2 @unnumbered Developer manual
4 Pay attention how to get @ref{Sources, development source code}.
7 @item Nonce and identity encryption
8 @url{http://143.53.36.235:8080/tea.htm, XTEA}.
10 @url{http://cr.yp.to/snuffle.html, Salsa20}.
11 @item Message authentication
12 @url{http://cr.yp.to/mac.html, Poly1305}.
13 @item Password authenticated key agreement
14 DH-A-EKE powered by @url{http://cr.yp.to/ecdh.html, Curve25519}
15 and @url{http://ed25519.cr.yp.to/, Ed25519}.
16 @item DH elliptic-curve point encoding for public keys
17 @url{http://elligator.cr.yp.to/, Elligator}.
18 @item Verifier password hashing algorithm
19 @url{https://password-hashing.net/#argon2, Argon2d}.
20 @item Encryptionless confidentiality preserving encoding
21 @url{http://people.csail.mit.edu/rivest/chaffing-980701.txt,
22 Chaffing-and-Winnowing} (two Poly1305 MACs for each bit of message)
24 @url{http://theory.lcs.mit.edu/~cis/pubs/rivest/fusion.ps,
25 All-Or-Nothing-Transformed} (based on
26 @url{http://cseweb.ucsd.edu/~mihir/papers/oaep.html, OAEP} using
27 @url{https://en.wikipedia.org/wiki/Key_derivation_function, HKDF}
28 with @url{https://blake2.net/, BLAKE2b-512} and BLAKE2b-256 based
29 @url{http://crypto.stanford.edu/~dabo/abstracts/saep.html, SAEP+}
30 checksums) data with 128-bits of feeded random.
32 25 bytes per packet. Plus 4128 bytes and noise in encryptionless mode.
33 @item Handshake overhead
34 4 UDP (2 from client, 2 from server) packets (round-trips for TCP).
35 264 bytes total payload, 20680 in encryptionless mode.
36 @item Entropy required
37 832 bits in average on client, 832 bits in average on server side
38 per handshake. 128 bits for each outgoing packet in encryptionless
43 * Verifier structure::
44 * Transport protocol: Transport.
45 * Handshake protocol: Handshake.
48 @include verifierstruct.texi
49 @include transport.texi
50 @include handshake.texi