noble-curves
Audited & minimal JS implementation of elliptic curve cryptography.
- 🔒 Audited by independent security firms
- 🔻 Tree-shakeable: unused code is excluded from your builds
- 🏎 Fast: hand-optimized for caveats of JS engines
- 🔍 Reliable: cross-library / wycheproof tests and fuzzing ensure correctness
- ➰ Short Weierstrass, Edwards, Montgomery curves
- ✍️ ECDSA, EdDSA, Schnorr, BLS, ECDH, hashing to curves, Poseidon ZK-friendly hash
- 🔖 SUF-CMA, SBS (non-repudiation), ZIP215 (consensus friendliness) features for ed25519 & ed448
- 🪶 93KB for everything with hashes, 26KB (11KB gzipped) for single-curve build
Take a glance at GitHub Discussions for questions and support.
This library belongs to noble cryptography
noble cryptography — high-security, easily auditable set of contained cryptographic libraries and tools.
Usage
npm install @noble/curves
We support all major platforms and runtimes.
For Deno, ensure to use npm specifier.
For React Native, you may need a polyfill for getRandomValues.
A standalone file noble-curves.js is also available.
import { secp256k1 } from '@noble/curves/secp256k1';
Implementations
Implementations use noble-hashes.
If you want to use a different hashing library, abstract API doesn't depend on them.
ECDSA signatures over secp256k1 and others
import { secp256k1 } from '@noble/curves/secp256k1';
const priv = secp256k1.utils.randomPrivateKey();
const pub = secp256k1.getPublicKey(priv);
const msg = new Uint8Array(32).fill(1);
const sig = secp256k1.sign(msg, priv);
const isValid = secp256k1.verify(sig, msg, pub) === true;
const privHex = '46c930bc7bb4db7f55da20798697421b98c4175a52c630294d75a84b9c126236';
const pub2 = secp256k1.getPublicKey(privHex);
The same code would work for NIST P256 (secp256r1), P384 (secp384r1) & P521 (secp521r1).
sig.recoverPublicKey(msg).toRawBytes();
const sigImprovedSecurity = secp256k1.sign(msg, priv, { extraEntropy: true });
ECDH: Elliptic Curve Diffie-Hellman
const someonesPub = secp256k1.getPublicKey(secp256k1.utils.randomPrivateKey());
const shared = secp256k1.getSharedSecret(priv, someonesPub);
Schnorr signatures over secp256k1 (BIP340)
import { schnorr } from '@noble/curves/secp256k1';
const priv = schnorr.utils.randomPrivateKey();
const pub = schnorr.getPublicKey(priv);
const msg = new TextEncoder().encode('hello');
const sig = schnorr.sign(msg, priv);
const isValid = schnorr.verify(sig, msg, pub);
ed25519, X25519, ristretto255
import { ed25519 } from '@noble/curves/ed25519';
const priv = ed25519.utils.randomPrivateKey();
const pub = ed25519.getPublicKey(priv);
const msg = new TextEncoder().encode('hello');
const sig = ed25519.sign(msg, priv);
ed25519.verify(sig, msg, pub);
ed25519.verify(sig, msg, pub, { zip215: false });
Default verify
behavior follows ZIP215 and
can be used in consensus-critical applications.
It has SUF-CMA (strong unforgeability under chosen message attacks).
zip215: false
option switches verification criteria to strict
RFC8032 / FIPS 186-5
and additionally provides non-repudiation with SBS.
X25519 follows RFC7748.
import { ed25519ctx, ed25519ph } from '@noble/curves/ed25519';
import { x25519 } from '@noble/curves/ed25519';
const priv = 'a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4';
const pub = 'e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c';
x25519.getSharedSecret(priv, pub) === x25519.scalarMult(priv, pub);
x25519.getPublicKey(priv) === x25519.scalarMultBase(priv);
x25519.getPublicKey(x25519.utils.randomPrivateKey());
import { edwardsToMontgomeryPub, edwardsToMontgomeryPriv } from '@noble/curves/ed25519';
edwardsToMontgomeryPub(ed25519.getPublicKey(ed25519.utils.randomPrivateKey()));
edwardsToMontgomeryPriv(ed25519.utils.randomPrivateKey());
ristretto255 follows irtf draft.
