Lessons Learned from Analyzing Real-World MKDFs

Presentation at Real World Crypto 2025

02.04.2025

At Real World Crypto 2025, held from March 26 to 28 in Sofia, Bulgaria, doctoral students Sebastian Clermont (TU Darmstadt) and Matteo Scarlata (ETH Zurich) presented new insights into the security of multi-input key derivation functions (KDFs), a critical cryptographic building block. The talk, titled “D(e)rive with Care: Lessons Learned from Analyzing Real-World Multi-Input Key Derivation Functions,” was given during Session 4 (“Protocol Enhancements”) on Friday, March 28.

Sebastian Clermont presenting at Real World Crypto 2025 in Sofia.

Key derivation functions (KDFs) are algorithms used in cryptography to turn secret values, such as passwords, into strong, usable keys. KDFs that combine multiple secrets are called multi-input KDFs. Modern cryptographic systems increasingly require combining multiple secret inputs to obtain strong cryptographic keys. This is especially relevant in hybrid key exchange settings, where post-quantum and classical key materials are used in parallel, or in messaging applications.

The researchers systematically analyzed real-world proposals for such multi-input KDFs, including those used in:

  • Signal’s X3DH protocol, used for secure messaging,
  • the ETSI TS 103-744, a European standard for hybrid key exchange (recommended by Germany’s BSI),
  • the Messaging Layer Security (MLS) protocol, which is used for encrypted group messaging.

Their results show that even widely adopted standards can contain critical misuses, for example the flawed handling of the HKDF salt input in the ETSI standard, leading to potentially insecure behavior. The team revisited foundational syntax and security models to propose improvements, advocating for removing salt inputs when, in practice, they are neither available nor correctly used. They also examined novel threshold KDFs, such as those introduced in the MFKDF design (Nair and Song, USENIX 2023), and highlighted serious vulnerabilities in naive implementations. Their findings lay the groundwork for safer future key derivation designs.

The presentation is a joint effort by Matilda Backendal (ETH Zurich), Sebastian Clermont (TU Darmstadt), Marc Fischlin (TU Darmstadt), Felix Günther (IBM Research Zurich), Miro Haller (UC San Diego), and Matteo Scarlata (ETH Zurich). Real World Crypto (RWC) is a major symposium in applied cryptography, bringing together experts from academia and industry to discuss real-world applications of cryptographic systems.