Get MessageRepresentative from signature

>
> Hello!
>
> I am implementing Digital signature scheme 1 described in ISO/IEC FDIS
> 9796-2. I have signature in binary form and public key.
> I know, how to get MessageRepresentative in case of RSA: call member
> ApplyFunction(...) of CryptoPP::RSA::PublicKey-object.
> But I don't know how to get MessageRepresentative in case of DSA and
> ECDSA... What I should do? Is their any general way to get
> MessageRepresentative independent on type of public key?
> >
>

> I'm not familiar with ISO/IEC FDIS 9796-2, and I can't find much information
> about it (without paying to buy the standard). Is it some kind of signature
> scheme with message recovery (SSR)? I never really finished implementing
> support for discrete log-based SSR in Crypto++ (and nobody has complained
> about that before), so the only way to do it is to write your own code
> directly on top of the Integer and elliptic curve classes. You can try to
> reuse DL_Algorithm_GDSA in gfpcrypt.h, or copy the code out and build on top
> of that.
>
> Or, if you want to try to finish the DL SSR framework in Crypto++, take a
> look at DL_VerifierBase::RecoverAndRestart() in pubkey.h. But unlike with
> RSA, message recovery with discrete log based schemes is complicated and
> ultimately kind of pointless.
>
> --------------------------------------------------
> From: "Alexei" <statujal...@...>
> Sent: Thursday, October 22, 2009 12:53 AM
> To: "Crypto++ Users" <cryptopp-users@...>
> Subject: Get MessageRepresentative from signature
>
>
>
>
>
> > Hello!
>
> > I am implementing Digital signature scheme 1 described in ISO/IEC FDIS
> > 9796-2. I have signature in binary form and public key.
> > I know, how to get MessageRepresentative in case of RSA: call member
> > ApplyFunction(...) of CryptoPP::RSA::PublicKey-object.
> > But I don't know how to get MessageRepresentative in case of DSA and
> > ECDSA... What I should do? Is their any general way to get
> > MessageRepresentative independent on type of public key?- Скрыть цитируемый текст -
>
> - Показать цитируемый текст -

>
> ISO/IEC FDIS 9796-2 draft you can take for a free
> http://isotctest.iso.org/livelink/livelink/4459194/SC27N3032_Text_for_FDIS_9796-2.pdf?func=doc.Fetch&nodeid=4459194
> In this document verification scheme is described correctly.
>
> Yes, it is signature scheme with message recovery. To verify signature
> the following steps should be performed:
> 1. Decrypt signature(get MessageRepresentative). Message
> representative in Digital signature scheme 1 consists of [Start byte |
> recoverable part of Message | hash(Message) | trailing byte(s)]
> 2. Construct Message* = [recoverable part of Message | non-recoverable
> part of Message]
> 3. Check that hash(Message) from signature is equal to hash(Message*).
>
> In Internet I have seen only once that somebody had the same problem
> http://www.groupsrv.com/science/about117544.html
>
> On 22 окт, 12:28, "Wei Dai" <wei...@...> wrote:
>> I'm not familiar with ISO/IEC FDIS 9796-2, and I can't find much
>> information
>> about it (without paying to buy the standard). Is it some kind of
>> signature
>> scheme with message recovery (SSR)? I never really finished implementing
>> support for discrete log-based SSR in Crypto++ (and nobody has complained
>> about that before), so the only way to do it is to write your own code
>> directly on top of the Integer and elliptic curve classes. You can try to
>> reuse DL_Algorithm_GDSA in gfpcrypt.h, or copy the code out and build on
>> top
>> of that.
>>
>> Or, if you want to try to finish the DL SSR framework in Crypto++, take a
>> look at DL_VerifierBase::RecoverAndRestart() in pubkey.h. But unlike with
>> RSA, message recovery with discrete log based schemes is complicated and
>> ultimately kind of pointless.
>>
>> --------------------------------------------------
>> From: "Alexei" <statujal...@...>
>> Sent: Thursday, October 22, 2009 12:53 AM
>> To: "Crypto++ Users" <cryptopp-users@...>
>> Subject: Get MessageRepresentative from signature
>>
>>
>>
>>
>>
>> > Hello!
>>
>> > I am implementing Digital signature scheme 1 described in ISO/IEC FDIS
>> > 9796-2. I have signature in binary form and public key.
>> > I know, how to get MessageRepresentative in case of RSA: call member
>> > ApplyFunction(...) of CryptoPP::RSA::PublicKey-object.
>> > But I don't know how to get MessageRepresentative in case of DSA and
>> > ECDSA... What I should do? Is their any general way to get
>> > MessageRepresentative independent on type of public key?- Скрыть
>> > цитируемый текст -
>>
>> - Показать цитируемый текст -
> >
>

> After looking at that standard, I don't think you're supposed to use it with
> DSA or ECDSA, but only with RSA or RW. Also, it's not secure. Seehttp://eprint.iacr.org/2009/203.pdf.
>
> Why do you have to implement this?
>
> --------------------------------------------------
> From: "Alexei" <statujal...@...>
> Sent: Thursday, October 22, 2009 3:01 AM
> To: "Crypto++ Users" <cryptopp-users@...>
> Subject: Re: Get MessageRepresentative from signature
>
>
>
>
>
> > ISO/IEC FDIS 9796-2 draft you can take for a free
> >http://isotctest.iso.org/livelink/livelink/4459194/SC27N3032_Text_for...
> > In this document verification scheme is described correctly.
>
> > Yes, it is signature scheme with message recovery. To verify signature
> > the following steps should be performed:
> > 1. Decrypt signature(get MessageRepresentative). Message
> > representative in Digital signature scheme 1 consists of [Start byte |
> > recoverable part of Message | hash(Message) | trailing byte(s)]
> > 2. Construct Message* = [recoverable part of Message | non-recoverable
> > part of Message]
> > 3. Check that hash(Message) from signature is equal to hash(Message*).
