B. Algorithm and key type encoding¶
Algorithm identifiers (psa_algorithm_t
) and key types (psa_key_type_t
) in the Crypto API are structured integer values.
Algorithm identifier encoding describes the encoding scheme for algorithm identifiers
Key type encoding describes the encoding scheme for key types
B.1. Algorithm identifier encoding¶
Algorithm identifiers are 32-bit integer values of the type psa_algorithm_t
. Algorithm identifier values have the structure shown in Figure 2.
Table 9 describes the meaning of the bit-fields — some of the bit-fields are used in different ways by different algorithm categories.
Field |
Bits |
Description |
---|---|---|
V |
[31] |
Flag to indicate an implementation-defined algorithm identifier, when V=1. Algorithm identifiers defined by this specification always have V=0. |
CAT |
[30:24] |
Algorithm category. See Algorithm categories. |
S |
[23] |
For a cipher algorithm, this flag indicates a stream cipher when S=1. For a key derivation algorithm, this flag indicates a key-stretching or password-hashing algorithm when S=1. |
B |
[22] |
Flag to indicate an algorithm built on a block cipher, when B=1. |
LEN/T2 |
[21:16] |
LEN is the length of a MAC or AEAD tag, T2 is a key agreement algorithm sub-type. |
T1 |
[15:8] |
Algorithm sub-type for most algorithm categories. |
H |
[7:0] |
Hash algorithm sub-type, also used in any algorithm that is parameterized by a hash. |
B.1.1. Algorithm categories¶
The CAT field in an algorithm identifier takes the values shown in Table 10.
Algorithm category |
CAT |
Category details |
---|---|---|
None |
|
See |
Hash |
|
|
MAC |
|
|
Cipher |
|
|
AEAD |
|
|
Key derivation |
|
|
Asymmetric signature |
|
|
Asymmetric encryption |
|
|
Key agreement |
|
B.1.2. Hash algorithm encoding¶
The algorithm identifier for hash algorithms defined in this specification are encoded as shown in Figure 3.
The defined values for HASH-TYPE are shown in Table 11.
Hash algorithm |
HASH-TYPE |
Algorithm identifier |
Algorithm value |
---|---|---|---|
MD2 |
|
|
|
MD4 |
|
|
|
MD5 |
|
|
|
RIPEMD-160 |
|
|
|
SHA1 |
|
|
|
AES-MMO (Zigbee) |
|
|
|
SHA-224 |
|
|
|
SHA-256 |
|
|
|
SHA-384 |
|
|
|
SHA-512 |
|
|
|
SHA-512/224 |
|
|
|
SHA-512/256 |
|
|
|
SHA3-224 |
|
|
|
SHA3-256 |
|
|
|
SHA3-384 |
|
|
|
SHA3-512 |
|
|
|
SM3 |
|
|
|
SHAKE256-512 |
|
|
|
wildcard a |
|
|
The wildcard hash
PSA_ALG_ANY_HASH
can be used to parameterize a signature algorithm which defines a key usage policy, permitting any hash algorithm to be specified in a signature operation using the key.
B.1.3. MAC algorithm encoding¶
The algorithm identifier for MAC algorithms defined in this specification are encoded as shown in Figure 4.
The defined values for B and MAC-TYPE are shown in Table 12.
LEN = 0 specifies a default length output MAC, other values for LEN specify a truncated MAC.
W is a flag to indicate a wildcard permitted-algorithm policy:
W = 0 indicates a specific MAC algorithm and MAC length.
W = 1 indicates a wildcard key usage policy, which permits the MAC algorithm with a MAC length of at least LEN to be specified in a MAC operation using the key. LEN must not be zero.
H = HASH-TYPE (see Table 11) for hash-based MAC algorithms, otherwise H = 0.
MAC algorithm |
B |
MAC-TYPE |
Algorithm identifier |
Algorithm value |
---|---|---|---|---|
HMAC |
0 |
|
|
|
CBC-MAC c |
1 |
|
|
|
CMAC c |
1 |
|
|
This is the default algorithm identifier, specifying a standard length tag.
