From c3fa76d2e263d810b35dfca4fb0fa8e6abd3808f4c3b18288dfb98718292976c Mon Sep 17 00:00:00 2001 From: Sergey Matveev Date: Wed, 22 Jan 2025 12:11:45 +0300 Subject: [PATCH] HKDF in gost3410-kexp15 --- spec/format/enveloped-data.cddl | 6 +++--- spec/format/enveloped-data.texi | 18 +++++++++++------- spec/format/registry.texi | 4 ++-- 3 files changed, 16 insertions(+), 12 deletions(-) diff --git a/spec/format/enveloped-data.cddl b/spec/format/enveloped-data.cddl index e27ea3b..1eedab6 100644 --- a/spec/format/enveloped-data.cddl +++ b/spec/format/enveloped-data.cddl @@ -19,7 +19,7 @@ dem-kuznechik-ctracpkm-hmac-hkdf = { kem = kem-generic / kem-balloon-blake2b-hkdf / - kem-gost3410-kexp15 / + kem-gost3410-hkdf-kexp15 / kem-sntrup4591761-x25519-hkdf-blake2b kem-generic = { @@ -39,8 +39,8 @@ kem-balloon-blake2b = { salt: bytes, } -kem-gost3410-kexp15 = { - a: "gost3410-kexp15", +kem-gost3410-hkdf-kexp15 = { + a: "gost3410-hkdf-kexp15", cek: bytes, ukm: bytes, pub: bytes, diff --git a/spec/format/enveloped-data.texi b/spec/format/enveloped-data.texi index 3ff80ef..93a28eb 100644 --- a/spec/format/enveloped-data.texi +++ b/spec/format/enveloped-data.texi @@ -98,10 +98,10 @@ KEK = HKDF-Extract(BLAKE2b-256, ChaCha20-Poly1305(data=16*0x00 || CEK, key=KEK, nonce=12*0x00, ad="") @end verbatim -@node enveloped-data-gost3410-kexp15 -@subsection enveloped-data-gost3410-kexp15 +@node enveloped-data-gost3410-hkdf-kexp15 +@subsection enveloped-data-gost3410-hkdf-kexp15 -@code{/kem/*/a} equals to "gost3410-kexp15". +@code{/kem/*/a} equals to "gost3410-hkdf-kexp15". Recipient map must also contain additional fields: @table @code @@ -113,12 +113,16 @@ Recipient map must also contain additional fields: 8-byte initialisation vector for KExp15. @end table -ГОСТ Р 34.10-2012 VKO 512-bit parameter set C ("gost3410-512C") must be -used for DH operation, with UKM taken from the structure. Its 512-bit -output result is used for KExp15 (Р 1323565.1.017) key wrapping algorithm: +ГОСТ Р 34.10-2012 VKO parameter set A/C ("gost3410-256A", "gost3410-512C") +must be used for DH operation, with UKM taken from the structure. VKO's +output is 512- or 1024-bit @code{BE(X)||BE(Y)} point. It is used in HKDF +and KExp15 (Р 1323565.1.017) key wrapping algorithm: @verbatim -KExp15(Kenc, Kauth, IV, CEK): +KEKenv, KEKauth = HKDF-Extract(Streebog-512, + salt="keks/enveloped-data/gost3410-hkdf-kexp15", + secret=bind || VKO(...)) +KExp15(KEKenc, KEKauth, IV, CEK): return CTR(Kenc, CEK+CMAC(Kauth, IV+CEK), IV=IV) @end verbatim diff --git a/spec/format/registry.texi b/spec/format/registry.texi index 6436925..f9e614a 100644 --- a/spec/format/registry.texi +++ b/spec/format/registry.texi @@ -57,8 +57,8 @@ There is example registry of known algorithm identifiers. @item argon2id-hkdf-blake2b @item balloon-blake2b-hkdf @code{@ref{enveloped-data-balloon-blake2b-hkdf}} -@item gost3410-kexp15 - @code{@ref{enveloped-data-gost3410-kexp15}} +@item gost3410-hkdf-kexp15 + @code{@ref{enveloped-data-gost3410-hkdf-kexp15}} @item mlkem768-x25519 @item sntrup761-x25519 @item sntrup4591761-x25519 -- 2.48.1