Comparison of cryptography libraries

The tables below compare cryptography libraries that deal with cryptography algorithms and have application programming interface (API) function calls to each of the supported features.

Cryptography libraries

Name of implementation	Initiative	Main implementation language	Open-source software	Software license	Latest release
Botan	Jack Lloyd	C++	Yes	Simplified BSD	3.8.1 (May 7, 2025; 14 days ago (2025-05-07)[1]) [±]
Bouncy Castle	Legion of the Bouncy Castle Inc.	Java, C#	Yes	MIT License	Java 1.80 / January 14, 2025; 4 months ago (2025-01-14)[2] Java LTS BC-LJA 2.73.7 / November 8, 2024; 6 months ago (2024-11-08)[3] Java FIPS BC-FJA 2.0.0 / July 30, 2024; 9 months ago (2024-07-30)[4] C# 2.5.1 / February 14, 2025; 3 months ago (2025-02-14)[5] C# FIPS BC-FNA 1.0.2 / March 11, 2024; 14 months ago (2024-03-11)[6]
BSAFE	Dell, formerly RSA Security	Java, C, Assembly	No	Proprietary	Crypto-C Micro Edition: 4.1.5 (December 17, 2020; 4 years ago (2020-12-17)[7]) [±] Micro Edition Suite: 5.0.3 (December 3, 2024; 5 months ago (2024-12-03)[8]) [±] Crypto-J: 7.0.1 (March 17, 2025; 2 months ago (2025-03-17)[9]) [±] 6.3.1 (May 15, 2025; 6 days ago (2025-05-15)[10]) [±]
cryptlib	Peter Gutmann	C	Yes	Sleepycat License or commercial license	3.4.5 (2019; 6 years ago (2019)[11]) [±]
Crypto++	The Crypto++ project	C++	Yes	Boost (all individual files are public domain)	Jan 10, 2023 (8.9.0)
GnuTLS	Nikos Mavrogiannopoulos, Simon Josefsson	C	Yes	LGPL-2.1-or-later	3.8.9[12]  2025-02-08
Intel Cryptography Primitives Library	Intel	C, ASM	Yes	Apache 2.0	March 2025 (2025.1.0 / 1.1.0)
Java's default JCA/JCE providers	Oracle	Java	Yes	GNU GPL v2 and commercial license	23.0.1 (October 15, 2024; 7 months ago (2024-10-15)[13]) [±] 21.0.5 LTS (October 15, 2024; 7 months ago (2024-10-15)[14]) [±] 17.0.13 LTS (October 15, 2024; 7 months ago (2024-10-15)[15]) [±] 11.0.25 LTS (October 15, 2024; 7 months ago (2024-10-15)[16]) [±] 8u431 LTS (October 15, 2024; 7 months ago (2024-10-15)[17]) [±]
LibreSSL	OpenBSD Foundation	C	Yes	Apache 1.0	4.1.0[18]  2025-04-30
Libgcrypt	GnuPG community and g10code	C	Yes	GNU LGPL v2.1+	stable 1.11.0 / June 19, 2024; 11 months ago (2024-06-19)[19] LTS 1.8.11 / November 16, 2023; 18 months ago (2023-11-16)[20]
libsodium	Frank Denis	C	Yes	ISC	Sep 13, 2023 (1.0.19)
Mbed TLS	Arm Limited	C	Yes	Apache 2.0	3.0.0 (July 7, 2021; 3 years ago (2021-07-07)[21]) [±] 2.27.0 (July 7, 2021; 3 years ago (2021-07-07)) [±] 2.16.11 (July 7, 2021; 3 years ago (2021-07-07)) [±]
NaCl	Daniel J. Bernstein, Tanja Lange, Peter Schwabe	C	Yes	Public domain	February 21, 2011[22]
Nettle		C	Yes	GNU GPL v2+ or GNU LGPL v3	3.10.1[23]  2024-12-30
Network Security Services (NSS)	Mozilla	C	Yes	MPL 2.0	Standard 3.84 / October 12, 2022; 2 years ago (2022-10-12)[24] Extended Support Release 3.79.1 / August 18, 2022; 2 years ago (2022-08-18)[24]
OpenSSL	The OpenSSL Project	C	Yes	Apache 2.0	3.5.0[25]  2025-04-08
wolfCrypt	wolfSSL, Inc.	C	Yes	GNU GPL v2 or commercial license	5.8.0 (April 24, 2025; 27 days ago (2025-04-24)[26]) [±]

FIPS 140

This table denotes, if a cryptography library provides the technical requisites for FIPS 140, and the status of their FIPS 140 certification (according to NIST's CMVP search,^[27] modules in process list^[28] and implementation under test list).^[29]

Implementation	FIPS 140-2 mode	FIPS 140-2 validated	FIPS 140-3 validated
Botan	No	No	No
Bouncy Castle	Yes	Yes[30]	Yes[31]
BSAFE	Yes	Yes[32][33]	Yes[34]
cryptlib	Yes	No	No
Crypto++	No	No[a]	No
GnuTLS	No	Yes[35][b]	In process[36]
Intel Cryptography Primitives Library	No [c]	No [c]	No [c]
Java's default JCA/JCE providers	No	No[37][d]	No
Libgcrypt	Yes	Yes[38][e]	In process[36]
libsodium	No	No	No
Mbed TLS	No	No	No
NaCl	No	No	No
Nettle	No	No	No
Network Security Services (NSS)	Yes	Yes[39][f]	In process[36]
OpenSSL	Yes	Yes[40][g]	In process[36]
wolfCrypt	Yes	Yes[41]	Yes[42]

1. Crypto++ received three FIPS 140 validations from 2003 through 2008. In 2016 NIST moved Crypto++ to the Historical Validation List.
2. While GnuTLS is not FIPS 140-2 validated by GnuTLS.org, validations exist for versions from Amazon Web Services Inc., Oracle Corporation, Red Hat Inc. and SUSE LLC.
3. Intel Cryptography Primitives Library is not FIPS 140-3 validated but FIPS 140-3 compliant.
4. While none of default JDK JCA/JCE providers is FIPS 140-2 validated, there are other JCE/JCA third party providers which are FIPS 140-2 validated.
5. While Libgcrypt is not FIPS 140-2 validated by g10code, validations exist for versions from Amazon Web Services Inc., Canonical Ltd., Oracle Corporation, Red Hat Inc. and SUSE LLC.
6. While the Network Security Services (NSS) are not FIPS 140-2 validated by the Mozilla Foundation, validations exist for versions from Amazon Web Services Inc., Canonical Ltd., Cisco Systems Inc., Hewlett Packard Enterprise, Oracle Corporation, Red Hat Inc., SafeLogic Inc., SUSE LLC and Trend Micro Inc.
7. While OpenSSL is not FIPS 140-2 validated by OpenSSL.org, validations exist for versions from Amazon Web Services Inc., Aqua Security Software Ltd., Broadcom Inc., Canonical Ltd., Cisco Systems Inc., Cohesity Inc., ControlUp Technologies Inc., Crestron Electronics Inc., Dell Inc., Gallagher Group, Hewlett Packard Enterprise, IBM Corporation, ICU Medical Inc., Intelligent Waves, Ixia, KeyPair Consulting Inc., Koninklijke Philips N.V., Lenovo Group Limited, LG Electronics Inc., LogRhythm, McAfee LLC, Metaswitch Networks Ltd, NetBrain Technologies Inc., Nutanix Inc., Onclave Networks Inc., Oracle Corporation, REDCOM Laboratories Inc., Red Hat Inc., SafeLogic Inc., Super Micro Computer Inc., SUSE LLC, Tanium Inc., Trend Micro Inc., Unisys Corporation, Verizon, VMware Inc. and Wickr Inc.

Key operations

Key operations include key generation algorithms, key exchange agreements, and public key cryptography standards.

Public key algorithms

Further information: Public-key cryptography

Implementation	RSA	DSA	ECDSA	EdDSA	Ed448	DH	ECDH	ECIES	ElGamal	NTRU (IEEE P1363.1)	DSS
Botan	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	Yes
Bouncy Castle	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
BSAFE	Yes	Yes	Yes	No	No	Yes	Yes	Yes	No	No	No
cryptlib	Yes	Yes	Yes	No	No	Yes	Yes	No	Yes	No	Yes
Crypto++	Yes	Yes	Yes	No	No	Yes	Yes	Yes	Yes	No	Yes
GnuTLS	Yes	No	No	No	No	No	No	No	No	No	No
Intel Cryptography Primitives Library	Yes	Yes	Yes	Yes	No	Yes	Yes	No	No	No	Yes
Java's default JCA/JCE providers	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No	No	Yes
Libgcrypt	Yes	Yes	Yes	Yes	Yes	Yes	Yes[a]	No	Yes	No	Yes
libsodium	No	No	No	Yes	No	No	No	No	No	No	No
Mbed TLS	Yes	Yes	Yes	No	No	Yes	Yes	No	No	No	No
Nettle	Yes	Yes	No	Yes	No	No	No	No	No	No	No
OpenSSL	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No	No	No
wolfCrypt	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	Yes	Yes

