Hi all,

I provided the reference that I had most readily at hand, but indeed: there are a number of works starting with Huguenin-Dumittan that are a much better and tighter analysis of exactly the properties we require of TLS 1.3’s key exchange.

Anyway, by all of the above: KEM in TLS is very well understood by now.

Cheers,
Thom

> On 21 Feb 2026 at 19:42, Peter C <[email protected]> wrote:
>
> As already pointed out by Thom, the proof by Dowling et al. applies
> essentially unchanged with an IND-1CCA KEM since this is equivalent
> to the snPRF-ODF assumption for ECDH. If you don't trust Thom's
> thesis, then look at section 5 of:
>
> - L. Huguenin-Dumittan, S. Vaudenay, "On IND-qCCA Security in
> the ROM and Its Applications: CPA Security Is Sufficient for TLS 1.3",
> EUROCRYPT 2022, DOI 10.1007/978-3-031-07082-2_22.
