transcrypto 1.1.2__py3-none-any.whl → 1.2.0__py3-none-any.whl

transcrypto/aes.py

@@ -47,7 +47,7 @@ assert _PASSWORD_ITERATIONS == (6075308 + 1) // 3, 'should never happen: constan
 
 
 @dataclasses.dataclass(kw_only=True, slots=True, frozen=True, repr=False)
-class AESKey(base.CryptoKey, base.SymmetricCrypto):
+class AESKey(base.CryptoKey, base.Encryptor, base.Decryptor):
   """Advanced Encryption Standard (AES) 256 bits key (32 bytes).
 
   No measures are taken here to prevent timing attacks.
@@ -112,7 +112,7 @@ class AESKey(base.CryptoKey, base.SymmetricCrypto):
         salt=_PASSWORD_SALT_256, iterations=_PASSWORD_ITERATIONS)
     return cls(key256=kdf.derive(str_password.encode('utf-8')))
 
-  class ECBEncoderClass(base.SymmetricCrypto):
+  class ECBEncoderClass(base.Encryptor, base.Decryptor):
     """The simplest encryption possible (UNSAFE if misused): 128 bit block AES-ECB, 256 bit key.
 
     Please DO **NOT** use this for regular cryptography. For regular crypto use Encrypt()/Decrypt().
@@ -245,7 +245,8 @@ class AESKey(base.CryptoKey, base.SymmetricCrypto):
       InputError: invalid inputs
       CryptoError: internal crypto failures, authentication failure, key mismatch, etc
     """
-    assert len(ciphertext) >= 32, 'should never happen: AES256+GCM should have ≥32 bytes IV/CT/tag'
+    if len(ciphertext) < 32:
+      raise base.InputError(f'AES256+GCM should have ≥32 bytes IV/CT/tag: {len(ciphertext)}')
     iv, tag = ciphertext[:16], ciphertext[-16:]
     decryptor: ciphers.CipherContext = ciphers.Cipher(
         algorithms.AES256(self.key256), modes.GCM(iv, tag)).decryptor()

transcrypto/base.py

@@ -19,12 +19,11 @@ import pickle
 # import pdb
 import secrets
 import time
-from typing import Any, Callable, final, MutableSequence, Self, TypeVar
-
+from typing import Any, Callable, final, MutableSequence, Protocol, runtime_checkable, Self, TypeVar
 import zstandard
 
 __author__ = 'balparda@github.com'
-__version__ = '1.1.2'  # v1.1.2, 2025-08-29
+__version__ = '1.2.0'  # 2025-09-05, Fri
 __version_tuple__: tuple[int, ...] = tuple(int(v) for v in __version__.split('.'))
 
 # MIN_TM = int(  # minimum allowed timestamp
@@ -35,8 +34,8 @@ BytesToInt: Callable[[bytes], int] = lambda b: int.from_bytes(b, 'big', signed=F
 BytesToEncoded: Callable[[bytes], str] = lambda b: base64.urlsafe_b64encode(b).decode('ascii')
 
 HexToBytes: Callable[[str], bytes] = bytes.fromhex
-IntToBytes: Callable[[int], bytes] = lambda i: i.to_bytes(
-    (i.bit_length() + 7) // 8, 'big', signed=False)
+IntToFixedBytes: Callable[[int, int], bytes] = lambda i, n: i.to_bytes(n, 'big', signed=False)
+IntToBytes: Callable[[int], bytes] = lambda i: IntToFixedBytes(i, (i.bit_length() + 7) // 8)
 IntToEncoded: Callable[[int], str] = lambda i: BytesToEncoded(IntToBytes(i))
 EncodedToBytes: Callable[[str], bytes] = lambda e: base64.urlsafe_b64decode(e.encode('ascii'))
 
@@ -46,7 +45,7 @@ PadBytesTo: Callable[[bytes, int], bytes] = lambda b, i: b.rjust((i + 7) // 8, b
 # these control the pickling of data, do NOT ever change, or you will break all databases
 # <https://docs.python.org/3/library/pickle.html#pickle.DEFAULT_PROTOCOL>
 _PICKLE_PROTOCOL = 4  # protocol 4 available since python v3.8 # do NOT ever change!
-_PICKLE_AAD = b'transcrypto.base.Serialize'  # do NOT ever change!
+_PICKLE_AAD = b'transcrypto.base.Serialize.1.0'  # do NOT ever change!
 # these help find compressed files, do NOT change unless zstandard changes
 _ZSTD_MAGIC_FRAME = 0xFD2FB528
 _ZSTD_MAGIC_SKIPPABLE_MIN = 0x184D2A50
@@ -646,11 +645,11 @@ class CryptoKey(abc.ABC):
     return BytesToEncoded(self.blob)
 
