nuckle 0.1.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 00a442ba9e5d4c70e543b9f2ec156248c283881fcf2bb774dc592534bc0a79dc
+  data.tar.gz: 478ebf814c22348331fcbbb5692f302425bca6cb4c48365c4508c8c4426f30ed
+SHA512:
+  metadata.gz: a291010aeaa3fce0a12479f2a8b40e0fd089125d295f1890801683350a3ffb7ea34c03ca527ed6e63738d539e305d7d46dce5294adc58b1c0494e26bf5e19835
+  data.tar.gz: '0886502547f3628973eab880936d6bec563bb48807f39b959e7bf390433acffa67d63d30e456ed8f51a5ccb547eb1c1c3739f43f23f098581d241444d003c263'

data/LICENSE

@@ -0,0 +1,13 @@
+Copyright (c) 2026, Patrik Wenger
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

data/README.md

@@ -0,0 +1,82 @@
+# 🤜 Nuckle
+
+[![Gem Version](https://img.shields.io/gem/v/nuckle)](https://rubygems.org/gems/nuckle)
+[![CI](https://github.com/paddor/nuckle/actions/workflows/ci.yml/badge.svg)](https://github.com/paddor/nuckle/actions/workflows/ci.yml)
+
+NaCl for Knuckleheads — pure Ruby crypto primitives, no libsodium required.
+
+## Is it any good?
+
+No. See [SECURITY.md](SECURITY.md).
+
+## ⚠️ Don't use this
+
+Ruby's bignum arithmetic is not constant-time, so private keys leak
+through timing side channels. Use
+[rbnacl](https://github.com/RubyCrypto/rbnacl) for anything that matters.
+
+## 🤷 Why does this exist?
+
+- Zero-dependency development and CI environments
+- Seeing how well Ruby's YJIT performs at crypto ("just for fun")
+- Educational purposes
+- Environments where installing libsodium is impractical
+
+## Primitives
+
+| Primitive | What it does |
+|-----------|-------------|
+| **Curve25519** | Elliptic-curve Diffie-Hellman (key agreement) |
+| **XSalsa20** | Extended-nonce stream cipher (includes HSalsa20, Salsa20) |
+| **Poly1305** | One-time message authenticator |
+| **Box** | Public-key authenticated encryption (Curve25519-XSalsa20-Poly1305) |
+| **SecretBox** | Symmetric authenticated encryption (XSalsa20-Poly1305) |
+
+## Usage
+
+```ruby
+require "nuckle"
+
+# Generate a keypair
+sk = Nuckle::PrivateKey.generate
+pk = sk.public_key
+
+# Public-key encryption
+alice = Nuckle::PrivateKey.generate
+bob   = Nuckle::PrivateKey.generate
+nonce = Nuckle::Random.random_bytes(24)
+
+box = Nuckle::Box.new(bob.public_key, alice)
+ciphertext = box.encrypt(nonce, "hello")
+
+box2 = Nuckle::Box.new(alice.public_key, bob)
+plaintext = box2.decrypt(nonce, ciphertext)
+# => "hello"
+
+# Symmetric encryption
+key   = Nuckle::Random.random_bytes(32)
+nonce = Nuckle::Random.random_bytes(24)
+box   = Nuckle::SecretBox.new(key)
+
+ciphertext = box.encrypt(nonce, "hello")
+plaintext  = box.decrypt(nonce, ciphertext)
+```
+
+## API Compatibility
+
+The API mirrors [rbnacl](https://github.com/RubyCrypto/rbnacl).
+If you know what you're doing:
+
+```ruby
+RbNaCl = Nuckle
+```
+
+## Verification
+
+All primitives are tested against rbnacl/libsodium test vectors
+(NaCl distribution, RFC 7748, RFC 8439) and cross-validated to
+produce byte-identical output.
+
+## License
+
+ISC

data/lib/nuckle/box.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module Nuckle
+  # Public-key authenticated encryption: Curve25519-XSalsa20-Poly1305.
+  #
+  # Compatible with NaCl crypto_box / libsodium crypto_box_curve25519xsalsa20poly1305.
+  #
+  class Box
+    NONCEBYTES     = 24
+    PUBLICKEYBYTES = 32
+    PRIVATEKEYBYTES = 32
+    BEFORENMBYTES  = 32
+    MACBYTES       = 16
+
+    def initialize(public_key, private_key)
+      pk = extract_bytes(public_key, PUBLICKEYBYTES, "public key")
+      sk = extract_bytes(private_key, PRIVATEKEYBYTES, "private key")
+
+      # Compute shared secret via Curve25519 DH
+      shared = Internals::Curve25519.scalarmult(sk, pk)
+
+      # Derive symmetric key via HSalsa20 (the "beforenm" step)
+      key = Internals::Salsa20.hsalsa20(shared, "\x00" * 16)
+
+      @secret_box = SecretBox.new(key)
+    end
+
+    def nonce_bytes = NONCEBYTES
+
+    # Encrypt plaintext with 24-byte nonce.
+    def encrypt(nonce, plaintext)
+      @secret_box.encrypt(nonce, plaintext)
+    end
+
+    # Decrypt ciphertext with 24-byte nonce.
+    def decrypt(nonce, ciphertext)
+      @secret_box.decrypt(nonce, ciphertext)
+    end
+
+    alias box encrypt
+    alias open decrypt
+
+    private
+
+    def extract_bytes(key, expected_size, name)
+      bytes = case key
+              when PublicKey, PrivateKey then key.to_s
+              when String               then key.b
+              else raise ArgumentError, "#{name} must be a Key or String"
+              end
+      raise ArgumentError, "#{name} must be #{expected_size} bytes (got #{bytes.bytesize})" unless bytes.bytesize == expected_size
+
+      bytes
+    end
+  end
+end

data/lib/nuckle/crypto_error.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Nuckle
+  class CryptoError < StandardError; end
+end

data/lib/nuckle/internals/curve25519.rb

@@ -0,0 +1,105 @@
+# frozen_string_literal: true
+
+module Nuckle
+  module Internals
+    # Curve25519 elliptic-curve Diffie-Hellman.
+    #
+    # Montgomery curve: y^2 = x^3 + 486662*x^2 + x over GF(2^255 - 19).
+    # Uses the Montgomery ladder for scalar multiplication.
+    #
+    # Reference: RFC 7748
+    #
+    module Curve25519
+      P      = (1 << 255) - 19
+      A24    = 121666  # (486662 + 2) / 4
+      BASE_U = 9
+
+      MASK64 = 0xFFFFFFFFFFFFFFFF
+
+      module_function
+
+      # Scalar multiplication: compute scalar * point on Curve25519.
+      #
+      # @param scalar [String] 32-byte scalar (private key)
+      # @param u_bytes [String] 32-byte u-coordinate (public key / base point)
+      # @return [String] 32-byte result u-coordinate
+      #
+      def scalarmult(scalar, u_bytes)
+        k = decode_scalar(scalar)
+        u = decode_u(u_bytes)
+
+        x_1 = u
+        x_2 = 1
+        z_2 = 0
+        x_3 = u
+        z_3 = 1
+
+        swap = 0
+
+        254.downto(0) do |t|
+          k_t  = (k >> t) & 1
+          swap ^= k_t
+          # Constant-time conditional swap (XOR mask)
+          mask   = -swap
+          dummy  = (x_2 ^ x_3) & mask; x_2 ^= dummy; x_3 ^= dummy
+          dummy  = (z_2 ^ z_3) & mask; z_2 ^= dummy; z_3 ^= dummy
+          swap = k_t
+
+          a  = (x_2 + z_2) % P
+          aa = (a * a) % P
+          b  = (x_2 - z_2) % P
+          bb = (b * b) % P
+          e  = (aa - bb) % P
+          c  = (x_3 + z_3) % P
+          d  = (x_3 - z_3) % P
+          da = (d * a) % P
+          cb = (c * b) % P
+
+          sum = (da + cb) % P; x_3 = (sum * sum) % P
+          dif = (da - cb) % P; z_3 = (x_1 * ((dif * dif) % P)) % P
+          x_2 = (aa * bb) % P
+          z_2 = (e * ((bb + A24 * e) % P)) % P
+        end
+
+        # Final cswap
+        mask  = -swap
+        dummy = (x_2 ^ x_3) & mask; x_2 ^= dummy
+        dummy = (z_2 ^ z_3) & mask; z_2 ^= dummy
+
+        result = (x_2 * z_2.pow(P - 2, P)) % P
+        encode_u(result)
+      end
+
+      # Scalar multiplication with the standard base point (u=9).
+      #
+      # @param scalar [String] 32-byte scalar (private key)
+      # @return [String] 32-byte public key
+      #
+      def scalarmult_base(scalar)
+        scalarmult(scalar, "\x09".b + "\x00".b * 31)
+      end
+
+      # Decode a 32-byte scalar with clamping (per RFC 7748).
+      def decode_scalar(s)
+        buf = s.b.dup
+        buf.setbyte(0,  buf.getbyte(0)  & 248)
+        buf.setbyte(31, (buf.getbyte(31) & 127) | 64)
+        w = buf.unpack("Q<4")
+        w[0] | (w[1] << 64) | (w[2] << 128) | (w[3] << 192)
+      end
+
+      # Decode a u-coordinate from 32 bytes (little-endian, mask high bit).
+      def decode_u(u_bytes)
+        buf = u_bytes.b.dup
+        buf.setbyte(31, buf.getbyte(31) & 0x7F)
+        w = buf.unpack("Q<4")
+        w[0] | (w[1] << 64) | (w[2] << 128) | (w[3] << 192)
+      end
+
+      # Encode a field element to 32 bytes (little-endian).
+      def encode_u(u)
+        [u & MASK64, (u >> 64) & MASK64, (u >> 128) & MASK64, (u >> 192) & MASK64].pack("Q<4")
+      end
+    end
+  end
+end