1. By using the lower level interface.

Elliptic-curve cryptography (ECC) support

Further information: Elliptic-curve cryptography

Implementation	NIST	SECG	ECC Brainpool	Curve25519	Curve448	GOST R 34.10[43]	SM2
Botan	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Bouncy Castle	Yes	Yes	Yes	Yes	Yes	Yes	Yes
BSAFE	Yes	Yes	No	No	No	No	No
cryptlib	Yes	Yes	Yes	No	No	No	No
Crypto++	Yes	Yes	Yes	Yes	No	No	No
GnuTLS	Yes	No	No	No	No	No	No
Intel Cryptography Primitives Library	Yes	No	No	Yes [a]	No	No	Yes
Java's default JCA/JCE providers	Yes	Yes	No	Yes	Yes	No	No
Libgcrypt	Yes	Yes	Yes	Yes	Yes	Yes	Yes
libsodium	Yes	No	No	Yes	Yes	No	No
Mbed TLS	Yes	Yes	Yes	Yes	No	No	No
Nettle	Yes	Partial	No	Yes	No	No	No
OpenSSL	Yes	Yes	Yes	Yes	Yes	Yes	Yes
wolfCrypt	Yes	Yes	Yes	Yes	Yes	No	Yes

1. Supported in Intel Cryptography Primitives Library multi-buffer API only (not supported in single-buffer API).

Public key cryptography standards

Further information: PKCS

Implementation	PKCS #1	PKCS #5,[44] PBKDF2	PKCS #8	PKCS #12	IEEE P1363	ASN.1
Botan	Yes	Yes	Yes	No	Yes	Yes
Bouncy Castle	Yes	Yes	Yes	Yes	Yes	Yes
BSAFE Crypto-J	Yes	Yes	Yes	Yes	No	Yes
cryptlib	Yes	Yes	Yes	Yes	No	Yes
Crypto++	Yes	Yes	Yes[a]	No	Yes	Yes
GnuTLS
Intel Cryptography Primitives Library	Yes	No	No	No	Yes	No
Java's default JCA/JCE providers	Yes	Yes	Yes	Yes	Yes	Yes
Libgcrypt	Yes	Yes[b]	Yes[b]	Yes[b]	Yes[b]	Yes[b]
libsodium	No	No	No	No	No	No
Mbed TLS	Yes	No	Yes	Yes	No	Yes
Nettle	Yes	Yes	No	No	No	No
OpenSSL	Yes	Yes	Yes	Yes	No	Yes
wolfCrypt	Yes	Yes	Yes	Yes	No	Yes

1. The library offers X.509 and PKCS #8 encoding without PEM by default. For PEM encoding of public and private keys the PEM Pack is needed.
2. These Public Key Cryptographic Standards (PKCS) are supported by accompanying libraries and tools, which are also part of the GnuPG framework, although not by the actual libgcrypt library.

Hash functions

Comparison of supported cryptographic hash functions. Here hash functions are defined as taking an arbitrary length message and producing a fixed size output that is virtually impossible to use for recreating the original message.

Implementation	MD5	SHA-1	SHA-2	SHA-3	RIPEMD-160	Tiger	Whirlpool	BLAKE2	GOST R 34.11-94[45] (aka GOST 34.311-95)	GOST R 34.11-2012 (Stribog)[46]	SM3
Botan	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Bouncy Castle	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
BSAFE Crypto-J	Yes	Yes	Yes	Yes	Yes	No	No	No	No	No	No
cryptlib	Yes	Yes	Yes	Yes	Yes	No	Yes	No	No	No	No
Crypto++	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	Yes
GnuTLS
Intel Cryptography Primitives Library	Yes	Yes	Yes	Yes	No	No	No	No	No	No	Yes
Java's default JCA/JCE providers	Yes	Yes	Yes	Yes	No	No	No	No	No	No	No
Libgcrypt	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
libsodium	No	No	Yes	No	No	No	No	Yes	No	No	No
Mbed TLS	Yes	Yes	Yes	Yes	Yes	No	No	No	No	No	No
Nettle	Yes	Yes	Yes	Yes	Yes	No	No	No	Yes	No	No
OpenSSL	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	Yes
wolfCrypt	Yes	Yes	Yes	Yes	Yes	No	No	Yes	No	No	Yes

MAC algorithms

Comparison of implementations of message authentication code (MAC) algorithms. A MAC is a short piece of information used to authenticate a message—in other words, to confirm that the message came from the stated sender (its authenticity) and has not been changed in transit (its integrity).

