Bas Westerbaan wrote:
> Would you mind explaining how an attacker would use a timing side-
> channel attack against ephemeral use of ML-KEM in TLS?

This point cannot be emphasised enough. Client-side ephemeral key
generation already mitigates many potential ML-KEM implementation
vulnerabilities.

Take the faulty re-encryption check in CVE-2026-6330 as an example.
Exploiting this would require the client to initiate hundreds of
TLS connections with an attacker-controlled server using the same
key pair, where a significant proportion of those connections fail
giving a decrypt_error. It doesn’t seem plausible to me that this
could happen without being noticed and immediately fixed.

Peter

----

If you are going to quote me on social media or in blogs, I ask
that you do not elide important context. Failure to do so will
result in a gentle head shake and sigh. Thanks in advance!







_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to