// kit 01
PQC Toolkit
Production-ready post-quantum crypto. Pick stack, pick primitive, copy the code.
$ verify_release.php
L1
1 <?php 2 // SLH-DSA-SHA2-128s release artifact verifier. 3 // Verification only — signing is done in CI by release_sign.py. 4 declare(strict_types=1); 5 6 require __DIR__ . '/SlhDsa128sVerify.php'; // FFI wrapper to liboqs 7 8 function verify_release(string $artifactPath, string $sigPath, string $pubB64): bool { 9 $bytes = file_get_contents($artifactPath); 10 $digest = hash('sha384', $bytes, true); 11 $sig = file_get_contents($sigPath); 12 $pub = base64_decode($pubB64); 13 return SlhDsa128sVerify::verify($digest, $sig, $pub); 14 } 15 16 if (php_sapi_name() === 'cli') { 17 [$_, $artifact, $sig, $pub] = $argv; 18 echo verify_release($artifact, $sig, $pub) ? "OK\n" : "BAD\n"; 19 }
KEY SIZE
32 B pub
SIG / CT
7856 B sig
NIST LEVEL
L1
NOTES
PHP SLH-DSA verifier wrapping liboqs via FFI (matching PqcKem.php and PqcSign.php).
- Verification cost: ~3 ms per artifact.
- Signing happens in CI with
release_sign.py(pqc-kit-python) — same wire format. - Drop in
SlhDsa128sVerify.phpnext to this file; both are in the PHP download bundle.