On Wed, Jul 08, 2026 at 01:16:13PM -0700, Sophie Schmieg wrote: > As I said back in 2024, when this discussion was actually had (I consider > it resolved), hashing a random number generator output defends against one > specific failure of an RNG, but not others. In particular, a hash function, > like any deterministic function can only ever decrease the entropy of the > input, so a RNG with not enough entropy will continue to not have enough > entropy (and technically will have slightly less entropy after the hash).
One could use a symmetric key encryption function in such a way as to lose no entropy. > For TLS in particular, this conversation is especially moot, as TLS has > client and server random values, that are not usually hashed before being > published on the wire. Pretending that this is some sort of failure of > ML-KEM is beyond ridiculous. I forget that those are remarkably large. _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
