Announcing Issuance of Federal Information Processing Standard (FIPS) 186-5, Digital Signature Standard, 7410-7413 [2023-02273]
Download as PDF
<![CDATA[
7410
Federal Register / Vol. 88, No. 23 / Friday, February 3, 2023 / Notices
assessment rates based on the ratio of
the total amount of dumping calculated
for the examined sales to the total
entered value of those sales. Where
either the respondent’s weightedaverage dumping margin is zero or de
minimis within the meaning of 19 CFR
351.106(c)(1), or an importer-specific
assessment rate is zero or de minimis,
we will instruct CBP to liquidate the
appropriate entries without regard to
antidumping duties.10 For entries of
subject merchandise during the POR
produced by the mandatory respondents
for which they did not know their
merchandise was destined for the
United States, or for entries associated
with Synn, which had no shipments
during the POR, we will instruct CBP to
liquidate unreviewed entries at the allothers rate if there is no rate for the
intermediate company(ies) involved in
the transaction.
The final results of this review shall
be the basis for the assessment of
antidumping duties on entries of
merchandise covered by the final results
of this review and for future deposits of
estimated duties, where applicable.11
Commerce intends to issue
assessment instructions to CBP no
earlier than 35 days after the date of
publication of the final results of this
review in the Federal Register. If a
timely summons is filed at the U.S.
Court of International Trade, the
assessment instructions will direct CBP
not to liquidate relevant entries until the
time for parties to file a request for a
statutory injunction has expired (i.e.,
within 90 days of publication).
lotter on DSK11XQN23PROD with NOTICES1
Cash Deposit Requirements
The following cash deposit
requirements will be effective for all
shipments of subject merchandise
entered, or withdrawn from warehouse,
for consumption on or after the
publication date of the final results of
this administrative review, as provided
by section 751(a)(2)(C) of the Act: (1) the
cash deposit rate for the companies
listed above will be equal to the
weighted-average dumping margins
established in the final results of this
administrative review; (2) for
merchandise exported by producers or
exporters not covered in this review but
covered in a prior completed segment of
the proceeding, the cash deposit rate
will continue to be the company10 In these final results, Commerce applied the
assessment rate calculation method adopted in
Antidumping Proceedings: Calculation of the
Weighted-Average Dumping Margin and
Assessment Rate in Certain Antidumping Duty
Proceedings; Final Modification, 77 FR 8101
(February 14, 2012).
11 See section 751(a)(2)(C) of the Act.
VerDate Sep<11>2014
17:51 Feb 02, 2023
Jkt 259001
specific rate published for the most
recent period; (3) if the exporter is not
a firm covered in this review, a prior
review, or the original investigation, but
the producer has been covered in a prior
complete segment of this proceeding,
then the cash deposit rate will be the
rate established for the most recent
period for the producer of the
merchandise; (4) the cash deposit rate
for all other manufacturers or exporters
will continue to be 3.66 percent,12 the
all-others rate from the Amended Final
Determination. These cash deposit
requirements, when imposed, shall
remain in effect until further notice.
Notification to Importers
This notice also serves as a final
reminder to importers of their
responsibility under 19 CFR
351.402(f)(2) to file a certificate
regarding the reimbursement of
antidumping duties prior to liquidation
of the relevant entries during this
review period. Failure to comply with
this requirement could result in
Commerce’s presumption that
reimbursement of antidumping duties
occurred and the subsequent assessment
of double antidumping duties.
Administrative Protective Order
This notice also serves as a reminder
to parties subject to an administrative
protective order (APO) of their
responsibility concerning the
disposition of proprietary information
disclosed under APO in accordance
with 19 CFR 351.305(a)(3). Timely
written notification of return/
destruction of APO materials or
conversion to judicial protective order is
hereby requested. Failure to comply
with the regulations and the terms of an
APO is a sanctionable violation.
Notification to Interested Parties
We are issuing and publishing these
final results of administrative review in
accordance with sections 751(a)(1) and
777(i) of the Act, and 19 CFR
351.221(b)(5).
Dated: January 27, 2023.
Lisa W. Wang,
Assistant Secretary for Enforcement and
Compliance.
Appendix—List of Topics Discussed in
the Issues and Decision Memorandum
I. Summary
II. Background
12 See Corrosion-Resistant Steel Products from
Taiwan: Notice of Court Decision Not in Harmony
with Final Determination of Antidumping Duty
Investigation and Notice of Amended Final
Determination of Investigation, 84 FR 6129
(February 26, 2019) (Amended Final
Determination).
PO 00000
Frm 00017
Fmt 4703
Sfmt 4703
III. Scope of the Order
IV. Changes Since the Preliminary Results
V. Discussion of the Issues
Comment 1: Whether to Analyze
Transactions between Prosperity and its
Affiliate, Hong-Ye Steel Co., Ltd. (Hong
Ye), Under Section 773(f)(2) of the Act,
as well as Whether to Include Hong Ye’s
Purchases in the Market Price Valuation
Comment 2: Treatment of All Prosperity’s
Home Market Sales
Comment 3: Whether to Adjust Prosperity’s
Production Quantities Assigned to
Surrogate Costs
VI. Recommendation
[FR Doc. 2023–02213 Filed 2–2–23; 8:45 am]
BILLING CODE 3510–DS–P
DEPARTMENT OF COMMERCE
National Institute of Standards and
Technology
[Docket No. 220923–0199]
Announcing Issuance of Federal
Information Processing Standard
(FIPS) 186–5, Digital Signature
Standard
National Institute of Standards
and Technology (NIST), Commerce.
ACTION: Notice.
