the wireguard paper was cited by blake3 https://www.wireguard.com/papers/wireguard.pdf but not as an example of good crypto, and it might even be backhanded? the protocol seems incredibly half-assed:
The responder maintains a secret random value that changes every two minutes
updating my secret random value on a precise schedule? likely generating my "secret" "random" value at precise intervals?
While the public key of the responder itself is not secret, it is sufficiently secret within this attack model
(literally no attack model, just buzzwords every other sentence)
Computing Curve25519 point multiplication is CPU intensive
this remarkable claim is then provided as the sole basis for a "cpu exhaustion attack"????
