2 @section Transport protocol
5 NONCE = 64bit(MAC(MAC_KEY, SERIAL))
6 PAYLOAD = DATA || PAD [|| ZEROS]
7 CIPHERTEXT = ENCRYPT(KEY, NONCE, PAYLOAD)
8 TAG = AUTH(AUTH_KEY, CIPHERTEXT || NONCE)
9 MESSAGE = TAG || CIPHERTEXT || NONCE
12 @code{SERIAL} is message's serial number. Odds are reserved for
13 client (to server) messages, evens for server (to client) messages.
15 @code{MAC} is BLAKE2b-MAC used to obfuscate @code{SERIAL}. MAC's key
16 @code{MAC_KEY} is the first 256-bit of Salsa20's output with established
17 common key and zero nonce (message nonces start from 1).
20 MAC_KEY = 256bit(ENCRYPT(KEY, 0))
23 @code{ENCRYPT} is Salsa20 stream cipher, with established session
24 @code{KEY} and obfuscated @code{SERIAL} used as a nonce. 512 bit of
25 Salsa20's output is ignored and only remaining is XORed with ther data,
28 @code{DATA} is padded with @code{PAD} (0x80 byte). Optional @code{ZEROS}
29 may follow, to fill up packet to conceal payload packet length.
31 @code{AUTH} is Poly1305 authentication function. First 256 bits of
32 Salsa20's output are used as a one-time key for @code{AUTH}.
35 AUTH_KEY = 256bit(ENCRYPT(KEY, NONCE))
38 To prevent replay attacks we must remember received @code{SERIAL}s and
39 drop when receiving duplicate ones.
41 In @ref{Encless, encryptionless mode} this scheme is slightly different:
44 NONCE = MAC(MAC_KEY, SERIAL)
45 ENCODED = ENCLESS(DATA || PAD || ZEROS)
46 PACKET = ENCODED || NONCE
49 @code{ENCLESS} is AONT and chaffing function. There is no need in
50 explicit separate authentication.