Signature algorithms

The naming scheme described here is different from that described in Sun's documentation for the Java Cryptography Architecture. Several name formats have been used up to now for signature algorithms:

These names are now deprecated (but are still specified temporarily as aliases). The new preferred format is "signature-primitive/signature-encoding". For this format, the signature encoding will usually have a message digest name as a creation parameter, e.g. "RSA/PKCS1-1.5(SHA-1)".

All of the algorithms defined here use either modular exponentiation or elliptic curve multiplication, which are potentially vulnerable to timing attacks. See the following paper for details and possible countermeasures:

DSA[(outputFormat)] Signature
Description:
The Digital Signature Algorithm, as defined in NIST FIPS PUB 186. (This is technically equivalent to the version of DSA defined in NIST FIPS PUB 186-2. However, Change Notice 1 to FIPS PUB 186-2 requires keys to have a modulus length of exactly 1024 bits. This algorithm does not impose that requirement, which would be an incompatible change.)

The default outputFormat is "DER".

This algorithm is separated from the generalisation, "DSA-1363", described below, in order to ensure that an implementation of DSA by a provider earlier in the priority list does not 'mask' an implementation of DSA-1363.

Aliases:
References:
Comment:
Some providers may implement a "RawDSA" algorithm, which takes a 20-byte input corresponding to the SHA-1 hash of the message to be signed. This is not formally defined as an algorithm name in SCAN; "DSA-1363(DER)/Raw" is similar but not identical (since it uses a generalisation of DSA).
Security comments:

DSA-1363[(outputFormat)][/encoding] Signature
Description:
A generalisation of the Digital Signature Algorithm, as defined in IEEE Std 1363-2000. By default, the EMSA1 encoding method specified by IEEE Std 1363-2000 is used, with the SHA-1 message digest algorithm.

If an encoding method is explicitly specified, it is used instead of the default (this requires that the order of the base in the DSA parameters, usually denoted q, is large enough to accomodate message representatives generated by this encoding method).

This algorithm also differs from the "DSA" algorithm, in having "1363" as the default outputFormat. The "DER" and "OpenPGP" output formats SHOULD normally also be supported.

Aliases:
References:
Comment:
It is recommended that implementations make no practical restriction on the lengths of the key parameters p, q, g and x (in particular, values of p up to at least 4096 bits SHOULD be supported).
Security comments:

ECDSA[(outputFormat)][/encoding] Signature
Description:
A generalisation of the Elliptic Curve Digital Signature Algorithm, as defined in IEEE Std 1363-2000. By default, the EMSA1 encoding method specified by IEEE Std 1363-2000 is used, with the SHA-1 message digest algorithm.

If an encoding method is explicitly specified, it is used instead of the default (this requires that the order of the base point in the elliptic curve parameters, usually denoted n, is large enough to accomodate message representatives generated by this encoding method).

The default outputFormat is "1363".

Alias:
"ecdsa-sha1" is an alias to "ECDSA(1363)/EMSA1(SHA-1)" (for SPKI support).
"1.2.840.10045.4.1" is an alias to "ECDSA(DER)/EMSA1(SHA-1)".
References:
Comment:
It is recommended that implementations make no practical restriction on the lengths of the key parameters.
Security comment:
Patent status:
[see general elliptic curve patents]

ECNR(outputFormat)/encoding Signature
Designers:
Kaisa Nyberg, Rainer A. Rueppel
Description:
The elliptic curve analogue of the Nyberg-Rueppel signature scheme, as defined in IEEE Std 1363-2000. This algorithm is specified by the ECSSA signature scheme used with the ECSP-NR signature primitive, and the ECVP-NR verification primitive.
References:
Comment:
It is recommended that implementations make no practical restriction on the lengths of the key parameters.
Security Comment:
To prevent the attacks by Nguyen and Shparlinski, the random nonces generated for each signature must be independent and uniformly distributed.
Patent status:
r3 Security Engineering (now merged with Entrust Technologies) is the assignee of a patent on the Nyberg-Rueppel signature scheme. Certicom Corp., in a letter to the IEEE P1363 Chair, claims to have the exclusive North American license rights to this patent. It is not clear whether or not the patent also applies to ECNR.

