On 5/29/26, 6:39 AM, "Muhammad Usama Sardar" <[email protected]> wrote:
* I believe I have collected sufficient attestations from the WG that a new proof is required for draft-ietf-tls-mlkem.

Can you explain why the symmetric argument in your draft does not hold for hybrid key exchange?

I disagree and agree with John Mattsson about discussion, notably:

* - This concerns KEMs in general and is independent of draft-ietf-tls-mlkem, ML-KEM, and PQ.
* A proof in the symbolic model would be valuable, but not required, as there are already other proofs supporting the security of KEM use in TLS 1.3.
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
