Draft
Community
Group
Report
20
August
Copyright © 2025 the Contributors to the Modern Algorithms in the Web Cryptography API Specification, published by the Web Platform Incubator Community Group under the W3C Community Contributor License Agreement (CLA) . A human-readable summary is available.
This specification defines a number of post-quantum secure and modern cryptographic algorithms for the Web Cryptography API , namely ML-KEM, ML-DSA, SLH-DSA, AES-OCB, ChaCha20-Poly1305, SHA-3, cSHAKE, KMAC, and Argon2.
This specification was published by the Web Platform Incubator Community Group . It is not a W3C Standard nor is it on the W3C Standards Track. Please note that under the W3C Community Contributor License Agreement (CLA) there is a limited opt-out and other conditions apply. Learn more about W3C Community and Business Groups .
This is an unofficial proposal.
GitHub Issues are preferred for discussion of this specification.
This section is non-normative.
This proposal aims to modernize the set of cryptographic algorithms available in the Web Cryptography API , such that web applications can make use of post-quantum secure and performant cryptographic algorithms. To this end, the following cryptographic algorithms are added:
To
accommodate
the
usage
of
ML-KEM,
and
possibly
future
other
KEMs,
this
proposal
introduces
functions
for
key
encapsulation
and
decapsulation;
SubtleCrypto.encapsulateKey
,
SubtleCrypto.encapsulateBits
,
SubtleCrypto.decapsulateKey
and
SubtleCrypto.decapsulateBits
.
Additionally,
this
proposal
introduces
the
SubtleCrypto.getPublicKey
function,
which
provides
a
convenient
way
to
derive
a
public
key
from
an
asymmetric
private
key,
eliminating
the
need
to
store
both
the
public
and
private
key
separately
when
only
the
private
key
is
needed.
Finally,
this
proposal
aims
to
make
feature
detection
easier,
by
adding
a
SubtleCrypto.supports
function,
which
can
be
used
to
detect
whether
a
given
algorithm
identifier
(including
any
parameters)
is
supported
for
the
given
operation.
This specification follows the conventions laid out in Section 18.3 of [ webcrypto ]. None of the algorithms defined here are required to be implemented, but if a conforming User Agent implements an algorithm, it MUST implement all of the supported operations specified in this document, and must perform the steps to define an algorithm specified in section 18.4.3 of [ webcrypto ] for each of the supported operations.
This
section
extends
the
SubtleCrypto
interface
of
[
webcrypto
].
WebIDL[SecureContext,Exposed=(Window,Worker)]
partial interface SubtleCrypto {
Promise<EncapsulatedBits> encapsulateBits(
AlgorithmIdentifier encapsulationAlgorithm,
CryptoKey encapsulationKey
);
Promise<ArrayBuffer> decapsulateBits(
AlgorithmIdentifier decapsulationAlgorithm,
CryptoKey decapsulationKey,
BufferSource ciphertext
);
Promise<CryptoKey> getPublicKey(
CryptoKey key,
sequence<KeyUsage> keyUsages
);
static boolean supports(DOMString operation,
AlgorithmIdentifier algorithm,
optional unsigned long? length = null);
static boolean supports(DOMString operation,
AlgorithmIdentifier algorithm,
AlgorithmIdentifier additionalAlgorithm);
};
This
specification
replaces
the
definition
of
KeyFormat
in
[
webcrypto
]
with
the
following:
WebIDL
enum
KeyFormat
{
"
raw-public
"
,
"
raw-private
"
,
"
raw-seed
"
,
"
raw-secret
"
,
"
raw
"
,
"
spki
"
,
"
pkcs8
"
,
"
jwk
"
};
This specification specifies a number of new recognized key format values :
raw-public
raw-private
raw-seed
raw-secret
For
all
existing
symmetric
algorithms
in
[
webcrypto
],
"
raw-secret
"
acts
as
an
alias
of
"
raw
".
For
all
existing
asymmetric
algorithms
in
[
webcrypto
],
"
raw-public
"
acts
as
an
alias
of
"
raw
".
In
the
deriveKey
()
method,
in
the
import
key
step,
"
raw-secret
"
must
be
used
as
the
format
instead
of
"
raw
".
This
specification
replaces
the
definition
of
KeyUsage
in
[
webcrypto
]
with
the
following:
WebIDL
enum
KeyUsage
{
"
encrypt
"
,
"
decrypt
"
,
"
sign
"
,
"
verify
"
,
"
deriveKey
"
,
"
deriveBits
"
,
"
wrapKey
"
,
"
unwrapKey
"
,
"
encapsulateKey
"
,
"
encapsulateBits
"
,
"
decapsulateKey
"
,
"
decapsulateBits
"
};
This specification specifies a number of new recognized key usage values :
encapsulateKey
SubtleCrypto
.
encapsulateKey
.
encapsulateBits
SubtleCrypto
.
encapsulateBits
.
decapsulateKey
SubtleCrypto
.
decapsulateKey
.
decapsulateBits
SubtleCrypto
.
decapsulateBits
.
The
encapsulateKey(
encapsulationAlgorithm
,
encapsulationKey
,
sharedKeyAlgorithm
,
extractable
,
usages
)
method
encapsulates
a
key
and
returns
an
EncapsulatedKey
object.
It
behaves
as
follows:
Let
encapsulationAlgorithm
,
encapsulationKey
,
sharedKeyAlgorithm
,
extractable
and
usages
be
the
encapsulationAlgorithm
,
encapsulationKey
,
sharedKeyAlgorithm
,
extractable
and
keyUsages
parameters
passed
to
the
encapsulateKey
()
method,
respectively.
Let
normalizedEncapsulationAlgorithm
be
the
result
of
normalizing
an
algorithm
,
with
alg
set
to
encapsulationAlgorithm
and
op
set
to
"
encapsulate
".
If an error occurred, return a Promise rejected with normalizedEncapsulationAlgorithm .
Let
normalizedSharedKeyAlgorithm
be
the
result
of
normalizing
an
algorithm
,
with
alg
set
to
sharedKeyAlgorithm
and
op
set
to
"
importKey
".
If an error occurred, return a Promise rejected with normalizedSharedKeyAlgorithm .
Let realm be the relevant realm of this .
Let promise be a new Promise.
Return promise and perform the remaining steps in parallel .
If the following steps or referenced procedures say to throw an error, queue a global task on the crypto task source , given realm 's global object, to reject promise with the returned error; and then terminate the algorithm .
If
the
name
member
of
normalizedEncapsulationAlgorithm
is
not
equal
to
the
name
attribute
of
the
[[algorithm]]
internal
slot
of
encapsulationKey
then
throw
an
InvalidAccessError
.
If
the
[[usages]]
internal
slot
of
encapsulationKey
does
not
contain
an
entry
that
is
"
encapsulateKey
",
then
throw
an
InvalidAccessError
.
Let
encapsulatedBits
be
the
result
of
performing
the
encapsulate
operation
specified
by
the
[[algorithm]]
internal
slot
of
encapsulationKey
using
encapsulationKey
.
Let
sharedKey
be
the
result
of
performing
the
import
key
operation
specified
by
normalizedSharedKeyAlgorithm
using
"
raw-secret
"
as
format
,
the
sharedKey
field
of
encapsulatedBits
as
keyData
,
sharedKeyAlgorithm
as
algorithm
and
using
extractable
and
usages
.
Let
encapsulatedKey
be
a
new
EncapsulatedKey
dictionary
with
sharedKey
set
to
sharedKey
and
ciphertext
set
to
the
ciphertext
field
of
encapsulatedBits
.
Queue a global task on the crypto task source , given realm 's global object, to perform the remaining steps.
Let result be the result of converting encapsulatedKey to an ECMAScript Object in realm , as defined by [ WebIDL ].
Resolve promise with result .
The
encapsulateBits(
encapsulationAlgorithm
,
encapsulationKey
)
method
encapsulates
a
key
and
returns
an
EncapsulatedBits
object.
It
behaves
as
follows:
Let
encapsulationAlgorithm
and
encapsulationKey
be
the
encapsulationAlgorithm
and
encapsulationKey
parameters
passed
to
the
encapsulateBits
()
method,
respectively.
Let
normalizedEncapsulationAlgorithm
be
the
result
of
normalizing
an
algorithm
,
with
alg
set
to
encapsulationAlgorithm
and
op
set
to
"
encapsulate
".
If an error occurred, return a Promise rejected with normalizedEncapsulationAlgorithm .
Let realm be the relevant realm of this .
Let promise be a new Promise.
Return promise and perform the remaining steps in parallel .
If the following steps or referenced procedures say to throw an error, queue a global task on the crypto task source , given realm 's global object, to reject promise with the returned error; and then terminate the algorithm .
If
the
name
member
of
normalizedEncapsulationAlgorithm
is
not
equal
to
the
name
attribute
of
the
[[algorithm]]
internal
slot
of
encapsulationKey
then
throw
an
InvalidAccessError
.
If
the
[[usages]]
internal
slot
of
encapsulationKey
does
not
contain
an
entry
that
is
"
encapsulateBits
",
then
throw
an
InvalidAccessError
.
Let
encapsulatedBits
be
the
result
of
performing
the
encapsulate
operation
specified
by
the
[[algorithm]]
internal
slot
of
encapsulationKey
using
encapsulationKey
.
Queue a global task on the crypto task source , given realm 's global object, to perform the remaining steps.
Let result be the result of converting encapsulatedBits to an ECMAScript Object in realm , as defined by [ WebIDL ].
Resolve promise with result .
The
decapsulateKey(
decapsulationAlgorithm
,
decapsulationKey
,
ciphertext
,
sharedKeyAlgorithm
,
extractable
,
usages
)
method
decapsulates
a
key
and
returns
an
CryptoKey
object.
It
behaves
as
follows:
Let
decapsulationAlgorithm
,
decapsulationKey
,
sharedKeyAlgorithm
,
extractable
and
usages
be
the
decapsulationAlgorithm
,
decapsulationKey
,
sharedKeyAlgorithm
,
extractable
and
keyUsages
parameters
passed
to
the
decapsulateKey
()
method,
respectively.
Let
ciphertext
be
the
result
of
getting
a
copy
of
the
bytes
held
by
the
ciphertext
parameter
passed
to
the
decapsulateKey
()
method.
Let
normalizedDecapsulationAlgorithm
be
the
result
of
normalizing
an
algorithm
,
with
alg
set
to
decapsulationAlgorithm
and
op
set
to
"
decapsulate
".
If an error occurred, return a Promise rejected with normalizedDecapsulationAlgorithm .
Let
normalizedSharedKeyAlgorithm
be
the
result
of
normalizing
an
algorithm
,
with
alg
set
to
sharedKeyAlgorithm
and
op
set
to
"
importKey
".
If an error occurred, return a Promise rejected with normalizedSharedKeyAlgorithm .
Let realm be the relevant realm of this .
Let promise be a new Promise.
Return promise and perform the remaining steps in parallel .
If the following steps or referenced procedures say to throw an error, queue a global task on the crypto task source , given realm 's global object, to reject promise with the returned error; and then terminate the algorithm .
If
the
name
member
of
normalizedDecapsulationAlgorithm
is
not
equal
to
the
name
attribute
of
the
[[algorithm]]
internal
slot
of
decapsulationKey
then
throw
an
InvalidAccessError
.
If
the
[[usages]]
internal
slot
of
decapsulationKey
does
not
contain
an
entry
that
is
"
decapsulateKey
",
then
throw
an
InvalidAccessError
.
Let
decapsulatedBits
be
the
result
of
performing
the
decapsulate
operation
specified
by
the
[[algorithm]]
internal
slot
of
decapsulationKey
using
decapsulationKey
and
ciphertext
.
Let
sharedKey
be
the
result
of
performing
the
import
key
operation
specified
by
normalizedSharedKeyAlgorithm
using
"
raw-secret
"
as
format
,
the
decapsulatedBits
as
keyData
,
sharedKeyAlgorithm
as
algorithm
and
using
extractable
and
usages
.
Queue a global task on the crypto task source , given realm 's global object, to perform the remaining steps.
Let result be the result of converting sharedKey to an ECMAScript Object in realm , as defined by [ WebIDL ].
Resolve promise with result .
The
decapsulateBits(
decapsulationAlgorithm
,
decapsulationKey
,
ciphertext
)
method
decapsulates
a
key
and
returns
an
ArrayBuffer
object.
It
behaves
as
follows:
Let
decapsulationAlgorithm
and
decapsulationKey
be
the
decapsulationAlgorithm
and
decapsulationKey
parameters
passed
to
the
decapsulateBits
()
method,
respectively.
Let
ciphertext
be
the
result
of
getting
a
copy
of
the
bytes
held
by
the
ciphertext
parameter
passed
to
the
decapsulateBits
()
method.
Let
normalizedDecapsulationAlgorithm
be
the
result
of
normalizing
an
algorithm
,
with
alg
set
to
decapsulationAlgorithm
and
op
set
to
"
decapsulate
".
If an error occurred, return a Promise rejected with normalizedDecapsulationAlgorithm .
Let realm be the relevant realm of this .
Let promise be a new Promise.
Return promise and perform the remaining steps in parallel .
If the following steps or referenced procedures say to throw an error, queue a global task on the crypto task source , given realm 's global object, to reject promise with the returned error; and then terminate the algorithm .
If
the
name
member
of
normalizedDecapsulationAlgorithm
is
not
equal
to
the
name
attribute
of
the
[[algorithm]]
internal
slot
of
decapsulationKey
then
throw
an
InvalidAccessError
.
If
the
[[usages]]
internal
slot
of
decapsulationKey
does
not
contain
an
entry
that
is
"
decapsulateBits
",
then
throw
an
InvalidAccessError
.
Let
decapsulatedBits
be
the
result
of
performing
the
decapsulate
operation
specified
by
the
[[algorithm]]
internal
slot
of
decapsulationKey
using
decapsulationKey
and
ciphertext
.
Queue a global task on the crypto task source , given realm 's global object, to perform the remaining steps.
Let
result
be
the
result
of
creating
an
ArrayBuffer
in
realm
,
containing
decapsulatedBits
.
Resolve promise with result .
The
getPublicKey(
key
,
usages
)
method
returns
the
public
key
corresponding
to
a
given
private
key.
It
behaves
as
follows:
Let
key
and
usages
be
the
key
and
keyUsages
parameters
passed
to
the
getPublicKey
()
method,
respectively.
Let
algorithm
be
the
[[algorithm]]
internal
slot
of
key
.
If
the
cryptographic
algorithm
identified
by
algorithm
does
not
support
deriving
a
public
key
from
a
private
key,
then
return
a
Promise
rejected
with
a
NotSupportedError
.
Let realm be the relevant realm of this .
Let promise be a new Promise.
Return promise and perform the remaining steps in parallel .
If the following steps or referenced procedures say to throw an error, queue a global task on the crypto task source , given realm 's global object, to reject promise with the returned error; and then terminate the algorithm .
