I've been reading up on the Secure Remote Pasword protocol (SRP). There are a couple different versions of the protocol (the original published version being designated SRP-3, with two subsequent enhancements 6 and 6a).
There was a very limited attack on version 3, where the attacker could submit two password guesses per falsified attempt against the server instead of just one. This was because in step 2 where the client submits ($g^x + g^b$) to the server, they could in fact set $b$ to be a second password guess, and since the server doesn't have the password, it can't tell that $b$ isn't randomly chosen (like it's supposed to be). The attack and remedy are detailed in the paper for SRP-6.
The remedy described in SRP-6 is that the client send $kg^x + g^b$ instead, where $k = 3$. However, there is also a version SRP-6a (which is the version detailed on the page above), which sets $k = H(N, g)$. Since both $N$ and $g$ are publicly known values ($N$ is a large safe prime, and $g$ is it's generator), and the $(g,N)$ group is used for all transactions in a given SRP system (independent of password, user or session), $k$ is still a constant value.
So the question is, what's the justification/benefit of picking this alternate value $H(N,g)$ for $k$? This value of $k$ is used in the TLS/SRP implementation, but I haven't found any explanation for why.
If k is a constant, such as 3, it becomes possible to select a pair (N,g) such that the discrete log of k to the base g is known, which would enable the two-for-one guessing attack again.
External links referenced by this document: