Cryptology ePrint Archive: Report 2010/264
Cryptographic Extraction and Key Derivation: The HKDF Scheme
Abstract: In spite of the central role of key derivation functions (KDF) in applied cryptography, there has been little formal work addressing the design and analysis of general multi-purpose KDFs. In practice, most KDFs (including those widely standardized) follow ad-hoc approaches that treat cryptographic hash functions as perfectly random functions. In this paper we close some gaps between theory and practice by contributing to the study and engineering of KDFs in several ways. We provide detailed rationale for the design of KDFs based on the extract-then-expand approach; we present the first general and rigorous definition of KDFs and their security which we base on the notion of computational extractors; we specify a concrete fully practical KDF based on the HMAC construction; and we provide an analysis of this construction based on the extraction and pseudorandom properties of HMAC. The resultant KDF design can support a large variety of KDF applications under suitable assumptions on the underlying hash function; particular attention and effort is devoted to minimizing these assumptions as much as possible for each usage scenario.
Beyond the theoretical interest in modeling KDFs, this work is intended to address two important and timely needs of cryptographic applications: (i) providing a single hash-based KDF design that can be standardized for use in multiple and diverse applications, and (ii) providing a conservative, yet efficient, design that exercises much care in the way it utilizes a cryptographic hash function.
(The HMAC-based scheme presented here, named HKDF, is being standardized by the IETF.)
Category / Keywords: cryptographic protocols /
Publication Info: Extended abstract to be published in Proceedings of Crypto'2010.
Date: received 10 May 2010
Contact author: hugo at ee technion ac il
Available format(s): PDF | BibTeX Citation
Version: 20100511:063858 (All versions of this report)
Short URL: ia.cr/2010/264
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]