|
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459 |
- TweetNaCl.js
- ============
-
- Port of [TweetNaCl](http://tweetnacl.cr.yp.to) / [NaCl](http://nacl.cr.yp.to/)
- to JavaScript for modern browsers and Node.js. Public domain.
-
- [![Build Status](https://travis-ci.org/dchest/tweetnacl-js.svg?branch=master)
- ](https://travis-ci.org/dchest/tweetnacl-js)
-
- Demo: <https://tweetnacl.js.org>
-
- **:warning: The library is stable and API is frozen, however it has not been
- independently reviewed. If you can help reviewing it, please [contact
- me](mailto:dmitry@codingrobots.com).**
-
- Documentation
- =============
-
- * [Overview](#overview)
- * [Installation](#installation)
- * [Usage](#usage)
- * [Public-key authenticated encryption (box)](#public-key-authenticated-encryption-box)
- * [Secret-key authenticated encryption (secretbox)](#secret-key-authenticated-encryption-secretbox)
- * [Scalar multiplication](#scalar-multiplication)
- * [Signatures](#signatures)
- * [Hashing](#hashing)
- * [Random bytes generation](#random-bytes-generation)
- * [Constant-time comparison](#constant-time-comparison)
- * [System requirements](#system-requirements)
- * [Development and testing](#development-and-testing)
- * [Benchmarks](#benchmarks)
- * [Contributors](#contributors)
- * [Who uses it](#who-uses-it)
-
-
- Overview
- --------
-
- The primary goal of this project is to produce a translation of TweetNaCl to
- JavaScript which is as close as possible to the original C implementation, plus
- a thin layer of idiomatic high-level API on top of it.
-
- There are two versions, you can use either of them:
-
- * `nacl.js` is the port of TweetNaCl with minimum differences from the
- original + high-level API.
-
- * `nacl-fast.js` is like `nacl.js`, but with some functions replaced with
- faster versions.
-
-
- Installation
- ------------
-
- You can install TweetNaCl.js via a package manager:
-
- [Bower](http://bower.io):
-
- $ bower install tweetnacl
-
- [NPM](https://www.npmjs.org/):
-
- $ npm install tweetnacl
-
- or [download source code](https://github.com/dchest/tweetnacl-js/releases).
-
-
- Usage
- -----
-
- All API functions accept and return bytes as `Uint8Array`s. If you need to
- encode or decode strings, use functions from
- <https://github.com/dchest/tweetnacl-util-js> or one of the more robust codec
- packages.
-
- In Node.js v4 and later `Buffer` objects are backed by `Uint8Array`s, so you
- can freely pass them to TweetNaCl.js functions as arguments. The returned
- objects are still `Uint8Array`s, so if you need `Buffer`s, you'll have to
- convert them manually; make sure to convert using copying: `new Buffer(array)`,
- instead of sharing: `new Buffer(array.buffer)`, because some functions return
- subarrays of their buffers.
-
-
- ### Public-key authenticated encryption (box)
-
- Implements *curve25519-xsalsa20-poly1305*.
-
- #### nacl.box.keyPair()
-
- Generates a new random key pair for box and returns it as an object with
- `publicKey` and `secretKey` members:
-
- {
- publicKey: ..., // Uint8Array with 32-byte public key
- secretKey: ... // Uint8Array with 32-byte secret key
- }
-
-
- #### nacl.box.keyPair.fromSecretKey(secretKey)
-
- Returns a key pair for box with public key corresponding to the given secret
- key.
-
- #### nacl.box(message, nonce, theirPublicKey, mySecretKey)
-
- Encrypt and authenticates message using peer's public key, our secret key, and
- the given nonce, which must be unique for each distinct message for a key pair.
-
- Returns an encrypted and authenticated message, which is
- `nacl.box.overheadLength` longer than the original message.
-
- #### nacl.box.open(box, nonce, theirPublicKey, mySecretKey)
-
- Authenticates and decrypts the given box with peer's public key, our secret
- key, and the given nonce.
-
- Returns the original message, or `false` if authentication fails.
-
- #### nacl.box.before(theirPublicKey, mySecretKey)
-
- Returns a precomputed shared key which can be used in `nacl.box.after` and
- `nacl.box.open.after`.
-
- #### nacl.box.after(message, nonce, sharedKey)
-
- Same as `nacl.box`, but uses a shared key precomputed with `nacl.box.before`.
-
- #### nacl.box.open.after(box, nonce, sharedKey)
-
- Same as `nacl.box.open`, but uses a shared key precomputed with `nacl.box.before`.
-
- #### nacl.box.publicKeyLength = 32
-
- Length of public key in bytes.
-
- #### nacl.box.secretKeyLength = 32
-
- Length of secret key in bytes.
-
- #### nacl.box.sharedKeyLength = 32
-
- Length of precomputed shared key in bytes.
-
- #### nacl.box.nonceLength = 24
-
- Length of nonce in bytes.
-
- #### nacl.box.overheadLength = 16
-
- Length of overhead added to box compared to original message.
-
-
- ### Secret-key authenticated encryption (secretbox)
-
- Implements *xsalsa20-poly1305*.
-
- #### nacl.secretbox(message, nonce, key)
-
- Encrypt and authenticates message using the key and the nonce. The nonce must
- be unique for each distinct message for this key.
-
- Returns an encrypted and authenticated message, which is
- `nacl.secretbox.overheadLength` longer than the original message.
-
- #### nacl.secretbox.open(box, nonce, key)
-
- Authenticates and decrypts the given secret box using the key and the nonce.
-
- Returns the original message, or `false` if authentication fails.
-
- #### nacl.secretbox.keyLength = 32
-
- Length of key in bytes.
-
- #### nacl.secretbox.nonceLength = 24
-
- Length of nonce in bytes.
-
- #### nacl.secretbox.overheadLength = 16
-
- Length of overhead added to secret box compared to original message.
-
-
- ### Scalar multiplication
-
- Implements *curve25519*.
-
- #### nacl.scalarMult(n, p)
-
- Multiplies an integer `n` by a group element `p` and returns the resulting
- group element.
-
- #### nacl.scalarMult.base(n)
-
- Multiplies an integer `n` by a standard group element and returns the resulting
- group element.
-
- #### nacl.scalarMult.scalarLength = 32
-
- Length of scalar in bytes.
-
- #### nacl.scalarMult.groupElementLength = 32
-
- Length of group element in bytes.
-
-
- ### Signatures
-
- Implements [ed25519](http://ed25519.cr.yp.to).
-
- #### nacl.sign.keyPair()
-
- Generates new random key pair for signing and returns it as an object with
- `publicKey` and `secretKey` members:
-
- {
- publicKey: ..., // Uint8Array with 32-byte public key
- secretKey: ... // Uint8Array with 64-byte secret key
- }
-
- #### nacl.sign.keyPair.fromSecretKey(secretKey)
-
- Returns a signing key pair with public key corresponding to the given
- 64-byte secret key. The secret key must have been generated by
- `nacl.sign.keyPair` or `nacl.sign.keyPair.fromSeed`.
-
- #### nacl.sign.keyPair.fromSeed(seed)
-
- Returns a new signing key pair generated deterministically from a 32-byte seed.
- The seed must contain enough entropy to be secure. This method is not
- recommended for general use: instead, use `nacl.sign.keyPair` to generate a new
- key pair from a random seed.
-
- #### nacl.sign(message, secretKey)
-
- Signs the message using the secret key and returns a signed message.
-
- #### nacl.sign.open(signedMessage, publicKey)
-
- Verifies the signed message and returns the message without signature.
-
- Returns `null` if verification failed.
-
- #### nacl.sign.detached(message, secretKey)
-
- Signs the message using the secret key and returns a signature.
-
- #### nacl.sign.detached.verify(message, signature, publicKey)
-
- Verifies the signature for the message and returns `true` if verification
- succeeded or `false` if it failed.
-
- #### nacl.sign.publicKeyLength = 32
-
- Length of signing public key in bytes.
-
- #### nacl.sign.secretKeyLength = 64
-
- Length of signing secret key in bytes.
-
- #### nacl.sign.seedLength = 32
-
- Length of seed for `nacl.sign.keyPair.fromSeed` in bytes.
-
- #### nacl.sign.signatureLength = 64
-
- Length of signature in bytes.
-
-
- ### Hashing
-
- Implements *SHA-512*.
-
- #### nacl.hash(message)
-
- Returns SHA-512 hash of the message.
-
- #### nacl.hash.hashLength = 64
-
- Length of hash in bytes.
-
-
- ### Random bytes generation
-
- #### nacl.randomBytes(length)
-
- Returns a `Uint8Array` of the given length containing random bytes of
- cryptographic quality.
-
- **Implementation note**
-
- TweetNaCl.js uses the following methods to generate random bytes,
- depending on the platform it runs on:
-
- * `window.crypto.getRandomValues` (WebCrypto standard)
- * `window.msCrypto.getRandomValues` (Internet Explorer 11)
- * `crypto.randomBytes` (Node.js)
-
- If the platform doesn't provide a suitable PRNG, the following functions,
- which require random numbers, will throw exception:
-
- * `nacl.randomBytes`
- * `nacl.box.keyPair`
- * `nacl.sign.keyPair`
-
- Other functions are deterministic and will continue working.
-
- If a platform you are targeting doesn't implement secure random number
- generator, but you somehow have a cryptographically-strong source of entropy
- (not `Math.random`!), and you know what you are doing, you can plug it into
- TweetNaCl.js like this:
-
- nacl.setPRNG(function(x, n) {
- // ... copy n random bytes into x ...
- });
-
- Note that `nacl.setPRNG` *completely replaces* internal random byte generator
- with the one provided.
