5

I see sometimes signatures schemes with appendix. This is about signatures schemes in which the message is needed in the verification algorithm, that is, the ouput of the signature algorithm is of the form $(M,s)$

The appendix is referred to the message or the signature ?

Thank you.

Dingo13
  • 2,867
  • 3
  • 27
  • 46

1 Answers1

6

In a signature scheme with appendix (such as RSASSA-PSS), the signature $s=\operatorname{Sign}(M,\text{PrivateKey})$ of the message $M$ is usually appended to the unmodified message $M$, forming $(M,s)$ or $M\mathbin\|s$. This is effectively sent, and verified; the signature is an appendix to the message.

Signature scheme with appendix opposes to signature scheme with message recovery (such as ISO/IEC 9796-2). In the later kind, all or some of the message is embedded in the signature. When all of the message is embedded, the verification procedure requires only $s=\operatorname{Sign}(M,\text{PrivateKey})$ as input, and recovers $M$ as a by-product (that's known as total message recovery). Only the signature is sent; it embeds the message.

In the case of RSA, signature schemes with message recovery provide significant bandwidth or space saving for signed messages about the size of the public key used, including public key certificates; that's why they are common in the field of Smart Cards.

fgrieu
  • 140,762
  • 12
  • 307
  • 587
  • Thank you fgrieu, but in what the use of RSA is space saving ? Since the key sizes are much greater than in ECC cryptography ? – Dingo13 Jun 24 '13 at 11:58
  • 1
    @user7060: Indeed, for equivalent security, an RSA Public Key Certificate signed with RSA (even with message recovery) is bigger than an ECDSA Public Key Certificate signed with ECDSA. But when signature verification must be fast on a low-end CPU, or very simple, RSA beats ECDSA by a wide margin, therefore ECDSA might not be an option. Also, there are uses for signatures beyond those in Public Key Certificates, and the increase in size by signing with RSA using message recovery can be about half of the increase in size by signing with ECDSA (with appendix). – fgrieu Jun 24 '13 at 12:10
  • OK, thank you fgrieu. Generally, a little saving is always better than nothing in smart cards ? – Dingo13 Jun 24 '13 at 21:40
  • @Dingo13 Late answer: yes, of course, on a SoC with limited bandwidth to the reader and almost no RAM, smaller is better. Any reason why you haven't accepted this particular answer? – Maarten Bodewes Dec 16 '18 at 13:49
  • +1 since that was the info I was looking for and I don't know why this is not the accepted answer – Andreas H. Aug 06 '19 at 06:06