RFC Errata
RFC 8391, "XMSS: eXtended Merkle Signature Scheme", May 2018
Source of RFC: IRTFSee Also: RFC 8391 w/ inline errata
Errata ID: 6821
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Peter Gordon
Date Reported: 2022-01-24
Verifier Name: Nick Sullivan
Date Verified: 2025-01-18
Section 3.1.5 says:
"Note that the checksum may reach a maximum integer value of len_1 * (w - 1) * 2^8"
It should say:
"Note that the checksum may reach a maximum integer value of len_1 * (w - 1)"
Notes:
The "* 2^8" appears to be a mistake. If the checksum integers could reach those values, the checksum field would overflow, which would potentially allow an attacker to forge a message.
In reality, the correct maximum is just "len_1 * (w - 1)"
Verified on CFRG list by Bas Westerbaan.