Tech-invite3GPPspaceIETFspace
959493929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 8554

Leighton-Micali Hash-Based Signatures

Pages: 61
Informational
Errata
Part 4 of 4 – Pages 45 to 61
First   Prev   None

Top   ToC   RFC8554 - Page 45   prevText

Appendix A. Pseudorandom Key Generation

An implementation MAY use the following pseudorandom process for generating an LMS private key. SEED is an m-byte value that is generated uniformly at random at the start of the process, I is the LMS key pair identifier, q denotes the LMS leaf number of an LM-OTS private key, x_q denotes the x array of private elements in the LM-OTS private key with leaf number q, i is the index of the private key element, and H is the hash function used in LM-OTS. The elements of the LM-OTS private keys are computed as: x_q[i] = H(I || u32str(q) || u16str(i) || u8str(0xff) || SEED). This process stretches the m-byte random value SEED into a (much larger) set of pseudorandom values, using a unique counter in each invocation of H. The format of the inputs to H are chosen so that they are distinct from all other uses of H in LMS and LM-OTS. A careful reader will note that this is similar to the hash we perform when iterating through the Winternitz chain; however, in that chain, the iteration index will vary between 0 and 254 maximum (for W=8), while the corresponding value in this formula is 255. This algorithm is included in the proof of security in [Fluhrer17] and hence this method is safe when used within the LMS system; however, any other cryptographically secure method of generating private keys would also be safe.

Appendix B. LM-OTS Parameter Options

The LM-OTS one-time signature method uses several internal parameters, which are a function of the selected parameter set. These internal parameters include the following: p This is the number of independent Winternitz chains used in the signature; it will be the number of w-bit digits needed to hold the n-bit hash (u in the below equations), along with the number of digits needed to hold the checksum (v in the below equations)
Top   ToC   RFC8554 - Page 46
   ls    This is the size of the shift needed to move the checksum so
         that it appears in the checksum digits

   ls is needed because, while we express the checksum internally as a
   16-bit value, we don't always express all 16 bits in the signature;
   for example, if w=4, we might use only the top 12 bits.  Because we
   read the checksum in network order, this means that, without the
   shift, we'll use the higher-order bits (which may be always 0) and
   omit the lower-order bits (where the checksum value actually
   resides).  This shift is here to ensure that the parts of the
   checksum we need to express (for security) actually contribute to the
   signature; when multiple such shifts are possible, we take the
   minimal value.

   The parameters ls and p are computed as follows:

     u = ceil(8*n/w)
     v = ceil((floor(lg((2^w - 1) * u)) + 1) / w)
     ls = 16 - (v * w)
     p = u + v

   Here, u and v represent the number of w-bit fields required to
   contain the hash of the message and the checksum byte strings,
   respectively.  And as the value of p is the number of w-bit elements
   of ( H(message) || Cksm(H(message)) ), it is also equivalently the
   number of byte strings that form the private key and the number of
   byte strings in the signature.  The value 16 in the ls computation of
   ls corresponds to the 16-bit value used for the sum variable in
   Algorithm 2 in Section 4.4

   A table illustrating various combinations of n and w with the
   associated values of u, v, ls, and p is provided in Table 6.
Top   ToC   RFC8554 - Page 47
   +---------+------------+-----------+-----------+-------+------------+
   |   Hash  | Winternitz |   w-bit   |   w-bit   |  Left |   Total    |
   |  Length | Parameter  |  Elements |  Elements | Shift | Number of  |
   |    in   |    (w)     |  in Hash  |     in    |  (ls) |   w-bit    |
   |  Bytes  |            |    (u)    |  Checksum |       |  Elements  |
   |   (n)   |            |           |    (v)    |       |    (p)     |
   +---------+------------+-----------+-----------+-------+------------+
   |    32   |     1      |    256    |     9     |   7   |    265     |
   |         |            |           |           |       |            |
   |    32   |     2      |    128    |     5     |   6   |    133     |
   |         |            |           |           |       |            |
   |    32   |     4      |     64    |     3     |   4   |     67     |
   |         |            |           |           |       |            |
   |    32   |     8      |     32    |     2     |   0   |     34     |
   +---------+------------+-----------+-----------+-------+------------+

                                  Table 6

Appendix C. An Iterative Algorithm for Computing an LMS Public Key

The LMS public key can be computed using the following algorithm or any equivalent method. The algorithm uses a stack of hashes for data. It also makes use of a hash function with the typical init/update/final interface to hash functions; the result of the invocations hash_init(), hash_update(N[1]), hash_update(N[2]), ... , hash_update(N[n]), v = hash_final(), in that order, is identical to that of the invocation of H(N[1] || N[2] || ... || N[n]). Generating an LMS Public Key from an LMS Private Key for ( i = 0; i < 2^h; i = i + 1 ) { r = i + num_lmots_keys; temp = H(I || u32str(r) || u16str(D_LEAF) || OTS_PUB_HASH[i]) j = i; while (j % 2 == 1) { r = (r - 1)/2; j = (j-1) / 2; left_side = pop(data stack); temp = H(I || u32str(r) || u16str(D_INTR) || left_side || temp) } push temp onto the data stack } public_key = pop(data stack)
Top   ToC   RFC8554 - Page 48
   Note that this pseudocode expects that all 2^h leaves of the tree
   have equal depth -- that is, it expects num_lmots_keys to be a power
   of 2.  The maximum depth of the stack will be h-1 elements -- that
   is, a total of (h-1)*n bytes; for the currently defined parameter
   sets, this will never be more than 768 bytes of data.

