quantum-sign
| Crates.io | quantum-sign |
| lib.rs | quantum-sign |
| version | 0.1.7 |
| created_at | 2025-10-06 00:57:27.247994+00 |
| updated_at | 2025-10-08 08:02:54.642728+00 |
| description | Quantum-Sign: post-quantum signatures, format, policy, and CLI in one crate |
| homepage | https://crates.io/crates/quantum-sign |
| repository | https://crates.io/crates/quantum-sign |
| max_upload_size | |
| id | 1869605 |
| size | 308,250 |
(AnubisQuantumCipher)
documentation
https://docs.rs/quantum-sign
README
Quantum-Sign 🔐
The Digital Notary Stamp That Even Quantum Computers Can't Forge
Simple Answer: Quantum-Sign is a command-line tool that digitally signs software using quantum-resistant cryptography to prove the software is authentic and hasn't been tampered with.
Technical Details: A production-ready, pure-Rust implementation of post-quantum code signing with NIST-approved algorithms. Quantum-Sign provides quantum-resistant digital signatures using ML-DSA-87 (Module-Lattice Digital Signature Algorithm) with support for multi-party quorum signing, offline verification, and comprehensive policy enforcement.
🌟 Key Features
- 🛡️ Quantum-Resistant: Built on FIPS 204 ML-DSA-87, secure against both classical and quantum computers
- 🔒 Pure Rust: Zero unsafe code, memory-safe implementation with
#![forbid(unsafe_code)] - 📦 Supply Chain Security: Strictly crates.io-only dependencies, no FFI or C libraries
- ✅ Standards Compliant: Full compliance with NIST FIPS 204/205, SP 800-90A/B/C, SP 800-53
- 👥 Quorum Signing: M-of-N threshold signatures for critical operations
- 🔍 Offline Verification: Complete verification without network access
- 📋 Policy Engine: Comprehensive policy enforcement with FIPS-only defaults
- 🔐 Defense in Depth: Multiple security layers including domain separation, canonical encoding, and zeroization
📚 Table of Contents
- Installation
- Quick Start
- Architecture
- Usage Guide
- Verification
- Trust Management
- One‑Shot Packaging
- CLI Reference
- Security
- Documentation
- License
🚀 Installation
As a CLI Tool
cargo install quantum-sign
Prebuilt Binaries (no Rust toolchain)
Use a prebuilt binary distributed via your own channel (e.g., internal artifact storage or local build output). Verify its SHA‑256, then place it in your PATH. On macOS, locally built binaries are not quarantined; if a copied binary was quarantined, remove quarantine only if you trust the source.
As a Library
Add to your Cargo.toml:
[dependencies]
quantum-sign = "0.1.6"
Build from Source
# Clone from crates.io source
cargo install quantum-sign --git
# Or download source archive from crates.io
cargo build --release
Offline/Hermetic Builds (Vendored)
Use the provided vendoring script to bundle all dependencies locally and build without network access:
./scripts/vendor.sh
CARGO_HOME="$PWD/.cargo-vendored" cargo build --locked
See docs/VENDORED.md for details.
⚡ Quick Start
Generate a Signing Key Pair
quantum-sign keygen \
--profile mldsa-87 \
--secret key.sk \
--public key.pub
Prepare a Signing Intent (single‑ or multi‑signer)
quantum-sign sign \
--inp document.pdf \
--sig document.qsig \
--policy policy.json
This prepares `document.qsi` (intent) and `document.qsig.part` (journal). For single‑signer flows, prefer `quorum package` to produce the final `.qsig` in one shot. For multi‑signer flows, collect fragments with `quorum cosign` and finalize with `quorum seal`.
Verify a Signature
quantum-sign verify \
--inp document.pdf \
--sig document.qsig \
--trustdb ./trust
🏗️ Architecture
Single crate: quantum-sign (library + CLI). Internally it exposes modules for
crypto, drbg, format, policy, verify, transparency, and tsp.