   @final
-  def Blob(self, /, *, key: SymmetricCrypto | None = None, silent: bool = True) -> bytes:
+  def Blob(self, /, *, key: Encryptor | None = None, silent: bool = True) -> bytes:
     """Serial (bytes) representation of the object with more options, including encryption.
 
     Args:
-      key (SymmetricCrypto, optional): if given will key.Encrypt() data before saving
+      key (Encryptor, optional): if given will key.Encrypt() data before saving
       silent (bool, optional): if True (default) will not log
 
     Returns:
@@ -659,11 +658,11 @@ class CryptoKey(abc.ABC):
     return Serialize(self, compress=-2, key=key, silent=silent)
 
   @final
-  def Encoded(self, /, *, key: SymmetricCrypto | None = None, silent: bool = True) -> str:
+  def Encoded(self, /, *, key: Encryptor | None = None, silent: bool = True) -> str:
     """Base-64 representation of the object with more options, including encryption.
 
     Args:
-      key (SymmetricCrypto, optional): if given will key.Encrypt() data before saving
+      key (Encryptor, optional): if given will key.Encrypt() data before saving
       silent (bool, optional): if True (default) will not log
 
     Returns:
@@ -674,14 +673,13 @@ class CryptoKey(abc.ABC):
   @final
   @classmethod
   def Load(
-      cls, data: str | bytes, /, *,
-      key: SymmetricCrypto | None = None, silent: bool = True) -> Self:
+      cls, data: str | bytes, /, *, key: Decryptor | None = None, silent: bool = True) -> Self:
     """Load (create) object from serialized bytes or string.
 
     Args:
       data (str | bytes): if bytes is assumed from CryptoKey.blob/Blob(), and
           if string is assumed from CryptoKey.encoded/Encoded()
-      key (SymmetricCrypto, optional): if given will key.Encrypt() data before saving
+      key (Decryptor, optional): if given will key.Encrypt() data before saving
       silent (bool, optional): if True (default) will not log
 
     Returns:
@@ -698,20 +696,21 @@ class CryptoKey(abc.ABC):
     return obj  # type:ignore
 
 
-class SymmetricCrypto(abc.ABC):
-  """Abstract interface for symmetric encryption.
+@runtime_checkable
+class Encryptor(Protocol):  # pylint: disable=too-few-public-methods
+  """Abstract interface for a class that has encryption
 
   Contract:
     - If algorithm accepts a `nonce` or `tag` these have to be handled internally by the
-      implementation and appended to the ciphertext.
+      implementation and appended to the `ciphertext`/`signature`.
     - If AEAD is supported, `associated_data` (AAD) must be authenticated. If not supported
       then `associated_data` different from None must raise InputError.
 
   Notes:
     The interface is deliberately minimal: byte-in / byte-out.
     Metadata like nonce/tag may be:
-      - returned alongside ciphertext, or
-      - bundled/serialized into `ciphertext` by the implementation.
+      - returned alongside `ciphertext`/`signature`, or
+      - bundled/serialized into `ciphertext`/`signature` by the implementation.
   """
 
   @abc.abstractmethod
@@ -732,6 +731,11 @@ class SymmetricCrypto(abc.ABC):
       CryptoError: internal crypto failures
     """
 
+
+@runtime_checkable
+class Decryptor(Protocol):  # pylint: disable=too-few-public-methods
+  """Abstract interface for a class that has decryption (see contract/notes in Encryptor)."""
+
   @abc.abstractmethod
   def Decrypt(self, ciphertext: bytes, /, *, associated_data: bytes | None = None) -> bytes:
     """Decrypt `ciphertext` and return the original `plaintext`.
@@ -749,9 +753,55 @@ class SymmetricCrypto(abc.ABC):
     """
 
