TLS1.3 hybrid implementation

[Nidhi Damodaran]

Will there be changes to how tls 1.3 hybrid implementation combine shared secrets (concatenation of both secrets) when adapted according to SP800-227 ? Should it include ciphertexts and public keys as well  in KDF?

[Bas Westerbaan]

No. The TLS working group is happy with simple concatenation. Note that the final secret used for bulk encryption does include the cipher text and public key thanks to TLS 1.3 hashing all messages into it (the transcript hash.)

On Mon, Jan 26, 2026 at 10:11 AM Nidhi Damodaran <nidhi...@gmail.com> wrote:

Will there be changes to how tls 1.3 hybrid implementation combine shared secrets (concatenation of both secrets) when adapted according to SP800-227 ? Should it include ciphertexts and public keys as well  in KDF?

--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/4bc05546-8cfe-44b4-a4bf-3a6f80109006n%40list.nist.gov.