
Questions tagged [key-derivation]

In cryptography, a key derivation function (or KDF) derives one or more secret keys from a secret value such as a master key or other known information such as a password or passphrase using a pseudo-random function. Keyed cryptographic hash functions are popular examples of pseudo-random functions used for key derivation.

3 votes
2 answers
334 views

Implications of using a stream cipher as KDF

I'm currently working on a network protocol, and I'm exploring efficient ways of generating new unique key/nonce pairs for the AEAD of each packet. I would like it to ensure forward secrecy, which ...
Erik Schlyter
3 votes
1 answer
142 views

Does sequential chaining of diverse cryptographic primitives increase resistance to parallel attacks in key derivation?

I'm implementing a key derivation scheme that sequentially chains different cryptographic primitives (SHA-2/3, BLAKE3, Argon2, scrypt, Balloon Hash) with the hypothesis that algorithmic diversity ...
Tobi
  • 31
0 votes
1 answer
87 views

How do I get the secret key d1 or d2 if I have d1-d2 and their corresponding signature values?

I have two different signatures, $r_1, s_1, z_1$ signed with $d_1$ and $r_2, s_2, z_2$ signed with $d_2$; I also have $d_1-d_2$. My question: is there any possibility that I can recover either $d_1$ or $...
иυэł
1 vote
1 answer
124 views

Assess this TMTO resistance strategy for a KDF's LUT (Look Up Table) [closed]

So the challenge with memory-hard KDFs is to have a large - preferably tunable - piece of data that should be stored in memory in its entirety for the duration of the computation, thereby taking up ...
user115528
1 vote
0 answers
44 views

Why does SLIP-0010 include the parent public key in HMAC input for child key derivation?

The Public Parent Key to Public Child Key derivation in SLIP-0010, includes the following computation: $$ I = \text{HMAC-SHA512}( \text{Key} = c_{\text{par}}, \text{Data} = \text{ser}_P(K_{\text{par}})...
Peter Altmann
4 votes
1 answer
396 views

Practical implications of using HKDF as key combiner

In the paper "Practical (Post-Quantum) Key Combiners from One-Wayness and Applications to TLS" it is stated that HKDF has not been proven to be a key combiner. That means that it could be ...
Maarten Bodewes
  • 96.9k
0 votes
2 answers
156 views

Reverse-engineering SQLite encryption: raw key known, but unable to extract decrypted DB

I've been working on a project for about a month now, and I'm completely new to the world of cryptography and reverse engineering. I'm just beginning to explore both static and dynamic analysis (with ...
0 votes
2 answers
183 views

Raw AES using OpenSSL 3.x

I'm implementing key derivation for WebRTC / SRTP which uses AES as the PRF function. For this I need "raw" AES - i.e. not CBC or GCM or whatever, there is no IV or NONCE input, just some ...
Kostya Vasilyev
2 votes
1 answer
196 views

Are algorithms like Ascon-PRFshort collision resistant?

I'd like to double check my understanding of the collision resistance of a single unkeyed/public permutation call. I'll use two algorithms as examples, namely Ascon-PRFshort and HChaCha20. Ascon-...
samuel-lucas6
2 votes
1 answer
312 views

Is Bitlocker's KDF flawed/weak in 2025?

I have been looking into how Bitlocker performs key derivation[1][2] and apparently Bitlocker's PBKDF stretches by performing 1048576 iterations of SHA-256 instead of HMAC-SHA-256 as it's usually done ...
Brickwall
2 votes
0 answers
53 views

KeyCombination scheme in NIST SP 800-227 for hybrid cryptography instead of KDF over shared secrets

In NIST SP 800-227 (currently under review) on KEM's there is a specific section on creating a secure Composite KEM. Here a "key combiner algorithm" $\texttt{KeyCombine}$ is being defined to ...
Maarten Bodewes
  • 96.9k
2 votes
1 answer
170 views

What's the use of the `delta` parameter in Balloon's hash?

The image below shows Balloon's pseudo code from its paper, and the relevant parameter to my question is delta. Question: What is its impact on memory hardness?
caveman
  • 721
2 votes
0 answers
59 views

Is there any quantum memory hard key derivation?

Current memory hard key derivation techniques rely on functions that allow for serialisation on tiny memory, except for requiring a quadratic time penalty. But, with Quantum's light-speed defying ...
caveman
  • 721
1 vote
1 answer
185 views

What Makes a 2SKD (Two-Secret Key Derivation) Secure?

I'm currently studying the security mechanisms used by 1Password, particularly the Two-Secret Key Derivation (2SKD) sequence as described in section 8.2.1 of their white paper. Here's the specific ...
gradientsearch
1 vote
0 answers
65 views

Tweakable Block Ciphers, Nonces and KDF Key Schedules

What is the point of having dedicated tweakable block ciphers in lieu of XEX which does the same? Does this have something to do with why no one uses XEX with a simple counter? The tweak schedule is ...
Amanda Lars
