2016.07.09 21:04:43 (751854615646396416) from Daniel J. Bernstein, replying to "Trevor Perrin (@trevp__)" (751774169012924419):
Happy to hear that the key isn't attached to the ciphertext. The paper still sounds wrong to me; should clarify. @trevp__ @sweis @alexstamos
2016.07.09 01:47:06 (751563292548620289) from "Steve Weis (@sweis)":
Do you mean the franking? That's the MAC of a user-encrypted ciphertext.
2016.07.09 12:25:37 (751723978386014208) from Daniel J. Bernstein, replying to "Steve Weis (@sweis)" (751563292548620289):
If it's ciphertext then how can it be reported? Sounds like they want a commitment to the plaintext M: e.g. SHA-256(R,M). @sweis @alexstamos
2016.07.09 15:45:03 (751774169012924419) from "Trevor Perrin (@trevp__)":
That's what this is (commitment with R = Nf). Whitepaper is clear on this.