Dear all, Please find attached our final version for Proposal 295. This version has two changes compared to the previous one:
1. It fixes a vulnerability introduced in the previous iteration which was the result of making the authentication layer stateless. Since there is no freshness entering into the first layer, the same plaintext would have resulted in the same ciphertext, thus allowing an adversary to distinguish. This is now fixed by restoring the running digest also for the authentication layer, thus making it stateful again.
2. It adds an option for forward secrecy. The approach here is similar to the one taken by Proposal 308 by replacing the encryption key of the first layer after successfully processing the message. If this approach is taken, there is no need to keep the authentication layer stateful anymore.
I'll be leaving the mailing list to reduce noise in my mailbox. If you need anything from me regarding this proposal just make sure to CC me on the email and I'll be happy to answer.
Wishes, Tomer
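The following toy model is an added illustration of the two points in the mail above; it is not code from Proposal 295, Proposal 308 or Tomer, and its construction (an HMAC-SHA256 keystream XORed over the plaintext, a 32-byte HMAC tag, a SHA-256 running digest as context, and an HMAC-based key replacement for the forward-secrecy option) is an assumption chosen only to make the behaviour observable. `StatelessLayer` shows the distinguishability problem: with no freshness, equal plaintexts give equal ciphertexts. `StatefulLayer` binds every message to a running digest of the transcript, and `RatchetLayer` replaces the key after each message, which is why the layer can be stateless again once that option is taken.

```python
import hashlib
import hmac

# Constructed domain-separation labels (assumptions, not from the proposal).
LABEL_KEYSTREAM = b"keystream"
LABEL_RATCHET = b"ratchet"
TAG_LEN = 32


def _keystream(key: bytes, context: bytes, length: bytes) -> bytes:
    """Expand HMAC-SHA256(key, context || counter) into `length` keystream bytes."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, context + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Layer:
    """Base layer: keystream and tag are derived from the key and a context value.
    Subclasses decide what the context is and what changes after each message."""

    def __init__(self, key: bytes):
        self.key = key

    def _context(self) -> bytes:
        return LABEL_KEYSTREAM          # constant context: no freshness at all

    def _advance(self, ct: bytes) -> None:
        pass                            # stateless: nothing changes between messages

    def seal(self, pt: bytes) -> bytes:
        ctx = self._context()
        ct = _xor(pt, _keystream(self.key, ctx, len(pt)))
        tag = hmac.new(self.key, ctx + ct, hashlib.sha256).digest()
        self._advance(ct)
        return ct + tag

    def open(self, msg: bytes) -> bytes:
        ct, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        ctx = self._context()
        expected = hmac.new(self.key, ctx + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed")
        pt = _xor(ct, _keystream(self.key, ctx, len(ct)))
        self._advance(ct)
        return pt


class StatelessLayer(Layer):
    """The flawed variant from the mail: same key, same context, same plaintext
    -> identical ciphertext, so an observer can tell repeated messages apart."""


class StatefulLayer(Layer):
    """Running digest restored: the context is a digest of everything sent so far,
    so both endpoints must track the same state and repeats no longer collide."""

    def __init__(self, key: bytes):
        super().__init__(key)
        self.digest = hashlib.sha256(b"session-start").digest()   # constructed IV

    def _context(self) -> bytes:
        return self.digest

    def _advance(self, ct: bytes) -> None:
        self.digest = hashlib.sha256(self.digest + ct).digest()


class RatchetLayer(Layer):
    """Forward-secrecy option: the key is replaced after each message and the old
    one discarded, so a later key compromise does not expose earlier traffic and
    the per-message context can stay stateless."""

    def _advance(self, ct: bytes) -> None:
        self.key = hmac.new(self.key, LABEL_RATCHET, hashlib.sha256).digest()


def repeats_leak(layer_cls, key: bytes, pt: bytes = b"same plaintext", n: int = 3) -> bool:
    """True if sending the same plaintext n times yields a repeated ciphertext."""
    layer = layer_cls(key)
    outputs = [layer.seal(pt) for _ in range(n)]
    return len(set(outputs)) < n


def roundtrip(layer_cls, key: bytes, messages) -> list:
    """Run a sender and a receiver of the same layer type in lockstep."""
    sender, receiver = layer_cls(key), layer_cls(key)
    return [receiver.open(sender.seal(m)) for m in messages]


if __name__ == "__main__":
    k = b"\x01" * 32   # constructed demo key
    for cls in (StatelessLayer, StatefulLayer, RatchetLayer):
        print(f"{cls.__name__:15s} repeated ciphertext: {repeats_leak(cls, k)}")
```

The `repeats_leak` check is the distinguisher the mail describes, reduced to its simplest form: the stateless layer fails it, the stateful layer and the ratcheting layer pass it. `roundtrip` shows the operational cost of the stateful fix, namely that the receiver has to maintain exactly the same running digest, while `RatchetLayer` gets the same property by changing the key instead.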