We have just released a beta version of a JavaScript cryptographic library usable in any JavaScript environment and based on very fast big integer arithmetic functionality that may be of interest in its own right.
The Pomcor JavaScript Cryptographic Library (PJCL) is available free of charge for any kind of use, but not under a traditional open source license. The traditional open source paradigm encourages contributions by the developer community at large, but we believe that this paradigm is not well suited to cryptography. To protect the integrity of the cryptographic code, the license prohibits modification of the cryptographic functions.
We have been using the library internally for our own research on authentication and identity proofing, and this first release includes symmetric and asymmetric digital signature functionality, including HMAC, DSA, and ECDSA with NIST curves. Future releases will provide broader cryptographic functionality, including encryption and key exchange. We believe that the library provides the only available JavaScript implementation of DSA, which is important to those wary of the opportunities for hiding backdoors that might be provided by elliptic curve technology.
The underlying big integer functionality includes Karatsuba multiplication. Karatsuba has turned out not to be advantageous for ordinary cryptographic operations, perhaps because our long multiplication is very fast. It may be useful, however, for other applications of big integer arithmetic. With or without Karatsuba, our modular exponentiation is several times faster than the one in SJCL, as reported in section 7.1 of the documentation, and in an earlier blog post related to an early version of the library that was not released. Facilities included with the library allow you to test the performance of modular exponentiation and DSA on your own machines, as explained in the documentation.
Easy-to-use API
A design goal of the library has been to keep its interface simple and easy to use. The library makes no use of ES6 classes and minimal use of objects. The API is synchronous, in contrast with the W3C Web Cryptography API, where API function calls return promises. Most cryptographic operations are fast and need not be performed in the background. When background processing is needed, such as for DSA domain parameter generation, or for applications that make use of the big integer portion of the library to manipulate very large big integers, it can be performed by a web worker. Examples of how to use web workers to perform long computations can be found in DSAPerfTesting.
Ubiquitous cryptography for ubiquitous JavaScript
A key benefit of JavaScript is that it can be used everywhere: in browsers, in servers and native apps. But some cryptographic APIs can only be used in specific environments. For example, the W3C Web cryptography API can only be used in the browser, and Node.js comes with its own cryptography API, provided by its crypto module. By contrast PJCL can be used in any JavaScript environment. To prevent global namespace collisions, all the API functions and variables use the “pjcl” prefix. The acronym PJCL and the string “pjcl” used as a prefix of function and variable names are trademarks of Pomcor.
Extensive documentation with typeset formulas
The library comes with extensive documentation in a PDF file with references to the cryptography literature. Mathematical formulas used to describe API functionality are typeset in LaTeX for readability.
Argument checking
In the file pjcl-withArgChecking.js most of the API functions are augmented with code that checks the validity of their arguments, with a substantial reduction in performance. Substituting that file for pjcl.js during development may help with debugging.
Discussion forum
A
PJCL User Forum
is available for asking questions and making comments.
(Update: The PJCL user forum has been discontinued as of May 27, 2018. Announcements regarding the PJCL library will be posted to the Pomcor blog. You may subscribe to the blog feed to stay informed of new releases.)
Hi Fransico,
Thanks for sharing.
A silly questions but want to understand, am I using it with my web application which runs on browser?
Thanks,
Atul
Yes, definitely. You can use the library for web applications, both on the client side, and on the server side if you are using node.js. You may want to use pcjl-withArgChecking.js while developing your application, and pjcl.js in production; both files are in the zip archive. In production, to minimize download time, you may want to remove the portions of pjcl.js that you don’t need and minify the rest together with your own front-end JavaScript code.