Digital Signature Algorithm - Revision history

imported>Folkezoft: /* Implementations */ Tag non-HTML Bare URLs using AutoWikiBrowser

2025-12-17T08:47:00Z

Implementations: Tag non-HTML Bare URLs using AutoWikiBrowser

← Previous revision		Revision as of 08:47, 17 December 2025
Line 12:		Line 12:
	DSA is covered by {{US patent\|5231668}}, filed July 26, 1991 and now expired, and attributed to David W. Kravitz,<ref>[http://www.certicom.com/index.php/dr-david-kravitz Dr. David W. Kravitz] {{webarchive \|url= https://web.archive.org/web/20130109092551/http://www.certicom.com/index.php/dr-david-kravitz \|date= January 9, 2013 }}</ref> a former [[National Security Agency\|NSA]] employee. This patent was given to "The United States of America as represented by the [[United States Secretary of Commerce\|Secretary of Commerce]], Washington, D.C.", and NIST has made this patent available worldwide royalty-free.<ref>Werner Koch. [https://lists.gnupg.org/pipermail/gnupg-devel/1997-December/014123.html "DSA and patents"]</ref> [[Claus P. Schnorr]] claims that his {{US patent\|4995082}} (also now expired) covered DSA; this claim is disputed.<ref>{{cite web\|url=http://csrc.nist.gov/groups/SMA/ispab/documents/94-rpt.txt\|archive-url=https://web.archive.org/web/20090826042831/http://csrc.nist.gov/groups/SMA/ispab/documents/94-rpt.txt\|url-status=dead\|archive-date=26 August 2009\|date=26 August 2009\|title=1994 Annual Report of CSSPAB}}</ref>		DSA is covered by {{US patent\|5231668}}, filed July 26, 1991 and now expired, and attributed to David W. Kravitz,<ref>[http://www.certicom.com/index.php/dr-david-kravitz Dr. David W. Kravitz] {{webarchive \|url= https://web.archive.org/web/20130109092551/http://www.certicom.com/index.php/dr-david-kravitz \|date= January 9, 2013 }}</ref> a former [[National Security Agency\|NSA]] employee. This patent was given to "The United States of America as represented by the [[United States Secretary of Commerce\|Secretary of Commerce]], Washington, D.C.", and NIST has made this patent available worldwide royalty-free.<ref>Werner Koch. [https://lists.gnupg.org/pipermail/gnupg-devel/1997-December/014123.html "DSA and patents"]</ref> [[Claus P. Schnorr]] claims that his {{US patent\|4995082}} (also now expired) covered DSA; this claim is disputed.<ref>{{cite web\|url=http://csrc.nist.gov/groups/SMA/ispab/documents/94-rpt.txt\|archive-url=https://web.archive.org/web/20090826042831/http://csrc.nist.gov/groups/SMA/ispab/documents/94-rpt.txt\|url-status=dead\|archive-date=26 August 2009\|date=26 August 2009\|title=1994 Annual Report of CSSPAB}}</ref>

	In 1993, Dave Banisar managed to get confirmation, via a [[Freedom of Information Act (United States)\|FOIA]] request, that the DSA algorithm hasn't been designed by the NIST, but by the NSA.<ref>{{Cite web \|date=2020-02-29 \|title=The RISKS Digest Volume 14 Issue 59 \|volume=14 \|issue=59 \|url=https://catless.ncl.ac.uk/Risks/14/59 \|access-date=2023-10-03 \|archive-date=2020-02-29 \|archive-url=https://web.archive.org/web/20200229145033/https://catless.ncl.ac.uk/Risks/14/59 \|url-status=bot: unknown \|last1=Neumann \|first1=Peter G. }}</ref>		In 1993, Dave Banisar managed to get confirmation, via a [[Freedom of Information Act (United States)\|FOIA]] request, that the DSA algorithm hasn't been designed by the NIST, but by the [[National Security Agency\|NSA]].<ref>{{Cite web \|date=2020-02-29 \|title=The RISKS Digest Volume 14 Issue 59 \|volume=14 \|issue=59 \|url=https://catless.ncl.ac.uk/Risks/14/59 \|access-date=2023-10-03 \|archive-date=2020-02-29 \|archive-url=https://web.archive.org/web/20200229145033/https://catless.ncl.ac.uk/Risks/14/59 \|url-status=bot: unknown \|last1=Neumann \|first1=Peter G. }}</ref>

