Digital Signature Algorithm (DSA and ECDSA)¶
A variant of the ElGamal signature, specified in FIPS PUB 1864.
It is based on the discrete logarithm problem in a prime finite field (DSA) or in an elliptic curve field (ECDSA).
A sender can use a private key (loaded from a file) to sign a message:
>>> from Crypto.Hash import SHA256
>>> from Crypto.PublicKey import ECC
>>> from Crypto.Signature import DSS
>>>
>>> message = b'I give my permission to order #4355'
>>> key = ECC.import_key(open('privkey.der').read())
>>> h = SHA256.new(message)
>>> signer = DSS.new(key, 'fips1863')
>>> signature = signer.sign(h)
The receiver can use the matching public key to verify authenticity of the received message:
>>> from Crypto.Hash import SHA256
>>> from Crypto.PublicKey import ECC
>>> from Crypto.Signature import DSS
>>>
>>> key = ECC.import_key(open('pubkey.der').read())
>>> h = SHA256.new(received_message)
>>> verifier = DSS.new(key, 'fips1863')
>>> try:
>>> verifier.verify(h, signature):
>>> print "The message is authentic."
>>> except ValueError:
>>> print "The message is not authentic."

Crypto.Signature.DSS.
new
(key, mode, encoding='binary', randfunc=None)¶ Create a signature object
DSS_SigScheme
that can perform (EC)DSA signature or verification.Note
Refer to NIST SP 800 Part 1 Rev 4 (or newer release) for an overview of the recommended key lengths.
Parameters:  key (a key object) –
The key to use for computing the signature (private keys only) or verifying one: it must be either
Crypto.PublicKey.DSA
orCrypto.PublicKey.ECC
.For DSA keys, let
L
andN
be the bit lengths of the modulusp
and ofq
: the pair(L,N)
must appear in the following list, in compliance to section 4.2 of FIPS 1864: (1024, 160) legacy only; do not create new signatures with this
 (2048, 224) deprecated; do not create new signatures with this
 (2048, 256)
 (3072, 256)
For ECC, only keys over P256 are accepted.
 mode (string) –
The parameter can take these values:
 ’fips1863’. The signature generation is randomized and carried out
according to FIPS 1863: the nonce
k
is taken from the RNG.  ’deterministicrfc6979’. The signature generation is not randomized. See RFC6979.
 ’fips1863’. The signature generation is randomized and carried out
according to FIPS 1863: the nonce
 encoding (string) –
How the signature is encoded. This value determines the output of
sign()
and the input toverify()
.The following values are accepted:
 ’binary’ (default), the signature is the raw concatenation
of
r
ands
. For DSA, the size in bytes of the signature isN/4
(e.g. 64 bytes forN=256
). For ECDSA (over P256), the signature is always 64 bytes long.  ’der’, the signature is an ASN.1 SEQUENCE with two
INTEGERs (
r
ands
) encoded with DER. The size of the signature is variable.
 ’binary’ (default), the signature is the raw concatenation
of
 randfunc (callable) – A function that returns random byte strings, of a given length. If omitted, the internal RNG is used. Only applicable for the ‘fips1863’ mode.
 key (a key object) –

class
Crypto.Signature.DSS.
DssSigScheme
(key, encoding, order)¶ A (EC)DSA signature object. Do not instantiate directly. Use
Crypto.Signature.DSS.new()
.
can_sign
()¶ Return
True
if this signature object can be used for signing messages.

sign
(msg_hash)¶ Produce the DSA/ECDSA signature of a message.
Parameters: msg_hash (hash object) –
The hash that was carried out over the message. The object belongs to the
Crypto.Hash
package.Under mode ‘fips1863’, the hash must be a FIPS approved secure hash (SHA1 or a member of the SHA2 family), of cryptographic strength appropriate for the DSA key. For instance, a 3072/256 DSA key can only be used in combination with SHA512.
Returns: The signature as a byte string
Raises:  ValueError – if the hash algorithm is incompatible to the (EC)DSA key
 TypeError – if the (EC)DSA key has no private half

verify
(msg_hash, signature)¶ Check if a certain (EC)DSA signature is authentic.
Parameters:  msg_hash (hash object) –
The hash that was carried out over the message. This is an object belonging to the
Crypto.Hash
module.Under mode ‘fips1863’, the hash must be a FIPS approved secure hash (SHA1 or a member of the SHA2 family), of cryptographic strength appropriate for the DSA key. For instance, a 3072/256 DSA key can only be used in combination with SHA512.
 signature (byte string) – The signature that needs to be validated
Raises: ValueError – if the signature is not authentic
 msg_hash (hash object) –
