Algorithm 15.4

The PSS Verify algorithm.

( n, e, m, s )

y ← s e (mod n )

break up y as b w r ∗ γ

r ← r ∗ ⊕ g 1 ( w )

b ← ( b =0 and h ( m r )= w and g 2 ( w )= γ )

( b )

15.3.2

PSS-R

PSS-R is a DSS with message recovery. This means that the Sign algorithm must

fold the message m into the signature s in such a way that it can be recovered by

the Recover algorithm. When the length of the message is sufficiently small, then

one can in fact fold the entire message into the signature. In PSS-R, if the security

parameter is k =1 , 024, then one can fold up to 767 message bits into a single

signature.

Similar to the PSS, the PSS-R is parametrized by k 0 and k 1 . The PSS-

R Generate algorithm is the same as before. Also, the PSS-R Sign and Recover

algorithms make use of the compressor h , generator g , g 1 ,and g 2 as defined earlier.

We assume that the messages to be signed have length l = k

1. Suggested

choices are k =1 , 024, k 0 = k 1 = 128,and l = 767. In this case, we produce a

k -bit enhanced signature from which the verifier can recover the l -bit message and

simultaneously check its authenticity.

−

k 0 −

k 1 −

Algorithm 15.5

The PSS-R Sign algorithm.

( n, d, m )

r ∈ R { 0 , 1 }

k 0

w ← h ( m r )

r ∗ ← g 1 ( w ) ⊕ r

m ∗ ← g 2 ( w ) ⊕ m

y ← 0 w r ∗ m ∗

s ← y d (mod n )

( s )

The PSS-R Sign algorithm is specified in Algorithm 15.5 and illustrated in

Figure 15.2 (again, the figure illustrates how the message is prepared for the RSA

signature generation). The input and output parameters of the PSS-R Sign algorithm

are the same as of the PSS Sign algorithm. In the PSS-R Sign algorithm, however,