>
> > In Internet I have seen only once that somebody had the same problem
> >http://www.groupsrv.com/science/about117544.html
>
> > On 22 окт, 12:28, "Wei Dai" <wei...@...> wrote:
> >> I'm not familiar with ISO/IEC FDIS 9796-2, and I can't find much
> >> information
> >> about it (without paying to buy the standard). Is it some kind of
> >> signature
> >> scheme with message recovery (SSR)? I never really finished implementing
> >> support for discrete log-based SSR in Crypto++ (and nobody has complained
> >> about that before), so the only way to do it is to write your own code
> >> directly on top of the Integer and elliptic curve classes. You can try to
> >> reuse DL_Algorithm_GDSA in gfpcrypt.h, or copy the code out and build on
> >> top
> >> of that.
>
> >> Or, if you want to try to finish the DL SSR framework in Crypto++, take a
> >> look at DL_VerifierBase::RecoverAndRestart() in pubkey.h. But unlike with
> >> RSA, message recovery with discrete log based schemes is complicated and
> >> ultimately kind of pointless.
>
> >> --------------------------------------------------
> >> From: "Alexei" <statujal...@...>
> >> Sent: Thursday, October 22, 2009 12:53 AM
> >> To: "Crypto++ Users" <cryptopp-users@...>
> >> Subject: Get MessageRepresentative from signature
>
> >> > Hello!
>
> >> > I am implementing Digital signature scheme 1 described in ISO/IEC FDIS
> >> > 9796-2. I have signature in binary form and public key.
> >> > I know, how to get MessageRepresentative in case of RSA: call member
> >> > ApplyFunction(...) of CryptoPP::RSA::PublicKey-object.
> >> > But I don't know how to get MessageRepresentative in case of DSA and
> >> > ECDSA... What I should do? Is their any general way to get
> >> > MessageRepresentative independent on type of public key?- Скрыть
> >> > цитируемый текст -
>
> >> - Показать цитируемый текст -- Скрыть цитируемый текст -
>
> - Показать цитируемый текст -

>
> I am implementing software for reader of ICAO-compliant e-Passport. In
> this document
> http://www.csca-si.gov.si/TR-PKI_mrtds_ICC_read-only_access_v1_1.pdf
> specified procedure Active Authentication and some its requirements.
> Active Authentication is procedure described in ISO/IEC 9796-2,
> Digital signature scheme 1.
>
> Document above gives recommendations for key's size. If you look from
> page 23 then you see that recommendations are given for Active
> Authentication's keys with RSA, DSA and ECDSA.
>
> On 22 окт, 14:14, "Wei Dai" <wei...@...> wrote:
>> After looking at that standard, I don't think you're supposed to use it
>> with
>> DSA or ECDSA, but only with RSA or RW. Also, it's not secure.
>> Seehttp://eprint.iacr.org/2009/203.pdf.
>>
>> Why do you have to implement this?
>>
>> --------------------------------------------------
>> From: "Alexei" <statujal...@...>
>> Sent: Thursday, October 22, 2009 3:01 AM
>> To: "Crypto++ Users" <cryptopp-users@...>
>> Subject: Re: Get MessageRepresentative from signature
>>
>>
>>
>>
>>
>> > ISO/IEC FDIS 9796-2 draft you can take for a free
>> >http://isotctest.iso.org/livelink/livelink/4459194/SC27N3032_Text_for...
>> > In this document verification scheme is described correctly.
>>
>> > Yes, it is signature scheme with message recovery. To verify signature
>> > the following steps should be performed:
>> > 1. Decrypt signature(get MessageRepresentative). Message
>> > representative in Digital signature scheme 1 consists of [Start byte |
>> > recoverable part of Message | hash(Message) | trailing byte(s)]
>> > 2. Construct Message* = [recoverable part of Message | non-recoverable
>> > part of Message]
>> > 3. Check that hash(Message) from signature is equal to hash(Message*).
>>
>> > In Internet I have seen only once that somebody had the same problem
>> >http://www.groupsrv.com/science/about117544.html
>>
>> > On 22 окт, 12:28, "Wei Dai" <wei...@...> wrote:
>> >> I'm not familiar with ISO/IEC FDIS 9796-2, and I can't find much
>> >> information
>> >> about it (without paying to buy the standard). Is it some kind of
>> >> signature
>> >> scheme with message recovery (SSR)? I never really finished
>> >> implementing
>> >> support for discrete log-based SSR in Crypto++ (and nobody has
>> >> complained
>> >> about that before), so the only way to do it is to write your own code
>> >> directly on top of the Integer and elliptic curve classes. You can try
>> >> to
>> >> reuse DL_Algorithm_GDSA in gfpcrypt.h, or copy the code out and build
>> >> on
>> >> top
>> >> of that.
>>
>> >> Or, if you want to try to finish the DL SSR framework in Crypto++,
>> >> take a
>> >> look at DL_VerifierBase::RecoverAndRestart() in pubkey.h. But unlike
>> >> with
>> >> RSA, message recovery with discrete log based schemes is complicated
>> >> and
>> >> ultimately kind of pointless.
>>
>> >> --------------------------------------------------
>> >> From: "Alexei" <statujal...@...>
>> >> Sent: Thursday, October 22, 2009 12:53 AM
>> >> To: "Crypto++ Users" <cryptopp-users@...>
>> >> Subject: Get MessageRepresentative from signature
>>
>> >> > Hello!
>>
>> >> > I am implementing Digital signature scheme 1 described in ISO/IEC
>> >> > FDIS
>> >> > 9796-2. I have signature in binary form and public key.
>> >> > I know, how to get MessageRepresentative in case of RSA: call member
>> >> > ApplyFunction(...) of CryptoPP::RSA::PublicKey-object.
>> >> > But I don't know how to get MessageRepresentative in case of DSA and
>> >> > ECDSA... What I should do? Is their any general way to get
>> >> > MessageRepresentative independent on type of public key?- Скрыть
>> >> > цитируемый текст -
>>
>> >> - Показать цитируемый текст -- Скрыть цитируемый текст -
>>
>> - Показать цитируемый текст -
> >
>

> I'm pretty sure there's an error or misunderstanding on someone's part. Part
> of the title of ISO/IEC FDIS 9796-2 is "Part 2: Integer factorisation based
> mechanisms" and DSA/ECDSA are not factorisation based!
