libsodium's roadmap is driven by its user community, and new ideas are always welcome.
New features will gladly be implemented if they are not redundant and solve common problems.

pre-1.0.0 roadmap

  • AEAD construction (ChaCha20-Poly1305)
  • API to set initial counter value in ChaCha20/Salsa20
  • Big-endian compatibility
  • BLAKE2
  • ChaCha20
  • Constant-time comparison
  • Cross-compilation support
  • Detached authentication for crypto_box() and crypto_secretbox()
  • Detached signatures
  • Deterministic key generation for crypto_box()
  • Deterministic key generation for crypto_sign()
  • Documentation
  • Ed25519 signatures
  • Emscripten support
  • FP rounding mode independent Poly1305 implementation
  • Faster portable Curve25519 implementation
  • Fix undefined behaviors for C99
  • Guarded memory
  • HMAC-SHA512, HMAC-SHA256
  • Hex codec
  • Hide specific implementations, expose wrappers
  • Higher-level API for crypto_box
  • Higher-level API for crypto_secretbox
  • Lift ZEROBYTES requirements
  • Make all constants accessible via public functions
  • MinGW port
  • Minimal build mode
  • NuGet packages
  • Password hashing
  • Pluggable random number generator
  • Portable memory locking
  • Position-independent code
  • Replace the build system with Autotools/Libtool
  • Runtime CPU features detection
  • Secure memory zeroing
  • Seed and public key extraction from an Ed25519 secret key
  • SipHash
  • Streaming support for hashing and authentication
  • Streaming support for one-time authentication
  • Support for arbitrary HMAC key lengths
  • Support for architectures requiring strict alignment
  • Visual Studio port
  • 100% code coverage, static and dynamic analysis
  • arc4random*() compatible API
  • Ed25519 to X25519 keys conversion
  • iOS/Android compatibility

1.0.x roadmap

  • Constant-time bin2hex() [DONE] and hex2bin() [DONE]
  • Constant-time base64 codecs [DONE]
  • Improve consistency and clarity of function prototypes
  • Improve the documentation
  • Consider getrandom(2) [DONE]
  • Consider Gitian
  • Complete the sodium-validation project
  • Optimized implementations for ARM w/NEON
  • AVX optimized Curve25119 [DONE]
  • Precomputed interface for crypto_box_easy() [DONE]
  • First-class support for JavaScript [DONE]
  • ChaCha20 and ChaCha20-Poly1305 with a 96-bit nonce and a 32-bit counter [DONE]
  • IETF-compatible ChaCha20-Poly1305 implementation [DONE]
  • SSE-optimized BLAKE2b implementation [DONE]
  • AES-GCM detached mode [DONE]
  • Use Montgomery reduction for GHASH
  • ChaCha20-Poly1305 detached mode [DONE]
  • Argon2i as crypto_pwhash [DONE]
  • Argon2id as crypto_pwhash [DONE]
  • Multithreaded crypto_pwhash [on hold]
  • Generic subkey derivation API [DONE]
  • Nonce misuse-resistant scheme
  • BLAKE2 AVX2 implementations [DONE]
  • Keyed (Hash-then-Encrypt) crypto_pwhash
  • Consider yescrypt
  • Consider BLAKE2X [on hold]
  • Argon2id [DONE]
  • Port libhydrogen's key exchange API
  • SSSE3 ChaCha20 implementation [DONE]
  • SSSE3 Salsa20 implementation [DONE]
  • SSSE3 Poly1305 implementation [DONE]
  • AVX2 Salsa20 implementation [DONE]
  • AVX2 ChaCha20 implementation [DONE]
  • AVX2 Poly1305 implementation
  • AVX512 implementations [done for Argon2, withhold for other operations due to throttling concerns]
  • Key generation API [DONE]
  • Nonce/subkey generation API
  • WebAssembly support [DONE]
  • Stream encryption using a CHAIN-like construction [DONE]
  • Security audit by a 3rd party [DONE]
  • Formally-verified implementations [on hold]
  • Padding API [DONE]
  • secretstream_inject() for nonce misuse-resistance [on hold]
  • Point addition, subtraction [DONE]
  • Point validation [DONE]
  • Hash-to-point (Elligator) [DONE]
  • SPAKE2+ [DONE]
  • Support server relief in the password hashing API
  • Ristretto [DONE]
  • Consider a streaming interface for crypto_shorthash_*()
  • AEGIS-256 [DONE]
  • AEGIS-128L [DONE]
  • AEGIS-based secretstream API
  • BLAKE3
  • HKDF/SHA-512 and HKDF/SHA-256 [DONE]
  • Standard hash-to-curve [DONE]
  • Consider signcryption
  • Consider Pufferfish
  • High-level AEAD and secretstream APIs
  • Consider ECVRF
  • Consider using TIMECOP

2.0.0 roadmap

  • Switch to a new API (libhydrogen/WASI-crypto)
  • Session support
  • PQC
Last modified 6mo ago
Copy link
pre-1.0.0 roadmap
1.0.x roadmap
2.0.0 roadmap