Inferensys

Glossary

Key Derivation Function (KDF)

A Key Derivation Function (KDF) is a cryptographic algorithm that derives one or more secret keys from a secret value, such as a master key or password, using a pseudorandom function and a salt.
Stylish WeWork-like workspace with hot desks and document wall, professional searching through enterprise knowledge base on a mounted ultrawide display, warm industrial pendants overhead.
CRYPTOGRAPHIC PRIMITIVE

What is a Key Derivation Function (KDF)?

A Key Derivation Function (KDF) is a fundamental cryptographic algorithm used to generate cryptographically strong keys from a single secret value, such as a password or master key.

A Key Derivation Function (KDF) is a cryptographic algorithm that derives one or more secret keys from a secret value—like a master key, password, or passphrase—using a pseudorandom function. Crucially, a KDF incorporates a salt, a random value unique to each derivation, to prevent pre-computation attacks like rainbow tables and ensure identical inputs produce different outputs. This process is essential for creating strong, unique encryption keys from weaker or reusable secrets, forming a core component of secure key management.

In TinyML and embedded security, KDFs like HKDF or PBKDF2 are vital for generating device-specific keys from a shared secret or a Physical Unclonable Function (PUF) output. Their design must balance cryptographic strength with the severe computational and memory constraints of microcontrollers, often leveraging lightweight cryptography. A KDF establishes a secure chain of trust, enabling derived keys for authenticated encryption, Secure OTA updates, and secure communication channels, all while protecting against key compromise.

CRYPTOGRAPHIC PRIMITIVES

Core Properties of a Secure KDF

A secure Key Derivation Function (KDF) must possess specific cryptographic properties to safely generate keys from secrets like passwords or master keys, especially within the constrained environments of TinyML devices.

01

Deterministic Output

A secure KDF must be deterministic: given the same input (secret, salt, and other parameters), it must always produce the same output key. This property is essential for systems where multiple parties or processes need to derive the same key independently, such as in secure communication sessions or for decrypting stored data. However, determinism alone is dangerous for password-based keys, which is why a salt is a critical additional input to ensure uniqueness.

02

Pseudorandomness & Preimage Resistance

The output of a KDF must be pseudorandom and preimage-resistant. This means the derived key should be indistinguishable from a random bit string, and it should be computationally infeasible to reverse the function to find the original input secret. This property protects the source secret (e.g., a low-entropy password) even if the derived key is exposed. It is achieved by building the KDF upon a cryptographically secure pseudorandom function (PRF), such as HMAC-SHA256.

03

Collision Resistance

A secure KDF must be collision-resistant. It should be computationally infeasible to find two different input sets (e.g., two different passwords) that produce the same output key. While related to the properties of the underlying hash function, a well-designed KDF structure amplifies this resistance. Collision resistance prevents an attacker from substituting one secret for another, which is vital for authentication and integrity purposes in embedded systems.

04

Controlled Work Factor (Iteration Count)

To defend against brute-force attacks, especially on low-entropy inputs like passwords, a secure KDF incorporates a deliberate computational cost or work factor. This is typically implemented as a high iteration count (or CPU/memory cost in modern KDFs like Argon2 or scrypt). Each iteration applies the core PRF again, linearly increasing the time and energy required for an attack. For TinyML, this parameter must be carefully tuned to balance security with the device's limited power budget and latency requirements.

05

Salt Incorporation

A cryptographic salt is a non-secret, random value that is a mandatory input to a secure KDF. Its primary purposes are:

  • Preventing Rainbow Table Attacks: By making each key derivation unique, a salt forces attackers to precompute tables for each salt value, rendering bulk precomputation impractical.
  • Ensuring Key Uniqueness: Even if the same master secret is used across multiple devices or contexts, a unique salt ensures different keys are generated, preventing systemic compromise.
  • For embedded devices, salts must be stored securely alongside the derived key or regenerated deterministically.
06

Algorithm Agility & Domain Separation

Algorithm agility is the property that allows a system to seamlessly transition to a stronger KDF or hash function if the underlying primitive is compromised. A well-designed KDF specification includes an identifier for the algorithm used. Domain separation ensures keys derived for different purposes (e.g., encryption vs. authentication) are cryptographically independent, even from the same source secret. This is often achieved by including a context or info field as a KDF input, a critical practice in TinyML for deriving multiple keys for different model protection functions from a single device root key.

CRYPTOGRAPHIC PRIMITIVE

How Does a Key Derivation Function Work?

A Key Derivation Function (KDF) is a deterministic algorithm that transforms a secret input, like a password or master key, into one or more cryptographically strong secret keys suitable for use in encryption, authentication, or other security protocols.

A KDF works by taking a secret value (e.g., a low-entropy password), a salt (a random, non-secret value to prevent pre-computation attacks like rainbow tables), and an iteration count or work factor. It feeds these inputs into a pseudorandom function (PRF), such as an HMAC or a cryptographic hash, and iteratively applies it. This computationally intensive stretching process generates a derived key of the required length while deliberately slowing down brute-force attempts.

