Re: AES 256 based key derivation function.

PublicValue = PublicValue0 || PublicValue1
DerivedKey0  =  AES-ECB-256(RootKey, PublicValue0 ^ 0)
DerivedKey1 = AES-ECB-256(RootKey, PublicValue1 ^ DerivedKey0)
DerivedKey2 = AES-ECB-256(RootKey, PublicValue0 ^ DerivedKey1)
Derivedkey = DerivedKey1 || DerivedKey2

It's like CBC with IV=0 and input
PublicValue0 || PublicValue1 || PublicValue0
and the first result gets thrown away.

I don't see any significant problems. The biggest problem I see is that it
requires 256-bits of PublicValue and 3 AES operations instead of 128 and 2.
So unless I'm missing something it is just a small efficiency cost.

The 256 bits of PublicValue comes from Fabrice's question -
he wrote "...That is, RootKey and Derived Key are 256 bits, and Public
Value could be up to 256 bits.".
So I thing three AES operations are necessary.

I just tried to make both parts of the output depend on both parts of
the input in a non-trivial way.
Now I see, it's similar to what Kristian Gjøsteen proposed at the end.
It also requires three AES invocations and no extra key schedule;
there's just one additional xor/add.
It can generate nearly alle 2**256 possible derived keys, but is it
worth it?