Key Derivation Function¶
links: AC1 TOC - Random Oracle & Applications - Index
High to High Entropy¶
KDF (key derivation functions) derive a key from a KDK (key derivation key). This means that a KDF creates a key based on another key. A KDF assumes that the KDK which is supplied as input already possesses high entropy and therefore the KDF must not mess with this and just delegates to underlying PRF (pseudo random functions). For this purpose, KDF leverage PRF. The NIST recommends to use HMAC or KMAC as underlying PRF. KDF which take high entropy as input can also be termed as key expansion. Key expansion is a subpart of a functioning KDF. You could also define a KDF which take low entropy and generate a high entropy output from this. For low-high entropy scenarios read about Password Based Key Derivation Function (PBKDF).
NIST Recommendations on KDF: NIST SP 800-108r1
KDF using HMAC (HKDF)¶
HKDF is a simple KDF based on the HMAC. The main approach of HKDF follows the "extract-then-expand" paradigm, where the KDF logically consists of two modules.
- HKDF-Extract: takes "input key material" (IKM) such as a shared secret of DH, optional a salt and generates a PRK (pseudorandom key). The output is the HMAC with the "salt" as the key and the "IKM" as the message.
- HKDF-Expand: Takes the PRK, some "info" and a length and generates output of the length. This module act as a pseudorandom function keyed on PRK.
KDF using KMAC¶
KMAC (Keccak based Message Authentication Code) is based on the Keccak sponge construction and therefore can output an arbitrary length of output bits.
The NIST defines a KMAC based KDF as follows:
Input: KDK, Context, L, and Label
Process:
1. If L > 2^1040 − 1, output an error indicator and stop (i.e., skip step 2).
2. DERIVED KEY = KMAC#(KDK, Context, L, Label).
Output: DERIVED KEY (or an error indicator)
Where the error condition \(L > 2^{1040-1}\) is a limitation by KMAC (Section 6.2 of the NIST document).
Parameters¶
- KDK: The key derivation key of which a key shall be derived
- Context: Context information for the derived key
- L: The desired length of the derived key
- Label: "Label can be an encoding of
the characters “KDF” or “KDF4X” in 8-bit ASCII" (quote of the NIST document)
Limitations¶
The recommended implementation of the KDF by the NIST assume, that the final length of the derived key is always known (the assumption makes sense, since the key length directly influence the security level). But in theory it would also be possible to create variable length derived keys by using XOF KMAC which would allow this.