>
> Also, if you look at section 3.3.2 of that ICAO document, it says that for
> RSA you should use RSASSA-PSS, which is different from ISO/IEC FDIS 9796-2's
> Digital Signature Scheme 1. I don't have time to read through this document
> and figure out what is going on. Can you ask someone who is more familiar
> with this standard (maybe its authors?).
>
> --------------------------------------------------
> From: "Alexei" <statujaleha@...>
> Sent: Thursday, October 22, 2009 3:57 AM
> To: "Crypto++ Users" <cryptopp-users@...>
> Subject: Re: Get MessageRepresentative from signature
>
>
>
>
>
> > I am implementing software for reader of ICAO-compliant e-Passport. In
> > this document
> >http://www.csca-si.gov.si/TR-PKI_mrtds_ICC_read-only_access_v1_1.pdf
> > specified procedure Active Authentication and some its requirements.
> > Active Authentication is procedure described in ISO/IEC 9796-2,
> > Digital signature scheme 1.
>
> > Document above gives recommendations for key's size. If you look from
> > page 23 then you see that recommendations are given for Active
> > Authentication's keys with RSA, DSA and ECDSA.
>
> > On 22 окт, 14:14, "Wei Dai" <wei...@...> wrote:
> >> After looking at that standard, I don't think you're supposed to use it
> >> with
> >> DSA or ECDSA, but only with RSA or RW. Also, it's not secure.
> >> Seehttp://eprint.iacr.org/2009/203.pdf.
>
> >> Why do you have to implement this?
>
> >> --------------------------------------------------
> >> From: "Alexei" <statujal...@...>
> >> Sent: Thursday, October 22, 2009 3:01 AM
> >> To: "Crypto++ Users" <cryptopp-users@...>
> >> Subject: Re: Get MessageRepresentative from signature
>
> >> > ISO/IEC FDIS 9796-2 draft you can take for a free
> >> >http://isotctest.iso.org/livelink/livelink/4459194/SC27N3032_Text_for...
> >> > In this document verification scheme is described correctly.
>
> >> > Yes, it is signature scheme with message recovery. To verify signature
> >> > the following steps should be performed:
> >> > 1. Decrypt signature(get MessageRepresentative). Message
> >> > representative in Digital signature scheme 1 consists of [Start byte |
> >> > recoverable part of Message | hash(Message) | trailing byte(s)]
> >> > 2. Construct Message* = [recoverable part of Message | non-recoverable
> >> > part of Message]
> >> > 3. Check that hash(Message) from signature is equal to hash(Message*).
>
> >> > In Internet I have seen only once that somebody had the same problem
> >> >http://www.groupsrv.com/science/about117544.html
>
> >> > On 22 окт, 12:28, "Wei Dai" <wei...@...> wrote:
> >> >> I'm not familiar with ISO/IEC FDIS 9796-2, and I can't find much
> >> >> information
> >> >> about it (without paying to buy the standard). Is it some kind of
> >> >> signature
> >> >> scheme with message recovery (SSR)? I never really finished
> >> >> implementing
> >> >> support for discrete log-based SSR in Crypto++ (and nobody has
> >> >> complained
> >> >> about that before), so the only way to do it is to write your own code
> >> >> directly on top of the Integer and elliptic curve classes. You can try
> >> >> to
> >> >> reuse DL_Algorithm_GDSA in gfpcrypt.h, or copy the code out and build
> >> >> on
> >> >> top
> >> >> of that.
>
> >> >> Or, if you want to try to finish the DL SSR framework in Crypto++,
> >> >> take a
> >> >> look at DL_VerifierBase::RecoverAndRestart() in pubkey.h. But unlike
> >> >> with
> >> >> RSA, message recovery with discrete log based schemes is complicated
> >> >> and
> >> >> ultimately kind of pointless.
>
> >> >> --------------------------------------------------
> >> >> From: "Alexei" <statujal...@...>
> >> >> Sent: Thursday, October 22, 2009 12:53 AM
> >> >> To: "Crypto++ Users" <cryptopp-users@...>
> >> >> Subject: Get MessageRepresentative from signature
>
> >> >> > Hello!
>
> >> >> > I am implementing Digital signature scheme 1 described in ISO/IEC
> >> >> > FDIS
> >> >> > 9796-2. I have signature in binary form and public key.
> >> >> > I know, how to get MessageRepresentative in case of RSA: call member
> >> >> > ApplyFunction(...) of CryptoPP::RSA::PublicKey-object.
> >> >> > But I don't know how to get MessageRepresentative in case of DSA and
> >> >> > ECDSA... What I should do? Is their any general way to get
> >> >> > MessageRepresentative independent on type of public key?- Скрыть
> >> >> > цитируемый текст -
>
> >> >> - Показать цитируемый текст -- Скрыть цитируемый текст -
>
> >> - Показать цитируемый текст -- Скрыть цитируемый текст -
>
> - Показать цитируемый текст -

>
> As I understand Digital signature scheme described in ISO/IEC FDIS
> 9796-2 can be implemented independent on signature generation
> algorithm. Currently I have implemented only support of RSA. We have
> sample ePassports with support of Active Authentication and all of
> them use scheme based on RSA.
>
> I have looked at section 3.3.2. Recommendation about using RSA-PSS
> applies for signature generation of certificates and Document Security
> object of RFID-chip. In Active Authentication is used simple RSA.
>
> We have tried to contact with authors of the document about some other
> questions but haven't got answer yet.
>
> On 22 окт, 15:06, "Wei Dai" <weidai@...> wrote:
>> I'm pretty sure there's an error or misunderstanding on someone's part.
>> Part
>> of the title of ISO/IEC FDIS 9796-2 is "Part 2: Integer factorisation
>> based
>> mechanisms" and DSA/ECDSA are not factorisation based!
>>
>> Also, if you look at section 3.3.2 of that ICAO document, it says that
>> for
>> RSA you should use RSASSA-PSS, which is different from ISO/IEC FDIS
>> 9796-2's
>> Digital Signature Scheme 1. I don't have time to read through this
>> document
>> and figure out what is going on. Can you ask someone who is more familiar
>> with this standard (maybe its authors?).
