[Cfrg] Revive of draft-agl-ckdf?

Joachim Strömbergson <joachim@strombergson.com> Thu, 02 November 2017 10:06 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/v5hfj89ESziRK9gXFLBiH9AZvAQ>

draft-agl-ckdf is a draft by Adam Langley specifying a block cipher
based version of the hash based HKDF in RFC 5869. More specifically,
CKDF uses AES in CMAC mode to implement the extract and expand stages of

The 01-draft expired Feb 25, 2016. I've had a brief contact with Langley
who stated that he had no further interest in it.

But I think the premise in the introduction of the draft still stands.

For many IoT devices with really constrained MCUs, if there is
cryptographic support in HW, it is an AES-128 core. CKDF would allow
these devices to use the same core for key derivation and session

In pure SW solutions, having just one primitive makes the code size
smaller too. Performance-wise, the number of iterations and thus total
cycles will be much smaller for CKDF compared to HKDF, reducing the time
to establish sessions.

For these reasons, I believe CKDF would provide use case advantages
compared to HKDF.

Would it be possible to revive the draft?

Joachim Strömbergson
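
The construction the message describes, AES in CMAC mode standing in for HMAC in HKDF's extract and expand stages, as an added example that is not part of the original post or taken from the draft. It assumes the RFC 5869 structure carries over unchanged with a 16-byte salt; the function names are hypothetical, and AES-128 and CMAC (RFC 4493) are written out in pure Python so that the block cipher is the only primitive involved.

```python
def _xtime(a): return ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF  # times x in GF(2^8)
def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def _make_sbox():  # derive the AES S-box instead of embedding a 256-entry table
    p, q, s = 1, 1, [0x63] * 256
    for _ in range(255):
        p ^= _xtime(p)                      # p *= 3
        for sh in (1, 2, 4):                # q /= 3, keeping p * q == 1
            q = (q ^ (q << sh)) & 0xFF
        q ^= 0x09 if q & 0x80 else 0
        x = q * 0x101                       # q twice, so shifts act as rotations
        s[p] = (x ^ x >> 4 ^ x >> 5 ^ x >> 6 ^ x >> 7 ^ 0x63) & 0xFF
    return s
SBOX = _make_sbox()
def _round_keys(key):  # AES-128 key schedule: 11 round keys of 16 bytes
    w, rcon = [key[i:i + 4] for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = _xor(bytes(SBOX[b] for b in t[1:] + t[:1]), bytes([rcon, 0, 0, 0]))
            rcon = _xtime(rcon)
        w.append(_xor(w[i - 4], t))
    return [b"".join(w[i:i + 4]) for i in range(0, 44, 4)]
def _encrypt_block(rks, s):
    s = _xor(s, rks[0])
    for rnd in range(1, 11):
        s = [SBOX[s[(i + 4 * (i % 4)) % 16]] for i in range(16)]  # SubBytes + ShiftRows
        if rnd < 10:                                              # MixColumns
            s = [s[c + r] ^ _xtime(s[c + r] ^ s[c + (r + 1) % 4]) ^ s[c] ^ s[c + 1]
                 ^ s[c + 2] ^ s[c + 3] for c in (0, 4, 8, 12) for r in range(4)]
        s = _xor(s, rks[rnd])
    return s
def _dbl(b):  # multiply by x in GF(2^128); yields the CMAC subkeys K1, K2
    n = (int.from_bytes(b, "big") << 1) ^ (0x87 if b[0] & 0x80 else 0)
    return (n % (1 << 128)).to_bytes(16, "big")
def aes_cmac(key, msg):  # RFC 4493
    x, rks = bytes(16), _round_keys(key)
    k = _dbl(_encrypt_block(rks, x))                              # K1
    if not msg or len(msg) % 16:                                  # pad, switch to K2
        msg, k = msg + b"\x80" + bytes(15 - len(msg) % 16), _dbl(k)
    for i in range(0, len(msg) - 16, 16):
        x = _encrypt_block(rks, _xor(x, msg[i:i + 16]))
    return _encrypt_block(rks, _xor(_xor(x, msg[-16:]), k))
def ckdf_extract(salt, ikm): return aes_cmac(salt, ikm)  # assumed: PRK = CMAC(salt, IKM)
def ckdf_expand(prk, info, length):  # assumed: T(i) = CMAC(PRK, T(i-1) | info | i)
    if not 0 < length <= 255 * 16:
        raise ValueError("length must be 1..4080 bytes")
    okm, t = b"", b""
    for i in range(1, -(-length // 16) + 1):
        okm += (t := aes_cmac(prk, t + info + bytes([i])))
    return okm[:length]
```

Table-driven AES in an interpreted language is not constant-time, so this shows the data flow only; on the devices the message has in mind the block encryption would be the hardware AES-128 core.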