Prop. 157 KDF cleanups

i2p2www/spec/proposals/157-new-tbm.rst

@@ -393,7 +393,7 @@ bytes   0-201: ChaCha20 encrypted ShortBuildReplyRecord
 KDF
 -----------------------
 
-TBD
+See KDF section below.
 
 
 
@@ -494,7 +494,7 @@ KDF
 ---
 
 We use ck from Noise state after tunnel build record encryption/decrytion
-to derivve following keys: reply key, AES layer key, AES iv key and garlic reply key/tag for OBEP.
+to derive following keys: reply key, AES layer key, AES IV key and garlic reply key/tag for OBEP.
 
 Reply key:
 Unlike long records we can't use left part of ck for reply key, because it's not last and will be used later.
@@ -504,29 +504,30 @@ Both use the same key, nonce is record's position in the message starring from 0
 .. raw:: html
 
   {% highlight lang='dataspec' %}
-ck = HKDF(ck, ZEROLEN, "SMTunnelReplyKey", 64)
+keydata = HKDF(ck, ZEROLEN, "SMTunnelReplyKey", 64)
-  replyKey = ck[32:63]
+  replyKey = keydata[32:63]
+  ck = keydata[0:31]
 
   Layer key:
   Layer key is always AES for now, but same KDF can be used from Chacha20
 
-  ck = HKDF(ck, ZEROLEN, "SMTunnelLayerKey", 64)
+  keydata = HKDF(ck, ZEROLEN, "SMTunnelLayerKey", 64)
-  replyKey = ck[32:63]
+  layerKey = keydata[32:63]
 
-  IV key:
+  IV key for non-OBEP record:
-  For non_OBEP record
+  ivKey = keydata[0:31]
-
-  ivKey = ck[0:32]
   because it's last
 
-  for OBEP record
+  IV key for OBEP record:
-  ck = HKDF(ck, ZEROLEN, "TunnelLayerIVKey", 64)
+  ck = keydata[0:31]
-  ivKey = ck[32:63]
+  keydata = HKDF(ck, ZEROLEN, "TunnelLayerIVKey", 64)
+  ivKey = keydata[32:63]
+  ck = keydata[0:31]
 
   OBEP garlic reply key/tag:
-  ck = HKDF(ck, ZEROLEN, "RGarlicKeyAndTag", 64)
+  keydata = HKDF(ck, ZEROLEN, "RGarlicKeyAndTag", 64)
-  key = ck[32:64]
+  replyKey = keydata[32:63]
-  tag = ck[0:8]
+  replyTag = keydata[0:7]
 
 {% endhighlight %}