Appendix D. Method for Deriving Authentication Path for a Signature

The LMS signature consists of u32str(q) || lmots_signature || u32str(type) || path[0] || path[1] || ... || path[h-1]. This appendix shows one method of constructing this signature, assuming that the implementation has stored the T[] array that was used to construct the public key. Note that this is not the only possible method; other methods exist that don't assume that you have the entire T[] array in memory. To construct a signature, you perform the following algorithm: Generating an LMS Signature 1. Set type to the typecode of the LMS algorithm. 2. Extract h from the typecode, according to Table 2. 3. Create the LM-OTS signature for the message: ots_signature = lmots_sign(message, LMS_PRIV[q]) 4. Compute the array path as follows: i = 0 r = 2^h + q while (i < h) { temp = (r / 2^i) xor 1 path[i] = T[temp] i = i + 1 } 5. S = u32str(q) || ots_signature || u32str(type) || path[0] || path[1] || ... || path[h-1] 6. q = q + 1 7. Return S. Here "xor" is the bitwise exclusive-or operation, and / is integer division (that is, rounded down to an integer value).
Top   ToC   RFC8554 - Page 49

Appendix E. Example Implementation

An example implementation can be found online at <https://github.com/cisco/hash-sigs>.

Appendix F. Test Cases

This section provides test cases that can be used to verify or debug an implementation. This data is formatted with the name of the elements on the left and the hexadecimal value of the elements on the right. The concatenation of all of the values within a public key or signature produces that public key or signature, and values that do not fit within a single line are listed across successive lines. Test Case 1 Public Key -------------------------------------------- HSS public key levels 00000002 -------------------------------------------- LMS type 00000005 # LM_SHA256_M32_H5 LMOTS type 00000004 # LMOTS_SHA256_N32_W8 I 61a5d57d37f5e46bfb7520806b07a1b8 K 50650e3b31fe4a773ea29a07f09cf2ea 30e579f0df58ef8e298da0434cb2b878 -------------------------------------------- -------------------------------------------- Test Case 1 Message -------------------------------------------- Message 54686520706f77657273206e6f742064 |The powers not d| 656c65676174656420746f2074686520 |elegated to the | 556e6974656420537461746573206279 |United States by| 2074686520436f6e737469747574696f | the Constitutio| 6e2c206e6f722070726f686962697465 |n, nor prohibite| 6420627920697420746f207468652053 |d by it to the S| 74617465732c20617265207265736572 |tates, are reser| 76656420746f20746865205374617465 |ved to the State| 7320726573706563746976656c792c20 |s respectively, | 6f7220746f207468652070656f706c65 |or to the people| 2e0a |..| --------------------------------------------
Top   ToC   RFC8554 - Page 50
   Test Case 1 Signature

