B Algorithm and key type encoding¶
Algorithm identifiers (psa_algorithm_t
) and key types (psa_key_type_t
) in the Crypto API are structured integer values.
Algorithm identifier encoding describes the encoding scheme for algorithm identifiers
Key type encoding describes the encoding scheme for key types
B.1 Algorithm identifier encoding¶
Algorithm identifiers are 32-bit integer values of the type psa_algorithm_t
. Algorithm identifier values have the structure shown in Figure 6.
Figure 6 Encoding of psa_algorithm_t
¶
Table 14 describes the meaning of the bit-fields — some of the bit-fields are used in different ways by different algorithm categories.
Field |
Bits |
Description |
---|---|---|
V |
[31] |
Flag to indicate an implementation-defined algorithm identifier, when V=1. Algorithm identifiers defined by this specification always have V=0. |
CAT |
[30:24] |
Algorithm category. See Algorithm categories. |
S |
[23] |
For a cipher algorithm, this flag indicates a stream cipher when S=1. For a key-derivation algorithm, this flag indicates a key-stretching or password-hashing algorithm when S=1. |
B |
[22] |
Flag to indicate an algorithm built on a block cipher, when B=1. |
LEN/T2 |
[21:16] |
LEN is the length of a MAC or AEAD tag, T2 is a key-agreement algorithm sub-type. |
T1 |
[15:8] |
Algorithm sub-type for most algorithm categories. |
H |
[7:0] |
Hash algorithm sub-type, also used in any algorithm that is parameterized by a hash. |
B.1.1 Algorithm categories¶
The CAT field in an algorithm identifier takes the values shown in Table 15.
Algorithm category |
CAT |
Category details |
---|---|---|
None |
|
See |
Hash |
|
|
MAC |
|
|
Cipher |
|
|
AEAD |
|
|
Key derivation |
|
|
Asymmetric signature |
|
|
Asymmetric encryption |
|
|
Key agreement |
|
|
Key encapsulation |
|
|
PAKE |
|
B.1.2 Hash algorithm encoding¶
The algorithm identifier for hash algorithms defined in this specification are encoded as shown in Figure 7.
Figure 7 Hash algorithm encoding¶
The defined values for HASH-TYPE are shown in Table 16.
Hash algorithm |
HASH-TYPE |
Algorithm identifier |
Algorithm value |
---|---|---|---|
MD2 |
|
|
|
MD4 |
|
|
|
MD5 |
|
|
|
RIPEMD-160 |
|
|
|
SHA1 |
|
|
|
AES-MMO (Zigbee) |
|
|
|
SHA-224 |
|
|
|
SHA-256 |
|
|
|
SHA-384 |
|
|
|
SHA-512 |
|
|
|
SHA-512/224 |
|
|
|
SHA-512/256 |
|
|
|
SHA3-224 |
|
|
|
SHA3-256 |
|
|
|
SHA3-384 |
|
|
|
SHA3-512 |
|
|
|
SM3 |
|
|
|
SHAKE256-512 |
|
|
|
wildcard a |
|
|
The wildcard hash
PSA_ALG_ANY_HASH
can be used to parameterize a signature algorithm which defines a key usage policy, permitting any hash algorithm to be specified in a signature operation using the key.
B.1.3 MAC algorithm encoding¶
The algorithm identifier for MAC algorithms defined in this specification are encoded as shown in Figure 8.
Figure 8 MAC algorithm encoding¶
The defined values for B and MAC-TYPE are shown in Table 17.
LEN = 0 specifies a default length output MAC, other values for LEN specify a truncated MAC.
W is a flag to indicate a wildcard permitted-algorithm policy:
W = 0 indicates a specific MAC algorithm and MAC length.
W = 1 indicates a wildcard key usage policy, which permits the MAC algorithm with a MAC length of at least LEN to be specified in a MAC operation using the key. LEN must not be zero.
H = HASH-TYPE (see Table 16) for hash-based MAC algorithms, otherwise H = 0.
