Regarding Russ's question:
Has the double-encryption approach that we are considering been analyzed
an AONT? If so, how does it stack up when compared to OAEP?
I'm not aware of any similar analysis on double-encryption, though it would
be an interesting (and not necessarily easy) research exercise. I've asked
Victor Boyko if he's interested in taking a look.
Responding to Bob Jueneman's earlier suggestion:
Is there some specific need to use the same KEK for mailing lists
multiple times or could the same solution be used as in S-S DH?
In other words make the use of a "salt" in the message compulsory
use the mailing list key in place of the DH shared secret (ZZ). This
would then allow the same mailing list key to be used multiple times
because the KEK would be different with each salt.
I think this is architecturally a nice approach, since with static-static
Diffie-Hellman, ZZ is a shared key between two users, and KEKs are derived
from it. The goal is to use a KEK only once in either setting.