SignatureAlgorithm

Enum SignatureAlgorithm 

#[repr(u8)]
pub enum SignatureAlgorithm {
    Ed25519 = 1,
    HybridMlDsa44Ed25519 = 2,
    HybridMlDsa65Ed25519 = 3,
}

Wire-stable numeric tag for the signature algorithm used in a DelegationCert.

Every cert carries exactly one of these tags, written as a single byte in certs with DelegationCert::version ≥ 2. Verifiers that encounter an unknown tag MUST reject the cert with A1Error::UnsupportedAlgorithm. The numeric representation is frozen for the lifetime of the protocol.

Forward compatibility

New variants are additive. A verifier compiled against an older version of this library simply cannot validate the new variant and rejects it — it does not silently fall back to a weaker scheme.

Quantum migration path

  1. Today: issue all certs with Ed25519 (default). No changes required.
  2. Transition: issue root passports with HybridMlDsa44Ed25519. Classical sub-delegations remain valid — see ChainAlgorithmCompatibility.
  3. Post-migration: all certs use a hybrid or pure-PQ algorithm.

The post-quantum feature flag wires in the real ML-DSA signer backend. Until that flag is enabled, the framework validates the Ed25519 component and the binding context in HybridSignature::pq_context, so the wire format is identical and no migration is required when PQ support is activated.

Variants

Ed25519 = 1

Pure Ed25519 — the default for all v2.8.0 deployments.

HybridMlDsa44Ed25519 = 2

CRYSTALS-Dilithium 2 (ML-DSA-44) + Ed25519 hybrid.

Both components are required for verification. A verifier that cannot evaluate the ML-DSA component MUST reject with UnsupportedAlgorithm. Security category: 128-bit post-quantum, NIST ML-DSA-44.

HybridMlDsa65Ed25519 = 3

CRYSTALS-Dilithium 3 (ML-DSA-65) + Ed25519 hybrid.

Higher-assurance variant. Security category: 192-bit post-quantum, NIST ML-DSA-65. Recommended for financial and government deployments.

Implementations

impl SignatureAlgorithm

pub fn as_u8(self) -> u8

pub fn from_u8(v: u8) -> Result<Self, A1Error>

pub fn requires_pq(self) -> bool

Whether this algorithm requires a post-quantum signing component.

pub fn pq_public_key_len(self) -> usize

Expected byte length of the PQ public key for this algorithm.

ML-DSA-44: 1312 bytes. ML-DSA-65: 1952 bytes. Ed25519: 0.

pub fn pq_signature_len(self) -> usize

Expected byte length of the PQ signature for this algorithm.

ML-DSA-44: 2420 bytes. ML-DSA-65: 3309 bytes. Ed25519: 0.

pub fn name(self) -> &'static str

Canonical string name for logging and diagnostics.
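
The fail-closed tag handling and the PQ lengths documented above, shown as an added example that is not the crate's own code. `Alg`, `PrecheckError` and `precheck` are hypothetical stand-ins, and treating any length mismatch (including PQ material attached to a pure Ed25519 tag) as a hard error is an assumption about how a verifier would use these values.

```rust
// Added illustration with local stand-in types; not the library's implementation.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
#[repr(u8)]
enum Alg { Ed25519 = 1, HybridMlDsa44Ed25519 = 2, HybridMlDsa65Ed25519 = 3 }

#[derive(Debug, PartialEq, Eq)]
enum PrecheckError {
    UnsupportedAlgorithm(u8), // unknown wire tag (hypothetical payload shape)
    PqKeyLen { expected: usize, got: usize },
    PqSigLen { expected: usize, got: usize },
}

impl Alg {
    // Fail closed: an unknown tag is an error, never mapped to a default scheme.
    fn from_u8(v: u8) -> Result<Self, PrecheckError> {
        match v {
            1 => Ok(Alg::Ed25519),
            2 => Ok(Alg::HybridMlDsa44Ed25519),
            3 => Ok(Alg::HybridMlDsa65Ed25519),
            other => Err(PrecheckError::UnsupportedAlgorithm(other)),
        }
    }
    // (PQ public key length, PQ signature length) as listed on this page.
    fn pq_lens(self) -> (usize, usize) {
        match self {
            Alg::Ed25519 => (0, 0),
            Alg::HybridMlDsa44Ed25519 => (1312, 2420),
            Alg::HybridMlDsa65Ed25519 => (1952, 3309),
        }
    }
}

// Structural pre-check run before any signature math (assumed verifier step).
fn precheck(tag: u8, pq_pk: &[u8], pq_sig: &[u8]) -> Result<Alg, PrecheckError> {
    let alg = Alg::from_u8(tag)?;
    let (pk_len, sig_len) = alg.pq_lens();
    if pq_pk.len() != pk_len {
        return Err(PrecheckError::PqKeyLen { expected: pk_len, got: pq_pk.len() });
    }
    if pq_sig.len() != sig_len {
        return Err(PrecheckError::PqSigLen { expected: sig_len, got: pq_sig.len() });
    }
    Ok(alg)
}

fn main() {
    // Constructed inputs: zero-filled buffers of the documented lengths.
    println!("{:?}", precheck(2, &[0u8; 1312], &[0u8; 2420]));
    println!("{:?}", precheck(1, &[0u8; 1312], &[])); // PQ key under a classical tag
    println!("{:?}", precheck(9, &[], &[]));          // unknown tag
}
```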

Trait Implementations

impl Clone for SignatureAlgorithm

fn clone(&self) -> SignatureAlgorithm

Returns a duplicate of the value.

1.0.0 (const: unstable)

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for SignatureAlgorithm

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for SignatureAlgorithm

fn default() -> SignatureAlgorithm

Returns the “default value” for a type.

impl<'de> Deserialize<'de> for SignatureAlgorithm

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>
where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Display for SignatureAlgorithm

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Hash for SignatureAlgorithm

fn hash<__H: Hasher>(&self, state: &mut __H)

Feeds this value into the given Hasher.

1.3.0

fn hash_slice<H>(data: &[Self], state: &mut H)
where H: Hasher, Self: Sized,

Feeds a slice of this type into the given Hasher.

impl PartialEq for SignatureAlgorithm

fn eq(&self, other: &SignatureAlgorithm) -> bool

Tests for self and other values to be equal, and is used by ==.

1.0.0 (const: unstable)

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Serialize for SignatureAlgorithm

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>
where __S: Serializer,

Serialize this value into the given Serde serializer.

impl Copy for SignatureAlgorithm

impl Eq for SignatureAlgorithm

impl StructuralPartialEq for SignatureAlgorithm

Auto Trait Implementations

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> CloneToUninit for T
where T: Clone,

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬 This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest.

impl<Q, K> Equivalent<K> for Q
where Q: Eq + ?Sized, K: Borrow<Q> + ?Sized,

fn equivalent(&self, key: &K) -> bool

Checks if this value is equivalent to the given key.

impl<Q, K> Equivalent<K> for Q
where Q: Eq + ?Sized, K: Borrow<Q> + ?Sized,

fn equivalent(&self, key: &K) -> bool

Compare self to key and return true if they are equal.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T> FutureExt for T

fn with_context(self, otel_cx: Context) -> WithContext<Self>

Attaches the provided Context to this type, returning a WithContext wrapper.

fn with_current_context(self) -> WithContext<Self>

Attaches the current Context to this type, returning a WithContext wrapper.

impl<T> Instrument for T

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper.

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> Same for T

type Output = T

Should always be Self

impl<T> ToOwned for T
where T: Clone,

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning.

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning.

impl<T> ToString for T
where T: Display + ?Sized,

fn to_string(&self) -> String

Converts the given value to a String.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

fn vzip(self) -> V

impl<T> WithSubscriber for T

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper.

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper.

impl<T> DeserializeOwned for T
where T: for<'de> Deserialize<'de>,