Re: [Cfrg] New Version Notification for draft-irtf-cfrg-xmss-hash-based-signatures-03.txt

"A. Huelsing" <> Mon, 15 February 2016 11:55 UTC



We pushed a new version of the XMSS draft for hash-based signatures. The
two main changes are:

1. We incorporate the index of a signature to compute the message
   representative: M' = H(idx || R || M). This allows mitigating speed-ups
   for attacks that collect many signatures and then try to forge a new
   signature by finding a colliding (M,R) pair.
2. We changed the address format to be more implementation-friendly,
   i.e., fields do not cross byte or word boundaries anymore (one exception
   is a 40-bit field that simply does not fit a single word).

Besides, we made some minor remaining fixes. A complete change log can be
found at the end of the draft.

From our side, the content of the draft is done with this update. We are
only considering publishing one more update with test vectors. However,
we are not entirely sure if this makes sense for such a scheme, as it
would easily become 50 - 100 pages (we would have to add all signatures
for a key pair...). We would instead prefer to accompany the draft with
a reference implementation that can be used to validate implementations.

We currently have two independent reference implementations of the last
version of the draft that were tested against each other. We will update
them during the coming days to meet this version.


Stefan, Denis & Andreas
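Added illustration of change 1 above (constructed example, not code from the draft or its reference implementations): a toy cost model showing why putting the signature index into M' = H(idx || R || M) removes the multi-target speed-up. The 4-byte big-endian index encoding, the 4-byte R and the truncation of SHA-256 to a few bits (so brute force finishes instantly) are assumptions of this toy, not the draft's parameters.

```python
import hashlib
import random
import struct

def msg_repr(idx, R, M, nbits=256, with_idx=True):
    """Truncated message representative. with_idx=False models the old
    draft (H(R || M)); with_idx=True models draft-03 (H(idx || R || M)).
    The 4-byte index encoding is an assumption of this toy model."""
    data = (struct.pack(">I", idx) if with_idx else b"") + R + M
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - nbits)

def rand_bytes(rng, n=4):
    return rng.getrandbits(8 * n).to_bytes(n, "big")

def collect_signatures(q, nbits, rng, with_idx):
    """Simulated signer: q signed messages, one per leaf index, fresh R each."""
    sigs = []
    for idx in range(q):
        R, M = rand_bytes(rng), b"constructed message %d" % idx
        sigs.append((idx, R, msg_repr(idx, R, M, nbits, with_idx)))
    return sigs

def match_cost(sigs, nbits, rng, with_idx, M_star=b"other message", cap=10**6):
    """Count hash evaluations until some collected representative is matched.
    Without idx, one evaluation is compared against all q targets at once.
    With idx, a representative is bound to one leaf, so each of the q
    targets costs its own evaluation: the q-fold speed-up disappears."""
    queries = 0
    if not with_idx:
        targets = {h for _, _, h in sigs}
        while queries < cap:
            queries += 1
            if msg_repr(0, rand_bytes(rng), M_star, nbits, False) in targets:
                return queries
    else:
        while queries < cap:
            R_star = rand_bytes(rng)
            for idx, _, h in sigs:
                queries += 1
                if msg_repr(idx, R_star, M_star, nbits, True) == h:
                    return queries
    return queries

def mean_cost(q=32, nbits=12, trials=10, seed=1):
    """Average evaluations needed, keyed by whether idx is part of M'.
    Expected roughly 2^nbits/q without idx versus 2^nbits with idx."""
    out = {}
    for with_idx in (False, True):
        rng = random.Random(seed)
        costs = [match_cost(collect_signatures(q, nbits, rng, with_idx),
                            nbits, rng, with_idx) for _ in range(trials)]
        out[with_idx] = sum(costs) / trials
    return out
```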