A Key Derivation Function (KDF) is a cryptographic algorithm that derives one or more secret keys from a secret value—like a master key, password, or passphrase—using a pseudorandom function. Crucially, a KDF incorporates a salt, a random value unique to each derivation, to prevent pre-computation attacks like rainbow tables and ensure identical inputs produce different outputs. This process is essential for creating strong, unique encryption keys from weaker or reusable secrets, forming a core component of secure key management.
Glossary
Key Derivation Function (KDF)

What is a Key Derivation Function (KDF)?
A Key Derivation Function (KDF) is a fundamental cryptographic algorithm used to generate cryptographically strong keys from a single secret value, such as a password or master key.
In TinyML and embedded security, KDFs like HKDF or PBKDF2 are vital for generating device-specific keys from a shared secret or a Physical Unclonable Function (PUF) output. Their design must balance cryptographic strength with the severe computational and memory constraints of microcontrollers, often leveraging lightweight cryptography. A KDF establishes a secure chain of trust, enabling derived keys for authenticated encryption, Secure OTA updates, and secure communication channels, all while protecting against key compromise.
Core Properties of a Secure KDF
A secure Key Derivation Function (KDF) must possess specific cryptographic properties to safely generate keys from secrets like passwords or master keys, especially within the constrained environments of TinyML devices.
Deterministic Output
A secure KDF must be deterministic: given the same input (secret, salt, and other parameters), it must always produce the same output key. This property is essential for systems where multiple parties or processes need to derive the same key independently, such as in secure communication sessions or for decrypting stored data. However, determinism alone is dangerous for password-based keys, which is why a salt is a critical additional input to ensure uniqueness.
Pseudorandomness & Preimage Resistance
The output of a KDF must be pseudorandom and preimage-resistant. This means the derived key should be indistinguishable from a random bit string, and it should be computationally infeasible to reverse the function to find the original input secret. This property protects the source secret (e.g., a low-entropy password) even if the derived key is exposed. It is achieved by building the KDF upon a cryptographically secure pseudorandom function (PRF), such as HMAC-SHA256.
Collision Resistance
A secure KDF must be collision-resistant. It should be computationally infeasible to find two different input sets (e.g., two different passwords) that produce the same output key. While related to the properties of the underlying hash function, a well-designed KDF structure amplifies this resistance. Collision resistance prevents an attacker from substituting one secret for another, which is vital for authentication and integrity purposes in embedded systems.
Controlled Work Factor (Iteration Count)
To defend against brute-force attacks, especially on low-entropy inputs like passwords, a secure KDF incorporates a deliberate computational cost or work factor. This is typically implemented as a high iteration count (or CPU/memory cost in modern KDFs like Argon2 or scrypt). Each iteration applies the core PRF again, linearly increasing the time and energy required for an attack. For TinyML, this parameter must be carefully tuned to balance security with the device's limited power budget and latency requirements.
Salt Incorporation
A cryptographic salt is a non-secret, random value that is a mandatory input to a secure KDF. Its primary purposes are:
- Preventing Rainbow Table Attacks: By making each key derivation unique, a salt forces attackers to precompute tables for each salt value, rendering bulk precomputation impractical.
- Ensuring Key Uniqueness: Even if the same master secret is used across multiple devices or contexts, a unique salt ensures different keys are generated, preventing systemic compromise.
- For embedded devices, salts must be stored securely alongside the derived key or regenerated deterministically.
Algorithm Agility & Domain Separation
Algorithm agility is the property that allows a system to seamlessly transition to a stronger KDF or hash function if the underlying primitive is compromised. A well-designed KDF specification includes an identifier for the algorithm used. Domain separation ensures keys derived for different purposes (e.g., encryption vs. authentication) are cryptographically independent, even from the same source secret. This is often achieved by including a context or info field as a KDF input, a critical practice in TinyML for deriving multiple keys for different model protection functions from a single device root key.
How Does a Key Derivation Function Work?
A Key Derivation Function (KDF) is a deterministic algorithm that transforms a secret input, like a password or master key, into one or more cryptographically strong secret keys suitable for use in encryption, authentication, or other security protocols.
A KDF works by taking a secret value (e.g., a low-entropy password), a salt (a random, non-secret value to prevent pre-computation attacks like rainbow tables), and an iteration count or work factor. It feeds these inputs into a pseudorandom function (PRF), such as an HMAC or a cryptographic hash, and iteratively applies it. This computationally intensive stretching process generates a derived key of the required length while deliberately slowing down brute-force attempts.
