`20190`

`20190`

`20190`

`20190`

- Node Set
- A set of nodes, each of which is part of a union of tree structures either as a leaf node whose value is the hash of a single data value, or an internal node whose value is the hash of two child nodes. The node set is acyclic, i.e., every node is either a leaf node or the ancestor of two or more leaf nodes, and no node is an ancestor of itself. Every node set has one or more root nodes, i.e., nodes that have no ancestors.
- Rung
- A node from a node set that can be used to authenticate one or more leaf nodes within that node set.
- Ladder
- A collection of one or more rungs that can be used to verify an authentication path.
- Authentication Path
- The set of sibling hash values from a leaf hash value to a rung
- Message
- A set of bytes that are intended to be signed and later verified.

- Classes and data structures are written in all uppercase (e.g. MTLNS)
- Constant values are also written as all uppercase with _ separating words (e.g. MTL_SIG_CONDENSED)
- Variables are written in all lowercase with _ separating words as needed (e.g. left_hash or tree)
- Functions are written in all lower case and proceeded by a comment block that highlights the input and output parameters.

- The signer maintains a dynamic data structure called a Merkle node set. The leaf nodes of the node set correspond to the messages that are being "signed" for later authentication and the internal nodes of the node sets are the hashes of two child nodes. Similar to a Merkle tree structure, ancestors authenticate or "cover" their descendants. A Merkle node set is more general than a Merkle tree in that more than one node can be a root node (i.e., a node without ancestors). For instance, a Merkle node set could include multiple trees.
- As the node set evolves, the signer occasionally selects a set of nodes from the node set that collectively cover all the leaf nodes. Such a set is called a "ladder" and each node within the set is called a "rung." The rungs are selected according to a "binary rung strategy" where each rung is the root of a perfect binary tree (see Section 6.5).
- The signer signs each ladder with the private key of the underlying signature scheme. The signature on the ladder is the "MTL mode signature" of the set of messages covered by the ladder.
- For each message of interest to a verifier, the signer provides the verifier a Merkle authentication path from the leaf node corresponding to the message to a rung in the then-current ladder. Similar to a Merkle tree structure, the authentication path includes the sibling hashes on the path from the leaf node to a rung on the ladder that covers the leaf node.
- If the verifier has a ladder that is "compatible" with the authentication path, the verifier verifies the authentication path on the message relative to the ladder.
- If not, the verifier requests the ladder that the authentication path was computed relative to. (Alternatively, the verifier may request a "full" signature on the message that includes both the authentication path and the signed ladder that it is computed relative to, which could be the current ladder. See Section 9.4 for a description of a full signature.)
- The signer provides the signed ladder together with its signature. (Or, alternatively, a full signature including the authentication path together with a signed ladder.)
- The verifier verifies the signature on the ladder and returns to Step 5.

- H_msg_mtl(R_mtl, PK.seed, PK.root, M) -> md maps a n-byte randomizer, a n-byte public seed, a n-byte public root and a variable-length message to a n-byte hash value md.

- R_mtl is the randomizer for the message digest operation
- PK.seed the public seed from the public key
- PK.root is the public root from the public key
- M is the message being processed.

- PRF_msg(SK.prf, OptRand, M) -> R_mtl maps a n-byte secret PRF key, a n-byte optional random value, and a variable-length message to a n-byte randomizer R_mtl.

- SK.prf is the secret PRF key from the private key.
- OptRand depends on whether an implementation wants deterministic signing. If it does, then OptRand SHOULD be a fixed value, e.g., all 0s or PK.seed. (The SPHINCS+ specification suggests both options in different places for its internal use of OptRand.) If not, then OptRand MUST be a randomly generated value.
- M is the message being processed.

- F(PK.seed, ADRS, M_1) -> md maps a n-byte public seed, a 32-byte address value and a n-byte message value to a n-byte hash value
- H(PK.seed, ADRS, M_1 || M_2) -> md maps a n-byte public seed, a 32-byte address value and the concatenation of two n-byte message values to a n-byte hash value

- PK.seed is the public seed from the public key. This value is a "tweak" to the hash function that separates uses of the function with different public keys (assuming different public keys have different public seeds, as they almost always will if the public seeds are generated at random).
- ADRS is the address associated with the call to the function. This value is another "tweak" that separates uses of the function for different purposes.
- M_1 (input to F) is a n-byte value being hashed.
- M_1 || M_2 (input to H) is the concatenation of two n-byte values being hashed together.

- MTL Message Hash (type MTL_MSG = 16). This type is used in the address value that is prepended to a message when calling PRF_msg to compute a randomizer or when calling H_msg_mtl to compute a data value from a message. For this type, the sixth and seventh words MUST be 0 and the eighth word MUST be the message index (i.e., the leaf index of the corresponding leaf node).
- MTL Data Value (type MTL_DATA = 17). This type is used when calling F to compute a leaf node hash value from a data value. For this type, the sixth and seventh words MUST be 0 and the eighth word MUST be the leaf index.
- MTL Tree (type MTL_TREE = 18). This type is used when calling H to compute an internal node hash value from two child node hash values. For this type, the sixth word MUST be 0, the seventh word MUST be the left index associated with the internal node and the eighth word MUST be the right index associated with the internal node.
- MTL Ladder (type MTL_LADDER = 19). This address type is used in the address value that is prepended to a message when calling the underlying signature scheme to sign a ladder. For this type, the sixth, seventh and eighth words MUST be 0.

