dataforge/unibus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor: split web frontend + gateway out to uniweb app (bump 0.13.0)

Browse Source 
The SPA (web/) and the web gateway (cmd/webgw) move to a dedicated app
projects/message_bus/apps/uniweb (its own Gitea sub-repo). unibus is now
strictly the bus plane: membership/keys, the client library and demo peers.
uniweb consumes unibus as a Go module via replace => ../unibus.

No capability lost; same SPA and gateway, in their own service folder.
go build/vet/test green after extraction.
This commit is contained in:
Egutierrez
2026-06-13 21:21:08 +02:00
parent fadee1a7d0
commit 9661a5ce1f
31166 changed files with 2029366 additions and 3677 deletions
Download Patch File Download Diff File Expand all files Collapse all files
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/LICENSE
Generated Vendored
+21
View File
@@ -0,0 +1,21 @@
The MIT License (MIT)
Copyright (c) 2022 Paul Miller (https://paulmillr.com)
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the “Software”), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/README.md
Generated Vendored
+1129
View File
File diff suppressed because it is too large Load Diff
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/bls.d.ts
Generated Vendored
+411
View File
@@ -0,0 +1,411 @@
/**
* BLS != BLS.
* The file implements BLS (Boneh-Lynn-Shacham) signatures.
* Used in both BLS (Barreto-Lynn-Scott) and BN (Barreto-Naehrig)
* families of pairing-friendly curves.
* Consists of two curves: G1 and G2:
* - G1 is a subgroup of (x, y) E(Fq) over y² = x³ + 4.
* - G2 is a subgroup of ((x₁, x₂+i), (y₁, y₂+i)) E(Fq²) over y² = x³ + 4(1 + i) where i is √-1
* - Gt, created by bilinear (ate) pairing e(G1, G2), consists of p-th roots of unity in
* Fq^k where k is embedding degree. Only degree 12 is currently supported, 24 is not.
* Pairing is used to aggregate and verify signatures.
* There are two modes of operation:
* - Long signatures: X-byte keys + 2X-byte sigs (G1 keys + G2 sigs).
* - Short signatures: 2X-byte keys + X-byte sigs (G2 keys + G1 sigs).
* @module
**/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { type TArg, type TRet } from '../utils.ts';
import { type CurveLengths } from './curve.ts';
import { type H2CHasher, type H2COpts, type MapToCurve } from './hash-to-curve.ts';
import { type IField } from './modular.ts';
import type { Fp12, Fp12Bls, Fp2, Fp2Bls, Fp6Bls } from './tower.ts';
import { type WeierstrassPoint, type WeierstrassPointCons } from './weierstrass.ts';
type Fp = bigint;
/**
* Twist convention used by the pairing formulas for a concrete curve family.
* BLS12-381 uses a multiplicative twist, while BN254 uses a divisive one.
*/
export type BlsTwistType = 'multiplicative' | 'divisive';
/**
* Codec exposed as `curve.shortSignatures.Signature`.
* Use it to parse or serialize G1 signatures in short-signature mode.
* In this mode, public keys live in G2.
*/
export type BlsShortSignatureCoder<Fp> = {
/**
* Parse a compressed signature from raw bytes.
* @param bytes - Compressed signature bytes.
* @returns Parsed signature point.
*/
fromBytes(bytes: TArg<Uint8Array>): WeierstrassPoint<Fp>;
/**
* Parse a compressed signature from a hex string.
* @param hex - Compressed signature hex string.
* @returns Parsed signature point.
*/
fromHex(hex: string): WeierstrassPoint<Fp>;
/**
* Encode a signature point into compressed bytes.
* @param point - Signature point.
* @returns Compressed signature bytes.
*/
toBytes(point: WeierstrassPoint<Fp>): TRet<Uint8Array>;
/**
* Encode a signature point into a hex string.
* @param point - Signature point.
* @returns Compressed signature hex.
*/
toHex(point: WeierstrassPoint<Fp>): string;
};
/**
* Codec exposed as `curve.longSignatures.Signature`.
* Use it to parse or serialize G2 signatures in long-signature mode.
* In this mode, public keys live in G1.
*/
export type BlsLongSignatureCoder<Fp> = {
/**
* Parse a compressed signature from raw bytes.
* @param bytes - Compressed signature bytes.
* @returns Parsed signature point.
*/
fromBytes(bytes: TArg<Uint8Array>): WeierstrassPoint<Fp>;
/**
* Parse a compressed signature from a hex string.
* @param hex - Compressed signature hex string.
* @returns Parsed signature point.
*/
fromHex(hex: string): WeierstrassPoint<Fp>;
/**
* Encode a signature point into compressed bytes.
* @param point - Signature point.
* @returns Compressed signature bytes.
*/
toBytes(point: WeierstrassPoint<Fp>): TRet<Uint8Array>;
/**
* Encode a signature point into a hex string.
* @param point - Signature point.
* @returns Compressed signature hex.
*/
toHex(point: WeierstrassPoint<Fp>): string;
};
/** Tower fields needed by pairing code, hash-to-curve, and subgroup arithmetic. */
export type BlsFields = {
/** Base field of G1 coordinates. */
Fp: IField<Fp>;
/** Scalar field used for secret scalars and subgroup order arithmetic. */
Fr: IField<bigint>;
/** Quadratic extension field used by G2. */
Fp2: Fp2Bls;
/** Sextic extension field used inside pairing arithmetic. */
Fp6: Fp6Bls;
/** Degree-12 extension field that contains the GT target group. */
Fp12: Fp12Bls;
};
/**
* Callback used by pairing post-processing hooks to add one more G2 point to the Miller-loop state.
* @param Rx - Current projective X coordinate.
* @param Ry - Current projective Y coordinate.
* @param Rz - Current projective Z coordinate.
* @param Qx - G2 affine x coordinate.
* @param Qy - G2 affine y coordinate.
* @returns Updated projective accumulator coordinates.
*/
export type BlsPostPrecomputePointAddFn = (Rx: Fp2, Ry: Fp2, Rz: Fp2, Qx: Fp2, Qy: Fp2) => {
Rx: Fp2;
Ry: Fp2;
Rz: Fp2;
};
/**
* Hook for curve-specific pairing cleanup after the Miller loop precomputes are built.
* @param Rx - Current projective X coordinate.
* @param Ry - Current projective Y coordinate.
* @param Rz - Current projective Z coordinate.
* @param Qx - G2 affine x coordinate.
* @param Qy - G2 affine y coordinate.
* @param pointAdd - Callback used to fold one more point into the accumulator.
*/
export type BlsPostPrecomputeFn = (Rx: Fp2, Ry: Fp2, Rz: Fp2, Qx: Fp2, Qy: Fp2, pointAdd: BlsPostPrecomputePointAddFn) => void;
/** Low-level pairing helpers shared by BLS curve bundles. */
export type BlsPairing = {
/** Byte lengths for keys and signatures exposed by this pairing family. */
lengths: CurveLengths;
/** Scalar field used by the pairing and signing helpers. */
Fr: IField<bigint>;
/** Target field used for the GT result of pairings. */
Fp12: Fp12Bls;
/**
* Build Miller-loop precomputes for one G2 point.
* @param p - G2 point to precompute.
* @returns Pairing precompute table.
*/
calcPairingPrecomputes: (p: WeierstrassPoint<Fp2>) => Precompute;
/**
* Evaluate a batch of Miller loops from precomputed line coefficients.
* @param pairs - Precomputed Miller-loop inputs.
* @returns Accumulated GT value before or after final exponentiation.
*/
millerLoopBatch: (pairs: [Precompute, Fp, Fp][]) => Fp12;
/**
* Pair one G1 point with one G2 point.
* @param P - G1 point.
* @param Q - G2 point.
* @param withFinalExponent - Whether to apply the final exponentiation step.
* @returns GT pairing result.
* @throws If either point is the point at infinity. {@link Error}
*/
pairing: (P: WeierstrassPoint<Fp>, Q: WeierstrassPoint<Fp2>, withFinalExponent?: boolean) => Fp12;
/**
* Pair many G1/G2 pairs in one batch.
* @param pairs - Point pairs to accumulate.
* @param withFinalExponent - Whether to apply the final exponentiation step.
* @returns GT pairing result. Empty input returns the multiplicative identity in GT.
*/
pairingBatch: (pairs: {
g1: WeierstrassPoint<Fp>;
g2: WeierstrassPoint<Fp2>;
}[], withFinalExponent?: boolean) => Fp12;
/**
* Generate a random secret key for this pairing family.
* @param seed - Optional seed material.
* @returns Secret key bytes.
*/
randomSecretKey: (seed?: TArg<Uint8Array>) => TRet<Uint8Array>;
};
/**
* Parameters that define the Miller-loop shape and twist handling
* for a concrete pairing family.
*/
export type BlsPairingParams = {
/** Signed loop parameter used by the Miller loop. */
ateLoopSize: bigint;
/** Whether the signed Miller-loop parameter is negative. */
xNegative: boolean;
/**
* Twist convention used by the pairing formulas.
* BLS12-381 is multiplicative; BN254 is divisive.
*/
twistType: BlsTwistType;
/**
* Optional RNG override used by helper constructors.
* Receives the requested byte length and returns random bytes.
*/
randomBytes?: (len?: number) => TRet<Uint8Array>;
/**
* Optional hook for curve-specific untwisting after precomputation.
* Used by BN254 after the Miller loop.
*/
postPrecompute?: BlsPostPrecomputeFn;
};
/** Hash-to-curve settings shared by the G1 and G2 hashers inside a BLS curve bundle. */
export type BlsHasherParams = {
/**
* Optional map-to-curve override for G1.
* Receives the hash-to-field tuple and returns one affine G1 point.
*/
mapToG1?: MapToCurve<Fp>;
/**
* Optional map-to-curve override for G2.
* Receives the hash-to-field tuple and returns one affine G2 point.
*/
mapToG2?: MapToCurve<Fp2>;
/** Shared baseline hash-to-curve options. */
hasherOpts: H2COpts;
/** G1-specific hash-to-curve options merged on top of `hasherOpts`. */
hasherOptsG1: H2COpts;
/** G2-specific hash-to-curve options merged on top of `hasherOpts`. */
hasherOptsG2: H2COpts;
};
type PrecomputeSingle = [Fp2, Fp2, Fp2][];
type Precompute = PrecomputeSingle[];
/**
* BLS consists of two curves: G1 and G2:
* - G1 is a subgroup of (x, y) E(Fq) over y² = x³ + 4.
* - G2 is a subgroup of ((x₁, x₂+i), (y₁, y₂+i)) E(Fq²) over y² = x³ + 4(1 + i) where i is √-1
*/
export interface BlsCurvePair {
/** Byte lengths for keys and signatures exposed by this curve family. */
lengths: CurveLengths;
/**
* Shared Miller-loop batch evaluator.
* @param pairs - Precomputed Miller-loop inputs.
* @returns Accumulated GT value.
*/
millerLoopBatch: BlsPairing['millerLoopBatch'];
/**
* Pair one G1 point with one G2 point.
* @param P - G1 point.
* @param Q - G2 point.
* @param withFinalExponent - Whether to apply the final exponentiation step.
* @returns GT pairing result.
* @throws If either point is the point at infinity. {@link Error}
*/
pairing: BlsPairing['pairing'];
/**
* Pair many G1/G2 pairs in one batch.
* @param pairs - Point pairs to accumulate.
* @param withFinalExponent - Whether to apply the final exponentiation step.
* @returns GT pairing result. Empty input returns the multiplicative identity in GT.
*/
pairingBatch: BlsPairing['pairingBatch'];
/** G1 point constructor for the base field subgroup. */
G1: {
Point: WeierstrassPointCons<Fp>;
};
/** G2 point constructor for the twist subgroup. */
G2: {
Point: WeierstrassPointCons<Fp2>;
};
/** Tower fields exposed by the pairing implementation. */
fields: {
Fp: IField<Fp>;
Fp2: Fp2Bls;
Fp6: Fp6Bls;
Fp12: Fp12Bls;
Fr: IField<bigint>;
};
/** Utility helpers shared by hashers and signers. */
utils: {
randomSecretKey: (seed?: TArg<Uint8Array>) => TRet<Uint8Array>;
calcPairingPrecomputes: BlsPairing['calcPairingPrecomputes'];
};
/** Public pairing parameters exposed for introspection. */
params: {
ateLoopSize: bigint;
twistType: BlsTwistType;
};
}
/** BLS curve bundle extended with hash-to-curve helpers for G1 and G2. */
export interface BlsCurvePairWithHashers extends BlsCurvePair {
/** G1 hasher bundle with RFC 9380 helpers. */
G1: H2CHasher<WeierstrassPointCons<Fp>>;
/** G2 hasher bundle with RFC 9380 helpers. */
G2: H2CHasher<WeierstrassPointCons<Fp2>>;
}
/** BLS curve bundle extended with both hashers and signature helpers. */
export interface BlsCurvePairWithSignatures extends BlsCurvePairWithHashers {
/** Long-signature mode: G1 public keys and G2 signatures. */
longSignatures: BlsSigs<bigint, Fp2>;
/** Short-signature mode: G2 public keys and G1 signatures. */
shortSignatures: BlsSigs<Fp2, bigint>;
}
type BLSInput = TArg<Uint8Array>;
/** BLS signer helpers for one signature mode. */
export interface BlsSigs<P, S> {
/** Byte lengths for secret keys, public keys, and signatures. */
lengths: CurveLengths;
/**
* Generate a secret/public key pair for this signature mode.
* @param seed - Optional seed material.
* @returns Secret and public key pair.
*/
keygen(seed?: TArg<Uint8Array>): {
secretKey: TRet<Uint8Array>;
publicKey: WeierstrassPoint<P>;
};
/**
* Derive the public key from a secret key.
* @param secretKey - Secret key bytes.
* @returns Public-key point.
*/
getPublicKey(secretKey: TArg<Uint8Array>): WeierstrassPoint<P>;
/**
* Sign a message already hashed onto the signature subgroup.
* @param hashedMessage - Message mapped to the signature subgroup.
* @param secretKey - Secret key bytes.
* @returns Signature point.
*/
sign(hashedMessage: WeierstrassPoint<S>, secretKey: TArg<Uint8Array>): WeierstrassPoint<S>;
/**
* Verify one signature against one public key and hashed message.
* @param signature - Signature point or encoded signature.
* @param message - Hashed message point.
* @param publicKey - Public-key point or encoded key.
* @returns Whether the signature is valid.
*/
verify(signature: WeierstrassPoint<S> | BLSInput, message: WeierstrassPoint<S>, publicKey: WeierstrassPoint<P> | BLSInput): boolean;
/**
* Verify one aggregated signature against many `(message, publicKey)` pairs.
* @param signature - Aggregated signature.
* @param items - Message/public-key pairs.
* @returns Whether the aggregated signature is valid. Same-message aggregate verification still
* requires proof of possession or another rogue-key defense from the caller.
*/
verifyBatch: (signature: WeierstrassPoint<S> | BLSInput, items: {
message: WeierstrassPoint<S>;
publicKey: WeierstrassPoint<P> | BLSInput;
}[]) => boolean;
/**
* Add many public keys into one aggregate point.
* @param publicKeys - Public keys to aggregate.
* @returns Aggregated public-key point. This is raw point addition and does not add proof of
* possession or rogue-key protection on its own.
*/
aggregatePublicKeys(publicKeys: (WeierstrassPoint<P> | BLSInput)[]): WeierstrassPoint<P>;
/**
* Add many signatures into one aggregate point.
* @param signatures - Signatures to aggregate.
* @returns Aggregated signature point. This is raw point addition and does not change the proof
* of possession requirements of the aggregate-verification scheme.
*/
aggregateSignatures(signatures: (WeierstrassPoint<S> | BLSInput)[]): WeierstrassPoint<S>;
/**
* Hash an arbitrary message onto the signature subgroup.
* @param message - Message bytes.
* @param DST - Optional domain separation tag.
* @returns Curve point on the signature subgroup.
*/
hash(message: TArg<Uint8Array>, DST?: TArg<string | Uint8Array>): WeierstrassPoint<S>;
/** Signature codec for this mode. */
Signature: BlsLongSignatureCoder<S>;
}
type BlsSignatureCoders = Partial<{
LongSignature: BlsLongSignatureCoder<Fp2>;
ShortSignature: BlsShortSignatureCoder<Fp>;
}>;
/**
* @param fields - Tower field implementations.
* @param G1_Point - G1 point constructor.
* @param G2_Point - G2 point constructor.
* @param params - Pairing parameters. See {@link BlsPairingParams}.
* @returns Pairing-only BLS helpers. The returned pairing surface rejects infinity inputs, while
* empty `pairingBatch(...)` calls return the multiplicative identity in GT. This keeps the
* low-level pairing API fail-closed for BLS-style callers, where identity points usually signal
* broken hash / wiring instead of an intentionally neutral pairing term. This also eagerly
* precomputes the G1 base-point table as a performance side effect.
* @throws If the pairing parameters or underlying curve helpers are inconsistent. {@link Error}
* @example
* ```ts
* import { blsBasic } from '@noble/curves/abstract/bls.js';
* import { bn254 } from '@noble/curves/bn254.js';
* // Pair a G1 point with a G2 point without the higher-level signer helpers.
* const gt = bn254.pairing(bn254.G1.Point.BASE, bn254.G2.Point.BASE);
* ```
*/
export declare function blsBasic(fields: TArg<BlsFields>, G1_Point: WeierstrassPointCons<Fp>, G2_Point: WeierstrassPointCons<Fp2>, params: TArg<BlsPairingParams>): BlsCurvePair;
/**
* @param fields - Tower field implementations.
* @param G1_Point - G1 point constructor.
* @param G2_Point - G2 point constructor.
* @param params - Pairing parameters. See {@link BlsPairingParams}.
* @param hasherParams - Hash-to-curve configuration. See {@link BlsHasherParams}.
* @param signatureCoders - Signature codecs.
* @returns BLS helpers with signers. The inherited pairing surface still rejects infinity inputs,
* and empty `pairingBatch(...)` calls still return the multiplicative identity in GT. Aggregate
* verification still requires proof of possession or another rogue-key defense from the caller.
* @throws If the pairing, hashing, or signature helpers are configured inconsistently. {@link Error}
* @example
* ```ts
* import { bls } from '@noble/curves/abstract/bls.js';
* import { bls12_381 } from '@noble/curves/bls12-381.js';
* const sigs = bls12_381.longSignatures;
* // Use the full BLS helper set when you need hashing, keygen, signing, and verification.
* const { secretKey, publicKey } = sigs.keygen();
* const msg = sigs.hash(new TextEncoder().encode('hello noble'));
* const sig = sigs.sign(msg, secretKey);
* const isValid = sigs.verify(sig, msg, publicKey);
* ```
*/
export declare function bls(fields: TArg<BlsFields>, G1_Point: WeierstrassPointCons<Fp>, G2_Point: WeierstrassPointCons<Fp2>, params: TArg<BlsPairingParams>, hasherParams: TArg<BlsHasherParams>, signatureCoders: BlsSignatureCoders): BlsCurvePairWithSignatures;
export {};
//# sourceMappingURL=bls.d.ts.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/bls.d.ts.map
Generated Vendored
+1
View File
File diff suppressed because one or more lines are too long
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/bls.js
Generated Vendored
+432
View File
@@ -0,0 +1,432 @@
/**
* BLS != BLS.
* The file implements BLS (Boneh-Lynn-Shacham) signatures.
* Used in both BLS (Barreto-Lynn-Scott) and BN (Barreto-Naehrig)
* families of pairing-friendly curves.
* Consists of two curves: G1 and G2:
* - G1 is a subgroup of (x, y) E(Fq) over y² = x³ + 4.
* - G2 is a subgroup of ((x₁, x₂+i), (y₁, y₂+i)) E(Fq²) over y² = x³ + 4(1 + i) where i is √-1
* - Gt, created by bilinear (ate) pairing e(G1, G2), consists of p-th roots of unity in
* Fq^k where k is embedding degree. Only degree 12 is currently supported, 24 is not.
* Pairing is used to aggregate and verify signatures.
* There are two modes of operation:
* - Long signatures: X-byte keys + 2X-byte sigs (G1 keys + G2 sigs).
* - Short signatures: 2X-byte keys + X-byte sigs (G2 keys + G1 sigs).
* @module
**/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { abytes, notImplemented, randomBytes } from "../utils.js";
import {} from "./curve.js";
import { createHasher, } from "./hash-to-curve.js";
import { getMinHashLength, mapHashToField } from "./modular.js";
import {} from "./weierstrass.js";
// prettier-ignore
const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
// Signed non-adjacent decomposition of the spec-defined Miller-loop parameter.
// BN254 benefits most because `6x+2` has multiple adjacent `11` runs, but BLS12-381's
// stored `|x|` still starts with `11`, so the Miller loop must also handle one `-1` digit there.
function NAfDecomposition(a) {
const res = [];
// a>1 because of marker bit
for (; a > _1n; a >>= _1n) {
if ((a & _1n) === _0n)
res.unshift(0);
else if ((a & _3n) === _3n) {
res.unshift(-1);
a += _1n;
}
else
res.unshift(1);
}
return res;
}
function aNonEmpty(arr) {
// Aggregate helpers use this to reject empty variable-length inputs consistently.
// Without the guard, each caller would fall through into a different empty-input / identity
// case and hide missing inputs behind outputs that still look structurally valid.
if (!Array.isArray(arr) || arr.length === 0)
throw new Error('expected non-empty array');
}
// This should be enough for bn254, no need to export full stuff?
function createBlsPairing(fields, G1, G2, params) {
const { Fr, Fp2, Fp12 } = fields;
const { twistType, ateLoopSize, xNegative, postPrecompute } = params;
// Applies sparse multiplication as line function
let lineFunction;
if (twistType === 'multiplicative') {
lineFunction = (c0, c1, c2, f, Px, Py) => Fp12.mul014(f, c0, Fp2.mul(c1, Px), Fp2.mul(c2, Py));
}
else if (twistType === 'divisive') {
// NOTE: it should be [c0, c1, c2], but we use different order here to reduce complexity of
// precompute calculations.
lineFunction = (c0, c1, c2, f, Px, Py) => Fp12.mul034(f, Fp2.mul(c2, Py), Fp2.mul(c1, Px), c0);
}
else
throw new Error('bls: unknown twist type');
const Fp2div2 = Fp2.div(Fp2.ONE, Fp2.mul(Fp2.ONE, _2n));
function pointDouble(ell, Rx, Ry, Rz) {
const t0 = Fp2.sqr(Ry); // Ry²
const t1 = Fp2.sqr(Rz); // Rz²
const t2 = Fp2.mulByB(Fp2.mul(t1, _3n)); // 3 * T1 * B
const t3 = Fp2.mul(t2, _3n); // 3 * T2
const t4 = Fp2.sub(Fp2.sub(Fp2.sqr(Fp2.add(Ry, Rz)), t1), t0); // (Ry + Rz)² - T1 - T0
const c0 = Fp2.sub(t2, t0); // T2 - T0 (i)
const c1 = Fp2.mul(Fp2.sqr(Rx), _3n); // 3 * Rx²
const c2 = Fp2.neg(t4); // -T4 (-h)
ell.push([c0, c1, c2]);
Rx = Fp2.mul(Fp2.mul(Fp2.mul(Fp2.sub(t0, t3), Rx), Ry), Fp2div2); // ((T0 - T3) * Rx * Ry) / 2
// ((T0 + T3) / 2)² - 3 * T2²
Ry = Fp2.sub(Fp2.sqr(Fp2.mul(Fp2.add(t0, t3), Fp2div2)), Fp2.mul(Fp2.sqr(t2), _3n));
Rz = Fp2.mul(t0, t4); // T0 * T4
return { Rx, Ry, Rz };
}
function pointAdd(ell, Rx, Ry, Rz, Qx, Qy) {
// Addition
const t0 = Fp2.sub(Ry, Fp2.mul(Qy, Rz)); // Ry - Qy * Rz
const t1 = Fp2.sub(Rx, Fp2.mul(Qx, Rz)); // Rx - Qx * Rz
const c0 = Fp2.sub(Fp2.mul(t0, Qx), Fp2.mul(t1, Qy)); // T0 * Qx - T1 * Qy == Ry * Qx - Rx * Qy
const c1 = Fp2.neg(t0); // -T0 == Qy * Rz - Ry
const c2 = t1; // == Rx - Qx * Rz
ell.push([c0, c1, c2]);
const t2 = Fp2.sqr(t1); // T1²
const t3 = Fp2.mul(t2, t1); // T2 * T1
const t4 = Fp2.mul(t2, Rx); // T2 * Rx
// T3 - 2 * T4 + T0² * Rz
const t5 = Fp2.add(Fp2.sub(t3, Fp2.mul(t4, _2n)), Fp2.mul(Fp2.sqr(t0), Rz));
Rx = Fp2.mul(t1, t5); // T1 * T5
Ry = Fp2.sub(Fp2.mul(Fp2.sub(t4, t5), t0), Fp2.mul(t3, Ry)); // (T4 - T5) * T0 - T3 * Ry
Rz = Fp2.mul(Rz, t3); // Rz * T3
return { Rx, Ry, Rz };
}
// Pre-compute coefficients for sparse multiplication
// Point addition and point double calculations is reused for coefficients
// pointAdd happens only if bit set, so wNAF is reasonable. Unfortunately we cannot combine
// add + double in windowed precomputes here, otherwise it would be single op (since X is static)
const ATE_NAF = NAfDecomposition(ateLoopSize);
const calcPairingPrecomputes = (point) => {
const p = point;
const { x, y } = p.toAffine();
// prettier-ignore
const Qx = x, Qy = y, negQy = Fp2.neg(y);
// prettier-ignore
let Rx = Qx, Ry = Qy, Rz = Fp2.ONE;
const ell = [];
for (const bit of ATE_NAF) {
const cur = [];
({ Rx, Ry, Rz } = pointDouble(cur, Rx, Ry, Rz));
if (bit)
({ Rx, Ry, Rz } = pointAdd(cur, Rx, Ry, Rz, Qx, bit === -1 ? negQy : Qy));
ell.push(cur);
}
if (postPrecompute) {
const last = ell[ell.length - 1];
postPrecompute(Rx, Ry, Rz, Qx, Qy, pointAdd.bind(null, last));
}
return ell;
};
function millerLoopBatch(pairs, withFinalExponent = false) {
let f12 = Fp12.ONE;
if (pairs.length) {
const ellLen = pairs[0][0].length;
for (let i = 0; i < ellLen; i++) {
f12 = Fp12.sqr(f12); // This allows us to do sqr only one time for all pairings
// NOTE: we apply multiple pairings in parallel here
for (const [ell, Px, Py] of pairs) {
for (const [c0, c1, c2] of ell[i])
f12 = lineFunction(c0, c1, c2, f12, Px, Py);
}
}
}
if (xNegative)
f12 = Fp12.conjugate(f12);
return withFinalExponent ? Fp12.finalExponentiate(f12) : f12;
}
// Calculates product of multiple pairings
// This up to x2 faster than just `map(({g1, g2})=>pairing({g1,g2}))`
function pairingBatch(pairs, withFinalExponent = true) {
const res = [];
for (const { g1, g2 } of pairs) {
// Mathematically, a zero pairing term contributes GT.ONE. We still reject it here because
// this API mainly backs BLS verification, where ZERO inputs usually mean broken hash /
// wiring. Silently skipping them would turn those failures into a neutral pairing product.
// Callers that want the algebraic neutral-element behavior can filter ZERO terms first.
if (g1.is0() || g2.is0())
throw new Error('pairing is not available for ZERO point');
// This uses toAffine inside
g1.assertValidity();
g2.assertValidity();
const Qa = g1.toAffine();
res.push([calcPairingPrecomputes(g2), Qa.x, Qa.y]);
}
return millerLoopBatch(res, withFinalExponent);
}
// Calculates bilinear pairing
function pairing(Q, P, withFinalExponent = true) {
return pairingBatch([{ g1: Q, g2: P }], withFinalExponent);
}
const lengths = {
seed: getMinHashLength(Fr.ORDER),
};
const rand = params.randomBytes === undefined ? randomBytes : params.randomBytes;
// Seeded calls deterministically reduce exactly `lengths.seed` bytes into `1..Fr.ORDER-1`;
// omitting `seed` just fills that input buffer from the configured RNG first.
const randomSecretKey = (seed) => {
seed = seed === undefined ? rand(lengths.seed) : seed;
abytes(seed, lengths.seed, 'seed');
return mapHashToField(seed, Fr.ORDER);
};
Object.freeze(lengths);
return {
lengths,
Fr,
Fp12, // NOTE: we re-export Fp12 here because pairing results are Fp12!
millerLoopBatch,
pairing,
pairingBatch,
calcPairingPrecomputes,
randomSecretKey,
};
}
function createBlsSig(blsPairing, PubPoint, SigPoint, isSigG1, hashToSigCurve, SignatureCoder) {
const { Fr, Fp12, pairingBatch, randomSecretKey, lengths } = blsPairing;
if (!SignatureCoder) {
SignatureCoder = {
fromBytes: notImplemented,
fromHex: notImplemented,
toBytes: notImplemented,
toHex: notImplemented,
};
}
function normPub(point) {
return point instanceof PubPoint ? point : PubPoint.fromBytes(point);
}
function normSig(point) {
return point instanceof SigPoint ? point : SigPoint.fromBytes(point);
}
// Sign/verify here take points already hashed onto the signature subgroup.
// Raw bytes and points from the other subgroup must fail this constructor-brand
// check before later validity checks run.
function amsg(m) {
if (!(m instanceof SigPoint))
throw new Error(`expected valid message hashed to ${!isSigG1 ? 'G2' : 'G1'} curve`);
return m;
}
// What matters here is what point pairing API accepts as G1 or G2, not actual size or names
const pair = !isSigG1
? (a, b) => ({ g1: a, g2: b })
: (a, b) => ({ g1: b, g2: a });
return Object.freeze({
lengths: Object.freeze({ ...lengths, secretKey: Fr.BYTES }),
keygen(seed) {
const secretKey = randomSecretKey(seed);
const publicKey = this.getPublicKey(secretKey);
return { secretKey, publicKey };
},
// P = pk x G
getPublicKey(secretKey) {
let sec;
try {
sec = PubPoint.Fn.fromBytes(secretKey);
}
catch (error) {
// @ts-ignore
throw new Error('invalid private key: ' + typeof secretKey, { cause: error });
}
return PubPoint.BASE.multiply(sec);
},
// S = pk x H(m)
sign(message, secretKey, unusedArg) {
if (unusedArg != null)
throw new Error('sign() expects 2 arguments');
const sec = PubPoint.Fn.fromBytes(secretKey);
amsg(message).assertValidity();
return message.multiply(sec);
},
// Checks if pairing of public key & hash is equal to pairing of generator & signature.
// e(P, H(m)) == e(G, S)
// e(S, G) == e(H(m), P)
verify(signature, message, publicKey, unusedArg) {
if (unusedArg != null)
throw new Error('verify() expects 3 arguments');
signature = normSig(signature);
publicKey = normPub(publicKey);
const P = publicKey.negate();
const G = PubPoint.BASE;
const Hm = amsg(message);
const S = signature;
// This code was changed in 1.9.x:
// Before it was G.negate() in G2, now it's always pubKey.negate
// e(P, -Q)===e(-P, Q)==e(P, Q)^-1. Negate can be done anywhere (as long it is done once per pair).
// We just moving sign, but since pairing is multiplicative, we doing X * X^-1 = 1
try {
const exp = pairingBatch([pair(P, Hm), pair(G, S)]);
return Fp12.eql(exp, Fp12.ONE);
}
catch {
return false;
}
},
// https://ethresear.ch/t/fast-verification-of-multiple-bls-signatures/5407
// e(G, S) = e(G, SUM(n)(Si)) = MUL(n)(e(G, Si))
// TODO: maybe `{message: G2Hex, publicKey: G1Hex}[]` instead?
verifyBatch(signature, items) {
aNonEmpty(items);
const sig = normSig(signature);
const nMessages = items.map((i) => i.message);
const nPublicKeys = items.map((i) => normPub(i.publicKey));
// NOTE: this works only for exact same object
const messagePubKeyMap = new Map();
for (let i = 0; i < nPublicKeys.length; i++) {
const pub = nPublicKeys[i];
const msg = nMessages[i];
let keys = messagePubKeyMap.get(msg);
if (keys === undefined) {
keys = [];
messagePubKeyMap.set(msg, keys);
}
keys.push(pub);
}
const paired = [];
const G = PubPoint.BASE;
try {
for (const [msg, keys] of messagePubKeyMap) {
const groupPublicKey = keys.reduce((acc, msg) => acc.add(msg));
paired.push(pair(groupPublicKey, msg));
}
paired.push(pair(G.negate(), sig));
return Fp12.eql(pairingBatch(paired), Fp12.ONE);
}
catch {
return false;
}
},
// Adds a bunch of public key points together.
// pk1 + pk2 + pk3 = pkA
aggregatePublicKeys(publicKeys) {
aNonEmpty(publicKeys);
publicKeys = publicKeys.map((pub) => normPub(pub));
const agg = publicKeys.reduce((sum, p) => sum.add(p), PubPoint.ZERO);
agg.assertValidity();
return agg;
},
// Adds a bunch of signature points together.
// pk1 + pk2 + pk3 = pkA
aggregateSignatures(signatures) {
aNonEmpty(signatures);
signatures = signatures.map((sig) => normSig(sig));
const agg = signatures.reduce((sum, s) => sum.add(s), SigPoint.ZERO);
agg.assertValidity();
return agg;
},
hash(messageBytes, DST) {
abytes(messageBytes);
const opts = DST ? { DST } : undefined;
return hashToSigCurve(messageBytes, opts);
},
Signature: Object.freeze({ ...SignatureCoder }),
}) /*satisfies Signer */;
}
// NOTE: separate function instead of function override, so we don't depend on hasher in bn254.
/**
* @param fields - Tower field implementations.
* @param G1_Point - G1 point constructor.
* @param G2_Point - G2 point constructor.
* @param params - Pairing parameters. See {@link BlsPairingParams}.
* @returns Pairing-only BLS helpers. The returned pairing surface rejects infinity inputs, while
* empty `pairingBatch(...)` calls return the multiplicative identity in GT. This keeps the
* low-level pairing API fail-closed for BLS-style callers, where identity points usually signal
* broken hash / wiring instead of an intentionally neutral pairing term. This also eagerly
* precomputes the G1 base-point table as a performance side effect.
* @throws If the pairing parameters or underlying curve helpers are inconsistent. {@link Error}
* @example
* ```ts
* import { blsBasic } from '@noble/curves/abstract/bls.js';
* import { bn254 } from '@noble/curves/bn254.js';
* // Pair a G1 point with a G2 point without the higher-level signer helpers.
* const gt = bn254.pairing(bn254.G1.Point.BASE, bn254.G2.Point.BASE);
* ```
*/
export function blsBasic(fields, G1_Point, G2_Point, params) {
// Fields are specific for curve, so for now we'll need to pass them with opts
const { Fp, Fr, Fp2, Fp6, Fp12 } = fields;
// Point on G1 curve: (x, y)
// const G1_Point = weierstrass(CURVE.G1, { Fn: Fr });
const G1 = { Point: G1_Point };
// Point on G2 curve (complex numbers): (x₁, x₂+i), (y₁, y₂+i)
const G2 = { Point: G2_Point };
const pairingRes = createBlsPairing(fields, G1_Point, G2_Point, params);
const { millerLoopBatch, pairing, pairingBatch, calcPairingPrecomputes, randomSecretKey, lengths, } = pairingRes;
G1.Point.BASE.precompute(4);
Object.freeze(G1);
Object.freeze(G2);
return Object.freeze({
lengths: Object.freeze(lengths),
millerLoopBatch,
pairing,
pairingBatch,
G1,
G2,
fields: Object.freeze({ Fr, Fp, Fp2, Fp6, Fp12 }),
params: Object.freeze({
ateLoopSize: params.ateLoopSize,
twistType: params.twistType,
}),
utils: Object.freeze({
randomSecretKey,
calcPairingPrecomputes,
}),
});
}
// We can export this too, but seems there is not much reasons for now? If user wants hasher, they can just create hasher.
function blsHashers(fields, G1_Point, G2_Point, params, hasherParams) {
const base = blsBasic(fields, G1_Point, G2_Point, params);
// Missing map hooks intentionally fail closed via notImplemented on first hash use.
const G1Hasher = createHasher(G1_Point, hasherParams.mapToG1 === undefined ? notImplemented : hasherParams.mapToG1, {
...hasherParams.hasherOpts,
...hasherParams.hasherOptsG1,
});
const G2Hasher = createHasher(G2_Point, hasherParams.mapToG2 === undefined ? notImplemented : hasherParams.mapToG2, {
...hasherParams.hasherOpts,
...hasherParams.hasherOptsG2,
});
return Object.freeze({ ...base, G1: G1Hasher, G2: G2Hasher });
}
// G1_Point: ProjConstructor<bigint>, G2_Point: ProjConstructor<Fp2>,
// Rename to blsSignatures?
/**
* @param fields - Tower field implementations.
* @param G1_Point - G1 point constructor.
* @param G2_Point - G2 point constructor.
* @param params - Pairing parameters. See {@link BlsPairingParams}.
* @param hasherParams - Hash-to-curve configuration. See {@link BlsHasherParams}.
* @param signatureCoders - Signature codecs.
* @returns BLS helpers with signers. The inherited pairing surface still rejects infinity inputs,
* and empty `pairingBatch(...)` calls still return the multiplicative identity in GT. Aggregate
* verification still requires proof of possession or another rogue-key defense from the caller.
* @throws If the pairing, hashing, or signature helpers are configured inconsistently. {@link Error}
* @example
* ```ts
* import { bls } from '@noble/curves/abstract/bls.js';
* import { bls12_381 } from '@noble/curves/bls12-381.js';
* const sigs = bls12_381.longSignatures;
* // Use the full BLS helper set when you need hashing, keygen, signing, and verification.
* const { secretKey, publicKey } = sigs.keygen();
* const msg = sigs.hash(new TextEncoder().encode('hello noble'));
* const sig = sigs.sign(msg, secretKey);
* const isValid = sigs.verify(sig, msg, publicKey);
* ```
*/
export function bls(fields, G1_Point, G2_Point, params, hasherParams, signatureCoders) {
const base = blsHashers(fields, G1_Point, G2_Point, params, hasherParams);
const pairingRes = {
...base,
Fr: base.fields.Fr,
Fp12: base.fields.Fp12,
calcPairingPrecomputes: base.utils.calcPairingPrecomputes,
randomSecretKey: base.utils.randomSecretKey,
};
const longSignatures = createBlsSig(pairingRes, G1_Point, G2_Point, false, base.G2.hashToCurve, signatureCoders?.LongSignature);
const shortSignatures = createBlsSig(pairingRes, G2_Point, G1_Point, true, base.G1.hashToCurve, signatureCoders?.ShortSignature);
return Object.freeze({ ...base, longSignatures, shortSignatures });
}
//# sourceMappingURL=bls.js.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/bls.js.map
Generated Vendored
+1
View File
File diff suppressed because one or more lines are too long
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/curve.d.ts
Generated Vendored
+442
View File
@@ -0,0 +1,442 @@
/**
* Methods for elliptic curve multiplication by scalars.
* Contains wNAF, pippenger.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { type Signer, type TArg, type TRet } from '../utils.ts';
import { type IField } from './modular.ts';
/** Affine point coordinates without projective fields. */
export type AffinePoint<T> = {
/** Affine x coordinate. */
x: T;
/** Affine y coordinate. */
y: T;
} & {
Z?: never;
};
/** Base interface for all elliptic-curve point instances. */
export interface CurvePoint<F, P extends CurvePoint<F, P>> {
/** Affine x coordinate. Different from projective / extended X coordinate. */
x: F;
/** Affine y coordinate. Different from projective / extended Y coordinate. */
y: F;
/** Projective Z coordinate when the point keeps projective state. */
Z?: F;
/**
* Double the point.
* @returns Doubled point.
*/
double(): P;
/**
* Negate the point.
* @returns Negated point.
*/
negate(): P;
/**
* Add another point from the same curve.
* @param other - Point to add.
* @returns Sum point.
*/
add(other: P): P;
/**
* Subtract another point from the same curve.
* @param other - Point to subtract.
* @returns Difference point.
*/
subtract(other: P): P;
/**
* Compare two points for equality.
* @param other - Point to compare.
* @returns Whether the points are equal.
*/
equals(other: P): boolean;
/**
* Multiply the point by a scalar in constant time.
* Implementations keep the subgroup-scalar contract strict and may reject
* `0` instead of returning the identity point.
* @param scalar - Scalar multiplier.
* @returns Product point.
*/
multiply(scalar: bigint): P;
/** Assert that the point satisfies the curve equation and subgroup checks. */
assertValidity(): void;
/**
* Map the point into the prime-order subgroup when the curve requires it.
* @returns Prime-order point.
*/
clearCofactor(): P;
/**
* Check whether the point is the point at infinity.
* @returns Whether the point is zero.
*/
is0(): boolean;
/**
* Check whether the point belongs to the prime-order subgroup.
* @returns Whether the point is torsion-free.
*/
isTorsionFree(): boolean;
/**
* Check whether the point lies in a small torsion subgroup.
* @returns Whether the point has small order.
*/
isSmallOrder(): boolean;
/**
* Multiply the point by a scalar without constant-time guarantees.
* Public-scalar callers that need `0` should use this method instead of
* relying on `multiply(...)` to return the identity point.
* @param scalar - Scalar multiplier.
* @returns Product point.
*/
multiplyUnsafe(scalar: bigint): P;
/**
* Massively speeds up `p.multiply(n)` by using precompute tables (caching). See {@link wNAF}.
* Cache state lives in internal WeakMaps keyed by point identity, not on the point object.
* Repeating `precompute(...)` for the same point identity replaces the remembered window size
* and forces table regeneration for that point.
* @param windowSize - Precompute window size.
* @param isLazy - calculate cache now. Default (true) ensures it's deferred to first `multiply()`
* @returns Same point instance with precompute tables attached.
*/
precompute(windowSize?: number, isLazy?: boolean): P;
/**
* Converts point to 2D xy affine coordinates.
* @param invertedZ - Optional inverted Z coordinate for batch normalization.
* @returns Affine x/y coordinates.
*/
toAffine(invertedZ?: F): AffinePoint<F>;
/**
* Encode the point into the curve's canonical byte form.
* @returns Encoded point bytes.
*/
toBytes(): Uint8Array;
/**
* Encode the point into the curve's canonical hex form.
* @returns Encoded point hex.
*/
toHex(): string;
}
/** Base interface for elliptic-curve point constructors. */
export interface CurvePointCons<P extends CurvePoint<any, P>> {
/**
* Runtime brand check for points created by this constructor.
* @param item - Value to test.
* @returns Whether the value is a point from this constructor.
*/
[Symbol.hasInstance]: (item: unknown) => boolean;
/** Canonical subgroup generator. */
BASE: P;
/** Point at infinity. */
ZERO: P;
/** Field for basic curve math */
Fp: IField<P_F<P>>;
/** Scalar field, for scalars in multiply and others */
Fn: IField<bigint>;
/**
* Create one point from affine coordinates.
* Does NOT validate curve, subgroup, or wrapper invariants.
* Use `.assertValidity()` on adversarial inputs.
* @param p - Affine point coordinates.
* @returns Point instance.
*/
fromAffine(p: AffinePoint<P_F<P>>): P;
/**
* Decode a point from the canonical byte encoding.
* @param bytes - Encoded point bytes.
* Implementations MUST treat `bytes` as read-only.
* @returns Point instance.
*/
fromBytes(bytes: Uint8Array): P;
/**
* Decode a point from the canonical hex encoding.
* @param hex - Encoded point hex.
* @returns Point instance.
*/
fromHex(hex: string): P;
}
/** Returns the affine field type for a point instance (`P_F<P> == P.F`). */
export type P_F<P extends CurvePoint<any, P>> = P extends CurvePoint<infer F, P> ? F : never;
/** Returns the affine field type for a point constructor (`PC_F<PC> == PC.P.F`). */
export type PC_F<PC extends CurvePointCons<CurvePoint<any, any>>> = PC['Fp']['ZERO'];
/** Returns the point instance type for a point constructor (`PC_P<PC> == PC.P`). */
export type PC_P<PC extends CurvePointCons<CurvePoint<any, any>>> = PC['ZERO'];
/** Wide point-constructor type used when the concrete curve is not important. */
export type PC_ANY = CurvePointCons<CurvePoint<any, CurvePoint<any, CurvePoint<any, CurvePoint<any, CurvePoint<any, CurvePoint<any, CurvePoint<any, CurvePoint<any, CurvePoint<any, CurvePoint<any, any>>>>>>>>>>>;
/**
* Validates the static surface of a point constructor.
* This is only a cheap sanity check for the constructor hooks and fields consumed by generic
* factories; it does not certify `BASE`/`ZERO` semantics or prove the curve implementation itself.
* @param Point - Runtime point constructor.
* @throws On missing constructor hooks or malformed field metadata. {@link TypeError}
* @example
* Check that one point constructor exposes the static hooks generic helpers need.
*
* ```ts
* import { ed25519 } from '@noble/curves/ed25519.js';
* import { validatePointCons } from '@noble/curves/abstract/curve.js';
* validatePointCons(ed25519.Point);
* ```
*/
export declare function validatePointCons<P extends CurvePoint<any, P>>(Point: CurvePointCons<P>): void;
/** Byte lengths used by one curve implementation. */
export interface CurveLengths {
/** Secret-key length in bytes. */
secretKey?: number;
/** Compressed public-key length in bytes. */
publicKey?: number;
/** Uncompressed public-key length in bytes. */
publicKeyUncompressed?: number;
/** Whether public-key encodings include a format prefix byte. */
publicKeyHasPrefix?: boolean;
/** Signature length in bytes. */
signature?: number;
/** Seed length in bytes when the curve exposes deterministic keygen from seed. */
seed?: number;
}
/** Reorders or otherwise remaps a batch while preserving its element type. */
export type Mapper<T> = (i: T[]) => T[];
/**
* Computes both candidates first, but the final selection still branches on `condition`, so this
* is not a strict constant-time CMOV primitive.
* @param condition - Whether to negate the point.
* @param item - Point-like value.
* @returns Original or negated value.
* @example
* Keep the point or return its negation based on one boolean branch.
*
* ```ts
* import { negateCt } from '@noble/curves/abstract/curve.js';
* import { p256 } from '@noble/curves/nist.js';
* const maybeNegated = negateCt(true, p256.Point.BASE);
* ```
*/
export declare function negateCt<T extends {
negate: () => T;
}>(condition: boolean, item: T): T;
/**
* Takes a bunch of Projective Points but executes only one
* inversion on all of them. Inversion is very slow operation,
* so this improves performance massively.
* Optimization: converts a list of projective points to a list of identical points with Z=1.
* Input points are left unchanged; the normalized points are returned as fresh instances.
* @param c - Point constructor.
* @param points - Projective points.
* @returns Fresh projective points reconstructed from normalized affine coordinates.
* @example
* Batch-normalize projective points with a single shared inversion.
*
* ```ts
* import { normalizeZ } from '@noble/curves/abstract/curve.js';
* import { p256 } from '@noble/curves/nist.js';
* const points = normalizeZ(p256.Point, [p256.Point.BASE, p256.Point.BASE.double()]);
* ```
*/
export declare function normalizeZ<P extends CurvePoint<any, P>, PC extends CurvePointCons<P>>(c: PC, points: P[]): P[];
/**
* Elliptic curve multiplication of Point by scalar. Fragile.
* Table generation takes **30MB of ram and 10ms on high-end CPU**,
* but may take much longer on slow devices. Actual generation will happen on
* first call of `multiply()`. By default, `BASE` point is precomputed.
*
* Scalars should always be less than curve order: this should be checked inside of a curve itself.
* Creates precomputation tables for fast multiplication:
* - private scalar is split by fixed size windows of W bits
* - every window point is collected from window's table & added to accumulator
* - since windows are different, same point inside tables won't be accessed more than once per calc
* - each multiplication is 'Math.ceil(CURVE_ORDER / 𝑊) + 1' point additions (fixed for any scalar)
* - +1 window is neccessary for wNAF
* - wNAF reduces table size: 2x less memory + 2x faster generation, but 10% slower multiplication
*
* TODO: research returning a 2d JS array of windows instead of a single window.
* This would allow windows to be in different memory locations.
* @param Point - Point constructor.
* @param bits - Scalar bit length.
* @example
* Elliptic curve multiplication of Point by scalar.
*
* ```ts
* import { wNAF } from '@noble/curves/abstract/curve.js';
* import { p256 } from '@noble/curves/nist.js';
* const ladder = new wNAF(p256.Point, p256.Point.Fn.BITS);
* ```
*/
export declare class wNAF<PC extends PC_ANY> {
private readonly BASE;
private readonly ZERO;
private readonly Fn;
readonly bits: number;
constructor(Point: PC, bits: number);
_unsafeLadder(elm: PC_P<PC>, n: bigint, p?: PC_P<PC>): PC_P<PC>;
/**
* Creates a wNAF precomputation window. Used for caching.
* Default window size is set by `utils.precompute()` and is equal to 8.
* Number of precomputed points depends on the curve size:
* 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
* - 𝑊 is the window size
* - 𝑛 is the bitlength of the curve order.
* For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
* @param point - Point instance
* @param W - window size
* @returns precomputed point tables flattened to a single array
*/
private precomputeWindow;
/**
* Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
* More compact implementation:
* https://github.com/paulmillr/noble-secp256k1/blob/47cb1669b6e506ad66b35fe7d76132ae97465da2/index.ts#L502-L541
* @returns real and fake (for const-time) points
*/
private wNAF;
/**
* Implements unsafe EC multiplication using precomputed tables
* and w-ary non-adjacent form.
* @param acc - accumulator point to add result of multiplication
* @returns point
*/
private wNAFUnsafe;
private getPrecomputes;
cached(point: PC_P<PC>, scalar: bigint, transform?: Mapper<PC_P<PC>>): {
p: PC_P<PC>;
f: PC_P<PC>;
};
unsafe(point: PC_P<PC>, scalar: bigint, transform?: Mapper<PC_P<PC>>, prev?: PC_P<PC>): PC_P<PC>;
createCache(P: PC_P<PC>, W: number): void;
hasCache(elm: PC_P<PC>): boolean;
}
/**
* Endomorphism-specific multiplication for Koblitz curves.
* Cost: 128 dbl, 0-256 adds.
* @param Point - Point constructor.
* @param point - Input point.
* @param k1 - First non-negative absolute scalar chunk.
* @param k2 - Second non-negative absolute scalar chunk.
* @returns Partial multiplication results.
* @example
* Endomorphism-specific multiplication for Koblitz curves.
*
* ```ts
* import { mulEndoUnsafe } from '@noble/curves/abstract/curve.js';
* import { secp256k1 } from '@noble/curves/secp256k1.js';
* const parts = mulEndoUnsafe(secp256k1.Point, secp256k1.Point.BASE, 3n, 5n);
* ```
*/
export declare function mulEndoUnsafe<P extends CurvePoint<any, P>, PC extends CurvePointCons<P>>(Point: PC, point: P, k1: bigint, k2: bigint): {
p1: P;
p2: P;
};
/**
* Pippenger algorithm for multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
* 30x faster vs naive addition on L=4096, 10x faster than precomputes.
* For N=254bit, L=1, it does: 1024 ADD + 254 DBL. For L=5: 1536 ADD + 254 DBL.
* Algorithmically constant-time (for same L), even when 1 point + scalar, or when scalar = 0.
* @param c - Curve Point constructor
* @param points - array of L curve points
* @param scalars - array of L scalars (aka secret keys / bigints)
* @returns MSM result point. Empty input is accepted and returns the identity.
* @throws If the point set, scalar set, or MSM sizing is invalid. {@link Error}
* @example
* Pippenger algorithm for multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
*
* ```ts
* import { pippenger } from '@noble/curves/abstract/curve.js';
* import { p256 } from '@noble/curves/nist.js';
* const point = pippenger(p256.Point, [p256.Point.BASE, p256.Point.BASE.double()], [2n, 3n]);
* ```
*/
export declare function pippenger<P extends CurvePoint<any, P>, PC extends CurvePointCons<P>>(c: PC, points: P[], scalars: bigint[]): P;
/**
* Precomputed multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
* @param c - Curve Point constructor
* @param points - array of L curve points
* @param windowSize - Precompute window size.
* @returns Function which multiplies points with scalars. The closure accepts
* `scalars.length <= points.length`, and omitted trailing scalars are treated as zero.
* @throws If the point set or precompute window is invalid. {@link Error}
* @example
* Precomputed multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
*
* ```ts
* import { precomputeMSMUnsafe } from '@noble/curves/abstract/curve.js';
* import { p256 } from '@noble/curves/nist.js';
* const msm = precomputeMSMUnsafe(p256.Point, [p256.Point.BASE], 4);
* const point = msm([3n]);
* ```
*/
export declare function precomputeMSMUnsafe<P extends CurvePoint<any, P>, PC extends CurvePointCons<P>>(c: PC, points: P[], windowSize: number): (scalars: bigint[]) => P;
/** Minimal curve parameters needed to construct a Weierstrass or Edwards curve. */
export type ValidCurveParams<T> = {
/** Base-field modulus. */
p: bigint;
/** Prime subgroup order. */
n: bigint;
/** Cofactor. */
h: bigint;
/** Curve parameter `a`. */
a: T;
/** Weierstrass curve parameter `b`. */
b?: T;
/** Edwards curve parameter `d`. */
d?: T;
/** Generator x coordinate. */
Gx: T;
/** Generator y coordinate. */
Gy: T;
};
/** Pair of fields used by curve constructors. */
export type FpFn<T> = {
/** Base field used for curve coordinates. */
Fp: IField<T>;
/** Scalar field used for secret scalars and subgroup arithmetic. */
Fn: IField<bigint>;
};
/**
* Validates basic CURVE shape and field membership, then creates fields.
* This does not prove that the generator is on-curve, that subgroup/order data are consistent, or
* that the curve equation itself is otherwise sane.
* @param type - Curve family.
* @param CURVE - Curve parameters.
* @param curveOpts - Optional field overrides:
* - `Fp` (optional): Optional base-field override.
* - `Fn` (optional): Optional scalar-field override.
* @param FpFnLE - Whether field encoding is little-endian.
* @returns Frozen curve parameters and fields.
* @throws If the curve parameters or field overrides are invalid. {@link Error}
* @example
* Build curve fields from raw constants before constructing a curve instance.
*
* ```ts
* const curve = createCurveFields('weierstrass', {
* p: 17n,
* n: 19n,
* h: 1n,
* a: 2n,
* b: 2n,
* Gx: 5n,
* Gy: 1n,
* });
* ```
*/
export declare function createCurveFields<T>(type: 'weierstrass' | 'edwards', CURVE: ValidCurveParams<T>, curveOpts?: TArg<Partial<FpFn<T>>>, FpFnLE?: boolean): TRet<FpFn<T> & {
CURVE: ValidCurveParams<T>;
}>;
type KeygenFn = (seed?: Uint8Array, isCompressed?: boolean) => {
secretKey: Uint8Array;
publicKey: Uint8Array;
};
/**
* @param randomSecretKey - Secret-key generator.
* @param getPublicKey - Public-key derivation helper.
* @returns Keypair generator.
* @example
* Build a `keygen()` helper from existing secret-key and public-key primitives.
*
* ```ts
* import { createKeygen } from '@noble/curves/abstract/curve.js';
* import { p256 } from '@noble/curves/nist.js';
* const keygen = createKeygen(p256.utils.randomSecretKey, p256.getPublicKey);
* const pair = keygen();
* ```
*/
export declare function createKeygen(randomSecretKey: Function, getPublicKey: TArg<Signer['getPublicKey']>): TRet<KeygenFn>;
export {};
//# sourceMappingURL=curve.d.ts.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/curve.d.ts.map
Generated Vendored
+1
View File
File diff suppressed because one or more lines are too long
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/curve.js
Generated Vendored
+611
View File
@@ -0,0 +1,611 @@
/**
* Methods for elliptic curve multiplication by scalars.
* Contains wNAF, pippenger.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { bitLen, bitMask, validateObject } from "../utils.js";
import { Field, FpInvertBatch, validateField } from "./modular.js";
const _0n = /* @__PURE__ */ BigInt(0);
const _1n = /* @__PURE__ */ BigInt(1);
/**
* Validates the static surface of a point constructor.
* This is only a cheap sanity check for the constructor hooks and fields consumed by generic
* factories; it does not certify `BASE`/`ZERO` semantics or prove the curve implementation itself.
* @param Point - Runtime point constructor.
* @throws On missing constructor hooks or malformed field metadata. {@link TypeError}
* @example
* Check that one point constructor exposes the static hooks generic helpers need.
*
* ```ts
* import { ed25519 } from '@noble/curves/ed25519.js';
* import { validatePointCons } from '@noble/curves/abstract/curve.js';
* validatePointCons(ed25519.Point);
* ```
*/
export function validatePointCons(Point) {
const pc = Point;
if (typeof pc !== 'function')
throw new TypeError('Point must be a constructor');
// validateObject only accepts plain objects, so copy the constructor statics into one bag first.
validateObject({
Fp: pc.Fp,
Fn: pc.Fn,
fromAffine: pc.fromAffine,
fromBytes: pc.fromBytes,
fromHex: pc.fromHex,
}, {
Fp: 'object',
Fn: 'object',
fromAffine: 'function',
fromBytes: 'function',
fromHex: 'function',
});
validateField(pc.Fp);
validateField(pc.Fn);
}
/**
* Computes both candidates first, but the final selection still branches on `condition`, so this
* is not a strict constant-time CMOV primitive.
* @param condition - Whether to negate the point.
* @param item - Point-like value.
* @returns Original or negated value.
* @example
* Keep the point or return its negation based on one boolean branch.
*
* ```ts
* import { negateCt } from '@noble/curves/abstract/curve.js';
* import { p256 } from '@noble/curves/nist.js';
* const maybeNegated = negateCt(true, p256.Point.BASE);
* ```
*/
export function negateCt(condition, item) {
const neg = item.negate();
return condition ? neg : item;
}
/**
* Takes a bunch of Projective Points but executes only one
* inversion on all of them. Inversion is very slow operation,
* so this improves performance massively.
* Optimization: converts a list of projective points to a list of identical points with Z=1.
* Input points are left unchanged; the normalized points are returned as fresh instances.
* @param c - Point constructor.
* @param points - Projective points.
* @returns Fresh projective points reconstructed from normalized affine coordinates.
* @example
* Batch-normalize projective points with a single shared inversion.
*
* ```ts
* import { normalizeZ } from '@noble/curves/abstract/curve.js';
* import { p256 } from '@noble/curves/nist.js';
* const points = normalizeZ(p256.Point, [p256.Point.BASE, p256.Point.BASE.double()]);
* ```
*/
export function normalizeZ(c, points) {
const invertedZs = FpInvertBatch(c.Fp, points.map((p) => p.Z));
return points.map((p, i) => c.fromAffine(p.toAffine(invertedZs[i])));
}
function validateW(W, bits) {
if (!Number.isSafeInteger(W) || W <= 0 || W > bits)
throw new Error('invalid window size, expected [1..' + bits + '], got W=' + W);
}
function calcWOpts(W, scalarBits) {
validateW(W, scalarBits);
const windows = Math.ceil(scalarBits / W) + 1; // W=8 33. Not 32, because we skip zero
const windowSize = 2 ** (W - 1); // W=8 128. Not 256, because we skip zero
const maxNumber = 2 ** W; // W=8 256
const mask = bitMask(W); // W=8 255 == mask 0b11111111
const shiftBy = BigInt(W); // W=8 8
return { windows, windowSize, mask, maxNumber, shiftBy };
}
function calcOffsets(n, window, wOpts) {
const { windowSize, mask, maxNumber, shiftBy } = wOpts;
let wbits = Number(n & mask); // extract W bits.
let nextN = n >> shiftBy; // shift number by W bits.
// What actually happens here:
// const highestBit = Number(mask ^ (mask >> 1n));
// let wbits2 = wbits - 1; // skip zero
// if (wbits2 & highestBit) { wbits2 ^= Number(mask); // (~);
// split if bits > max: +224 => 256-32
if (wbits > windowSize) {
// we skip zero, which means instead of `>= size-1`, we do `> size`
wbits -= maxNumber; // -32, can be maxNumber - wbits, but then we need to set isNeg here.
nextN += _1n; // +256 (carry)
}
const offsetStart = window * windowSize;
const offset = offsetStart + Math.abs(wbits) - 1; // -1 because we skip zero; ignore when isZero
const isZero = wbits === 0; // is current window slice a 0?
const isNeg = wbits < 0; // is current window slice negative?
const isNegF = window % 2 !== 0; // fake branch noise only
const offsetF = offsetStart; // fake branch noise only
return { nextN, offset, isZero, isNeg, isNegF, offsetF };
}
function validateMSMPoints(points, c) {
if (!Array.isArray(points))
throw new Error('array expected');
points.forEach((p, i) => {
if (!(p instanceof c))
throw new Error('invalid point at index ' + i);
});
}
function validateMSMScalars(scalars, field) {
if (!Array.isArray(scalars))
throw new Error('array of scalars expected');
scalars.forEach((s, i) => {
if (!field.isValid(s))
throw new Error('invalid scalar at index ' + i);
});
}
// Since points in different groups cannot be equal (different object constructor),
// we can have single place to store precomputes.
// Allows to make points frozen / immutable.
const pointPrecomputes = new WeakMap();
const pointWindowSizes = new WeakMap();
function getW(P) {
// To disable precomputes:
// return 1;
// `1` is also the uncached sentinel: use the ladder / non-precomputed path.
return pointWindowSizes.get(P) || 1;
}
function assert0(n) {
// Internal invariant: a non-zero remainder here means the wNAF window decomposition or loop
// count is inconsistent, not that the original caller provided a bad scalar.
if (n !== _0n)
throw new Error('invalid wNAF');
}
/**
* Elliptic curve multiplication of Point by scalar. Fragile.
* Table generation takes **30MB of ram and 10ms on high-end CPU**,
* but may take much longer on slow devices. Actual generation will happen on
* first call of `multiply()`. By default, `BASE` point is precomputed.
*
* Scalars should always be less than curve order: this should be checked inside of a curve itself.
* Creates precomputation tables for fast multiplication:
* - private scalar is split by fixed size windows of W bits
* - every window point is collected from window's table & added to accumulator
* - since windows are different, same point inside tables won't be accessed more than once per calc
* - each multiplication is 'Math.ceil(CURVE_ORDER / 𝑊) + 1' point additions (fixed for any scalar)
* - +1 window is neccessary for wNAF
* - wNAF reduces table size: 2x less memory + 2x faster generation, but 10% slower multiplication
*
* TODO: research returning a 2d JS array of windows instead of a single window.
* This would allow windows to be in different memory locations.
* @param Point - Point constructor.
* @param bits - Scalar bit length.
* @example
* Elliptic curve multiplication of Point by scalar.
*
* ```ts
* import { wNAF } from '@noble/curves/abstract/curve.js';
* import { p256 } from '@noble/curves/nist.js';
* const ladder = new wNAF(p256.Point, p256.Point.Fn.BITS);
* ```
*/
export class wNAF {
BASE;
ZERO;
Fn;
bits;
// Parametrized with a given Point class (not individual point)
constructor(Point, bits) {
this.BASE = Point.BASE;
this.ZERO = Point.ZERO;
this.Fn = Point.Fn;
this.bits = bits;
}
// non-const time multiplication ladder
_unsafeLadder(elm, n, p = this.ZERO) {
let d = elm;
while (n > _0n) {
if (n & _1n)
p = p.add(d);
d = d.double();
n >>= _1n;
}
return p;
}
/**
* Creates a wNAF precomputation window. Used for caching.
* Default window size is set by `utils.precompute()` and is equal to 8.
* Number of precomputed points depends on the curve size:
* 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
* - 𝑊 is the window size
* - 𝑛 is the bitlength of the curve order.
* For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
* @param point - Point instance
* @param W - window size
* @returns precomputed point tables flattened to a single array
*/
precomputeWindow(point, W) {
const { windows, windowSize } = calcWOpts(W, this.bits);
const points = [];
let p = point;
let base = p;
for (let window = 0; window < windows; window++) {
base = p;
points.push(base);
// i=1, bc we skip 0
for (let i = 1; i < windowSize; i++) {
base = base.add(p);
points.push(base);
}
p = base.double();
}
return points;
}
/**
* Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
* More compact implementation:
* https://github.com/paulmillr/noble-secp256k1/blob/47cb1669b6e506ad66b35fe7d76132ae97465da2/index.ts#L502-L541
* @returns real and fake (for const-time) points
*/
wNAF(W, precomputes, n) {
// Scalar should be smaller than field order
if (!this.Fn.isValid(n))
throw new Error('invalid scalar');
// Accumulators
let p = this.ZERO;
let f = this.BASE;
// This code was first written with assumption that 'f' and 'p' will never be infinity point:
// since each addition is multiplied by 2 ** W, it cannot cancel each other. However,
// there is negate now: it is possible that negated element from low value
// would be the same as high element, which will create carry into next window.
// It's not obvious how this can fail, but still worth investigating later.
const wo = calcWOpts(W, this.bits);
for (let window = 0; window < wo.windows; window++) {
// (n === _0n) is handled and not early-exited. isEven and offsetF are used for noise
const { nextN, offset, isZero, isNeg, isNegF, offsetF } = calcOffsets(n, window, wo);
n = nextN;
if (isZero) {
// bits are 0: add garbage to fake point
// Important part for const-time getPublicKey: add random "noise" point to f.
f = f.add(negateCt(isNegF, precomputes[offsetF]));
}
else {
// bits are 1: add to result point
p = p.add(negateCt(isNeg, precomputes[offset]));
}
}
assert0(n);
// Return both real and fake points so JIT keeps the noise path alive.
// Known caveat: negate/carry interactions can still drive `f` to infinity even when `p` is not,
// which weakens the noise path and leaves this only "less const-time" by about one bigint mul.
return { p, f };
}
/**
* Implements unsafe EC multiplication using precomputed tables
* and w-ary non-adjacent form.
* @param acc - accumulator point to add result of multiplication
* @returns point
*/
wNAFUnsafe(W, precomputes, n, acc = this.ZERO) {
const wo = calcWOpts(W, this.bits);
for (let window = 0; window < wo.windows; window++) {
if (n === _0n)
break; // Early-exit, skip 0 value
const { nextN, offset, isZero, isNeg } = calcOffsets(n, window, wo);
n = nextN;
if (isZero) {
// Window bits are 0: skip processing.
// Move to next window.
continue;
}
else {
const item = precomputes[offset];
acc = acc.add(isNeg ? item.negate() : item); // Re-using acc allows to save adds in MSM
}
}
assert0(n);
return acc;
}
getPrecomputes(W, point, transform) {
// Cache key is only point identity plus the remembered window size; callers must not reuse the
// same point with incompatible `transform(...)` layouts and expect a separate cache entry.
let comp = pointPrecomputes.get(point);
if (!comp) {
comp = this.precomputeWindow(point, W);
if (W !== 1) {
// Doing transform outside of if brings 15% perf hit
if (typeof transform === 'function')
comp = transform(comp);
pointPrecomputes.set(point, comp);
}
}
return comp;
}
cached(point, scalar, transform) {
const W = getW(point);
return this.wNAF(W, this.getPrecomputes(W, point, transform), scalar);
}
unsafe(point, scalar, transform, prev) {
const W = getW(point);
if (W === 1)
return this._unsafeLadder(point, scalar, prev); // For W=1 ladder is ~x2 faster
return this.wNAFUnsafe(W, this.getPrecomputes(W, point, transform), scalar, prev);
}
// We calculate precomputes for elliptic curve point multiplication
// using windowed method. This specifies window size and
// stores precomputed values. Usually only base point would be precomputed.
createCache(P, W) {
validateW(W, this.bits);
pointWindowSizes.set(P, W);
pointPrecomputes.delete(P);
}
hasCache(elm) {
return getW(elm) !== 1;
}
}
/**
* Endomorphism-specific multiplication for Koblitz curves.
* Cost: 128 dbl, 0-256 adds.
* @param Point - Point constructor.
* @param point - Input point.
* @param k1 - First non-negative absolute scalar chunk.
* @param k2 - Second non-negative absolute scalar chunk.
* @returns Partial multiplication results.
* @example
* Endomorphism-specific multiplication for Koblitz curves.
*
* ```ts
* import { mulEndoUnsafe } from '@noble/curves/abstract/curve.js';
* import { secp256k1 } from '@noble/curves/secp256k1.js';
* const parts = mulEndoUnsafe(secp256k1.Point, secp256k1.Point.BASE, 3n, 5n);
* ```
*/
export function mulEndoUnsafe(Point, point, k1, k2) {
let acc = point;
let p1 = Point.ZERO;
let p2 = Point.ZERO;
while (k1 > _0n || k2 > _0n) {
if (k1 & _1n)
p1 = p1.add(acc);
if (k2 & _1n)
p2 = p2.add(acc);
acc = acc.double();
k1 >>= _1n;
k2 >>= _1n;
}
return { p1, p2 };
}
/**
* Pippenger algorithm for multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
* 30x faster vs naive addition on L=4096, 10x faster than precomputes.
* For N=254bit, L=1, it does: 1024 ADD + 254 DBL. For L=5: 1536 ADD + 254 DBL.
* Algorithmically constant-time (for same L), even when 1 point + scalar, or when scalar = 0.
* @param c - Curve Point constructor
* @param points - array of L curve points
* @param scalars - array of L scalars (aka secret keys / bigints)
* @returns MSM result point. Empty input is accepted and returns the identity.
* @throws If the point set, scalar set, or MSM sizing is invalid. {@link Error}
* @example
* Pippenger algorithm for multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
*
* ```ts
* import { pippenger } from '@noble/curves/abstract/curve.js';
* import { p256 } from '@noble/curves/nist.js';
* const point = pippenger(p256.Point, [p256.Point.BASE, p256.Point.BASE.double()], [2n, 3n]);
* ```
*/
export function pippenger(c, points, scalars) {
// If we split scalars by some window (let's say 8 bits), every chunk will only
// take 256 buckets even if there are 4096 scalars, also re-uses double.
// TODO:
// - https://eprint.iacr.org/2024/750.pdf
// - https://tches.iacr.org/index.php/TCHES/article/view/10287
// 0 is accepted in scalars
const fieldN = c.Fn;
validateMSMPoints(points, c);
validateMSMScalars(scalars, fieldN);
const plength = points.length;
const slength = scalars.length;
if (plength !== slength)
throw new Error('arrays of points and scalars must have equal length');
// if (plength === 0) throw new Error('array must be of length >= 2');
const zero = c.ZERO;
const wbits = bitLen(BigInt(plength));
let windowSize = 1; // bits
if (wbits > 12)
windowSize = wbits - 3;
else if (wbits > 4)
windowSize = wbits - 2;
else if (wbits > 0)
windowSize = 2;
const MASK = bitMask(windowSize);
const buckets = new Array(Number(MASK) + 1).fill(zero); // +1 for zero array
const lastBits = Math.floor((fieldN.BITS - 1) / windowSize) * windowSize;
let sum = zero;
for (let i = lastBits; i >= 0; i -= windowSize) {
buckets.fill(zero);
for (let j = 0; j < slength; j++) {
const scalar = scalars[j];
const wbits = Number((scalar >> BigInt(i)) & MASK);
buckets[wbits] = buckets[wbits].add(points[j]);
}
let resI = zero; // not using this will do small speed-up, but will lose ct
// Skip first bucket, because it is zero
for (let j = buckets.length - 1, sumI = zero; j > 0; j--) {
sumI = sumI.add(buckets[j]);
resI = resI.add(sumI);
}
sum = sum.add(resI);
if (i !== 0)
for (let j = 0; j < windowSize; j++)
sum = sum.double();
}
return sum;
}
/**
* Precomputed multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
* @param c - Curve Point constructor
* @param points - array of L curve points
* @param windowSize - Precompute window size.
* @returns Function which multiplies points with scalars. The closure accepts
* `scalars.length <= points.length`, and omitted trailing scalars are treated as zero.
* @throws If the point set or precompute window is invalid. {@link Error}
* @example
* Precomputed multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
*
* ```ts
* import { precomputeMSMUnsafe } from '@noble/curves/abstract/curve.js';
* import { p256 } from '@noble/curves/nist.js';
* const msm = precomputeMSMUnsafe(p256.Point, [p256.Point.BASE], 4);
* const point = msm([3n]);
* ```
*/
export function precomputeMSMUnsafe(c, points, windowSize) {
/**
* Performance Analysis of Window-based Precomputation
*
* Base Case (256-bit scalar, 8-bit window):
* - Standard precomputation requires:
* - 31 additions per scalar × 256 scalars = 7,936 ops
* - Plus 255 summary additions = 8,191 total ops
* Note: Summary additions can be optimized via accumulator
*
* Chunked Precomputation Analysis:
* - Using 32 chunks requires:
* - 255 additions per chunk
* - 256 doublings
* - Total: (255 × 32) + 256 = 8,416 ops
*
* Memory Usage Comparison:
* Window Size | Standard Points | Chunked Points
* ------------|-----------------|---------------
* 4-bit | 520 | 15
* 8-bit | 4,224 | 255
* 10-bit | 13,824 | 1,023
* 16-bit | 557,056 | 65,535
*
* Key Advantages:
* 1. Enables larger window sizes due to reduced memory overhead
* 2. More efficient for smaller scalar counts:
* - 16 chunks: (16 × 255) + 256 = 4,336 ops
* - ~2x faster than standard 8,191 ops
*
* Limitations:
* - Not suitable for plain precomputes (requires 256 constant doublings)
* - Performance degrades with larger scalar counts:
* - Optimal for ~256 scalars
* - Less efficient for 4096+ scalars (Pippenger preferred)
*/
const fieldN = c.Fn;
validateW(windowSize, fieldN.BITS);
validateMSMPoints(points, c);
const zero = c.ZERO;
const tableSize = 2 ** windowSize - 1; // table size (without zero)
const chunks = Math.ceil(fieldN.BITS / windowSize); // chunks of item
const MASK = bitMask(windowSize);
const tables = points.map((p) => {
const res = [];
for (let i = 0, acc = p; i < tableSize; i++) {
res.push(acc);
acc = acc.add(p);
}
return res;
});
return (scalars) => {
validateMSMScalars(scalars, fieldN);
if (scalars.length > points.length)
throw new Error('array of scalars must be smaller than array of points');
let res = zero;
for (let i = 0; i < chunks; i++) {
// No need to double if accumulator is still zero.
if (res !== zero)
for (let j = 0; j < windowSize; j++)
res = res.double();
const shiftBy = BigInt(chunks * windowSize - (i + 1) * windowSize);
for (let j = 0; j < scalars.length; j++) {
const n = scalars[j];
const curr = Number((n >> shiftBy) & MASK);
if (!curr)
continue; // skip zero scalars chunks
res = res.add(tables[j][curr - 1]);
}
}
return res;
};
}
function createField(order, field, isLE) {
if (field) {
// Reuse supplied field overrides as-is; `isLE` only affects freshly constructed fallback
// fields, and validateField() below only checks the arithmetic subset, not full byte/cmov
// behavior.
if (field.ORDER !== order)
throw new Error('Field.ORDER must match order: Fp == p, Fn == n');
validateField(field);
return field;
}
else {
return Field(order, { isLE });
}
}
/**
* Validates basic CURVE shape and field membership, then creates fields.
* This does not prove that the generator is on-curve, that subgroup/order data are consistent, or
* that the curve equation itself is otherwise sane.
* @param type - Curve family.
* @param CURVE - Curve parameters.
* @param curveOpts - Optional field overrides:
* - `Fp` (optional): Optional base-field override.
* - `Fn` (optional): Optional scalar-field override.
* @param FpFnLE - Whether field encoding is little-endian.
* @returns Frozen curve parameters and fields.
* @throws If the curve parameters or field overrides are invalid. {@link Error}
* @example
* Build curve fields from raw constants before constructing a curve instance.
*
* ```ts
* const curve = createCurveFields('weierstrass', {
* p: 17n,
* n: 19n,
* h: 1n,
* a: 2n,
* b: 2n,
* Gx: 5n,
* Gy: 1n,
* });
* ```
*/
export function createCurveFields(type, CURVE, curveOpts = {}, FpFnLE) {
if (FpFnLE === undefined)
FpFnLE = type === 'edwards';
if (!CURVE || typeof CURVE !== 'object')
throw new Error(`expected valid ${type} CURVE object`);
for (const p of ['p', 'n', 'h']) {
const val = CURVE[p];
if (!(typeof val === 'bigint' && val > _0n))
throw new Error(`CURVE.${p} must be positive bigint`);
}
const Fp = createField(CURVE.p, curveOpts.Fp, FpFnLE);
const Fn = createField(CURVE.n, curveOpts.Fn, FpFnLE);
const _b = type === 'weierstrass' ? 'b' : 'd';
const params = ['Gx', 'Gy', 'a', _b];
for (const p of params) {
// @ts-ignore
if (!Fp.isValid(CURVE[p]))
throw new Error(`CURVE.${p} must be valid field element of CURVE.Fp`);
}
CURVE = Object.freeze(Object.assign({}, CURVE));
return { CURVE, Fp, Fn };
}
/**
* @param randomSecretKey - Secret-key generator.
* @param getPublicKey - Public-key derivation helper.
* @returns Keypair generator.
* @example
* Build a `keygen()` helper from existing secret-key and public-key primitives.
*
* ```ts
* import { createKeygen } from '@noble/curves/abstract/curve.js';
* import { p256 } from '@noble/curves/nist.js';
* const keygen = createKeygen(p256.utils.randomSecretKey, p256.getPublicKey);
* const pair = keygen();
* ```
*/
export function createKeygen(randomSecretKey, getPublicKey) {
return function keygen(seed) {
const secretKey = randomSecretKey(seed);
return { secretKey, publicKey: getPublicKey(secretKey) };
};
}
//# sourceMappingURL=curve.js.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/curve.js.map
Generated Vendored
+1
View File
File diff suppressed because one or more lines are too long
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/edwards.d.ts
Generated Vendored
+320
View File
@@ -0,0 +1,320 @@
/**
* Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y².
* For design rationale of types / exports, see weierstrass module documentation.
* Untwisted Edwards curves exist, but they aren't used in real-world protocols.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { type FHash, type TArg, type TRet } from '../utils.ts';
import { type AffinePoint, type CurveLengths, type CurvePoint, type CurvePointCons } from './curve.ts';
import { type IField } from './modular.ts';
/** Extended Edwards point with X/Y/Z/T coordinates. */
export interface EdwardsPoint extends CurvePoint<bigint, EdwardsPoint> {
/** extended X coordinate. Different from affine x. */
readonly X: bigint;
/** extended Y coordinate. Different from affine y. */
readonly Y: bigint;
/** extended Z coordinate */
readonly Z: bigint;
/** extended T coordinate */
readonly T: bigint;
}
/** Constructor and decoding helpers for extended Edwards points. */
export interface EdwardsPointCons extends CurvePointCons<EdwardsPoint> {
/** Create a point from extended X/Y/Z/T coordinates without validation. */
new (X: bigint, Y: bigint, Z: bigint, T: bigint): EdwardsPoint;
/**
* Return the curve parameters used by this point constructor.
* @returns Curve parameters.
*/
CURVE(): EdwardsOpts;
/**
* Decode a point from bytes, optionally using ZIP-215 rules.
* @param bytes - Encoded point bytes.
* @param zip215 - Whether to accept ZIP-215 encodings.
* @returns Decoded Edwards point.
*/
fromBytes(bytes: Uint8Array, zip215?: boolean): EdwardsPoint;
/**
* Decode a point from hex, optionally using ZIP-215 rules.
* @param hex - Encoded point hex.
* @param zip215 - Whether to accept ZIP-215 encodings.
* @returns Decoded Edwards point.
*/
fromHex(hex: string, zip215?: boolean): EdwardsPoint;
}
/**
* Twisted Edwards curve options.
*
* * a: formula param
* * d: formula param
* * p: prime characteristic (order) of finite field, in which arithmetics is done
* * n: order of prime subgroup a.k.a total amount of valid curve points
* * h: cofactor. h*n is group order; n is subgroup order
* * Gx: x coordinate of generator point a.k.a. base point
* * Gy: y coordinate of generator point
*/
export type EdwardsOpts = Readonly<{
/** Base-field modulus. */
p: bigint;
/** Prime subgroup order. */
n: bigint;
/** Curve cofactor. */
h: bigint;
/** Edwards curve parameter `a`. */
a: bigint;
/** Edwards curve parameter `d`. */
d: bigint;
/** Generator x coordinate. */
Gx: bigint;
/** Generator y coordinate. */
Gy: bigint;
}>;
/**
* Extra curve options for Twisted Edwards.
