On Thu, Mar 19, 2026 at 12:45:43AM +1100, Viktor Dukhovni wrote:
> On Wed, Mar 18, 2026 at 05:59:21PM +1100, Martin Thomson wrote:
> > As others have noted, many different analyses of the protocol have
> > assumed fresh shares, so the security guarantees rely on having fresh
> > shares. So not completely pointless, unless you don't feel like
> > security analysis is useful.
>
> Security analysis provides useful guidance, and is especially valuable
> when it helps to identify subtle issues that might otherwise be missed.
>
> [...]
>
> For example, ML-KEM (hybrid or standalone) should be robust enough to
> allow short-term reuse of a client's ephemeral ML-KEM keyshare.
Ditto X curves.

> Sufficient additional entropy will be contributed by the server and client
> random values as well as the server's ML-KEM ciphertext.
>
> I am not unduly concerned by a potential lack of a formal proof that
> such reuse provides the same security guarantees as single-use.

Me either.

> And in any case, since the proposed language has "no teeth", I don't
> expect it to matter.

Eh, it _will_ have teeth. While the _IETF_ has no protocol police, and
while live detection is not realistically feasible or likely, there are
_auditors_ who can (and do) behave like a protocol police.

I believe 'SHOULD' captures the point: do the right thing unless you have
a really good reason not to. I'm not opposed to making it a MUST though;
I'm just not raring to make that change.

> In case someone is worried, there are no plans to add ephemeral key
> reuse in OpenSSL, and I am not advocating for that to change. I just
> don't see tangible value in the proposed change, it feels to me like
> security theatre.

+1

Nico

--
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
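The detection point raised in the thread (reuse of a client's ephemeral keyshare is hard to spot live but is something an auditor can check after the fact) is illustrated below by an added example that is not code from the thread, from the draft, or from OpenSSL. It parses the ClientHello key_share extension body and reports any client share that appears in more than one recorded handshake; the handshake ids and share bytes are constructed, and the 0x11EC code point for X25519MLKEM768 is an assumption.

```python
import hashlib
import struct
from collections import defaultdict

# NamedGroup code points (RFC 8446); 0x11EC for X25519MLKEM768 is assumed
# from the draft-ietf-tls-ecdhe-mlkem registration.
GROUP_NAMES = {0x001D: "x25519", 0x0017: "secp256r1", 0x11EC: "X25519MLKEM768"}

def parse_client_key_share(body: bytes) -> list[tuple[int, bytes]]:
    """Parse a ClientHello key_share body (RFC 8446 4.2.8): a 2-byte length,
    then KeyShareEntry records of group (2 bytes) + opaque key_exchange<1..2^16-1>."""
    if len(body) < 2 or struct.unpack("!H", body[:2])[0] != len(body) - 2:
        raise ValueError("client_shares length does not match body")
    shares, pos = [], 2
    while pos < len(body):
        if len(body) - pos < 4:
            raise ValueError("truncated KeyShareEntry")
        group, klen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if klen == 0 or pos + klen > len(body):
            raise ValueError("bad key_exchange length")
        shares.append((group, body[pos:pos + klen]))
        pos += klen
    return shares

def find_reused_shares(handshakes: list[tuple[str, bytes]]) -> dict[str, list[str]]:
    """Map each (group, key_exchange) carried by more than one handshake to the
    handshake ids; only a digest of the share is retained for the audit record."""
    seen = defaultdict(list)
    for conn_id, body in handshakes:
        for group, kex in parse_client_key_share(body):
            name = GROUP_NAMES.get(group, hex(group))
            seen[f"{name}:{hashlib.sha256(kex).hexdigest()[:16]}"].append(conn_id)
    return {label: ids for label, ids in seen.items() if len(ids) > 1}

def build_key_share(shares: list[tuple[int, bytes]]) -> bytes:
    """Encode a client key_share body; used only to construct the samples."""
    entries = b"".join(struct.pack("!HH", g, len(k)) + k for g, k in shares)
    return struct.pack("!H", len(entries)) + entries

# Constructed samples (deterministic filler, not real keys): one 1216-byte
# X25519MLKEM768 share (1184 ML-KEM-768 + 32 X25519) and two X25519 shares.
HYBRID_A = hashlib.sha256(b"hybrid-share-A").digest() * 38
X25519_1 = hashlib.sha256(b"x25519-share-1").digest()
X25519_2 = hashlib.sha256(b"x25519-share-2").digest()
SAMPLE_HANDSHAKES = [  # the hybrid share repeats in conn-2, X25519_2 in conn-3
    ("conn-1", build_key_share([(0x11EC, HYBRID_A), (0x001D, X25519_1)])),
    ("conn-2", build_key_share([(0x11EC, HYBRID_A), (0x001D, X25519_2)])),
    ("conn-3", build_key_share([(0x001D, X25519_2)])),
]
```

Running `find_reused_shares(SAMPLE_HANDSHAKES)` returns two entries, one for the hybrid share seen in conn-1 and conn-2 and one for the X25519 share seen in conn-2 and conn-3, which is the kind of after-the-fact evidence an auditor could produce from captured ClientHellos.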
