From c7ee4e7f1fae87710bf04b4276a464641d24c2fe Mon Sep 17 00:00:00 2001
From: zzz <zzz@mail.i2p>
Date: Sun, 13 Sep 2020 14:05:17 +0000
Subject: [PATCH] Small ECIES updates

---
 i2p2www/spec/blockfile.rst                   |  6 +++---
 i2p2www/spec/common-structures.rst           | 17 ++++++++-------
 i2p2www/spec/ecies.rst                       |  6 +++---
 i2p2www/spec/proposals/152-ecies-tunnels.rst | 22 ++++++++++++++++++--
 4 files changed, 36 insertions(+), 15 deletions(-)

diff --git a/i2p2www/spec/blockfile.rst b/i2p2www/spec/blockfile.rst
index 1490884e..db854fcf 100644
--- a/i2p2www/spec/blockfile.rst
+++ b/i2p2www/spec/blockfile.rst
@@ -2,8 +2,8 @@
 Blockfile and Hosts Database Specification
 ==========================================
 .. meta::
-    :lastupdated: November 2019
-    :accuratefor: 0.9.43
+    :lastupdated: 2020-09
+    :accuratefor: 0.9.47
 
 .. contents::
 
@@ -168,7 +168,7 @@ The maximum number of entries per span is 16.
 Properties Skiplist
 -------------------
 
-"%%__INFO__%%" is the master database skiplist with String/Properties key/value
+"%%__INFO__%%" is the main database skiplist with String/Properties key/value
 entries containing only one entry:
 
     info
diff --git a/i2p2www/spec/common-structures.rst b/i2p2www/spec/common-structures.rst
index d28b34fc..6abc948c 100644
--- a/i2p2www/spec/common-structures.rst
+++ b/i2p2www/spec/common-structures.rst
@@ -3,8 +3,8 @@ Common structures Specification
 ===============================
 .. meta::
     :category: Design
-    :lastupdated: April 2020
-    :accuratefor: 0.9.46
+    :lastupdated: 2020-09
+    :accuratefor: 0.9.47
 
 .. contents::
 
@@ -86,7 +86,7 @@ ElGamal       256                All Router Identities and Destinations
 P256           64         TBD    Reserved, see proposal 145
 P384           96         TBD    Reserved, see proposal 145
 P521          132         TBD    Reserved, see proposal 145
-X25519         32        0.9.38  Little-endian. See proposal 144
+X25519         32        0.9.38  Little-endian. See [ECIES]_ and proposal 156
 =======  ==============  ======  =====
 
 JavaDoc: http://{{ i2pconv('echelon.i2p/javadoc') }}/net/i2p/data/PublicKey.html
@@ -118,7 +118,7 @@ ElGamal       256                All Router Identities and Destinations
 P256           32         TBD    Reserved, see proposal 145
 P384           48         TBD    Reserved, see proposal 145
 P521           66         TBD    Reserved, see proposal 145
-X25519         32        0.9.38  Little-endian. See proposal 144
+X25519         32        0.9.38  Little-endian. See [ECIES]_ and proposal 156
 =======  ==============  ======  =====
 
 JavaDoc: http://{{ i2pconv('echelon.i2p/javadoc') }}/net/i2p/data/PrivateKey.html
@@ -439,7 +439,7 @@ ElGamal        0                 256            All Router Identities and Destin
 P256           1                  64            Reserved, see proposal 145
 P384           2                  96            Reserved, see proposal 145
 P521           3                 132            Reserved, see proposal 145
-X25519         4                  32            Not for use in key certs. See proposal 144
+X25519         4                  32            See [ECIES]_ and proposal 156
 reserved  65280-65534                           Reserved for experimental use
 reserved     65535                              Reserved for future expansion
 ========  ===========  =======================  =====
@@ -1189,10 +1189,10 @@ Notes
 
 * The encryption keys are used for end-to-end ElGamal/AES+SessionTag encryption
   [ELGAMAL-AES]_ (type 0) or other end-to-end encryption schemes.
-  See proposals 123, 144, and 145.
+  See [ECIES]_ and proposals 145 and 156.
   They may be generated anew at every router startup
   or they may be persistent.
-  X25519 (type 4, proposal 144) is supported as of release 0.9.44.
+  X25519 (type 4, see [ECIES]_) is supported as of release 0.9.44.
 
