Professional Documents
Culture Documents
DSS - Digital Signature Standard and DSA Algorithm
DSS - Digital Signature Standard and DSA Algorithm
Michael Pace
In this paper I will discuss the Digital Signature Standard (DSS) and the DSA algorithm. This
standard will have will have a great effect on all of our federal agencies because they are
required to use this standard when transmitting information that is not declassified. This
standard is also available to the private sector and commercial organizations. The DSS is
necessary to make sure that our governments’ communications are secure. The standard ensures
that these federal agencies that may have not had a secure algorithm to transmit data will now
have such a means to make sure communications are secure.
Digital signatures are essential in today’s modern world to verify the sender of a
The signature is computer using a set of rules and parameters (algorithm) such that the identity of
the person signing the document as well as the originality of the data can be verified. The
signature is generated by the use of a private key. A private key is known only to the user. The
signature is verified makes use of a public key which corresponds to (but not the same, i.e.
mathematically infeasible to deduct private key from public) the private key. With every user
having a public/private key pair, this is an example of public-key cryptography. Public keys,
which are known by everyone, can be used to verify the signature of a user. The private key,
which is never shared, is used in signature generation, which can only be done by the user.
2
Digital signatures are used to detect unauthorized modifications to data. Also, the
recipient of a digitally signed document in proving to a third party that the document was indeed
signed by the person who it is claimed to be signed by. This is known as nonrepudiation,
because the person who signed the document cannot repudiate the signature at a later time.
Digital signature algorithms can be used in e-mails, electronic funds transfer, electronic data
interchange, software distribution, data storage, and just about any application that would need to
There are three algorithms that are suitable for digital signature generation under the DSS
standard. They are the Digital Signature Algorithm (DSA, which I will talk about more in depth
later), the RSA algorithm, and the Elliptic Curve Digital Signature Algorithm (ECDSA). Also in
this standard is a hash function to be used in the signature generation process. It is used to obtain
a condensed version of the data, which is called a message digest. This message digest is then
put into the digital signature algorithm to generate the digitally signed message. The same hash
function is used in the verification process as well. The hash function used in the DSS standard
is specified in the Secure Hash Standard (SHS), which are the specifications for the Secure Hash
Algorithm (SHA). The SHA is based on principles similar to those used by Professor Ronald L.
Rivest of MIT when designing the MD4 message digest algorithm and is closely modeled after
that algorithm. When a message of any length < 2 64 bits is input, the SHA produces a 160-bit
output (message digest). Signing the message digest rather than the message often improves the
efficiency of the process because the message digest is usually much smaller in size than the
message.
2
3
DSA Parameters:
p = a prime modulus, where 2L-1 < p < 2L for 512 ≤ L ≤ 1024 and L is a multiple of 64. So
L will be one member of the set {512, 576, 640, 704, 768, 832, 896, 960, 1024}
The prime generation scheme starts by using the SHA and a user supplied SEED to construct a
prime, q, in the range 2159 < q < 2160 . Once this is accomplished, the same SEED value is used to
construct an X in the range 2L-1 < X < 2L . The prime, p, is then formed by rounding X to a
number congruent to 1 mod 2q as described below. An integer x in the range 0 ≤ x < 2 g may be
converted to a g-long sequence of bits by using its binary expansion as shown below:
Note that the first bit of a sequence corresponds to the most significant bit of the corresponding
Let L -1 = n* 160 + b, where both b and n are integers and 0 ≤ b < 160.
Step 1. Choose an arbitrary sequence of at least 160 bits and call it SEED. Let g be the length
of SEED in bits.
3
4
Step 2. Compute
Step 3. Form q from U by setting the most significant bit (the 2159 bit) and the least significant
bit to 1. In terms of Boolean operations, q = U OR 2159 OR 1. Note that 2159 < q < 2160 .
1 A robust primality test is one where the probability of a non-prime number passing the test is at
most 2-80
W = V0 + V1* 2160 + ... + Vn-1* 2(n-1)* 160 + (Vn mod 2b ) * 2n* 160
and let X = W + 2L-1 . Note that 0 ≤ W < 2L-1 and hence 2L-1 ≤ X < 2L .
Step 9. Let c = X mod 2q and set p = X -(c -1). Note that p is congruent to 1 mod 2q.
Step 12. If p passes the test performed in step 11, go to step 15.
Step 14. If counter ≥ 212 = 4096 go to step 1, otherwise (i. e. if counter < 4096) go to step 7.
Step 15. Save the value of SEED and the value of counter for use in certifying the proper
generation of p and q.
4
5
g = h(p-1)/ q mod p, where h is any integer with 1 < h < p -1 such that h (p-1)/ q mod p > 1
y = gx mod p
The parameters p, q, and g are made public. The users will have the private key, x, and the
public key y. The parameters x and k are used for signature generation and must be kept private
and k will be randomly or pseudorandomly generated for each signature. This part seems to be
straightforward so far.
The signature of the message M will be a pair of the numbers r and s which will be computed
k-1 is the multiplicative inverse of k (mod q). The value of SHA(M) is a 160-bit string which is
converted into an integer according to the SHS standard. Then the signature is sent to the
verifier.
Verification:
Before getting the digitally signed message the receiver must know the parameters p, q,
5
6
We will let M′, r′, s′ be the received versions of M, r, and s. To verify the signature the verifying
program must check to see that 0 < r′ < q and 0 < s′ < q and if either fails the signature should be
w = (s′)-1 mod q
u1 = ((SHA(M′))w) mod q
u2 = ((r′)w) mod q
Then if v = r′ then the signature is valid and if not then it can be assumed that the data may have
Bibliography
http://www.itl.nist.gov/fipspubs/fip186.htm
http://home.pacbell.net/tpanero/crypto/dsa.html
2.cs.cmu.edu/afs/cs/academic/class/15827-f98/www/Slides/lecture2/base.024.html