On Wed, Jun 29, 2016 at 08:34:06PM +0200, Jonas Schnelli via bitcoin-dev wrote: > > Based on previous crypto analysis result, the actual security of SHA512 > > is not significantly higher than SHA256. > > maybe we should consider SHA3? > > As far as I know the security of the symmetric cipher key mainly depends > on the PRNG and the ECDH scheme. > > The HMAC_SHA512 will be used to "drive" keys from the ECDH shared secret. > HMAC_SHA256 would be sufficient but I have specified SHA512 to allow to > directly derive 512bits which allows to have two 256bit keys with one > HMAC operation (same pattern is used in BIP for the key/chaincode > derivation).
What's the rational for doing that "directly" rather than with two SHA256 operations? (specifcially SHA256(0 . thing), SHA256(1 + thing) for the two parts we need to derive) Reducing the # of basic cryptographic primitives you need to implement a standard needs is a good thing. -- https://petertodd.org 'peter'[:-1]@petertodd.org
signature.asc
Description: Digital signature
_______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
