On Wed, Sep 24, 2025 at 12:13:46PM +0000, John Mattsson wrote:
> “The key_exchange values for each KeyShareEntry MUST be generated
> independently”
>
> this seems like a weird way to try to partially protect against bad
> implementations that violate NIST requirements and use Key Share
> entries in more than one execution of key-establishment. The right
> approach would be to follow NIST SP 800-227 and do:
>
> “If an application uses an ephemeral key pair, the key pair shall be
> used for only one execution of key-establishment via a KEM and shall
> be destroyed as soon as possible after its use.”

But an ephemeral EC public key that appears both standalone and as a
verbatim copy in a hybrid keyshare is **used** exactly once, because
the TLS server selects just one of the keyshares, and the client then
derives a shared secret via that key **exactly once**.
Though the public key is presented in two parallel contexts, the private
key is used for just one shared secret derivation. IMNSHO forbidding
transient copying of a public key is nonsensical. The key is also
copied by routers as they forward packets with the Client Hello from
client to server, should we forbid that?
While OpenSSL does not currently reuse the EC component of a hybrid
keyshare in the corresponding standalone EC keyshare as well, if and when
implementation cycles permit, I would not hesitate to do that.
Generating a separate EC keyshare is avoidable CPU overhead.
--
Viktor. 🇺🇦 Слава Україні!
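The mechanics Viktor describes, worked through as an added example that is not code from this thread, from OpenSSL, or from any TLS stack: the client generates one X25519 key pair and offers its public key twice, once as the standalone X25519 KeyShareEntry and once as the EC half of an X25519MLKEM768 entry; the server selects exactly one entry; the client then performs exactly one derivation with its X25519 private key whichever entry was chosen. It is Go and assumes Go 1.24 or later for crypto/mlkem. It follows the X25519MLKEM768 layout in draft-ietf-tls-ecdhe-mlkem (client share = ML-KEM-768 encapsulation key || X25519 public key, server share = ML-KEM ciphertext || X25519 public key, secret = ML-KEM secret || X25519 secret); the KeyShareEntry, Client, ServerRespond, Finish and Handshake names are the example's own, it stops at the raw shared secrets (no transcript, no key schedule), and because both sides are constructed locally it panics on error through a must helper rather than validating peer input as a real implementation would.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"fmt"
)

// NamedGroup codepoints: X25519 (RFC 8446) and X25519MLKEM768 (draft-ietf-tls-ecdhe-mlkem).
const (
	GroupX25519         uint16 = 0x001D
	GroupX25519MLKEM768 uint16 = 0x11EC
)

// KeyShareEntry mirrors TLS 1.3's struct { NamedGroup group; opaque key_exchange<1..2^16-1>; }.
type KeyShareEntry struct {
	Group       uint16
	KeyExchange []byte
}

// Client holds one X25519 and one ML-KEM-768 key pair and counts X25519 private key uses.
type Client struct {
	x25519     *ecdh.PrivateKey
	kem        *mlkem.DecapsulationKey768
	X25519Uses int
	Entries    []KeyShareEntry // what the client would put in its key_share extension
}

// must panics on error: both peers are local here, so there is no untrusted input to reject.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewClient generates one X25519 key pair and one ML-KEM-768 key pair and offers two
// KeyShareEntries whose X25519 public key bytes are a verbatim copy of each other.
func NewClient() *Client {
	xpriv := must(ecdh.X25519().GenerateKey(rand.Reader))
	dk := must(mlkem.GenerateKey768())
	xpub := xpriv.PublicKey().Bytes()
	// Hybrid client share per the draft: ML-KEM-768 encapsulation key || X25519 public key.
	hybrid := append(append([]byte{}, dk.EncapsulationKey().Bytes()...), xpub...)
	return &Client{x25519: xpriv, kem: dk,
		Entries: []KeyShareEntry{{GroupX25519, xpub}, {GroupX25519MLKEM768, hybrid}}}
}

// x25519Agree is the one operation that uses an X25519 private key.
func x25519Agree(priv *ecdh.PrivateKey, peer []byte) []byte {
	return must(priv.ECDH(must(ecdh.X25519().NewPublicKey(peer))))
}

// ServerRespond takes the single entry the server selected, runs the server side of
// that one exchange and returns the server's KeyShareEntry plus its shared secret.
func ServerRespond(chosen KeyShareEntry) (KeyShareEntry, []byte) {
	var kemSS, ct []byte
	peer := chosen.KeyExchange
	if chosen.Group == GroupX25519MLKEM768 {
		ek := must(mlkem.NewEncapsulationKey768(peer[:mlkem.EncapsulationKeySize768]))
		kemSS, ct = ek.Encapsulate()
		peer = peer[mlkem.EncapsulationKeySize768:] // the copied X25519 public key
	}
	spriv := must(ecdh.X25519().GenerateKey(rand.Reader))
	xSS := x25519Agree(spriv, peer)
	// Server share: [ML-KEM ciphertext ||] X25519 public key; secret: [ML-KEM ss ||] X25519 ss.
	return KeyShareEntry{chosen.Group, append(ct, spriv.PublicKey().Bytes()...)}, append(kemSS, xSS...)
}

// Finish derives the client's secret from the one entry the server selected. Whichever
// entry that is, the client's X25519 private key is exercised exactly once.
func (c *Client) Finish(server KeyShareEntry) []byte {
	var kemSS []byte
	peer := server.KeyExchange
	if server.Group == GroupX25519MLKEM768 {
		kemSS = must(c.kem.Decapsulate(peer[:mlkem.CiphertextSize768]))
		peer = peer[mlkem.CiphertextSize768:]
	}
	c.X25519Uses++
	return append(kemSS, x25519Agree(c.x25519, peer)...)
}

// Handshake runs one exchange in which the server selects the client's entry at index
// pick (0 = X25519, 1 = X25519MLKEM768); it reports secret agreement and X25519 key uses.
func Handshake(pick int) (agree bool, x25519Uses int) {
	c := NewClient()
	serverEntry, serverSS := ServerRespond(c.Entries[pick])
	clientSS := c.Finish(serverEntry)
	return bytes.Equal(clientSS, serverSS), c.X25519Uses
}

func main() {
	for pick, name := range []string{"X25519", "X25519MLKEM768"} {
		agree, uses := Handshake(pick)
		fmt.Printf("server picked %s: secrets agree=%v, client X25519 private key uses=%d\n", name, agree, uses)
	}
}
```

Run it and X25519Uses is 1 for either selection: the private key performs one scalar multiplication per handshake regardless of how many ClientHello entries carry the public key. Satisfying the draft's "generated independently" wording would mean a second ecdh.X25519().GenerateKey call in NewClient and a second private key that is never used when the other entry is selected, which is the avoidable CPU overhead the message refers to; whether the copy is nonetheless "use" in the NIST sense is the question the thread is arguing, and the code only makes the mechanics concrete.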
_______________________________________________
TLS mailing list -- [email protected]