Cryptography Reference
In-Depth Information
•
=
/
The encoded message
EM
, a byte string of length
emLen
emBits
8
obtained
by applying the EMSA-PSS encoding to
M
.
•
The signature
S
, a byte string of length
k
, where
k
is the byte length of the RSA
modulus
n
.
We next describe the algorithms used by RSASSA-PSS in the order they are
applied, first to sign a message and then to verify the signature.
EMSA-PSS encoding
.
1. Set
emBits
=
modBits
−
1 and compute the encoded message:
EM
=
EMSA-PSS-Encode
(
M
,
emBits
)
=
EMSA-PSS-Encode
(
M
,
modBits
−
1
)
as follows.
2. If the length of
M
is greater than the input limitation for the hash function, output
“message too long” and stop.
3. Compute
mHash
=
Hash
(
M
)
, a byte string of length
hLen
.
4. If
emLen
2 then output “encoding error” and stop.
5. Generate a random byte string
salt
of length
sLen
.
6. Compute
M
<
hLen
+
sLen
+
:=
0000000000000000
||
mHash
||
salt
, a byte string of length
8
+
hLen
+
sLen
with eight initial zero bytes.
M
)
7. Compute
H
, a byte string of length
hLen
.
8. Set
PS
equal to the byte string of length
emLen
=
Hash
(
−
−
−
2 consisting
of zero bytes (the length of the string may be 0, in which case it is the empty
string).
9. Compute
DB
sLen
hLen
:=
PS
||
01
||
salt
, a byte string of length
emLen
−
hLen
−
1.
10. Compute
dbMask
:=
MGF
(
H
,
emLen
−
hLen
−
1
)
.
11. Compute
maskedDB
:=
DB
⊕
dbMask
.
12. Set the leftmost 8
emLen
emBits
of the leftmost byte in
maskedDB
to zero.
13. Output the encoded message
EM
, obtained by concatenating
maskedDB
,
H
and
the byte given by the hexadecimal string 'bc':
−
EM
:=
maskedDB
||
H
||
bc
.
Once the message is encoded by means of EMSA-PSS, it can be signed with the
RSA private key. For this the encoded message
EM
is converted to an integer by
means of the function OS2IP that we have already used in Sect.
8.3.7
(later on, the
integer signature will be converted back to a byte string by means of I2OSP).
EM
has byte length
emLen
=
emBits
/
8
and the integer OS2IP(
EM
) will have at most
modBits
−
1 bits. Thus the signature is obtained as follows:
RSA signing
.
1. Compute
m
:=
OS2IP
(
EM
)
.
2. Check whether
m
∈[
0
,
n
−
1
]
and, if not, output an error message and stop.