	[[OpenSSH]] announced that DSA was going to be removed in 2025. The support was entirely dropped in version 10.0.<ref>{{cite web \|title=OpenSSH announces DSA-removal timeline [LWN.net] \|url=https://lwn.net/Articles/958048/ \|website=lwn.net \|access-date=11 January 2024}}</ref><ref>{{cite web \|title=OpenSSH version 10.0. release notes \|url=https://www.openssh.com/txt/release-10.0 \|access-date=21 April 2025}}</ref>		[[OpenSSH]] announced that DSA was going to be removed in 2025. The support was entirely dropped in version 10.0.<ref>{{cite web \|title=OpenSSH announces DSA-removal timeline [LWN.net] \|url=https://lwn.net/Articles/958048/ \|website=lwn.net \|access-date=11 January 2024}}</ref><ref>{{cite web \|title=OpenSSH version 10.0. release notes \|url=https://www.openssh.com/txt/release-10.0 \|access-date=21 April 2025}}</ref>
Line 106:		Line 106:

	== Implementations ==		== Implementations ==
	~~{{Unreferenced section\|date=June 2024}}~~		Below is a non-exhaustive list of cryptographic libraries that provide support for DSA:
	Below is a list of cryptographic libraries that provide support for DSA:		* [[Botan (programming library)\|Botan]]<ref>{{Cite web \|title=Public Key Cryptography — Botan \|url=https://botan.randombit.net/handbook/api_ref/pubkey.html \|access-date=2025-12-15 \|website=botan.randombit.net}}</ref>
	* [[Botan (programming library)\|Botan]]		* [[Bouncy Castle (cryptography)\|Bouncy Castle]]<ref>{{Cite web \|title=Bouncy Castle Releases Java 1.81 and C# .NET 2.6.1 \|url=https://www.bouncycastle.org/resources/bouncy-castle-releases-java-1-81-and-c-net-2-6-1/ \|access-date=2025-12-15 \|website=Bouncycastle \|language=en-US}}</ref>
	* [[Bouncy Castle (cryptography)\|Bouncy Castle]]		* [[cryptlib]]<ref>https://cryptlib.com/downloads/manual.pdf {{Bare URL PDF\|date=December 2025}}</ref>
	* [[cryptlib]]		* [[Crypto++]]<ref>{{Cite web \|title=Digital Signature Algorithm - Crypto++ Wiki \|url=https://www.cryptopp.com/wiki/Digital_Signature_Algorithm#:~:text=Digital%20Signature%20Algorithm%20(DSA)%20is,in%20a%20multiple%20of%20PRIME_LENGTH_MULTIPLE%20. \|access-date=2025-12-15 \|website=www.cryptopp.com}}</ref>
	* [[Crypto++]]		* [[libgcrypt]]<ref>{{Cite web \|title=Cryptographic Functions (The Libgcrypt Reference Manual) \|url=https://www.gnupg.org/documentation/manuals/gcrypt/Cryptographic-Functions.html#:~:text=Libgcrypt%20supports%20digital%20signatures%20using,hash%20hash-algo%20block%20)) \|access-date=2025-12-15 \|website=www.gnupg.org}}</ref>
	* [[libgcrypt]]		* [[Nettle (cryptographic library)\|Nettle]]<ref>{{Cite web \|title=Nettle: a low-level cryptographic library \|url=https://www.lysator.liu.se/~nisse/nettle/nettle.html#DSA \|access-date=2025-12-15 \|website=www.lysator.liu.se}}</ref>
	* [[Nettle (cryptographic library)\|Nettle]]		* [[OpenSSL]]<ref>{{Cite web \|title=dsa - OpenSSL Documentation \|url=https://docs.openssl.org/1.0.2/man3/dsa/ \|access-date=2025-12-15 \|website=docs.openssl.org}}</ref>
	* [[OpenSSL]]		* [[wolfCrypt]]<ref>{{Cite web \|title=wolfSSL User Manual {{!}} Chapter 10: wolfCrypt Usage Reference {{!}} Docs \|url=https://wolfssl.jp/docs-3/wolfssl-manual/ch10/ \|access-date=2025-12-15 \|website=wolfSSL \|language=ja}}</ref>
	* [[wolfCrypt]]		* [[GnuTLS]]<ref>{{Cite web \|title=Public key algorithms (GnuTLS 3.8.10) \|url=https://www.gnutls.org/manual/html_node/Public-key-algorithms.html#:~:text=1%20Key%20generation.%20All%20supported%20key%20types,Ed25519,%20Ed448)%20can%20be%20generated%20with%20GnuTLS. \|access-date=2025-12-15 \|website=www.gnutls.org}}</ref>
	* [[GnuTLS]]

