Key derivation function: key-hash based computational extractor and stream based pseudorandom expander

Our contribution

In this article, we introduce the development of a keyed-hash based computation extractor and a stream-based pseudorandom expander. We denoted this design as HMSKDF. The cryptographic primitive that is constructing the keyed-hash based computation extractor is the keyed-hash message authentication code that utilizes the secure hash algorithm with an output block size of 512 bits. For the stream-based pseudorandom expander, the cryptographic primitive is Trivium. The output for HMSKDF is arbitrary length. The research will focus on evaluating the security, software, and hardware performance of this alternative approach. Overall, our proposed HMSKDF provides a significant advancement in the field of key derivation functions, offering better security for ensuring the pseudo randomness of the generated cryptographic keys and eliminating bits wastage.

Organization of the article

We provide the theoretical definition of key derivation function in ‘Key Derivation Function’. ‘The proposed HMSKDF Scheme’ presents the HMSKDF scheme, the security analysis for the proposed scheme, the software performance evaluation in term of execution time and hardware performance. ‘Conclusion’ concludes the article.

CAM security model

The security objective of a key derivation function is to ensure that the values of private string s is unknown and public string c is known. The cryptographic key K generated by the key derivation function is indistinguishable from truly random binary strings of the same length. Koh & Chuah (2020) proposed the robust security model for key derivation function, namely CAM. The CAM serves as the formal security framework for evaluating the security of key derivation function. The CAM security model employs modern cryptography security proof technique, involving an indistinguishability game between two players known as the challenger and adversary. The indistinguishability game is performed in polynomial time t. The adversaries with the capability of influencing all the inputs of the key derivation function to conduct the bit-flipping attack, the objective is to identify any weaknesses in the key derivation function within polynomial time.

Definition 4. (CAM-secure) (Koh & Chuah, 2020). Key derivation function is $\left(m,t,q,\varepsilon \right)$ CAM-secure if for all probabilistic polynomial time adversary is making q queries ($q<\left|\mathrm{\beta }\right|\times \left|\gamma \right|$) to the key derivation function with chosen bit position of the private string s. The adversary can win this indistinguishability game with probability not greater than $\left(\frac{1}{2}+\varepsilon \right),$where ɛ is deemed negligible.

1. Challenger chooses p←β.

2. For i = 1, …, q′ ≤ q,

   1. Adversary chooses the bit position z_i of p.

   2. Adversary chooses s_i←τ and c_i←ω.

   3. Adversary sends z_i, s_i and c_i to challenger.

   4. Challenger generates $K_i\stackrel{t_i}{\leftarrow }KDF\left(p,s_i,c_i,n\right)$, t_i is time that used to generate the K_i.

   5. Challenger sends K_i and t_i to adversary.

3. Adversary chooses z,  s←τ and c←ω, subjected that ($\left\{z,s,x\right\}⁄\in \left\{z_i,s_i,c_i\right\},\dots ,\left\{z_q^{\prime }{s}_q^{\prime },c_q^{\prime }\right\}$. Adversary sends z, s and c to challenger.

4. Challenger chooses b randomly, $b\stackrel{R}{\leftarrow }\left\{0,1\right\}$.

   1. If b = 0, challenger generates $K^{\prime }\stackrel{t_b}{\leftarrow }KDF\left(p,s,c,n\right)$, t₀ is the execution time that used to generate the cryptographic key K′.

   2. Else challenger generates random $K^{\prime }\stackrel{R,t_b}{\leftarrow }{\left\{0,1\right\}}^n$, t₁ is the random time that used to generate the random K′.

