<required>
# For reference see BSI TR-02102-1 (2025-01):
# https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile&v=9

# === 2. Asymmetric Encryption Schemes and Key Agreement ===
# Table 2.2: Recommended classical asymmetric encryption and key derivation schemes
rsa
# dlies (deprecated)
ecies
dh
ecdh

# Allowed KDF for ECIES (see 2.3.4)
kdf1_iso18033

# Table 2.4: Recommended formatting method for the RSA encryption algorithm
eme_oaep

# Table 2.5: Recommended parameters for FrodoKEM
frodokem

# Table 2.6: Recommended parameters for ClassicMcEliece-KEM.
classic_mceliece

# Table 2.7: Recommended parameters for ML-KEM
ml_kem

# === 3. Symmetric Encryption Schemes ===
# Table 3.1: Recommended block ciphers
aes

# Table 3.2: Recommended modes of operation for block ciphers
ccm
gcm
cbc
ctr

# Table 3.3: Recommended padding schemes for block ciphers
mode_pad # contains various paddings

# Section 3.3: Protection of Key Material
nist_keywrap

# === 4. Hash Functions ===
# Table 4.1: Recommended hash functions
sha2_32
sha2_64
sha3

# === 5. Data Authentication ===
# Table 5.1: Recommended MAC schemes
cmac
hmac
kmac
gmac

# Table 5.3/5.5: Recommended signature algorithms.
# rsa (already enabled above)
dsa
ecdsa
ecgdsa
eckcdsa
ml_dsa
slh_dsa_shake
slh_dsa_sha2
xmss
hss_lms

# Table 5.4: Recommended padding schemes for the RSA signature algorithm.
emsa_pssr
iso9796 # DS 2 and 3

# === 8. Random Number Generators ===
auto_rng
hmac_drbg

# === Appendix and Others ===
# Table B.1: Recommended method for key derivation
sp800_56c # (Two-Step KDF)
hkdf

# B.1.2. Password-Based Key Derivation
argon2
argon2fmt
</required>

<if_available>
# pcurves
pcurves_brainpool256r1
pcurves_brainpool384r1
pcurves_brainpool512r1

pcurves_secp192r1
pcurves_secp224r1
pcurves_secp256r1
pcurves_secp384r1
pcurves_secp521r1
pcurves_secp256k1

pcurves_frp256v1
pcurves_numsp512d1
pcurves_sm2p256v1

pcurves_generic

# block
aes_ni
aes_vperm
aes_armv8
aes_power8
aes_vaes

# modes
ghash_cpu
ghash_vperm

# hash
sha2_32_x86
sha2_32_armv8
sha2_32_simd
sha2_32_avx2
sha2_64_x86
sha2_64_armv8
sha2_64_avx2
sha2_64_avx512
keccak_perm_bmi2

# entropy sources
getentropy
rdseed
win32_stats

# pbkdf
argon2_avx2
argon2_ssse3

# rng
processor_rng
system_rng

# utils
http_util # needed by x509 for OCSP online checks
locking_allocator
</if_available>

<prohibited>
# block
aria
blowfish
camellia
cascade
cast128
des
gost_28147
idea
idea_sse2
kuznyechik
lion
noekeon
noekeon_simd
seed
serpent
serpent_avx2
serpent_simd
shacal2
shacal2_armv8
shacal2_avx2
shacal2_simd
shacal2_x86
sm4
sm4_armv8
threefish_512
twofish

# modes
chacha20poly1305
eax
ocb
siv
cfb

# stream
chacha
chacha_simd32
chacha_avx2
ofb
rc4
salsa20
#shake_cipher # not recommended, but needed for kyber

# kdf
kdf1
kdf2
prf_x942
sp800_56a

# pubkey
x25519
x448
ed25519
elgamal
gost_3410
mce
rfc6979
sm2

# pk_pad
#eme_pkcs1 // needed for tls
#emsa_pkcs1 // needed for tls
#eme_raw // allows custom paddings
emsa_raw
emsa_x931

# hash
#blake2 # not recommended, but needed for argon2
comb4p
gost_3411
md4
md5
rmd160
#shake # not recommended, but needed for kyber
skein
#sha1 // needed for x509
sm3
streebog
whirlpool
keccak

# rng
chacha_rng

# mac
blake2mac
poly1305
siphash
x919_mac

# passhash
bcrypt

</prohibited>