If
the
[[type]]
internal
slot
of
key
is
not
"
private
",
then
throw
an
InvalidAccessError
.
If
usages
contains
an
entry
which
is
not
supported
for
a
public
key
by
the
algorithm
identified
by
algorithm
,
then
throw
a
SyntaxError
.
Let
publicKey
be
a
new
CryptoKey
representing
the
public
key
corresponding
to
the
private
key
represented
by
the
[[handle]]
internal
slot
of
key
.
If
an
error
occurred,
then
throw
a
OperationError
.
Set
the
[[algorithm]]
internal
slot
of
publicKey
to
algorithm
.
Set
the
[[extractable]]
internal
slot
of
publicKey
to
true.
Set
the
[[usages]]
internal
slot
of
publicKey
to
usages
.
Queue a global task on the crypto task source , given realm 's global object, to perform the remaining steps.
Let result be the result of converting publicKey to an ECMAScript Object in realm , as defined by [ WebIDL ].
Resolve promise with result .
The
supports(
operation
,
algorithm
,
length
)
method
returns
a
boolean
indicating
whether
the
implementation
supports
the
given
operation
using
the
specified
AlgorithmIdentifier
,
with
an
optional
length
parameter
to
indicate
the
number
of
bits
to
be
derived
when
operation
is
"
deriveBits
".
It
behaves
as
follows:
If
operation
is
not
one
of
"
encrypt
",
"
decrypt
",
"
sign
",
"
verify
",
"
digest
",
"
generateKey
",
"
deriveKey
",
"
deriveBits
",
"
importKey
",
"
exportKey
",
"
wrapKey
",
"
unwrapKey
",
"
encapsulateKey
",
"
encapsulateBits
",
"
decapsulateKey
",
"
decapsulateBits
"
or
"
getPublicKey
",
return
false.
Return
the
result
of
checking
support
for
an
algorithm
,
with
op
set
to
operation
,
alg
set
to
algorithm
,
and
length
set
to
length
.
The
supports(
operation
,
algorithm
,
additionalAlgorithm
)
method
returns
a
boolean
indicating
whether
the
implementation
supports
the
given
operation
using
the
specified
AlgorithmIdentifier
.
The
additional
algorithm
indicates
the
type
of
key
to
be
derived
when
operation
is
"
deriveKey
",
the
type
of
key
to
be
exported
before
wrapping
when
operation
is
"
wrapKey
",
and
the
type
of
key
to
be
imported
after
unwrapping
when
operation
is
"
unwrapKey
".
It
behaves
as
follows:
If
operation
is
not
one
of
"
encrypt
",
"
decrypt
",
"
sign
",
"
verify
",
"
digest
",
"
generateKey
",
"
deriveKey
",
"
deriveBits
",
"
importKey
",
"
exportKey
",
"
wrapKey
",
"
unwrapKey
",
"
encapsulateKey
",
"
encapsulateBits
",
"
decapsulateKey
",
"
decapsulateBits
"
or
"
getPublicKey
",
return
false.
deriveKey
",
"
unwrapKey
",
"
encapsulateKey
"
or
"
decapsulateKey
":
If
the
result
of
checking
support
for
an
algorithm
with
op
set
to
"
importKey
"
and
alg
set
to
additionalAlgorithm
is
false,
return
false.
wrapKey
":
If
the
result
of
checking
support
for
an
algorithm
with
op
set
to
"
exportKey
"
and
alg
set
to
additionalAlgorithm
is
false,
return
false.
Let length be null.
deriveKey
":
If
the
result
of
checking
support
for
an
algorithm
with
op
set
to
"
get
key
length
"
and
alg
set
to
additionalAlgorithm
is
false,
return
false.
Let
normalizedAdditionalAlgorithm
be
the
result
of
normalizing
an
algorithm
,
with
alg
set
to
additionalAlgorithm
and
op
set
to
"
get
key
length
".
Let length be the result of performing the get key length algorithm specified by additionalAlgorithm using normalizedAdditionalAlgorithm .
Set
operation
to
"
deriveBits
".
Return
the
result
of
checking
support
for
an
algorithm
,
with
op
set
to
operation
,
alg
set
to
algorithm
,
and
length
set
to
length
.
The
check
support
for
an
algorithm
algorithm
defines
a
process
for
checking
whether
the
given
algorithm
is
supported
for
the
given
operation.
Its
input
is
an
operation
name
op
,
an
AlgorithmIdentifier
alg
,
and
a
length
parameter.
Its
output
is
a
boolean.
It
behaves
as
follows:
If
op
is
"
encapsulateKey
"
or
"
encapsulateBits
",
set
op
to
"
encapsulate
".
If
op
is
"
decapsulateKey
"
or
"
decapsulateBits
",
set
op
to
"
decapsulate
".
getPublicKey
":
Let
normalizedAlgorithm
be
the
result
of
normalizing
an
algorithm
,
with
alg
set
to
alg
and
op
set
to
"
exportKey
".
If an error occurred, return false.
If the cryptographic algorithm identified by normalizedAlgorithm does not support deriving a public key from a private key, then return false.
Otherwise, return true.
Let
normalizedAlgorithm
be
the
result
of
normalizing
an
algorithm
,
with
alg
set
to
alg
and
op
set
to
op
.
If
op
is
"
wrapKey
",
return
the
result
of
checking
support
for
an
algorithm
with
op
set
to
"
encrypt
"
and
alg
set
to
alg
.
If
op
is
"
unwrapKey
",
return
the
result
of
checking
support
for
an
algorithm
with
op
set
to
"
decrypt
"
and
alg
set
to
alg
.
Otherwise, return false.
If the specified operation or algorithm (or one of its parameter values) is expected to fail (for any key and/or data) for an implementation-specific reason (e.g. known nonconformance to the specification), return false.
If
op
is
"
generateKey
"
or
"
importKey
",
let
usages
be
the
empty
list.
For each of the steps of the operation specified by op of the algorithm specified by normalizedAlgorithm :
key
,
plaintext
or
ciphertext
:
The steps in the referenced algorithm may access the normalizedAlgorithm , length , and usages variables from this context.
Assert : this step is never reached, because one of the steps of the operation will have said to return a value or throw an error, causing us to return true or false, respectively.
WebIDLdictionary EncapsulatedKey {
ArrayBuffer ciphertext;
};
dictionary EncapsulatedBits {
ArrayBuffer ciphertext;
};
The
EncapsulatedKey
dictionary
represents
an
encapsulated
key
comprised
of
a
sharedKey
and
a
ciphertext
.
The
EncapsulatedBits
dictionary
represents
encapsulated
key
bits
comprised
of
a
sharedKey
and
a
ciphertext
.
WebIDLdictionary JsonWebKey {
// The following fields are defined in Section 3.1 of JSON Web Key
DOMString kty;
DOMString use;
sequence<DOMString> key_ops;
DOMString alg;
// The following fields are defined in JSON Web Key Parameters Registration
boolean ext;
// The following fields are defined in draft-ietf-cose-dilithium-07
DOMString pub;
DOMString priv;
};
This
version
of
the
JsonWebKey
dictionary
provides
a
way
to
represent
keys
with
the
"AKP"
key
type
defined
in
[
draft-ietf-cose-dilithium-07
].
It
may
be
merged
into
the
definition
of
JsonWebKey
in
[
webcrypto
]
by
adding
the
pub
and
priv
fields
there.
This section is non-normative.
This describes using ML-KEM for key encapsulation and decapsulation, as specified by [ FIPS-203 ].
The
recognized
algorithm
names
for
this
algorithm
are
"
ML-KEM-512
",
"
ML-KEM-768
"
and
"
ML-KEM-1024
".
| Operation | Parameters | Result |
|---|---|---|
| encapsulate | None |
EncapsulatedBits
|
| decapsulate | None | byte sequence |
| generateKey | None |
CryptoKeyPair
|
| importKey | None |
CryptoKey
|
| exportKey | None | object |
If
the
[[type]]
internal
slot
of
key
is
not
"
public
",
then
throw
an
InvalidAccessError
.
Perform
the
encapsulation
key
check
described
in
Section
7.2
of
[
FIPS-203
]
with
the
parameter
set
indicated
by
the
name
member
of
algorithm
,
using
the
key
represented
by
the
[[handle]]
internal
slot
of
key
as
the
ek
input
parameter.
The
result
of
this
check
may
be
cached
or
precomputed
for
the
CryptoKey
object
if
desirable
for
performance.
If
the
encapsulation
key
check
failed,
return
an
OperationError
.
Let
sharedKey
and
ciphertext
be
the
outputs
that
result
from
performing
the
ML-KEM.Encaps
function
described
in
Section
7.2
of
[
FIPS-203
]
with
the
parameter
set
indicated
by
the
name
member
of
algorithm
,
using
the
key
represented
by
the
[[handle]]
internal
slot
of
key
as
the
ek
input
parameter.
If
the
ML-KEM.Encaps
function
returned
an
error,
return
an
OperationError
.
Let
result
be
a
new
EncapsulatedBits
dictionary.
Set
the
sharedKey
attribute
of
result
to
the
result
of
creating
an
ArrayBuffer
containing
sharedKey
.
Set
the
ciphertext
attribute
of
result
to
the
result
of
creating
an
ArrayBuffer
containing
ciphertext
.
Return result .
If
the
[[type]]
internal
slot
of
key
is
not
"
private
",
then
throw
an
InvalidAccessError
.
Perform
the
decapsulation
input
check
described
in
Section
7.3
of
[
FIPS-203
]
with
the
parameter
set
indicated
by
the
name
member
of
algorithm
,
using
the
key
represented
by
the
[[handle]]
internal
slot
of
key
as
the
dk
input
parameter,
and
ciphertext
as
the
c
input
parameter.
The
result
of
the
decapsulation
key
type
check
and
the
hash
check
may
be
cached
or
precomputed
for
the
CryptoKey
object
if
desirable
for
performance.
If
the
decapsulation
key
check
failed,
return
an
OperationError
.
Let
sharedKey
be
the
output
that
results
from
performing
the
ML-KEM.Decaps
function
described
in
Section
7.3
of
[
FIPS-203
]
with
the
parameter
set
indicated
by
the
name
member
of
algorithm
,
using
the
key
represented
by
the
[[handle]]
internal
slot
of
key
as
the
dk
input
parameter,
and
ciphertext
as
the
c
input
parameter.
Return sharedKey .
If
usages
contains
any
entry
which
is
not
one
of
"
encapsulateKey
",
"
encapsulateBits
",
"
decapsulateKey
"
or
"
decapsulateBits
",
then
throw
a
SyntaxError
.
Generate
an
ML-KEM
key
pair,
as
described
in
Section
7.1
of
[
FIPS-203
],
with
the
parameter
set
indicated
by
the
name
member
of
normalizedAlgorithm
.
In
order
to
be
able
to
export
the
seed
(d,
z)
,
d
and
z
need
to
be
stored
as
part
of
the
generated
key
material.
If
the
key
generation
step
fails,
then
throw
an
OperationError
.
Let
algorithm
be
a
new
KeyAlgorithm
object.
Set
the
name
attribute
of
algorithm
to
the
name
attribute
of
normalizedAlgorithm
.
Let
publicKey
be
a
new
CryptoKey
representing
the
encapsulation
key
of
the
generated
key
pair.
Set
the
[[type]]
internal
slot
of
publicKey
to
"
public
".
Set
the
[[algorithm]]
internal
slot
of
publicKey
to
algorithm
.
Set
the
[[extractable]]
internal
slot
of
publicKey
to
true.
Set
the
[[usages]]
internal
slot
of
publicKey
to
be
the
usage
intersection
of
usages
and
[
"encapsulateKey",
"encapsulateBits"
]
.
Let
privateKey
be
a
new
CryptoKey
representing
the
decapsulation
key
of
the
generated
key
pair.
Set
the
[[type]]
internal
slot
of
privateKey
to
"
private
".
Set
the
[[algorithm]]
internal
slot
of
privateKey
to
algorithm
.
Set
the
[[extractable]]
internal
slot
of
privateKey
to
extractable
.
Set
the
[[usages]]
internal
slot
of
privateKey
to
be
the
usage
intersection
of
usages
and
[
"decapsulateKey",
"decapsulateBits"
]
.
Let
result
be
a
new
CryptoKeyPair
dictionary.
Set
the
publicKey
attribute
of
result
to
be
publicKey
.
Set
the
privateKey
attribute
of
result
to
be
privateKey
.
Return result .
Let keyData be the key data to be imported.
spki
":
If
usages
contains
an
entry
which
is
not
"
encapsulateKey
"
or
"
encapsulateBits
"
then
throw
a
SyntaxError
.
Let spki be the result of running the parse a subjectPublicKeyInfo algorithm over keyData .
If
an
error
occurred
while
parsing,
then
throw
a
DataError
.
name
member
of
normalizedAlgorithm
is
"
ML-KEM-512
":
Let
expectedOid
be
id-alg-ml-kem-512
(2.16.840.1.101.3.4.4.1).
name
member
of
normalizedAlgorithm
is
"
ML-KEM-768
":
Let
expectedOid
be
id-alg-ml-kem-768
(2.16.840.1.101.3.4.4.2).
name
member
of
normalizedAlgorithm
is
"
ML-KEM-1024
":
Let
expectedOid
be
id-alg-ml-kem-1024
(2.16.840.1.101.3.4.4.3).
If
the
algorithm
object
identifier
field
of
the
algorithm
AlgorithmIdentifier
field
of
spki
is
not
equal
to
expectedOid
,
then
throw
a
DataError
.
If
the
parameters
field
of
the
algorithm
AlgorithmIdentifier
field
of
spki
is
present,
then
throw
a
DataError
.
Let
publicKey
be
the
ML-KEM
public
key
identified
by
the
subjectPublicKey
field
of
spki
.
Let
key
be
a
new
CryptoKey
that
represents
publicKey
.
Set
the
[[type]]
internal
slot
of
key
to
"
public
"
Let
algorithm
be
a
new
KeyAlgorithm
.
Set
the
name
attribute
of
algorithm
to
the
name
attribute
of
normalizedAlgorithm
.
Set
the
[[algorithm]]
internal
slot
of
key
to
algorithm
.
Set
the
[[extractable]]
internal
slot
of
key
to
extractable
.
Set
the
[[usages]]
internal
slot
of
key
to
usages
.
pkcs8
":
If
usages
contains
an
entry
which
is
not
"
encapsulateKey
"
or
"
encapsulateBits
"
then
throw
a
SyntaxError
.
Let privateKeyInfo be the result of running the parse a privateKeyInfo algorithm over keyData .
name
member
of
normalizedAlgorithm
is
"
ML-KEM-512
":
Let
expectedOid
be
id-alg-ml-kem-512
(2.16.840.1.101.3.4.4.1).
Let
asn1Structure
be
the
ASN.1
ML-KEM-512-PrivateKey
structure.
name
member
of
normalizedAlgorithm
is
"
ML-KEM-768
":
Let
expectedOid
be
id-alg-ml-kem-768
(2.16.840.1.101.3.4.4.2).