ElgamalSig(outputFormat)/encoding Signature
Designer:
Taher Elgamal
Aliases:
References:
Comments:
Security comments:

× ESIGN/encoding Signature
Designers:
Eiichiro Fujisaki, Tatsuaki Okamoto
Published:
Submission dated November 1998.
Description:
The ESIGN signature algorithm, as defined in the IEEE P1363a draft standard. Note that P1363a only allows use of ESIGN with the EMSA5-MGF1 encoding method.
References:
Comments:

NR(outputFormat)/encoding Signature
Designers:
Kaisa Nyberg, Rainer A. Rueppel
Description:
The Nyberg-Rueppel signature scheme, with message encoding as defined in IEEE Std 1363-2000. This algorithm is specified by the DLSSA signature scheme used with the DLSP-NR signature primitive, and the DLVP-NR verification primitive.
References:
Comment:
It is recommended that implementations make no practical restriction on the lengths of the key parameters p, q, g and x (in particular, values of p up to at least 4096 bits SHOULD be supported).
Security Comment:
To prevent the attacks by Nguyen and Shparlinski, the random nonces generated for each signature must be independent and uniformly distributed.
Patent status:
r3 Security Engineering (now merged with Entrust Technologies) is the assignee of a patent on the Nyberg-Rueppel signature scheme. Certicom Corp., in a letter to the IEEE P1363 Chair, claims to have the exclusive North American license rights to this patent.

RSA/encoding Signature
Designers:
Ron Rivest, Adi Shamir, Leonard Adelman
Aliases:
References:
Comment:
It is recommended that implementations make no practical restriction on the lengths of the key parameters n and e (in particular, values of n up to at least 4096 bits SHOULD be supported).
Patent status:
RSA was previously patented in the United States and Canada; the patent has now expired.

RSA2/encoding Signature
Designers:
Ron Rivest, Adi Shamir, Leonard Adelman
Description:
The variant of RSA defined by the IFSP-RSA2 and IFVP-RSA2 primitives from IEEE Std 1363-2000. If the modulus is n and the output of a normal RSA private key operation is t, then the output of the corresponding operation for this algorithm is min(t, n-t).

This variant of RSA is normally used only with the EMSA2 encoding method, and only for compatibility with ISO/IEC 9796:1991.

References:
Comment:
[see comment for RSA]
Patent status:
RSA was previously patented in the United States and Canada; the patent has now expired.

RW/encoding Signature
Designer:
Michael O. Rabin, Hugh C. Williams
Description:
The Rabin-Williams signature scheme as defined in IEEE Std 1363-2000.
References:
Comments:
It is recommended that implementations make no practical restriction on the length of the key parameter n (in particular, values of n up to at least 4096 bits SHOULD be supported).

Signature Encoding Methods

Note that any parameters required by Signature Encoding Methods are set and retrieved by calling set/getParameter on the Signature object, since there is not necessarily any object explicitly representing the encoding method.

EMSA1(digest) Signature Encoding Method
Description:
The encoding scheme described as "EMSA1" in IEEE Std 1363-2000.
References:
Parameters:
Comment:
EMSA1(SHA-1) is compatible with the encoding used for DSA in FIPS 186, and for ECDSA in X9.62 and FIPS 186-2.
Security comment:
The message representatives output by this encoding method do not contain any specification of which message digest algorithm was used. Therefore, unless public keys are certified in such a way that each key is tied to use of only one digest algorithm, there is the risk of a collision between different algorithms (i.e. Hash1(X) == Hash2(Y) for distinct algorithms Hash1 and Hash2, and messages X and Y). To reduce the possibility of such collisions, implementations of this encoding MUST NOT support message digests other than SHA-1 and RIPEMD-160, and application designers are strongly advised to use only SHA-1 for the digest, if they use this encoding method.

EMSA2(digest) Signature Encoding Method
Description:
The encoding scheme described as "EMSA2" in IEEE Std 1363-2000, based on ANSI-X9.31. This should be capable of being used with both the RSA and RSA2 signature primitives.
Alias:
"X9.31"
References:
Parameters:

× EMSA5-MGF1(digest) Signature Encoding Method
Designers:
Eiichiro Fujisaki, Tatsuaki Okamoto
Description:
The "EMSA5" encoding defined in the IEEE P1363a draft standard, with the MGF1 Mask Generation Function. This encoding method is intended only for use with ESIGN.
References:
Parameters:

PKCS1-1.5(digest) Signature Encoding Method
Designers:
RSA Data Security, Inc.
Description:
Block type 01, described in section 10.1 of PKCS #1 v1.5.
Aliases:
"PKCS#1", "EMSA-PKCS1-v1_5", "EMSA3"
References:
Parameters:
Comments:

× PSS-MGF1(digest) Signature Encoding Method
Designers:
Mihir Bellare, Phillip Rogaway
Description:
Probably, the "EMSA-PSS" encoding defined in PKCS #1 v2.1. Note that there are several incompatible versions of PSS, and it is not clear precisely which version will become standard.
Aliases:
"EMSA-PSS"
References:
Parameters:
Comments:
Security comment:
[[Talk about hash function substitution attacks, and difference between P1363a D3 and D4.]]
Patent status:
The University of California has a patent pending on PSS. It has stated, in a letter to the IEEE, that:
If PSS is included in an IEEE standard, the University of California will, when that standard is adopted, FREELY license any conforming implementation of PSS as a technique for achieving a digital signature with appendix. No registration fee or other administrative procedure will be required.
Note that this is different to the licensing position for PSSR.

