Native signing on Tezos with Android Biometrics (Part 2)

By Benjamin Fuentes

In the first part, we talked about different solutions for signing Tezos transactions on Android but there is no native solution with the highest protection (part 1).

Now, we will see what would be the perfect UX.

Tezos Native signing

A quick reminder of available algorithms on Tezos by address:

  • tz1 : ed25519
  • tz2 : secp256k1
  • tz3 : NIST p256r1 (secp256r1 with Blake2B hash)
  • tz4 : BLS-MinPk

Signing requires an asymmetric keypair and a hash algorithm. These algorithms have been selected for Blockchain performance and security purposes.

Android Keystore Crypto algorithm support

The Android Keystore system lets you store cryptographic keys in a container to make them more difficult to extract from the device. Once keys are in the keystore, you can use them for cryptographic operations, with the key material remaining non-exportable.

This is the most secure way to handle security and integrate the Biometrics feature. An alternative would be to use another keystore that will do software-security protection and encrypt a file on the system. This later solution is less secure and does not leverage Biometrics support.

Once we go with the Android Keystore we have access to a limited list of supported algorithms

Class Recommendation
Cipher AES in either CBC or GCM mode with 256-bit keys (such as AES/GCM/NoPadding)
MessageDigest SHA-2 family (such as SHA-256)
Mac SHA-2 family HMAC (such as HMACSHA256)
Signature SHA-2 family with ECDSA (such as SHA256withECDSA)


Sadly, there is no match between Tezos algorithms and Android ones. The closest match is :

  • Tezos : secp256r1 + BLAKE2B
  • Android : secp256r1 + SHA256

Solution 1: Use an RSA key on the Keystore to encrypt any Tezos private key

This solution is not optimal because the RSA key needs to decrypt the private key on the phone for signing transactions, at this point the Tezos private key is plaintext and this is potentially dangerous

If you want to learn more about this announcement, please read our blog post on Marigold website :point_right: Native signing on Tezos with Android Biometrics (Part 2)