In the public comments to draft version of NIST Special Publication 800-208, ETSI TC CYBER WG QSC identified a multi-target attack against the method of pseudorandom key generation used in this referrence implementation. ETSI TC CYBER WG QSC suggested using the pseudorandom key generation method from SPHINCS+, however, there is still a multi-user attack against that key generation method.
This commit revises the pseudorandom key generation method by using the method from SPINCS+, but adding SEED as an input in order to protect against multi-user attacks. Since prf() only accepts 32-byte inputs, the new key generation method uses a new PRF. The resulting key generation method is sk[i] = prf_keygen(sk_seed, pub_seed || adrs).
The defined-parameters branch should be the new leading branch,
as it supersedes master. This merge is performed using --strategy ours
as there are numerous conflicting changes regarding the different ways
in which SHA3 was added. The master branch is considered to not contain
anything of value that is not contained in the defined-parameters branch.
Prior to merging, the defined-parameters branch was rebased to prevent
the cherry-picked commits from showing up twice.
