Hi Erik, Would sha256-hmac(nonce, publicKeyPoint) still be a suitable/safe alternative without relying on sha3? That should at the very least eliminate length extension attacks.
Best, Arik > On Mar 19, 2021, at 6:32 PM, Erik Aronesty via bitcoin-dev > <bitcoin-dev@lists.linuxfoundation.org> wrote: > > use sha3-256. sha256 suffers from certain attacks (length extension, > for example) that could make your scheme vulnerable to leaking info, > depending on how you concatenate things, etc. better to choose > something where padding doesn't matter. > > On Fri, Mar 19, 2021 at 7:28 PM vjudeu via bitcoin-dev > <bitcoin-dev@lists.linuxfoundation.org> wrote: >> >> I recently found some interesting and simple HD wallet design here: >> https://bitcointalk.org/index.php?topic=5321992.0 >> Could anyone see any flaws in such design or is it safe enough to implement >> it and use in practice? >> If I understand it correctly, it is just pure ECDSA and SHA-256, nothing >> else: >> >> masterPublicKey = masterPrivateKey * G >> masterChildPublicKey = masterPublicKey + ( SHA-256( masterPublicKey || nonce >> ) mod n ) * G >> masterChildPrivateKey = masterPrivateKey + ( SHA-256( masterPublicKey || >> nonce ) mod n ) >> >> Also, it has some nice properties, like all keys starting with 02 prefix and >> allows potentially unlimited custom derivation path by using 256-bit nonce. >> _______________________________________________ >> bitcoin-dev mailing list >> bitcoin-dev@lists.linuxfoundation.org >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
signature.asc
Description: Message signed with OpenPGP
_______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
