Example Configuration File

The following shows a sample MPC node configuration file. It contains explanations of each configuration, and may serve as a summary of many of the topics discussed earlier in the TSM User Manual.

# This is an example TSM node configuration file.
#
# Commented sections means that the feature is either disabled or used with default values.
# Commented variables are listed with their default values.
# Uncommented values are mandatory.
#
# Configuration values can be overridden with environment variables by setting TSM_PATH_TO_VALUE
# e.g. TSM_MPC_THRESHOLD=2 to set MPC.Threshold to 2

# Defines the operating mode of the TSM node.
#[Mode]
  # An embedded node does not listen on any ports and is used when integrating the TSM node directly in an application.
  # When Embedded is enabled the player index must be 0. Usually an embedded node will not use a configuration file,
  # so only set this to true if you know what you are doing.
  #Embedded = false

# General configuration for MPC operations.
[MPC]
  # When migrating from an older version of the TSM this parameter specifies how many players were in that TSM. Now the
  # number of players is set individually for each MPC operation. Once a TSM is migrated to the new format, this
  # parameter is no longer needed.
  #PlayerCount = 0
  # This used to be the security threshold for the entire TSM, but now the threshold is set individually for each key.
  # This parameter is only used when migrating from an older version of the TSM where it is needed to properly convert
  # key material to the new format. Once a TSM is migrated to the new format, this parameter is no longer needed.
  #Threshold = 0
  # Time to wait before all required connections between the MPC nodes have been established.
  # When they have been established the MPC session will begin and the SessionTimeout will be used (see below).
  #ConnectionTimeout = "10s"
  # Time to wait before an MPC session times out.
  #SessionTimeout = "3m"
  # When another node sends us a message related to a session that is not yet started, that message (or connection) is
  # stored as a pending session. We do this since not all sessions can be started at exactly the same time. This
  # parameter allows us to control the number of pending sessions. Note that a malicious player can cause a denial of
  # service attack by filling up this buffer. This can be mitigated to some extent by controlling the order in which
  # sessions are started.
  #MaxPendingSessions = 10000

# Configuration for the local player
[Player]
  # All players in a TSM are identified by a player index. This is the index of the player running this TSM node.
  # We refer to this player as the local player. Other players are called remote players.
  Index = 0
  # This is a base64 encoding of the private key used to authenticate the local player towards the remote players. This
  # must correspond to the public keys configured on the remote players for this player index. A private key can be
  # generated using the following OpenSSL commands:
  #
  # openssl genpkey -algorithm ed25519 -outform DER -out private.key
  # openssl base64 -A -in private.key; echo
  #
  # Instead of P-256 one can use P-384 or P-521 depending on the desired security level (128, 192 or 256 bits).
  PrivateKey = "BA3E64=="
  # This is a list of base64 encodings of DER encoding of the ASN.1 SubjectPublicKeyInfo structure of RSA public keys.
  # This is a white list of public keys that are allowed to be used with export. It is possible to use a single string
  # of "*" to allow any public key to be used.
  ExportWhiteList = []

# The following is a list of players in the TSM with a static public key.
#
# If stream based communication is used (e.g. MPCTCPServer) then all players except player 0 must be configured with a
# static public key. The logic is that lower numbered players open connections to higher numbered players, so URLs
# are not needed for players with a lower number than the local player.
#
# If packet based communication is used (e.g. MPCAMQPServer) then any player can be configured here with a static key.
# Other players can participate in an MPC protocol, but their public key must be provided when the MPC operation is
# started.
[Players.1]
  # The protocol and address of player with index 1. Supported prootocols are tcp, ws and wss. If no protocol is
  # specified then tcp is assumed. For tcp connections it is possible to specify the following additional options:
  # connectionPoolSize: Number of tcp connections to keep alive to this player if multiplexing is used. Default is 2.
  # connectionLifetime: Minimum lifetime of a tcp connection to this player. Default is 4 hours.
  Address = "tcp://player1:9000?connectionPoolSize=2&connectionLifetime=4h"
  # This is a base64 encoding of the players public key. A public key can be generated from the private key using the
  # following OpenSSL commands:
  #
  # openssl pkey -in private.key -pubout -outform DER -out public.key
  # openssl base64 -A -in public.key; echo
  PublicKey = "BA3E64=="

#[Players.2]
  #Address = "..."
  #PublicKey = "..."

