CryptoDB
Key Derivation Functions Without a Grain of Salt
Authors: Matilda Backendal, Sebastian Clermont, Marc Fischlin, Felix Günther
Conference: EUROCRYPT 2025
Abstract: Key derivation functions (KDFs) are integral to many cryptographic protocols. Their functionality is to turn raw key material, such as a Diffie–Hellman secret, into a strong cryptographic key that is indistinguishable from random. This guarantee was formalized by Krawczyk together with the seminal introduction of HKDF (CRYPTO 2010), in a model where the KDF only takes a single key material input. Modern protocol designs, however, regularly need to combine multiple secrets, possibly even from different sources, with the guarantee that the derived key is secure as long as at least one of the inputs is good. This is particularly relevant in settings like hybrid key exchange for quantum-safe migration. Krawczyk’s KDF formalism does not capture this goal, and there has been surprisingly little work on the security considerations for KDFs since then. In this work, we thus revisit the syntax and security model for KDFs to treat multiple, possibly correlated inputs. Our syntax is assertive: We do away with salts, which are needed in theory to extract from arbitrary sources in the standard model, but in practice, they are almost never used (or even available) and sometimes even misused, as we argue. We use our new model to analyze real-world multi-input KDFs—in Signal’s X3DH protocol, ETSI’s TS 103-744 standard, and MLS’ combiner for pre-shared keys—as well as new constructions we introduce for specialized settings—e.g., a purely blockcipher-based one. We further discuss the importance of collision resistance for KDFs and finally apply our multi-input KDF model to show how hybrid KEM key exchange can be analyzed from a KDF perspective.
BibTeX
@inproceedings{eurocrypt-2025-35009,
  title={Key Derivation Functions Without a Grain of Salt},
  publisher={Springer-Verlag},
  author={Matilda Backendal and Sebastian Clermont and Marc Fischlin and Felix Günther},
  year=2025
}