-
-
- ### Constant-time comparison
-
- #### nacl.verify(x, y)
-
- Compares `x` and `y` in constant time and returns `true` if their lengths are
- non-zero and equal, and their contents are equal.
-
- Returns `false` if either of the arguments has zero length, or arguments have
- different lengths, or their contents differ.
-
-
- System requirements
- -------------------
-
- TweetNaCl.js supports modern browsers that have a cryptographically secure
- pseudorandom number generator and typed arrays, including the latest versions
- of:
-
- * Chrome
- * Firefox
- * Safari (Mac, iOS)
- * Internet Explorer 11
-
- Other systems:
-
- * Node.js
-
-
- Development and testing
- ------------------------
-
- Install NPM modules needed for development:
-
- $ npm install
-
- To build minified versions:
-
- $ npm run build
-
- Tests use minified version, so make sure to rebuild it every time you change
- `nacl.js` or `nacl-fast.js`.
-
- ### Testing
-
- To run tests in Node.js:
-
- $ npm run test-node
-
- By default all tests described here work on `nacl.min.js`. To test other
- versions, set environment variable `NACL_SRC` to the file name you want to test.
- For example, the following command will test fast minified version:
-
- $ NACL_SRC=nacl-fast.min.js npm run test-node
-
- To run full suite of tests in Node.js, including comparing outputs of
- JavaScript port to outputs of the original C version:
-
- $ npm run test-node-all
-
- To prepare tests for browsers:
-
- $ npm run build-test-browser
-
- and then open `test/browser/test.html` (or `test/browser/test-fast.html`) to
- run them.
-
- To run headless browser tests with `tape-run` (powered by Electron):
-
- $ npm run test-browser
-
- (If you get `Error: spawn ENOENT`, install *xvfb*: `sudo apt-get install xvfb`.)
-
- To run tests in both Node and Electron:
-
- $ npm test
-
- ### Benchmarking
-
- To run benchmarks in Node.js:
-
- $ npm run bench
- $ NACL_SRC=nacl-fast.min.js npm run bench
-
- To run benchmarks in a browser, open `test/benchmark/bench.html` (or
- `test/benchmark/bench-fast.html`).
-
-
- Benchmarks
- ----------
-
- For reference, here are benchmarks from MacBook Pro (Retina, 13-inch, Mid 2014)
- laptop with 2.6 GHz Intel Core i5 CPU (Intel) in Chrome 53/OS X and Xiaomi Redmi
- Note 3 smartphone with 1.8 GHz Qualcomm Snapdragon 650 64-bit CPU (ARM) in
- Chrome 52/Android:
-
- | | nacl.js Intel | nacl-fast.js Intel | nacl.js ARM | nacl-fast.js ARM |
- | ------------- |:-------------:|:-------------------:|:-------------:|:-----------------:|
- | salsa20 | 1.3 MB/s | 128 MB/s | 0.4 MB/s | 43 MB/s |
- | poly1305 | 13 MB/s | 171 MB/s | 4 MB/s | 52 MB/s |
- | hash | 4 MB/s | 34 MB/s | 0.9 MB/s | 12 MB/s |
- | secretbox 1K | 1113 op/s | 57583 op/s | 334 op/s | 14227 op/s |
- | box 1K | 145 op/s | 718 op/s | 37 op/s | 368 op/s |
- | scalarMult | 171 op/s | 733 op/s | 56 op/s | 380 op/s |
- | sign | 77 op/s | 200 op/s | 20 op/s | 61 op/s |
- | sign.open | 39 op/s | 102 op/s | 11 op/s | 31 op/s |
-
- (You can run benchmarks on your devices by clicking on the links at the bottom
- of the [home page](https://tweetnacl.js.org)).
-
- In short, with *nacl-fast.js* and 1024-byte messages you can expect to encrypt and
- authenticate more than 57000 messages per second on a typical laptop or more than
- 14000 messages per second on a $170 smartphone, sign about 200 and verify 100
- messages per second on a laptop or 60 and 30 messages per second on a smartphone,
- per CPU core (with Web Workers you can do these operations in parallel),
- which is good enough for most applications.
-
-
- Contributors
- ------------
-
- See AUTHORS.md file.
-
-
- Third-party libraries based on TweetNaCl.js
- -------------------------------------------
-
- * [forward-secrecy](https://github.com/alax/forward-secrecy) — Axolotl ratchet implementation
- * [nacl-stream](https://github.com/dchest/nacl-stream-js) - streaming encryption
- * [tweetnacl-auth-js](https://github.com/dchest/tweetnacl-auth-js) — implementation of [`crypto_auth`](http://nacl.cr.yp.to/auth.html)
- * [chloride](https://github.com/dominictarr/chloride) - unified API for various NaCl modules
-
-
- Who uses it
- -----------
-
- Some notable users of TweetNaCl.js:
-
- * [miniLock](http://minilock.io/)
- * [Stellar](https://www.stellar.org/)
|