1
Crypto++: a C++ Class Library of Cryptographic Schemes
2
Version 5.6.0 (3/15/2009)
4
Crypto++ Library is a free C++ class library of cryptographic schemes.
5
Currently the library contains the following algorithms:
9
authenticated encryption schemes GCM, CCM, EAX
11
high speed stream ciphers Panama, Sosemanuk, Salsa20, XSalsa20
13
AES and AES candidates AES (Rijndael), RC6, MARS, Twofish, Serpent,
16
IDEA, Triple-DES (DES-EDE2 and DES-EDE3),
17
other block ciphers Camellia, SEED, RC5, Blowfish, TEA, XTEA,
20
block cipher modes of operation ECB, CBC, CBC ciphertext stealing (CTS),
21
CFB, OFB, counter mode (CTR)
23
message authentication codes VMAC, HMAC, CMAC, CBC-MAC, DMAC,
26
SHA-1, SHA-2 (SHA-224, SHA-256, SHA-384, and
27
hash functions SHA-512), Tiger, WHIRLPOOL, RIPEMD-128,
28
RIPEMD-256, RIPEMD-160, RIPEMD-320
30
RSA, DSA, ElGamal, Nyberg-Rueppel (NR),
31
public-key cryptography Rabin, Rabin-Williams (RW), LUC, LUCELG,
32
DLIES (variants of DHAES), ESIGN
34
padding schemes for public-key PKCS#1 v2.0, OAEP, PSS, PSSR, IEEE P1363
35
systems EMSA2 and EMSA5
37
Diffie-Hellman (DH), Unified Diffie-Hellman
38
key agreement schemes (DH2), Menezes-Qu-Vanstone (MQV), LUCDIF,
41
elliptic curve cryptography ECDSA, ECNR, ECIES, ECDH, ECMQV
43
insecure or obsolescent MD2, MD4, MD5, Panama Hash, DES, ARC4, SEAL
44
algorithms retained for backwards 3.0, WAKE, WAKE-OFB, DESX (DES-XEX3), RC2,
45
compatibility and historical SAFER, 3-WAY, GOST, SHARK, CAST-128, Square
48
Other features include:
50
* pseudo random number generators (PRNG): ANSI X9.17 appendix C, RandomPool
51
* password based key derivation functions: PBKDF1 and PBKDF2 from PKCS #5,
52
PBKDF from PKCS #12 appendix B
53
* Shamir's secret sharing scheme and Rabin's information dispersal algorithm
55
* fast multi-precision integer (bignum) and polynomial operations
56
* finite field arithmetics, including GF(p) and GF(2^n)
57
* prime number generation and verification
58
* useful non-cryptographic algorithms
59
+ DEFLATE (RFC 1951) compression/decompression with gzip (RFC 1952) and
60
zlib (RFC 1950) format support
61
+ hex, base-32, and base-64 coding/decoding
62
+ 32-bit CRC and Adler32 checksum
63
* class wrappers for these operating system features (optional):
64
+ high resolution timers on Windows, Unix, and Mac OS
65
+ Berkeley and Windows style sockets
67
+ /dev/random, /dev/urandom, /dev/srandom
68
+ Microsoft's CryptGenRandom on Windows
69
* A high level interface for most of the above, using a filter/pipeline
71
* benchmarks and validation testing
72
* x86, x86-64 (x64), MMX, and SSE2 assembly code for the most commonly used
73
algorithms, with run-time CPU feature detection and code selection
74
* some versions are available in FIPS 140-2 validated form
76
You are welcome to use it for any purpose without paying me, but see
77
License.txt for the fine print.
79
The following compilers are supported for this release. Please visit
80
http://www.cryptopp.com the most up to date build instructions and porting notes.
85
* Intel C++ Compiler 9 - 11
86
* Sun Studio 12 (CC 5.9)
88
*** Important Usage Notes ***
90
1. If a constructor for A takes a pointer to an object B (except primitive
91
types such as int and char), then A owns B and will delete B at A's
92
destruction. If a constructor for A takes a reference to an object B,
93
then the caller retains ownership of B and should not destroy it until
96
2. Crypto++ is thread safe at the class level. This means you can use
97
Crypto++ safely in a multithreaded application, but you must provide
98
synchronization when multiple threads access a common Crypto++ object.
