List of supported algorithms

This table provides an overview of all the algorithms we currently support. This only lists algorithms for which verification is complete. Please refer to documentation for each individual API for the full details.

Algorithm Portable C (HACL*) Intel ASM (Vale) Agile API (EverCrypt)
AEAD      
AES-GCM   ✔︎ (AES-NI + CLMUL) ✔︎
Chacha20-Poly1305 ✔︎ (+ 128-bit, 256-bit)   ✔︎
ECDH      
Curve25519 ✔︎ ✔︎ (BMI2 + ADX)  
P-256 ✔︎    
Signatures      
Ed25519 ✔︎    
P-256 ✔︎    
Hashes      
MD5 ✔︎   ✔︎
SHA1 ✔︎   ✔︎
SHA2-224,256 ✔︎ ✔︎ (SHAEXT) ✔︎
SHA2-384,512 ✔︎   ✔︎
SHA3 ✔︎    
Blake2 ✔︎ (+ 128-bit, 256-bit)    
Key Derivation      
HKDF ✔︎ ✔︎ (see notes below) ✔︎
Ciphers      
Chacha20 ✔︎ (+ 128-bit, 256-bit)    
AES-128,256   ✔︎ (AES-NI + CLMUL)  
MACS      
HMAC ✔︎ ✔︎ (see notes below) ✔︎
Poly1305 ✔︎ (+ 128-bit, 256-bit) ✔︎ (X64)  

Points of interest:

  • Some C implementations also have verified vectorized versions using compiler intrinsics (there is no inline assembly). The 128-bit implementations are supported on Intel AVX, ARM Neon, and recent Power8 and IBM Z platforms. The 256-bit implementations are supported on Intel AVX2.
  • MD5 and SHA1 are provided for legacy purposes and backwards-compatibility (e.g. TLS applications); no particular effort has been made to make them efficient
  • HMAC/HKDF only use ASM implementations if the underlying hash algorithm has one