Let
asn1Structure
be
the
ASN.1
ML-KEM-768-PrivateKey
structure.
name
member
of
normalizedAlgorithm
is
"
ML-KEM-1024
":
Let
expectedOid
be
id-alg-ml-kem-1024
(2.16.840.1.101.3.4.4.3).
Let
asn1Structure
be
the
ASN.1
ML-KEM-1024-PrivateKey
structure.
If
the
algorithm
object
identifier
field
of
the
privateKeyAlgorithm
PrivateKeyAlgorithm
field
of
privateKeyInfo
is
not
equal
to
expectedOid
,
then
throw
a
DataError
.
If
the
parameters
field
of
the
privateKeyAlgorithm
PrivateKeyAlgorithmIdentifier
field
of
privateKeyInfo
is
present,
then
throw
a
DataError
.
Let
mlKemPrivateKey
be
the
result
of
performing
the
parse
an
ASN.1
structure
algorithm,
with
data
as
the
privateKey
field
of
privateKeyInfo
,
structure
as
asn1Structure
,
and
exactData
set
to
true.
If
an
error
occurred
while
parsing,
then
throw
a
DataError
.
Let
key
be
a
new
CryptoKey
that
represents
the
ML-KEM
private
key
identified
by
mlKemPrivateKey
.
Let
algorithm
be
a
new
KeyAlgorithm
.
Set
the
name
attribute
of
algorithm
to
the
name
attribute
of
normalizedAlgorithm
.
Set
the
[[algorithm]]
internal
slot
of
key
to
algorithm
.
Set
the
[[extractable]]
internal
slot
of
key
to
extractable
.
Set
the
[[usages]]
internal
slot
of
key
to
usages
.
raw-public
":
If
usages
contains
an
entry
which
is
not
"
encapsulateKey
"
or
"
encapsulateBits
"
then
throw
a
SyntaxError
.
Let data be keyData .
Let
key
be
a
new
CryptoKey
that
represents
the
ML-KEM
public
key
data
in
data
.
Let
algorithm
be
a
new
KeyAlgorithm
.
Set
the
name
attribute
of
algorithm
to
the
name
attribute
of
normalizedAlgorithm
.
Set
the
[[algorithm]]
internal
slot
of
key
to
algorithm
.
raw-seed
":
If
usages
contains
an
entry
which
is
not
"
decapsulateKey
"
or
"
decapsulateBits
"
then
throw
a
SyntaxError
.
Let data be keyData .
If
the
length
in
bits
of
data
is
not
512
then
throw
a
DataError
.
Let
privateKey
be
the
result
of
performing
the
ML-KEM.KeyGen_internal
function
described
in
Section
6.1
of
[
FIPS-203
]
with
the
parameter
set
indicated
by
the
name
member
of
normalizedAlgorithm
,
using
the
first
256
bits
of
data
as
d
and
the
last
256
bits
of
data
as
z
.
Let
key
be
a
new
CryptoKey
that
represents
the
ML-KEM
private
key
identified
by
privateKey
.
Let
algorithm
be
a
new
KeyAlgorithm
.
Set
the
name
attribute
of
algorithm
to
the
name
attribute
of
normalizedAlgorithm
.
Set
the
[[algorithm]]
internal
slot
of
key
to
algorithm
.
jwk
":
JsonWebKey
dictionary:
Let jwk equal keyData .
If
the
priv
field
of
jwk
is
present
and
if
usages
contains
an
entry
which
is
not
"
decapsulateKey
"
or
"
decapsulateBits
"
then
throw
a
SyntaxError
.
If
the
priv
field
of
jwk
is
not
present
and
if
usages
contains
an
entry
which
is
not
"
encapsulateKey
"
or
"
encapsulateBits
"
then
throw
a
SyntaxError
.
If
the
kty
field
of
jwk
is
not
"
AKP
",
then
throw
a
DataError
.
If
the
alg
field
of
jwk
is
not
one
of
the
alg
values
corresponding
to
the
name
member
of
normalizedAlgorithm
indicated
in
Section
8
of
[
draft-ietf-jose-pqc-kem-01
]
(Figure
1
or
2),
then
throw
a
DataError
.
For
example,
MLKEM512
and
MLKEM512+A128KW
are
valid
"alg"
values
for
ML-KEM-512.
If
usages
is
non-empty
and
the
use
field
of
jwk
is
present
and
is
not
equal
to
"
enc
",
then
throw
a
DataError
.
If
the
key_ops
field
of
jwk
is
present,
and
is
invalid
according
to
the
requirements
of
JSON
Web
Key
[
JWK
],
or
it
does
not
contain
all
of
the
specified
usages
values,
then
throw
a
DataError
.
If
the
ext
field
of
jwk
is
present
and
has
the
value
false
and
extractable
is
true,
then
throw
a
DataError
.
priv
field
of
jwk
is
present:
If
the
priv
attribute
of
jwk
does
not
contain
a
valid
base64url
encoded
seed
representing
an
ML-KEM
private
key,
then
throw
a
DataError
.
Let
key
be
a
new
CryptoKey
object
that
represents
the
ML-KEM
private
key
identified
by
interpreting
the
priv
attribute
of
jwk
as
a
base64url
encoded
seed.
If
the
pub
attribute
of
jwk
does
not
contain
the
base64url
encoded
public
key
representing
the
ML-KEM
public
key
corresponding
to
key
,
then
throw
a
DataError
.
If
the
pub
attribute
of
jwk
does
not
contain
a
valid
base64url
encoded
public
key
representing
an
ML-KEM
public
key,
then
throw
a
DataError
.
Let
key
be
a
new
CryptoKey
object
that
represents
the
ML-KEM
public
key
identified
by
interpreting
the
pub
attribute
of
jwk
as
a
base64url
encoded
public
key.
Let
algorithm
be
a
new
instance
of
a
KeyAlgorithm
object.
Set
the
name
attribute
of
algorithm
to
the
name
member
of
normalizedAlgorithm
.
Set
the
[[algorithm]]
internal
slot
of
key
to
algorithm
.
NotSupportedError
.
Return key .
If
the
underlying
cryptographic
key
material
represented
by
the
[[handle]]
internal
slot
of
key
cannot
be
accessed,
then
throw
an
OperationError
.
If
the
[[type]]
internal
slot
of
key
is
"
private
"
and
an
ML-KEM
seed
cannot
be
resolved
from
the
[[handle]]
internal
slot
of
key
,
then
throw
an
OperationError
.
spki
":
If
the
[[type]]
internal
slot
of
key
is
not
"
public
",
then
throw
an
InvalidAccessError
.
Let
data
be
an
instance
of
the
SubjectPublicKeyInfo
ASN.1
structure
defined
in
[
RFC5280
]
with
the
following
properties:
Set
the
algorithm
field
to
an
AlgorithmIdentifier
ASN.1
type
with
the
following
properties:
name
member
of
normalizedAlgorithm
is
"
ML-KEM-512
":
Set
the
algorithm
object
identifier
to
the
id-alg-ml-kem-512
(2.16.840.1.101.3.4.4.1)
OID.
name
member
of
normalizedAlgorithm
is
"
ML-KEM-768
":
Set
the
algorithm
object
identifier
to
the
id-alg-ml-kem-768
(2.16.840.1.101.3.4.4.2)
OID.
name
member
of
normalizedAlgorithm
is
"
ML-KEM-1024
":
Set
the
algorithm
object
identifier
to
the
id-alg-ml-kem-1024
(2.16.840.1.101.3.4.4.3)
OID.
Set the subjectPublicKey field to keyData .
Let result be the result of DER-encoding data .
pkcs8
":
If
the
[[type]]
internal
slot
of
key
is
not
"
private
",
then
throw
an
InvalidAccessError
.
Let
data
be
an
instance
of
the
PrivateKeyInfo
ASN.1
structure
defined
in
[
RFC5208
]
with
the
following
properties:
Set
the
version
field
to
0
.
Set
the
privateKeyAlgorithm
field
to
a
PrivateKeyAlgorithmIdentifier
ASN.1
type
with
the
following
properties:
name
member
of
normalizedAlgorithm
is
"
ML-KEM-512
":
Set
the
algorithm
object
identifier
to
the
id-alg-ml-kem-512
(2.16.840.1.101.3.4.4.1)
OID.
name
member
of
normalizedAlgorithm
is
"
ML-KEM-768
":
Set
the
algorithm
object
identifier
to
the
id-alg-ml-kem-768
(2.16.840.1.101.3.4.4.2)
OID.
name
member
of
normalizedAlgorithm
is
"
ML-KEM-1024
":
Set
the
algorithm
object
identifier
to
the
id-alg-ml-kem-1024
(2.16.840.1.101.3.4.4.3)
OID.
Set the privateKey field as follows:
name
member
of
normalizedAlgorithm
is
"
ML-KEM-512
":
Set
the
privateKey
field
to
the
result
of
DER-encoding
a
ML-KEM-512-PrivateKey
ASN.1
type
that
represents
the
ML-KEM
private
key
seed
represented
by
the
[[handle]]
internal
slot
of
key
using
the
seed-only
format
(using
a
context-specific
[0]
primitive
tag
with
an
implicit
encoding
of
OCTET
STRING).
name
member
of
normalizedAlgorithm
is
"
ML-KEM-768
":
Set
the
privateKey
field
to
the
result
of
DER-encoding
a
ML-KEM-768-PrivateKey
ASN.1
type
that
represents
the
ML-KEM
private
key
seed
represented
by
the
[[handle]]
internal
slot
of
key
using
the
seed-only
format
(using
a
context-specific
[0]
primitive
tag
with
an
implicit
encoding
of
OCTET
STRING).
name
member
of
normalizedAlgorithm
is
"
ML-KEM-1024
":
Set
the
privateKey
field
to
the
result
of
DER-encoding
a
ML-KEM-1024-PrivateKey
ASN.1
type
that
represents
the
ML-KEM
private
key
seed
represented
by
the
[[handle]]
internal
slot
of
key
using
the
seed-only
format
(using
a
context-specific
[0]
primitive
tag
with
an
implicit
encoding
of
OCTET
STRING).
Let result be the result of DER-encoding data .
raw-public
":
If
the
[[type]]
internal
slot
of
key
is
not
"
public
",
then
throw
an
InvalidAccessError
.
Let
data
be
a
byte
sequence
containing
the
raw
octets
of
the
key
represented
by
the
[[handle]]
internal
slot
of
key
.
Let result be data .
raw-seed
":
If
the
[[type]]
internal
slot
of
key
is
not
"
private
",
then
throw
an
InvalidAccessError
.
Let
data
be
a
byte
sequence
containing
the
concatenation
of
the
d
and
z
seed
variables
of
the
key
represented
by
the
[[handle]]
internal
slot
of
key
.
The d and z seed variables were sampled in the ML-KEM.KeyGen function as described in Section 7.1 of [ FIPS-203 ].
Let result be data .
jwk
":
Let
jwk
be
a
new
JsonWebKey
dictionary.
Set
the
kty
attribute
of
jwk
to
"
AKP
".
Set
the
alg
attribute
of
jwk
to
the
alg
value
corresponding
to
the
name
member
of
normalizedAlgorithm
indicated
in
Section
8
of
[
draft-ietf-jose-pqc-kem-01
]
(Figure
1).
For
example,
MLKEM512
is
the
"alg"
value
used
for
ML-KEM-512.
Set
the
pub
attribute
of
jwk
to
the
base64url
encoded
public
key
corresponding
to
the
[[handle]]
internal
slot
of
key
.
[[type]]
internal
slot
of
key
is
"
private
":
priv
attribute
of
jwk
to
the
base64url
encoded
seed
represented
by
the
[[handle]]
internal
slot
of
key
.
Set
the
key_ops
attribute
of
jwk
to
the
usages
attribute
of
key
.
Set
the
ext
attribute
of
jwk
to
the
[[extractable]]
internal
slot
of
key
.
Let result be jwk .
Return result .
This section is non-normative.
This describes using ML-DSA for signing and verification, as specified by [ FIPS-204 ].
The
recognized
algorithm
names
for
this
algorithm
are
"
ML-DSA-44
",
"
ML-DSA-65
"
and
"
ML-DSA-87
".
| Operation | Parameters | Result |
|---|---|---|
| sign |
ContextParams
|
byte sequence |
| verify |
ContextParams
|
boolean |
| generateKey | None |
CryptoKeyPair
|
| importKey | None |
CryptoKey
|
| exportKey | None | object |
WebIDLdictionary ContextParams : Algorithm {
BufferSource context;
};
The
context
member
represents
the
optional
context
data
to
associate
with
the
message.
If
the
[[type]]
internal
slot
of
key
is
not
"
private
",
then
throw
an
InvalidAccessError
.
Let
context
be
the
context
member
of
normalizedAlgorithm
or
the
empty
octet
string
if
the
context
member
of
normalizedAlgorithm
is
not
present.
Let
result
be
the
result
of
performing
the
ML-DSA.Sign
signing
algorithm,
as
specified
in
Section
5.2
of
[
FIPS-204
],
with
the
parameter
set
indicated
by
the
name
member
of
normalizedAlgorithm
,
using
the
ML-DSA
private
key
associated
with
key
as
sk
,
message
as
M
and
context
as
ctx
.
If
the
ML-DSA.Sign
algorithm
returned
an
error,
return
an
OperationError
.
Return result .
If
the
[[type]]
internal
slot
of
key
is
not
"
public
",
then
throw
an
InvalidAccessError
.
Let
context
be
the
context
member
of
normalizedAlgorithm
or
the
empty
octet
string
if
the
context
member
of
normalizedAlgorithm
is
not
present.
Let
result
be
the
result
of
performing
the
ML-DSA.Verify
verification
algorithm,
as
specified
in
Section
5.3
of
[
FIPS-204
],
with
the
parameter
set
indicated
by
the
name
member
of
normalizedAlgorithm
,
using
the
ML-DSA
public
key
associated
with
key
as
pk
,
message
as
M
,
signature
as
σ
and
context
as
ctx
.
If
the
ML-DSA.Verify
algorithm
returned
an
error,
return
an
OperationError
.
Return result .
If
usages
contains
a
value
which
is
not
one
of
"
sign
"
or
"
verify
",
then
throw
a
SyntaxError
.
Generate
an
ML-DSA
key
pair,
as
described
in
Section
5.1
of
[
FIPS-204
],
with
the
parameter
set
indicated
by
the
name
member
of
normalizedAlgorithm
.
In
order
to
be
able
to
export
the
seed
ξ
,
it
needs
to
be
stored
as
part
of
the
generated
key
material.
If
the
key
generation
step
fails,
then
throw
an
OperationError
.
Let
algorithm
be
a
new
KeyAlgorithm
object.
Set
the
name
attribute
of
algorithm
to
the
name
attribute
of
normalizedAlgorithm
.
