On Wed, Jul 08, 2026 at 11:22:54PM +0300, Markku-Juhani O. Saarinen wrote:
> On Wed, Jul 8, 2026 at 11:08 PM Tanja Lange <[email protected]> wrote:
> 
>     Dear Nick,
>     In ECDH when you get aG from the server and compute the shared b(aG) you
>     don't
>     learn anything about a.
> 
>     In ML-KEM the server encapsulates to your ephemeral public key starting
>     from
>     some seed m. Decapsulating recovers the seed (and needs to, due to FO).
> 
>     In the scenario that the RNG is predictable there is no difference and an
>     outside attacker gets the shared key in either scenario. Hashing the RNG
>     output
>     before using it is at best a band aid.
> 
>     In the Dual-EC scenario there is a big difference because ML-KEM gives you
>     raw
>     RNG output from the server any time you open a connection to it.
> 
> 
> Hi Tanja,
> 
> You know, this is a TLS draft. In a TLS 1.3 handshake the server responds to a
> ClientHello with a ServerHello.random which is 32 random bytes from the
> Server's RNG. ( Unless HelloRetryRequest is issued. )
> 
> Cheers,
> -markku
> 
Dear Markku,
Thank you. I'm aware of the context. 

In our Dual-EC paper (earlier TLS versions) we got the raw Dual-EC output from
"session ID" and "server random", see
        https://projectbullrun.org/dual-ec/index.html
for more details than you're asking for.

Protecting against such issues is why there is RFC 8937. 
        https://www.rfc-editor.org/rfc/rfc8937.html

If you implement your TLS 1.3 server with the best precautions you don't drop
raw randomness at the protocol level.  

All the best
        Tanja

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to