From 86b432976aa472a740137f279df1a29c673d023275b28add9a5fa5fcb073ebf7 Mon Sep 17 00:00:00 2001
From: Sergey Matveev
Date: Mon, 21 Apr 2025 16:15:39 +0300
Subject: [PATCH] Move hash to variable for easier reading
---
 spec/cm/dem-kuznechik-ctr-hmac-kr.texi | 15 ++++++---------
 spec/cm/dem-xchapoly-krkc.texi | 7 ++++---
 spec/cm/kem-balloon-blake2b-hkdf.texi | 5 +++--
 spec/cm/kem-gost3410-hkdf.texi | 5 +++--
 .../kem-mceliece6960119-x25519-hkdf-shake256.texi | 9 +++++----
 .../cm/kem-sntrup4591761-x25519-hkdf-blake2b.texi | 10 +++++-----
 6 files changed, 26 insertions(+), 25 deletions(-)
diff --git a/spec/cm/dem-kuznechik-ctr-hmac-kr.texi b/spec/cm/dem-kuznechik-ctr-hmac-kr.texi
index 08f3052..b9e2fb0 100644
--- a/spec/cm/dem-kuznechik-ctr-hmac-kr.texi
+++ b/spec/cm/dem-kuznechik-ctr-hmac-kr.texi
@@ -9,16 +9,13 @@ CEK is 64 bytes long. Data is split on 128 KiB chunks, each of which is encrypted the following way:
 @verbatim
+H = Streebog-512
 CK0 = CEK
-CKi = HKDF-Extract(Streebog-512, salt="", ikm=CK{i-1})
-Kenc = HKDF-Expand(Streebog-512, prk=CKi,
- info="cm/encrypted/kuznechik-ctr-hmac-kr/enc")
-IV = HKDF-Expand(Streebog-512, prk=CKi,
- info="cm/encrypted/kuznechik-ctr-hmac-kr/iv", len=8)
-Kauth || KauthTail = HKDF-Expand(Streebog-512, prk=CKi,
- info="cm/encrypted/kuznechik-ctr-hmac-kr/auth")
-KauthTail = HKDF-Expand(Streebog-512, prk=CKi,
- info="cm/encrypted/kuznechik-ctr-hmac-kr/authTail")
+CKi = HKDF-Extract(H, salt="", ikm=CK{i-1})
+Kenc = HKDF-Expand(H, prk=CKi, info="cm/encrypted/kuznechik-ctr-hmac-kr/enc")
+IV = HKDF-Expand(H, prk=CKi, info="cm/encrypted/kuznechik-ctr-hmac-kr/iv", len=8)
+Kauth || KauthTail = HKDF-Expand(H, prk=CKi, info="cm/encrypted/kuznechik-ctr-hmac-kr/auth")
+KauthTail = HKDF-Expand(H, prk=CKi, info="cm/encrypted/kuznechik-ctr-hmac-kr/authTail")
 CT = Kuznechik-CTR(key=Kenc, ctr=IV, data=chunk)
 CT || HMAC(Streebog-256, key={Kauth|KauthTail}, data=CT)
 @end verbatim
diff --git a/spec/cm/dem-xchapoly-krkc.texi b/spec/cm/dem-xchapoly-krkc.texi
index b0ecb55..ae3e520 100644
--- a/spec/cm/dem-xchapoly-krkc.texi
+++ b/spec/cm/dem-xchapoly-krkc.texi
@@ -9,10 +9,11 @@ CEK is 64 bytes long. Data is split on 128 KiB chunks, each of which is encrypted the following way:
 @verbatim
+H = BLAKE2b
 CK0 = CEK
-CKi = HKDF-Extract(BLAKE2b, salt="", ikm=CK{i-1})
-KEY = HKDF-Expand(BLAKE2b, prk=CKi, info="cm/encrypted/xchapoly-krkc/key")
-IV = HKDF-Expand(BLAKE2b, prk=CKi, info="cm/encrypted/xchapoly-krkc/iv", len=24)
+CKi = HKDF-Extract(H, salt="", ikm=CK{i-1})
+KEY = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krkc/key")
+IV = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krkc/iv", len=24)
 if last chunk { IV[23] |= 0x01 } else { IV[23] &= 0xFE }
 CIPHERTEXT || TAG = XChaCha20-Poly1305(key=KEY, ad="", nonce=IV, data=chunk)
 COMMITMENT = BLAKE2b-256(KEY || IV || TAG)
diff --git a/spec/cm/kem-balloon-blake2b-hkdf.texi b/spec/cm/kem-balloon-blake2b-hkdf.texi
index 4246110..c6e8c50 100644
--- a/spec/cm/kem-balloon-blake2b-hkdf.texi
+++ b/spec/cm/kem-balloon-blake2b-hkdf.texi
@@ -9,8 +9,9 @@ password hasher must be used with BLAKE2b hash.
