> > Wait what? This sounds nuts... Can you refer to something that backs your 
> > claim?
> 
> The 384 comes straight out of SP800-90A, see the table 10.2.1.
> It's also in the code where we do:
>     drbg->seedlen = keylen + 16;
> [...]
>     if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
> [...]
>     } else {
>         drbg->min_entropylen = drbg->seedlen;
> 
> (With keylen == 32)
> 
> You'll also see that when not using a DF "full entropy" is needed,
> when using a DF it's not required.
> 
> A DRBG can only generate "full entropy" for the first security
> strength / 2 bits it generates after a reseed. This is at least
> covered in SP800-90C 10.4, but there are other places that mention
> this too. So you need to pull the double amount of entropy from
> your entropy source if it doesn't provide full entropy. This also
> requires the use of prediction resistance.
> 
> 
> Kurt


Even if your claim about the 768 bits of entropy is correct, it only proves 
that it was a good idea to make the derivation function the default in commit 
8164d91d1802e6173291dee50923cc60fcd3bf72.

Matthias


https://github.com/openssl/openssl/commit/8164d91d1802e6173291dee50923cc60fcd3bf72
