World Library  
Flag as Inappropriate
Email this Article

Digital Signature Algorithm

Article Id: WHEBN0000059470
Reproduction Date:

Title: Digital Signature Algorithm  
Author: World Heritage Encyclopedia
Language: English
Subject: Public-key cryptography, Elliptic curve cryptography, ElGamal encryption, Pretty Good Privacy, Digital signature
Collection: Digital Signature Schemes
Publisher: World Heritage Encyclopedia

Digital Signature Algorithm

The Digital Signature Algorithm (DSA) is a Federal Information Processing Standard for digital signatures. It was proposed by the National Institute of Standards and Technology (NIST) in August 1991 for use in their Digital Signature Standard (DSS) and adopted as FIPS 186 in 1993.[1] Four revisions to the initial specification have been released: FIPS 186-1 in 1996,[2] FIPS 186-2 in 2000,[3] FIPS 186-3 in 2009,[4] and FIPS 186-4 in 2013.[5]

DSA is covered by U.S. Patent 5,231,668, filed July 26, 1991 and attributed to David W. Kravitz,[6] a former NSA employee. This patent was given to "The United States of America as represented by the Secretary of Commerce, Washington, D.C.", and NIST has made this patent available worldwide royalty-free.[7] Claus P. Schnorr claims that his U.S. Patent 4,995,082 (expired) covered DSA; this claim is disputed.[8] DSA is a variant of the ElGamal Signature Scheme


  • Key generation 1
    • Parameter generation 1.1
    • Per-user keys 1.2
  • Signing 2
  • Verifying 3
  • Correctness of the algorithm 4
  • Sensitivity 5
  • See also 6
  • References 7
  • External links 8

Key generation

Key generation has two phases. The first phase is a choice of algorithm parameters which may be shared between different users of the system, while the second phase computes public and private keys for a single user.

Parameter generation

  • Choose an approved cryptographic hash function H. In the original DSS, H was always SHA-1, but the stronger SHA-2 hash functions are approved for use in the current DSS.[5][9] The hash output may be truncated to the size of a key pair.
  • Decide on a key length L and N. This is the primary measure of the cryptographic strength of the key. The original DSS constrained L to be a multiple of 64 between 512 and 1024 (inclusive). NIST 800-57 recommends lengths of 2048 (or 3072) for keys with security lifetimes extending beyond 2010 (or 2030), using correspondingly longer N.[10] FIPS 186-3 specifies L and N length pairs of (1024,160), (2048,224), (2048,256), and (3072,256).[4]
  • Choose an N-bit prime q. N must be less than or equal to the hash output length.
  • Choose an L-bit prime modulus p such that p–1 is a multiple of q.
  • Choose g, a number whose multiplicative order modulo p is q. This may be done by setting g = h(p–1)/q mod p for some arbitrary h (1 < h < p−1), and trying again with a different h if the result comes out as 1. Most choices of h will lead to a usable g; commonly h=2 is used.

The algorithm parameters (p, q, g) may be shared between different users of the system.

Per-user keys

Given a set of parameters, the second phase computes private and public keys for a single user:

  • Choose x by some random method, where 0 < x < q.
  • Calculate y = gx mod p.
  • Public key is (p, q, g, y). Private key is x.

There exist efficient algorithms for computing the modular exponentiations h(p–1)/q mod p and gx mod p, such as exponentiation by squaring.


Let H be the hashing function and m the message:

  • Generate a random per-message value k where 0 < k < q
  • Calculate r=\left(g^{k}\bmod\,p\right)\bmod\,q
  • In the unlikely case that r=0, start again with a different random k
  • Calculate s=k^{-1}\left(H\left(m\right)+xr\right)\bmod\,q
  • In the unlikely case that s=0, start again with a different random k
  • The signature is \left(r,s\right)

The first two steps amount to creating a new per-message key. The modular exponentiation here is the most computationally expensive part of the signing operation, and it may be computed before the message hash is known. The modular inverse k^{-1}\bmod\,q is the second most expensive part, and it may also be computed before the message hash is known. It may be computed using the extended Euclidean algorithm or using Fermat's little theorem as k^{q-2}\bmod\,q.


  • Reject the signature if 0 or 0 is not satisfied.
  • Calculate w=s^{-1}\bmod\,q
  • Calculate u_{1}=H\left(m\right)\cdot w\,\bmod\,q
  • Calculate u_{2}=r\cdot w\,\bmod\,q
  • Calculate v=\left(\left(g^{u_{1}}y^{u_{2}}\right)\bmod\,p\right)\bmod\,q
  • The signature is valid if v=r

DSA is similar to the ElGamal signature scheme.

Correctness of the algorithm

The signature scheme is correct in the sense that the verifier will always accept genuine signatures. This can be shown as follows:

First, if g = h(p − 1)/q mod p it follows that gqhp − 1 ≡ 1 (mod p) by Fermat's little theorem. Since g > 1 and q is prime, g must have order q.

The signer computes



\begin{align} k & \equiv H(m)s^{-1}+xrs^{-1}\\ & \equiv H(m)w + xrw \pmod{q} \end{align}

Since g has order q (mod p) we have

\begin{align} g^k & \equiv g^{H(m)w}g^{xrw}\\ & \equiv g^{H(m)w}y^{rw}\\ & \equiv g^{u1}y^{u2} \pmod{p} \end{align}

Finally, the correctness of DSA follows from

\begin{align} r &= (g^k \bmod\,p) \bmod\,q\\ &= (g^{u1}y^{u2} \bmod\,p) \bmod\,q\\ &= v \end{align}


With DSA, the entropy, secrecy, and uniqueness of the random signature value k is critical. It is so critical that violating any one of those three requirements can reveal the entire private key to an attacker.[11] Using the same value twice (even while keeping k secret), using a predictable value, or leaking even a few bits of k in each of several signatures, is enough to break DSA.[12]

In December 2010, a group calling itself fail0verflow announced recovery of the ECDSA private key used by Sony to sign software for the PlayStation 3 game console. The attack was made possible because Sony failed to generate a new random k for each signature.[13]

This issue can be prevented by deriving k deterministically from the private key and the message hash, as described by RFC 6979. This ensures that k is different for each H(m) and unpredictable for attackers who do not know the private key x.

See also


  1. ^ FIPS PUB 186: Digital Signature Standard (DSS), 1994-05-19
  2. ^ FIPS PUB 186-1: Digital Signature Standard (DSS), 1998-12-15
  3. ^ FIPS PUB 186-2: Digital Signature Standard (DSS), 2000-01-27
  4. ^ a b FIPS PUB 186-3: Digital Signature Standard (DSS), June 2009
  5. ^ a b FIPS PUB 186-4: Digital Signature Standard (DSS), July 2013
  6. ^ Dr. David W. Kravitz
  7. ^ Werner Koch. DSA and patents
  8. ^ Minutes of the Sept. 94 meeting of the Computer System Security and Privacy Advisory Board
  9. ^ FIPS PUB 180-4: Secure Hash Standard (SHS), March 2012
  10. ^ NIST Special Publication 800-57
  11. ^ The Debian PGP disaster that almost was
  12. ^ -value RequirementskDSA
  13. ^ Bendel, Mike (2010-12-29). "Hackers Describe PS3 Security As Epic Fail, Gain Unrestricted Access". Retrieved 2011-01-05. 

External links

  • FIPS PUB 186-4: Digital Signature Standard (DSS), the fourth (and current) revision of the official DSA specification.
  • Recommendation for Key Management -- Part 1: general, NIST Special Publication 800-57, p. 62–63
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.

Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.