> On a more technical level, the primary use of a KEM in TLS is to derive a
> secret key, and as long as the PQ-KEM spits out anything at all during normal
> program flow, whatever output this is could be treated as part of the nonce,
> as far as security goes. So the additional attack surface is basically
> nonexistent.

Correction: I meant to write "as long as the DH spits out anything" of course, since that is the "extra" part being questioned :)

-- TBB
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
