Viktor Dukhovni writes: > However, you'll be thrilled to learn that it is not possible for a TLS > server to reuse its ML-KEM keyshare when a client uses a fresh ephemeral > ML-KEM keyshare.
"Not possible"? In ECDH, or more precisely ElGamal encrypton: Alice sends A = aG; Bob sends B = bG and C = bA+M; Alice recovers M as C-aB. In Kyber, Alice sends G and A = aG+e; Bob sends B = Gb+d and C = Ab+M+c; Alice recovers M by rounding C-aB. Bob can save time by reusing b. The speedup isn't as big as in the ECDH context if Alice chooses fresh G and A, but there's still _some_ savings, notably the time to prepare b for multiplication. I'm not saying that this is safe. I'm saying that it's what will happen if Bob is looking for the best speed that interoperates. It can also happen by accident, of course. ---D. J. Bernstein _______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
