From 16cd69ea98b0c75a195c1c21bd75beec29cc56b73e9abe14bb2b51b78b7d5255 Mon Sep 17 00:00:00 2001
From: Sergey Matveev
Date: Sun, 21 Sep 2025 19:34:24 +0300
Subject: [PATCH] No need in keeping TAG
---
 spec/cm/dem/xchapoly-krkc | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/spec/cm/dem/xchapoly-krkc b/spec/cm/dem/xchapoly-krkc
index 8224737..7c0a58e 100644
--- a/spec/cm/dem/xchapoly-krkc
+++ b/spec/cm/dem/xchapoly-krkc
@@ -10,10 +10,12 @@ Data is split on 128 KiB chunks, each of which is encrypted the following way:
 info="cm/encrypted/xchapoly-krkc/kr")
 KEY = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krkc/key")
 IV = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krkc/iv", len=24)
+ MAC = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krkc/mac")
 if {last chunk} then { IV[23] |= 0x01 } else { IV[23] &= 0xFE }
- CIPHERTEXT || TAG = XChaCha20-Poly1305(key=KEY, ad="", nonce=IV, data=chunk)
- COMMITMENT = BLAKE2b-256(KEY || IV || TAG)
- CIPHERTEXT || TAG || COMMITMENT
+ CIPHERTEXT = XChaCha20(key=KEY, nonce=IV, data=chunk)
+ TAG = Poly1305(key=MAC, data=CIPHERTEXT)
+ COMMITMENT = BLAKE2b-256(KEY || IV || MAC || TAG)
+ CIPHERTEXT || COMMITMENT
 Chaining key (CK) advances with every chunk. 256-bit encryption key and randomised 192-bit nonce (initialisation vector) are derived from it.
--
2.51.0
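Review bot: Splitting the AEAD into `XChaCha20(key=KEY, nonce=IV, data=chunk)` and `Poly1305(key=MAC, data=CIPHERTEXT)` leaves two details undefined that XChaCha20-Poly1305 used to fix implicitly: the stream cipher's initial block counter, and whether the Poly1305 input is the raw ciphertext or also carries the AEAD's padding and length block. Implementations that choose differently will compute different TAG values and reject each other's chunks, so both should be pinned next to those lines, for example with an explicit `counter=0` argument and a sentence stating that Poly1305 runs over the ciphertext bytes only. Because TAG is no longer transmitted, COMMITMENT becomes the only integrity check on a chunk; the text visible here does not say how a decryptor verifies it, and a line requiring the recomputed COMMITMENT to be compared in constant time before any plaintext is released would close that gap. The paragraph after the block still names only the key and nonce as derived from CK and could mention the per-chunk one-time MAC key as well; the section continues outside the hunk, so this may already be covered there.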