   3. Challenger sends K′ to adversary.

5. Continue q − q′ queries, follows the step 2 subjected $\left\{z_i,s_i,c_i\right\}⁄\in \left\{z,s,c\right\}$.

6. Adversary win the game if b′ = b.

   1. If adversary output b′ = 0,  then adversary believes K′ is derived cryptographic key K from key derivation function.

   2. Else adversary output b′ = 1. 

Hash-based message authentication code based key derivation function

Krawczyk (2010) proposed hash-based message authentication code based key derivation function (HKDF). The HKDF is constructed using computational extractor and pseudorandom expander. The HKDF has been proven to be CAM-secure (Koh & Chuah, 2020). The computational extractor and pseudorandom expander of HKDF are defined as: (4)${\displaystyle PRK\leftarrow \mathfrak{F}\left(\left(s⨁opad\right)\parallel \mathfrak{F}\left(\left(s⨁ipad\right)\parallel p\right)\right)}$ (5)${\displaystyle K\left(i+1\right)\leftarrow \mathfrak{F}\left(\left(PRK⨁opad\right)\parallel \mathfrak{F}\left(\left(PRK⨁ipad\right)\parallel K\left(i\right)\parallel c\parallel i\right)\right)}$

• 𝔉 is hash function, either secure hash algorithm 1(SHA1) or secure hash algorithm 2 (SHA2).

• ⨁ is exclusive OR.

• ∥ is string concatenation.

• opad is outer padding, is formed by repeating the byte 0x36.

• ipad is inner padding, is formed by repeating byte 0x5c.

• $1\le i<\mathfrak{L},\mathfrak{L}=⌈\frac{n}{l^{PRK}}⌉.$

The length s,  𝔩^s must equal with 𝔩^PRK. Therefore, s is hashed using 𝔉, if 𝔩^s > 𝔩^PRK. Or, s is padded with zero until 𝔩^s is equal with 𝔩^PRK, if l^s < 𝔩^PRK. The 𝔩^PRK issame with the length of hash digest (SHA1 or SHA2). The first n bits derived cryptographic key K = K(1)||…||K(𝔏 − 1) is utilized as cryptographic keys, while the remaining bits is discarded.

One benefit of HKDF is its ability to handle inputs of arbitrary length, but a drawback is that it generates fixed-length blocks and discards any excess bits, causing wastage.

Definition 5. (HMAC-PRF) (Hirose, 2019; Gaži, Pietrzak & Rybár, 2014; Naik & Singh, 2024). A hash-based message authentication code, 𝔉:𝕂x𝔻 → ℝ, with key of 𝕜 ∈ 𝕂. A keyed-function with specific to the input length, such that G:0, 1^cx0, 1^b∗ → 0, 1^c is (ɛ, t, g, 𝔩)-HMAC-PRF secure, if all probabilistic polynomial time adversary t, making at most q queries, each of length at most 𝔩 (the bbits block), a R:0, 1^b∗ → 0, 1^c and a uniformly random key 𝕂←0, 1^c, therefore, ${\Delta }^{\text{Adversary}}\left(G_{\mathbb{K}},\mathbb{R}\right)\le \varepsilon ,$where ɛ is deemed negligible.

Stream cipher based key derivation function

Chuah, Dawson & Simpson (2013) proposed a stream cipher based key derivation function (SCKDF). The SCKDF has been proven not CAM-secure (Koh & Chuah, 2020). The computation extractor of SCKDF is defined as: (6)${\displaystyle PRK\leftarrow \mathfrak{S}\left[\left[\left(p^1⨁s\right)⨁\left(p^2\parallel p^3\right)\right]⨁\dots ⨁\left(p^{\mathfrak{l}-1}\parallel p^{\mathfrak{l}}\right)\right].}$

The inputs for pseudorandom keystream generator (𝔖) consist of key and initial vector. The length for the key, we denoted as 𝔩^sk. The length for the initial vector, we denoted it as 𝔩^iv. These inputs are substituted with the input pairs of key derivation function p and s (Italis, Pierre & Quintero, 2023). If s is null, p is divided into 𝔩^sk + 𝔩^iv per block. If s is not null, the length of s is suggested to be same with 𝔩^sk and p is divided into 𝔩^ivper block. If 𝔩^pis greater than𝔩^iv, the first block’s length of p is 𝔩^iv. The remaining block’s length of p is 𝔩^sk + 𝔩^iv. The pseudorandom keystream generator executes the entire blocks p^𝔩of p. Then, outputs PRK. The length of PRK,  𝔩^PKR is equal to the key length of pseudorandom keystream generator for pseudorandom expander phase 𝔩^sk.

