Key types supported by language

  • The tables provide a comprehensive overview of the cryptographic primitives supported by Tink across various programming languages, including Java, C++, Objective-C, Go, and Python.

  • Support for specific primitives can vary depending on the chosen language and underlying cryptographic library (e.g., BoringSSL, OpenSSL).

  • Tink offers a wide range of cryptographic capabilities, encompassing AEAD, Streaming AEAD, Deterministic AEAD, MAC, PRF, Signatures, Hybrid Encryption, and JWT support.

  • While most primitives are widely supported, some exceptions exist, such as limited AES-GCM functionality on older Android versions and the need for Conscrypt for AES-GCM-SIV in Java.

  • Developers should consult the tables to ensure their target language and platform support the required cryptographic primitives for their specific use case.

The following tables list the key types each primitive supports, classified by language.

AEAD

Implementation Java C++
(BoringSSL)		 C++
(OpenSSL)		 Objective-C Go Python
AES-GCM yes1 yes yes yes yes yes
AES-GCM-SIV yes2 yes no no yes yes
AES-CTR-HMAC yes yes yes yes yes yes
AES-EAX yes yes yes yes no yes
KMS Envelope yes yes yes no yes yes
CHACHA20-POLY1305 yes no no no yes no
XCHACHA20-POLY1305 yes yes no yes yes yes

Streaming AEAD

Implementation Java C++
(BoringSSL)		 C++
(OpenSSL)		 Objective-C Go Python
AES-GCM-HKDF-STREAMING yes yes yes no yes yes
AES-CTR-HMAC-STREAMING yes yes yes no yes yes

Deterministic AEAD

Implementation Java C++
(BoringSSL)		 C++
(OpenSSL)		 Objective-C Go Python
AES-SIV yes yes yes yes yes yes

MAC

Implementation Java C++
(BoringSSL)		 C++
(OpenSSL)		 Objective-C Go Python
HMAC-SHA2 yes yes yes yes yes yes
AES-CMAC yes yes yes yes yes yes

PRF

Implementation Java C++
(BoringSSL)		 C++
(OpenSSL)		 Objective-C Go Python
HKDF-SHA2 yes yes yes no yes yes
HMAC-SHA2 yes yes yes no yes yes
AES-CMAC yes yes yes no yes yes

Signature

Implementation Java C++
(BoringSSL)		 C++
(OpenSSL)		 Objective-C Go Python
ECDSA over NIST curves yes yes yes yes yes yes
Ed25519 yes yes yes yes yes yes
RSA-SSA-PKCS1 yes yes yes yes yes yes
RSA-SSA-PSS yes yes yes yes yes yes

Hybrid Encryption

Implementation Java C++
(BoringSSL)		 C++
(OpenSSL)		 Objective-C Go Python
HPKE yes yes no no yes yes
ECIES with AEAD and HKDF yes3 yes yes yes yes yes
ECIES with DeterministicAEAD and HKDF yes4 yes yes no yes yes

JWT MAC

Implementation Java C++
(BoringSSL)		 C++
(OpenSSL)		 Objective-C Go Python
JWT HMAC-SHA2 yes yes yes no yes yes

JWT Signature

Implementation Java C++
(BoringSSL)		 C++
(OpenSSL)		 Objective-C Go Python
JWT ECDSA over NIST curves yes yes yes no yes yes
JWT RSA-SSA-PKCS1 yes yes yes no yes yes
JWT RSA-SSA-PSS yes yes yes no yes yes

  1. AES-GCM does not work properly on Android <=19. 

  2. Requires Conscrypt to be installed as a JCE security provider. 

  3. Requires a NIST curve. 

  4. Requires a NIST curve.