A Forward-Secure Symmetric-Key Derivation Protocol

How to Improve Classical DUKPT
  • Eric Brier
  • Thomas Peyrin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6477)


In this article, we study an interesting and very practical key management problem. A server shares a symmetric key with a client, whose memory is limited to R key registers. The client would like to send private messages using each time a new key derived from the original shared secret and identified with a public string sent together with the message. The server can only process N computations in order to retrieve the derived key corresponding to a given message. Finally, the algorithm must be forward-secure on the client side: even if the entire memory of the client has leaked, it should be impossible for an attacker to retrieve previously used communication keys. Given N and R, the total amount T of keys the system can handle should be as big as possible.

In practice such a forward-secure symmetric-key derivation protocol is very relevant, in particular in the payment industry where the clients are memory-constraint paying terminals and where distributing symmetric keys on field is a costly process. At the present time, one standard is widely deployed: the Derive Unique Key Per Transaction (DUKPT) scheme defined in ANSI X9.24. However, this algorithm is complicated to apprehend, not scalable and offers poor performances.

We provide here a new construction, Optimal-DUKPT (or O-DUKPT), that is not only simpler and more scalable, but also more efficient both in terms of client memory requirements and server computations when the total number of keys T is fixed. Finally, we also prove that our algorithm is optimal in regards to the client memory R / server computations N / number of keys T the system can handle.


key management key derivation DUKPT forward-security 


  1. 1.
    Bellare, M.: New Proofs for NMAC and HMAC: Security Without Collision-Resistance. Cryptology ePrint Archive, Report 2006/043 (2006), http://eprint.iacr.org/
  2. 2.
    Bellare, M., Kilian, J., Rogaway, P.: The Security of Cipher Block Chaining. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 341–355. Springer, Heidelberg (1994)Google Scholar
  3. 3.
    Canetti, R., Halevi, S., Katz, J.: A Forward-Secure Public-Key Encryption Scheme. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 255–271. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  4. 4.
    Brier, E., Peyrin, T., Stern, J.: BPS: a Format Preserving Encryption Proposal. NIST submission (April 2010), http://csrc.nist.gov/groups/ST/toolkit/BCM/modes_development.html
  5. 5.
    American National Standards Institute. ISO 9564-1:2002 Banking – Personal Identification Number (PIN) management and security – Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems (2002)Google Scholar
  6. 6.
    American National Standards Institute. ANSI X9.8-1:2003 Banking - Personal Identification Number Management and Security - Part 1: PIN protection principles and techniques for online PIN verification in ATM and POS systems (2003)Google Scholar
  7. 7.
    American National Standards Institute. ANSI X9.24-1:2009 Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques (2009)Google Scholar
  8. 8.
    Kocher, P.C.: Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
  9. 9.
    Kocher, P.C., Jaffe, J., Jun, B.: Differential Power Analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)Google Scholar
  10. 10.
    Bellare, M., Rogaway, P., Spies, T.: Format-preserving Feistel-based Encryption Mode. NIST submission (April 2010), http://csrc.nist.gov/groups/ST/toolkit/BCM/modes_development.html
  11. 11.
    NIST. FIPS 198 – The Keyed-Hash Message Authentication Code, HMAC (2002)Google Scholar
  12. 12.
    National Institute of Standards and Technology. SP800-67: Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher (May 2004), http://csrc.nist.gov
  13. 13.
    Quisquater, J.-J., Samyde, D.: ElectroMagnetic Analysis (EMA): Measures and Counter-Measures for Smart Cards. In: E-smart, pp. 200–210 (2001)Google Scholar

Copyright information

© International Association for Cryptologic Research 2010

Authors and Affiliations

  • Eric Brier
    • 1
  • Thomas Peyrin
    • 1
  1. 1.IngenicoFrance

Personalised recommendations