ISO/IEC 11770-6:2016

INTERNATIONAL ISO/IEC
STANDARD 11770-6
First edition
2016-10-01
Information technology — Security
techniques — Key management —
Part 6:
Key derivation
Technologies de l’information — Techniques de sécurité — Gestion
de clés —
Partie 6: Dérivation de clés
Reference number
©
ISO/IEC 2016
© ISO/IEC 2016, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2016 – All rights reserved

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols and abbreviations . 3
4.1 Symbols . 3
4.2 Abbreviations . 4
4.3 Notation . 4
5 Key derivation techniques . 4
5.1 Model . 4
5.2 Types of key derivation function . 5
5.3 Relationship to key management life cycle . 6
5.4 Use of a key derivation function . 6
6 One-step key derivation functions . 6
6.1 General . 6
6.2 One-step key derivation function 1 (OKDF1) . 7
6.2.1 General. 7
6.2.2 Requirements for use . 7
6.2.3 Operation of function . 7
6.3 One-step key derivation function 2 (OKDF2) . 8
6.3.1 General. 8
6.3.2 Requirements for use . 8
6.3.3 Operation of function . 8
6.4 One-step key derivation function 3 (OKDF3) . 9
6.4.1 General. 9
6.4.2 Requirements for use . 9
6.4.3 Operation of function . 9
6.5 One-step key derivation function 4 (OKDF4) . 9
6.5.1 General. 9
6.5.2 Requirements for use .10
6.5.3 Operation of function .10
6.6 One-step key derivation function 5 (OKDF5) .10
6.6.1 General.10
6.6.2 Requirements for use .11
6.6.3 Operation of function .11
6.7 One-step key derivation function 6 (OKDF6) .11
6.7.1 General.11
6.7.2 Requirements for use .12
6.7.3 Operation of function .12
7 Two-step key derivation functions .12
7.1 General .12
7.2 Key extraction function .13
7.2.1 Key extraction function 1 (KTF1) .13
7.3 Key expansion functions .14
7.3.1 Key expansion function 1 (KPF1) .14
7.3.2 Key expansion function 2 (KPF2) .15
7.3.3 Key expansion function 3 (KPF3) .16
7.3.4 Key expansion function 4 (KPF4) .17
7.4 Two-step KDFs .18
7.4.1 Two-step key derivation function 1 (TKDF1) .18
7.4.2 Two-step key derivation function 2 (TKDF2) .18
© ISO/IEC 2016 – All rights reserved iii

7.4.3 Two-step key derivation function 3 (TKDF3) .19
7.4.4 Two-step key derivation function 4 (TKDF4) .19
Annex A (normative) Object identifiers .20
Annex B (informative) Guidance on use .21
Bibliography .23
iv © ISO/IEC 2016 – All rights reserved

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment,
as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the
Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.
The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee
SC 27, IT Security techniques.
A list of all parts in the ISO/IEC 11770 series can be found on the ISO website.
© ISO/IEC 2016 – All rights reserved v

