Bas Westerbaan wrote: > Would you mind explaining how an attacker would use a timing side- > channel attack against ephemeral use of ML-KEM in TLS?
This point cannot be emphasised enough. Client-side ephemeral key generation already mitigates many potential ML-KEM implementation vulnerabilities. Take the faulty re-encryption check in CVE-2026-6330 as an example. Exploiting this would require the client to initiate hundreds of TLS connections with an attacker-controlled server using the same key pair, where a significant proportion of those connections fail giving a decrypt_error. It doesn’t seem plausible to me that this could happen without being noticed and immediately fixed. Peter ---- If you are going to quote me on social media or in blogs, I ask that you do not elide important context. Failure to do so will result in a gentle head shake and sigh. Thanks in advance!
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
