daily3014/cryptography
v3.0.0 ·
Luau implementations of popular hashing/encryption algorithms
Luau Cryptography
Luau Cryptography is a library of cryptographic algorithims written in Luau. It supports Post-Quantum (PQ), Elliptic Curve Cryptography (ECC), authenticated encryption and CSPRNG with many utilities.
Authors
daily3014 - Developer - @daily3014
Xoifail - Developer - @xoifail
Acknowledgments
- Thanks to those who gave feedback and testing
- Special thanks to all contributors and bug reporters
- AES was originally made by @RobloxGamerPro200007
- XChaCha20 was originally made by @littleBitsman
- Murmur3 hash was originally made by @kohltastrophe
Disclaimer
While this library has extensive testing, it's always recommended that you do your own tests. Keep in mind that there may be timing vulnerabilities that cannot be fixed due to how Luau compiles functions. This library is NOT intended for exploitation, harassment, illegal activities, or explicit content. All security issues should be reported in the Discord server.
Installation
Wally
[dependencies]
cryptography = "daily3014/[email protected]"Pesde
pesde add daily3014/cryptographyManual Installation
Download the latest release from GitHub and place it in your Roblox Studio project.
List of Algorithms
Elliptic Curve Cryptography
Digital Signature Schemes
- Ed25519 signatures with masked operations for side-channel protection
Key Exchange
- X25519: Elliptic curve Diffie-Hellman over Curve25519
Post-Quantum Cryptography
KEM: Key Encapsulation Methods
- ML-KEM: modes 512, 768, 1024 (Kyber-based, NIST standardized)
Digital Signature Schemes
Symmetric Cryptography
Hash Functions
- SHA-2 Family: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256 with optional salt support
- SHA-3 Family: SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE-128, SHAKE-256 (FIPS 202)
- BLAKE Family: BLAKE3 (fastest available), BLAKE3-Keyed, BLAKE3-DeriveKey, BLAKE2b
Non-cryptographic Hash Functions
Message Authentication
-
HMAC: Hash-based Message Authentication Code (works with any hash function)
-
KMAC: Hash-based Message Authentication Code (uses Keccak)
Authenticated Encryption
- ChaCha20-Poly1305: AEAD construction (RFC 8439)
- AES-GCM: Galois/Counter Mode
Stream & Block Ciphers
- ChaCha20: Stream cipher (RFC 8439)
- AES-GCM: Advanced Encryption Standard
- Simon: Lightweight block cipher
- Speck: Lightweight block cipher
- XOR: Simple additive cipher
Checksums
Utilities
Encoding & Conversion
- Base64: Encode and decode
- Hexadecimal: Buffer to/from hex string conversion
Random Generation
- CSPRNG: Cryptographically Secure Pseudo-Random Number Generator with entropy management
- Random strings and bytes generation
Performance
Performance benchmarks conducted in Roblox Studio on Intel AMD Ryzen 5 7600X using Benchmarker by @boatbomber.
Hashing / Checksum
| Algorithm | Data Size | This Library | HashLib | Alternative | Other Libraries | Improvement |
|---|---|---|---|---|---|---|
| SHA-256 | 20k | 271 μs | 2058 μs | 493 μs (Old Version) | 596 μs (Dekkonot) | 7.6x faster than HashLib |
| SHA-512 | 20k | 421 μs | 4348 μs | 1066 μs (Dekkonot) | - | 10.3x faster than HashLib |
| SHA3-512 | 20k | 826 μs | 10.60 ms | - | - | 12.8x faster than HashLib |
| BLAKE3 | 20k | 133 μs | - | - | - | - |
| HMAC-BLAKE3 | 20k | 145 μs | - | - | - | - |
| KMAC-128 | 20k | 443 μs | - | - | - | - |
| KMAC-256 | 20k | 501 μs | - | - | - | - |
| Adler-32 | 200k | 163 μs | - | 1.65 ms (Naive Approach) | - | 10.1x faster |
| CRC32 | 200k | 1.43 ms | - | 6.26 ms (DevForum) | - | 4.4x faster |
Encryption
| Algorithm | Data Size | This Library | Alternative | Other Libraries | Improvement |
|---|---|---|---|---|---|
| ChaCha20 (Encrypt) | 20k | 177 μs | 7.87 ms (EncryptedNet) | - | 44.5x faster |
| ChaCha20 (Roundtrip) | 20k | 338 μs | ~15 ms (EncryptedNet) | - | 44.4x faster |
| ChaCha20-Poly1305 (Encrypt) | 20k | 232 μs | - | - | - |
| ChaCha20-Poly1305 (Roundtrip) | 20k | 448 μs | - | - | - |
| Simon (Encrypt) | 20k | 239 μs | - | - | - |
| Simon (Roundtrip) | 20k | 466 μs | - | - | - |
| Speck (Encrypt) | 20k | 193 μs | - | - | - |
| Speck (Roundtrip) | 20k | 388 μs | - | - | - |
| AES-GCM (Encrypt) | 20k | 833 μs | 1.877 ms (RobloxGamerPro200007 AES256-CTR) | - | 2.3x faster |
| AES-GCM (Roundtrip) | 20k | 1.5 ms | - | - | - |
| XOR (Encrypt) | 1 million | 1.10 ms | ~49.5 ms (Devfourm) | ~171000 ms (daily) | 155,454x faster |
| XOR (Roundtrip) | 1 million | 2.20 ms | 98.9 ms (Devfourm) | ~342000 ms (daily) | 155,454x faster |
Digital Signatures & Key Exchange
| Algorithm | Operation | Time | Alternative | Improvement |
|---|---|---|---|---|
| EdDSA (Roundtrip) | Sign+Verify | 691 μs | - | - |
| ML-DSA-44 (Roundtrip) | Sign+Verify | 3.65 ms | - | - |
| ML-KEM-512 (Roundtrip) | Encap+Decap | 754 μs | - | - |
Utilities
| Algorithm | Data Size | Time | Alternative | Improvement |
|---|---|---|---|---|
| Base64 (Roundtrip) | 1 million | 3.77ms | Lute: 9.11ms Reselim: 12.08ms | 2.4x faster than Lute 3.2x faster than Reselim |
Roundtrip: Complete encrypt/decrypt or sign/verify cycle
API Reference
Hashing Functions
SHA-2 Family:
Hashing.SHA2.SHA224(Message: buffer) -> (string, buffer)
Hashing.SHA2.SHA256(Message: buffer) -> (string, buffer)
Hashing.SHA2.SHA384(Message: buffer) -> (string, buffer)
Hashing.SHA2.SHA512(Message: buffer) -> (string, buffer)SHA-3 Family:
Hashing.SHA3.SHA3_224(Message: buffer) -> (string, buffer)
Hashing.SHA3.SHA3_256(Message: buffer) -> (string, buffer)
Hashing.SHA3.SHA3_384(Message: buffer) -> (string, buffer)
Hashing.SHA3.SHA3_512(Message: buffer) -> (string, buffer)
Hashing.SHA3.SHAKE_128(Message: buffer) -> (string, buffer)
Hashing.SHA3.SHAKE_256(Message: buffer) -> (string, buffer)BLAKE Family:
Hashing.Blake3.Digest(Message: buffer, Length?: number) -> (string, buffer)
Hashing.Blake3.DigestKeyed(Message: buffer, Key: buffer, Length?: number) -> (string, buffer)
Hashing.Blake3.DeriveKey(Context: buffer): (buffer, number?) -> (string, buffer)
Hashing.Blake2b(InputData: buffer, OutputLength: number?, KeyData: buffer?) -> (string, buffer)Authentication:
Hashing.HMAC(Message: buffer, Key: buffer, HashFn: function, BlockSize: number, BigEndian: boolean?) -> (string, buffer)
Hashing.KMAC.KMAC128(Data: buffer, Key: buffer, Output: buffer, CustomBuffer: buffer?) -> (string, buffer)
Hashing.KMAC.KMAC256(Data: buffer, Key: buffer, Output: buffer, CustomBuffer: buffer?) -> (string, buffer)
-- SHA3/Blake family should have BigEndian = falseNon-Cryptographic Hashing:
Hashing.XXH32(Message: buffer, Seed?: number) -> number
Hashing.MurMur(Message: buffer, Seed: number?) -> numberEncryption Functions
Stream Cipher:
Encryption.AEAD.ChaCha20(Data: buffer, Key: buffer, Nonce: buffer, Counter?: number, Rounds?: number) -> buffer
Encryption.AEAD.XChaCha20(Data: buffer, Key: buffer, Nonce: buffer, Counter: number?, Rounds: number?) -> bufferAuthenticated Encryption:
Encryption.AEAD.Encrypt(Message: buffer, Key: buffer, Nonce: buffer, AAD?: buffer, Rounds?: number, UseXChaCha20: boolean?) -> (buffer, buffer)
Encryption.AEAD.Decrypt(Ciphertext: buffer, Key: buffer, Nonce: buffer, Tag: buffer, AAD?: buffer, Rounds?: number, UseXChaCha20: boolean?) -> buffer?Block Ciphers:
-- AES-GCM
AES.Encrypt(Plaintext: buffer, Key: buffer, IV: buffer, AAD: buffer?) -> (buffer, buffer)
AES.Decrypt(Ciphertext: buffer, Key: buffer, IV: buffer, Tag: buffer, AAD: buffer?) -> (boolean, buffer?)
