On Thu, Jun 25, 2026, at 22:51, Bas Westerbaan wrote:
>> The question in https://github.com/tlswg/draft-ietf-tls-mlkem/pull/24 and 
>> https://github.com/tlswg/draft-ietf-tls-mlkem/pull/25 is perhaps worth 
>> discussing.
>
> I think neither are necessary.
>
> The expanded decapsulation key caches the hash of the encapsulation 
> key. The decapsulation key check is whether that hash is correct. FIPS 
> 203 only requires that check if the key is from an untrusted source. In 
> the case of TLS, you generate the key yourself earlier, so you know the 
> hash is correct.

I'm clearly having a moment, because I'm not following you.  At all.  The 
values being checked here are the untrustworthy ones.

The concern I have is what alert code is used for:

1. length is wrong
2. validation failed
3. Encaps/Decaps failed

The draft draws a line between 1&2 in one case and between 2&3 for another 
case.  #24 proposes a cut between 2&3; #25 proposes a cut between 1&2.

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to