On Mon, Dec 20, 2021 at 07:21:53AM +0100, Stephan Müller wrote:
> The output n bits can receive more than n bits of min entropy, of course,
> but the fixed output of the conditioning function can only asymptotically
> approach the output size bits of min entropy, not attain that bound.
> Random maps will tend to have output collisions, which reduces the
> creditable output entropy (that is what SP 800-90B Section 3.1.5.1.2
> attempts to bound).
>
> The value "64" is justified in Appendix A.4 of the current 90C draft,
> and aligns with NIST's "epsilon" definition in this document, which is
> that a string can be considered "full entropy" if you can bound the min
> entropy in each bit of output to at least 1-epsilon, where epsilon is
> required to be <= 2^(-32).
>
> Note, this patch causes the Jitter RNG to cut its performance in half in
> FIPS mode because the conditioning function of the LFSR produces 64 bits
> of entropy in one block. The oversampling requires that additionally 64
> bits of entropy are sampled from the noise source. If the conditioner is
> changed, such as using SHA-256, the impact of the oversampling is only
> one fourth, because for the 256 bit block of the conditioner, only 64
> additional bits from the noise source must be sampled.
>
> This patch is derived from the user space jitterentropy-library.
>
> Signed-off-by: Stephan Mueller <smueller@xxxxxxxxxx>
> Reviewed-by: Simo Sorce <simo@xxxxxxxxxx>
> ---
>  crypto/jitterentropy.c | 23 +++++++++++++++++++++--
>  1 file changed, 21 insertions(+), 2 deletions(-)

Patch applied.  Thanks.
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
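An added toy illustration of the two points in the commit message above: a fixed random-looking map loses creditable min-entropy to output collisions, and the shortfall shrinks as the input carries more entropy than the output width, which is the rationale for the 64-bit oversampling and its throughput cost for a 64-bit LFSR block versus a 256-bit SHA-256 block. This is example code written for this page, not code from the kernel or the jitterentropy-library; truncated SHA-256 is a constructed stand-in for the conditioner, and the 8-bit output width is chosen only so the input space can be enumerated exhaustively.

```python
import hashlib
import math
from collections import Counter


def output_min_entropy(in_bits: int, out_bits: int) -> float:
    """Exact min-entropy (in bits) of the output of a fixed random-looking
    map fed with in_bits of uniform input. SHA-256 truncated to out_bits is
    a constructed stand-in for a conditioning function; every input is
    enumerated, so the output distribution is exact, not estimated."""
    mask = (1 << out_bits) - 1
    counts = Counter()
    for x in range(1 << in_bits):  # requires in_bits <= 32
        digest = hashlib.sha256(x.to_bytes(4, "big")).digest()
        counts[int.from_bytes(digest[:4], "big") & mask] += 1
    p_max = max(counts.values()) / (1 << in_bits)
    return -math.log2(p_max)


def entropy_shortfall(in_bits: int, out_bits: int) -> float:
    """How far the output falls short of a full out_bits of min-entropy.
    With in_bits == out_bits, collisions make this at least 1 bit; as the
    input is oversampled (in_bits > out_bits) it approaches 0 but never
    reaches it, which is the asymptotic bound the commit message cites."""
    return out_bits - output_min_entropy(in_bits, out_bits)


def noise_bits_required(block_bits: int, oversample_bits: int = 64) -> int:
    """Noise-source bits consumed per conditioner block in FIPS mode after
    the patch: the block width plus the 64 oversampling bits."""
    return block_bits + oversample_bits


def oversampling_overhead(block_bits: int, oversample_bits: int = 64) -> float:
    """Relative cost of oversampling: 2.0 for the 64-bit LFSR block (half the
    throughput), 1.25 for a 256-bit SHA-256 block (one fourth extra)."""
    return noise_bits_required(block_bits, oversample_bits) / block_bits


if __name__ == "__main__":
    for extra in (0, 2, 4, 8):
        print(f"8-bit output from {8 + extra}-bit input: "
              f"shortfall {entropy_shortfall(8 + extra, 8):.3f} bits")
    print("64-bit LFSR block overhead:", oversampling_overhead(64))
    print("256-bit SHA-256 block overhead:", oversampling_overhead(256))
```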