From: Sergey Matveev
Date: Thu, 27 Feb 2025 10:13:15 +0000 (+0300)
Subject: More Chempat-like KEM combining
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=f3ec7f903ad5ccac05f840f865e088941fb95556fd4fdb42066f96a90b2fa272;p=keks.git
More Chempat-like KEM combining
---
diff --git a/go/cm/cmd/enctool/main.go b/go/cm/cmd/enctool/main.go
index 72f0aa5..df4c7a5 100644
--- a/go/cm/cmd/enctool/main.go
+++ b/go/cm/cmd/enctool/main.go
@@ -20,6 +20,7 @@ import (
 "crypto/ecdh"
 "crypto/hkdf"
 "crypto/rand"
+ "crypto/sha3"
 "errors"
 "flag"
 "fmt"
@@ -246,7 +247,7 @@ func main() {
 }
 case sntrup4591761x25519.SNTRUP4591761X25519HKDFBLAKE2b:
 if len(prvs) == 0 {
- log.Println(kemIdx, kem.A, "skipping because no -prv")
+ log.Println(kemIdx, kem.A, "skipping because no private key specified")
 continue
 }
 if kem.Encap == nil {
@@ -292,13 +293,13 @@ func main() {
 log.Fatal(err)
 }
 {
- pub := append(
+ ctHash := blake2b.Sum512(kem.Encap)
+ pkHash := blake2b.Sum512(append(
 ourSNTRUP[382:],
 ourX25519.PublicKey().Bytes()...,
- )
+ ))
 ikm := bytes.Join([][]byte{
- kem.Encap, pub,
- keySNTRUP[:], keyX25519,
+ keySNTRUP[:], keyX25519, ctHash[:], pkHash[:],
 }, []byte{})
 var prk []byte
 prk, err = hkdf.Extract(blake2bHash, ikm, nil)
@@ -334,7 +335,7 @@ func main() {
 }
 case mceliece6960119x25519.ClassicMcEliece6960119X25519HKDFSHAKE256:
 if len(prvs) == 0 {
- log.Println(kemIdx, kem.A, "skipping because no -prv")
+ log.Println(kemIdx, kem.A, "skipping because no private key specified")
 continue
 }
 if kem.Encap == nil {
@@ -365,7 +366,9 @@ func main() {
 }
 theirMcEliece := (kem.Encap)[:len(kem.Encap)-32]
 var keyMcEliece []byte
- keyMcEliece, err = mceliece6960119.Decapsulate(ourMcEliece, theirMcEliece)
+ keyMcEliece, err = mceliece6960119.Decapsulate(
+ ourMcEliece, theirMcEliece,
+ )
 if err != nil {
 log.Fatal(err)
 }
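Review bot: `pkHash := blake2b.Sum512(append(ourSNTRUP[382:], ourX25519.PublicKey().Bytes()...))` appends onto a sub-slice of what looks like the private-key blob, so whenever `ourSNTRUP` carries spare capacity the X25519 public key is written into that buffer in place instead of into a fresh one; the digest is still right, but building a hash input by appending to memory the code does not own is fragile. Hashing the two parts without a shared buffer avoids it, e.g. `pkHash := blake2b.Sum512(bytes.Join([][]byte{ourSNTRUP[382:], ourX25519.PublicKey().Bytes()}, nil))`. The result also has to be byte-identical to the `pub.V` the sender hashes on the encapsulation side, an invariant the code relies on silently; a comment such as `// must equal the recipient key blob (pub.V) the sender hashes` would make it visible. main() starts and ends outside the hunk.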
@@ -388,13 +391,13 @@ func main() {
 if err != nil {
 log.Fatal(err)
 }
- pub := append(
- ourMcEliecePubRaw,
- ourX25519.PublicKey().Bytes()...,
- )
+ pkHash := cmhash.NewSHAKE256()
+ pkHash.Write(ourMcEliecePubRaw)
+ pkHash.Write(ourX25519.PublicKey().Bytes())
 ikm := bytes.Join([][]byte{
- kem.Encap, pub,
 keyMcEliece, keyX25519,
+ sha3.SumSHAKE256(kem.Encap, 32),
+ pkHash.Sum(nil),
 }, []byte{})
 var prk []byte
 prk, err = hkdf.Extract(cmhash.NewSHAKE256, ikm, nil)
@@ -534,13 +537,15 @@ func main() {
 if err != nil {
 log.Fatal(err)
 }
- kem := cmenc.KEM{A: sntrup4591761x25519.SNTRUP4591761X25519HKDFBLAKE2b}
- encap := append(ciphertext[:], ourPubX25519.Bytes()...)
- kem.Encap = encap
+ kem := cmenc.KEM{
+ A: sntrup4591761x25519.SNTRUP4591761X25519HKDFBLAKE2b,
+ Encap: append(ciphertext[:], ourPubX25519.Bytes()...),
+ }
 {
+ ctHash := blake2b.Sum512(kem.Encap)
+ pkHash := blake2b.Sum512(pub.V)
 ikm := bytes.Join([][]byte{
- encap, pub.V,
- keySNTRUP[:], keyX25519,
+ keySNTRUP[:], keyX25519, ctHash[:], pkHash[:],
 }, []byte{})
 var prk []byte
 prk, err = hkdf.Extract(blake2bHash, ikm, nil)
@@ -602,13 +607,15 @@ func main() {
 if err != nil {
 log.Fatal(err)
 }
- kem := cmenc.KEM{A: mceliece6960119x25519.ClassicMcEliece6960119X25519HKDFSHAKE256}
- encap := append(ciphertext[:], ourPubX25519.Bytes()...)
- kem.Encap = encap
+ kem := cmenc.KEM{
+ A: mceliece6960119x25519.ClassicMcEliece6960119X25519HKDFSHAKE256,
+ Encap: append(ciphertext[:], ourPubX25519.Bytes()...),
+ }
 {
 ikm := bytes.Join([][]byte{
- encap, pub.V,
 keyMcEliece[:], keyX25519,
+ sha3.SumSHAKE256(kem.Encap, 32),
+ sha3.SumSHAKE256(pub.V, 32),
 }, []byte{})
 var prk []byte
 prk, err = hkdf.Extract(cmhash.NewSHAKE256, ikm, nil)
@@ -619,7 +626,10 @@ func main() {
 kek, err = hkdf.Expand(
 cmhash.NewSHAKE256,
 prk,
- string(append([]byte(cmenc.ClassicMcEliece6960119X25519Info), id[:]...)),
+ string(append(
+ []byte(cmenc.ClassicMcEliece6960119X25519Info),
+ id[:]...),
+ ),
 chacha20poly1305.KeySize,
 )
 if err != nil {
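Review bot: The recipient public-key hash is produced two different ways on the two sides: decapsulation builds it with `cmhash.NewSHAKE256()` and `pkHash.Sum(nil)`, whose length is whatever that wrapper's Size() happens to be, while the encapsulation hunk below uses `sha3.SumSHAKE256(pub.V, 32)`, a fixed 32 bytes. If the wrapper does not emit exactly 32 bytes the two ikm values differ and every decryption fails, and nothing in the hunk pins the length. Use the same call on both sides, e.g. `pkHash := sha3.SumSHAKE256(bytes.Join([][]byte{ourMcEliecePubRaw, ourX25519.PublicKey().Bytes()}, nil), 32)` with plain `pkHash,` in the ikm list, and state the 32-byte output in the spec, whose `SHAKE256(...)` leaves it unspecified. main() starts and ends outside the hunk.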
diff --git a/go/cm/enc/balloon/decap.go b/go/cm/enc/balloon/decap.go
index 56a3c0c..7a55f7d 100644
--- a/go/cm/enc/balloon/decap.go
+++ b/go/cm/enc/balloon/decap.go
@@ -30,7 +30,7 @@ import (
 const (
 BalloonBLAKE2bHKDF = "balloon-blake2b-hkdf"
 SaltLen = 16
- HKDFInfo = "keks/cm/encrypted/balloon-blake2b-hkdf"
+ HKDFInfo = "cm/encrypted/balloon-blake2b-hkdf"
 )
 func blake2bHash() hash.Hash {
diff --git a/go/cm/enc/chapoly/dem.go b/go/cm/enc/chapoly/dem.go
index b23888e..854a84d 100644
--- a/go/cm/enc/chapoly/dem.go
+++ b/go/cm/enc/chapoly/dem.go
@@ -70,7 +70,7 @@ func do(
 var errHKDF error
 for {
 keyAndCommitment, errHKDF = hkdf.Expand(
- blake2bHash, ck, "dem-chapoly-krkc",
+ blake2bHash, ck, "cm/encrypted/chapoly-krkc",
 chacha20poly1305.KeySize+CommitmentLen)
 if errHKDF != nil {
 panic(errHKDF)
diff --git a/go/cm/enc/kem.go b/go/cm/enc/kem.go
index bb4a3b4..7e41cad 100644
--- a/go/cm/enc/kem.go
+++ b/go/cm/enc/kem.go
@@ -5,8 +5,8 @@ import (
 )
 const (
- SNTRUP4591761X25519Info = "keks/cm/encrypted/sntrup4591761-x25519-hkdf-blake2b"
- ClassicMcEliece6960119X25519Info = "keks/cm/encrypted/mceliece6960119-x25519-hkdf-shake256"
+ SNTRUP4591761X25519Info = "cm/encrypted/sntrup4591761-x25519-hkdf-blake2b"
+ ClassicMcEliece6960119X25519Info = "cm/encrypted/mceliece6960119-x25519-hkdf-shake256"
 )
 type KEM struct {
diff --git a/spec/cm/dem-chapoly-krkc.texi b/spec/cm/dem-chapoly-krkc.texi
index c3700a8..67ad95f 100644
--- a/spec/cm/dem-chapoly-krkc.texi
+++ b/spec/cm/dem-chapoly-krkc.texi
@@ -11,7 +11,7 @@ Data is split on 128 KiB chunks, each of which is encrypted the following way:
 @verbatim
 CK0 = CEK
 CKi = HKDF-Extract(BLAKE2b, salt="", ikm=CK{i-1})
-KEY || COMMITMENT = HKDF-Expand(BLAKE2b, prk=CKi, info="dem-chapoly-krkc")
+KEY || COMMITMENT = HKDF-Expand(BLAKE2b, prk=CKi, info="cm/encrypted/chapoly-krkc")
 ChaCha20-Poly1305(key=KEY, ad="", nonce=11*0x00 || tail-flag, data=chunk) || COMMITMENT
 @end verbatim
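Review bot: Every HKDF info label touched by this commit changes (`SNTRUP4591761X25519Info` and `ClassicMcEliece6960119X25519Info` here, `HKDFInfo` in balloon/decap.go, the chapoly DEM string), and a different info yields a different KEK and key stream, so data produced by a previous build can no longer be decrypted; nothing in these hunks records a format version or keeps the old labels for reading. If the format is already in use that deserves a line in the commit message, and in any case a comment above the constants, e.g. `// Part of the wire format: changing a label changes every derived key.`, would stop the next edit from doing this by accident.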
diff --git a/spec/cm/dem-kuznechik-ctr-hmac-kr.texi b/spec/cm/dem-kuznechik-ctr-hmac-kr.texi
index 1df0f05..508a6f4 100644
--- a/spec/cm/dem-kuznechik-ctr-hmac-kr.texi
+++ b/spec/cm/dem-kuznechik-ctr-hmac-kr.texi
@@ -12,7 +12,7 @@ Data is split on 128 KiB chunks, each of which is encrypted the following way:
 CK0 = CEK
 CKi = HKDF-Extract(Streebog-512, salt="", ikm=CK{i-1})
 Kenc || Kauth || KauthTail = HKDF-Expand(
- Streebog-512, prk=CKi, info="dem-kuznechik-ctr-hmac-kr")
+ Streebog-512, prk=CKi, info="cm/encrypted/kuznechik-ctr-hmac-kr")
 CT = Kuznechik-CTR(key=Kenc, ctr=0x00, data=chunk)
 CT || HMAC(Streebog-256, key={Kauth|KauthTail}, data=CT)
 @end verbatim
diff --git a/spec/cm/kem-balloon-blake2b-hkdf.texi b/spec/cm/kem-balloon-blake2b-hkdf.texi
index c87c5fa..61bd83a 100644
--- a/spec/cm/kem-balloon-blake2b-hkdf.texi
+++ b/spec/cm/kem-balloon-blake2b-hkdf.texi
@@ -23,7 +23,7 @@ password hasher must be used with BLAKE2b hash.
 @verbatim
 KEK = HKDF-Expand(BLAKE2b, prk=balloon(BLAKE2b, passphrase, /kem/salt, s, t, p),
- info="keks/cm/encrypted/balloon-blake2b-hkdf" || /id)
+ info="cm/encrypted/balloon-blake2b-hkdf" || /id)
 @end verbatim
 @code{/kem/*/cek} is wrapped with @ref{keywrap-xchapoly} mechanism.
diff --git a/spec/cm/kem-gost3410-hkdf.texi b/spec/cm/kem-gost3410-hkdf.texi
index adba835..d660f45 100644
--- a/spec/cm/kem-gost3410-hkdf.texi
+++ b/spec/cm/kem-gost3410-hkdf.texi
@@ -20,8 +20,7 @@ and KExp15 (Р 1323565.1.017) key wrapping algorithm:
 @verbatim
 PRK = HKDF-Extract(Streebog-512, salt="", ikm=VKO(..., ukm=UKM))
-KEK= HKDF-Expand(Streebog-512, prk=PRK,
- info="keks/cm/encrypted/gost3410-hkdf" || /id)
+KEK= HKDF-Expand(Streebog-512, prk=PRK, info="cm/encrypted/gost3410-hkdf" || /id)
 @end verbatim
 @code{/kem/*/cek} is wrapped with @ref{keywrap-kexp15} mechanism.
diff --git a/spec/cm/kem-mceliece6960119-x25519-hkdf-shake256.texi b/spec/cm/kem-mceliece6960119-x25519-hkdf-shake256.texi
index 9c00499..0fda580 100644
--- a/spec/cm/kem-mceliece6960119-x25519-hkdf-shake256.texi
+++ b/spec/cm/kem-mceliece6960119-x25519-hkdf-shake256.texi
@@ -19,14 +19,11 @@ them to get the KEK decryption key of the CEK.
 @verbatim
 PRK = HKDF-Extract(SHAKE256, salt="", ikm=
- mceliece6960119-sender-ciphertext ||
- x25519-sender-public-key ||
- mceliece6960119-recipient-public-key ||
- x25519-recipient-public-key ||
- mceliece6960119-shared-key ||
- x25519-shared-key)[:32]
+ mceliece6960119-shared-key || x25519-shared-key ||
+ SHAKE256(mceliece6960119-sender-ciphertext || x25519-sender-public-key) ||
+ SHAKE256(mceliece6960119-recipient-public-key || x25519-recipient-public-key))
 KEK = HKDF-Expand(SHAKE256, prk=PRK,
- info="keks/cm/encrypted/mceliece6960119-x25519-hkdf-shake256" || /salt)
+ info="cm/encrypted/mceliece6960119-x25519-hkdf-shake256" || /salt)
 @end verbatim
 @code{/kem/*/cek} is wrapped with @ref{keywrap-xchapoly} mechanism.
diff --git a/spec/cm/kem-sntrup4591761-x25519-hkdf-blake2b.texi b/spec/cm/kem-sntrup4591761-x25519-hkdf-blake2b.texi
index fca71c7..35e1b09 100644
--- a/spec/cm/kem-sntrup4591761-x25519-hkdf-blake2b.texi
+++ b/spec/cm/kem-sntrup4591761-x25519-hkdf-blake2b.texi
@@ -18,14 +18,11 @@ key of the CEK.
 @verbatim
 PRK = HKDF-Extract(BLAKE2b, salt="", ikm=
- sntrup4591761-sender-ciphertext ||
- x25519-sender-public-key ||
- sntrup4591761-recipient-public-key ||
- x25519-recipient-public-key ||
- sntrup4591761-shared-key ||
- x25519-shared-key)
+ sntrup4591761-shared-key || x25519-shared-key ||
+ BLAKE2b(sntrup4591761-sender-ciphertext || x25519-sender-public-key) ||
+ BLAKE2b(sntrup4591761-recipient-public-key || x25519-recipient-public-key))
 KEK = HKDF-Expand(BLAKE2b, prk=PRK,
- info="keks/cm/encrypted/sntrup4591761-x25519-hkdf-blake2b" || /id)
+ info="cm/encrypted/sntrup4591761-x25519-hkdf-blake2b" || /id)
 @end verbatim
 @code{/kem/*/cek} is wrapped with @ref{keywrap-xchapoly} mechanism.