Appendix A. WOTS+ XDR Formats
The WOTS+ signature and public key formats are formally defined using XDR [RFC4506] in order to provide an unambiguous, machine-readable definition. Though XDR is used, these formats are simple and easy to parse without any special tools. Note that this representation includes all optional parameter sets. The same applies for the XMSS and XMSS^MT formats below.

A.1. WOTS+ Parameter Sets
WOTS+ parameter sets are defined using XDR syntax as follows:

/* ots_algorithm_type identifies a particular signature algorithm */
/*
 * Value 0 is named wotsp_reserved; the four parameter sets take 1..4.
 * NOTE(review): every label except wotsp_reserved contains '-'. RFC 4506
 * identifiers are a letter followed by letters, digits or '_', so this
 * listing is not accepted by an XDR compiler as written; a hand-written
 * parser has to carry the numeric values below.
 */
enum ots_algorithm_type {
  wotsp_reserved  = 0x00000000,
  wotsp-sha2_256  = 0x00000001,
  wotsp-sha2_512  = 0x00000002,
  wotsp-shake_256 = 0x00000003,
  wotsp-shake_512 = 0x00000004,
};

A.2. WOTS+ Signatures
WOTS+ signatures are defined using XDR syntax as follows:

/* Byte strings */
/* Fixed-length opaque data: exactly 32 and exactly 64 bytes respectively. */
typedef opaque bytestring32[32];
typedef opaque bytestring64[64];

/*
 * WOTS+ signature body, selected by ots_algorithm_type.
 * Both arms are fixed-length arrays, so the body size follows from the type
 * alone: 67 x 32 bytes for the *_256 sets and 131 x 64 bytes for the *_512
 * sets. A parser can reject input of any other length before reading it.
 * NOTE(review): the second arm is named ..._len18 but is declared with 131
 * elements; name and bound disagree, so confirm the intended length against
 * the parameter definitions in the main text before sizing buffers.
 */
union ots_signature switch (ots_algorithm_type type) {
  case wotsp-sha2_256:
  case wotsp-shake_256:
    bytestring32 ots_sig_n32_len67[67];

  case wotsp-sha2_512:
  case wotsp-shake_512:
    bytestring64 ots_sig_n64_len18[131];

  /* wotsp_reserved and every unlisted value end up here; treat it as a
     parse failure, never as an empty signature. */
  default:
    void;     /* error condition */
};
A.3. WOTS+ Public Keys
WOTS+ public keys are defined using XDR syntax as follows:

/*
 * WOTS+ public key body, selected by ots_algorithm_type.
 * The arms have the same element type and count as the matching
 * ots_signature arms on this page (67 x 32 bytes, 131 x 64 bytes).
 * NOTE(review): as in ots_signature, the second arm is named ..._len18 while
 * its bound is 131; confirm which one is intended.
 */
union ots_pubkey switch (ots_algorithm_type type) {
  case wotsp-sha2_256:
  case wotsp-shake_256:
    bytestring32 ots_pubk_n32_len67[67];

  case wotsp-sha2_512:
  case wotsp-shake_512:
    bytestring64 ots_pubk_n64_len18[131];

  /* Any other discriminant is an error: reject the key. */
  default:
    void;     /* error condition */
};

Appendix B. XMSS XDR Formats
B.1. XMSS Parameter Sets
XMSS parameter sets are defined using XDR syntax as follows:

/* Byte strings */
/* Fixed-length opaque data of exactly 4 bytes. */
typedef opaque bytestring4[4];

/* Definition of parameter sets */
/*
 * Twelve parameter sets numbered 1..12; 0 is named xmss_reserved.
 * The labels presumably read xmss-<hash>_<tree height>_<output bits>; the
 * xmss_path union on this page gives the *_10_* sets 10 path nodes and the
 * *_256 sets 32-byte nodes, which matches that reading.
 * NOTE(review): the labels contain '-', which RFC 4506 does not allow in an
 * identifier, so the listing is not valid XDR compiler input as written.
 */
enum xmss_algorithm_type {
  xmss_reserved      = 0x00000000,

  /* 256 bit classical security, 128 bit post-quantum security */
  xmss-sha2_10_256   = 0x00000001,
  xmss-sha2_16_256   = 0x00000002,
  xmss-sha2_20_256   = 0x00000003,

