@ Loup's

Impossible? Like that would stop me.


Monocypher is an easy to use crypto library inspired by libsodium and TweetNaCl. Here are its main selling points:


The Mighty Manual.

Source code

Here, shipped with a comprehensive test suite. Alternatively, you can fetch it from github.

Test suite

the test suite. Run thus:

$ tar -xzf monocypher-1.0.1.tar.gz
$ cd monocypher
$ make
$ ./test.sh

You can modify the makefile to run those tests under LLVM sanitisers (ASan, MSan, and UBSan). You can also check code coverage (which is near-perfect).

More thorough analysis is also possible with Frama-C and the TIS interpreter. See README.md for more details.


By default, Monocypher signatures use EdDSA with curve25519 and Blake2b. This is in contrast to the more widespread Ed25519, which uses curve25519 and SHA-512.

Blake2b is faster, more flexible, and harder to misuse than SHA-512. Argon2i already uses Blake2b. Adding SHA-512 just for EdDSA would be inelegant, so I didn't —not by default anyway.

This divergence doesn't prevent future upgrades, nor rigorous testing: Floodyberry's very fast Donna implementation works with a custom hash, and this is used to test Monocypher.

If you want to stick to the official Ed25519 anyway, you can. You need to compile monocypher.c with the preprocessor option -DED25519_SHA512. You must then provide a SHA-512 implementation at link time. You can use Monocypher's own sha512.h and sha512.c.

Current state

Version 1.0.1 Ready for production.

The test suite is comprehensive. Code coverage has been checked with LLVM's code coverage tool, and is is near perfect. The tests have been run under Valgrind, ASan, MSan, and UBSan (all clean). The most important tests have been run under the TIS interpreter (all clean).

I think we have a crypto library.


I benchmarked Monocypher on my laptop (Intel i5 Skylake) with GCC, using -O3 -march=native optimisation options. Symmetric crypto uses big messages (1Mb). Smaller messages (down to 1kb) have a slightly lower throughput.

Chacha20         :  357 Mb/s
Poly1305         : 1219 Mb/s
Auth'd encryption:  277 Mb/s
Blake2b          :  522 Mb/s
Argon2i          :  514 Mb/s (3 passes)
x25519           : 7785 exchanges  per second
EdDSA(sign)      : 6907 signatures per second
EdDSA(check)     : 3569 checks     per second

While you should test the speed on your target platform, I believe Monocypher will be fast enough for all but the most demanding applications (like, Google scale).

changes since 1.0

changes since 0.8

changes since 0.7

changes since 0.6

changes since 0.5

changes since 0.4

Fun fact: TweetNaCl and ref10 have the same bug. Libsodium have corrected the issue, though.

For those who don't comprehend the magnitude of this madness (I didn't until 2 hours ago), yes, the expression -1 << 3 is undefined in C. This is explained in section 6.5.7(§4) of the C11 standard.

changes since 0.3

changes since 0.2

No incompatible change.

changes since 0.1

Future work

I think I'm pretty much done.

The next thing to do, I believe, are bindings to other languages. Except maybe for Rust: a complete rewrite in Rust would leverage its security guarantees.