BSD-3-Clause licensed by Vincent Hanquez
Maintained by [email protected]
This version can be pinned in stack with: cryptonite-0.21@sha256:8b44aaa93abea3fe64fc00dc70fd9878df464c4c0a9073977181baef335c9541,13643



Cryptonite is a Haskell repository of cryptographic primitives. Each crypto algorithm has specificities that are hard to wrap in common APIs and types, so instead of trying to provide a common ground for algorithms, this package provides a non-consistent low-level API.

If you have no idea what you’re doing, please do not use this directly. Instead, rely on higher level protocols or implementations.

Documentation: cryptonite on hackage


Development versions are an incremental number prefixed by 0. There is no API stability between development versions.

Production versions : TBD

Coding Style

The coding style of this project mostly follows: haskell-style


cryptonite supports the following platforms:

  • Windows >= 8
  • OSX >= 10.8
  • Linux
  • BSDs

On the following architectures:

  • x86-64
  • i386

On the following haskell versions:

  • GHC 7.0.x
  • GHC 7.4.x
  • GHC 7.6.x
  • GHC 7.8.x
  • GHC 7.10.x

Further platforms and architectures probably work too, but since the maintainer(s) don’t have regular access to them, we can’t commit to further support.

Known Building Issues

On OSX <= 10.7, the system compiler doesn’t understand the ‘-maes’ option. Because .cabal files have no built-in autodetection feature, it is left to the user to disable AESNI. See the [Disabling AESNI] section.

Disabling AESNI

It may be useful to disable AESNI for building, testing or runtime purposes. This is achieved with the support_aesni flag.

As part of configure of cryptonite:

  cabal configure --flag='-support_aesni'

or as part of an installation:

  cabal install --constraint="cryptonite -support_aesni"

For help with cabal flags, see: stackoverflow : is there a way to define flags for cabal




  • Fixed hash truncation used in ECDSA signature & verification (Olivier Chéron)
  • Fix ECDH when scalar and coordinate bit sizes differ (Olivier Chéron)
  • Speed up ECDSA verification using Shamir’s trick (Olivier Chéron)
  • Fix rdrand on windows


  • Add tutorial (Yann Esposito)
  • Derive Show instance for better interaction with Show pretty printer (Eric Mertens)


  • Re-used standard rdrand instructions instead of bytedump of rdrand instruction
  • Improvement to F2m, including lots of tests (Andrew Lelechenko)
  • Add error check on salt length in bcrypt


  • Add Miyaguchi-Preneel construction (Kei Hibino)
  • Fix buffer length in scrypt (Luke Taylor)
  • build fixes for i686 and arm related to rdrand


  • Fix basepoint for Ed448

  • Enable 64-bit Curve25519 implementation


  • Fix serialization of DH and ECDH


  • Reduce size of SHA3 context instead of allocating all-size fit memory. Saves up to 72 bytes of memory per context for SHA3-512.
  • Add a Seed capability to the main DRG, to be able to debug/reproduce randomized programs where you would want to disable the randomness.
  • Add support for Cipher-based Message Authentication Code (CMAC) (Kei Hibino)
  • CHANGE Change the SharedKey for Crypto.PubKey.DH and Crypto.PubKey.ECC.DH from an Integer newtype to a ScrubbedBytes newtype. This prevents the mistake where the byte representation is generated without the right padding (when needed).
  • CHANGE Keep the field size in bits in the Params in Crypto.PubKey.DH, moving from 2 elements to 3 elements in the structure.
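
The padding mistake that the SharedKey change guards against, and the reason Params now carries the field size in bits, shown as an added example that is not cryptonite's code. The helper names (minimalBytes, paddedBytes, hex) and the 64-bit sample value are constructed for illustration, and only base is used.

```haskell
import Data.Bits (shiftR, (.&.))
import Data.Word (Word8)
import Numeric (showHex)

-- Big-endian bytes of a non-negative Integer with no leading zeros.
-- This is what a naive Integer-to-bytes conversion of a shared secret yields.
minimalBytes :: Integer -> [Word8]
minimalBytes 0 = [0]
minimalBytes n = reverse (go n)
  where
    go 0 = []
    go m = fromIntegral (m .&. 0xff) : go (m `shiftR` 8)

-- Big-endian bytes left-padded with zeros to the field size given in bits.
-- Returns Nothing for negative values or values that do not fit the field.
paddedBytes :: Int -> Integer -> Maybe [Word8]
paddedBytes bits n
  | n < 0 || length raw > len = Nothing
  | otherwise                 = Just (replicate (len - length raw) 0 ++ raw)
  where
    len = (bits + 7) `div` 8
    raw = if n == 0 then [] else minimalBytes n

-- Two lowercase hex digits per byte.
hex :: [Word8] -> String
hex = concatMap byte
  where
    byte b = let s = showHex b "" in if length s == 1 then '0' : s else s

main :: IO ()
main = do
  -- Constructed sample: a toy 64-bit field and a shared value whose most
  -- significant byte is zero (about 1 in 256 uniformly random values).
  let bits   = 64 :: Int
      shared = 0x00a1b2c3d4e5f607 :: Integer
  -- The naive encoding drops the leading zero byte, so a peer that feeds it
  -- into a KDF derives a different key than a peer that pads to field size.
  putStrLn ("minimal: " ++ hex (minimalBytes shared))
  putStrLn ("padded:  " ++ maybe "does not fit" hex (paddedBytes bits shared))
  -- A value wider than the field is rejected instead of being truncated.
  putStrLn ("too big: " ++ maybe "does not fit" hex (paddedBytes bits (2 ^ (64 :: Int))))
```

Because the mismatch only appears when the top byte happens to be zero, it tends to surface as an intermittent key-agreement failure rather than a consistent one.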


  • SECURITY Fix buffer overflow issue in SHA384, copying 16 extra bytes from the SHA512 context to the destination memory pointer leading to memory corruption, segfault. (Mikael Bung)


  • Fix compilation issue with Ed448 on 32-bit machines.


  • Truncate hashing correctly for DSA
  • Add support for HKDF (RFC 5869)
  • Add support for Ed448
  • Extend support for Blake2s to the 224-bit version.
  • Compilation workaround for old distribution (RHEL 4.1)
  • Compilation fix for AIX
  • Compilation fix with AESNI and ghci compiling C source in a weird order.
  • Fix example compilation, typo, and warning


  • Add reference implementation of blake2 for non-SSE2 platform
  • Add support_blake2_sse flag


  • Quiet down unused module imports
  • Move Curve25519 over to Crypto.Error instead of using Either String.
  • Add documentation for ChaChaPoly1305
  • Add missing documentation for various modules
  • Add a way to create Poly1305 Auth tag.
  • Added support for the BLAKE2 family of hash algorithms
  • Fix endianness of incrementNonce function for ChaChaPoly1305


  • Add support for ChaChaPoly1305 Nonce Increment (John Galt)
  • Move repository to the haskell-crypto organisation


  • Add PKCS5 / PKCS7 padding and unpadding methods
  • Fix ChaChaPoly1305 Decryption
  • Add support for BCrypt (Luke Taylor)


  • Add ChaChaPoly1305 AE cipher
  • Add instructions in README for building on old OSX
  • Fix blocking /dev/random (Andrey Sverdlichenko)


  • Fix all stray exports to all be under the cryptonite prefix.


  • Add a System DRG that represents a referentially transparent of evaluated bytes while using lazy evaluation for future entropy values.


  • Allow drgNew to run in any MonadRandom, providing cascading initialization
  • Remove Crypto.PubKey.HashDescr in favor of just having the algorithm specified in PKCS15 RSA function.
  • Fix documentation in cipher sub section (Luke Taylor)
  • Cleanup AES dead functions (Luke Taylor)
  • Fix Show instance of Digest to display without quotes similar to cryptohash
  • Use scrubbed bytes instead of bytes for P256 scalar


  • Fix P256 compilation and exactness, + add tests
  • Add a raw memory number serialization capability (i2osp, os2ip)
  • Improve tests for number serialization
  • Improve tests for ECC arithmetics
  • Add Ord instance for Digest (Nicolas Di Prima)
  • Fix entropy compilation on windows 64 bits.


  • Initial release