AGENCY:
This notice announces the
Secretary of Commerce’s approval of
Federal Information Processing
Standard (FIPS) 186–5, Digital Signature
Standard (DSS). FIPS 186–5 specifies
three techniques for the generation and
verification of digital signatures that can
be used for the protection of data: the
Rivest-Shamir-Adleman (RSA)
Algorithm, the Elliptic Curve Digital
Signature Algorithm (ECDSA), and the
Edwards Curve Digital Signature
Algorithm (EdDSA). The Digital
Signature Algorithm (DSA), specified in
prior versions of this standard, is
retained only for the purposes of
verifying existing signatures.
DATES: FIPS 186–5 is effective on
February 3, 2023.
ADDRESSES: FIPS 186–5 is available
electronically on the NIST Computer
Security Resource Center website at
https://csrc.nist.gov. Comments that
were received on the proposed changes
are published electronically at https://
csrc.nist.gov/publications/detail/fips/
186/5/draft and at https://
www.regulations.gov.
FOR FURTHER INFORMATION CONTACT: Dr.
Dustin Moody, National Institute of
Standards and Technology, 100 Bureau
Drive, Mail Stop 8930, Gaithersburg,
MD 20899–8930, email: Dustin.Moody@
nist.gov, phone: (301) 975–8136.
SUPPLEMENTARY INFORMATION: FIPS 186
was initially developed by NIST in
SUMMARY:
E:\FR\FM\03FEN1.SGM
03FEN1
lotter on DSK11XQN23PROD with NOTICES1
Federal Register / Vol. 88, No. 23 / Friday, February 3, 2023 / Notices
collaboration with the National Security
Agency (NSA), using the NSA-designed
Digital Signature Algorithm (DSA). Later
versions of the standard approved the
use of ECDSA (developed by Certicom)
and RSA (developed by Ron Rivest, Adi
Shamir and Leonard Adleman).
American Standards Committee (ASC)
X9 developed standards specifying both
ECDSA and RSA that were used as the
basis for the later revisions of FIPS 186.
Since its original approval on May 10,
1994 (59 FR 26208), revisions of the
FIPS were approved on December 15,
1998 as FIPS 186–1 (63 FR 69049) to
include RSA, as specified in American
National Standard (ANS) X9.31 (Digital
Signatures Using Reversible Public Key
Cryptography for the Financial Services
Industry (rDSA)), and on February 15,
2000 as FIPS 186–2 (65 FR 7507) to
include ECDSA and recommended
elliptic curves to be used with ECDSA,
as specified in ANS X9.62 (Elliptic
Curve Digital Signature Algorithm
(ECDSA)). On June 9, 2009, a third
revision of the FIPS was approved as
FIPS 186–3 (74 FR 27287) to (1) increase
the key sizes for DSA, (2) provide
additional requirements for the use of
RSA and ECDSA, (3) allow the use of
the RSA algorithm specified in Public
Key Cryptography Standard (PKCS) #1
(RSA Cryptography Standard specified
in Institute of Electrical and Electronics
Engineers (IEEE) P1363, Standard
Specifications for Public Key
Cryptography), (4) include requirements
for obtaining the assurances necessary
for valid digital signatures, and (5)
replace the random number generators
specified in previous versions of the
FIPS with a reference to NIST Special
Publication (SP) 800–90
(Recommendation for Random Number
Generation Using Deterministic Random
Bit Generators). A fourth revision of the
FIPS was approved as FIPS 186–4 (78
FR 43145) on July 19, 2013, which
included (1) a reduction of the
restrictions on the use of random
number generators and the retention
and use of prime number generation
seeds, and (2) aligning the specification
for the use of a random salt value in the
RSASSA–PSS digital signature scheme
with PKCS #1.
Advances in the understanding of
elliptic curves within the cryptographic
community have led to the development
of new elliptic curves and algorithms
whose designers claim to offer better
performance and which are easier to
implement in a secure manner. In 2014,
NIST’s Visiting Committee on Advanced
Technology (VCAT) conducted a review
of NIST’s cryptographic standards
program. As part of their review, the
VCAT recommended that NIST
VerDate Sep<11>2014
17:51 Feb 02, 2023
Jkt 259001
‘‘generate a new set of elliptic curves for
use with ECDSA in FIPS 186.’’ See
https://www.nist.gov/sites/default/files/
documents/2017/05/09/VCAT-Reporton-NIST-Cryptographic-Standards-andGuidelines-Process.pdf.
In June 2015, NIST hosted a technical
workshop on Elliptic Curve
Cryptography Standards to discuss
possible approaches to promote the
adoption of secure, interoperable, and
efficient elliptic curve mechanisms.
Workshop participants expressed
significant interest in the development,
standardization, and adoption of new
elliptic curves.
In October 2015, NIST solicited
comments on the elliptic curves and
signature algorithms specified in FIPS
186–4 (80 FR 63539). The responses
noted the broad use of the NIST prime
curves and ECDSA within industry, but
many commenters called for the
standardization of new elliptic curves
and signature algorithms.
Based on the input received, NIST
published a notice in the Federal
Register (84 FR 58373) on October 31,
2019, requesting public comments on
the proposed revision in draft FIPS 186–
5, along with accompanying technical
guidelines in draft NIST Special
Publication (SP) 800–186,
Recommendations for DiscreteLogarithm Based Cryptography: Elliptic
Curve Domain Parameters. NIST
received 23 sets of comments: 3 from
U.S. federal agencies, 1 from a foreign
government agency, 16 from privatesector organizations, and 3 from private
academics and technologists.
