3e28db2362
In the public comments to the draft version of NIST Special Publication 800-208, ETSI TC CYBER WG QSC identified a multi-target attack against the method of pseudorandom key generation used in this reference implementation. ETSI TC CYBER WG QSC suggested using the pseudorandom key generation method from SPHINCS+; however, there is still a multi-user attack against that key generation method. This commit revises the pseudorandom key generation method by using the method from SPHINCS+, but adding SEED as an input in order to protect against multi-user attacks. Since prf() only accepts 32-byte inputs, the new key generation method uses a new PRF. The resulting key generation method is sk[i] = prf_keygen(sk_seed, pub_seed || adrs).
test
ui
.gitignore
.travis.yml
fips202.c
fips202.h
hash_address.c
hash_address.h
hash.c
hash.h
LICENSE
Makefile
params.c
params.h
randombytes.c
randombytes.h
README.md
utils.c
utils.h
wots.c
wots.h
xmss_commons.c
xmss_commons.h
xmss_core_fast.c
xmss_core.c
xmss_core.h
xmss.c
xmss.h
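The derivation named in the commit message above, sk[i] = prf_keygen(sk_seed, pub_seed || adrs), as an added Python sketch that is not code from this repository. It assumes the SHA-256, n = 32 parameter sets, the RFC 8391 OTS address layout, and a domain-separation value of 4 for prf_keygen; the helper names other than prf_keygen are hypothetical and the seeds are constructed.

```python
import hashlib
import struct

N = 32               # n for the SHA-256 parameter sets
WOTS_LEN = 67        # WOTS+ chains per key pair for n = 32, w = 16 (RFC 8391)
PAD_PRF_KEYGEN = 4   # assumed domain-separation value, not read from hash.c

def ots_adrs(layer, tree, ots, chain):
    """32-byte OTS hash address: layer, 64-bit tree, type 0, OTS index,
    chain index, then hash address and keyAndMask fixed to 0."""
    return struct.pack(">IQIIIII", layer, tree, 0, ots, chain, 0, 0)

def prf_keygen(key, msg):
    """SHA-256(toByte(4, 32) || key || msg), with msg = pub_seed || adrs."""
    if len(key) != N or len(msg) != N + 32:
        raise ValueError("prf_keygen expects an n-byte key and n + 32 bytes of input")
    return hashlib.sha256(PAD_PRF_KEYGEN.to_bytes(N, "big") + key + msg).digest()

def wots_secret_keys(sk_seed, pub_seed, layer, tree, ots):
    """sk[i] = prf_keygen(sk_seed, pub_seed || adrs) for every chain i."""
    return [prf_keygen(sk_seed, pub_seed + ots_adrs(layer, tree, ots, i))
            for i in range(WOTS_LEN)]

def shared_chain_values(keys_a, keys_b):
    """Count chain secrets that two key sets have in common."""
    return len(set(keys_a) & set(keys_b))

if __name__ == "__main__":
    # Constructed seeds: the same secret seed under two different public seeds.
    sk_seed = bytes(range(32))
    user_a = wots_secret_keys(sk_seed, b"\xaa" * 32, 0, 0, 0)
    user_b = wots_secret_keys(sk_seed, b"\xbb" * 32, 0, 0, 0)
    print("chain 0, user A:", user_a[0].hex())
    print("chain 0, user B:", user_b[0].hex())
    print("values in common:", shared_chain_values(user_a, user_b))
```

Because pub_seed is part of the hashed input, a value computed for one key pair at a given address says nothing about another key pair at the same address, which is the multi-user protection the commit message refers to.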
XMSS reference code
This repository contains the reference implementation that accompanies RFC 8391: "XMSS: eXtended Merkle Signature Scheme".
This reference implementation supports all parameter sets as defined in the RFC at run-time (specified by prefixing the public and private keys with a 32-bit oid). Implementations that want to use compile-time parameter sets can remove the struct xmss_params function parameter, and globally replace the use of its attributes by compile-time constants.
Please note that this reference implementation is intended for cross-validation and experimenting. Deploying cryptographic code in practice requires careful consideration of the specific deployment scenario and relevant threat model. This holds perhaps doubly so for stateful signature schemes such as XMSS.
When using the current code base, please be careful, expect changes and watch this document for further documentation. In particular, xmss_core_fast.c is long overdue for a serious clean-up. While this will not change its public API or output, it may affect the storage format of the BDS state (i.e. part of the secret key).
Dependencies
For the SHA-2 hash functions (i.e. SHA-256 and SHA-512), we rely on OpenSSL. Make sure to install the OpenSSL development headers. On Debian-based systems, this is achieved by installing the OpenSSL development package libssl-dev.
License
This reference implementation was written by Andreas Hülsing and Joost Rijneveld. All included code is available under the CC0 1.0 Universal Public Domain Dedication.