As far as I know, none of the existing post-quantum cryptography candidates offer a viable replacement for libsodium's crypto_box_seal() functionality. That is: Anonymous public-key encryption.

An example for where this would be useful is encrypting credit card numbers in a database, but only being able to decrypt them with a key that is kept offline.

An attractive solution would be to use SIDH in place of ECDH, building a similar protocol (i.e. ECDH with one ephemeral keypair and one static keypair, then an authenticated cipher). However, as noted in this paper by Galbraith, et al., an active attack against SIDH with static keys is possible.

client.php
namespace ChronicleClient;
use GuzzleHttp\Client;
use ParagonIE\Chronicle\Chronicle;
use ParagonIE\ConstantTime\Base64UrlSafe;
use ParagonIE\Sapient\Adapter\Guzzle;
use ParagonIE\Sapient\CryptographyKeys\{
rsa-mult.php
/* Key generation */
$keypair = openssl_pkey_new([
    'digest_alg' => 'sha512',
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 1024,
]);
$secret = null;
if (!openssl_pkey_export($keypair, $secret)) {
autoload.php
define('DEFUSE_CRYPTO_BASEDIR', __DIR__.'/src/');
/* PSR-4 compatible autoloader */
\spl_autoload_register(function ($class) {
    // Project-specific namespace prefix

Changes to JOSE that will prevent insecurity

Drop the alg header

Neither JOSE users nor JOSE library designers should be required to understand cryptography primitives. At a lower level, this can lead to badly implemented primitives. On a higher level, this can lead to reasoning by lego.

Trololol.php
class Foo
/**
 * Even if the calling code isn't using strict_types, this will still throw a TypeError
 * if the wrong type is passed.
 */
public function bar($param, $secondParam)
JWTKiller.php
use ParagonIE\ConstantTime\Base64UrlSafe;
class JWTKiller
public static function sign(string $message, Key $key): string
$mac = sodium_crypto_auth($message, $key->getRaw());

This is a more "how" to the "what":

HTTPS + Digital Signatures

This is a minimalistic secure auto update approach.

  1. Make an API call to a server to get the latest version information. This should be delivered over HTTPS, possibly with HPKP.
  2. If an update is available, the client software should download the update file.
  3. An Ed25519 signature should be available, either as a separate API call or as an HTTP header with the downloaded file.
  4. Verify that the signature is valid for one of the hard-coded Ed25519 public keys.
sodium-compat-aes-gcm.php
$message = random_bytes(1024);
$key = random_bytes(32);
$nonce = random_bytes(12);
$tag = '';
$aad = random_bytes(random_int(1, 127));
$cipher = openssl_encrypt($message, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag, $aad, 16);