Question 1

How to encrypt and decrypt messages with tweetnacl-js?

Accepted Answer

Use nacl.box for public-key encryption or nacl.secretbox for symmetric encryption, ensuring nonces are unique. Examples are provided in the wiki, and you'll need to encode strings to Uint8Arrays first using a separate library.

Question 2

tweetnacl-js vs libsodium for JavaScript cryptography?

Accepted Answer

TweetNaCl.js is a pure JavaScript port of NaCl, offering a minimal, audited API but slower performance. Libsodium has a JavaScript wrapper with more features and better performance via native bindings, but may have larger bundle sizes. Choose based on speed needs and feature set.

Question 3

Is tweetnacl-js secure for production use?

Accepted Answer

Yes, it has been audited by Cure53 with no critical issues, and is used by notable projects. However, be aware of its security caveats like signature malleability, and ensure proper protocol design as outlined in the README.

Question 4

How to generate Ed25519 signatures in a browser with tweetnacl-js?

Accepted Answer

Use nacl.sign.keyPair() to create a key pair, then nacl.sign.detached() to sign a message. Remember to convert messages to Uint8Arrays, and check the examples wiki for detailed code snippets.

Question 5

What are the main security weaknesses of tweetnacl-js?

Accepted Answer

Key issues include no secret key commitment in encryption, signature malleability with Ed25519, and hash length-extension attacks with SHA-512. The README's Security Considerations section details these, so review them when designing protocols.

Question 6

Can I use tweetnacl-js with TypeScript?

Accepted Answer

Yes, it includes TypeScript definitions in the npm package, making it easy to integrate into TypeScript projects. The API is well-typed, helping catch errors during development.

TweetNaCl.js

What is TweetNaCl.js?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions