Chain prMACs

diff --git a/spec/cm/dem-xchapoly-krmr.texi b/spec/cm/dem-xchapoly-krmr.texi
index f81264813b42bf069678c6c0c4a0a83cc9dab3d1396171953c3af1e99ab5bd54..1b133c0cf3e72ff52c147704ff43f77925f3a92270e8f8da5cd2ccc8778096b6 100644 (file)
--- a/spec/cm/dem-xchapoly-krmr.texi
+++ b/spec/cm/dem-xchapoly-krmr.texi
@@ -12,18 +12,20 @@ Data is split on 128 KiB chunks, each of which is encrypted the following way:
 
 @verbatim
 H = BLAKE2b
-CK0 = CEK
+CK0, prMACx0 = CEK || prMACx
 CKi = HKDF-Extract(H, salt="", ikm=CK{i-1})
 KEY = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krmr/key")
 IV = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krmr/iv", len=24)
 if last chunk { IV[23] |= 0x01 } else { IV[23] &= 0xFE }
 CIPHERTEXT || TAG = XChaCha20-Poly1305(key=KEY, ad="", nonce=IV, data=chunk)
-MACi = BLAKE2b-256-MAC(key=prMACi, H(CIPHERTEXT || TAG))
-CIPHERTEXT || TAG || MAC0 [|| MAC1 ...]
+prMACxi = HKDF-Extract(H, salt="", ikm=prMACx{i-1})
+MACx = BLAKE2b-256-MAC(key=prMACxi, H(CIPHERTEXT || TAG))
+CIPHERTEXT || TAG || MACx || MAC{x+1} [|| MAC{x+2} ...]
 @end verbatim
 
-Chaining key (CK) advances with every chunk. 256-bit encryption key and
-randomised 192-bit nonce (initialisation vector) are derived from it.
+Chaining key (CK) and per-recipient MAC key advance with every chunk.
+256-bit encryption key and randomised 192-bit nonce (initialisation
+vector) are derived from chaining key.
 
 Nonce's lowest bit is set only if this is the last chunk we encrypting.