Updated BTP spec to include stream number in stream header nonce.

### 3.2 Stream Headers

The pseudo-random tag is followed by the stream header, which consists of a true random **initialisation vector (IV)** followed by a symmetric **ephemeral cipher key.**

The pseudo-random tag is followed by the stream header, which consists of a true random **initialisation vector (IV)** followed by a symmetric **ephemeral cipher key.** The IV is IV\_LEN bytes long, where IV\_LEN = NONCE\_LEN - 8.

The ephemeral cipher key is encrypted and authenticated with the sender's outgoing header key, using the random IV as the nonce. The ephemeral cipher key is used for encrypting and authenticating the rest of the stream.

The ephemeral cipher key is encrypted and authenticated with the sender's outgoing header key, using a nonce consisting of the stream number as a 64-bit integer followed by the IV. The ephemeral cipher key is used for encrypting and authenticating the rest of the stream.

The stream header is NONCE\_LEN + KEY\_LEN + AUTH\_LEN bytes long.

The stream header is IV\_LEN + KEY\_LEN + AUTH\_LEN bytes long.

The stream header is composed as follows:

- stream\_iv = R(NONCE\_LEN)

- stream\_iv = R(IV\_LEN)

- stream\_header = stream\_iv || ENC(outgoing\_header\_key, stream\_iv, ephemeral\_cipher\_key)

- stream\_header\_nonce = int(stream\_number) || stream\_iv

- stream\_header = stream\_iv || ENC(outgoing\_header\_key, stream\_header\_nonce, ephemeral\_cipher\_key)

The random IV ensures that if a stream number is accidentally reused, the nonces will be different. IV\_LEN must be large enough to ensure that two random IVs are different with high probability. (*Note:* In the current version of the protocol, IV\_LEN = 16.)

### 3.3 Frames