MAC algorithm |
B |
MAC-TYPE |
Algorithm identifier |
Algorithm value |
---|---|---|---|---|
HMAC |
0 |
|
|
|
CBC-MAC c |
1 |
|
|
|
CMAC c |
1 |
|
|
This is the default algorithm identifier, specifying a standard length tag.
PSA_ALG_TRUNCATED_MAC()
generates identifiers with non-default LEN values.PSA_ALG_AT_LEAST_THIS_LENGTH_MAC()
generates permitted-algorithm policies with W = 1.hh
is the HASH-TYPE for the hash algorithm,hash_alg
, used to construct the MAC algorithm.This is a MAC constructed using an underlying block cipher. The block cipher is determined by the key type that is provided to the MAC operation.
B.1.4 Cipher algorithm encoding¶
The algorithm identifier for CIPHER algorithms defined in this specification are encoded as shown in Figure 9.
Figure 9 CIPHER algorithm encoding¶
The defined values for S, B, and CIPHER-TYPE are shown in Table 18.
Cipher algorithm |
S |
B |
CIPHER-TYPE |
Algorithm identifier |
Algorithm value |
---|---|---|---|---|---|
Stream cipher a |
1 |
0 |
|
|
|
CTR mode b |
1 |
1 |
|
|
|
CFB mode b |
1 |
1 |
|
|
|
OFB mode b |
1 |
1 |
|
|
|
CCM* with zero-length tag b |
1 |
1 |
|
|
|
CCM* wildcard c |
1 |
1 |
|
|
|
XTS mode b |
0 |
1 |
|
|
|
CBC mode without padding b |
0 |
1 |
|
|
|
CBC mode with PKCS#7 padding b |
0 |
1 |
|
|
|
ECB mode without padding b |
0 |
1 |
|
|
The stream cipher algorithm identifier
PSA_ALG_STREAM_CIPHER
is used with specific stream cipher key types, such asPSA_KEY_TYPE_CHACHA20
.This is a cipher mode of an underlying block cipher. The block cipher is determined by the key type that is provided to the cipher operation.
The wildcard algorithm
PSA_ALG_CCM_STAR_ANY_TAG
permits a key to be used with any CCM* algorithm: unauthenticated cipherPSA_ALG_CCM_STAR_NO_TAG
, and AEAD algorithmPSA_ALG_CCM
.
B.1.5 AEAD algorithm encoding¶
The algorithm identifier for AEAD algorithms defined in this specification are encoded as shown in Figure 10.
Figure 10 AEAD algorithm encoding¶
The defined values for B and AEAD-TYPE are shown in Table 19.
LEN = 1..31 specifies the output tag length.
W is a flag to indicate a wildcard permitted-algorithm policy:
W = 0 indicates a specific AEAD algorithm and tag length.
W = 1 indicates a wildcard key usage policy, which permits the AEAD algorithm with a tag length of at least LEN to be specified in an AEAD operation using the key.
AEAD algorithm |
B |
AEAD-TYPE |
Algorithm identifier |
Algorithm value |
---|---|---|---|---|
CCM a |
1 |
|
|
|
GCM a |
1 |
|
|
|
ChaCha20-Poly1305 |
0 |
|
|
|
XChaCha20-Poly1305 |
0 |
|
|
This is an AEAD mode of an underlying block cipher. The block cipher is determined by the key type that is provided to the AEAD operation.
This is the default algorithm identifier, specifying the default tag length for the algorithm.
PSA_ALG_AEAD_WITH_SHORTENED_TAG()
generates identifiers with alternative LEN values.PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG()
generates wildcard permitted-algorithm policies with W = 1.
B.1.6 Key-derivation algorithm encoding¶
The algorithm identifier for key-derivation algorithms defined in this specification are encoded as shown in Figure 11.
Figure 11 Key-derivation algorithm encoding¶
The defined values for S and KDF-TYPE are shown in Table 20.
The permitted values of HASH-TYPE (see Table 16) depend on the specific KDF algorithm.
