From 226ed19254d46ae43bc35edb202dac77fa7113ac Mon Sep 17 00:00:00 2001 From: Nico Alt <nico@briarproject.org> Date: Sat, 1 Feb 2025 11:24:32 +0100 Subject: [PATCH] Update BHP spec to version 0.1 --- protocols/BHP.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/protocols/BHP.md b/protocols/BHP.md index 33b1aef..6b776bf 100644 --- a/protocols/BHP.md +++ b/protocols/BHP.md @@ -1,4 +1,4 @@ -# Bramble Handshake Protocol, version 0 +# Bramble Handshake Protocol, version 0.1 ## 1 Introduction @@ -68,14 +68,18 @@ The peers exchange a series of **records** over the transport connection. Each r The maximum length of the payload is 48 KiB. -The current version of the protocol is 0, which has two record types: +The current version of the protocol is 0.1, which has three record types: **0: EPHEMERAL\_PUBLIC\_KEY** - The payload consists of the sender's ephemeral public key. **1: PROOF\_OF\_OWNERSHIP** - The payload consists of a message authentication code proving ownership of the sender's long-term and ephemeral public keys and binding them to the recipient's long-term and ephemeral public keys. +**2: MINOR\_VERSION** - The payload consists of a single byte giving the sender's protocol minor version, which must be non-zero. + A peer should reject any record with an unsupported protocol version and ignore any record with a supported protocol version but an unrecognised record type. This allows new record types to be added without breaking compatibility. +A peer must abort the protocol when no minor version is received from its remote peer, since the initial version 0 of BHP is vulnerable to attacks on forward secrecy. + ### 2.2 Protocol Steps The protocol has four steps: 
@@ -89,13 +93,13 @@ The protocol has four steps: Alice calculates three "raw" shared secrets as follows: -- raw\_static = DH(pri\_long\_term\_a, pub\_long\_term\_b) +- raw\_ephemeral = DH(pri\_ephemeral\_a, pub\_ephemeral\_b) - raw\_static\_ephemeral = DH(pri\_long\_term\_a, pub\_ephemeral\_b) - raw\_ephemeral\_static = DH(pri\_ephemeral\_a, pub\_long\_term\_b) Bob calculates three "raw" shared secrets as follows: -- raw\_static = DH(pri\_long\_term\_b, pub\_long\_term\_a) +- raw\_ephemeral = DH(pri\_ephemeral\_b, pub\_ephemeral\_a) - raw\_static\_ephemeral = DH(pri\_ephemeral\_b, pub\_long\_term\_a) - raw\_ephemeral\_static = DH(pri\_long\_term\_b, pub\_ephemeral\_a) @@ -103,7 +107,7 @@ Bob calculates three "raw" shared secrets as follows: If the adversary did not intercept the prior exchange of long-term public keys and has not modified the EPHEMERAL\_PUBLIC\_KEY records then both peers will calculate the same shared secrets. The peers then derive a "cooked" shared secret known as the **ephemeral master key**, which incorporates both peers' long-term and ephemeral public keys: -- ephemeral\_master\_key = HASH("org.briarproject.bramble.handshake/MASTER\_KEY", raw\_static, raw\_static\_ephemeral, raw\_ephemeral\_static, pub\_long\_term\_a, pub\_long\_term\_b, pub\_ephemeral\_a, pub\_ephemeral\_b) +- ephemeral\_master\_key = HASH("org.briarproject.bramble.handshake/MASTER\_KEY", raw\_ephemeral, raw\_static\_ephemeral, raw\_ephemeral\_static, pub\_long\_term\_a, pub\_long\_term\_b, pub\_ephemeral\_a, pub\_ephemeral\_b) The peers must then delete their ephemeral private keys and the raw shared secrets, allowing the calling application to use the master key for forward secret communication if required. -- GitLab
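Review bot: In the @@ -68,14 +68,18 @@ hunk, the new rule "A peer must abort the protocol when no minor version is received" gives no point in the exchange by which the MINOR_VERSION record has to have arrived, and the patch leaves the step list under "The protocol has four steps" untouched. Suggest stating where the record is sent relative to EPHEMERAL_PUBLIC_KEY and PROOF_OF_OWNERSHIP, and the latest point at which a peer that has not seen it must abort. The record definition also says the byte "must be non-zero" without giving the receiver's action for a zero byte or for a payload that is not exactly one byte; say explicitly whether those cases abort as well.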
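Review bot: In the @@ -89,13 +93,13 @@ hunk, the ephemeral_master_key line swaps raw_static for raw_ephemeral but keeps the label "org.briarproject.bramble.handshake/MASTER_KEY" and does not take the minor version as an input, so nothing in the derivation distinguishes one minor version from another; a later minor version that kept the same inputs would derive the same key. Suggest adding the minor version byte to the HASH inputs or using a version-specific label. The hunk also removes the static-static DH without saying why; one sentence tying this to the forward secrecy statement added in section 2.1 would help implementers.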