 
+@runtime_checkable
+class Verifier(Protocol):  # pylint: disable=too-few-public-methods
+  """Abstract interface for asymmetric signature verify. (see contract/notes in Encryptor)."""
+
+  @abc.abstractmethod
+  def Verify(
+      self, message: bytes, signature: bytes, /, *, associated_data: bytes | None = None) -> bool:
+    """Verify a `signature` for `message`. True if OK; False if failed verification.
+
+    Args:
+      message (bytes): Data that was signed (including any embedded nonce/tag if applicable)
+      signature (bytes): Signature data to verify (including any embedded nonce/tag if applicable)
+      associated_data (bytes, optional): Optional AAD (must match what was used during signing)
+
+    Returns:
+      True if signature is valid, False otherwise
+
+    Raises:
+      InputError: invalid inputs
+      CryptoError: internal crypto failures, authentication failure, key mismatch, etc
+    """
+
+
+@runtime_checkable
+class Signer(Protocol):  # pylint: disable=too-few-public-methods
+  """Abstract interface for asymmetric signing. (see contract/notes in Encryptor)."""
+
+  @abc.abstractmethod
+  def Sign(self, message: bytes, /, *, associated_data: bytes | None = None) -> bytes:
+    """Sign `message` and return the `signature`.
+
+    Args:
+      message (bytes): Data to sign.
+      associated_data (bytes, optional): Optional AAD for AEAD modes; must be
+          provided again on decrypt
+
+    Returns:
+      bytes: Signature; if a nonce/tag is needed for decryption, the implementation
+      must encode it within the returned bytes (or document how to retrieve it)
+
+    Raises:
+      InputError: invalid inputs
+      CryptoError: internal crypto failures
+    """
+
+
 def Serialize(
     python_obj: Any, /, *, file_path: str | None = None,
-    compress: int | None = 3, key: SymmetricCrypto | None = None, silent: bool = False) -> bytes:
+    compress: int | None = 3, key: Encryptor | None = None, silent: bool = False) -> bytes:
   """Serialize a Python object into a BLOB, optionally compress / encrypt / save to disk.
 
   Data path is:
@@ -777,7 +827,7 @@ def Serialize(
     file_path (str, optional): full path to optionally save the data to
     compress (int | None, optional): Compress level before encrypting/saving; -22 ≤ compress ≤ 22;
         None is no compression; default is 3, which is fast, see table above for other values
-    key (SymmetricCrypto, optional): if given will key.Encrypt() data before saving
+    key (Encryptor, optional): if given will key.Encrypt() data before saving
     silent (bool, optional): if True will not log; default is False (will log)
 
   Returns:
@@ -819,7 +869,7 @@ def Serialize(
 
 def DeSerialize(
     *, data: bytes | None = None, file_path: str | None = None,
-    key: SymmetricCrypto | None = None, silent: bool = False) -> Any:
+    key: Decryptor | None = None, silent: bool = False) -> Any:
   """Loads (de-serializes) a BLOB back to a Python object, optionally decrypting / decompressing.
 
   Data path is:
@@ -835,7 +885,7 @@ def DeSerialize(
        if you use this option, `file_path` will be ignored
     file_path (str, optional): if given, use this as file path to load binary data string (input);
        if you use this option, `data` will be ignored
-    key (SymmetricCrypto, optional): if given will key.Decrypt() data before decompressing/loading
+    key (Decryptor, optional): if given will key.Decrypt() data before decompressing/loading
     silent (bool, optional): if True will not log; default is False (will log)
 
   Returns:
@@ -893,7 +943,7 @@ def DeSerialize(
 
 
 @dataclasses.dataclass(kw_only=True, slots=True, frozen=True, repr=False)
-class PublicBid(CryptoKey):
+class PublicBid512(CryptoKey):
   """Public commitment to a (cryptographically secure) bid that can be revealed/validated later.
 
   Bid is computed as: public_hash = Hash512(public_key || private_key || secret_bid)
@@ -901,6 +951,8 @@ class PublicBid(CryptoKey):
   Everything is bytes. The public part is (public_key, public_hash) and the private
   part is (private_key, secret_bid). The whole computation can be checked later.
 
