List of Algorithms and Functions - Firmware v3.2
Primus HSM & CloudHSM support a wide variety of cryptographic algorithms and functions essential for secure data management. This list includes fundamental standards like AES and RSA, as well as advanced techniques such as ChaCha20–Poly1305 and BLS12-381.
Some algorithms are enabled by default for basic security needs, while others are optional and can be activated based on specific application requirements and API configurations.
info
Please verify that the algorithm and its functions are supported by your firmware. For more details check Firmware Version Support in each specific algorithm description.
Standard
All the following elements are enabled by default for all the HSM & CloudHSM services.
List valid as of May 2025.
Asymmetric
DSA
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| [FIPS 186-4] Functions: PQG Generation, Key Pair Generation, Signature Generation, Signature Verification Key sizes: 2048, 3072 bits
v3.1 and later | Allowed | Approved, Validation Number: A5693 |
ECC operations with non-NIST curves
| Description | CC Evaluated Configuration | FIPS Mode | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| [FIPS IG A.2] Elliptic Curve operations with non-NIST curves, as follows:
v3.1 and later | Allowed | Non-approved but Allowed |
ECDSA
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| [FIPS 186-4] Functions: Key Pair Generation, Signature Generation, Signature Verification, Public Key Validation Curves/Key sizes: P-224, P-256, P-384, P-521 (Strength: 112, 128, 192, 260)
v3.1 and later | Allowed | Approved, Validation Number: A5710 |
KAS (FFC, ECC)
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| [P 800-56A Section 5.7.1.2 ECC CDH Primitive, SP 800-56Ar1] Parameter sets/Key sizes: FC, EB, EC, ED, EE Modes: dhStatic responder, Static Unified responder Scheme: SHA2 Note: Key establishment methodology provides between 112 and 256 bits of encryption strength
v3.1 and later | Allowed | Approved, Validation Number: A5699 |
RSA
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| [FIPS 186-4, ANSI X9.31-1998, and PKCS #1 v2.1 (PSS and PKCS1.5)] Functions: Key Pair Generation, Signature Generation, Component Test, Signature Verification, Key Wrap, Key Unwrap, Encrypt, Decrypt Key sizes: 512, 1024 (non-FIPS mode only) Key sizes: 2048, 3072, 4096, 7680, 8192 bits Some RSA-4096 functions are listed here but not displayed on RSA Cert. #2946. These are vendor-affirmed, as CAVP does not provide testing for these functions.
v3.1 and later; | Allowed | Approved, exluding vendor-affirmed RSA-4096 functions; Validation Number: A5709 |
| KTS (RSA) [SP 800-56B] Functions: Key Wrap, Key Unwrap, KAS1-basic, KAS 2-basic, RSA-OAEP Key sizes: 2048, 3072, 4096 bits Key {Agreement | Transport} – Provides 112 to 150 bits of encryption strength. Wrap Methods: RSASVE, RSA-OAEP
v3.1 and later | Allowed | Approved, IG D.4; Annex D, A5700, A5697 |
EdDH
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| [RFC8031] Function: Edwards-curve Diffie-Hellman using X25519 (Curve25519)
v3.1 and later | Not Allowed | Disabled |
EdDSA
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| [RFC8032] Function: EC digital signature algorithm using Edwards curve (ED25519)
v3.1 and later | Allowed | Approved, Validation Number: A5694 |
Symmetric
AES
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| [FIPS 197, SP 800-38A] Functions: Encryption, Decryption; Modes: ECB, CBC, CTR Key sizes: 128, 192, 256 bits
v3.1 and later | Allowed | Approved, with exception of ECB/CBC key wrap/unwrap. Validation Number: A5684 |
| AES-CMAC [SP 800-38B] Functions: MAC Generation, MAC Verification Key sizes: 128, 192, 256 bits
v3.1 and later | Allowed | Approved, Validation Number: A5687 |
| AES-GCM/GMAC [FIPS 197, SP 800-38D] Functions: Authenticated Encryption, Authenticated Decryption, GMAC Generation, GMAC Verification Key sizes: 128, 192, 256 bits IV-Construction: RBG-based Construction with 96-bit random field and 0-bit free field. A unique IV is constructed for each usage. For line encryption an IV is calculated for each direction (send/receive) and increased after each packet. Note: The IV is generated internally at its entirety randomly as per technique 2 of IG A.5.
