Lua wrapper arount the Tweet NaCl cryptographic library
C Lua Makefile
Latest commit ef46bc0 Nov 18, 2016 philanc adjusted rockspec (supported platform)


This is a Lua binding to the wonderful NaCl crypto library by Dan Bernstein, Tanja Lange et al. --

The version included here is the "Tweet" version ("NaCl in 100 tweets") by Dan Bernstein et al. -- (all the tweet nacl code is included in this library.

To understand the NaCl specs, the reader is referred to the NaCl specs at This binding is very thin and should be easy to use for anybody knowing NaCl.

The Lua binding hides the NaCl idiosynchrasies (32 mandatory leading null bytes for the text to encrypt and 16 leading null bytes in the encrypted text). So the user does not need to provide or take care of these leading null spaces.

The binding has been built and tested on Linux with Lua-5.3.3, Lua-5.2.4 and Lua-5.1.5

It should work for any POSIXy system featuring /dev/urandom (used by function 'randombytes()')


    return a string containing n random bytes

    generate a curve25519 keypair to be used with box()
    return publickey, secretkey

    return the public key associated to secret key sk
    sk must be 32 bytes
    Note: this function is not in NaCl but may be useful in some 
    contexts. Actually, 
        pk, sk = keypair()
    is strictly equivalent to:
        sk = randombytes(32); pk = box_getpk(sk)

box(plain, nonce, bpk, ask)
    plain is the plain text that Alice encrypts for Bob
    nonce is 24 bytes (must be different for each encryption)
    bpk (32 bytes):  Bob's public key 
    ask (32 bytes):  Alice's secret key
    return the encrypted text or (nil, error msg)
    the box() and box_open functions perform the following steps:
    - generate a session key common to Alice and Bob with a 
      Diffie-Hellman based on the elliptic curve 25519 scalar multiplication
    - authenticated en(de)cryption with Salsa20 stream encryption
      and Poly1305 MAC generation/verification using the session key
    (see for details and rationale!)

box_open(encr, nonce, apk, bsk)
    decrypt the text encrypted by Alice for Bob
    nonce is 24 bytes (must be the nonce used for encryption)
    apk (32 bytes):  Alice's public key 
    bsk (32 bytes):  Bob's secret key
    return the decrypted text or (nil, error msg)

box_beforenm(bpk, ask)
    perform the 1st step of box()
    return a session key (32 bytes) derived from bpk and ask
    bpk and ask are 32-byte strings.

box_stream_key() is an alias of box_beforenm()
box_afternm() is an alias of secretbox()
box_open_afternm() is an alias of secretbox_open()

secretbox(plain, n, k)
    encrypt plain string with key k and nonce n
    k: a 32-byte string
    n: a 24-byte nonce
    return the encrypted text
    example: to encrypt string 'abc'  with key 'kkk...' and nonce 'nnn...':
       e = secretbox('abc', ('n'):rep(24), ('k'):rep(32))
    Note: secretbox() performs an authenticated encryption, that is
    encrypt the plain test (with Salsa20) and compute a MAC (with Poly1305)
    of the encrypted text. It allows the receiver of the encrypted text to
    detect if it has been tampered with. The MAC is embedded in the
    encrypted text (at the beginning, bytes 1-16)

secretbox_open(encr, n, k)
    decrypt encrypted string encr with key k and nonce n. The MAC
    embedded in 'encr' is checked before the actual decryption.
    k: a 32-byte string
    n: a 24-byte nonce
    return the decrypted text
    or (nil, error msg) if the MAC is wrong of if the nonce or key 
    lengths are not valid.

stream(ln, n, k)
    generate an encrypting stream with the salsa20 algorithm
    ln: integer, number of bytes to generate
    k: a 32-byte string
    n: a 24-byte nonce
    return a ln-byte long string or (nil error message) if the 
    nonce or key lengths are not valid.

stream_xor(text, n, k)
    encrypt or decrypt text with the salsa20 algorithm. The same 
    function is used to encrypt and decrypt.
    k: a 32-byte string
    n: a 24-byte nonce
    return an encrypted or decrypted string or (nil, error message) if the 
    nonce or key lengths are not valid. 

onetimeauth(text, k)
    compute the 16-byte MAC for the text and key k.
    the MAC algorithm is Poly1305
    k: a 32-byte string
    return the 16-byte MAC as a string or (nil, error message) if the 
    key length is not valid.    

poly1305() is an alias of onetimeauth()

    compute the SHA2-512 hash of string s
    return the hash as a 64-byte binary string (no hex encoding)

sha512() is an alias of hash()

    generate a random key pair for the siganture algorithm (ed25519)
    return pk, sk
    where pk is the public key (a 32-byte string)
    where sk is the secret key (a 64-byte string)
    (actually, the last 32 bytes of the secret key are the public key)

sign(text, sk)
    sign a text with a secret key
    sk: a 64-byte string
    return the signed text, including the text and the signature
    return (nil, error msg) if the sk lemgth is not valid (not 64)

sign_open(text, pk)
    verify a signed text with the corresponding public key
    pk: a 32-byte string
    if the signature is valid, return the original text 
    (ie. without the signature)
    return (nil, error msg) if the signature is not valid or if the 
    pk lemgth is not valid (not 32)


luatweetnacl is distributed under the terms of the MIT License. The "tweet" NaCl core implementation is public domain, by Daniel Bernstein et al.

Copyright (c) 2016 Phil Leblanc