Package detail

tweetnacl

dchest99.4mUnlicense1.0.3

Port of TweetNaCl cryptographic library to JavaScript

crypto, cryptography, curve25519, ed25519, encrypt, hash, key, nacl, poly1305, public, salsa20, signatures

readme

TweetNaCl.js

Port of TweetNaCl / NaCl to JavaScript for modern browsers and Node.js. Public domain.

Demo: https://dchest.github.io/tweetnacl-js/

Documentation

Overview
Audits
Installation
Examples
Usage
System requirements
Development and testing
Benchmarks
Contributors
Who uses it

Overview

The primary goal of this project is to produce a translation of TweetNaCl to JavaScript which is as close as possible to the original C implementation, plus a thin layer of idiomatic high-level API on top of it.

There are two versions, you can use either of them:

nacl.js is the port of TweetNaCl with minimum differences from the original + high-level API.
nacl-fast.js is like nacl.js, but with some functions replaced with faster versions. (Used by default when importing NPM package.)

Audits

TweetNaCl.js has been audited by Cure53 in January-February 2017 (audit was sponsored by Deletype):

The overall outcome of this audit signals a particularly positive assessment for TweetNaCl-js, as the testing team was unable to find any security problems in the library. It has to be noted that this is an exceptionally rare result of a source code audit for any project and must be seen as a true testament to a development proceeding with security at its core.

To reiterate, the TweetNaCl-js project, the source code was found to be bug-free at this point.

[...]

In sum, the testing team is happy to recommend the TweetNaCl-js project as likely one of the safer and more secure cryptographic tools among its competition.

Read full audit report

Installation

You can install TweetNaCl.js via a package manager:

Yarn:

$ yarn add tweetnacl

NPM:

$ npm install tweetnacl

or download source code.

Examples

You can find usage examples in our wiki.

Usage

All API functions accept and return bytes as Uint8Arrays. If you need to encode or decode strings, use functions from https://github.com/dchest/tweetnacl-util-js or one of the more robust codec packages.

In Node.js v4 and later Buffer objects are backed by Uint8Arrays, so you can freely pass them to TweetNaCl.js functions as arguments. The returned objects are still Uint8Arrays, so if you need Buffers, you'll have to convert them manually; make sure to convert using copying: Buffer.from(array) (or new Buffer(array) in Node.js v4 or earlier), instead of sharing: Buffer.from(array.buffer) (or new Buffer(array.buffer) Node 4 or earlier), because some functions return subarrays of their buffers.

Public-key authenticated encryption (box)

Implements x25519-xsalsa20-poly1305.

nacl.box.keyPair()

Generates a new random key pair for box and returns it as an object with publicKey and secretKey members:

{
   publicKey: ...,  // Uint8Array with 32-byte public key
   secretKey: ...   // Uint8Array with 32-byte secret key
}

nacl.box.keyPair.fromSecretKey(secretKey)

Returns a key pair for box with public key corresponding to the given secret key.

nacl.box(message, nonce, theirPublicKey, mySecretKey)

Encrypts and authenticates message using peer's public key, our secret key, and the given nonce, which must be unique for each distinct message for a key pair.

Returns an encrypted and authenticated message, which is nacl.box.overheadLength longer than the original message.

nacl.box.open(box, nonce, theirPublicKey, mySecretKey)

Authenticates and decrypts the given box with peer's public key, our secret key, and the given nonce.

Returns the original message, or null if authentication fails.

nacl.box.before(theirPublicKey, mySecretKey)

Returns a precomputed shared key which can be used in nacl.box.after and nacl.box.open.after.

nacl.box.after(message, nonce, sharedKey)

Same as nacl.box, but uses a shared key precomputed with nacl.box.before.

nacl.box.open.after(box, nonce, sharedKey)

Same as nacl.box.open, but uses a shared key precomputed with nacl.box.before.

Constants

nacl.box.publicKeyLength = 32

Length of public key in bytes.

nacl.box.secretKeyLength = 32

Length of secret key in bytes.

nacl.box.sharedKeyLength = 32

Length of precomputed shared key in bytes.

nacl.box.nonceLength = 24

Length of nonce in bytes.

nacl.box.overheadLength = 16

Length of overhead added to box compared to original message.

Secret-key authenticated encryption (secretbox)

Implements xsalsa20-poly1305.

nacl.secretbox(message, nonce, key)

Encrypts and authenticates message using the key and the nonce. The nonce must be unique for each distinct message for this key.

