Handshake protocol

     ┌──────┐                                ┌──────┐                                     
     │Client│                                │Server│                                     
     └──┬───┘                                └──┬───┘                                     
        │    R, enc(H(DSAPub), R, El(CDHPub))   │  ╔══════════════════════╗               
        │ ──────────────────────────────────────>  ║R=rand(64bit)        ░║               
        │                                       │  ║CDHPriv=rand(256bit)  ║               
        │                                       │  ╚══════════════════════╝               
        │                                       │  ╔══════════════════════════╗           
        │    enc(H(DSAPub), R+1, El(SDHPub))    │  ║SDHPriv=rand(256bit)     ░║           
        │    enc(K, R, RS+SS)                   │  ║K=H(DH(SDHPriv, CDHPub))  ║           
        │ <──────────────────────────────────────  ║RS=rand(64bit)            ║           
        │                                       │  ║SS=rand(256bit)           ║           
        │                                       │  ╚══════════════════════════╝           
        │                                       │  ╔══════════════════════════╗           
        │ enc(K, R+1, RS+RC+SC+Sign(DSAPriv, K))│  ║K=H(DH(CDHPriv, SDHPub)) ░║           
        │ ──────────────────────────────────────>  ║RC=rand(64bit)            ║           
        │                                       │  ║SC=rand(256bit)           ║           
        │                                       │  ╚══════════════════════════╝           
        │                                       │  ╔═════════════════════════════════════╗
        │            enc(K, R+2, RC)            │  ║compare(RS)                         ░║
        │ <──────────────────────────────────────  ║compare(RC)                          ║
        │                                       │  ║Verify(DSAPub, Sign(DSAPriv, K), K)  ║
        │                                       │  ║MasterKey=SS XOR SC                  ║
        │                                       │  ╚═════════════════════════════════════╝

Each handshake message ends with so called IDtag: it is BLAKE2b-MAC of the first 64 bits of the handshake message, with client’s Identity used as a key. It is used to transmit identity and to mark packet as handshake message.

If noise is enabled, then data is padded to fill up packet to MTU’s size.

Preparation stage:

1. Client knows only his identity and passphrase written somewhere in the human readable form. Server knows his identity and verifier: DSAPub.
2. Client computes verifier which produces DSAPriv and DSAPub. H() is BLAKE2b-256 hash function.
3. Client generates DH keypair: CDHPub and CDHPriv. Also it generates random 64-bit R that is used as a nonce for symmetric encryption. El() is Elligator point encoding (and vice versa) algorithm.

Interaction stage:

1. R + enc(H(DSAPub), R, El(CDHPub)) + IDtag -> Server [48 bytes]
2. • Server remembers client address.
   • Decrypts El(CDHPub).
   • Inverts El() encoding and gets CDHPub.
   • Generates DH keypair: SDHPriv/SDHPub.
   • Computes common shared key K = H(DH(SDHPriv, CDHPub)).
   • Generates 64-bit random number RS.
   • Generates 256-bit pre-master secret SS.
3. enc(H(DSAPub), R+1, El(SDHPub)) + enc(K, R, RS + SS) + IDtag -> Client [80 bytes]
4. • Client decrypts El(SDHPub).
   • Inverts El() encoding and gets SDHPub.
   • Computes K.
   • Decrypts RS and SS.
   • Remembers SS.
   • Generates 64-bit random number RC.
   • Generates 256-bit pre-master secret SC.
   • Signs with DSAPriv key K.
5. enc(K, R+1, RS + RC + SC + Sign(DSAPriv, K)) + IDtag -> Server [120 bytes]
6. • Server decrypts RS, RC, SC, Sign(DSAPriv, K).
   • Compares RS with its own one sent before. Server decrypts RS, RC, SC with key K, compares RS with its own one sent before.
   • Verifies K signature with verifier DSAPub.
   • Computes final session encryption key: MasterKey=SS XOR SC.
7. ENC(K, R+2, RC) + IDtag -> Client [16 bytes]
8. • Client decrypts RC
   • Compares with its own one sent before.
   • Computes final session encryption key as server did.

MasterKey is high entropy 256-bit key. K DH-derived one has 128-bit security margin and that is why are not in use except in handshake process. R* are required for handshake randomization and two-way authentication.

In encryptionless mode each enc() is replaced with AONT and chaffing function over the noised data.