IETF-SSH archive
Re: FIPS 186 or 186-1
[FIPS 186-X is the federal digital signature standard.]
As best as I can tell from some quick googling, it looks like:
FIPS 186 specified DSA.
FIPS 186-1 added RSA as an additional approved algorithm.
FIPS 186-2 added ECC as an additional approved algorithm.
And if that wasn't enough, there's now a "FIPS 186-2 with Change
Notice 1 dated October 5, 2001"
Note that the ssh documents and protocol use "dss" to refer to "dsa",
which was unambiguous until 186-1 came out.
I have not found any mention of changes to DSA in -1 or -2, but "186-2
+ Change Notice 1" mentions some adjustments to recommended DSA key
lengths and random number generation techniques.
Highlights:
Section 4 of FIPS 186-2 specifies that the prime modulus p of DSA is
defined for the range of prime integers 2^(L-1) < p < 2^L , where 512 <
L < 1024 and L is a multiple of 64. This change notice specifies that
L should assume only the value 1024 for DSA as specified in FIPS
186-2, i.e., the prime modulus p should be defined in the range
2^1023 < p < 2^1024 .
(cut & pasted from PDF page 73 / document page 71 with correction of
formulas)
and:
Recently, an unpublished attack on DSA3 was found that relies on the
non-uniformity of the pseudorandom number generators (PRNGs) specified
in Appendix 3 of the standard. The attack has a workfactor of 2^64 and
requires 2^22 known signatures. This attack can be defended against by
either limiting the number of signatures created using a specific key
pair to no more than 2 million signatures while using the PRNGs
specified in FIPS 186-2, or by modifying the PRNGs.
references:
http://csrc.nist.gov/cryptval/dss.htm
http://csrc.nist.gov/cryptval/dss/fr000215.html
- Bill
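
The key-length rule quoted above can be checked against an "ssh-dss" public key, shown here as an added example that is not part of the original message. It assumes the SSH public key blob layout (string "ssh-dss", then mpints p, q, g, y) and the inclusive bounds 512 to 1024 for L; the function names and sample values are constructed for illustration.

```python
import struct

def read_string(buf, off):
    """Read one SSH length-prefixed field; return (bytes, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[off + 4:end], end

def dss_modulus_bits(blob):
    """Return L, the bit length of the prime modulus p in an ssh-dss key blob."""
    name, off = read_string(blob, 0)
    if name != b"ssh-dss":
        raise ValueError("not an ssh-dss key")
    p_raw, off = read_string(blob, off)
    p = int.from_bytes(p_raw, "big", signed=True)  # mpint is two's complement
    if p <= 0:
        raise ValueError("modulus must be positive")
    return p.bit_length()  # bit_length() == L exactly when 2^(L-1) <= p < 2^L

def classify(L):
    """Return (allowed by FIPS 186-2, allowed by 186-2 + Change Notice 1)."""
    fips_186_2 = 512 <= L <= 1024 and L % 64 == 0  # assumed inclusive bounds
    change_notice_1 = L == 1024
    return fips_186_2, change_notice_1

def mpint(n):
    """Encode a positive integer as an SSH mpint (used only to build samples)."""
    raw = n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True)
    return struct.pack(">I", len(raw)) + raw

def sample_blob(bits):
    """Constructed blob: p has the requested length but is NOT a real DSA prime."""
    p = (1 << (bits - 1)) | 1
    name = b"ssh-dss"
    return (struct.pack(">I", len(name)) + name
            + mpint(p) + mpint(3) + mpint(2) + mpint(5))

if __name__ == "__main__":
    for bits in (512, 768, 1000, 1024):
        L = dss_modulus_bits(sample_blob(bits))
        print(L, classify(L))
```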