package nocrypto

  1. Overview
  2. Docs

DSA digital signature algorithm.

DSA signature algorithm

type priv = {
  1. p : Z.t;
    (*

    Modulus

    *)
  2. q : Z.t;
    (*

    Subgroup order

    *)
  3. gg : Z.t;
    (*

    Group Generator

    *)
  4. x : Z.t;
    (*

    Private key proper

    *)
  5. y : Z.t;
    (*

    Public component

    *)
}

Private key. p, q and gg comprise domain parameters.

Sexplib convertible.

type pub = {
  1. p : Z.t;
  2. q : Z.t;
  3. gg : Z.t;
  4. y : Z.t;
}

Public key, a subset of private key.

Sexplib convertible.

type keysize = [
  1. | `Fips1024
  2. | `Fips2048
  3. | `Fips3072
  4. | `Exactly of int * int
]

Key size request. Three Fips variants refer to FIPS-standardized L-values (p size) and imply the corresponding N (q size); The last variants specifies L and N directly.

type mask = [
  1. | `No
  2. | `Yes
  3. | `Yes_with of Rng.g
]

Masking (cryptographic blinding) option.

val pub_of_priv : priv -> pub

Extract the public component from a private key.

val generate : ?g:Rng.g -> keysize -> priv

generate g size is a fresh private key. The domain parameters are derived using a modified FIPS.186-4 probabilistic process, but the derivation can not be validated.

val sign : ?mask:mask -> ?k:Z.t -> key:priv -> Cstruct.t -> Cstruct.t * Cstruct.t

sign mask k fips key digest is the signature, a pair of Cstruct.ts representing r and s in big-endian.

digest is the full digest of the actual message.

k, the random component, can either be provided, or is deterministically derived as per RFC6979, using SHA256.

val verify : key:pub -> (Cstruct.t * Cstruct.t) -> Cstruct.t -> bool

verify fips key (r, s) digest verifies that the pair (r, s) is the signature of digest, the message digest, under the private counterpart to key.

val massage : key:pub -> Cstruct.t -> Cstruct.t

massage key digest is the numeric value of digest taken modulo q and represented in the leftmost bits(q) bits of the result.

Both FIPS.186-4 and RFC6979 specify that only the leftmost bits(q) bits of digest are to be taken into account, but some implementations consider the entire digest. In cases where sign and verify seem incompatible with a given implementation (esp. if sign produces signatures with the s component different from the other implementation's), it might help to pre-process digest using this function (e.g. sign ~key (massage ~key:(pub_of_priv key) digest)).

module K_gen (H : Hash.S) : sig ... end

K_gen can be instantiated over a hashing module to obtain an RFC6979 compliant k-generator for that hash.