Introduction
The establishment of shared secret cryptographic keys is a fundamental key management service. It
is a prerequisite for the use of a range of symmetric cryptographic techniques, including symmetric
encryption for confidentiality protection, and message authentication codes (MACs) for integrity
protection and data origin authentication. Key derivation techniques enable such keys to be generated
from pre-existing secrets and have a range of possible applications. Two particularly important
applications are as follows.
First, while two (or more) parties might share secret information, this secret information might not
be suitable for immediate use as input to an encryption algorithm or a message authentication code
scheme. For example, the initial secret information might not be distributed randomly across the entire
space of possible values, or an unauthorized third party might have partial information about it. A key
derivation function (or a key extraction function) can be used to resolve this issue by taking the secret
information as input, perhaps together with other non-secret material, and giving a suitable secret key
as output.
Second, a number of secret keys might be required for different purposes, e.g. for different applications
or for input to different cryptographic functions. Again, a key derivation function (or a key expansion
function) can be used to meet this requirement by taking secret information, perhaps together with
other non-secret material, as input, and giving a secret key, or keys, as output. The secret information
might, for example, be shared by two or more parties, and the generated secret keys could then be
used to protect data exchanged between these parties via untrusted channels; alternatively, the secret
information might only be known by a single party, and the generated keys could then be used to
protect data stored by that party in untrusted locations.
This document is concerned with such key derivation techniques. Two general classes of key derivation
techniques are specified, namely one-step and two-step functions, both of which can be used to generate
either a single key or multiple keys. One-step functions transform the input information into one or
more keys in a single operation. Two-step functions first transform the input information into a secret
MAC key, which is then used in the second step (which can be executed multiple times) to generate one
or more secret keys for use in applications.
The choice between one-step and two-step functions depends on two main things: the nature of the
available secret input to the key derivation function, and the way in which the secret input is to be used.
For example, if the available secret input is already in the form of a secret key, then a one-step function
will normally be appropriate. Also, regardless of the nature of the secret input, if the function is to
be used only once with a particular set of secret inputs, then again a one-step function will typically
be appropriate. However, if the secret input is not in the form of a secret key, and the same secret
input is to be used multiple times to generate one or more keys, then a two-step function is likely to
be appropriate, where the first step is performed once to generate a MAC key and the second step is
performed whenever a new key is, or keys are, to be generated from the MAC key.
This document defines a range of one-step key derivation functions. It also defines examples of both key
extraction functions and key expansion functions, where a key extraction function can be combined
with a key expansion function to define a two-step key derivation function.
vi © ISO/IEC 2016 – All rights reserved

INTERNATIONAL STANDARD ISO/IEC 11770-6:2016(E)
Information technology — Security techniques — Key
management —
Part 6:
Key derivation
1 Scope
This document specifies key derivation functions, i.e. functions which take secret information and other
(public) parameters as input and output one or more “derived” secret keys. Key derivation functions
based on MAC algorithms and on hash-functions are specified.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 9797 (all parts), Information technology — Security techniques —Message Authentication
Codes (MACs)
ISO/IEC 10118 (all parts), Information technology — Security techniques — Hash-functions
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 11770-1 and the
following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp
3.1
entropy
measure of the disorder, randomness or variability in a closed system
Note 1 to entry: The particular measure of entropy that is used in the document is discussed in 5.1.
3.2
hash-function
function which maps strings of bits of variable (but usually upper bounded) length to fixed-length
strings of bits
Note 1 to entry: Cryptographic requirements on hash-functions employed for the purposes of this document are
considered in 6.1.
© ISO/IEC 2016 – All rights reserved 1

3.3
key derivation function
KDF
function which takes as input a number of parameters, at least one of which shall be secret, and which
gives as output keys appropriate for the intended algorithm(s) and applications
Note 1 to entry: Cryptographic requirements on key derivation functions are specified in 5.1.
Note 2 to entry: Key derivation functions are also sometimes known as “key generating functions.”
3.4
key expansion function
KPF
function which takes as input a number of parameters, at least one of which shall be a secret key, and
which gives as output keys appropriate for the intended algorithm(s) and applications
Note 1 to entry: Cryptographic requirements on key expansion functions are specified in 7.1.
Note 2 to entry: All the KPFs specified in this document are based on a MAC algorithm.
3.5
key extraction function
KTF
function which takes as input a number of parameters, at least one of which shall be secret, and which
gives as output a key suitable for use as input to a key expansion function
Note 1 to entry: Cryptographic requirements on key extraction functions are specified in 7.1.
3.6
message authentication code
MAC
string of bits which is the output of a MAC algorithm
[SOURCE: ISO/IEC 9797-1:2011, 3.9 – modified, Note 1 to entry removed]
3.7
message authentication code algorithm
MAC algorithm
algorithm for computing a function which maps strings of bits and a secret key to fixed-length strings
of bits, satisfying the following two properties:
— for any key and any input string, the function can be computed efficiently;
— for any fixed key, and given no prior knowledge of the key, it is computationally infeasible to
compute the function value on any new input string, even given knowledge of a set of input strings
and corresponding function values, where the value of the ith input string might have been chosen
after observing the value of the first i − 1 function values (for integers i > 1)
Note 1 to entry: A MAC algorithm is sometimes called a “cryptographic check function.”
Note 2 to entry: Computational feasibility depends on the user’s specific security requirements and environment.
Note 3 to entry: Additional cryptographic requirements for MAC algorithms employed for the purposes of this
document are specified in 6.1 and 7.1.
3.8
message authentication code key
MAC key
bit string suitable for use as a key input to a MAC algorithm
2 © ISO/IEC 2016 – All rights reserved

