On Thu, Sep 06, 2012 at 07:42:49PM +0200, Dag-Erling Smrgrav wrote: > David O'Brien <obrien@FreeBSD.org> writes: > > RW <rwmaillists@googlemail.com> writes: > > > IMO the order should be reversed or the low-grade stuff should be > > > piped through sha256. > > We considered that. Arthur wanted to do it sooner, but I'm concerned > > about impact of multiple sha256 invocations on a large amount of data > > on low-end MIPS. > > Is there a reason to choose sha256 over a weaker, faster hash? I see Arthur, But still wanted to give my own longer responce. Using a weaker hash could reduce the amount of entropy in the output (due to collisions). The Yarrow paper makes this argument (but willing to potentially loose some entropy) in 5 'The Generic Yarrow Design an Yarrow-160' The reason is if you take an 'm' bit random value and apply a hash function that produces 'm' bits of output, the result has less than 'm' bits of entropy due to the collisions that occur. This is a very minor effect, and overall results in the loss of at most a few bits of entropy. For a good entropy input I likely agree with you. But for the poor-grade entropy input I don't think we want to prematurely loose any of it. But I have not fully thought thru potential loss of entropy in a hash of a hash [where entropy was or wasn't lost]. -- -- David (obrien@FreeBSD.org) _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"