*
* * Fp: redefined Field over curve.p
* * Fn: redefined Field over curve.n
* * uvRatio: helper function for decompression, calculating √(u/v)
*/
export type EdwardsExtraOpts = Partial<{
/** Optional base-field override. */
Fp: IField<bigint>;
/** Optional scalar-field override. */
Fn: IField<bigint>;
/** Whether field encodings are little-endian. */
FpFnLE: boolean;
/** Square-root ratio helper used during point decompression. */
uvRatio: (u: bigint, v: bigint) => {
isValid: boolean;
value: bigint;
};
}>;
/**
* EdDSA (Edwards Digital Signature algorithm) options.
*
* * hash: hash function used to hash secret keys and messages
* * adjustScalarBytes: clears bits to get valid field element
* * domain: Used for hashing
* * mapToCurve: for hash-to-curve standard
* * prehash: RFC 8032 pre-hashing of messages to sign() / verify()
* * randomBytes: function generating random bytes, used for randomSecretKey
*/
export type EdDSAOpts = Partial<{
/** Clamp or otherwise normalize secret-scalar bytes before reducing mod `n`. */
adjustScalarBytes: (bytes: TArg<Uint8Array>) => TRet<Uint8Array>;
/** Domain-separation helper for contexts and prehash mode. */
domain: (data: TArg<Uint8Array>, ctx: TArg<Uint8Array>, phflag: boolean) => TRet<Uint8Array>;
/** Optional hash-to-curve mapper for protocols like Ristretto hash-to-group. */
mapToCurve: (scalar: bigint[]) => AffinePoint<bigint>;
/** Optional prehash function used before signing or verifying messages. */
prehash: FHash;
/** Default verification decoding policy. ZIP-215 is more permissive than RFC 8032 / NIST. */
zip215: boolean;
/** RNG override used by helper constructors. */
randomBytes: (bytesLength?: number) => TRet<Uint8Array>;
}>;
/**
* EdDSA (Edwards Digital Signature algorithm) helper namespace.
* Allows creating and verifying signatures, and deriving public keys.
*/
export interface EdDSA {
/**
* Generate a secret/public key pair.
* @param seed - Optional seed material.
* @returns Secret/public key pair.
*/
keygen: (seed?: TArg<Uint8Array>) => {
secretKey: TRet<Uint8Array>;
publicKey: TRet<Uint8Array>;
};
/**
* Derive the public key from a secret key.
* @param secretKey - Secret key bytes.
* @returns Encoded public key.
*/
getPublicKey: (secretKey: TArg<Uint8Array>) => TRet<Uint8Array>;
/**
* Sign a message with an EdDSA secret key.
* @param message - Message bytes.
* @param secretKey - Secret key bytes.
* @param options - Optional signature tweaks:
* - `context` (optional): Domain-separation context for Ed25519ctx/Ed448.
* @returns Encoded signature bytes.
*/
sign: (message: TArg<Uint8Array>, secretKey: TArg<Uint8Array>, options?: TArg<{
context?: Uint8Array;
}>) => TRet<Uint8Array>;
/**
* Verify a signature against a message and public key.
* @param sig - Encoded signature bytes.
* @param message - Message bytes.
* @param publicKey - Encoded public key.
* @param options - Optional verification tweaks:
* - `context` (optional): Domain-separation context for Ed25519ctx/Ed448.
* - `zip215` (optional): Whether to accept ZIP-215 encodings.
* @returns Whether the signature is valid.
*/
verify: (sig: TArg<Uint8Array>, message: TArg<Uint8Array>, publicKey: TArg<Uint8Array>, options?: TArg<{
context?: Uint8Array;
zip215?: boolean;
}>) => boolean;
/** Point constructor used by this signature scheme. */
Point: EdwardsPointCons;
/** Helper utilities for key validation and Montgomery conversion. */
utils: {
/**
* Generate a valid random secret key.
* Optional seed bytes are only length-checked and returned unchanged.
*/
randomSecretKey: (seed?: TArg<Uint8Array>) => TRet<Uint8Array>;
/** Check whether a secret key has the expected encoding. */
isValidSecretKey: (secretKey: TArg<Uint8Array>) => boolean;
/** Check whether a public key decodes to a valid point. */
isValidPublicKey: (publicKey: TArg<Uint8Array>, zip215?: boolean) => boolean;
/**
* Converts ed public key to x public key.
*
* There is NO `fromMontgomery`:
* - There are 2 valid ed25519 points for every x25519, with flipped coordinate
* - Sometimes there are 0 valid ed25519 points, because x25519 *additionally*
* accepts inputs on the quadratic twist, which can't be moved to ed25519
*
* @example
* Converts ed public key to x public key.
*
* ```js
* const someonesPub_ed = ed25519.getPublicKey(ed25519.utils.randomSecretKey());
* const someonesPub = ed25519.utils.toMontgomery(someonesPub);
* const aPriv = x25519.utils.randomSecretKey();
* const shared = x25519.getSharedSecret(aPriv, someonesPub)
* ```
*/
toMontgomery: (publicKey: TArg<Uint8Array>) => TRet<Uint8Array>;
/**
* Converts ed secret key to x secret key.
* @example
* Converts ed secret key to x secret key.
*
* ```js
* const someonesPub = x25519.getPublicKey(x25519.utils.randomSecretKey());
* const aPriv_ed = ed25519.utils.randomSecretKey();
* const aPriv = ed25519.utils.toMontgomerySecret(aPriv_ed);
* const shared = x25519.getSharedSecret(aPriv, someonesPub)
* ```
*/
toMontgomerySecret: (secretKey: TArg<Uint8Array>) => TRet<Uint8Array>;
/** Return the expanded private key components used by RFC8032 signing. */
getExtendedPublicKey: (key: TArg<Uint8Array>) => {
head: TRet<Uint8Array>;
prefix: TRet<Uint8Array>;
scalar: bigint;
point: EdwardsPoint;
pointBytes: TRet<Uint8Array>;
};
};
/** Byte lengths for keys and signatures exposed by this scheme. */
lengths: CurveLengths;
}
/**
* @param params - Curve parameters. See {@link EdwardsOpts}.
* @param extraOpts - Optional helpers and overrides. See {@link EdwardsExtraOpts}.
* @returns Edwards point constructor. Generator validation here only checks
* that `(Gx, Gy)` satisfies the affine Edwards equation.
* RFC 8032 base-point constraints like `B != (0,1)` and `[L]B = 0`
* are left to the caller's chosen parameters, since eager subgroup
* validation here adds about 10-15ms to heavyweight imports like ed448.
* The returned constructor also eagerly marks `Point.BASE` for W=8
* precompute caching. Some code paths still assume
* `Fp.BYTES === Fn.BYTES`, so mismatched byte lengths are not fully audited here.
* @throws If the curve parameters or Edwards overrides are invalid. {@link Error}
* @example
* ```ts
* import { edwards } from '@noble/curves/abstract/edwards.js';
* import { jubjub } from '@noble/curves/misc.js';
* // Build a point constructor from explicit curve parameters, then use its base point.
* const Point = edwards(jubjub.Point.CURVE());
* Point.BASE.toHex();
* ```
*/
export declare function edwards(params: TArg<EdwardsOpts>, extraOpts?: TArg<EdwardsExtraOpts>): EdwardsPointCons;
/**
* Base class for prime-order points like Ristretto255 and Decaf448.
* These points eliminate cofactor issues by representing equivalence classes
* of Edwards curve points. Multiple Edwards representatives can describe the
* same abstract wrapper element, so wrapper validity is not the same thing as
* the hidden representative being torsion-free.
* @param ep - Backing Edwards point.
* @example
* Base class for prime-order points like Ristretto255 and Decaf448.
*
* ```ts
* import { ristretto255 } from '@noble/curves/ed25519.js';
* const point = ristretto255.Point.BASE.multiply(2n);
* ```
*/
export declare abstract class PrimeEdwardsPoint<T extends PrimeEdwardsPoint<T>> implements CurvePoint<bigint, T> {
static BASE: PrimeEdwardsPoint<any>;
static ZERO: PrimeEdwardsPoint<any>;
static Fp: IField<bigint>;
static Fn: IField<bigint>;
protected readonly ep: EdwardsPoint;
/**
* Wrap one internal Edwards representative directly.
* This is not a canonical encoding boundary: alternate Edwards
* representatives may still describe the same abstract wrapper element.
*/
constructor(ep: EdwardsPoint);
abstract toBytes(): Uint8Array;
abstract equals(other: T): boolean;
static fromBytes(_bytes: Uint8Array): any;
static fromHex(_hex: string): any;
get x(): bigint;
get y(): bigint;
clearCofactor(): T;
assertValidity(): void;
/**
* Return affine coordinates of the current internal Edwards representative.
* This is a convenience helper, not a canonical Ristretto/Decaf encoding.
* Equal abstract elements may expose different `x` / `y`; use
* `toBytes()` / `fromBytes()` for canonical roundtrips.
*/
toAffine(invertedZ?: bigint): AffinePoint<bigint>;
toHex(): string;
toString(): string;
isTorsionFree(): boolean;
isSmallOrder(): boolean;
add(other: T): T;
subtract(other: T): T;
multiply(scalar: bigint): T;
multiplyUnsafe(scalar: bigint): T;
double(): T;
negate(): T;
precompute(windowSize?: number, isLazy?: boolean): T;
abstract is0(): boolean;
protected abstract assertSame(other: T): void;
protected abstract init(ep: EdwardsPoint): T;
}
/**
* Initializes EdDSA signatures over given Edwards curve.
* @param Point - Edwards point constructor.
* @param cHash - Hash function.
* @param eddsaOpts - Optional signature helpers. See {@link EdDSAOpts}.
* @returns EdDSA helper namespace.
* @throws If the hash function, options, or derived point operations are invalid. {@link Error}
* @example
* Initializes EdDSA signatures over given Edwards curve.
*
* ```ts
* import { eddsa } from '@noble/curves/abstract/edwards.js';
* import { jubjub } from '@noble/curves/misc.js';
* import { sha512 } from '@noble/hashes/sha2.js';
* const sigs = eddsa(jubjub.Point, sha512);
* const { secretKey, publicKey } = sigs.keygen();
* const msg = new TextEncoder().encode('hello noble');
* const sig = sigs.sign(msg, secretKey);
* const isValid = sigs.verify(sig, msg, publicKey);
* ```
*/
export declare function eddsa(Point: EdwardsPointCons, cHash: TArg<FHash>, eddsaOpts?: TArg<EdDSAOpts>): EdDSA;
//# sourceMappingURL=edwards.d.ts.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/edwards.d.ts.map
Generated Vendored
+1
View File
File diff suppressed because one or more lines are too long
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/edwards.js
Generated Vendored
+693
View File
@@ -0,0 +1,693 @@
/**
* Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y².
* For design rationale of types / exports, see weierstrass module documentation.
* Untwisted Edwards curves exist, but they aren't used in real-world protocols.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { abool, abytes, aInRange, asafenumber, bytesToHex, bytesToNumberLE, concatBytes, copyBytes, hexToBytes, isBytes, notImplemented, validateObject, randomBytes as wcRandomBytes, } from "../utils.js";
import { createCurveFields, createKeygen, normalizeZ, wNAF, } from "./curve.js";
import {} from "./modular.js";
// Be friendly to bad ECMAScript parsers by not using bigint literals
// prettier-ignore
const _0n = /* @__PURE__ */ BigInt(0), _1n = /* @__PURE__ */ BigInt(1), _2n = /* @__PURE__ */ BigInt(2), _8n = /* @__PURE__ */ BigInt(8);
// Affine Edwards-equation check only; this does not prove subgroup membership, canonical
// encoding, prime-order base-point requirements, or identity exclusion.
function isEdValidXY(Fp, CURVE, x, y) {
const x2 = Fp.sqr(x);
const y2 = Fp.sqr(y);
const left = Fp.add(Fp.mul(CURVE.a, x2), y2);
const right = Fp.add(Fp.ONE, Fp.mul(CURVE.d, Fp.mul(x2, y2)));
return Fp.eql(left, right);
}
/**
* @param params - Curve parameters. See {@link EdwardsOpts}.
* @param extraOpts - Optional helpers and overrides. See {@link EdwardsExtraOpts}.
* @returns Edwards point constructor. Generator validation here only checks
* that `(Gx, Gy)` satisfies the affine Edwards equation.
* RFC 8032 base-point constraints like `B != (0,1)` and `[L]B = 0`
* are left to the caller's chosen parameters, since eager subgroup
* validation here adds about 10-15ms to heavyweight imports like ed448.
* The returned constructor also eagerly marks `Point.BASE` for W=8
* precompute caching. Some code paths still assume
* `Fp.BYTES === Fn.BYTES`, so mismatched byte lengths are not fully audited here.
* @throws If the curve parameters or Edwards overrides are invalid. {@link Error}
* @example
* ```ts
* import { edwards } from '@noble/curves/abstract/edwards.js';
* import { jubjub } from '@noble/curves/misc.js';
* // Build a point constructor from explicit curve parameters, then use its base point.
* const Point = edwards(jubjub.Point.CURVE());
* Point.BASE.toHex();
* ```
*/
export function edwards(params, extraOpts = {}) {
const opts = extraOpts;
const validated = createCurveFields('edwards', params, opts, opts.FpFnLE);
const { Fp, Fn } = validated;
let CURVE = validated.CURVE;
const { h: cofactor } = CURVE;
validateObject(opts, {}, { uvRatio: 'function' });
// Important:
// There are some places where Fp.BYTES is used instead of nByteLength.
// So far, everything has been tested with curves of Fp.BYTES == nByteLength.
// TODO: test and find curves which behave otherwise.
const MASK = _2n << (BigInt(Fn.BYTES * 8) - _1n);
const modP = (n) => Fp.create(n); // Function overrides
// sqrt(u/v)
const uvRatio = opts.uvRatio === undefined
? (u, v) => {
try {
return { isValid: true, value: Fp.sqrt(Fp.div(u, v)) };
}
catch (e) {
return { isValid: false, value: _0n };
}
}
: opts.uvRatio;
// Validate whether the passed curve params are valid.
// equation ax² + y² = 1 + dx²y² should work for generator point.
if (!isEdValidXY(Fp, CURVE, CURVE.Gx, CURVE.Gy))
throw new Error('bad curve params: generator point');
/**
* Asserts coordinate is valid: 0 <= n < MASK.
* Coordinates >= Fp.ORDER are allowed for zip215.
*/
function acoord(title, n, banZero = false) {
const min = banZero ? _1n : _0n;
aInRange('coordinate ' + title, n, min, MASK);
return n;
}
function aedpoint(other) {
if (!(other instanceof Point))
throw new Error('EdwardsPoint expected');
}
// Extended Point works in extended coordinates: (X, Y, Z, T) ∋ (x=X/Z, y=Y/Z, T=xy).
// https://en.wikipedia.org/wiki/Twisted_Edwards_curve#Extended_coordinates
class Point {
// base / generator point
static BASE = new Point(CURVE.Gx, CURVE.Gy, _1n, modP(CURVE.Gx * CURVE.Gy));
// zero / infinity / identity point
static ZERO = new Point(_0n, _1n, _1n, _0n); // 0, 1, 1, 0
// math field
static Fp = Fp;
// scalar field
static Fn = Fn;
X;
Y;
Z;
T;
constructor(X, Y, Z, T) {
this.X = acoord('x', X);
this.Y = acoord('y', Y);
this.Z = acoord('z', Z, true);
this.T = acoord('t', T);
Object.freeze(this);
}
static CURVE() {
return CURVE;
}
/**
* Create one extended Edwards point from affine coordinates.
* Does NOT validate that the point is on-curve or torsion-free.
* Use `.assertValidity()` on adversarial inputs.
*/
static fromAffine(p) {
if (p instanceof Point)
throw new Error('extended point not allowed');
const { x, y } = p || {};
acoord('x', x);
acoord('y', y);
return new Point(x, y, _1n, modP(x * y));
}
// Uses algo from RFC8032 5.1.3.
static fromBytes(bytes, zip215 = false) {
const len = Fp.BYTES;
const { a, d } = CURVE;
bytes = copyBytes(abytes(bytes, len, 'point'));
abool(zip215, 'zip215');
const normed = copyBytes(bytes); // copy again, we'll manipulate it
const lastByte = bytes[len - 1]; // select last byte
normed[len - 1] = lastByte & ~0x80; // clear last bit
const y = bytesToNumberLE(normed);
// zip215=true is good for consensus-critical apps. =false follows RFC8032 / NIST186-5.
// RFC8032 prohibits >= p, but ZIP215 doesn't
// zip215=true: 0 <= y < MASK (2^256 for ed25519)
// zip215=false: 0 <= y < P (2^255-19 for ed25519)
const max = zip215 ? MASK : Fp.ORDER;
aInRange('point.y', y, _0n, max);
// Ed25519: x² = (y²-1)/(dy²+1) mod p. Ed448: x² = (y²-1)/(dy²-1) mod p. Generic case:
// ax²+y²=1+dx²y² => y²-1=dx²y²-ax² => y²-1=x²(dy²-a) => x²=(y²-1)/(dy²-a)
const y2 = modP(y * y); // denominator is always non-0 mod p.
const u = modP(y2 - _1n); // u = y² - 1
const v = modP(d * y2 - a); // v = d y² + 1.
let { isValid, value: x } = uvRatio(u, v); // √(u/v)
if (!isValid)
throw new Error('bad point: invalid y coordinate');
const isXOdd = (x & _1n) === _1n; // There are 2 square roots. Use x_0 bit to select proper
const isLastByteOdd = (lastByte & 0x80) !== 0; // x_0, last bit
if (!zip215 && x === _0n && isLastByteOdd)
// if x=0 and x_0 = 1, fail
throw new Error('bad point: x=0 and x_0=1');
if (isLastByteOdd !== isXOdd)
x = modP(-x); // if x_0 != x mod 2, set x = p-x
return Point.fromAffine({ x, y });
}
static fromHex(hex, zip215 = false) {
return Point.fromBytes(hexToBytes(hex), zip215);
}
get x() {
return this.toAffine().x;
}
get y() {
return this.toAffine().y;
}
precompute(windowSize = 8, isLazy = true) {
wnaf.createCache(this, windowSize);
if (!isLazy)
this.multiply(_2n); // random number
return this;
}
// Useful in fromAffine() - not for fromBytes(), which always created valid points.
assertValidity() {
const p = this;
const { a, d } = CURVE;
// Keep generic Edwards validation fail-closed on the neutral point.
// Even though ZERO is algebraically valid and can roundtrip through encodings, higher-level
// callers often reach it only through broken hash/scalar plumbing; rejecting it here avoids
// silently treating that degenerate state as an ordinary public point.
if (p.is0())
throw new Error('bad point: ZERO'); // TODO: optimize, with vars below?
// Equation in affine coordinates: ax² + y² = 1 + dx²y²
// Equation in projective coordinates (X/Z, Y/Z, Z): (aX² + Y²)Z² = Z⁴ + dX²Y²
const { X, Y, Z, T } = p;
const X2 = modP(X * X); // X²
const Y2 = modP(Y * Y); // Y²
const Z2 = modP(Z * Z); // Z²
const Z4 = modP(Z2 * Z2); // Z⁴
const aX2 = modP(X2 * a); // aX²
const left = modP(Z2 * modP(aX2 + Y2)); // (aX² + Y²)Z²
const right = modP(Z4 + modP(d * modP(X2 * Y2))); // Z⁴ + dX²Y²
if (left !== right)
throw new Error('bad point: equation left != right (1)');
// In Extended coordinates we also have T, which is x*y=T/Z: check X*Y == Z*T
const XY = modP(X * Y);
const ZT = modP(Z * T);
if (XY !== ZT)
throw new Error('bad point: equation left != right (2)');
}
// Compare one point to another.
equals(other) {
aedpoint(other);
const { X: X1, Y: Y1, Z: Z1 } = this;
const { X: X2, Y: Y2, Z: Z2 } = other;
const X1Z2 = modP(X1 * Z2);
const X2Z1 = modP(X2 * Z1);
const Y1Z2 = modP(Y1 * Z2);
const Y2Z1 = modP(Y2 * Z1);
return X1Z2 === X2Z1 && Y1Z2 === Y2Z1;
}
is0() {
return this.equals(Point.ZERO);
}
negate() {
// Flips point sign to a negative one (-x, y in affine coords)
return new Point(modP(-this.X), this.Y, this.Z, modP(-this.T));
}
// Fast algo for doubling Extended Point.
// https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#doubling-dbl-2008-hwcd
// Cost: 4M + 4S + 1*a + 6add + 1*2.
double() {
const { a } = CURVE;
const { X: X1, Y: Y1, Z: Z1 } = this;
const A = modP(X1 * X1); // A = X12
const B = modP(Y1 * Y1); // B = Y12
const C = modP(_2n * modP(Z1 * Z1)); // C = 2*Z12
const D = modP(a * A); // D = a*A
const x1y1 = X1 + Y1;
const E = modP(modP(x1y1 * x1y1) - A - B); // E = (X1+Y1)2-A-B
const G = D + B; // G = D+B
const F = G - C; // F = G-C
const H = D - B; // H = D-B
const X3 = modP(E * F); // X3 = E*F
const Y3 = modP(G * H); // Y3 = G*H
const T3 = modP(E * H); // T3 = E*H
const Z3 = modP(F * G); // Z3 = F*G
return new Point(X3, Y3, Z3, T3);
}
// Fast algo for adding 2 Extended Points.
// https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd
// Cost: 9M + 1*a + 1*d + 7add.
add(other) {
aedpoint(other);
const { a, d } = CURVE;
const { X: X1, Y: Y1, Z: Z1, T: T1 } = this;
const { X: X2, Y: Y2, Z: Z2, T: T2 } = other;
const A = modP(X1 * X2); // A = X1*X2
const B = modP(Y1 * Y2); // B = Y1*Y2
const C = modP(T1 * d * T2); // C = T1*d*T2
const D = modP(Z1 * Z2); // D = Z1*Z2
const E = modP((X1 + Y1) * (X2 + Y2) - A - B); // E = (X1+Y1)*(X2+Y2)-A-B
const F = D - C; // F = D-C
const G = D + C; // G = D+C
const H = modP(B - a * A); // H = B-a*A
const X3 = modP(E * F); // X3 = E*F
const Y3 = modP(G * H); // Y3 = G*H
const T3 = modP(E * H); // T3 = E*H
const Z3 = modP(F * G); // Z3 = F*G
return new Point(X3, Y3, Z3, T3);
}
subtract(other) {
// Validate before calling `negate()` so wrong inputs fail with the point guard
// instead of leaking a foreign `negate()` error.
aedpoint(other);
return this.add(other.negate());
}
// Constant-time multiplication.
multiply(scalar) {
// 1 <= scalar < L
// Keep the subgroup-scalar contract strict instead of reducing 0 / n to ZERO.
// In keygen/signing-style callers, those values usually mean broken hash/scalar plumbing,
// and failing closed is safer than silently producing the identity point.
if (!Fn.isValidNot0(scalar))
throw new RangeError('invalid scalar: expected 1 <= sc < curve.n');
const { p, f } = wnaf.cached(this, scalar, (p) => normalizeZ(Point, p));
return normalizeZ(Point, [p, f])[0];
}
// Non-constant-time multiplication. Uses double-and-add algorithm.
// It's faster, but should only be used when you don't care about
// an exposed private key e.g. sig verification.
// Keeps the same subgroup-scalar contract: 0 is allowed for public-scalar callers, but
// n and larger values are rejected instead of being reduced mod n to the identity point.
multiplyUnsafe(scalar) {
// 0 <= scalar < L
if (!Fn.isValid(scalar))
throw new RangeError('invalid scalar: expected 0 <= sc < curve.n');
if (scalar === _0n)
return Point.ZERO;
if (this.is0() || scalar === _1n)
return this;
return wnaf.unsafe(this, scalar, (p) => normalizeZ(Point, p));
}
// Checks if point is of small order.
// If you add something to small order point, you will have "dirty"
// point with torsion component.
// Clears cofactor and checks if the result is 0.
isSmallOrder() {
return this.clearCofactor().is0();
}
// Multiplies point by curve order and checks if the result is 0.
// Returns `false` is the point is dirty.
isTorsionFree() {
return wnaf.unsafe(this, CURVE.n).is0();
}
// Converts Extended point to default (x, y) coordinates.
// Can accept precomputed Z^-1 - for example, from invertBatch.
toAffine(invertedZ) {
const p = this;
let iz = invertedZ;
const { X, Y, Z } = p;
const is0 = p.is0();
if (iz == null)
iz = is0 ? _8n : Fp.inv(Z); // 8 was chosen arbitrarily
const x = modP(X * iz);
const y = modP(Y * iz);
const zz = Fp.mul(Z, iz);
if (is0)
return { x: _0n, y: _1n };
if (zz !== _1n)
throw new Error('invZ was invalid');
return { x, y };
}
clearCofactor() {
if (cofactor === _1n)
return this;
return this.multiplyUnsafe(cofactor);
}
toBytes() {
const { x, y } = this.toAffine();
// Fp.toBytes() allows non-canonical encoding of y (>= p).
const bytes = Fp.toBytes(y);
// Each y has 2 valid points: (x, y), (x,-y).
// When compressing, it's enough to store y and use the last byte to encode sign of x
bytes[bytes.length - 1] |= x & _1n ? 0x80 : 0;
return bytes;
}
toHex() {
return bytesToHex(this.toBytes());
}
toString() {
return `<Point ${this.is0() ? 'ZERO' : this.toHex()}>`;
}
}
const wnaf = new wNAF(Point, Fn.BITS);
// Keep constructor work cheap: subgroup/generator validation belongs to the caller's curve
// parameters, and doing the extra checks here adds about 10-15ms to heavy module imports.
// Callers that construct custom curves are responsible for supplying the correct base point.
// try {
// Point.BASE.assertValidity();
// if (!Point.BASE.isTorsionFree()) throw new Error('bad point: not in prime-order subgroup');
// } catch {
// throw new Error('bad curve params: generator point');
// }
// Tiny toy curves can have scalar fields narrower than 8 bits. Skip the
// eager W=8 cache there instead of rejecting an otherwise valid constructor.
if (Fn.BITS >= 8)
Point.BASE.precompute(8); // Enable precomputes. Slows down first publicKey computation by 20ms.
Object.freeze(Point.prototype);
Object.freeze(Point);
return Point;
}
/**
* Base class for prime-order points like Ristretto255 and Decaf448.
* These points eliminate cofactor issues by representing equivalence classes
* of Edwards curve points. Multiple Edwards representatives can describe the
* same abstract wrapper element, so wrapper validity is not the same thing as
* the hidden representative being torsion-free.
* @param ep - Backing Edwards point.
* @example
* Base class for prime-order points like Ristretto255 and Decaf448.
*
* ```ts
* import { ristretto255 } from '@noble/curves/ed25519.js';
* const point = ristretto255.Point.BASE.multiply(2n);
* ```
*/
export class PrimeEdwardsPoint {
static BASE;
static ZERO;
static Fp;
static Fn;
ep;
/**
* Wrap one internal Edwards representative directly.
* This is not a canonical encoding boundary: alternate Edwards
* representatives may still describe the same abstract wrapper element.
*/
constructor(ep) {
this.ep = ep;
}
// Static methods that must be implemented by subclasses
static fromBytes(_bytes) {
notImplemented();
}
static fromHex(_hex) {
notImplemented();
}
get x() {
return this.toAffine().x;
}
get y() {
return this.toAffine().y;
}
// Common implementations
clearCofactor() {
// no-op for the abstract prime-order wrapper group; this is about the
// wrapper element, not the hidden Edwards representative.
return this;
}
assertValidity() {
// Keep wrapper validity at the abstract-group boundary. Canonical decode
// may choose Edwards representatives that differ by small torsion, so
// checking `this.ep.isTorsionFree()` here would reject valid wrapper points.
this.ep.assertValidity();
}
/**
* Return affine coordinates of the current internal Edwards representative.
* This is a convenience helper, not a canonical Ristretto/Decaf encoding.
* Equal abstract elements may expose different `x` / `y`; use
* `toBytes()` / `fromBytes()` for canonical roundtrips.
*/
toAffine(invertedZ) {
return this.ep.toAffine(invertedZ);
}
toHex() {
return bytesToHex(this.toBytes());
}
toString() {
return this.toHex();
}
isTorsionFree() {
// Abstract Ristretto/Decaf elements are already prime-order even when the
// hidden Edwards representative is not torsion-free.
return true;
}
isSmallOrder() {
return false;
}
add(other) {
this.assertSame(other);
return this.init(this.ep.add(other.ep));
}
subtract(other) {
this.assertSame(other);
return this.init(this.ep.subtract(other.ep));
}
multiply(scalar) {
return this.init(this.ep.multiply(scalar));
}
multiplyUnsafe(scalar) {
return this.init(this.ep.multiplyUnsafe(scalar));
}
double() {
return this.init(this.ep.double());
}
negate() {
return this.init(this.ep.negate());
}
precompute(windowSize, isLazy) {
this.ep.precompute(windowSize, isLazy);
// Keep the wrapper identity stable like the backing Edwards API instead of
// allocating a fresh wrapper around the same cached point.
return this;
}
}
/**
* Initializes EdDSA signatures over given Edwards curve.
* @param Point - Edwards point constructor.
* @param cHash - Hash function.
* @param eddsaOpts - Optional signature helpers. See {@link EdDSAOpts}.
* @returns EdDSA helper namespace.
* @throws If the hash function, options, or derived point operations are invalid. {@link Error}
* @example
* Initializes EdDSA signatures over given Edwards curve.
*
* ```ts
* import { eddsa } from '@noble/curves/abstract/edwards.js';
* import { jubjub } from '@noble/curves/misc.js';
* import { sha512 } from '@noble/hashes/sha2.js';
* const sigs = eddsa(jubjub.Point, sha512);
* const { secretKey, publicKey } = sigs.keygen();
* const msg = new TextEncoder().encode('hello noble');
* const sig = sigs.sign(msg, secretKey);
* const isValid = sigs.verify(sig, msg, publicKey);
* ```
*/
export function eddsa(Point, cHash, eddsaOpts = {}) {
if (typeof cHash !== 'function')
throw new Error('"hash" function param is required');
const hash = cHash;
const opts = eddsaOpts;
validateObject(opts, {}, {
adjustScalarBytes: 'function',
randomBytes: 'function',
domain: 'function',
prehash: 'function',
zip215: 'boolean',
mapToCurve: 'function',
});
const { prehash } = opts;
const { BASE, Fp, Fn } = Point;
const outputLen = hash.outputLen;
const expectedLen = 2 * Fp.BYTES;
// When hash metadata is available, reject incompatible EdDSA wrappers at construction time
// instead of deferring the mismatch until the first keygen/sign call.
if (outputLen !== undefined) {
asafenumber(outputLen, 'hash.outputLen');
if (outputLen !== expectedLen)
throw new Error(`hash.outputLen must be ${expectedLen}, got ${outputLen}`);
}
const randomBytes = opts.randomBytes === undefined ? wcRandomBytes : opts.randomBytes;
const adjustScalarBytes = opts.adjustScalarBytes === undefined
? (bytes) => bytes
: opts.adjustScalarBytes;
const domain = opts.domain === undefined
? (data, ctx, phflag) => {
abool(phflag, 'phflag');
if (ctx.length || phflag)
throw new Error('Contexts/pre-hash are not supported');
return data;
}
: opts.domain; // NOOP
// Parse an EdDSA digest as a little-endian integer and reduce it modulo the scalar field order.
function modN_LE(hash) {
return Fn.create(bytesToNumberLE(hash)); // Not Fn.fromBytes: it has length limit
}
// Get the hashed private scalar per RFC8032 5.1.5
function getPrivateScalar(key) {
const len = lengths.secretKey;
abytes(key, lengths.secretKey, 'secretKey');
// Hash private key with curve's hash function to produce uniformingly random input
// Check byte lengths: ensure(64, h(ensure(32, key)))
const hashed = abytes(hash(key), 2 * len, 'hashedSecretKey');
// Slice before clamping so in-place adjustors don't corrupt the prefix half.
const head = adjustScalarBytes(hashed.slice(0, len)); // clear first half bits, produce FE
const prefix = hashed.slice(len, 2 * len); // second half is called key prefix (5.1.6)
const scalar = modN_LE(head); // The actual private scalar
return { head, prefix, scalar };
}
/** Convenience method that creates public key from scalar. RFC8032 5.1.5
* Also exposes the derived scalar/prefix tuple and point form reused by sign().
*/
function getExtendedPublicKey(secretKey) {
const { head, prefix, scalar } = getPrivateScalar(secretKey);
const point = BASE.multiply(scalar); // Point on Edwards curve aka public key
const pointBytes = point.toBytes();
return { head, prefix, scalar, point, pointBytes };
}
/** Calculates EdDSA pub key. RFC8032 5.1.5. */
function getPublicKey(secretKey) {
return getExtendedPublicKey(secretKey).pointBytes;
}
// Hash domain-separated chunks into a little-endian scalar modulo the group order.
function hashDomainToScalar(context = Uint8Array.of(), ...msgs) {
const msg = concatBytes(...msgs);
return modN_LE(hash(domain(msg, abytes(context, undefined, 'context'), !!prehash)));
}
/** Signs message with secret key. RFC8032 5.1.6 */
function sign(msg, secretKey, options = {}) {
msg = abytes(msg, undefined, 'message');
if (prehash)
msg = prehash(msg); // for ed25519ph etc.
const { prefix, scalar, pointBytes } = getExtendedPublicKey(secretKey);
const r = hashDomainToScalar(options.context, prefix, msg); // r = dom2(F, C) || prefix || PH(M)
// RFC 8032 5.1.6 allows r mod L = 0, and SUPERCOP ref10 accepts the resulting identity-point
// signature.
// We intentionally keep the safe multiply() rejection here so a miswired all-zero hash provider
// fails loudly instead of silently producing a degenerate signature.
const R = BASE.multiply(r).toBytes(); // R = rG
const k = hashDomainToScalar(options.context, R, pointBytes, msg); // R || A || PH(M)
const s = Fn.create(r + k * scalar); // S = (r + k * s) mod L
if (!Fn.isValid(s))
throw new Error('sign failed: invalid s'); // 0 <= s < L
const rs = concatBytes(R, Fn.toBytes(s));
return abytes(rs, lengths.signature, 'result');
}
// Keep the shared helper strict by default: RFC 8032 / NIST-style wrappers should reject
// non-canonical encodings unless they explicitly opt into ZIP-215's more permissive decode rules.
const verifyOpts = {
zip215: opts.zip215,
};
/**
* Verifies EdDSA signature against message and public key. RFC 8032 §§5.1.7 and 5.2.7.
* A cofactored verification equation is checked.
*/
function verify(sig, msg, publicKey, options = verifyOpts) {
// Preserve the wrapper-selected default for `{}` / `{ zip215: undefined }`, not just omitted opts.
const { context } = options;
const zip215 = options.zip215 === undefined ? !!verifyOpts.zip215 : options.zip215;
const len = lengths.signature;
sig = abytes(sig, len, 'signature');
msg = abytes(msg, undefined, 'message');
publicKey = abytes(publicKey, lengths.publicKey, 'publicKey');
if (zip215 !== undefined)
abool(zip215, 'zip215');
if (prehash)
msg = prehash(msg); // for ed25519ph, etc
const mid = len / 2;
const r = sig.subarray(0, mid);
const s = bytesToNumberLE(sig.subarray(mid, len));
let A, R, SB;
try {
// ZIP-215 is more permissive than RFC 8032 / NIST186-5. Use it only for wrappers that
// explicitly want consensus-style unreduced encoding acceptance.
// zip215=true: 0 <= y < MASK (2^256 for ed25519)
// zip215=false: 0 <= y < P (2^255-19 for ed25519)
A = Point.fromBytes(publicKey, zip215);
R = Point.fromBytes(r, zip215);
SB = BASE.multiplyUnsafe(s); // 0 <= s < l is done inside
}
catch (error) {
return false;
}
// RFC 8032 §§5.1.7/5.2.7 and FIPS 186-5 §§7.7.2/7.8.2 only decode A' and check the cofactored
// verification equation; they do not add a separate low-order-public-key rejection here.
// Strict mode still rejects small-order A' intentionally for SBS-style non-repudiation and to
// avoid ambiguous verification outcomes where unusual low-order keys can make distinct
// key/signature/message combinations verify.
if (!zip215 && A.isSmallOrder())
return false;
// ZIP-215 accepts noncanonical / unreduced point encodings, so the challenge hash must use the
// exact signature/public-key bytes rather than canonicalized re-encodings of the decoded points.
const k = hashDomainToScalar(context, r, publicKey, msg);
const RkA = R.add(A.multiplyUnsafe(k));
// Check the cofactored verification equation via the curve cofactor h.
// [h][S]B = [h]R + [h][k]A'
return RkA.subtract(SB).clearCofactor().is0();
}
const _size = Fp.BYTES; // 32 for ed25519, 57 for ed448
const lengths = {
secretKey: _size,
publicKey: _size,
signature: 2 * _size,
seed: _size,
};
function randomSecretKey(seed) {
seed = seed === undefined ? randomBytes(lengths.seed) : seed;
return abytes(seed, lengths.seed, 'seed');
}
function isValidSecretKey(key) {
return isBytes(key) && key.length === lengths.secretKey;
}
function isValidPublicKey(key, zip215) {
try {
// Preserve the wrapper-selected default for omitted / `undefined` ZIP-215 flags here too.
return !!Point.fromBytes(key, zip215 === undefined ? verifyOpts.zip215 : zip215);
}
catch (error) {
return false;
}
}
const utils = {
getExtendedPublicKey,
randomSecretKey,
isValidSecretKey,
isValidPublicKey,
/**
* Converts ed public key to x public key. Uses formula:
* - ed25519:
* - `(u, v) = ((1+y)/(1-y), sqrt(-486664)*u/x)`
* - `(x, y) = (sqrt(-486664)*u/v, (u-1)/(u+1))`
* - ed448:
* - `(u, v) = ((y-1)/(y+1), sqrt(156324)*u/x)`
* - `(x, y) = (sqrt(156324)*u/v, (1+u)/(1-u))`
*/
toMontgomery(publicKey) {
const { y } = Point.fromBytes(publicKey);
const size = lengths.publicKey;
const is25519 = size === 32;
if (!is25519 && size !== 57)
throw new Error('only defined for 25519 and 448');
const u = is25519 ? Fp.div(_1n + y, _1n - y) : Fp.div(y - _1n, y + _1n);
return Fp.toBytes(u);
},
toMontgomerySecret(secretKey) {
const size = lengths.secretKey;
abytes(secretKey, size);
const hashed = hash(secretKey.subarray(0, size));
return adjustScalarBytes(hashed).subarray(0, size);
},
};
Object.freeze(lengths);
Object.freeze(utils);
return Object.freeze({
keygen: createKeygen(randomSecretKey, getPublicKey),
getPublicKey,
sign,
verify,
utils,
Point,
lengths,
});
}
//# sourceMappingURL=edwards.js.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/edwards.js.map
Generated Vendored
+1
View File
File diff suppressed because one or more lines are too long
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/fft.d.ts
Generated Vendored
+439
View File
@@ -0,0 +1,439 @@
/**
* Experimental implementation of NTT / FFT (Fast Fourier Transform) over finite fields.
* API may change at any time. The code has not been audited. Feature requests are welcome.
* @module
*/
import type { TArg } from '../utils.ts';
import type { IField } from './modular.ts';
/** Array-like coefficient storage that can be mutated in place. */
export interface MutableArrayLike<T> {
/** Element access by numeric index. */
[index: number]: T;
/** Current amount of stored coefficients. */
length: number;
/**
* Return a sliced copy using the same storage shape.
* @param start - Inclusive start index.
* @param end - Exclusive end index.
* @returns Sliced copy.
*/
slice(start?: number, end?: number): this;
/**
* Iterate over stored coefficients in order.
* @returns Coefficient iterator.
*/
[Symbol.iterator](): Iterator<T>;
}
/**
* Concrete polynomial containers accepted by the high-level `poly(...)` helpers.
* Lower-level FFT helpers can work with structural `MutableArrayLike`, but `poly(...)`
* intentionally keeps runtime dispatch on plain arrays and typed-array views.
*/
export type PolyStorage<T> = T[] | (MutableArrayLike<T> & ArrayBufferView);
/**
* Checks if integer is in form of `1 << X`.
* @param x - Integer to inspect.
* @returns `true` when the value is a power of two.
* @throws If `x` is not a valid unsigned 32-bit integer. {@link Error}
* @example
* Validate that an FFT size is a power of two.
*
* ```ts
* isPowerOfTwo(8);
* ```
*/
export declare function isPowerOfTwo(x: number): boolean;
/**
* @param n - Input value.
* @returns Next power of two within the u32/array-length domain.
* @throws If `n` is not a valid unsigned 32-bit integer. {@link Error}
* @example
* Round an integer up to the FFT size it needs.
*
* ```ts
* nextPowerOfTwo(9);
* ```
*/
export declare function nextPowerOfTwo(n: number): number;
/**
* @param n - Value to reverse.
* @param bits - Number of bits to use.
* @returns Bit-reversed integer.
* @throws If `n` is not a valid unsigned 32-bit integer. {@link Error}
* @example
* Reverse the low `bits` bits of one index.
*
* ```ts
* reverseBits(3, 3);
* ```
*/
export declare function reverseBits(n: number, bits: number): number;
/**
* Similar to `bitLen(x)-1` but much faster for small integers, like indices.
* @param n - Input value.
* @returns Base-2 logarithm. For `n = 0`, the current implementation returns `-1`.
* @throws If `n` is not a valid unsigned 32-bit integer. {@link Error}
* @example
* Compute the radix-2 stage count for one transform size.
*
* ```ts
* log2(8);
* ```
*/
export declare function log2(n: number): number;
/**
* Moves lowest bit to highest position, which at first step splits
* array on even and odd indices, then it applied again to each part,
* which is core of fft
* @param values - Mutable coefficient array.
* @returns Mutated input array.
* @throws If the array length is not a positive power of two. {@link Error}
* @example
* Reorder coefficients into bit-reversed order in place.
*
* ```ts
* const values = Uint8Array.from([0, 1, 2, 3]);
* bitReversalInplace(values);
* ```
*/
export declare function bitReversalInplace<T extends MutableArrayLike<any>>(values: T): T;
/**
* @param values - Input values.
* @returns Reordered copy.
* @throws If the array length is not a positive power of two. {@link Error}
* @example
* Return a reordered copy instead of mutating the input in place.
*
* ```ts
* const reordered = bitReversalPermutation([0, 1, 2, 3]);
* ```
*/
export declare function bitReversalPermutation<T>(values: T[]): T[];
/** Cached roots-of-unity tables derived from one finite field. */
export type RootsOfUnity = {
/** Generator and 2-adicity metadata for the cached field. */
info: {
G: bigint;
oddFactor: bigint;
powerOfTwo: number;
};
/**
* Return the natural-order roots of unity for one radix-2 size.
* @param bits - Transform size as `log2(N)`.
* @returns Natural-order roots for that size.
*/
roots: (bits: number) => bigint[];
/**
* Return the bit-reversal permutation of the roots for one radix-2 size.
* @param bits - Transform size as `log2(N)`.
* @returns Bit-reversed roots.
*/
brp(bits: number): bigint[];
/**
* Return the inverse roots of unity for one radix-2 size.
* @param bits - Transform size as `log2(N)`.
* @returns Inverse roots.
*/
inverse(bits: number): bigint[];
/**
* Return one primitive root used by a radix-2 stage.
* @param bits - Transform size as `log2(N)`.
* @returns Primitive root for that stage.
*/
omega: (bits: number) => bigint;
/**
* Drop all cached root tables.
* @returns Nothing.
*/
clear: () => void;
};
/**
* We limit roots up to 2**31, which is a lot: 2-billion polynomimal should be rare.
* @param field - Field implementation.
* @param generator - Optional generator override.
* @returns Roots-of-unity cache.
* @example
* Cache roots once, then ask for the omega table of one FFT size.
*
* ```ts
* import { rootsOfUnity } from '@noble/curves/abstract/fft.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const roots = rootsOfUnity(Field(17n));
* const omega = roots.omega(4);
* ```
*/
export declare function rootsOfUnity(field: TArg<IField<bigint>>, generator?: bigint): RootsOfUnity;
/** Polynomial coefficient container used by the FFT helpers. */
export type Polynomial<T> = MutableArrayLike<T>;
/**
* Arithmetic operations used by the generic FFT implementation.
*
* Maps great to Field<bigint>, but not to Group (EC points):
* - inv from scalar field
* - we need multiplyUnsafe here, instead of multiply for speed
* - multiplyUnsafe is safe in the context: we do mul(rootsOfUnity), which are public and sparse
*/
export type FFTOpts<T, R> = {
/**
* Add two coefficients.
* @param a - Left coefficient.
* @param b - Right coefficient.
* @returns Sum coefficient.
*/
add: (a: T, b: T) => T;
/**
* Subtract two coefficients.
* @param a - Left coefficient.
* @param b - Right coefficient.
* @returns Difference coefficient.
*/
sub: (a: T, b: T) => T;
/**
* Multiply one coefficient by a scalar/root factor.
* @param a - Coefficient value.
* @param scalar - Scalar/root factor.
* @returns Scaled coefficient.
*/
mul: (a: T, scalar: R) => T;
/**
* Invert one scalar/root factor.
* @param a - Scalar/root factor.
* @returns Inverse factor.
*/
inv: (a: R) => R;
};
/** Configuration for one low-level FFT loop. */
export type FFTCoreOpts<R> = {
/** Transform size. Must be a power of two. */
N: number;
/** Stage roots for the selected transform size. */
roots: Polynomial<R>;
/** Whether to run the DIT variant instead of DIF. */
dit: boolean;
/** Whether to invert butterfly placement for decode-oriented layouts. */
invertButterflies?: boolean;
/** Number of initial stages to skip. */
skipStages?: number;
/** Whether to apply bit-reversal permutation at the boundary. */
brp?: boolean;
};
/**
* Callable low-level FFT loop over one polynomial storage shape.
* @param values - Polynomial coefficients to transform in place.
* @returns The mutated input polynomial.
*/
export type FFTCoreLoop<T> = <P extends Polynomial<T>>(values: P) => P;
/**
* Constructs different flavors of FFT. radix2 implementation of low level mutating API. Flavors:
*
* - DIT (Decimation-in-Time): Bottom-Up (leaves to root), Cool-Turkey
* - DIF (Decimation-in-Frequency): Top-Down (root to leaves), Gentleman-Sande
*
* DIT takes brp input, returns natural output.
* DIF takes natural input, returns brp output.
*
* The output is actually identical. Time / frequence distinction is not meaningful
* for Polynomial multiplication in fields.
* Which means if protocol supports/needs brp output/inputs, then we can skip this step.
*
* Cyclic NTT: Rq = Zq[x]/(x^n-1). butterfly_DIT+loop_DIT OR butterfly_DIF+loop_DIT, roots are omega
* Negacyclic NTT: Rq = Zq[x]/(x^n+1). butterfly_DIT+loop_DIF, at least for mlkem / mldsa
* @param F - Field operations.
* @param coreOpts - FFT configuration:
* - `N`: Transform size. Must be a power of two.
* - `roots`: Stage roots for the selected transform size.
* - `dit`: Whether to run the DIT variant instead of DIF.
* - `invertButterflies` (optional): Whether to invert butterfly placement.
* - `skipStages` (optional): Number of initial stages to skip.
* - `brp` (optional): Whether to apply bit-reversal permutation at the boundary.
* @returns Low-level FFT loop.
* @throws If the FFT options or cached roots are invalid for the requested size. {@link Error}
* @example
* Constructs different flavors of FFT.
*
* ```ts
* import { FFTCore, rootsOfUnity } from '@noble/curves/abstract/fft.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const roots = rootsOfUnity(Fp).roots(2);
* const loop = FFTCore(Fp, { N: 4, roots, dit: true });
* const values = loop([1n, 2n, 3n, 4n]);
* ```
*/
export declare const FFTCore: <T, R>(F: FFTOpts<T, R>, coreOpts: FFTCoreOpts<R>) => FFTCoreLoop<T>;
/** Forward and inverse FFT helpers for one coefficient domain. */
export type FFTMethods<T> = {
/**
* Apply the forward transform.
* @param values - Polynomial coefficients to transform.
* @param brpInput - Whether the input is already bit-reversed.
* @param brpOutput - Whether to keep the output bit-reversed.
* @returns Transformed copy.
*/
direct<P extends Polynomial<T>>(values: P, brpInput?: boolean, brpOutput?: boolean): P;
/**
* Apply the inverse transform.
* @param values - Polynomial coefficients to transform.
* @param brpInput - Whether the input is already bit-reversed.
* @param brpOutput - Whether to keep the output bit-reversed.
* @returns Inverse-transformed copy.
*/
inverse<P extends Polynomial<T>>(values: P, brpInput?: boolean, brpOutput?: boolean): P;
};
/**
* NTT aka FFT over finite field (NOT over complex numbers).
* Naming mirrors other libraries.
* @param roots - Roots-of-unity cache.
* @param opts - Field operations. See {@link FFTOpts}.
* @returns Forward and inverse FFT helpers.
* @example
* NTT aka FFT over finite field (NOT over complex numbers).
*
* ```ts
* import { FFT, rootsOfUnity } from '@noble/curves/abstract/fft.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const fft = FFT(rootsOfUnity(Fp), Fp);
* const values = fft.direct([1n, 2n, 3n, 4n]);
* ```
*/
export declare function FFT<T>(roots: RootsOfUnity, opts: FFTOpts<T, bigint>): FFTMethods<T>;
/**
* Factory that allocates one polynomial storage container.
* Callers must ensure `_create(len)` returns field-zero-filled storage when `elm` is omitted,
* because the quadratic `mul()` / `convolve()` paths and the Kronecker-δ shortcut in
* `lagrange.basis()` rely on that default instead of always passing `field.ZERO` explicitly.
* @param len - Requested amount of coefficients.
* @param elm - Optional fill value.
* @returns Newly allocated polynomial container.
*/
export type CreatePolyFn<P extends PolyStorage<T>, T> = (len: number, elm?: T) => P;
/** High-level polynomial helpers layered on top of FFT and field arithmetic. */
export type PolyFn<P extends PolyStorage<T>, T> = {
/** Roots-of-unity cache used by the helper namespace. */
roots: RootsOfUnity;
/** Factory used to allocate new polynomial containers. */
create: CreatePolyFn<P, T>;
/** Optional enforced polynomial length. */
length?: number;
/**
* Compute the polynomial degree.
* @param a - Polynomial coefficients.
* @returns Polynomial degree.
*/
degree: (a: P) => number;
/**
* Extend or truncate one polynomial to a requested length.
* @param a - Polynomial coefficients.
* @param len - Target length.
* @returns Resized polynomial.
*/
extend: (a: P, len: number) => P;
/**
* Add two polynomials coefficient-wise.
* @param a - Left polynomial.
* @param b - Right polynomial.
* @returns Sum polynomial.
*/
add: (a: P, b: P) => P;
/**
* Subtract two polynomials coefficient-wise.
* @param a - Left polynomial.
* @param b - Right polynomial.
* @returns Difference polynomial.
*/
sub: (a: P, b: P) => P;
/**
* Multiply by another polynomial or by one scalar.
* @param a - Left polynomial.
* @param b - Right polynomial or scalar.
* @returns Product polynomial.
*/
mul: (a: P, b: P | T) => P;
/**
* Multiply coefficients point-wise.
* @param a - Left polynomial.
* @param b - Right polynomial.
* @returns Point-wise product polynomial.
*/
dot: (a: P, b: P) => P;
/**
* Multiply two polynomials with convolution.
* @param a - Left polynomial.
* @param b - Right polynomial.
* @returns Convolution product.
*/
convolve: (a: P, b: P) => P;
/**
* Apply a point-wise coefficient shift by powers of one factor.
* @param p - Polynomial coefficients.
* @param factor - Shift factor.
* @returns Shifted polynomial.
*/
shift: (p: P, factor: bigint) => P;
/**
* Clone one polynomial container.
* @param a - Polynomial coefficients.
* @returns Cloned polynomial.
*/
clone: (a: P) => P;
/**
* Evaluate one polynomial on a basis vector.
* @param a - Polynomial coefficients.
* @param basis - Basis vector.
* @returns Evaluated field element.
*/
eval: (a: P, basis: P) => T;
/** Helpers for monomial-basis polynomials. */
monomial: {
/** Build the monomial basis vector for one evaluation point. */
basis: (x: T, n: number) => P;
/** Evaluate a polynomial in the monomial basis. */
eval: (a: P, x: T) => T;
};
/** Helpers for Lagrange-basis polynomials. */
lagrange: {
/** Build the Lagrange basis vector for one evaluation point. */
basis: (x: T, n: number, brp?: boolean) => P;
/** Evaluate a polynomial in the Lagrange basis. */
eval: (a: P, x: T, brp?: boolean) => T;
};
/**
* Build the vanishing polynomial for a root set.
* @param roots - Root set.
* @returns Vanishing polynomial.
*/
vanishing: (roots: P) => P;
};
/**
* Poly wants a cracker.
*
* Polynomials are functions like `y=f(x)`, which means when we multiply two polynomials, result is
* function `f3(x) = f1(x) * f2(x)`, we don't multiply values. Key takeaways:
*
* - **Polynomial** is an array of coefficients: `f(x) = sum(coeff[i] * basis[i](x))`
* - **Basis** is array of functions
* - **Monominal** is Polynomial where `basis[i](x) == x**i` (powers)
* - **Array size** is domain size
* - **Lattice** is matrix (Polynomial of Polynomials)
* @param field - Field implementation.
* @param roots - Roots-of-unity cache.
* @param create - Optional polynomial factory. Runtime input validation accepts only plain `Array`
* and typed-array polynomial containers; arbitrary structural wrappers are intentionally rejected.
* @param fft - Optional FFT implementation.
* @param length - Optional fixed polynomial length.
* @returns Polynomial helper namespace.
* @example
* Build polynomial helpers, then convolve two coefficient arrays.
*
* ```ts
* import { poly, rootsOfUnity } from '@noble/curves/abstract/fft.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const poly17 = poly(Fp, rootsOfUnity(Fp));
* const product = poly17.convolve([1n, 2n], [3n, 4n]);
* ```
*/
export declare function poly<T>(field: TArg<IField<T>>, roots: RootsOfUnity, create?: undefined, fft?: FFTMethods<T>, length?: number): PolyFn<T[], T>;
export declare function poly<T, P extends PolyStorage<T>>(field: TArg<IField<T>>, roots: RootsOfUnity, create: CreatePolyFn<P, T>, fft?: FFTMethods<T>, length?: number): PolyFn<P, T>;
//# sourceMappingURL=fft.d.ts.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/fft.d.ts.map
Generated Vendored
+1
View File
File diff suppressed because one or more lines are too long
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/fft.js
Generated Vendored
+568
View File
@@ -0,0 +1,568 @@
function checkU32(n) {
// 0xff_ff_ff_ff
if (!Number.isSafeInteger(n) || n < 0 || n > 0xffffffff)
throw new Error('wrong u32 integer:' + n);
return n;
}
/**
* Checks if integer is in form of `1 << X`.
* @param x - Integer to inspect.
* @returns `true` when the value is a power of two.
* @throws If `x` is not a valid unsigned 32-bit integer. {@link Error}
* @example
* Validate that an FFT size is a power of two.
*
* ```ts
* isPowerOfTwo(8);
* ```
*/
export function isPowerOfTwo(x) {
checkU32(x);
return (x & (x - 1)) === 0 && x !== 0;
}
/**
* @param n - Input value.
* @returns Next power of two within the u32/array-length domain.
* @throws If `n` is not a valid unsigned 32-bit integer. {@link Error}
* @example
* Round an integer up to the FFT size it needs.
*
* ```ts
* nextPowerOfTwo(9);
* ```
*/
export function nextPowerOfTwo(n) {
checkU32(n);
if (n <= 1)
return 1;
// FFT sizes here are used as JS array lengths, so `2^32` is not a meaningful result:
// keep the fast u32 bit-twiddling path and fail explicitly instead of wrapping to 1.
if (n > 0x8000_0000)
throw new Error('nextPowerOfTwo overflow: result does not fit u32');
return (1 << (log2(n - 1) + 1)) >>> 0;
}
/**
* @param n - Value to reverse.
* @param bits - Number of bits to use.
* @returns Bit-reversed integer.
* @throws If `n` is not a valid unsigned 32-bit integer. {@link Error}
* @example
* Reverse the low `bits` bits of one index.
*
* ```ts
* reverseBits(3, 3);
* ```
*/
export function reverseBits(n, bits) {
checkU32(n);
if (!Number.isSafeInteger(bits) || bits < 0 || bits > 32)
throw new Error(`expected integer 0 <= bits <= 32, got ${bits}`);
let reversed = 0;
for (let i = 0; i < bits; i++, n >>>= 1)
reversed = (reversed << 1) | (n & 1);
// JS bitwise ops are signed i32; cast back so 32-bit reversals stay in the unsigned u32 domain.
return reversed >>> 0;
}
/**
* Similar to `bitLen(x)-1` but much faster for small integers, like indices.
* @param n - Input value.
* @returns Base-2 logarithm. For `n = 0`, the current implementation returns `-1`.
* @throws If `n` is not a valid unsigned 32-bit integer. {@link Error}
* @example
* Compute the radix-2 stage count for one transform size.
*
* ```ts
* log2(8);
* ```
*/
export function log2(n) {
checkU32(n);
return 31 - Math.clz32(n);
}
/**
* Moves lowest bit to highest position, which at first step splits
* array on even and odd indices, then it applied again to each part,
* which is core of fft
* @param values - Mutable coefficient array.
* @returns Mutated input array.
* @throws If the array length is not a positive power of two. {@link Error}
* @example
* Reorder coefficients into bit-reversed order in place.
*
* ```ts
* const values = Uint8Array.from([0, 1, 2, 3]);
* bitReversalInplace(values);
* ```
*/
export function bitReversalInplace(values) {
const n = values.length;
// Size-1 FFT is the identity, so bit-reversal must stay a no-op there instead of rejecting it.
if (!isPowerOfTwo(n))
throw new Error('expected positive power-of-two length, got ' + n);
const bits = log2(n);
for (let i = 0; i < n; i++) {
const j = reverseBits(i, bits);
if (i < j) {
const tmp = values[i];
values[i] = values[j];
values[j] = tmp;
}
}
return values;
}
/**
* @param values - Input values.
* @returns Reordered copy.
* @throws If the array length is not a positive power of two. {@link Error}
* @example
* Return a reordered copy instead of mutating the input in place.
*
* ```ts
* const reordered = bitReversalPermutation([0, 1, 2, 3]);
* ```
*/
export function bitReversalPermutation(values) {
return bitReversalInplace(values.slice());
}
const _1n = /** @__PURE__ */ BigInt(1);
function findGenerator(field) {
let G = BigInt(2);
for (; field.eql(field.pow(G, field.ORDER >> _1n), field.ONE); G++)
;
return G;
}
/**
* We limit roots up to 2**31, which is a lot: 2-billion polynomimal should be rare.
* @param field - Field implementation.
* @param generator - Optional generator override.
* @returns Roots-of-unity cache.
* @example
* Cache roots once, then ask for the omega table of one FFT size.
*
* ```ts
* import { rootsOfUnity } from '@noble/curves/abstract/fft.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const roots = rootsOfUnity(Field(17n));
* const omega = roots.omega(4);
* ```
*/
export function rootsOfUnity(field, generator) {
// Factor field.ORDER-1 as oddFactor * 2^powerOfTwo
let oddFactor = field.ORDER - _1n;
let powerOfTwo = 0;
for (; (oddFactor & _1n) !== _1n; powerOfTwo++, oddFactor >>= _1n)
;
// Find non quadratic residue
let G = generator !== undefined ? BigInt(generator) : findGenerator(field);
// Powers of generator
const omegas = new Array(powerOfTwo + 1);
omegas[powerOfTwo] = field.pow(G, oddFactor);
for (let i = powerOfTwo; i > 0; i--)
omegas[i - 1] = field.sqr(omegas[i]);
// Compute all roots of unity for powers up to maxPower
const rootsCache = [];
const checkBits = (bits) => {
checkU32(bits);
if (bits > 31 || bits > powerOfTwo)
throw new Error('rootsOfUnity: wrong bits ' + bits + ' powerOfTwo=' + powerOfTwo);
return bits;
};
const precomputeRoots = (maxPower) => {
checkBits(maxPower);
for (let power = maxPower; power >= 0; power--) {
if (rootsCache[power])
continue; // Skip if we've already computed roots for this power
const rootsAtPower = [];
for (let j = 0, cur = field.ONE; j < 2 ** power; j++, cur = field.mul(cur, omegas[power]))
rootsAtPower.push(cur);
rootsCache[power] = rootsAtPower;
}
return rootsCache[maxPower];
};
const brpCache = new Map();
const inverseCache = new Map();
// roots()/brp()/inverse() expose shared cached arrays by reference for speed; callers must treat them as read-only.
// NOTE: we use bits instead of power, because power = 2**bits,
// but power is not neccesary isPowerOfTwo(power)!
return {
info: { G, powerOfTwo, oddFactor },
roots: (bits) => {
const b = checkBits(bits);
return precomputeRoots(b);
},
brp(bits) {
const b = checkBits(bits);
if (brpCache.has(b))
return brpCache.get(b);
else {
const res = bitReversalPermutation(this.roots(b));
brpCache.set(b, res);
return res;
}
},
inverse(bits) {
const b = checkBits(bits);
if (inverseCache.has(b))
return inverseCache.get(b);
else {
const res = field.invertBatch(this.roots(b));
inverseCache.set(b, res);
return res;
}
},
omega: (bits) => omegas[checkBits(bits)],
clear: () => {
rootsCache.splice(0, rootsCache.length);
brpCache.clear();
inverseCache.clear();
},
};
}
/**
* Constructs different flavors of FFT. radix2 implementation of low level mutating API. Flavors:
*
* - DIT (Decimation-in-Time): Bottom-Up (leaves to root), Cool-Turkey
* - DIF (Decimation-in-Frequency): Top-Down (root to leaves), Gentleman-Sande
*
* DIT takes brp input, returns natural output.
* DIF takes natural input, returns brp output.
*
* The output is actually identical. Time / frequence distinction is not meaningful
* for Polynomial multiplication in fields.
* Which means if protocol supports/needs brp output/inputs, then we can skip this step.
*
* Cyclic NTT: Rq = Zq[x]/(x^n-1). butterfly_DIT+loop_DIT OR butterfly_DIF+loop_DIT, roots are omega
* Negacyclic NTT: Rq = Zq[x]/(x^n+1). butterfly_DIT+loop_DIF, at least for mlkem / mldsa
* @param F - Field operations.
* @param coreOpts - FFT configuration:
* - `N`: Transform size. Must be a power of two.
* - `roots`: Stage roots for the selected transform size.
* - `dit`: Whether to run the DIT variant instead of DIF.
* - `invertButterflies` (optional): Whether to invert butterfly placement.
* - `skipStages` (optional): Number of initial stages to skip.
* - `brp` (optional): Whether to apply bit-reversal permutation at the boundary.
* @returns Low-level FFT loop.
* @throws If the FFT options or cached roots are invalid for the requested size. {@link Error}
* @example
* Constructs different flavors of FFT.
*
* ```ts
* import { FFTCore, rootsOfUnity } from '@noble/curves/abstract/fft.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const roots = rootsOfUnity(Fp).roots(2);
* const loop = FFTCore(Fp, { N: 4, roots, dit: true });
* const values = loop([1n, 2n, 3n, 4n]);
* ```
*/
export const FFTCore = (F, coreOpts) => {
const { N, roots, dit, invertButterflies = false, skipStages = 0, brp = true } = coreOpts;
const bits = log2(N);
if (!isPowerOfTwo(N))
throw new Error('FFT: Polynomial size should be power of two');
// Wrong-sized root tables can stay in-bounds for some loop shapes and silently compute nonsense.
if (roots.length !== N)
throw new Error(`FFT: wrong roots length: expected ${N}, got ${roots.length}`);
const isDit = dit !== invertButterflies;
isDit;
return (values) => {
if (values.length !== N)
throw new Error('FFT: wrong Polynomial length');
if (dit && brp)
bitReversalInplace(values);
for (let i = 0, g = 1; i < bits - skipStages; i++) {
// For each stage s (sub-FFT length m = 2^s)
const s = dit ? i + 1 + skipStages : bits - i;
const m = 1 << s;
const m2 = m >> 1;
const stride = N >> s;
// Loop over each subarray of length m
for (let k = 0; k < N; k += m) {
// Loop over each butterfly within the subarray
for (let j = 0, grp = g++; j < m2; j++) {
const rootPos = invertButterflies ? (dit ? N - grp : grp) : j * stride;
const i0 = k + j;
const i1 = k + j + m2;
const omega = roots[rootPos];
const b = values[i1];
const a = values[i0];
// Inlining gives us 10% perf in kyber vs functions
if (isDit) {
const t = F.mul(b, omega); // Standard DIT butterfly
values[i0] = F.add(a, t);
values[i1] = F.sub(a, t);
}
else if (invertButterflies) {
values[i0] = F.add(b, a); // DIT loop + inverted butterflies (Kyber decode)
values[i1] = F.mul(F.sub(b, a), omega);
}
else {
values[i0] = F.add(a, b); // Standard DIF butterfly
values[i1] = F.mul(F.sub(a, b), omega);
}
}
}
}
if (!dit && brp)
bitReversalInplace(values);
return values;
};
};
/**
* NTT aka FFT over finite field (NOT over complex numbers).
* Naming mirrors other libraries.
* @param roots - Roots-of-unity cache.
* @param opts - Field operations. See {@link FFTOpts}.
* @returns Forward and inverse FFT helpers.
* @example
* NTT aka FFT over finite field (NOT over complex numbers).
*
* ```ts
* import { FFT, rootsOfUnity } from '@noble/curves/abstract/fft.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const fft = FFT(rootsOfUnity(Fp), Fp);
* const values = fft.direct([1n, 2n, 3n, 4n]);
* ```
*/
export function FFT(roots, opts) {
const getLoop = (N, roots, brpInput = false, brpOutput = false) => {
if (brpInput && brpOutput) {
// we cannot optimize this case, but lets support it anyway
return (values) => FFTCore(opts, { N, roots, dit: false, brp: false })(bitReversalInplace(values));
}
if (brpInput)
return FFTCore(opts, { N, roots, dit: true, brp: false });
if (brpOutput)
return FFTCore(opts, { N, roots, dit: false, brp: false });
return FFTCore(opts, { N, roots, dit: true, brp: true }); // all natural
};
return {
direct(values, brpInput = false, brpOutput = false) {
const N = values.length;
if (!isPowerOfTwo(N))
throw new Error('FFT: Polynomial size should be power of two');
const bits = log2(N);
return getLoop(N, roots.roots(bits), brpInput, brpOutput)(values.slice());
},
inverse(values, brpInput = false, brpOutput = false) {
const N = values.length;
if (!isPowerOfTwo(N))
throw new Error('FFT: Polynomial size should be power of two');
const bits = log2(N);
const res = getLoop(N, roots.inverse(bits), brpInput, brpOutput)(values.slice());
const ivm = opts.inv(BigInt(values.length)); // scale
// we can get brp output if we use dif instead of dit!
for (let i = 0; i < res.length; i++)
res[i] = opts.mul(res[i], ivm);
// Allows to re-use non-inverted roots, but is VERY fragile
// return [res[0]].concat(res.slice(1).reverse());
// inverse calculated as pow(-1), which transforms into ω^{-kn} (-> reverses indices)
return res;
},
};
}
export function poly(field, roots, create, fft, length) {
const F = field;
const _create = create ||
((len, elm) => new Array(len).fill(elm ?? F.ZERO));
// `poly.mul(a, b)` distinguishes polynomial-vs-scalar at runtime, so keep accepted
// polynomial containers concrete instead of trying to support arbitrary wrappers.
const isPoly = (x) => {
if (Array.isArray(x))
return true;
if (!ArrayBuffer.isView(x))
return false;
const v = x;
return (typeof v.length === 'number' &&
typeof v.slice === 'function' &&
typeof v[Symbol.iterator] === 'function');
};
const checkLength = (...lst) => {
if (!lst.length)
return 0;
for (const i of lst)
if (!isPoly(i))
throw new Error('poly: not polynomial: ' + i);
const L = lst[0].length;
for (let i = 1; i < lst.length; i++)
if (lst[i].length !== L)
throw new Error(`poly: mismatched lengths ${L} vs ${lst[i].length}`);
if (length !== undefined && L !== length)
throw new Error(`poly: expected fixed length ${length}, got ${L}`);
return L;
};
function findOmegaIndex(x, n, brp = false) {
const bits = log2(n);
const omega = brp ? roots.brp(bits) : roots.roots(bits);
for (let i = 0; i < n; i++)
if (F.eql(x, omega[i]))
return i;
return -1;
}
// TODO: mutating versions for mlkem/mldsa
return {
roots,
create: _create,
length,
extend: (a, len) => {
checkLength(a);
const out = _create(len, F.ZERO);
// Plain arrays grow when writing past `out.length`, so cap the copy explicitly to keep
// `extend()` consistent with typed arrays and with its documented truncate behavior.
for (let i = 0; i < Math.min(a.length, len); i++)
out[i] = a[i];
return out;
},
degree: (a) => {
checkLength(a);
for (let i = a.length - 1; i >= 0; i--)
if (!F.is0(a[i]))
return i;
return -1;
},
add: (a, b) => {
const len = checkLength(a, b);
const out = _create(len);
for (let i = 0; i < len; i++)
out[i] = F.add(a[i], b[i]);
return out;
},
sub: (a, b) => {
const len = checkLength(a, b);
const out = _create(len);
for (let i = 0; i < len; i++)
out[i] = F.sub(a[i], b[i]);
return out;
},
dot: (a, b) => {
const len = checkLength(a, b);
const out = _create(len);
for (let i = 0; i < len; i++)
out[i] = F.mul(a[i], b[i]);
return out;
},
mul: (a, b) => {
if (isPoly(b)) {
const len = checkLength(a, b);
if (fft) {
const A = fft.direct(a, false, true);
const B = fft.direct(b, false, true);
for (let i = 0; i < A.length; i++)
A[i] = F.mul(A[i], B[i]);
return fft.inverse(A, true, false);
}
else {
// NOTE: this is quadratic and mostly for compat tests with FFT
const res = _create(len);
for (let i = 0; i < len; i++) {
for (let j = 0; j < len; j++) {
const k = (i + j) % len; // wrap mod length
res[k] = F.add(res[k], F.mul(a[i], b[j]));
}
}
return res;
}
}
else {
const out = _create(checkLength(a));
for (let i = 0; i < out.length; i++)
out[i] = F.mul(a[i], b);
return out;
}
},
convolve(a, b) {
const len = nextPowerOfTwo(a.length + b.length - 1);
return this.mul(this.extend(a, len), this.extend(b, len));
},
shift(p, factor) {
const out = _create(checkLength(p));
out[0] = p[0];
for (let i = 1, power = F.ONE; i < p.length; i++) {
power = F.mul(power, factor);
out[i] = F.mul(p[i], power);
}
return out;
},
clone: (a) => {
checkLength(a);
const out = _create(a.length);
for (let i = 0; i < a.length; i++)
out[i] = a[i];
return out;
},
eval: (a, basis) => {
checkLength(a, basis);
let acc = F.ZERO;
for (let i = 0; i < a.length; i++)
acc = F.add(acc, F.mul(a[i], basis[i]));
return acc;
},
monomial: {
basis: (x, n) => {
const out = _create(n);
let pow = F.ONE;
for (let i = 0; i < n; i++) {
out[i] = pow;
pow = F.mul(pow, x);
}
return out;
},
eval: (a, x) => {
checkLength(a);
// Same as eval(a, monomialBasis(x, a.length)), but it is faster this way
let acc = F.ZERO;
for (let i = a.length - 1; i >= 0; i--)
acc = F.add(F.mul(acc, x), a[i]);
return acc;
},
},
lagrange: {
basis: (x, n, brp = false, weights) => {
const bits = log2(n);
const cache = weights || (brp ? roots.brp(bits) : roots.roots(bits)); // [ω⁰, ω¹, ..., ωⁿ⁻¹]
const out = _create(n);
// Fast Kronecker-δ shortcut
const idx = findOmegaIndex(x, n, brp);
if (idx !== -1) {
out[idx] = F.ONE;
return out;
}
const tm = F.pow(x, BigInt(n));
const c = F.mul(F.sub(tm, F.ONE), F.inv(BigInt(n))); // c = (xⁿ - 1)/n
const denom = _create(n);
for (let i = 0; i < n; i++)
denom[i] = F.sub(x, cache[i]);
const inv = F.invertBatch(denom);
for (let i = 0; i < n; i++)
out[i] = F.mul(c, F.mul(cache[i], inv[i]));
return out;
},
eval(a, x, brp = false) {
checkLength(a);
const idx = findOmegaIndex(x, a.length, brp);
if (idx !== -1)
return a[idx]; // fast path
const L = this.basis(x, a.length, brp); // Lᵢ(x)
let acc = F.ZERO;
for (let i = 0; i < a.length; i++)
if (!F.is0(a[i]))
acc = F.add(acc, F.mul(a[i], L[i]));
return acc;
},
},
vanishing(roots) {
checkLength(roots);
const out = _create(roots.length + 1, F.ZERO);
out[0] = F.ONE;
for (const r of roots) {
const neg = F.neg(r);
for (let j = out.length - 1; j > 0; j--)
out[j] = F.add(F.mul(out[j], neg), out[j - 1]);
out[0] = F.mul(out[0], neg);
}
return out;
},
};
}
//# sourceMappingURL=fft.js.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/fft.js.map
Generated Vendored
+1
View File
File diff suppressed because one or more lines are too long
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/frost.d.ts
Generated Vendored
+293
View File
@@ -0,0 +1,293 @@
import { randomBytes, type TArg, type TRet } from '../utils.ts';
import { type CurvePoint, type CurvePointCons } from './curve.ts';
import { type H2CDSTOpts } from './hash-to-curve.ts';
import { type IField } from './modular.ts';
export type RNG = typeof randomBytes;
export type Identifier = string;
export type Commitment = Uint8Array;
export type Coefficient = Uint8Array;
export type Signature = Uint8Array;
export type Signers = {
min: number;
max: number;
};
export type SecretKey = Uint8Array;
export type Bytes = Uint8Array;
type Point = Uint8Array;
export type DKG_Round1 = {
identifier: Identifier;
commitment: TRet<Commitment[]>;
proofOfKnowledge: TRet<Signature>;
};
export type DKG_Round2 = {
identifier: Identifier;
signingShare: TRet<Bytes>;
};
export type DKG_Secret = {
identifier: bigint;
coefficients?: bigint[];
commitment: TRet<Point[]>;
signers: Signers;
step?: 1 | 2 | 3;
};
export type FrostPublic = {
signers: Signers;
commitments: TRet<Bytes[]>;
verifyingShares: TRet<Record<Identifier, Bytes>>;
};
export type FrostSecret = {
identifier: Identifier;
signingShare: TRet<Bytes>;
};
export type Key = {
public: FrostPublic;
secret: FrostSecret;
};
export type DealerShares = {
public: FrostPublic;
secretShares: Record<Identifier, FrostSecret>;
};
export type Nonces = {
hiding: TRet<Bytes>;
binding: TRet<Bytes>;
};
export type NonceCommitments = {
identifier: Identifier;
hiding: TRet<Bytes>;
binding: TRet<Bytes>;
};
export type GenNonce = {
nonces: Nonces;
commitments: NonceCommitments;
};
export interface FROSTPoint<T extends CurvePoint<any, T>> extends CurvePoint<any, T> {
add(rhs: T): T;
multiply(rhs: bigint): T;
equals(rhs: T): boolean;
toBytes(compressed?: boolean): Bytes;
clearCofactor(): T;
}
export interface FROSTPointConstructor<T extends FROSTPoint<T>> extends CurvePointCons<T> {
fromBytes(a: Bytes): T;
Fn: IField<bigint>;
}
export type FrostOpts<P extends FROSTPoint<P>> = {
readonly name: string;
readonly Point: FROSTPointConstructor<P>;
readonly Fn?: IField<bigint>;
/** Optional suite hook that tightens canonical decoding with subgroup / identity checks. */
readonly validatePoint?: (p: P) => void;
/** Optional public-key parser. Implementations MUST preserve the same subgroup / identity policy
* as `validatePoint`, because this bypasses generic canonical decoding in `parsePoint()`. */
readonly parsePublicKey?: (bytes: TArg<Uint8Array>) => P;
readonly hash: (msg: TArg<Uint8Array>) => TRet<Uint8Array>;
/** Custom scalar hash hook. Implementations MUST treat `msg` and `options` as read-only. */
readonly hashToScalar?: (msg: TArg<Uint8Array>, options?: TArg<H2CDSTOpts>) => bigint;
readonly adjustScalar?: (n: bigint) => bigint;
readonly adjustPoint?: (n: P) => P;
readonly challenge?: (R: P, PK: P, msg: TArg<Uint8Array>) => bigint;
readonly adjustNonces?: (PK: P, nonces: TArg<Nonces>) => TRet<Nonces>;
readonly adjustSecret?: (secret: TArg<FrostSecret>, pub: TArg<FrostPublic>) => TRet<FrostSecret>;
readonly adjustPublic?: (pub: TArg<FrostPublic>) => TRet<FrostPublic>;
readonly adjustGroupCommitmentShare?: (GC: P, GCShare: P) => P;
readonly adjustTx?: {
readonly encode: (tx: TArg<Uint8Array>) => TRet<Uint8Array>;
readonly decode: (tx: TArg<Uint8Array>) => TRet<Uint8Array>;
};
readonly adjustDKG?: (k: TArg<Key>) => TRet<Key>;
readonly H1?: string;
readonly H2?: string;
readonly H3?: string;
readonly H4?: string;
readonly H5?: string;
readonly HDKG?: string;
readonly HID?: string;
};
/**
* FROST: Threshold Protocol for TwoRound Schnorr Signatures
* from [RFC 9591](https://datatracker.ietf.org/doc/rfc9591/).
*/
export type FROST = {
/**
* Methods to construct participant identifiers.
*/
Identifier: {
/**
* Constructs an identifier from a numeric index.
* @param n - A positive integer.
* @returns A canonical serialized Identifier.
*/
fromNumber(n: number): Identifier;
/**
* Derives an identifier deterministically from a string (e.g. an email).
* @param s - Arbitrary string.
* @returns A canonical serialized Identifier.
*/
derive(s: string): Identifier;
};
/**
* Distributed Key Generation (DKG) protocol interface.
* RFC 9591 leaves DKG out of scope; Appendix C only specifies dealer/VSS key generation.
* These helpers follow the split-round API used by frost-rs for interoperable testing.
*/
DKG: {
/**
* Generates the first round of DKG.
* @param id - Participant's identifier.
* @param signers - Set of all participants (min/max threshold).
* @param secret - Optional initial secret scalar.
* @param rng - Optional RNG for nonce generation.
* @returns Public broadcast and private DKG state. The returned `secret` package is mutable
* round state that will be consumed by `round2()` and `round3()`.
*/
round1: (id: Identifier, signers: Signers, secret?: TArg<SecretKey>, rng?: RNG) => {
public: DKG_Round1;
secret: DKG_Secret;
};
/**
* Executes DKG round 2 given public round1 data from others.
* @param secret - Private DKG state from round1. This mutates `secret.step` in place.
* @param others - Public round1 broadcasts from other participants.
* @returns A map of round2 messages to be sent to others.
*/
round2: (secret: TArg<DKG_Secret>, others: TArg<DKG_Round1[]>) => TRet<Record<string, DKG_Round2>>;
/**
* Finalizes key generation in round3 using received round1 + round2 messages.
* @param secret - Private DKG state. This consumes the remaining local polynomial coefficients
* and transitions the package to its final post-round3 state.
* @param round1 - Public round1 broadcasts from all participants.
* @param round2 - Round2 messages received from others.
* @returns Final secret/public key information for the participant.
* Callers MUST pass the same verified remote `round1` package set that was already
* accepted in `round2()`, rather than re-fetching or rebuilding it from the network.
*/
round3: (secret: TArg<DKG_Secret>, round1: TArg<DKG_Round1[]>, round2: TArg<DKG_Round2[]>) => TRet<Key>;
/**
* Best-effort erasure of internal secret state. Bigint/JIT copies may still survive outside the
* local object even after cleanup.
* @param secret - Private DKG state from round1.
*/
clean(secret: TArg<DKG_Secret>): void;
};
/**
* Trusted dealer mode: generates key shares from a central trusted authority.
* Mirrors RFC 9591 Appendix C and returns one shared VSS commitment package
* plus per-participant shares.
* @param signers - Threshold parameters (min/max).
* @param identifiers - Optional explicit participant list.
* @param secret - Optional secret scalar.
* @param rng - Optional RNG.
* @returns One shared public package plus the participant secret-share packages.
