On Thu, Sep 22, 2016 at 4:41 PM, Hugo Krawczyk <h...@ee.technion.ac.il>
> If the problem is the use of forward secrecy then there is a simple
> solution, don't use it.
> That is, you can, as a server, have a fixed key_share for which the secret
> exponent becomes the private key exactly as in the RSA case. It does
> require some careful analysis, though.
I think that this may be possible for TLS1.3 0-RTT data, but not for other
data where an ephemeral key will be generated based also on a parameter
that the client chooses.
TLS mailing list