	==See also==		==See also==

imported>ClueBot NG: Reverting possible vandalism by Kennedylaurynlucy to version by Felix755. Report False Positive? Thanks, ClueBot NG. (4425228) (Bot)

2025-09-25T12:50:41Z

Reverting possible vandalism by Kennedylaurynlucy to version by Felix755. Report False Positive? Thanks, ClueBot NG. (4425228) (Bot)

← Previous revision	Revision as of 12:50, 25 September 2025
(No difference)

imported>Felix755: typo: remove unnecessary 'is'

2025-05-28T09:42:08Z

typo: remove unnecessary 'is'

New page

{{Short description|Digital verification standard}}
The '''Digital Signature Algorithm''' ('''DSA''') is a [[Public-key cryptography|public-key cryptosystem]] and [[Federal Information Processing Standards|Federal Information Processing Standard]] for [[digital signature]]s, based on the mathematical concept of [[modular exponentiation]] and the [[Discrete logarithm|discrete logarithm problem]]. In a digital signature system, there is a keypair involved, consisting of a private and a public key. In this system a signing entity that declared their public key can generate a signature using their private key, and a verifier can assert the source if it verifies the signature correctly using the declared public key. DSA is a variant of the [[Schnorr signature|Schnorr]] and [[ElGamal signature scheme|ElGamal]] signature schemes.<ref name="schneier">{{cite book|last=Schneier|first=Bruce|date=1996|title=Applied Cryptography|publisher=Wiley |url=https://archive.org/details/Applied_Cryptography_2nd_ed._B._Schneier|isbn=0-471-11709-9}}</ref>{{rp|486}}

The [[National Institute of Standards and Technology]] (NIST) proposed DSA for use in their [[Digital Signature Standard]] (DSS) in 1991, and adopted it as FIPS 186 in 1994.<ref name="FIPS-186">{{cite web|url= http://www.itl.nist.gov/fipspubs/fip186.htm |title= FIPS PUB 186: Digital Signature Standard (DSS), 1994-05-19|website= qcsrc.nist.gov|url-status= dead|archive-url= https://web.archive.org/web/20131213131144/http://www.itl.nist.gov/fipspubs/fip186.htm|archive-date= 2013-12-13}}</ref> Five revisions to the initial specification have been released. The newest specification is: [https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf FIPS 186-5] from February 2023.<ref name="FIPS-186-4" /> DSA is patented but NIST has made this patent available worldwide royalty-free. Specification [https://doi.org/10.6028/NIST.FIPS.186-5 FIPS 186-5] indicates DSA will no longer be approved for digital signature generation, but may be used to verify signatures generated prior to the implementation date of that standard.

==Overview==
The DSA works in the framework of public-key cryptosystems and is based on the algebraic properties of [[modular exponentiation]], together with the [[Discrete logarithm#Cryptography|discrete logarithm problem]], which is considered to be computationally intractable. The algorithm uses a key pair consisting of a public key and a private key. The private key is used to generate a digital signature for a message, and such a signature can be verified by using the signer's corresponding public key. The digital signature provides [[message authentication]] (the receiver can verify the origin of the message), [[Data integrity|integrity]] (the receiver can verify that the message has not been modified since it was signed) and [[non-repudiation]] (the sender cannot falsely claim that they have not signed the message).

