Nil Foundation Cryptography Library (libcrypto3)

Modern cryptography backend built in C++. (,

Another one? Srsly? Why?

Yeah. There are few more or less complex and complete cryptography libraries for C (OpenSSL, libsoduim, libtomcrypt) or C++ (Botan, libcryptopp, libsoduim C++ bindings, OpenSSL C++ bindings) or any other languages (e.g. Bouncy Castle for Java and C#), but none of them contain modern cryptographic protocols such as threshold signature/encryption schemes, zero knowlege proof protocols, homomorphic signatures/encryption, incremental signatures/encryption/hashes, verifiable delay functions etc.

Moreover, some of this libraries are not designed to use all of the C++ advances (syntax and performance)(e.g. Botan is designed in a very pythonic way and uses heap extensively which is no good for the low-end systems usage. libcryptopp obviously has Windows-based roots which is no good for the architectural reasons).

And none of C++ cryptographic libraries are designed well enough to be included in standard libraries. This one targets Boost and formal proposal to STL (maybe later).

But why don't you just patch/fork existing libraries?

Just like that?, or

There are so many of these forks and patches which would never be reviewed, that means they would never be safe. Moreover most of these patches/forks are made for some particular purpose (in most cases it is SSL handling) and usually do not get mature and complex enough.

Why this library is not just another patch/fork?

For several reasons:

  • This library accumulates best known implementations of classic cryptography notions (listed below) and modern protocols (listed below), so it is designed to handle this stuff together in a convenient way.
  • This library architecture is redesigned from the scratch to keep the ABI clean out of backward compatibility.
  • This library contains some of the self-designed cryptographic protocols (e.g. ECDSA threshold signature scheme faster and lighter than the Genarro's most recent presented at CCS'18)(Paper coming soon, be patient).
  • This library is designed to be a suite for fast and efficient implementation of experimental cryptographic protocols. It contains literally every primitive required.
    - The ABI is designed in the same way as the STL algorithms do (an example and reference link are provided below).
  • Such an ABI design enables easier implementation of various language bindings. (e.g. Python bindings would never require class object bindings, just a function getting some byte blobs) This (and also byte blob internal structure conversions) makes a library not just a library, but a backend-library (For now in most cases OpenSSL gets used for this purpose. But OpenSSL was not designed for such a usage, 'cause it does not even contains byte blob type conversions, it uses raw data format which differs from platform to platform (sic!) ). Separate foreign functions interface library is responsible for bindings.
  • Coming to C++-specific features, this library ABI supports ranges (Yay!)(for now it is Boost.Range, but Eric Neibler's STL formal proposal library is coming) and adaptors (Yay once again!). This enables full-featured functional-style development.

Since this is a backend, what language bindings are available?

For now there are API available for Rust ( and Python (

Okay. What is inside?

Lots of stuff. But don't be too anticipated. Most of this stuff is still in development or refactoring.

Complete list is available at

Block Ciphers

  • Generic Rjindael cipher implementation. Contains AES-standardized modifications with timing-attack and cache-line leaking attack preventing mechanisms. Optimized for particular architecture used.
  • ARIA implementation. Timing and cache-line leak attacks prevention mechanisms are done.
  • Blowfish, Camellia, Cast128, Cast256, DES, TripleDES, DESX, GOST-28147, IDEA, Kasumi, MD4, MD5, Misty1, Noekeon, Seed, Serpent, Shacal, SM4, Threefish, Twofish, Xtea ciphers implementation.
  • Shacal2 implementation with various optimizations done.

Hash Functions & Checksums

Some of the hash functions are implemented with Merkle-Damgård construction. Some use Davis-Meyer compressor, others use their custom one.

  • Adler, CRC-family checksums
  • Blake2b, Comb4p, Cubehash, GOST-3411, Keccak, Shake, Skein-512, SM3, Streebog, Tiger, Whirlpool
  • MD4, MD5, Ripemd-family, SHA-family hashes (except SHA-3 aka Keccak) are implemented via Merkle-Damgård construction. Ripemd-family hashes use its own compressor, others use Davis-Meyer's one.

Stream Ciphers

  • ChaCha20, Salsa20/XSalsa20, SHAKE-128, and RC4

Message Authentication Codes

  • HMAC, CMAC, Poly1305, SipHash, GMAC, CBC-MAC, X9.19 DES-MAC

Public Key Cryptography

  • RSA signatures and encryption
  • DH and ECDH key agreement
  • Signature schemes: ECDSA, DSA, Ed25519, ECGDSA, ECKCDSA, SM2, and GOST 34.10-2001
  • Threshold signature schemes: ECDSA (constructed by the library author), ECDH (constructed by the library author)
  • Variable-Weight (VW) threshold signature scheme
  • Boneh-Lynn threshold signature scheme
  • Post-quantum signature scheme XMSS
  • Post-quantum key agreement schemes McEliece and NewHope
  • ElGamal encryption
  • Padding schemes OAEP, PSS, PKCS #1 v1.5, X9.31

Public Key Infrastructure

  • X.509v3 certificates and CRL creation and handling
  • PKIX certificate path validation, including name constraints.
  • OCSP request creation and response handling
  • PKCS #10 certificate request generation and processing

Zero-Knowledge Proof Protocols

Ciphers, Hashes, MACs, and Checksums

  • Authenticated cipher modes EAX, OCB, GCM, SIV, CCM, and ChaCha20Poly1305
  • Cipher modes CTR, CBC, XTS, CFB, and OFB
  • Hash function combiners Parallel and Comb4P

Transport Layer Security (TLS) Protocol

  • TLS v1.0, v1.1, and v1.2. The broken SSLv3 protocol is no longer supported.
  • DTLS v1.0 and v1.2 are adaptations of TLS to datagram operation.
  • extensions include session tickets, SNI, ALPN, ocsp staple requests (client side only right now), encipher-then-mac CBC, and extended master secret.
  • Supports authentication using preshared keys (PSK) or passwords (SRP)
  • Supports record encryption with ChaCha20Poly1305, AES/OCB, AES/GCM, AES/CCM, Camellia/GCM, and legacy CBC ciphersuites with AES, Camellia, SEED, or 3DES.
  • Key exchange using Diffie-Hellman, ECDH, RSA, or CECPQ1

Other Useful Things

  • Full C++ PKCS #11 API wrapper
  • Interfaces for TPM v1.2 device access
  • Simple compression API wrapping zlib, bzip2, and lzma libraries
  • RNG wrappers for system RNG and hardware RNGs
  • hmac_drbg and entropy collection system for userspace RNGs
  • PBKDF2 password based key derivation
  • Password hashing function bcrypt and passhash9 (custom PBKDF scheme)
  • SRP-6a password authenticated key exchange
  • Key derivation functions including HKDF, KDF2, SP 800-108, SP 800-56A, SP 800-56C
  • HOTP and TOTP algorithms
  • Format preserving encryption scheme FE1
  • Threshold secret sharing
  • NIST key wrapping
  • Base64, Base32, Hex, Logic encoding