Author: Erik Aronesty 2021-03-22 12:05:13
Published on: 2021-03-22T12:05:13+00:00
In a recent thread on the bitcoin-dev mailing list, Erik Aronesty suggested generating hashes with sha3-256 instead of sha256, citing attacks on SHA-256 such as length extension. Another participant, Arik Sosman, asked whether sha256-hmac(nonce, publicKeyPoint) would be a suitable and safe alternative. The original post described a simple HD wallet design built on plain ECDSA and SHA-256. The design had some attractive properties: every derived key starts with the 02 prefix, and a 256-bit nonce allows an effectively unlimited custom derivation path. The original poster asked whether the design had any flaws, or whether it was safe enough to implement in practice. Erik's advice was to use sha3-256 rather than sha256 because, in his words, padding does not matter in sha3 and it is more provably secure.
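To make the length-extension concern concrete, the following is an added example that is not from the mailing-list thread or from the proposed wallet design. It contains a small pure-Python SHA-256 (so the compression function can be resumed from a published digest), forges sha256(secret || msg || glue || ext) without knowing the secret, and then tries the same trick against HMAC-SHA256 and SHA3-256, where it fails. The secret, message and extension bytes are constructed for the example; the derivation-path string is illustrative only.

```python
import hashlib
import hmac
import struct
from math import isqrt

MASK = 0xFFFFFFFF


def _primes(n):
    ps, c = [], 2
    while len(ps) < n:
        if all(c % p for p in ps):
            ps.append(c)
        c += 1
    return ps


def _icbrt(n):
    # exact integer floor cube root by binary search (no floating point)
    lo, hi = 0, 1 << (n.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


_P = _primes(64)
# FIPS 180-4 constants: fractional 32 bits of the cube roots (K) and square roots (IV)
K = [_icbrt(p << 96) & MASK for p in _P]
IV = [isqrt(p << 64) & MASK for p in _P[:8]]


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def _compress(state, block):
    w = list(struct.unpack(">16L", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
              + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22))
              + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK, c, b, a, (t1 + t2) & MASK
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h))]


def md_padding(total_len):
    # Merkle-Damgard padding: 0x80, zeros to 56 mod 64, then 64-bit big-endian bit length
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def sha256_resume(state, consumed_len, data):
    # finish SHA-256 from a chaining state that has already absorbed consumed_len bytes
    # (consumed_len must be a multiple of the 64-byte block size)
    buf = data + md_padding(consumed_len + len(data))
    for i in range(0, len(buf), 64):
        state = _compress(state, buf[i:i + 64])
    return struct.pack(">8L", *state)


def sha256_ref(data):
    return sha256_resume(list(IV), 0, data)


def length_extend(digest, secret_len, msg, ext):
    # given digest = sha256(secret || msg) and only len(secret), produce a message
    # (msg || glue || ext) and the valid digest of sha256(secret || msg || glue || ext)
    glue = md_padding(secret_len + len(msg))
    state = list(struct.unpack(">8L", digest))
    forged_msg = msg + glue + ext
    return forged_msg, sha256_resume(state, secret_len + len(msg) + len(glue), ext)


SECRET = b"constructed-example-secret"   # constructed; never seen by the attacker
MSG = b"path=m/0/1&nonce=7"              # constructed, illustrative derivation input
EXT = b"&nonce=99"                       # attacker-chosen extension


def demo():
    # returns (forgery_verifies_for_plain_sha256, ..._for_hmac_sha256, ..._for_sha3_256)
    tag = hashlib.sha256(SECRET + MSG).digest()          # the digest IS the chaining state
    fmsg, ftag = length_extend(tag, len(SECRET), MSG, EXT)
    plain_ok = hashlib.sha256(SECRET + fmsg).digest() == ftag
    # HMAC: the tag is an outer hash over (key ^ opad || inner digest), so resuming
    # from the published tag does not reproduce the keyed outer computation
    htag = hmac.new(SECRET, MSG, hashlib.sha256).digest()
    _, hforged = length_extend(htag, len(SECRET), MSG, EXT)
    hmac_ok = hmac.compare_digest(hmac.new(SECRET, fmsg, hashlib.sha256).digest(), hforged)
    # SHA3 (sponge): the 256-bit output exposes only part of the 1600-bit state; the
    # 512-bit capacity stays hidden, so there is no complete state to resume from
    stag = hashlib.sha3_256(SECRET + MSG).digest()
    _, sforged = length_extend(stag, len(SECRET), MSG, EXT)
    sha3_ok = hashlib.sha3_256(SECRET + fmsg).digest() == sforged
    return plain_ok, hmac_ok, sha3_ok
```

Running `demo()` returns `(True, False, False)`: a verifier that accepts sha256(secret || data) as a tag will accept the forged extension, while the HMAC and SHA3 tags do not. Note that the forged message necessarily contains the glue padding bytes, which is why the attack matters most for formats that tolerate trailing binary data or parse key/value pairs loosely; a scheme that commits to a fixed-length input (such as a 256-bit nonce and a compressed point) removes that freedom, but using HMAC or SHA3 removes the structural weakness regardless of how the input is framed.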
Updated on: 2023-06-14T19:43:19.277681+00:00