| |
| +--< DATA || PAD [|| ZEROS]
|
- +--< PRP(PRP_KEY, SERIAL)
+ +--< MAC(MAC_KEY, SERIAL)
@end verbatim
@code{SERIAL} is message's serial number. Odds are reserved for
-client(->server) messages, evens for server(->client) messages.
+client (to server) messages, evens for server (to client) messages.
-@code{PRP} is XTEA block cipher algorithm used here as PRP (pseudo
-random permutation function) to obfuscate @code{SERIAL}. Plaintext
-@code{SERIAL} state is kept in peers internal state, but encrypted
-before transmission.
-
-XTEA's encryption key is the first 128-bit of Salsa20's output with
-established common key and zero nonce (message nonces start from 1).
+@code{MAC} is BLAKE2b-MAC used to obfuscate @code{SERIAL}. MAC's key
+@code{MAC_KEY} is the first 256-bit of Salsa20's output with established
+common key and zero nonce (message nonces start from 1).
@verbatim
-PRP_KEY = 128bit(ENCRYPT(KEY, 0))
+MAC_KEY = 256bit(ENCRYPT(KEY, 0))
@end verbatim
@code{ENCRYPT} is Salsa20 stream cipher, with established session
encrypting it.
@code{DATA} is padded with @code{PAD} (0x80 byte). Optional @code{ZEROS}
-may follow, to fillup packet with the junk to conceal pyload packet
-length.
+may follow, to fill up packet to conceal payload packet length.
@code{AUTH} is Poly1305 authentication function. First 256 bits of
Salsa20's output are used as a one-time key for @code{AUTH}.
@verbatim
PACKET = ENCODED || NONCE
ENCODED = ENCLESS(DATA || PAD || ZEROS)
- NONCE = PRP(PRP_KEY, SERIAL)
+ NONCE = MAC(MAC_KEY, SERIAL)
@end verbatim
@code{ENCLESS} is AONT and chaffing function. There is no need in