Digital Signature Algorithm

Last updated June 16, 2024

The Digital Signature Algorithm (DSA) is a public-key cryptosystem and Federal Information Processing Standard for digital signatures, based on the mathematical concept of modular exponentiation and the discrete logarithm problem. In a public-key cryptosystem, two keys are generated: data can only be encrypted with the public key and encrypted data can only be decrypted with the private key. DSA is a variant of the Schnorr and ElGamal signature schemes.^[1]^: 486

The National Institute of Standards and Technology (NIST) proposed DSA for use in their Digital Signature Standard (DSS) in 1991, and adopted it as FIPS 186 in 1994.^[2] Five revisions to the initial specification have been released. The newest specification is: FIPS 186-5 from February 2023.^[3] DSA is patented but NIST has made this patent available worldwide royalty-free. Specification FIPS 186-5 indicates DSA will no longer be approved for digital signature generation, but may be used to verify signatures generated prior to the implementation date of that standard.

Overview

The DSA works in the framework of public-key cryptosystems and is based on the algebraic properties of modular exponentiation, together with the discrete logarithm problem, which is considered to be computationally intractable. The algorithm uses a key pair consisting of a public key and a private key. The private key is used to generate a digital signature for a message, and such a signature can be verified by using the signer's corresponding public key. The digital signature provides message authentication (the receiver can verify the origin of the message), integrity (the receiver can verify that the message has not been modified since it was signed) and non-repudiation (the sender cannot falsely claim that they have not signed the message).

History

In 1982, the U.S government solicited proposals for a public key signature standard. In August 1991 the National Institute of Standards and Technology (NIST) proposed DSA for use in their Digital Signature Standard (DSS). Initially there was significant criticism, especially from software companies that had already invested effort in developing digital signature software based on the RSA cryptosystem.^[1]^: 484 Nevertheless, NIST adopted DSA as a Federal standard (FIPS 186) in 1994. Five revisions to the initial specification have been released: FIPS 186–1 in 1998,^[4] FIPS 186–2 in 2000,^[5] FIPS 186–3 in 2009,^[6] FIPS 186–4 in 2013,^[3] and FIPS 186–5 in 2023.^[7] Standard FIPS 186-5 forbids signing with DSA, while allowing verification of signatures generated prior to the implementation date of the standard as a document. It is to be replaced by newer signature schemes such as EdDSA.^[8]

DSA is covered by U.S. patent 5,231,668 , filed July 26, 1991 and now expired, and attributed to David W. Kravitz,^[9] a former NSA employee. This patent was given to "The United States of America as represented by the Secretary of Commerce, Washington, D.C.", and NIST has made this patent available worldwide royalty-free.^[10] Claus P. Schnorr claims that his U.S. patent 4,995,082 (also now expired) covered DSA; this claim is disputed.^[11]

In 1993, Dave Banisar managed to get confirmation, via a FOIA request, that the DSA algorithm hasn't been designed by the NIST, but by the NSA.^[12]

OpenSSH announced that DSA is scheduled to be removed in 2025.^[13]

Operation

The DSA algorithm involves four operations: key generation (which creates the key pair), key distribution, signing and signature verification.

1. Key generation

Key generation has two phases. The first phase is a choice of algorithm parameters which may be shared between different users of the system, while the second phase computes a single key pair for one user.

Parameter generation

Choose an approved cryptographic hash function $H$ with output length $|H|$ bits. In the original DSS, $H$ was always SHA-1, but the stronger SHA-2 hash functions are approved for use in the current DSS.^[3]^[14] If $|H|$ is greater than the modulus length $N$ , only the leftmost $N$ bits of the hash output are used.
Choose a key length $L$ . The original DSS constrained $L$ to be a multiple of 64 between 512 and 1024 inclusive. NIST 800-57 recommends lengths of 2048 (or 3072) for keys with security lifetimes extending beyond 2010 (or 2030).^[15]
Choose the modulus length $N$ such that $N<L$ and $N\leq |H|$ . FIPS 186-4 specifies $L$ and $N$ to have one of the values: (1024, 160), (2048, 224), (2048, 256), or (3072, 256).^[3]
Choose an $N$ -bit prime $q$ .
Choose an $L$ -bit prime $p$ such that $p-1$ is a multiple of $q$ .
Choose an integer $h$ randomly from $\{2\ldots p-2\}$ .
Compute $g:=h^{(p-1)/q}\mod p$ . In the rare case that $g=1$ try again with a different $h$ . Commonly $h=2$ is used. This modular exponentiation can be computed efficiently even if the values are large.