import { utf8ToBytes } from '@noble/hashes/utils';
import { sha512 } from '@noble/hashes/sha512';
import {
hashToCurve,
encodeToCurve,
RistrettoPoint,
hashToRistretto255,
} from '@noble/curves/ed25519';
const msg = utf8ToBytes('Ristretto is traditionally a short shot of espresso coffee');
hashToCurve(msg);
const rp = RistrettoPoint.fromHex(
'6a493210f7499cd17fecb510ae0cea23a110e8d5b901f8acadd3095c73a3b919'
);
RistrettoPoint.BASE.multiply(2n).add(rp).subtract(RistrettoPoint.BASE).toRawBytes();
RistrettoPoint.ZERO.equals(dp) === false;
RistrettoPoint.hashToCurve(sha512(msg));
hashToRistretto255(msg, { DST: 'ristretto255_XMD:SHA-512_R255MAP_RO_' });
ed448, X448, decaf448
import { ed448 } from '@noble/curves/ed448';
const priv = ed448.utils.randomPrivateKey();
const pub = ed448.getPublicKey(priv);
const msg = new TextEncoder().encode('whatsup');
const sig = ed448.sign(msg, priv);
ed448.verify(sig, msg, pub);
import { ed448ph } from '@noble/curves/ed448';
ECDH using Curve448 aka X448, follows RFC7748.
import { x448 } from '@noble/curves/ed448';
x448.getSharedSecret(priv, pub) === x448.scalarMult(priv, pub);
x448.getPublicKey(priv) === x448.scalarMultBase(priv);
import { edwardsToMontgomeryPub } from '@noble/curves/ed448';
edwardsToMontgomeryPub(ed448.getPublicKey(ed448.utils.randomPrivateKey()));
decaf448 follows irtf draft.
import { utf8ToBytes } from '@noble/hashes/utils';
import { shake256 } from '@noble/hashes/sha3';
import { hashToCurve, encodeToCurve, DecafPoint, hashToDecaf448 } from '@noble/curves/ed448';
const msg = utf8ToBytes('Ristretto is traditionally a short shot of espresso coffee');
hashToCurve(msg);
const dp = DecafPoint.fromHex(
'c898eb4f87f97c564c6fd61fc7e49689314a1f818ec85eeb3bd5514ac816d38778f69ef347a89fca817e66defdedce178c7cc709b2116e75'
);
DecafPoint.BASE.multiply(2n).add(dp).subtract(DecafPoint.BASE).toRawBytes();
DecafPoint.ZERO.equals(dp) === false;
DecafPoint.hashToCurve(shake256(msg, { dkLen: 112 }));
hashToDecaf448(msg, { DST: 'decaf448_XOF:SHAKE256_D448MAP_RO_' });
Same RFC7748 / RFC8032 / IRTF draft are followed.
bls12-381
import { bls12_381 as bls } from '@noble/curves/bls12-381';
const privateKey = '67d53f170b908cabb9eb326c3c337762d59289a8fec79f7bc9254b584b73265c';
const message = '64726e3da8';
const publicKey = bls.getPublicKey(privateKey);
const signature = bls.sign(message, privateKey);
const isValid = bls.verify(signature, message, publicKey);
console.log({ publicKey, signature, isValid });
const htfEthereum = { DST: 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_' };
const signatureEth = bls.sign(message, privateKey, htfEthereum);
const isValidEth = bls.verify(signature, message, publicKey, htfEthereum);
const aggregatedKey = bls.aggregatePublicKeys([bls.utils.randomPrivateKey(), bls.utils.randomPrivateKey()])
See abstract/bls.
For example usage, check out the implementation of BLS EVM precompiles.
bn254 aka alt_bn128
import { bn254 } from '@noble/curves/bn254';
console.log(
bn254.G1,
bn254.G2,
bn254.pairing
)
The API mirrors BLS. The curve was previously called alt_bn128.
The implementation is compatible with EIP-196 and
EIP-197.
Keep in mind that we don't implement Point methods toHex / toRawBytes. It's because
different implementations of bn254 do it differently - there is no standard. Points of divergence:
- Endianness: LE vs BE (byte-swapped)
- Flags as first hex bits (similar to BLS) vs no-flags
- Imaginary part last in G2 vs first (c0, c1 vs c1, c0)
For example usage, check out the implementation of bn254 EVM precompiles.
Multi-scalar-multiplication
import { secp256k1 } from '@noble/curves/secp256k1';
const p = secp256k1.ProjectivePoint;
const points = [p.BASE, p.BASE.multiply(2n), p.BASE.multiply(4n), p.BASE.multiply(8n)];
p.msm(points, [3n, 5n, 7n, 11n]).equals(p.BASE.multiply(129n));
Pippenger algorithm is used underneath.
Multi-scalar-multiplication (MSM) is basically (Pa + Qb + Rc + ...)
.
It's 10-30x faster vs naive addition for large amount of points.
