diff --git a/setup.py b/setup.py
index 2bc4518324..396edc43c2 100755
--- a/setup.py
+++ b/setup.py
@@ -117,7 +117,7 @@
     'iso8601>=0.1.12',
     'requests>=2.19.1',
     'six>=1.11.0',
-    'securesystemslib>=0.15.0'
+    'securesystemslib>=0.16.0'
   ],
   tests_require = [
     'mock; python_version < "3.3"'
diff --git a/tuf/client/updater.py b/tuf/client/updater.py
index 19d518e639..9565d2c015 100755
--- a/tuf/client/updater.py
+++ b/tuf/client/updater.py
@@ -952,7 +952,8 @@ def _import_delegations(self, parent_role):
         # We specify the keyid to ensure that it's the correct keyid
         # for the key.
         try:
-          key, _ = securesystemslib.keys.format_metadata_to_key(keyinfo, keyid)
+          key, _ = securesystemslib.keys.format_metadata_to_key(keyinfo, keyid,
+              keyid_hash_algorithms=keyinfo['keyid_hash_algorithms'])
 
           tuf.keydb.add_key(key, repository_name=self.repository_name)
 
diff --git a/tuf/keydb.py b/tuf/keydb.py
index 663d95597a..7f768274db 100755
--- a/tuf/keydb.py
+++ b/tuf/keydb.py
@@ -122,7 +122,8 @@ def create_keydb_from_root_metadata(root_metadata, repository_name='default'):
       # format_metadata_to_key() uses the provided keyid as the default keyid.
       # All other keyids returned are ignored.
 
-      key_dict, _ = securesystemslib.keys.format_metadata_to_key(key_metadata, keyid)
+      key_dict, _ = securesystemslib.keys.format_metadata_to_key(key_metadata,
+          keyid, keyid_hash_algorithms=key_metadata['keyid_hash_algorithms'])
 
       # Make sure to update key_dict['keyid'] to use one of the other valid
       # keyids, otherwise add_key() will have no reference to it.
diff --git a/tuf/repository_lib.py b/tuf/repository_lib.py
index 5a3a4959f6..765d6ac9a2 100644
--- a/tuf/repository_lib.py
+++ b/tuf/repository_lib.py
@@ -645,7 +645,8 @@ def _load_top_level_metadata(repository, top_level_filenames, repository_name):
     for keyid, key_metadata in six.iteritems(targets_metadata['delegations']['keys']):
 
       # Use the keyid found in the delegation
-      key_object, _ = securesystemslib.keys.format_metadata_to_key(key_metadata, keyid)
+      key_object, _ = securesystemslib.keys.format_metadata_to_key(key_metadata,
+          keyid, keyid_hash_algorithms=key_metadata['keyid_hash_algorithms'])
 
       # Add 'key_object' to the list of recognized keys.  Keys may be shared,
       # so do not raise an exception if 'key_object' has already been loaded.
diff --git a/tuf/repository_tool.py b/tuf/repository_tool.py
index 3a2f4dce28..80acad7096 100755
--- a/tuf/repository_tool.py
+++ b/tuf/repository_tool.py
@@ -3187,12 +3187,8 @@ def load_repository(repository_directory, repository_name='default',
       # The repo may have used hashing algorithms for the generated keyids
       # that doesn't match the client's set of hash algorithms.  Make sure
       # to only used the repo's selected hashing algorithms.
-      hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS
-      securesystemslib.settings.HASH_ALGORITHMS = \
-          key_metadata['keyid_hash_algorithms']
-      key_object, keyids = \
-          securesystemslib.keys.format_metadata_to_key(key_metadata)
-      securesystemslib.settings.HASH_ALGORITHMS = hash_algorithms
+      key_object, keyids = securesystemslib.keys.format_metadata_to_key(key_metadata,
+          keyid_hash_algorithms=key_metadata['keyid_hash_algorithms'])
       try:
         for keyid in keyids: # pragma: no branch
           key_object['keyid'] = keyid