# User authentication settings.
#[Authentication]
  # Lifetime of the tokens for password based user authentication
  #TokenLifetime = "5m"
  # List of API keys used for authentication in SDKv2
  #[[Authentication.APIKeys]]
    # Only for SDK V2
    # Base64 encoded hash of the API key. A hash for the API key foobar can be generated with the following command:
    #
    # echo -n "foobar" | openssl dgst -sha256 -binary | openssl base64
    #
    # Crypt hashes with the following algoritms are also supported: MD5, SHA256, SHA512, bcrypt, Argon2i, Argon2id
    #APIKey = ""
    # Users with the given API key will be mapped to this user in the system. If the user does not exist, it will be
    # created automatically. Set this to an existing user ID to migrate from password to API key authentication.
    #ApplicationID = ""

# Setting related to authentication of users based on TLS client certificates.
#[TLSUserAuthentication]
  # Points to a file containing PEM encoded certificates of CAs from which client certificates are accepted.
  #ClientCAFile = ""
  # Contains a comma separated list of base64 encoded certificates of CAs from which client certificates are accepted.
  #ClientCAList = ""
  # Enable OCSP validation of client certificates.
  #OCSP = false
  # Require the client to send a stapled OCSP response, otherwise validation will fail.
  #OCSPRequireStapling = false
  # If true then only the leaf certificate is validated. Otherwise, the entire chain is validated.
  #OCSPValidateLeafOnly = false
  # Lifetime of cached OCSP responses, e.g "1h30m". A value of 0 means that ValidUntil from the OCSP response
  # is used, otherwise the value of CacheTTL is used if it comes before ValidUntil.
  #OCSPCacheTTL = "10m"
  # Use this URL for all OCSP responders, regardless of what the certificate says.
  #OCSPResponderURL = ""

  # If no applications are specified, all certificates will be granted access, and given an ID deduced from the
  # Subject and Issuer of the certificate
  # Access to applications is given based on values set in the certificates matching the values set in the filters below.
  # To get a list of OIDs, here is an example:
  # openssl list -objects | grep -i ", 2.5.4"
  # The following text strings can also be used as keys:
  # "commonName", "country", "locality", "stateOrProvince", "streetAddress", "organization", "organizationalUnit",
  # "postalCode", "serialNumber", "givenName", and "surname"
  # For values expecting an array of strings, use "v1, v2"
  #[[TLSUserAuthentication.Applications]]
  #ID = "MyApplicationID"
  #[[TLSUserAuthentication.Applications.Filters]]
  #"2.5.4.3" = "value 00"             # commonName
  #"2.5.4.6" = "value 01, value 02"   # country
  #"2.5.4.11" = "value 03"            # organizationalUnit
  #[[TLSUserAuthentication.Applications.Filters]]
  #"2.5.4.3" = "value 10"   # commonName
  #"serialnumber" = "value 13"

# Setting related to authentication of users based on OIDC.
#[OIDCUserAuthentication]
  # Lifetime of the OIDC nonce.
  #NonceLifetime = "5m"
  # List of supported OIDC issuer URLs.
  #OIDCIssuers = []
  # List of supported Audiences (client ids)
  # Audiences = []

# Setting related to authentication of users based on OIDC Access Tokens.
#[OIDCAccessTokenAuthentication]
  # List of supported OIDC issuer URLs.
  #OIDCIssuers = []
  # Configuration for applications that are allowed to access the TSM
  #[[OIDCAccessTokenAuthentication.AccessTokens]]
  # The name of the application to authenticate, must match audience (aud) in access token
  #  Audience = "application name"
  # EITHER
  # The URL of the discovery document for this access token, used to retrieve the public key. Defaults to issuer + "/.well-known/openid-configuration".
  #  DiscoveryDocURL = issuer + "/.well-known/openid-configuration"
  # OR
  # if PublicKey is specified, DiscoveryDocURL is ignored
  # This is a base64 encoding of the players public key. A public key can be generated from the private key using the
  # following OpenSSL commands:
  #
  # openssl ec -inform DER -in private.key -pubout -outform DER -out public.key
  # openssl base64 -A -in public.key; echo
  #  PublicKey = "BA3E64=="
  # The claims which the access token needs to match. If no claims are required, you still need to add an empty section.
  #[[OIDCAccessTokenAuthentication.AccessTokens.claims]]
  #  claim0 = "claim value 0"
  #[[OIDCAccessTokenAuthentication.AccessTokens.claims]]
  #  claim1 = "claim value 1"
  #  claim2 = "claim value 2"