  /* 512 bit classical security, 256 bit post-quantum security */
  xmss-sha2_10_512   = 0x00000004,
  xmss-sha2_16_512   = 0x00000005,
  xmss-sha2_20_512   = 0x00000006,

  /* 256 bit classical security, 128 bit post-quantum security */
  xmss-shake_10_256  = 0x00000007,
  xmss-shake_16_256  = 0x00000008,
  xmss-shake_20_256  = 0x00000009,

  /* 512 bit classical security, 256 bit post-quantum security */
  xmss-shake_10_512  = 0x0000000A,
  xmss-shake_16_512  = 0x0000000B,
  xmss-shake_20_512  = 0x0000000C,
};

B.2. XMSS Signatures
XMSS signatures are defined using XDR syntax as follows:

/* Authentication path types */
/*
 * One fixed-length array of nodes per parameter set: 10, 16 or 20 nodes of
 * 32 bytes (*_256) or 64 bytes (*_512). The node count is fixed by the
 * algorithm type, so a parser should derive it from the type and never from
 * the amount of data supplied.
 */
union xmss_path switch (xmss_algorithm_type type) {
  case xmss-sha2_10_256:
  case xmss-shake_10_256:
    bytestring32 path_n32_t10[10];

  case xmss-sha2_16_256:
  case xmss-shake_16_256:
    bytestring32 path_n32_t16[16];

  case xmss-sha2_20_256:
  case xmss-shake_20_256:
    bytestring32 path_n32_t20[20];

  case xmss-sha2_10_512:
  case xmss-shake_10_512:
    bytestring64 path_n64_t10[10];

  case xmss-sha2_16_512:
  case xmss-shake_16_512:
    bytestring64 path_n64_t16[16];

  case xmss-sha2_20_512:
  case xmss-shake_20_512:
    bytestring64 path_n64_t20[20];

  /* xmss_reserved and unlisted values: reject. */
  default:
    void;     /* error condition */
};
/* Types for XMSS random strings */
/* One 32-byte string for every *_256 set, one 64-byte string for every
   *_512 set. */
union random_string_xmss switch (xmss_algorithm_type type) {
  case xmss-sha2_10_256:
  case xmss-sha2_16_256:
  case xmss-sha2_20_256:
  case xmss-shake_10_256:
  case xmss-shake_16_256:
  case xmss-shake_20_256:
    bytestring32 rand_n32;

  case xmss-sha2_10_512:
  case xmss-sha2_16_512:
  case xmss-sha2_20_512:
  case xmss-shake_10_512:
  case xmss-shake_16_512:
  case xmss-shake_20_512:
    bytestring64 rand_n64;

  default:
    void;     /* error condition */
};

/* Corresponding WOTS+ type for given XMSS type */
/*
 * NOTE(review): each arm below holds only an ots_algorithm_type label, not a
 * type-and-name declaration, so this union reads as a lookup table from XMSS
 * set to WOTS+ set rather than as a byte layout. Presumably the bytes are
 * those of the matching ots_signature arm; confirm against the main text.
 */
union xmss_ots_signature switch (xmss_algorithm_type type) {
  case xmss-sha2_10_256:
  case xmss-sha2_16_256:
  case xmss-sha2_20_256:
    wotsp-sha2_256;

  case xmss-sha2_10_512:
  case xmss-sha2_16_512:
  case xmss-sha2_20_512:
    wotsp-sha2_512;

  case xmss-shake_10_256:
  case xmss-shake_16_256:
  case xmss-shake_20_256:
    wotsp-shake_256;

  case xmss-shake_10_512:
  case xmss-shake_16_512:
  case xmss-shake_20_512:
    wotsp-shake_512;

  default:
    void;     /* error condition */
};

/* XMSS signature structure */
/*
 * Four members in this order: 4-byte index, random string, WOTS+ signature,
 * authentication path. The last three are selected by the same
 * xmss_algorithm_type, so a parser must apply one parameter set to all of
 * them and reject a signature whose total length does not match that set.
 */
struct xmss_signature {
  /* WOTS+ key pair index */
  bytestring4 idx_sig;
  /* Random string for randomized hashing */
  random_string_xmss rand_string;
  /* WOTS+ signature */
  xmss_ots_signature sig_ots;
  /* authentication path */
  xmss_path nodes;
};

