From: Sergey Matveev Date: Wed, 28 May 2025 11:37:33 +0000 (+0300) Subject: No need in Poly1305 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=e37958afa1a572c865ec23d2ede0b3b7e7150963089d1ab1fc23c8a34cfe7e8b;p=keks.git No need in Poly1305 --- diff --git a/spec/cm/dem/xchapoly-krmr b/spec/cm/dem/xchacha-krmr similarity index 69% rename from spec/cm/dem/xchapoly-krmr rename to spec/cm/dem/xchacha-krmr index e3ac53c..9a2d1b3 100644 --- a/spec/cm/dem/xchapoly-krmr +++ b/spec/cm/dem/xchacha-krmr @@ -1,5 +1,5 @@ -XChaCha20-Poly1305 with key ratcheting and multi-recipient DEM. -[cm/encrypted/]'s "/dem/a" equals to "xchapoly-krmr". +XChaCha20 with key ratcheting and multi-recipient DEM. +[cm/encrypted/]'s "/dem/a" equals to "xchacha-krmr". CEK consists of common 64-bytes part equal in all KEMs (CEK itself), and 64 bytes long per-KEM/per-recipient random MAC key (prMACx). Data is split on 128 KiB chunks, each of which is encrypted the following way: 
@@ -8,12 +8,12 @@ Data is split on 128 KiB chunks, each of which is encrypted the following way: CK0, prMACx0 = CEK || prMACx CKi = HKDF-Extract(H, salt="", ikm=CK{i-1}) prMACxi = HKDF-Extract(H, salt="", ikm=prMACx{i-1}) - KEY = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krmr/key") - IV = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krmr/iv", len=24) + KEY = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchacha-krmr/key") + IV = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchacha-krmr/iv", len=24) if {last chunk} then { IV[23] |= 0x01 } else { IV[23] &= 0xFE } - CIPHERTEXT || TAG = XChaCha20-Poly1305(key=KEY, ad="", nonce=IV, data=chunk) - MACx = BLAKE2b-256-MAC(key=prMACxi, H(CIPHERTEXT || TAG)) - CIPHERTEXT || TAG || MACx || MAC{x+1} [|| MAC{x+2} ...] + CIPHERTEXT = XChaCha20(key=KEY, nonce=IV, data=chunk) + MACx = BLAKE2b-256-MAC(key=prMACxi, H(CIPHERTEXT)) + CIPHERTEXT || MACx || MAC{x+1} [|| MAC{x+2} ...] Chaining key (CK) and per-recipient MAC (prMAC) key advance with every chunk. 256-bit encryption key and randomised 192-bit nonce diff --git a/spec/cm/encrypted/authcrypt b/spec/cm/encrypted/authcrypt index 309a501..047fb0f 100644 --- a/spec/cm/encrypted/authcrypt +++ b/spec/cm/encrypted/authcrypt @@ -10,6 +10,6 @@ sender's public key(s). Public keys may be encrypted, to hide the actual deanonymisation contents. It is *highly* recommended to use multi-recipient safe DEM when -encrypting to multiple recipients. For example [cm/dem/xchapoly-krmr] +encrypting to multiple recipients. For example [cm/dem/xchacha-krmr] instead of [cm/dem/xchapoly-krkc], but unfortunately with the price of more expensive double pass authentication scheme. diff --git a/tcl/schemas/encrypted.tcl b/tcl/schemas/encrypted.tcl index 15d87f1..6562043 100644 --- a/tcl/schemas/encrypted.tcl +++ b/tcl/schemas/encrypted.tcl @@ -9,7 +9,7 @@ encrypted { dem { {field . {map}} {field a {str} >0} {# xchapoly-krkc} - {# xchapoly-krmr} + {# xchacha-krmr} {# kuznechik-ctr-hmac-kr} }
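Review bot: the rename in the first xchacha-krmr hunk changes a wire-format identifier, not just a file name: "/dem/a" goes from "xchapoly-krmr" to "xchacha-krmr", so any already-encrypted message carrying the old value will no longer match this spec. Either state in the spec that the old identifier is retired (and whether decryptors must reject it), or keep a one-line compatibility note next to the new name.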
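Review bot: in the second xchacha-krmr hunk, dropping the Poly1305 tag leaves MACx as the only integrity check, and XChaCha20 alone is malleable, so the spec should say explicitly that a recipient verifies its MACx over H(CIPHERTEXT) before any plaintext of that chunk is released; the hunk currently shows the construction only, not that ordering requirement. Note also that MACx covers H(CIPHERTEXT) but not IV, so the "last chunk" bit in IV[23] is not authenticated by the MAC; chunk order is bound only through the CK and prMACx ratchet, and a stream cut after a complete non-final chunk is detectable only if the decryptor insists on seeing a chunk with the last-chunk flag before accepting the stream as complete. Worth one sentence after `CIPHERTEXT || MACx || MAC{x+1} [|| MAC{x+2} ...]` stating both checks.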
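Review bot: in the authcrypt hunk the trailing context still describes [cm/dem/xchacha-krmr] as costing "a more expensive double pass authentication scheme" relative to [cm/dem/xchapoly-krkc]. With the Poly1305 pass removed from xchacha-krmr, the per-chunk work is now XChaCha20 plus H(CIPHERTEXT) plus one BLAKE2b MAC per recipient, so re-check whether that cost comparison is still accurate and reword it if not.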
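Review bot: the encrypted.tcl hunk only updates a comment; the actual constraint is `{field a {str} >0}`, which accepts any non-empty string, so nothing in the schema rejects the retired "xchapoly-krmr" value or any other typo'd DEM name. If the schema is meant to be the validation point, consider an explicit allowed-values constraint for `a`; otherwise add a comment saying the identifier is validated by the DEM dispatch code, not here.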