Mike/FrenoCorp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

FRE-600: Fix code review blockers

Browse Source 
- Consolidated duplicate UndoManagers to single instance
- Fixed connection promise to only resolve on 'connected' status
- Fixed WebSocketProvider import (WebsocketProvider)
- Added proper doc.destroy() cleanup
- Renamed isPresenceInitialized property to avoid conflict

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Michael Freno
2026-04-25 00:08:01 -04:00
parent 65b552bb08
commit 7c684a42cc
48450 changed files with 5679671 additions and 383 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
node_modules/@noble/curves/src/_shortw_utils.ts generated vendored Normal file
View File

@@ -0,0 +1,21 @@
/**
* Utilities for short weierstrass curves, combined with noble-hashes.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { type CurveFn, type CurveType, weierstrass } from './abstract/weierstrass.ts';
import type { CHash } from './utils.ts';
/** connects noble-curves to noble-hashes */
export function getHash(hash: CHash): { hash: CHash } {
return { hash };
}
/** Same API as @noble/hashes, with ability to create curve with custom hash */
export type CurveDef = Readonly<Omit<CurveType, 'hash'>>;
export type CurveFnWithCreate = CurveFn & { create: (hash: CHash) => CurveFn };
/** @deprecated use new `weierstrass()` and `ecdsa()` methods */
export function createCurve(curveDef: CurveDef, defHash: CHash): CurveFnWithCreate {
const create = (hash: CHash): CurveFn => weierstrass({ ...curveDef, hash: hash });
return { ...create(defHash), create };
}

747
node_modules/@noble/curves/src/abstract/bls.ts generated vendored Normal file
View File

@@ -0,0 +1,747 @@
/**
* BLS != BLS.
* The file implements BLS (Boneh-Lynn-Shacham) signatures.
* Used in both BLS (Barreto-Lynn-Scott) and BN (Barreto-Naehrig)
* families of pairing-friendly curves.
* Consists of two curves: G1 and G2:
* - G1 is a subgroup of (x, y) E(Fq) over y² = x³ + 4.
* - G2 is a subgroup of ((x₁, x₂+i), (y₁, y₂+i)) E(Fq²) over y² = x³ + 4(1 + i) where i is √-1
* - Gt, created by bilinear (ate) pairing e(G1, G2), consists of p-th roots of unity in
* Fq^k where k is embedding degree. Only degree 12 is currently supported, 24 is not.
* Pairing is used to aggregate and verify signatures.
* There are two modes of operation:
* - Long signatures: X-byte keys + 2X-byte sigs (G1 keys + G2 sigs).
* - Short signatures: 2X-byte keys + X-byte sigs (G2 keys + G1 sigs).
* @module
**/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import {
abytes,
ensureBytes,
memoized,
randomBytes,
type CHash,
type Hex,
type PrivKey,
} from '../utils.ts';
import { normalizeZ } from './curve.ts';
import {
createHasher,
type H2CHasher,
type H2CHashOpts,
type H2COpts,
type H2CPointConstructor,
type htfBasicOpts,
type MapToCurve,
} from './hash-to-curve.ts';
import { getMinHashLength, mapHashToField, type IField } from './modular.ts';
import type { Fp12, Fp12Bls, Fp2, Fp2Bls, Fp6Bls } from './tower.ts';
import {
_normFnElement,
weierstrassPoints,
type CurvePointsRes,
type CurvePointsType,
type WeierstrassPoint,
type WeierstrassPointCons,
} from './weierstrass.ts';
type Fp = bigint; // Can be different field?
// prettier-ignore
const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
export type TwistType = 'multiplicative' | 'divisive';
export type ShortSignatureCoder<Fp> = {
fromBytes(bytes: Uint8Array): WeierstrassPoint<Fp>;
fromHex(hex: Hex): WeierstrassPoint<Fp>;
toBytes(point: WeierstrassPoint<Fp>): Uint8Array;
toHex(point: WeierstrassPoint<Fp>): string;
/** @deprecated use `toBytes` */
toRawBytes(point: WeierstrassPoint<Fp>): Uint8Array;
};
export type SignatureCoder<Fp> = {
fromBytes(bytes: Uint8Array): WeierstrassPoint<Fp>;
fromHex(hex: Hex): WeierstrassPoint<Fp>;
toBytes(point: WeierstrassPoint<Fp>): Uint8Array;
toHex(point: WeierstrassPoint<Fp>): string;
/** @deprecated use `toBytes` */
toRawBytes(point: WeierstrassPoint<Fp>): Uint8Array;
};
export type BlsFields = {
Fp: IField<Fp>;
Fr: IField<bigint>;
Fp2: Fp2Bls;
Fp6: Fp6Bls;
Fp12: Fp12Bls;
};
export type PostPrecomputePointAddFn = (
Rx: Fp2,
Ry: Fp2,
Rz: Fp2,
Qx: Fp2,
Qy: Fp2
) => { Rx: Fp2; Ry: Fp2; Rz: Fp2 };
export type PostPrecomputeFn = (
Rx: Fp2,
Ry: Fp2,
Rz: Fp2,
Qx: Fp2,
Qy: Fp2,
pointAdd: PostPrecomputePointAddFn
) => void;
export type BlsPairing = {
Fp12: Fp12Bls;
calcPairingPrecomputes: (p: WeierstrassPoint<Fp2>) => Precompute;
millerLoopBatch: (pairs: [Precompute, Fp, Fp][]) => Fp12;
pairing: (P: WeierstrassPoint<Fp>, Q: WeierstrassPoint<Fp2>, withFinalExponent?: boolean) => Fp12;
pairingBatch: (
pairs: { g1: WeierstrassPoint<Fp>; g2: WeierstrassPoint<Fp2> }[],
withFinalExponent?: boolean
) => Fp12;
};
// TODO: replace CurveType with this? It doesn't contain r however and has postPrecompute
export type BlsPairingParams = {
// NOTE: MSB is always ignored and used as marker for length,
// otherwise leading zeros will be lost.
// Can be different from 'X' (seed) param!
ateLoopSize: bigint;
xNegative: boolean;
twistType: TwistType; // BLS12-381: Multiplicative, BN254: Divisive
// This is super ugly hack for untwist point in BN254 after miller loop
postPrecompute?: PostPrecomputeFn;
};
export type CurveType = {
G1: CurvePointsType<Fp> & {
ShortSignature: SignatureCoder<Fp>;
mapToCurve: MapToCurve<Fp>;
htfDefaults: H2COpts;
};
G2: CurvePointsType<Fp2> & {
Signature: SignatureCoder<Fp2>;
mapToCurve: MapToCurve<Fp2>;
htfDefaults: H2COpts;
};
fields: BlsFields;
params: {
// NOTE: MSB is always ignored and used as marker for length,
// otherwise leading zeros will be lost.
// Can be different from 'X' (seed) param!
ateLoopSize: BlsPairingParams['ateLoopSize'];
xNegative: BlsPairingParams['xNegative'];
r: bigint; // TODO: remove
twistType: BlsPairingParams['twistType']; // BLS12-381: Multiplicative, BN254: Divisive
};
htfDefaults: H2COpts;
hash: CHash; // Because we need outputLen for DRBG
randomBytes?: (bytesLength?: number) => Uint8Array;
// This is super ugly hack for untwist point in BN254 after miller loop
postPrecompute?: PostPrecomputeFn;
};
type PrecomputeSingle = [Fp2, Fp2, Fp2][];
type Precompute = PrecomputeSingle[];
/**
* BLS consists of two curves: G1 and G2:
* - G1 is a subgroup of (x, y) E(Fq) over y² = x³ + 4.
* - G2 is a subgroup of ((x₁, x₂+i), (y₁, y₂+i)) E(Fq²) over y² = x³ + 4(1 + i) where i is √-1
*/
export interface BLSCurvePair {
longSignatures: BLSSigs<bigint, Fp2>;
shortSignatures: BLSSigs<Fp2, bigint>;
millerLoopBatch: BlsPairing['millerLoopBatch'];
pairing: BlsPairing['pairing'];
pairingBatch: BlsPairing['pairingBatch'];
G1: { Point: WeierstrassPointCons<bigint> } & H2CHasher<Fp>;
G2: { Point: WeierstrassPointCons<Fp2> } & H2CHasher<Fp2>;
fields: {
Fp: IField<Fp>;
Fp2: Fp2Bls;
Fp6: Fp6Bls;
Fp12: Fp12Bls;
Fr: IField<bigint>;
};
utils: {
randomSecretKey: () => Uint8Array;
/** @deprecated use randomSecretKey */
randomPrivateKey: () => Uint8Array;
calcPairingPrecomputes: BlsPairing['calcPairingPrecomputes'];
};
}
export type CurveFn = BLSCurvePair & {
/** @deprecated use `longSignatures.getPublicKey` */
getPublicKey: (secretKey: PrivKey) => Uint8Array;
/** @deprecated use `shortSignatures.getPublicKey` */
getPublicKeyForShortSignatures: (secretKey: PrivKey) => Uint8Array;
/** @deprecated use `longSignatures.sign` */
sign: {
(message: Hex, secretKey: PrivKey, htfOpts?: htfBasicOpts): Uint8Array;
(
message: WeierstrassPoint<Fp2>,
secretKey: PrivKey,
htfOpts?: htfBasicOpts
): WeierstrassPoint<Fp2>;
};
/** @deprecated use `shortSignatures.sign` */
signShortSignature: {
(message: Hex, secretKey: PrivKey, htfOpts?: htfBasicOpts): Uint8Array;
(
message: WeierstrassPoint<Fp>,
secretKey: PrivKey,
htfOpts?: htfBasicOpts
): WeierstrassPoint<Fp>;
};
/** @deprecated use `longSignatures.verify` */
verify: (
signature: Hex | WeierstrassPoint<Fp2>,
message: Hex | WeierstrassPoint<Fp2>,
publicKey: Hex | WeierstrassPoint<Fp>,
htfOpts?: htfBasicOpts
) => boolean;
/** @deprecated use `shortSignatures.verify` */
verifyShortSignature: (
signature: Hex | WeierstrassPoint<Fp>,
message: Hex | WeierstrassPoint<Fp>,
publicKey: Hex | WeierstrassPoint<Fp2>,
htfOpts?: htfBasicOpts
) => boolean;
verifyBatch: (
signature: Hex | WeierstrassPoint<Fp2>,
messages: (Hex | WeierstrassPoint<Fp2>)[],
publicKeys: (Hex | WeierstrassPoint<Fp>)[],
htfOpts?: htfBasicOpts
) => boolean;
/** @deprecated use `longSignatures.aggregatePublicKeys` */
aggregatePublicKeys: {
(publicKeys: Hex[]): Uint8Array;
(publicKeys: WeierstrassPoint<Fp>[]): WeierstrassPoint<Fp>;
};
/** @deprecated use `longSignatures.aggregateSignatures` */
aggregateSignatures: {
(signatures: Hex[]): Uint8Array;
(signatures: WeierstrassPoint<Fp2>[]): WeierstrassPoint<Fp2>;
};
/** @deprecated use `shortSignatures.aggregateSignatures` */
aggregateShortSignatures: {
(signatures: Hex[]): Uint8Array;
(signatures: WeierstrassPoint<Fp>[]): WeierstrassPoint<Fp>;
};
G1: CurvePointsRes<Fp> & H2CHasher<Fp>;
G2: CurvePointsRes<Fp2> & H2CHasher<Fp2>;
/** @deprecated use `longSignatures.Signature` */
Signature: SignatureCoder<Fp2>;
/** @deprecated use `shortSignatures.Signature` */
ShortSignature: ShortSignatureCoder<Fp>;
params: {
ateLoopSize: bigint;
r: bigint;
twistType: TwistType;
/** @deprecated */
G1b: bigint;
/** @deprecated */
G2b: Fp2;
};
};
type BLSInput = Hex | Uint8Array;
export interface BLSSigs<P, S> {
getPublicKey(secretKey: PrivKey): WeierstrassPoint<P>;
sign(hashedMessage: WeierstrassPoint<S>, secretKey: PrivKey): WeierstrassPoint<S>;
verify(
signature: WeierstrassPoint<S> | BLSInput,
message: WeierstrassPoint<S>,
publicKey: WeierstrassPoint<P> | BLSInput
): boolean;
verifyBatch: (
signature: WeierstrassPoint<S> | BLSInput,
messages: WeierstrassPoint<S>[],
publicKeys: (WeierstrassPoint<P> | BLSInput)[]
) => boolean;
aggregatePublicKeys(publicKeys: (WeierstrassPoint<P> | BLSInput)[]): WeierstrassPoint<P>;
aggregateSignatures(signatures: (WeierstrassPoint<S> | BLSInput)[]): WeierstrassPoint<S>;
hash(message: Uint8Array, DST?: string | Uint8Array, hashOpts?: H2CHashOpts): WeierstrassPoint<S>;
Signature: SignatureCoder<S>;
}
// Not used with BLS12-381 (no sequential `11` in X). Useful for other curves.
function NAfDecomposition(a: bigint) {
const res = [];
// a>1 because of marker bit
for (; a > _1n; a >>= _1n) {
if ((a & _1n) === _0n) res.unshift(0);
else if ((a & _3n) === _3n) {
res.unshift(-1);
a += _1n;
} else res.unshift(1);
}
return res;
}
function aNonEmpty(arr: any[]) {
if (!Array.isArray(arr) || arr.length === 0) throw new Error('expected non-empty array');
}
// This should be enough for bn254, no need to export full stuff?
function createBlsPairing(
fields: BlsFields,
G1: WeierstrassPointCons<Fp>,
G2: WeierstrassPointCons<Fp2>,
params: BlsPairingParams
): BlsPairing {
const { Fp2, Fp12 } = fields;
const { twistType, ateLoopSize, xNegative, postPrecompute } = params;
type G1 = typeof G1.BASE;
type G2 = typeof G2.BASE;
// Applies sparse multiplication as line function
let lineFunction: (c0: Fp2, c1: Fp2, c2: Fp2, f: Fp12, Px: Fp, Py: Fp) => Fp12;
if (twistType === 'multiplicative') {
lineFunction = (c0: Fp2, c1: Fp2, c2: Fp2, f: Fp12, Px: Fp, Py: Fp) =>
Fp12.mul014(f, c0, Fp2.mul(c1, Px), Fp2.mul(c2, Py));
} else if (twistType === 'divisive') {
// NOTE: it should be [c0, c1, c2], but we use different order here to reduce complexity of
// precompute calculations.
lineFunction = (c0: Fp2, c1: Fp2, c2: Fp2, f: Fp12, Px: Fp, Py: Fp) =>
Fp12.mul034(f, Fp2.mul(c2, Py), Fp2.mul(c1, Px), c0);
} else throw new Error('bls: unknown twist type');
const Fp2div2 = Fp2.div(Fp2.ONE, Fp2.mul(Fp2.ONE, _2n));
function pointDouble(ell: PrecomputeSingle, Rx: Fp2, Ry: Fp2, Rz: Fp2) {
const t0 = Fp2.sqr(Ry); // Ry²
const t1 = Fp2.sqr(Rz); // Rz²
const t2 = Fp2.mulByB(Fp2.mul(t1, _3n)); // 3 * T1 * B
const t3 = Fp2.mul(t2, _3n); // 3 * T2
const t4 = Fp2.sub(Fp2.sub(Fp2.sqr(Fp2.add(Ry, Rz)), t1), t0); // (Ry + Rz)² - T1 - T0
const c0 = Fp2.sub(t2, t0); // T2 - T0 (i)
const c1 = Fp2.mul(Fp2.sqr(Rx), _3n); // 3 * Rx²
const c2 = Fp2.neg(t4); // -T4 (-h)
ell.push([c0, c1, c2]);
Rx = Fp2.mul(Fp2.mul(Fp2.mul(Fp2.sub(t0, t3), Rx), Ry), Fp2div2); // ((T0 - T3) * Rx * Ry) / 2
Ry = Fp2.sub(Fp2.sqr(Fp2.mul(Fp2.add(t0, t3), Fp2div2)), Fp2.mul(Fp2.sqr(t2), _3n)); // ((T0 + T3) / 2)² - 3 * T2²
Rz = Fp2.mul(t0, t4); // T0 * T4
return { Rx, Ry, Rz };
}
function pointAdd(ell: PrecomputeSingle, Rx: Fp2, Ry: Fp2, Rz: Fp2, Qx: Fp2, Qy: Fp2) {
// Addition
const t0 = Fp2.sub(Ry, Fp2.mul(Qy, Rz)); // Ry - Qy * Rz
const t1 = Fp2.sub(Rx, Fp2.mul(Qx, Rz)); // Rx - Qx * Rz
const c0 = Fp2.sub(Fp2.mul(t0, Qx), Fp2.mul(t1, Qy)); // T0 * Qx - T1 * Qy == Ry * Qx - Rx * Qy
const c1 = Fp2.neg(t0); // -T0 == Qy * Rz - Ry
const c2 = t1; // == Rx - Qx * Rz
ell.push([c0, c1, c2]);
const t2 = Fp2.sqr(t1); // T1²
const t3 = Fp2.mul(t2, t1); // T2 * T1
const t4 = Fp2.mul(t2, Rx); // T2 * Rx
const t5 = Fp2.add(Fp2.sub(t3, Fp2.mul(t4, _2n)), Fp2.mul(Fp2.sqr(t0), Rz)); // T3 - 2 * T4 + T0² * Rz
Rx = Fp2.mul(t1, t5); // T1 * T5
Ry = Fp2.sub(Fp2.mul(Fp2.sub(t4, t5), t0), Fp2.mul(t3, Ry)); // (T4 - T5) * T0 - T3 * Ry
Rz = Fp2.mul(Rz, t3); // Rz * T3
return { Rx, Ry, Rz };
}
// Pre-compute coefficients for sparse multiplication
// Point addition and point double calculations is reused for coefficients
// pointAdd happens only if bit set, so wNAF is reasonable. Unfortunately we cannot combine
// add + double in windowed precomputes here, otherwise it would be single op (since X is static)
const ATE_NAF = NAfDecomposition(ateLoopSize);
const calcPairingPrecomputes = memoized((point: G2) => {
const p = point;
const { x, y } = p.toAffine();
// prettier-ignore
const Qx = x, Qy = y, negQy = Fp2.neg(y);
// prettier-ignore
let Rx = Qx, Ry = Qy, Rz = Fp2.ONE;
const ell: Precompute = [];
for (const bit of ATE_NAF) {
const cur: PrecomputeSingle = [];
({ Rx, Ry, Rz } = pointDouble(cur, Rx, Ry, Rz));
if (bit) ({ Rx, Ry, Rz } = pointAdd(cur, Rx, Ry, Rz, Qx, bit === -1 ? negQy : Qy));
ell.push(cur);
}
if (postPrecompute) {
const last = ell[ell.length - 1];
postPrecompute(Rx, Ry, Rz, Qx, Qy, pointAdd.bind(null, last));
}
return ell;
});
// Main pairing logic is here. Computes product of miller loops + final exponentiate
// Applies calculated precomputes
type MillerInput = [Precompute, Fp, Fp][];
function millerLoopBatch(pairs: MillerInput, withFinalExponent: boolean = false) {
let f12 = Fp12.ONE;
if (pairs.length) {
const ellLen = pairs[0][0].length;
for (let i = 0; i < ellLen; i++) {
f12 = Fp12.sqr(f12); // This allows us to do sqr only one time for all pairings
// NOTE: we apply multiple pairings in parallel here
for (const [ell, Px, Py] of pairs) {
for (const [c0, c1, c2] of ell[i]) f12 = lineFunction(c0, c1, c2, f12, Px, Py);
}
}
}
if (xNegative) f12 = Fp12.conjugate(f12);
return withFinalExponent ? Fp12.finalExponentiate(f12) : f12;
}
type PairingInput = { g1: G1; g2: G2 };
// Calculates product of multiple pairings
// This up to x2 faster than just `map(({g1, g2})=>pairing({g1,g2}))`
function pairingBatch(pairs: PairingInput[], withFinalExponent: boolean = true) {
const res: MillerInput = [];
// Cache precomputed toAffine for all points
normalizeZ(
G1,
pairs.map(({ g1 }) => g1)
);
normalizeZ(
G2,
pairs.map(({ g2 }) => g2)
);
for (const { g1, g2 } of pairs) {
if (g1.is0() || g2.is0()) throw new Error('pairing is not available for ZERO point');
// This uses toAffine inside
g1.assertValidity();
g2.assertValidity();
const Qa = g1.toAffine();
res.push([calcPairingPrecomputes(g2), Qa.x, Qa.y]);
}
return millerLoopBatch(res, withFinalExponent);
}
// Calculates bilinear pairing
function pairing(Q: G1, P: G2, withFinalExponent: boolean = true): Fp12 {
return pairingBatch([{ g1: Q, g2: P }], withFinalExponent);
}
return {
Fp12, // NOTE: we re-export Fp12 here because pairing results are Fp12!
millerLoopBatch,
pairing,
pairingBatch,
calcPairingPrecomputes,
};
}
function createBlsSig<P, S>(
blsPairing: BlsPairing,
PubCurve: CurvePointsRes<P> & H2CHasher<P>,
SigCurve: CurvePointsRes<S> & H2CHasher<S>,
SignatureCoder: SignatureCoder<S>,
isSigG1: boolean
): BLSSigs<P, S> {
const { Fp12, pairingBatch } = blsPairing;
type PubPoint = WeierstrassPoint<P>;
type SigPoint = WeierstrassPoint<S>;
function normPub(point: PubPoint | BLSInput): PubPoint {
return point instanceof PubCurve.Point ? (point as PubPoint) : PubCurve.Point.fromHex(point);
}
function normSig(point: SigPoint | BLSInput): SigPoint {
return point instanceof SigCurve.Point ? (point as SigPoint) : SigCurve.Point.fromHex(point);
}
function amsg(m: unknown): SigPoint {
if (!(m instanceof SigCurve.Point))
throw new Error(`expected valid message hashed to ${!isSigG1 ? 'G2' : 'G1'} curve`);
return m as SigPoint;
}
type G1 = CurvePointsRes<Fp>['Point']['BASE'];
type G2 = CurvePointsRes<Fp2>['Point']['BASE'];
type PairingInput = { g1: G1; g2: G2 };
// What matters here is what point pairing API accepts as G1 or G2, not actual size or names
const pair: (a: PubPoint, b: SigPoint) => PairingInput = !isSigG1
? (a: PubPoint, b: SigPoint) => ({ g1: a, g2: b }) as PairingInput
: (a: PubPoint, b: SigPoint) => ({ g1: b, g2: a }) as PairingInput;
return {
// P = pk x G
getPublicKey(secretKey: PrivKey): PubPoint {
// TODO: replace with
// const sec = PubCurve.Point.Fn.fromBytes(secretKey);
const sec = _normFnElement(PubCurve.Point.Fn, secretKey);
return PubCurve.Point.BASE.multiply(sec);
},
// S = pk x H(m)
sign(message: SigPoint, secretKey: PrivKey, unusedArg?: any): SigPoint {
if (unusedArg != null) throw new Error('sign() expects 2 arguments');
// TODO: replace with
// PubCurve.Point.Fn.fromBytes(secretKey)
const sec = _normFnElement(PubCurve.Point.Fn, secretKey);
amsg(message).assertValidity();
return message.multiply(sec);
},
// Checks if pairing of public key & hash is equal to pairing of generator & signature.
// e(P, H(m)) == e(G, S)
// e(S, G) == e(H(m), P)
verify(
signature: SigPoint | BLSInput,
message: SigPoint,
publicKey: PubPoint | BLSInput,
unusedArg?: any
): boolean {
if (unusedArg != null) throw new Error('verify() expects 3 arguments');
signature = normSig(signature);
publicKey = normPub(publicKey);
const P = publicKey.negate();
const G = PubCurve.Point.BASE;
const Hm = amsg(message);
const S = signature;
// This code was changed in 1.9.x:
// Before it was G.negate() in G2, now it's always pubKey.negate
// e(P, -Q)===e(-P, Q)==e(P, Q)^-1. Negate can be done anywhere (as long it is done once per pair).
// We just moving sign, but since pairing is multiplicative, we doing X * X^-1 = 1
const exp = pairingBatch([pair(P, Hm), pair(G, S)]);
return Fp12.eql(exp, Fp12.ONE);
},
// https://ethresear.ch/t/fast-verification-of-multiple-bls-signatures/5407
// e(G, S) = e(G, SUM(n)(Si)) = MUL(n)(e(G, Si))
// TODO: maybe `{message: G2Hex, publicKey: G1Hex}[]` instead?
verifyBatch(
signature: SigPoint | BLSInput,
messages: SigPoint[],
publicKeys: (PubPoint | BLSInput)[]
): boolean {
aNonEmpty(messages);
if (publicKeys.length !== messages.length)
throw new Error('amount of public keys and messages should be equal');
const sig = normSig(signature);
const nMessages = messages;
const nPublicKeys = publicKeys.map(normPub);
// NOTE: this works only for exact same object
const messagePubKeyMap = new Map<SigPoint, PubPoint[]>();
for (let i = 0; i < nPublicKeys.length; i++) {
const pub = nPublicKeys[i];
const msg = nMessages[i];
let keys = messagePubKeyMap.get(msg);
if (keys === undefined) {
keys = [];
messagePubKeyMap.set(msg, keys);
}
keys.push(pub);
}
const paired = [];
const G = PubCurve.Point.BASE;
try {
for (const [msg, keys] of messagePubKeyMap) {
const groupPublicKey = keys.reduce((acc, msg) => acc.add(msg));
paired.push(pair(groupPublicKey, msg));
}
paired.push(pair(G.negate(), sig));
return Fp12.eql(pairingBatch(paired), Fp12.ONE);
} catch {
return false;
}
},
// Adds a bunch of public key points together.
// pk1 + pk2 + pk3 = pkA
aggregatePublicKeys(publicKeys: (PubPoint | BLSInput)[]): PubPoint {
aNonEmpty(publicKeys);
publicKeys = publicKeys.map((pub) => normPub(pub));
const agg = (publicKeys as PubPoint[]).reduce((sum, p) => sum.add(p), PubCurve.Point.ZERO);
agg.assertValidity();
return agg;
},
// Adds a bunch of signature points together.
// pk1 + pk2 + pk3 = pkA
aggregateSignatures(signatures: (SigPoint | BLSInput)[]): SigPoint {
aNonEmpty(signatures);
signatures = signatures.map((sig) => normSig(sig));
const agg = (signatures as SigPoint[]).reduce((sum, s) => sum.add(s), SigCurve.Point.ZERO);
agg.assertValidity();
return agg;
},
hash(messageBytes: Uint8Array, DST?: string | Uint8Array): SigPoint {
abytes(messageBytes);
const opts = DST ? { DST } : undefined;
return SigCurve.hashToCurve(messageBytes, opts) as SigPoint;
},
Signature: SignatureCoder,
};
}
// G1_Point: ProjConstructor<bigint>, G2_Point: ProjConstructor<Fp2>,
export function bls(CURVE: CurveType): CurveFn {
// Fields are specific for curve, so for now we'll need to pass them with opts
const { Fp, Fr, Fp2, Fp6, Fp12 } = CURVE.fields;
// Point on G1 curve: (x, y)
const G1_ = weierstrassPoints(CURVE.G1);
const G1 = Object.assign(
G1_,
createHasher(G1_.Point, CURVE.G1.mapToCurve, {
...CURVE.htfDefaults,
...CURVE.G1.htfDefaults,
})
);
// Point on G2 curve (complex numbers): (x₁, x₂+i), (y₁, y₂+i)
const G2_ = weierstrassPoints(CURVE.G2);
const G2 = Object.assign(
G2_,
createHasher(G2_.Point as H2CPointConstructor<Fp2>, CURVE.G2.mapToCurve, {
...CURVE.htfDefaults,
...CURVE.G2.htfDefaults,
})
);
type G1 = typeof G1.Point.BASE;
type G2 = typeof G2.Point.BASE;
const pairingRes = createBlsPairing(CURVE.fields, G1.Point, G2.Point, {
...CURVE.params,
postPrecompute: CURVE.postPrecompute,
});
const { millerLoopBatch, pairing, pairingBatch, calcPairingPrecomputes } = pairingRes;
const longSignatures = createBlsSig(pairingRes, G1, G2, CURVE.G2.Signature, false);
const shortSignatures = createBlsSig(pairingRes, G2, G1, CURVE.G1.ShortSignature, true);
const rand = CURVE.randomBytes || randomBytes;
const randomSecretKey = (): Uint8Array => {
const length = getMinHashLength(Fr.ORDER);
return mapHashToField(rand(length), Fr.ORDER);
};
const utils = {
randomSecretKey,
randomPrivateKey: randomSecretKey,
calcPairingPrecomputes,
};
// LEGACY code
type G1Hex = Hex | G1;
type G2Hex = Hex | G2;
const { ShortSignature } = CURVE.G1;
const { Signature } = CURVE.G2;
function normP1Hash(point: G1Hex, htfOpts?: htfBasicOpts): G1 {
return point instanceof G1.Point
? point
: shortSignatures.hash(ensureBytes('point', point), htfOpts?.DST);
}
function normP2Hash(point: G2Hex, htfOpts?: htfBasicOpts): G2 {
return point instanceof G2.Point
? point
: longSignatures.hash(ensureBytes('point', point), htfOpts?.DST);
}
function getPublicKey(privateKey: PrivKey): Uint8Array {
return longSignatures.getPublicKey(privateKey).toBytes(true);
}
function getPublicKeyForShortSignatures(privateKey: PrivKey): Uint8Array {
return shortSignatures.getPublicKey(privateKey).toBytes(true);
}
function sign(message: Hex, privateKey: PrivKey, htfOpts?: htfBasicOpts): Uint8Array;
function sign(message: G2, privateKey: PrivKey, htfOpts?: htfBasicOpts): G2;
function sign(message: G2Hex, privateKey: PrivKey, htfOpts?: htfBasicOpts): Uint8Array | G2 {
const Hm = normP2Hash(message, htfOpts);
const S = longSignatures.sign(Hm, privateKey);
return message instanceof G2.Point ? S : Signature.toBytes(S);
}
function signShortSignature(
message: Hex,
privateKey: PrivKey,
htfOpts?: htfBasicOpts
): Uint8Array;
function signShortSignature(message: G1, privateKey: PrivKey, htfOpts?: htfBasicOpts): G1;
function signShortSignature(
message: G1Hex,
privateKey: PrivKey,
htfOpts?: htfBasicOpts
): Uint8Array | G1 {
const Hm = normP1Hash(message, htfOpts);
const S = shortSignatures.sign(Hm, privateKey);
return message instanceof G1.Point ? S : ShortSignature.toBytes(S);
}
function verify(
signature: G2Hex,
message: G2Hex,
publicKey: G1Hex,
htfOpts?: htfBasicOpts
): boolean {
const Hm = normP2Hash(message, htfOpts);
return longSignatures.verify(signature, Hm, publicKey);
}
function verifyShortSignature(
signature: G1Hex,
message: G1Hex,
publicKey: G2Hex,
htfOpts?: htfBasicOpts
): boolean {
const Hm = normP1Hash(message, htfOpts);
return shortSignatures.verify(signature, Hm, publicKey);
}
function aggregatePublicKeys(publicKeys: Hex[]): Uint8Array;
function aggregatePublicKeys(publicKeys: G1[]): G1;
function aggregatePublicKeys(publicKeys: G1Hex[]): Uint8Array | G1 {
const agg = longSignatures.aggregatePublicKeys(publicKeys);
return publicKeys[0] instanceof G1.Point ? agg : agg.toBytes(true);
}
function aggregateSignatures(signatures: Hex[]): Uint8Array;
function aggregateSignatures(signatures: G2[]): G2;
function aggregateSignatures(signatures: G2Hex[]): Uint8Array | G2 {
const agg = longSignatures.aggregateSignatures(signatures);
return signatures[0] instanceof G2.Point ? agg : Signature.toBytes(agg);
}
function aggregateShortSignatures(signatures: Hex[]): Uint8Array;
function aggregateShortSignatures(signatures: G1[]): G1;
function aggregateShortSignatures(signatures: G1Hex[]): Uint8Array | G1 {
const agg = shortSignatures.aggregateSignatures(signatures);
return signatures[0] instanceof G1.Point ? agg : ShortSignature.toBytes(agg);
}
function verifyBatch(
signature: G2Hex,
messages: G2Hex[],
publicKeys: G1Hex[],
htfOpts?: htfBasicOpts
): boolean {
const Hm = messages.map((m) => normP2Hash(m, htfOpts));
return longSignatures.verifyBatch(signature, Hm, publicKeys);
}
G1.Point.BASE.precompute(4);
return {
longSignatures,
shortSignatures,
millerLoopBatch,
pairing,
pairingBatch,
verifyBatch,
fields: {
Fr,
Fp,
Fp2,
Fp6,
Fp12,
},
params: {
ateLoopSize: CURVE.params.ateLoopSize,
twistType: CURVE.params.twistType,
// deprecated
r: CURVE.params.r,
G1b: CURVE.G1.b,
G2b: CURVE.G2.b,
},
utils,
// deprecated
getPublicKey,
getPublicKeyForShortSignatures,
sign,
signShortSignature,
verify,
verifyShortSignature,
aggregatePublicKeys,
aggregateSignatures,
aggregateShortSignatures,
G1,
G2,
Signature,
ShortSignature,
};
}

692
node_modules/@noble/curves/src/abstract/curve.ts generated vendored Normal file
View File