All available imports
import { secp256k1, schnorr } from '@noble/curves/secp256k1';
import { ed25519, ed25519ph, ed25519ctx, x25519, RistrettoPoint } from '@noble/curves/ed25519';
import { ed448, ed448ph, ed448ctx, x448 } from '@noble/curves/ed448';
import { p256 } from '@noble/curves/p256';
import { p384 } from '@noble/curves/p384';
import { p521 } from '@noble/curves/p521';
import { pallas, vesta } from '@noble/curves/pasta';
import { bls12_381 } from '@noble/curves/bls12-381';
import { bn254 } from '@noble/curves/bn254';
import { jubjub } from '@noble/curves/jubjub';
import { bytesToHex, hexToBytes, concatBytes, utf8ToBytes } from '@noble/curves/abstract/utils';
Accessing a curve's variables
import { secp256k1 } from '@noble/curves/secp256k1';
console.log(secp256k1.CURVE.p);
console.log(secp256k1.CURVE.n);
console.log(secp256k1.CURVE.a, secp256k1.CURVE.b);
console.log(secp256k1.CURVE.Gx, secp256k1.CURVE.Gy);
Abstract API
Abstract API allows to define custom curves. All arithmetics is done with JS
bigints over finite fields, which is defined from modular
sub-module. For
scalar multiplication, we use
precomputed tables with w-ary non-adjacent form (wNAF).
Precomputes are enabled for weierstrass and edwards BASE points of a curve. You
could precompute any other point (e.g. for ECDH) using utils.precompute()
method: check out examples.
weierstrass: Short Weierstrass curve
import { weierstrass } from '@noble/curves/abstract/weierstrass';
import { Field } from '@noble/curves/abstract/modular';
import { sha256 } from '@noble/hashes/sha256';
import { hmac } from '@noble/hashes/hmac';
import { concatBytes, randomBytes } from '@noble/hashes/utils';
const hmacSha256 = (key: Uint8Array, ...msgs: Uint8Array[]) => hmac(sha256, key, concatBytes(...msgs));
const secq256k1 = weierstrass({
a: 0n,
b: 7n,
Fp: Field(2n ** 256n - 432420386565659656852420866394968145599n),
n: 2n ** 256n - 2n ** 32n - 2n ** 9n - 2n ** 8n - 2n ** 7n - 2n ** 6n - 2n ** 4n - 1n,
Gx: 55066263022277343669578718895168534326250603453777594175500187360389116729240n,
Gy: 32670510020758816978083085130507043184471273380659243275938904335757337482424n,
hash: sha256,
hmac: hmacSha256,
randomBytes,
});
const secp192r1 = weierstrass({
a: BigInt('0xfffffffffffffffffffffffffffffffefffffffffffffffc'),
b: BigInt('0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1'),
Fp: Field(BigInt('0xfffffffffffffffffffffffffffffffeffffffffffffffff')),
n: BigInt('0xffffffffffffffffffffffff99def836146bc9b1b4d22831'),
Gx: BigInt('0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012'),
Gy: BigInt('0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811'),
h: BigInt(1),
hash: sha256,
hmac: hmacSha256,
randomBytes,
});
Short Weierstrass curve's formula is y² = x³ + ax + b
. weierstrass
expects arguments a
, b
, field Fp
, curve order n
, cofactor h
and coordinates Gx
, Gy
of generator point.
k
generation is done deterministically, following
RFC6979. It is suggested to use extraEntropy
option, which incorporates randomness into signatures to increase their security.