Let
publicKey
be
a
new
CryptoKey
representing
the
public
key
of
the
generated
key
pair.
Set
the
[[type]]
internal
slot
of
publicKey
to
"
public
".
Set
the
[[algorithm]]
internal
slot
of
publicKey
to
algorithm
.
Set
the
[[extractable]]
internal
slot
of
publicKey
to
true.
Set
the
[[usages]]
internal
slot
of
publicKey
to
be
the
usage
intersection
of
usages
and
[
"verify"
]
.
Let
privateKey
be
a
new
CryptoKey
representing
the
private
key
of
the
generated
key
pair.
Set
the
[[type]]
internal
slot
of
privateKey
to
"
private
".
Set
the
[[algorithm]]
internal
slot
of
privateKey
to
algorithm
.
Set
the
[[extractable]]
internal
slot
of
privateKey
to
extractable
.
Set
the
[[usages]]
internal
slot
of
privateKey
to
be
the
usage
intersection
of
usages
and
[
"sign"
]
.
Let
result
be
a
new
CryptoKeyPair
dictionary.
Set
the
publicKey
attribute
of
result
to
be
publicKey
.
Set
the
privateKey
attribute
of
result
to
be
privateKey
.
Return result .
Let keyData be the key data to be imported.
spki
":
If
usages
contains
a
value
which
is
not
"
verify
"
then
throw
a
SyntaxError
.
Let spki be the result of running the parse a subjectPublicKeyInfo algorithm over keyData .
If
an
error
occurred
while
parsing,
then
throw
a
DataError
.
name
member
of
normalizedAlgorithm
is
"
ML-DSA-44
":
Let
expectedOid
be
id-ml-dsa-44
(2.16.840.1.101.3.4.3.17).
name
member
of
normalizedAlgorithm
is
"
ML-DSA-65
":
Let
expectedOid
be
id-ml-dsa-65
(2.16.840.1.101.3.4.3.18).
name
member
of
normalizedAlgorithm
is
"
ML-DSA-87
":
Let
expectedOid
be
id-ml-dsa-87
(2.16.840.1.101.3.4.3.19).
If
the
algorithm
object
identifier
field
of
the
algorithm
AlgorithmIdentifier
field
of
spki
is
not
equal
to
expectedOid
,
then
throw
a
DataError
.
If
the
parameters
field
of
the
algorithm
AlgorithmIdentifier
field
of
spki
is
present,
then
throw
a
DataError
.
Let
publicKey
be
the
ML-DSA
public
key
identified
by
the
subjectPublicKey
field
of
spki
.
Let
key
be
a
new
CryptoKey
that
represents
publicKey
.
Set
the
[[type]]
internal
slot
of
key
to
"
public
"
Let
algorithm
be
a
new
KeyAlgorithm
.
Set
the
name
attribute
of
algorithm
to
the
name
attribute
of
normalizedAlgorithm
.
Set
the
[[algorithm]]
internal
slot
of
key
to
algorithm
.
Set
the
[[extractable]]
internal
slot
of
key
to
extractable
.
Set
the
[[usages]]
internal
slot
of
key
to
usages
.
pkcs8
":
If
usages
contains
a
value
which
is
not
"
sign
"
then
throw
a
SyntaxError
.
Let privateKeyInfo be the result of running the parse a privateKeyInfo algorithm over keyData .
name
member
of
normalizedAlgorithm
is
"
ML-DSA-44
":
Let
expectedOid
be
id-ml-dsa-44
(2.16.840.1.101.3.4.3.17).
Let
asn1Structure
be
the
ASN.1
ML-DSA-44-PrivateKey
structure.
name
member
of
normalizedAlgorithm
is
"
ML-DSA-65
":
Let
expectedOid
be
id-ml-dsa-65
(2.16.840.1.101.3.4.3.18).
Let
asn1Structure
be
the
ASN.1
ML-DSA-65-PrivateKey
structure.
name
member
of
normalizedAlgorithm
is
"
ML-DSA-87
":
Let
expectedOid
be
id-ml-dsa-87
(2.16.840.1.101.3.4.3.19).
Let
asn1Structure
be
the
ASN.1
ML-DSA-87-PrivateKey
structure.
If
the
algorithm
object
identifier
field
of
the
privateKeyAlgorithm
PrivateKeyAlgorithm
field
of
privateKeyInfo
is
not
equal
to
expectedOid
,
then
throw
a
DataError
.
If
the
parameters
field
of
the
privateKeyAlgorithm
PrivateKeyAlgorithmIdentifier
field
of
privateKeyInfo
is
present,
then
throw
a
DataError
.
Let
mlDsaPrivateKey
be
the
result
of
performing
the
parse
an
ASN.1
structure
algorithm,
with
data
as
the
privateKey
field
of
privateKeyInfo
,
structure
as
asn1Structure
,
and
exactData
set
to
true.
If
an
error
occurred
while
parsing,
then
throw
a
DataError
.
Let
key
be
a
new
CryptoKey
that
represents
the
ML-DSA
private
key
identified
by
mlDsaPrivateKey
.
Let
algorithm
be
a
new
KeyAlgorithm
.
Set
the
name
attribute
of
algorithm
to
the
name
attribute
of
normalizedAlgorithm
.
Set
the
[[algorithm]]
internal
slot
of
key
to
algorithm
.
Set
the
[[extractable]]
internal
slot
of
key
to
extractable
.
Set
the
[[usages]]
internal
slot
of
key
to
usages
.
raw-public
":
If
usages
contains
a
value
which
is
not
"
verify
"
then
throw
a
SyntaxError
.
Let
algorithm
be
a
new
KeyAlgorithm
object.
Set
the
name
attribute
of
algorithm
to
the
name
attribute
of
normalizedAlgorithm
.
Let
key
be
a
new
CryptoKey
representing
the
key
data
provided
in
keyData
.
Set
the
[[type]]
internal
slot
of
key
to
"
public
"
Set
the
[[algorithm]]
internal
slot
of
key
to
algorithm
.
raw-seed
":
If
usages
contains
an
entry
which
is
not
"
sign
"
then
throw
a
SyntaxError
.
Let data be keyData .
If
the
length
in
bits
of
data
is
not
256
then
throw
a
DataError
.
Let
privateKey
be
the
result
of
performing
the
ML-DSA.KeyGen_internal
function
described
in
Section
6.1
of
[
FIPS-204
]
with
the
parameter
set
indicated
by
the
name
member
of
normalizedAlgorithm
,
using
data
as
ξ
.
Let
key
be
a
new
CryptoKey
that
represents
the
ML-DSA
private
key
identified
by
privateKey
.
Let
algorithm
be
a
new
KeyAlgorithm
.
Set
the
name
attribute
of
algorithm
to
the
name
attribute
of
normalizedAlgorithm
.
Set
the
[[algorithm]]
internal
slot
of
key
to
algorithm
.
jwk
":
JsonWebKey
dictionary:
Let jwk equal keyData .
If
the
priv
field
is
present
and
usages
contains
a
value
which
is
not
"
sign
",
or,
if
the
priv
field
is
not
present
and
usages
contains
a
value
which
is
not
"
verify
"
then
throw
a
SyntaxError
.
If
the
kty
field
of
jwk
is
not
"
AKP
",
then
throw
a
DataError
.
If
the
alg
field
of
jwk
is
not
equal
to
the
name
member
of
normalizedAlgorithm
,
then
throw
a
DataError
.
If
usages
is
non-empty
and
the
use
field
of
jwk
is
present
and
is
not
equal
to
"
sig
",
then
throw
a
DataError
.
If
the
key_ops
field
of
jwk
is
present,
and
is
invalid
according
to
the
requirements
of
JSON
Web
Key
[
JWK
],
or
it
does
not
contain
all
of
the
specified
usages
values,
then
throw
a
DataError
.
If
the
ext
field
of
jwk
is
present
and
has
the
value
false
and
extractable
is
true,
then
throw
a
DataError
.
priv
field
of
jwk
is
present:
If
the
priv
attribute
of
jwk
does
not
contain
a
valid
base64url
encoded
seed
representing
an
ML-DSA
private
key,
then
throw
a
DataError
.
Let
key
be
a
new
CryptoKey
object
that
represents
the
ML-DSA
private
key
identified
by
interpreting
the
priv
attribute
of
jwk
as
a
base64url
encoded
seed.
If
the
pub
attribute
of
jwk
does
not
contain
the
base64url
encoded
public
key
representing
the
ML-DSA
public
key
corresponding
to
key
,
then
throw
a
DataError
.
If
the
pub
attribute
of
jwk
does
not
contain
a
valid
base64url
encoded
public
key
representing
an
ML-DSA
public
key,
then
throw
a
DataError
.
Let
key
be
a
new
CryptoKey
object
that
represents
the
ML-DSA
public
key
identified
by
interpreting
the
pub
attribute
of
jwk
as
a
base64url
encoded
public
key.
Let
algorithm
be
a
new
instance
of
a
KeyAlgorithm
object.
Set
the
name
attribute
of
algorithm
to
the
name
member
of
normalizedAlgorithm
.
Set
the
[[algorithm]]
internal
slot
of
key
to
algorithm
.
Return key
Let
key
be
the
CryptoKey
to
be
exported.
If
the
underlying
cryptographic
key
material
represented
by
the
[[handle]]
internal
slot
of
key
cannot
be
accessed,
then
throw
an
OperationError
.
If
the
[[type]]
internal
slot
of
key
is
"
private
"
and
an
ML-DSA
seed
cannot
be
resolved
from
the
[[handle]]
internal
slot
of
key
,
then
throw
an
OperationError
.
spki
":
If
the
[[type]]
internal
slot
of
key
is
not
"
public
",
then
throw
an
InvalidAccessError
.
Let
data
be
an
instance
of
the
SubjectPublicKeyInfo
ASN.1
structure
defined
in
[
RFC5280
]
with
the
following
properties:
Set
the
algorithm
field
to
an
AlgorithmIdentifier
ASN.1
type
with
the
following
properties:
name
member
of
normalizedAlgorithm
is
"
ML-DSA-44
":
Set
the
algorithm
object
identifier
to
the
id-ml-dsa-44
(2.16.840.1.101.3.4.3.17)
OID.
name
member
of
normalizedAlgorithm
is
"
ML-DSA-65
":
Set
the
algorithm
object
identifier
to
the
id-ml-dsa-65
(2.16.840.1.101.3.4.3.18)
OID.
name
member
of
normalizedAlgorithm
is
"
ML-DSA-87
":
Set
the
algorithm
object
identifier
to
the
id-ml-dsa-87
(2.16.840.1.101.3.4.3.19)
OID.
Set the subjectPublicKey field to keyData .
Let result be the result of DER-encoding data .
pkcs8
":
If
the
[[type]]
internal
slot
of
key
is
not
"
private
",
then
throw
an
InvalidAccessError
.
Let
data
be
an
instance
of
the
PrivateKeyInfo
ASN.1
structure
defined
in
[
RFC5208
]
with
the
following
properties:
Set
the
version
field
to
0
.
Set
the
privateKeyAlgorithm
field
to
a
PrivateKeyAlgorithmIdentifier
ASN.1
type
with
the
following
properties:
name
member
of
normalizedAlgorithm
is
"
ML-DSA-44
":
Set
the
algorithm
object
identifier
to
the
id-ml-dsa-44
(2.16.840.1.101.3.4.3.17)
OID.
name
member
of
normalizedAlgorithm
is
"
ML-DSA-65
":
Set
the
algorithm
object
identifier
to
the
id-ml-dsa-65
(2.16.840.1.101.3.4.3.18)
OID.
name
member
of
normalizedAlgorithm
is
"
ML-DSA-87
":
Set
the
algorithm
object
identifier
to
the
id-ml-dsa-87
(2.16.840.1.101.3.4.3.19)
OID.
Set the privateKey field as follows:
name
member
of
normalizedAlgorithm
is
"
ML-DSA-44
":
Set
the
privateKey
field
to
the
result
of
DER-encoding
a
ML-DSA-44-PrivateKey
ASN.1
type
that
represents
the
ML-DSA
private
key
seed
represented
by
the
[[handle]]
internal
slot
of
key
using
the
seed-only
format
(using
a
context-specific
[0]
primitive
tag
with
an
implicit
encoding
of
OCTET
STRING).
name
member
of
normalizedAlgorithm
is
"
ML-DSA-65
":
Set
the
privateKey
field
to
the
result
of
DER-encoding
a
ML-DSA-65-PrivateKey
ASN.1
type
that
represents
the
ML-DSA
private
key
seed
represented
by
the
[[handle]]
internal
slot
of
key
using
the
seed-only
format
(using
a
context-specific
[0]
primitive
tag
with
an
implicit
encoding
of
OCTET
STRING).
name
member
of
normalizedAlgorithm
is
"
ML-DSA-87
":
Set
the
privateKey
field
to
the
result
of
DER-encoding
a
ML-DSA-87-PrivateKey
ASN.1
type
that
represents
the
ML-DSA
private
key
seed
represented
by
the
[[handle]]
internal
slot
of
key
using
the
seed-only
format
(using
a
context-specific
[0]
primitive
tag
with
an
implicit
encoding
of
OCTET
STRING).
Let result be the result of DER-encoding data .
raw-public
":
If
the
[[type]]
internal
slot
of
key
is
not
"
public
",
then
throw
an
InvalidAccessError
.
Let
data
be
a
byte
sequence
containing
the
ML-DSA
public
key
represented
by
the
[[handle]]
internal
slot
of
key
.
Let result be data .
raw-seed
":
If
the
[[type]]
internal
slot
of
key
is
not
"
private
",
then
throw
an
InvalidAccessError
.
Let
data
be
a
byte
sequence
containing
the
ξ
seed
variable
of
the
key
represented
by
the
[[handle]]
internal
slot
of
key
.
The ξ seed variable was sampled in the ML-DSA.KeyGen function as described in Section 5.1 of [ FIPS-204 ].
Let result be data .
jwk
":
Let
jwk
be
a
new
JsonWebKey
dictionary.
Set
the
kty
attribute
of
jwk
to
"
AKP
".
Set
the
alg
attribute
of
jwk
to
the
name
member
of
normalizedAlgorithm
.
Set
the
pub
attribute
of
jwk
to
the
base64url
encoded
public
key
corresponding
to
the
[[handle]]
internal
slot
of
key
.
[[type]]
internal
slot
of
key
is
"
private
":
priv
attribute
of
jwk
to
the
base64url
encoded
seed
represented
by
the
[[handle]]
internal
slot
of
key
.
Set
the
key_ops
attribute
of
jwk
to
the
usages
attribute
of
key
.
Set
the
ext
attribute
of
jwk
to
the
[[extractable]]
internal
slot
of
key
.
Let result be jwk .
Return result .
This section is non-normative.
This describes using SLH-DSA for signing and verification, as specified by [ FIPS-205 ].