3.9
one-step key derivation function
OKDF
key derivation function which operates in a single stage, in contrast to key derivation functions
involving separate key-extraction and key-expansion stages (cf. 3.12)
3.10
salt
value used as input to a key derivation function, a key expansion function or a key extraction function,
which might not be a secret
3.11
secret information
bit string used as input to a KDF or a KTF, which shall be known only to entities which are authorized
to agree upon the key or keys, and possibly to one or more other entities trusted for the purposes of key
establishment
3.12
two-step key derivation function
TKDF
key derivation function which involves two stages, namely the use of a key extraction function followed
by a key expansion function
4 Symbols and abbreviations
4.1 Symbols
a algorithm identifier
b bit string output by a KDF
c counter
f MAC algorithm, where f (d) denotes the MAC obtained when f is given as input the key k and
k
the data d (a bit string)
h hash-function
k secret key
k secret MAC key
m
L bit-length of the output b of a KDF
b
L bit-length of the binary encoding of the counter c
c
L bit-length of the output of the MAC algorithm f used as part of a KDF
f
L bit-length of the output of a hash-function h used as part of a KDF
h
L bit-length of a secret key k
k
p label employed to 1) indicate how a bit string is to be partitioned into one or more keys, and 2)
identify the algorithm(s) with which the resulting key(s) should be used
s secret information
t salt value
© ISO/IEC 2016 – All rights reserved 3

u auxiliary secret information
y bit string
z bit string
4.2 Abbreviations
KDF key derivation function
KPF key exPansion function
KTF key exTraction function
MAC message authentication code
OKDF one-step KDF
TKDF two-step KDF
4.3 Notation
|| concatenation, where x||y denotes the bit string obtained by concatenating the bit strings x
and y in the order specified
   
... if x is a real number, x denotes the smallest integer greater than or equal to x
   
[.] if x is a bit string, [x] indicates that the inclusion of x is optional
5 Key derivation techniques
5.1 Model
A KDF is a function which can be used to generate one or more secret keys, given a range of possible
inputs. In general, a KDF has the following inputs and outputs.
Inputs:
— Mandatory inputs:
— s secret information possessed by the party or parties using the KDF. It shall be
computationally infeasible for parties not authorized to obtain the keys output from the KDF
to differentiate between values produced using the mechanism employed to generate s and
values selected with sufficient entropy to support the security requirements of the user(s) of
the intended application(s) of the generated key(s) (see B.1.2 for guidance).
NOTE 1 The entropy of a (discrete) random variable X is a mathematical measure of the uncertainty
associated with the possible outcomes of an observation, which serves as an estimate of the information
that may be gained from an observation of X. Entropy is at its highest if all possible outcomes are equally
likely. Entropy is lessened if the distribution on X is such that some outcomes are more likely than others;
entropy is at its lowest (zero) if each observation is certain to be a particular (predetermined) value.
NOTE 2 There are various notions of entropy that are relevant to cryptographic applications, but in this
[5]
document entropy is measured using min-entropy, as defined in ISO/IEC 18031:2011, 3.22 . When the unit
of measurement is bits, the min-entropy of a (discrete) random variable X is the largest value m for which the
m
probability of observing any particular value of X is at most (1/2) . The min-entropy of X is a lower bound
for other commonly used measures of entropy.
NOTE 3 Computational feasibility depends on the user’s specific security requirements and environment.
4 © ISO/IEC 2016 – All rights reserved

