[Federal Register Volume 88, Number 23 (Friday, February 3, 2023)]
[Notices]
[Pages 7410-7413]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-02273]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No. 220923-0199]
Announcing Issuance of Federal Information Processing Standard
(FIPS) 186-5, Digital Signature Standard
AGENCY: National Institute of Standards and Technology (NIST),
Commerce.
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: This notice announces the Secretary of Commerce's approval of
Federal Information Processing Standard (FIPS) 186-5, Digital Signature
Standard (DSS). FIPS 186-5 specifies three techniques for the
generation and verification of digital signatures that can be used for
the protection of data: the Rivest-Shamir-Adleman (RSA) Algorithm, the
Elliptic Curve Digital Signature Algorithm (ECDSA), and the Edwards
Curve Digital Signature Algorithm (EdDSA). The Digital Signature
Algorithm (DSA), specified in prior versions of this standard, is
retained only for the purposes of verifying existing signatures.
DATES: FIPS 186-5 is effective on February 3, 2023.
ADDRESSES: FIPS 186-5 is available electronically on the NIST Computer
Security Resource Center website at https://csrc.nist.gov. Comments
that were received on the proposed changes are published electronically
at https://csrc.nist.gov/publications/detail/fips/186/5/draft and at
https://www.regulations.gov.
FOR FURTHER INFORMATION CONTACT: Dr. Dustin Moody, National Institute
of Standards and Technology, 100 Bureau Drive, Mail Stop 8930,
Gaithersburg, MD 20899-8930, email: [email protected], phone: (301)
975-8136.
SUPPLEMENTARY INFORMATION: FIPS 186 was initially developed by NIST in
[[Page 7411]]
collaboration with the National Security Agency (NSA), using the NSA-
designed Digital Signature Algorithm (DSA). Later versions of the
standard approved the use of ECDSA (developed by Certicom) and RSA
(developed by Ron Rivest, Adi Shamir and Leonard Adleman). American
Standards Committee (ASC) X9 developed standards specifying both ECDSA
and RSA that were used as the basis for the later revisions of FIPS
186.
Since its original approval on May 10, 1994 (59 FR 26208),
revisions of the FIPS were approved on December 15, 1998 as FIPS 186-1
(63 FR 69049) to include RSA, as specified in American National
Standard (ANS) X9.31 (Digital Signatures Using Reversible Public Key
Cryptography for the Financial Services Industry (rDSA)), and on
February 15, 2000 as FIPS 186-2 (65 FR 7507) to include ECDSA and
recommended elliptic curves to be used with ECDSA, as specified in ANS
X9.62 (Elliptic Curve Digital Signature Algorithm (ECDSA)). On June 9,
2009, a third revision of the FIPS was approved as FIPS 186-3 (74 FR
27287) to (1) increase the key sizes for DSA, (2) provide additional
requirements for the use of RSA and ECDSA, (3) allow the use of the RSA
algorithm specified in Public Key Cryptography Standard (PKCS) #1 (RSA
Cryptography Standard specified in Institute of Electrical and
Electronics Engineers (IEEE) P1363, Standard Specifications for Public
Key Cryptography), (4) include requirements for obtaining the
assurances necessary for valid digital signatures, and (5) replace the
random number generators specified in previous versions of the FIPS
with a reference to NIST Special Publication (SP) 800-90
(Recommendation for Random Number Generation Using Deterministic Random
Bit Generators). A fourth revision of the FIPS was approved as FIPS
186-4 (78 FR 43145) on July 19, 2013, which included (1) a reduction of
the restrictions on the use of random number generators and the
retention and use of prime number generation seeds, and (2) aligning
the specification for the use of a random salt value in the RSASSA-PSS
digital signature scheme with PKCS #1.
Advances in the understanding of elliptic curves within the
cryptographic community have led to the development of new elliptic
curves and algorithms whose designers claim to offer better performance
and which are easier to implement in a secure manner. In 2014, NIST's
Visiting Committee on Advanced Technology (VCAT) conducted a review of
NIST's cryptographic standards program. As part of their review, the
VCAT recommended that NIST ``generate a new set of elliptic curves for
use with ECDSA in FIPS 186.'' See https://www.nist.gov/sites/default/files/documents/2017/05/09/VCAT-Report-on-NIST-Cryptographic-Standards-and-Guidelines-Process.pdf.
