Open questions about ephemeral key reuse (and I don't know the answers; that's why they're open questions) - the answers to these questions may help us guide us as to whether to forbid it or not:
- To what extent do the proofs of security for TLS 1.3 depend on the non-reuse of key shares (either (EC)DH or KEM or hybrid)? I asked this question about 5 years ago (at a NIST conference, not on this list), and I believe the answer was "yes", at the time, but the proofs may have advanced (or I might have misunderstood the answer). - To what extent was we concerned about ultralow power devices (battery powered)? After all, reusing previous keys would use less power than creating new ones - not a huge amount of power (both ML-KEM and ECDH are fairly power efficient), but I could see someone making the case. Would we take that case seriously? (One could make a similar case about performance, but given the overhead of doing a TLS exchange, that's a lesser concern, at least IMHO). > -----Original Message----- > From: Stephen Farrell <stephen.farr...@cs.tcd.ie> > Sent: Friday, December 13, 2024 7:20 AM > To: tls@ietf.org > Subject: [TLS] Re: Disallowing reuse of ephemeral keys > > > Hiya, > > On 12/12/2024 17:59, Richard Barnes wrote: > > My preference order would be 3 > 1 >> 2. > > I agree with the above for reasons already stated on the list. > > Cheers, > S. _______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