Returns an encrypted and authenticated message, which is nacl.secretbox.overheadLength longer than the original message.

nacl.secretbox.open(box, nonce, key)

Authenticates and decrypts the given secret box using the key and the nonce.

Returns the original message, or null if authentication fails.

Constants

nacl.secretbox.keyLength = 32

Length of key in bytes.

nacl.secretbox.nonceLength = 24

Length of nonce in bytes.

nacl.secretbox.overheadLength = 16

Length of overhead added to secret box compared to original message.

Scalar multiplication

Implements x25519.

nacl.scalarMult(n, p)

Multiplies an integer n by a group element p and returns the resulting group element.

nacl.scalarMult.base(n)

Multiplies an integer n by a standard group element and returns the resulting group element.

Constants

nacl.scalarMult.scalarLength = 32

Length of scalar in bytes.

nacl.scalarMult.groupElementLength = 32

Length of group element in bytes.

Signatures

Implements ed25519.

nacl.sign.keyPair()

Generates new random key pair for signing and returns it as an object with publicKey and secretKey members:

{
   publicKey: ...,  // Uint8Array with 32-byte public key
   secretKey: ...   // Uint8Array with 64-byte secret key
}

nacl.sign.keyPair.fromSecretKey(secretKey)

Returns a signing key pair with public key corresponding to the given 64-byte secret key. The secret key must have been generated by nacl.sign.keyPair or nacl.sign.keyPair.fromSeed.

nacl.sign.keyPair.fromSeed(seed)

Returns a new signing key pair generated deterministically from a 32-byte seed. The seed must contain enough entropy to be secure. This method is not recommended for general use: instead, use nacl.sign.keyPair to generate a new key pair from a random seed.

nacl.sign(message, secretKey)

Signs the message using the secret key and returns a signed message.

nacl.sign.open(signedMessage, publicKey)

Verifies the signed message and returns the message without signature.

Returns null if verification failed.

nacl.sign.detached(message, secretKey)

Signs the message using the secret key and returns a signature.

nacl.sign.detached.verify(message, signature, publicKey)

Verifies the signature for the message and returns true if verification succeeded or false if it failed.

Constants

nacl.sign.publicKeyLength = 32

Length of signing public key in bytes.

nacl.sign.secretKeyLength = 64

Length of signing secret key in bytes.

nacl.sign.seedLength = 32

Length of seed for nacl.sign.keyPair.fromSeed in bytes.

nacl.sign.signatureLength = 64

Length of signature in bytes.

Hashing

Implements SHA-512.

nacl.hash(message)

Returns SHA-512 hash of the message.

Constants

nacl.hash.hashLength = 64

Length of hash in bytes.

Random bytes generation

nacl.randomBytes(length)

Returns a Uint8Array of the given length containing random bytes of cryptographic quality.

Implementation note

TweetNaCl.js uses the following methods to generate random bytes, depending on the platform it runs on:

window.crypto.getRandomValues (WebCrypto standard)
window.msCrypto.getRandomValues (Internet Explorer 11)
crypto.randomBytes (Node.js)

If the platform doesn't provide a suitable PRNG, the following functions, which require random numbers, will throw exception:

nacl.randomBytes
nacl.box.keyPair
nacl.sign.keyPair

Other functions are deterministic and will continue working.

If a platform you are targeting doesn't implement secure random number generator, but you somehow have a cryptographically-strong source of entropy (not Math.random!), and you know what you are doing, you can plug it into TweetNaCl.js like this:

nacl.setPRNG(function(x, n) {
  // ... copy n random bytes into x ...
});

Note that nacl.setPRNG completely replaces internal random byte generator with the one provided.

Constant-time comparison

nacl.verify(x, y)

Compares x and y in constant time and returns true if their lengths are non-zero and equal, and their contents are equal.

Returns false if either of the arguments has zero length, or arguments have different lengths, or their contents differ.

System requirements

TweetNaCl.js supports modern browsers that have a cryptographically secure pseudorandom number generator and typed arrays, including the latest versions of:

Chrome
Firefox
Safari (Mac, iOS)
Internet Explorer 11

Other systems:

Node.js

Development and testing

Install NPM modules needed for development:

$ npm install

To build minified versions:

$ npm run build

Tests use minified version, so make sure to rebuild it every time you change nacl.js or nacl-fast.js.

Testing

To run tests in Node.js:

$ npm run test-node

By default all tests described here work on nacl.min.js. To test other versions, set environment variable NACL_SRC to the file name you want to test. For example, the following command will test fast minified version:

$ NACL_SRC=nacl-fast.min.js npm run test-node

To run full suite of tests in Node.js, including comparing outputs of JavaScript port to outputs of the original C version:

$ npm run test-node-all

To prepare tests for browsers:

$ npm run build-test-browser

and then open test/browser/test.html (or test/browser/test-fast.html) to run them.

