RFC Errata
Found 2 records.
Status: Reported (2)
RFC 8554, "Leighton-Micali Hash-Based Signatures", April 2019
Source of RFC: IRTF
Errata ID: 7409
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Peter Campbell
Date Reported: 2023-03-29
Section Section 6.4, Table 3 says:
+---------+------------+---------+-------------+
| ParmSet | KeyGenTime | SigSize | KeyLifetime |
+---------+------------+---------+-------------+
...
| 15/10 | 6 sec | 3172 | 9 hours |
| | | | |
| 15/15 | 6 sec | 3332 | 12 days |
| | | | |
| 20/10 | 3 min | 3332 | 12 days |
| | | | |
| 20/15 | 3 min | 3492 | 1 year |
| | | | |
| 25/10 | 1.5 hour | 3492 | 1 year |
| | | | |
| 25/15 | 1.5 hour | 3652 | 34 years |
+---------+------------+---------+-------------+
It should say:
+---------+------------+---------+-------------+
| ParmSet | KeyGenTime | SigSize | KeyLifetime |
+---------+------------+---------+-------------+
...
| 15/10 | 6 sec | 3124 | 9 hours |
| | | | |
| 15/15 | 6 sec | 3284 | 12 days |
| | | | |
| 20/10 | 3 min | 3284 | 12 days |
| | | | |
| 20/15 | 3 min | 3444 | 1 year |
| | | | |
| 25/10 | 1.5 hour | 3444 | 1 year |
| | | | |
| 25/15 | 1.5 hour | 3604 | 34 years |
+---------+------------+---------+-------------+
Notes:
The signature sizes for the two-level HSS parameters in Table 3 are all 48 bytes larger than they should be. It looks like they were computed assuming a 64-byte identifier I in the level-1 LMS public key pub[1], but the identifier was reduced to 16 bytes in draft -07. The signature sizes for the single-level HSS parameters are all correct because they do not have intermediate LMS public keys.
Errata ID: 7994
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: David Cooper
Date Reported: 2024-06-17
Section 3.3 says:
/* leighton-micali signatures (lms) */
union lms_path switch (lms_algorithm_type type) {
case lms_sha256_n32_h5:
bytestring32 path_n32_h5[5];
case lms_sha256_n32_h10:
bytestring32 path_n32_h10[10];
case lms_sha256_n32_h15:
bytestring32 path_n32_h15[15];
case lms_sha256_n32_h20:
bytestring32 path_n32_h20[20];
case lms_sha256_n32_h25:
bytestring32 path_n32_h25[25];
default:
void; /* error condition */
};
struct lms_signature {
unsigned int q;
lmots_signature lmots_sig;
lms_path nodes;
};
struct lms_key_n32 {
lmots_algorithm_type ots_alg_type;
opaque I[16];
opaque K[32];
};
union lms_public_key switch (lms_algorithm_type type) {
case lms_sha256_n32_h5:
case lms_sha256_n32_h10:
case lms_sha256_n32_h15:
case lms_sha256_n32_h20:
case lms_sha256_n32_h25:
lms_key_n32 z_n32;
It should say:
/* leighton-micali signatures (lms) */
union lms_path switch (lms_algorithm_type type) {
case lms_sha256_m32_h5:
bytestring32 path_m32_h5[5];
case lms_sha256_m32_h10:
bytestring32 path_m32_h10[10];
case lms_sha256_m32_h15:
bytestring32 path_m32_h15[15];
case lms_sha256_m32_h20:
bytestring32 path_m32_h20[20];
case lms_sha256_m32_h25:
bytestring32 path_m32_h25[25];
default:
void; /* error condition */
};
struct lms_signature {
unsigned int q;
lmots_signature lmots_sig;
lms_path nodes;
};
struct lms_key_m32 {
lmots_algorithm_type ots_alg_type;
opaque I[16];
opaque K[32];
};
union lms_public_key switch (lms_algorithm_type type) {
case lms_sha256_m32_h5:
case lms_sha256_m32_h10:
case lms_sha256_m32_h15:
case lms_sha256_m32_h20:
case lms_sha256_m32_h25:
lms_key_m32 z_m32;
Notes:
While "n" is the parameter used in LMOTS, "m" is the parameter used in LMS. In order to be consistent with the other parts of RFC 8554 and with the IANA registry, the LMS parameter set names need to be changed from "_n32_" to "_m32_". For consistency, all other references to the number of bytes in each node should changed from "n32" to "m32".