# Re: AES 256 based key derivation function.

*From*: Maaartin <grajcar1@xxxxxxxxx>*Date*: Mon, 27 Oct 2008 16:09:50 -0700 (PDT)

PublicValue = PublicValue0 || PublicValue1

DerivedKey0 = AES-ECB-256(RootKey, PublicValue0 ^ 0)

DerivedKey1 = AES-ECB-256(RootKey, PublicValue1 ^ DerivedKey0)

DerivedKey2 = AES-ECB-256(RootKey, PublicValue0 ^ DerivedKey1)

Derivedkey = DerivedKey1 || DerivedKey2

It's like CBC with IV=0 and input

PublicValue0 || PublicValue1 || PublicValue0

and the first result gets thrown away.

I don't see any significant problems. The biggest problem I see is that it

requires 256-bits of PublicValue and 3 AES operations instead of 128 and 2.

So unless I'm missing something it is just a small efficiency cost.

Joe

The 256 bits of PublicValue comes from Fabrice's question -

he wrote "...That is, RootKey and Derived Key are 256 bits, and Public

Value could be up to 256 bits.".

So I thing three AES operations are necessary.

I just tried to make both parts of the output depend on both parts of

the input in a non-trivial way.

Now I see, it's similar to what Kristian Gjøsteen proposed at the end.

It also requires three AES invocations and no extra key schedule;

there's just one additional xor/add.

It can generate nearly alle 2**256 possible derived keys, but is it

worth it?

.

**References**:**AES 256 based key derivation function.***From:*Fabrice

**Re: AES 256 based key derivation function.***From:*Kristian Gjøsteen

**Re: AES 256 based key derivation function.***From:*Fabrice

**Re: AES 256 based key derivation function.***From:*Fabrice

**Re: AES 256 based key derivation function.***From:*Kristian Gjøsteen

**Re: AES 256 based key derivation function.***From:*Fabrice

**Re: AES 256 based key derivation function.***From:*Maaartin

**Re: AES 256 based key derivation function.***From:*Joseph Ashwood

- Prev by Date:
**Re: What is a (sci.crypt expert) ?** - Next by Date:
**Secure permutation of a 1e8 element set** - Previous by thread:
**Re: AES 256 based key derivation function.** - Next by thread:
**Re: AES 256 based key derivation function.** - Index(es):