In June 2015, NIST hosted a technical workshop on Elliptic Curve
Cryptography Standards to discuss possible approaches to promote the
adoption of secure, interoperable, and efficient elliptic curve
mechanisms. Workshop participants expressed significant interest in the
development, standardization, and adoption of new elliptic curves.
In October 2015, NIST solicited comments on the elliptic curves and
signature algorithms specified in FIPS 186-4 (80 FR 63539). The
responses noted the broad use of the NIST prime curves and ECDSA within
industry, but many commenters called for the standardization of new
elliptic curves and signature algorithms.
Based on the input received, NIST published a notice in the Federal
Register (84 FR 58373) on October 31, 2019, requesting public comments
on the proposed revision in draft FIPS 186-5, along with accompanying
technical guidelines in draft NIST Special Publication (SP) 800-186,
Recommendations for Discrete-Logarithm Based Cryptography: Elliptic
Curve Domain Parameters. NIST received 23 sets of comments: 3 from U.S.
federal agencies, 1 from a foreign government agency, 16 from private-
sector organizations, and 3 from private academics and technologists.
The draft of FIPS 186-5 and the related technical guidelines in
draft NIST SP 800-186 proposed adopting two new elliptic curves,
Ed25519 and Ed448, for use with EdDSA. EdDSA is a deterministic
elliptic curve signature scheme currently specified in the internet
Research Task Force (IRTF) RFC 8032. FIPS 186-5 and SP 800-186 also
proposed adopting a deterministic variant of ECDSA that is currently
specified in RFC 6979. Based on feedback received on the adoption of
the current elliptic curve standards, the drafts of FIPS 186-5 and SP
800-186 deprecated curves over binary fields due to their limited use
by industry. Furthermore, NIST proposed the removal of DSA from the
FIPS as an approved method for generating digital signatures because of
limited use by industry and academic analyses finding that
implementations of DSA may be vulnerable to attacks.
The following is a summary and analysis of the comments received
during the public comment period and NIST's responses to them,
including the interests, concerns, recommendations, and issues
considered in the development of FIPS 186-5:
1. Comment: One commenter requested that FIPS 186-5 include an
additional digital signature scheme using elliptic curve cryptography,
Schnorr 384, in order to support signatures with short lengths.
Response: NIST does not see a broad demand or need for the Schnorr
384 signature scheme and declined to include it in FIPS 186-5.
2. Comment: One commenter requested that the standard be simplified
and revised to highlight security tradeoffs of design choices.
Response: The FIPS 186-5 revision was intended to adopt existing
industry-developed standards for digital signature schemes and elliptic
curves. Algorithm and curve specifications were written to accommodate
users of the existing standard, while still being readable to those
following the industry standards. To further improve readability,
organization, and maintainability of the standard, the elliptic curves
and supporting mathematical algorithm descriptions were separated into
their own Special Publication supporting FIPS 186-5, and editorial
changes were incorporated to improve clarity. Both documents include
descriptions of the security properties provided by the new signature
algorithms and elliptic curves.
3. Comment: One commenter requested that NIST clarify why DSA may
be used to verify signatures generated prior to FIPS 186-5 if verifiers
do not know when a signature was generated.
Response: Since DSA is no longer included in the FIPS, a discussion
of its use is not appropriate in the FIPS. Instead, continued use of
DSA for verifying already-generated signatures (e.g., in existing data
records) will be addressed in a revision to NIST SP 800-131A,
Transitioning the Use of Cryptographic Algorithms and Key Lengths.
Accordingly, the statement in Appendix E of the draft FIPS that
mentioned DSA signature verification was removed. In 2009, NIST SP 800-
102, Recommendation for Digital Signature Timeliness, was published to
provide guidance on providing information on the time when digital
signatures are generated. This publication was referenced in FIPS 186-
3, FIPS 186-4, and in FIPS 186-5.
4. Comment: One commenter recommended that EdDSA be used in
preference to HashEdDSA except in applications that cannot afford
EdDSA.
Response: NIST specified both EdDSA and HashEdDSA in FIPS 186-5 to
allow
[[Page 7412]]
implementers to choose an appropriate signature algorithm for their
applications and use cases. Section 7.8.3 of FIPS 186-5 provides
additional considerations for implementers when selecting a signature
algorithm.
