On Mon, 4 Nov 2024 at 02:52, Peter C <pete...@ncsc.gov.uk> wrote: > John Mattsson wrote: > > > ”Conversely, the fast version prioritizes speed over > > > signature size, minimizing the time required to generate > > > and verify signatures.” > > > > > > This is incorrect. The “f” versions only have faster key > > > generation and signing. They have *slower* verification. > > > > Also: > > > > “This document specifies the use of the SLH-DSA algorithm in > > TLS at three security levels. It includes the small (S) or > > fast (F) versions of the algorithm and allows for the use of > > either SHA-256 [FIPS180] or SHAKE256 [FIPS202] as the hash > > function.” > > > > The SHA2 parameter sets for security categories 3 and 5 use a > > mixture of SHA-256 and SHA-512. This means that you probably > > want to rename the SignatureScheme entries to >
Agreed and we will address this in the next revision. -Tiru > > > enum { > > slhdsa128s_sha2 (0x0911), > > slhdsa128f_sha2 (0x0912), > > slhdsa192s_sha2 (0x0913), > > slhdsa192f_sha2 (0x0914), > > slhdsa256s_sha2 (0x0915), > > slhdsa256f_sha2 (0x0916), > > ... > > } SignatureScheme; > > > > Peter > > >
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org