Cryptography Reference
In-Depth Information
9. Compute DB = maskedDB ⊕ dbMask.
10. Set the leftmost 8emLen − emBits bits of the leftmost byte in DB to zero.
11. If the emLen − hLen − sLen − 2 leftmost bytes of DB are not zero or if the byte at position emLen − hLen − sLen − 1 is not 01 then output 'inconsistent' and stop.
12. Set salt equal to the last sLen bytes of DB.
13. Compute M′ := 0000000000000000 || mHash || salt, a byte string of length 8 + hLen + sLen with eight initial zero bytes.
14. Compute H′ = Hash(M′), a byte string of length hLen.
15. If H = H′ output 'consistent', otherwise output 'inconsistent'.
16. If EMSA-PSS-Verify(M, EM, modBits − 1) = 'consistent' then set RSASSA-PSS-Verify((n, e), M, S) := 'valid', otherwise RSASSA-PSS-Verify((n, e), M, S) := 'invalid'.
Remarks 9.5
1. In the description of the RSASSA-PSS scheme we have kept the notation in
[154]. For example, the parameters k₀ and k₁ in [20] are here sLen and hLen,
respectively. For simplicity, we take sLen = hLen in our Maple implementation
below.
2. There are some differences between the RSASSA-PSS scheme and the original
PSS scheme but the security reduction for the latter is still valid for this variant.
One of these differences is the fact that the value that is hashed together with
the seed (or salt in [154] terminology) is the result of concatenating a string
of eight bytes '00' with the hash of the message, instead of the message itself.
Thus the message is hashed one more time (with the same hash function) prior
to applying the PSS algorithm, i.e., the PSS algorithm is applied to the hash of
the message rather than to the message itself. This initial hashing may also be
performed outside of the module that does the remaining computations, which
is advantageous in situations where I/O bandwidth is limited. We refer to [154]
for more details on this and other specific aspects of the standard.
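The checks in steps 9 to 15, including the string hashed in step 13 (eight zero bytes, the message hash, the salt) that Remark 2 discusses, written out in Python as an added example; it is not the book's Maple code. It assumes SHA-256 as Hash, MGF1 as the mask generation function and sLen = hLen as in Remark 1; the length, trailer-byte and leading-bit checks that precede step 9 are taken from the PKCS #1 specification because they are not shown in this section, and the names mgf1, xor, emsa_pss_encode and emsa_pss_verify are illustrative.

```python
import hashlib, hmac

HASH = hashlib.sha256            # assumption: SHA-256 plays the role of Hash
H_LEN = HASH().digest_size       # hLen

def mgf1(seed, length):
    """MGF1 from PKCS #1: Hash(seed || counter) blocks, truncated to length."""
    blocks = (HASH(seed + i.to_bytes(4, "big")).digest()
              for i in range(-(-length // H_LEN)))
    return b"".join(blocks)[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def emsa_pss_encode(msg, em_bits, salt):
    """Encoder, present only to build the constructed input for the verifier."""
    em_len = -(-em_bits // 8)
    h = HASH(bytes(8) + HASH(msg).digest() + salt).digest()
    db = bytes(em_len - len(salt) - H_LEN - 2) + b"\x01" + salt
    masked = bytearray(xor(db, mgf1(h, len(db))))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)
    return bytes(masked) + h + b"\xbc"

def emsa_pss_verify(msg, em, em_bits, s_len=H_LEN):
    """Return 'consistent' or 'inconsistent'; comments give the step numbers above."""
    em_len = -(-em_bits // 8)
    zero_bits = 8 * em_len - em_bits
    # Checks from before step 9 (PKCS #1): lengths, trailer byte BC, zero top bits.
    if len(em) != em_len or em_len < H_LEN + s_len + 2 or em[-1] != 0xBC:
        return "inconsistent"
    masked_db, h = em[:em_len - H_LEN - 1], em[em_len - H_LEN - 1:-1]
    if masked_db[0] >> (8 - zero_bits):
        return "inconsistent"
    db = bytearray(xor(masked_db, mgf1(h, len(masked_db))))      # step 9
    db[0] &= 0xFF >> zero_bits                                   # step 10
    pad_len = em_len - H_LEN - s_len - 2
    if any(db[:pad_len]) or db[pad_len] != 0x01:                 # step 11
        return "inconsistent"
    salt = bytes(db[len(db) - s_len:])                           # step 12
    m_prime = bytes(8) + HASH(msg).digest() + salt               # step 13
    h_prime = HASH(m_prime).digest()                             # step 14
    ok = hmac.compare_digest(h, h_prime)                         # step 15
    return "consistent" if ok else "inconsistent"

# Constructed sample: 1024-bit modulus, so emBits = modBits - 1 = 1023.
SALT = bytes(range(H_LEN))       # fixed salt so the run is reproducible
EM = emsa_pss_encode(b"example message", 1023, SALT)
```

The step 15 comparison uses hmac.compare_digest so that the time taken does not depend on where the two hashes first differ.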
9.5.4 RSASSA-PSS in Maple
We are going to implement the RSASSA-PSS signature scheme in Maple. We will
mostly follow the specification and the notation for variable names in [154]. We start
with a couple of auxiliary functions that will be called from the main functions of
the scheme. The first of them, make0bits, takes as input hbyte (a byte given as a
hexadecimal string) and numbits (an integer in the interval [0, 7]), and returns the
byte obtained by setting to 0 the leftmost numbits of hbyte. This function will
be called by the EMSA-PSS encoding procedure to perform step number 12 in the
above description of this algorithm, with the purpose of ensuring that the bit length
of the resulting encoded message, when regarded as an integer, is one less than that