On Mon, Nov 4, 2024 at 6:31 PM D. J. Bernstein <[email protected]> wrote:
> Speaking for myself, not on behalf of the SPHINCS+ team (or other teams > potentially relevant here). > > Peter C writes: > > Under realistic network conditions, TLS handshakes with full SLH-DSA > > certificate chains seem to be about 5-10 times slower than traditional > > certificate chains and, in some cases, can take on the order of > > seconds. > > For, e.g., sphincsf128shake256simple, a quad-core 3GHz Intel Skylake > from 2015 handles 85 signatures per second and 1300 verifications per > second. (Source: dividing 12 billion cycles/second by the cycle counts > given in https://bench.cr.yp.to/results-sign/amd64-samba.html.) > > Sure, one can come up with scenarios where this isn't fast enough or > where 17KB for a signature is a problem. But there are also environments > where these costs are negligible compared to the transmission and > processing of user data. > Agreed. That SLH-DSA is clearly not suited for all use cases for TLS, doesn't mean we should withhold it for those where it's acceptable.
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
