29 December 1998

Source:
http://csrc.nist.gov/fips/fips1861.pdf
(175K)

See Federal Register announcement: http://jya.com/nist121598.htm

FIPS PUB 186-1

FEDERAL INFORMATION

PROCESSING STANDARDS PUBLICATION

1998 December 15

U.S. DEPARTMENT OF COMMERCE/National Institute of Standards and Technology

CATEGORY: COMPUTER SECURITY

U.S. DEPARTMENT OF COMMERCE, William M. Daley, Secretary

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY,

Raymond G. Kammer, Director

**Foreword**

The Federal Information Processing Standards Publication Series of the National Institute of Standards and Technology (NIST) is the official series of publications relating to standards and guidelines adopted and promulgated under the provisions of Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106), and the Computer Security Act of 1987 (Public Law 100-235). These mandates have given the Secretary of Commerce and NIST important responsibilities for improving the utilization and management of computer and related telecommunications systems in the Federal Government. The NIST, through its Information Technology Laboratory, provides leadership, technical guidance, and coordination of Government efforts in the development of standards and guidelines in these areas.

Comments concerning Federal Information Processing Standards Publications are welcomed and should be addressed to the Director, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899.

Shukri Wakid, Director

Information Technology Laboratory

**Abstract**

This standard specifies a suite of algorithms which can be used to generate a digital signature. Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature in proving to a third party that the signature was in fact generated by the signatory. This is known as nonrepudiation since the signatory cannot, at a later time, repudiate the signature.

Key words: ADP security, computer security, digital signatures, public-key cryptography, Federal Information Processing Standard.

FIPS PUB 186-1

**Federal Information
Processing Standards Publication 186-1 **

**1998 December 15**

** Announcing the **

**Digital Signature Standard (DSS) **

Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National Institute of Standards and Technology (NIST) after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106), and the Computer Security Act of 1987 (Public Law 100-235).

**Name of Standard:** Digital Signature Standard (DSS).

**Category of Standard:** Computer Security, Cryptography.

**Explanation:** This Standard specifies algorithms appropriate for
applications requiring a digital, rather than written, signature. A digital
signature is represented in a computer as a string of binary digits. A digital
signature is computed using a set of rules and a set of parameters such that
the identity of the signatory and integrity of the data can be verified.
An algorithm provides the capability to generate and verify signatures. Signature
generation makes use of a private key to generate a digital signature. Signature
verification makes use of a public key which corresponds to, but is not the
same as, the private key. Each user possesses a private and public pair.
Public keys are assumed to be known to the public in general. Private keys
are never shared. Anyone can verify the signature of a user by employing
that user's public key. Signature generation can be performed only by the
possessor of the user's private key.

A hash function is used in the signature generation process to obtain a condensed
version of data, called a message digest (see Figure 1). The message digest
is then input to the digital signature (ds) algorithm to generate the digital
signature. The digital signature is set to the intended verifier along with
the signed data (often called the message). The verifier of the message and
signature verifies the signature by using the sender's public key. The same
hash function must also be used in the verification process. The hash function
is specified in a separate standard, the Secure Hash Standard (SHS), FIPS
180-1. FIPS approved ds algorithms must be implemented with the SHS. Similar
procedures may be used to generate and verify signatures for stored as well
as transmitted data.

*[Figure 1]*

**Approving Authority:** Secretary of Commerce.

**Maintenance Agency:** U.S. Department of Commerce, National Institute
of Standards and Technology (NIST), Information Technology Laboratory (ITL).

**Applicability:** This standards is applicable to all Federal departments
and agencies for the protection of sensitive unclassified information that
is not subject to section 2315 of Title 10, United States Code, or section
3502(2) of Title 44, United States Code. This standard shall be used in designing
and implementing public-key based signature systems which Federal departments
and agencies operate or which are operated for them under contract. Adoption
and use of this standard is available to private and commercial organizations.