For k generation, specifying hmac
& hash
is required,
which in our implementations is done by noble-hashes. If
you're using different hashing library, make sure to wrap it in the following interface:
type CHash = {
(message: Uint8Array): Uint8Array;
blockLen: number;
outputLen: number;
create(): any;
};
function sha256(message: Uint8Array) {
return _internal_lowlvl(message);
}
sha256.outputLen = 32;
Message hash is expected instead of message itself:
sign(msgHash, privKey)
is default behavior, assuming you pre-hash msg with sha2, or other hashsign(msg, privKey, {prehash: true})
option can be used if you want to pass the message itself
Weierstrass points:
- Exported as
ProjectivePoint
- Represented in projective (homogeneous) coordinates: (x, y, z) ∋ (x=x/z, y=y/z)
- Use complete exception-free formulas for addition and doubling
- Can be decoded/encoded from/to Uint8Array / hex strings using
ProjectivePoint.fromHex
and ProjectivePoint#toRawBytes()
- Have
assertValidity()
which checks for being on-curve - Have
toAffine()
and x
/ y
getters which convert to 2d xy affine coordinates
type SignOpts = { lowS?: boolean; prehash?: boolean; extraEntropy: boolean | Uint8Array };
type CurveFn = {
CURVE: ReturnType<typeof validateOpts>;
getPublicKey: (privateKey: PrivKey, isCompressed?: boolean) => Uint8Array;
getSharedSecret: (privateA: PrivKey, publicB: Hex, isCompressed?: boolean) => Uint8Array;
sign: (msgHash: Hex, privKey: PrivKey, opts?: SignOpts) => SignatureType;
verify: (
signature: Hex | SignatureType,
msgHash: Hex,
publicKey: Hex,
opts?: { lowS?: boolean; prehash?: boolean; format?: 'compact' | 'der' }
) => boolean;
ProjectivePoint: ProjectivePointConstructor;
Signature: SignatureConstructor;
utils: {
normPrivateKeyToScalar: (key: PrivKey) => bigint;
isValidPrivateKey(key: PrivKey): boolean;
randomPrivateKey: () => Uint8Array;
precompute: (windowSize?: number, point?: ProjPointType<bigint>) => ProjPointType<bigint>;
};
};
interface ProjPointType<T> extends Group<ProjPointType<T>> {
readonly px: T;
readonly py: T;
readonly pz: T;
get x(): bigint;
get y(): bigint;
multiply(scalar: bigint): ProjPointType<T>;
multiplyUnsafe(scalar: bigint): ProjPointType<T>;
multiplyAndAddUnsafe(Q: ProjPointType<T>, a: bigint, b: bigint): ProjPointType<T> | undefined;
toAffine(iz?: T): AffinePoint<T>;
isTorsionFree(): boolean;
clearCofactor(): ProjPointType<T>;
assertValidity(): void;
hasEvenY(): boolean;
toRawBytes(isCompressed?: boolean): Uint8Array;
toHex(isCompressed?: boolean): string;
}
interface ProjConstructor<T> extends GroupConstructor<ProjPointType<T>> {
new (x: T, y: T, z: T): ProjPointType<T>;
fromAffine(p: AffinePoint<T>): ProjPointType<T>;
fromHex(hex: Hex): ProjPointType<T>;
fromPrivateKey(privateKey: PrivKey): ProjPointType<T>;
msm(points: ProjPointType[], scalars: bigint[]): ProjPointType<T>;
}
ECDSA signatures are represented by Signature
instances and can be
described by the interface:
interface SignatureType {
readonly r: bigint;
readonly s: bigint;
readonly recovery?: number;
assertValidity(): void;
addRecoveryBit(recovery: number): SignatureType;
hasHighS(): boolean;
normalizeS(): SignatureType;
recoverPublicKey(msgHash: Hex): ProjPointType<bigint>;
toCompactRawBytes(): Uint8Array;
toCompactHex(): string;
toDERRawBytes(): Uint8Array;
toDERHex(): string;
}
type SignatureConstructor = {
new (r: bigint, s: bigint): SignatureType;
fromCompact(hex: Hex): SignatureType;
fromDER(hex: Hex): SignatureType;
};
More examples:
const priv = secq256k1.utils.randomPrivateKey();
secq256k1.getPublicKey(priv);
const sig = secq256k1.sign(msg, priv);
const sig2 = secq256k1.sign(msg, priv, { prehash: true });
secq256k1.verify(sig, msg, priv);
secq256k1.verify(sig.toCompactHex(), msg, priv, { format: 'compact' });
const Point = secq256k1.ProjectivePoint;
const point = Point.BASE;
point.add(point).equals(point.double());
point.subtract(point).equals(Point.ZERO);
point.negate();
point.multiply(31415n);
point.assertValidity();
point.toAffine();
secq256k1.CURVE.n;
secq256k1.CURVE.p;
secq256k1.CURVE.Fp.mod();
secq256k1.CURVE.hash();
const fast = secq256k1.utils.precompute(8, Point.fromHex(someonesPubKey));
fast.multiply(privKey);
edwards: Twisted Edwards curve
import { twistedEdwards } from '@noble/curves/abstract/edwards';
import { Field } from '@noble/curves/abstract/modular';
import { sha512 } from '@noble/hashes/sha512';
import { randomBytes } from '@noble/hashes/utils';
const Fp = Field(2n ** 255n - 19n);
const ed25519 = twistedEdwards({
a: Fp.create(-1n),
d: Fp.div(-121665n, 121666n),
Fp: Fp,
n: 2n ** 252n + 27742317777372353535851937790883648493n,
h: 8n,
Gx: 15112221349535400772501151409588531511454012693041857206046113283949847762202n,
Gy: 46316835694926478169428394003475163141307993866256225615783033603165251855960n,
hash: sha512,
randomBytes,
adjustScalarBytes(bytes) {
bytes[0] &= 248;
bytes[31] &= 127;
bytes[31] |= 64;
return bytes;
},
} as const);
Twisted Edwards curve's formula is ax² + y² = 1 + dx²y²
. You must specify a
, d
, field Fp
, order n
, cofactor h
and coordinates Gx
, Gy
of generator point.
