International Association for Cryptologic Research

CryptoDB

D(e)rive with Care: Lessons Learned from Analyzing Real-World Multi-Input Key Derivation Functions

Authors:
Matilda Backendal
Sebastian Clermont
Marc Fischlin
Felix Günther
Miro Haller
Matteo Scarlata
Presentation: Slides
Abstract: Key derivation functions (KDFs) are integral to many cryptographic protocols, turning raw (e.g., Diffie-Hellman) key material into strong cryptographic keys. Traditionally, KDFs are designed and analyzed for settings where they take a single key material input. Modern protocol designs, however, regularly need to combine multiple secrets (e.g., in hybrid key exchange for quantum-safe migration) with the guarantee that the derived key is secure as long as at least one of the inputs is good. Complex applications, especially in the setting where keys are user-managed, may even require threshold versions of KDFs. In this talk, we present lessons learned from analyzing such real-world proposals for multi-input KDFs. We first discuss combiner KDFs (aka key combiners), studying the designs in Signal's X3DH protocol, ETSI's TS 103-744 standard for hybrid key exchange, and MLS' combiner for pre-shared keys. Notably, the ETSI standard, widely recognized and recommended for use, for example by the German Federal Agency for IT Security, misuses the underlying HKDF salt input in a way that makes it insecure in its general form. We take the opportunity to revisit the syntax and security model for KDFs (mainly due to Krawczyk's HKDF paper, CRYPTO 2010) to give results on multiple-input KDFs. Taking an assertive stand on syntax, we do away with salts, which are needed in theory to extract from arbitrary sources in the standard model, but in practice are almost never used (or even available) and are sometimes even misused, as we saw. We then turn to the novel threshold primitive, which emerged as part of the multi-factor KDF (MFKDF) design (Nair and Song, USENIX 2023). We show how a naive implementation (such as the one proposed in MFKDF) leaves the scheme open to devastating cryptographic attacks and discuss ways forward.
Video: https://youtu.be/w3dpdVgT2ig
BibTeX
@misc{rwc-2025-35895,
  title={D(e)rive with Care: Lessons Learned from Analyzing Real-World Multi-Input Key Derivation Functions},
  note={Video at \url{https://youtu.be/w3dpdVgT2ig}},
  howpublished={Talk given at RWC 2025},
  author={Matilda Backendal and Sebastian Clermont and Marc Fischlin and Felix Günther and Miro Haller and Matteo Scarlata},
  year=2025
}