   --------------------------------------------
   HSS signature
   Nspk        00000001
   sig[0]:
   --------------------------------------------
   LMS signature
   q           00000005
   --------------------------------------------
   LMOTS signature
   LMOTS type  00000004                         # LMOTS_SHA256_N32_W8
   C           d32b56671d7eb98833c49b433c272586
               bc4a1c8a8970528ffa04b966f9426eb9
   y[0]        965a25bfd37f196b9073f3d4a232feb6
               9128ec45146f86292f9dff9610a7bf95
   y[1]        a64c7f60f6261a62043f86c70324b770
               7f5b4a8a6e19c114c7be866d488778a0
   y[2]        e05fd5c6509a6e61d559cf1a77a970de
               927d60c70d3de31a7fa0100994e162a2
   y[3]        582e8ff1b10cd99d4e8e413ef469559f
               7d7ed12c838342f9b9c96b83a4943d16
   y[4]        81d84b15357ff48ca579f19f5e71f184
               66f2bbef4bf660c2518eb20de2f66e3b
   y[5]        14784269d7d876f5d35d3fbfc7039a46
               2c716bb9f6891a7f41ad133e9e1f6d95
   y[6]        60b960e7777c52f060492f2d7c660e14
               71e07e72655562035abc9a701b473ecb
   y[7]        c3943c6b9c4f2405a3cb8bf8a691ca51
               d3f6ad2f428bab6f3a30f55dd9625563
   y[8]        f0a75ee390e385e3ae0b906961ecf41a
               e073a0590c2eb6204f44831c26dd768c
   y[9]        35b167b28ce8dc988a3748255230cef9
               9ebf14e730632f27414489808afab1d1
   y[10]       e783ed04516de012498682212b078105
               79b250365941bcc98142da13609e9768
   y[11]       aaf65de7620dabec29eb82a17fde35af
               15ad238c73f81bdb8dec2fc0e7f93270
   y[12]       1099762b37f43c4a3c20010a3d72e2f6
               06be108d310e639f09ce7286800d9ef8
   y[13]       a1a40281cc5a7ea98d2adc7c7400c2fe
               5a101552df4e3cccfd0cbf2ddf5dc677
   y[14]       9cbbc68fee0c3efe4ec22b83a2caa3e4
               8e0809a0a750b73ccdcf3c79e6580c15
   y[15]       4f8a58f7f24335eec5c5eb5e0cf01dcf
               4439424095fceb077f66ded5bec73b27
   y[16]       c5b9f64a2a9af2f07c05e99e5cf80f00
               252e39db32f6c19674f190c9fbc506d8
Top   ToC   RFC8554 - Page 51
   y[17]       26857713afd2ca6bb85cd8c107347552
               f30575a5417816ab4db3f603f2df56fb
   y[18]       c413e7d0acd8bdd81352b2471fc1bc4f
               1ef296fea1220403466b1afe78b94f7e
   y[19]       cf7cc62fb92be14f18c2192384ebceaf
               8801afdf947f698ce9c6ceb696ed70e9
   y[20]       e87b0144417e8d7baf25eb5f70f09f01
               6fc925b4db048ab8d8cb2a661ce3b57a
   y[21]       da67571f5dd546fc22cb1f97e0ebd1a6
               5926b1234fd04f171cf469c76b884cf3
   y[22]       115cce6f792cc84e36da58960c5f1d76
               0f32c12faef477e94c92eb75625b6a37
   y[23]       1efc72d60ca5e908b3a7dd69fef02491
               50e3eebdfed39cbdc3ce9704882a2072
   y[24]       c75e13527b7a581a556168783dc1e975
               45e31865ddc46b3c957835da252bb732
   y[25]       8d3ee2062445dfb85ef8c35f8e1f3371
               af34023cef626e0af1e0bc017351aae2
   y[26]       ab8f5c612ead0b729a1d059d02bfe18e
               fa971b7300e882360a93b025ff97e9e0
   y[27]       eec0f3f3f13039a17f88b0cf808f4884
               31606cb13f9241f40f44e537d302c64a
   y[28]       4f1f4ab949b9feefadcb71ab50ef27d6
               d6ca8510f150c85fb525bf25703df720
   y[29]       9b6066f09c37280d59128d2f0f637c7d
               7d7fad4ed1c1ea04e628d221e3d8db77
   y[30]       b7c878c9411cafc5071a34a00f4cf077
               38912753dfce48f07576f0d4f94f42c6
   y[31]       d76f7ce973e9367095ba7e9a3649b7f4
               61d9f9ac1332a4d1044c96aefee67676
   y[32]       401b64457c54d65fef6500c59cdfb69a
               f7b6dddfcb0f086278dd8ad0686078df
   y[33]       b0f3f79cd893d314168648499898fbc0
               ced5f95b74e8ff14d735cdea968bee74
   --------------------------------------------
   LMS type    00000005                         # LM_SHA256_M32_H5
   path[0]     d8b8112f9200a5e50c4a262165bd342c
               d800b8496810bc716277435ac376728d
   path[1]     129ac6eda839a6f357b5a04387c5ce97
               382a78f2a4372917eefcbf93f63bb591
   path[2]     12f5dbe400bd49e4501e859f885bf073
               6e90a509b30a26bfac8c17b5991c157e
   path[3]     b5971115aa39efd8d564a6b90282c316
               8af2d30ef89d51bf14654510a12b8a14
   path[4]     4cca1848cf7da59cc2b3d9d0692dd2a2
               0ba3863480e25b1b85ee860c62bf5136
   --------------------------------------------
Top   ToC   RFC8554 - Page 52
   LMS public key
   LMS type    00000005                         # LM_SHA256_M32_H5
   LMOTS type  00000004                         # LMOTS_SHA256_N32_W8