+  No measures are taken here to prevent timing attacks (probably not a concern).
+
   Attributes:
     public_key (bytes): 512-bits random value
     public_hash (bytes): SHA-512 hash of (public_key || private_key || secret_bid)
@@ -915,7 +967,7 @@ class PublicBid(CryptoKey):
     Raises:
       InputError: invalid inputs
     """
-    super(PublicBid, self).__post_init__()  # pylint: disable=super-with-arguments  # needed here b/c: dataclass
+    super(PublicBid512, self).__post_init__()  # pylint: disable=super-with-arguments  # needed here b/c: dataclass
     if len(self.public_key) != 64 or len(self.public_hash) != 64:
       raise InputError(f'invalid public_key or public_hash: {self}')
 
@@ -925,7 +977,8 @@ class PublicBid(CryptoKey):
     Returns:
       string representation of PublicBid
     """
-    return (f'PublicBid(public_key={BytesToEncoded(self.public_key)}, '
+    return ('PublicBid512('
+            f'public_key={BytesToEncoded(self.public_key)}, '
             f'public_hash={BytesToHex(self.public_hash)})')
 
   def VerifyBid(self, private_key: bytes, secret: bytes, /) -> bool:
@@ -943,7 +996,7 @@ class PublicBid(CryptoKey):
     """
     try:
       # creating the PrivateBid object will validate everything; InputError we allow to propagate
-      PrivateBid(
+      PrivateBid512(
           public_key=self.public_key, public_hash=self.public_hash,
           private_key=private_key, secret_bid=secret)
       return True  # if we got here, all is good
@@ -951,13 +1004,13 @@ class PublicBid(CryptoKey):
       return False  # bid does not match the public commitment
 
   @classmethod
-  def Copy(cls, other: PublicBid, /) -> Self:
+  def Copy(cls, other: PublicBid512, /) -> Self:
     """Initialize a public bid by taking the public parts of a public/private bid."""
     return cls(public_key=other.public_key, public_hash=other.public_hash)
 
 
 @dataclasses.dataclass(kw_only=True, slots=True, frozen=True, repr=False)
-class PrivateBid(PublicBid):
+class PrivateBid512(PublicBid512):
   """Private bid that can be revealed and validated against a public commitment (see PublicBid).
 
   Attributes:
@@ -975,7 +1028,7 @@ class PrivateBid(PublicBid):
       InputError: invalid inputs
       CryptoError: bid does not match the public commitment
     """
-    super(PrivateBid, self).__post_init__()  # pylint: disable=super-with-arguments  # needed here b/c: dataclass
+    super(PrivateBid512, self).__post_init__()  # pylint: disable=super-with-arguments  # needed here b/c: dataclass
     if len(self.private_key) != 64 or len(self.secret_bid) < 1:
       raise InputError(f'invalid private_key or secret_bid: {self}')
     if self.public_hash != Hash512(self.public_key + self.private_key + self.secret_bid):
@@ -987,7 +1040,8 @@ class PrivateBid(PublicBid):
     Returns:
       string representation of PrivateBid without leaking secrets
     """
-    return (f'PrivateBid({super(PrivateBid, self).__str__()}, '  # pylint: disable=super-with-arguments
+    return ('PrivateBid512('
+            f'{super(PrivateBid512, self).__str__()}, '  # pylint: disable=super-with-arguments
             f'private_key={ObfuscateSecret(self.private_key)}, '
             f'secret_bid={ObfuscateSecret(self.secret_bid)})')
 

transcrypto/dsa.py

@@ -17,21 +17,30 @@ import logging
 # import pdb
 from typing import Self
 
-from . import base
-from . import modmath
+from . import base, modmath
 
 __author__ = 'balparda@github.com'
 __version__: str = base.__version__  # version comes from base!
 __version_tuple__: tuple[int, ...] = base.__version_tuple__
 
 
-_PRIME_MULTIPLE_SEARCH = 30
+_PRIME_MULTIPLE_SEARCH = 4096  # how many multiples of q to try before restarting
 _MAX_KEY_GENERATION_FAILURES = 15
 
+# fixed prefixes: do NOT ever change! will break all encryption and signature schemes
+_DSA_SIGNATURE_HASH_PREFIX = b'transcrypto.DSA.Signature.1.0\x00'
+
 
 def NBitRandomDSAPrimes(p_bits: int, q_bits: int, /) -> tuple[int, int, int]:
   """Generates 2 random DSA primes p & q with `x_bits` size and (p-1)%q==0.
 
