From: Sergey Matveev <stargrave@stargrave.org>
Date: Tue, 16 Apr 2024 22:01:29 +0000 (+0300)
Subject: Note about BLAKE2s-XOF as a KDF
X-Git-Tag: v3.0.0~25
X-Git-Url: http://www.git.stargrave.org/?a=commitdiff_plain;h=de14440b1f5b9e5beeda8b3e9945b6a840894dd63581cd1318472855db1fa2f0;p=vors.git

Note about BLAKE2s-XOF as a KDF
---

diff --git a/doc/proto.texi b/doc/proto.texi
index a1af4d4..dc7c3d2 100644
--- a/doc/proto.texi
+++ b/doc/proto.texi
@@ -11,9 +11,10 @@ participant) and 24-bit big-endian packet counter. Reordered packets are
 dropped. 24-bit counter is long enough for very long talk sessions.
 
 Each packet is encrypted with ChaCha20 and authenticated with SipHash24.
-The keys are generated during the handshake procedure with the server
-and is shared among the other participants. The stream identifier
-together with the packet counter is used as a nonce.
+Their keys are generated from BLAKE2s-XOF, which is fed with completed
+handshake's binding value. Then they are shared among the other
+participants. The stream identifier together with the packet counter is
+used as a nonce.
 
 It is tuned for 24Kbps bandwidth. But remember that it has additional 8B
 of MAC tag, 4B VoRS, 8B UDP and 40B IPv6 headers.