 * The signature is over the data above, PREPENDED with the single byte
   containing the DatabaseStore type (3).
@@ -1711,6 +1711,9 @@ Specification [GARLIC-DELIVERY]_.
 References
 ==========
 
+.. [ECIES]
+   {{ spec_url('ecies') }}
+
 .. [ELGAMAL]
     {{ site_url('docs/how/cryptography', True) }}#elgamal
 
diff --git a/i2p2www/spec/ecies.rst b/i2p2www/spec/ecies.rst
index 071c55dc..b48fda3e 100644
--- a/i2p2www/spec/ecies.rst
+++ b/i2p2www/spec/ecies.rst
@@ -3,8 +3,8 @@ ECIES-X25519-AEAD-Ratchet
 =========================
 .. meta::
     :category: Protocols
-    :lastupdated: 2020-05-07
-    :accuratefor: 0.9.46
+    :lastupdated: 2020-09
+    :accuratefor: 0.9.47
 
 .. contents::
 
@@ -2936,7 +2936,7 @@ Recommended parameters and timeouts:
 - Remove previous ES tagset after: 3 minutes
 - Tagset look ahead of tag N: min(tsmax, tsmin + N/4)
 - Tagset trim behind tag N: min(tsmax, tsmin + N/4) / 2
-- Send next key at tag: TBD
+- Send next key at tag: 4096
 - Send next key after tagset lifetime: TBD
 - Replace session if NS received after: 3 minutes
 - Max clock skew: -5 minutes to +2 minutes
diff --git a/i2p2www/spec/proposals/152-ecies-tunnels.rst b/i2p2www/spec/proposals/152-ecies-tunnels.rst
index 2cc100ef..4c0fb5c8 100644
--- a/i2p2www/spec/proposals/152-ecies-tunnels.rst
+++ b/i2p2www/spec/proposals/152-ecies-tunnels.rst
@@ -6,7 +6,7 @@ ECIES Tunnels
     :author: chisana, zzz
     :created: 2019-07-04
     :thread: http://zzz.i2p/topics/2737
-    :lastupdated: 2020-09-05
+    :lastupdated: 2020-09-13
     :status: Open
     :target: 0.9.51
 
@@ -173,6 +173,10 @@ Request Record Unencrypted (ElGamal)
 `````````````````````````````````````````
 
 For reference, this is the current specification of the tunnel BuildRequestRecord for ElGamal routers, taken from [I2NP]_.
+The unencrypted data is prepended with a nonzero byte and the SHA-256 hash of the data before encryption,
+as defined in [Cryptography]_.
+
+All fields are big-endian.
 
 Unencrypted size: 222 bytes
 
@@ -267,6 +271,8 @@ If the Properties structure is empty, this is two bytes 0x00 0x00.
 Request Record Encrypted (ECIES)
 `````````````````````````````````````
 
+All fields are big-endian except for the ephemeral public key which is little-endian.
+
 Encrypted size: 528 bytes
 
 .. raw:: html
@@ -274,7 +280,7 @@ Encrypted size: 528 bytes
   {% highlight lang='dataspec' %}
 
 bytes    0-15: Hop's truncated identity hash
-  bytes   16-47: Sender's ephemeral public key
+  bytes   16-47: Sender's ephemeral X25519 public key
   bytes  48-511: ChaCha20 encrypted BuildRequestRecord
   bytes 512-527: Poly1305 MAC
 
@@ -290,6 +296,11 @@ Encrypted BuildReplyRecords are 528 bytes for both ElGamal and ECIES, for compat
 
 Reply Record Unencrypted (ElGamal)
 `````````````````````````````````````
+ElGamal replies are encrypted with AES.
+
+All fields are big-endian.
+
+Unencrypted size: 528 bytes
 
 .. raw:: html
 
@@ -306,6 +317,9 @@ bytes 0-31   :: SHA-256 Hash of bytes 32-527
 
 Reply Record Unencrypted (ECIES)
 `````````````````````````````````````
+ECIES replies are encrypted with ChaCha20/Poly1305.
+
+All fields are big-endian.
 
 Unencrypted size: 512 bytes
 
@@ -634,6 +648,10 @@ Issues
 * Is an HKDF required for the keys, what's the advantage of doing that vs.
   just including them in the build record as before?
 
+* Make KDFs be similar to those in Noise (NTCP2) and Ratchet
+
+* HKDF output no more than 64 bytes preferred
+
 * In the current Java implementation, the full router hash field in the build
   request record at bytes 4-35 is not checked and does not appear to be necessary.