counter, 2^9 rounds works with 8 bit counters on the rosc 
data I have, 2^10 rounds don't; 2^9 is sensitive for a single stuck-at per 32 
bits, 2^8 isn't).  For the sake of simplification, an overflow is assumed when 
e.g. a byte counter reaches $80 (regardless of which side it comes from).   After these 
2^(2n-margin) rounds, the byte counters are reset.  This checks for stuck-at 
and large bias; to make it more sensitive, a bigger counter than just one byte 
is needed, or the histogram units need to observe fewer ROSCs.

-- 
Bernd Paysan
"If you want it done right, you have to do it yourself"
http://bernd-paysan.de/
net2o ID: kQusJzA;7*?t=uy at X}1GWr!+0qqp_Cn176t4(dQ*
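
Added example, not part of the original message and not Cryptech code: a software model of the histogram test from item 2, useful for trying counter widths and reset windows before committing them to hardware. Assumptions: the function and parameter names are made up here, margin=7 is inferred from the "2^9 rounds with 8 bit counters" figure, and the input is a seeded PRNG standing in for extractor output, with a mask clearing bits to model stuck-at-0 lines.

```python
import random

def histogram_alarm(nibbles, n=8, margin=7):
    """Return the round in which a counter first reaches the overflow mark
    (0x80 for n=8, from either side), or None if the stream ends without one."""
    limit = 1 << (n - 1)              # $80 for byte counters
    window = 1 << (2 * n - margin)    # rounds between resets; 2^9 for n=8, margin=7
    counters = [0] * 16
    for i, nib in enumerate(nibbles, 1):
        counters[nib] += 1            # every 4 output bits select one counter
        if counters[nib] >= limit:
            return (i - 1) // 16 + 1  # overflow from the positive side
        if i % 16 == 0:               # 64 bits fed through: one round
            counters = [c - 1 for c in counters]
            if min(counters) <= -limit:
                return i // 16        # overflow from the negative side
            if (i // 16) % window == 0:
                counters = [0] * 16   # periodic reset
    return None

def source(rounds, mask=0xF, seed=1):
    """Constructed input: 16*rounds nibbles from a seeded PRNG (assumption:
    stands in for extractor output). mask clears bits to model stuck-at-0."""
    rng = random.Random(seed)
    return (rng.getrandbits(4) & mask for _ in range(16 * rounds))

if __name__ == "__main__":
    print("healthy            :", histogram_alarm(source(2048)))
    print("everything stuck   :", histogram_alarm(source(2048, mask=0x0)))
    print("bit 0 of each nibble stuck:", histogram_alarm(source(2048, mask=0xE)))
```

The mask=0xE case is a heavier fault than the single stuck-at per 32 bits mentioned in the message: the eight counters that can no longer be selected lose 1 per round and hit the mark by round 128 at the latest.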