Skip to content

Xor-el/CryptoLib4Pascal

BranchesTags

Repository files navigation

CryptoLib4Pascal logo

CryptoLib4Pascal

Comprehensive cryptographic library for modern Object Pascal

Build Status License: MIT Delphi Syndey+ FreePascal 3.2.2+

CryptoLib4Pascal brings production-grade cryptography to Delphi and FreePascal. From AES-GCM and ChaCha20-Poly1305 to ECDSA, EdDSA, RSA, Argon2, NIST post-quantum algorithms (ML-KEM, ML-DSA, SLH-DSA), and X.509 certificates -- everything you need to build secure applications in Object Pascal, released under the permissive MIT License.

Table of Contents

Features

  • Symmetric encryption -- AES, Rijndael, Blowfish, Speck, (X)ChaCha20, (X)Salsa20
  • Authenticated encryption (AEAD) -- GCM, GCM-SIV, CCM, EAX, OCB, (X)ChaCha20-Poly1305
  • Asymmetric cryptography -- RSA, DSA, ECDSA, EdDSA (Ed25519, Ed448), ECNR, Schnorr (Bip340), MuSig2 (Bip327)
  • Post-quantum cryptography (PQC) -- ML-KEM (FIPS 203), ML-DSA (FIPS 204), SLH-DSA (FIPS 205)
  • Key exchange -- DH, ECDH, X25519, X448
  • Hashing -- SHA-2, SHA-3, Blake2, Keccak, RIPEMD, and more
  • Password hashing -- Argon2 (2i/2d/2id), Scrypt, PBKDF2
  • MACs -- HMAC, CMAC, KMAC, GMac, Poly1305, SipHash
  • X.509 certificates -- generation and parsing
  • PEM encoding -- OpenSSL-compatible import/export
  • Cross-platform -- Windows, Linux, macOS, iOS, Android, Solaris, and BSDs

Available Algorithms

Symmetric Encryption

Block Ciphers

AES (128, 192, 256) | Rijndael | Blowfish | Speck

Stream Ciphers

ChaCha | (X)Salsa20

AEAD Ciphers

AES-GCM | AES-GCM-SIV | AES-CCM | AES-EAX | AES-OCB | ChaCha20-Poly1305

Block Cipher Modes

ECB | CBC | CFB | CTR | CTS | OFB | SIC

Block Cipher Padding Schemes

PKCS#5 | PKCS#7 | ISO 10126-2 | ISO 7816-4 | ISO/IEC 9797-1 (Bit) | ANSI X9.23 | TBC | Zero

Asymmetric Cryptography
  • RSA -- PKCS#1, OAEP, PSS, ISO 9796
  • DSA / Deterministic DSA
  • ECDSA -- NIST, X9.62, SEC2, Brainpool curves
  • ECNR
  • EdDSA -- Ed25519, Ed448
  • Schnorr -- Bip340
  • MuSig2 -- Bip327
Key Agreement / Exchange

DH | ECDH | ECDHC | X25519 | X448 | ML-KEM

Post-Quantum Cryptography (PQC)

NIST-standardized post-quantum algorithms with NIST-assigned OIDs, PKCS#8 / SubjectPublicKeyInfo encoding, optional signing/KEM context (FIPS 204 / FIPS 205), and NIST ACVP test-vector coverage.

ML-KEM — FIPS 203

Module-Lattice-Based Key-Encapsulation Mechanism (CRYSTALS-Kyber).

Parameter set NIST security category
ML-KEM-512 1
ML-KEM-768 3
ML-KEM-1024 5

Key generation, encapsulation, and decapsulation via TGeneratorUtilities / TKemUtilities.

ML-DSA — FIPS 204

Module-Lattice-Based Digital Signature Algorithm (CRYSTALS-Dilithium).

Parameter set NIST security category
ML-DSA-44 2
ML-DSA-65 3
ML-DSA-87 5

HashML-DSA pre-hash variants (SHA-512): ML-DSA-44-WITH-SHA512, ML-DSA-65-WITH-SHA512, ML-DSA-87-WITH-SHA512

Sign and verify via TSignerUtilities (TMlDsaSigner, THashMlDsaSigner).

SLH-DSA — FIPS 205

Stateless Hash-Based Digital Signature Algorithm (SPHINCS+).

