[cryptography] "folded" SHA1 vs HMAC for entropy extraction

Sandy Harris sandyinchina at gmail.com
Thu Jan 5 21:00:01 EST 2012

On Thu, Jan 5, 2012 at 1:47 AM, Thor Lancelot Simon <tls at panix.com> wrote:

> Eventually I will replace it with a multi-pool implementation like
> Fortuna.  However, I'm trying to make incremental improvements while
> waiting for that mythical great extent of free time to appear.

Why do you want to do that? For Linux, rewrites based on Yarrow
or Fortuna have been proposed several times and always firmly
rejected by the maintainers, I'd say for good reason.

Here's one example: http://lwn.net/Articles/103653/
Search on mailing list archives will turn up extensive discussion.

> One thing that's always bothered me has been the use of an odd
> "folded" SHA1 construct to generate output bits.  What is done is
> this:

Many of the newer hashes, including some SHA-3 candidates, use
a "wide trail" strategy in which the internal state is larger than the
hash output size. They include an output-compression function
that reduces the state to the desired size. Why not use one of
those instead of simple folding? That gives you a well-analysed

e.g. use Skein-1024-512 with 1024 state and 512 output. Then
split the output into say 128 for actual output and 384 for feedback.
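As an added illustration of the three extraction shapes this thread contrasts (simplified demo code, not from the list, from Linux, or from any Skein implementation): folding a SHA-1 digest in half, an HMAC-keyed extractor, and a wide-state hash whose output is split into a caller-visible part and a feedback part. SHAKE256 stands in for Skein-1024-512 because it is available in hashlib (an assumption, not the author's choice), and the pool contents are constructed for the demo.

```python
import hashlib
import hmac

# Constructed pool state for the demo; a real pool holds gathered entropy.
POOL = bytearray(hashlib.sha256(b"constructed demo pool").digest() * 4)  # 128 bytes


def folded_sha1(pool: bytes) -> bytes:
    """Simplified 'folded' SHA-1 output: hash the pool, then XOR the two
    80-bit halves of the 160-bit digest so only 80 bits leave the generator."""
    d = hashlib.sha1(pool).digest()
    return bytes(a ^ b for a, b in zip(d[:10], d[10:]))


def hmac_extract(pool: bytes, salt: bytes = b"\x00" * 32) -> bytes:
    """Keyed extractor in the HKDF-Extract style: HMAC over the pool under a
    (possibly public) salt, returning a full 256-bit pseudorandom key."""
    return hmac.new(salt, pool, hashlib.sha256).digest()


def wide_state_extract(pool: bytearray, out_len: int = 16, fb_len: int = 48) -> bytes:
    """The wide-trail idea from the post: draw out_len + fb_len bytes from a
    hash whose internal state is wider than its output, hand out_len bytes to
    the caller and fold the remaining fb_len bytes back into the pool.
    SHAKE256 (1600-bit sponge state) stands in for Skein-1024-512 here."""
    digest = hashlib.shake_256(bytes(pool)).digest(out_len + fb_len)
    output, feedback = digest[:out_len], digest[out_len:]
    # Feedback never leaves the generator; mix it back so the next call
    # hashes a different state (XOR-spread over the pool for the demo).
    for i, b in enumerate(feedback):
        pool[i % len(pool)] ^= b
    return output


if __name__ == "__main__":
    pool = bytearray(POOL)
    print("folded SHA-1 :", folded_sha1(bytes(pool)).hex())
    print("HMAC extract :", hmac_extract(bytes(pool)).hex())
    print("wide-state #1:", wide_state_extract(pool).hex())
    print("wide-state #2:", wide_state_extract(pool).hex())
```

With the defaults the wide-state call returns 128 bits and feeds 384 bits back, matching the split proposed above.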
