On Mon, 4 Nov 2024 at 02:52, Peter C <pete...@ncsc.gov.uk> wrote:

> John Mattsson wrote:
>
> > ”Conversely, the fast version prioritizes speed over
> > signature size, minimizing the time required to generate
> > and verify signatures.”
> >
> > This is incorrect. The “f” versions only have faster key
> > generation and signing. They have *slower* verification.
>
> Also:
>
>   “This document specifies the use of the SLH-DSA algorithm in
>    TLS at three security levels.  It includes the small (S) or
>    fast (F) versions of the algorithm and allows for the use of
>    either SHA-256 [FIPS180] or SHAKE256 [FIPS202] as the hash
>    function.”
>
> The SHA2 parameter sets for security categories 3 and 5 use a
> mixture of SHA-256 and SHA-512.  This means that you probably
> want to rename the SignatureScheme entries to
>

Agreed and we will address this in the next revision.

-Tiru


>    enum {
>      slhdsa128s_sha2  (0x0911),
>      slhdsa128f_sha2  (0x0912),
>      slhdsa192s_sha2  (0x0913),
>      slhdsa192f_sha2  (0x0914),
>      slhdsa256s_sha2  (0x0915),
>      slhdsa256f_sha2  (0x0916),
>      ...
>    } SignatureScheme;
>
> Peter
>
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
