-@node Handshake protocol
+@node Handshake
@section Handshake protocol
@verbatiminclude handshake.utxt
-Each handshake message ends with so called @code{IDtag}: it is an XTEA
-encrypted first 64 bits of each message with client's @ref{Identity} as
-a key. It is used to transmit identity and to mark packet as handshake
-message. Server can determine used identity by trying all possible known
-to him keys. It consumes resources, but XTEA is rather fast algorithm
-and handshake messages checking is seldom enough event.
+Each handshake message ends with so called @code{IDtag}: it is
+BLAKE2b-MAC of the first 64 bits of the handshake message, with client's
+@ref{Identity} used as a key. It is used to transmit identity and to
+mark packet as handshake message.
+
+If @ref{Noise, noise} is enabled, then data is padded to fill up packet
+to MTU's size.
@strong{Preparation stage}:
@enumerate
@item
Client knows only his identity and passphrase written somewhere in the
-human. Server knows his identity and
+human readable form. Server knows his identity and
@ref{Verifier structure, verifier}: @code{DSAPub}.
@item
Client computes verifier which produces @code{DSAPriv} and
-@code{DSAPub}. @code{H()} is @emph{HSalsa20} hash function.
+@code{DSAPub}. @code{H()} is @emph{BLAKE2b-256} hash function.
@item
Client generates DH keypair: @code{CDHPub} and @code{CDHPriv}.
Also it generates random 64-bit @code{R} that is used as a nonce for
-symmetric encryption. @code{El()} is Elligator point encoding algorithm.
+symmetric encryption. @code{El()} is Elligator point encoding (and vice
+versa) algorithm.
@end enumerate
@strong{Interaction stage}:
@verb{|R + enc(H(DSAPub), R, El(CDHPub)) + IDtag -> Server|} [48 bytes]
@item
-@itemize @bullet
+@itemize
@item Server remembers client address.
@item Decrypts @code{El(CDHPub)}.
@item Inverts @code{El()} encoding and gets @code{CDHPub}.
@verb{|enc(H(DSAPub), R+1, El(SDHPub)) + enc(K, R, RS + SS) + IDtag -> Client|} [80 bytes]
@item
-@itemize @bullet
+@itemize
@item Client decrypts @code{El(SDHPub)}.
@item Inverts @code{El()} encoding and gets @code{SDHPub}.
@item Computes @code{K}.
@verb{|enc(K, R+1, RS + RC + SC + Sign(DSAPriv, K)) + IDtag -> Server|} [120 bytes]
@item
-@itemize @bullet
+@itemize
@item Server decrypts @code{RS}, @code{RC}, @code{SC},
@code{Sign(DSAPriv, K)}.
@verb{|ENC(K, R+2, RC) + IDtag -> Client|} [16 bytes]
@item
-@itemize @bullet
+@itemize
@item Client decrypts @code{RC}
@item Compares with its own one sent before.
@item Computes final session encryption key as server did.
has 128-bit security margin and that is why are not in use except in
handshake process. @code{R*} are required for handshake randomization
and two-way authentication.
+
+In @ref{Encless, encryptionless mode} each @code{enc()} is replaced with
+AONT and chaffing function over the noised data.