up:: Classical Cryptography MOC

FIPS 186-5

FIPS 186-5 is the U.S. federal Digital Signature Standard (DSS), published by NIST in February 2023, that specifies the approved classical digital-signature algorithms for federal use: RSA, ECDSA, and EdDSA (the family behind Ed25519 and Ed448). It replaced FIPS 186-4, added EdDSA as a newly approved technique, and retired the original Digital Signature Algorithm (DSA) so that DSA may now only verify old signatures, not generate new ones. Every algorithm the standard approves is a public-key scheme resting on integer factorization or the discrete logarithm problem, which is exactly the math a large quantum computer running Shor’s algorithm solves efficiently, so FIPS 186-5 is the roster of classical signatures the post-quantum transition has to replace, and NIST published the separate standards FIPS 204 and FIPS 205 to do it.

The short version:

  1. FIPS 186-5 is NIST’s Digital Signature Standard, finalized February 3, 2023, superseding FIPS 186-4. It defines which digital-signature algorithms are approved for U.S. federal systems.
  2. It approves three techniques: RSA, ECDSA, and EdDSA (Ed25519 / Ed448). EdDSA is new in this edition.
  3. It retired DSA. The old Digital Signature Algorithm, which anchored the standard since 1994, is kept only for verifying signatures made before this standard took effect.
  4. Every approved algorithm is public-key and quantum-vulnerable. RSA rests on factoring; ECDSA, EdDSA, and legacy DSA rest on the discrete logarithm. Shor’s algorithm breaks all of them.
  5. The replacements live in separate NIST standards. ML-DSA and SLH-DSA are the finalized post-quantum signature standards, with FN-DSA in draft. FIPS 186-5 is the pre-quantum roster they take over from.

Think of FIPS 186-5 as the federal government’s approved-vendor list for one specific job: proving who signed something. It doesn’t invent the signing methods; it names the ones a federal system is allowed to trust, drops one that aged out (DSA), and adds a newer one (EdDSA). The catch is that everyone on this approved list, however modern, is built on a lock that a quantum computer picks in one motion, which is why NIST had to publish a whole second approved list (FIPS 204 and FIPS 205) for the quantum era.

What is FIPS 186-5?

FIPS 186-5 is a Federal Information Processing Standard titled “Digital Signature Standard (DSS),” issued by the National Institute of Standards and Technology (NIST) on February 3, 2023, as the fifth revision of FIPS 186. A FIPS is a mandatory standard for U.S. federal agencies and the systems that serve them, and this one governs digital signatures specifically: the cryptographic mechanism that proves a message, certificate, or piece of software was produced by the holder of a particular private key and has not been altered since.

The standard sets the scope rather than the science. It names the approved digital signature algorithms, points to the companion documents that define their curves and parameters (notably SP 800-186 for the elliptic curves), and states the intended uses of a signature: detecting unauthorized modification of data, authenticating the identity of the signer, and supporting non-repudiation so a signer can’t later credibly deny having signed. FIPS 186-5 superseded FIPS 186-4 (2013), and because insurers, sector regulators, and procurement programs align to NIST, its roster functions as the practical baseline for what counts as an acceptable signature algorithm well beyond federal contracts.

Source: NIST, “Digital Signature Standard (DSS),” FIPS 186-5, February 3, 2023, FIPS 186-5.

Which signature algorithms does FIPS 186-5 approve?

FIPS 186-5 approves three techniques for generating and verifying digital signatures, and NIST names them in the standard as the Rivest-Shamir-Adleman (RSA) algorithm, the Elliptic Curve Digital Signature Algorithm (ECDSA), and the Edwards Curve Digital Signature Algorithm (EdDSA). A fourth algorithm, the legacy DSA, survives in the document only to verify existing signatures. The internals of each live in their own notes; this table is the roster and the one fact that matters most about it, which is that the whole list is quantum-vulnerable.

