RFC Errata
RFC 8391, "XMSS: eXtended Merkle Signature Scheme", May 2018
Source of RFC: IRTF
Errata ID: 7420
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Rafael Misoczki
Date Reported: 2023-04-11
Section 4.2.2 says:
// Generate reduced XMSS private keys ADRS = toByte(0, 32); for ( layer = 0; layer < d; layer++ ) { ADRS.setLayerAddress(layer); for ( tree = 0; tree < (1 << ((d - 1 - layer) * (h / d))); tree++ ) { ADRS.setTreeAddress(tree); for ( i = 0; i < 2^(h / d); i++ ) { wots_sk[i] = WOTS_genSK(); } setXMSS_SK(SK_MT, wots_sk, tree, layer); } }
It should say:
// Generate reduced XMSS private keys ADRS = toByte(0, 32); for ( layer = 0; layer < d; layer++ ) { ADRS.setLayerAddress(layer); for ( tree = 0; tree < (1 << ((d - 1 - layer) * (h / d))); tree++ ) { ADRS.setTreeAddress(tree); for ( i = 0; i < 2^(h / d); i++ ) { wots_sk[i] = WOTS_genSK(); } setXMSS_SK(SK_MT, wots_sk, tree, layer, ADRS); } }
Notes:
The ADRS variable is created and configured (layer address and tree address fields set) but it is not used anywhere in the for-loop.
It would be more precise if the setXMSS_SK function receives the ADRS variable so that implementers understand that both layer address and tree address fields must be set as defined in this for-loop in order to generate the correct XMSS private key in each iteration of this loop.