keySNTRUP[:], keyX25519,
}, []byte{})
var prk []byte
- prk, err = hkdf.Extract(blake2bHash, ikm, encrypted.Salt[:])
+ prk, err = hkdf.Extract(blake2bHash, ikm, nil)
if err != nil {
log.Fatal(err)
}
kek, err = hkdf.Expand(
blake2bHash,
prk,
- cmenc.SNTRUP4591761X25519Info,
+ string(append(
+ []byte(cmenc.SNTRUP4591761X25519Info),
+ encrypted.Salt[:]...,
+ )),
chaPoly.KeyLen,
)
if err != nil {
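Review bot: The info string built at L13-L16 is `SNTRUP4591761X25519Info || salt` with no length field, which is unambiguous only because `encrypted.Salt` is a fixed-size array; that invariant is what prevents the label and the salt from ever being split two ways, so it deserves a comment at the Expand call such as `// info = label || Salt; Salt is fixed-length, so no separator is needed`. The same `string(append([]byte(info), salt...))` expression is repeated for every KEM and, from the later hunks, on both the encrypt and decrypt sides, so a single helper next to the `cmenc.*Info` constants (e.g. `func InfoWithSalt(info string, salt []byte) string`) would keep every call site identical to the spec. The enclosing function starts and ends outside this hunk.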
keyMcEliece, keyX25519,
}, []byte{})
var prk []byte
- prk, err = hkdf.Extract(
- cmhash.NewSHAKE256, ikm, encrypted.Salt[:])
+ prk, err = hkdf.Extract(cmhash.NewSHAKE256, ikm, nil)
if err != nil {
log.Fatal(err)
}
kek, err = hkdf.Expand(
cmhash.NewSHAKE256,
prk,
- cmenc.ClassicMcEliece6960119X25519Info,
+ string(append(
+ []byte(cmenc.ClassicMcEliece6960119X25519Info),
+ encrypted.Salt[:]...,
+ )),
chaPoly.KeyLen,
)
if err != nil {
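Review bot: `prk` from `hkdf.Extract(cmhash.NewSHAKE256, ikm, nil)` at L25 is passed to `hkdf.Expand` unchanged at L31, while the spec text in this same change writes the SHAKE256 PRK as `HKDF-Extract(...)[:32]`; the two agree only if the hash returned by `cmhash.NewSHAKE256` reports a 32-byte `Size()`, which is not visible here. Either pin that assumption with a comment at the Extract call, e.g. `// cmhash.NewSHAKE256 has Size()==32, so prk already is the 32-byte PRK the spec truncates to`, or truncate explicitly with a length check so the code matches the spec regardless of the hash's output size. The enclosing function continues outside this hunk.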
var kek []byte
kek, err = hkdf.Expand(
blake2bHash,
- balloon.H(blake2bHash,
- passwd,
- append(salt[:], bSalt...),
- *balloonS, *balloonT, *balloonP,
- ),
- cmballoon.HKDFInfo,
+ balloon.H(blake2bHash, passwd, bSalt, *balloonS, *balloonT, *balloonP),
+ string(append([]byte(cmballoon.HKDFInfo), salt[:]...)),
chaPoly.KeyLen,
)
if err != nil {
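Review bot: After this change the expensive balloon step at L49 is keyed only by `passwd` and `bSalt`; the message-level `salt` enters solely through the cheap HKDF info at L50. That makes the balloon output for a given passphrase and `/kem/salt` identical across any two encryptions that reuse that `/kem/salt`, so the security argument now rests on `/kem/salt` being generated fresh per encryption — if that is the intent (it may well be, since it lets the work factor be amortized), state it at the call: `// balloon is bound to bSalt only; /kem/salt must be fresh per encryption, /salt is bound via the HKDF info`. Whether bSalt is generated per message cannot be seen from here, and the enclosing function starts and ends outside this hunk.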
keySNTRUP[:], keyX25519,
}, []byte{})
var prk []byte
- prk, err = hkdf.Extract(blake2bHash, ikm, salt[:])
+ prk, err = hkdf.Extract(blake2bHash, ikm, nil)
if err != nil {
log.Fatal(err)
}
kek, err = hkdf.Expand(
blake2bHash,
prk,
- cmenc.SNTRUP4591761X25519Info,
+ string(append([]byte(cmenc.SNTRUP4591761X25519Info), salt[:]...)),
chaPoly.KeyLen,
)
if err != nil {
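Review bot: `hkdf.Extract(blake2bHash, ikm, nil)` at L58 relies on the library substituting HashLen zero bytes for an absent salt (RFC 5869 §2.2), which is what the spec's `salt=""` denotes; that equivalence is worth stating at the call site so a later reader does not re-add `salt[:]` here and bind it twice, once in Extract and once in Expand's info. A one-line comment suffices: `// nil salt = HashLen zero bytes (RFC 5869 §2.2); the message salt is bound through Expand's info below`. The enclosing function starts and ends outside this hunk.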
keyMcEliece[:], keyX25519,
}, []byte{})
var prk []byte
- prk, err = hkdf.Extract(cmhash.NewSHAKE256, ikm, salt[:])
+ prk, err = hkdf.Extract(cmhash.NewSHAKE256, ikm, nil)
if err != nil {
log.Fatal(err)
}
kek, err = hkdf.Expand(
cmhash.NewSHAKE256,
prk,
- cmenc.ClassicMcEliece6960119X25519Info,
+ string(append([]byte(cmenc.ClassicMcEliece6960119X25519Info), salt[:]...)),
chaPoly.KeyLen,
)
if err != nil {
@verbatim
KEK = HKDF-Expand(BLAKE2b,
- prk=balloon(BLAKE2b, passphrase, /salt || /kem/salt, s, t, p),
- info="keks/cm/encrypted/balloon-blake2b-hkdf")
+ prk=balloon(BLAKE2b, passphrase, /kem/salt, s, t, p),
+ info="keks/cm/encrypted/balloon-blake2b-hkdf" || /salt)
@end verbatim
@node cm-encrypted-gost3410-hkdf-kexp15
and KExp15 (Р 1323565.1.017) key wrapping algorithm:
@verbatim
-PRK = HKDF-Extract(Streebog-512, salt=bind, ikm=VKO(..., ukm=UKM))
+PRK = HKDF-Extract(Streebog-512, salt="", ikm=VKO(..., ukm=UKM))
KEKenv, IV, KEKauth = HKDF-Expand(Streebog-512, prk=PRK,
- info="keks/cm/encrypted/gost3410-hkdf-kexp15")
+ info="keks/cm/encrypted/gost3410-hkdf-kexp15" || /salt)
KExp15(KEKenc, KEKauth, IV, CEK) = CTR(Kenc, CEK || CMAC(Kauth, IV || CEK), IV=IV)
@end verbatim
them to get the KEK decryption key of the CEK.
@verbatim
-PRK = HKDF-Extract(BLAKE2b, salt=/salt,
- secret=
+PRK = HKDF-Extract(BLAKE2b, salt="", ikm=
sntrup4591761-sender-ciphertext ||
x25519-sender-public-key ||
sntrup4591761-recipient-public-key ||
sntrup4591761-shared-key ||
x25519-shared-key)
KEK = HKDF-Expand(BLAKE2b, prk=PRK,
- info="keks/cm/encrypted/sntrup4591761-x25519-hkdf-blake2b")
+ info="keks/cm/encrypted/sntrup4591761-x25519-hkdf-blake2b" || /salt)
@end verbatim
@code{/kem/*/cek} is encrypted with
them to get the KEK decryption key of the CEK.
@verbatim
-PRK = HKDF-Extract(SHAKE256, salt=/salt,
- secret=
+PRK = HKDF-Extract(SHAKE256, salt="", ikm=
mceliece6960119-sender-ciphertext ||
x25519-sender-public-key ||
mceliece6960119-recipient-public-key ||
mceliece6960119-shared-key ||
x25519-shared-key)[:32]
KEK = HKDF-Expand(SHAKE256, prk=PRK,
- info="keks/cm/encrypted/mceliece6960119-x25519-hkdf-shake256")
+ info="keks/cm/encrypted/mceliece6960119-x25519-hkdf-shake256" || /salt)
@end verbatim
@code{/kem/*/cek} is encrypted with