> On Wed, Jun 29, 2016 at 08:34:06PM +0200, Jonas Schnelli via bitcoin-dev wrote:
>>> Based on previous crypto analysis result, the actual security of SHA512
>>> is not significantly higher than SHA256.
>>> maybe we should consider SHA3?
>>
>> As far as I know the security of the symmetric cipher key mainly depends
>> on the PRNG and the ECDH scheme.
>>
>> The HMAC_SHA512 will be used to "derive" keys from the ECDH shared secret.
>> HMAC_SHA256 would be sufficient but I have specified SHA512 to allow to
>> directly derive 512bits which allows to have two 256bit keys with one
>> HMAC operation (same pattern is used in BIP for the key/chaincode
>> derivation).
>
> What's the rationale for doing that "directly" rather than with two SHA256
> operations? (specifically SHA256(0 . thing), SHA256(1 + thing) for the two
> parts we need to derive)

SHA256 and SHA512 are both from the SHA-2 family.
I have specified SHA512 to (slightly) increase the brute-force security of
the ecdh shared secret when knowing K_1 and K_2.
And I assumed (haven't measured the required cpu cycles) that a single
SHA512_HMAC is less expensive than two SHA256_HMAC.
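The two derivation patterns debated above, written out as an added example (not code from the thread or from the BIP draft it discusses): one HMAC-SHA512 split into K_1/K_2 versus two domain-separated HMAC-SHA256 calls, plus a small benchmark for the unmeasured cost claim. The HMAC key label and the 32-byte shared secret are constructed placeholders, not values from the proposal.

```python
import hashlib
import hmac
import timeit
from typing import Dict, Tuple

# Constructed 32-byte stand-in for an ECDH shared secret (not a real key).
SHARED_SECRET = bytes(range(32))
# Assumed HMAC key label; the thread does not specify what keys the HMAC.
HMAC_KEY = b"example-key-derivation-label"


def derive_keys_hmac_sha512(secret: bytes, key: bytes = HMAC_KEY) -> Tuple[bytes, bytes]:
    """Single HMAC-SHA512 call; the 512-bit output is split into two 256-bit keys."""
    out = hmac.new(key, secret, hashlib.sha512).digest()
    return out[:32], out[32:]


def derive_keys_hmac_sha256(secret: bytes, key: bytes = HMAC_KEY) -> Tuple[bytes, bytes]:
    """Two HMAC-SHA256 calls, each with a one-byte domain separator prefixed
    to the secret (the '0 . thing' / '1 . thing' pattern suggested in the reply)."""
    k1 = hmac.new(key, b"\x00" + secret, hashlib.sha256).digest()
    k2 = hmac.new(key, b"\x01" + secret, hashlib.sha256).digest()
    return k1, k2


def benchmark(iterations: int = 20000) -> Dict[str, float]:
    """Time both derivations (microseconds per derivation) so the
    'one SHA512 HMAC vs two SHA256 HMACs' cost assumption can be checked."""
    t512 = timeit.timeit(lambda: derive_keys_hmac_sha512(SHARED_SECRET), number=iterations)
    t256 = timeit.timeit(lambda: derive_keys_hmac_sha256(SHARED_SECRET), number=iterations)
    return {
        "one_hmac_sha512_us": t512 / iterations * 1e6,
        "two_hmac_sha256_us": t256 / iterations * 1e6,
    }


if __name__ == "__main__":
    for name, fn in (("HMAC-SHA512 split", derive_keys_hmac_sha512),
                     ("2x HMAC-SHA256", derive_keys_hmac_sha256)):
        k1, k2 = fn(SHARED_SECRET)
        print(f"{name}: K_1={k1.hex()[:16]}... K_2={k2.hex()[:16]}...")
    print(benchmark())
```

Both variants yield two independent-looking 256-bit keys; the benchmark numbers depend on the platform's hashlib build, so run it on the target hardware rather than trusting any single figure.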