For EdDSA signatures, hash
param required. adjustScalarBytes
which instructs how to change private scalars could be specified.
We support non-repudiation, which help in following scenarios:
- Contract Signing: if A signed an agreement with B using key that allows repudiation, it can later claim that it signed a different contract
- E-voting: malicious voters may pick keys that allow repudiation in order to deny results
- Blockchains: transaction of amount X might also be valid for a different amount Y
Edwards points:
- Exported as
ExtendedPoint
- Represented in extended coordinates: (x, y, z, t) ∋ (x=x/z, y=y/z)
- Use complete exception-free formulas for addition and doubling
- Can be decoded/encoded from/to Uint8Array / hex strings using
ExtendedPoint.fromHex
and ExtendedPoint#toRawBytes()
- Have
assertValidity()
which checks for being on-curve - Have
toAffine()
and x
/ y
getters which convert to 2d xy affine coordinates - Have
isTorsionFree()
, clearCofactor()
and isSmallOrder()
utilities to handle torsions
type CurveFn = {
CURVE: ReturnType<typeof validateOpts>;
getPublicKey: (privateKey: Hex) => Uint8Array;
sign: (message: Hex, privateKey: Hex, context?: Hex) => Uint8Array;
verify: (sig: SigType, message: Hex, publicKey: Hex, context?: Hex) => boolean;
ExtendedPoint: ExtPointConstructor;
utils: {
randomPrivateKey: () => Uint8Array;
getExtendedPublicKey: (key: PrivKey) => {
head: Uint8Array;
prefix: Uint8Array;
scalar: bigint;
point: PointType;
pointBytes: Uint8Array;
};
};
};
interface ExtPointType extends Group<ExtPointType> {
readonly ex: bigint;
readonly ey: bigint;
readonly ez: bigint;
readonly et: bigint;
get x(): bigint;
get y(): bigint;
assertValidity(): void;
multiply(scalar: bigint): ExtPointType;
multiplyUnsafe(scalar: bigint): ExtPointType;
isSmallOrder(): boolean;
isTorsionFree(): boolean;
clearCofactor(): ExtPointType;
toAffine(iz?: bigint): AffinePoint<bigint>;
toRawBytes(isCompressed?: boolean): Uint8Array;
toHex(isCompressed?: boolean): string;
}
interface ExtPointConstructor extends GroupConstructor<ExtPointType> {
new (x: bigint, y: bigint, z: bigint, t: bigint): ExtPointType;
fromAffine(p: AffinePoint<bigint>): ExtPointType;
fromHex(hex: Hex): ExtPointType;
fromPrivateKey(privateKey: Hex): ExtPointType;
msm(points: ExtPointType[], scalars: bigint[]): ExtPointType;
}
montgomery: Montgomery curve
import { montgomery } from '@noble/curves/abstract/montgomery';
import { Field } from '@noble/curves/abstract/modular';
const x25519 = montgomery({
a: 486662n,
Gu: 9n,
P: 2n ** 255n - 19n,
montgomeryBits: 255,
nByteLength: 32,
adjustScalarBytes(bytes) {
bytes[0] &= 248;
bytes[31] &= 127;
bytes[31] |= 64;
return bytes;
},
});
The module contains methods for x-only ECDH on Curve25519 / Curve448 from RFC7748.
Proper Elliptic Curve Points are not implemented yet.
You must specify curve params Fp
, a
, Gu
coordinate of u, montgomeryBits
and nByteLength
.
bls: Barreto-Lynn-Scott curves
The module abstracts BLS (Barreto-Lynn-Scott) pairing-friendly elliptic curve construction.
They allow to construct zk-SNARKs and
use aggregated, batch-verifiable
threshold signatures,
using Boneh-Lynn-Shacham signature scheme.
The module doesn't expose CURVE
property: use G1.CURVE
, G2.CURVE
instead.
Only BLS12-381 is currently implemented.
Defining BLS12-377 and BLS24 should be straightforward.
The default BLS uses short public keys (with public keys in G1 and signatures in G2).
Short signatures (public keys in G2 and signatures in G1) are also supported.
hash-to-curve: Hashing strings to curve points
The module allows to hash arbitrary strings to elliptic curve points. Implements RFC 9380.