B.3. XMSS Public Keys
XMSS public keys are defined using XDR syntax as follows:

/* Types for bitmask seed */
/*
 * 32-byte seed for the *_256 sets, 64-byte seed for the *_512 sets.
 * NOTE(review): a second union named `seed`, switched on
 * xmssmt_algorithm_type, is defined under C.3 on this page. The two
 * definitions cannot share one XDR namespace as written.
 */
union seed switch (xmss_algorithm_type type) {
  case xmss-sha2_10_256:
  case xmss-sha2_16_256:
  case xmss-sha2_20_256:
  case xmss-shake_10_256:
  case xmss-shake_16_256:
  case xmss-shake_20_256:
    bytestring32 seed_n32;

  case xmss-sha2_10_512:
  case xmss-sha2_16_512:
  case xmss-sha2_20_512:
  case xmss-shake_10_512:
  case xmss-shake_16_512:
  case xmss-shake_20_512:
    bytestring64 seed_n64;

  /* Unknown or reserved type: reject the key. */
  default:
    void;     /* error condition */
};
/* Types for XMSS root node */
/* 32-byte root for the *_256 sets, 64-byte root for the *_512 sets. */
union xmss_root switch (xmss_algorithm_type type) {
  case xmss-sha2_10_256:
  case xmss-sha2_16_256:
  case xmss-sha2_20_256:
  case xmss-shake_10_256:
  case xmss-shake_16_256:
  case xmss-shake_20_256:
    bytestring32 root_n32;

  case xmss-sha2_10_512:
  case xmss-sha2_16_512:
  case xmss-sha2_20_512:
  case xmss-shake_10_512:
  case xmss-shake_16_512:
  case xmss-shake_20_512:
    bytestring64 root_n64;

  default:
    void;     /* error condition */
};

/* XMSS public key structure */
/*
 * Root node followed by the bitmask seed. Both members are selected by
 * xmss_algorithm_type and have the same size for a given set, so the two
 * must be parsed under one parameter set; a key whose length does not match
 * that set should be rejected.
 */
struct xmss_public_key {
  xmss_root root;     /* Root node */
  seed SEED;          /* Seed for bitmasks */
};

Appendix C. XMSS^MT XDR Formats
C.1. XMSS^MT Parameter Sets
XMSS^MT parameter sets are defined using XDR syntax as follows:

/* Byte strings */
/* Fixed-length opaque data of exactly 3, 5 and 8 bytes. */
typedef opaque bytestring3[3];
typedef opaque bytestring5[5];
typedef opaque bytestring8[8];

/* Definition of parameter sets */
/*
 * Thirty-two parameter sets numbered 0x01..0x20; 0 is named xmssmt_reserved.
 * The labels presumably read xmssmt-<hash>_<h>/<d>_<output bits>: the unions
 * under C.2 on this page size the index by the first number ("depends solely
 * on h") and the array of reduced signatures by the second ("depends on d").
 * NOTE(review): the labels contain '-' and '/', neither of which RFC 4506
 * allows in an identifier, so the listing is not valid XDR compiler input as
 * written.
 */
enum xmssmt_algorithm_type {
  xmssmt_reserved        = 0x00000000,

  /* 256 bit classical security, 128 bit post-quantum security */
  xmssmt-sha2_20/2_256   = 0x00000001,
  xmssmt-sha2_20/4_256   = 0x00000002,
  xmssmt-sha2_40/2_256   = 0x00000003,
  xmssmt-sha2_40/4_256   = 0x00000004,
  xmssmt-sha2_40/8_256   = 0x00000005,
  xmssmt-sha2_60/3_256   = 0x00000006,
  xmssmt-sha2_60/6_256   = 0x00000007,
  xmssmt-sha2_60/12_256  = 0x00000008,

  /* 512 bit classical security, 256 bit post-quantum security */
  xmssmt-sha2_20/2_512   = 0x00000009,
  xmssmt-sha2_20/4_512   = 0x0000000A,
  xmssmt-sha2_40/2_512   = 0x0000000B,
  xmssmt-sha2_40/4_512   = 0x0000000C,
  xmssmt-sha2_40/8_512   = 0x0000000D,
  xmssmt-sha2_60/3_512   = 0x0000000E,
  xmssmt-sha2_60/6_512   = 0x0000000F,
  xmssmt-sha2_60/12_512  = 0x00000010,

