More Chempat-like KEM combining

author Sergey Matveev <stargrave@stargrave.org>

Thu, 27 Feb 2025 10:13:15 +0000 (13:13 +0300)

committer Sergey Matveev <stargrave@stargrave.org>

Thu, 27 Feb 2025 10:26:42 +0000 (13:26 +0300)
author Sergey Matveev <stargrave@stargrave.org>
Thu, 27 Feb 2025 10:13:15 +0000 (13:13 +0300)
committer Sergey Matveev <stargrave@stargrave.org>
Thu, 27 Feb 2025 10:26:42 +0000 (13:26 +0300)
diff --git a/go/cm/cmd/enctool/main.go b/go/cm/cmd/enctool/main.go

index 72f0aa5126f6899f344a582d2d19cbb76251c4dfc051d81c5660f057cd11d9df..df4c7a58f3fb134bd78504a52f58298bedf6a3e148fddb75f80b4d752fc755d2 100644 (file)
--- a/go/cm/cmd/enctool/main.go
+++ b/go/cm/cmd/enctool/main.go
@@ -20,6 +20,7 @@ import (
         "crypto/ecdh"
         "crypto/hkdf"
         "crypto/rand"
+       "crypto/sha3"
         "errors"
         "flag"
         "fmt"
@@ -246,7 +247,7 @@ func main() {
                                 }
                         case sntrup4591761x25519.SNTRUP4591761X25519HKDFBLAKE2b:
                                 if len(prvs) == 0 {
-                                       log.Println(kemIdx, kem.A, "skipping because no -prv")
+                                       log.Println(kemIdx, kem.A, "skipping because no private key specified")
                                         continue
                                 }
                                 if kem.Encap == nil {
@@ -292,13 +293,13 @@ func main() {
                                                 log.Fatal(err)
                                         }
                                         {
-                                               pub := append(
+                                               ctHash := blake2b.Sum512(kem.Encap)
+                                               pkHash := blake2b.Sum512(append(
                                                         ourSNTRUP[382:],
                                                         ourX25519.PublicKey().Bytes()...,
-                                               )
+                                               ))
                                                 ikm := bytes.Join([][]byte{
-                                                       kem.Encap, pub,
-                                                       keySNTRUP[:], keyX25519,
+                                                       keySNTRUP[:], keyX25519, ctHash[:], pkHash[:],
                                                 }, []byte{})
                                                 var prk []byte
                                                 prk, err = hkdf.Extract(blake2bHash, ikm, nil)
@@ -334,7 +335,7 @@ func main() {
                                 }
                         case mceliece6960119x25519.ClassicMcEliece6960119X25519HKDFSHAKE256:
                                 if len(prvs) == 0 {
-                                       log.Println(kemIdx, kem.A, "skipping because no -prv")
+                                       log.Println(kemIdx, kem.A, "skipping because no private key specified")
                                         continue
                                 }
                                 if kem.Encap == nil {
@@ -365,7 +366,9 @@ func main() {
                                         }
                                         theirMcEliece := (kem.Encap)[:len(kem.Encap)-32]
                                         var keyMcEliece []byte
-                                       keyMcEliece, err = mceliece6960119.Decapsulate(ourMcEliece, theirMcEliece)
+                                       keyMcEliece, err = mceliece6960119.Decapsulate(
+                                               ourMcEliece, theirMcEliece,
+                                       )
                                         if err != nil {
                                                 log.Fatal(err)
                                         }
@@ -388,13 +391,13 @@ func main() {
                                                 if err != nil {
                                                         log.Fatal(err)
                                                 }
-                                               pub := append(
-                                                       ourMcEliecePubRaw,
-                                                       ourX25519.PublicKey().Bytes()...,
-                                               )
+                                               pkHash := cmhash.NewSHAKE256()
+                                               pkHash.Write(ourMcEliecePubRaw)
+                                               pkHash.Write(ourX25519.PublicKey().Bytes())
                                                 ikm := bytes.Join([][]byte{
-                                                       kem.Encap, pub,
                                                         keyMcEliece, keyX25519,
+                                                       sha3.SumSHAKE256(kem.Encap, 32),
+                                                       pkHash.Sum(nil),
                                                 }, []byte{})
                                                 var prk []byte
                                                 prk, err = hkdf.Extract(cmhash.NewSHAKE256, ikm, nil)
@@ -534,13 +537,15 @@ func main() {
                                 if err != nil {
                                         log.Fatal(err)
                                 }
-                               kem := cmenc.KEM{A: sntrup4591761x25519.SNTRUP4591761X25519HKDFBLAKE2b}
-                               encap := append(ciphertext[:], ourPubX25519.Bytes()...)
-                               kem.Encap = encap
+                               kem := cmenc.KEM{
+                                       A:     sntrup4591761x25519.SNTRUP4591761X25519HKDFBLAKE2b,
+                                       Encap: append(ciphertext[:], ourPubX25519.Bytes()...),
+                               }
                                 {
+                                       ctHash := blake2b.Sum512(kem.Encap)
+                                       pkHash := blake2b.Sum512(pub.V)
                                         ikm := bytes.Join([][]byte{
-                                               encap, pub.V,
-                                               keySNTRUP[:], keyX25519,
+                                               keySNTRUP[:], keyX25519, ctHash[:], pkHash[:],
                                         }, []byte{})
                                         var prk []byte
                                         prk, err = hkdf.Extract(blake2bHash, ikm, nil)
@@ -602,13 +607,15 @@ func main() {
                                 if err != nil {
                                         log.Fatal(err)
                                 }
-                               kem := cmenc.KEM{A: mceliece6960119x25519.ClassicMcEliece6960119X25519HKDFSHAKE256}
-                               encap := append(ciphertext[:], ourPubX25519.Bytes()...)
-                               kem.Encap = encap
+                               kem := cmenc.KEM{
+                                       A:     mceliece6960119x25519.ClassicMcEliece6960119X25519HKDFSHAKE256,
+                                       Encap: append(ciphertext[:], ourPubX25519.Bytes()...),
+                               }
                                 {
                                         ikm := bytes.Join([][]byte{
-                                               encap, pub.V,
                                                 keyMcEliece[:], keyX25519,
+                                               sha3.SumSHAKE256(kem.Encap, 32),
+                                               sha3.SumSHAKE256(pub.V, 32),
                                         }, []byte{})
                                         var prk []byte
                                         prk, err = hkdf.Extract(cmhash.NewSHAKE256, ikm, nil)
@@ -619,7 +626,10 @@ func main() {
                                         kek, err = hkdf.Expand(
                                                 cmhash.NewSHAKE256,
                                                 prk,
-                                               string(append([]byte(cmenc.ClassicMcEliece6960119X25519Info), id[:]...)),
+                                               string(append(
+                                                       []byte(cmenc.ClassicMcEliece6960119X25519Info),
+                                                       id[:]...),
+                                               ),
                                                 chacha20poly1305.KeySize,
                                         )
                                         if err != nil {
diff --git a/go/cm/enc/balloon/decap.go b/go/cm/enc/balloon/decap.go

