GOST R 34.10+HKDF KEM (KEKS)

Next: SNTRUP4591761+X25519+HKDF-BLAKE2b KEM, Previous: Balloon-BLAKE2b+HKDF KEM, Up: Key encapsulation mechanisms [Index]

GOST R 34.10+HKDF KEM ¶

kem-gost3410-hkdf {
    {field a {str} =gost3410-hkdf}
    {field cek {bin} >0} {# wrapped CEK}
    {field ukm {bin} len=16} {# additional keying material}
    {field pub {bin} >0} {# sender's ephemeral public key}
    {field to {with fpr} optional} {# recipient's public key}
}

GOST R 34.10-2012 VKO parameter set A/C ("gost3410-256A", "gost3410-512C") must be used for DH operation, with UKM taken from the structure. VKO’s output is 512- or 1024-bit BE(X)||BE(Y) point, used in HKDF below:

H = Streebog-512
DH(sk, pk) = GOSTR3410-VKO(prv=sk, pub=pk, ukm=UKM)
PRK = HKDF-Extract(H, salt="", ikm=DH(e, s))
if specified(sender):
    PRK = HKDF-Extract(H, salt=PRK, ikm=DH(s, s))
KEK = HKDF-Expand(H, prk=PRK, info="cm/encrypted/gost3410-hkdf" || /id)

/kem/*/cek is wrapped with KExp15 key wrapping mechanism mechanism.

HKDF is KDF algorithm, RFC 5869. Streebog is GOST R 34.11-2012 hashing algorithm, RFC 6986. GOST R 34.10-2012 is signing/key-aggreement algorithm, RFC 7091.