data/lib/nuckle/internals/poly1305.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+module Nuckle
+  module Internals
+    # Poly1305 one-time message authenticator.
+    #
+    # Reference: https://cr.yp.to/mac/poly1305-20050329.pdf
+    #            RFC 8439 Section 2.5
+    #
+    module Poly1305
+      P = (1 << 130) - 5
+
+      # Clamp mask for r (clear specific bits per spec)
+      R_CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff
+
+      MASK128 = (1 << 128) - 1
+
+      module_function
+
+      # Compute Poly1305 MAC.
+      #
+      # @param key [String] 32-byte one-time key (r || s)
+      # @param message [String] message to authenticate
+      # @return [String] 16-byte authentication tag
+      #
+      def mac(key, message)
+        r = le_bytes_to_int(key, 0, 16) & R_CLAMP
+        s = le_bytes_to_int(key, 16, 16)
+
+        h   = 0
+        msg = message.b
+        len = msg.bytesize
+        off = 0
+
+        while off < len
+          remaining = len - off
+          take      = remaining < 16 ? remaining : 16
+          block     = le_bytes_to_int(msg, off, take)
+
+          # Add high bit (2^(8*take)) to mark block as non-zero-padded
+          block |= 1 << (take * 8)
+
+          h = ((h + block) * r) % P
+          off += take
+        end
+
+        # Final: (h + s) mod 2^128
+        tag = (h + s) & MASK128
+        int_to_le_bytes(tag)
+      end
+
+      # Read little-endian integer from a string at offset, length bytes.
+      def le_bytes_to_int(bytes, offset, length)
+        if length == 16
+          lo, hi = bytes.unpack("@#{offset}Q<2")
+          lo | (hi << 64)
+        else
+          n = 0
+          length.times { |i| n |= bytes.getbyte(offset + i) << (8 * i) }
+          n
+        end
+      end
+
+      # Write a 128-bit integer as 16 little-endian bytes.
+      def int_to_le_bytes(n)
+        [n & 0xFFFFFFFFFFFFFFFF, (n >> 64) & 0xFFFFFFFFFFFFFFFF].pack("Q<2")
+      end
+    end
+  end
+end