PSA_ALG_TRUNCATED_MAC()
generates identifiers with non-default LEN values.PSA_ALG_AT_LEAST_THIS_LENGTH_MAC()
generates permitted-algorithm policies with W = 1.hh
is the HASH-TYPE for the hash algorithm,hash_alg
, used to construct the MAC algorithm.This is a MAC constructed using an underlying block cipher. The block cipher is determined by the key type that is provided to the MAC operation.
B.1.4. Cipher algorithm encoding¶
The algorithm identifier for CIPHER algorithms defined in this specification are encoded as shown in Figure 5.
The defined values for S, B, and CIPHER-TYPE are shown in Table 13.
Cipher algorithm |
S |
B |
CIPHER-TYPE |
Algorithm identifier |
Algorithm value |
---|---|---|---|---|---|
Stream cipher a |
1 |
0 |
|
|
|
CTR mode b |
1 |
1 |
|
|
|
CFB mode b |
1 |
1 |
|
|
|
OFB mode b |
1 |
1 |
|
|
|
CCM* with zero-length tag b |
1 |
1 |
|
|
|
CCM* wildcard c |
1 |
1 |
|
|
|
XTS mode b |
0 |
1 |
|
|
|
CBC mode without padding b |
0 |
1 |
|
|
|
CBC mode with PKCS#7 padding b |
0 |
1 |
|
|
|
ECB mode without padding b |
0 |
1 |
|
|
The stream cipher algorithm identifier
PSA_ALG_STREAM_CIPHER
is used with specific stream cipher key types, such asPSA_KEY_TYPE_CHACHA20
.This is a cipher mode of an underlying block cipher. The block cipher is determined by the key type that is provided to the cipher operation.
The wildcard algorithm
PSA_ALG_CCM_STAR_ANY_TAG
permits a key to be used with any CCM* algorithm: unauthenticated cipherPSA_ALG_CCM_STAR_NO_TAG
, and AEAD algorithmPSA_ALG_CCM
.
B.1.5. AEAD algorithm encoding¶
The algorithm identifier for AEAD algorithms defined in this specification are encoded as shown in Figure 6.
The defined values for B and AEAD-TYPE are shown in Table 14.
LEN = 1..31 specifies the output tag length.
W is a flag to indicate a wildcard permitted-algorithm policy:
W = 0 indicates a specific AEAD algorithm and tag length.
W = 1 indicates a wildcard key usage policy, which permits the AEAD algorithm with a tag length of at least LEN to be specified in an AEAD operation using the key.
AEAD algorithm |
B |
AEAD-TYPE |
Algorithm identifier |
Algorithm value |
---|---|---|---|---|
CCM a |
1 |
|
|
|
GCM a |
1 |
|
|
|
ChaCha20-Poly1305 |
0 |
|
|
|
XChaCha20-Poly1305 |
0 |
|
|
This is an AEAD mode of an underlying block cipher. The block cipher is determined by the key type that is provided to the AEAD operation.
This is the default algorithm identifier, specifying the default tag length for the algorithm.
PSA_ALG_AEAD_WITH_SHORTENED_TAG()
generates identifiers with alternative LEN values.PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG()
generates wildcard permitted-algorithm policies with W = 1.
B.1.6. Key derivation algorithm encoding¶
The algorithm identifier for key derivation algorithms defined in this specification are encoded as shown in Figure 7.
The defined values for S and KDF-TYPE are shown in Table 15.
The permitted values of HASH-TYPE (see Table 11) depend on the specific KDF algorithm.
Key derivation algorithm |
S |
KDF-TYPE |
Algorithm identifier |
Algorithm value |
---|---|---|---|---|
HKDF |
0 |
|
|
|
TLS-1.2 PRF |
0 |
|
|
|
TLS-1.2 PSK-to-MasterSecret |
0 |
|
|
|
HKDF-Extract |
0 |
|
|
|
HKDF-Expand |
0 |
|
|
|
TLS 1.2 ECJPAKE-to-PMS |
0 |
|
|
|
SP 800-108 Counter HMAC |
0 |
|
|
|
SP 800-108 Counter CMAC |
0 |
|
|
|
PBKDF2-HMAC |
1 |
|
|
|
PBKDF2-AES-CMAC-PRF-128 |
1 |
|
|
hh
is the HASH-TYPE for the hash algorithm,hash
, used to construct the key derivation algorithm.