The draft of FIPS 186–5 and the
related technical guidelines in draft
NIST SP 800–186 proposed adopting
two new elliptic curves, Ed25519 and
Ed448, for use with EdDSA. EdDSA is
a deterministic elliptic curve signature
scheme currently specified in the
internet Research Task Force (IRTF)
RFC 8032. FIPS 186–5 and SP 800–186
also proposed adopting a deterministic
variant of ECDSA that is currently
specified in RFC 6979. Based on
feedback received on the adoption of the
current elliptic curve standards, the
drafts of FIPS 186–5 and SP 800–186
deprecated curves over binary fields due
to their limited use by industry.
Furthermore, NIST proposed the
removal of DSA from the FIPS as an
approved method for generating digital
signatures because of limited use by
industry and academic analyses finding
that implementations of DSA may be
vulnerable to attacks.
The following is a summary and
analysis of the comments received
during the public comment period and
NIST’s responses to them, including the
PO 00000
Frm 00018
Fmt 4703
Sfmt 4703
7411
interests, concerns, recommendations,
and issues considered in the
development of FIPS 186–5:
1. Comment: One commenter
requested that FIPS 186–5 include an
additional digital signature scheme
using elliptic curve cryptography,
Schnorr 384, in order to support
signatures with short lengths.
Response: NIST does not see a broad
demand or need for the Schnorr 384
signature scheme and declined to
include it in FIPS 186–5.
2. Comment: One commenter
requested that the standard be
simplified and revised to highlight
security tradeoffs of design choices.
Response: The FIPS 186–5 revision
was intended to adopt existing industrydeveloped standards for digital
signature schemes and elliptic curves.
Algorithm and curve specifications were
written to accommodate users of the
existing standard, while still being
readable to those following the industry
standards. To further improve
readability, organization, and
maintainability of the standard, the
elliptic curves and supporting
mathematical algorithm descriptions
were separated into their own Special
Publication supporting FIPS 186–5, and
editorial changes were incorporated to
improve clarity. Both documents
include descriptions of the security
properties provided by the new
signature algorithms and elliptic curves.
3. Comment: One commenter
requested that NIST clarify why DSA
may be used to verify signatures
generated prior to FIPS 186–5 if verifiers
do not know when a signature was
generated.
Response: Since DSA is no longer
included in the FIPS, a discussion of its
use is not appropriate in the FIPS.
Instead, continued use of DSA for
verifying already-generated signatures
(e.g., in existing data records) will be
addressed in a revision to NIST SP 800–
131A, Transitioning the Use of
Cryptographic Algorithms and Key
Lengths. Accordingly, the statement in
Appendix E of the draft FIPS that
mentioned DSA signature verification
was removed. In 2009, NIST SP 800–
102, Recommendation for Digital
Signature Timeliness, was published to
provide guidance on providing
information on the time when digital
signatures are generated. This
publication was referenced in FIPS 186–
3, FIPS 186–4, and in FIPS 186–5.
4. Comment: One commenter
recommended that EdDSA be used in
preference to HashEdDSA except in
applications that cannot afford EdDSA.
Response: NIST specified both EdDSA
and HashEdDSA in FIPS 186–5 to allow
E:\FR\FM\03FEN1.SGM
03FEN1
lotter on DSK11XQN23PROD with NOTICES1
7412
Federal Register / Vol. 88, No. 23 / Friday, February 3, 2023 / Notices
implementers to choose an appropriate
signature algorithm for their
applications and use cases. Section 7.8.3
of FIPS 186–5 provides additional
considerations for implementers when
selecting a signature algorithm.
5. Comment: One commenter noted
that it was difficult to compare Draft
FIPS 186–5 against FIPS 186–4 and
recommended that NIST adopt editing
tools to aid readers in locating and
evaluating changes across revisions.
Response: Revisions made during the
development of FIPS 186–5 have been
documented or summarized using a
variety of methods, including the
revision list in FIPS 186–5, in Federal
Register notices, and in document
announcements. The availability of
electronic documents on the NIST
Computer Security Resource Center
website allows individuals to use thirdparty tools to compare revisions.
However, NIST will continue to
evaluate new document development
and management tools to provide
greater transparency to changes in
cryptographic standards and guidelines.
6. Comment: A commenter noted that
implementations of the RSASSA–PSS
algorithm, approved by reference to RFC
8017 in FIPS 186–5, should validate the
length of the salt when verifying
signatures.
Response: Existing guidance in
Section 5.4 of FIPS 186–4 provided
criteria for validating the length of the
random salt value. FIPS 186–5
strengthened that language by including
explicit validation of the length of the
salt as part of the digital signature
verification process.
7. Comment: A commenter noted that
implementations of the RSASSA–
PKCS–v1.5 algorithm should validate
the encoded hash algorithm identifier
extracted from a digital signature.
Response: NIST revised Section 5.4 to
include the validation of the hash
algorithm identifier as part of the
RSASSA–PKCS–v1.5 signature
verification process.
8. Comment: Some commenters
requested clarifications on the use of
Montgomery and Edwards curves with
approved signature and key-agreement
schemes.
Response: The introductions in FIPS
186–5 and NIST SP 800–186 were
revised to clarify acceptable uses of
recommended elliptic curves.
9. Comment: One commenter
observed that different notation is used
in the specifications of the ECDSA and
EdDSA.
Response: The notation was selected
for consistency with existing standards
that specify the algorithms. The notation
used for ECDSA is consistent with that
VerDate Sep<11>2014
17:51 Feb 02, 2023
Jkt 259001
used in FIPS 186–4 and the original
ANS X9.62 standard used as a basis for
the inclusion of ECDSA in FIPS 186.
