[cryptography] HKDF salt

Jack Lloyd lloyd at randombit.net
Thu Aug 1 11:00:40 EDT 2013

On Thu, Aug 01, 2013 at 10:16:51AM +0100, Michael Rogers wrote:

> My understanding of the above is that the salt doesn't increase the
> entropy of HKDF's output from the adversary's point of view, since the
> adversary knows the salt value. However, the salt prevents accidental
> collisions if identical initial keying material is used in multiple
> application domains. Is that right? Can anyone shed light on the
> meaning of "source-independent extraction"?

The reasoning for this is in the paper "On Extract-then-Expand Key
Derivation Functions and an HMAC-based KDF", where HKDF was
originally defined. http://webee.technion.ac.il/~hugo/kdf/kdf.pdf

The basic motivation is that having this random salt allows one to
show (given various assumptions) that HKDF will produce a uniform
random string given an input string with sufficient min-entropy,
regardless of the source distribution.
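
[Added example, not part of the original post and not code from the HKDF paper: a minimal HKDF over HMAC-SHA256 following the extract-then-expand structure, showing where the salt enters (as the HMAC key of the extract step) and that identical keying material under different public salts yields unrelated outputs. The salts, keying material and info labels are constructed sample values.]

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """Extract: PRK = HMAC(key=salt, msg=IKM). The salt keys the extractor."""
    if not salt:
        # With no salt, HKDF uses HASH_LEN zero bytes as the HMAC key.
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated, truncated."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


# Constructed sample input: structured, clearly non-uniform keying material.
IKM = bytes(24) + b"constructed-shared-secret"
# Constructed salts standing in for random, public, per-domain values.
SALT_A = bytes.fromhex("a1" * 32)
SALT_B = bytes.fromhex("b2" * 32)


def demo() -> dict:
    """Same IKM in two application domains, plus the unsalted fallback."""
    return {
        "domain_a": hkdf(SALT_A, IKM, b"session key", 32),
        "domain_b": hkdf(SALT_B, IKM, b"session key", 32),
        "unsalted": hkdf(b"", IKM, b"session key", 32),
    }


if __name__ == "__main__":
    for name, key in demo().items():
        print(f"{name}: {key.hex()}")
```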


