From: Sergey Matveev Date: Mon, 17 Feb 2025 09:59:41 +0000 (+0300) Subject: Curve25519 -> X25519 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=2a840dca43c5a3ee15414c8145d17f44e42d295ee33e0ccd89fd5216df3429ab;p=keks.git Curve25519 -> X25519 Curve is only a curve, but X is the ECDH algorithm. --- diff --git a/spec/cm/encrypted.texi b/spec/cm/encrypted.texi index c32f5c6..c74e041 100644 --- a/spec/cm/encrypted.texi +++ b/spec/cm/encrypted.texi @@ -136,8 +136,8 @@ KExp15(KEKenc, KEKauth, IV, CEK) = CTR(Kenc, CEK || CMAC(Kauth, IV || CEK), IV=I @node cm-encrypted-sntrup4591761-x25519-hkdf-blake2b @cindex cm-encrypted-sntrup4591761-x25519-hkdf-blake2b -@nodedescription cm/encrypted with SNTRUP4591761+Curve25519+HKDF-BLAKE2b KEM -@subsection cm/encrypted with SNTRUP4591761+Curve25519+HKDF-BLAKE2b KEM +@nodedescription cm/encrypted with SNTRUP4591761+X25519+HKDF-BLAKE2b KEM +@subsection cm/encrypted with SNTRUP4591761+X25519+HKDF-BLAKE2b KEM @code{/kem/*/a} equals to "sntrup4591761-x25519-hkdf-blake2b". Recipient public key with @@ -147,9 +147,9 @@ KExp15(KEKenc, KEKauth, IV, CEK) = CTR(Kenc, CEK || CMAC(Kauth, IV || CEK), IV=I Recipient map must also contain additional field: @code{/kem/*/encap: bytes} -- concatenation of 1047 bytes of Streamlined NTRU Prime 4591^761's ciphertext with 32 bytes of ephemeral - Curve25519 public key. + X25519 public key. - Recipient performs Curve25519 and SNTRUP computation to + Recipient performs X25519 and SNTRUP computation to derive/decapsulate two 32-byte shared keys. Then it combines them to get the KEK decryption key of the CEK. 
@@ -172,8 +172,8 @@ KEK = HKDF-Expand(BLAKE2b, prk=PRK, @node cm-encrypted-mceliece6960119-x25519-hkdf-shake256 @cindex cm-encrypted-mceliece6960119-x25519-hkdf-shake256 -@nodedescription cm/encrypted with Classic McEliece 6960-119+Curve25519+HKDF-SHAKE256 KEM -@subsection cm/encrypted with Classic McEliece 6960-119+Curve25519+HKDF-SHAKE256 KEM +@nodedescription cm/encrypted with Classic McEliece 6960-119+X25519+HKDF-SHAKE256 KEM +@subsection cm/encrypted with Classic McEliece 6960-119+X25519+HKDF-SHAKE256 KEM @code{/kem/*/a} equals to "mceliece6960119-x25519-hkdf-shake256". Recipient public key with @@ -183,9 +183,9 @@ KEK = HKDF-Expand(BLAKE2b, prk=PRK, Recipient map must also contain additional field: @code{/kem/*/encap: bytes} -- concatenation of 194 bytes of Classic McEliece 6960-119 ciphertext with 32 bytes of ephemeral - Curve25519 public key. + X25519 public key. - Recipient performs Curve25519 and Classic McEliece computation to + Recipient performs X25519 and Classic McEliece computation to derive/decapsulate two 32-byte shared keys. Then it combines them to get the KEK decryption key of the CEK. diff --git a/spec/cm/prv.texi b/spec/cm/prv.texi index ad2b472..e3f6cc8 100644 --- a/spec/cm/prv.texi +++ b/spec/cm/prv.texi 
@@ -33,20 +33,20 @@ Stored in a file, it should begin with "cm/prv" @ref{MAGIC, magic}. @node cm-prv-sntrup4591761-x25519 @cindex cm-prv-sntrup4591761-x25519 -@nodedescription cm/prv with SNTRUP4591761+Curve25519 -@subsection cm/prv with SNTRUP4591761+Curve25519 +@nodedescription cm/prv with SNTRUP4591761+X25519 +@subsection cm/prv with SNTRUP4591761+X25519 Concatenation of Streamlined NTRU Prime 4591^761's 1600-byte private key - and Curve25519's 32-byte one. + and X25519's 32-byte one. @code{sntrup4591761-x25519} algorithm identifier is used. @node cm-prv-mceliece6960119-x25519 @cindex cm-prv-mceliece6960119-x25519 -@nodedescription cm/prv with Classic McEliece 6960-119+Curve25519 -@subsection cm/prv with Classic McEliece 6960-119+Curve25519 +@nodedescription cm/prv with Classic McEliece 6960-119+X25519 +@subsection cm/prv with Classic McEliece 6960-119+X25519 Concatenation of Classic McEliece 6960-119 13948-byte private key - and Curve25519's 32-byte one. + and X25519's 32-byte one. @code{mceliece6960119-x25519} algorithm identifier is used. diff --git a/spec/cm/pub.texi b/spec/cm/pub.texi index 60489df..784c4b5 100644 --- a/spec/cm/pub.texi +++ b/spec/cm/pub.texi @@ -29,7 +29,7 @@ Public key container itself may contain multiple public keys. That is @strong{solely} intended for tasks requiring more than single key usage. For example @url{http://www.nncpgo.org, NNCP} uses one -curve25519 for (DH) encryption, one curve25519 for online authentication +X25519 for (DH) encryption, one curve25519 for online authentication and one ed25519 for signing purposes. All those three keys are used together. That public key's key usage field must contain something like "nncp". 
@@ -125,30 +125,30 @@ Algorithm identifier for the public key: @code{ed25519ph-blake2b}. @node cm-pub-sntrup4591761-x25519 @cindex cm-pub-sntrup4591761-x25519 -@nodedescription cm/pub with SNTRUP4591761+Curve25519 -@subsection cm/pub with SNTRUP4591761+Curve25519 +@nodedescription cm/pub with SNTRUP4591761+X25519 +@subsection cm/pub with SNTRUP4591761+X25519 -Combined Streamlined NTRU Prime 4591^761 and Curve25519 public keys are +Combined Streamlined NTRU Prime 4591^761 and X25519 public keys are used for KEM purposes, so should have "kem" key usage set. Its algorithm identifier is @code{sntrup4591761-x25519}. Its public key value is a concatenation of 1218-byte SNTRUP4591761 public key and -32-byte Curve25519 one. +32-byte X25519 one. Public key's identifier should be calculated using BLAKE2b hash with 128 or 256 bit output length specified. @node cm-pub-mceliece6960119-x25519 @cindex cm-pub-mceliece6960119-x25519 -@nodedescription cm/pub with Classic McEliece 6960-119+Curve25519 -@subsection cm/pub with Classic McEliece 6960-119+Curve25519 +@nodedescription cm/pub with Classic McEliece 6960-119+X25519 +@subsection cm/pub with Classic McEliece 6960-119+X25519 -Combined Classic McEliece 6960-119 and Curve25519 public keys are used +Combined Classic McEliece 6960-119 and X25519 public keys are used for KEM purposes, so should have "kem" key usage set. Its algorithm identifier is @code{mceliece6960119-x25519}. Its public key value is a concatenation of 1047319-byte @code{mceliece6960119} public key -and 32-byte Curve25519 one. +and 32-byte X25519 one. Public key's identifier should be calculated using either SHAKE128 or SHAKE256 hash.
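Review bot: in spec/cm/pub.texi, the hunk at line 29 (the NNCP example) applies the rename to only one of the two mentions on the changed line, which now reads "X25519 for (DH) encryption, one curve25519 for online authentication". By the commit's own rationale (the curve is only a curve, X is the ECDH algorithm), the second key should also read X25519 if it is used in a DH exchange. If it is deliberately left as the curve name, the sentence should say which algorithm that key is used with. The leftover lowercase "curve25519" also no longer matches the spelling used everywhere else in this patch.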
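Review bot: in spec/cm/encrypted.texi, the changed sentences "Recipient performs X25519 and SNTRUP computation to" and "Recipient performs X25519 and Classic McEliece computation to" now name the ECDH function but give no reference for it. Since the point of the rename is to separate the function from the curve, consider citing RFC 7748 at the first mention of X25519 in each KEM subsection. The same place is a natural spot to state whether the recipient must reject an all-zero X25519 output before the two 32-byte shared keys are combined, a check RFC 7748 describes as optional.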