On Thu, Jun 04, 2026 at 06:36:21AM -0600, Nathanael Ritz wrote: > > Of course, symbolic models cannot reason over implementation challenges and > so the next question may be fall more to pure speculation. I am curious if > you might anticipate potential implementation errors moving from classical > DHE or pure PQ-KEM towards a hybrid that risks compromising both methods > due to complexity?
Any kind of Undefined Behavior in implementation would compromise both. The TLS hybrid combiner itself is extremely simple, and can be basically implemented via reading/writing correct places in array. And as for non-UB flaws in component implementations, not reusing keys makes exploiting such flaws much harder. -Ilari _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
