Movatterモバイル変換

Digital Signature Algorithm

From Wikipedia, the free encyclopedia

Digital verification standard

TheDigital Signature Algorithm (DSA) is apublic-key cryptosystem andFederal Information Processing Standard fordigital signatures, based on the mathematical concept ofmodular exponentiation and thediscrete logarithm problem. In a digital signature system, there is a keypair involved, consisting of a private and a public key. In this system a signing entity that declared their public key can generate a signature using their private key, and a verifier can assert the source if it verifies the signature correctly using the declared public key. DSA is a variant of theSchnorr andElGamal signature schemes.^[1]^: 486

TheNational Institute of Standards and Technology (NIST) proposed DSA for use in theirDigital Signature Standard (DSS) in 1991, and adopted it as FIPS 186 in 1994.^[2] Five revisions to the initial specification have been released. The newest specification is:FIPS 186-5 from February 2023.^[3] DSA is patented but NIST has made this patent available worldwide royalty-free. SpecificationFIPS 186-5 indicates DSA will no longer be approved for digital signature generation, but may be used to verify signatures generated prior to the implementation date of that standard.

Overview

[edit]

The DSA works in the framework of public-key cryptosystems and is based on the algebraic properties ofmodular exponentiation, together with thediscrete logarithm problem, which is considered to be computationally intractable. The algorithm uses a key pair consisting of a public key and a private key. The private key is used to generate a digital signature for a message, and such a signature can be verified by using the signer's corresponding public key. The digital signature providesmessage authentication (the receiver can verify the origin of the message),integrity (the receiver can verify that the message has not been modified since it was signed) andnon-repudiation (the sender cannot falsely claim that they have not signed the message).

History

[edit]

In 1982, the U.S government solicited proposals for a public key signature standard. In August 1991 theNational Institute of Standards and Technology (NIST) proposed DSA for use in their Digital Signature Standard (DSS). Initially there was significant criticism, especially fromsoftware companies that had already invested effort in developing digital signature software based on theRSA cryptosystem.^[1]^: 484 Nevertheless, NIST adopted DSA as a Federal standard (FIPS 186) in 1994. Five revisions to the initial specification have been released: FIPS 186–1 in 1998,^[4] FIPS 186–2 in 2000,^[5] FIPS 186–3 in 2009,^[6] FIPS 186–4 in 2013,^[3] and FIPS 186–5 in 2023.^[7] Standard FIPS 186-5 forbids signing with DSA, while allowing verification of signatures generated prior to the implementation date of the standard as a document. It is to be replaced by newer signature schemes such asEdDSA.^[8]

DSA is covered byU.S. patent 5,231,668, filed July 26, 1991 and now expired, and attributed to David W. Kravitz,^[9] a formerNSA employee. This patent was given to "The United States of America as represented by theSecretary of Commerce, Washington, D.C.", and NIST has made this patent available worldwide royalty-free.^[10]Claus P. Schnorr claims that hisU.S. patent 4,995,082 (also now expired) covered DSA; this claim is disputed.^[11]

In 1993, Dave Banisar managed to get confirmation, via aFOIA request, that the DSA algorithm hasn't been designed by the NIST, but by theNSA.^[12]

OpenSSH announced that DSA was going to be removed in 2025. The support was entirely dropped in version 10.0.^[13]^[14]

Operation

[edit]

The DSA algorithm involves four operations: key generation (which creates the key pair), key distribution, signing and signature verification.

1. Key generation

[edit]

Key generation has two phases. The first phase is a choice ofalgorithm parameters which may be shared between different users of the system, while the second phase computes a single key pair for one user.