>>
>> --------------------------------------------------
>> From: "Alexei" <statujaleha@...>
>> Sent: Thursday, October 22, 2009 3:57 AM
>> To: "Crypto++ Users" <cryptopp-users@...>
>> Subject: Re: Get MessageRepresentative from signature
>>
>>
>>
>>
>>
>> > I am implementing software for reader of ICAO-compliant e-Passport. In
>> > this document
>> >http://www.csca-si.gov.si/TR-PKI_mrtds_ICC_read-only_access_v1_1.pdf
>> > specified procedure Active Authentication and some its requirements.
>> > Active Authentication is procedure described in ISO/IEC 9796-2,
>> > Digital signature scheme 1.
>>
>> > Document above gives recommendations for key's size. If you look from
>> > page 23 then you see that recommendations are given for Active
>> > Authentication's keys with RSA, DSA and ECDSA.
>>
>> > On 22 окт, 14:14, "Wei Dai" <wei...@...> wrote:
>> >> After looking at that standard, I don't think you're supposed to use
>> >> it
>> >> with
>> >> DSA or ECDSA, but only with RSA or RW. Also, it's not secure.
>> >> Seehttp://eprint.iacr.org/2009/203.pdf.
>>
>> >> Why do you have to implement this?
>>
>> >> --------------------------------------------------
>> >> From: "Alexei" <statujal...@...>
>> >> Sent: Thursday, October 22, 2009 3:01 AM
>> >> To: "Crypto++ Users" <cryptopp-users@...>
>> >> Subject: Re: Get MessageRepresentative from signature
>>
>> >> > ISO/IEC FDIS 9796-2 draft you can take for a free
>> >> >http://isotctest.iso.org/livelink/livelink/4459194/SC27N3032_Text_for...
>> >> > In this document verification scheme is described correctly.
>>
>> >> > Yes, it is signature scheme with message recovery. To verify
>> >> > signature
>> >> > the following steps should be performed:
>> >> > 1. Decrypt signature(get MessageRepresentative). Message
>> >> > representative in Digital signature scheme 1 consists of [Start byte
>> >> > |
>> >> > recoverable part of Message | hash(Message) | trailing byte(s)]
>> >> > 2. Construct Message* = [recoverable part of Message |
>> >> > non-recoverable
>> >> > part of Message]
>> >> > 3. Check that hash(Message) from signature is equal to
>> >> > hash(Message*).
>>
>> >> > In Internet I have seen only once that somebody had the same problem
>> >> >http://www.groupsrv.com/science/about117544.html
>>
>> >> > On 22 окт, 12:28, "Wei Dai" <wei...@...> wrote:
>> >> >> I'm not familiar with ISO/IEC FDIS 9796-2, and I can't find much
>> >> >> information
>> >> >> about it (without paying to buy the standard). Is it some kind of
>> >> >> signature
>> >> >> scheme with message recovery (SSR)? I never really finished
>> >> >> implementing
>> >> >> support for discrete log-based SSR in Crypto++ (and nobody has
>> >> >> complained
>> >> >> about that before), so the only way to do it is to write your own
>> >> >> code
>> >> >> directly on top of the Integer and elliptic curve classes. You can
>> >> >> try
>> >> >> to
>> >> >> reuse DL_Algorithm_GDSA in gfpcrypt.h, or copy the code out and
>> >> >> build
>> >> >> on
>> >> >> top
>> >> >> of that.
>>
>> >> >> Or, if you want to try to finish the DL SSR framework in Crypto++,
>> >> >> take a
>> >> >> look at DL_VerifierBase::RecoverAndRestart() in pubkey.h. But
>> >> >> unlike
>> >> >> with
>> >> >> RSA, message recovery with discrete log based schemes is
>> >> >> complicated
>> >> >> and
>> >> >> ultimately kind of pointless.
>>
>> >> >> --------------------------------------------------
>> >> >> From: "Alexei" <statujal...@...>
>> >> >> Sent: Thursday, October 22, 2009 12:53 AM
>> >> >> To: "Crypto++ Users" <cryptopp-users@...>
>> >> >> Subject: Get MessageRepresentative from signature
>>
>> >> >> > Hello!
>>
>> >> >> > I am implementing Digital signature scheme 1 described in ISO/IEC
>> >> >> > FDIS
>> >> >> > 9796-2. I have signature in binary form and public key.
>> >> >> > I know, how to get MessageRepresentative in case of RSA: call
>> >> >> > member
>> >> >> > ApplyFunction(...) of CryptoPP::RSA::PublicKey-object.
>> >> >> > But I don't know how to get MessageRepresentative in case of DSA
>> >> >> > and
>> >> >> > ECDSA... What I should do? Is their any general way to get
>> >> >> > MessageRepresentative independent on type of public key?- Скрыть
>> >> >> > цитируемый текст -
>>
>> >> >> - Показать цитируемый текст -- Скрыть цитируемый текст -
>>
>> >> - Показать цитируемый текст -- Скрыть цитируемый текст -
>>
>> - Показать цитируемый текст -
> >
>

> Sorry, but I really don't see any possible way that ISO/IEC FDIS 9796-2
> could apply to DSA/ECDSA. They just don't work the same way, and the
> discrete log based SSRs are in general very different from factorisation
> based ones.
>
> Please trust me on this, and look for some other explanation.
>
> --------------------------------------------------
> From: "Alexei" <statujal...@...>
> Sent: Thursday, October 22, 2009 4:19 AM
> To: "Crypto++ Users" <cryptopp-users@...>
> Cc: "Wei Dai" <wei...@...>; "Alexei" <statujal...@...>
> Subject: Re: Get MessageRepresentative from signature
>
>
>
>
>
> > As I understand Digital signature scheme described in ISO/IEC FDIS
> > 9796-2 can be implemented independent on signature generation
> > algorithm. Currently I have implemented only support of RSA. We have
> > sample ePassports with support of Active Authentication and all of
> > them use scheme based on RSA.
