Digital Signature Algorithm

The Digital Signature Algorithm (DSA) is a public-key cryptosystem and Federal Information Processing Standard for digital signatures, based on the mathematical concept of modular exponentiation and the discrete logarithm problem. In a public-key cryptosystem, two keys are generated: data can only be encrypted with the public key and encrypted data can only be decrypted with the private key. DSA is a variant of the Schnorr and ElGamal signature schemes.^[1]^: 486

The National Institute of Standards and Technology (NIST) proposed DSA for use in their Digital Signature Standard (DSS) in 1991, and adopted it as FIPS 186 in 1994.^[2] Five revisions to the initial specification have been released. The newest specification is: FIPS 186-5 from February 2023.^[3] DSA is patented but NIST has made this patent available worldwide royalty-free. Specification FIPS 186-5 indicates DSA will no longer be approved for digital signature generation, but may be used to verify signatures generated prior to the implementation date of that standard.

Overview[edit]

The DSA works in the framework of public-key cryptosystems and is based on the algebraic properties of modular exponentiation, together with the discrete logarithm problem, which is considered to be computationally intractable. The algorithm uses a key pair consisting of a public key and a private key. The private key is used to generate a digital signature for a message, and such a signature can be verified by using the signer's corresponding public key. The digital signature provides message authentication (the receiver can verify the origin of the message), integrity (the receiver can verify that the message has not been modified since it was signed) and non-repudiation (the sender cannot falsely claim that they have not signed the message).

History[edit]

In 1982, the U.S government solicited proposals for a public key signature standard. In August 1991 the National Institute of Standards and Technology (NIST) proposed DSA for use in their Digital Signature Standard (DSS). Initially there was significant criticism, especially from software companies that had already invested effort in developing digital signature software based on the RSA cryptosystem.^[1]^: 484 Nevertheless, NIST adopted DSA as a Federal standard (FIPS 186) in 1994. Five revisions to the initial specification have been released: FIPS 186–1 in 1998,^[4] FIPS 186–2 in 2000,^[5] FIPS 186–3 in 2009,^[6] FIPS 186–4 in 2013,^[3] and FIPS 186–5 in 2023.^[7] Standard FIPS 186-5 forbids signing with DSA, while allowing verification of signatures generated prior to the implementation date of the standard as a document. It is to be replaced by newer signature schemes such as EdDSA.^[8]

DSA is covered by U.S. patent 5,231,668, filed July 26, 1991 and now expired, and attributed to David W. Kravitz,^[9] a former NSA employee. This patent was given to "The United States of America as represented by the Secretary of Commerce, Washington, D.C.", and NIST has made this patent available worldwide royalty-free.^[10] Claus P. Schnorr claims that his U.S. patent 4,995,082 (also now expired) covered DSA; this claim is disputed.^[11]

In 1993, Dave Banisar managed to get confirmation, via a FOIA request, that the DSA algorithm hasn't been designed by the NIST, but by the NSA.^[12]

OpenSSH announced that DSA is scheduled to be removed in 2025.^[13]

Choose an approved $H$ with output length $|H|$ bits. In the original DSS, $H$ was always SHA-1, but the stronger SHA-2 hash functions are approved for use in the current DSS.^[3]^[14] If $|H|$ is greater than the modulus length $N$ , only the leftmost $N$ bits of the hash output are used.

cryptographic hash function

Choose a key length $L$ . The original DSS constrained $L$ to be a multiple of 64 between 512 and 1024 inclusive. NIST 800-57 recommends lengths of 2048 (or 3072) for keys with security lifetimes extending beyond 2010 (or 2030).

[15]

Choose the modulus length $N$ such that $N<L$ and $N\leq |H|$ . FIPS 186-4 specifies $L$ and $N$ to have one of the values: (1024, 160), (2048, 224), (2048, 256), or (3072, 256).

[3]

Choose an $N$ -bit prime $q$ .

Choose an $L$ -bit prime $p$ such that $p-1$ is a multiple of $q$ .

Choose an integer $h$ randomly from $\{2\ldots p-2\}$ .

Compute $g:=h^{(p-1)/q}\mod p$ . In the rare case that $g=1$ try again with a different $h$ . Commonly $h=2$ is used. This can be computed efficiently even if the values are large.

modular exponentiation

Sensitivity[edit]

With DSA, the entropy, secrecy, and uniqueness of the random signature value $k$ are critical. It is so critical that violating any one of those three requirements can reveal the entire private key to an attacker.^[16] Using the same value twice (even while keeping $k$ secret), using a predictable value, or leaking even a few bits of $k$ in each of several signatures, is enough to reveal the private key $x$ .^[17]

This issue affects both DSA and Elliptic Curve Digital Signature Algorithm (ECDSA) – in December 2010, the group fail0verflow announced the recovery of the ECDSA private key used by Sony to sign software for the PlayStation 3 game console. The attack was made possible because Sony failed to generate a new random $k$ for each signature.^[18]

This issue can be prevented by deriving $k$ deterministically from the private key and the message hash, as described by RFC 6979. This ensures that $k$ is different for each $H(m)$ and unpredictable for attackers who do not know the private key $x$ .

In addition, malicious implementations of DSA and ECDSA can be created where $k$ is chosen in order to subliminally leak information via signatures. For example, an offline private key could be leaked from a perfect offline device that only released innocent-looking signatures.^[19]

Digital Signature Algorithm

Overview[edit]

History[edit]

cryptographic hash function

[15]

[3]

modular exponentiation

Sensitivity[edit]

Botan

Bouncy Castle

cryptlib

Crypto++

libgcrypt

Nettle

OpenSSL

wolfCrypt

GnuTLS

Modular arithmetic

RSA (cryptosystem)

ECDSA

FIPS PUB 186-4: Digital Signature Standard (DSS)

Recommendation for Key Management -- Part 1: general