Bas Westerbaan writes: > From a security standpoint, I see little value in using SLH-DSA over > (hybrid) ML-DSA unless you also use a different key agreement.
Sorry, can you please clarify the rationale here? I agree that the security of TLS collapses unless the KEM _and_ the signature system are both secure. In particular, TLS using ML-KEM and SLH-DSA needs both ML-KEM and SLH-DSA to be secure; TLS using ML-KEM and ML-DSA needs both ML-KEM and ML-DSA to be secure. But how are you concluding that TLS using ML-KEM and SLH-DSA has risk as high as TLS using ML-KEM and ML-DSA? ---D. J. Bernstein _______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
