Function fors_node 

pub fn fors_node<P: Params>(
    sk_seed: &[u8],
    pk_seed: &[u8],
    i: u32,
    z: u32,
    adrs: &mut Adrs,
) -> Vec<u8> 

Compute the root of a FORS subtree of height z at leaf index i.

Implements Algorithm 15 of FIPS 205 using an iterative treehash (BDS-style) stack traversal: leaves are produced in order, and any time the two nodes on top of the stack have the same height they are combined with H and pushed back as a single higher-up node. Peak live memory is O(z) nodes (at most z + 1 stack entries), instead of the 2^z materialized leaves of the naïve approach.

For z = 0 this degenerates to a single F evaluation of the secret leaf value. Used during signing to compute authentication path nodes (sibling subtree roots).

Side-channel / memory posture

The iterative treehash is also the SPA-hardening posture for FORS. A recursive implementation would expose a memory-access envelope that matches the tree geometry, indirectly leaking the FORS digit encoded into i. The iterative variant instead keeps a BDS stack of z + 1 nodes and walks the tree with a loop counter that is independent of the secret. See doc/sca/countermeasures/slh_dsa.rst, section Memory / stack- timing — iterative treehash + streaming signature, for the full threat analysis.

RAM impact (SLH-DSA-SHAKE-256s, z = a - 1 = 13, n = 32):

• naïve: 2^13 * 32 = 256 KiB leaf buffer, peaking higher with the transient new_nodes vector during the climb;
• treehash: 14 * 32 ≈ 448 B on the stack of node bytes.