data/lib/nuckle/internals/salsa20.rb

@@ -0,0 +1,228 @@
+# frozen_string_literal: true
+
+module Nuckle
+  module Internals
+    # Salsa20 stream cipher family: Salsa20 core, HSalsa20, XSalsa20.
+    #
+    # References:
+    # - https://cr.yp.to/snuffle/spec.pdf (Salsa20 specification)
+    # - https://cr.yp.to/snuffle/xsalsa-20110204.pdf (XSalsa20)
+    #
+    module Salsa20
+      MASK32    = 0xFFFFFFFF
+      SIGMA     = "expand 32-byte k".b.freeze
+      SIGMA_V4  = SIGMA.unpack("V4").freeze
+
+      module_function
+
+      # Salsa20 core function: 20 rounds on 16 x 32-bit words.
+      # Returns the 64-byte output block.
+      #
+      # @param input [String] 64-byte input block
+      # @return [String] 64-byte output block
+      #
+      def core(input)
+        x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15 =
+          input.unpack("V16")
+
+        z0  = x0;  z1  = x1;  z2  = x2;  z3  = x3
+        z4  = x4;  z5  = x5;  z6  = x6;  z7  = x7
+        z8  = x8;  z9  = x9;  z10 = x10; z11 = x11
+        z12 = x12; z13 = x13; z14 = x14; z15 = x15
+
+        10.times do
+          # Column rounds
+          t = (z0  + z12) & MASK32; z4  ^= ((t << 7)  | (t >> 25)) & MASK32
+          t = (z4  + z0)  & MASK32; z8  ^= ((t << 9)  | (t >> 23)) & MASK32
+          t = (z8  + z4)  & MASK32; z12 ^= ((t << 13) | (t >> 19)) & MASK32
+          t = (z12 + z8)  & MASK32; z0  ^= ((t << 18) | (t >> 14)) & MASK32
+
+          t = (z5  + z1)  & MASK32; z9  ^= ((t << 7)  | (t >> 25)) & MASK32
+          t = (z9  + z5)  & MASK32; z13 ^= ((t << 9)  | (t >> 23)) & MASK32
+          t = (z13 + z9)  & MASK32; z1  ^= ((t << 13) | (t >> 19)) & MASK32
+          t = (z1  + z13) & MASK32; z5  ^= ((t << 18) | (t >> 14)) & MASK32
+
+          t = (z10 + z6)  & MASK32; z14 ^= ((t << 7)  | (t >> 25)) & MASK32
+          t = (z14 + z10) & MASK32; z2  ^= ((t << 9)  | (t >> 23)) & MASK32
+          t = (z2  + z14) & MASK32; z6  ^= ((t << 13) | (t >> 19)) & MASK32
+          t = (z6  + z2)  & MASK32; z10 ^= ((t << 18) | (t >> 14)) & MASK32
+
+          t = (z15 + z11) & MASK32; z3  ^= ((t << 7)  | (t >> 25)) & MASK32
+          t = (z3  + z15) & MASK32; z7  ^= ((t << 9)  | (t >> 23)) & MASK32
+          t = (z7  + z3)  & MASK32; z11 ^= ((t << 13) | (t >> 19)) & MASK32
+          t = (z11 + z7)  & MASK32; z15 ^= ((t << 18) | (t >> 14)) & MASK32
+
+          # Row rounds
+          t = (z0  + z3)  & MASK32; z1  ^= ((t << 7)  | (t >> 25)) & MASK32
+          t = (z1  + z0)  & MASK32; z2  ^= ((t << 9)  | (t >> 23)) & MASK32
+          t = (z2  + z1)  & MASK32; z3  ^= ((t << 13) | (t >> 19)) & MASK32
+          t = (z3  + z2)  & MASK32; z0  ^= ((t << 18) | (t >> 14)) & MASK32
+
+          t = (z5  + z4)  & MASK32; z6  ^= ((t << 7)  | (t >> 25)) & MASK32
+          t = (z6  + z5)  & MASK32; z7  ^= ((t << 9)  | (t >> 23)) & MASK32
+          t = (z7  + z6)  & MASK32; z4  ^= ((t << 13) | (t >> 19)) & MASK32
+          t = (z4  + z7)  & MASK32; z5  ^= ((t << 18) | (t >> 14)) & MASK32
+
+          t = (z10 + z9)  & MASK32; z11 ^= ((t << 7)  | (t >> 25)) & MASK32
+          t = (z11 + z10) & MASK32; z8  ^= ((t << 9)  | (t >> 23)) & MASK32
+          t = (z8  + z11) & MASK32; z9  ^= ((t << 13) | (t >> 19)) & MASK32
+          t = (z9  + z8)  & MASK32; z10 ^= ((t << 18) | (t >> 14)) & MASK32
+
+          t = (z15 + z14) & MASK32; z12 ^= ((t << 7)  | (t >> 25)) & MASK32
