Crypto Forum Research Group                                    S. Fluhrer
Internet-Draft                                              Cisco Systems
Intended status: Informational                                    Q. Dang
Expires: 4 June 2022                                                 NIST
                                                            December 2021


         Additional Parameter sets for LMS Hash-Based Signatures
                   draft-fluhrer-lms-more-parm-sets-06

Abstract

   This note extends LMS (RFC 8554) by defining parameter sets that use
   additional hash functions. These include hash functions that result
   in signatures significantly smaller than those produced with the
   current parameter sets, while still providing sufficient security.

   This document is a product of the Crypto Forum Research Group (CFRG)
   in the IRTF.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts.
   The list of current Internet-Drafts is at
   https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 4 June 2022.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Revised BSD License text as described in Section 4.e of the
   Trust Legal Provisions and are provided without warranty as described
   in the Revised BSD License.

Table of Contents

   1.  Introduction
     1.1.  Disclaimer
   2.  Conventions Used In This Document
   3.  Additional Hash Function Definitions
     3.1.  192 bit Hash Function based on SHA256
     3.2.  256 bit Hash Function based on SHAKE256
     3.3.  192 bit Hash Function based on SHAKE256
   4.  Additional LM-OTS Parameter Sets
   5.  Additional LM Parameter Sets
   6.  Comparisons of 192 bit and 256 bit parameter sets
   7.  Security Considerations
     7.1.  Note on the version of SHAKE
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Test Cases
   Authors' Addresses

1.  Introduction

   Stateful hash based signatures have small private and public keys,
   are efficient to compute, and are believed to have excellent
   security. One disadvantage is that the signatures they produce tend
   to be somewhat large (possibly 1k - 4kbytes). This draft explores a
   set of parameter sets for the LMS [RFC8554] stateful hash based
   signature method that reduce the size of the signature
   significantly.

1.1.  Disclaimer

   This document is not intended as legal advice. Readers are advised
   to consult with their own legal advisers if they would like a legal
   interpretation of their rights.

   The IETF policies and processes regarding intellectual property and
   patents are outlined in [RFC3979] and [RFC4879] and at
   https://datatracker.ietf.org/ipr/about.

2.  Conventions Used In This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Additional Hash Function Definitions

3.1.  192 bit Hash Function based on SHA256

   This document defines a SHA-2 based hash function with a 192 bit
   output. As such, we define SHA256-192 as a truncated version of
   SHA256 [FIPS180]. That is, it is the result of performing a SHA256
   operation on a message, and then omitting the final 64 bits of the
   output. It is the same procedure used to define SHA224, except that
   we use the SHA256 IV (rather than one dedicated to SHA256-192), and
   we truncate 64 bits rather than 32.
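   The three hash functions of Section 3 (SHA256-192 defined above, and
   the SHAKE256-256 and SHAKE256-192 functions of Sections 3.2 and 3.3)
   built on a standard SHA-256 / SHAKE256 implementation, as an added
   example that is not code from the draft. It checks the
   SHA256-192("abc") vector the draft gives below, shows the prefix
   relationship between the truncated and full hashes, and reproduces the
   argument that the per-key I and per-signature C randomizer keep the
   signing hashes of an n = 32 and an n = 24 parameter set apart. D_MESG
   and the message-hash input layout are taken from RFC 8554; the I, q
   and C values used are constructed for illustration.

```python
import hashlib

# Added example (not code from the draft): the three hash functions of
# Section 3 built on Python's hashlib SHA-256 and SHAKE256, checked against the
# SHA256-192("abc") vector of Section 3.1, plus the I / C randomization
# argument of that section. D_MESG and the message-hash input layout follow
# RFC 8554; the randomizer values below are constructed for illustration.

def sha256_192(data: bytes) -> bytes:
    """Section 3.1: plain SHA-256 (standard IV), keeping the first 24 bytes."""
    return hashlib.sha256(data).digest()[:24]

def shake256_256(data: bytes) -> bytes:
    """Section 3.2: SHAKE256 XOF squeezed for 32 bytes."""
    return hashlib.shake_256(data).digest(32)

def shake256_192(data: bytes) -> bytes:
    """Section 3.3: SHAKE256 XOF squeezed for 24 bytes."""
    return hashlib.shake_256(data).digest(24)

# Output length n in bytes (the n column of Table 1 and m column of Table 2).
HASH_LEN = {"SHA256-192": 24, "SHAKE256-256": 32, "SHAKE256-192": 24}

def truncated_is_prefix(data: bytes) -> bool:
    """The partial-knowledge property Section 3.1 discusses: with the SHA-256 IV
    retained, SHA256-192(x) is the first 24 bytes of SHA256(x); a 24-byte SHAKE256
    output is likewise the first 24 bytes of the 32-byte output for the same x."""
    return (hashlib.sha256(data).digest().startswith(sha256_192(data))
            and shake256_256(data).startswith(shake256_192(data)))

D_MESG = 0x8181  # RFC 8554 Section 4.1 domain-separation constant for message hashing

def lms_message_hash(hashfn, I: bytes, q: int, C: bytes, message: bytes) -> bytes:
    """The value LMS actually hashes when signing (RFC 8554 Algorithm 3):
    I || u32str(q) || u16str(D_MESG) || C || message."""
    return hashfn(I + q.to_bytes(4, "big") + D_MESG.to_bytes(2, "big") + C + message)

def truncated_signing_hash_not_prefix(I: bytes, q: int, message: bytes) -> bool:
    """Why the prefix property is harmless: an n = 32 signer draws a 32-byte C and
    an n = 24 signer a 24-byte C, so SHA256 and SHA256-192 never see the same
    input and the SHA256-192 message hash is not a prefix of the SHA256 one.
    The two C values here are constructed, not drawn at random."""
    c32, c24 = bytes(range(32)), bytes(range(24))
    full = lms_message_hash(lambda d: hashlib.sha256(d).digest(), I, q, c32, message)
    trunc = lms_message_hash(sha256_192, I, q, c24, message)
    return not full.startswith(trunc)

if __name__ == "__main__":
    print("SHA256-192('abc') =", sha256_192(b"abc").hex())
    print("prefix property holds:", truncated_is_prefix(b"abc"))
    print("signing hashes differ:", truncated_signing_hash_not_prefix(bytes(16), 0, b"abc"))
```

   Because hashlib's shake_256 takes the output length as an argument,
   the two SHAKE variants need no truncation step at all; only the SHA-2
   variant relies on cutting a fixed-length digest.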
   The following test vector may illustrate this:

   SHA256("abc")     = ba7816bf 8f01cfea 414140de 5dae2223
                       b00361a3 96177a9c b410ff61 f20015ad
   SHA256-192("abc") = ba7816bf 8f01cfea 414140de 5dae2223
                       b00361a3 96177a9c

   We use the same IV as the untruncated SHA256, rather than defining a
   distinct one, so that we can use a standard SHA256 hash
   implementation without modification. In addition, the fact that you
   get partial knowledge of the SHA256 hash of a message by examining
   the SHA256-192 hash of the same message is not a concern for this
   application. Each message that is hashed is randomized. Any message
   being signed includes the C randomizer, which varies per message; in
   addition, all hashes include the I identifier, which varies depending
   on the public key. Therefore, signing the same message by SHA256 and
   by SHA256-192 will not result in the same value being hashed, and so
   the latter hash value is not a prefix of the former one.

3.2.  256 bit Hash Function based on SHAKE256

   This document defines a SHAKE-based hash function with a 256 bit
   output. As such, we define SHAKE256-256 as a hash where you submit
   the preimage to the SHAKE256 XOF, with the output being 256 bits; see
   FIPS 202 [FIPS202] for more detail.

3.3.  192 bit Hash Function based on SHAKE256

   This document defines a SHAKE-based hash function with a 192 bit
   output. As such, we define SHAKE256-192 as a hash where you submit
   the preimage to the SHAKE256 XOF, with the output being 192 bits; see
   FIPS 202 [FIPS202] for more detail.

4.  Additional LM-OTS Parameter Sets

   Here is a table with the LM-OTS parameters defined that use the above
   hashes:

   +=====================+==============+====+===+=====+====+========+
   | Parameter Set Name  | H            | n  | w | p   | ls | id     |
   +=====================+==============+====+===+=====+====+========+
   | LMOTS_SHA256_N24_W1 | SHA256-192   | 24 | 1 | 200 | 8  | 0x0005 |
   +---------------------+--------------+----+---+-----+----+--------+
   | LMOTS_SHA256_N24_W2 | SHA256-192   | 24 | 2 | 101 | 6  | 0x0006 |
   +---------------------+--------------+----+---+-----+----+--------+
   | LMOTS_SHA256_N24_W4 | SHA256-192   | 24 | 4 | 51  | 4  | 0x0007 |
   +---------------------+--------------+----+---+-----+----+--------+
   | LMOTS_SHA256_N24_W8 | SHA256-192   | 24 | 8 | 26  | 0  | 0x0008 |
   +---------------------+--------------+----+---+-----+----+--------+
   | LMOTS_SHAKE_N32_W1  | SHAKE256-256 | 32 | 1 | 265 | 7  | 0x0009 |
   +---------------------+--------------+----+---+-----+----+--------+
   | LMOTS_SHAKE_N32_W2  | SHAKE256-256 | 32 | 2 | 133 | 6  | 0x000a |
   +---------------------+--------------+----+---+-----+----+--------+
   | LMOTS_SHAKE_N32_W4  | SHAKE256-256 | 32 | 4 | 67  | 4  | 0x000b |
   +---------------------+--------------+----+---+-----+----+--------+
   | LMOTS_SHAKE_N32_W8  | SHAKE256-256 | 32 | 8 | 34  | 0  | 0x000c |
   +---------------------+--------------+----+---+-----+----+--------+
   | LMOTS_SHAKE_N24_W1  | SHAKE256-192 | 24 | 1 | 200 | 8  | 0x000d |
   +---------------------+--------------+----+---+-----+----+--------+
   | LMOTS_SHAKE_N24_W2  | SHAKE256-192 | 24 | 2 | 101 | 6  | 0x000e |
   +---------------------+--------------+----+---+-----+----+--------+
   | LMOTS_SHAKE_N24_W4  | SHAKE256-192 | 24 | 4 | 51  | 4  | 0x000f |
   +---------------------+--------------+----+---+-----+----+--------+
   | LMOTS_SHAKE_N24_W8  | SHAKE256-192 | 24 | 8 | 26  | 0  | 0x0010 |
   +---------------------+--------------+----+---+-----+----+--------+

                                 Table 1

   The id is the IANA-defined identifier used to denote this specific
   parameter set, and which appears in both public keys and signatures.

   The SHA256_N24, SHAKE_N32 and SHAKE_N24 in the parameter set name
   denote the SHA256-192, SHAKE256-256 and SHAKE256-192 hash functions
   defined in Section 3.

   Remember that the C message randomizer (which is included in the
   signature) is the size of the hash n, and so it shrinks from 32 bytes
   to 24 bytes for the parameter sets that use either SHA256-192 or
   SHAKE256-192.

5.  Additional LM Parameter Sets

   Here is a table with the LM parameters defined that use the
   SHA256-192, SHAKE256-256 and SHAKE256-192 hash functions:

   +====================+==============+====+====+========+
   | Parameter Set Name | H            | m  | h  | id     |
   +====================+==============+====+====+========+
   | LMS_SHA256_M24_H5  | SHA256-192   | 24 | 5  | 0x000a |
   +--------------------+--------------+----+----+--------+
   | LMS_SHA256_M24_H10 | SHA256-192   | 24 | 10 | 0x000b |
   +--------------------+--------------+----+----+--------+
   | LMS_SHA256_M24_H15 | SHA256-192   | 24 | 15 | 0x000c |
   +--------------------+--------------+----+----+--------+
   | LMS_SHA256_M24_H20 | SHA256-192   | 24 | 20 | 0x000d |
   +--------------------+--------------+----+----+--------+
   | LMS_SHA256_M24_H25 | SHA256-192   | 24 | 25 | 0x000e |
   +--------------------+--------------+----+----+--------+
   | LMS_SHAKE_M32_H5   | SHAKE256-256 | 32 | 5  | 0x000f |
   +--------------------+--------------+----+----+--------+
   | LMS_SHAKE_M32_H10  | SHAKE256-256 | 32 | 10 | 0x0010 |
   +--------------------+--------------+----+----+--------+
   | LMS_SHAKE_M32_H15  | SHAKE256-256 | 32 | 15 | 0x0011 |
   +--------------------+--------------+----+----+--------+
   | LMS_SHAKE_M32_H20  | SHAKE256-256 | 32 | 20 | 0x0012 |
   +--------------------+--------------+----+----+--------+
   | LMS_SHAKE_M32_H25  | SHAKE256-256 | 32 | 25 | 0x0013 |
   +--------------------+--------------+----+----+--------+
   | LMS_SHAKE_M24_H5   | SHAKE256-192 | 24 | 5  | 0x0014 |
   +--------------------+--------------+----+----+--------+
   | LMS_SHAKE_M24_H10  | SHAKE256-192 | 24 | 10 | 0x0015 |
   +--------------------+--------------+----+----+--------+
   | LMS_SHAKE_M24_H15  | SHAKE256-192 | 24 | 15 | 0x0016 |
   +--------------------+--------------+----+----+--------+
   | LMS_SHAKE_M24_H20  | SHAKE256-192 | 24 | 20 | 0x0017 |
   +--------------------+--------------+----+----+--------+
   | LMS_SHAKE_M24_H25  | SHAKE256-192 | 24 | 25 | 0x0018 |
   +--------------------+--------------+----+----+--------+

                                 Table 2

   The id is the IANA-defined identifier used to denote this specific
   parameter set, and which appears in both public keys and signatures.

   The SHA256_M24, SHAKE_M32 and SHAKE_M24 in the parameter set name
   denote the SHA256-192, SHAKE256-256 and SHAKE256-192 hash functions
   defined in Section 3.

6.  Comparisons of 192 bit and 256 bit parameter sets

   Switching to a 192 bit hash affects the signature size, the
   computation time, and the security strength.

   The major reason for considering these truncated parameter sets is
   that they cause the signatures to shrink considerably.
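   Where the p and ls columns of Table 1 and the byte counts of the
   signature-size table that follows come from, as an added example that
   is not code from the draft: p and ls are derived from n and w with the
   procedure of RFC 8554 Appendix B, and the sizes are summed from the
   RFC 8554 signature and public-key encodings. It assumes, as the draft
   does, that the LMS tree hash width m equals the LM-OTS hash width n,
   and that one Winternitz parameter is used at every level.

```python
# Added example, not code from the draft: derive the LM-OTS parameters p and ls
# of Table 1 from n and w (the procedure of RFC 8554 Appendix B), and recompute
# the signature sizes of Table 3 from the RFC 8554 encodings, assuming as the
# draft does that the LMS tree hash width m equals the LM-OTS hash width n.

def lmots_params(n, w):
    """Return (u, v, ls, p): u message digits, v checksum digits, ls checksum
    left shift, p = u + v total hash chains. Integer arithmetic only, so exact."""
    u = (8 * n + w - 1) // w                     # ceil(8n / w)
    max_sum = u * ((1 << w) - 1)                 # largest possible checksum value
    v = (max_sum.bit_length() + w - 1) // w      # ceil((floor(log2(max_sum)) + 1) / w)
    return u, v, 16 - v * w, u + v

def lmots_sig_len(n, w):
    """LM-OTS signature: u32 type || C (n bytes) || y[0..p-1] (p * n bytes)."""
    return 4 + n + lmots_params(n, w)[3] * n

def lms_sig_len(n, h, w):
    """LMS signature: u32 q || LM-OTS signature || u32 type || path (h nodes of n bytes)."""
    return 4 + lmots_sig_len(n, w) + 4 + h * n

def lms_pub_len(n):
    """LMS public key: u32 type || u32 OTS type || I (16 bytes) || T[1] (n bytes)."""
    return 4 + 4 + 16 + n

def hss_sig_len(n, heights, w):
    """HSS signature: u32 Nspk || one LMS signature per level || L-1 signed public keys."""
    return (4 + sum(lms_sig_len(n, h, w) for h in heights)
            + (len(heights) - 1) * lms_pub_len(n))

def size_reduction_pct(heights, w):
    """Percent saved by a 24-byte hash relative to a 32-byte one (Section 6)."""
    big, small = hss_sig_len(32, heights, w), hss_sig_len(24, heights, w)
    return round(100.0 * (big - small) / big, 1)

# Tree heights and Winternitz parameters of the Table 3 rows; "x/y" rows are L=2.
TABLE3_ROWS = [([15], 4), ([15], 8), ([20], 4), ([20], 8),
               ([15, 10], 4), ([15, 10], 8), ([15, 15], 4), ([15, 15], 8),
               ([20, 10], 4), ([20, 10], 8), ([20, 15], 4), ([20, 15], 8)]

def table3():
    """Recompute Table 3 as (ParmSet, Winternitz, 256 bit hash, 192 bit hash)."""
    return [("/".join(str(h) for h in hs), w, hss_sig_len(32, hs, w), hss_sig_len(24, hs, w))
            for hs, w in TABLE3_ROWS]

def table1_p_ls():
    """Recompute the (ls, p) columns of Table 1 for every (n, w) it lists."""
    return {(n, w): lmots_params(n, w)[2:] for n in (24, 32) for w in (1, 2, 4, 8)}

if __name__ == "__main__":
    for (hs, w), (name, _, big, small) in zip(TABLE3_ROWS, table3()):
        print(f"{name:<6} w={w}  256-bit: {big:5d}  192-bit: {small:5d}"
              f"  saving: {size_reduction_pct(hs, w)}%")
```

   Every byte of the saving comes from the n-byte fields: C, the p
   values y[i], and the h path nodes per level all shrink from 32 to 24
   bytes, while the fixed type, q and Nspk fields do not, which is why the
   percentage is a little lower for the shorter (w = 8) signatures.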
   Here is a table that gives the space used by both the 256 bit
   parameter sets and the 192 bit parameter sets, for a range of
   plausible Winternitz parameters and tree heights:

   +=========+============+==============+==============+
   | ParmSet | Winternitz | 256 bit hash | 192 bit hash |
   +=========+============+==============+==============+
   | 15      | 4          | 2672         | 1624         |
   +---------+------------+--------------+--------------+
   | 15      | 8          | 1616         | 1024         |
   +---------+------------+--------------+--------------+
   | 20      | 4          | 2832         | 1744         |
   +---------+------------+--------------+--------------+
   | 20      | 8          | 1776         | 1144         |
   +---------+------------+--------------+--------------+
   | 15/10   | 4          | 5236         | 3172         |
   +---------+------------+--------------+--------------+
   | 15/10   | 8          | 3124         | 1972         |
   +---------+------------+--------------+--------------+
   | 15/15   | 4          | 5396         | 3292         |
   +---------+------------+--------------+--------------+
   | 15/15   | 8          | 3284         | 2092         |
   +---------+------------+--------------+--------------+
   | 20/10   | 4          | 5396         | 3292         |
   +---------+------------+--------------+--------------+
   | 20/10   | 8          | 3284         | 2092         |
   +---------+------------+--------------+--------------+
   | 20/15   | 4          | 5556         | 3412         |
   +---------+------------+--------------+--------------+
   | 20/15   | 8          | 3444         | 2212         |
   +---------+------------+--------------+--------------+

                            Table 3

   ParmSet: this is the height of the Merkle tree(s); parameter sets
   listed as a single integer have L=1, and consist of a single Merkle
   tree of that height; parameter sets with L=2 are listed as x/y, with
   x being the height of the top level Merkle tree, and y being the
   bottom level.

   Winternitz: this is the Winternitz parameter used (for the tests that
   use multiple trees, this applies to all of them).
   256 bit hash: the size in bytes of a signature, assuming that a 256
   bit hash is used in the signature (either SHA256 or SHAKE256-256).

   192 bit hash: the size in bytes of a signature, assuming that a 192
   bit hash is used in the signature (either SHA256-192 or
   SHAKE256-192).

   An examination of the signature sizes shows that the 192 bit
   parameters consistently give a 35% - 40% reduction in the size of the
   signature in comparison with the 256 bit parameters.

   In addition, for SHA256-192, there is a smaller (circa 20%) reduction
   in the amount of computation required for a signature operation with
   a 192 bit hash. The SHAKE256-192 signatures may have either a faster
   or slower computation, depending on the implementation speed of SHAKE
   versus SHA256 hashes.

   The SHAKE256-256 based parameter sets give no space advantage (or
   disadvantage) over the existing SHA256-based parameter sets; any
   performance delta would depend solely on the implementation and
   whether it can generate SHAKE hashes faster than SHA256 ones.

7.  Security Considerations

   The strength of a signature that uses the SHA256-192, SHAKE256-256
   and SHAKE256-192 hash functions is based on the difficulty of
   finding preimages or second preimages to those hash functions.

   The case of SHAKE256-256 is essentially the same as the existing
   SHA256 based signatures; the difficulty of finding preimages is
   essentially the same, and so they have (barring unexpected
   cryptographic advances) essentially the same level of security.

   The case of SHA256-192 and SHAKE256-192 requires closer analysis.

   For a classical (nonquantum) computer, there is no known attack
   better than performing hashes of a large number of distinct
   preimages; a successful attack has a high probability of requiring
   nearly 2**192 hash computations (for either SHA256-192 or
   SHAKE256-192).
   These can be taken as the expected work effort, and
   would appear to be completely infeasible in practice.

   For a quantum computer, an attacker could in theory use Grover's
   algorithm [Grover96] to reduce the expected complexity required to
   circa 2**96 hash computations (for N=24). On the other hand, to
   implement Grover's algorithm with this number of hash computations
   would require performing circa 2**96 hash computations in
   succession, which will take more time than is likely to be
   acceptable to any attacker. To speed this up, the attacker would
   need to run a number of instances of Grover's algorithm in parallel.
   This would necessarily increase the total work effort required, and
   to an extent that makes it likely to be infeasible.

   Hence, we expect that LMS based on these hash functions is secure
   against both classical and quantum computers, even though, in both
   cases, the expected work effort is less (for the N=24 case) than
   against either SHA256 or SHAKE256-256.

7.1.  Note on the version of SHAKE

   FIPS 202 defines both SHAKE128 and SHAKE256. This specification
   selects SHAKE256, even though it is, for large messages, less
   efficient. The reason is that SHAKE128 has a low upper bound on the
   difficulty of finding preimages (due to the invertibility of its
   internal permutation), which would limit the strength of LMS (whose
   strength is based on the difficulty of finding preimages). Hence, we
   specify the use of SHAKE256, which has a considerably stronger
   preimage resistance.

8.  References

8.1.  Normative References

   [FIPS180]  National Institute of Standards and Technology, "Secure
              Hash Standard (SHS)", FIPS 180-4, March 2012.

   [FIPS202]  National Institute of Standards and Technology, "SHA-3
              Standard: Permutation-Based Hash and Extendable-Output
              Functions", FIPS 202, August 2015.
   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3979]  Bradner, S., Ed., "Intellectual Property Rights in IETF
              Technology", RFC 3979, DOI 10.17487/RFC3979, March 2005.

   [RFC4879]  Narten, T., "Clarification of the Third Party Disclosure
              Procedure in RFC 3979", RFC 4879, DOI 10.17487/RFC4879,
              April 2007.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", RFC 5226,
              DOI 10.17487/RFC5226, May 2008.

   [RFC8554]  McGrew, D., Curcio, M., and S. Fluhrer, "Leighton-Micali
              Hash-Based Signatures", RFC 8554, DOI 10.17487/RFC8554,
              April 2019.

8.2.  Informative References

   [Grover96] Grover, L.K., "A fast quantum mechanical algorithm for
              database search", 28th ACM Symposium on the Theory of
              Computing p. 212, 1996.

Appendix A.  Test Cases

   This section provides three test cases that can be used to verify or
   debug an implementation, one for each hash function. This data is
   formatted with the name of the elements on the left, and the value of
   the elements on the right, in hexadecimal. The concatenation of all
   of the values within a public key or signature produces that public
   key or signature, and values that do not fit within a single line are
   listed across successive lines.
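   How an implementation would use the Test Case 1 values listed below,
   as an added example that is not code from the draft: the LM-OTS and
   LMS verification steps of RFC 8554 (Algorithms 4b and 6b) are run with
   H = SHA256-192 against the Test Case 1 public key K, signature and
   message, for the LMS_SHA256_M24_H5 / LMOTS_SHA256_N24_W8 pair (ids
   0x000a and 0x0008). The domain-separation constants and the coef and
   checksum definitions are those of RFC 8554; the hex values are copied
   from Test Case 1. Type-field parsing and HSS level handling are left
   out, since this test case has a single level.

```python
import hashlib

# Added example (not code from the draft): check the Appendix A Test Case 1
# signature with the verification steps of RFC 8554 (LM-OTS Algorithm 4b and
# LMS Algorithm 6b), substituting H = SHA256-192 from Section 3.1. Parameter set:
# LMS_SHA256_M24_H5 (m = 24, h = 5) with LMOTS_SHA256_N24_W8 (n = 24, w = 8,
# p = 26, ls = 0), i.e. the Table 2 / Table 1 rows with ids 0x000a and 0x0008.
N, W, P, LS, TREE_H = 24, 8, 26, 0, 5
D_PBLC, D_MESG, D_LEAF, D_INTR = 0x8080, 0x8181, 0x8282, 0x8383  # RFC 8554 Sec. 4.1

def H(data: bytes) -> bytes:
    """SHA256-192: SHA-256 with its standard IV, output truncated to 24 bytes."""
    return hashlib.sha256(data).digest()[:N]

def u32(x: int) -> bytes: return x.to_bytes(4, "big")
def u16(x: int) -> bytes: return x.to_bytes(2, "big")
def u8(x: int) -> bytes: return x.to_bytes(1, "big")

def coef(s: bytes, i: int, w: int) -> int:
    """coef(S, i, w) of RFC 8554 Section 3.1.3: the i-th w-bit digit of S."""
    return (s[(i * w) // 8] >> (8 - (w * (i % (8 // w)) + w))) & ((1 << w) - 1)

def checksum(q_hash: bytes) -> bytes:
    """Cksm(Q) of RFC 8554 Section 4.4 as a 2-byte string."""
    total = sum((1 << W) - 1 - coef(q_hash, i, W) for i in range(N * 8 // W))
    return u16((total << LS) & 0xFFFF)

def lmots_pk_candidate(I: bytes, q: int, C: bytes, y: list, message: bytes) -> bytes:
    """RFC 8554 Algorithm 4b: finish every hash chain from y[i], hash the chain ends."""
    Q = H(I + u32(q) + u16(D_MESG) + C + message)
    digits = Q + checksum(Q)
    z = []
    for i in range(P):
        tmp = y[i]
        for j in range(coef(digits, i, W), (1 << W) - 1):
            tmp = H(I + u32(q) + u16(i) + u8(j) + tmp)
        z.append(tmp)
    return H(I + u32(q) + u16(D_PBLC) + b"".join(z))

def lms_root_candidate(I: bytes, q: int, Kc: bytes, path: list) -> bytes:
    """RFC 8554 Algorithm 6b: hash leaf 2^h + q and climb the authentication path."""
    node = (1 << TREE_H) + q
    tmp = H(I + u32(node) + u16(D_LEAF) + Kc)
    for sibling in path:
        if node & 1:
            tmp = H(I + u32(node // 2) + u16(D_INTR) + sibling + tmp)
        else:
            tmp = H(I + u32(node // 2) + u16(D_INTR) + tmp + sibling)
        node //= 2
    return tmp

# Test Case 1 values as printed in Appendix A of the draft.
TC1_I = bytes.fromhex("202122232425262728292a2b2c2d2e2f")
TC1_K = bytes.fromhex("2c571450aed99cfb4f4ac285da14882796618314508b12d2")
TC1_Q, TC1_MESSAGE = 5, b"Test message for SHA256-192\n"
TC1_C = bytes.fromhex("0b5040a18c1b5cabcbc85b047402ec6294a30dd8da8fc3da")
TC1_Y = [bytes.fromhex(v) for v in (
    "e13b9f0875f09361dc77fcc4481ea463c073716249719193",
    "614b835b4694c059f12d3aedd34f3db93f3580fb88743b8b",
    "3d0648c0537b7a50e433d7ea9d6672fffc5f42770feab4f9",
    "8eb3f3b23fd2061e4d0b38f832860ae76673ad1a1a52a900",
    "5dcf1bfb56fe16ff723627612f9a48f790f3c47a67f870b8",
    "1e919d99919c8db48168838cece0abfb683da48b9209868b",
    "e8ec10c63d8bf80d36498dfc205dc45d0dd870572d6d8f1d",
    "90177cf5137b8bbf7bcb67a46f86f26cfa5a44cbcaa4e18d",
    "a099a98b0b3f96d5ac8ac375d8da2a7c248004ba11d7ac77",
    "5b9218359cddab4cf8ccc6d54cb7e1b35a36ddc9265c0870",
    "63d2fc6742a7177876476a324b03295bfed99f2eaf1f3897",
    "0583c1b2b616aad0f31cd7a4b1bb0a51e477e94a01bbb4d6",
    "f8866e2528a159df3d6ce244d2b6518d1f0212285a3c2d4a",
    "927054a1e1620b5b02aab0c8c10ed48ae518ea73cba81fcf",
    "ff88bff461dac51e7ab4ca75f47a6259d24820b9995792d1",
    "39f61ae2a8186ae4e3c9bfe0af2cc717f424f41aa67f03fa",
    "edb0665115f2067a46843a4cbbd297d5e83bc1aafc18d1d0",
    "3b3d894e8595a6526073f02ab0f08b99fd9eb208b59ff631",
    "7e5545e6f9ad5f9c183abd043d5acd6eb2dd4da3f02dbc31",
    "67b468720a4b8b92ddfe7960998bb7a0ecf2a26a37598299",
    "413f7b2aecd39a30cec527b4d9710c4473639022451f50d0",
    "1c0457125da0fa4429c07dad859c846cbbd93ab5b91b01bc",
    "770b089cfede6f651e86dd7c15989c8b5321dea9ca608c71",
    "fd862323072b827cee7a7e28e4e2b999647233c3456944bb",
    "7aef9187c96b3f5b79fb98bc76c3574dd06f0e95685e5b3a",
    "ef3a54c4155fe3ad817749629c30adbe897c4f4454c86c49")]
TC1_PATH = [bytes.fromhex(v) for v in (
    "e9ca10eaa811b22ae07fb195e3590a334ea64209942fbae3",
    "38d19f152182c807d3c40b189d3fcbea942f44682439b191",
    "332d33ae0b761a2a8f984b56b2ac2fd4ab08223a69ed1f77",
    "19c7aa7e9eee96504b0e60c6bb5c942d695f0493eb25f80a",
    "5871cffd131d0e04ffe5065bc7875e82d34b40b69dd9f3c1")]

def verify_test_case_1(message: bytes = TC1_MESSAGE) -> bool:
    """True when the Test Case 1 signature authenticates `message` under K."""
    Kc = lmots_pk_candidate(TC1_I, TC1_Q, TC1_C, TC1_Y, message)
    return lms_root_candidate(TC1_I, TC1_Q, Kc, TC1_PATH) == TC1_K

if __name__ == "__main__":
    print("Test Case 1 verifies:", verify_test_case_1())
```

   Swapping H for the SHAKE256-192 or SHAKE256-256 function and the
   constants for n = 24 or 32 is all that is needed to run Test Cases 2
   and 3 through the same two routines, which is the point of the draft:
   the new parameter sets change only the hash and its width, not the
   LMS structure.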
   Test Case 1 Private Key for SHA256-192

   --------------------------------------------
   (note: procedure in Appendix A of RFC8554 is used)
   SEED        000102030405060708090a0b0c0d0e0f
               1011121314151617
   I           202122232425262728292a2b2c2d2e2f
   --------------------------------------------
   --------------------------------------------

   Test Case 1 Public Key for SHA256-192

   --------------------------------------------
   HSS public key
   levels      00000001
   --------------------------------------------
   LMS type    0000000a                         # LMS_SHA256_N24_H5
   LMOTS type  00000008                         # LMOTS_SHA256_N24_W8
   I           202122232425262728292a2b2c2d2e2f
   K           2c571450aed99cfb4f4ac285da148827
               96618314508b12d2
   --------------------------------------------
   --------------------------------------------

   Test Case 1 Message for SHA256-192

   --------------------------------------------
   Message     54657374206d65737361676520666f72  |Test message for|
               205348413235362d3139320a          | SHA256-192.|
   --------------------------------------------

   Test Case 1 Signature for SHA256-192

   --------------------------------------------
   HSS signature
   Nspk        00000000
   sig[0]:
   --------------------------------------------
   LMS signature
   q           00000005
   --------------------------------------------
   LMOTS signature
   LMOTS type  00000008                         # LMOTS_SHA256_N24_W8
   C           0b5040a18c1b5cabcbc85b047402ec62
               94a30dd8da8fc3da
   y[0]        e13b9f0875f09361dc77fcc4481ea463
               c073716249719193
   y[1]        614b835b4694c059f12d3aedd34f3db9
               3f3580fb88743b8b
   y[2]        3d0648c0537b7a50e433d7ea9d6672ff
               fc5f42770feab4f9
   y[3]        8eb3f3b23fd2061e4d0b38f832860ae7
               6673ad1a1a52a900
   y[4]        5dcf1bfb56fe16ff723627612f9a48f7
               90f3c47a67f870b8
   y[5]        1e919d99919c8db48168838cece0abfb
               683da48b9209868b
   y[6]        e8ec10c63d8bf80d36498dfc205dc45d
               0dd870572d6d8f1d
   y[7]        90177cf5137b8bbf7bcb67a46f86f26c
               fa5a44cbcaa4e18d
   y[8]        a099a98b0b3f96d5ac8ac375d8da2a7c
               248004ba11d7ac77
   y[9]        5b9218359cddab4cf8ccc6d54cb7e1b3
               5a36ddc9265c0870
   y[10]       63d2fc6742a7177876476a324b03295b
               fed99f2eaf1f3897
   y[11]       0583c1b2b616aad0f31cd7a4b1bb0a51
               e477e94a01bbb4d6
   y[12]       f8866e2528a159df3d6ce244d2b6518d
               1f0212285a3c2d4a
   y[13]       927054a1e1620b5b02aab0c8c10ed48a
               e518ea73cba81fcf
   y[14]       ff88bff461dac51e7ab4ca75f47a6259
               d24820b9995792d1
   y[15]       39f61ae2a8186ae4e3c9bfe0af2cc717
               f424f41aa67f03fa
   y[16]       edb0665115f2067a46843a4cbbd297d5
               e83bc1aafc18d1d0
   y[17]       3b3d894e8595a6526073f02ab0f08b99
               fd9eb208b59ff631
   y[18]       7e5545e6f9ad5f9c183abd043d5acd6e
               b2dd4da3f02dbc31
   y[19]       67b468720a4b8b92ddfe7960998bb7a0
               ecf2a26a37598299
   y[20]       413f7b2aecd39a30cec527b4d9710c44
               73639022451f50d0
   y[21]       1c0457125da0fa4429c07dad859c846c
               bbd93ab5b91b01bc
   y[22]       770b089cfede6f651e86dd7c15989c8b
               5321dea9ca608c71
   y[23]       fd862323072b827cee7a7e28e4e2b999
               647233c3456944bb
   y[24]       7aef9187c96b3f5b79fb98bc76c3574d
               d06f0e95685e5b3a
   y[25]       ef3a54c4155fe3ad817749629c30adbe
               897c4f4454c86c49
   --------------------------------------------
   LMS type    0000000a                         # LMS_SHA256_N24_H5
   path[0]     e9ca10eaa811b22ae07fb195e3590a33
               4ea64209942fbae3
   path[1]     38d19f152182c807d3c40b189d3fcbea
               942f44682439b191
   path[2]     332d33ae0b761a2a8f984b56b2ac2fd4
               ab08223a69ed1f77
   path[3]     19c7aa7e9eee96504b0e60c6bb5c942d
               695f0493eb25f80a
   path[4]     5871cffd131d0e04ffe5065bc7875e82
               d34b40b69dd9f3c1

   Test Case 2 Private Key for SHAKE256-192

   --------------------------------------------
   (note: procedure in Appendix A of RFC8554 is used)
   SEED        303132333435363738393a3b3c3d3e3f
               4041424344454647
   I           505152535455565758595a5b5c5d5e5f
   --------------------------------------------
   --------------------------------------------

   Test Case 2 Public Key for SHAKE256-192

   --------------------------------------------
   HSS public key
   levels      00000001
   --------------------------------------------
   LMS type    00000014                         # LMS_SHAKE256_N24_H5
   LMOTS type  00000010                         # LMOTS_SHAKE256_N24_W8
   I           505152535455565758595a5b5c5d5e5f
   K           db54a4509901051c01e26d9990e55034
               7986da87924ff0b1
   --------------------------------------------
   --------------------------------------------

   Test Case 2 Message for SHAKE256-192

   --------------------------------------------
   Message     54657374206d65737361676520666f72  |Test message for|
               205348414b453235362d3139320a      | SHAKE256-192.|
   --------------------------------------------

   Test Case 2 Signature for SHAKE256-192

   --------------------------------------------
   HSS signature
   Nspk        00000000
   sig[0]:
   --------------------------------------------
   LMS signature
   q           00000006
   --------------------------------------------
   LMOTS signature
   LMOTS type  00000010                         # LMOTS_SHAKE256_N24_W8
   C           84219da9ce9fffb16edb94527c6d1056
               5587db28062deac4
   y[0]        208e62fc4fbe9d85deb3c6bd2c01640a
               ccb387d8a6093d68
   y[1]        511234a6a1a50108091c034cb1777e02
               b5df466149a66969
   y[2]        a498e4200c0a0c1bf5d100cdb97d2dd4
               0efd3cada278acc5
   y[3]        a570071a043956112c6deebd1eb3a7b5
               6f5f6791515a7b5f
   y[4]        fddb0ec2d9094bfbc889ea15c3c7b9be
               a953efb75ed648f5
   y[5]        35b9acab66a2e9631e426e4e99b733ca
               a6c55963929b77fe
   y[6]        c54a7e703d8162e736875cb6a455d4a9
               015c7a6d8fd5fe75
   y[7]        e402b47036dc3770f4a1dd0a559cb478
               c7fb1726005321be
   y[8]        9d1ac2de94d731ee4ca79cff454c811f
               46d11980909f047b
   y[9]        2005e84b6e15378446b1ca691efe491e
               a98acc9d3c0f785c
   y[10]       aba5e2eb3c306811c240ba2280292382
               7d582639304a1e97
   y[11]       83ba5bc9d69d999a7db8f749770c3c04
               a152856dc726d806
   y[12]       7921465b61b3f847b13b2635a45379e5
               adc6ff58a99b00e6
   y[13]       0ac767f7f30175f9f7a140257e218be3
               07954b1250c9b419
   y[14]       02c4fa7c90d8a592945c66e86a76defc
               b84500b55598a199
   y[15]       0faaa10077c74c94895731585c8f900d
               e1a1c675bd8b0c18
   y[16]       0ebe2b5eb3ef8019ece3e1ea7223eb79
               06a2042b6262b4aa
   y[17]       25c4b8a05f205c8befeef11ceff12825
               08d71bc2a8cfa0a9
   y[18]       9f73f3e3a74bb4b3c0d8ca2abd0e1c2c
               17dafe18b4ee2298
   y[19]       e87bcfb1305b3c069e6d385569a4067e
               d547486dd1a50d6f
   y[20]       4a58aab96e2fa883a9a39e1bd45541ee
               e94efc32faa9a94b
   y[21]       e66dc8538b2dab05aee5efa6b3b2efb3
               fd020fe789477a93
   y[22]       afff9a3e636dbba864a5bffa3e28d13d
               49bb597d94865bde
   y[23]       88c4627f206ab2b465084d6b780666e9
               52f8710efd748bd0
   y[24]       f1ae8f1035087f5028f14affcc5fffe3
               32121ae4f87ac5f1
   y[25]       eac9062608c7d87708f1723f38b23237
               a4edf4b49a5cd3d7
   --------------------------------------------
   LMS type    00000014                         # LMS_SHAKE256_N24_H5
   path[0]     dd4bdc8f928fb526f6fb7cdb944a7eba
               a7fb05d995b5721a
   path[1]     27096a5007d82f79d063acd434a04e97
               f61552f7f81a9317
   path[2]     b4ec7c87a5ed10c881928fc6ebce6dfc
               e9daae9cc9dba690
   path[3]     7ca9a9dd5f9f573704d5e6cf22a43b04
               e64c1ffc7e1c442e
   path[4]     cb495ba265f465c56291a902e62a461f
               6dfda232457fad14

   Test Case 3 Private Key for SHAKE256-256

   --------------------------------------------
   (note: procedure in Appendix A of RFC8554 is used)
   SEED        606162636465666768696a6b6c6d6e6f
               707172737475767778797a7b7c7d7e7f
   I           808182838485868788898a8b8c8d8e8f
   --------------------------------------------
   --------------------------------------------

   Test Case 3 Public Key for SHAKE256-256

   --------------------------------------------
   HSS public key
   levels      00000001
   --------------------------------------------
   LMS type    0000000f                         # LMS_SHAKE256_N32_H5
   LMOTS type  0000000c                         # LMOTS_SHAKE256_N32_W8
   I           808182838485868788898a8b8c8d8e8f
   K           9bb7faee411cae806c16a466c3191a8b
               65d0ac31932bbf0c2d07c7a4a36379fe
   --------------------------------------------
   --------------------------------------------

   Test Case 3 Message for SHAKE256-256

   --------------------------------------------
   Message     54657374206d657361676520666f7220  |Test mesage for |
               5348414b453235362d3235360a        |SHAKE256-256.|
   --------------------------------------------

   Test Case 3 Signature for SHAKE256-256

   --------------------------------------------
   HSS signature
   Nspk        00000000
   sig[0]:
   --------------------------------------------
   LMS signature
   q           00000007
   --------------------------------------------
   LMOTS signature
   LMOTS type  0000000c                         # LMOTS_SHAKE256_N32_W8
   C           b82709f0f00e83759190996233d1ee4f
               4ec50534473c02ffa145e8ca2874e32b
   y[0]        16b228118c62b96c9c77678b33183730
               debaade8fe607f05c6697bc971519a34
   y[1]        1d69c00129680b67e75b3bd7d8aa5c8b
               71f02669d177a2a0eea896dcd1660f16
   y[2]        864b302ff321f9c4b8354408d0676050
               4f768ebd4e545a9b0ac058c575078e6c
   y[3]        1403160fb45450d61a9c8c81f6bd69bd
               fa26a16e12a265baf79e9e233eb71af6
   y[4]        34ecc66dc88e10c6e0142942d4843f70
               a0242727bc5a2aabf7b0ec12a99090d8
   y[5]        caeef21303f8ac58b9f200371dc9e41a
               b956e1a3efed9d4bbb38975b46c28d5f
   y[6]        5b3ed19d847bd0a737177263cbc1a226
               2d40e80815ee149b6cce2714384c9b7f
   y[7]        ceb3bbcbd25228dda8306536376f8793
               ecadd6020265dab9075f64c773ef97d0
   y[8]        7352919995b74404cc69a6f3b469445c
               9286a6b2c9f6dc839be76618f053de76
   y[9]        3da3571ef70f805c9cc54b8e501a98b9
               8c70785eeb61737eced78b0e380ded4f
   y[10]       769a9d422786def59700eef3278017ba
               bbe5f9063b468ae0dd61d94f9f99d5cc
   y[11]       36fbec4178d2bda3ad31e1644a2bcce2
               08d72d50a7637851aa908b94dc437612
   y[12]       0d5beab0fb805e1945c41834dd6085e6
               db1a3aa78fcb59f62bde68236a10618c
   y[13]       ff123abe64dae8dabb2e84ca705309c2
               ab986d4f8326ba0642272cb3904eb96f
   y[14]       6f5e3bb8813997881b6a33cac0714e4b
               5e7a882ad87e141931f97d612b84e903
   y[15]       e773139ae377f5ba19ac86198d485fca
               97742568f6ff758120a89bf19059b8a6
   y[16]       bfe2d86b12778164436ab2659ba86676
               7fcc435584125fb7924201ee67b535da
   y[17]       f72c5cb31f5a0b1d926324c26e67d4c3
               836e301aa09bae8fb3f91f1622b1818c
   y[18]       cf440f52ca9b5b9b99aba8a6754aae2b
               967c4954fa85298ad9b1e74f27a46127
   y[19]       c36131c8991f0cc2ba57a15d35c91cf8
               bc48e8e20d625af4e85d8f9402ec44af
   y[20]       bd4792b924b839332a64788a7701a300
               94b9ec4b9f4b648f168bf457fbb3c959
   y[21]       4fa87920b645e42aa2fecc9e21e000ca
               7d3ff914e15c40a8bc533129a7fd3952
   y[22]       9376430f355aaf96a0a13d13f2419141
               b3cc25843e8c90d0e551a355dd90ad77
   y[23]       0ea7255214ce11238605de2f000d2001
               04d0c3a3e35ae64ea10a3eff37ac7e95
   y[24]       49217cdf52f307172e2f6c7a2a4543e1
               4314036525b1ad53eeaddf0e24b1f369
   y[25]       14ed22483f2889f61e62b6fb78f5645b
               dbb02c9e5bf97db7a0004e87c2a55399
   y[26]       b61958786c97bd52fa199c27f6bb4d68
               c4907933562755bfec5d4fb52f06c289
   y[27]       d6e852cf6bc773ffd4c07ee2d6cc55f5
               7edcfbc8e8692a49ad47a121fe3c1b16
   y[28]       cab1cc285faf6793ffad7a8c341a49c5
               d2dce7069e464cb90a00b2903648b23c
   y[29]       81a68e21d748a7e7b1df8a593f3894b2
               477e8316947ca725d141135202a9442e
   y[30]       1db33bbd390d2c04401c39b253b78ce2
               97b0e14755e46ec08a146d279c67af70
   y[31]       de256890804d83d6ec5ca3286f1fca9c
               72abf6ef868e7f6eb0fddda1b040ecec
   y[32]       9bbc69e2fd8618e9db3bdb0af13dda06
               c6617e95afa522d6a2552de15324d991
   y[33]       19f55e9af11ae3d5614b564c642dbfec
               6c644198ce80d2433ac8ee738f9d825e
   --------------------------------------------
   LMS type    0000000f                         # LMS_SHAKE256_N32_H5
   path[0]     71d585a35c3a908379f4072d070311db
               5d65b242b714bc5a756ba5e228abfa0d
   path[1]     1329978a05d5e815cf4d74c1e547ec4a
               a3ca956ae927df8b29fb9fab3917a7a4
   path[2]     ae61ba57e5342e9db12caf6f6dbc5253
               de5268d4b0c4ce4ebe6852f012b162fc
   path[3]     1c12b9ffc3bcb1d3ac8589777655e22c
               d9b99ff1e4346fd0efeaa1da044692e7
   path[4]     ad6bfc337db69849e54411df8920c228
               a2b7762c11e4b1c49efb74486d3931ea

Authors' Addresses

   Scott Fluhrer
   Cisco Systems
   170 West Tasman Drive
   San Jose, CA
   United States of America

   Email: sfluhrer@cisco.com


   Quynh Dang
   NIST
   100 Bureau Drive
   Gaithersburg, MD
   United States of America

   Email: quynh.dang@nist.gov