Usama, I remain puzzled why you believe that the apparent symmetry of DH plays such a significant factor in the symbolic analysis. TLS 1.3 is not symmetric in terms of roles - the client always goes first and will reject an unsolicited key exchange value from the server.
As I think has been pointed out before in this thread, the "commutativity" property is really expressing correctness of the key exchange - when both keys are validly generated, both parties will derive the same shared secret. It does not imply that the parties are interchangeable in the protocol. Peter From: Muhammad Usama Sardar <[email protected]> Sent: 02 June 2026 19:16 To: [email protected] Subject: [TLS] Re: Fwd: New Version Notification for draft-usama-tls-risks-of-mlkem-01.txt Hi, [...] The arguments about "some level of symmetry" are unsound. You are right. That was admittedly very informal and with sincere apologies, I revoke the quoted attestation, and have tried to make it more precise. What I meant was DHKE part remains symmetric as before -- at least from symbolic analysis perspective, which is what I am currently interested in. [...] Best regards, -Usama [0] https://muhammad-usama-sardar.github.io/risks-of-mlkem/draft-usama-tls-risks-of-mlkem.html#name-fatt-review-for-hybrid-key- [1] https://muhammad-usama-sardar.github.io/risks-of-mlkem/draft-usama-tls-risks-of-mlkem.html#name-what-if-issue-is-found [2] https://muhammad-usama-sardar.github.io/risks-of-mlkem/draft-usama-tls-risks-of-mlkem.html#name-minimum-viable-modeling [3] https://muhammad-usama-sardar.github.io/risks-of-mlkem/draft-usama-tls-risks-of-mlkem.html#name-fatt-review-is-harmless [4] https://muhammad-usama-sardar.github.io/risks-of-mlkem/draft-usama-tls-risks-of-mlkem.html#name-patents
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