@@ -0,0 +1,692 @@
/**
* Methods for elliptic curve multiplication by scalars.
* Contains wNAF, pippenger.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { bitLen, bitMask, validateObject } from '../utils.ts';
import { Field, FpInvertBatch, nLength, validateField, type IField } from './modular.ts';
const _0n = BigInt(0);
const _1n = BigInt(1);
export type AffinePoint<T> = {
x: T;
y: T;
} & { Z?: never };
// This was initialy do this way to re-use montgomery ladder in field (add->mul,double->sqr), but
// that didn't happen and there is probably not much reason to have separate Group like this?
export interface Group<T extends Group<T>> {
double(): T;
negate(): T;
add(other: T): T;
subtract(other: T): T;
equals(other: T): boolean;
multiply(scalar: bigint): T;
toAffine?(invertedZ?: any): AffinePoint<any>;
}
// We can't "abstract out" coordinates (X, Y, Z; and T in Edwards): argument names of constructor
// are not accessible. See Typescript gh-56093, gh-41594.
//
// We have to use recursive types, so it will return actual point, not constained `CurvePoint`.
// If, at any point, P is `any`, it will erase all types and replace it
// with `any`, because of recursion, `any implements CurvePoint`,
// but we lose all constrains on methods.
/** Base interface for all elliptic curve Points. */
export interface CurvePoint<F, P extends CurvePoint<F, P>> extends Group<P> {
/** Affine x coordinate. Different from projective / extended X coordinate. */
x: F;
/** Affine y coordinate. Different from projective / extended Y coordinate. */
y: F;
Z?: F;
double(): P;
negate(): P;
add(other: P): P;
subtract(other: P): P;
equals(other: P): boolean;
multiply(scalar: bigint): P;
assertValidity(): void;
clearCofactor(): P;
is0(): boolean;
isTorsionFree(): boolean;
isSmallOrder(): boolean;
multiplyUnsafe(scalar: bigint): P;
/**
* Massively speeds up `p.multiply(n)` by using precompute tables (caching). See {@link wNAF}.
* @param isLazy calculate cache now. Default (true) ensures it's deferred to first `multiply()`
*/
precompute(windowSize?: number, isLazy?: boolean): P;
/** Converts point to 2D xy affine coordinates */
toAffine(invertedZ?: F): AffinePoint<F>;
toBytes(): Uint8Array;
toHex(): string;
}
/** Base interface for all elliptic curve Point constructors. */
export interface CurvePointCons<P extends CurvePoint<any, P>> {
[Symbol.hasInstance]: (item: unknown) => boolean;
BASE: P;
ZERO: P;
/** Field for basic curve math */
Fp: IField<P_F<P>>;
/** Scalar field, for scalars in multiply and others */
Fn: IField<bigint>;
/** Creates point from x, y. Does NOT validate if the point is valid. Use `.assertValidity()`. */
fromAffine(p: AffinePoint<P_F<P>>): P;
fromBytes(bytes: Uint8Array): P;
fromHex(hex: Uint8Array | string): P;
}
// Type inference helpers: PC - PointConstructor, P - Point, Fp - Field element
// Short names, because we use them a lot in result types:
// * we can't do 'P = GetCurvePoint<PC>': this is default value and doesn't constrain anything
// * we can't do 'type X = GetCurvePoint<PC>': it won't be accesible for arguments/return types
// * `CurvePointCons<P extends CurvePoint<any, P>>` constraints from interface definition
// won't propagate, if `PC extends CurvePointCons<any>`: the P would be 'any', which is incorrect
// * PC could be super specific with super specific P, which implements CurvePoint<any, P>.
// this means we need to do stuff like
// `function test<P extends CurvePoint<any, P>, PC extends CurvePointCons<P>>(`
// if we want type safety around P, otherwise PC_P<PC> will be any
/** Returns Fp type from Point (P_F<P> == P.F) */
export type P_F<P extends CurvePoint<any, P>> = P extends CurvePoint<infer F, P> ? F : never;
/** Returns Fp type from PointCons (PC_F<PC> == PC.P.F) */
export type PC_F<PC extends CurvePointCons<CurvePoint<any, any>>> = PC['Fp']['ZERO'];
/** Returns Point type from PointCons (PC_P<PC> == PC.P) */
export type PC_P<PC extends CurvePointCons<CurvePoint<any, any>>> = PC['ZERO'];
// Ugly hack to get proper type inference, because in typescript fails to infer resursively.
// The hack allows to do up to 10 chained operations without applying type erasure.
//
// Types which won't work:
// * `CurvePointCons<CurvePoint<any, any>>`, will return `any` after 1 operation
// * `CurvePointCons<any>: WeierstrassPointCons<bigint> extends CurvePointCons<any> = false`
// * `P extends CurvePoint, PC extends CurvePointCons<P>`
// * It can't infer P from PC alone
// * Too many relations between F, P & PC
// * It will infer P/F if `arg: CurvePointCons<F, P>`, but will fail if PC is generic
// * It will work correctly if there is an additional argument of type P
// * But generally, we don't want to parametrize `CurvePointCons` over `F`: it will complicate
// types, making them un-inferable
// prettier-ignore
export type PC_ANY = CurvePointCons<
CurvePoint<any,
CurvePoint<any,
CurvePoint<any,
CurvePoint<any,
CurvePoint<any,
CurvePoint<any,
CurvePoint<any,
CurvePoint<any,
CurvePoint<any,
CurvePoint<any, any>
>>>>>>>>>
>;
export interface CurveLengths {
secretKey?: number;
publicKey?: number;
publicKeyUncompressed?: number;
publicKeyHasPrefix?: boolean;
signature?: number;
seed?: number;
}
export type GroupConstructor<T> = {
BASE: T;
ZERO: T;
};
/** @deprecated */
export type ExtendedGroupConstructor<T> = GroupConstructor<T> & {
Fp: IField<any>;
Fn: IField<bigint>;
fromAffine(ap: AffinePoint<any>): T;
};
export type Mapper<T> = (i: T[]) => T[];
export function negateCt<T extends { negate: () => T }>(condition: boolean, item: T): T {
const neg = item.negate();
return condition ? neg : item;
}
/**
* Takes a bunch of Projective Points but executes only one
* inversion on all of them. Inversion is very slow operation,
* so this improves performance massively.
* Optimization: converts a list of projective points to a list of identical points with Z=1.
*/
export function normalizeZ<P extends CurvePoint<any, P>, PC extends CurvePointCons<P>>(
c: PC,
points: P[]
): P[] {
const invertedZs = FpInvertBatch(
c.Fp,
points.map((p) => p.Z!)
);
return points.map((p, i) => c.fromAffine(p.toAffine(invertedZs[i])));
}
function validateW(W: number, bits: number) {
if (!Number.isSafeInteger(W) || W <= 0 || W > bits)
throw new Error('invalid window size, expected [1..' + bits + '], got W=' + W);
}
/** Internal wNAF opts for specific W and scalarBits */
export type WOpts = {
windows: number;
windowSize: number;
mask: bigint;
maxNumber: number;
shiftBy: bigint;
};
function calcWOpts(W: number, scalarBits: number): WOpts {
validateW(W, scalarBits);
const windows = Math.ceil(scalarBits / W) + 1; // W=8 33. Not 32, because we skip zero
const windowSize = 2 ** (W - 1); // W=8 128. Not 256, because we skip zero
const maxNumber = 2 ** W; // W=8 256
const mask = bitMask(W); // W=8 255 == mask 0b11111111
const shiftBy = BigInt(W); // W=8 8
return { windows, windowSize, mask, maxNumber, shiftBy };
}
function calcOffsets(n: bigint, window: number, wOpts: WOpts) {
const { windowSize, mask, maxNumber, shiftBy } = wOpts;
let wbits = Number(n & mask); // extract W bits.
let nextN = n >> shiftBy; // shift number by W bits.
// What actually happens here:
// const highestBit = Number(mask ^ (mask >> 1n));
// let wbits2 = wbits - 1; // skip zero
// if (wbits2 & highestBit) { wbits2 ^= Number(mask); // (~);
// split if bits > max: +224 => 256-32
if (wbits > windowSize) {
// we skip zero, which means instead of `>= size-1`, we do `> size`
wbits -= maxNumber; // -32, can be maxNumber - wbits, but then we need to set isNeg here.
nextN += _1n; // +256 (carry)
}
const offsetStart = window * windowSize;
const offset = offsetStart + Math.abs(wbits) - 1; // -1 because we skip zero
const isZero = wbits === 0; // is current window slice a 0?
const isNeg = wbits < 0; // is current window slice negative?
const isNegF = window % 2 !== 0; // fake random statement for noise
const offsetF = offsetStart; // fake offset for noise
return { nextN, offset, isZero, isNeg, isNegF, offsetF };
}
function validateMSMPoints(points: any[], c: any) {
if (!Array.isArray(points)) throw new Error('array expected');
points.forEach((p, i) => {
if (!(p instanceof c)) throw new Error('invalid point at index ' + i);
});
}
function validateMSMScalars(scalars: any[], field: any) {
if (!Array.isArray(scalars)) throw new Error('array of scalars expected');
scalars.forEach((s, i) => {
if (!field.isValid(s)) throw new Error('invalid scalar at index ' + i);
});
}
// Since points in different groups cannot be equal (different object constructor),
// we can have single place to store precomputes.
// Allows to make points frozen / immutable.
const pointPrecomputes = new WeakMap<any, any[]>();
const pointWindowSizes = new WeakMap<any, number>();
function getW(P: any): number {
// To disable precomputes:
// return 1;
return pointWindowSizes.get(P) || 1;
}
function assert0(n: bigint): void {
if (n !== _0n) throw new Error('invalid wNAF');
}
/**
* Elliptic curve multiplication of Point by scalar. Fragile.
* Table generation takes **30MB of ram and 10ms on high-end CPU**,
* but may take much longer on slow devices. Actual generation will happen on
* first call of `multiply()`. By default, `BASE` point is precomputed.
*
* Scalars should always be less than curve order: this should be checked inside of a curve itself.
* Creates precomputation tables for fast multiplication:
* - private scalar is split by fixed size windows of W bits
* - every window point is collected from window's table & added to accumulator
* - since windows are different, same point inside tables won't be accessed more than once per calc
* - each multiplication is 'Math.ceil(CURVE_ORDER / 𝑊) + 1' point additions (fixed for any scalar)
* - +1 window is neccessary for wNAF
* - wNAF reduces table size: 2x less memory + 2x faster generation, but 10% slower multiplication
*
* @todo Research returning 2d JS array of windows, instead of a single window.
* This would allow windows to be in different memory locations
*/
export class wNAF<PC extends PC_ANY> {
private readonly BASE: PC_P<PC>;
private readonly ZERO: PC_P<PC>;
private readonly Fn: PC['Fn'];
readonly bits: number;
// Parametrized with a given Point class (not individual point)
constructor(Point: PC, bits: number) {
this.BASE = Point.BASE;
this.ZERO = Point.ZERO;
this.Fn = Point.Fn;
this.bits = bits;
}
// non-const time multiplication ladder
_unsafeLadder(elm: PC_P<PC>, n: bigint, p: PC_P<PC> = this.ZERO): PC_P<PC> {
let d: PC_P<PC> = elm;
while (n > _0n) {
if (n & _1n) p = p.add(d);
d = d.double();
n >>= _1n;
}
return p;
}
/**
* Creates a wNAF precomputation window. Used for caching.
* Default window size is set by `utils.precompute()` and is equal to 8.
* Number of precomputed points depends on the curve size:
* 2^(𝑊1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
* - 𝑊 is the window size
* - 𝑛 is the bitlength of the curve order.
* For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
* @param point Point instance
* @param W window size
* @returns precomputed point tables flattened to a single array
*/
private precomputeWindow(point: PC_P<PC>, W: number): PC_P<PC>[] {
const { windows, windowSize } = calcWOpts(W, this.bits);
const points: PC_P<PC>[] = [];
let p: PC_P<PC> = point;
let base = p;
for (let window = 0; window < windows; window++) {
base = p;
points.push(base);
// i=1, bc we skip 0
for (let i = 1; i < windowSize; i++) {
base = base.add(p);
points.push(base);
}
p = base.double();
}
return points;
}
/**
* Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
* More compact implementation:
* https://github.com/paulmillr/noble-secp256k1/blob/47cb1669b6e506ad66b35fe7d76132ae97465da2/index.ts#L502-L541
* @returns real and fake (for const-time) points
*/
private wNAF(W: number, precomputes: PC_P<PC>[], n: bigint): { p: PC_P<PC>; f: PC_P<PC> } {
// Scalar should be smaller than field order
if (!this.Fn.isValid(n)) throw new Error('invalid scalar');
// Accumulators
let p = this.ZERO;
let f = this.BASE;
// This code was first written with assumption that 'f' and 'p' will never be infinity point:
// since each addition is multiplied by 2 ** W, it cannot cancel each other. However,
// there is negate now: it is possible that negated element from low value
// would be the same as high element, which will create carry into next window.
// It's not obvious how this can fail, but still worth investigating later.
const wo = calcWOpts(W, this.bits);
for (let window = 0; window < wo.windows; window++) {
// (n === _0n) is handled and not early-exited. isEven and offsetF are used for noise
const { nextN, offset, isZero, isNeg, isNegF, offsetF } = calcOffsets(n, window, wo);
n = nextN;
if (isZero) {
// bits are 0: add garbage to fake point
// Important part for const-time getPublicKey: add random "noise" point to f.
f = f.add(negateCt(isNegF, precomputes[offsetF]));
} else {
// bits are 1: add to result point
p = p.add(negateCt(isNeg, precomputes[offset]));
}
}
assert0(n);
// Return both real and fake points: JIT won't eliminate f.
// At this point there is a way to F be infinity-point even if p is not,
// which makes it less const-time: around 1 bigint multiply.
return { p, f };
}
/**
* Implements ec unsafe (non const-time) multiplication using precomputed tables and w-ary non-adjacent form.
* @param acc accumulator point to add result of multiplication
* @returns point
*/
private wNAFUnsafe(
W: number,
precomputes: PC_P<PC>[],
n: bigint,
acc: PC_P<PC> = this.ZERO
): PC_P<PC> {
const wo = calcWOpts(W, this.bits);
for (let window = 0; window < wo.windows; window++) {
if (n === _0n) break; // Early-exit, skip 0 value
const { nextN, offset, isZero, isNeg } = calcOffsets(n, window, wo);
n = nextN;
if (isZero) {
// Window bits are 0: skip processing.
// Move to next window.
continue;
} else {
const item = precomputes[offset];
acc = acc.add(isNeg ? item.negate() : item); // Re-using acc allows to save adds in MSM
}
}
assert0(n);
return acc;
}
private getPrecomputes(W: number, point: PC_P<PC>, transform?: Mapper<PC_P<PC>>): PC_P<PC>[] {
// Calculate precomputes on a first run, reuse them after
let comp = pointPrecomputes.get(point);
if (!comp) {
comp = this.precomputeWindow(point, W) as PC_P<PC>[];
if (W !== 1) {
// Doing transform outside of if brings 15% perf hit
if (typeof transform === 'function') comp = transform(comp);
pointPrecomputes.set(point, comp);
}
}
return comp;
}
cached(
point: PC_P<PC>,
scalar: bigint,
transform?: Mapper<PC_P<PC>>
): { p: PC_P<PC>; f: PC_P<PC> } {
const W = getW(point);
return this.wNAF(W, this.getPrecomputes(W, point, transform), scalar);
}
unsafe(point: PC_P<PC>, scalar: bigint, transform?: Mapper<PC_P<PC>>, prev?: PC_P<PC>): PC_P<PC> {
const W = getW(point);
if (W === 1) return this._unsafeLadder(point, scalar, prev); // For W=1 ladder is ~x2 faster
return this.wNAFUnsafe(W, this.getPrecomputes(W, point, transform), scalar, prev);
}
// We calculate precomputes for elliptic curve point multiplication
// using windowed method. This specifies window size and
// stores precomputed values. Usually only base point would be precomputed.
createCache(P: PC_P<PC>, W: number): void {
validateW(W, this.bits);
pointWindowSizes.set(P, W);
pointPrecomputes.delete(P);
}
hasCache(elm: PC_P<PC>): boolean {
return getW(elm) !== 1;
}
}
/**
* Endomorphism-specific multiplication for Koblitz curves.
* Cost: 128 dbl, 0-256 adds.
*/
export function mulEndoUnsafe<P extends CurvePoint<any, P>, PC extends CurvePointCons<P>>(
Point: PC,
point: P,
k1: bigint,
k2: bigint
): { p1: P; p2: P } {
let acc = point;
let p1 = Point.ZERO;
let p2 = Point.ZERO;
while (k1 > _0n || k2 > _0n) {
if (k1 & _1n) p1 = p1.add(acc);
if (k2 & _1n) p2 = p2.add(acc);
acc = acc.double();
k1 >>= _1n;
k2 >>= _1n;
}
return { p1, p2 };
}
/**
* Pippenger algorithm for multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
* 30x faster vs naive addition on L=4096, 10x faster than precomputes.
* For N=254bit, L=1, it does: 1024 ADD + 254 DBL. For L=5: 1536 ADD + 254 DBL.
* Algorithmically constant-time (for same L), even when 1 point + scalar, or when scalar = 0.
* @param c Curve Point constructor
* @param fieldN field over CURVE.N - important that it's not over CURVE.P
* @param points array of L curve points
* @param scalars array of L scalars (aka secret keys / bigints)
*/
export function pippenger<P extends CurvePoint<any, P>, PC extends CurvePointCons<P>>(
c: PC,
fieldN: IField<bigint>,
points: P[],
scalars: bigint[]
): P {
// If we split scalars by some window (let's say 8 bits), every chunk will only
// take 256 buckets even if there are 4096 scalars, also re-uses double.
// TODO:
// - https://eprint.iacr.org/2024/750.pdf
// - https://tches.iacr.org/index.php/TCHES/article/view/10287
// 0 is accepted in scalars
validateMSMPoints(points, c);
validateMSMScalars(scalars, fieldN);
const plength = points.length;
const slength = scalars.length;
if (plength !== slength) throw new Error('arrays of points and scalars must have equal length');
// if (plength === 0) throw new Error('array must be of length >= 2');
const zero = c.ZERO;
const wbits = bitLen(BigInt(plength));
let windowSize = 1; // bits
if (wbits > 12) windowSize = wbits - 3;
else if (wbits > 4) windowSize = wbits - 2;
else if (wbits > 0) windowSize = 2;
const MASK = bitMask(windowSize);
const buckets = new Array(Number(MASK) + 1).fill(zero); // +1 for zero array
const lastBits = Math.floor((fieldN.BITS - 1) / windowSize) * windowSize;
let sum = zero;
for (let i = lastBits; i >= 0; i -= windowSize) {
buckets.fill(zero);
for (let j = 0; j < slength; j++) {
const scalar = scalars[j];
const wbits = Number((scalar >> BigInt(i)) & MASK);
buckets[wbits] = buckets[wbits].add(points[j]);
}
let resI = zero; // not using this will do small speed-up, but will lose ct
// Skip first bucket, because it is zero
for (let j = buckets.length - 1, sumI = zero; j > 0; j--) {
sumI = sumI.add(buckets[j]);
resI = resI.add(sumI);
}
sum = sum.add(resI);
if (i !== 0) for (let j = 0; j < windowSize; j++) sum = sum.double();
}
return sum as P;
}
/**
* Precomputed multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
* @param c Curve Point constructor
* @param fieldN field over CURVE.N - important that it's not over CURVE.P
* @param points array of L curve points
* @returns function which multiplies points with scaars
*/
export function precomputeMSMUnsafe<P extends CurvePoint<any, P>, PC extends CurvePointCons<P>>(
c: PC,
fieldN: IField<bigint>,
points: P[],
windowSize: number
): (scalars: bigint[]) => P {
/**
* Performance Analysis of Window-based Precomputation
*
* Base Case (256-bit scalar, 8-bit window):
* - Standard precomputation requires:
* - 31 additions per scalar × 256 scalars = 7,936 ops
* - Plus 255 summary additions = 8,191 total ops
* Note: Summary additions can be optimized via accumulator
*
* Chunked Precomputation Analysis:
* - Using 32 chunks requires:
* - 255 additions per chunk
* - 256 doublings
* - Total: (255 × 32) + 256 = 8,416 ops
*
* Memory Usage Comparison:
* Window Size | Standard Points | Chunked Points
* ------------|-----------------|---------------
* 4-bit | 520 | 15
* 8-bit | 4,224 | 255
* 10-bit | 13,824 | 1,023
* 16-bit | 557,056 | 65,535
*
* Key Advantages:
* 1. Enables larger window sizes due to reduced memory overhead
* 2. More efficient for smaller scalar counts:
* - 16 chunks: (16 × 255) + 256 = 4,336 ops
* - ~2x faster than standard 8,191 ops
*
* Limitations:
* - Not suitable for plain precomputes (requires 256 constant doublings)
* - Performance degrades with larger scalar counts:
* - Optimal for ~256 scalars
* - Less efficient for 4096+ scalars (Pippenger preferred)
*/
validateW(windowSize, fieldN.BITS);
validateMSMPoints(points, c);
const zero = c.ZERO;
const tableSize = 2 ** windowSize - 1; // table size (without zero)
const chunks = Math.ceil(fieldN.BITS / windowSize); // chunks of item
const MASK = bitMask(windowSize);
const tables = points.map((p: P) => {
const res = [];
for (let i = 0, acc = p; i < tableSize; i++) {
res.push(acc);
acc = acc.add(p);
}
return res;
});
return (scalars: bigint[]): P => {
validateMSMScalars(scalars, fieldN);
if (scalars.length > points.length)
throw new Error('array of scalars must be smaller than array of points');
let res = zero;
for (let i = 0; i < chunks; i++) {
// No need to double if accumulator is still zero.
if (res !== zero) for (let j = 0; j < windowSize; j++) res = res.double();
const shiftBy = BigInt(chunks * windowSize - (i + 1) * windowSize);
for (let j = 0; j < scalars.length; j++) {
const n = scalars[j];
const curr = Number((n >> shiftBy) & MASK);
if (!curr) continue; // skip zero scalars chunks
res = res.add(tables[j][curr - 1]);
}
}
return res;
};
}
// TODO: remove
/**
* Generic BasicCurve interface: works even for polynomial fields (BLS): P, n, h would be ok.
* Though generator can be different (Fp2 / Fp6 for BLS).
*/
export type BasicCurve<T> = {
Fp: IField<T>; // Field over which we'll do calculations (Fp)
n: bigint; // Curve order, total count of valid points in the field
nBitLength?: number; // bit length of curve order
nByteLength?: number; // byte length of curve order
h: bigint; // cofactor. we can assign default=1, but users will just ignore it w/o validation
hEff?: bigint; // Number to multiply to clear cofactor
Gx: T; // base point X coordinate
Gy: T; // base point Y coordinate
allowInfinityPoint?: boolean; // bls12-381 requires it. ZERO point is valid, but invalid pubkey
};
// TODO: remove
/** @deprecated */
export function validateBasic<FP, T>(
curve: BasicCurve<FP> & T
): Readonly<
{
readonly nBitLength: number;
readonly nByteLength: number;
} & BasicCurve<FP> &
T & {
p: bigint;
}
> {
validateField(curve.Fp);
validateObject(
curve,
{
n: 'bigint',
h: 'bigint',
Gx: 'field',
Gy: 'field',
},
{
nBitLength: 'isSafeInteger',
nByteLength: 'isSafeInteger',
}
);
// Set defaults
return Object.freeze({
...nLength(curve.n, curve.nBitLength),
...curve,
...{ p: curve.Fp.ORDER },
} as const);
}
export type ValidCurveParams<T> = {
p: bigint;
n: bigint;
h: bigint;
a: T;
b?: T;
d?: T;
Gx: T;
Gy: T;
};
function createField<T>(order: bigint, field?: IField<T>, isLE?: boolean): IField<T> {
if (field) {
if (field.ORDER !== order) throw new Error('Field.ORDER must match order: Fp == p, Fn == n');
validateField(field);
return field;
} else {
return Field(order, { isLE }) as unknown as IField<T>;
}
}
export type FpFn<T> = { Fp: IField<T>; Fn: IField<bigint> };
/** Validates CURVE opts and creates fields */
export function _createCurveFields<T>(
type: 'weierstrass' | 'edwards',
CURVE: ValidCurveParams<T>,
curveOpts: Partial<FpFn<T>> = {},
FpFnLE?: boolean
): FpFn<T> & { CURVE: ValidCurveParams<T> } {
if (FpFnLE === undefined) FpFnLE = type === 'edwards';
if (!CURVE || typeof CURVE !== 'object') throw new Error(`expected valid ${type} CURVE object`);
for (const p of ['p', 'n', 'h'] as const) {
const val = CURVE[p];
if (!(typeof val === 'bigint' && val > _0n))
throw new Error(`CURVE.${p} must be positive bigint`);
}
const Fp = createField(CURVE.p, curveOpts.Fp, FpFnLE);
const Fn = createField(CURVE.n, curveOpts.Fn, FpFnLE);
const _b: 'b' | 'd' = type === 'weierstrass' ? 'b' : 'd';
const params = ['Gx', 'Gy', 'a', _b] as const;
for (const p of params) {
// @ts-ignore
if (!Fp.isValid(CURVE[p]))
throw new Error(`CURVE.${p} must be valid field element of CURVE.Fp`);
}
CURVE = Object.freeze(Object.assign({}, CURVE));
return { CURVE, Fp, Fn };
}

914
node_modules/@noble/curves/src/abstract/edwards.ts generated vendored Normal file
View File

@@ -0,0 +1,914 @@
/**
* Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y².
* For design rationale of types / exports, see weierstrass module documentation.
* Untwisted Edwards curves exist, but they aren't used in real-world protocols.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import {
_validateObject,
_abool2 as abool,
_abytes2 as abytes,
aInRange,
bytesToHex,
bytesToNumberLE,
concatBytes,
copyBytes,
ensureBytes,
isBytes,
memoized,
notImplemented,
randomBytes as randomBytesWeb,
type FHash,
type Hex,
} from '../utils.ts';
import {
_createCurveFields,
normalizeZ,
pippenger,
wNAF,
type AffinePoint,
type BasicCurve,
type CurveLengths,
type CurvePoint,
type CurvePointCons,
} from './curve.ts';
import { Field, type IField, type NLength } from './modular.ts';
// Be friendly to bad ECMAScript parsers by not using bigint literals
// prettier-ignore
const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _8n = BigInt(8);
export type UVRatio = (u: bigint, v: bigint) => { isValid: boolean; value: bigint };
/** Instance of Extended Point with coordinates in X, Y, Z, T. */
export interface EdwardsPoint extends CurvePoint<bigint, EdwardsPoint> {
/** extended X coordinate. Different from affine x. */
readonly X: bigint;
/** extended Y coordinate. Different from affine y. */
readonly Y: bigint;
/** extended Z coordinate */
readonly Z: bigint;
/** extended T coordinate */
readonly T: bigint;
/** @deprecated use `toBytes` */
toRawBytes(): Uint8Array;
/** @deprecated use `p.precompute(windowSize)` */
_setWindowSize(windowSize: number): void;
/** @deprecated use .X */
readonly ex: bigint;
/** @deprecated use .Y */
readonly ey: bigint;
/** @deprecated use .Z */
readonly ez: bigint;
/** @deprecated use .T */
readonly et: bigint;
}
/** Static methods of Extended Point with coordinates in X, Y, Z, T. */
export interface EdwardsPointCons extends CurvePointCons<EdwardsPoint> {
new (X: bigint, Y: bigint, Z: bigint, T: bigint): EdwardsPoint;
CURVE(): EdwardsOpts;
fromBytes(bytes: Uint8Array, zip215?: boolean): EdwardsPoint;
fromHex(hex: Hex, zip215?: boolean): EdwardsPoint;
/** @deprecated use `import { pippenger } from '@noble/curves/abstract/curve.js';` */
msm(points: EdwardsPoint[], scalars: bigint[]): EdwardsPoint;
}
/** @deprecated use EdwardsPoint */
export type ExtPointType = EdwardsPoint;
/** @deprecated use EdwardsPointCons */
export type ExtPointConstructor = EdwardsPointCons;
/**
* Twisted Edwards curve options.
*
* * a: formula param
* * d: formula param
* * p: prime characteristic (order) of finite field, in which arithmetics is done
* * n: order of prime subgroup a.k.a total amount of valid curve points
* * h: cofactor. h*n is group order; n is subgroup order
* * Gx: x coordinate of generator point a.k.a. base point
* * Gy: y coordinate of generator point
*/
export type EdwardsOpts = Readonly<{
p: bigint;
n: bigint;
h: bigint;
a: bigint;
d: bigint;
Gx: bigint;
Gy: bigint;
}>;
/**
* Extra curve options for Twisted Edwards.
*
* * Fp: redefined Field over curve.p
* * Fn: redefined Field over curve.n
* * uvRatio: helper function for decompression, calculating √(u/v)
*/
export type EdwardsExtraOpts = Partial<{
Fp: IField<bigint>;
Fn: IField<bigint>;
FpFnLE: boolean;
uvRatio: (u: bigint, v: bigint) => { isValid: boolean; value: bigint };
}>;
/**
* EdDSA (Edwards Digital Signature algorithm) options.
*
* * hash: hash function used to hash secret keys and messages
* * adjustScalarBytes: clears bits to get valid field element
* * domain: Used for hashing
* * mapToCurve: for hash-to-curve standard
* * prehash: RFC 8032 pre-hashing of messages to sign() / verify()
* * randomBytes: function generating random bytes, used for randomSecretKey
*/
export type EdDSAOpts = Partial<{
adjustScalarBytes: (bytes: Uint8Array) => Uint8Array;
domain: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array;
mapToCurve: (scalar: bigint[]) => AffinePoint<bigint>;
prehash: FHash;
randomBytes: (bytesLength?: number) => Uint8Array;
}>;
/**
* EdDSA (Edwards Digital Signature algorithm) interface.
*
* Allows to create and verify signatures, create public and secret keys.
*/
export interface EdDSA {
keygen: (seed?: Uint8Array) => { secretKey: Uint8Array; publicKey: Uint8Array };
getPublicKey: (secretKey: Hex) => Uint8Array;
sign: (message: Hex, secretKey: Hex, options?: { context?: Hex }) => Uint8Array;
verify: (
sig: Hex,
message: Hex,
publicKey: Hex,
options?: { context?: Hex; zip215: boolean }
) => boolean;
Point: EdwardsPointCons;
utils: {
randomSecretKey: (seed?: Uint8Array) => Uint8Array;
isValidSecretKey: (secretKey: Uint8Array) => boolean;
isValidPublicKey: (publicKey: Uint8Array, zip215?: boolean) => boolean;
/**
* Converts ed public key to x public key.
*
* There is NO `fromMontgomery`:
* - There are 2 valid ed25519 points for every x25519, with flipped coordinate
* - Sometimes there are 0 valid ed25519 points, because x25519 *additionally*
* accepts inputs on the quadratic twist, which can't be moved to ed25519
*
* @example
* ```js
* const someonesPub = ed25519.getPublicKey(ed25519.utils.randomSecretKey());
* const aPriv = x25519.utils.randomSecretKey();
* x25519.getSharedSecret(aPriv, ed25519.utils.toMontgomery(someonesPub))
* ```
*/
toMontgomery: (publicKey: Uint8Array) => Uint8Array;
/**
* Converts ed secret key to x secret key.
* @example
* ```js
* const someonesPub = x25519.getPublicKey(x25519.utils.randomSecretKey());
* const aPriv = ed25519.utils.randomSecretKey();
* x25519.getSharedSecret(ed25519.utils.toMontgomerySecret(aPriv), someonesPub)
* ```
*/
toMontgomerySecret: (privateKey: Uint8Array) => Uint8Array;
getExtendedPublicKey: (key: Hex) => {
head: Uint8Array;
prefix: Uint8Array;
scalar: bigint;
point: EdwardsPoint;
pointBytes: Uint8Array;
};
/** @deprecated use `randomSecretKey` */
randomPrivateKey: (seed?: Uint8Array) => Uint8Array;
/** @deprecated use `point.precompute()` */
precompute: (windowSize?: number, point?: EdwardsPoint) => EdwardsPoint;
};
lengths: CurveLengths;
}
function isEdValidXY(Fp: IField<bigint>, CURVE: EdwardsOpts, x: bigint, y: bigint): boolean {
const x2 = Fp.sqr(x);
const y2 = Fp.sqr(y);
const left = Fp.add(Fp.mul(CURVE.a, x2), y2);
const right = Fp.add(Fp.ONE, Fp.mul(CURVE.d, Fp.mul(x2, y2)));
return Fp.eql(left, right);
}
export function edwards(params: EdwardsOpts, extraOpts: EdwardsExtraOpts = {}): EdwardsPointCons {
const validated = _createCurveFields('edwards', params, extraOpts, extraOpts.FpFnLE);
const { Fp, Fn } = validated;
let CURVE = validated.CURVE as EdwardsOpts;
const { h: cofactor } = CURVE;
_validateObject(extraOpts, {}, { uvRatio: 'function' });
// Important:
// There are some places where Fp.BYTES is used instead of nByteLength.
// So far, everything has been tested with curves of Fp.BYTES == nByteLength.
// TODO: test and find curves which behave otherwise.
const MASK = _2n << (BigInt(Fn.BYTES * 8) - _1n);
const modP = (n: bigint) => Fp.create(n); // Function overrides
// sqrt(u/v)
const uvRatio =
extraOpts.uvRatio ||
((u: bigint, v: bigint) => {
try {
return { isValid: true, value: Fp.sqrt(Fp.div(u, v)) };
} catch (e) {
return { isValid: false, value: _0n };
}
});
// Validate whether the passed curve params are valid.
// equation ax² + y² = 1 + dx²y² should work for generator point.
if (!isEdValidXY(Fp, CURVE, CURVE.Gx, CURVE.Gy))
throw new Error('bad curve params: generator point');
/**
* Asserts coordinate is valid: 0 <= n < MASK.
* Coordinates >= Fp.ORDER are allowed for zip215.
*/
function acoord(title: string, n: bigint, banZero = false) {
const min = banZero ? _1n : _0n;
aInRange('coordinate ' + title, n, min, MASK);
return n;
}
function aextpoint(other: unknown) {
if (!(other instanceof Point)) throw new Error('ExtendedPoint expected');
}
// Converts Extended point to default (x, y) coordinates.
// Can accept precomputed Z^-1 - for example, from invertBatch.
const toAffineMemo = memoized((p: Point, iz?: bigint): AffinePoint<bigint> => {
const { X, Y, Z } = p;
const is0 = p.is0();
if (iz == null) iz = is0 ? _8n : (Fp.inv(Z) as bigint); // 8 was chosen arbitrarily
const x = modP(X * iz);
const y = modP(Y * iz);
const zz = Fp.mul(Z, iz);
if (is0) return { x: _0n, y: _1n };
if (zz !== _1n) throw new Error('invZ was invalid');
return { x, y };
});
const assertValidMemo = memoized((p: Point) => {
const { a, d } = CURVE;
if (p.is0()) throw new Error('bad point: ZERO'); // TODO: optimize, with vars below?
// Equation in affine coordinates: ax² + y² = 1 + dx²y²
// Equation in projective coordinates (X/Z, Y/Z, Z): (aX² + Y²)Z² = Z⁴ + dX²Y²
const { X, Y, Z, T } = p;
const X2 = modP(X * X); // X²
const Y2 = modP(Y * Y); // Y²
const Z2 = modP(Z * Z); // Z²
const Z4 = modP(Z2 * Z2); // Z⁴
const aX2 = modP(X2 * a); // aX²
const left = modP(Z2 * modP(aX2 + Y2)); // (aX² + Y²)Z²
const right = modP(Z4 + modP(d * modP(X2 * Y2))); // Z⁴ + dX²Y²
if (left !== right) throw new Error('bad point: equation left != right (1)');
// In Extended coordinates we also have T, which is x*y=T/Z: check X*Y == Z*T
const XY = modP(X * Y);
const ZT = modP(Z * T);
if (XY !== ZT) throw new Error('bad point: equation left != right (2)');
return true;
});
// Extended Point works in extended coordinates: (X, Y, Z, T) ∋ (x=X/Z, y=Y/Z, T=xy).
// https://en.wikipedia.org/wiki/Twisted_Edwards_curve#Extended_coordinates
class Point implements EdwardsPoint {
// base / generator point
static readonly BASE = new Point(CURVE.Gx, CURVE.Gy, _1n, modP(CURVE.Gx * CURVE.Gy));
// zero / infinity / identity point
static readonly ZERO = new Point(_0n, _1n, _1n, _0n); // 0, 1, 1, 0
// math field
static readonly Fp = Fp;
// scalar field
static readonly Fn = Fn;
readonly X: bigint;
readonly Y: bigint;
readonly Z: bigint;
readonly T: bigint;
constructor(X: bigint, Y: bigint, Z: bigint, T: bigint) {
this.X = acoord('x', X);
this.Y = acoord('y', Y);
this.Z = acoord('z', Z, true);
this.T = acoord('t', T);
Object.freeze(this);
}
static CURVE(): EdwardsOpts {
return CURVE;
}
static fromAffine(p: AffinePoint<bigint>): Point {
if (p instanceof Point) throw new Error('extended point not allowed');
const { x, y } = p || {};
acoord('x', x);
acoord('y', y);
return new Point(x, y, _1n, modP(x * y));
}
// Uses algo from RFC8032 5.1.3.
static fromBytes(bytes: Uint8Array, zip215 = false): Point {
const len = Fp.BYTES;
const { a, d } = CURVE;
bytes = copyBytes(abytes(bytes, len, 'point'));
abool(zip215, 'zip215');
const normed = copyBytes(bytes); // copy again, we'll manipulate it
const lastByte = bytes[len - 1]; // select last byte
normed[len - 1] = lastByte & ~0x80; // clear last bit
const y = bytesToNumberLE(normed);
// zip215=true is good for consensus-critical apps. =false follows RFC8032 / NIST186-5.
// RFC8032 prohibits >= p, but ZIP215 doesn't
// zip215=true: 0 <= y < MASK (2^256 for ed25519)
// zip215=false: 0 <= y < P (2^255-19 for ed25519)
const max = zip215 ? MASK : Fp.ORDER;
aInRange('point.y', y, _0n, max);
// Ed25519: x² = (y²-1)/(dy²+1) mod p. Ed448: x² = (y²-1)/(dy²-1) mod p. Generic case:
// ax²+y²=1+dx²y² => y²-1=dx²y²-ax² => y²-1=x²(dy²-a) => x²=(y²-1)/(dy²-a)
const y2 = modP(y * y); // denominator is always non-0 mod p.
const u = modP(y2 - _1n); // u = y² - 1
const v = modP(d * y2 - a); // v = d y² + 1.
let { isValid, value: x } = uvRatio(u, v); // √(u/v)
if (!isValid) throw new Error('bad point: invalid y coordinate');
const isXOdd = (x & _1n) === _1n; // There are 2 square roots. Use x_0 bit to select proper
const isLastByteOdd = (lastByte & 0x80) !== 0; // x_0, last bit
if (!zip215 && x === _0n && isLastByteOdd)
// if x=0 and x_0 = 1, fail
throw new Error('bad point: x=0 and x_0=1');
if (isLastByteOdd !== isXOdd) x = modP(-x); // if x_0 != x mod 2, set x = p-x
return Point.fromAffine({ x, y });
}
static fromHex(bytes: Uint8Array, zip215 = false): Point {
return Point.fromBytes(ensureBytes('point', bytes), zip215);
}
get x(): bigint {
return this.toAffine().x;
}
get y(): bigint {
return this.toAffine().y;
}
precompute(windowSize: number = 8, isLazy = true) {
wnaf.createCache(this, windowSize);
if (!isLazy) this.multiply(_2n); // random number
return this;
}
// Useful in fromAffine() - not for fromBytes(), which always created valid points.
assertValidity(): void {
assertValidMemo(this);
}
// Compare one point to another.
equals(other: Point): boolean {
aextpoint(other);
const { X: X1, Y: Y1, Z: Z1 } = this;
const { X: X2, Y: Y2, Z: Z2 } = other;
const X1Z2 = modP(X1 * Z2);
const X2Z1 = modP(X2 * Z1);
const Y1Z2 = modP(Y1 * Z2);
const Y2Z1 = modP(Y2 * Z1);
return X1Z2 === X2Z1 && Y1Z2 === Y2Z1;
}
is0(): boolean {
return this.equals(Point.ZERO);
}
negate(): Point {
// Flips point sign to a negative one (-x, y in affine coords)
return new Point(modP(-this.X), this.Y, this.Z, modP(-this.T));
}
// Fast algo for doubling Extended Point.
// https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#doubling-dbl-2008-hwcd
// Cost: 4M + 4S + 1*a + 6add + 1*2.
double(): Point {
const { a } = CURVE;
const { X: X1, Y: Y1, Z: Z1 } = this;
const A = modP(X1 * X1); // A = X12
const B = modP(Y1 * Y1); // B = Y12
const C = modP(_2n * modP(Z1 * Z1)); // C = 2*Z12
const D = modP(a * A); // D = a*A
const x1y1 = X1 + Y1;
const E = modP(modP(x1y1 * x1y1) - A - B); // E = (X1+Y1)2-A-B
const G = D + B; // G = D+B
const F = G - C; // F = G-C
const H = D - B; // H = D-B
const X3 = modP(E * F); // X3 = E*F
const Y3 = modP(G * H); // Y3 = G*H
const T3 = modP(E * H); // T3 = E*H
const Z3 = modP(F * G); // Z3 = F*G
return new Point(X3, Y3, Z3, T3);
}
// Fast algo for adding 2 Extended Points.
// https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd
// Cost: 9M + 1*a + 1*d + 7add.
add(other: Point) {
aextpoint(other);
const { a, d } = CURVE;
const { X: X1, Y: Y1, Z: Z1, T: T1 } = this;
const { X: X2, Y: Y2, Z: Z2, T: T2 } = other;
const A = modP(X1 * X2); // A = X1*X2
const B = modP(Y1 * Y2); // B = Y1*Y2
const C = modP(T1 * d * T2); // C = T1*d*T2
const D = modP(Z1 * Z2); // D = Z1*Z2
const E = modP((X1 + Y1) * (X2 + Y2) - A - B); // E = (X1+Y1)*(X2+Y2)-A-B
const F = D - C; // F = D-C
const G = D + C; // G = D+C
const H = modP(B - a * A); // H = B-a*A
const X3 = modP(E * F); // X3 = E*F
const Y3 = modP(G * H); // Y3 = G*H
const T3 = modP(E * H); // T3 = E*H
const Z3 = modP(F * G); // Z3 = F*G
return new Point(X3, Y3, Z3, T3);
}
subtract(other: Point): Point {
return this.add(other.negate());
}
// Constant-time multiplication.
multiply(scalar: bigint): Point {
// 1 <= scalar < L
if (!Fn.isValidNot0(scalar)) throw new Error('invalid scalar: expected 1 <= sc < curve.n');
const { p, f } = wnaf.cached(this, scalar, (p) => normalizeZ(Point, p));
return normalizeZ(Point, [p, f])[0];
}
// Non-constant-time multiplication. Uses double-and-add algorithm.
// It's faster, but should only be used when you don't care about
// an exposed private key e.g. sig verification.
// Does NOT allow scalars higher than CURVE.n.
// Accepts optional accumulator to merge with multiply (important for sparse scalars)
multiplyUnsafe(scalar: bigint, acc = Point.ZERO): Point {
// 0 <= scalar < L
if (!Fn.isValid(scalar)) throw new Error('invalid scalar: expected 0 <= sc < curve.n');
if (scalar === _0n) return Point.ZERO;
if (this.is0() || scalar === _1n) return this;
return wnaf.unsafe(this, scalar, (p) => normalizeZ(Point, p), acc);
}
// Checks if point is of small order.
// If you add something to small order point, you will have "dirty"
// point with torsion component.
// Multiplies point by cofactor and checks if the result is 0.
isSmallOrder(): boolean {
return this.multiplyUnsafe(cofactor).is0();
}
// Multiplies point by curve order and checks if the result is 0.
// Returns `false` is the point is dirty.
isTorsionFree(): boolean {
return wnaf.unsafe(this, CURVE.n).is0();
}
// Converts Extended point to default (x, y) coordinates.
// Can accept precomputed Z^-1 - for example, from invertBatch.
toAffine(invertedZ?: bigint): AffinePoint<bigint> {
return toAffineMemo(this, invertedZ);
}
clearCofactor(): Point {
if (cofactor === _1n) return this;
return this.multiplyUnsafe(cofactor);
}
toBytes(): Uint8Array {
const { x, y } = this.toAffine();
// Fp.toBytes() allows non-canonical encoding of y (>= p).
const bytes = Fp.toBytes(y);
// Each y has 2 valid points: (x, y), (x,-y).
// When compressing, it's enough to store y and use the last byte to encode sign of x
bytes[bytes.length - 1] |= x & _1n ? 0x80 : 0;
return bytes;
}
toHex(): string {
return bytesToHex(this.toBytes());
}
toString() {
return `<Point ${this.is0() ? 'ZERO' : this.toHex()}>`;
}
// TODO: remove
get ex(): bigint {
return this.X;
}
get ey(): bigint {
return this.Y;
}
get ez(): bigint {
return this.Z;
}
get et(): bigint {
return this.T;
}
static normalizeZ(points: Point[]): Point[] {
return normalizeZ(Point, points);
}
static msm(points: Point[], scalars: bigint[]): Point {
return pippenger(Point, Fn, points, scalars);
}
_setWindowSize(windowSize: number) {
this.precompute(windowSize);
}
toRawBytes(): Uint8Array {
return this.toBytes();
}
}
const wnaf = new wNAF(Point, Fn.BITS);
Point.BASE.precompute(8); // Enable precomputes. Slows down first publicKey computation by 20ms.
return Point;
}
/**
* Base class for prime-order points like Ristretto255 and Decaf448.
* These points eliminate cofactor issues by representing equivalence classes
* of Edwards curve points.
*/
export abstract class PrimeEdwardsPoint<T extends PrimeEdwardsPoint<T>>
implements CurvePoint<bigint, T>
{
static BASE: PrimeEdwardsPoint<any>;
static ZERO: PrimeEdwardsPoint<any>;
static Fp: IField<bigint>;
static Fn: IField<bigint>;
protected readonly ep: EdwardsPoint;
constructor(ep: EdwardsPoint) {
this.ep = ep;
}
// Abstract methods that must be implemented by subclasses
abstract toBytes(): Uint8Array;
abstract equals(other: T): boolean;
// Static methods that must be implemented by subclasses
static fromBytes(_bytes: Uint8Array): any {
notImplemented();
}
static fromHex(_hex: Hex): any {
notImplemented();
}
get x(): bigint {
return this.toAffine().x;
}
get y(): bigint {
return this.toAffine().y;
}
// Common implementations
clearCofactor(): T {
// no-op for prime-order groups
return this as any;
}
assertValidity(): void {
this.ep.assertValidity();
}
toAffine(invertedZ?: bigint): AffinePoint<bigint> {
return this.ep.toAffine(invertedZ);
}
toHex(): string {
return bytesToHex(this.toBytes());
}
toString(): string {
return this.toHex();
}
isTorsionFree(): boolean {
return true;
}
isSmallOrder(): boolean {
return false;
}
add(other: T): T {
this.assertSame(other);
return this.init(this.ep.add(other.ep));
}
subtract(other: T): T {
this.assertSame(other);
return this.init(this.ep.subtract(other.ep));
}
multiply(scalar: bigint): T {
return this.init(this.ep.multiply(scalar));
}
multiplyUnsafe(scalar: bigint): T {
return this.init(this.ep.multiplyUnsafe(scalar));
}
double(): T {
return this.init(this.ep.double());
}
negate(): T {
return this.init(this.ep.negate());
}
precompute(windowSize?: number, isLazy?: boolean): T {
return this.init(this.ep.precompute(windowSize, isLazy));
}
// Helper methods
abstract is0(): boolean;
protected abstract assertSame(other: T): void;
protected abstract init(ep: EdwardsPoint): T;
/** @deprecated use `toBytes` */
toRawBytes(): Uint8Array {
return this.toBytes();
}
}
/**
* Initializes EdDSA signatures over given Edwards curve.
*/
export function eddsa(Point: EdwardsPointCons, cHash: FHash, eddsaOpts: EdDSAOpts = {}): EdDSA {
if (typeof cHash !== 'function') throw new Error('"hash" function param is required');
_validateObject(
eddsaOpts,
{},
{
adjustScalarBytes: 'function',
randomBytes: 'function',
domain: 'function',
prehash: 'function',
mapToCurve: 'function',
}
);
const { prehash } = eddsaOpts;
const { BASE, Fp, Fn } = Point;
const randomBytes = eddsaOpts.randomBytes || randomBytesWeb;
const adjustScalarBytes = eddsaOpts.adjustScalarBytes || ((bytes: Uint8Array) => bytes);
const domain =
eddsaOpts.domain ||
((data: Uint8Array, ctx: Uint8Array, phflag: boolean) => {
abool(phflag, 'phflag');
if (ctx.length || phflag) throw new Error('Contexts/pre-hash are not supported');
return data;
}); // NOOP
// Little-endian SHA512 with modulo n
function modN_LE(hash: Uint8Array): bigint {
return Fn.create(bytesToNumberLE(hash)); // Not Fn.fromBytes: it has length limit
}
// Get the hashed private scalar per RFC8032 5.1.5
function getPrivateScalar(key: Hex) {
const len = lengths.secretKey;
key = ensureBytes('private key', key, len);
// Hash private key with curve's hash function to produce uniformingly random input
// Check byte lengths: ensure(64, h(ensure(32, key)))
const hashed = ensureBytes('hashed private key', cHash(key), 2 * len);
const head = adjustScalarBytes(hashed.slice(0, len)); // clear first half bits, produce FE
const prefix = hashed.slice(len, 2 * len); // second half is called key prefix (5.1.6)
const scalar = modN_LE(head); // The actual private scalar
return { head, prefix, scalar };
}
/** Convenience method that creates public key from scalar. RFC8032 5.1.5 */
function getExtendedPublicKey(secretKey: Hex) {
const { head, prefix, scalar } = getPrivateScalar(secretKey);
const point = BASE.multiply(scalar); // Point on Edwards curve aka public key
const pointBytes = point.toBytes();
return { head, prefix, scalar, point, pointBytes };
}
/** Calculates EdDSA pub key. RFC8032 5.1.5. */
function getPublicKey(secretKey: Hex): Uint8Array {
return getExtendedPublicKey(secretKey).pointBytes;
}
// int('LE', SHA512(dom2(F, C) || msgs)) mod N
function hashDomainToScalar(context: Hex = Uint8Array.of(), ...msgs: Uint8Array[]) {
const msg = concatBytes(...msgs);
return modN_LE(cHash(domain(msg, ensureBytes('context', context), !!prehash)));
}
/** Signs message with privateKey. RFC8032 5.1.6 */
function sign(msg: Hex, secretKey: Hex, options: { context?: Hex } = {}): Uint8Array {
msg = ensureBytes('message', msg);
if (prehash) msg = prehash(msg); // for ed25519ph etc.
const { prefix, scalar, pointBytes } = getExtendedPublicKey(secretKey);
const r = hashDomainToScalar(options.context, prefix, msg); // r = dom2(F, C) || prefix || PH(M)
const R = BASE.multiply(r).toBytes(); // R = rG
const k = hashDomainToScalar(options.context, R, pointBytes, msg); // R || A || PH(M)
const s = Fn.create(r + k * scalar); // S = (r + k * s) mod L
if (!Fn.isValid(s)) throw new Error('sign failed: invalid s'); // 0 <= s < L
const rs = concatBytes(R, Fn.toBytes(s));
return abytes(rs, lengths.signature, 'result');
}
// verification rule is either zip215 or rfc8032 / nist186-5. Consult fromHex:
const verifyOpts: { context?: Hex; zip215?: boolean } = { zip215: true };
/**
* Verifies EdDSA signature against message and public key. RFC8032 5.1.7.
* An extended group equation is checked.
*/
function verify(sig: Hex, msg: Hex, publicKey: Hex, options = verifyOpts): boolean {
const { context, zip215 } = options;
const len = lengths.signature;
sig = ensureBytes('signature', sig, len);
msg = ensureBytes('message', msg);
publicKey = ensureBytes('publicKey', publicKey, lengths.publicKey);
if (zip215 !== undefined) abool(zip215, 'zip215');
if (prehash) msg = prehash(msg); // for ed25519ph, etc
const mid = len / 2;
const r = sig.subarray(0, mid);
const s = bytesToNumberLE(sig.subarray(mid, len));
let A, R, SB;
try {
// zip215=true is good for consensus-critical apps. =false follows RFC8032 / NIST186-5.
// zip215=true: 0 <= y < MASK (2^256 for ed25519)
// zip215=false: 0 <= y < P (2^255-19 for ed25519)
A = Point.fromBytes(publicKey, zip215);
R = Point.fromBytes(r, zip215);
SB = BASE.multiplyUnsafe(s); // 0 <= s < l is done inside
} catch (error) {
return false;
}
if (!zip215 && A.isSmallOrder()) return false; // zip215 allows public keys of small order
const k = hashDomainToScalar(context, R.toBytes(), A.toBytes(), msg);
const RkA = R.add(A.multiplyUnsafe(k));
// Extended group equation
// [8][S]B = [8]R + [8][k]A'
return RkA.subtract(SB).clearCofactor().is0();
}
const _size = Fp.BYTES; // 32 for ed25519, 57 for ed448
const lengths = {
secretKey: _size,
publicKey: _size,
signature: 2 * _size,
seed: _size,
};
function randomSecretKey(seed = randomBytes(lengths.seed)): Uint8Array {
return abytes(seed, lengths.seed, 'seed');
}
function keygen(seed?: Uint8Array) {
const secretKey = utils.randomSecretKey(seed);
return { secretKey, publicKey: getPublicKey(secretKey) };
}
function isValidSecretKey(key: Uint8Array): boolean {
return isBytes(key) && key.length === Fn.BYTES;
}
function isValidPublicKey(key: Uint8Array, zip215?: boolean): boolean {
try {
return !!Point.fromBytes(key, zip215);
} catch (error) {
return false;
}
}
const utils = {
getExtendedPublicKey,
randomSecretKey,
isValidSecretKey,
isValidPublicKey,
/**
* Converts ed public key to x public key. Uses formula:
* - ed25519:
* - `(u, v) = ((1+y)/(1-y), sqrt(-486664)*u/x)`
* - `(x, y) = (sqrt(-486664)*u/v, (u-1)/(u+1))`
* - ed448:
* - `(u, v) = ((y-1)/(y+1), sqrt(156324)*u/x)`
* - `(x, y) = (sqrt(156324)*u/v, (1+u)/(1-u))`
*/
toMontgomery(publicKey: Uint8Array): Uint8Array {
const { y } = Point.fromBytes(publicKey);
const size = lengths.publicKey;
const is25519 = size === 32;
if (!is25519 && size !== 57) throw new Error('only defined for 25519 and 448');
const u = is25519 ? Fp.div(_1n + y, _1n - y) : Fp.div(y - _1n, y + _1n);
return Fp.toBytes(u);
},
toMontgomerySecret(secretKey: Uint8Array): Uint8Array {
const size = lengths.secretKey;
abytes(secretKey, size);
const hashed = cHash(secretKey.subarray(0, size));
return adjustScalarBytes(hashed).subarray(0, size);
},
/** @deprecated */
randomPrivateKey: randomSecretKey,
/** @deprecated */
precompute(windowSize = 8, point: EdwardsPoint = Point.BASE): EdwardsPoint {
return point.precompute(windowSize, false);
},
};
return Object.freeze({
keygen,
getPublicKey,
sign,
verify,
utils,
Point,
lengths,
});
}
// TODO: remove everything below
export type CurveType = BasicCurve<bigint> & {
a: bigint; // curve param a
d: bigint; // curve param d
/** @deprecated the property will be removed in next release */
hash: FHash; // Hashing
randomBytes?: (bytesLength?: number) => Uint8Array; // CSPRNG
adjustScalarBytes?: (bytes: Uint8Array) => Uint8Array; // clears bits to get valid field elemtn
domain?: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array; // Used for hashing
uvRatio?: UVRatio; // Ratio √(u/v)
prehash?: FHash; // RFC 8032 pre-hashing of messages to sign() / verify()
mapToCurve?: (scalar: bigint[]) => AffinePoint<bigint>; // for hash-to-curve standard
};
export type CurveTypeWithLength = Readonly<CurveType & Partial<NLength>>;
export type CurveFn = {
/** @deprecated the property will be removed in next release */
CURVE: CurveType;
keygen: EdDSA['keygen'];
getPublicKey: EdDSA['getPublicKey'];
sign: EdDSA['sign'];
verify: EdDSA['verify'];
Point: EdwardsPointCons;
/** @deprecated use `Point` */
ExtendedPoint: EdwardsPointCons;
utils: EdDSA['utils'];
lengths: CurveLengths;
};
export type EdComposed = {
CURVE: EdwardsOpts;
curveOpts: EdwardsExtraOpts;
hash: FHash;
eddsaOpts: EdDSAOpts;
};
function _eddsa_legacy_opts_to_new(c: CurveTypeWithLength): EdComposed {
const CURVE: EdwardsOpts = {
a: c.a,
d: c.d,
p: c.Fp.ORDER,
n: c.n,
h: c.h,
Gx: c.Gx,
Gy: c.Gy,
};
const Fp = c.Fp;
const Fn = Field(CURVE.n, c.nBitLength, true);
const curveOpts: EdwardsExtraOpts = { Fp, Fn, uvRatio: c.uvRatio };
const eddsaOpts: EdDSAOpts = {
randomBytes: c.randomBytes,
adjustScalarBytes: c.adjustScalarBytes,
domain: c.domain,
prehash: c.prehash,
mapToCurve: c.mapToCurve,
};
return { CURVE, curveOpts, hash: c.hash, eddsaOpts };
}
function _eddsa_new_output_to_legacy(c: CurveTypeWithLength, eddsa: EdDSA): CurveFn {
const Point = eddsa.Point;
const legacy = Object.assign({}, eddsa, {
ExtendedPoint: Point,
CURVE: c,
nBitLength: Point.Fn.BITS,
nByteLength: Point.Fn.BYTES,
});
return legacy;
}
// TODO: remove. Use eddsa
export function twistedEdwards(c: CurveTypeWithLength): CurveFn {
const { CURVE, curveOpts, hash, eddsaOpts } = _eddsa_legacy_opts_to_new(c);
const Point = edwards(CURVE, curveOpts);
const EDDSA = eddsa(Point, hash, eddsaOpts);
return _eddsa_new_output_to_legacy(c, EDDSA);
}

