How to create an encryption such that we need two keys to decrypt, while one key is derivable from the other if I have the secret

Suppose I have some plaintext $M$, and I want to have some process $f$ to make ciphertext $M':=f(M,s)$, where $s$ is some secret. The ciphertext $M'$ can be decrypted by using some decryption process $M=g(M',k_1,k_2)$, where $k_1$ and $k_2$ are two keys, and $k_1$ is a random key (cannot be controlled, such as the current time), and $k_2$ can be generated from $k_1$ by using the secret, i.e. $k_2=k_2(k_1,s)$. How can I achieve this encryption and decryption process?

Edit: As @fgrieu suggests, we may just use $k_2:=k_1\oplus s$ and then decrypt using $s=k_1\oplus k_2$. However, this is not what I desire. The generated $k_2$ is distributed to other people letting them decrypt $M'$ by using it together with $k_1$, but it should not let other people be able to figure out how to generate $k_2$ themselves. The function $k_2(k_1,s)$ should make it hard to guess $s$ from many pairs of $(k_1,k_2)$ so that $s$ is secret enough.