@headitem @tab XDR type @tab Value
@item Magic number @tab
8-byte, fixed length opaque data @tab
- @verb{|N N C P E 0x00 0x00 0x04|}
+ @verb{|N N C P E 0x00 0x00 0x05|}
@item Niceness @tab
unsigned integer @tab
1-255, packet @ref{Niceness, niceness} level
All following encryption is done in AEAD mode using
@url{https://cr.yp.to/chacha.html, ChaCha20}-@url{https://en.wikipedia.org/wiki/Poly1305, Poly1305}
-algorithms. Data is splitted on 128 KiB blocks. Each block is encrypted with
+algorithms. Data is divided on 128 KiB blocks. Each block is encrypted with
increasing nonce counter.
Authenticated and encrypted size come after the header:
@item takes remote node's exchange public key and performs
Diffie-Hellman computation on this remote static public key and
private ephemeral one
-@item derive the keys:
- @enumerate
- @item initialize @url{https://blake2.net/, BLAKE2Xb} XOF with
- derived ephemeral key and 96-byte output length
- @item feed @verb{|N N C P E 0x00 0x00 0x04|} magic number to XOF
- @item read 32-bytes of "size" AEAD encryption key
- @item read 32-bytes of payload AEAD encryption key
- @item optionally read 32-bytes pad generation key
- @end enumerate
+@item derives 32-bytes AEAD encryption key with BLAKE3 derivation
+ function. Source key is the derived ephemeral key. Context is
+ @verb{|N N C P E 0x00 0x00 0x05|} magic number
@item encrypts size, appends its authenticated ciphertext to the header
-@item encrypts payload, appends its authenticated ciphertext
+@item encrypts each payload block, appending its authenticated ciphertext
@item possibly appends any kind of "junk" noise data to hide real
- payload's size from the adversary (generated using XOF with
- unlimited output length)
+ payload's size from the adversary (generated using BLAKE3 XOF, with
+ the key derived from the ephemeral one and context string of
+ @verb{|N N C P E 0x00 0x00 0x05 <SP> P A D|})
@end enumerate