index 56a3c0cd30c27adc1a3935dee361d859332657760cc93f2479a15a2312051524..7a55f7d373f157b0817331e4fd9c57a6b381754c14973df31716c47b7bab7452 100644 (file)
--- a/go/cm/enc/balloon/decap.go
+++ b/go/cm/enc/balloon/decap.go
@@ -30,7 +30,7 @@ import (
  const (
         BalloonBLAKE2bHKDF = "balloon-blake2b-hkdf"
         SaltLen            = 16
-       HKDFInfo           = "keks/cm/encrypted/balloon-blake2b-hkdf"
+       HKDFInfo           = "cm/encrypted/balloon-blake2b-hkdf"
  )
  
  func blake2bHash() hash.Hash {
diff --git a/go/cm/enc/chapoly/dem.go b/go/cm/enc/chapoly/dem.go

index b23888e1a6f697b34cb359d83e8bdd726488eb16cc6415244874d543878c5197..854a84d61acd725f1b64d105cd8d0d812194b0d90e276fed302180f124ea22ff 100644 (file)
--- a/go/cm/enc/chapoly/dem.go
+++ b/go/cm/enc/chapoly/dem.go
@@ -70,7 +70,7 @@ func do(
                 var errHKDF error
                 for {
                         keyAndCommitment, errHKDF = hkdf.Expand(
-                               blake2bHash, ck, "dem-chapoly-krkc",
+                               blake2bHash, ck, "cm/encrypted/chapoly-krkc",
                                 chacha20poly1305.KeySize+CommitmentLen)
                         if errHKDF != nil {
                                 panic(errHKDF)
diff --git a/go/cm/enc/kem.go b/go/cm/enc/kem.go

index bb4a3b4c535cda870fbb12a9f3e4581488dd7c5855bbf7537b5eb035a7af9e61..7e41cad5095cd1fbcfa5e6207e25a053802766851ec059edfdb1c2e3821b02ff 100644 (file)
--- a/go/cm/enc/kem.go
+++ b/go/cm/enc/kem.go
@@ -5,8 +5,8 @@ import (
  )
  
  const (
-       SNTRUP4591761X25519Info          = "keks/cm/encrypted/sntrup4591761-x25519-hkdf-blake2b"
-       ClassicMcEliece6960119X25519Info = "keks/cm/encrypted/mceliece6960119-x25519-hkdf-shake256"
+       SNTRUP4591761X25519Info          = "cm/encrypted/sntrup4591761-x25519-hkdf-blake2b"
+       ClassicMcEliece6960119X25519Info = "cm/encrypted/mceliece6960119-x25519-hkdf-shake256"
  )
  
