@noble/curves
Advanced tools
@noble/curves - npm Package Compare versions
Comparing version 0.8.1 to 0.8.2
@@ -0,17 +1,22 @@ | ||
| "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.createCurve = exports.getHash = void 0; | ||
| /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */ | ||
| import { hmac } from '@noble/hashes/hmac'; | ||
| import { concatBytes, randomBytes } from '@noble/hashes/utils'; | ||
| import { weierstrass } from './abstract/weierstrass.js'; | ||
| const hmac_1 = require("@noble/hashes/hmac"); | ||
| const utils_1 = require("@noble/hashes/utils"); | ||
| const weierstrass_js_1 = require("./abstract/weierstrass.js"); | ||
| // connects noble-curves to noble-hashes | ||
| export function getHash(hash) { | ||
| function getHash(hash) { | ||
| return { | ||
| hash, | ||
| hmac: (key, ...msgs) => hmac(hash, key, concatBytes(...msgs)), | ||
| randomBytes, | ||
| hmac: (key, ...msgs) => (0, hmac_1.hmac)(hash, key, (0, utils_1.concatBytes)(...msgs)), | ||
| randomBytes: utils_1.randomBytes, | ||
| }; | ||
| } | ||
| export function createCurve(curveDef, defHash) { | ||
| const create = (hash) => weierstrass({ ...curveDef, ...getHash(hash) }); | ||
| exports.getHash = getHash; | ||
| function createCurve(curveDef, defHash) { | ||
| const create = (hash) => (0, weierstrass_js_1.weierstrass)({ ...curveDef, ...getHash(hash) }); | ||
| return Object.freeze({ ...create(defHash), create }); | ||
| } | ||
| exports.createCurve = createCurve; | ||
| //# sourceMappingURL=_shortw_utils.js.map |
@@ -1,9 +0,12 @@ | ||
| import { hashToPrivateScalar } from './modular.js'; | ||
| import { bitLen, bitGet, ensureBytes } from './utils.js'; | ||
| import * as htf from './hash-to-curve.js'; | ||
| import { weierstrassPoints, } from './weierstrass.js'; | ||
| export function bls(CURVE) { | ||
| "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.bls = void 0; | ||
| const modular_js_1 = require("./modular.js"); | ||
| const utils_js_1 = require("./utils.js"); | ||
| const htf = require("./hash-to-curve.js"); | ||
| const weierstrass_js_1 = require("./weierstrass.js"); | ||
| function bls(CURVE) { | ||
| // Fields looks pretty specific for curve, so for now we need to pass them with opts | ||
| const { Fp, Fr, Fp2, Fp6, Fp12 } = CURVE; | ||
| const BLS_X_LEN = bitLen(CURVE.x); | ||
| const BLS_X_LEN = (0, utils_js_1.bitLen)(CURVE.x); | ||
| const groupLen = 32; // TODO: calculate; hardcoded for now | ||
@@ -34,3 +37,3 @@ // Pre-compute coefficients for sparse multiplication | ||
| Rz = Fp2.mul(t0, t4); // T0 * T4 | ||
| if (bitGet(CURVE.x, i)) { | ||
| if ((0, utils_js_1.bitGet)(CURVE.x, i)) { | ||
| // Addition | ||
@@ -63,3 +66,3 @@ let t0 = Fp2.sub(Ry, Fp2.mul(Qy, Rz)); // Ry - Qy * Rz | ||
| f12 = Fp12.multiplyBy014(f12, E[0], Fp2.mul(E[1], Px), Fp2.mul(E[2], Py)); | ||
| if (bitGet(x, i)) { | ||
| if ((0, utils_js_1.bitGet)(x, i)) { | ||
| j += 1; | ||
@@ -76,7 +79,7 @@ const F = ell[j]; | ||
| randomPrivateKey: () => { | ||
| return Fr.toBytes(hashToPrivateScalar(CURVE.randomBytes(groupLen + 8), CURVE.r)); | ||
| return Fr.toBytes((0, modular_js_1.hashToPrivateScalar)(CURVE.randomBytes(groupLen + 8), CURVE.r)); | ||
| }, | ||
| }; | ||
| // Point on G1 curve: (x, y) | ||
| const G1_ = weierstrassPoints({ n: Fr.ORDER, ...CURVE.G1 }); | ||
| const G1_ = (0, weierstrass_js_1.weierstrassPoints)({ n: Fr.ORDER, ...CURVE.G1 }); | ||
| const G1 = Object.assign(G1_, htf.createHasher(G1_.ProjectivePoint, CURVE.G1.mapToCurve, { | ||
@@ -99,3 +102,3 @@ ...CURVE.htfDefaults, | ||
| // Point on G2 curve (complex numbers): (x₁, x₂+i), (y₁, y₂+i) | ||
| const G2_ = weierstrassPoints({ n: Fr.ORDER, ...CURVE.G2 }); | ||
| const G2_ = (0, weierstrass_js_1.weierstrassPoints)({ n: Fr.ORDER, ...CURVE.G2 }); | ||
| const G2 = Object.assign(G2_, htf.createHasher(G2_.ProjectivePoint, CURVE.G2.mapToCurve, { | ||
@@ -126,3 +129,3 @@ ...CURVE.htfDefaults, | ||
| ? point | ||
| : G2.hashToCurve(ensureBytes('point', point), htfOpts); | ||
| : G2.hashToCurve((0, utils_js_1.ensureBytes)('point', point), htfOpts); | ||
| } | ||
@@ -231,2 +234,3 @@ // Multiplies generator by private key. | ||
| } | ||
| exports.bls = bls; | ||
| //# sourceMappingURL=bls.js.map |
@@ -0,5 +1,8 @@ | ||
| "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.validateBasic = exports.wNAF = void 0; | ||
| /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */ | ||
| // Abelian group utilities | ||
| import { validateField, nLength } from './modular.js'; | ||
| import { validateObject } from './utils.js'; | ||
| const modular_js_1 = require("./modular.js"); | ||
| const utils_js_1 = require("./utils.js"); | ||
| const _0n = BigInt(0); | ||
@@ -18,3 +21,3 @@ const _1n = BigInt(1); | ||
| // windows to be in different memory locations | ||
| export function wNAF(c, bits) { | ||
| function wNAF(c, bits) { | ||
| const constTimeNegate = (condition, item) => { | ||
@@ -139,5 +142,6 @@ const neg = item.negate(); | ||
| } | ||
| export function validateBasic(curve) { | ||
| validateField(curve.Fp); | ||
| validateObject(curve, { | ||
| exports.wNAF = wNAF; | ||
| function validateBasic(curve) { | ||
| (0, modular_js_1.validateField)(curve.Fp); | ||
| (0, utils_js_1.validateObject)(curve, { | ||
| n: 'bigint', | ||
@@ -152,4 +156,5 @@ h: 'bigint', | ||
| // Set defaults | ||
| return Object.freeze({ ...nLength(curve.n, curve.nBitLength), ...curve }); | ||
| return Object.freeze({ ...(0, modular_js_1.nLength)(curve.n, curve.nBitLength), ...curve }); | ||
| } | ||
| exports.validateBasic = validateBasic; | ||
| //# sourceMappingURL=curve.js.map |
@@ -0,7 +1,10 @@ | ||
| "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.twistedEdwards = void 0; | ||
| /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */ | ||
| // Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y² | ||
| import { mod } from './modular.js'; | ||
| import * as ut from './utils.js'; | ||
| import { ensureBytes } from './utils.js'; | ||
| import { wNAF, validateBasic } from './curve.js'; | ||
| const modular_js_1 = require("./modular.js"); | ||
| const ut = require("./utils.js"); | ||
| const utils_js_1 = require("./utils.js"); | ||
| const curve_js_1 = require("./curve.js"); | ||
| // Be friendly to bad ECMAScript parsers by not using bigint literals like 123n | ||
@@ -13,3 +16,3 @@ const _0n = BigInt(0); | ||
| function validateOpts(curve) { | ||
| const opts = validateBasic(curve); | ||
| const opts = (0, curve_js_1.validateBasic)(curve); | ||
| ut.validateObject(curve, { | ||
@@ -30,3 +33,3 @@ hash: 'function', | ||
| // It is not generic twisted curve for now, but ed25519/ed448 generic implementation | ||
| export function twistedEdwards(curveDef) { | ||
| function twistedEdwards(curveDef) { | ||
| const CURVE = validateOpts(curveDef); | ||
@@ -280,3 +283,3 @@ const { Fp, n: CURVE_ORDER, preHash, hash: cHash, randomBytes, nByteLength, h: cofactor } = CURVE; | ||
| const len = Fp.BYTES; | ||
| hex = ensureBytes('pointHex', hex, len); // copy hex to a new array | ||
| hex = (0, utils_js_1.ensureBytes)('pointHex', hex, len); // copy hex to a new array | ||
| const normed = hex.slice(); // copy again, we'll manipulate it | ||
@@ -326,5 +329,5 @@ const lastByte = hex[len - 1]; // select last byte | ||
| const { BASE: G, ZERO: I } = Point; | ||
| const wnaf = wNAF(Point, nByteLength * 8); | ||
| const wnaf = (0, curve_js_1.wNAF)(Point, nByteLength * 8); | ||
| function modN(a) { | ||
| return mod(a, CURVE_ORDER); | ||
| return (0, modular_js_1.mod)(a, CURVE_ORDER); | ||
| } | ||
@@ -338,6 +341,6 @@ // Little-endian SHA512 with modulo n | ||
| const len = nByteLength; | ||
| key = ensureBytes('private key', key, len); | ||
| key = (0, utils_js_1.ensureBytes)('private key', key, len); | ||
| // Hash private key with curve's hash function to produce uniformingly random input | ||
| // Check byte lengths: ensure(64, h(ensure(32, key))) | ||
| const hashed = ensureBytes('hashed private key', cHash(key), 2 * len); | ||
| const hashed = (0, utils_js_1.ensureBytes)('hashed private key', cHash(key), 2 * len); | ||
| const head = adjustScalarBytes(hashed.slice(0, len)); // clear first half bits, produce FE | ||
@@ -357,7 +360,7 @@ const prefix = hashed.slice(len, 2 * len); // second half is called key prefix (5.1.6) | ||
| const msg = ut.concatBytes(...msgs); | ||
| return modN_LE(cHash(domain(msg, ensureBytes('context', context), !!preHash))); | ||
| return modN_LE(cHash(domain(msg, (0, utils_js_1.ensureBytes)('context', context), !!preHash))); | ||
| } | ||
| /** Signs message with privateKey. RFC8032 5.1.6 */ | ||
| function sign(msg, privKey, context) { | ||
| msg = ensureBytes('message', msg); | ||
| msg = (0, utils_js_1.ensureBytes)('message', msg); | ||
| if (preHash) | ||
@@ -372,8 +375,8 @@ msg = preHash(msg); // for ed25519ph etc. | ||
| const res = ut.concatBytes(R, ut.numberToBytesLE(s, Fp.BYTES)); | ||
| return ensureBytes('result', res, nByteLength * 2); // 64-byte signature | ||
| return (0, utils_js_1.ensureBytes)('result', res, nByteLength * 2); // 64-byte signature | ||
| } | ||
| function verify(sig, msg, publicKey, context) { | ||
| const len = Fp.BYTES; // Verifies EdDSA signature against message and public key. RFC8032 5.1.7. | ||
| sig = ensureBytes('signature', sig, 2 * len); // An extended group equation is checked. | ||
| msg = ensureBytes('message', msg); // ZIP215 compliant, which means not fully RFC8032 compliant. | ||
| sig = (0, utils_js_1.ensureBytes)('signature', sig, 2 * len); // An extended group equation is checked. | ||
| msg = (0, utils_js_1.ensureBytes)('message', msg); // ZIP215 compliant, which means not fully RFC8032 compliant. | ||
| if (preHash) | ||
@@ -416,2 +419,3 @@ msg = preHash(msg); // for ed25519ph, etc | ||
| } | ||
| exports.twistedEdwards = twistedEdwards; | ||
| //# sourceMappingURL=edwards.js.map |
@@ -1,3 +0,6 @@ | ||
| import { mod } from './modular.js'; | ||
| import { bytesToNumberBE, concatBytes, utf8ToBytes, validateObject } from './utils.js'; | ||
| "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.createHasher = exports.isogenyMap = exports.hash_to_field = exports.expand_message_xof = exports.expand_message_xmd = void 0; | ||
| const modular_js_1 = require("./modular.js"); | ||
| const utils_js_1 = require("./utils.js"); | ||
| function validateDST(dst) { | ||
@@ -7,7 +10,7 @@ if (dst instanceof Uint8Array) | ||
| if (typeof dst === 'string') | ||
| return utf8ToBytes(dst); | ||
| return (0, utils_js_1.utf8ToBytes)(dst); | ||
| throw new Error('DST must be Uint8Array or string'); | ||
| } | ||
| // Octet Stream to Integer. "spec" implementation of os2ip is 2.5x slower vs bytesToNumberBE. | ||
| const os2ip = bytesToNumberBE; | ||
| const os2ip = utils_js_1.bytesToNumberBE; | ||
| // Integer to Octet Stream (numberToBytesBE) | ||
@@ -42,3 +45,3 @@ function i2osp(value, length) { | ||
| // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-5.4.1 | ||
| export function expand_message_xmd(msg, DST, lenInBytes, H) { | ||
| function expand_message_xmd(msg, DST, lenInBytes, H) { | ||
| isBytes(msg); | ||
@@ -49,3 +52,3 @@ isBytes(DST); | ||
| if (DST.length > 255) | ||
| DST = H(concatBytes(utf8ToBytes('H2C-OVERSIZE-DST-'), DST)); | ||
| DST = H((0, utils_js_1.concatBytes)((0, utils_js_1.utf8ToBytes)('H2C-OVERSIZE-DST-'), DST)); | ||
| const { outputLen: b_in_bytes, blockLen: r_in_bytes } = H; | ||
@@ -55,16 +58,17 @@ const ell = Math.ceil(lenInBytes / b_in_bytes); | ||
| throw new Error('Invalid xmd length'); | ||
| const DST_prime = concatBytes(DST, i2osp(DST.length, 1)); | ||
| const DST_prime = (0, utils_js_1.concatBytes)(DST, i2osp(DST.length, 1)); | ||
| const Z_pad = i2osp(0, r_in_bytes); | ||
| const l_i_b_str = i2osp(lenInBytes, 2); // len_in_bytes_str | ||
| const b = new Array(ell); | ||
| const b_0 = H(concatBytes(Z_pad, msg, l_i_b_str, i2osp(0, 1), DST_prime)); | ||
| b[0] = H(concatBytes(b_0, i2osp(1, 1), DST_prime)); | ||
| const b_0 = H((0, utils_js_1.concatBytes)(Z_pad, msg, l_i_b_str, i2osp(0, 1), DST_prime)); | ||
| b[0] = H((0, utils_js_1.concatBytes)(b_0, i2osp(1, 1), DST_prime)); | ||
