explaingit

quipnetwork/hashsigs-py

11,535PythonAudience · developerComplexity · 3/5LicenseSetup · moderate

TLDR

A Python package that lets you generate and verify quantum-resistant digital signatures using hash functions, install via pip, with an optional Rust backend for extra speed.

Mindmap

mindmap
  root((hashsigs-py))
    What it does
      Hash-based signing
      Quantum resistant
      Key generation
      Signature verify
    Backends
      Pure Python
      Rust extension
      Auto-detection
    Testing
      Full with Rust
      Reduced no Rust
      Minimal stdlib only
    Setup
      pip install
      Optional Rust build
      keccak provider
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Things people build with this

USE CASE 1

Generate a quantum-resistant key pair and sign messages in a Python application that needs long-term cryptographic security.

USE CASE 2

Verify digital signatures in a system that must remain secure even after quantum computers become practical.

USE CASE 3

Benchmark pure-Python vs Rust-backed hash signature performance to decide whether to compile the Rust extension in your deployment.

Tech stack

PythonRustpipWOTS+keccak

Getting it running

Difficulty · moderate Time to first run · 30min

Pure-Python mode needs only pip, full performance requires the Rust toolchain at install time. Python 3.13 and macOS have known build quirks documented in the README.

Released under AGPL-3.0, you may use and modify the code, but if you distribute or run it as a service you must share your source code under the same license.

In plain English

Hashsigs-py is a Python package that implements WOTS+, a type of cryptographic digital signature based entirely on hash functions. Unlike most signing systems in use today, hash-based signatures are considered resistant to attacks from quantum computers, making this approach relevant to organizations thinking about long-term security. The package is installed with pip and works out of the box using a pure Python implementation. For better performance, it can optionally build a Rust extension at install time. If the Rust toolchain is present on the system, the package detects it automatically and compiles the faster backend. The Python code then checks at runtime whether the Rust extension is available and falls back to pure Python if it is not. This means the package is usable on any machine, with the faster path available when Rust is set up. Using the library involves three steps: generating a key pair from a seed, signing a message with the private key, and verifying the signature using the public key. Both key generation and signing accept raw byte strings. The README includes a one-line shell command that imports the package, runs a sign-and-verify cycle, and prints the result, providing a quick confirmation that the installation is working correctly. The test suite has three tiers depending on what dependencies are available: full tests with vector validation require both the Rust extension and a keccak cryptographic provider, a reduced set runs with keccak but without Rust, and a minimal set runs with only the standard library. The README includes troubleshooting steps for common build failures on Python 3.13 and macOS. The project is released under the AGPL-3.0 license.

Copy-paste prompts

Prompt 1
Using hashsigs-py, write a Python snippet that generates a WOTS+ key pair from a random seed, signs a message, and verifies the signature.
Prompt 2
I want to use hashsigs-py in a project but I cannot install the Rust toolchain on my server. Show me how to install and use the pure-Python fallback mode.
Prompt 3
Explain what WOTS+ is and why it is considered quantum-resistant, then show me how hashsigs-py implements sign and verify so I can audit the flow.
Prompt 4
Set up the full hashsigs-py test suite with Rust extension and keccak provider and run it to confirm my environment is correctly configured.
Open on GitHub → Explain another repo

← quipnetwork on gitmyhub — every repo by this author, as a profile.

Verify against the repo before relying on details.