Peter C writes:
> In ML-KEM, Bob derives b deterministically from m and H(ek).
> If Bob tried to reuse b with a different public key, then the
> re-encryption check would fail during decapsulation.

That check doesn't affect processing of valid ciphertexts, so it often won't be tested, so some implementations will get it wrong (even if they aren't actively suppressing code that doesn't seem necessary), exactly the same way that we keep finding code that fails to check signatures.

Again, I'm not saying any of this is safe. I'm just pointing out some of the possibilities that can be triggered by (1) implementors pursuing speed and (2) code having bugs.

---D. J. Bernstein

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
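The point made above, that the re-encryption check does nothing on valid ciphertexts and so is easy to leave untested, can be made concrete in a toy model. The following is an added example, not code from this thread or from any ML-KEM implementation: it substitutes a constructed ElGamal-style PKE over integers modulo a Mersenne prime for ML-KEM's lattice PKE, derives the encryption coin FO-style from m and H(ek), and compares a decapsulation that performs the re-encryption check (with implicit rejection on mismatch) against one that skips it. The reuse scenario from Peter C's quoted text is `coins_reused_ciphertext`, which encrypts to one public key with the coin derived for another. All function names, the group parameters and the hash domain strings are assumptions of this example.

```python
import hashlib
import os

# Toy group for an ElGamal-style PKE (constructed for illustration only;
# ML-KEM's underlying PKE is lattice-based, but the FO-style
# re-encryption check has the same structure).
P = (1 << 127) - 1          # Mersenne prime modulus
G = 3                       # base element
MSG_LEN = 32                # message m is 32 bytes, as in ML-KEM


def H(*parts: bytes) -> bytes:
    """Domain-separated SHA3-256 over length-prefixed parts."""
    h = hashlib.sha3_256()
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


def i2b(x: int) -> bytes:
    return x.to_bytes(16, "big")


def keygen() -> dict:
    s = int.from_bytes(os.urandom(16), "big") % (P - 1)        # secret exponent
    return {"s": s, "ek": pow(G, s, P), "z": os.urandom(32)}   # z: implicit-rejection secret


def pke_encrypt(ek: int, m: bytes, r: int) -> tuple:
    """Deterministic PKE given coin r: c1 = G^r, c2 = m XOR H(ek^r)."""
    c1 = pow(G, r, P)
    pad = H(b"pad", i2b(pow(ek, r, P)))
    return c1, bytes(a ^ b for a, b in zip(m, pad))


def pke_decrypt(s: int, c: tuple) -> bytes:
    c1, c2 = c
    pad = H(b"pad", i2b(pow(c1, s, P)))
    return bytes(a ^ b for a, b in zip(c2, pad))


def encode(c: tuple) -> bytes:
    return i2b(c[0]) + c[1]


def derive_coin(m: bytes, ek: int) -> int:
    """FO-style: the coin is a deterministic function of m and H(ek)."""
    return int.from_bytes(H(b"coin", m, H(b"ek", i2b(ek))), "big") % (P - 1)


def encaps(ek: int, m: bytes = None) -> tuple:
    m = os.urandom(MSG_LEN) if m is None else m
    c = pke_encrypt(ek, m, derive_coin(m, ek))
    return H(b"key", m, encode(c)), c


def decaps_checked(dk: dict, c: tuple) -> bytes:
    """Decapsulation WITH the re-encryption check; implicit rejection on mismatch."""
    m2 = pke_decrypt(dk["s"], c)
    if pke_encrypt(dk["ek"], m2, derive_coin(m2, dk["ek"])) != c:
        return H(b"reject", dk["z"], encode(c))
    return H(b"key", m2, encode(c))


def decaps_unchecked(dk: dict, c: tuple) -> bytes:
    """Buggy or 'optimised' decapsulation that skips the check."""
    return H(b"key", pke_decrypt(dk["s"], c), encode(c))


def coins_reused_ciphertext(ek_src: int, ek_dst: int, m: bytes) -> tuple:
    """Ciphertext to ek_dst built with the coin derived for ek_src (the reuse
    case from the quoted text): it decrypts to m under dk_dst, but
    re-encryption under ek_dst does not reproduce it."""
    return pke_encrypt(ek_dst, m, derive_coin(m, ek_src))


def demo() -> dict:
    dk_a, dk_b = keygen(), keygen()
    k, c = encaps(dk_a["ek"])
    m = os.urandom(MSG_LEN)
    c_bad = coins_reused_ciphertext(dk_a["ek"], dk_b["ek"], m)
    return {
        # Valid ciphertexts: both variants agree, so a suite built only from
        # honest encaps/decaps pairs never exercises the check.
        "valid_agree": decaps_checked(dk_a, c) == k == decaps_unchecked(dk_a, c),
        # Mismatched ciphertext: decrypts cleanly, but the variants diverge.
        "decrypts_to_m": pke_decrypt(dk_b["s"], c_bad) == m,
        "checked_rejects": decaps_checked(dk_b, c_bad) != decaps_unchecked(dk_b, c_bad),
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for a test suite is visible in `demo()`: every honest vector passes both variants, so negative vectors (ciphertexts that decrypt cleanly but fail re-encryption) are needed to distinguish an implementation that performs the check and returns the implicit-rejection key from one that silently omits it.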