Supported Cryptographic Schemes And Formats

Within Canton, we use the cryptographic primitives of signing, symmetric encryption, and asymmetric encryption, with the following supported cryptographic schemes and formats. For asymmetric signing and encryption, each scheme is divided into a key and an algorithm specification.
Legend for the following tables:
  • S = Supported
  • = Partially supported — only supports signature verification, not signing with a private key
  • = Partially supported — only supports encryption, not decryption with a private key
  • Values in brackets ([<scheme>]) indicate the configuration strings to use in Canton
Supported Asymmetric Encryption and Signing Key Specifications

| Key Spec | JCE | KMS | Purpose |
|---|---|---|---|
| EC-Curve25519 [ec-curve-25519] | S | | Signing |
| EC-P256 [ec-p-256] | S | S | Signing, Encryption |
| EC-P384 [ec-p-384] | S | S | Signing |
| EC-Secp256k1 [ec-secp-256k-1] | S | S | Signing |
| RSA-2048 [rsa-2048] | S | S | Encryption |
Supported Signing Algorithm Specifications

| Algorithm | JCE | KMS | Supported Key Specs |
|---|---|---|---|
| Ed25519 [ed-25519] | S | | EC-Curve25519 |
| EC-DSA-SHA256 [ec-dsa-sha-256] | S | S | EC-P256, EC-Secp256k1 |
| EC-DSA-SHA384 [ec-dsa-sha-384] | S | S | EC-P384 |
Supported Asymmetric Encryption Algorithm Specifications

| Algorithm | JCE | KMS | Supported Key Specs |
|---|---|---|---|
| ECIES-HMAC-SHA256-AES128-CBC [ecies-hkdf-hmac-sha-256-aes-128-cbc] | S | | EC-P256 |
| RSA-OAEP-SHA256 [rsa-oaep-sha-256] | S | S | RSA-2048 |
Default Cryptographic Schemes

| Crypto provider | JCE Default Scheme | KMS Default Scheme |
|---|---|---|
| Signing key specification | EC-Curve25519 | EC-P256 |
| Signing algorithm specification | Ed25519 | EC-DSA-SHA256 |
| Asymmetric encryption key specification | EC-P256 | RSA-2048 |
| Asymmetric encryption algorithm | ECIES with HMAC-SHA256 and AES128-CBC | RSA with OAEP and SHA-256 |
| Symmetric encryption scheme [1] | AES128-GCM | Same as JCE |
| Hash Algorithm [2] | SHA-256 | Same as JCE |
| PBKDF [3] | Argon2id | Same as JCE |

Key configuration for external keys with a Key Management Service (KMS)

| Provider | SIGNING | ENCRYPTION |
|---|---|---|
| AWS | Key Purpose: SIGN_VERIFY; Key Algorithms: ECC_NIST_P256 or ECC_NIST_P384 | Key Purpose: ENCRYPT_DECRYPT; Key Algorithm: RSA_2048 |
| GCP | Key Purpose: ASYMMETRIC_SIGN; Key Algorithms: EC_SIGN_P256_SHA256 or EC_SIGN_P384_SHA384 | Key Purpose: ASYMMETRIC_DECRYPT; Key Algorithm: RSA_DECRYPT_OAEP_2048_SHA256 |
| Driver | Must be compatible with EC_P256_SHA256 or EC_P384_SHA384 | Must be compatible with RSA_OAEP_2048_SHA256 |
Supported Cryptographic Key Formats by Key Type

| Key Type | Format (Config) | Format (gRPC / Protobuf) |
|---|---|---|
| Public Key | der-x-509-spki | CRYPTO_KEY_FORMAT_DER_X509_SUBJECT_PUBLIC_KEY_INFO |
| Private Key | der-pkcs-8-pki | CRYPTO_KEY_FORMAT_DER_PKCS8_PRIVATE_KEY_INFO |
| Symmetric Key [4] | raw | CRYPTO_KEY_FORMAT_RAW |

Commands and Flags to Export Keys in Supported Formats

| Key Type | Supported Format | OpenSSL | GCP KMS | AWS KMS | Java.security | Python (cryptography) |
|---|---|---|---|---|---|---|
| Public Key | DER SPKI (X.509 SubjectPublicKeyInfo) | -outform DER | keys default to DER SPKI | keys default to DER SPKI | keys default to DER SPKI | public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo) |
| Private Key | DER PKCS#8 PrivateKeyInfo | -outform DER | n/a | n/a | keys default to DER PKCS#8 | private_bytes(Encoding.DER, PrivateFormat.PKCS8) |
| Symmetric Key | raw bytes | n/a | n/a | n/a | keys default to raw bytes | keys default to raw bytes |
Supported Cryptographic Signature Formats by Signing Algorithm Specification

| Signing Algorithm Specification | Signature Format (Config) | Signature Format (gRPC / Protobuf) |
|---|---|---|
| Ed25519 | concat | SIGNATURE_FORMAT_CONCAT |
| EC-DSA-SHA256 | der | SIGNATURE_FORMAT_DER |
| EC-DSA-SHA384 | der | SIGNATURE_FORMAT_DER |
The currently supported signature formats in Canton align with the default signature formats used when generating signatures with OpenSSL, Java, or Python (cryptography package).
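The two format tables above (DER SPKI for public keys, and concat versus DER for signatures) are easy to get wrong when a key or signature arrives from a KMS, an HSM driver or a different library. The following is an added example, not Canton's own code, that checks a blob against those tables using only the Python standard library: a minimal hand-written DER reader maps the AlgorithmIdentifier OID of a SubjectPublicKeyInfo to the Canton key-spec configuration string (ec-curve-25519, ec-p-256, ec-p-384, ec-secp-256k-1, rsa-2048), and a second function confirms that an Ed25519 signature is the 64-byte concat form and an EC-DSA signature is a DER SEQUENCE of two INTEGERs. The OIDs are the standard X.509 ones; the sample keys and signatures are constructed with dummy material and carry no real key data.

```python
# Identify DER public keys and signatures against the Canton formats listed above.
# Added, stand-alone illustration (Python standard library only): the DER/OID reader is a
# minimal hand-written one, not Canton's code, and every sample input below is constructed.

OID_TO_KEY_SPEC = {                       # AlgorithmIdentifier OID -> Canton key-spec config string
    "1.3.101.112": "ec-curve-25519",      # id-Ed25519 (no parameters)
    "1.2.840.10045.3.1.7": "ec-p-256",    # prime256v1 / secp256r1 (named-curve parameter)
    "1.3.132.0.34": "ec-p-384",           # secp384r1
    "1.3.132.0.10": "ec-secp-256k-1",     # secp256k1
}
OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"   # id-ecPublicKey: the curve is in the parameters
OID_RSA = "1.2.840.113549.1.1.1"          # rsaEncryption

def der_read(buf, pos=0):
    """Read one DER TLV at buf[pos:], returning (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Split a constructed element's content (e.g. SEQUENCE) into (tag, body) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # last byte of a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def identify_public_key(spki):
    """Return the Canton key spec carried by a DER SPKI blob (config format der-x-509-spki)."""
    tag, body, end = der_read(spki)
    if tag != 0x30 or end != len(spki):
        raise ValueError("not one DER SEQUENCE (expected X.509 SubjectPublicKeyInfo)")
    (alg_tag, alg_body), (bits_tag, bits_body) = der_children(body)
    if alg_tag != 0x30 or bits_tag != 0x03:
        raise ValueError("malformed SubjectPublicKeyInfo")
    alg = der_children(alg_body)
    oid = decode_oid(alg[0][1])
    if oid == OID_EC_PUBLIC_KEY:          # named curve sits in AlgorithmIdentifier.parameters
        return OID_TO_KEY_SPEC[decode_oid(alg[1][1])]   # KeyError: curve not listed by Canton
    if oid == OID_RSA:
        # BIT STRING = unused-bits byte, then RSAPublicKey ::= SEQUENCE { modulus, exponent }
        _, rsa_pub, _ = der_read(bits_body, 1)
        modulus = int.from_bytes(der_children(rsa_pub)[0][1], "big")
        if modulus.bit_length() != 2048:
            raise ValueError(f"RSA-{modulus.bit_length()} key; Canton lists rsa-2048 only")
        return "rsa-2048"
    return OID_TO_KEY_SPEC[oid]

def signature_format(sig, algorithm):
    """Return 'concat' or 'der' if `sig` has the format Canton expects for `algorithm`."""
    if algorithm == "ed-25519":
        if len(sig) != 64:                # concat = R (32 bytes) || S (32 bytes), no ASN.1
            raise ValueError(f"Ed25519 concat signature must be 64 bytes, got {len(sig)}")
        return "concat"
    if algorithm in ("ec-dsa-sha-256", "ec-dsa-sha-384"):
        tag, body, end = der_read(sig)    # ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }
        ints = der_children(body) if tag == 0x30 and end == len(sig) else []
        if len(ints) != 2 or any(t != 0x02 for t, _ in ints):
            raise ValueError("ECDSA signature must be a DER SEQUENCE of two INTEGERs")
        return "der"
    raise ValueError(f"unknown signing algorithm spec {algorithm!r}")

def signature_format_ok(sig, algorithm):
    """Pass/fail form of signature_format; malformed input counts as a mismatch."""
    try:
        return signature_format(sig, algorithm) in ("concat", "der")
    except (ValueError, IndexError):
        return False

def der(tag, content):
    """Minimal DER TLV encoder, used only to build the constructed samples below."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

def _oid(hexstr):                         # OBJECT IDENTIFIER from its DER content hex
    return der(0x06, bytes.fromhex(hexstr))

# Constructed samples with dummy key material (not real keys or signatures).
SAMPLE_ED25519_SPKI = der(0x30, der(0x30, _oid("2b6570")) + der(0x03, b"\x00" + b"\x11" * 32))
SAMPLE_P256_SPKI = der(0x30, der(0x30, _oid("2a8648ce3d0201") + _oid("2a8648ce3d030107"))
                   + der(0x03, b"\x00\x04" + b"\x22" * 64))       # uncompressed point 04||X||Y
_MODULUS = (1 << 2047) | 1                                         # dummy 2048-bit modulus
SAMPLE_RSA_SPKI = der(0x30, der(0x30, _oid("2a864886f70d010101") + der(0x05, b""))
                  + der(0x03, b"\x00" + der(0x30, der(0x02, b"\x00" + _MODULUS.to_bytes(256, "big"))
                                                 + der(0x02, b"\x01\x00\x01"))))
SAMPLE_ED25519_SIG = b"\x44" * 64                                  # R || S
SAMPLE_ECDSA_DER_SIG = der(0x30, der(0x02, b"\x7f" * 32) + der(0x02, b"\x01" * 32))
```

A public key exported with `-outform DER` from OpenSSL, or with `public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)` from the Python cryptography package, can be passed straight to `identify_public_key`; a raw 64-byte r||s value handed to `signature_format_ok(..., "ec-dsa-sha-256")` fails, which is the point: for EC-DSA, Canton expects the DER form, and only Ed25519 uses the concat form.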

Footnotes

  1. Default and only supported scheme; not configurable.
  2. Default and only supported hash algorithm; not configurable.
  3. Default and only supported PBKDF; not configurable.
  4. Symmetric keys are only used internally. A node operator will not operate on symmetric keys; this entry is provided for reference only. The only key format a node operator is expected to interact with is X.509 public keys.