Hierarchical Key Distribution System (HKDS)

Executive Summary

Deterministic transaction-key infrastructure built to replace DUKPT-AES at payment-network scale

HKDS is a symmetric key establishment and transaction-key distribution system for centrally processed terminal networks. It was designed specifically as a higher-security, higher-performance successor to DUKPT-AES, replacing one-way derivation chains with a two-root server hierarchy, device-unique embedded keys, and authenticated encrypted epoch tokens that seed one-time transaction-key caches.

In the QRCS stack, HKDS occupies the role of a deterministic key lifecycle and remote terminal protection layer. Its replacement value is defined against legacy payment-key infrastructure: the protocol replaces growing server reconstruction cost with bounded constant work, replaces static embedded-chain behavior with server-assisted token refresh, and adds formally modeled confidentiality, token authenticity, forward secrecy under erasure, and post-compromise recovery properties.

High relative value Role: Symmetric key establishment and transaction-key distribution Primary buyers: Payment processors, POS vendors, banking infrastructure, regulated embedded fleets

Protocol At A Glance

Trust model MDK = BDK ∥ STK ∥ KID

The server holds two independent root secrets: the Base Derivation Key used for device provisioning and the Secret Token Key used to derive per-epoch tokens.

Client model EDK + KSN + token cache

Each terminal stores a device-unique embedded key and uses the transmitted key serial number to request authenticated encrypted tokens and consume one-time transaction keys.

Refresh model 42 / 34 / 18 keys per token

With the default cache multiplier, HKDS derives 42 transaction keys at 128-bit strength, 34 at 256-bit strength, and 18 at 512-bit strength before token refresh.

Server cost ≤ 4 Keccak permutations

Server-side reconstruction remains bounded by the cache multiplier rather than growing with the transaction counter, which is central to the DUKPT replacement case.

Executive Summary

The strategic and acquisition-oriented summary of HKDS, protocol valuation, positioned within the broader QRCS key management and transaction-security stack.

Open Executive Summary

Formal Analysis

Game-based security treatment covering confidentiality, message authenticity, token authenticity, forward secrecy, and post-compromise security through fresh token exchange.

Open Formal Analysis

Technical Specification

Engineering-level description of device identities, master derivation keys, packet formats, token processing, cache generation, performance benchmarks, and deployment guidance.

Open Technical Specification

Strategic Positioning

HKDS is a replacement-class payment-key system, not a variant beside DUKPT

The protocol was designed in direct response to three persistent weaknesses in legacy transaction-key infrastructure: one-way key chains with limited recovery properties, server-side reconstruction cost that grows with transaction history, and limited security scaling in environments that now process remote transactions at very large volume.

Why the model is materially different

HKDS separates device provisioning from ongoing token refresh. Instead of deriving every future key from a single embedded chain, it binds a long-lived device-unique EDK to a server-generated epoch token and derives a fresh one-time cache from their combination. The result is a model better suited to modern regulated payment networks than classical DUKPT-style derivation.

Dimension	Legacy DUKPT	HKDS
Core structure	One-way embedded derivation chain	Two-root hierarchy with server-issued epoch tokens
Server work	Grows with transaction path	Bounded by cache multiplier
Refresh model	Finite key path	Practically unbounded with token renewal
Security scaling	Legacy AES profile assumptions	128 / 256 / 512-bit Keccak-based profiles
Formal posture	Operational legacy system	Provable security model with token and message games

High-level technical rationale

The core design objective is that remote terminals should not need to store enough information to regenerate past keys, nor enough state to predict future caches without renewed server entropy. The protocol therefore combines two independent roots, explicit customization strings, authenticated token exchange, and deterministic server reconstruction under a compact state model.

The embedded device key can remain fixed for the lifetime of the terminal.
Fresh token entropy is injected from the server side without rewriting terminal hardware state.
The server reconstructs only the required cache window rather than traversing an expanding derivation path.