To run tests in both Node and Electron:

$ npm test

Benchmarking

To run benchmarks in Node.js:

$ npm run bench
$ NACL_SRC=nacl-fast.min.js npm run bench

To run benchmarks in a browser, open test/benchmark/bench.html (or test/benchmark/bench-fast.html).

Benchmarks

For reference, here are benchmarks from MacBook Pro (Retina, 13-inch, Mid 2014) laptop with 2.6 GHz Intel Core i5 CPU (Intel) in Chrome 53/OS X and Xiaomi Redmi Note 3 smartphone with 1.8 GHz Qualcomm Snapdragon 650 64-bit CPU (ARM) in Chrome 52/Android:

| | nacl.js Intel | nacl-fast.js Intel | nacl.js ARM | nacl-fast.js ARM | | ------------- |:-------------:|:-------------------:|:-------------:|:-----------------:| | salsa20 | 1.3 MB/s | 128 MB/s | 0.4 MB/s | 43 MB/s | | poly1305 | 13 MB/s | 171 MB/s | 4 MB/s | 52 MB/s | | hash | 4 MB/s | 34 MB/s | 0.9 MB/s | 12 MB/s | | secretbox 1K | 1113 op/s | 57583 op/s | 334 op/s | 14227 op/s | | box 1K | 145 op/s | 718 op/s | 37 op/s | 368 op/s | | scalarMult | 171 op/s | 733 op/s | 56 op/s | 380 op/s | | sign | 77 op/s | 200 op/s | 20 op/s | 61 op/s | | sign.open | 39 op/s | 102 op/s | 11 op/s | 31 op/s |

(You can run benchmarks on your devices by clicking on the links at the bottom of the home page).

In short, with nacl-fast.js and 1024-byte messages you can expect to encrypt and authenticate more than 57000 messages per second on a typical laptop or more than 14000 messages per second on a $170 smartphone, sign about 200 and verify 100 messages per second on a laptop or 60 and 30 messages per second on a smartphone, per CPU core (with Web Workers you can do these operations in parallel), which is good enough for most applications.

Contributors

See AUTHORS.md file.

Third-party libraries based on TweetNaCl.js

forward-secrecy — Axolotl ratchet implementation
nacl-stream - streaming encryption
tweetnacl-auth-js — implementation of crypto_auth
tweetnacl-sealed-box — implementation of sealed boxes
chloride - unified API for various NaCl modules

Who uses it

Some notable users of TweetNaCl.js:

changelog

TweetNaCl.js Changelog

v1.0.3

IMPORTANT BUG FIX. Due to a bug in calculating carry in modulo reduction that used bit operations on integers larger than 32 bits, nacl.sign or nacl.sign.detached could have created incorrect signatures.

This only affects signing, not verification.

Thanks to @valerini on GitHub for finding and reporting the bug.

v1.0.2

Exported more internal undocumented functions for third-party projects that rely on low-level interface, (something users of TweetNaCl shouldn't care about).

v1.0.1

Updated documentation and typings.

v1.0.0

No code changes from v1.0.0-rc.1.

v1.0.0-rc.1

IMPORTANT! In previous versions, nacl.secretbox.open, nacl.box.open, and nacl.box.after returned false when opening failed (for example, when using incorrect key, nonce, or when input was maliciously or accidentally modified after encryption). This version instead returns null.

The usual way to check for this condition:

if (!result) { ... }

is correct and will continue to work.

However, direct comparison with false:

if (result == false) { ... }

it will no longer work and will not detect failure. Please check your code for this condition.

(nacl.sign.open always returned null, so it is not affected.)

Arguments type check now uses instanceof Uint8Array instead of Object.prototype.toString.
Removed deprecation checks for nacl.util (moved to a separate package in v0.14.0).
Removed deprecation checks for the old signature API (changed in v0.10.0).
Improved benchmarking.

v0.14.5

Fixed incomplete return types in TypeScript typings.
Replaced COPYING.txt with LICENSE file, which now has public domain dedication text from The Unlicense. License fields in package.json and bower.json have been set to "Unlicense". The project was and will be in the public domain -- this change just makes it easier for automated tools to know about this fact by using the widely recognized and SPDX-compatible template for public domain dedication.

v0.14.4

Added TypeScript type definitions (contributed by @AndSDev).
Improved benchmarking code.

v0.14.3

Fixed a bug in the fast version of Poly1305 and brought it back.