5. Comment: One commenter noted that it was difficult to compare
Draft FIPS 186-5 against FIPS 186-4 and recommended that NIST adopt
editing tools to aid readers in locating and evaluating changes across
revisions.
Response: Revisions made during the development of FIPS 186-5 have
been documented or summarized using a variety of methods, including the
revision list in FIPS 186-5, in Federal Register notices, and in
document announcements. The availability of electronic documents on the
NIST Computer Security Resource Center website allows individuals to
use third-party tools to compare revisions. However, NIST will continue
to evaluate new document development and management tools to provide
greater transparency to changes in cryptographic standards and
guidelines.
6. Comment: A commenter noted that implementations of the RSASSA-
PSS algorithm, approved by reference to RFC 8017 in FIPS 186-5, should
validate the length of the salt when verifying signatures.
Response: Existing guidance in Section 5.4 of FIPS 186-4 provided
criteria for validating the length of the random salt value. FIPS 186-5
strengthened that language by including explicit validation of the
length of the salt as part of the digital signature verification
process.
7. Comment: A commenter noted that implementations of the RSASSA-
PKCS-v1.5 algorithm should validate the encoded hash algorithm
identifier extracted from a digital signature.
Response: NIST revised Section 5.4 to include the validation of the
hash algorithm identifier as part of the RSASSA-PKCS-v1.5 signature
verification process.
8. Comment: Some commenters requested clarifications on the use of
Montgomery and Edwards curves with approved signature and key-agreement
schemes.
Response: The introductions in FIPS 186-5 and NIST SP 800-186 were
revised to clarify acceptable uses of recommended elliptic curves.
9. Comment: One commenter observed that different notation is used
in the specifications of the ECDSA and EdDSA.
Response: The notation was selected for consistency with existing
standards that specify the algorithms. The notation used for ECDSA is
consistent with that used in FIPS 186-4 and the original ANS X9.62
standard used as a basis for the inclusion of ECDSA in FIPS 186. The
notation used for EdDSA is consistent with the notation used in the
original RFC 8032 specification.
10. Comment: Two commenters requested a transition plan for the
removal of DSA and the deprecation of the binary elliptic curves that
had been approved in FIPS 186-4. One commenter requested that DSA not
be removed.
Response: FIPS 186-5 removes DSA as an approved digital signature
algorithm due to a lack of use by industry and based on academic
analyses that observed that implementations of DSA may be vulnerable to
attacks if domain parameters are not properly generated. To facilitate
a transition to the new standard, FIPS 186-4 will remain in effect
alongside FIPS 186-5 for a period of one year. In addition, NIST SP
800-131A and the Cryptographic Module Validation Program will provide
transition guidance concerning the use of DSA and the binary elliptic
curves.
11. Comment: Commenters requested that the secp256k1 curve be
included as an approved elliptic curve since it is widely used in
blockchain and Distributed Ledger Technology (DLT) applications.
Response: While NIST does not believe that the secp256k1 curve
offers compelling advantages over the NIST-recommended curves in SP
800-186, NIST acknowledges the significant use of the secp256k1 curve
in these applications. NIST technical guidelines in NIST SP 800-186
will allow the use of the secp256k1 curve for blockchain and DLT-
related applications.
12. Comment: One commenter expressed concerns and posed questions
about the inclusion of the Brainpool Standard Curves as a set of
allowed curves in the NIST SP 800-186 technical guidelines associated
with FIPS 186-5.
Response: The Brainpool Standard Curves were originally published
in 2005 and specified in RFC 5639 in 2010. The curves have been widely
implemented in a variety of commercial products and open-source tools.
Existing programmatic guidance from NIST's Cryptographic Module
Validation Program has allowed the use of these curves in several FIPS
140-validated modules. While NIST does not see compelling reasons to
prefer the use of the Brainpool Standard Curves over the NIST-
recommended curves, it is confident in the security supported by these
curves and does not see a reason to require these curves to be removed
or disabled in existing products. To accommodate those existing modules
as well as future products sold on the international market, NIST SP
800-186 will allow the use of the Brainpool Standard Curves.
13. Comment: Some commenters requested the inclusion of
cofactorless EdDSA in FIPS 186-5 for signature verification.
Response: NIST did not see sufficient demand or need to facilitate
the use of other elliptic curves with EdDSA to warrant inclusion of
cofactorless EdDSA in FIPS 186-5. To remain consistent with RFC 8032,
NIST is not extending the specification of EdDSA to include these
alternative domain parameters.