In TinyML and embedded security, lightweight KDFs like HKDF are critical. They derive unique session keys for device-to-cloud communication or peripheral encryption keys from a single, securely stored master secret. This process limits key exposure, supports forward secrecy, and enables efficient key management on memory-constrained microcontrollers without storing multiple full-length keys.

CRYPTOGRAPHIC PRIMITIVES

Common KDF Algorithms and Their Use Cases

Key Derivation Functions are essential for generating cryptographically strong keys from secrets like passwords or master keys. Different algorithms are optimized for specific security requirements and hardware constraints.

05

SP 800-108 KDF in Counter Mode

NIST SP 800-108 specifies several KDFs in feedback modes, with the Counter Mode being a common, efficient choice for constrained environments. It is designed for use with a pre-shared secret key (KKM).

  • Core Mechanism: K_i = HMAC(K_KDM, [i] || Label || 0x00 || Context || [L]) where i is a counter. Each iteration produces a block of key material.
  • Key Features: Deterministic, efficient, and allows derivation of multiple keys for different contexts (identified by the Label and Context fields).
  • Primary Use Case: Deriving multiple encryption and authentication keys from a single master key in standardized systems, such as storage encryption or network protocols. Its simplicity can be advantageous for TinyML implementations where a strong master key already exists.
06

CMAC-/KMAC-based KDF (NIST SP 800-108 Rev. 1)

The revision of NIST SP 800-108 adds KDFs based on CMAC (Cipher-based MAC) and KMAC (Keccak-based MAC, from SHA-3). These provide alternatives to HMAC-based constructions.

  • CMAC-based KDF: Uses a block cipher (like AES) in CMAC mode. This can be highly efficient on hardware with AES acceleration.
  • KMAC-based KDF: Built on the SHA-3 / Keccak sponge function, offering security properties distinct from SHA-2-based HMAC. KMAC itself can be used as a variable-length output PRF, making it naturally suitable for key derivation.
  • Primary Use Case: Systems requiring diversification from SHA-2 or leveraging specific hardware accelerators (AES-NI, SHA-3 co-processors). KMAC is also a core component of post-quantum cryptography standards like ML-KEM, making its use in KDFs future-resistant.
FUNCTIONAL COMPARISON

KDF vs. Related Cryptographic Primitives

This table clarifies the distinct purpose, inputs, outputs, and security properties of a Key Derivation Function (KDF) compared to other core cryptographic algorithms used in embedded systems.

Feature / PropertyKey Derivation Function (KDF)Cryptographic Hash Function (e.g., SHA-256)Password Hashing Function (e.g., Argon2, bcrypt)Encryption Cipher (e.g., AES)

Primary Purpose

Derive one or more cryptographically strong keys from a secret.

Produce a fixed-size digest (hash) from arbitrary data for integrity/verification.

Securely store password verification tokens by intentionally being slow/resource-intensive.

Provide confidentiality by transforming plaintext into ciphertext and back.

Core Inputs

Secret (key/password), salt, context/application info, desired key length.

Arbitrary-length input message/data.

Password, salt, work/cost parameters (time, memory, parallelism).

Plaintext data, a symmetric key, and an initialization vector (IV) for modes like CBC/GCM.

Core Output

One or more derived keys of specified length.

Fixed-length hash digest (e.g., 256 bits for SHA-256).

Fixed-length hash digest suitable for storage and later verification.

Ciphertext of length similar to the plaintext.

Key Property: Key Strengthening

Key Property: Salt Integration (for pre-computation defense)

Key Property: Variable Output Length

Key Property: Designed to be Computationally Expensive

Typical Use Case in TinyML

Deriving unique device keys from a master secret, generating session keys for secure comms.

Firmware integrity verification, digital signature generation.

Not typically used on-device; used server-side for user authentication storage.

Encrypting sensor data before transmission, decrypting secure OTA update payloads.

Common Standard/Algorithm

HKDF (RFC 5869), NIST SP 800-108.

SHA-2, SHA-3 families (NIST FIPS 180-4, 202).

Argon2 (winner of PHC), bcrypt, scrypt.

AES (NIST FIPS 197), ChaCha20.

KEY DERIVATION FUNCTION (KDF)

Frequently Asked Questions

A Key Derivation Function (KDF) is a fundamental cryptographic primitive for generating secure keys from secrets like passwords or master keys. In the context of TinyML and embedded security, KDFs are critical for establishing device identity, securing communication channels, and protecting model parameters on resource-constrained microcontrollers.

A Key Derivation Function (KDF) is a cryptographic algorithm designed to derive one or more cryptographically strong secret keys from a secret value, such as a master key, password, or passphrase. It uses a pseudorandom function to expand the input entropy and produce output suitable for use as encryption keys, authentication keys, or other cryptographic material. For secure operation, a KDF typically incorporates a salt—a random, non-secret value—to prevent pre-computation attacks like rainbow tables and to ensure unique keys are derived even from identical inputs. In embedded systems, KDFs are essential for bootstrapping secure communication from a shared secret or a device's unique hardware identity.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.