The algorithm parameters are ( $p$ , $q$ , $g$ ). These may be shared between different users of the system.

Per-user keys

Given a set of parameters, the second phase computes the key pair for a single user:

Choose an integer $x$ randomly from $\{1\ldots q-1\}$ .
Compute $y:=g^{x}\mod p$ .

$x$ is the private key and $y$ is the public key.

2. Key distribution

The signer should publish the public key $y$ . That is, they should send the key to the receiver via a reliable, but not necessarily secret, mechanism. The signer should keep the private key $x$ secret.

3. Signing

A message $m$ is signed as follows:

Choose an integer $k$ randomly from $\{1\ldots q-1\}$
Compute $r:=\left(g^{k}{\bmod {\,}}p\right){\bmod {\,}}q$ . In the unlikely case that $r=0$ , start again with a different random $k$ .
Compute $s:=\left(k^{-1}\left(H(m)+xr\right)\right){\bmod {\,}}q$ . In the unlikely case that $s=0$ , start again with a different random $k$ .

The signature is $\left(r,s\right)$

The calculation of $k$ and $r$ amounts to creating a new per-message key. The modular exponentiation in computing $r$ is the most computationally expensive part of the signing operation, but it may be computed before the message is known. Calculating the modular inverse $k^{-1}{\bmod {\,}}q$ is the second most expensive part, and it may also be computed before the message is known. It may be computed using the extended Euclidean algorithm or using Fermat's little theorem as $k^{q-2}{\bmod {\,}}q$ .

4. Signature Verification

One can verify that a signature $\left(r,s\right)$ is a valid signature for a message $m$ as follows:

Verify that $0<r<q$ and $0<s<q$ .
Compute $w:=s^{-1}{\bmod {\,}}q$ .
Compute $u_{1}:=H(m)\cdot w\,{\bmod {\,}}q$ .
Compute $u_{2}:=r\cdot w\,{\bmod {\,}}q$ .
Compute $v:=\left(g^{u_{1}}y^{u_{2}}{\bmod {\,}}p\right){\bmod {\,}}q$ .
The signature is valid if and only if $v=r$ .

Correctness of the algorithm

The signature scheme is correct in the sense that the verifier will always accept genuine signatures. This can be shown as follows:

First, since ${\textstyle g=h^{(p-1)/q}~{\text{mod}}~p}$ , it follows that ${\textstyle g^{q}\equiv h^{p-1}\equiv 1\mod p}$ by Fermat's little theorem. Since $g>0$ and $q$ is prime, $g$ must have order $q$ .

The signer computes

s=k^{-1}(H(m)+xr){\bmod {\,}}q

Thus

{\begin{aligned}k&\equiv H(m)s^{-1}+xrs^{-1}\\&\equiv H(m)w+xrw{\pmod {q}}\end{aligned}}

Since $g$ has order $q$ we have

{\begin{aligned}g^{k}&\equiv g^{H(m)w}g^{xrw}\\&\equiv g^{H(m)w}y^{rw}\\&\equiv g^{u_{1}}y^{u_{2}}{\pmod {p}}\end{aligned}}

Finally, the correctness of DSA follows from

{\begin{aligned}r&=(g^{k}{\bmod {\,}}p){\bmod {\,}}q\\&=(g^{u_{1}}y^{u_{2}}{\bmod {\,}}p){\bmod {\,}}q\\&=v\end{aligned}}

Sensitivity

With DSA, the entropy, secrecy, and uniqueness of the random signature value $k$ are critical. It is so critical that violating any one of those three requirements can reveal the entire private key to an attacker.^[16] Using the same value twice (even while keeping $k$ secret), using a predictable value, or leaking even a few bits of $k$ in each of several signatures, is enough to reveal the private key $x$ .^[17]

This issue affects both DSA and Elliptic Curve Digital Signature Algorithm (ECDSA) – in December 2010, the group fail0verflow announced the recovery of the ECDSA private key used by Sony to sign software for the PlayStation 3 game console. The attack was made possible because Sony failed to generate a new random $k$ for each signature.^[18]

This issue can be prevented by deriving $k$ deterministically from the private key and the message hash, as described by RFC 6979. This ensures that $k$ is different for each $H(m)$ and unpredictable for attackers who do not know the private key $x$ .