The
recognized
algorithm
names
for
this
algorithm
are
"
SLH-DSA-SHA2-128s
",
"
SLH-DSA-SHAKE-128s
",
"
SLH-DSA-SHA2-128f
",
"
SLH-DSA-SHAKE-128f
",
"
SLH-DSA-SHA2-192s
",
"
SLH-DSA-SHAKE-192s
",
"
SLH-DSA-SHA2-192f
",
"
SLH-DSA-SHAKE-192f
",
"
SLH-DSA-SHA2-256s
",
"
SLH-DSA-SHAKE-256s
",
"
SLH-DSA-SHA2-256f
"
and
"
SLH-DSA-SHAKE-256f
".
| Operation | Parameters | Result |
|---|---|---|
| sign |
ContextParams
|
byte sequence |
| verify |
ContextParams
|
boolean |
| generateKey | None |
CryptoKeyPair
|
| importKey | None |
CryptoKey
|
| exportKey | None | object |
If
the
[[type]]
internal
slot
of
key
is
not
"
private
",
then
throw
an
InvalidAccessError
.
Let
context
be
the
context
member
of
normalizedAlgorithm
or
the
empty
octet
string
if
the
context
member
of
normalizedAlgorithm
is
not
present.
Let
result
be
the
result
of
performing
the
slh_sign
signing
algorithm,
as
specified
in
Section
10.2.1
of
[
FIPS-205
],
with
the
parameter
set
indicated
by
the
name
member
of
normalizedAlgorithm
,
using
the
SLH-DSA
private
key
associated
with
key
as
SK
,
message
as
M
and
context
as
ctx
.
If
the
slh_sign
algorithm
returned
an
error,
return
an
OperationError
.
Return result .
If
the
[[type]]
internal
slot
of
key
is
not
"
public
",
then
throw
an
InvalidAccessError
.
Let
context
be
the
context
member
of
normalizedAlgorithm
or
the
empty
octet
string
if
the
context
member
of
normalizedAlgorithm
is
not
present.
Let
result
be
the
result
of
performing
the
slh_verify
verification
algorithm,
as
specified
in
Section
10.3
of
[
FIPS-205
],
with
the
parameter
set
indicated
by
the
name
member
of
normalizedAlgorithm
,
using
the
SLH-DSA
public
key
associated
with
key
as
PK
,
message
as
M
,
signature
as
SIG
and
context
as
ctx
.
If
the
slh_verify
algorithm
returned
an
error,
return
an
OperationError
.
Return result .
If
usages
contains
a
value
which
is
not
one
of
"
sign
"
or
"
verify
",
then
throw
a
SyntaxError
.
Generate
an
SLH-DSA
key
pair,
as
described
in
Section
10.1
of
[
FIPS-205
],
with
the
parameter
set
indicated
by
the
name
member
of
normalizedAlgorithm
.
If
the
key
generation
step
fails,
then
throw
an
OperationError
.
Let
algorithm
be
a
new
KeyAlgorithm
object.
Set
the
name
attribute
of
algorithm
to
the
name
attribute
of
normalizedAlgorithm
.
Let
publicKey
be
a
new
CryptoKey
representing
the
public
key
of
the
generated
key
pair.
Set
the
[[type]]
internal
slot
of
publicKey
to
"
public
".
Set
the
[[algorithm]]
internal
slot
of
publicKey
to
algorithm
.
Set
the
[[extractable]]
internal
slot
of
publicKey
to
true.
Set
the
[[usages]]
internal
slot
of
publicKey
to
be
the
usage
intersection
of
usages
and
[
"verify"
]
.
Let
privateKey
be
a
new
CryptoKey
representing
the
private
key
of
the
generated
key
pair.
Set
the
[[type]]
internal
slot
of
privateKey
to
"
private
".
Set
the
[[algorithm]]
internal
slot
of
privateKey
to
algorithm
.
Set
the
[[extractable]]
internal
slot
of
privateKey
to
extractable
.
Set
the
[[usages]]
internal
slot
of
privateKey
to
be
the
usage
intersection
of
usages
and
[
"sign"
]
.
Let
result
be
a
new
CryptoKeyPair
dictionary.
Set
the
publicKey
attribute
of
result
to
be
publicKey
.
Set
the
privateKey
attribute
of
result
to
be
privateKey
.
Return result .
Let keyData be the key data to be imported.
spki
":
If
usages
contains
a
value
which
is
not
"
verify
"
then
throw
a
SyntaxError
.
Let spki be the result of running the parse a subjectPublicKeyInfo algorithm over keyData .
If
an
error
occurred
while
parsing,
then
throw
a
DataError
.
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHA2-128s
":
Let
expectedOid
be
id-slh-dsa-sha2-128s
(2.16.840.1.101.3.4.3.20).
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHA2-128f
":
Let
expectedOid
be
id-slh-dsa-sha2-128f
(2.16.840.1.101.3.4.3.21).
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHA2-192s
":
Let
expectedOid
be
id-slh-dsa-sha2-192s
(2.16.840.1.101.3.4.3.22).
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHA2-192f
":
Let
expectedOid
be
id-slh-dsa-sha2-192f
(2.16.840.1.101.3.4.3.23).
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHA2-256s
":
Let
expectedOid
be
id-slh-dsa-sha2-256s
(2.16.840.1.101.3.4.3.24).
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHA2-256f
":
Let
expectedOid
be
id-slh-dsa-sha2-256f
(2.16.840.1.101.3.4.3.25).
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHAKE-128s
":
Let
expectedOid
be
id-slh-dsa-shake-128s
(2.16.840.1.101.3.4.3.26).
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHAKE-128f
":
Let
expectedOid
be
id-slh-dsa-shake-128f
(2.16.840.1.101.3.4.3.27).
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHAKE-192s
":
Let
expectedOid
be
id-slh-dsa-shake-192s
(2.16.840.1.101.3.4.3.28).
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHAKE-192f
":
Let
expectedOid
be
id-slh-dsa-shake-192f
(2.16.840.1.101.3.4.3.29).
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHAKE-256s
":
Let
expectedOid
be
id-slh-dsa-shake-256s
(2.16.840.1.101.3.4.3.30).
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHAKE-256f
":
Let
expectedOid
be
id-slh-dsa-shake-256f
(2.16.840.1.101.3.4.3.31).
If
the
algorithm
object
identifier
field
of
the
algorithm
AlgorithmIdentifier
field
of
spki
is
not
equal
to
expectedOid
,
then
throw
a
DataError
.
If
the
parameters
field
of
the
algorithm
AlgorithmIdentifier
field
of
spki
is
present,
then
throw
a
DataError
.
Let
publicKey
be
the
SLH-DSA
public
key
identified
by
the
subjectPublicKey
field
of
spki
.
Let
key
be
a
new
CryptoKey
that
represents
publicKey
.
Set
the
[[type]]
internal
slot
of
key
to
"
public
"
Let
algorithm
be
a
new
KeyAlgorithm
.
Set
the
name
attribute
of
algorithm
to
the
name
attribute
of
normalizedAlgorithm
.
Set
the
[[algorithm]]
internal
slot
of
key
to
algorithm
.
Set
the
[[extractable]]
internal
slot
of
key
to
extractable
.
Set
the
[[usages]]
internal
slot
of
key
to
usages
.
pkcs8
":
If
usages
contains
a
value
which
is
not
"
sign
"
then
throw
a
SyntaxError
.
Let privateKeyInfo be the result of running the parse a privateKeyInfo algorithm over keyData .
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHA2-128s
":
Let
expectedOid
be
id-slh-dsa-sha2-128s
(2.16.840.1.101.3.4.3.20).
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHA2-128f
":
Let
expectedOid
be
id-slh-dsa-sha2-128f
(2.16.840.1.101.3.4.3.21).
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHA2-192s
":
Let
expectedOid
be
id-slh-dsa-sha2-192s
(2.16.840.1.101.3.4.3.22).
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHA2-192f
":
Let
expectedOid
be
id-slh-dsa-sha2-192f
(2.16.840.1.101.3.4.3.23).
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHA2-256s
":
Let
expectedOid
be
id-slh-dsa-sha2-256s
(2.16.840.1.101.3.4.3.24).
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHA2-256f
":
Let
expectedOid
be
id-slh-dsa-sha2-256f
(2.16.840.1.101.3.4.3.25).
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHAKE-128s
":
Let
expectedOid
be
id-slh-dsa-shake-128s
(2.16.840.1.101.3.4.3.26).
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHAKE-128f
":
Let
expectedOid
be
id-slh-dsa-shake-128f
(2.16.840.1.101.3.4.3.27).
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHAKE-192s
":
Let
expectedOid
be
id-slh-dsa-shake-192s
(2.16.840.1.101.3.4.3.28).
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHAKE-192f
":
Let
expectedOid
be
id-slh-dsa-shake-192f
(2.16.840.1.101.3.4.3.29).
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHAKE-256s
":
Let
expectedOid
be
id-slh-dsa-shake-256s
(2.16.840.1.101.3.4.3.30).
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHAKE-256f
":
Let
expectedOid
be
id-slh-dsa-shake-256f
(2.16.840.1.101.3.4.3.31).
If
the
algorithm
object
identifier
field
of
the
privateKeyAlgorithm
PrivateKeyAlgorithm
field
of
privateKeyInfo
is
not
equal
to
expectedOid
,
then
throw
a
DataError
.
If
the
parameters
field
of
the
privateKeyAlgorithm
PrivateKeyAlgorithmIdentifier
field
of
privateKeyInfo
is
present,
then
throw
a
DataError
.
Let
slhDsaPrivateKey
be
the
result
of
performing
the
parse
an
ASN.1
structure
algorithm,
with
data
as
the
privateKey
field
of
privateKeyInfo
,
structure
as
OCTET
STRING,
and
exactData
set
to
true.
If
an
error
occurred
while
parsing,
then
throw
a
DataError
.
Let
key
be
a
new
CryptoKey
that
represents
the
SLH-DSA
private
key
identified
by
slhDsaPrivateKey
.
Let
algorithm
be
a
new
KeyAlgorithm
.
Set
the
name
attribute
of
algorithm
to
the
name
attribute
of
normalizedAlgorithm
.
Set
the
[[algorithm]]
internal
slot
of
key
to
algorithm
.
Set
the
[[extractable]]
internal
slot
of
key
to
extractable
.
Set
the
[[usages]]
internal
slot
of
key
to
usages
.
raw-public
":
If
usages
contains
a
value
which
is
not
"
verify
"
then
throw
a
SyntaxError
.
Let
algorithm
be
a
new
KeyAlgorithm
object.
Set
the
name
attribute
of
algorithm
to
the
name
attribute
of
normalizedAlgorithm
.
If
the
length
of
keyData
is
not
the
pk
length
specified
by
Table
2
of
[
FIPS-205
]
for
the
parameter
set
indicated
by
the
name
member
of
normalizedAlgorithm
,
then
throw
a
DataError
.
Let
key
be
a
new
CryptoKey
representing
the
key
data
provided
in
keyData
.
Set
the
[[type]]
internal
slot
of
key
to
"
public
"
Set
the
[[algorithm]]
internal
slot
of
key
to
algorithm
.
raw-private
":
If
usages
contains
an
entry
which
is
not
"
sign
"
then
throw
a
SyntaxError
.
If
the
length
of
keyData
is
not
2
*
the
pk
length
specified
by
Table
2
of
[
FIPS-205
]
for
the
parameter
set
indicated
by
the
name
member
of
normalizedAlgorithm
,
then
throw
a
DataError
.
Let
key
be
a
new
CryptoKey
representing
the
key
data
provided
in
keyData
.
Let
algorithm
be
a
new
KeyAlgorithm
.
Set
the
name
attribute
of
algorithm
to
the
name
attribute
of
normalizedAlgorithm
.
Set
the
[[algorithm]]
internal
slot
of
key
to
algorithm
.
jwk
":
JsonWebKey
dictionary:
Let jwk equal keyData .
If
the
priv
field
is
present
and
usages
contains
a
value
which
is
not
"
sign
",
or,
if
the
priv
field
is
not
present
and
usages
contains
a
value
which
is
not
"
verify
"
then
throw
a
SyntaxError
.
If
the
kty
field
of
jwk
is
not
"
AKP
",
then
throw
a
DataError
.
If
the
alg
field
of
jwk
is
not
equal
to
the
name
member
of
normalizedAlgorithm
,
then
throw
a
DataError
.
If
usages
is
non-empty
and
the
use
field
of
jwk
is
present
and
is
not
equal
to
"
sig
",
then
throw
a
DataError
.
If
the
key_ops
field
of
jwk
is
present,
and
is
invalid
according
to
the
requirements
of
JSON
Web
Key
[
JWK
],
or
it
does
not
contain
all
of
the
specified
usages
values,
then
throw
a
DataError
.
If
the
ext
field
of
jwk
is
present
and
has
the
value
false
and
extractable
is
true,
then
throw
a
DataError
.
priv
field
of
jwk
is
present:
If
the
priv
attribute
of
jwk
does
not
contain
a
valid
base64url
encoded
value
representing
an
SLH-DSA
private
key,
then
throw
a
DataError
.
Let
key
be
a
new
CryptoKey
object
that
represents
the
SLH-DSA
private
key
identified
by
interpreting
the
priv
attribute
of
jwk
as
a
base64url
encoded
private
key.
If
the
pub
attribute
of
jwk
does
not
contain
the
base64url
encoded
public
key
representing
the
SLH-DSA
public
key
corresponding
to
key
,
then
throw
a
DataError
.
If
the
pub
attribute
of
jwk
does
not
contain
a
valid
base64url
encoded
public
key
representing
an
SLH-DSA
public
key,
then
throw
a
DataError
.
Let
key
be
a
new
CryptoKey
object
that
represents
the
SLH-DSA
public
key
identified
by
interpreting
the
pub
attribute
of
jwk
as
a
base64url
encoded
public
key.
Let
algorithm
be
a
new
instance
of
a
KeyAlgorithm
object.
Set
the
name
attribute
of
algorithm
to
the
name
member
of
normalizedAlgorithm
.
Set
the
[[algorithm]]
internal
slot
of
key
to
algorithm
.
Return key
Let
key
be
the
CryptoKey
to
be
exported.
If
the
underlying
cryptographic
key
material
represented
by
the
[[handle]]
internal
slot
of
key
cannot
be
accessed,
then
throw
an
OperationError
.
spki
":
If
the
[[type]]
internal
slot
of
key
is
not
"
public
",
then
throw
an
InvalidAccessError
.
Let
data
be
an
instance
of
the
SubjectPublicKeyInfo
ASN.1
structure
defined
in
[
RFC5280
]
with
the
following
properties:
Set
the
algorithm
field
to
an
AlgorithmIdentifier
ASN.1
type
with
the
following
properties:
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHA2-128s
":
Set
the
algorithm
object
identifier
to
the
id-slh-dsa-sha2-128s
(2.16.840.1.101.3.4.3.20)
OID.
