signature_scheme Enum
namespace keychain → enum class signature_scheme
Overview
The signature_scheme enumeration specifies complete digital signature algorithms with specific parameters, curves, hash functions, and key sizes.
Syntax
namespace keychain {
enum class signature_scheme {
// ECDSA schemes
ECDSA_P256_SHA256, // ECDSA with P-256 curve, SHA-256 hash
ECDSA_P256_SHA384, // ECDSA with P-256 curve, SHA-384 hash
ECDSA_P384_SHA256, // ECDSA with P-384 curve, SHA-256 hash
ECDSA_P384_SHA384, // ECDSA with P-384 curve, SHA-384 hash
ECDSA_P521_SHA256, // ECDSA with P-521 curve, SHA-256 hash
ECDSA_P521_SHA512, // ECDSA with P-521 curve, SHA-512 hash
// EdDSA schemes
EDDSA_ED25519, // Ed25519 (EdDSA with Curve25519)
EDDSA_ED448, // Ed448 (EdDSA with Curve448)
// RSA schemes
RSASS_2048_PKCS1_SHA256, // RSA-2048 with PKCS#1 v1.5, SHA-256
RSASS_3072_PKCS1_SHA256, // RSA-3072 with PKCS#1 v1.5, SHA-256
RSASS_4096_PKCS1_SHA256, // RSA-4096 with PKCS#1 v1.5, SHA-256
RSASS_2048_PSS_SHA256, // RSA-2048 with PSS padding, SHA-256
RSASS_3072_PSS_SHA256, // RSA-3072 with PSS padding, SHA-256
RSASS_4096_PSS_SHA256, // RSA-4096 with PSS padding, SHA-256
RSASS_2048_PSS_SHA512, // RSA-2048 with PSS padding, SHA-512
RSASS_3072_PSS_SHA512, // RSA-3072 with PSS padding, SHA-512
RSASS_4096_PSS_SHA512, // RSA-4096 with PSS padding, SHA-512
// DSA schemes
DSA_2048_SHA256, // DSA 2048-bit with SHA-256
DSA_3072_SHA256 // DSA 3072-bit with SHA-256
};
}Members
ECDSA Schemes
ECDSA_P256_SHA256
Value: signature_scheme::ECDSA_P256_SHA256
ECDSA with NIST P-256 curve and SHA-256 hash function.
Security Level: 128-bit
Key Size: 256-bit ECC
Hash Function: SHA-256
Signature Size: ~64 bytes
Performance: Excellent
EdDSA Schemes
Usage
#include <keychain/keychain.h>
// Select signature scheme for persona
keychain::signature_scheme scheme = keychain::signature_scheme::ECDSA_P256_SHA256;
// Create persona with specific scheme
keychain::persona alice = gateway.create_persona(
"alice", "personal",
keychain::security_level::HIGH,
scheme // signature scheme
);
// Check scheme properties
auto algorithm_class = scheme.get_algorithm_class();
if (algorithm_class == keychain::signature_algorithm_class::ECDSA) {
std::cout << "Using ECDSA signatures" << std::endl;
}
// Sign with specific scheme
std::string document = "Contract terms...";
keychain::verifiable_data signed_doc = gateway.sign(alice, document);
// Verify signature
auto verification_results = gateway.verify(alice, signed_doc);
for (const auto& result : verification_results) {
if (result.is_verified()) {
std::cout << "Signature verified with scheme: "
<< to_string(result.get_signature_scheme()) << std::endl;
}
}Security and Performance Comparison
| Scheme | Security Level | Key Size | Signature Size | Sign Speed | Verify Speed | Deterministic |
|---|---|---|---|---|---|---|
ECDSA_P256_SHA256 |
128-bit |
256-bit |
~64 bytes |
★★★★★ |
★★★★★ |
No |
ECDSA_P384_SHA384 |
192-bit |
384-bit |
~96 bytes |
★★★★☆ |
★★★★☆ |
No |
ECDSA_P521_SHA512 |
256-bit |
521-bit |
~132 bytes |
★★★☆☆ |
★★★☆☆ |
No |
EDDSA_ED25519 |
~128-bit |
255-bit |
64 bytes |
★★★★★ |
★★★★★ |
Yes |
EDDSA_ED448 |
~224-bit |
448-bit |
114 bytes |
★★★★☆ |
★★★★☆ |
Yes |
RSASS_3072_PSS_SHA256 |
128-bit |
3072-bit |
384 bytes |
★★☆☆☆ |
★★★☆☆ |
No |
RSASS_4096_PSS_SHA512 |
~140-bit |
4096-bit |
512 bytes |
★☆☆☆☆ |
★★☆☆☆ |
No |
DSA_3072_SHA256 |
128-bit |
3072-bit |
~64 bytes |
★★☆☆☆ |
★★★☆☆ |
No |
Algorithm Selection Guidelines
For New Applications
-
EDDSA_ED25519 - Best overall choice (fast, secure, deterministic)
-
ECDSA_P256_SHA256 - Industry standard with excellent compatibility
-
ECDSA_P384_SHA384 - Conservative choice for future-proofing
For High Security
-
EDDSA_ED448 - Maximum security with modern design
-
ECDSA_P521_SHA512 - Maximum elliptic curve security
-
RSASS_4096_PSS_SHA512 - When RSA is required
Example Usage Patterns
// Performance benchmark
void benchmark_signature_schemes() {
std::vector<keychain::signature_scheme> schemes = {
keychain::signature_scheme::EDDSA_ED25519,
keychain::signature_scheme::ECDSA_P256_SHA256,
keychain::signature_scheme::RSASS_3072_PSS_SHA256
};
std::string test_data = "Benchmark test message";
for (auto scheme : schemes) {
// Benchmark signing
auto start = std::chrono::high_resolution_clock::now();
for (int i = 0; i < 1000; ++i) {