The notation used for EdDSA is
consistent with the notation used in the
original RFC 8032 specification.
10. Comment: Two commenters
requested a transition plan for the
removal of DSA and the deprecation of
the binary elliptic curves that had been
approved in FIPS 186–4. One
commenter requested that DSA not be
removed.
Response: FIPS 186–5 removes DSA
as an approved digital signature
algorithm due to a lack of use by
industry and based on academic
analyses that observed that
implementations of DSA may be
vulnerable to attacks if domain
parameters are not properly generated.
To facilitate a transition to the new
standard, FIPS 186–4 will remain in
effect alongside FIPS 186–5 for a period
of one year. In addition, NIST SP 800–
131A and the Cryptographic Module
Validation Program will provide
transition guidance concerning the use
of DSA and the binary elliptic curves.
11. Comment: Commenters requested
that the secp256k1 curve be included as
an approved elliptic curve since it is
widely used in blockchain and
Distributed Ledger Technology (DLT)
applications.
Response: While NIST does not
believe that the secp256k1 curve offers
compelling advantages over the NISTrecommended curves in SP 800–186,
NIST acknowledges the significant use
of the secp256k1 curve in these
applications. NIST technical guidelines
in NIST SP 800–186 will allow the use
of the secp256k1 curve for blockchain
and DLT-related applications.
12. Comment: One commenter
expressed concerns and posed questions
about the inclusion of the Brainpool
Standard Curves as a set of allowed
curves in the NIST SP 800–186
technical guidelines associated with
FIPS 186–5.
Response: The Brainpool Standard
Curves were originally published in
2005 and specified in RFC 5639 in 2010.
The curves have been widely
implemented in a variety of commercial
products and open-source tools.
Existing programmatic guidance from
NIST’s Cryptographic Module
Validation Program has allowed the use
of these curves in several FIPS 140validated modules. While NIST does not
see compelling reasons to prefer the use
of the Brainpool Standard Curves over
the NIST-recommended curves, it is
confident in the security supported by
these curves and does not see a reason
to require these curves to be removed or
PO 00000
Frm 00019
Fmt 4703
Sfmt 4703
disabled in existing products. To
accommodate those existing modules as
well as future products sold on the
international market, NIST SP 800–186
will allow the use of the Brainpool
Standard Curves.
13. Comment: Some commenters
requested the inclusion of cofactorless
EdDSA in FIPS 186–5 for signature
verification.
Response: NIST did not see sufficient
demand or need to facilitate the use of
other elliptic curves with EdDSA to
warrant inclusion of cofactorless EdDSA
in FIPS 186–5. To remain consistent
with RFC 8032, NIST is not extending
the specification of EdDSA to include
these alternative domain parameters.
14. Comment: One commenter
recommended adding a small-subgroup
check to EdDSA or adding a warning
about not providing strong nonrepudiation guarantees.
Response: When signing keys are
generated according to the requirements
in FIPS 186–5, the probability that the
signing key would be a member of a
small subgroup is negligible. Thus,
NIST did not see a need to add a smallsubgroup check to EdDSA.
15. Comment: Several commentors
requested the inclusion of variants of
the deterministic signature scheme that
would include randomness in the
signature computation.
Response: NIST may consider
adopting new standards developed for
signature algorithms that include
deterministic and random components
in future publications.
16. Comment: Comments
recommended discussing side-channel
attacks for ECDSA.
Response: FIPS 186–5 provides
references that describe protections
against side-channel attacks for both
ECDSA and EdDSA.
17. Comment: A comment requested
that more hash functions or extendable
output functions (XOFs) be allowed for
EdDSA.
Response: To remain consistent with
existing standards and specifications,
FIPS 186–5 does not specify other hash
functions or XOFs for use with EdDSA
beyond those specified in RFC 8032.
18. Comment: Several commenters
requested that NIST allow more hash
functions or XOFs for use with ECDSA,
specifically the keccak–256 XOF.
Response: NIST is not allowing other
hash functions or XOFs with ECDSA;
keccak–256 is not an approved hash
function as defined in FIPS 180 or FIPS
202.
19. Comment: One commenter asked
why the bounds on the number of
iterations to run through before
returning a failure indication changed in
E:\FR\FM\03FEN1.SGM
03FEN1
lotter on DSK11XQN23PROD with NOTICES1
Federal Register / Vol. 88, No. 23 / Friday, February 3, 2023 / Notices
a few prime number generation routines
in FIPS 186–5. Specifically, the bounds
were changed in steps 4.7 and 5.8 of
Appendix A.1.3, Generation of Random
Primes that are Probably Prime, as well
as in step 9 of Appendix B.9, Compute
a Probably Prime Factor Based on
Auxiliary Primes.
Response: NIST had observed that the
original bounds led to higher
probabilities of failure than desired
when attempting to generate primes.
The bounds were increased to decrease
the probability of failure.
20. Comment: One commenter
suggested simplifying the deterministic
version of ECDSA.
Response: To remain consistent with
RFC 6979, NIST will keep the
deterministic version of ECDSA as
currently specified.
21. Comment: One commenter
recommended removing signature
algorithms that are not deterministic.
Response: NIST believes that both
deterministic and non-deterministic
signature schemes serve important use
cases and so will keep the specified
algorithms as they are.
22. Comment: The removal of
RSASSA–PKCS–v1.5 as an approved
digital signature algorithm was
recommended by one commenter.
Response: Due to its broad use in
security protocols and products, FIPS
186–5 continues to approve the use of
RSASSA–PKCS–v1.5, subject to the
additional constraints specified in FIPS
186–5 to mitigate known security
vulnerabilities.
