List of Algorithms and Functions - Firmware v2.8

Primus HSM & CloudHSM support a wide variety of cryptographic algorithms and functions essential for secure data management. This list includes fundamental standards like AES and RSA, as well as advanced techniques such as ChaCha20–Poly1305 and BLS12-381.

Some algorithms are enabled by default for basic security needs, while others are optional and can be activated based on specific application requirements and API configurations.

info

Please verify that the algorithm and its functions are supported by your firmware. For more details check Firmware Version Support in each specific algorithm description.

Standard

All the following elements are enabled by default for all the HSM & CloudHSM services.

List valid as of May 2025.

Asymmetric

DSA

Description	CC Evaluated Configuration	FIPS Mode
[FIPS 186-4] Functions: PQG Generation, Key Pair Generation, Signature Generation, Signature Verification Key sizes: 2048, 3072 bits `Firmware Version Support` v2.8.21 and later	Allowed	Approved, Validation Number: 1412, C1899

ECC operations with non-NIST curves

Description CC Evaluated Configuration FIPS Mode

[FIPS IG A.2]
Elliptic Curve operations with non-NIST curves, as follows:

Curve:	Security Strength:
Brainpool 224r1, 256r1, 320r1, 384r1, 512r1	112, 128, 160, 192, 256
Frp 256v1	128
X9.62p239v1, v2, v3	119
secp224k1, 256k1	112, 128

Firmware Version Support

v2.8.21 and later

Allowed

Non-approved but Allowed

ECDSA

Description	CC Evaluated Configuration	FIPS Mode
[FIPS 186-4] Functions: Key Pair Generation, Signature Generation, Signature Verification, Public Key Validation Curves/Key sizes: P-224, P-256, P-384, P-521 (Strength: 112, 128, 192, 260) `Firmware Version Support` v2.8.21 and later	Allowed	Approved, Validation Number: 1941, C1899

KAS (FFC, ECC)

Description	CC Evaluated Configuration	FIPS Mode
[SP 800-56Ar1, RFC8031, SP 800-56A Section 5.7.1.2 ECC CDH Primitive] Parameter sets/Key sizes: FC, EB, EC, ED, EE, ECC (EcDH), FCC (DH), Safe Primes, PKCS#3 DH, x25519 EcDH, x448 EcDH Modes: dhStatic responder, Static Unified responder Scheme: SHA2 Note: Key establishment methodology provides between 112 and 256 bits of encryption strength `Firmware Version Support` v2.8.21 and later	Allowed, excluding PKCS#3 DH, x25519 EcDH, x448 EcDH.	Approved, excluding PKCS#3 DH, x25519 EcDH, x448 EcDH. Validation Number: 184, 1938, C1899

RSA

Description	CC Evaluated Configuration	FIPS Mode
[FIPS 186-4, ANSI X9.31-1998, and PKCS #1 v2.1 (PSS and PKCS1.5), SP 800-56B] Functions: Key Pair Generation, Signature Generation, Component Test, Signature Verification, Key Wrap, Key Unwrap, Encrypt, Decrypt Key sizes: 512, 1024 (non-FIPS mode only) Key sizes: 2048, 3072, 4096, 7680, 8192 bits Some RSA-4096 functions are listed here but not displayed on RSA Cert. #2946. These are vendor-affirmed, as CAVP does not provide testing for these functions. `Firmware Version Support` v2.8.21 and later; v2.8.44 and later; Support for Signature Verification, Key Wrap, Key Unwrap, Encrypt, Decrypt	Allowed	Approved, exluding vendor-affirmed RSA-4096 functions and Keysizes 512, 1024; Validation Number: 1939, 2946, C1899
KTS (RSA) [SP 800-56B] Functions: Key Wrap, Key Unwrap Key sizes: 2048, 3072, 4096 bits Key {Agreement \| Transport} – Provides 112 to 150 bits of encryption strength. Wrap Methods: RSASVE, RSA-OAEP `Firmware Version Support` v2.8.21 and later	Not Allowed	Allowed, IG D.4; Annex D

EdDSA

Description	CC Evaluated Configuration	FIPS Mode
[RFC8032] Function: EC digital signature algorithm using Edwards curve (ED25519) `Firmware Version Support` v2.8.21 and later	Allowed	Disabled

Symmetric

AES

Description	CC Evaluated Configuration	FIPS Mode
[FIPS 197, SP 800-38A] Functions: Encryption, Decryption; Modes: ECB, CBC, CTR Key sizes: 128, 192, 256 bits `Firmware Version Support` v2.8.21 and later; v3.0.6 and later; AES ECB/CBC key wrap/unwrap [Found in release notes] Version 3.2.2 and later; ECB/CBC encryption based key derivation functions	Allowed	Approved, with exception of ECB/CBC key wrap/unwrap. Validation Number: 5485, C1899
AES CMAC [SP 800-38B] Functions: MAC Generation, MAC Verification Key sizes: 128, 192, 256 bits `Firmware Version Support` v2.8.21 and later	Allowed	Approved, Validation Number: 5485, C1899
AES GCM/GMAC [FIPS 197, SP 800-38D] Functions: Authenticated Encryption, Authenticated Decryption, GMAC Generation, GMAC Verification Key sizes: 128, 192, 256 bits IV-Construction: RBG-based Construction with 96-bit random field and 0-bit free field. A unique IV is constructed for each usage. For line encryption an IV is calculated for each direction (send/receive) and increased after each packet. Note: The IV is generated internally at its entirety randomly as per technique 2 of IG A.5. `Firmware Version Support` v2.8.21 and later	Allowed	Allowed, Validation Number: 5485, C1899
AES KW [SP800-38F] Functions: Key Wrap, Key Unwrap Variants: 38D: AES-GCM (256 bits) 38F: AES-KW, AES-KWP, Key Size: 128, 192, 256 bits Key Transport – Provides between 128 and 256 bits of encryption strength. `Firmware Version Support` v2.8.21 and later	Allowed	Approved, Validation Number: 5485, C1899