 @verbatim
-KEK = HKDF-Expand(BLAKE2b,
- prk=balloon(BLAKE2b, passphrase, /kem/salt, s, t, p),
+H = BLAKE2b
+KEK = HKDF-Expand(H,
+ prk=balloon(H, passphrase, /kem/salt, s, t, p),
 info="cm/encrypted/balloon-blake2b-hkdf" || /id)
 @end verbatim
diff --git a/spec/cm/kem-gost3410-hkdf.texi b/spec/cm/kem-gost3410-hkdf.texi
index e9e3057..7f77fb3 100644
--- a/spec/cm/kem-gost3410-hkdf.texi
+++ b/spec/cm/kem-gost3410-hkdf.texi
@@ -10,8 +10,9 @@ must be used for DH operation, with UKM taken from the structure. VKO's output is 512- or 1024-bit @code{BE(X)||BE(Y)} point, used in HKDF below:
 @verbatim
-PRK = HKDF-Extract(Streebog-512, salt="", ikm=VKO(..., ukm=UKM))
-KEK = HKDF-Expand(Streebog-512, prk=PRK, info="cm/encrypted/gost3410-hkdf" || /id)
+H = Streebog-512
+PRK = HKDF-Extract(H, salt="", ikm=VKO(..., ukm=UKM))
+KEK = HKDF-Expand(H, prk=PRK, info="cm/encrypted/gost3410-hkdf" || /id)
 @end verbatim
 @code{/kem/*/cek} is wrapped with @ref{keywrap-kexp15} mechanism.
diff --git a/spec/cm/kem-mceliece6960119-x25519-hkdf-shake256.texi b/spec/cm/kem-mceliece6960119-x25519-hkdf-shake256.texi
index 5ddee79..db507dd 100644
--- a/spec/cm/kem-mceliece6960119-x25519-hkdf-shake256.texi
+++ b/spec/cm/kem-mceliece6960119-x25519-hkdf-shake256.texi
@@ -19,11 +19,12 @@ derive/decapsulate two 32-byte shared keys. Then it combines them to get the KEK decryption key of the CEK.
 @verbatim
-PRK = HKDF-Extract(SHAKE256, salt="", ikm=
+H = SHAKE256
+PRK = HKDF-Extract(H, salt="", ikm=
 mceliece6960119-shared-key || x25519-shared-key ||
- SHAKE256(mceliece6960119-sender-ciphertext || x25519-sender-public-key) ||
- SHAKE256(mceliece6960119-recipient-public-key || x25519-recipient-public-key))
-KEK = HKDF-Expand(SHAKE256, prk=PRK,
+ H(mceliece6960119-sender-ciphertext || x25519-sender-public-key) ||
+ H(mceliece6960119-recipient-public-key || x25519-recipient-public-key))
+KEK = HKDF-Expand(H, prk=PRK,
 info="cm/encrypted/mceliece6960119-x25519-hkdf-shake256" || /salt)
 @end verbatim
diff --git a/spec/cm/kem-sntrup4591761-x25519-hkdf-blake2b.texi b/spec/cm/kem-sntrup4591761-x25519-hkdf-blake2b.texi
index cd8d89c..3d5e0d4 100644
--- a/spec/cm/kem-sntrup4591761-x25519-hkdf-blake2b.texi
+++ b/spec/cm/kem-sntrup4591761-x25519-hkdf-blake2b.texi
@@ -19,12 +19,12 @@ two 32-byte shared keys. Then it combines them to get the KEK decryption key of the CEK.
 @verbatim
-PRK = HKDF-Extract(BLAKE2b, salt="", ikm=
+H = BLAKE2b
+PRK = HKDF-Extract(H, salt="", ikm=
 sntrup4591761-shared-key || x25519-shared-key ||
- BLAKE2b(sntrup4591761-sender-ciphertext || x25519-sender-public-key) ||
- BLAKE2b(sntrup4591761-recipient-public-key || x25519-recipient-public-key))
-KEK = HKDF-Expand(BLAKE2b, prk=PRK,
- info="cm/encrypted/sntrup4591761-x25519-hkdf-blake2b" || /id)
+ H(sntrup4591761-sender-ciphertext || x25519-sender-public-key) ||
+ H(sntrup4591761-recipient-public-key || x25519-recipient-public-key))
+KEK = HKDF-Expand(H, prk=PRK, info="cm/encrypted/sntrup4591761-x25519-hkdf-blake2b" || /id)
 @end verbatim
 @code{/kem/*/cek} is wrapped with @ref{keywrap-xchapoly} mechanism.
-- 
2.48.1