| for (let i = 1; i <= ell; i++) { | ||
| const args = [strxor(b_0, b[i - 1]), i2osp(i + 1, 1), DST_prime]; | ||
| b[i] = H(concatBytes(...args)); | ||
| b[i] = H((0, utils_js_1.concatBytes)(...args)); | ||
| } | ||
| const pseudo_random_bytes = concatBytes(...b); | ||
| const pseudo_random_bytes = (0, utils_js_1.concatBytes)(...b); | ||
| return pseudo_random_bytes.slice(0, lenInBytes); | ||
| } | ||
| export function expand_message_xof(msg, DST, lenInBytes, k, H) { | ||
| exports.expand_message_xmd = expand_message_xmd; | ||
| function expand_message_xof(msg, DST, lenInBytes, k, H) { | ||
| isBytes(msg); | ||
@@ -77,3 +81,3 @@ isBytes(DST); | ||
| const dkLen = Math.ceil((2 * k) / 8); | ||
| DST = H.create({ dkLen }).update(utf8ToBytes('H2C-OVERSIZE-DST-')).update(DST).digest(); | ||
| DST = H.create({ dkLen }).update((0, utils_js_1.utf8ToBytes)('H2C-OVERSIZE-DST-')).update(DST).digest(); | ||
| } | ||
@@ -90,2 +94,3 @@ if (lenInBytes > 65535 || DST.length > 255) | ||
| } | ||
| exports.expand_message_xof = expand_message_xof; | ||
| /** | ||
@@ -99,4 +104,4 @@ * Hashes arbitrary-length byte strings to a list of one or more elements of a finite field F | ||
| */ | ||
| export function hash_to_field(msg, count, options) { | ||
| validateObject(options, { | ||
| function hash_to_field(msg, count, options) { | ||
| (0, utils_js_1.validateObject)(options, { | ||
| DST: 'string', | ||
@@ -134,3 +139,3 @@ p: 'bigint', | ||
| const tv = prb.subarray(elm_offset, elm_offset + L); | ||
| e[j] = mod(os2ip(tv), p); | ||
| e[j] = (0, modular_js_1.mod)(os2ip(tv), p); | ||
| } | ||
@@ -141,3 +146,4 @@ u[i] = e; | ||
| } | ||
| export function isogenyMap(field, map) { | ||
| exports.hash_to_field = hash_to_field; | ||
| function isogenyMap(field, map) { | ||
| // Make same order as in spec | ||
@@ -152,3 +158,4 @@ const COEFF = map.map((i) => Array.from(i).reverse()); | ||
| } | ||
| export function createHasher(Point, mapToCurve, def) { | ||
| exports.isogenyMap = isogenyMap; | ||
| function createHasher(Point, mapToCurve, def) { | ||
| if (typeof mapToCurve !== 'function') | ||
@@ -176,2 +183,3 @@ throw new Error('mapToCurve() must be defined'); | ||
| } | ||
| exports.createHasher = createHasher; | ||
| //# sourceMappingURL=hash-to-curve.js.map |
@@ -0,4 +1,7 @@ | ||
| "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.hashToPrivateScalar = exports.FpSqrtEven = exports.FpSqrtOdd = exports.Fp = exports.nLength = exports.FpIsSquare = exports.FpDiv = exports.FpInvertBatch = exports.FpPow = exports.validateField = exports.isNegativeLE = exports.FpSqrt = exports.tonelliShanks = exports.invert = exports.pow2 = exports.pow = exports.mod = void 0; | ||
| /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */ | ||
| // Utilities for modular arithmetics and finite fields | ||
| import { bitMask, numberToBytesBE, numberToBytesLE, bytesToNumberBE, bytesToNumberLE, ensureBytes, validateObject, } from './utils.js'; | ||
| const utils_js_1 = require("./utils.js"); | ||
| // prettier-ignore | ||
@@ -11,6 +14,7 @@ const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3); | ||
| // Calculates a modulo b | ||
| export function mod(a, b) { | ||
| function mod(a, b) { | ||
| const result = a % b; | ||
| return result >= _0n ? result : b + result; | ||
| } | ||
| exports.mod = mod; | ||
| /** | ||
@@ -23,3 +27,3 @@ * Efficiently exponentiate num to power and do modular division. | ||
| // TODO: use field version && remove | ||
| export function pow(num, power, modulo) { | ||
| function pow(num, power, modulo) { | ||
| if (modulo <= _0n || power < _0n) | ||
@@ -38,4 +42,5 @@ throw new Error('Expected power/modulo > 0'); | ||
| } | ||
| exports.pow = pow; | ||
| // Does x ^ (2 ^ power) mod p. pow2(30, 4) == 30 ^ (2 ^ 4) | ||
| export function pow2(x, power, modulo) { | ||
| function pow2(x, power, modulo) { | ||
| let res = x; | ||
@@ -48,4 +53,5 @@ while (power-- > _0n) { | ||
| } | ||
| exports.pow2 = pow2; | ||
| // Inverses number over modulo | ||
| export function invert(number, modulo) { | ||
| function invert(number, modulo) { | ||
| if (number === _0n || modulo <= _0n) { | ||
@@ -74,6 +80,7 @@ throw new Error(`invert: expected positive integers, got n=${number} mod=${modulo}`); | ||
| } | ||
| exports.invert = invert; | ||
| // Tonelli-Shanks algorithm | ||
| // Paper 1: https://eprint.iacr.org/2012/685.pdf (page 12) | ||
| // Paper 2: Square Roots from 1; 24, 51, 10 to Dan Shanks | ||
| export function tonelliShanks(P) { | ||
| function tonelliShanks(P) { | ||
| // Legendre constant: used to calculate Legendre symbol (a | p), | ||
@@ -134,3 +141,4 @@ // which denotes the value of a^((p-1)/2) (mod p). | ||
| } | ||
| export function FpSqrt(P) { | ||
| exports.tonelliShanks = tonelliShanks; | ||
| function FpSqrt(P) { | ||
| // NOTE: different algorithms can give different roots, it is up to user to decide which one they want. | ||
@@ -193,4 +201,6 @@ // For example there is FpSqrtOdd/FpSqrtEven to choice root based on oddness (used for hash-to-curve). | ||
| } | ||
| exports.FpSqrt = FpSqrt; | ||
| // Little-endian check for first LE bit (last BE bit); | ||
| export const isNegativeLE = (num, modulo) => (mod(num, modulo) & _1n) === _1n; | ||
| const isNegativeLE = (num, modulo) => (mod(num, modulo) & _1n) === _1n; | ||
| exports.isNegativeLE = isNegativeLE; | ||
| // prettier-ignore | ||
@@ -202,3 +212,3 @@ const FIELD_FIELDS = [ | ||
| ]; | ||
| export function validateField(field) { | ||
| function validateField(field) { | ||
| const initial = { | ||
@@ -214,6 +224,7 @@ ORDER: 'bigint', | ||
| }, initial); | ||
| return validateObject(field, opts); | ||
| return (0, utils_js_1.validateObject)(field, opts); | ||
| } | ||
| exports.validateField = validateField; | ||
| // Generic field functions | ||
| export function FpPow(f, num, power) { | ||
| function FpPow(f, num, power) { | ||
| // Should have same speed as pow for bigints | ||
@@ -237,3 +248,4 @@ // TODO: benchmark! | ||
| } | ||
| export function FpInvertBatch(f, nums) { | ||
| exports.FpPow = FpPow; | ||
| function FpInvertBatch(f, nums) { | ||
| const tmp = new Array(nums.length); | ||
@@ -258,7 +270,9 @@ // Walk from first to last, multiply them by each other MOD p | ||
| } | ||
| export function FpDiv(f, lhs, rhs) { | ||
| exports.FpInvertBatch = FpInvertBatch; | ||
| function FpDiv(f, lhs, rhs) { | ||
| return f.mul(lhs, typeof rhs === 'bigint' ? invert(rhs, f.ORDER) : f.inv(rhs)); | ||
| } | ||
| exports.FpDiv = FpDiv; | ||
| // This function returns True whenever the value x is a square in the field F. | ||
| export function FpIsSquare(f) { | ||
| function FpIsSquare(f) { | ||
| const legendreConst = (f.ORDER - _1n) / _2n; // Integer arithmetic | ||
@@ -270,4 +284,5 @@ return (x) => { | ||
| } | ||
| exports.FpIsSquare = FpIsSquare; | ||
| // CURVE.n lengths | ||
| export function nLength(n, nBitLength) { | ||
| function nLength(n, nBitLength) { | ||
| // Bit size, byte size of CURVE.n | ||
@@ -278,3 +293,4 @@ const _nBitLength = nBitLength !== undefined ? nBitLength : n.toString(2).length; | ||
| } | ||
| export function Fp(ORDER, bitLen, isLE = false, redef = {}) { | ||
| exports.nLength = nLength; | ||
| function Fp(ORDER, bitLen, isLE = false, redef = {}) { | ||
| if (ORDER <= _0n) | ||
@@ -290,3 +306,3 @@ throw new Error(`Expected Fp ORDER > 0, got ${ORDER}`); | ||
| BYTES, | ||
| MASK: bitMask(BITS), | ||
| MASK: (0, utils_js_1.bitMask)(BITS), | ||
| ZERO: _0n, | ||
@@ -321,7 +337,7 @@ ONE: _1n, | ||
| cmov: (a, b, c) => (c ? b : a), | ||
| toBytes: (num) => (isLE ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES)), | ||
| toBytes: (num) => (isLE ? (0, utils_js_1.numberToBytesLE)(num, BYTES) : (0, utils_js_1.numberToBytesBE)(num, BYTES)), | ||
| fromBytes: (bytes) => { | ||
| if (bytes.length !== BYTES) | ||
| throw new Error(`Fp.fromBytes: expected ${BYTES}, got ${bytes.length}`); | ||
| return isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes); | ||
| return isLE ? (0, utils_js_1.bytesToNumberLE)(bytes) : (0, utils_js_1.bytesToNumberBE)(bytes); | ||
| }, | ||
@@ -331,3 +347,4 @@ }); | ||
| } | ||
| export function FpSqrtOdd(Fp, elm) { | ||
| exports.Fp = Fp; | ||
| function FpSqrtOdd(Fp, elm) { | ||
| if (!Fp.isOdd) | ||
@@ -338,3 +355,4 @@ throw new Error(`Field doesn't have isOdd`); | ||
| } | ||
| export function FpSqrtEven(Fp, elm) { | ||
| exports.FpSqrtOdd = FpSqrtOdd; | ||
| function FpSqrtEven(Fp, elm) { | ||
| if (!Fp.isOdd) | ||
@@ -345,2 +363,3 @@ throw new Error(`Field doesn't have isOdd`); | ||
| } | ||
| exports.FpSqrtEven = FpSqrtEven; | ||
| /** | ||
@@ -355,4 +374,4 @@ * FIPS 186 B.4.1-compliant "constant-time" private key generation utility. | ||
| */ | ||
| export function hashToPrivateScalar(hash, groupOrder, isLE = false) { | ||
| hash = ensureBytes('privateHash', hash); | ||
| function hashToPrivateScalar(hash, groupOrder, isLE = false) { | ||
| hash = (0, utils_js_1.ensureBytes)('privateHash', hash); | ||
| const hashLen = hash.length; | ||
@@ -362,5 +381,6 @@ const minLen = nLength(groupOrder).nByteLength + 8; | ||
| throw new Error(`hashToPrivateScalar: expected ${minLen}-1024 bytes of input, got ${hashLen}`); | ||
| const num = isLE ? bytesToNumberLE(hash) : bytesToNumberBE(hash); | ||
| const num = isLE ? (0, utils_js_1.bytesToNumberLE)(hash) : (0, utils_js_1.bytesToNumberBE)(hash); | ||
| return mod(num, groupOrder - _1n) + _1n; | ||
| } | ||
| exports.hashToPrivateScalar = hashToPrivateScalar; | ||
| //# sourceMappingURL=modular.js.map |
@@ -0,8 +1,11 @@ | ||
| "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.montgomery = void 0; | ||
| /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */ | ||
| import { mod, pow } from './modular.js'; | ||
| import { bytesToNumberLE, ensureBytes, numberToBytesLE, validateObject } from './utils.js'; | ||
| const modular_js_1 = require("./modular.js"); | ||
| const utils_js_1 = require("./utils.js"); | ||
| const _0n = BigInt(0); | ||
| const _1n = BigInt(1); | ||
| function validateOpts(curve) { | ||
| validateObject(curve, { | ||
| (0, utils_js_1.validateObject)(curve, { | ||
| a: 'bigint', | ||
@@ -22,6 +25,6 @@ }, { | ||
| // Uses only one coordinate instead of two | ||
| export function montgomery(curveDef) { | ||
| function montgomery(curveDef) { | ||
| const CURVE = validateOpts(curveDef); | ||
| const { P } = CURVE; | ||
| const modP = (n) => mod(n, P); | ||
| const modP = (n) => (0, modular_js_1.mod)(n, P); | ||
| const montgomeryBits = CURVE.montgomeryBits; | ||
@@ -31,3 +34,3 @@ const montgomeryBytes = Math.ceil(montgomeryBits / 8); | ||
| const adjustScalarBytes = CURVE.adjustScalarBytes || ((bytes) => bytes); | ||
| const powPminus2 = CURVE.powPminus2 || ((x) => pow(x, P - BigInt(2), P)); | ||
| const powPminus2 = CURVE.powPminus2 || ((x) => (0, modular_js_1.pow)(x, P - BigInt(2), P)); | ||
| // cswap from RFC7748. But it is not from RFC7748! | ||
@@ -116,3 +119,3 @@ /* | ||
| function encodeUCoordinate(u) { | ||
| return numberToBytesLE(modP(u), montgomeryBytes); | ||
| return (0, utils_js_1.numberToBytesLE)(modP(u), montgomeryBytes); | ||
| } | ||
@@ -124,13 +127,13 @@ function decodeUCoordinate(uEnc) { | ||
| // fieldLen - scalaryBytes = 1 for X448 and = 0 for X25519 | ||
| const u = ensureBytes('u coordinate', uEnc, montgomeryBytes); | ||
| const u = (0, utils_js_1.ensureBytes)('u coordinate', uEnc, montgomeryBytes); | ||
| // u[fieldLen-1] crashes QuickJS (TypeError: out-of-bound numeric index) | ||
| if (fieldLen === montgomeryBytes) | ||
| u[fieldLen - 1] &= 127; // 0b0111_1111 | ||
| return bytesToNumberLE(u); | ||
| return (0, utils_js_1.bytesToNumberLE)(u); | ||
| } | ||
| function decodeScalar(n) { | ||
| const bytes = ensureBytes('scalar', n); | ||
| const bytes = (0, utils_js_1.ensureBytes)('scalar', n); | ||
| if (bytes.length !== montgomeryBytes && bytes.length !== fieldLen) | ||
| throw new Error(`Expected ${montgomeryBytes} or ${fieldLen} bytes, got ${bytes.length}`); | ||
| return bytesToNumberLE(adjustScalarBytes(bytes)); | ||