The pseudorandom expander of SCKDF is defined as: (7)${\displaystyle K\leftarrow \mathfrak{S}\left[\left[\left(PRK⨁c^1\right)⨁c^2\right]⨁\dots ⨁c^{\mathfrak{l}}\right].}$

The input for pseudorandom keystream generator (Gaži, Pietrzak & Rybár, 2014) is substituted with the input pairs of key derivation function PRK and c (Chuah, Dawson & Simpson, 2013). The public string c can be null or not null. If c is null, c is 0^𝔩iv. If c is not null, c is divided 𝔩^iv per block. The pseudorandom keystream generator executes the entire blocks of c. Then, outputs n bits K.

The design of SCKDF is allows combination of different types of pseudorandom keystream generator for computational extractor and pseudorandom expander (Chuah, Dawson & Simpson, 2013). This pseudorandom expander can generate arbitrary length of cryptographic key without discarding any excess bits, thus enhancing efficiency (Canniere & Preneel, 2008). However, pseudorandom keystream generator is not able to accommodate inputs of arbitrary length, the modification made to process the key derivation function inputs for the computational extractor phase has led to the SCKDF is not CAM-secure.

Definition 6. (PKG) (Katz & Lindell, 2014). The pseudorandom keystream generator is considered to pass all statistical tests within polynomial time if the polynomial time algorithm can distinguish between the output sequence of the generator and a truly random sequence of equal length with probability significantly greater than $\frac{1}{2}$.

Block cipher based key derivation function

NIST SP 800-56C specified a cipher-based message authentication code based key derivation function (BKDF) (Barker, Chen & Davis, 2020) which consists of computational extractor and pseudorandom expander. The BKDF has been proven CAM-secure (Koh & Chuah, 2020). The computation extractor of BKDF is defined as: (8)${\displaystyle PR{K}_i\leftarrow {\mathfrak{B}}_s\left(PR{K}_{i-1}⨁D_i\right)}$

• 𝔅 is advanced encryption standard with key length of either 128 bits, 192 bits or 256 bits.

• D_i is p divided into 128 bits per block.

• s is considered as the key for advanced encryption standard.

• Initial PRK₀is0¹²⁸. l^PRK is128 bits.

• $1\le i<t,t=⌈\frac{{\mathfrak{l}}^p}{128}⌉$.

The pseudorandom expander of BKDF is defined as: (9)${\displaystyle K\left(i\right)\leftarrow {\mathfrak{B}}_{PRK}\left(K_{i-1}⨁M_i\right)}$

• 𝔅 is advanced encryption standard with key length of 128 bits.

• M_i is considered as c with 128 bits per block.

• PRK is considered as the secret key for advanced encryption standard.

• Initial K(0)is0¹²⁸.

• $1\le i<t,t=⌈\frac{{\mathfrak{l}}^c}{128}⌉$,

If n is greater than 128, the iterations in generating K are continued until the required length is exceed by $⌈\frac{n}{128}⌉$. The K is comprised of the initial n bits, while the remaining bits are deleted.

The benefit of BKDF is its ability to handle inputs of arbitrary length. A similar drawback of HKDF is that it produces blocks of a fixed-length and discards any excess bits, leading to inefficiency. Another limitation is that the pseudorandom expander is fixed for advanced encryption standard with a key length of 128 bits.

Security analysis

This section provides a security analysis of general attacks that can be used against the different types of computation extractors and a formal security proof for the proposed HMSKDF scheme.

•   Brute force attack and collision attack

Assuming that no weaknesses are present in the key derivation functions, the key derivation functions are vulnerable to brute force attacks and collision attacks against the internal state of the computation extractor. If the internal state of the computation extractor is compromised, it can be used to generate the entire cryptographic keys. It should be noted that if the cryptographic keys are compromised, they can no longer be used to protect the security of electronic data.

