[tor-dev] New paper by Goldberg, Stebila, and Ostaoglu with proposed circuit handshake

[Nick Mathewson]

On Wed, May 11, 2011 at 6:10 PM, Ian Goldberg <iang at cs.uwaterloo.ca> wrote:
 [...]
> Remember also that if you have non-black-box access to the
> exponentiation routine, the server can compute X^y and X^b
> simultaneously.  That will make a bigger difference in time, but is not
> really relevant from a spec-level standpoint.

Can you expand on how this would work?  I didn't ask the first time
you told me this, on the theory that I could figure it out if I
thought about it for long enough, but several days later I still don't
have it.  All the ways I can think of are inefficient,
non-constant-time, or both.

-- 
Nick