RFC Errata
RFC 8391, "XMSS: eXtended Merkle Signature Scheme", May 2018
Source of RFC: IRTF
Errata ID: 6821
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Peter Gordon
Date Reported: 2022-01-24
Section 3.1.5 says:
"Note that the checksum may reach a maximum integer value of len_1 * (w - 1) * 2^8"
It should say:
"Note that the checksum may reach a maximum integer value of len_1 * (w - 1)"
Notes:
The "* 2^8" appears to be a mistake. If the checksum integers could reach those values, the checksum field would overflow, which would potentially allow an attacker to forge a message.
In reality, the correct maximum is just "len_1 * (w - 1)"