Jonas Schnelli [ARCHIVE] on Nostr: 📅 Original date posted:2016-06-29 📝 Original message:> On Wed, Jun 29, 2016 at ...
📅 Original date posted:2016-06-29
📝 Original message:> On Wed, Jun 29, 2016 at 08:34:06PM +0200, Jonas Schnelli via bitcoin-dev wrote:
>>> Based on previous crypto analysis result, the actual security of SHA512
>>> is not significantly higher than SHA256.
>>> maybe we should consider SHA3?
>>
>> As far as I know the security of the symmetric cipher key mainly depends
>> on the PRNG and the ECDH scheme.
>>
>> The HMAC_SHA512 will be used to "drive" keys from the ECDH shared secret.
>> HMAC_SHA256 would be sufficient but I have specified SHA512 to allow to
>> directly derive 512bits which allows to have two 256bit keys with one
>> HMAC operation (same pattern is used in BIP for the key/chaincode
>> derivation).
>
> What's the rational for doing that "directly" rather than with two SHA256
> operations? (specifcially SHA256(0 . thing), SHA256(1 + thing) for the two
> parts we need to derive)
SHA256 and SHA512 are both from the SHA-2 family.
I have specified SHA512 to (slightly) increase the brute-force security
of the ecdh shared secret when knowing K_1 and K_2.
And I assumed (haven't measured the required cpu cycles) that a single
SHA512_HMAC is less expensive then two SHA256_HMAC.
</jonas>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20160629/8661e056/attachment.sig>;
📝 Original message:> On Wed, Jun 29, 2016 at 08:34:06PM +0200, Jonas Schnelli via bitcoin-dev wrote:
>>> Based on previous crypto analysis result, the actual security of SHA512
>>> is not significantly higher than SHA256.
>>> maybe we should consider SHA3?
>>
>> As far as I know the security of the symmetric cipher key mainly depends
>> on the PRNG and the ECDH scheme.
>>
>> The HMAC_SHA512 will be used to "drive" keys from the ECDH shared secret.
>> HMAC_SHA256 would be sufficient but I have specified SHA512 to allow to
>> directly derive 512bits which allows to have two 256bit keys with one
>> HMAC operation (same pattern is used in BIP for the key/chaincode
>> derivation).
>
> What's the rational for doing that "directly" rather than with two SHA256
> operations? (specifcially SHA256(0 . thing), SHA256(1 + thing) for the two
> parts we need to derive)
SHA256 and SHA512 are both from the SHA-2 family.
I have specified SHA512 to (slightly) increase the brute-force security
of the ecdh shared secret when knowing K_1 and K_2.
And I assumed (haven't measured the required cpu cycles) that a single
SHA512_HMAC is less expensive then two SHA256_HMAC.
</jonas>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20160629/8661e056/attachment.sig>;