Monocypher is an easy to use crypto library inspired by libsodium and TweetNaCl. It is:


The Fine Manual.

Source code

In the download section.

Test suite

The test suite includes official test vectors for Chacha20, Poly1305, and X25519, random test vectors generated with libsodium, and property-based tests.

$ tar -xzf monocypher-2.0.0.tar.gz
$ cd monocypher
$ make test

There are options to run those tests under LLVM sanitisers (ASan, MSan, UBSan, and code coverage). More thorough analysis is also possible with Frama-C and the TIS interpreter. See for more details.


By default, Monocypher signatures use EdDSA with Curve25519 and Blake2b. This is in contrast to the more widespread Ed25519, which uses Curve25519 and SHA-512.

Blake2b is faster, more flexible, and harder to misuse than SHA-512. Argon2i already uses Blake2b. Using SHA-512 for EdDSA would be inelegant, so it is only provided as an option.

This divergence doesn't prevent future upgrades, nor rigorous testing: Floodyberry's very fast Donna implementation works with a custom hash, and this is used to test Monocypher.


I benchmarked Monocypher on my laptop (Intel i5 Skylake) with GCC, using -O3 -march=native optimisation options.

Chacha20         :   379 megabytes  per second
Poly1305         :  1173 megabytes  per second
Auth'd encryption:   287 megabytes  per second
Blake2b          :   658 megabytes  per second
Sha512           :   283 megabytes  per second
Argon2i, 3 passes:   387 megabytes  per second
x25519           :  7776 exchanges  per second
EdDSA(sign)      :  6872 signatures per second
EdDSA(check)     :  3577 checks     per second

This should be fast enough for most applications. Here are libsodium's results for comparison. Note that libsodium uses optimised assembly for many of its primitives.

Chacha20         :  1965 megabytes  per second
Poly1305         :  2304 megabytes  per second
Auth'd encryption:  1034 megabytes  per second
Blake2b          :   754 megabytes  per second
Sha512           :   338 megabytes  per second
Argon2i, 3 passes:   608 megabytes  per second
x25519           : 19656 exchanges  per second
EdDSA(sign)      : 18284 signatures per second
EdDSA(check)     :  6685 checks     per second

Future work