From f56d8f6c4d5ec5182fee51f63c9a5069b1b954c7c39acb24b3938e8c27cd90d5 Mon Sep 17 00:00:00 2001
From: Sergey Matveev
Date: Sun, 20 Apr 2025 09:43:38 +0300
Subject: [PATCH] xchapoly is more correct

---
 go/cm/enc/chapoly/dem.go | 6 +++---
 .../{dem-chapoly-krkc.texi => dem-xchapoly-krkc.texi} | 10 +++++-----
 spec/cm/encrypted.texi | 2 +-
 tcl/schemas/encrypted.tcl | 2 +-
 4 files changed, 10 insertions(+), 10 deletions(-)
 rename spec/cm/{dem-chapoly-krkc.texi => dem-xchapoly-krkc.texi} (82%)

diff --git a/go/cm/enc/chapoly/dem.go b/go/cm/enc/chapoly/dem.go
index 220693d..1c04c5e 100644
--- a/go/cm/enc/chapoly/dem.go
+++ b/go/cm/enc/chapoly/dem.go
@@ -33,7 +33,7 @@ const (
 ChunkLen = 128 * 1024
 CommitmentLen = 32
 CEKLen = blake2b.Size
- DEMAlgo = "chapoly-krkc"
+ DEMAlgo = "xchapoly-krkc"
 )
 
 type keymat struct {
@@ -76,13 +76,13 @@ func do(
 var errHKDF error
 for {
 key, errHKDF = hkdf.Expand(
- blake2bHash, ck, "cm/encrypted/chapoly-krkc/key",
+ blake2bHash, ck, "cm/encrypted/xchapoly-krkc/key",
 chacha20poly1305.KeySize)
 if errHKDF != nil {
 panic(errHKDF)
 }
 iv, errHKDF = hkdf.Expand(
- blake2bHash, ck, "cm/encrypted/chapoly-krkc/iv",
+ blake2bHash, ck, "cm/encrypted/xchapoly-krkc/iv",
 chacha20poly1305.NonceSizeX)
 if errHKDF != nil {
 panic(errHKDF)
diff --git a/spec/cm/dem-chapoly-krkc.texi b/spec/cm/dem-xchapoly-krkc.texi
similarity index 82%
rename from spec/cm/dem-chapoly-krkc.texi
rename to spec/cm/dem-xchapoly-krkc.texi
index 171b32a..b0ecb55 100644
--- a/spec/cm/dem-chapoly-krkc.texi
+++ b/spec/cm/dem-xchapoly-krkc.texi
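Review bot: The `DEMAlgo` line in the const block replaces "chapoly-krkc" outright, and the hunk at -76 changes both HKDF info labels with it, so this is a wire-format break rather than a cosmetic rename. A container written with the old `/dem/a` value would presumably no longer be recognised, and even if it were, KEY and IV would now be derived under different labels and the Poly1305 tag would fail. The code that matches `/dem/a` is not visible here, so confirm whether the old name needs to stay accepted on the decrypt path. If the format is still unreleased, record that next to the constant, e.g. `// DEMAlgo also namespaces the HKDF info labels; changing it invalidates existing ciphertexts.`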
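Review bot: The two `hkdf.Expand` calls in `do` spell the algorithm name out as string literals, so `DEMAlgo` and the labels only stay in step if every rename catches all three places by hand, as this commit does. A missed literal would still compile and would only show up as an authentication failure against other implementations of the spec. Build the labels from the constant instead: `"cm/encrypted/" + DEMAlgo + "/key"` and `"cm/encrypted/" + DEMAlgo + "/iv"`. Both are still constant expressions, so nothing changes at run time. `do` begins before this hunk and continues past it.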
@@ -1,9 +1,9 @@ -@node dem-chapoly-krkc -@cindex dem-chapoly-krkc +@node dem-xchapoly-krkc +@cindex dem-xchapoly-krkc @nodedescription XChaCha20-Poly1305 with key ratcheting and key commitment DEM @subsubsection XChaCha20-Poly1305 with key ratcheting and key commitment DEM -@code{cm/encrypted}'s @code{/dem/a} equals to "chapoly-krkc". +@code{cm/encrypted}'s @code{/dem/a} equals to "xchapoly-krkc". CEK is 64 bytes long. Data is split on 128 KiB chunks, each of which is encrypted the following way: @@ -11,8 +11,8 @@ Data is split on 128 KiB chunks, each of which is encrypted the following way: @verbatim CK0 = CEK CKi = HKDF-Extract(BLAKE2b, salt="", ikm=CK{i-1}) -KEY = HKDF-Expand(BLAKE2b, prk=CKi, info="cm/encrypted/chapoly-krkc/key") -IV = HKDF-Expand(BLAKE2b, prk=CKi, info="cm/encrypted/chapoly-krkc/iv", len=24) +KEY = HKDF-Expand(BLAKE2b, prk=CKi, info="cm/encrypted/xchapoly-krkc/key") +IV = HKDF-Expand(BLAKE2b, prk=CKi, info="cm/encrypted/xchapoly-krkc/iv", len=24) if last chunk { IV[23] |= 0x01 } else { IV[23] &= 0xFE } CIPHERTEXT || TAG = XChaCha20-Poly1305(key=KEY, ad="", nonce=IV, data=chunk) COMMITMENT = BLAKE2b-256(KEY || IV || TAG) diff --git a/spec/cm/encrypted.texi b/spec/cm/encrypted.texi index a43c354..42a0682 100644 --- a/spec/cm/encrypted.texi +++ b/spec/cm/encrypted.texi @@ -64,7 +64,7 @@ in KDF. @nodedescription Data encapsulation mechanisms @subsection Data encapsulation mechanisms -@include cm/dem-chapoly-krkc.texi +@include cm/dem-xchapoly-krkc.texi @include cm/dem-kuznechik-ctr-hmac-kr.texi @node KEM diff --git a/tcl/schemas/encrypted.tcl b/tcl/schemas/encrypted.tcl index 43f054f..7a91171 100644 --- a/tcl/schemas/encrypted.tcl +++ b/tcl/schemas/encrypted.tcl @@ -7,7 +7,7 @@ encrypted { dem { {field . {map}} - {field a {str} >0} {# chapoly-krkc} + {field a {str} >0} {# xchapoly-krkc} {# kuznechik-ctr-hmac-kr} } -- 2.48.1