2

In A. Antonopoulos' Mastering Bitcoin (2nd edition) on page 106, there is a nice illustration showing how the basis for a BIP32 HD Wallet is generated:

So here is the one thing I don't understand about it:

In the middle of the picture there is the part where the seed is HMACed and stretched to 512 bits. Why is an HMAC needed instead of simply taking a hash of the seed (SHA512)?

As far as I understand, the difference between a hash and an HMAC is that the HMAC delivers some sort of non-repudiation, namely that only the ones who are able to create a valid HMAC are the ones knowing a specific key (so kind of like a signature). This feature, however, is useless in the given use case.

So why HMAC-SHA512 instead of SHA512? Is the idea to artificially increase the workload needed for the generation of an HD Wallet to limit the possibilities of a brute-force attack?

Dalit Sairio

1 Answer

-2

I found this answer by David Schwartz under the cryptography tags on Stack Exchange; it may answer your question: HMAC. It basically states that HMAC is smaller in size and takes less CPU to compute.

John Singh
  • Thank you John for your answer. I think there is a misunderstanding though. It looks like when David Schwartz says "HMAC is smaller in size and takes less CPU" he is _not_ comparing HMAC to hashes. Instead he is comparing symmetric cryptography (HMAC) to asymmetric cryptography (signatures). --- In other words: I think it's pretty safe to say that HMACs are actually "heavier" than just hashes, not least because creating an HMAC does actually involve hashing in its process (two times in fact). – Dalit Sairio Jan 09 '18 at 15:28
  • 1
    @Dalit Indeed, John's answer here is wrong. – Pieter Wuille Mar 15 '18 at 01:42
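
Added example (not part of the original thread or of the book): the step the question asks about, as BIP32 specifies it, I = HMAC-SHA512(key = "Bitcoin seed", data = seed), split into the master private key and the chain code. HMAC is also written out by hand to show the two SHA-512 passes mentioned in the comment above. The function names are illustrative, and the seed is the one from BIP32's published test vector 1.

```python
import hashlib
import hmac

BLOCK = 128  # SHA-512 block size in bytes
# Order of the secp256k1 group; BIP32 rejects a master key of 0 or >= N.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def hmac_sha512_manual(key: bytes, msg: bytes) -> bytes:
    """HMAC per RFC 2104, written out to show the two SHA-512 passes."""
    if len(key) > BLOCK:
        key = hashlib.sha512(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha512(ipad + msg).digest()   # first hash: keyed inner digest
    return hashlib.sha512(opad + inner).digest()  # second hash: keyed outer digest


def bip32_master(seed: bytes):
    """Return (master_private_key, chain_code) as defined in BIP32."""
    if not 16 <= len(seed) <= 64:
        raise ValueError("BIP32 seeds are 128 to 512 bits long")
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    il, ir = i[:32], i[32:]  # left 256 bits: key, right 256 bits: chain code
    k = int.from_bytes(il, "big")
    if k == 0 or k >= N:
        raise ValueError("invalid master key, a different seed is required")
    return il, ir


def demo():
    """Derive the master node for BIP32 test vector 1 and compare constructions."""
    seed = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    key, chain = bip32_master(seed)
    # The hand-written HMAC must agree with the standard library.
    same = hmac_sha512_manual(b"Bitcoin seed", seed) == key + chain
    # A bare SHA-512 of the same seed gives an unrelated 512-bit value.
    differs = hashlib.sha512(seed).digest() != key + chain
    return key.hex(), chain.hex(), same, differs


if __name__ == "__main__":
    for value in demo():
        print(value)
```
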