Formal description of KDF1 and KDF2

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












6












$begingroup$


I've seen many descriptions of KDF1 and KDF2 by now, but most documents simply point to specifications that are behind a pay wall. These standards are not specific to the KDF's; they just use these KDF's as sub-part of an algorithm description (key agreement). Does somebody have a formal description of both KDF's that adheres to the standards?



The description should include additional information to derive a key such as OtherInfo field or label, or indicate their absence. Needless to say the other input parameters and the use of the internal counter would be needed for the full algorithm as well.



The standards can be found in IEEE Std 1363-2000, ANSI X9.42 (KDF1) and ISO 18033-2 (KDF2). That last standard defines OID's for them, KDF1 is 1.0.18033.2.5.1 and KDF2 is 1.0.18033.2.5.2 (unprotected links to oid-info.com).










share|improve this question











$endgroup$
















    6












    $begingroup$


    I've seen many descriptions of KDF1 and KDF2 by now, but most documents simply point to specifications that are behind a pay wall. These standards are not specific to the KDF's; they just use these KDF's as sub-part of an algorithm description (key agreement). Does somebody have a formal description of both KDF's that adheres to the standards?



    The description should include additional information to derive a key such as OtherInfo field or label, or indicate their absence. Needless to say the other input parameters and the use of the internal counter would be needed for the full algorithm as well.



    The standards can be found in IEEE Std 1363-2000, ANSI X9.42 (KDF1) and ISO 18033-2 (KDF2). That last standard defines OID's for them, KDF1 is 1.0.18033.2.5.1 and KDF2 is 1.0.18033.2.5.2 (unprotected links to oid-info.com).










    share|improve this question











    $endgroup$














      6












      6








      6


      2



      $begingroup$


      I've seen many descriptions of KDF1 and KDF2 by now, but most documents simply point to specifications that are behind a pay wall. These standards are not specific to the KDF's; they just use these KDF's as sub-part of an algorithm description (key agreement). Does somebody have a formal description of both KDF's that adheres to the standards?



      The description should include additional information to derive a key such as OtherInfo field or label, or indicate their absence. Needless to say the other input parameters and the use of the internal counter would be needed for the full algorithm as well.



      The standards can be found in IEEE Std 1363-2000, ANSI X9.42 (KDF1) and ISO 18033-2 (KDF2). That last standard defines OID's for them, KDF1 is 1.0.18033.2.5.1 and KDF2 is 1.0.18033.2.5.2 (unprotected links to oid-info.com).










      share|improve this question











      $endgroup$




      I've seen many descriptions of KDF1 and KDF2 by now, but most documents simply point to specifications that are behind a pay wall. These standards are not specific to the KDF's; they just use these KDF's as sub-part of an algorithm description (key agreement). Does somebody have a formal description of both KDF's that adheres to the standards?



      The description should include additional information to derive a key such as OtherInfo field or label, or indicate their absence. Needless to say the other input parameters and the use of the internal counter would be needed for the full algorithm as well.



      The standards can be found in IEEE Std 1363-2000, ANSI X9.42 (KDF1) and ISO 18033-2 (KDF2). That last standard defines OID's for them, KDF1 is 1.0.18033.2.5.1 and KDF2 is 1.0.18033.2.5.2 (unprotected links to oid-info.com).







      key-exchange key-derivation standards






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Feb 13 at 21:19







      Maarten Bodewes

















      asked Feb 13 at 19:29









      Maarten BodewesMaarten Bodewes

      55.2k679196




      55.2k679196




















          3 Answers
          3






          active

          oldest

          votes


















          3












          $begingroup$

          FCD 18033-2
          Encryption algorithms — Part 2:
          Asymmetric ciphers - the final committee draft (FCD) of ISO/IEC 18033 - by Victor Shoup is publicly available from his website and specifies (in section 6.2) that KDF1 is




          For an octet string $x$ and a non-negative integer $l$, $operatornameKDF1(x,l)$ is defined to be the first $l$ octets of



          $$operatornameHash.eval(x || operatornameI2OSP(0, 4)) || ··· || operatornameHash.eval(x || operatornameI2OSP(k − 1, 4)),$$



          where $$k = lceil l/textHash.len rceil $$




          The binary counter representation should translate to 4 bytes in big endian.



          KDF2 is identical but starts counting from 1 instead of 0.






          share|improve this answer











          $endgroup$












          • $begingroup$
            The implementation in Basic (first link in the answer of Swashbuckler) does contain the OtherInfo part behind the counter, and references ISO-18033-2. So now I'm still wondering where that came from. Interesting find though, at least we've got the initial description of the first document, assuming that it is identical to the final draft!
            $endgroup$
            – Maarten Bodewes
            Feb 13 at 21:09











          • $begingroup$
            I can find the definition - including OtherInfo - in section "7.6 KEY DERIVATION FROM SHARED SECRET NUMBER." but I'm not certain the draft I'm reading is officially publicly available. What is definitely publicly available is this ANSI X9.42 presentation from a NIST workshop - pages 20-22 describe the key derivation.
            $endgroup$
            – orip
            Feb 13 at 22:35











          • $begingroup$
            It seems that ANS X9.42, ANS X9.63 and SEC v2 all describe the same scheme which is basically KDF2 with SharedInfo parameter. I've described it in my own answer. I've accepted yours because commonly it seems to be referred to as "ANS X9.63 KDF" and I asked for KDF1 and KDF2. The Info part is not part of the original KDF1 and KDF2 descriptions it seems, but I guess it is part of many API's for compatibility with other KDF descriptions. If the Info octet string is empty then it is identical to the description without Info of course.
            $endgroup$
            – Maarten Bodewes
            Feb 14 at 14:25


















          3












          $begingroup$

          Here is a list of differences of these KDF's in various standards, taken from Analysis of ECIES and Other Cryptosystems
          Based on Elliptic Curves written by V. Gayoso Martínez, F. Hernández Álvarez, L. Hernández Encinas and C. Sánchez Ávila.



