From: Sergey Matveev Date: Sun, 21 Sep 2025 16:34:50 +0000 (+0300) Subject: Pass CEK through the whole HKDF X-Git-Tag: v0.1.0~4 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=22ff031a0c6a6250ad8993d8e1cc8743cfb001861dbc19420f47b0b3b90a5db1;p=keks.git Pass CEK through the whole HKDF --- diff --git a/spec/cm/dem/kuznechik-ctr-hmac-kr b/spec/cm/dem/kuznechik-ctr-hmac-kr index 97e57e2..ba002c9 100644 --- a/spec/cm/dem/kuznechik-ctr-hmac-kr +++ b/spec/cm/dem/kuznechik-ctr-hmac-kr @@ -4,7 +4,7 @@ CEK is 64 bytes long. Data is split on 128 KiB chunks, each of which is encrypted the following way: H = Streebog-512 - CK0 = CEK + CK{-1} = CEK CKi = HKDF-Expand(H, prk=HKDF-Extract(H, salt="", ikm=CK{i-1}), info="cm/encrypted/kuznechik-ctr-hmac-kr/kr") diff --git a/spec/cm/dem/xchacha-krmr b/spec/cm/dem/xchacha-krmr index 24ac072..ed6f54a 100644 --- a/spec/cm/dem/xchacha-krmr +++ b/spec/cm/dem/xchacha-krmr @@ -5,7 +5,7 @@ and 64 bytes long per-KEM/per-recipient random MAC key (prMACx). Data is split on 128 KiB chunks, each of which is encrypted the following way: H = BLAKE2b - CK0, prMACx0 = CEK || prMACx + CK{-1} || prMACx{-1} = CEK CKi = HKDF-Expand(H, prk=HKDF-Extract(H, salt="", ikm=CK{i-1}), info="cm/encrypted/xchacha-krmr/kr") diff --git a/spec/cm/dem/xchapoly-krkc b/spec/cm/dem/xchapoly-krkc index 7c0a58e..8cde867 100644 --- a/spec/cm/dem/xchapoly-krkc +++ b/spec/cm/dem/xchapoly-krkc @@ -4,7 +4,7 @@ CEK is 64 bytes long. Data is split on 128 KiB chunks, each of which is encrypted the following way: H = BLAKE2b - CK0 = CEK + CK{-1} = CEK CKi = HKDF-Expand(H, prk=HKDF-Extract(H, salt="", ikm=CK{i-1}), info="cm/encrypted/xchapoly-krkc/kr")
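Review bot: in spec/cm/dem/kuznechik-ctr-hmac-kr, replacing `CK0 = CEK` with `CK{-1} = CEK` changes every chunk key derived from a given CEK, but the info string "cm/encrypted/kuznechik-ctr-hmac-kr/kr" in the unchanged context stays the same, so nothing in the visible text distinguishes data written under the old key schedule from data written under the new one. Suggest stating in the spec that the earlier derivation is not supported, or changing an identifier that takes part in the derivation, so a reader of older data gets a clear incompatibility rather than an unexplained authentication failure on the first chunk.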
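Review bot: in spec/cm/dem/xchacha-krmr, the new line `CK{-1} || prMACx{-1} = CEK` drops prMACx from the right-hand side, while the context line just above still describes prMACx as a separate 64-byte per-KEM/per-recipient random MAC key. As written, the formula reads as the CEK alone being split into both values, which leaves the per-recipient key out of the chain seed. If the seed is meant to be the same concatenation as before, write `CK{-1} || prMACx{-1} = CEK || prMACx`; if the CEK really does carry both halves now, the sentence above the formula should give the lengths that make the split unambiguous.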
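Review bot: in spec/cm/dem/xchapoly-krkc, `CK{-1} = CEK` relies on the reader inferring that i starts at 0 in `CKi = HKDF-Expand(H, prk=HKDF-Extract(H, salt="", ikm=CK{i-1}), ...)`; the visible lines never state the index range. The subject says the intent is to pass the CEK through the whole HKDF, so the first chunk key must already be an HKDF output and the raw CEK must never be used directly. Suggest adding an explicit `i = 0, 1, ...` or a sentence saying that CK0 is the key of the first chunk, so an implementer does not start the chain one step off. The same wording would help in the other two files touched by this commit.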