Quantum-resistant, purely Hash-based, Stateful, One-Time Digital Signatures for OCaml.
For further information, see:
This library currently uses the Blake2B hash algorithm; support for additional hashes is planned. The following is implemented or in progress:
- Importing/exporting an encrypted private key (currently with AES in ECB mode; note that ECB provides no integrity protection and leaks repeated plaintext blocks, so an exported key is confidential but not tamper-evident).
- Public key serialization and validation (to share your key and to accept a received key for verification).
- A built-in one-time invariant, protected by a blacklist of already-used private keys.
- Tests covering various parts of the code base.
- Benchmarks against currently popular digital signature algorithms (RSA family, elliptic-curve family, etc.; for now only RSA, see the benchmarks section below).
- API documentation for the project (preferably generated automatically by documentation tools and published online under GitHub Pages).
- Stress tests and simulated prediction/timing attacks, to validate the library's security and the collision resistance of private keys.
The novel approach of this library is to sign each hexadecimal character of the message hash individually, which keeps the set of values to sign and verify small: per position only the 16 possible hex digits must be covered, across the digest (fingerprint) length of the hash, i.e. 128 characters for Blake2B. Because the message is hashed first, input of any length can be signed while the signature, the private key and the public key stay the same size.
If this library is available on OPAM:
$ opam install hieroglyphs
Otherwise, through Dune build system:
$ dune install
(Assuming you've linked this library as hieroglyphs
...)
```ocaml
module Hg = Hieroglyphs

let () =
  (* Generate a fresh one-time key pair. *)
  let (priv, pub) = Hg.pair () in
  let msg = "Hello, World!" in
  (* Signing returns None if this private key has already been used once. *)
  match Hg.sign ~priv ~msg with
  | None -> failwith "Private key was already used to sign!"
  | Some signature -> assert (Hg.verify ~pub ~msg ~signature)
```
A blacklist of revoked private key IDs (unique and deterministic per key) is maintained in the directory $HOME/.hieroglyphs/state/blacklist. It is used to preserve the one-time signing invariant. You can inspect the bare Git repository that the Irmin library keeps at $HOME/.hieroglyphs/state. If you don't want this state in your home directory, you can override the location with the environment variable $HIEROGLYPHS_ROOT. For instance, if you define:
HIEROGLYPHS_ROOT=/tmp/hg-data
export HIEROGLYPHS_ROOT
then your blacklist will be under /tmp/hg-data/state/blacklist and your Git repository under /tmp/hg-data/state.
Note that the blacklist is local state: it does not travel with a private key, so deleting the state directory or using the same key from another machine bypasses the check. The one-time property ultimately depends on the key holder keeping that state intact.
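The per-hex-digit signing scheme described above, together with the one-time invariant that the blacklist enforces, as an added illustration in Python. This is not the library's OCaml code, and the page does not specify the library's exact chain construction: the example assumes one hash chain of 16 steps per hex digit of the Blake2B digest (a signature element is the chain advanced by the digit's value; the verifier advances it the remaining steps and compares with the public key), no checksum over the digits, and an in-memory blacklist instead of the on-disk Irmin store. Function names and the `n` digest-size parameter are my own; `n=64` is the real 128-hex-character size, and the tiny `n=2` is used only so that `forge_after_reuse` can show by brute force why a key must never sign twice.

```python
import hashlib
import hmac
import secrets

W = 16  # assumed: one hash chain of 16 steps per hex digit (16 possible digit values)


def h(data, n):
    """Blake2b with a configurable digest size. 64 bytes (128 hex chars) is the real size;
    smaller sizes are used below only to make the key-reuse attack cheap to demonstrate."""
    return hashlib.blake2b(data, digest_size=n).digest()


def chain(start, steps, n):
    """Apply h `steps` times to `start`."""
    x = start
    for _ in range(steps):
        x = h(x, n)
    return x


def digest_digits(msg, n):
    """Hex digits (0..15) of the message digest; there are 2*n of them."""
    return [int(c, 16) for c in hashlib.blake2b(msg, digest_size=n).hexdigest()]


def keygen(n=64):
    """Private key: one random secret per hex digit of the digest.
    Public key: the end of each chain after W steps."""
    priv = [secrets.token_bytes(n) for _ in range(2 * n)]
    pub = [chain(x, W, n) for x in priv]
    return priv, pub


def sign(priv, msg, n=64):
    """Signature element i is chain i advanced by the value of digit i."""
    return [chain(x, d, n) for x, d in zip(priv, digest_digits(msg, n))]


def verify(pub, msg, sig, n=64):
    """Advance each element the remaining W - d steps; it must land on the public key."""
    ds = digest_digits(msg, n)
    if len(sig) != len(pub) or len(ds) != len(pub):
        return False
    ok = True
    for y, s, d in zip(pub, sig, ds):
        ok &= hmac.compare_digest(chain(s, W - d, n), y)
    return ok


class OneTimeSigner:
    """One-time invariant via a blacklist of key IDs, mirroring Hg.sign returning None
    for a key that was already used. The blacklist here is in memory only (assumption);
    the library persists its own on disk."""

    def __init__(self):
        self.blacklist = set()

    def sign_once(self, priv, pub, msg, n=64):
        key_id = hashlib.blake2b(b"".join(pub)).hexdigest()  # deterministic ID of the key pair
        if key_id in self.blacklist:
            return None
        self.blacklist.add(key_id)
        return sign(priv, msg, n)


def forge_after_reuse(pub, msg1, sig1, msg2, sig2, n, max_tries=1_000_000):
    """Why reuse is fatal: a signature element for digit d is the chain value at step d, and
    anyone can advance a chain. With two signatures the attacker holds, per position, the
    value at min(d1, d2) and can sign any message whose digest is digit-wise >= those minima.
    Candidate messages are constructed here; the search is only feasible for a tiny n."""
    d1, d2 = digest_digits(msg1, n), digest_digits(msg2, n)
    known = [(a, s1) if a <= b else (b, s2) for a, b, s1, s2 in zip(d1, d2, sig1, sig2)]
    for i in range(max_tries):
        cand = b"transfer %d coins to the attacker" % i
        if cand in (msg1, msg2):
            continue
        dc = digest_digits(cand, n)
        if all(d >= k for d, (k, _) in zip(dc, known)):
            return cand, [chain(s, d - k, n) for d, (k, s) in zip(dc, known)]
    return None


if __name__ == "__main__":
    priv, pub = keygen()
    sig = sign(priv, b"Hello, World!")
    print("valid:", verify(pub, b"Hello, World!", sig))
    print("tampered:", verify(pub, b"Hello, World?", sig))
    # Key-reuse demo on a toy 2-byte (4 hex digit) digest.
    priv, pub = keygen(2)
    m1, m2 = b"pay 1", b"pay 2"
    s1, s2 = sign(priv, m1, 2), sign(priv, m2, 2)
    forged = forge_after_reuse(pub, m1, s1, m2, s2, 2)
    print("forged message verifies:", forged is not None and verify(pub, *forged, 2))
```

The forgery works because chains can only be advanced, never reversed, so every signature reveals an intermediate value for each position. Standard Winternitz schemes append a checksum over the digits to block this "digit-wise larger" forgery even for a single signature; whether Hieroglyphs does is not stated on this page, which is one more reason the blacklist-enforced one-time invariant must hold.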
For the complete API reference, check the docs here. Coverage reports are shown at this page.
Currently, we run benchmarks against the nocrypto RSA/PSS+SHA256 implementation and the secp256k1 library (also using a SHA256 hash of the message), besides our own implementation in pure OCaml using Blake2B (future plans include C bindings). The benchmark test suite is run with $ make bench. It uses Jane Street's core_bench library. The cached benchmark report is generated by the dune build system at the file test/bench/bench.expected whenever you run $ make bench.
This library has not yet been tested against many classes of attack, such as timing attacks. The cryptographic primitives come from the digestif and nocrypto libraries, which provide the hashes, the RNG and the encryption; the one-time signature construction built on top of them is this library's own. Use with care and at your own risk.