> Would there be any problem with allowing each server to choose for > itself whether or not to XOR against a self-generated secret? Those servers that want to do that can simply send all-zeroes as the enc_secret, saving complexity in the protocol.