| return (0, utils_js_1.bytesToNumberLE)(adjustScalarBytes(bytes)); | ||
| } | ||
@@ -161,2 +164,3 @@ function scalarMult(scalar, u) { | ||
| } | ||
| exports.montgomery = montgomery; | ||
| //# sourceMappingURL=montgomery.js.map |
@@ -0,7 +1,10 @@ | ||
| "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.poseidon = exports.splitConstants = exports.validateOpts = void 0; | ||
| /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */ | ||
| // Poseidon Hash: https://eprint.iacr.org/2019/458.pdf, https://www.poseidon-hash.info | ||
| import { FpPow, validateField } from './modular.js'; | ||
| export function validateOpts(opts) { | ||
| const modular_js_1 = require("./modular.js"); | ||
| function validateOpts(opts) { | ||
| const { Fp } = opts; | ||
| validateField(Fp); | ||
| (0, modular_js_1.validateField)(Fp); | ||
| for (const i of ['t', 'roundsFull', 'roundsPartial']) { | ||
@@ -20,3 +23,3 @@ if (typeof opts[i] !== 'number' || !Number.isSafeInteger(opts[i])) | ||
| const _sboxPower = BigInt(sboxPower); | ||
| let sboxFn = (n) => FpPow(Fp, n, _sboxPower); | ||
| let sboxFn = (n) => (0, modular_js_1.FpPow)(Fp, n, _sboxPower); | ||
| // Unwrapped sbox power for common cases (195->142μs) | ||
@@ -55,3 +58,4 @@ if (sboxPower === 3) | ||
| } | ||
| export function splitConstants(rc, t) { | ||
| exports.validateOpts = validateOpts; | ||
| function splitConstants(rc, t) { | ||
| if (typeof t !== 'number') | ||
@@ -72,3 +76,4 @@ throw new Error('poseidonSplitConstants: wrong t'); | ||
| } | ||
| export function poseidon(opts) { | ||
| exports.splitConstants = splitConstants; | ||
| function poseidon(opts) { | ||
| const { t, Fp, rounds, sboxFn, reversePartialPowIdx } = validateOpts(opts); | ||
@@ -113,2 +118,3 @@ const halfRoundsFull = Math.floor(opts.roundsFull / 2); | ||
| } | ||
| exports.poseidon = poseidon; | ||
| //# sourceMappingURL=poseidon.js.map |
@@ -0,1 +1,4 @@ | ||
| "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.validateObject = exports.createHmacDrbg = exports.bitMask = exports.bitSet = exports.bitGet = exports.bitLen = exports.utf8ToBytes = exports.equalBytes = exports.concatBytes = exports.ensureBytes = exports.numberToVarBytesBE = exports.numberToBytesLE = exports.numberToBytesBE = exports.bytesToNumberLE = exports.bytesToNumberBE = exports.hexToBytes = exports.hexToNumber = exports.numberToHexUnpadded = exports.bytesToHex = void 0; | ||
| /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */ | ||
@@ -7,3 +10,3 @@ const _0n = BigInt(0); | ||
| const hexes = Array.from({ length: 256 }, (v, i) => i.toString(16).padStart(2, '0')); | ||
| export function bytesToHex(bytes) { | ||
| function bytesToHex(bytes) { | ||
| if (!u8a(bytes)) | ||
@@ -18,7 +21,9 @@ throw new Error('Uint8Array expected'); | ||
| } | ||
| export function numberToHexUnpadded(num) { | ||
| exports.bytesToHex = bytesToHex; | ||
| function numberToHexUnpadded(num) { | ||
| const hex = num.toString(16); | ||
| return hex.length & 1 ? `0${hex}` : hex; | ||
| } | ||
| export function hexToNumber(hex) { | ||
| exports.numberToHexUnpadded = numberToHexUnpadded; | ||
| function hexToNumber(hex) { | ||
| if (typeof hex !== 'string') | ||
@@ -29,4 +34,5 @@ throw new Error('hex string expected, got ' + typeof hex); | ||
| } | ||
| exports.hexToNumber = hexToNumber; | ||
| // Caching slows it down 2-3x | ||
| export function hexToBytes(hex) { | ||
| function hexToBytes(hex) { | ||
| if (typeof hex !== 'string') | ||
@@ -47,7 +53,9 @@ throw new Error('hex string expected, got ' + typeof hex); | ||
| } | ||
| exports.hexToBytes = hexToBytes; | ||
| // Big Endian | ||
| export function bytesToNumberBE(bytes) { | ||
| function bytesToNumberBE(bytes) { | ||
| return hexToNumber(bytesToHex(bytes)); | ||
| } | ||
| export function bytesToNumberLE(bytes) { | ||
| exports.bytesToNumberBE = bytesToNumberBE; | ||
| function bytesToNumberLE(bytes) { | ||
| if (!u8a(bytes)) | ||
@@ -57,7 +65,11 @@ throw new Error('Uint8Array expected'); | ||
| } | ||
| export const numberToBytesBE = (n, len) => hexToBytes(n.toString(16).padStart(len * 2, '0')); | ||
| export const numberToBytesLE = (n, len) => numberToBytesBE(n, len).reverse(); | ||
| exports.bytesToNumberLE = bytesToNumberLE; | ||
| const numberToBytesBE = (n, len) => hexToBytes(n.toString(16).padStart(len * 2, '0')); | ||
| exports.numberToBytesBE = numberToBytesBE; | ||
| const numberToBytesLE = (n, len) => (0, exports.numberToBytesBE)(n, len).reverse(); | ||
| exports.numberToBytesLE = numberToBytesLE; | ||
| // Returns variable number bytes (minimal bigint encoding?) | ||
| export const numberToVarBytesBE = (n) => hexToBytes(numberToHexUnpadded(n)); | ||
| export function ensureBytes(title, hex, expectedLength) { | ||
| const numberToVarBytesBE = (n) => hexToBytes(numberToHexUnpadded(n)); | ||
| exports.numberToVarBytesBE = numberToVarBytesBE; | ||
| function ensureBytes(title, hex, expectedLength) { | ||
| let res; | ||
@@ -85,4 +97,5 @@ if (typeof hex === 'string') { | ||
| } | ||
| exports.ensureBytes = ensureBytes; | ||
| // Copies several Uint8Arrays into one. | ||
| export function concatBytes(...arrs) { | ||
| function concatBytes(...arrs) { | ||
| const r = new Uint8Array(arrs.reduce((sum, a) => sum + a.length, 0)); | ||
@@ -98,3 +111,4 @@ let pad = 0; // walk through each item, ensure they have proper type | ||
| } | ||
| export function equalBytes(b1, b2) { | ||
| exports.concatBytes = concatBytes; | ||
| function equalBytes(b1, b2) { | ||
| // We don't care about timing attacks here | ||
@@ -108,3 +122,4 @@ if (b1.length !== b2.length) | ||
| } | ||
| export function utf8ToBytes(str) { | ||
| exports.equalBytes = equalBytes; | ||
| function utf8ToBytes(str) { | ||
| if (typeof str !== 'string') { | ||
@@ -115,5 +130,6 @@ throw new Error(`utf8ToBytes expected string, got ${typeof str}`); | ||
| } | ||
| exports.utf8ToBytes = utf8ToBytes; | ||
| // Bit operations | ||
| // Amount of bits inside bigint (Same as n.toString(2).length) | ||
| export function bitLen(n) { | ||
| function bitLen(n) { | ||
| let len; | ||
@@ -124,10 +140,14 @@ for (len = 0; n > 0n; n >>= _1n, len += 1) | ||
| } | ||
| exports.bitLen = bitLen; | ||
| // Gets single bit at position. NOTE: first bit position is 0 (same as arrays) | ||
| // Same as !!+Array.from(n.toString(2)).reverse()[pos] | ||
| export const bitGet = (n, pos) => (n >> BigInt(pos)) & 1n; | ||
| const bitGet = (n, pos) => (n >> BigInt(pos)) & 1n; | ||
| exports.bitGet = bitGet; | ||
| // Sets single bit at position | ||
| export const bitSet = (n, pos, value) => n | ((value ? _1n : _0n) << BigInt(pos)); | ||
| const bitSet = (n, pos, value) => n | ((value ? _1n : _0n) << BigInt(pos)); | ||
| exports.bitSet = bitSet; | ||
| // Return mask for N bits (Same as BigInt(`0b${Array(i).fill('1').join('')}`)) | ||
| // Not using ** operator with bigints for old engines. | ||
| export const bitMask = (n) => (_2n << BigInt(n - 1)) - _1n; | ||
| const bitMask = (n) => (_2n << BigInt(n - 1)) - _1n; | ||
| exports.bitMask = bitMask; | ||
| // DRBG | ||
@@ -143,3 +163,3 @@ const u8n = (data) => new Uint8Array(data); // creates Uint8Array | ||
| */ | ||
| export function createHmacDrbg(hashLen, qByteLen, hmacFn) { | ||
| function createHmacDrbg(hashLen, qByteLen, hmacFn) { | ||
| if (typeof hashLen !== 'number' || hashLen < 2) | ||
@@ -195,2 +215,3 @@ throw new Error('hashLen must be a number'); | ||
| } | ||
| exports.createHmacDrbg = createHmacDrbg; | ||
| // Validating curves and fields | ||
@@ -208,3 +229,3 @@ const validatorFns = { | ||
| // type Record<K extends string | number | symbol, T> = { [P in K]: T; } | ||
| export function validateObject(object, validators, optValidators = {}) { | ||
| function validateObject(object, validators, optValidators = {}) { | ||
| const checkField = (fieldName, type, isOptional) => { | ||
@@ -227,2 +248,3 @@ const checkVal = validatorFns[type]; | ||
| } | ||
| exports.validateObject = validateObject; | ||
| // validate type tests | ||
@@ -229,0 +251,0 @@ // const o: { a: number; b: number; c: number } = { a: 1, b: 5, c: 6 }; |
@@ -0,9 +1,12 @@ | ||
| "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.mapToCurveSimpleSWU = exports.SWUFpSqrtRatio = exports.weierstrass = exports.weierstrassPoints = void 0; | ||
| /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */ | ||
| // Short Weierstrass curve. The formula is: y² = x³ + ax + b | ||
| import * as mod from './modular.js'; | ||
| import * as ut from './utils.js'; | ||
| import { ensureBytes } from './utils.js'; | ||
| import { wNAF, validateBasic } from './curve.js'; | ||
| const mod = require("./modular.js"); | ||
| const ut = require("./utils.js"); | ||
| const utils_js_1 = require("./utils.js"); | ||
| const curve_js_1 = require("./curve.js"); | ||
| function validatePointOpts(curve) { | ||
| const opts = validateBasic(curve); | ||
| const opts = (0, curve_js_1.validateBasic)(curve); | ||
| ut.validateObject(opts, { | ||
@@ -91,3 +94,3 @@ a: 'field', | ||
| const _1n = BigInt(1); | ||
| export function weierstrassPoints(opts) { | ||
| function weierstrassPoints(opts) { | ||
| const CURVE = validatePointOpts(opts); | ||
@@ -130,3 +133,3 @@ const { Fp } = CURVE; // All curves has same field / group length as for now, but they can differ | ||
| ? key | ||
| : ut.bytesToNumberBE(ensureBytes('private key', key, nByteLength)); | ||
| : ut.bytesToNumberBE((0, utils_js_1.ensureBytes)('private key', key, nByteLength)); | ||
| } | ||
@@ -198,3 +201,3 @@ catch (error) { | ||
| static fromHex(hex) { | ||
| const P = Point.fromAffine(CURVE.fromBytes(ensureBytes('pointHex', hex))); | ||
| const P = Point.fromAffine(CURVE.fromBytes((0, utils_js_1.ensureBytes)('pointHex', hex))); | ||
| P.assertValidity(); | ||
@@ -489,3 +492,3 @@ return P; | ||
| const _bits = CURVE.nBitLength; | ||
| const wnaf = wNAF(Point, CURVE.endo ? Math.ceil(_bits / 2) : _bits); | ||
| const wnaf = (0, curve_js_1.wNAF)(Point, CURVE.endo ? Math.ceil(_bits / 2) : _bits); | ||
| return { | ||
@@ -498,4 +501,5 @@ ProjectivePoint: Point, | ||
| } | ||
| exports.weierstrassPoints = weierstrassPoints; | ||
| function validateOpts(curve) { | ||
| const opts = validateBasic(curve); | ||
| const opts = (0, curve_js_1.validateBasic)(curve); | ||
| ut.validateObject(opts, { | ||
@@ -512,3 +516,3 @@ hash: 'hash', | ||
| } | ||
| export function weierstrass(curveDef) { | ||
| function weierstrass(curveDef) { | ||
| const CURVE = validateOpts(curveDef); | ||
@@ -592,3 +596,3 @@ const CURVE_ORDER = CURVE.n; | ||
| const l = CURVE.nByteLength; | ||
| hex = ensureBytes('compactSignature', hex, l * 2); | ||
| hex = (0, utils_js_1.ensureBytes)('compactSignature', hex, l * 2); | ||
| return new Signature(slcNum(hex, 0, l), slcNum(hex, l, 2 * l)); | ||
@@ -599,3 +603,3 @@ } | ||
| static fromDER(hex) { | ||
| const { r, s } = DER.toSig(ensureBytes('DER', hex)); | ||
| const { r, s } = DER.toSig((0, utils_js_1.ensureBytes)('DER', hex)); | ||
| return new Signature(r, s); | ||
@@ -615,3 +619,3 @@ } | ||
| const { r, s, recovery: rec } = this; | ||
| const h = bits2int_modN(ensureBytes('msgHash', msgHash)); // Truncate hash | ||
| const h = bits2int_modN((0, utils_js_1.ensureBytes)('msgHash', msgHash)); // Truncate hash | ||
| if (rec == null || ![0, 1, 2, 3].includes(rec)) | ||
@@ -772,5 +776,5 @@ throw new Error('recovery id invalid'); | ||
| lowS = true; // RFC6979 3.2: we skip step A, because we already provide hash | ||
| msgHash = ensureBytes('msgHash', msgHash); | ||
| msgHash = (0, utils_js_1.ensureBytes)('msgHash', msgHash); | ||
| if (prehash) | ||
| msgHash = ensureBytes('prehashed msgHash', hash(msgHash)); | ||
| msgHash = (0, utils_js_1.ensureBytes)('prehashed msgHash', hash(msgHash)); | ||
| // We can't later call bits2octets, since nested bits2int is broken for curves | ||
@@ -786,3 +790,3 @@ // with nBitLength % 8 !== 0. Because of that, we unwrap it here as int2octets call. | ||
| const e = ent === true ? randomBytes(Fp.BYTES) : ent; // generate random bytes OR pass as-is | ||
| seedArgs.push(ensureBytes('extraEntropy', e, Fp.BYTES)); // check for being of size BYTES | ||
