Compatibility with Libsodium
With few exceptions, if Monocypher can do it, so can libsodium. The reverse however is not true: Monocypher generally provides "one true way" of doing things, while libsodium almost always has several.
The main low level primitives implemented in Monocypher are implemented in libsodium as well. This includes ChaCha20 (all 3 versions), Poly1305, BLAKE2b, Argon2i, and X25519.
crypto_lock()
can be replaced by libsodium’scrypto_aead_xchacha20poly1305_ietf_encrypt_detached()
.crypto_sign()
is not compatible with libsodium.crypto_ed25519_sign()
however, is. The reason for this difference is becausecrypto_sign()
reuses BLAKE2b instead of bringing in yet another hash (namely SHA-512).Monocypher’s Argon2i is compatible with libsodium’s crypto_pwhash(), provided you use the
crypto_pwhash_ALG_ARGON2I13
flag.Beware that Monocypher supports 1 and 2 passes for conformity reasons, while libsodium chooses to crash instead for safety reasons. (Note: use at least 3 passes, 1 and 2 passes aren't safe enough.)
Elligator implementations are not compatible. Monocypher’s
crypto_hidden_to_curve()
maps representatives to Montgomery curve points, while libsodium’scrypto_core_ed25519_from_uniform()
maps to Edwards points. Additionally, Monocypher does not project the point to the prime order subgroup (the low-order component is naturally ignored by most subsequent operations). Most importantly, Monocypher supports the reverse map, while libsodium does not.