   I           d2f14ff6346af964569f7d6cb880a1b6
   K           6c5004917da6eafe4d9ef6c6407b3db0
               e5485b122d9ebe15cda93cfec582d7ab
   --------------------------------------------
   final_signature:
   --------------------------------------------
   LMS signature
   q           0000000a
   --------------------------------------------
   LMOTS signature
   LMOTS type  00000004                         # LMOTS_SHA256_N32_W8
   C           0703c491e7558b35011ece3592eaa5da
               4d918786771233e8353bc4f62323185c
   y[0]        95cae05b899e35dffd71705470620998
               8ebfdf6e37960bb5c38d7657e8bffeef
   y[1]        9bc042da4b4525650485c66d0ce19b31
               7587c6ba4bffcc428e25d08931e72dfb
   y[2]        6a120c5612344258b85efdb7db1db9e1
               865a73caf96557eb39ed3e3f426933ac
   y[3]        9eeddb03a1d2374af7bf771855774562
               37f9de2d60113c23f846df26fa942008
   y[4]        a698994c0827d90e86d43e0df7f4bfcd
               b09b86a373b98288b7094ad81a0185ac
   y[5]        100e4f2c5fc38c003c1ab6fea479eb2f
               5ebe48f584d7159b8ada03586e65ad9c
   y[6]        969f6aecbfe44cf356888a7b15a3ff07
               4f771760b26f9c04884ee1faa329fbf4
   y[7]        e61af23aee7fa5d4d9a5dfcf43c4c26c
               e8aea2ce8a2990d7ba7b57108b47dabf
   y[8]        beadb2b25b3cacc1ac0cef346cbb90fb
               044beee4fac2603a442bdf7e507243b7
   y[9]        319c9944b1586e899d431c7f91bcccc8
               690dbf59b28386b2315f3d36ef2eaa3c
   y[10]       f30b2b51f48b71b003dfb08249484201
               043f65f5a3ef6bbd61ddfee81aca9ce6
   y[11]       0081262a00000480dcbc9a3da6fbef5c
               1c0a55e48a0e729f9184fcb1407c3152
   y[12]       9db268f6fe50032a363c9801306837fa
               fabdf957fd97eafc80dbd165e435d0e2
   y[13]       dfd836a28b354023924b6fb7e48bc0b3
               ed95eea64c2d402f4d734c8dc26f3ac5
   y[14]       91825daef01eae3c38e3328d00a77dc6
               57034f287ccb0f0e1c9a7cbdc828f627
   y[15]       205e4737b84b58376551d44c12c3c215
               c812a0970789c83de51d6ad787271963
Top   ToC   RFC8554 - Page 53
   y[16]       327f0a5fbb6b5907dec02c9a90934af5
               a1c63b72c82653605d1dcce51596b3c2
   y[17]       b45696689f2eb382007497557692caac
               4d57b5de9f5569bc2ad0137fd47fb47e
   y[18]       664fcb6db4971f5b3e07aceda9ac130e
               9f38182de994cff192ec0e82fd6d4cb7
   y[19]       f3fe00812589b7a7ce51544045643301
               6b84a59bec6619a1c6c0b37dd1450ed4
   y[20]       f2d8b584410ceda8025f5d2d8dd0d217
               6fc1cf2cc06fa8c82bed4d944e71339e
   y[21]       ce780fd025bd41ec34ebff9d4270a322
               4e019fcb444474d482fd2dbe75efb203
   y[22]       89cc10cd600abb54c47ede93e08c114e
               db04117d714dc1d525e11bed8756192f
   y[23]       929d15462b939ff3f52f2252da2ed64d
               8fae88818b1efa2c7b08c8794fb1b214
   y[24]       aa233db3162833141ea4383f1a6f120b
               e1db82ce3630b3429114463157a64e91
   y[25]       234d475e2f79cbf05e4db6a9407d72c6
               bff7d1198b5c4d6aad2831db61274993
   y[26]       715a0182c7dc8089e32c8531deed4f74
               31c07c02195eba2ef91efb5613c37af7
   y[27]       ae0c066babc69369700e1dd26eddc0d2
               16c781d56e4ce47e3303fa73007ff7b9
   y[28]       49ef23be2aa4dbf25206fe45c20dd888
               395b2526391a724996a44156beac8082
   y[29]       12858792bf8e74cba49dee5e8812e019
               da87454bff9e847ed83db07af3137430
   y[30]       82f880a278f682c2bd0ad6887cb59f65
               2e155987d61bbf6a88d36ee93b6072e6
   y[31]       656d9ccbaae3d655852e38deb3a2dcf8
               058dc9fb6f2ab3d3b3539eb77b248a66
   y[32]       1091d05eb6e2f297774fe6053598457c
               c61908318de4b826f0fc86d4bb117d33
   y[33]       e865aa805009cc2918d9c2f840c4da43
               a703ad9f5b5806163d7161696b5a0adc
   --------------------------------------------
   LMS type    00000005                         # LM_SHA256_M32_H5
   path[0]     d5c0d1bebb06048ed6fe2ef2c6cef305
               b3ed633941ebc8b3bec9738754cddd60
   path[1]     e1920ada52f43d055b5031cee6192520
               d6a5115514851ce7fd448d4a39fae2ab
   path[2]     2335b525f484e9b40d6a4a969394843b
               dcf6d14c48e8015e08ab92662c05c6e9
   path[3]     f90b65a7a6201689999f32bfd368e5e3
               ec9cb70ac7b8399003f175c40885081a
   path[4]     09ab3034911fe125631051df0408b394
               6b0bde790911e8978ba07dd56c73e7ee
Top   ToC   RFC8554 - Page 54
   Test Case 2 Private Key

   --------------------------------------------
   (note: procedure in Appendix A is used)
   Top level LMS tree
   SEED        558b8966c48ae9cb898b423c83443aae
               014a72f1b1ab5cc85cf1d892903b5439
   I           d08fabd4a2091ff0a8cb4ed834e74534
   Second level LMS tree
   SEED        a1c4696e2608035a886100d05cd99945
               eb3370731884a8235e2fb3d4d71f2547
   I           215f83b7ccb9acbcd08db97b0d04dc2b
   --------------------------------------------
   --------------------------------------------

   Test Case 2 Public Key

   --------------------------------------------
   HSS public key
   levels      00000002
   --------------------------------------------
   LMS type    00000006                         # LM_SHA256_M32_H10
   LMOTS type  00000003                         # LMOTS_SHA256_N32_W4
   I           d08fabd4a2091ff0a8cb4ed834e74534
   K           32a58885cd9ba0431235466bff9651c6
               c92124404d45fa53cf161c28f1ad5a8e
   --------------------------------------------
   --------------------------------------------

   Test Case 2 Message

   --------------------------------------------
   Message     54686520656e756d65726174696f6e20  |The enumeration |
               696e2074686520436f6e737469747574  |in the Constitut|
               696f6e2c206f66206365727461696e20  |ion, of certain |
               7269676874732c207368616c6c206e6f  |rights, shall no|
               7420626520636f6e7374727565642074  |t be construed t|
               6f2064656e79206f7220646973706172  |o deny or dispar|
               616765206f7468657273207265746169  |age others retai|
               6e6564206279207468652070656f706c  |ned by the peopl|
               652e0a                            |e..|
   --------------------------------------------
Top   ToC   RFC8554 - Page 55
   Test Case 2 Signature