auto signature = gateway.sign_with_scheme(persona, test_data, scheme);
}
auto end = std::chrono::high_resolution_clock::now();
auto sign_duration = std::chrono::duration_cast<std::chrono::microseconds>(end - start);
std::cout << "Scheme " << to_string(scheme)
<< " signing: " << sign_duration.count() << " μs/1000" << std::endl;
}
}
// Scheme validation
bool validate_signature_scheme(keychain::signature_scheme scheme,
keychain::security_level required_level) {
// Check minimum security requirements
switch (required_level) {
case keychain::security_level::HIGH:
return scheme != keychain::signature_scheme::RSASS_2048_PKCS1_SHA256;
case keychain::security_level::ULTRA:
return scheme == keychain::signature_scheme::EDDSA_ED448 ||
scheme == keychain::signature_scheme::ECDSA_P521_SHA512 ||
scheme == keychain::signature_scheme::RSASS_4096_PSS_SHA512;
default:
return true;
}
}
// Multi-scheme verification
bool verify_with_fallback_schemes(const keychain::verifiable_data& data,
const std::vector<keychain::signature_scheme>& accepted_schemes) {
auto verification_results = gateway.verify(persona, data);
for (const auto& result : verification_results) {
auto used_scheme = result.get_signature_scheme();
// Check if scheme is in accepted list
if (std::find(accepted_schemes.begin(), accepted_schemes.end(), used_scheme)
!= accepted_schemes.end()) {
if (result.is_verified()) {
std::cout << "Verified with accepted scheme: " << to_string(used_scheme) << std::endl;
return true;
}
} else {
std::cout << "Warning: Signature uses non-accepted scheme: "
<< to_string(used_scheme) << std::endl;
}
}
return false;
}Migration Considerations
// Scheme migration example
keychain::signature_scheme legacy_scheme = keychain::signature_scheme::RSASS_2048_PKCS1_SHA256;
keychain::signature_scheme modern_scheme = keychain::signature_scheme::EDDSA_ED25519;
// Check if migration is needed
bool should_migrate_scheme(keychain::signature_scheme current_scheme) {
// Migrate away from deprecated schemes
std::vector<keychain::signature_scheme> deprecated = {
keychain::signature_scheme::RSASS_2048_PKCS1_SHA256,
keychain::signature_scheme::DSA_2048_SHA256
};
return std::find(deprecated.begin(), deprecated.end(), current_scheme)
!= deprecated.end();
}
// Gradual migration strategy
void migrate_persona_scheme(keychain::persona& persona) {
auto current_scheme = persona.get_signature_scheme();
if (should_migrate_scheme(current_scheme)) {
// Create new keychain with modern scheme
auto new_scheme = keychain::signature_scheme::EDDSA_ED25519;
persona.add_keychain(keychain::keychain_type::SIGNATURE, new_scheme);
// Keep old keychain for verification of existing signatures
std::cout << "Added new keychain with " << to_string(new_scheme)
<< ", keeping old " << to_string(current_scheme)
<< " for compatibility" << std::endl;
}
}Deterministic vs Non-Deterministic Signatures
// EdDSA provides deterministic signatures
void demonstrate_deterministic_signatures() {
keychain::signature_scheme det_scheme = keychain::signature_scheme::EDDSA_ED25519;
keychain::signature_scheme non_det_scheme = keychain::signature_scheme::ECDSA_P256_SHA256;
std::string message = "Test message";
// EdDSA - same input always produces same signature
auto sig1 = gateway.sign_with_scheme(persona, message, det_scheme);
auto sig2 = gateway.sign_with_scheme(persona, message, det_scheme);
assert(sig1.get_signature() == sig2.get_signature()); // Always equal
// ECDSA - same input produces different signatures (randomized)
auto sig3 = gateway.sign_with_scheme(persona, message, non_det_scheme);
auto sig4 = gateway.sign_with_scheme(persona, message, non_det_scheme);
assert(sig3.get_signature() != sig4.get_signature()); // Usually different
// Both verify correctly
assert(gateway.verify(persona, sig1).front().is_verified());
assert(gateway.verify(persona, sig3).front().is_verified());
}Related Types
-
signature_algorithm_class - Signature algorithm families
-
encryption_scheme - Encryption algorithms
-
security_level - Security level configuration
-
attestation - Digital signatures with metadata
See Also
-
gateway - Signature operations
-
verifiable_data - Signed data containers
-
{nist-fips-186-4}[NIST FIPS 186-4] - Digital Signature Standard
-
{rfc-8032}[RFC 8032] - EdDSA Specification
-
{rfc-3447}[RFC 3447] - RSA PKCS#1