HKDF in gost3410-kexp15

diff --git a/spec/format/enveloped-data.cddl b/spec/format/enveloped-data.cddl
index e27ea3be98399d4265fab49d1c293098eff1e85ed0f6e9aff17a536f9f455f1d..1eedab6bdf508c0f1ff08b034a15cfd0398a82e0bb13ee2d659eb3b4c8c14bcb 100644 (file)
--- a/spec/format/enveloped-data.cddl
+++ b/spec/format/enveloped-data.cddl
@@ -19,7 +19,7 @@ dem-kuznechik-ctracpkm-hmac-hkdf = {
 
 kem = kem-generic /
       kem-balloon-blake2b-hkdf /
-      kem-gost3410-kexp15 /
+      kem-gost3410-hkdf-kexp15 /
       kem-sntrup4591761-x25519-hkdf-blake2b
 
 kem-generic = {
@@ -39,8 +39,8 @@ kem-balloon-blake2b = {
     salt: bytes,
 }
 
-kem-gost3410-kexp15 = {
-    a: "gost3410-kexp15",
+kem-gost3410-hkdf-kexp15 = {
+    a: "gost3410-hkdf-kexp15",
     cek: bytes,
     ukm: bytes,
     pub: bytes,

diff --git a/spec/format/enveloped-data.texi b/spec/format/enveloped-data.texi
index 3ff80ef030c737ba98a660287ab8357de91b40819e028ecba2b9702969a182d9..93a28eb19f66420f7ebaf8c149b2ec1aac8ce77973c8b7e0af9ebcb6f4006a25 100644 (file)
--- a/spec/format/enveloped-data.texi
+++ b/spec/format/enveloped-data.texi
@@ -98,10 +98,10 @@ KEK = HKDF-Extract(BLAKE2b-256,
 ChaCha20-Poly1305(data=16*0x00 || CEK, key=KEK, nonce=12*0x00, ad="")
 @end verbatim
 
-@node enveloped-data-gost3410-kexp15
-@subsection enveloped-data-gost3410-kexp15
+@node enveloped-data-gost3410-hkdf-kexp15
+@subsection enveloped-data-gost3410-hkdf-kexp15
 
-@code{/kem/*/a} equals to "gost3410-kexp15".
+@code{/kem/*/a} equals to "gost3410-hkdf-kexp15".
 Recipient map must also contain additional fields:
 
 @table @code
@@ -113,12 +113,16 @@ Recipient map must also contain additional fields:
     8-byte initialisation vector for KExp15.
 @end table
 
-ГОСТ Р 34.10-2012 VKO 512-bit parameter set C ("gost3410-512C") must be
-used for DH operation, with UKM taken from the structure. Its 512-bit
-output result is used for KExp15 (Р 1323565.1.017) key wrapping algorithm:
+ГОСТ Р 34.10-2012 VKO parameter set A/C ("gost3410-256A", "gost3410-512C")
+must be used for DH operation, with UKM taken from the structure. VKO's
+output is 512- or 1024-bit @code{BE(X)||BE(Y)} point. It is used in HKDF
+and KExp15 (Р 1323565.1.017) key wrapping algorithm:
 
 @verbatim
-KExp15(Kenc, Kauth, IV, CEK):
+KEKenv, KEKauth = HKDF-Extract(Streebog-512,
+    salt="keks/enveloped-data/gost3410-hkdf-kexp15",
+    secret=bind || VKO(...))
+KExp15(KEKenc, KEKauth, IV, CEK):
     return CTR(Kenc, CEK+CMAC(Kauth, IV+CEK), IV=IV)
 @end verbatim
 

diff --git a/spec/format/registry.texi b/spec/format/registry.texi
index 6436925f2cd83cea8ce1acf2ec189e9cb1837688029a8d846f192f5ce0efc7d2..f9e614abede3fea707759f2bd65ff319944d6567c971b62b38ac5035df36835d 100644 (file)
--- a/spec/format/registry.texi
+++ b/spec/format/registry.texi
@@ -57,8 +57,8 @@ There is example registry of known algorithm identifiers.
 @item argon2id-hkdf-blake2b
 @item balloon-blake2b-hkdf
     @code{@ref{enveloped-data-balloon-blake2b-hkdf}}
-@item gost3410-kexp15
-    @code{@ref{enveloped-data-gost3410-kexp15}}
+@item gost3410-hkdf-kexp15
+    @code{@ref{enveloped-data-gost3410-hkdf-kexp15}}
 @item mlkem768-x25519
 @item sntrup761-x25519
 @item sntrup4591761-x25519