*/
trustedDealer(signers: Signers, identifiers?: Identifier[], secret?: TArg<SecretKey>, rng?: RNG): TRet<DealerShares>;
/**
* Validates the consistency of a secret share against the shared public commitments.
* This is the RFC 9591 Appendix C.2 `vss_verify` check against the shared dealer/DKG commitment.
* It does not relax RFC 9591 Section 3.1: public identity elements are still invalid even when
* the scalar/share algebra would otherwise be self-consistent.
* Throws if invalid.
* @param secret - A FrostSecret containing identifier and signing share.
* @param pub - Shared public package containing commitments.
*/
validateSecret(secret: TArg<FrostSecret>, pub: TArg<FrostPublic>): void;
/**
* Produces nonces and public commitments used in signing.
* RFC 9591 Section 5.1 `commit()`.
* @param secret - Participant's secret share.
* @param rng - Optional RNG.
* @returns Nonce values and their public commitments.
* Returned nonces are one-time-use and MUST NOT be reused across signing sessions.
* This API does not mutate or zeroize caller-owned nonce objects.
*/
commit(secret: TArg<FrostSecret>, rng?: RNG): TRet<GenNonce>;
/**
* Signs a message using the participant's secret and nonce.
* @param secret - Participant's secret share.
* @param pub - Shared public package containing commitments.
* @param nonces - Participant's nonce pair.
* @param commitmentList - Commitments from all signing participants.
* @param msg - Message to be signed.
* @returns Signature share as a byte array.
* RFC 9591 Sections 4.1/5.1 require round-one commitments to be one-time-use, and
* Section 5.2 signs with the nonce corresponding to that published commitment.
* The caller MUST pass fresh nonces from `commit()`. On successful signing, this helper
* consumes the caller-owned nonce object by zeroing both nonce byte arrays in place.
* Later calls reject an all-zero nonce package, so same-object reuse fails closed and an
* accidentally generated zero nonce package is not silently used for signing.
*/
signShare(secret: TArg<FrostSecret>, pub: TArg<FrostPublic>, nonces: TArg<Nonces>, commitmentList: TArg<NonceCommitments[]>, msg: TArg<Uint8Array>): TRet<Uint8Array>;
/**
* Verifies a signature share against public commitments.
* Matches the coordinator-side individual-share verification from RFC 9591 Section 5.4.
* @param pub - Group public key information.
* @param commitmentList - Commitments from all signing participants.
* @param msg - Message being signed.
* @param identifier - Identifier of the signer whose share is being verified.
* @param sigShare - Signature share to verify.
* @returns True if valid, false otherwise.
*/
verifyShare(pub: TArg<FrostPublic>, commitmentList: TArg<NonceCommitments[]>, msg: TArg<Uint8Array>, identifier: Identifier, sigShare: TArg<Uint8Array>): boolean;
/**
* Aggregates signature shares into a full signature.
* RFC 9591 Section 5.3 `aggregate()`.
* @param pub - Group public key.
* @param commitmentList - Nonce commitments from all signers.
* @param msg - Message to sign.
* @param sigShares - Map from identifier to their signature share.
* @returns Final aggregated signature.
*/
aggregate(pub: TArg<FrostPublic>, commitmentList: TArg<NonceCommitments[]>, msg: TArg<Uint8Array>, sigShares: TArg<Record<Identifier, Uint8Array>>): TRet<Uint8Array>;
/**
* Signs a message using a raw secret key (e.g. from combineSecret).
* @param msg - Message to sign.
* @param secretKey - Group secret key as bytes.
* @returns Signature bytes.
*/
sign(msg: TArg<Uint8Array>, secretKey: TArg<Uint8Array>): TRet<Uint8Array>;
/**
* Verifies a full signature against the group public key.
* @param sig - Signature bytes.
* @param msg - Message that was signed.
* @param publicKey - Group public key.
* @returns True if valid, false otherwise.
*/
verify(sig: TArg<Signature>, msg: TArg<Uint8Array>, publicKey: TArg<Uint8Array>): boolean;
/**
* Combines multiple secret shares into a single secret key (e.g. for recovery).
* @param shares - Set of FrostSecret shares.
* @param signers - Threshold parameters.
* @returns Group secret key as bytes.
*/
combineSecret(shares: TArg<FrostSecret[]>, signers: Signers): TRet<Uint8Array>;
/**
* Low-level helper utilities (field arithmetic and polynomial tools).
*/
utils: {
/**
* Finite field used for scalars.
*/
Fn: IField<bigint>;
/**
* Generates a random scalar (private key).
* @param rng - Optional RNG source.
* @returns Scalar as 32-byte Uint8Array.
*/
randomScalar: (rng?: RNG) => TRet<Uint8Array>;
/**
* Generates a secret-sharing polynomial and its public commitments.
* @param signers - Threshold parameters.
* @param secret - Optional initial secret scalar.
* @param coeffs - Optional manual coefficients.
* @param rng - Optional RNG.
* @returns Polynomial coefficients, commitments, and secret value.
*/
generateSecretPolynomial: (signers: Signers, secret?: TArg<Uint8Array>, coeffs?: bigint[], rng?: RNG) => {
coefficients: bigint[];
commitment: TRet<Point[]>;
secret: bigint;
};
};
};
export declare function createFROST<P extends FROSTPoint<P>>(opts: FrostOpts<P>): TRet<FROST>;
export {};
//# sourceMappingURL=frost.d.ts.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/frost.d.ts.map
Generated Vendored
+1
View File
File diff suppressed because one or more lines are too long
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/frost.js
Generated Vendored
+704
View File
@@ -0,0 +1,704 @@
/**
* FROST: Flexible Round-Optimized Schnorr Threshold Protocol for Two-Round Schnorr Signatures.
*
* See [RFC 9591](https://datatracker.ietf.org/doc/rfc9591/) and [frost.zfnd.org](https://frost.zfnd.org).
* @module
*/
import { utf8ToBytes } from '@noble/hashes/utils.js';
import { bytesToHex, bytesToNumberBE, bytesToNumberLE, concatBytes, hexToBytes, randomBytes, validateObject, } from "../utils.js";
import { pippenger, validatePointCons } from "./curve.js";
import { poly } from "./fft.js";
import {} from "./hash-to-curve.js";
import { getMinHashLength, mapHashToField } from "./modular.js";
// PubKey = commitments, verifyingShares
// PrivKey = id, signingShare, commitment
const validateSigners = (signers) => {
if (!Number.isSafeInteger(signers.min) || !Number.isSafeInteger(signers.max))
throw new Error('Wrong signers info: min=' + signers.min + ' max=' + signers.max);
// Compatibility with frost-rs intentionally narrows RFC 9591's positive-nonzero threshold rule
// to `min >= 2`, even though the RFC text itself allows `MIN_PARTICIPANTS = 1`.
// This API is for actual threshold signing across participants; 1-of-n degenerates to ordinary
// single-signer mode, which does not need FROST's network/coordination machinery at all.
if (signers.min < 2 || signers.max < 2 || signers.min > signers.max)
throw new Error('Wrong signers info: min=' + signers.min + ' max=' + signers.max);
};
const validateCommitmentsNum = (signers, len) => {
// RFC 9591 Sections 5.2/5.3 require MIN_PARTICIPANTS <= NUM_PARTICIPANTS <= MAX_PARTICIPANTS.
if (len < signers.min || len > signers.max)
throw new Error('Wrong number of commitments=' + len);
};
class AggErr extends Error {
// Empty means aggregation failed before per-share verification could attribute a signer.
cheaters;
constructor(msg, cheaters) {
super(msg);
this.cheaters = cheaters;
}
}
export function createFROST(opts) {
validateObject(opts, {
name: 'string',
hash: 'function',
}, {
hashToScalar: 'function',
validatePoint: 'function',
parsePublicKey: 'function',
adjustScalar: 'function',
adjustPoint: 'function',
challenge: 'function',
adjustNonces: 'function',
adjustSecret: 'function',
adjustPublic: 'function',
adjustGroupCommitmentShare: 'function',
adjustDKG: 'function',
});
// Cheap constructor-surface sanity check only: this verifies the generic static hooks/fields that
// FROST consumes, but it does not certify point semantics like BASE/ZERO correctness.
validatePointCons(opts.Point);
const { Point } = opts;
const Fn = opts.Fn === undefined ? Point.Fn : opts.Fn;
// Hashes
const hashBytes = opts.hash;
const hashToScalar = opts.hashToScalar === undefined
? (msg, opts = { DST: new Uint8Array() }) => {
const t = hashBytes(concatBytes(opts.DST, msg));
return Fn.create(Fn.isLE ? bytesToNumberLE(t) : bytesToNumberBE(t));
}
: opts.hashToScalar;
const H1Prefix = utf8ToBytes(opts.H1 !== undefined ? opts.H1 : opts.name + 'rho');
const H2Prefix = utf8ToBytes(opts.H2 !== undefined ? opts.H2 : opts.name + 'chal');
const H3Prefix = utf8ToBytes(opts.H3 !== undefined ? opts.H3 : opts.name + 'nonce');
const H4Prefix = utf8ToBytes(opts.H4 !== undefined ? opts.H4 : opts.name + 'msg');
const H5Prefix = utf8ToBytes(opts.H5 !== undefined ? opts.H5 : opts.name + 'com');
const HDKGPrefix = utf8ToBytes(opts.HDKG !== undefined ? opts.HDKG : opts.name + 'dkg');
const HIDPrefix = utf8ToBytes(opts.HID !== undefined ? opts.HID : opts.name + 'id');
const H1 = (msg) => hashToScalar(msg, { DST: H1Prefix });
// Empty H2 still passes `{ DST: new Uint8Array() }` into custom hashToScalar hooks.
// The built-in fallback hashes that identically to omitted DST, which is how
// the Ed25519 suite models RFC 9591's undecorated H2 challenge hash.
const H2 = (msg) => hashToScalar(msg, { DST: H2Prefix });
const H3 = (msg) => hashToScalar(msg, { DST: H3Prefix });
const H4 = (msg) => hashBytes(concatBytes(H4Prefix, msg));
const H5 = (msg) => hashBytes(concatBytes(H5Prefix, msg));
const HDKG = (msg) => hashToScalar(msg, { DST: HDKGPrefix });
const HID = (msg) => hashToScalar(msg, { DST: HIDPrefix });
// /Hashes
const randomScalar = (rng = randomBytes) => {
// Intentional divergence from RFC 9591 §4.1 / §5.1: the RFC nonce_generate helper outputs a
// Scalar in [0, p-1], but round-one commit publishes ScalarBaseMult(nonce) values and §3.1
// requires SerializeElement / DeserializeElement to reject the identity element. Keep noble's
// mapHashToField generation here so round-one public nonce commitments stay in 1..n-1.
const t = mapHashToField(rng(getMinHashLength(Fn.ORDER)), Fn.ORDER, Fn.isLE);
// We cannot use Fn.fromBytes here because the field can have a different
// byte width, like ed448.
return Fn.isLE ? bytesToNumberLE(t) : bytesToNumberBE(t);
};
const serializePoint = (p) => p.toBytes();
const parsePoint = (bytes) => {
// RFC 9591 Section 3.1 requires DeserializeElement validation. Suite-specific validatePoint
// hooks tighten this further for ciphersuites in Section 6. Bare createFROST(...) only gets
// canonical point decoding unless the caller installs those extra subgroup / identity checks.
const p = Point.fromBytes(bytes);
if (opts.validatePoint)
opts.validatePoint(p);
return p;
};
// RFC 9591 Sections 4.1/5.1 model each participant's round-one output as two public commitments.
const nonceCommitments = (identifier, nonces) => ({
identifier,
hiding: serializePoint(Point.BASE.multiply(Fn.fromBytes(nonces.hiding))),
binding: serializePoint(Point.BASE.multiply(Fn.fromBytes(nonces.binding))),
});
const adjustPoint = opts.adjustPoint === undefined ? (n) => n : opts.adjustPoint;
// We use hex to make it easier to use inside objects
const validateIdentifier = (n) => {
// Identifiers are canonical non-zero scalars. Custom / derived identifiers are allowed, so this
// is intentionally not bounded by the current signers.max slot count.
if (!Fn.isValid(n) || Fn.is0(n))
throw new Error('Invalid identifier ' + n);
return n;
};
const serializeIdentifier = (id) => bytesToHex(Fn.toBytes(validateIdentifier(id)));
const parseIdentifier = (id) => {
const n = validateIdentifier(Fn.fromBytes(hexToBytes(id)));
// Keep string-keyed maps stable by accepting only the canonical serialized form.
if (serializeIdentifier(n) !== id)
throw new Error('expected canonical identifier hex');
return n;
};
const Signature = {
// RFC 9591 Appendix A encodes signatures canonically as
// SerializeElement(R) || SerializeScalar(z).
encode: (R, z) => {
let res = concatBytes(serializePoint(R), Fn.toBytes(z));
if (opts.adjustTx)
res = opts.adjustTx.encode(res);
return res;
},
decode: (sig) => {
if (opts.adjustTx)
sig = opts.adjustTx.decode(sig);
// We don't know size of point, but we know size of scalar
const R = parsePoint(sig.subarray(0, -Fn.BYTES));
const z = Fn.fromBytes(sig.subarray(-Fn.BYTES));
return { R, z };
},
};
// Generates pair of (scalar, point)
const genPointScalarPair = (rng = randomBytes) => {
let n = randomScalar(rng);
if (opts.adjustScalar)
n = opts.adjustScalar(n);
let p = Point.BASE.multiply(n);
return { scalar: n, point: p };
};
// No roots here: root-based methods will throw.
// `poly` expects a structured roots-of-unity domain, but FROST uses an
// arbitrary domain and only needs the non-root operations below.
const nrErr = 'roots are unavailable in FROST polynomial mode';
const noRoots = {
info: { G: Fn.ZERO, oddFactor: Fn.ZERO, powerOfTwo: 0 },
roots() {
throw new Error(nrErr);
},
brp() {
throw new Error(nrErr);
},
inverse() {
throw new Error(nrErr);
},
omega() {
throw new Error(nrErr);
},
clear() { },
};
const Poly = poly(Fn, noRoots);
const msm = (points, scalars) => pippenger(Point, points, scalars);
// Internal stuff uses bigints & Points, external Uint8Arrays
const polynomialEvaluate = (x, coeffs) => {
if (!coeffs.length)
throw new Error('empty coefficients');
return Poly.monomial.eval(coeffs, x);
};
const deriveInterpolatingValue = (L, xi) => {
const err = 'invalid parameters';
// Generates lagrange coefficient
if (!L.some((x) => Fn.eql(x, xi)))
throw new Error(err);
// Throws error if any x-coordinate is represented more than once in L.
const Lset = new Set(L);
if (Lset.size !== L.length)
throw new Error(err);
// Or if xi is missing
if (!Lset.has(xi))
throw new Error(err);
let num = Fn.ONE;
let den = Fn.ONE;
for (const x of L) {
if (Fn.eql(x, xi))
continue;
num = Fn.mul(num, x); // num *= x
den = Fn.mul(den, Fn.sub(x, xi)); // RFC 9591 §4.2: denominator *= x_j - x_i
}
return Fn.div(num, den);
};
const evalutateVSS = (identifier, commitment) => {
// RFC 9591 Appendix C.2: S_i' = Σ_j ScalarMult(vss_commitment[j], i^j).
const monomial = Poly.monomial.basis(identifier, commitment.length);
return msm(commitment, monomial);
};
// High-level internal stuff
const generateSecretPolynomial = (signers, secret, coeffs, rng = randomBytes) => {
validateSigners(signers);
// Dealer/DKG polynomial sampling reuses the same hardened scalar derivation as round-one
// nonces: overriding `rng` only swaps the entropy source, not the non-zero `1..n-1` policy.
const secretScalar = secret === undefined ? randomScalar(rng) : Fn.fromBytes(secret);
if (!coeffs) {
coeffs = [];
for (let i = 0; i < signers.min - 1; i++)
coeffs.push(randomScalar(rng));
}
if (coeffs.length !== signers.min - 1)
throw new Error('wrong coefficients length');
const coefficients = [secretScalar, ...coeffs];
// RFC 9591 Appendix C.2 commits to every polynomial coefficient with ScalarBaseMult.
const commitment = coefficients.map((i) => Point.BASE.multiply(i));
return { coefficients, commitment, secret: secretScalar };
};
// Pretty much sign+verify, same as basic
const ProofOfKnowledge = {
challenge: (id, verKey, R) => HDKG(concatBytes(Fn.toBytes(id), serializePoint(verKey), serializePoint(R))),
compute(id, coefficents, commitments, rng = randomBytes) {
if (coefficents.length < 1)
throw new Error('coefficients should have at least one element');
const { point: R, scalar: k } = genPointScalarPair(rng);
const verKey = commitments[0]; // verify key is first one
const c = this.challenge(id, verKey, R);
const mu = Fn.add(k, Fn.mul(coefficents[0], c)); // mu = k + coeff[0] * c
return Signature.encode(R, mu);
},
validate(id, commitment, proof) {
if (commitment.length < 1)
throw new Error('commitment should have at least one element');
const { R, z } = Signature.decode(proof);
const phi = parsePoint(commitment[0]);
const c = this.challenge(id, phi, R);
// R === z*G - phi*c
if (!R.equals(Point.BASE.multiply(z).subtract(phi.multiply(c))))
throw new Error('invalid proof of knowledge');
},
};
const Basic = {
challenge: (R, PK, msg) => {
if (opts.challenge)
return opts.challenge(R, PK, msg);
return H2(concatBytes(serializePoint(R), serializePoint(PK), msg));
},
sign(msg, sk, rng = randomBytes) {
const { point: R, scalar: r } = genPointScalarPair(rng);
const PK = Point.BASE.multiply(sk); // sk*G
const c = this.challenge(R, PK, msg);
const z = Fn.add(r, Fn.mul(c, sk)); // r + c * sk
return [R, z];
},
verify(msg, R, z, PK) {
if (opts.adjustPoint)
PK = opts.adjustPoint(PK);
if (opts.adjustPoint)
R = opts.adjustPoint(R);
const c = this.challenge(R, PK, msg);
const zB = Point.BASE.multiply(z); // z*G
const cA = PK.multiply(c); // c*PK
let check = zB.subtract(cA).subtract(R); // zB - cA - R
// No clearCoffactor on ristretto
if (check.clearCofactor)
check = check.clearCofactor();
return Point.ZERO.equals(check);
},
};
// === vssVerify
const validateSecretShare = (identifier, commitment, signingShare) => {
// RFC 9591 Appendix C.2 `vss_verify(share_i, vss_commitment)` is purely algebraic.
// Public FROST packages still go through Section 3.1 element encoding,
// which rejects identity points, so a zero share or commitment does not
// become valid wire data just because VSS matches.
if (!Point.BASE.multiply(signingShare).equals(evalutateVSS(identifier, commitment)))
throw new Error('invalid secret share');
};
const Identifier = {
fromNumber(n) {
if (!Number.isSafeInteger(n))
throw new Error('expected safe interger');
return serializeIdentifier(BigInt(n));
},
// Not in spec, but in FROST implementation,
// seems useful and nice, no need to sync identifiers (would require more interactions)
derive(s) {
if (typeof s !== 'string')
throw new Error('wrong identifier string: ' + s);
// Derived identifiers may land anywhere in the scalar field; they are not restricted to
// sequential `1..max_signers` values.
return serializeIdentifier(HID(utf8ToBytes(s)));
},
};
// RFC 9591 §4.1: nonce_generate() hashes 32 fresh RNG bytes with SerializeScalar(secret).
const generateNonce = (secret, rng = randomBytes) => H3(concatBytes(rng(32), Fn.toBytes(secret)));
const getGroupCommitment = (GPK, commitmentList, msg) => {
const CL = commitmentList.map((i) => [
i.identifier,
parseIdentifier(i.identifier),
parsePoint(i.hiding),
parsePoint(i.binding),
]);
// RFC 9591 Sections 4.3/4.4/4.5 and 5.2/5.3 treat commitment_list as sorted by identifier.
CL.sort((a, b) => (a[1] < b[1] ? -1 : a[1] > b[1] ? 1 : 0));
// Encode commitment list
const Cbytes = [];
for (const [_, id, hC, bC] of CL)
Cbytes.push(Fn.toBytes(id), serializePoint(hC), serializePoint(bC));
const encodedCommitmentHash = H5(concatBytes(...Cbytes));
const rhoPrefix = concatBytes(serializePoint(GPK), H4(msg), encodedCommitmentHash);
// Compute binding factors
const bindingFactors = {};
for (const [i, id] of CL) {
bindingFactors[i] = H1(concatBytes(rhoPrefix, Fn.toBytes(id)));
}
const points = [];
const scalars = [];
for (const [i, _, hC, bC] of CL) {
if (Point.ZERO.equals(hC) || Point.ZERO.equals(bC))
throw new Error('infinity commitment');
points.push(hC, bC);
scalars.push(Fn.ONE, bindingFactors[i]);
}
const groupCommitment = msm(points, scalars); // GC += hC + bC*bindingFactor
const identifiers = CL.map((i) => i[1]);
return { identifiers, groupCommitment, bindingFactors };
};
const prepareShare = (PK, commitmentList, msg, identifier) => {
// RFC 9591 Sections 4.4/4.5/4.6 feed directly into the Section 5.2 signer computation.
const GPK = adjustPoint(parsePoint(PK));
const id = parseIdentifier(identifier);
const { identifiers, groupCommitment, bindingFactors } = getGroupCommitment(GPK, commitmentList, msg);
const bindingFactor = bindingFactors[identifier];
const lambda = deriveInterpolatingValue(identifiers, id);
const challenge = Basic.challenge(groupCommitment, GPK, msg);
return { lambda, challenge, bindingFactor, groupCommitment };
};
Object.freeze(Identifier);
const frost = {
Identifier,
// DKG is Distributed Key Generation, not Trusted Dealer Key Generation.
DKG: Object.freeze({
// NOTE: we allow to pass secret scalar from user side,
// this way it can be derived, instead of random generation
round1: (id, signers, secret, rng = randomBytes) => {
validateSigners(signers);
const idNum = parseIdentifier(id);
const { coefficients, commitment } = generateSecretPolynomial(signers, secret, undefined, rng);
const proofOfKnowledge = ProofOfKnowledge.compute(idNum, coefficients, commitment, rng);
const commitmentBytes = commitment.map(serializePoint);
const round1Public = {
identifier: serializeIdentifier(idNum),
commitment: commitmentBytes,
proofOfKnowledge,
};
// store secret information for signing
const round1Secret = {
identifier: idNum,
coefficients,
commitment: commitment.map(serializePoint),
// Copy threshold metadata instead of retaining the caller-owned object by reference.
signers: { min: signers.min, max: signers.max },
step: 1,
};
return { public: round1Public, secret: round1Secret };
},
round2: (secret, others) => {
if (others.length !== secret.signers.max - 1)
throw new Error('wrong number of round1 packages');
if (!secret.coefficients || secret.step === 3)
throw new Error('round3 package used in round2');
const res = {};
for (const p of others) {
if (p.commitment.length !== secret.signers.min)
throw new Error('wrong number of commitments');
const id = parseIdentifier(p.identifier);
if (id === secret.identifier)
throw new Error('duplicate id=' + serializeIdentifier(id));
ProofOfKnowledge.validate(id, p.commitment, p.proofOfKnowledge);
for (const c of p.commitment)
parsePoint(c);
if (res[p.identifier])
throw new Error('Duplicate id=' + id);
const signingShare = Fn.toBytes(polynomialEvaluate(id, secret.coefficients));
res[p.identifier] = {
identifier: serializeIdentifier(secret.identifier),
signingShare: signingShare,
};
}
secret.step = 2;
return res;
},
round3: (secret, round1, round2) => {
// DKG is outside RFC 9591's signing flow; callers are expected to reuse the same
// remote round1 packages already accepted in round2, like frost-rs documents.
if (round1.length !== secret.signers.max - 1)
throw new Error('wrong length of round1 packages');
if (!secret.coefficients || secret.step !== 2)
throw new Error('round2 package used in round3');
if (round2.length !== round1.length)
throw new Error('wrong length of round2 packages');
const merged = {};
for (const r1 of round1) {
if (!r1.identifier || !r1.commitment)
throw new Error('wrong round1 share');
merged[r1.identifier] = { ...r1 };
}
for (const r2 of round2) {
if (!r2.identifier || !r2.signingShare)
throw new Error('wrong round2 share');
if (!merged[r2.identifier])
throw new Error('round1 share for ' + r2.identifier + ' is missing');
merged[r2.identifier].signingShare = r2.signingShare;
}
if (Object.keys(merged).length !== round1.length)
throw new Error('mismatch identifiers between rounds');
let signingShare = Fn.ZERO;
if (secret.commitment.length !== secret.signers.min)
throw new Error('wrong commitments length');
const localCommitment = secret.commitment.map(parsePoint);
const localShare = polynomialEvaluate(secret.identifier, secret.coefficients);
validateSecretShare(secret.identifier, localCommitment, localShare);
const localCommitmentBytes = localCommitment.map(serializePoint);
const commitments = {
[serializeIdentifier(secret.identifier)]: localCommitmentBytes,
};
for (const k in merged) {
const v = merged[k];
if (!v.signingShare || !v.commitment)
throw new Error('mismatch identifiers');
const id = parseIdentifier(k); // from
const signingSharePart = Fn.fromBytes(v.signingShare);
const commitment = v.commitment.map(parsePoint);
validateSecretShare(secret.identifier, commitment, signingSharePart);
signingShare = Fn.add(signingShare, signingSharePart);
const idSer = serializeIdentifier(id);
if (commitments[idSer])
throw new Error('duplicated id=' + idSer);
commitments[idSer] = v.commitment;
}
signingShare = Fn.add(signingShare, localShare);
const mergedCommitment = new Array(secret.signers.min).fill(Point.ZERO);
for (const k in commitments) {
const v = commitments[k];
if (v.length !== secret.signers.min)
throw new Error('wrong commitments length');
for (let i = 0; i < v.length; i++)
mergedCommitment[i] = mergedCommitment[i].add(parsePoint(v[i]));
}
const mergedCommitmentBytes = mergedCommitment.map(serializePoint);
const verifyingShares = {};
for (const k in commitments)
verifyingShares[k] = serializePoint(evalutateVSS(parseIdentifier(k), mergedCommitment));
// This is enough to sign stuff
let res = {
public: {
signers: { min: secret.signers.min, max: secret.signers.max },
commitments: mergedCommitmentBytes,
verifyingShares: Object.fromEntries(Object.entries(verifyingShares).map(([k, v]) => [k, v.slice()])),
},
secret: {
identifier: serializeIdentifier(secret.identifier),
signingShare: Fn.toBytes(signingShare),
},
};
if (opts.adjustDKG)
res = opts.adjustDKG(res);
for (let i = 0; i < secret.coefficients.length; i++)
secret.coefficients[i] -= secret.coefficients[i];
delete secret.coefficients;
secret.step = 3;
return res;
},
clean(secret) {
// Instead of replacing secret bigint with another (zero?), we subtract it from itself
// in the hope that JIT will modify it inplace, instead of creating new value.
// This is unverified and may not work, but it is best we can do in regard of bigints.
secret.identifier -= secret.identifier;
if (secret.coefficients) {
for (let i = 0; i < secret.coefficients.length; i++)
secret.coefficients[i] -= secret.coefficients[i];
}
// for (const c of secret.commitment) c.fill(0);
secret.step = 3;
},
}),
// Trusted dealer setup
// Generates keys for all participants
trustedDealer(signers, identifiers, secret, rng = randomBytes) {
// if no identifiers provided, we generated default identifiers
validateSigners(signers);
if (identifiers === undefined) {
identifiers = [];
for (let i = 1; i <= signers.max; i++)
identifiers.push(Identifier.fromNumber(i));
}
else {
if (!Array.isArray(identifiers) || identifiers.length !== signers.max)
throw new Error('identifiers should be array of ' + signers.max);
}
const identifierNums = {};
for (const id of identifiers) {
const idNum = parseIdentifier(id);
if (id in identifierNums)
throw new Error('duplicated id=' + id);
identifierNums[id] = idNum;
}
const sp = generateSecretPolynomial(signers, secret, undefined, rng);
const commitmentBytes = sp.commitment.map(serializePoint);
const secretShares = {};
const verifyingShares = {};
for (const id of identifiers) {
const signingShare = polynomialEvaluate(identifierNums[id], sp.coefficients);
verifyingShares[id] = serializePoint(Point.BASE.multiply(signingShare));
secretShares[id] = {
identifier: id,
signingShare: Fn.toBytes(signingShare),
};
}
return {
public: {
signers: { min: signers.min, max: signers.max },
commitments: commitmentBytes,
verifyingShares,
},
secretShares,
};
},
// Validate secret (from trusted dealer or DKG)
validateSecret(secret, pub) {
const id = parseIdentifier(secret.identifier);
const commitment = pub.commitments.map(parsePoint);
const signingShare = Fn.fromBytes(secret.signingShare);
validateSecretShare(id, commitment, signingShare);
},
// Actual signing
// Round 1: each participant commit to nonces
// Nonces kept private, commitments sent to coordinator (or every other participant)
// NOTE: we don't need the message at this point, which lets a coordinator
// keep multiple nonce commitments per participant in advance and skip
// round1 for signing.
// But then each participant needs to remember generated shares
commit(secret, rng = randomBytes) {
const secretScalar = Fn.fromBytes(secret.signingShare);
const hiding = generateNonce(secretScalar, rng);
const binding = generateNonce(secretScalar, rng);
const nonces = { hiding: Fn.toBytes(hiding), binding: Fn.toBytes(binding) };
return { nonces, commitments: nonceCommitments(secret.identifier, nonces) };
},
// Round2: sign. Each participant creates a signature share from the secret
// and the selected nonce commitments.
signShare(secret, pub, nonces, commitmentList, msg) {
validateCommitmentsNum(pub.signers, commitmentList.length);
const hidingNonce0 = Fn.fromBytes(nonces.hiding);
const bindingNonce0 = Fn.fromBytes(nonces.binding);
if (Fn.is0(hidingNonce0) || Fn.is0(bindingNonce0))
throw new Error('signing nonces already used');
// Reject a coordinator-assigned commitment pair that does not match the signer's own nonce
// pair. This must happen before suite-specific nonce adjustment; secp256k1-tr may negate the
// actual signing nonces later, but the coordinator still assigns the original commitments.
const expectedCommitment = {
identifier: secret.identifier,
hiding: serializePoint(Point.BASE.multiply(hidingNonce0)),
binding: serializePoint(Point.BASE.multiply(bindingNonce0)),
};
const commitment = commitmentList.find((i) => i.identifier === secret.identifier);
if (!commitment)
throw new Error('missing signer commitment');
if (bytesToHex(commitment.hiding) !== bytesToHex(expectedCommitment.hiding) ||
bytesToHex(commitment.binding) !== bytesToHex(expectedCommitment.binding))
throw new Error('incorrect signer commitment');
if (opts.adjustSecret)
secret = opts.adjustSecret(secret, pub);
if (opts.adjustPublic)
pub = opts.adjustPublic(pub);
const SK = Fn.fromBytes(secret.signingShare);
const { lambda, challenge, bindingFactor, groupCommitment } = prepareShare(pub.commitments[0], commitmentList, msg, secret.identifier);
const N = opts.adjustNonces ? opts.adjustNonces(groupCommitment, nonces) : nonces;
const hidingNonce = opts.adjustNonces ? Fn.fromBytes(N.hiding) : hidingNonce0;
const bindingNonce = opts.adjustNonces ? Fn.fromBytes(N.binding) : bindingNonce0;
const t = Fn.mul(Fn.mul(lambda, SK), challenge); // challenge * lambda * SK
const t2 = Fn.mul(bindingNonce, bindingFactor); // bindingNonce * bindingFactor
const r = Fn.toBytes(Fn.add(Fn.add(hidingNonce, t2), t)); // t + t2 + hidingNonce
// RFC 9591 round-one commitments are one-time-use, and round two must use the nonce
// corresponding to the published commitment. This API returns mutable local nonce bytes,
// so consume them after a successful signShare() call: later all-zero reuse fails closed.
nonces.hiding.fill(0);
nonces.binding.fill(0);
return r;
},
// Each participant (or coordinator) can verify signatures from other participants
verifyShare(pub, commitmentList, msg, identifier, sigShare) {
if (opts.adjustPublic)
pub = opts.adjustPublic(pub);
const comm = commitmentList.find((i) => i.identifier === identifier);
if (!comm)
throw new Error('cannot find identifier commitment');
const PK = parsePoint(pub.verifyingShares[identifier]);
const hidingNonceCommitment = parsePoint(comm.hiding);
const bindingNonceCommitment = parsePoint(comm.binding);
const { lambda, challenge, bindingFactor, groupCommitment } = prepareShare(pub.commitments[0], commitmentList, msg, identifier);
// hC + bC * bF
let commShare = hidingNonceCommitment.add(bindingNonceCommitment.multiply(bindingFactor));
if (opts.adjustGroupCommitmentShare)
commShare = opts.adjustGroupCommitmentShare(groupCommitment, commShare);
const l = Point.BASE.multiply(Fn.fromBytes(sigShare)); // sigShare*G
// commShare + PK * (challenge * lambda)
const r = commShare.add(PK.multiply(Fn.mul(challenge, lambda)));
return l.equals(r);
},
// Aggregate multiple signature shares into groupSignature
aggregate(pub, commitmentList, msg, sigShares) {
if (opts.adjustPublic)
pub = opts.adjustPublic(pub);
try {
validateCommitmentsNum(pub.signers, commitmentList.length);
}
catch {
throw new AggErr('aggregation failed', []);
}
const ids = commitmentList.map((i) => i.identifier);
if (ids.length !== Object.keys(sigShares).length)
throw new AggErr('aggregation failed', []);
for (const id of ids) {
if (!(id in sigShares) || !(id in pub.verifyingShares))
throw new AggErr('aggregation failed', []);
}
const GPK = parsePoint(pub.commitments[0]);
const { groupCommitment } = getGroupCommitment(GPK, commitmentList, msg);
let z = Fn.ZERO;
// RFC 9591 Section 5.3 aggregates by summing the validated signature shares.
for (const id of ids)
z = Fn.add(z, Fn.fromBytes(sigShares[id])); // z += zi
if (!Basic.verify(msg, groupCommitment, z, GPK)) {
const cheaters = [];
for (const id of ids) {
if (!this.verifyShare(pub, commitmentList, msg, id, sigShares[id]))
cheaters.push(id);
}
throw new AggErr('aggregation failed', cheaters);
}
return Signature.encode(groupCommitment, z);
},
// Basic sign/verify using single key
sign(msg, secretKey) {
let sk = Fn.fromBytes(secretKey);
// Taproot single-key signing needs the same scalar normalization as threshold keys.
if (opts.adjustScalar)
sk = opts.adjustScalar(sk);
const [R, z] = Basic.sign(msg, sk);
return Signature.encode(R, z);
},
verify(sig, msg, publicKey) {
const PK = opts.parsePublicKey ? opts.parsePublicKey(publicKey) : parsePoint(publicKey);
const { R, z } = Signature.decode(sig);
return Basic.verify(msg, R, z, PK);
},
// Combine multiple secret shares to restore secret
combineSecret(shares, signers) {
validateSigners(signers);
if (!Array.isArray(shares) || shares.length < signers.min)
throw new Error('wrong secret shares array');
const points = [];
const seen = {};
// Interpolate over the full provided share set and reject duplicate identifiers.
for (const s of shares) {
const idNum = parseIdentifier(s.identifier);
const id = serializeIdentifier(idNum);
if (seen[id])
throw new Error('duplicated id=' + id);
seen[id] = true;
points.push([idNum, Fn.fromBytes(s.signingShare)]);
}
const xCoords = points.map(([x]) => x);
let res = Fn.ZERO;
for (const [x, y] of points)
res = Fn.add(res, Fn.mul(y, deriveInterpolatingValue(xCoords, x)));
return Fn.toBytes(res);
},
// Utils
utils: Object.freeze({
Fn, // NOTE: we re-export it here because it may be different from Point.Fn (ed448 is fun!)
// Test RNG overrides still go through noble's non-zero scalar derivation; this is not a raw
// "bytes become scalar" escape hatch.
randomScalar: (rng = randomBytes) => Fn.toBytes(genPointScalarPair(rng).scalar),
generateSecretPolynomial: (signers, secret, coeffs, rng) => {
const res = generateSecretPolynomial(signers, secret, coeffs, rng);
return { ...res, commitment: res.commitment.map(serializePoint) };
},
}),
};
return Object.freeze(frost);
}
//# sourceMappingURL=frost.js.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/frost.js.map
Generated Vendored
+1
View File
File diff suppressed because one or more lines are too long
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/hash-to-curve.d.ts
Generated Vendored
+239
View File
@@ -0,0 +1,239 @@
/**
* hash-to-curve from RFC 9380.
* Hashes arbitrary-length byte strings to a list of one or more elements of a finite field F.
* https://www.rfc-editor.org/rfc/rfc9380
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import type { CHash, TArg, TRet } from '../utils.ts';
import type { AffinePoint, PC_ANY, PC_F, PC_P } from './curve.ts';
import { type IField } from './modular.ts';
/** ASCII domain-separation tag or raw bytes. */
export type AsciiOrBytes = string | Uint8Array;
type H2CDefaults = {
DST: AsciiOrBytes;
expand: 'xmd' | 'xof';
hash: CHash;
p: bigint;
m: number;
k: number;
encodeDST?: AsciiOrBytes;
};
/**
* * `DST` is a domain separation tag, defined in section 2.2.5
* * `p` characteristic of F, where F is a finite field of characteristic p and order q = p^m
* * `m` is extension degree (1 for prime fields)
* * `k` is the target security target in bits (e.g. 128), from section 5.1
* * `expand` is `xmd` (SHA2, SHA3, BLAKE) or `xof` (SHAKE, BLAKE-XOF)
* * `hash` conforming to `utils.CHash` interface, with `outputLen` / `blockLen` props
*/
export type H2COpts = {
/** Domain separation tag. */
DST: AsciiOrBytes;
/** Expander family used by RFC 9380. */
expand: 'xmd' | 'xof';
/** Hash or XOF implementation used by the expander. */
hash: CHash;
/** Base-field characteristic. */
p: bigint;
/** Extension degree (`1` for prime fields). */
m: number;
/** Target security level in bits. */
k: number;
};
/** Hash-only subset of RFC 9380 options used by per-call overrides. */
export type H2CHashOpts = {
/** Expander family used by RFC 9380. */
expand: 'xmd' | 'xof';
/** Hash or XOF implementation used by the expander. */
hash: CHash;
};
/**
* Map one hash-to-field output tuple onto affine curve coordinates.
* Implementations receive the validated scalar tuple by reference for performance and MUST treat it
* as read-only. Callers that need scratch space should copy before mutating.
* @param scalar - Field-element tuple produced by `hash_to_field`.
* @returns Affine point before subgroup clearing.
*/
export type MapToCurve<T> = (scalar: bigint[]) => AffinePoint<T>;
/** Per-call override for the domain-separation tag. */
export type H2CDSTOpts = {
/** Domain-separation tag override. */
DST: AsciiOrBytes;
};
/** Base hash-to-curve helpers shared by `hashToCurve` and `encodeToCurve`. */
export type H2CHasherBase<PC extends PC_ANY> = {
/**
* Hash arbitrary bytes to one curve point.
* @param msg - Input message bytes.
* @param options - Optional domain-separation override. See {@link H2CDSTOpts}.
* @returns Curve point after hash-to-curve.
*/
hashToCurve(msg: TArg<Uint8Array>, options?: TArg<H2CDSTOpts>): PC_P<PC>;
/**
* Hash arbitrary bytes to one scalar.
* @param msg - Input message bytes.
* @param options - Optional domain-separation override. See {@link H2CDSTOpts}.
* @returns Scalar reduced into the target field.
*/
hashToScalar(msg: TArg<Uint8Array>, options?: TArg<H2CDSTOpts>): bigint;
/**
* Derive one curve point from non-uniform bytes without the random-oracle
* guarantees of `hashToCurve`.
* Accepts the same arguments as `hashToCurve`, but runs the encode-to-curve
* path instead of the random-oracle construction.
*/
deriveToCurve?(msg: TArg<Uint8Array>, options?: TArg<H2CDSTOpts>): PC_P<PC>;
/** Point constructor for the target curve. */
Point: PC;
};
/**
* RFC 9380 methods, with cofactor clearing. See {@link https://www.rfc-editor.org/rfc/rfc9380#section-3 | RFC 9380 section 3}.
*
* * hashToCurve: `map(hash(input))`, encodes RANDOM bytes to curve (WITH hashing)
* * encodeToCurve: `map(hash(input))`, encodes NON-UNIFORM bytes to curve (WITH hashing)
* * mapToCurve: `map(scalars)`, encodes NON-UNIFORM scalars to curve (NO hashing)
*/
export type H2CHasher<PC extends PC_ANY> = H2CHasherBase<PC> & {
/**
* Encode non-uniform bytes to one curve point.
* @param msg - Input message bytes.
* @param options - Optional domain-separation override. See {@link H2CDSTOpts}.
* @returns Curve point after encode-to-curve.
*/
encodeToCurve(msg: TArg<Uint8Array>, options?: TArg<H2CDSTOpts>): PC_P<PC>;
/** Deterministic map from `hash_to_field` tuples into affine coordinates. */
mapToCurve: MapToCurve<PC_F<PC>>;
/** Default RFC 9380 options captured by this hasher bundle. */
defaults: H2CDefaults;
};
/**
* Produces a uniformly random byte string using a cryptographic hash
* function H that outputs b bits.
* See {@link https://www.rfc-editor.org/rfc/rfc9380#section-5.3.1 | RFC 9380 section 5.3.1}.
* @param msg - Input message.
* @param DST - Domain separation tag. This helper normalizes DST, rejects empty DSTs, and
* oversize-hashes DST when needed.
* @param lenInBytes - Output length.
* @param H - Hash function.
* @returns Uniform byte string.
* @throws If the message, DST, hash, or output length is invalid. {@link Error}
* @example
* Expand one message into uniform bytes with the XMD construction.
*
* ```ts
* import { expand_message_xmd } from '@noble/curves/abstract/hash-to-curve.js';
* import { sha256 } from '@noble/hashes/sha2.js';
* const uniform = expand_message_xmd(new TextEncoder().encode('hello noble'), 'DST', 32, sha256);
* ```
*/
export declare function expand_message_xmd(msg: TArg<Uint8Array>, DST: TArg<AsciiOrBytes>, lenInBytes: number, H: TArg<CHash>): TRet<Uint8Array>;
/**
* Produces a uniformly random byte string using an extendable-output function (XOF) H.
* 1. The collision resistance of H MUST be at least k bits.
* 2. H MUST be an XOF that has been proved indifferentiable from
* a random oracle under a reasonable cryptographic assumption.
* See {@link https://www.rfc-editor.org/rfc/rfc9380#section-5.3.2 | RFC 9380 section 5.3.2}.
* @param msg - Input message.
* @param DST - Domain separation tag. This helper normalizes DST, rejects empty DSTs, and
* oversize-hashes DST when needed.
* @param lenInBytes - Output length.
* @param k - Target security level.
* @param H - XOF hash function.
* @returns Uniform byte string.
* @throws If the message, DST, XOF, or output length is invalid. {@link Error}
* @example
* Expand one message into uniform bytes with the XOF construction.
*
* ```ts
* import { expand_message_xof } from '@noble/curves/abstract/hash-to-curve.js';
* import { shake256 } from '@noble/hashes/sha3.js';
* const uniform = expand_message_xof(
* new TextEncoder().encode('hello noble'),
* 'DST',
* 32,
* 128,
* shake256
* );
* ```
*/
export declare function expand_message_xof(msg: TArg<Uint8Array>, DST: TArg<AsciiOrBytes>, lenInBytes: number, k: number, H: TArg<CHash>): TRet<Uint8Array>;
/**
* Hashes arbitrary-length byte strings to a list of one or more elements of a finite field F.
* See {@link https://www.rfc-editor.org/rfc/rfc9380#section-5.2 | RFC 9380 section 5.2}.
* @param msg - Input message bytes.
* @param count - Number of field elements to derive. Must be `>= 1`.
* @param options - RFC 9380 options. See {@link H2COpts}. `m` must be `>= 1`.
* @returns `[u_0, ..., u_(count - 1)]`, a list of field elements.
* @throws If the expander choice or RFC 9380 options are invalid. {@link Error}
* @example
* Hash one message into field elements before mapping it onto a curve.
*
* ```ts
* import { hash_to_field } from '@noble/curves/abstract/hash-to-curve.js';
* import { sha256 } from '@noble/hashes/sha2.js';
* const scalars = hash_to_field(new TextEncoder().encode('hello noble'), 2, {
* DST: 'DST',
* p: 17n,
* m: 1,
* k: 128,
* expand: 'xmd',
* hash: sha256,
* });
* ```
*/
export declare function hash_to_field(msg: TArg<Uint8Array>, count: number, options: TArg<H2COpts>): bigint[][];
type XY<T> = (x: T, y: T) => {
x: T;
y: T;
};
type XYRatio<T> = [T[], T[], T[], T[]];
/**
* @param field - Field implementation.
* @param map - Isogeny coefficients.
* @returns Isogeny mapping helper.
* @example
* Build one rational isogeny map, then apply it to affine x/y coordinates.
*
* ```ts
* import { isogenyMap } from '@noble/curves/abstract/hash-to-curve.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const iso = isogenyMap(Fp, [[0n, 1n], [1n], [1n], [1n]]);
* const point = iso(3n, 5n);
* ```
*/
export declare function isogenyMap<T, F extends IField<T>>(field: F, map: XYRatio<T>): XY<T>;
export declare const _DST_scalar: "HashToScalar-";
/**
* Creates hash-to-curve methods from EC Point and mapToCurve function. See {@link H2CHasher}.
* @param Point - Point constructor.
* @param mapToCurve - Map-to-curve function.
* @param defaults - Default hash-to-curve options. This object is frozen in place and reused as
* the shared defaults bundle for the returned helpers.
* @returns Hash-to-curve helper namespace.
* @throws If the map-to-curve callback or default hash-to-curve options are invalid. {@link Error}
* @example
* Bundle hash-to-curve, hash-to-scalar, and encode-to-curve helpers for one curve.
*
* ```ts
* import { createHasher } from '@noble/curves/abstract/hash-to-curve.js';
* import { p256 } from '@noble/curves/nist.js';
* import { sha256 } from '@noble/hashes/sha2.js';
* const hasher = createHasher(p256.Point, () => p256.Point.BASE.toAffine(), {
* DST: 'P256_XMD:SHA-256_SSWU_RO_',
* encodeDST: 'P256_XMD:SHA-256_SSWU_NU_',
* p: p256.Point.Fp.ORDER,
* m: 1,
* k: 128,
* expand: 'xmd',
* hash: sha256,
* });
* const point = hasher.encodeToCurve(new TextEncoder().encode('hello noble'));
* ```
*/
export declare function createHasher<PC extends PC_ANY>(Point: PC, mapToCurve: MapToCurve<PC_F<PC>>, defaults: TArg<H2COpts & {
encodeDST?: AsciiOrBytes;
}>): H2CHasher<PC>;
export {};
//# sourceMappingURL=hash-to-curve.d.ts.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/hash-to-curve.d.ts.map
Generated Vendored
+1
View File
@@ -0,0 +1 @@
{"version":3,"file":"hash-to-curve.d.ts","sourceRoot":"","sources":["../src/abstract/hash-to-curve.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,sEAAsE;AACtE,OAAO,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,aAAa,CAAC;AAWrD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAClE,OAAO,EAAsB,KAAK,MAAM,EAAE,MAAM,cAAc,CAAC;AAE/D,gDAAgD;AAChD,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,UAAU,CAAC;AAC/C,KAAK,WAAW,GAAG;IACjB,GAAG,EAAE,YAAY,CAAC;IAClB,MAAM,EAAE,KAAK,GAAG,KAAK,CAAC;IACtB,IAAI,EAAE,KAAK,CAAC;IACZ,CAAC,EAAE,MAAM,CAAC;IACV,CAAC,EAAE,MAAM,CAAC;IACV,CAAC,EAAE,MAAM,CAAC;IACV,SAAS,CAAC,EAAE,YAAY,CAAC;CAC1B,CAAC;AAEF;;;;;;;GAOG;AACH,MAAM,MAAM,OAAO,GAAG;IACpB,6BAA6B;IAC7B,GAAG,EAAE,YAAY,CAAC;IAClB,wCAAwC;IACxC,MAAM,EAAE,KAAK,GAAG,KAAK,CAAC;IACtB,uDAAuD;IACvD,IAAI,EAAE,KAAK,CAAC;IACZ,iCAAiC;IACjC,CAAC,EAAE,MAAM,CAAC;IACV,+CAA+C;IAC/C,CAAC,EAAE,MAAM,CAAC;IACV,qCAAqC;IACrC,CAAC,EAAE,MAAM,CAAC;CACX,CAAC;AACF,uEAAuE;AACvE,MAAM,MAAM,WAAW,GAAG;IACxB,wCAAwC;IACxC,MAAM,EAAE,KAAK,GAAG,KAAK,CAAC;IACtB,uDAAuD;IACvD,IAAI,EAAE,KAAK,CAAC;CACb,CAAC;AACF;;;;;;GAMG;AACH,MAAM,MAAM,UAAU,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,WAAW,CAAC,CAAC,CAAC,CAAC;AAIjE,uDAAuD;AACvD,MAAM,MAAM,UAAU,GAAG;IACvB,sCAAsC;IACtC,GAAG,EAAE,YAAY,CAAC;CACnB,CAAC;AACF,8EAA8E;AAC9E,MAAM,MAAM,aAAa,CAAC,EAAE,SAAS,MAAM,IAAI;IAC7C;;;;;OAKG;IACH,WAAW,CAAC,GAAG,EAAE,IAAI,CAAC,UAAU,CAAC,EAAE,OAAO,CAAC,EAAE,IAAI,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC;IACzE;;;;;OAKG;IACH,YAAY,CAAC,GAAG,EAAE,IAAI,CAAC,UAAU,CAAC,EAAE,OAAO,CAAC,EAAE,IAAI,CAAC,UAAU,CAAC,GAAG,MAAM,CAAC;IACxE;;;;;OAKG;IACH,aAAa,CAAC,CAAC,GAAG,EAAE,IAAI,CAAC,UAAU,CAAC,EAAE,OAAO,CAAC,EAAE,IAAI,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC;IAC5E,8CAA8C;IAC9C,KAAK,EAAE,EAAE,CAAC;CACX,CAAC;AACF;;;;;;GAMG;AACH,MAAM,MAAM,SAAS,CAAC,EAAE,SAAS,MAAM,IAAI,aAAa,CAAC,EAAE,CAAC,GAAG;IAC7D;;;;;OAKG;IACH,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC,UAAU,CAAC,EAAE,OAAO,CAAC,EAAE,IAAI,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC;IAC3E,6EAA6E;IAC7E,UAAU,EAAE,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;IACjC,+DAA+D;IAC/D,QAAQ,EAAE,WAAW,CAAC;CACvB,CAAC;AAyCF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,kBAAkB,CAChC,GAAG,EAAE,IAAI,CAAC,UAAU,CAAC,EACrB,GAAG,EAAE,IAAI,CAAC,YAAY,CAAC,EACvB,UAAU,EAAE,MAAM,EAClB,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,GACb,IAAI,CAAC,UAAU,CAAC,CAwBlB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,wBAAgB,kBAAkB,CAChC,GAAG,EAAE,IAAI,CAAC,UAAU,CAAC,EACrB,GAAG,EAAE,IAAI,CAAC,YAAY,CAAC,EACvB,UAAU,EAAE,MAAM,EAClB,CAAC,EAAE,MAAM,EACT,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,GACb,IAAI,CAAC,UAAU,CAAC,CAqBlB;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,aAAa,CAC3B,GAAG,EAAE,IAAI,CAAC,UAAU,CAAC,EACrB,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,GACrB,MAAM,EAAE,EAAE,CAwCZ;AAED,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,KAAK;IAAE,CAAC,EAAE,CAAC,CAAC;IAAC,CAAC,EAAE,CAAC,CAAA;CAAE,CAAC;AAC5C,KAAK,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;AACvC;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,UAAU,CAAC,CAAC,EAAE,CAAC,SAAS,MAAM,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAiBnF;AAOD,eAAO,MAAM,WAAW,EAAG,eAAwB,CAAC;AAEpD;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAgB,YAAY,CAAC,EAAE,SAAS,MAAM,EAC5C,KAAK,EAAE,EAAE,EACT,UAAU,EAAE,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,EAChC,QAAQ,EAAE,IAAI,CAAC,OAAO,GAAG;IAAE,SAAS,CAAC,EAAE,YAAY,CAAA;CAAE,CAAC,GACrD,SAAS,CAAC,EAAE,CAAC,CAyEf"}
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/hash-to-curve.js
Generated Vendored
+346
View File
@@ -0,0 +1,346 @@
import { abytes, asafenumber, asciiToBytes, bytesToNumberBE, copyBytes, concatBytes, isBytes, validateObject, } from "../utils.js";
import { FpInvertBatch, mod } from "./modular.js";
// Octet Stream to Integer. "spec" implementation of os2ip is 2.5x slower vs bytesToNumberBE.
const os2ip = bytesToNumberBE;
// Integer to Octet Stream (numberToBytesBE).
function i2osp(value, length) {
asafenumber(value);
asafenumber(length);
// This helper stays on the JS bitwise/u32 fast-path. Callers that need wider encodings should
// use bigint + numberToBytesBE instead of routing large widths through this small helper.
if (length < 0 || length > 4)
throw new Error('invalid I2OSP length: ' + length);
if (value < 0 || value > 2 ** (8 * length) - 1)
throw new Error('invalid I2OSP input: ' + value);
const res = Array.from({ length }).fill(0);
for (let i = length - 1; i >= 0; i--) {
res[i] = value & 0xff;
value >>>= 8;
}
return new Uint8Array(res);
}
// RFC 9380 only applies strxor() to equal-length strings; callers must preserve that invariant.
function strxor(a, b) {
const arr = new Uint8Array(a.length);
for (let i = 0; i < a.length; i++) {
arr[i] = a[i] ^ b[i];
}
return arr;
}
// User can always use utf8 if they want, by passing Uint8Array.
// If string is passed, we treat it as ASCII: other formats are likely a mistake.
function normDST(DST) {
if (!isBytes(DST) && typeof DST !== 'string')
throw new Error('DST must be Uint8Array or ascii string');
const dst = typeof DST === 'string' ? asciiToBytes(DST) : DST;
// RFC 9380 §3.1 requirement 2: tags "MUST have nonzero length".
if (dst.length === 0)
throw new Error('DST must be non-empty');
return dst;
}
/**
* Produces a uniformly random byte string using a cryptographic hash
* function H that outputs b bits.
* See {@link https://www.rfc-editor.org/rfc/rfc9380#section-5.3.1 | RFC 9380 section 5.3.1}.
* @param msg - Input message.
* @param DST - Domain separation tag. This helper normalizes DST, rejects empty DSTs, and
* oversize-hashes DST when needed.
* @param lenInBytes - Output length.
* @param H - Hash function.
* @returns Uniform byte string.
* @throws If the message, DST, hash, or output length is invalid. {@link Error}
* @example
* Expand one message into uniform bytes with the XMD construction.
*
* ```ts
* import { expand_message_xmd } from '@noble/curves/abstract/hash-to-curve.js';
* import { sha256 } from '@noble/hashes/sha2.js';
* const uniform = expand_message_xmd(new TextEncoder().encode('hello noble'), 'DST', 32, sha256);
* ```
*/
export function expand_message_xmd(msg, DST, lenInBytes, H) {
abytes(msg);
asafenumber(lenInBytes);
DST = normDST(DST);
// https://www.rfc-editor.org/rfc/rfc9380#section-5.3.3
if (DST.length > 255)
DST = H(concatBytes(asciiToBytes('H2C-OVERSIZE-DST-'), DST));
const { outputLen: b_in_bytes, blockLen: r_in_bytes } = H;
const ell = Math.ceil(lenInBytes / b_in_bytes);
if (lenInBytes > 65535 || ell > 255)
throw new Error('expand_message_xmd: invalid lenInBytes');
const DST_prime = concatBytes(DST, i2osp(DST.length, 1));
const Z_pad = new Uint8Array(r_in_bytes); // RFC 9380: Z_pad = I2OSP(0, s_in_bytes)
const l_i_b_str = i2osp(lenInBytes, 2); // len_in_bytes_str
const b = new Array(ell);
const b_0 = H(concatBytes(Z_pad, msg, l_i_b_str, i2osp(0, 1), DST_prime));
b[0] = H(concatBytes(b_0, i2osp(1, 1), DST_prime));
// `b[0]` already stores RFC `b_1`, so only derive `b_2..b_ell` here. The old `<= ell`
// loop computed one extra tail block, which was usually sliced away but broke at max `ell=255`
// by reaching `I2OSP(256, 1)`.
for (let i = 1; i < ell; i++) {
const args = [strxor(b_0, b[i - 1]), i2osp(i + 1, 1), DST_prime];
b[i] = H(concatBytes(...args));
}
const pseudo_random_bytes = concatBytes(...b);
return pseudo_random_bytes.slice(0, lenInBytes);
}
/**
* Produces a uniformly random byte string using an extendable-output function (XOF) H.
* 1. The collision resistance of H MUST be at least k bits.
* 2. H MUST be an XOF that has been proved indifferentiable from
* a random oracle under a reasonable cryptographic assumption.
* See {@link https://www.rfc-editor.org/rfc/rfc9380#section-5.3.2 | RFC 9380 section 5.3.2}.
* @param msg - Input message.
* @param DST - Domain separation tag. This helper normalizes DST, rejects empty DSTs, and
* oversize-hashes DST when needed.
* @param lenInBytes - Output length.
* @param k - Target security level.
* @param H - XOF hash function.
* @returns Uniform byte string.
* @throws If the message, DST, XOF, or output length is invalid. {@link Error}
* @example
* Expand one message into uniform bytes with the XOF construction.
*
* ```ts
* import { expand_message_xof } from '@noble/curves/abstract/hash-to-curve.js';
* import { shake256 } from '@noble/hashes/sha3.js';
* const uniform = expand_message_xof(
* new TextEncoder().encode('hello noble'),
* 'DST',
* 32,
* 128,
* shake256
* );
* ```
*/
export function expand_message_xof(msg, DST, lenInBytes, k, H) {
abytes(msg);
asafenumber(lenInBytes);
DST = normDST(DST);
// https://www.rfc-editor.org/rfc/rfc9380#section-5.3.3
// RFC 9380 §5.3.3: DST = H("H2C-OVERSIZE-DST-" || a_very_long_DST, ceil(2 * k / 8)).
if (DST.length > 255) {
const dkLen = Math.ceil((2 * k) / 8);
DST = H.create({ dkLen }).update(asciiToBytes('H2C-OVERSIZE-DST-')).update(DST).digest();
}
if (lenInBytes > 65535 || DST.length > 255)
throw new Error('expand_message_xof: invalid lenInBytes');
return (H.create({ dkLen: lenInBytes })
.update(msg)
.update(i2osp(lenInBytes, 2))
// 2. DST_prime = DST || I2OSP(len(DST), 1)
.update(DST)
.update(i2osp(DST.length, 1))
.digest());
}
/**
* Hashes arbitrary-length byte strings to a list of one or more elements of a finite field F.
* See {@link https://www.rfc-editor.org/rfc/rfc9380#section-5.2 | RFC 9380 section 5.2}.
* @param msg - Input message bytes.
* @param count - Number of field elements to derive. Must be `>= 1`.
* @param options - RFC 9380 options. See {@link H2COpts}. `m` must be `>= 1`.
* @returns `[u_0, ..., u_(count - 1)]`, a list of field elements.
* @throws If the expander choice or RFC 9380 options are invalid. {@link Error}
* @example
* Hash one message into field elements before mapping it onto a curve.
*
* ```ts
* import { hash_to_field } from '@noble/curves/abstract/hash-to-curve.js';
* import { sha256 } from '@noble/hashes/sha2.js';
* const scalars = hash_to_field(new TextEncoder().encode('hello noble'), 2, {
* DST: 'DST',
* p: 17n,
* m: 1,
* k: 128,
* expand: 'xmd',
* hash: sha256,
* });
* ```
*/
export function hash_to_field(msg, count, options) {
validateObject(options, {
p: 'bigint',
m: 'number',
k: 'number',
hash: 'function',
});
const { p, k, m, hash, expand, DST } = options;
asafenumber(hash.outputLen, 'valid hash');
abytes(msg);
asafenumber(count);
// RFC 9380 §5.2 defines hash_to_field over a list of one or more field elements and requires
// extension degree `m >= 1`; rejecting here avoids degenerate `[]` / `[[]]` helper outputs.
if (count < 1)
throw new Error('hash_to_field: expected count >= 1');
if (m < 1)
throw new Error('hash_to_field: expected m >= 1');
const log2p = p.toString(2).length;
const L = Math.ceil((log2p + k) / 8); // section 5.1 of ietf draft link above
const len_in_bytes = count * m * L;
let prb; // pseudo_random_bytes
if (expand === 'xmd') {
prb = expand_message_xmd(msg, DST, len_in_bytes, hash);
}
else if (expand === 'xof') {
prb = expand_message_xof(msg, DST, len_in_bytes, k, hash);
}
else if (expand === '_internal_pass') {
// for internal tests only
prb = msg;
}
else {
throw new Error('expand must be "xmd" or "xof"');
}
const u = new Array(count);
for (let i = 0; i < count; i++) {
const e = new Array(m);
for (let j = 0; j < m; j++) {
const elm_offset = L * (j + i * m);
const tv = prb.subarray(elm_offset, elm_offset + L);
e[j] = mod(os2ip(tv), p);
}
u[i] = e;
}
return u;
}
/**
* @param field - Field implementation.
* @param map - Isogeny coefficients.
* @returns Isogeny mapping helper.
* @example
* Build one rational isogeny map, then apply it to affine x/y coordinates.
*
* ```ts
* import { isogenyMap } from '@noble/curves/abstract/hash-to-curve.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const iso = isogenyMap(Fp, [[0n, 1n], [1n], [1n], [1n]]);
* const point = iso(3n, 5n);
* ```
*/
export function isogenyMap(field, map) {
// Make same order as in spec
const coeff = map.map((i) => Array.from(i).reverse());
return (x, y) => {
const [xn, xd, yn, yd] = coeff.map((val) => val.reduce((acc, i) => field.add(field.mul(acc, x), i)));
// RFC 9380 §6.6.3 / Appendix E: denominator-zero exceptional cases must
// return the identity on E.
// Shipped Weierstrass consumers encode that affine identity as all-zero
// coordinates, so `passZero=true` intentionally collapses zero
// denominators to `{ x: 0, y: 0 }`.
const [xd_inv, yd_inv] = FpInvertBatch(field, [xd, yd], true);
x = field.mul(xn, xd_inv); // xNum / xDen
y = field.mul(y, field.mul(yn, yd_inv)); // y * (yNum / yDev)
return { x, y };
};
}
// Keep the shared DST removable when the selected bundle never hashes to scalar.
// Callers that need protocol-specific scalar domain separation must override this generic default.
// RFC 9497 §§4.1-4.5 use this ASCII prefix before appending the ciphersuite context string.
// Export a string instead of mutable bytes so callers cannot poison default hash-to-scalar behavior
// by mutating a shared Uint8Array in place.
export const _DST_scalar = 'HashToScalar-';
/**
* Creates hash-to-curve methods from EC Point and mapToCurve function. See {@link H2CHasher}.
* @param Point - Point constructor.
* @param mapToCurve - Map-to-curve function.
* @param defaults - Default hash-to-curve options. This object is frozen in place and reused as
* the shared defaults bundle for the returned helpers.
* @returns Hash-to-curve helper namespace.
* @throws If the map-to-curve callback or default hash-to-curve options are invalid. {@link Error}
* @example
* Bundle hash-to-curve, hash-to-scalar, and encode-to-curve helpers for one curve.
*
* ```ts
* import { createHasher } from '@noble/curves/abstract/hash-to-curve.js';
* import { p256 } from '@noble/curves/nist.js';
* import { sha256 } from '@noble/hashes/sha2.js';
* const hasher = createHasher(p256.Point, () => p256.Point.BASE.toAffine(), {
* DST: 'P256_XMD:SHA-256_SSWU_RO_',
* encodeDST: 'P256_XMD:SHA-256_SSWU_NU_',
* p: p256.Point.Fp.ORDER,
* m: 1,
* k: 128,
* expand: 'xmd',
* hash: sha256,
* });
* const point = hasher.encodeToCurve(new TextEncoder().encode('hello noble'));
* ```
*/
export function createHasher(Point, mapToCurve, defaults) {
if (typeof mapToCurve !== 'function')
throw new Error('mapToCurve() must be defined');
// `Point` is intentionally not shape-validated eagerly here: point constructors vary across
// curve families, so this helper only checks the hooks it can validate cheaply. Misconfigured
// suites fail later when hashing first touches Point.fromAffine / Point.ZERO / clearCofactor().
const snapshot = (src) => Object.freeze({
...src,
DST: isBytes(src.DST) ? copyBytes(src.DST) : src.DST,
...(src.encodeDST === undefined
? {}
: { encodeDST: isBytes(src.encodeDST) ? copyBytes(src.encodeDST) : src.encodeDST }),
});
// Keep one private defaults snapshot for actual hashing and expose fresh
// detached snapshots via the public getter.
// Otherwise a caller could mutate `hasher.defaults.DST` in place and poison
// the singleton hasher for every other consumer in the same process.
const safeDefaults = snapshot(defaults);
function map(num) {
return Point.fromAffine(mapToCurve(num));
}
function clear(initial) {
const P = initial.clearCofactor();
// Keep ZERO as the algebraic cofactor-clearing result here; strict public point-validity
// surfaces may still reject it later, but createHasher.clear() itself is not that boundary.
if (P.equals(Point.ZERO))
return Point.ZERO;
P.assertValidity();
return P;
}
return Object.freeze({
get defaults() {
return snapshot(safeDefaults);
},
Point,
hashToCurve(msg, options) {
const opts = Object.assign({}, safeDefaults, options);
const u = hash_to_field(msg, 2, opts);
const u0 = map(u[0]);
const u1 = map(u[1]);
return clear(u0.add(u1));
},
encodeToCurve(msg, options) {
const optsDst = safeDefaults.encodeDST ? { DST: safeDefaults.encodeDST } : {};
const opts = Object.assign({}, safeDefaults, optsDst, options);
const u = hash_to_field(msg, 1, opts);
const u0 = map(u[0]);
return clear(u0);
},
/** See {@link H2CHasher} */
mapToCurve(scalars) {
// Curves with m=1 accept only single scalar
if (safeDefaults.m === 1) {
if (typeof scalars !== 'bigint')
throw new Error('expected bigint (m=1)');
return clear(map([scalars]));
}
if (!Array.isArray(scalars))
throw new Error('expected array of bigints');
for (const i of scalars)
if (typeof i !== 'bigint')
throw new Error('expected array of bigints');
return clear(map(scalars));
},
// hash_to_scalar can produce 0: https://www.rfc-editor.org/errata/eid8393
// RFC 9380, draft-irtf-cfrg-bbs-signatures-08. Default scalar DST is the shared generic
// `HashToScalar-` prefix above unless the caller overrides it per invocation.
hashToScalar(msg, options) {
// @ts-ignore
const N = Point.Fn.ORDER;
const opts = Object.assign({}, safeDefaults, { p: N, m: 1, DST: _DST_scalar }, options);
return hash_to_field(msg, 1, opts)[0][0];
},
});
}
//# sourceMappingURL=hash-to-curve.js.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/hash-to-curve.js.map
Generated Vendored
+1
View File
File diff suppressed because one or more lines are too long
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/modular.d.ts
Generated Vendored
+551
View File
@@ -0,0 +1,551 @@
/**
* Utils for modular division and fields.
* Field over 11 is a finite (Galois) field is integer number operations `mod 11`.
* There is no division: it is replaced by modular multiplicative inverse.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { type TArg, type TRet } from '../utils.ts';
/**
* @param a - Dividend value.
* @param b - Positive modulus.
* @returns Reduced value in `[0, b)` only when `b` is positive.
* @throws If the modulus is not positive. {@link Error}
* @example
* Normalize a bigint into one field residue.
*
* ```ts
* mod(-1n, 5n);
* ```
*/
export declare function mod(a: bigint, b: bigint): bigint;
/**
* Efficiently raise num to a power with modular reduction.
* Unsafe in some contexts: uses ladder, so can expose bigint bits.
* Low-level helper: callers that need canonical residues must pass a valid `num` for the chosen
* modulus instead of relying on the `power===0/1` fast paths to normalize it.
* @param num - Base value.
* @param power - Exponent value.
* @param modulo - Reduction modulus.
* @returns Modular exponentiation result.
* @throws If the modulus or exponent is invalid. {@link Error}
* @example
* Raise one bigint to a modular power.
*
* ```ts
* pow(2n, 6n, 11n) // 64n % 11n == 9n
* ```
*/
export declare function pow(num: bigint, power: bigint, modulo: bigint): bigint;
/**
* Does `x^(2^power)` mod p. `pow2(30, 4)` == `30^(2^4)`.
* Low-level helper: callers that need canonical residues must pass a valid `x` for the chosen
* modulus; the `power===0` fast path intentionally returns the input unchanged.
* @param x - Base value.
* @param power - Number of squarings.
* @param modulo - Reduction modulus.
* @returns Repeated-squaring result.
* @throws If the exponent is negative. {@link Error}
* @example
* Apply repeated squaring inside one field.
*
* ```ts
* pow2(3n, 2n, 11n);
* ```
*/
export declare function pow2(x: bigint, power: bigint, modulo: bigint): bigint;
/**
* Inverses number over modulo.
* Implemented using the {@link https://brilliant.org/wiki/extended-euclidean-algorithm/ | extended Euclidean algorithm}.
* @param number - Value to invert.
* @param modulo - Positive modulus.
* @returns Multiplicative inverse.
* @throws If the modulus is invalid or the inverse does not exist. {@link Error}
* @example
* Compute one modular inverse with the extended Euclidean algorithm.
*
* ```ts
* invert(3n, 11n);
* ```
*/
export declare function invert(number: bigint, modulo: bigint): bigint;
/**
* Tonelli-Shanks square root search algorithm.
* This implementation is variable-time: it searches data-dependently for the first non-residue `Z`
* and for the smallest `i` in the main loop, unlike RFC 9380 Appendix I.4's constant-time shape.
* 1. {@link https://eprint.iacr.org/2012/685.pdf | eprint 2012/685}, page 12
* 2. Square Roots from 1; 24, 51, 10 to Dan Shanks
* @param P - field order
* @returns function that takes field Fp (created from P) and number n
* @throws If the field is too small, non-prime, or the square root does not exist. {@link Error}
* @example
* Construct a square-root helper for primes that need Tonelli-Shanks.
*
* ```ts
* import { Field, tonelliShanks } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const sqrt = tonelliShanks(17n)(Fp, 4n);
* ```
*/
export declare function tonelliShanks(P: bigint): TRet<(<T>(Fp: IField<T>, n: T) => T)>;
/**
* Square root for a finite field. Will try optimized versions first:
*
* 1. P ≡ 3 (mod 4)
* 2. P ≡ 5 (mod 8)
* 3. P ≡ 9 (mod 16)
* 4. Tonelli-Shanks algorithm
*
* Different algorithms can give different roots, it is up to user to decide which one they want.
* For example there is FpSqrtOdd/FpSqrtEven to choose a root by oddness
* (used for hash-to-curve).
* @param P - Field order.
* @returns Square-root helper. The generic fallback inherits Tonelli-Shanks' variable-time
* behavior and this selector assumes prime-field-style integer moduli.
* @throws If the field is unsupported or the square root does not exist. {@link Error}
* @example
* Choose the square-root helper appropriate for one field modulus.
*
* ```ts
* import { Field, FpSqrt } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const sqrt = FpSqrt(17n)(Fp, 4n);
* ```
*/
export declare function FpSqrt(P: bigint): TRet<(<T>(Fp: IField<T>, n: T) => T)>;
/**
* @param num - Value to inspect.
* @param modulo - Field modulus.
* @returns `true` when the least-significant little-endian bit is set.
* @throws If the modulus is invalid for `mod(...)`. {@link Error}
* @example
* Inspect the low bit used by little-endian sign conventions.
*
* ```ts
* isNegativeLE(3n, 11n);
* ```
*/
export declare const isNegativeLE: (num: bigint, modulo: bigint) => boolean;
/** Generic field interface used by prime and extension fields alike.
* Generic helpers treat field operations as pure functions: implementations MUST treat provided
* values/byte buffers as read-only and return detached results instead of mutating arguments.
*/
export interface IField<T> {
/** Field order `q`, which may be prime or a prime power. */
ORDER: bigint;
/** Canonical encoded byte length. */
BYTES: number;
/** Canonical encoded bit length. */
BITS: number;
/** Whether encoded field elements use little-endian bytes. */
isLE: boolean;
/** Additive identity. */
ZERO: T;
/** Multiplicative identity. */
ONE: T;
/**
* Normalize one value into the field.
* @param num - Input value.
* @returns Normalized field value.
*/
create: (num: T) => T;
/**
* Check whether one value already belongs to the field.
* @param num - Input value.
* Implementations may throw `TypeError` on malformed input types instead of returning `false`.
* @returns Whether the value already belongs to the field.
*/
isValid: (num: T) => boolean;
/**
* Check whether one value is zero.
* @param num - Input value.
* @returns Whether the value is zero.
*/
is0: (num: T) => boolean;
/**
* Check whether one value is non-zero and belongs to the field.
* @param num - Input value.
* Implementations may throw `TypeError` on malformed input types instead of returning `false`.
* @returns Whether the value is non-zero and valid.
*/
isValidNot0: (num: T) => boolean;
/**
* Negate one value.
* @param num - Input value.
* @returns Negated value.
*/
neg(num: T): T;
/**
* Invert one value multiplicatively.
* @param num - Input value.
* @returns Multiplicative inverse.
*/
inv(num: T): T;
/**
* Compute one square root when it exists.
* @param num - Input value.
* @returns Square root.
*/
sqrt(num: T): T;
/**
* Square one value.
* @param num - Input value.
* @returns Squared value.
*/
sqr(num: T): T;
/**
* Compare two field values.
* @param lhs - Left value.
* @param rhs - Right value.
* @returns Whether both values are equal.
*/
eql(lhs: T, rhs: T): boolean;
/**
* Add two normalized field values.
* @param lhs - Left value.
* @param rhs - Right value.
* @returns Sum value.
*/
add(lhs: T, rhs: T): T;
/**
* Subtract two normalized field values.
* @param lhs - Left value.
* @param rhs - Right value.
* @returns Difference value.
*/
sub(lhs: T, rhs: T): T;
/**
* Multiply two field values.
* @param lhs - Left value.
* @param rhs - Right value or scalar.
* @returns Product value.
*/
mul(lhs: T, rhs: T | bigint): T;
/**
* Raise one field value to a power.
* @param lhs - Base value.
* @param power - Exponent.
* @returns Power value.
*/
pow(lhs: T, power: bigint): T;
/**
* Divide one field value by another.
* @param lhs - Dividend.
* @param rhs - Divisor or scalar.
* @returns Quotient value.
*/
div(lhs: T, rhs: T | bigint): T;
/**
* Add two values without re-normalizing the result.
* @param lhs - Left value.
* @param rhs - Right value.
* @returns Non-normalized sum.
*/
addN(lhs: T, rhs: T): T;
/**
* Subtract two values without re-normalizing the result.
* @param lhs - Left value.
* @param rhs - Right value.
* @returns Non-normalized difference.
*/
subN(lhs: T, rhs: T): T;
/**
* Multiply two values without re-normalizing the result.
* @param lhs - Left value.
* @param rhs - Right value or scalar.
* @returns Non-normalized product.
*/
mulN(lhs: T, rhs: T | bigint): T;
/**
* Square one value without re-normalizing the result.
* @param num - Input value.
* @returns Non-normalized square.
*/
sqrN(num: T): T;
/**
* Return the RFC 9380 `sgn0`-style oddness bit when supported.
* This uses oddness instead of evenness so extension fields like Fp2 can expose the same hook.
* Returns whether the value is odd under the field encoding.
*/
isOdd?(num: T): boolean;
/**
* Invert many field elements in one batch.
* @param lst - Values to invert.
* @returns Batch of inverses.
*/
invertBatch: (lst: T[]) => T[];
/**
* Encode one field value into fixed-width bytes.
* Callers that need canonical encodings MUST supply a valid field element.
* Low-level protocols may also use this to serialize raw / non-canonical residues.
* @param num - Input value.
* @returns Fixed-width byte encoding.
*/
toBytes(num: T): Uint8Array;
/**
* Decode one field value from fixed-width bytes.
* @param bytes - Fixed-width byte encoding.
* @param skipValidation - Whether to skip range validation.
* Implementations MUST treat `bytes` as read-only.
* @returns Decoded field value.
*/
fromBytes(bytes: Uint8Array, skipValidation?: boolean): T;
/**
* Constant-time conditional move.
* @param a - Value used when the condition is false.
* @param b - Value used when the condition is true.
* @param c - Selection bit.
* @returns Selected value.
*/
cmov(a: T, b: T, c: boolean): T;
}
/**
* @param field - Field implementation.
* @returns Validated field. This only checks the arithmetic subset needed by generic helpers; it
* does not guarantee full runtime-method coverage for serialization, batching, `cmov`, or
* field-specific extras beyond positive `BYTES` / `BITS`.
* @throws If the field shape or numeric metadata are invalid. {@link Error}
* @example
* Check that a field implementation exposes the operations curve code expects.
*
* ```ts
* import { Field, validateField } from '@noble/curves/abstract/modular.js';
* const Fp = validateField(Field(17n));
* ```
*/
export declare function validateField<T>(field: TArg<IField<T>>): TRet<IField<T>>;
/**
* Same as `pow` but for Fp: non-constant-time.
* Unsafe in some contexts: uses ladder, so can expose bigint bits.
* @param Fp - Field implementation.
* @param num - Base value.
* @param power - Exponent value.
* @returns Powered field element.
* @throws If the exponent is negative. {@link Error}
* @example
* Raise one field element to a public exponent.
*
* ```ts
* import { Field, FpPow } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const x = FpPow(Fp, 3n, 5n);
* ```
*/
export declare function FpPow<T>(Fp: TArg<IField<T>>, num: T, power: bigint): T;
/**
* Efficiently invert an array of Field elements.
* Exception-free. Zero-valued field elements stay `undefined` unless `passZero` is enabled.
* @param Fp - Field implementation.
* @param nums - Values to invert.
* @param passZero - map 0 to 0 (instead of undefined)
* @returns Inverted values.
* @example
* Invert several field elements with one shared inversion.
*
* ```ts
* import { Field, FpInvertBatch } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const inv = FpInvertBatch(Fp, [1n, 2n, 4n]);
* ```
*/
export declare function FpInvertBatch<T>(Fp: TArg<IField<T>>, nums: T[], passZero?: boolean): T[];
/**
* @param Fp - Field implementation.
* @param lhs - Dividend value.
* @param rhs - Divisor value.
* @returns Division result.
* @throws If the divisor is non-invertible. {@link Error}
* @example
* Divide one field element by another.
*
* ```ts
* import { Field, FpDiv } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const x = FpDiv(Fp, 6n, 3n);
* ```
*/
export declare function FpDiv<T>(Fp: TArg<IField<T>>, lhs: T, rhs: T | bigint): T;
/**
* Legendre symbol.
* Legendre constant is used to calculate Legendre symbol (a | p)
* which denotes the value of a^((p-1)/2) (mod p).
*
* * (a | p) ≡ 1 if a is a square (mod p), quadratic residue
* * (a | p) ≡ -1 if a is not a square (mod p), quadratic non residue
* * (a | p) ≡ 0 if a ≡ 0 (mod p)
* @param Fp - Field implementation.
* @param n - Value to inspect.
* @returns Legendre symbol.
* @throws If the field returns an invalid Legendre symbol value. {@link Error}
* @example
* Compute the Legendre symbol of one field element.
*
* ```ts
* import { Field, FpLegendre } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const symbol = FpLegendre(Fp, 4n);
* ```
*/
export declare function FpLegendre<T>(Fp: TArg<IField<T>>, n: T): -1 | 0 | 1;
/**
* @param Fp - Field implementation.
* @param n - Value to inspect.
* @returns `true` when `Fp.sqrt(n)` exists. This includes `0`, even though strict "quadratic
* residue" terminology often reserves that name for the non-zero square class.
* @throws If the field returns an invalid Legendre symbol value. {@link Error}
* @example
* Check whether one field element has a square root in the field.