# Database connection configuration.
[Database]
  # The driver used for the database. The following database drivers are supported: sqlite3, mysql and postgres.
  DriverName = "sqlite3"
  # The name of the datasource. This example shows a SQLite file backed database. For MySQL an example of a datasource
  # name could be:
  #
  # USER:PASSWORD@HOST:3306/DATABASE_NAME?parseTime=true
  #
  # and for postgres:
  #
  # postgres://USER:PASSWORD@HOST:5432/DATABASE_NAME?sslmode=disable
  DataSourceName = "/tmp/tsmdb"
  # This specifies a master encryption key used to protect database records. Note that this key is not directly
  # used to encrypt data. Use any long random string here and make sure to keep a backup of it somewhere safe.
  EncryptorMasterPassword = "ENCRYPTION_KEY"
  # An alternative to specifying a password for encryption is to use a key file. Here the content of the key file
  # is hashed and used as the master password. This is useful if one does not want to store the master password
  # in the configuration file. After the TSM node has started up this file is no longer needed until next startup.
  #EncryptorKeyFile = ""
  # Allows specifying a plugin that is loaded and used before the internal TSM encryptions is performed.
  # Any handling of the data is done in addition to the normal encryption. The plugin path can be absolute, or
  # local. If local it will need to be located in the path of LD_LIBRARY_PATH. The plugin must implement the
  # plugin functions defined in the plugin-interface.h header file.
  # The plugin MUST ensure that keyshares are handled securely, as failure to do so may compromise the security
  # of the installation.
  #ExternalEncryptorPlugin = ""
  # The maximum number of idle connections in the database connection pool. When using SQLite this should be set to 1.
  #MaxIdleConns = 500
  # The maximum number of open connections in the database connection pool. When using SQLite this should be set to 1.
  #MaxOpenConns = 500
  # The maximum time a database connection can be open before it is closed. A value of 0 disables closing of connections.
  #ConnMaxLifetime = "3m"
  # The maximum time a database connection can be idle before it is close. A value of 0 disables closing of idle connections.
  #ConnMaxIdleTime = 0
  # Controls how long key shares should be cached in memory. Setting this too high can cause issues when running in a load
  # balanced setup together with operations that modify key shares, such as reshare.
  #KeyShareCacheTTL = "1s"

# MPC server accepting multiplexed TCP connections from other players.
# At least one MPC server must be specified if the player index is greater than 0.
[MPCTCPServer]
  # Port number that this server listens on.
  Port = 9000
  # Settings this to true disables multiplexing.
  #DisableMultiplexing = false

# MPC server accepting WebSocket connections from other players.
# At least one MPC server must be specified if the player index is greater than 0.
#[MPCWebSocketServer]
  # Port number that this server listens on.
  #Port = 9001
  # Points to a file containing a PEM encoded certificate which will be used for this connection. Setting this
  # enables the use of WSS instead of WS.
  #CertificateFile = ""
  # The private key corresponding to the certificate above.
  #CertificateKeyFile = ""