  /* 256 bit classical security, 128 bit post-quantum security */
  xmssmt-shake_20/2_256  = 0x00000011,
  xmssmt-shake_20/4_256  = 0x00000012,
  xmssmt-shake_40/2_256  = 0x00000013,
  xmssmt-shake_40/4_256  = 0x00000014,
  xmssmt-shake_40/8_256  = 0x00000015,
  xmssmt-shake_60/3_256  = 0x00000016,
  xmssmt-shake_60/6_256  = 0x00000017,
  xmssmt-shake_60/12_256 = 0x00000018,

  /* 512 bit classical security, 256 bit post-quantum security */
  xmssmt-shake_20/2_512  = 0x00000019,
  xmssmt-shake_20/4_512  = 0x0000001A,
  xmssmt-shake_40/2_512  = 0x0000001B,
  xmssmt-shake_40/4_512  = 0x0000001C,
  xmssmt-shake_40/8_512  = 0x0000001D,
  xmssmt-shake_60/3_512  = 0x0000001E,
  xmssmt-shake_60/6_512  = 0x0000001F,
  xmssmt-shake_60/12_512 = 0x00000020,
};
C.2. XMSS^MT Signatures
XMSS^MT signatures are defined using XDR syntax as follows:

/* Type for XMSS^MT key pair index */
/* Depends solely on h */
/*
 * Index width by first number in the label: 20 -> 3 bytes, 40 -> 5 bytes,
 * 60 -> 8 bytes.
 * NOTE(review): the discriminant is declared as xmss_algorithm_type, yet all
 * case labels are xmssmt_algorithm_type values, and random_string_xmssmt
 * below switches on xmssmt_algorithm_type. The two enums reuse the numeric
 * values 1..12 for different sets, so a parser must key this union on the
 * XMSS^MT enum; presumably that is what was meant.
 */
union idx_sig_xmssmt switch (xmss_algorithm_type type) {
  case xmssmt-sha2_20/2_256:
  case xmssmt-sha2_20/4_256:
  case xmssmt-sha2_20/2_512:
  case xmssmt-sha2_20/4_512:
  case xmssmt-shake_20/2_256:
  case xmssmt-shake_20/4_256:
  case xmssmt-shake_20/2_512:
  case xmssmt-shake_20/4_512:
    bytestring3 idx3;

  case xmssmt-sha2_40/2_256:
  case xmssmt-sha2_40/4_256:
  case xmssmt-sha2_40/8_256:
  case xmssmt-sha2_40/2_512:
  case xmssmt-sha2_40/4_512:
  case xmssmt-sha2_40/8_512:
  case xmssmt-shake_40/2_256:
  case xmssmt-shake_40/4_256:
  case xmssmt-shake_40/8_256:
  case xmssmt-shake_40/2_512:
  case xmssmt-shake_40/4_512:
  case xmssmt-shake_40/8_512:
    bytestring5 idx5;

  case xmssmt-sha2_60/3_256:
  case xmssmt-sha2_60/6_256:
  case xmssmt-sha2_60/12_256:
  case xmssmt-sha2_60/3_512:
  case xmssmt-sha2_60/6_512:
  case xmssmt-sha2_60/12_512:
  case xmssmt-shake_60/3_256:
  case xmssmt-shake_60/6_256:
  case xmssmt-shake_60/12_256:
  case xmssmt-shake_60/3_512:
  case xmssmt-shake_60/6_512:
  case xmssmt-shake_60/12_512:
    bytestring8 idx8;

  /* Reserved or unlisted type: reject. */
  default:
    void;     /* error condition */
};

