Cryptographic Algorithm Compatibility: DIDs, VCs, AWS KMS, and Azure Key Vault

This document provides a comprehensive comparison of cryptographic algorithms supported by Decentralized Identifiers (DIDs), Verifiable Credentials (VCs), AWS Key Management Service (KMS), and Azure Key Vault.

Algorithm Support Comparison Table

Each entry gives the table's columns in order: Algorithm, Description, DID/VC Support, AWS KMS Support, Azure Key Vault Support, Usage & Use Cases.

Ed25519
Description: Edwards-curve Digital Signature Algorithm using Curve25519. High-performance elliptic curve signature algorithm with 32-byte public keys and 64-byte signatures.
DID/VC Support: Widely Supported
- Default in TrustWeave
- Used in did:key
- Ed25519Signature2020 proof type
AWS KMS Support: Supported (added Nov 2025)
- Key spec: ECC_Ed25519
- Signing: EdDSA
Azure Key Vault Support: Not Supported
- No native Ed25519 support
- Workaround: Use secp256k1 or P-256
Usage & Use Cases:
- DID/VC Usage: most common in DID ecosystems; recommended for TrustWeave; compact keys ideal for mobile/IoT; fast signing/verification
- When to Use: general-purpose DID/VC signing; mobile and IoT applications; when interoperability is key

secp256k1
Description: Elliptic curve used by Bitcoin and Ethereum. 256-bit curve with good performance.
DID/VC Support: Widely Supported
- Used in did:ethr
- did:polygonid
- Blockchain-based DIDs
- JsonWebSignature2020 with ES256K
AWS KMS Support: Supported
- Key spec: ECC_SECG_P256K1
- Signing: ES256K
Azure Key Vault Support: Supported
- Key type: EC-P256K
- Signing: ES256K
Usage & Use Cases:
- DID/VC Usage: blockchain-based DIDs; Ethereum ecosystem; Bitcoin-related applications
- When to Use: integrating with Ethereum/Bitcoin; blockchain-anchored credentials; Web3 applications

P-256 (NIST)
Description: NIST P-256 elliptic curve (also known as secp256r1). FIPS 140-2 compliant.
DID/VC Support: Supported
- Enterprise/government use
- JsonWebSignature2020 with ES256
- FIPS-compliant deployments
AWS KMS Support: Supported
- Key spec: ECC_NIST_P256
- Signing: ES256
Azure Key Vault Support: Supported
- Key type: EC-P256
- Signing: ES256
Usage & Use Cases:
- DID/VC Usage: government/enterprise deployments; FIPS 140-2 compliance requirements; healthcare/financial services
- When to Use: regulatory compliance needed; government contracts; enterprise security policies

P-384 (NIST)
Description: NIST P-384 elliptic curve. Higher security level than P-256. FIPS 140-2 compliant.
DID/VC Support: Supported
- Higher security requirements
- JsonWebSignature2020 with ES384
- Government/defense use
AWS KMS Support: Supported
- Key spec: ECC_NIST_P384
- Signing: ES384
Azure Key Vault Support: Supported
- Key type: EC-P384
- Signing: ES384
Usage & Use Cases:
- DID/VC Usage: high-security applications; defense/government systems; long-term credential validity
- When to Use: higher security requirements; long-term credential storage; defense/government systems

P-521 (NIST)
Description: NIST P-521 elliptic curve. Highest security level among NIST curves. FIPS 140-2 compliant.
DID/VC Support: Supported
- Maximum security requirements
- JsonWebSignature2020 with ES512
- Specialized high-security use
AWS KMS Support: Supported
- Key spec: ECC_NIST_P521
- Signing: ES512
Azure Key Vault Support: Supported
- Key type: EC-P521
- Signing: ES512
Usage & Use Cases:
- DID/VC Usage: maximum security applications; long-term archival; critical infrastructure
- When to Use: maximum security requirements; long-term credential archival; critical systems

RSA-2048
Description: Rivest-Shamir-Adleman algorithm with 2048-bit keys. Widely used but larger key sizes.
DID/VC Support: Supported
- Legacy systems
- JsonWebSignature2020 with RS256/RS384/RS512
- Backward compatibility
AWS KMS Support: Supported
- Key spec: RSA_2048
- Signing: RS256/RS384/RS512
- Encryption: RSAES_OAEP_SHA_1/256
Azure Key Vault Support: Supported
- Key type: RSA
- Key size: 2048 bits
- Signing: RS256/RS384/RS512
Usage & Use Cases:
- DID/VC Usage: legacy system integration; backward compatibility; enterprise systems
- When to Use: legacy system requirements; backward compatibility; enterprise integrations

RSA-3072
Description: RSA with 3072-bit keys. Higher security than RSA-2048.
DID/VC Support: Supported
- Higher security RSA
- JsonWebSignature2020 with RS256/RS384/RS512
AWS KMS Support: Supported
- Key spec: RSA_3072
- Signing: RS256/RS384/RS512
- Encryption: RSAES_OAEP_SHA_1/256
Azure Key Vault Support: Supported
- Key type: RSA
- Key size: 3072 bits
- Signing: RS256/RS384/RS512
Usage & Use Cases:
- DID/VC Usage: higher security RSA requirements; long-term credentials
- When to Use: higher security RSA needs; long-term credential validity

RSA-4096
Description: RSA with 4096-bit keys. Maximum security for RSA.
DID/VC Support: Supported
- Maximum RSA security
- JsonWebSignature2020 with RS256/RS384/RS512
AWS KMS Support: Supported
- Key spec: RSA_4096
- Signing: RS256/RS384/RS512
- Encryption: RSAES_OAEP_SHA_1/256
Azure Key Vault Support: Supported
- Key type: RSA
- Key size: 4096 bits
- Signing: RS256/RS384/RS512
Usage & Use Cases:
- DID/VC Usage: maximum RSA security; critical systems
- When to Use: maximum RSA security; critical infrastructure

BLS12-381
Description: BLS (Boneh-Lynn-Shacham) signature scheme on the BLS12-381 curve. Used for BBS+ signatures.
DID/VC Support: Supported
- BbsBlsSignature2020 proof type
- Selective disclosure
- Zero-knowledge proofs
AWS KMS Support: Not Supported
- No native BLS support
- Requires specialized KMS
Azure Key Vault Support: Not Supported
- No native BLS support
- Requires specialized KMS
Usage & Use Cases:
- DID/VC Usage: selective disclosure; zero-knowledge proofs; privacy-preserving credentials
- When to Use: privacy requirements; selective disclosure; ZK-proof applications
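To make the Ed25519 row concrete, the Go program below is an added example written for this page (it is not TrustWeave's code and does not call AWS KMS or Azure Key Vault). It builds a did:key identifier from an Ed25519 public key, parses it back while rejecting identifiers that carry another key type, and shows the 32-byte public key and 64-byte signature sizes the table quotes. The base58 codec, the helper names DIDKeyFromEd25519 and Ed25519FromDIDKey, and the sample payload are this example's own; it uses only Go's standard library and generates a throwaway key locally where a deployment would use a KMS-held key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Multicodec prefix for an Ed25519 public key: code 0xed, written as the
// unsigned varint 0xed 0x01. did:key places it in front of the raw key bytes.
var ed25519Codec = []byte{0xed, 0x01}

// Bitcoin-style base58 alphabet (base58btc); multibase marks it with a leading "z".
const b58Alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

// base58Encode encodes bytes as base58btc; each leading zero byte becomes "1".
func base58Encode(b []byte) string {
	x := new(big.Int).SetBytes(b)
	base, mod := big.NewInt(58), new(big.Int)
	var out []byte
	for x.Sign() > 0 {
		x.DivMod(x, base, mod)
		out = append(out, b58Alphabet[mod.Int64()])
	}
	for _, c := range b {
		if c != 0 {
			break
		}
		out = append(out, b58Alphabet[0])
	}
	for i, j := 0, len(out)-1; i < j; i, j = i+1, j-1 {
		out[i], out[j] = out[j], out[i]
	}
	return string(out)
}

// base58Decode reverses base58Encode and rejects characters outside the alphabet.
func base58Decode(s string) ([]byte, error) {
	x, base := new(big.Int), big.NewInt(58)
	for _, r := range s {
		idx := strings.IndexRune(b58Alphabet, r)
		if idx < 0 {
			return nil, fmt.Errorf("invalid base58 character %q", r)
		}
		x.Mul(x, base)
		x.Add(x, big.NewInt(int64(idx)))
	}
	zeros := 0
	for zeros < len(s) && s[zeros] == '1' {
		zeros++
	}
	return append(make([]byte, zeros), x.Bytes()...), nil
}

// DIDKeyFromEd25519 builds the did:key identifier for a raw Ed25519 public key.
// The fixed codec bytes pin the leading digits, so every such identifier
// starts with "did:key:z6Mk". (Hypothetical helper name for this example.)
func DIDKeyFromEd25519(pub ed25519.PublicKey) (string, error) {
	if len(pub) != ed25519.PublicKeySize {
		return "", fmt.Errorf("want a %d-byte Ed25519 public key, got %d bytes", ed25519.PublicKeySize, len(pub))
	}
	payload := append(append([]byte{}, ed25519Codec...), pub...)
	return "did:key:z" + base58Encode(payload), nil
}

// Ed25519FromDIDKey extracts the raw public key from a did:key, refusing
// identifiers whose codec is not Ed25519 (for example P-256 or secp256k1 keys).
func Ed25519FromDIDKey(did string) (ed25519.PublicKey, error) {
	if !strings.HasPrefix(did, "did:key:z") {
		return nil, errors.New("not a base58btc-encoded did:key")
	}
	raw, err := base58Decode(strings.TrimPrefix(did, "did:key:z"))
	if err != nil {
		return nil, err
	}
	if len(raw) != len(ed25519Codec)+ed25519.PublicKeySize || !bytes.Equal(raw[:2], ed25519Codec) {
		return nil, errors.New("did:key does not carry an Ed25519 public key")
	}
	return ed25519.PublicKey(raw[len(ed25519Codec):]), nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // throwaway local key, not a KMS key
	if err != nil {
		panic(err)
	}
	did, _ := DIDKeyFromEd25519(pub)
	msg := []byte(`{"type":"VerifiableCredential"}`) // constructed sample payload
	sig := ed25519.Sign(priv, msg)
	fmt.Printf("%s\npublic key %d bytes, signature %d bytes, verifies: %v\n",
		did, len(pub), len(sig), ed25519.Verify(pub, msg, sig))
}
```

The codec check in Ed25519FromDIDKey is the part worth keeping in real code: a verifier that strips the prefix and trusts whatever bytes follow will happily treat a P-256 or secp256k1 did:key as an Ed25519 key, and the resulting verification failure is easy to misread as a signature problem rather than a key-type mismatch.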

TrustWeave Algorithm Support

Based on the TrustWeave codebase:

Supported Algorithms in TrustWeave

    enum class KeyAlgorithm(val algorithmName: String) {
        /** Ed25519 signature algorithm (recommended) */
        ED25519("Ed25519"),

        /** secp256k1 (Bitcoin/Ethereum curve) */
        SECP256K1("secp256k1"),

        /** P-256 (NIST curve) */
        P256("P-256"),

        /** P-384 (NIST curve) */
        P384("P-384"),

        /** P-521 (NIST curve) */
        P521("P-521");
    }

Supported Proof Types in TrustWeave

    object ProofTypes {
        const val ED25519 = "Ed25519Signature2020"
        const val JWT = "JsonWebSignature2020"
        const val BBS_BLS = "BbsBlsSignature2020"
    }

Proof Type to Algorithm Mapping

Each entry gives the table's columns in order: Proof Type, Signature Algorithm, KMS Algorithm Required, AWS KMS Compatible, Azure Key Vault Compatible.

Ed25519Signature2020
- Signature Algorithm: Ed25519 (EdDSA)
- KMS Algorithm Required: Ed25519
- AWS KMS Compatible: ✅ Yes (Nov 2025+)
- Azure Key Vault Compatible: ❌ No

JsonWebSignature2020
- Signature Algorithm: JWS (flexible)
- KMS Algorithm Required: ES256K, ES256, ES384, ES512, RS256, RS384, RS512, EdDSA
- AWS KMS Compatible: ✅ Yes (varies by algorithm)
- Azure Key Vault Compatible: ✅ Yes (varies by algorithm)

BbsBlsSignature2020
- Signature Algorithm: BBS+ (BLS12-381)
- KMS Algorithm Required: BLS12-381
- AWS KMS Compatible: ❌ No
- Azure Key Vault Compatible: ❌ No
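The JsonWebSignature2020 row hides one integration detail that the comparison table cannot show: JWS carries an ECDSA signature as fixed-length r||s, while ECDSA signing APIs, including Go's ecdsa.SignASN1 and the AWS KMS Sign API, return it DER-encoded. The Go program below is an added example (not TrustWeave, AWS or Azure code) that maps each NIST curve to its JWS alg and digest, signs, converts the DER signature to the JWS form, and verifies it. The helper names and the sample payload are this example's own; keys are generated locally in place of a KMS call, and secp256k1/ES256K is left out because Go's standard library has no secp256k1 curve.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
)

// jwsAlg pairs a NIST curve with its JWS "alg" name and digest, as used by
// JsonWebSignature2020 and by the ES256/ES384/ES512 signing algorithms that
// both AWS KMS and Azure Key Vault list for the matching key type.
type jwsAlg struct {
	name   string
	digest func([]byte) []byte
	size   int // byte length of one coordinate; the r||s signature is twice this
}

// algFor selects the JWS alg by curve name; the mapping is fixed by RFC 7518.
func algFor(curve elliptic.Curve) (jwsAlg, error) {
	n := (curve.Params().BitSize + 7) / 8
	switch curve.Params().Name {
	case "P-256":
		return jwsAlg{"ES256", func(b []byte) []byte { h := sha256.Sum256(b); return h[:] }, n}, nil
	case "P-384":
		return jwsAlg{"ES384", func(b []byte) []byte { h := sha512.Sum384(b); return h[:] }, n}, nil
	case "P-521":
		return jwsAlg{"ES512", func(b []byte) []byte { h := sha512.Sum512(b); return h[:] }, n}, nil
	}
	return jwsAlg{}, fmt.Errorf("no JWS alg for curve %q in this example", curve.Params().Name)
}

// ecdsaDER is the ASN.1 SEQUENCE { r INTEGER, s INTEGER } layout of a DER signature.
type ecdsaDER struct{ R, S *big.Int }

// derToJWS converts a DER signature to the fixed-length r||s form JWS requires,
// left-padding each integer to the coordinate size (64, 96 or 132 bytes total).
func derToJWS(der []byte, alg jwsAlg) ([]byte, error) {
	var sig ecdsaDER
	rest, err := asn1.Unmarshal(der, &sig)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, errors.New("trailing bytes after DER signature")
	}
	if sig.R.Sign() <= 0 || sig.S.Sign() <= 0 || len(sig.R.Bytes()) > alg.size || len(sig.S.Bytes()) > alg.size {
		return nil, errors.New("r or s out of range for this curve")
	}
	out := make([]byte, 2*alg.size)
	sig.R.FillBytes(out[:alg.size])
	sig.S.FillBytes(out[alg.size:])
	return out, nil
}

// signJWS hashes data with the curve's digest, signs, and returns the JWS alg
// name together with the raw r||s signature. (Hypothetical helper for this example.)
func signJWS(priv *ecdsa.PrivateKey, data []byte) (string, []byte, error) {
	alg, err := algFor(priv.Curve)
	if err != nil {
		return "", nil, err
	}
	der, err := ecdsa.SignASN1(rand.Reader, priv, alg.digest(data))
	if err != nil {
		return "", nil, err
	}
	sig, err := derToJWS(der, alg)
	return alg.name, sig, err
}

// verifyJWS checks a raw r||s signature; a wrong length (for example a DER
// signature passed through unconverted) is rejected before any curve arithmetic.
func verifyJWS(pub *ecdsa.PublicKey, data, sig []byte) bool {
	alg, err := algFor(pub.Curve)
	if err != nil || len(sig) != 2*alg.size {
		return false
	}
	r := new(big.Int).SetBytes(sig[:alg.size])
	s := new(big.Int).SetBytes(sig[alg.size:])
	return ecdsa.Verify(pub, alg.digest(data), r, s)
}

func main() {
	data := []byte(`{"type":"VerifiableCredential"}`) // constructed sample payload
	for _, curve := range []elliptic.Curve{elliptic.P256(), elliptic.P384(), elliptic.P521()} {
		priv, err := ecdsa.GenerateKey(curve, rand.Reader) // local stand-in for a KMS-held key
		if err != nil {
			panic(err)
		}
		alg, sig, err := signJWS(priv, data)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %s -> %d-byte JWS signature, verifies: %v\n",
			curve.Params().Name, alg, len(sig), verifyJWS(&priv.PublicKey, data, sig))
	}
}
```

The expected signature lengths are 64 bytes for ES256, 96 for ES384 and 132 for ES512 (P-521 coordinates are 66 bytes). When a KMS is wired into a JWS signer without the DER-to-r||s step, the signature is the wrong length and variable in size, and conforming verifiers reject it; checking the length before verifying, as verifyJWS does, turns that misconfiguration into a clear failure instead of a silent one.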

Cloud KMS Compatibility Summary

AWS KMS

  • Fully Compatible: secp256k1, P-256, P-384, P-521, RSA (all sizes), Ed25519 (Nov 2025+)
  • ⚠️ Not Compatible: BLS12-381 (no native BLS support; requires a specialized KMS)
  • FIPS 140-3 Level 3 Validated: P-256, P-384, P-521, RSA (all sizes), secp256k1 (blockchain only) - Certificate #4884
  • ⚠️ FIPS Status: Ed25519 not in current FIPS certificate (added Nov 2025, may use non-FIPS path)
  • Best For: Production deployments requiring FIPS 140-3 Level 3 compliance, Ed25519 support

Azure Key Vault

  • Fully Compatible: secp256k1, P-256, P-384, P-521, RSA (all sizes)
  • Not Compatible: Ed25519, BLS12-381
  • Best For: Azure ecosystem deployments, NIST-compliant algorithms, JWK native format

Recommendations

For General DID/VC Use Cases

  1. Ed25519 (if AWS KMS available) - Best performance, compact keys, widely supported
  2. secp256k1 - Good alternative, supported by both cloud KMS providers
  3. P-256 - Enterprise/government compliance requirements

For Blockchain Integration

  • secp256k1 - Required for Ethereum/Bitcoin-based DIDs

For Enterprise/Government

  • P-256/P-384/P-521 - FIPS 140-3 Level 3 validated (AWS KMS Certificate #4884), supported by both cloud providers
  • RSA-2048/3072/4096 - FIPS 140-3 Level 3 validated (AWS KMS Certificate #4884)

For Privacy-Preserving Credentials

  • BLS12-381 - Requires specialized KMS (not available in AWS/Azure)

Notes

  1. Ed25519 Support: AWS KMS added Ed25519 support in November 2025. Azure Key Vault does not yet support Ed25519. Note: Ed25519 is not listed in AWS KMS’s current FIPS 140-3 certificate (#4884) and may use a non-FIPS validated cryptographic path.

  2. FIPS 140-3 Compliance: AWS KMS uses FIPS 140-3 Level 3 validated HSMs (Certificate #4884, validated 11/18/2024). The certificate approves ECDSA (FIPS 186-4) on NIST curves, ECDSA secp256k1 (blockchain use only), and RSA (FIPS 186-4) for all key sizes.

  3. Algorithm Selection: Choose algorithms based on:
    • Interoperability requirements
    • Regulatory compliance needs
    • Cloud provider constraints
    • Performance requirements

  4. TrustWeave Default: TrustWeave defaults to Ed25519 for DID creation and credential signing, which is the recommended algorithm for most use cases.

  5. Hybrid Approaches: For Ed25519 requirements with Azure Key Vault, consider:
    • Using secp256k1 or P-256 as alternatives
    • Hybrid KMS approach (Azure for some keys, local/other KMS for Ed25519)
    • Using AWS KMS for Ed25519 support