-@node Handshake protocol
+@node Handshake
@section Handshake protocol
@verbatiminclude handshake.utxt
-Each handshake message ends with so called @code{IDtag}: it is an XTEA
-encrypted first 64 bits of each message with client's identity as a key.
-It is used to transmit identity and to mark packet as handshake message.
-Server can determine used identity by trying all possible known to him
-keys. It consumes resources, but XTEA is rather fast algorithm and
-handshake messages checking is seldom enough event.
+Each handshake message ends with so called @code{IDtag}: it is
+BLAKE2b-MAC of the first 64 bits of the handshake message, with client's
+@ref{Identity} used as a key. It is used to transmit identity and to
+mark packet as handshake message.
+
+If @ref{Noise, noise} is enabled, then data is padded to fill up packet
+to MTU's size.
+
+@strong{Preparation stage}:
@enumerate
@item
-client generates @code{CPubKey}, random 64bit @code{R} that is used as a
-nonce for encryption
+Client knows only his identity and passphrase written somewhere in the
+human readable form. Server knows his identity and
+@ref{Verifier structure, verifier}: @code{DSAPub}.
@item
-@verb{|R + enc(PSK, R, CPubKey) + IDtag -> Server|} [48 bytes]
+Client computes verifier which produces @code{DSAPriv} and
+@code{DSAPub}. @code{H()} is @emph{BLAKE2b-256} hash function.
@item
-server remembers clients address, decrypt @code{CPubKey}, generates
-@code{SPrivKey}/@code{SPubKey}, computes common shared key @code{K}
-(based on @code{CPubKey} and @code{SPrivKey}), generates 64bit random
-number @code{RS} and 256bit random @code{SS}. PSK-encryption uses
-incremented @code{R} (from previous message) for nonce
+Client generates DH keypair: @code{CDHPub} and @code{CDHPriv}.
+Also it generates random 64-bit @code{R} that is used as a nonce for
+symmetric encryption. @code{El()} is Elligator point encoding (and vice
+versa) algorithm.
+@end enumerate
+
+@strong{Interaction stage}:
+
+@enumerate
@item
-@verb{|enc(PSK, R+1, SPubKey) + enc(K, R, RS + SS) + IDtag -> Client|} [80 bytes]
+@verb{|R + enc(H(DSAPub), R, El(CDHPub)) + IDtag -> Server|} [48 bytes]
+
@item
-client decrypt @code{SPubKey}, computes @code{K}, decrypts @code{RS},
-@code{SS} with key @code{K}, remembers @code{SS}, generates 64bit random
-number @code{RC} and 256bit random @code{SC},
+@itemize
+@item Server remembers client address.
+@item Decrypts @code{El(CDHPub)}.
+@item Inverts @code{El()} encoding and gets @code{CDHPub}.
+@item Generates DH keypair: @code{SDHPriv}/@code{SDHPub}.
+@item Computes common shared key @code{K = H(DH(SDHPriv, CDHPub))}.
+@item Generates 64-bit random number @code{RS}.
+@item Generates 256-bit pre-master secret @code{SS}.
+@end itemize
+
@item
-@verb{|enc(K, R+1, RS + RC + SC) + IDtag -> Server|} [56 bytes]
+@verb{|enc(H(DSAPub), R+1, El(SDHPub)) + enc(K, R, RS + SS) + IDtag -> Client|} [80 bytes]
+
@item
-server decrypt @code{RS}, @code{RC}, @code{SC} with key @code{K},
-compares @code{RS} with it's own one send before, computes final main
-encryption key @code{S = SS XOR SC}
+@itemize
+@item Client decrypts @code{El(SDHPub)}.
+@item Inverts @code{El()} encoding and gets @code{SDHPub}.
+@item Computes @code{K}.
+@item Decrypts @code{RS} and @code{SS}.
+@item Remembers @code{SS}.
+@item Generates 64-bit random number @code{RC}.
+@item Generates 256-bit pre-master secret @code{SC}.
+@item Signs with @code{DSAPriv} key @code{K}.
+@end itemize
+
@item
-@verb{|ENC(K, 0, RC) + IDtag -> Client|} [16 bytes]
+@verb{|enc(K, R+1, RS + RC + SC + Sign(DSAPriv, K)) + IDtag -> Server|} [120 bytes]
+
@item
-server switches to the new client
+@itemize
+ @item Server decrypts @code{RS}, @code{RC}, @code{SC},
+ @code{Sign(DSAPriv, K)}.
+
+ @item Compares @code{RS} with its own one sent before. Server
+ decrypts @code{RS}, @code{RC}, @code{SC} with key @code{K}, compares
+ @code{RS} with its own one sent before.
+
+ @item Verifies @code{K} signature with verifier @code{DSAPub}.
+
+ @item Computes final session encryption key:
+ @code{MasterKey=SS XOR SC}.
+@end itemize
+
@item
-client decrypts @code{RC} and compares with it's own generated one,
-computes final main encryption key @code{S}
+@verb{|ENC(K, R+2, RC) + IDtag -> Client|} [16 bytes]
+
+@item
+@itemize
+@item Client decrypts @code{RC}
+@item Compares with its own one sent before.
+@item Computes final session encryption key as server did.
+@end itemize
+
@end enumerate
-Where PSK is 256bit pre-shared key. @code{R*} are required for handshake
-randomization and two-way authentication. K key is used only during
-handshake. DH public keys can be trivially derived from private ones.
+@code{MasterKey} is high entropy 256-bit key. @code{K} DH-derived one
+has 128-bit security margin and that is why are not in use except in
+handshake process. @code{R*} are required for handshake randomization
+and two-way authentication.
+
+In @ref{Encless, encryptionless mode} each @code{enc()} is replaced with
+AONT and chaffing function over the noised data.