I need to select a function that will be used as a key derivation function (KDF) and pseudorandom function (PRF) in contexts that I haven't anticipated. It will run on very low-end devices (think potato-powered IoT sensor with a bulk cost of a fraction of a cent). It will also run on higher-end devices that have the luxury of a hardware AES accelerator (costing a larger fraction of a cent), sometimes specifically an AES-CMAC accelerator. As a consequence, the key derivation function must be based on AES and should be based on AES-CMAC. Since this is for low-end devices, efficiency is a concern: we want to keep down CPU cycles, power consumption, RAM usage and code size.
I don't have any strict compliance or interoperability requirements. However, it's likely that some products using this KDF will want to obtain certifications such as FIPS. And it would be nice if the KDF was easy to implement on existing crypto APIs such as PKCS#11.
The obvious candidate is SP 800-108 KDF in counter mode. In a nutshell, output block $i$ is $$ \mathrm{out}[i] = \mathrm{CMAC}_{K}(i \mathop\Vert \mathrm{info}) $$ But it has a number of downsides:
This requires a secret master key $K$ of exactly 128 bits. That's perfectly fine where $K$ is a master key that's generated for the sake of this key derivation function. But it isn't suitable, for example, to derive material from an ECDH shared secret.
If the secrecy of $K$ is compromised, this breaks the security of the KDF — if you know $K$, you can create collisions in the output. This is fine when this construction is used with HMAC or KMAC but not with CMAC. SP 800-108r1 offers a countermeasure:
$$ \mathrm{out}[i] = \mathrm{CMAC}_{K}(i \mathop\Vert \mathrm{info} \mathop\Vert K') \qquad \text{where } K' = \mathrm{CMAC}_{K}(\mathrm{info}) $$ But it isn't completely clear to me what the security properties of this construction are with respect to a party that knows $K$.
It processes the whole input for each output block, which is inefficient in terms of both CPU cycles and RAM usage.
Is there a key derivation function that meets the following requirements? If not, what comes closest?
- Requires only AES-CMAC (or at the very least only AES) as a cryptographic building block.
- Takes two inputs
secretandinfoof arbitrary length up to a reasonable bound. - Can produce at least a few kilobytes of output, incrementally.
- Can be implemented in $O(1)$ memory with respect to the length of the inputs, even when emitting output blocks incrementally.
- Has good security properties. I'm not sure what the formal security properties should be, but they should cover the case where two parties know the “secret” input and can select part of the non-secret input, and predictability or collisions in the output are a concern. Basically, I'd like to have the same security properties as a hash-based KDF, because it's likely that people will take existing protocols built for a hash-based KDF and they'll substitute my KDF because AES is more efficient on their device.
- Has been studied by cryptographers. I'm reluctantly selecting my own because the world doesn't seem to have settled on one, but I don't want to completely roll my own.
