udpkey.c: Describe the proposed new forward-secure protocol. mdw/fwd-sec
authorMark Wooding <mdw@distorted.org.uk>
Sat, 24 May 2014 13:00:03 +0000 (14:00 +0100)
committerMark Wooding <mdw@distorted.org.uk>
Thu, 19 Jun 2014 08:54:12 +0000 (09:54 +0100)
udpkey.c

index 2715c65..1a623d6 100644 (file)
--- a/udpkey.c
+++ b/udpkey.c
@@ -471,6 +471,8 @@ static void debug_ge(const char *what, group *g, ge *X)
 
 /*----- Protocol summary --------------------------------------------------*
  *
+ * There are two protocol versions.  The original version works as follows.
+ *
  *   * Request
  *     memz            KEYTAG  tag of wanted secret
  *     ge              U       public vector
@@ -480,8 +482,39 @@ static void debug_ge(const char *what, group *g, ge *X)
  *     ge              W       encrypted clue: W = R - Y = r P - v U
  *     mem[TAGSZ]      TAG     MAC tag on ciphertext
  *     mem[KSZ]        CT      secret, encrypted with Z = r X
+ *
+ * The new version provides forward secrecy, which involves additional flows.
+ *
+ *   * Greeting
+ *     u8              0       marker byte for new protocol
+ *     u8              1       packet type
+ *     mem8            KEYTAG  wanted secret tag
+ *
+ *   * Challenge
+ *     u8              17      packet type
+ *     u32             REF     server's reference
+ *     ge              R       public DLIES vector: R = r P
+ *     ge              W       masked DH vector: W = V - Y = v P - r X
+ *
+ *   * Response
+ *     u8              0       marker byte for new protocol
+ *     u8              2       packet type
+ *     mem8            KEYTAG  wanted secret tag
+ *     u32             REF     reference from challenge
+ *     ge              U       public DH vector
+ *     mem[HASHSZ]     H0      hash; H0||H1 = H(U, V, Z), where Z = v U
+ *
+ *   * Reply
+ *     u8              18      packet type
+ *     mem[TAGSZ]      TAG     MAC tag on ciphertext
+ *     mem[KSZ]        CT      secret, encrypted with H1
  */
 
+#define FWS_GREET 0x01
+#define FWS_CHALL 0x11
+#define FWS_RESP 0x02
+#define FWS_REPLY 0x12
+
 /*----- Listening for requests --------------------------------------------*/
 
 /* Rate limiting parameters.
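Review bot: The packet-type column of the new protocol summary gives the type bytes in decimal (`1`, `17`, `2`, `18`) while the constants added just below the comment are hex (`FWS_GREET 0x01`, `FWS_CHALL 0x11`, `FWS_RESP 0x02`, `FWS_REPLY 0x12`), so a reader has to convert to check they agree; naming the macros in the table, e.g. `u8 FWS_CHALL packet type (0x11)`, ties the description to the code. The summary also does not say why a leading `0` byte is an unambiguous marker for the new protocol — presumably because an old-style Request starts with a `memz` KEYTAG that is never empty — nor what the server must retain under REF between Challenge and Response (it needs `v` to compute `Z = v U`) or when that per-REF state is discarded; a sentence on each would let the next reader reason about backward compatibility and about the bounded server state this extra round trip introduces. It would likewise help to state that H0 is what lets the server verify the client actually recovered V from W (and so holds x), since that is the step that makes the Response meaningful before any secret is released.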