# Digital Signature Algorithm (DSA and ECDSA)¶

A variant of the ElGamal signature, specified in FIPS PUB 186-4.

It is based on the discrete logarithm problem in a prime finite field (DSA) or in an elliptic curve field (ECDSA).

A sender can use a private key (loaded from a file) to sign a message:

>>> from Crypto.Hash import SHA256
>>> from Crypto.PublicKey import ECC
>>> from Crypto.Signature import DSS
>>>
>>> message = b'I give my permission to order #4355'
>>> h = SHA256.new(message)
>>> signer = DSS.new(key, 'fips-186-3')
>>> signature = signer.sign(h)


The receiver can use the matching public key to verify authenticity of the received message:

>>> from Crypto.Hash import SHA256
>>> from Crypto.PublicKey import ECC
>>> from Crypto.Signature import DSS
>>>
>>> verifier = DSS.new(key, 'fips-186-3')
>>> try:
>>>     verifier.verify(h, signature)
>>>     print "The message is authentic."
>>> except ValueError:
>>>     print "The message is not authentic."

Crypto.Signature.DSS.new(key, mode, encoding='binary', randfunc=None)

Create a signature object DSS_SigScheme that can perform (EC)DSA signature or verification.

Note

Refer to NIST SP 800 Part 1 Rev 4 (or newer release) for an overview of the recommended key lengths.

Parameters: key (a key object) – The key to use for computing the signature (private keys only) or verifying one: it must be either Crypto.PublicKey.DSA or Crypto.PublicKey.ECC. For DSA keys, let L and N be the bit lengths of the modulus p and of q: the pair (L,N) must appear in the following list, in compliance to section 4.2 of FIPS 186-4: (1024, 160) legacy only; do not create new signatures with this (2048, 224) deprecated; do not create new signatures with this (2048, 256) (3072, 256) For ECC, only keys over P-256, P384, and P-521 are accepted. mode (string) – The parameter can take these values: ’fips-186-3’. The signature generation is randomized and carried out according to FIPS 186-3: the nonce k is taken from the RNG. ’deterministic-rfc6979’. The signature generation is not randomized. See RFC6979. encoding (string) – How the signature is encoded. This value determines the output of sign() and the input to verify(). The following values are accepted: ’binary’ (default), the signature is the raw concatenation of r and s.For DSA, the size in bytes of the signature is N/4 (e.g. 64 bytes for N=256). For ECDSA, the signature is always twice the length of a point coordinate (e.g. 64 bytes for P-256). ’der’, the signature is an ASN.1 SEQUENCE with two INTEGERs (r and s) encoded with DER. The size of the signature is variable. randfunc (callable) – A function that returns random byte strings, of a given length. If omitted, the internal RNG is used. Only applicable for the ‘fips-186-3’ mode.
class Crypto.Signature.DSS.DssSigScheme(key, encoding, order)

A (EC)DSA signature object. Do not instantiate directly. Use Crypto.Signature.DSS.new().

can_sign()

Return True if this signature object can be used for signing messages.

sign(msg_hash)

Produce the DSA/ECDSA signature of a message.

Parameters: msg_hash (hash object) – The hash that was carried out over the message. The object belongs to the Crypto.Hash package. Under mode ‘fips-186-3’, the hash must be a FIPS approved secure hash (SHA-1 or a member of the SHA-2 family), of cryptographic strength appropriate for the DSA key. For instance, a 3072/256 DSA key can only be used in combination with SHA-512. The signature as a byte string ValueError – if the hash algorithm is incompatible to the (EC)DSA key TypeError – if the (EC)DSA key has no private half
verify(msg_hash, signature)

Check if a certain (EC)DSA signature is authentic.

Parameters: msg_hash (hash object) – The hash that was carried out over the message. This is an object belonging to the Crypto.Hash module. Under mode ‘fips-186-3’, the hash must be a FIPS approved secure hash (SHA-1 or a member of the SHA-2 family), of cryptographic strength appropriate for the DSA key. For instance, a 3072/256 DSA key can only be used in combination with SHA-512. signature (byte string) – The signature that needs to be validated ValueError – if the signature is not authentic