The brute force attack is a method where the attacker systematically generates all possible strings of internal states of the computation extractor. The adversary can try all possible combinations of bits in the string until the correct one is found, which is then used to generate the cryptographic key. If the length of the internal state is 𝔩^is. Then, the complexity to brute force the internal state is 2^𝔩is.

The collision attack is a method where the adversary uses the concept of the birthday paradox algorithm to find two or more inputs into the key derivation function that generate the same cryptographic key. With an internal state length of 𝔩^is. using the birthday paradox to calculate the collision, there is approximately a 50% chance of internal state collision at $2^{\frac{{\mathfrak{l}}^{is}}{2}}.$

Table 1 shows the finding of the brute force attack and collision attack towards the different type computation extractors. In general, extractors based on key-hash message authentication code (HMAC) for both HMAC_SHA1 and HMAC_SHA512, offer heightened security against brute force and collision attacks, compared to extractors based on stream ciphers or block ciphers. The extract with the lowest complexity is Trivium-based, with complexity of 2⁸⁰ for brute force attack and 2⁴⁰ for collision attack. Conversely, the extractor with the highest complexity is HMAC_SHA51-based, with complexity of 2⁵¹² for brute force attack and 2²⁵⁶ for collision attack. It can be inferred that the proposed key derivation function scheme (HMSKDF) with an HMAC-SHA512 based computation extractor and Trivium based pseudorandom expander offer high level of security with complexity of 2⁵¹² for brute force attack and 2²⁵⁶ for collision attack.

Software performance evaluation

In this section, the software performance is showcased by analyzing the execution time of 25 different combinations of computational extractors and pseudorandom expanders. These combinations include HMAC_SHA1 (Eastlake & Hansen, 2017), HMAC_512 (Eastlake & Hansen, 2017), AES128 (Song et al., 2006), Rabbit (Boesgaard, Vesterager & Zenner, 2008) and Trivium (Robshaw, 2008). In this simulation, one includes the existing key derivation function schemes such as hash-based message authentication code based key derivation (Krawczyk, 2010), block cipher based key derivation function (Barker, Chen & Davis, 2020) and stream cipher based key derivation function (Chuah, Dawson & Simpson, 2013).

There are two experiments were conducted to calculate the running time required to generate n bits K using the parameters p, s and c. The lengths of the parameters p, s, c, and n are based on the Host Identity Protocol (Moskowitz et al., 2015) as shown in Table 2. The experiments are simulated 100 times and the resulting times are recorded. The average simulation time is then calculated. The execution time is captured in nanoseconds using a CLOCK system. All the simulations were performed on a machine with the following specifications: AMD Ryzen 7 5700U with Radeon Graphics, 1.80 GHz, 16.0GB RAM and running a 64 bits Windows operating system.

Figure 3 displays the simulation results of the experiments, with experiment 2 featuring longer input lengths compared to experiment 1. For all key derivation functions schemes, the execution time shows an increase from experiment 1 to experiment 2.

The Trivium based key derivation function performs faster when the input length is shorter, taking just 13,815 nanoseconds. Conversely, it slows down as the input length 𝔩^p increases (experiment 2). In comparison, the key derivation function using HMAC_SHA1 as the computational extractor and Trivium as the pseudorandom expander shows faster simulation speeds of 19,247 nanoseconds in experiment 2. On the other hand, the AES based key derivation function demonstrates the slowest simulation speeds among the different schemes. The combination of HMAC_SHA512 as the computational extractor and Trivium as the pseudorandom expander shows an average faster simulation time of 36,014 nanoseconds for experiment 1 and 41,618 nanoseconds for experiment 2.

Hardware performance

Table 3 illustrates the hardware performance for hash functions (SHA1 and SHA512), stream ciphers (Trivium and Rabbit) and block cipher (AES). The results indicate that the AES has the lowest throughput, while Trivium requires fewer resources and has the highest throughput, and SHA512 has the second highest throughput at 2909 Mb/s. Overall, these results suggest that a hardware-based HMSKDF utilizing HMAC-SHA512 and Trivium offers notable medium throughput and efficiency compared to other key derivation function schemes.