JavaScript Cryptography

JavaScript was originally intended for performing simple tasks in web pages, but it has grown into a sophisticated general-purpose programming language used for both client and server computing. JavaScript is arguably the most important programming language today. Good performance of public key cryptography is difficult to achieve in JavaScript, because JavaScript is an interpreted language, inherently slower than a compiled language such as C, and because it provides floating-point arithmetic but no integer arithmetic. But fast JavaScript public key cryptography is worth the effort, because it may radically change the way cryptography is used in web applications.

An alternative to implementing cryptography in JavaScript is to use the Web Cryptography API of the W3C. This approach is appealing because it provides JavaScript applications with access to cryptographic primitives implemented by the browser or the operating system, presumably implemented in C, perhaps with assembly language optimizations. But the API is unfinished and seems to be in a state of flux; it lacks an important cryptosystem, DSA; and it is unnecessarily complicated, requiring cryptographic primitives to be invoked via asynchronous JavaScript Promises. Furthermore, the widespread integration of just-in-time compilers in modern JavaScript engines means that a JavaScript implementation of cryptography may be competitive with an implementation of the Web Cryptography API.

We are currently developing a cryptographic toolkit that will allow developers of web applications to implement cryptographic authentication easily. The toolkit will be based on a high-performance big integer library implemented in JavaScript. We have already implemented modular exponentiation, the key algorithm whose performance determines the performance of the classical cryptosystems (RSA, DSA, DH, etc.). Our implementation is between six and ten times faster than the one in the Stanford JavaScript Cryptographic Library (SJCL). We have reported on this in a blog post and a presentation at the Internet Identity Workshop.
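
To make the floating-point constraint and the role of modular exponentiation concrete, here is an added example (not code from the toolkit described on this page or from SJCL) of modular exponentiation narrowed to single-word moduli below 2^53, written so that every intermediate value stays exactly representable as a double. The function names are hypothetical.

```javascript
// Added illustration: function names are hypothetical, not the toolkit's or SJCL's API.
// Every value is an IEEE 754 double, exact only for integers up to 2^53 - 1.
function requireSafe(x, name) {
  if (!Number.isSafeInteger(x) || x < 0) {
    throw new RangeError(name + " must be an integer in [0, 2^53 - 1]");
  }
}

// The tempting one-liner: silently wrong once a * b needs more than 53 bits.
function naiveMulMod(a, b, m) {
  return (a * b) % m;
}

// (a + b) mod m for a, b < m, without forming a + b (which may exceed 2^53).
function addMod(a, b, m) {
  return a >= m - b ? a - (m - b) : a + b;
}

// Double-and-add multiplication: every intermediate stays below m, hence exact.
function mulMod(a, b, m) {
  let acc = 0;
  a %= m;
  while (b > 0) {
    if (b % 2 === 1) acc = addMod(acc, a, m);
    a = addMod(a, a, m);
    b = Math.floor(b / 2);
  }
  return acc;
}

// Right-to-left square-and-multiply. Branches depend on exponent bits, so this
// is not constant-time and is unsuitable for secret exponents as written.
function modPow(base, exp, m) {
  requireSafe(base, "base");
  requireSafe(exp, "exp");
  requireSafe(m, "m");
  if (m === 0) throw new RangeError("m must be nonzero");
  let result = 1 % m;
  base %= m;
  while (exp > 0) {
    if (exp % 2 === 1) result = mulMod(result, base, m);
    base = mulMod(base, base, m);
    exp = Math.floor(exp / 2);
  }
  return result;
}
```

The naive product fails without any error or warning, which is why a result from hand-rolled arithmetic should be checked against known test vectors before it is trusted in a cryptosystem.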