RFC Errata
RFC 8391, "XMSS: eXtended Merkle Signature Scheme", May 2018
Source of RFC: IRTF
See Also: RFC 8391 w/ inline errata
Errata ID: 8396
Status: Verified
Type: Technical
Publication Format(s): TEXT
Reported By: Alex J Malozemoff
Date Reported: 2025-04-28
Verifier Name: Nick Sullivan
Date Verified: 2026-01-28
Section 4.1.10 says:
pk_ots = WOTS_pkFromSig(sig_ots, M', SEED, ADRS);
It should say:
pk_ots = WOTS_pkFromSig(M', sig_ots, ADRS, SEED);
Notes:
The call to `WOTS_pkFromSig` in `XMSS_rootFromSig` does not match the signature of Algorithm 6 (Section 3.1.6).
--VERIFIER NOTES--
Section 4.1.10 calls WOTS_pkFromSig with (sig, M', SEED, ADRS) but Algorithm 6 defines it as (M, sig, ADRS, SEED). RFC author Andreas Huelsing confirmed the erratum on the CFRG list: https://mailarchive.ietf.org/arch/msg/cfrg/_rNMOiIzKQS28hyN9USauZVwM54/