          Unfortunately it is missing KDF's that are defined for X9.42: DH over a multiplicative group. It seems to define two KDF's, where the concatenation based KDF is compatible with ANS X9.63 specified below.



          X9.42 also seems to define an ASN.1 based KDF as specified in RFC 2631: Diffie-Hellman Key Agreement Method, so that one is incompatible with KDF1 and KDF2 as the counter is included in the ASN.1 structure.




          ANSI X9.63 allows to use an arbitrary parameter as an
          input to the KDF function, but does not mention the content
          of that optional parameter. In comparison, the so-called
          DHAES mode in IEEE 1363a mandates to use the
          binary representation of the sender’s public key as an input
          parameter.




          ...




          ISO/IEC 18033-2 does not allow parameters in the KDF
          function, whereas IEEE 1363a allows the usage of parameters
          in that function.



          IEEE 1363a suggests to use always the same set of parameters
          and functions for a given public key. In comparison,
          ISO/IEC 18033-2 mandates not to change under
          any circumstance those parameters for the same receiver’s
          public key.




          ...




          ISO/IEC 18033-2 does not allow input parameters in the
          KDF function, whilst SEC 1 allows to include this additional
          information, even though in the test vectors included
          in the GEC 2 document [32] no additional parameters
          have been used.



          SEC 1 does not explicitly include the sender’s ephemeral
          public key in the KDF computation. However, it mentions
          that the public key could be one of the elements
          used as input parameters in that function.




          The main thing to take from this is that the official KDF1 and KDF2 as defined by ISO do not take parameters, so the answer of orip is correct.




          However, sometimes it makes sense to do include parameters, e.g. to let the KDF generate multiple keys from the same key input material (the original versions of the key agreement specifications split the output in two separate keys, a MAC and ENC key, of which the order differs, this is more efficient but less neat). So for that reason I'll include ANS X9.63 KDF below; it should be compatible with KDF2 except for the additional $textSharedInfo$.



          The SEC 1: Elliptic Curve Cryptography, May 21, 2009, Version 2.0 standard defines the X9.63 KDF. The fact that a draft 1.99 of the paper states that X9.63 is still in draft phase at the time of writing shows that these documents were generated in parallel.



          3.6.1 ANS X9.63 Key Derivation Function



          Keying data should be calculated using ANSI-X9.63-KDF as follows:



          Setup: Select one of the approved hash functions listed in Section 3.5. Let $textHash$ denote the hash
          function chosen, $texthashlen$ denote the length in octets of hash values computed using $textHash$, and
          $texthashmaxlen$ denote the maximum length in octets of messages that can be hashed using $textHash$.



          Input: The input to the key derivation function is:



          1. An octet string $Z$ which is the shared secret value.
            value.

          2. An integer $textkeydatalen$ which is the length in octets of the keying data to be generated.

          3. (Optional) An octet string $textSharedInfo$ which consists of some data shared by the entities
            intended to share the shared secret value $Z$.

          Output: The keying data $K$ which is an octet string of length $textkeydatalen$ octets, or $texttt“invalid”$.



          Actions: Calculate the keying data $K$ as follows:



          1. Check that $|Z| + |textSharedInfo| + 4 < texthashmaxlen$.

            If $|Z| + |textSharedInfo| + 4 ge texthashmaxlen$,
            output $texttt“invalid”$ and stop.


          2. Check that $textkeydatalen < texthashlen × (2^32 − 1)$.

            If $textkeydatalen ge texthashlen × (2^32 − 1)$, output
            $texttt“invalid”$ and stop.


          3. Initiate a 4 octet, big-endian octet string $textCounter$ as $texttt00000001_16$.



          4. For $i = 1$ to $lceil textkeydatalen / texthashlen rceil$, do the following:



            4.1. Compute:
            $K_i = textHash(Z mathbin | textCounter mathbin | [textSharedInfo])$
            using the selected hash function from the list of approved hash functions in Section 3.5.



            4.2. Increment $textCounter$.



            4.3. Increment $i$ (note: probably a bug in the spec, we're already iterating over $i$).



          5. Set $K$ to be the leftmost keydatalen octets of:
            $K_1 mathbin | K_2 mathbin | dots mathbin | K_lceil textkeydatalen / texthashlen rceil$.


          6. Output $K$.



          There is also the NIST SP 800-56B specifying the aptly named "5.5.1 The Single-step Key-Derivation Function" (think of a name, guys) where they manage to put the counter in front of the keying material so that it is incompatible with all the schemes above. Although it contains a full (but pretentious and overly complex) way of specifying $textOtherInfo$ (their version of $textSharedInfo$) I would consider it completely useless for this reason alone.






          share|improve this answer











          $endgroup$




















            2












            $begingroup$

            So... Googling around KDF1 is supposedly the same as MGF1 as defined in PKCS#1 2.1, which can be found in Appendix B of RFC 3447. KDF2 is nearly the same as KDF1 except the counter runs from 1 to n instead of from 0 to n - 1.






            share|improve this answer









            $endgroup$












            • $begingroup$
              Yeah, I saw something similar within another protocol. Interesting to show that it is used in PKCS#1, but MGF1 is missing any Info or similar. Unfortunately I don't see any statement about copyright for that forum as the KDF1 functions in the Basic langue (first link) are very descriptive - and they do include OtherInfo.
              $endgroup$
              – Maarten Bodewes
              Feb 13 at 20:52











            Your Answer





            StackExchange.ifUsing("editor", function ()
            return StackExchange.using("mathjaxEditing", function ()
            StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
            StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
            );
            );
            , "mathjax-editing");

            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "281"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            noCode: true, onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













            draft saved

            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f67280%2fformal-description-of-kdf1-and-kdf2%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown

























            3 Answers
            3






            active

            oldest

            votes








            3 Answers
            3






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            3












            $begingroup$

            FCD 18033-2
            Encryption algorithms — Part 2:
            Asymmetric ciphers - the final committee draft (FCD) of ISO/IEC 18033 - by Victor Shoup is publicly available from his website and specifies (in section 6.2) that KDF1 is




            For an octet string $x$ and a non-negative integer $l$, $operatornameKDF1(x,l)$ is defined to be the first $l$ octets of



            $$operatornameHash.eval(x || operatornameI2OSP(0, 4)) || ··· || operatornameHash.eval(x || operatornameI2OSP(k − 1, 4)),$$



            where $$k = lceil l/textHash.len rceil $$




            The binary counter representation should translate to 4 bytes in big endian.



