DOI: 10.1145/3634737.3637673
Research article

Skye: An Expanding PRF based Fast KDF and its Applications

Published: 01 July 2024

Abstract

A Key Derivation Function (KDF) generates a uniform and highly random key-stream from weakly random key material. KDFs are broadly used in various security protocols such as digital signatures and key exchange protocols. HKDF, the most deployed KDF in practice, is based on the extract-then-expand paradigm. It is presently used, among others, in the Signal Protocol for end-to-end encrypted messaging.
HKDF is a generic KDF for general input sources and thus is not optimized for source-specific use cases such as key derivation from Diffie-Hellman (DH) sources (i.e. DH shared secrets as key material). Furthermore, the sequential HKDF design is unnecessarily slow on some general-purpose platforms that can benefit from parallelization.
In this work, we propose Skye, a novel, efficient and secure KDF. Skye follows the extract-then-expand paradigm and consists of two algorithms: an efficient deterministic randomness extractor and an expander function. Instantiating our extractor for dedicated source-specific inputs (e.g. DH sources) yields a significant efficiency gain over HKDF while maintaining its security level. We provide a concrete security analysis of Skye and of both its underlying algorithms in the standard model.
We provide a software performance comparison of Skye with the AES-based expanding PRF ButterKnife and with HKDF using SHA-256 (as used in practice). Our results show that in isolation Skye performs from 4x to 47x faster than HKDF, depending on the availability of AES or SHA instruction support. We further demonstrate that, with such a performance gain, integrating Skye into the current Signal implementation achieves significant overall improvements, ranging from 38% to 64% relative speedup in unidirectional messaging. Even in bidirectional messaging, which includes DH computation whose cost dominates, Skye still contributes a 12-36% relative speedup when just 10 messages are sent and received at once.
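The extract-then-expand structure the abstract refers to, written out as an added example (not code from the paper, from Skye, or from Signal's libraries) using HKDF with SHA-256, the baseline the paper compares against. The chained input to each expand block is the sequential dependency the abstract mentions; the known-answer check uses RFC 5869 test case 1.

```python
# Added example: the extract-then-expand paradigm as instantiated by HKDF (RFC 5869).
# Extract: PRK = HMAC(salt, IKM) condenses weakly random key material into a PRK.
# Expand:  T(i) = HMAC(PRK, T(i-1) || info || i), OKM = T(1) || T(2) || ...
import hmac
import hashlib
import math

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """Extract stage: derive a pseudorandom key (PRK) from input key material (IKM)."""
    if not salt:
        salt = b"\x00" * HASH_LEN  # RFC 5869: an absent salt is HashLen zero bytes
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """Expand stage: stretch PRK into `length` bytes of output key material (OKM)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output length exceeds 255 * HashLen")
    n = math.ceil(length / HASH_LEN)
    okm = b""
    t = b""  # T(0) is the empty string
    for i in range(1, n + 1):
        # Block i takes block i-1 as input, so this loop is inherently sequential.
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        okm += t
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """Full extract-then-expand KDF."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def rfc5869_test_case_1() -> tuple:
    """Known-answer check: inputs of RFC 5869 test case 1 (HMAC-SHA-256)."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    return hkdf_extract(salt, ikm), hkdf(salt, ikm, info, 42)
```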

Published In

ASIA CCS '24: Proceedings of the 19th ACM Asia Conference on Computer and Communications Security
July 2024
1987 pages
ISBN:9798400704826
DOI:10.1145/3634737
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. KDF
  2. Skye
  3. deterministic extraction
  4. extract-then-expand
  5. HKDF
  6. X3DH
  7. signal
  8. expanding PRF
  9. PRF-PRNG
  10. randomness amplification

Qualifiers

  • Research-article

Funding Sources

  • Austrian Science Fund (FWF)
  • CyberSecurity Research Flanders
  • Research Council KU Leuven C1
  • FWO
  • European Union

Conference

ASIA CCS '24

Acceptance Rates

Overall Acceptance Rate 418 of 2,322 submissions, 18%