AlgorithmBasis (hard problem)Status in FIPS 186-5Quantum verdict (Shor’s algorithm)
RSAInteger factorizationApproved, sign and verifyBroken
ECDSAElliptic-curve discrete logarithmApproved, sign and verifyBroken
EdDSA (Ed25519 / Ed448)Elliptic-curve discrete logarithmApproved, sign and verify (new in 186-5)Broken
DSA (legacy)Finite-field discrete logarithmRetired, verify-onlyBroken

For how each one actually signs and verifies, and where each is deployed, follow the algorithm notes: RSA for the factoring-based scheme behind many certificates, ECDSA for the compact elliptic-curve workhorse behind TLS and blockchains, and Ed25519 for the deterministic Edwards-curve scheme behind SSH and modern developer tooling. FIPS 186-5 also folds in a deterministic option for ECDSA (generating the per-signature nonce from the key and message rather than from a random source), which closes ECDSA’s most dangerous implementation trap.

Sources: NIST, “NIST Releases FIPS 186-5 and SP 800-186,” CSRC news, February 3, 2023, csrc.nist.gov.

NIST, “Digital Signature Standard (DSS),” FIPS 186-5, February 3, 2023, FIPS 186-5.

Why did FIPS 186-5 retire DSA?

FIPS 186-5 retired the Digital Signature Algorithm because the industry had already moved to elliptic-curve signatures, and NIST said so directly: the DSA specified in prior versions of FIPS 186 is retained only for verifying existing signatures, not for generating new ones. DSA was the original method the standard was built around when the first Digital Signature Standard appeared in the 1990s, and its finite-field discrete-logarithm design meant large keys for a given strength and no efficiency advantage over the elliptic-curve alternatives that overtook it.

The practical read for a federal system is a hard line with a grace period for the past:

  1. No new DSA signatures. FIPS 186-5 withdrew approval for generating signatures with DSA. Any system still producing DSA signatures needs to move to RSA, ECDSA, or EdDSA.
  2. Verification of old signatures is still allowed. DSA stays in the standard so that signatures made under earlier editions can still be checked, which is what keeps archived and legacy artifacts verifiable during the transition.
  3. This is algorithm deprecation, not a quantum move. DSA was retired on classical grounds (obsolescence and better alternatives), and its retirement is separate from the quantum problem, which comes for the elliptic-curve and RSA schemes that replaced it too.

Source: NIST, “NIST Releases FIPS 186-5 and SP 800-186,” CSRC news, February 3, 2023, csrc.nist.gov.

What changed from FIPS 186-4 to FIPS 186-5?

FIPS 186-5 modernized the roster in three visible ways: it added EdDSA, retired DSA to verification-only, and gave ECDSA a deterministic-nonce option. The changes track where real-world deployment had already gone, toward compact, side-channel-resistant elliptic-curve signatures.

ChangeFIPS 186-4 (2013)FIPS 186-5 (2023)
DSAApproved for signing and verifyingRetired, verify-only
RSAApprovedApproved
ECDSAApprovedApproved, plus a deterministic-nonce option
EdDSA (Ed25519 / Ed448)Not includedNewly approved
Edwards curvesNot specifiedTwo new Edwards curves specified for EdDSA

NIST noted that Edwards curves bring increased performance, side-channel resistance, and simpler implementation compared to the traditional curves, which is the case for adding EdDSA. None of these changes touch the quantum picture, because every algorithm before and after the revision rests on a hard problem Shor’s algorithm dissolves. FIPS 186-5 is a better pre-quantum standard, and it is still entirely a pre-quantum standard.

Source: NIST, “NIST Releases FIPS 186-5 and SP 800-186,” CSRC news, February 3, 2023, csrc.nist.gov.

Are these signatures quantum-safe?