Every curve has exported hashToCurve
and encodeToCurve
methods. You should always prefer hashToCurve
for security:
import { hashToCurve, encodeToCurve } from '@noble/curves/secp256k1';
import { randomBytes } from '@noble/hashes/utils';
hashToCurve('0102abcd');
console.log(hashToCurve(randomBytes()));
console.log(encodeToCurve(randomBytes()));
import { bls12_381 } from '@noble/curves/bls12-381';
bls12_381.G1.hashToCurve(randomBytes(), { DST: 'another' });
bls12_381.G2.hashToCurve(randomBytes(), { DST: 'custom' });
Low-level methods from the spec:
function expand_message_xmd(
msg: Uint8Array,
DST: Uint8Array,
lenInBytes: number,
H: CHash
): Uint8Array;
function expand_message_xof(
msg: Uint8Array,
DST: Uint8Array,
lenInBytes: number,
k: number,
H: CHash
): Uint8Array;
function hash_to_field(msg: Uint8Array, count: number, options: Opts): bigint[][];
type UnicodeOrBytes = string | Uint8Array;
type Opts = {
DST: UnicodeOrBytes;
p: bigint;
m: number;
k: number;
expand?: 'xmd' | 'xof';
hash: CHash;
};
poseidon: Poseidon hash
Implements Poseidon ZK-friendly hash.
There are many poseidon variants with different constants.
We don't provide them: you should construct them manually.
Check out micro-starknet package for a proper example.
import { poseidon } from '@noble/curves/abstract/poseidon';
type PoseidonOpts = {
Fp: Field<bigint>;
t: number;
roundsFull: number;
roundsPartial: number;
sboxPower?: number;
reversePartialPowIdx?: boolean;
mds: bigint[][];
roundConstants: bigint[][];
};
const instance = poseidon(opts: PoseidonOpts);
modular: Modular arithmetics utilities
import * as mod from '@noble/curves/abstract/modular';
const fp = mod.Field(2n ** 255n - 19n);
fp.mul(591n, 932n);
fp.pow(481n, 11024858120n);
fp.div(5n, 17n);
fp.inv(5n);
fp.sqrt(21n);
mod.mod(21n, 10n);
mod.invert(17n, 10n);
mod.invertBatch([1n, 2n, 4n], 21n);
Field operations are not constant-time: they are using JS bigints, see security.
The fact is mostly irrelevant, but the important method to keep in mind is pow
,
which may leak exponent bits, when used naïvely.
mod.Field
is always field over prime number. Non-prime fields aren't supported for now.
We don't test for prime-ness for speed and because algorithms are probabilistic anyway.
Initializing a non-prime field could make your app suspectible to
DoS (infilite loop) on Tonelli-Shanks square root calculation.
Unlike mod.inv
, mod.invertBatch
won't throw on 0
: make sure to throw an error yourself.
Creating private keys from hashes
You can't simply make a 32-byte private key from a 32-byte hash.
Doing so will make the key biased.
To make the bias negligible, we follow FIPS 186-5 A.2
and RFC 9380.
This means, for 32-byte key, we would need 48-byte hash to get 2^-128 bias, which matches curve security level.
hashToPrivateScalar()
that hashes to private key was created for this purpose.
Use abstract/hash-to-curve
if you need to hash to public key.
import { p256 } from '@noble/curves/p256';
import { sha256 } from '@noble/hashes/sha256';
import { hkdf } from '@noble/hashes/hkdf';
import * as mod from '@noble/curves/abstract/modular';
const someKey = new Uint8Array(32).fill(2);
const derived = hkdf(sha256, someKey, undefined, 'application', 48);
const validPrivateKey = mod.hashToPrivateScalar(derived, p256.CURVE.n);
utils: Useful utilities
import * as utils from '@noble/curves/abstract/utils';
utils.bytesToHex(Uint8Array.from([0xde, 0xad, 0xbe, 0xef]));
utils.hexToBytes('deadbeef');
utils.numberToHexUnpadded(123n);
utils.hexToNumber();
utils.bytesToNumberBE(Uint8Array.from([0xde, 0xad, 0xbe, 0xef]));
utils.bytesToNumberLE(Uint8Array.from([0xde, 0xad, 0xbe, 0xef]));
utils.numberToBytesBE(123n, 32);
utils.numberToBytesLE(123n, 64);
utils.concatBytes(Uint8Array.from([0xde, 0xad]), Uint8Array.from([0xbe, 0xef]));
utils.nLength(255n);
utils.equalBytes(Uint8Array.from([0xde]), Uint8Array.from([0xde]));
Security
The library has been independently audited:
- at version 1.6.0, in Sep 2024, by Cure53
- PDFs: website, in-repo
- Changes since audit
- Scope: ed25519, ed448, their add-ons, bls12-381, bn254,
hash-to-curve, low-level primitives bls, tower, edwards, montgomery.
