> To quote: > >> HMAC_SHA512(key=ecdh_secret|cipher-type,msg="encryption key"). >> >> K_1 must be the left 32bytes of the HMAC_SHA512 hash. >> K_2 must be the right 32bytes of the HMAC_SHA512 hash. > > This seems a weak reason to introduce SHA512 to the mix. Can we just > make: > > K_1 = HMAC_SHA256(key=ecdh_secret|cipher-type,msg="header encryption key") > K_2 = HMAC_SHA256(key=ecdh_secret|cipher-type,msg="body encryption key")
SHA512_HMAC is used by BIP32 [1] and I guess most clients will somehow make use of bip32 features. I though a single SHA512_HMAC operation is cheaper and simpler then two SHA256_HMAC. AFAIK, sha256_hmac is also not used by the current p2p & consensus layer. Bitcoin-Core uses it for HTTP RPC auth and Tor control. I don't see big pros/cons for SHA512_HMAC over SHA256_HMAC. </jonas> [1] https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#child-key-derivation-ckd-functions
signature.asc
Description: OpenPGP digital signature
_______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