| seedArgs.push((0, utils_js_1.ensureBytes)('extraEntropy', e, Fp.BYTES)); // check for being of size BYTES | ||
| } | ||
@@ -853,4 +857,4 @@ const seed = ut.concatBytes(...seedArgs); // Step D of RFC6979 3.2 | ||
| const sg = signature; | ||
| msgHash = ensureBytes('msgHash', msgHash); | ||
| publicKey = ensureBytes('publicKey', publicKey); | ||
| msgHash = (0, utils_js_1.ensureBytes)('msgHash', msgHash); | ||
| publicKey = (0, utils_js_1.ensureBytes)('publicKey', publicKey); | ||
| if ('strict' in opts) | ||
@@ -914,2 +918,3 @@ throw new Error('options.strict was renamed to lowS'); | ||
| } | ||
| exports.weierstrass = weierstrass; | ||
| // Implementation of the Shallue and van de Woestijne method for any Weierstrass curve | ||
@@ -919,3 +924,3 @@ // TODO: check if there is a way to merge this with uvRatio in Edwards && move to modular? | ||
| // b = False and y = sqrt(Z * (u / v)) otherwise. | ||
| export function SWUFpSqrtRatio(Fp, Z) { | ||
| function SWUFpSqrtRatio(Fp, Z) { | ||
| // Generic implementation | ||
@@ -984,4 +989,5 @@ const q = Fp.ORDER; | ||
| } | ||
| exports.SWUFpSqrtRatio = SWUFpSqrtRatio; | ||
| // From draft-irtf-cfrg-hash-to-curve-16 | ||
| export function mapToCurveSimpleSWU(Fp, opts) { | ||
| function mapToCurveSimpleSWU(Fp, opts) { | ||
| mod.validateField(Fp); | ||
@@ -1026,2 +1032,3 @@ if (!Fp.isValid(opts.A) || !Fp.isValid(opts.B) || !Fp.isValid(opts.Z)) | ||
| } | ||
| exports.mapToCurveSimpleSWU = mapToCurveSimpleSWU; | ||
| //# sourceMappingURL=weierstrass.js.map |
129
bls12-381.js
@@ -0,2 +1,5 @@ | ||
| "use strict"; | ||
| /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */ | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.bls12_381 = void 0; | ||
| // bls12-381 pairing-friendly Barreto-Lynn-Scott elliptic curve construction allows to: | ||
@@ -46,10 +49,10 @@ // - Construct zk-SNARKs at the 128-bit security | ||
| // - Points now have only two coordinates | ||
| import { sha256 } from '@noble/hashes/sha256'; | ||
| import { randomBytes } from '@noble/hashes/utils'; | ||
| import { bls } from './abstract/bls.js'; | ||
| import * as mod from './abstract/modular.js'; | ||
| import { concatBytes as concatB, ensureBytes, numberToBytesBE, bytesToNumberBE, bitLen, bitSet, bitGet, bitMask, } from './abstract/utils.js'; | ||
| const sha256_1 = require("@noble/hashes/sha256"); | ||
| const utils_1 = require("@noble/hashes/utils"); | ||
| const bls_js_1 = require("./abstract/bls.js"); | ||
| const mod = require("./abstract/modular.js"); | ||
| const utils_js_1 = require("./abstract/utils.js"); | ||
| // Types | ||
| import { mapToCurveSimpleSWU, } from './abstract/weierstrass.js'; | ||
| import { isogenyMap } from './abstract/hash-to-curve.js'; | ||
| const weierstrass_js_1 = require("./abstract/weierstrass.js"); | ||
| const hash_to_curve_js_1 = require("./abstract/hash-to-curve.js"); | ||
| // CURVE FIELDS | ||
@@ -96,5 +99,5 @@ // Finite field over p. | ||
| ORDER: FP2_ORDER, | ||
| BITS: bitLen(FP2_ORDER), | ||
| BYTES: Math.ceil(bitLen(FP2_ORDER) / 8), | ||
| MASK: bitMask(bitLen(FP2_ORDER)), | ||
| BITS: (0, utils_js_1.bitLen)(FP2_ORDER), | ||
| BYTES: Math.ceil((0, utils_js_1.bitLen)(FP2_ORDER) / 8), | ||
| MASK: (0, utils_js_1.bitMask)((0, utils_js_1.bitLen)(FP2_ORDER)), | ||
| ZERO: { c0: Fp.ZERO, c1: Fp.ZERO }, | ||
@@ -179,3 +182,3 @@ ONE: { c0: Fp.ONE, c1: Fp.ZERO }, | ||
| }, | ||
| toBytes: ({ c0, c1 }) => concatB(Fp.toBytes(c0), Fp.toBytes(c1)), | ||
| toBytes: ({ c0, c1 }) => (0, utils_js_1.concatBytes)(Fp.toBytes(c0), Fp.toBytes(c1)), | ||
| cmov: ({ c0, c1 }, { c0: r0, c1: r1 }, c) => ({ | ||
@@ -285,3 +288,3 @@ c0: Fp.cmov(c0, r0, c), | ||
| BYTES: 3 * Fp2.BYTES, | ||
| MASK: bitMask(3 * Fp2.BITS), | ||
| MASK: (0, utils_js_1.bitMask)(3 * Fp2.BITS), | ||
| ZERO: { c0: Fp2.ZERO, c1: Fp2.ZERO, c2: Fp2.ZERO }, | ||
@@ -329,3 +332,3 @@ ONE: { c0: Fp2.ONE, c1: Fp2.ZERO, c2: Fp2.ZERO }, | ||
| }, | ||
| toBytes: ({ c0, c1, c2 }) => concatB(Fp2.toBytes(c0), Fp2.toBytes(c1), Fp2.toBytes(c2)), | ||
| toBytes: ({ c0, c1, c2 }) => (0, utils_js_1.concatBytes)(Fp2.toBytes(c0), Fp2.toBytes(c1), Fp2.toBytes(c2)), | ||
| cmov: ({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }, c) => ({ | ||
@@ -428,3 +431,3 @@ c0: Fp2.cmov(c0, r0, c), | ||
| const BLS_X = 0xd201000000010000n; | ||
| const BLS_X_LEN = bitLen(BLS_X); | ||
| const BLS_X_LEN = (0, utils_js_1.bitLen)(BLS_X); | ||
| const Fp12Add = ({ c0, c1 }, { c0: r0, c1: r1 }) => ({ | ||
@@ -470,3 +473,3 @@ c0: Fp6.add(c0, r0), | ||
| BYTES: 2 * Fp2.BYTES, | ||
| MASK: bitMask(2 * Fp2.BITS), | ||
| MASK: (0, utils_js_1.bitMask)(2 * Fp2.BITS), | ||
| ZERO: { c0: Fp6.ZERO, c1: Fp6.ZERO }, | ||
@@ -508,3 +511,3 @@ ONE: { c0: Fp6.ONE, c1: Fp6.ZERO }, | ||
| }, | ||
| toBytes: ({ c0, c1 }) => concatB(Fp6.toBytes(c0), Fp6.toBytes(c1)), | ||
| toBytes: ({ c0, c1 }) => (0, utils_js_1.concatBytes)(Fp6.toBytes(c0), Fp6.toBytes(c1)), | ||
| cmov: ({ c0, c1 }, { c0: r0, c1: r1 }, c) => ({ | ||
@@ -582,3 +585,3 @@ c0: Fp6.cmov(c0, r0, c), | ||
| z = Fp12._cyclotomicSquare(z); | ||
| if (bitGet(n, i)) | ||
| if ((0, utils_js_1.bitGet)(n, i)) | ||
| z = Fp12.mul(z, num); | ||
@@ -661,3 +664,3 @@ } | ||
| // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#appendix-E.3 | ||
| const isogenyMapG2 = isogenyMap(Fp2, [ | ||
| const isogenyMapG2 = (0, hash_to_curve_js_1.isogenyMap)(Fp2, [ | ||
| // xNum | ||
@@ -731,3 +734,3 @@ [ | ||
| // 11-isogeny map from E' to E | ||
| const isogenyMapG1 = isogenyMap(Fp, [ | ||
| const isogenyMapG1 = (0, hash_to_curve_js_1.isogenyMap)(Fp, [ | ||
| // xNum | ||
@@ -802,3 +805,3 @@ [ | ||
| // SWU Map - Fp2 to G2': y² = x³ + 240i * x + 1012 + 1012i | ||
| const G2_SWU = mapToCurveSimpleSWU(Fp2, { | ||
| const G2_SWU = (0, weierstrass_js_1.mapToCurveSimpleSWU)(Fp2, { | ||
| A: Fp2.create({ c0: Fp.create(0n), c1: Fp.create(240n) }), | ||
@@ -809,3 +812,3 @@ B: Fp2.create({ c0: Fp.create(1012n), c1: Fp.create(1012n) }), | ||
| // Optimized SWU Map - Fp to G1 | ||
| const G1_SWU = mapToCurveSimpleSWU(Fp, { | ||
| const G1_SWU = (0, weierstrass_js_1.mapToCurveSimpleSWU)(Fp, { | ||
| A: Fp.create(0x144698a3b8e9433d693a02c96d4982b0ea985383ee66a8d8e8981aefd881ac98936f8da0e0f97f5cf428082d584c1dn), | ||
@@ -875,3 +878,3 @@ B: Fp.create(0x12e2908d11688030018b12e8753eee3b2016c1f0f24f4070a0b9c14fcef35ef55a23215a316ceaa5d1cc48e98e172be0n), | ||
| // BBS+ uses blake2: https://github.com/hyperledger/aries-framework-go/issues/2247 | ||
| hash: sha256, | ||
| hash: sha256_1.sha256, | ||
| }); | ||
@@ -884,3 +887,3 @@ // Encoding utils | ||
| // Compressed point of infinity | ||
| const COMPRESSED_ZERO = Fp.toBytes(bitSet(bitSet(0n, I_BIT_POS, true), S_BIT_POS, true)); // set compressed & point-at-infinity bits | ||
| const COMPRESSED_ZERO = Fp.toBytes((0, utils_js_1.bitSet)((0, utils_js_1.bitSet)(0n, I_BIT_POS, true), S_BIT_POS, true)); // set compressed & point-at-infinity bits | ||
| // To verify curve parameters, see pairing-friendly-curves spec: | ||
@@ -896,3 +899,3 @@ // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-09 | ||
| // Here goes constants && point encoding format | ||
| export const bls12_381 = bls({ | ||
| exports.bls12_381 = (0, bls_js_1.bls)({ | ||
| // Fields | ||
@@ -931,4 +934,4 @@ Fr, | ||
| // todo: unroll | ||
| const xP = point.multiplyUnsafe(bls12_381.CURVE.x).negate(); // [x]P | ||
| const u2P = xP.multiplyUnsafe(bls12_381.CURVE.x); // [u2]P | ||
| const xP = point.multiplyUnsafe(exports.bls12_381.CURVE.x).negate(); // [x]P | ||
| const u2P = xP.multiplyUnsafe(exports.bls12_381.CURVE.x); // [u2]P | ||
| return u2P.equals(phi); | ||
@@ -951,3 +954,3 @@ // https://eprint.iacr.org/2019/814.pdf | ||
| // return this.multiplyUnsafe(CURVE.h); | ||
| return point.multiplyUnsafe(bls12_381.CURVE.x).add(point); // x*P + P | ||
| return point.multiplyUnsafe(exports.bls12_381.CURVE.x).add(point); // x*P + P | ||
| }, | ||
@@ -961,4 +964,4 @@ mapToCurve: (scalars) => { | ||
| const P = Fp.ORDER; | ||
| const compressedValue = bytesToNumberBE(bytes); | ||
| const bflag = bitGet(compressedValue, I_BIT_POS); | ||
| const compressedValue = (0, utils_js_1.bytesToNumberBE)(bytes); | ||
| const bflag = (0, utils_js_1.bitGet)(compressedValue, I_BIT_POS); | ||
| // Zero | ||
@@ -968,7 +971,7 @@ if (bflag === 1n) | ||
| const x = Fp.create(compressedValue & Fp.MASK); | ||
| const right = Fp.add(Fp.pow(x, 3n), Fp.create(bls12_381.CURVE.G1.b)); // y² = x³ + b | ||
| const right = Fp.add(Fp.pow(x, 3n), Fp.create(exports.bls12_381.CURVE.G1.b)); // y² = x³ + b | ||
| let y = Fp.sqrt(right); | ||
| if (!y) | ||
| throw new Error('Invalid compressed G1 point'); | ||
| const aflag = bitGet(compressedValue, C_BIT_POS); | ||
| const aflag = (0, utils_js_1.bitGet)(compressedValue, C_BIT_POS); | ||
| if ((y * 2n) / P !== aflag) | ||
@@ -981,5 +984,5 @@ y = Fp.neg(y); | ||
| if ((bytes[0] & (1 << 6)) !== 0) | ||
| return bls12_381.G1.ProjectivePoint.ZERO.toAffine(); | ||
| const x = bytesToNumberBE(bytes.slice(0, Fp.BYTES)); | ||
| const y = bytesToNumberBE(bytes.slice(Fp.BYTES)); | ||
| return exports.bls12_381.G1.ProjectivePoint.ZERO.toAffine(); | ||
| const x = (0, utils_js_1.bytesToNumberBE)(bytes.slice(0, Fp.BYTES)); | ||
| const y = (0, utils_js_1.bytesToNumberBE)(bytes.slice(Fp.BYTES)); | ||
| return { x: Fp.create(x), y: Fp.create(y) }; | ||
@@ -999,5 +1002,5 @@ } | ||
| let num; | ||
| num = bitSet(x, C_BIT_POS, Boolean((y * 2n) / P)); // set aflag | ||
| num = bitSet(num, S_BIT_POS, true); | ||
| return numberToBytesBE(num, Fp.BYTES); | ||
| num = (0, utils_js_1.bitSet)(x, C_BIT_POS, Boolean((y * 2n) / P)); // set aflag | ||
| num = (0, utils_js_1.bitSet)(num, S_BIT_POS, true); | ||
| return (0, utils_js_1.numberToBytesBE)(num, Fp.BYTES); | ||
| } | ||
@@ -1007,7 +1010,7 @@ else { | ||
| // 2x PUBLIC_KEY_LENGTH | ||
| const x = concatB(new Uint8Array([0x40]), new Uint8Array(2 * Fp.BYTES - 1)); | ||
| const x = (0, utils_js_1.concatBytes)(new Uint8Array([0x40]), new Uint8Array(2 * Fp.BYTES - 1)); | ||
| return x; | ||
| } | ||
| else { | ||
| return concatB(numberToBytesBE(x, Fp.BYTES), numberToBytesBE(y, Fp.BYTES)); | ||
| return (0, utils_js_1.concatBytes)((0, utils_js_1.numberToBytesBE)(x, Fp.BYTES), (0, utils_js_1.numberToBytesBE)(y, Fp.BYTES)); | ||
| } | ||
@@ -1051,3 +1054,3 @@ } | ||
| isTorsionFree: (c, P) => { | ||
| return P.multiplyUnsafe(bls12_381.CURVE.x).negate().equals(G2psi(c, P)); // ψ(P) == [u](P) | ||
| return P.multiplyUnsafe(exports.bls12_381.CURVE.x).negate().equals(G2psi(c, P)); // ψ(P) == [u](P) | ||
| // Older version: https://eprint.iacr.org/2019/814.pdf | ||
@@ -1062,3 +1065,3 @@ // Ψ²(P) => Ψ³(P) => [z]Ψ³(P) where z = -x => [z]Ψ³(P) - Ψ²(P) + P == O | ||
| clearCofactor: (c, P) => { | ||
| const { x } = bls12_381.CURVE; | ||
| const { x } = exports.bls12_381.CURVE; | ||
| let t1 = P.multiplyUnsafe(x).negate(); // [-x]P | ||
@@ -1085,5 +1088,5 @@ let t2 = G2psi(c, P); // Ψ(P) | ||
| const L = Fp.BYTES; | ||
| const slc = (b, from, to) => bytesToNumberBE(b.slice(from, to)); | ||
| const slc = (b, from, to) => (0, utils_js_1.bytesToNumberBE)(b.slice(from, to)); | ||
| if (bytes.length === 96 && bitC) { | ||
| const { b } = bls12_381.CURVE.G2; | ||
| const { b } = exports.bls12_381.CURVE.G2; | ||
| const P = Fp.ORDER; | ||
@@ -1128,15 +1131,15 @@ bytes[0] = bytes[0] & 0x1f; // clear flags | ||
| if (isZero) | ||
| return concatB(COMPRESSED_ZERO, numberToBytesBE(0n, Fp.BYTES)); | ||
| return (0, utils_js_1.concatBytes)(COMPRESSED_ZERO, (0, utils_js_1.numberToBytesBE)(0n, Fp.BYTES)); | ||
| const flag = Boolean(y.c1 === 0n ? (y.c0 * 2n) / P : (y.c1 * 2n) / P); | ||
| // set compressed & sign bits (looks like different offsets than for G1/Fp?) | ||
| let x_1 = bitSet(x.c1, C_BIT_POS, flag); | ||
| x_1 = bitSet(x_1, S_BIT_POS, true); | ||
| return concatB(numberToBytesBE(x_1, Fp.BYTES), numberToBytesBE(x.c0, Fp.BYTES)); | ||
| let x_1 = (0, utils_js_1.bitSet)(x.c1, C_BIT_POS, flag); | ||
| x_1 = (0, utils_js_1.bitSet)(x_1, S_BIT_POS, true); | ||
