Robert Ransom pointed out offlist that the pak crypto is flawed in this draft so its back to the drawing board. please consider this version of the draft retracted :-)
> If an attacker can find scalars s1 and s2 such that s1*H(p1) = > s2*H(p2), then he can send s1*H(p1) as his public key, receive the > other party's public key P and a message encrypted using the resulting > shared secret key, then compute both possible shared secrets s1*P and > s2*P and try each of them to decrypt the message. > > If H(p) = p*G, then s1*H(p1) = s1*p1*G = s1*(p1/p2)*p2*G = > s1*(p1/p2)*H(p2) (with the divisions and multiplications computed in > the ring of scalars). -- cinap