0
From what I understand, the wallet seed is created by inputting into PBKDF2 (using HMAC-SHA512 of which 2048 rounds are applied) a bunch of mnemonic code words and an optional salt (defaulted to "mnemonic"). This generates a 512 bit-seed that is completely impractical to brute-force. This is a picture of the process that I am referring to taken from Mastering Bitcoin. Why, then, is it again hashed using HMAC-SHA512, besides for creating 512 bits of output (in the case where it originally might have been 128 or 256)? Why not just use a SHA512 hash alone (assuming the reason is just to create 512 bits)? What is the point of the HMAC here? Length-extension attacks should have been avoided from the previous iterations during PBKDF2, no?
But why HMAC-SHA-512 as opposed to a regular SHA-512 hash? Was this just arbitrary since it was used before? – Leeren – 2017-10-19T08:36:17.613
Ah sorry I misread your question. I've updated my answer :) – MeshCollider – 2017-10-19T09:32:41.520
Can you explain why HMAC-SHA-512 makes no assumptions on how the seed was generated but SHA does? – Leeren – 2017-10-19T15:53:00.100
Simply mean we want a key generated from the seed specifically for this purpose, rather than any old SHA-512 hash – MeshCollider – 2017-10-19T20:00:43.747