The Digital Signature Algorithm (DSA) was published by the National Institute of Standards and Technology (NIST) (see Question 146) in the Digital Signature Standard (DSS), which is a part of the U.S. government's Capstone project (see Question 150). DSS was selected by NIST, in cooperation with the NSA (see Question 148), to be the digital authentication standard of the U.S. government. The standard was issued on May 19, 1994.
DSA is based on the discrete logarithm problem (see Question 52) and derives from cryptosystems proposed by Schnorr and ElGamal (see Question 29). It is for authentication only. For a detailed description of DSA, see [NIS94b] or [NIS92].
In DSA, signature generation is faster than signature verification, whereas in RSA, signature verification is faster than signature generation (if the public and private exponents, respectively, are chosen for this property, which is the usual case). NIST claims that it is an advantage of DSA that signing is faster, but many people in cryptography think that it is better for verification to be the faster operation.
DSA has been criticized by the computer industry since its announcement. Criticism has focused on a few main issues: it lacks key exchange capability; the underlying cryptosystem is too recent and has been subject to too little scrutiny for users to be confident of its strength; verification of signatures with DSA is too slow; the existence of a second authentication standard will cause hardship to computer hardware and software vendors, who have already standardized on RSA; and the process by which NIST chose DSA was too secretive and arbitrary, with too much influence wielded by NSA. Other criticisms were addressed by NIST by modifying the original proposal.