
I'm actually working on KDFs (Key Derivation Functions), and specifically on the HKDF paper from CRYPTO 2010.

Let's consider the following HKDF oracle: $KDF(\sigma, r, c, l)$, where:

  • $\sigma$: Raw data from which the KDF is to derive the sub-keys
  • $r$: Random salt (optional)
  • $c$: Context information field (optional)
  • $l$: Number of key bits to be produced by the KDF

In the context of a KDF, where the attacker can freely choose values for the context parameter $c$, I wonder if it's possible to perform a "flooding" attack to exhaust all possible contexts.

Specifically, since we cannot reuse a context, every new context $c$ must not be part of the set $\{c_1, ..., c_{q'}\}$ where $q'$ is the maximum number of requests we can make to the oracle.

Such an attack would involve submitting a large number of queries with different context values $c$ with the goal of:

  • Exhausting the system's resources that run the KDF oracle
  • Generating so many keys associated with different contexts that the KDF becomes impractical to use in a real-world scenario. Context is optional, but could be helpful in practice, I guess.

My specific questions are as follows:

  • Is this scenario realistic in a properly (or improperly) designed system? For example, could the size of the context $c$ or limits on KDF invocations make this attack unlikely?
  • Are there known KDF implementations vulnerable to this kind of attack?

Thanks in advance for your insights!

Baptoo