519
node_modules/@noble/curves/src/abstract/fft.ts generated vendored Normal file
View File

@@ -0,0 +1,519 @@
/**
* Experimental implementation of NTT / FFT (Fast Fourier Transform) over finite fields.
* API may change at any time. The code has not been audited. Feature requests are welcome.
* @module
*/
import type { IField } from './modular.ts';
export interface MutableArrayLike<T> {
[index: number]: T;
length: number;
slice(start?: number, end?: number): this;
[Symbol.iterator](): Iterator<T>;
}
function checkU32(n: number) {
// 0xff_ff_ff_ff
if (!Number.isSafeInteger(n) || n < 0 || n > 0xffffffff)
throw new Error('wrong u32 integer:' + n);
return n;
}
/** Checks if integer is in form of `1 << X` */
export function isPowerOfTwo(x: number): boolean {
checkU32(x);
return (x & (x - 1)) === 0 && x !== 0;
}
export function nextPowerOfTwo(n: number): number {
checkU32(n);
if (n <= 1) return 1;
return (1 << (log2(n - 1) + 1)) >>> 0;
}
export function reverseBits(n: number, bits: number): number {
checkU32(n);
let reversed = 0;
for (let i = 0; i < bits; i++, n >>>= 1) reversed = (reversed << 1) | (n & 1);
return reversed;
}
/** Similar to `bitLen(x)-1` but much faster for small integers, like indices */
export function log2(n: number): number {
checkU32(n);
return 31 - Math.clz32(n);
}
/**
* Moves lowest bit to highest position, which at first step splits
* array on even and odd indices, then it applied again to each part,
* which is core of fft
*/
export function bitReversalInplace<T extends MutableArrayLike<any>>(values: T): T {
const n = values.length;
if (n < 2 || !isPowerOfTwo(n))
throw new Error('n must be a power of 2 and greater than 1. Got ' + n);
const bits = log2(n);
for (let i = 0; i < n; i++) {
const j = reverseBits(i, bits);
if (i < j) {
const tmp = values[i];
values[i] = values[j];
values[j] = tmp;
}
}
return values;
}
export function bitReversalPermutation<T>(values: T[]): T[] {
return bitReversalInplace(values.slice()) as T[];
}
const _1n = /** @__PURE__ */ BigInt(1);
function findGenerator(field: IField<bigint>) {
let G = BigInt(2);
for (; field.eql(field.pow(G, field.ORDER >> _1n), field.ONE); G++);
return G;
}
export type RootsOfUnity = {
roots: (bits: number) => bigint[];
brp(bits: number): bigint[];
inverse(bits: number): bigint[];
omega: (bits: number) => bigint;
clear: () => void;
};
/** We limit roots up to 2**31, which is a lot: 2-billion polynomimal should be rare. */
export function rootsOfUnity(field: IField<bigint>, generator?: bigint): RootsOfUnity {
// Factor field.ORDER-1 as oddFactor * 2^powerOfTwo
let oddFactor = field.ORDER - _1n;
let powerOfTwo = 0;
for (; (oddFactor & _1n) !== _1n; powerOfTwo++, oddFactor >>= _1n);
// Find non quadratic residue
let G = generator !== undefined ? BigInt(generator) : findGenerator(field);
// Powers of generator
const omegas: bigint[] = new Array(powerOfTwo + 1);
omegas[powerOfTwo] = field.pow(G, oddFactor);
for (let i = powerOfTwo; i > 0; i--) omegas[i - 1] = field.sqr(omegas[i]);
// Compute all roots of unity for powers up to maxPower
const rootsCache: bigint[][] = [];
const checkBits = (bits: number) => {
checkU32(bits);
if (bits > 31 || bits > powerOfTwo)
throw new Error('rootsOfUnity: wrong bits ' + bits + ' powerOfTwo=' + powerOfTwo);
return bits;
};
const precomputeRoots = (maxPower: number) => {
checkBits(maxPower);
for (let power = maxPower; power >= 0; power--) {
if (rootsCache[power]) continue; // Skip if we've already computed roots for this power
const rootsAtPower: bigint[] = [];
for (let j = 0, cur = field.ONE; j < 2 ** power; j++, cur = field.mul(cur, omegas[power]))
rootsAtPower.push(cur);
rootsCache[power] = rootsAtPower;
}
return rootsCache[maxPower];
};
const brpCache = new Map<number, bigint[]>();
const inverseCache = new Map<number, bigint[]>();
// NOTE: we use bits instead of power, because power = 2**bits,
// but power is not neccesary isPowerOfTwo(power)!
return {
roots: (bits: number): bigint[] => {
const b = checkBits(bits);
return precomputeRoots(b);
},
brp(bits: number): bigint[] {
const b = checkBits(bits);
if (brpCache.has(b)) return brpCache.get(b)!;
else {
const res = bitReversalPermutation(this.roots(b));
brpCache.set(b, res);
return res;
}
},
inverse(bits: number): bigint[] {
const b = checkBits(bits);
if (inverseCache.has(b)) return inverseCache.get(b)!;
else {
const res = field.invertBatch(this.roots(b));
inverseCache.set(b, res);
return res;
}
},
omega: (bits: number): bigint => omegas[checkBits(bits)],
clear: (): void => {
rootsCache.splice(0, rootsCache.length);
brpCache.clear();
},
};
}
export type Polynomial<T> = MutableArrayLike<T>;
/**
* Maps great to Field<bigint>, but not to Group (EC points):
* - inv from scalar field
* - we need multiplyUnsafe here, instead of multiply for speed
* - multiplyUnsafe is safe in the context: we do mul(rootsOfUnity), which are public and sparse
*/
export type FFTOpts<T, R> = {
add: (a: T, b: T) => T;
sub: (a: T, b: T) => T;
mul: (a: T, scalar: R) => T;
inv: (a: R) => R;
};
export type FFTCoreOpts<R> = {
N: number;
roots: Polynomial<R>;
dit: boolean;
invertButterflies?: boolean;
skipStages?: number;
brp?: boolean;
};
export type FFTCoreLoop<T> = <P extends Polynomial<T>>(values: P) => P;
/**
* Constructs different flavors of FFT. radix2 implementation of low level mutating API. Flavors:
*
* - DIT (Decimation-in-Time): Bottom-Up (leaves -> root), Cool-Turkey
* - DIF (Decimation-in-Frequency): Top-Down (root -> leaves), GentlemanSande
*
* DIT takes brp input, returns natural output.
* DIF takes natural input, returns brp output.
*
* The output is actually identical. Time / frequence distinction is not meaningful
* for Polynomial multiplication in fields.
* Which means if protocol supports/needs brp output/inputs, then we can skip this step.
*
* Cyclic NTT: Rq = Zq[x]/(x^n-1). butterfly_DIT+loop_DIT OR butterfly_DIF+loop_DIT, roots are omega
* Negacyclic NTT: Rq = Zq[x]/(x^n+1). butterfly_DIT+loop_DIF, at least for mlkem / mldsa
*/
export const FFTCore = <T, R>(F: FFTOpts<T, R>, coreOpts: FFTCoreOpts<R>): FFTCoreLoop<T> => {
const { N, roots, dit, invertButterflies = false, skipStages = 0, brp = true } = coreOpts;
const bits = log2(N);
if (!isPowerOfTwo(N)) throw new Error('FFT: Polynomial size should be power of two');
const isDit = dit !== invertButterflies;
isDit;
return <P extends Polynomial<T>>(values: P): P => {
if (values.length !== N) throw new Error('FFT: wrong Polynomial length');
if (dit && brp) bitReversalInplace(values);
for (let i = 0, g = 1; i < bits - skipStages; i++) {
// For each stage s (sub-FFT length m = 2^s)
const s = dit ? i + 1 + skipStages : bits - i;
const m = 1 << s;
const m2 = m >> 1;
const stride = N >> s;
// Loop over each subarray of length m
for (let k = 0; k < N; k += m) {
// Loop over each butterfly within the subarray
for (let j = 0, grp = g++; j < m2; j++) {
const rootPos = invertButterflies ? (dit ? N - grp : grp) : j * stride;
const i0 = k + j;
const i1 = k + j + m2;
const omega = roots[rootPos];
const b = values[i1];
const a = values[i0];
// Inlining gives us 10% perf in kyber vs functions
if (isDit) {
const t = F.mul(b, omega); // Standard DIT butterfly
values[i0] = F.add(a, t);
values[i1] = F.sub(a, t);
} else if (invertButterflies) {
values[i0] = F.add(b, a); // DIT loop + inverted butterflies (Kyber decode)
values[i1] = F.mul(F.sub(b, a), omega);
} else {
values[i0] = F.add(a, b); // Standard DIF butterfly
values[i1] = F.mul(F.sub(a, b), omega);
}
}
}
}
if (!dit && brp) bitReversalInplace(values);
return values;
};
};
export type FFTMethods<T> = {
direct<P extends Polynomial<T>>(values: P, brpInput?: boolean, brpOutput?: boolean): P;
inverse<P extends Polynomial<T>>(values: P, brpInput?: boolean, brpOutput?: boolean): P;
};
/**
* NTT aka FFT over finite field (NOT over complex numbers).
* Naming mirrors other libraries.
*/
export function FFT<T>(roots: RootsOfUnity, opts: FFTOpts<T, bigint>): FFTMethods<T> {
const getLoop = (
N: number,
roots: Polynomial<bigint>,
brpInput = false,
brpOutput = false
): (<P extends Polynomial<T>>(values: P) => P) => {
if (brpInput && brpOutput) {
// we cannot optimize this case, but lets support it anyway
return (values) =>
FFTCore(opts, { N, roots, dit: false, brp: false })(bitReversalInplace(values));
}
if (brpInput) return FFTCore(opts, { N, roots, dit: true, brp: false });
if (brpOutput) return FFTCore(opts, { N, roots, dit: false, brp: false });
return FFTCore(opts, { N, roots, dit: true, brp: true }); // all natural
};
return {
direct<P extends Polynomial<T>>(values: P, brpInput = false, brpOutput = false): P {
const N = values.length;
if (!isPowerOfTwo(N)) throw new Error('FFT: Polynomial size should be power of two');
const bits = log2(N);
return getLoop(N, roots.roots(bits), brpInput, brpOutput)<P>(values.slice());
},
inverse<P extends Polynomial<T>>(values: P, brpInput = false, brpOutput = false): P {
const N = values.length;
const bits = log2(N);
const res = getLoop(N, roots.inverse(bits), brpInput, brpOutput)(values.slice());
const ivm = opts.inv(BigInt(values.length)); // scale
// we can get brp output if we use dif instead of dit!
for (let i = 0; i < res.length; i++) res[i] = opts.mul(res[i], ivm);
// Allows to re-use non-inverted roots, but is VERY fragile
// return [res[0]].concat(res.slice(1).reverse());
// inverse calculated as pow(-1), which transforms into ω^{-kn} (-> reverses indices)
return res;
},
};
}
export type CreatePolyFn<P extends Polynomial<T>, T> = (len: number, elm?: T) => P;
export type PolyFn<P extends Polynomial<T>, T> = {
roots: RootsOfUnity;
create: CreatePolyFn<P, T>;
length?: number; // optional enforced size
degree: (a: P) => number;
extend: (a: P, len: number) => P;
add: (a: P, b: P) => P; // fc(x) = fa(x) + fb(x)
sub: (a: P, b: P) => P; // fc(x) = fa(x) - fb(x)
mul: (a: P, b: P | T) => P; // fc(x) = fa(x) * fb(x) OR fc(x) = fa(x) * scalar (same as field)
dot: (a: P, b: P) => P; // point-wise coeff multiplication
convolve: (a: P, b: P) => P;
shift: (p: P, factor: bigint) => P; // point-wise coeffcient shift
clone: (a: P) => P;
// Eval
eval: (a: P, basis: P) => T; // y = fc(x)
monomial: {
basis: (x: T, n: number) => P;
eval: (a: P, x: T) => T;
};
lagrange: {
basis: (x: T, n: number, brp?: boolean) => P;
eval: (a: P, x: T, brp?: boolean) => T;
};
// Complex
vanishing: (roots: P) => P; // f(x) = 0 for every x in roots
};
/**
* Poly wants a cracker.
*
* Polynomials are functions like `y=f(x)`, which means when we multiply two polynomials, result is
* function `f3(x) = f1(x) * f2(x)`, we don't multiply values. Key takeaways:
*
* - **Polynomial** is an array of coefficients: `f(x) = sum(coeff[i] * basis[i](x))`
* - **Basis** is array of functions
* - **Monominal** is Polynomial where `basis[i](x) == x**i` (powers)
* - **Array size** is domain size
* - **Lattice** is matrix (Polynomial of Polynomials)
*/
export function poly<T>(
field: IField<T>,
roots: RootsOfUnity,
create?: undefined,
fft?: FFTMethods<T>,
length?: number
): PolyFn<T[], T>;
export function poly<T, P extends Polynomial<T>>(
field: IField<T>,
roots: RootsOfUnity,
create: CreatePolyFn<P, T>,
fft?: FFTMethods<T>,
length?: number
): PolyFn<P, T>;
export function poly<T, P extends Polynomial<T>>(
field: IField<T>,
roots: RootsOfUnity,
create?: CreatePolyFn<P, T>,
fft?: FFTMethods<T>,
length?: number
): PolyFn<any, T> {
const F = field;
const _create =
create ||
(((len: number, elm?: T): Polynomial<T> => new Array(len).fill(elm ?? F.ZERO)) as CreatePolyFn<
P,
T
>);
const isPoly = (x: any): x is P => Array.isArray(x) || ArrayBuffer.isView(x);
const checkLength = (...lst: P[]): number => {
if (!lst.length) return 0;
for (const i of lst) if (!isPoly(i)) throw new Error('poly: not polynomial: ' + i);
const L = lst[0].length;
for (let i = 1; i < lst.length; i++)
if (lst[i].length !== L) throw new Error(`poly: mismatched lengths ${L} vs ${lst[i].length}`);
if (length !== undefined && L !== length)
throw new Error(`poly: expected fixed length ${length}, got ${L}`);
return L;
};
function findOmegaIndex(x: T, n: number, brp = false): number {
const bits = log2(n);
const omega = brp ? roots.brp(bits) : roots.roots(bits);
for (let i = 0; i < n; i++) if (F.eql(x, omega[i] as T)) return i;
return -1;
}
// TODO: mutating versions for mlkem/mldsa
return {
roots,
create: _create,
length,
extend: (a: P, len: number): P => {
checkLength(a);
const out = _create(len, F.ZERO);
for (let i = 0; i < a.length; i++) out[i] = a[i];
return out;
},
degree: (a: P): number => {
checkLength(a);
for (let i = a.length - 1; i >= 0; i--) if (!F.is0(a[i])) return i;
return -1;
},
add: (a: P, b: P): P => {
const len = checkLength(a, b);
const out = _create(len);
for (let i = 0; i < len; i++) out[i] = F.add(a[i], b[i]);
return out;
},
sub: (a: P, b: P): P => {
const len = checkLength(a, b);
const out = _create(len);
for (let i = 0; i < len; i++) out[i] = F.sub(a[i], b[i]);
return out;
},
dot: (a: P, b: P): P => {
const len = checkLength(a, b);
const out = _create(len);
for (let i = 0; i < len; i++) out[i] = F.mul(a[i], b[i]);
return out;
},
mul: (a: P, b: P | T): P => {
if (isPoly(b)) {
const len = checkLength(a, b);
if (fft) {
const A = fft.direct(a, false, true);
const B = fft.direct(b, false, true);
for (let i = 0; i < A.length; i++) A[i] = F.mul(A[i], B[i]);
return fft.inverse(A, true, false) as P;
} else {
// NOTE: this is quadratic and mostly for compat tests with FFT
const res = _create(len);
for (let i = 0; i < len; i++) {
for (let j = 0; j < len; j++) {
const k = (i + j) % len; // wrap mod length
res[k] = F.add(res[k], F.mul(a[i], b[j]));
}
}
return res;
}
} else {
const out = _create(checkLength(a));
for (let i = 0; i < out.length; i++) out[i] = F.mul(a[i], b);
return out;
}
},
convolve(a: P, b: P): P {
const len = nextPowerOfTwo(a.length + b.length - 1);
return this.mul(this.extend(a, len), this.extend(b, len));
},
shift(p: P, factor: bigint): P {
const out = _create(checkLength(p));
out[0] = p[0];
for (let i = 1, power = F.ONE; i < p.length; i++) {
power = F.mul(power, factor);
out[i] = F.mul(p[i], power);
}
return out;
},
clone: (a: P): P => {
checkLength(a);
const out = _create(a.length);
for (let i = 0; i < a.length; i++) out[i] = a[i];
return out;
},
eval: (a: P, basis: P): T => {
checkLength(a);
let acc = F.ZERO;
for (let i = 0; i < a.length; i++) acc = F.add(acc, F.mul(a[i], basis[i]));
return acc;
},
monomial: {
basis: (x: T, n: number): P => {
const out = _create(n);
let pow = F.ONE;
for (let i = 0; i < n; i++) {
out[i] = pow;
pow = F.mul(pow, x);
}
return out;
},
eval: (a: P, x: T): T => {
checkLength(a);
// Same as eval(a, monomialBasis(x, a.length)), but it is faster this way
let acc = F.ZERO;
for (let i = a.length - 1; i >= 0; i--) acc = F.add(F.mul(acc, x), a[i]);
return acc;
},
},
lagrange: {
basis: (x: T, n: number, brp = false, weights?: P): P => {
const bits = log2(n);
const cache = weights || brp ? roots.brp(bits) : roots.roots(bits); // [ω⁰, ω¹, ..., ωⁿ⁻¹]
const out = _create(n);
// Fast Kronecker-δ shortcut
const idx = findOmegaIndex(x, n, brp);
if (idx !== -1) {
out[idx] = F.ONE;
return out;
}
const tm = F.pow(x, BigInt(n));
const c = F.mul(F.sub(tm, F.ONE), F.inv(BigInt(n) as T)); // c = (xⁿ - 1)/n
const denom = _create(n);
for (let i = 0; i < n; i++) denom[i] = F.sub(x, cache[i] as T);
const inv = F.invertBatch(denom as any as T[]);
for (let i = 0; i < n; i++) out[i] = F.mul(c, F.mul(cache[i] as T, inv[i]));
return out;
},
eval(a: P, x: T, brp = false): T {
checkLength(a);
const idx = findOmegaIndex(x, a.length, brp);
if (idx !== -1) return a[idx]; // fast path
const L = this.basis(x, a.length, brp); // Lᵢ(x)
let acc = F.ZERO;
for (let i = 0; i < a.length; i++) if (!F.is0(a[i])) acc = F.add(acc, F.mul(a[i], L[i]));
return acc;
},
},
vanishing(roots: P): P {
checkLength(roots);
const out = _create(roots.length + 1, F.ZERO);
out[0] = F.ONE;
for (const r of roots) {
const neg = F.neg(r);
for (let j = out.length - 1; j > 0; j--) out[j] = F.add(F.mul(out[j], neg), out[j - 1]);
out[0] = F.mul(out[0], neg);
}
return out;
},
};
}

306
node_modules/@noble/curves/src/abstract/hash-to-curve.ts generated vendored Normal file
View File

@@ -0,0 +1,306 @@
/**
* hash-to-curve from RFC 9380.
* Hashes arbitrary-length byte strings to a list of one or more elements of a finite field F.
* https://www.rfc-editor.org/rfc/rfc9380
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import type { CHash } from '../utils.ts';
import {
_validateObject,
abytes,
bytesToNumberBE,
concatBytes,
isBytes,
isHash,
utf8ToBytes,
} from '../utils.ts';
import type { AffinePoint, Group, GroupConstructor } from './curve.ts';
import { FpInvertBatch, mod, type IField } from './modular.ts';
export type UnicodeOrBytes = string | Uint8Array;
/**
* * `DST` is a domain separation tag, defined in section 2.2.5
* * `p` characteristic of F, where F is a finite field of characteristic p and order q = p^m
* * `m` is extension degree (1 for prime fields)
* * `k` is the target security target in bits (e.g. 128), from section 5.1
* * `expand` is `xmd` (SHA2, SHA3, BLAKE) or `xof` (SHAKE, BLAKE-XOF)
* * `hash` conforming to `utils.CHash` interface, with `outputLen` / `blockLen` props
*/
export type H2COpts = {
DST: UnicodeOrBytes;
expand: 'xmd' | 'xof';
hash: CHash;
p: bigint;
m: number;
k: number;
};
export type H2CHashOpts = {
expand: 'xmd' | 'xof';
hash: CHash;
};
// todo: remove
export type Opts = H2COpts;
// Octet Stream to Integer. "spec" implementation of os2ip is 2.5x slower vs bytesToNumberBE.
const os2ip = bytesToNumberBE;
// Integer to Octet Stream (numberToBytesBE)
function i2osp(value: number, length: number): Uint8Array {
anum(value);
anum(length);
if (value < 0 || value >= 1 << (8 * length)) throw new Error('invalid I2OSP input: ' + value);
const res = Array.from({ length }).fill(0) as number[];
for (let i = length - 1; i >= 0; i--) {
res[i] = value & 0xff;
value >>>= 8;
}
return new Uint8Array(res);
}
function strxor(a: Uint8Array, b: Uint8Array): Uint8Array {
const arr = new Uint8Array(a.length);
for (let i = 0; i < a.length; i++) {
arr[i] = a[i] ^ b[i];
}
return arr;
}
function anum(item: unknown): void {
if (!Number.isSafeInteger(item)) throw new Error('number expected');
}
function normDST(DST: UnicodeOrBytes): Uint8Array {
if (!isBytes(DST) && typeof DST !== 'string') throw new Error('DST must be Uint8Array or string');
return typeof DST === 'string' ? utf8ToBytes(DST) : DST;
}
/**
* Produces a uniformly random byte string using a cryptographic hash function H that outputs b bits.
* [RFC 9380 5.3.1](https://www.rfc-editor.org/rfc/rfc9380#section-5.3.1).
*/
export function expand_message_xmd(
msg: Uint8Array,
DST: UnicodeOrBytes,
lenInBytes: number,
H: CHash
): Uint8Array {
abytes(msg);
anum(lenInBytes);
DST = normDST(DST);
// https://www.rfc-editor.org/rfc/rfc9380#section-5.3.3
if (DST.length > 255) DST = H(concatBytes(utf8ToBytes('H2C-OVERSIZE-DST-'), DST));
const { outputLen: b_in_bytes, blockLen: r_in_bytes } = H;
const ell = Math.ceil(lenInBytes / b_in_bytes);
if (lenInBytes > 65535 || ell > 255) throw new Error('expand_message_xmd: invalid lenInBytes');
const DST_prime = concatBytes(DST, i2osp(DST.length, 1));
const Z_pad = i2osp(0, r_in_bytes);
const l_i_b_str = i2osp(lenInBytes, 2); // len_in_bytes_str
const b = new Array<Uint8Array>(ell);
const b_0 = H(concatBytes(Z_pad, msg, l_i_b_str, i2osp(0, 1), DST_prime));
b[0] = H(concatBytes(b_0, i2osp(1, 1), DST_prime));
for (let i = 1; i <= ell; i++) {
const args = [strxor(b_0, b[i - 1]), i2osp(i + 1, 1), DST_prime];
b[i] = H(concatBytes(...args));
}
const pseudo_random_bytes = concatBytes(...b);
return pseudo_random_bytes.slice(0, lenInBytes);
}
/**
* Produces a uniformly random byte string using an extendable-output function (XOF) H.
* 1. The collision resistance of H MUST be at least k bits.
* 2. H MUST be an XOF that has been proved indifferentiable from
* a random oracle under a reasonable cryptographic assumption.
* [RFC 9380 5.3.2](https://www.rfc-editor.org/rfc/rfc9380#section-5.3.2).
*/
export function expand_message_xof(
msg: Uint8Array,
DST: UnicodeOrBytes,
lenInBytes: number,
k: number,
H: CHash
): Uint8Array {
abytes(msg);
anum(lenInBytes);
DST = normDST(DST);
// https://www.rfc-editor.org/rfc/rfc9380#section-5.3.3
// DST = H('H2C-OVERSIZE-DST-' || a_very_long_DST, Math.ceil((lenInBytes * k) / 8));
if (DST.length > 255) {
const dkLen = Math.ceil((2 * k) / 8);
DST = H.create({ dkLen }).update(utf8ToBytes('H2C-OVERSIZE-DST-')).update(DST).digest();
}
if (lenInBytes > 65535 || DST.length > 255)
throw new Error('expand_message_xof: invalid lenInBytes');
return (
H.create({ dkLen: lenInBytes })
.update(msg)
.update(i2osp(lenInBytes, 2))
// 2. DST_prime = DST || I2OSP(len(DST), 1)
.update(DST)
.update(i2osp(DST.length, 1))
.digest()
);
}
/**
* Hashes arbitrary-length byte strings to a list of one or more elements of a finite field F.
* [RFC 9380 5.2](https://www.rfc-editor.org/rfc/rfc9380#section-5.2).
* @param msg a byte string containing the message to hash
* @param count the number of elements of F to output
* @param options `{DST: string, p: bigint, m: number, k: number, expand: 'xmd' | 'xof', hash: H}`, see above
* @returns [u_0, ..., u_(count - 1)], a list of field elements.
*/
export function hash_to_field(msg: Uint8Array, count: number, options: H2COpts): bigint[][] {
_validateObject(options, {
p: 'bigint',
m: 'number',
k: 'number',
hash: 'function',
});
const { p, k, m, hash, expand, DST } = options;
if (!isHash(options.hash)) throw new Error('expected valid hash');
abytes(msg);
anum(count);
const log2p = p.toString(2).length;
const L = Math.ceil((log2p + k) / 8); // section 5.1 of ietf draft link above
const len_in_bytes = count * m * L;
let prb; // pseudo_random_bytes
if (expand === 'xmd') {
prb = expand_message_xmd(msg, DST, len_in_bytes, hash);
} else if (expand === 'xof') {
prb = expand_message_xof(msg, DST, len_in_bytes, k, hash);
} else if (expand === '_internal_pass') {
// for internal tests only
prb = msg;
} else {
throw new Error('expand must be "xmd" or "xof"');
}
const u = new Array(count);
for (let i = 0; i < count; i++) {
const e = new Array(m);
for (let j = 0; j < m; j++) {
const elm_offset = L * (j + i * m);
const tv = prb.subarray(elm_offset, elm_offset + L);
e[j] = mod(os2ip(tv), p);
}
u[i] = e;
}
return u;
}
export type XY<T> = (x: T, y: T) => { x: T; y: T };
export type XYRatio<T> = [T[], T[], T[], T[]]; // xn/xd, yn/yd
export function isogenyMap<T, F extends IField<T>>(field: F, map: XYRatio<T>): XY<T> {
// Make same order as in spec
const coeff = map.map((i) => Array.from(i).reverse());
return (x: T, y: T) => {
const [xn, xd, yn, yd] = coeff.map((val) =>
val.reduce((acc, i) => field.add(field.mul(acc, x), i))
);
// 6.6.3
// Exceptional cases of iso_map are inputs that cause the denominator of
// either rational function to evaluate to zero; such cases MUST return
// the identity point on E.
const [xd_inv, yd_inv] = FpInvertBatch(field, [xd, yd], true);
x = field.mul(xn, xd_inv); // xNum / xDen
y = field.mul(y, field.mul(yn, yd_inv)); // y * (yNum / yDev)
return { x, y };
};
}
/** Point interface, which curves must implement to work correctly with the module. */
export interface H2CPoint<T> extends Group<H2CPoint<T>> {
add(rhs: H2CPoint<T>): H2CPoint<T>;
toAffine(iz?: bigint): AffinePoint<T>;
clearCofactor(): H2CPoint<T>;
assertValidity(): void;
}
export interface H2CPointConstructor<T> extends GroupConstructor<H2CPoint<T>> {
fromAffine(ap: AffinePoint<T>): H2CPoint<T>;
}
export type MapToCurve<T> = (scalar: bigint[]) => AffinePoint<T>;
// Separated from initialization opts, so users won't accidentally change per-curve parameters
// (changing DST is ok!)
export type htfBasicOpts = { DST: UnicodeOrBytes };
export type H2CMethod<T> = (msg: Uint8Array, options?: htfBasicOpts) => H2CPoint<T>;
// TODO: remove
export type HTFMethod<T> = H2CMethod<T>;
export type MapMethod<T> = (scalars: bigint[]) => H2CPoint<T>;
export type H2CHasherBase<T> = {
hashToCurve: H2CMethod<T>;
hashToScalar: (msg: Uint8Array, options: htfBasicOpts) => bigint;
};
/**
* RFC 9380 methods, with cofactor clearing. See https://www.rfc-editor.org/rfc/rfc9380#section-3.
*
* * hashToCurve: `map(hash(input))`, encodes RANDOM bytes to curve (WITH hashing)
* * encodeToCurve: `map(hash(input))`, encodes NON-UNIFORM bytes to curve (WITH hashing)
* * mapToCurve: `map(scalars)`, encodes NON-UNIFORM scalars to curve (NO hashing)
*/
export type H2CHasher<T> = H2CHasherBase<T> & {
encodeToCurve: H2CMethod<T>;
mapToCurve: MapMethod<T>;
defaults: H2COpts & { encodeDST?: UnicodeOrBytes };
};
// TODO: remove
export type Hasher<T> = H2CHasher<T>;
export const _DST_scalar: Uint8Array = utf8ToBytes('HashToScalar-');
/** Creates hash-to-curve methods from EC Point and mapToCurve function. See {@link H2CHasher}. */
export function createHasher<T>(
Point: H2CPointConstructor<T>,
mapToCurve: MapToCurve<T>,
defaults: H2COpts & { encodeDST?: UnicodeOrBytes }
): H2CHasher<T> {
if (typeof mapToCurve !== 'function') throw new Error('mapToCurve() must be defined');
function map(num: bigint[]) {
return Point.fromAffine(mapToCurve(num));
}
function clear(initial: H2CPoint<T>) {
const P = initial.clearCofactor();
if (P.equals(Point.ZERO)) return Point.ZERO; // zero will throw in assert
P.assertValidity();
return P;
}
return {
defaults,
hashToCurve(msg: Uint8Array, options?: htfBasicOpts): H2CPoint<T> {
const opts = Object.assign({}, defaults, options);
const u = hash_to_field(msg, 2, opts);
const u0 = map(u[0]);
const u1 = map(u[1]);
return clear(u0.add(u1));
},
encodeToCurve(msg: Uint8Array, options?: htfBasicOpts): H2CPoint<T> {
const optsDst = defaults.encodeDST ? { DST: defaults.encodeDST } : {};
const opts = Object.assign({}, defaults, optsDst, options);
const u = hash_to_field(msg, 1, opts);
const u0 = map(u[0]);
return clear(u0);
},
/** See {@link H2CHasher} */
mapToCurve(scalars: bigint[]): H2CPoint<T> {
if (!Array.isArray(scalars)) throw new Error('expected array of bigints');
for (const i of scalars)
if (typeof i !== 'bigint') throw new Error('expected array of bigints');
return clear(map(scalars));
},
// hash_to_scalar can produce 0: https://www.rfc-editor.org/errata/eid8393
// RFC 9380, draft-irtf-cfrg-bbs-signatures-08
hashToScalar(msg: Uint8Array, options?: htfBasicOpts): bigint {
// @ts-ignore
const N = Point.Fn.ORDER;
const opts = Object.assign({}, defaults, { p: N, m: 1, DST: _DST_scalar }, options);
return hash_to_field(msg, 1, opts)[0][0];
},
};
}

605
node_modules/@noble/curves/src/abstract/modular.ts generated vendored Normal file
View File