            KDF2 is identical but starts counting from 1 instead of 0.






            share|improve this answer











            $endgroup$












            • $begingroup$
              The implementation in Basic (first link in the answer of Swashbuckler) does contain the OtherInfo part behind the counter, and references ISO-18033-2. So now I'm still wondering where that came from. Interesting find though, at least we've got the initial description of the first document, assuming that it is identical to the final draft!
              $endgroup$
              – Maarten Bodewes
              Feb 13 at 21:09











            • $begingroup$
              I can find the definition - including OtherInfo - in section "7.6 KEY DERIVATION FROM SHARED SECRET NUMBER." but I'm not certain the draft I'm reading is officially publicly available. What is definitely publicly available is this ANSI X9.42 presentation from a NIST workshop - pages 20-22 describe the key derivation.
              $endgroup$
              – orip
              Feb 13 at 22:35











            • $begingroup$
              It seems that ANS X9.42, ANS X9.63 and SEC v2 all describe the same scheme which is basically KDF2 with SharedInfo parameter. I've described it in my own answer. I've accepted yours because commonly it seems to be referred to as "ANS X9.63 KDF" and I asked for KDF1 and KDF2. The Info part is not part of the original KDF1 and KDF2 descriptions it seems, but I guess it is part of many API's for compatibility with other KDF descriptions. If the Info octet string is empty then it is identical to the description without Info of course.
              $endgroup$
              – Maarten Bodewes
              Feb 14 at 14:25















            3












            $begingroup$

            FCD 18033-2
            Encryption algorithms — Part 2:
            Asymmetric ciphers - the final committee draft (FCD) of ISO/IEC 18033 - by Victor Shoup is publicly available from his website and specifies (in section 6.2) that KDF1 is




            For an octet string $x$ and a non-negative integer $l$, $operatornameKDF1(x,l)$ is defined to be the first $l$ octets of



            $$operatornameHash.eval(x || operatornameI2OSP(0, 4)) || ··· || operatornameHash.eval(x || operatornameI2OSP(k − 1, 4)),$$



            where $$k = lceil l/textHash.len rceil $$




            The binary counter representation should translate to 4 bytes in big endian.



            KDF2 is identical but starts counting from 1 instead of 0.






            share|improve this answer











            $endgroup$












            • $begingroup$
              The implementation in Basic (first link in the answer of Swashbuckler) does contain the OtherInfo part behind the counter, and references ISO-18033-2. So now I'm still wondering where that came from. Interesting find though, at least we've got the initial description of the first document, assuming that it is identical to the final draft!
              $endgroup$
              – Maarten Bodewes
              Feb 13 at 21:09











            • $begingroup$
              I can find the definition - including OtherInfo - in section "7.6 KEY DERIVATION FROM SHARED SECRET NUMBER." but I'm not certain the draft I'm reading is officially publicly available. What is definitely publicly available is this ANSI X9.42 presentation from a NIST workshop - pages 20-22 describe the key derivation.
              $endgroup$
              – orip
              Feb 13 at 22:35











            • $begingroup$
              It seems that ANS X9.42, ANS X9.63 and SEC v2 all describe the same scheme which is basically KDF2 with SharedInfo parameter. I've described it in my own answer. I've accepted yours because commonly it seems to be referred to as "ANS X9.63 KDF" and I asked for KDF1 and KDF2. The Info part is not part of the original KDF1 and KDF2 descriptions it seems, but I guess it is part of many API's for compatibility with other KDF descriptions. If the Info octet string is empty then it is identical to the description without Info of course.
              $endgroup$
              – Maarten Bodewes
              Feb 14 at 14:25













            3












            3








            3





            $begingroup$

            FCD 18033-2
            Encryption algorithms — Part 2:
            Asymmetric ciphers - the final committee draft (FCD) of ISO/IEC 18033 - by Victor Shoup is publicly available from his website and specifies (in section 6.2) that KDF1 is




            For an octet string $x$ and a non-negative integer $l$, $operatornameKDF1(x,l)$ is defined to be the first $l$ octets of



            $$operatornameHash.eval(x || operatornameI2OSP(0, 4)) || ··· || operatornameHash.eval(x || operatornameI2OSP(k − 1, 4)),$$



            where $$k = lceil l/textHash.len rceil $$




            The binary counter representation should translate to 4 bytes in big endian.



            KDF2 is identical but starts counting from 1 instead of 0.






            share|improve this answer











            $endgroup$



            FCD 18033-2
            Encryption algorithms — Part 2:
            Asymmetric ciphers - the final committee draft (FCD) of ISO/IEC 18033 - by Victor Shoup is publicly available from his website and specifies (in section 6.2) that KDF1 is




            For an octet string $x$ and a non-negative integer $l$, $operatornameKDF1(x,l)$ is defined to be the first $l$ octets of



            $$operatornameHash.eval(x || operatornameI2OSP(0, 4)) || ··· || operatornameHash.eval(x || operatornameI2OSP(k − 1, 4)),$$



            where $$k = lceil l/textHash.len rceil $$




            The binary counter representation should translate to 4 bytes in big endian.



            KDF2 is identical but starts counting from 1 instead of 0.