>
> > I have looked at section 3.3.2. Recommendation about using RSA-PSS
> > applies for signature generation of certificates and Document Security
> > object of RFID-chip. In Active Authentication is used simple RSA.
>
> > We have tried to contact with authors of the document about some other
> > questions but haven't got answer yet.
>
> > On 22 окт, 15:06, "Wei Dai" <wei...@...> wrote:
> >> I'm pretty sure there's an error or misunderstanding on someone's part.
> >> Part
> >> of the title of ISO/IEC FDIS 9796-2 is "Part 2: Integer factorisation
> >> based
> >> mechanisms" and DSA/ECDSA are not factorisation based!
>
> >> Also, if you look at section 3.3.2 of that ICAO document, it says that
> >> for
> >> RSA you should use RSASSA-PSS, which is different from ISO/IEC FDIS
> >> 9796-2's
> >> Digital Signature Scheme 1. I don't have time to read through this
> >> document
> >> and figure out what is going on. Can you ask someone who is more familiar
> >> with this standard (maybe its authors?).
>
> >> --------------------------------------------------
> >> From: "Alexei" <statujal...@...>
> >> Sent: Thursday, October 22, 2009 3:57 AM
> >> To: "Crypto++ Users" <cryptopp-users@...>
> >> Subject: Re: Get MessageRepresentative from signature
>
> >> > I am implementing software for reader of ICAO-compliant e-Passport. In
> >> > this document
> >> >http://www.csca-si.gov.si/TR-PKI_mrtds_ICC_read-only_access_v1_1.pdf
> >> > specified procedure Active Authentication and some its requirements.
> >> > Active Authentication is procedure described in ISO/IEC 9796-2,
> >> > Digital signature scheme 1.
>
> >> > Document above gives recommendations for key's size. If you look from
> >> > page 23 then you see that recommendations are given for Active
> >> > Authentication's keys with RSA, DSA and ECDSA.
>
> >> > On 22 окт, 14:14, "Wei Dai" <wei...@...> wrote:
> >> >> After looking at that standard, I don't think you're supposed to use
> >> >> it
> >> >> with
> >> >> DSA or ECDSA, but only with RSA or RW. Also, it's not secure.
> >> >> Seehttp://eprint.iacr.org/2009/203.pdf.
>
> >> >> Why do you have to implement this?
>
> >> >> --------------------------------------------------
> >> >> From: "Alexei" <statujal...@...>
> >> >> Sent: Thursday, October 22, 2009 3:01 AM
> >> >> To: "Crypto++ Users" <cryptopp-users@...>
> >> >> Subject: Re: Get MessageRepresentative from signature
>
> >> >> > ISO/IEC FDIS 9796-2 draft you can take for a free
> >> >> >http://isotctest.iso.org/livelink/livelink/4459194/SC27N3032_Text_for...
> >> >> > In this document verification scheme is described correctly.
>
> >> >> > Yes, it is signature scheme with message recovery. To verify
> >> >> > signature
> >> >> > the following steps should be performed:
> >> >> > 1. Decrypt signature(get MessageRepresentative). Message
> >> >> > representative in Digital signature scheme 1 consists of [Start byte
> >> >> > |
> >> >> > recoverable part of Message | hash(Message) | trailing byte(s)]
> >> >> > 2. Construct Message* = [recoverable part of Message |
> >> >> > non-recoverable
> >> >> > part of Message]
> >> >> > 3. Check that hash(Message) from signature is equal to
> >> >> > hash(Message*).
>
> >> >> > In Internet I have seen only once that somebody had the same problem
> >> >> >http://www.groupsrv.com/science/about117544.html
>
> >> >> > On 22 окт, 12:28, "Wei Dai" <wei...@...> wrote:
> >> >> >> I'm not familiar with ISO/IEC FDIS 9796-2, and I can't find much
> >> >> >> information
> >> >> >> about it (without paying to buy the standard). Is it some kind of
> >> >> >> signature
> >> >> >> scheme with message recovery (SSR)? I never really finished
> >> >> >> implementing
> >> >> >> support for discrete log-based SSR in Crypto++ (and nobody has
> >> >> >> complained
> >> >> >> about that before), so the only way to do it is to write your own
> >> >> >> code
> >> >> >> directly on top of the Integer and elliptic curve classes. You can
> >> >> >> try
> >> >> >> to
> >> >> >> reuse DL_Algorithm_GDSA in gfpcrypt.h, or copy the code out and
> >> >> >> build
> >> >> >> on
> >> >> >> top
> >> >> >> of that.
>
> >> >> >> Or, if you want to try to finish the DL SSR framework in Crypto++,
> >> >> >> take a
> >> >> >> look at DL_VerifierBase::RecoverAndRestart() in pubkey.h. But
> >> >> >> unlike
> >> >> >> with
> >> >> >> RSA, message recovery with discrete log based schemes is
> >> >> >> complicated
> >> >> >> and
> >> >> >> ultimately kind of pointless.
>
> >> >> >> --------------------------------------------------
> >> >> >> From: "Alexei" <statujal...@...>
> >> >> >> Sent: Thursday, October 22, 2009 12:53 AM
> >> >> >> To: "Crypto++ Users" <cryptopp-users@...>
> >> >> >> Subject: Get MessageRepresentative from signature
>
> >> >> >> > Hello!
>
> >> >> >> > I am implementing Digital signature scheme 1 described in ISO/IEC
> >> >> >> > FDIS
> >> >> >> > 9796-2. I have signature in binary form and public key.
> >> >> >> > I know, how to get MessageRepresentative in case of RSA: call
> >> >> >> > member
> >> >> >> > ApplyFunction(...) of CryptoPP::RSA::PublicKey-object.
> >> >> >> > But I don't know how to get MessageRepresentative in case of DSA
> >> >> >> > and
> >> >> >> > ECDSA... What I should do? Is their any general way to get
> >> >> >> > MessageRepresentative independent on type of public key?- Скрыть
> >> >> >> > цитируемый текст -
>
> >> >> >> - Показать цитируемый текст -- Скрыть цитируемый текст -
>
> >> >> - Показать цитируемый текст -- Скрыть цитируемый текст -
>
> >> - Показать цитируемый текст -- Скрыть цитируемый текст -
>
> - Показать цитируемый текст -

>
> I am not familar with DSA/ECDSA in depth. That's I want to ask why DSA/
> ECDSA can't be applied for Digital signature scheme 1 described in ISO/
> IEC 9796-2?