× PSSR-MGF1(digest) Signature Encoding Method
Designers:
Mihir Bellare, Phillip Rogaway
Description:
Probably, the "EMSA-PSSR" encoding defined in PKCS #1 v2.1. Note that there are several incompatible versions of PSS, and it is not clear precisely which version will become standard.
Aliases:
"EMSR-PSSR"
References:
Parameters:
Patent status:
The University of California has a patent pending on PSSR. It has stated, in a letter to the IEEE, that use of this technique will require a license to be acquired "under very reasonable terms and conditions". Note that this is different to the licensing position for PSS.

SSL3 Signature Encoding Method
Designers:
Netscape Communications Corp.
Description:
The signature encoding method used for RSA in SSL version 3.0, consisting of MD5 and SHA-1 hashes, encoded using PKCS #1 v1.5 block type 0.
References:
Missing information:
Test vectors.
Comment:
"RSA/SSL3" is equivalent to "RSA/EMSA1(Parallel(MD5,SHA-1))". It is defined as a separate algorithm because EMSA1 is not normally used with RSA.

TLS Signature Encoding Method
Designers:
Netscape Communications Corp., IETF Transport Layer Security Working Group
Description:
The signature encoding method used for RSA in TLS, consisting of MD5 and SHA-1 hashes, encoded using PKCS #1 v1.5 block type 1. Block type 0 MUST also be accepted when verifying a signature.
References:
Missing information:
Test vectors.
Comment:
For generation of signatures, "RSA/TLS" is equivalent to "RSA/PKCS1-1.5(Parallel(MD5,SHA-1))". It is defined as a separate algorithm because it also accepts PKCS #1 block type 0 on verification.

Raw Signature Encoding Method
Description:
A "null" encoding method, that passes its input directly to the underlying primitive. The block length is as large as necessary to ensure that all inputs to the public key primitive are possible (and no larger). This usually means that some block contents will not be valid; these will cause the signature to be rejected when the Signature object's verify method is called, or an IllegalArgumentException to be thrown when the sign method is called.
Security comment:
There are many attacks possible on public key signature algorithms when this encoding method is used. It is intended only as a way to obtain access to a public key primitive (for those providers that support it), in order to implement encoding methods at the application rather than the provider level, or to maintain compatibility with legacy protocols.

Output Formats

1363 Output Format
Description:
Where there are several possible output formats for a signature algorithm, this name indicates that the alternative consistent with IEEE Std 1363-2000 Annex E must be used.

The convention used by 1363 for formatting more than one arbitrary-length integer, is to concatenate their big-endian unsigned representations. Each integer is padded on the left with zeroes, to the length defined by the algorithm parameters (for example if an integer is in the range 0..n-1, the result will have the same number of bytes as is needed to represent n-1). The signature algorithm is assumed to specify a canonical order for the integers.

To parse this format, the receiver must split it into blocks of the correct lengths (usually equal), one for each integer. If this cannot be done, the signature MUST be treated as invalid.

DER Output Format
Description:
Where there are several possible output formats for a signature algorithm, this name indicates that the DER-encoded alternative must be used.

The type used to DER-encode more than one arbitrary-length integer, is SEQUENCE { INTEGER a, INTEGER b, ... }. The signature algorithm is assumed to specify a canonical order for the integers.

To parse this format, the receiver must always interpret it as DER, not BER. If the signature is not a DER encoding of the correct type, it MUST be treated as invalid.

OpenPGP Output Format
Description:
Where there are several possible output formats for a signature algorithm, this name indicates that the alternative specified by OpenPGP must be used.

The convention used by OpenPGP for formatting more than one arbitrary-length integer, is to encode each integer as a two-byte big-endian length field indicating the bit length of the integer, followed by the bytes of the integer in big-endian order, with no leading zeroes (see section 3.2 of RFC 2440). The signature algorithm is assumed to specify a canonical order for the integers.

When parsing this format, if the length fields are inconsistent with the total length of the signature, it MUST be treated as invalid.

References:
Valid HTML 4.0 Valid CSS Copyright and trademarks