How length extension attack is possible here? The input of SHA-256 has constant length of 512 bits in this scheme. And if someone will get some child public key, there is still no way to reverse it to the parent public key, because even if the second block of SHA-256 is the same all the times, the attacker still does not know the outcome of SHA-256, so the last round of SHA-256 is unknown and doing calculations backwards seems to be impossible.
> On 2021-03-20 03:08:39 user Arik Sosman <m...@arik.io> wrote: > > Hi Erik, > > > > Would sha256-hmac(nonce, publicKeyPoint) still be a suitable/safe > > alternative without relying on sha3? That should at the very least > > eliminate length extension attacks. > > > > Best, > > Arik > > > > > On Mar 19, 2021, at 6:32 PM, Erik Aronesty via bitcoin-dev > > > <bitcoin-dev@lists.linuxfoundation.org> wrote: > > > > > > use sha3-256. sha256 suffers from certain attacks (length extension, > > > for example) that could make your scheme vulnerable to leaking info, > > > depending on how you concatenate things, etc. better to choose > > > something where padding doesn't matter. > > > > > > On Fri, Mar 19, 2021 at 7:28 PM vjudeu via bitcoin-dev > > > <bitcoin-dev@lists.linuxfoundation.org> wrote: > > >> > > >> I recently found some interesting and simple HD wallet design here: > > >> https://bitcointalk.org/index.php?topic=5321992.0 > > >> Could anyone see any flaws in such design or is it safe enough to > > >> implement it and use in practice? > > >> If I understand it correctly, it is just pure ECDSA and SHA-256, nothing > > >> else: > > >> > > >> masterPublicKey = masterPrivateKey * G > > >> masterChildPublicKey = masterPublicKey + ( SHA-256( masterPublicKey || > > >> nonce ) mod n ) * G > > >> masterChildPrivateKey = masterPrivateKey + ( SHA-256( masterPublicKey || > > >> nonce ) mod n ) > > >> > > >> Also, it has some nice properties, like all keys starting with 02 prefix > > >> and allows potentially unlimited custom derivation path by using 256-bit > > >> nonce. > > >> _______________________________________________ > > >> bitcoin-dev mailing list > > >> bitcoin-dev@lists.linuxfoundation.org > > >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > > > _______________________________________________ > > > bitcoin-dev mailing list > > > bitcoin-dev@lists.linuxfoundation.org > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > > > > > > > > _______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
