On Mon, Mar 16, 2026 at 07:23:13PM -0700, Eric Rescorla wrote:
> > An extreme example of this could be:
> >
> > keyshare 1: X25519MLKEM768: <X25519 pk> + <MLKEM 768 pk>
> > keyshare 2: SecP256r1MLKEM768: <P-256 pk> + <same MLKEM 768 pk>
> > keyshare 3: X25519: <same X25519 pk>
> > keyshare 4: P-256: <same P-256 pk>
> >
> > This sends 4 keyshares based on just 3, rather than 6 underlying
> > generated keys. There's no actual "reuse" here, each key is used at
> > most once for just whichever keyshare the server selects.
>
> This text would have no impact on this practice, as it says for
> "multiple connections", which this is not.
No worries, thanks, so that optimisation remains possible in theory. I
am not aware of any TLS stacks that do this in practice, but perhaps
some day someone might be sufficiently motivated to go there, and then
it should work.
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
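The four-shares-from-three-keys layout quoted above, as an added example that is not part of the thread or of any TLS stack: a Python sketch that builds the key_share extension from constructed placeholder public keys (random bytes of the right lengths, not real keys), checks the one-entry-per-group rule from RFC 8446, and counts how many distinct underlying keys the shares are built from. The hybrid code points and concatenation order are taken from draft-ietf-tls-ecdhe-mlkem as I read it and are assumptions to verify against the current draft.

```python
import os
import struct

# NamedGroup code points: RFC 8446 for X25519/secp256r1, draft-ietf-tls-ecdhe-mlkem for the hybrids.
X25519, SECP256R1 = 0x001D, 0x0017
X25519MLKEM768, SECP256R1MLKEM768 = 0x11EC, 0x11EB
X25519_PK_LEN, P256_PK_LEN, MLKEM768_EK_LEN = 32, 65, 1184  # P-256 is uncompressed 0x04||X||Y

def generate_keys():
    """Constructed placeholders for three ephemeral public keys (random bytes, not real keys)."""
    return {
        "x25519": os.urandom(X25519_PK_LEN),
        "p256": b"\x04" + os.urandom(P256_PK_LEN - 1),
        "mlkem768": os.urandom(MLKEM768_EK_LEN),
    }

def key_share_entries(keys):
    """Four KeyShareEntry values from three underlying keys. Concatenation order per the
    draft: X25519MLKEM768 is ML-KEM ek || X25519 share; SecP256r1MLKEM768 is P-256 || ML-KEM ek."""
    return [
        (X25519MLKEM768, keys["mlkem768"] + keys["x25519"]),
        (SECP256R1MLKEM768, keys["p256"] + keys["mlkem768"]),
        (X25519, keys["x25519"]),
        (SECP256R1, keys["p256"]),
    ]

def encode_key_share(entries):
    """KeyShareClientHello: uint16 list length, then group(2) || len(2) || key_exchange per entry."""
    body = b"".join(struct.pack("!HH", group, len(ke)) + ke for group, ke in entries)
    return struct.pack("!H", len(body)) + body

def one_entry_per_group(entries):
    """RFC 8446 4.2.8: a client MUST NOT offer more than one KeyShareEntry for the same group."""
    groups = [group for group, _ in entries]
    return len(groups) == len(set(groups))

def underlying_key_count(entries):
    """Distinct public keys behind the offered shares, after splitting hybrids into components."""
    parts = set()
    for group, ke in entries:
        if group == X25519MLKEM768:
            parts.update((ke[:MLKEM768_EK_LEN], ke[MLKEM768_EK_LEN:]))
        elif group == SECP256R1MLKEM768:
            parts.update((ke[:P256_PK_LEN], ke[P256_PK_LEN:]))
        else:
            parts.add(ke)
    return len(parts)
```

Sharing a key across entries in one ClientHello is distinct from the cross-connection reuse the quoted text addresses; whichever single group the server selects, that key is used once.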