1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
|
Return-Path: <rusty@ozlabs.org>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id 6E932A55
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 29 Jun 2016 01:13:09 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from ozlabs.org (ozlabs.org [103.22.144.67])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 795EB10E
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 29 Jun 2016 01:13:07 +0000 (UTC)
Received: by ozlabs.org (Postfix, from userid 1011)
id 3rfPmx2FCDz9ryQ; Wed, 29 Jun 2016 11:13:05 +1000 (AEST)
From: Rusty Russell <rusty@rustcorp.com.au>
To: Jonas Schnelli <dev@jonasschnelli.ch>
In-Reply-To: <577224E8.6070307@jonasschnelli.ch>
References: <87h9cecad5.fsf@rustcorp.com.au>
<577224E8.6070307@jonasschnelli.ch>
User-Agent: Notmuch/0.21 (http://notmuchmail.org) Emacs/24.5.1
(x86_64-pc-linux-gnu)
Date: Wed, 29 Jun 2016 10:30:29 +0930
Message-ID: <8760ssdd1u.fsf@rustcorp.com.au>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Status: No, score=-5.5 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
RP_MATCHES_RCVD autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
Cc: bitcoin-dev@lists.linuxfoundation.org
Subject: Re: [bitcoin-dev] BIP 151 use of HMAC_SHA512
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jun 2016 01:13:09 -0000
Jonas Schnelli <dev@jonasschnelli.ch> writes:
>> To quote:
>>
>>> HMAC_SHA512(key=ecdh_secret|cipher-type,msg="encryption key").
>>>
>>> K_1 must be the left 32bytes of the HMAC_SHA512 hash.
>>> K_2 must be the right 32bytes of the HMAC_SHA512 hash.
>>
>> This seems a weak reason to introduce SHA512 to the mix. Can we just
>> make:
>>
>> K_1 = HMAC_SHA256(key=ecdh_secret|cipher-type,msg="header encryption key")
>> K_2 = HMAC_SHA256(key=ecdh_secret|cipher-type,msg="body encryption key")
>
> SHA512_HMAC is used by BIP32 [1] and I guess most clients will somehow
> make use of bip32 features. I though a single SHA512_HMAC operation is
> cheaper and simpler then two SHA256_HMAC.
Good point; I would argue that mistake has already been made. But I was
looking at appropriating your work for lightning inter-node comms, and
adding another hash algo seemed unnecessarily painful.
> AFAIK, sha256_hmac is also not used by the current p2p & consensus layer.
> Bitcoin-Core uses it for HTTP RPC auth and Tor control.
It's also not clear to me why the HMAC, vs just
SHA256(key|cipher-type|mesg). But that's probably just my crypto
ignorance...
Thanks!
Rusty.
|