  type KEM struct {
diff --git a/spec/cm/dem-chapoly-krkc.texi b/spec/cm/dem-chapoly-krkc.texi

index c3700a8ca36e51a28e35e69ea4fa3a8647a92c3eef94d4be1700faf570af6d76..67ad95f1e2b4a8133c68448e4f65b6117a7e790b358209eb25d506817ce3062f 100644 (file)
--- a/spec/cm/dem-chapoly-krkc.texi
+++ b/spec/cm/dem-chapoly-krkc.texi
@@ -11,7 +11,7 @@ Data is split on 128 KiB chunks, each of which is encrypted the following way:
  @verbatim
  CK0 = CEK
  CKi = HKDF-Extract(BLAKE2b, salt="", ikm=CK{i-1})
-KEY || COMMITMENT = HKDF-Expand(BLAKE2b, prk=CKi, info="dem-chapoly-krkc")
+KEY || COMMITMENT = HKDF-Expand(BLAKE2b, prk=CKi, info="cm/encrypted/chapoly-krkc")
  ChaCha20-Poly1305(key=KEY, ad="", nonce=11*0x00 || tail-flag, data=chunk) || COMMITMENT
  @end verbatim
  
diff --git a/spec/cm/dem-kuznechik-ctr-hmac-kr.texi b/spec/cm/dem-kuznechik-ctr-hmac-kr.texi

index 1df0f05e1263def66f381ec7e675ba76af361bbad0ec584973a0e8b94251ac3b..508a6f404405d91eba991d41ed1dd7df0ddf7085f45942af71736440b7e6664c 100644 (file)
--- a/spec/cm/dem-kuznechik-ctr-hmac-kr.texi
+++ b/spec/cm/dem-kuznechik-ctr-hmac-kr.texi
@@ -12,7 +12,7 @@ Data is split on 128 KiB chunks, each of which is encrypted the following way:
  CK0 = CEK
  CKi = HKDF-Extract(Streebog-512, salt="", ikm=CK{i-1})
  Kenc || Kauth || KauthTail = HKDF-Expand(
-    Streebog-512, prk=CKi, info="dem-kuznechik-ctr-hmac-kr")
+    Streebog-512, prk=CKi, info="cm/encrypted/kuznechik-ctr-hmac-kr")
  CT = Kuznechik-CTR(key=Kenc, ctr=0x00, data=chunk)
  CT || HMAC(Streebog-256, key={Kauth|KauthTail}, data=CT)
  @end verbatim
diff --git a/spec/cm/kem-balloon-blake2b-hkdf.texi b/spec/cm/kem-balloon-blake2b-hkdf.texi

index c87c5fa07f2d6ca2e5040c8a5f0a73f91a50ab310409345408df3b3776180ccf..61bd83a91d55b5cf9766978647ce850c43766c05566d2e3e9d2c6ff8e8179b43 100644 (file)
--- a/spec/cm/kem-balloon-blake2b-hkdf.texi
+++ b/spec/cm/kem-balloon-blake2b-hkdf.texi
@@ -23,7 +23,7 @@ password hasher must be used with BLAKE2b hash.
  @verbatim
  KEK = HKDF-Expand(BLAKE2b,
      prk=balloon(BLAKE2b, passphrase, /kem/salt, s, t, p),
-    info="keks/cm/encrypted/balloon-blake2b-hkdf" || /id)
+    info="cm/encrypted/balloon-blake2b-hkdf" || /id)
  @end verbatim
  
  @code{/kem/*/cek} is wrapped with @ref{keywrap-xchapoly} mechanism.
diff --git a/spec/cm/kem-gost3410-hkdf.texi b/spec/cm/kem-gost3410-hkdf.texi

index adba835bf4889da0d5d031527bba1324540ec0a07d5e11126759096e607b3ae0..d660f45e2be3e8e720f634fc1ee4196e35d5dd607f68151b81332ff182a329f6 100644 (file)
--- a/spec/cm/kem-gost3410-hkdf.texi
+++ b/spec/cm/kem-gost3410-hkdf.texi
@@ -20,8 +20,7 @@ and KExp15 (Р 1323565.1.017) key wrapping algorithm:
  
  @verbatim
  PRK = HKDF-Extract(Streebog-512, salt="", ikm=VKO(..., ukm=UKM))
-KEK= HKDF-Expand(Streebog-512, prk=PRK,
-    info="keks/cm/encrypted/gost3410-hkdf" || /id)
+KEK= HKDF-Expand(Streebog-512, prk=PRK, info="cm/encrypted/gost3410-hkdf" || /id)
  @end verbatim
  
