@nodedescription Balloon-BLAKE2b+HKDF KEM
@subsubsection Balloon-BLAKE2b+HKDF KEM
-@code{/kem/*/a} equals to "balloon-blake2b-hkdf".
-Recipient map must also contain additional fields:
-
-@table @code
-@item /kem/*/cost/s: uint64
- Balloon's space cost (buffer size, number of hash-output sized blocks).
-@item /kem/*/cost/t: uint64
- Balloon's time cost (number of rounds).
-@item /kem/*/cost/p: uint64
- Balloon's parallel cost (number of threads).
-@item /kem/*/salt: bytes
- Salt.
-@end table
+@verbatiminclude ../tcl/schemas/kem-balloon-blake2b-hkdf.tcl
@url{https://crypto.stanford.edu/balloon/, Balloon} memory-hardened
password hasher must be used with BLAKE2b hash.
@nodedescription GOST R 34.10+HKDF KEM
@subsubsection GOST R 34.10+HKDF KEM
-@code{/kem/*/a} equals to "gost3410-hkdf".
-Recipient map must also contain additional fields:
-
-@table @code
-@item /to/*/ukm: bytes
- Additional 16-bytes keying material.
-@item /to/*/pub: bytes
- Sender's ephemeral 512-bit public key.
-@end table
+@verbatiminclude ../tcl/schemas/kem-gost3410-hkdf-kexp15.tcl
GOST R 34.10-2012 VKO parameter set A/C ("gost3410-256A", "gost3410-512C")
must be used for DH operation, with UKM taken from the structure. VKO's
@nodedescription Classic McEliece 6960-119+X25519+HKDF-SHAKE256 KEM
@subsubsection Classic McEliece 6960-119+X25519+HKDF-SHAKE256 KEM
+@verbatiminclude ../tcl/schemas/kem-with-encap.tcl
+
@code{/kem/*/a} equals to "mceliece6960119-x25519-hkdf-shake256".
Recipient public key with
@ref{cm-pub-mceliece6960119-x25519, @code{mceliece6960119-x25519}}
algorithm must be used. It should have "kem" key usage set.
-Recipient map must also contain additional field:
-@code{/kem/*/encap: bytes} -- concatenation of 194 bytes of
-Classic McEliece 6960-119 ciphertext with 32 bytes of ephemeral
-X25519 public key.
+Recipient's map @code{/kem/*/encap} field is a concatenation of
+194 bytes of Classic McEliece 6960-119 ciphertext with 32 bytes of
+ephemeral X25519 public key.
Recipient performs X25519 and Classic McEliece computations to
derive/decapsulate two 32-byte shared keys. Then it combines
@nodedescription SNTRUP4591761+X25519+HKDF-BLAKE2b KEM
@subsubsection SNTRUP4591761+X25519+HKDF-BLAKE2b KEM
+@verbatiminclude ../tcl/schemas/kem-with-encap.tcl
+
@code{/kem/*/a} equals to "sntrup4591761-x25519-hkdf-blake2b".
Recipient public key with @ref{cm-pub-sntrup4591761-x25519,
@code{sntrup4591761-x25519}} algorithm must be used. It should have
"kem" key usage set.
-Recipient map must also contain additional field: @code{/kem/*/encap:
-bytes} -- concatenation of 1047 bytes of Streamlined NTRU Prime
-4591^761's ciphertext with 32 bytes of ephemeral X25519 public key.
+Recipient's map @code{/kem/*/encap} field is a concatenation of 1047
+bytes of Streamlined NTRU Prime 4591^761's ciphertext with 32 bytes of
+ephemeral X25519 public key.
Recipient performs X25519 and SNTRUP computations to derive/decapsulate
two 32-byte shared keys. Then it combines them to get the KEK decryption
{field cek {bin} >0}
}
-balloon-cost {
- {field s {int} >0} {# space cost}
- {field t {int} >0} {# time cost}
- {field p {int} >0} {# parallel cost}
-}
-
-kem-balloon-blake2b-hkdf {
- {field a {str} =balloon-blake2b-hkdf}
- {field cek {bin} >0}
- {field salt {bin} >0}
- {field cost {with balloon-cost}}
-}
-
-kem-gost3410-hkdf-kexp15 {
- {field a {str} =gost3410-hkdf-kexp15}
- {field cek {bin} >0}
- {field ukm {bin} >0}
- {field pub {bin} >0}
- {field to {with fpr} optional} {# recipient's public key}
-}
-
-kem-with-encap {
- {# sntrup4591761-x25519-hkdf-blake2b}
- {# mceliece6960119-x25519-hkdf-shake256}
- {field a {str} >0}
- {field cek {bin} >0}
- {field encap {bin} >0}
- {field to {with fpr} optional} {# recipient's public key}
-}
-
schema-include fpr.tcl
+schema-include kem-with-encap.tcl
+schema-include kem-gost3410-hkdf-kexp15.tcl
+schema-include kem-balloon-blake2b-hkdf.tcl
--- /dev/null
+balloon-cost {
+ {field s {int} >0} {# space cost}
+ {field t {int} >0} {# time cost}
+ {field p {int} >0} {# parallel cost}
+}
+
+kem-balloon-blake2b-hkdf {
+ {field a {str} =balloon-blake2b-hkdf}
+ {field cek {bin} >0} {# wrapped CEK}
+ {field salt {bin} >0}
+ {field cost {with balloon-cost}}
+}
--- /dev/null
+kem-gost3410-hkdf-kexp15 {
+ {field a {str} =gost3410-hkdf-kexp15}
+ {field cek {bin} >0} {# wrapped CEK}
+ {field ukm {bin} len=16} {# additional keying material}
+ {field pub {bin} >0} {# sender's ephemeral public key}
+ {field to {with fpr} optional} {# recipient's public key}
+}
--- /dev/null
+kem-with-encap {
+ {# sntrup4591761-x25519-hkdf-blake2b}
+ {# mceliece6960119-x25519-hkdf-shake256}
+ {field a {str} >0}
+ {field cek {bin} >0} {# wrapped CEK}
+ {field encap {bin} >0}
+ {field to {with fpr} optional} {# recipient's public key}
+}