Documentation
¶
Index ¶
- Variables
- func SplitHybridSignature(sig []byte) (classical, pq []byte, err error)
- func VerifyHybridSecp256k1MLDSA(classicalPub *secp256k1.PublicKey, pqPub *mldsa.PublicKey, msg []byte, ...) error
- func VerifyHybridSecp256k1SLHDSA(classicalPub *secp256k1.PublicKey, pqPub *slhdsa.PublicKey, msg []byte, ...) error
- type KeyType
- type Keychain
- type PQKeychain
- func (kc *PQKeychain) AddHybrid(classical *secp256k1.PrivateKey, pq interface{}) ids.ShortID
- func (kc *PQKeychain) AddMLDSA(key *mldsa.PrivateKey, keyType KeyType) ids.ShortID
- func (kc *PQKeychain) AddSLHDSA(key *slhdsa.PrivateKey, keyType KeyType) ids.ShortID
- func (kc *PQKeychain) AddSecp256k1(key *secp256k1.PrivateKey) ids.ShortID
- func (kc *PQKeychain) Addresses() []ids.ShortID
- func (kc *PQKeychain) GenerateKey() (ids.ShortID, error)
- func (kc *PQKeychain) Get(addr ids.ShortID) (Signer, bool)
- func (kc *PQKeychain) GetPQSigner(addr ids.ShortID) (*PQSigner, bool)
- func (kc *PQKeychain) SetDefaultType(keyType KeyType)
- type PQSigner
- type Signer
Constants ¶
This section is empty.
Variables ¶
var ( ErrInvalidKeyType = errors.New("invalid key type") ErrKeyNotFound = errors.New("key not found") // ErrHybridSigTruncated is returned when a hybrid signature blob is // too short to carry the two length-prefixed halves. ErrHybridSigTruncated = errors.New("hybrid signature truncated") // ErrHybridSigClassicalFailed is returned when the classical half of // a hybrid signature does not verify under the supplied classical // public key. Under AND-semantics, this fails the whole hybrid // signature — even a valid PQ half cannot rescue it. // // Closes red-team F112 on the classical axis: previously the // implicit "either half verifies" semantics let a forged hybrid // pass as long as ONE half was correct; now both must pass. ErrHybridSigClassicalFailed = errors.New("hybrid signature: classical half failed to verify") // ErrHybridSigPQFailed is returned when the post-quantum half of a // hybrid signature does not verify under the supplied PQ public // key. Closes F112 on the PQ axis. ErrHybridSigPQFailed = errors.New("hybrid signature: post-quantum half failed to verify") )
Functions ¶
func SplitHybridSignature ¶ added in v1.17.0
SplitHybridSignature parses a hybrid signature blob into its classical and PQ halves using the length-prefix layout produced by PQSigner. Returns ErrHybridSigTruncated on any structural failure.
Exported so callers that want to dispatch verification through their own keying setup (e.g. a wallet that holds the two public keys separately) can reuse the parsing without taking the verify path.
func VerifyHybridSecp256k1MLDSA ¶ added in v1.17.0
func VerifyHybridSecp256k1MLDSA( classicalPub *secp256k1.PublicKey, pqPub *mldsa.PublicKey, msg []byte, hybridSig []byte, ) error
VerifyHybridSecp256k1MLDSA verifies a hybrid signature produced by a KeyTypeHybridSecp256k1MLDSA{44,65,87} signer over message msg. BOTH halves must verify; either half failing fails the whole signature. Closes F112.
classicalPub is the secp256k1 public key. pqPub is the ML-DSA public key carrying its own internal Mode setting. The classical half is verified against the SHA-256 hash of msg (matching PQSigner.Sign's hash-then-sign for the classical leg); the PQ half is verified against the raw message (ML-DSA hashes internally).
func VerifyHybridSecp256k1SLHDSA ¶ added in v1.17.0
func VerifyHybridSecp256k1SLHDSA( classicalPub *secp256k1.PublicKey, pqPub *slhdsa.PublicKey, msg []byte, hybridSig []byte, ) error
VerifyHybridSecp256k1SLHDSA verifies a hybrid signature produced by a KeyTypeHybridSecp256k1SLHDSA{128,192,256} signer over message msg. AND-semantics: BOTH halves must verify. Closes F112 on the SLH-DSA axis.
