NIST, Computer Security Division, Computer Security Resource Center
Digital Signatures
Approved Algorithms
Currently, there exist three (3) Approved* algorithms for generating and verifying digital signatures: DSA, RSA, and ECDSA. All three algorithms are used in conjunction with an Approved hash function.
Digital Signature Algorithm (DSA)
FIPS 186-2, Digital Signature Standard (DSS), February 2000.
FIPS 186-2 contains the complete specification of the Digital Signature Algorithm (DSA), with several examples.
On October 5, 2001 a change notice was appended to the end of FIPS 186-2. Use the link at the head of this section to access the revised document.
Multiple examples of DSA are available. These examples use the 1024-bit modulus size. Additionally, they use the original PRNGs as well as the revised versions found in Change Notice #1 of FIPS 186-2.
Note: A draft of FIPS 186-3 is under development. This draft Standard defines methods for digital signature generation that can be used for the protection of messages, and for the verification and validation of those digital signatures. Comments on the draft of FIPS 186-3 are now available. The comment period closed on June 12, 2006.
January 21, 2007: NIST received many comments when Draft FIPS 186-3 was posted for public comment during the spring of 2006 (see Note above). Several comments concerned the number of tests required for primality testing. In response, NIST surveyed the latest literature available on this topic and is providing alternatives for your consideration. Please provide comments to ebarker@nist.gov by February 23rd, 2007, inserting "Comments on FIPS 186-3 Primality Testing" in the subject line. NIST is particularly interested in comments relating to the security of the new proposal versus the values currently used in Draft FIPS 186-3.
An accompanying document to FIPS 186-3, NIST Special Publication (SP) 800-89, Recommendation for Obtaining Assurances for Digital Signature Applications specifies methods for obtaining the assurances necessary for valid digital signatures.
NIST announces the release of draft Special Publication 800-106, Randomized Hashing Digital Signatures. This Recommendation provides a technique to randomize the input messages to hash functions prior to the generation of digital signatures to strengthen security of the digital signatures. Please submit comments to quynh.dang@nist.gov with "Comments on Draft 800-106" in the subject line. The comment period closes on September 17, 2007.
December 28, 2007: NIST requests comments on revised text for FIPS 186-3 related to the generation of RSA key pairs. Please provide comments by February 1, 2008 to ebarker@nist.gov
RSA Digital Signatures
FIPS 186-2, Digital Signature Standard (DSS), February 2000.
FIPS 186-2 indicates that the RSA digital signature algorithm, as specified in ANSI X9.31, may be used for digital signature generation and verification.
NIST is proposing the extension of the transition period for the use of PKCS #1 (version 1.5 or higher) from July 2001 to December 2002.
See the Notes in DSA section regarding the new drafts.
October 20, 2006: An attack has been found on some implementations of RSA digital signatures using the padding scheme for RSASSA-PKCS1-v1_5 as specified in Public Key Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography Standard-2002. A statement discussing the attack is available. A similar attack could also be applied to implementations of digital signatures as specified in American National Standard (ANS) X9.31. Note that this attack is not on the RSA algorithm itself, but on improper implementations of the signature verification process.
ANSI X9.31-1998, Digital Signatures Using Reversible Public Key Cryptography for the Financial Services Industry, 1998 (available from the ANSI X9 catalog).
ANSI X9.31 contains the complete specification for the RSA signature algorithm.
ECDSA Digital Signature Algorithm
FIPS 186-2, Digital Signature Standard (DSS), February 2000.
FIPS 186-2 indicates that the ECDSA digital signature algorithm, as specified in ANSI X9.62, may be used for digital signature generation and verification.
See the Notes in DSA section regarding the new drafts.
ANSI X9.62-1998, Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA), 1998 (available from the ANSI X9 catalog).
ANSI X9.62 contains the complete specification for the ECDSA signature algorithm.
Elliptic curves recommended for Federal Government use can be found in Appendix 6 of FIPS 186-2. The white paper that originally specified these curves is also available: PDF Postscrpit Word
Back to TopTesting Products
Testing requirements and validation lists are available from the Cryptographic Algorithm Validation Program (CAVP).
Back to TopAdditional Information
ITL Bulletin: Digital Signature Standard, November 1994.
This bulletin provides an overview of the DSS, including some information on patents (however, it does not include information on RSA or ECDSA - only DSA).
Back to TopFuture Plans
NIST is investigating the modification of the DSA to accommodate larger key and message digest sizes, in order to make the algorithm's security commensurate with that of the future AES.
NIST also intends to adopt PKCS #1 as an approved technique for RSA digital signatures. (Currently, this is only allowed under the transition period for FIPS 186-2.)