|
|
@ -391,7 +391,9 @@ This is a variation on the $\CryptoBoxSeal$ algorithm defined in libsodium |
|
|
|
\cite{cryptoboxseal}, but with a single ephemeral key used for all encryptions in a |
|
|
|
given \PourDescription, and with the nonce for each ciphertext component depending |
|
|
|
on the index $i$. Also, $\CryptoBoxSealHash$ (the full hash, not the compression |
|
|
|
function) is used instead of $\mathsf{blake2b}$. |
|
|
|
function) is used instead of $\mathsf{blake2b}$. The particular nonce construction |
|
|
|
is chosen so that a known-nonce distinguisher for $\mathsf{Salsa20}$ would not |
|
|
|
directly lead to a break of the IK-CCA (key privacy) property. |
|
|
|
|
|
|
|
\subsubsection{Coin Commitments} |
|
|
|
|
|
|
|