[cryptography] HKDF salt

Michael Rogers michael at briarproject.org
Mon Aug 5 06:51:38 EDT 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/08/13 16:00, Jack Lloyd wrote:
> On Thu, Aug 01, 2013 at 10:16:51AM +0100, Michael Rogers wrote:
> 
>> My understanding of the above is that the salt doesn't increase
>> the entropy of HKDF's output from the adversary's point of view,
>> since the adversary knows the salt value. However, the salt
>> prevents accidental collisions if identical initial keying
>> material is used in multiple application domains. Is that right?
>> Can anyone shed light on the meaning of "source-independent
>> extraction"?
> 
> The reasoning for this is in the paper "On Extract-then-Expand Key 
> Derivation Functions and an HMAC-based KDF", where HKDF was 
> originally defined. http://webee.technion.ac.il/~hugo/kdf/kdf.pdf
> 
> The basic motivation is that having this random salt allows one to 
> show (given various assumptions) that HKDF will produce a uniform 
> random string given an input string with sufficient min-entropy, 
> regardless of the source distribution.

Thanks Jack! So it seems I should use salt even if the input keying
material has enough entropy to prevent a dictionary attack, since the
IKM in my case isn't uniformly distributed (it's the output from an
ECDH key agreement). That's very useful to know.

Cheers,
Michael

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJR/4O6AAoJEBEET9GfxSfMug8H/iBngO6dJmvp98OKV1f45r/k
D0kfjEGs0qEL46mHr5aeSZ6uM11AxgooJrG2fbdF4TbD8wy/UYNEVIPJeX3wntcj
sEIqOchZ3BdhJ+e8B9UMllUIK7h8ju9/SF6pp+XJFLCgOKApy1sefq2RIz/zNOgd
4Kq9n9pq1Dnujo7LHr6l5NaUI6mCnKqTewnk5fH6vVgMYJNyndEZLc5vp5x3Xu9x
HXsk9dfet+VSD+BMqM+h1lr2V1ZQYg/stVCWAdaw1GcFKOxD2S7hewI+7YWyRttq
I86aPiuamvzr62ivXXGn93uIWmQRTNCAUbB74O1zfV7ujevMmQESQfu4nEC/SRA=
=OIJa
-----END PGP SIGNATURE-----