On Wed, Jul 08, 2026 at 01:16:13PM -0700, Sophie Schmieg wrote:
> As I said back in 2024, when this discussion was actually had (I consider
> it resolved), hashing a random number generator output defends against one
> specific failure of an RNG, but not others. In particular, a hash function,
> like any deterministic function can only ever decrease the entropy of the
> input, so a RNG with not enough entropy will continue to not have enough
> entropy (and technically will have slightly less entropy after the hash).

One could use a symmetric key encryption function in such a way as to
lose no entropy.

> For TLS in particular, this conversation is especially moot, as TLS has
> client and server random values, that are not usually hashed before being
> published on the wire. Pretending that this is some sort of failure of
> ML-KEM is beyond ridiculous.

I forget that those are remarkably large.

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to