In TinyML and embedded security, lightweight KDFs like HKDF are critical. They derive unique session keys for device-to-cloud communication or peripheral encryption keys from a single, securely stored master secret. This process limits key exposure, supports forward secrecy, and enables efficient key management on memory-constrained microcontrollers without storing multiple full-length keys.
Common KDF Algorithms and Their Use Cases
Key Derivation Functions are essential for generating cryptographically strong keys from secrets like passwords or master keys. Different algorithms are optimized for specific security requirements and hardware constraints.
SP 800-108 KDF in Counter Mode
NIST SP 800-108 specifies several KDFs in feedback modes, with the Counter Mode being a common, efficient choice for constrained environments. It is designed for use with a pre-shared secret key (KKM).
- Core Mechanism:
K_i = HMAC(K_KDM, [i] || Label || 0x00 || Context || [L])whereiis a counter. Each iteration produces a block of key material. - Key Features: Deterministic, efficient, and allows derivation of multiple keys for different contexts (identified by the
LabelandContextfields). - Primary Use Case: Deriving multiple encryption and authentication keys from a single master key in standardized systems, such as storage encryption or network protocols. Its simplicity can be advantageous for TinyML implementations where a strong master key already exists.
CMAC-/KMAC-based KDF (NIST SP 800-108 Rev. 1)
The revision of NIST SP 800-108 adds KDFs based on CMAC (Cipher-based MAC) and KMAC (Keccak-based MAC, from SHA-3). These provide alternatives to HMAC-based constructions.
- CMAC-based KDF: Uses a block cipher (like AES) in CMAC mode. This can be highly efficient on hardware with AES acceleration.
- KMAC-based KDF: Built on the SHA-3 / Keccak sponge function, offering security properties distinct from SHA-2-based HMAC. KMAC itself can be used as a variable-length output PRF, making it naturally suitable for key derivation.
- Primary Use Case: Systems requiring diversification from SHA-2 or leveraging specific hardware accelerators (AES-NI, SHA-3 co-processors). KMAC is also a core component of post-quantum cryptography standards like ML-KEM, making its use in KDFs future-resistant.
KDF vs. Related Cryptographic Primitives
This table clarifies the distinct purpose, inputs, outputs, and security properties of a Key Derivation Function (KDF) compared to other core cryptographic algorithms used in embedded systems.
| Feature / Property | Key Derivation Function (KDF) | Cryptographic Hash Function (e.g., SHA-256) | Password Hashing Function (e.g., Argon2, bcrypt) | Encryption Cipher (e.g., AES) |
|---|---|---|---|---|
Primary Purpose | Derive one or more cryptographically strong keys from a secret. | Produce a fixed-size digest (hash) from arbitrary data for integrity/verification. | Securely store password verification tokens by intentionally being slow/resource-intensive. | Provide confidentiality by transforming plaintext into ciphertext and back. |
Core Inputs | Secret (key/password), salt, context/application info, desired key length. | Arbitrary-length input message/data. | Password, salt, work/cost parameters (time, memory, parallelism). | Plaintext data, a symmetric key, and an initialization vector (IV) for modes like CBC/GCM. |
Core Output | One or more derived keys of specified length. | Fixed-length hash digest (e.g., 256 bits for SHA-256). | Fixed-length hash digest suitable for storage and later verification. | Ciphertext of length similar to the plaintext. |
Key Property: Key Strengthening | ||||
Key Property: Salt Integration (for pre-computation defense) | ||||
Key Property: Variable Output Length | ||||
Key Property: Designed to be Computationally Expensive | ||||
Typical Use Case in TinyML | Deriving unique device keys from a master secret, generating session keys for secure comms. | Firmware integrity verification, digital signature generation. | Not typically used on-device; used server-side for user authentication storage. | Encrypting sensor data before transmission, decrypting secure OTA update payloads. |
Common Standard/Algorithm | HKDF (RFC 5869), NIST SP 800-108. | SHA-2, SHA-3 families (NIST FIPS 180-4, 202). | Argon2 (winner of PHC), bcrypt, scrypt. | AES (NIST FIPS 197), ChaCha20. |
Frequently Asked Questions
A Key Derivation Function (KDF) is a fundamental cryptographic primitive for generating secure keys from secrets like passwords or master keys. In the context of TinyML and embedded security, KDFs are critical for establishing device identity, securing communication channels, and protecting model parameters on resource-constrained microcontrollers.