Key-derivation algorithm |
S |
KDF-TYPE |
Algorithm identifier |
Algorithm value |
---|---|---|---|---|
HKDF |
0 |
|
|
|
TLS-1.2 PRF |
0 |
|
|
|
TLS-1.2 PSK-to-MasterSecret |
0 |
|
|
|
HKDF-Extract |
0 |
|
|
|
HKDF-Expand |
0 |
|
|
|
TLS 1.2 ECJPAKE-to-PMS |
0 |
|
|
|
SP 800-108 Counter HMAC |
0 |
|
|
|
SP 800-108 Counter CMAC |
0 |
|
|
|
PBKDF2-HMAC |
1 |
|
|
|
PBKDF2-AES-CMAC-PRF-128 |
1 |
|
|
hh
is the HASH-TYPE for the hash algorithm,hash
, used to construct the key-derivation algorithm.
B.1.7 Asymmetric signature algorithm encoding¶
The algorithm identifier for asymmetric signature algorithms defined in this specification are encoded as shown in Figure 12.
Figure 12 Asymmetric signature algorithm encoding¶
The defined values for SIGN-TYPE are shown in Table 21.
H = HASH-TYPE (see Table 16) for message signature algorithms that are parameterized by a hash algorithm, otherwise H = 0.
Signature algorithm |
SIGN-TYPE |
Algorithm identifier |
Algorithm value |
---|---|---|---|
RSA PKCS#1 v1.5 |
|
|
|
RSA PKCS#1 v1.5 no hash b |
|
|
|
RSA PSS |
|
|
|
RSA PSS any salt length |
|
|
|
Randomized ECDSA |
|
|
|
Randomized ECDSA no hash b |
|
|
|
Deterministic ECDSA |
|
|
|
PureEdDSA |
|
|
|
HashEdDSA |
|
|
hh
is the HASH-TYPE for the hash algorithm,hash_alg
, used to construct the signature algorithm.Asymmetric signature algorithms without hashing can only be used with
psa_sign_hash()
andpsa_verify_hash()
.The HASH-TYPE for HashEdDSA is determined by the curve. SHA-512 is used for Ed25519ph, and the first 64 bytes of output from SHAKE256 is used for Ed448ph.
B.1.8 Asymmetric encryption algorithm encoding¶
The algorithm identifier for asymmetric encryption algorithms defined in this specification are encoded as shown in Figure 13.
Figure 13 Asymmetric encryption algorithm encoding¶
The defined values for ENCRYPT-TYPE are shown in Table 22.
H = HASH-TYPE (see Table 16) for asymmetric encryption algorithms that are parameterized by a hash algorithm, otherwise H = 0.
Asymmetric encryption algorithm |
ENCRYPT-TYPE |
Algorithm identifier |
Algorithm value |
---|---|---|---|
RSA PKCS#1 v1.5 |
|
|
|
RSA OAEP |
|
|
|
hh
is the HASH-TYPE for the hash algorithm,hash_alg
, used to construct the encryption algorithm.
B.1.9 Key-agreement algorithm encoding¶
A key-agreement algorithm identifier can either be for the standalone key-agreement algorithm, or for a combined key-agreement with key-derivation algorithm. The former can only be used with psa_key_agreement()
and psa_raw_key_agreement()
, while the latter are used with psa_key_derivation_key_agreement()
.
The algorithm identifier for standalone key-agreement algorithms defined in this specification are encoded as shown in Figure 14.
Figure 14 Standalone key-agreement algorithm encoding¶
The defined values for KA-TYPE are shown in Table 23.
Key-agreement algorithm |
KA-TYPE |
Algorithm identifier |
Algorithm value |
---|---|---|---|
FFDH |
|
|
|
ECDH |
|
|
A combined key agreement is constructed by a bitwise OR of the standalone key-agreement algorithm identifier and the key-derivation algorithm identifier. This operation is provided by the PSA_ALG_KEY_AGREEMENT()
macro.
Figure 15 Combined key-agreement algorithm encoding¶
The underlying standalone key-agreement algorithm can be extracted from the KA-TYPE field, and the key-derivation algorithm from the KDF-TYPE and HASH-TYPE fields.