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Feb 14 at 18:17









            Maarten Bodewes

            55.2k679196




            55.2k679196










            answered Feb 13 at 20:59









            oriporip

            1916




            1916











            • $begingroup$
              The implementation in Basic (first link in the answer of Swashbuckler) does contain the OtherInfo part behind the counter, and references ISO-18033-2. So now I'm still wondering where that came from. Interesting find though, at least we've got the initial description of the first document, assuming that it is identical to the final draft!
              $endgroup$
              – Maarten Bodewes
              Feb 13 at 21:09











            • $begingroup$
              I can find the definition - including OtherInfo - in section "7.6 KEY DERIVATION FROM SHARED SECRET NUMBER." but I'm not certain the draft I'm reading is officially publicly available. What is definitely publicly available is this ANSI X9.42 presentation from a NIST workshop - pages 20-22 describe the key derivation.
              $endgroup$
              – orip
              Feb 13 at 22:35











            • $begingroup$
              It seems that ANS X9.42, ANS X9.63 and SEC v2 all describe the same scheme which is basically KDF2 with SharedInfo parameter. I've described it in my own answer. I've accepted yours because commonly it seems to be referred to as "ANS X9.63 KDF" and I asked for KDF1 and KDF2. The Info part is not part of the original KDF1 and KDF2 descriptions it seems, but I guess it is part of many API's for compatibility with other KDF descriptions. If the Info octet string is empty then it is identical to the description without Info of course.
              $endgroup$
              – Maarten Bodewes
              Feb 14 at 14:25
















            • $begingroup$
              The implementation in Basic (first link in the answer of Swashbuckler) does contain the OtherInfo part behind the counter, and references ISO-18033-2. So now I'm still wondering where that came from. Interesting find though, at least we've got the initial description of the first document, assuming that it is identical to the final draft!
              $endgroup$
              – Maarten Bodewes
              Feb 13 at 21:09











            • $begingroup$
              I can find the definition - including OtherInfo - in section "7.6 KEY DERIVATION FROM SHARED SECRET NUMBER." but I'm not certain the draft I'm reading is officially publicly available. What is definitely publicly available is this ANSI X9.42 presentation from a NIST workshop - pages 20-22 describe the key derivation.
              $endgroup$
              – orip
              Feb 13 at 22:35











            • $begingroup$
              It seems that ANS X9.42, ANS X9.63 and SEC v2 all describe the same scheme which is basically KDF2 with SharedInfo parameter. I've described it in my own answer. I've accepted yours because commonly it seems to be referred to as "ANS X9.63 KDF" and I asked for KDF1 and KDF2. The Info part is not part of the original KDF1 and KDF2 descriptions it seems, but I guess it is part of many API's for compatibility with other KDF descriptions. If the Info octet string is empty then it is identical to the description without Info of course.
              $endgroup$
              – Maarten Bodewes
              Feb 14 at 14:25















            $begingroup$
            The implementation in Basic (first link in the answer of Swashbuckler) does contain the OtherInfo part behind the counter, and references ISO-18033-2. So now I'm still wondering where that came from. Interesting find though, at least we've got the initial description of the first document, assuming that it is identical to the final draft!
            $endgroup$
            – Maarten Bodewes
            Feb 13 at 21:09





            $begingroup$
            The implementation in Basic (first link in the answer of Swashbuckler) does contain the OtherInfo part behind the counter, and references ISO-18033-2. So now I'm still wondering where that came from. Interesting find though, at least we've got the initial description of the first document, assuming that it is identical to the final draft!
            $endgroup$
            – Maarten Bodewes
            Feb 13 at 21:09













            $begingroup$
            I can find the definition - including OtherInfo - in section "7.6 KEY DERIVATION FROM SHARED SECRET NUMBER." but I'm not certain the draft I'm reading is officially publicly available. What is definitely publicly available is this ANSI X9.42 presentation from a NIST workshop - pages 20-22 describe the key derivation.
            $endgroup$
            – orip
            Feb 13 at 22:35





            $begingroup$
            I can find the definition - including OtherInfo - in section "7.6 KEY DERIVATION FROM SHARED SECRET NUMBER." but I'm not certain the draft I'm reading is officially publicly available. What is definitely publicly available is this ANSI X9.42 presentation from a NIST workshop - pages 20-22 describe the key derivation.
            $endgroup$
            – orip
            Feb 13 at 22:35













            $begingroup$
            It seems that ANS X9.42, ANS X9.63 and SEC v2 all describe the same scheme which is basically KDF2 with SharedInfo parameter. I've described it in my own answer. I've accepted yours because commonly it seems to be referred to as "ANS X9.63 KDF" and I asked for KDF1 and KDF2. The Info part is not part of the original KDF1 and KDF2 descriptions it seems, but I guess it is part of many API's for compatibility with other KDF descriptions. If the Info octet string is empty then it is identical to the description without Info of course.
            $endgroup$
            – Maarten Bodewes
            Feb 14 at 14:25




            $begingroup$
            It seems that ANS X9.42, ANS X9.63 and SEC v2 all describe the same scheme which is basically KDF2 with SharedInfo parameter. I've described it in my own answer. I've accepted yours because commonly it seems to be referred to as "ANS X9.63 KDF" and I asked for KDF1 and KDF2. The Info part is not part of the original KDF1 and KDF2 descriptions it seems, but I guess it is part of many API's for compatibility with other KDF descriptions. If the Info octet string is empty then it is identical to the description without Info of course.
            $endgroup$
            – Maarten Bodewes
            Feb 14 at 14:25











            3












            $begingroup$

            Here is a list of differences of these KDF's in various standards, taken from Analysis of ECIES and Other Cryptosystems
            Based on Elliptic Curves written by V. Gayoso Martínez, F. Hernández Álvarez, L. Hernández Encinas and C. Sánchez Ávila.



            Unfortunately it is missing KDF's that are defined for X9.42: DH over a multiplicative group. It seems to define two KDF's, where the concatenation based KDF is compatible with ANS X9.63 specified below.



            X9.42 also seems to define an ASN.1 based KDF as specified in RFC 2631: Diffie-Hellman Key Agreement Method, so that one is incompatible with KDF1 and KDF2 as the counter is included in the ASN.1 structure.




