> To quote:
> 
>> HMAC_SHA512(key=ecdh_secret|cipher-type,msg="encryption key").
>>
>>  K_1 must be the left 32bytes of the HMAC_SHA512 hash.
>>  K_2 must be the right 32bytes of the HMAC_SHA512 hash.
> 
> This seems a weak reason to introduce SHA512 to the mix.  Can we just
> make:
> 
> K_1 = HMAC_SHA256(key=ecdh_secret|cipher-type,msg="header encryption key")
> K_2 = HMAC_SHA256(key=ecdh_secret|cipher-type,msg="body encryption key")

SHA512_HMAC is used by BIP32 [1] and I guess most clients will somehow
make use of bip32 features. I though a single SHA512_HMAC operation is
cheaper and simpler then two SHA256_HMAC.

AFAIK, sha256_hmac is also not used by the current p2p & consensus layer.
Bitcoin-Core uses it for HTTP RPC auth and Tor control.

I don't see big pros/cons for SHA512_HMAC over SHA256_HMAC.

</jonas>

[1]
https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#child-key-derivation-ckd-functions