# MPC server using an AMQP message broker to communicate with other players. Cannot be used with other MPC servers.
#[MPCAMQPServer]
  # URL for the AMQP message broker
  # For a local test instance with the default vhost and guest user the following URL can be used:
  #
  # amqp://guest:guest@localhost:5672/
  #ServerURL = ""
  # When connection to the broker drops or sending of a message fails, how long should we wait before retrying
  #RetryDelay = "5s"
  # Specify how many channels should be used when sending messages to the broker. You might want to increase this value
  # if you enable PublisherConfirms below.
  #ChannelPoolSize = 2
  # Use the RabbitMQ specific publisher confirms feature. This configures the RabbitMQ server to confirm each message
  # before that message is considered delivered by the client. This makes the communication with the broker more
  # resillient when the broker restarts or the network connection fails during a session, but it also has a performance
  # impact.
  #PublisherConfirms = false
  # Instruct the message broker to persist messages. If using durable queues this ensures that messages will survice
  # a restart of the broker.
  #PersistMessages = false
  # If DynamicQueues is true then a new queue is created on the broker for each session, instead of using a fixed queue
  # for each player. Dynamic queues are less reliable in case of network failures, but allows for multiple nodes behind
  # a load balancer. The parameters PublisherConfirms, PersistMessages and SkipSetup have no effect on dynamic queues.
  # All players must use the same type of queues.
  #DynamicQueues = false
  # If SkipSetup is false the client will automatically create exchange and queues on the broker. However, if you need
  # more control over who can send and receive messages set this to true and configure the broker like this:
  #
  # First you need to know how to get the player ID of a player. The player ID is computed by first using SHA-256 to
  # hash the public key and then base64 URL encode (without padding) the output of the hash function.
  #
  # 1. Create a direct exchange with the name tsm.direct
  # 2. Create a queue for each player with the name tsm.playerID and an  x-message-ttl of session timeout + connection timeout
  # 3. Bind the queues above to the exchange with the queue name as the binding key
  # 4. Grant all users write access to the exchange
  # 5. Grant all users read access to their own queue
  #SkipSetup = false

# MPC server using Redis to communicate with other players. Cannot be used with other MPC servers.
#
# It's recommended that you restrict what users can do on the Redis server. To create a user 'player0' with
# password 'pw0' for use by a TSM node, you need the following ACL:
#
# ACL SETUSER player0 on >pw0 ~tsm:* +ping +blmpop +rpush +expire
#
# If you have ExpireKeys set to true, you also need to add +expire to the list above.
#[MPCRedisServer]
  # URL for the Redis server
  # For a local instance with no access control the following URL can be used:
  #
  # redis://localhost:6379/0
  #ServerURL = ""
  # Redis pipelining is used when sending messages. This is the maximum number of messages that goes into one pipeline
  # before being sent to the Redis server.
  #SendBatchSize = 20
  # When calling BLMPOP to retrive messages from Redis, this is the maximum number of lists to query in one call.
  #ReceiveBatchSize = 20
  # This controls how many Redis connections are used for fetching messages from the server.
  #MaxMessageReceivers = 30
  # Number of sessions that can be running at the same time on this TSM node. If you don't need that many sessions,
  # you can lower this number and save a little memory.
  #MaxSessions = 10000
  # Choose whether keys will automatically expire or not. Under normal operation keys will be deleted once the MPC
  # session finishes, but in case of MPC session failure some data might remain.
  # Automatically expiring keys are disabled by default since it's normally handled by the servers eviction policy.
  #ExpireKeys = false
  # Set this to true if you are running a Redis cluster. Only use this if you really need a Redis cluster. In most cases
  # you will get much better performance without a cluster.
  #ClusterMode = false

# Server accepting connections from the SDK. This must be specified unless the TSM node is running as a local node.
[SDKServer]
  # Port number that this server listens on.
  Port = 8080
  # Points to a file containing PEM encoded certificates of root CAs for the server certificate. Currently, this is only
  # used when the server is configured to do OCSP stapling.
  #CAFile = ""
  # Contains a comma separated list of base64 encoded certificates of root CAs for the server certificate. Currently,
  # this is only used when the server is configured to do OCSP stapling.
  #CAList = ""
  # Points to a file containing a PEM encoded certificate (and any intermediates) which will be used for this
  # connection. Setting this enables the use of HTTPS instead of HTTP.
  #CertificateFile = ""
  # This contains the base64 certificate inline instead of giving it in a file in the previous entry.
  #CertificateBytes = ""
  # The private key corresponding to the certificate above.
  #CertificateKeyFile = ""
  # This contains the Base64 PKCS#8 private key inline instead of giving it in a file in the previous entry.
  #CertificateKeyBytes = ""
  # Performs OCSP stapling by attaching an OCSP response to the server certificate.
  #OCSPStaple = false
  # Lifetime of cached OCSP responses, e.g "1h30m". A value of 0 means that ValidUntil from the OCSP response
  # is used, otherwise the value of CacheTTL is used if it comes before ValidUntil.
  #OCSPCacheTTL = "10m"
  # Use this URL for all OCSP responders, regardless of what the certificate says.
  #OCSPResponderURL = ""
  #[SDKServer.HTTPResponseHeaders]
  #  Access-Control-Allow-Origin = "*"
  #  Access-Control-Allow-Methods = "POST, PUT, GET, DELETE, OPTIONS"
  #  Access-Control-Allow-Headers = "MPC-SessionID, MPC-Players, Authorization, Content-Type"

# This setting enables multiple instances of the same player to be placed behind a load balancer. Each instance will
# either handle sessions itself or route the traffic to other instances.
#[MultiInstance]
  # IP address where this instance can be reached from other the instances. If not specified an auto-detected address is
  # used and this might not be the address you want if there are multiple IP addresses associated with the system.
  #Address = ""
  # SDK port announced to the other nodes. If not specified it defaults to the SDK port from the [SDKServer] section.
  #SDKPort = 0
  # MPC port announced to the other nodes. If not specified it defaults to the SDK port from the [MPCTCPServer] section.
  #MPCPort = 0
  # How often should we run a cleanup job that purges old routing entries from the database.
  #CleanupInterval = "5m"
  # Every CleanupInteval the cleanup job will run with this probability. 0 means never and 100 means always.
  #CleanupProbability = 25

# This section is used for initializing the server with values specified in the configuration instead of other sources.
#[Initializers]
  # This adds the option to set the wrapping key used for exporting key shares. It will only work if the wrapping key has not already been set
  # or generated. This must be an RSA key in a DER encoded PKCS#1 structure.
  #WrappingPrivateKey = "BA3E64=="
  # The following two entries can be used to bootstrap the node to a specific Administrator name and password. If used, both
  # entries must be set in which case the administrator will be created with the specified password. This will only work if
  # an administrator have not already been created.
  #AdministratorUsername = ""
  #AdministratorPassword = ""

# Server used to access various internal performance counters, both Golang and MPC related. Default format is Golang's build-in
# expvar. Can be configured to be Prometheus
#[MetricsServer]
  #Port = 10000
  #Prometheus = false
  #[MetricsServer.HTTPResponseHeaders]
  # For use in a browser (e.g. WASM), the following values should be set
  #  Access-Control-Allow-Origin = "*"
  #  Access-Control-Allow-Methods = "POST, PUT, GET, DELETE, OPTIONS"
  #  Access-Control-Allow-Headers = "MPC-SessionID, MPC-Players, Authorization, Content-Type"

# Server used for serving runtime profiling data in the format expected by the pprof visualization tool. This requires
# that the TSM node is compiled with profiling enabled. Only used for internal debugging.
#[ProfilingServer]
  #Port = 11000

# Configures system logging for the TSM node.
#[Logging]
  # Log level. If not specified it default to "info".
  #Level = ""

# If this section is present then certain operations on the TSM node are stored in an audit log. The
# audit log is periodically signed and uploaded to an audit receiver.
#[Audit]
  # URL of the audit receiver. Audit logs are sent to this URL using HTTP POST requests.
  # Can be a file, HTTP location or s3 location: file://, https://, s3://
  #ReceiverURL = ""
  # Public key of the audit receiver. This corresponds to the public key in the TLS certificate.
  #ReceiverPublicKey = "BA3E64=="
  # Private key used to establish a connection to the audit receiver using mTLS.
  #ClientPrivateKey = "BA3E64=="
  # Log entries are signed before they are uploaded to the audit receiver. This is the 32 byte seed used to generate
  # an Ed25519 signing key per RFC-8032.
  #LogEntrySigningKeySeed = "BA3E64=="
  # Maximum number of audit log entries that are sent in one request.
  #MaxBatchSize = 50
  # Minimum time to wait before checking for new audit log entries to upload.
  #MinWaitTime = "15s"
  # Maximum time to wait before checking for new audit log entries to upload.
  #MaxWaitTime = "2m"

