> Based on previous crypto analysis result, the actual security of SHA512
> is not significantly higher than SHA256.
> maybe we should consider SHA3?

As far as I know the security of the symmetric cipher key mainly depends
on the PRNG and the ECDH scheme.

The HMAC_SHA512 will be used to "drive" keys from the ECDH shared secret.
HMAC_SHA256 would be sufficient but I have specified SHA512 to allow to
directly derive 512bits which allows to have two 256bit keys with one
HMAC operation (same pattern is used in BIP for the key/chaincode
derivation).

Keccak would be an alternative but we probably don't want to introduce
another new hash type just for the encryption.

</jonas>