Correction: it turns out that reusing randomness during encapsulation isn't quite as broken as I first thought.
Now, the two clients that you encrypted to can both learn each other's shared secret (and so the MUST NOT statement is perfectly appropriate); however, a third party cannot.

On 01.03.26 18:18, Scott Fluhrer (sfluhrer) wrote:
> Oh, and I just noticed (and perhaps this is common knowledge): if you used the same encapsulation randomness to encapsulate to two different public keys (from the same parameter set), then it is fairly easy to recover both shared secrets (assuming access to both ciphertexts and public keys). Hence, the MUST NOT reuse encapsulation randomness statement is there for an extremely good reason.
TLS mailing list -- [email protected]
