Open sfluhrer opened 4 months ago
Good point, I missed mentioning that SLH-DSA must also be used in deterministic mode. I don't see a need to use randomized signing, as the data used for generating a digital signature is unique for each IKEv2 session. It includes session-specific information such as nonces, cryptographic parameters, and identifiers, and the data is signed only once.
You state:
If ML-DSA is used as an authentication method within the IKEv2 protocol, the deterministic version of ML-DSA MUST be used.
Might I ask why this MUST statement is there (and not about SLH-DSA, which gives similar flexibility?