From 5c8b6c4b12930720d2a75b1689f96334cbbbf3b52436c6c3efd4d1c121cd727c Mon Sep 17 00:00:00 2001 From: Sergey Matveev Date: Thu, 10 Apr 2025 12:48:37 +0300 Subject: [PATCH] Split out KEMs from encrypted scheme --- spec/cm/kem-balloon-blake2b-hkdf.texi | 14 +------- spec/cm/kem-gost3410-hkdf.texi | 10 +----- ...-mceliece6960119-x25519-hkdf-shake256.texi | 9 ++--- ...kem-sntrup4591761-x25519-hkdf-blake2b.texi | 8 +++-- tcl/schemas/encrypted.tcl | 33 ++----------------- tcl/schemas/kem-balloon-blake2b-hkdf.tcl | 12 +++++++ tcl/schemas/kem-gost3410-hkdf-kexp15.tcl | 7 ++++ tcl/schemas/kem-with-encap.tcl | 8 +++++ 8 files changed, 42 insertions(+), 59 deletions(-) create mode 100644 tcl/schemas/kem-balloon-blake2b-hkdf.tcl create mode 100644 tcl/schemas/kem-gost3410-hkdf-kexp15.tcl create mode 100644 tcl/schemas/kem-with-encap.tcl diff --git a/spec/cm/kem-balloon-blake2b-hkdf.texi b/spec/cm/kem-balloon-blake2b-hkdf.texi index faabf29..4246110 100644 --- a/spec/cm/kem-balloon-blake2b-hkdf.texi +++ b/spec/cm/kem-balloon-blake2b-hkdf.texi @@ -3,19 +3,7 @@ @nodedescription Balloon-BLAKE2b+HKDF KEM @subsubsection Balloon-BLAKE2b+HKDF KEM -@code{/kem/*/a} equals to "balloon-blake2b-hkdf". -Recipient map must also contain additional fields: - -@table @code -@item /kem/*/cost/s: uint64 - Balloon's space cost (buffer size, number of hash-output sized blocks). -@item /kem/*/cost/t: uint64 - Balloon's time cost (number of rounds). -@item /kem/*/cost/p: uint64 - Balloon's parallel cost (number of threads). -@item /kem/*/salt: bytes - Salt. -@end table +@verbatiminclude ../tcl/schemas/kem-balloon-blake2b-hkdf.tcl @url{https://crypto.stanford.edu/balloon/, Balloon} memory-hardened password hasher must be used with BLAKE2b hash. diff --git a/spec/cm/kem-gost3410-hkdf.texi b/spec/cm/kem-gost3410-hkdf.texi index ef2bbb0..6db2006 100644 --- a/spec/cm/kem-gost3410-hkdf.texi +++ b/spec/cm/kem-gost3410-hkdf.texi 
@@ -3,15 +3,7 @@ @nodedescription GOST R 34.10+HKDF KEM @subsubsection GOST R 34.10+HKDF KEM -@code{/kem/*/a} equals to "gost3410-hkdf". -Recipient map must also contain additional fields: - -@table @code -@item /to/*/ukm: bytes - Additional 16-bytes keying material. -@item /to/*/pub: bytes - Sender's ephemeral 512-bit public key. -@end table +@verbatiminclude ../tcl/schemas/kem-gost3410-hkdf-kexp15.tcl GOST R 34.10-2012 VKO parameter set A/C ("gost3410-256A", "gost3410-512C") must be used for DH operation, with UKM taken from the structure. VKO's diff --git a/spec/cm/kem-mceliece6960119-x25519-hkdf-shake256.texi b/spec/cm/kem-mceliece6960119-x25519-hkdf-shake256.texi index 949824e..5ddee79 100644 --- a/spec/cm/kem-mceliece6960119-x25519-hkdf-shake256.texi +++ b/spec/cm/kem-mceliece6960119-x25519-hkdf-shake256.texi @@ -3,15 +3,16 @@ @nodedescription Classic McEliece 6960-119+X25519+HKDF-SHAKE256 KEM @subsubsection Classic McEliece 6960-119+X25519+HKDF-SHAKE256 KEM +@verbatiminclude ../tcl/schemas/kem-with-encap.tcl + @code{/kem/*/a} equals to "mceliece6960119-x25519-hkdf-shake256". Recipient public key with @ref{cm-pub-mceliece6960119-x25519, @code{mceliece6960119-x25519}} algorithm must be used. It should have "kem" key usage set. -Recipient map must also contain additional field: -@code{/kem/*/encap: bytes} -- concatenation of 194 bytes of -Classic McEliece 6960-119 ciphertext with 32 bytes of ephemeral -X25519 public key. +Recipient's map @code{/kem/*/encap} field is a concatenation of +194 bytes of Classic McEliece 6960-119 ciphertext with 32 bytes of +ephemeral X25519 public key. Recipient performs X25519 and Classic McEliece computations to derive/decapsulate two 32-byte shared keys. Then it combines diff --git a/spec/cm/kem-sntrup4591761-x25519-hkdf-blake2b.texi b/spec/cm/kem-sntrup4591761-x25519-hkdf-blake2b.texi index 9f54c18..cd8d89c 100644 --- a/spec/cm/kem-sntrup4591761-x25519-hkdf-blake2b.texi +++ b/spec/cm/kem-sntrup4591761-x25519-hkdf-blake2b.texi 
@@ -3,14 +3,16 @@ @nodedescription SNTRUP4591761+X25519+HKDF-BLAKE2b KEM @subsubsection SNTRUP4591761+X25519+HKDF-BLAKE2b KEM +@verbatiminclude ../tcl/schemas/kem-with-encap.tcl + @code{/kem/*/a} equals to "sntrup4591761-x25519-hkdf-blake2b". Recipient public key with @ref{cm-pub-sntrup4591761-x25519, @code{sntrup4591761-x25519}} algorithm must be used. It should have "kem" key usage set. -Recipient map must also contain additional field: @code{/kem/*/encap: -bytes} -- concatenation of 1047 bytes of Streamlined NTRU Prime -4591^761's ciphertext with 32 bytes of ephemeral X25519 public key. +Recipient's map @code{/kem/*/encap} field is a concatenation of 1047 +bytes of Streamlined NTRU Prime 4591^761's ciphertext with 32 bytes of +ephemeral X25519 public key. Recipient performs X25519 and SNTRUP computations to derive/decapsulate two 32-byte shared keys. Then it combines them to get the KEK decryption diff --git a/tcl/schemas/encrypted.tcl b/tcl/schemas/encrypted.tcl index 21e0cbe..7917c39 100644 --- a/tcl/schemas/encrypted.tcl +++ b/tcl/schemas/encrypted.tcl @@ -17,34 +17,7 @@ kem { {field cek {bin} >0} } -balloon-cost { - {field s {int} >0} {# space cost} - {field t {int} >0} {# time cost} - {field p {int} >0} {# parallel cost} -} - -kem-balloon-blake2b-hkdf { - {field a {str} =balloon-blake2b-hkdf} - {field cek {bin} >0} - {field salt {bin} >0} - {field cost {with balloon-cost}} -} - -kem-gost3410-hkdf-kexp15 { - {field a {str} =gost3410-hkdf-kexp15} - {field cek {bin} >0} - {field ukm {bin} >0} - {field pub {bin} >0} - {field to {with fpr} optional} {# recipient's public key} -} - -kem-with-encap { - {# sntrup4591761-x25519-hkdf-blake2b} - {# mceliece6960119-x25519-hkdf-shake256} - {field a {str} >0} - {field cek {bin} >0} - {field encap {bin} >0} - {field to {with fpr} optional} {# recipient's public key} -} - schema-include fpr.tcl +schema-include kem-with-encap.tcl +schema-include kem-gost3410-hkdf-kexp15.tcl +schema-include kem-balloon-blake2b-hkdf.tcl 
diff --git a/tcl/schemas/kem-balloon-blake2b-hkdf.tcl b/tcl/schemas/kem-balloon-blake2b-hkdf.tcl
new file mode 100644
index 0000000..287b137
--- /dev/null
+++ b/tcl/schemas/kem-balloon-blake2b-hkdf.tcl
@@ -0,0 +1,12 @@
+balloon-cost {
+ {field s {int} >0} {# space cost}
+ {field t {int} >0} {# time cost}
+ {field p {int} >0} {# parallel cost}
+}
+
+kem-balloon-blake2b-hkdf {
+ {field a {str} =balloon-blake2b-hkdf}
+ {field cek {bin} >0} {# wrapped CEK}
+ {field salt {bin} >0}
+ {field cost {with balloon-cost}}
+}
diff --git a/tcl/schemas/kem-gost3410-hkdf-kexp15.tcl b/tcl/schemas/kem-gost3410-hkdf-kexp15.tcl
new file mode 100644
index 0000000..08268b2
--- /dev/null
+++ b/tcl/schemas/kem-gost3410-hkdf-kexp15.tcl
@@ -0,0 +1,7 @@
+kem-gost3410-hkdf-kexp15 {
+ {field a {str} =gost3410-hkdf-kexp15}
+ {field cek {bin} >0} {# wrapped CEK}
+ {field ukm {bin} len=16} {# additional keying material}
+ {field pub {bin} >0} {# sender's ephemeral public key}
+ {field to {with fpr} optional} {# recipient's public key}
+}
diff --git a/tcl/schemas/kem-with-encap.tcl b/tcl/schemas/kem-with-encap.tcl
new file mode 100644
index 0000000..4f0752d
--- /dev/null
+++ b/tcl/schemas/kem-with-encap.tcl
@@ -0,0 +1,8 @@
+kem-with-encap {
+ {# sntrup4591761-x25519-hkdf-blake2b}
+ {# mceliece6960119-x25519-hkdf-shake256}
+ {field a {str} >0}
+ {field cek {bin} >0} {# wrapped CEK}
+ {field encap {bin} >0}
+ {field to {with fpr} optional} {# recipient's public key}
+}
-- 
2.48.1
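Review bot: In tcl/schemas/kem-balloon-blake2b-hkdf.tcl the `balloon-cost` fields `s`, `t` and `p` are bounded only from below (`>0`), so the schema accepts arbitrarily large cost values read from an untrusted container. A recipient that passes them straight to Balloon can be driven into memory or CPU exhaustion, presumably before the CEK unwrap has authenticated anything. If the schema language has no upper-bound constraint, state the requirement at the definition, e.g. `{field s {int} >0} {# space cost; decoder must enforce a local upper limit}`, and likewise for `t` and `p`. `salt` is also only `>0`, which admits a one-byte salt, so a minimum length is worth stating there as well.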
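Review bot: In tcl/schemas/kem-gost3410-hkdf-kexp15.tcl `pub` is still constrained only by `>0`, while `ukm` beside it is pinned with `len=16`. The table removed from kem-gost3410-hkdf.texi described this field as a 512-bit key, and that size is no longer recorded anywhere once the table is replaced by the schema include. I would put the expected length back into the comment, e.g. `{field pub {bin} >0} {# sender's ephemeral public key; length fixed by the parameter set}`. Decoders should also reject a `pub` of any other length, or one that does not decode to a valid curve point, before the VKO step.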
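Review bot: In tcl/schemas/kem-with-encap.tcl `a` is `{str} >0`, so any non-empty algorithm name validates. The two intended identifiers exist only as comments, unlike the `=balloon-blake2b-hkdf` and `=gost3410-hkdf-kexp15` pins in the sibling schema files. `encap` is likewise only `>0`, although the .texi pages give fixed sizes (194+32 bytes for Classic McEliece, 1047+32 bytes for SNTRUP). If the schema language cannot express a choice of values, the comments should say that the decoder must match `a` against exactly these two names and check the `encap` length for the selected algorithm before decapsulation, e.g. `{field encap {bin} >0} {# 226 or 1079 bytes, depending on a}`.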