On Mon, 4 Nov 2024 at 02:52, Peter C <pete...@ncsc.gov.uk> wrote:
> John Mattsson wrote:
>
> > ”Conversely, the fast version prioritizes speed over
>
> > signature size, minimizing the time required to generate
>
> > and verify signatures.”
>
> >
>
> > This is incorrect. The “f” versions only have faster key
>
> > generation and signing. They have *slower* verification.
>
>
>
> Also:
>
>
>
> “This document specifies the use of the SLH-DSA algorithm in
>
> TLS at three security levels. It includes the small (S) or
>
> fast (F) versions of the algorithm and allows for the use of
>
> either SHA-256 [FIPS180] or SHAKE256 [FIPS202] as the hash
>
> function.”
>
>
>
> The SHA2 parameter sets for security categories 3 and 5 use a
>
> mixture of SHA-256 and SHA-512. This means that you probably
>
> want to rename the SignatureScheme entries to
>
Agreed and we will address this in the next revision.
-Tiru
>
>
> enum {
>
> slhdsa128s_sha2 (0x0911),
>
> slhdsa128f_sha2 (0x0912),
>
> slhdsa192s_sha2 (0x0913),
>
> slhdsa192f_sha2 (0x0914),
>
> slhdsa256s_sha2 (0x0915),
>
> slhdsa256f_sha2 (0x0916),
>
> ...
>
> } SignatureScheme;
>
>
>
> Peter
>
>
>
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
