Cryptology ePrint Archive: Report 2010/264

Cryptographic Extraction and Key Derivation: The HKDF Scheme

Hugo Krawczyk

Abstract: In spite of the central role of key derivation functions (KDF) in applied cryptography, there has been little formal work addressing the design and analysis of general multi-purpose KDFs. In practice, most KDFs (including those widely standardized) follow ad-hoc approaches that treat cryptographic hash functions as perfectly random functions. In this paper we close some gaps between theory and practice by contributing to the study and engineering of KDFs in several ways. We provide detailed rationale for the design of KDFs based on the extract-then-expand approach; we present the first general and rigorous definition of KDFs and their security which we base on the notion of computational extractors; we specify a concrete fully practical KDF based on the HMAC construction; and we provide an analysis of this construction based on the extraction and pseudorandom properties of HMAC. The resultant KDF design can support a large variety of KDF applications under suitable assumptions on the underlying hash function; particular attention and effort is devoted to minimizing these assumptions as much as possible for each usage scenario.

Beyond the theoretical interest in modeling KDFs, this work is intended to address two important and timely needs of cryptographic applications: (i) providing a single hash-based KDF design that can be standardized for use in multiple and diverse applications, and (ii) providing a conservative, yet efficient, design that exercises much care in the way it utilizes a cryptographic hash function.

(The HMAC-based scheme presented here, named HKDF, is being standardized by the IETF.)

Category / Keywords: cryptographic protocols /

Date: received 10 May 2010, last revised 10 May 2020

Contact author: hugo at ee technion ac il

Available format(s): PDF | BibTeX Citation

Note: Corrects a typo in original version: The example at the top of page 12, using a function from {0,1}^{k+1} -> {0,1}^k, was mistakenly written before as {0,1}^{2k} -> {0,1}^k.

Version: 20200510:234923 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]