From 35f6465301ec6a2b19e08576e51c4d8bc3d7ebdf Mon Sep 17 00:00:00 2001
From: zzz <zzz@i2pmail.org>
Date: Thu, 24 Apr 2025 09:55:45 -0400
Subject: [PATCH] ratchet notes on replay prevention

---
 i2p2www/spec/ecies.rst | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/i2p2www/spec/ecies.rst b/i2p2www/spec/ecies.rst
index d7a11d8c..c191e80e 100644
--- a/i2p2www/spec/ecies.rst
+++ b/i2p2www/spec/ecies.rst
@@ -2147,6 +2147,9 @@ Assists in replay prevention.
 Bob must validate that the message is recent, using this timestamp.
 Bob must implement a Bloom filter or other mechanism to prevent replay attacks,
 if the time is valid.
+Bob may also use an earlier replay detection check for a duplicate ephemeral key
+(either pre- or post-Elligator2 decode) to detect and drop recent duplicate NS messages
+before decryption.
 Generally included in New Session messages only.
 
 .. raw:: html
@@ -3102,6 +3105,24 @@ to expire, but Alice should keep them for a short while, to
 decrypt any other NSR messages that are received.
 
 
+Replay Prevention
+-----------------
+
+Bob must implement a Bloom filter or other mechanism to prevent NS replay attacks,
+if the included DateTime is recent, and reject NS messages where the
+DateTime is too old.
+Bob may also have use an earlier replay detection check for a duplicate ephemeral key
+(either pre- or post-Elligator2 decode) to detect and drop recent duplicate NS messages
+before decryption.
+
+NSR and ES messages have inherent replay prevention because the
+session tag is one-time-use.
+
+Garlic messages also have replay prevention if the router implements
+a router-wide Bloom filter based on I2NP message ID.
+
+
+
 
 Related Changes
 =====================