/* Random string: 32 bytes for every *_256 set, 64 bytes for every *_512
   set. */
union random_string_xmssmt switch (xmssmt_algorithm_type type) {
  case xmssmt-sha2_20/2_256:
  case xmssmt-sha2_20/4_256:
  case xmssmt-sha2_40/2_256:
  case xmssmt-sha2_40/4_256:
  case xmssmt-sha2_40/8_256:
  case xmssmt-sha2_60/3_256:
  case xmssmt-sha2_60/6_256:
  case xmssmt-sha2_60/12_256:
  case xmssmt-shake_20/2_256:
  case xmssmt-shake_20/4_256:
  case xmssmt-shake_40/2_256:
  case xmssmt-shake_40/4_256:
  case xmssmt-shake_40/8_256:
  case xmssmt-shake_60/3_256:
  case xmssmt-shake_60/6_256:
  case xmssmt-shake_60/12_256:
    bytestring32 rand_n32;

  case xmssmt-sha2_20/2_512:
  case xmssmt-sha2_20/4_512:
  case xmssmt-sha2_40/2_512:
  case xmssmt-sha2_40/4_512:
  case xmssmt-sha2_40/8_512:
  case xmssmt-sha2_60/3_512:
  case xmssmt-sha2_60/6_512:
  case xmssmt-sha2_60/12_512:
  case xmssmt-shake_20/2_512:
  case xmssmt-shake_20/4_512:
  case xmssmt-shake_40/2_512:
  case xmssmt-shake_40/4_512:
  case xmssmt-shake_40/8_512:
  case xmssmt-shake_60/3_512:
  case xmssmt-shake_60/6_512:
  case xmssmt-shake_60/12_512:
    bytestring64 rand_n64;

  default:
    void;     /* error condition */
};

/* Type for reduced XMSS signatures */
/*
 * One reduced XMSS signature: a fixed-length array of 32-byte (*_256) or
 * 64-byte (*_512) strings. The element counts are consistent with the WOTS+
 * length from Appendix A on this page (67 or 131) plus h/d: 20/2, 40/4 and
 * 60/6 give 10 (77, 141); 20/4, 40/8 and 60/12 give 5 (72, 136); 40/2 and
 * 60/3 give 20 (87, 151).
 * NOTE(review): three defects in the declaration as printed.
 *  - The `switch` keyword is missing after the union name.
 *  - The discriminant type is xmss_algorithm_type although every case label
 *    is an xmssmt_algorithm_type value.
 *  - The three bytestring64 arms are named ..._n32_... although their
 *    elements are 64 bytes; go by the element type, not the name.
 */
union xmss_reduced (xmss_algorithm_type type) {
  case xmssmt-sha2_20/2_256:
  case xmssmt-sha2_40/4_256:
  case xmssmt-sha2_60/6_256:
  case xmssmt-shake_20/2_256:
  case xmssmt-shake_40/4_256:
  case xmssmt-shake_60/6_256:
    bytestring32 xmss_reduced_n32_t77[77];

  case xmssmt-sha2_20/4_256:
  case xmssmt-sha2_40/8_256:
  case xmssmt-sha2_60/12_256:
  case xmssmt-shake_20/4_256:
  case xmssmt-shake_40/8_256:
  case xmssmt-shake_60/12_256:
    bytestring32 xmss_reduced_n32_t72[72];

  case xmssmt-sha2_40/2_256:
  case xmssmt-sha2_60/3_256:
  case xmssmt-shake_40/2_256:
  case xmssmt-shake_60/3_256:
    bytestring32 xmss_reduced_n32_t87[87];

  case xmssmt-sha2_20/2_512:
  case xmssmt-sha2_40/4_512:
  case xmssmt-sha2_60/6_512:
  case xmssmt-shake_20/2_512:
  case xmssmt-shake_40/4_512:
  case xmssmt-shake_60/6_512:
    bytestring64 xmss_reduced_n32_t141[141];

  case xmssmt-sha2_20/4_512:
  case xmssmt-sha2_40/8_512:
  case xmssmt-sha2_60/12_512:
  case xmssmt-shake_20/4_512:
  case xmssmt-shake_40/8_512:
  case xmssmt-shake_60/12_512:
    bytestring64 xmss_reduced_n32_t136[136];

  case xmssmt-sha2_40/2_512:
  case xmssmt-sha2_60/3_512:
  case xmssmt-shake_40/2_512:
  case xmssmt-shake_60/3_512:
    bytestring64 xmss_reduced_n32_t151[151];

  /* Reserved or unlisted type: reject. */
  default:
    void;     /* error condition */
};

