Yes, this is the case for all implementations I know of. On Mon, Mar 16, 2026 at 5:25 PM Peter C <Peter.C= [email protected]> wrote:
> > - I also could see folks trying to avoid the HRR > - altogether and rip the X25519 out of the hybrid key > - share and use immediately. That's not a "reuse", I > - suppose, but still seems a bad idea. > > > Can you say why? My inclination would be to codify it and > > say that any hybrid keyshare could be used for its constituent > > parts unless the definition of the hybrid says otherwise. > > > > If the client sends an X25519MLKEM768 key share and the server > responds with an X25519 key share, wouldn’t the client just reject > it because it’s for a different group? > > “The server's share MUST be in the same group as one of the client's > shares.” > > > Peter > _______________________________________________ > TLS mailing list -- [email protected] > To unsubscribe send an email to [email protected] >
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
