On Sun, Mar 01, 2026 at 04:38:55PM -0500, Deirdre Connolly wrote:
> > if you used the same encapsulation randomness to encapsulate to two
> > different public keys (from the same parameter set), then it is fairly easy
> > to recover both shared secrets (assuming access to both ciphertexts and
> > public keys). Hence, the MUST NOT reuse encapsulation randomness statement
> > is there for an extremely good reason.
>
> Can you explain how this works for ML-KEM? Or have a reference?
And even if an independent observer could not recover both shared
secrets, each of the decapsulating parties learns the same `m` and can
therefore obtain the other party's shared secret, also not desirable.
Consequently, reuse of `m` is bad (only for CI and CMVP testing).
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
TLS mailing list -- [email protected]
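The point Viktor makes in the reply above (each decapsulator learns `m`, and `m` plus the other party's public key is all it takes to derive the other party's shared secret) can be shown with a small runnable model. This is an added example, not code from the thread or from any ML-KEM implementation: only the KEM-level wrapping follows the shape of FIPS 203, namely `(K, r) = G(m || H(ek))`, deterministic re-encryption in decapsulation and implicit rejection via `J(z || c)`; the encryption scheme underneath is a deliberately tiny plain-LWE toy standing in for K-PKE, the parameters are assumptions chosen only for correctness, and nothing here is secure. It does not attempt the observer-side recovery the earlier poster alludes to, which the thread does not spell out.

```python
import hashlib
import os

# Toy parameters (assumptions). Q matches ML-KEM's modulus; nothing else is ML-KEM-sized.
Q = 3329          # modulus
N = 16            # LWE secret dimension (toy; far too small to be secure)
M = 8             # number of LWE samples in the public key
SEED_BYTES = 32   # length of the encapsulated seed m, as in ML-KEM


def H(b): return hashlib.sha3_256(b).digest()                       # FIPS 203: H = SHA3-256
def G(b): d = hashlib.sha3_512(b).digest(); return d[:32], d[32:]   # FIPS 203: G = SHA3-512 -> (K, r)
def J(b): return hashlib.shake_256(b).digest(32)                     # FIPS 203: J = SHAKE256


def ternary(seed, n):
    """Deterministic vector of n values in {-1, 0, 1} expanded from seed (toy sampler)."""
    return [b % 3 - 1 for b in hashlib.shake_256(seed).digest(n)]


def expand_A(rho):
    """Public M x N matrix over Z_Q derived from the 32-byte seed rho (toy, biased sampling)."""
    buf = hashlib.shake_256(rho).digest(2 * M * N)
    vals = [int.from_bytes(buf[i:i + 2], "little") % Q for i in range(0, len(buf), 2)]
    return [vals[i * N:(i + 1) * N] for i in range(M)]


def keygen(seed):
    """Toy LWE key pair; dk mirrors ML-KEM's (dk_pke, ek, H(ek), z) layout."""
    rho, sigma = G(seed)
    A = expand_A(rho)
    s = ternary(sigma + b"s", N)
    e = ternary(sigma + b"e", M)
    b = [(sum(a * x for a, x in zip(row, s)) + ei) % Q for row, ei in zip(A, e)]
    ek = rho + b"".join(v.to_bytes(2, "little") for v in b)   # serialized public key
    z = H(seed + b"z")                                         # implicit-rejection secret
    return ek, (s, ek, H(ek), z)


def parse_ek(ek):
    rho, bb = ek[:32], ek[32:]
    return expand_A(rho), [int.from_bytes(bb[i:i + 2], "little") for i in range(0, len(bb), 2)]


def pke_encrypt(ek, m, r):
    """Deterministic bit-by-bit LWE encryption of seed m, all randomness expanded from r."""
    A, b = parse_ek(ek)
    bits = [(byte >> k) & 1 for byte in m for k in range(8)]
    rows = []
    for i, bit in enumerate(bits):
        rv = ternary(r + i.to_bytes(2, "little"), M)
        u = [sum(rv[j] * A[j][k] for j in range(M)) % Q for k in range(N)]
        v = (sum(rv[j] * b[j] for j in range(M)) + bit * (Q // 2)) % Q
        rows.append(u + [v])
    return b"".join(x.to_bytes(2, "little") for row in rows for x in row)


def pke_decrypt(s, c):
    """v - <u, s> = bit*Q/2 + <r, e> with |<r, e>| <= M < Q/4, so rounding recovers the bit."""
    width = 2 * (N + 1)
    bits = []
    for off in range(0, len(c), width):
        row = [int.from_bytes(c[i:i + 2], "little") for i in range(off, off + width, 2)]
        u, v = row[:N], row[N]
        w = (v - sum(ui * si for ui, si in zip(u, s))) % Q
        bits.append(1 if Q // 4 < w < 3 * Q // 4 else 0)
    return bytes(sum(bits[i + k] << k for k in range(8)) for i in range(0, len(bits), 8))


def encaps(ek, m=None):
    """FIPS 203 Algorithm 17 shape: (K, r) = G(m || H(ek)); c = Encrypt(ek, m, r)."""
    m = os.urandom(SEED_BYTES) if m is None else m
    K, r = G(m + H(ek))
    return K, pke_encrypt(ek, m, r)


def decaps(dk, c):
    """FIPS 203 Algorithm 18 shape: recover m', re-derive (K', r'), re-encrypt, implicit reject."""
    s, ek, h, z = dk
    m2 = pke_decrypt(s, c)
    K2, r2 = G(m2 + h)
    return K2 if pke_encrypt(ek, m2, r2) == c else J(z + c)


def reuse_demo(reuse_m):
    """A client encapsulates to Alice and Bob. Bob decapsulates his own ciphertext, learns m,
    and tries to derive Alice's shared secret using nothing but m and Alice's public key."""
    ek_a, dk_a = keygen(b"A" * 32)     # constructed key seeds, fixed for reproducibility
    ek_b, dk_b = keygen(b"B" * 32)
    m_a = os.urandom(SEED_BYTES)
    m_b = m_a if reuse_m else os.urandom(SEED_BYTES)   # the MUST NOT: same m for two keys
    K_a, c_a = encaps(ek_a, m_a)
    K_b, c_b = encaps(ek_b, m_b)
    m_seen_by_bob = pke_decrypt(dk_b[0], c_b)          # every decapsulator recovers its m
    K_a_guess, _ = G(m_seen_by_bob + H(ek_a))          # needs only m and ek_a, no secret of Alice's
    return {
        "kem_correct": decaps(dk_a, c_a) == K_a and decaps(dk_b, c_b) == K_b,
        "bob_recovers_alice_K": K_a_guess == K_a,
    }


if __name__ == "__main__":
    print("reused m:", reuse_demo(True))    # Bob derives Alice's K
    print("fresh m: ", reuse_demo(False))   # Bob's guess fails
```

With `reuse_m=True` Bob's derivation of `K_a` succeeds because the shared secret is a function of `m` and `H(ek)` only; with a fresh `m` per encapsulation it fails. Nothing about the toy PKE matters for this outcome, which is why the property carries over to the real scheme.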