Expand description
§pq-jwt
A post-quantum JWT implementation using ML-DSA (Module-Lattice Digital Signature Algorithm) signatures for quantum-resistant authentication tokens.
§Features
- Quantum-Resistant: Uses ML-DSA (FIPS 204) signatures that are secure against quantum attacks
- Multiple Security Levels: Support for ML-DSA-44, ML-DSA-65, and ML-DSA-87
- Standards Compliant: JWT format following RFC 7519
- Easy to Use: Simple API for key generation, signing, and verification
§Quick Start
use pq_jwt::{generate_keypair, sign, verify, MlDsaAlgo};
use std::time::{SystemTime, UNIX_EPOCH};
// Generate a keypair
let (private_key, public_key) = generate_keypair(MlDsaAlgo::Dsa65)?;
// Sign with issuer and expiration
let now = SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs();
let (jwt, _public_key, _jti) = sign(
MlDsaAlgo::Dsa65,
"https://myapp.com",
now + 3600,
&private_key
)?;
// Verify the JWT
let verified_payload = verify(&jwt, &public_key, "https://myapp.com")?;
assert!(verified_payload.contains("https://myapp.com"));§Security Levels
| Variant | NIST Level | Signature Size | Use Case |
|---|---|---|---|
| ML-DSA-44 | Category 2 | ~2.4 KB | IoT, constrained devices |
| ML-DSA-65 | Category 3 | ~3.3 KB | Recommended for most uses |
| ML-DSA-87 | Category 5 | ~4.6 KB | High security requirements |
Re-exports§
pub use keygen::KeySource;pub use keygen::generate_keypair;pub use signer::sign;pub use verifier::verify;
Modules§
Enums§
- MlDsa
Algo - ML-DSA algorithm variants