On Wed, Jun 29, 2016 at 08:34:06PM +0200, Jonas Schnelli via bitcoin-dev wrote:
> > Based on previous crypto analysis result, the actual security of SHA512
> > is not significantly higher than SHA256.
> > maybe we should consider SHA3?
>
> As far as I know the security of the symmetric cipher key mainly depends
> on the PRNG and the ECDH scheme.
>
> The HMAC_SHA512 will be used to "derive" keys from the ECDH shared secret.
> HMAC_SHA256 would be sufficient but I have specified SHA512 to allow
> directly deriving 512 bits, which allows having two 256-bit keys with one
> HMAC operation (the same pattern is used in BIP for the key/chaincode
> derivation).

What's the rationale for doing that "directly" rather than with two SHA256
operations? (specifically SHA256(0 . thing), SHA256(1 + thing) for the two
parts we need to derive)

Reducing the # of basic cryptographic primitives you need to implement a
standard is a good thing.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org
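The two derivations being compared, as an added Python example that is not part of this thread or of any BIP text; the sample secret is constructed, and which input plays the HMAC key versus message is an assumption of this example, not something the email specifies:

```python
import hashlib
import hmac

# Constructed 32-byte stand-in for an ECDH shared secret (in a real handshake
# this is the output of the ECDH computation, never a fixed value).
SHARED_SECRET = hashlib.sha256(b"constructed example shared secret").digest()


def derive_with_hmac_sha512(shared_secret: bytes, salt: bytes = b"") -> tuple:
    """Jonas's pattern: one HMAC-SHA512 call, 64-byte output split into two
    256-bit keys.

    Assumption: the shared secret is the HMAC message and 'salt' the HMAC key;
    the real key/message assignment is a detail of the specification.
    """
    out = hmac.new(salt, shared_secret, hashlib.sha512).digest()  # 64 bytes
    return out[:32], out[32:]


def derive_with_two_sha256(shared_secret: bytes) -> tuple:
    """Peter's alternative: two domain-separated SHA256 calls,
    SHA256(0x00 || secret) and SHA256(0x01 || secret), one per key."""
    k1 = hashlib.sha256(b"\x00" + shared_secret).digest()
    k2 = hashlib.sha256(b"\x01" + shared_secret).digest()
    return k1, k2


def derived_keys_look_sane(derive) -> bool:
    """Properties a reviewer checks for either scheme: two distinct 32-byte
    keys, deterministic output, and a different secret gives different keys."""
    k1, k2 = derive(SHARED_SECRET)
    again = derive(SHARED_SECRET)
    other = hashlib.sha256(b"a different constructed secret").digest()
    o1, o2 = derive(other)
    return (
        len(k1) == 32 and len(k2) == 32
        and k1 != k2
        and (k1, k2) == again
        and k1 != o1 and k2 != o2
    )


if __name__ == "__main__":
    for name, fn in (("HMAC-SHA512 split", derive_with_hmac_sha512),
                     ("two SHA256", derive_with_two_sha256)):
        k1, k2 = fn(SHARED_SECRET)
        print(f"{name}: k1={k1.hex()[:16]}.. k2={k2.hex()[:16]}.. "
              f"sane={derived_keys_look_sane(fn)}")
```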