**Applications:** A digital signature (ds) algorithm authenticates the
integrity of the signed data and the identity of the signatory. A ds algorithm
may also be used in proving to a third party that data was actually signed
by the generator of the signature. A ds algorithm is intended for use in
electronic mail, electronic funds transfer, electronic data interchange,
software distribution, data storage, and other applications which require
data integrity assurance and data origin authentication. The technique specified
in ANSI X9.31 may be used in addition to the Digital Signature Algorithm
(DSA) specified herein.

**Implementations:** A ds algorithm may be implemented in software, firmware,
hardware, or any combination thereof. NIST is developing a validation program
to test implementations for conformance to this standard. Currently, conformance
tests for ANSI X9.31 have not been developed. These tests will be developed
and made available in the future. Information about the planned validation
program can be obtained from the National Institute of Standards and Technology,
Information Technology Laboratory, Attn: DSS Validation, 100 Bureau Drive
Stop 8930, Gaithersburg, MD 20899-8930.

Agencies are advised that separate keys should be used for signature and confidentiality purposes when using the X9.31 standard. This is because the RSA algorithm can be used for both data encryption and digital signature purposes.

**Export Control:** Implementations of this standard are subject to Federal
Government export controls as specified in Title 15, Code of Federal Regulations,
Parts 768 through 799. Exporters are advised to contact the Department of
Commerce, Bureau of Export Administration for more information.

**Patents:** The algorithms in this standard may be covered by U.S. or
foreign patents.

**Implementation Schedule:** This standard becomes effective December
15, 1998.

**Specifications:** Federal Information Processing Standard (FIPS) 186-1
Digital Signature Standard (affixed).

**Cross Index:**

a. FIPS PUB 46-2, Data Encryption Standard.b. FIPS PUB 73, Guidelines for Security of Computer Applications.

c. FIPS PUB 140-1, Security Requirements for Cryptographic Modules.

d. FIPS PUB 171, Key Management Using ANSI X9.17.

e. FIPS PUB 180-1, Secure Hash Standard.

**Qualifications:** The security of a digital signature system is dependent
on maintaining the secrecy of users' private keys. Users must therefore guard
against the unauthorized acquisition of their private keys. While it is the
intent of this standard to specify general security requirements for generating
digital signatures, conformance to this standard does not assure that a
particular implementation is secure. The responsible authority in each agency
or department shall assure that an overall implementation provides an acceptable
level of security. This standard will be reviewed every five years in order
to assess its adequacy.

**Waiver Procedure:** Under certain exceptional circumstances, the heads
of Federal departments and agencies may approve waivers to Federal Information
Processing Standards (FIPS). The head of such agency may redelegate such
authority only to a senior official designated pursuant to section 3506(b)
of Title 44, United States Code. Waiver shall be granted only when:

a. Compliance with a standard would adversely affect the accomplishment of the mission of an operator of a Federal computer system; orb. Cause a major adverse financial impact on the operator which is not offset by Government wide savings.

Agency heads may act upon a written waiver request containing the information detailed above. Agency heads may also act without a written waiver request when they determine that conditions for meeting the standard cannot be met. Agency heads may approve waivers only by a written decision which explains the basis on which the agency head made with required finding(s). A copy of each such decision, with procurement sensitive or classified portions clearly identified, shall be sent to: National Institute of Standards and Technology; ATTN: FIPS Waiver Decisions, 100 Bureau Drive Stop 8970, Gaithersburg, MD 20899- 8970.

In addition, notice of each waiver granted and each delegation of authority to approve waivers shall be sent promptly to the Committee on Government Operations of the House of Representatives and the Committee on Governmental Affairs of the Senate and shall be published promptly in the Federal Register.

When the determination on a waiver applies to the procurement of equipment and/or services, a notice of the waiver determination must be published in the Commerce Business Daily as a part of the notice of solicitation for offers of an acquisition or, if the waiver determination is made after that notice is published, by amendment to such notice.

A copy of the waiver, any supporting documents, the document approving the waiver and any supporting and accompanying documents, with such deletions as the agency is authorized and decides to make under 5 U.S.C. Sec. 552(b), shall be part of the procurement documentation and retained by the agency.

**Where to Obtain Copies of the Standard:** Copies of this publication
are for sale by the National Technical Information
Service, U.S. Department of Commerce, Springfield, VA 22161. When ordering,
refer to Federal Information Processing Standards Publication 186-1
(FIPSPUB186-1), and identify the title. When microfiche is desired, this
should be specified. Prices are published by NTIS in current catalogs and
other issuances. Payment may be made by check, money order, deposit account
or charged to a credit card accepted by NTIS.

**Federal Information
Processing Standards Publication 186-1**

**1998 December 15**

**Specifications for the**

**DIGITAL SIGNATURE STANDARD (DSS)**

**1. INTRODUCTION**

This publication prescribes two algorithms suitable for digital signature
(ds) generation and verification. The first algorithm, the Digital Signature
Algorithm (DSA), is described in sections 4 - 6 and appendices 1 - 5. The
second algorithm, the RSA ds algorithm, is discussed in section 7.

**2. GENERAL**

When a message is received, the recipient may desire to verify that the message has not been altered in transit. Furthermore, the recipient may wish to be certain of the originator's identity. Both of these services can be provided by a ds algorithm. A digital signature is an electronic analogue of a written signature in that the digital signature can be used in proving to the recipient or a third party that the message was, in fact, signed by the originator. Digital signatures may also be generated for stored data and programs so that the integrity of the data and programs may be verified at any later time.

This publication prescribes two algorithms suitable for digital signature
generation and verification.

**3. USE OF A DIGITAL SIGNATURE (ds) ALGORITHM**

A ds algorithm is used by a *signatory* to generate a digital signature
on data and by a *verifier* to verify the authenticity of the signature.
Each signatory has a public and private key. The private key is used in the
signature generation process and the public key is used in the signature
verification process. For both signature generation and verification, the
data which is referred to as a message, M, is reduced by means of the Secure
Hash Algorithm (SHA-1) specified in FIPS 180-1. An adversary, who does not
know the private key of the signatory, cannot generate the correct signature
of the signatory. In other words, signatures cannot be forged. However, by
using the signatory's public key, anyone can verify a correctly signed message.
A means of associating public and private key pairs to the corresponding
users is required. That is, there must be a binding of a user's identity
and the user's public key. This binding may be certified by a mutually trusted
party. For example, a certifying authority could sign credentials containing
a user's public key and identity to form a certificate. Systems for certifying
credentials and distributing certificates are beyond the scope of this standard.
NIST intends to publish separate document(s) on certifying credentials and
distributing certificates.

**4. DSA PARAMETERS**

The DSA makes use of the following parameters:

1. p = a prime modulus, where 2^{L-1}< p < 2^{L}for 512<L<1024 and L a multiple of 642. q = a prime divisor of p - 1, where 2

^{159}< q < 2^{160}3. g = h

^{(p-1)/q}mod p, where h is any integer with 1 < h < p - 1 such that h^{(p-1)/q}mod p > 1 (g has order q mod p)4. x = a randomly or pseudorandomly generated integer with 0 < x < q

5. y = g

^{x}mod p6. k = a randomly or pseudorandomly generated integer with 0 < k < q

The integers p, q, and g can be public and can be common to a group of users. A user's private and public keys are x and y, respectively. They are normally fixed for a period of time. Parameters x and k are used for signature generation only, and must be kept secret. Parameter k must be regenerated for each signature.

Parameters p and q shall be generated as specified in Appendix 2, or using
other FIPS approved security methods. Parameters x and k shall be generated
as specified in Appendix 3, or using other FIPS approved security methods.

**5. DSA SIGNATURE GENERATION**

The signature of a message M is the pair of numbers r and s computed according to the equations below:

r = (g^{k}mod p) mod q ands = (k

^{-1}(SHA-1(M) + xr)) mod q.

In the above, k^{-1} is the multiplicative inverse of k, mod q; i.e.,
(k^{-1} k) mod q = 1 and 0 < k^{-1} < q. The value
of SHA-1(M) is a 160-bit string output by the Secure Hash Algorithm specified
in FIPS 180-1. For use in computing s, this string must be converted to an
integer. The conversion rule is given in Appendix 2.2.

As an option, one may wish to check if r = 0 or s = 0. If either r = 0 or s = 0, a new value of k should be generated and the signature should be recalculated (it is extremely unlikely that r = 0 or s = 0 if signatures are generated properly).

The signature is transmitted along with the message to the verifier.

**6. DSA SIGNATURE VERIFICATION**

Prior to verifying the signature in a signed message, p, q and g plus the sender's public key and identity are made available to the verifier in an authenticated manner.

Let M', r', and s' be the received versions of M, r, and s, respectively, and let y be the public key of the signatory. To verify the signature, the verifier first checks to see that 0 < r' < q and 0 < s' < q; if either condition is violated the signature shall be rejected. If these two conditions are satisfied, the verifier computes

w = (s')^{-1}mod qu1 = ((SHA-1(M'))w) mod q

u2 = ((r')w) mod q

v = (((g)

^{u1}(y)^{u2}) mod p) mod q.

If v = r', then the signature is verified and the verifier can have high confidence that the received message was sent by the party holding the secret key x corresponding to y. For a proof that v = r' when M' = M, r' = r, and s' = s, see Appendix 1.

If v does not equal r', then the message may have been modified, the message
may have been incorrectly signed by the signatory, or the message may have
been signed by an impostor. The message should be considered invalid.

**7. RSA DIGITAL SIGNATURE ALGORITHM**

The RSA ds algorithm is a FIPS approved cryptographic algorithm for digital signature generation and verification. This is described in ANSI X9.31.

**APPENDIX 1. A PROOF THAT v = r' IN THE DSA**

This appendix is for informational purposes only and is not required to meet the standard.

The purpose of this appendix is to show that in the DSA, if M' = M, r' = r and s' = s in the signature verification then v = r'. We need the following easy result.

__LEMMA__. Let p and q be primes so that q divides p - 1, h a positive
integer less than p, and g = h^{(p-1)/q} mod p. Then g q mod p =
1, and if m mod q = n mod q, then g^{m} mod p = g^{n} mod
p.

Proof: We have

g^{q}mod p = (h^{(p-1)/q}mod p)q mod p= h^{(p-1)}mod p= 1

by Fermat's Little Theorem. Now let m mod q = n mod q, i.e., m = n + kq for some integer k. Then

g^{m}mod p = g^{n+kq}mod p= (g^{n}g^{kq}) mod p= ((g

^{n}mod p) (g^{q}mod p)^{k}) mod p= g

^{n}mod p

since g^{q} mod p = 1. **¤**

We are now ready to prove the main result.

__THEOREM__. If M' = M, r' = r, and s' = s in the signature verification,
then v = r'.

Proof: We have

w = (s')^{-1}mod q = s^{-1}mod qu1 = ((SHA-1(M'))w) mod q = ((SHA-1(M))w) mod q

u2 = ((r')w) mod q = (rw) mod q.

Now y = g^{x} mod p, so that by the lemma,

v = ((g^{u1}y^{u2}) mod p) mod q= ((gSHA-1^{(M)w}y^{rw}) mod p) mod q= ((gSHA-1

^{(M)w}g^{xrw}) mod p) mod q= ((g ( SHA-1

^{(M)+xr)w}) mod p) mod q.

Also

s = (k^{-1}(SHA-1(M) + xr)) mod q.

Hence

w = (k(SHA-1(M) + xr)^{-1}) mod q(SHA-1(M) + xr)w mod q = k mod q.

Thus by the lemma,

v = (g^{k}mod p) mod q= r= r'.

¤

**APPENDIX 2. GENERATION OF PRIMES FOR THE DSA**

This appendix includes algorithms for generating the primes p and q used in the DSA. These algorithms require a random number generator (see Appendix 3), and an efficient modular exponentiation algorithm. Generation of p and q shall be performed as specified in this appendix, or using other FIPS approved security methods.

**2.1. A PROBABILISTIC PRIMALITY TEST**

In order to generate the primes p and q, a primality test is required.

