X-Git-Url: http://www.git.cypherpunks.ru/?p=govpn.git;a=blobdiff_plain;f=doc%2Ftransport.texi;h=e5f5abba9eba15dec245489f2aa53c807d007b5f;hp=cdb5950524820360b2d15fa7fb749e473ab154b3;hb=0bf04621961589bc735dc8bd8a075d7db24c4178;hpb=b97d37d9494cf064a50d30b4936393eeab32b0e1

diff --git a/doc/transport.texi b/doc/transport.texi
index cdb5950..e5f5abb 100644
--- a/doc/transport.texi
+++ b/doc/transport.texi
@@ -2,49 +2,35 @@
 @section Transport protocol
 
 @verbatim
-TAG || ENCRYPTED || NONCE --> PACKET
- ^         ^          ^
- |         |          |
- |         |          +-------------+
- |         |                        |
- |         +-------------+          |
- |                       |          |
- +--< AUTH(AUTH_KEY, ENCRYPTED || NONCE)
-                         ^          ^
-                         |          |
-+------------------------+          |
-|                                   |
-|                   +---------------+
-|                   |
-+--< ENCRYPT(KEY, NONCE, PAYLOAD)
-                    ^       ^
-                    |       |
-                    |       +--< DATA || PAD [|| ZEROS]
-                    |
-                    +--< MAC(MAC_KEY, SERIAL)
+     NONCE = 64bit(ZEROS) || 64bit(MAC(MAC_KEY, SERIAL))
+   PAYLOAD = DATA || PAD [|| ZEROS]
+CIPHERTEXT = ENCRYPT(KEY, NONCE, PAYLOAD)
+       TAG = AUTH(AUTH_KEY, CIPHERTEXT || NONCE)
+   MESSAGE = TAG || CIPHERTEXT || NONCE
 @end verbatim
 
 @code{SERIAL} is message's serial number. Odds are reserved for
 client (to server) messages, evens for server (to client) messages.
 
 @code{MAC} is BLAKE2b-MAC used to obfuscate @code{SERIAL}. MAC's key
-@code{MAC_KEY} is the first 256-bit of Salsa20's output with established
+@code{MAC_KEY} is the first 256-bit of ChaCha20's output with established
 common key and zero nonce (message nonces start from 1).
 
 @verbatim
 MAC_KEY = 256bit(ENCRYPT(KEY, 0))
 @end verbatim
 
-@code{ENCRYPT} is Salsa20 stream cipher, with established session
+@code{ENCRYPT} is ChaCha20 stream cipher, with established session
 @code{KEY} and obfuscated @code{SERIAL} used as a nonce. 512 bit of
-Salsa20's output is ignored and only remaining is XORed with ther data,
+ChaCha20's output is ignored and only remaining is XORed with ther data,
 encrypting it.
 
-@code{DATA} is padded with @code{PAD} (0x80 byte). Optional @code{ZEROS}
-may follow, to fill up packet to conceal payload packet length.
+@code{DATA} is padded using ISO/IEC 7816-4 format (@code{PAD} (0x80
+byte) with optional @code{ZEROS} following), to fill up packet to
+conceal payload packet length.
 
 @code{AUTH} is Poly1305 authentication function. First 256 bits of
-Salsa20's output are used as a one-time key for @code{AUTH}.
+ChaCha20's output are used as a one-time key for @code{AUTH}.
 
 @verbatim
 AUTH_KEY = 256bit(ENCRYPT(KEY, NONCE))
@@ -56,9 +42,9 @@ drop when receiving duplicate ones.
 In @ref{Encless, encryptionless mode} this scheme is slightly different:
 
 @verbatim
- PACKET = ENCODED || NONCE
-ENCODED = ENCLESS(DATA || PAD || ZEROS)
   NONCE = MAC(MAC_KEY, SERIAL)
+ENCODED = ENCLESS(DATA || PAD || ZEROS)
+ PACKET = ENCODED || NONCE
 @end verbatim
 
 @code{ENCLESS} is AONT and chaffing function. There is no need in