In addition, malicious implementations of DSA and ECDSA can be created where $k$ is chosen in order to subliminally leak information via signatures. For example, an offline private key could be leaked from a perfect offline device that only released innocent-looking signatures.^[19]

Implementations

Below is a list of cryptographic libraries that provide support for DSA:

Related Research Articles

In mathematics, the Chinese remainder theorem states that if one knows the remainders of the Euclidean division of an integer n by several integers, then one can determine uniquely the remainder of the division of n by the product of these integers, under the condition that the divisors are pairwise coprime.

Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys to provide equivalent security, compared to cryptosystems based on modular exponentiation in Galois fields, such as the RSA cryptosystem and ElGamal cryptosystem.

<span class="mw-page-title-main">Quadratic reciprocity</span> Gives conditions for the solvability of quadratic equations modulo prime numbers

In number theory, the law of quadratic reciprocity is a theorem about modular arithmetic that gives conditions for the solvability of quadratic equations modulo prime numbers. Due to its subtlety, it has many formulations, but the most standard statement is:

RSA (Rivest–Shamir–Adleman) is a public-key cryptosystem, one of the oldest widely used for secure data transmission. The initialism "RSA" comes from the surnames of Ron Rivest, Adi Shamir and Leonard Adleman, who publicly described the algorithm in 1977. An equivalent system was developed secretly in 1973 at Government Communications Headquarters (GCHQ), the British signals intelligence agency, by the English mathematician Clifford Cocks. That system was declassified in 1997.

<span class="mw-page-title-main">Blind signature</span> Form of digital signature

In cryptography a blind signature, as introduced by David Chaum, is a form of digital signature in which the content of a message is disguised (blinded) before it is signed. The resulting blind signature can be publicly verified against the original, unblinded message in the manner of a regular digital signature. Blind signatures are typically employed in privacy-related protocols where the signer and message author are different parties. Examples include cryptographic election systems and digital cash schemes.

In cryptography, the Elliptic Curve Digital Signature Algorithm (ECDSA) offers a variant of the Digital Signature Algorithm (DSA) which uses elliptic-curve cryptography.

The Rabin cryptosystem is a family of public-key encryption schemes based on a trapdoor function whose security, like that of RSA, is related to the difficulty of integer factorization.

The Paillier cryptosystem, invented by and named after Pascal Paillier in 1999, is a probabilistic asymmetric algorithm for public key cryptography. The problem of computing n-th residue classes is believed to be computationally difficult. The decisional composite residuosity assumption is the intractability hypothesis upon which this cryptosystem is based.

In mathematics, Hensel's lemma, also known as Hensel's lifting lemma, named after Kurt Hensel, is a result in modular arithmetic, stating that if a univariate polynomial has a simple root modulo a prime number $p$ , then this root can be lifted to a unique root modulo any higher power of $p$ . More generally, if a polynomial factors modulo $p$ into two coprime polynomials, this factorization can be lifted to a factorization modulo any higher power of $p$ .

The Digital Signature Standard (DSS) is a Federal Information Processing Standard specifying a suite of algorithms that can be used to generate digital signatures established by the U.S. National Institute of Standards and Technology (NIST) in 1994. Five revisions to the initial specification have been released: FIPS 186-1 in 1998, FIPS 186-2 in 2000, FIPS 186-3 in 2009, FIPS 186-4 in 2013, and FIPS 186-5 in 2023.

The ElGamal signature scheme is a digital signature scheme which is based on the difficulty of computing discrete logarithms. It was described by Taher Elgamal in 1985.

The Blum–Goldwasser (BG) cryptosystem is an asymmetric key encryption algorithm proposed by Manuel Blum and Shafi Goldwasser in 1984. Blum–Goldwasser is a probabilistic, semantically secure cryptosystem with a constant-size ciphertext expansion. The encryption algorithm implements an XOR-based stream cipher using the Blum-Blum-Shub (BBS) pseudo-random number generator to generate the keystream. Decryption is accomplished by manipulating the final state of the BBS generator using the private key, in order to find the initial seed and reconstruct the keystream.

