7

During my master thesis I came across RSA-PSS-R which is in my opinion a quite elegant way of saving bandwidth and space using digital signature. But I didn't find any information about any real world implementation out there. I have the feeling that it's exactly like the Schnorr Signature scheme. Everybody says that it is very efficient, but no one actually uses it.

Maybe I didn't dig deep enough but is there anyone out there actually using message recovery AT ALL in any real world implementation?

Thank you for your feedback

fgrieu
  • 149,326
  • 13
  • 324
  • 622
Mr Anderson
  • 105
  • 1
  • 5

2 Answers2

7

A signature scheme with message recovery is standardized as ISO/IEC 9796-2 (link to preview). Scheme 1 in this standard is commonly used in the Smart Card industry, despite its known weaknesses in a chosen-message setup.

Example real-life uses include the EMV banking application (the free documents linked there include a description of an industry-standard subset of ISO/IEC 9796-2 Scheme 1; there is support for this subset in JavaCard 2.2.2 and up); and the certificates in the European Digital Tachograph system (head to Annex 1B, appendix 11).

Update: As kindly pointed by Maarten Bodewes, that is also used in ICAO e-passport specifications, appendix 4.

fgrieu
  • 149,326
  • 13
  • 324
  • 622
2

Some implementations of RSA PKCS#1v1.5 use message recovery to find out which hash function was applied.

PKCS#11 API defines the C_SignRecover and C_VerifyRecover and allow them to be used with the most RSA mechanisms. Long story short: this means that there is very widely available API which allows the functionality. Thus, it is likely that quite a few pieces of software use it in practice.

user4982
  • 5,379
  • 21
  • 33