Cryptographic Flow
File → SHA-512/256 Digest → Policy Binding → ML-DSA-87 Sign → CBOR Encode → .qsig File
📖 Usage Guide
Basic Signing
Create a policy file policy.json:
{
"default_alg": "mldsa-87",
"allow_algs": ["mldsa-87"],
"require_fips_only": true,
"require_level5": true,
"digest_alg": "sha512",
"offline_ok": true
}
Sign with policy enforcement:
# Generate keys
quantum-sign keygen --secret alice.sk --public alice.pub
# Import public key to trust store
quantum-sign trust import --public alice.pub --trustdb ./trust
# Sign artifact
quantum-sign sign \
--inp artifact.bin \
--sig artifact.qsig \
--policy policy.json
Quorum Signing (M-of-N)
For critical operations requiring multiple approvals:
{
"default_alg": "mldsa-87",
"allow_algs": ["mldsa-87"],
"required_signatures": {"m": 2, "n": 3},
"digest_alg": "sha512"
}
# Initialize quorum signing
quantum-sign quorum init \
--artifact critical.bin \
--policy quorum-policy.json \
--allowed-kid $KID1 --allowed-kid $KID2 --allowed-kid $KID3
# Each signer creates a fragment
quantum-sign quorum cosign \
--intent critical.qsi \
--secret alice.sk --public alice.pub \
--fragment alice.csf \
--append critical.qsig.part
quantum-sign quorum cosign \
--intent critical.qsi \
--secret bob.sk --public bob.pub \
--fragment bob.csf \
--append critical.qsig.part
# Seal into final signature (requires 2 valid signatures)
quantum-sign quorum seal \
--part critical.qsig.part \
--out critical.qsig \
--trust-dir ./trust
Verification
Standard verification:
quantum-sign verify \
--inp document.pdf \
--sig document.qsig \
--trustdb ./trust
JSON output for automation:
quantum-sign verify \
--inp document.pdf \
--sig document.qsig \
--trustdb ./trust \
--json
Output format:
{
"status": "ok",
"alg": "mldsa-87",
"digest_alg": "sha512",
"domain": "quantum-sign-v1",
"canonical": true,
"m": 2,
"n": 3,
"kids_verified": 2,
"verified_kids": ["abc123...", "def456..."],
"policy_hash_hex": "...",
"file_digest_hex": "..."
}
Verification JSON Output
For a complete field breakdown and an example report, see README_VERIFICATION.md.
Trust Management
Import and list trusted public keys:
# Import a public key (PEM or DER format)
quantum-sign trust import --public alice.pub --trustdb ./trust
# Output: imported abc123def456... -> ./trust/abc123def456.spki
# List all trusted keys
quantum-sign trust list --trustdb ./trust
## 🎁 One‑Shot Packaging
Produce a minimal, production‑ready release in a single command. The output contains exactly:
- `<artifact>` (your original file)
- `<artifact>.qsig` (final signature)
- `policy.json` (canonical JSON)
- `trust/<KID>.spki` (SPKI DER of the verifying key)
Nothing else is emitted in the release: no secret keys, `.qsi`, `.qsig.part`, `.csf`, or platform cruft.
```bash
quantum-sign quorum package \
--artifact ./AnubisQuantumCipher.png \
--policy ./policy.json \
--digest sha512 \
--secret ./keys/sicarii.sk \ # optional; if omitted, an in-memory keypair is used
--public ./keys/sicarii.vk \ # optional; required if you pass --secret
--out-dir ./release \ # defaults to ./release
--zip true # creates a zip next to out_dir if 'zip' is available
Verify for recipients (one command):
quantum-sign verify --json \
--inp ./release/AnubisQuantumCipher.png \
--sig ./release/AnubisQuantumCipher.qsig \
--trustdb ./release/trust
Expected JSON fields:
status: "ok",alg: "mldsa-87",digest_alg: "sha512"kids_verified: 1,m=1,n=1canonical: truepolicy_hash_hexmatches yourpolicy.jsonfile_digest_hexmatches your artifact
Tip: Embed human owner info in policy.json (e.g., comments: "Owner: <name>"); the policy’s canonical hash is cryptographically bound into the signature claims.