/* xmss_reduced_array depends on d */
/*
 * Array of reduced signatures whose length is the second number in the
 * label: 2, 3, 4, 6, 8 or 12.
 * NOTE(review): as with xmss_reduced, the `switch` keyword is missing and
 * the discriminant is typed xmss_algorithm_type while the labels are
 * xmssmt_algorithm_type values.
 */
union xmss_reduced_array (xmss_algorithm_type type) {
  case xmssmt-sha2_20/2_256:
  case xmssmt-sha2_20/2_512:
  case xmssmt-sha2_40/2_256:
  case xmssmt-sha2_40/2_512:
  case xmssmt-shake_20/2_256:
  case xmssmt-shake_20/2_512:
  case xmssmt-shake_40/2_256:
  case xmssmt-shake_40/2_512:
    xmss_reduced xmss_red_arr_d2[2];

  case xmssmt-sha2_60/3_256:
  case xmssmt-sha2_60/3_512:
  case xmssmt-shake_60/3_256:
  case xmssmt-shake_60/3_512:
    xmss_reduced xmss_red_arr_d3[3];

  case xmssmt-sha2_20/4_256:
  case xmssmt-sha2_20/4_512:
  case xmssmt-sha2_40/4_256:
  case xmssmt-sha2_40/4_512:
  case xmssmt-shake_20/4_256:
  case xmssmt-shake_20/4_512:
  case xmssmt-shake_40/4_256:
  case xmssmt-shake_40/4_512:
    xmss_reduced xmss_red_arr_d4[4];

  case xmssmt-sha2_60/6_256:
  case xmssmt-sha2_60/6_512:
  case xmssmt-shake_60/6_256:
  case xmssmt-shake_60/6_512:
    xmss_reduced xmss_red_arr_d6[6];

  case xmssmt-sha2_40/8_256:
  case xmssmt-sha2_40/8_512:
  case xmssmt-shake_40/8_256:
  case xmssmt-shake_40/8_512:
    xmss_reduced xmss_red_arr_d8[8];

  case xmssmt-sha2_60/12_256:
  case xmssmt-sha2_60/12_512:
  case xmssmt-shake_60/12_256:
  case xmssmt-shake_60/12_512:
    xmss_reduced xmss_red_arr_d12[12];

  default:
    void;     /* error condition */
};

/* XMSS^MT signature structure */
/*
 * Index, random string, then the array of d reduced signatures. Every part
 * has a size fixed by the parameter set, so a parser should compute the
 * expected total from the set and reject any signature of a different
 * length.
 * NOTE(review): the last member gives a type (xmss_reduced_array) but no
 * member name.
 */
struct xmssmt_signature {
  /* WOTS+ key pair index */
  idx_sig_xmssmt idx_sig;
  /* Random string for randomized hashing */
  random_string_xmssmt randomness;
  /* Array of d reduced XMSS signatures */
  xmss_reduced_array;
};

C.3. XMSS^MT Public Keys
XMSS^MT public keys are defined using XDR syntax as follows:

/* Types for bitmask seed */
/*
 * 32-byte seed for the *_256 sets, 64-byte seed for the *_512 sets.
 * NOTE(review): B.3 on this page already defines a union named `seed`,
 * switched on xmss_algorithm_type. The two definitions cannot share one XDR
 * namespace as written; an implementation handling both schemes needs
 * distinct names.
 */
union seed switch (xmssmt_algorithm_type type) {
  case xmssmt-sha2_20/2_256:
  case xmssmt-sha2_40/4_256:
  case xmssmt-sha2_60/6_256:
  case xmssmt-sha2_20/4_256:
  case xmssmt-sha2_40/8_256:
  case xmssmt-sha2_60/12_256:
  case xmssmt-sha2_40/2_256:
  case xmssmt-sha2_60/3_256:
  case xmssmt-shake_20/2_256:
  case xmssmt-shake_40/4_256:
  case xmssmt-shake_60/6_256:
  case xmssmt-shake_20/4_256:
  case xmssmt-shake_40/8_256:
  case xmssmt-shake_60/12_256:
  case xmssmt-shake_40/2_256:
  case xmssmt-shake_60/3_256:
    bytestring32 seed_n32;

