On Thu, Jun 04, 2026 at 05:25:01PM +0200, Bas Westerbaan wrote:
> Thanks for doing this, Nadim!
>
> Would you agree that this can be summarized as: our existing informal
> understanding is now formalized.
I would agree. This is another proof that stand-alone ML-KEM and various ECC + ML-KEM hybrids are correctly integrated into TLS 1.3.

However, I think some of the informal claims are stronger than what this paper proves. This does not matter for ML-KEM or ECC hybrids thereof — but could matter for another KEM.

-Ilari