            ANSI X9.63 allows to use an arbitrary parameter as an
            input to the KDF function, but does not mention the content
            of that optional parameter. In comparison, the so-called
            DHAES mode in IEEE 1363a mandates to use the
            binary representation of the sender’s public key as an input
            parameter.




            ...




            ISO/IEC 18033-2 does not allow parameters in the KDF
            function, whereas IEEE 1363a allows the usage of parameters
            in that function.



            IEEE 1363a suggests to use always the same set of parameters
            and functions for a given public key. In comparison,
            ISO/IEC 18033-2 mandates not to change under
            any circumstance those parameters for the same receiver’s
            public key.




            ...




            ISO/IEC 18033-2 does not allow input parameters in the
            KDF function, whilst SEC 1 allows to include this additional
            information, even though in the test vectors included
            in the GEC 2 document [32] no additional parameters
            have been used.



            SEC 1 does not explicitly include the sender’s ephemeral
            public key in the KDF computation. However, it mentions
            that the public key could be one of the elements
            used as input parameters in that function.




            The main thing to take from this is that the official KDF1 and KDF2 as defined by ISO do not take parameters, so the answer of orip is correct.




            However, sometimes it makes sense to do include parameters, e.g. to let the KDF generate multiple keys from the same key input material (the original versions of the key agreement specifications split the output in two separate keys, a MAC and ENC key, of which the order differs, this is more efficient but less neat). So for that reason I'll include ANS X9.63 KDF below; it should be compatible with KDF2 except for the additional $textSharedInfo$.



            The SEC 1: Elliptic Curve Cryptography, May 21, 2009, Version 2.0 standard defines the X9.63 KDF. The fact that a draft 1.99 of the paper states that X9.63 is still in draft phase at the time of writing shows that these documents were generated in parallel.



            3.6.1 ANS X9.63 Key Derivation Function



            Keying data should be calculated using ANSI-X9.63-KDF as follows:



            Setup: Select one of the approved hash functions listed in Section 3.5. Let $textHash$ denote the hash
            function chosen, $texthashlen$ denote the length in octets of hash values computed using $textHash$, and
            $texthashmaxlen$ denote the maximum length in octets of messages that can be hashed using $textHash$.



            Input: The input to the key derivation function is:



            1. An octet string $Z$ which is the shared secret value.
              value.

            2. An integer $textkeydatalen$ which is the length in octets of the keying data to be generated.

            3. (Optional) An octet string $textSharedInfo$ which consists of some data shared by the entities
              intended to share the shared secret value $Z$.

            Output: The keying data $K$ which is an octet string of length $textkeydatalen$ octets, or $texttt“invalid”$.



            Actions: Calculate the keying data $K$ as follows:



            1. Check that $|Z| + |textSharedInfo| + 4 < texthashmaxlen$.

              If $|Z| + |textSharedInfo| + 4 ge texthashmaxlen$,
              output $texttt“invalid”$ and stop.


            2. Check that $textkeydatalen < texthashlen × (2^32 − 1)$.

              If $textkeydatalen ge texthashlen × (2^32 − 1)$, output
              $texttt“invalid”$ and stop.


            3. Initiate a 4 octet, big-endian octet string $textCounter$ as $texttt00000001_16$.



            4. For $i = 1$ to $lceil textkeydatalen / texthashlen rceil$, do the following:



              4.1. Compute:
              $K_i = textHash(Z mathbin | textCounter mathbin | [textSharedInfo])$
              using the selected hash function from the list of approved hash functions in Section 3.5.



              4.2. Increment $textCounter$.



              4.3. Increment $i$ (note: probably a bug in the spec, we're already iterating over $i$).



            5. Set $K$ to be the leftmost keydatalen octets of:
              $K_1 mathbin | K_2 mathbin | dots mathbin | K_lceil textkeydatalen / texthashlen rceil$.


            6. Output $K$.



            There is also the NIST SP 800-56B specifying the aptly named "5.5.1 The Single-step Key-Derivation Function" (think of a name, guys) where they manage to put the counter in front of the keying material so that it is incompatible with all the schemes above. Although it contains a full (but pretentious and overly complex) way of specifying $textOtherInfo$ (their version of $textSharedInfo$) I would consider it completely useless for this reason alone.






            share|improve this answer











            $endgroup$

















              3












              $begingroup$

              Here is a list of differences of these KDF's in various standards, taken from Analysis of ECIES and Other Cryptosystems
              Based on Elliptic Curves written by V. Gayoso Martínez, F. Hernández Álvarez, L. Hernández Encinas and C. Sánchez Ávila.



              Unfortunately it is missing KDF's that are defined for X9.42: DH over a multiplicative group. It seems to define two KDF's, where the concatenation based KDF is compatible with ANS X9.63 specified below.



              X9.42 also seems to define an ASN.1 based KDF as specified in RFC 2631: Diffie-Hellman Key Agreement Method, so that one is incompatible with KDF1 and KDF2 as the counter is included in the ASN.1 structure.




              ANSI X9.63 allows to use an arbitrary parameter as an
              input to the KDF function, but does not mention the content
              of that optional parameter. In comparison, the so-called
              DHAES mode in IEEE 1363a mandates to use the
              binary representation of the sender’s public key as an input
              parameter.




              ...




              ISO/IEC 18033-2 does not allow parameters in the KDF
              function, whereas IEEE 1363a allows the usage of parameters
              in that function.



              IEEE 1363a suggests to use always the same set of parameters
              and functions for a given public key. In comparison,
              ISO/IEC 18033-2 mandates not to change under
              any circumstance those parameters for the same receiver’s
              public key.




              ...




              ISO/IEC 18033-2 does not allow input parameters in the
              KDF function, whilst SEC 1 allows to include this additional
              information, even though in the test vectors included
              in the GEC 2 document [32] no additional parameters
              have been used.