There are several fast probabilistic algorithms available. The following
algorithm is a simplified version of a procedure due to M.O. Rabin, based
in part on ideas of Gary L. Miller. [See Knuth, *The Art of Computer
Programming*, Vol. 2, Addison-Wesley, 1981, Algorithm P, page 379.] If
this algorithm is iterated n times, it will produce a false prime with
probability no greater than 1/4^{n}.

Therefore, n __>__ 50 will give an acceptable probability of error.
To test whether an integer is prime:

Step 1. Set i = 1 and n>50.Step 2. Set w = the integer to be tested, w = 1 + 2

^{a}m, where m is odd and 2^{a}is the largest power of 2 dividing w - 1.Step 3. Generate a random integer b in the range 1 < b < w.

Step 4. Set j = 0 and z = b

^{m}mod w.Step 5. If j = 0 and z = 1, or if z = w - 1, go to step 9.

Step 6. If j > 0 and z = 1, go to step 8.

Step 7. j = j + 1. If j < a, set z = z

^{2}mod w and go to step 5.Step 8. w is not prime. Stop.

Step 9. If i < n, set i = i + 1 and go to step 3. Otherwise, w is probably prime.

The DSA requires two primes, p and q, satisfying the following three conditions:

a. 2^{159}< q < 2^{160}b. 2

^{L-1}< p < 2^{L}for a specified L, where L = 512 + 64j for some 0<j<8c. q divides p - 1.

This prime generation scheme starts by using the SHA-1 and a user supplied
SEED to construct a prime, q, in the range 2^{159} < q <
2^{160}. Once this is accomplished, the same SEED value is used to
construct an X in the range 2^{L-1} < X < 2^{L}. The
prime, p, is then formed by rounding X to a number congruent to 1 mod 2q
as described below.

An integer x in the range 0 __<__ x < 2^{g} may be converted
to a g-long sequence of bits by using its binary expansion as shown below:

x = x_{1}*2^{g-1}+ x_{2}*2^{g-2}+ ... + x_{g-1}*2 + x_{g}-> { x_{1},...,x_{g}}.

Conversely, a g-long sequence of bits { x_{1},...,x_{g} }
is converted to an integer by the rule

{ x_{1},...,x_{g}} -> x_{1}*2^{g-1}+ x_{2}*2^{g-2}+ ... + x_{g-1}*2 + x_{g}.

Note that the first bit of a sequence corresponds to the most significant bit of the corresponding integer and the last bit to the least significant bit.

Let L - 1 = n*160 + b, where both b and n are integers and 0 __<__
b < 160.

Step 1. Choose an arbitrary sequence of at least 160 bits and call it SEED. Let g be the length of SEED in bits.Step 2. Compute

U = SHA-1[SEED] XOR SHA-1[(SEED+1) mod 2^{g}].Step 3. Form q from U by setting the most significant bit (the 2

^{159}bit) and the least significant bit to 1. In terms of boolean operations, q = U OR 2^{159}OR 1. Note that 2^{159}< q < 2^{160}.Step 4. Use a robust primality testing algorithm to test whether q is prime

^{1}.Step 5. If q is not prime, go to step 1.

Step 6. Let counter = 0 and offset = 2.

Step 7. For k = 0,...,n let

V_{k}= SHA-1[(SEED + offset + k) mod 2^{g}].

Step 8. Let W be the integerW = V_{0}+ V_{1}*2^{160}+ ... + V_{n-1}*2^{(n-1)*160}+ (V_{n}mod 2^{b}) * 2^{n*160}and let X = W + 2

^{L-1}. Note that 0<W < 2^{L-1}and hence 2^{L-1}<X < 2 L .Step 9. Let c = X mod 2q and set p = X - (c - 1). Note that p is congruent to 1 mod 2q.

Step 10. If p < 2

^{L-1}, then go to step 13.Step 11. Perform a robust primality test on p.

Step 12. If p passes the test performed in step 11, go to step 15.

Step 13. Let counter = counter + 1 and offset = offset + n + 1.

Step 14. If counter

>2^{12}= 4096 go to step 1, otherwise (i.e. if counter < 4096) go to step 7.Step 15. Save the value of SEED and the value of counter for use in certifying the proper generation of p and q.