+  Uses an aggressive small-prime wheel sieve:
+  Before any Miller-Rabin we reject p = m·q + 1 if it is divisible by a small prime.
+  We precompute forbidden residues for m:
+  • For each small prime r (all primes up to, say, 100 000), we compute
+    m_forbidden ≡ -q⁻¹ (mod r) (because (m·q + 1) % r == 0 ⇔ m ≡ -q⁻¹ (mod r))
+  • When we iterate m, we skip values that hit any forbidden residue class.
+
   Args:
     p_bits (int): Number of guaranteed bits in `p` prime representation,
         p_bits ≥ q_bits + 11
@@ -50,23 +59,45 @@ def NBitRandomDSAPrimes(p_bits: int, q_bits: int, /) -> tuple[int, int, int]:
   if p_bits < q_bits + 11:
     raise base.InputError(f'invalid p_bits length: {p_bits=}')
   # make q
-  q = modmath.NBitRandomPrime(q_bits)
+  q: int = modmath.NBitRandomPrime(q_bits)
+  # make list of small primes to use for sieving
+  approx_q_root: int = 1 << (q_bits // 2)
+  forbidden: dict[int, int] = {}  # (modulus: forbidden residue)
+  for r in modmath.PrimeGenerator(3):
+    forbidden[r] = (-modmath.ModInv(q % r, r)) % r
+    if r > 100000 or r > approx_q_root:
+      break
+
+  def _PassesSieve(m: int) -> bool:
+    for r, f in forbidden.items():
+      if m % r == f:
+        return False
+    return True
+
   # find range of multiples to use
   min_p, max_p = 2 ** (p_bits - 1), 2 ** p_bits - 1
   min_m, max_m = min_p // q + 2, max_p // q - 2
   assert max_m - min_m > 1000  # make sure we'll have options!
   # start searching from a random multiple
   failures: int = 0
+  window: int = max(_PRIME_MULTIPLE_SEARCH, 2 * p_bits)
   while True:
     # try searching starting here
     m: int = base.RandInt(min_m, max_m)
-    for _ in range(_PRIME_MULTIPLE_SEARCH):
+    if m % 2:
+      m += 1  # make even
+    for _ in range(window):
       p: int = q * m + 1
       if p >= max_p:
         break
+      # first do a quick sieve test
+      if not _PassesSieve(m):
+        m += 2
+        continue
+      # passed sieve, do full test
       if modmath.IsPrime(p):
         return (p, q, m)  # found a suitable prime set!
-      m += 1  # next multiple
+      m += 2  # next multiple
     # after _PRIME_MULTIPLE_SEARCH we declare this range failed
     failures += 1
     if failures >= _MAX_KEY_GENERATION_FAILURES:
@@ -78,8 +109,6 @@ def NBitRandomDSAPrimes(p_bits: int, q_bits: int, /) -> tuple[int, int, int]:
 class DSASharedPublicKey(base.CryptoKey):
   """DSA shared public key. This key can be shared by a group.
 
-  BEWARE: This is raw DSA, no ECDSA/EdDSA padding, no hash, no validation!
-  These are pedagogical/raw primitives; do not use for new protocols.
   No measures are taken here to prevent timing attacks.
 
   Attributes:
@@ -116,10 +145,43 @@ class DSASharedPublicKey(base.CryptoKey):
       string representation of DSASharedPublicKey
     """
     return ('DSASharedPublicKey('
+            f'bits=[{self.prime_modulus.bit_length()}, {self.prime_seed.bit_length()}], '
             f'prime_modulus={base.IntToEncoded(self.prime_modulus)}, '
             f'prime_seed={base.IntToEncoded(self.prime_seed)}, '
             f'group_base={base.IntToEncoded(self.group_base)})')
 
