From 2cec1625e2dd8915e6c4489cea6ca3f45b974124 Mon Sep 17 00:00:00 2001 From: Jeff Becker Date: Sun, 25 Feb 2018 16:08:42 -0500 Subject: [PATCH] more changes to iwp --- doc/iwp_v0.txt | 33 +++++++++++++++++++++++++++------ 1 file changed, 27 insertions(+), 6 deletions(-) diff --git a/doc/iwp_v0.txt b/doc/iwp_v0.txt index 26b79f619..0170533e2 100644 --- a/doc/iwp_v0.txt +++ b/doc/iwp_v0.txt @@ -15,7 +15,7 @@ the first 32 bytes are message authentication bytes, h the next 32 bytes are nounce for shared secret, n the remaining bytes are interpreted as ciphertext, x -a shared secret s is generated via TKE(us, them, n) +a shared secret s is generated via TKE(initiater, recipiant, n) next the integrity of the ciphertext is done by checking MDS(n + x, s) == h if the ciphertext is valid then the frame is decrypted via SD(s, n, x) @@ -37,15 +37,20 @@ handshake: 0) intro +32 bytes random padding, r (for future handshake use) 32 bytes hmac, h 32 bytes nounce, n -64 bytes elligator sqaured encoded alice's transport public encryption key, a.k +32 bytes alice's transport public encryption key, a.k variadic bytes padding, w0 -Alice transmits ( h + n + a.k + w0 ) to Bob from the transport address matching -his public transport encryption key. +Alice transmits ( r + h + n + a.k + w0 ) to Bob from the transport address matching +his public transport encryption key (b.k). -Bob recieves ( h + n + a.k + w0 ) +w0 = "[insert variable length random padding here]" +s = TKE(a.k, b.k, n) +h = MDS(n + a.k, s) + +Bob recieves ( r + h + n + a.k + w0 ) 1) intro ack 
@@ -56,12 +61,13 @@ sent in reply to an intro, bob sends an intro ack encrypted to Alice using 32 bytes ciphertext, x variadic bytes padding, w1 +w1 = "[insert variable length random padding here]" token = RAND(32) k = TKE(a.k, b.k, n) x = SE(k, token, n[0:24]) h = MDS(n + x, k) -Bob transmits ( h + n + x + w1 ) +Bob transmits ( h + n + x + w1 ), r is ignored and discarded Alice recieves ( h + n + x + w1 ) and verifies that h == MDS(n + x, k) silently dropping if it does not match. @@ -74,6 +80,7 @@ Alice sends the token from the intro ack back to Bob 32 bytes ciphertext, x variadic byttes padding, w2 +w2 = "[insert variable length random padding here]" k = TKE(a.k, b.k, n) x = SE(k, token, n[0:24]) h = MDS(n + x, k) @@ -91,6 +98,7 @@ Bob acks the token that he got from Alice 32 bytes ciphertext, x variadic byttes padding, w3 +w3 = "[insert variable length random padding here]" S = TKE(a.k, b.k, token) x = SE(S, token, n[0:24]) h = MDS(n + x, S) @@ -117,6 +125,8 @@ plaintext payload: P s bytes of data N bytes remaining data is discarded +Encryption: + D = H + P x = SE(D, S, n) h = MDS(n + x, S) @@ -129,6 +139,13 @@ Bob checks hmac by verifying h == MDS(n + x, S) if the hmac fails the data is silently dropped +Decryption: + +verify h == MDS(n + x, S) +D = SD(x, S, n) +H = D[0:4] +P = D[4:4+H.s] + message types: XMIT = 0x01 @@ -172,6 +189,10 @@ msg_bytes = BE(msg) 12 bits unsigned int fragment size bytes, s 4 bits unsigned int nonzero number of fragments, n 8 bits size of last fragment in bytes, l +8 bits reserved flags, f +if f MSB is set then last fragment is included and is l bytes long + +f's MSB MUST be set as of protocol version 0. msg_bytes is s * (n - 1) + l bytes long
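Review bot: In the first hunk (@@ -15,7 +15,7), the replacement line TKE(initiater, recipiant, n) misspells both role names ("initiator", "recipient") and introduces a naming scheme the rest of the patch does not follow: every handshake step below writes the same call as TKE(a.k, b.k, n). Pick one form and say explicitly that the initiator's key is always the first argument, so both sides derive the same s regardless of who is sending the frame.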
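Review bot: In the intro hunk (@@ -37,15 +37,20), the added h = MDS(n + a.k, s) covers only n and a.k, so the new 32-byte field r and the padding w0 are not authenticated. That is harmless while r is discarded, but the field is described as "for future handshake use"; either include r in the MDS input now or state that any later meaning for r requires it. The same hunk replaces the 64-byte Elligator squared encoding of a.k with a 32-byte unencoded key while adding random bytes around it. An unencoded public key is generally not uniformly random, so if the padding is meant to make the intro look like random bytes the document should say why the encoding was dropped.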
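Review bot: In the intro ack hunk (@@ -56,12 +61,13), the remark "r is ignored and discarded" is appended to the line where Bob transmits ( h + n + x + w1 ), a frame that contains no r. It describes how Bob handles the received intro and belongs next to "Bob recieves ( r + h + n + a.k + w0 )" in step 0. Separately, w1 = "[insert variable length random padding here]" reads as a string literal to anyone implementing from this text. The same hunk already uses token = RAND(32), so express the padding as RAND over a stated minimum and maximum length, and do the same for w0, w2 and w3 in the neighbouring hunks.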
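Review bot: In the Decryption hunk (@@ -129,6 +139,13), P = D[4:4+H.s] slices with a length read from the decrypted header and never checks it against the length of D. Add a step that drops the frame when 4 + H.s exceeds the size of D, and state that D must be at least 4 bytes before H = D[0:4] is read. The section should also say that a failed "verify h == MDS(n + x, S)" stops processing before SD is called, matching the "silently dropped" wording just above. Finally, D = SD(x, S, n) orders its arguments differently from SD(s, n, x) in the frame description at the top of the file, and x = SE(D, S, n) in the Encryption block differs from SE(k, token, n[0:24]) in the handshake, including whether the nonce is truncated to 24 bytes. Settle on one signature for SE and SD and use it throughout.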
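Review bot: In the fragment header hunk (@@ -172,6 +189,10), the new flags byte f defines behaviour only for the case where its MSB is set, then requires the MSB to be set in protocol version 0, leaving the receiver's action on a clear MSB unspecified. State that a version 0 receiver MUST drop a message whose f has the MSB clear, since the unchanged line "msg_bytes is s * (n - 1) + l bytes long" is only correct when the last fragment is included. The other seven bits are called reserved without a rule: say that senders MUST set them to zero and whether receivers ignore or reject nonzero values, so the bits can be assigned later without ambiguity.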