Compatibility with Libsodium

With few exceptions, if Monocypher can do it, so can libsodium. The reverse however is not true: Monocypher generally provides "one true way" of doing things, while libsodium almost always has several.

• The main low level primitives implemented in Monocypher are implemented in libsodium as well. This includes ChaCha20 (all 3 versions), Poly1305, BLAKE2b, Argon2i, and X25519.

• crypto_lock() can be replaced by libsodium’s crypto_aead_xchacha20poly1305_ietf_encrypt_detached().

• crypto_sign() is not compatible with libsodium. crypto_ed25519_sign() however, is. The reason for this difference is because crypto_sign() reuses BLAKE2b instead of bringing in yet another hash (namely SHA-512).

• Monocypher’s Argon2i is compatible with libsodium’s crypto_pwhash(), provided you use the crypto_pwhash_ALG_ARGON2I13 flag.

  Beware that Monocypher supports 1 and 2 passes for conformity reasons, while libsodium chooses to crash instead for safety reasons. (Note: use at least 3 passes, 1 and 2 passes aren't safe enough.)

• Elligator implementations are not compatible. Monocypher’s crypto_hidden_to_curve() maps representatives to Montgomery curve points, while libsodium’s crypto_core_ed25519_from_uniform() maps to Edwards points. Additionally, Monocypher does not project the point to the prime order subgroup (the low-order component is naturally ignored by most subsequent operations). Most importantly, Monocypher supports the reverse map, while libsodium does not.