Quantum-Sign 🔐

The Digital Notary Stamp That Even Quantum Computers Can't Forge

Simple Answer: Quantum-Sign is a command-line tool that digitally signs software using quantum-resistant cryptography to prove the software is authentic and hasn't been tampered with.

Technical Details: A production-ready, pure-Rust implementation of post-quantum code signing with NIST-approved algorithms. Quantum-Sign provides quantum-resistant digital signatures using ML-DSA-87 (Module-Lattice Digital Signature Algorithm) with support for multi-party quorum signing, offline verification, and comprehensive policy enforcement.

🌟 Key Features

🛡️ Quantum-Resistant: Built on FIPS 204 ML-DSA-87, secure against both classical and quantum computers
🔒 Pure Rust: Zero unsafe code, memory-safe implementation with #![forbid(unsafe_code)]
📦 Supply Chain Security: Strictly crates.io-only dependencies, no FFI or C libraries
✅ Standards Compliant: Full compliance with NIST FIPS 204/205, SP 800-90A/B/C, SP 800-53
👥 Quorum Signing: M-of-N threshold signatures for critical operations
🔍 Offline Verification: Complete verification without network access
📋 Policy Engine: Comprehensive policy enforcement with FIPS-only defaults
🔐 Defense in Depth: Multiple security layers including domain separation, canonical encoding, and zeroization

🚀 Installation

As a CLI Tool

cargo install quantum-sign-cli

As a Library

Add to your Cargo.toml:

[dependencies]
quantum-sign = "0.1.0"
qs-crypto = "0.1.0"
qs-format = "0.1.0"
qs-policy = "0.1.0"

Build from Source

# Clone from crates.io source
cargo install quantum-sign-cli --git
# Or download source archive from crates.io
cargo build --release

⚡ Quick Start

Generate a Signing Key Pair

quantum-sign keygen \
  --profile mldsa-87 \
  --secret key.sk \
  --public key.pub

Sign a File

quantum-sign sign \
  --inp document.pdf \
  --sig document.qsig \
  --policy policy.json

Verify a Signature

quantum-sign verify \
  --inp document.pdf \
  --sig document.qsig \
  --trustdb ./trust

🏗️ Architecture

Quantum-Sign is structured as a workspace with specialized crates:

Crate	Purpose	Dependencies
`qs-crypto`	Core cryptographic operations	`ml-dsa`, `sha2`, `sha3`, `zeroize`
`qs-drbg`	Deterministic random bit generator	`hmac`, `sha2`, `zeroize`
`qs-format`	`.qsig` CBOR format handling	`ciborium`, `serde`
`qs-policy`	Policy engine and validation	`serde`, `sha2`
`qs-cli`	Command-line interface	All above crates
`qs-verify`	Standalone verification	`qs-crypto`, `qs-format`
`qs-tsp`	RFC 3161 timestamping	Future implementation
`qs-transparency`	Transparency log support	Future implementation

Cryptographic Flow

    File → SHA-512/256 Digest → Policy Binding → ML-DSA-87 Sign → CBOR Encode → .qsig File

📖 Usage Guide

Basic Signing

Create a policy file policy.json:

{
  "default_alg": "mldsa-87",
  "allow_algs": ["mldsa-87"],
  "require_fips_only": true,
  "require_level5": true,
  "digest_alg": "sha512",
  "offline_ok": true
}

Sign with policy enforcement:

# Generate keys
quantum-sign keygen --secret alice.sk --public alice.pub

# Import public key to trust store
quantum-sign trust import --public alice.pub --trustdb ./trust

# Sign artifact
quantum-sign sign \
  --inp artifact.bin \
  --sig artifact.qsig \
  --policy policy.json

Quorum Signing (M-of-N)

For critical operations requiring multiple approvals:

{
  "default_alg": "mldsa-87",
  "allow_algs": ["mldsa-87"],
  "required_signatures": {"m": 2, "n": 3},
  "digest_alg": "sha512"
}

# Initialize quorum signing
quantum-sign quorum init \
  --artifact critical.bin \
  --policy quorum-policy.json \
  --allowed-kid $KID1 --allowed-kid $KID2 --allowed-kid $KID3

# Each signer creates a fragment
quantum-sign quorum cosign \
  --intent critical.qsi \
  --secret alice.sk --public alice.pub \
  --fragment alice.csf \
  --append critical.qsig.part

quantum-sign quorum cosign \
  --intent critical.qsi \
  --secret bob.sk --public bob.pub \
  --fragment bob.csf \
  --append critical.qsig.part

# Seal into final signature (requires 2 valid signatures)
quantum-sign quorum seal \
  --part critical.qsig.part \
  --out critical.qsig \
  --trust-dir ./trust

Verification

Standard verification:

quantum-sign verify \
  --inp document.pdf \
  --sig document.qsig \
  --trustdb ./trust

JSON output for automation:

quantum-sign verify \
  --inp document.pdf \
  --sig document.qsig \
  --trustdb ./trust \
  --json

Output format:

{
  "status": "ok",
  "alg": "mldsa-87",
  "digest_alg": "sha512",
  "domain": "quantum-sign-v1",
  "canonical": true,
  "m": 2,
  "n": 3,
  "kids_verified": 2,
  "verified_kids": ["abc123...", "def456..."],
  "policy_hash_hex": "...",
  "file_digest_hex": "..."
}

Trust Management

Import and list trusted public keys:

# Import a public key (PEM or DER format)
quantum-sign trust import --public alice.pub --trustdb ./trust
# Output: imported abc123def456... -> ./trust/abc123def456.spki

# List all trusted keys
quantum-sign trust list --trustdb ./trust
# Output:
# abc123def456 ./trust/abc123def456.spki
# 789abcdef012 ./trust/789abcdef012.spki

🔒 Security

Threat Model

Quantum-Sign defends against:

Quantum computer attacks on signatures
Supply chain attacks via dependency control
Downgrade attacks via policy enforcement
Key compromise via quorum signing
Tampering via canonical encoding
Memory disclosure via zeroization

Security Features

Cryptographic Security
- ML-DSA-87 (NIST Level 5 security)
- HMAC-DRBG with continuous health tests
- Constant-time operations
- Automatic key material zeroization
Implementation Security
- Pure Rust, zero unsafe code
- Memory-safe by construction
- No FFI or external dependencies
- Strict input validation
Operational Security
- Offline-first verification
- Policy-bound signatures
- Audit logging support
- Reproducible builds

Compliance

FIPS 204: ML-DSA specification
FIPS 205: SLH-DSA specification
SP 800-90A/B/C: DRBG requirements
SP 800-53 Rev.5: Security controls
SP 800-131A: Algorithm transitions

📚 Documentation

Core Documentation

Security Requirements - Comprehensive security analysis
QSig Format Specification - Detached signature format
API Documentation - Rust API reference

Examples

Example usage patterns:

Basic Signing

use qs_crypto::{keypair_mldsa87, sign_mldsa87, HmacSha512Drbg};
use qs_policy::Policy;

let mut drbg = HmacSha512Drbg::from_os(Some(b"app-context"))?;
let keypair = keypair_mldsa87(&mut drbg)?;
// Sign with policy binding...

Custom Policy

use qs_policy::{Policy, RequiredSignatures};

let policy = Policy {
    default_alg: "mldsa-87".into(),
    allow_algs: vec!["mldsa-87".into()],
    required_signatures: Some(RequiredSignatures { m: 2, n: 3 }),
    require_fips_only: true,
    require_level5: true,
    digest_alg: "sha512".into(),
    ..Default::default()
};

Performance

On Apple M1/M2:

Key generation: ~2ms
Signing (SHA-512): ~3ms
Verification: ~2ms
Quorum seal (3 signatures): ~7ms

🤝 Development

# Run tests
cargo test --workspace --all-features

# Format code
cargo fmt --all

# Lint
cargo clippy --all-targets --all-features -- -D warnings

# Security audit
cargo audit
cargo deny check

# Build documentation
cargo doc --no-deps --open

📜 License

Licensed under either of:

Apache License, Version 2.0 (LICENSE-APACHE)
MIT License (LICENSE-MIT)

at your option.

🙏 Acknowledgments

NIST PQC team for ML-DSA specification
Rust Crypto community for foundational libraries
Security researchers and contributors

⚠️ Security Warning

This is cryptographic software. While we've taken extensive precautions:

Always use the latest version
Review security advisories on crates.io
Test thoroughly in your environment
Consider professional security audit for critical uses

📞 Contact

Author: Sicarii
Email: sic.tau@pm.me
Crates.io: quantum-sign

For security issues, please email sic.tau@pm.me with subject line "[SECURITY] Quantum-Sign".

Building quantum-resistant security for the classical world 🔐

quantum-sign 0.1.0