>> I also could see folks trying to avoid the HRR
>> altogether and rip the X25519 out of the hybrid key
>> share and use immediately. That's not a "reuse", I
>> suppose, but still seems a bad idea.
>
> Can you say why? My inclination would be to codify it and
> say that any hybrid keyshare could be used for its constituent
> parts unless the definition of the hybrid says otherwise.
If the client sends an X25519MLKEM768 key share and the server responds with an X25519 key share, wouldn't the client just reject it because it's for a different group? "The server's share MUST be in the same group as one of the client's shares."

Peter
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
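The check Peter is pointing at, as an added example that is not part of the thread and not anyone's implementation: a client-side model of the RFC 8446 Section 4.2.8 rules for the server's key_share (a ServerHello share must match one of the shares the client actually sent; a HelloRetryRequest may only name a group from supported_groups that the client did not already send a share for), run against a ClientHello that offers only an X25519MLKEM768 share. It also shows the "rip the X25519 out" step from the quoted message: splitting the hybrid share into its ML-KEM-768 and X25519 halves. The codepoint 0x11EC and the share layout (ML-KEM-768 encapsulation key followed by X25519 public key) are taken from draft-ietf-tls-ecdhe-mlkem and should be checked against the draft version you target; the key material is constructed filler, and all class and function names are this example's own.

```python
"""
Client-side validation of the server's key_share choice (RFC 8446, 4.2.8),
with the X25519MLKEM768 hybrid offered as the only client share.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Tuple


class NamedGroup(IntEnum):
    # secp256r1 and x25519 from the TLS Supported Groups registry (RFC 8446);
    # X25519MLKEM768 from draft-ietf-tls-ecdhe-mlkem (verify against your draft).
    secp256r1 = 0x0017
    x25519 = 0x001D
    X25519MLKEM768 = 0x11EC


# Client share layout for X25519MLKEM768 per draft-ietf-tls-ecdhe-mlkem:
# ML-KEM-768 encapsulation key (1184 bytes) || X25519 public key (32 bytes).
MLKEM768_EK_LEN = 1184
X25519_PK_LEN = 32


class IllegalParameter(Exception):
    """The client would abort the handshake with an illegal_parameter alert."""


@dataclass
class ClientHello:
    supported_groups: List[NamedGroup]
    key_shares: Dict[NamedGroup, bytes]  # group -> key_exchange bytes actually sent


@dataclass
class ServerHello:
    group: NamedGroup
    is_hello_retry_request: bool = False


def split_x25519mlkem768_share(key_exchange: bytes) -> Tuple[bytes, bytes]:
    """Pull the (ML-KEM-768 ek, X25519 pk) constituents out of a hybrid share."""
    if len(key_exchange) != MLKEM768_EK_LEN + X25519_PK_LEN:
        raise IllegalParameter("malformed X25519MLKEM768 key_exchange length")
    return key_exchange[:MLKEM768_EK_LEN], key_exchange[MLKEM768_EK_LEN:]


def check_server_group(ch: ClientHello, sh: ServerHello) -> NamedGroup:
    """Client-side check of the server's selected group; returns it or raises."""
    if sh.is_hello_retry_request:
        # HRR: selected_group must have been offered in supported_groups ...
        if sh.group not in ch.supported_groups:
            raise IllegalParameter(f"HRR selected unoffered group {sh.group.name}")
        # ... and must not be one the client already sent a share for.
        if sh.group in ch.key_shares:
            raise IllegalParameter(f"HRR selected {sh.group.name}, share already sent")
        return sh.group
    # ServerHello: the share must match one of the *shares* sent, not merely a
    # group that was listed. A bare x25519 reply to an X25519MLKEM768 share
    # fails here even though X25519 is a constituent of the hybrid.
    if sh.group not in ch.key_shares:
        raise IllegalParameter(f"ServerHello share group {sh.group.name} not among sent shares")
    return sh.group


def demo() -> Dict[str, str]:
    """Run the scenarios discussed in the thread against a constructed ClientHello."""
    # Constructed filler, not real key material: a hybrid share of the right length.
    hybrid_share = b"\x00" * MLKEM768_EK_LEN + b"\x01" * X25519_PK_LEN
    ch = ClientHello(
        supported_groups=[NamedGroup.X25519MLKEM768, NamedGroup.x25519],
        key_shares={NamedGroup.X25519MLKEM768: hybrid_share},
    )
    # The server can extract the X25519 half of the hybrid share ...
    _ek, x25519_pk = split_x25519mlkem768_share(hybrid_share)
    assert len(x25519_pk) == X25519_PK_LEN
    # ... but answering with a bare x25519 share is rejected by the client.
    results: Dict[str, str] = {}
    for label, sh in [
        ("hybrid_reply", ServerHello(NamedGroup.X25519MLKEM768)),
        ("bare_x25519_reply", ServerHello(NamedGroup.x25519)),
        ("hrr_to_x25519", ServerHello(NamedGroup.x25519, is_hello_retry_request=True)),
        ("hrr_to_hybrid", ServerHello(NamedGroup.X25519MLKEM768, is_hello_retry_request=True)),
        ("hrr_to_unoffered", ServerHello(NamedGroup.secp256r1, is_hello_retry_request=True)),
    ]:
        try:
            results[label] = "accepted:" + check_server_group(ch, sh).name
        except IllegalParameter:
            results[label] = "rejected"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:20s} {outcome}")
```

The only path by which the server ends up on plain X25519 after an X25519MLKEM768-only offer is the HRR naming x25519 (listed in supported_groups, no share sent), after which the client sends a fresh X25519 share; the extracted half of the hybrid share never becomes a usable stand-alone share from the client's point of view.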