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHA2-128f
":
Set
the
algorithm
object
identifier
to
the
id-slh-dsa-sha2-128f
(2.16.840.1.101.3.4.3.21)
OID.
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHA2-192s
":
Set
the
algorithm
object
identifier
to
the
id-slh-dsa-sha2-192s
(2.16.840.1.101.3.4.3.22)
OID.
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHA2-192f
":
Set
the
algorithm
object
identifier
to
the
id-slh-dsa-sha2-192f
(2.16.840.1.101.3.4.3.23)
OID.
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHA2-256s
":
Set
the
algorithm
object
identifier
to
the
id-slh-dsa-sha2-256s
(2.16.840.1.101.3.4.3.24)
OID.
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHA2-256f
":
Set
the
algorithm
object
identifier
to
the
id-slh-dsa-sha2-256f
(2.16.840.1.101.3.4.3.25)
OID.
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHAKE-128s
":
Set
the
algorithm
object
identifier
to
the
id-slh-dsa-shake-128s
(2.16.840.1.101.3.4.3.26)
OID.
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHAKE-128f
":
Set
the
algorithm
object
identifier
to
the
id-slh-dsa-shake-128f
(2.16.840.1.101.3.4.3.27)
OID.
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHAKE-192s
":
Set
the
algorithm
object
identifier
to
the
id-slh-dsa-shake-192s
(2.16.840.1.101.3.4.3.28)
OID.
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHAKE-192f
":
Set
the
algorithm
object
identifier
to
the
id-slh-dsa-shake-192f
(2.16.840.1.101.3.4.3.29)
OID.
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHAKE-256s
":
Set
the
algorithm
object
identifier
to
the
id-slh-dsa-shake-256s
(2.16.840.1.101.3.4.3.30)
OID.
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHAKE-256f
":
Set
the
algorithm
object
identifier
to
the
id-slh-dsa-shake-256f
(2.16.840.1.101.3.4.3.31)
OID.
Set the subjectPublicKey field to keyData .
Let result be the result of DER-encoding data .
pkcs8
":
If
the
[[type]]
internal
slot
of
key
is
not
"
private
",
then
throw
an
InvalidAccessError
.
Let
data
be
an
instance
of
the
PrivateKeyInfo
ASN.1
structure
defined
in
[
RFC5208
]
with
the
following
properties:
Set
the
version
field
to
0
.
Set
the
privateKeyAlgorithm
field
to
a
PrivateKeyAlgorithmIdentifier
ASN.1
type
with
the
following
properties:
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHA2-128s
":
Set
the
algorithm
object
identifier
to
the
id-slh-dsa-sha2-128s
(2.16.840.1.101.3.4.3.20)
OID.
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHA2-128f
":
Set
the
algorithm
object
identifier
to
the
id-slh-dsa-sha2-128f
(2.16.840.1.101.3.4.3.21)
OID.
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHA2-192s
":
Set
the
algorithm
object
identifier
to
the
id-slh-dsa-sha2-192s
(2.16.840.1.101.3.4.3.22)
OID.
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHA2-192f
":
Set
the
algorithm
object
identifier
to
the
id-slh-dsa-sha2-192f
(2.16.840.1.101.3.4.3.23)
OID.
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHA2-256s
":
Set
the
algorithm
object
identifier
to
the
id-slh-dsa-sha2-256s
(2.16.840.1.101.3.4.3.24)
OID.
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHA2-256f
":
Set
the
algorithm
object
identifier
to
the
id-slh-dsa-sha2-256f
(2.16.840.1.101.3.4.3.25)
OID.
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHAKE-128s
":
Set
the
algorithm
object
identifier
to
the
id-slh-dsa-shake-128s
(2.16.840.1.101.3.4.3.26)
OID.
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHAKE-128f
":
Set
the
algorithm
object
identifier
to
the
id-slh-dsa-shake-128f
(2.16.840.1.101.3.4.3.27)
OID.
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHAKE-192s
":
Set
the
algorithm
object
identifier
to
the
id-slh-dsa-shake-192s
(2.16.840.1.101.3.4.3.28)
OID.
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHAKE-192f
":
Set
the
algorithm
object
identifier
to
the
id-slh-dsa-shake-192f
(2.16.840.1.101.3.4.3.29)
OID.
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHAKE-256s
":
Set
the
algorithm
object
identifier
to
the
id-slh-dsa-shake-256s
(2.16.840.1.101.3.4.3.30)
OID.
name
member
of
normalizedAlgorithm
is
"
SLH-DSA-SHAKE-256f
":
Set
the
algorithm
object
identifier
to
the
id-slh-dsa-shake-256f
(2.16.840.1.101.3.4.3.31)
OID.
Set
the
privateKey
field
to
the
result
of
DER-encoding
a
OCTET
STRING
ASN.1
type
that
represents
the
SLH-DSA
private
key
represented
by
the
[[handle]]
internal
slot
of
key
Let result be the result of DER-encoding data .
raw-public
":
If
the
[[type]]
internal
slot
of
key
is
not
"
public
",
then
throw
an
InvalidAccessError
.
Let
data
be
a
byte
sequence
containing
the
SLH-DSA
public
key
represented
by
the
[[handle]]
internal
slot
of
key
.
Let result be data .
raw-private
":
If
the
[[type]]
internal
slot
of
key
is
not
"
private
",
then
throw
an
InvalidAccessError
.
Let
data
be
a
byte
sequence
containing
the
SLH-DSA
private
key
represented
by
the
[[handle]]
internal
slot
of
key
.
Let result be data .
jwk
":
Let
jwk
be
a
new
JsonWebKey
dictionary.
Set
the
kty
attribute
of
jwk
to
"
AKP
".
Set
the
alg
attribute
of
jwk
to
the
name
member
of
normalizedAlgorithm
.
Set
the
pub
attribute
of
jwk
to
the
base64url
encoded
public
key
corresponding
to
the
[[handle]]
internal
slot
of
key
.
[[type]]
internal
slot
of
key
is
"
private
":
priv
attribute
of
jwk
to
the
base64url
encoded
private
key
represented
by
the
[[handle]]
internal
slot
of
key
.
Set
the
key_ops
attribute
of
jwk
to
the
usages
attribute
of
key
.
Set
the
ext
attribute
of
jwk
to
the
[[extractable]]
internal
slot
of
key
.
Let result be jwk .
Return result .
This section is non-normative.
The
"
AES-OCB
"
algorithm
identifier
is
used
to
perform
authenticated
encryption
and
decryption
using
AES
in
OCB
mode,
as
described
in
[
RFC7253
].
The
recognized
algorithm
name
for
this
algorithm
is
"
AES-OCB
".
| Operation | Parameters | Result |
|---|---|---|
| encrypt |
AeadParams
|
byte sequence |
| decrypt |
AeadParams
|
byte sequence |
| generateKey |
AesKeyGenParams
|
CryptoKey
|
| importKey | None |
CryptoKey
|
| exportKey | None | object |
| get key length |
AesDerivedKeyParams
|
Integer |
WebIDLdictionary AeadParams : Algorithm {
required BufferSource iv;
BufferSource additionalData;
[EnforceRange] octet tagLength;
};
The
iv
member
represents
the
initialization
vector
to
use.
The
additionalData
member
represents
the
additional
authentication
data
to
include.
The
tagLength
member
represents
the
desired
length
of
the
authentication
tag.
The
AeadParams
dictionary
is
identical
to
the
AesGcmParams
dictionary
of
[
webcrypto
],
and
the
latter
may
be
replaced
by
the
former
when
merging
this
proposal.
If
the
iv
member
of
normalizedAlgorithm
has
a
length
greater
than
15
bytes,
then
throw
an
OperationError
.
tagLength
member
of
normalizedAlgorithm
is
not
present:
tagLength
member
of
normalizedAlgorithm
is
one
of
64,
96
or
128:
tagLength
member
of
normalizedAlgorithm
OperationError
.
Let
additionalData
be
the
additionalData
member
of
normalizedAlgorithm
if
present
or
the
empty
octet
string
otherwise.
Let
C
be
the
output
that
results
from
performing
the
OCB-ENCRYPT
function
described
in
Section
4.2
of
[
RFC7253
]
using
AES
as
the
block
cipher,
using
the
key
represented
by
[[handle]]
internal
slot
of
key
as
the
K
input
parameter,
the
iv
member
of
normalizedAlgorithm
as
the
N
input
parameter,
additionalData
as
the
A
input
parameter,
plaintext
as
the
P
input
parameter,
and
tagLength
as
the
TAGLEN
global
parameter.
Return C .
If
the
iv
member
of
normalizedAlgorithm
has
a
length
greater
than
15
bytes,
then
throw
an
OperationError
.
tagLength
member
of
normalizedAlgorithm
is
not
present:
tagLength
member
of
normalizedAlgorithm
is
one
of
64,
96
or
128:
tagLength
member
of
normalizedAlgorithm
OperationError
.
If
ciphertext
has
a
length
less
than
tagLength
bits,
then
throw
an
OperationError
.
Let
additionalData
be
the
additionalData
member
of
normalizedAlgorithm
if
present
or
the
empty
octet
string
otherwise.
Perform
the
OCB-DECRYPT
function
described
in
Section
4.3
of
[
RFC7253
]
using
AES
as
the
block
cipher,
using
the
key
represented
by
[[handle]]
internal
slot
of
key
as
the
K
input
parameter,
the
iv
member
of
normalizedAlgorithm
as
the
N
input
parameter,
additionalData
as
the
A
input
parameter,
ciphertext
as
the
C
input
parameter,
and
tagLength
as
the
TAGLEN
global
parameter.
OperationError
Return plaintext .
If
usages
contains
any
entry
which
is
not
one
of
"
encrypt
",
"
decrypt
",
"
wrapKey
"
or
"
unwrapKey
",
then
throw
a
SyntaxError
.
If
the
length
member
of
normalizedAlgorithm
is
not
equal
to
one
of
128,
192
or
256,
then
throw
an
OperationError
.
Generate
an
AES
key
of
length
equal
to
the
length
member
of
normalizedAlgorithm
.
If
the
key
generation
step
fails,
then
throw
an
OperationError
.
Let
key
be
a
new
CryptoKey
object
representing
the
generated
AES
key.
Let
algorithm
be
a
new
AesKeyAlgorithm
.
Set
the
name
attribute
of
algorithm
to
"
AES-OCB
".
Set
the
length
attribute
of
algorithm
to
equal
the
length
member
of
normalizedAlgorithm
.
Set
the
[[algorithm]]
internal
slot
of
key
to
algorithm
.
Set
the
[[extractable]]
internal
slot
of
key
to
be
extractable
.
Set
the
[[usages]]
internal
slot
of
key
to
be
usages
.
Return key .
Let keyData be the key data to be imported.
If
usages
contains
an
entry
which
is
not
one
of
"
encrypt
",
"
decrypt
",
"
wrapKey
"
or
"
unwrapKey
",
then
throw
a
SyntaxError
.
raw-secret
":
jwk
":
JsonWebKey
dictionary:
Let jwk equal keyData .
If
the
kty
field
of
jwk
is
not
"
oct
",
then
throw
a
DataError
.
If
jwk
does
not
meet
the
requirements
of
Section
6.4
of
JSON
Web
Algorithms
[
JWA
],
then
throw
a
DataError
.
Let
data
be
the
byte
sequence
obtained
by
decoding
the
k
field
of
jwk
.
alg
field
of
jwk
is
present,
and
is
not
"
A128OCB
",
then
throw
a
DataError
.
alg
field
of
jwk
is
present,
and
is
not
"
A192OCB
",
then
throw
a
DataError
.
alg
field
of
jwk
is
present,
and
is
not
"
A256OCB
",
then
throw
a
DataError
.
DataError
.
If
usages
is
non-empty
and
the
use
field
of
jwk
is
present
and
is
not
"
enc
",
then
throw
a
DataError
.
If
the
key_ops
field
of
jwk
is
present,
and
is
invalid
according
to
the
requirements
of
JSON
Web
Key
[
JWK
]
or
does
not
contain
all
of
the
specified
usages
values,
then
throw
a
DataError
.
If
the
ext
field
of
jwk
is
present
and
has
the
value
false
and
extractable
is
true,
then
throw
a
DataError
.
NotSupportedError
.
Let
key
be
a
new
CryptoKey
object
representing
an
AES
key
with
value
data
.
Let
algorithm
be
a
new
AesKeyAlgorithm
.
Set
the
name
attribute
of
algorithm
to
"
AES-OCB
".
Set
the
length
attribute
of
algorithm
to
the
length,
in
bits,
of
data
.
Set
the
[[algorithm]]
internal
slot
of
key
to
algorithm
.
Return key .
If
the
underlying
cryptographic
key
material
represented
by
the
[[handle]]
internal
slot
of
key
cannot
be
accessed,
then
throw
an
OperationError
.
raw-secret
":
Let
data
be
a
byte
sequence
containing
the
raw
octets
of
the
key
represented
by
[[handle]]
internal
slot
of
key
.
Let result be data .
jwk
":
Let
jwk
be
a
new
JsonWebKey
dictionary.
Set
the
kty
attribute
of
jwk
to
the
string
"
oct
".
Set
the
k
attribute
of
jwk
to
be
a
string
containing
the
raw
octets
of
the
key
represented
by
[[handle]]
internal
slot
of
key
,
encoded
according
to
Section
6.4
of
JSON
Web
Algorithms
[
JWA
].
Set
the
key_ops
attribute
of
jwk
to
equal
the
usages
attribute
of
key
.
Set
the
ext
attribute
of
jwk
to
equal
the
[[extractable]]
internal
slot
of
key
.
Let result be the result of converting jwk to an ECMAScript Object, as defined by [ WebIDL ].
Return result .
If
the
length
member
of
normalizedDerivedKeyAlgorithm
is
not
128,
192
or
256,
then
throw
an
OperationError
.
Return
the
length
member
of
normalizedDerivedKeyAlgorithm
.
This section is non-normative.
The
"
ChaCha20-Poly1305
"
algorithm
identifier
is
used
to
perform
authenticated
encryption
and
decryption
using
AEAD_CHACHA20_POLY1305,
as
described
in
[
RFC8439
].
The
recognized
algorithm
name
for
this
algorithm
is
"
ChaCha20-Poly1305
".
| Operation | Parameters | Result |
|---|---|---|
| encrypt |
AeadParams
|
byte sequence |
| decrypt |
AeadParams
|
byte sequence |
| generateKey | None |
CryptoKey
|
| importKey | None |
CryptoKey
|
| exportKey | None | object |
| get key length | None | Integer |
If
the
iv
member
of
normalizedAlgorithm
does
not
have
a
length
of
12
bytes,
then
throw
an
OperationError
.
If
the
tagLength
member
of
normalizedAlgorithm
is
present
and
is
not
128,
then
throw
an
OperationError
.
Let
additionalData
be
the
additionalData
member
of
normalizedAlgorithm
if
present
or
the
empty
octet
string
otherwise.