>
> I have the following point of view.
> 1. There is the RFID-chip that has public/private key pair. Terminal
> can read public key and algorithm's type used to perform Active
> Authentication.
> 2. Terminal sends some random data to the RFID-chip. This random data
> represents non-recoverable part of the message(M2 in ISO/IEC 9796-2).
> 3. RFID-chip generates M1 and signs message M = [M1 | M2] as described
> in the standard. Sends result to the terminal.
> 4. Terminal can restore MessageRepresentative using public key and
> verify the signature.
>
> What's wrong? What step can't be performed using DSA/ECDSA?
>
> On 22 окт, 15:25, "Wei Dai" <wei...@...> wrote:
>> Sorry, but I really don't see any possible way that ISO/IEC FDIS 9796-2
>> could apply to DSA/ECDSA. They just don't work the same way, and the
>> discrete log based SSRs are in general very different from factorisation
>> based ones.
>>
>> Please trust me on this, and look for some other explanation.
>>
>> --------------------------------------------------
>> From: "Alexei" <statujal...@...>
>> Sent: Thursday, October 22, 2009 4:19 AM
>> To: "Crypto++ Users" <cryptopp-users@...>
>> Cc: "Wei Dai" <wei...@...>; "Alexei" <statujal...@...>
>> Subject: Re: Get MessageRepresentative from signature
>>
>>
>>
>>
>>
>> > As I understand Digital signature scheme described in ISO/IEC FDIS
>> > 9796-2 can be implemented independent on signature generation
>> > algorithm. Currently I have implemented only support of RSA. We have
>> > sample ePassports with support of Active Authentication and all of
>> > them use scheme based on RSA.
>>
>> > I have looked at section 3.3.2. Recommendation about using RSA-PSS
>> > applies for signature generation of certificates and Document Security
>> > object of RFID-chip. In Active Authentication is used simple RSA.
>>
>> > We have tried to contact with authors of the document about some other
>> > questions but haven't got answer yet.
>>
>> > On 22 окт, 15:06, "Wei Dai" <wei...@...> wrote:
>> >> I'm pretty sure there's an error or misunderstanding on someone's
>> >> part.
>> >> Part
>> >> of the title of ISO/IEC FDIS 9796-2 is "Part 2: Integer factorisation
>> >> based
>> >> mechanisms" and DSA/ECDSA are not factorisation based!
>>
>> >> Also, if you look at section 3.3.2 of that ICAO document, it says that
>> >> for
>> >> RSA you should use RSASSA-PSS, which is different from ISO/IEC FDIS
>> >> 9796-2's
>> >> Digital Signature Scheme 1. I don't have time to read through this
>> >> document
>> >> and figure out what is going on. Can you ask someone who is more
>> >> familiar
>> >> with this standard (maybe its authors?).
>>
>> >> --------------------------------------------------
>> >> From: "Alexei" <statujal...@...>
>> >> Sent: Thursday, October 22, 2009 3:57 AM
>> >> To: "Crypto++ Users" <cryptopp-users@...>
>> >> Subject: Re: Get MessageRepresentative from signature
>>
>> >> > I am implementing software for reader of ICAO-compliant e-Passport.
>> >> > In
>> >> > this document
>> >> >http://www.csca-si.gov.si/TR-PKI_mrtds_ICC_read-only_access_v1_1.pdf
>> >> > specified procedure Active Authentication and some its requirements.
>> >> > Active Authentication is procedure described in ISO/IEC 9796-2,
>> >> > Digital signature scheme 1.
>>
>> >> > Document above gives recommendations for key's size. If you look
>> >> > from
>> >> > page 23 then you see that recommendations are given for Active
>> >> > Authentication's keys with RSA, DSA and ECDSA.
>>
>> >> > On 22 окт, 14:14, "Wei Dai" <wei...@...> wrote:
>> >> >> After looking at that standard, I don't think you're supposed to
>> >> >> use
>> >> >> it
>> >> >> with
>> >> >> DSA or ECDSA, but only with RSA or RW. Also, it's not secure.
>> >> >> Seehttp://eprint.iacr.org/2009/203.pdf.
>>
>> >> >> Why do you have to implement this?
>>
>> >> >> --------------------------------------------------
>> >> >> From: "Alexei" <statujal...@...>
>> >> >> Sent: Thursday, October 22, 2009 3:01 AM
>> >> >> To: "Crypto++ Users" <cryptopp-users@...>
>> >> >> Subject: Re: Get MessageRepresentative from signature
>>
>> >> >> > ISO/IEC FDIS 9796-2 draft you can take for a free
>> >> >> >http://isotctest.iso.org/livelink/livelink/4459194/SC27N3032_Text_for...
>> >> >> > In this document verification scheme is described correctly.
>>
>> >> >> > Yes, it is signature scheme with message recovery. To verify
>> >> >> > signature
>> >> >> > the following steps should be performed:
>> >> >> > 1. Decrypt signature(get MessageRepresentative). Message
>> >> >> > representative in Digital signature scheme 1 consists of [Start
>> >> >> > byte
>> >> >> > |
>> >> >> > recoverable part of Message | hash(Message) | trailing byte(s)]
>> >> >> > 2. Construct Message* = [recoverable part of Message |
>> >> >> > non-recoverable
>> >> >> > part of Message]
>> >> >> > 3. Check that hash(Message) from signature is equal to
>> >> >> > hash(Message*).
