Questions tagged [message-recovery]

Message recovery is a feature of some digital signature schemes, whereby some or all of the signed message is embedded in the signature and recovered as part of signature verification, and thus need not be transmitted.

A signature scheme with message recovery embeds at least a portion of the message (the recoverable part) in the signature. Signature verification produces that part of the message, which thus need not be transmitted. Some schemes allow partial message recovery, where another non-empty portion of the message (the non-recoverable part) is allowed and must be available to the verifier.

Signature schemes with message recovery have been codified by standards of the ISO/IEC 9796 family:

  • ISO/IEC 9796 was withdrawn in 2000; it is also known as ISO/IEC 9796-1, by the name of a draft.
  • ISO/IEC 9796-2 codifies three schemes based on integer factorization (RSA or Rabin); see this answer for details.
  • ISO/IEC 9796-3 codifies six schemes based on the discrete logarithm problem.
25 questions
19
votes
1 answer

Message-Recovery variant of Ed25519 signature?

What would be a Message-Recovery variant of the Ed25519 signature scheme? Ed25519-MR should be simple to use, fast, with a strong security argument, and striving to stay out of the patent minefield, as the original does. [Ed25519] is a signature…
fgrieu
14
votes
1 answer

Description of signatures with message recovery (as in ISO/IEC 9796-2 and EMV Signatures)

I'd like to get an overview of how the signatures with message recovery work, especially in the case of EMV and other smart card systems. Is there a nice overview available without being required to read the whole ISO/IEC 9796-2? I've already had a look…
OnTarget
7
votes
2 answers

Any real world implementation using message recovery?

During my master's thesis I came across RSA-PSS-R, which is in my opinion a quite elegant way of saving bandwidth and space using digital signatures. But I didn't find any information about any real world implementation out there. I have the feeling…
Mr Anderson
5
votes
1 answer

Why ISO/IEC 9796 (signature with message recovery) instead of just encrypt the short message with private key?

I've had a look at “Practical Cryptanalysis of ISO/IEC 9796-2 and EMV Signatures” and read the very good answer https://crypto.stackexchange.com/a/17846/59673 and I understand that signature and encryption are usually different algorithms. For…
Kzar
5
votes
1 answer

Minimizing size of signed message with discrete-log scheme

How can we sign a small message with a discrete-log scheme so as to minimize the size of the whole signed message? Detailed objectives, notation: It is of paramount importance to minimize the total bit size $c$ of the cryptogram $C$ carrying the…
fgrieu
4
votes
7 answers

Understanding why Semantic Security implies Message Recovery Security

I am stuck in the proof where it says $$p_0=\frac{1}{|M|},$$ I just do not understand how we can infer this equality. Also, am I right in understanding that B is defined as choosing his two messages at random each time (i.e. sampled uniformly from…
4
votes
2 answers

521-bit ECC keys are the same strength as RSA 15,360-bit keys

521 bit ECC uses key sizes 7.5 times smaller than the RSA standard while offering encryption that is magnitudes more secure. An RSA 2048-bit key's secure enough for banking, but a 521-bit ECC key is the equivalent of a 15,360-bit RSA key. I read it…
djuture
4
votes
2 answers

Signature check decrypts ciphertext

Can somebody lead me to existing literature on making the extraction of plaintext dependent on a valid signature check first? I didn't think it was possible to force signatures to be checked; but this is possible, and I have an implementation of it…
Rob
3
votes
1 answer

What is the modern terminology for a digital signature scheme with a shadow?

In Guillou and Quisquater's 1988 paper "A 'Paradoxical' Identity-Based Signature Scheme Resulting from Zero-Knowledge", they say that an RSA identity has a shadow and go on to state that this property is being standardized: Let us mention that ISO…
2
votes
0 answers

Elgamal security if same key used twice

Assume that user A sends to user B a message, unencrypted, and signs it with an Elgamal signature. Can some adversary, call it C, who eavesdrops, learn the private key if user A signed both messages using the same random variable k? If so, how? To…
2
votes
1 answer

In ISO/IEC 9796-2 (signature with message recovery), why are some message representatives bigger than the modulus?

I have implemented signature scheme 2 from ISO/IEC 9796-2 in C using OpenSSL for the underlying crypto operations. To generate the message representative (F in the standard), I just call PKCS1_MGF1() (defined here), and then XOR that to the data to…
aja
2
votes
2 answers

Build a cipher that is secure against message recovery attack but not semantically secure

I know the definitions of both of the securities (against message recovery and semantic), but I don't know how to actually build a cipher that meets these conditions, I mean, I don't know how to define "let $\mathcal{E} = (E,D)$ where $E(k,m) =…
Daniel
2
votes
1 answer

Forgery attack against Textbook RSA with simple redundancy

I know how to forge vanilla Textbook RSA message signatures (easy). I've learnt that by adding a good redundancy to the message, it cannot be forged anymore. How can one add redundancy so that the message could be recovered from the signature (RSA…
Jjang
2
votes
2 answers

Can signer identity be recovered from a signature in ML-DSA (FIPS 204)? If not, is there any PQC signature scheme that supports this?

I have been reviewing the FIPS 204 draft specification for the ML-DSA (Module-Lattice-based Digital Signature Algorithm), which is part of NIST’s Post-Quantum Cryptography (PQC) standardization effort. Question: Is it possible to recover the public…
1
vote
2 answers

What's the Apostrophe or single quote of a variable means in cryptography?

What's the meaning of Apostrophe over a variable in the context conversations of verification? Reference number: https://people.eecs.berkeley.edu/~jfc/'mender/IEEESP02.pdf