@@ -0,0 +1,605 @@
/**
* Utils for modular division and fields.
* Field over 11 is a finite (Galois) field is integer number operations `mod 11`.
* There is no division: it is replaced by modular multiplicative inverse.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import {
_validateObject,
anumber,
bitMask,
bytesToNumberBE,
bytesToNumberLE,
ensureBytes,
numberToBytesBE,
numberToBytesLE,
} from '../utils.ts';
// prettier-ignore
const _0n = BigInt(0), _1n = BigInt(1), _2n = /* @__PURE__ */ BigInt(2), _3n = /* @__PURE__ */ BigInt(3);
// prettier-ignore
const _4n = /* @__PURE__ */ BigInt(4), _5n = /* @__PURE__ */ BigInt(5), _7n = /* @__PURE__ */ BigInt(7);
// prettier-ignore
const _8n = /* @__PURE__ */ BigInt(8), _9n = /* @__PURE__ */ BigInt(9), _16n = /* @__PURE__ */ BigInt(16);
// Calculates a modulo b
export function mod(a: bigint, b: bigint): bigint {
const result = a % b;
return result >= _0n ? result : b + result;
}
/**
* Efficiently raise num to power and do modular division.
* Unsafe in some contexts: uses ladder, so can expose bigint bits.
* @example
* pow(2n, 6n, 11n) // 64n % 11n == 9n
*/
export function pow(num: bigint, power: bigint, modulo: bigint): bigint {
return FpPow(Field(modulo), num, power);
}
/** Does `x^(2^power)` mod p. `pow2(30, 4)` == `30^(2^4)` */
export function pow2(x: bigint, power: bigint, modulo: bigint): bigint {
let res = x;
while (power-- > _0n) {
res *= res;
res %= modulo;
}
return res;
}
/**
* Inverses number over modulo.
* Implemented using [Euclidean GCD](https://brilliant.org/wiki/extended-euclidean-algorithm/).
*/
export function invert(number: bigint, modulo: bigint): bigint {
if (number === _0n) throw new Error('invert: expected non-zero number');
if (modulo <= _0n) throw new Error('invert: expected positive modulus, got ' + modulo);
// Fermat's little theorem "CT-like" version inv(n) = n^(m-2) mod m is 30x slower.
let a = mod(number, modulo);
let b = modulo;
// prettier-ignore
let x = _0n, y = _1n, u = _1n, v = _0n;
while (a !== _0n) {
// JIT applies optimization if those two lines follow each other
const q = b / a;
const r = b % a;
const m = x - u * q;
const n = y - v * q;
// prettier-ignore
b = a, a = r, x = u, y = v, u = m, v = n;
}
const gcd = b;
if (gcd !== _1n) throw new Error('invert: does not exist');
return mod(x, modulo);
}
function assertIsSquare<T>(Fp: IField<T>, root: T, n: T): void {
if (!Fp.eql(Fp.sqr(root), n)) throw new Error('Cannot find square root');
}
// Not all roots are possible! Example which will throw:
// const NUM =
// n = 72057594037927816n;
// Fp = Field(BigInt('0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab'));
function sqrt3mod4<T>(Fp: IField<T>, n: T) {
const p1div4 = (Fp.ORDER + _1n) / _4n;
const root = Fp.pow(n, p1div4);
assertIsSquare(Fp, root, n);
return root;
}
function sqrt5mod8<T>(Fp: IField<T>, n: T) {
const p5div8 = (Fp.ORDER - _5n) / _8n;
const n2 = Fp.mul(n, _2n);
const v = Fp.pow(n2, p5div8);
const nv = Fp.mul(n, v);
const i = Fp.mul(Fp.mul(nv, _2n), v);
const root = Fp.mul(nv, Fp.sub(i, Fp.ONE));
assertIsSquare(Fp, root, n);
return root;
}
// Based on RFC9380, Kong algorithm
// prettier-ignore
function sqrt9mod16(P: bigint): <T>(Fp: IField<T>, n: T) => T {
const Fp_ = Field(P);
const tn = tonelliShanks(P);
const c1 = tn(Fp_, Fp_.neg(Fp_.ONE));// 1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F
const c2 = tn(Fp_, c1); // 2. c2 = sqrt(c1) in F, i.e., (c2^2) == c1 in F
const c3 = tn(Fp_, Fp_.neg(c1)); // 3. c3 = sqrt(-c1) in F, i.e., (c3^2) == -c1 in F
const c4 = (P + _7n) / _16n; // 4. c4 = (q + 7) / 16 # Integer arithmetic
return <T>(Fp: IField<T>, n: T) => {
let tv1 = Fp.pow(n, c4); // 1. tv1 = x^c4
let tv2 = Fp.mul(tv1, c1); // 2. tv2 = c1 * tv1
const tv3 = Fp.mul(tv1, c2); // 3. tv3 = c2 * tv1
const tv4 = Fp.mul(tv1, c3); // 4. tv4 = c3 * tv1
const e1 = Fp.eql(Fp.sqr(tv2), n); // 5. e1 = (tv2^2) == x
const e2 = Fp.eql(Fp.sqr(tv3), n); // 6. e2 = (tv3^2) == x
tv1 = Fp.cmov(tv1, tv2, e1); // 7. tv1 = CMOV(tv1, tv2, e1) # Select tv2 if (tv2^2) == x
tv2 = Fp.cmov(tv4, tv3, e2); // 8. tv2 = CMOV(tv4, tv3, e2) # Select tv3 if (tv3^2) == x
const e3 = Fp.eql(Fp.sqr(tv2), n); // 9. e3 = (tv2^2) == x
const root = Fp.cmov(tv1, tv2, e3);// 10. z = CMOV(tv1, tv2, e3) # Select sqrt from tv1 & tv2
assertIsSquare(Fp, root, n);
return root;
};
}
/**
* Tonelli-Shanks square root search algorithm.
* 1. https://eprint.iacr.org/2012/685.pdf (page 12)
* 2. Square Roots from 1; 24, 51, 10 to Dan Shanks
* @param P field order
* @returns function that takes field Fp (created from P) and number n
*/
export function tonelliShanks(P: bigint): <T>(Fp: IField<T>, n: T) => T {
// Initialization (precomputation).
// Caching initialization could boost perf by 7%.
if (P < _3n) throw new Error('sqrt is not defined for small field');
// Factor P - 1 = Q * 2^S, where Q is odd
let Q = P - _1n;
let S = 0;
while (Q % _2n === _0n) {
Q /= _2n;
S++;
}
// Find the first quadratic non-residue Z >= 2
let Z = _2n;
const _Fp = Field(P);
while (FpLegendre(_Fp, Z) === 1) {
// Basic primality test for P. After x iterations, chance of
// not finding quadratic non-residue is 2^x, so 2^1000.
if (Z++ > 1000) throw new Error('Cannot find square root: probably non-prime P');
}
// Fast-path; usually done before Z, but we do "primality test".
if (S === 1) return sqrt3mod4;
// Slow-path
// TODO: test on Fp2 and others
let cc = _Fp.pow(Z, Q); // c = z^Q
const Q1div2 = (Q + _1n) / _2n;
return function tonelliSlow<T>(Fp: IField<T>, n: T): T {
if (Fp.is0(n)) return n;
// Check if n is a quadratic residue using Legendre symbol
if (FpLegendre(Fp, n) !== 1) throw new Error('Cannot find square root');
// Initialize variables for the main loop
let M = S;
let c = Fp.mul(Fp.ONE, cc); // c = z^Q, move cc from field _Fp into field Fp
let t = Fp.pow(n, Q); // t = n^Q, first guess at the fudge factor
let R = Fp.pow(n, Q1div2); // R = n^((Q+1)/2), first guess at the square root
// Main loop
// while t != 1
while (!Fp.eql(t, Fp.ONE)) {
if (Fp.is0(t)) return Fp.ZERO; // if t=0 return R=0
let i = 1;
// Find the smallest i >= 1 such that t^(2^i) ≡ 1 (mod P)
let t_tmp = Fp.sqr(t); // t^(2^1)
while (!Fp.eql(t_tmp, Fp.ONE)) {
i++;
t_tmp = Fp.sqr(t_tmp); // t^(2^2)...
if (i === M) throw new Error('Cannot find square root');
}
// Calculate the exponent for b: 2^(M - i - 1)
const exponent = _1n << BigInt(M - i - 1); // bigint is important
const b = Fp.pow(c, exponent); // b = 2^(M - i - 1)
// Update variables
M = i;
c = Fp.sqr(b); // c = b^2
t = Fp.mul(t, c); // t = (t * b^2)
R = Fp.mul(R, b); // R = R*b
}
return R;
};
}
/**
* Square root for a finite field. Will try optimized versions first:
*
* 1. P ≡ 3 (mod 4)
* 2. P ≡ 5 (mod 8)
* 3. P ≡ 9 (mod 16)
* 4. Tonelli-Shanks algorithm
*
* Different algorithms can give different roots, it is up to user to decide which one they want.
* For example there is FpSqrtOdd/FpSqrtEven to choice root based on oddness (used for hash-to-curve).
*/
export function FpSqrt(P: bigint): <T>(Fp: IField<T>, n: T) => T {
// P ≡ 3 (mod 4) => √n = n^((P+1)/4)
if (P % _4n === _3n) return sqrt3mod4;
// P ≡ 5 (mod 8) => Atkin algorithm, page 10 of https://eprint.iacr.org/2012/685.pdf
if (P % _8n === _5n) return sqrt5mod8;
// P ≡ 9 (mod 16) => Kong algorithm, page 11 of https://eprint.iacr.org/2012/685.pdf (algorithm 4)
if (P % _16n === _9n) return sqrt9mod16(P);
// Tonelli-Shanks algorithm
return tonelliShanks(P);
}
// Little-endian check for first LE bit (last BE bit);
export const isNegativeLE = (num: bigint, modulo: bigint): boolean =>
(mod(num, modulo) & _1n) === _1n;
/** Field is not always over prime: for example, Fp2 has ORDER(q)=p^m. */
export interface IField<T> {
ORDER: bigint;
isLE: boolean;
BYTES: number;
BITS: number;
MASK: bigint;
ZERO: T;
ONE: T;
// 1-arg
create: (num: T) => T;
isValid: (num: T) => boolean;
is0: (num: T) => boolean;
isValidNot0: (num: T) => boolean;
neg(num: T): T;
inv(num: T): T;
sqrt(num: T): T;
sqr(num: T): T;
// 2-args
eql(lhs: T, rhs: T): boolean;
add(lhs: T, rhs: T): T;
sub(lhs: T, rhs: T): T;
mul(lhs: T, rhs: T | bigint): T;
pow(lhs: T, power: bigint): T;
div(lhs: T, rhs: T | bigint): T;
// N for NonNormalized (for now)
addN(lhs: T, rhs: T): T;
subN(lhs: T, rhs: T): T;
mulN(lhs: T, rhs: T | bigint): T;
sqrN(num: T): T;
// Optional
// Should be same as sgn0 function in
// [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#section-4.1).
// NOTE: sgn0 is 'negative in LE', which is same as odd. And negative in LE is kinda strange definition anyway.
isOdd?(num: T): boolean; // Odd instead of even since we have it for Fp2
allowedLengths?: number[];
// legendre?(num: T): T;
invertBatch: (lst: T[]) => T[];
toBytes(num: T): Uint8Array;
fromBytes(bytes: Uint8Array, skipValidation?: boolean): T;
// If c is False, CMOV returns a, otherwise it returns b.
cmov(a: T, b: T, c: boolean): T;
}
// prettier-ignore
const FIELD_FIELDS = [
'create', 'isValid', 'is0', 'neg', 'inv', 'sqrt', 'sqr',
'eql', 'add', 'sub', 'mul', 'pow', 'div',
'addN', 'subN', 'mulN', 'sqrN'
] as const;
export function validateField<T>(field: IField<T>): IField<T> {
const initial = {
ORDER: 'bigint',
MASK: 'bigint',
BYTES: 'number',
BITS: 'number',
} as Record<string, string>;
const opts = FIELD_FIELDS.reduce((map, val: string) => {
map[val] = 'function';
return map;
}, initial);
_validateObject(field, opts);
// const max = 16384;
// if (field.BYTES < 1 || field.BYTES > max) throw new Error('invalid field');
// if (field.BITS < 1 || field.BITS > 8 * max) throw new Error('invalid field');
return field;
}
// Generic field functions
/**
* Same as `pow` but for Fp: non-constant-time.
* Unsafe in some contexts: uses ladder, so can expose bigint bits.
*/
export function FpPow<T>(Fp: IField<T>, num: T, power: bigint): T {
if (power < _0n) throw new Error('invalid exponent, negatives unsupported');
if (power === _0n) return Fp.ONE;
if (power === _1n) return num;
let p = Fp.ONE;
let d = num;
while (power > _0n) {
if (power & _1n) p = Fp.mul(p, d);
d = Fp.sqr(d);
power >>= _1n;
}
return p;
}
/**
* Efficiently invert an array of Field elements.
* Exception-free. Will return `undefined` for 0 elements.
* @param passZero map 0 to 0 (instead of undefined)
*/
export function FpInvertBatch<T>(Fp: IField<T>, nums: T[], passZero = false): T[] {
const inverted = new Array(nums.length).fill(passZero ? Fp.ZERO : undefined);
// Walk from first to last, multiply them by each other MOD p
const multipliedAcc = nums.reduce((acc, num, i) => {
if (Fp.is0(num)) return acc;
inverted[i] = acc;
return Fp.mul(acc, num);
}, Fp.ONE);
// Invert last element
const invertedAcc = Fp.inv(multipliedAcc);
// Walk from last to first, multiply them by inverted each other MOD p
nums.reduceRight((acc, num, i) => {
if (Fp.is0(num)) return acc;
inverted[i] = Fp.mul(acc, inverted[i]);
return Fp.mul(acc, num);
}, invertedAcc);
return inverted;
}
// TODO: remove
export function FpDiv<T>(Fp: IField<T>, lhs: T, rhs: T | bigint): T {
return Fp.mul(lhs, typeof rhs === 'bigint' ? invert(rhs, Fp.ORDER) : Fp.inv(rhs));
}
/**
* Legendre symbol.
* Legendre constant is used to calculate Legendre symbol (a | p)
* which denotes the value of a^((p-1)/2) (mod p).
*
* * (a | p) ≡ 1 if a is a square (mod p), quadratic residue
* * (a | p) ≡ -1 if a is not a square (mod p), quadratic non residue
* * (a | p) ≡ 0 if a ≡ 0 (mod p)
*/
export function FpLegendre<T>(Fp: IField<T>, n: T): -1 | 0 | 1 {
// We can use 3rd argument as optional cache of this value
// but seems unneeded for now. The operation is very fast.
const p1mod2 = (Fp.ORDER - _1n) / _2n;
const powered = Fp.pow(n, p1mod2);
const yes = Fp.eql(powered, Fp.ONE);
const zero = Fp.eql(powered, Fp.ZERO);
const no = Fp.eql(powered, Fp.neg(Fp.ONE));
if (!yes && !zero && !no) throw new Error('invalid Legendre symbol result');
return yes ? 1 : zero ? 0 : -1;
}
// This function returns True whenever the value x is a square in the field F.
export function FpIsSquare<T>(Fp: IField<T>, n: T): boolean {
const l = FpLegendre(Fp, n);
return l === 1;
}
export type NLength = { nByteLength: number; nBitLength: number };
// CURVE.n lengths
export function nLength(n: bigint, nBitLength?: number): NLength {
// Bit size, byte size of CURVE.n
if (nBitLength !== undefined) anumber(nBitLength);
const _nBitLength = nBitLength !== undefined ? nBitLength : n.toString(2).length;
const nByteLength = Math.ceil(_nBitLength / 8);
return { nBitLength: _nBitLength, nByteLength };
}
type FpField = IField<bigint> & Required<Pick<IField<bigint>, 'isOdd'>>;
type SqrtFn = (n: bigint) => bigint;
type FieldOpts = Partial<{
sqrt: SqrtFn;
isLE: boolean;
BITS: number;
modFromBytes: boolean; // bls12-381 requires mod(n) instead of rejecting keys >= n
allowedLengths?: readonly number[]; // for P521 (adds padding for smaller sizes)
}>;
/**
* Creates a finite field. Major performance optimizations:
* * 1. Denormalized operations like mulN instead of mul.
* * 2. Identical object shape: never add or remove keys.
* * 3. `Object.freeze`.
* Fragile: always run a benchmark on a change.
* Security note: operations don't check 'isValid' for all elements for performance reasons,
* it is caller responsibility to check this.
* This is low-level code, please make sure you know what you're doing.
*
* Note about field properties:
* * CHARACTERISTIC p = prime number, number of elements in main subgroup.
* * ORDER q = similar to cofactor in curves, may be composite `q = p^m`.
*
* @param ORDER field order, probably prime, or could be composite
* @param bitLen how many bits the field consumes
* @param isLE (default: false) if encoding / decoding should be in little-endian
* @param redef optional faster redefinitions of sqrt and other methods
*/
export function Field(
ORDER: bigint,
bitLenOrOpts?: number | FieldOpts, // TODO: use opts only in v2?
isLE = false,
opts: { sqrt?: SqrtFn } = {}
): Readonly<FpField> {
if (ORDER <= _0n) throw new Error('invalid field: expected ORDER > 0, got ' + ORDER);
let _nbitLength: number | undefined = undefined;
let _sqrt: SqrtFn | undefined = undefined;
let modFromBytes: boolean = false;
let allowedLengths: undefined | readonly number[] = undefined;
if (typeof bitLenOrOpts === 'object' && bitLenOrOpts != null) {
if (opts.sqrt || isLE) throw new Error('cannot specify opts in two arguments');
const _opts = bitLenOrOpts;
if (_opts.BITS) _nbitLength = _opts.BITS;
if (_opts.sqrt) _sqrt = _opts.sqrt;
if (typeof _opts.isLE === 'boolean') isLE = _opts.isLE;
if (typeof _opts.modFromBytes === 'boolean') modFromBytes = _opts.modFromBytes;
allowedLengths = _opts.allowedLengths;
} else {
if (typeof bitLenOrOpts === 'number') _nbitLength = bitLenOrOpts;
if (opts.sqrt) _sqrt = opts.sqrt;
}
const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, _nbitLength);
if (BYTES > 2048) throw new Error('invalid field: expected ORDER of <= 2048 bytes');
let sqrtP: ReturnType<typeof FpSqrt>; // cached sqrtP
const f: Readonly<FpField> = Object.freeze({
ORDER,
isLE,
BITS,
BYTES,
MASK: bitMask(BITS),
ZERO: _0n,
ONE: _1n,
allowedLengths: allowedLengths,
create: (num) => mod(num, ORDER),
isValid: (num) => {
if (typeof num !== 'bigint')
throw new Error('invalid field element: expected bigint, got ' + typeof num);
return _0n <= num && num < ORDER; // 0 is valid element, but it's not invertible
},
is0: (num) => num === _0n,
// is valid and invertible
isValidNot0: (num: bigint) => !f.is0(num) && f.isValid(num),
isOdd: (num) => (num & _1n) === _1n,
neg: (num) => mod(-num, ORDER),
eql: (lhs, rhs) => lhs === rhs,
sqr: (num) => mod(num * num, ORDER),
add: (lhs, rhs) => mod(lhs + rhs, ORDER),
sub: (lhs, rhs) => mod(lhs - rhs, ORDER),
mul: (lhs, rhs) => mod(lhs * rhs, ORDER),
pow: (num, power) => FpPow(f, num, power),
div: (lhs, rhs) => mod(lhs * invert(rhs, ORDER), ORDER),
// Same as above, but doesn't normalize
sqrN: (num) => num * num,
addN: (lhs, rhs) => lhs + rhs,
subN: (lhs, rhs) => lhs - rhs,
mulN: (lhs, rhs) => lhs * rhs,
inv: (num) => invert(num, ORDER),
sqrt:
_sqrt ||
((n) => {
if (!sqrtP) sqrtP = FpSqrt(ORDER);
return sqrtP(f, n);
}),
toBytes: (num) => (isLE ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES)),
fromBytes: (bytes, skipValidation = true) => {
if (allowedLengths) {
if (!allowedLengths.includes(bytes.length) || bytes.length > BYTES) {
throw new Error(
'Field.fromBytes: expected ' + allowedLengths + ' bytes, got ' + bytes.length
);
}
const padded = new Uint8Array(BYTES);
// isLE add 0 to right, !isLE to the left.
padded.set(bytes, isLE ? 0 : padded.length - bytes.length);
bytes = padded;
}
if (bytes.length !== BYTES)
throw new Error('Field.fromBytes: expected ' + BYTES + ' bytes, got ' + bytes.length);
let scalar = isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
if (modFromBytes) scalar = mod(scalar, ORDER);
if (!skipValidation)
if (!f.isValid(scalar)) throw new Error('invalid field element: outside of range 0..ORDER');
// NOTE: we don't validate scalar here, please use isValid. This done such way because some
// protocol may allow non-reduced scalar that reduced later or changed some other way.
return scalar;
},
// TODO: we don't need it here, move out to separate fn
invertBatch: (lst) => FpInvertBatch(f, lst),
// We can't move this out because Fp6, Fp12 implement it
// and it's unclear what to return in there.
cmov: (a, b, c) => (c ? b : a),
} as FpField);
return Object.freeze(f);
}
// Generic random scalar, we can do same for other fields if via Fp2.mul(Fp2.ONE, Fp2.random)?
// This allows unsafe methods like ignore bias or zero. These unsafe, but often used in different protocols (if deterministic RNG).
// which mean we cannot force this via opts.
// Not sure what to do with randomBytes, we can accept it inside opts if wanted.
// Probably need to export getMinHashLength somewhere?
// random(bytes?: Uint8Array, unsafeAllowZero = false, unsafeAllowBias = false) {
// const LEN = !unsafeAllowBias ? getMinHashLength(ORDER) : BYTES;
// if (bytes === undefined) bytes = randomBytes(LEN); // _opts.randomBytes?
// const num = isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
// // `mod(x, 11)` can sometimes produce 0. `mod(x, 10) + 1` is the same, but no 0
// const reduced = unsafeAllowZero ? mod(num, ORDER) : mod(num, ORDER - _1n) + _1n;
// return reduced;
// },
export function FpSqrtOdd<T>(Fp: IField<T>, elm: T): T {
if (!Fp.isOdd) throw new Error("Field doesn't have isOdd");
const root = Fp.sqrt(elm);
return Fp.isOdd(root) ? root : Fp.neg(root);
}
export function FpSqrtEven<T>(Fp: IField<T>, elm: T): T {
if (!Fp.isOdd) throw new Error("Field doesn't have isOdd");
const root = Fp.sqrt(elm);
return Fp.isOdd(root) ? Fp.neg(root) : root;
}
/**
* "Constant-time" private key generation utility.
* Same as mapKeyToField, but accepts less bytes (40 instead of 48 for 32-byte field).
* Which makes it slightly more biased, less secure.
* @deprecated use `mapKeyToField` instead
*/
export function hashToPrivateScalar(
hash: string | Uint8Array,
groupOrder: bigint,
isLE = false
): bigint {
hash = ensureBytes('privateHash', hash);
const hashLen = hash.length;
const minLen = nLength(groupOrder).nByteLength + 8;
if (minLen < 24 || hashLen < minLen || hashLen > 1024)
throw new Error(
'hashToPrivateScalar: expected ' + minLen + '-1024 bytes of input, got ' + hashLen
);
const num = isLE ? bytesToNumberLE(hash) : bytesToNumberBE(hash);
return mod(num, groupOrder - _1n) + _1n;
}
/**
* Returns total number of bytes consumed by the field element.
* For example, 32 bytes for usual 256-bit weierstrass curve.
* @param fieldOrder number of field elements, usually CURVE.n
* @returns byte length of field
*/
export function getFieldBytesLength(fieldOrder: bigint): number {
if (typeof fieldOrder !== 'bigint') throw new Error('field order must be bigint');
const bitLength = fieldOrder.toString(2).length;
return Math.ceil(bitLength / 8);
}
/**
* Returns minimal amount of bytes that can be safely reduced
* by field order.
* Should be 2^-128 for 128-bit curve such as P256.
* @param fieldOrder number of field elements, usually CURVE.n
* @returns byte length of target hash
*/
export function getMinHashLength(fieldOrder: bigint): number {
const length = getFieldBytesLength(fieldOrder);
return length + Math.ceil(length / 2);
}
/**
* "Constant-time" private key generation utility.
* Can take (n + n/2) or more bytes of uniform input e.g. from CSPRNG or KDF
* and convert them into private scalar, with the modulo bias being negligible.
* Needs at least 48 bytes of input for 32-byte private key.
* https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
* FIPS 186-5, A.2 https://csrc.nist.gov/publications/detail/fips/186/5/final
* RFC 9380, https://www.rfc-editor.org/rfc/rfc9380#section-5
* @param hash hash output from SHA3 or a similar function
* @param groupOrder size of subgroup - (e.g. secp256k1.CURVE.n)
* @param isLE interpret hash bytes as LE num
* @returns valid private scalar
*/
export function mapHashToField(key: Uint8Array, fieldOrder: bigint, isLE = false): Uint8Array {
const len = key.length;
const fieldLen = getFieldBytesLength(fieldOrder);
const minLen = getMinHashLength(fieldOrder);
// No small numbers: need to understand bias story. No huge numbers: easier to detect JS timings.
if (len < 16 || len < minLen || len > 1024)
throw new Error('expected ' + minLen + '-1024 bytes of input, got ' + len);
const num = isLE ? bytesToNumberLE(key) : bytesToNumberBE(key);
// `mod(x, 11)` can sometimes produce 0. `mod(x, 10) + 1` is the same, but no 0
const reduced = mod(num, fieldOrder - _1n) + _1n;
return isLE ? numberToBytesLE(reduced, fieldLen) : numberToBytesBE(reduced, fieldLen);
}

194
node_modules/@noble/curves/src/abstract/montgomery.ts generated vendored Normal file
View File

@@ -0,0 +1,194 @@
/**
* Montgomery curve methods. It's not really whole montgomery curve,
* just bunch of very specific methods for X25519 / X448 from
* [RFC 7748](https://www.rfc-editor.org/rfc/rfc7748)
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import {
_validateObject,
abytes,
aInRange,
bytesToNumberLE,
ensureBytes,
numberToBytesLE,
randomBytes,
} from '../utils.ts';
import type { CurveLengths } from './curve.ts';
import { mod } from './modular.ts';
const _0n = BigInt(0);
const _1n = BigInt(1);
const _2n = BigInt(2);
type Hex = string | Uint8Array;
export type CurveType = {
P: bigint; // finite field prime
type: 'x25519' | 'x448';
adjustScalarBytes: (bytes: Uint8Array) => Uint8Array;
powPminus2: (x: bigint) => bigint;
randomBytes?: (bytesLength?: number) => Uint8Array;
};
export type MontgomeryECDH = {
scalarMult: (scalar: Hex, u: Hex) => Uint8Array;
scalarMultBase: (scalar: Hex) => Uint8Array;
getSharedSecret: (secretKeyA: Hex, publicKeyB: Hex) => Uint8Array;
getPublicKey: (secretKey: Hex) => Uint8Array;
utils: {
randomSecretKey: () => Uint8Array;
/** @deprecated use `randomSecretKey` */
randomPrivateKey: () => Uint8Array;
};
GuBytes: Uint8Array;
lengths: CurveLengths;
keygen: (seed?: Uint8Array) => { secretKey: Uint8Array; publicKey: Uint8Array };
};
export type CurveFn = MontgomeryECDH;
function validateOpts(curve: CurveType) {
_validateObject(curve, {
adjustScalarBytes: 'function',
powPminus2: 'function',
});
return Object.freeze({ ...curve } as const);
}
export function montgomery(curveDef: CurveType): MontgomeryECDH {
const CURVE = validateOpts(curveDef);
const { P, type, adjustScalarBytes, powPminus2, randomBytes: rand } = CURVE;
const is25519 = type === 'x25519';
if (!is25519 && type !== 'x448') throw new Error('invalid type');
const randomBytes_ = rand || randomBytes;
const montgomeryBits = is25519 ? 255 : 448;
const fieldLen = is25519 ? 32 : 56;
const Gu = is25519 ? BigInt(9) : BigInt(5);
// RFC 7748 #5:
// The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519 and
// (156326 - 2) / 4 = 39081 for curve448/X448
// const a = is25519 ? 156326n : 486662n;
const a24 = is25519 ? BigInt(121665) : BigInt(39081);
// RFC: x25519 "the resulting integer is of the form 2^254 plus
// eight times a value between 0 and 2^251 - 1 (inclusive)"
// x448: "2^447 plus four times a value between 0 and 2^445 - 1 (inclusive)"
const minScalar = is25519 ? _2n ** BigInt(254) : _2n ** BigInt(447);
const maxAdded = is25519
? BigInt(8) * _2n ** BigInt(251) - _1n
: BigInt(4) * _2n ** BigInt(445) - _1n;
const maxScalar = minScalar + maxAdded + _1n; // (inclusive)
const modP = (n: bigint) => mod(n, P);
const GuBytes = encodeU(Gu);
function encodeU(u: bigint): Uint8Array {
return numberToBytesLE(modP(u), fieldLen);
}
function decodeU(u: Hex): bigint {
const _u = ensureBytes('u coordinate', u, fieldLen);
// RFC: When receiving such an array, implementations of X25519
// (but not X448) MUST mask the most significant bit in the final byte.
if (is25519) _u[31] &= 127; // 0b0111_1111
// RFC: Implementations MUST accept non-canonical values and process them as
// if they had been reduced modulo the field prime. The non-canonical
// values are 2^255 - 19 through 2^255 - 1 for X25519 and 2^448 - 2^224
// - 1 through 2^448 - 1 for X448.
return modP(bytesToNumberLE(_u));
}
function decodeScalar(scalar: Hex): bigint {
return bytesToNumberLE(adjustScalarBytes(ensureBytes('scalar', scalar, fieldLen)));
}
function scalarMult(scalar: Hex, u: Hex): Uint8Array {
const pu = montgomeryLadder(decodeU(u), decodeScalar(scalar));
// Some public keys are useless, of low-order. Curve author doesn't think
// it needs to be validated, but we do it nonetheless.
// https://cr.yp.to/ecdh.html#validate
if (pu === _0n) throw new Error('invalid private or public key received');
return encodeU(pu);
}
// Computes public key from private. By doing scalar multiplication of base point.
function scalarMultBase(scalar: Hex): Uint8Array {
return scalarMult(scalar, GuBytes);
}
// cswap from RFC7748 "example code"
function cswap(swap: bigint, x_2: bigint, x_3: bigint): { x_2: bigint; x_3: bigint } {
// dummy = mask(swap) AND (x_2 XOR x_3)
// Where mask(swap) is the all-1 or all-0 word of the same length as x_2
// and x_3, computed, e.g., as mask(swap) = 0 - swap.
const dummy = modP(swap * (x_2 - x_3));
x_2 = modP(x_2 - dummy); // x_2 = x_2 XOR dummy
x_3 = modP(x_3 + dummy); // x_3 = x_3 XOR dummy
return { x_2, x_3 };
}
/**
* Montgomery x-only multiplication ladder.
* @param pointU u coordinate (x) on Montgomery Curve 25519
* @param scalar by which the point would be multiplied
* @returns new Point on Montgomery curve
*/
function montgomeryLadder(u: bigint, scalar: bigint): bigint {
aInRange('u', u, _0n, P);
aInRange('scalar', scalar, minScalar, maxScalar);
const k = scalar;
const x_1 = u;
let x_2 = _1n;
let z_2 = _0n;
let x_3 = u;
let z_3 = _1n;
let swap = _0n;
for (let t = BigInt(montgomeryBits - 1); t >= _0n; t--) {
const k_t = (k >> t) & _1n;
swap ^= k_t;
({ x_2, x_3 } = cswap(swap, x_2, x_3));
({ x_2: z_2, x_3: z_3 } = cswap(swap, z_2, z_3));
swap = k_t;
const A = x_2 + z_2;
const AA = modP(A * A);
const B = x_2 - z_2;
const BB = modP(B * B);
const E = AA - BB;
const C = x_3 + z_3;
const D = x_3 - z_3;
const DA = modP(D * A);
const CB = modP(C * B);
const dacb = DA + CB;
const da_cb = DA - CB;
x_3 = modP(dacb * dacb);
z_3 = modP(x_1 * modP(da_cb * da_cb));
x_2 = modP(AA * BB);
z_2 = modP(E * (AA + modP(a24 * E)));
}
({ x_2, x_3 } = cswap(swap, x_2, x_3));
({ x_2: z_2, x_3: z_3 } = cswap(swap, z_2, z_3));
const z2 = powPminus2(z_2); // `Fp.pow(x, P - _2n)` is much slower equivalent
return modP(x_2 * z2); // Return x_2 * (z_2^(p - 2))
}
const lengths = {
secretKey: fieldLen,
publicKey: fieldLen,
seed: fieldLen,
};
const randomSecretKey = (seed = randomBytes_(fieldLen)) => {
abytes(seed, lengths.seed);
return seed;
};
function keygen(seed?: Uint8Array) {
const secretKey = randomSecretKey(seed);
return { secretKey, publicKey: scalarMultBase(secretKey) };
}
const utils = {
randomSecretKey,
randomPrivateKey: randomSecretKey,
};
return {
keygen,
getSharedSecret: (secretKey: Hex, publicKey: Hex) => scalarMult(secretKey, publicKey),
getPublicKey: (secretKey: Hex): Uint8Array => scalarMultBase(secretKey),
scalarMult,
scalarMultBase,
utils,
GuBytes: GuBytes.slice(),
lengths,
};
}

335
node_modules/@noble/curves/src/abstract/poseidon.ts generated vendored Normal file
View File

@@ -0,0 +1,335 @@
/**
* Implements [Poseidon](https://www.poseidon-hash.info) ZK-friendly hash.
*
* There are many poseidon variants with different constants.
* We don't provide them: you should construct them manually.
* Check out [micro-starknet](https://github.com/paulmillr/micro-starknet) package for a proper example.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { _validateObject, bitGet } from '../utils.ts';
import { FpInvertBatch, FpPow, type IField, validateField } from './modular.ts';
// Grain LFSR (Linear-Feedback Shift Register): https://eprint.iacr.org/2009/109.pdf
function grainLFSR(state: number[]): () => boolean {
let pos = 0;
if (state.length !== 80) throw new Error('grainLFRS: wrong state length, should be 80 bits');
const getBit = (): boolean => {
const r = (offset: number) => state[(pos + offset) % 80];
const bit = r(62) ^ r(51) ^ r(38) ^ r(23) ^ r(13) ^ r(0);
state[pos] = bit;
pos = ++pos % 80;
return !!bit;
};
for (let i = 0; i < 160; i++) getBit();
return () => {
// https://en.wikipedia.org/wiki/Shrinking_generator
while (true) {
const b1 = getBit();
const b2 = getBit();
if (!b1) continue;
return b2;
}
};
}
export type PoseidonBasicOpts = {
Fp: IField<bigint>;
t: number; // t = rate + capacity
roundsFull: number;
roundsPartial: number;
isSboxInverse?: boolean;
};
function assertValidPosOpts(opts: PoseidonBasicOpts) {
const { Fp, roundsFull } = opts;
validateField(Fp);
_validateObject(
opts,
{
t: 'number',
roundsFull: 'number',
roundsPartial: 'number',
},
{
isSboxInverse: 'boolean',
}
);
for (const i of ['t', 'roundsFull', 'roundsPartial'] as const) {
if (!Number.isSafeInteger(opts[i]) || opts[i] < 1) throw new Error('invalid number ' + i);
}
if (roundsFull & 1) throw new Error('roundsFull is not even' + roundsFull);
}
function poseidonGrain(opts: PoseidonBasicOpts) {
assertValidPosOpts(opts);
const { Fp } = opts;
const state = Array(80).fill(1);
let pos = 0;
const writeBits = (value: bigint, bitCount: number) => {
for (let i = bitCount - 1; i >= 0; i--) state[pos++] = Number(bitGet(value, i));
};
const _0n = BigInt(0);
const _1n = BigInt(1);
writeBits(_1n, 2); // prime field
writeBits(opts.isSboxInverse ? _1n : _0n, 4); // b2..b5
writeBits(BigInt(Fp.BITS), 12); // b6..b17
writeBits(BigInt(opts.t), 12); // b18..b29
writeBits(BigInt(opts.roundsFull), 10); // b30..b39
writeBits(BigInt(opts.roundsPartial), 10); // b40..b49
const getBit = grainLFSR(state);
return (count: number, reject: boolean): bigint[] => {
const res: bigint[] = [];
for (let i = 0; i < count; i++) {
while (true) {
let num = _0n;
for (let i = 0; i < Fp.BITS; i++) {
num <<= _1n;
if (getBit()) num |= _1n;
}
if (reject && num >= Fp.ORDER) continue; // rejection sampling
res.push(Fp.create(num));
break;
}
}
return res;
};
}
export type PoseidonGrainOpts = PoseidonBasicOpts & {
sboxPower?: number;
};
type PoseidonConstants = { mds: bigint[][]; roundConstants: bigint[][] };
// NOTE: this is not standard but used often for constant generation for poseidon
// (grain LFRS-like structure)
export function grainGenConstants(opts: PoseidonGrainOpts, skipMDS: number = 0): PoseidonConstants {
const { Fp, t, roundsFull, roundsPartial } = opts;
const rounds = roundsFull + roundsPartial;
const sample = poseidonGrain(opts);
const roundConstants: bigint[][] = [];
for (let r = 0; r < rounds; r++) roundConstants.push(sample(t, true));
if (skipMDS > 0) for (let i = 0; i < skipMDS; i++) sample(2 * t, false);
const xs = sample(t, false);
const ys = sample(t, false);
// Construct MDS Matrix M[i][j] = 1 / (xs[i] + ys[j])
const mds: bigint[][] = [];
for (let i = 0; i < t; i++) {
const row: bigint[] = [];
for (let j = 0; j < t; j++) {
const xy = Fp.add(xs[i], ys[j]);
if (Fp.is0(xy))
throw new Error(`Error generating MDS matrix: xs[${i}] + ys[${j}] resulted in zero.`);
row.push(xy);
}
mds.push(FpInvertBatch(Fp, row));
}
return { roundConstants, mds };
}
export type PoseidonOpts = PoseidonBasicOpts &
PoseidonConstants & {
sboxPower?: number;
reversePartialPowIdx?: boolean; // Hack for stark
};
export function validateOpts(opts: PoseidonOpts): Readonly<{
rounds: number;
sboxFn: (n: bigint) => bigint;
roundConstants: bigint[][];
mds: bigint[][];
Fp: IField<bigint>;
t: number;
roundsFull: number;
roundsPartial: number;
sboxPower?: number;
reversePartialPowIdx?: boolean; // Hack for stark
}> {
assertValidPosOpts(opts);
const { Fp, mds, reversePartialPowIdx: rev, roundConstants: rc } = opts;
const { roundsFull, roundsPartial, sboxPower, t } = opts;
// MDS is TxT matrix
if (!Array.isArray(mds) || mds.length !== t) throw new Error('Poseidon: invalid MDS matrix');
const _mds = mds.map((mdsRow) => {
if (!Array.isArray(mdsRow) || mdsRow.length !== t)
throw new Error('invalid MDS matrix row: ' + mdsRow);
return mdsRow.map((i) => {
if (typeof i !== 'bigint') throw new Error('invalid MDS matrix bigint: ' + i);
return Fp.create(i);
});
});
if (rev !== undefined && typeof rev !== 'boolean')
throw new Error('invalid param reversePartialPowIdx=' + rev);
if (roundsFull & 1) throw new Error('roundsFull is not even' + roundsFull);
const rounds = roundsFull + roundsPartial;
if (!Array.isArray(rc) || rc.length !== rounds)
throw new Error('Poseidon: invalid round constants');
const roundConstants = rc.map((rc) => {
if (!Array.isArray(rc) || rc.length !== t) throw new Error('invalid round constants');
return rc.map((i) => {
if (typeof i !== 'bigint' || !Fp.isValid(i)) throw new Error('invalid round constant');
return Fp.create(i);
});
});
if (!sboxPower || ![3, 5, 7, 17].includes(sboxPower)) throw new Error('invalid sboxPower');
const _sboxPower = BigInt(sboxPower);
let sboxFn = (n: bigint) => FpPow(Fp, n, _sboxPower);
// Unwrapped sbox power for common cases (195->142μs)
if (sboxPower === 3) sboxFn = (n: bigint) => Fp.mul(Fp.sqrN(n), n);
else if (sboxPower === 5) sboxFn = (n: bigint) => Fp.mul(Fp.sqrN(Fp.sqrN(n)), n);
return Object.freeze({ ...opts, rounds, sboxFn, roundConstants, mds: _mds });
}
export function splitConstants(rc: bigint[], t: number): bigint[][] {
if (typeof t !== 'number') throw new Error('poseidonSplitConstants: invalid t');
if (!Array.isArray(rc) || rc.length % t) throw new Error('poseidonSplitConstants: invalid rc');
const res = [];
let tmp = [];
for (let i = 0; i < rc.length; i++) {
tmp.push(rc[i]);
if (tmp.length === t) {
res.push(tmp);
tmp = [];
}
}
return res;
}
export type PoseidonFn = {
(values: bigint[]): bigint[];
// For verification in tests
roundConstants: bigint[][];
};
/** Poseidon NTT-friendly hash. */
export function poseidon(opts: PoseidonOpts): PoseidonFn {
const _opts = validateOpts(opts);
const { Fp, mds, roundConstants, rounds: totalRounds, roundsPartial, sboxFn, t } = _opts;
const halfRoundsFull = _opts.roundsFull / 2;
const partialIdx = _opts.reversePartialPowIdx ? t - 1 : 0;
const poseidonRound = (values: bigint[], isFull: boolean, idx: number) => {
values = values.map((i, j) => Fp.add(i, roundConstants[idx][j]));
if (isFull) values = values.map((i) => sboxFn(i));
else values[partialIdx] = sboxFn(values[partialIdx]);
// Matrix multiplication
values = mds.map((i) => i.reduce((acc, i, j) => Fp.add(acc, Fp.mulN(i, values[j])), Fp.ZERO));
return values;
};
const poseidonHash = function poseidonHash(values: bigint[]) {
if (!Array.isArray(values) || values.length !== t)
throw new Error('invalid values, expected array of bigints with length ' + t);
values = values.map((i) => {
if (typeof i !== 'bigint') throw new Error('invalid bigint=' + i);
return Fp.create(i);
});
let lastRound = 0;
// Apply r_f/2 full rounds.
for (let i = 0; i < halfRoundsFull; i++) values = poseidonRound(values, true, lastRound++);
// Apply r_p partial rounds.
for (let i = 0; i < roundsPartial; i++) values = poseidonRound(values, false, lastRound++);
// Apply r_f/2 full rounds.
for (let i = 0; i < halfRoundsFull; i++) values = poseidonRound(values, true, lastRound++);
if (lastRound !== totalRounds) throw new Error('invalid number of rounds');
return values;
};
// For verification in tests
poseidonHash.roundConstants = roundConstants;
return poseidonHash;
}
export class PoseidonSponge {
private Fp: IField<bigint>;
readonly rate: number;
readonly capacity: number;
readonly hash: PoseidonFn;
private state: bigint[]; // [...capacity, ...rate]
private pos = 0;
private isAbsorbing = true;
constructor(Fp: IField<bigint>, rate: number, capacity: number, hash: PoseidonFn) {
this.Fp = Fp;
this.hash = hash;
this.rate = rate;
this.capacity = capacity;
this.state = new Array(rate + capacity);
this.clean();
}
private process(): void {
this.state = this.hash(this.state);
}
absorb(input: bigint[]): void {
for (const i of input)
if (typeof i !== 'bigint' || !this.Fp.isValid(i)) throw new Error('invalid input: ' + i);
for (let i = 0; i < input.length; ) {
if (!this.isAbsorbing || this.pos === this.rate) {
this.process();
this.pos = 0;
this.isAbsorbing = true;
}
const chunk = Math.min(this.rate - this.pos, input.length - i);
for (let j = 0; j < chunk; j++) {
const idx = this.capacity + this.pos++;
this.state[idx] = this.Fp.add(this.state[idx], input[i++]);
}
}
}
squeeze(count: number): bigint[] {
const res: bigint[] = [];
while (res.length < count) {
if (this.isAbsorbing || this.pos === this.rate) {
this.process();
this.pos = 0;
this.isAbsorbing = false;
}
const chunk = Math.min(this.rate - this.pos, count - res.length);
for (let i = 0; i < chunk; i++) res.push(this.state[this.capacity + this.pos++]);
}
return res;
}
clean(): void {
this.state.fill(this.Fp.ZERO);
this.isAbsorbing = true;
this.pos = 0;
}
clone(): PoseidonSponge {
const c = new PoseidonSponge(this.Fp, this.rate, this.capacity, this.hash);
c.pos = this.pos;
c.state = [...this.state];
return c;
}
}
export type PoseidonSpongeOpts = Omit<PoseidonOpts, 't'> & {
rate: number;
capacity: number;
};
/**
* The method is not defined in spec, but nevertheless used often.
* Check carefully for compatibility: there are many edge cases, like absorbing an empty array.
* We cross-test against:
* - https://github.com/ProvableHQ/snarkVM/tree/staging/algorithms
* - https://github.com/arkworks-rs/crypto-primitives/tree/main
*/
export function poseidonSponge(opts: PoseidonSpongeOpts): () => PoseidonSponge {
for (const i of ['rate', 'capacity'] as const) {
if (typeof opts[i] !== 'number' || !Number.isSafeInteger(opts[i]))
throw new Error('invalid number ' + i);
}
const { rate, capacity } = opts;
const t = opts.rate + opts.capacity;
// Re-use hash instance between multiple instances
const hash = poseidon({ ...opts, t });
const { Fp } = opts;
return () => new PoseidonSponge(Fp, rate, capacity, hash);
}

867
node_modules/@noble/curves/src/abstract/tower.ts generated vendored Normal file
View File

