Internet Research Task Force (IRTF)                         S. Fluhrer
Request for Comments: 9858                               Cisco Systems
Category: Informational                                        Q. Dang
ISSN: 2070-1721                                                   NIST
                                                        September 2025

      Additional Parameter Sets for HSS/LMS Hash-Based Signatures
Abstract

   This document extends HSS/LMS (RFC 8554) by defining parameter sets
   by including additional hash functions.  These include hash functions
   that result in signatures with significantly smaller sizes than the
   signatures using the current parameter sets and should have
   sufficient security.

   This document is a product of the Crypto Forum Research Group (CFRG)
   in the IRTF.
Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Research Task Force
   (IRTF).  The IRTF publishes the results of Internet-related research
   and development activities.  These results might not be suitable for
   deployment.  This RFC represents the consensus of the Crypto Forum
   Research Group of the Internet Research Task Force (IRTF).  Documents
   approved for publication by the IRSG are not candidates for any level
   of Internet Standard; see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc9858.
Copyright Notice

   Copyright (c) 2025 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
Table of Contents

   1.  Introduction
   2.  Additional Hash Function Definitions
     2.1.  192-Bit Hash Function Based on SHA-256
     2.2.  256-Bit Hash Function Based on SHAKE256
     2.3.  192-Bit Hash Function Based on SHAKE256
   3.  Additional LM-OTS Parameter Sets
   4.  Additional LM Parameter Sets
   5.  Usage for These Additional Hash Functions within HSS
   6.  Parameter Set Selection
   7.  Comparisons of 192-Bit and 256-Bit Parameter Sets
   8.  Security Considerations
     8.1.  Note on the Version of SHAKE
   9.  IANA Considerations
   10. References
     10.1.  Normative References
     10.2.  Informative References
   Appendix A.  Test Cases
   Acknowledgements
   Authors' Addresses
1.  Introduction

   Stateful hash-based signatures have small private and public keys,
   are efficient to compute, and are believed to have excellent
   security.  One disadvantage is that the signatures they produce tend
   to be somewhat large (possibly 1-4 kilobytes).  This document
   explores a set of parameter sets for the HSS/LMS stateful hash-based
   signature method [RFC8554] that reduce the size of the signature
   significantly or rely on a hash function other than SHA-256 (to
   increase cryptodiversity).

   This document represents the consensus of the Crypto Forum Research
   Group (CFRG) in the IRTF.  It is not an IETF product and is not a
   standard.

   According to official definitions and common usage, a Leighton-Micali
   Signature (LMS) is a stateful hash-based signature scheme that is
   based on a single-level Merkle tree.  The Hierarchical Signature
   System (HSS) is a way of binding several LMS signatures together in a
   hierarchical manner to increase the number of signatures available.
   Strictly speaking, all the signatures discussed in this document are
   HSS signatures (even if the HSS signature consists of a single LMS
   signature).  However, it is common to refer to these signatures as
   "LMS signatures".  This document uses the term "HSS/LMS" to cover
   both the pedantic and the common meanings.

   This document is intended to be compatible with the NIST document
   [NIST_SP_800-208].
2.  Additional Hash Function Definitions

   This section defines three hash functions that are used in Sections 3
   and 4.  These hash functions are used where SHA-256 is used in the
   original parameter sets from [RFC8554].  The hash function used is
   specified by the parameter set that is selected.
2.1.  192-Bit Hash Function Based on SHA-256

   This document defines a SHA-2-based hash function with a 192-bit
   output.  As such, we define SHA-256/192 as a truncated version of
   SHA-256 [FIPS180].  That is, it is the result of performing a SHA-256
   operation to a message and then omitting the final 64 bits of the
   output.  This procedure for truncating the hash output to 192 bits is
   described in Section 7 of [FIPS180].

   The following test vector illustrates this:

   SHA-256("abc")     = ba7816bf 8f01cfea 414140de 5dae2223
                        b00361a3 96177a9c b410ff61 f20015ad

   SHA-256/192("abc") = ba7816bf 8f01cfea 414140de 5dae2223
                        b00361a3 96177a9c

   We use the same IV as the untruncated SHA-256, rather than defining a
   distinct one, so that we can use a standard SHA-256 hash
   implementation without modification.  In addition, the fact that
   anyone gets partial knowledge of the SHA-256 hash of a message by
   examining the SHA-256/192 hash of the same message is not a concern
   for this application.  Each message that is hashed is randomized.
   Any message being signed includes the C randomizer (a value that is
   selected by the signer and is included in the hash), which varies per
   message.  Therefore, signing the same message by SHA-256 and by
   SHA-256/192 will not result in the same value being hashed, and so
   the latter hash value is not a prefix of the former one.  In
   addition, all hashes include the I identifier, which is included as a
   part of the signature process in [RFC8554].  This I identifier is
   selected randomly for each private key (and hence two keys will have
   different I values with high probability), and so two intermediate
   hashes computed as a part of signing with two HSS private keys (one
   with a SHA-256 parameter set and one with a SHA-256/192 parameter
   set) will also be distinct with high probability.
2.2.  256-Bit Hash Function Based on SHAKE256

   This document defines a SHAKE-based hash function with a 256-bit
   output.  As such, we define SHAKE256/256 to be the first 256 bits of
   the SHAKE256 extendable-output function (XOF).  That is, it is the
   result of performing a SHAKE-256 operation to a message and then
   using the first 256 bits of output.  See [FIPS202] for more detail.

2.3.  192-Bit Hash Function Based on SHAKE256

   This document defines a SHAKE-based hash function with a 192-bit
   output.  As such, we define SHAKE256/192 to be the first 192 bits of
   the SHAKE256 XOF.  That is, it is the result of performing a
   SHAKE-256 operation to a message and then using the first 192 bits of
   output.  See [FIPS202] for more detail.
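   As an added example (not code from RFC 9858 or from any HSS/LMS
   implementation), the following Python implements the three hash
   functions of Section 2 beside plain SHA-256 and checks the point made
   in Section 2.1: on a bare message the 192-bit hashes are prefixes of
   their 256-bit counterparts, but once the n-byte C randomizer is
   included as in the RFC 8554 message hash, the values hashed differ and
   the prefix relationship disappears.  I, C, q and the message are
   constructed values; D_MESG is the domain-separation constant from
   RFC 8554.

```python
import hashlib
from typing import Callable, Dict

# Added example, not part of RFC 9858.  The four hash functions available
# to HSS/LMS after this document, keyed by the names used in the H column
# of Tables 1 and 2.


def sha256(msg: bytes) -> bytes:
    return hashlib.sha256(msg).digest()


def sha256_192(msg: bytes) -> bytes:
    # Section 2.1: standard SHA-256 (same IV), final 64 bits omitted.
    return hashlib.sha256(msg).digest()[:24]


def shake256_256(msg: bytes) -> bytes:
    # Section 2.2: first 256 bits of the SHAKE256 XOF output.
    return hashlib.shake_256(msg).digest(32)


def shake256_192(msg: bytes) -> bytes:
    # Section 2.3: first 192 bits of the SHAKE256 XOF output.
    return hashlib.shake_256(msg).digest(24)


HASHES: Dict[str, Callable[[bytes], bytes]] = {
    "SHA-256": sha256,
    "SHA-256/192": sha256_192,
    "SHAKE256/256": shake256_256,
    "SHAKE256/192": shake256_192,
}


def hash_len(name: str) -> int:
    """n (Table 1) or m (Table 2) in bytes, taken from the actual output."""
    return len(HASHES[name](b""))


# Domain-separation constant for message hashing, from RFC 8554.
D_MESG = 0x8181


def message_hash(hash_name: str, I: bytes, q: int, C: bytes, message: bytes) -> bytes:
    """Q = H(I || u32str(q) || u16str(D_MESG) || C || message), per RFC 8554.

    C must be n bytes long for the selected hash (Section 3 of this document),
    and I is always 16 bytes regardless of hash (Section 5).
    """
    if len(I) != 16:
        raise ValueError("I must be 16 bytes")
    if len(C) != hash_len(hash_name):
        raise ValueError("C randomizer must be n bytes for this parameter set")
    H = HASHES[hash_name]
    return H(I + q.to_bytes(4, "big") + D_MESG.to_bytes(2, "big") + C + message)


def prefix_relationships() -> Dict[str, bool]:
    """Bare-message prefix property versus the in-scheme message hash.

    I, q, the message and both C randomizers are constructed test inputs.
    """
    I = bytes(range(16))                     # constructed key identifier
    q = 0                                    # constructed leaf index
    msg = b"abc"
    C24 = hashlib.sha256(b"constructed C, n=24").digest()[:24]
    C32 = hashlib.sha256(b"constructed C, n=32").digest()
    return {
        "bare_sha_prefix": sha256(msg).startswith(sha256_192(msg)),
        "bare_shake_prefix": shake256_256(msg).startswith(shake256_192(msg)),
        "signed_sha_prefix": message_hash("SHA-256", I, q, C32, msg).startswith(
            message_hash("SHA-256/192", I, q, C24, msg)),
        "signed_shake_prefix": message_hash("SHAKE256/256", I, q, C32, msg).startswith(
            message_hash("SHAKE256/192", I, q, C24, msg)),
    }
```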
3.  Additional LM-OTS Parameter Sets

   Here is a table with the Leighton-Micali One-Time Signature (LM-OTS)
   parameters defined that use the above hashes:

   +=====================+==============+====+===+=====+====+========+
   | Parameter Set Name  | H            | n  | w | p   | ls | id     |
   +=====================+==============+====+===+=====+====+========+
   | LMOTS_SHA256_N24_W1 | SHA-256/192  | 24 | 1 | 200 | 8  | 0x0005 |
   +---------------------+--------------+----+---+-----+----+--------+
   [... intermediate rows not present in this rendering ...]
   +---------------------+--------------+----+---+-----+----+--------+
   | LMOTS_SHAKE_N24_W2  | SHAKE256/192 | 24 | 2 | 101 | 6  | 0x000e |
   +---------------------+--------------+----+---+-----+----+--------+
   | LMOTS_SHAKE_N24_W4  | SHAKE256/192 | 24 | 4 | 51  | 4  | 0x000f |
   +---------------------+--------------+----+---+-----+----+--------+
   | LMOTS_SHAKE_N24_W8  | SHAKE256/192 | 24 | 8 | 26  | 0  | 0x0010 |
   +---------------------+--------------+----+---+-----+----+--------+

                                  Table 1

   Parameter Set Name:  The human-readable name of the parameter set.

   H:  The second-preimage-resistant cryptographic hash function used
       within this parameter set.

   n:  The number of bytes of the output of the hash function.

   w:  The width (in bits) of the Winternitz coefficients; that is, the
       number of bits from the hash or checksum that is used with a
       single Winternitz chain.  It is a member of the set { 1, 2, 4,
       8 }.

   p:  The number of n-byte string elements that make up the LM-OTS
       signature.

   ls:  The number of left-shift bits used in the checksum function Cksm
        (used by algorithm 2 of [RFC8554]).

   id:  The IANA-defined identifier used to denote this specific
        parameter set, which appears in both public keys and signatures.

   These values are additions to the entries in Table 1 of [RFC8554].
   The SHA256_N24, SHAKE_N32, and SHAKE_N24 in the parameter set names
   denote the SHA-256/192, SHAKE256/256, and SHAKE256/192 hash functions
   defined in Section 2.

   Remember that the C message randomizer (which is included in the
   signature) has the same size (n bytes) as the hash output, and so it
   shrinks from 32 bytes to 24 bytes for the parameter sets that use
   either SHA-256/192 or SHAKE256/192.
4.  Additional LM Parameter Sets

   Here is a table with the Leighton-Micali (LM) parameters defined that
   use SHA-256/192, SHAKE256/256, and SHAKE256/192 hash functions:

   +====================+==============+====+====+========+
   | Parameter Set Name | H            | m  | h  | id     |
   +====================+==============+====+====+========+
   | LMS_SHA256_M24_H5  | SHA-256/192  | 24 | 5  | 0x000a |
   +--------------------+--------------+----+----+--------+
   | LMS_SHA256_M24_H10 | SHA-256/192  | 24 | 10 | 0x000b |
   +--------------------+--------------+----+----+--------+
   | LMS_SHA256_M24_H15 | SHA-256/192  | 24 | 15 | 0x000c |
   +--------------------+--------------+----+----+--------+
   | LMS_SHA256_M24_H20 | SHA-256/192  | 24 | 20 | 0x000d |
   +--------------------+--------------+----+----+--------+
   | LMS_SHA256_M24_H25 | SHA-256/192  | 24 | 25 | 0x000e |
   +--------------------+--------------+----+----+--------+
   | LMS_SHAKE_M32_H5   | SHAKE256/256 | 32 | 5  | 0x000f |
   +--------------------+--------------+----+----+--------+
   | LMS_SHAKE_M32_H10  | SHAKE256/256 | 32 | 10 | 0x0010 |
   +--------------------+--------------+----+----+--------+
   | LMS_SHAKE_M32_H15  | SHAKE256/256 | 32 | 15 | 0x0011 |
   +--------------------+--------------+----+----+--------+
   | LMS_SHAKE_M32_H20  | SHAKE256/256 | 32 | 20 | 0x0012 |
   +--------------------+--------------+----+----+--------+
   | LMS_SHAKE_M32_H25  | SHAKE256/256 | 32 | 25 | 0x0013 |
   +--------------------+--------------+----+----+--------+
   | LMS_SHAKE_M24_H5   | SHAKE256/192 | 24 | 5  | 0x0014 |
   +--------------------+--------------+----+----+--------+
   | LMS_SHAKE_M24_H10  | SHAKE256/192 | 24 | 10 | 0x0015 |
   +--------------------+--------------+----+----+--------+
   | LMS_SHAKE_M24_H15  | SHAKE256/192 | 24 | 15 | 0x0016 |
   +--------------------+--------------+----+----+--------+
   | LMS_SHAKE_M24_H20  | SHAKE256/192 | 24 | 20 | 0x0017 |
   +--------------------+--------------+----+----+--------+
   | LMS_SHAKE_M24_H25  | SHAKE256/192 | 24 | 25 | 0x0018 |
   +--------------------+--------------+----+----+--------+

                              Table 2

   Parameter Set Name:  The human-readable name of the parameter set.

   H:  The second-preimage-resistant cryptographic hash function used
       within this parameter set.

   m:  The size in bytes of the hash function output.

   h:  The height of the Merkle tree.

   id:  The IANA-defined identifier used to denote this specific
        parameter set, which appears in both public keys and signatures.

   These values are additions to the entries in Table 2 of [RFC8554].
   The SHA256_M24, SHAKE_M32, and SHAKE_M24 in the parameter set names
   denote the SHA-256/192, SHAKE256/256, and SHAKE256/192 hash functions
   defined in Section 2.
5.  Usage for These Additional Hash Functions within HSS

   To use the additional hash functions within HSS, one would use the
   appropriate LMOTS id from Table 1 and the appropriate LMS id from
   Table 2 and use that additional hash function when computing the
   hashes for key generation, signature generation, and signature
   verification.

   Note that the size of the I Merkle tree identifier remains 16 bytes,
   independent of what hash function is used.
6.  Parameter Set Selection

   This document, along with [RFC8554], defines four hash functions for
   use within HSS/LMS: SHA-256, SHA-256/192, SHAKE256/256, and
   SHAKE256/192.  The main reason one would select a hash with a 192-bit
   output (either SHA-256/192 or SHAKE256/192) would be to reduce the
   signature size; this comes at the cost of reducing the security
   margin.  However, the security should be sufficient for most uses.

   In contrast, there is no security or signature size difference
   between the SHA-256-based parameter sets (SHA-256 or SHA-256/192)
   versus the SHAKE-based parameter sets (SHAKE256/256 or SHAKE256/192).
   The reason for selecting between the two would be based on practical
   considerations, for example, if the implementation happens to have an
   existing SHA-256 (or SHAKE) implementation or if one of the two
   happens to give better hashing performance on the platform.
7. Comparisons of 192 bit and 256 bit parameter sets 7. Comparisons of 192-Bit and 256-Bit Parameter Sets
Switching to a 192 bit hash affects the signature size, the Switching to a 192-bit hash affects the signature size, the
computation time, and the security strength. It significantly computation time, and the security strength. It significantly
reduces the signature size and somewhat reduces the computation time, reduces the signature size and somewhat reduces the computation time,
at the cost of security strength. See Section 8 for a discussion of at the cost of security strength. See Section 8 for a discussion of
the security strength. the security strength.
The impact on signature size and computation time is based on two The impact on signature size and computation time is based on two
effects: effects:
1. Each hash that appears in the signature is shorter. 1. Each hash that appears in the signature is shorter.
2. We need fewer Winternitz chains (because LM-OTS signs a shorter 2. We need fewer Winternitz chains (because LM-OTS signs a shorter
value). value).
For signature length, both effects are relevant (because the For signature length, both effects are relevant (because the
signature consists of a series of hashes and each hash is shorter, signature consists of a series of hashes and each hash is shorter,
and because we need fewer Winternitz chains, we need fewer hashes in and because we need fewer Winternitz chains, we need fewer hashes in
each LM-OTS signature). each LM-OTS signature).
For computation time (for both signature generation and For computation time (for both signature generation and
verification), effect 1 is irrelevant (we still need to perform verification), effect 1 is irrelevant (we still need to perform
essentially the same hash computation), however effect 2 still essentially the same hash computation), but effect 2 still applies.
applies. For example, with W=8, SHA-256 requires 34 Winternitz For example, with W=8, SHA-256 requires 34 Winternitz chains per LM-
chains per LM-OTS signature, but SHA-256/192 requires only 26. Since OTS signature, but SHA-256/192 requires only 26. Since the vast
the vast majority of time (for both signature generation and majority of time (for both signature generation and verification) is
verification) is spent computing these Winternitz chains, this spent computing these Winternitz chains, this reduction in the number
reduction in the number of chains gives us some performance of chains gives us some performance improvement.
improvement.
Here is a table that gives the space used by both the 256 bit Here is a table that gives the space used by both the 256-bit and
parameter sets and the 192 bit parameter sets, for a range of 192-bit parameter sets for a range of plausible Winternitz parameters
plausible Winternitz parameters and tree heights: and tree heights:
+=========+============+==============+==============+ +=========+============+==============+==============+
| ParmSet | Winternitz | 256 bit hash | 192 bit hash | | ParmSet | Winternitz | 256-bit hash | 192-bit hash |
+=========+============+==============+==============+ +=========+============+==============+==============+
| 15 | 4 | 2672 | 1624 | | 15 | 4 | 2672 | 1624 |
+---------+------------+--------------+--------------+ +---------+------------+--------------+--------------+
| 15 | 8 | 1616 | 1024 | | 15 | 8 | 1616 | 1024 |
+---------+------------+--------------+--------------+ +---------+------------+--------------+--------------+
| 20 | 4 | 2832 | 1744 | | 20 | 4 | 2832 | 1744 |
+---------+------------+--------------+--------------+ +---------+------------+--------------+--------------+
| 20 | 8 | 1776 | 1144 | | 20 | 8 | 1776 | 1144 |
+---------+------------+--------------+--------------+ +---------+------------+--------------+--------------+
| 15/10 | 4 | 5236 | 3172 | | 15/10 | 4 | 5236 | 3172 |
skipping to change at page 10, line 35 skipping to change at line 377
+---------+------------+--------------+--------------+ +---------+------------+--------------+--------------+
| 20/10 | 8 | 3284 | 2092 | | 20/10 | 8 | 3284 | 2092 |
+---------+------------+--------------+--------------+ +---------+------------+--------------+--------------+
| 20/15 | 4 | 5556 | 3412 | | 20/15 | 4 | 5556 | 3412 |
+---------+------------+--------------+--------------+ +---------+------------+--------------+--------------+
| 20/15 | 8 | 3444 | 2212 | | 20/15 | 8 | 3444 | 2212 |
+---------+------------+--------------+--------------+ +---------+------------+--------------+--------------+
Table 3 Table 3
ParmSet: The height of the Merkle tree(s), which is the parameter
"h" from Table 2. Parameter sets listed as a single integer have
L=1 and consist of a single Merkle tree of that height; parameter
sets with L=2 are listed as x/y, with x being the height of the
top-level Merkle tree and y being the bottom level.

Winternitz: The Winternitz parameter used, which is the parameter
"w" from Table 1. For the tests that use multiple trees, this
applies to all of them.

256-bit hash: The size in bytes of a signature, assuming that a
256-bit hash is used in the signature (either SHA-256 or
SHAKE256/256).

192-bit hash: The size in bytes of a signature, assuming that a
192-bit hash is used in the signature (either SHA-256/192 or
SHAKE256/192).

An examination of the signature sizes shows that the 192-bit
parameters consistently give a 35-40% reduction in the size of the
signature in comparison with the 256-bit parameters.

For SHA-256/192, there is a smaller (circa 20%) reduction in the
amount of computation required for a signature operation with a
192-bit hash (for reason 2 listed above). The SHAKE256/192
signatures may have either a faster or slower computation, depending
on the implementation speed of SHAKE versus SHA-256 hashes.

The SHAKE256/256-based parameter sets give no space advantage (or
disadvantage) over the existing SHA-256-based parameter sets; any
performance delta would depend solely on the implementation and
whether they can generate SHAKE hashes faster than SHA-256 ones.
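The sizes in Table 3 follow directly from the RFC 8554 encodings (LM-OTS signature = type || C || p chains of n bytes; LMS signature = q || LM-OTS signature || type || h path nodes; HSS signature = Nspk || L LMS signatures with the L-1 lower-level public keys). The following is an added example, not code from this RFC or from any implementation: it computes those lengths for the rows above and checks that the 192-bit variants land in the 35-40% band, and it decodes the Test Case 1 public key from Appendix A (the LMS/LM-OTS code points are the ones quoted there) to derive the signature length a verifier should expect. It assumes, as Table 3 does, that one Winternitz parameter applies to every level.

```python
"""Signature-size arithmetic for the HSS/LMS parameter sets discussed in
this document, using the encodings of RFC 8554.  Added example; it is
not code from the RFC or from any particular implementation."""
from __future__ import annotations
import math

# Code points quoted in Appendix A of this document.
LMS_TYPES = {              # code -> (n, h)
    0x0000000a: (24, 5),   # LMS_SHA256_M24_H5
    0x0000000d: (24, 20),  # LMS_SHA256_M24_H20
    0x0000000f: (32, 5),   # LMS_SHAKE256_N32_H5
    0x00000014: (24, 5),   # LMS_SHAKE256_N24_H5
}
LMOTS_TYPES = {            # code -> (n, w)
    0x00000007: (24, 4),   # LMOTS_SHA256_N24_W4
    0x00000008: (24, 8),   # LMOTS_SHA256_N24_W8
    0x0000000c: (32, 8),   # LMOTS_SHAKE256_N32_W8
    0x00000010: (24, 8),   # LMOTS_SHAKE256_N24_W8
}


def lmots_p(n: int, w: int) -> int:
    """Number of n-byte hash chains in an LM-OTS signature (RFC 8554,
    Section 4.1): u message digits plus v checksum digits, w bits each."""
    u = math.ceil(8 * n / w)
    v = math.ceil((math.floor(math.log2(u * (2 ** w - 1))) + 1) / w)
    return u + v


def lmots_sig_len(n: int, w: int) -> int:
    """LM-OTS signature: u32 type || C (n bytes) || y[0..p-1] (n bytes each)."""
    return 4 + n * (1 + lmots_p(n, w))


def lms_sig_len(n: int, w: int, h: int) -> int:
    """LMS signature: u32 q || LM-OTS signature || u32 type || h path nodes."""
    return 4 + lmots_sig_len(n, w) + 4 + n * h


def lms_pubkey_len(n: int) -> int:
    """LMS public key: u32 LMS type || u32 LMOTS type || I (16) || K (n)."""
    return 4 + 4 + 16 + n


def hss_sig_len(n: int, w: int, heights: list[int]) -> int:
    """HSS signature: u32 Nspk || L LMS signatures, each non-final one
    followed by the LMS public key of the level below it.  `heights`
    lists the tree heights from the top level downward (the "x/y" column
    of Table 3); one Winternitz parameter applies to every level."""
    total = 4 + sum(lms_sig_len(n, w, h) for h in heights)
    return total + (len(heights) - 1) * lms_pubkey_len(n)


def size_reduction_pct(n_big: int, n_small: int, w: int, heights: list[int]) -> float:
    """Percentage saved by moving from an n_big-byte to an n_small-byte hash."""
    big, small = hss_sig_len(n_big, w, heights), hss_sig_len(n_small, w, heights)
    return 100.0 * (big - small) / big


def parse_hss_public_key(hex_str: str) -> dict:
    """Decode an HSS public key (u32 levels || LMS public key) and cross-check
    that the LMS and LM-OTS code points agree on n and that K has n bytes."""
    raw = bytes.fromhex(hex_str)
    levels = int.from_bytes(raw[0:4], "big")
    lms_type = int.from_bytes(raw[4:8], "big")
    lmots_type = int.from_bytes(raw[8:12], "big")
    n, h = LMS_TYPES[lms_type]
    n_ots, w = LMOTS_TYPES[lmots_type]
    if n != n_ots:
        raise ValueError("LMS and LM-OTS types disagree on hash length")
    if len(raw) != 12 + 16 + n:
        raise ValueError("public key length does not match the LMS type")
    return {"levels": levels, "n": n, "h": h, "w": w,
            "I": raw[12:28].hex(), "K": raw[28:].hex()}


def expected_hss_sig_len(pk: dict) -> int:
    """Signature length a verifier should expect for a parsed public key.
    Only L=1 is derivable from the key alone: lower-level parameters are
    carried in the signature, not in the HSS public key."""
    if pk["levels"] != 1:
        raise ValueError("lower-level parameters are not in the public key")
    return hss_sig_len(pk["n"], pk["w"], [pk["h"]])


# Test Case 1 public key, copied from Appendix A of this document.
TEST_CASE_1_PUBKEY_HEX = (
    "00000001" "0000000a" "00000008"
    "202122232425262728292a2b2c2d2e2f"
    "2c571450aed99cfb4f4ac285da14882796618314508b12d2"
)

if __name__ == "__main__":
    for heights, w in (([20, 10], 8), ([20, 15], 4), ([20, 15], 8)):
        print(f"{heights[0]}/{heights[1]} w={w}: "
              f"{hss_sig_len(32, w, heights)} vs {hss_sig_len(24, w, heights)} bytes "
              f"({size_reduction_pct(32, 24, w, heights):.1f}% smaller)")
    pk = parse_hss_public_key(TEST_CASE_1_PUBKEY_HEX)
    print("Test Case 1 expects a", expected_hss_sig_len(pk), "byte signature")
```

The parser's two length checks are the ones a verifier should make before touching a signature: a public key whose LMS and LM-OTS types disagree on n, or whose K field is the wrong length, is malformed and must be rejected rather than parsed further.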
8. Security Considerations

The strength of a signature that uses the SHA-256/192, SHAKE256/256,
and SHAKE256/192 hash functions is based on the difficulty in finding
preimages or second preimages to those hash functions. As shown in
[Katz16], if we assume that the hash function can be modeled as a
random oracle, then the security of the system is at least 8N-1 bits
(where N is the size of the hash output in bytes); this gives us a
security level of 255 bits for SHAKE256/256 and 191 bits for
SHA-256/192 and SHAKE256/192. That is, the strength of SHA-256/192 and
SHAKE256/192 can be expected to be equivalent to the strength of
AES-192, while the strength of SHAKE256/256 is equivalent to the
strength of AES-256. If AES-192 and AES-256 are quantum-resistant,
then we expect SHA-256/192, SHAKE256/192, and SHAKE256/256 to also be.

If we look at this in a different way, we see that the case of
SHAKE256/256 is essentially the same as the existing SHA-256-based
signatures; the difficulty of finding preimages and second preimages
is essentially the same, and so they have (barring unexpected
cryptographical advances) essentially the same level of security.
The case of SHA-256/192 and SHAKE256/192 requires closer analysis.
For a classical (non-quantum) computer, there is no known attack
better than performing hashes of a large number of distinct
preimages. Therefore, a successful attack has a high probability of
requiring nearly 2**192 hash computations (for either SHA-256/192 or
SHAKE256/192). These can be taken as the expected work effort and
would appear to be completely infeasible in practice.

In theory, an attacker with a quantum computer could use Grover's
algorithm [Grover96] to reduce the expected complexity to circa 2**96
hash computations (for N=24). On the other hand, implementing
Grover's algorithm with this number of hash computations would
require performing circa 2**96 hash computations in succession, which
will take more time than is likely to be acceptable to any attacker.
To speed this up, the attacker would need to run a number of
instances of Grover's algorithm in parallel. This would necessarily
increase the total work effort required, to an extent that makes it
likely infeasible. This is because if we limit the time taken by
Grover's algorithm to 2**t steps (for t <= 96), then to attack a hash
preimage problem of 192 bits, it requires a total of 2**(192-t) hash
computations, rather than the 2**(192/2) hash computations it would
require if we did not limit the time taken. In other words, the hash
preimage can be found in 2**t steps by using 2**(192-2t) quantum
computers (for t <= 96), with one of the quantum computers finding
the preimage. For example, if the adversary is willing to wait for
2**64 times the time taken by a hash computation (which is over 50
years if a quantum computer can compute a hash in 0.1 nanoseconds),
this implies that a total of 2**(192-64) = 2**128 hash computations
will need to be performed, performing the computations on 2**64 (18
quintillion) separate quantum computers, each of which computes 2**64
hash evaluations.

Hence, we expect that HSS/LMS based on these hash functions is secure
against both classical and quantum computers, even though, in both
cases, the expected work effort is less (for the N=24 case) than
against either SHA-256 or SHAKE256/256.
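The parallel-Grover accounting used above, written out step by step as an added illustration (not part of the RFC text). It assumes only the standard Grover bound that searching S candidates takes about sqrt(S) sequential hash evaluations, and uses the document's own quantities:

   One Grover instance over all 2**192 candidates:
       sequential steps  = sqrt(2**192)                 = 2**96

   Split the candidates over M = 2**m machines, each searching
   a disjoint block of 2**(192-m) candidates:
       steps per machine = sqrt(2**(192-m))             = 2**((192-m)/2)
       total work        = M * 2**((192-m)/2)           = 2**((192+m)/2)

   Bound the wall-clock time to 2**t steps (t <= 96):
       (192-m)/2 = t     =>  m = 192 - 2t
       machines          = 2**(192-2t)
       total work        = 2**(192-2t) * 2**t           = 2**(192-t)

   With t = 64:  2**64 machines, 2**64 steps each, 2**128 hash
   evaluations in total, matching the figures in the paragraph above.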
SHA-256 is subject to a length extension attack. In this attack, if
the attacker is given the hash value of an unknown message (and the
message length), then the attacker can compute the hash of the
message appended with certain strings (even though the attacker does
not know the contents of the initial part of the modified message).
This would appear to be irrelevant to HSS for two reasons:

* For the initial message hash, the hash is entirely on public data.
  Hence, this attack is irrelevant, because the attacker could
  compute the hash of the message with appended data anyways.

* The rest of the hashes within HSS are fixed length. Hence, there
  is no opportunity to perform length extension attacks.

In addition, to perform a length extension attack on SHA-256/192, the
attacker has to guess the 64 omitted bits (because the attack
requires all 256 bits of the hash value); hence, that is even less of
a concern than it is for the standard SHA-256.
There is one corner case for which the security strength is reduced:
if we need to assume that the signer will never deliberately generate
a signature that is valid for two different messages. HSS uses
randomized hashing when signing a message. That is, when a message
is being presented to be signed, the signer generates a random value
C and includes that in what is prepended to the message. Because the
attacker cannot predict this value, it is infeasible for anyone other
than the signer to find a generic collision. That is, practically
speaking, a signature that is valid for two colliding messages is
feasible only if the signer signed both messages. For this to
happen, a signer (that is, the one with the private key and who picks
the random C value) would have to break the collision resistance of
the hash function to generate those two colliding messages. Note
that this does not apply to someone who submits the messages for
signing; only the signer could perform this. This would result in a
signature that would be valid for two different selected messages.
This is a nonstandard assumption for signature schemes and is usually
not a concern, as we assume that the signer is trusted to generate
signatures for any message. However, if the application needs to
assume that it is infeasible for the signer to generate such a
signature, then the security strength assumptions are reduced: 128
bits for SHAKE256/256 and 96 bits for SHA-256/192 and SHAKE256/192.

Some cryptographers have raised the possibility of a multi-target
attack (where the attacker has signatures from a large number of
public keys and succeeds if they can generate a forgery against any
one of those public keys). While no such method of attack has been
proposed, the possibility cannot be excluded; if there are a large
number of public keys, it might be prudent to consider the
possibility of some security loss with N=24. If there are 2**K
public keys, this security loss cannot be more than K bits of
security.
8.1. Note on the Version of SHAKE

FIPS 202 [FIPS202] defines both SHAKE128 and SHAKE256. This
specification selects SHAKE256, even though it is less efficient for
large messages. The reason is that SHAKE128 has a low upper bound on
the difficulty of finding preimages (due to the invertibility of its
internal permutation), which would limit the strength of HSS/LMS
(whose strength is based on the difficulty of finding preimages).
Hence, we specify the use of SHAKE256, which has a considerably
stronger preimage resistance.

9. IANA Considerations

IANA has assigned the code points for the parameter sets in Section 3
in the "LM-OTS Signatures" registry and the parameter sets in
Section 4 in the "Leighton-Micali Signatures (LMS)" registry. These
assignments are included in [NIST_SP_800-208], but the IANA
registrations only reference this document.

10. References

10.1. Normative References

[FIPS180]  NIST, "Secure Hash Standard", NIST FIPS 180-4,
           DOI 10.6028/NIST.FIPS.180-4, August 2015,
           <https://nvlpubs.nist.gov/nistpubs/FIPS/
           NIST.FIPS.180-4.pdf>.

[FIPS202]  NIST, "SHA-3 Standard: Permutation-Based Hash and
           Extendable-Output Functions", NIST FIPS 202,
           DOI 10.6028/NIST.FIPS.202, August 2015,
           <https://nvlpubs.nist.gov/nistpubs/FIPS/
           NIST.FIPS.202.pdf>.

[RFC8554]  McGrew, D., Curcio, M., and S. Fluhrer, "Leighton-Micali
           Hash-Based Signatures", RFC 8554, DOI 10.17487/RFC8554,
           April 2019, <https://www.rfc-editor.org/info/rfc8554>.

10.2. Informative References

[Grover96] Grover, L., "A fast quantum mechanical algorithm for
           database search", Proceedings of the twenty-eighth annual
           ACM symposium on Theory of Computing (STOC '96), pp.
           212-219, DOI 10.1145/237814.237866, July 1996,
           <https://doi.org/10.1145/237814.237866>.

[Katz16]   Katz, J., "Analysis of a Proposed Hash-Based Signature
           Standard", Security Standardisation Research (SSR 2016),
           Lecture Notes in Computer Science, vol. 10074, pp.
           261-273, DOI 10.1007/978-3-319-49100-4_12, 2016,
           <https://doi.org/10.1007/978-3-319-49100-4_12>.

[NIST_SP_800-208]
           Cooper, D., Apon, D., Dang, Q., Davidson, M., Dworkin, M.,
           and C. Miller, "Recommendation for Stateful Hash-Based
           Signature Schemes", National Institute of Standards and
           Technology, NIST SP 800-208, DOI 10.6028/NIST.SP.800-208,
           October 2020, <https://doi.org/10.6028/NIST.SP.800-208>.
Appendix A. Test Cases

This appendix provides four test cases that can be used to verify or
debug an implementation. This data is formatted with the name of the
elements on the left and the value of the elements on the right, in
hexadecimal. The concatenation of all of the values within a public
key or signature produces that public key or signature, and values
that do not fit within a single line are listed across successive
lines.
--------------------------------------------
(note: procedure in Appendix A of [RFC8554] is used)
SEED       000102030405060708090a0b0c0d0e0f
           1011121314151617
I          202122232425262728292a2b2c2d2e2f
--------------------------------------------

      Figure 1: Test Case 1 - Private Key for SHA-256/192

--------------------------------------------
HSS public key
levels     00000001
--------------------------------------------
LMS type   0000000a # LMS_SHA256_M24_H5
LMOTS type 00000008 # LMOTS_SHA256_N24_W8
I          202122232425262728292a2b2c2d2e2f
K          2c571450aed99cfb4f4ac285da148827
           96618314508b12d2
--------------------------------------------

      Figure 2: Test Case 1 - Public Key for SHA-256/192

--------------------------------------------
Message    54657374206d65737361676520666f72 |Test message for|
           205348413235362d3139320a         | SHA-256/192.|
--------------------------------------------

      Figure 3: Test Case 1 - Message for SHA-256/192

--------------------------------------------
HSS signature
Nspk       00000000
sig[0]:
--------------------------------------------
LMS signature
q          00000005
--------------------------------------------
LMOTS signature
[... lines omitted ...]
           4ea64209942fbae3
path[1]    38d19f152182c807d3c40b189d3fcbea
           942f44682439b191
path[2]    332d33ae0b761a2a8f984b56b2ac2fd4
           ab08223a69ed1f77
path[3]    19c7aa7e9eee96504b0e60c6bb5c942d
           695f0493eb25f80a
path[4]    5871cffd131d0e04ffe5065bc7875e82
           d34b40b69dd9f3c1

      Figure 4: Test Case 1 - Signature for SHA-256/192
--------------------------------------------
(note: procedure in Appendix A of [RFC8554] is used)
SEED       303132333435363738393a3b3c3d3e3f
           4041424344454647
I          505152535455565758595a5b5c5d5e5f
--------------------------------------------

      Figure 5: Test Case 2 - Private Key for SHAKE256/192

--------------------------------------------
HSS public key
levels     00000001
--------------------------------------------
LMS type   00000014 # LMS_SHAKE256_N24_H5
LMOTS type 00000010 # LMOTS_SHAKE256_N24_W8
I          505152535455565758595a5b5c5d5e5f
K          db54a4509901051c01e26d9990e55034
           7986da87924ff0b1
--------------------------------------------

      Figure 6: Test Case 2 - Public Key for SHAKE256/192

--------------------------------------------
Message    54657374206d65737361676520666f72 |Test message for|
           205348414b453235362d3139320a     | SHAKE256/192.|
--------------------------------------------

      Figure 7: Test Case 2 - Message for SHAKE256/192

--------------------------------------------
HSS signature
Nspk       00000000
sig[0]:
--------------------------------------------
LMS signature
q          00000006
--------------------------------------------
LMOTS signature
[... lines omitted ...]
           a7fb05d995b5721a
path[1]    27096a5007d82f79d063acd434a04e97
           f61552f7f81a9317
path[2]    b4ec7c87a5ed10c881928fc6ebce6dfc
           e9daae9cc9dba690
path[3]    7ca9a9dd5f9f573704d5e6cf22a43b04
           e64c1ffc7e1c442e
path[4]    cb495ba265f465c56291a902e62a461f
           6dfda232457fad14

      Figure 8: Test Case 2 - Signature for SHAKE256/192
--------------------------------------------
(note: procedure in Appendix A of [RFC8554] is used)
SEED       606162636465666768696a6b6c6d6e6f
           707172737475767778797a7b7c7d7e7f
I          808182838485868788898a8b8c8d8e8f
--------------------------------------------

      Figure 9: Test Case 3 - Private Key for SHAKE256/256

--------------------------------------------
HSS public key
levels     00000001
--------------------------------------------
LMS type   0000000f # LMS_SHAKE256_N32_H5
LMOTS type 0000000c # LMOTS_SHAKE256_N32_W8
I          808182838485868788898a8b8c8d8e8f
K          9bb7faee411cae806c16a466c3191a8b
           65d0ac31932bbf0c2d07c7a4a36379fe
--------------------------------------------

      Figure 10: Test Case 3 - Public Key for SHAKE256/256

--------------------------------------------
Message    54657374206d657361676520666f7220 |Test mesage for |
           5348414b453235362d3235360a       |SHAKE256/256.|
--------------------------------------------

      Figure 11: Test Case 3 - Message for SHAKE256/256

--------------------------------------------
HSS signature
Nspk       00000000
sig[0]:
--------------------------------------------
LMS signature
q          00000007
--------------------------------------------
LMOTS signature
[... lines omitted ...]
           5d65b242b714bc5a756ba5e228abfa0d
path[1]    1329978a05d5e815cf4d74c1e547ec4a
           a3ca956ae927df8b29fb9fab3917a7a4
path[2]    ae61ba57e5342e9db12caf6f6dbc5253
           de5268d4b0c4ce4ebe6852f012b162fc
path[3]    1c12b9ffc3bcb1d3ac8589777655e22c
           d9b99ff1e4346fd0efeaa1da044692e7
path[4]    ad6bfc337db69849e54411df8920c228
           a2b7762c11e4b1c49efb74486d3931ea

      Figure 12: Test Case 3 - Signature for SHAKE256/256
--------------------------------------------
(note: procedure in Appendix A of [RFC8554] is used)
SEED       202122232425262728292a2b2c2d2e2f
           3031323334353637
I          404142434445464748494a4b4c4d4e4f
--------------------------------------------

      Figure 13: Test Case 4 - Private Key for SHA256/192 with W=4

--------------------------------------------
HSS public key
levels     00000001
--------------------------------------------
LMS type   0000000d # LMS_SHA256_M24_H20
LMOTS type 00000007 # LMOTS_SHA256_N24_W4
I          404142434445464748494a4b4c4d4e4f
K          9c08a50d170406869892802ee4142fcd
           eac990f110c2460c
--------------------------------------------

      Figure 14: Test Case 4 - Public Key for SHA256/192 with W=4

--------------------------------------------
Message    54657374206d65737361676520666f72 |Test message for|
           205348413235362f31393220773d34   | SHA256/192 w=4|
--------------------------------------------

      Figure 15: Test Case 4 - Message for SHA256/192 with W=4

--------------------------------------------
HSS signature
Nspk       00000000
sig[0]:
--------------------------------------------
LMS signature
q          00000064
--------------------------------------------
LMOTS signature
[... lines omitted ...]
           071e572fd032c780
path[16]   f44c9503a4c03c37417dc96422ba0849
           c37956f9fd5d33ea
path[17]   4fcab84276effec652ca77d7d47ac93c
           633d99e0a236f03d
path[18]   5587d1990ffaef737fced1f5cdd8f373
           844e9f316aad41a0
path[19]   b12302639f83a2d74c9fe30d305a942b
           c0c30352a5e44dfb

      Figure 16: Test Case 4 - Signature for SHA256/192 with W=4
Acknowledgements
We would like to thank Carsten Bormann, Russ Housley, Andrey Jivsov,
Mallory Knodel, Virendra Kumar, Thomas Pornin, and Stanislav
Smyshlyaev for their insightful and helpful reviews.
Authors' Addresses

Scott Fluhrer
Cisco Systems
170 West Tasman Drive
San Jose, CA
United States of America
Email: sfluhrer@cisco.com

Quynh Dang
NIST
100 Bureau Drive
Gaithersburg, MD
United States of America
Email: quynh.dang@nist.gov