  @code{/kem/*/cek} is wrapped with @ref{keywrap-kexp15} mechanism.
diff --git a/spec/cm/kem-mceliece6960119-x25519-hkdf-shake256.texi b/spec/cm/kem-mceliece6960119-x25519-hkdf-shake256.texi

index 9c00499f7d5e3c60b2f02e1e241d488757ac7df7fc3d4f86e6e8c72841670b89..0fda580ff138f41ae322e3a9d02ea76dfc12b8a258c657ad8670266fb66d051c 100644 (file)
--- a/spec/cm/kem-mceliece6960119-x25519-hkdf-shake256.texi
+++ b/spec/cm/kem-mceliece6960119-x25519-hkdf-shake256.texi
@@ -19,14 +19,11 @@ them to get the KEK decryption key of the CEK.
  
  @verbatim
  PRK = HKDF-Extract(SHAKE256, salt="", ikm=
-        mceliece6960119-sender-ciphertext ||
-        x25519-sender-public-key ||
-        mceliece6960119-recipient-public-key ||
-        x25519-recipient-public-key ||
-        mceliece6960119-shared-key ||
-        x25519-shared-key)[:32]
+    mceliece6960119-shared-key || x25519-shared-key ||
+    SHAKE256(mceliece6960119-sender-ciphertext || x25519-sender-public-key) ||
+    SHAKE256(mceliece6960119-recipient-public-key || x25519-recipient-public-key))
  KEK = HKDF-Expand(SHAKE256, prk=PRK,
-    info="keks/cm/encrypted/mceliece6960119-x25519-hkdf-shake256" || /salt)
+    info="cm/encrypted/mceliece6960119-x25519-hkdf-shake256" || /salt)
  @end verbatim
  
  @code{/kem/*/cek} is wrapped with @ref{keywrap-xchapoly} mechanism.
diff --git a/spec/cm/kem-sntrup4591761-x25519-hkdf-blake2b.texi b/spec/cm/kem-sntrup4591761-x25519-hkdf-blake2b.texi

index fca71c7a6dec45c2ec8f0c46bc672c75716004030dc6d56f6ed685e90675b4a3..35e1b096a14ef758180d2bb432ea6270145afc77e464249e56c66bcf869e5ba8 100644 (file)
--- a/spec/cm/kem-sntrup4591761-x25519-hkdf-blake2b.texi
+++ b/spec/cm/kem-sntrup4591761-x25519-hkdf-blake2b.texi
@@ -18,14 +18,11 @@ key of the CEK.
  
  @verbatim
  PRK = HKDF-Extract(BLAKE2b, salt="", ikm=
-        sntrup4591761-sender-ciphertext ||
-        x25519-sender-public-key ||
-        sntrup4591761-recipient-public-key ||
-        x25519-recipient-public-key ||
-        sntrup4591761-shared-key ||
-        x25519-shared-key)
+    sntrup4591761-shared-key || x25519-shared-key ||
+    BLAKE2b(sntrup4591761-sender-ciphertext || x25519-sender-public-key) ||
+    BLAKE2b(sntrup4591761-recipient-public-key || x25519-recipient-public-key))
  KEK = HKDF-Expand(BLAKE2b, prk=PRK,
-    info="keks/cm/encrypted/sntrup4591761-x25519-hkdf-blake2b" || /id)
+    info="cm/encrypted/sntrup4591761-x25519-hkdf-blake2b" || /id)
  @end verbatim
  
  @code{/kem/*/cek} is wrapped with @ref{keywrap-xchapoly} mechanism.
author	Sergey Matveev <stargrave@stargrave.org>
	Thu, 27 Feb 2025 10:13:15 +0000 (13:13 +0300)
committer	Sergey Matveev <stargrave@stargrave.org>
	Thu, 27 Feb 2025 10:26:42 +0000 (13:26 +0300)
go/cm/cmd/enctool/main.go		patch \| blob \| history
go/cm/enc/balloon/decap.go		patch \| blob \| history
go/cm/enc/chapoly/dem.go		patch \| blob \| history
go/cm/enc/kem.go		patch \| blob \| history
spec/cm/dem-chapoly-krkc.texi		patch \| blob \| history
spec/cm/dem-kuznechik-ctr-hmac-kr.texi		patch \| blob \| history
spec/cm/kem-balloon-blake2b-hkdf.texi		patch \| blob \| history
spec/cm/kem-gost3410-hkdf.texi		patch \| blob \| history
spec/cm/kem-mceliece6960119-x25519-hkdf-shake256.texi		patch \| blob \| history
spec/cm/kem-sntrup4591761-x25519-hkdf-blake2b.texi		patch \| blob \| history