23. Comment: Corrections were
recommended for defining encodings
for EdDSA.
Response: NIST accepted the
corrections.
24. Comment: A correction in A.3.3
was recommended so that FIPS 186–5
matches RFC 6979 for the per-message
secret number generation for
deterministic ECDSA.
Response: NIST accepted the
correction.
25. Comment: A few commenters
suggested alternate algorithms in FIPS
186–5 to replace the reference
algorithms provided by NIST for various
computations. For example,
commenters suggested alternatives to
the square root algorithm for EdDSA in
Section 7.3, the square checking
algorithm in Appendix B.4, and the
algorithm for inverting a finite field
element in Appendix B.1.
Response: FIPS 186–5 includes
language to clarify that alternate
algorithms (including constant-time
algorithms) that produce equivalent
results may be used in place of the
VerDate Sep<11>2014
17:51 Feb 02, 2023
Jkt 259001
7413
reference algorithms provided in the
FIPS.
26. Comment: A comment was
submitted on a difference between
EdDSA and the other signature schemes
in FIPS 186–5. Namely, that revealing
the hash of a private key for EdDSA is
a security concern, while it is not for
RSA or ECDSA.
Response: NIST does not believe the
concern merits changing EdDSA, and
will maintain consistency with RFC
6979. Furthermore, FIPS 186–5 forbids
revealing the hash of the private key of
any of the signature algorithms.
Standard Time (SST) unless otherwise
indicated on the agenda. Public
comment periods will be provided in
the agenda. The order in which agenda
items are addressed may change. The
closed session is for the panel reviewers
to conduct their deliberations and to
consolidate their recommendations. The
meetings will run as late as necessary to
complete scheduled business.
(Authority: 15 U.S.C. 278g–3; 40 U.S.C.
11331)
1. Welcome and Introductions
2. Objectives and Terms of Reference
3. Overview of Previous Stock
Assessments and Management
Framework
4. Fishery Operations for Bottomfish
5. Report out on Data Workshops
6. Data sources utilized in American
Samoa Bottomfish Assessment
7. Public Comment
Alicia Chambers,
NIST Executive Secretariat.
[FR Doc. 2023–02273 Filed 2–2–23; 8:45 am]
BILLING CODE 3510–13–P
DEPARTMENT OF COMMERCE
Agenda for the Western Pacific Stock
Assessment Review Meeting
Day 1—Friday, February 17, 2023, 10
a.m.–5 p.m.
National Oceanic and Atmospheric
Administration
Day 2—Saturday, February 18, 2023, 9
a.m.–5 p.m.
[RTID 0648–XC737]
8. Presentation and Review of Stock
Assessment Methods and Results
9. WPSAR Review Panel Discussion and
Model Run Requests
10. Public Comment
Western Pacific Fishery Management
Council; Public Meetings
National Marine Fisheries
Service (NMFS), National Oceanic and
Atmospheric Administration (NOAA),
Commerce.
ACTION: Notice of a public meeting.
AGENCY:
Day 3—Sunday, February 19, 2023, 9
a.m.–5 p.m.
11. WPSAR Review Panel Discussion
with Presenters
The Western Pacific Fishery
Management Council (Council) and
NMFS will convene a Western Pacific
Stock Assessment Review (WPSAR) on
a benchmark stock assessment of
American Samoa Bottomfish
Management Unit Species (BMUS).
DATES: The WPSAR meeting will be
held between February 17 and February
23, 2023. For specific times and
agendas, see SUPPLEMENTARY
INFORMATION.
Day 4—Monday, February 20, 2023, 9
a.m.–5 p.m.
The meeting will be open to
the public and held in-person at the
Tradewinds Hotel in Pago Pago,
American Samoa located at M779+HP9,
Tafuna, Western District 96799,
American Samoa. For more information
on meeting location and logistics,
contact the Council office at (808) 522–
8220.
FOR FURTHER INFORMATION CONTACT:
Kitty M. Simonds, Executive Director,
Western Pacific Fishery Management
Council; telephone: (808) 522–8220.
SUPPLEMENTARY INFORMATION: The
WPSAR meeting will be held on
February 17 to 23, 2023, and run each
day from 9 a.m. to 5 p.m. Samoa
14. WPSAR Review Panel Discussions
with Presenters
15. WPSAR Review Panel Discussions
(closed, afternoon)
SUMMARY:
ADDRESSES:
PO 00000
Frm 00020
Fmt 4703
Sfmt 4703
12. WPSAR Review Panel Discussion
with Presenters
Day 5—Tuesday, February 21, 2023, 9
a.m.–5 p.m.
13. WPSAR Review Panel Discussions
with Presenters
Day 6—Wednesday, February 22, 2023,
9 a.m.–5 p.m.
Day 7—Thursday, February 23, 2023, 9
a.m.–5 p.m.
16. WPSAR Review Panel Discussions
17. Public Comment
18. WPSAR Panel Report on Review
Outcomes and Recommendations
19. Adjourn
Special Accommodations
These meetings are physically
accessible to people with disabilities.
Requests for sign language
interpretation or other auxiliary aids
E:\FR\FM\03FEN1.SGM
03FEN1
]]>Agencies
[Federal Register Volume 88, Number 23 (Friday, February 3, 2023)]
[Notices]
[Pages 7410-7413]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-02273]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No. 220923-0199]
Announcing Issuance of Federal Information Processing Standard
(FIPS) 186-5, Digital Signature Standard
AGENCY: National Institute of Standards and Technology (NIST),
Commerce.
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: This notice announces the Secretary of Commerce's approval of
Federal Information Processing Standard (FIPS) 186-5, Digital Signature
Standard (DSS). FIPS 186-5 specifies three techniques for the
generation and verification of digital signatures that can be used for
the protection of data: the Rivest-Shamir-Adleman (RSA) Algorithm, the
Elliptic Curve Digital Signature Algorithm (ECDSA), and the Edwards
Curve Digital Signature Algorithm (EdDSA). The Digital Signature
Algorithm (DSA), specified in prior versions of this standard, is
retained only for the purposes of verifying existing signatures.
DATES: FIPS 186-5 is effective on February 3, 2023.
ADDRESSES: FIPS 186-5 is available electronically on the NIST Computer
Security Resource Center website at https://csrc.nist.gov. Comments
that were received on the proposed changes are published electronically
at https://csrc.nist.gov/publications/detail/fips/186/5/draft and at
https://www.regulations.gov.
FOR FURTHER INFORMATION CONTACT: Dr. Dustin Moody, National Institute
of Standards and Technology, 100 Bureau Drive, Mail Stop 8930,
Gaithersburg, MD 20899-8930, email: [email protected], phone: (301)
975-8136.
SUPPLEMENTARY INFORMATION: FIPS 186 was initially developed by NIST in
[[Page 7411]]
collaboration with the National Security Agency (NSA), using the NSA-
designed Digital Signature Algorithm (DSA). Later versions of the
standard approved the use of ECDSA (developed by Certicom) and RSA
(developed by Ron Rivest, Adi Shamir and Leonard Adleman). American
Standards Committee (ASC) X9 developed standards specifying both ECDSA
and RSA that were used as the basis for the later revisions of FIPS
186.
Since its original approval on May 10, 1994 (59 FR 26208),
revisions of the FIPS were approved on December 15, 1998 as FIPS 186-1
(63 FR 69049) to include RSA, as specified in American National
Standard (ANS) X9.31 (Digital Signatures Using Reversible Public Key
Cryptography for the Financial Services Industry (rDSA)), and on
February 15, 2000 as FIPS 186-2 (65 FR 7507) to include ECDSA and
recommended elliptic curves to be used with ECDSA, as specified in ANS
X9.62 (Elliptic Curve Digital Signature Algorithm (ECDSA)). On June 9,
2009, a third revision of the FIPS was approved as FIPS 186-3 (74 FR
27287) to (1) increase the key sizes for DSA, (2) provide additional
requirements for the use of RSA and ECDSA, (3) allow the use of the RSA
algorithm specified in Public Key Cryptography Standard (PKCS) #1 (RSA
Cryptography Standard specified in Institute of Electrical and
Electronics Engineers (IEEE) P1363, Standard Specifications for Public
Key Cryptography), (4) include requirements for obtaining the
assurances necessary for valid digital signatures, and (5) replace the
random number generators specified in previous versions of the FIPS
with a reference to NIST Special Publication (SP) 800-90
(Recommendation for Random Number Generation Using Deterministic Random
Bit Generators). A fourth revision of the FIPS was approved as FIPS
186-4 (78 FR 43145) on July 19, 2013, which included (1) a reduction of
the restrictions on the use of random number generators and the
retention and use of prime number generation seeds, and (2) aligning
the specification for the use of a random salt value in the RSASSA-PSS
digital signature scheme with PKCS #1.
Advances in the understanding of elliptic curves within the
cryptographic community have led to the development of new elliptic
curves and algorithms whose designers claim to offer better performance
and which are easier to implement in a secure manner. In 2014, NIST's
Visiting Committee on Advanced Technology (VCAT) conducted a review of
NIST's cryptographic standards program. As part of their review, the
VCAT recommended that NIST ``generate a new set of elliptic curves for
use with ECDSA in FIPS 186.'' See https://www.nist.gov/sites/default/files/documents/2017/05/09/VCAT-Report-on-NIST-Cryptographic-Standards-and-Guidelines-Process.pdf.
In June 2015, NIST hosted a technical workshop on Elliptic Curve
Cryptography Standards to discuss possible approaches to promote the
adoption of secure, interoperable, and efficient elliptic curve
mechanisms. Workshop participants expressed significant interest in the
development, standardization, and adoption of new elliptic curves.
In October 2015, NIST solicited comments on the elliptic curves and
signature algorithms specified in FIPS 186-4 (80 FR 63539). The
responses noted the broad use of the NIST prime curves and ECDSA within
industry, but many commenters called for the standardization of new
elliptic curves and signature algorithms.
Based on the input received, NIST published a notice in the Federal
Register (84 FR 58373) on October 31, 2019, requesting public comments
on the proposed revision in draft FIPS 186-5, along with accompanying
technical guidelines in draft NIST Special Publication (SP) 800-186,
Recommendations for Discrete-Logarithm Based Cryptography: Elliptic
Curve Domain Parameters. NIST received 23 sets of comments: 3 from U.S.
federal agencies, 1 from a foreign government agency, 16 from private-
sector organizations, and 3 from private academics and technologists.
The draft of FIPS 186-5 and the related technical guidelines in
draft NIST SP 800-186 proposed adopting two new elliptic curves,
Ed25519 and Ed448, for use with EdDSA. EdDSA is a deterministic
elliptic curve signature scheme currently specified in the internet
Research Task Force (IRTF) RFC 8032. FIPS 186-5 and SP 800-186 also
proposed adopting a deterministic variant of ECDSA that is currently
specified in RFC 6979. Based on feedback received on the adoption of
the current elliptic curve standards, the drafts of FIPS 186-5 and SP
800-186 deprecated curves over binary fields due to their limited use
by industry. Furthermore, NIST proposed the removal of DSA from the
FIPS as an approved method for generating digital signatures because of
limited use by industry and academic analyses finding that
implementations of DSA may be vulnerable to attacks.
The following is a summary and analysis of the comments received
during the public comment period and NIST's responses to them,
including the interests, concerns, recommendations, and issues
considered in the development of FIPS 186-5:
1. Comment: One commenter requested that FIPS 186-5 include an
additional digital signature scheme using elliptic curve cryptography,
Schnorr 384, in order to support signatures with short lengths.
Response: NIST does not see a broad demand or need for the Schnorr
384 signature scheme and declined to include it in FIPS 186-5.
2. Comment: One commenter requested that the standard be simplified
and revised to highlight security tradeoffs of design choices.
Response: The FIPS 186-5 revision was intended to adopt existing
industry-developed standards for digital signature schemes and elliptic
curves. Algorithm and curve specifications were written to accommodate
users of the existing standard, while still being readable to those
following the industry standards. To further improve readability,
organization, and maintainability of the standard, the elliptic curves
and supporting mathematical algorithm descriptions were separated into
their own Special Publication supporting FIPS 186-5, and editorial
changes were incorporated to improve clarity. Both documents include
descriptions of the security properties provided by the new signature
algorithms and elliptic curves.
3. Comment: One commenter requested that NIST clarify why DSA may
be used to verify signatures generated prior to FIPS 186-5 if verifiers
do not know when a signature was generated.
Response: Since DSA is no longer included in the FIPS, a discussion
of its use is not appropriate in the FIPS. Instead, continued use of
DSA for verifying already-generated signatures (e.g., in existing data
records) will be addressed in a revision to NIST SP 800-131A,
Transitioning the Use of Cryptographic Algorithms and Key Lengths.
Accordingly, the statement in Appendix E of the draft FIPS that
mentioned DSA signature verification was removed. In 2009, NIST SP 800-
102, Recommendation for Digital Signature Timeliness, was published to
provide guidance on providing information on the time when digital
signatures are generated. This publication was referenced in FIPS 186-
3, FIPS 186-4, and in FIPS 186-5.
4. Comment: One commenter recommended that EdDSA be used in
preference to HashEdDSA except in applications that cannot afford
EdDSA.
Response: NIST specified both EdDSA and HashEdDSA in FIPS 186-5 to
allow
[[Page 7412]]
implementers to choose an appropriate signature algorithm for their
applications and use cases. Section 7.8.3 of FIPS 186-5 provides
additional considerations for implementers when selecting a signature
algorithm.
5. Comment: One commenter noted that it was difficult to compare
Draft FIPS 186-5 against FIPS 186-4 and recommended that NIST adopt
editing tools to aid readers in locating and evaluating changes across
revisions.
Response: Revisions made during the development of FIPS 186-5 have
been documented or summarized using a variety of methods, including the
revision list in FIPS 186-5, in Federal Register notices, and in
document announcements. The availability of electronic documents on the
NIST Computer Security Resource Center website allows individuals to
use third-party tools to compare revisions. However, NIST will continue
to evaluate new document development and management tools to provide
greater transparency to changes in cryptographic standards and
guidelines.
6. Comment: A commenter noted that implementations of the RSASSA-
PSS algorithm, approved by reference to RFC 8017 in FIPS 186-5, should
validate the length of the salt when verifying signatures.
Response: Existing guidance in Section 5.4 of FIPS 186-4 provided
criteria for validating the length of the random salt value. FIPS 186-5
strengthened that language by including explicit validation of the
length of the salt as part of the digital signature verification
process.
7. Comment: A commenter noted that implementations of the RSASSA-
PKCS-v1.5 algorithm should validate the encoded hash algorithm
identifier extracted from a digital signature.
Response: NIST revised Section 5.4 to include the validation of the
hash algorithm identifier as part of the RSASSA-PKCS-v1.5 signature
verification process.
8. Comment: Some commenters requested clarifications on the use of
Montgomery and Edwards curves with approved signature and key-agreement
schemes.
Response: The introductions in FIPS 186-5 and NIST SP 800-186 were
revised to clarify acceptable uses of recommended elliptic curves.
9. Comment: One commenter observed that different notation is used
in the specifications of the ECDSA and EdDSA.
Response: The notation was selected for consistency with existing
standards that specify the algorithms. The notation used for ECDSA is
consistent with that used in FIPS 186-4 and the original ANS X9.62
standard used as a basis for the inclusion of ECDSA in FIPS 186. The
notation used for EdDSA is consistent with the notation used in the
original RFC 8032 specification.
10. Comment: Two commenters requested a transition plan for the
removal of DSA and the deprecation of the binary elliptic curves that
had been approved in FIPS 186-4. One commenter requested that DSA not
be removed.
Response: FIPS 186-5 removes DSA as an approved digital signature
algorithm due to a lack of use by industry and based on academic
analyses that observed that implementations of DSA may be vulnerable to
attacks if domain parameters are not properly generated. To facilitate
a transition to the new standard, FIPS 186-4 will remain in effect
alongside FIPS 186-5 for a period of one year. In addition, NIST SP
800-131A and the Cryptographic Module Validation Program will provide
transition guidance concerning the use of DSA and the binary elliptic
curves.
11. Comment: Commenters requested that the secp256k1 curve be
included as an approved elliptic curve since it is widely used in
blockchain and Distributed Ledger Technology (DLT) applications.
Response: While NIST does not believe that the secp256k1 curve
offers compelling advantages over the NIST-recommended curves in SP
800-186, NIST acknowledges the significant use of the secp256k1 curve
in these applications. NIST technical guidelines in NIST SP 800-186
will allow the use of the secp256k1 curve for blockchain and DLT-
related applications.
12. Comment: One commenter expressed concerns and posed questions
about the inclusion of the Brainpool Standard Curves as a set of
allowed curves in the NIST SP 800-186 technical guidelines associated
with FIPS 186-5.
Response: The Brainpool Standard Curves were originally published
in 2005 and specified in RFC 5639 in 2010. The curves have been widely
implemented in a variety of commercial products and open-source tools.
Existing programmatic guidance from NIST's Cryptographic Module
Validation Program has allowed the use of these curves in several FIPS
140-validated modules. While NIST does not see compelling reasons to
prefer the use of the Brainpool Standard Curves over the NIST-
recommended curves, it is confident in the security supported by these
curves and does not see a reason to require these curves to be removed
or disabled in existing products. To accommodate those existing modules
as well as future products sold on the international market, NIST SP
800-186 will allow the use of the Brainpool Standard Curves.
13. Comment: Some commenters requested the inclusion of
cofactorless EdDSA in FIPS 186-5 for signature verification.
Response: NIST did not see sufficient demand or need to facilitate
the use of other elliptic curves with EdDSA to warrant inclusion of
cofactorless EdDSA in FIPS 186-5. To remain consistent with RFC 8032,
NIST is not extending the specification of EdDSA to include these
alternative domain parameters.
14. Comment: One commenter recommended adding a small-subgroup
check to EdDSA or adding a warning about not providing strong non-
repudiation guarantees.
Response: When signing keys are generated according to the
requirements in FIPS 186-5, the probability that the signing key would
be a member of a small subgroup is negligible. Thus, NIST did not see a
need to add a small-subgroup check to EdDSA.
15. Comment: Several commentors requested the inclusion of variants
of the deterministic signature scheme that would include randomness in
the signature computation.
Response: NIST may consider adopting new standards developed for
signature algorithms that include deterministic and random components
in future publications.
16. Comment: Comments recommended discussing side-channel attacks
for ECDSA.
Response: FIPS 186-5 provides references that describe protections
against side-channel attacks for both ECDSA and EdDSA.
17. Comment: A comment requested that more hash functions or
extendable output functions (XOFs) be allowed for EdDSA.
Response: To remain consistent with existing standards and
specifications, FIPS 186-5 does not specify other hash functions or
XOFs for use with EdDSA beyond those specified in RFC 8032.
18. Comment: Several commenters requested that NIST allow more hash
functions or XOFs for use with ECDSA, specifically the keccak-256 XOF.
Response: NIST is not allowing other hash functions or XOFs with
ECDSA; keccak-256 is not an approved hash function as defined in FIPS
180 or FIPS 202.
19. Comment: One commenter asked why the bounds on the number of
iterations to run through before returning a failure indication changed
in
[[Page 7413]]
a few prime number generation routines in FIPS 186-5. Specifically, the
bounds were changed in steps 4.7 and 5.8 of Appendix A.1.3, Generation
of Random Primes that are Probably Prime, as well as in step 9 of
Appendix B.9, Compute a Probably Prime Factor Based on Auxiliary
Primes.
Response: NIST had observed that the original bounds led to higher
probabilities of failure than desired when attempting to generate
primes. The bounds were increased to decrease the probability of
failure.
20. Comment: One commenter suggested simplifying the deterministic
version of ECDSA.
Response: To remain consistent with RFC 6979, NIST will keep the
deterministic version of ECDSA as currently specified.
21. Comment: One commenter recommended removing signature
algorithms that are not deterministic.
Response: NIST believes that both deterministic and non-
deterministic signature schemes serve important use cases and so will
keep the specified algorithms as they are.
22. Comment: The removal of RSASSA-PKCS-v1.5 as an approved digital
signature algorithm was recommended by one commenter.
Response: Due to its broad use in security protocols and products,
FIPS 186-5 continues to approve the use of RSASSA-PKCS-v1.5, subject to
the additional constraints specified in FIPS 186-5 to mitigate known
security vulnerabilities.
23. Comment: Corrections were recommended for defining encodings
for EdDSA.
Response: NIST accepted the corrections.
24. Comment: A correction in A.3.3 was recommended so that FIPS
186-5 matches RFC 6979 for the per-message secret number generation for
deterministic ECDSA.
Response: NIST accepted the correction.
25. Comment: A few commenters suggested alternate algorithms in
FIPS 186-5 to replace the reference algorithms provided by NIST for
various computations. For example, commenters suggested alternatives to
the square root algorithm for EdDSA in Section 7.3, the square checking
algorithm in Appendix B.4, and the algorithm for inverting a finite
field element in Appendix B.1.
Response: FIPS 186-5 includes language to clarify that alternate
algorithms (including constant-time algorithms) that produce equivalent
results may be used in place of the reference algorithms provided in
the FIPS.
26. Comment: A comment was submitted on a difference between EdDSA
and the other signature schemes in FIPS 186-5. Namely, that revealing
the hash of a private key for EdDSA is a security concern, while it is
not for RSA or ECDSA.
Response: NIST does not believe the concern merits changing EdDSA,
and will maintain consistency with RFC 6979. Furthermore, FIPS 186-5
forbids revealing the hash of the private key of any of the signature
algorithms.
(Authority: 15 U.S.C. 278g-3; 40 U.S.C. 11331)
Alicia Chambers,
NIST Executive Secretariat.
[FR Doc. 2023-02273 Filed 2-2-23; 8:45 am]
BILLING CODE 3510-13-P