+          t = (z12 + z15) & MASK32; z13 ^= ((t << 9)  | (t >> 23)) & MASK32
+          t = (z13 + z12) & MASK32; z14 ^= ((t << 13) | (t >> 19)) & MASK32
+          t = (z14 + z13) & MASK32; z15 ^= ((t << 18) | (t >> 14)) & MASK32
+        end
+
+        [
+          (z0  + x0)  & MASK32, (z1  + x1)  & MASK32, (z2  + x2)  & MASK32, (z3  + x3)  & MASK32,
+          (z4  + x4)  & MASK32, (z5  + x5)  & MASK32, (z6  + x6)  & MASK32, (z7  + x7)  & MASK32,
+          (z8  + x8)  & MASK32, (z9  + x9)  & MASK32, (z10 + x10) & MASK32, (z11 + x11) & MASK32,
+          (z12 + x12) & MASK32, (z13 + x13) & MASK32, (z14 + x14) & MASK32, (z15 + x15) & MASK32,
+        ].pack("V16")
+      end
+
+      # HSalsa20: derives a 32-byte subkey from a 32-byte key and 16-byte nonce.
+      # Returns words [0,5,10,15,6,7,8,9] from the NON-added state.
+      #
+      # @param key [String] 32-byte key
+      # @param nonce [String] 16-byte nonce
+      # @return [String] 32-byte subkey
+      #
+      def hsalsa20(key, nonce)
+        k0, k1, k2, k3, k4, k5, k6, k7 = key.unpack("V8")
+        n0, n1, n2, n3 = nonce.unpack("V4")
+        s0, s1, s2, s3 = SIGMA_V4
+
+        z0  = s0; z1  = k0; z2  = k1; z3  = k2
+        z4  = k3; z5  = s1; z6  = n0; z7  = n1
+        z8  = n2; z9  = n3; z10 = s2; z11 = k4
+        z12 = k5; z13 = k6; z14 = k7; z15 = s3
+
+        10.times do
+          t = (z0  + z12) & MASK32; z4  ^= ((t << 7)  | (t >> 25)) & MASK32
+          t = (z4  + z0)  & MASK32; z8  ^= ((t << 9)  | (t >> 23)) & MASK32
+          t = (z8  + z4)  & MASK32; z12 ^= ((t << 13) | (t >> 19)) & MASK32
+          t = (z12 + z8)  & MASK32; z0  ^= ((t << 18) | (t >> 14)) & MASK32
+
+          t = (z5  + z1)  & MASK32; z9  ^= ((t << 7)  | (t >> 25)) & MASK32
+          t = (z9  + z5)  & MASK32; z13 ^= ((t << 9)  | (t >> 23)) & MASK32
+          t = (z13 + z9)  & MASK32; z1  ^= ((t << 13) | (t >> 19)) & MASK32
+          t = (z1  + z13) & MASK32; z5  ^= ((t << 18) | (t >> 14)) & MASK32
+
+          t = (z10 + z6)  & MASK32; z14 ^= ((t << 7)  | (t >> 25)) & MASK32
+          t = (z14 + z10) & MASK32; z2  ^= ((t << 9)  | (t >> 23)) & MASK32
+          t = (z2  + z14) & MASK32; z6  ^= ((t << 13) | (t >> 19)) & MASK32
+          t = (z6  + z2)  & MASK32; z10 ^= ((t << 18) | (t >> 14)) & MASK32
+
+          t = (z15 + z11) & MASK32; z3  ^= ((t << 7)  | (t >> 25)) & MASK32
+          t = (z3  + z15) & MASK32; z7  ^= ((t << 9)  | (t >> 23)) & MASK32
+          t = (z7  + z3)  & MASK32; z11 ^= ((t << 13) | (t >> 19)) & MASK32
+          t = (z11 + z7)  & MASK32; z15 ^= ((t << 18) | (t >> 14)) & MASK32
+
+          t = (z0  + z3)  & MASK32; z1  ^= ((t << 7)  | (t >> 25)) & MASK32
+          t = (z1  + z0)  & MASK32; z2  ^= ((t << 9)  | (t >> 23)) & MASK32
+          t = (z2  + z1)  & MASK32; z3  ^= ((t << 13) | (t >> 19)) & MASK32
+          t = (z3  + z2)  & MASK32; z0  ^= ((t << 18) | (t >> 14)) & MASK32
+
+          t = (z5  + z4)  & MASK32; z6  ^= ((t << 7)  | (t >> 25)) & MASK32
+          t = (z6  + z5)  & MASK32; z7  ^= ((t << 9)  | (t >> 23)) & MASK32
+          t = (z7  + z6)  & MASK32; z4  ^= ((t << 13) | (t >> 19)) & MASK32
+          t = (z4  + z7)  & MASK32; z5  ^= ((t << 18) | (t >> 14)) & MASK32
+
+          t = (z10 + z9)  & MASK32; z11 ^= ((t << 7)  | (t >> 25)) & MASK32
+          t = (z11 + z10) & MASK32; z8  ^= ((t << 9)  | (t >> 23)) & MASK32