| return (0, utils_js_1.concatBytes)((0, utils_js_1.numberToBytesBE)(x_1, Fp.BYTES), (0, utils_js_1.numberToBytesBE)(x.c0, Fp.BYTES)); | ||
| } | ||
| else { | ||
| if (isZero) | ||
| return concatB(new Uint8Array([0x40]), new Uint8Array(4 * Fp.BYTES - 1)); // bytes[0] |= 1 << 6; | ||
| return (0, utils_js_1.concatBytes)(new Uint8Array([0x40]), new Uint8Array(4 * Fp.BYTES - 1)); // bytes[0] |= 1 << 6; | ||
| const { re: x0, im: x1 } = Fp2.reim(x); | ||
| const { re: y0, im: y1 } = Fp2.reim(y); | ||
| return concatB(numberToBytesBE(x1, Fp.BYTES), numberToBytesBE(x0, Fp.BYTES), numberToBytesBE(y1, Fp.BYTES), numberToBytesBE(y0, Fp.BYTES)); | ||
| return (0, utils_js_1.concatBytes)((0, utils_js_1.numberToBytesBE)(x1, Fp.BYTES), (0, utils_js_1.numberToBytesBE)(x0, Fp.BYTES), (0, utils_js_1.numberToBytesBE)(y1, Fp.BYTES), (0, utils_js_1.numberToBytesBE)(y0, Fp.BYTES)); | ||
| } | ||
@@ -1147,3 +1150,3 @@ }, | ||
| decode(hex) { | ||
| hex = ensureBytes('signatureHex', hex); | ||
| hex = (0, utils_js_1.ensureBytes)('signatureHex', hex); | ||
| const P = Fp.ORDER; | ||
@@ -1153,12 +1156,12 @@ const half = hex.length / 2; | ||
| throw new Error('Invalid compressed signature length, must be 96 or 192'); | ||
| const z1 = bytesToNumberBE(hex.slice(0, half)); | ||
| const z2 = bytesToNumberBE(hex.slice(half)); | ||
| const z1 = (0, utils_js_1.bytesToNumberBE)(hex.slice(0, half)); | ||
| const z2 = (0, utils_js_1.bytesToNumberBE)(hex.slice(half)); | ||
| // Indicates the infinity point | ||
| const bflag1 = bitGet(z1, I_BIT_POS); | ||
| const bflag1 = (0, utils_js_1.bitGet)(z1, I_BIT_POS); | ||
| if (bflag1 === 1n) | ||
| return bls12_381.G2.ProjectivePoint.ZERO; | ||
| return exports.bls12_381.G2.ProjectivePoint.ZERO; | ||
| const x1 = Fp.create(z1 & Fp.MASK); | ||
| const x2 = Fp.create(z2); | ||
| const x = Fp2.create({ c0: x2, c1: x1 }); | ||
| const y2 = Fp2.add(Fp2.pow(x, 3n), bls12_381.CURVE.G2.b); // y² = x³ + 4 | ||
| const y2 = Fp2.add(Fp2.pow(x, 3n), exports.bls12_381.CURVE.G2.b); // y² = x³ + 4 | ||
| // The slow part | ||
@@ -1171,3 +1174,3 @@ let y = Fp2.sqrt(y2); | ||
| const { re: y0, im: y1 } = Fp2.reim(y); | ||
| const aflag1 = bitGet(z1, 381); | ||
| const aflag1 = (0, utils_js_1.bitGet)(z1, 381); | ||
| const isGreater = y1 > 0n && (y1 * 2n) / P !== aflag1; | ||
@@ -1177,3 +1180,3 @@ const isZero = y1 === 0n && (y0 * 2n) / P !== aflag1; | ||
| y = Fp2.neg(y); | ||
| const point = bls12_381.G2.ProjectivePoint.fromAffine({ x, y }); | ||
| const point = exports.bls12_381.G2.ProjectivePoint.fromAffine({ x, y }); | ||
| point.assertValidity(); | ||
@@ -1185,4 +1188,4 @@ return point; | ||
| point.assertValidity(); | ||
| if (point.equals(bls12_381.G2.ProjectivePoint.ZERO)) | ||
| return concatB(COMPRESSED_ZERO, numberToBytesBE(0n, Fp.BYTES)); | ||
| if (point.equals(exports.bls12_381.G2.ProjectivePoint.ZERO)) | ||
| return (0, utils_js_1.concatBytes)(COMPRESSED_ZERO, (0, utils_js_1.numberToBytesBE)(0n, Fp.BYTES)); | ||
| const a = point.toAffine(); | ||
@@ -1193,5 +1196,5 @@ const { re: x0, im: x1 } = Fp2.reim(a.x); | ||
| const aflag1 = Boolean((tmp / Fp.ORDER) & 1n); | ||
| const z1 = bitSet(bitSet(x1, 381, aflag1), S_BIT_POS, true); | ||
| const z1 = (0, utils_js_1.bitSet)((0, utils_js_1.bitSet)(x1, 381, aflag1), S_BIT_POS, true); | ||
| const z2 = x0; | ||
| return concatB(numberToBytesBE(z1, Fp.BYTES), numberToBytesBE(z2, Fp.BYTES)); | ||
| return (0, utils_js_1.concatBytes)((0, utils_js_1.numberToBytesBE)(z1, Fp.BYTES), (0, utils_js_1.numberToBytesBE)(z2, Fp.BYTES)); | ||
| }, | ||
@@ -1203,5 +1206,5 @@ }, | ||
| htfDefaults, | ||
| hash: sha256, | ||
| randomBytes, | ||
| hash: sha256_1.sha256, | ||
| randomBytes: utils_1.randomBytes, | ||
| }); | ||
| //# sourceMappingURL=bls12-381.js.map |
17
bn.js
@@ -0,6 +1,9 @@ | ||
| "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.bn254 = void 0; | ||
| /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */ | ||
| import { sha256 } from '@noble/hashes/sha256'; | ||
| import { weierstrass } from './abstract/weierstrass.js'; | ||
| import { getHash } from './_shortw_utils.js'; | ||
| import { Fp } from './abstract/modular.js'; | ||
| const sha256_1 = require("@noble/hashes/sha256"); | ||
| const weierstrass_js_1 = require("./abstract/weierstrass.js"); | ||
| const _shortw_utils_js_1 = require("./_shortw_utils.js"); | ||
| const modular_js_1 = require("./abstract/modular.js"); | ||
| /** | ||
@@ -12,6 +15,6 @@ * bn254 pairing-friendly curve. | ||
| */ | ||
| export const bn254 = weierstrass({ | ||
| exports.bn254 = (0, weierstrass_js_1.weierstrass)({ | ||
| a: BigInt(0), | ||
| b: BigInt(3), | ||
| Fp: Fp(BigInt('0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47')), | ||
| Fp: (0, modular_js_1.Fp)(BigInt('0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47')), | ||
| n: BigInt('0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593f0000001'), | ||
@@ -21,4 +24,4 @@ Gx: BigInt(1), | ||
| h: BigInt(1), | ||
| ...getHash(sha256), | ||
| ...(0, _shortw_utils_js_1.getHash)(sha256_1.sha256), | ||
| }); | ||
| //# sourceMappingURL=bn.js.map |
150
ed25519.js
@@ -0,9 +1,12 @@ | ||
| "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.hash_to_ristretto255 = exports.RistrettoPoint = exports.encodeToCurve = exports.hashToCurve = exports.x25519 = exports.ed25519ph = exports.ed25519ctx = exports.ed25519 = exports.ED25519_TORSION_SUBGROUP = void 0; | ||
| /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */ | ||
| import { sha512 } from '@noble/hashes/sha512'; | ||
| import { concatBytes, randomBytes, utf8ToBytes } from '@noble/hashes/utils'; | ||
| import { twistedEdwards } from './abstract/edwards.js'; | ||
| import { montgomery } from './abstract/montgomery.js'; | ||
| import { mod, pow2, isNegativeLE, Fp as Field, FpSqrtEven } from './abstract/modular.js'; | ||
| import { equalBytes, bytesToHex, bytesToNumberLE, numberToBytesLE, ensureBytes, } from './abstract/utils.js'; | ||
| import * as htf from './abstract/hash-to-curve.js'; | ||
| const sha512_1 = require("@noble/hashes/sha512"); | ||
| const utils_1 = require("@noble/hashes/utils"); | ||
| const edwards_js_1 = require("./abstract/edwards.js"); | ||
| const montgomery_js_1 = require("./abstract/montgomery.js"); | ||
| const modular_js_1 = require("./abstract/modular.js"); | ||
| const utils_js_1 = require("./abstract/utils.js"); | ||
| const htf = require("./abstract/hash-to-curve.js"); | ||
| /** | ||
@@ -26,12 +29,12 @@ * ed25519 Twisted Edwards curve with following addons: | ||
| const b2 = (x2 * x) % P; // x^3, 11 | ||
| const b4 = (pow2(b2, _2n, P) * b2) % P; // x^15, 1111 | ||
| const b5 = (pow2(b4, _1n, P) * x) % P; // x^31 | ||
| const b10 = (pow2(b5, _5n, P) * b5) % P; | ||
| const b20 = (pow2(b10, _10n, P) * b10) % P; | ||
| const b40 = (pow2(b20, _20n, P) * b20) % P; | ||
| const b80 = (pow2(b40, _40n, P) * b40) % P; | ||
| const b160 = (pow2(b80, _80n, P) * b80) % P; | ||
| const b240 = (pow2(b160, _80n, P) * b80) % P; | ||
| const b250 = (pow2(b240, _10n, P) * b10) % P; | ||
| const pow_p_5_8 = (pow2(b250, _2n, P) * x) % P; | ||
| const b4 = ((0, modular_js_1.pow2)(b2, _2n, P) * b2) % P; // x^15, 1111 | ||
| const b5 = ((0, modular_js_1.pow2)(b4, _1n, P) * x) % P; // x^31 | ||
| const b10 = ((0, modular_js_1.pow2)(b5, _5n, P) * b5) % P; | ||
| const b20 = ((0, modular_js_1.pow2)(b10, _10n, P) * b10) % P; | ||
| const b40 = ((0, modular_js_1.pow2)(b20, _20n, P) * b20) % P; | ||
| const b80 = ((0, modular_js_1.pow2)(b40, _40n, P) * b40) % P; | ||
| const b160 = ((0, modular_js_1.pow2)(b80, _80n, P) * b80) % P; | ||
| const b240 = ((0, modular_js_1.pow2)(b160, _80n, P) * b80) % P; | ||
| const b250 = ((0, modular_js_1.pow2)(b240, _10n, P) * b10) % P; | ||
| const pow_p_5_8 = ((0, modular_js_1.pow2)(b250, _2n, P) * x) % P; | ||
| // ^ To pow to (p+3)/8, multiply it by x. | ||
@@ -53,13 +56,13 @@ return { pow_p_5_8, b2 }; | ||
| const P = ED25519_P; | ||
| const v3 = mod(v * v * v, P); // v³ | ||
| const v7 = mod(v3 * v3 * v, P); // v⁷ | ||
| const v3 = (0, modular_js_1.mod)(v * v * v, P); // v³ | ||
| const v7 = (0, modular_js_1.mod)(v3 * v3 * v, P); // v⁷ | ||
| // (p+3)/8 and (p-5)/8 | ||
| const pow = ed25519_pow_2_252_3(u * v7).pow_p_5_8; | ||
| let x = mod(u * v3 * pow, P); // (uv³)(uv⁷)^(p-5)/8 | ||
| const vx2 = mod(v * x * x, P); // vx² | ||
| let x = (0, modular_js_1.mod)(u * v3 * pow, P); // (uv³)(uv⁷)^(p-5)/8 | ||
| const vx2 = (0, modular_js_1.mod)(v * x * x, P); // vx² | ||
| const root1 = x; // First root candidate | ||
| const root2 = mod(x * ED25519_SQRT_M1, P); // Second root candidate | ||
| const root2 = (0, modular_js_1.mod)(x * ED25519_SQRT_M1, P); // Second root candidate | ||
| const useRoot1 = vx2 === u; // If vx² = u (mod p), x is a square root | ||
| const useRoot2 = vx2 === mod(-u, P); // If vx² = -u, set x <-- x * 2^((p-1)/4) | ||
| const noRoot = vx2 === mod(-u * ED25519_SQRT_M1, P); // There is no valid root, vx² = -u√(-1) | ||
| const useRoot2 = vx2 === (0, modular_js_1.mod)(-u, P); // If vx² = -u, set x <-- x * 2^((p-1)/4) | ||
| const noRoot = vx2 === (0, modular_js_1.mod)(-u * ED25519_SQRT_M1, P); // There is no valid root, vx² = -u√(-1) | ||
| if (useRoot1) | ||
@@ -69,8 +72,8 @@ x = root1; | ||
| x = root2; // We return root2 anyway, for const-time | ||
| if (isNegativeLE(x, P)) | ||
| x = mod(-x, P); | ||
| if ((0, modular_js_1.isNegativeLE)(x, P)) | ||
| x = (0, modular_js_1.mod)(-x, P); | ||
| return { isValid: useRoot1 || useRoot2, value: x }; | ||
| } | ||
| // Just in case | ||
| export const ED25519_TORSION_SUBGROUP = [ | ||
| exports.ED25519_TORSION_SUBGROUP = [ | ||
| '0100000000000000000000000000000000000000000000000000000000000000', | ||
@@ -85,3 +88,3 @@ 'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a', | ||
| ]; | ||
| const Fp = Field(ED25519_P, undefined, true); | ||
| const Fp = (0, modular_js_1.Fp)(ED25519_P, undefined, true); | ||
| const ED25519_DEF = { | ||
@@ -103,4 +106,4 @@ // Param: a | ||
| Gy: BigInt('46316835694926478169428394003475163141307993866256225615783033603165251855960'), | ||
| hash: sha512, | ||
| randomBytes, | ||
| hash: sha512_1.sha512, | ||
| randomBytes: utils_1.randomBytes, | ||
| adjustScalarBytes, | ||
@@ -112,15 +115,15 @@ // dom2 | ||
| }; | ||
| export const ed25519 = twistedEdwards(ED25519_DEF); | ||
| exports.ed25519 = (0, edwards_js_1.twistedEdwards)(ED25519_DEF); | ||
| function ed25519_domain(data, ctx, phflag) { | ||
| if (ctx.length > 255) | ||
| throw new Error('Context is too big'); | ||
| return concatBytes(utf8ToBytes('SigEd25519 no Ed25519 collisions'), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data); | ||
| return (0, utils_1.concatBytes)((0, utils_1.utf8ToBytes)('SigEd25519 no Ed25519 collisions'), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data); | ||
| } | ||
| export const ed25519ctx = twistedEdwards({ ...ED25519_DEF, domain: ed25519_domain }); | ||
| export const ed25519ph = twistedEdwards({ | ||
| exports.ed25519ctx = (0, edwards_js_1.twistedEdwards)({ ...ED25519_DEF, domain: ed25519_domain }); | ||
| exports.ed25519ph = (0, edwards_js_1.twistedEdwards)({ | ||
| ...ED25519_DEF, | ||
| domain: ed25519_domain, | ||
| preHash: sha512, | ||
| preHash: sha512_1.sha512, | ||
| }); | ||
| export const x25519 = montgomery({ | ||
| exports.x25519 = (0, montgomery_js_1.montgomery)({ | ||
| P: ED25519_P, | ||
@@ -135,6 +138,6 @@ a: BigInt(486662), | ||
| const { pow_p_5_8, b2 } = ed25519_pow_2_252_3(x); | ||
| return mod(pow2(pow_p_5_8, BigInt(3), P) * b2, P); | ||
| return (0, modular_js_1.mod)((0, modular_js_1.pow2)(pow_p_5_8, BigInt(3), P) * b2, P); | ||
| }, | ||
| adjustScalarBytes, | ||
| randomBytes, | ||
| randomBytes: utils_1.randomBytes, | ||
| }); | ||
@@ -191,3 +194,3 @@ // Hash To Curve Elligator2 Map (NOTE: different from ristretto255 elligator) | ||
| } | ||
| const ELL2_C1_EDWARDS = FpSqrtEven(Fp, Fp.neg(BigInt(486664))); // sgn0(c1) MUST equal 0 | ||
| const ELL2_C1_EDWARDS = (0, modular_js_1.FpSqrtEven)(Fp, Fp.neg(BigInt(486664))); // sgn0(c1) MUST equal 0 | ||
| function map_to_curve_elligator2_edwards25519(u) { | ||
