Arm Mbed OS support forum

Ctr_drbg entropy length = key length or 1.5 * key length?

In the ctr_drbg.h discussion of mbedtls_ctr_drbg_seed() it says that MBEDTLS_CTR_DRBG_ENTROPY_LEN must be at least 1.5 x the key size to achieve security strength equivalent to key size.

However, in discussion of mbedtls_ctr_drbg_set_entropy_len() it says:

When using AES-128

  •                    (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled)
    
  •                    \p len must be at least 16 (in bytes)
    
  •                    to achieve a 128-bit strength.
    

In my reading of NIST SP800-90Ar1, it seems like the second statement is correct. Where does the 1.5x come from? I wonder, does it only apply to 256-bit key, i.e., where the blocksize < keysize?