@@ -0,0 +1,867 @@
/**
* Towered extension fields.
* Rather than implementing a massive 12th-degree extension directly, it is more efficient
* to build it up from smaller extensions: a tower of extensions.
*
* For BLS12-381, the Fp12 field is implemented as a quadratic (degree two) extension,
* on top of a cubic (degree three) extension, on top of a quadratic extension of Fp.
*
* For more info: "Pairings for beginners" by Costello, section 7.3.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { bitGet, bitLen, concatBytes, notImplemented } from '../utils.ts';
import * as mod from './modular.ts';
import type { WeierstrassPoint, WeierstrassPointCons } from './weierstrass.ts';
// Be friendly to bad ECMAScript parsers by not using bigint literals
// prettier-ignore
const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
// Fp₂ over complex plane
export type BigintTuple = [bigint, bigint];
export type Fp = bigint;
// Finite extension field over irreducible polynominal.
// Fp(u) / (u² - β) where β = -1
export type Fp2 = { c0: bigint; c1: bigint };
export type BigintSix = [bigint, bigint, bigint, bigint, bigint, bigint];
export type Fp6 = { c0: Fp2; c1: Fp2; c2: Fp2 };
export type Fp12 = { c0: Fp6; c1: Fp6 }; // Fp₁₂ = Fp₆² => Fp₂³, Fp₆(w) / (w² - γ) where γ = v
// prettier-ignore
export type BigintTwelve = [
bigint, bigint, bigint, bigint, bigint, bigint,
bigint, bigint, bigint, bigint, bigint, bigint
];
export type Fp2Bls = mod.IField<Fp2> & {
Fp: mod.IField<Fp>;
frobeniusMap(num: Fp2, power: number): Fp2;
fromBigTuple(num: BigintTuple): Fp2;
mulByB: (num: Fp2) => Fp2;
mulByNonresidue: (num: Fp2) => Fp2;
reim: (num: Fp2) => { re: Fp; im: Fp };
Fp4Square: (a: Fp2, b: Fp2) => { first: Fp2; second: Fp2 };
NONRESIDUE: Fp2;
};
export type Fp6Bls = mod.IField<Fp6> & {
Fp2: Fp2Bls;
frobeniusMap(num: Fp6, power: number): Fp6;
fromBigSix: (tuple: BigintSix) => Fp6;
mul1(num: Fp6, b1: Fp2): Fp6;
mul01(num: Fp6, b0: Fp2, b1: Fp2): Fp6;
mulByFp2(lhs: Fp6, rhs: Fp2): Fp6;
mulByNonresidue: (num: Fp6) => Fp6;
};
export type Fp12Bls = mod.IField<Fp12> & {
Fp6: Fp6Bls;
frobeniusMap(num: Fp12, power: number): Fp12;
fromBigTwelve: (t: BigintTwelve) => Fp12;
mul014(num: Fp12, o0: Fp2, o1: Fp2, o4: Fp2): Fp12;
mul034(num: Fp12, o0: Fp2, o3: Fp2, o4: Fp2): Fp12;
mulByFp2(lhs: Fp12, rhs: Fp2): Fp12;
conjugate(num: Fp12): Fp12;
finalExponentiate(num: Fp12): Fp12;
_cyclotomicSquare(num: Fp12): Fp12;
_cyclotomicExp(num: Fp12, n: bigint): Fp12;
};
function calcFrobeniusCoefficients<T>(
Fp: mod.IField<T>,
nonResidue: T,
modulus: bigint,
degree: number,
num: number = 1,
divisor?: number
) {
const _divisor = BigInt(divisor === undefined ? degree : divisor);
const towerModulus: any = modulus ** BigInt(degree);
const res: T[][] = [];
for (let i = 0; i < num; i++) {
const a = BigInt(i + 1);
const powers: T[] = [];
for (let j = 0, qPower = _1n; j < degree; j++) {
const power = ((a * qPower - a) / _divisor) % towerModulus;
powers.push(Fp.pow(nonResidue, power));
qPower *= modulus;
}
res.push(powers);
}
return res;
}
// This works same at least for bls12-381, bn254 and bls12-377
export function psiFrobenius(
Fp: mod.IField<Fp>,
Fp2: Fp2Bls,
base: Fp2
): {
psi: (x: Fp2, y: Fp2) => [Fp2, Fp2];
psi2: (x: Fp2, y: Fp2) => [Fp2, Fp2];
G2psi: (c: WeierstrassPointCons<Fp2>, P: WeierstrassPoint<Fp2>) => WeierstrassPoint<Fp2>;
G2psi2: (c: WeierstrassPointCons<Fp2>, P: WeierstrassPoint<Fp2>) => WeierstrassPoint<Fp2>;
PSI_X: Fp2;
PSI_Y: Fp2;
PSI2_X: Fp2;
PSI2_Y: Fp2;
} {
// GLV endomorphism Ψ(P)
const PSI_X = Fp2.pow(base, (Fp.ORDER - _1n) / _3n); // u^((p-1)/3)
const PSI_Y = Fp2.pow(base, (Fp.ORDER - _1n) / _2n); // u^((p-1)/2)
function psi(x: Fp2, y: Fp2): [Fp2, Fp2] {
// This x10 faster than previous version in bls12-381
const x2 = Fp2.mul(Fp2.frobeniusMap(x, 1), PSI_X);
const y2 = Fp2.mul(Fp2.frobeniusMap(y, 1), PSI_Y);
return [x2, y2];
}
// Ψ²(P) endomorphism (psi2(x) = psi(psi(x)))
const PSI2_X = Fp2.pow(base, (Fp.ORDER ** _2n - _1n) / _3n); // u^((p^2 - 1)/3)
// This equals -1, which causes y to be Fp2.neg(y).
// But not sure if there are case when this is not true?
const PSI2_Y = Fp2.pow(base, (Fp.ORDER ** _2n - _1n) / _2n); // u^((p^2 - 1)/3)
if (!Fp2.eql(PSI2_Y, Fp2.neg(Fp2.ONE))) throw new Error('psiFrobenius: PSI2_Y!==-1');
function psi2(x: Fp2, y: Fp2): [Fp2, Fp2] {
return [Fp2.mul(x, PSI2_X), Fp2.neg(y)];
}
// Map points
const mapAffine =
<T>(fn: (x: T, y: T) => [T, T]) =>
(c: WeierstrassPointCons<T>, P: WeierstrassPoint<T>) => {
const affine = P.toAffine();
const p = fn(affine.x, affine.y);
return c.fromAffine({ x: p[0], y: p[1] });
};
const G2psi = mapAffine(psi);
const G2psi2 = mapAffine(psi2);
return { psi, psi2, G2psi, G2psi2, PSI_X, PSI_Y, PSI2_X, PSI2_Y };
}
export type Tower12Opts = {
ORDER: bigint;
X_LEN: number;
NONRESIDUE?: Fp;
FP2_NONRESIDUE: BigintTuple;
Fp2sqrt?: (num: Fp2) => Fp2;
Fp2mulByB: (num: Fp2) => Fp2;
Fp12finalExponentiate: (num: Fp12) => Fp12;
};
const Fp2fromBigTuple = (Fp: mod.IField<bigint>, tuple: BigintTuple | bigint[]) => {
if (tuple.length !== 2) throw new Error('invalid tuple');
const fps = tuple.map((n) => Fp.create(n)) as BigintTuple;
return { c0: fps[0], c1: fps[1] };
};
class _Field2 implements mod.IField<Fp2> {
readonly ORDER: bigint;
readonly BITS: number;
readonly BYTES: number;
readonly isLE: boolean;
readonly MASK = _1n;
readonly ZERO: Fp2;
readonly ONE: Fp2;
readonly Fp: mod.IField<bigint>;
readonly NONRESIDUE: Fp2;
readonly mulByB: Tower12Opts['Fp2mulByB'];
readonly Fp_NONRESIDUE: bigint;
readonly Fp_div2: bigint;
readonly FROBENIUS_COEFFICIENTS: Fp[];
constructor(
Fp: mod.IField<bigint>,
opts: Partial<{
NONRESIDUE: bigint;
FP2_NONRESIDUE: BigintTuple;
Fp2mulByB: Tower12Opts['Fp2mulByB'];
}> = {}
) {
const ORDER = Fp.ORDER;
const FP2_ORDER = ORDER * ORDER;
this.Fp = Fp;
this.ORDER = FP2_ORDER;
this.BITS = bitLen(FP2_ORDER);
this.BYTES = Math.ceil(bitLen(FP2_ORDER) / 8);
this.isLE = Fp.isLE;
this.ZERO = { c0: Fp.ZERO, c1: Fp.ZERO };
this.ONE = { c0: Fp.ONE, c1: Fp.ZERO };
this.Fp_NONRESIDUE = Fp.create(opts.NONRESIDUE || BigInt(-1));
this.Fp_div2 = Fp.div(Fp.ONE, _2n); // 1/2
this.NONRESIDUE = Fp2fromBigTuple(Fp, opts.FP2_NONRESIDUE!);
// const Fp2Nonresidue = Fp2fromBigTuple(opts.FP2_NONRESIDUE);
this.FROBENIUS_COEFFICIENTS = calcFrobeniusCoefficients(Fp, this.Fp_NONRESIDUE, Fp.ORDER, 2)[0];
this.mulByB = opts.Fp2mulByB!;
Object.seal(this);
}
fromBigTuple(tuple: BigintTuple) {
return Fp2fromBigTuple(this.Fp, tuple);
}
create(num: Fp2) {
return num;
}
isValid({ c0, c1 }: Fp2) {
function isValidC(num: bigint, ORDER: bigint) {
return typeof num === 'bigint' && _0n <= num && num < ORDER;
}
return isValidC(c0, this.ORDER) && isValidC(c1, this.ORDER);
}
is0({ c0, c1 }: Fp2) {
return this.Fp.is0(c0) && this.Fp.is0(c1);
}
isValidNot0(num: Fp2) {
return !this.is0(num) && this.isValid(num);
}
eql({ c0, c1 }: Fp2, { c0: r0, c1: r1 }: Fp2) {
return this.Fp.eql(c0, r0) && this.Fp.eql(c1, r1);
}
neg({ c0, c1 }: Fp2) {
return { c0: this.Fp.neg(c0), c1: this.Fp.neg(c1) };
}
pow(num: Fp2, power: bigint): Fp2 {
return mod.FpPow(this, num, power);
}
invertBatch(nums: Fp2[]): Fp2[] {
return mod.FpInvertBatch(this, nums);
}
// Normalized
add(f1: Fp2, f2: Fp2): Fp2 {
const { c0, c1 } = f1;
const { c0: r0, c1: r1 } = f2;
return {
c0: this.Fp.add(c0, r0),
c1: this.Fp.add(c1, r1),
};
}
sub({ c0, c1 }: Fp2, { c0: r0, c1: r1 }: Fp2) {
return {
c0: this.Fp.sub(c0, r0),
c1: this.Fp.sub(c1, r1),
};
}
mul({ c0, c1 }: Fp2, rhs: Fp2) {
const { Fp } = this;
if (typeof rhs === 'bigint') return { c0: Fp.mul(c0, rhs), c1: Fp.mul(c1, rhs) };
// (a+bi)(c+di) = (acbd) + (ad+bc)i
const { c0: r0, c1: r1 } = rhs;
let t1 = Fp.mul(c0, r0); // c0 * o0
let t2 = Fp.mul(c1, r1); // c1 * o1
// (T1 - T2) + ((c0 + c1) * (r0 + r1) - (T1 + T2))*i
const o0 = Fp.sub(t1, t2);
const o1 = Fp.sub(Fp.mul(Fp.add(c0, c1), Fp.add(r0, r1)), Fp.add(t1, t2));
return { c0: o0, c1: o1 };
}
sqr({ c0, c1 }: Fp2) {
const { Fp } = this;
const a = Fp.add(c0, c1);
const b = Fp.sub(c0, c1);
const c = Fp.add(c0, c0);
return { c0: Fp.mul(a, b), c1: Fp.mul(c, c1) };
}
// NonNormalized stuff
addN(a: Fp2, b: Fp2): Fp2 {
return this.add(a, b);
}
subN(a: Fp2, b: Fp2): Fp2 {
return this.sub(a, b);
}
mulN(a: Fp2, b: Fp2): Fp2 {
return this.mul(a, b);
}
sqrN(a: Fp2): Fp2 {
return this.sqr(a);
}
// Why inversion for bigint inside Fp instead of Fp2? it is even used in that context?
div(lhs: Fp2, rhs: Fp2): Fp2 {
const { Fp } = this;
// @ts-ignore
return this.mul(lhs, typeof rhs === 'bigint' ? Fp.inv(Fp.create(rhs)) : this.inv(rhs));
}
inv({ c0: a, c1: b }: Fp2): Fp2 {
// We wish to find the multiplicative inverse of a nonzero
// element a + bu in Fp2. We leverage an identity
//
// (a + bu)(a - bu) = a² + b²
//
// which holds because u² = -1. This can be rewritten as
//
// (a + bu)(a - bu)/(a² + b²) = 1
//
// because a² + b² = 0 has no nonzero solutions for (a, b).
// This gives that (a - bu)/(a² + b²) is the inverse
// of (a + bu). Importantly, this can be computing using
// only a single inversion in Fp.
const { Fp } = this;
const factor = Fp.inv(Fp.create(a * a + b * b));
return { c0: Fp.mul(factor, Fp.create(a)), c1: Fp.mul(factor, Fp.create(-b)) };
}
sqrt(num: Fp2) {
// This is generic for all quadratic extensions (Fp2)
const { Fp } = this;
const Fp2 = this;
const { c0, c1 } = num;
if (Fp.is0(c1)) {
// if c0 is quadratic residue
if (mod.FpLegendre(Fp, c0) === 1) return Fp2.create({ c0: Fp.sqrt(c0), c1: Fp.ZERO });
else return Fp2.create({ c0: Fp.ZERO, c1: Fp.sqrt(Fp.div(c0, this.Fp_NONRESIDUE)) });
}
const a = Fp.sqrt(Fp.sub(Fp.sqr(c0), Fp.mul(Fp.sqr(c1), this.Fp_NONRESIDUE)));
let d = Fp.mul(Fp.add(a, c0), this.Fp_div2);
const legendre = mod.FpLegendre(Fp, d);
// -1, Quadratic non residue
if (legendre === -1) d = Fp.sub(d, a);
const a0 = Fp.sqrt(d);
const candidateSqrt = Fp2.create({ c0: a0, c1: Fp.div(Fp.mul(c1, this.Fp_div2), a0) });
if (!Fp2.eql(Fp2.sqr(candidateSqrt), num)) throw new Error('Cannot find square root');
// Normalize root: at this point candidateSqrt ** 2 = num, but also -candidateSqrt ** 2 = num
const x1 = candidateSqrt;
const x2 = Fp2.neg(x1);
const { re: re1, im: im1 } = Fp2.reim(x1);
const { re: re2, im: im2 } = Fp2.reim(x2);
if (im1 > im2 || (im1 === im2 && re1 > re2)) return x1;
return x2;
}
// Same as sgn0_m_eq_2 in RFC 9380
isOdd(x: Fp2) {
const { re: x0, im: x1 } = this.reim(x);
const sign_0 = x0 % _2n;
const zero_0 = x0 === _0n;
const sign_1 = x1 % _2n;
return BigInt(sign_0 || (zero_0 && sign_1)) == _1n;
}
// Bytes util
fromBytes(b: Uint8Array): Fp2 {
const { Fp } = this;
if (b.length !== this.BYTES) throw new Error('fromBytes invalid length=' + b.length);
return { c0: Fp.fromBytes(b.subarray(0, Fp.BYTES)), c1: Fp.fromBytes(b.subarray(Fp.BYTES)) };
}
toBytes({ c0, c1 }: Fp2) {
return concatBytes(this.Fp.toBytes(c0), this.Fp.toBytes(c1));
}
cmov({ c0, c1 }: Fp2, { c0: r0, c1: r1 }: Fp2, c: boolean) {
return {
c0: this.Fp.cmov(c0, r0, c),
c1: this.Fp.cmov(c1, r1, c),
};
}
reim({ c0, c1 }: Fp2) {
return { re: c0, im: c1 };
}
Fp4Square(a: Fp2, b: Fp2): { first: Fp2; second: Fp2 } {
const Fp2 = this;
const a2 = Fp2.sqr(a);
const b2 = Fp2.sqr(b);
return {
first: Fp2.add(Fp2.mulByNonresidue(b2), a2), // b² * Nonresidue + a²
second: Fp2.sub(Fp2.sub(Fp2.sqr(Fp2.add(a, b)), a2), b2), // (a + b)² - a² - b²
};
}
// multiply by u + 1
mulByNonresidue({ c0, c1 }: Fp2) {
return this.mul({ c0, c1 }, this.NONRESIDUE);
}
frobeniusMap({ c0, c1 }: Fp2, power: number): Fp2 {
return {
c0,
c1: this.Fp.mul(c1, this.FROBENIUS_COEFFICIENTS[power % 2]),
};
}
}
class _Field6 implements Fp6Bls {
readonly ORDER: bigint;
readonly BITS: number;
readonly BYTES: number;
readonly isLE: boolean;
readonly MASK = _1n;
readonly ZERO: Fp6;
readonly ONE: Fp6;
readonly Fp2: Fp2Bls;
readonly FROBENIUS_COEFFICIENTS_1: Fp2[];
readonly FROBENIUS_COEFFICIENTS_2: Fp2[];
constructor(Fp2: Fp2Bls) {
this.Fp2 = Fp2;
this.ORDER = Fp2.ORDER; // TODO: unused, but need to verify
this.BITS = 3 * Fp2.BITS;
this.BYTES = 3 * Fp2.BYTES;
this.isLE = Fp2.isLE;
this.ZERO = { c0: Fp2.ZERO, c1: Fp2.ZERO, c2: Fp2.ZERO };
this.ONE = { c0: Fp2.ONE, c1: Fp2.ZERO, c2: Fp2.ZERO };
const { Fp } = Fp2;
const frob = calcFrobeniusCoefficients(Fp2, Fp2.NONRESIDUE, Fp.ORDER, 6, 2, 3);
this.FROBENIUS_COEFFICIENTS_1 = frob[0];
this.FROBENIUS_COEFFICIENTS_2 = frob[1];
Object.seal(this);
}
add({ c0, c1, c2 }: Fp6, { c0: r0, c1: r1, c2: r2 }: Fp6) {
const { Fp2 } = this;
return {
c0: Fp2.add(c0, r0),
c1: Fp2.add(c1, r1),
c2: Fp2.add(c2, r2),
};
}
sub({ c0, c1, c2 }: Fp6, { c0: r0, c1: r1, c2: r2 }: Fp6) {
const { Fp2 } = this;
return {
c0: Fp2.sub(c0, r0),
c1: Fp2.sub(c1, r1),
c2: Fp2.sub(c2, r2),
};
}
mul({ c0, c1, c2 }: Fp6, rhs: Fp6 | bigint) {
const { Fp2 } = this;
if (typeof rhs === 'bigint') {
return {
c0: Fp2.mul(c0, rhs),
c1: Fp2.mul(c1, rhs),
c2: Fp2.mul(c2, rhs),
};
}
const { c0: r0, c1: r1, c2: r2 } = rhs;
const t0 = Fp2.mul(c0, r0); // c0 * o0
const t1 = Fp2.mul(c1, r1); // c1 * o1
const t2 = Fp2.mul(c2, r2); // c2 * o2
return {
// t0 + (c1 + c2) * (r1 * r2) - (T1 + T2) * (u + 1)
c0: Fp2.add(
t0,
Fp2.mulByNonresidue(Fp2.sub(Fp2.mul(Fp2.add(c1, c2), Fp2.add(r1, r2)), Fp2.add(t1, t2)))
),
// (c0 + c1) * (r0 + r1) - (T0 + T1) + T2 * (u + 1)
c1: Fp2.add(
Fp2.sub(Fp2.mul(Fp2.add(c0, c1), Fp2.add(r0, r1)), Fp2.add(t0, t1)),
Fp2.mulByNonresidue(t2)
),
// T1 + (c0 + c2) * (r0 + r2) - T0 + T2
c2: Fp2.sub(Fp2.add(t1, Fp2.mul(Fp2.add(c0, c2), Fp2.add(r0, r2))), Fp2.add(t0, t2)),
};
}
sqr({ c0, c1, c2 }: Fp6) {
const { Fp2 } = this;
let t0 = Fp2.sqr(c0); // c0²
let t1 = Fp2.mul(Fp2.mul(c0, c1), _2n); // 2 * c0 * c1
let t3 = Fp2.mul(Fp2.mul(c1, c2), _2n); // 2 * c1 * c2
let t4 = Fp2.sqr(c2); // c2²
return {
c0: Fp2.add(Fp2.mulByNonresidue(t3), t0), // T3 * (u + 1) + T0
c1: Fp2.add(Fp2.mulByNonresidue(t4), t1), // T4 * (u + 1) + T1
// T1 + (c0 - c1 + c2)² + T3 - T0 - T4
c2: Fp2.sub(Fp2.sub(Fp2.add(Fp2.add(t1, Fp2.sqr(Fp2.add(Fp2.sub(c0, c1), c2))), t3), t0), t4),
};
}
addN(a: Fp6, b: Fp6): Fp6 {
return this.add(a, b);
}
subN(a: Fp6, b: Fp6): Fp6 {
return this.sub(a, b);
}
mulN(a: Fp6, b: Fp6): Fp6 {
return this.mul(a, b);
}
sqrN(a: Fp6): Fp6 {
return this.sqr(a);
}
create(num: Fp6) {
return num;
}
isValid({ c0, c1, c2 }: Fp6) {
const { Fp2 } = this;
return Fp2.isValid(c0) && Fp2.isValid(c1) && Fp2.isValid(c2);
}
is0({ c0, c1, c2 }: Fp6) {
const { Fp2 } = this;
return Fp2.is0(c0) && Fp2.is0(c1) && Fp2.is0(c2);
}
isValidNot0(num: Fp6) {
return !this.is0(num) && this.isValid(num);
}
neg({ c0, c1, c2 }: Fp6) {
const { Fp2 } = this;
return { c0: Fp2.neg(c0), c1: Fp2.neg(c1), c2: Fp2.neg(c2) };
}
eql({ c0, c1, c2 }: Fp6, { c0: r0, c1: r1, c2: r2 }: Fp6) {
const { Fp2 } = this;
return Fp2.eql(c0, r0) && Fp2.eql(c1, r1) && Fp2.eql(c2, r2);
}
sqrt(_: Fp6) {
return notImplemented();
}
// Do we need division by bigint at all? Should be done via order:
div(lhs: Fp6, rhs: Fp6) {
const { Fp2 } = this;
const { Fp } = Fp2;
return this.mul(lhs, typeof rhs === 'bigint' ? Fp.inv(Fp.create(rhs)) : this.inv(rhs));
}
pow(num: Fp6, power: Fp): Fp6 {
return mod.FpPow(this, num, power);
}
invertBatch(nums: Fp6[]): Fp6[] {
return mod.FpInvertBatch(this, nums);
}
inv({ c0, c1, c2 }: Fp6) {
const { Fp2 } = this;
let t0 = Fp2.sub(Fp2.sqr(c0), Fp2.mulByNonresidue(Fp2.mul(c2, c1))); // c0² - c2 * c1 * (u + 1)
let t1 = Fp2.sub(Fp2.mulByNonresidue(Fp2.sqr(c2)), Fp2.mul(c0, c1)); // c2² * (u + 1) - c0 * c1
let t2 = Fp2.sub(Fp2.sqr(c1), Fp2.mul(c0, c2)); // c1² - c0 * c2
// 1/(((c2 * T1 + c1 * T2) * v) + c0 * T0)
let t4 = Fp2.inv(
Fp2.add(Fp2.mulByNonresidue(Fp2.add(Fp2.mul(c2, t1), Fp2.mul(c1, t2))), Fp2.mul(c0, t0))
);
return { c0: Fp2.mul(t4, t0), c1: Fp2.mul(t4, t1), c2: Fp2.mul(t4, t2) };
}
// Bytes utils
fromBytes(b: Uint8Array): Fp6 {
const { Fp2 } = this;
if (b.length !== this.BYTES) throw new Error('fromBytes invalid length=' + b.length);
const B2 = Fp2.BYTES;
return {
c0: Fp2.fromBytes(b.subarray(0, B2)),
c1: Fp2.fromBytes(b.subarray(B2, B2 * 2)),
c2: Fp2.fromBytes(b.subarray(2 * B2)),
};
}
toBytes({ c0, c1, c2 }: Fp6): Uint8Array {
const { Fp2 } = this;
return concatBytes(Fp2.toBytes(c0), Fp2.toBytes(c1), Fp2.toBytes(c2));
}
cmov({ c0, c1, c2 }: Fp6, { c0: r0, c1: r1, c2: r2 }: Fp6, c: boolean) {
const { Fp2 } = this;
return {
c0: Fp2.cmov(c0, r0, c),
c1: Fp2.cmov(c1, r1, c),
c2: Fp2.cmov(c2, r2, c),
};
}
fromBigSix(t: BigintSix): Fp6 {
const { Fp2 } = this;
if (!Array.isArray(t) || t.length !== 6) throw new Error('invalid Fp6 usage');
return {
c0: Fp2.fromBigTuple(t.slice(0, 2) as BigintTuple),
c1: Fp2.fromBigTuple(t.slice(2, 4) as BigintTuple),
c2: Fp2.fromBigTuple(t.slice(4, 6) as BigintTuple),
};
}
frobeniusMap({ c0, c1, c2 }: Fp6, power: number) {
const { Fp2 } = this;
return {
c0: Fp2.frobeniusMap(c0, power),
c1: Fp2.mul(Fp2.frobeniusMap(c1, power), this.FROBENIUS_COEFFICIENTS_1[power % 6]),
c2: Fp2.mul(Fp2.frobeniusMap(c2, power), this.FROBENIUS_COEFFICIENTS_2[power % 6]),
};
}
mulByFp2({ c0, c1, c2 }: Fp6, rhs: Fp2): Fp6 {
const { Fp2 } = this;
return {
c0: Fp2.mul(c0, rhs),
c1: Fp2.mul(c1, rhs),
c2: Fp2.mul(c2, rhs),
};
}
mulByNonresidue({ c0, c1, c2 }: Fp6) {
const { Fp2 } = this;
return { c0: Fp2.mulByNonresidue(c2), c1: c0, c2: c1 };
}
// Sparse multiplication
mul1({ c0, c1, c2 }: Fp6, b1: Fp2): Fp6 {
const { Fp2 } = this;
return {
c0: Fp2.mulByNonresidue(Fp2.mul(c2, b1)),
c1: Fp2.mul(c0, b1),
c2: Fp2.mul(c1, b1),
};
}
// Sparse multiplication
mul01({ c0, c1, c2 }: Fp6, b0: Fp2, b1: Fp2): Fp6 {
const { Fp2 } = this;
let t0 = Fp2.mul(c0, b0); // c0 * b0
let t1 = Fp2.mul(c1, b1); // c1 * b1
return {
// ((c1 + c2) * b1 - T1) * (u + 1) + T0
c0: Fp2.add(Fp2.mulByNonresidue(Fp2.sub(Fp2.mul(Fp2.add(c1, c2), b1), t1)), t0),
// (b0 + b1) * (c0 + c1) - T0 - T1
c1: Fp2.sub(Fp2.sub(Fp2.mul(Fp2.add(b0, b1), Fp2.add(c0, c1)), t0), t1),
// (c0 + c2) * b0 - T0 + T1
c2: Fp2.add(Fp2.sub(Fp2.mul(Fp2.add(c0, c2), b0), t0), t1),
};
}
}
class _Field12 implements Fp12Bls {
readonly ORDER: bigint;
readonly BITS: number;
readonly BYTES: number;
readonly isLE: boolean;
readonly MASK = _1n;
readonly ZERO: Fp12;
readonly ONE: Fp12;
readonly Fp6: Fp6Bls;
readonly FROBENIUS_COEFFICIENTS: Fp2[];
readonly X_LEN: number;
readonly finalExponentiate: Tower12Opts['Fp12finalExponentiate'];
constructor(Fp6: Fp6Bls, opts: Tower12Opts) {
const { Fp2 } = Fp6;
const { Fp } = Fp2;
this.Fp6 = Fp6;
this.ORDER = Fp2.ORDER; // TODO: verify if it's unuesd
this.BITS = 2 * Fp6.BITS;
this.BYTES = 2 * Fp6.BYTES;
this.isLE = Fp6.isLE;
this.ZERO = { c0: Fp6.ZERO, c1: Fp6.ZERO };
this.ONE = { c0: Fp6.ONE, c1: Fp6.ZERO };
this.FROBENIUS_COEFFICIENTS = calcFrobeniusCoefficients(
Fp2,
Fp2.NONRESIDUE,
Fp.ORDER,
12,
1,
6
)[0];
this.X_LEN = opts.X_LEN;
this.finalExponentiate = opts.Fp12finalExponentiate;
}
create(num: Fp12) {
return num;
}
isValid({ c0, c1 }: Fp12) {
const { Fp6 } = this;
return Fp6.isValid(c0) && Fp6.isValid(c1);
}
is0({ c0, c1 }: Fp12) {
const { Fp6 } = this;
return Fp6.is0(c0) && Fp6.is0(c1);
}
isValidNot0(num: Fp12) {
return !this.is0(num) && this.isValid(num);
}
neg({ c0, c1 }: Fp12) {
const { Fp6 } = this;
return { c0: Fp6.neg(c0), c1: Fp6.neg(c1) };
}
eql({ c0, c1 }: Fp12, { c0: r0, c1: r1 }: Fp12) {
const { Fp6 } = this;
return Fp6.eql(c0, r0) && Fp6.eql(c1, r1);
}
sqrt(_: any): any {
notImplemented();
}
inv({ c0, c1 }: Fp12) {
const { Fp6 } = this;
let t = Fp6.inv(Fp6.sub(Fp6.sqr(c0), Fp6.mulByNonresidue(Fp6.sqr(c1)))); // 1 / (c0² - c1² * v)
return { c0: Fp6.mul(c0, t), c1: Fp6.neg(Fp6.mul(c1, t)) }; // ((C0 * T) * T) + (-C1 * T) * w
}
div(lhs: Fp12, rhs: Fp12) {
const { Fp6 } = this;
const { Fp2 } = Fp6;
const { Fp } = Fp2;
return this.mul(lhs, typeof rhs === 'bigint' ? Fp.inv(Fp.create(rhs)) : this.inv(rhs));
}
pow(num: Fp12, power: bigint): Fp12 {
return mod.FpPow(this, num, power);
}
invertBatch(nums: Fp12[]): Fp12[] {
return mod.FpInvertBatch(this, nums);
}
// Normalized
add({ c0, c1 }: Fp12, { c0: r0, c1: r1 }: Fp12) {
const { Fp6 } = this;
return {
c0: Fp6.add(c0, r0),
c1: Fp6.add(c1, r1),
};
}
sub({ c0, c1 }: Fp12, { c0: r0, c1: r1 }: Fp12) {
const { Fp6 } = this;
return {
c0: Fp6.sub(c0, r0),
c1: Fp6.sub(c1, r1),
};
}
mul({ c0, c1 }: Fp12, rhs: Fp12 | bigint) {
const { Fp6 } = this;
if (typeof rhs === 'bigint') return { c0: Fp6.mul(c0, rhs), c1: Fp6.mul(c1, rhs) };
let { c0: r0, c1: r1 } = rhs;
let t1 = Fp6.mul(c0, r0); // c0 * r0
let t2 = Fp6.mul(c1, r1); // c1 * r1
return {
c0: Fp6.add(t1, Fp6.mulByNonresidue(t2)), // T1 + T2 * v
// (c0 + c1) * (r0 + r1) - (T1 + T2)
c1: Fp6.sub(Fp6.mul(Fp6.add(c0, c1), Fp6.add(r0, r1)), Fp6.add(t1, t2)),
};
}
sqr({ c0, c1 }: Fp12) {
const { Fp6 } = this;
let ab = Fp6.mul(c0, c1); // c0 * c1
return {
// (c1 * v + c0) * (c0 + c1) - AB - AB * v
c0: Fp6.sub(
Fp6.sub(Fp6.mul(Fp6.add(Fp6.mulByNonresidue(c1), c0), Fp6.add(c0, c1)), ab),
Fp6.mulByNonresidue(ab)
),
c1: Fp6.add(ab, ab),
}; // AB + AB
}
// NonNormalized stuff
addN(a: Fp12, b: Fp12): Fp12 {
return this.add(a, b);
}
subN(a: Fp12, b: Fp12): Fp12 {
return this.sub(a, b);
}
mulN(a: Fp12, b: Fp12): Fp12 {
return this.mul(a, b);
}
sqrN(a: Fp12): Fp12 {
return this.sqr(a);
}
// Bytes utils
fromBytes(b: Uint8Array): Fp12 {
const { Fp6 } = this;
if (b.length !== this.BYTES) throw new Error('fromBytes invalid length=' + b.length);
return {
c0: Fp6.fromBytes(b.subarray(0, Fp6.BYTES)),
c1: Fp6.fromBytes(b.subarray(Fp6.BYTES)),
};
}
toBytes({ c0, c1 }: Fp12): Uint8Array {
const { Fp6 } = this;
return concatBytes(Fp6.toBytes(c0), Fp6.toBytes(c1));
}
cmov({ c0, c1 }: Fp12, { c0: r0, c1: r1 }: Fp12, c: boolean) {
const { Fp6 } = this;
return {
c0: Fp6.cmov(c0, r0, c),
c1: Fp6.cmov(c1, r1, c),
};
}
// Utils
// toString() {
// return '' + 'Fp12(' + this.c0 + this.c1 + '* w');
// },
// fromTuple(c: [Fp6, Fp6]) {
// return new Fp12(...c);
// }
fromBigTwelve(t: BigintTwelve): Fp12 {
const { Fp6 } = this;
return {
c0: Fp6.fromBigSix(t.slice(0, 6) as BigintSix),
c1: Fp6.fromBigSix(t.slice(6, 12) as BigintSix),
};
}
// Raises to q**i -th power
frobeniusMap(lhs: Fp12, power: number) {
const { Fp6 } = this;
const { Fp2 } = Fp6;
const { c0, c1, c2 } = Fp6.frobeniusMap(lhs.c1, power);
const coeff = this.FROBENIUS_COEFFICIENTS[power % 12];
return {
c0: Fp6.frobeniusMap(lhs.c0, power),
c1: Fp6.create({
c0: Fp2.mul(c0, coeff),
c1: Fp2.mul(c1, coeff),
c2: Fp2.mul(c2, coeff),
}),
};
}
mulByFp2({ c0, c1 }: Fp12, rhs: Fp2): Fp12 {
const { Fp6 } = this;
return {
c0: Fp6.mulByFp2(c0, rhs),
c1: Fp6.mulByFp2(c1, rhs),
};
}
conjugate({ c0, c1 }: Fp12): Fp12 {
return { c0, c1: this.Fp6.neg(c1) };
}
// Sparse multiplication
mul014({ c0, c1 }: Fp12, o0: Fp2, o1: Fp2, o4: Fp2) {
const { Fp6 } = this;
const { Fp2 } = Fp6;
let t0 = Fp6.mul01(c0, o0, o1);
let t1 = Fp6.mul1(c1, o4);
return {
c0: Fp6.add(Fp6.mulByNonresidue(t1), t0), // T1 * v + T0
// (c1 + c0) * [o0, o1+o4] - T0 - T1
c1: Fp6.sub(Fp6.sub(Fp6.mul01(Fp6.add(c1, c0), o0, Fp2.add(o1, o4)), t0), t1),
};
}
mul034({ c0, c1 }: Fp12, o0: Fp2, o3: Fp2, o4: Fp2) {
const { Fp6 } = this;
const { Fp2 } = Fp6;
const a = Fp6.create({
c0: Fp2.mul(c0.c0, o0),
c1: Fp2.mul(c0.c1, o0),
c2: Fp2.mul(c0.c2, o0),
});
const b = Fp6.mul01(c1, o3, o4);
const e = Fp6.mul01(Fp6.add(c0, c1), Fp2.add(o0, o3), o4);
return {
c0: Fp6.add(Fp6.mulByNonresidue(b), a),
c1: Fp6.sub(e, Fp6.add(a, b)),
};
}
// A cyclotomic group is a subgroup of Fp^n defined by
// GΦₙ(p) = {α ∈ Fpⁿ : α^Φₙ(p) = 1}
// The result of any pairing is in a cyclotomic subgroup
// https://eprint.iacr.org/2009/565.pdf
// https://eprint.iacr.org/2010/354.pdf
_cyclotomicSquare({ c0, c1 }: Fp12): Fp12 {
const { Fp6 } = this;
const { Fp2 } = Fp6;
const { c0: c0c0, c1: c0c1, c2: c0c2 } = c0;
const { c0: c1c0, c1: c1c1, c2: c1c2 } = c1;
const { first: t3, second: t4 } = Fp2.Fp4Square(c0c0, c1c1);
const { first: t5, second: t6 } = Fp2.Fp4Square(c1c0, c0c2);
const { first: t7, second: t8 } = Fp2.Fp4Square(c0c1, c1c2);
const t9 = Fp2.mulByNonresidue(t8); // T8 * (u + 1)
return {
c0: Fp6.create({
c0: Fp2.add(Fp2.mul(Fp2.sub(t3, c0c0), _2n), t3), // 2 * (T3 - c0c0) + T3
c1: Fp2.add(Fp2.mul(Fp2.sub(t5, c0c1), _2n), t5), // 2 * (T5 - c0c1) + T5
c2: Fp2.add(Fp2.mul(Fp2.sub(t7, c0c2), _2n), t7),
}), // 2 * (T7 - c0c2) + T7
c1: Fp6.create({
c0: Fp2.add(Fp2.mul(Fp2.add(t9, c1c0), _2n), t9), // 2 * (T9 + c1c0) + T9
c1: Fp2.add(Fp2.mul(Fp2.add(t4, c1c1), _2n), t4), // 2 * (T4 + c1c1) + T4
c2: Fp2.add(Fp2.mul(Fp2.add(t6, c1c2), _2n), t6),
}),
}; // 2 * (T6 + c1c2) + T6
}
// https://eprint.iacr.org/2009/565.pdf
_cyclotomicExp(num: Fp12, n: bigint): Fp12 {
let z = this.ONE;
for (let i = this.X_LEN - 1; i >= 0; i--) {
z = this._cyclotomicSquare(z);
if (bitGet(n, i)) z = this.mul(z, num);
}
return z;
}
}
export function tower12(opts: Tower12Opts): {
Fp: Readonly<mod.IField<bigint> & Required<Pick<mod.IField<bigint>, 'isOdd'>>>;
Fp2: Fp2Bls;
Fp6: Fp6Bls;
Fp12: Fp12Bls;
} {
const Fp = mod.Field(opts.ORDER);
const Fp2 = new _Field2(Fp, opts);
const Fp6 = new _Field6(Fp2);
const Fp12 = new _Field12(Fp6, opts);
return { Fp, Fp2, Fp6, Fp12 };
}

80
node_modules/@noble/curves/src/abstract/utils.ts generated vendored Normal file
View File

@@ -0,0 +1,80 @@
/**
* Deprecated module: moved from curves/abstract/utils.js to curves/utils.js
* @module
*/
import * as u from '../utils.ts';
/** @deprecated moved to `@noble/curves/utils.js` */
export type Hex = u.Hex;
/** @deprecated moved to `@noble/curves/utils.js` */
export type PrivKey = u.PrivKey;
/** @deprecated moved to `@noble/curves/utils.js` */
export type CHash = u.CHash;
/** @deprecated moved to `@noble/curves/utils.js` */
export type FHash = u.FHash;
/** @deprecated moved to `@noble/curves/utils.js` */
export const abytes: typeof u.abytes = u.abytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export const anumber: typeof u.anumber = u.anumber;
/** @deprecated moved to `@noble/curves/utils.js` */
export const bytesToHex: typeof u.bytesToHex = u.bytesToHex;
/** @deprecated moved to `@noble/curves/utils.js` */
export const bytesToUtf8: typeof u.bytesToUtf8 = u.bytesToUtf8;
/** @deprecated moved to `@noble/curves/utils.js` */
export const concatBytes: typeof u.concatBytes = u.concatBytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export const hexToBytes: typeof u.hexToBytes = u.hexToBytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export const isBytes: typeof u.isBytes = u.isBytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export const randomBytes: typeof u.randomBytes = u.randomBytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export const utf8ToBytes: typeof u.utf8ToBytes = u.utf8ToBytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export const abool: typeof u.abool = u.abool;
/** @deprecated moved to `@noble/curves/utils.js` */
export const numberToHexUnpadded: typeof u.numberToHexUnpadded = u.numberToHexUnpadded;
/** @deprecated moved to `@noble/curves/utils.js` */
export const hexToNumber: typeof u.hexToNumber = u.hexToNumber;
/** @deprecated moved to `@noble/curves/utils.js` */
export const bytesToNumberBE: typeof u.bytesToNumberBE = u.bytesToNumberBE;
/** @deprecated moved to `@noble/curves/utils.js` */
export const bytesToNumberLE: typeof u.bytesToNumberLE = u.bytesToNumberLE;
/** @deprecated moved to `@noble/curves/utils.js` */
export const numberToBytesBE: typeof u.numberToBytesBE = u.numberToBytesBE;
/** @deprecated moved to `@noble/curves/utils.js` */
export const numberToBytesLE: typeof u.numberToBytesLE = u.numberToBytesLE;
/** @deprecated moved to `@noble/curves/utils.js` */
export const numberToVarBytesBE: typeof u.numberToVarBytesBE = u.numberToVarBytesBE;
/** @deprecated moved to `@noble/curves/utils.js` */
export const ensureBytes: typeof u.ensureBytes = u.ensureBytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export const equalBytes: typeof u.equalBytes = u.equalBytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export const copyBytes: typeof u.copyBytes = u.copyBytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export const asciiToBytes: typeof u.asciiToBytes = u.asciiToBytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export const inRange: typeof u.inRange = u.inRange;
/** @deprecated moved to `@noble/curves/utils.js` */
export const aInRange: typeof u.aInRange = u.aInRange;
/** @deprecated moved to `@noble/curves/utils.js` */
export const bitLen: typeof u.bitLen = u.bitLen;
/** @deprecated moved to `@noble/curves/utils.js` */
export const bitGet: typeof u.bitGet = u.bitGet;
/** @deprecated moved to `@noble/curves/utils.js` */
export const bitSet: typeof u.bitSet = u.bitSet;
/** @deprecated moved to `@noble/curves/utils.js` */
export const bitMask: typeof u.bitMask = u.bitMask;
/** @deprecated moved to `@noble/curves/utils.js` */
export const createHmacDrbg: typeof u.createHmacDrbg = u.createHmacDrbg;
/** @deprecated moved to `@noble/curves/utils.js` */
export const notImplemented: typeof u.notImplemented = u.notImplemented;
/** @deprecated moved to `@noble/curves/utils.js` */
export const memoized: typeof u.memoized = u.memoized;
/** @deprecated moved to `@noble/curves/utils.js` */
export const validateObject: typeof u.validateObject = u.validateObject;
/** @deprecated moved to `@noble/curves/utils.js` */
export const isHash: typeof u.isHash = u.isHash;

1884
node_modules/@noble/curves/src/abstract/weierstrass.ts generated vendored Normal file
View File

File diff suppressed because it is too large Load Diff

781
node_modules/@noble/curves/src/bls12-381.ts generated vendored Normal file
View File

