-XChaCha20-Poly1305 with key ratcheting and multi-recipient DEM.
-[cm/encrypted/]'s "/dem/a" equals to "xchapoly-krmr".
+XChaCha20 with key ratcheting and multi-recipient DEM.
+[cm/encrypted/]'s "/dem/a" equals to "xchacha-krmr".
CEK consists of common 64-bytes part equal in all KEMs (CEK itself),
and 64 bytes long per-KEM/per-recipient random MAC key (prMACx).
Data is split on 128 KiB chunks, each of which is encrypted the following way:
CK0, prMACx0 = CEK || prMACx
CKi = HKDF-Extract(H, salt="", ikm=CK{i-1})
prMACxi = HKDF-Extract(H, salt="", ikm=prMACx{i-1})
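Review bot: the new summary on L3 says what was removed (Poly1305) but not what now authenticates the ciphertext; after this change the only integrity check is the per-recipient BLAKE2b-256-MAC keyed by prMACx (L6), so state that in the one-line description, e.g. `XChaCha20 with per-recipient BLAKE2b MACs, key ratcheting and multi-recipient DEM.`, and say whether the old `xchapoly-krmr` "/dem/a" value is retired or kept in parallel with `xchacha-krmr`, since a ciphertext carrying the old identifier can no longer be matched to this section.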
- KEY = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krmr/key")
- IV = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krmr/iv", len=24)
+ KEY = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchacha-krmr/key")
+ IV = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchacha-krmr/iv", len=24)
if {last chunk} then { IV[23] |= 0x01 } else { IV[23] &= 0xFE }
- CIPHERTEXT || TAG = XChaCha20-Poly1305(key=KEY, ad="", nonce=IV, data=chunk)
- MACx = BLAKE2b-256-MAC(key=prMACxi, H(CIPHERTEXT || TAG))
- CIPHERTEXT || TAG || MACx || MAC{x+1} [|| MAC{x+2} ...]
+ CIPHERTEXT = XChaCha20(key=KEY, nonce=IV, data=chunk)
+ MACx = BLAKE2b-256-MAC(key=prMACxi, H(CIPHERTEXT))
+ CIPHERTEXT || MACx || MAC{x+1} [|| MAC{x+2} ...]
Chaining key (CK) and per-recipient MAC (prMAC) key advance with every
chunk. 256-bit encryption key and randomised 192-bit nonce
deanonymisation contents.
It is *highly* recommended to use multi-recipient safe DEM when
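Review bot: the MAC input on L20 no longer binds the last-chunk flag set on L15. Before this change the flag was covered implicitly, because the Poly1305 tag on L16 is computed under the nonce that L15 modifies; now MACx is taken over H(CIPHERTEXT) alone, and the IV is derived locally rather than transmitted, so a decryptor that meets end-of-stream at a chunk boundary derives IV with bit 0 set, passes the MAC check, and decrypts that chunk under a keystream the sender never used. Feed the flag (or the whole derived IV) into the MAC, e.g. `MACx = BLAKE2b-256-MAC(key=prMACxi, H(IV || CIPHERTEXT))`, so truncation of the stream is rejected instead of being turned into garbage plaintext.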
-encrypting to multiple recipients. For example [cm/dem/xchapoly-krmr]
+encrypting to multiple recipients. For example [cm/dem/xchacha-krmr]
instead of [cm/dem/xchapoly-krkc], but unfortunately with the price of
more expensive double pass authentication scheme.
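Review bot: L28 still names [cm/dem/xchapoly-krkc] as the alternative while this hunk renames only the krmr variant; confirm the krkc DEM keeps its XChaCha20-Poly1305 construction and identifier, or rename it in the same change, so the cross-reference does not go stale. The cost statement on L29 still holds after the change: one XChaCha20 pass (L19) plus one BLAKE2b hash pass over the ciphertext (L20) that all recipients share.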