
Digital signature algorithm (de la cruz, genelyn).ppt 2


The Digital Signature Algorithm (DSA) is a United States Federal Government standard or FIPS for digital signatures.

It was proposed by the National Institute of Standards and Technology (NIST) in August 1991 for use in their Digital Signature Standard (DSS), specified in FIPS 186, adopted in 1993. A minor revision was issued in 1996 as FIPS 186-1. The standard was expanded further in 2000 as FIPS 186-2 and again in 2009 as FIPS 186-3.


DSA is covered by U.S. Patent 5,231,668, filed July 26, 1991, and attributed to David W. Kravitz, a former NSA employee.

This patent was given to "The United States of America as represented by the Secretary of Commerce, Washington, D.C." and the NIST has made this patent available worldwide royalty-free. Dr. Claus P. Schnorr claims that his U.S. Patent 4,995,082 (expired) covered DSA; this claim is disputed. DSA is a variant of the ElGamal Signature Scheme.


A digital signature is basically a way to ensure that an electronic document (e-mail, spreadsheet, text file, etc.) is authentic.

There are several ways to authenticate a person or information on a computer:

• Password - The use of a user name and password provides the most common form of authentication.

• Checksum - Probably one of the oldest methods of ensuring that data is correct, checksums also provide a form of authentication since an invalid checksum suggests that the data has been compromised in some fashion.


Key generation has two phases. The first phase is a choice of algorithm parameters which may be shared between different users of the system, while the second phase computes public and private keys for a single user.


Parameter generation

• Choose an approved cryptographic hash function H. In the original DSS, H was always SHA-1, but the stronger SHA-2 hash functions are approved for use in the current DSS. The hash output may be truncated to the size of a key pair.

• Decide on a key length L and N. This is the primary measure of the cryptographic strength of the key. The original DSS constrained L to be a multiple of 64 between 512 and 1024 (inclusive). NIST 800-57 recommends lengths of 2048 (or 3072) for keys with security lifetimes extending beyond 2010 (or 2030), using correspondingly longer N. FIPS 186-3 specifies L and N length pairs of (1024,160), (2048,224), (2048,256), and (3072,256).


1. p = a prime modulus, where $2^{L-1} < p < 2^{L}$ for $512 \le L \le 1024$ and L a multiple of 64

2. q = a prime divisor of p - 1, where $2^{159} < q < 2^{160}$

3. g = $h^{(p-1)/q} \bmod p$, where h is any integer with 1 < h < p - 1 such that $h^{(p-1)/q} \bmod p > 1$ (g has order q mod p)


4. x = a randomly or pseudo randomly generated integer with 0 < x < q

5. y = $g^{x} \bmod p$

6. k = a randomly or pseudo randomly generated integer with 0 < k < q

The integers p, q, and g can be public and can be common to a group of users. A user's private and public keys are x and y, respectively. They are normally fixed for a period of time. Parameters x and k are used for signature generation only, and must be kept secret. Parameter k must be regenerated for each signature.


Given a set of parameters, the second phase computes private and public keys for a single user:

• Choose x by some random method, where 0 < x < q.

• Calculate y = $g^{x} \bmod p$.

• Public key is (p, q, g, y). Private key is x.

• There exist efficient algorithms for computing the modular exponentiations $h^{(p-1)/q} \bmod p$ and $g^{x} \bmod p$, such as exponentiation by squaring.


• Choose an N-bit prime q. N must be less than or equal to the hash output length.

• Choose an L-bit prime modulus p such that p–1 is a multiple of q.

• Choose g, a number whose multiplicative order modulo p is q. This may be done by setting g = $h^{(p-1)/q} \bmod p$ for some arbitrary h (1 < h < p−1), and trying again with a different h if the result comes out as 1. Most choices of h will lead to a usable g; commonly h=2 is used.

• The algorithm parameters (p, q, g) may be shared between different users of the system.


Let H be the hashing function and m the message:

• Generate a random per-message value k where 0 < k < q

• Calculate r = $(g^{k} \bmod p) \bmod q$

• In the unlikely case that r = 0, start again with a different random k

• Calculate s = $(k^{-1}(H(m) + x \cdot r)) \bmod q$

• In the unlikely case that s = 0, start again with a different random k

• The signature is (r, s)

The first two steps amount to creating a new per-message key. The modular exponentiation here is the most computationally expensive part of the signing operation, and it may be computed before the message hash is known. The modular inverse $k^{-1} \bmod q$ is the second most expensive part, and it may also be computed before the message hash is known. It may be computed using the extended Euclidean algorithm or using Fermat's little theorem as $k^{q-2} \bmod q$.


Obtain the DSA parameters; see Getting the Digital Signature Algorithm (DSA) Parameters of a Key Pair.

    import java.math.BigInteger;
    import java.security.KeyFactory;
    import java.security.NoSuchAlgorithmException;
    import java.security.PrivateKey;
    import java.security.PublicKey;
    import java.security.spec.DSAPrivateKeySpec;
    import java.security.spec.DSAPublicKeySpec;
    import java.security.spec.InvalidKeySpecException;
    import java.security.spec.KeySpec;

    try {
        // DSA parameters (p, q, g), private key x and public key y
        BigInteger p = ...;
        BigInteger q = ...;
        BigInteger g = ...;
        BigInteger x = ...;
        BigInteger y = ...;

        // Create the DSA key factory
        KeyFactory keyFactory = KeyFactory.getInstance("DSA");

        // Create the DSA private key
        KeySpec privateKeySpec = new DSAPrivateKeySpec(x, p, q, g);
        PrivateKey privateKey = keyFactory.generatePrivate(privateKeySpec);

        // Create the DSA public key
        KeySpec publicKeySpec = new DSAPublicKeySpec(y, p, q, g);
        PublicKey publicKey = keyFactory.generatePublic(publicKeySpec);
    } catch (InvalidKeySpecException e) {
        // the supplied values do not form a valid DSA key specification
    } catch (NoSuchAlgorithmException e) {
        // no installed provider offers a "DSA" key factory
    }


• Compute r = $(g^{k} \bmod p) \bmod q$

• Compute s = $(k^{-1} \cdot (x \cdot r + i)) \bmod q$

Verifying a signature; again i is the input, and (r, s) is the signature.

• u1 = $(s^{-1} \cdot i) \bmod q$

• u2 = $(s^{-1} \cdot r) \bmod q$

• v = $((g^{u1} \cdot y^{u2}) \bmod p) \bmod q$

• If v equals r, the signature is valid.


• Reject the signature if 0 < r < q or 0 < s < q is not satisfied.

• Calculate w = $s^{-1} \bmod q$

• Calculate u1 = $H(m) \cdot w \bmod q$

• Calculate u2 = $r \cdot w \bmod q$

• Calculate v = $((g^{u1} \cdot y^{u2}) \bmod p) \bmod q$

• The signature is valid if v = r

DSA is similar to the El Gamal signature scheme.
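The parameter, key generation, signing and verification steps above, run end to end as an added example that is not part of the original slides. The toy primes p = 7879 and q = 101, the use of SHA-256 truncated to the bit length of q, and all function names are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Constructed toy parameters (far too small for real use): q prime, q | p - 1.
P, Q = 7879, 101

def make_generator(p, q):
    """Find g of order q: g = h^((p-1)/q) mod p, retrying h when g == 1."""
    for h in range(2, p - 1):
        g = pow(h, (p - 1) // q, p)
        if g > 1:
            return g
    raise ValueError("no generator found")

def hash_to_int(message, q):
    """SHA-256 digest truncated to its leftmost N bits, N = bit length of q."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - q.bit_length())

def keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1      # private key, 0 < x < q
    return x, pow(g, x, p)                # (x, y = g^x mod p)

def sign(message, p, q, g, x):
    z = hash_to_int(message, q)
    while True:
        k = secrets.randbelow(q - 1) + 1  # fresh secret k for every signature
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (z + x * r) % q
        if r != 0 and s != 0:             # otherwise start again with a new k
            return r, s

def verify(message, sig, p, q, g, y):
    r, s = sig
    if not (0 < r < q and 0 < s < q):     # reject out-of-range values first
        return False
    w = pow(s, -1, q)
    u1 = hash_to_int(message, q) * w % q
    u2 = r * w % q
    v = pow(g, u1, p) * pow(y, u2, p) % p % q
    return v == r

if __name__ == "__main__":
    g = make_generator(P, Q)
    x, y = keygen(P, Q, g)
    sig = sign(b"constructed sample message", P, Q, g, x)
    print(sig, verify(b"constructed sample message", sig, P, Q, g, y))
```
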


The signature scheme is correct in the sense that the verifier will always accept genuine signatures. This can be shown as follows:

First, if $g = h^{(p-1)/q} \bmod p$ it follows that $g^{q} \equiv h^{p-1} \equiv 1 \pmod{p}$ by Fermat's little theorem. Since $g > 1$ and $q$ is prime, $g$ must have order $q$.

The signer computes

$$s = k^{-1}(H(m) + xr) \bmod q$$

Thus

$$k \equiv H(m)s^{-1} + xrs^{-1} \equiv H(m)w + xrw \pmod{q}$$

Since $g$ has order $q$ (mod $p$) we have

$$g^{k} \equiv g^{H(m)w}\, g^{xrw} \equiv g^{H(m)w}\, y^{rw} \equiv g^{u1}\, y^{u2} \pmod{p}$$

Finally, the correctness of DSA follows from

$$r = (g^{k} \bmod p) \bmod q = (g^{u1} y^{u2} \bmod p) \bmod q = v$$


With DSA, the entropy, secrecy and uniqueness of the random signature value k is critical. It is so critical that violating any one of those three requirements can reveal your entire private key to an attacker. Using the same value twice (even while keeping k secret), using a predictable value, or leaking even a few bits of k in each of several signatures, is enough to break DSA.
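Why uniqueness of k matters, as an added example that is not part of the original slides: two signatures made with the same k share the same r, so an audit of a key's own signatures can flag the reuse and confirm whether the key must be treated as exposed. The toy values (p = 7879, q = 101, h = 2, x = 75), the record layout (z, r, s) with z the hash value, and all function names are assumptions.

```python
from collections import defaultdict

# Constructed toy values (assumptions for this example, far too small for real use).
P, Q = 7879, 101                      # q is a prime divisor of p - 1
G = pow(2, (P - 1) // Q, P)           # g = h^((p-1)/q) mod p with h = 2
X = 75                                # private key of the constructed test key
Y = pow(G, X, P)                      # public key y = g^x mod p

def sign_with_k(z, k):
    """Sign hash value z with a caller-supplied k, to model a faulty signer."""
    r = pow(G, k, P) % Q
    return z, r, pow(k, -1, Q) * (z + X * r) % Q

def find_repeated_r(records):
    """Group (z, r, s) records from one key by r; a repeated r signals reused k."""
    by_r = defaultdict(list)
    for z, r, s in records:
        by_r[r].append((z, s))
    return {r: sigs for r, sigs in by_r.items() if len(sigs) > 1}

def exposed_private_key(r, sig_a, sig_b):
    """Subtract the two signing equations to get k, then solve one for x.
    Returns x only if it matches the public key, i.e. the key is compromised."""
    (z1, s1), (z2, s2) = sig_a, sig_b
    if r == 0 or (s1 - s2) % Q == 0:
        return None                   # invalid r or identical hash: nothing to solve
    k = (z1 - z2) * pow(s1 - s2, -1, Q) % Q
    x = (s1 * k - z1) * pow(r, -1, Q) % Q
    return x if pow(G, x, P) == Y else None

def audit(records):
    """Return the set of private keys provably exposed by repeated r values."""
    return {exposed_private_key(r, sigs[0], sigs[1])
            for r, sigs in find_repeated_r(records).items()} - {None}

if __name__ == "__main__":
    # Constructed log: the first two records were signed with the same k.
    log = [sign_with_k(12, 7), sign_with_k(55, 7), sign_with_k(31, 19)]
    print(find_repeated_r(log), audit(log))
```

With parameters this small, unrelated values of k can also collide on r; the check against y in `exposed_private_key` is what separates such a collision from a real reuse.
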


Ma. Genelyn B. de la cruz

BSOA – 4B