On Thu, Sep 06, 2012 at 07:42:49PM +0200, Dag-Erling Smrgrav wrote:
> David O'Brien <obr...@freebsd.org> writes:
> > RW <rwmailli...@googlemail.com> writes:
> > > IMO the order should be reversed or the low-grade stuff should be
> > > piped through sha256.
> > We considered that. Arthur wanted to do it sooner, but I'm concerned
> > about impact of multiple sha256 invocations on a large amount of data
> > on low-end MIPS.
>
> Is there a reason to choose sha256 over a weaker, faster hash?
I see Arthur,
But still wanted to give my own longer responce.
Using a weaker hash could reduce the amount of entropy in the output
(due to collisions).
The Yarrow paper makes this argument (but willing to potentially loose
some entropy) in 5 'The Generic Yarrow Design an Yarrow-160'
The reason is if you take an 'm' bit random value and apply a hash
function that produces 'm' bits of output, the result has less than
'm' bits of entropy due to the collisions that occur. This is a very
minor effect, and overall results in the loss of at most a few bits
of entropy.
For a good entropy input I likely agree with you.
But for the poor-grade entropy input I don't think we want to
prematurely loose any of it.
But I have not fully thought thru potential loss of entropy in a hash
of a hash [where entropy was or wasn't lost].
--
-- David (obr...@freebsd.org)
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
