Am Montag, 27. Januar 2025, 17:02:36 CET schrieb Markus Theil: Hi Markus, > As already mentioned in the comments, using a cryptographic > hash function, like SHA3-256, decreases the expected entropy > due to properties of random mappings (collisions and unused values). > > When mapping 256 bit of entropy to 256 output bits, this results > in roughly 6 bit entropy loss (depending on the estimate formula > for mapping 256 bit to 256 bit via a random mapping): > > NIST approximation (count all input bits as input): 255.0 > NIST approximation (count only entropy bits as input): 251.69 Bit > BSI approximation (count only entropy bits as input): 250.11 Bit > > Therefore add a cmdline override for the 64 bit oversampling safety margin, > This results in an expected entropy of nearly 256 bit also after hashing, > when desired. > > Only enable this, when you are aware of the increased runtime per > iteration. > > This override is only possible, when not in FIPS mode (as FIPS mandates > this to be true for a full entropy claim). > > Signed-off-by: Markus Theil <theil.markus@xxxxxxxxx> Reviewed-by: Stephan Mueller <smueller@xxxxxxxxxx> Ciao Stephan