Thanks to @floodyberry for promptly responding and fixing the original C code:

"The issue was not properly detecting if st->h was >= 2^130 - 5, coupled with [testing mistake] not catching the failure. The chance of the bug affecting anything in the real world is essentially zero luckily, but it's good to have it fixed."

https://github.com/floodyberry/poly1305-donna/issues/2#issuecomment-202698577

v0.14.2

Switched Poly1305 fast version back to original (slow) version due to a bug.

v0.14.1

No code changes, just tweaked packaging and added COPYING.txt.

v0.14.0

Breaking change! All functions from nacl.util have been removed. These functions are no longer available:
```
nacl.util.decodeUTF8
nacl.util.encodeUTF8
nacl.util.decodeBase64
nacl.util.encodeBase64
```
If want to continue using them, you can include https://github.com/dchest/tweetnacl-util-js package:
```
<script src="nacl.min.js"></script>
<script src="nacl-util.min.js"></script>
```
or
```
var nacl = require('tweetnacl');
nacl.util = require('tweetnacl-util');
```
However it is recommended to use better packages that have wider compatibility and better performance. Functions from nacl.util were never intended to be robust solution for string conversion and were included for convenience: cryptography library is not the right place for them.

Currently calling these functions will throw error pointing to tweetnacl-util-js (in the next version this error message will be removed).
Improved detection of available random number generators, making it possible to use nacl.randomBytes and related functions in Web Workers without changes.
Changes to testing (see README).

v0.13.3

No code changes.

Reverted license field in package.json to "Public domain".
Fixed typo in README.

v0.13.2

Fixed undefined variable bug in fast version of Poly1305. No worries, this bug was never triggered.
Specified CC0 public domain dedication.
Updated development dependencies.

v0.13.1

Exclude crypto and buffer modules from browserify builds.

v0.13.0

Made nacl-fast the default version in NPM package. Now require("tweetnacl") will use fast version; to get the original version, use require("tweetnacl/nacl.js").
Cleanup temporary array after generating random bytes.

v0.12.2

Improved performance of curve operations, making nacl.scalarMult, nacl.box, nacl.sign and related functions up to 3x faster in nacl-fast version.

v0.12.1

Significantly improved performance of Salsa20 (~1.5x faster) and Poly1305 (~3.5x faster) in nacl-fast version.

v0.12.0

Instead of using the given secret key directly, TweetNaCl.js now copies it to a new array in nacl.box.keyPair.fromSecretKey and nacl.sign.keyPair.fromSecretKey.

v0.11.2

Added new constant: nacl.sign.seedLength.

v0.11.1

Even faster hash for both short and long inputs (in nacl-fast).

v0.11.0

Implement nacl.sign.keyPair.fromSeed to enable creation of sign key pairs deterministically from a 32-byte seed. (It behaves like libsodium's crypto_sign_seed_keypair: the seed becomes a secret part of the secret key.)
Fast version now has an improved hash implementation that is 2x-5x faster.
Fixed benchmarks, which may have produced incorrect measurements.

v0.10.1

Exported undocumented nacl.lowlevel.crypto_core_hsalsa20.

v0.10.0

Signature API breaking change! nacl.sign and nacl.sign.open now deal with signed messages, and new nacl.sign.detached and nacl.sign.detached.verify are available.

Previously, nacl.sign returned a signature, and nacl.sign.open accepted a message and "detached" signature. This was unlike NaCl's API, which dealt with signed messages (concatenation of signature and message).

The new API is:
```
nacl.sign(message, secretKey) -> signedMessage
nacl.sign.open(signedMessage, publicKey) -> message | null
```
Since detached signatures are common, two new API functions were introduced:
```
nacl.sign.detached(message, secretKey) -> signature
nacl.sign.detached.verify(message, signature, publicKey) -> true | false
```
(Note that it's verify, not open, and it returns a boolean value, unlike open, which returns an "unsigned" message.)
NPM package now comes without test directory to keep it small.

v0.9.2

Improved documentation.
Fast version: increased theoretical message size limit from 2^32-1 to 2^52 bytes in Poly1305 (and thus, secretbox and box). However this has no impact in practice since JavaScript arrays or ArrayBuffers are limited to 32-bit indexes, and most implementations won't allocate more than a gigabyte or so. (Obviously, there are no tests for the correctness of implementation.) Also, it's not recommended to use messages that large without splitting them into smaller packets anyway.

v0.9.1

Initial release