Hi all,

On the subject of “have KEMs instead of ECDH for TLS 1.3 been analyzed”, the answer is, very simply: yes. The first few steps of my proof for KEMTLS prove exactly this [0], and you can directly copy-paste these into the computational analysis of TLS 1.3 by Dowling et al. [1].

[0] https://thomwiggers.nl/p/thesis/
[1] https://eprint.iacr.org/2020/1044

Regards,
Thom

> On 20 Feb 2026, at 13:26, Muhammad Usama Sardar <[email protected]> wrote:
>
> From a formal perspective, my concern is about replacing (EC)DHE by shared_secret [0]. That is a key schedule modification and as per FATT [1]:
>
> For example a proposal that modifies the TLS key schedule or the authentication process or any other part of the cryptographic protocol that has been formally modeled and analyzed in the past would likely result in asking the FATT, whereas a change such as modifying the SSLKEYLOG format would not.
>
> So this draft "modifies the TLS key schedule" and this part has been "formally modeled and analyzed in the past", such as you analyzed in your work. Hence, I believe this should need expert review of FATT. What do you think? Am I missing something?

_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