100
*** MSVC-Specific Information ***
102
On Windows, Crypto++ can be compiled into 3 forms: a static library
103
including all algorithms, a DLL with only FIPS Approved algorithms, and
104
a static library with only algorithms not in the DLL.
105
(FIPS Approved means Approved according to the FIPS 140-2 standard.)
106
The DLL may be used by itself, or it may be used together with the second
107
form of the static library. MSVC project files are included to build
108
all three forms, and sample applications using each of the three forms
111
To compile Crypto++ with MSVC, open the "cryptest.dsw" (for MSVC 6 and MSVC .NET
112
2003) or "cryptest.sln" (for MSVC .NET 2005) workspace file and build one or
113
more of the following projects:
115
cryptdll - This builds the DLL. Please note that if you wish to use Crypto++
116
as a FIPS validated module, you must use a pre-built DLL that has undergone
117
the FIPS validation process instead of building your own.
118
dlltest - This builds a sample application that only uses the DLL.
119
cryptest Non-DLL-Import Configuration - This builds the full static library
120
along with a full test driver.
121
cryptest DLL-Import Configuration - This builds a static library containing
122
only algorithms not in the DLL, along with a full test driver that uses
123
both the DLL and the static library.
125
To use the Crypto++ DLL in your application, #include "dll.h" before including
126
any other Crypto++ header files, and place the DLL in the same directory as
127
your .exe file. dll.h includes the line #pragma comment(lib, "cryptopp")
128
so you don't have to explicitly list the import library in your project
129
settings. To use a static library form of Crypto++, specify it as
130
an additional library to link with in your project settings.
131
In either case you should check the compiler options to
132
make sure that the library and your application are using the same C++
133
run-time libraries and calling conventions.
135
*** DLL Memory Management ***
137
Because it's possible for the Crypto++ DLL to delete objects allocated
138
by the calling application, they must use the same C++ memory heap. Three
139
methods are provided to achieve this.
140
1. The calling application can tell Crypto++ what heap to use. This method
141
is required when the calling application uses a non-standard heap.
142
2. Crypto++ can tell the calling application what heap to use. This method
143
is required when the calling application uses a statically linked C++ Run
144
Time Library. (Method 1 does not work in this case because the Crypto++ DLL
145
is initialized before the calling application's heap is initialized.)
146
3. Crypto++ can automatically use the heap provided by the calling application's
147
dynamically linked C++ Run Time Library. The calling application must
148
make sure that the dynamically linked C++ Run Time Library is initialized
149
before Crypto++ is loaded. (At this time it is not clear if it is possible
150
to control the order in which DLLs are initialized on Windows 9x machines,
151
so it might be best to avoid using this method.)
153
When Crypto++ attaches to a new process, it searches all modules loaded
154
into the process space for exported functions "GetNewAndDeleteForCryptoPP"
155
and "SetNewAndDeleteFromCryptoPP". If one of these functions is found,
156
Crypto++ uses methods 1 or 2, respectively, by calling the function.
157
Otherwise, method 3 is used.
159
*** GCC-Specific Information ***
161
A makefile is included for you to compile Crypto++ with GCC. Make sure
162
you are using GNU Make and GNU ld. The make process will produce two files,
163
libcryptopp.a and cryptest.exe. Run "cryptest.exe v" for the validation
166
*** Documentation and Support ***
168
Crypto++ is documented through inline comments in header files, which are
169
processed through Doxygen to produce an HTML reference manual. You can find
170
a link to the manual from http://www.cryptopp.com. Also at that site is
171
the Crypto++ FAQ, which you should browse through before attempting to
172
use this library, because it will likely answer many of questions that
175
If you run into any problems, please try the Crypto++ mailing list.
176
The subscription information and the list archive are available on
177
http://www.cryptopp.com. You can also email me directly by visiting
178
http://www.weidai.com, but you will probably get a faster response through
183
1.0 - First public release. Withdrawn at the request of RSA DSI.
184
- included Blowfish, BBS, DES, DH, Diamond, DSA, ElGamal, IDEA,
185
MD5, RC4, RC5, RSA, SHA, WAKE, secret sharing, DEFLATE compression
186
- had a serious bug in the RSA key generation code.