   --------------------------------------------
   HSS signature
   Nspk        00000001
   sig[0]:
   --------------------------------------------
   LMS signature
   q           00000003
   --------------------------------------------
   LMOTS signature
   LMOTS type  00000003                         # LMOTS_SHA256_N32_W4
   C           3d46bee8660f8f215d3f96408a7a64cf
               1c4da02b63a55f62c666ef5707a914ce
   y[0]        0674e8cb7a55f0c48d484f31f3aa4af9
               719a74f22cf823b94431d01c926e2a76
   y[1]        bb71226d279700ec81c9e95fb11a0d10
               d065279a5796e265ae17737c44eb8c59
   y[2]        4508e126a9a7870bf4360820bdeb9a01
               d9693779e416828e75bddd7d8c70d50a
   y[3]        0ac8ba39810909d445f44cb5bb58de73
               7e60cb4345302786ef2c6b14af212ca1
   y[4]        9edeaa3bfcfe8baa6621ce88480df237
               1dd37add732c9de4ea2ce0dffa53c926
   y[5]        49a18d39a50788f4652987f226a1d481
               68205df6ae7c58e049a25d4907edc1aa
   y[6]        90da8aa5e5f7671773e941d805536021
               5c6b60dd35463cf2240a9c06d694e9cb
   y[7]        54e7b1e1bf494d0d1a28c0d31acc7516
               1f4f485dfd3cb9578e836ec2dc722f37
   y[8]        ed30872e07f2b8bd0374eb57d22c614e
               09150f6c0d8774a39a6e168211035dc5
   y[9]        2988ab46eaca9ec597fb18b4936e66ef
               2f0df26e8d1e34da28cbb3af75231372
   y[10]       0c7b345434f72d65314328bbb030d0f0
               f6d5e47b28ea91008fb11b05017705a8
   y[11]       be3b2adb83c60a54f9d1d1b2f476f9e3
               93eb5695203d2ba6ad815e6a111ea293
   y[12]       dcc21033f9453d49c8e5a6387f588b1e
               a4f706217c151e05f55a6eb7997be09d
   y[13]       56a326a32f9cba1fbe1c07bb49fa04ce
               cf9df1a1b815483c75d7a27cc88ad1b1
   y[14]       238e5ea986b53e087045723ce16187ed
               a22e33b2c70709e53251025abde89396
   y[15]       45fc8c0693e97763928f00b2e3c75af3
               942d8ddaee81b59a6f1f67efda0ef81d
   y[16]       11873b59137f67800b35e81b01563d18
               7c4a1575a1acb92d087b517a8833383f
Top   ToC   RFC8554 - Page 56
   y[17]       05d357ef4678de0c57ff9f1b2da61dfd
               e5d88318bcdde4d9061cc75c2de3cd47
   y[18]       40dd7739ca3ef66f1930026f47d9ebaa
               713b07176f76f953e1c2e7f8f271a6ca
   y[19]       375dbfb83d719b1635a7d8a138919579
               44b1c29bb101913e166e11bd5f34186f
   y[20]       a6c0a555c9026b256a6860f4866bd6d0
               b5bf90627086c6149133f8282ce6c9b3
   y[21]       622442443d5eca959d6c14ca8389d12c
               4068b503e4e3c39b635bea245d9d05a2
   y[22]       558f249c9661c0427d2e489ca5b5dde2
               20a90333f4862aec793223c781997da9
   y[23]       8266c12c50ea28b2c438e7a379eb106e
               ca0c7fd6006e9bf612f3ea0a454ba3bd
   y[24]       b76e8027992e60de01e9094fddeb3349
               883914fb17a9621ab929d970d101e45f
   y[25]       8278c14b032bcab02bd15692d21b6c5c
               204abbf077d465553bd6eda645e6c306
   y[26]       5d33b10d518a61e15ed0f092c3222628
               1a29c8a0f50cde0a8c66236e29c2f310
   y[27]       a375cebda1dc6bb9a1a01dae6c7aba8e
               bedc6371a7d52aacb955f83bd6e4f84d
   y[28]       2949dcc198fb77c7e5cdf6040b0f84fa
               f82808bf985577f0a2acf2ec7ed7c0b0
   y[29]       ae8a270e951743ff23e0b2dd12e9c3c8
               28fb5598a22461af94d568f29240ba28
   y[30]       20c4591f71c088f96e095dd98beae456
               579ebbba36f6d9ca2613d1c26eee4d8c
   y[31]       73217ac5962b5f3147b492e8831597fd
               89b64aa7fde82e1974d2f6779504dc21
   y[32]       435eb3109350756b9fdabe1c6f368081
               bd40b27ebcb9819a75d7df8bb07bb05d
   y[33]       b1bab705a4b7e37125186339464ad8fa
               aa4f052cc1272919fde3e025bb64aa8e
   y[34]       0eb1fcbfcc25acb5f718ce4f7c2182fb
               393a1814b0e942490e52d3bca817b2b2
   y[35]       6e90d4c9b0cc38608a6cef5eb153af08
               58acc867c9922aed43bb67d7b33acc51
   y[36]       9313d28d41a5c6fe6cf3595dd5ee63f0
               a4c4065a083590b275788bee7ad875a7
   y[37]       f88dd73720708c6c6c0ecf1f43bbaada
               e6f208557fdc07bd4ed91f88ce4c0de8
   y[38]       42761c70c186bfdafafc444834bd3418
               be4253a71eaf41d718753ad07754ca3e
   y[39]       ffd5960b0336981795721426803599ed
               5b2b7516920efcbe32ada4bcf6c73bd2
   y[40]       9e3fa152d9adeca36020fdeeee1b7395
               21d3ea8c0da497003df1513897b0f547
Top   ToC   RFC8554 - Page 57
   y[41]       94a873670b8d93bcca2ae47e64424b74
               23e1f078d9554bb5232cc6de8aae9b83
   y[42]       fa5b9510beb39ccf4b4e1d9c0f19d5e1
