Page:Fips186-2-change1.pdf/11

 M, is reduced by means of the Secure Hash Algorithm (SHA-1) specified in FIPS 180-1. An adversary, who does not know the private key of the signatory, cannot generate the correct signature of the signatory. In other words, signatures cannot be forged. However, by using the signatory's public key, anyone can verify a correctly signed message. A means of associating public and private key pairs to the corresponding users is required. That is, there must be a binding of a user's identity and the user's public key. This binding may be certified by a mutually trusted party. For example, a certifying authority could sign credentials containing a user's public key and identity to form a certificate. Systems for certifying credentials and distributing certificates are beyond the scope of this standard. NIST intends to publish separate document(s) on certifying credentials and distributing certificates.

The DSA makes use of the following parameters:


 * 1) p = a prime modulus, where 2$L-1$ &lt; p &lt; 2$L$ for 512 ≤ L ≤ 1024 and L a multiple of 64
 * 2) q = a prime divisor of p - 1, where 2$159$ &lt; q &lt; 2$160$
 * 3) g = h$(p-1)/q$ mod p, where h is any integer with 1 &lt; h &lt; p - 1 such that h$(p-1)/q$ mod p &gt; 1 (g has order q mod p)
 * 4) x = a randomly or pseudorandomly generated integer with 0 &lt; x &lt; q
 * 5) y = g$x$ mod p
 * 6) k = a randomly or pseudorandomly generated integer with 0 &lt; k &lt; q

The integers p, q, and g can be public and can be common to a group of users. A user's private and public keys are x and y, respectively. They are normally fixed for a period of time. Parameters x and k are used for signature generation only, and must be kept secret. Parameter k must be regenerated for each signature.

Parameters p and q shall be generated as specified in Appendix 2, or using other FIPS approved security methods. Parameters x and k shall be generated as specified in Appendix 3, or using other FIPS approved security methods.

The signature of a message M is the pair of numbers r and's computed according to the equations below: