Cryptography Reference
In-Depth Information
and digital signature schemes do not have sufficient symmetry of this type to
allow such a swap to be conducted.
However, once again, it is worth repeating our caveat of Section 7.3.1. The above
argument applies only to the 'textbook' versions of RSA. Real RSA encryption
schemes and RSA digital signature schemes with appendix, do not work quite
as simply as we have just described, where by 'real' we mean those that follow
established standards such as PKCS and employ schemes such as RSA-OAEP for
encryption and RSA-PSS for digital signatures. Instead, they involve additional
processing stages that result in this straightforward key pair swap not being
possible. That said, it is this symmetry of the simple 'textbook' versions that
permits the very existence of both RSA encryption and RSA digital signature
schemes, hence the observations in this section are relevant.
7.3.5
RSA digital signature scheme with message recovery
We now describe an RSA digital signature scheme based on the second approach
that was identified in Section 7.3.3. Before we describe this scheme, it is worth
identifying what advantages this second approach might offer.
ADVANTAGES OF DIGITAL SIGNATURE SCHEMES WITH MESSAGE
RECOVERY
There are a couple of disadvantages with the digital signature schemes with
appendix approach:
1. It requires the use of a hash function, so it might be advantageous to design
schemes where no hash function is required.
2. Both the data and the digital signature need to be sent to the verifier. This
involves a degree of message expansion, since the message that is sent is
necessarily longer than the underlying data that is digitally signed.
The reasons we discussed for hashing, rather than signing the data directly,
primarily applied to 'long' data that needs to be split into more than one block for
direct processing using RSA. However, if the data to be signed is less than one RSA
block in length (in other words, less than the length of the RSAmodulus) then the
case for hashing before signing is not so strong. Digital signature schemes with
message recovery are typically proposed for precisely this situation. This is why
they are sometimes also referred to as
digital signature schemes for short messages
.
Recall from Section 7.3.3 that if the data does not accompany the digital
signature then the verifier faces the problem of recognising the correct data that
is associated with the digital signature. Digital signature schemes with message
recovery address this problemby adding redundancy to the data before it is signed,
in order to later make it recognisable to a verifier. The data to be digitally signed
must therefore be sufficiently short that it remains less than one RSA block in
length
after
this redundancy has been added.
