Documentation/DamlView on Daml
Daml

Supported Cryptographic Schemes And Formats

Supported Cryptographic Schemes And Formats

Within Canton, we use the cryptographic primitives of signing, symmetric encryption, and asymmetric encryption, with the following supported cryptographic schemes and formats. For asymmetric signing and encryption, each scheme is divided into a key and an algorithm specification.

Note

Legend for the following tables:

  • S = Supported

  • = Partially supported — only supports signature verification, not signing with a private key

  • = Partially supported — only supports encryption, not decryption with a private key

  • Values in brackets ([<scheme>]) indicate the configuration strings to use in Canton

Supported Asymmetric Encryption and Signing Key Specifications

Key Spec

JCE

KMS

Purpose

EC-Curve25519 [ec-curve-25519]

S

Signing

EC-P256 [ec-p-256]

S

S

Signing, Encryption

EC-P384 [ec-p-384]

S

S

Signing

EC-Secp256k1 [ec-secp-256k-1]

S

S

Signing

RSA-2048 [rsa-2048]

S

S

Encryption
Supported Signing Algorithm Specifications

Algorithm

JCE

KMS

Supported Key Specs

Ed25519 [ed-25519]

S

EC-Curve25519

EC-DSA-SHA256 [ec-dsa-sha-256]

S

S

EC-P256, EC-Secp256k1

EC-DSA-SHA384 [ec-dsa-sha-384]

S

S

EC-P384
Supported Asymmetric Encryption Algorithm Specifications

Algorithm

JCE

KMS

Supported Key Specs

ECIES-HMAC-SHA256-AES128-CBC [ecies-hkdf-hmac-sha-256-aes-128-cbc]

S

EC-P256

RSA-OAEP-SHA256 [rsa-oaep-sha-256]

S

S

RSA-2048
Default Cryptographic Schemes

Crypto provider

JCE Default Scheme

KMS Default Scheme

Signing key specification

EC-Curve25519

EC-P256

Signing algorithm specification

Ed25519

EC-DSA-SHA256

Asymmetric encryption key specification

EC-P256

RSA-2048

Asymmetric encryption algorithm

ECIES with HMAC-SHA256 and AES128-CBC

RSA with OAEP and SHA-256

Symmetric encryption scheme [1]

AES128-GCM

Same as JCE

Hash Algorithm [2]

SHA-256

Same as JCE

PBKDF [3]

Argon2id

Same as JCE
Key configuration for external keys with a Key Management Service (KMS)

Provider

SIGNING

ENCRYPTION

AWS

  • Key Purpose: SIGN_VERIFY

  • Key Algorithms: ECC_NIST_P256 or ECC_NIST_P384

  • Key Purpose: ENCRYPT_DECRYPT

  • Key Algorithm: RSA_2048

GCP

  • Key Purpose: ASYMMETRIC_SIGN

  • Key Algorithms: EC_SIGN_P256_SHA256 or EC_SIGN_P384_SHA384

  • Key Purpose: ASYMMETRIC_DECRYPT

  • Key Algorithm: RSA_DECRYPT_OAEP_2048_SHA256

Driver

  • Must be compatible with EC_P256_SHA256 or EC_P384_SHA384

  • Must be compatible with RSA_OAEP_2048_SHA256
Supported Cryptographic Key Formats by Key Type

Key Type

Format (Config)

Format (gRPC / Protobuf)

Public Key

der-x-509-spki

CRYPTO_KEY_FORMAT_DER_X509_SUBJECT_PUBLIC_KEY_INFO

Private Key

der-pkcs-8-pki

CRYPTO_KEY_FORMAT_DER_PKCS8_PRIVATE_KEY_INFO

Symmetric Key [4]

raw

CRYPTO_KEY_FORMAT_RAW
Commands and Flags to Export Keys in Supported Formats

Key Type

Supported Format

OpenSSL

GCP KMS

AWS KMS

Java.security

Python (cryptography)

Public Key

DER SPKI (X.509 SubjectPublicKeyInfo)

-outform DER

keys default to DER SPKI

keys default to DER SPKI

keys default to DER SPKI

public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)

Private Key

DER PKCS#8 PrivateKeyInfo

-outform DER

n/a

n/a

keys default to DER PKCS#8

private_bytes(Encoding.DER, PrivateFormat.PKCS8)

Symmetric Key

raw bytes

n/a

n/a

n/a

keys default to raw bytes

keys default to raw bytes
Supported Cryptographic Signature Formats by Signing Algorithm Specifications

Signing Algorithm Specifications

Signature Format (Config)

Signature Format (gRPC / Protobuf)

Ed25519

concat

SIGNATURE_FORMAT_CONCAT

EC-DSA-SHA256

der

SIGNATURE_FORMAT_DER

EC-DSA-SHA384

der

SIGNATURE_FORMAT_DER

Note

The currently supported signature formats in Canton align with the default signature formats used when generating signatures with OpenSSL, Java, or Python (cryptography package).