mode, designed by Bellare, Canetti and Krawczyk). These can all be
overridden by setting attributes on your private key, as follows.
.TP
+.B bulk
+Names the bulk-crypto transform to use. See below.
+.TP
+.B blkc
+Names a block cipher, used by some bulk-crypto transforms (e.g.,
+.BR iiv ). The default is to use the block cipher underlying the chosen
+.BR cipher ,
+if any.
+.TP
.B cipher
Names the symmetric encryption scheme to use. The default is
.BR blowfish\-cbc .
A `mask-generation function', used in the key-exchange. The default is
.IB hash \-mgf
and there's no good reason to change it.
+.PP
+The available bulk-crypto transforms are as follows.
+.TP
+.B v0
+Originally this was the only transform available. It's a standard
+generic composition of a CPA-secure symmetric encryption scheme with a
+MAC; initialization vectors for symmetric encryption are chosen at
+random and included explicitly in the cryptogram.
+.TP
+.B iiv
+A newer `implicit-IV' transform. Rather than having an explicit random
+IV, the IV is computed from the sequence number using a block cipher.
+This has two advantages over the
+.B v0
+transform. Firstly, it adds less overhead to encrypted messages
+(because the IV no longer needs to be sent explicitly). Secondly, and
+more significantly, the transform is entirely deterministic, so (a) it
+doesn't need the (possibly slow) random number generator, and (b) it
+closes a kleptographic channel, over which a compromised implementation
+could leak secret information to a third party.
.SS "Using SLIP interfaces"
Though not for the faint of heart, it is possible to get
.B tripe
~mdw / tripe / blobdiff