CTR_DRBG: Improve the explanation of security strength
Separate the cases that achieve a 128-bit strength and the cases that
achieve a 256-bit strength.
diff --git a/include/mbedtls/ctr_drbg.h b/include/mbedtls/ctr_drbg.h
index 4f8d131..892fd62 100644
--- a/include/mbedtls/ctr_drbg.h
+++ b/include/mbedtls/ctr_drbg.h
@@ -292,22 +292,24 @@
* Per NIST SP 800-57A table 2, the achievable security
* strength is 128 bits if using AES-128 and
* 256 bits if using AES-256.
- * Therefore, to provide full security,
+ *
+ * To achieve 256-bit security,
+ * you must use AES-256 and
* the entropy input must be at least:
- * - 24 bytes if using AES-128 and the \p custom
- * argument to mbedtls_ctr_drbg_seed() may repeat
- * (for example because it is empty, or more generally
- * constant);
- * - 48 bytes if using AES-256 and the \p custom
- * argument to mbedtls_ctr_drbg_seed() may repeat
- * (for example because it is empty, or more generally
- * constant);
- * - 16 bytes if using AES-128 and the \p custom
- * argument to mbedtls_ctr_drbg_seed() includes
- * a nonce;
- * - 32 bytes if using AES-256 and the \p custom
- * argument to mbedtls_ctr_drbg_seed() includes
- * a nonce.
+ * - 48 bytes if the \p custom argument to
+ * mbedtls_ctr_drbg_seed() may repeat (for example
+ * because it is empty, or more generally constant);
+ * - 32 bytes if the \p custom argument to
+ * mbedtls_ctr_drbg_seed() includes a nonce.
+ *
+ * To achieve 128-bit security,
+ * whether AES-128 or AES-256 is used,
+ * the entropy input must be at least:
+ * - 24 bytes if the \p custom argument to
+ * mbedtls_ctr_drbg_seed() may repeat (for example
+ * because it is empty, or more generally constant);
+ * - 16 bytes if the \p custom argument to
+ * mbedtls_ctr_drbg_seed() includes a nonce.
*
* \param ctx The CTR_DRBG context.
* \param len The amount of entropy to grab, in bytes.