Camellia

Description	CC Evaluated Configuration	FIPS Mode
Technical specifications Function: Encryption, Decryption Key sizes: 128, 192, 256 bits `Firmware Version Support` v2.8.21 and later	Not Allowed	Disabled

ChaCha20-Poly1305

Description	CC Evaluated Configuration	FIPS Mode
[RFC 7905] Function: Authenticated Encryption, Authenticated Decryption `Firmware Version Support` v2.8.21 and later	Not Allowed	Disabled
ChaCha Technical specifications Function: Stream cipher `Firmware Version Support` v2.8.21 and later	Not Allowed	Disabled
Poly1305 Technical specifications Function: Message Authentication Code `Firmware Version Support` v2.8.21 and later	Not Allowed	Disabled

Triple-DES (TDES)

Description	CC Evaluated Configuration	FIPS Mode
[SP 800-20, SP 800-67] Functions: Encryption, Decryption; Modes: TECB, TCBC Key sizes: 168 bits (effective 112 bits) `Firmware Version Support` Decryption: v2.8.21 and later; Encryption: v2.8.21 up to 2.8.51	Allowed	Approved, with exception of Encryption Validation Number: 2762, C1899

Hashes

CBC-MAC

Description	CC Evaluated Configuration	FIPS Mode
FIPS PUB 113 Function: Message authentication (superseded by AES-CMAC) `Firmware Version Support` v2.8.21 and later	Not Allowed	Disabled

HMAC

Description	CC Evaluated Configuration	FIPS Mode
[FIPS 198-1] Functions: Generation, Verification SHA sizes: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512 `Firmware Version Support` v2.8.21 and later	Not Allowed	Disabled

Keccak 1600

Description	CC Evaluated Configuration	FIPS Mode
[FIPS 202] Function: Hash `Firmware Version Support` v2.8.21 and later	Not Allowed	Disabled

Kerl

Description	CC Evaluated Configuration	FIPS Mode
Function: Hash Iota.org `Firmware Version Support` v2.8.21 and later	Not Allowed	Disabled

MD5

Description	CC Evaluated Configuration	FIPS Mode
[RFC1321] Function: 128-bit hash `Firmware Version Support` v2.8.21 and later	Not Allowed	Disabled

RIPEMD160

Description	CC Evaluated Configuration	FIPS Mode
ISO/IEC 10118-3:2018 Function: Hash `Firmware Version Support` v2.8.21 and later	Not Allowed	Disabled

SHA

Description	CC Evaluated Configuration	FIPS Mode
[FIPS 180-4, FIPS 202] Functions: Digital Signature Generation, Digital Signature Verification, component of HMAC and HMAC_DRBG, general hashing SHA sizes: SHA-1 verification only, SHA-224, SHA-256, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512 `Firmware Version Support` v2.8.21 and later	Allowed	Approved, Validation Number: 4402, 48 (SHA-3), C1899

Key Derivation

KDF

Description	CC Evaluated Configuration	FIPS Mode
[SP 800-108] Modes: Counter, Feedback, Double Pipeline Iteration Mode PRFs: CMAC(AES-128/192/256), HMAC (SHA-1, 224, 256, 384, 512) `Firmware Version Support` v2.8.21 up to v3.0.11	Allowed	Approved, Validation Number: 226, C1899

KDFs, Password-based

Description	CC Evaluated Configuration	FIPS Mode
[SP 800-132] PRFs: HMAC (SHA-1, SHA2 224/256/384/512, SHA3 224/256/384/512) `Firmware Version Support` v2.8.21 and later; v2.8.51; support for SHA3 224/256/384/512	Allowed	Non-approved but allowed

Optional

The following elements might require a specific license to be used on HSM devices & CloudHSM services.

Blockchain

Bip32

Description	CC Evaluated Configuration	FIPS Mode
Technical specifications Function: Key derivation `Firmware Version Support` v2.8.21 up to v2.8.56	Not Allowed	Disabled

ISS

Description	CC Evaluated Configuration	FIPS Mode
Function: IOTA Signature Scheme Iota.org `Firmware Version Support` v2.8.21 and later	Not Allowed	Disabled

Looking for compatible cryptocurrencies?

Browse the list of 100 cryptocurrencies, including their symbols, signing algorithms, and curves.

Post-Quantum Algorithms

Post-Quantum Algorithms are only available after firmware v3.0.6 and above.

See Firmware v3.2 - Algorithms and Functions

Further content:

Standard​

Asymmetric​

DSA​

ECC operations with non-NIST curves​

ECDSA​

KAS (FFC, ECC)​

RSA​

EdDSA​

Symmetric​

AES​

Camellia​

ChaCha20-Poly1305​

Triple-DES (TDES)​

Hashes​

CBC-MAC​

HMAC​

Keccak 1600​

Kerl​

MD5​

RIPEMD160​

SHA​

Key Derivation​

KDF​

KDFs, Password-based​

Optional​

Blockchain​

Bip32​

ISS​

Post-Quantum Algorithms​