📅 Original date posted:2016-06-29 📝 Original message:On Wed, Jun 29, 2016 at ...

Peter Todd [ARCHIVE] /

npub1m23…2np2

2023-06-07 17:51:33

in reply to nevent1q…lgre

📅 Original date posted:2016-06-29
📝 Original message:On Wed, Jun 29, 2016 at 08:34:06PM +0200, Jonas Schnelli via bitcoin-dev wrote:
> > Based on previous crypto analysis result, the actual security of SHA512
> > is not significantly higher than SHA256.
> > maybe we should consider SHA3?
>
> As far as I know the security of the symmetric cipher key mainly depends
> on the PRNG and the ECDH scheme.
>
> The HMAC_SHA512 will be used to "drive" keys from the ECDH shared secret.
> HMAC_SHA256 would be sufficient but I have specified SHA512 to allow to
> directly derive 512bits which allows to have two 256bit keys with one
> HMAC operation (same pattern is used in BIP for the key/chaincode
> derivation).

What's the rational for doing that "directly" rather than with two SHA256
operations? (specifcially SHA256(0 . thing), SHA256(1 + thing) for the two
parts we need to derive)

Reducing the # of basic cryptographic primitives you need to implement a
standard needs is a good thing.

--
https://petertodd.org 'peter'[:-1]@petertodd.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Digital signature
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20160629/12948cd4/attachment.sig>;

Author Public Key

npub1m230cem2yh3mtdzkg32qhj73uytgkyg5ylxsu083n3tpjnajxx4qqa2np2

Seen on

wss://relay.noswhere.com

Show more details

Published at

2023-06-07 17:51:33

Kind type

1 Short Text Note

Event JSON

{ "id": "bdc442cd1f1c861a8fb038927e46042fe68de99195a227628f6e6e74e766bc53", "pubkey": "daa2fc676a25e3b5b45644540bcbd1e1168b111427cd0e3cf19c56194fb231aa", "created_at": 1686160293, "kind": 1, "tags": [ [ "e", "865ae9660ffa796d019b6409907548cf0d8cccc89b3d009b0f6e17232981afa9", "", "root" ], [ "e", "5a1d94692ef404f63dc6b225accd4cc6bb747bf27cb9cbbd99ede12fb5595f34", "", "reply" ], [ "p", "9a463e0fab8963b013698c15a0f2449d19c97f3b88458e5874095b5006df9a0c" ] ], "content": "📅 Original date posted:2016-06-29\n📝 Original message:On Wed, Jun 29, 2016 at 08:34:06PM +0200, Jonas Schnelli via bitcoin-dev wrote:\n\u003e \u003e Based on previous crypto analysis result, the actual security of SHA512\n\u003e \u003e is not significantly higher than SHA256.\n\u003e \u003e maybe we should consider SHA3?\n\u003e \n\u003e As far as I know the security of the symmetric cipher key mainly depends\n\u003e on the PRNG and the ECDH scheme.\n\u003e \n\u003e The HMAC_SHA512 will be used to \"drive\" keys from the ECDH shared secret.\n\u003e HMAC_SHA256 would be sufficient but I have specified SHA512 to allow to\n\u003e directly derive 512bits which allows to have two 256bit keys with one\n\u003e HMAC operation (same pattern is used in BIP for the key/chaincode\n\u003e derivation).\n\nWhat's the rational for doing that \"directly\" rather than with two SHA256\noperations? (specifcially SHA256(0 . thing), SHA256(1 + thing) for the two\nparts we need to derive)\n\nReducing the # of basic cryptographic primitives you need to implement a\nstandard needs is a good thing.\n\n-- \nhttps://petertodd.org 'peter'[:-1]@petertodd.org\n-------------- next part --------------\nA non-text attachment was scrubbed...\nName: signature.asc\nType: application/pgp-signature\nSize: 455 bytes\nDesc: Digital signature\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20160629/12948cd4/attachment.sig\u003e", "sig": "d7be64e62a2c3e536a4672239600bd8681fed89c7da1f46bef2d6df469c05ed4aad8cb75ef7d82a0202b10bcb6d9ede893b4696be19dbfd6058939c0bfc63d34" }