A Key Derivation Function (KDF) is a cryptographic algorithm designed to derive one or more cryptographically strong secret keys from a secret value, such as a master key, password, or passphrase. It uses a pseudorandom function to expand the input entropy and produce output suitable for use as encryption keys, authentication keys, or other cryptographic material. For secure operation, a KDF typically incorporates a salt—a random, non-secret value—to prevent pre-computation attacks like rainbow tables and to ensure unique keys are derived even from identical inputs. In embedded systems, KDFs are essential for bootstrapping secure communication from a shared secret or a device's unique hardware identity.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Key Derivation Functions are a critical component within a broader cryptographic ecosystem. The following terms represent foundational concepts, complementary algorithms, and security architectures essential for implementing robust key management in embedded and TinyML systems.
Cryptographic Hash Function
A Cryptographic Hash Function is a deterministic algorithm that maps data of arbitrary size to a fixed-size output (a hash or digest). It is a core building block for a KDF. Key properties include:
- Pre-image resistance: Infeasible to reverse the hash to find the original input.
- Collision resistance: Infeasible to find two different inputs that produce the same hash.
- Avalanche effect: A small change in input produces a drastically different output.
Common hash functions like SHA-256 and SHA-3 are used within KDFs (e.g., HKDF, PBKDF2) to provide the necessary pseudorandomness and one-way properties for secure key derivation.
Password-Based KDF (PBKDF)
A Password-Based Key Derivation Function is a specific class of KDF designed to derive cryptographic keys from low-entropy, human-memorable passwords. It intentionally uses a computationally expensive process to slow down brute-force and dictionary attacks.
Core Components:
- Password: The weak secret input.
- Salt: A random value added to each password to prevent precomputed rainbow table attacks.
- Iteration Count: The number of times the underlying hash function is repeated, increasing the work factor for an attacker.
PBKDF2 is the most widely deployed standard, though modern alternatives like Argon2 (the winner of the Password Hashing Competition) provide better resistance against GPU/ASIC attacks.
HMAC-based KDF (HKDF)
HKDF is a Key Derivation Function standardized in RFC 5869, built using the HMAC (Hash-based Message Authentication Code) construct. It is designed for use where the input keying material (IKM) already has sufficient entropy, such as a Diffie-Hellman shared secret or a hardware-generated random key.
HKDF operates in two stages:
- Extract: Uses HMAC with a salt to 'concentrate' the possibly non-uniform IKM into a fixed-length, cryptographically strong pseudorandom key.
- Expand: Uses HMAC to generate multiple output keys of the required length from the extracted key material.
HKDF is efficient and is the recommended KDF for deriving keys from established secrets in protocols like TLS 1.3 and for securing IoT device communications.
Salt (Cryptographic Salt)
A Salt is a random, non-secret value used as an additional input to a KDF or one-way function. Its primary security functions are:
- Uniqueness: Ensures that identical passwords or inputs produce different derived keys. This defeats rainbow table attacks where an attacker precomputes hashes for common passwords.
- Key Separation: Using a unique salt for each context (e.g., per user, per device) ensures derived keys are independent, preventing compromise in one context from affecting others.
In a KDF like PBKDF2, the salt is not a secret but must be stored and retrieved alongside the derived key or its verifier. For HKDF, the salt can serve as a 'key diversification' parameter.
Key Stretching
Key Stretching is the technique of deliberately increasing the computational resources (time and/or memory) required to test each possible key or password candidate. It is a critical defense when the input secret has low entropy, such as a user password.
Implementation in KDFs:
- Iterative Hashing: As used in PBKDF2, where the core hash function is applied thousands or millions of times.
- Memory-Hard Functions: As used in scrypt and Argon2, which require large amounts of memory to compute, making hardware-accelerated attacks prohibitively expensive.
The goal is to make brute-force attacks computationally infeasible for the defender, who performs the stretching once, while imposing the same high cost on an attacker for every guess.
Cryptographic Key Hierarchy
A Cryptographic Key Hierarchy is a structured system for managing keys, where higher-level, long-lived keys are used to derive or protect lower-level, short-lived keys for specific operations. A KDF is the engine that enables this hierarchy.
Example for a TinyML Device:
- Root Key: A unique device secret provisioned in hardware (e.g., from a PUF or Secure Element).
- Identity Key: Derived via KDF from the Root Key + a fixed label. Used for device attestation.
- Session Keys: Derived via KDF (e.g., HKDF) from an ephemeral shared secret (from ECDH) for encrypting a firmware update.
This practice limits the exposure and scope of any single key, contains damage from key compromise, and supports secure key rotation.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us