In the public comments to draft version of NIST Special Publication 800-208, ETSI TC CYBER WG QSC identified a multi-target attack against the method of pseudorandom key generation used in this referrence implementation. ETSI TC CYBER WG QSC suggested using the pseudorandom key generation method from SPHINCS+, however, there is still a multi-user attack against that key generation method.
This commit revises the pseudorandom key generation method by using the method from SPINCS+, but adding SEED as an input in order to protect against multi-user attacks. Since prf() only accepts 32-byte inputs, the new key generation method uses a new PRF. The resulting key generation method is sk[i] = prf_keygen(sk_seed, pub_seed || adrs).
The RFC suggests root||pubseed (in algorithm 10); note that
this choice does not influence interoperability.
Thanks go to Rafael Misoczki for bringing this up.
This ensures that xmss_core and xmss_core_fast offer the same API.
Note that xmss_core_fast still needs a major refactor, and this
wrapper is not exactly very clean. There is a considerable chance
this refactor will change the format of the state in the secret key.
Previous code allocated an array on the stack of mlen bytes, but
it should be possible to also sign heap-space messages. By relying
on the fact that sm and m fit the message + signature, we move
the message so that 4*n bytes of prefix can be added.
This allows different backends to store additional state information
in the secret key while the rest of the codebase remains agnostic.
In particular, this prepares for a common xmss_core.h API for both
the standard and the BDS-traversal-based implementations.