Right. A key difference between what I proposed and what Zack is proposing, as I understand it, is that in my proposal the server (RS) challenges the client with a fresh ephemeral public key (periodically or once per session, according to server policy). In Zack’s proposal the server has a static p
One potential mitigation is multiple DH, where the server has a static key
*and* ephemeral key. Then the shared secret for HMAC becomes:
KDF(DH(client_ephemeral, server_static) || DH(client_ephemeral, server_ephemeral))
For the cost of an additional client <-> server interaction (to share t