@@ -0,0 +1,781 @@
/**
* bls12-381 is pairing-friendly Barreto-Lynn-Scott elliptic curve construction allowing to:
* Construct zk-SNARKs at the ~120-bit security, as per [Barbulescu-Duquesne 2017](https://hal.science/hal-01534101/file/main.pdf)
* Efficiently verify N aggregate signatures with 1 pairing and N ec additions:
the Boneh-Lynn-Shacham signature scheme is orders of magnitude more efficient than Schnorr
BLS can mean 2 different things:
* Barreto-Lynn-Scott: BLS12, a Pairing Friendly Elliptic Curve
* Boneh-Lynn-Shacham: A Signature Scheme.
### Summary
1. BLS Relies on expensive bilinear pairing
2. Secret Keys: 32 bytes
3. Public Keys: 48 OR 96 bytes - big-endian x coordinate of point on G1 OR G2 curve
4. Signatures: 96 OR 48 bytes - big-endian x coordinate of point on G2 OR G1 curve
5. The 12 stands for the Embedding degree.
Modes of operation:
* Long signatures: 48-byte keys + 96-byte sigs (G1 keys + G2 sigs).
* Short signatures: 96-byte keys + 48-byte sigs (G2 keys + G1 sigs).
### Formulas
- `P = pk x G` - public keys
- `S = pk x H(m)` - signing, uses hash-to-curve on m
- `e(P, H(m)) == e(G, S)` - verification using pairings
- `e(G, S) = e(G, SUM(n)(Si)) = MUL(n)(e(G, Si))` - signature aggregation
### Curves
G1 is ordinary elliptic curve. G2 is extension field curve, think "over complex numbers".
- G1: y² = x³ + 4
- G2: y² = x³ + 4(u + 1) where u = √1; r-order subgroup of E'(Fp²), M-type twist
### Towers
Pairing G1 + G2 produces element in Fp₁₂, 12-degree polynomial.
Fp₁₂ is usually implemented using tower of lower-degree polynomials for speed.
- Fp₁₂ = Fp₆² => Fp₂³
- Fp(u) / (u² - β) where β = -1
- Fp₂(v) / (v³ - ξ) where ξ = u + 1
- Fp₆(w) / (w² - γ) where γ = v
- Fp²[u] = Fp/u²+1
- Fp⁶[v] = Fp²/v³-1-u
- Fp¹²[w] = Fp⁶/w²-v
### Params
* Embedding degree (k): 12
* Seed is sometimes named x or t
* t = -15132376222941642752
* p = (t-1)² * (t⁴-t²+1)/3 + t
* r = t⁴-t²+1
* Ate loop size: X
To verify curve parameters, see
[pairing-friendly-curves spec](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-11).
Basic math is done over finite fields over p.
More complicated math is done over polynominal extension fields.
### Compatibility and notes
1. It is compatible with Algorand, Chia, Dfinity, Ethereum, Filecoin, ZEC.
Filecoin uses little endian byte arrays for secret keys - make sure to reverse byte order.
2. Make sure to correctly select mode: "long signature" or "short signature".
3. Compatible with specs:
RFC 9380,
[cfrg-pairing-friendly-curves-11](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-11),
[cfrg-bls-signature-05](https://datatracker.ietf.org/doc/draft-irtf-cfrg-bls-signature/).
*
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { sha256 } from '@noble/hashes/sha2.js';
import { bls, type CurveFn } from './abstract/bls.ts';
import { Field, type IField } from './abstract/modular.ts';
import {
abytes,
bitLen,
bitMask,
bytesToHex,
bytesToNumberBE,
concatBytes,
ensureBytes,
numberToBytesBE,
type Hex,
} from './utils.ts';
// Types
import { isogenyMap } from './abstract/hash-to-curve.ts';
import type { BigintTuple, Fp, Fp12, Fp2, Fp6 } from './abstract/tower.ts';
import { psiFrobenius, tower12 } from './abstract/tower.ts';
import {
mapToCurveSimpleSWU,
type AffinePoint,
type WeierstrassOpts,
type WeierstrassPoint,
type WeierstrassPointCons,
} from './abstract/weierstrass.ts';
// Be friendly to bad ECMAScript parsers by not using bigint literals
// prettier-ignore
const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n = BigInt(4);
// To verify math:
// https://tools.ietf.org/html/draft-irtf-cfrg-pairing-friendly-curves-11
// The BLS parameter x (seed) for BLS12-381. NOTE: it is negative!
// x = -2^63 - 2^62 - 2^60 - 2^57 - 2^48 - 2^16
const BLS_X = BigInt('0xd201000000010000');
// t = x (called differently in different places)
// const t = -BLS_X;
const BLS_X_LEN = bitLen(BLS_X);
// a=0, b=4
// P is characteristic of field Fp, in which curve calculations are done.
// p = (t-1)² * (t⁴-t²+1)/3 + t
// bls12_381_Fp = (t-1n)**2n * (t**4n - t**2n + 1n) / 3n + t
// r*h is curve order, amount of points on curve,
// where r is order of prime subgroup and h is cofactor.
// r = t⁴-t²+1
// r = (t**4n - t**2n + 1n)
// cofactor h of G1: (t - 1)²/3
// cofactorG1 = (t-1n)**2n/3n
// x = 3685416753713387016781088315183077757961620795782546409894578378688607592378376318836054947676345821548104185464507
// y = 1339506544944476473020471379941921221584933875938349620426543736416511423956333506472724655353366534992391756441569
const bls12_381_CURVE_G1: WeierstrassOpts<bigint> = {
p: BigInt(
'0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab'
),
n: BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001'),
h: BigInt('0x396c8c005555e1568c00aaab0000aaab'),
a: _0n,
b: _4n,
Gx: BigInt(
'0x17f1d3a73197d7942695638c4fa9ac0fc3688c4f9774b905a14e3a3f171bac586c55e83ff97a1aeffb3af00adb22c6bb'
),
Gy: BigInt(
'0x08b3f481e3aaa0f1a09e30ed741d8ae4fcf5e095d5d00af600db18cb2c04b3edd03cc744a2888ae40caa232946c5e7e1'
),
};
// CURVE FIELDS
export const bls12_381_Fr: IField<bigint> = Field(bls12_381_CURVE_G1.n, {
modFromBytes: true,
isLE: true,
});
const { Fp, Fp2, Fp6, Fp12 } = tower12({
ORDER: bls12_381_CURVE_G1.p,
X_LEN: BLS_X_LEN,
// Finite extension field over irreducible polynominal.
// Fp(u) / (u² - β) where β = -1
FP2_NONRESIDUE: [_1n, _1n],
Fp2mulByB: ({ c0, c1 }) => {
const t0 = Fp.mul(c0, _4n); // 4 * c0
const t1 = Fp.mul(c1, _4n); // 4 * c1
// (T0-T1) + (T0+T1)*i
return { c0: Fp.sub(t0, t1), c1: Fp.add(t0, t1) };
},
Fp12finalExponentiate: (num) => {
const x = BLS_X;
// this^(q⁶) / this
const t0 = Fp12.div(Fp12.frobeniusMap(num, 6), num);
// t0^(q²) * t0
const t1 = Fp12.mul(Fp12.frobeniusMap(t0, 2), t0);
const t2 = Fp12.conjugate(Fp12._cyclotomicExp(t1, x));
const t3 = Fp12.mul(Fp12.conjugate(Fp12._cyclotomicSquare(t1)), t2);
const t4 = Fp12.conjugate(Fp12._cyclotomicExp(t3, x));
const t5 = Fp12.conjugate(Fp12._cyclotomicExp(t4, x));
const t6 = Fp12.mul(Fp12.conjugate(Fp12._cyclotomicExp(t5, x)), Fp12._cyclotomicSquare(t2));
const t7 = Fp12.conjugate(Fp12._cyclotomicExp(t6, x));
const t2_t5_pow_q2 = Fp12.frobeniusMap(Fp12.mul(t2, t5), 2);
const t4_t1_pow_q3 = Fp12.frobeniusMap(Fp12.mul(t4, t1), 3);
const t6_t1c_pow_q1 = Fp12.frobeniusMap(Fp12.mul(t6, Fp12.conjugate(t1)), 1);
const t7_t3c_t1 = Fp12.mul(Fp12.mul(t7, Fp12.conjugate(t3)), t1);
// (t2 * t5)^(q²) * (t4 * t1)^(q³) * (t6 * t1.conj)^(q^1) * t7 * t3.conj * t1
return Fp12.mul(Fp12.mul(Fp12.mul(t2_t5_pow_q2, t4_t1_pow_q3), t6_t1c_pow_q1), t7_t3c_t1);
},
});
// GLV endomorphism Ψ(P), for fast cofactor clearing
const { G2psi, G2psi2 } = psiFrobenius(Fp, Fp2, Fp2.div(Fp2.ONE, Fp2.NONRESIDUE)); // 1/(u+1)
/**
* Default hash_to_field / hash-to-curve for BLS.
* m: 1 for G1, 2 for G2
* k: target security level in bits
* hash: any function, e.g. BBS+ uses BLAKE2: see [github](https://github.com/hyperledger/aries-framework-go/issues/2247).
* Parameter values come from [section 8.8.2 of RFC 9380](https://www.rfc-editor.org/rfc/rfc9380#section-8.8.2).
*/
const htfDefaults = Object.freeze({
DST: 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_',
encodeDST: 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_',
p: Fp.ORDER,
m: 2,
k: 128,
expand: 'xmd',
hash: sha256,
});
// a=0, b=4
// cofactor h of G2
// (t^8 - 4t^7 + 5t^6 - 4t^4 + 6t^3 - 4t^2 - 4t + 13)/9
// cofactorG2 = (t**8n - 4n*t**7n + 5n*t**6n - 4n*t**4n + 6n*t**3n - 4n*t**2n - 4n*t+13n)/9n
// x = 3059144344244213709971259814753781636986470325476647558659373206291635324768958432433509563104347017837885763365758*u + 352701069587466618187139116011060144890029952792775240219908644239793785735715026873347600343865175952761926303160
// y = 927553665492332455747201965776037880757740193453592970025027978793976877002675564980949289727957565575433344219582*u + 1985150602287291935568054521177171638300868978215655730859378665066344726373823718423869104263333984641494340347905
const bls12_381_CURVE_G2 = {
p: Fp2.ORDER,
n: bls12_381_CURVE_G1.n,
h: BigInt(
'0x5d543a95414e7f1091d50792876a202cd91de4547085abaa68a205b2e5a7ddfa628f1cb4d9e82ef21537e293a6691ae1616ec6e786f0c70cf1c38e31c7238e5'
),
a: Fp2.ZERO,
b: Fp2.fromBigTuple([_4n, _4n]),
Gx: Fp2.fromBigTuple([
BigInt(
'0x024aa2b2f08f0a91260805272dc51051c6e47ad4fa403b02b4510b647ae3d1770bac0326a805bbefd48056c8c121bdb8'
),
BigInt(
'0x13e02b6052719f607dacd3a088274f65596bd0d09920b61ab5da61bbdc7f5049334cf11213945d57e5ac7d055d042b7e'
),
]),
Gy: Fp2.fromBigTuple([
BigInt(
'0x0ce5d527727d6e118cc9cdc6da2e351aadfd9baa8cbdd3a76d429a695160d12c923ac9cc3baca289e193548608b82801'
),
BigInt(
'0x0606c4a02ea734cc32acd2b02bc28b99cb3e287e85a763af267492ab572e99ab3f370d275cec1da1aaa9075ff05f79be'
),
]),
};
// Encoding utils
// Compressed point of infinity
// Set compressed & point-at-infinity bits
const COMPZERO = setMask(Fp.toBytes(_0n), { infinity: true, compressed: true });
function parseMask(bytes: Uint8Array) {
// Copy, so we can remove mask data. It will be removed also later, when Fp.create will call modulo.
bytes = bytes.slice();
const mask = bytes[0] & 0b1110_0000;
const compressed = !!((mask >> 7) & 1); // compression bit (0b1000_0000)
const infinity = !!((mask >> 6) & 1); // point at infinity bit (0b0100_0000)
const sort = !!((mask >> 5) & 1); // sort bit (0b0010_0000)
bytes[0] &= 0b0001_1111; // clear mask (zero first 3 bits)
return { compressed, infinity, sort, value: bytes };
}
function setMask(
bytes: Uint8Array,
mask: { compressed?: boolean; infinity?: boolean; sort?: boolean }
) {
if (bytes[0] & 0b1110_0000) throw new Error('setMask: non-empty mask');
if (mask.compressed) bytes[0] |= 0b1000_0000;
if (mask.infinity) bytes[0] |= 0b0100_0000;
if (mask.sort) bytes[0] |= 0b0010_0000;
return bytes;
}
function pointG1ToBytes(
_c: WeierstrassPointCons<Fp>,
point: WeierstrassPoint<Fp>,
isComp: boolean
) {
const { BYTES: L, ORDER: P } = Fp;
const is0 = point.is0();
const { x, y } = point.toAffine();
if (isComp) {
if (is0) return COMPZERO.slice();
const sort = Boolean((y * _2n) / P);
return setMask(numberToBytesBE(x, L), { compressed: true, sort });
} else {
if (is0) {
return concatBytes(Uint8Array.of(0x40), new Uint8Array(2 * L - 1));
} else {
return concatBytes(numberToBytesBE(x, L), numberToBytesBE(y, L));
}
}
}
function signatureG1ToBytes(point: WeierstrassPoint<Fp>) {
point.assertValidity();
const { BYTES: L, ORDER: P } = Fp;
const { x, y } = point.toAffine();
if (point.is0()) return COMPZERO.slice();
const sort = Boolean((y * _2n) / P);
return setMask(numberToBytesBE(x, L), { compressed: true, sort });
}
function pointG1FromBytes(bytes: Uint8Array): AffinePoint<Fp> {
const { compressed, infinity, sort, value } = parseMask(bytes);
const { BYTES: L, ORDER: P } = Fp;
if (value.length === 48 && compressed) {
const compressedValue = bytesToNumberBE(value);
// Zero
const x = Fp.create(compressedValue & bitMask(Fp.BITS));
if (infinity) {
if (x !== _0n) throw new Error('invalid G1 point: non-empty, at infinity, with compression');
return { x: _0n, y: _0n };
}
const right = Fp.add(Fp.pow(x, _3n), Fp.create(bls12_381_CURVE_G1.b)); // y² = x³ + b
let y = Fp.sqrt(right);
if (!y) throw new Error('invalid G1 point: compressed point');
if ((y * _2n) / P !== BigInt(sort)) y = Fp.neg(y);
return { x: Fp.create(x), y: Fp.create(y) };
} else if (value.length === 96 && !compressed) {
// Check if the infinity flag is set
const x = bytesToNumberBE(value.subarray(0, L));
const y = bytesToNumberBE(value.subarray(L));
if (infinity) {
if (x !== _0n || y !== _0n) throw new Error('G1: non-empty point at infinity');
return bls12_381.G1.Point.ZERO.toAffine();
}
return { x: Fp.create(x), y: Fp.create(y) };
} else {
throw new Error('invalid G1 point: expected 48/96 bytes');
}
}
function signatureG1FromBytes(hex: Hex): WeierstrassPoint<Fp> {
const { infinity, sort, value } = parseMask(ensureBytes('signatureHex', hex, 48));
const P = Fp.ORDER;
const Point = bls12_381.G1.Point;
const compressedValue = bytesToNumberBE(value);
// Zero
if (infinity) return Point.ZERO;
const x = Fp.create(compressedValue & bitMask(Fp.BITS));
const right = Fp.add(Fp.pow(x, _3n), Fp.create(bls12_381_CURVE_G1.b)); // y² = x³ + b
let y = Fp.sqrt(right);
if (!y) throw new Error('invalid G1 point: compressed');
const aflag = BigInt(sort);
if ((y * _2n) / P !== aflag) y = Fp.neg(y);
const point = Point.fromAffine({ x, y });
point.assertValidity();
return point;
}
function pointG2ToBytes(
_c: WeierstrassPointCons<Fp2>,
point: WeierstrassPoint<Fp2>,
isComp: boolean
) {
const { BYTES: L, ORDER: P } = Fp;
const is0 = point.is0();
const { x, y } = point.toAffine();
if (isComp) {
if (is0) return concatBytes(COMPZERO, numberToBytesBE(_0n, L));
const flag = Boolean(y.c1 === _0n ? (y.c0 * _2n) / P : (y.c1 * _2n) / P);
return concatBytes(
setMask(numberToBytesBE(x.c1, L), { compressed: true, sort: flag }),
numberToBytesBE(x.c0, L)
);
} else {
if (is0) return concatBytes(Uint8Array.of(0x40), new Uint8Array(4 * L - 1));
const { re: x0, im: x1 } = Fp2.reim(x);
const { re: y0, im: y1 } = Fp2.reim(y);
return concatBytes(
numberToBytesBE(x1, L),
numberToBytesBE(x0, L),
numberToBytesBE(y1, L),
numberToBytesBE(y0, L)
);
}
}
function signatureG2ToBytes(point: WeierstrassPoint<Fp2>) {
point.assertValidity();
const { BYTES: L } = Fp;
if (point.is0()) return concatBytes(COMPZERO, numberToBytesBE(_0n, L));
const { x, y } = point.toAffine();
const { re: x0, im: x1 } = Fp2.reim(x);
const { re: y0, im: y1 } = Fp2.reim(y);
const tmp = y1 > _0n ? y1 * _2n : y0 * _2n;
const sort = Boolean((tmp / Fp.ORDER) & _1n);
const z2 = x0;
return concatBytes(
setMask(numberToBytesBE(x1, L), { sort, compressed: true }),
numberToBytesBE(z2, L)
);
}
function pointG2FromBytes(bytes: Uint8Array): AffinePoint<Fp2> {
const { BYTES: L, ORDER: P } = Fp;
const { compressed, infinity, sort, value } = parseMask(bytes);
if (
(!compressed && !infinity && sort) || // 00100000
(!compressed && infinity && sort) || // 01100000
(sort && infinity && compressed) // 11100000
) {
throw new Error('invalid encoding flag: ' + (bytes[0] & 0b1110_0000));
}
const slc = (b: Uint8Array, from: number, to?: number) => bytesToNumberBE(b.slice(from, to));
if (value.length === 96 && compressed) {
if (infinity) {
// check that all bytes are 0
if (value.reduce((p, c) => (p !== 0 ? c + 1 : c), 0) > 0) {
throw new Error('invalid G2 point: compressed');
}
return { x: Fp2.ZERO, y: Fp2.ZERO };
}
const x_1 = slc(value, 0, L);
const x_0 = slc(value, L, 2 * L);
const x = Fp2.create({ c0: Fp.create(x_0), c1: Fp.create(x_1) });
const right = Fp2.add(Fp2.pow(x, _3n), bls12_381_CURVE_G2.b); // y² = x³ + 4 * (u+1) = x³ + b
let y = Fp2.sqrt(right);
const Y_bit = y.c1 === _0n ? (y.c0 * _2n) / P : (y.c1 * _2n) / P ? _1n : _0n;
y = sort && Y_bit > 0 ? y : Fp2.neg(y);
return { x, y };
} else if (value.length === 192 && !compressed) {
if (infinity) {
if (value.reduce((p, c) => (p !== 0 ? c + 1 : c), 0) > 0) {
throw new Error('invalid G2 point: uncompressed');
}
return { x: Fp2.ZERO, y: Fp2.ZERO };
}
const x1 = slc(value, 0 * L, 1 * L);
const x0 = slc(value, 1 * L, 2 * L);
const y1 = slc(value, 2 * L, 3 * L);
const y0 = slc(value, 3 * L, 4 * L);
return { x: Fp2.fromBigTuple([x0, x1]), y: Fp2.fromBigTuple([y0, y1]) };
} else {
throw new Error('invalid G2 point: expected 96/192 bytes');
}
}
function signatureG2FromBytes(hex: Hex) {
const { ORDER: P } = Fp;
// TODO: Optimize, it's very slow because of sqrt.
const { infinity, sort, value } = parseMask(ensureBytes('signatureHex', hex));
const Point = bls12_381.G2.Point;
const half = value.length / 2;
if (half !== 48 && half !== 96)
throw new Error('invalid compressed signature length, expected 96/192 bytes');
const z1 = bytesToNumberBE(value.slice(0, half));
const z2 = bytesToNumberBE(value.slice(half));
// Indicates the infinity point
if (infinity) return Point.ZERO;
const x1 = Fp.create(z1 & bitMask(Fp.BITS));
const x2 = Fp.create(z2);
const x = Fp2.create({ c0: x2, c1: x1 });
const y2 = Fp2.add(Fp2.pow(x, _3n), bls12_381_CURVE_G2.b); // y² = x³ + 4
// The slow part
let y = Fp2.sqrt(y2);
if (!y) throw new Error('Failed to find a square root');
// Choose the y whose leftmost bit of the imaginary part is equal to the a_flag1
// If y1 happens to be zero, then use the bit of y0
const { re: y0, im: y1 } = Fp2.reim(y);
const aflag1 = BigInt(sort);
const isGreater = y1 > _0n && (y1 * _2n) / P !== aflag1;
const is0 = y1 === _0n && (y0 * _2n) / P !== aflag1;
if (isGreater || is0) y = Fp2.neg(y);
const point = Point.fromAffine({ x, y });
point.assertValidity();
return point;
}
/**
* bls12-381 pairing-friendly curve.
* @example
* import { bls12_381 as bls } from '@noble/curves/bls12-381';
* // G1 keys, G2 signatures
* const privateKey = '67d53f170b908cabb9eb326c3c337762d59289a8fec79f7bc9254b584b73265c';
* const message = '64726e3da8';
* const publicKey = bls.getPublicKey(privateKey);
* const signature = bls.sign(message, privateKey);
* const isValid = bls.verify(signature, message, publicKey);
*/
export const bls12_381: CurveFn = bls({
// Fields
fields: {
Fp,
Fp2,
Fp6,
Fp12,
Fr: bls12_381_Fr,
},
// G1: y² = x³ + 4
G1: {
...bls12_381_CURVE_G1,
Fp,
htfDefaults: { ...htfDefaults, m: 1, DST: 'BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_' },
wrapPrivateKey: true,
allowInfinityPoint: true,
// Checks is the point resides in prime-order subgroup.
// point.isTorsionFree() should return true for valid points
// It returns false for shitty points.
// https://eprint.iacr.org/2021/1130.pdf
isTorsionFree: (c, point): boolean => {
// GLV endomorphism ψ(P)
const beta = BigInt(
'0x5f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffe'
);
const phi = new c(Fp.mul(point.X, beta), point.Y, point.Z);
// TODO: unroll
const xP = point.multiplyUnsafe(BLS_X).negate(); // [x]P
const u2P = xP.multiplyUnsafe(BLS_X); // [u2]P
return u2P.equals(phi);
},
// Clear cofactor of G1
// https://eprint.iacr.org/2019/403
clearCofactor: (_c, point) => {
// return this.multiplyUnsafe(CURVE.h);
return point.multiplyUnsafe(BLS_X).add(point); // x*P + P
},
mapToCurve: mapToG1,
fromBytes: pointG1FromBytes,
toBytes: pointG1ToBytes,
ShortSignature: {
fromBytes(bytes: Uint8Array) {
abytes(bytes);
return signatureG1FromBytes(bytes);
},
fromHex(hex: Hex): WeierstrassPoint<Fp> {
return signatureG1FromBytes(hex);
},
toBytes(point: WeierstrassPoint<Fp>) {
return signatureG1ToBytes(point);
},
toRawBytes(point: WeierstrassPoint<Fp>) {
return signatureG1ToBytes(point);
},
toHex(point: WeierstrassPoint<Fp>) {
return bytesToHex(signatureG1ToBytes(point));
},
},
},
G2: {
...bls12_381_CURVE_G2,
Fp: Fp2,
// https://datatracker.ietf.org/doc/html/rfc9380#name-clearing-the-cofactor
// https://datatracker.ietf.org/doc/html/rfc9380#name-cofactor-clearing-for-bls12
hEff: BigInt(
'0xbc69f08f2ee75b3584c6a0ea91b352888e2a8e9145ad7689986ff031508ffe1329c2f178731db956d82bf015d1212b02ec0ec69d7477c1ae954cbc06689f6a359894c0adebbf6b4e8020005aaa95551'
),
htfDefaults: { ...htfDefaults },
wrapPrivateKey: true,
allowInfinityPoint: true,
mapToCurve: mapToG2,
// Checks is the point resides in prime-order subgroup.
// point.isTorsionFree() should return true for valid points
// It returns false for shitty points.
// https://eprint.iacr.org/2021/1130.pdf
// Older version: https://eprint.iacr.org/2019/814.pdf
isTorsionFree: (c, P): boolean => {
return P.multiplyUnsafe(BLS_X).negate().equals(G2psi(c, P)); // ψ(P) == [u](P)
},
// Maps the point into the prime-order subgroup G2.
// clear_cofactor_bls12381_g2 from RFC 9380.
// https://eprint.iacr.org/2017/419.pdf
// prettier-ignore
clearCofactor: (c, P) => {
const x = BLS_X;
let t1 = P.multiplyUnsafe(x).negate(); // [-x]P
let t2 = G2psi(c, P); // Ψ(P)
let t3 = P.double(); // 2P
t3 = G2psi2(c, t3); // Ψ²(2P)
t3 = t3.subtract(t2); // Ψ²(2P) - Ψ(P)
t2 = t1.add(t2); // [-x]P + Ψ(P)
t2 = t2.multiplyUnsafe(x).negate(); // [x²]P - [x]Ψ(P)
t3 = t3.add(t2); // Ψ²(2P) - Ψ(P) + [x²]P - [x]Ψ(P)
t3 = t3.subtract(t1); // Ψ²(2P) - Ψ(P) + [x²]P - [x]Ψ(P) + [x]P
const Q = t3.subtract(P); // Ψ²(2P) - Ψ(P) + [x²]P - [x]Ψ(P) + [x]P - 1P
return Q; // [x²-x-1]P + [x-1]Ψ(P) + Ψ²(2P)
},
fromBytes: pointG2FromBytes,
toBytes: pointG2ToBytes,
Signature: {
fromBytes(bytes: Uint8Array): WeierstrassPoint<Fp2> {
abytes(bytes);
return signatureG2FromBytes(bytes);
},
fromHex(hex: Hex): WeierstrassPoint<Fp2> {
return signatureG2FromBytes(hex);
},
toBytes(point: WeierstrassPoint<Fp2>) {
return signatureG2ToBytes(point);
},
toRawBytes(point: WeierstrassPoint<Fp2>) {
return signatureG2ToBytes(point);
},
toHex(point: WeierstrassPoint<Fp2>) {
return bytesToHex(signatureG2ToBytes(point));
},
},
},
params: {
ateLoopSize: BLS_X, // The BLS parameter x for BLS12-381
r: bls12_381_CURVE_G1.n, // order; z⁴ z² + 1; CURVE.n from other curves
xNegative: true,
twistType: 'multiplicative',
},
htfDefaults,
hash: sha256,
});
// 3-isogeny map from E' to E https://www.rfc-editor.org/rfc/rfc9380#appendix-E.3
const isogenyMapG2 = isogenyMap(
Fp2,
[
// xNum
[
[
'0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97d6',
'0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97d6',
],
[
'0x0',
'0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71a',
],
[
'0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71e',
'0x8ab05f8bdd54cde190937e76bc3e447cc27c3d6fbd7063fcd104635a790520c0a395554e5c6aaaa9354ffffffffe38d',
],
[
'0x171d6541fa38ccfaed6dea691f5fb614cb14b4e7f4e810aa22d6108f142b85757098e38d0f671c7188e2aaaaaaaa5ed1',
'0x0',
],
],
// xDen
[
[
'0x0',
'0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa63',
],
[
'0xc',
'0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa9f',
],
['0x1', '0x0'], // LAST 1
],
// yNum
[
[
'0x1530477c7ab4113b59a4c18b076d11930f7da5d4a07f649bf54439d87d27e500fc8c25ebf8c92f6812cfc71c71c6d706',
'0x1530477c7ab4113b59a4c18b076d11930f7da5d4a07f649bf54439d87d27e500fc8c25ebf8c92f6812cfc71c71c6d706',
],
[
'0x0',
'0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97be',
],
[
'0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71c',
'0x8ab05f8bdd54cde190937e76bc3e447cc27c3d6fbd7063fcd104635a790520c0a395554e5c6aaaa9354ffffffffe38f',
],
[
'0x124c9ad43b6cf79bfbf7043de3811ad0761b0f37a1e26286b0e977c69aa274524e79097a56dc4bd9e1b371c71c718b10',
'0x0',
],
],
// yDen
[
[
'0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa8fb',
'0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa8fb',
],
[
'0x0',
'0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa9d3',
],
[
'0x12',
'0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa99',
],
['0x1', '0x0'], // LAST 1
],
].map((i) => i.map((pair) => Fp2.fromBigTuple(pair.map(BigInt) as BigintTuple))) as [
Fp2[],
Fp2[],
Fp2[],
Fp2[],
]
);
// 11-isogeny map from E' to E
const isogenyMapG1 = isogenyMap(
Fp,
[
// xNum
[
'0x11a05f2b1e833340b809101dd99815856b303e88a2d7005ff2627b56cdb4e2c85610c2d5f2e62d6eaeac1662734649b7',
'0x17294ed3e943ab2f0588bab22147a81c7c17e75b2f6a8417f565e33c70d1e86b4838f2a6f318c356e834eef1b3cb83bb',
'0xd54005db97678ec1d1048c5d10a9a1bce032473295983e56878e501ec68e25c958c3e3d2a09729fe0179f9dac9edcb0',
'0x1778e7166fcc6db74e0609d307e55412d7f5e4656a8dbf25f1b33289f1b330835336e25ce3107193c5b388641d9b6861',
'0xe99726a3199f4436642b4b3e4118e5499db995a1257fb3f086eeb65982fac18985a286f301e77c451154ce9ac8895d9',
'0x1630c3250d7313ff01d1201bf7a74ab5db3cb17dd952799b9ed3ab9097e68f90a0870d2dcae73d19cd13c1c66f652983',
'0xd6ed6553fe44d296a3726c38ae652bfb11586264f0f8ce19008e218f9c86b2a8da25128c1052ecaddd7f225a139ed84',
'0x17b81e7701abdbe2e8743884d1117e53356de5ab275b4db1a682c62ef0f2753339b7c8f8c8f475af9ccb5618e3f0c88e',
'0x80d3cf1f9a78fc47b90b33563be990dc43b756ce79f5574a2c596c928c5d1de4fa295f296b74e956d71986a8497e317',
'0x169b1f8e1bcfa7c42e0c37515d138f22dd2ecb803a0c5c99676314baf4bb1b7fa3190b2edc0327797f241067be390c9e',
'0x10321da079ce07e272d8ec09d2565b0dfa7dccdde6787f96d50af36003b14866f69b771f8c285decca67df3f1605fb7b',
'0x6e08c248e260e70bd1e962381edee3d31d79d7e22c837bc23c0bf1bc24c6b68c24b1b80b64d391fa9c8ba2e8ba2d229',
],
// xDen
[
'0x8ca8d548cff19ae18b2e62f4bd3fa6f01d5ef4ba35b48ba9c9588617fc8ac62b558d681be343df8993cf9fa40d21b1c',
'0x12561a5deb559c4348b4711298e536367041e8ca0cf0800c0126c2588c48bf5713daa8846cb026e9e5c8276ec82b3bff',
'0xb2962fe57a3225e8137e629bff2991f6f89416f5a718cd1fca64e00b11aceacd6a3d0967c94fedcfcc239ba5cb83e19',
'0x3425581a58ae2fec83aafef7c40eb545b08243f16b1655154cca8abc28d6fd04976d5243eecf5c4130de8938dc62cd8',
'0x13a8e162022914a80a6f1d5f43e7a07dffdfc759a12062bb8d6b44e833b306da9bd29ba81f35781d539d395b3532a21e',
'0xe7355f8e4e667b955390f7f0506c6e9395735e9ce9cad4d0a43bcef24b8982f7400d24bc4228f11c02df9a29f6304a5',
'0x772caacf16936190f3e0c63e0596721570f5799af53a1894e2e073062aede9cea73b3538f0de06cec2574496ee84a3a',
'0x14a7ac2a9d64a8b230b3f5b074cf01996e7f63c21bca68a81996e1cdf9822c580fa5b9489d11e2d311f7d99bbdcc5a5e',
'0xa10ecf6ada54f825e920b3dafc7a3cce07f8d1d7161366b74100da67f39883503826692abba43704776ec3a79a1d641',
'0x95fc13ab9e92ad4476d6e3eb3a56680f682b4ee96f7d03776df533978f31c1593174e4b4b7865002d6384d168ecdd0a',
'0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001', // LAST 1
],
// yNum
[
'0x90d97c81ba24ee0259d1f094980dcfa11ad138e48a869522b52af6c956543d3cd0c7aee9b3ba3c2be9845719707bb33',
'0x134996a104ee5811d51036d776fb46831223e96c254f383d0f906343eb67ad34d6c56711962fa8bfe097e75a2e41c696',
'0xcc786baa966e66f4a384c86a3b49942552e2d658a31ce2c344be4b91400da7d26d521628b00523b8dfe240c72de1f6',
'0x1f86376e8981c217898751ad8746757d42aa7b90eeb791c09e4a3ec03251cf9de405aba9ec61deca6355c77b0e5f4cb',
'0x8cc03fdefe0ff135caf4fe2a21529c4195536fbe3ce50b879833fd221351adc2ee7f8dc099040a841b6daecf2e8fedb',
'0x16603fca40634b6a2211e11db8f0a6a074a7d0d4afadb7bd76505c3d3ad5544e203f6326c95a807299b23ab13633a5f0',
'0x4ab0b9bcfac1bbcb2c977d027796b3ce75bb8ca2be184cb5231413c4d634f3747a87ac2460f415ec961f8855fe9d6f2',
'0x987c8d5333ab86fde9926bd2ca6c674170a05bfe3bdd81ffd038da6c26c842642f64550fedfe935a15e4ca31870fb29',
'0x9fc4018bd96684be88c9e221e4da1bb8f3abd16679dc26c1e8b6e6a1f20cabe69d65201c78607a360370e577bdba587',
'0xe1bba7a1186bdb5223abde7ada14a23c42a0ca7915af6fe06985e7ed1e4d43b9b3f7055dd4eba6f2bafaaebca731c30',
'0x19713e47937cd1be0dfd0b8f1d43fb93cd2fcbcb6caf493fd1183e416389e61031bf3a5cce3fbafce813711ad011c132',
'0x18b46a908f36f6deb918c143fed2edcc523559b8aaf0c2462e6bfe7f911f643249d9cdf41b44d606ce07c8a4d0074d8e',
'0xb182cac101b9399d155096004f53f447aa7b12a3426b08ec02710e807b4633f06c851c1919211f20d4c04f00b971ef8',
'0x245a394ad1eca9b72fc00ae7be315dc757b3b080d4c158013e6632d3c40659cc6cf90ad1c232a6442d9d3f5db980133',
'0x5c129645e44cf1102a159f748c4a3fc5e673d81d7e86568d9ab0f5d396a7ce46ba1049b6579afb7866b1e715475224b',
'0x15e6be4e990f03ce4ea50b3b42df2eb5cb181d8f84965a3957add4fa95af01b2b665027efec01c7704b456be69c8b604',
],
// yDen
[
'0x16112c4c3a9c98b252181140fad0eae9601a6de578980be6eec3232b5be72e7a07f3688ef60c206d01479253b03663c1',
'0x1962d75c2381201e1a0cbd6c43c348b885c84ff731c4d59ca4a10356f453e01f78a4260763529e3532f6102c2e49a03d',
'0x58df3306640da276faaae7d6e8eb15778c4855551ae7f310c35a5dd279cd2eca6757cd636f96f891e2538b53dbf67f2',
'0x16b7d288798e5395f20d23bf89edb4d1d115c5dbddbcd30e123da489e726af41727364f2c28297ada8d26d98445f5416',
'0xbe0e079545f43e4b00cc912f8228ddcc6d19c9f0f69bbb0542eda0fc9dec916a20b15dc0fd2ededda39142311a5001d',
'0x8d9e5297186db2d9fb266eaac783182b70152c65550d881c5ecd87b6f0f5a6449f38db9dfa9cce202c6477faaf9b7ac',
'0x166007c08a99db2fc3ba8734ace9824b5eecfdfa8d0cf8ef5dd365bc400a0051d5fa9c01a58b1fb93d1a1399126a775c',
'0x16a3ef08be3ea7ea03bcddfabba6ff6ee5a4375efa1f4fd7feb34fd206357132b920f5b00801dee460ee415a15812ed9',
'0x1866c8ed336c61231a1be54fd1d74cc4f9fb0ce4c6af5920abc5750c4bf39b4852cfe2f7bb9248836b233d9d55535d4a',
'0x167a55cda70a6e1cea820597d94a84903216f763e13d87bb5308592e7ea7d4fbc7385ea3d529b35e346ef48bb8913f55',
'0x4d2f259eea405bd48f010a01ad2911d9c6dd039bb61a6290e591b36e636a5c871a5c29f4f83060400f8b49cba8f6aa8',
'0xaccbb67481d033ff5852c1e48c50c477f94ff8aefce42d28c0f9a88cea7913516f968986f7ebbea9684b529e2561092',
'0xad6b9514c767fe3c3613144b45f1496543346d98adf02267d5ceef9a00d9b8693000763e3b90ac11e99b138573345cc',
'0x2660400eb2e4f3b628bdd0d53cd76f2bf565b94e72927c1cb748df27942480e420517bd8714cc80d1fadc1326ed06f7',
'0xe0fa1d816ddc03e6b24255e0d7819c171c40f65e273b853324efcd6356caa205ca2f570f13497804415473a1d634b8f',
'0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001', // LAST 1
],
].map((i) => i.map((j) => BigInt(j))) as [Fp[], Fp[], Fp[], Fp[]]
);
// Optimized SWU Map - Fp to G1
const G1_SWU = mapToCurveSimpleSWU(Fp, {
A: Fp.create(
BigInt(
'0x144698a3b8e9433d693a02c96d4982b0ea985383ee66a8d8e8981aefd881ac98936f8da0e0f97f5cf428082d584c1d'
)
),
B: Fp.create(
BigInt(
'0x12e2908d11688030018b12e8753eee3b2016c1f0f24f4070a0b9c14fcef35ef55a23215a316ceaa5d1cc48e98e172be0'
)
),
Z: Fp.create(BigInt(11)),
});
// SWU Map - Fp2 to G2': y² = x³ + 240i * x + 1012 + 1012i
const G2_SWU = mapToCurveSimpleSWU(Fp2, {
A: Fp2.create({ c0: Fp.create(_0n), c1: Fp.create(BigInt(240)) }), // A' = 240 * I
B: Fp2.create({ c0: Fp.create(BigInt(1012)), c1: Fp.create(BigInt(1012)) }), // B' = 1012 * (1 + I)
Z: Fp2.create({ c0: Fp.create(BigInt(-2)), c1: Fp.create(BigInt(-1)) }), // Z: -(2 + I)
});
function mapToG1(scalars: bigint[]) {
const { x, y } = G1_SWU(Fp.create(scalars[0]));
return isogenyMapG1(x, y);
}
function mapToG2(scalars: bigint[]) {
const { x, y } = G2_SWU(Fp2.fromBigTuple(scalars as BigintTuple));
return isogenyMapG2(x, y);
}

243
node_modules/@noble/curves/src/bn254.ts generated vendored Normal file
View File

@@ -0,0 +1,243 @@
/**
* bn254, previously known as alt_bn_128, when it had 128-bit security.
Barbulescu-Duquesne 2017 shown it's weaker: just about 100 bits,
so the naming has been adjusted to its prime bit count:
https://hal.science/hal-01534101/file/main.pdf.
Compatible with EIP-196 and EIP-197.
There are huge compatibility issues in the ecosystem:
1. Different libraries call it in different ways: "bn254", "bn256", "alt_bn128", "bn128".
2. libff has bn128, but it's a different curve with different G2:
https://github.com/scipr-lab/libff/blob/a44f482e18b8ac04d034c193bd9d7df7817ad73f/libff/algebra/curves/bn128/bn128_init.cpp#L166-L169
3. halo2curves bn256 is also incompatible and returns different outputs
We don't implement Point methods toHex / toBytes.
To work around this limitation, has to initialize points on their own from BigInts.
Reason it's not implemented is because [there is no standard](https://github.com/privacy-scaling-explorations/halo2curves/issues/109).
Points of divergence:
- Endianness: LE vs BE (byte-swapped)
- Flags as first hex bits (similar to BLS) vs no-flags
- Imaginary part last in G2 vs first (c0, c1 vs c1, c0)
The goal of our implementation is to support "Ethereum" variant of the curve,
because it at least has specs:
- EIP196 (https://eips.ethereum.org/EIPS/eip-196) describes bn254 ECADD and ECMUL opcodes for EVM
- EIP197 (https://eips.ethereum.org/EIPS/eip-197) describes bn254 pairings
- It's hard: EIPs don't have proper tests. EIP-197 returns boolean output instead of Fp12
- The existing implementations are bad. Some are deprecated:
- https://github.com/paritytech/bn (old version)
- https://github.com/ewasm/ethereum-bn128.rs (uses paritytech/bn)
- https://github.com/zcash-hackworks/bn
- https://github.com/arkworks-rs/curves/blob/master/bn254/src/lib.rs
- Python implementations use different towers and produce different Fp12 outputs:
- https://github.com/ethereum/py_pairing
- https://github.com/ethereum/execution-specs/blob/master/src/ethereum/crypto/alt_bn128.py
- Points are encoded differently in different implementations
### Params
Seed (X): 4965661367192848881
Fr: (36x⁴+36x³+18x²+6x+1)
Fp: (36x⁴+36x³+24x²+6x+1)
(E / Fp ): Y² = X³+3
(Et / Fp²): Y² = X³+3/(u+9) (D-type twist)
Ate loop size: 6x+2
### Towers
- Fp²[u] = Fp/u²+1
- Fp⁶[v] = Fp²/v³-9-u
- Fp¹²[w] = Fp⁶/w²-v
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { sha256 } from '@noble/hashes/sha2.js';
import {
bls,
type CurveFn as BLSCurveFn,
type PostPrecomputeFn,
type PostPrecomputePointAddFn,
} from './abstract/bls.ts';
import { Field, type IField } from './abstract/modular.ts';
import type { Fp, Fp12, Fp2, Fp6 } from './abstract/tower.ts';
import { psiFrobenius, tower12 } from './abstract/tower.ts';
import { type CurveFn, weierstrass, type WeierstrassOpts } from './abstract/weierstrass.ts';
import { bitLen, notImplemented } from './utils.ts';
// prettier-ignore
const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
const _6n = BigInt(6);
const BN_X = BigInt('4965661367192848881');
const BN_X_LEN = bitLen(BN_X);
const SIX_X_SQUARED = _6n * BN_X ** _2n;
const bn254_G1_CURVE: WeierstrassOpts<bigint> = {
p: BigInt('0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47'),
n: BigInt('0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593f0000001'),
h: _1n,
a: _0n,
b: _3n,
Gx: _1n,
Gy: BigInt(2),
};
// r == n
// Finite field over r. It's for convenience and is not used in the code below.
export const bn254_Fr: IField<bigint> = Field(bn254_G1_CURVE.n);
// Fp2.div(Fp2.mul(Fp2.ONE, _3n), Fp2.NONRESIDUE)
const Fp2B = {
c0: BigInt('19485874751759354771024239261021720505790618469301721065564631296452457478373'),
c1: BigInt('266929791119991161246907387137283842545076965332900288569378510910307636690'),
};
const { Fp, Fp2, Fp6, Fp12 } = tower12({
ORDER: bn254_G1_CURVE.p,
X_LEN: BN_X_LEN,
FP2_NONRESIDUE: [BigInt(9), _1n],
Fp2mulByB: (num) => Fp2.mul(num, Fp2B),
Fp12finalExponentiate: (num) => {
const powMinusX = (num: Fp12) => Fp12.conjugate(Fp12._cyclotomicExp(num, BN_X));
const r0 = Fp12.mul(Fp12.conjugate(num), Fp12.inv(num));
const r = Fp12.mul(Fp12.frobeniusMap(r0, 2), r0);
const y1 = Fp12._cyclotomicSquare(powMinusX(r));
const y2 = Fp12.mul(Fp12._cyclotomicSquare(y1), y1);
const y4 = powMinusX(y2);
const y6 = powMinusX(Fp12._cyclotomicSquare(y4));
const y8 = Fp12.mul(Fp12.mul(Fp12.conjugate(y6), y4), Fp12.conjugate(y2));
const y9 = Fp12.mul(y8, y1);
return Fp12.mul(
Fp12.frobeniusMap(Fp12.mul(Fp12.conjugate(r), y9), 3),
Fp12.mul(
Fp12.frobeniusMap(y8, 2),
Fp12.mul(Fp12.frobeniusMap(y9, 1), Fp12.mul(Fp12.mul(y8, y4), r))
)
);
},
});
// END OF CURVE FIELDS
const { G2psi, psi } = psiFrobenius(Fp, Fp2, Fp2.NONRESIDUE);
/*
No hashToCurve for now (and signatures):
- RFC 9380 doesn't mention bn254 and doesn't provide test vectors
- Overall seems like nobody is using BLS signatures on top of bn254
- Seems like it can utilize SVDW, which is not implemented yet
*/
const htfDefaults = Object.freeze({
// DST: a domain separation tag defined in section 2.2.5
DST: 'BN254G2_XMD:SHA-256_SVDW_RO_',
encodeDST: 'BN254G2_XMD:SHA-256_SVDW_RO_',
p: Fp.ORDER,
m: 2,
k: 128,
expand: 'xmd',
hash: sha256,
});
export const _postPrecompute: PostPrecomputeFn = (
Rx: Fp2,
Ry: Fp2,
Rz: Fp2,
Qx: Fp2,
Qy: Fp2,
pointAdd: PostPrecomputePointAddFn
) => {
const q = psi(Qx, Qy);
({ Rx, Ry, Rz } = pointAdd(Rx, Ry, Rz, q[0], q[1]));
const q2 = psi(q[0], q[1]);
pointAdd(Rx, Ry, Rz, q2[0], Fp2.neg(q2[1]));
};
// cofactor: (36 * X^4) + (36 * X^3) + (30 * X^2) + 6*X + 1
const bn254_G2_CURVE: WeierstrassOpts<Fp2> = {
p: Fp2.ORDER,
n: bn254_G1_CURVE.n,
h: BigInt('0x30644e72e131a029b85045b68181585e06ceecda572a2489345f2299c0f9fa8d'),
a: Fp2.ZERO,
b: Fp2B,
Gx: Fp2.fromBigTuple([
BigInt('10857046999023057135944570762232829481370756359578518086990519993285655852781'),
BigInt('11559732032986387107991004021392285783925812861821192530917403151452391805634'),
]),
Gy: Fp2.fromBigTuple([
BigInt('8495653923123431417604973247489272438418190587263600148770280649306958101930'),
BigInt('4082367875863433681332203403145435568316851327593401208105741076214120093531'),
]),
};
/**
* bn254 (a.k.a. alt_bn128) pairing-friendly curve.
* Contains G1 / G2 operations and pairings.
*/
export const bn254: BLSCurveFn = bls({
// Fields
fields: { Fp, Fp2, Fp6, Fp12, Fr: bn254_Fr },
G1: {
...bn254_G1_CURVE,
Fp,
htfDefaults: { ...htfDefaults, m: 1, DST: 'BN254G2_XMD:SHA-256_SVDW_RO_' },
wrapPrivateKey: true,
allowInfinityPoint: true,
mapToCurve: notImplemented,
fromBytes: notImplemented,
toBytes: notImplemented,
ShortSignature: {
fromBytes: notImplemented,
fromHex: notImplemented,
toBytes: notImplemented,
toRawBytes: notImplemented,
toHex: notImplemented,
},
},
G2: {
...bn254_G2_CURVE,
Fp: Fp2,
hEff: BigInt('21888242871839275222246405745257275088844257914179612981679871602714643921549'),
htfDefaults: { ...htfDefaults },
wrapPrivateKey: true,
allowInfinityPoint: true,
isTorsionFree: (c, P) => P.multiplyUnsafe(SIX_X_SQUARED).equals(G2psi(c, P)), // [p]P = [6X^2]P
mapToCurve: notImplemented,
fromBytes: notImplemented,
toBytes: notImplemented,
Signature: {
fromBytes: notImplemented,
fromHex: notImplemented,
toBytes: notImplemented,
toRawBytes: notImplemented,
toHex: notImplemented,
},
},
params: {
ateLoopSize: BN_X * _6n + _2n,
r: bn254_Fr.ORDER,
xNegative: false,
twistType: 'divisive',
},
htfDefaults,
hash: sha256,
postPrecompute: _postPrecompute,
});
/**
* bn254 weierstrass curve with ECDSA.
* This is very rare and probably not used anywhere.
* Instead, you should use G1 / G2, defined above.
* @deprecated
*/
export const bn254_weierstrass: CurveFn = weierstrass({
a: BigInt(0),
b: BigInt(3),
Fp,
n: BigInt('21888242871839275222246405745257275088548364400416034343698204186575808495617'),
Gx: BigInt(1),
Gy: BigInt(2),
h: BigInt(1),
hash: sha256,
});

554
node_modules/@noble/curves/src/ed25519.ts generated vendored Normal file
View File

