A fully RFC-compliant cryptographic library for .NET featuring high-performance, secure implementations of modern cryptographic algorithms with multi-framework support.
using HeroCrypt;
// Generate a random key
var key = new byte[32];
RandomNumberGenerator.Fill(key);
// Encrypt data
using var cipher = HeroCryptBuilder.ChaCha20Poly1305()
.WithKey(key)
.WithRandomNonce();
var ciphertext = cipher.Encrypt(Encoding.UTF8.GetBytes("Hello, World!"));
// Decrypt data
var plaintext = cipher.Decrypt(ciphertext);
Hashing with Blake2b
using HeroCrypt;
// Compute a 32-byte hash
using var hasher = HeroCryptBuilder.Blake2b()
.WithOutputLength(32);
var hash = hasher.ComputeHash(Encoding.UTF8.GetBytes("Hello, World!"));
// Keyed hash (MAC)
using var mac = HeroCryptBuilder.Blake2b()
.WithOutputLength(32)
.WithKey(key);
var authenticatedHash = mac.ComputeHash(data);
Digital Signatures with Ed25519
using HeroCrypt;
// Generate a key pair
using var signer = HeroCryptBuilder.Ed25519();
var (privateKey, publicKey) = signer.GenerateKeyPair();
// Sign a message
var signature = signer
.WithPrivateKey(privateKey)
.WithMessage(data)
.Sign();
// Verify a signature
bool isValid = signer
.WithPublicKey(publicKey)
.WithMessage(data)
.Verify(signature);
Key Derivation with Argon2
using HeroCrypt;
// Derive a key from a password
using var kdf = HeroCryptBuilder.Argon2()
.WithPassword(Encoding.UTF8.GetBytes("mySecurePassword"))
.WithRandomSalt()
.WithInteractivePreset(); // Balanced security/performance
var derivedKey = kdf.DeriveKey();
PGP Hybrid Encryption
using HeroCrypt;
// Generate RSA key pair
var pgp = HeroCryptBuilder.Pgp();
var keyPair = pgp.GenerateRsaKeyPair();
// Encrypt a message
var envelope = pgp.Encrypt("Secret message", keyPair.PublicKey);
// Decrypt the message
var plaintext = pgp.DecryptToString(envelope, keyPair.PrivateKey);
Working with Text Formats (Hex, Base64, Base64Url)
All builders support convenient text format methods for storing and transmitting cryptographic data:
using HeroCrypt;
// ENCRYPTION: Get key and result as text formats
using var encryptBuilder = HeroCryptBuilder.Encrypt()
.WithAesGcm()
.WithRandomKey();
var keyHex = encryptBuilder.GetKeyAsHex(); // or GetKeyAsBase64(), GetKeyAsBase64Url()
var result = encryptBuilder.Encrypt("Hello, World!");
// Access result as text - perfect for JSON, databases, URLs
var encryptedData = new {
key = keyHex,
ciphertext = result.CiphertextAsBase64Url, // URL-safe encoding
nonce = result.NonceAsBase64Url
};
// DECRYPTION: Use text format inputs directly
var decrypted = HeroCryptBuilder.Decrypt()
.WithAesGcm()
.WithKeyFromHex(encryptedData.key)
.WithNonceFromBase64Url(encryptedData.nonce)
.DecryptFromBase64UrlToString(encryptedData.ciphertext);
Password Hashing with Text Storage
using HeroCrypt;
// Hash a password and get values as text for storage
using var kdf = HeroCryptBuilder.DeriveKey()
.WithArgon2id()
.WithPassword("mySecurePassword")
.WithRandomSalt(16);
var saltHex = kdf.GetSaltAsHex();
var keyHex = kdf.DeriveKeyToHex();
// Store saltHex and keyHex in your database
// Later: Verify password using stored text values
var derivedKey = HeroCryptBuilder.DeriveKey()
.WithArgon2id()
.WithPassword(enteredPassword)
.WithSaltFromHex(storedSaltHex)
.DeriveKeyToHex();
bool isValid = derivedKey == storedKeyHex;
Hybrid Encryption with Text Formats (X25519)
using HeroCrypt;
// Encrypt with X25519 hybrid encryption
var result = HeroCryptBuilder.Encrypt()
.WithAlgorithm(EncryptionAlgorithm.X25519ChaCha20Poly1305)
.WithKey(recipientPublicKey)
.Encrypt("Confidential message");
// All components as URL-safe text for API transmission
var apiPayload = new {
c = result.CiphertextAsBase64Url,
n = result.NonceAsBase64Url,
k = result.EncapsulatedKeyAsBase64Url
};
// Decrypt using text inputs
var plaintext = HeroCryptBuilder.Decrypt()
.WithAlgorithm(EncryptionAlgorithm.X25519ChaCha20Poly1305)
.WithKey(recipientPrivateKey)
.WithNonceFromBase64Url(apiPayload.n)
.WithEncapsulatedKeyFromBase64Url(apiPayload.k)
.DecryptFromBase64UrlToString(apiPayload.c);
Text Encoding Quick Reference
Pattern
When to Use
Example
*AsHex
Properties on result structs
result.CiphertextAsHex
*AsBase64
Properties on result structs
result.NonceAsBase64
*AsBase64Url
URL-safe output for APIs
result.CiphertextAsBase64Url
*ToHex()
Action methods returning hex
kdf.DeriveKeyToHex()
*ToBase64()
Action methods returning Base64
signer.SignToBase64(data)
ComputeHashTo*()
Compute hash with text output
hasher.ComputeHashToHex(data)
Get*AsHex()
Retrieve builder state as hex
builder.GetKeyAsHex()
With*FromHex()
Set value from hex string
.WithKeyFromHex(hexKey)
With*FromBase64Url()
Set value from URL-safe Base64
.WithNonceFromBase64Url(nonce)
*FromHexToString()
Decode, process, return string
.DecryptFromHexToString(hex)
Tip: Use Base64Url for URLs, APIs, and JWTs. Use Hex for logs and debugging. See API Patterns for full details.
Post-Quantum Cryptography (.NET 10+)
using HeroCrypt;
// ML-KEM: Quantum-resistant key encapsulation
using var mlKem = HeroCryptBuilder.MlKem()
.WithParameterSet(MlKemParameterSet.MlKem768);
var (publicKey, privateKey) = mlKem.GenerateKeyPair();
var (ciphertext, sharedSecret) = mlKem.Encapsulate(publicKey);
var decapsulated = mlKem.Decapsulate(ciphertext, privateKey);
// ML-DSA: Quantum-resistant digital signatures
using var mlDsa = HeroCryptBuilder.MlDsa()
.WithParameterSet(MlDsaParameterSet.MlDsa65);
var (signingKey, verifyKey) = mlDsa.GenerateKeyPair();
var signature = mlDsa.Sign(data, signingKey);
bool isValid = mlDsa.Verify(data, signature, verifyKey);
🏗️ Architecture
HeroCrypt is built with a small, layered architecture:
