Computer Security Resource Center

Computer Security Resource Center

Computer Security
Resource Center

Digital Signatures

Project Overview

As an electronic analogue of a written signature, a digital signature provides assurance that:

  1. the claimed signatory signed the information, and
  2. the information was not modified after signature generation.

Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved digital signature algorithms: DSA, RSA, and ECDSA. All three are used to generate and verify digital signatures, in conjunction with an approved hash function specified in FIPS 180-4, Secure Hash Standard or FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions.

Testing DSS Implementations

Testing requirements and validation lists for DSS implementations are available from the Cryptographic Algorithm Validation Program (CAVP).


Implementation-related References


History of the DSS (FIPS 186)

FIPS 186 was first published in 1994 and specified a digital signature algorithm (DSA) to generate and verify digital signatures.  Later revisions − FIPS 186-1 (1998) and FIPS 186-2 (2000) − adopted two additional algorithms: the Elliptic Curve Digital Signature Algorithm (ECDSA) and the RSA digital signature algorithm. 

FIPS 186-3 (2009) increased the key sizes allowed for DSA, provided additional requirements for the use of ECDSA and RSA, and included requirements for obtaining the assurances necessary for valid digital signatures. FIPS 186-3 also replaced the random number generator specifications included in previous versions with a reference to SP 800-90.

The latest version, FIPS 186-4 (2013), reduces restrictions on the use of random number generators and the retention and use of prime number generation seeds, and improves alignment with Public-Key Cryptography Standard (PKCS) #1.

Created January 04, 2017, Updated February 22, 2017