Putting the security of the scheme aside, one question that comes to
mind is how Alice (the OP) is going to get an authentic copy of Ricky's
DH public key, y. One way to do this is to include it in the router
descriptors. But then we have to ask if it's worth adding a new public
key for each OR to the Tor PKI to just save one exponentiation during
session key agreement.
-James
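The two concerns James raises, the one exponentiation saved by carrying Ricky's DH value y in the router descriptor and the need for Alice to get an authentic copy of it, are easy to make concrete. The following Python is an added illustration, not code from Tor or from anyone in this thread. It counts the per-session modular exponentiations each side performs in an ordinary ephemeral DH exchange and in a variant where the OR's long-term g^y is published once in a descriptor, and it shows what happens when Alice accepts an unauthenticated descriptor. The group is the 1024-bit RFC 2409 group 2 prime that tor-spec names for the TAP handshake; the `Party`, `publish_descriptor` and descriptor dict are invented for the example, and the model deliberately omits everything else the real handshake does (onion-key encryption of g^x, key derivation, the KH check) so that only the exponentiation count and the trust in y are visible.

```python
"""Added illustration for the or-dev exchange above (not Tor code, not the
thread's own code): count per-session modexps in ephemeral DH versus DH with
the OR's public value published in its descriptor, and show why that
published value must be authentic."""
import secrets

# 1024-bit safe prime from RFC 2409 section 6.2 (Oakley group 2), the group
# tor-spec names for the TAP handshake; generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2


class Party:
    """One participant (hypothetical helper); counts the modexps it does online."""

    def __init__(self, name):
        self.name = name
        self.modexps = 0

    def fresh_secret(self):
        # Exponent in [1, P-2] from the OS CSPRNG.
        return 1 + secrets.randbelow(P - 2)

    def modexp(self, base, exp):
        self.modexps += 1
        return pow(base, exp, P)


def ephemeral_handshake():
    """Both sides pick a fresh exponent per session: two modexps each."""
    alice, ricky = Party("Alice"), Party("Ricky")
    x, y = alice.fresh_secret(), ricky.fresh_secret()
    gx = alice.modexp(G, x)          # Alice -> Ricky: g^x
    gy = ricky.modexp(G, y)          # Ricky -> Alice: g^y
    k_alice = alice.modexp(gy, x)    # (g^y)^x
    k_ricky = ricky.modexp(gx, y)    # (g^x)^y
    return {"keys_match": k_alice == k_ricky,
            "alice_modexps": alice.modexps, "ricky_modexps": ricky.modexps}


def publish_descriptor(ricky):
    """Done once, offline: Ricky's long-term y and the g^y that a descriptor
    would carry (constructed descriptor layout, not Tor's real format)."""
    y = ricky.fresh_secret()
    gy = pow(G, y, P)   # not counted: computed once, not per session
    return y, {"nickname": ricky.name, "dh_public": gy}


def static_handshake():
    """Alice takes g^y from the descriptor; Ricky only computes (g^x)^y per
    session, so the OR side drops from two modexps to one."""
    alice, ricky = Party("Alice"), Party("Ricky")
    y_secret, descriptor = publish_descriptor(ricky)
    x = alice.fresh_secret()
    gx = alice.modexp(G, x)
    k_alice = alice.modexp(descriptor["dh_public"], x)
    k_ricky = ricky.modexp(gx, y_secret)
    return {"keys_match": k_alice == k_ricky,
            "alice_modexps": alice.modexps, "ricky_modexps": ricky.modexps}


def substituted_descriptor_attack():
    """If Alice cannot verify the descriptor, Mallory swaps in her own g^m.
    The key Alice believes she shares with Ricky is then shared with Mallory."""
    alice, ricky, mallory = Party("Alice"), Party("Ricky"), Party("Mallory")
    y_secret, descriptor = publish_descriptor(ricky)
    m = mallory.fresh_secret()
    tampered = dict(descriptor, dh_public=pow(G, m, P))   # forged descriptor
    x = alice.fresh_secret()
    gx = alice.modexp(G, x)                      # seen in transit by Mallory
    k_alice = alice.modexp(tampered["dh_public"], x)
    k_mallory = mallory.modexp(gx, m)
    k_ricky = ricky.modexp(gx, y_secret)          # what Ricky would derive
    return {"alice_key": k_alice, "mallory_key": k_mallory, "ricky_key": k_ricky}


if __name__ == "__main__":
    print("ephemeral:", ephemeral_handshake())
    print("static y in descriptor:", static_handshake())
    a = substituted_descriptor_attack()
    print("forged descriptor: Alice shares key with Mallory:",
          a["alice_key"] == a["mallory_key"], "with Ricky:", a["alice_key"] == a["ricky_key"])
```

The saving is exactly the one James describes: Ricky no longer computes g^y per session because it was computed once and published. The third function is the cost of getting the distribution wrong. Whatever carries g^y (a descriptor, a signed key list) has to be something Alice can verify, which is why the question of adding another key per OR to the Tor PKI is the real one.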
We already distribute different keys for the current protocol. But the
one I proposed is insecure so we might as well forget about it. Schnorr
signatures are secure and are intended for this purpose, but we can only
use them after 2008.