International Association for Cryptologic Research


CryptoDB

Cryptographic Treatment of Key Control Security -- In Light of NIST SP 800-108

Authors:
Ritam Bhaumik , TII
Avijit Dutta , Institute for Advancing Intelligence, TCG CREST and AcSIR
Akiko Inoue , NEC Corporation
Tetsu Iwata , Nagoya University
Ashwin Jha , Ruhr-University Bochum
Kazuhiko Minematsu , NEC Corporation
Mridul Nandi , Indian Statistical Institute, Kolkata
Yu Sasaki , NTT Social Informatics Laboratories, NIST associate
Meltem Sönmez Turan , National Institute of Standards and Technology
Stefano Tessaro , University of Washington
Conference: CRYPTO 2025
Abstract: This paper studies the security of key derivation functions (KDFs), a central class of cryptographic algorithms used to derive multiple independent-looking keys (each associated with a particular context) from a single secret. The main security requirement is that these keys are pseudorandom (i.e., that the KDF is a pseudorandom function). This paper initiates the study of an additional security property, called key control (KC) security, first informally put forward in a recent update to the NIST Special Publication (SP) 800-108 standard for KDFs. Informally speaking, KC security demands that, given a known key, it is hard for an adversary to find a context that forces the KDF-derived key for that context to have a property that is specified a priori and is hard to satisfy (e.g., that the derived key consists mostly of 0s, or that it is a weak key for a cryptographic algorithm using it). We provide a rigorous security definition for KC security, and then move on to the analysis of the KDF constructions specified in NIST SP 800-108. We show, via security proofs in the random oracle model, that the proposed constructions based on XOFs or hash functions can accommodate reasonable security margins (i.e., 128-bit security) when instantiated from KMAC and HMAC. We also show, via attacks, that all proposed block-cipher based modes of operation (even though they implement mitigation techniques against the KC attacks that affected an earlier version of the standard) achieve at best 72-bit KC security for 128-bit blocks, as with AES.
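The following is an added example to make the KC game concrete; it is not code from the paper or from NIST. It implements the SP 800-108 KDF in Counter Mode with HMAC-SHA256 as the PRF and then runs a generic key-control adversary: the key K_IN is public, and the adversary enumerates contexts until the derived key satisfies a hard-to-hit property (here, at least t leading zero bits). Against an ideal PRF this search costs about 2^t KDF calls, which is the best any KDF can offer for a property of probability 2^-t; the block-cipher-mode attacks the abstract mentions (72-bit cost for 128-bit blocks) exploit mode structure and are not reproduced here. Assumptions: the counter [i]_2 and length field [L]_2 are encoded as 32-bit big-endian integers (SP 800-108 leaves these widths to the implementer), and the key, label and contexts are constructed for the demonstration.

```python
# Added example (not from the paper or NIST): SP 800-108 KDF in Counter Mode
# with HMAC as the PRF, plus a generic key-control (KC) search in which an
# adversary who knows K_IN looks for a context whose derived key has a
# prescribed property (at least target_bits leading zero bits).
import hashlib
import hmac
import math
from typing import Optional, Tuple

# Assumed encoding choices (left to the implementer in SP 800-108):
# the counter [i]_2 and the output length [L]_2 are 32-bit big-endian.
COUNTER_BYTES = 4
LENGTH_BYTES = 4


def kdf_ctr_hmac(k_in: bytes, label: bytes, context: bytes, L: int,
                 hash_name: str = "sha256") -> bytes:
    """Counter Mode: K(i) = PRF(K_IN, [i]_2 || Label || 0x00 || Context || [L]_2),
    output = K(1) || ... || K(n) truncated to L bits, with n = ceil(L / h)."""
    if L <= 0 or L % 8:
        raise ValueError("this example only supports L as a positive multiple of 8")
    h_bits = hashlib.new(hash_name).digest_size * 8
    n = math.ceil(L / h_bits)
    if n >= 2 ** (8 * COUNTER_BYTES):
        raise ValueError("requested length exceeds the counter range")
    blocks = []
    for i in range(1, n + 1):
        fixed_input = (i.to_bytes(COUNTER_BYTES, "big") + label + b"\x00"
                       + context + L.to_bytes(LENGTH_BYTES, "big"))
        blocks.append(hmac.new(k_in, fixed_input, hash_name).digest())
    return b"".join(blocks)[: L // 8]


def leading_zero_bits(data: bytes) -> int:
    """Number of leading 0 bits of a byte string (the KC property used here)."""
    count = 0
    for byte in data:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def kc_search(k_in: bytes, label: bytes, L: int, target_bits: int,
              max_tries: int) -> Optional[Tuple[bytes, bytes, int]]:
    """Generic KC adversary: knows k_in, enumerates contexts and stops at the
    first derived key with >= target_bits leading zeros.  Returns
    (context, key, tries) or None.  Against an ideal PRF this costs about
    2**target_bits KDF evaluations, the generic bound a KC-secure KDF meets."""
    for t in range(max_tries):
        context = b"kc-search-" + t.to_bytes(8, "big")   # constructed contexts
        key = kdf_ctr_hmac(k_in, label, context, L)
        if leading_zero_bits(key) >= target_bits:
            return context, key, t + 1
    return None


def expected_tries(target_bits: int) -> int:
    """Expected number of KDF calls for the generic search against an ideal PRF."""
    return 2 ** target_bits


if __name__ == "__main__":
    k_in = bytes(range(32))              # constructed, publicly known key
    label = b"example-label"
    found = kc_search(k_in, label, 256, target_bits=12, max_tries=1 << 16)
    if found:
        ctx, key, tries = found
        print(f"context={ctx.hex()} key={key.hex()} tries={tries} "
              f"(generic expectation about {expected_tries(12)})")
```

Raising target_bits by one roughly doubles the number of tries, which is the behaviour the KC definition demands: the adversary's cost should track the a-priori probability of the property, with no shortcut from knowing the key. A mode that lets the adversary steer the derived key more cheaply than this, as the abstract reports for the block-cipher modes, is the failure KC security is meant to rule out.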
BibTeX
@inproceedings{crypto-2025-35801,
  title={Cryptographic Treatment of Key Control Security -- In Light of NIST SP 800-108},
  publisher={Springer-Verlag},
  author={Ritam Bhaumik and Avijit Dutta and Akiko Inoue and Tetsu Iwata and Ashwin Jha and Kazuhiko Minematsu and Mridul Nandi and Yu Sasaki and Meltem Sönmez Turan and Stefano Tessaro},
  year=2025
}