---
title: "How FIPS 186-5 Signature Algorithms Fit FIPS Approval"
canonical_url: "https://www.sorena.io/artifacts/global/fips-crypto-algorithms/faq/fips-186-5-signatures"
source_url: "https://www.sorena.io/artifacts/global/fips-crypto-algorithms/faq/fips-186-5-signatures"
author: "Sorena AI"
description: "Use FIPS 186-5 for RSA, ECDSA, deterministic ECDSA, EdDSA, HashEdDSA, DSA verification limits, approved hashes, and CAVP/CMVP evidence boundaries."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "FIPS 186-5"
  - "RSA signatures"
  - "ECDSA"
  - "deterministic ECDSA"
  - "EdDSA"
  - "HashEdDSA"
  - "DSA verification"
  - "CAVP"
  - "CMVP"
  - "digital signatures"
  - "FIPS-approved cryptographic algorithms"
---
# How FIPS 186-5 Signature Algorithms Fit FIPS Approval

Use FIPS 186-5 for RSA, ECDSA, deterministic ECDSA, EdDSA, HashEdDSA, DSA verification limits, approved hashes, and CAVP/CMVP evidence boundaries.

## FIPS 186-5 digital signatures: How should teams use them in FIPS-approved algorithm decisions?

Use FIPS 186-5 to select and evidence approved signature algorithms, then keep the algorithm, key-use, operating-environment, and module-validation claims separate.

This FAQ focuses on RSA, ECDSA, deterministic ECDSA, EdDSA, HashEdDSA, DSA verification, CAVP certificates, and CMVP module boundaries.

Short answer: FIPS 186-5 is the digital-signature standard for approved RSA, ECDSA, deterministic ECDSA, EdDSA, and HashEdDSA use. It does not make every product using those names validated; teams still need implementation-specific CAVP evidence and, for FIPS 140-3 claims, CMVP module evidence.

## Which signature algorithms does FIPS 186-5 support?

Use FIPS 186-5 when the decision is about digital signature generation or verification for RSA, ECDSA, deterministic ECDSA, EdDSA, or HashEdDSA. The standard also states that DSA is no longer approved for digital signature generation, although DSA may be used to verify signatures generated before the implementation date.

The selection record should name the exact signature family, operation, parameters, key purpose, and approved hash or XOF relationship. For RSA, FIPS 186-5 permits signature generation or verification with modulus sizes at least 2048 bits, while CMVP implementation guidance explains how CAVP testing and Security Policy documentation handle sizes where CAVP testing is or is not available.

- Record whether the service performs signature generation, signature verification, or both.
- Separate RSA, ECDSA, deterministic ECDSA, EdDSA, HashEdDSA, and legacy DSA verification decisions; do not collapse them into a generic signature claim.
- For RSA, document the modulus length, scheme such as RSASSA-PSS or RSASSA-PKCS1-v1.5, approved hash or XOF choice, and whether key generation is performed by the module.

Sources for this answer:

- [NIST FIPS 186-5 Digital Signature Standard](https://doi.org/10.6028/NIST.FIPS.186-5?ref=sorena.io) - Defines the approved digital signature standard and states that DSA is no longer approved for signature generation.
- [NIST FIPS 140-3 Implementation Guidance](https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Clarifies RSA signature parameter sizes, CAVP testing expectations, and Security Policy documentation for FIPS 140-3 module submissions.

## What evidence should support a FIPS 186-5 signature claim?

A useful evidence package starts with the standard citation but does not stop there. Keep the FIPS 186-5 algorithm decision, the CAVP algorithm-validation record, and the CMVP module claim as separate records that are linked only when the implementation name, version, parameters, and operating environment match.

For a CAVP check, capture the implementation name and version, vendor, certificate or validation-search entry, algorithm and mode, parameter set or modulus size, and tested operating environment. For a CMVP check, tie the signature service to the cryptographic module boundary, approved-mode service list, Security Policy, and any bound or embedded module caveats.

- Use CAVP evidence to support the tested algorithm implementation, not to claim that the whole product or module is FIPS 140-3 validated.
- Use CMVP evidence to support module validation, approved-mode operation, module boundary, and approved-service claims.
- Refresh the evidence when the implementation version, operating environment, module boundary, processor acceleration path, key-generation path, or approved-service listing changes.

Sources for this answer:

- [NIST CAVP validation search](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation-search?ref=sorena.io) - Public search source for checking algorithm validation entries for signature implementations, modes, parameters, and environments.
- [NIST Cryptographic Module Validation Program](https://www.nist.gov/cmvp?ref=sorena.io) - Program source for cryptographic module validation, which is distinct from algorithm implementation testing.
- [NIST FIPS 140-3 Implementation Guidance](https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Explains that CAVP algorithm certificates identify implementation details and tested operational environments for module submissions.

## What FIPS 186-5 signature mistakes should teams avoid?

The first mistake is key reuse. FIPS 186-5 says digital signature key pairs must not be used for other purposes such as key establishment, and it repeats that RSA and ECDSA signature keys are signature-only. A key inventory should therefore show a signature-only purpose rather than a shared public-key bucket.

The second mistake is treating successful signature verification as the whole validation decision. Before accepting a signature as valid, verifiers need assurance of public-key validity, of the claimed signatory's identity, and of the signatory's possession of the private key; for ECDSA and EdDSA, verifiers also need domain-parameter assurance. The third mistake is assuming conformance to FIPS 186-5 guarantees system security; the standard explicitly leaves implementation security and overall system assurance to the responsible implementer or authority.

- Do not use a signature key pair for key establishment, encryption, or other non-signature purposes.
- Do not claim DSA signature generation as approved under FIPS 186-5; limit DSA to the legacy verification context supported by the standard.
- Do not reuse a CAVP certificate across a different implementation, version, operating environment, parameter set, or module boundary without confirming the scope.
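
The checks from the selection-record, evidence-linking, and mistakes answers above can be applied mechanically to a key or service inventory. The following is an added example, not code from NIST, CAVP, or the page's author; the `SelectionRecord` layout, the `lint` function, and all sample names and versions are assumptions made for illustration.

```python
from dataclasses import dataclass

# Families named on the page; DSA is limited to legacy verification.
FAMILIES = {"RSA", "ECDSA", "deterministic ECDSA", "EdDSA", "HashEdDSA", "DSA"}
# Fields that must match before a CAVP entry is linked to a selection record.
SCOPE = ("implementation", "version", "operating_environment", "parameters")

@dataclass
class SelectionRecord:  # hypothetical layout, not a NIST or CAVP schema
    family: str
    operations: frozenset    # subset of {"generate", "verify"}
    key_purposes: frozenset  # purposes listed in the key inventory
    implementation: str
    version: str
    operating_environment: str
    parameters: str          # curve, parameter set, or RSA modulus label
    scheme: str = ""         # RSA only, e.g. "RSASSA-PSS"
    modulus_bits: int = 0    # RSA only

def lint(rec, cavp):
    """Return findings for one record against one CAVP entry (a dict)."""
    out = []
    if rec.family not in FAMILIES:
        out.append("name the exact signature family")
    if not rec.operations or not rec.operations <= {"generate", "verify"}:
        out.append("record generation, verification, or both")
    if rec.family == "DSA" and "generate" in rec.operations:
        out.append("DSA is verification-only")
    if rec.family == "RSA" and rec.modulus_bits < 2048:
        out.append("RSA modulus below 2048 bits")
    if rec.family == "RSA" and not rec.scheme:
        out.append("RSA scheme not documented")
    if rec.key_purposes != {"signature"}:
        out.append("key is not signature-only")
    out += [f"CAVP scope mismatch: {f}" for f in SCOPE
            if getattr(rec, f) != cavp.get(f)]
    return out

# Constructed sample data; names and versions are placeholders.
CAVP_ENTRY = {"implementation": "ExampleCrypto", "version": "2.1",
              "operating_environment": "Linux 6.1 on x86_64",
              "parameters": "modulus=3072"}
GOOD = SelectionRecord("RSA", frozenset({"generate", "verify"}),
                       frozenset({"signature"}), "ExampleCrypto", "2.1",
                       "Linux 6.1 on x86_64", "modulus=3072", "RSASSA-PSS", 3072)
BAD = SelectionRecord("DSA", frozenset({"generate"}),
                      frozenset({"signature", "key-establishment"}),
                      "ExampleCrypto", "2.2", "Linux 6.1 on x86_64", "L=2048,N=256")
print(lint(GOOD, CAVP_ENTRY), lint(BAD, CAVP_ENTRY))
```

An empty list means the record is internally consistent and its CAVP entry is in scope; it says nothing about CMVP module validation, which remains a separate record.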

Sources for this answer:

- [NIST FIPS 186-5 Digital Signature Standard](https://doi.org/10.6028/NIST.FIPS.186-5?ref=sorena.io) - Supports key-purpose separation, assurance checks before accepting signatures as valid, and the limits of conformance claims.
- [NIST FIPS 140-3 Implementation Guidance](https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Clarifies that approved-service indicators may depend on the signature algorithm, hash algorithm, and key size used by the service.

## Primary sources

- [NIST FIPS 186-5 Digital Signature Standard](https://doi.org/10.6028/NIST.FIPS.186-5?ref=sorena.io) - Defines FIPS-approved digital signature algorithm requirements, key-purpose limits, assurance steps, and DSA generation status.
- [NIST CAVP validation search](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation-search?ref=sorena.io) - Use to verify implementation-specific CAVP entries for signature algorithms, modes, parameter sets, and tested operating environments.
- [NIST Cryptographic Module Validation Program](https://www.nist.gov/cmvp?ref=sorena.io) - Use for CMVP module-validation context when a signature service is part of a FIPS 140-3 module claim.
- [NIST FIPS 140-3 Implementation Guidance](https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Clarifies CMVP/CAVP handling for signature algorithms, RSA parameter sizes, operating environments, approved services, and Security Policy documentation.

