2.  The Digital Signature Algorithm (DSA) is a
United States Federal Government standard or FIPS
for digital signatures.
 It was proposed by the
National Institute of Standards and Technology
(NIST) in August 1991 for use in their Digital
Signature Standard (DSS), specified in FIPS 186,
adopted in 1993. A minor revision was issued in 1996
as FIPS 186-1. The standard was expanded further in
2000 as FIPS 186-2 and again in 2009 as FIPS 186-3.

3.  DSA is covered by U.S. Patent 5,231,668, filed July
26, 1991, and attributed to David W. Kravitz, a
former NSA employee.
 This patent was given to "The United States of
America as represented by the Secretary of
Commerce, Washington, D.C." and the NIST has
made this patent available worldwide royalty-free.
Dr. Claus P. Schnorr claims that his
U.S. Patent 4,995,082 (expired) covered DSA; this
claim is disputed. DSA is a variant of the
ElGamal Signature Scheme.

4.  A digital signature is basically a way to ensure that an
electronic document (e-mail, spreadsheet, text file,
etc.) is authentic.
 There are several ways to authenticate a person or
information on a computer:
• Password - The use of a user name and password
provide the most common form of authentication.
• Checksum - Probably one of the oldest methods of
ensuring that data is correct, checksums also provide
a form of authentication since an invalid checksum
suggests that the data has been compromised in some
fashion.

5.  Key generation has two phases. The first phase
is a choice of algorithm parameters which
may be shared between different users of the
system, while the second phase computes
public and private keys for a single user.

6.  Parameter generation
 Choose an approved cryptographic hash function H. In the
original DSS, H was always SHA-1, but the stronger SHA-2
hash functions are approved for use in the current DSS. The
hash output may be truncated to the size of a key pair.
 Decide on a key length L and N. This is the primary measure
of the cryptographic strength of the key. The original DSS
constrainedL to be a multiple of 64 between 512 and 1024
(inclusive). NIST 800-57 recommends lengths of 2048 (or
3072) for keys with security lifetimes extending beyond 2010
(or 2030), using correspondingly longer N. FIPS 186-
3 specifies L and N length pairs of (1024,160), (2048,224),
(2048,256), and (3072,256).

7.  1. p = a prime modulus, where 2L-1 < p < 2L for 512 = <
L = <1024 and L a multiple of 64
2. q = a prime divisor of p - 1, where 2159 < q < 2160
3. g = h(p-1)/q mod p, where h is any integer with 1 < h <
p - 1 such that h(p-1)/q mod p > 1
(g has order q mod p)

8. 4. x = a randomly or pseudo randomly generated
integer with 0 < x < q
5. y = gx mod p
6. k = a randomly or pseudo randomly generated
integer with 0 < k < q
The integers p, q, and g can be public and can be
common to a group of users. A user's private and public
keys are x and y, respectively. They are normally fixed
for a period of time. Parameters x and k are used for
signature generation only, and must be kept secret.
Parameter k must be regenerated for each signature.

9.  Given a set of parameters, the second phase computes
private and public keys for a single user:
 Choose x by some random method, where 0 < x < q.
 Calculate y = gx mod p.
 Public key is (p, q, g, y). Private key is x.
 There exist efficient algorithms for computing
the modular exponentiations h (p–
1)/q mod p and gx mod p, such as exponentiation by
squaring.

10.  Choose an N-bit prime q. N must be less than or equal
to the hash output length.
 Choose an L-bit prime modulus p such that p–1 is a
multiple of q.
 Choose g, a number whose multiplicative order
modulo p is q. This may be done by setting g = h(p–
1)/q mod p for some arbitrary h (1 < h < p−1), and
trying again with a different h if the result comes out
as 1. Most choices of h will lead to a usable g;
commonly h=2 is used.
 The algorithm parameters (p, q, g) may be shared
between different users of the system.

12.  Let H be the hashing function and m the message:
 Generate a random per-message value k where 0 < k < q
 Calculate r = (gk mod p) mod q
 In the unlikely case that r = 0, start again with a different random k
 Calculate s = (k−1(H(m) + x·r)) mod q
 In the unlikely case that s = 0, start again with a different random k
 The signature is (r, s)
 The first two steps amount to creating a new per-message key. The
modular exponentiation here is the most computationally expensive
part of the signing operation, and it may be computed before the
message hash is known. The modular inverse k−1 mod q is the
second most expensive part, and it may also be computed before the
message hash is known. It may be computed using the extended
Euclidean algorithm or using Fermat's little theorem as kq−2 mod q.

13.  Obtain the DSA parameters; see Getting the
Obtain the DSA parameters; see
Digital Signature Algorithm (DSA) Parameters of
a Key Pair BigInteger p = ...; BigInteger q = ...;
BigInteger p = ; BigInteger q =
BigInteger g = ...; BigInteger x = ...; BigInteger y
BigInteger g = ; BigInteger x =
= ...;
=
 Create the DSA key factory KeyFactory
keyFactory = KeyFactory.getInstance("DSA");

14.  Create the DSA private key KeySpec
privateKeySpec = new DSAPrivateKeySpec(x, p,
q, g); PrivateKey privateKey =
keyFactory.generatePrivate(privateKeySpec);
 Create the DSA public key KeySpec
publicKeySpec = new DSAPublicKeySpec(y, p,
q, g); PublicKey publicKey = keyFactory.
generatePublic(publicKeySpec); } catch
(InvalidKeySpecException e) { } catch
(NoSuchAlgorithmException e) { }

15.  Compute r=(gk mod p) mod q
 Compute s=(k-1 * (x * r + i)) mod q
 Verifying a signature; again i is the input, and
(r, s) is the signature.
 u1 = (s-1 * i) mod q
 u2 = (s-1 * r) mod q v = ((gu1 * yu2) mod p)
mod q
 If v equals r, the signature is valid.

16.  Reject the signature if 0 < r < q or 0 < s < q is not
satisfied.
 Calculate w = s−1 mod q
 Calculate u1 = H(m)·w mod q
 Calculate u2 = r·w mod q
 Calculate v = ((gu1·yu2) mod p) mod q
 The signature is valid if v = r
 DSA is similar to the El Gamal signature scheme.

17.  The signature scheme is
correct in the sense that the  Since g has order q (mod p) we
verifier will always accept have
genuine signatures. This can  gk = gH (m)w gxrw
be shown as follows:
= gH (m)w yrw
 First, if g = h(p − 1)/q mod p it
follows that gq ≡ hp − 1 ≡ 1 = gu1 yu2 (mod p)
(mod p) by Fermat's little
theorem. Since g > 1 and q is  Finally, the correctness of
prime, g must have order q. DSA follows from
 The signer computes  r = (gk mod p) mod q
 s = k-1 (H (m) + xr) mod q
= (gu1 yu2 mod p)
 Thus mod q
 k = H (m) s-1 + xrs-1 = v
= H (m) w +xrw (mod q)

18.  With DSA, the entropy, secrecy and
uniqueness of the random signature value k is
critical. It is so critical that violating any one
of those three requirements can reveal your
entire private key to an attacker. Using the
same value twice (even while
keeping k secret), using a predictable value, or
leaking even a few bits of k in each of several
signatures, is enough to break DSA.

19. Ma. Genelyn B. de la
cruz
BSOA – 4B