File: algorithm-registry.md

golang-github-sigstore-protobuf-specs 0.4.1-2

# Algorithm Registry

This file is designed to act as a source of truth regarding what signing
algorithms are recommended across the Sigstore ecosystem. Any changes to this
file **must** be reflected in the `PublicKeyDetails` enumeration in
[sigstore_common.proto](../protos/sigstore_common.proto).

Note that Sigstore clients and services aren't required to support all algorithms
in this registry and may support algorithms that aren't in the registry. The
algorithm registry is more of a guideline than a rule and is meant to serve as
a secure set of defaults that the community can follow.

Refer to the [Sigstore: Configurable Crypto Algorithms](https://docs.google.com/document/d/18vTKFvTQdRt3OGz6Qd1xf04o-hugRYSup-1EAOWn7MQ/)
specification for the design rationale for this registry.

## Signature Algorithms

| Algorithm | Name                       | Usage       | Notes                                                                            |
|-----------|----------------------------|-------------| -------------------------------------------------------------------------------- |
| RSA       | rsa-sign-pkcs1-2048-sha256 | verify only | Not recommended.                                                                 |
|           | rsa-sign-pkcs1-3072-sha256 | sign/verify |                                                                                  |
|           | rsa-sign-pkcs1-4096-sha256 | sign/verify |                                                                                  |
|           | rsa-sign-pss-2048-sha256   | verify only | Not recommended.                                                                 |
|           | rsa-sign-pss-3072-sha256   | sign/verify |                                                                                  |
|           | rsa-sign-pss-4096-sha256   | sign/verify |                                                                                  |
| ECDSA     | ecdsa-sha2-256-nistp256    | sign/verify |                                                                                  |
|           | ecdsa-sha2-384-nistp384    | sign/verify |                                                                                  |
|           | ecdsa-sha2-512-nistp521    | sign/verify |                                                                                  |
| EdDSA     | ed25519                    | sign/verify |                                                                                  |
|           | ed25519-ph                 | sign/verify | Recommended only for `hashedrekord`.                                             |
| LMS       | lms-sha256                 | sign/verify | Stateful; signer selects the `H` parameter. Not recommended for keyless signing. |
| LM-OTS    | lmots-sha256               | sign/verify | One-time use only; signer selects `n` and `w`.                                   |

### Parameter configuration for LMS and LM-OTS

LMS and LM-OTS are both hash-based signature schemes. Both require the signing party
to make parameter choices during key generation.

In both cases, the selected parameters are encoded in the public key representation.
See [RFC 8554 S5.3](https://www.rfc-editor.org/rfc/rfc8554.html#section-5.3) for LMS and
[RFC 8554 S4.3](https://www.rfc-editor.org/rfc/rfc8554.html#section-4.3) for LM-OTS public key
formats. Additionally, see [RFC 8708 S4](https://www.rfc-editor.org/rfc/rfc8708.html) for
`SubjectPublicKeyInfo` and `AlgorithmIdentifier` encodings for both LMS and LM-OTS
public keys.
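
The following Go example is an added illustration, not code from this repository or from any Sigstore client. It shows how a verifier can recover the signer-selected `H`, `n` and `w` from a raw LMS public key laid out as in RFC 8554 S5.3, and reject typecodes it does not recognize. The names `LMSParams`, `ParseLMSPublicKey` and `sampleKey` are hypothetical, only the SHA-256 parameter sets defined in RFC 8554 are assumed, and the sample key is constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// LMSParams holds the signer-chosen parameters recovered from a public key.
type LMSParams struct {
	H, N, W int // tree height; hash length in bytes; Winternitz width in bits
}

// Typecodes from RFC 8554 (SHA-256 sets only): LMS typecode -> h, LM-OTS typecode -> w.
var lmsHeights = map[uint32]int{5: 5, 6: 10, 7: 15, 8: 20, 9: 25}
var lmotsWidths = map[uint32]int{1: 1, 2: 2, 3: 4, 4: 8}

// ParseLMSPublicKey decodes u32str(type) || u32str(otstype) || I || T[1]
// (RFC 8554 section 5.3), rejecting wrong lengths and unknown typecodes.
func ParseLMSPublicKey(pk []byte) (LMSParams, error) {
	const n, idLen = 32, 16 // every RFC 8554 set uses a 32-byte hash and 16-byte I
	if len(pk) != 8+idLen+n {
		return LMSParams{}, errors.New("lms: public key must be 56 bytes")
	}
	h, ok := lmsHeights[binary.BigEndian.Uint32(pk[0:4])]
	if !ok {
		return LMSParams{}, errors.New("lms: unsupported LMS typecode")
	}
	w, ok := lmotsWidths[binary.BigEndian.Uint32(pk[4:8])]
	if !ok {
		return LMSParams{}, errors.New("lms: unsupported LM-OTS typecode")
	}
	return LMSParams{H: h, N: n, W: w}, nil
}

// sampleKey builds a constructed (not real) key: the given typecodes
// followed by an all-zero identifier I and root hash T[1].
func sampleKey(lmsType, otsType uint32) []byte {
	pk := make([]byte, 56)
	binary.BigEndian.PutUint32(pk[0:4], lmsType)
	binary.BigEndian.PutUint32(pk[4:8], otsType)
	return pk
}

func main() {
	fmt.Println(ParseLMSPublicKey(sampleKey(6, 3))) // constructed key
}
```

Because the parameters travel inside the key, a verifier that wants to bound them (for example, a maximum tree height) has to apply that policy to the parsed values before accepting the key.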

## Hash Algorithms

Generally speaking, these hash algorithms are implied by the above signing suites.
However, clients *may* need to list or configure them explicitly, e.g. for custom
signing schemes or as part of a `hashedrekord` entry.

| Algorithm | Name         |
|-----------|--------------|
| SHA2      | sha2-256     |
|           | sha2-384     |
|           | sha2-512     |
| SHA3      | sha3-256     |
|           | sha3-384     |