— Optional/mechanism-dependent inputs:
— a algorithm identifier employed by the OKDF2 mechanism, which specifies the algorithm
with which the single key it gives as output should be used;
— p label, used with certain KDFs to indicate how the output bit string should be partitioned
into secret keys and the intended use for each such secret key;
— t salt value, i.e. a (not necessarily secret) value that can be used, for example, to make the
generated key(s) specific to a particular application and/or to ensure that the output key(s)
will vary with each execution of a key derivation function; used as a MAC key by the KTF1
mechanism;
— t′ salt value, i.e. a (not necessarily secret) value that is used as a MAC key by the OKDF6
mechanism and used as an initialization value by the KPF3 mechanism;
— u auxiliary secret information possessed by the party or parties using the KDF; the
entropy provided by the choice of u may be used to supplement that provided by the choice of
s, in support of the security requirements of the user(s) of the intended application(s) of the
generated key(s).
Outputs:
— b bit string that is either equal to a single secret key or can be partitioned to obtain a number of
secret keys.
The instantiation of a key derivation function specified in this document requires a number of critical
choices, including the selection of a hash-function or MAC algorithm(s), the type and source of various
input parameters, etc. Appropriate choices will provide assurance that the resulting KDF satisfies the
following requirement.
Given no prior knowledge of s, it shall be computationally infeasible to predict the value of an (as-yet-
unseen) output b with a probability of success that is a significant improvement over simply guessing
either the value of b or the value of s. This shall be the case even when given knowledge of a (bounded)
number of KDF outputs which were computed using the same (unknown) s, but with other (possibly
known and adaptively chosen) input parameters that are not identical to those used to generate b.
NOTE 4 Computational feasibility and the significance of the probability of successfully predicting b depend
on the KDF user’s specific security requirements and environment.
5.2 Types of key derivation function
In this document, two types of KDF are specified.
— One-step KDFs (OKDFs) are KDFs which transform input information into one or more keys in a
single operation.
— Two-step KDFs (TKDFs) are KDFs which transform input information into one or more keys in two
operations. A TKDF consists of a combination of two functions: a key extraction function (KTF), and
a key expansion function (KPF). In some cases, the KTF can be the identity function (i.e. a function
whose output is always the same as the input), i.e. the TKDF is simply a KPF, in which case the
secret information input to the TKDF shall take the form of a MAC key suitable for use with the MAC
algorithm on which the KPF is based.
Six OKDFs (OKDF1 to OKDF6) are specified in Clause 6. In Clause 7, one key extraction function (KTF1),
four key expansion functions (KPF1 to KPF4), and four TKDFs (TKDF1 to TKDF4) are specified, where
the TKDFs are defined as specific combinations of a KTF and a KPF.
The KDFs specified in this document are built upon existing cryptographic functions, namely either
hash-functions, as specified in ISO/IEC 10118 (all parts), or message authentication code algorithms, as
specified in ISO/IEC 9797 (all parts).
© ISO/IEC 2016 – All rights reserved 5