In cryptography, the Rabin signature algorithm is a method of digital signature originally proposed by Michael O. Rabin in 1978.

The Okamoto–Uchiyama cryptosystem is a public key cryptosystem proposed in 1998 by Tatsuaki Okamoto and Shigenori Uchiyama. The system works in the multiplicative group of integers modulo n, $, where n is of the form p 2 q and p and q are large primes.$

Lattice-based cryptography is the generic term for constructions of cryptographic primitives that involve lattices, either in the construction itself or in the security proof. Lattice-based constructions support important standards of post-quantum cryptography. Unlike more widely used and known public-key schemes such as the RSA, Diffie-Hellman or elliptic-curve cryptosystems — which could, theoretically, be defeated using Shor's algorithm on a quantum computer — some lattice-based constructions appear to be resistant to attack by both classical and quantum computers. Furthermore, many lattice-based constructions are considered to be secure under the assumption that certain well-studied computational lattice problems cannot be solved efficiently.

In cryptography, subliminal channels are covert channels that can be used to communicate secretly in normal looking communication over an insecure channel. Subliminal channels in digital signature crypto systems were found in 1984 by Gustavus Simmons.

In cryptography, the Fiat–Shamir heuristic is a technique for taking an interactive proof of knowledge and creating a digital signature based on it. This way, some fact can be publicly proven without revealing underlying information. The technique is due to Amos Fiat and Adi Shamir (1986). For the method to work, the original interactive proof must have the property of being public-coin, i.e. verifier's random coins are made public throughout the proof protocol.

In discrete mathematics, ideal lattices are a special class of lattices and a generalization of cyclic lattices. Ideal lattices naturally occur in many parts of number theory, but also in other areas. In particular, they have a significant place in cryptography. Micciancio defined a generalization of cyclic lattices as ideal lattices. They can be used in cryptosystems to decrease by a square root the number of parameters necessary to describe a lattice, making them more efficient. Ideal lattices are a new concept, but similar lattice classes have been used for a long time. For example, cyclic lattices, a special case of ideal lattices, are used in NTRUEncrypt and NTRUSign.

Badger is a Message Authentication Code (MAC) based on the idea of universal hashing and was developed by Boesgaard, Scavenius, Pedersen, Christensen, and Zenner. It is constructed by strengthening the ∆-universal hash family MMH using an ϵ-almost strongly universal (ASU) hash function family after the application of ENH, where the value of ϵ is $. Since Badger is a MAC function based on the universal hash function approach, the conditions needed for the security of Badger are the same as those for other universal hash functions such as UMAC.$

In public-key cryptography, Edwards-curve Digital Signature Algorithm (EdDSA) is a digital signature scheme using a variant of Schnorr signature based on twisted Edwards curves. It is designed to be faster than existing digital signature schemes without sacrificing security. It was developed by a team including Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang. The reference implementation is public-domain software.

