I've been working on support for the ML-KEM hybrid key exchanges in
tlsfuzzer[1,2], and I've noticed that the error handling is underspecified:
both key shares (client and server) and both constituent parts (pqc and classic)
can have key shares that are invalid.

Also, the ECDH key exchange can end up with an all-zero shared secret.

I think we should explicitly document that those errors can happen, and
that they need to be handled by sending an illegal_parameter Alert.

I've proposed a PR that documents that here:
https://github.com/post-quantum-cryptography/draft-kwiatkowski-tls-ecdhe-mlkem/pull/23

1 - https://github.com/tlsfuzzer/tlslite-ng/pull/530
2 - https://github.com/tlsfuzzer/tlsfuzzer/pull/963
--
Regards,
Alicja (nee Hubert) Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic

_______________________________________________
TLS mailing list -- tls@ietf.org
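The checks the mail asks to be documented, as an added example that is not tlsfuzzer's or the draft's own code: it assumes the X25519MLKEM768 share layout from the draft (ML-KEM-768 part first, then the 32-byte X25519 share) and the FIPS 203 length and modulus checks, and returns the reason an illegal_parameter alert should be sent, or None when the value is acceptable.

```python
# Receiver-side validation of X25519MLKEM768 key shares and of the X25519
# shared secret. Constructed example; not code from tlsfuzzer or the draft.
MLKEM768_EK_LEN = 1184    # FIPS 203: 384*k + 32 bytes, k = 3
MLKEM768_CT_LEN = 1088    # FIPS 203: 32*(d_u*k + d_v), d_u = 10, d_v = 4
X25519_LEN = 32
Q = 3329                  # ML-KEM modulus q


def _decode12(data):
    """FIPS 203 ByteDecode_12: two 12-bit little-endian coefficients per 3 bytes."""
    coeffs = []
    for i in range(0, len(data), 3):
        b0, b1, b2 = data[i], data[i + 1], data[i + 2]
        coeffs.append(b0 | ((b1 & 0x0F) << 8))
        coeffs.append((b1 >> 4) | (b2 << 4))
    return coeffs


def encaps_key_error(ek):
    """Check the ML-KEM-768 encapsulation key carried in a client key share."""
    if len(ek) != MLKEM768_EK_LEN:
        return "ML-KEM-768 encapsulation key has wrong length"
    # Modulus check: t_hat (first 384*k bytes) must decode to coefficients < q.
    # The trailing 32 bytes are the seed rho and carry no such constraint.
    if any(c >= Q for c in _decode12(ek[:MLKEM768_EK_LEN - 32])):
        return "ML-KEM-768 encapsulation key fails modulus check"
    return None


def client_share_error(share):
    """X25519MLKEM768 client share: ML-KEM encapsulation key || X25519 public key."""
    if len(share) != MLKEM768_EK_LEN + X25519_LEN:
        return "client key share has wrong length"
    return encaps_key_error(share[:MLKEM768_EK_LEN])


def server_share_error(share):
    """X25519MLKEM768 server share: ML-KEM ciphertext || X25519 public key."""
    if len(share) != MLKEM768_CT_LEN + X25519_LEN:
        return "server key share has wrong length"
    return None  # FIPS 203 requires only the length check on a ciphertext


def ecdh_shared_secret_error(secret):
    """RFC 7748 section 6.1: an all-zero X25519 output must be rejected."""
    if len(secret) != X25519_LEN:
        return "X25519 shared secret has wrong length"
    if secret == bytes(X25519_LEN):
        return "X25519 shared secret is all zero"
    return None
```

Any non-None return maps to an illegal_parameter alert; the X25519 check runs on the output of the scalar multiplication, after the share itself has been accepted.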
