Overview

A key derivation function (KDF) is a deterministic algorithm used in cryptography to convert a secret input — for example a password, passphrase, or shared secret — into one or more cryptographic keys suitable for use in encryption, message authentication, or other protocols. KDFs are designed so the derived output appears uniformly random and unpredictable even if the input is low-entropy. They are a core building block in many protocols in modern security systems and cryptography.

Purpose and main properties

KDFs serve several purposes: they expand or compress secret material into keys of appropriate length, add domain separation so the same secret can safely be reused for different purposes, and increase the cost for an attacker trying to guess the original secret. Important properties include one-wayness (hard to invert), pseudorandomness of outputs, and support for parameters such as salts, iteration counts or memory-cost settings. When processing passwords KDFs often perform key stretching or memory-hard computations to slow brute-force and hardware-accelerated attacks. Common design elements are salts (random nonces), iteration counts, and optional context or info strings.

Types and examples

  • Iterated hash-based KDFs such as PBKDF2.
  • Adaptive password hashing algorithms like bcrypt and scrypt, which add cost factors and sometimes memory hardness.
  • Modern memory-hard designs such as Argon2, created to resist GPU and ASIC cracking.
  • Extract-and-expand constructions such as HKDF used to derive multiple keys from a high-entropy shared secret (for example after a Diffie–Hellman agreement).

History and development

Early KDFs were simple iterations of cryptographic hashes. As password-cracking hardware evolved, designers introduced adjustable cost parameters and memory-hard functions to increase the resources an attacker needs. This evolution led from basic iterated hashes to widely adopted standards and newer algorithms that balance performance with resistance to parallel hardware.

Uses and examples

KDFs are used for password storage, key stretching, deriving symmetric keys from master secrets, and producing keys for different protocol roles. For instance a shared secret produced by Diffie–Hellman is typically fed into a KDF to produce session keys used by ciphers such as AES. KDFs also allow a single secret value to yield multiple domain-separated keys (encryption, MAC, IV generation) safely. They are frequently combined with salts and other context data and are referenced in standards and RFCs.

Security considerations and distinctions

Selecting a KDF involves trade-offs: choose parameters that make legitimate use practical but increase attacker cost. Always use a per-secret salt to avoid precomputation attacks and prefer algorithms with adjustable cost or memory parameters. Distinguish KDFs from simple cryptographic hashes or MACs: while related, KDFs incorporate additional structure (salts, iterations, context) and are intended specifically to produce keys. For guidance consult protocol specifications and trusted cryptographic libraries; further resources are available on general cryptography pages and password-handling guides such as those focused on password security.

Further reading

Technical standards and algorithm descriptions provide implementation details and recommended parameter choices. For an introduction to randomness sources and entropy considerations see material on random inputs and entropy estimation. Practical examples and interoperable formats are discussed in many protocol specifications and implementation guides.