*
* ```ts
* import { Field, FpIsSquare } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const isSquare = FpIsSquare(Fp, 4n);
* ```
*/
export declare function FpIsSquare<T>(Fp: TArg<IField<T>>, n: T): boolean;
/** Byte and bit lengths derived from one scalar order. */
export type NLength = {
/** Canonical byte length. */
nByteLength: number;
/** Canonical bit length. */
nBitLength: number;
};
/**
* @param n - Curve order. Callers are expected to pass a positive order.
* @param nBitLength - Optional cached bit length. Callers are expected to pass a positive cached
* value when overriding the derived bit length.
* @returns Byte and bit lengths.
* @throws If the order or cached bit length is invalid. {@link Error}
* @example
* Measure the encoding sizes needed for one modulus.
*
* ```ts
* nLength(255n);
* ```
*/
export declare function nLength(n: bigint, nBitLength?: number): NLength;
type FpField = IField<bigint> & Required<Pick<IField<bigint>, 'isOdd'>>;
type SqrtFn = (n: bigint) => bigint;
type FieldOpts = Partial<{
isLE: boolean;
BITS: number;
sqrt: SqrtFn;
allowedLengths?: readonly number[];
modFromBytes: boolean;
}>;
/**
* Creates a finite field. Major performance optimizations:
* * 1. Denormalized operations like mulN instead of mul.
* * 2. Identical object shape: never add or remove keys.
* * 3. Frozen stable object shape; the lazy sqrt cache lives in a module-level `WeakMap`.
* Fragile: always run a benchmark on a change.
* Security note: operations and low-level serializers like `toBytes` don't check `isValid` for
* all elements for performance and protocol-flexibility reasons; callers are responsible for
* supplying valid elements when they need canonical field behavior.
* This is low-level code, please make sure you know what you're doing.
*
* Note about field properties:
* * CHARACTERISTIC p = prime number, number of elements in main subgroup.
* * ORDER q = similar to cofactor in curves, may be composite `q = p^m`.
*
* @param ORDER - field order, probably prime, or could be composite
* @param opts - Field options such as bit length or endianness. See {@link FieldOpts}.
* @returns Frozen field instance with a stable object shape. This wrapper forwards `opts` straight
* into `_Field`, so it inherits `_Field`'s assumptions about cached sizes and `allowedLengths`.
* @example
* Construct one prime field with optional overrides.
*
* ```ts
* Field(11n);
* ```
*/
export declare function Field(ORDER: bigint, opts?: FieldOpts): TRet<Readonly<FpField>>;
/**
* @param Fp - Field implementation.
* @param elm - Value to square-root.
* @returns Odd square root when two roots exist. The special case `elm = 0` still returns `0`,
* which is the only square root but is not odd.
* @throws If the field lacks oddness checks or the square root does not exist. {@link Error}
* @example
* Select the odd square root when two roots exist.
*
* ```ts
* import { Field, FpSqrtOdd } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const root = FpSqrtOdd(Fp, 4n);
* ```
*/
export declare function FpSqrtOdd<T>(Fp: TArg<IField<T>>, elm: T): T;
/**
* @param Fp - Field implementation.
* @param elm - Value to square-root.
* @returns Even square root.
* @throws If the field lacks oddness checks or the square root does not exist. {@link Error}
* @example
* Select the even square root when two roots exist.
*
* ```ts
* import { Field, FpSqrtEven } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const root = FpSqrtEven(Fp, 4n);
* ```
*/
export declare function FpSqrtEven<T>(Fp: TArg<IField<T>>, elm: T): T;
/**
* Returns total number of bytes consumed by the field element.
* For example, 32 bytes for usual 256-bit weierstrass curve.
* @param fieldOrder - number of field elements, usually CURVE.n. Callers are expected to pass an
* order greater than 1.
* @returns byte length of field
* @throws If the field order is not a bigint. {@link Error}
* @example
* Read the fixed-width byte length of one field.
*
* ```ts
* getFieldBytesLength(255n);
* ```
*/
export declare function getFieldBytesLength(fieldOrder: bigint): number;
/**
* Returns minimal amount of bytes that can be safely reduced
* by field order.
* Should be 2^-128 for 128-bit curve such as P256.
* This is the reduction / modulo-bias lower bound; higher-level helpers may still impose a larger
* absolute floor for policy reasons.
* @param fieldOrder - number of field elements greater than 1, usually CURVE.n.
* @returns byte length of target hash
* @throws If the field order is invalid. {@link Error}
* @example
* Compute the minimum hash length needed for field reduction.
*
* ```ts
* getMinHashLength(255n);
* ```
*/
export declare function getMinHashLength(fieldOrder: bigint): number;
/**
* "Constant-time" private key generation utility.
* Can take (n + n/2) or more bytes of uniform input e.g. from CSPRNG or KDF
* and convert them into private scalar, with the modulo bias being negligible.
* Needs at least 48 bytes of input for 32-byte private key. The implementation also keeps a hard
* 16-byte minimum even when `getMinHashLength(...)` is smaller, so toy-small inputs do not look
* accidentally acceptable for real scalar derivation.
* See {@link https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/ | Kudelski's modulo-bias guide},
* {@link https://csrc.nist.gov/publications/detail/fips/186/5/final | FIPS 186-5 appendix A.2}, and
* {@link https://www.rfc-editor.org/rfc/rfc9380#section-5 | RFC 9380 section 5}. Unlike RFC 9380
* `hash_to_field`, this helper intentionally maps into the non-zero private-scalar range `1..n-1`.
* @param key - Uniform input bytes.
* @param fieldOrder - Size of subgroup.
* @param isLE - interpret hash bytes as LE num
* @returns valid private scalar
* @throws If the hash length or field order is invalid for scalar reduction. {@link Error}
* @example
* Map hash output into a private scalar range.
*
* ```ts
* mapHashToField(new Uint8Array(48).fill(1), 255n);
* ```
*/
export declare function mapHashToField(key: TArg<Uint8Array>, fieldOrder: bigint, isLE?: boolean): TRet<Uint8Array>;
export {};
//# sourceMappingURL=modular.d.ts.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/modular.d.ts.map
Generated Vendored
+1
View File
File diff suppressed because one or more lines are too long
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/modular.js
Generated Vendored
+850
View File
@@ -0,0 +1,850 @@
/**
* Utils for modular division and fields.
* Field over 11 is a finite (Galois) field is integer number operations `mod 11`.
* There is no division: it is replaced by modular multiplicative inverse.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { abool, abytes, anumber, asafenumber, bitLen, bytesToNumberBE, bytesToNumberLE, numberToBytesBE, numberToBytesLE, validateObject, } from "../utils.js";
// Numbers aren't used in x25519 / x448 builds
// prettier-ignore
const _0n = /* @__PURE__ */ BigInt(0), _1n = /* @__PURE__ */ BigInt(1), _2n = /* @__PURE__ */ BigInt(2);
// prettier-ignore
const _3n = /* @__PURE__ */ BigInt(3), _4n = /* @__PURE__ */ BigInt(4), _5n = /* @__PURE__ */ BigInt(5);
// prettier-ignore
const _7n = /* @__PURE__ */ BigInt(7), _8n = /* @__PURE__ */ BigInt(8), _9n = /* @__PURE__ */ BigInt(9);
const _16n = /* @__PURE__ */ BigInt(16);
/**
* @param a - Dividend value.
* @param b - Positive modulus.
* @returns Reduced value in `[0, b)` only when `b` is positive.
* @throws If the modulus is not positive. {@link Error}
* @example
* Normalize a bigint into one field residue.
*
* ```ts
* mod(-1n, 5n);
* ```
*/
export function mod(a, b) {
if (b <= _0n)
throw new Error('mod: expected positive modulus, got ' + b);
const result = a % b;
return result >= _0n ? result : b + result;
}
/**
* Efficiently raise num to a power with modular reduction.
* Unsafe in some contexts: uses ladder, so can expose bigint bits.
* Low-level helper: callers that need canonical residues must pass a valid `num` for the chosen
* modulus instead of relying on the `power===0/1` fast paths to normalize it.
* @param num - Base value.
* @param power - Exponent value.
* @param modulo - Reduction modulus.
* @returns Modular exponentiation result.
* @throws If the modulus or exponent is invalid. {@link Error}
* @example
* Raise one bigint to a modular power.
*
* ```ts
* pow(2n, 6n, 11n) // 64n % 11n == 9n
* ```
*/
export function pow(num, power, modulo) {
return FpPow(Field(modulo), num, power);
}
/**
* Does `x^(2^power)` mod p. `pow2(30, 4)` == `30^(2^4)`.
* Low-level helper: callers that need canonical residues must pass a valid `x` for the chosen
* modulus; the `power===0` fast path intentionally returns the input unchanged.
* @param x - Base value.
* @param power - Number of squarings.
* @param modulo - Reduction modulus.
* @returns Repeated-squaring result.
* @throws If the exponent is negative. {@link Error}
* @example
* Apply repeated squaring inside one field.
*
* ```ts
* pow2(3n, 2n, 11n);
* ```
*/
export function pow2(x, power, modulo) {
if (power < _0n)
throw new Error('pow2: expected non-negative exponent, got ' + power);
let res = x;
while (power-- > _0n) {
res *= res;
res %= modulo;
}
return res;
}
/**
* Inverses number over modulo.
* Implemented using the {@link https://brilliant.org/wiki/extended-euclidean-algorithm/ | extended Euclidean algorithm}.
* @param number - Value to invert.
* @param modulo - Positive modulus.
* @returns Multiplicative inverse.
* @throws If the modulus is invalid or the inverse does not exist. {@link Error}
* @example
* Compute one modular inverse with the extended Euclidean algorithm.
*
* ```ts
* invert(3n, 11n);
* ```
*/
export function invert(number, modulo) {
if (number === _0n)
throw new Error('invert: expected non-zero number');
if (modulo <= _0n)
throw new Error('invert: expected positive modulus, got ' + modulo);
// Fermat's little theorem "CT-like" version inv(n) = n^(m-2) mod m is 30x slower.
let a = mod(number, modulo);
let b = modulo;
// prettier-ignore
let x = _0n, y = _1n, u = _1n, v = _0n;
while (a !== _0n) {
const q = b / a;
const r = b - a * q;
const m = x - u * q;
const n = y - v * q;
// prettier-ignore
b = a, a = r, x = u, y = v, u = m, v = n;
}
const gcd = b;
if (gcd !== _1n)
throw new Error('invert: does not exist');
return mod(x, modulo);
}
function assertIsSquare(Fp, root, n) {
const F = Fp;
if (!F.eql(F.sqr(root), n))
throw new Error('Cannot find square root');
}
// Not all roots are possible! Example which will throw:
// const NUM =
// n = 72057594037927816n;
// Fp = Field(BigInt('0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab'));
function sqrt3mod4(Fp, n) {
const F = Fp;
const p1div4 = (F.ORDER + _1n) / _4n;
const root = F.pow(n, p1div4);
assertIsSquare(F, root, n);
return root;
}
// Equivalent `q = 5 (mod 8)` square-root formula (Atkin-style), not the RFC Appendix I.2 CMOV
// pseudocode verbatim.
function sqrt5mod8(Fp, n) {
const F = Fp;
const p5div8 = (F.ORDER - _5n) / _8n;
const n2 = F.mul(n, _2n);
const v = F.pow(n2, p5div8);
const nv = F.mul(n, v);
const i = F.mul(F.mul(nv, _2n), v);
const root = F.mul(nv, F.sub(i, F.ONE));
assertIsSquare(F, root, n);
return root;
}
// Based on RFC9380, Kong algorithm
// prettier-ignore
function sqrt9mod16(P) {
const Fp_ = Field(P);
const tn = tonelliShanks(P);
const c1 = tn(Fp_, Fp_.neg(Fp_.ONE)); // 1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F
const c2 = tn(Fp_, c1); // 2. c2 = sqrt(c1) in F, i.e., (c2^2) == c1 in F
const c3 = tn(Fp_, Fp_.neg(c1)); // 3. c3 = sqrt(-c1) in F, i.e., (c3^2) == -c1 in F
const c4 = (P + _7n) / _16n; // 4. c4 = (q + 7) / 16 # Integer arithmetic
return ((Fp, n) => {
const F = Fp;
let tv1 = F.pow(n, c4); // 1. tv1 = x^c4
let tv2 = F.mul(tv1, c1); // 2. tv2 = c1 * tv1
const tv3 = F.mul(tv1, c2); // 3. tv3 = c2 * tv1
const tv4 = F.mul(tv1, c3); // 4. tv4 = c3 * tv1
const e1 = F.eql(F.sqr(tv2), n); // 5. e1 = (tv2^2) == x
const e2 = F.eql(F.sqr(tv3), n); // 6. e2 = (tv3^2) == x
tv1 = F.cmov(tv1, tv2, e1); // 7. tv1 = CMOV(tv1, tv2, e1) # Select tv2 if (tv2^2) == x
tv2 = F.cmov(tv4, tv3, e2); // 8. tv2 = CMOV(tv4, tv3, e2) # Select tv3 if (tv3^2) == x
const e3 = F.eql(F.sqr(tv2), n); // 9. e3 = (tv2^2) == x
const root = F.cmov(tv1, tv2, e3); // 10. z = CMOV(tv1, tv2, e3) # Select sqrt from tv1 & tv2
assertIsSquare(F, root, n);
return root;
});
}
/**
* Tonelli-Shanks square root search algorithm.
* This implementation is variable-time: it searches data-dependently for the first non-residue `Z`
* and for the smallest `i` in the main loop, unlike RFC 9380 Appendix I.4's constant-time shape.
* 1. {@link https://eprint.iacr.org/2012/685.pdf | eprint 2012/685}, page 12
* 2. Square Roots from 1; 24, 51, 10 to Dan Shanks
* @param P - field order
* @returns function that takes field Fp (created from P) and number n
* @throws If the field is too small, non-prime, or the square root does not exist. {@link Error}
* @example
* Construct a square-root helper for primes that need Tonelli-Shanks.
*
* ```ts
* import { Field, tonelliShanks } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const sqrt = tonelliShanks(17n)(Fp, 4n);
* ```
*/
export function tonelliShanks(P) {
// Initialization (precomputation).
// Caching initialization could boost perf by 7%.
if (P < _3n)
throw new Error('sqrt is not defined for small field');
// Factor P - 1 = Q * 2^S, where Q is odd
let Q = P - _1n;
let S = 0;
while (Q % _2n === _0n) {
Q /= _2n;
S++;
}
// Find the first quadratic non-residue Z >= 2
let Z = _2n;
const _Fp = Field(P);
while (FpLegendre(_Fp, Z) === 1) {
// Basic primality test for P. After x iterations, chance of
// not finding quadratic non-residue is 2^x, so 2^1000.
if (Z++ > 1000)
throw new Error('Cannot find square root: probably non-prime P');
}
// Fast-path; usually done before Z, but we do "primality test".
if (S === 1)
return sqrt3mod4;
// Slow-path
// TODO: test on Fp2 and others
let cc = _Fp.pow(Z, Q); // c = z^Q
const Q1div2 = (Q + _1n) / _2n;
return function tonelliSlow(Fp, n) {
const F = Fp;
if (F.is0(n))
return n;
// Check if n is a quadratic residue using Legendre symbol
if (FpLegendre(F, n) !== 1)
throw new Error('Cannot find square root');
// Initialize variables for the main loop
let M = S;
let c = F.mul(F.ONE, cc); // c = z^Q, move cc from field _Fp into field Fp
let t = F.pow(n, Q); // t = n^Q, first guess at the fudge factor
let R = F.pow(n, Q1div2); // R = n^((Q+1)/2), first guess at the square root
// Main loop
// while t != 1
while (!F.eql(t, F.ONE)) {
if (F.is0(t))
return F.ZERO; // if t=0 return R=0
let i = 1;
// Find the smallest i >= 1 such that t^(2^i) ≡ 1 (mod P)
let t_tmp = F.sqr(t); // t^(2^1)
while (!F.eql(t_tmp, F.ONE)) {
i++;
t_tmp = F.sqr(t_tmp); // t^(2^2)...
if (i === M)
throw new Error('Cannot find square root');
}
// Calculate the exponent for b: 2^(M - i - 1)
const exponent = _1n << BigInt(M - i - 1); // bigint is important
const b = F.pow(c, exponent); // b = 2^(M - i - 1)
// Update variables
M = i;
c = F.sqr(b); // c = b^2
t = F.mul(t, c); // t = (t * b^2)
R = F.mul(R, b); // R = R*b
}
return R;
};
}
/**
* Square root for a finite field. Will try optimized versions first:
*
* 1. P ≡ 3 (mod 4)
* 2. P ≡ 5 (mod 8)
* 3. P ≡ 9 (mod 16)
* 4. Tonelli-Shanks algorithm
*
* Different algorithms can give different roots, it is up to user to decide which one they want.
* For example there is FpSqrtOdd/FpSqrtEven to choose a root by oddness
* (used for hash-to-curve).
* @param P - Field order.
* @returns Square-root helper. The generic fallback inherits Tonelli-Shanks' variable-time
* behavior and this selector assumes prime-field-style integer moduli.
* @throws If the field is unsupported or the square root does not exist. {@link Error}
* @example
* Choose the square-root helper appropriate for one field modulus.
*
* ```ts
* import { Field, FpSqrt } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const sqrt = FpSqrt(17n)(Fp, 4n);
* ```
*/
export function FpSqrt(P) {
// P ≡ 3 (mod 4) => √n = n^((P+1)/4)
if (P % _4n === _3n)
return sqrt3mod4;
// P ≡ 5 (mod 8) => Atkin algorithm, page 10 of https://eprint.iacr.org/2012/685.pdf
if (P % _8n === _5n)
return sqrt5mod8;
// P ≡ 9 (mod 16) => Kong algorithm, page 11 of https://eprint.iacr.org/2012/685.pdf (algorithm 4)
if (P % _16n === _9n)
return sqrt9mod16(P);
// Tonelli-Shanks algorithm
return tonelliShanks(P);
}
/**
* @param num - Value to inspect.
* @param modulo - Field modulus.
* @returns `true` when the least-significant little-endian bit is set.
* @throws If the modulus is invalid for `mod(...)`. {@link Error}
* @example
* Inspect the low bit used by little-endian sign conventions.
*
* ```ts
* isNegativeLE(3n, 11n);
* ```
*/
export const isNegativeLE = (num, modulo) => (mod(num, modulo) & _1n) === _1n;
// prettier-ignore
// Arithmetic-only subset checked by validateField(). This is intentionally not the full runtime
// IField contract: helpers like `isValidNot0`, `invertBatch`, `toBytes`, `fromBytes`, `cmov`, and
// field-specific extras like `isOdd` are left to the callers that actually need them.
const FIELD_FIELDS = [
'create', 'isValid', 'is0', 'neg', 'inv', 'sqrt', 'sqr',
'eql', 'add', 'sub', 'mul', 'pow', 'div',
'addN', 'subN', 'mulN', 'sqrN'
];
/**
* @param field - Field implementation.
* @returns Validated field. This only checks the arithmetic subset needed by generic helpers; it
* does not guarantee full runtime-method coverage for serialization, batching, `cmov`, or
* field-specific extras beyond positive `BYTES` / `BITS`.
* @throws If the field shape or numeric metadata are invalid. {@link Error}
* @example
* Check that a field implementation exposes the operations curve code expects.
*
* ```ts
* import { Field, validateField } from '@noble/curves/abstract/modular.js';
* const Fp = validateField(Field(17n));
* ```
*/
export function validateField(field) {
const initial = {
ORDER: 'bigint',
BYTES: 'number',
BITS: 'number',
};
const opts = FIELD_FIELDS.reduce((map, val) => {
map[val] = 'function';
return map;
}, initial);
validateObject(field, opts);
// Runtime field implementations must expose real integer byte/bit sizes; fractional / NaN /
// infinite metadata leaks through validateObject(type='number') but breaks encoders and caches.
asafenumber(field.BYTES, 'BYTES');
asafenumber(field.BITS, 'BITS');
// Runtime field implementations must expose positive byte/bit sizes; zero leaks through the
// numeric shape checks above but still breaks encoding helpers and cached-length assumptions.
if (field.BYTES < 1 || field.BITS < 1)
throw new Error('invalid field: expected BYTES/BITS > 0');
if (field.ORDER <= _1n)
throw new Error('invalid field: expected ORDER > 1, got ' + field.ORDER);
return field;
}
// Generic field functions
/**
* Same as `pow` but for Fp: non-constant-time.
* Unsafe in some contexts: uses ladder, so can expose bigint bits.
* @param Fp - Field implementation.
* @param num - Base value.
* @param power - Exponent value.
* @returns Powered field element.
* @throws If the exponent is negative. {@link Error}
* @example
* Raise one field element to a public exponent.
*
* ```ts
* import { Field, FpPow } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const x = FpPow(Fp, 3n, 5n);
* ```
*/
export function FpPow(Fp, num, power) {
const F = Fp;
if (power < _0n)
throw new Error('invalid exponent, negatives unsupported');
if (power === _0n)
return F.ONE;
if (power === _1n)
return num;
let p = F.ONE;
let d = num;
while (power > _0n) {
if (power & _1n)
p = F.mul(p, d);
d = F.sqr(d);
power >>= _1n;
}
return p;
}
/**
* Efficiently invert an array of Field elements.
* Exception-free. Zero-valued field elements stay `undefined` unless `passZero` is enabled.
* @param Fp - Field implementation.
* @param nums - Values to invert.
* @param passZero - map 0 to 0 (instead of undefined)
* @returns Inverted values.
* @example
* Invert several field elements with one shared inversion.
*
* ```ts
* import { Field, FpInvertBatch } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const inv = FpInvertBatch(Fp, [1n, 2n, 4n]);
* ```
*/
export function FpInvertBatch(Fp, nums, passZero = false) {
const F = Fp;
const inverted = new Array(nums.length).fill(passZero ? F.ZERO : undefined);
// Walk from first to last, multiply them by each other MOD p
const multipliedAcc = nums.reduce((acc, num, i) => {
if (F.is0(num))
return acc;
inverted[i] = acc;
return F.mul(acc, num);
}, F.ONE);
// Invert last element
const invertedAcc = F.inv(multipliedAcc);
// Walk from last to first, multiply them by inverted each other MOD p
nums.reduceRight((acc, num, i) => {
if (F.is0(num))
return acc;
inverted[i] = F.mul(acc, inverted[i]);
return F.mul(acc, num);
}, invertedAcc);
return inverted;
}
/**
* @param Fp - Field implementation.
* @param lhs - Dividend value.
* @param rhs - Divisor value.
* @returns Division result.
* @throws If the divisor is non-invertible. {@link Error}
* @example
* Divide one field element by another.
*
* ```ts
* import { Field, FpDiv } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const x = FpDiv(Fp, 6n, 3n);
* ```
*/
export function FpDiv(Fp, lhs, rhs) {
const F = Fp;
return F.mul(lhs, typeof rhs === 'bigint' ? invert(rhs, F.ORDER) : F.inv(rhs));
}
/**
* Legendre symbol.
* Legendre constant is used to calculate Legendre symbol (a | p)
* which denotes the value of a^((p-1)/2) (mod p).
*
* * (a | p) ≡ 1 if a is a square (mod p), quadratic residue
* * (a | p) ≡ -1 if a is not a square (mod p), quadratic non residue
* * (a | p) ≡ 0 if a ≡ 0 (mod p)
* @param Fp - Field implementation.
* @param n - Value to inspect.
* @returns Legendre symbol.
* @throws If the field returns an invalid Legendre symbol value. {@link Error}
* @example
* Compute the Legendre symbol of one field element.
*
* ```ts
* import { Field, FpLegendre } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const symbol = FpLegendre(Fp, 4n);
* ```
*/
export function FpLegendre(Fp, n) {
const F = Fp;
// We can use 3rd argument as optional cache of this value
// but seems unneeded for now. The operation is very fast.
const p1mod2 = (F.ORDER - _1n) / _2n;
const powered = F.pow(n, p1mod2);
const yes = F.eql(powered, F.ONE);
const zero = F.eql(powered, F.ZERO);
const no = F.eql(powered, F.neg(F.ONE));
if (!yes && !zero && !no)
throw new Error('invalid Legendre symbol result');
return yes ? 1 : zero ? 0 : -1;
}
/**
* @param Fp - Field implementation.
* @param n - Value to inspect.
* @returns `true` when `Fp.sqrt(n)` exists. This includes `0`, even though strict "quadratic
* residue" terminology often reserves that name for the non-zero square class.
* @throws If the field returns an invalid Legendre symbol value. {@link Error}
* @example
* Check whether one field element has a square root in the field.
*
* ```ts
* import { Field, FpIsSquare } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const isSquare = FpIsSquare(Fp, 4n);
* ```
*/
export function FpIsSquare(Fp, n) {
const l = FpLegendre(Fp, n);
// Zero is a square too: 0 = 0^2, and Fp.sqrt(0) already returns 0.
return l !== -1;
}
/**
* @param n - Curve order. Callers are expected to pass a positive order.
* @param nBitLength - Optional cached bit length. Callers are expected to pass a positive cached
* value when overriding the derived bit length.
* @returns Byte and bit lengths.
* @throws If the order or cached bit length is invalid. {@link Error}
* @example
* Measure the encoding sizes needed for one modulus.
*
* ```ts
* nLength(255n);
* ```
*/
export function nLength(n, nBitLength) {
// Bit size, byte size of CURVE.n
if (nBitLength !== undefined)
anumber(nBitLength);
if (n <= _0n)
throw new Error('invalid n length: expected positive n, got ' + n);
if (nBitLength !== undefined && nBitLength < 1)
throw new Error('invalid n length: expected positive bit length, got ' + nBitLength);
const bits = bitLen(n);
// Cached bit lengths smaller than ORDER would truncate serialized scalars/elements and poison
// any math that relies on the derived field metadata.
if (nBitLength !== undefined && nBitLength < bits)
throw new Error(`invalid n length: expected bit length (${bits}) >= n.length (${nBitLength})`);
const _nBitLength = nBitLength !== undefined ? nBitLength : bits;
const nByteLength = Math.ceil(_nBitLength / 8);
return { nBitLength: _nBitLength, nByteLength };
}
// Keep the lazy sqrt cache off-instance so Field(...) can return a frozen object. Otherwise the
// cached helper write would keep the field surface externally mutable.
const FIELD_SQRT = new WeakMap();
class _Field {
ORDER;
BITS;
BYTES;
isLE;
ZERO = _0n;
ONE = _1n;
_lengths;
_mod;
constructor(ORDER, opts = {}) {
// ORDER <= 1 is degenerate: ONE would not be a valid field element and helpers like pow/inv
// would stop modeling field arithmetic.
if (ORDER <= _1n)
throw new Error('invalid field: expected ORDER > 1, got ' + ORDER);
let _nbitLength = undefined;
this.isLE = false;
if (opts != null && typeof opts === 'object') {
// Cached bit lengths are trusted here and should already be positive / consistent with ORDER.
if (typeof opts.BITS === 'number')
_nbitLength = opts.BITS;
if (typeof opts.sqrt === 'function')
// `_Field.prototype` is frozen below, so custom sqrt hooks must become own properties
// explicitly instead of relying on writable prototype shadowing via assignment.
Object.defineProperty(this, 'sqrt', { value: opts.sqrt, enumerable: true });
if (typeof opts.isLE === 'boolean')
this.isLE = opts.isLE;
if (opts.allowedLengths)
this._lengths = Object.freeze(opts.allowedLengths.slice());
if (typeof opts.modFromBytes === 'boolean')
this._mod = opts.modFromBytes;
}
const { nBitLength, nByteLength } = nLength(ORDER, _nbitLength);
if (nByteLength > 2048)
throw new Error('invalid field: expected ORDER of <= 2048 bytes');
this.ORDER = ORDER;
this.BITS = nBitLength;
this.BYTES = nByteLength;
Object.freeze(this);
}
create(num) {
return mod(num, this.ORDER);
}
isValid(num) {
if (typeof num !== 'bigint')
throw new TypeError('invalid field element: expected bigint, got ' + typeof num);
return _0n <= num && num < this.ORDER; // 0 is valid element, but it's not invertible
}
is0(num) {
return num === _0n;
}
// is valid and invertible
isValidNot0(num) {
return !this.is0(num) && this.isValid(num);
}
isOdd(num) {
return (num & _1n) === _1n;
}
neg(num) {
return mod(-num, this.ORDER);
}
eql(lhs, rhs) {
return lhs === rhs;
}
sqr(num) {
return mod(num * num, this.ORDER);
}
add(lhs, rhs) {
return mod(lhs + rhs, this.ORDER);
}
sub(lhs, rhs) {
return mod(lhs - rhs, this.ORDER);
}
mul(lhs, rhs) {
return mod(lhs * rhs, this.ORDER);
}
pow(num, power) {
return FpPow(this, num, power);
}
div(lhs, rhs) {
return mod(lhs * invert(rhs, this.ORDER), this.ORDER);
}
// Same as above, but doesn't normalize
sqrN(num) {
return num * num;
}
addN(lhs, rhs) {
return lhs + rhs;
}
subN(lhs, rhs) {
return lhs - rhs;
}
mulN(lhs, rhs) {
return lhs * rhs;
}
inv(num) {
return invert(num, this.ORDER);
}
sqrt(num) {
// Caching sqrt helpers speeds up sqrt9mod16 by 5x and Tonelli-Shanks by about 10% without keeping
// the field instance itself mutable.
let sqrt = FIELD_SQRT.get(this);
if (!sqrt)
FIELD_SQRT.set(this, (sqrt = FpSqrt(this.ORDER)));
return sqrt(this, num);
}
toBytes(num) {
// Serialize fixed-width limbs without re-validating the field range. Callers that need a
// canonical encoding must pass a valid element; some protocols intentionally serialize raw
// residues here and reduce or validate them elsewhere.
return this.isLE ? numberToBytesLE(num, this.BYTES) : numberToBytesBE(num, this.BYTES);
}
fromBytes(bytes, skipValidation = false) {
abytes(bytes);
const { _lengths: allowedLengths, BYTES, isLE, ORDER, _mod: modFromBytes } = this;
if (allowedLengths) {
// `allowedLengths` must list real positive byte lengths; otherwise empty input would get
// padded into zero and silently decode as a field element.
if (bytes.length < 1 || !allowedLengths.includes(bytes.length) || bytes.length > BYTES) {
throw new Error('Field.fromBytes: expected ' + allowedLengths + ' bytes, got ' + bytes.length);
}
const padded = new Uint8Array(BYTES);
// isLE add 0 to right, !isLE to the left.
padded.set(bytes, isLE ? 0 : padded.length - bytes.length);
bytes = padded;
}
if (bytes.length !== BYTES)
throw new Error('Field.fromBytes: expected ' + BYTES + ' bytes, got ' + bytes.length);
let scalar = isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
if (modFromBytes)
scalar = mod(scalar, ORDER);
if (!skipValidation)
if (!this.isValid(scalar))
throw new Error('invalid field element: outside of range 0..ORDER');
// Range validation is optional here because some protocols intentionally decode raw residues
// and reduce or validate them elsewhere.
return scalar;
}
// TODO: we don't need it here, move out to separate fn
invertBatch(lst) {
return FpInvertBatch(this, lst);
}
// We can't move this out because Fp6, Fp12 implement it
// and it's unclear what to return in there.
cmov(a, b, condition) {
// Field elements have `isValid(...)`; the CMOV branch bit is a direct runtime input, so reject
// non-boolean selectors here instead of letting JS truthiness silently change arithmetic.
abool(condition, 'condition');
return condition ? b : a;
}
}
// Freeze the shared method surface too; otherwise callers can still poison every Field instance by
// monkey-patching `_Field.prototype` even if each instance is frozen.
Object.freeze(_Field.prototype);
/**
* Creates a finite field. Major performance optimizations:
* * 1. Denormalized operations like mulN instead of mul.
* * 2. Identical object shape: never add or remove keys.
* * 3. Frozen stable object shape; the lazy sqrt cache lives in a module-level `WeakMap`.
* Fragile: always run a benchmark on a change.
* Security note: operations and low-level serializers like `toBytes` don't check `isValid` for
* all elements for performance and protocol-flexibility reasons; callers are responsible for
* supplying valid elements when they need canonical field behavior.
* This is low-level code, please make sure you know what you're doing.
*
* Note about field properties:
* * CHARACTERISTIC p = prime number, number of elements in main subgroup.
* * ORDER q = similar to cofactor in curves, may be composite `q = p^m`.
*
* @param ORDER - field order, probably prime, or could be composite
* @param opts - Field options such as bit length or endianness. See {@link FieldOpts}.
* @returns Frozen field instance with a stable object shape. This wrapper forwards `opts` straight
* into `_Field`, so it inherits `_Field`'s assumptions about cached sizes and `allowedLengths`.
* @example
* Construct one prime field with optional overrides.
*
* ```ts
* Field(11n);
* ```
*/
export function Field(ORDER, opts = {}) {
return new _Field(ORDER, opts);
}
// Generic random scalar, we can do same for other fields if via Fp2.mul(Fp2.ONE, Fp2.random)?
// This allows unsafe methods like ignore bias or zero. These unsafe, but often used in different protocols (if deterministic RNG).
// which mean we cannot force this via opts.
// Not sure what to do with randomBytes, we can accept it inside opts if wanted.
// Probably need to export getMinHashLength somewhere?
// random(bytes?: Uint8Array, unsafeAllowZero = false, unsafeAllowBias = false) {
// const LEN = !unsafeAllowBias ? getMinHashLength(ORDER) : BYTES;
// if (bytes === undefined) bytes = randomBytes(LEN); // _opts.randomBytes?
// const num = isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
// // `mod(x, 11)` can sometimes produce 0. `mod(x, 10) + 1` is the same, but no 0
// const reduced = unsafeAllowZero ? mod(num, ORDER) : mod(num, ORDER - _1n) + _1n;
// return reduced;
// },
/**
* @param Fp - Field implementation.
* @param elm - Value to square-root.
* @returns Odd square root when two roots exist. The special case `elm = 0` still returns `0`,
* which is the only square root but is not odd.
* @throws If the field lacks oddness checks or the square root does not exist. {@link Error}
* @example
* Select the odd square root when two roots exist.
*
* ```ts
* import { Field, FpSqrtOdd } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const root = FpSqrtOdd(Fp, 4n);
* ```
*/
export function FpSqrtOdd(Fp, elm) {
const F = Fp;
if (!F.isOdd)
throw new Error("Field doesn't have isOdd");
const root = F.sqrt(elm);
return F.isOdd(root) ? root : F.neg(root);
}
/**
* @param Fp - Field implementation.
* @param elm - Value to square-root.
* @returns Even square root.
* @throws If the field lacks oddness checks or the square root does not exist. {@link Error}
* @example
* Select the even square root when two roots exist.
*
* ```ts
* import { Field, FpSqrtEven } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const root = FpSqrtEven(Fp, 4n);
* ```
*/
export function FpSqrtEven(Fp, elm) {
const F = Fp;
if (!F.isOdd)
throw new Error("Field doesn't have isOdd");
const root = F.sqrt(elm);
return F.isOdd(root) ? F.neg(root) : root;
}
/**
* Returns total number of bytes consumed by the field element.
* For example, 32 bytes for usual 256-bit weierstrass curve.
* @param fieldOrder - number of field elements, usually CURVE.n. Callers are expected to pass an
* order greater than 1.
* @returns byte length of field
* @throws If the field order is not a bigint. {@link Error}
* @example
* Read the fixed-width byte length of one field.
*
* ```ts
* getFieldBytesLength(255n);
* ```
*/
export function getFieldBytesLength(fieldOrder) {
if (typeof fieldOrder !== 'bigint')
throw new Error('field order must be bigint');
// Valid field elements are in 0..ORDER-1, so ORDER <= 1 would make the encoded range degenerate.
if (fieldOrder <= _1n)
throw new Error('field order must be greater than 1');
// Valid field elements are < ORDER, so the maximal encoded element is ORDER - 1.
const bitLength = bitLen(fieldOrder - _1n);
return Math.ceil(bitLength / 8);
}
/**
* Returns minimal amount of bytes that can be safely reduced
* by field order.
* Should be 2^-128 for 128-bit curve such as P256.
* This is the reduction / modulo-bias lower bound; higher-level helpers may still impose a larger
* absolute floor for policy reasons.
* @param fieldOrder - number of field elements greater than 1, usually CURVE.n.
* @returns byte length of target hash
* @throws If the field order is invalid. {@link Error}
* @example
* Compute the minimum hash length needed for field reduction.
*
* ```ts
* getMinHashLength(255n);
* ```
*/
export function getMinHashLength(fieldOrder) {
const length = getFieldBytesLength(fieldOrder);
return length + Math.ceil(length / 2);
}
/**
* "Constant-time" private key generation utility.
* Can take (n + n/2) or more bytes of uniform input e.g. from CSPRNG or KDF
* and convert them into private scalar, with the modulo bias being negligible.
* Needs at least 48 bytes of input for 32-byte private key. The implementation also keeps a hard
* 16-byte minimum even when `getMinHashLength(...)` is smaller, so toy-small inputs do not look
* accidentally acceptable for real scalar derivation.
* See {@link https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/ | Kudelski's modulo-bias guide},
* {@link https://csrc.nist.gov/publications/detail/fips/186/5/final | FIPS 186-5 appendix A.2}, and
* {@link https://www.rfc-editor.org/rfc/rfc9380#section-5 | RFC 9380 section 5}. Unlike RFC 9380
* `hash_to_field`, this helper intentionally maps into the non-zero private-scalar range `1..n-1`.
* @param key - Uniform input bytes.
* @param fieldOrder - Size of subgroup.
* @param isLE - interpret hash bytes as LE num
* @returns valid private scalar
* @throws If the hash length or field order is invalid for scalar reduction. {@link Error}
* @example
* Map hash output into a private scalar range.
*
* ```ts
* mapHashToField(new Uint8Array(48).fill(1), 255n);
* ```
*/
export function mapHashToField(key, fieldOrder, isLE = false) {
abytes(key);
const len = key.length;
const fieldLen = getFieldBytesLength(fieldOrder);
const minLen = Math.max(getMinHashLength(fieldOrder), 16);
// No toy-small inputs: the helper is for real scalar derivation, not tiny test curves. No huge
// inputs: easier to reason about JS timing / allocation behavior.
if (len < minLen || len > 1024)
throw new Error('expected ' + minLen + '-1024 bytes of input, got ' + len);
const num = isLE ? bytesToNumberLE(key) : bytesToNumberBE(key);
// `mod(x, 11)` can sometimes produce 0. `mod(x, 10) + 1` is the same, but no 0
const reduced = mod(num, fieldOrder - _1n) + _1n;
return isLE ? numberToBytesLE(reduced, fieldLen) : numberToBytesBE(reduced, fieldLen);
}
//# sourceMappingURL=modular.js.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/modular.js.map
Generated Vendored
+1
View File
File diff suppressed because one or more lines are too long
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/montgomery.d.ts
Generated Vendored
+96
View File
@@ -0,0 +1,96 @@
/**
* Montgomery curve methods. It's not really whole montgomery curve,
* just bunch of very specific methods for X25519 / X448 from
* [RFC 7748](https://www.rfc-editor.org/rfc/rfc7748)
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { type TArg, type TRet } from '../utils.ts';
import { type CurveLengths } from './curve.ts';
/** Curve-specific hooks required to build one X25519/X448 helper. */
export type MontgomeryOpts = {
/** Prime field modulus. */
P: bigint;
/** RFC 7748 variant name. */
type: 'x25519' | 'x448';
/**
* Clamp or otherwise normalize one scalar byte string before use.
* @param bytes - Raw secret scalar bytes.
* @returns Adjusted scalar bytes ready for Montgomery multiplication.
*/
adjustScalarBytes: (bytes: TArg<Uint8Array>) => TRet<Uint8Array>;
/**
* Invert one field element with exponentiation by `p - 2`.
* @param x - Field element to invert.
* @returns Multiplicative inverse of `x`.
*/
powPminus2: (x: bigint) => bigint;
/**
* Optional randomness source for `keygen()` and `utils.randomSecretKey()`.
* Receives the requested byte length and returns fresh random bytes.
*/
randomBytes?: (bytesLength?: number) => TRet<Uint8Array>;
};
/** Public X25519/X448 ECDH API built on a Montgomery ladder. */
export type MontgomeryECDH = {
/**
* Multiply one scalar by one Montgomery `u` coordinate.
* @param scalar - Secret scalar bytes.
* @param u - Public Montgomery `u` coordinate.
* @returns Shared point encoded as bytes.
*/
scalarMult: (scalar: TArg<Uint8Array>, u: TArg<Uint8Array>) => TRet<Uint8Array>;
/**
* Multiply one scalar by the curve base point.
* @param scalar - Secret scalar bytes.
* @returns Public key bytes.
*/
scalarMultBase: (scalar: TArg<Uint8Array>) => TRet<Uint8Array>;
/**
* Derive a shared secret from a local secret key and peer public key.
* @param secretKeyA - Local secret key bytes.
* @param publicKeyB - Peer public key bytes.
* Rejects low-order public inputs instead of returning the all-zero shared secret.
* @returns Shared secret bytes.
*/
getSharedSecret: (secretKeyA: TArg<Uint8Array>, publicKeyB: TArg<Uint8Array>) => TRet<Uint8Array>;
/**
* Derive one public key from a secret key.
* @param secretKey - Secret key bytes.
* @returns Public key bytes.
*/
getPublicKey: (secretKey: TArg<Uint8Array>) => TRet<Uint8Array>;
/** Utility helpers for secret-key generation. */
utils: {
/** Generate one random secret key with the curve's expected byte length. */
randomSecretKey: () => TRet<Uint8Array>;
};
/** Encoded Montgomery base point `u`. */
GuBytes: TRet<Uint8Array>;
/** Public lengths for keys and seeds. */
lengths: CurveLengths;
/**
* Generate one random secret/public keypair.
* @param seed - Optional seed bytes to use instead of random generation.
* @returns Fresh secret/public keypair.
*/
keygen: (seed?: TArg<Uint8Array>) => {
secretKey: TRet<Uint8Array>;
publicKey: TRet<Uint8Array>;
};
};
/**
* @param curveDef - Montgomery curve definition.
* @returns ECDH helper namespace.
* @throws If the curve definition or derived shared point is invalid. {@link Error}
* @example
* Perform one X25519 key exchange through the generic Montgomery helper.
*
* ```ts
* import { x25519 } from '@noble/curves/ed25519.js';
* const alice = x25519.keygen();
* const shared = x25519.getSharedSecret(alice.secretKey, alice.publicKey);
* ```
*/
export declare function montgomery(curveDef: TArg<MontgomeryOpts>): TRet<MontgomeryECDH>;
//# sourceMappingURL=montgomery.d.ts.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/montgomery.d.ts.map
Generated Vendored
+1
View File
@@ -0,0 +1 @@
{"version":3,"file":"montgomery.d.ts","sourceRoot":"","sources":["../src/abstract/montgomery.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,sEAAsE;AACtE,OAAO,EASL,KAAK,IAAI,EACT,KAAK,IAAI,EACV,MAAM,aAAa,CAAC;AACrB,OAAO,EAAgB,KAAK,YAAY,EAAE,MAAM,YAAY,CAAC;AAO7D,qEAAqE;AACrE,MAAM,MAAM,cAAc,GAAG;IAC3B,2BAA2B;IAC3B,CAAC,EAAE,MAAM,CAAC;IACV,6BAA6B;IAC7B,IAAI,EAAE,QAAQ,GAAG,MAAM,CAAC;IACxB;;;;OAIG;IACH,iBAAiB,EAAE,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,CAAC,KAAK,IAAI,CAAC,UAAU,CAAC,CAAC;IACjE;;;;OAIG;IACH,UAAU,EAAE,CAAC,CAAC,EAAE,MAAM,KAAK,MAAM,CAAC;IAClC;;;OAGG;IACH,WAAW,CAAC,EAAE,CAAC,WAAW,CAAC,EAAE,MAAM,KAAK,IAAI,CAAC,UAAU,CAAC,CAAC;CAC1D,CAAC;AAEF,gEAAgE;AAChE,MAAM,MAAM,cAAc,GAAG;IAC3B;;;;;OAKG;IACH,UAAU,EAAE,CAAC,MAAM,EAAE,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC,EAAE,IAAI,CAAC,UAAU,CAAC,KAAK,IAAI,CAAC,UAAU,CAAC,CAAC;IAChF;;;;OAIG;IACH,cAAc,EAAE,CAAC,MAAM,EAAE,IAAI,CAAC,UAAU,CAAC,KAAK,IAAI,CAAC,UAAU,CAAC,CAAC;IAC/D;;;;;;OAMG;IACH,eAAe,EAAE,CAAC,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,KAAK,IAAI,CAAC,UAAU,CAAC,CAAC;IAClG;;;;OAIG;IACH,YAAY,EAAE,CAAC,SAAS,EAAE,IAAI,CAAC,UAAU,CAAC,KAAK,IAAI,CAAC,UAAU,CAAC,CAAC;IAChE,iDAAiD;IACjD,KAAK,EAAE;QACL,4EAA4E;QAC5E,eAAe,EAAE,MAAM,IAAI,CAAC,UAAU,CAAC,CAAC;KACzC,CAAC;IACF,yCAAyC;IACzC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IAC1B,yCAAyC;IACzC,OAAO,EAAE,YAAY,CAAC;IACtB;;;;OAIG;IACH,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,IAAI,CAAC,UAAU,CAAC,KAAK;QACnC,SAAS,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QAC5B,SAAS,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;KAC7B,CAAC;CACH,CAAC;AAqBF;;;;;;;;;;;;GAYG;AACH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC,cAAc,CAAC,GAAG,IAAI,CAAC,cAAc,CAAC,CA0I/E"}
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/montgomery.js
Generated Vendored
+178
View File
@@ -0,0 +1,178 @@
/**
* Montgomery curve methods. It's not really whole montgomery curve,
* just bunch of very specific methods for X25519 / X448 from
* [RFC 7748](https://www.rfc-editor.org/rfc/rfc7748)
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { abytes, aInRange, bytesToNumberLE, copyBytes, numberToBytesLE, randomBytes, validateObject, } from "../utils.js";
import { createKeygen } from "./curve.js";
import { mod } from "./modular.js";
const _0n = BigInt(0);
const _1n = BigInt(1);
const _2n = BigInt(2);
function validateOpts(curve) {
// Validate constructor config eagerly, but do not call user-provided hooks here:
// `randomBytes` may be transcript-backed or otherwise contextual. Runtime type checks are
// enough to fail fast on malformed configs without consuming user state.
validateObject(curve, {
P: 'bigint',
type: 'string',
adjustScalarBytes: 'function',
powPminus2: 'function',
}, {
randomBytes: 'function',
});
return Object.freeze({ ...curve });
}
/**
* @param curveDef - Montgomery curve definition.
* @returns ECDH helper namespace.
* @throws If the curve definition or derived shared point is invalid. {@link Error}
* @example
* Perform one X25519 key exchange through the generic Montgomery helper.
*
* ```ts
* import { x25519 } from '@noble/curves/ed25519.js';
* const alice = x25519.keygen();
* const shared = x25519.getSharedSecret(alice.secretKey, alice.publicKey);
* ```
*/
export function montgomery(curveDef) {
const CURVE = validateOpts(curveDef);
const { P, type, adjustScalarBytes, powPminus2, randomBytes: rand } = CURVE;
const is25519 = type === 'x25519';
if (!is25519 && type !== 'x448')
throw new Error('invalid type');
const randomBytes_ = rand === undefined ? randomBytes : rand;
const montgomeryBits = is25519 ? 255 : 448;
const fieldLen = is25519 ? 32 : 56;
const Gu = is25519 ? BigInt(9) : BigInt(5);
// RFC 7748 #5:
// The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519 and
// (156326 - 2) / 4 = 39081 for curve448/X448
// const a = is25519 ? 486662n : 156326n;
const a24 = is25519 ? BigInt(121665) : BigInt(39081);
// RFC: x25519 "the resulting integer is of the form 2^254 plus
// eight times a value between 0 and 2^251 - 1 (inclusive)"
// x448: "2^447 plus four times a value between 0 and 2^445 - 1 (inclusive)"
const minScalar = is25519 ? _2n ** BigInt(254) : _2n ** BigInt(447);
const maxAdded = is25519
? BigInt(8) * _2n ** BigInt(251) - _1n
: BigInt(4) * _2n ** BigInt(445) - _1n;
const maxScalar = minScalar + maxAdded + _1n; // (inclusive)
const modP = (n) => mod(n, P);
const GuBytes = encodeU(Gu);
function encodeU(u) {
return numberToBytesLE(modP(u), fieldLen);
}
function decodeU(u) {
const _u = copyBytes(abytes(u, fieldLen, 'uCoordinate'));
// RFC: When receiving such an array, implementations of X25519
// (but not X448) MUST mask the most significant bit in the final byte.
if (is25519)
_u[31] &= 127; // 0b0111_1111
// RFC: Implementations MUST accept non-canonical values and process them as
// if they had been reduced modulo the field prime. The non-canonical
// values are 2^255 - 19 through 2^255 - 1 for X25519 and 2^448 - 2^224
// - 1 through 2^448 - 1 for X448.
return modP(bytesToNumberLE(_u));
}
function decodeScalar(scalar) {
return bytesToNumberLE(adjustScalarBytes(copyBytes(abytes(scalar, fieldLen, 'scalar'))));
}
function scalarMult(scalar, u) {
const pu = montgomeryLadder(decodeU(u), decodeScalar(scalar));
// Some public keys are useless, of low-order. Curve author doesn't think
// it needs to be validated, but we do it nonetheless.
// https://cr.yp.to/ecdh.html#validate
if (pu === _0n)
throw new Error('invalid private or public key received');
return encodeU(pu);
}
// Computes public key from private. By doing scalar multiplication of base point.
function scalarMultBase(scalar) {
return scalarMult(scalar, GuBytes);
}
const getPublicKey = scalarMultBase;
const getSharedSecret = scalarMult;
// cswap from RFC7748 "example code"
function cswap(swap, x_2, x_3) {
// dummy = mask(swap) AND (x_2 XOR x_3)
// Where mask(swap) is the all-1 or all-0 word of the same length as x_2
// and x_3, computed, e.g., as mask(swap) = 0 - swap.
const dummy = modP(swap * (x_2 - x_3));
x_2 = modP(x_2 - dummy); // x_2 = x_2 XOR dummy
x_3 = modP(x_3 + dummy); // x_3 = x_3 XOR dummy
return { x_2, x_3 };
}
/**
* Montgomery x-only multiplication ladder for the selected X25519/X448 curve.
* @param pointU - decoded Montgomery u coordinate for the selected curve
* @param scalar - decoded clamped scalar by which the point is multiplied
* @returns resulting Montgomery u coordinate for the selected curve
*/
function montgomeryLadder(u, scalar) {
aInRange('u', u, _0n, P);
aInRange('scalar', scalar, minScalar, maxScalar);
const k = scalar;
const x_1 = u;
let x_2 = _1n;
let z_2 = _0n;
let x_3 = u;
let z_3 = _1n;
let swap = _0n;
for (let t = BigInt(montgomeryBits - 1); t >= _0n; t--) {
const k_t = (k >> t) & _1n;
swap ^= k_t;
({ x_2, x_3 } = cswap(swap, x_2, x_3));
({ x_2: z_2, x_3: z_3 } = cswap(swap, z_2, z_3));
swap = k_t;
const A = x_2 + z_2;
const AA = modP(A * A);
const B = x_2 - z_2;
const BB = modP(B * B);
const E = AA - BB;
const C = x_3 + z_3;
const D = x_3 - z_3;
const DA = modP(D * A);
const CB = modP(C * B);
const dacb = DA + CB;
const da_cb = DA - CB;
x_3 = modP(dacb * dacb);
z_3 = modP(x_1 * modP(da_cb * da_cb));
x_2 = modP(AA * BB);
z_2 = modP(E * (AA + modP(a24 * E)));
}
({ x_2, x_3 } = cswap(swap, x_2, x_3));
({ x_2: z_2, x_3: z_3 } = cswap(swap, z_2, z_3));
const z2 = powPminus2(z_2); // `Fp.pow(x, P - _2n)` is much slower equivalent
return modP(x_2 * z2); // Return x_2 * (z_2^(p - 2))
}
const lengths = {
secretKey: fieldLen,
publicKey: fieldLen,
seed: fieldLen,
};
const randomSecretKey = (seed) => {
seed = seed === undefined ? randomBytes_(fieldLen) : seed;
abytes(seed, lengths.seed, 'seed');
// Reuse caller-supplied seed bytes verbatim; clamping is deferred until
// decodeScalar(...) when the secret key is actually used.
return seed;
};
const utils = { randomSecretKey };
Object.freeze(lengths);
Object.freeze(utils);
return Object.freeze({
keygen: createKeygen(randomSecretKey, getPublicKey),
getSharedSecret,
getPublicKey,
scalarMult,
scalarMultBase,
utils,
GuBytes: GuBytes.slice(),
lengths,
});
}
//# sourceMappingURL=montgomery.js.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/montgomery.js.map
Generated Vendored
+1
View File
File diff suppressed because one or more lines are too long
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/oprf.d.ts
Generated Vendored
+355
View File
@@ -0,0 +1,355 @@
/**
* RFC 9497: Oblivious Pseudorandom Functions (OPRFs) Using Prime-Order Groups.
* https://www.rfc-editor.org/rfc/rfc9497
*
OPRF allows to interactively create an `Output = PRF(Input, serverSecretKey)`:
- Server cannot calculate Output by itself: it doesn't know Input
- Client cannot calculate Output by itself: it doesn't know server secretKey
- An attacker interception the communication can't restore Input/Output/serverSecretKey and can't
link Input to some value.
## Issues
- Low-entropy inputs (e.g. password '123') enable brute-forced dictionary attacks by the server
(solveable by domain separation in POPRF)
- High-level protocol needs to be constructed on top, because OPRF is low-level
## Use cases
1. **Password-Authenticated Key Exchange (PAKE):** Enables secure password login (e.g., OPAQUE)
without revealing the password to the server.
2. **Private Set Intersection (PSI):** Allows two parties to compute the intersection of their
private sets without revealing non-intersecting elements.
3. **Anonymous Credential Systems:** Supports issuance of anonymous, unlinkable credentials
(e.g., Privacy Pass) using blind OPRF evaluation.
4. **Private Information Retrieval (PIR):** Helps users query databases without revealing which
item they accessed.
5. **Encrypted Search / Secure Indexing:** Enables keyword search over encrypted data while keeping
queries private.
6. **Spam Prevention and Rate-Limiting:** Issues anonymous tokens to prevent abuse
(e.g., CAPTCHA bypass) without compromising user privacy.
## Modes
- OPRF: simple mode, client doesn't need to know server public key
- VOPRF: verifiable mode. It lets the client verify that the server used the
secret key corresponding to a known public key
- POPRF: partially oblivious mode, VOPRF + domain separation
There is also non-interactive mode (Evaluate), which creates Output
non-interactively with knowledge of the secret key.
Flow:
- (once) Server generates secret and public keys, distributes public keys to clients
- deterministically: `deriveKeyPair` or just random: `generateKeyPair`
- Client blinds input: `blind(secretInput)`
- Server evaluates blinded input: `blindEvaluate` generated by client, sends result to client
- Client creates output using result of evaluation via 'finalize'
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { randomBytes, type TArg, type TRet } from '../utils.ts';
import { type CurvePoint, type CurvePointCons } from './curve.ts';
import { type H2CDSTOpts } from './hash-to-curve.ts';
/** Serialized group element passed between OPRF participants. */
export type PointBytes = Uint8Array;
/** Serialized scalar used for blinds and server secret keys. */
export type ScalarBytes = Uint8Array;
/** Arbitrary byte input or output used by the OPRF protocol. */
export type Bytes = Uint8Array;
/** Cryptographically secure byte generator used for blinds and proofs. */
export type RNG = typeof randomBytes;
/** Curve and hash hooks required to instantiate one OPRF ciphersuite. */
export type OPRFOpts<P extends CurvePoint<any, P>> = {
/** Human-readable suite identifier used for domain separation. */
name: string;
/**
* Prime-order group used by the OPRF construction.
* Kept generic because the suite returns serialized points.
*/
Point: CurvePointCons<P>;
/**
* Hash function used for transcripts, proofs, and outputs.
* @param msg - Message bytes to hash.
* @returns Digest bytes.
*/
hash(msg: TArg<Bytes>): TRet<Bytes>;
/**
* Hash arbitrary bytes into one scalar in the suite order.
* @param msg - Message bytes to map.
* @param options - Hash-to-field domain-separation options. See {@link H2CDSTOpts}.
* Implementations MUST treat `msg` and `options` as read-only.
* @returns Scalar in the suite order.
*/
hashToScalar(msg: TArg<Uint8Array>, options: TArg<H2CDSTOpts>): bigint;
/**
* Hash arbitrary bytes directly onto one curve point.
* @param msg - Message bytes to map.
* @param options - Hash-to-curve domain-separation options. See {@link H2CDSTOpts}.
* Implementations MUST treat `msg` and `options` as read-only.
* @returns Point on the suite curve.
*/
hashToGroup(msg: TArg<Uint8Array>, options: TArg<H2CDSTOpts>): P;
};
/** Server keypair for one OPRF suite. */
export type OPRFKeys = {
/** Secret scalar kept by the server. */
secretKey: TRet<ScalarBytes>;
/** Public point distributed to clients in verifiable modes. */
publicKey: TRet<PointBytes>;
};
/** Result of the client-side blind step. */
export type OPRFBlind = {
/** Secret blind scalar that the client keeps locally. */
blind: TRet<ScalarBytes>;
/** Blinded group element sent to the server. */
blinded: TRet<PointBytes>;
};
/** Server response for one verifiable OPRF evaluation. */
export type OPRFBlindEval = {
/** Evaluated group element returned by the server. */
evaluated: TRet<PointBytes>;
/** DLEQ proof binding the evaluation to the server public key. */
proof: TRet<Bytes>;
};
/** Server response for a batch of verifiable OPRF evaluations. */
export type OPRFBlindEvalBatch = {
/** Evaluated group elements returned for each blinded input. */
evaluated: TRet<PointBytes[]>;
/** Batch proof covering all evaluated elements. */
proof: TRet<Bytes>;
};
/** One finalized transcript item used by batch verification helpers. */
export type OPRFFinalizeItem = {
/** Original client input. */
input: Bytes;
/** Secret blind scalar used for the input. */
blind: ScalarBytes;
/** Evaluated point returned by the server. */
evaluated: PointBytes;
/** Blinded point originally sent to the server. */
blinded: PointBytes;
};
/** Result of the POPRF client-side blind step with the tweaked server public key. */
export type OPRFBlindTweaked = OPRFBlind & {
tweakedKey: TRet<PointBytes>;
};
/**
* Represents a full OPRF ciphersuite implementation according to RFC 9497.
* This object bundles the three protocol variants (OPRF, VOPRF, POPRF) for a specific
* prime-order group and hash function combination.
*
* @see https://www.rfc-editor.org/rfc/rfc9497.html
*/
export type OPRF = {
/**
* The unique identifier for the ciphersuite, e.g., "ristretto255-SHA512".
* This name is used for domain separation to prevent cross-protocol attacks.
*/
readonly name: string;
/**
* The base Oblivious Pseudorandom Function (OPRF) mode (mode 0x00).
* This is a two-party protocol between a client and a server to compute F(k, x)
* where 'k' is the server's key and 'x' is the client's input.
*
* The client learns the output F(k, x) but nothing about 'k'.
* The server learns nothing about 'x' or F(k, x).
* This mode is NOT verifiable; the client cannot prove the server used a specific key.
*/
readonly oprf: {
/**
* (Server-side) Generates a new random private/public key pair for the server.
* @returns A new key pair.
*/
generateKeyPair(): TRet<OPRFKeys>;
/**
* (Server-side) Deterministically derives a private/public key pair from a seed.
* @param seed - A 32-byte cryptographically secure random seed.
* @param keyInfo - An optional byte string for domain separation.
* @returns The derived key pair.
*/
deriveKeyPair(seed: TArg<Bytes>, keyInfo: TArg<Bytes>): TRet<OPRFKeys>;
/**
* (Client-side) The first step of the protocol. The client blinds its private input.
* @param input - The client's private input bytes.
* @param rng - An optional cryptographically secure random number generator.
* @returns An object containing the `blind` scalar (which the client MUST keep secret)
* and the `blinded` element (which the client sends to the server).
*/
blind(input: TArg<Bytes>, rng?: RNG): TRet<OPRFBlind>;
/**
* (Server-side) The second step. The server evaluates the client's blinded element
* using its secret key.
* @param secretKey - The server's private key.
* @param blinded - The blinded group element received from the client.
* @returns The evaluated group element, to be sent back to the client.
*/
blindEvaluate(secretKey: TArg<ScalarBytes>, blinded: TArg<PointBytes>): TRet<PointBytes>;
/**
* (Client-side) The final step. The client unblinds the server's response to
* compute the final OPRF output.
* @param input - The original private input from the `blind` step.
* @param blind - The secret scalar from the `blind` step.
* @param evaluated - The evaluated group element received from the server.
* @returns The final OPRF output, `Hash(len(input)||input||len(unblinded)||unblinded||"Finalize")`.
*/
finalize(input: TArg<Bytes>, blind: TArg<ScalarBytes>, evaluated: TArg<PointBytes>): TRet<Bytes>;
};
/**
* The Verifiable Oblivious Pseudorandom Function (VOPRF) mode (mode 0x01).
* This mode extends the base OPRF by providing a proof that the server used the
* secret key corresponding to its known public key.
*/
readonly voprf: {
/** (Server-side) Generates a key pair for the VOPRF mode. */
generateKeyPair(): TRet<OPRFKeys>;
/** (Server-side) Deterministically derives a key pair for the VOPRF mode. */
deriveKeyPair(seed: TArg<Bytes>, keyInfo: TArg<Bytes>): TRet<OPRFKeys>;
/** (Client-side) Blinds the client's private input for the VOPRF protocol. */
blind(input: TArg<Bytes>, rng?: RNG): TRet<OPRFBlind>;
/**
* (Server-side) Evaluates the client's blinded element and generates a DLEQ proof
* of correctness.
* @param secretKey - The server's private key.
* @param publicKey - The server's public key, used in proof generation.
* @param blinded - The blinded group element received from the client.
* @param rng - An optional cryptographically secure random number generator for the proof.
* @returns The evaluated element and a proof of correct computation.
*/
blindEvaluate(secretKey: TArg<ScalarBytes>, publicKey: TArg<PointBytes>, blinded: TArg<PointBytes>, rng?: RNG): TRet<OPRFBlindEval>;
/**
* (Server-side) An optimized batch version of `blindEvaluate`. It evaluates multiple
* blinded elements and produces a single, constant-size proof for the entire batch,
* amortizing the cost of proof generation.
* @param secretKey - The server's private key.
* @param publicKey - The server's public key.
* @param blinded - An array of blinded group elements from one or more clients.
* @param rng - An optional cryptographically secure random number generator for the proof.
* @returns An array of evaluated elements and a single proof for the batch.
*/
blindEvaluateBatch(secretKey: TArg<ScalarBytes>, publicKey: TArg<PointBytes>, blinded: TArg<PointBytes[]>, rng?: RNG): TRet<OPRFBlindEvalBatch>;
/**
* (Client-side) The final step. The client verifies the server's proof, and if valid,
* unblinds the result to compute the final VOPRF output.
* @param input - The original private input.
* @param blind - The secret scalar from the `blind` step.
* @param evaluated - The evaluated element from the server.
* @param blinded - The blinded element sent to the server (needed for proof verification).
* @param publicKey - The server's public key against which the proof is verified.
* @param proof - The DLEQ proof from the server.
* @returns The final VOPRF output.
* @throws If the proof verification fails. {@link Error}
*/
finalize(input: TArg<Bytes>, blind: TArg<ScalarBytes>, evaluated: TArg<PointBytes>, blinded: TArg<PointBytes>, publicKey: TArg<PointBytes>, proof: TArg<Bytes>): TRet<Bytes>;
/**
* (Client-side) The batch-aware version of `finalize`. It verifies a single batch proof
* against a list of corresponding inputs and outputs.
* @param items - An array of objects, each containing the parameters for a single finalization.
* @param publicKey - The server's public key.
* @param proof - The single DLEQ proof for the entire batch.
* @returns An array of final VOPRF outputs, one for each item in the input.
* @throws If the proof verification fails. {@link Error}
*/
finalizeBatch(items: TArg<OPRFFinalizeItem[]>, publicKey: TArg<PointBytes>, proof: TArg<Bytes>): TRet<Bytes[]>;
};
/**
* A factory for the Partially Oblivious Pseudorandom Function (POPRF) mode (mode 0x02).
* This mode extends VOPRF to include a public `info` parameter, known to both client and
* server, which is cryptographically bound to the final output.
* This is useful for domain separation at the application level.
* @param info - A public byte string to be mixed into the computation.
* @returns An object with the POPRF protocol functions.
*/
readonly poprf: (info: TArg<Bytes>) => {
/** (Server-side) Generates a key pair for the POPRF mode. */
generateKeyPair(): TRet<OPRFKeys>;
/** (Server-side) Deterministically derives a key pair for the POPRF mode. */
deriveKeyPair(seed: TArg<Bytes>, keyInfo: TArg<Bytes>): TRet<OPRFKeys>;
/**
* (Client-side) Blinds the client's private input and computes the "tweaked key".
* The tweaked key is a public value derived from the server's public key and the public `info`.
* @param input - The client's private input.
* @param publicKey - The server's public key.
* @param rng - An optional cryptographically secure random number generator.
* @returns The `blind`, `blinded` element, and the `tweakedKey`
* the client uses for verification.
*/
blind(input: TArg<Bytes>, publicKey: TArg<PointBytes>, rng?: RNG): TRet<OPRFBlindTweaked>;
/**
* (Server-side) Evaluates the blinded element using a key derived from
* its secret key and the public `info`.
* It generates a DLEQ proof against the tweaked key.
* @param secretKey - The server's private key.
* @param blinded - The blinded element from the client.
* @param rng - An optional RNG for the proof.
* @returns The evaluated element and a proof of correct computation.
*/
blindEvaluate(secretKey: TArg<ScalarBytes>, blinded: TArg<PointBytes>, rng?: RNG): TRet<OPRFBlindEval>;
/**
* (Server-side) A batch-aware version of `blindEvaluate` for the POPRF mode.
* @param secretKey - The server's private key.
* @param blinded - An array of blinded elements.
* @param rng - An optional RNG for the proof.
* @returns An array of evaluated elements and a single proof for the batch.
*/
blindEvaluateBatch(secretKey: TArg<ScalarBytes>, blinded: TArg<PointBytes[]>, rng: RNG): TRet<OPRFBlindEvalBatch>;
/**
* (Client-side) A batch-aware version of `finalize` for the POPRF mode.
* It verifies the proof against the tweaked key.
* @param items - An array containing the parameters for each finalization.
* @param proof - The single DLEQ proof for the batch.
* @param tweakedKey - The tweaked key corresponding to the proof.
* All items must share the same `info` and `publicKey`.
* @returns An array of final POPRF outputs.
* @throws If proof verification fails. {@link Error}
*/
finalizeBatch(items: TArg<OPRFFinalizeItem[]>, proof: TArg<Bytes>, tweakedKey: TArg<PointBytes>): TRet<Bytes[]>;
/**
* (Client-side) Finalizes the POPRF protocol. It verifies the server's proof against the
* `tweakedKey` computed in the `blind` step. The final output is bound to the public `info`.
* @param input - The original private input.
* @param blind - The secret scalar.
* @param evaluated - The evaluated element from the server.
* @param blinded - The blinded element sent to the server.
* @param proof - The DLEQ proof from the server.
* @param tweakedKey - The public tweaked key computed by the client during the `blind` step.
* @returns The final POPRF output.
* @throws If proof verification fails. {@link Error}
*/
finalize(input: TArg<Bytes>, blind: TArg<ScalarBytes>, evaluated: TArg<PointBytes>, blinded: TArg<PointBytes>, proof: TArg<Bytes>, tweakedKey: TArg<PointBytes>): TRet<Bytes>;
/**
* A non-interactive evaluation function for an entity that knows all inputs.
* Computes the final POPRF output directly. Useful for testing or specific applications
* where the server needs to compute the output for a known input.
* @param secretKey - The server's private key.
* @param input - The client's private input.
* @returns The final POPRF output.
*/
evaluate(secretKey: TArg<ScalarBytes>, input: TArg<Bytes>): TRet<Bytes>;
};
};
/**
* @param opts - OPRF ciphersuite options. See {@link OPRFOpts}.
* @returns OPRF helper namespace.
* @example
* Instantiate an OPRF suite from curve-specific hashing hooks.
*
* ```ts
* import { createOPRF } from '@noble/curves/abstract/oprf.js';
* import { p256, p256_hasher } from '@noble/curves/nist.js';
* import { sha256 } from '@noble/hashes/sha2.js';
* const oprf = createOPRF({
* name: 'P256-SHA256',
* Point: p256.Point,
* hash: sha256,
* hashToGroup: p256_hasher.hashToCurve,
* hashToScalar: p256_hasher.hashToScalar,
* });
* const keys = oprf.oprf.generateKeyPair();
* ```
*/
export declare function createOPRF<P extends CurvePoint<any, P>>(opts: OPRFOpts<P>): TRet<OPRF>;
//# sourceMappingURL=oprf.d.ts.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/oprf.d.ts.map
Generated Vendored
+1
View File
File diff suppressed because one or more lines are too long
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/oprf.js
Generated Vendored
+356
View File
@@ -0,0 +1,356 @@
/**
* RFC 9497: Oblivious Pseudorandom Functions (OPRFs) Using Prime-Order Groups.
* https://www.rfc-editor.org/rfc/rfc9497
*
OPRF allows to interactively create an `Output = PRF(Input, serverSecretKey)`:
- Server cannot calculate Output by itself: it doesn't know Input
- Client cannot calculate Output by itself: it doesn't know server secretKey
- An attacker interception the communication can't restore Input/Output/serverSecretKey and can't
link Input to some value.
## Issues
- Low-entropy inputs (e.g. password '123') enable brute-forced dictionary attacks by the server
(solveable by domain separation in POPRF)
- High-level protocol needs to be constructed on top, because OPRF is low-level
## Use cases
1. **Password-Authenticated Key Exchange (PAKE):** Enables secure password login (e.g., OPAQUE)
without revealing the password to the server.
2. **Private Set Intersection (PSI):** Allows two parties to compute the intersection of their
private sets without revealing non-intersecting elements.
3. **Anonymous Credential Systems:** Supports issuance of anonymous, unlinkable credentials
(e.g., Privacy Pass) using blind OPRF evaluation.
4. **Private Information Retrieval (PIR):** Helps users query databases without revealing which
item they accessed.
5. **Encrypted Search / Secure Indexing:** Enables keyword search over encrypted data while keeping
queries private.
6. **Spam Prevention and Rate-Limiting:** Issues anonymous tokens to prevent abuse
(e.g., CAPTCHA bypass) without compromising user privacy.
## Modes
- OPRF: simple mode, client doesn't need to know server public key
- VOPRF: verifiable mode. It lets the client verify that the server used the
secret key corresponding to a known public key
- POPRF: partially oblivious mode, VOPRF + domain separation
There is also non-interactive mode (Evaluate), which creates Output
non-interactively with knowledge of the secret key.
Flow:
- (once) Server generates secret and public keys, distributes public keys to clients
- deterministically: `deriveKeyPair` or just random: `generateKeyPair`
- Client blinds input: `blind(secretInput)`
- Server evaluates blinded input: `blindEvaluate` generated by client, sends result to client
- Client creates output using result of evaluation via 'finalize'
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { abytes, asciiToBytes, bytesToNumberBE, bytesToNumberLE, concatBytes, numberToBytesBE, randomBytes, validateObject, } from "../utils.js";
import { pippenger, validatePointCons } from "./curve.js";
import { _DST_scalar } from "./hash-to-curve.js";
import { getMinHashLength, mapHashToField } from "./modular.js";
const _DST_scalarBytes = /* @__PURE__ */ asciiToBytes(_DST_scalar);
// welcome to generic hell
/**
* @param opts - OPRF ciphersuite options. See {@link OPRFOpts}.
* @returns OPRF helper namespace.
* @example
* Instantiate an OPRF suite from curve-specific hashing hooks.
*
* ```ts
* import { createOPRF } from '@noble/curves/abstract/oprf.js';
* import { p256, p256_hasher } from '@noble/curves/nist.js';
* import { sha256 } from '@noble/hashes/sha2.js';
* const oprf = createOPRF({
* name: 'P256-SHA256',
* Point: p256.Point,
* hash: sha256,
* hashToGroup: p256_hasher.hashToCurve,
* hashToScalar: p256_hasher.hashToScalar,
* });
* const keys = oprf.oprf.generateKeyPair();
* ```
*/
export function createOPRF(opts) {
validateObject(opts, {
name: 'string',
hash: 'function',
hashToScalar: 'function',
hashToGroup: 'function',
});
// Cheap constructor-surface sanity check only: this verifies the generic static hooks/fields that
// OPRF consumes, but it does not certify point semantics like BASE/ZERO correctness.
validatePointCons(opts.Point);
const { name, Point, hash } = opts;
const { Fn } = Point;
const hashToGroup = (msg, ctx) => opts.hashToGroup(msg, {
DST: concatBytes(asciiToBytes('HashToGroup-'), ctx),
});
const hashToScalarPrefixed = (msg, ctx) => opts.hashToScalar(msg, { DST: concatBytes(_DST_scalarBytes, ctx) });
const randomScalar = (rng = randomBytes) => {
// RFC 9497 §2.1 defines RandomScalar as nonzero; blind inversion and generated public keys
// both rely on keeping this helper in the `1..n-1` range.
const t = mapHashToField(rng(getMinHashLength(Fn.ORDER)), Fn.ORDER, Fn.isLE);
// We cannot use Fn.fromBytes here, because field
// can have different number of bytes (like ed448)
return Fn.isLE ? bytesToNumberLE(t) : bytesToNumberBE(t);
};
const msm = (points, scalars) => pippenger(Point, points, scalars);
const getCtx = (mode) => concatBytes(asciiToBytes('OPRFV1-'), new Uint8Array([mode]), asciiToBytes('-' + name));
const ctxOPRF = getCtx(0x00);
const ctxVOPRF = getCtx(0x01);
const ctxPOPRF = getCtx(0x02);
function encode(...args) {
const res = [];
for (const a of args) {
if (typeof a === 'number')
res.push(numberToBytesBE(a, 2));
else if (typeof a === 'string')
res.push(asciiToBytes(a));
else {
abytes(a);
res.push(numberToBytesBE(a.length, 2), a);
}
}
// No wipe here, since will modify actual bytes
return concatBytes(...res);
}
const inputBytes = (title, bytes) => {
abytes(bytes, undefined, title);
// RFC 9497 §1.2 limits PrivateInput/PublicInput to 2^16 - 1 bytes because these values are
// length-prefixed with two bytes before use throughout the protocol.
if (bytes.length > 0xffff)
throw new Error(`"${title}" expected Uint8Array of length <= 65535, got length=${bytes.length}`);
return bytes;
};
const hashInput = (...bytes) => hash(encode(...bytes, 'Finalize'));
function getTranscripts(B, C, D, ctx) {
const Bm = B.toBytes();
const seed = hash(encode(Bm, concatBytes(asciiToBytes('Seed-'), ctx)));
const res = [];
for (let i = 0; i < C.length; i++) {
const Ci = C[i].toBytes();
const Di = D[i].toBytes();
const di = hashToScalarPrefixed(encode(seed, i, Ci, Di, 'Composite'), ctx);
res.push(di);
}
return res;
}
function computeComposites(B, C, D, ctx) {
const T = getTranscripts(B, C, D, ctx);
const M = msm(C, T);
const Z = msm(D, T);
return { M, Z };
}
function computeCompositesFast(k, B, C, D, ctx) {
const T = getTranscripts(B, C, D, ctx);
const M = msm(C, T);
// RFC 9497 §2.2.1 ComputeCompositesFast derives weights from both C and D in getTranscripts(),
// then uses the server shortcut Z = k * M instead of a second MSM over D.
const Z = M.multiply(k);
return { M, Z };
}
function challengeTranscript(B, M, Z, t2, t3, ctx) {
const [Bm, a0, a1, a2, a3] = [B, M, Z, t2, t3].map((i) => i.toBytes());
return hashToScalarPrefixed(encode(Bm, a0, a1, a2, a3, 'Challenge'), ctx);
}
function generateProof(ctx, k, B, C, D, rng) {
const { M, Z } = computeCompositesFast(k, B, C, D, ctx);
const r = randomScalar(rng);
const t2 = Point.BASE.multiply(r);
const t3 = M.multiply(r);
const c = challengeTranscript(B, M, Z, t2, t3, ctx);
const s = Fn.sub(r, Fn.mul(c, k)); // r - c*k
return concatBytes(...[c, s].map((i) => Fn.toBytes(i)));
}
function verifyProof(ctx, B, C, D, proof) {
abytes(proof, 2 * Fn.BYTES);
const { M, Z } = computeComposites(B, C, D, ctx);
const [c, s] = [proof.subarray(0, Fn.BYTES), proof.subarray(Fn.BYTES)].map((f) => Fn.fromBytes(f));
const t2 = Point.BASE.multiply(s).add(B.multiply(c)); // s*G + c*B
const t3 = M.multiply(s).add(Z.multiply(c)); // s*M + c*Z
const expectedC = challengeTranscript(B, M, Z, t2, t3, ctx);
if (!Fn.eql(c, expectedC))
throw new Error('proof verification failed');
}
function generateKeyPair() {
const skS = randomScalar();
const pkS = Point.BASE.multiply(skS);
return { secretKey: Fn.toBytes(skS), publicKey: pkS.toBytes() };
}
function deriveKeyPair(ctx, seed, info) {
// RFC 9497 §3.2.1 defines `seed[32]`; reject other sizes here because this public API already
// documents a 32-byte seed instead of generic input keying material.
abytes(seed, 32, 'seed');
info = inputBytes('keyInfo', info);
const dst = concatBytes(asciiToBytes('DeriveKeyPair'), ctx);
const msg = concatBytes(seed, encode(info), Uint8Array.of(0));
for (let counter = 0; counter <= 255; counter++) {
msg[msg.length - 1] = counter;
const skS = opts.hashToScalar(msg, { DST: dst });
if (Fn.is0(skS))
continue; // should not happen
return {
secretKey: Fn.toBytes(skS),
publicKey: Point.BASE.multiply(skS).toBytes(),
};
}
throw new Error('Cannot derive key');
}
const wirePoint = (label, bytes) => {
const point = Point.fromBytes(bytes);
// RFC 9497 §3.3 says applications MUST reject group-identity Elements received over the wire
// after deserialization, even if the suite decoder itself accepts the identity encoding.
if (point.equals(Point.ZERO))
throw new Error(label + ' point at infinity');
return point;
};
function blind(ctx, input, rng = randomBytes) {
input = inputBytes('input', input);
const blind = randomScalar(rng);
const inputPoint = hashToGroup(input, ctx);
if (inputPoint.equals(Point.ZERO))
throw new Error('Input point at infinity');
const blinded = inputPoint.multiply(blind);
return { blind: Fn.toBytes(blind), blinded: blinded.toBytes() };
}
function evaluate(ctx, secretKey, input) {
input = inputBytes('input', input);
const skS = Fn.fromBytes(secretKey);
const inputPoint = hashToGroup(input, ctx);
if (inputPoint.equals(Point.ZERO))
throw new Error('Input point at infinity');
const unblinded = inputPoint.multiply(skS).toBytes();
return hashInput(input, unblinded);
}
const oprf = Object.freeze({
generateKeyPair,
deriveKeyPair: (seed, keyInfo) => deriveKeyPair(ctxOPRF, seed, keyInfo),
blind: (input, rng = randomBytes) => blind(ctxOPRF, input, rng),
blindEvaluate(secretKey, blindedPoint) {
const skS = Fn.fromBytes(secretKey);
const elm = wirePoint('blinded', blindedPoint);
return elm.multiply(skS).toBytes();
},
finalize(input, blindBytes, evaluatedBytes) {
input = inputBytes('input', input);
const blind = Fn.fromBytes(blindBytes);
const evalPoint = wirePoint('evaluated', evaluatedBytes);
const unblinded = evalPoint.multiply(Fn.inv(blind)).toBytes();
return hashInput(input, unblinded);
},
evaluate: (secretKey, input) => evaluate(ctxOPRF, secretKey, input),
});
const voprf = Object.freeze({
generateKeyPair,
deriveKeyPair: (seed, keyInfo) => deriveKeyPair(ctxVOPRF, seed, keyInfo),
blind: (input, rng = randomBytes) => blind(ctxVOPRF, input, rng),
blindEvaluateBatch(secretKey, publicKey, blinded, rng = randomBytes) {
if (!Array.isArray(blinded))
throw new Error('expected array');
const skS = Fn.fromBytes(secretKey);
const pkS = wirePoint('public key', publicKey);
const blindedPoints = blinded.map((i) => wirePoint('blinded', i));
const evaluated = blindedPoints.map((i) => i.multiply(skS));
const proof = generateProof(ctxVOPRF, skS, pkS, blindedPoints, evaluated, rng);
return { evaluated: evaluated.map((i) => i.toBytes()), proof };
},
blindEvaluate(secretKey, publicKey, blinded, rng = randomBytes) {
const res = this.blindEvaluateBatch(secretKey, publicKey, [blinded], rng);
return { evaluated: res.evaluated[0], proof: res.proof };
},
finalizeBatch(items, publicKey, proof) {
if (!Array.isArray(items))
throw new Error('expected array');
const pkS = wirePoint('public key', publicKey);
const blindedPoints = items.map((i) => wirePoint('blinded', i.blinded));
const evalPoints = items.map((i) => wirePoint('evaluated', i.evaluated));
verifyProof(ctxVOPRF, pkS, blindedPoints, evalPoints, proof);
return items.map((i) => oprf.finalize(i.input, i.blind, i.evaluated));
},
finalize(input, blind, evaluated, blinded, publicKey, proof) {
return this.finalizeBatch([{ input, blind, evaluated, blinded }], publicKey, proof)[0];
},
evaluate: (secretKey, input) => evaluate(ctxVOPRF, secretKey, input),
});
// NOTE: info is domain separation
const poprf = (info) => {
info = inputBytes('info', info);
const m = hashToScalarPrefixed(encode('Info', info), ctxPOPRF);
const T = Point.BASE.multiply(m);
return Object.freeze({
generateKeyPair,
deriveKeyPair: (seed, keyInfo) => deriveKeyPair(ctxPOPRF, seed, keyInfo),
blind(input, publicKey, rng = randomBytes) {
input = inputBytes('input', input);
const pkS = wirePoint('public key', publicKey);
const tweakedKey = T.add(pkS);
if (tweakedKey.equals(Point.ZERO))
throw new Error('tweakedKey point at infinity');
const blind = randomScalar(rng);
const inputPoint = hashToGroup(input, ctxPOPRF);
if (inputPoint.equals(Point.ZERO))
throw new Error('Input point at infinity');
const blindedPoint = inputPoint.multiply(blind);
return {
blind: Fn.toBytes(blind),
blinded: blindedPoint.toBytes(),
tweakedKey: tweakedKey.toBytes(),
};
},
blindEvaluateBatch(secretKey, blinded, rng = randomBytes) {
if (!Array.isArray(blinded))
throw new Error('expected array');
const skS = Fn.fromBytes(secretKey);
const t = Fn.add(skS, m);
// "Hence, this error can be a signal for the server to replace its
// private key". We throw inside; this should be impossible.
const invT = Fn.inv(t);
const blindedPoints = blinded.map((i) => wirePoint('blinded', i));
const evalPoints = blindedPoints.map((i) => i.multiply(invT));
const tweakedKey = Point.BASE.multiply(t);
const proof = generateProof(ctxPOPRF, t, tweakedKey, evalPoints, blindedPoints, rng);
return { evaluated: evalPoints.map((i) => i.toBytes()), proof };
},
blindEvaluate(secretKey, blinded, rng = randomBytes) {
const res = this.blindEvaluateBatch(secretKey, [blinded], rng);
return { evaluated: res.evaluated[0], proof: res.proof };
},
finalizeBatch(items, proof, tweakedKey) {
if (!Array.isArray(items))
throw new Error('expected array');
const inputs = items.map((i) => inputBytes('input', i.input));
const evalPoints = items.map((i) => wirePoint('evaluated', i.evaluated));
verifyProof(ctxPOPRF, wirePoint('tweakedKey', tweakedKey), evalPoints, items.map((i) => wirePoint('blinded', i.blinded)), proof);
return items.map((i, j) => {
const blind = Fn.fromBytes(i.blind);
const point = evalPoints[j].multiply(Fn.inv(blind)).toBytes();
return hashInput(inputs[j], info, point);
});
},
finalize(input, blind, evaluated, blinded, proof, tweakedKey) {
return this.finalizeBatch([{ input, blind, evaluated, blinded }], proof, tweakedKey)[0];
},
evaluate(secretKey, input) {
input = inputBytes('input', input);
const skS = Fn.fromBytes(secretKey);
const inputPoint = hashToGroup(input, ctxPOPRF);
if (inputPoint.equals(Point.ZERO))
throw new Error('Input point at infinity');
const t = Fn.add(skS, m);
const invT = Fn.inv(t);
const unblinded = inputPoint.multiply(invT).toBytes();
return hashInput(input, info, unblinded);
},
});
};
const res = { name, oprf, voprf, poprf, __tests: Object.freeze({ Fn }) };
return Object.freeze(res);
}
//# sourceMappingURL=oprf.js.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/oprf.js.map
Generated Vendored
+1
View File
File diff suppressed because one or more lines are too long
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/poseidon.d.ts
Generated Vendored
+199
View File
@@ -0,0 +1,199 @@
/**
* Implements [Poseidon](https://www.poseidon-hash.info) ZK-friendly hash.