Family Parameter sets
SHA-2 SLH-DSA-SHA2-128s, 128f, 192s, 192f, 256s, 256f
SHAKE SLH-DSA-SHAKE-128s, 128f, 192s, 192f, 256s, 256f

HashSLH-DSA pre-hash variants for each parameter set — SHA-2 sets use WITH-SHA256 (128-bit) or WITH-SHA512 (192/256-bit); SHAKE sets use WITH-SHAKE128 (128-bit) or WITH-SHAKE256 (192/256-bit). Examples: SLH-DSA-SHA2-128F-WITH-SHA256, SLH-DSA-SHAKE-256S-WITH-SHAKE256.

Sign and verify via TSignerUtilities (TSlhDsaSigner, THashSlhDsaSigner).

Key Derivation Functions

HKDF | KDF1 | KDF2

Password Hashing

Argon2 (2i, 2d, 2id) | Scrypt | PBKDF2

MACs

HMAC (all supported hashes) | CMAC | KMAC (128, 256) | GMac | Poly1305 | SipHash

Hash Functions
Family Variants
MD MD2, MD4, MD5
SHA-1 SHA-1
SHA-2 224, 256, 384, 512, 512-224, 512-256
SHA-3 224, 256, 384, 512
Keccak 224, 256, 288, 384, 512
Blake2B 160, 256, 384, 512
Blake2S 128, 160, 224, 256
RIPEMD 128, 160, 256, 320
GOST 3411, 3411-2012 (256, 512)
Others Tiger, WhirlPool
XOF (Extendable Output Functions)

Shake-128 | Shake-256

Utilities
  • System RNG wrappers
  • ASN.1 parsing
  • Base encoding/decoding (Hex, Base64, etc.)
  • X.509 certificate generation and parsing
  • OpenSSL-compatible PEM reader/writer

Getting Started

Prerequisites

Compiler Minimum Version
Delphi Sydney (10.4) or later
FreePascal 3.2.2 or later

Installation

1. Clone the repository:

git clone https://github.com/Xor-el/CryptoLib4Pascal.git

2a. Delphi

  • Open and install the package: CryptoLib/src/Packages/Delphi/CryptoLib4PascalPackage.dpk
  • Also install the required dependency packages: HashLib4Pascal and SimpleBaseLib4Pascal
  • Add the CryptoLib/src subdirectories to your project's search path

2b. FreePascal / Lazarus

  • Open and install the package: CryptoLib/src/Packages/FPC/CryptoLib4PascalPackage.lpk
  • Also install the required dependency packages: HashLib4Pascal and SimpleBaseLib4Pascal

Quick Examples

AES-CBC Encrypt / Decrypt

uses
  ClpIBufferedCipher, ClpCipherUtilities, ClpParameterUtilities,
  ClpParametersWithIV, ClpConverters, ClpSecureRandom, ClpISecureRandom,
  ClpICipherParameters;

var
  LCipher: IBufferedCipher;
  LRandom: ISecureRandom;
  LKey, LIV, LPlain, LCipherText, LDecrypted: TBytes;
  LParams: ICipherParameters;
begin
  LRandom := TSecureRandom.Create();

  // Generate a random 256-bit key and 128-bit IV
  SetLength(LKey, 32);
  SetLength(LIV, 16);
  LRandom.NextBytes(LKey);
  LRandom.NextBytes(LIV);

  LParams := TParametersWithIV.Create(
    TParameterUtilities.CreateKeyParameter('AES', LKey), LIV);

  LPlain := TConverters.ConvertStringToBytes('Secret message', TEncoding.UTF8);

  // Encrypt
  LCipher := TCipherUtilities.GetCipher('AES/CBC/PKCS7PADDING');
  LCipher.Init(True, LParams);
  LCipherText := LCipher.DoFinal(LPlain);

  // Decrypt
  LCipher.Init(False, LParams);
  LDecrypted := LCipher.DoFinal(LCipherText);
end;

SHA-256 Hashing

uses
  ClpIDigest, ClpDigestUtilities, ClpConverters, ClpEncoders;

var
  LDigest: IDigest;
  LInput, LHash: TBytes;
begin
  LInput := TConverters.ConvertStringToBytes('Hello CryptoLib', TEncoding.UTF8);