Parameter generation

[edit]

Choose an approvedcryptographic hash function $H {\displaystyle H}$ with output length $|H|$ bits. In the original DSS, $H {\displaystyle H}$ was alwaysSHA-1, but the strongerSHA-2 hash functions are approved for use in the current DSS.^[3]^[15] If $|H|$ is greater than the modulus length $N {\displaystyle N}$ , only the leftmost $N {\displaystyle N}$ bits of the hash output are used.
Choose a key length $L {\displaystyle L}$ . The original DSS constrained $L {\displaystyle L}$ to be a multiple of 64 between 512 and 1024 inclusive. NIST 800-57 recommends lengths of 2048 (or 3072) for keys with security lifetimes extending beyond 2010 (or 2030).^[16]
Choose the modulus length $N {\displaystyle N}$ such that $N<L$ and $N\leq |H|$ . FIPS 186-4 specifies $L {\displaystyle L}$ and $N {\displaystyle N}$ to have one of the values: (1024, 160), (2048, 224), (2048, 256), or (3072, 256).^[3]
Choose an $N {\displaystyle N}$ -bit prime $q {\displaystyle q}$ .
Choose an $L {\displaystyle L}$ -bit prime $p {\displaystyle p}$ such that $p-1$ is a multiple of $q {\displaystyle q}$ .
Choose an integer $h {\displaystyle h}$ randomly from $\{2\ldots p-2\}$ .
Compute $g:=h^{(p-1)/q}\mod p$ . In the rare case that $g=1$ try again with a different $h {\displaystyle h}$ . Commonly $h=2$ is used. Thismodular exponentiation can be computed efficiently even if the values are large.

The algorithm parameters are ( $p {\displaystyle p}$ , $q {\displaystyle q}$ , $g {\displaystyle g}$ ). These may be shared between different users of the system.

Per-user keys

[edit]

Given a set of parameters, the second phase computes the key pair for a single user:

Choose an integer $x {\displaystyle x}$ randomly from $\{1\ldots q-1\}$ .
Compute $y:=g^{x}\mod p$ .

$x {\displaystyle x}$ is the private key and $y {\displaystyle y}$ is the public key.

2. Key distribution

[edit]

The signer should publish the public key $y {\displaystyle y}$ . That is, they should send the key to the receiver via a reliable, but not necessarily secret, mechanism. The signer should keep the private key $x {\displaystyle x}$ secret.

3. Signing

[edit]

A message $m {\displaystyle m}$ is signed as follows:

Choose an integer $k {\displaystyle k}$ randomly from $\{1\ldots q-1\}$
Compute $r:=\left(g^{k}{\bmod {\,}}p\right){\bmod {\,}}q$ . In the unlikely case that $r=0$ , start again with a different random $k {\displaystyle k}$ .
Compute $s:=\left(k^{-1}\left(H(m)+xr\right)\right){\bmod {\,}}q$ . In the unlikely case that $s=0$ , start again with a different random $k {\displaystyle k}$ .

The signature is $\left(r,s\right)$

The calculation of $k {\displaystyle k}$ and $r {\displaystyle r}$ amounts to creating a new per-message key. The modular exponentiation in computing $r {\displaystyle r}$ is the most computationally expensive part of the signing operation, but it may be computed before the message is known.Calculating the modular inverse $k^{-1}{\bmod {\,}}q$ is the second most expensive part, and it may also be computed before the message is known. It may be computed using theextended Euclidean algorithm or usingFermat's little theorem as $k^{q-2}{\bmod {\,}}q$ .

4. Signature Verification

[edit]

One can verify that a signature $\left(r,s\right)$ is a valid signature for a message $m {\displaystyle m}$ as follows:

Verify that $0<r<q$ and $0<s<q$ .
Compute $w:=s^{-1}{\bmod {\,}}q$ .
Compute $u_{1}:=H(m)\cdot w\,{\bmod {\,}}q$ .
Compute $u_{2}:=r\cdot w\,{\bmod {\,}}q$ .
Compute $v:=\left(g^{u_{1}}y^{u_{2}}{\bmod {\,}}p\right){\bmod {\,}}q$ .
The signature is valid if and only if $v=r$ .

