Based on previous crypto analysis result, the actual security of SHA512 is
not significantly higher than SHA256.
maybe we should consider SHA3?


On Tue, Jun 28, 2016 at 3:19 PM, Jonas Schnelli via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> > To quote:
> >
> >> HMAC_SHA512(key=ecdh_secret|cipher-type,msg="encryption key").
> >>
> >>  K_1 must be the left 32bytes of the HMAC_SHA512 hash.
> >>  K_2 must be the right 32bytes of the HMAC_SHA512 hash.
> >
> > This seems a weak reason to introduce SHA512 to the mix.  Can we just
> > make:
> >
> > K_1 = HMAC_SHA256(key=ecdh_secret|cipher-type,msg="header encryption
> key")
> > K_2 = HMAC_SHA256(key=ecdh_secret|cipher-type,msg="body encryption key")
>
> SHA512_HMAC is used by BIP32 [1] and I guess most clients will somehow
> make use of bip32 features. I though a single SHA512_HMAC operation is
> cheaper and simpler then two SHA256_HMAC.
>
> AFAIK, sha256_hmac is also not used by the current p2p & consensus layer.
> Bitcoin-Core uses it for HTTP RPC auth and Tor control.
>
> I don't see big pros/cons for SHA512_HMAC over SHA256_HMAC.
>
> </jonas>
>
> [1]
>
> https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#child-key-derivation-ckd-functions
>
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
>


-- 
Xuesong (Arthur) Chen
Senior Principle Engineer
BlockChain Technologist
BTCC