From: Pieter Wuille
To: Ethan Heilman, Bitcoin Dev
Date: Wed, 29 Jun 2016 08:58:21 +0200
Subject: Re: [bitcoin-dev] BIP 151 use of HMAC_SHA512
References: <87h9cecad5.fsf@rustcorp.com.au> <577224E8.6070307@jonasschnelli.ch> <8760ssdd1u.fsf@rustcorp.com.au>

On Jun 29, 2016 07:05, "Ethan Heilman via bitcoin-dev" <bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> >It's also not clear to me why the HMAC, vs just SHA256(key|cipher-type|mesg). But that's probably just my crypto ignorance...
>
> SHA256(key|cipher-type|mesg) is an extremely insecure MAC because of
> the length extension property of SHA256.

This property technically does not apply here, as the output of the hash is kept secret, and the possible messages are constants (which are presumably chosen in such a way that one is never an extension of another).

However, this is a good example of why you can't generically use a hash function in places where you want a MAC (aka "a hash with a shared secret"). Furthermore, if you already have a hash function anyway, HMAC is very easy to construct on top of it.

--
Pieter
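Pieter's distinction (length extension only matters when the hash output is exposed and the attacker can get a longer message accepted) and his closing remark that HMAC is easy to build on top of an existing hash can both be seen in code. The following is an added example, not code from this thread, from BIP 151 or from Bitcoin Core: it implements a small SHA-256 whose compression function can be resumed from a digest, shows that a verifier using SHA256(key|msg) accepts an extended message whose tag was computed without the key, and shows that an HMAC verifier built from the same hash does not. The key, message and suffix are constructed placeholders, and `naive_mac`, `hmac_sha256`, `extend_naive_mac`, `matches_stdlib` and `demo` are names chosen here.

```python
"""Added illustration of the MAC point in the thread above; not code from
bitcoin-dev, BIP 151 or Bitcoin Core. A small pure-Python SHA-256 lets the
compression function be resumed from a chaining value, which is what length
extension relies on. Keys and messages are constructed placeholders."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF

def _primes(n):
    """First n primes; SHA-256's constants are derived from their roots."""
    out, c = [], 2
    while len(out) < n:
        if all(c % p for p in out if p * p <= c):
            out.append(c)
        c += 1
    return out

def _frac_root_bits(p, k):
    """First 32 fractional bits of p**(1/k), via exact integer Newton iteration."""
    n = p << (32 * k)
    x = 1 << ((n.bit_length() + k - 1) // k)  # upper bound on the root
    while True:
        y = ((k - 1) * x + n // x ** (k - 1)) // k
        if y >= x:
            return x & MASK
        x = y

_K = [_frac_root_bits(p, 3) for p in _primes(64)]  # round constants
_IV = [_frac_root_bits(p, 2) for p in _primes(8)]  # initial chaining value

def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def _compress(state, block):
    """One SHA-256 compression of a 64-byte block into the 8-word state."""
    w = list(struct.unpack(">16L", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
              + ((e & f) ^ (~e & g)) + _K[i] + w[i]) & MASK
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22))
              + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h))]

def sha256_padding(msg_len):
    """What SHA-256 appends to a msg_len-byte message: 0x80, zeros, 64-bit bit length."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack(">Q", msg_len * 8)

def sha256(data, state=None, total_len=None):
    """SHA-256 of data. With state/total_len, continue from a known digest as if
    total_len bytes (a multiple of 64, plus len(data)) had already been absorbed."""
    state = list(_IV if state is None else state)
    padded = data + sha256_padding(len(data) if total_len is None else total_len)
    for off in range(0, len(padded), 64):
        state = _compress(state, padded[off:off + 64])
    return struct.pack(">8L", *state)

def naive_mac(key, msg):
    """SHA256(key | msg): the construction Ethan warns against."""
    return sha256(key + msg)

def hmac_sha256(key, msg):
    """HMAC (RFC 2104) built from nothing but the hash function above."""
    key = (sha256(key) if len(key) > 64 else key).ljust(64, b"\x00")
    inner = sha256(bytes(k ^ 0x36 for k in key) + msg)
    return sha256(bytes(k ^ 0x5C for k in key) + inner)

def extend_naive_mac(tag, key_len, msg, suffix):
    """Length extension: from a naive tag for msg and only the key's length, derive
    (msg', tag') that naive_mac also accepts, without knowing the key itself."""
    glue = sha256_padding(key_len + len(msg))  # padding the hash already absorbed
    forged_msg = msg + glue + suffix
    forged_tag = sha256(suffix, state=struct.unpack(">8L", tag),
                        total_len=key_len + len(forged_msg))
    return forged_msg, forged_tag

def matches_stdlib(data=b"abc"):
    """Sanity check of the toy primitives against hashlib/hmac."""
    key = b"k" * 70  # longer than the block size, to exercise the key-hashing step
    return (sha256(data) == hashlib.sha256(data).digest()
            and hmac_sha256(key, data) == hmac.new(key, data, hashlib.sha256).digest())

def demo():
    """(naive MAC accepts the extended message, HMAC accepts it) -> (True, False)."""
    key = bytes(range(32))                 # constructed secret, unknown to the extender
    msg = b"cipher-type|constant-message"  # constructed stand-in for the MAC'd data
    tag = naive_mac(key, msg)
    forged_msg, forged_tag = extend_naive_mac(tag, len(key), msg, b"|extension")
    naive_ok = hmac.compare_digest(naive_mac(key, forged_msg), forged_tag)
    hmac_ok = hmac.compare_digest(hmac_sha256(key, forged_msg), forged_tag)
    return naive_ok, hmac_ok
```

`demo()` returns `(True, False)`. Both of Pieter's conditions are visible in `extend_naive_mac`: the extension needs the tag itself as its starting state, so a tag that is never disclosed gives nothing to resume from, and it can only produce the original message plus padding plus a suffix, so a fixed set of constant messages, none of which is a padded extension of another, is never matched. `hmac_sha256` is three lines on top of `sha256`, which is the "very easy to construct" point; `matches_stdlib` checks both toy primitives against `hashlib` and `hmac`.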