Correctness of the algorithm

[edit]

The signature scheme is correct in the sense that the verifier will always accept genuine signatures. This can be shown as follows:

First, since ${\textstyle g=h^{(p-1)/q}~{\text{mod}}~p}$ , it follows that ${\textstyle g^{q}\equiv h^{p-1}\equiv 1\mod p}$ byFermat's little theorem. Since $g>0$ and $q {\displaystyle q}$ is prime, $g {\displaystyle g}$ must have order $q {\displaystyle q}$ .

The signer computes

s=k^{-1}(H(m)+xr){\bmod {\,}}q

Thus

{\begin{aligned}k&\equiv H(m)s^{-1}+xrs^{-1}\\&\equiv H(m)w+xrw{\pmod {q}}\end{aligned}}

Since $g {\displaystyle g}$ has order $q {\displaystyle q}$ we have

{\begin{aligned}g^{k}&\equiv g^{H(m)w}g^{xrw}\\&\equiv g^{H(m)w}y^{rw}\\&\equiv g^{u_{1}}y^{u_{2}}{\pmod {p}}\end{aligned}}

Finally, the correctness of DSA follows from

{\begin{aligned}r&=(g^{k}{\bmod {\,}}p){\bmod {\,}}q\\&=(g^{u_{1}}y^{u_{2}}{\bmod {\,}}p){\bmod {\,}}q\\&=v\end{aligned}}

Sensitivity

[edit]

With DSA, the entropy, secrecy, and uniqueness of the random signature value $k {\displaystyle k}$ are critical. It is so critical that violating any one of those three requirements can reveal the entire private key to an attacker.^[17] Using the same value twice (even while keeping $k {\displaystyle k}$ secret), using a predictable value, or leaking even a few bits of $k {\displaystyle k}$ in each of several signatures, is enough to reveal the private key $x {\displaystyle x}$ .^[18]

This issue affects both DSA and Elliptic Curve Digital Signature Algorithm (ECDSA) – in December 2010, the groupfail0verflow announced the recovery of theECDSA private key used bySony to sign software for thePlayStation 3 game console. The attack was made possible because Sony failed to generate a new random $k {\displaystyle k}$ for each signature.^[19]

This issue can be prevented by deriving $k {\displaystyle k}$ deterministically from the private key and the message hash, as described byRFC 6979. This ensures that $k {\displaystyle k}$ is different for each $H(m)$ and unpredictable for attackers who do not know the private key $x {\displaystyle x}$ .

In addition, malicious implementations of DSA and ECDSA can be created where $k {\displaystyle k}$ is chosen in order tosubliminally leak information via signatures. For example, anoffline private key could be leaked from a perfect offline device that only released innocent-looking signatures.^[20]

Implementations

[edit]

This sectiondoes notcite anysources. Please helpimprove this section byadding citations to reliable sources. Unsourced material may be challenged andremoved.(June 2024) (Learn how and when to remove this message)

Below is a list of cryptographic libraries that provide support for DSA:

References

[edit]