References

1 2 Schneier, Bruce (1996). Applied Cryptography. Wiley. ISBN 0-471-11709-9.
↑ "FIPS PUB 186: Digital Signature Standard (DSS), 1994-05-19". qcsrc.nist.gov. Archived from the original on 2013-12-13.
1 2 3 4 "FIPS PUB 186-4: Digital Signature Standard (DSS), July 2013" (PDF). csrc.nist.gov.
↑ "FIPS PUB 186-1: Digital Signature Standard (DSS), 1998-12-15" (PDF). csrc.nist.gov. Archived from the original (PDF) on 2013-12-26.
↑ "FIPS PUB 186-2: Digital Signature Standard (DSS), 2000-01-27" (PDF). csrc.nist.gov.
↑ "FIPS PUB 186-3: Digital Signature Standard (DSS), June 2009" (PDF). csrc.nist.gov.
↑ "FIPS PUB 186-5: Digital Signature Standard (DSS), February 2023" (PDF). csrc.nist.gov.
↑ "Digital Signature Standard (DSS)". U.S. Department of Commerce. 31 October 2019. Retrieved 21 July 2020.
↑ Dr. David W. Kravitz Archived January 9, 2013, at the Wayback Machine
↑ Werner Koch. "DSA and patents"
↑ "1994 Annual Report of CSSPAB". 26 August 2009. Archived from the original on 26 August 2009.
↑ Neumann, Peter G. (2020-02-29). "The RISKS Digest Volume 14 Issue 59". Archived from the original on 2020-02-29. Retrieved 2023-10-03.{{cite web}}: CS1 maint: bot: original URL status unknown (link)
↑ "OpenSSH announces DSA-removal timeline [LWN.net]". lwn.net. Retrieved 11 January 2024.
↑ "FIPS PUB 180-4: Secure Hash Standard (SHS), March 2012" (PDF). csrc.nist.gov.
↑ "NIST Special Publication 800-57" (PDF). csrc.nist.gov. Archived from the original (PDF) on 2014-06-06.
↑ "The Debian PGP disaster that almost was". root labs rdist. 18 May 2009.
↑ DSA $k$ -value Requirements
↑ Bendel, Mike (2010-12-29). "Hackers Describe PS3 Security As Epic Fail, Gain Unrestricted Access". Exophase.com. Retrieved 2011-01-05.
↑ Verbücheln, Stephan (2 January 2015). "How Perfect Offline Wallets Can Still Leak Bitcoin Private Keys". arXiv: 1501.00447 [cs.CR].

External links

FIPS PUB 186-4: Digital Signature Standard (DSS), the fourth (and current) revision of the official DSA specification.
Recommendation for Key Management -- Part 1: general, NIST Special Publication 800-57, p. 62–63

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[schneier-1] 1 2 Schneier, Bruce (1996). Applied Cryptography. Wiley. ISBN 0-471-11709-9.

[FIPS-186-2] "FIPS PUB 186: Digital Signature Standard (DSS), 1994-05-19". qcsrc.nist.gov. Archived from the original on 2013-12-13.

[FIPS-186-4-3] 1 2 3 4 "FIPS PUB 186-4: Digital Signature Standard (DSS), July 2013" (PDF). csrc.nist.gov.

[FIPS-186-1-4] "FIPS PUB 186-1: Digital Signature Standard (DSS), 1998-12-15" (PDF). csrc.nist.gov. Archived from the original (PDF) on 2013-12-26.

[FIPS-186-2-5] "FIPS PUB 186-2: Digital Signature Standard (DSS), 2000-01-27" (PDF). csrc.nist.gov.

[FIPS-186-3-6] "FIPS PUB 186-3: Digital Signature Standard (DSS), June 2009" (PDF). csrc.nist.gov.

[FIPS-186-5-7] "FIPS PUB 186-5: Digital Signature Standard (DSS), February 2023" (PDF). csrc.nist.gov.

[8] "Digital Signature Standard (DSS)". U.S. Department of Commerce. 31 October 2019. Retrieved 21 July 2020.

[9] Dr. David W. Kravitz Archived January 9, 2013, at the Wayback Machine

[10] Werner Koch. "DSA and patents"

[11] "1994 Annual Report of CSSPAB". 26 August 2009. Archived from the original on 26 August 2009.

[12] Neumann, Peter G. (2020-02-29). "The RISKS Digest Volume 14 Issue 59". Archived from the original on 2020-02-29. Retrieved 2023-10-03.{{cite web}}: CS1 maint: bot: original URL status unknown (link)

[13] "OpenSSH announces DSA-removal timeline [LWN.net]". lwn.net. Retrieved 11 January 2024.

[FIPS-180-4-14] "FIPS PUB 180-4: Secure Hash Standard (SHS), March 2012" (PDF). csrc.nist.gov.

[15] "NIST Special Publication 800-57" (PDF). csrc.nist.gov. Archived from the original (PDF) on 2014-06-06.

[16] "The Debian PGP disaster that almost was". root labs rdist. 18 May 2009.

[17] DSA $k$ -value Requirements

[18] Bendel, Mike (2010-12-29). "Hackers Describe PS3 Security As Epic Fail, Gain Unrestricted Access". Exophase.com. Retrieved 2011-01-05.

[19] Verbücheln, Stephan (2 January 2015). "How Perfect Offline Wallets Can Still Leak Bitcoin Private Keys". arXiv: 1501.00447 [cs.CR].

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]