*
* There are many poseidon variants with different constants.
* We don't provide them: you should construct them manually.
* Check out [micro-starknet](https://github.com/paulmillr/micro-starknet) package for a proper example.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { type TArg, type TRet } from '../utils.ts';
import { type IField } from './modular.ts';
/** Core Poseidon permutation parameters shared by all variants. */
export type PoseidonBasicOpts = {
/** Prime field used by the permutation. */
Fp: IField<bigint>;
/** Poseidon width `t = rate + capacity`. */
t: number;
/** Number of full S-box rounds. */
roundsFull: number;
/** Number of partial S-box rounds. */
roundsPartial: number;
/** Whether to use the inverse S-box variant. */
isSboxInverse?: boolean;
};
/** Poseidon settings used by the Grain-LFSR constant generator. */
export type PoseidonGrainOpts = PoseidonBasicOpts & {
/** S-box power used while generating constants. */
sboxPower?: number;
};
type PoseidonConstants = {
mds: bigint[][];
roundConstants: bigint[][];
};
/**
* @param opts - Poseidon grain options. See {@link PoseidonGrainOpts}.
* @param skipMDS - Number of MDS samples to skip.
* @returns Generated constants.
* @throws If the generated MDS matrix contains a zero denominator. {@link Error}
* @example
* Generate Poseidon round constants and an MDS matrix from the Grain LFSR.
*
* ```ts
* import { grainGenConstants } from '@noble/curves/abstract/poseidon.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const constants = grainGenConstants({ Fp, t: 2, roundsFull: 8, roundsPartial: 8 });
* ```
*/
export declare function grainGenConstants(opts: TArg<PoseidonGrainOpts>, skipMDS?: number): PoseidonConstants;
/** Fully specified Poseidon permutation options with explicit constants. */
export type PoseidonOpts = PoseidonBasicOpts & PoseidonConstants & {
/** S-box power used by the permutation. */
sboxPower?: number;
/** Whether to reverse the partial-round S-box index. */
reversePartialPowIdx?: boolean;
};
/**
* @param opts - Poseidon options. See {@link PoseidonOpts}.
* @returns Normalized poseidon options.
* @throws If the Poseidon options, constants, or MDS matrix are invalid. {@link Error}
* @example
* Validate generated constants before constructing a permutation.
*
* ```ts
* import { grainGenConstants, validateOpts } from '@noble/curves/abstract/poseidon.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const constants = grainGenConstants({ Fp, t: 2, roundsFull: 8, roundsPartial: 8 });
* const opts = validateOpts({ ...constants, Fp, t: 2, roundsFull: 8, roundsPartial: 8, sboxPower: 3 });
* ```
*/
export declare function validateOpts(opts: TArg<PoseidonOpts>): TRet<Readonly<{
rounds: number;
sboxFn: (n: bigint) => bigint;
roundConstants: bigint[][];
mds: bigint[][];
Fp: IField<bigint>;
t: number;
roundsFull: number;
roundsPartial: number;
sboxPower?: number;
reversePartialPowIdx?: boolean;
}>>;
/**
* @param rc - Flattened round constants.
* @param t - Poseidon width.
* @returns Constants grouped by round.
* @throws If the width or flattened constant array is invalid. {@link Error}
* @example
* Regroup a flat constant list into per-round chunks.
*
* ```ts
* const rounds = splitConstants([1n, 2n, 3n, 4n], 2);
* ```
*/
export declare function splitConstants(rc: bigint[], t: number): bigint[][];
/**
* Poseidon permutation callable.
* @param values - Poseidon state vector. Non-canonical bigints are normalized with `Fp.create(...)`.
* @returns Permuted state vector.
*/
export type PoseidonFn = {
(values: bigint[]): bigint[];
/** Round constants captured by the permutation instance. */
roundConstants: bigint[][];
};
/** Poseidon NTT-friendly hash. */
/**
* @param opts - Poseidon options. See {@link PoseidonOpts}.
* @returns Poseidon permutation.
* @throws If the Poseidon options or state vector are invalid. {@link Error}
* @example
* Build a Poseidon permutation from validated parameters and constants.
*
* ```ts
* import { grainGenConstants, poseidon } from '@noble/curves/abstract/poseidon.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const constants = grainGenConstants({ Fp, t: 2, roundsFull: 8, roundsPartial: 8 });
* const hash = poseidon({ ...constants, Fp, t: 2, roundsFull: 8, roundsPartial: 8, sboxPower: 3 });
* const state = hash([1n, 2n]);
* ```
*/
export declare function poseidon(opts: TArg<PoseidonOpts>): PoseidonFn;
/**
* @param Fp - Field implementation.
* @param rate - Sponge rate.
* @param capacity - Sponge capacity.
* @param hash - Poseidon permutation.
* @example
* Wrap one Poseidon permutation in a sponge interface.
*
* ```ts
* import { PoseidonSponge, grainGenConstants, poseidon } from '@noble/curves/abstract/poseidon.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const constants = grainGenConstants({ Fp, t: 2, roundsFull: 8, roundsPartial: 8 });
* const hash = poseidon({ ...constants, Fp, t: 2, roundsFull: 8, roundsPartial: 8, sboxPower: 3 });
* const sponge = new PoseidonSponge(Fp, 1, 1, hash);
* sponge.absorb([1n]);
* const out = sponge.squeeze(1);
* ```
*/
export declare class PoseidonSponge {
private Fp;
readonly rate: number;
readonly capacity: number;
readonly hash: PoseidonFn;
private state;
private pos;
private isAbsorbing;
constructor(Fp: IField<bigint>, rate: number, capacity: number, hash: PoseidonFn);
private process;
absorb(input: bigint[]): void;
squeeze(count: number): bigint[];
clean(): void;
clone(): PoseidonSponge;
}
/** Options for the non-standard but commonly used Poseidon sponge wrapper. */
export type PoseidonSpongeOpts = Omit<PoseidonOpts, 't'> & {
/** Sponge rate. */
rate: number;
/** Sponge capacity. */
capacity: number;
};
/**
* The method is not defined in spec, but nevertheless used often.
* Check carefully for compatibility: there are many edge cases, like absorbing an empty array.
* We cross-test against:
* - {@link https://github.com/ProvableHQ/snarkVM/tree/staging/algorithms | snarkVM algorithms}
* - {@link https://github.com/arkworks-rs/crypto-primitives/tree/main | arkworks crypto-primitives}
* @param opts - Sponge options. See {@link PoseidonSpongeOpts}.
* @returns Factory for sponge instances.
* @throws If the sponge dimensions or backing permutation options are invalid. {@link Error}
* @example
* Use the sponge helper to absorb several field elements and squeeze one digest.
*
* ```ts
* import { grainGenConstants, poseidonSponge } from '@noble/curves/abstract/poseidon.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const constants = grainGenConstants({ Fp, t: 2, roundsFull: 8, roundsPartial: 8 });
* const makeSponge = poseidonSponge({
* ...constants,
* Fp,
* rate: 1,
* capacity: 1,
* roundsFull: 8,
* roundsPartial: 8,
* sboxPower: 3,
* });
* const sponge = makeSponge();
* sponge.absorb([1n]);
* const out = sponge.squeeze(1);
* ```
*/
export declare function poseidonSponge(opts: TArg<PoseidonSpongeOpts>): TRet<() => PoseidonSponge>;
export {};
//# sourceMappingURL=poseidon.d.ts.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/poseidon.d.ts.map
Generated Vendored
+1
View File
@@ -0,0 +1 @@
{"version":3,"file":"poseidon.d.ts","sourceRoot":"","sources":["../src/abstract/poseidon.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,sEAAsE;AACtE,OAAO,EAAuC,KAAK,IAAI,EAAE,KAAK,IAAI,EAAE,MAAM,aAAa,CAAC;AACxF,OAAO,EAAwB,KAAK,MAAM,EAAiB,MAAM,cAAc,CAAC;AA2BhF,mEAAmE;AACnE,MAAM,MAAM,iBAAiB,GAAG;IAC9B,2CAA2C;IAC3C,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IACnB,4CAA4C;IAC5C,CAAC,EAAE,MAAM,CAAC;IACV,mCAAmC;IACnC,UAAU,EAAE,MAAM,CAAC;IACnB,sCAAsC;IACtC,aAAa,EAAE,MAAM,CAAC;IACtB,gDAAgD;IAChD,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB,CAAC;AAkEF,mEAAmE;AACnE,MAAM,MAAM,iBAAiB,GAAG,iBAAiB,GAAG;IAClD,mDAAmD;IACnD,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,KAAK,iBAAiB,GAAG;IAAE,GAAG,EAAE,MAAM,EAAE,EAAE,CAAC;IAAC,cAAc,EAAE,MAAM,EAAE,EAAE,CAAA;CAAE,CAAC;AAIzE;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE,IAAI,CAAC,iBAAiB,CAAC,EAC7B,OAAO,GAAE,MAAU,GAClB,iBAAiB,CA4BnB;AAED,4EAA4E;AAC5E,MAAM,MAAM,YAAY,GAAG,iBAAiB,GAC1C,iBAAiB,GAAG;IAClB,2CAA2C;IAC3C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,wDAAwD;IACxD,oBAAoB,CAAC,EAAE,OAAO,CAAC;CAChC,CAAC;AAEJ;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,IAAI,CAAC,YAAY,CAAC,GAAG,IAAI,CAC1D,QAAQ,CAAC;IACP,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,CAAC,CAAC,EAAE,MAAM,KAAK,MAAM,CAAC;IAC9B,cAAc,EAAE,MAAM,EAAE,EAAE,CAAC;IAC3B,GAAG,EAAE,MAAM,EAAE,EAAE,CAAC;IAChB,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IACnB,CAAC,EAAE,MAAM,CAAC;IACV,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,oBAAoB,CAAC,EAAE,OAAO,CAAC;CAChC,CAAC,CACH,CAkEA;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,EAAE,EAAE,MAAM,EAAE,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,EAAE,CAgBlE;AAED;;;;GAIG;AACH,MAAM,MAAM,UAAU,GAAG;IACvB,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC;IAC7B,4DAA4D;IAC5D,cAAc,EAAE,MAAM,EAAE,EAAE,CAAC;CAC5B,CAAC;AACF,kCAAkC;AAClC;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,YAAY,CAAC,GAAG,UAAU,CAyC7D;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,EAAE,CAAiB;IAC3B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,OAAO,CAAC,KAAK,CAAW;IACxB,OAAO,CAAC,GAAG,CAAK;IAChB,OAAO,CAAC,WAAW,CAAQ;gBAEf,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU;IAgBhF,OAAO,CAAC,OAAO;IAKf,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,IAAI;IAgB7B,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,EAAE;IAiBhC,KAAK,IAAI,IAAI;IAKb,KAAK,IAAI,cAAc;CAOxB;AAED,8EAA8E;AAC9E,MAAM,MAAM,kBAAkB,GAAG,IAAI,CAAC,YAAY,EAAE,GAAG,CAAC,GAAG;IACzD,mBAAmB;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,uBAAuB;IACvB,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAaF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,IAAI,CAAC,kBAAkB,CAAC,GAAG,IAAI,CAAC,MAAM,cAAc,CAAC,CAQzF"}
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/poseidon.js
Generated Vendored
+463
View File
@@ -0,0 +1,463 @@
/**
* Implements [Poseidon](https://www.poseidon-hash.info) ZK-friendly hash.
*
* There are many poseidon variants with different constants.
* We don't provide them: you should construct them manually.
* Check out [micro-starknet](https://github.com/paulmillr/micro-starknet) package for a proper example.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { asafenumber, bitGet, validateObject } from "../utils.js";
import { FpInvertBatch, FpPow, validateField } from "./modular.js";
// Grain LFSR (Linear-Feedback Shift Register): https://eprint.iacr.org/2009/109.pdf
function grainLFSR(state) {
// Advances the caller-provided 80-entry state array in place; only the length
// is checked here, so entries are assumed to already be bits.
let pos = 0;
if (state.length !== 80)
throw new Error('grainLFRS: wrong state length, should be 80 bits');
const getBit = () => {
const r = (offset) => state[(pos + offset) % 80];
const bit = r(62) ^ r(51) ^ r(38) ^ r(23) ^ r(13) ^ r(0);
state[pos] = bit;
pos = ++pos % 80;
return !!bit;
};
for (let i = 0; i < 160; i++)
getBit();
return () => {
// https://en.wikipedia.org/wiki/Shrinking_generator
while (true) {
const b1 = getBit();
const b2 = getBit();
if (!b1)
continue;
return b2;
}
};
}
function assertValidPosOpts(opts) {
const { Fp, roundsFull } = opts;
validateField(Fp);
validateObject(opts, {
t: 'number',
roundsFull: 'number',
roundsPartial: 'number',
}, {
isSboxInverse: 'boolean',
});
for (const k of ['t', 'roundsFull', 'roundsPartial']) {
asafenumber(opts[k], k);
if (opts[k] < 1)
throw new Error('invalid number ' + k);
}
// Poseidon splits full rounds as `R_F / 2`, then partial rounds, then `R_F / 2` again.
if (roundsFull & 1)
throw new Error('roundsFull is not even' + roundsFull);
}
function poseidonGrain(opts) {
assertValidPosOpts(opts);
const { Fp } = opts;
const state = Array(80).fill(1);
let pos = 0;
const writeBits = (value, bitCount) => {
for (let i = bitCount - 1; i >= 0; i--)
state[pos++] = Number(bitGet(value, i));
};
const _0n = BigInt(0);
const _1n = BigInt(1);
// The Grain seed layout is fixed-width: `Fp.BITS` and `t` use 12 bits,
// `roundsFull` and `roundsPartial` use 10, so larger values are truncated here.
// This is intentional for compatibility with snarkVM / arkworks PoseidonGrainLFSR:
// they write the same fixed-width seed fields without range checks, then still consume
// the LFSR using the caller-provided round count for ARK/MDS generation.
// Normalizing or rejecting here would diverge from those implementations.
writeBits(_1n, 2); // prime field
writeBits(opts.isSboxInverse ? _1n : _0n, 4); // b2..b5
writeBits(BigInt(Fp.BITS), 12); // b6..b17
writeBits(BigInt(opts.t), 12); // b18..b29
writeBits(BigInt(opts.roundsFull), 10); // b30..b39
writeBits(BigInt(opts.roundsPartial), 10); // b40..b49
const getBit = grainLFSR(state);
return (count, reject) => {
const res = [];
for (let i = 0; i < count; i++) {
while (true) {
let num = _0n;
for (let i = 0; i < Fp.BITS; i++) {
num <<= _1n;
if (getBit())
num |= _1n;
}
if (reject && num >= Fp.ORDER)
continue; // rejection sampling
res.push(Fp.create(num));
break;
}
}
return res;
};
}
// NOTE: this is not standard but used often for constant generation for poseidon
// (grain LFRS-like structure)
/**
* @param opts - Poseidon grain options. See {@link PoseidonGrainOpts}.
* @param skipMDS - Number of MDS samples to skip.
* @returns Generated constants.
* @throws If the generated MDS matrix contains a zero denominator. {@link Error}
* @example
* Generate Poseidon round constants and an MDS matrix from the Grain LFSR.
*
* ```ts
* import { grainGenConstants } from '@noble/curves/abstract/poseidon.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const constants = grainGenConstants({ Fp, t: 2, roundsFull: 8, roundsPartial: 8 });
* ```
*/
export function grainGenConstants(opts, skipMDS = 0) {
const { Fp, t, roundsFull, roundsPartial } = opts;
// `skipMDS` counts how many candidate matrices to discard before taking one.
asafenumber(skipMDS, 'skipMDS');
if (skipMDS < 0)
throw new Error('invalid number skipMDS');
const rounds = roundsFull + roundsPartial;
// `sboxPower` is carried in the opts shape for Poseidon compatibility, but
// Grain constant generation here only depends on field/size/round counts/inverse flag.
const sample = poseidonGrain(opts);
const roundConstants = [];
for (let r = 0; r < rounds; r++)
roundConstants.push(sample(t, true));
if (skipMDS > 0)
for (let i = 0; i < skipMDS; i++)
sample(2 * t, false);
const xs = sample(t, false);
const ys = sample(t, false);
// Construct MDS Matrix M[i][j] = 1 / (xs[i] + ys[j])
const mds = [];
for (let i = 0; i < t; i++) {
const row = [];
for (let j = 0; j < t; j++) {
const xy = Fp.add(xs[i], ys[j]);
if (Fp.is0(xy))
throw new Error(`Error generating MDS matrix: xs[${i}] + ys[${j}] resulted in zero.`);
row.push(xy);
}
mds.push(FpInvertBatch(Fp, row));
}
return { roundConstants, mds };
}
/**
* @param opts - Poseidon options. See {@link PoseidonOpts}.
* @returns Normalized poseidon options.
* @throws If the Poseidon options, constants, or MDS matrix are invalid. {@link Error}
* @example
* Validate generated constants before constructing a permutation.
*
* ```ts
* import { grainGenConstants, validateOpts } from '@noble/curves/abstract/poseidon.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const constants = grainGenConstants({ Fp, t: 2, roundsFull: 8, roundsPartial: 8 });
* const opts = validateOpts({ ...constants, Fp, t: 2, roundsFull: 8, roundsPartial: 8, sboxPower: 3 });
* ```
*/
export function validateOpts(opts) {
// This only normalizes shapes and field membership for the provided constants;
// it does not prove the stronger MDS/security criteria discussed in the specs.
assertValidPosOpts(opts);
const { Fp, mds, reversePartialPowIdx: rev, roundConstants: rc } = opts;
const { roundsFull, roundsPartial, sboxPower, t } = opts;
// MDS is TxT matrix
if (!Array.isArray(mds) || mds.length !== t)
throw new Error('Poseidon: invalid MDS matrix');
const _mds = mds.map((mdsRow) => {
if (!Array.isArray(mdsRow) || mdsRow.length !== t)
throw new Error('invalid MDS matrix row: ' + mdsRow);
return mdsRow.map((i) => {
if (typeof i !== 'bigint')
throw new Error('invalid MDS matrix bigint: ' + i);
// Hardcoded Poseidon MDS matrices often use signed entries like `-1`;
// accept bigint representatives here and reduce them into the field.
return Fp.create(i);
});
});
if (rev !== undefined && typeof rev !== 'boolean')
throw new Error('invalid param reversePartialPowIdx=' + rev);
if (roundsFull & 1)
throw new Error('roundsFull is not even' + roundsFull);
const rounds = roundsFull + roundsPartial;
if (!Array.isArray(rc) || rc.length !== rounds)
throw new Error('Poseidon: invalid round constants');
const roundConstants = rc.map((rc) => {
if (!Array.isArray(rc) || rc.length !== t)
throw new Error('invalid round constants');
return rc.map((i) => {
if (typeof i !== 'bigint' || !Fp.isValid(i))
throw new Error('invalid round constant');
return Fp.create(i);
});
});
// Freeze nested constants so exported handles cannot retune a live permutation instance.
const freezeRows = (rows) => Object.freeze(rows.map((row) => Object.freeze(row)));
if (!sboxPower || ![3, 5, 7, 17].includes(sboxPower))
throw new Error('invalid sboxPower');
const _sboxPower = BigInt(sboxPower);
let sboxFn = (n) => FpPow(Fp, n, _sboxPower);
// Unwrapped sbox power for common cases (195->142μs)
if (sboxPower === 3)
sboxFn = (n) => Fp.mul(Fp.sqrN(n), n);
else if (sboxPower === 5)
sboxFn = (n) => Fp.mul(Fp.sqrN(Fp.sqrN(n)), n);
return Object.freeze({
...opts,
rounds,
sboxFn,
roundConstants: freezeRows(roundConstants),
mds: freezeRows(_mds),
});
}
/**
* @param rc - Flattened round constants.
* @param t - Poseidon width.
* @returns Constants grouped by round.
* @throws If the width or flattened constant array is invalid. {@link Error}
* @example
* Regroup a flat constant list into per-round chunks.
*
* ```ts
* const rounds = splitConstants([1n, 2n, 3n, 4n], 2);
* ```
*/
export function splitConstants(rc, t) {
asafenumber(t, 't');
if (t < 1)
throw new Error('poseidonSplitConstants: invalid t');
if (!Array.isArray(rc) || rc.length % t)
throw new Error('poseidonSplitConstants: invalid rc');
const res = [];
let tmp = [];
for (let i = 0; i < rc.length; i++) {
const c = rc[i];
if (typeof c !== 'bigint')
throw new Error('invalid bigint=' + c);
tmp.push(c);
if (tmp.length === t) {
res.push(tmp);
tmp = [];
}
}
return res;
}
/** Poseidon NTT-friendly hash. */
/**
* @param opts - Poseidon options. See {@link PoseidonOpts}.
* @returns Poseidon permutation.
* @throws If the Poseidon options or state vector are invalid. {@link Error}
* @example
* Build a Poseidon permutation from validated parameters and constants.
*
* ```ts
* import { grainGenConstants, poseidon } from '@noble/curves/abstract/poseidon.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const constants = grainGenConstants({ Fp, t: 2, roundsFull: 8, roundsPartial: 8 });
* const hash = poseidon({ ...constants, Fp, t: 2, roundsFull: 8, roundsPartial: 8, sboxPower: 3 });
* const state = hash([1n, 2n]);
* ```
*/
export function poseidon(opts) {
const _opts = validateOpts(opts);
const { Fp, mds, roundConstants, rounds: totalRounds, roundsPartial, sboxFn, t } = _opts;
const halfRoundsFull = _opts.roundsFull / 2;
const partialIdx = _opts.reversePartialPowIdx ? t - 1 : 0;
const poseidonRound = (values, isFull, idx) => {
values = values.map((i, j) => Fp.add(i, roundConstants[idx][j]));
if (isFull)
values = values.map((i) => sboxFn(i));
else
values[partialIdx] = sboxFn(values[partialIdx]);
// Matrix multiplication
values = mds.map((i) => i.reduce((acc, i, j) => Fp.add(acc, Fp.mulN(i, values[j])), Fp.ZERO));
return values;
};
const poseidonHash = function poseidonHash(values) {
if (!Array.isArray(values) || values.length !== t)
throw new Error('invalid values, expected array of bigints with length ' + t);
// `.map()` skips sparse holes, which would leak `undefined` into round math below.
values = values.slice();
for (let j = 0; j < values.length; j++) {
const i = values[j];
if (typeof i !== 'bigint')
throw new Error('invalid bigint=' + i);
values[j] = Fp.create(i);
}
let lastRound = 0;
// Apply r_f/2 full rounds.
for (let i = 0; i < halfRoundsFull; i++)
values = poseidonRound(values, true, lastRound++);
// Apply r_p partial rounds.
for (let i = 0; i < roundsPartial; i++)
values = poseidonRound(values, false, lastRound++);
// Apply r_f/2 full rounds.
for (let i = 0; i < halfRoundsFull; i++)
values = poseidonRound(values, true, lastRound++);
if (lastRound !== totalRounds)
throw new Error('invalid number of rounds');
return values;
};
// For verification in tests
Object.defineProperty(poseidonHash, 'roundConstants', {
value: roundConstants,
enumerable: true,
});
return poseidonHash;
}
/**
* @param Fp - Field implementation.
* @param rate - Sponge rate.
* @param capacity - Sponge capacity.
* @param hash - Poseidon permutation.
* @example
* Wrap one Poseidon permutation in a sponge interface.
*
* ```ts
* import { PoseidonSponge, grainGenConstants, poseidon } from '@noble/curves/abstract/poseidon.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const constants = grainGenConstants({ Fp, t: 2, roundsFull: 8, roundsPartial: 8 });
* const hash = poseidon({ ...constants, Fp, t: 2, roundsFull: 8, roundsPartial: 8, sboxPower: 3 });
* const sponge = new PoseidonSponge(Fp, 1, 1, hash);
* sponge.absorb([1n]);
* const out = sponge.squeeze(1);
* ```
*/
export class PoseidonSponge {
Fp;
rate;
capacity;
hash;
state; // [...capacity, ...rate]
pos = 0;
isAbsorbing = true;
constructor(Fp, rate, capacity, hash) {
const width = spongeShape(rate, capacity);
// The direct constructor accepts an arbitrary permutation hook, but callers still
// need to preserve the `PoseidonFn.roundConstants` width metadata. Reject width
// mismatches here instead of deferring them until the first `process()` call.
if (width !== hash.roundConstants[0]?.length)
throw new Error(`invalid sponge width: expected ${hash.roundConstants[0]?.length}, got ${width}`);
this.Fp = Fp;
this.hash = hash;
this.rate = rate;
this.capacity = capacity;
this.state = new Array(width);
this.clean();
}
process() {
// The permutation is expected to return an owned state array. If callers inject a custom
// hook that reuses external storage, `clean()` will zero that shared buffer too.
this.state = this.hash(this.state);
}
absorb(input) {
for (const i of input)
if (typeof i !== 'bigint' || !this.Fp.isValid(i))
throw new Error('invalid input: ' + i);
for (let i = 0; i < input.length;) {
if (!this.isAbsorbing || this.pos === this.rate) {
this.process();
this.pos = 0;
this.isAbsorbing = true;
}
const chunk = Math.min(this.rate - this.pos, input.length - i);
for (let j = 0; j < chunk; j++) {
const idx = this.capacity + this.pos++;
this.state[idx] = this.Fp.add(this.state[idx], input[i++]);
}
}
}
squeeze(count) {
// Rust oracles use unsigned counts. In JS we keep `squeeze(0) => []` for
// compatibility, but still reject negative/fractional counts explicitly.
asafenumber(count, 'count');
if (count < 0)
throw new Error('invalid number count');
const res = [];
while (res.length < count) {
if (this.isAbsorbing || this.pos === this.rate) {
this.process();
this.pos = 0;
this.isAbsorbing = false;
}
const chunk = Math.min(this.rate - this.pos, count - res.length);
for (let i = 0; i < chunk; i++)
res.push(this.state[this.capacity + this.pos++]);
}
return res;
}
clean() {
this.state.fill(this.Fp.ZERO);
this.isAbsorbing = true;
this.pos = 0;
}
clone() {
const c = new PoseidonSponge(this.Fp, this.rate, this.capacity, this.hash);
c.pos = this.pos;
c.isAbsorbing = this.isAbsorbing;
c.state = [...this.state];
return c;
}
}
const spongeShape = (rate, capacity) => {
asafenumber(rate, 'rate');
asafenumber(capacity, 'capacity');
// A sponge with zero rate cannot absorb or squeeze any field elements.
if (rate < 1)
throw new Error('invalid number rate');
// Negative capacity can accidentally keep `rate + capacity` coherent while still
// producing a nonsensical sponge shape.
if (capacity < 0)
throw new Error('invalid number capacity');
return rate + capacity;
};
/**
* The method is not defined in spec, but nevertheless used often.
* Check carefully for compatibility: there are many edge cases, like absorbing an empty array.
* We cross-test against:
* - {@link https://github.com/ProvableHQ/snarkVM/tree/staging/algorithms | snarkVM algorithms}
* - {@link https://github.com/arkworks-rs/crypto-primitives/tree/main | arkworks crypto-primitives}
* @param opts - Sponge options. See {@link PoseidonSpongeOpts}.
* @returns Factory for sponge instances.
* @throws If the sponge dimensions or backing permutation options are invalid. {@link Error}
* @example
* Use the sponge helper to absorb several field elements and squeeze one digest.
*
* ```ts
* import { grainGenConstants, poseidonSponge } from '@noble/curves/abstract/poseidon.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const constants = grainGenConstants({ Fp, t: 2, roundsFull: 8, roundsPartial: 8 });
* const makeSponge = poseidonSponge({
* ...constants,
* Fp,
* rate: 1,
* capacity: 1,
* roundsFull: 8,
* roundsPartial: 8,
* sboxPower: 3,
* });
* const sponge = makeSponge();
* sponge.absorb([1n]);
* const out = sponge.squeeze(1);
* ```
*/
export function poseidonSponge(opts) {
const { rate, capacity } = opts;
const t = spongeShape(rate, capacity);
// Re-use one hash instance between sponge instances; isolation depends on
// poseidon(...) itself staying immutable and not carrying mutable call state.
const hash = poseidon({ ...opts, t });
const { Fp } = opts;
return (() => new PoseidonSponge(Fp, rate, capacity, hash));
}
//# sourceMappingURL=poseidon.js.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/poseidon.js.map
Generated Vendored
+1
View File
File diff suppressed because one or more lines are too long
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/tower.d.ts
Generated Vendored
+214
View File
@@ -0,0 +1,214 @@
/**
* Towered extension fields.
* Rather than implementing a massive 12th-degree extension directly, it is more efficient
* to build it up from smaller extensions: a tower of extensions.
*
* For BLS12-381, the Fp12 field is implemented as a quadratic (degree two) extension,
* on top of a cubic (degree three) extension, on top of a quadratic extension of Fp.
*
* For more info: "Pairings for beginners" by Costello, section 7.3.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { type TArg, type TRet } from '../utils.ts';
import * as mod from './modular.ts';
import type { WeierstrassPoint, WeierstrassPointCons } from './weierstrass.ts';
/** Pair of bigints used for quadratic-extension tuples. */
export type BigintTuple = [bigint, bigint];
/** Prime-field element. */
export type Fp = bigint;
/** Quadratic-extension field element `c0 + c1 * u`. */
export type Fp2 = {
/** Real component. */
c0: bigint;
/** Imaginary component. */
c1: bigint;
};
/** Six bigints used for sextic-extension tuples. */
export type BigintSix = [bigint, bigint, bigint, bigint, bigint, bigint];
/** Sextic-extension field element `c0 + c1 * v + c2 * v^2`. */
export type Fp6 = {
/** Constant coefficient. */
c0: Fp2;
/** Linear coefficient. */
c1: Fp2;
/** Quadratic coefficient. */
c2: Fp2;
};
/**
* Degree-12 extension field element `c0 + c1 * w`.
* Fp₁₂ = Fp₆² over Fp₂³, with Fp₆(w) / (w² - γ) where γ = v.
*/
export type Fp12 = {
/** Constant coefficient. */
c0: Fp6;
/** Linear coefficient. */
c1: Fp6;
};
/** Twelve bigints used for degree-12 extension tuples. */
export type BigintTwelve = [
bigint,
bigint,
bigint,
bigint,
bigint,
bigint,
bigint,
bigint,
bigint,
bigint,
bigint,
bigint
];
/** BLS-friendly helpers on top of the quadratic extension field. */
export type Fp2Bls = mod.IField<Fp2> & {
/** Underlying prime field. */
Fp: mod.IField<Fp>;
/** Apply one Frobenius map. */
frobeniusMap(num: Fp2, power: number): Fp2;
/** Build one field element from a raw bigint tuple. */
fromBigTuple(num: BigintTuple): Fp2;
/** Multiply by the curve `b` constant. */
mulByB: (num: Fp2) => Fp2;
/** Multiply by the quadratic non-residue. */
mulByNonresidue: (num: Fp2) => Fp2;
/** Split one quadratic element into real and imaginary components. */
reim: (num: Fp2) => {
re: Fp;
im: Fp;
};
/** Specialized helper used by sextic squaring formulas. */
Fp4Square: (a: Fp2, b: Fp2) => {
first: Fp2;
second: Fp2;
};
/** Quadratic non-residue used by the extension. */
NONRESIDUE: Fp2;
};
/** BLS-friendly helpers on top of the sextic extension field. */
export type Fp6Bls = mod.IField<Fp6> & {
/** Underlying quadratic extension field. */
Fp2: Fp2Bls;
/** Apply one Frobenius map. */
frobeniusMap(num: Fp6, power: number): Fp6;
/** Build one field element from a raw six-bigint tuple. */
fromBigSix: (tuple: BigintSix) => Fp6;
/** Multiply by a sparse `(0, b1, 0)` sextic element. */
mul1(num: Fp6, b1: Fp2): Fp6;
/** Multiply by a sparse `(b0, b1, 0)` sextic element. */
mul01(num: Fp6, b0: Fp2, b1: Fp2): Fp6;
/** Multiply by one quadratic-extension element. */
mulByFp2(lhs: Fp6, rhs: Fp2): Fp6;
/** Multiply by the sextic non-residue. */
mulByNonresidue: (num: Fp6) => Fp6;
};
/** BLS-friendly helpers on top of the degree-12 extension field. */
export type Fp12Bls = mod.IField<Fp12> & {
/** Underlying sextic extension field. */
Fp6: Fp6Bls;
/** Apply one Frobenius map. */
frobeniusMap(num: Fp12, power: number): Fp12;
/** Build one field element from a raw twelve-bigint tuple. */
fromBigTwelve: (t: BigintTwelve) => Fp12;
/** Multiply by a sparse `(o0, o1, 0, 0, o4, 0)` element. */
mul014(num: Fp12, o0: Fp2, o1: Fp2, o4: Fp2): Fp12;
/** Multiply by a sparse `(o0, 0, 0, o3, o4, 0)` element. */
mul034(num: Fp12, o0: Fp2, o3: Fp2, o4: Fp2): Fp12;
/** Multiply by one quadratic-extension element. */
mulByFp2(lhs: Fp12, rhs: Fp2): Fp12;
/** Conjugate one degree-12 element. */
conjugate(num: Fp12): Fp12;
/** Apply the final exponentiation from pairing arithmetic. */
finalExponentiate(num: Fp12): Fp12;
/** Apply one cyclotomic square. */
_cyclotomicSquare(num: Fp12): Fp12;
/** Apply one cyclotomic exponentiation. */
_cyclotomicExp(num: Fp12, n: bigint): Fp12;
};
declare function calcFrobeniusCoefficients<T>(Fp: TArg<mod.IField<T>>, nonResidue: T, modulus: bigint, degree: number, num?: number, divisor?: number): T[][];
export declare const __TEST: {
calcFrobeniusCoefficients: typeof calcFrobeniusCoefficients;
};
/**
* @param Fp - Base field implementation.
* @param Fp2 - Quadratic extension field.
* @param base - Twist-specific Frobenius base whose powers yield the `c1` / `c2` constants.
* BLS12-381 uses `1 / NONRESIDUE`; BN254 uses `NONRESIDUE`.
* @returns Frobenius endomorphism helpers.
* @throws If the derived Frobenius constants are inconsistent for the tower. {@link Error}
* @example
* Build Frobenius endomorphism helpers for a BLS extension tower.
*
* ```ts
* import { psiFrobenius } from '@noble/curves/abstract/tower.js';
* import { bls12_381 } from '@noble/curves/bls12-381.js';
* const Fp = bls12_381.fields.Fp;
* const Fp2 = bls12_381.fields.Fp2;
* const frob = psiFrobenius(Fp, Fp2, Fp2.div(Fp2.ONE, Fp2.NONRESIDUE));
* const point = frob.G2psi(bls12_381.G2.Point, bls12_381.G2.Point.BASE);
* ```
*/
export declare function psiFrobenius(Fp: TArg<mod.IField<Fp>>, Fp2: TArg<Fp2Bls>, base: TArg<Fp2>): {
psi: (x: Fp2, y: Fp2) => [Fp2, Fp2];
psi2: (x: Fp2, y: Fp2) => [Fp2, Fp2];
G2psi: (c: WeierstrassPointCons<Fp2>, P: WeierstrassPoint<Fp2>) => WeierstrassPoint<Fp2>;
G2psi2: (c: WeierstrassPointCons<Fp2>, P: WeierstrassPoint<Fp2>) => WeierstrassPoint<Fp2>;
PSI_X: Fp2;
PSI_Y: Fp2;
PSI2_X: Fp2;
PSI2_Y: Fp2;
};
/** Construction options for the BLS-style degree-12 tower. */
export type Tower12Opts = {
/** Prime-field order. */
ORDER: bigint;
/** Bit length of the BLS parameter `x`. */
X_LEN: number;
/** Prime-field non-residue used by the quadratic extension. */
NONRESIDUE?: Fp;
/** Quadratic-extension non-residue used by the sextic tower. */
FP2_NONRESIDUE: BigintTuple;
/**
* Optional custom quadratic square-root helper.
* Receives one quadratic-extension element and returns one square root.
*/
Fp2sqrt?: (num: Fp2) => Fp2;
/**
* Multiply one quadratic element by the curve `b` constant.
* @param num - Quadratic-extension element to scale.
* @returns Product by the curve `b` constant.
*/
Fp2mulByB: (num: Fp2) => Fp2;
/**
* Final exponentiation used by pairing arithmetic.
* @param num - Degree-12 field element to exponentiate.
* @returns Pairing result after final exponentiation.
*/
Fp12finalExponentiate: (num: Fp12) => Fp12;
};
/**
* @param opts - Tower construction options. See {@link Tower12Opts}.
* @returns BLS tower fields.
* @throws If the tower options or derived Frobenius helpers are invalid. {@link Error}
* @example
* Construct the Fp2/Fp6/Fp12 tower used by a pairing-friendly curve.
*
* ```ts
* const fields = tower12({
* ORDER: 17n,
* X_LEN: 4,
* FP2_NONRESIDUE: [1n, 1n],
* Fp2mulByB: (num) => num,
* Fp12finalExponentiate: (num) => num,
* });
* const fp12 = fields.Fp12.ONE;
* ```
*/
export declare function tower12(opts: TArg<Tower12Opts>): TRet<{
Fp: Readonly<mod.IField<bigint> & Required<Pick<mod.IField<bigint>, 'isOdd'>>>;
Fp2: Fp2Bls;
Fp6: Fp6Bls;
Fp12: Fp12Bls;
}>;
export {};
//# sourceMappingURL=tower.d.ts.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/tower.d.ts.map
Generated Vendored
+1
View File
@@ -0,0 +1 @@
{"version":3,"file":"tower.d.ts","sourceRoot":"","sources":["../src/abstract/tower.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,sEAAsE;AACtE,OAAO,EASL,KAAK,IAAI,EACT,KAAK,IAAI,EACV,MAAM,aAAa,CAAC;AACrB,OAAO,KAAK,GAAG,MAAM,cAAc,CAAC;AACpC,OAAO,KAAK,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AAO/E,2DAA2D;AAC3D,MAAM,MAAM,WAAW,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AAC3C,2BAA2B;AAC3B,MAAM,MAAM,EAAE,GAAG,MAAM,CAAC;AAGxB,uDAAuD;AACvD,MAAM,MAAM,GAAG,GAAG;IAChB,sBAAsB;IACtB,EAAE,EAAE,MAAM,CAAC;IACX,2BAA2B;IAC3B,EAAE,EAAE,MAAM,CAAC;CACZ,CAAC;AACF,oDAAoD;AACpD,MAAM,MAAM,SAAS,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;AACzE,+DAA+D;AAC/D,MAAM,MAAM,GAAG,GAAG;IAChB,4BAA4B;IAC5B,EAAE,EAAE,GAAG,CAAC;IACR,0BAA0B;IAC1B,EAAE,EAAE,GAAG,CAAC;IACR,6BAA6B;IAC7B,EAAE,EAAE,GAAG,CAAC;CACT,CAAC;AACF;;;GAGG;AACH,MAAM,MAAM,IAAI,GAAG;IACjB,4BAA4B;IAC5B,EAAE,EAAE,GAAG,CAAC;IACR,0BAA0B;IAC1B,EAAE,EAAE,GAAG,CAAC;CACT,CAAC;AAEF,0DAA0D;AAC1D,MAAM,MAAM,YAAY,GAAG;IACzB,MAAM;IAAE,MAAM;IAAE,MAAM;IAAE,MAAM;IAAE,MAAM;IAAE,MAAM;IAC9C,MAAM;IAAE,MAAM;IAAE,MAAM;IAAE,MAAM;IAAE,MAAM;IAAE,MAAM;CAC/C,CAAC;AAKF,oEAAoE;AACpE,MAAM,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG;IACrC,8BAA8B;IAC9B,EAAE,EAAE,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IACnB,+BAA+B;IAC/B,YAAY,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,GAAG,GAAG,CAAC;IAC3C,uDAAuD;IACvD,YAAY,CAAC,GAAG,EAAE,WAAW,GAAG,GAAG,CAAC;IACpC,0CAA0C;IAC1C,MAAM,EAAE,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG,CAAC;IAC1B,6CAA6C;IAC7C,eAAe,EAAE,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG,CAAC;IACnC,sEAAsE;IACtE,IAAI,EAAE,CAAC,GAAG,EAAE,GAAG,KAAK;QAAE,EAAE,EAAE,EAAE,CAAC;QAAC,EAAE,EAAE,EAAE,CAAA;KAAE,CAAC;IACvC,2DAA2D;IAC3D,SAAS,EAAE,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,KAAK;QAAE,KAAK,EAAE,GAAG,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAE,CAAC;IAC3D,mDAAmD;IACnD,UAAU,EAAE,GAAG,CAAC;CACjB,CAAC;AAEF,iEAAiE;AACjE,MAAM,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG;IACrC,4CAA4C;IAC5C,GAAG,EAAE,MAAM,CAAC;IACZ,+BAA+B;IAC/B,YAAY,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,GAAG,GAAG,CAAC;IAC3C,2DAA2D;IAC3D,UAAU,EAAE,CAAC,KAAK,EAAE,SAAS,KAAK,GAAG,CAAC;IACtC,wDAAwD;IACxD,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,GAAG,GAAG,CAAC;IAC7B,yDAAyD;IACzD,KAAK,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,GAAG,GAAG,CAAC;IACvC,mDAAmD;IACnD,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,GAAG,GAAG,CAAC;IAClC,0CAA0C;IAC1C,eAAe,EAAE,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG,CAAC;CACpC,CAAC;AAEF,oEAAoE;AACpE,MAAM,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG;IACvC,yCAAyC;IACzC,GAAG,EAAE,MAAM,CAAC;IACZ,+BAA+B;IAC/B,YAAY,CAAC,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7C,8DAA8D;IAC9D,aAAa,EAAE,CAAC,CAAC,EAAE,YAAY,KAAK,IAAI,CAAC;IACzC,4DAA4D;IAC5D,MAAM,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,GAAG,IAAI,CAAC;IACnD,4DAA4D;IAC5D,MAAM,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,GAAG,IAAI,CAAC;IACnD,mDAAmD;IACnD,QAAQ,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,GAAG,IAAI,CAAC;IACpC,uCAAuC;IACvC,SAAS,CAAC,GAAG,EAAE,IAAI,GAAG,IAAI,CAAC;IAC3B,8DAA8D;IAC9D,iBAAiB,CAAC,GAAG,EAAE,IAAI,GAAG,IAAI,CAAC;IACnC,mCAAmC;IACnC,iBAAiB,CAAC,GAAG,EAAE,IAAI,GAAG,IAAI,CAAC;IACnC,2CAA2C;IAC3C,cAAc,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5C,CAAC;AAEF,iBAAS,yBAAyB,CAAC,CAAC,EAClC,EAAE,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EACvB,UAAU,EAAE,CAAC,EACb,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,EACd,GAAG,GAAE,MAAU,EACf,OAAO,CAAC,EAAE,MAAM,GACf,CAAC,EAAE,EAAE,CA2BP;AAED,eAAO,MAAM,MAAM,EAAE;IAAE,yBAAyB,EAAE,OAAO,yBAAyB,CAAA;CAG9E,CAAC;AAGL;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,YAAY,CAC1B,EAAE,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,EACxB,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,EACjB,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,GACd;IACD,GAAG,EAAE,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,KAAK,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACpC,IAAI,EAAE,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,KAAK,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACrC,KAAK,EAAE,CAAC,CAAC,EAAE,oBAAoB,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,gBAAgB,CAAC,GAAG,CAAC,KAAK,gBAAgB,CAAC,GAAG,CAAC,CAAC;IACzF,MAAM,EAAE,CAAC,CAAC,EAAE,oBAAoB,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,gBAAgB,CAAC,GAAG,CAAC,KAAK,gBAAgB,CAAC,GAAG,CAAC,CAAC;IAC1F,KAAK,EAAE,GAAG,CAAC;IACX,KAAK,EAAE,GAAG,CAAC;IACX,MAAM,EAAE,GAAG,CAAC;IACZ,MAAM,EAAE,GAAG,CAAC;CACb,CA8BA;AAED,8DAA8D;AAC9D,MAAM,MAAM,WAAW,GAAG;IACxB,yBAAyB;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,2CAA2C;IAC3C,KAAK,EAAE,MAAM,CAAC;IACd,+DAA+D;IAC/D,UAAU,CAAC,EAAE,EAAE,CAAC;IAChB,gEAAgE;IAChE,cAAc,EAAE,WAAW,CAAC;IAC5B;;;OAGG;IACH,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG,CAAC;IAC5B;;;;OAIG;IACH,SAAS,EAAE,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG,CAAC;IAC7B;;;;OAIG;IACH,qBAAqB,EAAE,CAAC,GAAG,EAAE,IAAI,KAAK,IAAI,CAAC;CAC5C,CAAC;AAyyBF;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,GAAG,IAAI,CAAC;IACrD,EAAE,EAAE,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC;IAC/E,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,OAAO,CAAC;CACf,CAAC,CA6BD"}
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/tower.js
Generated Vendored
+926
View File
@@ -0,0 +1,926 @@
/**
* Towered extension fields.
* Rather than implementing a massive 12th-degree extension directly, it is more efficient
* to build it up from smaller extensions: a tower of extensions.
*
* For BLS12-381, the Fp12 field is implemented as a quadratic (degree two) extension,
* on top of a cubic (degree three) extension, on top of a quadratic extension of Fp.
*
* For more info: "Pairings for beginners" by Costello, section 7.3.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { abytes, aInRange, asafenumber, bitGet, bitLen, concatBytes, notImplemented, validateObject, } from "../utils.js";
import * as mod from "./modular.js";
// Be friendly to bad ECMAScript parsers by not using bigint literals
// prettier-ignore
const _0n = /* @__PURE__ */ BigInt(0), _1n = /* @__PURE__ */ BigInt(1), _2n = /* @__PURE__ */ BigInt(2), _3n = /* @__PURE__ */ BigInt(3), _6n = /* @__PURE__ */ BigInt(6), _12n = /* @__PURE__ */ BigInt(12);
const isObj = (value) => !!value && typeof value === 'object';
function calcFrobeniusCoefficients(Fp, nonResidue, modulus, degree, num = 1, divisor) {
asafenumber(num, 'num');
const F = Fp;
// Generic callers can hit empty / fractional row counts through `__TEST`; fail closed instead of
// silently returning `[]` or deriving extra Frobenius rows from a truncated loop bound.
if (num <= 0)
throw new Error('calcFrobeniusCoefficients: expected positive row count, got ' + num);
const _divisor = BigInt(divisor === undefined ? degree : divisor);
const towerModulus = modulus ** BigInt(degree);
const res = [];
// Derive tower-basis multipliers for the `p^k` Frobenius action. The
// divisions below are expected to be exact for the chosen tower parameters.
for (let i = 0; i < num; i++) {
const a = BigInt(i + 1);
const powers = [];
for (let j = 0, qPower = _1n; j < degree; j++) {
const numer = a * qPower - a;
// Shipped towers divide cleanly here, but generic callers can pick bad
// params. Bigint division would floor and derive the wrong Frobenius table.
if (numer % _divisor)
throw new Error('calcFrobeniusCoefficients: inexact tower exponent');
const power = (numer / _divisor) % towerModulus;
powers.push(F.pow(nonResidue, power));
qPower *= modulus;
}
res.push(powers);
}
return res;
}
export const __TEST =
/* @__PURE__ */ Object.freeze({
calcFrobeniusCoefficients,
});
// This works same at least for bls12-381, bn254 and bls12-377
/**
* @param Fp - Base field implementation.
* @param Fp2 - Quadratic extension field.
* @param base - Twist-specific Frobenius base whose powers yield the `c1` / `c2` constants.
* BLS12-381 uses `1 / NONRESIDUE`; BN254 uses `NONRESIDUE`.
* @returns Frobenius endomorphism helpers.
* @throws If the derived Frobenius constants are inconsistent for the tower. {@link Error}
* @example
* Build Frobenius endomorphism helpers for a BLS extension tower.
*
* ```ts
* import { psiFrobenius } from '@noble/curves/abstract/tower.js';
* import { bls12_381 } from '@noble/curves/bls12-381.js';
* const Fp = bls12_381.fields.Fp;
* const Fp2 = bls12_381.fields.Fp2;
* const frob = psiFrobenius(Fp, Fp2, Fp2.div(Fp2.ONE, Fp2.NONRESIDUE));
* const point = frob.G2psi(bls12_381.G2.Point, bls12_381.G2.Point.BASE);
* ```
*/
export function psiFrobenius(Fp, Fp2, base) {
// GLV endomorphism Ψ(P)
const PSI_X = Fp2.pow(base, (Fp.ORDER - _1n) / _3n); // u^((p-1)/3)
const PSI_Y = Fp2.pow(base, (Fp.ORDER - _1n) / _2n); // u^((p-1)/2)
function psi(x, y) {
// This x10 faster than previous version in bls12-381
const x2 = Fp2.mul(Fp2.frobeniusMap(x, 1), PSI_X);
const y2 = Fp2.mul(Fp2.frobeniusMap(y, 1), PSI_Y);
return [x2, y2];
}
// Ψ²(P) endomorphism (psi2(x) = psi(psi(x)))
const PSI2_X = Fp2.pow(base, (Fp.ORDER ** _2n - _1n) / _3n); // u^((p^2 - 1)/3)
// Current towers rely on this landing on `-1`, which lets psi2 map `y` with
// one negation instead of carrying a separate Frobenius multiplier.
const PSI2_Y = Fp2.pow(base, (Fp.ORDER ** _2n - _1n) / _2n); // u^((p^2 - 1)/2)
if (!Fp2.eql(PSI2_Y, Fp2.neg(Fp2.ONE)))
throw new Error('psiFrobenius: PSI2_Y!==-1');
function psi2(x, y) {
return [Fp2.mul(x, PSI2_X), Fp2.neg(y)];
}
// Map points
const mapAffine = (fn) => (c, P) => {
const affine = P.toAffine();
const p = fn(affine.x, affine.y);
return c.fromAffine({ x: p[0], y: p[1] });
};
const G2psi = mapAffine(psi);
const G2psi2 = mapAffine(psi2);
return { psi, psi2, G2psi, G2psi2, PSI_X, PSI_Y, PSI2_X, PSI2_Y };
}
class _Field2 {
ORDER;
BITS;
BYTES;
isLE;
ZERO;
ONE;
Fp;
NONRESIDUE;
mulByB;
Fp_NONRESIDUE;
Fp_div2;
FROBENIUS_COEFFICIENTS;
constructor(Fp, opts = {}) {
const { NONRESIDUE = BigInt(-1), FP2_NONRESIDUE, Fp2mulByB } = opts;
const ORDER = Fp.ORDER;
const FP2_ORDER = ORDER * ORDER;
this.Fp = Fp;
this.ORDER = FP2_ORDER;
this.BITS = bitLen(FP2_ORDER);
this.BYTES = Math.ceil(bitLen(FP2_ORDER) / 8);
this.isLE = Fp.isLE;
this.ZERO = this.create({ c0: Fp.ZERO, c1: Fp.ZERO });
this.ONE = this.create({ c0: Fp.ONE, c1: Fp.ZERO });
// These knobs only swap constants for the shipped quadratic tower shape:
// arithmetic below assumes `u^2 = -1`, and bytes are handled as two adjacent
// `Fp` limbs (`fromBytes` / `toBytes` expect the shipped `2 * Fp.BYTES` layout).
this.Fp_NONRESIDUE = Fp.create(NONRESIDUE);
this.Fp_div2 = Fp.div(Fp.ONE, _2n); // 1/2
this.NONRESIDUE = this.create({ c0: FP2_NONRESIDUE[0], c1: FP2_NONRESIDUE[1] });
// const Fp2Nonresidue = this.create({ c0: FP2_NONRESIDUE![0], c1: FP2_NONRESIDUE![1] });
this.FROBENIUS_COEFFICIENTS = Object.freeze(calcFrobeniusCoefficients(Fp, this.Fp_NONRESIDUE, Fp.ORDER, 2)[0]);
this.mulByB = (num) => {
// This config hook is trusted to return a canonical Fp2 value already.
// Copy+freeze it to keep the tower immutability invariant without mutating caller objects.
const { c0, c1 } = Fp2mulByB(num);
return Object.freeze({ c0, c1 });
};
Object.freeze(this);
}
fromBigTuple(tuple) {
if (!Array.isArray(tuple) || tuple.length !== 2)
throw new Error('invalid Fp2.fromBigTuple');
const [c0, c1] = tuple;
if (typeof c0 !== 'bigint' || typeof c1 !== 'bigint')
throw new Error('invalid Fp2.fromBigTuple');
return this.create({ c0, c1 });
}
create(num) {
const { Fp } = this;
const c0 = Fp.create(num.c0);
const c1 = Fp.create(num.c1);
// Bigint field elements are immutable values, and higher-level code relies on
// that invariant. Copy+freeze tower values too without mutating caller-owned objects.
return Object.freeze({ c0, c1 });
}
isValid(num) {
if (!isObj(num))
throw new TypeError('invalid field element: expected object, got ' + typeof num);
const { c0, c1 } = num;
const { Fp } = this;
// Match base-field `isValid(...)`: malformed coordinate types are errors, not a `false`
// predicate result.
return Fp.isValid(c0) && Fp.isValid(c1);
}
is0(num) {
if (!isObj(num))
return false;
const { c0, c1 } = num;
const { Fp } = this;
return Fp.is0(c0) && Fp.is0(c1);
}
isValidNot0(num) {
return !this.is0(num) && this.isValid(num);
}
eql({ c0, c1 }, { c0: r0, c1: r1 }) {
const { Fp } = this;
return Fp.eql(c0, r0) && Fp.eql(c1, r1);
}
neg({ c0, c1 }) {
const { Fp } = this;
return Object.freeze({ c0: Fp.neg(c0), c1: Fp.neg(c1) });
}
pow(num, power) {
return mod.FpPow(this, num, power);
}
invertBatch(nums) {
return mod.FpInvertBatch(this, nums);
}
// Normalized
add(f1, f2) {
const { Fp } = this;
const { c0, c1 } = f1;
const { c0: r0, c1: r1 } = f2;
return Object.freeze({
c0: Fp.add(c0, r0),
c1: Fp.add(c1, r1),
});
}
sub({ c0, c1 }, { c0: r0, c1: r1 }) {
const { Fp } = this;
return Object.freeze({
c0: Fp.sub(c0, r0),
c1: Fp.sub(c1, r1),
});
}
mul({ c0, c1 }, rhs) {
const { Fp } = this;
if (typeof rhs === 'bigint')
return Object.freeze({ c0: Fp.mul(c0, rhs), c1: Fp.mul(c1, rhs) });
// (a+bi)(c+di) = (acbd) + (ad+bc)i
const { c0: r0, c1: r1 } = rhs;
let t1 = Fp.mul(c0, r0); // c0 * o0
let t2 = Fp.mul(c1, r1); // c1 * o1
// (T1 - T2) + ((c0 + c1) * (r0 + r1) - (T1 + T2))*i
const o0 = Fp.sub(t1, t2);
const o1 = Fp.sub(Fp.mul(Fp.add(c0, c1), Fp.add(r0, r1)), Fp.add(t1, t2));
return Object.freeze({ c0: o0, c1: o1 });
}
sqr({ c0, c1 }) {
const { Fp } = this;
const a = Fp.add(c0, c1);
const b = Fp.sub(c0, c1);
const c = Fp.add(c0, c0);
return Object.freeze({ c0: Fp.mul(a, b), c1: Fp.mul(c, c1) });
}
// NonNormalized stuff
addN(a, b) {
return this.add(a, b);
}
subN(a, b) {
return this.sub(a, b);
}
mulN(a, b) {
return this.mul(a, b);
}
sqrN(a) {
return this.sqr(a);
}
// Why inversion for bigint inside Fp instead of Fp2? it is even used in that context?
div(lhs, rhs) {
const { Fp } = this;
// @ts-ignore
return this.mul(lhs, typeof rhs === 'bigint' ? Fp.inv(Fp.create(rhs)) : this.inv(rhs));
}
inv({ c0: a, c1: b }) {
// We wish to find the multiplicative inverse of a nonzero
// element a + bu in Fp2. We leverage an identity
//
// (a + bu)(a - bu) = a² + b²
//
// which holds because u² = -1. This can be rewritten as
//
// (a + bu)(a - bu)/(a² + b²) = 1
//
// because a² + b² = 0 has no nonzero solutions for (a, b).
// This gives that (a - bu)/(a² + b²) is the inverse
// of (a + bu). Importantly, this can be computing using
// only a single inversion in Fp.
const { Fp } = this;
const factor = Fp.inv(Fp.create(a * a + b * b));
return Object.freeze({ c0: Fp.mul(factor, Fp.create(a)), c1: Fp.mul(factor, Fp.create(-b)) });
}
sqrt(num) {
// This is generic for all quadratic extensions (Fp2)
const { Fp } = this;
const Fp2 = this;
const { c0, c1 } = num;
if (Fp.is0(c1)) {
// if c0 is quadratic residue
if (mod.FpLegendre(Fp, c0) === 1)
return Fp2.create({ c0: Fp.sqrt(c0), c1: Fp.ZERO });
else
return Fp2.create({ c0: Fp.ZERO, c1: Fp.sqrt(Fp.div(c0, this.Fp_NONRESIDUE)) });
}
const a = Fp.sqrt(Fp.sub(Fp.sqr(c0), Fp.mul(Fp.sqr(c1), this.Fp_NONRESIDUE)));
let d = Fp.mul(Fp.add(a, c0), this.Fp_div2);
const legendre = mod.FpLegendre(Fp, d);
// -1, Quadratic non residue
if (legendre === -1)
d = Fp.sub(d, a);
const a0 = Fp.sqrt(d);
const candidateSqrt = Fp2.create({ c0: a0, c1: Fp.div(Fp.mul(c1, this.Fp_div2), a0) });
if (!Fp2.eql(Fp2.sqr(candidateSqrt), num))
throw new Error('Cannot find square root');
// Normalize root: at this point candidateSqrt ** 2 = num, but also -candidateSqrt ** 2 = num
const x1 = candidateSqrt;
const x2 = Fp2.neg(x1);
const { re: re1, im: im1 } = Fp2.reim(x1);
const { re: re2, im: im2 } = Fp2.reim(x2);
if (im1 > im2 || (im1 === im2 && re1 > re2))
return x1;
return x2;
}
// Same as sgn0_m_eq_2 in RFC 9380
isOdd(x) {
const { re: x0, im: x1 } = this.reim(x);
const sign_0 = x0 % _2n;
const zero_0 = x0 === _0n;
const sign_1 = x1 % _2n;
return BigInt(sign_0 || (zero_0 && sign_1)) == _1n;
}
// Bytes util
fromBytes(b) {
const { Fp } = this;
abytes(b);
if (b.length !== this.BYTES)
throw new Error('fromBytes invalid length=' + b.length);
return this.create({
c0: Fp.fromBytes(b.subarray(0, Fp.BYTES)),
c1: Fp.fromBytes(b.subarray(Fp.BYTES)),
});
}
toBytes({ c0, c1 }) {
return concatBytes(this.Fp.toBytes(c0), this.Fp.toBytes(c1));
}
cmov({ c0, c1 }, { c0: r0, c1: r1 }, c) {
const { Fp } = this;
return this.create({
c0: Fp.cmov(c0, r0, c),
c1: Fp.cmov(c1, r1, c),
});
}
reim({ c0, c1 }) {
return { re: c0, im: c1 };
}
Fp4Square(a, b) {
const Fp2 = this;
const a2 = Fp2.sqr(a);
const b2 = Fp2.sqr(b);
return {
first: Fp2.add(Fp2.mulByNonresidue(b2), a2), // b² * Nonresidue + a²
second: Fp2.sub(Fp2.sub(Fp2.sqr(Fp2.add(a, b)), a2), b2), // (a + b)² - a² - b²
};
}
// multiply by u + 1
mulByNonresidue({ c0, c1 }) {
return this.mul({ c0, c1 }, this.NONRESIDUE);
}
frobeniusMap({ c0, c1 }, power) {
return Object.freeze({
c0,
c1: this.Fp.mul(c1, this.FROBENIUS_COEFFICIENTS[power % 2]),
});
}
}
class _Field6 {
ORDER;
BITS;
BYTES;
isLE;
ZERO;
ONE;
Fp2;
constructor(Fp2) {
this.Fp2 = Fp2;
// `IField.ORDER` is the field cardinality `q`; for sextic extensions that is `p^6`.
// Generic helpers like Frobenius-style `x^q = x` checks rely on the literal field size here.
this.ORDER = Fp2.Fp.ORDER ** _6n;
this.BITS = 3 * Fp2.BITS;
this.BYTES = 3 * Fp2.BYTES;
this.isLE = Fp2.isLE;
this.ZERO = this.create({ c0: Fp2.ZERO, c1: Fp2.ZERO, c2: Fp2.ZERO });
this.ONE = this.create({ c0: Fp2.ONE, c1: Fp2.ZERO, c2: Fp2.ZERO });
Object.freeze(this);
}
// Most callers never touch Frobenius maps, so keep the sextic tables lazy:
// eagerly deriving them dominates `bls12-381.js` / `bn254.js` import time.
get FROBENIUS_COEFFICIENTS_1() {
const frob = _FROBENIUS_COEFFICIENTS_6.get(this);
if (frob)
return frob[0];
const { Fp2 } = this;
const { Fp } = Fp2;
const rows = calcFrobeniusCoefficients(Fp2, Fp2.NONRESIDUE, Fp.ORDER, 6, 2, 3);
const cache = [Object.freeze(rows[0]), Object.freeze(rows[1])];
_FROBENIUS_COEFFICIENTS_6.set(this, cache);
return cache[0];
}
get FROBENIUS_COEFFICIENTS_2() {
const frob = _FROBENIUS_COEFFICIENTS_6.get(this);
if (frob)
return frob[1];
void this.FROBENIUS_COEFFICIENTS_1;
return _FROBENIUS_COEFFICIENTS_6.get(this)[1];
}
add({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }) {
const { Fp2 } = this;
return Object.freeze({
c0: Fp2.add(c0, r0),
c1: Fp2.add(c1, r1),
c2: Fp2.add(c2, r2),
});
}
sub({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }) {
const { Fp2 } = this;
return Object.freeze({
c0: Fp2.sub(c0, r0),
c1: Fp2.sub(c1, r1),
c2: Fp2.sub(c2, r2),
});
}
mul({ c0, c1, c2 }, rhs) {
const { Fp2 } = this;
if (typeof rhs === 'bigint') {
return Object.freeze({
c0: Fp2.mul(c0, rhs),
c1: Fp2.mul(c1, rhs),
c2: Fp2.mul(c2, rhs),
});
}
const { c0: r0, c1: r1, c2: r2 } = rhs;
const t0 = Fp2.mul(c0, r0); // c0 * o0
const t1 = Fp2.mul(c1, r1); // c1 * o1
const t2 = Fp2.mul(c2, r2); // c2 * o2
return Object.freeze({
// t0 + (c1 + c2) * (r1 * r2) - (T1 + T2) * (u + 1)
c0: Fp2.add(t0, Fp2.mulByNonresidue(Fp2.sub(Fp2.mul(Fp2.add(c1, c2), Fp2.add(r1, r2)), Fp2.add(t1, t2)))),
// (c0 + c1) * (r0 + r1) - (T0 + T1) + T2 * (u + 1)
c1: Fp2.add(Fp2.sub(Fp2.mul(Fp2.add(c0, c1), Fp2.add(r0, r1)), Fp2.add(t0, t1)), Fp2.mulByNonresidue(t2)),
// T1 + (c0 + c2) * (r0 + r2) - T0 + T2
c2: Fp2.sub(Fp2.add(t1, Fp2.mul(Fp2.add(c0, c2), Fp2.add(r0, r2))), Fp2.add(t0, t2)),
});
}
sqr({ c0, c1, c2 }) {
const { Fp2 } = this;
let t0 = Fp2.sqr(c0); // c0²
let t1 = Fp2.mul(Fp2.mul(c0, c1), _2n); // 2 * c0 * c1
let t3 = Fp2.mul(Fp2.mul(c1, c2), _2n); // 2 * c1 * c2
let t4 = Fp2.sqr(c2); // c2²
return Object.freeze({
c0: Fp2.add(Fp2.mulByNonresidue(t3), t0), // T3 * (u + 1) + T0
c1: Fp2.add(Fp2.mulByNonresidue(t4), t1), // T4 * (u + 1) + T1
// T1 + (c0 - c1 + c2)² + T3 - T0 - T4
c2: Fp2.sub(Fp2.sub(Fp2.add(Fp2.add(t1, Fp2.sqr(Fp2.add(Fp2.sub(c0, c1), c2))), t3), t0), t4),
});
}
addN(a, b) {
return this.add(a, b);
}
subN(a, b) {
return this.sub(a, b);
}
mulN(a, b) {
return this.mul(a, b);
}
sqrN(a) {
return this.sqr(a);
}
create(num) {
const { Fp2 } = this;
const c0 = Fp2.create(num.c0);
const c1 = Fp2.create(num.c1);
const c2 = Fp2.create(num.c2);
return Object.freeze({ c0, c1, c2 });
}
isValid(num) {
if (!isObj(num))
throw new TypeError('invalid field element: expected object, got ' + typeof num);
const { c0, c1, c2 } = num;
const { Fp2 } = this;
return Fp2.isValid(c0) && Fp2.isValid(c1) && Fp2.isValid(c2);
}
is0(num) {
if (!isObj(num))
return false;
const { c0, c1, c2 } = num;
const { Fp2 } = this;
return Fp2.is0(c0) && Fp2.is0(c1) && Fp2.is0(c2);
}
isValidNot0(num) {
return !this.is0(num) && this.isValid(num);
}
neg({ c0, c1, c2 }) {
const { Fp2 } = this;
return Object.freeze({ c0: Fp2.neg(c0), c1: Fp2.neg(c1), c2: Fp2.neg(c2) });
}
eql({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }) {
const { Fp2 } = this;
return Fp2.eql(c0, r0) && Fp2.eql(c1, r1) && Fp2.eql(c2, r2);
}
sqrt(_) {
// Sextic extensions can use generic odd-field Tonelli-Shanks, but the helper must work
// over `IField<T>` with a quadratic non-residue from Fp6 itself. The current
// `mod.tonelliShanks(P)` precomputation only searches integer residues in the base field.
return notImplemented();
}
// Do we need division by bigint at all? Should be done via order:
div(lhs, rhs) {
const { Fp2 } = this;
const { Fp } = Fp2;
return this.mul(lhs, typeof rhs === 'bigint' ? Fp.inv(Fp.create(rhs)) : this.inv(rhs));
}
pow(num, power) {
return mod.FpPow(this, num, power);
}
invertBatch(nums) {
return mod.FpInvertBatch(this, nums);
}
inv({ c0, c1, c2 }) {
const { Fp2 } = this;
let t0 = Fp2.sub(Fp2.sqr(c0), Fp2.mulByNonresidue(Fp2.mul(c2, c1))); // c0² - c2 * c1 * (u + 1)
let t1 = Fp2.sub(Fp2.mulByNonresidue(Fp2.sqr(c2)), Fp2.mul(c0, c1)); // c2² * (u + 1) - c0 * c1
let t2 = Fp2.sub(Fp2.sqr(c1), Fp2.mul(c0, c2)); // c1² - c0 * c2
// 1/(((c2 * T1 + c1 * T2) * v) + c0 * T0)
let t4 = Fp2.inv(Fp2.add(Fp2.mulByNonresidue(Fp2.add(Fp2.mul(c2, t1), Fp2.mul(c1, t2))), Fp2.mul(c0, t0)));
return Object.freeze({ c0: Fp2.mul(t4, t0), c1: Fp2.mul(t4, t1), c2: Fp2.mul(t4, t2) });
}
// Bytes utils
fromBytes(b) {
const { Fp2 } = this;
abytes(b);
if (b.length !== this.BYTES)
throw new Error('fromBytes invalid length=' + b.length);
const B2 = Fp2.BYTES;
return this.create({
c0: Fp2.fromBytes(b.subarray(0, B2)),
c1: Fp2.fromBytes(b.subarray(B2, B2 * 2)),
c2: Fp2.fromBytes(b.subarray(2 * B2)),
});
}
toBytes({ c0, c1, c2 }) {
const { Fp2 } = this;
return concatBytes(Fp2.toBytes(c0), Fp2.toBytes(c1), Fp2.toBytes(c2));
}
cmov({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }, c) {
const { Fp2 } = this;
return this.create({
c0: Fp2.cmov(c0, r0, c),
c1: Fp2.cmov(c1, r1, c),
c2: Fp2.cmov(c2, r2, c),
});
}
fromBigSix(tuple) {
const { Fp2 } = this;
if (!Array.isArray(tuple) || tuple.length !== 6)
throw new Error('invalid Fp6.fromBigSix');
for (let i = 0; i < 6; i++)
if (typeof tuple[i] !== 'bigint')
throw new Error('invalid Fp6.fromBigSix');
const t = tuple;
return this.create({
c0: Fp2.fromBigTuple(t.slice(0, 2)),
c1: Fp2.fromBigTuple(t.slice(2, 4)),
c2: Fp2.fromBigTuple(t.slice(4, 6)),
});
}
frobeniusMap({ c0, c1, c2 }, power) {
const { Fp2 } = this;
return Object.freeze({
c0: Fp2.frobeniusMap(c0, power),
c1: Fp2.mul(Fp2.frobeniusMap(c1, power), this.FROBENIUS_COEFFICIENTS_1[power % 6]),
c2: Fp2.mul(Fp2.frobeniusMap(c2, power), this.FROBENIUS_COEFFICIENTS_2[power % 6]),
});
}
mulByFp2({ c0, c1, c2 }, rhs) {
const { Fp2 } = this;
return Object.freeze({
c0: Fp2.mul(c0, rhs),
c1: Fp2.mul(c1, rhs),
c2: Fp2.mul(c2, rhs),
});
}
mulByNonresidue({ c0, c1, c2 }) {
const { Fp2 } = this;
return Object.freeze({ c0: Fp2.mulByNonresidue(c2), c1: c0, c2: c1 });
}
// Sparse multiplication
mul1({ c0, c1, c2 }, b1) {
const { Fp2 } = this;
return Object.freeze({
c0: Fp2.mulByNonresidue(Fp2.mul(c2, b1)),
c1: Fp2.mul(c0, b1),
c2: Fp2.mul(c1, b1),
});
}
// Sparse multiplication
mul01({ c0, c1, c2 }, b0, b1) {
const { Fp2 } = this;
let t0 = Fp2.mul(c0, b0); // c0 * b0
let t1 = Fp2.mul(c1, b1); // c1 * b1
return Object.freeze({
// ((c1 + c2) * b1 - T1) * (u + 1) + T0
c0: Fp2.add(Fp2.mulByNonresidue(Fp2.sub(Fp2.mul(Fp2.add(c1, c2), b1), t1)), t0),
// (b0 + b1) * (c0 + c1) - T0 - T1
c1: Fp2.sub(Fp2.sub(Fp2.mul(Fp2.add(b0, b1), Fp2.add(c0, c1)), t0), t1),
// (c0 + c2) * b0 - T0 + T1
c2: Fp2.add(Fp2.sub(Fp2.mul(Fp2.add(c0, c2), b0), t0), t1),
});
}
}
// Keep lazy tower caches off-object: field instances stay frozen, and debugger output
// stays readable without JS private slots while second/subsequent lookups still hit cache.
const _FROBENIUS_COEFFICIENTS_6 = new WeakMap();
class _Field12 {
ORDER;
BITS;
BYTES;
isLE;
ZERO;
ONE;
Fp6;
X_LEN;
finalExponentiate;
constructor(Fp6, opts) {
const { X_LEN, Fp12finalExponentiate } = opts;
const { Fp2 } = Fp6;
const { Fp } = Fp2;
this.Fp6 = Fp6;
// `IField.ORDER` is the field cardinality `q`; for degree-12 extensions that is `p^12`.
// Keeping `p^2` here breaks generic field identities like `x^q = x` on Fp12.
this.ORDER = Fp.ORDER ** _12n;
this.BITS = 2 * Fp6.BITS;
this.BYTES = 2 * Fp6.BYTES;
this.isLE = Fp6.isLE;
// Returned tower values are frozen, so larger constants can safely reuse
// already-frozen child coefficients instead of cloning them.
this.ZERO = this.create({ c0: Fp6.ZERO, c1: Fp6.ZERO });
this.ONE = this.create({ c0: Fp6.ONE, c1: Fp6.ZERO });
this.X_LEN = X_LEN;
this.finalExponentiate = (num) => {
const copy2 = ({ c0, c1 }) => Object.freeze({ c0, c1 });
const copy6 = ({ c0, c1, c2 }) => Object.freeze({ c0: copy2(c0), c1: copy2(c1), c2: copy2(c2) });
// This config hook is trusted to return a canonical Fp12 value already.
