DEV Community

Paragon Initiative Enterprises

PHP 7.2: The First Programming Language to Add Modern Cryptography to its Standard Library

paragoniescott profile image Scott Arciszewski ・1 min read

Discussion (16)

Editor guide
philippgruber profile image
Philipp Gruber

I quite like this, but couldn't they come up with a better function name than

inkeliz profile image

I agree, this function name is so short, can be longer. :P

my1 profile image

does it REALLY need to be that long?
I mean sodium_dh_create() would work too.

bcalik profile image
Burak Çalık

Wow, this is probably the longest function name ever.

hengels profile image
Harald Engels

The long function name was probably chosen to increase security by obscurity (joking) :-)

alicewonder32 profile image
Alice Wonder

Thank you so much, I wasted roughly 12 hours trying to get something to work where python signed a message that a PHP script on a different machine could properly and safely verify. I was messing around with phpecc (github project) and other stuff and was getting rather frustrated.

Saw the post on libsodium in php 7.2, built the PECL module for PHP 7.1 and the python library pysodium - and within an hour had something that actually worked with very little code.

Again, thank you so much. With the convoluted stuff I was trying, I was really afraid my app would end up being an example in the wild where cryptography went bad because the developer messed up.

mistermantas profile image

Damn, that is cool! Shame I don’t know what any of that meant though…

lazzu profile image

How about C#? That hasn't got modern cryptography built-in?

paragoniescott profile image
Scott Arciszewski Author

No, it doesn't.

Please, everyone, look at the documentation for the language you're writing in and compare it to the established criteria of this post before you ask about it.

C# gives you NIST curves, not modern ECC (RFC 7748). C# doesn't give you a simple misuse-resistant AEAD interface like crypto_secretbox() or crypto_box() as part of the standard API. Therefore, it's not modern cryptography.

Weierstrass curves are not modern.

You can get that if you install libsodium-net by Adam Caudill. But that's not part of the language, that's a community-provided addon.

thdev profile image

8th has had built-in crypto, using AES+GCM by default, since its inception.

my1 profile image

hope it's also simple to use. having to work with objects and bla bla bla isnt needed imo.

the most simple would be just
put in message and key and it will automatically do IV, and all the other needed stuff for AESGCM.

thdev profile image

It does do all that pretty much. It's not an OOP language.

For example:

"some plaintext" "mypassword" "salt" 100 cr:genkey
cr:>encrypt cr:encrypt>

After that, you'll have an AES+GCM+256 encrypted buffer. You could also have skipped all the "mypassword"... genkey by using cr:randkey ... but then you would need to store that key somewhere.

If you choose to use CTR mode, you need to supply an IV, but the default is GCM.

Oh, and the reason there are two encrypt words there, is that one starts encryption and the other ends it. You can keep adding stuff to be encrypted, so for example you could encrypt a very large data stream on the fly if you wanted.

Thread Thread
paragoniescott profile image
Scott Arciszewski Author


  1. 8th isn't really a well-known language. It's not even in the less than 0.1% section of the server-side or client-side lists.
  2. According to your manual, you're still offering RSA for public-key encryption. (It doesn't specify which mode you're using but hopefully it isn't PKCS1v1.5.) This disqualifies 8th for being modern crypto. You want ECDH over a twist-secure Montgomery curve, preferably Curve25519 or Curve448.
jonnyplatt profile image
Jonny Platt

Did this article get deleted somehow?

andelafokosun profile image

The what does this mean for me part was a sweet relief, everything before it was :eyes_rolling:

extremety1989 profile image

Can you make a tutorial with real exemple on php 7.2 ?, would be great !