@section Transport protocol
@verbatim
-TAG || ENCRYPTED || NONCE --> PACKET
- ^ ^ ^
- | | |
- | | +-------------+
- | | |
- | +-------------+ |
- | | |
- +--< AUTH(AUTH_KEY, ENCRYPTED || NONCE)
- ^ ^
- | |
-+------------------------+ |
-| |
-| +---------------+
-| |
-+--< ENCRYPT(KEY, NONCE, PAYLOAD)
- ^ ^
- | |
- | +--< DATA || PAD [|| ZEROS]
- |
- +--< MAC(MAC_KEY, SERIAL)
+ NONCE = 64bit(MAC(MAC_KEY, SERIAL))
+ PAYLOAD = DATA || PAD [|| ZEROS]
+CIPHERTEXT = ENCRYPT(KEY, NONCE, PAYLOAD)
+ TAG = AUTH(AUTH_KEY, CIPHERTEXT || NONCE)
+ MESSAGE = TAG || CIPHERTEXT || NONCE
@end verbatim
@code{SERIAL} is message's serial number. Odds are reserved for
Salsa20's output is ignored and only remaining is XORed with ther data,
encrypting it.
-@code{DATA} is padded with @code{PAD} (0x80 byte). Optional @code{ZEROS}
-may follow, to fill up packet to conceal payload packet length.
+@code{DATA} is padded using ISO/IEC 7816-4 format (@code{PAD} (0x80
+byte) with optional @code{ZEROS} following), to fill up packet to
+conceal payload packet length.
@code{AUTH} is Poly1305 authentication function. First 256 bits of
Salsa20's output are used as a one-time key for @code{AUTH}.
In @ref{Encless, encryptionless mode} this scheme is slightly different:
@verbatim
- PACKET = ENCODED || NONCE
-ENCODED = ENCLESS(DATA || PAD || ZEROS)
NONCE = MAC(MAC_KEY, SERIAL)
+ENCODED = ENCLESS(DATA || PAD || ZEROS)
+ PACKET = ENCODED || NONCE
@end verbatim
@code{ENCLESS} is AONT and chaffing function. There is no need in