Hi Erik,

Would sha256-hmac(nonce, publicKeyPoint) still be a suitable/safe alternative without relying on sha3? That should at the very least eliminate length extension attacks.

Best,
Arik

> On Mar 19, 2021, at 6:32 PM, Erik Aronesty via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> 
> use sha3-256.  sha256 suffers from certain attacks (length extension,
> for example) that could make your scheme vulnerable to leaking info,
> depending on how you concatenate things, etc.  better to choose
> something where padding doesn't matter.
> 
> On Fri, Mar 19, 2021 at 7:28 PM vjudeu via bitcoin-dev
> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>> 
>> I recently found some interesting and simple HD wallet design here: https://bitcointalk.org/index.php?topic=5321992.0
>> Could anyone see any flaws in such design or is it safe enough to implement it and use in practice?
>> If I understand it correctly, it is just pure ECDSA and SHA-256, nothing else:
>> 
>> masterPublicKey = masterPrivateKey * G
>> masterChildPublicKey = masterPublicKey + ( SHA-256( masterPublicKey || nonce ) mod n ) * G
>> masterChildPrivateKey = masterPrivateKey + ( SHA-256( masterPublicKey || nonce ) mod n )
>> 
>> Also, it has some nice properties, like all keys starting with 02 prefix and allows potentially unlimited custom derivation path by using 256-bit nonce.
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev