From: Jonas Schnelli
To: Peter Todd, Bitcoin Protocol Discussion
Cc: Arthur Chen
Date: Wed, 29 Jun 2016 22:31:50 +0200
Subject: Re: [bitcoin-dev] BIP 151 use of HMAC_SHA512
Message-ID: <57743036.5040304@jonasschnelli.ch>
In-Reply-To: <20160629201317.GA4855@fedora-21-dvm>
List: bitcoin-dev@lists.linuxfoundation.org
(OpenPGP/MIME signed message, RFC 4880 and 3156)
> On Wed, Jun 29, 2016 at 08:34:06PM +0200, Jonas Schnelli via bitcoin-dev wrote:
>>> Based on previous crypto analysis result, the actual security of SHA512
>>> is not significantly higher than SHA256.
>>> maybe we should consider SHA3?
>>
>> As far as I know the security of the symmetric cipher key mainly depends
>> on the PRNG and the ECDH scheme.
>>
>> The HMAC_SHA512 will be used to "derive" keys from the ECDH shared secret.
>> HMAC_SHA256 would be sufficient but I have specified SHA512 to allow to
>> directly derive 512bits which allows to have two 256bit keys with one
>> HMAC operation (same pattern is used in BIP for the key/chaincode
>> derivation).
>
> What's the rationale for doing that "directly" rather than with two SHA256
> operations? (specifically SHA256(0 . thing), SHA256(1 + thing) for the two
> parts we need to derive)

SHA256 and SHA512 are both from the SHA-2 family. I have specified SHA512 to (slightly) increase the brute-force security of the ECDH shared secret when knowing K_1 and K_2. And I assumed (haven't measured the required CPU cycles) that a single SHA512_HMAC is less expensive than two SHA256_HMAC.
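As an added example (not code from this thread, from BIP 151, or from Bitcoin Core), the following Python puts the two derivation patterns under discussion side by side: one HMAC-SHA512 over the shared secret whose 64-byte output is split into two 256-bit keys, versus two HMAC-SHA256 calls kept apart by a leading 0/1 byte. The shared-secret value, the label used as the HMAC message, and which input sits in the HMAC key slot are assumptions chosen for illustration, not BIP 151's actual construction. A small benchmark function is included because the mail notes that the relative cost of one HMAC-SHA512 versus two HMAC-SHA256 was assumed rather than measured.

```python
import hashlib
import hmac
import timeit

# Constructed 32-byte stand-in for an ECDH shared secret. No key exchange
# is performed here; any fixed test vector serves the same purpose.
SHARED_SECRET = bytes(range(32))

# Assumption: the shared secret is the HMAC key and a fixed label is the
# HMAC message. BIP 151's real input layout may differ.
LABEL = b"example key derivation label"


def derive_one_hmac512(secret: bytes, label: bytes = LABEL):
    """One HMAC-SHA512 over the shared secret; the 64-byte output is split
    into two independent 256-bit keys (K_1, K_2) as the mail describes."""
    out = hmac.new(secret, label, hashlib.sha512).digest()
    return out[:32], out[32:]


def derive_two_hmac256(secret: bytes, label: bytes = LABEL):
    """Two HMAC-SHA256 calls, each over a distinct domain-separation byte
    followed by the same label: H(0 || thing) and H(1 || thing). The
    prefix byte is what keeps the two outputs from being identical."""
    k1 = hmac.new(secret, b"\x00" + label, hashlib.sha256).digest()
    k2 = hmac.new(secret, b"\x01" + label, hashlib.sha256).digest()
    return k1, k2


def benchmark(iterations: int = 20000):
    """Rough relative cost of the two patterns on this machine.
    Returns (seconds_for_one_hmac512, seconds_for_two_hmac256)."""
    t512 = timeit.timeit(lambda: derive_one_hmac512(SHARED_SECRET),
                         number=iterations)
    t256 = timeit.timeit(lambda: derive_two_hmac256(SHARED_SECRET),
                         number=iterations)
    return t512, t256


if __name__ == "__main__":
    k1, k2 = derive_one_hmac512(SHARED_SECRET)
    j1, j2 = derive_two_hmac256(SHARED_SECRET)
    print("HMAC-SHA512 split : K_1=%s K_2=%s" % (k1.hex(), k2.hex()))
    print("2x HMAC-SHA256    : K_1=%s K_2=%s" % (j1.hex(), j2.hex()))
    t512, t256 = benchmark()
    print("one HMAC-SHA512: %.4fs, two HMAC-SHA256: %.4fs" % (t512, t256))
```

Both patterns yield two distinct 32-byte keys deterministically from the same secret; the output of `benchmark()` is machine-dependent, so treat it as a local measurement rather than a general result.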