Compatibility with Libsodium

With few exceptions, if Monocypher can do it, so can libsodium. The reverse however is not true: Monocypher generally provides “one true way” of doing things, while libsodium almost always has several.

• The main low level primitives implemented in Monocypher are implemented in libsodium as well. This includes ChaCha20 (all 3 versions), Poly1305, BLAKE2b, Argon2i, and X25519.

• crypto_aead_lock() can be replaced by libsodium’s crypto_aead_xchacha20poly1305_ietf_encrypt_detached(). The streaming interface however has a different design, and will have to be re-implemented from libsodium’s low-level primitives.

• crypto_eddsa_sign() is not compatible with libsodium. crypto_ed25519_sign() however, is. The reason for this difference is because crypto_sign() reuses BLAKE2b instead of bringing in yet another hash (namely SHA-512).

• Monocypher’s Argon2 is compatible with libsodium’s crypto_pwhash(), provided you use the right flag (or use libsodium’s default, Argon2id).

  Beware that Monocypher’s Argon2i supports 1 and 2 passes for conformity reasons, while libsodium chooses to crash instead for safety reasons. Likewise, Monocypher supports multiple lanes (for compatibility only), while libsodium does not.

• Elligator implementations are not compatible. Monocypher’s crypto_elligator_map() maps representatives to Montgomery curve points, while libsodium’s crypto_core_ed25519_from_uniform() maps to Edwards points. Additionally, Monocypher does not project the point to the prime order subgroup (the low-order component is naturally ignored by most subsequent operations). Most importantly, Monocypher supports the reverse map, while libsodium does not.