Roadmap
libsodium's roadmap is driven by its user community, and new ideas are always welcome.
New features will gladly be implemented if they are not redundant and solve common problems.
pre-1.0.0 roadmap
- AEAD construction (ChaCha20-Poly1305)
- API to set initial counter value in ChaCha20/Salsa20
- Big-endian compatibility
- BLAKE2
- ChaCha20
- Constant-time comparison
- Cross-compilation support
- Detached authentication for
crypto_box()andcrypto_secretbox() - Detached signatures
- Deterministic key generation for
crypto_box() - Deterministic key generation for
crypto_sign() - Documentation
- Ed25519 signatures
- Emscripten support
- FP rounding mode independent Poly1305 implementation
- Faster portable Curve25519 implementation
- Fix undefined behaviors for C99
- Guarded memory
- HMAC-SHA512, HMAC-SHA256
- Hex codec
- Hide specific implementations, expose wrappers
- Higher-level API for crypto_box
- Higher-level API for crypto_secretbox
- Lift
ZEROBYTESrequirements - Make all constants accessible via public functions
- MinGW port
- Minimal build mode
- NuGet packages
- Password hashing
- Pluggable random number generator
- Portable memory locking
- Position-independent code
- Replace the build system with Autotools/Libtool
- Runtime CPU features detection
- Secure memory zeroing
- Seed and public key extraction from an Ed25519 secret key
- SipHash
- Streaming support for hashing and authentication
- Streaming support for one-time authentication
- Support for arbitrary HMAC key lengths
- Support for architectures requiring strict alignment
- Visual Studio port
- 100% code coverage, static and dynamic analysis
arc4random*()compatible API- Ed25519 to X25519 keys conversion
- iOS/Android compatibility
1.0.x roadmap
- Constant-time bin2hex() [DONE] and hex2bin() [DONE]
- Constant-time base64 codecs [DONE]
- Improve consistency and clarity of function prototypes
- Improve the documentation
- Consider
getrandom(2)[DONE] - Complete the sodium-validation project
- Optimized implementations for ARM w/NEON
- AVX optimized Curve25119 [DONE]
- Precomputed interface for crypto_box_easy() [DONE]
- First-class support for JavaScript [DONE]
- ChaCha20 and ChaCha20-Poly1305 with a 96-bit nonce and a 32-bit counter [DONE]
- IETF-compatible ChaCha20-Poly1305 implementation [DONE]
- SSE-optimized BLAKE2b implementation [DONE]
- AES-GCM [DONE]
- AES-GCM detached mode [DONE]
- Use Montgomery reduction for GHASH
- ChaCha20-Poly1305 detached mode [DONE]
- Argon2i as crypto_pwhash [DONE]
- Argon2id as crypto_pwhash [DONE]
- Multithreaded crypto_pwhash [on hold]
- Generic subkey derivation API [DONE]
- Nonce misuse-resistant scheme
- BLAKE2 AVX2 implementations [DONE]
- Keyed (Hash-then-Encrypt) crypto_pwhash
- Consider yescrypt
- Consider BLAKE2X [on hold]
- Argon2id [DONE]
- Port libhydrogen's key exchange API
- SSSE3 ChaCha20 implementation [DONE]
- SSSE3 Salsa20 implementation [DONE]
- SSSE3 Poly1305 implementation [DONE]
- AVX2 Salsa20 implementation [DONE]
- AVX2 ChaCha20 implementation [DONE]
- AVX2 Poly1305 implementation
- AVX512 implementations [done for Argon2, withhold for other operations due to throttling concerns]
- Key generation API [DONE]
- Nonce/subkey generation API
- WebAssembly support [DONE]
- Stream encryption using a CHAIN-like construction [DONE]
- Security audit by a 3rd party [DONE]
- Formally-verified implementations [on hold]
- Padding API [DONE]
secretstream_inject()for nonce misuse-resistance [on hold]- Point addition, subtraction [DONE]
- Point validation [DONE]
- Hash-to-point (Elligator) [DONE]
- SPAKE2+ [DONE]
- Support server relief in the password hashing API
- Ristretto [DONE]
- Consider a streaming interface for
crypto_shorthash_*() - AEGIS-256 [DONE]
- AEGIS-128L [DONE]
- AEGIS-based
secretstreamAPI - BLAKE3
- HKDF/SHA-512 and HKDF/SHA-256 [DONE]
- Standard hash-to-curve [DONE]
- Consider Pufferfish
- High-level AEAD and
secretstreamAPIs - Consider ECVRF
2.0.0 roadmap
- Switch to a new API (libhydrogen/WASI-crypto)
- Session support
- PQC
Last modified 2mo ago
Copy link