Do you really need a KDF when you have a PRF?
My understanding is that a KDF is like a PRF, except that it has a preliminary step that "extract" entropy. It is thus needed when the entropy is non-uniform (for example the output of ECDH is modulo a number that is not a power of 2, and is thus non-uniform if represented as a bit-string).
Yet, I am not sure there are modern symmetric algorithms that require the secret to be uniformly distributed. Sure their security might be defined with a uniform key, but using a KDF feels a bit like a cheat since there is no new entropy added, and it's not slow either. Am I missing something?
key-derivation pseudo-random-function hkdf
asked 8 hours ago
David 天宇 Wong
What is meant by "algorithms that require the secret to be uniformly distributed"? Specifically the word "require"; If the algorithms definition says it needs a uniform key, doesn't that mean it requires the secret to be uniformly distributed? Or do you mean "require" as in "security would become broken in practice if the secret is not uniformly distributed"?
– Ella Rose♦
7 hours ago
1 Answer
Do you really need a KDF when you have a PRF?
The purpose of the ‘expand’ step of a KDF like HKDF-Expand is to yield essentially arbitrary-size keys for distinct input labels. It is, in fact, a PRF. If you look closely, you will see that $$\operatorname{HKDF-Expand}_k(L) = \operatorname{HMAC}\text{-}H_k(L \mathbin\| \mathtt{0x01}),$$ if the desired output size matches the output size of $H$; if more bytes are requested, just repeatedly call $\operatorname{HMAC}\text{-}H$ with consecutive counters and the previous chunk prepended to $L$, and concatenate the outputs. You could, of course, substitute for $\operatorname{HMAC}\text{-}H$ your favorite PRF like keyed BLAKE2b, KMAC128, KangarooTwelve, Kravatte, prefix-keyed Gimli-Hash, or ChaCha $\circ$ Poly1305, and while it wouldn't be HKDF it would have corresponding security.
My understanding is that a KDF is like a PRF, except that it has a preliminary step that "extract" entropy. It is thus needed when the entropy is non-uniform (for example the output of ECDH is modulo a number that is not a power of 2, and is thus non-uniform if represented as a bit-string).
Correct: The other purpose of collecting the concepts of extract-with-salt and expand-with-label into a single term KDF is that often the two steps are close by—you have a DH secret, or a master diceware seed, which is not uniform in bit strings but which has high entropy, and you want to derive many secret keys from it for different labeled purposes.
Yet, I am not sure there are modern symmetric algorithms that require the secret to be uniformly distributed. Sure their security might be defined with a uniform key, but using a KDF feels a bit like a cheat since there is no new entropy added, and it's not slow either. Am I missing something?
The security contract for many cryptographic primitives requires the input to be uniform random. Obviously you can choose the input by a pseudorandom function under a uniform random key—if that broke the composition, merely using the composition would then serve as a distinguisher for the pseudorandom function. But it's not a priori clear whether highly structured keys like the bit encodings of integers on particular curves might be exploitable in downstream cryptosystems; using HKDF-Extract, or otherwise hashing the input, renders these concerns moot so you don't even have to think about them.
edited 5 hours ago
answered 7 hours ago
Squeamish Ossifrage
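As an added example (not code from the question or the answer above), here is the extract-then-expand construction the answer describes, written over a pluggable PRF so you can see that HKDF-Expand with a one-block output is literally PRF(PRK, info || 0x01), that the "extract" step is just the raw, possibly non-uniform secret hashed under a salt key, and that swapping HMAC-SHA256 for keyed BLAKE2b keeps the structure but is no longer HKDF. The two labels in derive_labeled_keys are hypothetical; the test-vector inputs are RFC 5869 Test Case 1.

```python
"""HKDF (RFC 5869) built from a generic PRF.
Added example; not the original post's code."""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """The PRF HKDF-SHA256 actually uses."""
    return hmac.new(key, msg, HASH).digest()


def keyed_blake2b(key: bytes, msg: bytes) -> bytes:
    """An alternative PRF (keyed BLAKE2b, 32-byte output). Plugging it
    into the same extract/expand skeleton gives a KDF with the same
    shape, but it is not HKDF any more."""
    return hashlib.blake2b(msg, key=key, digest_size=32).digest()


def hkdf_extract(salt: bytes, ikm: bytes, prf=hmac_sha256) -> bytes:
    """Extract: PRK = PRF(salt, IKM). The *salt* is the PRF key and the
    raw secret (e.g. a DH output that is not uniform as a bit string)
    is the message. RFC 5869 replaces an empty salt by HASH_LEN zeros."""
    if not salt:
        salt = bytes(HASH_LEN)
    return prf(salt, ikm)


def hkdf_expand(prk: bytes, info: bytes, length: int, prf=hmac_sha256) -> bytes:
    """Expand: T(i) = PRF(PRK, T(i-1) || info || i) for i = 1..N, output
    the first `length` bytes of T(1) || T(2) || ... . With a one-block
    request this is exactly PRF(PRK, info || 0x01)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand: requested length too large")
    okm = b""
    t = b""          # T(0) is the empty string
    counter = 1
    while len(okm) < length:
        t = prf(prk, t + info + bytes([counter]))
        okm += t
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int, prf=hmac_sha256) -> bytes:
    """Extract then expand in one call."""
    return hkdf_expand(hkdf_extract(salt, ikm, prf), info, length, prf)


def derive_labeled_keys(shared_secret: bytes, salt: bytes) -> dict:
    """Derive independent keys for distinct purposes from one secret:
    extract once, then expand once per label. Labels are hypothetical."""
    prk = hkdf_extract(salt, shared_secret)
    return {
        "enc": hkdf_expand(prk, b"example encryption key", 32),
        "mac": hkdf_expand(prk, b"example mac key", 32),
    }


def rfc5869_test_case_1() -> tuple:
    """Inputs of RFC 5869 Test Case 1 (SHA-256); returns (PRK, OKM)."""
    ikm = bytes([0x0B] * 22)          # 22 bytes of 0x0b
    salt = bytes(range(0x00, 0x0D))   # 000102...0c
    info = bytes(range(0xF0, 0xFA))   # f0f1f2...f9
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return prk, okm


if __name__ == "__main__":
    prk, okm = rfc5869_test_case_1()
    print("PRK", prk.hex())
    print("OKM", okm.hex())
    # Constructed 32-byte stand-in for a DH shared secret.
    keys = derive_labeled_keys(bytes.fromhex("aa" * 32), salt=b"")
    for label, k in keys.items():
        print(label, k.hex())
```

Two things worth checking when you read the output: the RFC vector confirms the counter/chaining order in expand (previous block first, then info, then the one-byte counter), and the two labeled keys differ even though they share one PRK, which is the whole point of the label input.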