==History==
In 1982, the U.S government solicited proposals for a public key signature standard. In August 1991 the [[National Institute of Standards and Technology]] (NIST) proposed DSA for use in their Digital Signature Standard (DSS). Initially there was significant criticism, especially from [[software]] companies that had already invested effort in developing digital signature software based on the [[RSA cryptosystem]].<ref name="schneier"/>{{rp|484}} Nevertheless, NIST adopted DSA as a Federal standard (FIPS 186) in 1994. Five revisions to the initial specification have been released: FIPS 186–1 in 1998,<ref name="FIPS-186-1">{{cite web|url= http://csrc.nist.gov/publications/fips/fips1861.pdf|title= FIPS PUB 186-1: Digital Signature Standard (DSS), 1998-12-15|website= csrc.nist.gov|url-status= dead|archive-url= https://web.archive.org/web/20131226115544/http://csrc.nist.gov/publications/fips/fips1861.pdf|archive-date= 2013-12-26}}</ref> FIPS 186–2 in 2000,<ref name="FIPS-186-2">{{cite web|url= http://csrc.nist.gov/publications/fips/archive/fips186-2/fips186-2.pdf|title= FIPS PUB 186-2: Digital Signature Standard (DSS), 2000-01-27|website= csrc.nist.gov}}</ref> FIPS 186–3 in 2009,<ref name="FIPS-186-3">{{cite web|url= http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf|title= FIPS PUB 186-3: Digital Signature Standard (DSS), June 2009|website= csrc.nist.gov}}</ref> FIPS 186–4 in 2013,<ref name="FIPS-186-4">{{cite web|url= http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf|title= FIPS PUB 186-4: Digital Signature Standard (DSS), July 2013|website= csrc.nist.gov}}</ref> and FIPS 186–5 in 2023.<ref name="FIPS-186-5">{{cite web|url= https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf|title= FIPS PUB 186-5: Digital Signature Standard (DSS), February 2023|website= csrc.nist.gov}}</ref> Standard FIPS 186-5 forbids signing with DSA, while allowing verification of signatures generated prior to the implementation date of the standard as a document. It is to be replaced by newer signature schemes such as [[EdDSA]].<ref>{{cite web |title=Digital Signature Standard (DSS) |url=https://csrc.nist.gov/publications/detail/fips/186/5/draft |publisher=U.S. Department of Commerce |access-date=21 July 2020 |language=en |date=31 October 2019}}</ref>

DSA is covered by {{US patent|5231668}}, filed July 26, 1991 and now expired, and attributed to David W. Kravitz,<ref>[http://www.certicom.com/index.php/dr-david-kravitz Dr. David W. Kravitz] {{webarchive |url= https://web.archive.org/web/20130109092551/http://www.certicom.com/index.php/dr-david-kravitz |date= January 9, 2013 }}</ref> a former [[National Security Agency|NSA]] employee. This patent was given to "The United States of America as represented by the [[United States Secretary of Commerce|Secretary of Commerce]], Washington, D.C.", and NIST has made this patent available worldwide royalty-free.<ref>Werner Koch. [https://lists.gnupg.org/pipermail/gnupg-devel/1997-December/014123.html "DSA and patents"]</ref> [[Claus P. Schnorr]] claims that his {{US patent|4995082}} (also now expired) covered DSA; this claim is disputed.<ref>{{cite web|url=http://csrc.nist.gov/groups/SMA/ispab/documents/94-rpt.txt|archive-url=https://web.archive.org/web/20090826042831/http://csrc.nist.gov/groups/SMA/ispab/documents/94-rpt.txt|url-status=dead|archive-date=26 August 2009|date=26 August 2009|title=1994 Annual Report of CSSPAB}}</ref>

In 1993, Dave Banisar managed to get confirmation, via a [[Freedom of Information Act (United States)|FOIA]] request, that the DSA algorithm hasn't been designed by the NIST, but by the NSA.<ref>{{Cite web |date=2020-02-29 |title=The RISKS Digest Volume 14 Issue 59 |volume=14 |issue=59 |url=https://catless.ncl.ac.uk/Risks/14/59 |access-date=2023-10-03 |archive-date=2020-02-29 |archive-url=https://web.archive.org/web/20200229145033/https://catless.ncl.ac.uk/Risks/14/59 |url-status=bot: unknown |last1=Neumann |first1=Peter G. }}</ref>

[[OpenSSH]] announced that DSA was going to be removed in 2025. The support was entirely dropped in version 10.0.<ref>{{cite web |title=OpenSSH announces DSA-removal timeline [LWN.net] |url=https://lwn.net/Articles/958048/ |website=lwn.net |access-date=11 January 2024}}</ref><ref>{{cite web |title=OpenSSH version 10.0. release notes |url=https://www.openssh.com/txt/release-10.0 |access-date=21 April 2025}}</ref>

==Operation==
The DSA algorithm involves four operations: key generation (which creates the key pair), key distribution, signing and signature verification.

===1. Key generation===
Key generation has two phases. The first phase is a choice of ''algorithm parameters'' which may be shared between different users of the system, while the second phase computes a single key pair for one user.

