lowRISC / opentitan

OpenTitan: Open source silicon root of trust
https://www.opentitan.org
Apache License 2.0

[crypto] Determine appropriate thresholds for entropy health tests. #19392

Open jadephilipoom opened 1 year ago

jadephilipoom commented 1 year ago

Description

The entropy_src block has various registers which configure health test "thresholds" (e.g. REPCNT_THRESHOLDS, BUCKET_THRESHOLDS). Right now, the cryptolib driver leaves these at the reset values. We should determine appropriate values for these thresholds by looking at guidelines and/or experimentation, and then change them in the driver. I'm not sure exactly where I would start looking for reasonable values for these thresholds, so input is welcome!

CC @andreaskurth @moidx

moidx commented 1 year ago

Hi @jadephilipoom, this is something we would probably have to get feedback on from a FIPS lab, as the expectation is that the health checks should be able to detect some errors to prove that they are working.

The threshold calculation functions are available here: https://github.com/lowRISC/opentitan/blob/master/util/design/gen-rng-health-thresholds.py

vrozic commented 1 year ago

> The threshold calculation functions are available here: https://github.com/lowRISC/opentitan/blob/master/util/design/gen-rng-health-thresholds.py

To add to this, in gen-rng-health-thresholds.py, parameter p is a magic number p: float = 0.5, which means that the incoming numbers are expected to be fully random. If my understanding of the specifications is correct, this should be changed to: p: float = 2 ** (-80 / 384) for boot-time health checks, and p: float = 2 ** (- 0.375) for normal operations.

The only unknown is the --sigma parameter. Specifications are a bit vague, saying that we should operate with a low false-alarm rate (high sigma) while maintaining a low false-negative rate (low sigma). So we will probably have to ask the FIPS lab which false-alarm rate we should target.

Also, gen-rng-health-thresholds.py doesn't provide the threshold for the repetition-count test, but section 4.4.1 of NIST SP 800-90B has instructions on how to calculate it.

vogelpi commented 6 months ago

This is related to https://github.com/lowRISC/opentitan/issues/2111.

vsukhoml commented 3 months ago

According to NIST 800-90B, APT and RCT thresholds are calculated using provided formulas. Assuming entropy/bit $H = 0.5$ and $\alpha = 2^{-40}$, the RCT cutoff is $1+\frac{-\log_2\alpha}{H}=81$ and the APT cutoff = CRITBINOM(1024, $2^{-H}$, $1-\alpha$) = 823, where $W=1024$ is the window size of 1-bit values, assuming operations with individual bits from each noise source.

vsukhoml commented 3 months ago

However, the question is how to translate calculated cutoffs to the configuration of health checks, and how to calculate cutoffs for Markov and Bucket tests given measured entropy and a desired false-positive probability.
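The RCT and APT figures quoted in the comment above (81 and 823 for $H = 0.5$, $\alpha = 2^{-40}$, $W = 1024$) can be reproduced with the short script below. It is an added example, not code from the thread or from gen-rng-health-thresholds.py; the function names are hypothetical, and the binomial quantile is computed directly from the tail instead of a spreadsheet CRITBINOM.

```python
import math


def rct_cutoff(h: float, alpha: float) -> int:
    """Repetition Count Test cutoff per SP 800-90B section 4.4.1."""
    return 1 + math.ceil(-math.log2(alpha) / h)


def _log_binom_pmf(n: int, k: int, p: float) -> float:
    """ln P(X = k) for X ~ Binomial(n, p); lgamma avoids huge factorials."""
    return (math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
            + k * math.log(p) + (n - k) * math.log1p(-p))


def critbinom_upper(n: int, p: float, alpha: float) -> int:
    """Smallest c with P(X > c) <= alpha, i.e. CRITBINOM(n, p, 1 - alpha).

    The upper tail is summed from k = n downwards and compared with alpha
    directly, because forming the CDF and comparing it with 1 - alpha would
    lose the 2**-40 difference to floating-point rounding.
    """
    tail = 0.0  # running value of P(X >= k)
    for k in range(n, -1, -1):
        tail += math.exp(_log_binom_pmf(n, k, p))
        if tail > alpha:
            # P(X > k - 1) exceeds alpha while P(X > k) does not.
            return k
    return 0


def apt_critbinom(window: int, h: float, alpha: float) -> int:
    """CRITBINOM(W, 2**-H, 1 - alpha) for the Adaptive Proportion Test.

    SP 800-90B section 4.4.2 defines the APT cutoff as
    C = 1 + CRITBINOM(W, 2**-H, 1 - alpha); this function returns the
    CRITBINOM term, which is the 823 quoted in the comment.
    """
    return critbinom_upper(window, 2.0 ** -h, alpha)


if __name__ == "__main__":
    H, ALPHA, W = 0.5, 2.0 ** -40, 1024  # values taken from the comment
    print("RCT cutoff:", rct_cutoff(H, ALPHA))
    print("APT CRITBINOM:", apt_critbinom(W, H, ALPHA))
```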