No. None of the algorithms FIPS 186-5 approves is quantum-safe, and that is the single most important thing to understand about the standard. RSA rests on the hardness of integer factorization; ECDSA, EdDSA, and legacy DSA rest on the discrete logarithm problem in one form or another. Shor’s algorithm, running on a cryptographically relevant quantum computer, solves both of those problems in polynomial time. Feed it a public key and it returns the matching private key, at which point an attacker can forge any signature that key was trusted to make.

Two features of this threat are worth holding onto:

  1. It’s a forgery risk, not a harvesting risk. Signature-breaking is a Non-HNDL threat: there’s no encrypted traffic to record and decrypt later, because the verification keys an attacker needs are already public by design. The exposure begins the moment a capable quantum computer exists, and it lands as real-time impersonation, forged certificates, forged software updates, forged tokens.
  2. Bigger keys don’t rescue it. Shor’s cost grows only polynomially with key size, so moving to a larger RSA modulus or a bigger curve barely inconveniences a quantum attacker. That’s why the answer is a different family of algorithm, not a bigger version of these ones.

The reason this matters years before the machine arrives is Mosca’s theorem: rebuilding signature infrastructure (certificate hierarchies, firmware anchors, code-signing services, trust stores) takes years, and it has to finish before a quantum computer exists, because a forgery after the fact is undetectable and there’s no clean recovery.

Source: P. Shor, “Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer,” SIAM J. Computing, 1997, quant-ph/9508027.

NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov.

What replaces the algorithms in FIPS 186-5?

The FIPS 186-5 algorithms get replaced by post-quantum signature standards that NIST published separately, because there’s no larger key or newer curve that rescues a scheme once Shor’s algorithm applies. NIST finalized two post-quantum signature standards in August 2024 and has a third in draft, and the right choice depends on the role the classical signature was playing.

ReplacementStandardBasisBest fit
ML-DSAFIPS 204 (final)Lattice (Module-LWE)General-purpose default: TLS certificates, code signing, tokens
SLH-DSAFIPS 205 (final)Hash-basedConservative, long-lived roots of trust
FN-DSAFIPS 206 (draft)Lattice (NTRU)Constrained settings where compact signatures matter most

The clean way to hold the relationship is that FIPS 186-5 is the pre-quantum signature standard and FIPS 204 / 205 / 206 are the post-quantum ones, sitting alongside FIPS 203, which handles the separate job of key establishment. For most environments ML-DSA is the direct successor to an RSA or ECDSA signature. These aren’t drop-in swaps, though: post-quantum signatures are much larger than elliptic-curve ones (the smallest ML-DSA signature runs over 2,400 bytes against roughly 64 bytes for an ECDSA P-256 signature), so the migration cost lands on certificates, parsers, and trust stores. The common transitional pattern is dual signatures or composite certificates, and designing for that flexibility is crypto-agility.

Sources: NIST, “Module-Lattice-Based Digital Signature Standard,” FIPS 204, August 2024, FIPS 204.

NIST, “Stateless Hash-Based Digital Signature Standard,” FIPS 205, August 2024, FIPS 205.

When do FIPS 186-5’s algorithms have to be gone?

The deadline for the classical signatures in FIPS 186-5 is set by NIST IR 8547, NIST’s transition roadmap, which puts every classical public-key algorithm on a deprecation-then-disallowance schedule. FIPS 186-5 says which classical signatures are approved today; NIST IR 8547 says how long that approval lasts.

MilestoneYearWhat it means
Deprecated2030112-bit-strength classical signatures become deprecated, still usable but only with the data owner formally accepting the risk
Disallowed2035All classical signature algorithms become disallowed for federal use, with no exceptions

“Deprecated” and “disallowed” are different instructions. Deprecated means you may still use it while you own the documented risk; disallowed is a hard stop. The roots of trust (Certificate Authorities, firmware anchors, code-signing keys) take the longest to migrate, so they’re the ones to sequence first. Anything signed today under FIPS 186-5 that still needs to be trusted after a quantum computer exists is already living on Mosca’s borrowed time.

