Assume for the sake of the question that I have two variable-length bit strings, each with 128 bits of cryptographic randomness, and I want to extract two 128-bit keys via HKDF-SHA256.

Which alternative is better (if any), and why?

  1. Use a single HKDF-extract on the concatenation of the two strings, and two HKDF-expands with different info strings to get two 128-bit keys.
  2. Use two HKDF-extract operations, one for each bit string, and use a single HKDF-expand on each to get two 128-bit keys.

Or in other words, is it better to HKDF-extract on a longer IKM string and use multiple HKDF-expands, or is it better to use HKDF on independent but shorter IKMs?

My intuition tells me that, if my randomness strings are really as good as I claim, then two independent HKDF extracts are better, but using a single one on the concatenation is, in practice, just as safe, and safer if my input randomness is not actually as good as assumed, so two HKDFs might be more robust in practice.

Mike Edward Moras
Marc Lehmann

1 Answer

Realistically, it probably doesn't matter, if all of your premises are accurate.

If it were me, I'd probably concatenate the inputs, then apply a HKDF to the concatenation to derive two keys -- but honestly, it's unlikely to matter. This is very unlikely to be the weakest link in your system. Pick something that's easy to implement and easy to understand, and move on: focus your energy on some other aspect of your system.

D.W.
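
The two alternatives from the question, written out with a minimal RFC 5869 HKDF-SHA256, as an added example that is not part of the original question or answer. The empty salt, the info labels `key-1` and `key-2`, the length prefix applied before concatenation, and the sample inputs are assumptions of this example.

```python
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 output size in bytes

# Constructed sample inputs standing in for the two random strings (not real randomness).
A = bytes.fromhex("00112233445566778899aabbccddeeff0102")
B = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC(salt, IKM); an empty salt means HashLen zero bytes."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated and truncated."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def length_prefixed(*parts: bytes) -> bytes:
    """Encode variable-length inputs so different splits of the same bytes differ."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def alternative_1(a: bytes, b: bytes) -> tuple[bytes, bytes]:
    """One extract over both inputs, two expands separated by info."""
    prk = hkdf_extract(b"", length_prefixed(a, b))
    return hkdf_expand(prk, b"key-1", 16), hkdf_expand(prk, b"key-2", 16)


def alternative_2(a: bytes, b: bytes) -> tuple[bytes, bytes]:
    """One extract and one expand per input."""
    return (hkdf_expand(hkdf_extract(b"", a), b"key-1", 16),
            hkdf_expand(hkdf_extract(b"", b), b"key-2", 16))


if __name__ == "__main__":
    print([k.hex() for k in alternative_1(A, B)])
    print([k.hex() for k in alternative_2(A, B)])
```

With alternative 1 both keys depend on both inputs; with alternative 2 each key depends only on its own input.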