5.3 Relationship to key management life cycle
[1]
ISO/IEC 11770-1:2010, Clause 4 specifies a model for key management, including, in 4.3, a model for
the life cycle of a key. Key derivation forms part of the first step in this life cycle, namely the “Generation”
step. Key derivation could also be used in the “Active” state for a key, when an existing active key is used
to generate additional keys.
5.4 Use of a key derivation function
The inputs to and outputs from a KDF are permitted to take a variety of forms.
The secret information s input to a KDF could be an existing secret key, secret information established
between two parties, e.g. using one of the key establishment mechanisms specified in ISO/IEC 11770-
[2] [3]
2 or ISO/IEC 11770-3 , or any other secret data known by the party or parties using the KDF.
A KDF could be invoked once with particular secret information s to generate either a single secret key
or to generate a number of secret keys. Alternatively, it could be invoked multiple times with the same s
and different salt values t to generate a series of secret keys for specific applications. These salt values
could take a range of forms and have varying lengths, even when used with the same secret value s.
Guidance on use is provided in Annex B.
6 One-step key derivation functions
6.1 General
A one-step KDF (an OKDF) is a KDF which is capable of transforming input information into one or more
secret keys in a single phase of operations (in contrast to the separate extraction and expansion phases
that are employed by two-step KDFs). Like all KDFs, an OKDF takes as input secret information together
with other parameters, some or all of which might be public, and gives as output one or more secret keys.
In Clause 6, six OKDFs (OKDF1 to OKDF6) are specified. Five of them (OKDF1 to OKDF5) are based
on the use of a cryptographic hash-function chosen from ISO/IEC 10118 (all parts). The other scheme
(OKDF6) is based on the use of a MAC algorithm selected from ISO/IEC 9797 (all parts). OKDF2 outputs
a single secret key, whereas the other five functions output a bit string which can be partitioned into
multiple secret keys, as required.
A hash-function used by OKDF1 to OKDF5 shall satisfy the following three properties:
— it is computationally infeasible to construct two distinct inputs that map to the same output (collision
resistance);
— for a given output, it is computationally infeasible to find an input that maps to this output (preimage
resistance);
— for a given input, it is computationally infeasible to find a second (distinct) input that maps to the
same output (second preimage resistance).
The hash-function employed in an implementation of OKDF1 to OKDF5 and/or the method(s) used to
encode the data input to that hash-function shall be chosen in a manner that guards against length-
extension attacks. A hash-function h is called “length-extension resistant” if, given the hash value, h(x),
of some unknown input x (and possibly given the length of x as well), it is computationally infeasible
to deduce (with non-negligible probability of success) the value h(x||y) for any non-empty bit string y,
unless x itself can be guessed. Examples of hash-functions that are length-extension resistant include
SHA-384 and SHA-512/256, which output truncated versions of a 512-bit hash value. Length-extension
resistance is not required of h in applications where each bit string used as input to the hash-function
has the same fixed length, or in situations where the input strings correspond to information that has
been encoded in a prefix-free fashion, ensuring that no (non-empty) input string will appear as the
initial segment of another (longer) input string.
6 © ISO/IEC 2016 – All rights reserved

In OKDF6, a MAC function f is used with a MAC key that may be publicly known, but with secret
information included as part of the input message data. The MAC algorithm employed in an
implementation of OKDF6 shall satisfy the following property, in addition to those that are ordinarily
required (cf. 3.7).
Given that the key k input to the MAC function f is a publicly known value, and the input data d includes
secret information s, then, without prior knowledge of s, it shall be computationally infeasible to predict
the (as-yet-unseen) MAC value f (d) with a probability of success that is a significant improvement over
k
simply guessing either f (d) or s. This shall be the case even when given knowledge of a (bounded)
k
number of MAC values f (d ), where each d includes the same (unknown) s and where both k and the
kj j j j
non-secret portions of d are known and (adaptively) chosen, subject to the restriction that (k , d ) is not
j j j
equal to (k, d).
6.2 One-step key derivation function 1 (OKDF1)
6.2.1 General
This key derivation function takes as input secret information s and (optionally) a salt t, which does
not need to be a secret. It gives as output a bit string b which can be partitioned into one or more secret
keys. If the key derivation function is invoked multiple times with the same s to generate a series of
distinct secret keys, then a different value of t shall be used with each invocation.
[3]
NOTE The “IEEE P1363 key derivation function” mechanism described in ISO/IEC 11770-3 is a special
case of the OKDF1 mechanism, where s and t are encoded as octet strings (with t representing the key derivation
parameters) and the output bit string is used as a single secret key.
6.2.2 Requirements for use
Prior to use, the one or more entities which wish to use the function shall meet the following
requirements.
— They shall agree on the use of OKDF1.
— They shall agree on a specific hash-function h, which shall be one of the algorithms specified in
ISO/IEC 10118 (all parts). This hash-function shall give as output a string of bit-length greater than
or equal to the sum of the bit-lengths of the keys to be generated.
— They shall agree on the encoding methods for the strings s and (if used) t prior to concatenation in
step a) of 6.2.3.
— They shall agree on precisely how the output of the KDF shall be partitioned into secret keys.
— If the option to employ a salt is exercised, they shall agree on a specific salt value t, which does not
need to be a secret.
— They shall all possess a bit string s, constituting the secret information.
6.2.3 Operation of function
The function involves the following two steps.
a) Compute b = h(s || [t]).
b) Partition b into one or more secret keys.
© ISO/IEC 2016 – All rights reserved 7