              SEC 1 does not explicitly include the sender’s ephemeral
              public key in the KDF computation. However, it mentions
              that the public key could be one of the elements
              used as input parameters in that function.




              The main thing to take from this is that the official KDF1 and KDF2 as defined by ISO do not take parameters, so the answer of orip is correct.




              However, sometimes it makes sense to do include parameters, e.g. to let the KDF generate multiple keys from the same key input material (the original versions of the key agreement specifications split the output in two separate keys, a MAC and ENC key, of which the order differs, this is more efficient but less neat). So for that reason I'll include ANS X9.63 KDF below; it should be compatible with KDF2 except for the additional $textSharedInfo$.



              The SEC 1: Elliptic Curve Cryptography, May 21, 2009, Version 2.0 standard defines the X9.63 KDF. The fact that a draft 1.99 of the paper states that X9.63 is still in draft phase at the time of writing shows that these documents were generated in parallel.



              3.6.1 ANS X9.63 Key Derivation Function



              Keying data should be calculated using ANSI-X9.63-KDF as follows:



              Setup: Select one of the approved hash functions listed in Section 3.5. Let $textHash$ denote the hash
              function chosen, $texthashlen$ denote the length in octets of hash values computed using $textHash$, and
              $texthashmaxlen$ denote the maximum length in octets of messages that can be hashed using $textHash$.



              Input: The input to the key derivation function is:



              1. An octet string $Z$ which is the shared secret value.
                value.

              2. An integer $textkeydatalen$ which is the length in octets of the keying data to be generated.

              3. (Optional) An octet string $textSharedInfo$ which consists of some data shared by the entities
                intended to share the shared secret value $Z$.

              Output: The keying data $K$ which is an octet string of length $textkeydatalen$ octets, or $texttt“invalid”$.



              Actions: Calculate the keying data $K$ as follows:



              1. Check that $|Z| + |textSharedInfo| + 4 < texthashmaxlen$.

                If $|Z| + |textSharedInfo| + 4 ge texthashmaxlen$,
                output $texttt“invalid”$ and stop.


              2. Check that $textkeydatalen < texthashlen × (2^32 − 1)$.

                If $textkeydatalen ge texthashlen × (2^32 − 1)$, output
                $texttt“invalid”$ and stop.


              3. Initiate a 4 octet, big-endian octet string $textCounter$ as $texttt00000001_16$.



              4. For $i = 1$ to $lceil textkeydatalen / texthashlen rceil$, do the following:



                4.1. Compute:
                $K_i = textHash(Z mathbin | textCounter mathbin | [textSharedInfo])$
                using the selected hash function from the list of approved hash functions in Section 3.5.



                4.2. Increment $textCounter$.



                4.3. Increment $i$ (note: probably a bug in the spec, we're already iterating over $i$).



              5. Set $K$ to be the leftmost keydatalen octets of:
                $K_1 mathbin | K_2 mathbin | dots mathbin | K_lceil textkeydatalen / texthashlen rceil$.


              6. Output $K$.



              There is also the NIST SP 800-56B specifying the aptly named "5.5.1 The Single-step Key-Derivation Function" (think of a name, guys) where they manage to put the counter in front of the keying material so that it is incompatible with all the schemes above. Although it contains a full (but pretentious and overly complex) way of specifying $textOtherInfo$ (their version of $textSharedInfo$) I would consider it completely useless for this reason alone.






              share|improve this answer











              $endgroup$















                3












                3








                3





                $begingroup$

                Here is a list of differences of these KDF's in various standards, taken from Analysis of ECIES and Other Cryptosystems
                Based on Elliptic Curves written by V. Gayoso Martínez, F. Hernández Álvarez, L. Hernández Encinas and C. Sánchez Ávila.



                Unfortunately it is missing KDF's that are defined for X9.42: DH over a multiplicative group. It seems to define two KDF's, where the concatenation based KDF is compatible with ANS X9.63 specified below.



                X9.42 also seems to define an ASN.1 based KDF as specified in RFC 2631: Diffie-Hellman Key Agreement Method, so that one is incompatible with KDF1 and KDF2 as the counter is included in the ASN.1 structure.




                ANSI X9.63 allows to use an arbitrary parameter as an
                input to the KDF function, but does not mention the content
                of that optional parameter. In comparison, the so-called
                DHAES mode in IEEE 1363a mandates to use the
                binary representation of the sender’s public key as an input
                parameter.




                ...




                ISO/IEC 18033-2 does not allow parameters in the KDF
                function, whereas IEEE 1363a allows the usage of parameters
                in that function.



                IEEE 1363a suggests to use always the same set of parameters
                and functions for a given public key. In comparison,
                ISO/IEC 18033-2 mandates not to change under
                any circumstance those parameters for the same receiver’s
                public key.




                ...




                ISO/IEC 18033-2 does not allow input parameters in the
                KDF function, whilst SEC 1 allows to include this additional
                information, even though in the test vectors included
                in the GEC 2 document [32] no additional parameters
                have been used.



                SEC 1 does not explicitly include the sender’s ephemeral
                public key in the KDF computation. However, it mentions
                that the public key could be one of the elements
                used as input parameters in that function.




                The main thing to take from this is that the official KDF1 and KDF2 as defined by ISO do not take parameters, so the answer of orip is correct.




                However, sometimes it makes sense to do include parameters, e.g. to let the KDF generate multiple keys from the same key input material (the original versions of the key agreement specifications split the output in two separate keys, a MAC and ENC key, of which the order differs, this is more efficient but less neat). So for that reason I'll include ANS X9.63 KDF below; it should be compatible with KDF2 except for the additional $textSharedInfo$.



                The SEC 1: Elliptic Curve Cryptography, May 21, 2009, Version 2.0 standard defines the X9.63 KDF. The fact that a draft 1.99 of the paper states that X9.63 is still in draft phase at the time of writing shows that these documents were generated in parallel.



