Join Log in
Score:1
avatar Crypto

Why does the RFC version of HKDF-Expand start the counter at 1?

in flag
Neil Madden

In RFC 5869, the definition of HKDF-Expand is given as follows, with the terminating counter value ranging from 1 to (presumably) 255:

The output OKM is calculated as follows:

   N = ceil(L/HashLen)
   T = T(1) | T(2) | T(3) | ... | T(N)
   OKM = first L octets of T

   where:
   T(0) = empty string (zero length)
   T(1) = HMAC-Hash(PRK, T(0) | info | 0x01)
   T(2) = HMAC-Hash(PRK, T(1) | info | 0x02)
   T(3) = HMAC-Hash(PRK, T(2) | info | 0x03)
   ...

However, in section 4.2 of the HKDF paper the same function is instead defined with the counter value starting at 0. Is there some subtle reason to avoid a 0 value in this terminal counter byte?

148
0 + 0
DannyNiu avatar
vu flag
DannyNiu
It's not the only modification the IETF people ever made to an algorithm. The academic version of ChaCha20 cipher had 64-bit IV and 64-big counter, they changed it to 96-bit IV and 32-bit counter so as to make it fit better for Internet protocols.
0
Reply
DannyNiu avatar
vu flag
DannyNiu
My final comment here is that, these kind of questions are better asked to the people made the decision. The drafters of the RFC can probably still be reached from the contacts listed in the last page of that RFC. One of them is a [member](https://crypto.stackexchange.com/users/86083/hugo-krawczyk) of this community (albeit inactive).
1
Reply
Maarten Bodewes avatar
in flag
Maarten Bodewes
Seconded, but I will add that it would be helpful if they could answer here, or - if you receive an answer - to post it as a self answer.
0
Reply
Marc Ilunga avatar
tr flag
Marc Ilunga
Only speculating, but in terms of security I think the difference doesn't matter as the security relies on the PRF security of HMAC. But maybe it's make is "easy" to implement naively as the loop counter is the same as the counter value and no need to do a "-1"?
0
Reply
in flag
Neil Madden
OK, I will ask on the CFRG mailing list as they may know. It seems a little odd to restrict it to a single byte and then to eliminate 1/256th of the capacity!
0
Reply
Marc Ilunga avatar
tr flag
Marc Ilunga
with sha256, a 255 counter amounts to around 7MB of random data.
0
Reply
kelalaka avatar
in flag
kelalaka
It is a matter of taste...
1
Reply
Maarten Bodewes avatar
in flag
Maarten Bodewes
Wouldn't that be $255 \cdot 32$ bytes, which is $(2^8 - 1) \cdot (2^5) = 2^{13} - 32 = 8 Ki - 32$ bytes of data?
1
Reply
Score:1
avatar Crypto
in flag
Neil Madden

Hugo Krawczyk answered on the CFRG mailing list that the RFC version was adjusted to be compatible with IKE, which starts the counter at 1:

Good question. I believe (I checked some old email of mine with Pasi) this was done for compatibility with the definition of HKDF in IKE (which is when I originally designed HKDF, though without a name and published analysis). I wasn't too happy about being limited by backwards compatibility but it was judged at the time as one less hurdle for adoption.

0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.