ncperftest [options]
Only supported in FIPS 140-2 Level 2 Security Worlds.

Tests the performance of various crypto commands using attached nShield hardware.

Supported since Security World version v12.10, it contains all the functionality in sigtest and floodtest. It also supports other tests, and provides greater accuracy and throughput capability in performance management.

The default action is --sign. However, if a mechanism or key type is selected, then the default action is changed to be appropriate to the key type.

For --mechanism the default depends on the action. For example for signing the default is RSApPKCS1.

--key-type selects a default mechanism for the requested key type. For example -S RSA is equivalent to -M RSApPKCS1. For -S HMAC, the default is HMACSHA256.

The default for the --key-size option depends on the mechanism. For RSA and (KC)DSA keys it is 1024, unless a mechanism was selected which requires a larger key. For AES it is 128.

Option Description

Action options


Tests the channel decrypt operation.

-d, --decrypt

Tests the Decrypt operation.

-D, --rsa-sign-decrypt

Tests the RSAImmedSignDecrypt operation.

-e, --encrypt

Tests the Encrypt operation.

-E, --rsa-verify-encrypt

Tests the RSAImmedVerifyEncrypt operation.

-H, --hash

Tests the Hash operation. No Key Options available, always load-balanced due to no module option.

-N, --nop

Tests the NoOp operation. Load-balanced across all modules unless only one module is specified. No Key Options available.

-R, --mod-exp-crt

Test ModExpCrt operation. Always load-balanced.

-s, --sign

Test Sign operation (default).

-U, --channel

Test channel encrypt operation.

-v, --verify

Tests the Verify operation.

-x, --mod-exp

Tests the ModExp operation. Always load-balanced.

Key and mechanism options

-c, --curve=CURVENAME

Uses the curve named NAME. Default: NISTP192.

-l, --key-size=BITS

Sets the key size.
Default: depends on the key type

-M, --mechanism=MECH

Use nCore mechanism MECH.

-p, --plain-type=TYPE

Uses plaintext type TYPE (Bignum, Hash, or Bytes).
The mechanism and plaintext types must be compatible with the key type.


Set PairwiseCheck in key generation command.

-S, --key-type=TYPE

Select key type to use: RSA, DSA, KCDSA, ECDSA, ECDH, X25519, Ed25519, AES, DES3, HMAC


For RSA, use strong (ANSI X9.31) primes. For DSA, use the Strict flag.

Measurement options


Measure data throughput in (bytes/second).


Starts timing after an initial delay of SECONDS. Default: 1 No delay: 0


Measures and reports latences between submitting jobs and receiving replies.


Measures the operation throughput (default).

Behavior options


Displays public keys

-F, --no-failover

Doesn’t failover if the loaded key becomes unusable.


Selects the output format (text, json).

-G, --logging

Attempts audit logging. For this to succeed, all specified modules must report audit logging as active.

-j, --outstanding-jobs=COUNT

Sets the maximum number of outstanding jobs shared over all threads. Default: minimum hardserver recommended, but see also max-jobs-multiplier.

-L, --longjobs

Sets the LongJobs flag in crypto commands.


Applies a multiplier to the maximum outstanding jobs.
Default: 2, which in conjunction with the default for outstanding-jobs means a default of twice the hardserver’s recommended minimum queue across all threads.

-n, --jobs-count=COUNT

Sets the maximum number of jobs.
Default: infinite.

-t, --stop-after=LENGTH

Sets the maximum time to run, in seconds. Default: infinite.


Number of threads to use. Default: 4.

Module and cardset selection

-m, --module=MODULE

Specifies the number of the module to perform the tests on, it can repeated.
If you only have one module, <MODULE> is 1. If you do not specify a module number, the utility uses all modules by default.

Help options

-h, --help

Displays help for ncperftest.

-u, --usage

Displays a brief usage summary for ncperftest.

-V, --version

Displays the version number of the Security World Software that deploys ncperftest.