sphincs / sphincsplus

The SPHINCS+ reference code, accompanying the submission to NIST's Post-Quantum Cryptography project
https://sphincs.org

SPHINCS+ update as per FIPS 205 initial draft #56

Closed blakehartin closed 11 months ago

blakehartin commented 11 months ago

As per the NIST publication, the following changes are proposed to SPHINCS+ in SLH-DSA:

Would be nice if these changes can be incorporated. Thanks in advance!

https://csrc.nist.gov/pubs/fips/205/ipd

• Two new address types were defined, WOTS_PRF and FORS_PRF, which are used for WOTS+ and FORS secret key value generation.
• PK.seed was added as an input to PRF in order to mitigate multi-key attacks.
• For the category 3 and 5 parameter sets that use SHA-2, SHA-256 was replaced with SHA-512 in Hmsg, PRFmsg, H, and Tℓ based on weaknesses that were discovered when using SHA-256 to obtain category 5 security [6, 7, 8].
• R and PK.seed were added as inputs to MGF1 when computing Hmsg for the SHA-2 parameter sets in order to mitigate against multi-target long-message second preimage attacks.
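The SHA-2 instantiations behind three of those bullets (PK.seed as an input to PRF, SHA-512 for categories 3 and 5, and R and PK.seed fed into MGF1 inside Hmsg), written out as an added example following the FIPS 205 definitions; this is not code from the sphincsplus repository, and the seeds, message and compressed address in demo() are constructed values, not official test vectors.

```python
import hashlib

# (n, m) for the SHA-2 parameter sets of FIPS 205: n = security parameter in
# bytes, m = length in bytes of the message digest produced by Hmsg.
SHA2_PARAMS = {
    "SLH-DSA-SHA2-128s": (16, 30), "SLH-DSA-SHA2-128f": (16, 34),
    "SLH-DSA-SHA2-192s": (24, 39), "SLH-DSA-SHA2-192f": (24, 42),
    "SLH-DSA-SHA2-256s": (32, 47), "SLH-DSA-SHA2-256f": (32, 49),
}
WOTS_PRF = 5  # address type added for WOTS+ secret-key generation (FORS_PRF is 6)

def outer_hash(n: int):
    # Category 1 (n = 16) keeps SHA-256; categories 3 and 5 (n = 24, 32) moved
    # Hmsg, PRFmsg, H and T_l to SHA-512 because SHA-256 fell short of category 5.
    return hashlib.sha256 if n == 16 else hashlib.sha512

def mgf1(hash_ctor, seed: bytes, mask_len: int) -> bytes:
    # MGF1 (RFC 8017, B.2.1): concatenate Hash(seed || counter) with a 4-byte
    # big-endian counter until mask_len bytes are available, then truncate.
    out, counter = b"", 0
    while len(out) < mask_len:
        out += hash_ctor(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]

def h_msg(n: int, m: int, R: bytes, pk_seed: bytes, pk_root: bytes, msg: bytes) -> bytes:
    # Hmsg = MGF1-SHA-X(R || PK.seed || SHA-X(R || PK.seed || PK.root || M), m).
    # R and PK.seed enter the MGF1 seed as well as the inner hash, so a digest is
    # bound to one key and one randomizer (the long-message second-preimage fix).
    H = outer_hash(n)
    inner = H(R + pk_seed + pk_root + msg).digest()
    return mgf1(H, R + pk_seed + inner, m)

def prf(n: int, pk_seed: bytes, sk_seed: bytes, adrs_c: bytes) -> bytes:
    # PRF = Trunc_n(SHA-256(PK.seed || toByte(0, 64 - n) || ADRS^c || SK.seed)).
    # PK.seed is the multi-key domain separator; the zero padding fills the first
    # SHA-256 block. adrs_c is the 22-byte compressed address of the SHA-2 variants.
    assert len(adrs_c) == 22
    return hashlib.sha256(pk_seed + bytes(64 - n) + adrs_c + sk_seed).digest()[:n]

def demo(param: str):
    # Constructed sample values (not official test vectors): seeds of repeated bytes
    # and a compressed address for layer 0, tree 0, type WOTS_PRF, key pair 0.
    n, m = SHA2_PARAMS[param]
    R, pk_seed, pk_root, sk_seed = bytes([1]) * n, bytes([2]) * n, bytes([3]) * n, bytes([4]) * n
    adrs_c = bytes(9) + bytes([WOTS_PRF]) + bytes(12)
    return h_msg(n, m, R, pk_seed, pk_root, b"constructed message"), prf(n, pk_seed, sk_seed, adrs_c)
```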

bwesterb commented 11 months ago

SLH-DSA is not final yet. We'll adopt once they are. Current changes are in this PR.