188
1.1 - Removed RSA, RC4, RC5
189
- Disabled calls to RSAREF's non-public functions
192
2.0 - a completely new, faster multiprecision integer class
193
- added MD5-MAC, HAVAL, 3-WAY, TEA, SAFER, LUC, Rabin, BlumGoldwasser,
194
elliptic curve algorithms
195
- added the Lucas strong probable primality test
196
- ElGamal encryption and signature schemes modified to avoid weaknesses
197
- Diamond changed to Diamond2 because of key schedule weakness
198
- fixed bug in WAKE key setup
199
- SHS class renamed to SHA
200
- lots of miscellaneous optimizations
202
2.1 - added Tiger, HMAC, GOST, RIPE-MD160, LUCELG, LUCDIF, XOR-MAC,
204
- added precomputation to DH, ElGamal, DSA, and elliptic curve algorithms
205
- added back RC5 and a new RSA
206
- optimizations in elliptic curves over GF(p)
207
- changed Rabin to use OAEP and PSSR
208
- changed many classes to allow copy constructors to work correctly
209
- improved exception generation and handling
211
2.2 - added SEAL, CAST-128, Square
212
- fixed bug in HAVAL (padding problem)
213
- fixed bug in triple-DES (decryption order was reversed)
214
- fixed bug in RC5 (couldn't handle key length not a multiple of 4)
215
- changed HMAC to conform to RFC-2104 (which is not compatible
216
with the original HMAC)
217
- changed secret sharing and information dispersal to use GF(2^32)
219
- removed zero knowledge prover/verifier for graph isomorphism
220
- removed several utility classes in favor of the C++ standard library
223
- fixed incomplete workaround of min/max conflict in MSVC
225
3.0 - placed all names into the "CryptoPP" namespace
226
- added MD2, RC2, RC6, MARS, RW, DH2, MQV, ECDHC, CBC-CTS
227
- added abstract base classes PK_SimpleKeyAgreementDomain and
228
PK_AuthenticatedKeyAgreementDomain
229
- changed DH and LUCDIF to implement the PK_SimpleKeyAgreementDomain
230
interface and to perform domain parameter and key validation
231
- changed interfaces of PK_Signer and PK_Verifier to sign and verify
232
messages instead of message digests
233
- changed OAEP to conform to PKCS#1 v2.0
234
- changed benchmark code to produce HTML tables as output
235
- changed PSSR to track IEEE P1363a
236
- renamed ElGamalSignature to NR and changed it to track IEEE P1363
237
- renamed ECKEP to ECMQVC and changed it to track IEEE P1363
238
- renamed several other classes for clarity
239
- removed support for calling RSAREF
240
- removed option to compile old SHA (SHA-0)
241
- removed option not to throw exceptions
243
3.1 - added ARC4, Rijndael, Twofish, Serpent, CBC-MAC, DMAC
244
- added interface for querying supported key lengths of symmetric ciphers
246
- added sample code for RSA signature and verification
247
- changed CBC-CTS to be compatible with RFC 2040
248
- updated SEAL to version 3.0 of the cipher specification
249
- optimized multiprecision squaring and elliptic curves over GF(p)
250
- fixed bug in MARS key setup
251
- fixed bug with attaching objects to Deflator
253
3.2 - added DES-XEX3, ECDSA, DefaultEncryptorWithMAC
254
- renamed DES-EDE to DES-EDE2 and TripleDES to DES-EDE3
256
- generalized DSA to allow keys longer than 1024 bits
257
- fixed bugs in GF2N and ModularArithmetic that can cause calculation errors
258
- fixed crashing bug in Inflator when given invalid inputs
259
- fixed endian bug in Serpent
260
- fixed padding bug in Tiger
262
4.0 - added Skipjack, CAST-256, Panama, SHA-2 (SHA-256, SHA-384, and SHA-512),
264
- added a faster variant of Rabin's Information Dispersal Algorithm (IDA)
265
- added class wrappers for these operating system features:
266
- high resolution timers on Windows, Unix, and MacOS
267
- Berkeley and Windows style sockets
268
- Windows named pipes
269
- /dev/random and /dev/urandom on Linux and FreeBSD
270
- Microsoft's CryptGenRandom on Windows
271
- added support for SEC 1 elliptic curve key format and compressed points
272
- added support for X.509 public key format (subjectPublicKeyInfo) for
273
RSA, DSA, and elliptic curve schemes
274
- added support for DER and OpenPGP signature format for DSA
275
- added support for ZLIB compressed data format (RFC 1950)
276
- changed elliptic curve encryption to use ECIES (as defined in SEC 1)
277
- changed MARS key schedule to reflect the latest specification
278
- changed BufferedTransformation interface to support multiple channels
280
- changed CAST and SHA-1 implementations to use public domain source code
281
