Skip to main content

Supported Algorithms & Functions

Primus HSM & CloudHSM support a wide variety of cryptographic algorithms and functions essential for secure data management. This list includes fundamental standards like AES and RSA, as well as advanced techniques such as ChaCha20–Poly1305 and BLS12-381. Some algorithms come pre-configured for basic security needs, while others are optional and can be activated based on specific application requirements and API configurations.

List valid as of July 2024.

Standard

All the following elements are enabled by default for all the HSM & CloudHSM services.

Asymmetric

AlgorithmDescription
DSA[FIPS 186-4]
Functions: PQG Generation, Key Pair Generation, Signature Generation, Signature Verification
Key sizes: 2048, 3072 bits
ECC operations with non-NIST curves.[FIPS IG A.2]
Elliptic Curve operations with non-NIST curves, as follows:
Curve: Security Strength:
Brainpool 224r1, 256r1, 320r1, 384r1, 512r1 112, 128, 160, 192, 256
Frp 256v1 128
X9.62p239v1, v2, v3 119
secp224k1, 256k1 112, 128
ECDSA[FIPS 186-4]
Functions: Key Pair Generation, Signature Generation, Signature Verification, Public Key Validation
Curves/Key sizes: P-224, P-256, P-384, P-521 (Strength: 112, 128, 192, 260)
ECDSA SigGen Component[FIPS 186-4]
Curves/Key sizes: P-224, P-256, P-384, P-521
KAS (FFC, ECC)[SP 800-56Ar1]
Parameter sets/Key sizes: FC, EB, EC, ED, EE
Modes: dhStatic responder, Static Unified responder
Scheme: SHA2
Note: Key establishment methodology provides between 112 and 256 bits of encryption strength
KAS Component[SP 800-56A Section 5.7.1.2 ECC CDH Primitive]
Parameter sets/Key sizes: EB, EC, ED, EE
KTS (RSA)[SP 800-56B]
Functions: Key Wrap, Key Unwrap
Key sizes: 2048, 3072, 4096 bits
Key {Agreement | Transport} – Provides 112 to 150 bits of encryption strength.
Wrap Methods: RSASVE, RSA-OAEP
RSA[FIPS 186-4, ANSI X9.31-1998, and PKCS #1 v2.1 (PSS and PKCS1.5)]
Functions: Key Pair Generation, Signature Generation, Signature Verification, Key Wrap, Key Unwrap, Encrypt, Decrypt
Key sizes: 512, 1024 (non-FIPS mode only)
Key sizes: 2048, 3072, 4096, 7680, 8192 bits
Some RSA-4096 functions are listed here but not displayed on RSA Cert. #2946. These are vendor-affirmed, as CAVP does not provide testing for these functions.
RSA DP[SP 800-56B]
Key sizes: 2048 bits
RSA SP[FIPS 186-4, ANSI X9.31-1998, and PKCS #1 v2.1 (PSS and PKCS1.5)]
Key sizes: 2048 bits
DHPKCS3
Function: Key agreement, superseded by KAS (FFC)
EdDH[RFC8031]
Function: EC Diffie Hellman using Edwards curve (X25519)
EdDSA[RFC8032]
Function: EC digital signature algorithm using Edwards curve (ED25519)

Symmetric

AlgorithmDescription
AES[FIPS 197, SP 800-38A]
Functions: Encryption, Decryption; Modes: ECB, CBC, CTR
Key sizes: 128, 192, 256 bits
AES-CMAC[SP 800-38B]
Functions: MAC Generation, MAC Verification
Key sizes: 128, 192, 256 bits
AES-GCM[FIPS 197, SP 800-38D]
Functions: Authenticated Encryption, Authenticated Decryption, GMAC Generation, GMAC Verification
Key sizes: 128, 192, 256 bits
AES-KW[SP 800-38F]
Functions: Key Wrap, Key Unwrap
Key sizes: 128, 192, 256 bits
CamelliaTechnical specifications
Function: Encryption, Decryption
Key sizes: 128, 192, 256 bits
ChaChaTechnical specifications
Function: Stream cipher
ChaCha20-Poly1305[RFC 7905]
Function: Authenticated Encryption, Authenticated Decryption
Poly1305Technical specifications
Function: Message Authentication Code
KTS (Symmetric)[SP800-38F]
Functions: Key Wrap, Key Unwrap
Variants:
38D: AES-GCM (256 bits)
38F: AES-KW, AES-KWP
Key Transport – Provides between 128 and 256 bits of encryption strength.
Triple-DES (TDES)[SP 800-67]
Functions: Encryption, Decryption; Modes: TECB, TCBC
Key sizes: 168 bits (effective 112 bits)
Double-DES (DDES)[SP 800-20]
Functions: Encryption, Decryption; Modes: CBC, ECB
Key sizes: 128 bits (effective 112 bits)

