Skip to main content

Supported Cryptographic Schemes And Formats

Within Canton, we use the cryptographic primitives of signing, symmetric encryption, and asymmetric encryption, with the following supported cryptographic schemes and formats. For asymmetric signing and encryption, each scheme is divided into a key and an algorithm specification.
Legend for the following tables:
  • S = Supported
  • = Partially supported — only supports signature verification, not signing with a private key
  • = Partially supported — only supports encryption, not decryption with a private key
  • Values in brackets ([<scheme>]) indicate the configuration strings to use in Canton
Supported Asymmetric Encryption and Signing Key Specifications Supported Signing Algorithm Specifications Supported Asymmetric Encryption Algorithm Specifications Default Cryptographic Schemes Key configuration for external keys with a Key Management Service (KMS) Supported Cryptographic Key Formats by Key Type Commands and Flags to Export Keys in Supported Formats Supported Cryptographic Signature Formats by Signing Algorithm Specifications
The currently supported signature formats in Canton align with the default signature formats used when generating signatures with OpenSSL, Java, or Python (cryptography package).

Footnotes

  1. Default and only supported scheme; not configurable.
  2. Default and only supported hash algorithm; not configurable.
  3. Default and only supported PBKDF; not configurable.
  4. Symmetric keys are only used internally. A node operator will not operate on symmetric keys; this entry is provided for reference only. The only key format a node operator is expected to interact with is X.509 public keys.