               7f58e5b8705d9a6837a7d9bf99cd1338
   y[43]       7af256a8491671f1f2f22af253bcff54
               b673199bdb7d05d81064ef05f80f0153
   y[44]       d0be7919684b23da8d42ff3effdb7ca0
               985033f389181f47659138003d712b5e
   y[45]       c0a614d31cc7487f52de8664916af79c
               98456b2c94a8038083db55391e347586
   y[46]       2250274a1de2584fec975fb09536792c
               fbfcf6192856cc76eb5b13dc4709e2f7
   y[47]       301ddff26ec1b23de2d188c999166c74
               e1e14bbc15f457cf4e471ae13dcbdd9c
   y[48]       50f4d646fc6278e8fe7eb6cb5c94100f
               a870187380b777ed19d7868fd8ca7ceb
   y[49]       7fa7d5cc861c5bdac98e7495eb0a2cee
               c1924ae979f44c5390ebedddc65d6ec1
   y[50]       1287d978b8df064219bc5679f7d7b264
               a76ff272b2ac9f2f7cfc9fdcfb6a5142
   y[51]       8240027afd9d52a79b647c90c2709e06
               0ed70f87299dd798d68f4fadd3da6c51
   y[52]       d839f851f98f67840b964ebe73f8cec4
               1572538ec6bc131034ca2894eb736b3b
   y[53]       da93d9f5f6fa6f6c0f03ce43362b8414
               940355fb54d3dfdd03633ae108f3de3e
   y[54]       bc85a3ff51efeea3bc2cf27e1658f178
               9ee612c83d0f5fd56f7cd071930e2946
   y[55]       beeecaa04dccea9f97786001475e0294
               bc2852f62eb5d39bb9fbeef75916efe4
   y[56]       4a662ecae37ede27e9d6eadfdeb8f8b2
               b2dbccbf96fa6dbaf7321fb0e701f4d4
   y[57]       29c2f4dcd153a2742574126e5eaccc77
               686acf6e3ee48f423766e0fc466810a9
   y[58]       05ff5453ec99897b56bc55dd49b99114
               2f65043f2d744eeb935ba7f4ef23cf80
   y[59]       cc5a8a335d3619d781e7454826df720e
               ec82e06034c44699b5f0c44a8787752e
   y[60]       057fa3419b5bb0e25d30981e41cb1361
               322dba8f69931cf42fad3f3bce6ded5b
   y[61]       8bfc3d20a2148861b2afc14562ddd27f
               12897abf0685288dcc5c4982f8260268
   y[62]       46a24bf77e383c7aacab1ab692b29ed8
               c018a65f3dc2b87ff619a633c41b4fad
   y[63]       b1c78725c1f8f922f6009787b1964247
               df0136b1bc614ab575c59a16d089917b
   y[64]       d4a8b6f04d95c581279a139be09fcf6e
               98a470a0bceca191fce476f9370021cb
Top   ToC   RFC8554 - Page 58
   y[65]       c05518a7efd35d89d8577c990a5e1996
               1ba16203c959c91829ba7497cffcbb4b
   y[66]       294546454fa5388a23a22e805a5ca35f
               956598848bda678615fec28afd5da61a
   --------------------------------------------
   LMS type    00000006                         # LM_SHA256_M32_H10
   path[0]     b326493313053ced3876db9d23714818
               1b7173bc7d042cefb4dbe94d2e58cd21
   path[1]     a769db4657a103279ba8ef3a629ca84e
               e836172a9c50e51f45581741cf808315
   path[2]     0b491cb4ecbbabec128e7c81a46e62a6
               7b57640a0a78be1cbf7dd9d419a10cd8
   path[3]     686d16621a80816bfdb5bdc56211d72c
               a70b81f1117d129529a7570cf79cf52a
   path[4]     7028a48538ecdd3b38d3d5d62d262465
               95c4fb73a525a5ed2c30524ebb1d8cc8
   path[5]     2e0c19bc4977c6898ff95fd3d310b0ba
               e71696cef93c6a552456bf96e9d075e3
   path[6]     83bb7543c675842bafbfc7cdb88483b3
               276c29d4f0a341c2d406e40d4653b7e4
   path[7]     d045851acf6a0a0ea9c710b805cced46
               35ee8c107362f0fc8d80c14d0ac49c51
   path[8]     6703d26d14752f34c1c0d2c4247581c1
               8c2cf4de48e9ce949be7c888e9caebe4
   path[9]     a415e291fd107d21dc1f084b11582082
               49f28f4f7c7e931ba7b3bd0d824a4570
   --------------------------------------------
   LMS public key
   LMS type    00000005                         # LM_SHA256_M32_H5
   LMOTS type  00000004                         # LMOTS_SHA256_N32_W8
   I           215f83b7ccb9acbcd08db97b0d04dc2b
   K           a1cd035833e0e90059603f26e07ad2aa
               d152338e7a5e5984bcd5f7bb4eba40b7
   --------------------------------------------
   final_signature:
   --------------------------------------------
   LMS signature
   q           00000004
   --------------------------------------------
   LMOTS signature
   LMOTS type  00000004                         # LMOTS_SHA256_N32_W8
   C           0eb1ed54a2460d512388cad533138d24
               0534e97b1e82d33bd927d201dfc24ebb
   y[0]        11b3649023696f85150b189e50c00e98
               850ac343a77b3638319c347d7310269d
   y[1]        3b7714fa406b8c35b021d54d4fdada7b
               9ce5d4ba5b06719e72aaf58c5aae7aca
Top   ToC   RFC8554 - Page 59
   y[2]        057aa0e2e74e7dcfd17a0823429db629
               65b7d563c57b4cec942cc865e29c1dad