# When using an S3-compatible API as the ReceiverURL in [Audit], specify any
# non-standard S3 related parameters here
#[Audit.S3EndpointConfig]
  # If not using the default S3 endpoint, specify the custom one here
	#EndpointURL = ""
  # AWS or S3-compatible API region
	#Region = ""
  # Authorization keys for the S3-compatible API
	#SecretAccessKey = ""
	#AccessKeyId = ""
	#SessionToken = ""

# The configurations below are for the individual MPC protocols supported by the TSM. Comment a protocol to
# disable it. In the following n denotes the total number of players and t is the security threshold.

# Computes ECDSA signatures. This protocol requires n >= 2t+1. Cannot be enabled together with DKLS19.
#[SEPH18S]
  # Shortest allowed BIP-32 chain path.
  #MinChainPathLength = 0
  # Cache size for intermediate public keys when using BIP-32 chain paths.
  #Bip32CacheSize = 1024
  # Maximum number of presignatures that can be generated in one request.
  #PresigGenRequestLimit = 1000
  # Maximum number of presignatures that can be generated concurrently for the entire TSM node.
  #PresigGenGlobalLimit = 50000

# Controls which features of SEPH18S to enable. Each field corresponds to a method in the SDK.
#[SEPH18S.Features]
  #GenerateKey = false
  #GeneratePresignatures = false
  #Sign = false
  #SignWithPresignature = false
  #GenerateRecoveryData = false
  #PublicKey = false
  #ChainCode = false
  #Reshare = false
  #CopyKey = false
  #BackupKeyShare = false
  #RestoreKeyShare = false
  #ExportKeyShares = false
  #ImportKeyShares = false
  #BIP32GenerateSeed = false
  #BIP32DeriveFromSeed = false
  #BIP32DeriveFromKey = false
  #BIP32ConvertKey = false
  #BIP32ExportSeed = false
  #BIP32ImportSeed = false
  #BIP32Info = false

# Computes ECDSA signatures. This protocol only requires t < n. Cannot be enabled together with SEPH18S.
#[DKLS19]
  # Shortest allowed BIP-32 chain path.
  #MinChainPathLength = 0
  # Cache size for intermediate public keys when using BIP-32 chain paths.
  #Bip32CacheSize = 1024
  # Maximum number of presignatures that can be generated in one request.
  #PresigGenRequestLimit = 100
  # Maximum number of presignatures that can be generated concurrently for the entire TSM node.
  #PresigGenGlobalLimit = 5000

# Controls which features of DKLS19 to enable. Each field corresponds to a method in the SDK.
#[DKLS19.Features]
  #GenerateKey = false
  #GeneratePresignatures = false
  #Sign = false
  #SignWithPresignature = false
  #GenerateRecoveryData = false
  #PublicKey = false
  #ChainCode = false
  #Reshare = false
  #CopyKey = false
  #BackupKeyShare = false
  #RestoreKeyShare = false
  #ExportKeyShares = false
  #ImportKeyShares = false
  #BIP32GenerateSeed = false
  #BIP32DeriveFromSeed = false
  #BIP32DeriveFromKey = false
  #BIP32ConvertKey = false
  #BIP32ExportSeed = false
  #BIP32ImportSeed = false
  #BIP32Info = false

# Computes Ed25519 and Ed448 signatures. This protocol only requires t < n.
#[SEPD19S]
  # Shortest allowed chain path. A chain path is used to derive many keys from a single master key.
  #MinChainPathLength = 0
  # Maximum number of presignatures that can be generated in one request.
  #PresigGenRequestLimit = 1000
  # Maximum number of presignatures that can be generated concurrently for the entire TSM node.
  #PresigGenGlobalLimit = 100000

# Controls which features of SEPD19S to enable. Each field corresponds to a method in the SDK.
#[SEPD19S.Features]
  #GenerateKey = false
  #GeneratePresignatures = false
  #Sign = false
  #SignWithPresignature = false
  #GenerateRecoveryData = false
  #PublicKey = false
  #ChainCode = false
  #Reshare = false
  #CopyKey = false
  #BackupKeyShare = false
  #RestoreKeyShare = false
  #ExportKeyShares = false
  #ImportKeyShares = false

