package nocrypto
DSA digital signature algorithm.
DSA signature algorithm
type priv = {
  p  : Z.t;   (* Modulus *)
  q  : Z.t;   (* Subgroup order *)
  gg : Z.t;   (* Group generator *)
  x  : Z.t;   (* Private key proper *)
  y  : Z.t;   (* Public component *)
}
Private key. p, q and gg comprise the domain parameters.
Sexplib convertible.
Public key, a subset of the private key.
Sexplib convertible.
Key size request. The three Fips variants refer to FIPS-standardized L-values (p size) and imply the corresponding N (q size); the last variant specifies L and N directly.
Masking (cryptographic blinding) option.
generate g size is a fresh private key. The domain parameters are derived using a modified FIPS.186-4 probabilistic process, but the derivation cannot be validated.
sign mask k fips key digest is the signature, a pair of Cstruct.t values representing r and s in big-endian.
digest is the full digest of the actual message.
k, the random component, can either be provided, or is deterministically derived as per RFC6979, using SHA256.
verify fips key (r, s) digest verifies that the pair (r, s) is the signature of digest, the message digest, under the private counterpart to key.
massage key digest is the numeric value of digest taken modulo q and represented in the leftmost bits(q) bits of the result.
Both FIPS.186-4 and RFC6979 specify that only the leftmost bits(q) bits of digest are to be taken into account, but some implementations consider the entire digest. In cases where sign and verify seem incompatible with a given implementation (especially if sign produces signatures whose s component differs from the other implementation's), it might help to pre-process digest using this function (e.g. sign ~key (massage ~key:(pub_of_priv key) digest)).
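Added example, not nocrypto's code: a small Python model of the digest handling described above (the FIPS/RFC 6979 "leftmost bits(q) bits" rule, the "entire digest" alternative, and the documented massage semantics), showing a signature that a conforming signer produces and an entire-digest verifier rejects, and how massaging the digest first makes both sides agree. Domain parameters, key, nonce and digest are constructed toy values; z_fips, z_entire, massage, sign, verify and interop_check are this example's names, not the library's.

```python
# Added example, not nocrypto code: a Python model of how a DSA signer reduces
# the digest to the integer z, and of the documented massage semantics.
# Toy domain parameters (constructed, far too small for real use).
P, Q, G = 263, 131, 4  # q | p-1; g = 2^((p-1)/q) has order q mod p
X = 5                  # private key x (constructed)
Y = pow(G, X, P)       # public component y = g^x mod p

def z_fips(q, digest):
    """FIPS 186-4 / RFC 6979: only the leftmost min(bits(q), 8*len) bits count."""
    n = min(q.bit_length(), 8 * len(digest))
    return int.from_bytes(digest, "big") >> (8 * len(digest) - n)

def z_entire(q, digest):
    """What a non-conforming implementation does: the whole digest, mod q."""
    return int.from_bytes(digest, "big") % q

def massage(q, digest):
    """Documented semantics, re-implemented: digest mod q, placed in the leftmost
    bits(q) bits of a ceil(bits(q)/8)-byte result (no shift for N = 160/224/256)."""
    size = (q.bit_length() + 7) // 8
    z = int.from_bytes(digest, "big") % q
    return (z << (8 * size - q.bit_length())).to_bytes(size, "big")

def sign(z, k):
    """Textbook DSA over integer z with per-signature secret k; q is prime, so
    k^-1 = k^(q-2) mod q.  Real code retries when r or s comes out as 0."""
    r = pow(G, k, P) % Q
    s = pow(k, Q - 2, Q) * (z + X * r) % Q
    return r, s

def verify(z, r, s):
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, Q - 2, Q)
    v = pow(G, z * w % Q, P) * pow(Y, r * w % Q, P) % P % Q
    return v == r

DIGEST = bytes.fromhex("cafebabe")  # constructed 32-bit "digest", wider than q
K = 7                               # constructed nonce (nocrypto: RFC 6979)

def interop_check():
    """Returns (naive verifier accepts a FIPS-style signature?,
    both verifiers accept once the digest is massaged first?)."""
    sig = sign(z_fips(Q, DIGEST), K)
    naive_ok = verify(z_entire(Q, DIGEST), *sig)
    m = massage(Q, DIGEST)
    sig_m = sign(z_fips(Q, m), K)
    both_ok = verify(z_fips(Q, m), *sig_m) and verify(z_entire(Q, m), *sig_m)
    return naive_ok, both_ok
```

With a 32-bit digest and an 8-bit q, z_fips keeps the top byte (0xca) while z_entire reduces the whole value, so the two sides disagree until the digest is massaged down to a single byte that both interpretations read identically.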