- The audit has been funded by OpenSats
- at version 1.2.0, in Sep 2023, by Kudelski Security
- at version 0.7.3, in Feb 2023, by Trail of Bits
- PDFs: website,
in-repo
- Changes since audit
- Scope: abstract modules
curve
, hash-to-curve
, modular
, poseidon
, utils
, weierstrass
and
top-level modules _shortw_utils
and secp256k1
- The audit has been funded by Ryan Shea
It is tested against property-based, cross-library and Wycheproof vectors,
and has fuzzing by Guido Vranken's cryptofuzz.
If you see anything unusual: investigate and report.
Constant-timeness
JIT-compiler and Garbage Collector make "constant time" extremely hard to
achieve timing attack resistance
in a scripting language. Which means any other JS library can't have
constant-timeness. Even statically typed Rust, a language without GC,
makes it harder to achieve constant-time
for some cases. If your goal is absolute security, don't use any JS lib — including bindings to native ones.
Use low-level libraries & languages. Nonetheless we're targetting algorithmic constant time.
Supply chain security
- Commits are signed with PGP keys, to prevent forgery. Make sure to verify commit signatures.
- Releases are transparent and built on GitHub CI. Make sure to verify provenance logs
- Rare releasing is followed to ensure less re-audit need for end-users
- Dependencies are minimized and locked-down:
- If your app has 500 dependencies, any dep could get hacked and you'll be downloading
malware with every install. We make sure to use as few dependencies as possible
- We prevent automatic dependency updates by locking-down version ranges. Every update is checked with
npm-diff
- One dependency noble-hashes is used, by the same author, to provide hashing functionality
- Dev Dependencies are only used if you want to contribute to the repo. They are disabled for end-users:
- scure-base, scure-bip32, scure-bip39, micro-bmark and micro-should are developed by the same author and follow identical security practices
- prettier (linter), fast-check (property-based testing) and typescript are used for code quality, vector generation and ts compilation. The packages are big, which makes it hard to audit their source code thoroughly and fully
Randomness
We're deferring to built-in
crypto.getRandomValues
which is considered cryptographically secure (CSPRNG).
In the past, browsers had bugs that made it weak: it may happen again.
Implementing a userspace CSPRNG to get resilient to the weakness
is even worse: there is no reliable userspace source of quality entropy.
Speed
Benchmark results on Apple M2 with node v22:
secp256k1
init x 68 ops/sec @ 14ms/op
getPublicKey x 6,839 ops/sec @ 146μs/op
sign x 5,226 ops/sec @ 191μs/op
verify x 893 ops/sec @ 1ms/op
getSharedSecret x 538 ops/sec @ 1ms/op
recoverPublicKey x 923 ops/sec @ 1ms/op
schnorr.sign x 700 ops/sec @ 1ms/op
schnorr.verify x 919 ops/sec @ 1ms/op
ed25519
init x 51 ops/sec @ 19ms/op
getPublicKey x 9,809 ops/sec @ 101μs/op
sign x 4,976 ops/sec @ 200μs/op
verify x 1,018 ops/sec @ 981μs/op
ed448
init x 19 ops/sec @ 50ms/op
getPublicKey x 3,723 ops/sec @ 268μs/op
sign x 1,759 ops/sec @ 568μs/op
verify x 344 ops/sec @ 2ms/op
p256
init x 39 ops/sec @ 25ms/op
getPublicKey x 6,518 ops/sec @ 153μs/op
sign x 5,148 ops/sec @ 194μs/op
verify x 609 ops/sec @ 1ms/op
p384
init x 17 ops/sec @ 57ms/op
getPublicKey x 2,933 ops/sec @ 340μs/op
sign x 2,327 ops/sec @ 429μs/op
verify x 244 ops/sec @ 4ms/op
p521
init x 8 ops/sec @ 112ms/op
getPublicKey x 1,484 ops/sec @ 673μs/op
sign x 1,264 ops/sec @ 790μs/op
verify x 124 ops/sec @ 8ms/op
ristretto255
add x 680,735 ops/sec @ 1μs/op
multiply x 10,766 ops/sec @ 92μs/op
encode x 15,835 ops/sec @ 63μs/op
decode x 15,972 ops/sec @ 62μs/op
decaf448
add x 345,303 ops/sec @ 2μs/op
multiply x 300 ops/sec @ 3ms/op
encode x 5,987 ops/sec @ 167μs/op
decode x 5,892 ops/sec @ 169μs/op
ecdh
├─x25519 x 1,477 ops/sec @ 676μs/op
