Hi,
I have generated a sphincs+-sha256-256s-simple keypair and looked at their contents. I think the format in the comment section might be incorrect:
https://github.com/sphincs/sphincsplus/blob/06f42f47491085ac879a72b486ca8edb10891963/ref/api.h#LL44C1-L49C63
According to the comment, the order of "root" and "PUB_SEED" should be switched in SK and PK. But looking at the bytes, the PK is appended to the SK as is, without switching any order of components.
Either my implementation is wrong, or the comment should contain something like this:
/*
 * Generates a SPHINCS+ key pair given a seed.
 * Format sk: [SK_SEED || SK_PRF || root || PUB_SEED]
 * Format pk: [root || PUB_SEED]
 */
or
/*
 * Generates a SPHINCS+ key pair given a seed.
 * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
 * Format pk: [PUB_SEED || root]
 */
...depending on what is actually first in PK, root or PUB_SEED (I'm not sure, didn't have a chance to study SPHINCS that much yet).

According to the NIST standard, it should be the latter. I think there exist some inconsistencies between the current code and the NIST SLH-DSA standard, such as the computation of the subtree's public key, which should be a hashed value of the permutation of all WOTS chain public keys according to the standard. But I am not sure if I misunderstood some process.
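The byte-level check described in the issue, as an added example that is not code from the sphincsplus repository: it splits a key pair into n-byte fields using the FIPS 205 field order (sk = SK_SEED || SK_PRF || PUB_SEED || root, pk = PUB_SEED || root) and reports whether the public key is the raw tail of the secret key or the reversed tail the old comment implied. The sample keys are constructed, not real keys, and `N_BY_PARAMSET` is an assumed lookup for the one parameter set the issue names.

```python
# Added example, not code from the sphincsplus repository: parse a SPHINCS+ /
# SLH-DSA key pair into its n-byte fields and check which layout it follows.
# FIPS 205 defines sk = SK_SEED || SK_PRF || PUB_SEED || root and
# pk = PUB_SEED || root, so a conforming pk is the raw last 2n bytes of sk.

# Assumed lookup: n for the parameter set named in the issue (256s uses n = 32).
N_BY_PARAMSET = {"sphincs+-sha256-256s-simple": 32}


def classify_layout(sk: bytes, pk: bytes, n: int):
    """Return "same-order" if pk == sk[2n:], "swapped" if pk holds the last
    two sk fields in reverse order, or None if pk matches neither."""
    if len(sk) != 4 * n or len(pk) != 2 * n:
        raise ValueError(f"expected {4 * n}-byte sk and {2 * n}-byte pk, "
                         f"got {len(sk)} and {len(pk)}")
    tail = sk[2 * n:]
    if pk == tail:
        return "same-order"
    if pk == tail[n:] + tail[:n]:
        return "swapped"
    return None


def parse_keypair(sk: bytes, pk: bytes, n: int) -> dict:
    """Split a key pair using the FIPS 205 field order; reject pairs whose
    public key is not the tail of the secret key."""
    if classify_layout(sk, pk, n) != "same-order":
        raise ValueError("pk is not the tail of sk; key pair does not use "
                         "the FIPS 205 layout")
    return {
        "SK_SEED": sk[0:n],
        "SK_PRF": sk[n:2 * n],
        "PUB_SEED": sk[2 * n:3 * n],
        "root": sk[3 * n:],
    }


# Constructed sample (not a real key): four distinct n-byte fields.
N = N_BY_PARAMSET["sphincs+-sha256-256s-simple"]
SAMPLE_SK = (bytes([0x11]) * N + bytes([0x22]) * N
             + bytes([0x33]) * N + bytes([0x44]) * N)
SAMPLE_PK = SAMPLE_SK[2 * N:]                              # pk as emitted: raw tail of sk
SWAPPED_PK = SAMPLE_SK[3 * N:] + SAMPLE_SK[2 * N:3 * N]   # the order the old comment implied

if __name__ == "__main__":
    print(classify_layout(SAMPLE_SK, SAMPLE_PK, N))    # same-order
    print(classify_layout(SAMPLE_SK, SWAPPED_PK, N))   # swapped
    fields = parse_keypair(SAMPLE_SK, SAMPLE_PK, N)
    print({name: value[:4].hex() for name, value in fields.items()})
```

Run against a real pair from the reference code (pk and sk written by its keygen), `classify_layout` returns "same-order", which is the observation the issue reports.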