Arik Sosman [ARCHIVE] on Nostr: 📅 Original date posted:2021-03-20 📝 Original message:Hi Erik, Would ...
📅 Original date posted:2021-03-20
📝 Original message:Hi Erik,
Would sha256-hmac(nonce, publicKeyPoint) still be a suitable/safe alternative without relying on sha3? That should at the very least eliminate length extension attacks.
Best,
Arik
> On Mar 19, 2021, at 6:32 PM, Erik Aronesty via bitcoin-dev <bitcoin-dev at lists.linuxfoundation.org> wrote:
>
> use sha3-256. sha256 suffers from certain attacks (length extension,
> for example) that could make your scheme vulnerable to leaking info,
> depending on how you concatenate things, etc. better to choose
> something where padding doesn't matter.
>
> On Fri, Mar 19, 2021 at 7:28 PM vjudeu via bitcoin-dev
> <bitcoin-dev at lists.linuxfoundation.org> wrote:
>>
>> I recently found some interesting and simple HD wallet design here: https://bitcointalk.org/index.php?topic=5321992.0
>> Could anyone see any flaws in such design or is it safe enough to implement it and use in practice?
>> If I understand it correctly, it is just pure ECDSA and SHA-256, nothing else:
>>
>> masterPublicKey = masterPrivateKey * G
>> masterChildPublicKey = masterPublicKey + ( SHA-256( masterPublicKey || nonce ) mod n ) * G
>> masterChildPrivateKey = masterPrivateKey + ( SHA-256( masterPublicKey || nonce ) mod n )
>>
>> Also, it has some nice properties, like all keys starting with 02 prefix and allows potentially unlimited custom derivation path by using 256-bit nonce.
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev at lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20210319/194c9b22/attachment.sig>;
📝 Original message:Hi Erik,
Would sha256-hmac(nonce, publicKeyPoint) still be a suitable/safe alternative without relying on sha3? That should at the very least eliminate length extension attacks.
Best,
Arik
> On Mar 19, 2021, at 6:32 PM, Erik Aronesty via bitcoin-dev <bitcoin-dev at lists.linuxfoundation.org> wrote:
>
> use sha3-256. sha256 suffers from certain attacks (length extension,
> for example) that could make your scheme vulnerable to leaking info,
> depending on how you concatenate things, etc. better to choose
> something where padding doesn't matter.
>
> On Fri, Mar 19, 2021 at 7:28 PM vjudeu via bitcoin-dev
> <bitcoin-dev at lists.linuxfoundation.org> wrote:
>>
>> I recently found some interesting and simple HD wallet design here: https://bitcointalk.org/index.php?topic=5321992.0
>> Could anyone see any flaws in such design or is it safe enough to implement it and use in practice?
>> If I understand it correctly, it is just pure ECDSA and SHA-256, nothing else:
>>
>> masterPublicKey = masterPrivateKey * G
>> masterChildPublicKey = masterPublicKey + ( SHA-256( masterPublicKey || nonce ) mod n ) * G
>> masterChildPrivateKey = masterPrivateKey + ( SHA-256( masterPublicKey || nonce ) mod n )
>>
>> Also, it has some nice properties, like all keys starting with 02 prefix and allows potentially unlimited custom derivation path by using 256-bit nonce.
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev at lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20210319/194c9b22/attachment.sig>;