A Framework for Security Analysis of Key Derivation Functions
This paper presents a comprehensive formal security framework for key derivation functions (KDFs). The major security goal for a KDF is to produce cryptographic keys from a private seed value such that the derived cryptographic keys are indistinguishable from random binary strings. We form a framework of five security models for KDFs. This consists of four security models that we propose: Known Public Inputs Attack (KPM, KPS), Adaptive Chosen Context Information Attack (CCM) and Adaptive Chosen Public Inputs Attack (CPM); and another security model, previously defined by Krawczyk, which we refer to as Adaptive Chosen Context Information Attack (CCS). These security models are simulated using an indistinguishability game. In addition, we prove the relationships between these five security models and analyse KDFs using the framework (in the random oracle model).
Keywords: Key derivation function, Security framework, Indistinguishability, Cryptographic keys
- 3. Dang, Q.: Recommendation for Existing Application-Specific Key Derivation Functions. NIST Special Publication 800, 135 (2010)
- 4. Kaliski, B.: PKCS #5: Password-based cryptography specification version 2.0. Technical report, RFC 2898 (September 2000)
- 5. Krawczyk, H.: On Extract-then-Expand Key Derivation Functions and an HMAC-based KDF (2008), http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.131.8254&rep=rep1&type=pdf
- 6. Krawczyk, H.: Cryptographic Extraction and Key Derivation: The HKDF Scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010)
- 7. Krawczyk, H., Eronen, P.: HMAC-based Extract-and-Expand Key Derivation Function (HKDF). Technical report, RFC 5869 (May 2010)
- 8. McGrew, D., Weis, B.: Key Derivation Functions and Their Uses (2010), http://www.ietf.org/id/draft-irtf-cfrg-kdf-uses-00.txt
- 9. Shoup, V.: ISO 18033-2: An emerging standard for public-key encryption. Final Committee Draft (December 2004)