From an acquisition standpoint, HKDS is best understood as a replacement-class symmetric transaction-key infrastructure for payment networks, ATMs, point-of-sale systems, and other centrally processed embedded terminal environments. This positioning is defined by its ability to preserve the operational advantages of symmetric key hierarchies while eliminating the structural weaknesses of legacy schemes such as static key derivation paths, predictable key lifecycles, and limited forward security. HKDS introduces a hierarchically derived, transaction-scoped key evolution model that supports high-throughput environments without requiring per-transaction asymmetric operations, enabling it to scale across large terminal fleets while maintaining strict key isolation and cryptographic freshness.

System Architecture

Provisioning, token derivation, and deterministic reconstruction define the operating model

The specification organizes HKDS around a centralized processing server, device-unique client state, and a compact packet protocol. These roles are deliberately asymmetric: the server owns the master derivation structure, while the terminal owns only the material needed to authenticate, decrypt, and consume one-time keys.

MDK

The Master Derivation Key contains the Base Derivation Key, the Secret Token Key, and the key identifier. It is the server-side trust root for both provisioning and epoch-token generation.

Role	Server master state
Members	BDK, STK, KID

EDK

The Embedded Device Key is computed as SHAKE(DID ∥ BDK), stored on the terminal, and used both to decrypt epoch tokens and to authenticate token packets under KMAC.

Role	Long-lived client secret
Derived	DID and BDK

TOK / ETOK

The epoch token is derived from CTOK and STK, encrypted under a SHAKE-derived pad bound to CTOK and EDK, then authenticated under KMAC keyed with the EDK.

Role	Refreshes effective working entropy
Wire	ETOK ∥ token MAC tag

TKC

The transaction key cache is generated as SHAKE(TOK ∥ EDK) and partitioned into one-time blocks. In authenticated mode, each protected message consumes two consecutive entries.

Role	Ephemeral one-time key window
Use	Encryption key, then MAC key

Cryptographic Mechanism

Token-authenticated cache generation and encrypt-then-authenticate message protection

HKDS is not a negotiated channel protocol. It is a deterministic server-reconstructable transaction-key system with a compact request/response lifecycle centered on KSN, CTOK, EDK, TOK, and TKC.

Lifecycle abstraction

Operational flow
Provisioning: EDK = SHAKE(DID ∥ BDK)
Token epoch: TOK = SHAKE(CTOK ∥ STK)
Token pad: Kpad = SHAKE(CTOK ∥ EDK)
Transport form: ETOK = TOK ⊕ Kpad, TAGt = KMAC_EDK(ETOK; TMS)
Cache seed: TKC = SHAKE(TOK ∥ EDK)
Message mode: C = M ⊕ Kenc, TAG = KMAC_Kmac(C; A)

The client verifies the token MAC before decryption, erases intermediate token material after use, then consumes the cache sequentially so that each transaction key is used exactly once. This consumption model enforces a strict forward-only key progression, where previously used keys cannot be reconstructed and future keys remain cryptographically independent of prior disclosures. In operational terms, this ensures that compromise of a device or memory snapshot yields only the remaining unused portion of the cache, while all prior transaction keys are irrecoverably destroyed, aligning the system with modern expectations of forward secrecy within high-volume symmetric transaction environments.

Primitive and state inventory

Element	Role	Function
KSN	Public identifier	Combines device identity and transaction counter for deterministic server reconstruction.
CTOK	Customization string	Binds token derivation to the token request counter, implementation name, and device identity.
TMS	Customization string	Binds token authentication to the transmitted KSN and the KMAC algorithm identity.
SHAKE	PRF / XOF	Derives EDK, TOK, Kpad, and the transaction-key cache.
KMAC	Authenticator	Authenticates ETOK and protected ciphertexts under independent derived keys.

Operational Profile

Compact packet structures, bounded reconstruction work, and a cache multiplier that controls refresh economics

The engineering specification couples a minimal packet protocol with a controlled refresh model. Token requests are small, token responses are compact, and server work is deliberately bounded by the same multiplier that determines cache size.

