path: root/crypto/sha256_generic.c
diff options
authorStephan Müller <smueller@chronox.de>2021-12-20 07:21:53 +0100
committerHerbert Xu <herbert@gondor.apana.org.au>2021-12-31 18:10:54 +1100
commit908dffaf88a248e542bdae3ca174f27b8f4ccf37 (patch)
treefe8123f47594b1cbccbf876209662fea4c2525a2 /crypto/sha256_generic.c
parentMAINTAINERS: update SEC2 driver maintainers list (diff)
crypto: jitter - add oversampling of noise source
The output n bits can receive more than n bits of min entropy, of course, but the fixed output of the conditioning function can only asymptotically approach the output size bits of min entropy, not attain that bound. Random maps will tend to have output collisions, which reduces the creditable output entropy (that is what SP 800-90B Section attempts to bound). The value "64" is justified in Appendix A.4 of the current 90C draft, and aligns with NIST's in "epsilon" definition in this document, which is that a string can be considered "full entropy" if you can bound the min entropy in each bit of output to at least 1-epsilon, where epsilon is required to be <= 2^(-32). Note, this patch causes the Jitter RNG to cut its performance in half in FIPS mode because the conditioning function of the LFSR produces 64 bits of entropy in one block. The oversampling requires that additionally 64 bits of entropy are sampled from the noise source. If the conditioner is changed, such as using SHA-256, the impact of the oversampling is only one fourth, because for the 256 bit block of the conditioner, only 64 additional bits from the noise source must be sampled. This patch is derived from the user space jitterentropy-library. Signed-off-by: Stephan Mueller <smueller@chronox.de> Reviewed-by: Simo Sorce <simo@redhat.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'crypto/sha256_generic.c')
0 files changed, 0 insertions, 0 deletions