6.3 One-step key derivation function 2 (OKDF2)
6.3.1 General
This key derivation function takes as input secret information s, an algorithm identifier a, (optionally)
a salt t, which does not need to be a secret, and (optionally) auxiliary secret information u. It gives as
output a single secret key k for use with a specific algorithm. If the key derivation function is invoked
multiple times with the same s to generate a series of distinct secret keys, then a different value of a, t,
or u shall be used with each invocation.
NOTE Provided that its output is used as a single secret key, an instance of the “ANSI X9.42 key derivation
[3]
function” mechanism described in ISO/IEC 11770-3 could be viewed as an example of the OKDF2 mechanism,
where the counter c is encoded as a 32-bit octet string, t and u (if used) comprise an appropriate subset of the
(optional) key-specification information denoted by EntityAInfo, EntityBInfo, SuppPrivInfo and SuppPubInfo in
[3]
ISO/IEC 11770-3 , and the quantity denoted a || c || [t] || [u] in the specification of OKDF2 is encoded using an
ASN.1 DER encoding.
6.3.2 Requirements for use
Prior to use, the one or more entities which wish to use the function shall meet the following
requirements.
— They shall agree on the use of OKDF2.
— They shall agree on a specific hash-function h, with output bit-length L , which shall be one of the
h
algorithms specified in ISO/IEC 10118 (all parts).
— They shall agree on the method for binary encoding the counter c, including the number L of bits in
c
the encoding. They shall also agree on the methods for encoding s, a, t (if used) and u (if used) prior
to their concatenation in step d) 1) of 6.3.3.
— They shall agree on the algorithm and bit-length L for the output secret key k, together with an
k
algorithm identifier a for this algorithm.
— If the option to employ a salt is exercised, they shall agree on a specific salt value t, which does not
need to be a secret.
— They shall possess a bit string s, constituting the secret information, together (optionally) with an
auxiliary secret u.
6.3.3 Operation of function
The function involves the following steps.
 
a) Set d = LL/ .
kh
 
L
b) If d ≥ 2 then halt and output “invalid.”
c,
c) Set z = empty bit string.
d) For c = 1 to d:
1) Set z = z || h(s || a || c || [t] || [u]).
e) Set k = the leftmost L bits of z.
k
8 © ISO/IEC 2016 – All rights reserved

6.4 One-step key derivation function 3 (OKDF3)
6.4.1 General
This key derivation function takes as input secret information s, (optionally) a salt t, which does not
need to be secret, and (optionally) auxiliary secret information u. It gives as output a bit string b which
can be partitioned into one or more secret keys. If the key derivation function is invoked multiple times
with the same s to generate a series of distinct secret keys, then a different value of t or u shall be used
with each invocation.
NOTE The “NIST/SP 800-56A concatenation key derivation function” mechanism and “NIST/SP 800-56A
[3]
ASN.1 key derivation function” mechanism described in ISO/IEC 11770-3 , as well as option 1 of the single-
[9]
step KDF mechanism specified in NIST/SP 800-56A (Revision 2):2013, 5.8.1.1 and NIST/SP 800-56B (Revision
[10]
1):2014, 5.5.1.1 are special cases of the OKDF3 mechanism, where the counter c is encoded as a 32-bit, big-
endian bit string, and t is the appropriate encoding of OtherInfo.
6.4.2 Requirements for use
Prior to use, the one or more entities which wish to use the function shall meet the following
requirements.
— They shall agree on the use of OKDF3.
— They shall agree on a specific hash-function h, with output bit-length L , which shall be one of the
h
algorithms specified in ISO/IEC 10118 (all parts).
— They shall agree on the method for binary encoding the counter c, including the number L of bits in
c
the encoding. They shall also agree on the methods for encoding s, t (if used) and u (if used) prior to
their concatenation in step d) 1) of 6.4.3.
— They shall agree on the length L of the required output string and precisely how the output b of the
b
KDF shall be partitioned into secret keys.
— If the option to employ a salt is exercised, they shall agree on a specific salt value t, which does not
need to be a secret.
— They shall possess a bit string s, constituting the secret information, together (optionally) with an
auxiliary secret u.
6.4.3 Operation of function
The function involves the following steps.
 
