// kit 01

PQC Toolkit

Production-ready post-quantum crypto. Pick stack, pick primitive, copy the code.

$ verify_release.php
L1
PHP
1<?php
2// SLH-DSA-SHA2-128s release artifact verifier.
3// Verification only — signing is done in CI by release_sign.py.
4declare(strict_types=1);
5 
6require __DIR__ . '/SlhDsa128sVerify.php'; // FFI wrapper to liboqs
7 
8function verify_release(string $artifactPath, string $sigPath, string $pubB64): bool {
9 $bytes = file_get_contents($artifactPath);
10 $digest = hash('sha384', $bytes, true);
11 $sig = file_get_contents($sigPath);
12 $pub = base64_decode($pubB64);
13 return SlhDsa128sVerify::verify($digest, $sig, $pub);
14}
15 
16if (php_sapi_name() === 'cli') {
17 [$_, $artifact, $sig, $pub] = $argv;
18 echo verify_release($artifact, $sig, $pub) ? "OK\n" : "BAD\n";
19}
KEY SIZE
32 B pub
SIG / CT
7856 B sig
NIST LEVEL
L1
NOTES

PHP SLH-DSA verifier wrapping liboqs via FFI (matching PqcKem.php and PqcSign.php).

  • Verification cost: ~3 ms per artifact.
  • Signing happens in CI with release_sign.py (pqc-kit-python) — same wire format.
  • Drop in SlhDsa128sVerify.php next to this file; both are in the PHP download bundle.