+          t = (z8  + z11) & MASK32; z9  ^= ((t << 13) | (t >> 19)) & MASK32
+          t = (z9  + z8)  & MASK32; z10 ^= ((t << 18) | (t >> 14)) & MASK32
+
+          t = (z15 + z14) & MASK32; z12 ^= ((t << 7)  | (t >> 25)) & MASK32
+          t = (z12 + z15) & MASK32; z13 ^= ((t << 9)  | (t >> 23)) & MASK32
+          t = (z13 + z12) & MASK32; z14 ^= ((t << 13) | (t >> 19)) & MASK32
+          t = (z14 + z13) & MASK32; z15 ^= ((t << 18) | (t >> 14)) & MASK32
+        end
+
+        # Return words [0,5,10,15,6,7,8,9] — the diagonal + second row
+        [z0, z5, z10, z15, z6, z7, z8, z9].pack("V8")
+      end
+
+      # XSalsa20 stream XOR: encrypts/decrypts message using 32-byte key and 24-byte nonce.
+      #
+      # @param key [String] 32-byte key
+      # @param nonce [String] 24-byte nonce
+      # @param message [String] plaintext/ciphertext
+      # @return [String] XOR'd output (same length as message)
+      #
+      def xsalsa20_xor(key, nonce, message)
+        subkey    = hsalsa20(key, nonce.byteslice(0, 16))
+        sub_nonce = (nonce.byteslice(16, 8) + "\x00\x00\x00\x00\x00\x00\x00\x00").b
+        salsa20_xor(subkey, sub_nonce, message)
+      end
+
+      # Salsa20 stream XOR with 32-byte key and 16-byte nonce/counter.
+      #
+      # @param key [String] 32-byte key
+      # @param nonce [String] 16-byte (8-byte nonce + 8-byte counter, LE)
+      # @param message [String] plaintext/ciphertext
+      # @return [String] XOR'd output
+      #
+      def salsa20_xor(key, nonce, message)
+        k0, k1, k2, k3, k4, k5, k6, k7 = key.unpack("V8")
+        n0, n1, n2, n3 = nonce.unpack("V4")
+        s0, s1, s2, s3 = SIGMA_V4
+
+        msg    = message.b
+        len    = msg.bytesize
+        out    = String.new(capacity: len, encoding: Encoding::BINARY)
+        offset = 0
+
+        while offset < len
+          # Build + run Salsa20 core inline
+          block = core([
+            s0, k0, k1, k2,
+            k3, s1, n0, n1,
+            n2, n3, s2, k4,
+            k5, k6, k7, s3,
+          ].pack("V16"))
+
+          # XOR message bytes with keystream block
+          remaining = len - offset
+          take      = remaining < 64 ? remaining : 64
+
+          if take == 64
+            # Fast path: XOR 8 x uint64
+            m = msg.byteslice(offset, 64).unpack("Q<8")
+            b = block.unpack("Q<8")
+            out << [m[0] ^ b[0], m[1] ^ b[1], m[2] ^ b[2], m[3] ^ b[3],
+                    m[4] ^ b[4], m[5] ^ b[5], m[6] ^ b[6], m[7] ^ b[7]].pack("Q<8")
+          else
+            # Tail: XOR byte-by-byte
+            m = msg.byteslice(offset, take).unpack("C*")
+            b = block.unpack("C*")
+            take.times { |i| m[i] ^= b[i] }
+            out << m.pack("C*")
+          end
+          offset += take
+
+          # Increment 64-bit counter (words n2, n3)
+          counter  = n2 | (n3 << 32)
+          counter += 1
+          n2       = counter & MASK32
+          n3       = (counter >> 32) & MASK32
+        end
+
+        out
+      end
+
+      # Generate XSalsa20 keystream (no XOR, just the stream bytes).
+      #
+      # @param key [String] 32-byte key
+      # @param nonce [String] 24-byte nonce
+      # @param length [Integer] number of bytes to generate
+      # @return [String] keystream bytes
+      #
+      def xsalsa20_stream(key, nonce, length)
+        xsalsa20_xor(key, nonce, "\x00".b * length)
+      end
+    end
+  end
+end

