If you say that AES256 needs CSPRNG seeding with 256 bits, then why doesn't RSA 2048 keygen need seed to be seeded with 2048 bits? I am not a cryptographer, but I do not agree with this argument.

> algorithms with a security level of 256 bit in TLS (like AES-256-CTR), so it is necessary that the random generator provides this level of security.

But if it is true, an AES128-CTR DRBG is still sufficient for generating keys. For the same reason that it is sufficient for generating Ed448 or RSA2048 keys.

> The use of the nonce is mandated by section 10.2.1.3.2 of NIST SP
> 800-90Ar1:

We are not going for FIPS validation here. This might be a nice to have, but it is *NOT* a requirement for this release. Especially if it puts the seeding requirement beyond the reach of some of our supported platforms.

_______________________________________________
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project