Implementation of HKDF (HMAC-based Key Derivation Function) using SHA-256 in Circom 2.1.8. The circuit follows RFC 5869's extract-then-expand paradigm.
Main template that combines Extract and Expand operations.
template HKDFSha256(s, i, k, m, n)
Parameters:
- s: Salt length
- i: Info length
- k: Input key length
- m: Number of output keys
- n: Output key length
Signals:
- Input: salt[s], info[i], key[k]
- Output: out[m][n]
Implements HKDF-Extract using HMAC-SHA256.
template Extract(s, k)
Parameters:
- s: Salt length
- k: Key length
Signals:
- Input: salt[s], key[k]
- Output: out[32] (fixed 32-byte SHA-256 output)
Implements HKDF-Expand using HMAC-SHA256.
template Expand(i, k, m, n)
Parameters:
- i: Info length
- k: Key length (PRK)
- m: Number of output keys
- n: Length per output key
Signals:
- Input: info[i], key[k]
- Output: out[m][n]
Extract:
- Uses HmacSha256 component
- Sets input key material as message
- Uses salt as HMAC key
- Produces 32-byte PRK (Pseudorandom Key)
Expand:
- Calculates required rounds: rounds = ceil((m*n)/32)
- First round:
  - Message = info || 0x01
  - Key = PRK
- Subsequent rounds:
  - Message = prev_hash || info || counter
  - Key = PRK
  - Counter increments each round
- Output mapping:
  - Maps expanded keys to output array
  - Uses byte-wise indexing for proper output arrangement
Input Key Material → Extract → PRK → Expand → Output Key Material
                        ↑       ↑      ↑              ↑
                       Salt    HMAC   Info       HMAC[rounds]
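A byte-level reference model of the Extract and Expand steps above, for producing expected outputs to compare against the circuit's out[m][n]. This is an added example, not part of the project's code: the function names are hypothetical, and it assumes out[j] is the j-th consecutive n-byte slice of the expanded stream.

```python
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 digest size in bytes


def extract(salt, key):
    """HKDF-Extract: PRK = HMAC-SHA256(key=salt, message=input key material)."""
    # RFC 5869: a missing salt is treated as HASH_LEN zero bytes.
    return hmac.new(salt or bytes(HASH_LEN), key, hashlib.sha256).digest()


def expand(info, prk, m, n):
    """HKDF-Expand: derive m keys of n bytes each from a 32-byte PRK."""
    if m < 1 or n < 1:
        raise ValueError("m and n must be positive")
    rounds = (m * n + HASH_LEN - 1) // HASH_LEN  # ceil((m*n)/32)
    # The round counter is a single byte, so RFC 5869 caps the total
    # output at 255 * 32 = 8160 bytes.
    if rounds > 255:
        raise ValueError("m*n exceeds the RFC 5869 limit of 255*32 bytes")
    stream, prev = b"", b""
    for counter in range(1, rounds + 1):
        # Round 1: info || 0x01. Later rounds: prev_hash || info || counter.
        msg = prev + info + bytes([counter])
        prev = hmac.new(prk, msg, hashlib.sha256).digest()
        stream += prev
    # Assumed output mapping: key j is bytes [j*n, (j+1)*n) of the stream;
    # any bytes left over from the final round are discarded.
    return [stream[j * n:(j + 1) * n] for j in range(m)]


def hkdf_sha256(salt, info, key, m, n):
    """Mirror of HKDFSha256(s, i, k, m, n); s, i, k are the input lengths."""
    return expand(info, extract(salt, key), m, n)


if __name__ == "__main__":
    # Inputs from RFC 5869 test case 1 (s=13, i=10, k=22), split as m=2, n=21.
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    ikm = bytes.fromhex("0b" * 22)
    for j, out_key in enumerate(hkdf_sha256(salt, info, ikm, 2, 21)):
        print(f"out[{j}] = {out_key.hex()}")
```
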
- HMAC circuit (./hmac/circuits/hmac.circom)
- Circom 2.1.8 or higher