The protocols here are modeled according to their description in the
SPORE library.

In the 'key-compromise' directory one can find the same protocols, but
modified to model the compromise of earlier sessions and the leakage of
the corresponding local values.