From: Sergey Matveev Date: Mon, 21 Apr 2025 16:16:17 +0000 (+0300) Subject: Chain prMACs X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;p=keks.git Chain prMACs --- diff --git a/spec/cm/dem-xchapoly-krmr.texi b/spec/cm/dem-xchapoly-krmr.texi index f812648..1b133c0 100644 --- a/spec/cm/dem-xchapoly-krmr.texi +++ b/spec/cm/dem-xchapoly-krmr.texi @@ -12,18 +12,20 @@ Data is split on 128 KiB chunks, each of which is encrypted the following way: @verbatim H = BLAKE2b -CK0 = CEK +CK0, prMACx0 = CEK || prMACx CKi = HKDF-Extract(H, salt="", ikm=CK{i-1}) KEY = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krmr/key") IV = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krmr/iv", len=24) if last chunk { IV[23] |= 0x01 } else { IV[23] &= 0xFE } CIPHERTEXT || TAG = XChaCha20-Poly1305(key=KEY, ad="", nonce=IV, data=chunk) -MACi = BLAKE2b-256-MAC(key=prMACi, H(CIPHERTEXT || TAG)) -CIPHERTEXT || TAG || MAC0 [|| MAC1 ...] +prMACxi = HKDF-Extract(H, salt="", ikm=prMACx{i-1}) +MACx = BLAKE2b-256-MAC(key=prMACxi, H(CIPHERTEXT || TAG)) +CIPHERTEXT || TAG || MACx || MAC{x+1} [|| MAC{x+2} ...] @end verbatim -Chaining key (CK) advances with every chunk. 256-bit encryption key and -randomised 192-bit nonce (initialisation vector) are derived from it. +Chaining key (CK) and per-recipient MAC key advance with every chunk. +256-bit encryption key and randomised 192-bit nonce (initialisation +vector) are derived from chaining key. Nonce's lowest bit is set only if this is the last chunk we encrypting.
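Review bot: the index notation in the @verbatim block becomes ambiguous with this change. `prMACxi = HKDF-Extract(H, salt="", ikm=prMACx{i-1})` fuses the recipient index x and the chunk index i into one token, the next line `MACx = BLAKE2b-256-MAC(key=prMACxi, H(CIPHERTEXT || TAG))` drops the chunk index altogether, and the output line `CIPHERTEXT || TAG || MACx || MAC{x+1} [|| MAC{x+2} ...]` starts the recipient list at an unbound x, whereas the removed `MAC0 [|| MAC1 ...]` started at recipient 0. Suggest a two-index form such as `prMAC{x,i}` / `MAC{x,i}`, with the output line as `MAC{0,i} || MAC{1,i} [|| ...]`, and a sentence in the prose stating that x ranges over recipients, since the new text says "per-recipient MAC key" but the verbatim block never says x is the recipient. Also, `CK0, prMACx0 = CEK || prMACx` splits one concatenated value into two without saying where the split falls; the prose should give the length of the CK part. Minor: the unchanged context sentence "the last chunk we encrypting" is missing "are".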