                3.6.1 ANS X9.63 Key Derivation Function



                Keying data should be calculated using ANSI-X9.63-KDF as follows:



                Setup: Select one of the approved hash functions listed in Section 3.5. Let $textHash$ denote the hash
                function chosen, $texthashlen$ denote the length in octets of hash values computed using $textHash$, and
                $texthashmaxlen$ denote the maximum length in octets of messages that can be hashed using $textHash$.



                Input: The input to the key derivation function is:



                1. An octet string $Z$ which is the shared secret value.
                  value.

                2. An integer $textkeydatalen$ which is the length in octets of the keying data to be generated.

                3. (Optional) An octet string $textSharedInfo$ which consists of some data shared by the entities
                  intended to share the shared secret value $Z$.

                Output: The keying data $K$ which is an octet string of length $textkeydatalen$ octets, or $texttt“invalid”$.



                Actions: Calculate the keying data $K$ as follows:



                1. Check that $|Z| + |textSharedInfo| + 4 < texthashmaxlen$.

                  If $|Z| + |textSharedInfo| + 4 ge texthashmaxlen$,
                  output $texttt“invalid”$ and stop.


                2. Check that $textkeydatalen < texthashlen × (2^32 − 1)$.

                  If $textkeydatalen ge texthashlen × (2^32 − 1)$, output
                  $texttt“invalid”$ and stop.


                3. Initiate a 4 octet, big-endian octet string $textCounter$ as $texttt00000001_16$.



                4. For $i = 1$ to $lceil textkeydatalen / texthashlen rceil$, do the following:



                  4.1. Compute:
                  $K_i = textHash(Z mathbin | textCounter mathbin | [textSharedInfo])$
                  using the selected hash function from the list of approved hash functions in Section 3.5.



                  4.2. Increment $textCounter$.



                  4.3. Increment $i$ (note: probably a bug in the spec, we're already iterating over $i$).



                5. Set $K$ to be the leftmost keydatalen octets of:
                  $K_1 mathbin | K_2 mathbin | dots mathbin | K_lceil textkeydatalen / texthashlen rceil$.


                6. Output $K$.



                There is also the NIST SP 800-56B specifying the aptly named "5.5.1 The Single-step Key-Derivation Function" (think of a name, guys) where they manage to put the counter in front of the keying material so that it is incompatible with all the schemes above. Although it contains a full (but pretentious and overly complex) way of specifying $textOtherInfo$ (their version of $textSharedInfo$) I would consider it completely useless for this reason alone.






                share|improve this answer











                $endgroup$



                Here is a list of differences of these KDF's in various standards, taken from Analysis of ECIES and Other Cryptosystems
                Based on Elliptic Curves written by V. Gayoso Martínez, F. Hernández Álvarez, L. Hernández Encinas and C. Sánchez Ávila.



                Unfortunately it is missing KDF's that are defined for X9.42: DH over a multiplicative group. It seems to define two KDF's, where the concatenation based KDF is compatible with ANS X9.63 specified below.



                X9.42 also seems to define an ASN.1 based KDF as specified in RFC 2631: Diffie-Hellman Key Agreement Method, so that one is incompatible with KDF1 and KDF2 as the counter is included in the ASN.1 structure.




                ANSI X9.63 allows to use an arbitrary parameter as an
                input to the KDF function, but does not mention the content
                of that optional parameter. In comparison, the so-called
                DHAES mode in IEEE 1363a mandates to use the
                binary representation of the sender’s public key as an input
                parameter.




                ...




                ISO/IEC 18033-2 does not allow parameters in the KDF
                function, whereas IEEE 1363a allows the usage of parameters
                in that function.



                IEEE 1363a suggests to use always the same set of parameters
                and functions for a given public key. In comparison,
                ISO/IEC 18033-2 mandates not to change under
                any circumstance those parameters for the same receiver’s
                public key.




                ...




                ISO/IEC 18033-2 does not allow input parameters in the
                KDF function, whilst SEC 1 allows to include this additional
                information, even though in the test vectors included
                in the GEC 2 document [32] no additional parameters
                have been used.



                SEC 1 does not explicitly include the sender’s ephemeral
                public key in the KDF computation. However, it mentions
                that the public key could be one of the elements
                used as input parameters in that function.




                The main thing to take from this is that the official KDF1 and KDF2 as defined by ISO do not take parameters, so the answer of orip is correct.




                However, sometimes it makes sense to do include parameters, e.g. to let the KDF generate multiple keys from the same key input material (the original versions of the key agreement specifications split the output in two separate keys, a MAC and ENC key, of which the order differs, this is more efficient but less neat). So for that reason I'll include ANS X9.63 KDF below; it should be compatible with KDF2 except for the additional $textSharedInfo$.



                The SEC 1: Elliptic Curve Cryptography, May 21, 2009, Version 2.0 standard defines the X9.63 KDF. The fact that a draft 1.99 of the paper states that X9.63 is still in draft phase at the time of writing shows that these documents were generated in parallel.



                3.6.1 ANS X9.63 Key Derivation Function



                Keying data should be calculated using ANSI-X9.63-KDF as follows:



                Setup: Select one of the approved hash functions listed in Section 3.5. Let $textHash$ denote the hash
                function chosen, $texthashlen$ denote the length in octets of hash values computed using $textHash$, and
                $texthashmaxlen$ denote the maximum length in octets of messages that can be hashed using $textHash$.



                Input: The input to the key derivation function is:



                1. An octet string $Z$ which is the shared secret value.
                  value.

                2. An integer $textkeydatalen$ which is the length in octets of the keying data to be generated.

                3. (Optional) An octet string $textSharedInfo$ which consists of some data shared by the entities
                  intended to share the shared secret value $Z$.

                Output: The keying data $K$ which is an octet string of length $textkeydatalen$ octets, or $texttt“invalid”$.



                Actions: Calculate the keying data $K$ as follows:



                1. Check that $|Z| + |textSharedInfo| + 4 < texthashmaxlen$.

                  If $|Z| + |textSharedInfo| + 4 ge texthashmaxlen$,
                  output $texttt“invalid”$ and stop.