data/lib/nuckle/private_key.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Nuckle
+  class PrivateKey
+    BYTES = 32
+
+    def self.generate
+      new(Random.random_bytes(BYTES))
+    end
+
+    def initialize(key)
+      key = key.to_s if key.respond_to?(:to_s) && !key.is_a?(String)
+      key = key.b
+      raise ArgumentError, "private key must be #{BYTES} bytes (got #{key.bytesize})" unless key.bytesize == BYTES
+
+      @key = key
+    end
+
+    def public_key
+      PublicKey.new(Internals::Curve25519.scalarmult_base(@key))
+    end
+
+    def to_bytes = @key
+    def to_s     = @key
+  end
+end

data/lib/nuckle/public_key.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Nuckle
+  class PublicKey
+    BYTES = 32
+
+    def initialize(key)
+      key = key.to_s if key.respond_to?(:to_s) && !key.is_a?(String)
+      key = key.b
+      raise ArgumentError, "public key must be #{BYTES} bytes (got #{key.bytesize})" unless key.bytesize == BYTES
+
+      @key = key
+    end
+
+    def to_bytes = @key
+    def to_s     = @key
+
+    def ==(other)
+      other.is_a?(PublicKey) && Util.verify32(@key, other.to_s)
+    end
+  end
+end

data/lib/nuckle/random.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require "securerandom"
+
+module Nuckle
+  module Random
+    def self.random_bytes(n)
+      SecureRandom.random_bytes(n)
+    end
+  end
+end

data/lib/nuckle/secret_box.rb

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+module Nuckle
+  # Symmetric authenticated encryption: XSalsa20-Poly1305.
+  #
+  # Compatible with NaCl crypto_secretbox / libsodium crypto_secretbox_xsalsa20poly1305.
+  #
+  class SecretBox
+    KEYBYTES     = 32
+    NONCEBYTES   = 24
+    ZEROBYTES    = 32
+    BOXZEROBYTES = 16
+    MACBYTES     = 16
+
+    def initialize(key)
+      key = key.b
+      raise ArgumentError, "key must be #{KEYBYTES} bytes (got #{key.bytesize})" unless key.bytesize == KEYBYTES
+
+      @key = key
+    end
+
+    def nonce_bytes = NONCEBYTES
+    def key_bytes   = KEYBYTES
+
+    # Encrypt plaintext with 24-byte nonce.
+    #
+    # @param nonce [String] 24-byte nonce
+    # @param plaintext [String]
+    # @return [String] authenticator (16 bytes) + ciphertext
+    #
+    def encrypt(nonce, plaintext)
+      nonce     = nonce.b
+      plaintext = plaintext.b
+      raise ArgumentError, "nonce must be #{NONCEBYTES} bytes" unless nonce.bytesize == NONCEBYTES
+
+      # Pad with 32 zero bytes
+      padded = ("\x00" * ZEROBYTES + plaintext).b
+      c      = Internals::Salsa20.xsalsa20_xor(@key, nonce, padded)
+
+      # First 32 bytes of c: bytes 0..31 of XSalsa20 keystream XOR'd with zeros
+      # → bytes 0..31 ARE the keystream. Use first 32 as Poly1305 one-time key.
+      poly_key = c.byteslice(0, ZEROBYTES)
+      mac      = Internals::Poly1305.mac(poly_key, c.byteslice(ZEROBYTES..))
+
+      # Return: 16-byte MAC + ciphertext (skip first 16 zero bytes of c)
+      # Actually NaCl convention: c[0..15] are zeros, c[16..31] replaced by mac
+      mac + c.byteslice(ZEROBYTES..)
+    end
+
+    # Decrypt ciphertext with 24-byte nonce.
+    #
+    # @param nonce [String] 24-byte nonce
+    # @param ciphertext [String] authenticator (16 bytes) + ciphertext
+    # @return [String] plaintext
+    # @raise [CryptoError] on authentication failure
+    #
+    def decrypt(nonce, ciphertext)
+      nonce      = nonce.b
+      ciphertext = ciphertext.b
+      raise ArgumentError, "nonce must be #{NONCEBYTES} bytes" unless nonce.bytesize == NONCEBYTES
+      raise CryptoError, "ciphertext too short" if ciphertext.bytesize < MACBYTES
+
+      mac = ciphertext.byteslice(0, MACBYTES)
+      ct  = ciphertext.byteslice(MACBYTES..)
+
+      # Generate Poly1305 key from first 32 bytes of XSalsa20 keystream
+      poly_key = Internals::Salsa20.xsalsa20_stream(@key, nonce, ZEROBYTES)
+
+      # Verify MAC
+      expected_mac = Internals::Poly1305.mac(poly_key, ct)
+      raise CryptoError, "decryption failed" unless Util.verify16(mac, expected_mac)
+
+      # Decrypt
+      padded = ("\x00" * ZEROBYTES + ct).b
+      m      = Internals::Salsa20.xsalsa20_xor(@key, nonce, padded)
+      m.byteslice(ZEROBYTES..)
+    end
+
+    # Aliases matching rbnacl API
+    alias box encrypt
+    alias open decrypt
+  end
+end