>>
>> >> >> > In Internet I have seen only once that somebody had the same
>> >> >> > problem
>> >> >> >http://www.groupsrv.com/science/about117544.html
>>
>> >> >> > On 22 окт, 12:28, "Wei Dai" <wei...@...> wrote:
>> >> >> >> I'm not familiar with ISO/IEC FDIS 9796-2, and I can't find much
>> >> >> >> information
>> >> >> >> about it (without paying to buy the standard). Is it some kind
>> >> >> >> of
>> >> >> >> signature
>> >> >> >> scheme with message recovery (SSR)? I never really finished
>> >> >> >> implementing
>> >> >> >> support for discrete log-based SSR in Crypto++ (and nobody has
>> >> >> >> complained
>> >> >> >> about that before), so the only way to do it is to write your
>> >> >> >> own
>> >> >> >> code
>> >> >> >> directly on top of the Integer and elliptic curve classes. You
>> >> >> >> can
>> >> >> >> try
>> >> >> >> to
>> >> >> >> reuse DL_Algorithm_GDSA in gfpcrypt.h, or copy the code out and
>> >> >> >> build
>> >> >> >> on
>> >> >> >> top
>> >> >> >> of that.
>>
>> >> >> >> Or, if you want to try to finish the DL SSR framework in
>> >> >> >> Crypto++,
>> >> >> >> take a
>> >> >> >> look at DL_VerifierBase::RecoverAndRestart() in pubkey.h. But
>> >> >> >> unlike
>> >> >> >> with
>> >> >> >> RSA, message recovery with discrete log based schemes is
>> >> >> >> complicated
>> >> >> >> and
>> >> >> >> ultimately kind of pointless.
>>
>> >> >> >> --------------------------------------------------
>> >> >> >> From: "Alexei" <statujal...@...>
>> >> >> >> Sent: Thursday, October 22, 2009 12:53 AM
>> >> >> >> To: "Crypto++ Users" <cryptopp-users@...>
>> >> >> >> Subject: Get MessageRepresentative from signature
>>
>> >> >> >> > Hello!
>>
>> >> >> >> > I am implementing Digital signature scheme 1 described in
>> >> >> >> > ISO/IEC
>> >> >> >> > FDIS
>> >> >> >> > 9796-2. I have signature in binary form and public key.
>> >> >> >> > I know, how to get MessageRepresentative in case of RSA: call
>> >> >> >> > member
>> >> >> >> > ApplyFunction(...) of CryptoPP::RSA::PublicKey-object.
>> >> >> >> > But I don't know how to get MessageRepresentative in case of
>> >> >> >> > DSA
>> >> >> >> > and
>> >> >> >> > ECDSA... What I should do? Is their any general way to get
>> >> >> >> > MessageRepresentative independent on type of public key?-
>> >> >> >> > Скрыть
>> >> >> >> > цитируемый текст -
>>
>> >> >> >> - Показать цитируемый текст -- Скрыть цитируемый текст -
>>
>> >> >> - Показать цитируемый текст -- Скрыть цитируемый текст -
>>
>> >> - Показать цитируемый текст -- Скрыть цитируемый текст -
>>
>> - Показать цитируемый текст -
> >
>

> It's the fourth step. If you take a look athttp://en.wikipedia.org/wiki/Digital_Signature_Algorithm#Verifying, there is
> no step where a message representative is restored.
>
> --------------------------------------------------
> From: "Alexei" <statujal...@...>
> Sent: Thursday, October 22, 2009 4:39 AM
> To: "Crypto++ Users" <cryptopp-users@...>
> Subject: Re: Get MessageRepresentative from signature
>
>
>
>
>
> > I am not familar with DSA/ECDSA in depth. That's I want to ask why DSA/
> > ECDSA can't be applied for Digital signature scheme 1 described in ISO/
> > IEC 9796-2?
>
> > I have the following point of view.
> > 1. There is the RFID-chip that has public/private key pair. Terminal
> > can read public key and algorithm's type used to perform Active
> > Authentication.
> > 2. Terminal sends some random data to the RFID-chip. This random data
> > represents non-recoverable part of the message(M2 in ISO/IEC 9796-2).
> > 3. RFID-chip generates M1 and signs message M = [M1 | M2] as described
> > in the standard. Sends result to the terminal.
> > 4. Terminal can restore MessageRepresentative using public key and
> > verify the signature.
>
> > What's wrong? What step can't be performed using DSA/ECDSA?
>
> > On 22 окт, 15:25, "Wei Dai" <wei...@...> wrote:
> >> Sorry, but I really don't see any possible way that ISO/IEC FDIS 9796-2
> >> could apply to DSA/ECDSA. They just don't work the same way, and the
> >> discrete log based SSRs are in general very different from factorisation
> >> based ones.
>
> >> Please trust me on this, and look for some other explanation.
>
> >> --------------------------------------------------
> >> From: "Alexei" <statujal...@...>
> >> Sent: Thursday, October 22, 2009 4:19 AM
> >> To: "Crypto++ Users" <cryptopp-users@...>
> >> Cc: "Wei Dai" <wei...@...>; "Alexei" <statujal...@...>
> >> Subject: Re: Get MessageRepresentative from signature
>
> >> > As I understand Digital signature scheme described in ISO/IEC FDIS
> >> > 9796-2 can be implemented independent on signature generation
> >> > algorithm. Currently I have implemented only support of RSA. We have
> >> > sample ePassports with support of Active Authentication and all of
> >> > them use scheme based on RSA.
>
> >> > I have looked at section 3.3.2. Recommendation about using RSA-PSS
> >> > applies for signature generation of certificates and Document Security
> >> > object of RFID-chip. In Active Authentication is used simple RSA.
>
> >> > We have tried to contact with authors of the document about some other
> >> > questions but haven't got answer yet.
>
> >> > On 22 окт, 15:06, "Wei Dai" <wei...@...> wrote:
> >> >> I'm pretty sure there's an error or misunderstanding on someone's
> >> >> part.
> >> >> Part
> >> >> of the title of ISO/IEC FDIS 9796-2 is "Part 2: Integer factorisation
> >> >> based
> >> >> mechanisms" and DSA/ECDSA are not factorisation based!
>
> >> >> Also, if you look at section 3.3.2 of that ICAO document, it says that
> >> >> for
> >> >> RSA you should use RSASSA-PSS, which is different from ISO/IEC FDIS
> >> >> 9796-2's
> >> >> Digital Signature Scheme 1. I don't have time to read through this
> >> >> document
> >> >> and figure out what is going on. Can you ask someone who is more
> >> >> familiar
> >> >> with this standard (maybe its authors?).