Packet and parameter profile

Item	Value	Purpose
Token request packet	20 bytes	Client sends flag, protocol ID, sequence, size, and 16-byte KSN.
Token response packet	36 / 52 / 84 bytes	Server returns encrypted token plus MAC for 128 / 256 / 512-bit profiles.
Client message packet	36 / 52 bytes	Contains KSN, 16-byte ciphertext block, and optional 16-byte authentication tag.
Message block	16 bytes	Fixed protected payload size in the reference authenticated mode.
Cache multiplier	2, 4, 6, …, 16	Controls refresh interval and the upper bound on server-side reconstruction effort.

Performance and replacement economics

The benchmark case in the specification is explicitly framed against DUKPT-AES and DUKPT-AESNI, because that is the infrastructure HKDS is intended to replace. The important claim is not only raw speed, but bounded server-side cost as counters advance.

Task	HKDS-128	HKDS-256	DUKPT-128
Decrypt	1761 ns	1675 ns	12013 ns
Encrypt	101 ns	102 ns	4226 ns
Enc + Auth	1461 ns	1479 ns	13276 ns
Dec + Verify	3545 ns	3548 ns	27733 ns

The optimized DUKPT-AESNI comparison remains materially in HKDS’s favor, and the specification argues that embedded Keccak instructions would likely improve HKDS further. This is why the protocol is presented as an infrastructure-cost reduction mechanism as well as a security upgrade.

Security Model

Formal treatment covers confidentiality, authenticity, forward secrecy under erasure, and post-compromise recovery

The formal paper models HKDS with token-generation, encryption, corruption, and challenge oracles. The resulting claims are expressed as explicit experiments and reductions rather than as informal implementation commentary.

Security properties proved or reduced in the formal model

IND-CPA confidentiality for encrypted messages under the SHAKE-derived one-time transaction keys.
UF-CMA message authenticity for protected ciphertexts using KMAC keyed by a distinct cache entry.
Token authenticity reducing to the PRF security of KMAC under the embedded device key.
Forward secrecy under erasure when consumed keys and intermediate token material are properly erased.
Post-compromise security through fresh server-issued token exchange after recovery from client compromise.

Comparative security and hardening view

The specification’s own cryptanalysis summary complements the formal model by contrasting HKDS directly with legacy DUKPT-AES. In that comparison, HKDS-128 and HKDS-256 are marked as providing both forward security and predictive resistance, while DUKPT-AES is marked as lacking both.

Scheme	HKDS-128 / HKDS-256 / DUKPT-AES
FS / PR	HKDS: yes / yes; DUKPT-AES: no / no
Server work	HKDS: ≤ 4 P(Keccak); DUKPT-AES: ≤ 18 AES
Hardening notes	Frequent STK rotation, longer tags for higher profiles, full-round Keccak in high-assurance deployments

Operational profile

Payment-network scale depends on deterministic reconstruction rather than key logistics

HKDS is designed for environments in which very large numbers of terminals must communicate securely with a centralized transaction-processing authority under tight cost and latency constraints. The protocol assumes that terminal devices may be resource-constrained, physically exposed, and expensive to re-provision in the field. It therefore keeps long-lived client state small, moves refresh authority to the server side, and structures every working key as the output of deterministic derivation rather than warehouse-style key distribution. Each token refresh creates a new cache epoch, and each message uses a narrowly scoped one-time key pair within that epoch. Server reconstruction remains bounded even as transaction history grows, which is the central operational distinction from DUKPT-style systems.

This operating model aligns particularly well with point-of-sale fleets, ATMs, payment gateways, and other regulated embedded infrastructures where cryptographic assurance, auditability, and cost per transaction all matter simultaneously. Because the system uses SHAKE and KMAC throughout, it also gives operators a consistent primitive base across derivation and authentication rather than mixing legacy mechanisms with newer deployment requirements.

Deployment fit

HKDS is particularly well aligned with centrally processed transaction networks and large embedded device fleets where deterministic server reconstruction, bounded operating cost, and device-unique symmetric protection are more important than general-purpose session negotiation.

Role in stack	Foundational key-establishment and transaction-key substrate
Primary buyers	Financial processors, payment-terminal vendors, banking infrastructure providers, regulated embedded-system operators
Replacement case	DUKPT-AES and related legacy remote terminal key-management systems