Boring crypto that simply works

introduction to Monocypher

Monocypher is a cryptographic library. It provides functions for authenticated encryption, hashing, password hashing and key derivation, key exchange, and public key signatures.

crypto_aead_lock() and crypto_aead_unlock() use the ChaCha20 cipher and the Poly1305 one-time authenticator. There is also an incremental interface to facilitate file encryption and encrypted streams.

ChaCha20 is a stream cipher based on a cryptographic hash function. It runs efficiently on a wide variety of hardware, and unlike AES naturally runs in constant time on all hardware.

Poly1305 is a one-time authenticator, derived from Carter & Wegman universal hashing. It is very fast and very simple.

crypto_blake2b() implements the BLAKE2b hash. BLAKE2b combines the security of SHA-3 and the speed of MD5. It is immune to length extension attacks and provides a keyed mode that makes it a safe, easy to use authenticator.

crypto_argon2() implements the Argon2 resource intensive hash algorithm, which can be used to hash passwords for storage and to derive keys from passwords. Argon2 won the password hashing competition in 2015. Unlike scrypt, the Argon2i variant is immune to timing attacks.

crypto_x25519() implements X25519, an elliptic curve Diffie Hellman key exchange algorithm based on Curve25519. X25519 derives a shared secret from two private/public key pairs. It is fast, simple, and relatively easy to implement securely.

For specialised protocols that require indistinguishability from random noise, crypto_elligator_rev() gives the option to disguise ephemeral (one-time use) X25519 public keys as random noise.

crypto_eddsa_sign() and crypto_eddsa_check() implement EdDSA, with Curve25519 and BLAKE2b. This is the same as the more famous Ed25519, with SHA-512 replaced by the faster BLAKE2b.

crypto_verify16(), crypto_verify32(), and crypto_verify64() compare buffers in constant time. They should be used to compare secrets to prevent timing attacks.

crypto_wipe() wipes a buffer. It is meant to erase secrets when they are no longer needed, to reduce the chances of leaks.

Optional code

If Monocypher was compiled and installed with the provided makefile, SHA-512 functions become available as well. See crypto_ed25519_sign(), and crypto_sha512().

crypto_aead_init_djb(), crypto_aead_init_ietf(), crypto_aead_init_x(), crypto_aead_lock(), crypto_aead_read(), crypto_aead_unlock(), crypto_aead_write(), crypto_argon2(), crypto_blake2b(), crypto_blake2b_final(), crypto_blake2b_init(), crypto_blake2b_keyed(), crypto_blake2b_keyed_init(), crypto_blake2b_update(), crypto_chacha20_djb(), crypto_chacha20_h(), crypto_chacha20_ietf(), crypto_chacha20_x(), crypto_eddsa_check(), crypto_eddsa_check_equation(), crypto_eddsa_key_pair(), crypto_eddsa_mul_add(), crypto_eddsa_reduce(), crypto_eddsa_scalarbase(), crypto_eddsa_sign(), crypto_eddsa_to_x25519(), crypto_eddsa_trim_scalar(), crypto_elligator_key_pair(), crypto_elligator_map(), crypto_elligator_rev(), crypto_poly1305(), crypto_poly1305_final(), crypto_poly1305_init(), crypto_poly1305_update(), crypto_verify16(), crypto_verify32(), crypto_verify64(), crypto_wipe(), crypto_x25519(), crypto_x25519_dirty_fast(), crypto_x25519_dirty_small(), crypto_x25519_inverse(), crypto_x25519_public_key(), crypto_x25519_to_eddsa()

Optional code

crypto_ed25519_check(), crypto_ed25519_key_pair(), crypto_ed25519_ph_check(), crypto_ed25519_ph_sign(), crypto_ed25519_sign(), crypto_sha512(), crypto_sha512_final(), crypto_sha512_hkdf(), crypto_sha512_hkdf_expand(), crypto_sha512_hmac(), crypto_sha512_hmac_final(), crypto_sha512_hmac_init(), crypto_sha512_hmac_update(), crypto_sha512_init(), crypto_sha512_update()

Monocypher does not perform any input validation. Any deviation from the specified input and output length ranges results in . Make sure your inputs are correct.