// Copy+freeze it to keep the tower immutability invariant without mutating caller objects.
const res = Fp12finalExponentiate(num);
return Object.freeze({ c0: copy6(res.c0), c1: copy6(res.c1) });
};
Object.freeze(this);
}
// Keep the degree-12 Frobenius row lazy too; after the first lookup the cached
// array is reused exactly like the old eager table.
get FROBENIUS_COEFFICIENTS() {
const frob = _FROBENIUS_COEFFICIENTS_12.get(this);
if (frob)
return frob;
const { Fp2 } = this.Fp6;
const { Fp } = Fp2;
const cache = Object.freeze(calcFrobeniusCoefficients(Fp2, Fp2.NONRESIDUE, Fp.ORDER, 12, 1, 6)[0]);
_FROBENIUS_COEFFICIENTS_12.set(this, cache);
return cache;
}
create(num) {
const { Fp6 } = this;
const c0 = Fp6.create(num.c0);
const c1 = Fp6.create(num.c1);
return Object.freeze({ c0, c1 });
}
isValid(num) {
if (!isObj(num))
throw new TypeError('invalid field element: expected object, got ' + typeof num);
const { c0, c1 } = num;
const { Fp6 } = this;
return Fp6.isValid(c0) && Fp6.isValid(c1);
}
is0(num) {
if (!isObj(num))
return false;
const { c0, c1 } = num;
const { Fp6 } = this;
return Fp6.is0(c0) && Fp6.is0(c1);
}
isValidNot0(num) {
return !this.is0(num) && this.isValid(num);
}
neg({ c0, c1 }) {
const { Fp6 } = this;
return Object.freeze({ c0: Fp6.neg(c0), c1: Fp6.neg(c1) });
}
eql({ c0, c1 }, { c0: r0, c1: r1 }) {
const { Fp6 } = this;
return Fp6.eql(c0, r0) && Fp6.eql(c1, r1);
}
sqrt(_) {
// Fp12 is quadratic over Fp6, so a dedicated quadratic-extension sqrt is possible here
// once Fp6.sqrt() exists. Without that lower-level sqrt, only a field-generic
// Tonelli-Shanks path over Fp12 itself would work.
return notImplemented();
}
inv({ c0, c1 }) {
const { Fp6 } = this;
let t = Fp6.inv(Fp6.sub(Fp6.sqr(c0), Fp6.mulByNonresidue(Fp6.sqr(c1)))); // 1 / (c0² - c1² * v)
// ((C0 * T) * T) + (-C1 * T) * w
return Object.freeze({ c0: Fp6.mul(c0, t), c1: Fp6.neg(Fp6.mul(c1, t)) });
}
div(lhs, rhs) {
const { Fp6 } = this;
const { Fp2 } = Fp6;
const { Fp } = Fp2;
return this.mul(lhs, typeof rhs === 'bigint' ? Fp.inv(Fp.create(rhs)) : this.inv(rhs));
}
pow(num, power) {
return mod.FpPow(this, num, power);
}
invertBatch(nums) {
return mod.FpInvertBatch(this, nums);
}
// Normalized
add({ c0, c1 }, { c0: r0, c1: r1 }) {
const { Fp6 } = this;
return Object.freeze({
c0: Fp6.add(c0, r0),
c1: Fp6.add(c1, r1),
});
}
sub({ c0, c1 }, { c0: r0, c1: r1 }) {
const { Fp6 } = this;
return Object.freeze({
c0: Fp6.sub(c0, r0),
c1: Fp6.sub(c1, r1),
});
}
mul({ c0, c1 }, rhs) {
const { Fp6 } = this;
if (typeof rhs === 'bigint')
return Object.freeze({ c0: Fp6.mul(c0, rhs), c1: Fp6.mul(c1, rhs) });
let { c0: r0, c1: r1 } = rhs;
let t1 = Fp6.mul(c0, r0); // c0 * r0
let t2 = Fp6.mul(c1, r1); // c1 * r1
return Object.freeze({
c0: Fp6.add(t1, Fp6.mulByNonresidue(t2)), // T1 + T2 * v
// (c0 + c1) * (r0 + r1) - (T1 + T2)
c1: Fp6.sub(Fp6.mul(Fp6.add(c0, c1), Fp6.add(r0, r1)), Fp6.add(t1, t2)),
});
}
sqr({ c0, c1 }) {
const { Fp6 } = this;
let ab = Fp6.mul(c0, c1); // c0 * c1
return Object.freeze({
// (c1 * v + c0) * (c0 + c1) - AB - AB * v
c0: Fp6.sub(Fp6.sub(Fp6.mul(Fp6.add(Fp6.mulByNonresidue(c1), c0), Fp6.add(c0, c1)), ab), Fp6.mulByNonresidue(ab)),
c1: Fp6.add(ab, ab),
}); // AB + AB
}
// NonNormalized stuff
addN(a, b) {
return this.add(a, b);
}
subN(a, b) {
return this.sub(a, b);
}
mulN(a, b) {
return this.mul(a, b);
}
sqrN(a) {
return this.sqr(a);
}
// Bytes utils
fromBytes(b) {
const { Fp6 } = this;
abytes(b);
if (b.length !== this.BYTES)
throw new Error('fromBytes invalid length=' + b.length);
return this.create({
c0: Fp6.fromBytes(b.subarray(0, Fp6.BYTES)),
c1: Fp6.fromBytes(b.subarray(Fp6.BYTES)),
});
}
toBytes({ c0, c1 }) {
const { Fp6 } = this;
return concatBytes(Fp6.toBytes(c0), Fp6.toBytes(c1));
}
cmov({ c0, c1 }, { c0: r0, c1: r1 }, c) {
const { Fp6 } = this;
return this.create({
c0: Fp6.cmov(c0, r0, c),
c1: Fp6.cmov(c1, r1, c),
});
}
// Utils
// toString() {
// return '' + 'Fp12(' + this.c0 + this.c1 + '* w');
// },
// fromTuple(c: [Fp6, Fp6]) {
// return new Fp12(...c);
// }
fromBigTwelve(tuple) {
const { Fp6 } = this;
if (!Array.isArray(tuple) || tuple.length !== 12)
throw new Error('invalid Fp12.fromBigTwelve');
for (let i = 0; i < 12; i++)
if (typeof tuple[i] !== 'bigint')
throw new Error('invalid Fp12.fromBigTwelve');
const t = tuple;
return this.create({
c0: Fp6.fromBigSix(t.slice(0, 6)),
c1: Fp6.fromBigSix(t.slice(6, 12)),
});
}
// Raises to q**i -th power
frobeniusMap(lhs, power) {
const { Fp6 } = this;
const { Fp2 } = Fp6;
const { c0, c1, c2 } = Fp6.frobeniusMap(lhs.c1, power);
const coeff = this.FROBENIUS_COEFFICIENTS[power % 12];
return Object.freeze({
c0: Fp6.frobeniusMap(lhs.c0, power),
c1: Object.freeze({
c0: Fp2.mul(c0, coeff),
c1: Fp2.mul(c1, coeff),
c2: Fp2.mul(c2, coeff),
}),
});
}
mulByFp2({ c0, c1 }, rhs) {
const { Fp6 } = this;
return Object.freeze({
c0: Fp6.mulByFp2(c0, rhs),
c1: Fp6.mulByFp2(c1, rhs),
});
}
conjugate({ c0, c1 }) {
// Reuse `c0` by reference and only negate the `w` coefficient.
return Object.freeze({ c0, c1: this.Fp6.neg(c1) });
}
// Sparse multiplication
mul014({ c0, c1 }, o0, o1, o4) {
const { Fp6 } = this;
const { Fp2 } = Fp6;
let t0 = Fp6.mul01(c0, o0, o1);
let t1 = Fp6.mul1(c1, o4);
return Object.freeze({
c0: Fp6.add(Fp6.mulByNonresidue(t1), t0), // T1 * v + T0
// (c1 + c0) * [o0, o1+o4] - T0 - T1
c1: Fp6.sub(Fp6.sub(Fp6.mul01(Fp6.add(c1, c0), o0, Fp2.add(o1, o4)), t0), t1),
});
}
mul034({ c0, c1 }, o0, o3, o4) {
const { Fp6 } = this;
const { Fp2 } = Fp6;
const a = Object.freeze({
c0: Fp2.mul(c0.c0, o0),
c1: Fp2.mul(c0.c1, o0),
c2: Fp2.mul(c0.c2, o0),
});
const b = Fp6.mul01(c1, o3, o4);
const e = Fp6.mul01(Fp6.add(c0, c1), Fp2.add(o0, o3), o4);
return Object.freeze({
c0: Fp6.add(Fp6.mulByNonresidue(b), a),
c1: Fp6.sub(e, Fp6.add(a, b)),
});
}
// A cyclotomic group is a subgroup of Fp^n defined by
// GΦₙ(p) = {α ∈ Fpⁿ : α^Φₙ(p) = 1}
// The result of any pairing is in a cyclotomic subgroup
// https://eprint.iacr.org/2009/565.pdf
// https://eprint.iacr.org/2010/354.pdf
_cyclotomicSquare({ c0, c1 }) {
const { Fp6 } = this;
const { Fp2 } = Fp6;
const { c0: c0c0, c1: c0c1, c2: c0c2 } = c0;
const { c0: c1c0, c1: c1c1, c2: c1c2 } = c1;
const { first: t3, second: t4 } = Fp2.Fp4Square(c0c0, c1c1);
const { first: t5, second: t6 } = Fp2.Fp4Square(c1c0, c0c2);
const { first: t7, second: t8 } = Fp2.Fp4Square(c0c1, c1c2);
const t9 = Fp2.mulByNonresidue(t8); // T8 * (u + 1)
return Object.freeze({
c0: Object.freeze({
c0: Fp2.add(Fp2.mul(Fp2.sub(t3, c0c0), _2n), t3), // 2 * (T3 - c0c0) + T3
c1: Fp2.add(Fp2.mul(Fp2.sub(t5, c0c1), _2n), t5), // 2 * (T5 - c0c1) + T5
c2: Fp2.add(Fp2.mul(Fp2.sub(t7, c0c2), _2n), t7),
}), // 2 * (T7 - c0c2) + T7
c1: Object.freeze({
c0: Fp2.add(Fp2.mul(Fp2.add(t9, c1c0), _2n), t9), // 2 * (T9 + c1c0) + T9
c1: Fp2.add(Fp2.mul(Fp2.add(t4, c1c1), _2n), t4), // 2 * (T4 + c1c1) + T4
c2: Fp2.add(Fp2.mul(Fp2.add(t6, c1c2), _2n), t6),
}),
}); // 2 * (T6 + c1c2) + T6
}
// https://eprint.iacr.org/2009/565.pdf
_cyclotomicExp(num, n) {
// The loop only consumes `X_LEN` bits, so out-of-range exponents would otherwise get silently
// truncated (or sign-extended for negatives) instead of matching the caller's requested power.
aInRange('cyclotomic exponent', n, _0n, _1n << BigInt(this.X_LEN));
let z = this.ONE;
for (let i = this.X_LEN - 1; i >= 0; i--) {
z = this._cyclotomicSquare(z);
if (bitGet(n, i))
z = this.mul(z, num);
}
return z;
}
}
const _FROBENIUS_COEFFICIENTS_12 = new WeakMap();
/**
* @param opts - Tower construction options. See {@link Tower12Opts}.
* @returns BLS tower fields.
* @throws If the tower options or derived Frobenius helpers are invalid. {@link Error}
* @example
* Construct the Fp2/Fp6/Fp12 tower used by a pairing-friendly curve.
*
* ```ts
* const fields = tower12({
* ORDER: 17n,
* X_LEN: 4,
* FP2_NONRESIDUE: [1n, 1n],
* Fp2mulByB: (num) => num,
* Fp12finalExponentiate: (num) => num,
* });
* const fp12 = fields.Fp12.ONE;
* ```
*/
export function tower12(opts) {
validateObject(opts, {
ORDER: 'bigint',
X_LEN: 'number',
FP2_NONRESIDUE: 'object',
Fp2mulByB: 'function',
Fp12finalExponentiate: 'function',
}, { NONRESIDUE: 'bigint' });
asafenumber(opts.X_LEN, 'X_LEN');
if (opts.X_LEN < 1)
throw new Error('invalid X_LEN');
const nonresidue = opts.FP2_NONRESIDUE;
if (!Array.isArray(nonresidue) || nonresidue.length !== 2)
throw new Error('invalid FP2_NONRESIDUE');
if (typeof nonresidue[0] !== 'bigint' || typeof nonresidue[1] !== 'bigint')
throw new Error('invalid FP2_NONRESIDUE');
const Fp = mod.Field(opts.ORDER);
const Fp2 = new _Field2(Fp, opts);
const Fp6 = new _Field6(Fp2);
const Fp12 = new _Field12(Fp6, opts);
return { Fp, Fp2, Fp6, Fp12 };
}
//# sourceMappingURL=tower.js.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/tower.js.map
Generated Vendored
+1
View File
File diff suppressed because one or more lines are too long
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/weierstrass.d.ts
Generated Vendored
+588
View File
@@ -0,0 +1,588 @@
import { type CHash, type HmacFn, type TArg, type TRet } from '../utils.ts';
import { type AffinePoint, type CurveLengths, type CurvePoint, type CurvePointCons } from './curve.ts';
import { type IField } from './modular.ts';
/** Shared affine point shape used by Weierstrass helpers. */
export type { AffinePoint };
type EndoBasis = [[bigint, bigint], [bigint, bigint]];
/**
* When Weierstrass curve has `a=0`, it becomes Koblitz curve.
* Koblitz curves allow using **efficiently-computable GLV endomorphism ψ**.
* Endomorphism uses 2x less RAM, speeds up precomputation by 2x and ECDH / key recovery by 20%.
* For precomputed wNAF it trades off 1/2 init time & 1/3 ram for 20% perf hit.
*
* Endomorphism consists of beta, lambda and splitScalar:
*
* 1. GLV endomorphism ψ transforms a point: `P = (x, y) ↦ ψ(P) = (β·x mod p, y)`
* 2. GLV scalar decomposition transforms a scalar: `k ≡ k₁ + k₂·λ (mod n)`
* 3. Then these are combined: `k·P = k₁·P + k₂·ψ(P)`
* 4. Two 128-bit point-by-scalar multiplications + one point addition is faster than
* one 256-bit multiplication.
*
* where
* * beta: β ∈ Fₚ with β³ = 1, β ≠ 1
* * lambda: λ ∈ Fₙ with λ³ = 1, λ ≠ 1
* * splitScalar decomposes k ↦ k₁, k₂, by using reduced basis vectors.
* Gauss lattice reduction calculates them from initial basis vectors `(n, 0), (-λ, 0)`
*
* Check out `test/misc/endomorphism.js` and
* {@link https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066 | this endomorphism gist}.
*/
export type EndomorphismOpts = {
/** Cube root of unity used by the GLV endomorphism. */
beta: bigint;
/** Reduced lattice basis used for scalar splitting. */
basises?: EndoBasis;
/**
* Optional custom scalar-splitting helper.
* Receives one scalar and returns two half-sized scalar components.
*/
splitScalar?: (k: bigint) => {
k1neg: boolean;
k1: bigint;
k2neg: boolean;
k2: bigint;
};
};
/** Two half-sized scalar components returned by endomorphism splitting. */
export type ScalarEndoParts = {
/** Whether the first split scalar should be negated. */
k1neg: boolean;
/** Absolute value of the first split scalar. */
k1: bigint;
/** Whether the second split scalar should be negated. */
k2neg: boolean;
/** Absolute value of the second split scalar. */
k2: bigint;
};
/** Splits scalar for GLV endomorphism. */
export declare function _splitEndoScalar(k: bigint, basis: EndoBasis, n: bigint): ScalarEndoParts;
/**
* Option to enable hedged signatures with improved security.
*
* * Randomly generated k is bad, because broken CSPRNG would leak private keys.
* * Deterministic k (RFC6979) is better; but is suspectible to fault attacks.
*
* We allow using technique described in RFC6979 3.6: additional k', a.k.a. adding randomness
* to deterministic sig. If CSPRNG is broken & randomness is weak, it would STILL be as secure
* as ordinary sig without ExtraEntropy.
*
* * `true` means "fetch data, from CSPRNG, incorporate it into k generation"
* * `false` means "disable extra entropy, use purely deterministic k"
* * `Uint8Array` passed means "incorporate following data into k generation"
*
* See {@link https://paulmillr.com/posts/deterministic-signatures/ | deterministic signatures}.
*/
export type ECDSAExtraEntropy = boolean | Uint8Array;
/**
* - `compact` is the default format
* - `recovered` is the same as compact, but with an extra byte indicating recovery byte
* - `der` is ASN.1 DER encoding
*/
export type ECDSASignatureFormat = 'compact' | 'recovered' | 'der';
/**
* - `prehash`: (default: true) indicates whether to do sha256(message).
* When a custom hash is used, it must be set to `false`.
*/
export type ECDSARecoverOpts = {
/** Whether to hash the message before signature recovery. */
prehash?: boolean;
};
/**
* - `prehash`: (default: true) indicates whether to do sha256(message).
* When a custom hash is used, it must be set to `false`.
* - `lowS`: (default: true) prohibits signatures with `sig.s >= CURVE.n/2n`.
* Compatible with BTC/ETH. Setting `lowS: false` allows to create malleable signatures,
* which is default openssl behavior.
* Non-malleable signatures can still be successfully verified in openssl.
* - `format`: (default: 'compact') 'compact' or 'recovered' with recovery byte
*/
export type ECDSAVerifyOpts = {
/** Whether to hash the message before verification. */
prehash?: boolean;
/** Whether to reject high-S signatures. */
lowS?: boolean;
/** Signature encoding to accept. */
format?: ECDSASignatureFormat;
};
/**
* - `prehash`: (default: true) indicates whether to do sha256(message).
* When a custom hash is used, it must be set to `false`.
* - `lowS`: (default: true) prohibits signatures with `sig.s >= CURVE.n/2n`.
* Compatible with BTC/ETH. Setting `lowS: false` allows to create malleable signatures,
* which is default openssl behavior.
* Non-malleable signatures can still be successfully verified in openssl.
* - `format`: (default: 'compact') 'compact' or 'recovered' with recovery byte
* - `extraEntropy`: (default: false) creates signatures with increased
* security, see {@link ECDSAExtraEntropy}
*/
export type ECDSASignOpts = {
/** Whether to hash the message before signing. */
prehash?: boolean;
/** Whether to normalize signatures into the low-S half-order. */
lowS?: boolean;
/** Signature encoding to produce. */
format?: ECDSASignatureFormat;
/** Optional hedging input for deterministic k generation. */
extraEntropy?: ECDSAExtraEntropy;
};
/** Projective XYZ point used by short Weierstrass curves. */
export interface WeierstrassPoint<T> extends CurvePoint<T, WeierstrassPoint<T>> {
/** projective X coordinate. Different from affine x. */
readonly X: T;
/** projective Y coordinate. Different from affine y. */
readonly Y: T;
/** projective z coordinate */
readonly Z: T;
/** affine x coordinate. Different from projective X. */
get x(): T;
/** affine y coordinate. Different from projective Y. */
get y(): T;
/**
* Encode the point into compressed or uncompressed SEC1 bytes.
* @param isCompressed - Whether to use the compressed form.
* @returns Encoded point bytes.
*/
toBytes(isCompressed?: boolean): TRet<Uint8Array>;
/**
* Encode the point into compressed or uncompressed SEC1 hex.
* @param isCompressed - Whether to use the compressed form.
* @returns Encoded point hex.
*/
toHex(isCompressed?: boolean): string;
}
/** Constructor and metadata helpers for Weierstrass points. */
export interface WeierstrassPointCons<T> extends CurvePointCons<WeierstrassPoint<T>> {
/** Does NOT validate if the point is valid. Use `.assertValidity()`. */
new (X: T, Y: T, Z: T): WeierstrassPoint<T>;
/**
* Return the curve parameters captured by this point constructor.
* @returns Curve parameters.
*/
CURVE(): WeierstrassOpts<T>;
}
/**
* Weierstrass curve options.
*
* * p: prime characteristic (order) of finite field, in which arithmetics is done
* * n: order of prime subgroup a.k.a total amount of valid curve points
* * h: cofactor, usually 1. h*n is group order; n is subgroup order
* * a: formula param, must be in field of p
* * b: formula param, must be in field of p
* * Gx: x coordinate of generator point a.k.a. base point
* * Gy: y coordinate of generator point
*/
export type WeierstrassOpts<T> = Readonly<{
/** Base-field modulus. */
p: bigint;
/** Prime subgroup order. */
n: bigint;
/** Curve cofactor. */
h: bigint;
/** Weierstrass curve parameter `a`. */
a: T;
/** Weierstrass curve parameter `b`. */
b: T;
/** Generator x coordinate. */
Gx: T;
/** Generator y coordinate. */
Gy: T;
}>;
/**
* Optional helpers and overrides for a Weierstrass point constructor.
*
* When a cofactor != 1, there can be effective methods to:
* 1. Determine whether a point is torsion-free
* 2. Clear torsion component
*/
export type WeierstrassExtraOpts<T> = Partial<{
/** Optional base-field override. */
Fp: IField<T>;
/** Optional scalar-field override. */
Fn: IField<bigint>;
/** Whether the point constructor accepts infinity points. */
allowInfinityPoint: boolean;
/** Optional GLV endomorphism data. */
endo: EndomorphismOpts;
/** Optional torsion-check override. */
isTorsionFree: (c: WeierstrassPointCons<T>, point: WeierstrassPoint<T>) => boolean;
/** Optional cofactor-clearing override. */
clearCofactor: (c: WeierstrassPointCons<T>, point: WeierstrassPoint<T>) => WeierstrassPoint<T>;
/** Optional custom point decoder. */
fromBytes: (bytes: TArg<Uint8Array>) => AffinePoint<T>;
/** Optional custom point encoder. */
toBytes: (c: WeierstrassPointCons<T>, point: WeierstrassPoint<T>, isCompressed: boolean) => TRet<Uint8Array>;
}>;
/**
* Options for ECDSA signatures over a Weierstrass curve.
*
* * lowS: (default: true) whether produced or verified signatures occupy the
* low half of `ecdsaOpts.n`. Prevents malleability.
* * hmac: (default: noble-hashes hmac) function, would be used to init hmac-drbg for k generation.
* * randomBytes: (default: webcrypto os-level CSPRNG) custom method for fetching secure randomness.
* * bits2int, bits2int_modN: used in sigs, sometimes overridden by curves. Custom hooks are
* treated as pure functions over validated bytes and MUST NOT mutate caller-owned buffers or
* closure-captured option bags. `bits2int_modN` must also return a canonical scalar in
* `[0..Point.Fn.ORDER-1]`.
*/
export type ECDSAOpts = Partial<{
/** Default low-S policy for this ECDSA instance. */
lowS: boolean;
/** HMAC implementation used by RFC6979 DRBG. */
hmac: HmacFn;
/** RNG override used by helper constructors. */
randomBytes: (bytesLength?: number) => TRet<Uint8Array>;
/** Hash-to-integer conversion override. */
bits2int: (bytes: TArg<Uint8Array>) => bigint;
/** Hash-to-integer-mod-n conversion override. Returns a canonical scalar in `[0..Fn.ORDER-1]`. */
bits2int_modN: (bytes: TArg<Uint8Array>) => bigint;
}>;
/** Elliptic Curve Diffie-Hellman helper namespace. */
export interface ECDH {
/**
* Generate a secret/public key pair.
* @param seed - Optional seed material.
* @returns Secret/public key pair.
*/
keygen: (seed?: TArg<Uint8Array>) => {
secretKey: TRet<Uint8Array>;
publicKey: TRet<Uint8Array>;
};
/**
* Derive the public key from a secret key.
* @param secretKey - Secret key bytes.
* @param isCompressed - Whether to emit compressed SEC1 bytes.
* @returns Encoded public key.
*/
getPublicKey: (secretKey: TArg<Uint8Array>, isCompressed?: boolean) => TRet<Uint8Array>;
/**
* Compute the shared secret point from a secret key and peer public key.
* @param secretKeyA - Local secret key bytes.
* @param publicKeyB - Peer public key bytes.
* @param isCompressed - Whether to emit compressed SEC1 bytes.
* @returns Encoded shared point.
*/
getSharedSecret: (secretKeyA: TArg<Uint8Array>, publicKeyB: TArg<Uint8Array>, isCompressed?: boolean) => TRet<Uint8Array>;
/** Point constructor used by this ECDH instance. */
Point: WeierstrassPointCons<bigint>;
/** Validation and random-key helpers. */
utils: {
/** Check whether a secret key has the expected encoding. */
isValidSecretKey: (secretKey: TArg<Uint8Array>) => boolean;
/** Check whether a public key decodes to a valid point. */
isValidPublicKey: (publicKey: TArg<Uint8Array>, isCompressed?: boolean) => boolean;
/** Generate a valid random secret key. */
randomSecretKey: (seed?: TArg<Uint8Array>) => TRet<Uint8Array>;
};
/** Byte lengths for keys and signatures exposed by this curve. */
lengths: CurveLengths;
}
/**
* ECDSA interface.
* Only supported for prime fields, not Fp2 (extension fields).
*/
export interface ECDSA extends ECDH {
/**
* Sign a message with the given secret key.
* @param message - Message bytes.
* @param secretKey - Secret key bytes.
* @param opts - Optional signing tweaks. See {@link ECDSASignOpts}.
* @returns Encoded signature bytes.
*/
sign: (message: TArg<Uint8Array>, secretKey: TArg<Uint8Array>, opts?: TArg<ECDSASignOpts>) => TRet<Uint8Array>;
/**
* Verify a signature against a message and public key.
* @param signature - Encoded signature bytes.
* @param message - Message bytes.
* @param publicKey - Encoded public key.
* @param opts - Optional verification tweaks. See {@link ECDSAVerifyOpts}.
* @returns Whether the signature is valid.
*/
verify: (signature: TArg<Uint8Array>, message: TArg<Uint8Array>, publicKey: TArg<Uint8Array>, opts?: TArg<ECDSAVerifyOpts>) => boolean;
/**
* Recover the public key encoded into a recoverable signature.
* @param signature - Recoverable signature bytes.
* @param message - Message bytes.
* @param opts - Optional recovery tweaks. See {@link ECDSARecoverOpts}.
* @returns Encoded recovered public key.
*/
recoverPublicKey(signature: TArg<Uint8Array>, message: TArg<Uint8Array>, opts?: TArg<ECDSARecoverOpts>): TRet<Uint8Array>;
/** Signature constructor and parser helpers. */
Signature: ECDSASignatureCons;
}
/**
* @param m - Error message.
* @example
* Throw a DER-specific error when signature parsing encounters invalid bytes.
*
* ```ts
* new DERErr('bad der');
* ```
*/
export declare class DERErr extends Error {
constructor(m?: string);
}
/** DER helper namespace used by ECDSA signature parsing and encoding. */
export type IDER = {
/**
* DER-specific error constructor.
* @param m - Error message.
* @returns DER-specific error instance.
*/
Err: typeof DERErr;
/** Low-level tag-length-value helpers used by DER encoders. */
_tlv: {
/**
* Encode one TLV record.
* @param tag - ASN.1 tag byte.
* @param data - Hex-encoded value payload.
* @returns Encoded TLV string.
*/
encode: (tag: number, data: string) => string;
/**
* Decode one TLV record and return the value plus leftover bytes.
* @param tag - Expected ASN.1 tag byte.
* @param data - Remaining DER bytes.
* @returns Parsed value plus leftover bytes.
*/
decode(tag: number, data: TArg<Uint8Array>): TRet<{
v: Uint8Array;
l: Uint8Array;
}>;
};
/** Positive-integer DER helpers used by ECDSA signature encoding. */
_int: {
/**
* Encode one positive bigint as a DER INTEGER.
* @param num - Positive integer to encode.
* @returns Encoded DER INTEGER.
*/
encode(num: bigint): string;
/**
* Decode one DER INTEGER into a bigint.
* @param data - DER INTEGER bytes.
* @returns Decoded bigint.
*/
decode(data: TArg<Uint8Array>): bigint;
};
/**
* Parse a DER signature into `{ r, s }`.
* @param bytes - DER signature bytes.
* @returns Parsed signature components.
*/
toSig(bytes: TArg<Uint8Array>): {
r: bigint;
s: bigint;
};
/**
* Encode `{ r, s }` as a DER signature.
* @param sig - Signature components.
* @returns DER-encoded signature hex.
*/
hexFromSig(sig: {
r: bigint;
s: bigint;
}): string;
};
/**
* ASN.1 DER encoding utilities. ASN is very complex & fragile. Format:
*
* [0x30 (SEQUENCE), bytelength, 0x02 (INTEGER), intLength, R, 0x02 (INTEGER), intLength, S]
*
* Docs: {@link https://letsencrypt.org/docs/a-warm-welcome-to-asn1-and-der/ | Let's Encrypt ASN.1 guide} and
* {@link https://luca.ntop.org/Teaching/Appunti/asn1.html | Luca Deri's ASN.1 notes}.
* @example
* ASN.1 DER encoding utilities.
*
* ```ts
* const der = DER.hexFromSig({ r: 1n, s: 2n });
* ```
*/
export declare const DER: IDER;
/**
* Creates weierstrass Point constructor, based on specified curve options.
*
* See {@link WeierstrassOpts}.
* @param params - Curve parameters. See {@link WeierstrassOpts}.
* @param extraOpts - Optional helpers and overrides. See {@link WeierstrassExtraOpts}.
* @returns Weierstrass point constructor.
* @throws If the curve parameters, overrides, or point codecs are invalid. {@link Error}
*
* @example
* Construct a point type from explicit Weierstrass curve parameters.
*
* ```js
* const opts = {
* p: 0xfffffffffffffffffffffffffffffffeffffac73n,
* n: 0x100000000000000000001b8fa16dfab9aca16b6b3n,
* h: 1n,
* a: 0n,
* b: 7n,
* Gx: 0x3b4c382ce37aa192a4019e763036f4f5dd4d7ebbn,
* Gy: 0x938cf935318fdced6bc28286531733c3f03c4feen,
* };
* const secp160k1_Point = weierstrass(opts);
* ```
*/
export declare function weierstrass<T>(params: WeierstrassOpts<T>, extraOpts?: WeierstrassExtraOpts<T>): WeierstrassPointCons<T>;
/** Parsed ECDSA signature with helpers for recovery and re-encoding. */
export interface ECDSASignature {
/** Signature component `r`. */
readonly r: bigint;
/** Signature component `s`. */
readonly s: bigint;
/** Optional recovery bit for recoverable signatures. */
readonly recovery?: number;
/**
* Return a copy of the signature with a recovery bit attached.
* @param recovery - Recovery bit to attach.
* @returns Signature with an attached recovery bit.
*/
addRecoveryBit(recovery: number): ECDSASignature & {
readonly recovery: number;
};
/**
* Check whether the signature uses the high-S half-order.
* @returns Whether the signature uses the high-S half-order.
*/
hasHighS(): boolean;
/**
* Recover the public key from the hashed message and recovery bit.
* @param messageHash - Hashed message bytes.
* @returns Recovered public-key point.
*/
recoverPublicKey(messageHash: TArg<Uint8Array>): WeierstrassPoint<bigint>;
/**
* Encode the signature into bytes.
* @param format - Signature encoding to produce.
* @returns Encoded signature bytes.
*/
toBytes(format?: string): TRet<Uint8Array>;
/**
* Encode the signature into hex.
* @param format - Signature encoding to produce.
* @returns Encoded signature hex.
*/
toHex(format?: string): string;
}
/** Constructor and decoding helpers for ECDSA signatures. */
export type ECDSASignatureCons = {
/** Create a signature from `r`, `s`, and an optional recovery bit. */
new (r: bigint, s: bigint, recovery?: number): ECDSASignature;
/**
* Decode a signature from bytes.
* @param bytes - Encoded signature bytes.
* @param format - Signature encoding to parse.
* @returns Parsed signature.
*/
fromBytes(bytes: TArg<Uint8Array>, format?: ECDSASignatureFormat): ECDSASignature;
/**
* Decode a signature from hex.
* @param hex - Encoded signature hex.
* @param format - Signature encoding to parse.
* @returns Parsed signature.
*/
fromHex(hex: string, format?: ECDSASignatureFormat): ECDSASignature;
};
/**
* Implementation of the Shallue and van de Woestijne method for any weierstrass curve.
* TODO: check if there is a way to merge this with uvRatio in Edwards; move to modular.
* b = True and y = sqrt(u / v) if (u / v) is square in F, and
* b = False and y = sqrt(Z * (u / v)) otherwise.
* RFC 9380 expects callers to provide `v != 0`; this helper does not enforce it.
* @param Fp - Field implementation.
* @param Z - Simplified SWU map parameter.
* @returns Square-root ratio helper.
* @example
* Build the square-root ratio helper used by SWU map implementations.
*
* ```ts
* import { SWUFpSqrtRatio } from '@noble/curves/abstract/weierstrass.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const sqrtRatio = SWUFpSqrtRatio(Fp, 3n);
* const out = sqrtRatio(4n, 1n);
* ```
*/
export declare function SWUFpSqrtRatio<T>(Fp: TArg<IField<T>>, Z: T): (u: T, v: T) => {
isValid: boolean;
value: T;
};
/**
* Simplified Shallue-van de Woestijne-Ulas Method
* See {@link https://www.rfc-editor.org/rfc/rfc9380#section-6.6.2 | RFC 9380 section 6.6.2}.
* @param Fp - Field implementation.
* @param opts - SWU parameters:
* - `A`: Curve parameter `A`.
* - `B`: Curve parameter `B`.
* - `Z`: Simplified SWU map parameter.
* @returns Deterministic map-to-curve function.
* @throws If the SWU parameters are invalid or the field lacks the required helpers. {@link Error}
* @example
* Map one field element to a Weierstrass curve point with the SWU recipe.
*
* ```ts
* import { mapToCurveSimpleSWU } from '@noble/curves/abstract/weierstrass.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const map = mapToCurveSimpleSWU(Fp, { A: 1n, B: 2n, Z: 3n });
* const point = map(5n);
* ```
*/
export declare function mapToCurveSimpleSWU<T>(Fp: TArg<IField<T>>, opts: {
A: T;
B: T;
Z: T;
}): (u: T) => {
x: T;
y: T;
};
/**
* Sometimes users only need getPublicKey, getSharedSecret, and secret key handling.
* This helper ensures no signature functionality is present. Less code, smaller bundle size.
* @param Point - Weierstrass point constructor.
* @param ecdhOpts - Optional randomness helpers:
* - `randomBytes` (optional): Optional RNG override.
* @returns ECDH helper namespace.
* @example
* Sometimes users only need getPublicKey, getSharedSecret, and secret key handling.
*
* ```ts
* import { ecdh } from '@noble/curves/abstract/weierstrass.js';
* import { p256 } from '@noble/curves/nist.js';
* const dh = ecdh(p256.Point);
* const alice = dh.keygen();
* const shared = dh.getSharedSecret(alice.secretKey, alice.publicKey);
* ```
*/
export declare function ecdh(Point: WeierstrassPointCons<bigint>, ecdhOpts?: TArg<{
randomBytes?: (bytesLength?: number) => TRet<Uint8Array>;
}>): ECDH;
/**
* Creates ECDSA signing interface for given elliptic curve `Point` and `hash` function.
*
* @param Point - created using {@link weierstrass} function
* @param hash - used for 1) message prehash-ing 2) k generation in `sign`, using hmac_drbg(hash)
* @param ecdsaOpts - rarely needed, see {@link ECDSAOpts}:
* - `lowS`: Default low-S policy.
* - `hmac`: HMAC implementation used by RFC6979 DRBG.
* - `randomBytes`: Optional RNG override.
* - `bits2int`: Optional hash-to-int conversion override.
* - `bits2int_modN`: Optional hash-to-int-mod-n conversion override.
*
* @returns ECDSA helper namespace.
* @example
* Create an ECDSA signer/verifier bundle for one curve implementation.
*
* ```ts
* import { ecdsa } from '@noble/curves/abstract/weierstrass.js';
* import { p256 } from '@noble/curves/nist.js';
* import { sha256 } from '@noble/hashes/sha2.js';
* const p256ecdsa = ecdsa(p256.Point, sha256);
* const { secretKey, publicKey } = p256ecdsa.keygen();
* const msg = new TextEncoder().encode('hello noble');
* const sig = p256ecdsa.sign(msg, secretKey);
* const isValid = p256ecdsa.verify(sig, msg, publicKey);
* ```
*/
export declare function ecdsa(Point: WeierstrassPointCons<bigint>, hash: TArg<CHash>, ecdsaOpts?: TArg<ECDSAOpts>): ECDSA;
//# sourceMappingURL=weierstrass.d.ts.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/weierstrass.d.ts.map
Generated Vendored
+1
View File
File diff suppressed because one or more lines are too long
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/weierstrass.js
Generated Vendored
+1412
View File
File diff suppressed because it is too large Load Diff
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/weierstrass.js.map
Generated Vendored
+1
View File
File diff suppressed because one or more lines are too long
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/bls12-381.d.ts
Generated Vendored
+24
View File
@@ -0,0 +1,24 @@
import { type BlsCurvePairWithSignatures } from './abstract/bls.ts';
import { type IField } from './abstract/modular.ts';
import { type TRet } from './utils.ts';
/**
* bls12-381 Fr (Fn) field.
* `fromBytes()` reduces modulo `q` instead of rejecting non-canonical encodings.
*/
export declare const bls12_381_Fr: TRet<IField<bigint>>;
/**
* bls12-381 pairing-friendly curve construction.
* Provides both longSignatures and shortSignatures.
* @example
* bls12-381 pairing-friendly curve construction.
*
* ```ts
* const bls = bls12_381.longSignatures;
* const { secretKey, publicKey } = bls.keygen();
* const msg = bls.hash(new TextEncoder().encode('hello noble'));
* const sig = bls.sign(msg, secretKey);
* const isValid = bls.verify(sig, msg, publicKey);
* ```
*/
export declare const bls12_381: BlsCurvePairWithSignatures;
//# sourceMappingURL=bls12-381.d.ts.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/bls12-381.d.ts.map
Generated Vendored
+1
View File
@@ -0,0 +1 @@
{"version":3,"file":"bls12-381.d.ts","sourceRoot":"","sources":["src/bls12-381.ts"],"names":[],"mappings":"AAgFA,OAAO,EAAO,KAAK,0BAA0B,EAAE,MAAM,mBAAmB,CAAC;AACzE,OAAO,EAAS,KAAK,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EAYL,KAAK,IAAI,EACV,MAAM,YAAY,CAAC;AA2DpB;;;GAGG;AACH,eAAO,MAAM,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAEpB,CAAC;AA+Y3B;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,SAAS,EAAE,0BAOvB,CAAC"}
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/bls12-381.js
Generated Vendored
+678
View File
@@ -0,0 +1,678 @@
/**
* bls12-381 is pairing-friendly Barreto-Lynn-Scott elliptic curve construction allowing to:
* Construct zk-SNARKs at the ~120-bit security, as per [Barbulescu-Duquesne 2017](https://hal.science/hal-01534101/file/main.pdf)
* Efficiently verify N aggregate signatures with 1 pairing and N ec additions:
the Boneh-Lynn-Shacham signature scheme is orders of magnitude more efficient than Schnorr
BLS can mean 2 different things:
* Barreto-Lynn-Scott: BLS12, a Pairing Friendly Elliptic Curve
* Boneh-Lynn-Shacham: A Signature Scheme.
### Summary
1. BLS Relies on expensive bilinear pairing
2. Secret Keys: 32 bytes
3. Public Keys: 48 OR 96 bytes - big-endian x coordinate of point on G1 OR G2 curve
4. Signatures: 96 OR 48 bytes - big-endian x coordinate of point on G2 OR G1 curve
5. The 12 stands for the Embedding degree.
Modes of operation:
* Long signatures: 48-byte keys + 96-byte sigs (G1 keys + G2 sigs).
* Short signatures: 96-byte keys + 48-byte sigs (G2 keys + G1 sigs).
### Formulas
- `P = pk x G` - public keys
- `S = pk x H(m)` - signing, uses hash-to-curve on m
- `e(P, H(m)) == e(G, S)` - verification using pairings
- `e(G, S) = e(G, SUM(n)(Si)) = MUL(n)(e(G, Si))` - signature aggregation
### Curves
G1 is ordinary elliptic curve. G2 is extension field curve, think "over complex numbers".
- G1: y² = x³ + 4
- G2: y² = x³ + 4(u + 1) where u = √−1; r-order subgroup of E'(Fp²), M-type twist
### Towers
Pairing G1 + G2 produces element in Fp₁₂, 12-degree polynomial.
Fp₁₂ is usually implemented using tower of lower-degree polynomials for speed.
- Fp₁₂ = Fp₆² => Fp₂³
- Fp(u) / (u² - β) where β = -1
- Fp₂(v) / (v³ - ξ) where ξ = u + 1
- Fp₆(w) / (w² - γ) where γ = v
- Fp²[u] = Fp/u²+1
- Fp⁶[v] = Fp²/v³-1-u
- Fp¹²[w] = Fp⁶/w²-v
### Params
* Embedding degree (k): 12
* Seed is sometimes named x or t
* t = -15132376222941642752
* p = (t-1)² * (t⁴-t²+1)/3 + t
* r = t⁴-t²+1
* Ate loop size: X
To verify curve parameters, see
[pairing-friendly-curves spec](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-11).
Basic math is done over finite fields over p.
More complicated math is done over polynominal extension fields.
### Compatibility and notes
1. It is compatible with Algorand, Chia, Dfinity, Ethereum, Filecoin, ZEC.
Filecoin uses little endian byte arrays for secret keys - make sure to reverse byte order.
2. Make sure to correctly select mode: "long signature" or "short signature".
3. Compatible with specs:
RFC 9380,
[cfrg-pairing-friendly-curves-11](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-11),
[cfrg-bls-signature-05](https://datatracker.ietf.org/doc/draft-irtf-cfrg-bls-signature/).
*
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { sha256 } from '@noble/hashes/sha2.js';
import { bls } from "./abstract/bls.js";
import { Field } from "./abstract/modular.js";
import { abytes, bitLen, bitMask, bytesToHex, bytesToNumberBE, concatBytes, copyBytes, hexToBytes, numberToBytesBE, randomBytes, } from "./utils.js";
// Types
import { isogenyMap } from "./abstract/hash-to-curve.js";
import { psiFrobenius, tower12 } from "./abstract/tower.js";
import { mapToCurveSimpleSWU, weierstrass, } from "./abstract/weierstrass.js";
// Be friendly to bad ECMAScript parsers by not using bigint literals
// prettier-ignore
const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n = BigInt(4);
// To verify math:
// https://tools.ietf.org/html/draft-irtf-cfrg-pairing-friendly-curves-11
// The BLS parameter x (seed) for BLS12-381. The stored constant is `|x|`; call
// sites that need the signed parameter apply the minus sign themselves.
// x = -2^63 - 2^62 - 2^60 - 2^57 - 2^48 - 2^16
const BLS_X = BigInt('0xd201000000010000');
// t = x (called differently in different places)
// const t = -BLS_X;
const BLS_X_LEN = bitLen(BLS_X);
// a=0, b=4
// P is characteristic of field Fp, in which curve calculations are done.
// p = (t-1)² * (t⁴-t²+1)/3 + t
// bls12_381_Fp = (t-1n)**2n * (t**4n - t**2n + 1n) / 3n + t
// r*h is curve order, amount of points on curve,
// where r is order of prime subgroup and h is cofactor.
// r = t⁴-t²+1
// r = (t**4n - t**2n + 1n)
// cofactor h of G1: (t - 1)²/3, with the signed convention `t = -x`
// cofactorG1 = (t-1n)**2n/3n
// x = 3685416753713387016781088315183077757961620795782546409894578378688607592378376318836054947676345821548104185464507
// y = 1339506544944476473020471379941921221584933875938349620426543736416511423956333506472724655353366534992391756441569
const bls12_381_CURVE_G1 = {
p: BigInt('0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab'),
n: BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001'),
h: BigInt('0x396c8c005555e1568c00aaab0000aaab'),
a: _0n,
b: _4n,
Gx: BigInt('0x17f1d3a73197d7942695638c4fa9ac0fc3688c4f9774b905a14e3a3f171bac586c55e83ff97a1aeffb3af00adb22c6bb'),
Gy: BigInt('0x08b3f481e3aaa0f1a09e30ed741d8ae4fcf5e095d5d00af600db18cb2c04b3edd03cc744a2888ae40caa232946c5e7e1'),
};
// CURVE FIELDS
// r = z⁴ z² + 1; CURVE.n from other curves
/**
* bls12-381 Fr (Fn) field.
* `fromBytes()` reduces modulo `q` instead of rejecting non-canonical encodings.
*/
export const bls12_381_Fr = Field(bls12_381_CURVE_G1.n, {
modFromBytes: true,
});
const { Fp, Fp2, Fp6, Fp12 } = tower12({
ORDER: bls12_381_CURVE_G1.p,
X_LEN: BLS_X_LEN,
// Finite extension field over irreducible polynominal.
// Fp(u) / (u² - β) where β = -1
// Public `Fp2.NONRESIDUE` below is the sextic-tower value `(1, 1) = u + 1`;
// the quadratic non-residue for the base Fp2 construction is still `-1`.
FP2_NONRESIDUE: [_1n, _1n],
Fp2mulByB: ({ c0, c1 }) => {
const t0 = Fp.mul(c0, _4n); // 4 * c0
const t1 = Fp.mul(c1, _4n); // 4 * c1
// (T0-T1) + (T0+T1)*i
return { c0: Fp.sub(t0, t1), c1: Fp.add(t0, t1) };
},
Fp12finalExponentiate: (num) => {
const x = BLS_X;
// this^(q⁶) / this
const t0 = Fp12.div(Fp12.frobeniusMap(num, 6), num);
// t0^(q²) * t0
const t1 = Fp12.mul(Fp12.frobeniusMap(t0, 2), t0);
const t2 = Fp12.conjugate(Fp12._cyclotomicExp(t1, x));
const t3 = Fp12.mul(Fp12.conjugate(Fp12._cyclotomicSquare(t1)), t2);
const t4 = Fp12.conjugate(Fp12._cyclotomicExp(t3, x));
const t5 = Fp12.conjugate(Fp12._cyclotomicExp(t4, x));
const t6 = Fp12.mul(Fp12.conjugate(Fp12._cyclotomicExp(t5, x)), Fp12._cyclotomicSquare(t2));
const t7 = Fp12.conjugate(Fp12._cyclotomicExp(t6, x));
const t2_t5_pow_q2 = Fp12.frobeniusMap(Fp12.mul(t2, t5), 2);
const t4_t1_pow_q3 = Fp12.frobeniusMap(Fp12.mul(t4, t1), 3);
const t6_t1c_pow_q1 = Fp12.frobeniusMap(Fp12.mul(t6, Fp12.conjugate(t1)), 1);
const t7_t3c_t1 = Fp12.mul(Fp12.mul(t7, Fp12.conjugate(t3)), t1);
// (t2 * t5)^(q²) * (t4 * t1)^(q³) * (t6 * t1.conj)^(q^1) * t7 * t3.conj * t1
return Fp12.mul(Fp12.mul(Fp12.mul(t2_t5_pow_q2, t4_t1_pow_q3), t6_t1c_pow_q1), t7_t3c_t1);
},
});
// GLV endomorphism Ψ(P), for fast cofactor clearing. `Fp2.NONRESIDUE` here is
// the tower value `u + 1`, so the Frobenius base passed to psiFrobenius is
// `1 / (u + 1)`, and psi2 derives the published `1 / 2^((p - 1) / 3)` constant internally.
let frob;
const getFrob = () => frob || (frob = psiFrobenius(Fp, Fp2, Fp2.div(Fp2.ONE, Fp2.NONRESIDUE)));
// Eager psiFrobenius setup now dominates `bls12-381.js` import, so defer it to
// first use. After that these locals are rewritten to the direct helper refs.
let G2psi = (c, P) => {
const fn = getFrob().G2psi;
G2psi = fn;
return fn(c, P);
};
let G2psi2 = (c, P) => {
const fn = getFrob().G2psi2;
G2psi2 = fn;
return fn(c, P);
};
/**
* Default hash_to_field / hash-to-curve for BLS.
* m: 1 for G1, 2 for G2
* k: target security level in bits
* hash: any function, e.g. BBS+ uses BLAKE2: see [github](https://github.com/hyperledger/aries-framework-go/issues/2247).
* Field/hash parameters come from [section 8.8.2 of RFC 9380](https://www.rfc-editor.org/rfc/rfc9380#section-8.8.2),
* but the `DST` / `encodeDST` strings below are the BLS-signature-suite override.
*/
const hasher_opts = Object.freeze({
DST: 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_',
encodeDST: 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_',
p: Fp.ORDER,
m: 2,
k: 128,
expand: 'xmd',
hash: sha256,
});
// a=0, b=4
// cofactor h of G2, derived with the signed convention `t = -x`
// (t^8 - 4t^7 + 5t^6 - 4t^4 + 6t^3 - 4t^2 - 4t + 13)/9
// cofactorG2 = (t**8n - 4n*t**7n + 5n*t**6n - 4n*t**4n + 6n*t**3n - 4n*t**2n - 4n*t+13n)/9n
// x = 3059144344244213709971259814753781636986470325476647558659373206291635324768958432433509563104347017837885763365758*u + 352701069587466618187139116011060144890029952792775240219908644239793785735715026873347600343865175952761926303160
// y = 927553665492332455747201965776037880757740193453592970025027978793976877002675564980949289727957565575433344219582*u + 1985150602287291935568054521177171638300868978215655730859378665066344726373823718423869104263333984641494340347905
const bls12_381_CURVE_G2 = {
p: Fp2.ORDER,
n: bls12_381_CURVE_G1.n,
h: BigInt('0x5d543a95414e7f1091d50792876a202cd91de4547085abaa68a205b2e5a7ddfa628f1cb4d9e82ef21537e293a6691ae1616ec6e786f0c70cf1c38e31c7238e5'),
a: Fp2.ZERO,
b: Fp2.fromBigTuple([_4n, _4n]),
Gx: Fp2.fromBigTuple([
BigInt('0x024aa2b2f08f0a91260805272dc51051c6e47ad4fa403b02b4510b647ae3d1770bac0326a805bbefd48056c8c121bdb8'),
BigInt('0x13e02b6052719f607dacd3a088274f65596bd0d09920b61ab5da61bbdc7f5049334cf11213945d57e5ac7d055d042b7e'),
]),
Gy: Fp2.fromBigTuple([
BigInt('0x0ce5d527727d6e118cc9cdc6da2e351aadfd9baa8cbdd3a76d429a695160d12c923ac9cc3baca289e193548608b82801'),
BigInt('0x0606c4a02ea734cc32acd2b02bc28b99cb3e287e85a763af267492ab572e99ab3f370d275cec1da1aaa9075ff05f79be'),
]),
};
// Encoding utils
const sortBit = (parts, p) => {
for (const part of parts) {
if (part !== _0n)
return Boolean((part * _2n) / p);
}
return false;
};
const fp2 = {
// Generic tower bytes use `c0 || c1`, but the BLS12-381 G2 point/signature wire encoding uses
// `c1 || c0`, so keep this local wrapper instead of changing generic field serialization.
encode({ c0, c1 }) {
const { BYTES: L } = Fp;
return concatBytes(numberToBytesBE(c1, L), numberToBytesBE(c0, L));
},
decode(bytes) {
const { BYTES: L } = Fp;
return Fp2.create({
c0: Fp.create(bytesToNumberBE(bytes.subarray(L))),
c1: Fp.create(bytesToNumberBE(bytes.subarray(0, L))),
});
},
};
const BaseFp = Fp;
// Keep BLS12-381 point/signature codecs on one control-flow skeleton: the G1/G2
// and point/signature variants differ only in field packing, subgroup bytes, and
// whether uncompressed form is allowed. Copy-paste decoders were diverging.
const coder = (name, Fp, b, encode, decode, yparts) => {
const F = Fp;
const enc = encode;
const dec = decode;
const W = F.BYTES;
return (allowUncompressed) => ({
encode(point, compressed = true) {
if (!compressed && !allowUncompressed)
throw new Error('invalid signature: expected compressed encoding');
const infinity = point.is0();
const { x, y } = point.toAffine();
const bytes = compressed ? enc(x) : concatBytes(enc(x), enc(y));
let sort;
if (compressed && !infinity)
sort = sortBit(yparts(y), BaseFp.ORDER);
return setMask(bytes, { compressed, infinity, sort });
},
decode(bytes) {
const raw = allowUncompressed
? abytes(bytes, undefined, 'point')
: abytes(bytes, W, 'signature');
const { compressed, infinity, sort, value } = parseMask(raw);
if (!allowUncompressed && !compressed)
throw new Error('invalid signature: expected compressed encoding');
const len = compressed ? W : 2 * W;
if (value.length !== len)
throw new Error(`invalid ${name} point: expected ${len} bytes`);
if (infinity) {
// Infinity canonicality has to be checked on raw bytes before decode()
// reduces coordinates modulo p and turns non-empty payloads into zero.
for (const b of value) {
if (b)
throw new Error(`invalid ${name} point: non-canonical zero`);
}
return { x: F.ZERO, y: F.ZERO };
}
const x = dec(compressed ? value : value.subarray(0, W));
let y;
if (compressed) {
y = F.sqrt(F.add(F.pow(x, _3n), b));
if (!y)
throw new Error(`invalid ${name} point: compressed`);
if (sortBit(yparts(y), BaseFp.ORDER) !== sort)
y = F.neg(y);
}
else {
y = dec(value.subarray(W));
}
// Noble keeps the permissive coordinate reduction path here, but an
// omitted infinity flag must not still decode to ZERO afterwards.
if (!compressed && F.is0(x) && F.is0(y))
throw new Error(`invalid ${name} point: uncompressed`);
return { x, y };
},
});
};
// Internal helper only: it copies before clearing the top flag bits. The
// pairing-friendly-curves draft C.2 step 1 rejects 0x20 / 0x60 / 0xe0 because
// S_bit must be zero for infinity and for all uncompressed encodings.
function validateMask({ compressed, infinity, sort }) {
if ((!compressed && !infinity && sort) || // 0010_0000 = 0x20
(!compressed && infinity && sort) || // 0110_0000 = 0x60
(compressed && infinity && sort) // 1110_0000 = 0xe0
)
throw new Error('invalid encoding flag');
}
function parseMask(bytes) {
// Copy, so we can remove mask data.
// It will be removed also later, when Fp.create will call modulo.
bytes = copyBytes(bytes);
const mask = bytes[0] & 0b1110_0000;
const compressed = !!((mask >> 7) & 1); // compression bit (0b1000_0000)
const infinity = !!((mask >> 6) & 1); // point at infinity bit (0b0100_0000)
const sort = !!((mask >> 5) & 1); // sort bit (0b0010_0000)
validateMask({ compressed, infinity, sort });
bytes[0] &= 0b0001_1111; // clear mask (zero first 3 bits)
return { compressed, infinity, sort, value: bytes };
}
// Internal helper only: mutates a non-empty fresh buffer in place and just
// sets bits. Keep the same invalid-flag guard as parseMask() so encoders cannot
// manufacture states that decoders already reject.
function setMask(bytes, mask) {
if (bytes[0] & 0b1110_0000)
throw new Error('setMask: non-empty mask');
validateMask({ compressed: !!mask.compressed, infinity: !!mask.infinity, sort: !!mask.sort });
if (mask.compressed)
bytes[0] |= 0b1000_0000;
if (mask.infinity)
bytes[0] |= 0b0100_0000;
if (mask.sort)
bytes[0] |= 0b0010_0000;
return bytes;
}
const g1coder = coder('G1', Fp, Fp.create(bls12_381_CURVE_G1.b), (x) => numberToBytesBE(x, Fp.BYTES), (bytes) => Fp.create(bytesToNumberBE(bytes) & bitMask(Fp.BITS)), (y) => [y]);
const g1 = { point: g1coder(true), sig: g1coder(false) };
const signatureG1ToBytes = (point) => {
point.assertValidity();
return g1.sig.encode(point);
};
function signatureG1FromBytes(bytes) {
const Point = bls12_381.G1.Point;
const point = Point.fromAffine(g1.sig.decode(bytes));
point.assertValidity();
return point;
}
const g2coder = coder('G2', Fp2, bls12_381_CURVE_G2.b, fp2.encode, fp2.decode, (y) => [
y.c1,
y.c0,
]);
const g2 = { point: g2coder(true), sig: g2coder(false) };
const signatureG2ToBytes = (point) => {
point.assertValidity();
return g2.sig.encode(point);
};
function signatureG2FromBytes(bytes) {
const Point = bls12_381.G2.Point;
const point = Point.fromAffine(g2.sig.decode(bytes));
point.assertValidity();
return point;
}
const signatureCoders = {
ShortSignature: {
fromBytes(bytes) {
return signatureG1FromBytes(abytes(bytes));
},
fromHex(hex) {
return signatureG1FromBytes(hexToBytes(hex));
},
toBytes(point) {
return signatureG1ToBytes(point);
},
// Historical alias: BLS signatures have a single compressed byte format here.
toRawBytes(point) {
return signatureG1ToBytes(point);
},
toHex(point) {
return bytesToHex(signatureG1ToBytes(point));
},
},
LongSignature: {
fromBytes(bytes) {
return signatureG2FromBytes(abytes(bytes));
},
fromHex(hex) {
return signatureG2FromBytes(hexToBytes(hex));
},
toBytes(point) {
return signatureG2ToBytes(point);
},
// Historical alias: BLS signatures have a single compressed byte format here.
toRawBytes(point) {
return signatureG2ToBytes(point);
},
toHex(point) {
return bytesToHex(signatureG2ToBytes(point));
},
},
};
const fields = {
Fp,
Fp2,
Fp6,
Fp12,
Fr: bls12_381_Fr,
};
const G1_Point = weierstrass(bls12_381_CURVE_G1, {
// Public point APIs still accept infinity, even though the Zcash proof
// encoding rules cited above only define nonzero point encodings.
allowInfinityPoint: true,
Fn: bls12_381_Fr,
fromBytes: g1.point.decode,
toBytes: (_c, point, isComp) => g1.point.encode(point, isComp),
// Checks is the point resides in prime-order subgroup.
// point.isTorsionFree() should return true for valid points
// It returns false for shitty points.
// https://eprint.iacr.org/2021/1130.pdf
isTorsionFree: (c, point) => {
// GLV endomorphism ψ(P)
const beta = BigInt('0x5f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffe');
const phi = new c(Fp.mul(point.X, beta), point.Y, point.Z);
// TODO: unroll
const xP = point.multiplyUnsafe(BLS_X).negate(); // [x]P
const u2P = xP.multiplyUnsafe(BLS_X); // [u2]P
return u2P.equals(phi);
},
// Clear cofactor of G1
// https://eprint.iacr.org/2019/403
clearCofactor: (_c, point) => {
// return this.multiplyUnsafe(CURVE.h);
return point.multiplyUnsafe(BLS_X).add(point); // x*P + P
},
});
const G2_Point = weierstrass(bls12_381_CURVE_G2, {
Fp: Fp2,
// Public point APIs still accept infinity, even though the Zcash proof
// encoding rules cited above only define nonzero point encodings.
allowInfinityPoint: true,
Fn: bls12_381_Fr,
fromBytes: g2.point.decode,
toBytes: (_c, point, isComp) => g2.point.encode(point, isComp),
// https://eprint.iacr.org/2021/1130.pdf
// Older version: https://eprint.iacr.org/2019/814.pdf
isTorsionFree: (c, P) => {
return P.multiplyUnsafe(BLS_X).negate().equals(G2psi(c, P)); // ψ(P) == [u](P)
},
// clear_cofactor_bls12381_g2 from RFC 9380.
// https://eprint.iacr.org/2017/419.pdf
// prettier-ignore
clearCofactor: (c, P) => {
const x = BLS_X;
let t1 = P.multiplyUnsafe(x).negate(); // [-x]P
let t2 = G2psi(c, P); // Ψ(P)
let t3 = P.double(); // 2P
t3 = G2psi2(c, t3); // Ψ²(2P)
t3 = t3.subtract(t2); // Ψ²(2P) - Ψ(P)
t2 = t1.add(t2); // [-x]P + Ψ(P)
t2 = t2.multiplyUnsafe(x).negate(); // [x²]P - [x]Ψ(P)
t3 = t3.add(t2); // Ψ²(2P) - Ψ(P) + [x²]P - [x]Ψ(P)
t3 = t3.subtract(t1); // Ψ²(2P) - Ψ(P) + [x²]P - [x]Ψ(P) + [x]P
const Q = t3.subtract(P); // Ψ²(2P) - Ψ(P) + [x²]P - [x]Ψ(P) + [x]P - 1P
return Q; // [x²-x-1]P + [x-1]Ψ(P) + Ψ²(2P)
},
});
const bls12_hasher_opts = {
mapToG1: mapToG1,
mapToG2: mapToG2,
hasherOpts: hasher_opts,
// RFC 9380 Appendix J defines distinct G1/G2 RO and NU suite IDs, and
// draft-irtf-cfrg-bls-signature-06 §4.2.1 gives separate G1/G2 `_NUL_` DSTs.
// Keep G1 encode-to-curve on the G1 domain instead of inheriting G2's `encodeDST`.
hasherOptsG1: {
...hasher_opts,
m: 1,
DST: 'BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_',
encodeDST: 'BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_',
},
hasherOptsG2: { ...hasher_opts },
};
const bls12_params = {
ateLoopSize: BLS_X, // The BLS parameter x for BLS12-381
xNegative: true,
twistType: 'multiplicative',
randomBytes: randomBytes,
};
/**
* bls12-381 pairing-friendly curve construction.
* Provides both longSignatures and shortSignatures.
* @example
* bls12-381 pairing-friendly curve construction.
*
* ```ts
* const bls = bls12_381.longSignatures;
* const { secretKey, publicKey } = bls.keygen();
* const msg = bls.hash(new TextEncoder().encode('hello noble'));
* const sig = bls.sign(msg, secretKey);
* const isValid = bls.verify(sig, msg, publicKey);
* ```
*/
export const bls12_381 = bls(fields, G1_Point, G2_Point, bls12_params, bls12_hasher_opts, signatureCoders);
// 3-isogeny map from E' to E https://www.rfc-editor.org/rfc/rfc9380#appendix-E.3
// Coefficients stay in ascending `k_(?,0)`..`k_(?,d)` order; isogenyMap()
// reverses them internally for Horner evaluation.
const isogenyMapG2 = isogenyMap(Fp2, [
// xNum
[
[
'0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97d6',
'0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97d6',
],
[
'0x0',
'0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71a',
],
[
'0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71e',
'0x8ab05f8bdd54cde190937e76bc3e447cc27c3d6fbd7063fcd104635a790520c0a395554e5c6aaaa9354ffffffffe38d',
],
[
'0x171d6541fa38ccfaed6dea691f5fb614cb14b4e7f4e810aa22d6108f142b85757098e38d0f671c7188e2aaaaaaaa5ed1',
'0x0',
],
],
// xDen
[
[
'0x0',
'0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa63',
],
[
'0xc',
'0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa9f',
],
['0x1', '0x0'], // LAST 1
],
// yNum
[
[
'0x1530477c7ab4113b59a4c18b076d11930f7da5d4a07f649bf54439d87d27e500fc8c25ebf8c92f6812cfc71c71c6d706',
'0x1530477c7ab4113b59a4c18b076d11930f7da5d4a07f649bf54439d87d27e500fc8c25ebf8c92f6812cfc71c71c6d706',
],
[
'0x0',
'0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97be',
],
[
'0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71c',
'0x8ab05f8bdd54cde190937e76bc3e447cc27c3d6fbd7063fcd104635a790520c0a395554e5c6aaaa9354ffffffffe38f',
],
[
'0x124c9ad43b6cf79bfbf7043de3811ad0761b0f37a1e26286b0e977c69aa274524e79097a56dc4bd9e1b371c71c718b10',
'0x0',
],
],
// yDen
[
[
'0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa8fb',
'0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa8fb',
],
[
'0x0',
'0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa9d3',
],
[
'0x12',
'0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa99',
],
['0x1', '0x0'], // LAST 1
],
].map((i) => i.map((pair) => Fp2.fromBigTuple(pair.map(BigInt)))));
// 11-isogeny map from E' to E. Coefficients stay in ascending
// `k_(?,0)`..`k_(?,d)` order; isogenyMap() reverses them for Horner evaluation.
const isogenyMapG1 = isogenyMap(Fp, [
// xNum
[
'0x11a05f2b1e833340b809101dd99815856b303e88a2d7005ff2627b56cdb4e2c85610c2d5f2e62d6eaeac1662734649b7',
'0x17294ed3e943ab2f0588bab22147a81c7c17e75b2f6a8417f565e33c70d1e86b4838f2a6f318c356e834eef1b3cb83bb',
'0xd54005db97678ec1d1048c5d10a9a1bce032473295983e56878e501ec68e25c958c3e3d2a09729fe0179f9dac9edcb0',
'0x1778e7166fcc6db74e0609d307e55412d7f5e4656a8dbf25f1b33289f1b330835336e25ce3107193c5b388641d9b6861',
'0xe99726a3199f4436642b4b3e4118e5499db995a1257fb3f086eeb65982fac18985a286f301e77c451154ce9ac8895d9',
'0x1630c3250d7313ff01d1201bf7a74ab5db3cb17dd952799b9ed3ab9097e68f90a0870d2dcae73d19cd13c1c66f652983',
'0xd6ed6553fe44d296a3726c38ae652bfb11586264f0f8ce19008e218f9c86b2a8da25128c1052ecaddd7f225a139ed84',
'0x17b81e7701abdbe2e8743884d1117e53356de5ab275b4db1a682c62ef0f2753339b7c8f8c8f475af9ccb5618e3f0c88e',
'0x80d3cf1f9a78fc47b90b33563be990dc43b756ce79f5574a2c596c928c5d1de4fa295f296b74e956d71986a8497e317',
'0x169b1f8e1bcfa7c42e0c37515d138f22dd2ecb803a0c5c99676314baf4bb1b7fa3190b2edc0327797f241067be390c9e',
'0x10321da079ce07e272d8ec09d2565b0dfa7dccdde6787f96d50af36003b14866f69b771f8c285decca67df3f1605fb7b',
'0x6e08c248e260e70bd1e962381edee3d31d79d7e22c837bc23c0bf1bc24c6b68c24b1b80b64d391fa9c8ba2e8ba2d229',
],
// xDen
[
'0x8ca8d548cff19ae18b2e62f4bd3fa6f01d5ef4ba35b48ba9c9588617fc8ac62b558d681be343df8993cf9fa40d21b1c',
'0x12561a5deb559c4348b4711298e536367041e8ca0cf0800c0126c2588c48bf5713daa8846cb026e9e5c8276ec82b3bff',
'0xb2962fe57a3225e8137e629bff2991f6f89416f5a718cd1fca64e00b11aceacd6a3d0967c94fedcfcc239ba5cb83e19',
'0x3425581a58ae2fec83aafef7c40eb545b08243f16b1655154cca8abc28d6fd04976d5243eecf5c4130de8938dc62cd8',
'0x13a8e162022914a80a6f1d5f43e7a07dffdfc759a12062bb8d6b44e833b306da9bd29ba81f35781d539d395b3532a21e',
'0xe7355f8e4e667b955390f7f0506c6e9395735e9ce9cad4d0a43bcef24b8982f7400d24bc4228f11c02df9a29f6304a5',
'0x772caacf16936190f3e0c63e0596721570f5799af53a1894e2e073062aede9cea73b3538f0de06cec2574496ee84a3a',
'0x14a7ac2a9d64a8b230b3f5b074cf01996e7f63c21bca68a81996e1cdf9822c580fa5b9489d11e2d311f7d99bbdcc5a5e',
'0xa10ecf6ada54f825e920b3dafc7a3cce07f8d1d7161366b74100da67f39883503826692abba43704776ec3a79a1d641',
'0x95fc13ab9e92ad4476d6e3eb3a56680f682b4ee96f7d03776df533978f31c1593174e4b4b7865002d6384d168ecdd0a',
'0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001', // LAST 1
],
// yNum
[
'0x90d97c81ba24ee0259d1f094980dcfa11ad138e48a869522b52af6c956543d3cd0c7aee9b3ba3c2be9845719707bb33',
'0x134996a104ee5811d51036d776fb46831223e96c254f383d0f906343eb67ad34d6c56711962fa8bfe097e75a2e41c696',
'0xcc786baa966e66f4a384c86a3b49942552e2d658a31ce2c344be4b91400da7d26d521628b00523b8dfe240c72de1f6',
'0x1f86376e8981c217898751ad8746757d42aa7b90eeb791c09e4a3ec03251cf9de405aba9ec61deca6355c77b0e5f4cb',
'0x8cc03fdefe0ff135caf4fe2a21529c4195536fbe3ce50b879833fd221351adc2ee7f8dc099040a841b6daecf2e8fedb',
'0x16603fca40634b6a2211e11db8f0a6a074a7d0d4afadb7bd76505c3d3ad5544e203f6326c95a807299b23ab13633a5f0',
'0x4ab0b9bcfac1bbcb2c977d027796b3ce75bb8ca2be184cb5231413c4d634f3747a87ac2460f415ec961f8855fe9d6f2',
'0x987c8d5333ab86fde9926bd2ca6c674170a05bfe3bdd81ffd038da6c26c842642f64550fedfe935a15e4ca31870fb29',
'0x9fc4018bd96684be88c9e221e4da1bb8f3abd16679dc26c1e8b6e6a1f20cabe69d65201c78607a360370e577bdba587',
'0xe1bba7a1186bdb5223abde7ada14a23c42a0ca7915af6fe06985e7ed1e4d43b9b3f7055dd4eba6f2bafaaebca731c30',
'0x19713e47937cd1be0dfd0b8f1d43fb93cd2fcbcb6caf493fd1183e416389e61031bf3a5cce3fbafce813711ad011c132',
'0x18b46a908f36f6deb918c143fed2edcc523559b8aaf0c2462e6bfe7f911f643249d9cdf41b44d606ce07c8a4d0074d8e',
'0xb182cac101b9399d155096004f53f447aa7b12a3426b08ec02710e807b4633f06c851c1919211f20d4c04f00b971ef8',
'0x245a394ad1eca9b72fc00ae7be315dc757b3b080d4c158013e6632d3c40659cc6cf90ad1c232a6442d9d3f5db980133',
'0x5c129645e44cf1102a159f748c4a3fc5e673d81d7e86568d9ab0f5d396a7ce46ba1049b6579afb7866b1e715475224b',
'0x15e6be4e990f03ce4ea50b3b42df2eb5cb181d8f84965a3957add4fa95af01b2b665027efec01c7704b456be69c8b604',
],
// yDen
[
'0x16112c4c3a9c98b252181140fad0eae9601a6de578980be6eec3232b5be72e7a07f3688ef60c206d01479253b03663c1',
'0x1962d75c2381201e1a0cbd6c43c348b885c84ff731c4d59ca4a10356f453e01f78a4260763529e3532f6102c2e49a03d',
'0x58df3306640da276faaae7d6e8eb15778c4855551ae7f310c35a5dd279cd2eca6757cd636f96f891e2538b53dbf67f2',
'0x16b7d288798e5395f20d23bf89edb4d1d115c5dbddbcd30e123da489e726af41727364f2c28297ada8d26d98445f5416',
'0xbe0e079545f43e4b00cc912f8228ddcc6d19c9f0f69bbb0542eda0fc9dec916a20b15dc0fd2ededda39142311a5001d',
'0x8d9e5297186db2d9fb266eaac783182b70152c65550d881c5ecd87b6f0f5a6449f38db9dfa9cce202c6477faaf9b7ac',
'0x166007c08a99db2fc3ba8734ace9824b5eecfdfa8d0cf8ef5dd365bc400a0051d5fa9c01a58b1fb93d1a1399126a775c',
'0x16a3ef08be3ea7ea03bcddfabba6ff6ee5a4375efa1f4fd7feb34fd206357132b920f5b00801dee460ee415a15812ed9',
'0x1866c8ed336c61231a1be54fd1d74cc4f9fb0ce4c6af5920abc5750c4bf39b4852cfe2f7bb9248836b233d9d55535d4a',
'0x167a55cda70a6e1cea820597d94a84903216f763e13d87bb5308592e7ea7d4fbc7385ea3d529b35e346ef48bb8913f55',
'0x4d2f259eea405bd48f010a01ad2911d9c6dd039bb61a6290e591b36e636a5c871a5c29f4f83060400f8b49cba8f6aa8',
'0xaccbb67481d033ff5852c1e48c50c477f94ff8aefce42d28c0f9a88cea7913516f968986f7ebbea9684b529e2561092',
'0xad6b9514c767fe3c3613144b45f1496543346d98adf02267d5ceef9a00d9b8693000763e3b90ac11e99b138573345cc',
'0x2660400eb2e4f3b628bdd0d53cd76f2bf565b94e72927c1cb748df27942480e420517bd8714cc80d1fadc1326ed06f7',
'0xe0fa1d816ddc03e6b24255e0d7819c171c40f65e273b853324efcd6356caa205ca2f570f13497804415473a1d634b8f',
'0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001', // LAST 1
],
].map((i) => i.map((j) => BigInt(j))));
let G1_SWU;
let G2_SWU;
// SWU setup validates the pre-isogeny curve parameters and builds sqrt-ratio helpers.
// Doing that eagerly adds about 10ms to `bls12-381.js` import here, so keep it lazy; after the
// first map call the cached mapper is reused directly.
const getG1_SWU = () => G1_SWU ||
(G1_SWU = mapToCurveSimpleSWU(Fp, {
A: Fp.create(BigInt('0x144698a3b8e9433d693a02c96d4982b0ea985383ee66a8d8e8981aefd881ac98936f8da0e0f97f5cf428082d584c1d')),
B: Fp.create(BigInt('0x12e2908d11688030018b12e8753eee3b2016c1f0f24f4070a0b9c14fcef35ef55a23215a316ceaa5d1cc48e98e172be0')),
Z: Fp.create(BigInt(11)),
}));
const getG2_SWU = () => G2_SWU ||
(G2_SWU = mapToCurveSimpleSWU(Fp2, {
// SWU map for the RFC 9380 §8.8.2 pre-isogeny G2 curve E':
// y² = x³ + 240i * x + 1012 + 1012i
A: Fp2.create({ c0: Fp.create(_0n), c1: Fp.create(BigInt(240)) }), // A' = 240 * I
B: Fp2.create({ c0: Fp.create(BigInt(1012)), c1: Fp.create(BigInt(1012)) }), // B' = 1012 * (1 + I)
Z: Fp2.create({ c0: Fp.create(BigInt(-2)), c1: Fp.create(BigInt(-1)) }), // Z: -(2 + I)
}));
// Internal hash-to-curve step: G1 uses `m = 1`, so only `scalars[0]` is read,
// and the result is the isogeny image on E before the subgroup clear.
function mapToG1(scalars) {
const { x, y } = getG1_SWU()(Fp.create(scalars[0]));
return isogenyMapG1(x, y);
}
// Internal hash-to-curve step: G2 expects the RFC `m = 2` pair, and the result
// is the isogeny image on E before the subgroup clear.
function mapToG2(scalars) {
const { x, y } = getG2_SWU()(Fp2.fromBigTuple(scalars));
return isogenyMapG2(x, y);
}
//# sourceMappingURL=bls12-381.js.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/bls12-381.js.map
Generated Vendored
+1
View File
File diff suppressed because one or more lines are too long
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/bn254.d.ts
Generated Vendored
+75
View File
@@ -0,0 +1,75 @@
/**
* bn254, previously known as alt_bn_128, when it had 128-bit security.
Barbulescu-Duquesne 2017 shown it's weaker: just about 100 bits,
so the naming has been adjusted to its prime bit count:
https://hal.science/hal-01534101/file/main.pdf.
Compatible with EIP-196 and EIP-197.
There are huge compatibility issues in the ecosystem:
1. Different libraries call it in different ways: "bn254", "bn256", "alt_bn128", "bn128".
2. libff has bn128, but it's a different curve with different G2:
https://github.com/scipr-lab/libff/blob/a44f482e18b8ac04d034c193bd9d7df7817ad73f/libff/algebra/curves/bn128/bn128_init.cpp#L166-L169
3. halo2curves bn256 is also incompatible and returns different outputs
We don't implement Point methods toHex / toBytes.
To work around this limitation, has to initialize points on their own from BigInts.
Reason it's not implemented is because [there is no standard](https://github.com/privacy-scaling-explorations/halo2curves/issues/109).
Points of divergence:
- Endianness: LE vs BE (byte-swapped)
- Flags as first hex bits (similar to BLS) vs no-flags
- Imaginary part last in G2 vs first (c0, c1 vs c1, c0)
The goal of our implementation is to support "Ethereum" variant of the curve,
because it at least has specs:
- EIP196 (https://eips.ethereum.org/EIPS/eip-196) describes bn254 ECADD and ECMUL opcodes for EVM
- EIP197 (https://eips.ethereum.org/EIPS/eip-197) describes bn254 pairings
- It's hard: EIPs don't have proper tests. EIP-197 returns boolean output instead of Fp12
- The existing implementations are bad. Some are deprecated:
- https://github.com/paritytech/bn (old version)
- https://github.com/ewasm/ethereum-bn128.rs (uses paritytech/bn)
- https://github.com/zcash-hackworks/bn
- https://github.com/arkworks-rs/curves/blob/master/bn254/src/lib.rs
- Python implementations use different towers and produce different Fp12 outputs:
- https://github.com/ethereum/py_pairing
- https://github.com/ethereum/py_ecc/tree/main/py_ecc/bn128
- Points are encoded differently in different implementations
### Params
Seed (X): 4965661367192848881
Fr: (36x⁴+36x³+18x²+6x+1)
Fp: (36x⁴+36x³+24x²+6x+1)
(E / Fp ): Y² = X³+3
(Et / Fp²): Y² = X³+3/(u+9) (D-type twist)
Ate loop size: 6x+2
### Towers
- Fp²[u] = Fp/u²+1
- Fp⁶[v] = Fp²/v³-9-u
- Fp¹²[w] = Fp⁶/w²-v
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { type BlsCurvePair, type BlsPostPrecomputeFn } from './abstract/bls.ts';
import { type IField } from './abstract/modular.ts';
import { type TRet } from './utils.ts';
/** bn254 scalar field. */
export declare const bn254_Fr: TRet<IField<bigint>>;
export declare const _postPrecompute: BlsPostPrecomputeFn;
/**
* bn254 (a.k.a. alt_bn128) pairing-friendly curve.
* Contains G1 / G2 operations and pairings only; the commented-out
* hash-to-curve and signature surface is intentionally not exposed here.
* @example
* Compute a pairing from the two generator points.
*
* ```ts
* const gt = bn254.pairing(bn254.G1.Point.BASE, bn254.G2.Point.BASE);
* ```
*/
export declare const bn254: BlsCurvePair;
//# sourceMappingURL=bn254.d.ts.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/bn254.d.ts.map
Generated Vendored
+1
View File
@@ -0,0 +1 @@
{"version":3,"file":"bn254.d.ts","sourceRoot":"","sources":["src/bn254.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsDG;AACH,sEAAsE;AACtE,OAAO,EAEL,KAAK,YAAY,EACjB,KAAK,mBAAmB,EAEzB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAS,KAAK,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAI3D,OAAO,EAAU,KAAK,IAAI,EAAE,MAAM,YAAY,CAAC;AA8B/C,0BAA0B;AAC1B,eAAO,MAAM,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CACU,CAAC;AA+DrD,eAAO,MAAM,eAAe,EAAE,mBAY7B,CAAC;AAyFF;;;;;;;;;;GAUG;AAEH,eAAO,MAAM,KAAK,EAAE,YAKnB,CAAC"}
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/bn254.js
Generated Vendored
+245
View File
@@ -0,0 +1,245 @@
/**
* bn254, previously known as alt_bn_128, when it had 128-bit security.
Barbulescu-Duquesne 2017 shown it's weaker: just about 100 bits,
so the naming has been adjusted to its prime bit count:
https://hal.science/hal-01534101/file/main.pdf.
Compatible with EIP-196 and EIP-197.
There are huge compatibility issues in the ecosystem:
1. Different libraries call it in different ways: "bn254", "bn256", "alt_bn128", "bn128".
2. libff has bn128, but it's a different curve with different G2:
https://github.com/scipr-lab/libff/blob/a44f482e18b8ac04d034c193bd9d7df7817ad73f/libff/algebra/curves/bn128/bn128_init.cpp#L166-L169
3. halo2curves bn256 is also incompatible and returns different outputs
We don't implement Point methods toHex / toBytes.
To work around this limitation, has to initialize points on their own from BigInts.
Reason it's not implemented is because [there is no standard](https://github.com/privacy-scaling-explorations/halo2curves/issues/109).
Points of divergence:
- Endianness: LE vs BE (byte-swapped)
- Flags as first hex bits (similar to BLS) vs no-flags
- Imaginary part last in G2 vs first (c0, c1 vs c1, c0)
The goal of our implementation is to support "Ethereum" variant of the curve,
because it at least has specs:
- EIP196 (https://eips.ethereum.org/EIPS/eip-196) describes bn254 ECADD and ECMUL opcodes for EVM
- EIP197 (https://eips.ethereum.org/EIPS/eip-197) describes bn254 pairings
- It's hard: EIPs don't have proper tests. EIP-197 returns boolean output instead of Fp12
- The existing implementations are bad. Some are deprecated:
- https://github.com/paritytech/bn (old version)
- https://github.com/ewasm/ethereum-bn128.rs (uses paritytech/bn)
- https://github.com/zcash-hackworks/bn
- https://github.com/arkworks-rs/curves/blob/master/bn254/src/lib.rs
- Python implementations use different towers and produce different Fp12 outputs:
- https://github.com/ethereum/py_pairing
- https://github.com/ethereum/py_ecc/tree/main/py_ecc/bn128
- Points are encoded differently in different implementations
### Params
Seed (X): 4965661367192848881
Fr: (36x⁴+36x³+18x²+6x+1)
Fp: (36x⁴+36x³+24x²+6x+1)
(E / Fp ): Y² = X³+3
(Et / Fp²): Y² = X³+3/(u+9) (D-type twist)
Ate loop size: 6x+2
### Towers
- Fp²[u] = Fp/u²+1
- Fp⁶[v] = Fp²/v³-9-u
- Fp¹²[w] = Fp⁶/w²-v
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { blsBasic, } from "./abstract/bls.js";
import { Field } from "./abstract/modular.js";
import { psiFrobenius, tower12 } from "./abstract/tower.js";
import { weierstrass } from "./abstract/weierstrass.js";
import { bitLen } from "./utils.js";
// prettier-ignore
const _0n = /* @__PURE__ */ BigInt(0), _1n = /* @__PURE__ */ BigInt(1), _2n = /* @__PURE__ */ BigInt(2), _3n = /* @__PURE__ */ BigInt(3);
const _6n = /* @__PURE__ */ BigInt(6);
// Locally documented BN pairing seed. EIP-197 does not name this scalar
// directly; noble stores the positive value and derives any `-x` uses later.
const BN_X = /* @__PURE__ */ BigInt('4965661367192848881');
// Bit width of the stored seed itself, not the derived Miller-loop scalar `6x+2`.
const BN_X_LEN = /* @__PURE__ */ (() => bitLen(BN_X))();
// Derived scalar used by the optimized G2 subgroup test required by EIP-197.
const SIX_X_SQUARED = /* @__PURE__ */ (() => _6n * BN_X ** _2n)();
const bn254_G1_CURVE = {
p: BigInt('0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47'),
n: BigInt('0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593f0000001'),
// The Ethereum specs define G1 as prime-order but do not spell out the
// cofactor separately; `h = 1` is the implementation-derived value.
h: _1n,
a: _0n,
b: _3n,
Gx: _1n,
Gy: BigInt(2),
};
// r == n
// Finite field over r. It's for convenience and is not used in the code below,
// and its canonical `fromBytes()` decoder is stricter than the EIP-196 MUL
// scalar rule that accepts any 256-bit integer.
// These factories are side-effect free; mark them pure so single-export bundles can drop the rest.