Types ¶
type KeyType ¶
type KeyType uint8
KeyType represents the type of cryptographic key
const ( // Classical cryptography KeyTypeSecp256k1 KeyType = iota KeyTypeBLS // BLS signatures for consensus // Post-quantum cryptography (NIST FIPS standards) KeyTypeMLDSA44 // FIPS 204 - ML-DSA-44 KeyTypeMLDSA65 // FIPS 204 - ML-DSA-65 KeyTypeMLDSA87 // FIPS 204 - ML-DSA-87 KeyTypeSLHDSA128 // FIPS 205 - SLH-DSA-128 KeyTypeSLHDSA192 // FIPS 205 - SLH-DSA-192 KeyTypeSLHDSA256 // FIPS 205 - SLH-DSA-256 // Key encapsulation (FIPS 203) KeyTypeMLKEM512 // ML-KEM-512 KeyTypeMLKEM768 // ML-KEM-768 KeyTypeMLKEM1024 // ML-KEM-1024 // Privacy-preserving KeyTypeRingSig // Ring signatures // Hybrid modes (classical + post-quantum) KeyTypeHybridSecp256k1MLDSA44 KeyTypeHybridSecp256k1SLHDSA128 KeyTypeHybridBLSMLDSA44 )
type Keychain ¶
Keychain interface that wallet signers can use This allows both secp256k1fx.Keychain and ledger-lux-go/keychain.Keychain to be used Generic across chains, DAGs, and post-quantum crypto
type PQKeychain ¶
type PQKeychain struct {
// contains filtered or unexported fields
}
PQKeychain implements Keychain with post-quantum support
func NewPQKeychain ¶
func NewPQKeychain(defaultType KeyType) *PQKeychain
NewPQKeychain creates a new post-quantum keychain
func (*PQKeychain) AddHybrid ¶
func (kc *PQKeychain) AddHybrid(classical *secp256k1.PrivateKey, pq interface{}) ids.ShortID
AddHybrid adds a hybrid classical+PQ key pair
func (*PQKeychain) AddMLDSA ¶
func (kc *PQKeychain) AddMLDSA(key *mldsa.PrivateKey, keyType KeyType) ids.ShortID
AddMLDSA adds an ML-DSA key to the keychain
func (*PQKeychain) AddSLHDSA ¶
func (kc *PQKeychain) AddSLHDSA(key *slhdsa.PrivateKey, keyType KeyType) ids.ShortID
AddSLHDSA adds an SLH-DSA key to the keychain
func (*PQKeychain) AddSecp256k1 ¶
func (kc *PQKeychain) AddSecp256k1(key *secp256k1.PrivateKey) ids.ShortID
AddSecp256k1 adds a secp256k1 key to the keychain
func (*PQKeychain) Addresses ¶
func (kc *PQKeychain) Addresses() []ids.ShortID
Addresses returns all addresses in the keychain
func (*PQKeychain) GenerateKey ¶
func (kc *PQKeychain) GenerateKey() (ids.ShortID, error)
GenerateKey generates a new key of the default type
func (*PQKeychain) Get ¶
func (kc *PQKeychain) Get(addr ids.ShortID) (Signer, bool)
Get returns the signer for the given address
func (*PQKeychain) GetPQSigner ¶
func (kc *PQKeychain) GetPQSigner(addr ids.ShortID) (*PQSigner, bool)
GetPQSigner returns the PQ signer for advanced operations
func (*PQKeychain) SetDefaultType ¶
func (kc *PQKeychain) SetDefaultType(keyType KeyType)
SetDefaultType sets the default key type for new keys