- When calling H_msg_mtl to compute a data value from a message, an address value of type MTL_MSG is prepended to the message, where the value also includes the message index
- When calling the underlying signature scheme to sign a ladder, an address value of type MTL_LADDER is prepended to the ladder

- With deterministic hashing, let OptRand be the public seed PK.seed
- With randomized hashing, let OptRand be a random n-byte value
- Compute a randomizer by applying PRF_msg to the secret PRF key, the optional random value and the message prepended with an address value ADRS of type MTL_MSG as described in Section 4.5

- Compute the data value by applying H_msg_mtl to the randomizer, the public seed, the public root and the message prepended with the same address value

- Compute the data value by applying H_msg_mtl to the randomizer, the public seed, the public root and the message prepended with the same address value

- L is the node's left index, a non-negative integer
- R is the node's right index, a non-negative integer
- V is the node's hash value

- L <= leaf_index <= R, ensuring the leaf index is covered by the rung
- (L = 0 or degree <= lsb(L)-1) and R-L+1 = 2^degree, where degree = lsb(R-L+1)-1, ensuring the rung is indeed an apex of a perfect binary tree in the binary rung strategy
- lsb(R-L+1) is less than or equal to the number of sibling hash values in the authentication path, ensuring the authentication path can reach the rung

- flags, a 2-byte string providing future extensibility; the initial value for this field MUST be 0
- sid, the series identifier, a 8-byte string
- rung_count, the number of rungs in the ladder, a positive integer between 1 and 2^16-1
- rungs, one or more rung data structures

- left_index, the left index of the rung, a non-negative integer
- right_index, the right index of the rung, a non-negative integer
- hash, the rung hash value, a n-byte string

- flags, a 2-byte string providing future extensibility; it MUST be 0 for this version of the specification
- sid, the series identifier, a 8-byte string
- leaf_index, the leaf index of the data value being authenticated, a non-negative integer
- sibling_hash_count, the number of sibling hash values in the authentication path, a non-negative integer between 0 and 2^16-1
- sibling_hashes, zero or more sibling hash values, each a n-byte string
- rung_left, the left index of the target rung, a non-negative integer
- rung_right, the right index of the target rung, a non-negative integer

- the public seed MUST be a n-byte string
- the series identifier MUST be a 8-byte string
- the various node indexes (leaf_index, left_index, right_index, etc.) MUST be non-negative integers between 0 and 2^32-1 (so they can be represented as 4-byte strings in big endian notation)
- the data value MUST be a n-byte string
- the various hash values (leaf_hash, left_hash, right_hash, internal_hash, etc.) MUST be a n-byte strings

- Identifying the ladder based on a public key identifier and information in the authentication path itself, i.e., the series identifier and the target index pair. This combination is sufficient to identify the public key, the series of data values (and thus the MTL node set), and the ladder of interest (given the target index pair, with the binary rung strategy).
- Identifying the ladder with a URI or other explicit identifier that refers to a location where the signed ladder is stored or to the signed ladder itself. This URI can be conveyed together with the authentication path in an application.
- Specifying interest in a ladder implicitly by setting a flag in the request for a message and its associated authentication path. When the flag is not set, the message and authentication path would be returned (producing a condensed signature - see Section 9.5). When the flag is set, the message, the signed ladder is also would be returned (producing a full signature - see Section 9.4).

- R_mtl, the randomizer, a n-byte string
- auth_path, the authentication path
- ladder, the ladder
- sig_len, the length in bytes of the underlying signature on the ladder, a positive integer between 1 and 2^32-1 (so it can be represented as 4-byte string in big endian notation)
- sig, the underlying signature on the ladder, a scheme-specific string

- R_mtl, the randomizer, a n-byte string
- auth_path, the authentication path
- ladder, the ladder

- SPHINCS+-MTL-{hash}-{bitsec}{opt}-{variant}

- {hash} is the underlying hash function. For this version of the document, it MUST be "SHAKE" or "SHA2", corresponding to the underlying hash function.
- {bitsec} is the target bit security. It MUST be "128", "192" or "256", corresponding to the "bitsec" value in [SPHINCS+]. The security parameter n is the target bit security level divided by 8, i.e., 16, 24 or 32. The corresponding NIST security levels for these bit security levels are 1, 3 and 5.
- {opt} is the optimization goal. It MUST be "s" or "f". As discussed in [SPHINCS+], the "s" optimization results in smaller signature sizes, while the "f" optimization results in faster signing operations.
- {variant} is the style of the tweakable hash function. It must be "simple" or "robust". As discussed in [SPHINCS+], the "simple" style results in faster operations, while the "robust" style results in more conservative security proofs.