@@ -0,0 +1,554 @@
/**
* ed25519 Twisted Edwards curve with following addons:
* - X25519 ECDH
* - Ristretto cofactor elimination
* - Elligator hash-to-group / point indistinguishability
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { sha512 } from '@noble/hashes/sha2.js';
import { abytes, concatBytes, utf8ToBytes } from '@noble/hashes/utils.js';
import { pippenger, type AffinePoint } from './abstract/curve.ts';
import {
PrimeEdwardsPoint,
twistedEdwards,
type CurveFn,
type EdwardsOpts,
type EdwardsPoint,
} from './abstract/edwards.ts';
import {
_DST_scalar,
createHasher,
expand_message_xmd,
type H2CHasher,
type H2CHasherBase,
type H2CMethod,
type htfBasicOpts,
} from './abstract/hash-to-curve.ts';
import {
Field,
FpInvertBatch,
FpSqrtEven,
isNegativeLE,
mod,
pow2,
type IField,
} from './abstract/modular.ts';
import { montgomery, type MontgomeryECDH as XCurveFn } from './abstract/montgomery.ts';
import { bytesToNumberLE, ensureBytes, equalBytes, type Hex } from './utils.ts';
// prettier-ignore
const _0n = /* @__PURE__ */ BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
// prettier-ignore
const _5n = BigInt(5), _8n = BigInt(8);
// P = 2n**255n-19n
const ed25519_CURVE_p = BigInt(
'0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed'
);
// N = 2n**252n + 27742317777372353535851937790883648493n
// a = Fp.create(BigInt(-1))
// d = -121665/121666 a.k.a. Fp.neg(121665 * Fp.inv(121666))
const ed25519_CURVE: EdwardsOpts = /* @__PURE__ */ (() => ({
p: ed25519_CURVE_p,
n: BigInt('0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed'),
h: _8n,
a: BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffec'),
d: BigInt('0x52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca135978a3'),
Gx: BigInt('0x216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51a'),
Gy: BigInt('0x6666666666666666666666666666666666666666666666666666666666666658'),
}))();
function ed25519_pow_2_252_3(x: bigint) {
// prettier-ignore
const _10n = BigInt(10), _20n = BigInt(20), _40n = BigInt(40), _80n = BigInt(80);
const P = ed25519_CURVE_p;
const x2 = (x * x) % P;
const b2 = (x2 * x) % P; // x^3, 11
const b4 = (pow2(b2, _2n, P) * b2) % P; // x^15, 1111
const b5 = (pow2(b4, _1n, P) * x) % P; // x^31
const b10 = (pow2(b5, _5n, P) * b5) % P;
const b20 = (pow2(b10, _10n, P) * b10) % P;
const b40 = (pow2(b20, _20n, P) * b20) % P;
const b80 = (pow2(b40, _40n, P) * b40) % P;
const b160 = (pow2(b80, _80n, P) * b80) % P;
const b240 = (pow2(b160, _80n, P) * b80) % P;
const b250 = (pow2(b240, _10n, P) * b10) % P;
const pow_p_5_8 = (pow2(b250, _2n, P) * x) % P;
// ^ To pow to (p+3)/8, multiply it by x.
return { pow_p_5_8, b2 };
}
function adjustScalarBytes(bytes: Uint8Array): Uint8Array {
// Section 5: For X25519, in order to decode 32 random bytes as an integer scalar,
// set the three least significant bits of the first byte
bytes[0] &= 248; // 0b1111_1000
// and the most significant bit of the last to zero,
bytes[31] &= 127; // 0b0111_1111
// set the second most significant bit of the last byte to 1
bytes[31] |= 64; // 0b0100_0000
return bytes;
}
// √(-1) aka √(a) aka 2^((p-1)/4)
// Fp.sqrt(Fp.neg(1))
const ED25519_SQRT_M1 = /* @__PURE__ */ BigInt(
'19681161376707505956807079304988542015446066515923890162744021073123829784752'
);
// sqrt(u/v)
function uvRatio(u: bigint, v: bigint): { isValid: boolean; value: bigint } {
const P = ed25519_CURVE_p;
const v3 = mod(v * v * v, P); // v³
const v7 = mod(v3 * v3 * v, P); // v⁷
// (p+3)/8 and (p-5)/8
const pow = ed25519_pow_2_252_3(u * v7).pow_p_5_8;
let x = mod(u * v3 * pow, P); // (uv³)(uv⁷)^(p-5)/8
const vx2 = mod(v * x * x, P); // vx²
const root1 = x; // First root candidate
const root2 = mod(x * ED25519_SQRT_M1, P); // Second root candidate
const useRoot1 = vx2 === u; // If vx² = u (mod p), x is a square root
const useRoot2 = vx2 === mod(-u, P); // If vx² = -u, set x <-- x * 2^((p-1)/4)
const noRoot = vx2 === mod(-u * ED25519_SQRT_M1, P); // There is no valid root, vx² = -u√(-1)
if (useRoot1) x = root1;
if (useRoot2 || noRoot) x = root2; // We return root2 anyway, for const-time
if (isNegativeLE(x, P)) x = mod(-x, P);
return { isValid: useRoot1 || useRoot2, value: x };
}
const Fp = /* @__PURE__ */ (() => Field(ed25519_CURVE.p, { isLE: true }))();
const Fn = /* @__PURE__ */ (() => Field(ed25519_CURVE.n, { isLE: true }))();
const ed25519Defaults = /* @__PURE__ */ (() => ({
...ed25519_CURVE,
Fp,
hash: sha512,
adjustScalarBytes,
// dom2
// Ratio of u to v. Allows us to combine inversion and square root. Uses algo from RFC8032 5.1.3.
// Constant-time, u/√v
uvRatio,
}))();
/**
* ed25519 curve with EdDSA signatures.
* @example
* import { ed25519 } from '@noble/curves/ed25519';
* const { secretKey, publicKey } = ed25519.keygen();
* const msg = new TextEncoder().encode('hello');
* const sig = ed25519.sign(msg, priv);
* ed25519.verify(sig, msg, pub); // Default mode: follows ZIP215
* ed25519.verify(sig, msg, pub, { zip215: false }); // RFC8032 / FIPS 186-5
*/
export const ed25519: CurveFn = /* @__PURE__ */ (() => twistedEdwards(ed25519Defaults))();
function ed25519_domain(data: Uint8Array, ctx: Uint8Array, phflag: boolean) {
if (ctx.length > 255) throw new Error('Context is too big');
return concatBytes(
utf8ToBytes('SigEd25519 no Ed25519 collisions'),
new Uint8Array([phflag ? 1 : 0, ctx.length]),
ctx,
data
);
}
/** Context of ed25519. Uses context for domain separation. */
export const ed25519ctx: CurveFn = /* @__PURE__ */ (() =>
twistedEdwards({
...ed25519Defaults,
domain: ed25519_domain,
}))();
/** Prehashed version of ed25519. Accepts already-hashed messages in sign() and verify(). */
export const ed25519ph: CurveFn = /* @__PURE__ */ (() =>
twistedEdwards(
Object.assign({}, ed25519Defaults, {
domain: ed25519_domain,
prehash: sha512,
})
))();
/**
* ECDH using curve25519 aka x25519.
* @example
* import { x25519 } from '@noble/curves/ed25519';
* const priv = 'a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4';
* const pub = 'e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c';
* x25519.getSharedSecret(priv, pub) === x25519.scalarMult(priv, pub); // aliases
* x25519.getPublicKey(priv) === x25519.scalarMultBase(priv);
* x25519.getPublicKey(x25519.utils.randomSecretKey());
*/
export const x25519: XCurveFn = /* @__PURE__ */ (() => {
const P = Fp.ORDER;
return montgomery({
P,
type: 'x25519',
powPminus2: (x: bigint): bigint => {
// x^(p-2) aka x^(2^255-21)
const { pow_p_5_8, b2 } = ed25519_pow_2_252_3(x);
return mod(pow2(pow_p_5_8, _3n, P) * b2, P);
},
adjustScalarBytes,
});
})();
// Hash To Curve Elligator2 Map (NOTE: different from ristretto255 elligator)
// NOTE: very important part is usage of FpSqrtEven for ELL2_C1_EDWARDS, since
// SageMath returns different root first and everything falls apart
const ELL2_C1 = /* @__PURE__ */ (() => (ed25519_CURVE_p + _3n) / _8n)(); // 1. c1 = (q + 3) / 8 # Integer arithmetic
const ELL2_C2 = /* @__PURE__ */ (() => Fp.pow(_2n, ELL2_C1))(); // 2. c2 = 2^c1
const ELL2_C3 = /* @__PURE__ */ (() => Fp.sqrt(Fp.neg(Fp.ONE)))(); // 3. c3 = sqrt(-1)
// prettier-ignore
function map_to_curve_elligator2_curve25519(u: bigint) {
const ELL2_C4 = (ed25519_CURVE_p - _5n) / _8n; // 4. c4 = (q - 5) / 8 # Integer arithmetic
const ELL2_J = BigInt(486662);
let tv1 = Fp.sqr(u); // 1. tv1 = u^2
tv1 = Fp.mul(tv1, _2n); // 2. tv1 = 2 * tv1
let xd = Fp.add(tv1, Fp.ONE); // 3. xd = tv1 + 1 # Nonzero: -1 is square (mod p), tv1 is not
let x1n = Fp.neg(ELL2_J); // 4. x1n = -J # x1 = x1n / xd = -J / (1 + 2 * u^2)
let tv2 = Fp.sqr(xd); // 5. tv2 = xd^2
let gxd = Fp.mul(tv2, xd); // 6. gxd = tv2 * xd # gxd = xd^3
let gx1 = Fp.mul(tv1, ELL2_J);// 7. gx1 = J * tv1 # x1n + J * xd
gx1 = Fp.mul(gx1, x1n); // 8. gx1 = gx1 * x1n # x1n^2 + J * x1n * xd
gx1 = Fp.add(gx1, tv2); // 9. gx1 = gx1 + tv2 # x1n^2 + J * x1n * xd + xd^2
gx1 = Fp.mul(gx1, x1n); // 10. gx1 = gx1 * x1n # x1n^3 + J * x1n^2 * xd + x1n * xd^2
let tv3 = Fp.sqr(gxd); // 11. tv3 = gxd^2
tv2 = Fp.sqr(tv3); // 12. tv2 = tv3^2 # gxd^4
tv3 = Fp.mul(tv3, gxd); // 13. tv3 = tv3 * gxd # gxd^3
tv3 = Fp.mul(tv3, gx1); // 14. tv3 = tv3 * gx1 # gx1 * gxd^3
tv2 = Fp.mul(tv2, tv3); // 15. tv2 = tv2 * tv3 # gx1 * gxd^7
let y11 = Fp.pow(tv2, ELL2_C4); // 16. y11 = tv2^c4 # (gx1 * gxd^7)^((p - 5) / 8)
y11 = Fp.mul(y11, tv3); // 17. y11 = y11 * tv3 # gx1*gxd^3*(gx1*gxd^7)^((p-5)/8)
let y12 = Fp.mul(y11, ELL2_C3); // 18. y12 = y11 * c3
tv2 = Fp.sqr(y11); // 19. tv2 = y11^2
tv2 = Fp.mul(tv2, gxd); // 20. tv2 = tv2 * gxd
let e1 = Fp.eql(tv2, gx1); // 21. e1 = tv2 == gx1
let y1 = Fp.cmov(y12, y11, e1); // 22. y1 = CMOV(y12, y11, e1) # If g(x1) is square, this is its sqrt
let x2n = Fp.mul(x1n, tv1); // 23. x2n = x1n * tv1 # x2 = x2n / xd = 2 * u^2 * x1n / xd
let y21 = Fp.mul(y11, u); // 24. y21 = y11 * u
y21 = Fp.mul(y21, ELL2_C2); // 25. y21 = y21 * c2
let y22 = Fp.mul(y21, ELL2_C3); // 26. y22 = y21 * c3
let gx2 = Fp.mul(gx1, tv1); // 27. gx2 = gx1 * tv1 # g(x2) = gx2 / gxd = 2 * u^2 * g(x1)
tv2 = Fp.sqr(y21); // 28. tv2 = y21^2
tv2 = Fp.mul(tv2, gxd); // 29. tv2 = tv2 * gxd
let e2 = Fp.eql(tv2, gx2); // 30. e2 = tv2 == gx2
let y2 = Fp.cmov(y22, y21, e2); // 31. y2 = CMOV(y22, y21, e2) # If g(x2) is square, this is its sqrt
tv2 = Fp.sqr(y1); // 32. tv2 = y1^2
tv2 = Fp.mul(tv2, gxd); // 33. tv2 = tv2 * gxd
let e3 = Fp.eql(tv2, gx1); // 34. e3 = tv2 == gx1
let xn = Fp.cmov(x2n, x1n, e3); // 35. xn = CMOV(x2n, x1n, e3) # If e3, x = x1, else x = x2
let y = Fp.cmov(y2, y1, e3); // 36. y = CMOV(y2, y1, e3) # If e3, y = y1, else y = y2
let e4 = Fp.isOdd!(y); // 37. e4 = sgn0(y) == 1 # Fix sign of y
y = Fp.cmov(y, Fp.neg(y), e3 !== e4); // 38. y = CMOV(y, -y, e3 XOR e4)
return { xMn: xn, xMd: xd, yMn: y, yMd: _1n }; // 39. return (xn, xd, y, 1)
}
const ELL2_C1_EDWARDS = /* @__PURE__ */ (() => FpSqrtEven(Fp, Fp.neg(BigInt(486664))))(); // sgn0(c1) MUST equal 0
function map_to_curve_elligator2_edwards25519(u: bigint) {
const { xMn, xMd, yMn, yMd } = map_to_curve_elligator2_curve25519(u); // 1. (xMn, xMd, yMn, yMd) =
// map_to_curve_elligator2_curve25519(u)
let xn = Fp.mul(xMn, yMd); // 2. xn = xMn * yMd
xn = Fp.mul(xn, ELL2_C1_EDWARDS); // 3. xn = xn * c1
let xd = Fp.mul(xMd, yMn); // 4. xd = xMd * yMn # xn / xd = c1 * xM / yM
let yn = Fp.sub(xMn, xMd); // 5. yn = xMn - xMd
let yd = Fp.add(xMn, xMd); // 6. yd = xMn + xMd # (n / d - 1) / (n / d + 1) = (n - d) / (n + d)
let tv1 = Fp.mul(xd, yd); // 7. tv1 = xd * yd
let e = Fp.eql(tv1, Fp.ZERO); // 8. e = tv1 == 0
xn = Fp.cmov(xn, Fp.ZERO, e); // 9. xn = CMOV(xn, 0, e)
xd = Fp.cmov(xd, Fp.ONE, e); // 10. xd = CMOV(xd, 1, e)
yn = Fp.cmov(yn, Fp.ONE, e); // 11. yn = CMOV(yn, 1, e)
yd = Fp.cmov(yd, Fp.ONE, e); // 12. yd = CMOV(yd, 1, e)
const [xd_inv, yd_inv] = FpInvertBatch(Fp, [xd, yd], true); // batch division
return { x: Fp.mul(xn, xd_inv), y: Fp.mul(yn, yd_inv) }; // 13. return (xn, xd, yn, yd)
}
/** Hashing to ed25519 points / field. RFC 9380 methods. */
export const ed25519_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() =>
createHasher(
ed25519.Point,
(scalars: bigint[]) => map_to_curve_elligator2_edwards25519(scalars[0]),
{
DST: 'edwards25519_XMD:SHA-512_ELL2_RO_',
encodeDST: 'edwards25519_XMD:SHA-512_ELL2_NU_',
p: ed25519_CURVE_p,
m: 1,
k: 128,
expand: 'xmd',
hash: sha512,
}
))();
// √(-1) aka √(a) aka 2^((p-1)/4)
const SQRT_M1 = ED25519_SQRT_M1;
// √(ad - 1)
const SQRT_AD_MINUS_ONE = /* @__PURE__ */ BigInt(
'25063068953384623474111414158702152701244531502492656460079210482610430750235'
);
// 1 / √(a-d)
const INVSQRT_A_MINUS_D = /* @__PURE__ */ BigInt(
'54469307008909316920995813868745141605393597292927456921205312896311721017578'
);
// 1-d²
const ONE_MINUS_D_SQ = /* @__PURE__ */ BigInt(
'1159843021668779879193775521855586647937357759715417654439879720876111806838'
);
// (d-1)²
const D_MINUS_ONE_SQ = /* @__PURE__ */ BigInt(
'40440834346308536858101042469323190826248399146238708352240133220865137265952'
);
// Calculates 1/√(number)
const invertSqrt = (number: bigint) => uvRatio(_1n, number);
const MAX_255B = /* @__PURE__ */ BigInt(
'0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
);
const bytes255ToNumberLE = (bytes: Uint8Array) =>
ed25519.Point.Fp.create(bytesToNumberLE(bytes) & MAX_255B);
type ExtendedPoint = EdwardsPoint;
/**
* Computes Elligator map for Ristretto255.
* Described in [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#appendix-B) and on
* the [website](https://ristretto.group/formulas/elligator.html).
*/
function calcElligatorRistrettoMap(r0: bigint): ExtendedPoint {
const { d } = ed25519_CURVE;
const P = ed25519_CURVE_p;
const mod = (n: bigint) => Fp.create(n);
const r = mod(SQRT_M1 * r0 * r0); // 1
const Ns = mod((r + _1n) * ONE_MINUS_D_SQ); // 2
let c = BigInt(-1); // 3
const D = mod((c - d * r) * mod(r + d)); // 4
let { isValid: Ns_D_is_sq, value: s } = uvRatio(Ns, D); // 5
let s_ = mod(s * r0); // 6
if (!isNegativeLE(s_, P)) s_ = mod(-s_);
if (!Ns_D_is_sq) s = s_; // 7
if (!Ns_D_is_sq) c = r; // 8
const Nt = mod(c * (r - _1n) * D_MINUS_ONE_SQ - D); // 9
const s2 = s * s;
const W0 = mod((s + s) * D); // 10
const W1 = mod(Nt * SQRT_AD_MINUS_ONE); // 11
const W2 = mod(_1n - s2); // 12
const W3 = mod(_1n + s2); // 13
return new ed25519.Point(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
}
function ristretto255_map(bytes: Uint8Array): _RistrettoPoint {
abytes(bytes, 64);
const r1 = bytes255ToNumberLE(bytes.subarray(0, 32));
const R1 = calcElligatorRistrettoMap(r1);
const r2 = bytes255ToNumberLE(bytes.subarray(32, 64));
const R2 = calcElligatorRistrettoMap(r2);
return new _RistrettoPoint(R1.add(R2));
}
/**
* Wrapper over Edwards Point for ristretto255.
*
* Each ed25519/ExtendedPoint has 8 different equivalent points. This can be
* a source of bugs for protocols like ring signatures. Ristretto was created to solve this.
* Ristretto point operates in X:Y:Z:T extended coordinates like ExtendedPoint,
* but it should work in its own namespace: do not combine those two.
* See [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
*/
class _RistrettoPoint extends PrimeEdwardsPoint<_RistrettoPoint> {
// Do NOT change syntax: the following gymnastics is done,
// because typescript strips comments, which makes bundlers disable tree-shaking.
// prettier-ignore
static BASE: _RistrettoPoint =
/* @__PURE__ */ (() => new _RistrettoPoint(ed25519.Point.BASE))();
// prettier-ignore
static ZERO: _RistrettoPoint =
/* @__PURE__ */ (() => new _RistrettoPoint(ed25519.Point.ZERO))();
// prettier-ignore
static Fp: IField<bigint> =
/* @__PURE__ */ (() => Fp)();
// prettier-ignore
static Fn: IField<bigint> =
/* @__PURE__ */ (() => Fn)();
constructor(ep: ExtendedPoint) {
super(ep);
}
static fromAffine(ap: AffinePoint<bigint>): _RistrettoPoint {
return new _RistrettoPoint(ed25519.Point.fromAffine(ap));
}
protected assertSame(other: _RistrettoPoint): void {
if (!(other instanceof _RistrettoPoint)) throw new Error('RistrettoPoint expected');
}
protected init(ep: EdwardsPoint): _RistrettoPoint {
return new _RistrettoPoint(ep);
}
/** @deprecated use `import { ristretto255_hasher } from '@noble/curves/ed25519.js';` */
static hashToCurve(hex: Hex): _RistrettoPoint {
return ristretto255_map(ensureBytes('ristrettoHash', hex, 64));
}
static fromBytes(bytes: Uint8Array): _RistrettoPoint {
abytes(bytes, 32);
const { a, d } = ed25519_CURVE;
const P = ed25519_CURVE_p;
const mod = (n: bigint) => Fp.create(n);
const s = bytes255ToNumberLE(bytes);
// 1. Check that s_bytes is the canonical encoding of a field element, or else abort.
// 3. Check that s is non-negative, or else abort
if (!equalBytes(Fp.toBytes(s), bytes) || isNegativeLE(s, P))
throw new Error('invalid ristretto255 encoding 1');
const s2 = mod(s * s);
const u1 = mod(_1n + a * s2); // 4 (a is -1)
const u2 = mod(_1n - a * s2); // 5
const u1_2 = mod(u1 * u1);
const u2_2 = mod(u2 * u2);
const v = mod(a * d * u1_2 - u2_2); // 6
const { isValid, value: I } = invertSqrt(mod(v * u2_2)); // 7
const Dx = mod(I * u2); // 8
const Dy = mod(I * Dx * v); // 9
let x = mod((s + s) * Dx); // 10
if (isNegativeLE(x, P)) x = mod(-x); // 10
const y = mod(u1 * Dy); // 11
const t = mod(x * y); // 12
if (!isValid || isNegativeLE(t, P) || y === _0n)
throw new Error('invalid ristretto255 encoding 2');
return new _RistrettoPoint(new ed25519.Point(x, y, _1n, t));
}
/**
* Converts ristretto-encoded string to ristretto point.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode).
* @param hex Ristretto-encoded 32 bytes. Not every 32-byte string is valid ristretto encoding
*/
static fromHex(hex: Hex): _RistrettoPoint {
return _RistrettoPoint.fromBytes(ensureBytes('ristrettoHex', hex, 32));
}
static msm(points: _RistrettoPoint[], scalars: bigint[]): _RistrettoPoint {
return pippenger(_RistrettoPoint, ed25519.Point.Fn, points, scalars);
}
/**
* Encodes ristretto point to Uint8Array.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-encode).
*/
toBytes(): Uint8Array {
let { X, Y, Z, T } = this.ep;
const P = ed25519_CURVE_p;
const mod = (n: bigint) => Fp.create(n);
const u1 = mod(mod(Z + Y) * mod(Z - Y)); // 1
const u2 = mod(X * Y); // 2
// Square root always exists
const u2sq = mod(u2 * u2);
const { value: invsqrt } = invertSqrt(mod(u1 * u2sq)); // 3
const D1 = mod(invsqrt * u1); // 4
const D2 = mod(invsqrt * u2); // 5
const zInv = mod(D1 * D2 * T); // 6
let D: bigint; // 7
if (isNegativeLE(T * zInv, P)) {
let _x = mod(Y * SQRT_M1);
let _y = mod(X * SQRT_M1);
X = _x;
Y = _y;
D = mod(D1 * INVSQRT_A_MINUS_D);
} else {
D = D2; // 8
}
if (isNegativeLE(X * zInv, P)) Y = mod(-Y); // 9
let s = mod((Z - Y) * D); // 10 (check footer's note, no sqrt(-a))
if (isNegativeLE(s, P)) s = mod(-s);
return Fp.toBytes(s); // 11
}
/**
* Compares two Ristretto points.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-equals).
*/
equals(other: _RistrettoPoint): boolean {
this.assertSame(other);
const { X: X1, Y: Y1 } = this.ep;
const { X: X2, Y: Y2 } = other.ep;
const mod = (n: bigint) => Fp.create(n);
// (x1 * y2 == y1 * x2) | (y1 * y2 == x1 * x2)
const one = mod(X1 * Y2) === mod(Y1 * X2);
const two = mod(Y1 * Y2) === mod(X1 * X2);
return one || two;
}
is0(): boolean {
return this.equals(_RistrettoPoint.ZERO);
}
}
export const ristretto255: {
Point: typeof _RistrettoPoint;
} = { Point: _RistrettoPoint };
/** Hashing to ristretto255 points / field. RFC 9380 methods. */
export const ristretto255_hasher: H2CHasherBase<bigint> = {
hashToCurve(msg: Uint8Array, options?: htfBasicOpts): _RistrettoPoint {
const DST = options?.DST || 'ristretto255_XMD:SHA-512_R255MAP_RO_';
const xmd = expand_message_xmd(msg, DST, 64, sha512);
return ristretto255_map(xmd);
},
hashToScalar(msg: Uint8Array, options: htfBasicOpts = { DST: _DST_scalar }) {
const xmd = expand_message_xmd(msg, options.DST, 64, sha512);
return Fn.create(bytesToNumberLE(xmd));
},
};
// export const ristretto255_oprf: OPRF = createORPF({
// name: 'ristretto255-SHA512',
// Point: RistrettoPoint,
// hash: sha512,
// hashToGroup: ristretto255_hasher.hashToCurve,
// hashToScalar: ristretto255_hasher.hashToScalar,
// });
/**
* Weird / bogus points, useful for debugging.
* All 8 ed25519 points of 8-torsion subgroup can be generated from the point
* T = `26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05`.
* ⟨T⟩ = { O, T, 2T, 3T, 4T, 5T, 6T, 7T }
*/
export const ED25519_TORSION_SUBGROUP: string[] = [
'0100000000000000000000000000000000000000000000000000000000000000',
'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a',
'0000000000000000000000000000000000000000000000000000000000000080',
'26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05',
'ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
'26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc85',
'0000000000000000000000000000000000000000000000000000000000000000',
'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa',
];
/** @deprecated use `ed25519.utils.toMontgomery` */
export function edwardsToMontgomeryPub(edwardsPub: Hex): Uint8Array {
return ed25519.utils.toMontgomery(ensureBytes('pub', edwardsPub));
}
/** @deprecated use `ed25519.utils.toMontgomery` */
export const edwardsToMontgomery: typeof edwardsToMontgomeryPub = edwardsToMontgomeryPub;
/** @deprecated use `ed25519.utils.toMontgomerySecret` */
export function edwardsToMontgomeryPriv(edwardsPriv: Uint8Array): Uint8Array {
return ed25519.utils.toMontgomerySecret(ensureBytes('pub', edwardsPriv));
}
/** @deprecated use `ristretto255.Point` */
export const RistrettoPoint: typeof _RistrettoPoint = _RistrettoPoint;
/** @deprecated use `import { ed25519_hasher } from '@noble/curves/ed25519.js';` */
export const hashToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() => ed25519_hasher.hashToCurve)();
/** @deprecated use `import { ed25519_hasher } from '@noble/curves/ed25519.js';` */
export const encodeToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() =>
ed25519_hasher.encodeToCurve)();
type RistHasher = (msg: Uint8Array, options: htfBasicOpts) => _RistrettoPoint;
/** @deprecated use `import { ristretto255_hasher } from '@noble/curves/ed25519.js';` */
export const hashToRistretto255: RistHasher = /* @__PURE__ */ (() =>
ristretto255_hasher.hashToCurve as RistHasher)();
/** @deprecated use `import { ristretto255_hasher } from '@noble/curves/ed25519.js';` */
export const hash_to_ristretto255: RistHasher = /* @__PURE__ */ (() =>
ristretto255_hasher.hashToCurve as RistHasher)();

552
node_modules/@noble/curves/src/ed448.ts generated vendored Normal file
View File

@@ -0,0 +1,552 @@
/**
* Edwards448 (not Ed448-Goldilocks) curve with following addons:
* - X448 ECDH
* - Decaf cofactor elimination
* - Elligator hash-to-group / point indistinguishability
* Conforms to RFC 8032 https://www.rfc-editor.org/rfc/rfc8032.html#section-5.2
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { shake256 } from '@noble/hashes/sha3.js';
import { abytes, concatBytes, createHasher as wrapConstructor } from '@noble/hashes/utils.js';
import type { AffinePoint } from './abstract/curve.ts';
import { pippenger } from './abstract/curve.ts';
import {
edwards,
PrimeEdwardsPoint,
twistedEdwards,
type CurveFn,
type EdwardsOpts,
type EdwardsPoint,
type EdwardsPointCons,
} from './abstract/edwards.ts';
import {
_DST_scalar,
createHasher,
expand_message_xof,
type H2CHasher,
type H2CHasherBase,
type H2CMethod,
type htfBasicOpts,
} from './abstract/hash-to-curve.ts';
import { Field, FpInvertBatch, isNegativeLE, mod, pow2, type IField } from './abstract/modular.ts';
import { montgomery, type MontgomeryECDH as XCurveFn } from './abstract/montgomery.ts';
import { asciiToBytes, bytesToNumberLE, ensureBytes, equalBytes, type Hex } from './utils.ts';
// edwards448 curve
// a = 1n
// d = Fp.neg(39081n)
// Finite field 2n**448n - 2n**224n - 1n
// Subgroup order
// 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
const ed448_CURVE: EdwardsOpts = {
p: BigInt(
'0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
),
n: BigInt(
'0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3'
),
h: BigInt(4),
a: BigInt(1),
d: BigInt(
'0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffff6756'
),
Gx: BigInt(
'0x4f1970c66bed0ded221d15a622bf36da9e146570470f1767ea6de324a3d3a46412ae1af72ab66511433b80e18b00938e2626a82bc70cc05e'
),
Gy: BigInt(
'0x693f46716eb6bc248876203756c9c7624bea73736ca3984087789c1e05a0c2d73ad3ff1ce67c39c4fdbd132c4ed7c8ad9808795bf230fa14'
),
};
// E448 NIST curve is identical to edwards448, except for:
// d = 39082/39081
// Gx = 3/2
const E448_CURVE: EdwardsOpts = Object.assign({}, ed448_CURVE, {
d: BigInt(
'0xd78b4bdc7f0daf19f24f38c29373a2ccad46157242a50f37809b1da3412a12e79ccc9c81264cfe9ad080997058fb61c4243cc32dbaa156b9'
),
Gx: BigInt(
'0x79a70b2b70400553ae7c9df416c792c61128751ac92969240c25a07d728bdc93e21f7787ed6972249de732f38496cd11698713093e9c04fc'
),
Gy: BigInt(
'0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffff80000000000000000000000000000000000000000000000000000001'
),
});
const shake256_114 = /* @__PURE__ */ wrapConstructor(() => shake256.create({ dkLen: 114 }));
const shake256_64 = /* @__PURE__ */ wrapConstructor(() => shake256.create({ dkLen: 64 }));
// prettier-ignore
const _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n = BigInt(4), _11n = BigInt(11);
// prettier-ignore
const _22n = BigInt(22), _44n = BigInt(44), _88n = BigInt(88), _223n = BigInt(223);
// powPminus3div4 calculates z = x^k mod p, where k = (p-3)/4.
// Used for efficient square root calculation.
// ((P-3)/4).toString(2) would produce bits [223x 1, 0, 222x 1]
function ed448_pow_Pminus3div4(x: bigint): bigint {
const P = ed448_CURVE.p;
const b2 = (x * x * x) % P;
const b3 = (b2 * b2 * x) % P;
const b6 = (pow2(b3, _3n, P) * b3) % P;
const b9 = (pow2(b6, _3n, P) * b3) % P;
const b11 = (pow2(b9, _2n, P) * b2) % P;
const b22 = (pow2(b11, _11n, P) * b11) % P;
const b44 = (pow2(b22, _22n, P) * b22) % P;
const b88 = (pow2(b44, _44n, P) * b44) % P;
const b176 = (pow2(b88, _88n, P) * b88) % P;
const b220 = (pow2(b176, _44n, P) * b44) % P;
const b222 = (pow2(b220, _2n, P) * b2) % P;
const b223 = (pow2(b222, _1n, P) * x) % P;
return (pow2(b223, _223n, P) * b222) % P;
}
function adjustScalarBytes(bytes: Uint8Array): Uint8Array {
// Section 5: Likewise, for X448, set the two least significant bits of the first byte to 0,
bytes[0] &= 252; // 0b11111100
// and the most significant bit of the last byte to 1.
bytes[55] |= 128; // 0b10000000
// NOTE: is NOOP for 56 bytes scalars (X25519/X448)
bytes[56] = 0; // Byte outside of group (456 buts vs 448 bits)
return bytes;
}
// Constant-time ratio of u to v. Allows to combine inversion and square root u/√v.
// Uses algo from RFC8032 5.1.3.
function uvRatio(u: bigint, v: bigint): { isValid: boolean; value: bigint } {
const P = ed448_CURVE.p;
// https://www.rfc-editor.org/rfc/rfc8032#section-5.2.3
// To compute the square root of (u/v), the first step is to compute the
// candidate root x = (u/v)^((p+1)/4). This can be done using the
// following trick, to use a single modular powering for both the
// inversion of v and the square root:
// x = (u/v)^((p+1)/4) = u³v(u⁵v³)^((p-3)/4) (mod p)
const u2v = mod(u * u * v, P); // u²v
const u3v = mod(u2v * u, P); // u³v
const u5v3 = mod(u3v * u2v * v, P); // u⁵v³
const root = ed448_pow_Pminus3div4(u5v3);
const x = mod(u3v * root, P);
// Verify that root is exists
const x2 = mod(x * x, P); // x²
// If vx² = u, the recovered x-coordinate is x. Otherwise, no
// square root exists, and the decoding fails.
return { isValid: mod(x2 * v, P) === u, value: x };
}
// Finite field 2n**448n - 2n**224n - 1n
// The value fits in 448 bits, but we use 456-bit (57-byte) elements because of bitflags.
// - ed25519 fits in 255 bits, allowing using last 1 byte for specifying bit flag of point negation.
// - ed448 fits in 448 bits. We can't use last 1 byte: we can only use a bit 224 in the middle.
const Fp = /* @__PURE__ */ (() => Field(ed448_CURVE.p, { BITS: 456, isLE: true }))();
const Fn = /* @__PURE__ */ (() => Field(ed448_CURVE.n, { BITS: 456, isLE: true }))();
// decaf448 uses 448-bit (56-byte) keys
const Fp448 = /* @__PURE__ */ (() => Field(ed448_CURVE.p, { BITS: 448, isLE: true }))();
const Fn448 = /* @__PURE__ */ (() => Field(ed448_CURVE.n, { BITS: 448, isLE: true }))();
// SHAKE256(dom4(phflag,context)||x, 114)
function dom4(data: Uint8Array, ctx: Uint8Array, phflag: boolean) {
if (ctx.length > 255) throw new Error('context must be smaller than 255, got: ' + ctx.length);
return concatBytes(
asciiToBytes('SigEd448'),
new Uint8Array([phflag ? 1 : 0, ctx.length]),
ctx,
data
);
}
// const ed448_eddsa_opts = { adjustScalarBytes, domain: dom4 };
// const ed448_Point = edwards(ed448_CURVE, { Fp, Fn, uvRatio });
const ED448_DEF = /* @__PURE__ */ (() => ({
...ed448_CURVE,
Fp,
Fn,
nBitLength: Fn.BITS,
hash: shake256_114,
adjustScalarBytes,
domain: dom4,
uvRatio,
}))();
/**
* ed448 EdDSA curve and methods.
* @example
* import { ed448 } from '@noble/curves/ed448';
* const { secretKey, publicKey } = ed448.keygen();
* const msg = new TextEncoder().encode('hello');
* const sig = ed448.sign(msg, secretKey);
* const isValid = ed448.verify(sig, msg, publicKey);
*/
export const ed448: CurveFn = twistedEdwards(ED448_DEF);
// There is no ed448ctx, since ed448 supports ctx by default
/** Prehashed version of ed448. Accepts already-hashed messages in sign() and verify(). */
export const ed448ph: CurveFn = /* @__PURE__ */ (() =>
twistedEdwards({
...ED448_DEF,
prehash: shake256_64,
}))();
/**
* E448 curve, defined by NIST.
* E448 != edwards448 used in ed448.
* E448 is birationally equivalent to edwards448.
*/
export const E448: EdwardsPointCons = edwards(E448_CURVE);
/**
* ECDH using curve448 aka x448.
* x448 has 56-byte keys as per RFC 7748, while
* ed448 has 57-byte keys as per RFC 8032.
*/
export const x448: XCurveFn = /* @__PURE__ */ (() => {
const P = ed448_CURVE.p;
return montgomery({
P,
type: 'x448',
powPminus2: (x: bigint): bigint => {
const Pminus3div4 = ed448_pow_Pminus3div4(x);
const Pminus3 = pow2(Pminus3div4, _2n, P);
return mod(Pminus3 * x, P); // Pminus3 * x = Pminus2
},
adjustScalarBytes,
});
})();
// Hash To Curve Elligator2 Map
const ELL2_C1 = /* @__PURE__ */ (() => (Fp.ORDER - BigInt(3)) / BigInt(4))(); // 1. c1 = (q - 3) / 4 # Integer arithmetic
const ELL2_J = /* @__PURE__ */ BigInt(156326);
function map_to_curve_elligator2_curve448(u: bigint) {
let tv1 = Fp.sqr(u); // 1. tv1 = u^2
let e1 = Fp.eql(tv1, Fp.ONE); // 2. e1 = tv1 == 1
tv1 = Fp.cmov(tv1, Fp.ZERO, e1); // 3. tv1 = CMOV(tv1, 0, e1) # If Z * u^2 == -1, set tv1 = 0
let xd = Fp.sub(Fp.ONE, tv1); // 4. xd = 1 - tv1
let x1n = Fp.neg(ELL2_J); // 5. x1n = -J
let tv2 = Fp.sqr(xd); // 6. tv2 = xd^2
let gxd = Fp.mul(tv2, xd); // 7. gxd = tv2 * xd # gxd = xd^3
let gx1 = Fp.mul(tv1, Fp.neg(ELL2_J)); // 8. gx1 = -J * tv1 # x1n + J * xd
gx1 = Fp.mul(gx1, x1n); // 9. gx1 = gx1 * x1n # x1n^2 + J * x1n * xd
gx1 = Fp.add(gx1, tv2); // 10. gx1 = gx1 + tv2 # x1n^2 + J * x1n * xd + xd^2
gx1 = Fp.mul(gx1, x1n); // 11. gx1 = gx1 * x1n # x1n^3 + J * x1n^2 * xd + x1n * xd^2
let tv3 = Fp.sqr(gxd); // 12. tv3 = gxd^2
tv2 = Fp.mul(gx1, gxd); // 13. tv2 = gx1 * gxd # gx1 * gxd
tv3 = Fp.mul(tv3, tv2); // 14. tv3 = tv3 * tv2 # gx1 * gxd^3
let y1 = Fp.pow(tv3, ELL2_C1); // 15. y1 = tv3^c1 # (gx1 * gxd^3)^((p - 3) / 4)
y1 = Fp.mul(y1, tv2); // 16. y1 = y1 * tv2 # gx1 * gxd * (gx1 * gxd^3)^((p - 3) / 4)
let x2n = Fp.mul(x1n, Fp.neg(tv1)); // 17. x2n = -tv1 * x1n # x2 = x2n / xd = -1 * u^2 * x1n / xd
let y2 = Fp.mul(y1, u); // 18. y2 = y1 * u
y2 = Fp.cmov(y2, Fp.ZERO, e1); // 19. y2 = CMOV(y2, 0, e1)
tv2 = Fp.sqr(y1); // 20. tv2 = y1^2
tv2 = Fp.mul(tv2, gxd); // 21. tv2 = tv2 * gxd
let e2 = Fp.eql(tv2, gx1); // 22. e2 = tv2 == gx1
let xn = Fp.cmov(x2n, x1n, e2); // 23. xn = CMOV(x2n, x1n, e2) # If e2, x = x1, else x = x2
let y = Fp.cmov(y2, y1, e2); // 24. y = CMOV(y2, y1, e2) # If e2, y = y1, else y = y2
let e3 = Fp.isOdd(y); // 25. e3 = sgn0(y) == 1 # Fix sign of y
y = Fp.cmov(y, Fp.neg(y), e2 !== e3); // 26. y = CMOV(y, -y, e2 XOR e3)
return { xn, xd, yn: y, yd: Fp.ONE }; // 27. return (xn, xd, y, 1)
}
function map_to_curve_elligator2_edwards448(u: bigint) {
let { xn, xd, yn, yd } = map_to_curve_elligator2_curve448(u); // 1. (xn, xd, yn, yd) = map_to_curve_elligator2_curve448(u)
let xn2 = Fp.sqr(xn); // 2. xn2 = xn^2
let xd2 = Fp.sqr(xd); // 3. xd2 = xd^2
let xd4 = Fp.sqr(xd2); // 4. xd4 = xd2^2
let yn2 = Fp.sqr(yn); // 5. yn2 = yn^2
let yd2 = Fp.sqr(yd); // 6. yd2 = yd^2
let xEn = Fp.sub(xn2, xd2); // 7. xEn = xn2 - xd2
let tv2 = Fp.sub(xEn, xd2); // 8. tv2 = xEn - xd2
xEn = Fp.mul(xEn, xd2); // 9. xEn = xEn * xd2
xEn = Fp.mul(xEn, yd); // 10. xEn = xEn * yd
xEn = Fp.mul(xEn, yn); // 11. xEn = xEn * yn
xEn = Fp.mul(xEn, _4n); // 12. xEn = xEn * 4
tv2 = Fp.mul(tv2, xn2); // 13. tv2 = tv2 * xn2
tv2 = Fp.mul(tv2, yd2); // 14. tv2 = tv2 * yd2
let tv3 = Fp.mul(yn2, _4n); // 15. tv3 = 4 * yn2
let tv1 = Fp.add(tv3, yd2); // 16. tv1 = tv3 + yd2
tv1 = Fp.mul(tv1, xd4); // 17. tv1 = tv1 * xd4
let xEd = Fp.add(tv1, tv2); // 18. xEd = tv1 + tv2
tv2 = Fp.mul(tv2, xn); // 19. tv2 = tv2 * xn
let tv4 = Fp.mul(xn, xd4); // 20. tv4 = xn * xd4
let yEn = Fp.sub(tv3, yd2); // 21. yEn = tv3 - yd2
yEn = Fp.mul(yEn, tv4); // 22. yEn = yEn * tv4
yEn = Fp.sub(yEn, tv2); // 23. yEn = yEn - tv2
tv1 = Fp.add(xn2, xd2); // 24. tv1 = xn2 + xd2
tv1 = Fp.mul(tv1, xd2); // 25. tv1 = tv1 * xd2
tv1 = Fp.mul(tv1, xd); // 26. tv1 = tv1 * xd
tv1 = Fp.mul(tv1, yn2); // 27. tv1 = tv1 * yn2
tv1 = Fp.mul(tv1, BigInt(-2)); // 28. tv1 = -2 * tv1
let yEd = Fp.add(tv2, tv1); // 29. yEd = tv2 + tv1
tv4 = Fp.mul(tv4, yd2); // 30. tv4 = tv4 * yd2
yEd = Fp.add(yEd, tv4); // 31. yEd = yEd + tv4
tv1 = Fp.mul(xEd, yEd); // 32. tv1 = xEd * yEd
let e = Fp.eql(tv1, Fp.ZERO); // 33. e = tv1 == 0
xEn = Fp.cmov(xEn, Fp.ZERO, e); // 34. xEn = CMOV(xEn, 0, e)
xEd = Fp.cmov(xEd, Fp.ONE, e); // 35. xEd = CMOV(xEd, 1, e)
yEn = Fp.cmov(yEn, Fp.ONE, e); // 36. yEn = CMOV(yEn, 1, e)
yEd = Fp.cmov(yEd, Fp.ONE, e); // 37. yEd = CMOV(yEd, 1, e)
const inv = FpInvertBatch(Fp, [xEd, yEd], true); // batch division
return { x: Fp.mul(xEn, inv[0]), y: Fp.mul(yEn, inv[1]) }; // 38. return (xEn, xEd, yEn, yEd)
}
/** Hashing / encoding to ed448 points / field. RFC 9380 methods. */
export const ed448_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() =>
createHasher(ed448.Point, (scalars: bigint[]) => map_to_curve_elligator2_edwards448(scalars[0]), {
DST: 'edwards448_XOF:SHAKE256_ELL2_RO_',
encodeDST: 'edwards448_XOF:SHAKE256_ELL2_NU_',
p: Fp.ORDER,
m: 1,
k: 224,
expand: 'xof',
hash: shake256,
}))();
// 1-d
const ONE_MINUS_D = /* @__PURE__ */ BigInt('39082');
// 1-2d
const ONE_MINUS_TWO_D = /* @__PURE__ */ BigInt('78163');
// √(-d)
const SQRT_MINUS_D = /* @__PURE__ */ BigInt(
'98944233647732219769177004876929019128417576295529901074099889598043702116001257856802131563896515373927712232092845883226922417596214'
);
// 1 / √(-d)
const INVSQRT_MINUS_D = /* @__PURE__ */ BigInt(
'315019913931389607337177038330951043522456072897266928557328499619017160722351061360252776265186336876723201881398623946864393857820716'
);
// Calculates 1/√(number)
const invertSqrt = (number: bigint) => uvRatio(_1n, number);
/**
* Elligator map for hash-to-curve of decaf448.
* Described in [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#appendix-C)
* and [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-element-derivation-2).
*/
function calcElligatorDecafMap(r0: bigint): EdwardsPoint {
const { d } = ed448_CURVE;
const P = Fp.ORDER;
const mod = (n: bigint) => Fp.create(n);
const r = mod(-(r0 * r0)); // 1
const u0 = mod(d * (r - _1n)); // 2
const u1 = mod((u0 + _1n) * (u0 - r)); // 3
const { isValid: was_square, value: v } = uvRatio(ONE_MINUS_TWO_D, mod((r + _1n) * u1)); // 4
let v_prime = v; // 5
if (!was_square) v_prime = mod(r0 * v);
let sgn = _1n; // 6
if (!was_square) sgn = mod(-_1n);
const s = mod(v_prime * (r + _1n)); // 7
let s_abs = s;
if (isNegativeLE(s, P)) s_abs = mod(-s);
const s2 = s * s;
const W0 = mod(s_abs * _2n); // 8
const W1 = mod(s2 + _1n); // 9
const W2 = mod(s2 - _1n); // 10
const W3 = mod(v_prime * s * (r - _1n) * ONE_MINUS_TWO_D + sgn); // 11
return new ed448.Point(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
}
function decaf448_map(bytes: Uint8Array): _DecafPoint {
abytes(bytes, 112);
const skipValidation = true;
// Note: Similar to the field element decoding described in
// [RFC7748], and unlike the field element decoding described in
// Section 5.3.1, non-canonical values are accepted.
const r1 = Fp448.create(Fp448.fromBytes(bytes.subarray(0, 56), skipValidation));
const R1 = calcElligatorDecafMap(r1);
const r2 = Fp448.create(Fp448.fromBytes(bytes.subarray(56, 112), skipValidation));
const R2 = calcElligatorDecafMap(r2);
return new _DecafPoint(R1.add(R2));
}
/**
* Each ed448/EdwardsPoint has 4 different equivalent points. This can be
* a source of bugs for protocols like ring signatures. Decaf was created to solve this.
* Decaf point operates in X:Y:Z:T extended coordinates like EdwardsPoint,
* but it should work in its own namespace: do not combine those two.
* See [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
*/
class _DecafPoint extends PrimeEdwardsPoint<_DecafPoint> {
// The following gymnastics is done because typescript strips comments otherwise
// prettier-ignore
static BASE: _DecafPoint =
/* @__PURE__ */ (() => new _DecafPoint(ed448.Point.BASE).multiplyUnsafe(_2n))();
// prettier-ignore
static ZERO: _DecafPoint =
/* @__PURE__ */ (() => new _DecafPoint(ed448.Point.ZERO))();
// prettier-ignore
static Fp: IField<bigint> =
/* @__PURE__ */ (() => Fp448)();
// prettier-ignore
static Fn: IField<bigint> =
/* @__PURE__ */ (() => Fn448)();
constructor(ep: EdwardsPoint) {
super(ep);
}
static fromAffine(ap: AffinePoint<bigint>): _DecafPoint {
return new _DecafPoint(ed448.Point.fromAffine(ap));
}
protected assertSame(other: _DecafPoint): void {
if (!(other instanceof _DecafPoint)) throw new Error('DecafPoint expected');
}
protected init(ep: EdwardsPoint): _DecafPoint {
return new _DecafPoint(ep);
}
/** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
static hashToCurve(hex: Hex): _DecafPoint {
return decaf448_map(ensureBytes('decafHash', hex, 112));
}
static fromBytes(bytes: Uint8Array): _DecafPoint {
abytes(bytes, 56);
const { d } = ed448_CURVE;
const P = Fp.ORDER;
const mod = (n: bigint) => Fp448.create(n);
const s = Fp448.fromBytes(bytes);
// 1. Check that s_bytes is the canonical encoding of a field element, or else abort.
// 2. Check that s is non-negative, or else abort
if (!equalBytes(Fn448.toBytes(s), bytes) || isNegativeLE(s, P))
throw new Error('invalid decaf448 encoding 1');
const s2 = mod(s * s); // 1
const u1 = mod(_1n + s2); // 2
const u1sq = mod(u1 * u1);
const u2 = mod(u1sq - _4n * d * s2); // 3
const { isValid, value: invsqrt } = invertSqrt(mod(u2 * u1sq)); // 4
let u3 = mod((s + s) * invsqrt * u1 * SQRT_MINUS_D); // 5
if (isNegativeLE(u3, P)) u3 = mod(-u3);
const x = mod(u3 * invsqrt * u2 * INVSQRT_MINUS_D); // 6
const y = mod((_1n - s2) * invsqrt * u1); // 7
const t = mod(x * y); // 8
if (!isValid) throw new Error('invalid decaf448 encoding 2');
return new _DecafPoint(new ed448.Point(x, y, _1n, t));
}
/**
* Converts decaf-encoded string to decaf point.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode-2).
* @param hex Decaf-encoded 56 bytes. Not every 56-byte string is valid decaf encoding
*/
static fromHex(hex: Hex): _DecafPoint {
return _DecafPoint.fromBytes(ensureBytes('decafHex', hex, 56));
}
/** @deprecated use `import { pippenger } from '@noble/curves/abstract/curve.js';` */
static msm(points: _DecafPoint[], scalars: bigint[]): _DecafPoint {
return pippenger(_DecafPoint, Fn, points, scalars);
}
/**
* Encodes decaf point to Uint8Array.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-encode-2).
*/
toBytes(): Uint8Array {
const { X, Z, T } = this.ep;
const P = Fp.ORDER;
const mod = (n: bigint) => Fp.create(n);
const u1 = mod(mod(X + T) * mod(X - T)); // 1
const x2 = mod(X * X);
const { value: invsqrt } = invertSqrt(mod(u1 * ONE_MINUS_D * x2)); // 2
let ratio = mod(invsqrt * u1 * SQRT_MINUS_D); // 3
if (isNegativeLE(ratio, P)) ratio = mod(-ratio);
const u2 = mod(INVSQRT_MINUS_D * ratio * Z - T); // 4
let s = mod(ONE_MINUS_D * invsqrt * X * u2); // 5
if (isNegativeLE(s, P)) s = mod(-s);
return Fn448.toBytes(s);
}
/**
* Compare one point to another.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-equals-2).
*/
equals(other: _DecafPoint): boolean {
this.assertSame(other);
const { X: X1, Y: Y1 } = this.ep;
const { X: X2, Y: Y2 } = other.ep;
// (x1 * y2 == y1 * x2)
return Fp.create(X1 * Y2) === Fp.create(Y1 * X2);
}
is0(): boolean {
return this.equals(_DecafPoint.ZERO);
}
}
export const decaf448: {
Point: typeof _DecafPoint;
} = { Point: _DecafPoint };
/** Hashing to decaf448 points / field. RFC 9380 methods. */
export const decaf448_hasher: H2CHasherBase<bigint> = {
hashToCurve(msg: Uint8Array, options?: htfBasicOpts): _DecafPoint {
const DST = options?.DST || 'decaf448_XOF:SHAKE256_D448MAP_RO_';
return decaf448_map(expand_message_xof(msg, DST, 112, 224, shake256));
},
// Warning: has big modulo bias of 2^-64.
// RFC is invalid. RFC says "use 64-byte xof", while for 2^-112 bias
// it must use 84-byte xof (56+56/2), not 64.
hashToScalar(msg: Uint8Array, options: htfBasicOpts = { DST: _DST_scalar }) {
// Can't use `Fn448.fromBytes()`. 64-byte input => 56-byte field element
const xof = expand_message_xof(msg, options.DST, 64, 256, shake256);
return Fn448.create(bytesToNumberLE(xof));
},
};
// export const decaf448_oprf: OPRF = createORPF({
// name: 'decaf448-SHAKE256',
// Point: DecafPoint,
// hash: (msg: Uint8Array) => shake256(msg, { dkLen: 64 }),
// hashToGroup: decaf448_hasher.hashToCurve,
// hashToScalar: decaf448_hasher.hashToScalar,
// });
/**
* Weird / bogus points, useful for debugging.
* Unlike ed25519, there is no ed448 generator point which can produce full T subgroup.
* Instead, there is a Klein four-group, which spans over 2 independent 2-torsion points:
* (0, 1), (0, -1), (-1, 0), (1, 0).
*/
export const ED448_TORSION_SUBGROUP: string[] = [
'010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000',
'fefffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffff00',
'000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000',
'000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080',
];
type DcfHasher = (msg: Uint8Array, options: htfBasicOpts) => _DecafPoint;
/** @deprecated use `decaf448.Point` */
export const DecafPoint: typeof _DecafPoint = _DecafPoint;
/** @deprecated use `import { ed448_hasher } from '@noble/curves/ed448.js';` */
export const hashToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() => ed448_hasher.hashToCurve)();
/** @deprecated use `import { ed448_hasher } from '@noble/curves/ed448.js';` */
export const encodeToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() =>
ed448_hasher.encodeToCurve)();
/** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
export const hashToDecaf448: DcfHasher = /* @__PURE__ */ (() =>
decaf448_hasher.hashToCurve as DcfHasher)();
/** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
export const hash_to_decaf448: DcfHasher = /* @__PURE__ */ (() =>
decaf448_hasher.hashToCurve as DcfHasher)();
/** @deprecated use `ed448.utils.toMontgomery` */
export function edwardsToMontgomeryPub(edwardsPub: string | Uint8Array): Uint8Array {
return ed448.utils.toMontgomery(ensureBytes('pub', edwardsPub));
}
/** @deprecated use `ed448.utils.toMontgomery` */
export const edwardsToMontgomery: typeof edwardsToMontgomeryPub = edwardsToMontgomeryPub;

