On Mon, Mar 16, 2026 at 03:41:59PM +0000, Salz, Rich wrote:
> > I also could see folks trying to avoid the HRR
> > altogether and rip the X25519 out of the hybrid key
> > share and use immediately. That's not a "reuse", I
> > suppose, but still seems a bad idea.
>
> Can you say why? My inclination would be to codify it and say that
> any hybrid keyshare could be used for its constituent parts unless the
> definition of the hybrid says otherwise.

Hybrid proponents are adamantly against treating the hybrids as non-atomic. I suspect it comes down to their security proofs/arguments resting on treating them as atomic.

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
