1 files changed, 10 insertions, 1 deletions

diff --git a/rend-spec-v3.txt b/rend-spec-v3.txt
index bbe7b91..383b73a 100644
--- a/rend-spec-v3.txt
+++ b/rend-spec-v3.txt
@@ -216,6 +216,9 @@ Table of contents:
       * Instantiate MAC(key=k, message=m) with H(k_len | k | m),
         where k_len is htonll(len(k)).
 
+	When we need a particular MAC key length below, we choose
+	MAC_KEY_LEN=32 (256 bits).
+
    For legacy purposes, we specify compatibility with older versions of
    the Tor introduction point and rendezvous point protocols. These used
    RSA1024, DH1024, AES128, and SHA1, as discussed in
@@ -1856,6 +1859,11 @@ Table of contents:
    INTRODUCE2 cell with exactly the same contents to the service, and sends an
    INTRODUCE_ACK response to the client.
 
+   (Note that the introduction point does not "clean up" the
+   INTRODUCE1 cells that it retransmits. Specifically, it does not
+   change the order or multiplicity of the extensions sent by the
+   client.)
+
    The same rules for multiplicity, ordering, and handling unknown types
    apply to the extension fields here as described [EST_INTRO] above.
 
@@ -2102,7 +2110,8 @@ Table of contents:
    The hidden service host now also knows the keys generated by the
    handshake, which it will use to encrypt and authenticate data
    end-to-end between the client and the server. These keys are as
-   computed in tor-spec.txt section 5.1.4.
+   computed in tor-spec.txt section 5.1.4, except that instead of using
+   AES-128 and SHA1 for this hop, we use AES-256 and SHA3-256.
 
 3.4. Authentication during the introduction phase. [INTRO-AUTH]