+  @property
+  def modulus_size(self) -> tuple[int, int]:
+    """Modulus size in bytes. The number of bytes used in Sign/Verify."""
+    return ((self.prime_modulus.bit_length() + 7) // 8,
+            (self.prime_seed.bit_length() + 7) // 8)
+
+  def _DomainSeparatedHash(
+      self, message: bytes, associated_data: bytes | None, salt: bytes, /) -> int:
+    """Compute the domain-separated hash for signing and verifying.
+
+    Args:
+      message (bytes): message to sign/verify
+      associated_data (bytes | None): optional associated data
+      salt (bytes): salt to use in the hash
+
+    Returns:
+      int: integer representation of the hash output;
+      Hash512("prefix" || len(aad) || aad || message || salt)
+
+    Raises:
+      CryptoError: hash output is out of range
+    """
+    aad: bytes = b'' if associated_data is None else associated_data
+    la: bytes = base.IntToFixedBytes(len(aad), 8)
+    assert len(salt) == 64, 'should never happen: salt should be exactly 64 bytes'
+    y: int = base.BytesToInt(
+        base.Hash512(_DSA_SIGNATURE_HASH_PREFIX + la + aad + message + salt))
+    if not 1 < y < self.prime_seed - 1:
+      # will only reasonably happen if prime seed is small
+      raise base.CryptoError(f'hash output {y} is out of range/invalid {self.prime_seed}')
+    return y
+
   @classmethod
   def NewShared(cls, p_bits: int, q_bits: int, /) -> Self:
     """Make a new shared public key of `bit_length` bits.
@@ -146,11 +208,9 @@ class DSASharedPublicKey(base.CryptoKey):
 
 
 @dataclasses.dataclass(kw_only=True, slots=True, frozen=True, repr=False)
-class DSAPublicKey(DSASharedPublicKey):
+class DSAPublicKey(DSASharedPublicKey, base.Verifier):
   """DSA public key. This is an individual public key.
 
-  BEWARE: This is raw DSA, no ECDSA/EdDSA padding, no hash, no validation!
-  These are pedagogical/raw primitives; do not use for new protocols.
   No measures are taken here to prevent timing attacks.
 
   Attributes:
@@ -176,11 +236,12 @@ class DSAPublicKey(DSASharedPublicKey):
     Returns:
       string representation of DSAPublicKey
     """
-    return (f'DSAPublicKey({super(DSAPublicKey, self).__str__()}, '  # pylint: disable=super-with-arguments
+    return ('DSAPublicKey('
+            f'{super(DSAPublicKey, self).__str__()}, '  # pylint: disable=super-with-arguments
             f'individual_base={base.IntToEncoded(self.individual_base)})')
 
   def _MakeEphemeralKey(self) -> tuple[int, int]:
-    """Make an ephemeral key adequate to be used with El-Gamal.
+    """Make an ephemeral key adequate to be used with DSA.
 
     Returns:
       (key, key_inverse), where 3 ≤ k < p_seed and (k*i) % p_seed == 1
@@ -192,9 +253,11 @@ class DSAPublicKey(DSASharedPublicKey):
       ephemeral_key = base.RandBits(bit_length - 1)
     return (ephemeral_key, modmath.ModInv(ephemeral_key, self.prime_seed))
 
-  def VerifySignature(self, message: int, signature: tuple[int, int], /) -> bool:
+  def RawVerify(self, message: int, signature: tuple[int, int], /) -> bool:
     """Verify a signature. True if OK; False if failed verification.
 
+    BEWARE: This is raw DSA, no ECDSA/EdDSA padding, no hash, no validation!
+    These are pedagogical/raw primitives; do not use for new protocols.
     We explicitly disallow `message` to be zero.
 
     Args:
@@ -221,6 +284,42 @@ class DSAPublicKey(DSASharedPublicKey):
         self.individual_base, (signature[0] * inv) % self.prime_seed, self.prime_modulus)
     return ((a * b) % self.prime_modulus) % self.prime_seed == signature[0]
 
+  def Verify(
+      self, message: bytes, signature: bytes, /, *, associated_data: bytes | None = None) -> bool:
+    """Verify a `signature` for `message`. True if OK; False if failed verification.
+
+    • Let k = ceil(log2(n))/8 be the modulus size in bytes.
+    • Split signature in 3 parts: the first 64 bytes is salt, the rest is s1 and s2
+    • y_check = DSA(s1, s2)
+    • return y_check == Hash512("prefix" || len(aad) || aad || message || salt)
+    • return False for any malformed signature
+
+    Args:
+      message (bytes): Data that was signed
+      signature (bytes): Signature data to verify
+      associated_data (bytes, optional): Optional AAD (must match what was used during signing)
+
+    Returns:
+      True if signature is valid, False otherwise
+
+    Raises:
+      InputError: invalid inputs
+      CryptoError: internal crypto failures, authentication failure, key mismatch, etc
+    """
+    k: int = self.modulus_size[1]  # use prime_seed size
+    if k <= 64:
+      raise base.InputError(f'modulus/seed too small for signing operations: {k} bytes')
+    if len(signature) != (64 + k + k):
+      logging.info(f'invalid signature length: {len(signature)} ; expected {64 + k + k}')
+      return False
+    try:
+      return self.RawVerify(
+          self._DomainSeparatedHash(message, associated_data, signature[:64]),
+          (base.BytesToInt(signature[64:64 + k]), base.BytesToInt(signature[64 + k:])))
+    except base.InputError as err:
+      logging.info(err)
+      return False
+
   @classmethod
   def Copy(cls, other: DSAPublicKey, /) -> Self:
     """Initialize a public key by taking the public parts of a public/private key."""
@@ -232,11 +331,9 @@ class DSAPublicKey(DSASharedPublicKey):
 