@@ -209,3 +212,3 @@ const { xMn, xMd, yMn, yMd } = map_to_curve_elligator2_curve25519(u); // 1. (xMn, xMd, yMn, yMd) = map_to_curve_elligator2_curve25519(u) | ||
| } | ||
| const { hashToCurve, encodeToCurve } = htf.createHasher(ed25519.ExtendedPoint, (scalars) => map_to_curve_elligator2_edwards25519(scalars[0]), { | ||
| const { hashToCurve, encodeToCurve } = htf.createHasher(exports.ed25519.ExtendedPoint, (scalars) => map_to_curve_elligator2_edwards25519(scalars[0]), { | ||
| DST: 'edwards25519_XMD:SHA-512_ELL2_RO_', | ||
@@ -217,5 +220,6 @@ encodeDST: 'edwards25519_XMD:SHA-512_ELL2_NU_', | ||
| expand: 'xmd', | ||
| hash: sha512, | ||
| hash: sha512_1.sha512, | ||
| }); | ||
| export { hashToCurve, encodeToCurve }; | ||
| exports.hashToCurve = hashToCurve; | ||
| exports.encodeToCurve = encodeToCurve; | ||
| function assertRstPoint(other) { | ||
@@ -238,9 +242,9 @@ if (!(other instanceof RistrettoPoint)) | ||
| const MAX_255B = BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'); | ||
| const bytes255ToNumberLE = (bytes) => ed25519.CURVE.Fp.create(bytesToNumberLE(bytes) & MAX_255B); | ||
| const bytes255ToNumberLE = (bytes) => exports.ed25519.CURVE.Fp.create((0, utils_js_1.bytesToNumberLE)(bytes) & MAX_255B); | ||
| // Computes Elligator map for Ristretto | ||
| // https://ristretto.group/formulas/elligator.html | ||
| function calcElligatorRistrettoMap(r0) { | ||
| const { d } = ed25519.CURVE; | ||
| const P = ed25519.CURVE.Fp.ORDER; | ||
| const mod = ed25519.CURVE.Fp.create; | ||
| const { d } = exports.ed25519.CURVE; | ||
| const P = exports.ed25519.CURVE.Fp.ORDER; | ||
| const mod = exports.ed25519.CURVE.Fp.create; | ||
| const r = mod(SQRT_M1 * r0 * r0); // 1 | ||
@@ -252,3 +256,3 @@ const Ns = mod((r + _1n) * ONE_MINUS_D_SQ); // 2 | ||
| let s_ = mod(s * r0); // 6 | ||
| if (!isNegativeLE(s_, P)) | ||
| if (!(0, modular_js_1.isNegativeLE)(s_, P)) | ||
| s_ = mod(-s_); | ||
@@ -265,3 +269,3 @@ if (!Ns_D_is_sq) | ||
| const W3 = mod(_1n + s2); // 13 | ||
| return new ed25519.ExtendedPoint(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2)); | ||
| return new exports.ed25519.ExtendedPoint(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2)); | ||
| } | ||
@@ -275,3 +279,3 @@ /** | ||
| */ | ||
| export class RistrettoPoint { | ||
| class RistrettoPoint { | ||
| // Private property to discourage combining ExtendedPoint + RistrettoPoint | ||
@@ -283,3 +287,3 @@ // Always use Ristretto encoding/decoding instead. | ||
| static fromAffine(ap) { | ||
| return new RistrettoPoint(ed25519.ExtendedPoint.fromAffine(ap)); | ||
| return new RistrettoPoint(exports.ed25519.ExtendedPoint.fromAffine(ap)); | ||
| } | ||
@@ -294,3 +298,3 @@ /** | ||
| static hashToCurve(hex) { | ||
| hex = ensureBytes('ristrettoHash', hex, 64); | ||
| hex = (0, utils_js_1.ensureBytes)('ristrettoHash', hex, 64); | ||
| const r1 = bytes255ToNumberLE(hex.slice(0, 32)); | ||
@@ -308,6 +312,6 @@ const R1 = calcElligatorRistrettoMap(r1); | ||
| static fromHex(hex) { | ||
| hex = ensureBytes('ristrettoHex', hex, 32); | ||
| const { a, d } = ed25519.CURVE; | ||
| const P = ed25519.CURVE.Fp.ORDER; | ||
| const mod = ed25519.CURVE.Fp.create; | ||
| hex = (0, utils_js_1.ensureBytes)('ristrettoHex', hex, 32); | ||
| const { a, d } = exports.ed25519.CURVE; | ||
| const P = exports.ed25519.CURVE.Fp.ORDER; | ||
| const mod = exports.ed25519.CURVE.Fp.create; | ||
| const emsg = 'RistrettoPoint.fromHex: the hex is not valid encoding of RistrettoPoint'; | ||
@@ -317,3 +321,3 @@ const s = bytes255ToNumberLE(hex); | ||
| // 3. Check that s is non-negative, or else abort | ||
| if (!equalBytes(numberToBytesLE(s, 32), hex) || isNegativeLE(s, P)) | ||
| if (!(0, utils_js_1.equalBytes)((0, utils_js_1.numberToBytesLE)(s, 32), hex) || (0, modular_js_1.isNegativeLE)(s, P)) | ||
| throw new Error(emsg); | ||
@@ -330,9 +334,9 @@ const s2 = mod(s * s); | ||
| let x = mod((s + s) * Dx); // 10 | ||
| if (isNegativeLE(x, P)) | ||
| if ((0, modular_js_1.isNegativeLE)(x, P)) | ||
| x = mod(-x); // 10 | ||
| const y = mod(u1 * Dy); // 11 | ||
| const t = mod(x * y); // 12 | ||
| if (!isValid || isNegativeLE(t, P) || y === _0n) | ||
| if (!isValid || (0, modular_js_1.isNegativeLE)(t, P) || y === _0n) | ||
| throw new Error(emsg); | ||
| return new RistrettoPoint(new ed25519.ExtendedPoint(x, y, _1n, t)); | ||
| return new RistrettoPoint(new exports.ed25519.ExtendedPoint(x, y, _1n, t)); | ||
| } | ||
@@ -345,4 +349,4 @@ /** | ||
| let { ex: x, ey: y, ez: z, et: t } = this.ep; | ||
| const P = ed25519.CURVE.Fp.ORDER; | ||
| const mod = ed25519.CURVE.Fp.create; | ||
| const P = exports.ed25519.CURVE.Fp.ORDER; | ||
| const mod = exports.ed25519.CURVE.Fp.create; | ||
| const u1 = mod(mod(z + y) * mod(z - y)); // 1 | ||
@@ -357,3 +361,3 @@ const u2 = mod(x * y); // 2 | ||
| let D; // 7 | ||
| if (isNegativeLE(t * zInv, P)) { | ||
| if ((0, modular_js_1.isNegativeLE)(t * zInv, P)) { | ||
| let _x = mod(y * SQRT_M1); | ||
@@ -368,11 +372,11 @@ let _y = mod(x * SQRT_M1); | ||
| } | ||
| if (isNegativeLE(x * zInv, P)) | ||
| if ((0, modular_js_1.isNegativeLE)(x * zInv, P)) | ||
| y = mod(-y); // 9 | ||
| let s = mod((z - y) * D); // 10 (check footer's note, no sqrt(-a)) | ||
| if (isNegativeLE(s, P)) | ||
| if ((0, modular_js_1.isNegativeLE)(s, P)) | ||
| s = mod(-s); | ||
| return numberToBytesLE(s, 32); // 11 | ||
| return (0, utils_js_1.numberToBytesLE)(s, 32); // 11 | ||
| } | ||
| toHex() { | ||
| return bytesToHex(this.toRawBytes()); | ||
| return (0, utils_js_1.bytesToHex)(this.toRawBytes()); | ||
| } | ||
@@ -387,3 +391,3 @@ toString() { | ||
| const { ex: X2, ey: Y2 } = other.ep; | ||
| const mod = ed25519.CURVE.Fp.create; | ||
| const mod = exports.ed25519.CURVE.Fp.create; | ||
| // (x1 * y2 == y1 * x2) | (y1 * y2 == x1 * x2) | ||
@@ -409,13 +413,15 @@ const one = mod(X1 * Y2) === mod(Y1 * X2); | ||
| } | ||
| RistrettoPoint.BASE = new RistrettoPoint(ed25519.ExtendedPoint.BASE); | ||
| RistrettoPoint.ZERO = new RistrettoPoint(ed25519.ExtendedPoint.ZERO); | ||
| exports.RistrettoPoint = RistrettoPoint; | ||
| RistrettoPoint.BASE = new RistrettoPoint(exports.ed25519.ExtendedPoint.BASE); | ||
| RistrettoPoint.ZERO = new RistrettoPoint(exports.ed25519.ExtendedPoint.ZERO); | ||
| // https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/14/ | ||
| // Appendix B. Hashing to ristretto255 | ||
| export const hash_to_ristretto255 = (msg, options) => { | ||
| const hash_to_ristretto255 = (msg, options) => { | ||
| const d = options.DST; | ||
| const DST = typeof d === 'string' ? utf8ToBytes(d) : d; | ||
| const uniform_bytes = htf.expand_message_xmd(msg, DST, 64, sha512); | ||
| const DST = typeof d === 'string' ? (0, utils_1.utf8ToBytes)(d) : d; | ||
| const uniform_bytes = htf.expand_message_xmd(msg, DST, 64, sha512_1.sha512); | ||
| const P = RistrettoPoint.hashToCurve(uniform_bytes); | ||
| return P; | ||
| }; | ||
| exports.hash_to_ristretto255 = hash_to_ristretto255; | ||
| //# sourceMappingURL=ed25519.js.map |
78
ed448.js
@@ -0,8 +1,11 @@ | ||
| "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.encodeToCurve = exports.hashToCurve = exports.x448 = exports.ed448ph = exports.ed448 = void 0; | ||
| /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */ | ||
| import { shake256 } from '@noble/hashes/sha3'; | ||
| import { concatBytes, randomBytes, utf8ToBytes, wrapConstructor } from '@noble/hashes/utils'; | ||
| import { twistedEdwards } from './abstract/edwards.js'; | ||
| import { mod, pow2, Fp as Field } from './abstract/modular.js'; | ||
| import { montgomery } from './abstract/montgomery.js'; | ||
| import * as htf from './abstract/hash-to-curve.js'; | ||
| const sha3_1 = require("@noble/hashes/sha3"); | ||
| const utils_1 = require("@noble/hashes/utils"); | ||
| const edwards_js_1 = require("./abstract/edwards.js"); | ||
| const modular_js_1 = require("./abstract/modular.js"); | ||
| const montgomery_js_1 = require("./abstract/montgomery.js"); | ||
| const htf = require("./abstract/hash-to-curve.js"); | ||
| /** | ||
@@ -13,4 +16,4 @@ * Edwards448 (not Ed448-Goldilocks) curve with following addons: | ||
| */ | ||
| const shake256_114 = wrapConstructor(() => shake256.create({ dkLen: 114 })); | ||
| const shake256_64 = wrapConstructor(() => shake256.create({ dkLen: 64 })); | ||
| const shake256_114 = (0, utils_1.wrapConstructor)(() => sha3_1.shake256.create({ dkLen: 114 })); | ||
| const shake256_64 = (0, utils_1.wrapConstructor)(() => sha3_1.shake256.create({ dkLen: 64 })); | ||
| const ed448P = BigInt('726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018365439'); | ||
@@ -28,13 +31,13 @@ // powPminus3div4 calculates z = x^k mod p, where k = (p-3)/4. | ||
| const b3 = (b2 * b2 * x) % P; | ||
| const b6 = (pow2(b3, _3n, P) * b3) % P; | ||
| const b9 = (pow2(b6, _3n, P) * b3) % P; | ||
| const b11 = (pow2(b9, _2n, P) * b2) % P; | ||
| const b22 = (pow2(b11, _11n, P) * b11) % P; | ||
| const b44 = (pow2(b22, _22n, P) * b22) % P; | ||
| const b88 = (pow2(b44, _44n, P) * b44) % P; | ||
| const b176 = (pow2(b88, _88n, P) * b88) % P; | ||
| const b220 = (pow2(b176, _44n, P) * b44) % P; | ||
| const b222 = (pow2(b220, _2n, P) * b2) % P; | ||
| const b223 = (pow2(b222, _1n, P) * x) % P; | ||
| return (pow2(b223, _223n, P) * b222) % P; | ||
| const b6 = ((0, modular_js_1.pow2)(b3, _3n, P) * b3) % P; | ||
| const b9 = ((0, modular_js_1.pow2)(b6, _3n, P) * b3) % P; | ||
| const b11 = ((0, modular_js_1.pow2)(b9, _2n, P) * b2) % P; | ||
| const b22 = ((0, modular_js_1.pow2)(b11, _11n, P) * b11) % P; | ||
| const b44 = ((0, modular_js_1.pow2)(b22, _22n, P) * b22) % P; | ||
| const b88 = ((0, modular_js_1.pow2)(b44, _44n, P) * b44) % P; | ||
| const b176 = ((0, modular_js_1.pow2)(b88, _88n, P) * b88) % P; | ||
| const b220 = ((0, modular_js_1.pow2)(b176, _44n, P) * b44) % P; | ||
| const b222 = ((0, modular_js_1.pow2)(b220, _2n, P) * b2) % P; | ||
| const b223 = ((0, modular_js_1.pow2)(b222, _1n, P) * x) % P; | ||
| return ((0, modular_js_1.pow2)(b223, _223n, P) * b222) % P; | ||
| } | ||
@@ -51,3 +54,3 @@ function adjustScalarBytes(bytes) { | ||
| } | ||
| const Fp = Field(ed448P, 456, true); | ||
| const Fp = (0, modular_js_1.Fp)(ed448P, 456, true); | ||
| const ED448_DEF = { | ||
@@ -71,3 +74,3 @@ // Param: a | ||
| hash: shake256_114, | ||
| randomBytes, | ||
| randomBytes: utils_1.randomBytes, | ||
| adjustScalarBytes, | ||
@@ -78,3 +81,3 @@ // dom4 | ||
| throw new Error(`Context is too big: ${ctx.length}`); | ||
| return concatBytes(utf8ToBytes('SigEd448'), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data); | ||
| return (0, utils_1.concatBytes)((0, utils_1.utf8ToBytes)('SigEd448'), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data); | ||
| }, | ||
@@ -91,18 +94,18 @@ // Constant-time ratio of u to v. Allows to combine inversion and square root u/√v. | ||
| // x = (u/v)^((p+1)/4) = u³v(u⁵v³)^((p-3)/4) (mod p) | ||
| const u2v = mod(u * u * v, P); // u²v | ||
| const u3v = mod(u2v * u, P); // u³v | ||
| const u5v3 = mod(u3v * u2v * v, P); // u⁵v³ | ||
| const u2v = (0, modular_js_1.mod)(u * u * v, P); // u²v | ||
| const u3v = (0, modular_js_1.mod)(u2v * u, P); // u³v | ||
| const u5v3 = (0, modular_js_1.mod)(u3v * u2v * v, P); // u⁵v³ | ||
| const root = ed448_pow_Pminus3div4(u5v3); | ||
| const x = mod(u3v * root, P); | ||
| const x = (0, modular_js_1.mod)(u3v * root, P); | ||
| // Verify that root is exists | ||
| const x2 = mod(x * x, P); // x² | ||
| const x2 = (0, modular_js_1.mod)(x * x, P); // x² | ||
| // If vx² = u, the recovered x-coordinate is x. Otherwise, no | ||
| // square root exists, and the decoding fails. | ||
| return { isValid: mod(x2 * v, P) === u, value: x }; | ||
| return { isValid: (0, modular_js_1.mod)(x2 * v, P) === u, value: x }; | ||
| }, | ||
| }; | ||
| export const ed448 = twistedEdwards(ED448_DEF); | ||
| exports.ed448 = (0, edwards_js_1.twistedEdwards)(ED448_DEF); | ||
| // NOTE: there is no ed448ctx, since ed448 supports ctx by default | ||
| export const ed448ph = twistedEdwards({ ...ED448_DEF, preHash: shake256_64 }); | ||
| export const x448 = montgomery({ | ||
