use sha3-256. sha256 suffers from certain attacks (length extension, for example) that could make your scheme vulnerable to leaking info, depending on how you concatenate things, etc. better to choose something where padding doesn't matter.
On Fri, Mar 19, 2021 at 7:28 PM vjudeu via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote: > > I recently found some interesting and simple HD wallet design here: > https://bitcointalk.org/index.php?topic=5321992.0 > Could anyone see any flaws in such design or is it safe enough to implement > it and use in practice? > If I understand it correctly, it is just pure ECDSA and SHA-256, nothing else: > > masterPublicKey = masterPrivateKey * G > masterChildPublicKey = masterPublicKey + ( SHA-256( masterPublicKey || nonce > ) mod n ) * G > masterChildPrivateKey = masterPrivateKey + ( SHA-256( masterPublicKey || > nonce ) mod n ) > > Also, it has some nice properties, like all keys starting with 02 prefix and > allows potentially unlimited custom derivation path by using 256-bit nonce. > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev _______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
