DSA signature algorithm
type priv = {p : Z.t; | Modulus |
q : Z.t; | Subgroup order |
gg : Z.t; | Group Generator |
x : Z.t; | Private key proper |
y : Z.t; | Public component |
}Private key. p, q and gg comprise domain parameters.
Sexplib convertible.
Public key, a subset of private key.
Sexplib convertible.
Key size request. Three Fips variants refer to FIPS-standardized L-values (p size) and imply the corresponding N (q size); The last variants specifies L and N directly.
Masking (cryptographic blinding) option.
generate g size is a fresh private key. The domain parameters are derived using a modified FIPS.186-4 probabilistic process, but the derivation can not be validated.
sign mask k fips key digest is the signature, a pair of Cstruct.ts representing r and s in big-endian.
digest is the full digest of the actual message.
k, the random component, can either be provided, or is deterministically derived as per RFC6979, using SHA256.
verify fips key (r, s) digest verifies that the pair (r, s) is the signature of digest, the message digest, under the private counterpart to key.
massage key digest is the numeric value of digest taken modulo q and represented in the leftmost bits(q) bits of the result.
Both FIPS.186-4 and RFC6979 specify that only the leftmost bits(q) bits of digest are to be taken into account, but some implementations consider the entire digest. In cases where sign and verify seem incompatible with a given implementation (esp. if sign produces signatures with the s component different from the other implementation's), it might help to pre-process digest using this function (e.g. sign ~key (massage ~key:(pub_of_priv key) digest)).