On Tue, Jul 07, 2026 at 05:55:45PM +0100, Mark Tehrani wrote:

> We did mention this rationale in the paper. However, it demonstrates that
> an attacker can use *m* and *pk* to *derive sk*.

In TLS, with "sk" ephemeral, if you known "m", you're done.  You don't
need "sk", its only purpose is a one-time key agreement yielding the
same "m" on both sides.

-- 
    Viktor.  🇺🇦 Слава Україні!

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to