                2. Check that $textkeydatalen < texthashlen × (2^32 − 1)$.

                  If $textkeydatalen ge texthashlen × (2^32 − 1)$, output
                  $texttt“invalid”$ and stop.


                3. Initiate a 4 octet, big-endian octet string $textCounter$ as $texttt00000001_16$.



                4. For $i = 1$ to $lceil textkeydatalen / texthashlen rceil$, do the following:



                  4.1. Compute:
                  $K_i = textHash(Z mathbin | textCounter mathbin | [textSharedInfo])$
                  using the selected hash function from the list of approved hash functions in Section 3.5.



                  4.2. Increment $textCounter$.



                  4.3. Increment $i$ (note: probably a bug in the spec, we're already iterating over $i$).



                5. Set $K$ to be the leftmost keydatalen octets of:
                  $K_1 mathbin | K_2 mathbin | dots mathbin | K_lceil textkeydatalen / texthashlen rceil$.


                6. Output $K$.



                There is also the NIST SP 800-56B specifying the aptly named "5.5.1 The Single-step Key-Derivation Function" (think of a name, guys) where they manage to put the counter in front of the keying material so that it is incompatible with all the schemes above. Although it contains a full (but pretentious and overly complex) way of specifying $textOtherInfo$ (their version of $textSharedInfo$) I would consider it completely useless for this reason alone.







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited Feb 14 at 3:33

























                answered Feb 14 at 1:31









                Maarten BodewesMaarten Bodewes

                55.2k679196




                55.2k679196





















                    2












                    $begingroup$

                    So... Googling around KDF1 is supposedly the same as MGF1 as defined in PKCS#1 2.1, which can be found in Appendix B of RFC 3447. KDF2 is nearly the same as KDF1 except the counter runs from 1 to n instead of from 0 to n - 1.






                    share|improve this answer









                    $endgroup$












                    • $begingroup$
                      Yeah, I saw something similar within another protocol. Interesting to show that it is used in PKCS#1, but MGF1 is missing any Info or similar. Unfortunately I don't see any statement about copyright for that forum as the KDF1 functions in the Basic langue (first link) are very descriptive - and they do include OtherInfo.
                      $endgroup$
                      – Maarten Bodewes
                      Feb 13 at 20:52
















                    2












                    $begingroup$

                    So... Googling around KDF1 is supposedly the same as MGF1 as defined in PKCS#1 2.1, which can be found in Appendix B of RFC 3447. KDF2 is nearly the same as KDF1 except the counter runs from 1 to n instead of from 0 to n - 1.






                    share|improve this answer









                    $endgroup$












                    • $begingroup$
                      Yeah, I saw something similar within another protocol. Interesting to show that it is used in PKCS#1, but MGF1 is missing any Info or similar. Unfortunately I don't see any statement about copyright for that forum as the KDF1 functions in the Basic langue (first link) are very descriptive - and they do include OtherInfo.
                      $endgroup$
                      – Maarten Bodewes
                      Feb 13 at 20:52














                    2












                    2








                    2





                    $begingroup$

                    So... Googling around KDF1 is supposedly the same as MGF1 as defined in PKCS#1 2.1, which can be found in Appendix B of RFC 3447. KDF2 is nearly the same as KDF1 except the counter runs from 1 to n instead of from 0 to n - 1.






                    share|improve this answer









                    $endgroup$



                    So... Googling around KDF1 is supposedly the same as MGF1 as defined in PKCS#1 2.1, which can be found in Appendix B of RFC 3447. KDF2 is nearly the same as KDF1 except the counter runs from 1 to n instead of from 0 to n - 1.







                    share|improve this answer












                    share|improve this answer



                    share|improve this answer










                    answered Feb 13 at 20:36









                    SwashbucklerSwashbuckler

                    47824




                    47824











                    • $begingroup$
                      Yeah, I saw something similar within another protocol. Interesting to show that it is used in PKCS#1, but MGF1 is missing any Info or similar. Unfortunately I don't see any statement about copyright for that forum as the KDF1 functions in the Basic langue (first link) are very descriptive - and they do include OtherInfo.
                      $endgroup$
                      – Maarten Bodewes
                      Feb 13 at 20:52

















                    • $begingroup$
                      Yeah, I saw something similar within another protocol. Interesting to show that it is used in PKCS#1, but MGF1 is missing any Info or similar. Unfortunately I don't see any statement about copyright for that forum as the KDF1 functions in the Basic langue (first link) are very descriptive - and they do include OtherInfo.
                      $endgroup$
                      – Maarten Bodewes
                      Feb 13 at 20:52
















                    $begingroup$
                    Yeah, I saw something similar within another protocol. Interesting to show that it is used in PKCS#1, but MGF1 is missing any Info or similar. Unfortunately I don't see any statement about copyright for that forum as the KDF1 functions in the Basic langue (first link) are very descriptive - and they do include OtherInfo.
                    $endgroup$
                    – Maarten Bodewes
                    Feb 13 at 20:52





                    $begingroup$
                    Yeah, I saw something similar within another protocol. Interesting to show that it is used in PKCS#1, but MGF1 is missing any Info or similar. Unfortunately I don't see any statement about copyright for that forum as the KDF1 functions in the Basic langue (first link) are very descriptive - and they do include OtherInfo.
                    $endgroup$
                    – Maarten Bodewes
                    Feb 13 at 20:52


















                    draft saved

                    draft discarded
















































                    Thanks for contributing an answer to Cryptography Stack Exchange!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid


                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.

                    Use MathJax to format equations. MathJax reference.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f67280%2fformal-description-of-kdf1-and-kdf2%23new-answer', 'question_page');

                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown






                    Popular posts from this blog

                    How to check contact read email or not when send email to Individual?

                    Displaying single band from multi-band raster using QGIS

                    How many registers does an x86_64 CPU actually have?