Data is split on 128 KiB chunks, each of which is encrypted the following way:
@verbatim
+H = Streebog-512
CK0 = CEK
-CKi = HKDF-Extract(Streebog-512, salt="", ikm=CK{i-1})
-Kenc = HKDF-Expand(Streebog-512, prk=CKi,
- info="cm/encrypted/kuznechik-ctr-hmac-kr/enc")
-IV = HKDF-Expand(Streebog-512, prk=CKi,
- info="cm/encrypted/kuznechik-ctr-hmac-kr/iv", len=8)
-Kauth || KauthTail = HKDF-Expand(Streebog-512, prk=CKi,
- info="cm/encrypted/kuznechik-ctr-hmac-kr/auth")
-KauthTail = HKDF-Expand(Streebog-512, prk=CKi,
- info="cm/encrypted/kuznechik-ctr-hmac-kr/authTail")
+CKi = HKDF-Extract(H, salt="", ikm=CK{i-1})
+Kenc = HKDF-Expand(H, prk=CKi, info="cm/encrypted/kuznechik-ctr-hmac-kr/enc")
+IV = HKDF-Expand(H, prk=CKi, info="cm/encrypted/kuznechik-ctr-hmac-kr/iv", len=8)
+Kauth || KauthTail = HKDF-Expand(H, prk=CKi, info="cm/encrypted/kuznechik-ctr-hmac-kr/auth")
+KauthTail = HKDF-Expand(H, prk=CKi, info="cm/encrypted/kuznechik-ctr-hmac-kr/authTail")
CT = Kuznechik-CTR(key=Kenc, ctr=IV, data=chunk)
CT || HMAC(Streebog-256, key={Kauth|KauthTail}, data=CT)
@end verbatim
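Review bot: `+Kauth || KauthTail = HKDF-Expand(H, prk=CKi, info=".../auth")` and `+KauthTail = HKDF-Expand(H, prk=CKi, info=".../authTail")` both assign KauthTail, so the derivation is ambiguous; either the first line should read `Kauth = HKDF-Expand(H, prk=CKi, info="cm/encrypted/kuznechik-ctr-hmac-kr/auth")` or the `authTail` line should go. The ambiguity is carried over from the removed lines rather than introduced here, but since the hunk rewrites both lines it is the natural place to settle it. Two smaller points in the same block: the `+Kenc = HKDF-Expand(H, ...)` line gives no `len=` while the IV line does (`len=8`), so the key length should be stated the same way; and the unchanged last line still says `HMAC(Streebog-256, ...)` right after `+H = Streebog-512`, which reads as a contradiction unless the text says that H names only the HKDF hash.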
Data is split on 128 KiB chunks, each of which is encrypted the following way:
@verbatim
+H = BLAKE2b
CK0 = CEK
-CKi = HKDF-Extract(BLAKE2b, salt="", ikm=CK{i-1})
-KEY = HKDF-Expand(BLAKE2b, prk=CKi, info="cm/encrypted/xchapoly-krkc/key")
-IV = HKDF-Expand(BLAKE2b, prk=CKi, info="cm/encrypted/xchapoly-krkc/iv", len=24)
+CKi = HKDF-Extract(H, salt="", ikm=CK{i-1})
+KEY = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krkc/key")
+IV = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krkc/iv", len=24)
if last chunk { IV[23] |= 0x01 } else { IV[23] &= 0xFE }
CIPHERTEXT || TAG = XChaCha20-Poly1305(key=KEY, ad="", nonce=IV, data=chunk)
COMMITMENT = BLAKE2b-256(KEY || IV || TAG)
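Review bot: with `+H = BLAKE2b` introduced, the unchanged `COMMITMENT = BLAKE2b-256(KEY || IV || TAG)` line leaves the reader to guess whether BLAKE2b-256 is H with a 256-bit output or a separately instantiated function; say which, using the same `len=` convention the IV line already uses (`len=24`). The `+KEY = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krkc/key")` line likewise has no `len=` next to an IV line that does, so the key length is only implied.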
password hasher must be used with BLAKE2b hash.
@verbatim
-KEK = HKDF-Expand(BLAKE2b,
- prk=balloon(BLAKE2b, passphrase, /kem/salt, s, t, p),
+H = BLAKE2b
+KEK = HKDF-Expand(H,
+ prk=balloon(H, passphrase, /kem/salt, s, t, p),
info="cm/encrypted/balloon-blake2b-hkdf" || /id)
@end verbatim
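Review bot: `+KEK = HKDF-Expand(H, prk=balloon(H, passphrase, /kem/salt, s, t, p), ...)` feeds the balloon output straight into HKDF-Expand with no HKDF-Extract step, unlike every other mechanism in this patch, which does Extract then Expand. If that is deliberate (balloon output being used directly as the PRK), a one-line remark in the surrounding text would stop implementers from "correcting" it by inserting an Extract. Also, with `+H = BLAKE2b` added inside the block, the preceding sentence "password hasher must be used with BLAKE2b hash" now states the hash twice; consider pointing it at H instead.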
output is 512- or 1024-bit @code{BE(X)||BE(Y)} point, used in HKDF below:
@verbatim
-PRK = HKDF-Extract(Streebog-512, salt="", ikm=VKO(..., ukm=UKM))
-KEK = HKDF-Expand(Streebog-512, prk=PRK, info="cm/encrypted/gost3410-hkdf" || /id)
+H = Streebog-512
+PRK = HKDF-Extract(H, salt="", ikm=VKO(..., ukm=UKM))
+KEK = HKDF-Expand(H, prk=PRK, info="cm/encrypted/gost3410-hkdf" || /id)
@end verbatim
@code{/kem/*/cek} is wrapped with @ref{keywrap-kexp15} mechanism.
them to get the KEK decryption key of the CEK.
@verbatim
-PRK = HKDF-Extract(SHAKE256, salt="", ikm=
+H = SHAKE256
+PRK = HKDF-Extract(H, salt="", ikm=
mceliece6960119-shared-key || x25519-shared-key ||
- SHAKE256(mceliece6960119-sender-ciphertext || x25519-sender-public-key) ||
- SHAKE256(mceliece6960119-recipient-public-key || x25519-recipient-public-key))
-KEK = HKDF-Expand(SHAKE256, prk=PRK,
+ H(mceliece6960119-sender-ciphertext || x25519-sender-public-key) ||
+ H(mceliece6960119-recipient-public-key || x25519-recipient-public-key))
+KEK = HKDF-Expand(H, prk=PRK,
info="cm/encrypted/mceliece6960119-x25519-hkdf-shake256" || /salt)
@end verbatim
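Review bot: `+H = SHAKE256` names an extendable-output function, but the `+ H(mceliece6960119-sender-ciphertext || x25519-sender-public-key)` and `+ H(mceliece6960119-recipient-public-key || x25519-recipient-public-key)` lines, as well as the Extract/Expand calls, give no output length, whereas the IV derivations elsewhere in this patch spell out `len=`. State the length H produces here so that two implementations arrive at the same PRK. The substitution of `SHAKE256(...)` by `H(...)` is otherwise a straight rename consistent with the other hunks.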
key of the CEK.
@verbatim
-PRK = HKDF-Extract(BLAKE2b, salt="", ikm=
+H = BLAKE2b
+PRK = HKDF-Extract(H, salt="", ikm=
sntrup4591761-shared-key || x25519-shared-key ||
- BLAKE2b(sntrup4591761-sender-ciphertext || x25519-sender-public-key) ||
- BLAKE2b(sntrup4591761-recipient-public-key || x25519-recipient-public-key))
-KEK = HKDF-Expand(BLAKE2b, prk=PRK,
- info="cm/encrypted/sntrup4591761-x25519-hkdf-blake2b" || /id)
+ H(sntrup4591761-sender-ciphertext || x25519-sender-public-key) ||
+ H(sntrup4591761-recipient-public-key || x25519-recipient-public-key))
+KEK = HKDF-Expand(H, prk=PRK, info="cm/encrypted/sntrup4591761-x25519-hkdf-blake2b" || /id)
@end verbatim
@code{/kem/*/cek} is wrapped with @ref{keywrap-xchapoly} mechanism.
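Review bot: `+KEK = HKDF-Expand(H, prk=PRK, info="cm/encrypted/sntrup4591761-x25519-hkdf-blake2b" || /id)` folds the two removed lines into one, while the equivalent mceliece hunk keeps `info=` on its own continuation line; pick one wrapping for both blocks. More importantly, this info string ends with `|| /id` while the mceliece one ends with `|| /salt` (`info="cm/encrypted/mceliece6960119-x25519-hkdf-shake256" || /salt`); if that difference is intended it deserves a sentence in the text, otherwise one of the two is a typo that this renaming pass is a good moment to catch.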