  LDigest := TDigestUtilities.GetDigest('SHA-256');
  SetLength(LHash, LDigest.GetDigestSize);
  LDigest.BlockUpdate(LInput, 0, Length(LInput));
  LDigest.DoFinal(LHash, 0);

  WriteLn('SHA-256: ', THexEncoder.Encode(LHash, False));
end;

ECDSA Sign / Verify

uses
  ClpECUtilities, ClpIX9ECParametersHolder, ClpECParameters, ClpIECParameters,
  ClpSignerUtilities, ClpISigner, ClpConverters, ClpGeneratorUtilities,
  ClpSecureRandom, ClpISecureRandom, ClpECGenerators, ClpIECGenerators,
  ClpIAsymmetricCipherKeyPair, ClpIAsymmetricCipherKeyPairGenerator;

var
  LCurve: IX9ECParameters;
  LDomain: IECDomainParameters;
  LKpg: IAsymmetricCipherKeyPairGenerator;
  LKp: IAsymmetricCipherKeyPair;
  LSigner: ISigner;
  LMsg, LSig: TBytes;
begin
  // Set up the secp256k1 curve
  LCurve := TECUtilities.FindECCurveByName('secp256k1');
  LDomain := TECDomainParameters.Create(LCurve.Curve, LCurve.G,
    LCurve.N, LCurve.H, LCurve.GetSeed);

  // Generate a key pair
  LKpg := TGeneratorUtilities.GetKeyPairGenerator('ECDSA');
  LKpg.Init(TECKeyGenerationParameters.Create(LDomain,
    TSecureRandom.Create() as ISecureRandom));
  LKp := LKpg.GenerateKeyPair();

  LMsg := TConverters.ConvertStringToBytes('Sign me', TEncoding.UTF8);

  // Sign
  LSigner := TSignerUtilities.GetSigner('SHA-256withECDSA');
  LSigner.Init(True, LKp.Private);
  LSigner.BlockUpdate(LMsg, 0, Length(LMsg));
  LSig := LSigner.GenerateSignature();

  // Verify
  LSigner.Init(False, LKp.Public);
  LSigner.BlockUpdate(LMsg, 0, Length(LMsg));
  Assert(LSigner.VerifySignature(LSig));
end;

More examples (RSA, EC, Ed25519, ML-KEM, ML-DSA, SLH-DSA, certificates, password hashing, etc.) are available in the CryptoLib.Examples directory.

Supported Platforms

OS Delphi FreePascal
Windows (XP and later)
Linux
macOS
Oracle Solaris
BSD (FreeBSD)
Android
iOS 2.0+

✅ Tested and passing · ❓ Untested · ➖ Not applicable

Architectures: I386, X86_64, ARM32, AArch64

Running Tests

Tests use DUnit (Delphi) and FPCUnit (FreePascal).

Delphi: Open CryptoLib.Tests/Delphi.Tests/CryptoLib.Tests.dpr in the IDE and run.

FreePascal / Lazarus: Open CryptoLib.Tests/FreePascal.Tests/CryptoLib.Tests.lpi in the IDE and run.

Dependencies

CryptoLib4Pascal requires two companion libraries that must be installed separately:

Dependency Purpose
HashLib4Pascal Hash function implementations
SimpleBaseLib4Pascal Base encoding/decoding

Contributing

Contributions are welcome. Please open an issue for bug reports or feature requests, and submit pull requests.

Sponsors

Tip Jar

If you find this library useful and would like to support its continued development, tips are greatly appreciated! 🙏

Cryptocurrency Wallet Address
Bitcoin Bitcoin (BTC) bc1quqhe342vw4ml909g334w9ygade64szqupqulmu
Ethereum Ethereum (ETH) 0x53651185b7467c27facab542da5868bfebe2bb69
Solana Solana (SOL) BPZHjY1eYCdQjLecumvrTJRi5TXj3Yz1vAWcmyEB9Miu

License

CryptoLib4Pascal is released under the MIT License.

About

Crypto for Modern Object Pascal

Topics

delphi cryptography rsa fpc ecdsa eddsa

Resources

Readme

License

MIT license
Activity

Stars

245 stars

Watchers

33 watching

Forks

74 forks
Report repository

Releases 1

v3.2 Latest
May 1, 2026

Sponsor this project

  •  
Learn more about GitHub Sponsors

Packages

 
 
 

Contributors

Languages