It supports key renegotiation, which is a pretty tricky feature (caused two vulnerabilities in TLS already), and has no detail on how this works.
It's also important to specify the shared secret format - it should only be the x-coord so Montgomery can be used.

Why both nonce and ephemeral key?

_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
