libsodium's roadmap is driven by its user community and new ideas are always welcome.
New features will be gladly implemented provided that they are not redundant and solve common problems.
- AEAD construction (ChaCha20Poly1305)
- API to set initial counter value in ChaCha20/Salsa20
- Big-endian compatibility
- BLAKE2
- ChaCha20
- Constant-time comparison
- Cross-compilation support
- Detached authentication for
crypto_box()andcrypto_secretbox() - Detached signatures
- Deterministic key generation for
crypto_box() - Deterministic key generation for
crypto_sign() - Documentation
- Ed25519 signatures
- Emscripten support
- FP rounding mode independent poly1305 implementation
- Faster portable curve25519 implementation
- Fix undefined behaviors for C99
- Guarded memory
- HMAC-SHA512, HMAC-SHA256
- Hex codec
- Hide specific implementations, expose wrappers
- Higher-level API for crypto_box
- Higher-level API for crypto_secretbox
- Lift
ZEROBYTESrequirements - Make all constants accessible via public functions
- MingW port
- Minimal build mode
- NuGet packages
- Password hashing
- Pluggable random number generator
- Portable memory locking
- Position-independent code
- Replace the build system with autotools/libtool
- Runtime CPU features detection
- Secure memory zeroing
- Seed and public key extraction from an ed25519 secret key
- SipHash
- Streaming support for hashing and authentication
- Streaming support for one-time authentication
- Support for arbitrary HMAC key lengths
- Support for architectures requiring strict alignment
- Visual Studio port
- 100% code coverage, static and dynamic analysis
arc4random*()compatible API- Ed25519 to X25519 keys conversion
- iOS/Android compatibility
- Constant-time bin2hex() [DONE] and hex2bin() [DONE]
- Constant-time base64 codecs [DONE]
- Improve consistency and clarity of function prototypes
- Improve the documentation
- Consider
getrandom(2)[DONE] - Consider Gitian
- Complete the sodium-validation project
- Optimized implementations for ARM w/NEON
- AVX optimized Curve25119 [DONE]
- Precomputed interface for crypto_box_easy() [DONE]
- First-class support for Javascript [DONE]
- chacha20 and chacha20poly1305 with a 96 bit nonce and a 32 bit counter [DONE]
- IETF-compatible chacha20poly1305 implementation [DONE]
- SSE-optimized BLAKE2b implementation [DONE]
- AES-GCM [DONE]
- AES-GCM detached mode [DONE]
- Use Montgomery reduction for GHASH
- ChaCha20-Poly1305 detached mode [DONE]
- Argon2i as crypto_pwhash [DONE]
- Argon2id as crypto_pwhash [DONE]
- Multithreaded crypto_pwhash [on hold]
- Generic subkey derivation API [DONE]
- Nonce-misuse resistant scheme
- BLAKE2 AVX2 implementations [DONE]
- Keyed (hash-then-encrypt) crypto_pwhash
- Consider Yescrypt
- Consider BLAKE2X [on hold]
- Argon2id [DONE]
- Port libhydrogen's key exchange API
- SSSE3 ChaCha20 implementation [DONE]
- SSSE3 Salsa20 implementation [DONE]
- SSSE3 Poly1305 implementation [DONE]
- AVX2 Salsa20 implementation [DONE]
- AVX2 ChaCha20 implementation [DONE]
- AVX2 Poly1305 implementation
- AVX512 implementations [done for Argon2, withold for other operations due to throttling concerns]
- key generation API [DONE]
- Nonce/subkey generation API
- Webassembly support [DONE]
- Stream encryption using a CHAIN-like construction [DONE]
- Security audit by a 3rd party [DONE]
- Formally-verified implementations [on hold]
- Padding API [DONE]
secretstream_inject()for nonce misuse-resistance [on hold]- Point addition, subtraction [DONE]
- Point validation [DONE]
- Hash-to-point (Elligator) [DONE]
- SPAKE2+ [DONE]
- Support server relief in the password hashing API
- Ristretto [DONE]
- Consider a streaming interface for
crypto_shorthash_*() - AEGIS-256 [DONE]
- AEGIS-128L [DONE]
- AEGIS-based
secretstreamAPI - BLAKE3
- HKDF/SHA-512 and HKDF/SHA-256 [DONE]
- Standard hash-to-curve [DONE]
- Consider signcryption
- Consider Pufferfish
- High-level AEAD and
secretstreamAPIs - Consider ECVRF
- Consider using Timecop
- Switch to a new API (libhydrogen/WASI-crypto)
- Session support
- PQC