|
|
|
@ -1028,14 +1028,14 @@ All of the resulting ciphertexts are combined to form a \coinsCiphertext. |
|
|
|
\changed{ |
|
|
|
Let $\SymEncrypt{\Key}(\Plaintext)$ be authenticated encryption using a variation |
|
|
|
of $\SymSpecific$ \cite{rfc7539} encryption of plaintext $\Plaintext$, with empty |
|
|
|
``associated data", all-zero nonce, and key $\Key$. The variation is that the |
|
|
|
$\SymCipher$ keystream is used to encrypt the plaintext starting immediately after |
|
|
|
the 32 bytes of the $\SymAuth$ key, without discarding 32 bytes as in \cite{rfc7539}. |
|
|
|
``associated data", all-zero nonce $\zeros{96}$, and 256-bit key $\Key$. The variation |
|
|
|
is that the $\SymCipher$ keystream is used to encrypt the plaintext starting immediately |
|
|
|
after the 32 bytes of the $\SymAuth$ key, without discarding 32 bytes as in \cite{rfc7539}. |
|
|
|
|
|
|
|
Similarly, let $\SymDecrypt{\Key}(\Ciphertext)$ be decryption using the same |
|
|
|
$\SymSpecific$ variation of ciphertext $\Ciphertext$, with empty ``associated data", |
|
|
|
all-zero nonce, and key $\Key$. The result is either the plaintext byte sequence, |
|
|
|
or $\bot$ indicating failure to decrypt. |
|
|
|
all-zero nonce $\zeros{96}$, and 256-bit key $\Key$. The result is either the plaintext |
|
|
|
byte sequence, or $\bot$ indicating failure to decrypt. |
|
|
|
|
|
|
|
Define: |
|
|
|
|
|
|
|
|
Daira Hopwood
8 years ago