B.1.10 Key-encapsulation algorithm encoding¶
The algorithm identifier for key-encapsulation algorithms defined in this specification are encoded as shown in Figure 16.
Figure 16 Encapsulation algorithm encoding¶
The defined values for ENCAPS-TYPE are shown in Table 24.
Encapsulation algorithm |
ENCAPS-TYPE |
Algorithm identifier |
Algorithm value |
---|---|---|---|
ECIES (SEC1) |
|
|
B.1.11 PAKE algorithm encoding¶
The algorithm identifier for PAKE algorithms defined in this specification are encoded as shown in Figure 17.
Figure 17 PAKE algorithm encoding¶
The defined values for PAKE-TYPE are shown in Table 25.
The permitted values of HASH-TYPE (see Table 16) depend on the specific PAKE algorithm.
PAKE algorithm |
PAKE-TYPE |
Algorithm identifier |
Algorithm value |
---|---|---|---|
J-PAKE |
|
|
|
SPAKE2+ with HMAC |
|
|
|
SPAKE2+ with CMAC |
|
|
|
SPAKE2+ for Matter |
|
|
hh
is the HASH-TYPE for the hash algorithm,hash
, used to construct the key-derivation algorithm.
B.2 Key type encoding¶
Key types are 16-bit integer values of the type psa_key_type_t
. Key type values have the structure shown in Figure 18.
Figure 18 Encoding of psa_key_type_t
¶
Table 26 describes the meaning of the bit-fields — some of bit-fields are used in different ways by different key type categories.
Field |
Bits |
Description |
---|---|---|
V |
[15] |
Flag to indicate an implementation-defined key type, when V=1. Key types defined by this specification always have V=0. |
A |
[14] |
Flag to indicate an asymmetric key type, when A=1. |
CAT |
[13:12] |
Key type category. See Key type categories. |
category-specific type |
[11:1] |
The meaning of this field is specific to each key category. |
P |
[0] |
Parity bit. Valid key type values have even parity. |
B.2.1 Key type categories¶
The A and CAT fields in a key type take the values shown in Table 27.
Key type category |
A |
CAT |
Category details |
---|---|---|---|
None |
0 |
0 |
|
Raw data |
0 |
1 |
See Raw key encoding |
Symmetric key |
0 |
2 |
|
Asymmetric public key |
1 |
0 |
|
Asymmetric key pair |
1 |
3 |
B.2.2 Raw key encoding¶
The key type for raw keys defined in this specification are encoded as shown in Figure 19.
Figure 19 Raw key encoding¶
The defined values for RAW-TYPE, SUB-TYPE, and P are shown in Table 28.
Raw key type |
RAW-TYPE |
SUB-TYPE |
P |
Key type |
Key type value |
---|---|---|---|---|---|
Raw data |
0 |
0 |
1 |
|
|
HMAC |
1 |
0 |
0 |
|
|
Derivation secret |
2 |
0 |
0 |
|
|
Password |
2 |
1 |
1 |
|
|
Password hash |
2 |
2 |
1 |
|
|
Derivation pepper |
2 |
3 |
0 |
|
B.2.3 Symmetric key encoding¶
The key type for symmetric keys defined in this specification are encoded as shown in Figure 20.
Figure 20 Symmetric key encoding¶
For block-based cipher keys, the block size for the cipher algorithm is 2BLK.
The defined values for BLK, SYM-TYPE and P are shown in Table 29.
Symmetric key type |
BLK |
SYM-TYPE |
P |
Key type |
Key type value |
---|---|---|---|---|---|
ARC4 |
0 |
1 |
0 |
|
|
ChaCha20 |
0 |
2 |
0 |
|
|
XChaCha20 |
0 |
3 |
1 |
|
|
DES |
3 |
0 |
1 |
|
|
AES |
4 |
0 |
0 |
|
|
CAMELLIA |
4 |
1 |
1 |
|
|
SM4 |
4 |
2 |
1 |
|
|
ARIA |
4 |
3 |
0 |
|
B.2.4 Asymmetric key encoding¶
The key type for asymmetric keys defined in this specification are encoded as shown in Figure 21.
Figure 21 Asymmetric key encoding¶
PAIR is either 0 for a public key, or 3 for a key pair.
The defined values for ASYM-TYPE are shown in Table 30.
The defined values for FAMILY depend on the ASYM-TYPE value. See the details for each asymmetric key sub-type.
Asymmetric key type |
ASYM-TYPE |
Details |
---|---|---|
Non-parameterized |
0 |
|
Elliptic Curve |
2 |
|
Diffie-Hellman |
4 |
|
SPAKE2+ |
8 |
Non-parameterized asymmetric key encoding¶
The key type for non-parameterized asymmetric keys defined in this specification are encoded as shown in Figure 22.
Figure 22 Non-parameterized asymmetric keys encoding¶
PAIR is either 0 for a public key, or 3 for a key pair.
The defined values for NP-FAMILY and P are shown in Table 31.
Key family |
Public/pair |
PAIR |
NP-FAMILY |
P |
Key type |
Key value |
---|---|---|---|---|---|---|
RSA |
Public key |
0 |
0 |
1 |
|
|
Key pair |
3 |
0 |
1 |
|
Elliptic curve key encoding¶
The key type for elliptic curve keys defined in this specification are encoded as shown in Figure 23.
Figure 23 Elliptic curve key encoding¶
PAIR is either 0 for a public key, or 3 for a key pair.
The defined values for ECC-FAMILY and P are shown in Table 32.
ECC key family |
ECC-FAMILY |
P |
ECC family a |
Public-key value |
Key-pair value |
---|---|---|---|---|---|
SECP K1 |
0x0B |
1 |
|
|
|
SECP R1 |
0x09 |
0 |
|
|
|
SECP R2 |
0x0D |
1 |
|
|
|
SECT K1 |
0x13 |
1 |
|
|
|
SECT R1 |
0x11 |
0 |
|
|
|
SECT R2 |
0x15 |
1 |
|
|
|
Brainpool-P R1 |
0x18 |
0 |
|
|
|
FRP |
0x19 |
1 |
|
|
|
Montgomery |
0x20 |
1 |
|
|
|
Twisted Edwards |
0x21 |
0 |
|
|
The elliptic curve family values defined in the API also include the parity bit. The key type value is constructed from the elliptic curve family using either
PSA_KEY_TYPE_ECC_PUBLIC_KEY
(
family
)
orPSA_KEY_TYPE_ECC_KEY_PAIR
(
family
)
as required.
Diffie Hellman key encoding¶
The key type for Diffie Hellman keys defined in this specification are encoded as shown in Figure 24.
Figure 24 Diffie Hellman key encoding¶
PAIR is either 0 for a public key, or 3 for a key pair.
The defined values for DH-FAMILY and P are shown in Table 33.
DH key group |
DH-FAMILY |
P |
DH group a |
Public-key value |
Key-pair value |
---|---|---|---|---|---|
RFC7919 |
0x01 |
1 |
|
|
The Diffie Hellman family values defined in the API also include the parity bit. The key type value is constructed from the Diffie Hellman family using either
PSA_KEY_TYPE_DH_PUBLIC_KEY
(
family
)
orPSA_KEY_TYPE_DH_KEY_PAIR
(
family
)
as required.
SPAKE2+ key encoding¶
The key type for SPAKE2+ keys defined in this specification are encoded as shown in Figure 25.
Figure 25 SPAKE2+ key encoding¶
PAIR is either 0 for a public key, or 3 for a key pair.
The defined values for ECC-FAMILY and P are shown in Table 34.
SPAKE2+ group |
ECC-FAMILY |
P |
ECC family a |
Public-key value |
Key-pair value |
---|---|---|---|---|---|
SECP R1 |
0x09 |
0 |
|
|
|
Twisted Edwards |
0x21 |
0 |
|
|
The elliptic curve family values defined in the API also include the parity bit. The key type value is constructed from the elliptic curve family using either
PSA_KEY_TYPE_SPAKE2P_PUBLIC_KEY
(
family
)
orPSA_KEY_TYPE_SPAKE2P_KEY_PAIR
(
family
)
as required.