# Computes RSA signing and decryption.
#[ADN06]

# Controls which features of ADN06 to enable. Each field corresponds to a method in the SDK.
#[ADN06.Features]
  #PublicKey = false
  #SignPKCS1v15 = false
  #SignPSS = false
  #Decrypt = false
  #ExportKeyShares = false
  #ImportKeyShares = false

# Computes a pseudo random function based on AES-CTR.
#[SEPH15PRF]
  #KeySize = 16

# Controls which features of SEPH15PRF to enable. Each field corresponds to a method in the SDK.
#[SEPH15PRF.Features]
  #GenerateKey = false
  #KeyStream = false

# Computes the ECDH function. This protocol only requires t < n.
#[SEPD20ECDH]

# Controls which features of SEPD20ECDH to enable. Each field corresponds to a method in the SDK.
#[SEPD20ECDH.Features]
  #GenerateKey = false
  #ComputeSecret = false
  #PublicKey = false

# XOR sharing of byte arrays
#[XORSHARE]

# Controls which features of XORSHARE to enable. Each field corresponds to a method in the SDK.
#[XORSHARE.Features]
  #Export = false
  #Import = false

# Sends a message to all players.
#[BROADCAST]
  # Maximum size in bytes for a broadcast message.
  #MaxMessageLength = 65536

# Controls which features of BROADCAST to enable. Each field corresponds to a method in the SDK.
#[BROADCAST.Features]
  #SimpleBroadcast = false
  #AdvancedBroadcast = false

# The following protocols are general MPC protocols used for AES, HMAC, AN10992 and RFC5649.
# At most one of them can be enabled at the same time. When in doubt use MRZ15.

# General MPC protocol for n = 3 and t = 1. Based on https://eprint.iacr.org/2015/931
#[MRZ15]

# Controls which AES features are enabled for MRZ15. Each field corresponds to a method in the SDK.
#[MRZ15.AESFeatures]
  #GenerateKey = false
  #ExportKeyShares = false
  #ImportKeyShares = false
  #CTRKeyStream = false
  #CBCEncrypt = false
  #CBCDecrypt = false
  #GCMEncrypt = false
  #GCMDecrypt = false
  #CMAC = false

# Controls which HMAC features are enabled for MRZ15. Each field corresponds to a method in the SDK.
#[MRZ15.HMACFeatures]
  #GenerateKey = false
  #ExportKeyShares = false
  #ImportKeyShares = false
  #HMACSHA256 = false
  #HMACSHA512 = false

# Controls which AN10922 features are enabled for MRZ15. Each field corresponds to a method in the SDK.
#[MRZ15.AN10922Features]
  #ImportKeyShares = false
  #DeriveAESKey = false
  #Checksum = false

# Controls which RFC5649 features are enabled for MRZ15. Each field corresponds to a method in the SDK.
#[MRZ15.RFC5649Features]
  #ImportKeyShares = false
  #AesWrapBlobWithPadding = false

# General MPC protocol for n = 2. Based on https://eprint.iacr.org/2017/189
#[WRK17]
  #KeySize = 16
  #Rho = 40
  #BucketSize = 4

# Controls which AES features are enabled for WRK17. Each field corresponds to a method in the SDK.
#[WRK17.AESFeatures]
  #GenerateKey = false
  #ExportKeyShares = false
  #ImportKeyShares = false
  #CTRKeyStream = false
  #CBCEncrypt = false
  #CBCDecrypt = false
  #GCMEncrypt = false
  #GCMDecrypt = false
  #CMAC = false

# Controls which HMAC features are enabled for WRK17. Each field corresponds to a method in the SDK.
#[WRK17.HMACFeatures]
  #GenerateKey = false
  #ExportKeyShares = false
  #ImportKeyShares = false
  #HMACSHA256 = false
  #HMACSHA512 = false

# Controls which AN10922 features are enabled for WRK17. Each field corresponds to a method in the SDK.
#[WRK17.AN10922Features]
  #ImportKeyShares = false
  #DeriveAESKey = false
  #Checksum = false