Implementation	HMAC-MD5	HMAC-SHA1	HMAC-SHA2	Poly1305	BLAKE2-MAC
Botan	Yes	Yes	Yes	Yes	Yes
Bouncy Castle	Yes	Yes	Yes	Yes	Yes
BSAFE Crypto-J	Yes	Yes	Yes	Yes	No
cryptlib	Yes	Yes	Yes	No	No
Crypto++	Yes	Yes	Yes	Yes	Yes
GnuTLS
Intel Cryptography Primitives Library	Yes	Yes	Yes	No	No
Java's default JCA/JCE providers	Yes	Yes	Yes	No	No
Libgcrypt	Yes	Yes	Yes	Yes	Yes
libsodium	No	No	Yes	Yes	Yes
Mbed TLS	Yes	Yes	Yes	No	No
Nettle	Yes	Yes	Yes	Yes	No
OpenSSL	Yes	Yes	Yes	Yes	Yes
wolfCrypt	Yes	Yes	Yes	Yes	Yes

Block ciphers

Table compares implementations of block ciphers. Block ciphers are defined as being deterministic and operating on a set number of bits (termed a block) using a symmetric key. Each block cipher can be broken up into the possible key sizes and block cipher modes it can be run with.

Block cipher algorithms

Further information: Block cipher

Implementation	AES	3DES	Camellia	Blowfish	Twofish	IDEA	CAST5	ARIA	GOST 28147-89[47] / GOST R 34.12-2015 (Magma[48] & Kuznyechik[49])	SM4
Botan	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Bouncy Castle[50]	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
BSAFE Crypto-J	Yes	Yes	No	No	No	No	No	No	No	No
cryptlib[51]	Yes	Yes	No	Yes	No	Yes	Yes	No	No	No
Crypto++	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Partial[a]	Yes
GnuTLS	Yes	No	Yes	No	No	No	No	No	No	No
Intel Cryptography Primitives Library	Yes	Yes	No	No	No	No	No	No	No	Yes
Java's default JCA/JCE providers	Yes	Yes	No	Yes	No	No	No	No	No	No
Libgcrypt	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
libsodium	Partial[b]	No	No	No	No	No	No	No	No	No
Mbed TLS	Yes	Yes	Yes	Yes	No	No	No	No	No	No
Nettle	Yes	Yes	Yes	Yes	No	No	No	No	No	No
OpenSSL	Yes	Yes	Yes	Yes	No	Yes	Yes	Yes	Yes	Yes
wolfCrypt	Yes	Yes	Yes	No	No	Yes	No	Yes	No	Yes

1. Crypto++ only supports GOST 28147-89, but not GOST R 34.12-2015.
2. libsodium only supports AES-256, but not AES-128 or AES-192.

Cipher modes

Further information: Block cipher mode of operation

Implementation	ECB	CBC	OFB	CFB	CTR	CCM	GCM	OCB	XTS	AES-Wrap	Stream	EAX
Botan	No	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Bouncy Castle	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	Yes	Yes	Yes
BSAFE	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	Yes	Yes	Yes	No
cryptlib	Yes	Yes	Yes	Yes	No	No	Yes	No	No	No	No	No
Crypto++	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	Yes	No	Yes	Yes
GnuTLS
Intel Cryptography Primitives Library	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	Yes	No	Yes	No
Java's default JCA/JCE providers	Yes	Yes	Yes	Yes	Yes	No	Yes	No	No	Yes	Yes	No
Libgcrypt	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
libsodium	No	No	No	No	Yes	No	Yes	No	No	No	No	No
Mbed TLS	Yes	Yes	No	Yes	Yes	Yes	Yes	No	No	No	No	No
Nettle	Yes	Yes	No	No	Yes	Yes	Yes	No	No	No	No	No
OpenSSL	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No
wolfCrypt	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	Yes	Yes	Yes	Yes

Stream ciphers

The table below shows the support of various stream ciphers. Stream ciphers are defined as using plain text digits that are combined with a pseudorandom cipher digit stream. Stream ciphers are typically faster than block ciphers and may have lower hardware complexity, but may be more susceptible to attacks.

