[TLS] Re: FW: I-D Action: draft-kwiatkowski-tls-ecdhe-mlkem-03.txt

On Mon, Mar 10, 2025 at 10:54:16AM +, Peter C wrote: > In ML-KEM, Bob derives b deterministically from m and H(ek). > If Bob tried to reuse b with a different public key, then the > re-encryption check would fail during decapsulation. Thanks for filling in my "momentary" lapse. Indeed the s

[TLS] Re: FW: I-D Action: draft-kwiatkowski-tls-ecdhe-mlkem-03.txt

Dang, Quynh wrote: >My guess is that that would be an expensive operation because of many reasons. Yes, and to make sure that the first two keys were not just before and just after a rekeying, you would need to look at three keys… While any timing side channels in X25519MLKEM768 are hopefully mi

[TLS] RFC 8773bis status

draft-ietf-tls-8773bis has been in the “Held By WG” state since the Update to Standards Track / Working Group Last Call ended on 01 January 2024, see [0]. On 23 August 2024, we issued a consensus call to determine whether to require formal analysis in the symbolic model; see [1]. Between then and n

[TLS] Re: FW: I-D Action: draft-kwiatkowski-tls-ecdhe-mlkem-03.txt

The server can detect a reused encapsulation key if it saves the keys which have been received and check the newly received key against the list of its saved keys. The server could just save the hashes of the keys or a "small" portion of the keys as the key IDs. My guess is that that would be a

[TLS] Exporter compatibility pitfall between (D)TLS 1.2 and 1.3

Hi all, I recently spent some time debugging an interop issue between WebRTC + DTLS 1.3 in Chrome and WebRTC + DTLS 1.3 in Firefox. The cause of the issue was a minor but interesting incompatibility between (D)TLS 1.2 and (D)TLS 1.3 that doesn't seem to have been flagged in RFC 8446 anywhere. Noth

[TLS] Re: Exporter compatibility pitfall between (D)TLS 1.2 and 1.3

Hi David, I remember that the same problem was discussed when standardizing EAP-TLS 1.3. The following text is in RFC 9190: “Note that the key derivation MUST use the length values given above. While in TLS 1.2 and earlier it was possible to truncate the output by requesting less data fr

[TLS] Re: FW: I-D Action: draft-kwiatkowski-tls-ecdhe-mlkem-03.txt

In ML-KEM, Bob derives b deterministically from m and H(ek). If Bob tried to reuse b with a different public key, then the re-encryption check would fail during decapsulation. Peter > -Original Message- > From: Viktor Dukhovni > Sent: 10 March 2025 00:47 > To: tls@ietf.org > Subject: [T