Cypherpunks repositories - keks.git/commitdiff
No need to keep TAG
author Sergey Matveev <stargrave@stargrave.org>
Sun, 21 Sep 2025 16:34:24 +0000 (19:34 +0300)
committer Sergey Matveev <stargrave@stargrave.org>
Sun, 21 Sep 2025 16:34:24 +0000 (19:34 +0300)
spec/cm/dem/xchapoly-krkc

index 822473725f8e427d69840e8ce20be27af233de1e9723fef41166cd7494385d44..7c0a58e51f1a6cfa799ed97905aea43ce6ec4741d69141777a9e222833320d44 100644 (file)
@@ -10,10 +10,12 @@ Data is split on 128 KiB chunks, each of which is encrypted the following way:
         info="cm/encrypted/xchapoly-krkc/kr")
     KEY = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krkc/key")
     IV = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krkc/iv", len=24)
+    MAC = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krkc/mac")
     if {last chunk} then { IV[23] |= 0x01 } else { IV[23] &= 0xFE }
-    CIPHERTEXT || TAG = XChaCha20-Poly1305(key=KEY, ad="", nonce=IV, data=chunk)
-    COMMITMENT = BLAKE2b-256(KEY || IV || TAG)
-    CIPHERTEXT || TAG || COMMITMENT
+    CIPHERTEXT = XChaCha20(key=KEY, nonce=IV, data=chunk)
+    TAG = Poly1305(key=MAC, data=CIPHERTEXT)
+    COMMITMENT = BLAKE2b-256(KEY || IV || MAC || TAG)
+    CIPHERTEXT || COMMITMENT
 
 Chaining key (CK) advances with every chunk. 256-bit encryption key and
 randomised 192-bit nonce (initialisation vector) are derived from it.
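Review bot: the prose directly below the hunk ("256-bit encryption key and randomised 192-bit nonce (initialisation vector) are derived from it") is now incomplete, since the hunk introduces a third value derived from CKi, the Poly1305 key `MAC = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krkc/mac")`; please extend that sentence to list the MAC key as well, and consider stating its length explicitly (the IV line gives `len=24`, the KEY and MAC lines give no length, and Poly1305 requires a 32-byte one-time key). Two points worth spelling out in the same paragraph: Poly1305 is a one-time MAC, so the scheme's integrity now depends on CKi (and hence MAC) never repeating across chunks, which the chaining-key advance provides but which the text should state as a requirement; and since TAG is no longer emitted (`CIPHERTEXT || COMMITMENT` replaces `CIPHERTEXT || TAG || COMMITMENT`), the receiver authenticates a chunk only by recomputing TAG over CIPHERTEXT and checking `BLAKE2b-256(KEY || IV || MAC || TAG)` against COMMITMENT, so the comparison of COMMITMENT must be constant-time and must happen before any plaintext is released, which the spec should say explicitly now that there is no separate AEAD tag check.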