From 29febb8712dd2082fffd42a3813903358e3121bc Mon Sep 17 00:00:00 2001
From: zzz <zzz@i2pmail.org>
Date: Mon, 12 Jul 2021 15:31:22 -0400
Subject: [PATCH] Prop. 157 KDF cleanups

---
 i2p2www/spec/proposals/157-new-tbm.rst | 33 +++++++++++++-------------
 1 file changed, 17 insertions(+), 16 deletions(-)

diff --git a/i2p2www/spec/proposals/157-new-tbm.rst b/i2p2www/spec/proposals/157-new-tbm.rst
index bc1a237cc..38040c30b 100644
--- a/i2p2www/spec/proposals/157-new-tbm.rst
+++ b/i2p2www/spec/proposals/157-new-tbm.rst
@@ -393,7 +393,7 @@ bytes   0-201: ChaCha20 encrypted ShortBuildReplyRecord
 KDF
 -----------------------
 
-TBD
+See KDF section below.
 
 
 
@@ -494,7 +494,7 @@ KDF
 ---
 
 We use ck from Noise state after tunnel build record encryption/decrytion
-to derivve following keys: reply key, AES layer key, AES iv key and garlic reply key/tag for OBEP.
+to derive following keys: reply key, AES layer key, AES IV key and garlic reply key/tag for OBEP.
 
 Reply key:
 Unlike long records we can't use left part of ck for reply key, because it's not last and will be used later.
@@ -504,29 +504,30 @@ Both use the same key, nonce is record's position in the message starring from 0
 .. raw:: html
 
   {% highlight lang='dataspec' %}
-ck = HKDF(ck, ZEROLEN, "SMTunnelReplyKey", 64)
-  replyKey = ck[32:63]
+keydata = HKDF(ck, ZEROLEN, "SMTunnelReplyKey", 64)
+  replyKey = keydata[32:63]
+  ck = keydata[0:31]
 
   Layer key:
   Layer key is always AES for now, but same KDF can be used from Chacha20
 
-  ck = HKDF(ck, ZEROLEN, "SMTunnelLayerKey", 64)
-  replyKey = ck[32:63]
+  keydata = HKDF(ck, ZEROLEN, "SMTunnelLayerKey", 64)
+  layerKey = keydata[32:63]
 
-  IV key:
-  For non_OBEP record
-
-  ivKey = ck[0:32]
+  IV key for non-OBEP record:
+  ivKey = keydata[0:31]
   because it's last
 
-  for OBEP record
-  ck = HKDF(ck, ZEROLEN, "TunnelLayerIVKey", 64)
-  ivKey = ck[32:63]
+  IV key for OBEP record:
+  ck = keydata[0:31]
+  keydata = HKDF(ck, ZEROLEN, "TunnelLayerIVKey", 64)
+  ivKey = keydata[32:63]
+  ck = keydata[0:31]
 
   OBEP garlic reply key/tag:
-  ck = HKDF(ck, ZEROLEN, "RGarlicKeyAndTag", 64)
-  key = ck[32:64]
-  tag = ck[0:8]
+  keydata = HKDF(ck, ZEROLEN, "RGarlicKeyAndTag", 64)
+  replyKey = keydata[32:63]
+  replyTag = keydata[0:7]
 
 {% endhighlight %}
 
-- 
GitLab