Crypto++® Library 8.9
Crypto++ Library is a free C++ class library of cryptographic schemes. The library contains the following algorithms:
| Category | Algorithms |
|---|---|
| authenticated encryption schemes | GCM, CCM, EAX, ChaCha20Poly1305, XChaCha20Poly1305 |
| high speed stream ciphers | ChaCha (8/12/20), ChaCha (IETF), HC (128/256), Panama, Rabbit (128/256), Sosemanuk, Salsa20 (8/12/20), XChaCha (8/12/20), XSalsa20 |
| AES and AES candidates | AES (Rijndael), RC6, MARS, Twofish, Serpent, CAST-256 |
| other block ciphers | ARIA, Blowfish, Camellia, CHAM, HIGHT, IDEA, Kalyna (128/256/512), LEA, SEED, RC5, SHACAL-2, SIMECK, SIMON (64/128), Skipjack, SPECK (64/128), SM4, Threefish (256/512/1024), Triple-DES (DES-EDE2 and DES-EDE3), TEA, XTEA |
| block cipher modes of operation | ECB, CBC, CBC ciphertext stealing (CTS), CFB, OFB, counter mode (CTR), XTS |
| message authentication codes | BLAKE2b, BLAKE2s, CMAC, CBC-MAC, DMAC, GMAC (GCM), HMAC, Poly1305, SipHash, Two-Track-MAC, VMAC |
| hash functions | BLAKE2b, BLAKE2s, Keccak (F1600), SHA-1, SHA-2, SHA-3, SHAKE (128/256), SipHash, LSH (128/256), Tiger, RIPEMD (128/160/256/320), SM3, WHIRLPOOL |
| public-key cryptography | RSA, DSA, Deterministic DSA (RFC 6979), ElGamal, Nyberg-Rueppel (NR), Rabin-Williams (RW), EC-based German Digital Signature (ECGDSA), LUC, LUCELG, DLIES (variants of DHAES), ESIGN |
| padding schemes for public-key systems | PKCS#1 v2.0, OAEP, PSS, PSSR, IEEE P1363 EMSA2 and EMSA5 |
| key agreement schemes | Diffie-Hellman (DH), Unified Diffie-Hellman (DH2), Menezes-Qu-Vanstone (MQV), Hashed MQV (HMQV), Fully Hashed MQV (FHMQV), LUCDIF, XTR-DH |
| elliptic curve cryptography | ECDSA, Deterministic ECDSA (RFC 6979), ed25519, ECGDSA, ECNR, ECIES, x25519, ECDH, ECMQV |
| insecure or obsolescent algorithms retained for backwards compatibility and historical value | MD2, MD4, MD5, Panama Hash, DES, ARC4, SEAL 3.0, WAKE-OFB, DESX (DES-XEX3), RC2, SAFER, 3-WAY, GOST, SHARK, CAST-128, Square |
Other features include:
- pseudo random number generators (PRNG): ANSI X9.17 appendix C, RandomPool, VIA Padlock, DARN, RDRAND, RDSEED, NIST Hash and HMAC DRBGs
- password based key derivation functions: PBKDF1 and PBKDF2 from PKCS #5, PBKDF from PKCS #12 appendix B, HKDF from RFC 5869, Scrypt from RFC 7914
- Shamir's secret sharing scheme and Rabin's information dispersal algorithm (IDA)
- fast multi-precision integer (bignum) and polynomial operations
- finite field arithmetic, including GF(p) and GF(2^n)
- prime number generation and verification
- useful non-cryptographic algorithms
  - DEFLATE (RFC 1951) compression/decompression with gzip (RFC 1952) and zlib (RFC 1950) format support
  - Hex, base-32, base-64, URL safe base-64 encoding and decoding
  - 32-bit CRC, CRC-C and Adler32 checksum
  - class wrappers for these operating system features (optional):
    - high resolution timers on Windows, Unix, and Mac OS
    - /dev/random, /dev/urandom, /dev/srandom
    - Microsoft's CryptGenRandom and BCryptGenRandom on Windows
- x86, x64 (x86-64), x32 (ILP32), ARM A-32, Aarch32, Aarch64, Altivec and POWER8 code for the commonly used algorithms
  - run-time CPU feature detection and code selection
  - supports GCC-style and MSVC-style inline assembly, and MASM for x64
  - x86, x64 (x86-64) and x32 provide SSE2, SSE4 and AVX implementations
  - ARM A-32, Aarch32 and Aarch64 provide ARMv7, NEON, ASIMD and ARMv8 implementations
  - PowerPC provides Altivec, POWER7, POWER8 and POWER9 implementations
  - AES, CRC, GCM and SHA use ARM, Intel and PowerPC hardware acceleration when available
- a high level interface for most of the above, using a filter/pipeline metaphor
- benchmarks and validation testing
Crypto++ Library is copyrighted as a compilation and (as of version 5.6.2) licensed under the Boost Software License 1.0, while the individual files in the compilation are all public domain.
The current version of Crypto++ supports the following compilers:
- Visual Studio 2003 - 2022
- GCC 3.3 - 13.1
- Apple Clang 4.3 - 12.0
- LLVM Clang 2.9 - 14.0
- C++ Builder 2015
- Intel C++ Compiler 9 - 16.0
- Sun Studio 12u1 - 12.7
- IBM XL C/C++ 10.0 - 14.0
For detailed build status and notes on various compiler/OS/CPU combinations as well as information about compiling earlier versions of Crypto++, please see this wiki entry.
The following is a short list of recent releases and other news. For the complete list please see History.txt.
- 10/01/2023 - Version 8.9.0 released
  - minor release, recompile of programs required
  - expanded community input and support
    - 88 unique contributors as of this release
  - fix SIMON128 Asan finding on POWER8
  - fix AES/CFB and AES/CTR modes self test failures when using Cryptogams AES on ARMv7
  - fix ARIA/CTR mode self test failures when inString==outString
  - fix HIGHT/CTR mode self test failures when inString==outString
  - fix Rabbit/CTR mode self test failures when inString==outString
  - fix Prime Table and dangling reference to a temporary
  - fix Singleton::Ref when using C++11 memory fences
  - remove unneeded call to Crop() in Randomize()
- 06/25/2023 - Version 8.8.0 released
  - minor release, recompile of programs required
  - expanded community input and support
    - 88 unique contributors as of this release
  - fix crash in cryptest.exe when invoked with no options
  - fix crash in library due to GCC removing live code
  - fix RSA with key size 16 may provide an invalid key
  - fix failure to build on 32-bit x86
  - fix failure to build on iPhone Simulator for arm64
  - fix failure to build on Windows arm64
  - test for SSSE3 before using the ISA
  - fix include of <x86intrin.h> when using MSVC
  - improve performance of CRC32C_Update_SSE42 for x86-64
  - update documentation
- 08/07/2022 - Version 8.7.0 released
  - minor release, recompile of programs required
  - expanded community input and support
    - 81 unique contributors as of this release
  - fix RSA key generation for small moduli
  - fix AES-GCM with AESNI but without CLMUL
  - fix Clang warning with C++17
  - fix MinGW builds due to use of O_NOFOLLOW
  - rework CFB_CipherTemplate::ProcessData and AdditiveCipherTemplate::ProcessData
    - restored performance and avoided penalty of a temp buffer
  - fix undersized SecBlock buffer in Integer bit operations
  - work around several GCC 11 & 12 problems
- 09/24/2021 - Version 8.6.0 released
  - minor release, recompile of programs required
  - expanded community input and support
    - 74 unique contributors as of this release
  - fix ElGamal encryption
  - fix ChaCha20 AVX2 implementation
  - add octal and decimal literal prefix parsing to Integer
  - add missing overload in ed25519Signer and ed25519Verifier
  - make SHA-NI independent of AVX and AVX2
  - fix OldRandomPool GenerateWord32
  - use CPPFLAGS during feature testing
  - fix compile on CentOS 5
  - fix compile on FreeBSD
  - fix feature testing on ARM A-32 and Aarch64
  - enable inline ASM for CRC and PMULL on Apple M1
  - fix Intel oneAPI compile
  - rename test files with *.cpp extension
  - fix GCC compile error due to missing _mm256_set_m128i
  - add LSH-256 and LSH-512 hash functions
  - add ECIES_P1363 for backwards compatibility
  - fix AdditiveCipherTemplate<T> ProcessData
  - remove CRYPTOPP_NO_CXX11 define
  - add -fno-common for Darwin builds
  - update documentation
- 03/07/2021 - Version 8.5.0 released
  - minor release, no recompile of programs required
  - expanded community input and support
    - 70 unique contributors as of this release
  - port to Apple M1 hardware
- 01/02/2021 - Version 8.4.0 released
  - minor release, recompile of programs required
    - an accidental ABI break in Crypto++ 8.3 may surface under Crypto++ 8.4
  - expanded community input and support
    - 67 unique contributors as of this release
  - fix SIGILL on POWER8 when compiling with GCC 10
  - fix potential out-of-bounds write in FixedSizeAllocatorWithCleanup
  - fix compile on AIX POWER7 with IBM XLC 12.01
  - fix compile on Solaris with SunCC 12.6
  - revert changes for constant-time elliptic curve algorithms
  - fix makefile clean and distclean recipes
- 12/20/2020 - Version 8.3.0 released
  - minor release, no recompile of programs required
  - expanded community input and support
    - 66 unique contributors as of this release
  - fix use of macro CRYPTOPP_ALIGN_DATA
  - fix potential out-of-bounds read in ECDSA
  - fix std::bad_alloc when using ByteQueue in pipeline
  - fix missing CRYPTOPP_CXX17_EXCEPTIONS with Clang
  - fix potential out-of-bounds read in GCM mode
  - add configure.sh when preprocessor macros fail
  - fix potential out-of-bounds read in SipHash
  - fix compile error on POWER9 due to vec_xl_be
  - fix K233 curve on POWER8
  - add Cirrus CI testing
  - fix broken encryption for some 64-bit ciphers
  - fix Android cpu-features.c using C++ compiler
  - disable RDRAND and RDSEED for some AMD processors
  - fix BLAKE2 hash calculation using Salt and Personalization
  - refresh Android and iOS build scripts
  - add XTS mode
  - fix circular dependency between misc.h and secblock.h
  - add Certificate interface
  - fix recursion in AES::Encryption without AESNI
  - add missing OID for ElGamal encryption
  - fix missing override in KeyDerivationFunction-derived classes
  - fix RDSEED assemble under MSVC
  - fix elliptic curve timing leaks (CVE-2019-14318)
  - add link-library variable to Makefiles
  - fix SIZE_MAX definition in misc.h
  - add GetWord64 and PutWord64 to BufferedTransformation
  - use HKDF in AutoSeededX917RNG::Reseed
  - fix Asan finding in VMAC on i686 in inline asm
  - fix undeclared identifier _mm_roti_epi64 on Gentoo
  - fix ECIES and GetSymmetricKeyLength
  - fix possible divide by zero in PKCS5_PBKDF2_HMAC
  - refine ASN.1 encoders and decoders
  - disable BMI2 code paths in Integer class
  - fix use of CRYPTOPP_CLANG_VERSION
  - add NEON SHA1, SHA256 and SHA512 from Cryptogams
  - add ARM SHA1, SHA256 and SHA512 from Cryptogams
  - make config.h more autoconf friendly
  - handle Clang triplet armv8l-unknown-linux-gnueabihf
  - fix reference binding to misaligned address in xed25519
  - clear asserts in TestDataNameValuePairs
- 04/28/2019 - Version 8.2.0 released
  - minor release, no recompile of programs required
  - expanded community input and support
    - 56 unique contributors as of this release
  - use PowerPC unaligned loads and stores with POWER8
  - add SKIPJACK test vectors
  - fix SHAKE-128 and SHAKE-256 compile
  - removed IS_NEON from Makefile
  - fix Aarch64 build on Fedora 29
  - fix missing GF2NT_233_Multiply_Reduce_CLMUL in FIPS DLL
  - add missing BLAKE2 constructors
  - fix missing BlockSize() in BLAKE2 classes
- 02/22/2019 - Version 8.1.0 released
  - minor release, no recompile of programs required
  - expanded community input and support
    - 56 unique contributors as of this release
  - fix OS X PowerPC builds with Clang
  - add Microsoft ARM64 support
  - fix iPhone Simulator build due to missing symbols
  - add CRYPTOPP_BUGGY_SIMD_LOAD_AND_STORE
  - add carryless multiplies for NIST b233 and k233 curves
  - fix OpenMP build due to use of OpenMP 4 with down-level compilers
  - add SignStream and VerifyStream for ed25519 and large files
  - fix missing AlgorithmProvider in PanamaHash
  - add SHAKE-128 and SHAKE-256
  - fix AVX2 build due to _mm256_broadcastsi128_si256
  - add IETF ChaCha, XChaCha, ChaChaPoly1305 and XChaChaPoly1305
- 12/28/2018 - Version 8.0.0 released
  - major release, recompile of programs required
  - expanded community input and support
    - 54 unique contributors as of this release
  - add x25519 key exchange and ed25519 signature scheme
  - add limited Asymmetric Key Package support from RFC 5958
  - add POWER9 DARN random number generator support
  - add CHAM, HC-128, HC-256, Hight, LEA, Rabbit, Simeck
  - fix FixedSizeAllocatorWithCleanup may be unaligned on some platforms
  - cutover to GNU Make-based cpu feature tests
  - rename files with dashes to underscores
  - fix LegacyDecryptor and LegacyDecryptorWithMAC use wrong MAC
  - fix incorrect AES/CBC decryption on Windows
  - avoid Singleton<T> when possible, avoid std::call_once completely
  - fix SPARC alignment problems due to GetAlignmentOf<T>() on word64
  - add ARM AES asm implementation from Cryptogams
  - remove CRYPTOPP_ALLOW_UNALIGNED_DATA_ACCESS support
The downloads for the most recent Crypto++ libraries from the last several years are below. If you need older downloads, from Crypto++ 5.5 to Crypto++ 2.3, then visit the Downloads page. The Downloads page provides checksums for all releases hosted on the website. Release signatures can be verified using GnuPG according to Release Signing.
Remember to use the "-a" auto-convert text files option when unzipping on a Unix machine. After downloading, please read the Readme.txt included in the zip archive for build instructions and other important notes.
While You Are Downloading
Crypto++ used to supply a compiled DLL for Windows platforms. The library is now listed on the CMVP's Historical Validation List, which effectively means the library is no longer validated. If you are interested in sponsoring a validation, then please send a message to the mailing list to start a conversation.
You can find the FIPS DLL downloads on the Downloads page.
There are two mailing lists for Crypto++. The first is cryptopp-announce@googlegroups.com, and the second is cryptopp-users@googlegroups.com.
As a courtesy, please join the discussion list with your real name instead of an online handle. Alternate web views of the lists are available at Crypto++ Announce - Google Groups and Crypto++ Users - Google Groups.
When posting a question to the Crypto++ user mailing list, please provide the following information, if applicable:
- exact error message
- stack trace (please copy from the call stack window of your debugger, or use the "bt" command in gdb)
- a minimal program with a main() function, that reproduces the problem
- version of Crypto++, operating system (output of "uname -a" command if using Unix), and compiler (output of "gcc -v" if using GCC)
Crypto++ attempts to resist side channel attacks using various remediations. We believe the library is hardened, but the remediations may be incomplete. The first line of defense uses hardware instructions when possible. The library also uses constant-time, cache-aware algorithms and access patterns to minimize leakage. If you suspect or find an information leak, then please report it.
Elliptic curves over binary fields are believed to leak information. The task is a work in progress. We don't believe binary fields are used in production, so we feel it is a low risk at the moment.
Crypto++ does not engage Spectre remediations at this time. The GCC options for Spectre are -mfunction-return=thunk and -mindirect-branch=thunk. If you want the Spectre workarounds, then add the GCC options to your CXXFLAGS when building the library. The library tests the options and they should work as expected.
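The two GCC options above are only accepted by GCC builds that target x86, so a portable build script should probe the compiler for them before adding them to CXXFLAGS, much as the library's own feature tests do. The following POSIX shell script is an added example and not part of the Crypto++ page or build system; it assumes the compiler is named by `CXX` (defaulting to `g++`) and that a throwaway translation unit can be compiled in a temporary directory.

```shell
#!/bin/sh
# Added example (not Crypto++ project code): probe which of the GCC Spectre
# mitigation options the local compiler accepts, so only the accepted ones are
# appended to CXXFLAGS when building the library.

# Compile an empty translation unit with one candidate flag. -Werror turns an
# "unrecognized command-line option" warning into a failure, so the function
# returns 0 only if the compiler genuinely accepts the flag. The compiler name
# comes from CXX and defaults to g++ (an assumption, not a Crypto++ convention).
cxx_accepts_flag() {
    flag="$1"
    cxx="${CXX:-g++}"
    tmp="$(mktemp -d 2>/dev/null || echo "/tmp/spectre_probe.$$")"
    mkdir -p "$tmp"
    printf 'int main() { return 0; }\n' > "$tmp/probe.cpp"
    if "$cxx" -Werror "$flag" -c "$tmp/probe.cpp" -o "$tmp/probe.o" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Print, space-separated, the subset of the page's two GCC Spectre options that
# the compiler accepts. Prints an empty line when neither is accepted (for
# example on a non-x86 target or when no compiler is installed).
spectre_cxxflags() {
    accepted=""
    for flag in -mfunction-return=thunk -mindirect-branch=thunk; do
        if cxx_accepts_flag "$flag"; then
            accepted="${accepted:+$accepted }$flag"
        fi
    done
    printf '%s\n' "$accepted"
}

# Usage: append the accepted options to whatever CXXFLAGS you already build with.
#   export CXXFLAGS="-DNDEBUG -g2 -O3 $(spectre_cxxflags)"
#   make
```

Because the probe is driven by the compiler actually in use, the same script can be kept in a CI job that builds on x86, ARM and PowerPC hosts: on targets where the retpoline-style thunks are unavailable the function prints nothing and the build falls back to the unmodified CXXFLAGS instead of failing on an unknown option.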
The source code and its planned changes are available at the following locations.
- The Crypto++ GitHub repository allows you to view the latest (unreleased) Crypto++ source code via Git, beginning around June 2015. It also serves as an incubator to nurture and grow the library.
- The Roadmap on the wiki provides the general direction the library is heading. It includes planned features and releases, and even some wishlist items.
Contributions of all types are welcomed. Contributions include the following.
- Bug finding and fixes
- Features and enhancements
- Test scripts and test cases
- Branch and release testing
- Documentation and updates
If you think you have found a bug in the library, then you should discuss it on the Users mailing list. Discussing it will help bring the issue to the attention of folks who can help resolve the issue. If you want to contribute a bug fix to the library, then make a Pull Request or make a Diff available somewhere. Also see Bug Reports on the wiki.
Features and enhancements are welcome additions to the library. This category tends to be time consuming because algorithms and their test cases need to be reviewed and merged. Please be mindful of the test cases, and attempt to procure them from an independent source.
The library cherishes test scripts and test cases. They ensure the library is fit and they help uncover issues with the library before users experience them. If you have some time, then write some test cases, especially the ones that are intended to break things.
Branch and release testing is your chance to ensure Master (and planned merges) meets your expectations and performs as expected. If you have a few spare cycles, then please test Master on your favorite platform. We need more testing on MinGW, Windows Phone, Windows Store, Solaris 10 (and below), and modern iOS and OS X (including TV and Watch builds).
Documentation and updates includes both the inline source code annotations using Doxygen, and the online information provided in the wiki. The wiki is more verbose and usually provides more contextual information than the API reference. Besides testing, documentation is one of the highest returns on investment.
If you are interested in paid support for Crypto++ or consulting on a Crypto++ related project, then please see this list of companies and individuals providing services on the wiki. This listing is a free service for the Crypto++ community, and anyone may sign up to be listed by creating an account on the wiki.
Originally written by Wei Dai. Last modified: June 2023. Maintained by the Crypto++ community.