Cryptography Reference
In-Depth Information
d := sk[2];
modBits := intlog[2](n)+1;
EM := EMSAPSSEnc(message, modBits-1, _params['salt'], ':-messagetype' = messagetype,
':-Hash' = Hash, ':-MGF' = MGF);
m := OS2IP(EM);
s := Power(m, d) mod n;
k := intlog[256](n)+1;
I2OSP(s, k)
end proc:
Example 9.4
Let us compute the signature for a message. We will use the RSA key
rsakey
that we already used on a couple of occasions:
> rsakey := RSAKeyGen(1024, 618020429552270915383892324472348012175,
410275671464698780248543572127557803186);
sk := rsakey[2]:
pk := rsakey[1]:
We are going to sign the following ASCII-8 message:
> M := "This is a message to test RSASSA-PSS signatures according to PKCS #1 v2.1":
We need a 32-byte random salt as an input to the signing algorithm. We will use
the following hexadecimal string:
> salt := "01f1698656b7fbccf1c94837d65a041070493da6a05863895867f8620d3ca422":
With these ingredients we can generate the signature of message
M
above:
> S := PSSSign(pk, M, salt, messagetype = 'text');
S:=
"72617c71e7114c4340d2aaedfb7e8435040c6c9242f1a0455e43fbe5f3d5dbe8c99370a6e4fb87ffb\
d1460163a8c5e9ebf2d75350bccc3604f5175a6154c9cde35f61ca9191684966afc831233467dcfa\
c444f60a501ea203818166bede2611e136f785620e0b61f7c19d6b7cd6a5e707d9473be1655bac12\
f6473defa0c6eb7de86045373f150a672e4bd9b92f4ddfc82106d92cd367b4e03776b87169267afa\
21b86d31864f55c86e68d7c2958b6ff0984b7e7e7eed127ed606e34247bcfa5b28cdb022ba09659e\
8d615ec38a5645bc3da279384882f58791b4eaa46a776e8cd75f15f30eaf8a7b63f1f4144ab257c9\
d22e239ac703e97ee75c4b32e2125c7"
As explained in the preceding section, the RSASSA-PSS verification algorithm
is implemented in two parts. First there is RSA verification, which does the part
that involves the application of the RSA primitive, and then EMSA-PSS verification,
which deals with the specific part of the PSS-algorithm. We begin with the EMSA-
PSS verification algorithm, implemented in the function
EMSAPSSVer
below, which
will be called from the general verification function to be defined later on. The input
parameters are similar to those in
EMSAPSSEnc
except that
salt
is not needed here
and there is a new parameter
EM
for the encoded message given as a hexadecimal byte
string. The output is either “consistent” if verification is successful or “inconsistent”
otherwise. These outputs will be interpreted by the PSS verification algorithm to
mean “valid signature” and “invalid signature”, respectively.
> EMSAPSSVer := proc(M::string, EM::string, emBits::posint, {Hash::name := 'SHA256',
hLen::posint := 32, MGF::name := 'MGF1',messagetype::identical(hex,text) := hex})
uses StringTools;
local mHash, emLen, hemLen, hhLen, em, maskedDB, H, dbMask, DB, b, salt, M1, H1;
mHash := Hash(M, messagetype);
emLen := ceil(emBits/8);
hemLen := 2*emLen;
