the answer to this question suggests that the x-coordinate of an ECDH shared secret is itself usable as an encryption key without applying a KDF.... if so, then what additional security is provided by the KDF???

i'm operating in a very resource-constrained embedded environment, where eliminating code normally used in a KDF (e.g., SHA256) is critical... i should also add that the ECDH private key is generated from a truly random 256-bit seed....

i'm already using 128-bit AES-CCM for encryption/authentication.... perhaps i can use the AES engine in some manner to "hash" the shared secret if that is advantageous....

that gives me three choices to produce a 128-bit AES key from my ECDH shared secret:

  1. use the secret's x-coordinate (trimming its size)
  2. apply a SHA-256 hash
  3. use AES-CCM for hashing (with some known key/IV)

what are the tradeoffs here and are there any other options worth considering???

biosbob