===Cons===
*Yarrow depends on SHA-1, a hash function whose collision resistance has been broken in practice since Yarrow's publication and which is no longer considered secure.<ref>{{Cite web |last1=Stevens |first1=Marc |last2=Bursztein |first2=Elie |last3=Karpman |first3=Pierre |last4=Albertini |first4=Ange |last5=Markov |first5=Yarik |date=2017-02-23 |title=SHAttered |url=https://shattered.io/ |access-date=2017-04-27 |website=SHAttered}}</ref> No published attack, however, uses SHA-1 collisions to undermine the unpredictability of Yarrow's output.
*Because Yarrow's outputs are derived cryptographically, a system that consumes them can be no more secure than the generation mechanism itself: an attacker who breaks that mechanism breaks every system that depends on its outputs. Collecting more entropy does not help here, since the weakness lies in the mechanism rather than in its inputs.
*Yarrow requires entropy estimation, which is a major challenge for implementations.<ref>{{cite web|url=https://www.silabs.com/Support%20Documents/TechnicalDocs/AN0806.pdf |title=Fortuna Cryptographically Secure PRNG : AN0806 - Application Note |website=Silabs.com |access-date=2016-10-21}}</ref> It is hard to be sure how much entropy has actually been collected before using it to reseed the PRNG.<ref>{{cite web|url=http://www.codeproject.com/Articles/6321/Fortuna-A-Cryptographically-Secure-Pseudo-Random-N|title=Fortuna – A Cryptographically Secure Pseudo Random Number Generator – CodeProject|last=citadel|date=4 March 2004 |access-date=18 October 2016}}</ref> [[Fortuna (PRNG)|Fortuna]], a successor to Yarrow, addresses this by spreading input over 32 pools and removing the entropy estimator entirely.
*Yarrow's strength is limited by the size of its key. Yarrow-160, for example, offers an effective security level of 160 bits; where 256-bit security is required, Yarrow-160 cannot provide it.
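The following Python sketch is an added illustration of the entropy-estimation point above; it is not code from Yarrow, Fortuna or this article. It contrasts a Yarrow-style reseed gate, which fires as soon as the entropy ''claimed'' for its inputs reaches a threshold, with a Fortuna-style 32-pool accumulator that never asks for an estimate. The 100-bit fast-pool threshold and Fortuna's rule that pool ''i'' joins reseed number ''r'' exactly when 2<sup>''i''</sup> divides ''r'' follow the published designs; the class names, the 64-byte pool-0 trigger used without Fortuna's timing rule, the single SHA-256 in place of Fortuna's double hash, and the constructed "constant byte that claims 8 bits" source are simplifications assumed here for the demonstration.

```python
import hashlib

FAST_POOL_THRESHOLD_BITS = 100   # Yarrow-160 reseeds its fast pool at 100 claimed bits
MIN_POOL0_BYTES = 64             # Fortuna reseeds once pool 0 holds this much raw input
NUM_POOLS = 32


class YarrowStyleAccumulator:
    """Constructed stand-in for Yarrow's fast pool: reseeds when the sum of the
    entropy *claimed* by the caller reaches the threshold. The gate trusts the
    claim; nothing here measures the input itself."""

    def __init__(self, threshold_bits=FAST_POOL_THRESHOLD_BITS):
        self.threshold_bits = threshold_bits
        self.pool = hashlib.sha1()       # Yarrow-160 hashes its pools with SHA-1
        self.estimate_bits = 0
        self.seeds = []                  # reseed values, kept only for the demo

    def add(self, data: bytes, claimed_bits: int) -> None:
        self.pool.update(data)
        self.estimate_bits += claimed_bits
        if self.estimate_bits >= self.threshold_bits:
            self.seeds.append(self.pool.digest())
            self.pool = hashlib.sha1()
            self.estimate_bits = 0


def pools_for_reseed(r: int):
    """Fortuna's schedule: pool i contributes to reseed number r iff 2**i divides r."""
    return [i for i in range(NUM_POOLS) if r % (1 << i) == 0]


class FortunaStyleAccumulator:
    """Constructed stand-in for Fortuna's accumulator: events go round-robin into
    32 pools and no entropy estimate is ever requested. A reseed is triggered by
    the amount of data in pool 0 alone (Fortuna's 100 ms minimum interval is
    omitted here)."""

    def __init__(self):
        self.pools = [bytearray() for _ in range(NUM_POOLS)]
        self.next_pool = 0
        self.reseed_count = 0
        self.seeds = []

    def add(self, data: bytes) -> None:
        self.pools[self.next_pool] += data
        self.next_pool = (self.next_pool + 1) % NUM_POOLS
        if len(self.pools[0]) >= MIN_POOL0_BYTES:
            self._reseed()

    def _reseed(self) -> None:
        self.reseed_count += 1
        h = hashlib.sha256()             # Fortuna uses SHA-256 (double-hashed); single here
        for i in pools_for_reseed(self.reseed_count):
            h.update(hashlib.sha256(bytes(self.pools[i])).digest())
            self.pools[i] = bytearray()  # only the pools that were used are emptied
        self.seeds.append(h.digest())


def demo_overclaimed_source(claimed_bits: int = 8, n_events: int = 2048) -> dict:
    """Constructed scenario: a source that emits a constant byte but claims
    `claimed_bits` of entropy per sample. The Yarrow-style gate reseeds on the
    strength of the claim, so each of its seeds is computable by anyone who
    knows the source is constant; the Fortuna-style accumulator reseeds on data
    volume and its reseed count does not change with the claim at all."""
    y = YarrowStyleAccumulator()
    f = FortunaStyleAccumulator()
    for _ in range(n_events):
        y.add(b"\x00", claimed_bits=claimed_bits)
        f.add(b"\x00")
    samples_per_reseed = -(-FAST_POOL_THRESHOLD_BITS // claimed_bits)   # ceil
    attacker_seed = hashlib.sha1(b"\x00" * samples_per_reseed).digest()
    return {
        "yarrow_reseeds": len(y.seeds),
        "yarrow_first_seed_predictable": bool(y.seeds) and y.seeds[0] == attacker_seed,
        "fortuna_reseeds": f.reseed_count,
    }


if __name__ == "__main__":
    for bits in (8, 1):
        print(f"claimed {bits} bit(s)/sample:", demo_overclaimed_source(bits))
    print("pools used by reseed 1, 4, 6:", [pools_for_reseed(r) for r in (1, 4, 6)])
```

Changing only the claimed figure from 8 bits to 1 bit moves the Yarrow-style gate from 157 reseeds to 20 over the same 2,048 samples, every one of them reproducible by an attacker who knows the source is constant, while the Fortuna-style accumulator reseeds once in both runs because it counts bytes rather than claims. That is the difficulty the section describes: the estimator is a parameter the implementer has to get right, and Fortuna's design removes the parameter rather than trying to estimate it better.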