data/lib/nuckle/util.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Nuckle
+  module Util
+    # Compare two 16-byte strings.
+    def self.verify16(a, b)
+      verify(a, b, 16)
+    end
+
+    # Compare two 32-byte strings.
+    def self.verify32(a, b)
+      verify(a, b, 32)
+    end
+
+    # Compare two 64-byte strings.
+    def self.verify64(a, b)
+      verify(a, b, 64)
+    end
+
+    def self.verify(a, b, expected_size = nil)
+      a = a.b if a.encoding != Encoding::BINARY
+      b = b.b if b.encoding != Encoding::BINARY
+      return false if expected_size && (a.bytesize != expected_size || b.bytesize != expected_size)
+
+      a == b
+    end
+  end
+end

data/lib/nuckle/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Nuckle
+  VERSION = "0.1.1"
+end

data/lib/nuckle.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require_relative "nuckle/version"
+require_relative "nuckle/crypto_error"
+require_relative "nuckle/random"
+require_relative "nuckle/util"
+require_relative "nuckle/internals/curve25519"
+require_relative "nuckle/internals/salsa20"
+require_relative "nuckle/internals/poly1305"
+require_relative "nuckle/public_key"
+require_relative "nuckle/private_key"
+require_relative "nuckle/box"
+require_relative "nuckle/secret_box"

metadata

@@ -0,0 +1,55 @@
+--- !ruby/object:Gem::Specification
+name: nuckle
+version: !ruby/object:Gem::Version
+  version: 0.1.1
+platform: ruby
+authors:
+- Patrik Wenger
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies: []
+description: Pure Ruby implementation of the NaCl crypto primitives (Curve25519, XSalsa20,
+  Poly1305). No C extensions, no FFI, no libsodium. Is it any good? No.
+email:
+- paddor@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- lib/nuckle.rb
+- lib/nuckle/box.rb
+- lib/nuckle/crypto_error.rb
+- lib/nuckle/internals/curve25519.rb
+- lib/nuckle/internals/poly1305.rb
+- lib/nuckle/internals/salsa20.rb
+- lib/nuckle/private_key.rb
+- lib/nuckle/public_key.rb
+- lib/nuckle/random.rb
+- lib/nuckle/secret_box.rb
+- lib/nuckle/util.rb
+- lib/nuckle/version.rb
+homepage: https://github.com/paddor/nuckle
+licenses:
+- ISC
+metadata: {}
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.3'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 4.0.6
+specification_version: 4
+summary: Pure Ruby NaCl crypto primitives
+test_files: []