v3.1 and later | Allowed | Approved, Validation Number: A5685, A5686 |
| AES-KW [SP 800-38F] Functions: Key Wrap, Key Unwrap Variants: 38D: AES-GCM (256 bits) 38F: AES-KW, AES-KWP Key sizes: 128, 192, 256 bits. Key Transport – Provides between 128 and 256 bits of encryption strength.
v3.1 and later | Allowed | Approved, Validation Number: A5697 |
Camellia
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| Technical specifications Function: Encryption, Decryption Key sizes: 128, 192, 256 bits
v3.1 and later | Not Allowed | Disabled |
ChaCha20-Poly1305
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| [RFC 7905] Function: Authenticated Encryption, Authenticated Decryption
v3.1 and later | Not Allowed | Disabled |
| ChaCha Technical specifications Function: Stream cipher
v3.1 and later | Not Allowed | Disabled |
| Poly1305 Technical specifications Function: Message Authentication Code
v3.1 and later | Not Allowed | Disabled |
Triple-DES (TDES)
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| [SP 800-67] Functions: Encryption (non-FIPS Mode), Decryption, Key Wrap (non-FIPS Mode), Key Unwrap ; Modes: CBC, ECB, TECB, TCBC Key sizes: 168 bits (effective 112 bits)
v3.1 and later; | Allowed | Decryption Approved. Key unwrap Allowed. Key Wrap and Encryption Disabled. Validation Number: A5688 |
Hashes
CBC-MAC
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| FIPS PUB 113 Function: Message authentication (superseded by AES-CMAC)
v3.1 and later | Not Allowed | Disabled |
HMAC
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| [FIPS 198-1] Functions: Generation, Verification SHA sizes: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512
v3.1 and later | Not Allowed | Disabled |
Keccak 1600
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| [FIPS 202] Function: Hash
v3.1 and later | Not Allowed | Disabled |
Kerl
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| Function: Hash Iota.org
v3.1 and later | Not Allowed | Disabled |
MD5
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| [RFC1321] Function: 128-bit hash
v3.1 and later | Not Allowed | Disabled |
RIPEMD160
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| ISO/IEC 10118-3:2018 Function: Hash
v3.1 and later | Not Allowed | Disabled |
SHA
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| [FIPS 180-4, FIPS 202] Functions: Digital Signature Generation, Digital Signature Verification, component of HMAC and HMAC_DRBG, general hashing SHA sizes: SHA-1 verification only (non-verification non-FIPS mode only), SHA-224, SHA-256, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512
v3.1 and later | Allowed | Approved, with exception of SHA-1 for operations other than verification. Validation Number: A5689, A5690 |
Key Derivation
DRBG
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| [SP 800-90A] HMAC DRBG with internal function SHA-512 CTR DRBG with internal function AES-256
v3.2.3 and later; | Not Allowed | Approved, Validation Number: A5692 |
HKDF
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| [RFC5869] Function: Key Derivation Modes: extract, expand, extract&expand
v3.1 and later | Not Allowed | Disabled |
KDFs, Password-based
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| [SP 800-132] PRFs: HMAC (SHA-1, SHA2 224/256/384/512, SHA3 224/256/384/512)
v3.1 and later | Allowed | Approved, Validation Number: A5695 |
KBKDF
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| [SP 800-108] Modes: Counter, Feedback, Double Pipeline Iteration Mode PRFs: CMAC(AES-128/192/256), HMAC (SHA-1, 224, 256, 384, 512)
v3.1 and later | Allowed | Approved, Validation Number: A5696 |
Optional
The following elements might require a specific license to be used on HSM devices & CloudHSM services.
