HKDF-Extract's input should not be HKDF-Extract's output
authorSergey Matveev <stargrave@stargrave.org>
Thu, 18 Sep 2025 07:46:34 +0000 (10:46 +0300)
committerSergey Matveev <stargrave@stargrave.org>
Sun, 21 Sep 2025 08:09:31 +0000 (11:09 +0300)
go/cm/enc/chapoly/dem.go
spec/cm/dem/kuznechik-ctr-hmac-kr
spec/cm/dem/xchacha-krmr
spec/cm/dem/xchapoly-krkc
spec/cm/kem/gost3410-hkdf
spec/cm/kem/mceliece6960119-x25519-hkdf-shake256
spec/cm/kem/sntrup761-x25519-hkdf-blake2b

index 364762b1ee41069b15f1571ca53c1bd69b7c58172171b7f04eebc1aaf523a842..568895e49401f09ab253c9e2a608ce2826a175d87626db35ae09c6849fb7e554 100644 (file)
@@ -92,6 +92,11 @@ func do(
                        if errHKDF != nil {
                                panic(errHKDF)
                        }
+                       ck, errHKDF = hkdf.Expand(
+                               blake2bHash, ck, "cm/encrypted/xchapoly-krkc/kr", CEKLen)
+                       if errHKDF != nil {
+                               panic(errHKDF)
+                       }
                }
        }()
        blobChunkLen := ChunkLen + chacha20poly1305.Overhead + CommitmentLen
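Review bot: The added ratchet step derives the new `ck` with an explicit `CEKLen`, while the spec line it implements (`CKi = HKDF-Expand(H, prk=HKDF-Extract(H, salt="", ikm=CK{i-1}), info="cm/encrypted/xchapoly-krkc/kr")` in spec/cm/dem/xchapoly-krkc) gives no `len`, so the chain-key length convention currently lives only in the code; a comment such as `// CK_i: the spec states no len for the /kr expand, CEKLen is the implied chain-key size` on the `hkdf.Expand` call would pin that correspondence. The value `ck` held before the assignment is dropped rather than cleared, so the superseded key material stays in memory after reassignment; if the rest of `do` does not wipe key buffers elsewhere (not visible from this hunk), clearing the old slice before reassignment would limit that exposure. This commit also changes the kuznechik-ctr-hmac-kr and xchacha-krmr DEM specs and the three KEM specs, but only chapoly/dem.go is updated, so any Go implementations of those schemes in this repository will derive keys that no longer match their specs until they receive the same Expand step. Both `do` and the closure this hunk sits in start outside the hunk.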
index 756b0af792ea0bce3f5fc254ed5951e488048cb449ea754b2b4d7554455f5f6a..97e57e247a6438aee973ffd6d717023ee72b70df689ede55c103cb815291edb6 100644 (file)
@@ -5,9 +5,13 @@ Data is split on 128 KiB chunks, each of which is encrypted the following way:
 
     H = Streebog-512
     CK0 = CEK
-    CKi = HKDF-Extract(H, salt="", ikm=CK{i-1})
-    Kenc = HKDF-Expand(H, prk=CKi, info="cm/encrypted/kuznechik-ctr-hmac-kr/enc")
-    IV = HKDF-Expand(H, prk=CKi, len=8, info="cm/encrypted/kuznechik-ctr-hmac-kr/iv")
+    CKi = HKDF-Expand(H,
+        prk=HKDF-Extract(H, salt="", ikm=CK{i-1}),
+        info="cm/encrypted/kuznechik-ctr-hmac-kr/kr")
+    Kenc = HKDF-Expand(H, prk=CKi,
+        info="cm/encrypted/kuznechik-ctr-hmac-kr/enc")
+    IV = HKDF-Expand(H, len=8, prk=CKi,
+        info="cm/encrypted/kuznechik-ctr-hmac-kr/iv")
     Kauth || KauthTail = HKDF-Expand(H, prk=CKi,
         info="cm/encrypted/kuznechik-ctr-hmac-kr/auth")
     CIPHERTEXT = Kuznechik-CTR(key=Kenc, ctr=IV, data=chunk)
index 09d602f575771005f8455d5eade36bfc82419511f9235863349210f1d1818585..24ac07243a303477db1f526e2b234ee7fce8212e29ea8da3a1c7e1d11332af47 100644 (file)
@@ -6,8 +6,12 @@ Data is split on 128 KiB chunks, each of which is encrypted the following way:
 
     H = BLAKE2b
     CK0, prMACx0 = CEK || prMACx
-    CKi = HKDF-Extract(H, salt="", ikm=CK{i-1})
-    prMACxi = HKDF-Extract(H, salt="", ikm=prMACx{i-1})
+    CKi = HKDF-Expand(H,
+        prk=HKDF-Extract(H, salt="", ikm=CK{i-1}),
+        info="cm/encrypted/xchacha-krmr/kr")
+    prMACxi = HKDF-Expand(H,
+        prk=HKDF-Extract(H, salt="", ikm=prMACx{i-1}),
+        info="cm/encrypted/xchacha-krmr/mr")
     KEY = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchacha-krmr/key")
     IV = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchacha-krmr/iv", len=24)
     if {last chunk} then { IV[23] |= 0x01 } else { IV[23] &= 0xFE }
index bb2b14e7d048dc5b1afca3862b44e7bf0026ea34d4577f4bbef5401b71caf845..822473725f8e427d69840e8ce20be27af233de1e9723fef41166cd7494385d44 100644 (file)
@@ -5,7 +5,9 @@ Data is split on 128 KiB chunks, each of which is encrypted the following way:
 
     H = BLAKE2b
     CK0 = CEK
-    CKi = HKDF-Extract(H, salt="", ikm=CK{i-1})
+    CKi = HKDF-Expand(H,
+        prk=HKDF-Extract(H, salt="", ikm=CK{i-1}),
+        info="cm/encrypted/xchapoly-krkc/kr")
     KEY = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krkc/key")
     IV = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krkc/iv", len=24)
     if {last chunk} then { IV[23] |= 0x01 } else { IV[23] &= 0xFE }
index f376790155e36fbf113862a257030c24b01833f1b0cf90e15c7269c944caf5c2..74f2aeaf9d16b33b3da0b746697d6724dfc93fbff83caae32e503b47f89fed44 100644 (file)
@@ -16,6 +16,7 @@ output is 512- or 1024-bit "BE(X)||BE(Y)" point, used in HKDF below:
     DH(sk, pk) = GOSTR3410-VKO(prv=sk, pub=pk, ukm=UKM)
     PRK = HKDF-Extract(H, salt="", ikm=DH(e, s))
     if {specified sender}
+        PRK = HKDF-Expand(H, prk=PRK, info="cm/encrypted/gost3410-hkdf/auth")
         PRK = HKDF-Extract(H, salt=PRK, ikm=DH(s, s))
     KEK = HKDF-Expand(H, prk=PRK, info="cm/encrypted/gost3410-hkdf" || /id)
 
index 01342bd91cf63b4e3467142ac6f7900dcbb055e7449e07b7110831ffbfd87ba0..9436d2f9257fdb2fb27218143226bbb739d5cca22255a0794f4abe499e301095 100644 (file)
@@ -44,6 +44,8 @@ X25519 public key, computes shared secrets, combines them and derives KEK.
     if {specified sender}
         ss-x25519-shared-key = X25519(s-x25519-sender-private-key,
                                       s-x25519-recipient-public-key)
+        PRK = HKDF-Expand(H, prk=PRK,
+            info="cm/encrypted/mceliece6960119-x25519-hkdf-shake256/auth")
         PRK = HKDF-Extract(H, salt=PRK, ikm=
             ss-x25519-shared-key || s-x25519-sender-public-key)
     KEK = HKDF-Expand(H, prk=PRK,
index 608122a7efbb7ec3b7b6208803267d184f4b6227718a308564ca5b703ca549ea..f9fc4c9880a329a3c10807a0004f0782240d690ee9769a82145b2b80d4fef4ff 100644 (file)
@@ -30,6 +30,8 @@ key of the CEK.
         H(sntrup761-sender-ciphertext || e-x25519-sender-public-key) ||
         H(sntrup761-recipient-public-key || s-x25519-recipient-public-key))
     if {specified sender}
+        PRK = HKDF-Expand(H, prk=PRK,
+            info="cm/encrypted/sntrup761-x25519-hkdf-blake2b/auth")
         PRK = HKDF-Extract(H, salt=PRK, ikm=
             ss-x25519-shared-key ||
             s-x25519-sender-public-key ||