├─secp256k1 x 537 ops/sec @ 1ms/op
├─p256 x 512 ops/sec @ 1ms/op
├─p384 x 198 ops/sec @ 5ms/op
├─p521 x 99 ops/sec @ 10ms/op
└─x448 x 504 ops/sec @ 1ms/op
bls12-381
init x 36 ops/sec @ 27ms/op
getPublicKey x 960 ops/sec @ 1ms/op
sign x 60 ops/sec @ 16ms/op
verify x 47 ops/sec @ 21ms/op
pairing x 125 ops/sec @ 7ms/op
pairing10 x 40 ops/sec @ 24ms/op ± 23.27% (min: 21ms, max: 48ms)
MSM 4096 scalars x points x 0 ops/sec @ 4655ms/op
aggregatePublicKeys/8 x 129 ops/sec @ 7ms/op
aggregatePublicKeys/32 x 34 ops/sec @ 28ms/op
aggregatePublicKeys/128 x 8 ops/sec @ 113ms/op
aggregatePublicKeys/512 x 2 ops/sec @ 449ms/op
aggregatePublicKeys/2048 x 0 ops/sec @ 1792ms/op
aggregateSignatures/8 x 62 ops/sec @ 15ms/op
aggregateSignatures/32 x 16 ops/sec @ 60ms/op
aggregateSignatures/128 x 4 ops/sec @ 238ms/op
aggregateSignatures/512 x 1 ops/sec @ 946ms/op
aggregateSignatures/2048 x 0 ops/sec @ 3774ms/op
hash-to-curve
hash_to_field x 91,600 ops/sec @ 10μs/op
secp256k1 x 2,373 ops/sec @ 421μs/op
p256 x 4,310 ops/sec @ 231μs/op
p384 x 1,664 ops/sec @ 600μs/op
p521 x 807 ops/sec @ 1ms/op
ed25519 x 3,088 ops/sec @ 323μs/op
ed448 x 1,247 ops/sec @ 801μs/op
Upgrading
Previously, the library was split into single-feature packages
noble-secp256k1,
noble-ed25519 and
noble-bls12-381.
Curves continue their original work. The single-feature packages changed their
direction towards providing minimal 4kb implementations of cryptography,
which means they have less features.
Upgrading from noble-secp256k1 2.0 or noble-ed25519 2.0: no changes, libraries are compatible.
Upgrading from noble-secp256k1 1.7:
getPublicKey
- now produce 33-byte compressed signatures by default
- to use old behavior, which produced 65-byte uncompressed keys, set
argument
isCompressed
to false
: getPublicKey(priv, false)
sign
- is now sync
- now returns
Signature
instance with { r, s, recovery }
properties canonical
option was renamed to lowS
recovered
option has been removed because recovery bit is always returned nowder
option has been removed. There are 2 options:
- Use compact encoding:
fromCompact
, toCompactRawBytes
, toCompactHex
.
Compact encoding is simply a concatenation of 32-byte r and 32-byte s. - If you must use DER encoding, switch to noble-curves (see above).
verify
- is now sync
strict
option was renamed to lowS
getSharedSecret
- now produce 33-byte compressed signatures by default
- to use old behavior, which produced 65-byte uncompressed keys, set
argument
isCompressed
to false
: getSharedSecret(a, b, false)
recoverPublicKey(msg, sig, rec)
was changed to sig.recoverPublicKey(msg)
number
type for private keys have been removed: use bigint
insteadPoint
(2d xy) has been changed to ProjectivePoint
(3d xyz)utils
were split into utils
(same api as in noble-curves) and
etc
(hmacSha256Sync
and others)
Upgrading from @noble/ed25519 1.7:
- Methods are now sync by default
bigint
is no longer allowed in getPublicKey
, sign
, verify
. Reason: ed25519 is LE, can lead to bugsPoint
(2d xy) has been changed to ExtendedPoint
(xyzt)Signature
was removed: just use raw bytes or hex nowutils
were split into utils
(same api as in noble-curves) and
etc
(sha512Sync
and others)getSharedSecret
was moved to x25519
moduletoX25519
has been moved to edwardsToMontgomeryPub
and edwardsToMontgomeryPriv
methods
Upgrading from @noble/bls12-381:
- Methods and classes were renamed:
- PointG1 -> G1.Point, PointG2 -> G2.Point
- PointG2.fromSignature -> Signature.decode, PointG2.toSignature -> Signature.encode
- Fp2 ORDER was corrected
Contributing & testing
- Clone the repository
npm install
to install build dependencies like TypeScriptnpm run build
to compile TypeScript codenpm run test
will execute all main tests
Resources
Check out paulmillr.com/noble
for useful resources, articles, documentation and demos
related to the library.
License
The MIT License (MIT)
Copyright (c) 2022 Paul Miller (https://paulmillr.com)
See LICENSE file.