====Parameter generation====
* Choose an approved [[cryptographic hash function]] <math>H</math> with output length <math>|H|</math> bits. In the original DSS, <math>H</math> was always [[SHA-1]], but the stronger [[SHA-2]] hash functions are approved for use in the current DSS.<ref name="FIPS-186-4"/><ref name="FIPS-180-4">{{cite web|url=http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf|title=FIPS PUB 180-4: Secure Hash Standard (SHS), March 2012|website=csrc.nist.gov}}</ref> If <math>|H|</math> is greater than the modulus length <math>N</math>, only the leftmost <math>N</math> bits of the hash output are used.
* Choose a key length <math>L</math>. The original DSS constrained <math>L</math> to be a multiple of 64 between 512 and 1024 inclusive. NIST 800-57 recommends lengths of 2048 (or 3072) for keys with security lifetimes extending beyond 2010 (or 2030).<ref>{{cite web|url=http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf |title=NIST Special Publication 800-57 |website=csrc.nist.gov |url-status=dead |archive-url=https://web.archive.org/web/20140606050814/http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf |archive-date=2014-06-06 }}</ref>
* Choose the modulus length <math>N</math> such that <math>N < L</math> and <math>N \leq |H|</math>. FIPS 186-4 specifies <math>L</math> and <math>N</math> to have one of the values: (1024, 160), (2048, 224), (2048, 256), or (3072, 256).<ref name="FIPS-186-4" />
* Choose an <math>N</math>-bit prime <math>q</math>.
* Choose an <math>L</math>-bit prime <math>p</math> such that <math>p - 1</math> is a multiple of <math>q</math>.
* Choose an integer <math>h</math> randomly from <math>\{ 2 \ldots p-2 \}</math>.
* Compute <math>g := h^{(p - 1)/q} \mod p</math>. In the rare case that <math>g=1</math> try again with a different <math>h</math>. Commonly <math>h=2</math> is used. This [[modular exponentiation]] can be computed efficiently even if the values are large.
The algorithm parameters are (<math>p</math>, <math>q</math>, <math>g</math>). These may be shared between different users of the system.

====Per-user keys====
Given a set of parameters, the second phase computes the key pair for a single user:
* Choose an integer <math>x</math> randomly from <math>\{ 1 \ldots q-1 \}</math>.
* Compute <math>y := g^x \mod p</math>.
<math>x</math> is the private key and <math>y</math> is the public key.

===2. Key distribution===
The signer should publish the public key <math>y</math>. That is, they should send the key to the receiver via a reliable, but not necessarily secret, mechanism. The signer should keep the private key <math>x</math> secret.

===3. Signing===
A message <math>m</math> is signed as follows:
* Choose an integer <math>k</math> randomly from <math>\{ 1 \ldots q-1 \}</math>
* Compute <math>r := \left(g^{k}\bmod\,p\right)\bmod\,q</math>. In the unlikely case that <math>r=0</math>, start again with a different random <math>k</math>.
* Compute <math>s := \left(k^{-1}\left(H(m)+xr\right)\right)\bmod\,q</math>. In the unlikely case that <math>s=0</math>, start again with a different random <math>k</math>.
The signature is <math>\left(r,s\right)</math>

The calculation of <math>k</math> and <math>r</math> amounts to creating a new per-message key. The modular exponentiation in computing <math>r</math> is the most computationally expensive part of the signing operation, but it may be computed before the message is known.
Calculating the modular inverse <math>k^{-1}\bmod\,q</math> is the second most expensive part, and it may also be computed before the message is known. It may be computed using the [[extended Euclidean algorithm]] or using [[Fermat's little theorem]] as <math>k^{q-2}\bmod\,q</math>.

===4. Signature Verification===
One can verify that a signature <math>\left(r,s\right)</math> is a valid signature for a message <math>m</math> as follows:
* Verify that <math>0 < r < q</math> and <math>0 < s < q</math>.
* Compute <math> w := s^{-1} \bmod\,q</math>.
* Compute <math>u_1 := H(m) \cdot w\, \bmod\,q</math>.
* Compute <math>u_2 := r \cdot w\, \bmod\,q</math>.
* Compute <math> v := \left(g^{u_1}y^{u_2} \bmod\,p\right) \bmod\,q</math>.
* The signature is valid if and only if <math>v = r</math>.