^^a ^bSchneier, Bruce (1996).Applied Cryptography. Wiley.ISBN 0-471-11709-9.
^"FIPS PUB 186: Digital Signature Standard (DSS), 1994-05-19".qcsrc.nist.gov. Archived fromthe original on 2013-12-13.
^^a ^b ^c ^d"FIPS PUB 186-4: Digital Signature Standard (DSS), July 2013"(PDF).csrc.nist.gov.
^"FIPS PUB 186-1: Digital Signature Standard (DSS), 1998-12-15"(PDF).csrc.nist.gov. Archived fromthe original(PDF) on 2013-12-26.
^"FIPS PUB 186-2: Digital Signature Standard (DSS), 2000-01-27"(PDF).csrc.nist.gov.
^"FIPS PUB 186-3: Digital Signature Standard (DSS), June 2009"(PDF).csrc.nist.gov.
^"FIPS PUB 186-5: Digital Signature Standard (DSS), February 2023"(PDF).csrc.nist.gov.
^"Digital Signature Standard (DSS)". U.S. Department of Commerce. 31 October 2019. Retrieved21 July 2020.
^Dr. David W. Kravitz Archived January 9, 2013, at theWayback Machine
^Werner Koch."DSA and patents"
^"1994 Annual Report of CSSPAB". 26 August 2009. Archived fromthe original on 26 August 2009.
^Neumann, Peter G. (2020-02-29)."The RISKS Digest Volume 14 Issue 59". Archived from the original on 2020-02-29. Retrieved2023-10-03.{{cite web}}: CS1 maint: bot: original URL status unknown (link)
^"OpenSSH announces DSA-removal timeline [LWN.net]".lwn.net. Retrieved11 January 2024.
^"OpenSSH version 10.0. release notes". Retrieved21 April 2025.
^"FIPS PUB 180-4: Secure Hash Standard (SHS), March 2012"(PDF).csrc.nist.gov.
^"NIST Special Publication 800-57"(PDF).csrc.nist.gov. Archived fromthe original(PDF) on 2014-06-06.
^"The Debian PGP disaster that almost was".root labs rdist. 18 May 2009.
^DSA $k {\displaystyle k}$ -value Requirements
^Bendel, Mike (2010-12-29)."Hackers Describe PS3 Security As Epic Fail, Gain Unrestricted Access". Exophase.com. Retrieved2011-01-05.
^Verbücheln, Stephan (2 January 2015). "How Perfect Offline Wallets Can Still Leak Bitcoin Private Keys".arXiv:1501.00447 [cs.CR].

External links

[edit]

FIPS PUB 186-4: Digital Signature Standard (DSS), the fourth (and current) revision of the official DSA specification.
Recommendation for Key Management -- Part 1: general, NIST Special Publication 800-57, p. 62–63

Public-key cryptography

Algorithms

Integer factorization	Benaloh Blum–Goldwasser Cayley–Purser Damgård–Jurik GMR Goldwasser–Micali Naccache–Stern Paillier Rabin RSA Okamoto–Uchiyama Schmidt–Samoa
Discrete logarithm	BLS Cramer–Shoup DH DSA ECDH X25519 X448 ECDSA EdDSA Ed25519 Ed448 ECMQV EKE ElGamal signature scheme MQV Schnorr SPEKE SRP STS
Lattice/SVP/CVP/LWE/SIS	BLISS Kyber NewHope NTRUEncrypt NTRUSign RLWE-KEX RLWE-SIG
Others	AE CEILIDH EPOC HFE IES Lamport McEliece Merkle–Hellman Naccache–Stern knapsack cryptosystem Three-pass protocol XTR SQIsign SPHINCS⁺

Theory

Standardization

Topics

v t e Cryptography
General	History of cryptography Outline of cryptography Classical cipher Cryptographic protocol Authentication protocol Cryptographic primitive Cryptanalysis Cryptocurrency Cryptosystem Cryptographic nonce Cryptovirology Hash function Cryptographic hash function Key derivation function Secure Hash Algorithms Digital signature Kleptography Key (cryptography) Key exchange Key generator Key schedule Key stretching Keygen Machines Ransomware Random number generation Cryptographically secure pseudorandom number generator (CSPRNG) Pseudorandom noise (PRN) Secure channel Insecure channel Subliminal channel Encryption Decryption End-to-end encryption Harvest now, decrypt later Information-theoretic security Plaintext Codetext Ciphertext Shared secret Trapdoor function Trusted timestamping Key-based routing Onion routing Garlic routing Kademlia Mix network
Mathematics	Cryptographic hash function Block cipher Stream cipher Symmetric-key algorithm Authenticated encryption Public-key cryptography Quantum key distribution Quantum cryptography Post-quantum cryptography Message authentication code Random numbers Steganography
Category