Monty Cantsin wrote:
Often we have a source of entropy whose output we use as the input to a secure hash function.
Does it matter if the hashing function is secure? I don't think so. All that really matters is that the function hashes evenly, so that any input string is about as likely as any other input string to result in a particular hash. Even if the hash function is weak and collisions can be found, if it is even, the same level of entropy is still available.
Have I got this right?
In the case where:

1) Your entropy source is as good as you think it is
2) Your opponent knows nothing about the data from your entropy source
3) Your entropy mixes the way you expect it to

this is indeed the case. If you're not completely sure about the above, using a cryptographic hash requires your hypothetical opponent to be able to reverse the hash to exploit what they know, rather than simpler computations. Since it seems that paranoia pays off in the design of cryptographic software, I'd recommend always using a strong hash.

Jon Leonard
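A worked illustration of the second condition in Jon Leonard's reply (the opponent knowing nothing about the entropy source), added here as an example and not part of either message. The "hashes evenly" function used below, `xor_fold`, is a constructed toy: it is exactly uniform on uniform input, so it passes Monty Cantsin's criterion, but it is linear, so an attacker who already knows most of the pool recovers the rest with one XOR. The comparison function is SHA-256 truncated to 16 bytes, chosen here as a stand-in for "a strong hash"; against it, the same attacker can do no better than guess the unknown bytes. The 48-byte "predictable" prefix and the sizes are made up for the demonstration.

```python
"""Even-but-linear hash versus a cryptographic hash when the attacker knows part of the pool.

Added example: xor_fold is a constructed toy, sha256_16 stands in for 'a strong hash'.
"""
import hashlib
import itertools
import os
from collections import Counter


def xor_fold(data: bytes, out_len: int = 16) -> bytes:
    """Fold the input into out_len bytes by XORing successive blocks together.

    Uniformly random input gives uniformly random output, so this 'hashes
    evenly', but it is linear: the output is just the XOR of the blocks.
    """
    out = bytearray(out_len)
    for i, b in enumerate(data):
        out[i % out_len] ^= b
    return bytes(out)


def sha256_16(data: bytes) -> bytes:
    """SHA-256 truncated to 16 bytes, so both hashes have the same output size."""
    return hashlib.sha256(data).digest()[:16]


def output_histogram(hash_fn, in_len: int, out_len: int) -> Counter:
    """Count how often each output occurs over every in_len-byte input.

    Only practical for tiny in_len; used to show xor_fold is exactly uniform
    (every 1-byte output appears 256 times over all 2-byte inputs).
    """
    counts = Counter()
    for combo in itertools.product(range(256), repeat=in_len):
        counts[hash_fn(bytes(combo), out_len)] += 1
    return counts


def recover_unknown_linear(digest: bytes, known: bytes) -> bytes:
    """Attack on xor_fold when the pool is known_prefix || one unknown block.

    Because xor_fold(known + unknown) == xor_fold(known) XOR unknown whenever
    len(known) is a whole number of blocks, the unknown block falls out of a
    single XOR with zero guesses. Collisions are irrelevant; linearity is the problem.
    """
    partial = xor_fold(known, len(digest))
    return bytes(d ^ p for d, p in zip(digest, partial))


def recover_unknown_by_search(digest: bytes, known: bytes, unknown_len: int, hash_fn):
    """Generic attack on any hash: try every value of the unknown suffix.

    Returns (recovered_suffix, guesses). When the hash cannot be inverted this
    is all the attacker has, and the worst case is 256**unknown_len guesses no
    matter how much of the rest of the pool they already know.
    """
    guesses = 0
    for combo in itertools.product(range(256), repeat=unknown_len):
        guesses += 1
        candidate = bytes(combo)
        if hash_fn(known + candidate) == digest:
            return candidate, guesses
    return None, guesses


def demo() -> int:
    """Constructed scenario: 48 predictable bytes followed by bytes the attacker lacks."""
    known = bytes(range(48))          # e.g. timestamps, pids: assume the attacker knows these
    unknown = os.urandom(16)          # the part that actually carries entropy
    weak_digest = xor_fold(known + unknown)
    assert recover_unknown_linear(weak_digest, known) == unknown   # no search needed

    # Same attacker against SHA-256: nothing better than guessing. The unknown
    # part is shrunk to 2 bytes here only so the exhaustive search finishes.
    unknown2 = os.urandom(2)
    strong_digest = sha256_16(known + unknown2)
    found, guesses = recover_unknown_by_search(strong_digest, known, 2, sha256_16)
    assert found == unknown2
    return guesses                    # somewhere between 1 and 65536


if __name__ == "__main__":
    hist = output_histogram(xor_fold, 2, 1)
    print("xor_fold uniform over 2-byte inputs:", set(hist.values()) == {256})
    print("SHA-256 guesses needed for 2 unknown bytes:", demo())
```

The point the run makes: uniformity of the output distribution says nothing about how much an attacker with partial knowledge learns. With the linear function the known 48 bytes are enough to strip the digest back to the unknown block; with SHA-256 the known bytes buy nothing and the work is the full search over the unknown part, which is what "requires your hypothetical opponent to be able to reverse the hash" amounts to in practice.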