==Correctness of the algorithm==
The signature scheme is correct in the sense that the verifier will always accept genuine signatures. This can be shown as follows:

First, since <math display="inline">g=h^{(p-1)/q}~\text{mod}~p</math>, it follows that <math display="inline">g^q \equiv h^{p-1} \equiv 1 \mod p</math> by [[Fermat's little theorem]]. Since <math>g>0</math> and <math>q</math> is prime, <math>g</math> must have order <math>q</math>.

The signer computes

:<math>s=k^{-1}(H(m)+xr)\bmod\,q</math>

Thus

:<math>
\begin{align}
k & \equiv H(m)s^{-1}+xrs^{-1}\\
& \equiv H(m)w + xrw \pmod{q}
\end{align}
</math>

Since <math>g</math> has order <math>q</math> we have

:<math>
\begin{align}
g^k & \equiv g^{H(m)w}g^{xrw}\\
& \equiv g^{H(m)w}y^{rw}\\
& \equiv g^{u_1}y^{u_2} \pmod{p}
\end{align}
</math>

Finally, the correctness of DSA follows from

:<math>\begin{align}
r &= (g^k \bmod\,p) \bmod\,q\\
&= (g^{u_1}y^{u_2} \bmod\,p) \bmod\,q\\
&= v
\end{align}</math>

==Sensitivity==
With DSA, the entropy, secrecy, and uniqueness of the random signature value <math>k</math> are critical. It is so critical that violating any one of those three requirements can reveal the entire private key to an attacker.<ref>{{cite web|url=http://rdist.root.org/2009/05/17/the-debian-pgp-disaster-that-almost-was/|title=The Debian PGP disaster that almost was|work=root labs rdist|date=18 May 2009 }}</ref> Using the same value twice (even while keeping <math>k</math> secret), using a predictable value, or leaking even a few bits of <math>k</math> in each of several signatures, is enough to reveal the private key <math>x</math>.<ref>[https://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/ DSA <math>k</math>-value Requirements]</ref>

This issue affects both DSA and Elliptic Curve Digital Signature Algorithm ([[ECDSA]]) – in December 2010, the group ''fail0verflow'' announced the recovery of the [[ECDSA]] private key used by [[Sony]] to sign software for the [[PlayStation 3]] game console. The attack was made possible because Sony failed to generate a new random <math>k</math> for each signature.<ref>{{Cite news|last=Bendel|first=Mike|title=Hackers Describe PS3 Security As Epic Fail, Gain Unrestricted Access|publisher=Exophase.com|date=2010-12-29|url=http://exophase.com/20540/hackers-describe-ps3-security-as-epic-fail-gain-unrestricted-access/|access-date=2011-01-05}}</ref>

This issue can be prevented by deriving <math>k</math> deterministically from the private key and the message hash, as described by {{IETF RFC|6979}}. This ensures that <math>k</math> is different for each <math>H(m)</math> and unpredictable for attackers who do not know the private key <math>x</math>.

In addition, malicious implementations of DSA and ECDSA can be created where <math>k</math> is chosen in order to [[subliminal channel|subliminally]] leak information via signatures. For example, an [[offline private key]] could be leaked from a perfect offline device that only released innocent-looking signatures.<ref>{{cite arXiv|title=How Perfect Offline Wallets Can Still Leak Bitcoin Private Keys|first=Stephan|last=Verbücheln|date=2 January 2015|eprint=1501.00447|class=cs.CR}}</ref>

== Implementations ==
{{Unreferenced section|date=June 2024}}
Below is a list of cryptographic libraries that provide support for DSA:
* [[Botan (programming library)|Botan]]
* [[Bouncy Castle (cryptography)|Bouncy Castle]]
* [[cryptlib]]
* [[Crypto++]]
* [[libgcrypt]]
* [[Nettle (cryptographic library)|Nettle]]
* [[OpenSSL]]
* [[wolfCrypt]]
* [[GnuTLS]]

==See also==
* [[Modular arithmetic]]
* [[RSA (cryptosystem)]]
* [[ECDSA]]

==References==
{{reflist|30em}}

==External links==
* [http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS PUB 186-4: Digital Signature Standard (DSS)], the fourth (and current) revision of the official DSA specification.
* [https://web.archive.org/web/20140606050814/http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf Recommendation for Key Management -- Part 1: general], NIST Special Publication 800-57, p. 62–63

{{Cryptography navbox | public-key}}
[[Category:Public-key cryptography]]
[[Category:Digital signature schemes]]
[[Category:Digital Signature Standard]]
[[Category:1991 introductions]]