- fixed bug in StringSource
282
- optmized multi-precision integer code for better performance
284
4.1 - added more support for the recommended elliptic curve parameters in SEC 2
285
- added Panama MAC, MARC4
286
- added IV stealing feature to CTS mode
287
- added support for PKCS #8 private key format for RSA, DSA, and elliptic
289
- changed Deflate, MD5, Rijndael, and Twofish to use public domain code
290
- fixed a bug with flushing compressed streams
291
- fixed a bug with decompressing stored blocks
292
- fixed a bug with EC point decompression using non-trinomial basis
293
- fixed a bug in NetworkSource::GeneralPump()
294
- fixed a performance issue with EC over GF(p) decryption
295
- fixed syntax to allow GCC to compile without -fpermissive
296
- relaxed some restrictions in the license
298
4.2 - added support for longer HMAC keys
299
- added MD4 (which is not secure so use for compatibility purposes only)
300
- added compatibility fixes/workarounds for STLport 4.5, GCC 3.0.2,
302
- changed MD2 to use public domain code
303
- fixed a bug with decompressing multiple messages with the same object
304
- fixed a bug in CBC-MAC with MACing multiple messages with the same object
305
- fixed a bug in RC5 and RC6 with zero-length keys
306
- fixed a bug in Adler32 where incorrect checksum may be generated
308
5.0 - added ESIGN, DLIES, WAKE-OFB, PBKDF1 and PBKDF2 from PKCS #5
309
- added key validation for encryption and signature public/private keys
310
- renamed StreamCipher interface to SymmetricCipher, which is now implemented
311
by both stream ciphers and block cipher modes including ECB and CBC
312
- added keying interfaces to support resetting of keys and IVs without
313
having to destroy and recreate objects
314
- changed filter interface to support non-blocking input/output
315
- changed SocketSource and SocketSink to use overlapped I/O on Microsoft Windows
316
- grouped related classes inside structs to help templates, for example
317
AESEncryption and AESDecryption are now AES::Encryption and AES::Decryption
318
- where possible, typedefs have been added to improve backwards
319
compatibility when the CRYPTOPP_MAINTAIN_BACKWARDS_COMPATIBILITY macro is defined
320
- changed Serpent, HAVAL and IDEA to use public domain code
321
- implemented SSE2 optimizations for Integer operations
322
- fixed a bug in HMAC::TruncatedFinal()
323
- fixed SKIPJACK byte ordering following NIST clarification dated 5/9/02
325
5.01 - added known answer test for X9.17 RNG in FIPS 140 power-up self test
326
- submitted to NIST/CSE, but not publicly released
328
5.02 - changed EDC test to MAC integrity check using HMAC/SHA1
329
- improved performance of integrity check
330
- added blinding to defend against RSA timing attack
332
5.03 - created DLL version of Crypto++ for FIPS 140-2 validation
333
- fixed vulnerabilities in GetNextIV for CTR and OFB modes
335
5.0.4 - Removed DES, SHA-256, SHA-384, SHA-512 from DLL
337
5.1 - added PSS padding and changed PSSR to track IEEE P1363a draft standard
338
- added blinding for RSA and Rabin to defend against timing attacks
339
on decryption operations
340
- changed signing and decryption APIs to support the above
341
- changed WaitObjectContainer to allow waiting for more than 64
342
objects at a time on Win32 platforms
343
- fixed a bug in CBC and ECB modes with processing non-aligned data
344
- fixed standard conformance bugs in DLIES (DHAES mode) and RW/EMSA2
345
signature scheme (these fixes are not backwards compatible)
346
- fixed a number of compiler warnings, minor bugs, and portability problems
349
5.2 - merged in changes for 5.01 - 5.0.4
350
- added support for using encoding parameters and key derivation parameters
351
with public key encryption (implemented by OAEP and DL/ECIES)
352
- added Camellia, SHACAL-2, Two-Track-MAC, Whirlpool, RIPEMD-320,
353
RIPEMD-128, RIPEMD-256, Base-32 coding, FIPS variant of CFB mode
354
- added ThreadUserTimer for timing thread CPU usage
355
- added option for password-based key derivation functions
356
to iterate until a mimimum elapsed thread CPU time is reached
357
- added option (on by default) for DEFLATE compression to detect
358
uncompressible files and process them more quickly
359
- improved compatibility and performance on 64-bit platforms,
360
including Alpha, IA-64, x86-64, PPC64, Sparc64, and MIPS64
361
- fixed ONE_AND_ZEROS_PADDING to use 0x80 instead 0x01 as padding.
