| rfc9858v1.txt | rfc9858.txt | |||
|---|---|---|---|---|
| Internet Research Task Force (IRTF) S. Fluhrer | Internet Research Task Force (IRTF) S. Fluhrer | |||
| Request for Comments: 9858 Cisco Systems | Request for Comments: 9858 Cisco Systems | |||
| Category: Informational Q. Dang | Category: Informational Q. Dang | |||
| ISSN: 2070-1721 NIST | ISSN: 2070-1721 NIST | |||
| September 2025 | October 2025 | |||
| Additional Parameter Sets for HSS/LMS Hash-Based Signatures | Additional Parameter Sets for HSS/LMS Hash-Based Signatures | |||
| Abstract | Abstract | |||
| This document extends HSS/LMS (RFC 8554) by defining parameter sets | This document extends HSS/LMS (RFC 8554) by defining parameter sets | |||
| by including additional hash functions. These include hash functions | that use alternative hash functions. These include hash functions | |||
| that result in signatures with significantly smaller sizes than the | that result in signatures with significantly smaller sizes than the | |||
| signatures using the current parameter sets and should have | signatures that use the RFC 8554 parameter sets and should have | |||
| sufficient security. | sufficient security. | |||
| This document is a product of the Crypto Forum Research Group (CFRG) | This document is a product of the Internet Research Task Force | |||
| in the IRTF. | (IRTF). The IRTF publishes the results of Internet-related research | |||
| and development activities. These results might not be suitable for | ||||
| deployment. This RFC represents the consensus of the Crypto Forum | ||||
| Research Group of the Internet Research Task Force (IRTF). Documents | ||||
| approved for publication by the IRSG are not candidates for any level | ||||
| of Internet Standard; see Section 2 of RFC 7841. | ||||
| Status of This Memo | Status of This Memo | |||
| This document is not an Internet Standards Track specification; it is | This document is not an Internet Standards Track specification; it is | |||
| published for informational purposes. | published for informational purposes. | |||
| This document is a product of the Internet Research Task Force | This document is a product of the Internet Research Task Force | |||
| (IRTF). The IRTF publishes the results of Internet-related research | (IRTF). The IRTF publishes the results of Internet-related research | |||
| and development activities. These results might not be suitable for | and development activities. These results might not be suitable for | |||
| deployment. This RFC represents the consensus of the Crypto Forum | deployment. This RFC represents the consensus of the Crypto Forum | |||
| skipping to change at line 58 ¶ | skipping to change at line 63 ¶ | |||
| to this document. | to this document. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction | 1. Introduction | |||
| 2. Additional Hash Function Definitions | 2. Additional Hash Function Definitions | |||
| 2.1. 192-Bit Hash Function Based on SHA-256 | 2.1. 192-Bit Hash Function Based on SHA-256 | |||
| 2.2. 256-Bit Hash Function Based on SHAKE256 | 2.2. 256-Bit Hash Function Based on SHAKE256 | |||
| 2.3. 192-Bit Hash Function Based on SHAKE256 | 2.3. 192-Bit Hash Function Based on SHAKE256 | |||
| 3. Additional LM-OTS Parameter Sets | 3. Additional LM-OTS Parameter Sets | |||
| 4. Additional LM Parameter Sets | 4. Additional LMS Parameter Sets | |||
| 5. Usage for These Additional Hash Functions within HSS | 5. Usage for These Additional Hash Functions within HSS | |||
| 6. Parameter Set Selection | 6. Parameter Set Selection | |||
| 7. Comparisons of 192-Bit and 256-Bit Parameter Sets | 7. Comparisons of 192-Bit and 256-Bit Parameter Sets | |||
| 8. Security Considerations | 8. Security Considerations | |||
| 8.1. Note on the Version of SHAKE | 8.1. Note on the Version of SHAKE | |||
| 9. IANA Considerations | 9. IANA Considerations | |||
| 10. References | 10. References | |||
| 10.1. Normative References | 10.1. Normative References | |||
| 10.2. Informative References | 10.2. Informative References | |||
| Appendix A. Test Cases | Appendix A. Test Cases | |||
| A.1. Test Case 1 - SHA-256/192 | ||||
| A.2. Test vector for SHAKE256/192 | ||||
| A.3. Test vector for SHA-256/256 | ||||
| A.4. Test vector for SHA-256/192, W=4 | ||||
| Acknowledgements | Acknowledgements | |||
| Authors' Addresses | Authors' Addresses | |||
| 1. Introduction | 1. Introduction | |||
| Stateful hash-based signatures have small private and public keys, | Stateful hash-based signatures have small private and public keys, | |||
| are efficient to compute, and are believed to have excellent | are efficient to compute, and are believed to have excellent | |||
| security. One disadvantage is that the signatures they produce tend | security. One disadvantage is that the signatures they produce tend | |||
| to be somewhat large (possibly 1-4 kilobytes). This document | to be somewhat large (possibly 1-4 kilobytes). This document defines | |||
| explores a set of parameter sets for the HSS/LMS stateful hash-based | a set of parameter sets for the HSS/LMS stateful hash-based signature | |||
| signature method [RFC8554] that reduce the size of the signature | method [RFC8554] that reduce the size of the signature significantly | |||
| significantly or rely on a hash function other than SHA-256 (to | or rely on a hash function other than SHA-256 (to increase | |||
| increase cryptodiversity). | cryptodiversity). | |||
| This document represents the consensus of the Crypto Forum Research | This document represents the consensus of the Crypto Forum Research | |||
| Group (CFRG) in the IRTF. It is not an IETF product and is not a | Group (CFRG) in the IRTF. It is not an IETF product and is not a | |||
| standard. | standard. | |||
| According to official definitions and common usage, a Leighton-Micali | According to official definitions and common usage, a Leighton-Micali | |||
| Signature (LMS) is a stateful hash-based signature scheme that is | Signature (LMS) is a stateful hash-based signature scheme that is | |||
| based on a single-level Merkle tree. The Hierarchical Signature | based on a single-level Merkle tree. The Hierarchical Signature | |||
| System (HSS) is a way of binding several LMS signatures together in a | System (HSS) is a way of binding several LMS signatures together in a | |||
| hierarchical manner to increase the number of signatures available. | hierarchical manner to increase the number of signatures available. | |||
| skipping to change at line 103 ¶ | skipping to change at line 112 ¶ | |||
| HSS signatures (even if the HSS signature consists of a single LMS | HSS signatures (even if the HSS signature consists of a single LMS | |||
| signature). However, it is common to refer to these signatures as | signature). However, it is common to refer to these signatures as | |||
| "LMS signatures". This document uses the term "HSS/LMS" to cover | "LMS signatures". This document uses the term "HSS/LMS" to cover | |||
| both the pedantic and the common meanings. | both the pedantic and the common meanings. | |||
| This document is intended to be compatible with the NIST document | This document is intended to be compatible with the NIST document | |||
| [NIST_SP_800-208]. | [NIST_SP_800-208]. | |||
| 2. Additional Hash Function Definitions | 2. Additional Hash Function Definitions | |||
| This section defines three hash functions that are used in Sections 3 | This section defines three hash functions that are used with the | |||
| and 4. These hash functions are used where SHA-256 is used in the | parameter sets defined in Sections 3 and 4. These hash functions are | |||
| original parameter sets from [RFC8554]. The hash function used is | used where SHA-256 is used in the original parameter sets from | |||
| specified by the parameter set that is selected. | [RFC8554]. The hash function used is specified by the parameter set | |||
| that is selected. | ||||
| 2.1. 192-Bit Hash Function Based on SHA-256 | 2.1. 192-Bit Hash Function Based on SHA-256 | |||
| This document defines a SHA-2-based hash function with a 192-bit | This document defines a SHA-2-based hash function with a 192-bit | |||
| output. As such, we define SHA-256/192 as a truncated version of | output. As such, we define SHA-256/192 as a truncated version of | |||
| SHA-256 [FIPS180]. That is, it is the result of performing a SHA-256 | SHA-256 [FIPS180]. That is, it is the result of performing a SHA-256 | |||
| operation to a message and then omitting the final 64 bits of the | operation to a message and then omitting the final 64 bits of the | |||
| output. This procedure for truncating the hash output to 192 bits is | output. This procedure for truncating the hash output to 192 bits is | |||
| described in Section 7 of [FIPS180]. | described in Section 7 of [FIPS180]. | |||
| The following test vector illustrates this: | The following test vector illustrates this: | |||
| SHA-256("abc") = ba7816bf 8f01cfea 414140de 5dae2223 | SHA-256("abc") = ba7816bf 8f01cfea 414140de 5dae2223 | |||
| b00361a3 96177a9c b410ff61 f20015ad | b00361a3 96177a9c b410ff61 f20015ad | |||
| SHA-256/192("abc") = ba7816bf 8f01cfea 414140de 5dae2223 | SHA-256/192("abc") = ba7816bf 8f01cfea 414140de 5dae2223 | |||
| b00361a3 96177a9c | b00361a3 96177a9c | |||
| We use the same IV as the untruncated SHA-256, rather than defining a | We use the same initial hash value (initialization vector) as the | |||
| distinct one, so that we can use a standard SHA-256 hash | untruncated SHA-256, rather than defining a distinct one, so that we | |||
| implementation without modification. In addition, the fact that | can use a standard SHA-256 hash implementation without modification. | |||
| anyone gets partial knowledge of the SHA-256 hash of a message by | In addition, the fact that anyone gets partial knowledge of the | |||
| examining the SHA-256/192 hash of the same message is not a concern | SHA-256 hash of a message by examining the SHA-256/192 hash of the | |||
| for this application. Each message that is hashed is randomized. | same message is not a concern for this application. Each message | |||
| Any message being signed includes the C randomizer (a value that is | that is hashed is randomized. Any message being signed includes the | |||
| selected by the signer and is included in the hash), which varies per | C randomizer (a value that is selected by the signer and is included | |||
| message. Therefore, signing the same message by SHA-256 and by SHA- | in the hash), which varies per message. Therefore, signing the same | |||
| 256/192 will not result in the same value being hashed, and so the | message by SHA-256 and by SHA-256/192 will not result in the same | |||
| latter hash value is not a prefix of the former one. In addition, | value being hashed, and so the latter hash value is not a prefix of | |||
| all hashes include the I identifier, which is included as a part of | the former one. In addition, all hashes include the I identifier, | |||
| the signature process in [RFC8554]. This I identifier is selected | which is included as a part of the signature process in [RFC8554]. | |||
| randomly for each private key (and hence two keys will have different | This I identifier is selected randomly for each private key (and | |||
| I values with high probability), and so two intermediate hashes | hence two keys will have different I values with high probability), | |||
| computed as a part of signing with two HSS private keys (one with a | and so two intermediate hashes computed as a part of signing with two | |||
| SHA-256 parameter set and one with a SHA-256/192 parameter set) will | HSS private keys (one with a SHA-256 parameter set and one with a | |||
| also be distinct with high probability. | SHA-256/192 parameter set) will also be distinct with high | |||
| probability. | ||||
| 2.2. 256-Bit Hash Function Based on SHAKE256 | 2.2. 256-Bit Hash Function Based on SHAKE256 | |||
| This document defines a SHAKE-based hash function with a 256-bit | This document defines a SHAKE-based hash function with a 256-bit | |||
| output. As such, we define SHAKE256/256 to be the first 256 bits of | output. As such, we define SHAKE256/256 to be the first 256 bits of | |||
| the SHAKE256 extendable-output function (XOF). That is, it is the | the SHAKE256 extendable-output function (XOF). That is, it is the | |||
| result of performing a SHAKE-256 operation to a message and then | result of performing a SHAKE-256 operation to a message and then | |||
| using the first 256 bits of output. See [FIPS202] for more detail. | using the first 256 bits of output. See [FIPS202] for more detail. | |||
| 2.3. 192-Bit Hash Function Based on SHAKE256 | 2.3. 192-Bit Hash Function Based on SHAKE256 | |||
| This document defines a SHAKE-based hash function with a 192-bit | This document defines a SHAKE-based hash function with a 192-bit | |||
| output. As such, we define SHAKE256/192 to be the first 192 bits of | output. As such, we define SHAKE256/192 to be the first 192 bits of | |||
| the SHAKE256 XOF. That is, it is the result of performing a | the SHAKE256 XOF. That is, it is the result of performing a | |||
| SHAKE-256 operation to a message and then using the first 192 bits of | SHAKE-256 operation to a message and then using the first 192 bits of | |||
| output. See [FIPS202] for more detail. | output. See [FIPS202] for more detail. | |||
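
As an added example (not code from the RFC), the three hash functions of Section 2 expressed with Python's hashlib and checked against the SHA-256("abc") test vector given in Section 2.1; the function names `sha256_192`, `shake256_256` and `shake256_192` are choices made here.

```python
import hashlib

# Added example (not part of RFC 9858): the three hash functions of
# Section 2 expressed with Python's hashlib.  Each returns raw bytes.


def sha256_192(msg: bytes) -> bytes:
    """SHA-256/192: full SHA-256, then drop the final 64 bits (8 bytes).

    The same initial hash value as SHA-256 is used, so an unmodified
    SHA-256 implementation suffices; only the output is truncated."""
    return hashlib.sha256(msg).digest()[:24]


def shake256_256(msg: bytes) -> bytes:
    """SHAKE256/256: the first 256 bits (32 bytes) of the SHAKE256 XOF."""
    return hashlib.shake_256(msg).digest(32)


def shake256_192(msg: bytes) -> bytes:
    """SHAKE256/192: the first 192 bits (24 bytes) of the SHAKE256 XOF."""
    return hashlib.shake_256(msg).digest(24)


# Test vector from Section 2.1 of the document.
SHA256_ABC = bytes.fromhex(
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")
SHA256_192_ABC = bytes.fromhex(
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9c")


def check_section2_properties() -> bool:
    """Return True if the definitions behave as Section 2 describes:
    - SHA-256/192("abc") equals the published test vector,
    - SHA-256/192 output is a prefix of the SHA-256 output (the partial
      knowledge that Section 2.1 argues is harmless here, because every
      hashed value carries the per-message C randomizer and the per-key I),
    - SHAKE256/192 is a prefix of SHAKE256/256 (both are XOF prefixes),
    - output lengths are 24, 32 and 24 bytes respectively."""
    msg = b"abc"
    ok = sha256_192(msg) == SHA256_192_ABC
    ok &= hashlib.sha256(msg).digest() == SHA256_ABC
    ok &= SHA256_ABC.startswith(sha256_192(msg))
    ok &= shake256_256(msg).startswith(shake256_192(msg))
    ok &= (len(sha256_192(msg)), len(shake256_256(msg)),
           len(shake256_192(msg))) == (24, 32, 24)
    return ok


if __name__ == "__main__":
    print('SHA-256/192("abc") =', sha256_192(b"abc").hex())
    print("section 2 checks pass:", check_section2_properties())
```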
| 3. Additional LM-OTS Parameter Sets | 3. Additional LM-OTS Parameter Sets | |||
| Here is a table with the Leighton-Micali One-Time Signature (LM-OTS) | The table below defines the Leighton-Micali One-Time Signature (LM- | |||
| parameters defined that use the above hashes: | OTS) parameters that use the hashes defined in Section 2: | |||
| +=====================+==============+====+===+=====+====+========+ | +=====================+==============+==+=+=====+====+============+ | |||
| | Parameter Set Name | H | n | w | p | ls | id | | | Parameter Set Name | H | n|w| p | ls | id | | |||
| +=====================+==============+====+===+=====+====+========+ | +=====================+==============+==+=+=====+====+============+ | |||
| | LMOTS_SHA256_N24_W1 | SHA-256/192 | 24 | 1 | 200 | 8 | 0x0005 | | | LMOTS_SHA256_N24_W1 | SHA-256/192 |24|1| 200 | 8 | 0x00000005 | | |||
| +---------------------+--------------+----+---+-----+----+--------+ | +---------------------+--------------+--+-+-----+----+------------+ | |||
| | LMOTS_SHA256_N24_W2 | SHA-256/192 | 24 | 2 | 101 | 6 | 0x0006 | | | LMOTS_SHA256_N24_W2 | SHA-256/192 |24|2| 101 | 6 | 0x00000006 | | |||
| +---------------------+--------------+----+---+-----+----+--------+ | +---------------------+--------------+--+-+-----+----+------------+ | |||
| | LMOTS_SHA256_N24_W4 | SHA-256/192 | 24 | 4 | 51 | 4 | 0x0007 | | | LMOTS_SHA256_N24_W4 | SHA-256/192 |24|4| 51 | 4 | 0x00000007 | | |||
| +---------------------+--------------+----+---+-----+----+--------+ | +---------------------+--------------+--+-+-----+----+------------+ | |||
| | LMOTS_SHA256_N24_W8 | SHA-256/192 | 24 | 8 | 26 | 0 | 0x0008 | | | LMOTS_SHA256_N24_W8 | SHA-256/192 |24|8| 26 | 0 | 0x00000008 | | |||
| +---------------------+--------------+----+---+-----+----+--------+ | +---------------------+--------------+--+-+-----+----+------------+ | |||
| | LMOTS_SHAKE_N32_W1 | SHAKE256/256 | 32 | 1 | 265 | 7 | 0x0009 | | | LMOTS_SHAKE_N32_W1 | SHAKE256/256 |32|1| 265 | 7 | 0x00000009 | | |||
| +---------------------+--------------+----+---+-----+----+--------+ | +---------------------+--------------+--+-+-----+----+------------+ | |||
| | LMOTS_SHAKE_N32_W2 | SHAKE256/256 | 32 | 2 | 133 | 6 | 0x000a | | | LMOTS_SHAKE_N32_W2 | SHAKE256/256 |32|2| 133 | 6 | 0x0000000A | | |||
| +---------------------+--------------+----+---+-----+----+--------+ | +---------------------+--------------+--+-+-----+----+------------+ | |||
| | LMOTS_SHAKE_N32_W4 | SHAKE256/256 | 32 | 4 | 67 | 4 | 0x000b | | | LMOTS_SHAKE_N32_W4 | SHAKE256/256 |32|4| 67 | 4 | 0x0000000B | | |||
| +---------------------+--------------+----+---+-----+----+--------+ | +---------------------+--------------+--+-+-----+----+------------+ | |||
| | LMOTS_SHAKE_N32_W8 | SHAKE256/256 | 32 | 8 | 34 | 0 | 0x000c | | | LMOTS_SHAKE_N32_W8 | SHAKE256/256 |32|8| 34 | 0 | 0x0000000C | | |||
| +---------------------+--------------+----+---+-----+----+--------+ | +---------------------+--------------+--+-+-----+----+------------+ | |||
| | LMOTS_SHAKE_N24_W1 | SHAKE256/192 | 24 | 1 | 200 | 8 | 0x000d | | | LMOTS_SHAKE_N24_W1 | SHAKE256/192 |24|1| 200 | 8 | 0x0000000D | | |||
| +---------------------+--------------+----+---+-----+----+--------+ | +---------------------+--------------+--+-+-----+----+------------+ | |||
| | LMOTS_SHAKE_N24_W2 | SHAKE256/192 | 24 | 2 | 101 | 6 | 0x000e | | | LMOTS_SHAKE_N24_W2 | SHAKE256/192 |24|2| 101 | 6 | 0x0000000E | | |||
| +---------------------+--------------+----+---+-----+----+--------+ | +---------------------+--------------+--+-+-----+----+------------+ | |||
| | LMOTS_SHAKE_N24_W4 | SHAKE256/192 | 24 | 4 | 51 | 4 | 0x000f | | | LMOTS_SHAKE_N24_W4 | SHAKE256/192 |24|4| 51 | 4 | 0x0000000F | | |||
| +---------------------+--------------+----+---+-----+----+--------+ | +---------------------+--------------+--+-+-----+----+------------+ | |||
| | LMOTS_SHAKE_N24_W8 | SHAKE256/192 | 24 | 8 | 26 | 0 | 0x0010 | | | LMOTS_SHAKE_N24_W8 | SHAKE256/192 |24|8| 26 | 0 | 0x00000010 | | |||
| +---------------------+--------------+----+---+-----+----+--------+ | +---------------------+--------------+--+-+-----+----+------------+ | |||
| Table 1 | Table 1 | |||
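
Review bot: the id column in the rows LMOTS_SHA256_N24_W1 through LMOTS_SHAKE_N24_W8 now lists four-byte values (0x00000005 rather than 0x0005), which matches the u32str(type) encoding that [RFC8554] uses for the LM-OTS typecode at the start of an LM-OTS signature and public key. One point worth stating near the table: implementations must compare the full 32-bit typecode against the LM-OTS registry, not the LMS one, because the LMS ids in Table 2 reuse the same numeric range (0x0000000A onward), so 0x0000000A means LMOTS_SHAKE_N32_W2 in one position of a signature and LMS_SHA256_M24_H5 in another.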
| Parameter Set Name: The human-readable name of the parameter set. | Parameter Set Name: The human-readable name of the parameter set. | |||
| H: The second-preimage-resistant cryptographic hash function used | H: The second-preimage-resistant cryptographic hash function used | |||
| within this parameter set. | within this parameter set. | |||
| n: The number of bytes of the output of the hash function. | n: The number of bytes of the output of the hash function. | |||
| skipping to change at line 226 ¶ | skipping to change at line 237 ¶ | |||
| The SHA256_N24, SHAKE_N32, and SHAKE_N24 in the parameter set names | The SHA256_N24, SHAKE_N32, and SHAKE_N24 in the parameter set names | |||
| denote the SHA-256/192, SHAKE256/256, and SHAKE256/192 hash functions | denote the SHA-256/192, SHAKE256/256, and SHAKE256/192 hash functions | |||
| defined in Section 2. | defined in Section 2. | |||
| Remember that the C message randomizer (which is included in the | Remember that the C message randomizer (which is included in the | |||
| signature) has the same size (n bytes) as the hash output, and so it | signature) has the same size (n bytes) as the hash output, and so it | |||
| shrinks from 32 bytes to 24 bytes for the parameter sets that use | shrinks from 32 bytes to 24 bytes for the parameter sets that use | |||
| either SHA-256/192 or SHAKE256/192. | either SHA-256/192 or SHAKE256/192. | |||
| 4. Additional LM Parameter Sets | 4. Additional LMS Parameter Sets | |||
| Here is a table with the Leighton-Micali (LM) parameters defined that | The table below defines several many-time signature parameters called | |||
| use SHA-256/192, SHAKE256/256, and SHAKE256/192 hash functions: | Leighton-Micali Signature (LMS) parameters, using the SHA-256/192, | |||
| SHAKE256/256, and SHAKE256/192 hash functions: | ||||
| +====================+==============+====+====+========+ | +====================+==============+====+====+============+ | |||
| | Parameter Set Name | H | m | h | id | | | Parameter Set Name | H | m | h | id | | |||
| +====================+==============+====+====+========+ | +====================+==============+====+====+============+ | |||
| | LMS_SHA256_M24_H5 | SHA-256/192 | 24 | 5 | 0x000a | | | LMS_SHA256_M24_H5 | SHA-256/192 | 24 | 5 | 0x0000000A | | |||
| +--------------------+--------------+----+----+--------+ | +--------------------+--------------+----+----+------------+ | |||
| | LMS_SHA256_M24_H10 | SHA-256/192 | 24 | 10 | 0x000b | | | LMS_SHA256_M24_H10 | SHA-256/192 | 24 | 10 | 0x0000000B | | |||
| +--------------------+--------------+----+----+--------+ | +--------------------+--------------+----+----+------------+ | |||
| | LMS_SHA256_M24_H15 | SHA-256/192 | 24 | 15 | 0x000c | | | LMS_SHA256_M24_H15 | SHA-256/192 | 24 | 15 | 0x0000000C | | |||
| +--------------------+--------------+----+----+--------+ | +--------------------+--------------+----+----+------------+ | |||
| | LMS_SHA256_M24_H20 | SHA-256/192 | 24 | 20 | 0x000d | | | LMS_SHA256_M24_H20 | SHA-256/192 | 24 | 20 | 0x0000000D | | |||
| +--------------------+--------------+----+----+--------+ | +--------------------+--------------+----+----+------------+ | |||
| | LMS_SHA256_M24_H25 | SHA-256/192 | 24 | 25 | 0x000e | | | LMS_SHA256_M24_H25 | SHA-256/192 | 24 | 25 | 0x0000000E | | |||
| +--------------------+--------------+----+----+--------+ | +--------------------+--------------+----+----+------------+ | |||
| | LMS_SHAKE_M32_H5 | SHAKE256/256 | 32 | 5 | 0x000f | | | LMS_SHAKE_M32_H5 | SHAKE256/256 | 32 | 5 | 0x0000000F | | |||
| +--------------------+--------------+----+----+--------+ | +--------------------+--------------+----+----+------------+ | |||
| | LMS_SHAKE_M32_H10 | SHAKE256/256 | 32 | 10 | 0x0010 | | | LMS_SHAKE_M32_H10 | SHAKE256/256 | 32 | 10 | 0x00000010 | | |||
| +--------------------+--------------+----+----+--------+ | +--------------------+--------------+----+----+------------+ | |||
| | LMS_SHAKE_M32_H15 | SHAKE256/256 | 32 | 15 | 0x0011 | | | LMS_SHAKE_M32_H15 | SHAKE256/256 | 32 | 15 | 0x00000011 | | |||
| +--------------------+--------------+----+----+--------+ | +--------------------+--------------+----+----+------------+ | |||
| | LMS_SHAKE_M32_H20 | SHAKE256/256 | 32 | 20 | 0x0012 | | | LMS_SHAKE_M32_H20 | SHAKE256/256 | 32 | 20 | 0x00000012 | | |||
| +--------------------+--------------+----+----+--------+ | +--------------------+--------------+----+----+------------+ | |||
| | LMS_SHAKE_M32_H25 | SHAKE256/256 | 32 | 25 | 0x0013 | | | LMS_SHAKE_M32_H25 | SHAKE256/256 | 32 | 25 | 0x00000013 | | |||
| +--------------------+--------------+----+----+--------+ | +--------------------+--------------+----+----+------------+ | |||
| | LMS_SHAKE_M24_H5 | SHAKE256/192 | 24 | 5 | 0x0014 | | | LMS_SHAKE_M24_H5 | SHAKE256/192 | 24 | 5 | 0x00000014 | | |||
| +--------------------+--------------+----+----+--------+ | +--------------------+--------------+----+----+------------+ | |||
| | LMS_SHAKE_M24_H10 | SHAKE256/192 | 24 | 10 | 0x0015 | | | LMS_SHAKE_M24_H10 | SHAKE256/192 | 24 | 10 | 0x00000015 | | |||
| +--------------------+--------------+----+----+--------+ | +--------------------+--------------+----+----+------------+ | |||
| | LMS_SHAKE_M24_H15 | SHAKE256/192 | 24 | 15 | 0x0016 | | | LMS_SHAKE_M24_H15 | SHAKE256/192 | 24 | 15 | 0x00000016 | | |||
| +--------------------+--------------+----+----+--------+ | +--------------------+--------------+----+----+------------+ | |||
| | LMS_SHAKE_M24_H20 | SHAKE256/192 | 24 | 20 | 0x0017 | | | LMS_SHAKE_M24_H20 | SHAKE256/192 | 24 | 20 | 0x00000017 | | |||
| +--------------------+--------------+----+----+--------+ | +--------------------+--------------+----+----+------------+ | |||
| | LMS_SHAKE_M24_H25 | SHAKE256/192 | 24 | 25 | 0x0018 | | | LMS_SHAKE_M24_H25 | SHAKE256/192 | 24 | 25 | 0x00000018 | | |||
| +--------------------+--------------+----+----+--------+ | +--------------------+--------------+----+----+------------+ | |||
| Table 2 | Table 2 | |||
| Parameter Set Name: The human-readable name of the parameter set. | Parameter Set Name: The human-readable name of the parameter set. | |||
| H: The second-preimage-resistant cryptographic hash function used | H: The second-preimage-resistant cryptographic hash function used | |||
| within this parameter set. | within this parameter set. | |||
| m: The size in bytes of the hash function output. | m: The size in bytes of the hash function output. | |||
| skipping to change at line 288 ¶ | skipping to change at line 300 ¶ | |||
| These values are additions to the entries in Table 2 of [RFC8554]. | These values are additions to the entries in Table 2 of [RFC8554]. | |||
| The SHA256_M24, SHAKE_M32, and SHAKE_M24 in the parameter set names | The SHA256_M24, SHAKE_M32, and SHAKE_M24 in the parameter set names | |||
| denote the SHA-256/192, SHAKE256/256, and SHAKE256/192 hash functions | denote the SHA-256/192, SHAKE256/256, and SHAKE256/192 hash functions | |||
| defined in Section 2. | defined in Section 2. | |||
| 5. Usage for These Additional Hash Functions within HSS | 5. Usage for These Additional Hash Functions within HSS | |||
| To use the additional hash functions within HSS, one would use the | To use the additional hash functions within HSS, one would use the | |||
| appropriate LMOTS id from Table 1 and the appropriate LMS id from | appropriate LM-OTS id from Table 1 and the appropriate LMS id from | |||
| Table 2 and use that additional hash function when computing the | Table 2 and use that additional hash function when computing the | |||
| hashes for key generation, signature generation, and signature | hashes for key generation, signature generation, and signature | |||
| verification. | verification. | |||
| Note that the size of the I Merkle tree identifier remains 16 bytes, | Note that the size of the I Merkle tree identifier remains 16 bytes, | |||
| independent of what hash function is used. | independent of what hash function is used. | |||
| 6. Parameter Set Selection | 6. Parameter Set Selection | |||
| This document, along with [RFC8554], defines four hash functions for | This document, along with [RFC8554], defines four hash functions for | |||
| skipping to change at line 329 ¶ | skipping to change at line 341 ¶ | |||
| the security strength. | the security strength. | |||
| The impact on signature size and computation time is based on two | The impact on signature size and computation time is based on two | |||
| effects: | effects: | |||
| 1. Each hash that appears in the signature is shorter. | 1. Each hash that appears in the signature is shorter. | |||
| 2. We need fewer Winternitz chains (because LM-OTS signs a shorter | 2. We need fewer Winternitz chains (because LM-OTS signs a shorter | |||
| value). | value). | |||
| For signature length, both effects are relevant (because the | For signature length, both effects are relevant. The first is | |||
| signature consists of a series of hashes and each hash is shorter, | relevant because the signature consists of a series of hashes and | |||
| and because we need fewer Winternitz chains, we need fewer hashes in | each hash is shorter. The second is relevant because when we need | |||
| each LM-OTS signature). | fewer Winternitz chains, we need fewer hashes in each LM-OTS | |||
| signature. | ||||
| For computation time (for both signature generation and | For computation time (for both signature generation and | |||
| verification), effect 1 is irrelevant (we still need to perform | verification), effect 1 is irrelevant (we still need to perform | |||
| essentially the same hash computation), but effect 2 still applies. | essentially the same hash computation), but effect 2 still applies. | |||
| For example, with W=8, SHA-256 requires 34 Winternitz chains per LM- | For example, with W=8, SHA-256 requires 34 Winternitz chains per LM- | |||
| OTS signature, but SHA-256/192 requires only 26. Since the vast | OTS signature, but SHA-256/192 requires only 26. Since the vast | |||
| majority of time (for both signature generation and verification) is | majority of time (for both signature generation and verification) is | |||
| spent computing these Winternitz chains, this reduction in the number | spent computing these Winternitz chains, this reduction in the number | |||
| of chains gives us some performance improvement. | of chains gives us some performance improvement. | |||
| Here is a table that gives the space used by both the 256-bit and | The table below gives the space used by both the 256-bit and 192-bit | |||
| 192-bit parameter sets for a range of plausible Winternitz parameters | parameter sets for a range of commonly used Winternitz parameters and | |||
| and tree heights: | tree heights: | |||
| +=========+============+==============+==============+ | +=========+============+==============+==============+ | |||
| | ParmSet | Winternitz | 256-bit hash | 192-bit hash | | | ParmSet | Winternitz | 256-bit hash | 192-bit hash | | |||
| +=========+============+==============+==============+ | +=========+============+==============+==============+ | |||
| | 15 | 4 | 2672 | 1624 | | | 15 | 4 | 2672 | 1624 | | |||
| +---------+------------+--------------+--------------+ | +---------+------------+--------------+--------------+ | |||
| | 15 | 8 | 1616 | 1024 | | | 15 | 8 | 1616 | 1024 | | |||
| +---------+------------+--------------+--------------+ | +---------+------------+--------------+--------------+ | |||
| | 20 | 4 | 2832 | 1744 | | | 20 | 4 | 2832 | 1744 | | |||
| +---------+------------+--------------+--------------+ | +---------+------------+--------------+--------------+ | |||
| skipping to change at line 401 ¶ | skipping to change at line 414 ¶ | |||
| 192-bit hash: The size in bytes of a signature, assuming that a | 192-bit hash: The size in bytes of a signature, assuming that a | |||
| 192-bit hash is used in the signature (either SHA-256/192 or | 192-bit hash is used in the signature (either SHA-256/192 or | |||
| SHAKE256/192). | SHAKE256/192). | |||
| An examination of the signature sizes shows that the 192-bit | An examination of the signature sizes shows that the 192-bit | |||
| parameters consistently give a 35-40% reduction in the size of the | parameters consistently give a 35-40% reduction in the size of the | |||
| signature in comparison with the 256-bit parameters. | signature in comparison with the 256-bit parameters. | |||
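
An added example (not the RFC's own code) that derives the p and ls columns of Table 1 from (n, w) with the formulas of Section 3.1.3 of [RFC8554] and reproduces the signature sizes of the table in this section from the RFC 8554 signature encodings; it also generalises to multi-level HSS, which that table (single-level, L=1) does not cover. The function names and the `levels` parameter are choices made here.

```python
import math

# Added example (not RFC 9858's or RFC 8554's own code).  Derives the
# LM-OTS parameters p and ls of Table 1 from (n, w) using the formulas of
# RFC 8554 Section 3.1.3, then reproduces the signature sizes of the
# Section 7 table from the RFC 8554 signature encodings.


def lmots_params(n: int, w: int) -> tuple[int, int]:
    """Return (p, ls) for hash length n bytes and Winternitz parameter w.

    u  = number of w-bit chains needed to cover the n-byte hash,
    v  = number of extra chains that carry the checksum,
    ls = left shift that aligns the 16-bit checksum to w-bit digits."""
    u = math.ceil(8 * n / w)
    v = math.ceil((math.floor(math.log2((2 ** w - 1) * u)) + 1) / w)
    ls = 16 - v * w
    return u + v, ls


def lms_signature_size(n: int, m: int, h: int, w: int) -> int:
    """Bytes in one LMS signature: u32str(q) || LM-OTS sig || u32str(type)
    || h authentication-path nodes of m bytes.  The LM-OTS signature is
    u32str(type) || C (n bytes) || y[0..p-1] (p values of n bytes), so
    effect 1 (shorter hashes) and effect 2 (fewer chains, smaller p)
    both shrink it."""
    p, _ = lmots_params(n, w)
    lmots_sig = 4 + n + p * n
    return 4 + lmots_sig + 4 + h * m


def hss_signature_size(n: int, m: int, h: int, w: int,
                       levels: int = 1) -> int:
    """Bytes in an HSS signature with `levels` LMS trees of equal shape:
    u32str(Nspk) || (LMS sig || LMS public key) x (levels-1) || LMS sig,
    where an LMS public key is 24 + m bytes (two typecodes, I, root).
    The Section 7 table corresponds to levels == 1 (an assumption that
    the reproduced values below confirm)."""
    lms_sig = lms_signature_size(n, m, h, w)
    lms_pub = 4 + 4 + 16 + m
    return 4 + levels * lms_sig + (levels - 1) * lms_pub


def section7_table() -> dict[tuple[int, int], tuple[int, int]]:
    """Map (tree height, w) -> (256-bit size, 192-bit size) for the
    rows of the Section 7 table that the page shows."""
    return {(h, w): (hss_signature_size(32, 32, h, w),
                     hss_signature_size(24, 24, h, w))
            for h, w in [(15, 4), (15, 8), (20, 4)]}


if __name__ == "__main__":
    for n in (24, 32):
        for w in (1, 2, 4, 8):
            p, ls = lmots_params(n, w)
            print(f"n={n} w={w}: p={p} ls={ls}")
    for (h, w), (s256, s192) in section7_table().items():
        print(f"h={h} w={w}: 256-bit {s256} bytes, 192-bit {s192} bytes "
              f"({100 * (1 - s192 / s256):.0f}% smaller)")
```

The printed reductions (37-39% for these rows) are the figures the paragraph above summarises as 35-40%.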
| For SHA-256/192, there is a smaller (circa 20%) reduction in the | For SHA-256/192, there is a smaller (circa 20%) reduction in the | |||
| amount of computation required for a signature operation with a | amount of computation required for a signature operation with a | |||
| 192-bit hash (for reason 2 listed above). The SHAKE256/192 | 192-bit hash, because fewer Winternitz chains would need to be | |||
| signatures may have either a faster or slower computation, depending | computed. The SHAKE256/192 signatures may have either a faster or | |||
| on the implementation speed of SHAKE versus SHA-256 hashes. | slower computation, depending on the implementation speed of SHAKE | |||
| versus SHA-256 hashes. | ||||
| The SHAKE256/256-based parameter sets give no space advantage (or | The SHAKE256/256-based parameter sets give no space advantage (or | |||
| disadvantage) over the existing SHA-256-based parameter sets; any | disadvantage) over the existing SHA-256-based parameter sets; any | |||
| performance delta would depend solely on the implementation and | performance delta would depend solely on the implementation and | |||
| whether they can generate SHAKE hashes faster than SHA-256 ones. | whether they can generate SHAKE hashes faster than SHA-256 ones. | |||
| 8. Security Considerations | 8. Security Considerations | |||
| The strength of a signature that uses the SHA-256/192, SHAKE256/256, | The strength of a signature that uses the SHA-256/192, SHAKE256/256, | |||
| and SHAKE256/192 hash functions is based on the difficulty in finding | and SHAKE256/192 hash functions is based on the difficulty in finding | |||
| skipping to change at line 441 ¶ | skipping to change at line 455 ¶ | |||
| The case of SHA-256/192 and SHAKE256/192 requires closer analysis. | The case of SHA-256/192 and SHAKE256/192 requires closer analysis. | |||
| For a classical (non-quantum) computer, there is no known attack | For a classical (non-quantum) computer, there is no known attack | |||
| better than performing hashes of a large number of distinct | better than performing hashes of a large number of distinct | |||
| preimages. Therefore, a successful attack has a high probability of | preimages. Therefore, a successful attack has a high probability of | |||
| requiring nearly 2^192 hash computations (for either SHA-256/192 or | requiring nearly 2^192 hash computations (for either SHA-256/192 or | |||
| SHAKE256/192). These can be taken as the expected work effort and | SHAKE256/192). These can be taken as the expected work effort and | |||
| would appear to be completely infeasible in practice. | would appear to be completely infeasible in practice. | |||
| In theory, an attacker with a quantum computer could use Grover's | In theory, an attacker with a quantum computer could use Grover's | |||
| algorithm [Grover96] to reduce the expected complexity to circa 2**96 | algorithm [Grover96] to reduce the expected complexity to circa 2^96 | |||
| hash computations (for N=24). On the other hand, implementing | hash computations (for N=24). On the other hand, implementing | |||
| Grover's algorithm with this number of hash computations would | Grover's algorithm with this number of hash computations would | |||
| require performing circa 2**96 hash computations in succession, which | require performing circa 2^96 hash computations in succession, which | |||
| will take more time than is likely to be acceptable to any attacker. | will take more time than is likely to be acceptable to any attacker. | |||
| To speed this up, the attacker would need to run a number of | To speed this up, the attacker would need to run a number of | |||
| instances of Grover's algorithm in parallel. This would necessarily | instances of Grover's algorithm in parallel. This would necessarily | |||
| increase the total work effort required, and to an extent, that makes | increase the total work effort required, and to an extent, that makes | |||
| it likely infeasible. This is because if we limit the time taken by | it likely infeasible. This is because if we limit the time taken by | |||
| Grover's algorithm to 2**t steps (for t <= 96), then to attack a hash | Grover's algorithm to 2^t steps (for t <= 96), then to attack a hash | |||
| preimage problem of 192 bits, it requires a total of 2**(192-t) hash | preimage problem of 192 bits, it requires a total of 2^(192-t) hash | |||
| computations, rather than the 2**(192/2) hash computations it would | computations, rather than the 2^(192/2) hash computations it would | |||
| require if we did not limit the time taken. In other words, the hash | require if we did not limit the time taken. In other words, the hash | |||
| preimage can be found in 2**t steps by using 2**(192-2t) quantum | preimage can be found in 2^t steps by using 2^(192-2t) quantum | |||
| computers (for t <= 96), with one of the quantum computers finding | computers (for t <= 96), with one of the quantum computers finding | |||
| the preimage. For example, if the adversary is willing to wait for | the preimage. For example, if the adversary is willing to wait for | |||
| 2**64 times the time taken by a hash computation (which is over 50 | 2^64 times the time taken by a hash computation (which is over 50 | |||
| years if a quantum computer can compute a hash in 0.1 nanoseconds), | years if a quantum computer can compute a hash in 0.1 nanoseconds), | |||
| this implies that a total of 2**(192-64) = 2**128 hash computations | this implies that a total of 2^(192-64) = 2^128 hash computations | |||
| will need to be performed, performing the computations on 2**64 (18 | will need to be performed, on 2^64 (18 quintillion) separate quantum | |||
| quintillion) separate quantum computers, each of which computes 2**64 | computers, each of which computes 2^64 hash evaluations. | |||
| hash evaluations. | ||||
| Hence, we expect that HSS/LMS based on these hash functions is secure | Hence, we expect that HSS/LMS based on these hash functions is secure | |||
| against both classical and quantum computers, even though, in both | against both classical and quantum computers, even though, in both | |||
| cases, the expected work effort is less (for the N=24 case) than | cases, the expected work effort is less (for the N=24 case) than | |||
| against either SHA-256 or SHAKE256/256. | against either SHA-256 or SHAKE256/256. | |||
| SHA-256 is subject to a length extension attack. In this attack, if | SHA-256 is subject to a length extension attack. In this attack, if | |||
| the attacker is given the hash value of an unknown message (and the | the attacker is given the hash value of an unknown message (and the | |||
| message length), then the attacker can compute the hash of the | message length), then the attacker can compute the hash of the | |||
| message appended with certain strings (even though the attacker does | message appended with certain strings (even though the attacker does | |||
| skipping to change at line 486 ¶ | skipping to change at line 499 ¶ | |||
| * For the initial message hash, the hash is entirely on public data. | * For the initial message hash, the hash is entirely on public data. | |||
| Hence, this attack is irrelevant, because the attacker could | Hence, this attack is irrelevant, because the attacker could | |||
| compute the hash of the message with appended data anyways. | compute the hash of the message with appended data anyways. | |||
| * The rest of the hashes within HSS are fixed length. Hence, there | * The rest of the hashes within HSS are fixed length. Hence, there | |||
| is no opportunity to perform length extension attacks. | is no opportunity to perform length extension attacks. | |||
| In addition, to perform a length extension attack on SHA-256/192, the | In addition, to perform a length extension attack on SHA-256/192, the | |||
| attacker has to guess the 64 omitted bits (because the attack | attacker has to guess the 64 omitted bits (because the attack | |||
| requires all 256 bits of the hash value); hence, that is even less of | requires all 256 bits of the hash value); hence, that is even less of | |||
| a concern than it is for the standard SHA256. | a concern than it is for the standard SHA-256. | |||
| There is one corner case for which the security strength is reduced: | There is one corner case for which the security strength is reduced: | |||
| if we need to assume that the signer will never deliberately generate | if we need to assume that the signer will never deliberately generate | |||
| a signature that is valid for two different messages. HSS uses | a signature that is valid for two different messages. HSS uses | |||
| randomized hashing when signing a message. That is, when a message | randomized hashing when signing a message. That is, when a message | |||
| is being presented to be signed, the signer generates a random value | is being presented to be signed, the signer generates a random value | |||
| C and includes that in what is prepended to the message. Because the | C and includes that in what is prepended to the message. Because the | |||
| attacker cannot predict this value, it is infeasible for anyone other | attacker cannot predict this value, it is infeasible for anyone other | |||
| than the signer to find a generic collision. That is, practically | than the signer to find a generic collision. That is, practically | |||
| speaking, a signature that is valid for two colliding messages is | speaking, a signature that is valid for two colliding messages is | |||
| skipping to change at line 508 ¶ | skipping to change at line 521 ¶ | |||
| happen, a signer (that is, the one with the private key and who picks | happen, a signer (that is, the one with the private key and who picks | |||
| the random C value) would have to break the collision resistance of | the random C value) would have to break the collision resistance of | |||
| the hash function to generate those two colliding messages. Note | the hash function to generate those two colliding messages. Note | |||
| that this does not apply to someone who submits the messages for | that this does not apply to someone who submits the messages for | |||
| signing; only the signer could perform this. This would result in a | signing; only the signer could perform this. This would result in a | |||
| signature that would be valid for two different selected messages. | signature that would be valid for two different selected messages. | |||
| This is a nonstandard assumption for signature schemes and is usually | This is a nonstandard assumption for signature schemes and is usually | |||
| not a concern, as we assume that the signer is trusted to generate | not a concern, as we assume that the signer is trusted to generate | |||
| signatures for any message. However, if the application needs to | signatures for any message. However, if the application needs to | |||
| assume that it is infeasible for the signer to generate such a | assume that it is infeasible for the signer to generate such a | |||
| signature, then the security strength assumptions are reduced; 128 | signature, then the security strength assumptions are reduced (128 | |||
| bits for SHAKE256/256 and 96 bits for SHA-256/192 and SHAKE256/192. | bits for SHAKE256/256 and 96 bits for SHA-256/192 and SHAKE256/192). | |||
| Some cryptographers have raised the possibility of a multi-target | Some cryptographers have raised the possibility of a multi-target | |||
| attack (where the attacker has signatures from a large number of | attack (where the attacker has signatures from a large number of | |||
| public keys and succeeds if they can generate a forgery against any | public keys and succeeds if they can generate a forgery against any | |||
| one of those public keys). While no such method of attack has been | one of those public keys). While no such method of attack has been | |||
| proposed, the possibility cannot be excluded; if there are a large | proposed, the possibility cannot be excluded; if there are a large | |||
| number of public keys, it might be prudent to consider the | number of public keys, it might be prudent to consider the | |||
| possibility of some security loss with N=24. If there are 2**K | possibility of some security loss with N=24. If there are 2^K public | |||
| public keys, this security loss cannot be more than K bits of | keys, this security loss cannot be more than K bits of security. | |||
| security. | ||||
| 8.1. Note on the Version of SHAKE | 8.1. Note on the Version of SHAKE | |||
| [FIPS202] defines both SHAKE128 and SHAKE256. This specification | [FIPS202] defines both SHAKE128 and SHAKE256. This specification | |||
| selects SHAKE256, even though it is less efficient for large | selects SHAKE256, even though it is less efficient for large | |||
| messages. The reason is that SHAKE128 has a low upper bound on the | messages. The reason is that SHAKE128 has a low upper bound on the | |||
| difficulty of finding preimages (due to the invertibility of its | difficulty of finding preimages (due to the invertibility of its | |||
| internal permutation), which would limit the strength of HSS/LMS | internal permutation), which would limit the strength of HSS/LMS | |||
| (whose strength is based on the difficulty of finding preimages). | (whose strength is based on the difficulty of finding preimages). | |||
| Hence, we specify the use of SHAKE256, which has a considerably | Hence, we specify the use of SHAKE256, which has a considerably | |||
| skipping to change at line 590 ¶ | skipping to change at line 602 ¶ | |||
| Appendix A. Test Cases | Appendix A. Test Cases | |||
| This appendix provides four test cases that can be used to verify or | This appendix provides four test cases that can be used to verify or | |||
| debug an implementation. This data is formatted with the name of the | debug an implementation. This data is formatted with the name of the | |||
| elements on the left and the value of the elements on the right, in | elements on the left and the value of the elements on the right, in | |||
| hexadecimal. The concatenation of all of the values within a public | hexadecimal. The concatenation of all of the values within a public | |||
| key or signature produces that public key or signature, and values | key or signature produces that public key or signature, and values | |||
| that do not fit within a single line are listed across successive | that do not fit within a single line are listed across successive | |||
| lines. | lines. | |||
| A.1. Test Case 1 - SHA-256/192 | ||||
| -------------------------------------------- | -------------------------------------------- | |||
| (note: procedure in Appendix A of [RFC8554] is used) | (note: procedure in Appendix A of [RFC8554] is used) | |||
| SEED 000102030405060708090a0b0c0d0e0f | SEED 000102030405060708090a0b0c0d0e0f | |||
| 1011121314151617 | 1011121314151617 | |||
| I 202122232425262728292a2b2c2d2e2f | I 202122232425262728292a2b2c2d2e2f | |||
| -------------------------------------------- | -------------------------------------------- | |||
| -------------------------------------------- | ||||
| Figure 1: Test Case 1 - Private Key for SHA-256/192 | Figure 1: Private Key for SHA-256/192 | |||
| -------------------------------------------- | -------------------------------------------- | |||
| HSS public key | HSS public key | |||
| levels 00000001 | levels 00000001 | |||
| -------------------------------------------- | -------------------------------------------- | |||
| LMS type 0000000a # LMS_SHA256_M24_H5 | LMS type 0000000a # LMS_SHA256_M24_H5 | |||
| LMOTS type 00000008 # LMOTS_SHA256_N24_W8 | LM-OTS type 00000008 # LMOTS_SHA256_N24_W8 | |||
| I 202122232425262728292a2b2c2d2e2f | I 202122232425262728292a2b2c2d2e2f | |||
| K 2c571450aed99cfb4f4ac285da148827 | K 2c571450aed99cfb4f4ac285da148827 | |||
| 96618314508b12d2 | 96618314508b12d2 | |||
| -------------------------------------------- | -------------------------------------------- | |||
| -------------------------------------------- | ||||
| Figure 2: Test Case 1 - Public Key for SHA-256/192 | Figure 2: Public Key for SHA-256/192 | |||
| -------------------------------------------- | -------------------------------------------- | |||
| Message 54657374206d65737361676520666f72 |Test message for| | Message 54657374206d65737361676520666f72 |Test message for| | |||
| 205348413235362d3139320a | SHA-256/192.| | 205348413235362d3139320a | SHA-256/192.| | |||
| -------------------------------------------- | -------------------------------------------- | |||
| Figure 3: Test Case 1 - Message for SHA-256/192 | Figure 3: Message for SHA-256/192 | |||
| -------------------------------------------- | -------------------------------------------- | |||
| HSS signature | HSS signature | |||
| Nspk 00000000 | Nspk 00000000 | |||
| sig[0]: | sig[0]: | |||
| -------------------------------------------- | -------------------------------------------- | |||
| LMS signature | LMS signature | |||
| q 00000005 | q 00000005 | |||
| -------------------------------------------- | -------------------------------------------- | |||
| LMOTS signature | LM-OTS signature | |||
| LMOTS type 00000008 # LMOTS_SHA256_N24_W8 | LM-OTS type 00000008 # LMOTS_SHA256_N24_W8 | |||
| C 0b5040a18c1b5cabcbc85b047402ec62 | C 0b5040a18c1b5cabcbc85b047402ec62 | |||
| 94a30dd8da8fc3da | 94a30dd8da8fc3da | |||
| y[0] e13b9f0875f09361dc77fcc4481ea463 | y[0] e13b9f0875f09361dc77fcc4481ea463 | |||
| c073716249719193 | c073716249719193 | |||
| y[1] 614b835b4694c059f12d3aedd34f3db9 | y[1] 614b835b4694c059f12d3aedd34f3db9 | |||
| 3f3580fb88743b8b | 3f3580fb88743b8b | |||
| y[2] 3d0648c0537b7a50e433d7ea9d6672ff | y[2] 3d0648c0537b7a50e433d7ea9d6672ff | |||
| fc5f42770feab4f9 | fc5f42770feab4f9 | |||
| y[3] 8eb3f3b23fd2061e4d0b38f832860ae7 | y[3] 8eb3f3b23fd2061e4d0b38f832860ae7 | |||
| 6673ad1a1a52a900 | 6673ad1a1a52a900 | |||
| skipping to change at line 698 ¶ | skipping to change at line 710 ¶ | |||
| 4ea64209942fbae3 | 4ea64209942fbae3 | |||
| path[1] 38d19f152182c807d3c40b189d3fcbea | path[1] 38d19f152182c807d3c40b189d3fcbea | |||
| 942f44682439b191 | 942f44682439b191 | |||
| path[2] 332d33ae0b761a2a8f984b56b2ac2fd4 | path[2] 332d33ae0b761a2a8f984b56b2ac2fd4 | |||
| ab08223a69ed1f77 | ab08223a69ed1f77 | |||
| path[3] 19c7aa7e9eee96504b0e60c6bb5c942d | path[3] 19c7aa7e9eee96504b0e60c6bb5c942d | |||
| 695f0493eb25f80a | 695f0493eb25f80a | |||
| path[4] 5871cffd131d0e04ffe5065bc7875e82 | path[4] 5871cffd131d0e04ffe5065bc7875e82 | |||
| d34b40b69dd9f3c1 | d34b40b69dd9f3c1 | |||
| Figure 4: Test Case 1 - Signature for SHA-256/192 | Figure 4: Signature for SHA-256/192 | |||
| A.2. Test vector for SHAKE256/192 | ||||
| -------------------------------------------- | -------------------------------------------- | |||
| (note: procedure in Appendix A of [RFC8554] is used) | (note: procedure in Appendix A of [RFC8554] is used) | |||
| SEED 303132333435363738393a3b3c3d3e3f | SEED 303132333435363738393a3b3c3d3e3f | |||
| 4041424344454647 | 4041424344454647 | |||
| I 505152535455565758595a5b5c5d5e5f | I 505152535455565758595a5b5c5d5e5f | |||
| -------------------------------------------- | -------------------------------------------- | |||
| -------------------------------------------- | ||||
| Figure 5: Test Case 2 - Private Key for SHAKE256/192 | Figure 5: Private Key for SHAKE256/192 | |||
| --------------------------------------------- | --------------------------------------------- | |||
| HSS public key | HSS public key | |||
| levels 00000001 | levels 00000001 | |||
| -------------------------------------------- | -------------------------------------------- | |||
| LMS type 00000014 # LMS_SHAKE256_N24_H5 | LMS type 00000014 # LMS_SHAKE_N24_H5 | |||
| LMOTS type 00000010 # LMOTS_SHAKE256_N24_W8 | LM-OTS type 00000010 # LMOTS_SHAKE_N24_W8 | |||
| I 505152535455565758595a5b5c5d5e5f | I 505152535455565758595a5b5c5d5e5f | |||
| K db54a4509901051c01e26d9990e55034 | K db54a4509901051c01e26d9990e55034 | |||
| 7986da87924ff0b1 | 7986da87924ff0b1 | |||
| -------------------------------------------- | -------------------------------------------- | |||
| -------------------------------------------- | ||||
| Figure 6: Test Case 2 - Public Key for SHAKE256/192 | Figure 6: Public Key for SHAKE256/192 | |||
| -------------------------------------------- | -------------------------------------------- | |||
| Message 54657374206d65737361676520666f72 |Test message for| | Message 54657374206d65737361676520666f72 |Test message for| | |||
| 205348414b453235362d3139320a | SHAKE256/192.| | 205348414b453235362d3139320a | SHAKE256/192.| | |||
| -------------------------------------------- | -------------------------------------------- | |||
| Figure 7: Test Case 2 - Message for SHAKE256/192 | Figure 7: Message for SHAKE256/192 | |||
| -------------------------------------------- | -------------------------------------------- | |||
| HSS signature | HSS signature | |||
| Nspk 00000000 | Nspk 00000000 | |||
| sig[0]: | sig[0]: | |||
| -------------------------------------------- | -------------------------------------------- | |||
| LMS signature | LMS signature | |||
| q 00000006 | q 00000006 | |||
| -------------------------------------------- | -------------------------------------------- | |||
| LMOTS signature | LM-OTS signature | |||
| LMOTS type 00000010 # LMOTS_SHAKE256_N24_W8 | LM-OTS type 00000010 # LMOTS_SHAKE_N24_W8 | |||
| C 84219da9ce9fffb16edb94527c6d1056 | C 84219da9ce9fffb16edb94527c6d1056 | |||
| 5587db28062deac4 | 5587db28062deac4 | |||
| y[0] 208e62fc4fbe9d85deb3c6bd2c01640a | y[0] 208e62fc4fbe9d85deb3c6bd2c01640a | |||
| ccb387d8a6093d68 | ccb387d8a6093d68 | |||
| y[1] 511234a6a1a50108091c034cb1777e02 | y[1] 511234a6a1a50108091c034cb1777e02 | |||
| b5df466149a66969 | b5df466149a66969 | |||
| y[2] a498e4200c0a0c1bf5d100cdb97d2dd4 | y[2] a498e4200c0a0c1bf5d100cdb97d2dd4 | |||
| 0efd3cada278acc5 | 0efd3cada278acc5 | |||
| y[3] a570071a043956112c6deebd1eb3a7b5 | y[3] a570071a043956112c6deebd1eb3a7b5 | |||
| 6f5f6791515a7b5f | 6f5f6791515a7b5f | |||
| skipping to change at line 796 ¶ | skipping to change at line 808 ¶ | |||
| fd020fe789477a93 | fd020fe789477a93 | |||
| y[22] afff9a3e636dbba864a5bffa3e28d13d | y[22] afff9a3e636dbba864a5bffa3e28d13d | |||
| 49bb597d94865bde | 49bb597d94865bde | |||
| y[23] 88c4627f206ab2b465084d6b780666e9 | y[23] 88c4627f206ab2b465084d6b780666e9 | |||
| 52f8710efd748bd0 | 52f8710efd748bd0 | |||
| y[24] f1ae8f1035087f5028f14affcc5fffe3 | y[24] f1ae8f1035087f5028f14affcc5fffe3 | |||
| 32121ae4f87ac5f1 | 32121ae4f87ac5f1 | |||
| y[25] eac9062608c7d87708f1723f38b23237 | y[25] eac9062608c7d87708f1723f38b23237 | |||
| a4edf4b49a5cd3d7 | a4edf4b49a5cd3d7 | |||
| -------------------------------------------- | -------------------------------------------- | |||
| LMS type 00000014 # LMS_SHAKE256_N24_H5 | LMS type 00000014 # LMS_SHAKE_N24_H5 | |||
| path[0] dd4bdc8f928fb526f6fb7cdb944a7eba | path[0] dd4bdc8f928fb526f6fb7cdb944a7eba | |||
| a7fb05d995b5721a | a7fb05d995b5721a | |||
| path[1] 27096a5007d82f79d063acd434a04e97 | path[1] 27096a5007d82f79d063acd434a04e97 | |||
| f61552f7f81a9317 | f61552f7f81a9317 | |||
| path[2] b4ec7c87a5ed10c881928fc6ebce6dfc | path[2] b4ec7c87a5ed10c881928fc6ebce6dfc | |||
| e9daae9cc9dba690 | e9daae9cc9dba690 | |||
| path[3] 7ca9a9dd5f9f573704d5e6cf22a43b04 | path[3] 7ca9a9dd5f9f573704d5e6cf22a43b04 | |||
| e64c1ffc7e1c442e | e64c1ffc7e1c442e | |||
| path[4] cb495ba265f465c56291a902e62a461f | path[4] cb495ba265f465c56291a902e62a461f | |||
| 6dfda232457fad14 | 6dfda232457fad14 | |||
| Figure 8: Test Case 2 - Signature for SHAKE256/192 | Figure 8: Signature for SHAKE256/192 | |||
| A.3. Test vector for SHA-256/256 | ||||
| -------------------------------------------- | -------------------------------------------- | |||
| (note: procedure in Appendix A of [RFC8554] is used) | (note: procedure in Appendix A of [RFC8554] is used) | |||
| SEED 606162636465666768696a6b6c6d6e6f | SEED 606162636465666768696a6b6c6d6e6f | |||
| 707172737475767778797a7b7c7d7e7f | 707172737475767778797a7b7c7d7e7f | |||
| I 808182838485868788898a8b8c8d8e8f | I 808182838485868788898a8b8c8d8e8f | |||
| -------------------------------------------- | -------------------------------------------- | |||
| -------------------------------------------- | ||||
| Figure 9: Test Case 3 - Private Key for SHAKE256/256 | Figure 9: Private Key for SHAKE256/256 | |||
| -------------------------------------------- | -------------------------------------------- | |||
| HSS public key | HSS public key | |||
| levels 00000001 | levels 00000001 | |||
| -------------------------------------------- | -------------------------------------------- | |||
| LMS type 0000000f # LMS_SHAKE256_N32_H5 | LMS type 0000000f # LMS_SHAKE_N32_H5 | |||
| LMOTS type 0000000c # LMOTS_SHAKE256_N32_W8 | LM-OTS type 0000000c # LMOTS_SHAKE_N32_W8 | |||
| I 808182838485868788898a8b8c8d8e8f | I 808182838485868788898a8b8c8d8e8f | |||
| K 9bb7faee411cae806c16a466c3191a8b | K 9bb7faee411cae806c16a466c3191a8b | |||
| 65d0ac31932bbf0c2d07c7a4a36379fe | 65d0ac31932bbf0c2d07c7a4a36379fe | |||
| -------------------------------------------- | -------------------------------------------- | |||
| -------------------------------------------- | ||||
| Figure 10: Test Case 3 - Public Key for SHAKE256/256 | Figure 10: Public Key for SHAKE256/256 | |||
| -------------------------------------------- | -------------------------------------------- | |||
| Message 54657374206d657361676520666f7220 |Test message for| | Message 54657374206d657361676520666f7220 |Test message for| | |||
| 5348414b453235362d3235360a |SHAKE256/256.| | 5348414b453235362d3235360a |SHAKE256/256.| | |||
| -------------------------------------------- | -------------------------------------------- | |||
| Figure 11: Test Case 3 - Message for SHAKE256/256 | Figure 11: Message for SHAKE256/256 | |||
| -------------------------------------------- | -------------------------------------------- | |||
| HSS signature | HSS signature | |||
| Nspk 00000000 | Nspk 00000000 | |||
| sig[0]: | sig[0]: | |||
| -------------------------------------------- | -------------------------------------------- | |||
| LMS signature | LMS signature | |||
| q 00000007 | q 00000007 | |||
| -------------------------------------------- | -------------------------------------------- | |||
| LMOTS signature | LM-OTS signature | |||
| LMOTS type 0000000c # LMOTS_SHAKE256_N32_W8 | LM-OTS type 0000000c # LMOTS_SHAKE_N32_W8 | |||
| C b82709f0f00e83759190996233d1ee4f | C b82709f0f00e83759190996233d1ee4f | |||
| 4ec50534473c02ffa145e8ca2874e32b | 4ec50534473c02ffa145e8ca2874e32b | |||
| y[0] 16b228118c62b96c9c77678b33183730 | y[0] 16b228118c62b96c9c77678b33183730 | |||
| debaade8fe607f05c6697bc971519a34 | debaade8fe607f05c6697bc971519a34 | |||
| y[1] 1d69c00129680b67e75b3bd7d8aa5c8b | y[1] 1d69c00129680b67e75b3bd7d8aa5c8b | |||
| 71f02669d177a2a0eea896dcd1660f16 | 71f02669d177a2a0eea896dcd1660f16 | |||
| y[2] 864b302ff321f9c4b8354408d0676050 | y[2] 864b302ff321f9c4b8354408d0676050 | |||
| 4f768ebd4e545a9b0ac058c575078e6c | 4f768ebd4e545a9b0ac058c575078e6c | |||
| y[3] 1403160fb45450d61a9c8c81f6bd69bd | y[3] 1403160fb45450d61a9c8c81f6bd69bd | |||
| fa26a16e12a265baf79e9e233eb71af6 | fa26a16e12a265baf79e9e233eb71af6 | |||
| skipping to change at line 922 ¶ | skipping to change at line 934 ¶ | |||
| 477e8316947ca725d141135202a9442e | 477e8316947ca725d141135202a9442e | |||
| y[30] 1db33bbd390d2c04401c39b253b78ce2 | y[30] 1db33bbd390d2c04401c39b253b78ce2 | |||
| 97b0e14755e46ec08a146d279c67af70 | 97b0e14755e46ec08a146d279c67af70 | |||
| y[31] de256890804d83d6ec5ca3286f1fca9c | y[31] de256890804d83d6ec5ca3286f1fca9c | |||
| 72abf6ef868e7f6eb0fddda1b040ecec | 72abf6ef868e7f6eb0fddda1b040ecec | |||
| y[32] 9bbc69e2fd8618e9db3bdb0af13dda06 | y[32] 9bbc69e2fd8618e9db3bdb0af13dda06 | |||
| c6617e95afa522d6a2552de15324d991 | c6617e95afa522d6a2552de15324d991 | |||
| y[33] 19f55e9af11ae3d5614b564c642dbfec | y[33] 19f55e9af11ae3d5614b564c642dbfec | |||
| 6c644198ce80d2433ac8ee738f9d825e | 6c644198ce80d2433ac8ee738f9d825e | |||
| -------------------------------------------- | -------------------------------------------- | |||
| LMS type 0000000f # LMS_SHAKE256_N32_H5 | LMS type 0000000f # LMS_SHAKE_N32_H5 | |||
| path[0] 71d585a35c3a908379f4072d070311db | path[0] 71d585a35c3a908379f4072d070311db | |||
| 5d65b242b714bc5a756ba5e228abfa0d | 5d65b242b714bc5a756ba5e228abfa0d | |||
| path[1] 1329978a05d5e815cf4d74c1e547ec4a | path[1] 1329978a05d5e815cf4d74c1e547ec4a | |||
| a3ca956ae927df8b29fb9fab3917a7a4 | a3ca956ae927df8b29fb9fab3917a7a4 | |||
| path[2] ae61ba57e5342e9db12caf6f6dbc5253 | path[2] ae61ba57e5342e9db12caf6f6dbc5253 | |||
| de5268d4b0c4ce4ebe6852f012b162fc | de5268d4b0c4ce4ebe6852f012b162fc | |||
| path[3] 1c12b9ffc3bcb1d3ac8589777655e22c | path[3] 1c12b9ffc3bcb1d3ac8589777655e22c | |||
| d9b99ff1e4346fd0efeaa1da044692e7 | d9b99ff1e4346fd0efeaa1da044692e7 | |||
| path[4] ad6bfc337db69849e54411df8920c228 | path[4] ad6bfc337db69849e54411df8920c228 | |||
| a2b7762c11e4b1c49efb74486d3931ea | a2b7762c11e4b1c49efb74486d3931ea | |||
| Figure 12: Test Case 3 - Signature for SHAKE256/256 | Figure 12: Signature for SHAKE256/256 | |||
| A.4. Test vector for SHA-256/192, W=4 | ||||
| -------------------------------------------- | -------------------------------------------- | |||
| (note: procedure in Appendix A of [RFC8554] is used) | (note: procedure in Appendix A of [RFC8554] is used) | |||
| SEED 202122232425262728292a2b2c2d2e2f | SEED 202122232425262728292a2b2c2d2e2f | |||
| 3031323334353637 | 3031323334353637 | |||
| I 404142434445464748494a4b4c4d4e4f | I 404142434445464748494a4b4c4d4e4f | |||
| -------------------------------------------- | -------------------------------------------- | |||
| -------------------------------------------- | ||||
| Figure 13: Test Case 4 - Private Key for SHA256/192 with W=4 | Figure 13: Private Key for SHA256/192 with W=4 | |||
| -------------------------------------------- | -------------------------------------------- | |||
| HSS public key | HSS public key | |||
| levels 00000001 | levels 00000001 | |||
| -------------------------------------------- | -------------------------------------------- | |||
| LMS type 0000000d # LMS_SHA256_M24_H20 | LMS type 0000000d # LMS_SHA256_M24_H20 | |||
| LMOTS type 00000007 # LMOTS_SHA256_N24_W4 | LM-OTS type 00000007 # LMOTS_SHA256_N24_W4 | |||
| I 404142434445464748494a4b4c4d4e4f | I 404142434445464748494a4b4c4d4e4f | |||
| K 9c08a50d170406869892802ee4142fcd | K 9c08a50d170406869892802ee4142fcd | |||
| eac990f110c2460c | eac990f110c2460c | |||
| -------------------------------------------- | -------------------------------------------- | |||
| -------------------------------------------- | ||||
| Figure 14: Test Case 4 - Public Key for SHA256/192 with W=4 | Figure 14: Public Key for SHA256/192 with W=4 | |||
| -------------------------------------------- | -------------------------------------------- | |||
| Message 54657374206d65737361676520666f72 |Test message for| | Message 54657374206d65737361676520666f72 |Test message for| | |||
| 205348413235362f31393220773d34 | SHA256/192 w=4| | 205348413235362f31393220773d34 | SHA256/192 w=4| | |||
| -------------------------------------------- | -------------------------------------------- | |||
| Figure 15: Test Case 4 - Message for SHA256/192 with W=4 | Figure 15: Message for SHA256/192 with W=4 | |||
| -------------------------------------------- | -------------------------------------------- | |||
| HSS signature | HSS signature | |||
| Nspk 00000000 | Nspk 00000000 | |||
| sig[0]: | sig[0]: | |||
| -------------------------------------------- | -------------------------------------------- | |||
| LMS signature | LMS signature | |||
| q 00000064 | q 00000064 | |||
| -------------------------------------------- | -------------------------------------------- | |||
| LMOTS signature | LM-OTS signature | |||
| LMOTS type 00000007 # LMOTS_SHA256_N24_W4 | LM-OTS type 00000007 # LMOTS_SHA256_N24_W4 | |||
| C 853fa6e1a65fef076acd2485505b93be | C 853fa6e1a65fef076acd2485505b93be | |||
| 9aeb2641e3d3805c | 9aeb2641e3d3805c | |||
| y[0] 1887f26f4bcdb6ac0337b76fa5d66038 | y[0] 1887f26f4bcdb6ac0337b76fa5d66038 | |||
| 34287e010b20516f | 34287e010b20516f | |||
| y[1] 7c336df2134c0a981f1ec2bb7baee516 | y[1] 7c336df2134c0a981f1ec2bb7baee516 | |||
| e91e67d3bd16c8d9 | e91e67d3bd16c8d9 | |||
| y[2] 45a7f2be4fd84a604ae3743efc609ee0 | y[2] 45a7f2be4fd84a604ae3743efc609ee0 | |||
| e69572e9c6d4a682 | e69572e9c6d4a682 | |||
| y[3] 50e877b75d3cae63e9d5c15a32bb3cd1 | y[3] 50e877b75d3cae63e9d5c15a32bb3cd1 | |||
| 7045f6b3e195284f | 7045f6b3e195284f | |||
| skipping to change at line 1124 ¶ | skipping to change at line 1136 ¶ | |||
| 071e572fd032c780 | 071e572fd032c780 | |||
| path[16] f44c9503a4c03c37417dc96422ba0849 | path[16] f44c9503a4c03c37417dc96422ba0849 | |||
| c37956f9fd5d33ea | c37956f9fd5d33ea | |||
| path[17] 4fcab84276effec652ca77d7d47ac93c | path[17] 4fcab84276effec652ca77d7d47ac93c | |||
| 633d99e0a236f03d | 633d99e0a236f03d | |||
| path[18] 5587d1990ffaef737fced1f5cdd8f373 | path[18] 5587d1990ffaef737fced1f5cdd8f373 | |||
| 844e9f316aad41a0 | 844e9f316aad41a0 | |||
| path[19] b12302639f83a2d74c9fe30d305a942b | path[19] b12302639f83a2d74c9fe30d305a942b | |||
| c0c30352a5e44dfb | c0c30352a5e44dfb | |||
| Figure 16: Test Case 4 - Signature for SHA256/192 with W=4 | Figure 16: Signature for SHA256/192 with W=4 | |||
| Acknowledgements | Acknowledgements | |||
| We would like to thank Carsten Bormann, Russ Housley, Andrey Jivsov, | We would like to thank Carsten Bormann, Russ Housley, Andrey Jivsov, | |||
| Mallory Knodel, Virendra Kumar, Thomas Pornin, and Stanislav | Mallory Knodel, Virendra Kumar, Thomas Pornin, and Stanislav | |||
| Smyshlyaev for their insightful and helpful reviews. | Smyshlyaev for their insightful and helpful reviews. | |||
| Authors' Addresses | Authors' Addresses | |||
| Scott Fluhrer | Scott Fluhrer | |||
| End of changes. 62 change blocks. | ||||
| 166 lines changed or deleted | 178 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||
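The size and computation comparison in Section 7 (35-40% smaller signatures for the 192-bit parameter sets, circa 20% fewer Winternitz chains) follows from the LM-OTS parameter arithmetic of RFC 8554. The following is an added example, not code from RFC 9858 or RFC 8554: the functions lmots_p, lms_signature_size, hss_signature_size, size_reduction and chain_reduction are names chosen here, the u/v/p formulas are those of RFC 8554 Section 4.1, and the byte layout is the LMS/HSS signature format of RFC 8554 Sections 5.4 and 6.1. It goes beyond the text in that it covers all Winternitz widths and tree heights, not only the sets tabulated in the document.

```python
"""Signature-size arithmetic behind the size comparison in Section 7.

Added example, not code from RFC 9858 or RFC 8554.  The formulas for u, v and
p are the LM-OTS parameter definitions of RFC 8554, Section 4.1; the byte
layout is the LMS/HSS signature format of RFC 8554, Sections 5.4 and 6.1.
n is the hash output length in bytes (24 or 32), w the Winternitz digit
width in bits, h the tree height.
"""
import math


def lmots_p(n: int, w: int) -> int:
    """Number of Winternitz chains p = u + v (RFC 8554, Section 4.1).

    u chains carry the n-byte message digest, v chains carry the checksum;
    each chain contributes one n-byte y[i] element to the signature."""
    u = math.ceil(8 * n / w)
    v = math.ceil((math.floor(math.log2((2 ** w - 1) * u)) + 1) / w)
    return u + v


def lms_signature_size(n: int, w: int, h: int) -> int:
    """Bytes in one LMS signature: q || LM-OTS signature || LMS type || path.

    The LM-OTS signature is type || C || y[0..p-1]; the authentication path
    holds h nodes of n bytes each."""
    ots = 4 + n + lmots_p(n, w) * n
    return 4 + ots + 4 + h * n


def hss_signature_size(n: int, w: int, h: int, levels: int = 1) -> int:
    """Bytes in an HSS signature with `levels` identical LMS levels:
    Nspk || (sig, public key) for each lower level || final sig."""
    lms_pubkey = 4 + 4 + 16 + n          # LMS type || LM-OTS type || I || K
    return 4 + levels * lms_signature_size(n, w, h) + (levels - 1) * lms_pubkey


def size_reduction(n_small: int, n_big: int, w: int, h: int) -> float:
    """Fractional signature-size saving from using an n_small-byte hash
    instead of an n_big-byte one with the same w and h."""
    return 1 - lms_signature_size(n_small, w, h) / lms_signature_size(n_big, w, h)


def chain_reduction(n_small: int, n_big: int, w: int) -> float:
    """Fractional reduction in the number of Winternitz chains, i.e. in the
    part of the per-signature hash work that the chains account for."""
    return 1 - lmots_p(n_small, w) / lmots_p(n_big, w)


if __name__ == "__main__":
    for w in (1, 2, 4, 8):
        for h in (5, 10, 15, 20, 25):
            print(f"w={w} h={h:2d}: N24 {lms_signature_size(24, w, h):5d} B, "
                  f"N32 {lms_signature_size(32, w, h):5d} B, "
                  f"saving {100 * size_reduction(24, 32, w, h):.1f}%")
```

The chain counts double as a consistency check on Appendix A: p = 26 matches y[0]..y[25] in Test Case 2 (N=24, W=8), p = 34 matches y[0]..y[33] in Test Case 3 (N=32, W=8), and 26 versus 34 chains is the circa 20% reduction in signing work that Section 7 attributes to the 192-bit sets.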
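Section 8 states the cost of a time-limited, parallelised Grover search (2^t steps per machine, 2^(192-2t) machines, 2^(192-t) hash computations in total) without spelling out the step from one figure to the next. The following is an added example, not code from RFC 9858, that reproduces that arithmetic and the 50-year estimate for t = 64; the function names grover_parallel_cost, single_grover_log2 and wall_clock_years are chosen here, and n_bits generalises the document's 192 so the same model can be applied to the N=32 sets.

```python
"""Cost model for the parallel-Grover argument in Section 8.

Added example that reproduces the document's arithmetic; it is not code
from RFC 9858.  n_bits is the preimage size (192 for the N=24 parameter
sets, 256 for N=32); t bounds the number of sequential Grover steps any
one quantum computer is allowed to run.
"""

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def grover_parallel_cost(n_bits: int, t: int) -> tuple[int, int]:
    """Return (log2 of machines needed, log2 of total hash computations).

    A Grover search that runs 2^t sequential steps covers about 2^(2t)
    candidates, so the 2^n_bits candidate preimages must be split among
    2^(n_bits - 2t) independent machines.  Each machine performs 2^t hash
    evaluations, so the total is 2^(n_bits - 2t) * 2^t = 2^(n_bits - t),
    compared with 2^(n_bits / 2) for a single unrestricted Grover run.
    """
    if not 0 <= t <= n_bits // 2:
        raise ValueError("need 0 <= t <= n_bits/2; beyond n_bits/2 one machine already suffices")
    machines_log2 = n_bits - 2 * t
    total_log2 = n_bits - t
    return machines_log2, total_log2


def single_grover_log2(n_bits: int) -> int:
    """log2 of the hash computations for one time-unlimited Grover run."""
    return n_bits // 2


def wall_clock_years(t: int, hash_seconds: float) -> float:
    """Wall-clock time to run 2^t hash computations one after another."""
    return (2 ** t) * hash_seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Section 8's worked numbers: t = 64, 0.1 ns per hash on the quantum computer.
    machines, total = grover_parallel_cost(192, 64)
    print(f"2^{machines} machines, 2^{total} total hashes, "
          f"{wall_clock_years(64, 1e-10):.1f} years each")
```

With t = 64 the model returns 2^64 machines and 2^128 total hash computations, and 2^64 hashes at 0.1 ns each come to roughly 58 years, which is the "over 50 years" figure in the text.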
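Appendix A says that the concatenation of the listed values forms the public key or signature and that long values continue on the following lines. The following is an added example, not code from RFC 9858, of a parser for that layout, applied to the Test Case 1 and Test Case 2 HSS public keys copied from Figures 2 and 6; parse_vector, concat and check_hss_public_key are names chosen here, and the LMS_TYPES and LMOTS_TYPES tables cover only the type codes that appear in the appendix.

```python
"""Parser for the test-vector layout of Appendix A: element name on the
left, hex value on the right, long values continued on following lines.

Added example, not code from RFC 9858.  The embedded text is copied from
Figures 2 and 6 of the appendix; the type tables hold only the parameter
set codes that appear in those test cases.
"""
import re

# code -> (name, n bytes, tree height h) for the LMS types shown in Appendix A
LMS_TYPES = {
    0x0a: ("LMS_SHA256_M24_H5", 24, 5),
    0x0d: ("LMS_SHA256_M24_H20", 24, 20),
    0x14: ("LMS_SHAKE_N24_H5", 24, 5),
    0x0f: ("LMS_SHAKE_N32_H5", 32, 5),
}
# code -> (name, n bytes, Winternitz width w) for the LM-OTS types shown there
LMOTS_TYPES = {
    0x08: ("LMOTS_SHA256_N24_W8", 24, 8),
    0x07: ("LMOTS_SHA256_N24_W4", 24, 4),
    0x10: ("LMOTS_SHAKE_N24_W8", 24, 8),
    0x0c: ("LMOTS_SHAKE_N32_W8", 32, 8),
}

HEX = re.compile(r"^[0-9a-fA-F]+$")

# Figure 2: Test Case 1 public key (copied from the appendix)
TEST_CASE_1_PUBLIC_KEY = """
HSS public key
levels 00000001
--------------------------------------------
LMS type 0000000a # LMS_SHA256_M24_H5
LMOTS type 00000008 # LMOTS_SHA256_N24_W8
I 202122232425262728292a2b2c2d2e2f
K 2c571450aed99cfb4f4ac285da148827
96618314508b12d2
"""

# Figure 6: Test Case 2 public key (copied from the appendix, new-version labels)
TEST_CASE_2_PUBLIC_KEY = """
HSS public key
levels 00000001
--------------------------------------------
LMS type 00000014 # LMS_SHAKE_N24_H5
LM-OTS type 00000010 # LMOTS_SHAKE_N24_W8
I 505152535455565758595a5b5c5d5e5f
K db54a4509901051c01e26d9990e55034
7986da87924ff0b1
"""


def parse_vector(text: str) -> list[tuple[str, bytes]]:
    """Turn figure text into an ordered list of (element name, value bytes).

    '#' starts a comment and '|' the ASCII rendering of a message; a line
    whose last token is hex starts a new element; a line that is a lone
    even-length hex token continues the previous element."""
    fields: list[tuple[str, bytes]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split("|", 1)[0].strip()
        if not line or set(line) == {"-"}:
            continue                      # blank line or separator rule
        tokens = line.split()
        last = tokens[-1]
        if not (HEX.match(last) and len(last) % 2 == 0 and len(last) >= 2):
            continue                      # heading such as "HSS public key"
        if len(tokens) == 1:              # continuation of the previous value
            if not fields:
                raise ValueError(f"continuation before any element: {raw!r}")
            name, value = fields[-1]
            fields[-1] = (name, value + bytes.fromhex(last))
        else:
            fields.append((" ".join(tokens[:-1]), bytes.fromhex(last)))
    return fields


def concat(fields: list[tuple[str, bytes]]) -> bytes:
    """The encoded object is the concatenation of all values, in order."""
    return b"".join(value for _, value in fields)


def check_hss_public_key(fields: list[tuple[str, bytes]]) -> dict:
    """Check a parsed HSS public key against the type tables and return its
    decoded parameters; raise ValueError on any inconsistency."""
    d = dict(fields)
    ots_raw = d.get("LMOTS type") or d.get("LM-OTS type")  # both spellings occur
    if ots_raw is None:
        raise ValueError("missing LM-OTS type")
    lms_name, n, h = LMS_TYPES[int.from_bytes(d["LMS type"], "big")]
    ots_name, n_ots, w = LMOTS_TYPES[int.from_bytes(ots_raw, "big")]
    if n != n_ots:
        raise ValueError("LMS and LM-OTS hash lengths disagree")
    if len(d["I"]) != 16:
        raise ValueError("I must be 16 bytes")
    if len(d["K"]) != n:
        raise ValueError(f"K must be {n} bytes, got {len(d['K'])}")
    expected = 4 + 4 + 4 + 16 + n       # levels || LMS type || OTS type || I || K
    if len(concat(fields)) != expected:
        raise ValueError("encoded public key has unexpected length")
    return {"levels": int.from_bytes(d["levels"], "big"), "lms": lms_name,
            "lmots": ots_name, "n": n, "h": h, "w": w, "length": expected}
```

The length check is the useful part for an implementer: a 192-bit public key is 52 bytes, not the 60 bytes of the RFC 8554 sets, and a verifier that still sizes K at 32 bytes will misparse the test vector rather than reject it.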