/** bn254 scalar field. */
export const bn254_Fr = /* @__PURE__ */ (() => Field(bn254_G1_CURVE.n))();
// `3 / (i + 9)` from EIP-197, stored in noble's internal `(c0, c1) = (b, a)`
// order rather than the spec's `a * i + b` notation.
const Fp2B = /* @__PURE__ */ (() => ({
c0: BigInt('19485874751759354771024239261021720505790618469301721065564631296452457478373'),
c1: BigInt('266929791119991161246907387137283842545076965332900288569378510910307636690'),
}))();
// Bootstrap binding: `Fp12finalExponentiate` needs to reference the finished
// field object while `tower12(...)` is still constructing it.
let Fp12;
const tower = /* @__PURE__ */ (() => {
const res = tower12({
ORDER: bn254_G1_CURVE.p,
X_LEN: BN_X_LEN,
// Public `Fp2.NONRESIDUE` below is the sextic-tower seed `(9, 1)`, not the
// quadratic relation `i^2 + 1 = 0` from the EIP text.
FP2_NONRESIDUE: [BigInt(9), _1n],
Fp2mulByB: (num) => Fp2.mul(num, Fp2B),
Fp12finalExponentiate: (num) => {
const powMinusX = (num) => Fp12.conjugate(Fp12._cyclotomicExp(num, BN_X));
const r0 = Fp12.mul(Fp12.conjugate(num), Fp12.inv(num));
const r = Fp12.mul(Fp12.frobeniusMap(r0, 2), r0);
const y1 = Fp12._cyclotomicSquare(powMinusX(r));
const y2 = Fp12.mul(Fp12._cyclotomicSquare(y1), y1);
const y4 = powMinusX(y2);
const y6 = powMinusX(Fp12._cyclotomicSquare(y4));
const y8 = Fp12.mul(Fp12.mul(Fp12.conjugate(y6), y4), Fp12.conjugate(y2));
const y9 = Fp12.mul(y8, y1);
return Fp12.mul(Fp12.frobeniusMap(Fp12.mul(Fp12.conjugate(r), y9), 3), Fp12.mul(Fp12.frobeniusMap(y8, 2), Fp12.mul(Fp12.frobeniusMap(y9, 1), Fp12.mul(Fp12.mul(y8, y4), r))));
},
});
Fp12 = res.Fp12;
return res;
})();
const Fp = /* @__PURE__ */ (() => tower.Fp)();
const Fp2 = /* @__PURE__ */ (() => tower.Fp2)();
// END OF CURVE FIELDS
// BN254 uses the same tower seed `(9, 1)` for the Frobenius helper that powers
// the divisive-twist G2 endomorphism.
let frob;
const getFrob = () => frob || (frob = psiFrobenius(Fp, Fp2, Fp2.NONRESIDUE));
// Eager psiFrobenius setup now dominates `bn254.js` import, so defer it to
// first use. After that these locals are rewritten to the direct helper refs.
let psi = (x, y) => {
const fn = getFrob().psi;
psi = fn;
return fn(x, y);
};
let G2psi = (c, P) => {
const fn = getFrob().G2psi;
G2psi = fn;
return fn(c, P);
};
export const _postPrecompute = (Rx, Ry, Rz, Qx, Qy, pointAdd) => {
const q = psi(Qx, Qy);
({ Rx, Ry, Rz } = pointAdd(Rx, Ry, Rz, q[0], q[1]));
const q2 = psi(q[0], q[1]);
pointAdd(Rx, Ry, Rz, q2[0], Fp2.neg(q2[1]));
};
// cofactor: (36 * X^4) + (36 * X^3) + (30 * X^2) + 6*X + 1
const bn254_G2_CURVE = /* @__PURE__ */ (() => ({
p: Fp2.ORDER,
n: bn254_G1_CURVE.n,
// As with G1, the Ethereum specs do not spell out the G2 cofactor
// separately; this literal is the implementation-derived value.
h: BigInt('0x30644e72e131a029b85045b68181585e06ceecda572a2489345f2299c0f9fa8d'),
a: Fp2.ZERO,
b: Fp2B,
Gx: Fp2.fromBigTuple([
BigInt('10857046999023057135944570762232829481370756359578518086990519993285655852781'),
BigInt('11559732032986387107991004021392285783925812861821192530917403151452391805634'),
]),
Gy: Fp2.fromBigTuple([
BigInt('8495653923123431417604973247489272438418190587263600148770280649306958101930'),
BigInt('4082367875863433681332203403145435568316851327593401208105741076214120093531'),
]),
}))();
const fields = /* @__PURE__ */ (() => ({ Fp, Fp2, Fp6: tower.Fp6, Fp12, Fr: bn254_Fr }))();
const bn254_G1 = /* @__PURE__ */ weierstrass(bn254_G1_CURVE, {
Fp,
Fn: bn254_Fr,
// Ethereum encodes infinity as `(0, 0)`, so the public point API accepts it
// even though it is not an affine curve point, and `fromAffine()` stays lazy:
// adversarial inputs still need `assertValidity()`.
allowInfinityPoint: true,
});
const bn254_G2 = /* @__PURE__ */ weierstrass(bn254_G2_CURVE, {
Fp: Fp2,
Fn: bn254_Fr,
// Ethereum encodes infinity as `((0, 0), (0, 0))`, so the public point API
// accepts it even though it is not an affine curve point.
allowInfinityPoint: true,
// Optimized BN254 G2 subgroup test used to satisfy the EIP-197 order check.
isTorsionFree: (c, P) => P.multiplyUnsafe(SIX_X_SQUARED).equals(G2psi(c, P)), // [p]P = [6X^2]P
});
/*
No hashToCurve for now (and signatures):
- RFC 9380 doesn't mention bn254 and doesn't provide test vectors
- Overall seems like nobody is using BLS signatures on top of bn254
- Seems like it can utilize SVDW, which is not implemented yet
*/
// const htfDefaults = Object.freeze({
// // DST: a domain separation tag defined in section 2.2.5
// DST: 'BN254G2_XMD:SHA-256_SVDW_RO_',
// encodeDST: 'BN254G2_XMD:SHA-256_SVDW_RO_',
// p: Fp.ORDER,
// m: 2,
// k: 128,
// expand: 'xmd',
// hash: sha256,
// });
// const hasherOpts = {
// { ...htfDefaults, m: 1, DST: 'BN254G2_XMD:SHA-256_SVDW_RO_' }
// };
const bn254_params = /* @__PURE__ */ (() => ({
// Optimal-ate Miller loop parameter derived from the positive BN seed.
ateLoopSize: BN_X * _6n + _2n,
r: bn254_Fr.ORDER,
xNegative: false,
// EIP-197 writes G2 as `y^2 = x^3 + 3 / (i + 9)`, so the pairing
// configuration uses the divisive twist convention.
twistType: 'divisive',
postPrecompute: _postPrecompute,
}))();
// const bn254_hasher = {
// hasherOpts: htfDefaults,
// hasherOptsG1: { m: 1, DST: 'BN254G2_XMD:SHA-256_SVDW_RO_' },
// hasherOptsG2: htfDefaults
// };
// G2_heff hEff: BigInt('21888242871839275222246405745257275088844257914179612981679871602714643921549'),
// fromBytes: notImplemented,
// toBytes: notImplemented,
// mapToCurve: notImplemented,
// fromBytes: notImplemented,
// toBytes: notImplemented,
// ShortSignature: {
// fromBytes: notImplemented,
// fromHex: notImplemented,
// toBytes: notImplemented,
// toRawBytes: notImplemented,
// toHex: notImplemented,
// },
/**
* bn254 (a.k.a. alt_bn128) pairing-friendly curve.
* Contains G1 / G2 operations and pairings only; the commented-out
* hash-to-curve and signature surface is intentionally not exposed here.
* @example
* Compute a pairing from the two generator points.
*
* ```ts
* const gt = bn254.pairing(bn254.G1.Point.BASE, bn254.G2.Point.BASE);
* ```
*/
// bn254_hasher
export const bn254 = /* @__PURE__ */ blsBasic(fields, bn254_G1, bn254_G2, bn254_params);
//# sourceMappingURL=bn254.js.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/bn254.js.map
Generated Vendored
+1
View File
File diff suppressed because one or more lines are too long
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/ed25519.d.ts
Generated Vendored
+212
View File
@@ -0,0 +1,212 @@
import { type AffinePoint } from './abstract/curve.ts';
import { PrimeEdwardsPoint, type EdDSA, type EdwardsPoint, type EdwardsPointCons } from './abstract/edwards.ts';
import { type FROST } from './abstract/frost.ts';
import { type H2CHasher, type H2CHasherBase } from './abstract/hash-to-curve.ts';
import { type IField } from './abstract/modular.ts';
import { type MontgomeryECDH } from './abstract/montgomery.ts';
import { type OPRF } from './abstract/oprf.ts';
import { type TArg, type TRet } from './utils.ts';
/**
* ed25519 curve with EdDSA signatures.
* Seeded `keygen(seed)` / `utils.randomSecretKey(seed)` reuse the provided
* 32-byte seed buffer instead of copying it.
* @example
* Generate one Ed25519 keypair, sign a message, and verify it.
*
* ```js
* import { ed25519 } from '@noble/curves/ed25519.js';
* const { secretKey, publicKey } = ed25519.keygen();
* // const publicKey = ed25519.getPublicKey(secretKey);
* const msg = new TextEncoder().encode('hello noble');
* const sig = ed25519.sign(msg, secretKey);
* const isValid = ed25519.verify(sig, msg, publicKey); // ZIP215
* // RFC8032 / FIPS 186-5
* const isValid2 = ed25519.verify(sig, msg, publicKey, { zip215: false });
* ```
*/
export declare const ed25519: EdDSA;
/**
* Context version of ed25519 (ctx for domain separation). See {@link ed25519}
* Seeded `keygen(seed)` / `utils.randomSecretKey(seed)` reuse the provided
* 32-byte seed buffer instead of copying it.
* @example
* Sign and verify with Ed25519ctx under one explicit context.
*
* ```ts
* const context = new TextEncoder().encode('docs');
* const { secretKey, publicKey } = ed25519ctx.keygen();
* const msg = new TextEncoder().encode('hello noble');
* const sig = ed25519ctx.sign(msg, secretKey, { context });
* const isValid = ed25519ctx.verify(sig, msg, publicKey, { context });
* ```
*/
export declare const ed25519ctx: EdDSA;
/**
* Prehashed version of ed25519. See {@link ed25519}
* Seeded `keygen(seed)` / `utils.randomSecretKey(seed)` reuse the provided
* 32-byte seed buffer instead of copying it.
* @example
* Use the prehashed Ed25519 variant for one message.
*
* ```ts
* const { secretKey, publicKey } = ed25519ph.keygen();
* const msg = new TextEncoder().encode('hello noble');
* const sig = ed25519ph.sign(msg, secretKey);
* const isValid = ed25519ph.verify(sig, msg, publicKey);
* ```
*/
export declare const ed25519ph: EdDSA;
/**
* FROST threshold signatures over ed25519. RFC 9591.
* @example
* Create one trusted-dealer package for 2-of-3 ed25519 signing.
*
* ```ts
* const alice = ed25519_FROST.Identifier.derive('alice@example.com');
* const bob = ed25519_FROST.Identifier.derive('bob@example.com');
* const carol = ed25519_FROST.Identifier.derive('carol@example.com');
* const deal = ed25519_FROST.trustedDealer({ min: 2, max: 3 }, [alice, bob, carol]);
* ```
*/
export declare const ed25519_FROST: TRet<FROST>;
/**
* ECDH using curve25519 aka x25519.
* `getSharedSecret()` rejects low-order peer inputs by default, and seeded
* `keygen(seed)` reuses the provided 32-byte seed buffer instead of copying it.
* @example
* Derive one shared secret between two X25519 peers.
*
* ```js
* import { x25519 } from '@noble/curves/ed25519.js';
* const alice = x25519.keygen();
* const bob = x25519.keygen();
* const shared = x25519.getSharedSecret(alice.secretKey, bob.publicKey);
* ```
*/
export declare const x25519: TRet<MontgomeryECDH>;
/**
* RFC 9380 method `map_to_curve_elligator2_curve25519`. Experimental name: may be renamed later.
* @private
*/
export declare function _map_to_curve_elligator2_curve25519(u: bigint): {
xMn: bigint;
xMd: bigint;
yMn: bigint;
yMd: bigint;
};
/**
* Hashing to ed25519 points / field. RFC 9380 methods.
* Public `mapToCurve()` returns the cofactor-cleared subgroup point; the
* internal map callback below consumes one field element bigint, not `[bigint]`.
* @example
* Hash one message onto the ed25519 curve.
*
* ```ts
* const point = ed25519_hasher.hashToCurve(new TextEncoder().encode('hello noble'));
* ```
*/
export declare const ed25519_hasher: H2CHasher<EdwardsPointCons>;
/**
* Wrapper over Edwards Point for ristretto255.
*
* Each ed25519/EdwardsPoint has 8 different equivalent points. This can be
* a source of bugs for protocols like ring signatures. Ristretto was created to solve this.
* Ristretto point operates in X:Y:Z:T extended coordinates like EdwardsPoint,
* but it should work in its own namespace: do not combine those two.
* See [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
*/
declare class _RistrettoPoint extends PrimeEdwardsPoint<_RistrettoPoint> {
static BASE: _RistrettoPoint;
static ZERO: _RistrettoPoint;
static Fp: IField<bigint>;
static Fn: IField<bigint>;
constructor(ep: EdwardsPoint);
/**
* Create one Ristretto255 point from affine Edwards coordinates.
* This wraps the internal Edwards representative directly and is not a
* canonical ristretto255 decoding path.
* Use `toBytes()` / `fromBytes()` if canonical ristretto255 bytes matter.
*/
static fromAffine(ap: AffinePoint<bigint>): _RistrettoPoint;
protected assertSame(other: _RistrettoPoint): void;
protected init(ep: EdwardsPoint): _RistrettoPoint;
static fromBytes(bytes: TArg<Uint8Array>): _RistrettoPoint;
/**
* Converts ristretto-encoded string to ristretto point.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode).
* @param hex - Ristretto-encoded 32 bytes. Not every 32-byte string is valid ristretto encoding
*/
static fromHex(hex: string): _RistrettoPoint;
/**
* Encodes ristretto point to Uint8Array.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-encode).
*/
toBytes(): TRet<Uint8Array>;
/**
* Compares two Ristretto points.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-equals).
*/
equals(other: _RistrettoPoint): boolean;
is0(): boolean;
}
/** Prime-order Ristretto255 group bundle. */
export declare const ristretto255: {
Point: typeof _RistrettoPoint;
};
/**
* Hashing to ristretto255 points / field. RFC 9380 methods.
* `hashToCurve()` is RFC 9380 Appendix B, `deriveToCurve()` is the RFC 9496
* §4.3.4 element-derivation building block, and `hashToScalar()` is a
* library-specific helper for OPRF-style use.
* @example
* Hash one message onto ristretto255.
*
* ```ts
* const point = ristretto255_hasher.hashToCurve(new TextEncoder().encode('hello noble'));
* ```
*/
export declare const ristretto255_hasher: H2CHasherBase<typeof _RistrettoPoint>;
/**
* ristretto255 OPRF/VOPRF/POPRF bundle, defined in RFC 9497.
* @example
* Run one blind/evaluate/finalize OPRF round over ristretto255.
*
* ```ts
* const input = new TextEncoder().encode('hello noble');
* const keys = ristretto255_oprf.oprf.generateKeyPair();
* const blind = ristretto255_oprf.oprf.blind(input);
* const evaluated = ristretto255_oprf.oprf.blindEvaluate(keys.secretKey, blind.blinded);
* const output = ristretto255_oprf.oprf.finalize(input, blind.blind, evaluated);
* ```
*/
export declare const ristretto255_oprf: TRet<OPRF>;
/**
* FROST threshold signatures over ristretto255. RFC 9591.
* @example
* Create one trusted-dealer package for 2-of-3 ristretto255 signing.
*
* ```ts
* const alice = ristretto255_FROST.Identifier.derive('alice@example.com');
* const bob = ristretto255_FROST.Identifier.derive('bob@example.com');
* const carol = ristretto255_FROST.Identifier.derive('carol@example.com');
* const deal = ristretto255_FROST.trustedDealer({ min: 2, max: 3 }, [alice, bob, carol]);
* ```
*/
export declare const ristretto255_FROST: TRet<FROST>;
/**
* Weird / bogus points, useful for debugging.
* All 8 ed25519 points of 8-torsion subgroup can be generated from the point
* T = `26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05`.
* The subgroup generated by `T` is `{ O, T, 2T, 3T, 4T, 5T, 6T, 7T }`; the
* array below is that set, not the powers in that exact index order.
* @example
* Decode one known torsion point for debugging.
*
* ```ts
* import { ED25519_TORSION_SUBGROUP, ed25519 } from '@noble/curves/ed25519.js';
* const point = ed25519.Point.fromHex(ED25519_TORSION_SUBGROUP[1]);
* ```
*/
export declare const ED25519_TORSION_SUBGROUP: readonly string[];
export {};
//# sourceMappingURL=ed25519.d.ts.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/ed25519.d.ts.map
Generated Vendored
+1
View File
@@ -0,0 +1 @@
{"version":3,"file":"ed25519.d.ts","sourceRoot":"","sources":["src/ed25519.ts"],"names":[],"mappings":"AAUA,OAAO,EAAE,KAAK,WAAW,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAGL,iBAAiB,EACjB,KAAK,KAAK,EAGV,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACtB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAe,KAAK,KAAK,EAAE,MAAM,qBAAqB,CAAC;AAC9D,OAAO,EAKL,KAAK,SAAS,EACd,KAAK,aAAa,EACnB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAML,KAAK,MAAM,EACZ,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAc,KAAK,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAC3E,OAAO,EAAc,KAAK,IAAI,EAAE,MAAM,oBAAoB,CAAC;AAC3D,OAAO,EAA6C,KAAK,IAAI,EAAE,KAAK,IAAI,EAAE,MAAM,YAAY,CAAC;AAiH7F;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,OAAO,EAAE,KAA8B,CAAC;AACrD;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,UAAU,EAAE,KAAsD,CAAC;AAChF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,SAAS,EAAE,KAAuE,CAAC;AAChG;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,aAAa,EAAE,IAAI,CAAC,KAAK,CAa/B,CAAC;AAER;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,MAAM,EAAE,IAAI,CAAC,cAAc,CAYpC,CAAC;AAUL;;;GAGG;AAEH,wBAAgB,mCAAmC,CAAC,CAAC,EAAE,MAAM,GAAG;IAC9D,GAAG,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CACnD,CA8CA;AA0BD;;;;;;;;;;GAUG;AACH,eAAO,MAAM,cAAc,EAAE,SAAS,CAAC,gBAAgB,CAajD,CAAC;AA4DP;;;;;;;;GAQG;AACH,cAAM,eAAgB,SAAQ,iBAAiB,CAAC,eAAe,CAAC;IAI9D,MAAM,CAAC,IAAI,EAAE,eAAe,CACwC;IAEpE,MAAM,CAAC,IAAI,EAAE,eAAe,CACwC;IAEpE,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CACM;IAE/B,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CACM;gBAEnB,EAAE,EAAE,YAAY;IAI5B;;;;;OAKG;IACH,MAAM,CAAC,UAAU,CAAC,EAAE,EAAE,WAAW,CAAC,MAAM,CAAC,GAAG,eAAe;IAI3D,SAAS,CAAC,UAAU,CAAC,KAAK,EAAE,eAAe,GAAG,IAAI;IAIlD,SAAS,CAAC,IAAI,CAAC,EAAE,EAAE,YAAY,GAAG,eAAe;IAIjD,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,CAAC,GAAG,eAAe;IA4B1D;;;;OAIG;IACH,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,eAAe;IAI5C;;;OAGG;IACH,OAAO,IAAI,IAAI,CAAC,UAAU,CAAC;IA4B3B;;;OAGG;IACH,MAAM,CAAC,KAAK,EAAE,eAAe,GAAG,OAAO;IAWvC,GAAG,IAAI,OAAO;CAGf;AAMD,6CAA6C;AAC7C,eAAO,MAAM,YAAY,EAAE;IACzB,KAAK,EAAE,OAAO,eAAe,CAAC;CAC6B,CAAC;AAE9D;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,mBAAmB,EAAE,aAAa,CAAC,OAAO,eAAe,CAiDpE,CAAC;AAEH;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,iBAAiB,EAAE,IAAI,CAAC,IAAI,CAOlC,CAAC;AACR;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,kBAAkB,EAAE,IAAI,CAAC,KAAK,CASpC,CAAC;AAER;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,wBAAwB,EAAE,SAAS,MAAM,EASpD,CAAC"}
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/ed25519.js
Generated Vendored
+624
View File
@@ -0,0 +1,624 @@
/**
* ed25519 Twisted Edwards curve with following addons:
* - X25519 ECDH
* - Ristretto cofactor elimination
* - Elligator hash-to-group / point indistinguishability
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { sha512 } from '@noble/hashes/sha2.js';
import { abytes, concatBytes, hexToBytes } from '@noble/hashes/utils.js';
import {} from "./abstract/curve.js";
import { eddsa, edwards, PrimeEdwardsPoint, } from "./abstract/edwards.js";
import { createFROST } from "./abstract/frost.js";
import { _DST_scalar, createHasher, expand_message_xmd, } from "./abstract/hash-to-curve.js";
import { FpInvertBatch, FpSqrtEven, isNegativeLE, mod, pow2, } from "./abstract/modular.js";
import { montgomery } from "./abstract/montgomery.js";
import { createOPRF } from "./abstract/oprf.js";
import { asciiToBytes, bytesToNumberLE, equalBytes } from "./utils.js";
// prettier-ignore
const _0n = /* @__PURE__ */ BigInt(0), _1n = /* @__PURE__ */ BigInt(1), _2n = /* @__PURE__ */ BigInt(2), _3n = /* @__PURE__ */ BigInt(3);
// prettier-ignore
const _5n = /* @__PURE__ */ BigInt(5), _8n = /* @__PURE__ */ BigInt(8);
// P = 2n**255n - 19n
const ed25519_CURVE_p = /* @__PURE__ */ BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed');
// N = 2n**252n + 27742317777372353535851937790883648493n
// a = Fp.create(BigInt(-1))
// d = -121665/121666 a.k.a. Fp.neg(121665 * Fp.inv(121666))
const ed25519_CURVE = /* @__PURE__ */ (() => ({
p: ed25519_CURVE_p,
n: BigInt('0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed'),
h: _8n,
a: BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffec'),
d: BigInt('0x52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca135978a3'),
Gx: BigInt('0x216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51a'),
Gy: BigInt('0x6666666666666666666666666666666666666666666666666666666666666658'),
}))();
function ed25519_pow_2_252_3(x) {
// prettier-ignore
const _10n = BigInt(10), _20n = BigInt(20), _40n = BigInt(40), _80n = BigInt(80);
const P = ed25519_CURVE_p;
const x2 = (x * x) % P;
const b2 = (x2 * x) % P; // x^3, 11
const b4 = (pow2(b2, _2n, P) * b2) % P; // x^15, 1111
const b5 = (pow2(b4, _1n, P) * x) % P; // x^31
const b10 = (pow2(b5, _5n, P) * b5) % P;
const b20 = (pow2(b10, _10n, P) * b10) % P;
const b40 = (pow2(b20, _20n, P) * b20) % P;
const b80 = (pow2(b40, _40n, P) * b40) % P;
const b160 = (pow2(b80, _80n, P) * b80) % P;
const b240 = (pow2(b160, _80n, P) * b80) % P;
const b250 = (pow2(b240, _10n, P) * b10) % P;
const pow_p_5_8 = (pow2(b250, _2n, P) * x) % P;
// ^ This is x^((p-5)/8); multiply by x once more to get x^((p+3)/8).
return { pow_p_5_8, b2 };
}
// Mutates and returns the provided 32-byte buffer in place.
function adjustScalarBytes(bytes) {
// Section 5: For X25519, in order to decode 32 random bytes as an integer scalar,
// set the three least significant bits of the first byte
bytes[0] &= 248; // 0b1111_1000
// and the most significant bit of the last to zero,
bytes[31] &= 127; // 0b0111_1111
// set the second most significant bit of the last byte to 1
bytes[31] |= 64; // 0b0100_0000
return bytes;
}
// √(-1) aka √(a) aka 2^((p-1)/4)
// Fp.sqrt(Fp.neg(1))
const ED25519_SQRT_M1 = /* @__PURE__ */ BigInt('19681161376707505956807079304988542015446066515923890162744021073123829784752');
// sqrt(u/v). Returns `{ isValid, value }`; on non-squares `value` is still a
// dummy root-shaped field element so callers can stay constant-time.
function uvRatio(u, v) {
const P = ed25519_CURVE_p;
const v3 = mod(v * v * v, P); // v³
const v7 = mod(v3 * v3 * v, P); // v⁷
// (p+3)/8 and (p-5)/8
const pow = ed25519_pow_2_252_3(u * v7).pow_p_5_8;
let x = mod(u * v3 * pow, P); // (uv³)(uv⁷)^(p-5)/8
const vx2 = mod(v * x * x, P); // vx²
const root1 = x; // First root candidate
const root2 = mod(x * ED25519_SQRT_M1, P); // Second root candidate
const useRoot1 = vx2 === u; // If vx² = u (mod p), x is a square root
const useRoot2 = vx2 === mod(-u, P); // If vx² = -u, set x <-- x * 2^((p-1)/4)
const noRoot = vx2 === mod(-u * ED25519_SQRT_M1, P); // There is no valid root, vx² = -u√(-1)
if (useRoot1)
x = root1;
if (useRoot2 || noRoot)
x = root2; // We return root2 anyway, for const-time
if (isNegativeLE(x, P))
x = mod(-x, P);
return { isValid: useRoot1 || useRoot2, value: x };
}
const ed25519_Point = /* @__PURE__ */ edwards(ed25519_CURVE, { uvRatio });
// Public field alias stays stricter than the RFC 8032 Appendix A sample code:
// `Fp.inv(0)` throws instead of returning `0`.
const Fp = /* @__PURE__ */ (() => ed25519_Point.Fp)();
const Fn = /* @__PURE__ */ (() => ed25519_Point.Fn)();
// RFC 8032 `dom2` helper for ctx/ph variants only. Plain Ed25519 keeps the
// empty-domain path in `ed()` and would be wrong if routed through this helper.
function ed25519_domain(data, ctx, phflag) {
if (ctx.length > 255)
throw new Error('Context is too big');
return concatBytes(asciiToBytes('SigEd25519 no Ed25519 collisions'), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data);
}
function ed(opts) {
// Ed25519 keeps ZIP-215 default verification semantics for consensus compatibility.
return eddsa(ed25519_Point, sha512, Object.assign({ adjustScalarBytes, zip215: true }, opts));
}
/**
* ed25519 curve with EdDSA signatures.
* Seeded `keygen(seed)` / `utils.randomSecretKey(seed)` reuse the provided
* 32-byte seed buffer instead of copying it.
* @example
* Generate one Ed25519 keypair, sign a message, and verify it.
*
* ```js
* import { ed25519 } from '@noble/curves/ed25519.js';
* const { secretKey, publicKey } = ed25519.keygen();
* // const publicKey = ed25519.getPublicKey(secretKey);
* const msg = new TextEncoder().encode('hello noble');
* const sig = ed25519.sign(msg, secretKey);
* const isValid = ed25519.verify(sig, msg, publicKey); // ZIP215
* // RFC8032 / FIPS 186-5
* const isValid2 = ed25519.verify(sig, msg, publicKey, { zip215: false });
* ```
*/
export const ed25519 = /* @__PURE__ */ ed({});
/**
* Context version of ed25519 (ctx for domain separation). See {@link ed25519}
* Seeded `keygen(seed)` / `utils.randomSecretKey(seed)` reuse the provided
* 32-byte seed buffer instead of copying it.
* @example
* Sign and verify with Ed25519ctx under one explicit context.
*
* ```ts
* const context = new TextEncoder().encode('docs');
* const { secretKey, publicKey } = ed25519ctx.keygen();
* const msg = new TextEncoder().encode('hello noble');
* const sig = ed25519ctx.sign(msg, secretKey, { context });
* const isValid = ed25519ctx.verify(sig, msg, publicKey, { context });
* ```
*/
export const ed25519ctx = /* @__PURE__ */ ed({ domain: ed25519_domain });
/**
* Prehashed version of ed25519. See {@link ed25519}
* Seeded `keygen(seed)` / `utils.randomSecretKey(seed)` reuse the provided
* 32-byte seed buffer instead of copying it.
* @example
* Use the prehashed Ed25519 variant for one message.
*
* ```ts
* const { secretKey, publicKey } = ed25519ph.keygen();
* const msg = new TextEncoder().encode('hello noble');
* const sig = ed25519ph.sign(msg, secretKey);
* const isValid = ed25519ph.verify(sig, msg, publicKey);
* ```
*/
export const ed25519ph = /* @__PURE__ */ ed({ domain: ed25519_domain, prehash: sha512 });
/**
* FROST threshold signatures over ed25519. RFC 9591.
* @example
* Create one trusted-dealer package for 2-of-3 ed25519 signing.
*
* ```ts
* const alice = ed25519_FROST.Identifier.derive('alice@example.com');
* const bob = ed25519_FROST.Identifier.derive('bob@example.com');
* const carol = ed25519_FROST.Identifier.derive('carol@example.com');
* const deal = ed25519_FROST.trustedDealer({ min: 2, max: 3 }, [alice, bob, carol]);
* ```
*/
export const ed25519_FROST = /* @__PURE__ */ (() => createFROST({
name: 'FROST-ED25519-SHA512-v1',
Point: ed25519_Point,
validatePoint: (p) => {
p.assertValidity();
if (!p.isTorsionFree())
throw new Error('bad point: not torsion-free');
},
hash: sha512,
// RFC 9591 keeps H2 undecorated here for RFC 8032 compatibility. In createFROST(),
// `H2: ''` becomes an empty DST prefix; the built-in hashToScalar fallback treats
// that the same as omitted DST, even though custom hooks can still observe the empty bag.
H2: '',
}))();
/**
* ECDH using curve25519 aka x25519.
* `getSharedSecret()` rejects low-order peer inputs by default, and seeded
* `keygen(seed)` reuses the provided 32-byte seed buffer instead of copying it.
* @example
* Derive one shared secret between two X25519 peers.
*
* ```js
* import { x25519 } from '@noble/curves/ed25519.js';
* const alice = x25519.keygen();
* const bob = x25519.keygen();
* const shared = x25519.getSharedSecret(alice.secretKey, bob.publicKey);
* ```
*/
export const x25519 = /* @__PURE__ */ (() => {
const P = ed25519_CURVE_p;
return montgomery({
P,
type: 'x25519',
powPminus2: (x) => {
// x^(p-2) aka x^(2^255-21)
const { pow_p_5_8, b2 } = ed25519_pow_2_252_3(x);
return mod(pow2(pow_p_5_8, _3n, P) * b2, P);
},
adjustScalarBytes,
});
})();
// Hash To Curve Elligator2 Map (NOTE: different from ristretto255 elligator)
// RFC 9380 Appendix G.2.2 / Err4730 requires `sgn0(c1) = 0` for the Edwards
// map constant below, so use the even root explicitly.
// 1. c1 = (q + 3) / 8 # Integer arithmetic
const ELL2_C1 = /* @__PURE__ */ (() => (ed25519_CURVE_p + _3n) / _8n)();
const ELL2_C2 = /* @__PURE__ */ (() => Fp.pow(_2n, ELL2_C1))(); // 2. c2 = 2^c1
const ELL2_C3 = /* @__PURE__ */ (() => Fp.sqrt(Fp.neg(Fp.ONE)))(); // 3. c3 = sqrt(-1)
/**
* RFC 9380 method `map_to_curve_elligator2_curve25519`. Experimental name: may be renamed later.
* @private
*/
// prettier-ignore
export function _map_to_curve_elligator2_curve25519(u) {
const ELL2_C4 = (ed25519_CURVE_p - _5n) / _8n; // 4. c4 = (q - 5) / 8 # Integer arithmetic
const ELL2_J = BigInt(486662);
let tv1 = Fp.sqr(u); // 1. tv1 = u^2
tv1 = Fp.mul(tv1, _2n); // 2. tv1 = 2 * tv1
// 3. xd = tv1 + 1 # Nonzero: -1 is square (mod p), tv1 is not
let xd = Fp.add(tv1, Fp.ONE);
let x1n = Fp.neg(ELL2_J); // 4. x1n = -J # x1 = x1n / xd = -J / (1 + 2 * u^2)
let tv2 = Fp.sqr(xd); // 5. tv2 = xd^2
let gxd = Fp.mul(tv2, xd); // 6. gxd = tv2 * xd # gxd = xd^3
let gx1 = Fp.mul(tv1, ELL2_J); // 7. gx1 = J * tv1 # x1n + J * xd
gx1 = Fp.mul(gx1, x1n); // 8. gx1 = gx1 * x1n # x1n^2 + J * x1n * xd
gx1 = Fp.add(gx1, tv2); // 9. gx1 = gx1 + tv2 # x1n^2 + J * x1n * xd + xd^2
gx1 = Fp.mul(gx1, x1n); // 10. gx1 = gx1 * x1n # x1n^3 + J * x1n^2 * xd + x1n * xd^2
let tv3 = Fp.sqr(gxd); // 11. tv3 = gxd^2
tv2 = Fp.sqr(tv3); // 12. tv2 = tv3^2 # gxd^4
tv3 = Fp.mul(tv3, gxd); // 13. tv3 = tv3 * gxd # gxd^3
tv3 = Fp.mul(tv3, gx1); // 14. tv3 = tv3 * gx1 # gx1 * gxd^3
tv2 = Fp.mul(tv2, tv3); // 15. tv2 = tv2 * tv3 # gx1 * gxd^7
let y11 = Fp.pow(tv2, ELL2_C4); // 16. y11 = tv2^c4 # (gx1 * gxd^7)^((p - 5) / 8)
y11 = Fp.mul(y11, tv3); // 17. y11 = y11 * tv3 # gx1*gxd^3*(gx1*gxd^7)^((p-5)/8)
let y12 = Fp.mul(y11, ELL2_C3); // 18. y12 = y11 * c3
tv2 = Fp.sqr(y11); // 19. tv2 = y11^2
tv2 = Fp.mul(tv2, gxd); // 20. tv2 = tv2 * gxd
let e1 = Fp.eql(tv2, gx1); // 21. e1 = tv2 == gx1
// 22. y1 = CMOV(y12, y11, e1) # If g(x1) is square, this is its sqrt
let y1 = Fp.cmov(y12, y11, e1);
let x2n = Fp.mul(x1n, tv1); // 23. x2n = x1n * tv1 # x2 = x2n / xd = 2 * u^2 * x1n / xd
let y21 = Fp.mul(y11, u); // 24. y21 = y11 * u
y21 = Fp.mul(y21, ELL2_C2); // 25. y21 = y21 * c2
let y22 = Fp.mul(y21, ELL2_C3); // 26. y22 = y21 * c3
let gx2 = Fp.mul(gx1, tv1); // 27. gx2 = gx1 * tv1 # g(x2) = gx2 / gxd = 2 * u^2 * g(x1)
tv2 = Fp.sqr(y21); // 28. tv2 = y21^2
tv2 = Fp.mul(tv2, gxd); // 29. tv2 = tv2 * gxd
let e2 = Fp.eql(tv2, gx2); // 30. e2 = tv2 == gx2
// 31. y2 = CMOV(y22, y21, e2) # If g(x2) is square, this is its sqrt
let y2 = Fp.cmov(y22, y21, e2);
tv2 = Fp.sqr(y1); // 32. tv2 = y1^2
tv2 = Fp.mul(tv2, gxd); // 33. tv2 = tv2 * gxd
let e3 = Fp.eql(tv2, gx1); // 34. e3 = tv2 == gx1
let xn = Fp.cmov(x2n, x1n, e3); // 35. xn = CMOV(x2n, x1n, e3) # If e3, x = x1, else x = x2
let y = Fp.cmov(y2, y1, e3); // 36. y = CMOV(y2, y1, e3) # If e3, y = y1, else y = y2
let e4 = Fp.isOdd(y); // 37. e4 = sgn0(y) == 1 # Fix sign of y
y = Fp.cmov(y, Fp.neg(y), e3 !== e4); // 38. y = CMOV(y, -y, e3 XOR e4)
return { xMn: xn, xMd: xd, yMn: y, yMd: _1n }; // 39. return (xn, xd, y, 1)
}
// sgn0(c1) MUST equal 0
const ELL2_C1_EDWARDS = /* @__PURE__ */ (() => FpSqrtEven(Fp, Fp.neg(BigInt(486664))))();
function map_to_curve_elligator2_edwards25519(u) {
// 1. (xMn, xMd, yMn, yMd) = map_to_curve_elligator2_curve25519(u)
const { xMn, xMd, yMn, yMd } = _map_to_curve_elligator2_curve25519(u);
// map_to_curve_elligator2_curve25519(u)
let xn = Fp.mul(xMn, yMd); // 2. xn = xMn * yMd
xn = Fp.mul(xn, ELL2_C1_EDWARDS); // 3. xn = xn * c1
let xd = Fp.mul(xMd, yMn); // 4. xd = xMd * yMn # xn / xd = c1 * xM / yM
let yn = Fp.sub(xMn, xMd); // 5. yn = xMn - xMd
// 6. yd = xMn + xMd # (n / d - 1) / (n / d + 1) = (n - d) / (n + d)
let yd = Fp.add(xMn, xMd);
let tv1 = Fp.mul(xd, yd); // 7. tv1 = xd * yd
let e = Fp.eql(tv1, Fp.ZERO); // 8. e = tv1 == 0
xn = Fp.cmov(xn, Fp.ZERO, e); // 9. xn = CMOV(xn, 0, e)
xd = Fp.cmov(xd, Fp.ONE, e); // 10. xd = CMOV(xd, 1, e)
yn = Fp.cmov(yn, Fp.ONE, e); // 11. yn = CMOV(yn, 1, e)
yd = Fp.cmov(yd, Fp.ONE, e); // 12. yd = CMOV(yd, 1, e)
const [xd_inv, yd_inv] = FpInvertBatch(Fp, [xd, yd], true); // batch division
// Noble normalizes the RFC rational representation to affine `{ x, y }`
// before returning from the internal helper.
return { x: Fp.mul(xn, xd_inv), y: Fp.mul(yn, yd_inv) }; // 13. return (xn, xd, yn, yd)
}
/**
* Hashing to ed25519 points / field. RFC 9380 methods.
* Public `mapToCurve()` returns the cofactor-cleared subgroup point; the
* internal map callback below consumes one field element bigint, not `[bigint]`.
* @example
* Hash one message onto the ed25519 curve.
*
* ```ts
* const point = ed25519_hasher.hashToCurve(new TextEncoder().encode('hello noble'));
* ```
*/
export const ed25519_hasher = /* @__PURE__ */ (() => createHasher(ed25519_Point, (scalars) => map_to_curve_elligator2_edwards25519(scalars[0]), {
DST: 'edwards25519_XMD:SHA-512_ELL2_RO_',
encodeDST: 'edwards25519_XMD:SHA-512_ELL2_NU_',
p: ed25519_CURVE_p,
m: 1,
k: 128,
expand: 'xmd',
hash: sha512,
}))();
// √(-1) aka √(a) aka 2^((p-1)/4)
const SQRT_M1 = ED25519_SQRT_M1;
// √(ad - 1)
const SQRT_AD_MINUS_ONE = /* @__PURE__ */ BigInt('25063068953384623474111414158702152701244531502492656460079210482610430750235');
// 1 / √(a-d)
const INVSQRT_A_MINUS_D = /* @__PURE__ */ BigInt('54469307008909316920995813868745141605393597292927456921205312896311721017578');
// 1-d²
const ONE_MINUS_D_SQ = /* @__PURE__ */ BigInt('1159843021668779879193775521855586647937357759715417654439879720876111806838');
// (d-1)²
const D_MINUS_ONE_SQ = /* @__PURE__ */ BigInt('40440834346308536858101042469323190826248399146238708352240133220865137265952');
// `SQRT_RATIO_M1(1, number)` specialization. Returns `{ isValid, value }`,
// where non-squares get the nonnegative `sqrt(SQRT_M1 / number)` branch.
const invertSqrt = (number) => uvRatio(_1n, number);
const MAX_255B = /* @__PURE__ */ BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
// RFC 9496 §4.3.4 MAP parser: masks bit 255 and reduces modulo p for element
// derivation. The decode path has the opposite contract and rejects that bit.
const bytes255ToNumberLE = (bytes) => Fp.create(bytesToNumberLE(bytes) & MAX_255B);
/**
* Computes Elligator map for Ristretto255.
* Primary formula source is RFC 9496 §4.3.4 MAP; RFC 9380 Appendix B builds
* `hash_to_ristretto255` on top of this helper.
* Returns an internal Edwards representative, not a public `_RistrettoPoint`.
*/
function calcElligatorRistrettoMap(r0) {
const { d } = ed25519_CURVE;
const P = ed25519_CURVE_p;
const mod = (n) => Fp.create(n);
const r = mod(SQRT_M1 * r0 * r0); // 1
const Ns = mod((r + _1n) * ONE_MINUS_D_SQ); // 2
let c = BigInt(-1); // 3
const D = mod((c - d * r) * mod(r + d)); // 4
let { isValid: Ns_D_is_sq, value: s } = uvRatio(Ns, D); // 5
let s_ = mod(s * r0); // 6
if (!isNegativeLE(s_, P))
s_ = mod(-s_);
if (!Ns_D_is_sq)
s = s_; // 7
if (!Ns_D_is_sq)
c = r; // 8
const Nt = mod(c * (r - _1n) * D_MINUS_ONE_SQ - D); // 9
const s2 = s * s;
const W0 = mod((s + s) * D); // 10
const W1 = mod(Nt * SQRT_AD_MINUS_ONE); // 11
const W2 = mod(_1n - s2); // 12
const W3 = mod(_1n + s2); // 13
return new ed25519_Point(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
}
/**
* Wrapper over Edwards Point for ristretto255.
*
* Each ed25519/EdwardsPoint has 8 different equivalent points. This can be
* a source of bugs for protocols like ring signatures. Ristretto was created to solve this.
* Ristretto point operates in X:Y:Z:T extended coordinates like EdwardsPoint,
* but it should work in its own namespace: do not combine those two.
* See [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
*/
class _RistrettoPoint extends PrimeEdwardsPoint {
// Do NOT change syntax: the following gymnastics is done,
// because typescript strips comments, which makes bundlers disable tree-shaking.
// prettier-ignore
static BASE =
/* @__PURE__ */ (() => new _RistrettoPoint(ed25519_Point.BASE))();
// prettier-ignore
static ZERO =
/* @__PURE__ */ (() => new _RistrettoPoint(ed25519_Point.ZERO))();
// prettier-ignore
static Fp =
/* @__PURE__ */ (() => Fp)();
// prettier-ignore
static Fn =
/* @__PURE__ */ (() => Fn)();
constructor(ep) {
super(ep);
}
/**
* Create one Ristretto255 point from affine Edwards coordinates.
* This wraps the internal Edwards representative directly and is not a
* canonical ristretto255 decoding path.
* Use `toBytes()` / `fromBytes()` if canonical ristretto255 bytes matter.
*/
static fromAffine(ap) {
return new _RistrettoPoint(ed25519_Point.fromAffine(ap));
}
assertSame(other) {
if (!(other instanceof _RistrettoPoint))
throw new Error('RistrettoPoint expected');
}
init(ep) {
return new _RistrettoPoint(ep);
}
static fromBytes(bytes) {
abytes(bytes, 32);
const { a, d } = ed25519_CURVE;
const P = ed25519_CURVE_p;
const mod = (n) => Fp.create(n);
const s = bytes255ToNumberLE(bytes);
// 1. Check that s_bytes is the canonical encoding of a field element, or else abort.
// 3. Check that s is non-negative, or else abort
if (!equalBytes(Fp.toBytes(s), bytes) || isNegativeLE(s, P))
throw new Error('invalid ristretto255 encoding 1');
const s2 = mod(s * s);
const u1 = mod(_1n + a * s2); // 4 (a is -1)
const u2 = mod(_1n - a * s2); // 5
const u1_2 = mod(u1 * u1);
const u2_2 = mod(u2 * u2);
const v = mod(a * d * u1_2 - u2_2); // 6
const { isValid, value: I } = invertSqrt(mod(v * u2_2)); // 7
const Dx = mod(I * u2); // 8
const Dy = mod(I * Dx * v); // 9
let x = mod((s + s) * Dx); // 10
if (isNegativeLE(x, P))
x = mod(-x); // 10
const y = mod(u1 * Dy); // 11
const t = mod(x * y); // 12
if (!isValid || isNegativeLE(t, P) || y === _0n)
throw new Error('invalid ristretto255 encoding 2');
return new _RistrettoPoint(new ed25519_Point(x, y, _1n, t));
}
/**
* Converts ristretto-encoded string to ristretto point.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode).
* @param hex - Ristretto-encoded 32 bytes. Not every 32-byte string is valid ristretto encoding
*/
static fromHex(hex) {
return _RistrettoPoint.fromBytes(hexToBytes(hex));
}
/**
* Encodes ristretto point to Uint8Array.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-encode).
*/
toBytes() {
let { X, Y, Z, T } = this.ep;
const P = ed25519_CURVE_p;
const mod = (n) => Fp.create(n);
const u1 = mod(mod(Z + Y) * mod(Z - Y)); // 1
const u2 = mod(X * Y); // 2
// Square root always exists
const u2sq = mod(u2 * u2);
const { value: invsqrt } = invertSqrt(mod(u1 * u2sq)); // 3
const D1 = mod(invsqrt * u1); // 4
const D2 = mod(invsqrt * u2); // 5
const zInv = mod(D1 * D2 * T); // 6
let D; // 7
if (isNegativeLE(T * zInv, P)) {
let _x = mod(Y * SQRT_M1);
let _y = mod(X * SQRT_M1);
X = _x;
Y = _y;
D = mod(D1 * INVSQRT_A_MINUS_D);
}
else {
D = D2; // 8
}
if (isNegativeLE(X * zInv, P))
Y = mod(-Y); // 9
let s = mod((Z - Y) * D); // 10 (check footer's note, no sqrt(-a))
if (isNegativeLE(s, P))
s = mod(-s);
return Fp.toBytes(s); // 11
}
/**
* Compares two Ristretto points.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-equals).
*/
equals(other) {
this.assertSame(other);
const { X: X1, Y: Y1 } = this.ep;
const { X: X2, Y: Y2 } = other.ep;
const mod = (n) => Fp.create(n);
// (x1 * y2 == y1 * x2) | (y1 * y2 == x1 * x2)
const one = mod(X1 * Y2) === mod(Y1 * X2);
const two = mod(Y1 * Y2) === mod(X1 * X2);
return one || two;
}
is0() {
return this.equals(_RistrettoPoint.ZERO);
}
}
Object.freeze(_RistrettoPoint.BASE);
Object.freeze(_RistrettoPoint.ZERO);
Object.freeze(_RistrettoPoint.prototype);
Object.freeze(_RistrettoPoint);
/** Prime-order Ristretto255 group bundle. */
export const ristretto255 = /* @__PURE__ */ Object.freeze({ Point: _RistrettoPoint });
/**
* Hashing to ristretto255 points / field. RFC 9380 methods.
* `hashToCurve()` is RFC 9380 Appendix B, `deriveToCurve()` is the RFC 9496
* §4.3.4 element-derivation building block, and `hashToScalar()` is a
* library-specific helper for OPRF-style use.
* @example
* Hash one message onto ristretto255.
*
* ```ts
* const point = ristretto255_hasher.hashToCurve(new TextEncoder().encode('hello noble'));
* ```
*/
export const ristretto255_hasher = Object.freeze({
Point: _RistrettoPoint,
/**
* Spec: https://www.rfc-editor.org/rfc/rfc9380.html#name-hashing-to-ristretto255. Caveats:
* * There are no test vectors
* * encodeToCurve / mapToCurve is undefined
* * mapToCurve would be `calcElligatorRistrettoMap(scalars[0])`, not ristretto255_map!
* * hashToScalar is undefined too, so we just use OPRF implementation
* * We cannot re-use 'createHasher', because ristretto255_map is different algorithm/RFC
(os2ip -> bytes255ToNumberLE)
* * mapToCurve == calcElligatorRistrettoMap, hashToCurve == ristretto255_map
* * hashToScalar is undefined in RFC9380 for ristretto, so we use the OPRF
version here. Using `bytes255ToNumblerLE` will create a different result
if we use `bytes255ToNumberLE` as os2ip
* * current version is closest to spec.
*/
hashToCurve(msg, options) {
// == 'hash_to_ristretto255'
// Preserve explicit empty/invalid DST overrides so expand_message_xmd() can reject them.
const DST = options?.DST === undefined ? 'ristretto255_XMD:SHA-512_R255MAP_RO_' : options.DST;
const xmd = expand_message_xmd(msg, DST, 64, sha512);
// NOTE: RFC 9380 incorrectly calls this function `ristretto255_map`.
// In RFC 9496, `map` was the per-point function inside the construction.
// That also led to confusion that `ristretto255_map` is `mapToCurve`.
// It is not: it is the older hash-to-curve construction.
return ristretto255_hasher.deriveToCurve(xmd);
},
hashToScalar(msg, options = { DST: _DST_scalar }) {
const xmd = expand_message_xmd(msg, options.DST, 64, sha512);
return Fn.create(bytesToNumberLE(xmd));
},
/**
* HashToCurve-like construction based on RFC 9496 (Element Derivation).
* Converts 64 uniform random bytes into a curve point.
*
* WARNING: This represents an older hash-to-curve construction from before
* RFC 9380 was finalized.
* It was later reused as a component in the newer
* `hash_to_ristretto255` function defined in RFC 9380.
*/
deriveToCurve(bytes) {
// https://www.rfc-editor.org/rfc/rfc9496.html#name-element-derivation
abytes(bytes, 64);
const r1 = bytes255ToNumberLE(bytes.subarray(0, 32));
const R1 = calcElligatorRistrettoMap(r1);
const r2 = bytes255ToNumberLE(bytes.subarray(32, 64));
const R2 = calcElligatorRistrettoMap(r2);
return new _RistrettoPoint(R1.add(R2));
},
});
/**
* ristretto255 OPRF/VOPRF/POPRF bundle, defined in RFC 9497.
* @example
* Run one blind/evaluate/finalize OPRF round over ristretto255.
*
* ```ts
* const input = new TextEncoder().encode('hello noble');
* const keys = ristretto255_oprf.oprf.generateKeyPair();
* const blind = ristretto255_oprf.oprf.blind(input);
* const evaluated = ristretto255_oprf.oprf.blindEvaluate(keys.secretKey, blind.blinded);
* const output = ristretto255_oprf.oprf.finalize(input, blind.blind, evaluated);
* ```
*/
export const ristretto255_oprf = /* @__PURE__ */ (() => createOPRF({
name: 'ristretto255-SHA512',
Point: _RistrettoPoint,
hash: sha512,
hashToGroup: ristretto255_hasher.hashToCurve,
hashToScalar: ristretto255_hasher.hashToScalar,
}))();
/**
* FROST threshold signatures over ristretto255. RFC 9591.
* @example
* Create one trusted-dealer package for 2-of-3 ristretto255 signing.
*
* ```ts
* const alice = ristretto255_FROST.Identifier.derive('alice@example.com');
* const bob = ristretto255_FROST.Identifier.derive('bob@example.com');
* const carol = ristretto255_FROST.Identifier.derive('carol@example.com');
* const deal = ristretto255_FROST.trustedDealer({ min: 2, max: 3 }, [alice, bob, carol]);
* ```
*/
export const ristretto255_FROST = /* @__PURE__ */ (() => createFROST({
name: 'FROST-RISTRETTO255-SHA512-v1',
Point: _RistrettoPoint,
validatePoint: (p) => {
// Prime-order wrappers are torsion-free at the abstract-group level.
p.assertValidity();
},
hash: sha512,
}))();
/**
* Weird / bogus points, useful for debugging.
* All 8 ed25519 points of 8-torsion subgroup can be generated from the point
* T = `26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05`.
* The subgroup generated by `T` is `{ O, T, 2T, 3T, 4T, 5T, 6T, 7T }`; the
* array below is that set, not the powers in that exact index order.
* @example
* Decode one known torsion point for debugging.
*
* ```ts
* import { ED25519_TORSION_SUBGROUP, ed25519 } from '@noble/curves/ed25519.js';
* const point = ed25519.Point.fromHex(ED25519_TORSION_SUBGROUP[1]);
* ```
*/
export const ED25519_TORSION_SUBGROUP = /* @__PURE__ */ Object.freeze([
'0100000000000000000000000000000000000000000000000000000000000000',
'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a',
'0000000000000000000000000000000000000000000000000000000000000080',
'26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05',
'ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
'26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc85',
'0000000000000000000000000000000000000000000000000000000000000000',
'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa',
]);
//# sourceMappingURL=ed25519.js.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/ed25519.js.map
Generated Vendored
+1
View File
File diff suppressed because one or more lines are too long
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/ed448.d.ts
Generated Vendored
+185
View File
@@ -0,0 +1,185 @@
import type { AffinePoint } from './abstract/curve.ts';
import { PrimeEdwardsPoint, type EdDSA, type EdwardsPoint, type EdwardsPointCons } from './abstract/edwards.ts';
import { type FROST } from './abstract/frost.ts';
import { type H2CHasher, type H2CHasherBase } from './abstract/hash-to-curve.ts';
import { type IField } from './abstract/modular.ts';
import { type MontgomeryECDH } from './abstract/montgomery.ts';
import { type OPRF } from './abstract/oprf.ts';
import { type TArg, type TRet } from './utils.ts';
/**
* ed448 EdDSA curve and methods.
* @example
* Generate one Ed448 keypair, sign a message, and verify it.
*
* ```js
* import { ed448 } from '@noble/curves/ed448.js';
* const { secretKey, publicKey } = ed448.keygen();
* // const publicKey = ed448.getPublicKey(secretKey);
* const msg = new TextEncoder().encode('hello noble');
* const sig = ed448.sign(msg, secretKey);
* const isValid = ed448.verify(sig, msg, publicKey);
* ```
*/
export declare const ed448: EdDSA;
/**
* Prehashed version of ed448. See {@link ed448}
* @example
* Use the prehashed Ed448 variant for one message.
*
* ```ts
* const { secretKey, publicKey } = ed448ph.keygen();
* const msg = new TextEncoder().encode('hello noble');
* const sig = ed448ph.sign(msg, secretKey);
* const isValid = ed448ph.verify(sig, msg, publicKey);
* ```
*/
export declare const ed448ph: EdDSA;
/**
* E448 here is NIST SP 800-186 §3.2.3.3 E448, the Edwards representation of
* Curve448, not RFC 8032 edwards448 / Goldilocks.
* Goldilocks is the separate 4-isogenous curve exposed as `ed448`.
* We keep the corrected prime-order base here; RFC 7748's literal Edwards
* point / map are wrong for this curve model, and the literal point is the
* wrong-sign order-2*n variant.
* @param X - Projective X coordinate.
* @param Y - Projective Y coordinate.
* @param Z - Projective Z coordinate.
* @param T - Projective T coordinate.
* @example
* Multiply the E448 base point.
*
* ```ts
* const point = E448.BASE.multiply(2n);
* ```
*/
export declare const E448: EdwardsPointCons;
/**
* ECDH using curve448 aka x448.
* The wrapper aborts on all-zero shared secrets by default, and seeded
* `keygen(seed)` reuses the provided 56-byte seed buffer instead of copying it.
*
* @example
* Derive one shared secret between two X448 peers.
*
* ```js
* import { x448 } from '@noble/curves/ed448.js';
* const alice = x448.keygen();
* const bob = x448.keygen();
* const shared = x448.getSharedSecret(alice.secretKey, bob.publicKey);
* ```
*/
export declare const x448: TRet<MontgomeryECDH>;
/**
* Hashing / encoding to ed448 points / field. RFC 9380 methods.
* Public `mapToCurve()` consumes one field element bigint for `m = 1`, and RFC
* Appendix J vectors use the special `QUUX-V01-*` test DST overrides rather
* than the default suite IDs below.
* @example
* Hash one message onto the ed448 curve.
*
* ```ts
* const point = ed448_hasher.hashToCurve(new TextEncoder().encode('hello noble'));
* ```
*/
export declare const ed448_hasher: H2CHasher<EdwardsPointCons>;
/**
* FROST threshold signatures over ed448. RFC 9591.
* @example
* Create one trusted-dealer package for 2-of-3 ed448 signing.
*
* ```ts
* const alice = ed448_FROST.Identifier.derive('alice@example.com');
* const bob = ed448_FROST.Identifier.derive('bob@example.com');
* const carol = ed448_FROST.Identifier.derive('carol@example.com');
* const deal = ed448_FROST.trustedDealer({ min: 2, max: 3 }, [alice, bob, carol]);
* ```
*/
export declare const ed448_FROST: TRet<FROST>;
/**
* Each ed448/EdwardsPoint has 4 different equivalent points. This can be
* a source of bugs for protocols like ring signatures. Decaf was created to solve this.
* Decaf point operates in X:Y:Z:T extended coordinates like EdwardsPoint,
* but it should work in its own namespace: do not combine those two.
* See [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
*/
declare class _DecafPoint extends PrimeEdwardsPoint<_DecafPoint> {
static BASE: _DecafPoint;
static ZERO: _DecafPoint;
static Fp: IField<bigint>;
static Fn: IField<bigint>;
constructor(ep: EdwardsPoint);
/**
* Create one Decaf448 point from affine Edwards coordinates.
* This wraps the internal Edwards representative directly and is not a
* canonical decaf448 decoding path.
* Use `toBytes()` / `fromBytes()` if canonical decaf448 bytes matter.
*/
static fromAffine(ap: AffinePoint<bigint>): _DecafPoint;
protected assertSame(other: _DecafPoint): void;
protected init(ep: EdwardsPoint): _DecafPoint;
static fromBytes(bytes: TArg<Uint8Array>): _DecafPoint;
/**
* Converts decaf-encoded string to decaf point.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode-2).
* @param hex - Decaf-encoded 56 bytes. Not every 56-byte string is valid decaf encoding
*/
static fromHex(hex: string): _DecafPoint;
/**
* Encodes decaf point to Uint8Array.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-encode-2).
*/
toBytes(): TRet<Uint8Array>;
/**
* Compare one point to another.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-equals-2).
*/
equals(other: _DecafPoint): boolean;
is0(): boolean;
}
/** Prime-order Decaf448 group bundle. */
export declare const decaf448: {
Point: typeof _DecafPoint;
};
/**
* Hashing to decaf448 points / field. RFC 9380 methods.
* `hashToCurve()` is RFC 9380 `hash_to_decaf448`, `deriveToCurve()` is RFC
* 9496 element derivation, and `hashToScalar()` is a library helper layered on
* top of RFC 9496 scalar reduction.
* @example
* Hash one message onto decaf448.
*
* ```ts
* const point = decaf448_hasher.hashToCurve(new TextEncoder().encode('hello noble'));
* ```
*/
export declare const decaf448_hasher: H2CHasherBase<typeof _DecafPoint>;
/**
* decaf448 OPRF, defined in RFC 9497.
* @example
* Run one blind/evaluate/finalize OPRF round over decaf448.
*
* ```ts
* const input = new TextEncoder().encode('hello noble');
* const keys = decaf448_oprf.oprf.generateKeyPair();
* const blind = decaf448_oprf.oprf.blind(input);
* const evaluated = decaf448_oprf.oprf.blindEvaluate(keys.secretKey, blind.blinded);
* const output = decaf448_oprf.oprf.finalize(input, blind.blind, evaluated);
* ```
*/
export declare const decaf448_oprf: TRet<OPRF>;
/**
* Weird / bogus points, useful for debugging.
* Unlike ed25519, there is no ed448 generator point which can produce full T subgroup.
* Instead, the torsion subgroup here is cyclic of order 4, generated by
* `(1, 0)`, and the array below lists that subgroup set (Klein four-group).
* @example
* Decode one known torsion point for debugging.
*
* ```ts
* import { ED448_TORSION_SUBGROUP, ed448 } from '@noble/curves/ed448.js';
* const point = ed448.Point.fromHex(ED448_TORSION_SUBGROUP[1]);
* ```
*/
export declare const ED448_TORSION_SUBGROUP: readonly string[];
export {};
//# sourceMappingURL=ed448.d.ts.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/ed448.d.ts.map
Generated Vendored
+1
View File
@@ -0,0 +1 @@
{"version":3,"file":"ed448.d.ts","sourceRoot":"","sources":["src/ed448.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAGL,iBAAiB,EACjB,KAAK,KAAK,EAGV,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACtB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAe,KAAK,KAAK,EAAE,MAAM,qBAAqB,CAAC;AAC9D,OAAO,EAKL,KAAK,SAAS,EACd,KAAK,aAAa,EACnB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAiD,KAAK,MAAM,EAAE,MAAM,uBAAuB,CAAC;AACnG,OAAO,EAAc,KAAK,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAC3E,OAAO,EAAc,KAAK,IAAI,EAAE,MAAM,oBAAoB,CAAC;AAC3D,OAAO,EAKL,KAAK,IAAI,EACT,KAAK,IAAI,EACV,MAAM,YAAY,CAAC;AAyJpB;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,KAAK,EAAE,KAA+B,CAAC;AAGpD;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,OAAO,EAAE,KAAqD,CAAC;AAC5E;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,IAAI,EAAE,gBAAsD,CAAC;AAE1E;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,IAAI,EAAE,IAAI,CAAC,cAAc,CAYlC,CAAC;AAqFL;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,YAAY,EAAE,SAAS,CAAC,gBAAgB,CAS9C,CAAC;AACR;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,WAAW,EAAE,IAAI,CAAC,KAAK,CAa7B,CAAC;AAwER;;;;;;GAMG;AACH,cAAM,WAAY,SAAQ,iBAAiB,CAAC,WAAW,CAAC;IAGtD,MAAM,CAAC,IAAI,EAAE,WAAW,CACoF;IAE5G,MAAM,CAAC,IAAI,EAAE,WAAW,CACsC;IAE9D,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CACS;IAElC,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CACS;gBAEtB,EAAE,EAAE,YAAY;IAI5B;;;;;OAKG;IACH,MAAM,CAAC,UAAU,CAAC,EAAE,EAAE,WAAW,CAAC,MAAM,CAAC,GAAG,WAAW;IAIvD,SAAS,CAAC,UAAU,CAAC,KAAK,EAAE,WAAW,GAAG,IAAI;IAI9C,SAAS,CAAC,IAAI,CAAC,EAAE,EAAE,YAAY,GAAG,WAAW;IAI7C,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,CAAC,GAAG,WAAW;IA6BtD;;;;OAIG;IACH,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,WAAW;IAIxC;;;OAGG;IACH,OAAO,IAAI,IAAI,CAAC,UAAU,CAAC;IAe3B;;;OAGG;IACH,MAAM,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO;IAQnC,GAAG,IAAI,OAAO;CAGf;AAMD,yCAAyC;AACzC,eAAO,MAAM,QAAQ,EAAE;IACrB,KAAK,EAAE,OAAO,WAAW,CAAC;CAC6B,CAAC;AAE1D;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,CAAC,OAAO,WAAW,CAsC5D,CAAC;AAEH;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,aAAa,EAAE,IAAI,CAAC,IAAI,CAO9B,CAAC;AAER;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,sBAAsB,EAAE,SAAS,MAAM,EAKlD,CAAC"}
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/ed448.js
Generated Vendored
+594
View File
@@ -0,0 +1,594 @@
/**
* Edwards448 (also called Goldilocks) curve with following addons:
* - X448 ECDH
* - Decaf cofactor elimination
* - Elligator hash-to-group / point indistinguishability
* Conforms to RFC 8032 https://www.rfc-editor.org/rfc/rfc8032.html#section-5.2
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { shake256 } from '@noble/hashes/sha3.js';
import { concatBytes, hexToBytes, createHasher as wrapConstructor } from '@noble/hashes/utils.js';
import { eddsa, edwards, PrimeEdwardsPoint, } from "./abstract/edwards.js";
import { createFROST } from "./abstract/frost.js";
import { _DST_scalar, createHasher, expand_message_xof, } from "./abstract/hash-to-curve.js";
import { Field, FpInvertBatch, isNegativeLE, mod, pow2 } from "./abstract/modular.js";
import { montgomery } from "./abstract/montgomery.js";
import { createOPRF } from "./abstract/oprf.js";
import { abytes, asciiToBytes, bytesToNumberLE, equalBytes, } from "./utils.js";
// edwards448 curve
// a = 1n
// d = Fp.neg(39081n)
// Finite field 2n**448n - 2n**224n - 1n
// Subgroup order
// 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
const ed448_CURVE_p = /* @__PURE__ */ BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
const ed448_CURVE = /* @__PURE__ */ (() => ({
p: ed448_CURVE_p,
n: BigInt('0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3'),
h: BigInt(4),
a: BigInt(1),
d: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffff6756'),
Gx: BigInt('0x4f1970c66bed0ded221d15a622bf36da9e146570470f1767ea6de324a3d3a46412ae1af72ab66511433b80e18b00938e2626a82bc70cc05e'),
Gy: BigInt('0x693f46716eb6bc248876203756c9c7624bea73736ca3984087789c1e05a0c2d73ad3ff1ce67c39c4fdbd132c4ed7c8ad9808795bf230fa14'),
}))();
// This is not RFC 8032 edwards448 / Goldilocks (`ed448` below, d = -39081).
// It is NIST SP 800-186 §3.2.3.3 E448, the Curve448-isomorphic Edwards model
// also described in draft-ietf-lwig-curve-representations-23 Appendix M, with
// d = 39082/39081 and Gy = 3/2.
// RFC 7748's literal Edwards point / birational map are wrong here: the literal
// point is the wrong-sign (Gx, -Gy) order-2*n variant. Keep the corrected
// prime-order (Gx, Gy) base so Point.BASE stays a subgroup generator, which is
// what noble's generic Edwards API expects.
const E448_CURVE = /* @__PURE__ */ (() => Object.assign({}, ed448_CURVE, {
d: BigInt('0xd78b4bdc7f0daf19f24f38c29373a2ccad46157242a50f37809b1da3412a12e79ccc9c81264cfe9ad080997058fb61c4243cc32dbaa156b9'),
Gx: BigInt('0x79a70b2b70400553ae7c9df416c792c61128751ac92969240c25a07d728bdc93e21f7787ed6972249de732f38496cd11698713093e9c04fc'),
Gy: BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffff80000000000000000000000000000000000000000000000000000001'),
}))();
const shake256_114 = /* @__PURE__ */ wrapConstructor(() => shake256.create({ dkLen: 114 }));
const shake256_64 = /* @__PURE__ */ wrapConstructor(() => shake256.create({ dkLen: 64 }));
// prettier-ignore
const _1n = /* @__PURE__ */ BigInt(1), _2n = /* @__PURE__ */ BigInt(2), _3n = /* @__PURE__ */ BigInt(3), _4n = /* @__PURE__ */ BigInt(4), _11n = /* @__PURE__ */ BigInt(11);
// prettier-ignore
const _22n = /* @__PURE__ */ BigInt(22), _44n = /* @__PURE__ */ BigInt(44), _88n = /* @__PURE__ */ BigInt(88), _223n = /* @__PURE__ */ BigInt(223);
// powPminus3div4 calculates z = x^k mod p, where k = (p-3)/4.
// Used for efficient square root calculation.
// ((P-3)/4).toString(2) would produce bits [223x 1, 0, 222x 1]
function ed448_pow_Pminus3div4(x) {
const P = ed448_CURVE_p;
const b2 = (x * x * x) % P;
const b3 = (b2 * b2 * x) % P;
const b6 = (pow2(b3, _3n, P) * b3) % P;
const b9 = (pow2(b6, _3n, P) * b3) % P;
const b11 = (pow2(b9, _2n, P) * b2) % P;
const b22 = (pow2(b11, _11n, P) * b11) % P;
const b44 = (pow2(b22, _22n, P) * b22) % P;
const b88 = (pow2(b44, _44n, P) * b44) % P;
const b176 = (pow2(b88, _88n, P) * b88) % P;
const b220 = (pow2(b176, _44n, P) * b44) % P;
const b222 = (pow2(b220, _2n, P) * b2) % P;
const b223 = (pow2(b222, _1n, P) * x) % P;
return (pow2(b223, _223n, P) * b222) % P;
}
// Mutates and returns the provided buffer in place. The final `bytes[56] = 0`
// write is the Ed448 path; for 56-byte X448 inputs it is an out-of-bounds no-op.
function adjustScalarBytes(bytes) {
// Section 5: Likewise, for X448, set the two least significant bits of the first byte to 0,
bytes[0] &= 252; // 0b11111100
// and the most significant bit of the last byte to 1.
bytes[55] |= 128; // 0b10000000
// NOTE: is NOOP for 56 bytes scalars (X25519/X448)
bytes[56] = 0; // Byte outside of group (456 buts vs 448 bits)
return bytes;
}
// Constant-time Ed448 decode helper for RFC 8032 §5.2.3 steps 2-3. Unlike
// `SQRT_RATIO_M1`, the returned `value` only has the documented meaning when
// `isValid` is true.
function uvRatio(u, v) {
const P = ed448_CURVE_p;
// https://www.rfc-editor.org/rfc/rfc8032#section-5.2.3
// To compute the square root of (u/v), the first step is to compute the
// candidate root x = (u/v)^((p+1)/4). This can be done using the
// following trick, to use a single modular powering for both the
// inversion of v and the square root:
// x = (u/v)^((p+1)/4) = u³v(u⁵v³)^((p-3)/4) (mod p)
const u2v = mod(u * u * v, P); // u²v
const u3v = mod(u2v * u, P); // u³v
const u5v3 = mod(u3v * u2v * v, P); // u⁵v³
const root = ed448_pow_Pminus3div4(u5v3);
const x = mod(u3v * root, P);
// Verify that root is exists
const x2 = mod(x * x, P); // x²
// If vx² = u, the recovered x-coordinate is x. Otherwise, no
// square root exists, and the decoding fails.
return { isValid: mod(x2 * v, P) === u, value: x };
}
// Finite field 2n**448n - 2n**224n - 1n
// RFC 8032 encodes Ed448 field/scalar elements in 57 bytes even though field
// values fit in 448 bits and scalars in 446 bits. Noble models that with a
// 456-bit storage width so the final-octet x-sign bit (bit 455) still fits in
// the shared little-endian container.
const Fp = /* @__PURE__ */ (() => Field(ed448_CURVE_p, { BITS: 456, isLE: true }))();
// Same 57-byte container shape as `Fp`; canonical scalar encodings still have
// the top ten bits clear per RFC 8032.
const Fn = /* @__PURE__ */ (() => Field(ed448_CURVE.n, { BITS: 456, isLE: true }))();
// Generic 56-byte field shape used by decaf448 and raw X448 u-coordinates.
// Plain `Field` decoding stays canonical here, so callers that want RFC 7748's
// modulo-p acceptance must reduce externally.
const Fp448 = /* @__PURE__ */ (() => Field(ed448_CURVE_p, { BITS: 448, isLE: true }))();
// Strict 56-byte scalar parser matching RFC 9496's recommended canonical form.
const Fn448 = /* @__PURE__ */ (() => Field(ed448_CURVE.n, { BITS: 448, isLE: true }))();
// SHAKE256(dom4(phflag,context)||x, 114)
// RFC 8032 `dom4` prefix. Empty contexts are valid; the accepted length range
// is 0..255 octets inclusive.
function dom4(data, ctx, phflag) {
if (ctx.length > 255)
throw new Error('context must be smaller than 255, got: ' + ctx.length);
return concatBytes(asciiToBytes('SigEd448'), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data);
}
const ed448_Point = /* @__PURE__ */ edwards(ed448_CURVE, { Fp, Fn, uvRatio });
// Shared internal factory for both `ed448` and `ed448ph`; callers are only
// expected to override narrow family options such as prehashing.
function ed4(opts) {
return eddsa(ed448_Point, shake256_114, Object.assign({ adjustScalarBytes, domain: dom4 }, opts));
}
/**
* ed448 EdDSA curve and methods.
* @example
* Generate one Ed448 keypair, sign a message, and verify it.
*
* ```js
* import { ed448 } from '@noble/curves/ed448.js';
* const { secretKey, publicKey } = ed448.keygen();
* // const publicKey = ed448.getPublicKey(secretKey);
* const msg = new TextEncoder().encode('hello noble');
* const sig = ed448.sign(msg, secretKey);
* const isValid = ed448.verify(sig, msg, publicKey);
* ```
*/
export const ed448 = /* @__PURE__ */ ed4({});
// There is no ed448ctx, since ed448 supports ctx by default
/**
* Prehashed version of ed448. See {@link ed448}
* @example
* Use the prehashed Ed448 variant for one message.
*
* ```ts
* const { secretKey, publicKey } = ed448ph.keygen();
* const msg = new TextEncoder().encode('hello noble');
* const sig = ed448ph.sign(msg, secretKey);
* const isValid = ed448ph.verify(sig, msg, publicKey);
* ```
*/
export const ed448ph = /* @__PURE__ */ ed4({ prehash: shake256_64 });
/**
* E448 here is NIST SP 800-186 §3.2.3.3 E448, the Edwards representation of
* Curve448, not RFC 8032 edwards448 / Goldilocks.
* Goldilocks is the separate 4-isogenous curve exposed as `ed448`.
* We keep the corrected prime-order base here; RFC 7748's literal Edwards
* point / map are wrong for this curve model, and the literal point is the
* wrong-sign order-2*n variant.
* @param X - Projective X coordinate.
* @param Y - Projective Y coordinate.
* @param Z - Projective Z coordinate.
* @param T - Projective T coordinate.
* @example
* Multiply the E448 base point.
*
* ```ts
* const point = E448.BASE.multiply(2n);
* ```
*/
export const E448 = /* @__PURE__ */ edwards(E448_CURVE);
/**
* ECDH using curve448 aka x448.
* The wrapper aborts on all-zero shared secrets by default, and seeded
* `keygen(seed)` reuses the provided 56-byte seed buffer instead of copying it.
*
* @example
* Derive one shared secret between two X448 peers.
*
* ```js
* import { x448 } from '@noble/curves/ed448.js';
* const alice = x448.keygen();
* const bob = x448.keygen();
* const shared = x448.getSharedSecret(alice.secretKey, bob.publicKey);
* ```
*/
export const x448 = /* @__PURE__ */ (() => {
const P = ed448_CURVE_p;
return montgomery({
P,
type: 'x448',
powPminus2: (x) => {
const Pminus3div4 = ed448_pow_Pminus3div4(x);
const Pminus3 = pow2(Pminus3div4, _2n, P);
return mod(Pminus3 * x, P); // Pminus3 * x = Pminus2
},
adjustScalarBytes,
});
})();
// Hash To Curve Elligator2 Map
// 1. c1 = (q - 3) / 4 # Integer arithmetic
const ELL2_C1 = /* @__PURE__ */ (() => (ed448_CURVE_p - BigInt(3)) / BigInt(4))();
const ELL2_J = /* @__PURE__ */ BigInt(156326);
// Returns RFC 9380 Appendix G.2.3 rational Montgomery numerators/denominators
// `{ xn, xd, yn, yd }`, not an affine point.
function map_to_curve_elligator2_curve448(u) {
let tv1 = Fp.sqr(u); // 1. tv1 = u^2
let e1 = Fp.eql(tv1, Fp.ONE); // 2. e1 = tv1 == 1
tv1 = Fp.cmov(tv1, Fp.ZERO, e1); // 3. tv1 = CMOV(tv1, 0, e1) # If Z * u^2 == -1, set tv1 = 0
let xd = Fp.sub(Fp.ONE, tv1); // 4. xd = 1 - tv1
let x1n = Fp.neg(ELL2_J); // 5. x1n = -J
let tv2 = Fp.sqr(xd); // 6. tv2 = xd^2
let gxd = Fp.mul(tv2, xd); // 7. gxd = tv2 * xd # gxd = xd^3
let gx1 = Fp.mul(tv1, Fp.neg(ELL2_J)); // 8. gx1 = -J * tv1 # x1n + J * xd
gx1 = Fp.mul(gx1, x1n); // 9. gx1 = gx1 * x1n # x1n^2 + J * x1n * xd
gx1 = Fp.add(gx1, tv2); // 10. gx1 = gx1 + tv2 # x1n^2 + J * x1n * xd + xd^2
gx1 = Fp.mul(gx1, x1n); // 11. gx1 = gx1 * x1n # x1n^3 + J * x1n^2 * xd + x1n * xd^2
let tv3 = Fp.sqr(gxd); // 12. tv3 = gxd^2
tv2 = Fp.mul(gx1, gxd); // 13. tv2 = gx1 * gxd # gx1 * gxd
tv3 = Fp.mul(tv3, tv2); // 14. tv3 = tv3 * tv2 # gx1 * gxd^3
let y1 = Fp.pow(tv3, ELL2_C1); // 15. y1 = tv3^c1 # (gx1 * gxd^3)^((p - 3) / 4)
y1 = Fp.mul(y1, tv2); // 16. y1 = y1 * tv2 # gx1 * gxd * (gx1 * gxd^3)^((p - 3) / 4)
// 17. x2n = -tv1 * x1n # x2 = x2n / xd = -1 * u^2 * x1n / xd
let x2n = Fp.mul(x1n, Fp.neg(tv1));
let y2 = Fp.mul(y1, u); // 18. y2 = y1 * u
y2 = Fp.cmov(y2, Fp.ZERO, e1); // 19. y2 = CMOV(y2, 0, e1)
tv2 = Fp.sqr(y1); // 20. tv2 = y1^2
tv2 = Fp.mul(tv2, gxd); // 21. tv2 = tv2 * gxd
let e2 = Fp.eql(tv2, gx1); // 22. e2 = tv2 == gx1
let xn = Fp.cmov(x2n, x1n, e2); // 23. xn = CMOV(x2n, x1n, e2) # If e2, x = x1, else x = x2
let y = Fp.cmov(y2, y1, e2); // 24. y = CMOV(y2, y1, e2) # If e2, y = y1, else y = y2
let e3 = Fp.isOdd(y); // 25. e3 = sgn0(y) == 1 # Fix sign of y
y = Fp.cmov(y, Fp.neg(y), e2 !== e3); // 26. y = CMOV(y, -y, e2 XOR e3)
return { xn, xd, yn: y, yd: Fp.ONE }; // 27. return (xn, xd, y, 1)
}
// Returns affine `{ x, y }` after inverting the Appendix G.2.4 denominators.
function map_to_curve_elligator2_edwards448(u) {
// 1. (xn, xd, yn, yd) = map_to_curve_elligator2_curve448(u)
let { xn, xd, yn, yd } = map_to_curve_elligator2_curve448(u);
let xn2 = Fp.sqr(xn); // 2. xn2 = xn^2
let xd2 = Fp.sqr(xd); // 3. xd2 = xd^2
let xd4 = Fp.sqr(xd2); // 4. xd4 = xd2^2
let yn2 = Fp.sqr(yn); // 5. yn2 = yn^2
let yd2 = Fp.sqr(yd); // 6. yd2 = yd^2
let xEn = Fp.sub(xn2, xd2); // 7. xEn = xn2 - xd2
let tv2 = Fp.sub(xEn, xd2); // 8. tv2 = xEn - xd2
xEn = Fp.mul(xEn, xd2); // 9. xEn = xEn * xd2
xEn = Fp.mul(xEn, yd); // 10. xEn = xEn * yd
xEn = Fp.mul(xEn, yn); // 11. xEn = xEn * yn
xEn = Fp.mul(xEn, _4n); // 12. xEn = xEn * 4
tv2 = Fp.mul(tv2, xn2); // 13. tv2 = tv2 * xn2
tv2 = Fp.mul(tv2, yd2); // 14. tv2 = tv2 * yd2
let tv3 = Fp.mul(yn2, _4n); // 15. tv3 = 4 * yn2
let tv1 = Fp.add(tv3, yd2); // 16. tv1 = tv3 + yd2
tv1 = Fp.mul(tv1, xd4); // 17. tv1 = tv1 * xd4
let xEd = Fp.add(tv1, tv2); // 18. xEd = tv1 + tv2
tv2 = Fp.mul(tv2, xn); // 19. tv2 = tv2 * xn
let tv4 = Fp.mul(xn, xd4); // 20. tv4 = xn * xd4
let yEn = Fp.sub(tv3, yd2); // 21. yEn = tv3 - yd2
yEn = Fp.mul(yEn, tv4); // 22. yEn = yEn * tv4
yEn = Fp.sub(yEn, tv2); // 23. yEn = yEn - tv2
tv1 = Fp.add(xn2, xd2); // 24. tv1 = xn2 + xd2
tv1 = Fp.mul(tv1, xd2); // 25. tv1 = tv1 * xd2
tv1 = Fp.mul(tv1, xd); // 26. tv1 = tv1 * xd
tv1 = Fp.mul(tv1, yn2); // 27. tv1 = tv1 * yn2
tv1 = Fp.mul(tv1, BigInt(-2)); // 28. tv1 = -2 * tv1
let yEd = Fp.add(tv2, tv1); // 29. yEd = tv2 + tv1
tv4 = Fp.mul(tv4, yd2); // 30. tv4 = tv4 * yd2
yEd = Fp.add(yEd, tv4); // 31. yEd = yEd + tv4
tv1 = Fp.mul(xEd, yEd); // 32. tv1 = xEd * yEd
let e = Fp.eql(tv1, Fp.ZERO); // 33. e = tv1 == 0
xEn = Fp.cmov(xEn, Fp.ZERO, e); // 34. xEn = CMOV(xEn, 0, e)
xEd = Fp.cmov(xEd, Fp.ONE, e); // 35. xEd = CMOV(xEd, 1, e)
yEn = Fp.cmov(yEn, Fp.ONE, e); // 36. yEn = CMOV(yEn, 1, e)
yEd = Fp.cmov(yEd, Fp.ONE, e); // 37. yEd = CMOV(yEd, 1, e)
const inv = FpInvertBatch(Fp, [xEd, yEd], true); // batch division
return { x: Fp.mul(xEn, inv[0]), y: Fp.mul(yEn, inv[1]) }; // 38. return (xEn, xEd, yEn, yEd)
}
/**
* Hashing / encoding to ed448 points / field. RFC 9380 methods.
