Julien00859 / siotls

sans-io TLS 1.3 protocol stack
MIT License

Server should only pick from supported_group and not from key_share #7

Closed Julien00859 closed 8 months ago

Julien00859 commented 10 months ago

The situation is, both the client and server support (and prefer) some post-quantum groups (post-quantum later on here) that are super costly to compute. More costly than sending a ClientHello without a KeyShare and waiting for the HelloRetryRequest. At the same time, post-quantum groups are not super well deployed, so there is a high chance that the other end will not pick the post-quantum group and instead pick another, more common group such as x25519. x25519 is less costly to compute than waiting for a HelloRetryRequest.

The client sends the following:

The server has the following configuration:

The server at the moment would pick the x25519 group, but it should have picked the post-quantum group instead and sent a HelloRetryRequest advertising post-quantum.
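The two selection rules discussed above, as an added example that is not siotls' own code: the reported behaviour (choose only among groups the client sent a key_share for) beside the requested one (choose from the server's preference list intersected with the client's supported_groups, and answer with a HelloRetryRequest when no key_share exists for the chosen group). The x25519 and secp256r1 codepoints are the IANA values; `PQ_GROUP` is a constructed placeholder, not a registered group.

```python
from enum import IntEnum


class NamedGroup(IntEnum):
    """TLS supported_groups codepoints. secp256r1 and x25519 are the IANA
    values; PQ_GROUP is a constructed placeholder, not a registered group."""
    secp256r1 = 0x0017
    x25519 = 0x001D
    PQ_GROUP = 0xFE00


def select_group_key_share_only(server_prefs, client_key_shares):
    """Behaviour the issue reports: pick only among groups the client already
    sent a key_share for, so a preferred but costly group is never chosen
    unless the client pre-computed a share for it.  Returns (group, needs_hrr)."""
    for group in server_prefs:
        if group in client_key_shares:
            return group, False
    return None, False


def select_group(server_prefs, client_supported_groups, client_key_shares):
    """Selection the issue asks for: walk the server's preference list and take
    the first group the client lists in supported_groups.  If the client sent
    no key_share for it, the server must answer with a HelloRetryRequest naming
    that group (RFC 8446, section 4.2.8) rather than settle for a less
    preferred group that happens to have a share.

    Returns (group, needs_hello_retry_request); (None, False) means there is
    no common group and the handshake has to fail."""
    offered = set(client_supported_groups)
    for group in server_prefs:
        if group in offered:
            return group, group not in client_key_shares
    return None, False


# Constructed scenario from the issue: both sides prefer the costly PQ group,
# but the client only pre-computes a key_share for x25519 to save work.
SERVER_PREFS = [NamedGroup.PQ_GROUP, NamedGroup.x25519, NamedGroup.secp256r1]
CLIENT_SUPPORTED = [NamedGroup.PQ_GROUP, NamedGroup.x25519]
CLIENT_KEY_SHARES = {NamedGroup.x25519}


if __name__ == "__main__":
    # Reported: (x25519, False); requested: (PQ_GROUP, True) -> send HRR.
    print("key_share only:", select_group_key_share_only(SERVER_PREFS, CLIENT_KEY_SHARES))
    print("supported_groups:", select_group(SERVER_PREFS, CLIENT_SUPPORTED, CLIENT_KEY_SHARES))
```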

Julien00859 commented 8 months ago

solved in b11791b