Author: Pieter Wuille 2016-06-29 06:58:21
Published on: 2016-06-29T06:58:21+00:00
In a discussion on the Bitcoin-dev mailing list, Pieter Wuille responded to a question about why HMAC, rather than a plain SHA256 hash, should be used as a message authentication code (MAC). He explained that SHA256(key|cipher-type|mesg) is insecure because of the length-extension property of SHA256: anyone who knows the tag and the length of the hashed input can compute a valid tag for a longer message without knowing the key. Although that specific attack technically does not apply in the case under discussion, it illustrates why a hash function cannot be used generically in place of a MAC. Moreover, since a hash function is already in use, HMAC can be constructed on top of it at little extra cost.
Updated on: 2023-05-19T23:38:06.286681+00:00