Score:1

Why does the RFC version of HKDF-Expand start the counter at 1?

in flag

In RFC 5869, the definition of HKDF-Expand is given as follows, with the terminating counter value ranging from 1 to (presumably) 255:

The output OKM is calculated as follows:

   N = ceil(L/HashLen)
   T = T(1) | T(2) | T(3) | ... | T(N)
   OKM = first L octets of T

   where:
   T(0) = empty string (zero length)
   T(1) = HMAC-Hash(PRK, T(0) | info | 0x01)
   T(2) = HMAC-Hash(PRK, T(1) | info | 0x02)
   T(3) = HMAC-Hash(PRK, T(2) | info | 0x03)
   ...

However, in section 4.2 of the HKDF paper the same function is instead defined with the counter value starting at 0. Is there some subtle reason to avoid a 0 value in this terminal counter byte?

DannyNiu avatar
vu flag
It's not the only modification the IETF people ever made to an algorithm. The academic version of ChaCha20 cipher had 64-bit IV and 64-big counter, they changed it to 96-bit IV and 32-bit counter so as to make it fit better for Internet protocols.
DannyNiu avatar
vu flag
My final comment here is that, these kind of questions are better asked to the people made the decision. The drafters of the RFC can probably still be reached from the contacts listed in the last page of that RFC. One of them is a [member](https://crypto.stackexchange.com/users/86083/hugo-krawczyk) of this community (albeit inactive).
Maarten Bodewes avatar
in flag
Seconded, but I will add that it would be helpful if they could answer here, or - if you receive an answer - to post it as a self answer.
Marc Ilunga avatar
tr flag
Only speculating, but in terms of security I think the difference doesn't matter as the security relies on the PRF security of HMAC. But maybe it's make is "easy" to implement naively as the loop counter is the same as the counter value and no need to do a "-1"?
in flag
OK, I will ask on the CFRG mailing list as they may know. It seems a little odd to restrict it to a single byte and then to eliminate 1/256th of the capacity!
Marc Ilunga avatar
tr flag
with sha256, a 255 counter amounts to around 7MB of random data.
kelalaka avatar
in flag
It is a matter of taste...
Maarten Bodewes avatar
in flag
Wouldn't that be $255 \cdot 32$ bytes, which is $(2^8 - 1) \cdot (2^5) = 2^{13} - 32 = 8 Ki - 32$ bytes of data?
Score:1
in flag

Hugo Krawczyk answered on the CFRG mailing list that the RFC version was adjusted to be compatible with IKE, which starts the counter at 1:

Good question. I believe (I checked some old email of mine with Pasi) this was done for compatibility with the definition of HKDF in IKE (which is when I originally designed HKDF, though without a name and published analysis). I wasn't too happy about being limited by backwards compatibility but it was judged at the time as one less hurdle for adoption.

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.