[bitcoin-dev] BIP 151 use of HMAC_SHA512

Rusty Russell rusty at rustcorp.com.au
Fri Jul 1 03:25:17 UTC 2016

Ethan Heilman <eth3rs at gmail.com> writes:
>>It's also not clear to me why the HMAC, vs just SHA256(key|cipher-type|mesg).  But that's probably just my crypto ignorance...
> SHA256(key|cipher-type|mesg) is an extremely insecure MAC because of
> the length extension property of SHA256.
> If I have a tag y = SHA256(key|cipher-type|mesg), I can without
> knowing key or msg compute a value y' such that
> y' = SHA256(key|cipher-type|mesg|any values I want).

Not quite, there's an important subtlety that SHA256 appends the
bitlength, so you can only create:

y' = SHA256(key|cipher-type|mesg|padding|bitlength|any values I want).

But we're not using this for a MAC in BIP151, we're using this to
generate the encryption keys.

Arthur Chen <arthur.chen at btcc.com> said:
> HMAC has proven security property.
> It is still secure even when underlying crypto hashing function has
> collision resistant weakness.
> For example, MD5 is considered completely insecure now, but HMAC-MD5 is
> still considered secure.
> When in doubt, we should always use HMAC for MAC(Message Authentication
> Code) rather than custom construction

Bitcoin already relies on SHA256's robustness, but again, we don't need
a MAC here.

I'm happy to buy "we just copied ssh" if that's the answer, and I can't
see anything wrong with using HMAC here, it just seems odd...


More information about the bitcoin-dev mailing list