On 4/10/26 22:51, Rob Sayre wrote:
It's whether the hybrid schemes are better at protecting against side-channel attacks.
If the threat model requires SCA resistance, both schemes must be protected. Consider a composition of EdDSA and ML-DSA where only EdDSA has SCA protections applied. In this case, an attacker could trivially break ML-DSA through a side-channel attack - rendering its inclusion pointless.
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
