[bitcoin-dev] BIP 151 use of HMAC_SHA512

Arthur Chen arthur.chen at btcc.com
Wed Jun 29 01:38:44 UTC 2016


HMAC has proven security property.
It is still secure even when underlying crypto hashing function has
collision resistant weakness.
For example, MD5 is considered completely insecure now, but HMAC-MD5 is
still considered secure.
When in doubt, we should always use HMAC for MAC(Message Authentication
Code) rather than custom construction

On Wed, Jun 29, 2016 at 9:00 AM, Rusty Russell via bitcoin-dev <
bitcoin-dev at lists.linuxfoundation.org> wrote:

> Jonas Schnelli <dev at jonasschnelli.ch> writes:
> >> To quote:
> >>
> >>> HMAC_SHA512(key=ecdh_secret|cipher-type,msg="encryption key").
> >>>
> >>>  K_1 must be the left 32bytes of the HMAC_SHA512 hash.
> >>>  K_2 must be the right 32bytes of the HMAC_SHA512 hash.
> >>
> >> This seems a weak reason to introduce SHA512 to the mix.  Can we just
> >> make:
> >>
> >> K_1 = HMAC_SHA256(key=ecdh_secret|cipher-type,msg="header encryption
> key")
> >> K_2 = HMAC_SHA256(key=ecdh_secret|cipher-type,msg="body encryption key")
> >
> > SHA512_HMAC is used by BIP32 [1] and I guess most clients will somehow
> > make use of bip32 features. I though a single SHA512_HMAC operation is
> > cheaper and simpler then two SHA256_HMAC.
>
> Good point; I would argue that mistake has already been made.  But I was
> looking at appropriating your work for lightning inter-node comms, and
> adding another hash algo seemed unnecessarily painful.
>
> > AFAIK, sha256_hmac is also not used by the current p2p & consensus layer.
> > Bitcoin-Core uses it for HTTP RPC auth and Tor control.
>
> It's also not clear to me why the HMAC, vs just
> SHA256(key|cipher-type|mesg).  But that's probably just my crypto
> ignorance...
>
> Thanks!
> Rusty.
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>



-- 
Xuesong (Arthur) Chen
Senior Principle Engineer
BlockChain Technologist
BTCC
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20160629/3e68c72a/attachment-0001.html>


More information about the bitcoin-dev mailing list