Blockchain
BLS12-381
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| RFC draft-irtf-cfrg-bls-signature-04 - draft-irtf-cfrg-bls-signature-02 (ietf.org) Function: Sign & Verify according with ETH 2.0
v3.1 and later | Not Allowed | Disabled |
Cardano ED key derivation
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| Function: Authenticated encryption / decryption Documentation
v3.1 and later | Not Allowed | Disabled |
ISS
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| Function: IOTA Signature Scheme Iota.org
v3.1 and later | Not Allowed | Disabled |
Looking for compatible cryptocurrencies?
Browse the list of 100 cryptocurrencies, including their symbols, signing algorithms, and curves.
Post-Quantum Algorithms
ML-KEM (CRYSTALS-Kyber)
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| [FIPS 203] (Module-Lattice-Based Key-Encapsulation Mechanism Standard (nist.gov)) Function: Key pair generation, key encapsulation, key decapsulation Modes: ML-KEM-512, ML-KEM-768, ML-KEM-1024 (formerly CRYSTALS-Kyber)
v3.1 and later | Allowed | Approved, Validation Number: A6129 |
| FIPS Round-3 Submission Function: Key Pair Generation, Key encapsulation Modes: KYBER512, KYBER768, KYBER1024
v3.1 and later; | Not Allowed | Disabled |
ML-DSA (CRYSTALS-Dilithium)
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| [FIPS 204] (Module-Lattice-Based Digital Signature Standard (nist.gov)) Functions: Key pair generation, deterministic signature generation, randomized signature generation, signature verification Modes: ML-DSA-44, ML-DSA-65, ML-DSA-87 (formerly CRYSTALS-Dilithium)
v3.1 and later | Allowed | Approved, Validation Number: A6130 |
| FIPS Round-3 Submission Function: Key Pair Generation, Signature Generation, Signature Verification Modes: DILITHIUM_L2, DILITHIUM_L3, DILITHIUM_L5
v3.1 and later | Not Allowed | Disabled |
SLH-DSA (SPHINCS+)
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| [FIPS 205] ((Stateless Hash-Based Digital Signature Standard (nist.gov)) Functions: Key pair generation, deterministic signature generation, randomized signature generation, signature verification Modes: SLH-DSA-SHA2-128s, SLH-DSA-SHAKE-128s, SLH-DSA-SHA2-128f, SLH-DSA-SHAKE-128f, SLH-DSA-SHA2-192s, SLH-DSA-SHAKE-192s, SLH-DSA-SHA2-192f, SLH-DSA-SHAKE-192f, SLH-DSA-SHA2-256s, SLH-DSA-SHAKE-256s, SLH-DSA-SHA2-256f, SLH-DSA-SHAKE-256f (formerly SPHINCS+)
v3.1 and later | Allowed | Approved, Validation Number: A6131 |
| FIPS Round-3 Submission Function: Key Pair Generation, Signature Generation, Signature Verification Modes: SPHINCS_PLUS_SHAKE_L1, SPHINCS_PLUS_SHAKE_L3, SPHINCS_PLUS_SHAKE_L5
v3.1 and later | Not Allowed | Disabled |
HSS-LMS
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| [NIST SP 800-208] (Recommendation for Stateful Hash-Based Signature Schemes (nist.gov)) Functions: Key pair generation, signature generation, signature verification Modes: SHA-256, SHA-256(192), SHAKE-256(256), SHAKE-256(192)
v3.1 and later | Not Allowed | Approved, Validation Number: A5702, A5703 |
XMSS
| Description | CC Evaluated Configuration | FIPS Mode |
|---|---|---|
| [NIST SP 800-208] (Recommendation for Stateful Hash-Based Signature Schemes (nist.gov)) Functions: Key pair generation, signature generation, signature verification Modes: XMSS-SHA2_10_256, XMSS-SHA2_16_256, XMSS-SHA2_20_256, XMSS-SHAKE256_10_256, XMSS-SHAKE256_16_256, XMSS-SHAKE256_20_256
v3.1 and later | Allowed | Non-approved but allowed |
Further content: