KDF based on X9.63 vs. NIST SP800-108

Question

What is the difference between KDF based on NIST SP800-108 vs. the older one in ANSI X9.63? When should one be selected over the other? Thanks.

kelalaka · Answer 1 · 2019-08-12T20:09:41.160

The ANSI X9.63 uses SHA-1 for Key Derivation Function:

Ingredients: The key derivation function employs the hash function SHA-1 specified in Section 5.6.2

NIST SP800-108 uses PRFs:

This Section defines several families of key derivation functions that use PRFs.

First look at their dates;

And, SHA-1 is no longer recomended. So you should prefer NIST SP800-108

There are two other reasons for not to use SHA-1:

SHA-1 is shattered, you can also read these two articles:
- Does “Shattered” actually show SHA-1-signed certificates are “unsafe”?
- After Google's collision attack, is RSA-SHA1 signature still safe?.
Reaching $2^{80}$ for the generic birthday attack is not that far since the Bitcoin miners reached $\approx2^{92}$ for SHA256 hashes per year in 06 Agust 2019.
Also, SHA-256 is approximately 2.2 times slower than SHA-1 on hashcat 2080Ti

Note: Depending on your case, there is also password-based key derivations; as PBKDF2

1 Answers1