MoRF is a mutually-authenticated, encrypted communication protocol over lossy packet links with small MTUs, e.g. LoRa. Inspired by Noise.
no_std
compatible, no dynamic memory allocation- Minimum supported MTU: 49 bytes, overhead per data packet: 19 bytes
- Primitives: X25519 + BLAKE3 + ChaCha20-Poly1305
- Identity hiding, forward secrecy, replay protection
To establish an encrypted session, a client initiates a handshake to a server to exchange keys. Both peers are required to have ahead-of-time knowledge of each other's public key.
-
$CE_{pub}$ ,$CE_{sec}$ : Client ephemeral X25519 public/secret key -
$SE_{pub}$ ,$SE_{sec}$ : Server ephemeral X25519 public/secret key -
$CS_{pub}$ ,$CS_{sec}$ : Client static X25519 public/secret key -
$SS_{pub}$ ,$SS_{sec}$ : Server static X25519 public/secret key -
$X25519(secret, public)$ : X25519 Diffie-Hellman key agreement -
$ChaCha20(key, payload)$ : Apply (unauthenticated) ChaCha20 keystream derived from$key$ to$payload$ -
$Mac(key, payload)$ : Apply BLAKE3 keyed hash with$key$ to$payload$ , and truncate the output to the first 16 bytes. -
$DeriveKey(key, info)$ : Derive a 32-byte subkey from$key$ using BLAKE3 as a KDF with$info$ as the info string -
$Hash(payload)$ : Calculate the BLAKE3 hash of$payload$ and truncate the output to the first 16 bytes. -
$InitialEncryptionKeyInfo$ : The stringinitial_encryption_key
-
$ServerEphemeralPublicKeyMacKeyInfo$ : The stringserver_ephemeral_public_key_mac_key
Let
Field | Length |
---|---|
1 | |
32 | |
16 |
Lookup client static public key
Let
Let
Field | Length |
---|---|
1 | |
32 | |
16 |
Let
Check that:
Let