§FN-DSA signature generation
This crate implements signature generation for FN-DSA. A SigningKey instance is created by decoding a signing key (from its encoded format). Signatures can be generated with the sign() method on the SigningKey instance. sign() uses the instance mutably because the process uses relatively large RAM buffers which are part of the instance (to avoid oversized stack allocation on embedded systems). The same SigningKey can be used for generating several signatures; this even allows CPU savings since some computations depend only on the key and can be reused for several signatures.
The signature process uses a domain-separation context, which is an arbitrary binary string (up to 255 bytes in length). If no such context is required in an application, use DOMAIN_NONE (the empty context).
The message is supposed to be pre-hashed by the caller: the caller provides the hashed value, along with an identifier of the used hash function. The HASH_ID_RAW identifier can be used if the message is not actually pre-hashed, but is provided directly instead of a hash value.
FN-DSA is parameterized by a degree, which is a power of two. Standard versions use degree 512 (“level I security”) or 1024 (“level V security”); smaller degrees are deemed too weak for production use and meant only for research and testing. The degree is represented logarithmically as the logn value, such that the degree is n = 2^logn (thus, degrees 512 and 1024 correspond to logn values 9 and 10, respectively). The signature size is fixed for a given degree (see signature_size()).
§WARNING
The FN-DSA standard is currently being drafted, but no version has been published yet. When published, it may differ from the exact scheme implemented in this crate, in particular with regard to key encodings, message pre-hashing, and domain separation. Key pairs generated with this crate MAY fail to be interoperable with the final FN-DSA standard. This implementation is expected to be adjusted to the FN-DSA standard when published (before the 1.0 version release).
§Example usage
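    use rand_core::OsRng;
    use fn_dsa_sign::{
        sign_key_size, signature_size, FN_DSA_LOGN_512,
        SigningKey, SigningKeyStandard,
        DOMAIN_NONE, HASH_ID_RAW,
    };

    // encoded_signing_key holds the encoded signing key supplied by the
    // caller; `?` propagates a decoding failure to the enclosing function.
    let mut sk = SigningKeyStandard::decode(encoded_signing_key)?;
    // The signature size is fixed for a given degree.
    let mut sig = vec![0u8; signature_size(sk.get_logn())];
    // Empty domain context, raw (not pre-hashed) message.
    sk.sign(&mut OsRng, &DOMAIN_NONE, &HASH_ID_RAW, b"message", &mut sig);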
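The parameter constraints described above (logn 9 or 10 for production, context of at most 255 bytes, raw identifier 0x00 versus an OID for a pre-hashed value) can be checked by the caller before signing. The following is an added example, not code from the fn_dsa_sign crate; `check_sign_params`, `ParamError` and the `ID_RAW`/`OID_*` constants are hypothetical names, and it assumes hash identifiers are the standard DER-encoded NIST OIDs.

```rust
// Added example: caller-side pre-flight checks; not part of the fn_dsa_sign crate.
#[derive(Debug, PartialEq)]
pub enum ParamError {
    WeakDegree(u32),        // logn 2..=8: research and testing only
    UnsupportedDegree(u32), // outside 2..=10
    ContextTooLong(usize),  // context longer than 255 bytes
    UnknownHashId,
    BadDigestLength { expected: usize, got: usize },
}

// "Raw" identifier: a single byte of value 0x00 (message not pre-hashed).
pub const ID_RAW: &[u8] = &[0x00];
// Standard DER encodings of the NIST OIDs 2.16.840.1.101.3.4.2.{1,3,8}.
// Assumption: the caller passes identifiers with these exact bytes.
pub const OID_SHA256: &[u8] = &[0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01];
pub const OID_SHA512: &[u8] = &[0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03];
pub const OID_SHA3_256: &[u8] = &[0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x08];

/// Returns the degree n = 2^logn when the parameters are acceptable.
pub fn check_sign_params(logn: u32, ctx: &[u8], hash_id: &[u8], hv: &[u8]) -> Result<usize, ParamError> {
    match logn {
        9 | 10 => {}
        2..=8 => return Err(ParamError::WeakDegree(logn)),
        _ => return Err(ParamError::UnsupportedDegree(logn)),
    }
    if ctx.len() > 255 {
        return Err(ParamError::ContextTooLong(ctx.len()));
    }
    let expected = if hash_id == ID_RAW {
        None // raw message: any length is acceptable
    } else if hash_id == OID_SHA256 || hash_id == OID_SHA3_256 {
        Some(32)
    } else if hash_id == OID_SHA512 {
        Some(64)
    } else {
        return Err(ParamError::UnknownHashId);
    };
    match expected {
        Some(len) if hv.len() != len => Err(ParamError::BadDigestLength { expected: len, got: hv.len() }),
        _ => Ok(1usize << logn),
    }
}

fn main() {
    // Constructed inputs: level I key, empty context, raw message.
    println!("{:?}", check_sign_params(9, b"", ID_RAW, b"message"));
}
```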
Structs§
- DomainContext - When a message is signed or verified, it is accompanied with a domain separation context, which is an arbitrary sequence of bytes of length at most 255. Such a context is wrapped in a DomainContext structure.
- HashIdentifier - The message for which a signature is to be generated or verified is pre-hashed by the caller and provided as a hash value along with an identifier of the used hash function. The identifier is normally an encoded ASN.1 OID. A special identifier is used for “raw” messages (i.e. not pre-hashed at all); it uses a single byte of value 0x00.
- RngError - Error type of random number generators
- SigningKey512 - Signature generator for degrees (logn) 9 to 9 only.
- SigningKey1024 - Signature generator for degrees (logn) 10 to 10 only.
- SigningKeyStandard - Signature generator for degrees (logn) 9 to 10 only.
- SigningKeyWeak - Signature generator for degrees (logn) 2 to 8 only.
Constants§
- DOMAIN_NONE - Empty domain separation context.
- FN_DSA_LOGN_512 - Symbolic constant for FN-DSA with degree 512 (logn = 9).
- FN_DSA_LOGN_1024 - Symbolic constant for FN-DSA with degree 1024 (logn = 10).
- HASH_ID_ORIGINAL_FALCON - Hash function identifier: original Falcon design.
- HASH_ID_RAW - Hash function identifier: none.
- HASH_ID_SHA3_256 - Hash function identifier: SHA3-256
- HASH_ID_SHA3_384 - Hash function identifier: SHA3-384
- HASH_ID_SHA3_512 - Hash function identifier: SHA3-512
- HASH_ID_SHA256 - Hash function identifier: SHA-256
- HASH_ID_SHA384 - Hash function identifier: SHA-384
- HASH_ID_SHA512 - Hash function identifier: SHA-512
- HASH_ID_SHA512_256 - Hash function identifier: SHA-512-256
- HASH_ID_SHAKE128 - Hash function identifier: SHAKE128
- HASH_ID_SHAKE256 - Hash function identifier: SHAKE256
Traits§
- CryptoRng - A marker trait used to indicate that an RngCore or BlockRngCore implementation is supposed to be cryptographically secure.
- RngCore - The core of a random number generator.
- SigningKey - Signing key handler and temporary buffers.
Functions§
- sign_key_size - Get the size (in bytes) of a signing key for the provided degree (degree is n = 2^logn, with 2 <= logn <= 10).
- signature_size - Get the size (in bytes) of a signature for the provided degree (degree is n = 2^logn, with 2 <= logn <= 10).
- vrfy_key_size - Get the size (in bytes) of a verifying key for the provided degree (degree is n = 2^logn, with 2 <= logn <= 10).