Implementation	RC4	HC-256	Rabbit	Salsa20	ChaCha	SEAL	Panama	WAKE	Grain	VMPC	ISAAC
Botan	Yes	No	No	Yes	Yes	No	No	No	No	No	No
Bouncy Castle	Yes	Yes	No	Yes	Yes	No	No	No	Yes	Yes	Yes
BSAFE Crypto-J	Yes	No	No	No	Yes	No	No	No	No	No	No
cryptlib	Yes	No	No	No	No	No	No	No	No	No	No
Crypto++	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	No	No
GnuTLS
Intel Cryptography Primitives Library	No	No	No	No	No	No	No	No	No	No	No
Java's default JCA/JCE providers	Yes	No	No	No	Yes	No	No	No	No	No	No
Libgcrypt	Yes	No	No	Yes	Yes	No	No	No	No	No	No
libsodium	No	No	No	Yes	Yes	No	No	No	No	No	No
Mbed TLS	Yes	No	No	No	Yes	No	No	No	No	No	No
Nettle	Yes	No	No	Yes	Yes	No	No	No	No	No	No
OpenSSL	Yes	No	No	No	Yes	No	No	No	No	No	No
wolfCrypt	Yes	No	No	Yes	Yes	No	No	No	No	No	No

Hardware-assisted support

These tables compare the ability to use hardware enhanced cryptography. By using the assistance of specific hardware, the library can achieve greater speeds and/or improved security than otherwise.

Smart card, SIM, HSM protocol support

Further information: Smart card, SIM card, and Hardware security module

Implementation	PKCS #11	PC/SC	CCID
Botan	Yes	No	No
Bouncy Castle	Yes[a]	No	No
BSAFE	Yes[b]	No	No
cryptlib	Yes	No	No
Crypto++	No	No	No
GnuTLS	Yes	No	No
Intel Cryptography Primitives Library	No	No	No
Java's default JCA/JCE providers	Yes	No[c]	No[c]
Libgcrypt	Yes[52]	Yes[53]	Yes[53]
libsodium	No	No	No
Mbed TLS	Yes[54]	No	No
OpenSSL	Yes[54]	No	No
wolfCrypt	Yes	No	No

1. In conjunction with the PKCS#11 provider, or through the implementation of operator interfaces providing access to basic operations.
2. When using BSAFE Crypto-J in native mode using BSAFE Crypto-C Micro Edition.
3. Support is available through javax.smartcardio package of JDK.

General purpose CPU, platform acceleration support

Further information: CPU

Implementation	AES-NI	SSSE3, SSE4.1	AVX, AVX2	AVX-512	RDRAND	VIA PadLock	Intel QuickAssist	ARMv7-A NEON	ARMv8-A cryptography instructions	Power ISA v2.03 (AltiVec[a])	Power ISA v2.07 (e.g., POWER8 and later[a])
Botan	Yes	Yes	Yes	Yes	Yes	No	No	Yes	Yes	Yes	Yes
BSAFE	Yes[b]	Yes[b]	Yes[b]	No	Yes[b]	No	No	No	Yes[b]	No	No
cryptlib	Yes	Yes	Yes	No	Yes	Yes	No	No	No	No	No
Crypto++	Yes	Yes	Yes	No	Yes	Yes[c]	No	Yes	Yes	Yes	Yes
GnuTLS	Yes	No	No	No	No	Yes	No	No	No	No	No
Intel Cryptography Primitives Library	Yes	Yes	Yes	Yes	Yes	No	No	No	No	No	No
Java's default JCA/JCE providers	Yes[d]	Yes[d]	Yes[d]	Yes[d]	Yes[d]	No	No	No	Yes[d]	No	Yes[d]
Libgcrypt[55]	Yes	Yes	Yes	Yes	Yes	Yes	No	Yes	Yes	No	Yes
libsodium	Yes	Yes	Yes	No	No	No	No	No	No	No	No
OpenSSL	Yes	Yes	Yes	Yes	Yes[e]	Yes	No	Yes	Yes	Yes	Yes
wolfCrypt	Yes	Yes	Yes	No	Yes	No	Yes[56]	Yes	Yes[57]	No	No

1. AltiVec includes POWER4 through POWER8 SIMD processing. POWER8 added in-core crypto, which provides accelerated AES, SHA and PMUL similar to ARMv8.1.
2. When using RSA BSAFE Crypto-J in native mode using BSAFE Crypto-C Micro Edition
3. Crypto++ only provides access to the Padlock random number generator. Other functions, like AES acceleration, are not provided.
4. When using the HotSpot JVM
5. OpenSSL RDRAND support is provided through the ENGINE interface. The RDRAND generator is not used by default.