Let
ciphertext
be
the
output
that
results
from
performing
the
AEAD_CHACHA20_POLY1305
encryption
algorithm
described
in
Section
2.8
of
[
RFC8439
],
using
the
key
represented
by
[[handle]]
internal
slot
of
key
as
the
key
input
parameter,
the
iv
member
of
normalizedAlgorithm
as
the
nonce
input
parameter,
plaintext
as
the
plaintext
input
parameter,
and
additionalData
as
the
additional
authenticated
data
(AAD)
input
parameter.
Return ciphertext .
If
the
iv
member
of
normalizedAlgorithm
does
not
have
a
length
of
12
bytes,
then
throw
an
OperationError
.
If
the
tagLength
member
of
normalizedAlgorithm
is
present
and
is
not
128,
then
throw
an
OperationError
.
If
ciphertext
has
a
length
less
than
128
bits,
then
throw
an
OperationError
.
Let
additionalData
be
the
additionalData
member
of
normalizedAlgorithm
if
present
or
the
empty
octet
string
otherwise.
Perform
the
AEAD_CHACHA20_POLY1305
decryption
algorithm
described
in
Section
2.8
of
[
RFC8439
],
using
the
key
represented
by
[[handle]]
internal
slot
of
key
as
the
key
input
parameter,
the
iv
member
of
normalizedAlgorithm
as
the
nonce
input
parameter,
ciphertext
as
the
ciphertext
input
parameter,
and
additionalData
as
the
additional
authenticated
data
(AAD)
input
parameter.
OperationError
Return plaintext .
If
usages
contains
any
entry
which
is
not
one
of
"
encrypt
",
"
decrypt
",
"
wrapKey
"
or
"
unwrapKey
",
then
throw
a
SyntaxError
.
Generate a 256-bit key.
If
the
key
generation
step
fails,
then
throw
an
OperationError
.
Let
key
be
a
new
CryptoKey
object
representing
the
generated
key.
Let
algorithm
be
a
new
KeyAlgorithm
.
Set
the
name
attribute
of
algorithm
to
"
ChaCha20-Poly1305
".
Set
the
[[algorithm]]
internal
slot
of
key
to
algorithm
.
Set
the
[[extractable]]
internal
slot
of
key
to
be
extractable
.
Set
the
[[usages]]
internal
slot
of
key
to
be
usages
.
Return key .
Let keyData be the key data to be imported.
If
usages
contains
an
entry
which
is
not
one
of
"
encrypt
",
"
decrypt
",
"
wrapKey
"
or
"
unwrapKey
",
then
throw
a
SyntaxError
.
raw-secret
":
jwk
":
JsonWebKey
dictionary:
Let jwk equal keyData .
If
the
kty
field
of
jwk
is
not
"
oct
",
then
throw
a
DataError
.
If
jwk
does
not
meet
the
requirements
of
Section
6.4
of
JSON
Web
Algorithms
[
JWA
],
then
throw
a
DataError
.
Let
data
be
the
byte
sequence
obtained
by
decoding
the
k
field
of
jwk
.
If
the
alg
field
of
jwk
is
present,
and
is
not
"
C20P
",
then
throw
a
DataError
.
If
usages
is
non-empty
and
the
use
field
of
jwk
is
present
and
is
not
"
enc
",
then
throw
a
DataError
.
If
the
key_ops
field
of
jwk
is
present,
and
is
invalid
according
to
the
requirements
of
JSON
Web
Key
[
JWK
]
or
does
not
contain
all
of
the
specified
usages
values,
then
throw
a
DataError
.
If
the
ext
field
of
jwk
is
present
and
has
the
value
false
and
extractable
is
true,
then
throw
a
DataError
.
NotSupportedError
.
Let
key
be
a
new
CryptoKey
object
representing
a
key
with
value
data
.
Let
algorithm
be
a
new
KeyAlgorithm
.
Set
the
name
attribute
of
algorithm
to
"
ChaCha20-Poly1305
".
Set
the
[[algorithm]]
internal
slot
of
key
to
algorithm
.
Return key .
If
the
underlying
cryptographic
key
material
represented
by
the
[[handle]]
internal
slot
of
key
cannot
be
accessed,
then
throw
an
OperationError
.
raw-secret
":
Let
data
be
a
byte
sequence
containing
the
raw
octets
of
the
key
represented
by
[[handle]]
internal
slot
of
key
.
Let result be data .
jwk
":
Let
jwk
be
a
new
JsonWebKey
dictionary.
Set
the
kty
attribute
of
jwk
to
the
string
"
oct
".
Set
the
k
attribute
of
jwk
to
be
a
string
containing
the
raw
octets
of
the
key
represented
by
[[handle]]
internal
slot
of
key
,
encoded
according
to
Section
6.4
of
JSON
Web
Algorithms
[
JWA
].
Set
the
alg
attribute
of
jwk
to
the
string
"
C20P
".
Set
the
key_ops
attribute
of
jwk
to
equal
the
usages
attribute
of
key
.
Set
the
ext
attribute
of
jwk
to
equal
the
[[extractable]]
internal
slot
of
key
.
Let result be the result of converting jwk to an ECMAScript Object, as defined by [ WebIDL ].
Return result .
Return 256.
This section is non-normative.
This describes the SHA-3 family of hash functions, as specified by [ FIPS-202 ].
The
recognized
algorithm
names
are
"
SHA3-256
",
"
SHA3-384
",
and
"
SHA3-512
"
for
the
respective
SHA-3
algorithms.
| Operation | Parameters | Result |
|---|---|---|
| digest | None | byte sequence |
name
member
of
normalizedAlgorithm
is
a
case-sensitive
string
match
for
"
SHA3-256
":
name
member
of
normalizedAlgorithm
is
a
case-sensitive
string
match
for
"
SHA3-384
":
name
member
of
normalizedAlgorithm
is
a
case-sensitive
string
match
for
"
SHA3-512
":
If
performing
the
operation
results
in
an
error,
then
throw
an
OperationError
.
Return result .
This section is non-normative.
This describes cSHAKE128 and cSHAKE256, as specified by [ NIST-SP800-185 ].
The
recognized
algorithm
names
are
"
cSHAKE128
"
and
"
cSHAKE256
".
| Operation | Parameters | Result |
|---|---|---|
| digest |
CShakeParams
|
byte sequence |
WebIDLdictionary CShakeParams : Algorithm {
required [EnforceRange] unsigned long length;
BufferSource functionName;
BufferSource customization;
};
The
length
member
represents
the
requested
output
length
in
bits.
The
functionName
member
represents
the
function
name,
used
by
NIST
to
define
functions
based
on
cSHAKE.
When
used,
it
should
only
be
set
to
values
defined
by
NIST.
The
customization
member
represents
the
customization
string.
The
application
selects
this
string
to
define
a
variant
of
the
function.
Let
length
be
the
length
member
of
normalizedAlgorithm
.
Let
functionName
be
the
functionName
member
of
normalizedAlgorithm
if
present
or
the
empty
octet
string
otherwise.
Let
customization
be
the
customization
member
of
normalizedAlgorithm
if
present
or
the
empty
octet
string
otherwise.
name
member
of
normalizedAlgorithm
is
a
case-sensitive
string
match
for
"
cSHAKE128
":
name
member
of
normalizedAlgorithm
is
a
case-sensitive
string
match
for
"
cSHAKE256
":
If
performing
the
operation
results
in
an
error,
then
throw
an
OperationError
.
Return result .
This section is non-normative.
This describes KMAC128 and KMAC256, as specified by [ NIST-SP800-185 ].
The
recognized
algorithm
names
are
"
KMAC128
"
and
"
KMAC256
".
| Operation | Parameters | Result |
|---|---|---|
| sign |
KmacParams
|
byte sequence |
| verify |
KmacParams
|
boolean |
| generateKey |
KmacKeyGenParams
|
CryptoKey
|
| importKey |
KmacImportParams
|
CryptoKey
|
| exportKey | None | object |
| get key length |
KmacImportParams
|
Integer |
WebIDLdictionary KmacKeyGenParams : Algorithm {
[EnforceRange] unsigned long length;
};
The
length
member
represents
the
length
(in
bits)
of
the
key
to
generate.
If
unspecified,
the
recommended
length
will
be
used,
which
is
128
for
KMAC128
and
256
for
KMAC256.
WebIDLdictionary KmacImportParams : Algorithm {
[EnforceRange] unsigned long length;
};
The
length
member
represents
the
length
(in
bits)
of
the
key.
WebIDLdictionary KmacKeyAlgorithm : KeyAlgorithm {
required unsigned long length;
};
The
length
member
represents
the
length
(in
bits)
of
the
key.
WebIDLdictionary KmacParams : Algorithm {
required [EnforceRange] unsigned long length;
BufferSource customization;
};
The
length
member
represents
the
requested
output
length
in
bits.
The
customization
member
represents
the
customization
string.
The
application
selects
this
string
to
define
a
variant
of
the
function.
Let
customization
be
the
customization
member
of
normalizedAlgorithm
if
present
or
the
empty
octet
string
otherwise.
name
member
of
normalizedAlgorithm
is
a
case-sensitive
string
match
for
"
KMAC128
":
[[handle]]
internal
slot
of
key
as
the
K
input
parameter,
message
as
the
X
input
parameter,
the
length
member
of
normalizedAlgorithm
as
the
L
input
parameter,
and
customization
as
the
S
input
parameter.
name
member
of
normalizedAlgorithm
is
a
case-sensitive
string
match
for
"
KMAC256
":
[[handle]]
internal
slot
of
key
as
the
K
input
parameter,
message
as
the
X
input
parameter,
the
length
member
of
normalizedAlgorithm
as
the
L
input
parameter,
and
customization
as
the
S
input
parameter.
Return mac .
Let
customization
be
the
customization
member
of
normalizedAlgorithm
if
present
or
the
empty
octet
string
otherwise.
name
member
of
normalizedAlgorithm
is
a
case-sensitive
string
match
for
"
KMAC128
":
[[handle]]
internal
slot
of
key
as
the
K
input
parameter,
message
as
the
X
input
parameter,
the
length
member
of
normalizedAlgorithm
as
the
L
input
parameter,
and
customization
as
the
S
input
parameter.
name
member
of
normalizedAlgorithm
is
a
case-sensitive
string
match
for
"
KMAC256
":
[[handle]]
internal
slot
of
key
as
the
K
input
parameter,
message
as
the
X
input
parameter,
the
length
member
of
normalizedAlgorithm
as
the
L
input
parameter,
and
customization
as
the
S
input
parameter.
Return true if mac is equal to signature and false otherwise.
If
usages
contains
any
entry
which
is
not
"
sign
"
or
"
verify
",
then
throw
a
SyntaxError
.
length
member
of
normalizedAlgorithm
is
present:
length
member
of
normalizedAlgorithm
.
name
member
of
normalizedAlgorithm
is
a
case-sensitive
string
match
for
"
KMAC128
":
name
member
of
normalizedAlgorithm
is
a
case-sensitive
string
match
for
"
KMAC256
":
Generate a key of length length bits.
If
the
key
generation
step
fails,
then
throw
an
OperationError
.
Let
key
be
a
new
CryptoKey
object
representing
the
generated
key.
Let
algorithm
be
a
new
KmacKeyAlgorithm
.
Set
the
name
attribute
of
algorithm
to
"
KMAC
".
Set
the
[[algorithm]]
internal
slot
of
key
to
algorithm
.
Set
the
[[extractable]]
internal
slot
of
key
to
be
extractable
.
Set
the
[[usages]]
internal
slot
of
key
to
be
usages
.
Return key .
Let keyData be the key data to be imported.
If
usages
contains
an
entry
which
is
not
"
sign
"
or
"
verify
",
then
throw
a
SyntaxError
.
raw-secret
":
Let data be keyData .
jwk
":
JsonWebKey
dictionary:
Let jwk equal keyData .
If
the
kty
field
of
jwk
is
not
"
oct
",
then
throw
a
DataError
.
If
jwk
does
not
meet
the
requirements
of
Section
6.4
of
JSON
Web
Algorithms
[
JWA
],
then
throw
a
DataError
.
Let
data
be
the
byte
sequence
obtained
by
decoding
the
k
field
of
jwk
.
name
member
of
normalizedAlgorithm
is
a
case-sensitive
string
match
for
"
KMAC128
":
alg
field
of
jwk
is
present
and
is
not
"
K128
",
then
throw
a
DataError
.
name
member
of
normalizedAlgorithm
is
a
case-sensitive
string
match
for
"
KMAC256
":
alg
field
of
jwk
is
present
and
is
not
"
K256
",
then
throw
a
DataError
.
If
usages
is
non-empty
and
the
use
field
of
jwk
is
present
and
is
not
"
sign
",
then
throw
a
DataError
.
If
the
key_ops
field
of
jwk
is
present,
and
is
invalid
according
to
the
requirements
of
JSON
Web
Key
[
JWK
]
or
does
not
contain
all
of
the
specified
usages
values,
then
throw
a
DataError
.
If
the
ext
field
of
jwk
is
present
and
has
the
value
false
and
extractable
is
true,
then
throw
a
DataError
.
NotSupportedError
.
Let length be the length in bits of data .
length
member
of
normalizedAlgorithm
is
present:
Let
key
be
a
new
CryptoKey
object
representing
an
KMAC
key
with
the
first
length
bits
of
data
.
Let
algorithm
be
a
new
KmacKeyAlgorithm
.
Set
the
name
attribute
of
algorithm
to
"
KMAC
".
Set
the
length
attribute
of
algorithm
to
length
.
Set
the
[[algorithm]]
internal
slot
of
key
to
algorithm
.
Return key .
If
the
underlying
cryptographic
key
material
represented
by
the
[[handle]]
internal
slot
of
key
cannot
be
accessed,
then
throw
an
OperationError
.
Let
bits
be
the
raw
bits
of
the
key
represented
by
[[handle]]
internal
slot
of
key
.
Let data be an byte sequence containing bits .
raw-secret
":
Let result be data .
jwk
":
Let
jwk
be
a
new
JsonWebKey
dictionary.
Set
the
kty
attribute
of
jwk
to
the
string
"
oct
".
Set
the
k
attribute
of
jwk
to
be
a
string
containing
data
,
encoded
according
to
Section
6.4
of
JSON
Web
Algorithms
[
JWA
].
Let
algorithm
be
the
[[algorithm]]
internal
slot
of
key
.
Set
the
key_ops
attribute
of
jwk
to
equal
the
usages
attribute
of
key
.
Set
the
ext
attribute
of
jwk
to
equal
the
[[extractable]]
internal
slot
of
key
.
Let result be the result of converting jwk to an ECMAScript Object, as defined by [ WebIDL ].
Return result .
length
member
of
normalizedAlgorithm
is
present:
length
member
of
normalizedAlgorithm
.
name
member
of
normalizedAlgorithm
is
a
case-sensitive
string
match
for
"
KMAC128
":
name
member
of
normalizedAlgorithm
is
a
case-sensitive
string
match
for
"
KMAC256
":
Return length .