>
> >> >> --------------------------------------------------
> >> >> From: "Alexei" <statujal...@...>
> >> >> Sent: Thursday, October 22, 2009 3:57 AM
> >> >> To: "Crypto++ Users" <cryptopp-users@...>
> >> >> Subject: Re: Get MessageRepresentative from signature
>
> >> >> > I am implementing software for reader of ICAO-compliant e-Passport.
> >> >> > In
> >> >> > this document
> >> >> >http://www.csca-si.gov.si/TR-PKI_mrtds_ICC_read-only_access_v1_1.pdf
> >> >> > specified procedure Active Authentication and some its requirements.
> >> >> > Active Authentication is procedure described in ISO/IEC 9796-2,
> >> >> > Digital signature scheme 1.
>
> >> >> > Document above gives recommendations for key's size. If you look
> >> >> > from
> >> >> > page 23 then you see that recommendations are given for Active
> >> >> > Authentication's keys with RSA, DSA and ECDSA.
>
> >> >> > On 22 окт, 14:14, "Wei Dai" <wei...@...> wrote:
> >> >> >> After looking at that standard, I don't think you're supposed to
> >> >> >> use
> >> >> >> it
> >> >> >> with
> >> >> >> DSA or ECDSA, but only with RSA or RW. Also, it's not secure.
> >> >> >> Seehttp://eprint.iacr.org/2009/203.pdf.
>
> >> >> >> Why do you have to implement this?
>
> >> >> >> --------------------------------------------------
> >> >> >> From: "Alexei" <statujal...@...>
> >> >> >> Sent: Thursday, October 22, 2009 3:01 AM
> >> >> >> To: "Crypto++ Users" <cryptopp-users@...>
> >> >> >> Subject: Re: Get MessageRepresentative from signature
>
> >> >> >> > ISO/IEC FDIS 9796-2 draft you can take for a free
> >> >> >> >http://isotctest.iso.org/livelink/livelink/4459194/SC27N3032_Text_for...
> >> >> >> > In this document verification scheme is described correctly.
>
> >> >> >> > Yes, it is signature scheme with message recovery. To verify
> >> >> >> > signature
> >> >> >> > the following steps should be performed:
> >> >> >> > 1. Decrypt signature(get MessageRepresentative). Message
> >> >> >> > representative in Digital signature scheme 1 consists of [Start
> >> >> >> > byte
> >> >> >> > |
> >> >> >> > recoverable part of Message | hash(Message) | trailing byte(s)]
> >> >> >> > 2. Construct Message* = [recoverable part of Message |
> >> >> >> > non-recoverable
> >> >> >> > part of Message]
> >> >> >> > 3. Check that hash(Message) from signature is equal to
> >> >> >> > hash(Message*).
>
> >> >> >> > In Internet I have seen only once that somebody had the same
> >> >> >> > problem
> >> >> >> >http://www.groupsrv.com/science/about117544.html
>
> >> >> >> > On 22 окт, 12:28, "Wei Dai" <wei...@...> wrote:
> >> >> >> >> I'm not familiar with ISO/IEC FDIS 9796-2, and I can't find much
> >> >> >> >> information
> >> >> >> >> about it (without paying to buy the standard). Is it some kind
> >> >> >> >> of
> >> >> >> >> signature
> >> >> >> >> scheme with message recovery (SSR)? I never really finished
> >> >> >> >> implementing
> >> >> >> >> support for discrete log-based SSR in Crypto++ (and nobody has
> >> >> >> >> complained
> >> >> >> >> about that before), so the only way to do it is to write your
> >> >> >> >> own
> >> >> >> >> code
> >> >> >> >> directly on top of the Integer and elliptic curve classes. You
> >> >> >> >> can
> >> >> >> >> try
> >> >> >> >> to
> >> >> >> >> reuse DL_Algorithm_GDSA in gfpcrypt.h, or copy the code out and
> >> >> >> >> build
> >> >> >> >> on
> >> >> >> >> top
> >> >> >> >> of that.
>
> >> >> >> >> Or, if you want to try to finish the DL SSR framework in
> >> >> >> >> Crypto++,
> >> >> >> >> take a
> >> >> >> >> look at DL_VerifierBase::RecoverAndRestart() in pubkey.h. But
> >> >> >> >> unlike
> >> >> >> >> with
> >> >> >> >> RSA, message recovery with discrete log based schemes is
> >> >> >> >> complicated
> >> >> >> >> and
> >> >> >> >> ultimately kind of pointless.
>
> >> >> >> >> --------------------------------------------------
> >> >> >> >> From: "Alexei" <statujal...@...>
> >> >> >> >> Sent: Thursday, October 22, 2009 12:53 AM
> >> >> >> >> To: "Crypto++ Users" <cryptopp-users@...>
> >> >> >> >> Subject: Get MessageRepresentative from signature
>
> >> >> >> >> > Hello!
>
> >> >> >> >> > I am implementing Digital signature scheme 1 described in
> >> >> >> >> > ISO/IEC
> >> >> >> >> > FDIS
> >> >> >> >> > 9796-2. I have signature in binary form and public key.
> >> >> >> >> > I know, how to get MessageRepresentative in case of RSA: call
> >> >> >> >> > member
> >> >> >> >> > ApplyFunction(...) of CryptoPP::RSA::PublicKey-object.
> >> >> >> >> > But I don't know how to get MessageRepresentative in case of
> >> >> >> >> > DSA
> >> >> >> >> > and
> >> >> >> >> > ECDSA... What I should do? Is their any general way to get
> >> >> >> >> > MessageRepresentative independent on type of public key?-
> >> >> >> >> > Скрыть
> >> >> >> >> > цитируемый текст -
>
> >> >> >> >> - Показать цитируемый текст -- Скрыть цитируемый текст -
>
> >> >> >> - Показать цитируемый текст -- Скрыть цитируемый текст -
>
> >> >> - Показать цитируемый текст -- Скрыть цитируемый текст -
>
> >> - Показать цитируемый текст -- Скрыть цитируемый текст -
>
> - Показать цитируемый текст -