/*----- Protocol summary --------------------------------------------------*
*
+ * There are two protocol versions. The original version works as follows.
+ *
* * Request
* memz KEYTAG tag of wanted secret
* ge U public vector
* ge W encrypted clue: W = R - Y = r P - v U
* mem[TAGSZ] TAG MAC tag on ciphertext
* mem[KSZ] CT secret, encrypted with Z = r X
+ *
+ * The new version provides forward secrecy, which involves additional flows.
+ *
+ * * Greeting
+ * u8 0 marker byte for new protocol
+ * u8 1 packet type
+ * mem8 KEYTAG wanted secret tag
+ *
+ * * Challenge
+ * u8 17 packet type
+ * u32 REF server's reference
+ * ge R public DLIES vector: R = r P
+ * ge W masked DH vector: W = V - Y = v P - r X
+ *
+ * * Response
+ * u8 0 marker byte for new protocol
+ * u8 2 packet type
+ * mem8 KEYTAG wanted secret tag
+ * u32 REF reference from challenge
+ * ge U public DH vector
+ * mem[HASHSZ] H0 hash; H0||H1 = H(U, V, Z), where Z = v U
+ *
+ * * Reply
+ * u8 18 packet type
+ * mem[TAGSZ] TAG MAC tag on ciphertext
+ * mem[KSZ] CT secret, encrypted with H1
*/
+#define FWS_GREET 0x01
+#define FWS_CHALL 0x11
+#define FWS_RESP 0x02
+#define FWS_REPLY 0x12
+
/*----- Listening for requests --------------------------------------------*/
/* Rate limiting parameters.