On Mon, Mar 16, 2026 at 7:20 PM Viktor Dukhovni <[email protected]> wrote:
> On Mon, Mar 16, 2026 at 03:41:59PM +0000, Salz, Rich wrote:
> > > I also could see folks trying to avoid the HRR altogether and rip the
> > > X25519 out of the hybrid key share and use immediately. That's not a
> > > "reuse", I suppose, but still seems a bad idea.
> >
> > Can you say why? My inclination would be to codify it and say that
> > any hybrid keyshare could be used for its constituent parts unless the
> > definition of the hybrid says otherwise.
>
> The server decomposing a hybrid is of course not viable, the actual
> scenario that makes sense (and MUST NOT be considered reuse) is for
> the client to use the same public key in multiple parallel keyshares:
>
> An extreme example of this could be:
>
> keyshare 1: X25519MLKEM768: <X25519 pk> + <MLKEM 768 pk>
> keyshare 2: SecP256r1MLKEM768: <P-256 pk> + <same MLKEM 768 pk>
> keyshare 3: X25519: <same X25519 pk>
> keyshare 4: P-256: <same P-256 pk>
>
> This sends 4 keyshares based on just 3, rather than 6 underlying
> generated keys. There's no actual "reuse" here, each key is used at
> most once for just whichever keyshare the server selects.

This text would have no impact on this practice, as it says for "multiple connections", which this is not.

-Ekr
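The four-shares-from-three-keys layout Viktor describes, as an added example that is not code from the thread or from any TLS implementation: it builds and parses the ClientHello key_share extension body with constructed placeholder keys of the real encoded lengths, assumes the NamedGroup codepoints and hybrid component ordering of RFC 8446 and draft-ietf-tls-ecdhe-mlkem, and shows that once the server selects one group only that entry's underlying keys are consumed.

```python
import struct

# NamedGroup codepoints (RFC 8446; draft-ietf-tls-ecdhe-mlkem for the hybrids).
X25519, SECP256R1 = 0x001D, 0x0017
X25519MLKEM768, SECP256R1MLKEM768 = 0x11EC, 0x11EB

# Constructed stand-in public keys with the real encoded sizes; a real client
# generates these three keys with its crypto library, once per ClientHello.
X25519_PK = b"\x01" * 32            # X25519 public key
P256_PK = b"\x04" + b"\x02" * 64    # uncompressed P-256 point
MLKEM768_PK = b"\x03" * 1184        # ML-KEM-768 encapsulation key
COMPONENTS = {"x25519": X25519_PK, "p256": P256_PK, "mlkem768": MLKEM768_PK}


def build_client_shares(x25519_pk, p256_pk, mlkem_pk):
    """Four KeyShareEntry values backed by three generated keys. Component
    order inside each hybrid follows draft-ietf-tls-ecdhe-mlkem (assumed):
    ML-KEM||X25519 for X25519MLKEM768, P-256||ML-KEM for SecP256r1MLKEM768."""
    return [
        (X25519MLKEM768, mlkem_pk + x25519_pk),
        (SECP256R1MLKEM768, p256_pk + mlkem_pk),
        (X25519, x25519_pk),
        (SECP256R1, p256_pk),
    ]


def encode_key_share(shares):
    """Serialize the client key_share extension body (RFC 8446 section 4.2.8):
    uint16 total length, then per entry uint16 group, uint16 length, key."""
    entries = b"".join(struct.pack("!HH", g, len(k)) + k for g, k in shares)
    return struct.pack("!H", len(entries)) + entries


def decode_key_share(body):
    """Parse the extension body back into (group, key_exchange) pairs."""
    (total,) = struct.unpack("!H", body[:2])
    pos, out = 2, []
    while pos < 2 + total:
        g, n = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        out.append((g, body[pos:pos + n]))
        pos += n
    return out


def component_usage(shares, components=COMPONENTS):
    """Which groups each generated key backs: one key, several parallel shares.
    Substring matching is enough for the constructed keys used here."""
    return {n: [g for g, k in shares if pk in k] for n, pk in components.items()}


def keys_consumed(shares, selected_group, components=COMPONENTS):
    """After the server picks one group, only that entry's components are ever
    used for a shared secret; the rest are discarded, so no key is used twice."""
    entry = dict(shares)[selected_group]
    return sorted(n for n, pk in components.items() if pk in entry)
```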
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