-- Simon
Encryption.Simon.Encrypt(PlaintextBuffer: buffer, KeyBuffer: buffer) -> buffer
Encryption.Simon.Decrypt(CipherBuffer: buffer, KeyBuffer: buffer) -> buffer
-- Speck
Encryption.Speck.Encrypt(PlaintextBuffer: buffer, KeyBuffer: buffer) -> buffer
Encryption.Speck.Decrypt(CipherBuffer: buffer, KeyBuffer: buffer) -> bufferSimple Cipher:
Encryption.XOR(Data: buffer, Key: buffer) -> bufferDigital Signatures
EdDSA (Ed25519):
Verification.EdDSA.PublicKey(SecretKey: buffer) -> buffer
Verification.EdDSA.Sign(Message: buffer, SecretKey: buffer, PublicKey: buffer) -> buffer
Verification.EdDSA.Verify(Message: buffer, PublicKey: buffer, Signature: buffer) -> booleanMasked X25519:
Verification.EdDSA.X25519.Mask(SecretKey: buffer) -> buffer
Verification.EdDSA.X25519.MaskSignature(SignatureSecretKey: buffer) -> buffer
Verification.EdDSA.X25519.Remask(MaskedKey: buffer) -> buffer
Verification.EdDSA.X25519.PublicKey(MaskedKey: buffer) -> buffer
Verification.EdDSA.X25519.Exchange(MaskedSecretKey: buffer, TheirPublicKey: buffer) -> (buffer, buffer)
Verification.EdDSA.X25519.MaskComponent(MaskedKey: buffer) -> bufferML-DSA (Post-Quantum):
Mldsa.ML_DSA_44.GenerateKeys() -> (PublicKey: buffer, SecretKey: buffer)
Mldsa.ML_DSA_44.Sign(Message: buffer, RandomSeed: buffer, SecretKey: buffer, Context: buffer, Signature: buffer) -> boolean
Mldsa.ML_DSA_44.Verify(Message: buffer, PublicKey: buffer, Context: buffer, Signature: buffer) -> boolean
Mldsa.ML_DSA_65.GenerateKeys() -> (PublicKey: buffer, SecretKey: buffer)
Mldsa.ML_DSA_65.Sign(Message: buffer, RandomSeed: buffer, SecretKey: buffer, Context: buffer, Signature: buffer) -> boolean
Mldsa.ML_DSA_65.Verify(Message: buffer, PublicKey: buffer, Context: buffer, Signature: buffer) -> boolean
Mldsa.ML_DSA_87.GenerateKeys() -> (PublicKey: buffer, SecretKey: buffer)
Mldsa.ML_DSA_87.Sign(Message: buffer, RandomSeed: buffer, SecretKey: buffer, Context: buffer, Signature: buffer) -> boolean
Mldsa.ML_DSA_87.Verify(Message: buffer, PublicKey: buffer, Context: buffer, Signature: buffer) -> booleanKey Encapsulation
ML-KEM (Post-Quantum):
MlKem.MLKEM_512.GenerateKeys() -> (PublicKey: buffer, SecretKey: buffer)
MlKem.MLKEM_512.KeyGen(D: buffer, Z: buffer) -> (PublicKey: buffer, SecretKey: buffer)
MlKem.MLKEM_512.Encapsulate(Message: buffer, PublicKey: buffer) -> (Ciphertext: buffer?, SharedSecret: buffer?)
