Skip to content
NaCL bindings for Q/KDB
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

NaCL bindings for q/kdb.

Table of Contents


You can load qsalt with:

.qsalt:@[`qsalt 2:(`qsalt;1);0]

##Public Key Authenticated Encryption

Generate (public;private) keypair:


Alice creates a ciphertext message for Bob:

message:.qsalt.pencrypt[(.qsalt.nonce`;"this is secret");bob 0;alice 1]

Bob decodes the ciphertext message:

.qsalt.pdecrypt[message;alice 0;bob 1]

If the ciphertext has been corrupted or was not created by Alice, then null will be returned.

##Public Key Signatures

Generate (public;private) keypair:


Alice signs a message for Bob. Note that the message is not encrypted.

message:.qsalt.sign["this is verified";alice 1]

Bob then verifies the signature:

.qsalt.verify[message;alice 0]

If the signature is invalid, then null will be returned.

##Secret Key Authenticated Encryption

There are several ways to generate a secret key; it can be any 32 random bytes:


Encrypting a message requires a nonce; this nonce must not be reused:

message:.qsalt.sencrypt[(.qsalt.nonce`;"this is also secret");secret]

Decrypting the message also verifies it:


If the message was altered, then null will be returned.


Calculates the SHA512 hash of a string/bytearray:

.qsalt.hash "whatever"

##Comparing Strings

.qsalt.cmp16 and .qsalt.cmp32 are constant-time comparison functions and should be used for comparing byte-strings.

.qsalt.cmp16["this is sixteen!";"this is sixteen!"]
.qsalt.cmp16["this is sixteen!";"somethinginvalid"]


The makefile assumes kdb/q is installed in $HOME/q and that you have k.h installed in $HOME/q/c:


qsalt requires NaCL. On Debian systems you can install:

sudo apt-get install libsodium-dev

then build with:

make nacl=-lsodium arch=64

Note if you're building for the 32-bit version of KDB you will need:

sudo apt-get install libsodium-dev:i386

then build with:

make nacl=-lsodium arch=32

on other systems you install it from The NaCL homepage; You can unpack it directly into this tree:

bunzip2 < nacl-20110221.tar.bz2 | tar -xf -
(cd nacl-20110221 && ./do)

Then to build:

make nacl=nacl-20110221/build/*/lib/amd64/libnacl.a

As a convenience, tweetnacl is included, and can be used with:

make nacl=tweetnacl.c arch=32
make nacl=tweetnacl.c arch=64
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.