| exports.ed448ph = (0, edwards_js_1.twistedEdwards)({ ...ED448_DEF, preHash: shake256_64 }); | ||
| exports.x448 = (0, montgomery_js_1.montgomery)({ | ||
| a: BigInt(156326), | ||
@@ -116,7 +119,7 @@ montgomeryBits: 448, | ||
| const Pminus3div4 = ed448_pow_Pminus3div4(x); | ||
| const Pminus3 = pow2(Pminus3div4, BigInt(2), P); | ||
| return mod(Pminus3 * x, P); // Pminus3 * x = Pminus2 | ||
| const Pminus3 = (0, modular_js_1.pow2)(Pminus3div4, BigInt(2), P); | ||
| return (0, modular_js_1.mod)(Pminus3 * x, P); // Pminus3 * x = Pminus2 | ||
| }, | ||
| adjustScalarBytes, | ||
| randomBytes, | ||
| randomBytes: utils_1.randomBytes, | ||
| // The 4-isogeny maps between the Montgomery curve and this Edwards | ||
@@ -210,3 +213,3 @@ // curve are: | ||
| } | ||
| const { hashToCurve, encodeToCurve } = htf.createHasher(ed448.ExtendedPoint, (scalars) => map_to_curve_elligator2_edwards448(scalars[0]), { | ||
| const { hashToCurve, encodeToCurve } = htf.createHasher(exports.ed448.ExtendedPoint, (scalars) => map_to_curve_elligator2_edwards448(scalars[0]), { | ||
| DST: 'edwards448_XOF:SHAKE256_ELL2_RO_', | ||
@@ -218,5 +221,6 @@ encodeDST: 'edwards448_XOF:SHAKE256_ELL2_NU_', | ||
| expand: 'xof', | ||
| hash: shake256, | ||
| hash: sha3_1.shake256, | ||
| }); | ||
| export { hashToCurve, encodeToCurve }; | ||
| exports.hashToCurve = hashToCurve; | ||
| exports.encodeToCurve = encodeToCurve; | ||
| //# sourceMappingURL=ed448.js.map |
@@ -0,7 +1,10 @@ | ||
| "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.findGroupHash = exports.groupHash = exports.jubjub = void 0; | ||
| /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */ | ||
| import { sha512 } from '@noble/hashes/sha512'; | ||
| import { concatBytes, randomBytes, utf8ToBytes } from '@noble/hashes/utils'; | ||
| import { twistedEdwards } from './abstract/edwards.js'; | ||
| import { blake2s } from '@noble/hashes/blake2s'; | ||
| import { Fp } from './abstract/modular.js'; | ||
| const sha512_1 = require("@noble/hashes/sha512"); | ||
| const utils_1 = require("@noble/hashes/utils"); | ||
| const edwards_js_1 = require("./abstract/edwards.js"); | ||
| const blake2s_1 = require("@noble/hashes/blake2s"); | ||
| const modular_js_1 = require("./abstract/modular.js"); | ||
| /** | ||
@@ -12,3 +15,3 @@ * jubjub Twisted Edwards curve. | ||
| */ | ||
| export const jubjub = twistedEdwards({ | ||
| exports.jubjub = (0, edwards_js_1.twistedEdwards)({ | ||
| // Params: a, d | ||
@@ -19,3 +22,3 @@ a: BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000000'), | ||
| // Same value as bls12-381 Fr (not Fp) | ||
| Fp: Fp(BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001')), | ||
| Fp: (0, modular_js_1.Fp)(BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001')), | ||
| // Subgroup order: how many points curve has | ||
@@ -28,21 +31,22 @@ n: BigInt('0xe7db4ea6533afa906673b0101343b00a6682093ccc81082d0970e5ed6f72cb7'), | ||
| Gy: BigInt('0x1d523cf1ddab1a1793132e78c866c0c33e26ba5cc220fed7cc3f870e59d292aa'), | ||
| hash: sha512, | ||
| randomBytes, | ||
| hash: sha512_1.sha512, | ||
| randomBytes: utils_1.randomBytes, | ||
| }); | ||
| const GH_FIRST_BLOCK = utf8ToBytes('096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0'); | ||
| const GH_FIRST_BLOCK = (0, utils_1.utf8ToBytes)('096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0'); | ||
| // Returns point at JubJub curve which is prime order and not zero | ||
| export function groupHash(tag, personalization) { | ||
| const h = blake2s.create({ personalization, dkLen: 32 }); | ||
| function groupHash(tag, personalization) { | ||
| const h = blake2s_1.blake2s.create({ personalization, dkLen: 32 }); | ||
| h.update(GH_FIRST_BLOCK); | ||
| h.update(tag); | ||
| // NOTE: returns ExtendedPoint, in case it will be multiplied later | ||
| let p = jubjub.ExtendedPoint.fromHex(h.digest()); | ||
| let p = exports.jubjub.ExtendedPoint.fromHex(h.digest()); | ||
| // NOTE: cannot replace with isSmallOrder, returns Point*8 | ||
| p = p.multiply(jubjub.CURVE.h); | ||
| if (p.equals(jubjub.ExtendedPoint.ZERO)) | ||
| p = p.multiply(exports.jubjub.CURVE.h); | ||
| if (p.equals(exports.jubjub.ExtendedPoint.ZERO)) | ||
| throw new Error('Point has small order'); | ||
| return p; | ||
| } | ||
| export function findGroupHash(m, personalization) { | ||
| const tag = concatBytes(m, new Uint8Array([0])); | ||
| exports.groupHash = groupHash; | ||
| function findGroupHash(m, personalization) { | ||
| const tag = (0, utils_1.concatBytes)(m, new Uint8Array([0])); | ||
| for (let i = 0; i < 256; i++) { | ||
@@ -57,2 +61,3 @@ tag[tag.length - 1] = i; | ||
| } | ||
| exports.findGroupHash = findGroupHash; | ||
| //# sourceMappingURL=jubjub.js.map |
30
p256.js
@@ -0,14 +1,17 @@ | ||
| "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.encodeToCurve = exports.hashToCurve = exports.secp256r1 = exports.P256 = void 0; | ||
| /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */ | ||
| import { createCurve } from './_shortw_utils.js'; | ||
| import { sha256 } from '@noble/hashes/sha256'; | ||
| import { Fp as Field } from './abstract/modular.js'; | ||
| import { mapToCurveSimpleSWU } from './abstract/weierstrass.js'; | ||
| import * as htf from './abstract/hash-to-curve.js'; | ||
| const _shortw_utils_js_1 = require("./_shortw_utils.js"); | ||
| const sha256_1 = require("@noble/hashes/sha256"); | ||
| const modular_js_1 = require("./abstract/modular.js"); | ||
| const weierstrass_js_1 = require("./abstract/weierstrass.js"); | ||
| const htf = require("./abstract/hash-to-curve.js"); | ||
| // NIST secp256r1 aka P256 | ||
| // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-256 | ||
| // Field over which we'll do calculations; 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n | ||
| const Fp = Field(BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff')); | ||
| const Fp = (0, modular_js_1.Fp)(BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff')); | ||
| const CURVE_A = Fp.create(BigInt('-3')); | ||
| const CURVE_B = BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b'); | ||
| const mapSWU = mapToCurveSimpleSWU(Fp, { | ||
| const mapSWU = (0, weierstrass_js_1.mapToCurveSimpleSWU)(Fp, { | ||
| A: CURVE_A, | ||
@@ -18,3 +21,3 @@ B: CURVE_B, | ||
| }); | ||
| export const P256 = createCurve({ | ||
| exports.P256 = (0, _shortw_utils_js_1.createCurve)({ | ||
| // Params: a, b | ||
@@ -31,5 +34,5 @@ a: CURVE_A, | ||
| lowS: false, | ||
| }, sha256); | ||
| export const secp256r1 = P256; | ||
| const { hashToCurve, encodeToCurve } = htf.createHasher(secp256r1.ProjectivePoint, (scalars) => mapSWU(scalars[0]), { | ||
| }, sha256_1.sha256); | ||
| exports.secp256r1 = exports.P256; | ||
| const { hashToCurve, encodeToCurve } = htf.createHasher(exports.secp256r1.ProjectivePoint, (scalars) => mapSWU(scalars[0]), { | ||
| DST: 'P256_XMD:SHA-256_SSWU_RO_', | ||
@@ -41,5 +44,6 @@ encodeDST: 'P256_XMD:SHA-256_SSWU_NU_', | ||
| expand: 'xmd', | ||
| hash: sha256, | ||
| hash: sha256_1.sha256, | ||
| }); | ||
| export { hashToCurve, encodeToCurve }; | ||
| exports.hashToCurve = hashToCurve; | ||
| exports.encodeToCurve = encodeToCurve; | ||
| //# sourceMappingURL=p256.js.map |
30
p384.js
@@ -0,7 +1,10 @@ | ||
| "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.encodeToCurve = exports.hashToCurve = exports.secp384r1 = exports.P384 = void 0; | ||
| /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */ | ||
| import { createCurve } from './_shortw_utils.js'; | ||
| import { sha384 } from '@noble/hashes/sha512'; | ||
| import { Fp as Field } from './abstract/modular.js'; | ||
| import { mapToCurveSimpleSWU } from './abstract/weierstrass.js'; | ||
| import * as htf from './abstract/hash-to-curve.js'; | ||
| const _shortw_utils_js_1 = require("./_shortw_utils.js"); | ||
| const sha512_1 = require("@noble/hashes/sha512"); | ||
| const modular_js_1 = require("./abstract/modular.js"); | ||
| const weierstrass_js_1 = require("./abstract/weierstrass.js"); | ||
| const htf = require("./abstract/hash-to-curve.js"); | ||
| // NIST secp384r1 aka P384 | ||
@@ -12,7 +15,7 @@ // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-384 | ||
| const P = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff'); | ||
| const Fp = Field(P); | ||
| const Fp = (0, modular_js_1.Fp)(P); | ||
| const CURVE_A = Fp.create(BigInt('-3')); | ||
| // prettier-ignore | ||
| const CURVE_B = BigInt('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef'); | ||
| const mapSWU = mapToCurveSimpleSWU(Fp, { | ||
| const mapSWU = (0, weierstrass_js_1.mapToCurveSimpleSWU)(Fp, { | ||
| A: CURVE_A, | ||
@@ -23,3 +26,3 @@ B: CURVE_B, | ||
| // prettier-ignore | ||
| export const P384 = createCurve({ | ||
| exports.P384 = (0, _shortw_utils_js_1.createCurve)({ | ||
| // Params: a, b | ||
@@ -37,5 +40,5 @@ a: CURVE_A, | ||
| lowS: false, | ||
| }, sha384); | ||
| export const secp384r1 = P384; | ||
| const { hashToCurve, encodeToCurve } = htf.createHasher(secp384r1.ProjectivePoint, (scalars) => mapSWU(scalars[0]), { | ||
| }, sha512_1.sha384); | ||
| exports.secp384r1 = exports.P384; | ||
| const { hashToCurve, encodeToCurve } = htf.createHasher(exports.secp384r1.ProjectivePoint, (scalars) => mapSWU(scalars[0]), { | ||
| DST: 'P384_XMD:SHA-384_SSWU_RO_', | ||
@@ -47,5 +50,6 @@ encodeDST: 'P384_XMD:SHA-384_SSWU_NU_', | ||
| expand: 'xmd', | ||
| hash: sha384, | ||
| hash: sha512_1.sha384, | ||
| }); | ||
| export { hashToCurve, encodeToCurve }; | ||
| exports.hashToCurve = hashToCurve; | ||
| exports.encodeToCurve = encodeToCurve; | ||
| //# sourceMappingURL=p384.js.map |
30
p521.js
@@ -0,7 +1,10 @@ | ||
| "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.encodeToCurve = exports.hashToCurve = exports.secp521r1 = exports.P521 = void 0; | ||
| /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */ | ||
| import { createCurve } from './_shortw_utils.js'; | ||
| import { sha512 } from '@noble/hashes/sha512'; | ||
| import { Fp as Field } from './abstract/modular.js'; | ||
| import { mapToCurveSimpleSWU } from './abstract/weierstrass.js'; | ||
| import * as htf from './abstract/hash-to-curve.js'; | ||
| const _shortw_utils_js_1 = require("./_shortw_utils.js"); | ||
| const sha512_1 = require("@noble/hashes/sha512"); | ||
| const modular_js_1 = require("./abstract/modular.js"); | ||
| const weierstrass_js_1 = require("./abstract/weierstrass.js"); | ||
| const htf = require("./abstract/hash-to-curve.js"); | ||
| // NIST secp521r1 aka P521 | ||
@@ -13,7 +16,7 @@ // Note that it's 521, which differs from 512 of its hash function. | ||
| const P = BigInt('0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'); | ||
| const Fp = Field(P); | ||
| const Fp = (0, modular_js_1.Fp)(P); | ||
| const CURVE_A = Fp.create(BigInt('-3')); | ||
| // prettier-ignore | ||
| const CURVE_B = BigInt('0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00'); | ||
| const mapSWU = mapToCurveSimpleSWU(Fp, { | ||
| const mapSWU = (0, weierstrass_js_1.mapToCurveSimpleSWU)(Fp, { | ||
| A: CURVE_A, | ||
@@ -24,3 +27,3 @@ B: CURVE_B, | ||
| // prettier-ignore | ||
| export const P521 = createCurve({ | ||
| exports.P521 = (0, _shortw_utils_js_1.createCurve)({ | ||
| // Params: a, b | ||
@@ -38,5 +41,5 @@ a: CURVE_A, | ||
| allowedPrivateKeyLengths: [130, 131, 132] // P521 keys are variable-length. Normalize to 132b | ||
| }, sha512); | ||
| export const secp521r1 = P521; | ||
| const { hashToCurve, encodeToCurve } = htf.createHasher(secp521r1.ProjectivePoint, (scalars) => mapSWU(scalars[0]), { | ||
| }, sha512_1.sha512); | ||
| exports.secp521r1 = exports.P521; | ||
| const { hashToCurve, encodeToCurve } = htf.createHasher(exports.secp521r1.ProjectivePoint, (scalars) => mapSWU(scalars[0]), { | ||
| DST: 'P521_XMD:SHA-512_SSWU_RO_', | ||
@@ -48,5 +51,6 @@ encodeDST: 'P521_XMD:SHA-512_SSWU_NU_', | ||
| expand: 'xmd', | ||
| hash: sha512, | ||
| hash: sha512_1.sha512, | ||
| }); | ||
| export { hashToCurve, encodeToCurve }; | ||
| exports.hashToCurve = hashToCurve; | ||
| exports.encodeToCurve = encodeToCurve; | ||
