o Minor features (security):

    - Check for replays of the public-key encrypted portion of an
      INTRODUCE1 cell, in addition to the current check for replays of
      the g^x value.  This prevents a possible class of active attacks
      by an attacker who controls both an introduction point and a
      rendezvous point, and who uses the malleability of AES-CTR to
      alter the encrypted g^x portion of the INTRODUCE1 cell.  We
      think that these attacks is infeasible (requiring the attacker
      to send on the order of zettabytes of altered cells in a short
      interval), but we'd rather block them off in case there are any
      classes of this attack that we missed.  Reported by dvorak.