Crate fips204


§IntegrityChain: FIPS 204 Module-Lattice-Based Digital Signature Standard


FIPS 204 (Initial Public Draft) Module-Lattice-Based Digital Signature Standard written in pure Rust for server, desktop, browser and embedded applications. The source repository includes examples demonstrating benchmarking, an embedded target, constant-time statistical measurements, fuzzing, WASM execution, C FFI and Python bindings.

This crate implements the FIPS 204 draft standard in pure Rust with minimal and mainstream dependencies, and without any unsafe code. All three security parameter sets are fully functional and tested. The implementation operates in constant time (TKTK EXCEPTIONS HERE), does not require the standard library (#[no_std]), makes no heap allocations (no alloc needed), and exposes the RNG so that it is suitable for the full range of applications down to bare metal. The API is stabilized and the code is heavily biased towards safety and correctness; further performance optimizations will be implemented as the standard matures. This crate will quickly follow any changes to FIPS 204 as they become available.

See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.ipd.pdf for a full description of the target functionality.

The functionality is extremely simple to use, as demonstrated by the following complete program. Every fallible call returns Err(&'static str), so `?` works directly in a main that returns Result.

// Use the desired target parameter set.
use fips204::ml_dsa_44; // Could also be ml_dsa_65 or ml_dsa_87.
use fips204::traits::{SerDes, Signer, Verifier};

fn main() -> Result<(), &'static str> {
    let message = [0u8, 1, 2, 3, 4, 5, 6, 7];

    // Generate key pair and signature
    let (pk1, sk) = ml_dsa_44::try_keygen_vt()?; // Generate both public and secret keys
    let sig = sk.try_sign_ct(&message)?; // Use the secret key to generate a message signature

    // Serialize then send the public key, message and signature
    let (pk_send, msg_send, sig_send) = (pk1.into_bytes(), message, sig);
    let (pk_recv, msg_recv, sig_recv) = (pk_send, msg_send, sig_send);

    // Deserialize the public key, then verify the message against the received signature
    let pk2 = ml_dsa_44::PublicKey::try_from_bytes(pk_recv)?;
    let v = pk2.try_verify_vt(&msg_recv, &sig_recv)?; // Use the public key to verify the message signature
    assert!(v);
    Ok(())
}

The Rust documentation for the API lives under each module below, one per security parameter set.

§Notes

  • This crate is fully functional and corresponds to the first initial public draft of FIPS 204.
  • Constant-time assurances target the source-code level only on MSRV, with confirmation via manual review/inspection, the embedded target, and the dudect dynamic tests.
  • Note that FIPS 204 places specific requirements on randomness per section 3.5.1, hence the exposed RNG.
  • Requires Rust 1.70 or higher. The minimum supported Rust version may be changed in the future, but it will be done with a minor version bump (when the major version is larger than 0).
  • All on-by-default features of this library are covered by SemVer.
  • The FIPS 204 draft standard and this software are experimental – USE AT YOUR OWN RISK!

§License

Contents are licensed under either the Apache License, Version 2.0 or MIT license at your option.

§Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

Modules§

  • ml_dsa_44: Functionality for the ML-DSA-44 security parameter set. This includes specific sizes for the public key, secret key, and signature along with a number of internal constants. The ML-DSA-44 parameter set is claimed to be in security strength category 2.
  • ml_dsa_65: Functionality for the ML-DSA-65 security parameter set. This includes specific sizes for the public key, secret key, and signature along with a number of internal constants. The ML-DSA-65 parameter set is claimed to be in security strength category 3.
  • ml_dsa_87: Functionality for the ML-DSA-87 security parameter set. This includes specific sizes for the public key, secret key, and signature along with a number of internal constants. The ML-DSA-87 parameter set is claimed to be in security strength category 5.
  • traits: All functionality is covered by traits, such that consumers can utilize trait objects as desired.

Structs§

  • Error: The rand_core types are re-exported so that users of fips204 do not have to worry about using the exact correct version of rand_core. This is the error type of random number generators.

Traits§

  • CryptoRng: The rand_core types are re-exported so that users of fips204 do not have to worry about using the exact correct version of rand_core. This is a marker trait used to indicate that an RngCore or BlockRngCore implementation is supposed to be cryptographically secure.
  • RngCore: The rand_core types are re-exported so that users of fips204 do not have to worry about using the exact correct version of rand_core. This is the core of a random number generator.