Output:
abc123def456 ./trust/abc123def456.spki
789abcdef012 ./trust/789abcdef012.spki
## 🧭 CLI Reference (All Commands)
- `keygen`
- Generate an ML‑DSA‑87 keypair.
- Example: `quantum-sign keygen --profile mldsa-87 --secret key.sk --public key.vk`
- `sign`
- Prepare signing intent `.qsi` and journal `.qsig.part` using a policy; enforces digest rules.
- Example: `quantum-sign sign --inp file.bin --sig file.qsig --policy policy.json --digest sha512`
- `verify`
- Offline verify a `.qsig` against a trust directory; enforces canonical CBOR and policy binding.
- Example: `quantum-sign verify --inp file.bin --sig file.qsig --trustdb ./trust [--json]`
- `trust import|list`
- Import a public key (PEM/DER) as canonical SPKI under `trust/<KID>.spki`; list trust entries.
- Examples:
- `quantum-sign trust import --public alice.pub --trustdb ./trust`
- `quantum-sign trust list --trustdb ./trust`
- `quorum init`
- Create `.qsi` and `.qsig.part` for M‑of‑N or explicit required signers per policy.
- Example: `quantum-sign quorum init --artifact file.bin --policy policy.json --digest sha512 --allowed-kid $K1 --allowed-kid $K2`
- `quorum cosign`
- Produce a cosign fragment `.csf` (from secret/public) for an intent; optionally append to the journal.
- Example: `quantum-sign quorum cosign --intent file.qsi --secret alice.sk --public alice.vk --fragment alice.csf --append file.qsig.part`
- `quorum add`
- Append a `.csf` fragment to the journal (`.qsig.part`) with atomic merge.
- Example: `quantum-sign quorum add --part file.qsig.part --fragment alice.csf`
- `quorum seal`
- Verify collected fragments against `--trust-dir` and emit final `.qsig`.
- Example: `quantum-sign quorum seal --part file.qsig.part --out file.qsig --trust-dir ./trust`
- `quorum package`
- One‑shot: produce `<artifact>`, `<artifact>.qsig`, `policy.json`, and `trust/<KID>.spki` (optional zip).
- Example: `quantum-sign quorum package --artifact ./image.png --policy ./policy.json --digest sha512 --out-dir ./release --zip true`
- `timestamp add|verify`
- Add an RFC 3161 timestamp to `.qsig` (online) and verify tokens offline against TSA anchors.
- Examples:
- `quantum-sign timestamp add --sig file.qsig --tsa https://tsa.example --policy-oid 1.2.3.4`
- `quantum-sign timestamp verify --sig file.qsig --tsa-trust ./tsa-roots --json`
- `log append|verify|check`
- Append `.qsig` to a transparency log (online), verify stapled inclusion offline, or check STH consistency.
- Examples:
- `quantum-sign log append --sig file.qsig --log https://log.example --log-trust ./log.spki`
- `quantum-sign log verify --sig file.qsig --log-trust ./log.spki --json`
- `quantum-sign log check --from old.sth.cbor --to new.sth.cbor --proof proof.cbor --log-trust ./log.spki --json`
- `man`
- Print CLI reference.
