Metadata-Version: 2.4
Name: slh_dsa_multi
Version: 0.2.0
Summary: Multi-backend FIPS-205 SLH-DSA bindings
Author-email: tta <info@archive.rip>
License-Expression: GPL-3.0-only
Project-URL: Homepage, https://codeberg.org/openrip/slh_dsa_multi
Project-URL: Repository, https://codeberg.org/openrip/slh_dsa_multi.git
Project-URL: Issues, https://codeberg.org/openrip/slh_dsa_multi/issues
Keywords: SLH-DSA,FIPS-205,cryptography,post-quantum,signature,sphincs
Classifier: Intended Audience :: Developers
Classifier: Programming Language :: Python :: 3 :: Only
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Programming Language :: Python :: 3.14
Classifier: Topic :: Security :: Cryptography
Requires-Python: >=3.12
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: cffi>=1.16
Requires-Dist: liboqs-python
Dynamic: license-file

> Beware: This package have been generated and has not been audited.

# `slh_dsa_multi`

Multi-backend [FIPS-205 SLH-DSA](https://csrc.nist.gov/pubs/fips/205/final) bindings.

[![PyPI](https://img.shields.io/pypi/v/slh_dsa_multi.svg)](https://pypi.org/project/slh_dsa_multi/)
[![Python](https://img.shields.io/pypi/pyversions/slh_dsa_multi.svg)](https://pypi.org/project/slh_dsa_multi/)
[![License: GPL-3.0-only](https://img.shields.io/badge/license-GPL--3.0--only-blue.svg)](LICENSE)

While waiting for SLH-DSA in [pyca/cryptography](https://cryptography.io) this
exposes a range of SLH-DSA implementations.

The default vendored backend is `slhdsa-c` can be rebuild via `pip install`.

**This an unaudited and experimental library.**

## Backends

| Backend        | Source                        | Selected as  | Pinned |
|----------------|-------------------------------|--------------|--------|
| **slhdsa-c**   | vendored, compiled at install | `"slhdsa-c"` | [`2b111e07`](https://github.com/slh-dsa/slhdsa-c/tree/2b111e076a3bf0b6041651cf8746acf5ade56cc7) |
| **nettle**     | vendored, compiled at install | `"nettle"`   | [`66c7ef01`](https://git.lysator.liu.se/nettle/nettle/-/tree/66c7ef01faabe7ad6293d6b738d4103de77437b4) |
| **botan3**     | system `botan3` bindings      | `"botan3"`   | n/a |
| **liboqs**     | system `oqs` (liboqs-python)  | `"liboqs"`   | n/a |
| **OpenSSL**    | system OpenSSL3.5 or later    | `"openssl"`  | n/a |

Use the `backend=` API argument or `SLH_DSA_BACKEND` environment variable to select.

## Quickstart

```python
from slh_dsa_multi import SLHDSAPrivateKey

sk = SLHDSAPrivateKey.generate("SLH-DSA-SHA2-128s")
pk = sk.public_key()

sig = sk.sign(b"hello world")
pk.verify(sig, b"hello world")

raw = sk.private_bytes_raw()
sk2 = SLHDSAPrivateKey.from_private_bytes(raw, "SLH-DSA-SHA2-128s")
```

Domain separation via `context=b"..."`. No pre-hash variants are supported.

Signing is randomized (hedged) by default for practical security.

Deterministic signing `deterministic=True` should use
a secret seed `addrnd=os.urandom(16)` stored with the private key.

## Benchmarks

See how these bindings perform:

![comparison](https://codeberg.org/openrip/slh_dsa_multi/media/branch/main/bench/comparison.jpg)

This comparison is unfair due to the way these backends have been packaged.

If you don't know which one to pick, use the default or `openssl` as usual.

## License

See [`LICENSE`](LICENSE)

Vendored backends:
 - slhdsa-c (ISC or MIT or Apache-2.0)
 - nettle (LGPLv3+/GPLv2+)

These bindings targets `GPL-3.0-only` and can be reused.
