RFC Errata
RFC 8391, "XMSS: eXtended Merkle Signature Scheme", May 2018
Source of RFC: IRTF
See Also: RFC 8391 w/ inline errata
Errata ID: 8383
Status: Verified
Type: Technical
Publication Format(s): TEXT
Reported By: Alex J Malozemoff
Date Reported: 2025-04-16
Verifier Name: Nick Sullivan
Date Verified: 2026-01-28
Section 3.1.5 says:
Input: Message M, WOTS+ private key sk, address ADRS, seed SEED
It should say:
Input: private key sk, Message M, WOTS+ seed SEED, address ADRS
Notes:
When used in Algorithm 11 it is called as `WOTS_sign(getWOTS_SK(SK, idx_sig), M', getSEED(SK), ADRS);` that is, the secret key comes first, then the message, then the seed, then finally the address.
--VERIFIER NOTES--
The function signature in Section 3.1.5 lists parameters as (M, sk, ADRS, SEED) but Algorithm 11 calls it with (sk, M', SEED, ADRS). RFC author Andreas Huelsing confirmed the erratum on the CFRG list: https://mailarchive.ietf.org/arch/msg/cfrg/jbfQBMyibkKiQsT4MwOUW1x6lTI/
