F.3 Digital signature giving message recovery

F.3.1 Signature generation

The signature is computed by the signer on a message M = M _R M ² , where M _R is the part recoverable from the signature and M ² is the part that must be separately sent by the signer. The byte-length of the message M is L . The secret RSA operation is performed with respect to the modulus n _S of bytelength N and the secret exponent d _S . In this setup the signature generation algorithm takes place in the following way.

Case 1: Message M entirely recoverable from S In this case M = M _R and M ² is empty, which is equivalent to L ‰ N “ 22.

1. Compute the hash code of M through the SHA-1 algorithm and store the result of 20 bytes in H .

2. When L = N “ 22, define B = 4A. Otherwise, define block B as a byte string of N “ 21 “ L bytes, B = (4B BB BB BA).

3. Define E = BC.

4. Define the N -byte block X as the concatenation of B , M , H , and E (i.e., X = B M H E ).

5. Compute the RSA secret operation on X corresponding to the signature generation mode and obtain the signature S = Sign ( KS _A )[ X ] = S ( n _S , d _S )[ X ] = X ^( d _S ) mod n _S .

Case 2: Message M is not entirely recoverable from S In this case M = M _R M ² , where M _R is N “ 22 bytes and M ² is L “ N + 22 bytes.

1. Compute the hash code of M through the SHA-1 algorithm and store the result of 20 bytes in H .

2. Split M = M _R M ² , where M _R is N “ 22 bytes and M ² is L “ N + 22 bytes.

3. Define B = 6A.

4. Define E = BC.

5. Define the N -byte block X as the concatenation of B, M _R , H , and E (i.e., X = B M _R H E ).

6. Compute the RSA secret operation on X corresponding to the signature generation mode and obtain the signature S = Sign ( KS _A )[ X ] = S ( n _S , d _S )[ X ] = X ^( d _S ) mod n _S .

F.3.2 Signature verification

The verifier performs the signature verification on the signature S .If the message M is bigger than N “ 22 bytes, then the part M ² of the message that can not be retrieved from S is also an input to the recover predicate. The public RSA operation is performed with respect to the modulus n _S of bytelength N and the public exponent e _S . In this setup the signature verification algorithm takes place in the following way.

Case 1: Message M entirely recoverable from S In this case M = M _R and M ² is empty, which is equivalent to L ‰ N “ 22.

1. Check that the byte-length of S is N .

2. Retrieve the N byte number X from the digital signature S with the formula X = Recover ( KV _A )[ S , M ² = empty ] = P ( n _S , e _S )[ S ] = S ^( e _S )mod n _S .

3. Check the redundancy of X . To this end X is first split in X = B M H E , where:

   • B = ˜4A or B is a leading byte string of the form B = (4B BB BB BA).

   • H is 20 bytes long.

   • E is 1 byte long.

   • M = M _R consists of the remaining bytes.

4. Check whether the byte E is equal to BC.

5. Check whether SHA-1( M )?= H .

If and only if all the checks from steps 3 to 5 are passed, is the signature accepted as genuine .

Case 2: Message M is not entirely recoverable from S. In this case M = M _R M ² , where M _R is N “ 22 bytes and can be recovered from the signature. The part M ² is L “ N + 22 bytes and has to be separately sent to the verifier.

1. Check that the byte-length of S is N .

2. Retrieve the N byte number X from the digital signature S with the formula X = Recover ( KV _A )[ S , M ² ] = P ( n _S , e _S )[ S ] = S ^( e _S )mod n _S .

3. Check the redundancy of X . To this end X is first split in X = B M _R H E , where:

   • B is 1 byte long.

   • H is 20 bytes long.

   • E is 1 byte long.

   • M _R consists of the remaining N “ 22 bytes.

4. Check whether the byte B is equal to 6A.

5. Check whether the byte E is equal to BC.

6. Concatenate the part M _R recovered from X with the part sent separately by the signer M ² (i.e., compute M = M _R M ² ). Check whether SHA-1( M ) = H .

If and only if all the checks from steps 3 to 6 are passed is the signature accepted as genuine.