  case xmssmt-sha2_20/2_512:
  case xmssmt-sha2_40/4_512:
  case xmssmt-sha2_60/6_512:
  case xmssmt-sha2_20/4_512:
  case xmssmt-sha2_40/8_512:
  case xmssmt-sha2_60/12_512:
  case xmssmt-sha2_40/2_512:
  case xmssmt-sha2_60/3_512:
  case xmssmt-shake_20/2_512:
  case xmssmt-shake_40/4_512:
  case xmssmt-shake_60/6_512:
  case xmssmt-shake_20/4_512:
  case xmssmt-shake_40/8_512:
  case xmssmt-shake_60/12_512:
  case xmssmt-shake_40/2_512:
  case xmssmt-shake_60/3_512:
    bytestring64 seed_n64;

  /* Reserved or unlisted type: reject the key. */
  default:
    void;     /* error condition */
};

/* Types for XMSS^MT root node */
/* 32-byte root for the *_256 sets, 64-byte root for the *_512 sets. */
union xmssmt_root switch (xmssmt_algorithm_type type) {
  case xmssmt-sha2_20/2_256:
  case xmssmt-sha2_20/4_256:
  case xmssmt-sha2_40/2_256:
  case xmssmt-sha2_40/4_256:
  case xmssmt-sha2_40/8_256:
  case xmssmt-sha2_60/3_256:
  case xmssmt-sha2_60/6_256:
  case xmssmt-sha2_60/12_256:
  case xmssmt-shake_20/2_256:
  case xmssmt-shake_20/4_256:
  case xmssmt-shake_40/2_256:
  case xmssmt-shake_40/4_256:
  case xmssmt-shake_40/8_256:
  case xmssmt-shake_60/3_256:
  case xmssmt-shake_60/6_256:
  case xmssmt-shake_60/12_256:
    bytestring32 root_n32;

  case xmssmt-sha2_20/2_512:
  case xmssmt-sha2_20/4_512:
  case xmssmt-sha2_40/2_512:
  case xmssmt-sha2_40/4_512:
  case xmssmt-sha2_40/8_512:
  case xmssmt-sha2_60/3_512:
  case xmssmt-sha2_60/6_512:
  case xmssmt-sha2_60/12_512:
  case xmssmt-shake_20/2_512:
  case xmssmt-shake_20/4_512:
  case xmssmt-shake_40/2_512:
  case xmssmt-shake_40/4_512:
  case xmssmt-shake_40/8_512:
  case xmssmt-shake_60/3_512:
  case xmssmt-shake_60/6_512:
  case xmssmt-shake_60/12_512:
    bytestring64 root_n64;

  default:
    void;     /* error condition */
};

/* XMSS^MT public key structure */
/*
 * Root node followed by the bitmask seed. Both members are selected by
 * xmssmt_algorithm_type and have the same size for a given set, so the two
 * must be parsed under one parameter set; a key whose length does not match
 * that set should be rejected.
 */
struct xmssmt_public_key {
  xmssmt_root root;     /* Root node */
  seed SEED;            /* Seed for bitmasks */
};

Acknowledgements
We would like to thank Johannes Braun, Peter Campbell, Florian Caullery, Stephen Farrell, Scott Fluhrer, Burt Kaliski, Adam Langley, Marcos Manzano, David McGrew, Rafael Misoczki, Sean Parkinson, Sebastian Roland, and the Keccak team for their help and comments.
Authors' Addresses
Andreas Huelsing TU Eindhoven P.O. Box 513 Eindhoven 5600 MB The Netherlands Email: ietf@huelsing.net Denis Butin TU Darmstadt Hochschulstrasse 10 Darmstadt 64289 Germany Email: dbutin@cdc.informatik.tu-darmstadt.de Stefan-Lukas Gazdag genua GmbH Domagkstrasse 7 Kirchheim bei Muenchen 85551 Germany Email: ietf@gazdag.de Joost Rijneveld Radboud University Toernooiveld 212 Nijmegen 6525 EC The Netherlands Email: ietf@joostrijneveld.nl Aziz Mohaisen University of Central Florida 4000 Central Florida Blvd Orlando, FL 32816 United States of America Phone: +1 407 823-1294 Email: mohaisen@ieee.org