Cryptography Reference
In-Depth Information
Algorithm 15.4
The PSS
Verify
algorithm.
(
n, e, m, s
)
y ← s
e
(mod
n
)
break up
y
as
b w r
∗
γ
r ← r
∗
⊕ g
1
(
w
)
b ←
(
b
=0 and
h
(
m r
)=
w
and
g
2
(
w
)=
γ
)
(
b
)
15.3.2
PSS-R
PSS-R is a DSS with message recovery. This means that the
Sign
algorithm must
fold the message
m
into the signature
s
in such a way that it can be recovered by
the
Recover
algorithm. When the length of the message is sufficiently small, then
one can in fact fold the entire message into the signature. In PSS-R, if the security
parameter is
k
=1
,
024, then one can fold up to 767 message bits into a single
signature.
Similar to the PSS, the PSS-R is parametrized by
k
0
and
k
1
. The PSS-
R
Generate
algorithm is the same as before. Also, the PSS-R
Sign
and
Recover
algorithms make use of the compressor
h
, generator
g
,
g
1
,and
g
2
as defined earlier.
We assume that the messages to be signed have length
l
=
k
1. Suggested
choices are
k
=1
,
024,
k
0
=
k
1
= 128,and
l
= 767. In this case, we produce a
k
-bit enhanced signature from which the verifier can recover the
l
-bit message and
simultaneously check its authenticity.
−
k
0
−
k
1
−
Algorithm 15.5
The PSS-R
Sign
algorithm.
(
n, d, m
)
r ∈
R
{
0
,
1
}
k
0
w ← h
(
m r
)
r
∗
← g
1
(
w
)
⊕ r
m
∗
← g
2
(
w
)
⊕ m
y ←
0
w r
∗
m
∗
s ← y
d
(mod
n
)
(
s
)
The PSS-R
Sign
algorithm is specified in Algorithm 15.5 and illustrated in
Figure 15.2 (again, the figure illustrates how the message is prepared for the RSA
signature generation). The input and output parameters of the PSS-R
Sign
algorithm
are the same as of the PSS
Sign
algorithm. In the PSS-R
Sign
algorithm, however,