Hybrid_KEM_* keypair requires at least two keys

src/lib/tls/tls13_pqc/hybrid_public_key.cpp

@@ -115,7 +115,7 @@ std::unique_ptr<Hybrid_KEM_PublicKey> Hybrid_KEM_PublicKey::load_for_group(
 }
 
 Hybrid_KEM_PublicKey::Hybrid_KEM_PublicKey(std::vector<std::unique_ptr<Public_Key>> pks) {
-   BOTAN_ARG_CHECK(!pks.empty(), "List of public keys must not be empty");
+   BOTAN_ARG_CHECK(pks.size() >= 2, "List of public keys must include at least two keys");
    BOTAN_ARG_CHECK(std::all_of(pks.begin(), pks.end(), [](const auto& pk) { return pk != nullptr; }),
                    "List of public keys contains a nullptr");
    BOTAN_ARG_CHECK(std::all_of(pks.begin(),
@@ -280,7 +280,7 @@ std::unique_ptr<Hybrid_KEM_PrivateKey> Hybrid_KEM_PrivateKey::generate_from_grou
 
 Hybrid_KEM_PrivateKey::Hybrid_KEM_PrivateKey(std::vector<std::unique_ptr<Private_Key>> sks) :
       Hybrid_KEM_PublicKey(extract_public_keys(sks)) {
-   BOTAN_ARG_CHECK(!sks.empty(), "List of private keys must not be empty");
+   BOTAN_ARG_CHECK(sks.size() >= 2, "List of private keys must include at least two keys");
    BOTAN_ARG_CHECK(std::all_of(sks.begin(),
                                sks.end(),
                                [](const auto& sk) {

src/lib/tls/tls13_pqc/hybrid_public_key.h

@@ -24,14 +24,18 @@ namespace Botan::TLS {
  * Composes a number of public keys as defined in this IETF draft:
  * https://datatracker.ietf.org/doc/html/draft-ietf-tls-hybrid-design-04
  *
- * To an upstream user, this composite key pair is presented as a KEM.
- * Compositions of at least two (and potentially more) public keys are legal.
- * Each individual key pair must either work as a KEX or as a KEM. Currently,
- * the class can deal with ECC keys and Kyber.
+ * To an upstream user, this composite key pair is presented as a KEM. Each
+ * individual key pair must either work as a KEX or as a KEM. Currently, the
+ * class can deal with ECC keys and Kyber.
+ *
+ * The typical use case provides exactly two keys (one traditional KEX and one
+ * post-quantum secure KEM). However, this class technically allows composing
+ * any number of such keys. Composing more than two keys simply generates a
+ * shared secret based on more algorithms.
  *
  * Note that this class is not generic enough for arbitrary use cases but
- * serializes and parses keys and ciphertexts as described in the above-mentioned
- * IETF draft for a post-quantum TLS 1.3.
+ * serializes and parses keys and ciphertexts as described in the
+ * above-mentioned IETF draft for a post-quantum TLS 1.3.
  */
 class BOTAN_TEST_API Hybrid_KEM_PublicKey : public virtual Public_Key {
    public:

src/tests/test_tls_hybrid_kem_key.cpp

@@ -186,9 +186,13 @@ std::vector<Test::Result> hybrid_kem_keypair() {
                                                [&] { Botan::TLS::Hybrid_KEM_PrivateKey(keys(sig(), kex_dh())); });
                          }),
 
-      Botan_Tests::CHECK("single KEM key", [&](auto& result) { roundtrip_test(result, kem); }),
+      Botan_Tests::CHECK(
+         "single KEM key",
+         [&](auto& result) { result.test_throws("need at least two keys", [&] { roundtrip_test(result, kem); }); }),
       Botan_Tests::CHECK("dual KEM key", [&](auto& result) { roundtrip_test(result, kem, kem); }),
-      Botan_Tests::CHECK("single KEX key", [&](auto& result) { roundtrip_test(result, kex_dh); }),
+      Botan_Tests::CHECK(
+         "single KEX key",
+         [&](auto& result) { result.test_throws("need at least two keys", [&] { roundtrip_test(result, kex_dh); }); }),
       Botan_Tests::CHECK("dual KEX key", [&](auto& result) { roundtrip_test(result, kex_dh, kex_ecdh); }),
       Botan_Tests::CHECK("hybrid KEX/KEM key", [&](auto& result) { roundtrip_test(result, kex_dh, kem); }),
       Botan_Tests::CHECK("hybrid triple key", [&](auto& result) { roundtrip_test(result, kex_dh, kem, kex_ecdh); }),