Viktor Dukhovni writes:
> I'd expect such designs to be quite unlikely

That's different from "not possible". :-)

I agree with your API comments: one can't build this by simply calling the FIPS 203 standard keygen-enc-dec functions for ML-KEM. However, if that were the end of the story then we wouldn't see things like https://csrc.nist.gov/csrc/media/Presentations/2024/how-multi-recipient-kems-help-deploy-pqc/images-media/prest-how-multi-recipient-kems-pqc2024.pdf or some people saying that they're storing ML-KEM private keys as seeds. It also wouldn't be surprising to see reuse of what I labeled as G (even when A is changing), which in turn would increase the speed incentives to reuse b.

Again, I'm not saying any of this is safe.

---D. J. Bernstein

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org