   y[3]        83cac8b4d61aacc457f336e6a10b6632
               3f5887bf3523dfcadee158503bfaa89d
   y[4]        c6bf59daa82afd2b5ebb2a9ca6572a60
               67cee7c327e9039b3b6ea6a1edc7fdc3
   y[5]        df927aade10c1c9f2d5ff446450d2a39
               98d0f9f6202b5e07c3f97d2458c69d3c
   y[6]        8190643978d7a7f4d64e97e3f1c4a08a
               7c5bc03fd55682c017e2907eab07e5bb
   y[7]        2f190143475a6043d5e6d5263471f4ee
               cf6e2575fbc6ff37edfa249d6cda1a09
   y[8]        f797fd5a3cd53a066700f45863f04b6c
               8a58cfd341241e002d0d2c0217472bf1
   y[9]        8b636ae547c1771368d9f317835c9b0e
               f430b3df4034f6af00d0da44f4af7800
   y[10]       bc7a5cf8a5abdb12dc718b559b74cab9
               090e33cc58a955300981c420c4da8ffd
   y[11]       67df540890a062fe40dba8b2c1c548ce
               d22473219c534911d48ccaabfb71bc71
   y[12]       862f4a24ebd376d288fd4e6fb06ed870
               5787c5fedc813cd2697e5b1aac1ced45
   y[13]       767b14ce88409eaebb601a93559aae89
               3e143d1c395bc326da821d79a9ed41dc
   y[14]       fbe549147f71c092f4f3ac522b5cc572
               90706650487bae9bb5671ecc9ccc2ce5
   y[15]       1ead87ac01985268521222fb9057df7e
               d41810b5ef0d4f7cc67368c90f573b1a
   y[16]       c2ce956c365ed38e893ce7b2fae15d36
               85a3df2fa3d4cc098fa57dd60d2c9754
   y[17]       a8ade980ad0f93f6787075c3f680a2ba
               1936a8c61d1af52ab7e21f416be09d2a
   y[18]       8d64c3d3d8582968c2839902229f85ae
               e297e717c094c8df4a23bb5db658dd37
   y[19]       7bf0f4ff3ffd8fba5e383a48574802ed
               545bbe7a6b4753533353d73706067640
   y[20]       135a7ce517279cd683039747d218647c
               86e097b0daa2872d54b8f3e508598762
   y[21]       9547b830d8118161b65079fe7bc59a99
               e9c3c7380e3e70b7138fe5d9be255150
   y[22]       2b698d09ae193972f27d40f38dea264a
               0126e637d74ae4c92a6249fa103436d3
   y[23]       eb0d4029ac712bfc7a5eacbdd7518d6d
               4fe903a5ae65527cd65bb0d4e9925ca2
   y[24]       4fd7214dc617c150544e423f450c99ce
               51ac8005d33acd74f1bed3b17b7266a4
   y[25]       a3bb86da7eba80b101e15cb79de9a207
               852cf91249ef480619ff2af8cabca831
Top   ToC   RFC8554 - Page 60
   y[26]       25d1faa94cbb0a03a906f683b3f47a97
               c871fd513e510a7a25f283b196075778
   y[27]       496152a91c2bf9da76ebe089f4654877
               f2d586ae7149c406e663eadeb2b5c7e8
   y[28]       2429b9e8cb4834c83464f079995332e4
               b3c8f5a72bb4b8c6f74b0d45dc6c1f79
   y[29]       952c0b7420df525e37c15377b5f09843
               19c3993921e5ccd97e097592064530d3
   y[30]       3de3afad5733cbe7703c5296263f7734
               2efbf5a04755b0b3c997c4328463e84c
   y[31]       aa2de3ffdcd297baaaacd7ae646e44b5
               c0f16044df38fabd296a47b3a838a913
   y[32]       982fb2e370c078edb042c84db34ce36b
               46ccb76460a690cc86c302457dd1cde1
   y[33]       97ec8075e82b393d542075134e2a17ee
               70a5e187075d03ae3c853cff60729ba4
   --------------------------------------------
   LMS type    00000005                         # LM_SHA256_M32_H5
   path[0]     4de1f6965bdabc676c5a4dc7c35f97f8
               2cb0e31c68d04f1dad96314ff09e6b3d
   path[1]     e96aeee300d1f68bf1bca9fc58e40323
               36cd819aaf578744e50d1357a0e42867
   path[2]     04d341aa0a337b19fe4bc43c2e79964d
               4f351089f2e0e41c7c43ae0d49e7f404
   path[3]     b0f75be80ea3af098c9752420a8ac0ea
               2bbb1f4eeba05238aef0d8ce63f0c6e5
   path[4]     e4041d95398a6f7f3e0ee97cc1591849
               d4ed236338b147abde9f51ef9fd4e1c1

Acknowledgements

Thanks are due to Chirag Shroff, Andreas Huelsing, Burt Kaliski, Eric Osterweil, Ahmed Kosba, Russ Housley, Philip Lafrance, Alexander Truskovsky, Mark Peruzel, and Jim Schaad for constructive suggestions and valuable detailed review. We especially acknowledge Jerry Solinas, Laurie Law, and Kevin Igoe, who pointed out the security benefits of the approach of Leighton and Micali [USPTO5432852], Jonathan Katz, who gave us security guidance, and Bruno Couillard and Jim Goodman for an especially thorough review.
Top   ToC   RFC8554 - Page 61

Authors' Addresses

David McGrew Cisco Systems 13600 Dulles Technology Drive Herndon, VA 20171 United States of America Email: mcgrew@cisco.com Michael Curcio Cisco Systems 7025-2 Kit Creek Road Research Triangle Park, NC 27709-4987 United States of America Email: micurcio@cisco.com Scott Fluhrer Cisco Systems 170 West Tasman Drive San Jose, CA United States of America Email: sfluhrer@cisco.com