a) Set d = LL/ .
bh
 
L
b) If d ≥ 2 , then halt and output “invalid.”
c
c) Set z = empty bit string.
d) For c = 1 to d:
1) Set z = z || h(c || s || t || [u]).
e) Set b = the leftmost L bits of z.
b
6.5 One-step key derivation function 4 (OKDF4)
6.5.1 General
This key derivation function takes as input secret information s, a label p, which describes the intended
use of the output, (optionally) a salt t, which does not need to be a secret, and (optionally) auxiliary
© ISO/IEC 2016 – All rights reserved 9

secret information u. It gives as output a bit string b which can be partitioned into one or more secret
keys. If the key derivation function is invoked multiple times with the same s to generate a series of
distinct secret keys, then a different value of p, t, or u shall be used with each invocation.
NOTE Provided that p || [t] || [u] is an appropriate encoding of SharedInfo, the “ANSI X9.63 key derivation
[3]
function” mechanism described in ISO/IEC 11770-3 is a special case of the OKDF4 mechanism, where the
counter c is encoded as a 32-bit, big-endian bit string.
6.5.2 Requirements for use
Prior to use, the one or more entities which wish to use the function shall meet the following
requirements.
— They shall agree on the use of OKDF4.
— They shall agree on a specific hash-function h, with output bit-length L , which shall be one of the
h
algorithms specified in ISO/IEC 10118 (all parts).
— They shall agree on the method for binary encoding the counter c, including the number L of bits in
c
the encoding. They shall also agree on the methods for encoding s, p, t (if used) and u (if used) prior
to concatenation in step d) 1) of 6.5.3.
— They shall agree on the length L of the required output string and precisely how the output b of
b
the KDF shall be partitioned into secret keys. They shall also agree on a label p that specifies this
partitioning and with which algorithm each of the keys shall be used.
— If the option to employ a salt is exercised, they shall agree on a specific salt value t, which does not
need to be a secret.
— They shall possess a bit string s, constituting the secret information, together (optionally) with an
auxiliary secret u.
6.5.3 Operation of function
The function involves the following two steps.
 
a) Set d = LL/ .
 bh
L
b) If d ≥ 2 , then halt and output “invalid.”
c
c) Set z = empty bit string.
d) For c = 1 to d:
1) Set z = z || h(s || c || p || t || [u]).
e) Set b = the leftmost L bits of z.
b
6.6 One-step key derivation function 5 (OKDF5)
6.6.1 General
This key derivation function takes as input secret information s, (optionally) a salt t, which does not
need to be secret, and (optionally) auxiliary secret information u. It gives as output a bit string b which
can be partitioned into one or more secret keys. If the key derivation function is invoked multiple times
10 © ISO/IEC 2016 – All rights reserved

with the same s to generate a series of distinct secret keys, then a different value of t or u shall be used
with each invocation.
[6]
NOTE The “KDF1” mechanism specified in ISO/IEC 18033-2 is a special case of the OKDF5 mechanism,
where the counter c is encoded as a 32-bit octet string, the methods employed for encoding s, t (if used) and u (if
[6]
used) produce an octet string as v, and e = 0. Similarly, the “KD
...