-@node Transport protocol
+@node Transport
@section Transport protocol
@verbatim
-ENCn(SERIAL) + ENC(KEY, ENCn(SERIAL), DATA_SIZE+DATA) +
- AUTH(ENCn(SERIAL) + ENC(KEY, ENCn(SERIAL), DATA_SIZE+DATA))
+ NONCE = 64bit(ZEROS) || 64bit(MAC(MAC_KEY, SERIAL))
+ PAYLOAD = DATA || PAD [|| ZEROS]
+CIPHERTEXT = ENCRYPT(KEY, NONCE, PAYLOAD)
+ TAG = AUTH(AUTH_KEY, CIPHERTEXT || NONCE)
+ MESSAGE = TAG || CIPHERTEXT || NONCE
@end verbatim
-All transport and handshake messages are indistinguishable from
-pseudo random noise.
-
@code{SERIAL} is message's serial number. Odds are reserved for
-client(→server) messages, evens for server(→client) messages.
-
-@code{ENCn} is XTEA block cipher algorithm used here as PRP (pseudo
-random permutation) to randomize, obfuscate @code{SERIAL}. Plaintext
-@code{SERIAL} state is kept in peers internal state, but encrypted
-before transmission. XTEA is compact and fast enough. Salsa20 is PRF
-function and requires much more code to create PRP from it. XTEA's
-encryption key is the first 128-bit of Salsa20's output with established
+client (to server) messages, evens for server (to client) messages.
+
+@code{MAC} is BLAKE2b-MAC used to obfuscate @code{SERIAL}. MAC's key
+@code{MAC_KEY} is the first 256-bit of ChaCha20's output with established
common key and zero nonce (message nonces start from 1).
-Encrypted @code{SERIAL} is used as a nonce for @code{DATA} encryption:
-encryption key is different during each handshake, so (key, nonce) pair
-is always used only once. @code{ENC} is Salsa20 cipher, with established
-session @code{KEY} and encrypted @code{SERIAL} used as a nonce.
-@code{DATA_SIZE} is @emph{uint16} storing length of the @code{DATA}.
+@verbatim
+MAC_KEY = 256bit(ENCRYPT(KEY, 0))
+@end verbatim
+
+@code{ENCRYPT} is ChaCha20 stream cipher, with established session
+@code{KEY} and obfuscated @code{SERIAL} used as a nonce. 512 bit of
+ChaCha20's output is ignored and only remaining is XORed with ther data,
+encrypting it.
+
+@code{DATA} is padded using ISO/IEC 7816-4 format (@code{PAD} (0x80
+byte) with optional @code{ZEROS} following), to fill up packet to
+conceal payload packet length.
@code{AUTH} is Poly1305 authentication function. First 256 bits of
-Salsa20 output are used as a one-time key for @code{AUTH}. Next 256 bits
-of Salsa20 are ignored. All remaining output is XORed with the data,
-encrypting it.
+ChaCha20's output are used as a one-time key for @code{AUTH}.
+
+@verbatim
+AUTH_KEY = 256bit(ENCRYPT(KEY, NONCE))
+@end verbatim
+
+To prevent replay attacks we must remember received @code{SERIAL}s and
+drop when receiving duplicate ones.
+
+In @ref{Encless, encryptionless mode} this scheme is slightly different:
+
+@verbatim
+ NONCE = MAC(MAC_KEY, SERIAL)
+ENCODED = ENCLESS(DATA || PAD || ZEROS)
+ PACKET = ENCODED || NONCE
+@end verbatim
-To prevent replay attacks we remember latest @code{SERIAL} from the
-remote peer. If received message's @code{SERIAL} is not greater that the
-saved one, then drop it. Optionally, because some UDP packets can be
-reordered during transmission, we can allow some window for valid
-serials with the @code{-noncediff} option. @code{-noncediff 10} with
-current saved serial state equals to 78 allows messages with 68…78
-serials. That time window can be used by attacker to replay packets, so
-by default it equals to 1. However it can improve performance because of
-rearranged UDP packets.
+@code{ENCLESS} is AONT and chaffing function. There is no need in
+explicit separate authentication.