From d2a85a0d6b940e7dc92f422fc282c447734fcca2 Mon Sep 17 00:00:00 2001
From: Karolin Varner <karo@cupdev.net>
Date: Mon, 11 Aug 2025 15:18:41 +0200
Subject: [PATCH] fix(whitepaper): Inconsistency between implementation and
 whitepaper about labels for txki/txkr

Fix of Fig. 5 follows later.
---
 papers/whitepaper.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/papers/whitepaper.md b/papers/whitepaper.md
index 9bdaa06..4e4ed30 100644
--- a/papers/whitepaper.md
+++ b/papers/whitepaper.md
@@ -257,7 +257,7 @@ The different labels are:
 * `"mix"` – Mixing further values into the chaining key; i.e. into the protocol state.
 * `"user"` – Labels for external uses; these are what generate the `osk` (output shared key). See Sec. \ref{symmetric-keys}.
 * `"handshake encryption"` – Used when encrypting data using a shared key as part of the protocol execution; e.g. used to generate the `auth` (authentication tag) fields in protocol packages.
-* `"initiator session encryption"` and `"responder session encryption"` – For transmission of data after the key-exchange finishes. See Sec. \ref{symmetric-keys}.
+* `"initiator handshake encryption"` and `"responder handshake encryption"` – For transmission of data after the key-exchange finishes. See Sec. \ref{symmetric-keys}.
 
 ## Hashes
 
@@ -823,6 +823,8 @@ Changes, in particular:
     \end{quote}
     ```
 
+9. In the whitepaper we used the labels `"initiator session encryption"` and `"responder session encryption"`, but in the implementation we used `"initiator handshake encryption"` and `"responder handshake encryption"`. While the whitepaper was correct and the implementation was not, we opt to harmonize the whitepaper with the implementation to avoid a breaking change.
+
 #### 2025-06-24 – Specifying the `osk` used for WireGuard as a protocol extension
 
 \vspace{0.5em}