15
node_modules/@noble/curves/src/index.ts generated vendored Normal file
View File

@@ -0,0 +1,15 @@
/**
* Audited & minimal JS implementation of elliptic curve cryptography.
* @module
* @example
```js
import { secp256k1, schnorr } from '@noble/curves/secp256k1.js';
import { ed25519, ed25519ph, ed25519ctx, x25519, RistrettoPoint } from '@noble/curves/ed25519.js';
import { ed448, ed448ph, ed448ctx, x448 } from '@noble/curves/ed448.js';
import { p256, p384, p521 } from '@noble/curves/nist.js';
import { bls12_381 } from '@noble/curves/bls12-381.js';
import { bn254 } from '@noble/curves/bn254.js';
import { bytesToHex, hexToBytes, concatBytes, utf8ToBytes } from '@noble/curves/abstract/utils.js';
```
*/
throw new Error('root module cannot be imported: import submodules instead. Check out README');

12
node_modules/@noble/curves/src/jubjub.ts generated vendored Normal file
View File

@@ -0,0 +1,12 @@
/**
* @deprecated
* @module
*/
import { jubjub_findGroupHash, jubjub_groupHash, jubjub as jubjubn } from './misc.ts';
/** @deprecated use `import { jubjub } from '@noble/curves/misc.js';` */
export const jubjub: typeof jubjubn = jubjubn;
/** @deprecated use `import { jubjub_findGroupHash } from '@noble/curves/misc.js';` */
export const findGroupHash: typeof jubjub_findGroupHash = jubjub_findGroupHash;
/** @deprecated use `import { jubjub_groupHash } from '@noble/curves/misc.js';` */
export const groupHash: typeof jubjub_groupHash = jubjub_groupHash;

124
node_modules/@noble/curves/src/misc.ts generated vendored Normal file
View File

@@ -0,0 +1,124 @@
/**
* Miscellaneous, rarely used curves.
* jubjub, babyjubjub, pallas, vesta.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { blake256 } from '@noble/hashes/blake1.js';
import { blake2s } from '@noble/hashes/blake2.js';
import { sha256, sha512 } from '@noble/hashes/sha2.js';
import { concatBytes, utf8ToBytes } from '@noble/hashes/utils.js';
import {
twistedEdwards,
type CurveFn,
type EdwardsOpts,
type EdwardsPoint,
} from './abstract/edwards.ts';
import { Field, mod } from './abstract/modular.ts';
import { weierstrass, type CurveFn as WCurveFn } from './abstract/weierstrass.ts';
import { bls12_381_Fr } from './bls12-381.ts';
import { bn254_Fr } from './bn254.ts';
// Jubjub curves have 𝔽p over scalar fields of other curves. They are friendly to ZK proofs.
// jubjub Fp = bls n. babyjubjub Fp = bn254 n.
// verify manually, check bls12-381.ts and bn254.ts.
const jubjub_CURVE: EdwardsOpts = {
p: bls12_381_Fr.ORDER,
n: BigInt('0xe7db4ea6533afa906673b0101343b00a6682093ccc81082d0970e5ed6f72cb7'),
h: BigInt(8),
a: BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000000'),
d: BigInt('0x2a9318e74bfa2b48f5fd9207e6bd7fd4292d7f6d37579d2601065fd6d6343eb1'),
Gx: BigInt('0x11dafe5d23e1218086a365b99fbf3d3be72f6afd7d1f72623e6b071492d1122b'),
Gy: BigInt('0x1d523cf1ddab1a1793132e78c866c0c33e26ba5cc220fed7cc3f870e59d292aa'),
};
/** Curve over scalar field of bls12-381. jubjub Fp = bls n */
export const jubjub: CurveFn = /* @__PURE__ */ twistedEdwards({
...jubjub_CURVE,
Fp: bls12_381_Fr,
hash: sha512,
});
const babyjubjub_CURVE: EdwardsOpts = {
p: bn254_Fr.ORDER,
n: BigInt('0x30644e72e131a029b85045b68181585d59f76dc1c90770533b94bee1c9093788'),
h: BigInt(8),
a: BigInt('168700'),
d: BigInt('168696'),
Gx: BigInt('0x23343e3445b673d38bcba38f25645adb494b1255b1162bb40f41a59f4d4b45e'),
Gy: BigInt('0xc19139cb84c680a6e14116da06056174a0cfa121e6e5c2450f87d64fc000001'),
};
/** Curve over scalar field of bn254. babyjubjub Fp = bn254 n */
export const babyjubjub: CurveFn = /* @__PURE__ */ twistedEdwards({
...babyjubjub_CURVE,
Fp: bn254_Fr,
hash: blake256,
});
const jubjub_gh_first_block = utf8ToBytes(
'096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0'
);
// Returns point at JubJub curve which is prime order and not zero
export function jubjub_groupHash(tag: Uint8Array, personalization: Uint8Array): EdwardsPoint {
const h = blake2s.create({ personalization, dkLen: 32 });
h.update(jubjub_gh_first_block);
h.update(tag);
// NOTE: returns ExtendedPoint, in case it will be multiplied later
let p = jubjub.Point.fromBytes(h.digest());
// NOTE: cannot replace with isSmallOrder, returns Point*8
p = p.multiply(jubjub_CURVE.h);
if (p.equals(jubjub.Point.ZERO)) throw new Error('Point has small order');
return p;
}
// No secret data is leaked here at all.
// It operates over public data:
// const G_SPEND = jubjub.findGroupHash(Uint8Array.of(), utf8ToBytes('Item_G_'));
export function jubjub_findGroupHash(m: Uint8Array, personalization: Uint8Array): EdwardsPoint {
const tag = concatBytes(m, Uint8Array.of(0));
const hashes = [];
for (let i = 0; i < 256; i++) {
tag[tag.length - 1] = i;
try {
hashes.push(jubjub_groupHash(tag, personalization));
} catch (e) {}
}
if (!hashes.length) throw new Error('findGroupHash tag overflow');
return hashes[0];
}
// Pasta curves. See [Spec](https://o1-labs.github.io/proof-systems/specs/pasta.html).
export const pasta_p: bigint = BigInt(
'0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001'
);
export const pasta_q: bigint = BigInt(
'0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001'
);
/**
* @deprecated
*/
export const pallas: WCurveFn = weierstrass({
a: BigInt(0),
b: BigInt(5),
Fp: Field(pasta_p),
n: pasta_q,
Gx: mod(BigInt(-1), pasta_p),
Gy: BigInt(2),
h: BigInt(1),
hash: sha256,
});
/**
* @deprecated
*/
export const vesta: WCurveFn = weierstrass({
a: BigInt(0),
b: BigInt(5),
Fp: Field(pasta_q),
n: pasta_p,
Gx: mod(BigInt(-1), pasta_q),
Gy: BigInt(2),
h: BigInt(1),
hash: sha256,
});

197
node_modules/@noble/curves/src/nist.ts generated vendored Normal file
View File

@@ -0,0 +1,197 @@
/**
* Internal module for NIST P256, P384, P521 curves.
* Do not use for now.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { sha256, sha384, sha512 } from '@noble/hashes/sha2.js';
import { createCurve, type CurveFnWithCreate } from './_shortw_utils.ts';
import { createHasher, type H2CHasher } from './abstract/hash-to-curve.ts';
import { Field } from './abstract/modular.ts';
import {
mapToCurveSimpleSWU,
type WeierstrassOpts,
type WeierstrassPointCons,
} from './abstract/weierstrass.ts';
// p = 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n - 1n
// a = Fp256.create(BigInt('-3'));
const p256_CURVE: WeierstrassOpts<bigint> = {
p: BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'),
n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
h: BigInt(1),
a: BigInt('0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc'),
b: BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b'),
Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
};
// p = 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
const p384_CURVE: WeierstrassOpts<bigint> = {
p: BigInt(
'0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff'
),
n: BigInt(
'0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973'
),
h: BigInt(1),
a: BigInt(
'0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc'
),
b: BigInt(
'0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef'
),
Gx: BigInt(
'0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7'
),
Gy: BigInt(
'0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'
),
};
// p = 2n**521n - 1n
const p521_CURVE: WeierstrassOpts<bigint> = {
p: BigInt(
'0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
),
n: BigInt(
'0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'
),
h: BigInt(1),
a: BigInt(
'0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc'
),
b: BigInt(
'0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00'
),
Gx: BigInt(
'0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66'
),
Gy: BigInt(
'0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'
),
};
const Fp256 = Field(p256_CURVE.p);
const Fp384 = Field(p384_CURVE.p);
const Fp521 = Field(p521_CURVE.p);
type SwuOpts = {
A: bigint;
B: bigint;
Z: bigint;
};
function createSWU(Point: WeierstrassPointCons<bigint>, opts: SwuOpts) {
const map = mapToCurveSimpleSWU(Point.Fp, opts);
return (scalars: bigint[]) => map(scalars[0]);
}
/** NIST P256 (aka secp256r1, prime256v1) curve, ECDSA and ECDH methods. */
export const p256: CurveFnWithCreate = createCurve(
{ ...p256_CURVE, Fp: Fp256, lowS: false },
sha256
);
/** Hashing / encoding to p256 points / field. RFC 9380 methods. */
export const p256_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() => {
return createHasher(
p256.Point,
createSWU(p256.Point, {
A: p256_CURVE.a,
B: p256_CURVE.b,
Z: p256.Point.Fp.create(BigInt('-10')),
}),
{
DST: 'P256_XMD:SHA-256_SSWU_RO_',
encodeDST: 'P256_XMD:SHA-256_SSWU_NU_',
p: p256_CURVE.p,
m: 1,
k: 128,
expand: 'xmd',
hash: sha256,
}
);
})();
// export const p256_oprf: OPRF = createORPF({
// name: 'P256-SHA256',
// Point: p256.Point,
// hash: sha256,
// hashToGroup: p256_hasher.hashToCurve,
// hashToScalar: p256_hasher.hashToScalar,
// });
/** NIST P384 (aka secp384r1) curve, ECDSA and ECDH methods. */
export const p384: CurveFnWithCreate = createCurve(
{ ...p384_CURVE, Fp: Fp384, lowS: false },
sha384
);
/** Hashing / encoding to p384 points / field. RFC 9380 methods. */
export const p384_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() => {
return createHasher(
p384.Point,
createSWU(p384.Point, {
A: p384_CURVE.a,
B: p384_CURVE.b,
Z: p384.Point.Fp.create(BigInt('-12')),
}),
{
DST: 'P384_XMD:SHA-384_SSWU_RO_',
encodeDST: 'P384_XMD:SHA-384_SSWU_NU_',
p: p384_CURVE.p,
m: 1,
k: 192,
expand: 'xmd',
hash: sha384,
}
);
})();
// export const p384_oprf: OPRF = createORPF({
// name: 'P384-SHA384',
// Point: p384.Point,
// hash: sha384,
// hashToGroup: p384_hasher.hashToCurve,
// hashToScalar: p384_hasher.hashToScalar,
// });
// const Fn521 = Field(p521_CURVE.n, { allowedScalarLengths: [65, 66] });
/** NIST P521 (aka secp521r1) curve, ECDSA and ECDH methods. */
export const p521: CurveFnWithCreate = createCurve(
{ ...p521_CURVE, Fp: Fp521, lowS: false, allowedPrivateKeyLengths: [130, 131, 132] },
sha512
);
/** @deprecated use `p256` for consistency with `p256_hasher` */
export const secp256r1: typeof p256 = p256;
/** @deprecated use `p384` for consistency with `p384_hasher` */
export const secp384r1: typeof p384 = p384;
/** @deprecated use `p521` for consistency with `p521_hasher` */
export const secp521r1: typeof p521 = p521;
/** Hashing / encoding to p521 points / field. RFC 9380 methods. */
export const p521_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() => {
return createHasher(
p521.Point,
createSWU(p521.Point, {
A: p521_CURVE.a,
B: p521_CURVE.b,
Z: p521.Point.Fp.create(BigInt('-4')),
}),
{
DST: 'P521_XMD:SHA-512_SSWU_RO_',
encodeDST: 'P521_XMD:SHA-512_SSWU_NU_',
p: p521_CURVE.p,
m: 1,
k: 256,
expand: 'xmd',
hash: sha512,
}
);
})();
// export const p521_oprf: OPRF = createORPF({
// name: 'P521-SHA512',
// Point: p521.Point,
// hash: sha512,
// hashToGroup: p521_hasher.hashToCurve,
// hashToScalar: p521_hasher.hashToScalar, // produces L=98 just like in RFC
// });

15
node_modules/@noble/curves/src/p256.ts generated vendored Normal file
View File

@@ -0,0 +1,15 @@
/**
* NIST secp256r1 aka p256.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { type H2CMethod } from './abstract/hash-to-curve.ts';
import { p256_hasher, p256 as p256n } from './nist.ts';
/** @deprecated use `import { p256 } from '@noble/curves/nist.js';` */
export const p256: typeof p256n = p256n;
/** @deprecated use `import { p256 } from '@noble/curves/nist.js';` */
export const secp256r1: typeof p256n = p256n;
/** @deprecated use `import { p256_hasher } from '@noble/curves/nist.js';` */
export const hashToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() => p256_hasher.hashToCurve)();
/** @deprecated use `import { p256_hasher } from '@noble/curves/nist.js';` */
export const encodeToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() => p256_hasher.encodeToCurve)();

15
node_modules/@noble/curves/src/p384.ts generated vendored Normal file
View File

@@ -0,0 +1,15 @@
/**
* NIST secp384r1 aka p384.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { type H2CMethod } from './abstract/hash-to-curve.ts';
import { p384_hasher, p384 as p384n } from './nist.ts';
/** @deprecated use `import { p384 } from '@noble/curves/nist.js';` */
export const p384: typeof p384n = p384n;
/** @deprecated use `import { p384 } from '@noble/curves/nist.js';` */
export const secp384r1: typeof p384n = p384n;
/** @deprecated use `import { p384_hasher } from '@noble/curves/nist.js';` */
export const hashToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() => p384_hasher.hashToCurve)();
/** @deprecated use `import { p384_hasher } from '@noble/curves/nist.js';` */
export const encodeToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() => p384_hasher.encodeToCurve)();

15
node_modules/@noble/curves/src/p521.ts generated vendored Normal file
View File

@@ -0,0 +1,15 @@
/**
* NIST secp521r1 aka p521.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { type H2CMethod } from './abstract/hash-to-curve.ts';
import { p521_hasher, p521 as p521n } from './nist.ts';
/** @deprecated use `import { p521 } from '@noble/curves/nist.js';` */
export const p521: typeof p521n = p521n;
/** @deprecated use `import { p521 } from '@noble/curves/nist.js';` */
export const secp521r1: typeof p521n = p521n;
/** @deprecated use `import { p521_hasher } from '@noble/curves/nist.js';` */
export const hashToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() => p521_hasher.hashToCurve)();
/** @deprecated use `import { p521_hasher } from '@noble/curves/nist.js';` */
export const encodeToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() => p521_hasher.encodeToCurve)();

3
node_modules/@noble/curves/src/package.json generated vendored Normal file
View File

@@ -0,0 +1,3 @@
{
"type": "module"
}

9
node_modules/@noble/curves/src/pasta.ts generated vendored Normal file
View File

@@ -0,0 +1,9 @@
/**
* @deprecated
* @module
*/
import { pallas as pn, vesta as vn } from './misc.ts';
/** @deprecated */
export const pallas: typeof pn = pn;
/** @deprecated */
export const vesta: typeof vn = vn;

362
node_modules/@noble/curves/src/secp256k1.ts generated vendored Normal file
View File

@@ -0,0 +1,362 @@
/**
* SECG secp256k1. See [pdf](https://www.secg.org/sec2-v2.pdf).
*
* Belongs to Koblitz curves: it has efficiently-computable GLV endomorphism ψ,
* check out {@link EndomorphismOpts}. Seems to be rigid (not backdoored).
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { sha256 } from '@noble/hashes/sha2.js';
import { randomBytes } from '@noble/hashes/utils.js';
import { createCurve, type CurveFnWithCreate } from './_shortw_utils.ts';
import type { CurveLengths } from './abstract/curve.ts';
import {
createHasher,
type H2CHasher,
type H2CMethod,
isogenyMap,
} from './abstract/hash-to-curve.ts';
import { Field, mapHashToField, mod, pow2 } from './abstract/modular.ts';
import {
_normFnElement,
type EndomorphismOpts,
mapToCurveSimpleSWU,
type WeierstrassPoint as PointType,
type WeierstrassOpts,
type WeierstrassPointCons,
} from './abstract/weierstrass.ts';
import type { Hex, PrivKey } from './utils.ts';
import {
bytesToNumberBE,
concatBytes,
ensureBytes,
inRange,
numberToBytesBE,
utf8ToBytes,
} from './utils.ts';
// Seems like generator was produced from some seed:
// `Point.BASE.multiply(Point.Fn.inv(2n, N)).toAffine().x`
// // gives short x 0x3b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63n
const secp256k1_CURVE: WeierstrassOpts<bigint> = {
p: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f'),
n: BigInt('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141'),
h: BigInt(1),
a: BigInt(0),
b: BigInt(7),
Gx: BigInt('0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798'),
Gy: BigInt('0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8'),
};
const secp256k1_ENDO: EndomorphismOpts = {
beta: BigInt('0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee'),
basises: [
[BigInt('0x3086d221a7d46bcde86c90e49284eb15'), -BigInt('0xe4437ed6010e88286f547fa90abfe4c3')],
[BigInt('0x114ca50f7a8e2f3f657c1108d9d44cfd8'), BigInt('0x3086d221a7d46bcde86c90e49284eb15')],
],
};
const _0n = /* @__PURE__ */ BigInt(0);
const _1n = /* @__PURE__ */ BigInt(1);
const _2n = /* @__PURE__ */ BigInt(2);
/**
* √n = n^((p+1)/4) for fields p = 3 mod 4. We unwrap the loop and multiply bit-by-bit.
* (P+1n/4n).toString(2) would produce bits [223x 1, 0, 22x 1, 4x 0, 11, 00]
*/
function sqrtMod(y: bigint): bigint {
const P = secp256k1_CURVE.p;
// prettier-ignore
const _3n = BigInt(3), _6n = BigInt(6), _11n = BigInt(11), _22n = BigInt(22);
// prettier-ignore
const _23n = BigInt(23), _44n = BigInt(44), _88n = BigInt(88);
const b2 = (y * y * y) % P; // x^3, 11
const b3 = (b2 * b2 * y) % P; // x^7
const b6 = (pow2(b3, _3n, P) * b3) % P;
const b9 = (pow2(b6, _3n, P) * b3) % P;
const b11 = (pow2(b9, _2n, P) * b2) % P;
const b22 = (pow2(b11, _11n, P) * b11) % P;
const b44 = (pow2(b22, _22n, P) * b22) % P;
const b88 = (pow2(b44, _44n, P) * b44) % P;
const b176 = (pow2(b88, _88n, P) * b88) % P;
const b220 = (pow2(b176, _44n, P) * b44) % P;
const b223 = (pow2(b220, _3n, P) * b3) % P;
const t1 = (pow2(b223, _23n, P) * b22) % P;
const t2 = (pow2(t1, _6n, P) * b2) % P;
const root = pow2(t2, _2n, P);
if (!Fpk1.eql(Fpk1.sqr(root), y)) throw new Error('Cannot find square root');
return root;
}
const Fpk1 = Field(secp256k1_CURVE.p, { sqrt: sqrtMod });
/**
* secp256k1 curve, ECDSA and ECDH methods.
*
* Field: `2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n`
*
* @example
* ```js
* import { secp256k1 } from '@noble/curves/secp256k1';
* const { secretKey, publicKey } = secp256k1.keygen();
* const msg = new TextEncoder().encode('hello');
* const sig = secp256k1.sign(msg, secretKey);
* const isValid = secp256k1.verify(sig, msg, publicKey) === true;
* ```
*/
export const secp256k1: CurveFnWithCreate = createCurve(
{ ...secp256k1_CURVE, Fp: Fpk1, lowS: true, endo: secp256k1_ENDO },
sha256
);
// Schnorr signatures are superior to ECDSA from above. Below is Schnorr-specific BIP0340 code.
// https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
/** An object mapping tags to their tagged hash prefix of [SHA256(tag) | SHA256(tag)] */
const TAGGED_HASH_PREFIXES: { [tag: string]: Uint8Array } = {};
function taggedHash(tag: string, ...messages: Uint8Array[]): Uint8Array {
let tagP = TAGGED_HASH_PREFIXES[tag];
if (tagP === undefined) {
const tagH = sha256(utf8ToBytes(tag));
tagP = concatBytes(tagH, tagH);
TAGGED_HASH_PREFIXES[tag] = tagP;
}
return sha256(concatBytes(tagP, ...messages));
}
// ECDSA compact points are 33-byte. Schnorr is 32: we strip first byte 0x02 or 0x03
const pointToBytes = (point: PointType<bigint>) => point.toBytes(true).slice(1);
const Pointk1 = /* @__PURE__ */ (() => secp256k1.Point)();
const hasEven = (y: bigint) => y % _2n === _0n;
// Calculate point, scalar and bytes
function schnorrGetExtPubKey(priv: PrivKey) {
const { Fn, BASE } = Pointk1;
const d_ = _normFnElement(Fn, priv);
const p = BASE.multiply(d_); // P = d'⋅G; 0 < d' < n check is done inside
const scalar = hasEven(p.y) ? d_ : Fn.neg(d_);
return { scalar, bytes: pointToBytes(p) };
}
/**
* lift_x from BIP340. Convert 32-byte x coordinate to elliptic curve point.
* @returns valid point checked for being on-curve
*/
function lift_x(x: bigint): PointType<bigint> {
const Fp = Fpk1;
if (!Fp.isValidNot0(x)) throw new Error('invalid x: Fail if x ≥ p');
const xx = Fp.create(x * x);
const c = Fp.create(xx * x + BigInt(7)); // Let c = x³ + 7 mod p.
let y = Fp.sqrt(c); // Let y = c^(p+1)/4 mod p. Same as sqrt().
// Return the unique point P such that x(P) = x and
// y(P) = y if y mod 2 = 0 or y(P) = p-y otherwise.
if (!hasEven(y)) y = Fp.neg(y);
const p = Pointk1.fromAffine({ x, y });
p.assertValidity();
return p;
}
const num = bytesToNumberBE;
/**
* Create tagged hash, convert it to bigint, reduce modulo-n.
*/
function challenge(...args: Uint8Array[]): bigint {
return Pointk1.Fn.create(num(taggedHash('BIP0340/challenge', ...args)));
}
/**
* Schnorr public key is just `x` coordinate of Point as per BIP340.
*/
function schnorrGetPublicKey(secretKey: Hex): Uint8Array {
return schnorrGetExtPubKey(secretKey).bytes; // d'=int(sk). Fail if d'=0 or d'≥n. Ret bytes(d'⋅G)
}
/**
* Creates Schnorr signature as per BIP340. Verifies itself before returning anything.
* auxRand is optional and is not the sole source of k generation: bad CSPRNG won't be dangerous.
*/
function schnorrSign(message: Hex, secretKey: PrivKey, auxRand: Hex = randomBytes(32)): Uint8Array {
const { Fn } = Pointk1;
const m = ensureBytes('message', message);
const { bytes: px, scalar: d } = schnorrGetExtPubKey(secretKey); // checks for isWithinCurveOrder
const a = ensureBytes('auxRand', auxRand, 32); // Auxiliary random data a: a 32-byte array
const t = Fn.toBytes(d ^ num(taggedHash('BIP0340/aux', a))); // Let t be the byte-wise xor of bytes(d) and hash/aux(a)
const rand = taggedHash('BIP0340/nonce', t, px, m); // Let rand = hash/nonce(t || bytes(P) || m)
// Let k' = int(rand) mod n. Fail if k' = 0. Let R = k'⋅G
const { bytes: rx, scalar: k } = schnorrGetExtPubKey(rand);
const e = challenge(rx, px, m); // Let e = int(hash/challenge(bytes(R) || bytes(P) || m)) mod n.
const sig = new Uint8Array(64); // Let sig = bytes(R) || bytes((k + ed) mod n).
sig.set(rx, 0);
sig.set(Fn.toBytes(Fn.create(k + e * d)), 32);
// If Verify(bytes(P), m, sig) (see below) returns failure, abort
if (!schnorrVerify(sig, m, px)) throw new Error('sign: Invalid signature produced');
return sig;
}
/**
* Verifies Schnorr signature.
* Will swallow errors & return false except for initial type validation of arguments.
*/
function schnorrVerify(signature: Hex, message: Hex, publicKey: Hex): boolean {
const { Fn, BASE } = Pointk1;
const sig = ensureBytes('signature', signature, 64);
const m = ensureBytes('message', message);
const pub = ensureBytes('publicKey', publicKey, 32);
try {
const P = lift_x(num(pub)); // P = lift_x(int(pk)); fail if that fails
const r = num(sig.subarray(0, 32)); // Let r = int(sig[0:32]); fail if r ≥ p.
if (!inRange(r, _1n, secp256k1_CURVE.p)) return false;
const s = num(sig.subarray(32, 64)); // Let s = int(sig[32:64]); fail if s ≥ n.
if (!inRange(s, _1n, secp256k1_CURVE.n)) return false;
// int(challenge(bytes(r)||bytes(P)||m))%n
const e = challenge(Fn.toBytes(r), pointToBytes(P), m);
// R = s⋅G - e⋅P, where -eP == (n-e)P
const R = BASE.multiplyUnsafe(s).add(P.multiplyUnsafe(Fn.neg(e)));
const { x, y } = R.toAffine();
// Fail if is_infinite(R) / not has_even_y(R) / x(R) ≠ r.
if (R.is0() || !hasEven(y) || x !== r) return false;
return true;
} catch (error) {
return false;
}
}
export type SecpSchnorr = {
keygen: (seed?: Uint8Array) => { secretKey: Uint8Array; publicKey: Uint8Array };
getPublicKey: typeof schnorrGetPublicKey;
sign: typeof schnorrSign;
verify: typeof schnorrVerify;
Point: WeierstrassPointCons<bigint>;
utils: {
randomSecretKey: (seed?: Uint8Array) => Uint8Array;
pointToBytes: (point: PointType<bigint>) => Uint8Array;
lift_x: typeof lift_x;
taggedHash: typeof taggedHash;
/** @deprecated use `randomSecretKey` */
randomPrivateKey: (seed?: Uint8Array) => Uint8Array;
/** @deprecated use `utils` */
numberToBytesBE: typeof numberToBytesBE;
/** @deprecated use `utils` */
bytesToNumberBE: typeof bytesToNumberBE;
/** @deprecated use `modular` */
mod: typeof mod;
};
lengths: CurveLengths;
};
/**
* Schnorr signatures over secp256k1.
* https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
* @example
* ```js
* import { schnorr } from '@noble/curves/secp256k1';
* const { secretKey, publicKey } = schnorr.keygen();
* // const publicKey = schnorr.getPublicKey(secretKey);
* const msg = new TextEncoder().encode('hello');
* const sig = schnorr.sign(msg, secretKey);
* const isValid = schnorr.verify(sig, msg, publicKey);
* ```
*/
export const schnorr: SecpSchnorr = /* @__PURE__ */ (() => {
const size = 32;
const seedLength = 48;
const randomSecretKey = (seed = randomBytes(seedLength)): Uint8Array => {
return mapHashToField(seed, secp256k1_CURVE.n);
};
// TODO: remove
secp256k1.utils.randomSecretKey;
function keygen(seed?: Uint8Array) {
const secretKey = randomSecretKey(seed);
return { secretKey, publicKey: schnorrGetPublicKey(secretKey) };
}
return {
keygen,
getPublicKey: schnorrGetPublicKey,
sign: schnorrSign,
verify: schnorrVerify,
Point: Pointk1,
utils: {
randomSecretKey: randomSecretKey,
randomPrivateKey: randomSecretKey,
taggedHash,
// TODO: remove
lift_x,
pointToBytes,
numberToBytesBE,
bytesToNumberBE,
mod,
},
lengths: {
secretKey: size,
publicKey: size,
publicKeyHasPrefix: false,
signature: size * 2,
seed: seedLength,
},
};
})();
const isoMap = /* @__PURE__ */ (() =>
isogenyMap(
Fpk1,
[
// xNum
[
'0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa8c7',
'0x7d3d4c80bc321d5b9f315cea7fd44c5d595d2fc0bf63b92dfff1044f17c6581',
'0x534c328d23f234e6e2a413deca25caece4506144037c40314ecbd0b53d9dd262',
'0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa88c',
],
// xDen
[
'0xd35771193d94918a9ca34ccbb7b640dd86cd409542f8487d9fe6b745781eb49b',
'0xedadc6f64383dc1df7c4b2d51b54225406d36b641f5e41bbc52a56612a8c6d14',
'0x0000000000000000000000000000000000000000000000000000000000000001', // LAST 1
],
// yNum
[
'0x4bda12f684bda12f684bda12f684bda12f684bda12f684bda12f684b8e38e23c',
'0xc75e0c32d5cb7c0fa9d0a54b12a0a6d5647ab046d686da6fdffc90fc201d71a3',
'0x29a6194691f91a73715209ef6512e576722830a201be2018a765e85a9ecee931',
'0x2f684bda12f684bda12f684bda12f684bda12f684bda12f684bda12f38e38d84',
],
// yDen
[
'0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffff93b',
'0x7a06534bb8bdb49fd5e9e6632722c2989467c1bfc8e8d978dfb425d2685c2573',
'0x6484aa716545ca2cf3a70c3fa8fe337e0a3d21162f0d6299a7bf8192bfd2a76f',
'0x0000000000000000000000000000000000000000000000000000000000000001', // LAST 1
],
].map((i) => i.map((j) => BigInt(j))) as [bigint[], bigint[], bigint[], bigint[]]
))();
const mapSWU = /* @__PURE__ */ (() =>
mapToCurveSimpleSWU(Fpk1, {
A: BigInt('0x3f8731abdd661adca08a5558f0f5d272e953d363cb6f0e5d405447c01a444533'),
B: BigInt('1771'),
Z: Fpk1.create(BigInt('-11')),
}))();
/** Hashing / encoding to secp256k1 points / field. RFC 9380 methods. */
export const secp256k1_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() =>
createHasher(
secp256k1.Point,
(scalars: bigint[]) => {
const { x, y } = mapSWU(Fpk1.create(scalars[0]));
return isoMap(x, y);
},
{
DST: 'secp256k1_XMD:SHA-256_SSWU_RO_',
encodeDST: 'secp256k1_XMD:SHA-256_SSWU_NU_',
p: Fpk1.ORDER,
m: 1,
k: 128,
expand: 'xmd',
hash: sha256,
}
))();
/** @deprecated use `import { secp256k1_hasher } from '@noble/curves/secp256k1.js';` */
export const hashToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() =>
secp256k1_hasher.hashToCurve)();
/** @deprecated use `import { secp256k1_hasher } from '@noble/curves/secp256k1.js';` */
export const encodeToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() =>
secp256k1_hasher.encodeToCurve)();

376
node_modules/@noble/curves/src/utils.ts generated vendored Normal file
View File

@@ -0,0 +1,376 @@
/**
* Hex, bytes and number utilities.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import {
abytes as abytes_,
bytesToHex as bytesToHex_,
concatBytes as concatBytes_,
hexToBytes as hexToBytes_,
isBytes as isBytes_,
} from '@noble/hashes/utils.js';
export {
abytes,
anumber,
bytesToHex,
bytesToUtf8,
concatBytes,
hexToBytes,
isBytes,
randomBytes,
utf8ToBytes,
} from '@noble/hashes/utils.js';
const _0n = /* @__PURE__ */ BigInt(0);
const _1n = /* @__PURE__ */ BigInt(1);
export type Hex = Uint8Array | string; // hex strings are accepted for simplicity
export type PrivKey = Hex | bigint; // bigints are accepted to ease learning curve
export type CHash = {
(message: Uint8Array | string): Uint8Array;
blockLen: number;
outputLen: number;
create(opts?: { dkLen?: number }): any; // For shake
};
export type FHash = (message: Uint8Array | string) => Uint8Array;
export function abool(title: string, value: boolean): void {
if (typeof value !== 'boolean') throw new Error(title + ' boolean expected, got ' + value);
}
// tmp name until v2
export function _abool2(value: boolean, title: string = ''): boolean {
if (typeof value !== 'boolean') {
const prefix = title && `"${title}"`;
throw new Error(prefix + 'expected boolean, got type=' + typeof value);
}
return value;
}
// tmp name until v2
/** Asserts something is Uint8Array. */
export function _abytes2(value: Uint8Array, length?: number, title: string = ''): Uint8Array {
const bytes = isBytes_(value);
const len = value?.length;
const needsLen = length !== undefined;
if (!bytes || (needsLen && len !== length)) {
const prefix = title && `"${title}" `;
const ofLen = needsLen ? ` of length ${length}` : '';
const got = bytes ? `length=${len}` : `type=${typeof value}`;
throw new Error(prefix + 'expected Uint8Array' + ofLen + ', got ' + got);
}
return value;
}
// Used in weierstrass, der
export function numberToHexUnpadded(num: number | bigint): string {
const hex = num.toString(16);
return hex.length & 1 ? '0' + hex : hex;
}
export function hexToNumber(hex: string): bigint {
if (typeof hex !== 'string') throw new Error('hex string expected, got ' + typeof hex);
return hex === '' ? _0n : BigInt('0x' + hex); // Big Endian
}
// BE: Big Endian, LE: Little Endian
export function bytesToNumberBE(bytes: Uint8Array): bigint {
return hexToNumber(bytesToHex_(bytes));
}
export function bytesToNumberLE(bytes: Uint8Array): bigint {
abytes_(bytes);
return hexToNumber(bytesToHex_(Uint8Array.from(bytes).reverse()));
}
export function numberToBytesBE(n: number | bigint, len: number): Uint8Array {
return hexToBytes_(n.toString(16).padStart(len * 2, '0'));
}
export function numberToBytesLE(n: number | bigint, len: number): Uint8Array {
return numberToBytesBE(n, len).reverse();
}
// Unpadded, rarely used
export function numberToVarBytesBE(n: number | bigint): Uint8Array {
return hexToBytes_(numberToHexUnpadded(n));
}
/**
* Takes hex string or Uint8Array, converts to Uint8Array.
* Validates output length.
* Will throw error for other types.
* @param title descriptive title for an error e.g. 'secret key'
* @param hex hex string or Uint8Array
* @param expectedLength optional, will compare to result array's length
* @returns
*/
export function ensureBytes(title: string, hex: Hex, expectedLength?: number): Uint8Array {
let res: Uint8Array;
if (typeof hex === 'string') {
try {
res = hexToBytes_(hex);
} catch (e) {
throw new Error(title + ' must be hex string or Uint8Array, cause: ' + e);
}
} else if (isBytes_(hex)) {
// Uint8Array.from() instead of hash.slice() because node.js Buffer
// is instance of Uint8Array, and its slice() creates **mutable** copy
res = Uint8Array.from(hex);
} else {
throw new Error(title + ' must be hex string or Uint8Array');
}
const len = res.length;
if (typeof expectedLength === 'number' && len !== expectedLength)
throw new Error(title + ' of length ' + expectedLength + ' expected, got ' + len);
return res;
}
// Compares 2 u8a-s in kinda constant time
export function equalBytes(a: Uint8Array, b: Uint8Array): boolean {
if (a.length !== b.length) return false;
let diff = 0;
for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
return diff === 0;
}
/**
* Copies Uint8Array. We can't use u8a.slice(), because u8a can be Buffer,
* and Buffer#slice creates mutable copy. Never use Buffers!
*/
export function copyBytes(bytes: Uint8Array): Uint8Array {
return Uint8Array.from(bytes);
}
/**
* Decodes 7-bit ASCII string to Uint8Array, throws on non-ascii symbols
* Should be safe to use for things expected to be ASCII.
* Returns exact same result as utf8ToBytes for ASCII or throws.
*/
export function asciiToBytes(ascii: string): Uint8Array {
return Uint8Array.from(ascii, (c, i) => {
const charCode = c.charCodeAt(0);
if (c.length !== 1 || charCode > 127) {
throw new Error(
`string contains non-ASCII character "${ascii[i]}" with code ${charCode} at position ${i}`
);
}
return charCode;
});
}
/**
* @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99])
*/
// export const utf8ToBytes: typeof utf8ToBytes_ = utf8ToBytes_;
/**
* Converts bytes to string using UTF8 encoding.
* @example bytesToUtf8(Uint8Array.from([97, 98, 99])) // 'abc'
*/
// export const bytesToUtf8: typeof bytesToUtf8_ = bytesToUtf8_;
// Is positive bigint
const isPosBig = (n: bigint) => typeof n === 'bigint' && _0n <= n;
export function inRange(n: bigint, min: bigint, max: bigint): boolean {
return isPosBig(n) && isPosBig(min) && isPosBig(max) && min <= n && n < max;
}
/**
* Asserts min <= n < max. NOTE: It's < max and not <= max.
* @example
* aInRange('x', x, 1n, 256n); // would assume x is in (1n..255n)
*/
export function aInRange(title: string, n: bigint, min: bigint, max: bigint): void {
// Why min <= n < max and not a (min < n < max) OR b (min <= n <= max)?
// consider P=256n, min=0n, max=P
// - a for min=0 would require -1: `inRange('x', x, -1n, P)`
// - b would commonly require subtraction: `inRange('x', x, 0n, P - 1n)`
// - our way is the cleanest: `inRange('x', x, 0n, P)
if (!inRange(n, min, max))
throw new Error('expected valid ' + title + ': ' + min + ' <= n < ' + max + ', got ' + n);
}
// Bit operations
/**
* Calculates amount of bits in a bigint.
* Same as `n.toString(2).length`
* TODO: merge with nLength in modular
*/
export function bitLen(n: bigint): number {
let len;
for (len = 0; n > _0n; n >>= _1n, len += 1);
return len;
}
/**
* Gets single bit at position.
* NOTE: first bit position is 0 (same as arrays)
* Same as `!!+Array.from(n.toString(2)).reverse()[pos]`
*/
export function bitGet(n: bigint, pos: number): bigint {
return (n >> BigInt(pos)) & _1n;
}
/**
* Sets single bit at position.
*/
export function bitSet(n: bigint, pos: number, value: boolean): bigint {
return n | ((value ? _1n : _0n) << BigInt(pos));
}
/**
* Calculate mask for N bits. Not using ** operator with bigints because of old engines.
* Same as BigInt(`0b${Array(i).fill('1').join('')}`)
*/
export const bitMask = (n: number): bigint => (_1n << BigInt(n)) - _1n;
// DRBG
type Pred<T> = (v: Uint8Array) => T | undefined;
/**
* Minimal HMAC-DRBG from NIST 800-90 for RFC6979 sigs.
* @returns function that will call DRBG until 2nd arg returns something meaningful
* @example
* const drbg = createHmacDRBG<Key>(32, 32, hmac);
* drbg(seed, bytesToKey); // bytesToKey must return Key or undefined
*/
export function createHmacDrbg<T>(
hashLen: number,
qByteLen: number,
hmacFn: (key: Uint8Array, ...messages: Uint8Array[]) => Uint8Array
): (seed: Uint8Array, predicate: Pred<T>) => T {
if (typeof hashLen !== 'number' || hashLen < 2) throw new Error('hashLen must be a number');
if (typeof qByteLen !== 'number' || qByteLen < 2) throw new Error('qByteLen must be a number');
if (typeof hmacFn !== 'function') throw new Error('hmacFn must be a function');
// Step B, Step C: set hashLen to 8*ceil(hlen/8)
const u8n = (len: number) => new Uint8Array(len); // creates Uint8Array
const u8of = (byte: number) => Uint8Array.of(byte); // another shortcut
let v = u8n(hashLen); // Minimal non-full-spec HMAC-DRBG from NIST 800-90 for RFC6979 sigs.
let k = u8n(hashLen); // Steps B and C of RFC6979 3.2: set hashLen, in our case always same
let i = 0; // Iterations counter, will throw when over 1000
const reset = () => {
v.fill(1);
k.fill(0);
i = 0;
};
const h = (...b: Uint8Array[]) => hmacFn(k, v, ...b); // hmac(k)(v, ...values)
const reseed = (seed = u8n(0)) => {
// HMAC-DRBG reseed() function. Steps D-G
k = h(u8of(0x00), seed); // k = hmac(k || v || 0x00 || seed)
v = h(); // v = hmac(k || v)
if (seed.length === 0) return;
k = h(u8of(0x01), seed); // k = hmac(k || v || 0x01 || seed)
v = h(); // v = hmac(k || v)
};
const gen = () => {
// HMAC-DRBG generate() function
if (i++ >= 1000) throw new Error('drbg: tried 1000 values');
let len = 0;
const out: Uint8Array[] = [];
while (len < qByteLen) {
v = h();
const sl = v.slice();
out.push(sl);
len += v.length;
}
return concatBytes_(...out);
};
const genUntil = (seed: Uint8Array, pred: Pred<T>): T => {
reset();
reseed(seed); // Steps D-G
let res: T | undefined = undefined; // Step H: grind until k is in [1..n-1]
while (!(res = pred(gen()))) reseed();
reset();
return res;
};
return genUntil;
}
// Validating curves and fields
const validatorFns = {
bigint: (val: any): boolean => typeof val === 'bigint',
function: (val: any): boolean => typeof val === 'function',
boolean: (val: any): boolean => typeof val === 'boolean',
string: (val: any): boolean => typeof val === 'string',
stringOrUint8Array: (val: any): boolean => typeof val === 'string' || isBytes_(val),
isSafeInteger: (val: any): boolean => Number.isSafeInteger(val),
array: (val: any): boolean => Array.isArray(val),
field: (val: any, object: any): any => (object as any).Fp.isValid(val),
hash: (val: any): boolean => typeof val === 'function' && Number.isSafeInteger(val.outputLen),
} as const;
type Validator = keyof typeof validatorFns;
type ValMap<T extends Record<string, any>> = { [K in keyof T]?: Validator };
// type Record<K extends string | number | symbol, T> = { [P in K]: T; }
export function validateObject<T extends Record<string, any>>(
object: T,
validators: ValMap<T>,
optValidators: ValMap<T> = {}
): T {
const checkField = (fieldName: keyof T, type: Validator, isOptional: boolean) => {
const checkVal = validatorFns[type];
if (typeof checkVal !== 'function') throw new Error('invalid validator function');
const val = object[fieldName as keyof typeof object];
if (isOptional && val === undefined) return;
if (!checkVal(val, object)) {
throw new Error(
'param ' + String(fieldName) + ' is invalid. Expected ' + type + ', got ' + val
);
}
};
for (const [fieldName, type] of Object.entries(validators)) checkField(fieldName, type!, false);
for (const [fieldName, type] of Object.entries(optValidators)) checkField(fieldName, type!, true);
return object;
}
// validate type tests
// const o: { a: number; b: number; c: number } = { a: 1, b: 5, c: 6 };
// const z0 = validateObject(o, { a: 'isSafeInteger' }, { c: 'bigint' }); // Ok!
// // Should fail type-check
// const z1 = validateObject(o, { a: 'tmp' }, { c: 'zz' });
// const z2 = validateObject(o, { a: 'isSafeInteger' }, { c: 'zz' });
// const z3 = validateObject(o, { test: 'boolean', z: 'bug' });
// const z4 = validateObject(o, { a: 'boolean', z: 'bug' });
export function isHash(val: CHash): boolean {
return typeof val === 'function' && Number.isSafeInteger(val.outputLen);
}
export function _validateObject(
object: Record<string, any>,
fields: Record<string, string>,
optFields: Record<string, string> = {}
): void {
if (!object || typeof object !== 'object') throw new Error('expected valid options object');
type Item = keyof typeof object;
function checkField(fieldName: Item, expectedType: string, isOpt: boolean) {
const val = object[fieldName];
if (isOpt && val === undefined) return;
const current = typeof val;
if (current !== expectedType || val === null)
throw new Error(`param "${fieldName}" is invalid: expected ${expectedType}, got ${current}`);
}
Object.entries(fields).forEach(([k, v]) => checkField(k, v, false));
Object.entries(optFields).forEach(([k, v]) => checkField(k, v, true));
}
/**
* throws not implemented error
*/
export const notImplemented = (): never => {
throw new Error('not implemented');
};
/**
* Memoizes (caches) computation result.
* Uses WeakMap: the value is going auto-cleaned by GC after last reference is removed.
*/
export function memoized<T extends object, R, O extends any[]>(
fn: (arg: T, ...args: O) => R
): (arg: T, ...args: O) => R {
const map = new WeakMap<T, R>();
return (arg: T, ...args: O): R => {
const val = map.get(arg);
if (val !== undefined) return val;
const computed = fn(arg, ...args);
map.set(arg, computed);
return computed;
};
}