362
- fixed encoding/decoding of PKCS #8 privateKeyInfo to properly
363
handle optional attributes
365
5.2.1 - fixed bug in the "dlltest" DLL testing program
366
- fixed compiling with STLport using VC .NET
367
- fixed compiling with -fPIC using GCC
368
- fixed compiling with -msse2 on systems without memalign()
369
- fixed inability to instantiate PanamaMAC
370
- fixed problems with inline documentation
372
5.2.2 - added SHA-224
373
- put SHA-256, SHA-384, SHA-512, RSASSA-PSS into DLL
375
5.2.3 - fixed issues with FIPS algorithm test vectors
376
- put RSASSA-ISO into DLL
378
5.3 - ported to MSVC 2005 with support for x86-64
379
- added defense against AES timing attacks, and more AES test vectors
380
- changed StaticAlgorithmName() of Rijndael to "AES", CTR to "CTR"
383
- updated Whirlpool to version 3.0
384
- ported to GCC 4.1, Sun C++ 5.8, and Borland C++Builder 2006
386
5.5 - added VMAC and Sosemanuk (with x86-64 and SSE2 assembly)
387
- improved speed of integer arithmetic, AES, SHA-512, Tiger, Salsa20,
388
Whirlpool, and PANAMA cipher using assembly (x86-64, MMX, SSE2)
389
- optimized Camellia and added defense against timing attacks
390
- updated benchmarks code to show cycles per byte and to time key/IV setup
391
- started using OpenMP for increased multi-core speed
392
- enabled GCC optimization flags by default in GNUmakefile
393
- added blinding and computational error checking for RW signing
394
- changed RandomPool, X917RNG, GetNextIV, DSA/NR/ECDSA/ECNR to reduce
395
the risk of reusing random numbers and IVs after virtual machine state
397
- changed default FIPS mode RNG from AutoSeededX917RNG<DES_EDE3> to
398
AutoSeededX917RNG<AES>
399
- fixed PANAMA cipher interface to accept 256-bit key and 256-bit IV
400
- moved MD2, MD4, MD5, PanamaHash, ARC4, WAKE_CFB into the namespace "Weak"
401
- removed HAVAL, MD5-MAC, XMAC
403
5.5.1 - fixed VMAC validation failure on 32-bit big-endian machines
405
5.5.2 - ported x64 assembly language code for AES, Salsa20, Sosemanuk, and Panama
406
to MSVC 2005 (using MASM since MSVC doesn't support inline assembly on x64)
407
- fixed Salsa20 initialization crash on non-SSE2 machines
408
- fixed Whirlpool crash on Pentium 2 machines
409
- fixed possible branch prediction analysis (BPA) vulnerability in
410
MontgomeryReduce(), which may affect security of RSA, RW, LUC
411
- fixed link error with MSVC 2003 when using "debug DLL" form of runtime library
412
- fixed crash in SSE2_Add on P4 machines when compiled with
413
MSVC 6.0 SP5 with Processor Pack
414
- ported to MSVC 2008, GCC 4.2, Sun CC 5.9, Intel C++ Compiler 10.0,
415
and Borland C++Builder 2007
417
5.6 - added AuthenticatedSymmetricCipher interface class and Filter wrappers
418
- added CCM, GCM (with SSE2 assembly), EAX, CMAC, XSalsa20, and SEED
419
- added support for variable length IVs
420
- improved AES and SHA-256 speed on x86 and x64
421
- fixed incorrect VMAC computation on message lengths
422
that are >64 mod 128 (x86 assembly version is not affected)
423
- fixed compiler error in vmac.cpp on x86 with GCC -fPIC
424
- fixed run-time validation error on x86-64 with GCC 4.3.2 -O2
425
- fixed HashFilter bug when putMessage=true
426
- removed WORD64_AVAILABLE; compiler support for 64-bit int is now required
427
- ported to GCC 4.3, C++Builder 2009, Sun CC 5.10, Intel C++ Compiler 11
added
removed
cryptopp/Readme.txt
