On 10/11/2013 11:22 AM, Jerry Leichter wrote:
1. Brute force. No public key-stretching algorithm can help, since the
attacker
will brute-force the k's, computing the corresponding K's as he goes.
There is a completely impractical solution for this which is applicable
in a very few
Without doing any key management or requiring some kind of reliable
identity or memory of previous sessions, the best we can do in the inner
protocol is an ephemeral Diffie-Hellman, so suppose we do this:
a. Generate random a and send aG on curve P256
b. Generate random b and send bG on