Code size and code to comment ratio

Implementation	Source code size (kSLOC = 1000 lines of source code)	Code to comment lines ratio
Botan	133[58]	4.55[58]
Bouncy Castle	1359[59]	5.26[59]
BSAFE Crypto-J	271[a]	1.3[a]
cryptlib	241	2.66
Crypto++	115[60]	5.74[60]
GnuTLS	363[61]	7.30[61]
Java's default JCA/JCE providers
Libgcrypt	216[62]	6.27[62]
libsodium	44[63]	21.92[63]
Mbed TLS	105[64]	33.9[64]
Nettle	111[65]	4.08[65]
OpenSSL	472[66]	4.41[66]
wolfCrypt	39	5.69

1. Based on Crypto-J 6.2.5, excluding tests source. Generated using https://github.com/XAMPPRocky/tokei

Portability

Implementation	Supported operating system	Thread safe
Botan	Linux, Windows, macOS, Android, iOS, FreeBSD, NetBSD, OpenBSD, DragonflyBSD, Solaris, AIX, QNX, Haiku	Yes
Bouncy Castle	General Java API: J2ME, Java Runtime Environment 1.1+, Android. Java FIPS API: Java Runtime 1.5+, Android. C# API (General & FIPS): CLR 4.
BSAFE Crypto-J	Solaris, Linux, Android, FreeBSD, AIX, 32 and 64-bit Windows, macOS (Darwin)	Yes
cryptlib	AMX, ARINC 653, BeOS, ChorusOS, CMSIS-RTOS/mbed-rtos, DOS, DOS32, eCOS, embOS, FreeRTOS/OpenRTOS, uItron, MQX, MVS, Nucleus, OS/2, Palm OS, QNX Neutrino, RTEMS, SMX, Tandem NonStop, Telit, ThreadX, uC/OS II, Unix (AIX, FreeBSD, HP-UX, Linux, macOS, Solaris, etc.), VDK, VM/CMS, VxWorks, Win16, Win32, Win64, WinCE/PocketPC/etc, XMK	Yes
Crypto++	Unix (AIX, OpenBSD, Linux, MacOS, Solaris, etc.), Win32, Win64, Android, iOS, ARM	Yes[a]
GnuTLS	Runs on most Unix platforms and Windows[67]	?
Intel Cryptography Primitives Library	Windows 10/11, Windows Server 2019/2022, Red Hat Enterprise Linux (RHEL) 8/9, SUSE Linux Enterprise Server (SLES) 15 SP4 / SP5 / SP6, Ubuntu 22.04 LTS / 24.04 LTS, Rocky Linux 9, Fedora 39 / 40, Debian 12	Yes
Libgcrypt	All 32- and 64-bit Unix Systems (Linux, FreeBSD, NetBSD, macOS etc.), Win32, Win64, WinCE, and more	Yes[68]
libsodium	macOS, Linux, OpenBSD, NetBSD, FreeBSD, DragonflyBSD, Android, iOS, 32 and 64-bit Windows (Visual Studio, MinGW, C++ Builder), NativeClient, QNX, JavaScript, AIX, MINIX, Solaris	Yes
Mbed TLS	Win32/64, Unix Systems, embedded Linux, Micrium's μC/OS, FreeRTOS	?
OpenSSL	Solaris, IRIX, HP-UX, MPE/iX, Tru64, Linux, Android, BSD (OpenBSD, NetBSD, FreeBSD, DragonflyBSD), NextSTEP, QNX, UnixWare, SCO, AIX, 32 and 64-bit Windows (Visual Studio, MinGW, UWIN, CygWin), UEFI, macOS (Darwin), iOS, HURD, VxWorks, uClinux, VMS, DJGPP (DOS), Haiku	Yes
wolfCrypt	Win32/64, Linux, macOS, Solaris, ThreadX, VxWorks, FreeBSD, NetBSD, OpenBSD, embedded Linux, WinCE, Haiku, OpenWRT, iPhone (iOS), Android, Nintendo Wii and Gamecube through DevKitPro, QNX, MontaVista, NonStop, TRON/ITRON/μITRON, Micrium's μC/OS, FreeRTOS, SafeRTOS, Freescale MQX, Nucleus, TinyOS, HP-UX	Yes

1. Crypto++ is thread safe at the object level, i.e. there is no shared data among instances. If two different threads access the same object then the user is responsible for locking.