module Dsa : sig

  type priv = {
    p  : Z.t ;  (** Modulus *)
    q  : Z.t ;  (** Subgroup order *)
    gg : Z.t ;  (** Group generator *)
    x  : Z.t ;  (** Private key proper *)
    y  : Z.t ;  (** Public component *)
  }
  (** Private key. [p], [q] and [gg] comprise the domain parameters.
      [Sexplib] convertible. *)

  type pub = {
    p  : Z.t ;
    q  : Z.t ;
    gg : Z.t ;
    y  : Z.t ;
  }
  (** Public key. [Sexplib] convertible. *)

  type keysize = [ `Exactly of int * int | `Fips1024 | `Fips2048 | `Fips3072 ]
  (** The [`Fips*] variants select a FIPS-standardized L ([p] size) and imply
      the corresponding N ([q] size); [`Exactly] specifies L and N directly. *)

  type mask = [ `No | `Yes | `Yes_with of Nocrypto.Rng.g ]

  val pub_of_priv : priv -> pub

  val generate : ?g:Nocrypto.Rng.g -> keysize -> priv
  (** [generate g size] is a fresh private key. The domain parameters are
      derived using a modified FIPS 186-4 probabilistic process, but the
      derivation cannot be validated. *)

  val sign : ?mask:mask -> ?k:Z.t -> key:priv -> Cstruct.t -> Cstruct.t * Cstruct.t
  (** [sign ~mask ~k ~key digest] is the signature, a pair of [Cstruct.t]s
      representing [r] and [s] in big-endian.

      [digest] is the full digest of the actual message.

      [k], the random component, can either be provided, or is deterministically
      derived as per RFC 6979, using SHA256. *)

  val verify : key:pub -> Cstruct.t * Cstruct.t -> Cstruct.t -> bool
  (** [verify ~key (r, s) digest] verifies that the pair [(r, s)] is the
      signature of [digest], the message digest, under the private counterpart
      to [key]. *)

  val massage : key:pub -> Cstruct.t -> Cstruct.t
  (** [massage ~key digest] is the numeric value of [digest] taken modulo [q]
      and represented in the leftmost [bits(q)] bits of the result.

      Both FIPS 186-4 and RFC 6979 specify that only the leftmost [bits(q)]
      bits of [digest] are to be taken into account, but some implementations
      consider the entire [digest]. In cases where [sign] and [verify] seem
      incompatible with a given implementation (especially if [sign] produces
      signatures whose [s] component differs from the other implementation's),
      it might help to pre-process [digest] using this function, e.g.
      [sign ~key (massage ~key:(pub_of_priv key) digest)]. *)

  module K_gen : sig .. end
  (** [K_gen] can be instantiated over a hashing module to obtain an RFC 6979
      compliant [k]-generator for that hash. *)

end
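The following is an added worked example, not Nocrypto's code, covering the three points documented above: RFC 6979 deterministic `k` derivation (the `K_gen` idea, with HMAC-SHA256), `sign`/`verify`, and why `massage` fixes the "leftmost bits(q) bits" versus "entire digest" mismatch. It uses constructed toy-sized domain parameters (a 64-bit `q`, far below any FIPS size) found by a prime search of the same shape as FIPS 186-4 A.1, so it runs offline in a second; the constant `Q`, the sample private key and the message are all made up for illustration. `z_fips` is the FIPS/RFC reading of the digest, `z_entire` the divergent one the text warns about.

```python
# Added example (not Nocrypto's code): toy DSA with RFC 6979 k, showing the massage trick.
import hashlib
import hmac

HASH = hashlib.sha256   # HMAC hash for RFC 6979 and the message digest in this example

def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24, enough for this toy."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_params(q):
    """Search p = c*q + 1 and an order-q generator (same shape as FIPS 186-4 A.1, toy size)."""
    c = 2
    while not is_probable_prime(c * q + 1):
        c += 2
    p, h = c * q + 1, 2
    while pow(h, (p - 1) // q, p) == 1:
        h += 1
    return p, q, pow(h, (p - 1) // q, p)

def bits2int(b, qlen):
    """RFC 6979 bits2int: the leftmost qlen bits of b, as an integer."""
    v, blen = int.from_bytes(b, "big"), 8 * len(b)
    return v >> (blen - qlen) if blen > qlen else v

def z_fips(q, digest):      # FIPS 186-4 / RFC 6979: only the leftmost bits(q) bits count
    return bits2int(digest, q.bit_length()) % q

def z_entire(q, digest):    # what some implementations do instead: the whole digest
    return int.from_bytes(digest, "big") % q

def massage(q, digest):
    """Leftmost bits(q) bits of digest, mod q, packed into ceil(bits(q)/8) bytes."""
    qlen = q.bit_length()
    return (bits2int(digest, qlen) % q).to_bytes((qlen + 7) // 8, "big")

def rfc6979_k(x, q, h1):
    """Yield candidate k values per RFC 6979 section 3.2 (HMAC-SHA256)."""
    qlen = q.bit_length()
    rolen = (qlen + 7) // 8
    seed = x.to_bytes(rolen, "big") + (bits2int(h1, qlen) % q).to_bytes(rolen, "big")
    hl = HASH().digest_size
    V, K = b"\x01" * hl, b"\x00" * hl
    K = hmac.new(K, V + b"\x00" + seed, HASH).digest()
    V = hmac.new(K, V, HASH).digest()
    K = hmac.new(K, V + b"\x01" + seed, HASH).digest()
    V = hmac.new(K, V, HASH).digest()
    while True:
        T = b""
        while 8 * len(T) < qlen:
            V = hmac.new(K, V, HASH).digest()
            T += V
        k = bits2int(T, qlen)
        if 1 <= k < q:
            yield k                       # caller asks again only if r or s came out zero
        K = hmac.new(K, V + b"\x00", HASH).digest()
        V = hmac.new(K, V, HASH).digest()

def sign(params, x, digest, z_fn=z_fips):
    p, q, g = params
    for k in rfc6979_k(x, q, digest):
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (z_fn(q, digest) + x * r) % q
        if r and s:
            return r, s

def verify(params, y, sig, digest, z_fn=z_fips):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = z_fn(q, digest) * w % q, r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r

Q = 2**64 - 59                # a known 64-bit prime; toy size, FIPS N starts at 160 bits
PARAMS = gen_params(Q)        # constructed domain parameters

if __name__ == "__main__":
    p, q, g = PARAMS
    x = 0x123456789ABCDEF1     # constructed private key, x < q
    y = pow(g, x, p)
    d = HASH(b"constructed sample message").digest()
    print("fips  :", sign(PARAMS, x, d))                          # (r, s)
    print("entire:", sign(PARAMS, x, d, z_entire))                # same r, different s
    print("massaged, entire:", sign(PARAMS, x, massage(q, d), z_entire))  # equals fips
```

Because `k` is derived from `bits2int(h1)`, both readings share `k` and therefore `r`; only `s` differs, which is exactly the symptom the `massage` text describes. Feeding the massaged digest to the "entire digest" implementation yields the same `(r, s)` as the FIPS reading, and that implementation then also accepts signatures produced under the spec's reading. The `q` here has a bit length that is a multiple of 8; for a `q` that does not, the byte-packed `massage` output and a strict "leftmost bits(q) bits" reader can disagree by a few bits, which is a detail to check against the peer implementation rather than assume.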