On Wed, May 11, 2011 at 6:10 PM, Ian Goldberg iang@cs.uwaterloo.ca wrote: [...]
> Remember also that if you have non-black-box access to the exponentiation routine, the server can compute X^y and X^b simultaneously. That will make a bigger difference in time, but is not really relevant from a spec-level standpoint.
Can you expand on how this would work? I didn't ask the first time you told me this, on the theory that I could figure it out if I thought about it for long enough, but several days later I still don't have it. All the ways I can think of are inefficient, non-constant-time, or both.
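One known way to share work between two exponentiations of the same base, given here as an added example that is not from either poster and not necessarily the method Ian had in mind: a right-to-left binary ladder in which the squarings X^(2^i) are computed once and feed both accumulators. The names `dual_pow` and `select`, the test modulus and the operation counter are assumptions for illustration; Python integers are not constant-time, so the code only shows an operation sequence that does not depend on the exponent bits.

```python
def select(bit, if_one, if_zero):
    """Branch-free choice between two integers; bit must be 0 or 1."""
    mask = -bit                      # 0 -> 0, 1 -> all ones
    return if_zero ^ (mask & (if_one ^ if_zero))


def dual_pow(X, y, b, p, nbits):
    """Return (X^y mod p, X^b mod p, ops) from one shared squaring chain.

    Every iteration performs the same two multiplications and one squaring
    regardless of the bits of y and b; the bits only drive select().
    """
    if y < 0 or b < 0 or y >> nbits or b >> nbits:
        raise ValueError("exponents must be non-negative and fit in nbits")
    acc_y, acc_b = 1, 1
    power = X % p                    # invariant: power == X^(2^i) mod p
    ops = {"sqr": 0, "mul": 0}
    for i in range(nbits):
        cand_y = (acc_y * power) % p     # always computed
        cand_b = (acc_b * power) % p     # always computed
        ops["mul"] += 2
        acc_y = select((y >> i) & 1, cand_y, acc_y)
        acc_b = select((b >> i) & 1, cand_b, acc_b)
        power = (power * power) % p      # one squaring serves both exponents
        ops["sqr"] += 1
    return acc_y, acc_b, ops


if __name__ == "__main__":
    # Constructed sample values, not taken from any protocol specification.
    p = 2**127 - 1
    X = 5
    y = 0x1234567890ABCDEF1234567890ABCDEF
    b = 0x0FEDCBA9876543210FEDCBA987654321
    ry, rb, ops = dual_pow(X, y, b, p, 128)
    assert (ry, rb) == (pow(X, y, p), pow(X, b, p))
    # Two separate always-multiply ladders would cost 2*128 squarings
    # plus 2*128 multiplications; the shared chain halves the squarings.
    print(ops, "total modular products:", ops["sqr"] + ops["mul"])
```
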