diff --git a/BTP.md b/BTP.md index 43c3f18..597589b 100644 --- a/BTP.md +++ b/BTP.md @@ -14,6 +14,7 @@ BTP uses the following cryptographic primitives: * A message authentication code, MAC(k, m) * An authenticated cipher, ENC(k, n, m) and DEC(k, n, m), where n is a nonce +* A random number generator, R(n), with an output length of n bytes. R(n) must be either a true random number generator or a cryptographically secure pseudo-random number generator. We use MAC(k, m) to define a key derivation function: @@ -96,6 +97,9 @@ To avoid reusing tags, which would allow the adversary to distinguish BTP traffi The pseudo-random tag is followed by the stream header, which consists of a random initialisation vector followed by an ephemeral key encrypted and authenticated with the sender's outgoing header key, using the random IV as the nonce. The stream header is NONCE_LEN + KEY_LEN + AUTH_LEN bytes long. The ephemeral key is used for encrypting and authenticating the rest of the stream. +* `stream_iv = R(NONCE_LEN)` +* `stream_header = stream_iv || ENC(outgoing_header_key, stream_iv, ephemeral_key)` + ### Frames The remainder of the stream consists of one or more frames. Each frame has a fixed-length header and a variable-length body that may contain data, padding, neither or both. The frames are numbered from zero. A stream may not contain more than 2^63 frames. 
@@ -107,9 +111,9 @@ The plaintext frame header is 4 bytes long, with the following format: * Bit 16: Zero * Bits 17-31: Length of the padding in bytes as a 15-bit integer -The plaintext frame body contains the data and padding. The total length of the data and padding must be less than 2^15 bytes. If any padding is present it must all be zeroes. +The plaintext frame body contains the data and padding. The total length of the data and padding must be less than 2^15 bytes. -The header and body are encrypted and authenticated separately using the ephemeral key and deterministic nonces, which are not sent. +The header and body are encrypted and authenticated separately using the ephemeral key and deterministic nonces, which are not sent. The encrypted and authenticated frame header is 4 + AUTH_LEN bytes long, while the encrypted and authenticated frame body is AUTH_LEN bytes longer than the data and padding. The nonce for the frame header is NONCE_LEN bytes long, with the following format:
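Review bot: In the first hunk (@@ -14,6 +14,7), the new R(n) bullet uses n for the output length, while the ENC(k, n, m) bullet directly above it uses n for the nonce. A different parameter name, for example R(len), would stop the two meanings colliding where the primitives are combined later in the spec. The new bullet also ends with a full stop, unlike the MAC and ENC bullets above it.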
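Review bot: In the second hunk (@@ -96,6 +97,9), the added `stream_header` line takes `ephemeral_key` as an input, but nothing in the visible text says how that key is produced; the paragraph above only calls it "an ephemeral key". This patch introduces R(n) and the header length is given as NONCE_LEN + KEY_LEN + AUTH_LEN, so if the key is meant to be random, a line such as `ephemeral_key = R(KEY_LEN)` before `stream_header` would put that requirement in the spec rather than leaving it to implementers.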
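Review bot: In the third hunk (@@ -107,9 +111,9), removing "If any padding is present it must all be zeroes." leaves the padding contents unspecified for both sender and receiver. Please say what replaces the rule, for example that the sender may use any bytes and the receiver must discard the padding without inspecting it once the body has authenticated. Otherwise an implementation that still checks for zeroes will reject frames that a newer sender considers valid.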