
@jonasschnelli
Last active November 13, 2020 08:30

The AEAD is constructed as follows: for each packet, generate a Poly1305 key by taking 128 bits of ChaCha20 stream output generated using K_2 and an IV of zero. The ChaCha20 key-stream persists across follow-up packets (the IV and block counter are not changed between packets) and is only reset after a rekeying. A client may precompute the ChaCha20 key-stream up to the desired length.

A rekey MUST happen exactly after 2^24 bytes (16MB) have been used from the key-stream. The rekeying can also happen in the middle of encrypting a payload. If the key-stream contains less than 128 bits when starting to encrypt a packet, a rekeying MUST happen first (so that a MAC key is never drawn from two cipher instances).

The next symmetric cipher key MUST be calculated by `SHA256(SHA256(session ID || old_symmetric_cipher_key))`.

During a rekey, the packet length encryption instance keyed by K_1 must also be reset (use the next symmetric cipher key, and reset the IV and block counter to zero).

The packet length encryption instance can therefore encrypt at most 2^24/(3+1+16) packet lengths (~2.4MB) per key (20 bytes is the smallest possible packet).
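The key-stream handling described above (a persistent ChaCha20 stream per key, a 128-bit MAC key taken from it at the start of every packet, a mandatory rekey after the budget is used up, possibly mid-payload, the `SHA256(SHA256(session ID || old key))` derivation, and the K_1 length cipher being reset alongside K_2) is worked through in the following Python model. It is an added example, not code from the gist or from Bitcoin Core. It assumes the RFC 8439 ChaCha20 block function with a 12-byte nonce as the "IV", follows the gist's 128-bit MAC key size literally, assumes K_1 is advanced with the same next-key step as K_2, takes packet lengths to be 3 bytes (the gist's 20-byte minimum reads as 3 + 1 + 16), and makes the 2^24-byte limit a parameter so the demo can exercise rekeys with a tiny budget. Poly1305 tagging itself is left out; only key-stream consumption is modelled.

```python
import hashlib
import struct

REKEY_LIMIT = 1 << 24   # key-stream bytes per key before a mandatory rekey (2^24 = 16 MiB)
MAC_KEY_BYTES = 16      # the gist takes 128 bits of stream output as the per-packet Poly1305 key


def _rotl32(v, c):
    return ((v << c) & 0xFFFFFFFF) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """RFC 8439 ChaCha20 block: 32-byte key, 32-bit block counter, 12-byte nonce (the IV)."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state.append(counter & 0xFFFFFFFF)
    state += struct.unpack("<3I", nonce)
    work = state[:]
    for _ in range(10):  # 20 rounds as 10 column + diagonal double rounds
        _quarter_round(work, 0, 4, 8, 12); _quarter_round(work, 1, 5, 9, 13)
        _quarter_round(work, 2, 6, 10, 14); _quarter_round(work, 3, 7, 11, 15)
        _quarter_round(work, 0, 5, 10, 15); _quarter_round(work, 1, 6, 11, 12)
        _quarter_round(work, 2, 7, 8, 13); _quarter_round(work, 3, 4, 9, 14)
    return struct.pack("<16I", *((w + s) & 0xFFFFFFFF for w, s in zip(work, state)))


def next_key(session_id, old_key):
    """Rekey derivation as the gist states it: SHA256(SHA256(session_id || old_key))."""
    return hashlib.sha256(hashlib.sha256(session_id + old_key).digest()).digest()


class KeyStream:
    """One ChaCha20 instance whose key-stream persists across packets (IV and counter are
    not touched between packets) and is replaced once `limit` bytes have been consumed."""

    def __init__(self, key, session_id, limit=REKEY_LIMIT, on_rekey=None):
        self.session_id, self.limit, self.on_rekey = session_id, limit, on_rekey
        self.rekeys = 0
        self._install(key)

    def _install(self, key):
        self.key = key
        self.nonce = bytes(12)  # IV reset to zero on (re)key ...
        self.counter = 0        # ... as is the block counter
        self.buf = b""          # generated but not yet consumed key-stream
        self.used = 0           # key-stream bytes consumed under the current key

    def rekey(self):
        self._install(next_key(self.session_id, self.key))
        self.rekeys += 1
        if self.on_rekey:
            self.on_rekey()     # lets the K_1 instance reset together with K_2

    def remaining(self):
        return self.limit - self.used

    def take(self, n):
        """Return n key-stream bytes, rekeying mid-way if the budget runs out (allowed mid-payload)."""
        out = b""
        while n:
            if self.remaining() == 0:
                self.rekey()
            want = min(n, self.remaining())
            while len(self.buf) < want:
                self.buf += chacha20_block(self.key, self.counter, self.nonce)
                self.counter += 1
            out += self.buf[:want]
            self.buf, self.used, n = self.buf[want:], self.used + want, n - want
        return out

    def packet_mac_key(self):
        """Start of a packet: fewer than 128 bits left means rekey first, so the MAC key
        is never drawn from two cipher instances."""
        if self.remaining() < MAC_KEY_BYTES:
            self.rekey()
        return self.take(MAC_KEY_BYTES)


class AEADSession:
    """K_1 keys the packet-length cipher, K_2 the payload cipher; a K_2 rekey resets K_1 too.
    Packet lengths are assumed to be 3 bytes (the gist's 20-byte minimum is 3 + 1 + 16)."""

    def __init__(self, k1, k2, session_id, limit=REKEY_LIMIT):
        self.lengths = KeyStream(k1, session_id, limit)
        self.payload = KeyStream(k2, session_id, limit, on_rekey=self.lengths.rekey)

    def process_packet(self, data):
        """XOR-only view of one packet: returns (poly1305_key, encrypted_length, body).
        Run on the receiver with the ciphertext it recovers the plaintext; no Poly1305 tag here."""
        mac_key = self.payload.packet_mac_key()
        length = len(data).to_bytes(3, "little")
        enc_len = bytes(a ^ b for a, b in zip(length, self.lengths.take(3)))
        body = bytes(a ^ b for a, b in zip(data, self.payload.take(len(data))))
        return mac_key, enc_len, body


if __name__ == "__main__":
    sid, k1, k2 = b"\x01" * 32, b"\x02" * 32, b"\x03" * 32   # constructed demo values
    s = AEADSession(k1, k2, sid, limit=40)                   # tiny budget so rekeys show up
    for pt in (b"0123456789", b"abcdefghij", b"x" * 30):
        mac, _, _ = s.process_packet(pt)
        print(f"{len(pt):2d}-byte packet  mac_key={mac.hex()}  rekeys={s.payload.rekeys}")
```

With the 40-byte demo budget the third packet shows the two rules together: fewer than 16 bytes remain at its start, so a rekey happens before the MAC key is drawn, and the budget then runs out again inside the body, so a second rekey happens mid-payload and the K_1 instance is reset at the same moment. A receiver constructed with the same keys and session ID walks through identical rekeys and therefore stays in sync.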