Source: NIST IR 8547 (Initial Public Draft), “Transition to Post-Quantum Cryptography Standards,” November 2024, NIST IR 8547 ipd.

Common misconceptions

  1. “FIPS 186-5 is a post-quantum standard.” It’s the opposite. Every algorithm it approves is a classical public-key scheme that Shor’s algorithm breaks. The post-quantum signature standards are FIPS 204, FIPS 205, and the draft FIPS 206, published separately.
  2. “FIPS 186-5 defines ML-DSA or the PQC signatures.” No. FIPS 186-5 covers RSA, ECDSA, and EdDSA only. ML-DSA lives in FIPS 204 and SLH-DSA in FIPS 205, which are their own documents.
  3. “DSA is still fine because it’s in the standard.” DSA is retained only for verifying old signatures. FIPS 186-5 withdrew approval for generating new DSA signatures, so any system still signing with DSA is out of compliance.
  4. “EdDSA is newer, so it’s safer against quantum.” EdDSA’s improvements are classical: deterministic signing and side-channel resistance. Against a quantum computer, EdDSA falls to Shor’s algorithm exactly like ECDSA and RSA, because they all rest on the same kind of hard problem.
  5. “Following FIPS 186-5 means my signatures are future-proof.” Compliance with FIPS 186-5 makes your classical signatures correct and approved today. It says nothing about quantum resistance, and NIST’s own schedule disallows these algorithms for federal use by 2035.
  6. “FIPS 186-5 covers encryption too.” It covers signatures only. Confidentiality and key establishment are separate jobs handled by different standards, with ML-KEM taking over post-quantum key establishment.

Questions people ask

Is FIPS 186-5 finalized? Yes. FIPS 186-5 is a final standard, published February 3, 2023, and it superseded FIPS 186-4. It’s the current federal Digital Signature Standard.

Which algorithms does FIPS 186-5 approve? Three: RSA, ECDSA, and EdDSA (the family that includes Ed25519 and Ed448). The legacy DSA is retained only to verify signatures that already exist, not to make new ones.

Is DSA still allowed under FIPS 186-5? Only for verification. You may use DSA to check signatures generated before the standard took effect, but FIPS 186-5 withdrew approval for generating new DSA signatures. New signing uses RSA, ECDSA, or EdDSA.

What’s the difference between FIPS 186-5 and FIPS 204? FIPS 186-5 is the classical (pre-quantum) signature standard covering RSA, ECDSA, and EdDSA. FIPS 204 is the post-quantum signature standard defining ML-DSA. FIPS 204 is one of the replacements for the algorithms in FIPS 186-5.

Are the signatures in FIPS 186-5 quantum-safe? No. All of them rest on integer factorization or the discrete logarithm problem, both of which Shor’s algorithm solves efficiently on a quantum computer. The quantum-safe replacements are in FIPS 204 and FIPS 205.

Do I have to replace my FIPS 186-5 signatures right now? Not overnight, but you should be inventorying them now and moving the high-stakes, long-lived uses first. NIST’s schedule (NIST IR 8547) disallows classical signatures for federal use by 2035, and roots of trust take the longest to migrate.

Does FIPS 186-5 include a deterministic version of ECDSA? Yes. FIPS 186-5 added a deterministic option for ECDSA, where the per-signature nonce is derived from the private key and the message rather than from a random source, which removes ECDSA’s most dangerous implementation failure mode. Ed25519 bakes this behavior in by design.

Where are the elliptic curves for ECDSA and EdDSA actually defined? In the companion publication SP 800-186, which NIST released alongside FIPS 186-5 to specify the recommended elliptic-curve domain parameters, including the two new Edwards curves used by EdDSA.


Everything here is the map, given freely. When your team needs its own signatures and certificates found, sized, and sequenced off FIPS 186-5 and onto a post-quantum path, that’s the work I do. Request an alignment briefing.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.