On Extract-then-Expand Key Derivation Functions
and an HMAC-based KDF (HKDF)
by Hugo Krawczyk
- HMAC-based KDF:
In spite of their central security role in any cryptographic system,
the design of
key derivation functions (KDF) has traditionally
been carried in ad-hoc ways
with little analytical foundation. This is especially true
for KDFs based on cryptographic hash functions (which is the most common
case in practice) where hash functions are "abused" by assuming that
they behave as perfect random functions.
Our opinion is that:
Given the current (healthy) skepticism about the strength of our hash
functions we must strive to design schemes that use the hash function as
prudently as possible.
Research results obtained in recent years point out to the advantages
of building KDF functions based on HMAC rather than on plain hash
functions as traditional schemes do.
In particular, these results show that an HMAC-based KDF
can be founded on weaker assumptions on the underlying hash function.
This is analogous to the use of HMAC as PRF that has been
favored in the last 10 years over plain-hash PRFs especially due to
HMAC's better resilience to weaknesses in the underlying hash function
(e.g., collision attacks).
Based on such results we propose
a fully-specified HMAC-based KDF,
that can serve multiple applications under a wide variety of
requirements and under relaxed assumptions on the hash functions.
We accompany this proposal with a VERY detailed rationale and analysis,
and a thorough comparison with existing alternatives.
In particular, the proposed scheme follows the
extract-then-expand paradigm for KDF design that we
discuss in great detail.
The proposal is intended to address two important and timely needs of
(i) Providing a single hash-based KDF design that can be standardized
for use in multiple and diverse applications, and
(ii) Providing a conservative, yet efficient, design that exercises
much care in the way it utilizes a cryptographic hash function.
We offer this proposal for consideration by NIST and the IETF and any
other interested parties or standard bodies.
NEW!! HKDF specification has been published as
The paper: .
The full details and rationale of the scheme are presented in the paper
Cryptographic Extraction and
Key Derivation: The HKDF Scheme (to appear in Crypto'2010)
For those interested in the specification only, please see
and Section 4.2 of the above paper (and the schematic figure below).
An earlier version of the paper containing less formal rationale is also
- Definition of HKDF:
Figure 1 shows the proposed HMAC-based KDF.
Please refer to Section 4.2 of the
paper for full details.