___________________

^{1}A robust primality test is one where the probability of a non-prime number passing the test is at most 2^{-80}.

**APPENDIX 3. RANDOM NUMBER GENERATION FOR THE DSA**

Any implementation of the DSA requires the ability to generate random or pseudorandom integers. Such numbers are used to derive a user's private key, x, and a user's per message secret number, k. These randomly or pseudorandomly generated integers are selected to be between 0 and the 160-bit prime q (as specified in the standard). They shall be generated by the techniques given in this appendix, or using other FIPS approved security methods.

One FIPS approved pseudorandom integer generator is supplied in Appendix C of ANSI X9.17, "Financial Institution Key Management (Wholesale)."

Other pseudorandom integer generators are given in this appendix. These permit generation of pseudorandom values of x and k for use in the DSA. The algorithm in section 3.1 may be used to generate values for x. An algorithm for k and r is given in section 3.2. The latter algorithm allows most of the signature computation to be precomputed without knowledge of the message to be signed.

The algorithms employ a one-way function G(t,c), where t is 160 bits, c is
b bits (160 __<__ b __<__ 512) and G(t,c) is 160 bits. One way
to construct G is via the Secure Hash Algorithm (SHA-1), as defined in the
Secure Hash Standard (SHS). The 160-bit message digest output of the SHA-1
algorithm when message M is input is denoted by SHA-1(M). A second method
for constructing G is to use the Data Encryption Standard (DES). The construction
of G by these techniques is discussed in sections 3.3 and 3.4 of this appendix.

In the algorithms in sections 3.1 and 3.2, a secret b-bit seed-key is used. The algorithm in section 3.1 optionally allows the use of a user provided input. If G is constructed via the SHA-1 as defined in section 3.3, then b is between 160 and 512. If DES is used to construct G as defined in section 3.4, then b is equal to 160.

**3.1. ALGORITHM FOR COMPUTING m VALUES OF x**

Let x be the signer's private key. The following may be used to generate m values of x:

Step 1. Choose a new, secret value for the seed-key, XKEY.Step 2. In hexadecimal notation let

t =67452301 EFCDAB89 98BADCFE 10325476 C3D2E1F0.This is the initial value for H_{0}|| H_{1}|| H_{2}|| H_{3}|| H_{4}in the SHS.Step 3. For j = 0 to m - 1 do

a. XSEED_{j}= optional user input.b. XVAL = (XKEY + XSEEDj) mod 2

^{b}.c. x

_{j}= G(t,XVAL) mod q.d. XKEY = (1 + XKEY + x

_{j}) mod 2^{b}.

**3.2. ALGORITHM FOR PRECOMPUTING ONE OR MORE k AND r VALUES**

This algorithm can be used to precompute k, k^{-1} , and r for m
messages at a time. Note that implementation of the DSA with precomputation
may be covered by U.S. and foreign patents.

Algorithm:

Step 1. Choose a secret initial value for the seed-key, KKEY.Step 2. In hexadecimal notation let

t =EFCDAB89 98BADCFE 10325476 C3D2E1F0 67452301.This is a cyclic shift of the initial value for H_{0}|| H_{1}|| H_{2}|| H_{3}|| H_{4}in the SHS.Step 3. For j = 0 to m - 1 do

a. k = G(t,KKEY) mod q.b. Compute k

_{j-1}= k^{-1}mod q.c. Compute r

_{j}= (g^{k}mod p) mod q.d. KKEY = (1 + KKEY + k) mod 2

^{b}.Step 4. Suppose M

_{0}, ... , M_{m-1}are the next m messages. For j = 0 to m - 1 doa. Let h = SHA-1(M_{j}).b. Let s

_{j}= (k_{j-1}(h + xr_{j})) mod q.c. The signature for M

_{j}is (r_{j},s_{j}).Step 5. Let t = h.

Step 6. Go to step 3.

