libsodium's roadmap is driven by its user community and new ideas are always welcome.
New features will be gladly implemented provided that they are not redundant and solve common problems.

pre-1.0.0 roadmap

    AEAD construction (ChaCha20Poly1305)
    API to set initial counter value in ChaCha20/Salsa20
    Big-endian compatibility
    Constant-time comparison
    Cross-compilation support
    Detached authentication for crypto_box() and crypto_secretbox()
    Detached signatures
    Deterministic key generation for crypto_box()
    Deterministic key generation for crypto_sign()
    Ed25519 signatures
    Emscripten support
    FP rounding mode independent poly1305 implementation
    Faster portable curve25519 implementation
    Fix undefined behaviors for C99
    Guarded memory
    HMAC-SHA512, HMAC-SHA256
    Hex codec
    Hide specific implementations, expose wrappers
    Higher-level API for crypto_box
    Higher-level API for crypto_secretbox
    Lift ZEROBYTES requirements
    Make all constants accessible via public functions
    MingW port
    Minimal build mode
    NuGet packages
    Password hashing
    Pluggable random number generator
    Portable memory locking
    Position-independent code
    Replace the build system with autotools/libtool
    Runtime CPU features detection
    Secure memory zeroing
    Seed and public key extraction from an ed25519 secret key
    Streaming support for hashing and authentication
    Streaming support for one-time authentication
    Support for arbitrary HMAC key lengths
    Support for architectures requiring strict alignment
    Visual Studio port
    100% code coverage, static and dynamic analysis
    arc4random*() compatible API
    Ed25519 to X25519 keys conversion
    iOS/Android compatibility

1.0.x roadmap

    Constant-time bin2hex() [DONE] and hex2bin() [DONE]
    Constant-time base64 codecs [DONE]
    Improve consistency and clarity of function prototypes
    Improve the documentation
    Consider getrandom(2) [DONE]
    Consider Gitian
    Complete the sodium-validation project
    Optimized implementations for ARM w/NEON
    AVX optimized Curve25119 [DONE]
    Precomputed interface for crypto_box_easy() [DONE]
    First-class support for Javascript [DONE]
    chacha20 and chacha20poly1305 with a 96 bit nonce and a 32 bit counter [DONE]
    IETF-compatible chacha20poly1305 implementation [DONE]
    SSE-optimized BLAKE2b implementation [DONE]
    AES-GCM detached mode [DONE]
    Use Montgomery reduction for GHASH
    ChaCha20-Poly1305 detached mode [DONE]
    Argon2i as crypto_pwhash [DONE]
    Argon2id as crypto_pwhash [DONE]
    Multithreaded crypto_pwhash [on hold]
    Generic subkey derivation API [DONE]
    Nonce-misuse resistant scheme
    BLAKE2 AVX2 implementations [DONE]
    Keyed (hash-then-encrypt) crypto_pwhash
    Consider Yescrypt
    Consider BLAKE2X [on hold]
    Argon2id [DONE]
    Port libhydrogen's key exchange API
    SSSE3 ChaCha20 implementation [DONE]
    SSSE3 Salsa20 implementation [DONE]
    SSSE3 Poly1305 implementation [DONE]
    AVX2 Salsa20 implementation [DONE]
    AVX2 ChaCha20 implementation [DONE]
    AVX2 Poly1305 implementation
    AVX512 implementations [done for Argon2, withold for other operations due to throttling concerns]
    key generation API [DONE]
    Nonce/subkey generation API
    Webassembly support [DONE]
    Stream encryption using a CHAIN-like construction [DONE]
    Security audit by a 3rd party [DONE]
    Formally-verified implementations [on hold]
    Padding API [DONE]
    secretstream_inject() for nonce misuse-resistance [on hold]
    Point addition, subtraction [DONE]
    Point validation [DONE]
    Hash-to-point (Elligator) [DONE]
    SPAKE2+ [DONE]
    Support server relief in the password hashing API
    Ristretto [DONE]
    Consider a streaming interface for crypto_shorthash_*()
    AEGIS-256 [DONE]
    AEGIS-128L [DONE]
    AEGIS-based secretstream API
    HKDF/SHA-512 and HKDF/SHA-256 [DONE]
    Standard hash-to-curve [DONE]
    Consider signcryption
    Consider Pufferfish
    High-level AEAD and secretstream APIs
    Consider using Timecop

2.0.0 roadmap

    Switch to a new API (libhydrogen/WASI-crypto)
    Session support
Last modified 6d ago