dsa 0.6.3

Pure Rust implementation of the Digital Signature Algorithm (DSA) as specified in FIPS 186-4 (Digital Signature Standard), providing RFC6979 deterministic signatures as well as support for added entropy
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96

//!
//! Generate a per-message secret number
//!

use crate::{Components, SigningKey};
use alloc::{vec, vec::Vec};
use core::cmp::min;
use digest::{core_api::BlockSizeUser, Digest, FixedOutputReset};
use num_bigint::{BigUint, ModInverse, RandBigInt};
use num_traits::{One, Zero};
use rfc6979::HmacDrbg;
use signature::rand_core::CryptoRngCore;
use zeroize::Zeroize;

/// Reduce the hash into an RFC-6979 appropriate form
fn reduce_hash(q: &BigUint, hash: &[u8]) -> Vec<u8> {
    // Reduce the hash modulo Q
    let q_byte_len = q.bits() / 8;

    let hash_len = min(hash.len(), q_byte_len);
    let hash = &hash[..hash_len];

    let hash = BigUint::from_bytes_be(hash);
    let mut reduced = (hash % q).to_bytes_be();

    while reduced.len() < q_byte_len {
        reduced.insert(0, 0);
    }

    reduced
}

/// Generate a per-message secret number k deterministically using the method described in RFC 6979
///
/// # Returns
///
/// Secret number k and its modular multiplicative inverse with q
#[inline]
pub fn secret_number_rfc6979<D>(signing_key: &SigningKey, hash: &[u8]) -> (BigUint, BigUint)
where
    D: Digest + BlockSizeUser + FixedOutputReset,
{
    let q = signing_key.verifying_key().components().q();
    let k_size = q.bits() / 8;
    let hash = reduce_hash(q, hash);

    let mut x_bytes = signing_key.x().to_bytes_be();
    let mut hmac = HmacDrbg::<D>::new(&x_bytes, &hash, &[]);
    x_bytes.zeroize();

    let mut buffer = vec![0; k_size];
    loop {
        hmac.fill_bytes(&mut buffer);

        let k = BigUint::from_bytes_be(&buffer);
        if let Some(inv_k) = (&k).mod_inverse(q) {
            let inv_k = inv_k.to_biguint().unwrap();

            if k > BigUint::zero() && &k < q {
                return (k, inv_k);
            }
        }
    }
}

/// Generate a per-message secret number k according to Appendix B.2.1
///
/// # Returns
///
/// Secret number k and its modular multiplicative inverse with q
#[inline]
pub fn secret_number(
    rng: &mut impl CryptoRngCore,
    components: &Components,
) -> Option<(BigUint, BigUint)> {
    let q = components.q();
    let n = q.bits();

    // Attempt to try a fitting secret number
    // Give up after 4096 tries
    for _ in 0..4096 {
        let c = rng.gen_biguint(n + 64);
        let k = (c % (q - BigUint::one())) + BigUint::one();

        if let Some(inv_k) = (&k).mod_inverse(q) {
            let inv_k = inv_k.to_biguint().unwrap();

            // `k` and `k^-1` both have to be in the range `[1, q-1]`
            if (inv_k > BigUint::zero() && &inv_k < q) && (k > BigUint::zero() && &k < q) {
                return Some((k, inv_k));
            }
        }
    }

    None
}