| //# sourceMappingURL=p521.js.map |
| { | ||
| "name": "@noble/curves", | ||
| "version": "0.8.1", | ||
| "version": "0.8.2", | ||
| "description": "Minimal, auditable JS implementation of elliptic curve cryptography", | ||
@@ -5,0 +5,0 @@ "files": [ |
35
pasta.js
@@ -0,30 +1,33 @@ | ||
| "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.vesta = exports.pallas = exports.q = exports.p = void 0; | ||
| /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */ | ||
| import { sha256 } from '@noble/hashes/sha256'; | ||
| import { weierstrass } from './abstract/weierstrass.js'; | ||
| import { getHash } from './_shortw_utils.js'; | ||
| import * as mod from './abstract/modular.js'; | ||
| export const p = BigInt('0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001'); | ||
| export const q = BigInt('0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001'); | ||
| const sha256_1 = require("@noble/hashes/sha256"); | ||
| const weierstrass_js_1 = require("./abstract/weierstrass.js"); | ||
| const _shortw_utils_js_1 = require("./_shortw_utils.js"); | ||
| const mod = require("./abstract/modular.js"); | ||
| exports.p = BigInt('0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001'); | ||
| exports.q = BigInt('0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001'); | ||
| // https://neuromancer.sk/std/other/Pallas | ||
| export const pallas = weierstrass({ | ||
| exports.pallas = (0, weierstrass_js_1.weierstrass)({ | ||
| a: BigInt(0), | ||
| b: BigInt(5), | ||
| Fp: mod.Fp(p), | ||
| n: q, | ||
| Gx: mod.mod(BigInt(-1), p), | ||
| Fp: mod.Fp(exports.p), | ||
| n: exports.q, | ||
| Gx: mod.mod(BigInt(-1), exports.p), | ||
| Gy: BigInt(2), | ||
| h: BigInt(1), | ||
| ...getHash(sha256), | ||
| ...(0, _shortw_utils_js_1.getHash)(sha256_1.sha256), | ||
| }); | ||
| // https://neuromancer.sk/std/other/Vesta | ||
| export const vesta = weierstrass({ | ||
| exports.vesta = (0, weierstrass_js_1.weierstrass)({ | ||
| a: BigInt(0), | ||
| b: BigInt(5), | ||
| Fp: mod.Fp(q), | ||
| n: p, | ||
| Gx: mod.mod(BigInt(-1), q), | ||
| Fp: mod.Fp(exports.q), | ||
| n: exports.p, | ||
| Gx: mod.mod(BigInt(-1), exports.q), | ||
| Gy: BigInt(2), | ||
| h: BigInt(1), | ||
| ...getHash(sha256), | ||
| ...(0, _shortw_utils_js_1.getHash)(sha256_1.sha256), | ||
| }); | ||
| //# sourceMappingURL=pasta.js.map |
110
secp256k1.js
@@ -0,9 +1,13 @@ | ||
| "use strict"; | ||
| var _a; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.encodeToCurve = exports.hashToCurve = exports.schnorr = exports.secp256k1 = void 0; | ||
| /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */ | ||
| import { sha256 } from '@noble/hashes/sha256'; | ||
| import { randomBytes } from '@noble/hashes/utils'; | ||
| import { Fp as Field, mod, pow2 } from './abstract/modular.js'; | ||
| import { mapToCurveSimpleSWU } from './abstract/weierstrass.js'; | ||
| import { bytesToNumberBE, concatBytes, ensureBytes, numberToBytesBE } from './abstract/utils.js'; | ||
| import * as htf from './abstract/hash-to-curve.js'; | ||
| import { createCurve } from './_shortw_utils.js'; | ||
| const sha256_1 = require("@noble/hashes/sha256"); | ||
| const utils_1 = require("@noble/hashes/utils"); | ||
| const modular_js_1 = require("./abstract/modular.js"); | ||
| const weierstrass_js_1 = require("./abstract/weierstrass.js"); | ||
| const utils_js_1 = require("./abstract/utils.js"); | ||
| const htf = require("./abstract/hash-to-curve.js"); | ||
| const _shortw_utils_js_1 = require("./_shortw_utils.js"); | ||
| const secp256k1P = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f'); | ||
@@ -26,14 +30,14 @@ const secp256k1N = BigInt('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141'); | ||
| const b3 = (b2 * b2 * y) % P; // x^7 | ||
| const b6 = (pow2(b3, _3n, P) * b3) % P; | ||
| const b9 = (pow2(b6, _3n, P) * b3) % P; | ||
| const b11 = (pow2(b9, _2n, P) * b2) % P; | ||
| const b22 = (pow2(b11, _11n, P) * b11) % P; | ||
| const b44 = (pow2(b22, _22n, P) * b22) % P; | ||
| const b88 = (pow2(b44, _44n, P) * b44) % P; | ||
| const b176 = (pow2(b88, _88n, P) * b88) % P; | ||
| const b220 = (pow2(b176, _44n, P) * b44) % P; | ||
| const b223 = (pow2(b220, _3n, P) * b3) % P; | ||
| const t1 = (pow2(b223, _23n, P) * b22) % P; | ||
| const t2 = (pow2(t1, _6n, P) * b2) % P; | ||
| const root = pow2(t2, _2n, P); | ||
| const b6 = ((0, modular_js_1.pow2)(b3, _3n, P) * b3) % P; | ||
| const b9 = ((0, modular_js_1.pow2)(b6, _3n, P) * b3) % P; | ||
| const b11 = ((0, modular_js_1.pow2)(b9, _2n, P) * b2) % P; | ||
| const b22 = ((0, modular_js_1.pow2)(b11, _11n, P) * b11) % P; | ||
| const b44 = ((0, modular_js_1.pow2)(b22, _22n, P) * b22) % P; | ||
| const b88 = ((0, modular_js_1.pow2)(b44, _44n, P) * b44) % P; | ||
| const b176 = ((0, modular_js_1.pow2)(b88, _88n, P) * b88) % P; | ||
| const b220 = ((0, modular_js_1.pow2)(b176, _44n, P) * b44) % P; | ||
| const b223 = ((0, modular_js_1.pow2)(b220, _3n, P) * b3) % P; | ||
| const t1 = ((0, modular_js_1.pow2)(b223, _23n, P) * b22) % P; | ||
| const t2 = ((0, modular_js_1.pow2)(t1, _6n, P) * b2) % P; | ||
| const root = (0, modular_js_1.pow2)(t2, _2n, P); | ||
| if (!Fp.eql(Fp.sqr(root), y)) | ||
@@ -43,4 +47,4 @@ throw new Error('Cannot find square root'); | ||
| } | ||
| const Fp = Field(secp256k1P, undefined, undefined, { sqrt: sqrtMod }); | ||
| export const secp256k1 = createCurve({ | ||
| const Fp = (0, modular_js_1.Fp)(secp256k1P, undefined, undefined, { sqrt: sqrtMod }); | ||
| exports.secp256k1 = (0, _shortw_utils_js_1.createCurve)({ | ||
| a: BigInt(0), | ||
@@ -72,4 +76,4 @@ b: BigInt(7), | ||
| const c2 = divNearest(-b1 * k, n); | ||
| let k1 = mod(k - c1 * a1 - c2 * a2, n); | ||
| let k2 = mod(-c1 * b1 - c2 * b2, n); | ||
| let k1 = (0, modular_js_1.mod)(k - c1 * a1 - c2 * a2, n); | ||
| let k2 = (0, modular_js_1.mod)(-c1 * b1 - c2 * b2, n); | ||
| const k1neg = k1 > POW_2_128; | ||
@@ -87,3 +91,3 @@ const k2neg = k2 > POW_2_128; | ||
| }, | ||
| }, sha256); | ||
| }, sha256_1.sha256); | ||
| // Schnorr signatures are superior to ECDSA from above. Below is Schnorr-specific BIP0340 code. | ||
@@ -99,18 +103,18 @@ // https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki | ||
| if (tagP === undefined) { | ||
| const tagH = sha256(Uint8Array.from(tag, (c) => c.charCodeAt(0))); | ||
| tagP = concatBytes(tagH, tagH); | ||
| const tagH = (0, sha256_1.sha256)(Uint8Array.from(tag, (c) => c.charCodeAt(0))); | ||
| tagP = (0, utils_js_1.concatBytes)(tagH, tagH); | ||
| TAGGED_HASH_PREFIXES[tag] = tagP; | ||
| } | ||
| return sha256(concatBytes(tagP, ...messages)); | ||
| return (0, sha256_1.sha256)((0, utils_js_1.concatBytes)(tagP, ...messages)); | ||
| } | ||
| // ECDSA compact points are 33-byte. Schnorr is 32: we strip first byte 0x02 or 0x03 | ||
| const pointToBytes = (point) => point.toRawBytes(true).slice(1); | ||
| const numTo32b = (n) => numberToBytesBE(n, 32); | ||
| const modP = (x) => mod(x, secp256k1P); | ||
| const modN = (x) => mod(x, secp256k1N); | ||
| const Point = secp256k1.ProjectivePoint; | ||
| const numTo32b = (n) => (0, utils_js_1.numberToBytesBE)(n, 32); | ||
| const modP = (x) => (0, modular_js_1.mod)(x, secp256k1P); | ||
| const modN = (x) => (0, modular_js_1.mod)(x, secp256k1N); | ||
| const Point = exports.secp256k1.ProjectivePoint; | ||
| const GmulAdd = (Q, a, b) => Point.BASE.multiplyAndAddUnsafe(Q, a, b); | ||
| // Calculate point, scalar and bytes | ||
| function schnorrGetExtPubKey(priv) { | ||
| let d_ = secp256k1.utils.normPrivateKeyToScalar(priv); // same method executed in fromPrivateKey | ||
| let d_ = exports.secp256k1.utils.normPrivateKeyToScalar(priv); // same method executed in fromPrivateKey | ||
| let p = Point.fromPrivateKey(d_); // P = d'⋅G; 0 < d' < n check is done inside | ||
@@ -140,3 +144,3 @@ const scalar = p.hasEvenY() ? d_ : modN(-d_); | ||
| function challenge(...args) { | ||
| return modN(bytesToNumberBE(taggedHash('BIP0340/challenge', ...args))); | ||
| return modN((0, utils_js_1.bytesToNumberBE)(taggedHash('BIP0340/challenge', ...args))); | ||
| } | ||
@@ -153,9 +157,9 @@ /** | ||
| */ | ||
| function schnorrSign(message, privateKey, auxRand = randomBytes(32)) { | ||
| const m = ensureBytes('message', message); | ||
| function schnorrSign(message, privateKey, auxRand = (0, utils_1.randomBytes)(32)) { | ||
| const m = (0, utils_js_1.ensureBytes)('message', message); | ||
| const { bytes: px, scalar: d } = schnorrGetExtPubKey(privateKey); // checks for isWithinCurveOrder | ||
| const a = ensureBytes('auxRand', auxRand, 32); // Auxiliary random data a: a 32-byte array | ||
| const t = numTo32b(d ^ bytesToNumberBE(taggedHash('BIP0340/aux', a))); // Let t be the byte-wise xor of bytes(d) and hash/aux(a) | ||
| const a = (0, utils_js_1.ensureBytes)('auxRand', auxRand, 32); // Auxiliary random data a: a 32-byte array | ||
| const t = numTo32b(d ^ (0, utils_js_1.bytesToNumberBE)(taggedHash('BIP0340/aux', a))); // Let t be the byte-wise xor of bytes(d) and hash/aux(a) | ||
| const rand = taggedHash('BIP0340/nonce', t, px, m); // Let rand = hash/nonce(t || bytes(P) || m) | ||
| const k_ = modN(bytesToNumberBE(rand)); // Let k' = int(rand) mod n | ||
| const k_ = modN((0, utils_js_1.bytesToNumberBE)(rand)); // Let k' = int(rand) mod n | ||
| if (k_ === _0n) | ||
@@ -178,11 +182,11 @@ throw new Error('sign failed: k is zero'); // Fail if k' = 0. | ||
| function schnorrVerify(signature, message, publicKey) { | ||
| const sig = ensureBytes('signature', signature, 64); | ||
| const m = ensureBytes('message', message); | ||
| const pub = ensureBytes('publicKey', publicKey, 32); | ||
| const sig = (0, utils_js_1.ensureBytes)('signature', signature, 64); | ||
| const m = (0, utils_js_1.ensureBytes)('message', message); | ||
| const pub = (0, utils_js_1.ensureBytes)('publicKey', publicKey, 32); | ||
| try { | ||
| const P = lift_x(bytesToNumberBE(pub)); // P = lift_x(int(pk)); fail if that fails | ||
| const r = bytesToNumberBE(sig.subarray(0, 32)); // Let r = int(sig[0:32]); fail if r ≥ p. | ||
| const P = lift_x((0, utils_js_1.bytesToNumberBE)(pub)); // P = lift_x(int(pk)); fail if that fails | ||
| const r = (0, utils_js_1.bytesToNumberBE)(sig.subarray(0, 32)); // Let r = int(sig[0:32]); fail if r ≥ p. | ||
| if (!fe(r)) | ||
| return false; | ||
| const s = bytesToNumberBE(sig.subarray(32, 64)); // Let s = int(sig[32:64]); fail if s ≥ n. | ||
| const s = (0, utils_js_1.bytesToNumberBE)(sig.subarray(32, 64)); // Let s = int(sig[32:64]); fail if s ≥ n. | ||
| if (!ge(s)) | ||
@@ -200,3 +204,3 @@ return false; | ||
| } | ||
| export const schnorr = { | ||
| exports.schnorr = { | ||
| getPublicKey: schnorrGetPublicKey, | ||
@@ -206,9 +210,9 @@ sign: schnorrSign, | ||
| utils: { | ||
| randomPrivateKey: secp256k1.utils.randomPrivateKey, | ||
| randomPrivateKey: exports.secp256k1.utils.randomPrivateKey, | ||
| lift_x, | ||
| pointToBytes, | ||
| numberToBytesBE, | ||
| bytesToNumberBE, | ||
| numberToBytesBE: utils_js_1.numberToBytesBE, | ||
| bytesToNumberBE: utils_js_1.bytesToNumberBE, | ||
| taggedHash, | ||
| mod, | ||
| mod: modular_js_1.mod, | ||
| }, | ||
@@ -245,3 +249,3 @@ }; | ||
| ].map((i) => i.map((j) => BigInt(j)))); | ||
| const mapSWU = mapToCurveSimpleSWU(Fp, { | ||
| const mapSWU = (0, weierstrass_js_1.mapToCurveSimpleSWU)(Fp, { | ||
| A: BigInt('0x3f8731abdd661adca08a5558f0f5d272e953d363cb6f0e5d405447c01a444533'), | ||
@@ -251,3 +255,3 @@ B: BigInt('1771'), | ||
| }); | ||
| export const { hashToCurve, encodeToCurve } = htf.createHasher(secp256k1.ProjectivePoint, (scalars) => { | ||
| _a = htf.createHasher(exports.secp256k1.ProjectivePoint, (scalars) => { | ||
| const { x, y } = mapSWU(Fp.create(scalars[0])); | ||
@@ -262,4 +266,4 @@ return isoMap(x, y); | ||
| expand: 'xmd', | ||
| hash: sha256, | ||
| }); | ||
| hash: sha256_1.sha256, | ||
| }), exports.hashToCurve = _a.hashToCurve, exports.encodeToCurve = _a.encodeToCurve; | ||
| //# sourceMappingURL=secp256k1.js.map |
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by0.74%
1246205
- Lines of code
- increased by0.75%
17130
No dependency changes