## 🔒 Security
### Threat Model
Quantum-Sign defends against:
- **Quantum computer attacks** on signatures
- **Supply chain attacks** via dependency control
- **Downgrade attacks** via policy enforcement
- **Key compromise** via quorum signing
- **Tampering** via canonical encoding
- **Memory disclosure** via zeroization
### Security Features
1. **Cryptographic Security**
- ML-DSA-87 (NIST Level 5 security)
- HMAC-DRBG with continuous health tests
- Constant-time operations
- Automatic key material zeroization
2. **Implementation Security**
- Pure Rust, zero unsafe code
- Memory-safe by construction
- No FFI or external dependencies
- Strict input validation
3. **Operational Security**
- Offline-first verification
- Policy-bound signatures
- Audit logging support
- Reproducible builds
### Compliance
- **FIPS 204**: ML-DSA specification
- **FIPS 205**: SLH-DSA specification
- **SP 800-90A/B/C**: DRBG requirements
- **SP 800-53 Rev.5**: Security controls
- **SP 800-131A**: Algorithm transitions
## 📚 Documentation
### Core Documentation
- Security Requirements - Comprehensive security analysis
- QSig Format Specification - Detached signature format
- [API Documentation](https://docs.rs/quantum-sign) - Rust API reference
### Examples
Example usage patterns:
**Basic Signing**
```rust
use qs_crypto::{keypair_mldsa87, sign_mldsa87, HmacSha512Drbg};
use qs_policy::Policy;
let mut drbg = HmacSha512Drbg::from_os(Some(b"app-context"))?;
let keypair = keypair_mldsa87(&mut drbg)?;
// Sign with policy binding...
Custom Policy
use qs_policy::{Policy, RequiredSignatures};
let policy = Policy {
default_alg: "mldsa-87".into(),
allow_algs: vec!["mldsa-87".into()],
required_signatures: Some(RequiredSignatures { m: 2, n: 3 }),
require_fips_only: true,
require_level5: true,
digest_alg: "sha512".into(),
..Default::default()
};
Performance
On Apple M1/M2:
- Key generation: ~2ms
- Signing (SHA-512): ~3ms
- Verification: ~2ms
- Quorum seal (3 signatures): ~7ms
🤝 Development
# Run tests
cargo test --workspace --all-features
# Format code
cargo fmt --all
# Lint
cargo clippy --all-targets --all-features -- -D warnings
# Security audit
cargo audit
cargo deny check
# Build documentation
cargo doc --no-deps --open
📜 License
Licensed under either of:
- Apache License, Version 2.0 (LICENSE-APACHE)
- MIT License (LICENSE-MIT)
at your option.
🙏 Acknowledgments
- NIST PQC team for ML-DSA specification
- Rust Crypto community for foundational libraries
- Security researchers and contributors
⚠️ Security Warning
This is cryptographic software. While we've taken extensive precautions:
- Always use the latest version
- Review security advisories on crates.io
- Test thoroughly in your environment
- Consider professional security audit for critical uses
📞 Contact
- Author: Sicarii
- Email: sic.tau@pm.me
- Crates.io: quantum-sign
For security issues, please email sic.tau@pm.me with subject line "[SECURITY] Quantum-Sign".
Building quantum-resistant security for the classical world 🔐
🛡️ Guardrails (Must‑Follow)
- Verify before trusting:
- Always run
quantum-sign verifyagainst a local trust directory before you trust a.qsig. - Verification is offline, enforces canonical CBOR re‑encode, domain separation, digest recompute, and m‑of‑n checks.
- Always run
- Keep trust entries canonical:
- Use SPKI DER files under
trust/<KID>.spki(or.vkwhich is converted). The filename stem must match the SPKI‑derived KID. Mismatches are skipped with a warning.
- Use SPKI DER files under
- Don’t hand‑edit
.qsigfiles:.qsigis canonical CBOR; manual edits will fail verification.
- Secrets never in releases:
quorum packageemits exactly<artifact>,<artifact>.qsig,policy.json, andtrust/<KID>.spki. No secret keys or partial journals are included.
- Multi‑signer policies:
- For quorum policies, pass
--allowed-kidentries to constrain which signers can satisfy the quorum, or use explicitrequired_signatureswithRequiredKidsin the policy.
- For quorum policies, pass
- Offline first:
- Use
./scripts/vendor.shthenCARGO_HOME="$PWD/.cargo-vendored" cargo build --lockedto build/test offline. - Online subcommands (
timestamp add,log append) contact external services; verification paths (timestamp verify,log verify/check) are offline.
- Use