Elliptic Curve Pinstov Vanstone Signatures (ECPVS) (huecc.h)
ECPVS (functionality are defined in huecc.h. ECPVS (Elliptic Curve Pinstov Vanstone Signature) is a digital signature scheme offering partial message recovery. The size of signatures created using ECPVS is smaller than other schemes (e.g., RSA). ECPVS is specified in IEEE 1363a-2004 and in the ANSI X9.92 draft.
Note that an ECC parameters object is required to generate or verify a signature using ECPVS. The hu_ECCParamsCreate() function creates these objects. An ECC key object is also required.
The ECPVS algorithm is executed by taking a message, M, and splitting it into two parts: a confidential portion, C, which is recoverable, and the plaintext portion, V, which is also referred to as the visible portion.
C is encoded and encrypted. The message representative value r is calculated as part of the encryption operation.
Next, a hash is performed on the encrypted C and V. The result of the hash is then signed using the sender's private key, which produces the signature element, s.
Unlike other types of signature schemes, ECPVS relies on certain characteristics of the recoverable message to determine if the signature is valid. These characteristics, called redundancy, can be inherent in the message (for example, ASCII or all numeric), or can be added in the form of padding. For example, if the recoverable message resembles a random string, then there is no way for the verifier to tell if the signature is valid. Padding can be added to the recoverable message to increase the redundancy so the verifier can validate a signature with high confidence. IEEE 1363a-2004 specifies the padding to be between 1 to 255 bytes. In general, the total redundancy should be half the subgroup order of the elliptic curve, or half the hash function output length. If you are unsure of the redundancy in the recoverable message, use a pad length that equals the total required redundancy.
ECPVS signing can be performed either by calling the one-shot function hu_ECPVSSign(), or by calling the following four functions (which must be called in the order listed):
hu_ECPVSSignBegin() and hu_ECPVSSignEnd() are used to start and finish the ECPVS signing process. hu_ECPVSSignEncrypt() is called to encrypt the confidential message, while hu_ECPVSSignUpdate() is called to update the visible message. Both hu_ECPVSSignEncrypt() and hu_ECPVSSignUpdate() may be called multiple times to encrypt/update the confidential/visible messages in parts.
The one-shot function conforms to IEEE 1363a-2004 and enforces a padding of 1 to 255 bytes. The padding increases the size of r and is generally a tradeoff between signature size and security. If you need more control over the signature size, use the four part functions. Set the flag parameter to HU_ECPVS_FLAG_RAW, and no padding will be added. However, you need to ensure there is enough redundancy in the recoverable message to provide adequate security.
Upon receipt of a message that was signed using ECPVS, the confidential portion of the message can be recovered.
The recovery process consists of hashing the plaintext V with r, the result of which allows for the confidential message portion to be recovered using the sender's public key, Q, and the signature element, s. The confidential message can then be decrypted and a redundancy check performed to validate the signature.
ECPVS recovery can be performed either by calling the one-shot function hu_ECPVSRecover(), or by calling the following four functions (which must be called in the order listed):
hu_ECPVSRecoverBegin() and hu_ECPVSRecoverEnd() are used to start and finish the ECPVS recovery process. hu_ECPVSRecoverUpdate() is called to update the visible message, while hu_ECPVSRecoverDecrypt() is called to decrypt the confidential message. Both hu_ECPVSRecoverUpdate() and hu_ECPVSRecoverDecrypt() may be called multiple times to update/decrypt the visible/confidential messages in parts.
A redundancy check to validate the message signature is built into the functions hu_ECPVSRecover() and hu_ECPVSRecoverDecrypt(), which return the error SB_FAIL_INVALID_SIGNATURE if the signature is invalid.