Cryptography (std.crypto)

const aegis = std.crypto.aead.aegis;

// 128-bit key variants
pub const Aegis128L = aegis.Aegis128L;
pub const Aegis128X2 = aegis.Aegis128X2;
pub const Aegis128X4 = aegis.Aegis128X4;

// 256-bit key variants
pub const Aegis256 = aegis.Aegis256;
pub const Aegis256X2 = aegis.Aegis256X2;
pub const Aegis256X4 = aegis.Aegis256X4;

const key: [32]u8 = ... ; // 256-bit key
const nonce: [32]u8 = ... ; // 256-bit nonce
const plaintext = "Secret message";
const ad = "Additional data";

var ciphertext: [plaintext.len]u8 = undefined;
var tag: [32]u8 = undefined;

std.crypto.aead.aegis.Aegis256.encrypt(
    &ciphertext,
    &tag,
    plaintext,
    ad,
    nonce,
    key
);

const chacha_poly = std.crypto.aead.chacha_poly;

pub const ChaCha20Poly1305 = chacha_poly.ChaCha20Poly1305;
pub const XChaCha20Poly1305 = chacha_poly.XChaCha20Poly1305;

const key: [32]u8 = ... ; // 256-bit key
const nonce: [12]u8 = ... ; // 96-bit nonce

var ciphertext: [msg.len]u8 = undefined;
var tag: [16]u8 = undefined;

std.crypto.aead.chacha_poly.ChaCha20Poly1305.encrypt(
    &ciphertext,
    &tag,
    msg,
    additional_data,
    nonce,
    key
);

const aes_gcm = std.crypto.aead.aes_gcm;

pub const Aes128Gcm = aes_gcm.Aes128Gcm;
pub const Aes256Gcm = aes_gcm.Aes256Gcm;

// AES-GCM-SIV (nonce-misuse resistant)
const Aes128GcmSiv = std.crypto.aead.aes_gcm_siv.Aes128GcmSiv;
const Aes256GcmSiv = std.crypto.aead.aes_gcm_siv.Aes256GcmSiv;

// AES-SIV
const Aes128Siv = std.crypto.aead.aes_siv.Aes128Siv;
const Aes256Siv = std.crypto.aead.aes_siv.Aes256Siv;

// AES-OCB
const Aes128Ocb = std.crypto.aead.aes_ocb.Aes128Ocb;
const Aes256Ocb = std.crypto.aead.aes_ocb.Aes256Ocb;

// AES-CCM
const aes_ccm = std.crypto.aead.aes_ccm;

const sha2 = std.crypto.hash.sha2;

pub const Sha224 = sha2.Sha224;
pub const Sha256 = sha2.Sha256;
pub const Sha384 = sha2.Sha384;
pub const Sha512 = sha2.Sha512;
pub const Sha512_224 = sha2.Sha512_224;
pub const Sha512_256 = sha2.Sha512_256;

const std = @import("std");

var hasher = std.crypto.hash.sha2.Sha256.init(.{});
hasher.update("Hello, ");
hasher.update("World!");

var digest: [32]u8 = undefined;
hasher.final(&digest);

// One-shot hashing
const hash = std.crypto.hash.sha2.Sha256.hash("Hello, World!", .{});

const sha3 = std.crypto.hash.sha3;

pub const Sha3_224 = sha3.Sha3_224;
pub const Sha3_256 = sha3.Sha3_256;
pub const Sha3_384 = sha3.Sha3_384;
pub const Sha3_512 = sha3.Sha3_512;

// Extendable output functions
pub const Shake128 = sha3.Shake128;
pub const Shake256 = sha3.Shake256;

const blake2 = std.crypto.hash.blake2;

pub const Blake2b128 = blake2.Blake2b128;
pub const Blake2b256 = blake2.Blake2b256;
pub const Blake2b384 = blake2.Blake2b384;
pub const Blake2b512 = blake2.Blake2b512;

pub const Blake2s128 = blake2.Blake2s128;
pub const Blake2s224 = blake2.Blake2s224;
pub const Blake2s256 = blake2.Blake2s256;

const Blake3 = std.crypto.hash.Blake3;

var out: [32]u8 = undefined;
std.crypto.hash.Blake3.hash("message", &out, .{});

const Md5 = std.crypto.hash.Md5;     // Legacy, DO NOT USE for security
const Sha1 = std.crypto.hash.Sha1;   // Legacy, DO NOT USE for security

const hmac = std.crypto.auth.hmac;

// Generic HMAC with any hash function
pub fn Hmac(comptime Hash: type) type;

const HmacSha256 = std.crypto.auth.hmac.Hmac(std.crypto.hash.sha2.Sha256);

const key = "secret_key";
var mac: [HmacSha256.mac_length]u8 = undefined;

HmacSha256.create(&mac, "message", key);

const siphash = std.crypto.auth.siphash;

pub const SipHash64 = siphash.SipHash64;
pub const SipHash128 = siphash.SipHash128;

const Poly1305 = std.crypto.onetimeauth.Poly1305;

const argon2 = std.crypto.pwhash.argon2;

pub fn hash(
    allocator: Allocator,
    password: []const u8,
    salt: []const u8,
    params: Params,
    mode: Mode
) ![]u8;

const params = std.crypto.pwhash.argon2.Params{
    .t = 3,      // Time cost (iterations)
    .m = 65536,  // Memory cost (KiB)
    .p = 4,      // Parallelism
};

var hash_buf: [32]u8 = undefined;
try std.crypto.pwhash.argon2.kdf(
    allocator,
    &hash_buf,
    password,
    salt,
    params,
    .argon2id
);

const bcrypt = std.crypto.pwhash.bcrypt;

pub fn hash(
    password: []const u8,
    salt: [16]u8,
    params: Params
) ![60]u8;

const scrypt = std.crypto.pwhash.scrypt;

pub fn kdf(
    allocator: Allocator,
    password: []const u8,
    salt: []const u8,
    params: Params,
    derived_key: []u8
) !void;

pub fn pbkdf2(
    comptime Prf: type,
    password: []const u8,
    salt: []const u8,
    iterations: u32,
    derived_key: []u8
) void;

var key: [32]u8 = undefined;
std.crypto.pwhash.pbkdf2(
    std.crypto.auth.hmac.Hmac(std.crypto.hash.sha2.Sha256),
    password,
    salt,
    100000,
    &key
);

const hkdf = std.crypto.kdf.hkdf;

pub fn Hkdf(comptime Hmac: type) type;

const HkdfSha256 = std.crypto.kdf.hkdf.Hkdf(
    std.crypto.auth.hmac.Hmac(std.crypto.hash.sha2.Sha256)
);

const ikm = "input key material";
const salt = "optional salt";
const info = "app-specific info";

var okm: [32]u8 = undefined;
HkdfSha256.extract(&okm, ikm, salt);
HkdfSha256.expand(&okm, info, okm);

const Ed25519 = std.crypto.sign.Ed25519;

pub const KeyPair = struct {
    public_key: [32]u8,
    secret_key: [64]u8,
    
    pub fn create(seed: [32]u8) KeyPair;
    pub fn sign(self: KeyPair, msg: []const u8, noise: ?[32]u8) [64]u8;
};

pub fn verify(
    sig: [64]u8,
    msg: []const u8,
    public_key: [32]u8
) !void;

var seed: [32]u8 = undefined;
std.crypto.random.bytes(&seed);

const kp = std.crypto.sign.Ed25519.KeyPair.create(seed);
const msg = "Sign this message";
const sig = kp.sign(msg, null);

try std.crypto.sign.Ed25519.verify(sig, msg, kp.public_key);

const ecdsa = std.crypto.sign.ecdsa;

pub fn EcdsaP256Sha256() type;
pub fn EcdsaP384Sha384() type;
pub fn EcdsaSecp256k1Sha256() type;

const mldsa = std.crypto.sign.mldsa;

pub const MlDsa44 = mldsa.MlDsa44;
pub const MlDsa65 = mldsa.MlDsa65;
pub const MlDsa87 = mldsa.MlDsa87;

const Curve25519 = std.crypto.ecc.Curve25519;
const Edwards25519 = std.crypto.ecc.Edwards25519;
const Ristretto255 = std.crypto.ecc.Ristretto255;

const P256 = std.crypto.ecc.P256;
const P384 = std.crypto.ecc.P384;

const Secp256k1 = std.crypto.ecc.Secp256k1;

const X25519 = std.crypto.dh.X25519;

pub fn create(secret_key: [32]u8) [32]u8;  // Generate public key
pub fn scalarmult(secret_key: [32]u8, public_key: [32]u8) ![32]u8;  // Shared secret

var alice_secret: [32]u8 = undefined;
std.crypto.random.bytes(&alice_secret);
const alice_public = std.crypto.dh.X25519.create(alice_secret);

var bob_secret: [32]u8 = undefined;
std.crypto.random.bytes(&bob_secret);
const bob_public = std.crypto.dh.X25519.create(bob_secret);

const shared1 = try std.crypto.dh.X25519.scalarmult(alice_secret, bob_public);
const shared2 = try std.crypto.dh.X25519.scalarmult(bob_secret, alice_public);
// shared1 == shared2

const ml_kem = std.crypto.kem.ml_kem;

pub const MlKem512 = ml_kem.MlKem512;
pub const MlKem768 = ml_kem.MlKem768;
pub const MlKem1024 = ml_kem.MlKem1024;

const random = std.crypto.random;

// Cryptographically secure RNG
pub fn bytes(buffer: []u8) void;
pub fn int(comptime T: type) T;

var key: [32]u8 = undefined;
std.crypto.random.bytes(&key);

const rand_num = std.crypto.random.int(u64);

const timing_safe = std.crypto.timing_safe;

pub fn eql(comptime T: type, a: T, b: T) bool;
pub fn compare(comptime T: type, a: []const T, b: []const T, endian: std.builtin.Endian) std.math.Order;

// Constant-time comparison (prevents timing attacks)
if (std.crypto.timing_safe.eql([32]u8, computed_tag, expected_tag)) {
    // Tags match
}