 
 @dataclasses.dataclass(kw_only=True, slots=True, frozen=True, repr=False)
-class DSAPrivateKey(DSAPublicKey):
+class DSAPrivateKey(DSAPublicKey, base.Signer):  # pylint: disable=too-many-ancestors
   """DSA private key.
 
-  BEWARE: This is raw DSA, no ECDSA/EdDSA padding, no hash, no validation!
-  These are pedagogical/raw primitives; do not use for new protocols.
   No measures are taken here to prevent timing attacks.
 
   Attributes:
@@ -266,12 +363,15 @@ class DSAPrivateKey(DSAPublicKey):
     Returns:
       string representation of DSAPrivateKey without leaking secrets
     """
-    return (f'DSAPrivateKey({super(DSAPrivateKey, self).__str__()}, '  # pylint: disable=super-with-arguments
+    return ('DSAPrivateKey('
+            f'{super(DSAPrivateKey, self).__str__()}, '  # pylint: disable=super-with-arguments
             f'decrypt_exp={base.ObfuscateSecret(self.decrypt_exp)})')
 
-  def Sign(self, message: int, /) -> tuple[int, int]:
+  def RawSign(self, message: int, /) -> tuple[int, int]:
     """Sign `message` with this private key.
 
+    BEWARE: This is raw DSA, no ECDSA/EdDSA padding, no hash, no validation!
+    These are pedagogical/raw primitives; do not use for new protocols.
     We explicitly disallow `message` to be zero.
 
     Args:
@@ -294,6 +394,40 @@ class DSAPrivateKey(DSAPublicKey):
       b = (ephemeral_inv * ((message + a * self.decrypt_exp) % self.prime_seed)) % self.prime_seed
     return (a, b)
 
+  def Sign(self, message: bytes, /, *, associated_data: bytes | None = None) -> bytes:
+    """Sign `message` and return the `signature`.
+
+    • Let k = ceil(log2(n))/8 be the modulus size in bytes.
+    • Pick random salt of 64 bytes
+    • s1, s2 = DSA(Hash512("prefix" || len(aad) || aad || message || salt))
+    • return salt || Padded(s1, k) || Padded(s2, k)
+
+    This is basically Full-Domain Hash DSA with a 512-bit hash and per-signature salt,
+    which is EUF-CMA secure in the ROM. Our domain-separation prefix and explicit AAD
+    length prefix are both correct and remove composition/ambiguity pitfalls.
+    There are no Bleichenbacher-style issue because we do not expose any padding semantics.
+
+    Args:
+      message (bytes): Data to sign.
+      associated_data (bytes, optional): Optional AAD for AEAD modes; must be
+          provided again on decrypt
+
+    Returns:
+      bytes: Signature; salt || Padded(s, k) - see above
+
+    Raises:
+      InputError: invalid inputs
+      CryptoError: internal crypto failures
+    """
+    k: int = self.modulus_size[1]  # use prime_seed size
+    if k <= 64:
+      raise base.InputError(f'modulus/seed too small for signing operations: {k} bytes')
+    salt: bytes = base.RandBytes(64)
+    s_int: tuple[int, int] = self.RawSign(self._DomainSeparatedHash(message, associated_data, salt))
+    s_bytes: bytes = base.IntToFixedBytes(s_int[0], k) + base.IntToFixedBytes(s_int[1], k)
+    assert len(s_bytes) == 2 * k, 'should never happen: s_bytes should be exactly 2k bytes'
+    return salt + s_bytes
+
   @classmethod
   def New(cls, shared_key: DSASharedPublicKey, /) -> Self:
     """Make a new private key based on an existing shared public key.