From: Sergey Matveev Date: Tue, 18 Feb 2025 13:52:49 +0000 (+0300) Subject: Another HKDF usage revision X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=73b114cf4bc4c5d87839e474b93bcc7a9b143ead56a0bbc3959bea1eec769965;p=keks.git Another HKDF usage revision --- diff --git a/go/cm/cmd/enctool/main.go b/go/cm/cmd/enctool/main.go index d3789f3..097a7e2 100644 --- a/go/cm/cmd/enctool/main.go +++ b/go/cm/cmd/enctool/main.go @@ -293,7 +293,7 @@ func main() { keySNTRUP[:], keyX25519, }, []byte{}) var prk []byte - prk, err = hkdf.Extract(blake2bHash, ikm, encrypted.Salt[:]) + prk, err = hkdf.Extract(blake2bHash, ikm, nil) if err != nil { log.Fatal(err) } @@ -301,7 +301,10 @@ func main() { kek, err = hkdf.Expand( blake2bHash, prk, - cmenc.SNTRUP4591761X25519Info, + string(append( + []byte(cmenc.SNTRUP4591761X25519Info), + encrypted.Salt[:]..., + )), chaPoly.KeyLen, ) if err != nil { @@ -386,8 +389,7 @@ func main() { keyMcEliece, keyX25519, }, []byte{}) var prk []byte - prk, err = hkdf.Extract( - cmhash.NewSHAKE256, ikm, encrypted.Salt[:]) + prk, err = hkdf.Extract(cmhash.NewSHAKE256, ikm, nil) if err != nil { log.Fatal(err) } @@ -395,7 +397,10 @@ func main() { kek, err = hkdf.Expand( cmhash.NewSHAKE256, prk, - cmenc.ClassicMcEliece6960119X25519Info, + string(append( + []byte(cmenc.ClassicMcEliece6960119X25519Info), + encrypted.Salt[:]..., + )), chaPoly.KeyLen, ) if err != nil { @@ -470,12 +475,8 @@ func main() { var kek []byte kek, err = hkdf.Expand( blake2bHash, - balloon.H(blake2bHash, - passwd, - append(salt[:], bSalt...), - *balloonS, *balloonT, *balloonP, - ), - cmballoon.HKDFInfo, + balloon.H(blake2bHash, passwd, bSalt, *balloonS, *balloonT, *balloonP), + string(append([]byte(cmballoon.HKDFInfo), salt[:]...)), chaPoly.KeyLen, ) if err != nil { 
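Review bot: The `string(append([]byte(cmenc.SNTRUP4591761X25519Info), encrypted.Salt[:]...))` expression in the -301 hunk (and the same shape in the -395, -470, -542 and -610 hunks) is a roundabout way to build the info string; plain concatenation `cmenc.SNTRUP4591761X25519Info + string(encrypted.Salt[:])` yields the identical value without the intermediate slice and reads closer to the spec's `info=... || /salt`. Binding the salt through info is unambiguous only because each Info constant is a fixed-length prefix, so a short comment at the first hkdf.Extract call, such as `// salt is bound via the Expand info (fixed-length Info prefix || salt); Extract uses no salt`, would record the rationale the commit message leaves out. With nil passed to hkdf.Extract the PRK presumably depends on the ikm alone (an RFC 5869 zero salt), and the resulting KEK differs from what the previous revision derived, so unless a format or version marker elsewhere distinguishes older ciphertexts, data encrypted before this change will no longer decrypt. main() starts and ends outside all of these hunks.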
@@ -534,7 +535,7 @@ func main() { keySNTRUP[:], keyX25519, }, []byte{}) var prk []byte - prk, err = hkdf.Extract(blake2bHash, ikm, salt[:]) + prk, err = hkdf.Extract(blake2bHash, ikm, nil) if err != nil { log.Fatal(err) } @@ -542,7 +543,7 @@ func main() { kek, err = hkdf.Expand( blake2bHash, prk, - cmenc.SNTRUP4591761X25519Info, + string(append([]byte(cmenc.SNTRUP4591761X25519Info), salt[:]...)), chaPoly.KeyLen, ) if err != nil { @@ -602,7 +603,7 @@ func main() { keyMcEliece[:], keyX25519, }, []byte{}) var prk []byte - prk, err = hkdf.Extract(cmhash.NewSHAKE256, ikm, salt[:]) + prk, err = hkdf.Extract(cmhash.NewSHAKE256, ikm, nil) if err != nil { log.Fatal(err) } @@ -610,7 +611,7 @@ func main() { kek, err = hkdf.Expand( cmhash.NewSHAKE256, prk, - cmenc.ClassicMcEliece6960119X25519Info, + string(append([]byte(cmenc.ClassicMcEliece6960119X25519Info), salt[:]...)), chaPoly.KeyLen, ) if err != nil { diff --git a/go/cm/enc/balloon/decap.go b/go/cm/enc/balloon/decap.go index b7ab13b..5aa9c56 100644 --- a/go/cm/enc/balloon/decap.go +++ b/go/cm/enc/balloon/decap.go @@ -54,12 +54,12 @@ func Decapsulate(kem cmenc.KEM, encSalt, passphrase []byte) (cek []byte, err err balloon.H( blake2bHash, passphrase, - append(encSalt, *kem.Salt...), + *kem.Salt, int(kem.BalloonCost.S), int(kem.BalloonCost.T), int(kem.BalloonCost.P), ), - HKDFInfo, + string(append([]byte(HKDFInfo), encSalt...)), chaPoly.KeyLen, ) if err != nil { diff --git a/spec/cm/encrypted.texi b/spec/cm/encrypted.texi index 912d51a..b88da31 100644 --- a/spec/cm/encrypted.texi +++ b/spec/cm/encrypted.texi @@ -104,8 +104,8 @@ Kenc || IV || Kauth = CEK @verbatim KEK = HKDF-Expand(BLAKE2b, - prk=balloon(BLAKE2b, passphrase, /salt || /kem/salt, s, t, p), - info="keks/cm/encrypted/balloon-blake2b-hkdf") + prk=balloon(BLAKE2b, passphrase, /kem/salt, s, t, p), + info="keks/cm/encrypted/balloon-blake2b-hkdf" || /salt) @end verbatim @node cm-encrypted-gost3410-hkdf-kexp15 
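Review bot: In Decapsulate, `string(append([]byte(HKDFInfo), encSalt...))` can be written as `HKDFInfo + string(encSalt)`, which produces the same info value with one fewer allocation and matches the `info="..." || /salt` form used in the spec hunk below. encSalt is a caller-supplied slice whose length is not constrained here, so a note on the argument such as `// info = HKDFInfo || encSalt; HKDFInfo is a fixed prefix, so the pair is unambiguous` would make the derivation's soundness explicit to the next reader. The Decapsulate body continues outside the hunk.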
@@ -129,9 +129,9 @@ KEK = HKDF-Expand(BLAKE2b, and KExp15 (Р 1323565.1.017) key wrapping algorithm: @verbatim -PRK = HKDF-Extract(Streebog-512, salt=bind, ikm=VKO(..., ukm=UKM)) +PRK = HKDF-Extract(Streebog-512, salt="", ikm=VKO(..., ukm=UKM)) KEKenv, IV, KEKauth = HKDF-Expand(Streebog-512, prk=PRK, - info="keks/cm/encrypted/gost3410-hkdf-kexp15") + info="keks/cm/encrypted/gost3410-hkdf-kexp15" || /salt) KExp15(KEKenc, KEKauth, IV, CEK) = CTR(Kenc, CEK || CMAC(Kauth, IV || CEK), IV=IV) @end verbatim @@ -155,8 +155,7 @@ KExp15(KEKenc, KEKauth, IV, CEK) = CTR(Kenc, CEK || CMAC(Kauth, IV || CEK), IV=I them to get the KEK decryption key of the CEK. @verbatim -PRK = HKDF-Extract(BLAKE2b, salt=/salt, - secret= +PRK = HKDF-Extract(BLAKE2b, salt="", ikm= sntrup4591761-sender-ciphertext || x25519-sender-public-key || sntrup4591761-recipient-public-key || @@ -164,7 +163,7 @@ PRK = HKDF-Extract(BLAKE2b, salt=/salt, sntrup4591761-shared-key || x25519-shared-key) KEK = HKDF-Expand(BLAKE2b, prk=PRK, - info="keks/cm/encrypted/sntrup4591761-x25519-hkdf-blake2b") + info="keks/cm/encrypted/sntrup4591761-x25519-hkdf-blake2b" || /salt) @end verbatim @code{/kem/*/cek} is encrypted with @@ -191,8 +190,7 @@ KEK = HKDF-Expand(BLAKE2b, prk=PRK, them to get the KEK decryption key of the CEK. @verbatim -PRK = HKDF-Extract(SHAKE256, salt=/salt, - secret= +PRK = HKDF-Extract(SHAKE256, salt="", ikm= mceliece6960119-sender-ciphertext || x25519-sender-public-key || mceliece6960119-recipient-public-key || @@ -200,7 +198,7 @@ PRK = HKDF-Extract(SHAKE256, salt=/salt, mceliece6960119-shared-key || x25519-shared-key)[:32] KEK = HKDF-Expand(SHAKE256, prk=PRK, - info="keks/cm/encrypted/mceliece6960119-x25519-hkdf-shake256") + info="keks/cm/encrypted/mceliece6960119-x25519-hkdf-shake256" || /salt) @end verbatim @code{/kem/*/cek} is encrypted with