Using cryptography securely is difficult. Flaws that never manifest under normal use might be exploited by a clever adversary. Cryptographic libraries are easy to catastrophically misuse, and Monocypher is no exception.

Users should follow a formal introduction to cryptography. We currently recommend the Crypto 101 online course.

Use the facilities of your operating system. Avoid user space random number generators, whose misuse has led to countless vulnerabilities in the past. For instance, the random stream may be repeated if one is not careful with multi-threading, and forward secrecy is lost without proper key erasure.

Different system calls are available on different systems:

  • Recent versions of Linux (glibc >= 2.25, Linux >= 3.17), provide getrandom() in <sys/random.h>. Do not set any flag.
  • BSD, Darwin/macOS, illumos, and Solaris provide arc4random_buf() in <stdlib.h> or <bsd/stdlib.h>. This is easier to use than getrandom().
  • Windows provides BCryptGenRandom().

The /dev/urandom special file may be used on systems that do not provide an easy-to-use system call. Be careful though, being a file makes /dev/urandom hard to use correctly and securely. Reads may be interrupted, and more attacks are possible on a file than on a system call.

Monocypher runs in “constant time”. There is no flow from secrets to timings. No secret dependent indices, no secret dependent branches. Nevertheless, there are a couple important caveats.

Comparing secrets should be done with constant-time comparison functions, such as crypto_verify16(), crypto_verify32(), or crypto_verify64(). Do not use standard comparison functions. They tend to stop as soon as a difference is spotted. In many cases this enables attackers to recover the secrets and destroy all security.

The Poly1305 authenticator, X25519, and EdDSA use multiplication. Some older processors do not multiply in constant time. If the target platform is something other than Intel or AMD x86_64, double check how it handles multiplication. In particular, . Some VIA Nano x86 and x86_64 CPUs may lack constant-time multiplication as well.

Encryption does not hide the length of the input plaintext. Most compression algorithms work by using fewer bytes to encode previously seen data or common characters. If an attacker can add data to the input before it is compressed and encrypted, they can observe changes to the ciphertext length to recover secrets from the input. Researchers have demonstrated an attack on HTTPS to steal session cookies when compression is enabled, dubbed “CRIME”.

Long-term secrets cannot be expected to stay safe indefinitely. Users may reveal them by mistake, or the host computer might have a vulnerability and be compromised. To mitigate this problem, some protocols guarantee that past messages are not compromised even if the long-term keys are. This is done by generating temporary keys, then encrypting messages using them.

In general, secrets that went through a computer should not be compromised when this computer is stolen or infected at a later point.

A first layer of defence is to explicitly wipe secrets as soon as they are no longer used. Monocypher already wipes its own temporary buffers, and contexts are erased with the crypto_*_final() functions. The secret keys and messages however are the responsibility of the user. Use crypto_wipe() to erase them.

A second layer of defence is to ensure those secrets are not swapped to disk while they are used. There are several ways to do this. The most secure is to disable swapping entirely. Doing so is recommended on sensitive machines. Another way is to encrypt the swap partition (this is less safe). Finally, swap can be disabled locally – this is often the only way.

UNIX systems can disable swap for specific buffers with mlock() and disable swap for the whole process with mlockall(). Windows can disable swap for specific buffers with VirtualLock().

Core dumps cause similar problems. Disable them. Also beware of suspend to disk (deep sleep mode), which writes all RAM to disk regardless of swap policy, as well as virtual machine snapshots. Erasing secrets with crypto_wipe() is often the only way to mitigate these dangers.

Monocypher is a C library. C is notoriously unsafe. Using Monocypher incorrectly can trigger undefined behaviour. This can lead to data corruption, data theft, or even arbitrary code execution.

Consider binding to a safe language if possible.

February 20, 2022 Debian