Technical Summary
The document specifies the way of SHAKE256 (with 192 or 256 bit output) and
SHA256 (with 192 bit output) usage with LMS signature scheme defined in RFC
8554. It introduces new parameter sets and corresponding IANA identifiers and
provides the guide to choosing the specific parameter set based on practical
and security considerations. All the parameter sets match the parameter sets
introduced in NIST SP 800-208 ("Recommendation for Stateful Hash-Based
Signature Schemes"). The security analysis (Section 9) was significantly
extended compared to the earlier versions of the draft and to the corresponding
section in the NIST document. This document is a product of the Crypto Forum
Research Group (CFRG) in the IRTF.
Research Group Summary
The document was adopted in December 2021.
There was a Research Group Last Call for the draft in 2024 (January-April).
There were no major concerns raised during the RGLC. A number of minor concerns
raised during the RGLC were addressed by the authors. The authors have answered
the questions raised during the Research Group Last Call, no questions have
remained unanswered. Crypto Review Panel review was solicited in 2024 (January
- April). The reviews were provided by Thomas Pornin, Russ Housley, Virendra
Kumar. Comments from that review were addressed in -09, -10, -11 and -12.
Document Quality
There are several publicly available implementations:
https://github.com/cisco/hash-sigs/tree/192, Utimaco, Crypto4A,
https://github.com/russhousley/pyhsslms All authors of the document have
confirmed that they are not aware of any IPRs related to the document.
Personnel
Stanislav Smyshlyaev is the Document Shepherd.
Colin Perkins is the IRTF Chair.