This section is non-normative.
This describes the Argon2 function for password hashing and key derivation, as defined in [ RFC9106 ].
The
recognized
algorithm
names
are
"
Argon2d
",
"
Argon2i
",
and
"
Argon2id
"
for
the
respective
Argon2
types.
| Operation | Parameters | Result |
|---|---|---|
| deriveBits |
Argon2Params
|
byte sequence |
| importKey | None |
CryptoKey
|
| Get key length | None | null |
WebIDLdictionary Argon2Params : Algorithm {
required BufferSource nonce;
required [EnforceRange] unsigned long parallelism;
required [EnforceRange] unsigned long memory;
required [EnforceRange] unsigned long passes;
[EnforceRange] octet version;
BufferSource secretValue;
BufferSource associatedData;
};
The
nonce
member
represents
the
nonce,
which
is
a
salt
for
password
hashing
applications.
The
parallelism
member
represents
the
degree
of
parallelism.
The
memory
member
represents
the
memory
size
in
kibibytes.
It
must
be
at
least
8
times
the
degree
of
parallelism.
The
passes
member
represents
the
number
of
passes.
The
version
member
represents
the
version
number.
The
default
and
currently
only
defined
version
is
19
(0x13).
The
secretValue
member
represents
the
optional
secret
value.
The
associatedData
member
represents
the
optional
associated
data.
For the recommended values of the parameters, see section 4 of [ RFC9106 ].
If
length
is
null,
or
is
less
than
32
(4*8),
then
throw
an
OperationError
.
If
the
version
member
of
normalizedAlgorithm
is
present
and
is
not
19
(0x13),
then
throw
an
OperationError
.
If
the
parallelism
member
of
normalizedAlgorithm
is
zero,
or
greater
than
16777215
(2^24-1),
then
throw
an
OperationError
.
If
the
memory
member
of
normalizedAlgorithm
is
less
than
8
times
the
parallelism
member
of
normalizedAlgorithm
,
then
throw
an
OperationError
.
If
the
passes
member
of
normalizedAlgorithm
is
zero,
then
throw
an
OperationError
.
name
member
of
normalizedAlgorithm
is
a
case-sensitive
string
match
for
"
Argon2d
":
name
member
of
normalizedAlgorithm
is
a
case-sensitive
string
match
for
"
Argon2i
":
name
member
of
normalizedAlgorithm
is
a
case-sensitive
string
match
for
"
Argon2id
":
Let
secretValue
be
the
secretValue
member
of
normalizedAlgorithm
,
if
present.
Let
associatedData
be
the
associatedData
member
of
normalizedAlgorithm
,
if
present.
Let
result
be
the
result
of
performing
the
Argon2
function
defined
in
Section
3
of
[
RFC9106
]
using
the
password
represented
by
[[handle]]
internal
slot
of
key
as
the
message,
P
,
the
nonce
attribute
of
normalizedAlgorithm
as
the
nonce,
S
,
the
value
of
the
parallelism
attribute
of
normalizedAlgorithm
as
the
degree
of
parallelism,
p
,
the
value
of
the
memory
attribute
of
normalizedAlgorithm
as
the
memory
size,
m
,
the
value
of
the
passes
attribute
of
normalizedAlgorithm
as
the
number
of
passes,
t
,
0x13
as
the
version
number,
v
,
secretValue
(if
present)
as
the
secret
value,
K
,
associatedData
(if
present)
as
the
associated
data,
X
,
type
as
the
type,
y
,
and
length
divided
by
8
as
the
tag
length,
T
.
If
the
key
derivation
operation
fails,
then
throw
an
OperationError
.
Return result .
Let keyData be the key data to be imported.
If
format
is
not
"
raw-secret
",
throw
a
NotSupportedError
If
usages
contains
a
value
that
is
not
"
deriveKey
"
or
"
deriveBits
",
then
throw
a
SyntaxError
.
If
extractable
is
not
false
,
then
throw
a
SyntaxError
.
Let
key
be
a
new
CryptoKey
representing
keyData
.
Set
the
[[extractable]]
internal
slot
of
key
to
false
.
Let
algorithm
be
a
new
KeyAlgorithm
object.
Set
the
name
attribute
of
algorithm
to
the
name
member
of
normalizedAlgorithm
.
Set
the
[[algorithm]]
internal
slot
of
key
to
algorithm
.
Return key .
Return null.
This example derives a key from a password using Argon2, if available, or PBKDF2, otherwise; and then encrypts and decrypts some text with it using AES-OCB, if available, and AES-GCM, otherwise.
const password = 'correct horse battery staple';
const derivationAlg =
SubtleCrypto.supports?.('importKey', 'Argon2id') ?
'Argon2id' :
'PBKDF2';
const encryptionAlg =
SubtleCrypto.supports?.('importKey', 'AES-OCB') ?
'AES-OCB' :
'AES-GCM';
const passwordKey = await crypto.subtle.importKey(
derivationAlg === 'Argon2id' ? 'raw-secret' : 'raw',
new TextEncoder().encode(password),
derivationAlg,
/* extractable: */ false,
['deriveKey']
);
const nonce = crypto.getRandomValues(new Uint8Array(16));
const derivationParams =
derivationAlg === 'Argon2id' ?
{
nonce,
parallelism: 4,
memory: 2 ** 21,
passes: 1
} :
{
salt: nonce,
iterations: 100_000,
hash: 'SHA-256'
};
const key = await crypto.subtle.deriveKey(
{
name: derivationAlg,
...derivationParams
},
passwordKey,
{
name: encryptionAlg,
length: 256
},
/* extractable: */ false,
['encrypt', 'decrypt']
);
const plaintext = 'Hello, world!';
const iv = crypto.getRandomValues(new Uint8Array(16));
const encrypted = await crypto.subtle.encrypt(
{ name: encryptionAlg, iv },
key,
new TextEncoder().encode(plaintext)
);
// Store the derivation and encryption algorithm and parameters
// as well as the ciphertext (e.g. in IndexedDB or a database),
// and retrieve them later. Then, derive the key using the
// original parameters and the password. Here we immediately
// use the same key object to decrypt again.
const decrypted = new TextDecoder().decode(await crypto.subtle.decrypt(
{ name: encryptionAlg, iv },
key,
encrypted
));
This section is non-normative.
Refer to algorithm-specific sections for the normative requirements of importing and exporting JWK.
| JSON Web Key | AlgorithmIdentifier |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
This section is non-normative.
Refer to algorithm-specific sections for the normative requirements of importing and exporting PKCS#8 PrivateKeyInfo.
| privateKeyAlgorithm | privateKey format | AlgorithmIdentifier | Reference |
|---|---|---|---|
| id-ml-dsa-44 (2.16.840.1.101.3.4.3.17) | ML-DSA-44-PrivateKey |
"
ML-DSA-44
"
|
[ CSOR ], [ draft-ietf-lamps-dilithium-certificates ] |
| id-ml-dsa-65 (2.16.840.1.101.3.4.3.18) | ML-DSA-65-PrivateKey |
"
ML-DSA-65
"
|
[ CSOR ], [ draft-ietf-lamps-dilithium-certificates ] |
| id-ml-dsa-87 (2.16.840.1.101.3.4.3.19) | ML-DSA-87-PrivateKey |
"
ML-DSA-87
"
|
[ CSOR ], [ draft-ietf-lamps-dilithium-certificates ] |
| id-alg-ml-kem-512 (2.16.840.1.101.3.4.4.1) | ML-KEM-512-PrivateKey |
"
ML-KEM-512
"
|
[ CSOR ], [ draft-ietf-lamps-kyber-certificates ] |
| id-alg-ml-kem-768 (2.16.840.1.101.3.4.4.2) | ML-KEM-768-PrivateKey |
"
ML-KEM-768
"
|
[ CSOR ], [ draft-ietf-lamps-kyber-certificates ] |
| id-alg-ml-kem-1024 (2.16.840.1.101.3.4.4.3) | ML-KEM-1024-PrivateKey |
"
ML-KEM-1024
"
|
[ CSOR ], [ draft-ietf-lamps-kyber-certificates ] |
| id-slh-dsa-sha2-128s (2.16.840.1.101.3.4.3.20) | OCTET STRING |
"
SLH-DSA-SHA2-128s
"
|
[ CSOR ], [ RFC9814 ] |
| id-slh-dsa-sha2-128f (2.16.840.1.101.3.4.3.21) | OCTET STRING |
"
SLH-DSA-SHA2-128f
"
|
[ CSOR ], [ RFC9814 ] |
| id-slh-dsa-sha2-192s (2.16.840.1.101.3.4.3.22) | OCTET STRING |
"
SLH-DSA-SHA2-192s
"
|
[ CSOR ], [ RFC9814 ] |
| id-slh-dsa-sha2-192f (2.16.840.1.101.3.4.3.23) | OCTET STRING |
"
SLH-DSA-SHA2-192f
"
|
[ CSOR ], [ RFC9814 ] |
| id-slh-dsa-sha2-256s (2.16.840.1.101.3.4.3.24) | OCTET STRING |
"
SLH-DSA-SHA2-256s
"
|
[ CSOR ], [ RFC9814 ] |
| id-slh-dsa-sha2-256f (2.16.840.1.101.3.4.3.25) | OCTET STRING |
"
SLH-DSA-SHA2-256f
"
|
[ CSOR ], [ RFC9814 ] |
| id-slh-dsa-shake-128s (2.16.840.1.101.3.4.3.26) | OCTET STRING |
"
SLH-DSA-SHAKE-128s
"
|
[ CSOR ], [ RFC9814 ] |
| id-slh-dsa-shake-128f (2.16.840.1.101.3.4.3.27) | OCTET STRING |
"
SLH-DSA-SHAKE-128f
"
|
[ CSOR ], [ RFC9814 ] |
| id-slh-dsa-shake-192s (2.16.840.1.101.3.4.3.28) | OCTET STRING |
"
SLH-DSA-SHAKE-192s
"
|
[ CSOR ], [ RFC9814 ] |
| id-slh-dsa-shake-192f (2.16.840.1.101.3.4.3.29) | OCTET STRING |
"
SLH-DSA-SHAKE-192f
"
|
[ CSOR ], [ RFC9814 ] |
| id-slh-dsa-shake-256s (2.16.840.1.101.3.4.3.30) | OCTET STRING |
"
SLH-DSA-SHAKE-256s
"
|
[ CSOR ], [ RFC9814 ] |
| id-slh-dsa-shake-256f (2.16.840.1.101.3.4.3.31) | OCTET STRING |
"
SLH-DSA-SHAKE-256f
"
|
[ CSOR ], [ RFC9814 ] |
This section is non-normative.
Refer to algorithm-specific sections for the normative requirements of importing and exporting SPKI.
| Algorithm OID | subjectPublicKey ASN.1 structure | AlgorithmIdentifier | Reference |
|---|---|---|---|
| id-ml-dsa-44 (2.16.840.1.101.3.4.3.17) | BIT STRING |
"
ML-DSA-44
"
|
[ CSOR ], [ draft-ietf-lamps-dilithium-certificates ] |
| id-ml-dsa-65 (2.16.840.1.101.3.4.3.18) | BIT STRING |
"
ML-DSA-65
"
|
[ CSOR ], [ draft-ietf-lamps-dilithium-certificates ] |
| id-ml-dsa-87 (2.16.840.1.101.3.4.3.19) | BIT STRING |
"
ML-DSA-87
"
|
[ CSOR ], [ draft-ietf-lamps-dilithium-certificates ] |
| id-alg-ml-kem-512 (2.16.840.1.101.3.4.4.1) | BIT STRING |
"
ML-KEM-512
"
|
[ CSOR ], [ draft-ietf-lamps-kyber-certificates ] |
| id-alg-ml-kem-768 (2.16.840.1.101.3.4.4.2) | BIT STRING |
"
ML-KEM-768
"
|
[ CSOR ], [ draft-ietf-lamps-kyber-certificates ] |
| id-alg-ml-kem-1024 (2.16.840.1.101.3.4.4.3) | BIT STRING |
"
ML-KEM-1024
"
|
[ CSOR ], [ draft-ietf-lamps-kyber-certificates ] |
| id-slh-dsa-sha2-128s (2.16.840.1.101.3.4.3.20) | BIT STRING |
"
SLH-DSA-SHA2-128s
"
|
[ CSOR ], [ RFC9814 ] |
| id-slh-dsa-sha2-128f (2.16.840.1.101.3.4.3.21) | BIT STRING |
"
SLH-DSA-SHA2-128f
"
|
[ CSOR ], [ RFC9814 ] |
| id-slh-dsa-sha2-192s (2.16.840.1.101.3.4.3.22) | BIT STRING |
"
SLH-DSA-SHA2-192s
"
|
[ CSOR ], [ RFC9814 ] |
| id-slh-dsa-sha2-192f (2.16.840.1.101.3.4.3.23) | BIT STRING |
"
SLH-DSA-SHA2-192f
"
|
[ CSOR ], [ RFC9814 ] |
| id-slh-dsa-sha2-256s (2.16.840.1.101.3.4.3.24) | BIT STRING |
"
SLH-DSA-SHA2-256s
"
|
[ CSOR ], [ RFC9814 ] |
| id-slh-dsa-sha2-256f (2.16.840.1.101.3.4.3.25) | BIT STRING |
"
SLH-DSA-SHA2-256f
"
|
[ CSOR ], [ RFC9814 ] |
| id-slh-dsa-shake-128s (2.16.840.1.101.3.4.3.26) | BIT STRING |
"
SLH-DSA-SHAKE-128s
"
|
[ CSOR ], [ RFC9814 ] |
| id-slh-dsa-shake-128f (2.16.840.1.101.3.4.3.27) | BIT STRING |
"
SLH-DSA-SHAKE-128f
"
|
[ CSOR ], [ RFC9814 ] |
| id-slh-dsa-shake-192s (2.16.840.1.101.3.4.3.28) | BIT STRING |
"
SLH-DSA-SHAKE-192s
"
|
[ CSOR ], [ RFC9814 ] |
| id-slh-dsa-shake-192f (2.16.840.1.101.3.4.3.29) | BIT STRING |
"
SLH-DSA-SHAKE-192f
"
|
[ CSOR ], [ RFC9814 ] |
| id-slh-dsa-shake-256s (2.16.840.1.101.3.4.3.30) | BIT STRING |
"
SLH-DSA-SHAKE-256s
"
|
[ CSOR ], [ RFC9814 ] |
| id-slh-dsa-shake-256f (2.16.840.1.101.3.4.3.31) | BIT STRING |
"
SLH-DSA-SHAKE-256f
"
|
[ CSOR ], [ RFC9814 ] |
As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.
The key word MUST in this document is to be interpreted as described in BCP 14 [ RFC2119 ] [ RFC8174 ] when, and only when, it appears in all capitals, as shown here.
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in: