[Cryptography] Fwd: [IP] 'We cannot trust' Intel and Via's chip-based crypto, FreeBSD developers say

Donald Eastlake d3e3e3 at gmail.com
Fri Dec 13 14:10:46 EST 2013


On Fri, Dec 13, 2013 at 1:24 PM, John Kelsey <crypto.jmk at gmail.com> wrote:
> Why not just XOR RD_RAND outputs with Yarrow outputs?  That guarantees strong results if either one is good.

Just XORing does not do as good a job of preserving the entropy in the
two inputs as a good hash function. For example, assume both are
strong in the same subfield. You could throw away half of the
potentially available entropy with XOR. But XOR has the virtue of
simplicity and so lower probability of implementation error. It is a
trade-off. And, of course, if one of the inputs has zero entropy, then
XOR is fine.

Thanks,
Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3 at gmail.com

> --John
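The entropy-accounting point in Donald's reply, as an added toy example that is not part of the original thread: two independent 8-bit sources whose randomness sits in the same low nibble ("strong in the same subfield"), combined either by XOR or by hashing the concatenation, with the entropy of each combiner's output measured over all equiprobable input pairs. The source shapes and constants are constructed for the demonstration.

```python
import hashlib
import itertools
import math
from collections import Counter

# Constructed toy model of "both strong in the same subfield": two 8-bit
# sources whose randomness lives entirely in the low nibble, with a fixed
# high nibble. Each source carries 4 bits of entropy; together, 8 bits.
HIGH_A = 0xA0  # constructed constant, not from the post
HIGH_B = 0x50  # constructed constant, not from the post

def source_outputs(high_nibble, low_bits_random=True):
    """All equiprobable outputs of a source. With low_bits_random=False the
    source is broken (zero entropy): it always emits the same byte."""
    lows = range(16) if low_bits_random else [0]
    return [high_nibble | low for low in lows]

def shannon_entropy_bits(values):
    """Entropy of the empirical distribution of `values`, in bits."""
    counts = Counter(values)
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def combine_xor(a, b):
    return a ^ b

def combine_hash(a, b):
    # Hash the concatenation. Truncated to 32 bits only to keep the numbers
    # small; the output is still wider than the 8 bits of input entropy.
    return int.from_bytes(hashlib.sha256(bytes([a, b])).digest()[:4], "big")

def combined_entropy(combiner, outs_a, outs_b):
    """Entropy of combiner(a, b) with (a, b) ranging over all equiprobable
    pairs of outputs from two independent sources."""
    outputs = [combiner(a, b) for a, b in itertools.product(outs_a, outs_b)]
    return shannon_entropy_bits(outputs)

def compare(b_is_random=True):
    """Return (xor_bits, hash_bits): entropy kept by each combiner."""
    outs_a = source_outputs(HIGH_A)
    outs_b = source_outputs(HIGH_B, low_bits_random=b_is_random)
    return (combined_entropy(combine_xor, outs_a, outs_b),
            combined_entropy(combine_hash, outs_a, outs_b))

if __name__ == "__main__":
    x, h = compare()
    print(f"both sources good: XOR keeps {x:.2f} bits, hash keeps {h:.2f} bits")
    x, h = compare(b_is_random=False)
    print(f"source B dead:     XOR keeps {x:.2f} bits, hash keeps {h:.2f} bits")
```

With both sources good, XOR keeps only 4 of the 8 available bits because the two random nibbles cancel into one; the hash keeps close to all 8. With one source dead (zero entropy), both combiners keep the surviving 4 bits, which is the case where XOR is fine.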