B.1.7. Asymmetric signature algorithm encoding¶
The algorithm identifier for asymmetric signature algorithms defined in this specification are encoded as shown in Figure 8.
The defined values for SIGN-TYPE are shown in Table 16.
H = HASH-TYPE (see Table 11) for message signature algorithms that are parameterized by a hash algorithm, otherwise H = 0.
Signature algorithm |
SIGN-TYPE |
Algorithm identifier |
Algorithm value |
---|---|---|---|
RSA PKCS#1 v1.5 |
|
|
|
RSA PKCS#1 v1.5 no hash b |
|
|
|
RSA PSS |
|
|
|
RSA PSS any salt length |
|
|
|
Randomized ECDSA |
|
|
|
Randomized ECDSA no hash b |
|
|
|
Deterministic ECDSA |
|
|
|
PureEdDSA |
|
|
|
HashEdDSA |
|
|
hh
is the HASH-TYPE for the hash algorithm,hash_alg
, used to construct the signature algorithm.Asymmetric signature algorithms without hashing can only be used with
psa_sign_hash()
andpsa_verify_hash()
.The HASH-TYPE for HashEdDSA is determined by the curve. SHA-512 is used for Ed25519ph, and the first 64 bytes of output from SHAKE256 is used for Ed448ph.
B.1.8. Asymmetric encryption algorithm encoding¶
The algorithm identifier for asymmetric encryption algorithms defined in this specification are encoded as shown in Figure 9.
The defined values for ENCRYPT-TYPE are shown in Table 17.
H = HASH-TYPE (see Table 11) for asymmetric encryption algorithms that are parameterized by a hash algorithm, otherwise H = 0.
Asymmetric encryption algorithm |
ENCRYPT-TYPE |
Algorithm identifier |
Algorithm value |
---|---|---|---|
RSA PKCS#1 v1.5 |
|
|
|
RSA OAEP |
|
|
|
hh
is the HASH-TYPE for the hash algorithm,hash_alg
, used to construct the encryption algorithm.
B.1.9. Key agreement algorithm encoding¶
A key agreement algorithm identifier can either be for the standalone key agreement algorithm, or for a combined key agreement with key derivation algorithm. The former can only be used with psa_key_agreement()
and psa_raw_key_agreement()
, while the latter are used with psa_key_derivation_key_agreement()
.
The algorithm identifier for standalone key agreement algorithms defined in this specification are encoded as shown in Figure 10.
The defined values for KA-TYPE are shown in Table 18.
Key agreement algorithm |
KA-TYPE |
Algorithm identifier |
Algorithm value |
---|---|---|---|
FFDH |
|
|
|
ECDH |
|
|
A combined key agreement is constructed by a bitwise OR of the standalone key agreement algorithm identifier and the key derivation algorithm identifier. This operation is provided by the PSA_ALG_KEY_AGREEMENT()
macro.
The underlying standalone key agreement algorithm can be extracted from the KA-TYPE field, and the key derivation algorithm from the KDF-TYPE and HASH-TYPE fields.
B.2. Key type encoding¶
Key types are 16-bit integer values of the type psa_key_type_t
. Key type values have the structure shown in Figure 12.
Table 19 describes the meaning of the bit-fields — some of bit-fields are used in different ways by different key type categories.
Field |
Bits |
Description |
---|---|---|
V |
[15] |
Flag to indicate an implementation-defined key type, when V=1. Key types defined by this specification always have V=0. |
A |
[14] |
Flag to indicate an asymmetric key type, when A=1. |
CAT |
[13:12] |
Key type category. See Key type categories. |
category-specific type |
[11:1] |
The meaning of this field is specific to each key category. |
P |
[0] |
Parity bit. Valid key type values have even parity. |
B.2.1. Key type categories¶
The A and CAT fields in a key type take the values shown in Table 20.
Key type category |
A |
CAT |
Category details |
---|---|---|---|
None |
0 |
0 |
|
Raw data |
0 |
1 |
See Raw key encoding |
Symmetric key |
0 |
2 |
|
Asymmetric public key |
1 |
0 |
|
Asymmetric key pair |
1 |
3 |
B.2.2. Raw key encoding¶
The key type for raw keys defined in this specification are encoded as shown in Figure 13.
