I'll be a while going through this. I was thinking about our earlier discussion where I was hammering on the point that compressing entropy too early is a mistake, and just now realized that I should have given you credit for my recent 4.7-rc1 patch 2a18da7a. The hash function ("good, fast AND cheap!") introduced there exploits that point: using a larger hash state (and postponing compression to the final size) dramatically reduces the requirements on the hash mixing function. I wasn't conscious of it at the time, but I just now realized that explaining it clarified the point in my mind, which led to applying the principle in other situations. So thank you!