RFC 8391, "XMSS: eXtended Merkle Signature Scheme", May 2018

Source of RFC: cfrg (irtf)

Errata-ID: 8396

Status: Verified
Type: Technical
Reported By: Alex J Malozemoff
Date Reported: 2025-04-28
Verified by: Nick Sullivan
Date Verified: 2026-01-28

Section 4.1.10 says:

pk_ots = WOTS_pkFromSig(sig_ots, M', SEED, ADRS);

It should say:

pk_ots = WOTS_pkFromSig(M', sig_ots, ADRS, SEED);

Notes:

The call to `WOTS_pkFromSig` in `XMSS_rootFromSig` does not match the signature of Algorithm 6 (Section 3.1.6).

--VERIFIER NOTES--
Section 4.1.10 calls WOTS_pkFromSig with (sig, M', SEED, ADRS) but Algorithm 6 defines it as (M, sig, ADRS, SEED). RFC author Andreas Huelsing confirmed the erratum on the CFRG list: https://mailarchive.ietf.org/arch/msg/cfrg/_rNMOiIzKQS28hyN9USauZVwM54/