On Mon, Mar 16, 2026 at 03:41:59PM +0000, Salz, Rich wrote:
> I also could see folks trying to avoid the HRR altogether and rip the
> X25519 out of the hybrid key share and use immediately. That's not a
> "reuse", I suppose, but still seems a bad idea.
>
> Can you say why? My inclination would be to codify it and say that
> any hybrid keyshare could be used for its constituent parts unless the
> definition of the hybrid says otherwise.
The server decomposing a hybrid is of course not viable; the actual
scenario that makes sense (and MUST NOT be considered reuse) is for
the client to use the same public key in multiple parallel keyshares.
An extreme example of this could be:
keyshare 1: X25519MLKEM768: <X25519 pk> + <MLKEM 768 pk>
keyshare 2: SecP256r1MLKEM768: <P-256 pk> + <same MLKEM 768 pk>
keyshare 3: X25519: <same X25519 pk>
keyshare 4: P-256: <same P-256 pk>
This sends 4 keyshares based on just 3, rather than 6, underlying
generated keys. There's no actual "reuse" here: each key is used at
most once, for just whichever keyshare the server selects.
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
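The share composition in Viktor's example, written out as an added Python illustration (this is not code from the thread, from the draft, or from any TLS stack): three public keys, four KeyShareEntry values in one key_share extension, and a server that consumes exactly one of them. The public keys are constructed random placeholders of the right sizes, since the point is the composition rather than the key math. The NamedGroup code points and the component order are the ones in draft-ietf-tls-ecdhe-mlkem (ML-KEM-768 encapsulation key before the X25519 key for X25519MLKEM768, P-256 point before the ML-KEM key for SecP256r1MLKEM768), so the X25519 hybrid is laid out in the opposite order to the informal "<X25519 pk> + <MLKEM 768 pk>" listing above.

```python
import os
import struct

# NamedGroup code points (IANA TLS Supported Groups registry and
# draft-ietf-tls-ecdhe-mlkem).
SECP256R1 = 0x0017
X25519 = 0x001D
SECP256R1MLKEM768 = 0x11EB
X25519MLKEM768 = 0x11EC

# Public-key sizes in bytes: uncompressed P-256 point, X25519 u-coordinate,
# ML-KEM-768 encapsulation key.
P256_LEN, X25519_LEN, MLKEM768_LEN = 65, 32, 1184

# Wire layout of each group's key_exchange field in terms of the underlying
# public keys (hybrid orderings per draft-ietf-tls-ecdhe-mlkem).
LAYOUT = {
    X25519MLKEM768: (("mlkem768", MLKEM768_LEN), ("x25519", X25519_LEN)),
    SECP256R1MLKEM768: (("p256", P256_LEN), ("mlkem768", MLKEM768_LEN)),
    X25519: (("x25519", X25519_LEN),),
    SECP256R1: (("p256", P256_LEN),),
}


def constructed_pubkeys():
    """Constructed placeholders: random bytes of the right sizes stand in for
    the three real public keys (one P-256, one X25519, one ML-KEM-768)."""
    return {
        "p256": b"\x04" + os.urandom(P256_LEN - 1),
        "x25519": os.urandom(X25519_LEN),
        "mlkem768": os.urandom(MLKEM768_LEN),
    }


def build_shares(pubkeys, groups):
    """Client side: one KeyShareEntry per offered group, each assembled from
    the same pool of public keys. Returns [(group, key_exchange), ...]."""
    return [(g, b"".join(pubkeys[name] for name, _ in LAYOUT[g])) for g in groups]


def encode_key_share(shares):
    """KeyShareClientHello: KeyShareEntry client_shares<0..2^16-1>, each entry
    NamedGroup (2 bytes) + opaque key_exchange<1..2^16-1>."""
    body = b"".join(struct.pack("!HH", g, len(k)) + k for g, k in shares)
    return struct.pack("!H", len(body)) + body


def decode_key_share(ext):
    """Parse an extension body back into [(group, key_exchange), ...],
    rejecting truncated, oversized or zero-length fields."""
    if len(ext) < 2 or struct.unpack("!H", ext[:2])[0] != len(ext) - 2:
        raise ValueError("client_shares length mismatch")
    shares, pos = [], 2
    while pos < len(ext):
        if pos + 4 > len(ext):
            raise ValueError("truncated KeyShareEntry header")
        g, klen = struct.unpack("!HH", ext[pos:pos + 4])
        pos += 4
        if klen == 0 or pos + klen > len(ext):
            raise ValueError("bad key_exchange length")
        shares.append((g, ext[pos:pos + klen]))
        pos += klen
    return shares


def select_share(shares, server_prefs):
    """Server side: the first group in its own preference order that the
    client sent a share for; None means a HelloRetryRequest is needed."""
    offered = dict(shares)
    for g in server_prefs:
        if g in offered:
            return g, offered[g]
    return None


def decompose(group, key_exchange):
    """Split the selected key_exchange into its component public keys, as the
    server must before running the component ECDH / ML-KEM operations."""
    layout = LAYOUT[group]
    if len(key_exchange) != sum(n for _, n in layout):
        raise ValueError("key_exchange length wrong for group 0x%04x" % group)
    parts, pos = {}, 0
    for name, n in layout:
        parts[name] = key_exchange[pos:pos + n]
        pos += n
    return parts


def keys_used(pubkeys, shares, server_prefs):
    """Names of the client's underlying keys the selected share consumes;
    every other share, and every key only it carried, is simply discarded."""
    chosen = select_share(shares, server_prefs)
    if chosen is None:
        return set()
    parts = decompose(*chosen)
    return {name for name, pk in parts.items() if pubkeys[name] == pk}
```

Offering all four groups costs 2580 bytes of key_share (1216 + 1249 + 32 + 65 of key material plus headers) but only three key generations. Whatever the server picks, keys_used() shows at most one use of each underlying key, and a server preferring a group the client did not offer gets None, i.e. an HRR, rather than any attempt to pull a component out of a hybrid share it did not negotiate.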