On Mon, Mar 10, 2025 at 10:54:16AM +0000, Peter C wrote:

> In ML-KEM, Bob derives b deterministically from m and H(ek).
> If Bob tried to reuse b with a different public key, then the
> re-encryption check would fail during decapsulation.

Thanks for filling in my "momentary" lapse.  Indeed the server is not free to choose a fixed "b" (ŷ).  So server-side reuse is not possible as originally claimed.

-- 
Viktor.
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
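
The re-encryption check discussed in this thread, as an added example that is not part of the original messages and is not ML-KEM code. It assumes a toy ElGamal-style PKE over a small prime field in place of ML-KEM's lattice-based K-PKE; all function names and parameters are hypothetical, and only the structure (b derived from m and H(ek), then re-encrypt and compare during decapsulation) mirrors what is described above.

```python
import hashlib, secrets

# Toy parameters (assumption, NOT secure): a Mersenne prime field with an
# ElGamal-style PKE stands in for ML-KEM's lattice-based K-PKE.
P = 2**127 - 1
G = 3

def H(data: bytes) -> bytes:
    return hashlib.sha3_256(data).digest()

def enc(n: int) -> bytes:
    return n.to_bytes(16, "big")

def keygen():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)              # (decapsulation key, ek)

def derive(m: bytes, ek: int):
    """(K, b) = G(m || H(ek)): shared key and ephemeral secret, both deterministic."""
    out = hashlib.sha3_512(m + H(enc(ek))).digest()
    return out[:32], int.from_bytes(out[32:], "big") % (P - 2) + 1

def pke_encrypt(ek: int, m: bytes, b: int):
    mask = H(enc(pow(ek, b, P)))
    return pow(G, b, P), bytes(x ^ y for x, y in zip(m, mask))

def pke_decrypt(sk: int, c):
    c1, c2 = c
    mask = H(enc(pow(c1, sk, P)))
    return bytes(x ^ y for x, y in zip(c2, mask))

def encaps(ek: int):
    m = secrets.token_bytes(32)
    K, b = derive(m, ek)                # sender has no free choice of b
    return K, pke_encrypt(ek, m, b)

def decaps(sk: int, ek: int, c):
    m = pke_decrypt(sk, c)
    K, b = derive(m, ek)                # recompute b from m and H(ek)
    # Re-encryption check. This toy returns None on mismatch; ML-KEM
    # instead returns a pseudorandom key (implicit rejection).
    return K if pke_encrypt(ek, m, b) == c else None

def reuse_b_across_keys(m: bytes, ek1: int, ek2: int):
    """Sender derives b for ek1 but encrypts to ek2 with that same b."""
    _, b = derive(m, ek1)
    return pke_encrypt(ek2, m, b)
```

The ciphertext from `reuse_b_across_keys` still decrypts to m under the second key, but `decaps` rejects it because the b recomputed from m and H(ek2) differs from the reused one.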