The defined values for RAW-TYPE, SUB-TYPE, and P are shown in Table 21.
Raw key type |
RAW-TYPE |
SUB-TYPE |
P |
Key type |
Key type value |
---|---|---|---|---|---|
Raw data |
0 |
0 |
1 |
|
|
HMAC |
1 |
0 |
0 |
|
|
Derivation secret |
2 |
0 |
0 |
|
|
Password |
2 |
1 |
1 |
|
|
Password hash |
2 |
2 |
1 |
|
|
Derivation pepper |
2 |
3 |
0 |
|
B.2.3. Symmetric key encoding¶
The key type for symmetric keys defined in this specification are encoded as shown in Figure 14.
For block-based cipher keys, the block size for the cipher algorithm is 2BLK.
The defined values for BLK, SYM-TYPE and P are shown in Table 22.
Symmetric key type |
BLK |
SYM-TYPE |
P |
Key type |
Key type value |
---|---|---|---|---|---|
ARC4 |
0 |
1 |
0 |
|
|
ChaCha20 |
0 |
2 |
0 |
|
|
XChaCha20 |
0 |
3 |
1 |
|
|
DES |
3 |
0 |
1 |
|
|
AES |
4 |
0 |
0 |
|
|
CAMELLIA |
4 |
1 |
1 |
|
|
SM4 |
4 |
2 |
1 |
|
|
ARIA |
4 |
3 |
0 |
|
B.2.4. Asymmetric key encoding¶
The key type for asymmetric keys defined in this specification are encoded as shown in Figure 15.
PAIR is either 0 for a public key, or 3 for a key pair.
The defined values for ASYM-TYPE are shown in Table 23.
Asymmetric key type |
ASYM-TYPE |
Details |
---|---|---|
RSA |
0 |
See RSA key encoding |
Elliptic Curve |
1 |
|
Diffie-Hellman |
2 |
RSA key encoding¶
The key type for RSA keys defined in this specification are encoded as shown in Figure 16.
PAIR is either 0 for a public key, or 3 for a key pair.
The defined values for RSA keys are shown in Table 24.
RSA key type |
Key type |
Key type value |
---|---|---|
Public key |
|
|
Key pair |
|
Elliptic Curve key encoding¶
The key type for Elliptic Curve keys defined in this specification are encoded as shown in Figure 17.
PAIR is either 0 for a public key, or 3 for a key pair.
The defined values for ECC-FAMILY and P are shown in Table 25.
ECC key family |
ECC-FAMILY |
P |
ECC family a |
Public key value |
Key pair value |
---|---|---|---|---|---|
SECP K1 |
0x0B |
1 |
|
|
|
SECP R1 |
0x09 |
0 |
|
|
|
SECP R2 |
0x0D |
1 |
|
|
|
SECT K1 |
0x13 |
1 |
|
|
|
SECT R1 |
0x11 |
0 |
|
|
|
SECT R2 |
0x15 |
1 |
|
|
|
Brainpool-P R1 |
0x18 |
0 |
|
|
|
FRP |
0x19 |
1 |
|
|
|
Montgomery |
0x20 |
1 |
|
|
|
Twisted Edwards |
0x21 |
0 |
|
|
The key type value is constructed from the Elliptic Curve family using either
PSA_KEY_TYPE_ECC_PUBLIC_KEY
(
family
)
orPSA_KEY_TYPE_ECC_KEY_PAIR
(
family
)
as required.
Diffie Hellman key encoding¶
The key type for Diffie Hellman keys defined in this specification are encoded as shown in Figure 18.
PAIR is either 0 for a public key, or 3 for a key pair.
The defined values for DH-FAMILY and P are shown in Table 26.
DH key group |
DH-FAMILY |
P |
DH group a |
Public key value |
Key pair value |
---|---|---|---|---|---|
RFC7919 |
0x01 |
1 |
|
|
The key type value is constructed from the Diffie Hellman family using either
PSA_KEY_TYPE_DH_PUBLIC_KEY
(
family
)
orPSA_KEY_TYPE_DH_KEY_PAIR
(
family
)
as required.