From de14440b1f5b9e5beeda8b3e9945b6a840894dd63581cd1318472855db1fa2f0 Mon Sep 17 00:00:00 2001 From: Sergey Matveev Date: Wed, 17 Apr 2024 01:01:29 +0300 Subject: [PATCH] Note about BLAKE2s-XOF as a KDF --- doc/proto.texi | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/doc/proto.texi b/doc/proto.texi index a1af4d4..dc7c3d2 100644 --- a/doc/proto.texi +++ b/doc/proto.texi @@ -11,9 +11,10 @@ participant) and 24-bit big-endian packet counter. Reordered packets are dropped. 24-bit counter is long enough for very long talk sessions. Each packet is encrypted with ChaCha20 and authenticated with SipHash24. -The keys are generated during the handshake procedure with the server -and is shared among the other participants. The stream identifier -together with the packet counter is used as a nonce. +Their keys are generated from BLAKE2s-XOF, which is fed with completed +handshake's binding value. Then they are shared among the other +participants. The stream identifier together with the packet counter is +used as a nonce. It is tuned for 24Kbps bandwidth. But remember that it has additional 8B of MAC tag, 4B VoRS, 8B UDP and 40B IPv6 headers. -- 2.48.1
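Review bot: The added sentence "Their keys are generated from BLAKE2s-XOF, which is fed with completed handshake's binding value" in doc/proto.texi does not say how the XOF output is divided between the ChaCha20 key and the SipHash24 key, so the derivation cannot be reimplemented from this text alone. Suggest stating the requested output length and the order and size of each key (ChaCha20 takes a 256-bit key, SipHash a 128-bit key), and whether anything besides the binding value, such as a personalization or context string, is fed to the XOF. "Binding value" is not defined in the visible context, so a cross-reference to the handshake description would help. On wording: "Their" has no clear antecedent after "Each packet is encrypted with ChaCha20 and authenticated with SipHash24", so something like "The encryption and authentication keys are derived from ..." reads more clearly, and "the completed handshake's binding value" needs the article.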