randombit / botan

Cryptography Toolkit
https://botan.randombit.net
BSD 2-Clause "Simplified" License

XMSS SHAKE parameter identifiers do not match NIST SP 800-208 #4399

Open zugzwang opened 4 days ago

zugzwang commented 4 days ago

After generating an XMSS-SHAKE_10_256 private key and obtaining the public key, the first four bytes are used to identify the parameter set:

$ botan --version
3.6.0
$ botan keygen --algo=XMSS --params=XMSS-SHAKE_10_256 > xmss-shake-10-256.priv
$ botan pkcs8 --pub-out xmss-shake-10-256.priv > xmss-shake-10-256.pub
$ botan asn1print xmss-shake-10-256.pub 
  d= 0, l=  86: SEQUENCE
  d= 1, l=  11:  SEQUENCE
  d= 2, l=   9:   OBJECT                                    XMSS [0.4.0.127.0.15.1.1.13.0]
  d= 1, l=  71:  BIT STRING
  d= 2, l=  68:   OCTET STRING                              0000000749D9FA7DFA0218C96864410A870649ED6F547B5B2D89C4224EDC5C21B8DA78FFE60C74A63394BBBBA11155692EDD8C8439A3CD8BFF12F58A9C31BF58EEE2C6AE

I was expecting to see the identifier 0x00000010 from NIST SP 800-208 (see table 14).

Instead, it looks like the identifier 0x00000007 is matched against the list in appendix B.1 of RFC8391 or Section 8.10.14 of the Botan handbook.

Botan migrated to NIST SP 800-208 (as indicated in the "XMSS Signature Changes", section 6.26 of the handbook), so perhaps the identifiers could also be updated, or else state in that same section that identifiers will remain as before.

FAlbertDev commented 3 days ago

Hi @zugzwang, we also support the parameter sets from NIST SP.800-208. Unfortunately, these sets look very similar to the instances defined in RFC 8391: XMSS-SHAKE256_10_256 (SP.800-208) vs XMSS-SHAKE_10_256 (RFC)

Calling keygen with XMSS-SHAKE256_10_256 should work.
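As an added example (not code from the issue or from Botan), a small Python checker that reads the 4-byte parameter identifier from a raw XMSS public key, such as the OCTET STRING contents shown above, and reports whether the identifier comes from the RFC 8391 table or from the SP 800-208 table, so a key generated under the RFC name can be told apart from one generated under the NIST name. The identifier tables are transcribed from RFC 8391 Appendix B.1 and SP 800-208 Table 14; the SP 800-208 sample key in the test is constructed.

```python
"""Identify the XMSS parameter set announced by a raw public key, which per
RFC 8391 section 4.1.7 is OID || root || SEED: a 4-byte big-endian
parameter-set identifier followed by two n-byte values."""

# (name, assigning document, n = hash output bytes). 0x01..0x0c are the
# RFC 8391 Appendix B.1 sets, 0x0d..0x15 the NIST SP 800-208 Table 14 sets.
# Note the near-identical names XMSS-SHAKE_10_256 and XMSS-SHAKE256_10_256.
PARAMETER_SETS = {
    0x01: ("XMSS-SHA2_10_256", "RFC 8391", 32),
    0x02: ("XMSS-SHA2_16_256", "RFC 8391", 32),
    0x03: ("XMSS-SHA2_20_256", "RFC 8391", 32),
    0x04: ("XMSS-SHA2_10_512", "RFC 8391", 64),
    0x05: ("XMSS-SHA2_16_512", "RFC 8391", 64),
    0x06: ("XMSS-SHA2_20_512", "RFC 8391", 64),
    0x07: ("XMSS-SHAKE_10_256", "RFC 8391", 32),
    0x08: ("XMSS-SHAKE_16_256", "RFC 8391", 32),
    0x09: ("XMSS-SHAKE_20_256", "RFC 8391", 32),
    0x0a: ("XMSS-SHAKE_10_512", "RFC 8391", 64),
    0x0b: ("XMSS-SHAKE_16_512", "RFC 8391", 64),
    0x0c: ("XMSS-SHAKE_20_512", "RFC 8391", 64),
    0x0d: ("XMSS-SHA2_10_192", "SP 800-208", 24),
    0x0e: ("XMSS-SHA2_16_192", "SP 800-208", 24),
    0x0f: ("XMSS-SHA2_20_192", "SP 800-208", 24),
    0x10: ("XMSS-SHAKE256_10_256", "SP 800-208", 32),
    0x11: ("XMSS-SHAKE256_16_256", "SP 800-208", 32),
    0x12: ("XMSS-SHAKE256_20_256", "SP 800-208", 32),
    0x13: ("XMSS-SHAKE256_10_192", "SP 800-208", 24),
    0x14: ("XMSS-SHAKE256_16_192", "SP 800-208", 24),
    0x15: ("XMSS-SHAKE256_20_192", "SP 800-208", 24),
}

def identify_xmss_public_key(pk: bytes) -> tuple[str, str, int]:
    """Look up the identifier in the first four bytes and check that the key
    length is 4 + 2n for that set; raise ValueError for anything else."""
    oid = int.from_bytes(pk[:4], "big")
    if oid not in PARAMETER_SETS:
        raise ValueError(f"unknown XMSS parameter identifier 0x{oid:08x}")
    name, source, n = PARAMETER_SETS[oid]
    if len(pk) != 4 + 2 * n:
        raise ValueError(f"{name} public keys are {4 + 2 * n} bytes, got {len(pk)}")
    return name, source, n

# The 68-byte OCTET STRING contents from the issue's asn1print output.
ISSUE_PUBLIC_KEY = bytes.fromhex(
    "0000000749D9FA7DFA0218C96864410A870649ED6F547B5B2D89C4224EDC5C21B8DA78FF"
    "E60C74A63394BBBBA11155692EDD8C8439A3CD8BFF12F58A9C31BF58EEE2C6AE"
)

if __name__ == "__main__":
    print(identify_xmss_public_key(ISSUE_PUBLIC_KEY))
```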