Hashes

AlgorithmDescription
CBC-MACFIPS PUB 113
Function: Message authentication (superseded by AES-CMAC)
HMAC[FIPS 198-1]
Functions: Generation, Verification
SHA sizes: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512
Keccak 1600[FIPS 202]
Function: Hash
KerlFunction: Hash
Iota.org
MD5[RFC1321]
Function: 128-bit hash
RIPEMD160ISO/IEC 10118-3:2018
Function: Hash
SHA[FIPS 180-4, FIPS 202]
Functions: Digital Signature Generation, Digital Signature Verification, component of HMAC and HMAC_DRBG, general hashing
SHA sizes: SHA-1 verification only,
SHA-224, SHA-256, SHA-384, SHA-512,
SHA3-224, SHA3-256, SHA3-384, SHA3-512
SHA-1[FIPS 180-4, FIPS 202]
Function: Hash, for other operations than verification
SHAKE[FIPS 202]
Function: Extendable output
Modes: SHAKE-128, SHAKE-256

Key Derivation

AlgorithmDescription
CKG[SP800-133]
Asymmetric Key Generation (SP800-133 §6)
Symmetric Key Generation (SP800-133 §7: Direct output from DRBG)
DRBG[SP 800-90A]
HMAC DRBG with internal function SHA-512
CTR DRBG with internal function AES-256
HKDF[RFC5869]
Function: Key Derivation
Modes: extract, expand, extract&expand
KDF[SP 800-108]
Modes: Counter, Feedback, Double Pipeline Iteration Mode
PRFs: CMAC(AES-128/192/256), HMAC (SHA-1, 224, 256, 384, 512)
KDFs, Password-based[SP 800-132]
PRFs: HMAC (SHA-1, SHA2 224/256/384/512, SHA3 224/256/384/512)
NDRNG[FIPS IG G.13]
The NDRNG sole purpose is an entropy source for the DRBG built according to SP800-90A.
Securosys TRNGSecurosys hardware specification
Function: Non-deterministic random number generation (NDRNG)
Securosys RNGSecurosys hardware specification
Function: Performant deterministic random number generation (AES-128)

Optional

The following elements might require a specific license to be used on HSM devices & CloudHSM services.

Blockchain

AlgorithmDescription
BLS12-381RFC draft-irtf-cfrg-bls-signature-04 - draft-irtf-cfrg-bls-signature-02 (ietf.org)
Function: Sign & Verify according with ETH 2.0
Cardano ED key derivationFunction: Authenticated encryption / decryption
Documentation
ISSFunction: IOTA Signature Scheme
Iota.org
SLIP-0010Function: Seed import, Key derivation
Curves: SECP256k1, NIST P-256
GitHub
Looking for compatible cryptocurrencies?

Browse the list of 100 cryptocurrencies, including their symbols, signing algorithms, and curves.

Post-Quantum

AlgorithmDescription
CRYSTALS-Kyber[FIPS 203] (FIPS Round-3 Submission)
Function: Key Pair Generation, Key encapsulation
Modes: KYBER512, KYBER768, KYBER1024
CRYSTALS-Dilithium[FIPS 204] (FIPS Round-3 Submission)
Function: Key Pair Generation, Signature Generation, Signature Verification
Modes: DILITHIUM_L2, DILITHIUM_L3, DILITHIUM_L5
SPHINCS+[FIPS 205] (FIPS Round-3 Submission)
Function: Key Pair Generation, Signature Generation, Signature Verification
Modes: SPHINCS_PLUS_SHAKE_L1, SPHINCS_PLUS_SHAKE_L3, SPHINCS_PLUS_SHAKE_L5