NanoCrypto is a sophisticated, FIPS-certified cryptographic engine purpose-built for resource-constrained embedded systems environments. With out-of-the-box support for more than 35 operating systems (including environments without an OS), NanoCrypto allows device OEMs and ISVs to build confidentiality, integrity, and authentication features directly into almost any type of device or application. As the core cryptographic engine securing millions of devices from hundreds of technology manufacturers worldwide, NanoCrypto is, quite simply, one of the smallest, fastest, and most comprehensive cryptographic cores on the market.

NanoCrypto also supports NSA Suite B crypto algorithms to provide a holistic approach for securing networked devices and services, ideally suited for high-traffic enterprise and federal environments where performance is critical. Suite B cryptography is a set of cryptographic algorithms and protocols specified by NIST that are approved by the NSA for protecting classified and unclassified National Security Systems (NSS) (see US Export Restricted Algorithms).

Key features

NanoCrypto provides these key features:

  • Small memory footprint and high performance

  • Speeds integration and testing of complex cryptographic functions for your product

  • Open standards-based, RFC compliant

  • PKCS standards-based

  • Support for PEM, DER, and PKCS#12 certificate formats

  • Support for TPM-generated keys

  • Support for post-quantum ciphers

  • Operators for hardware acceleration

  • Abstraction platform for compliance with export/import controls

  • Simple APIs available for C, C++, and Java applications

  • OS- and platform-agnostic for easy portability

  • Threadless architecture, synchronous and asynchronous

  • Guaranteed GPL-free code that protects your intellectual property

System requirements

Memory requirements

NanoCrypto Basic has a minimum memory footprint of 250KB (estimate based on Intel x86 builds).

Typical memory usage assumes a full set of ciphers and may decrease or increase depending on 32/64-bit architecture, x86/ARM/MIPS target, a reduced set of ciphers, static or shared library linkage, and compile flags.

Supported operating systems

NanoCrypto is currently supported on these operating systems:

  • Linux (Ubuntu, Debian, Raspbian, CentOS)

  • Solaris

  • Microsoft® Windows

  • Cygwin

  • FreeBSD

  • FreeRTOS

  • ThreadX

  • QNX

For other operating systems, if required, DigiCert can provide a guide to assist with porting to another operating system or RTOS.

Supported operating platforms

NanoCrypto is currently supported on these operating platforms:

  • Intel® x86

  • ARM A/M Series

  • Hardware Acceleration — Intel AES-NI, Vendor Extensions via NanoCAP operators or NanoCrypto Callbacks

  • Secure Element — TPM 2.0/1.2, NXP A71CH, Renesas S5, PKCS#11 SIM, ARM TrustZone

Random number generation

NanoCrypto provides multiple implementations for the secure and efficient generation of random numbers. These implementations are platform independent, but still take advantage of hardware when available. NanoCrypto currently supports these algorithms for random number generation:

  • CTR DRBG: Defined in NIST 800-90A and can be used in FIPS Inside products.

  • FIPS186 RNG: Defined in NIST FIPS-186 but cannot be used in FIPS Inside products.

Supported algorithms

The TrustCore SDK-supported algorithms in NanoCrypto are as follows:

Message digests (hash)

NanoCrypto supports these message digest (hash) algorithms:

  • MD2 (only for backwards compatibility)

  • MD4 (only for backwards compatibility)

  • MD5 (only for backwards compatibility)

  • SHA-1

  • SHA-224

  • SHA-256

  • SHA-384

  • SHA-512

  • SHA3-224

  • SHA3-256

  • SHA3-384

  • SHA3-512

  • SHAKE-128

  • SHAKE-256

  • BLAKE2s

  • BLAKE2b

Message authentication code (MAC)

NanoCrypto supports these message authentication code (MAC) algorithms:

  • HMAC with MD5 (only for backwards compatibility)

  • HMAC with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512

  • Poly1305 MAC

  • BLAKE2s

  • BLAKE2b

Symmetric ciphers

NanoCrypto supports these symmetric ciphers:

  • AES

    • ECB

    • CBC

    • CTR

    • OFB

    • CFB 128

  • DES

    • ECB

    • CBC

  • Triple-DES

    • ECB

    • CBC

  • RC2

    • ECB

  • AEAD Ciphers

    • AES-CCM

    • AES-GCM

  • ChaCha20-Poly1305

  • RC4 (Stream Cipher)

    • RC4

Asymmetric ciphers

NanoCrypto supports these asymmetric ciphers:

  • Diffie-Hellman (DH)

  • DSA

  • RSA

    • PKCS#1 v1.5

    • PKCS#1 PSS

  • ECC (Prime Field Curves and Edwards Curves)

    • ECDH

    • EdDH

    • ECDSA

    • EdDSA

    • El Gamal

PBE and key derivation

NanoCrypto supports these PBE and key derivation algorithms:

  • ANSI X9.63 KDF

  • NIST KDF 800-108

  • PKCS#5 PBKDF2 (NIST SP 800-132)

  • PKCS#12 PBE

  • TKIP

  • AESKW (RFC 3394, RFC 5649, NIST SP 800-38F)

Certificate formats

NanoCrypto supports these certificate formats:

  • .pem

  • .der

  • .p12

US export restricted algorithms

This table lists algorithms that are subject to US export restrictions.

Table 1. US Export Restricted Algorithms



Classification level

  • 128-bit key, 256-bit key

  • 256-bit digest, 384-bit digest

  • Digital Signature: 256-bit key, 384-bit key

  • Key Exchange: 256-bit key, 384-bit key

FIPS and Suite B support