Can anyone please tell me the major difference between FIPS 186-2 and FIPS 186-4?
I know with FIPS 140-2 they want the DSS standard to be FIPS 186-4, but what difference does it make?
To clarify scope:
- FIPS 140-2 itself doesn't say anything about DSS, though it has 186-2 as a reference. It was published in 2001, before 186-3 and -4, and has not been superseded. After 140-3 spent 8 years in draft they recently decided to consider using ISO/IEC 19790 instead!
- 140-2 Annex A (Approved functions) is updated frequently and does now reference 186-4.
- Most people don't want just 140-2 implementation but rather 140-2 certification under the Cryptographic Module Validation Program (CMVP) and that is controlled by the 140-2 Implementation Guidance linked at that page (currently and usually under 'Announcements' because it keeps changing, and always in 'Standards').
The current IG has a section on 'Validating the Transition from FIPS 186-2 to FIPS 186-4' in W.2; formerly it was G.15. As indicated there, the technical changes between 186-2 and -4 were, if I haven't missed any:
- delete several specific RNGs and instead require RBGs Approved by a separate standard, currently SP800-90A
- DSA: add cases for $p$ size 2048 with $q$ size 224 or 256, and 3072 with 256, using hashes from FIPS 180 (now SHA-224 SHA-256 or SHA-512/224 SHA-512/256). Note 186-2 change notice 1 already eliminated $p$ sizes below 1024 which were in -0 through -2 original.
- DSA: expand the parameter generation algorithms to prefer Shawe-Taylor provable primes while still allowing Miller-Rabin with optional Lucas probable primes, and use a strength-matched hash; explicitly specify parameter validation (including legacy parameters using the -2 and earlier method) which had been implicit
- DSA and ECDSA: more robust privatekey and $k$ (nonce) generation
- RSA: allow RSA signature schemes PKCS1-v1_5 and PSS from PKCS#1v2.1 (with a constraint on salt for PSS) in addition to previous X9.31. Note these were already Approved in 140-2 Annex A, so this just moves them to the correct place in the document set.
- RSA: restrict $n$ size to 1024 2048 3072, restrict $e$ to $2^{16}+1$ to $2^{256}-1$, and specify RSA privatekey generation in detail with several options. This prohibits one traditionally popular $e$ namely 3; F4 (65537) is allowed and IME more popular anyway.
There were also major editorial changes between 186-2 and -3, reorganizing some things, changing notation, and adding a lot of explanation about what digital signatures are and aren't good for, and why privatekeys must be private, and so on. I'm not going to try to cover all that; get the docs and read for yourself if you want.
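
Added example, not part of the original answer: a small Python audit that applies the RSA and DSA size rules listed above to existing keys, which is the usual first step when moving an inventory from 186-2 to 186-4. The function names and sample values are constructed; the 1024/160 DSA pair and the requirement that $e$ be odd come from FIPS 186-4 itself rather than from the answer.

```python
RSA_N_BITS = {1024, 2048, 3072}        # modulus sizes named in the answer
E_MIN, E_MAX = 2**16 + 1, 2**256 - 1   # exponent range named in the answer
# (p bits, q bits): 1024/160 carries over from 186-2 (taken from the standard,
# not the answer); the other three are the cases 186-4 adds.
DSA_PAIRS = {(1024, 160), (2048, 224), (2048, 256), (3072, 256)}


def check_rsa(n, e):
    """Return a list of size-rule violations for an RSA public key (n, e)."""
    problems = []
    bits = n.bit_length()
    if bits not in RSA_N_BITS:
        problems.append(f"n is {bits} bits, not one of {sorted(RSA_N_BITS)}")
    if not E_MIN <= e <= E_MAX:
        problems.append("e outside 2^16+1 .. 2^256-1")
    elif e % 2 == 0:
        problems.append("e is even")   # oddness is required by the standard
    return problems


def check_dsa(p, q):
    """Return a list of size-rule violations for DSA domain parameters."""
    pair = (p.bit_length(), q.bit_length())
    return [] if pair in DSA_PAIRS else [f"(p, q) sizes {pair} not allowed"]


def audit(keys):
    """Map each key label to its violations; an empty list means it passes."""
    return {label: (check_rsa(a, b) if kind == "rsa" else check_dsa(a, b))
            for label, kind, a, b in keys}


# Constructed inputs: integers with the right bit length only, not real keys.
# These checks cover sizes and ranges, not primality or parameter validation.
SAMPLE = [
    ("rsa-2048-f4", "rsa", (1 << 2047) | 1, 65537),
    ("rsa-2048-e3", "rsa", (1 << 2047) | 1, 3),
    ("rsa-4096-f4", "rsa", (1 << 4095) | 1, 65537),
    ("dsa-1024-160", "dsa", (1 << 1023) | 1, (1 << 159) | 1),
    ("dsa-2048-160", "dsa", (1 << 2047) | 1, (1 << 159) | 1),
]

if __name__ == "__main__":
    for label, problems in audit(SAMPLE).items():
        print(label, "OK" if not problems else problems)
```
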