14. Comment: One commenter recommended adding a small-subgroup
check to EdDSA or adding a warning about not providing strong non-
repudiation guarantees.
Response: When signing keys are generated according to the
requirements in FIPS 186-5, the probability that the signing key would
be a member of a small subgroup is negligible. Thus, NIST did not see a
need to add a small-subgroup check to EdDSA.
15. Comment: Several commentors requested the inclusion of variants
of the deterministic signature scheme that would include randomness in
the signature computation.
Response: NIST may consider adopting new standards developed for
signature algorithms that include deterministic and random components
in future publications.
16. Comment: Comments recommended discussing side-channel attacks
for ECDSA.
Response: FIPS 186-5 provides references that describe protections
against side-channel attacks for both ECDSA and EdDSA.
17. Comment: A comment requested that more hash functions or
extendable output functions (XOFs) be allowed for EdDSA.
Response: To remain consistent with existing standards and
specifications, FIPS 186-5 does not specify other hash functions or
XOFs for use with EdDSA beyond those specified in RFC 8032.
18. Comment: Several commenters requested that NIST allow more hash
functions or XOFs for use with ECDSA, specifically the keccak-256 XOF.
Response: NIST is not allowing other hash functions or XOFs with
ECDSA; keccak-256 is not an approved hash function as defined in FIPS
180 or FIPS 202.
19. Comment: One commenter asked why the bounds on the number of
iterations to run through before returning a failure indication changed
in
[[Page 7413]]
a few prime number generation routines in FIPS 186-5. Specifically, the
bounds were changed in steps 4.7 and 5.8 of Appendix A.1.3, Generation
of Random Primes that are Probably Prime, as well as in step 9 of
Appendix B.9, Compute a Probably Prime Factor Based on Auxiliary
Primes.
Response: NIST had observed that the original bounds led to higher
probabilities of failure than desired when attempting to generate
primes. The bounds were increased to decrease the probability of
failure.
20. Comment: One commenter suggested simplifying the deterministic
version of ECDSA.
Response: To remain consistent with RFC 6979, NIST will keep the
deterministic version of ECDSA as currently specified.
21. Comment: One commenter recommended removing signature
algorithms that are not deterministic.
Response: NIST believes that both deterministic and non-
deterministic signature schemes serve important use cases and so will
keep the specified algorithms as they are.
22. Comment: The removal of RSASSA-PKCS-v1.5 as an approved digital
signature algorithm was recommended by one commenter.
Response: Due to its broad use in security protocols and products,
FIPS 186-5 continues to approve the use of RSASSA-PKCS-v1.5, subject to
the additional constraints specified in FIPS 186-5 to mitigate known
security vulnerabilities.
23. Comment: Corrections were recommended for defining encodings
for EdDSA.
Response: NIST accepted the corrections.
24. Comment: A correction in A.3.3 was recommended so that FIPS
186-5 matches RFC 6979 for the per-message secret number generation for
deterministic ECDSA.
Response: NIST accepted the correction.
25. Comment: A few commenters suggested alternate algorithms in
FIPS 186-5 to replace the reference algorithms provided by NIST for
various computations. For example, commenters suggested alternatives to
the square root algorithm for EdDSA in Section 7.3, the square checking
algorithm in Appendix B.4, and the algorithm for inverting a finite
field element in Appendix B.1.
Response: FIPS 186-5 includes language to clarify that alternate
algorithms (including constant-time algorithms) that produce equivalent
results may be used in place of the reference algorithms provided in
the FIPS.
26. Comment: A comment was submitted on a difference between EdDSA
and the other signature schemes in FIPS 186-5. Namely, that revealing
the hash of a private key for EdDSA is a security concern, while it is
not for RSA or ECDSA.
Response: NIST does not believe the concern merits changing EdDSA,
and will maintain consistency with RFC 6979. Furthermore, FIPS 186-5
forbids revealing the hash of the private key of any of the signature
algorithms.
(Authority: 15 U.S.C. 278g-3; 40 U.S.C. 11331)
Alicia Chambers,
NIST Executive Secretariat.
[FR Doc. 2023-02273 Filed 2-2-23; 8:45 am]
BILLING CODE 3510-13-P