On Wed, Jul 16, 2025 at 11:15 PM D. J. Bernstein <[email protected]> wrote:
> Bas Westerbaan writes: > > From a security standpoint, I see little value in using SLH-DSA over > > (hybrid) ML-DSA unless you also use a different key agreement. > > Sorry, can you please clarify the rationale here? > > I agree that the security of TLS collapses unless the KEM _and_ the > signature system are both secure. In particular, TLS using ML-KEM and > SLH-DSA needs both ML-KEM and SLH-DSA to be secure; TLS using ML-KEM and > ML-DSA needs both ML-KEM and ML-DSA to be secure. > > But how are you concluding that TLS using ML-KEM and SLH-DSA has risk as > high as TLS using ML-KEM and ML-DSA? > I'm not concluding that, Dan. Instead of turning this into a close reading exercise, let me get back to the heart of the matter (prioritisation), and ask you what should be the top three documents this working group should pursue. Best, Bas > > ---D. J. Bernstein > > _______________________________________________ > TLS mailing list -- [email protected] > To unsubscribe send an email to [email protected] >
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
