GP TechnicalNoteCryptoAlgorithmRecs v2.0 PublicRelease

The document provides cryptographic algorithm recommendations from GlobalPlatform for securing secure elements and trusted execution environments. It aims to help developers anticipate required migrations by recommending algorithm and key length strengths over time. The recommendations define appropriate cryptographic usage for managing secure components and associated content in current and future GlobalPlatform specifications.


GlobalPlatform Technology

Cryptographic Algorithm Recommendations


Version 2.0

Public Release
June 2021
Document Reference: GP_TEN_053

Copyright © 2019-2021 GlobalPlatform, Inc. All Rights Reserved.


Recipients of this document are invited to submit, with their comments, notification of any relevant patents
or other intellectual property rights (collectively, “IPR”) of which they may be aware which might be
necessarily infringed by the implementation of the specification or other work product set forth in this
document, and to provide supporting documentation. The technology provided or described herein is
subject to updates, revisions, and extensions by GlobalPlatform. Use of this information is governed by
the GlobalPlatform license agreement and any use inconsistent with that agreement is strictly prohibited.

THIS SPECIFICATION OR OTHER WORK PRODUCT IS BEING OFFERED WITHOUT ANY WARRANTY
WHATSOEVER, AND IN PARTICULAR, ANY WARRANTY OF NON-INFRINGEMENT IS EXPRESSLY
DISCLAIMED. ANY IMPLEMENTATION OF THIS SPECIFICATION OR OTHER WORK PRODUCT SHALL
BE MADE ENTIRELY AT THE IMPLEMENTER’S OWN RISK, AND NEITHER THE COMPANY, NOR ANY
OF ITS MEMBERS OR SUBMITTERS, SHALL HAVE ANY LIABILITY WHATSOEVER TO ANY
IMPLEMENTER OR THIRD PARTY FOR ANY DAMAGES OF ANY NATURE WHATSOEVER DIRECTLY
OR INDIRECTLY ARISING FROM THE IMPLEMENTATION OF THIS SPECIFICATION OR OTHER
WORK PRODUCT.


Contents

1 Introduction .... 4
1.1 Audience .... 4
1.2 IPR Disclaimer .... 4
1.3 References .... 4
1.4 Terminology and Definitions .... 5
1.5 Abbreviations and Notations .... 6
1.6 Revision History .... 7
2 Cryptographic Algorithm Recommendations .... 8

Tables

Table 1-1: Normative References .... 4
Table 1-2: Informative References .... 4
Table 1-3: Terminology and Definitions .... 5
Table 1-4: Abbreviations and Notations .... 6
Table 1-5: Revision History .... 7
Table 2-1: Recommendation Levels .... 8
Table 2-2: Cryptographic Algorithm Recommendations .... 9


1 Introduction
Cryptography is an important pillar of a digital service's security and affects the application, the Secure
Component, and the related management systems. To help the market anticipate required migrations,
GlobalPlatform has decided to provide regular recommendations about cryptographic algorithms and key
lengths.
The recommendations define how GlobalPlatform technology uses these cryptographic strengths for the
management of a Secure Component and its associated content, and also state the security strengths
targeted by future GlobalPlatform specifications.

1.1 Audience
This technical note is intended to provide guidance to GlobalPlatform specification developers and to the
developers of applications based on GlobalPlatform specifications.

1.2 IPR Disclaimer


Attention is drawn to the possibility that some of the elements of this GlobalPlatform specification or other work
product may be the subject of intellectual property rights (IPR) held by GlobalPlatform members or others. For
additional information regarding any such IPR that have been brought to the attention of GlobalPlatform,
please visit https://globalplatform.org/specifications/ip-disclaimers/. GlobalPlatform shall not be held
responsible for identifying any or all such IPR, and takes no position concerning the possible existence or the
evidence, validity, or scope of any such IPR.

1.3 References
Table 1-1: Normative References

Standard / Specification | Description | Ref
ISO/IEC 10118-3:2018 | Information technology – Security techniques – Hash functions – Part 3: Dedicated hash functions | [ISO 10118-3]
ISO/IEC 14888-3:2018 | Information technology – Security techniques – Digital signatures with appendix – Part 3: Discrete logarithm based mechanisms | [ISO 14888-3]
ISO/IEC 18033-3:2010 | Information technology – Security techniques – Encryption algorithms – Part 3: Block ciphers, Amendment 2 (under development) | [ISO 18033-3]
IETF RFC 7748 | Elliptic Curves for Security | [RFC 7748]

Table 1-2: Informative References

Standard / Specification | Description | Ref
ANSSI TLS | Recommandations de sécurité relatives à TLS (March 2020) | [ANSSI TLS]
BSI-CC-PP-0084 | Common Criteria Protection Profile – Security IC Platform Protection Profile with Augmentation Packages | [PP-0084]
BSI TLS | Cryptographic Mechanisms: Recommendations and Key Lengths – Part 2: Use of Transport Layer Security (TLS) (January 2020) | [BSI TR 02102-2]
GlobalPlatform GPC_SPE_174 | Secure Element Protection Profile | [GP SE PP]
GlobalPlatform GPD_SPE_021 | TEE Protection Profile | [GP TEE PP]
NIST SP 800-131 | Transitioning the Use of Cryptographic Algorithms and Key Lengths (March 2019) | [NIST 800-131Ar2]
NIST SP 800-57 | Recommendation for Key Management: Part 1 – General (May 2020) | [NIST 800-57pt1r5]
NIST SP 800-52 | Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations (August 2019) | [NIST 800-52r2]
SOG-IS Crypto | Crypto Evaluation Scheme – Agreed Cryptographic Mechanisms (January 2020) | [SOG-IS]

1.4 Terminology and Definitions


Table 1-3: Terminology and Definitions

Term | Definition
Regular Execution Environment (REE) | An Execution Environment comprising at least one Regular OS and all other components of the device (SoCs, other discrete components, firmware, and software) which execute, host, and support the Regular OS (excluding any Secure Components included in the device). From the viewpoint of a Secure Component, everything in the REE is considered untrusted, though from the Regular OS point of view there may be internal trust structures. (Formerly referred to as a Rich Execution Environment (REE).) Contrast Trusted Execution Environment (TEE).
Secure Component | GlobalPlatform terminology to represent either a Secure Element or a Trusted Execution Environment.
Secure Element (SE) | A tamper-resistant secure hardware component which is used in a device to provide the security, confidentiality, and multiple application environment required to support various business models. May exist in any form factor, such as embedded or integrated SE, SIM/UICC, smart card, smart microSD, etc.
Tamper-resistant secure hardware | Hardware designed to isolate and protect embedded software and data by implementing appropriate security measures. The hardware and embedded software meet the requirements of the latest Security IC Platform Protection Profile ([PP-0084]) including resistance to physical tampering scenarios described in that Protection Profile.
Trusted Execution Environment (TEE) | An Execution Environment that runs alongside but isolated from an REE. A TEE has security capabilities and meets certain security-related requirements: It protects TEE assets against a set of defined threats which include general software attacks as well as some hardware attacks, and defines rigid safeguards as to data and functions that a program can access. There are multiple technologies that can be used to implement a TEE, and the level of security achieved varies accordingly. Contrast Regular Execution Environment (REE).

1.5 Abbreviations and Notations


Table 1-4: Abbreviations and Notations

Abbreviation / Notation | Meaning
AAD | Additional Authenticated Data
AES | Advanced Encryption Standard
CBC | Cipher Block Chaining
CCM | Cipher Block Chaining – Message Authentication Code
CMAC | Cipher-based Message Authentication Code
CTR | Counter mode
CTS | Ciphertext Stealing
DES | Data Encryption Standard
DSA | Digital Signature Algorithm
ECB | Electronic Codebook
ECDH | Elliptic Curve Diffie-Hellman
(EC)DHE | Ephemeral Diffie-Hellman over either finite fields or elliptic curves
ECDSA | Elliptic Curve DSA
ECKA-EG | Elliptic Curve Key Agreement – El Gamal
EdDSA | Edwards-curve DSA
eGCM | extended GCM
GCM | Galois/Counter Mode
HMAC | Hash-based MAC
KMAC | Keyed MAC
MAC | Message Authentication Code
MD5 | Message Digest 5
OAEP | Optimal Asymmetric Encryption Padding
PFS | Perfect Forward Secrecy
PKCS | Public Key Cryptography Standards
PQC | Post Quantum Cryptography
PSK | Pre-Shared Key
PSS | Probabilistic Signature Scheme
REE | Regular Execution Environment
RSA | Rivest / Shamir / Adleman asymmetric algorithm
RSAES | RSA Encryption Scheme
RSASSA | RSA Signature Scheme with Appendix
SE | Secure Element
SHA | Secure Hash Algorithm
SM | Chinese cryptographic algorithm standard (SM2 for signature, SM3 for hash, and SM4 for block cipher)
TEE | Trusted Execution Environment
TLS | Transport Layer Security (protocol)
TMF | TEE Management Framework
XEX | Xor-Encrypt-Xor
XTS | XEX-based tweaked-codebook mode with ciphertext stealing

1.6 Revision History


GlobalPlatform technical documents numbered n.0 are major releases. Those numbered n.1, n.2, etc., are
minor releases where changes typically introduce supplementary items that do not impact backward
compatibility or interoperability of the specifications. Those numbered n.n.1, n.n.2, etc., are maintenance
releases that incorporate errata and precisions; all non-trivial changes are indicated, often with revision marks.

Table 1-5: Revision History

Date | Version | Description
February 2019 | 1.0 | Public Release
June 2021 | 2.0 | Public Release: TLS updates; PQC updates


2 Cryptographic Algorithm Recommendations


Table 2-2 provides GlobalPlatform’s current recommendations on cryptographic algorithms, categorized by
the recommendation levels defined in Table 2-1.

Table 2-1: Recommendation Levels

Recommendation Level | Meaning | Security Strength
Dep (Deprecated) | Should not be used. Specific care is needed for products already in the market. | 80 bits of security
Leg (Legacy use until 2023) | Should not be used for any new products/specifications. Products may already be in the market. | 112 bits of security
Rec (Recommended) | Should be used for future (near/long-term) products / specifications. | 128 bits of security
Rec PQC (Recommended PQC) | Suggested for post quantum use. Current research does not support mature recommendations for PQC; Table 2-2 makes tentative proposals (or no proposal), to be confirmed or adjusted in subsequent versions of this document. | TBD

When a symmetric algorithm is used with a particular mode of operation, the recommendation levels of the
algorithm and of the mode must be aligned: the lower of the two is the resulting recommendation level. More
generally, the security strength of a cryptographic scheme built from a combination of cryptographic primitives
(e.g. a MAC) is the lowest security strength among those primitives.
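To make the composition rule concrete, here is an added Python example (not part of the GlobalPlatform note) that applies the Table 2-1 levels and the "lowest level wins" rule to a few constructed composite schemes. The per-primitive security strengths it assumes are taken from [NIST 800-57pt1r5], which the note references; the scheme names are made up for illustration.

```python
# Added worked example: Section 2 of GP_TEN_053 says a composite scheme gets the
# lowest recommendation level of its primitives. This applies that rule using the
# Table 2-1 thresholds. Per-primitive strengths are an assumption taken from
# [NIST 800-57pt1r5] Table 2; the GP note itself lists levels, not these numbers.
from typing import Dict, Iterable, List, Tuple

# Table 2-1: recommendation level -> security strength in bits.
LEVEL_STRENGTH = {"Dep": 80, "Leg": 112, "Rec": 128}

# Assumed security strengths (bits) of individual primitives ([NIST 800-57pt1r5]).
PRIMITIVE_STRENGTH: Dict[str, int] = {
    "DES": 56, "3DES-2key": 80, "3DES-3key": 112,
    "AES-128": 128, "AES-192": 192, "AES-256": 256,
    "SHA-1": 80, "SHA-224": 112, "SHA-256": 128, "SHA-384": 192, "SHA-512": 256,
    "RSA-1024": 80, "RSA-2048": 112, "RSA-3072": 128,
    "P-256": 128, "P-384": 192, "P-521": 256, "Curve25519": 128,
}


def level_for_strength(bits: int) -> str:
    """Map a security strength to a Table 2-1 level.

    Anything below the Legacy threshold (112 bits) lands in Deprecated, which is
    how Table 2-2 treats DES and 1024-bit RSA although they give under 80 bits.
    """
    if bits >= LEVEL_STRENGTH["Rec"]:
        return "Rec"
    if bits >= LEVEL_STRENGTH["Leg"]:
        return "Leg"
    return "Dep"


def scheme_level(primitives: Iterable[str]) -> Tuple[str, str, int]:
    """Return (level, weakest primitive, its strength) for a composite scheme.

    Section 2 rule: the scheme is only as strong as its weakest component, so
    the resulting level is the lowest level among the primitives.
    """
    weakest = min(primitives, key=lambda p: PRIMITIVE_STRENGTH[p])
    bits = PRIMITIVE_STRENGTH[weakest]
    return level_for_strength(bits), weakest, bits


def migration_blockers(primitives: Iterable[str]) -> List[str]:
    """List the primitives that keep a scheme below the Recommended level.

    Replacing exactly these (e.g. RSA-2048 -> RSA-3072, SHA-224 -> SHA-256)
    lifts the whole scheme to Rec; the remaining components can stay.
    """
    return sorted(p for p in primitives
                  if level_for_strength(PRIMITIVE_STRENGTH[p]) != "Rec")


if __name__ == "__main__":
    # Constructed sample schemes, named after what they combine.
    samples = {
        "TLS_PSK_WITH_AES_128_CBC_SHA256": ["AES-128", "SHA-256"],
        "RSA-2048 signature over SHA-256": ["RSA-2048", "SHA-256"],
        "3DES (3 keys) with HMAC-SHA-224": ["3DES-3key", "SHA-224"],
        "RSA-1024 signature over SHA-1": ["RSA-1024", "SHA-1"],
    }
    for name, parts in samples.items():
        lvl, weak, bits = scheme_level(parts)
        print(f"{name}: {lvl} (weakest: {weak}, {bits} bits); "
              f"replace before Rec: {migration_blockers(parts)}")
```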


Table 2-2: Cryptographic Algorithm Recommendations

Cryptographic Primitives / Supported Algorithms | Recommendation Level (see Table 2-1): Dep, Leg, Rec, Rec PQC (1)

Block ciphers (see [ISO 18033-3])
DES | Dep
3DES (with 2 keys) | Dep
3DES (with 3 keys) | Leg
AES-128 | Rec, Rec PQC (1)
AES-192 | Rec, Rec PQC (1)
AES-256 | Rec, Rec PQC (1)
SM4 (128-bit block, 128-bit key) | Rec, Rec PQC (1)

Modes of operation
ECB | [one level marked; column not recoverable]
CBC | Rec, Rec PQC (1)
CTR | Rec, Rec PQC (1)
CTS | [one level marked; column not recoverable]
XTS (AES-based) | Rec, Rec PQC (1)

Authenticated encryption
AES-CCM with support for Additional Authenticated Data (AAD) | Rec, Rec PQC (1)
AES-GCM with support for Additional Authenticated Data (AAD) | Rec, Rec PQC (1)
AES-eGCM | Rec, Rec PQC (1)

Hash functions (see [ISO 10118-3])
MD5 | Dep
SHA-1 (for signature) | Dep
SHA-1 (in other cases) | Leg
SHA-224 | Leg
SHA-256 | Rec, Rec PQC (1)
SHA-384 | Rec, Rec PQC (1)
SHA-512 | Rec, Rec PQC (1)
SHA3-256 | Rec, Rec PQC (1)
SHA3-384 | Rec, Rec PQC (1)
SHA3-512 | Rec, Rec PQC (1)
SM3 (digest size 256 bits) | Rec, Rec PQC (1)

MAC functions
MAC based on block ciphers: Full 3DES MAC | [one level marked; column not recoverable]
MAC based on block ciphers: Retail MAC | [one level marked; column not recoverable]
MAC based on block ciphers: AES MAC | [one level marked; column not recoverable]
MAC based on block ciphers: AES-CMAC | Rec, Rec PQC (1)
MAC based on hash: HMAC with one of the supported digests (SHA-1, SHA-256 and over) | with SHA-1: [one level marked; column not recoverable]; with digests of 256 bits and over: Rec
MAC based on hash: KMAC | Rec, Rec PQC (1)

Asymmetric algorithms (Rec PQC column for this whole group: "All these algorithms will be broken and will need replacement")
Key agreement: ECKA-EG with key size in bits ≥ 256 | Rec
Key agreement: ECDH with key size in bits ≥ 256 | Rec
Signature/Encryption: RSA | Dep: 512, 1024; Leg: ≥ 2048; Rec: ≥ 3k
Signature: DSA, ECDSA, EdDSA with key size in bits ≥ 256 | Rec
Signature: SM2 (here we focus on the digital signature algorithm based on elliptic curve); see [ISO 14888-3] | Rec
Padding: PKCS#1 v2.1 (PSS, OAEP) | Rec
Padding: PKCS#1 v1.5 (RSAES, RSASSA) | [one level marked; column not recoverable]
Standardized elliptic curves: NIST curves P-256, P-384, P-521 | Rec
Standardized elliptic curves: Curve25519, Curve448 (see [RFC 7748]) | Rec
Standardized elliptic curves: Brainpool curves brainpoolP256r1, brainpoolP256t1, brainpoolP384r1, brainpoolP384t1, brainpoolP512r1, brainpoolP512t1 | Rec

TLS version / Cipher suite (see Note 2 following the table)
TLS 1.0 & TLS 1.1: TLS_PSK_WITH_3DES_EDE_CBC_SHA, RFC 4279 | [one level marked; column not recoverable]
TLS 1.0 & TLS 1.1: TLS_PSK_WITH_AES_128_CBC_SHA, RFC 4279 | [one level marked; column not recoverable]
TLS 1.0 & TLS 1.1: TLS_PSK_WITH_NULL_SHA, RFC 4785 | [one level marked; column not recoverable]
TLS 1.2: TLS_PSK_WITH_AES_128_CBC_SHA256 | Rec, Rec PQC (1)
TLS 1.2: TLS_PSK_WITH_NULL_SHA256 | [one level marked; column not recoverable]
TLS 1.3: TLS_AES_128_GCM_SHA256 | Rec, Rec PQC (1)
TLS 1.3: TLS_AES_128_CCM_SHA256 | Rec, Rec PQC (1)
TLS 1.3: TLS_AES_256_GCM_SHA384 | Rec, Rec PQC (1)

TLS 1.3 / Key exchange modes
PSK only (2) | Rec
(EC)DHE | Rec
PSK with (EC)DHE | Rec

(1) See Note 1.

Note 1: A conservative approach regarding post-quantum symmetric cryptography is to double the key size
(for example, migrating from AES-128 to AES-256) and to increase the digest size (for example, migrating from
SHA-256 to SHA-384). However, experts (3) consider it quite clear that Grover's algorithm (which could in theory
be used to weaken the security of block ciphers and hash functions) will provide little or no advantage for
attacking symmetric cryptography or hash functions.
AES-128 and SHA-256 are recommended in this version of the document, but might no longer be
recommended if the conservative approach becomes relevant.
This note also applies to:
• block ciphers SM4 and AES-192
• hash functions SHA-256, SHA3-256, and SM3
• TLS cipher suites TLS_PSK_WITH_AES_128_CBC_SHA256, TLS_AES_128_GCM_SHA256, and
TLS_AES_128_CCM_SHA256

(2) This mode does not provide Perfect Forward Secrecy.

(3) See NISTIR 8105, the NIST FAQ, https://eprint.iacr.org/2017/811.pdf, https://arxiv.org/abs/quant-ph/9711070 and
https://arxiv.org/pdf/1902.02332.pdf for references explaining why Grover's algorithm could be less effective than
theorized.


Note 2: TLS_PSK refers to the Pre-Shared Key version of TLS. Pre-shared keys are symmetric keys that are
already in place before a TLS session is initiated. Major national organizations, including ANSSI
([ANSSI TLS]), BSI ([BSI TR 02102-2]), SOG-IS ([SOG-IS]), and NIST ([NIST 800-52r2]), recommend the use
of Perfect Forward Secrecy (PFS) cipher suites in order to guarantee the confidentiality of the exchanges
even if the long-term secret keys are compromised in the future. As Pre-Shared Key (PSK) TLS cipher suites
do not ensure PFS, they would be excluded from GlobalPlatform recommendations. However, [NIST 800-52r2]
Annex C states:
    ... pre-shared keys ... might be appropriate for constrained environments with limited processing, memory,
    or power. ... Pre-shared keys shall be distributed in a secure manner, such as a secure manual distribution
    or using a key-establishment certificate.
SE and TEE environments comply with both the NIST exception and its requirement:
• In the SE context, these keys are expected to be shared using the security mechanisms described in the
GlobalPlatform Card Specification, its related amendments, and the new SE PP ([GP SE PP]).
• In the TEE context, these keys are expected to be shared using the TEE TMF provisioning systems,
governed by the TEE PP ([GP TEE PP]), or by a proprietary method defined by the Trusted
Application, outside GlobalPlatform's direct control. It is recommended that TLS sockets are only
opened with TEE_tlsSocket_tlsVersion == TEE_TLS_VERSION_1v2. Use of
TEE_TLS_VERSION_ALL is not recommended.
The use of PSK cipher suites is consequently authorized.
For TLS 1.2, TLS_PSK_WITH_AES_128_CBC_SHA256 is a recommended pre-shared key (PSK) cipher suite
([NIST 800-52r2] Annex C lists additional TLS 1.2 cipher suites).
For TLS 1.3, all cipher suites can be used with pre-shared keys.
