Yarrow algorithm
==Pros and cons of Yarrow==
{{Prose|section|date=November 2015}}

===Pros===
*Yarrow reuses existing building blocks.
*Compared to previous PRNGs, Yarrow is reasonably efficient.
*Yarrow can be used by programmers with no cryptography background in a reasonably secure way. Yarrow is portable and precisely defined. The interface is simple and clear. These features somewhat decrease the chances of implementation errors.
*Yarrow was created using an attack-oriented design process.
*The [[entropy estimation]] of Yarrow is very conservative, thus preventing [[Brute force attack|exhaustive search attacks]]. It is very common for PRNGs to fail in real-world applications because of entropy overestimation and guessable starting points.
*The reseeding process of Yarrow is relatively computationally expensive, so the cost of attempting to guess the PRNG's key is higher.
*Yarrow uses functions to simplify the management of seed files, so the files are constantly updated.
*To handle [[cryptanalysis|cryptanalytic]] attacks, Yarrow is designed to be based on a secure block cipher. The [[level of security]] of the generation mechanism depends on the block cipher.
*Yarrow tries to avoid data-dependent execution paths. This is done to prevent [[side-channel attacks]] such as [[timing attacks]] and [[power analysis]]. This is an improvement over earlier PRNGs, for example the RSAREF 2.0 PRNG, which completely falls apart once information about its internal operations is no longer secret.
*Yarrow uses cryptographic hash functions to process input samples, and then uses a secure update function to combine the samples with the existing key. This ensures that the attacker cannot easily manipulate the input samples. PRNGs such as the RSAREF 2.0 PRNG do not have the ability to resist this kind of chosen-input attack.
*Unlike the ANSI X9.17 PRNG, Yarrow has the ability to recover from a key compromise. This means that even when the key is compromised, the attacker will not be able to predict future outputs forever. This is due to the reseeding mechanism of Yarrow.<ref name="report1999"/>{{rp|5}}
*Yarrow keeps the entropy sample pool separate from the key, and only reseeds the key when the entropy pool content is completely unpredictable. {{anchor|Iterative guessing attack}}This design prevents iterative guessing attacks, where an attacker with the key guesses the next sample and checks the result by observing the next output.

===Cons===
*Yarrow depends on SHA-1, a hash that has been broken (in terms of collision resistance) since Yarrow's publication and is no longer considered secure.<ref>{{Cite web |last1=Stevens |first1=Marc |last2=Bursztein |first2=Elie |last3=Karpman |first3=Pierre |last4=Albertini |first4=Ange |last5=Markov |first5=Yarik |date=2017-02-23 |title=SHAttered |url=https://shattered.io/ |access-date=2017-04-27 |website=SHAttered}}</ref> However, there is no published attack that uses SHA-1 collisions to undermine Yarrow's randomness.
*Since the outputs of Yarrow are cryptographically derived, the systems that use those outputs can only be as secure as the generation mechanism itself. That means an attacker who can break the generation mechanism will easily break a system that depends on Yarrow's outputs. This problem cannot be solved by increasing entropy accumulation.
*Yarrow requires entropy estimation, which is a very big challenge for implementations.<ref>{{cite web|url=https://www.silabs.com/Support%20Documents/TechnicalDocs/AN0806.pdf |title=Fortuna Cryptographically Secure PRNG : AN0806 - Application Note |website=Silabs.com |access-date=2016-10-21}}</ref> It is hard to be sure how much entropy to collect before using it to reseed the PRNG.<ref>{{cite web|url=http://www.codeproject.com/Articles/6321/Fortuna-A-Cryptographically-Secure-Pseudo-Random-N|title=Fortuna – A Cryptographically Secure Pseudo Random Number Generator – CodeProject|last=citadel|date=4 March 2004 |access-date=18 October 2016}}</ref> This problem is solved by [[Fortuna (PRNG)|Fortuna]], an improvement of Yarrow. Fortuna has 32 pools to collect entropy and removed the entropy estimator completely.
*Yarrow's strength is limited by the size of the key. For example, Yarrow-160 has an effective key size of 160 bits. If the security requires 256 bits, Yarrow-160 is not capable of doing the job.
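To make the pool/key separation, the conservative entropy estimate and the costly reseed described above concrete, here is an added toy model (written for this page, not Yarrow-160 and not taken from any Yarrow implementation). It substitutes SHA-256 for Yarrow's SHA-1 and HMAC-SHA256 in counter mode for the block-cipher generator, and the 128-bit threshold and 1000-iteration reseed are assumed values chosen for illustration.

```python
import hashlib
import hmac


class YarrowLikePRNG:
    """Toy model of Yarrow's pool/key separation (constructed example, not Yarrow-160).
    Samples go into a hash pool, never straight into the key; the key is replaced only
    when conservatively credited pool entropy reaches the (assumed) threshold. SHA-256
    stands in for Yarrow's SHA-1 and HMAC-SHA256 counter mode for the block cipher."""
    RESEED_THRESHOLD_BITS = 128   # reseed only once this much entropy is credited
    RESEED_ITERATIONS = 1000      # iterated hashing makes reseeding (and key guessing) costly

    def __init__(self, initial_key: bytes):
        self.key = initial_key
        self.counter = 0
        self.pool = hashlib.sha256()
        self.pool_entropy_bits = 0

    def add_sample(self, sample: bytes, estimated_bits: int) -> bool:
        """Mix a sample into the pool. Returns True if this sample triggered a reseed."""
        # Conservative estimator: never credit more bits than the sample actually has.
        credited = max(0, min(estimated_bits, len(sample) * 8))
        self.pool.update(sample)
        self.pool_entropy_bits += credited
        if self.pool_entropy_bits >= self.RESEED_THRESHOLD_BITS:
            self._reseed()
            return True
        return False

    def _reseed(self) -> None:
        # Secure update: the new key depends on the old key and the whole pool, hashed
        # many times, so a reseed cannot be undone by guessing one sample at a time.
        v = hashlib.sha256(self.pool.digest() + self.key).digest()
        for _ in range(self.RESEED_ITERATIONS):
            v = hashlib.sha256(v + self.key).digest()
        self.key = v
        self.counter = 0
        self.pool = hashlib.sha256()
        self.pool_entropy_bits = 0

    def generate(self, n: int) -> bytes:
        """Counter-mode output under the current key; samples not yet reseeded are invisible."""
        out = b""
        while len(out) < n:
            self.counter += 1
            out += hmac.new(self.key, self.counter.to_bytes(8, "big"), "sha256").digest()
        return out[:n]
```

Because a single low-entropy sample changes nothing observable until the whole pool is folded into the key, an attacker holding the key cannot confirm a guess for that sample against the next output, which is exactly the iterative-guessing defence the section describes.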