Author: Rusty Russell 2016-07-01 03:25:17
Published on: 2016-07-01T03:25:17+00:00
In a discussion about using HMAC versus plain SHA256 as a Message Authentication Code (MAC), Ethan Heilman questions the need for HMAC. However, it is noted that SHA256 on its own is extremely insecure as a MAC because of its length extension property: the tag is simply the hash's internal chaining state after absorbing the input, so an attacker who holds a tag computed as SHA256(key|cipher-type|mesg) can continue the hash and compute a valid tag for that input extended with any values they want, without knowing the key or the message. While SHA256's padding appends the bit length, which makes generating a new value more difficult, this is not being used for a MAC in BIP151. Arthur Chen explains that HMAC has proven security properties even when the underlying hash function has weaknesses; HMAC-MD5 is still considered secure even though MD5 itself is considered completely broken. For MACs it is always better to use HMAC rather than a custom construction. Although Bitcoin already relies on SHA256's robustness, there is no need for a MAC in this particular case.
Updated on: 2023-06-11T18:53:05.749900+00:00