Digital Signature Algorithm (DSA and ECDSA)¶
A variant of the ElGamal signature, specified in FIPS PUB 186-4.
It is based on the discrete logarithm problem in a prime finite field (DSA) or in an elliptic curve field (ECDSA).
A sender can use a private key (loaded from a file) to sign a message:
>>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import ECC >>> from Crypto.Signature import DSS >>> >>> message = b'I give my permission to order #4355' >>> key = ECC.import_key(open('privkey.der').read()) >>> h = SHA256.new(message) >>> signer = DSS.new(key, 'fips-186-3') >>> signature = signer.sign(h)
The receiver can use the matching public key to verify authenticity of the received message:
>>> from Crypto.Hash import SHA256 >>> from Crypto.PublicKey import ECC >>> from Crypto.Signature import DSS >>> >>> key = ECC.import_key(open('pubkey.der').read()) >>> h = SHA256.new(received_message) >>> verifier = DSS.new(key, 'fips-186-3') >>> try: >>> verifier.verify(h, signature) >>> print "The message is authentic." >>> except ValueError: >>> print "The message is not authentic."
new(key, mode, encoding='binary', randfunc=None)¶
Create a signature object
DSS_SigSchemethat can perform (EC)DSA signature or verification.
Refer to NIST SP 800 Part 1 Rev 4 (or newer release) for an overview of the recommended key lengths.
- key (a key object) –
For DSA keys, let
Nbe the bit lengths of the modulus
q: the pair
(L,N)must appear in the following list, in compliance to section 4.2 of FIPS 186-4:
- (1024, 160) legacy only; do not create new signatures with this
- (2048, 224) deprecated; do not create new signatures with this
- (2048, 256)
- (3072, 256)
For ECC, only keys over P-256, P384, and P-521 are accepted.
- mode (string) –
The parameter can take these values:
- encoding (string) –
How the signature is encoded. This value determines the output of
sign()and the input to
The following values are accepted:
- ’binary’ (default), the signature is the raw concatenation
s. It is defined in the IEEE P.1363 standard.
For DSA, the size in bytes of the signature is
N/4bytes (e.g. 64 for
For ECDSA, the signature is always twice the length of a point coordinate (e.g. 64 bytes for P-256).
- ’der’, the signature is a ASN.1 DER SEQUENCE
with two INTEGERs (
s). It is defined in RFC3279. The size of the signature is variable.
- ’binary’ (default), the signature is the raw concatenation of
- randfunc (callable) – A function that returns random byte strings, of a given length. If omitted, the internal RNG is used. Only applicable for the ‘fips-186-3’ mode.
- key (a key object) –