It supports key renegotiation which is a pretty tricky feature (caused two vulnerabilities in TLS already) and has no detail on how this works. It's also important to specify the shared secret format - it should only be the x-coord so montgomery can be used. Why both nonce and ephemeral key?