Step 3 permits precomputation of the quantities needed to sign the next m messages. Step 4 can begin whenever the first of these m messages is ready. The execution of step 4 can be suspended whenever the next of the m messages is not ready. As soon as steps 4 and 5 have completed, step 3 can be executed, and the results saved until the first member of the next group of m messages is ready.

In addition to space for KKEY, two arrays of length m are needed to store
r_{0} , ... r_{m-1} and k_{0-1} , ...
, k_{m-1-1} when they are computed in step 3. Storage
for s_{0} , ... , s_{m-1} is only needed if the signatures
for a group of messages are stored; otherwise s_{j} in step 4 can
be replaced by s and a single space allocated.

**3.3. CONSTRUCTING THE FUNCTION G FROM THE SHA-1**

G(t,c) may be constructed using steps (a) - (e) in section 7 of the
Specifications for the Secure Hash Standard. Before executing these steps,
{H_{j}} and M_{1} must be initialized as follows:

i. Initialize the {H_{j}} by dividing the 160 bit value t into five 32-bit segments as follows:t = t_{0}|| t_{1}|| t_{2}|| t_{3}|| t_{4}Then H_{j}= t_{j }for j = 0 through 4.ii. There will be only one message block, M

_{1}, which is initialized as follows:M_{1}= c || 0^{512-b}(The first b bits of M_{1}contain c, and the remaining (512-b) bits are set to zero).

Then steps (a) through (e) of section 7 are executed, and G(t,c) is the 160 bit string represented by the five words:

H_{0}|| H_{1}|| H_{2}|| H_{3}|| H_{4}

at the end of step (e).

**3.4. CONSTRUCTING THE FUNCTION G FROM THE DES**

Let a XOR b denote the bitwise exclusive-or of bit strings a and b. Suppose a1, a2, b1, b2 are 32-bit strings. Let b1' be the 24 least significant bits of b1. Let K = b1' || b2 and A = a1 || a2. Define

DES_{b1,b2}(a1,a2) = DESK(A)

In the above, DESK(A) represents ordinary DES encryption of the 64-bit block A using the 56-bit key K. Now suppose t and c are each 160 bits. To compute G(t,c):

Step 1. Writet = t_{1}|| t_{2}|| t_{3}|| t_{4}|| t_{5}c = c_{1}|| c_{2}|| c_{3}|| c_{4}|| c_{5}In the above, each t_{i}and c_{i}is 32 bits.Step 2. For i = 1 to 5 do

x_{i}= t_{i}XOR c_{i}Step 3. For i = 1 to 5 do

b1 = c_{((i+3) mod 5) + 1}b2 = c

_{((i+2) mod 5) + 1}a1 = x

_{i}a2 = x

_{(i mod 5) + 1}XOR x_{((i+3) mod 5) + 1}y

_{i,1 || yi,2}= DES_{b1,b2}(a1,a2) (y_{i,1}, y_{i,2}= 32 bits)Step 4. For i = 1 to 5 do

z_{i}= y_{i,1}XOR y_{((i+1) mod 5)+1,2}XOR y_{((i+2) mod 5)+1,1}Step 5. Let

G(t,c) = z_{1}|| z_{2}|| z_{3}|| z_{4}|| z_{5}

**APPENDIX 4. GENERATION OF OTHER QUANTITIES FOR THE
DSA**

This appendix is for informational purposes only and is not required to meet the standard.

The algorithms given in this appendix may be used to generate the quantities
g, k^{-1} , and s^{-1} used in the DSA.

To generate g:

Step 1. Generate p and q as specified in Appendix 2.Step 2. Let e = (p - 1)/q.

Step 3. Set h = any integer, where 1 < h < p - 1 and h differs from any value previously tried.

Step 4. Set g = h

^{e}mod p.Step 5. If g = 1, go to step 3.

To compute the multiplicative inverse n^{-1} mod q for n with 0 <
n < q, where 0 < n^{-1} < q:

Step 1. Set i = q, h = n, v = 0, and d = 1.Step 2. Let t = i DIV h, where DIV is defined as integer division.

Step 3. Set x = h.

Step 4. Set h = i - tx.

Step 5. Set i = x.