MlKem.MLKEM_512.Decapsulate(Ciphertext: buffer, SecretKey: buffer) -> SharedSecret: buffer
MlKem.MLKEM_768.GenerateKeys() -> (PublicKey: buffer, SecretKey: buffer)
MlKem.MLKEM_768.KeyGen(D: buffer, Z: buffer) -> (PublicKey: buffer, SecretKey: buffer)
MlKem.MLKEM_768.Encapsulate(Message: buffer, PublicKey: buffer) -> (Ciphertext: buffer?, SharedSecret: buffer?)
MlKem.MLKEM_768.Decapsulate(Ciphertext: buffer, SecretKey: buffer) -> SharedSecret: buffer
MlKem.MLKEM_1024.GenerateKeys() -> (PublicKey: buffer, SecretKey: buffer)
MlKem.MLKEM_1024.KeyGen(D: buffer, Z: buffer) -> (PublicKey: buffer, SecretKey: buffer)
MlKem.MLKEM_1024.Encapsulate(Message: buffer, PublicKey: buffer) -> (Ciphertext: buffer?, SharedSecret: buffer?)
MlKem.MLKEM_1024.Decapsulate(Ciphertext: buffer, SecretKey: buffer) -> SharedSecret: bufferUtility Functions
Encoding:
Utilities.Base64.Encode(Input: buffer) -> buffer
Utilities.Base64.Decode(Input: buffer) -> bufferConversions:
Utilities.Conversions.ToHex(Buffer: buffer) -> string
Utilities.Conversions.FromHex(Hex: string) -> bufferRandom Generation:
Utilities.RandomString(Length: number, AsBuffer: false) -> string
Utilities.RandomString(Length: number, AsBuffer: true) -> bufferCSPRNG:
Utilities.CSPRNG.Random() -> number
Utilities.CSPRNG.RandomInt(Min: number, Max: number?) -> number
Utilities.CSPRNG.RandomNumber(Min: number, Max: number?) -> number
Utilities.CSPRNG.RandomBytes(Count: number) -> buffer
Utilities.CSPRNG.RandomHex(Length: number) -> string
Utilities.CSPRNG.RandomString(Length: number, AsBuffer: boolean?) -> buffer | string
Utilities.CSPRNG.Ed25519ClampedBytes(Input: buffer) -> buffer
Utilities.CSPRNG.Ed25519Random() -> buffer
Utilities.CSPRNG.Reseed(CustomEntropy: buffer?)
Utilities.CSPRNG.AddEntropyProvider(ProviderFunction: () -> buffer?)
Utilities.CSPRNG.RemoveEntropyProvider(ProviderFunction: () -> buffer?)Checksum Functions
Checksums.CRC32(Message: buffer, Mode: "Jam" | "Iso"?, Hex: boolean?) -> number
Checksums.Adler(Message: buffer) -> numberTesting and Benchmarking
Running Tests
To run the complete test suite:
bash scripts/test.shThis will launch Roblox Studio, execute all tests, and display results in your terminal.
Development Testing
For continuous testing during development:
bash scripts/dev.shThis starts a Rojo server. Open Roblox Studio and sync Rojo into a Baseplate. Whenever you run the game server, the test suites will run and results will show in the Output widget.
Contributing
To contribute, fork this repository and make your changes, and then make a Pull Request. A Pull Request needs approval.
Please read the CONTRIBUTING.md file for detailed guidelines.
FAQ
Will you add other algorithms?
Maybe! It depends on whether the algorithm is feasible to implement in Luau without requiring extremely expensive calculations like RSA/Argon.
How is this library faster?
Through extensive optimizations including efficient buffer operations, algorithm tuning, and Luau-specific optimizations.
Which algorithms should I use?
- Hashing: SHA-256 for general use, XXH32 for speed, BLAKE3 for speed and security, SHA3-256 for latest standards
- Encryption: ChaCha20-Poly1305 AEAD for authenticated encryption, AES-GCM for compatibility and security
- Signatures: Ed25519 for fast digital signatures and key exchange, ML-DSA for post-quantum security
- Key Exchange: ML-KEM for post-quantum key encapsulation, X25519 for compatibility
License
This project is licensed under the MIT License. See the LICENSE file for details.