Step 6. Set x = d.

Step 7. Set d = v - tx.

Step 8. Set v = x.

Step 9. If h > 0, go to step 2.

Step 10. Let n

^{-1}= v mod q.

Note that in step 10, v may be negative. The v mod q operation should yield a value between 1 and q - 1 inclusive.

**APPENDIX 5. EXAMPLE OF THE DSA**

This appendix is for informational purposes only and is not required to meet the standard. Let L = 512 (size of p). The values in this example are expressed in hexadecimal notation. The p and q given here were generated by the prime generation standard described in appendix 2 using the 160-bit SEED:

d5014e4b 60ef2ba8 b6211b40 62ba3224 e0427dd3

With this SEED, the algorithm found p and q when the counter was at 105. x was generated by the algorithm described in appendix 3, section 3.1, using the SHA-1 to construct G (as in appendix 3,

section 3.3) and a 160-bit XKEY:

XKEY =

bd029bbe 7f51960b cf9edb2b 61f06f0f eb5a38b6

t =

67452301 EFCDAB89 98BADCFE 10325476 C3D2E1F0

x = G(t,XKEY) mod q

k was generated by the algorithm described in appendix 3, section 3.2, using the SHA-1 to construct

G (as in appendix 3, section 3.3) and a 160-bit KKEY:

KKEY =

687a66d9 0648f993 867e121f 4ddf9ddb 01205584

t =

EFCDAB89 98BADCFE 10325476 C3D2E1F0 67452301

k = G(t,KKEY) mod q

=============

**Finally:**

h = 2

p =

8df2a494 492276aa 3d25759b b06869cb eac0d83a fb8d0cf7 cbb8324f 0d7882e5 d0762fc5 b7210eaf c2e9adac 32ab7aac 49693dfb f83724c2 ec0736ee 31c80291

q =

c773218c 737ec8ee 993b4f2d ed30f48e dace915f

g =

626d0278 39ea0a13 413163a5 5b4cb500 299d5522 956cefcb 3bff10f3 99ce2c2e 71cb9de5 fa24babf 58e5b795 21925c9c c42e9f6f 464b088c c572af53 e6d78802

x =

2070b322 3dba372f de1c0ffc 7b2e3b49 8b260614

k =

358dad57 1462710f 50e254cf 1a376b2b deaadfbf

k^{-1} =

0d516729 8202e49b 4116ac10 4fc3f415 ae52f917

M = ASCII form of "abc" (See FIPS PUB 180-1, Appendix A)

(SHA-1)(M) =

a9993e36 4706816a ba3e2571 7850c26c 9cd0d89d

y =

19131871 d75b1612 a819f29d 78d1b0d7 346f7aa7 7bb62a85 9bfd6c56 75da9d21 2d3a36ef 1672ef66 0b8c7c25 5cc0ec74 858fba33 f44c0669 9630a76b 030ee333

r =

8bac1ab6 6410435c b7181f95 b16ab97c 92b341c0

s =

41e2345f 1f56df24 58f426d1 55b4ba2d b6dcd8c8

w =

9df4ece5 826be95f ed406d41 b43edc0b 1c18841b

u1 =

bf655bd0 46f0b35e c791b004 804afcbb 8ef7d69d

u2 =

821a9263 12e97ade abcc8d08 2b527897 8a2df4b0

g^{u1} mod p =

51b1bf86 7888e5f3 af6fb476 9dd016bc fe667a65 aafc2753 9063bd3d 2b138b4c e02cc0c0 2ec62bb6 7306c63e 4db95bbf 6f96662a 1987a21b e4ec1071 010b6069

y^{u2} mod p =

8b510071 2957e950 50d6b8fd 376a668e 4b0d633c 1e46e665 5c611a72 e2b28483 be52c74d 4b30de61 a668966e dc307a67 c19441f4 22bf3c34 08aeba1f 0a4dbec7

v =

8bac1ab6 6410435c b7181f95 b16ab97c 92b341c0

*[End]*

Conversion to HTML by JYA/Urban Deadline.

Please send errata to jy@jya.com.