* Public `mapToCurve()` consumes one field element bigint for `m = 1`, and RFC
* Appendix J vectors use the special `QUUX-V01-*` test DST overrides rather
* than the default suite IDs below.
* @example
* Hash one message onto the ed448 curve.
*
* ```ts
* const point = ed448_hasher.hashToCurve(new TextEncoder().encode('hello noble'));
* ```
*/
export const ed448_hasher = /* @__PURE__ */ (() => createHasher(ed448_Point, (scalars) => map_to_curve_elligator2_edwards448(scalars[0]), {
DST: 'edwards448_XOF:SHAKE256_ELL2_RO_',
encodeDST: 'edwards448_XOF:SHAKE256_ELL2_NU_',
p: ed448_CURVE_p,
m: 1,
k: 224,
expand: 'xof',
hash: shake256,
}))();
/**
* FROST threshold signatures over ed448. RFC 9591.
* @example
* Create one trusted-dealer package for 2-of-3 ed448 signing.
*
* ```ts
* const alice = ed448_FROST.Identifier.derive('alice@example.com');
* const bob = ed448_FROST.Identifier.derive('bob@example.com');
* const carol = ed448_FROST.Identifier.derive('carol@example.com');
* const deal = ed448_FROST.trustedDealer({ min: 2, max: 3 }, [alice, bob, carol]);
* ```
*/
export const ed448_FROST = /* @__PURE__ */ (() => createFROST({
name: 'FROST-ED448-SHAKE256-v1',
Point: ed448_Point,
validatePoint: (p) => {
p.assertValidity();
if (!p.isTorsionFree())
throw new Error('bad point: not torsion-free');
},
// Group: edwards448 [RFC8032], where Ne = 57 and Ns = 57.
// Fn is 57 bytes, Fp is 57 bytes too
Fn,
hash: shake256_114,
H2: 'SigEd448\0\0',
}))();
// 1-d
const ONE_MINUS_D = /* @__PURE__ */ BigInt('39082');
// 1-2d
const ONE_MINUS_TWO_D = /* @__PURE__ */ BigInt('78163');
// √(-d)
const SQRT_MINUS_D = /* @__PURE__ */ BigInt('98944233647732219769177004876929019128417576295529901074099889598043702116001257856802131563896515373927712232092845883226922417596214');
// 1 / √(-d)
const INVSQRT_MINUS_D = /* @__PURE__ */ BigInt('315019913931389607337177038330951043522456072897266928557328499619017160722351061360252776265186336876723201881398623946864393857820716');
// RFC 9496 `SQRT_RATIO_M1` must return `CT_ABS(s)`, i.e. the nonnegative root.
// Keep this Decaf-local: RFC 9496 decode/encode/map formulas depend on that
// canonical representative, while ordinary Ed448 decoding still uses `uvRatio()`
// plus the public sign bit from RFC 8032.
const sqrtRatioM1 = (u, v) => {
const P = ed448_CURVE_p;
const { isValid, value } = uvRatio(u, v);
return { isValid, value: isNegativeLE(value, P) ? Fp448.create(-value) : value };
};
const invertSqrt = (number) => sqrtRatioM1(_1n, number);
/**
* Elligator map for hash-to-curve of decaf448.
* Primary formula source is RFC 9496 §5.3.4. Step 1 intentionally reduces the
* input modulo `p`, and the return value is the internal Edwards
* representation, not a public decaf encoding.
*/
function calcElligatorDecafMap(r0) {
const { d, p: P } = ed448_CURVE;
const mod = (n) => Fp448.create(n);
const r = mod(-(r0 * r0)); // 1
const u0 = mod(d * (r - _1n)); // 2
const u1 = mod((u0 + _1n) * (u0 - r)); // 3
const { isValid: was_square, value: v } = sqrtRatioM1(ONE_MINUS_TWO_D, mod((r + _1n) * u1)); // 4
let v_prime = v; // 5
if (!was_square)
v_prime = mod(r0 * v);
let sgn = _1n; // 6
if (!was_square)
sgn = mod(-_1n);
const s = mod(v_prime * (r + _1n)); // 7
let s_abs = s;
if (isNegativeLE(s, P))
s_abs = mod(-s);
const s2 = s * s;
const W0 = mod(s_abs * _2n); // 8
const W1 = mod(s2 + _1n); // 9
const W2 = mod(s2 - _1n); // 10
const W3 = mod(v_prime * s * (r - _1n) * ONE_MINUS_TWO_D + sgn); // 11
return new ed448_Point(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
}
// Keep the Decaf448 base representative literal here: deriving it with
// `new _DecafPoint(ed448_Point.BASE).multiplyUnsafe(2)` forces eager WNAF precomputes and
// adds about 100ms to `ed448.js` import time.
const DECAF_BASE_X = /* @__PURE__ */ BigInt('0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa955555555555555555555555555555555555555555555555555555555');
const DECAF_BASE_Y = /* @__PURE__ */ BigInt('0xae05e9634ad7048db359d6205086c2b0036ed7a035884dd7b7e36d728ad8c4b80d6565833a2a3098bbbcb2bed1cda06bdaeafbcdea9386ed');
const DECAF_BASE_T = /* @__PURE__ */ BigInt('0x696d84643374bace9d70983a12aa9d461da74d2d5c35e8d97ba72c3aba4450a5d29274229bd22c1d5e3a6474ee4ffb0e7a9e200a28eee402');
/**
* Each ed448/EdwardsPoint has 4 different equivalent points. This can be
* a source of bugs for protocols like ring signatures. Decaf was created to solve this.
* Decaf point operates in X:Y:Z:T extended coordinates like EdwardsPoint,
* but it should work in its own namespace: do not combine those two.
* See [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
*/
class _DecafPoint extends PrimeEdwardsPoint {
// The following gymnastics is done because typescript strips comments otherwise
// prettier-ignore
static BASE =
/* @__PURE__ */ (() => new _DecafPoint(new ed448_Point(DECAF_BASE_X, DECAF_BASE_Y, _1n, DECAF_BASE_T)))();
// prettier-ignore
static ZERO =
/* @__PURE__ */ (() => new _DecafPoint(ed448_Point.ZERO))();
// prettier-ignore
static Fp =
/* @__PURE__ */ (() => Fp448)();
// prettier-ignore
static Fn =
/* @__PURE__ */ (() => Fn448)();
constructor(ep) {
super(ep);
}
/**
* Create one Decaf448 point from affine Edwards coordinates.
* This wraps the internal Edwards representative directly and is not a
* canonical decaf448 decoding path.
* Use `toBytes()` / `fromBytes()` if canonical decaf448 bytes matter.
*/
static fromAffine(ap) {
return new _DecafPoint(ed448_Point.fromAffine(ap));
}
assertSame(other) {
if (!(other instanceof _DecafPoint))
throw new Error('DecafPoint expected');
}
init(ep) {
return new _DecafPoint(ep);
}
static fromBytes(bytes) {
abytes(bytes, 56);
const { d, p: P } = ed448_CURVE;
const mod = (n) => Fp448.create(n);
const s = Fp448.fromBytes(bytes);
// 1. Check that s_bytes is the canonical encoding of a field element, or else abort.
// 2. Check that s is non-negative, or else abort
if (!equalBytes(Fn448.toBytes(s), bytes) || isNegativeLE(s, P))
throw new Error('invalid decaf448 encoding 1');
const s2 = mod(s * s); // 1
const u1 = mod(_1n + s2); // 2
const u1sq = mod(u1 * u1);
const u2 = mod(u1sq - _4n * d * s2); // 3
const { isValid, value: invsqrt } = invertSqrt(mod(u2 * u1sq)); // 4
let u3 = mod((s + s) * invsqrt * u1 * SQRT_MINUS_D); // 5
if (isNegativeLE(u3, P))
u3 = mod(-u3);
const x = mod(u3 * invsqrt * u2 * INVSQRT_MINUS_D); // 6
const y = mod((_1n - s2) * invsqrt * u1); // 7
const t = mod(x * y); // 8
if (!isValid)
throw new Error('invalid decaf448 encoding 2');
return new _DecafPoint(new ed448_Point(x, y, _1n, t));
}
/**
* Converts decaf-encoded string to decaf point.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode-2).
* @param hex - Decaf-encoded 56 bytes. Not every 56-byte string is valid decaf encoding
*/
static fromHex(hex) {
return _DecafPoint.fromBytes(hexToBytes(hex));
}
/**
* Encodes decaf point to Uint8Array.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-encode-2).
*/
toBytes() {
const { X, Z, T } = this.ep;
const P = ed448_CURVE.p;
const mod = (n) => Fp448.create(n);
const u1 = mod(mod(X + T) * mod(X - T)); // 1
const x2 = mod(X * X);
const { value: invsqrt } = invertSqrt(mod(u1 * ONE_MINUS_D * x2)); // 2
let ratio = mod(invsqrt * u1 * SQRT_MINUS_D); // 3
if (isNegativeLE(ratio, P))
ratio = mod(-ratio);
const u2 = mod(INVSQRT_MINUS_D * ratio * Z - T); // 4
let s = mod(ONE_MINUS_D * invsqrt * X * u2); // 5
if (isNegativeLE(s, P))
s = mod(-s);
return Fn448.toBytes(s);
}
/**
* Compare one point to another.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-equals-2).
*/
equals(other) {
this.assertSame(other);
const { X: X1, Y: Y1 } = this.ep;
const { X: X2, Y: Y2 } = other.ep;
// (x1 * y2 == y1 * x2)
return Fp448.create(X1 * Y2) === Fp448.create(Y1 * X2);
}
is0() {
return this.equals(_DecafPoint.ZERO);
}
}
Object.freeze(_DecafPoint.BASE);
Object.freeze(_DecafPoint.ZERO);
Object.freeze(_DecafPoint.prototype);
Object.freeze(_DecafPoint);
/** Prime-order Decaf448 group bundle. */
export const decaf448 = /* @__PURE__ */ Object.freeze({ Point: _DecafPoint });
/**
* Hashing to decaf448 points / field. RFC 9380 methods.
* `hashToCurve()` is RFC 9380 `hash_to_decaf448`, `deriveToCurve()` is RFC
* 9496 element derivation, and `hashToScalar()` is a library helper layered on
* top of RFC 9496 scalar reduction.
* @example
* Hash one message onto decaf448.
*
* ```ts
* const point = decaf448_hasher.hashToCurve(new TextEncoder().encode('hello noble'));
* ```
*/
export const decaf448_hasher = Object.freeze({
Point: _DecafPoint,
hashToCurve(msg, options) {
// Preserve explicit empty/invalid DST overrides so expand_message_xof() can reject them.
const DST = options?.DST === undefined ? 'decaf448_XOF:SHAKE256_D448MAP_RO_' : options.DST;
return decaf448_hasher.deriveToCurve(expand_message_xof(msg, DST, 112, 224, shake256));
},
/**
* Warning: has big modulo bias of 2^-64.
* RFC is invalid. RFC says "use 64-byte xof", while for 2^-112 bias
* it must use 84-byte xof (56+56/2), not 64.
*/
hashToScalar(msg, options = { DST: _DST_scalar }) {
// Can't use `Fn448.fromBytes()`. 64-byte input => 56-byte field element
const xof = expand_message_xof(msg, options.DST, 64, 256, shake256);
return Fn448.create(bytesToNumberLE(xof));
},
/**
* HashToCurve-like construction based on RFC 9496 (Element Derivation).
* Converts 112 uniform random bytes into a curve point.
*
* WARNING: This represents an older hash-to-curve construction from before
* RFC 9380 was finalized.
* It was later reused as a component in the newer
* `hash_to_decaf448` function defined in RFC 9380.
*/
deriveToCurve(bytes) {
abytes(bytes, 112);
const skipValidation = true;
// Note: Similar to the field element decoding described in
// [RFC7748], and unlike the field element decoding described in
// Section 5.3.1, non-canonical values are accepted.
const r1 = Fp448.create(Fp448.fromBytes(bytes.subarray(0, 56), skipValidation));
const R1 = calcElligatorDecafMap(r1);
const r2 = Fp448.create(Fp448.fromBytes(bytes.subarray(56, 112), skipValidation));
const R2 = calcElligatorDecafMap(r2);
return new _DecafPoint(R1.add(R2));
},
});
/**
* decaf448 OPRF, defined in RFC 9497.
* @example
* Run one blind/evaluate/finalize OPRF round over decaf448.
*
* ```ts
* const input = new TextEncoder().encode('hello noble');
* const keys = decaf448_oprf.oprf.generateKeyPair();
* const blind = decaf448_oprf.oprf.blind(input);
* const evaluated = decaf448_oprf.oprf.blindEvaluate(keys.secretKey, blind.blinded);
* const output = decaf448_oprf.oprf.finalize(input, blind.blind, evaluated);
* ```
*/
export const decaf448_oprf = /* @__PURE__ */ (() => createOPRF({
name: 'decaf448-SHAKE256',
Point: _DecafPoint,
hash: (msg) => shake256(msg, { dkLen: 64 }),
hashToGroup: decaf448_hasher.hashToCurve,
hashToScalar: decaf448_hasher.hashToScalar,
}))();
/**
* Weird / bogus points, useful for debugging.
* Unlike ed25519, there is no ed448 generator point which can produce full T subgroup.
* Instead, the torsion subgroup here is cyclic of order 4, generated by
* `(1, 0)`, and the array below lists that subgroup set (Klein four-group).
* @example
* Decode one known torsion point for debugging.
*
* ```ts
* import { ED448_TORSION_SUBGROUP, ed448 } from '@noble/curves/ed448.js';
* const point = ed448.Point.fromHex(ED448_TORSION_SUBGROUP[1]);
* ```
*/
export const ED448_TORSION_SUBGROUP = /* @__PURE__ */ Object.freeze([
'010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000',
'fefffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffff00',
'000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000',
'000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080',
]);
//# sourceMappingURL=ed448.js.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/ed448.js.map
Generated Vendored
+1
View File
File diff suppressed because one or more lines are too long
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/index.d.ts
Generated Vendored
+2
View File
@@ -0,0 +1,2 @@
export {};
//# sourceMappingURL=index.d.ts.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/index.d.ts.map
Generated Vendored
+1
View File
@@ -0,0 +1 @@
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["src/index.ts"],"names":[],"mappings":""}
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/index.js
Generated Vendored
+39
View File
@@ -0,0 +1,39 @@
/**
* Audited & minimal JS implementation of elliptic curve cryptography.
* @module
* @example
```js
import { secp256k1, schnorr } from '@noble/curves/secp256k1.js';
import { ed25519, ed25519ph, ed25519ctx, x25519, ristretto255 } from '@noble/curves/ed25519.js';
import { ed448, ed448ph, x448, decaf448 } from '@noble/curves/ed448.js';
import { p256, p384, p521 } from '@noble/curves/nist.js';
import { bls12_381 } from '@noble/curves/bls12-381.js';
import { bn254 } from '@noble/curves/bn254.js';
import {
jubjub,
babyjubjub,
brainpoolP256r1,
brainpoolP384r1,
brainpoolP512r1,
} from '@noble/curves/misc.js';
import * as webcrypto from '@noble/curves/webcrypto.js';
// hash-to-curve
import { secp256k1_hasher } from '@noble/curves/secp256k1.js';
import { p256_hasher, p384_hasher, p521_hasher } from '@noble/curves/nist.js';
import { ristretto255_hasher } from '@noble/curves/ed25519.js';
import { decaf448_hasher } from '@noble/curves/ed448.js';
// OPRFs
import { p256_oprf, p384_oprf, p521_oprf } from '@noble/curves/nist.js';
import { ristretto255_oprf } from '@noble/curves/ed25519.js';
import { decaf448_oprf } from '@noble/curves/ed448.js';
// utils
import { bytesToHex, hexToBytes, concatBytes } from '@noble/curves/abstract/utils.js';
import { Field } from '@noble/curves/abstract/modular.js';
```
*/
throw new Error('root module cannot be imported: import submodules instead. Check out README');
export {};
//# sourceMappingURL=index.js.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/index.js.map
Generated Vendored
+1
View File
@@ -0,0 +1 @@
{"version":3,"file":"index.js","sourceRoot":"","sources":["src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,MAAM,IAAI,KAAK,CAAC,6EAA6E,CAAC,CAAC"}
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/misc.d.ts
Generated Vendored
+114
View File
@@ -0,0 +1,114 @@
import { type EdDSA, type EdwardsPoint } from './abstract/edwards.ts';
import { type ECDSA } from './abstract/weierstrass.ts';
import { type TArg } from './utils.ts';
/**
* Generic EdDSA-over-Jubjub convenience wrapper with `sha512`.
* This is not the Zcash RedJubjub / Sapling signature scheme.
* @example
* Generate one Jubjub keypair, sign a message, and verify it.
*
* ```ts
* const { secretKey, publicKey } = jubjub.keygen();
* const msg = new TextEncoder().encode('hello noble');
* const sig = jubjub.sign(msg, secretKey);
* const isValid = jubjub.verify(sig, msg, publicKey);
* ```
*/
export declare const jubjub: EdDSA;
/**
* Curve over scalar field of bn254. babyjubjub Fp = bn254 n
* This is a working generic EdDSA-over-BabyJubJub wrapper that uses `blake512` for the 64-byte
* secret expansion required by the shared EdDSA helper.
* It is not the BabyJubJub stack used by iden3/circomlib, `babyjubjub-rs`, or
* `@zk-kit/eddsa-poseidon`: those pair the subgroup base B/B8 with Blake-style secret expansion
* plus dedicated Poseidon / MiMC / Pedersen transcript hashing. This wrapper stays generic and is
* not meant as an interoperability target for those BabyJubJub signing stacks.
* @example
* Access the BabyJubJub base point and round-trip it through the point codec.
*
* ```ts
* import { babyjubjub } from '@noble/curves/misc.js';
* const base = babyjubjub.Point.BASE;
* const encoded = base.toBytes();
* const decoded = babyjubjub.Point.fromBytes(encoded);
* ```
*/
export declare const babyjubjub: EdDSA;
/**
* @param tag - Hash input.
* @param personalization - BLAKE2 personalization bytes.
* @returns Prime-order Jubjub point.
* @throws If the digest does not decode to a Jubjub point, or if the
* cofactor-cleared point has small order. {@link Error}
* @example
* Hash a tag into a prime-order Jubjub point.
*
* ```ts
* import { jubjub_groupHash } from '@noble/curves/misc.js';
* import { asciiToBytes } from '@noble/curves/utils.js';
* const tag = Uint8Array.of(2);
* const personalization = asciiToBytes('Zcash_G_');
* const point = jubjub_groupHash(tag, personalization);
* ```
*/
export declare function jubjub_groupHash(tag: TArg<Uint8Array>, personalization: TArg<Uint8Array>): EdwardsPoint;
/**
* No secret data is leaked here at all.
* It operates over public data.
* @param m - Message prefix.
* @param personalization - 8-byte BLAKE2 personalization bytes.
* @returns First non-zero group hash.
* @throws If the personalization is invalid, or if no non-zero Jubjub group
* hash can be found. {@link Error}
* @example
* Derive the first non-zero Jubjub group hash for one personalization tag.
*
* ```ts
* import { jubjub_findGroupHash } from '@noble/curves/misc.js';
* import { asciiToBytes } from '@noble/curves/utils.js';
* const msg = Uint8Array.of();
* const personalization = asciiToBytes('Zcash_G_');
* const point = jubjub_findGroupHash(msg, personalization);
* ```
*/
export declare function jubjub_findGroupHash(m: TArg<Uint8Array>, personalization: TArg<Uint8Array>): EdwardsPoint;
/**
* Brainpool P256r1 with sha256, from RFC 5639.
* @example
* Generate one Brainpool P256r1 keypair, sign a message, and verify it.
*
* ```ts
* const { secretKey, publicKey } = brainpoolP256r1.keygen();
* const msg = new TextEncoder().encode('hello noble');
* const sig = brainpoolP256r1.sign(msg, secretKey);
* const isValid = brainpoolP256r1.verify(sig, msg, publicKey);
* ```
*/
export declare const brainpoolP256r1: ECDSA;
/**
* Brainpool P384r1 with sha384, from RFC 5639.
* @example
* Generate one Brainpool P384r1 keypair, sign a message, and verify it.
*
* ```ts
* const { secretKey, publicKey } = brainpoolP384r1.keygen();
* const msg = new TextEncoder().encode('hello noble');
* const sig = brainpoolP384r1.sign(msg, secretKey);
* const isValid = brainpoolP384r1.verify(sig, msg, publicKey);
* ```
*/
export declare const brainpoolP384r1: ECDSA;
/**
* Brainpool P512r1 with sha512, from RFC 5639.
* @example
* Generate one Brainpool P512r1 keypair, sign a message, and verify it.
*
* ```ts
* const { secretKey, publicKey } = brainpoolP512r1.keygen();
* const msg = new TextEncoder().encode('hello noble');
* const sig = brainpoolP512r1.sign(msg, secretKey);
* const isValid = brainpoolP512r1.verify(sig, msg, publicKey);
* ```
*/
export declare const brainpoolP512r1: ECDSA;
//# sourceMappingURL=misc.d.ts.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/misc.d.ts.map
Generated Vendored
+1
View File
@@ -0,0 +1 @@
{"version":3,"file":"misc.d.ts","sourceRoot":"","sources":["src/misc.ts"],"names":[],"mappings":"AAUA,OAAO,EAGL,KAAK,KAAK,EAEV,KAAK,YAAY,EAClB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAsB,KAAK,KAAK,EAAwB,MAAM,2BAA2B,CAAC;AACjG,OAAO,EAAgB,KAAK,IAAI,EAAE,MAAM,YAAY,CAAC;AAgBrD;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,MAAM,EAAE,KAAsE,CAAC;AAoB5F;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,UAAU,EAAE,KACsB,CAAC;AAQhD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,gBAAgB,CAC9B,GAAG,EAAE,IAAI,CAAC,UAAU,CAAC,EACrB,eAAe,EAAE,IAAI,CAAC,UAAU,CAAC,GAChC,YAAY,CAUd;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,oBAAoB,CAClC,CAAC,EAAE,IAAI,CAAC,UAAU,CAAC,EACnB,eAAe,EAAE,IAAI,CAAC,UAAU,CAAC,GAChC,YAAY,CAcd;AAWD;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,eAAe,EAAE,KACwB,CAAC;AAuBvD;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,eAAe,EAAE,KACwB,CAAC;AAuBvD;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,eAAe,EAAE,KACwB,CAAC"}
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/misc.js
Generated Vendored
+212
View File
@@ -0,0 +1,212 @@
/**
* Miscellaneous, rarely used curves.
* jubjub, babyjubjub, pallas, vesta.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { blake512 } from '@noble/hashes/blake1.js';
import { blake2s } from '@noble/hashes/blake2.js';
import { sha256, sha384, sha512 } from '@noble/hashes/sha2.js';
import { abytes, concatBytes } from '@noble/hashes/utils.js';
import { eddsa, edwards, } from "./abstract/edwards.js";
import { ecdsa, weierstrass } from "./abstract/weierstrass.js";
import { asciiToBytes } from "./utils.js";
// Jubjub curves have 𝔽p over scalar fields of other curves. They are friendly to ZK proofs.
// Zcash Protocol Specification "Jubjub" parameters:
// q = BLS12-381 Fr, r, h = 8, a = -1, d = -10240/10241.
// Gx/Gy keep the canonical Jubjub base point used by Zcash implementations.
const jubjub_CURVE = /* @__PURE__ */ (() => ({
p: BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001'),
n: BigInt('0xe7db4ea6533afa906673b0101343b00a6682093ccc81082d0970e5ed6f72cb7'),
h: BigInt(8),
a: BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000000'),
d: BigInt('0x2a9318e74bfa2b48f5fd9207e6bd7fd4292d7f6d37579d2601065fd6d6343eb1'),
Gx: BigInt('0x11dafe5d23e1218086a365b99fbf3d3be72f6afd7d1f72623e6b071492d1122b'),
Gy: BigInt('0x1d523cf1ddab1a1793132e78c866c0c33e26ba5cc220fed7cc3f870e59d292aa'),
}))();
/**
* Generic EdDSA-over-Jubjub convenience wrapper with `sha512`.
* This is not the Zcash RedJubjub / Sapling signature scheme.
* @example
* Generate one Jubjub keypair, sign a message, and verify it.
*
* ```ts
* const { secretKey, publicKey } = jubjub.keygen();
* const msg = new TextEncoder().encode('hello noble');
* const sig = jubjub.sign(msg, secretKey);
* const isValid = jubjub.verify(sig, msg, publicKey);
* ```
*/
export const jubjub = /* @__PURE__ */ (() => eddsa(edwards(jubjub_CURVE), sha512))();
// BabyJubJub over bn254 Fr. EIP-2494 explicitly defines both the full-group generator G and the
// prime-order subgroup base point B = 8*G.
// noble's Edwards abstraction expects Point.BASE / curve.n to describe the prime-order subgroup, so
// use the EIP base point B here.
// Historical noble incorrectly used the EIP generator G as Point.BASE, which mismatched the
// abstraction and leaked the wrong order into consumers.
// Historical noble used G instead:
// Gx = 995203441582195749578291179787384436505546430278305826713579947235728471134
// Gy = 5472060717959818805561601436314318772137091100104008585924551046643952123905
const babyjubjub_CURVE = /* @__PURE__ */ (() => ({
p: BigInt('0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593f0000001'),
n: BigInt('0x060c89ce5c263405370a08b6d0302b0bab3eedb83920ee0a677297dc392126f1'),
h: BigInt(8),
a: BigInt('168700'),
d: BigInt('168696'),
Gx: BigInt('0xbb77a6ad63e739b4eacb2e09d6277c12ab8d8010534e0b62893f3f6bb957051'),
Gy: BigInt('0x25797203f7a0b24925572e1cd16bf9edfce0051fb9e133774b3c257a872d7d8b'),
}))();
/**
* Curve over scalar field of bn254. babyjubjub Fp = bn254 n
* This is a working generic EdDSA-over-BabyJubJub wrapper that uses `blake512` for the 64-byte
* secret expansion required by the shared EdDSA helper.
* It is not the BabyJubJub stack used by iden3/circomlib, `babyjubjub-rs`, or
* `@zk-kit/eddsa-poseidon`: those pair the subgroup base B/B8 with Blake-style secret expansion
* plus dedicated Poseidon / MiMC / Pedersen transcript hashing. This wrapper stays generic and is
* not meant as an interoperability target for those BabyJubJub signing stacks.
* @example
* Access the BabyJubJub base point and round-trip it through the point codec.
*
* ```ts
* import { babyjubjub } from '@noble/curves/misc.js';
* const base = babyjubjub.Point.BASE;
* const encoded = base.toBytes();
* const decoded = babyjubjub.Point.fromBytes(encoded);
* ```
*/
export const babyjubjub = /* @__PURE__ */ (() => eddsa(edwards(babyjubjub_CURVE), blake512))();
// Sapling URS randomness beacon from the Zcash protocol. This stays as the 64-byte ASCII
// lowercase-hex string used for the first Blake2s block, not 32 raw bytes.
const jubjub_gh_first_block = /* @__PURE__ */ asciiToBytes('096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0');
/**
* @param tag - Hash input.
* @param personalization - BLAKE2 personalization bytes.
* @returns Prime-order Jubjub point.
* @throws If the digest does not decode to a Jubjub point, or if the
* cofactor-cleared point has small order. {@link Error}
* @example
* Hash a tag into a prime-order Jubjub point.
*
* ```ts
* import { jubjub_groupHash } from '@noble/curves/misc.js';
* import { asciiToBytes } from '@noble/curves/utils.js';
* const tag = Uint8Array.of(2);
* const personalization = asciiToBytes('Zcash_G_');
* const point = jubjub_groupHash(tag, personalization);
* ```
*/
export function jubjub_groupHash(tag, personalization) {
const h = blake2s.create({ personalization, dkLen: 32 });
h.update(jubjub_gh_first_block);
h.update(tag);
// NOTE: returns EdwardsPoint, in case it will be multiplied later
let p = jubjub.Point.fromBytes(h.digest());
// NOTE: cannot replace with isSmallOrder, returns Point*8
p = p.multiply(jubjub_CURVE.h);
if (p.equals(jubjub.Point.ZERO))
throw new Error('Point has small order');
return p;
}
/**
* No secret data is leaked here at all.
* It operates over public data.
* @param m - Message prefix.
* @param personalization - 8-byte BLAKE2 personalization bytes.
* @returns First non-zero group hash.
* @throws If the personalization is invalid, or if no non-zero Jubjub group
* hash can be found. {@link Error}
* @example
* Derive the first non-zero Jubjub group hash for one personalization tag.
*
* ```ts
* import { jubjub_findGroupHash } from '@noble/curves/misc.js';
* import { asciiToBytes } from '@noble/curves/utils.js';
* const msg = Uint8Array.of();
* const personalization = asciiToBytes('Zcash_G_');
* const point = jubjub_findGroupHash(msg, personalization);
* ```
*/
export function jubjub_findGroupHash(m, personalization) {
// Validate BLAKE2s personalization once up front; otherwise the retry loop swallows the real
// input error and turns it into a misleading "tag overflow".
abytes(personalization, 8, 'personalization');
const tag = concatBytes(m, Uint8Array.of(0));
const hashes = [];
for (let i = 0; i < 256; i++) {
tag[tag.length - 1] = i;
try {
hashes.push(jubjub_groupHash(tag, personalization));
}
catch (e) { }
}
if (!hashes.length)
throw new Error('findGroupHash tag overflow');
return hashes[0];
}
const brainpoolP256r1_CURVE = /* @__PURE__ */ (() => ({
p: BigInt('0xa9fb57dba1eea9bc3e660a909d838d726e3bf623d52620282013481d1f6e5377'),
a: BigInt('0x7d5a0975fc2c3057eef67530417affe7fb8055c126dc5c6ce94a4b44f330b5d9'),
b: BigInt('0x26dc5c6ce94a4b44f330b5d9bbd77cbf958416295cf7e1ce6bccdc18ff8c07b6'),
n: BigInt('0xa9fb57dba1eea9bc3e660a909d838d718c397aa3b561a6f7901e0e82974856a7'),
Gx: BigInt('0x8bd2aeb9cb7e57cb2c4b482ffc81b7afb9de27e1e3bd23c23a4453bd9ace3262'),
Gy: BigInt('0x547ef835c3dac4fd97f8461a14611dc9c27745132ded8e545c1d54c72f046997'),
h: BigInt(1),
}))();
/**
* Brainpool P256r1 with sha256, from RFC 5639.
* @example
* Generate one Brainpool P256r1 keypair, sign a message, and verify it.
*
* ```ts
* const { secretKey, publicKey } = brainpoolP256r1.keygen();
* const msg = new TextEncoder().encode('hello noble');
* const sig = brainpoolP256r1.sign(msg, secretKey);
* const isValid = brainpoolP256r1.verify(sig, msg, publicKey);
* ```
*/
export const brainpoolP256r1 = /* @__PURE__ */ (() => ecdsa(weierstrass(brainpoolP256r1_CURVE), sha256))();
const brainpoolP384r1_CURVE = /* @__PURE__ */ (() => ({
p: BigInt('0x8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b412b1da197fb71123acd3a729901d1a71874700133107ec53'),
a: BigInt('0x7bc382c63d8c150c3c72080ace05afa0c2bea28e4fb22787139165efba91f90f8aa5814a503ad4eb04a8c7dd22ce2826'),
b: BigInt('0x04a8c7dd22ce28268b39b55416f0447c2fb77de107dcd2a62e880ea53eeb62d57cb4390295dbc9943ab78696fa504c11'),
n: BigInt('0x8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b31f166e6cac0425a7cf3ab6af6b7fc3103b883202e9046565'),
Gx: BigInt('0x1d1c64f068cf45ffa2a63a81b7c13f6b8847a3e77ef14fe3db7fcafe0cbd10e8e826e03436d646aaef87b2e247d4af1e'),
Gy: BigInt('0x8abe1d7520f9c2a45cb1eb8e95cfd55262b70b29feec5864e19c054ff99129280e4646217791811142820341263c5315'),
h: BigInt(1),
}))();
/**
* Brainpool P384r1 with sha384, from RFC 5639.
* @example
* Generate one Brainpool P384r1 keypair, sign a message, and verify it.
*
* ```ts
* const { secretKey, publicKey } = brainpoolP384r1.keygen();
* const msg = new TextEncoder().encode('hello noble');
* const sig = brainpoolP384r1.sign(msg, secretKey);
* const isValid = brainpoolP384r1.verify(sig, msg, publicKey);
* ```
*/
export const brainpoolP384r1 = /* @__PURE__ */ (() => ecdsa(weierstrass(brainpoolP384r1_CURVE), sha384))();
const brainpoolP512r1_CURVE = /* @__PURE__ */ (() => ({
p: BigInt('0xaadd9db8dbe9c48b3fd4e6ae33c9fc07cb308db3b3c9d20ed6639cca703308717d4d9b009bc66842aecda12ae6a380e62881ff2f2d82c68528aa6056583a48f3'),
a: BigInt('0x7830a3318b603b89e2327145ac234cc594cbdd8d3df91610a83441caea9863bc2ded5d5aa8253aa10a2ef1c98b9ac8b57f1117a72bf2c7b9e7c1ac4d77fc94ca'),
b: BigInt('0x3df91610a83441caea9863bc2ded5d5aa8253aa10a2ef1c98b9ac8b57f1117a72bf2c7b9e7c1ac4d77fc94cadc083e67984050b75ebae5dd2809bd638016f723'),
n: BigInt('0xaadd9db8dbe9c48b3fd4e6ae33c9fc07cb308db3b3c9d20ed6639cca70330870553e5c414ca92619418661197fac10471db1d381085ddaddb58796829ca90069'),
Gx: BigInt('0x81aee4bdd82ed9645a21322e9c4c6a9385ed9f70b5d916c1b43b62eef4d0098eff3b1f78e2d0d48d50d1687b93b97d5f7c6d5047406a5e688b352209bcb9f822'),
Gy: BigInt('0x7dde385d566332ecc0eabfa9cf7822fdf209f70024a57b1aa000c55b881f8111b2dcde494a5f485e5bca4bd88a2763aed1ca2b2fa8f0540678cd1e0f3ad80892'),
h: BigInt(1),
}))();
/**
* Brainpool P512r1 with sha512, from RFC 5639.
* @example
* Generate one Brainpool P512r1 keypair, sign a message, and verify it.
*
* ```ts
* const { secretKey, publicKey } = brainpoolP512r1.keygen();
* const msg = new TextEncoder().encode('hello noble');
* const sig = brainpoolP512r1.sign(msg, secretKey);
* const isValid = brainpoolP512r1.verify(sig, msg, publicKey);
* ```
*/
export const brainpoolP512r1 = /* @__PURE__ */ (() => ecdsa(weierstrass(brainpoolP512r1_CURVE), sha512))();
//# sourceMappingURL=misc.js.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/misc.js.map
Generated Vendored
+1
View File
@@ -0,0 +1 @@
{"version":3,"file":"misc.js","sourceRoot":"","sources":["src/misc.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,sEAAsE;AACtE,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/D,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAC7D,OAAO,EACL,KAAK,EACL,OAAO,GAIR,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,KAAK,EAAE,WAAW,EAAoC,MAAM,2BAA2B,CAAC;AACjG,OAAO,EAAE,YAAY,EAAa,MAAM,YAAY,CAAC;AAErD,6FAA6F;AAE7F,oDAAoD;AACpD,wDAAwD;AACxD,4EAA4E;AAC5E,MAAM,YAAY,GAAgB,eAAe,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;IACxD,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,CAAC,EAAE,MAAM,CAAC,mEAAmE,CAAC;IAC9E,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,EAAE,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAChF,EAAE,EAAE,MAAM,CAAC,oEAAoE,CAAC;CACjF,CAAC,CAAC,EAAE,CAAC;AACN;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,MAAM,MAAM,GAAU,eAAe,CAAC,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC,CAAC,EAAE,CAAC;AAE5F,gGAAgG;AAChG,2CAA2C;AAC3C,oGAAoG;AACpG,iCAAiC;AACjC,4FAA4F;AAC5F,yDAAyD;AACzD,mCAAmC;AACnC,qFAAqF;AACrF,sFAAsF;AACtF,MAAM,gBAAgB,GAAgB,eAAe,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;IAC5D,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,CAAC,EAAE,MAAM,CAAC,QAAQ,CAAC;IACnB,CAAC,EAAE,MAAM,CAAC,QAAQ,CAAC;IACnB,EAAE,EAAE,MAAM,CAAC,mEAAmE,CAAC;IAC/E,EAAE,EAAE,MAAM,CAAC,oEAAoE,CAAC;CACjF,CAAC,CAAC,EAAE,CAAC;AACN;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,CAAC,MAAM,UAAU,GAAU,eAAe,CAAC,CAAC,GAAG,EAAE,CACrD,KAAK,CAAC,OAAO,CAAC,gBAAgB,CAAC,EAAE,QAAQ,CAAC,CAAC,EAAE,CAAC;AAEhD,yFAAyF;AACzF,2EAA2E;AAC3E,MAAM,qBAAqB,GAAG,eAAe,CAAC,YAAY,CACxD,kEAAkE,CACnE,CAAC;AAEF;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,gBAAgB,CAC9B,GAAqB,EACrB,eAAiC;IAEjC,MAAM,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,EAAE,eAAe,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC;IACzD,CAAC,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC;IAChC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACd,kEAAkE;IAClE,IAAI,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3C,0DAA0D;IAC1D,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC/B,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC1E,OAAO,CAAC,CAAC;AACX,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,oBAAoB,CAClC,CAAmB,EACnB,eAAiC;IAEjC,6FAA6F;IAC7F,6DAA6D;IAC7D,MAAM,CAAC,eAAe,EAAE,CAAC,EAAE,iBAAiB,CAAC,CAAC;IAC9C,MAAM,GAAG,GAAG,WAAW,CAAC,CAAC,EAAE,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7C,MAAM,MAAM,GAAG,EAAE,CAAC;IAClB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,GAAG,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC;QACxB,IAAI,CAAC;YACH,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC,CAAC;QACtD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC,CAAA,CAAC;IAChB,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,MAAM;QAAE,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAClE,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC;AACnB,CAAC;AAED,MAAM,qBAAqB,GAA4B,eAAe,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;IAC7E,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,EAAE,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAChF,EAAE,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAChF,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;CACb,CAAC,CAAC,EAAE,CAAC;AACN;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,MAAM,eAAe,GAAU,eAAe,CAAC,CAAC,GAAG,EAAE,CAC1D,KAAK,CAAC,WAAW,CAAC,qBAAqB,CAAC,EAAE,MAAM,CAAC,CAAC,EAAE,CAAC;AAEvD,MAAM,qBAAqB,GAA4B,eAAe,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;IAC7E,CAAC,EAAE,MAAM,CACP,oGAAoG,CACrG;IACD,CAAC,EAAE,MAAM,CACP,oGAAoG,CACrG;IACD,CAAC,EAAE,MAAM,CACP,oGAAoG,CACrG;IACD,CAAC,EAAE,MAAM,CACP,oGAAoG,CACrG;IACD,EAAE,EAAE,MAAM,CACR,oGAAoG,CACrG;IACD,EAAE,EAAE,MAAM,CACR,oGAAoG,CACrG;IACD,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;CACb,CAAC,CAAC,EAAE,CAAC;AACN;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,MAAM,eAAe,GAAU,eAAe,CAAC,CAAC,GAAG,EAAE,CAC1D,KAAK,CAAC,WAAW,CAAC,qBAAqB,CAAC,EAAE,MAAM,CAAC,CAAC,EAAE,CAAC;AAEvD,MAAM,qBAAqB,GAA4B,eAAe,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;IAC7E,CAAC,EAAE,MAAM,CACP,oIAAoI,CACrI;IACD,CAAC,EAAE,MAAM,CACP,oIAAoI,CACrI;IACD,CAAC,EAAE,MAAM,CACP,oIAAoI,CACrI;IACD,CAAC,EAAE,MAAM,CACP,oIAAoI,CACrI;IACD,EAAE,EAAE,MAAM,CACR,oIAAoI,CACrI;IACD,EAAE,EAAE,MAAM,CACR,oIAAoI,CACrI;IACD,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;CACb,CAAC,CAAC,EAAE,CAAC;AACN;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,MAAM,eAAe,GAAU,eAAe,CAAC,CAAC,GAAG,EAAE,CAC1D,KAAK,CAAC,WAAW,CAAC,qBAAqB,CAAC,EAAE,MAAM,CAAC,CAAC,EAAE,CAAC"}
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/nist.d.ts
Generated Vendored
+137
View File
@@ -0,0 +1,137 @@
import { type FROST } from './abstract/frost.ts';
import { type H2CHasher } from './abstract/hash-to-curve.ts';
import { type OPRF } from './abstract/oprf.ts';
import { type ECDSA, type WeierstrassPointCons } from './abstract/weierstrass.ts';
import { type TRet } from './utils.ts';
/**
* NIST P256 (aka secp256r1, prime256v1) curve, ECDSA and ECDH methods.
* Hashes inputs with sha256 by default.
*
* @example
* Generate one P-256 keypair, sign a message, and verify it.
*
* ```js
* import { p256 } from '@noble/curves/nist.js';
* const { secretKey, publicKey } = p256.keygen();
* // const publicKey = p256.getPublicKey(secretKey);
* const msg = new TextEncoder().encode('hello noble');
* const sig = p256.sign(msg, secretKey);
* const isValid = p256.verify(sig, msg, publicKey);
* // const sigKeccak = p256.sign(keccak256(msg), secretKey, { prehash: false });
* ```
*/
export declare const p256: ECDSA;
/**
* Hashing / encoding to p256 points / field. RFC 9380 methods.
* @example
* Hash one message onto the P-256 curve.
*
* ```ts
* const point = p256_hasher.hashToCurve(new TextEncoder().encode('hello noble'));
* ```
*/
export declare const p256_hasher: H2CHasher<WeierstrassPointCons<bigint>>;
/**
* p256 OPRF, defined in RFC 9497.
* @example
* Run one blind/evaluate/finalize OPRF round over P-256.
*
* ```ts
* const input = new TextEncoder().encode('hello noble');
* const keys = p256_oprf.oprf.generateKeyPair();
* const blind = p256_oprf.oprf.blind(input);
* const evaluated = p256_oprf.oprf.blindEvaluate(keys.secretKey, blind.blinded);
* const output = p256_oprf.oprf.finalize(input, blind.blind, evaluated);
* ```
*/
export declare const p256_oprf: TRet<OPRF>;
/**
* FROST threshold signatures over p256. RFC 9591.
* @example
* Create one trusted-dealer package for 2-of-3 p256 signing.
*
* ```ts
* const alice = p256_FROST.Identifier.derive('alice@example.com');
* const bob = p256_FROST.Identifier.derive('bob@example.com');
* const carol = p256_FROST.Identifier.derive('carol@example.com');
* const deal = p256_FROST.trustedDealer({ min: 2, max: 3 }, [alice, bob, carol]);
* ```
*/
export declare const p256_FROST: TRet<FROST>;
/**
* NIST P384 (aka secp384r1) curve, ECDSA and ECDH methods. Hashes inputs with sha384 by default.
* @example
* Generate one P-384 keypair, sign a message, and verify it.
*
* ```ts
* const { secretKey, publicKey } = p384.keygen();
* const msg = new TextEncoder().encode('hello noble');
* const sig = p384.sign(msg, secretKey);
* const isValid = p384.verify(sig, msg, publicKey);
* ```
*/
export declare const p384: ECDSA;
/**
* Hashing / encoding to p384 points / field. RFC 9380 methods.
* @example
* Hash one message onto the P-384 curve.
*
* ```ts
* const point = p384_hasher.hashToCurve(new TextEncoder().encode('hello noble'));
* ```
*/
export declare const p384_hasher: H2CHasher<WeierstrassPointCons<bigint>>;
/**
* p384 OPRF, defined in RFC 9497.
* @example
* Run one blind/evaluate/finalize OPRF round over P-384.
*
* ```ts
* const input = new TextEncoder().encode('hello noble');
* const keys = p384_oprf.oprf.generateKeyPair();
* const blind = p384_oprf.oprf.blind(input);
* const evaluated = p384_oprf.oprf.blindEvaluate(keys.secretKey, blind.blinded);
* const output = p384_oprf.oprf.finalize(input, blind.blind, evaluated);
* ```
*/
export declare const p384_oprf: TRet<OPRF>;
/**
* NIST P521 (aka secp521r1) curve, ECDSA and ECDH methods. Hashes inputs with sha512 by default.
* Deterministic `keygen(seed)` expects 99 seed bytes here because the generic scalar-derivation
* helper uses `getMinHashLength(n)`, not the 66-byte canonical secret-key width.
* @example
* Generate one P-521 keypair, sign a message, and verify it.
*
* ```ts
* const { secretKey, publicKey } = p521.keygen();
* const msg = new TextEncoder().encode('hello noble');
* const sig = p521.sign(msg, secretKey);
* const isValid = p521.verify(sig, msg, publicKey);
* ```
*/
export declare const p521: ECDSA;
/**
* Hashing / encoding to p521 points / field. RFC 9380 methods.
* @example
* Hash one message onto the P-521 curve.
*
* ```ts
* const point = p521_hasher.hashToCurve(new TextEncoder().encode('hello noble'));
* ```
*/
export declare const p521_hasher: H2CHasher<WeierstrassPointCons<bigint>>;
/**
* p521 OPRF, defined in RFC 9497.
* @example
* Run one blind/evaluate/finalize OPRF round over P-521.
*
* ```ts
* const input = new TextEncoder().encode('hello noble');
* const keys = p521_oprf.oprf.generateKeyPair();
* const blind = p521_oprf.oprf.blind(input);
* const evaluated = p521_oprf.oprf.blindEvaluate(keys.secretKey, blind.blinded);
* const output = p521_oprf.oprf.finalize(input, blind.blind, evaluated);
* ```
*/
export declare const p521_oprf: TRet<OPRF>;
//# sourceMappingURL=nist.d.ts.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/nist.d.ts.map
Generated Vendored
+1
View File
@@ -0,0 +1 @@
{"version":3,"file":"nist.d.ts","sourceRoot":"","sources":["src/nist.ts"],"names":[],"mappings":"AAOA,OAAO,EAAe,KAAK,KAAK,EAAE,MAAM,qBAAqB,CAAC;AAC9D,OAAO,EAAgB,KAAK,SAAS,EAAE,MAAM,6BAA6B,CAAC;AAC3E,OAAO,EAAc,KAAK,IAAI,EAAE,MAAM,oBAAoB,CAAC;AAC3D,OAAO,EAIL,KAAK,KAAK,EAEV,KAAK,oBAAoB,EAC1B,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,KAAK,IAAI,EAAE,MAAM,YAAY,CAAC;AA4EvC;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,IAAI,EAAE,KAAiD,CAAC;AACrE;;;;;;;;GAQG;AACH,eAAO,MAAM,WAAW,EAAE,SAAS,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAkB5D,CAAC;AACL;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,SAAS,EAAE,IAAI,CAAC,IAAI,CAO1B,CAAC;AACR;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,UAAU,EAAE,IAAI,CAAC,KAAK,CAM5B,CAAC;AAIR;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,IAAI,EAAE,KAAiD,CAAC;AACrE;;;;;;;;GAQG;AACH,eAAO,MAAM,WAAW,EAAE,SAAS,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAkB5D,CAAC;AACL;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,SAAS,EAAE,IAAI,CAAC,IAAI,CAO1B,CAAC;AAmBR;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,IAAI,EAAE,KAAiD,CAAC;AACrE;;;;;;;;GAQG;AACH,eAAO,MAAM,WAAW,EAAE,SAAS,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAkB5D,CAAC;AACL;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,SAAS,EAAE,IAAI,CAAC,IAAI,CAO1B,CAAC"}
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/nist.js
Generated Vendored
+268
View File
@@ -0,0 +1,268 @@
/**
* Internal module for NIST P256, P384, P521 curves.
* Do not use for now.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { sha256, sha384, sha512 } from '@noble/hashes/sha2.js';
import { createFROST } from "./abstract/frost.js";
import { createHasher } from "./abstract/hash-to-curve.js";
import { createOPRF } from "./abstract/oprf.js";
import { ecdsa, mapToCurveSimpleSWU, weierstrass, } from "./abstract/weierstrass.js";
import {} from "./utils.js";
// p = 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n - 1n
// a = Fp256.create(BigInt('-3'));
const p256_CURVE = /* @__PURE__ */ (() => ({
p: BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'),
n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
h: BigInt(1),
a: BigInt('0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc'),
b: BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b'),
Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
}))();
// p = 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
const p384_CURVE = /* @__PURE__ */ (() => ({
p: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff'),
n: BigInt('0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973'),
h: BigInt(1),
a: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc'),
b: BigInt('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef'),
Gx: BigInt('0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7'),
Gy: BigInt('0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'),
}))();
// p = 2n**521n - 1n
const p521_CURVE = /* @__PURE__ */ (() => ({
p: BigInt('0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'),
n: BigInt('0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'),
h: BigInt(1),
a: BigInt('0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc'),
b: BigInt('0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00'),
Gx: BigInt('0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66'),
Gy: BigInt('0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'),
}))();
function createSWU(Point, opts) {
let map;
// RFC 9380's NIST suites here all use m = 1, so createHasher passes one field element per map.
// Building the SWU sqrt-ratio helper eagerly adds noticeable `nist.js` import cost, so defer it
// to first use; after that the cached mapper is reused directly.
return (scalars) => (map || (map = mapToCurveSimpleSWU(Point.Fp, opts)))(scalars[0]);
}
// NIST P256
const p256_Point = /* @__PURE__ */ weierstrass(p256_CURVE);
/**
* NIST P256 (aka secp256r1, prime256v1) curve, ECDSA and ECDH methods.
* Hashes inputs with sha256 by default.
*
* @example
* Generate one P-256 keypair, sign a message, and verify it.
*
* ```js
* import { p256 } from '@noble/curves/nist.js';
* const { secretKey, publicKey } = p256.keygen();
* // const publicKey = p256.getPublicKey(secretKey);
* const msg = new TextEncoder().encode('hello noble');
* const sig = p256.sign(msg, secretKey);
* const isValid = p256.verify(sig, msg, publicKey);
* // const sigKeccak = p256.sign(keccak256(msg), secretKey, { prehash: false });
* ```
*/
export const p256 = /* @__PURE__ */ ecdsa(p256_Point, sha256);
/**
* Hashing / encoding to p256 points / field. RFC 9380 methods.
* @example
* Hash one message onto the P-256 curve.
*
* ```ts
* const point = p256_hasher.hashToCurve(new TextEncoder().encode('hello noble'));
* ```
*/
export const p256_hasher = /* @__PURE__ */ (() => {
return createHasher(p256_Point, createSWU(p256_Point, {
A: p256_CURVE.a,
B: p256_CURVE.b,
Z: p256_Point.Fp.create(BigInt('-10')),
}), {
DST: 'P256_XMD:SHA-256_SSWU_RO_',
encodeDST: 'P256_XMD:SHA-256_SSWU_NU_',
p: p256_CURVE.p,
m: 1,
k: 128,
expand: 'xmd',
hash: sha256,
});
})();
/**
* p256 OPRF, defined in RFC 9497.
* @example
* Run one blind/evaluate/finalize OPRF round over P-256.
*
* ```ts
* const input = new TextEncoder().encode('hello noble');
* const keys = p256_oprf.oprf.generateKeyPair();
* const blind = p256_oprf.oprf.blind(input);
* const evaluated = p256_oprf.oprf.blindEvaluate(keys.secretKey, blind.blinded);
* const output = p256_oprf.oprf.finalize(input, blind.blind, evaluated);
* ```
*/
export const p256_oprf = /* @__PURE__ */ (() => createOPRF({
name: 'P256-SHA256',
Point: p256_Point,
hash: sha256,
hashToGroup: p256_hasher.hashToCurve,
hashToScalar: p256_hasher.hashToScalar,
}))();
/**
* FROST threshold signatures over p256. RFC 9591.
* @example
* Create one trusted-dealer package for 2-of-3 p256 signing.
*
* ```ts
* const alice = p256_FROST.Identifier.derive('alice@example.com');
* const bob = p256_FROST.Identifier.derive('bob@example.com');
* const carol = p256_FROST.Identifier.derive('carol@example.com');
* const deal = p256_FROST.trustedDealer({ min: 2, max: 3 }, [alice, bob, carol]);
* ```
*/
export const p256_FROST = /* @__PURE__ */ (() => createFROST({
name: 'FROST-P256-SHA256-v1',
Point: p256_Point,
hashToScalar: p256_hasher.hashToScalar,
hash: sha256,
}))();
// NIST P384
const p384_Point = /* @__PURE__ */ weierstrass(p384_CURVE);
/**
* NIST P384 (aka secp384r1) curve, ECDSA and ECDH methods. Hashes inputs with sha384 by default.
* @example
* Generate one P-384 keypair, sign a message, and verify it.
*
* ```ts
* const { secretKey, publicKey } = p384.keygen();
* const msg = new TextEncoder().encode('hello noble');
* const sig = p384.sign(msg, secretKey);
* const isValid = p384.verify(sig, msg, publicKey);
* ```
*/
export const p384 = /* @__PURE__ */ ecdsa(p384_Point, sha384);
/**
* Hashing / encoding to p384 points / field. RFC 9380 methods.
* @example
* Hash one message onto the P-384 curve.
*
* ```ts
* const point = p384_hasher.hashToCurve(new TextEncoder().encode('hello noble'));
* ```
*/
export const p384_hasher = /* @__PURE__ */ (() => {
return createHasher(p384_Point, createSWU(p384_Point, {
A: p384_CURVE.a,
B: p384_CURVE.b,
Z: p384_Point.Fp.create(BigInt('-12')),
}), {
DST: 'P384_XMD:SHA-384_SSWU_RO_',
encodeDST: 'P384_XMD:SHA-384_SSWU_NU_',
p: p384_CURVE.p,
m: 1,
k: 192,
expand: 'xmd',
hash: sha384,
});
})();
/**
* p384 OPRF, defined in RFC 9497.
* @example
* Run one blind/evaluate/finalize OPRF round over P-384.
*
* ```ts
* const input = new TextEncoder().encode('hello noble');
* const keys = p384_oprf.oprf.generateKeyPair();
* const blind = p384_oprf.oprf.blind(input);
* const evaluated = p384_oprf.oprf.blindEvaluate(keys.secretKey, blind.blinded);
* const output = p384_oprf.oprf.finalize(input, blind.blind, evaluated);
* ```
*/
export const p384_oprf = /* @__PURE__ */ (() => createOPRF({
name: 'P384-SHA384',
Point: p384_Point,
hash: sha384,
hashToGroup: p384_hasher.hashToCurve,
hashToScalar: p384_hasher.hashToScalar,
}))();
// NIST P521
// RFC 7518 fixes the canonical JWK/JOSE width at 66 bytes:
// - Section 3.4 says ECDSA octet strings must not omit leading zero octets
// - Sections 6.2.1.2/6.2.1.3 say P-521 coordinates "x"/"y" must be 66 octets
// - Section 6.2.2.1 says private scalar "d" must be ceil(log2(n)/8) octets, i.e. 66 for P-521
// NIST FIPS 186-5 Appendix A.3.3 also routes deterministic ECDSA private keys through Appendix
// B.2.3, whose Integer-to-Octet-String output has explicit fixed length L; for P-521 that is the
// same 66-byte order width.
// RFC 6979 matches that width too: private key x is an integer, while `int2octets(x)` uses
// rlen = 8 * ceil(qlen/8); for P-521, qlen = 521 so the canonical octet width is 66 bytes.
// Wycheproof ECDH stores private values as integers, not fixed-width scalar bytes, so it does not
// require a dedicated 65-byte parser path; the repo tests now normalize those integer fixtures to
// the canonical 66-byte width before use. There is no good standards or oracle reason to accept
// exactly 65 bytes here: the coherent choices are canonical 66 only, or a broader integer-style
// parser across many widths. Since this field parser is fixed-width, keep it canonical and use the
// default exact-66-byte scalar field path.
const p521_Point = /* @__PURE__ */ weierstrass(p521_CURVE);
/**
* NIST P521 (aka secp521r1) curve, ECDSA and ECDH methods. Hashes inputs with sha512 by default.
* Deterministic `keygen(seed)` expects 99 seed bytes here because the generic scalar-derivation
* helper uses `getMinHashLength(n)`, not the 66-byte canonical secret-key width.
* @example
* Generate one P-521 keypair, sign a message, and verify it.
*
* ```ts
* const { secretKey, publicKey } = p521.keygen();
* const msg = new TextEncoder().encode('hello noble');
* const sig = p521.sign(msg, secretKey);
* const isValid = p521.verify(sig, msg, publicKey);
* ```
*/
export const p521 = /* @__PURE__ */ ecdsa(p521_Point, sha512);
/**
* Hashing / encoding to p521 points / field. RFC 9380 methods.
* @example
* Hash one message onto the P-521 curve.
*
* ```ts
* const point = p521_hasher.hashToCurve(new TextEncoder().encode('hello noble'));
* ```
*/
export const p521_hasher = /* @__PURE__ */ (() => {
return createHasher(p521_Point, createSWU(p521_Point, {
A: p521_CURVE.a,
B: p521_CURVE.b,
Z: p521_Point.Fp.create(BigInt('-4')),
}), {
DST: 'P521_XMD:SHA-512_SSWU_RO_',
encodeDST: 'P521_XMD:SHA-512_SSWU_NU_',
p: p521_CURVE.p,
m: 1,
k: 256,
expand: 'xmd',
hash: sha512,
});
})();
/**
* p521 OPRF, defined in RFC 9497.
* @example
* Run one blind/evaluate/finalize OPRF round over P-521.
*
* ```ts
* const input = new TextEncoder().encode('hello noble');
* const keys = p521_oprf.oprf.generateKeyPair();
* const blind = p521_oprf.oprf.blind(input);
* const evaluated = p521_oprf.oprf.blindEvaluate(keys.secretKey, blind.blinded);
* const output = p521_oprf.oprf.finalize(input, blind.blind, evaluated);
* ```
*/
export const p521_oprf = /* @__PURE__ */ (() => createOPRF({
name: 'P521-SHA512',
Point: p521_Point,
hash: sha512,
hashToGroup: p521_hasher.hashToCurve,
hashToScalar: p521_hasher.hashToScalar, // produces L=98 just like in RFC
}))();
//# sourceMappingURL=nist.js.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/nist.js.map
Generated Vendored
+1
View File
@@ -0,0 +1 @@
{"version":3,"file":"nist.js","sourceRoot":"","sources":["src/nist.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,sEAAsE;AACtE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/D,OAAO,EAAE,WAAW,EAAc,MAAM,qBAAqB,CAAC;AAC9D,OAAO,EAAE,YAAY,EAAkB,MAAM,6BAA6B,CAAC;AAC3E,OAAO,EAAE,UAAU,EAAa,MAAM,oBAAoB,CAAC;AAC3D,OAAO,EACL,KAAK,EACL,mBAAmB,EACnB,WAAW,GAIZ,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAa,MAAM,YAAY,CAAC;AAEvC,wDAAwD;AACxD,kCAAkC;AAClC,MAAM,UAAU,GAA4B,eAAe,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;IAClE,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,EAAE,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAChF,EAAE,EAAE,MAAM,CAAC,oEAAoE,CAAC;CACjF,CAAC,CAAC,EAAE,CAAC;AAEN,mDAAmD;AACnD,MAAM,UAAU,GAA4B,eAAe,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;IAClE,CAAC,EAAE,MAAM,CACP,oGAAoG,CACrG;IACD,CAAC,EAAE,MAAM,CACP,oGAAoG,CACrG;IACD,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,CAAC,EAAE,MAAM,CACP,oGAAoG,CACrG;IACD,CAAC,EAAE,MAAM,CACP,oGAAoG,CACrG;IACD,EAAE,EAAE,MAAM,CACR,oGAAoG,CACrG;IACD,EAAE,EAAE,MAAM,CACR,oGAAoG,CACrG;CACF,CAAC,CAAC,EAAE,CAAC;AAEN,oBAAoB;AACpB,MAAM,UAAU,GAA4B,eAAe,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;IAClE,CAAC,EAAE,MAAM,CACP,uIAAuI,CACxI;IACD,CAAC,EAAE,MAAM,CACP,wIAAwI,CACzI;IACD,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,CAAC,EAAE,MAAM,CACP,uIAAuI,CACxI;IACD,CAAC,EAAE,MAAM,CACP,wIAAwI,CACzI;IACD,EAAE,EAAE,MAAM,CACR,wIAAwI,CACzI;IACD,EAAE,EAAE,MAAM,CACR,wIAAwI,CACzI;CACF,CAAC,CAAC,EAAE,CAAC;AAQN,SAAS,SAAS,CAAC,KAAmC,EAAE,IAAa;IACnE,IAAI,GAA0D,CAAC;IAC/D,+FAA+F;IAC/F,gGAAgG;IAChG,iEAAiE;IACjE,OAAO,CAAC,OAAiB,EAAE,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,GAAG,mBAAmB,CAAC,KAAK,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;AACjG,CAAC;AAED,YAAY;AACZ,MAAM,UAAU,GAAG,eAAe,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;AAC3D;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,MAAM,IAAI,GAAU,eAAe,CAAC,KAAK,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;AACrE;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,WAAW,GAA4C,eAAe,CAAC,CAAC,GAAG,EAAE;IACxF,OAAO,YAAY,CACjB,UAAU,EACV,SAAS,CAAC,UAAU,EAAE;QACpB,CAAC,EAAE,UAAU,CAAC,CAAC;QACf,CAAC,EAAE,UAAU,CAAC,CAAC;QACf,CAAC,EAAE,UAAU,CAAC,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;KACvC,CAAC,EACF;QACE,GAAG,EAAE,2BAA2B;QAChC,SAAS,EAAE,2BAA2B;QACtC,CAAC,EAAE,UAAU,CAAC,CAAC;QACf,CAAC,EAAE,CAAC;QACJ,CAAC,EAAE,GAAG;QACN,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,MAAM;KACb,CACF,CAAC;AACJ,CAAC,CAAC,EAAE,CAAC;AACL;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,MAAM,SAAS,GAAe,eAAe,CAAC,CAAC,GAAG,EAAE,CACzD,UAAU,CAAC;IACT,IAAI,EAAE,aAAa;IACnB,KAAK,EAAE,UAAU;IACjB,IAAI,EAAE,MAAM;IACZ,WAAW,EAAE,WAAW,CAAC,WAAW;IACpC,YAAY,EAAE,WAAW,CAAC,YAAY;CACvC,CAAC,CAAC,EAAE,CAAC;AACR;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,MAAM,UAAU,GAAgB,eAAe,CAAC,CAAC,GAAG,EAAE,CAC3D,WAAW,CAAC;IACV,IAAI,EAAE,sBAAsB;IAC5B,KAAK,EAAE,UAAU;IACjB,YAAY,EAAE,WAAW,CAAC,YAAY;IACtC,IAAI,EAAE,MAAM;CACb,CAAC,CAAC,EAAE,CAAC;AAER,YAAY;AACZ,MAAM,UAAU,GAAG,eAAe,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;AAC3D;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,MAAM,IAAI,GAAU,eAAe,CAAC,KAAK,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;AACrE;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,WAAW,GAA4C,eAAe,CAAC,CAAC,GAAG,EAAE;IACxF,OAAO,YAAY,CACjB,UAAU,EACV,SAAS,CAAC,UAAU,EAAE;QACpB,CAAC,EAAE,UAAU,CAAC,CAAC;QACf,CAAC,EAAE,UAAU,CAAC,CAAC;QACf,CAAC,EAAE,UAAU,CAAC,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;KACvC,CAAC,EACF;QACE,GAAG,EAAE,2BAA2B;QAChC,SAAS,EAAE,2BAA2B;QACtC,CAAC,EAAE,UAAU,CAAC,CAAC;QACf,CAAC,EAAE,CAAC;QACJ,CAAC,EAAE,GAAG;QACN,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,MAAM;KACb,CACF,CAAC;AACJ,CAAC,CAAC,EAAE,CAAC;AACL;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,MAAM,SAAS,GAAe,eAAe,CAAC,CAAC,GAAG,EAAE,CACzD,UAAU,CAAC;IACT,IAAI,EAAE,aAAa;IACnB,KAAK,EAAE,UAAU;IACjB,IAAI,EAAE,MAAM;IACZ,WAAW,EAAE,WAAW,CAAC,WAAW;IACpC,YAAY,EAAE,WAAW,CAAC,YAAY;CACvC,CAAC,CAAC,EAAE,CAAC;AAER,YAAY;AACZ,2DAA2D;AAC3D,2EAA2E;AAC3E,6EAA6E;AAC7E,8FAA8F;AAC9F,+FAA+F;AAC/F,iGAAiG;AACjG,4BAA4B;AAC5B,2FAA2F;AAC3F,2FAA2F;AAC3F,kGAAkG;AAClG,kGAAkG;AAClG,gGAAgG;AAChG,gGAAgG;AAChG,mGAAmG;AACnG,2CAA2C;AAC3C,MAAM,UAAU,GAAG,eAAe,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;AAC3D;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,MAAM,IAAI,GAAU,eAAe,CAAC,KAAK,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;AACrE;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,WAAW,GAA4C,eAAe,CAAC,CAAC,GAAG,EAAE;IACxF,OAAO,YAAY,CACjB,UAAU,EACV,SAAS,CAAC,UAAU,EAAE;QACpB,CAAC,EAAE,UAAU,CAAC,CAAC;QACf,CAAC,EAAE,UAAU,CAAC,CAAC;QACf,CAAC,EAAE,UAAU,CAAC,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;KACtC,CAAC,EACF;QACE,GAAG,EAAE,2BAA2B;QAChC,SAAS,EAAE,2BAA2B;QACtC,CAAC,EAAE,UAAU,CAAC,CAAC;QACf,CAAC,EAAE,CAAC;QACJ,CAAC,EAAE,GAAG;QACN,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,MAAM;KACb,CACF,CAAC;AACJ,CAAC,CAAC,EAAE,CAAC;AACL;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,MAAM,SAAS,GAAe,eAAe,CAAC,CAAC,GAAG,EAAE,CACzD,UAAU,CAAC;IACT,IAAI,EAAE,aAAa;IACnB,KAAK,EAAE,UAAU;IACjB,IAAI,EAAE,MAAM;IACZ,WAAW,EAAE,WAAW,CAAC,WAAW;IACpC,YAAY,EAAE,WAAW,CAAC,YAAY,EAAE,iCAAiC;CAC1E,CAAC,CAAC,EAAE,CAAC"}
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/package.json
Generated Vendored
+103
View File
@@ -0,0 +1,103 @@
{
"name": "@noble/curves",
"version": "2.2.0",
"description": "Audited & minimal JS implementation of elliptic curve cryptography",
"files": [
"*.js",
"*.js.map",
"*.d.ts",
"*.d.ts.map",
"abstract",
"src"
],
"dependencies": {
"@noble/hashes": "2.2.0"
},
"devDependencies": {
"@paulmillr/jsbt": "0.5.0",
"@types/node": "25.3.0",
"fast-check": "4.2.0",
"prettier": "3.6.2",
"typescript": "6.0.2"
},
"scripts": {
"bench": "cd test/benchmark; node secp256k1.ts; node curves.ts; node utils.ts; node bls.ts",
"bench:install": "cd test/benchmark; npm install; npm install ../.. --install-links",
"build": "tsc",
"build:release": "npx --no @paulmillr/jsbt esbuild test/build",
"check": "npm run check:readme && npm run check:treeshake && npm run check:jsdoc",
"check:readme": "npx --no @paulmillr/jsbt readme package.json",
"check:treeshake": "npx --no @paulmillr/jsbt treeshake package.json test/build/out-treeshake",
"check:jsdoc": "npx --no @paulmillr/jsbt tsdoc package.json",
"build:clean": "rm {.,abstract}/*.{js,d.ts,d.ts.map,js.map} 2> /dev/null",
"format": "prettier --write 'src/**/*.{js,ts}' 'test/*.{js,ts}'",
"test": "node test/index.ts",
"test:bun": "bun test/index.ts",
"test:deno": "deno --allow-env --allow-read test/index.ts",
"test:node20": "cd test; npx tsc; node compiled/test/index.js",
"test:coverage": "npm install --no-save c8@10.1.2 && npx c8 npm test"
},
"exports": {
".": "./index.js",
"./abstract/bls.js": "./abstract/bls.js",
"./abstract/curve.js": "./abstract/curve.js",
"./abstract/edwards.js": "./abstract/edwards.js",
"./abstract/fft.js": "./abstract/fft.js",
"./abstract/frost.js": "./abstract/frost.js",
"./abstract/hash-to-curve.js": "./abstract/hash-to-curve.js",
"./abstract/modular.js": "./abstract/modular.js",
"./abstract/montgomery.js": "./abstract/montgomery.js",
"./abstract/oprf.js": "./abstract/oprf.js",
"./abstract/poseidon.js": "./abstract/poseidon.js",
"./abstract/tower.js": "./abstract/tower.js",
"./abstract/weierstrass.js": "./abstract/weierstrass.js",
"./bls12-381.js": "./bls12-381.js",
"./bn254.js": "./bn254.js",
"./ed448.js": "./ed448.js",
"./ed25519.js": "./ed25519.js",
"./misc.js": "./misc.js",
"./nist.js": "./nist.js",
"./secp256k1.js": "./secp256k1.js",
"./utils.js": "./utils.js",
"./webcrypto.js": "./webcrypto.js"
},
"engines": {
"node": ">= 20.19.0"
},
"keywords": [
"cryptography",
"secp256k1",
"ed25519",
"p256",
"p384",
"p521",
"secp256r1",
"ed448",
"x25519",
"ed25519",
"bls12-381",
"bn254",
"alt_bn128",
"bls",
"noble",
"ecc",
"ecdsa",
"eddsa",
"oprf",
"schnorr",
"fft"
],
"homepage": "https://paulmillr.com/noble/",
"funding": "https://paulmillr.com/funding/",
"repository": {
"type": "git",
"url": "git+https://github.com/paulmillr/noble-curves.git"
},
"type": "module",
"main": "index.js",
"module": "index.js",
"types": "index.d.ts",
"sideEffects": false,
"author": "Paul Miller (https://paulmillr.com)",
"license": "MIT"
}
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/secp256k1.d.ts
Generated Vendored
+153
View File
@@ -0,0 +1,153 @@
import { type CurveLengths } from './abstract/curve.ts';
import { type FROST } from './abstract/frost.ts';
import { type H2CHasher } from './abstract/hash-to-curve.ts';
import { type ECDSA, type WeierstrassPoint as PointType, type WeierstrassPointCons } from './abstract/weierstrass.ts';
import { type TArg, type TRet } from './utils.ts';
/**
* secp256k1 curve: ECDSA and ECDH methods.
*
* Uses sha256 to hash messages. To use a different hash,
* pass `{ prehash: false }` to sign / verify.
*
* @example
* Generate one secp256k1 keypair, sign a message, and verify it.
*
* ```js
* import { secp256k1 } from '@noble/curves/secp256k1.js';
* const { secretKey, publicKey } = secp256k1.keygen();
* // const publicKey = secp256k1.getPublicKey(secretKey);
* const msg = new TextEncoder().encode('hello noble');
* const sig = secp256k1.sign(msg, secretKey);
* const isValid = secp256k1.verify(sig, msg, publicKey);
* // const sigKeccak = secp256k1.sign(keccak256(msg), secretKey, { prehash: false });
* ```
*/
export declare const secp256k1: ECDSA;
declare function taggedHash(tag: string, ...messages: TArg<Uint8Array[]>): TRet<Uint8Array>;
/**
* lift_x from BIP340. Convert 32-byte x coordinate to elliptic curve point.
* @returns valid point checked for being on-curve
*/
declare function lift_x(x: bigint): PointType<bigint>;
/** Schnorr public key is just `x` coordinate of Point as per BIP340. */
declare function schnorrGetPublicKey(secretKey: TArg<Uint8Array>): TRet<Uint8Array>;
/**
* Creates Schnorr signature as per BIP340. Verifies itself before returning anything.
* `auxRand` is optional and is not the sole source of `k` generation: bad CSPRNG output will not
* be catastrophic, but BIP-340 still recommends fresh auxiliary randomness when available to harden
* deterministic signing against side-channel and fault-injection attacks.
*/
declare function schnorrSign(message: TArg<Uint8Array>, secretKey: TArg<Uint8Array>, auxRand?: TArg<Uint8Array>): TRet<Uint8Array>;
/**
* Verifies Schnorr signature.
* Will swallow errors & return false except for initial type validation of arguments.
*/
declare function schnorrVerify(signature: TArg<Uint8Array>, message: TArg<Uint8Array>, publicKey: TArg<Uint8Array>): boolean;
export declare const __TEST: {
lift_x: typeof lift_x;
};
/** Schnorr-specific secp256k1 API from BIP340. */
export type SecpSchnorr = {
/**
* Generate one Schnorr secret/public keypair.
* @param seed - Optional seed for deterministic testing or custom randomness.
* @returns Fresh secret/public keypair.
*/
keygen: (seed?: TArg<Uint8Array>) => {
secretKey: TRet<Uint8Array>;
publicKey: TRet<Uint8Array>;
};
/**
* Derive the x-only public key from a secret key.
* @param secretKey - Secret key bytes.
* @returns X-only public key bytes.
*/
getPublicKey: typeof schnorrGetPublicKey;
/**
* Create one BIP340 Schnorr signature.
* @param message - Message bytes to sign.
* @param secretKey - Secret key bytes.
* @param auxRand - Optional auxiliary randomness.
* @returns Compact Schnorr signature bytes.
*/
sign: typeof schnorrSign;
/**
* Verify one BIP340 Schnorr signature.
* @param signature - Compact signature bytes.
* @param message - Signed message bytes.
* @param publicKey - X-only public key bytes.
* @returns `true` when the signature is valid.
*/
verify: typeof schnorrVerify;
/** Underlying secp256k1 point constructor. */
Point: WeierstrassPointCons<bigint>;
/** Helper utilities for Schnorr-specific key handling and tagged hashing. */
utils: {
/** Generate one Schnorr secret key. */
randomSecretKey: (seed?: TArg<Uint8Array>) => TRet<Uint8Array>;
/** Convert one point into its x-only BIP340 byte encoding. */
pointToBytes: (point: TArg<PointType<bigint>>) => TRet<Uint8Array>;
/** Lift one x coordinate into the unique even-Y point. */
lift_x: typeof lift_x;
/** Compute a BIP340 tagged hash. */
taggedHash: typeof taggedHash;
};
/** Public byte lengths for keys, signatures, and seeds. */
lengths: CurveLengths;
};
/**
* Schnorr signatures over secp256k1.
* See {@link https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki | BIP 340}.
* @example
* Generate one BIP340 Schnorr keypair, sign a message, and verify it.
*
* ```js
* import { schnorr } from '@noble/curves/secp256k1.js';
* const { secretKey, publicKey } = schnorr.keygen();
* // const publicKey = schnorr.getPublicKey(secretKey);
* const msg = new TextEncoder().encode('hello');
* const sig = schnorr.sign(msg, secretKey);
* const isValid = schnorr.verify(sig, msg, publicKey);
* ```
*/
export declare const schnorr: SecpSchnorr;
/**
* Hashing / encoding to secp256k1 points / field. RFC 9380 methods.
* @example
* Hash one message onto secp256k1.
*
* ```ts
* const point = secp256k1_hasher.hashToCurve(new TextEncoder().encode('hello noble'));
* ```
*/
export declare const secp256k1_hasher: H2CHasher<WeierstrassPointCons<bigint>>;
/**
* FROST threshold signatures over secp256k1. RFC 9591.
* @example
* Create one trusted-dealer package for 2-of-3 secp256k1 signing.
*
* ```ts
* const alice = secp256k1_FROST.Identifier.derive('alice@example.com');
* const bob = secp256k1_FROST.Identifier.derive('bob@example.com');
* const carol = secp256k1_FROST.Identifier.derive('carol@example.com');
* const deal = secp256k1_FROST.trustedDealer({ min: 2, max: 3 }, [alice, bob, carol]);
* ```
*/
export declare const secp256k1_FROST: TRet<FROST>;
/**
* FROST threshold signatures over secp256k1-schnorr-taproot. RFC 9591.
* DKG outputs are auto-tweaked with the empty Taproot merkle root for compatibility, while
* `trustedDealer()` outputs stay untweaked unless callers apply the Taproot tweak themselves.
* @example
* Create one trusted-dealer package for Taproot-compatible FROST signing.
*
* ```ts
* const alice = schnorr_FROST.Identifier.derive('alice@example.com');
* const bob = schnorr_FROST.Identifier.derive('bob@example.com');
* const carol = schnorr_FROST.Identifier.derive('carol@example.com');
* const deal = schnorr_FROST.trustedDealer({ min: 2, max: 3 }, [alice, bob, carol]);
* ```
*/
export declare const schnorr_FROST: TRet<FROST>;
export {};
//# sourceMappingURL=secp256k1.d.ts.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/secp256k1.d.ts.map
Generated Vendored
+1
View File
@@ -0,0 +1 @@
{"version":3,"file":"secp256k1.d.ts","sourceRoot":"","sources":["src/secp256k1.ts"],"names":[],"mappings":"AAUA,OAAO,EAAgB,KAAK,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACtE,OAAO,EAEL,KAAK,KAAK,EAIX,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAgB,KAAK,SAAS,EAAc,MAAM,6BAA6B,CAAC;AAEvF,OAAO,EACL,KAAK,KAAK,EAIV,KAAK,gBAAgB,IAAI,SAAS,EAGlC,KAAK,oBAAoB,EAC1B,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAKL,KAAK,IAAI,EACT,KAAK,IAAI,EACV,MAAM,YAAY,CAAC;AA4DpB;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,SAAS,EAAE,KAA8C,CAAC;AAOvE,iBAAS,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,QAAQ,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC,GAAG,IAAI,CAAC,UAAU,CAAC,CAQlF;AAeD;;;GAGG;AACH,iBAAS,MAAM,CAAC,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC,MAAM,CAAC,CAY5C;AASD,wEAAwE;AACxE,iBAAS,mBAAmB,CAAC,SAAS,EAAE,IAAI,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC,UAAU,CAAC,CAE1E;AAED;;;;;GAKG;AACH,iBAAS,WAAW,CAClB,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,EACzB,SAAS,EAAE,IAAI,CAAC,UAAU,CAAC,EAC3B,OAAO,GAAE,IAAI,CAAC,UAAU,CAAmB,GAC1C,IAAI,CAAC,UAAU,CAAC,CAwBlB;AAED;;;GAGG;AACH,iBAAS,aAAa,CACpB,SAAS,EAAE,IAAI,CAAC,UAAU,CAAC,EAC3B,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,EACzB,SAAS,EAAE,IAAI,CAAC,UAAU,CAAC,GAC1B,OAAO,CA0BT;AAED,eAAO,MAAM,MAAM,EAAE;IAAE,MAAM,EAAE,OAAO,MAAM,CAAA;CAA8C,CAAC;AAE3F,kDAAkD;AAClD,MAAM,MAAM,WAAW,GAAG;IACxB;;;;OAIG;IACH,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,IAAI,CAAC,UAAU,CAAC,KAAK;QAAE,SAAS,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QAAC,SAAS,EAAE,IAAI,CAAC,UAAU,CAAC,CAAA;KAAE,CAAC;IAClG;;;;OAIG;IACH,YAAY,EAAE,OAAO,mBAAmB,CAAC;IACzC;;;;;;OAMG;IACH,IAAI,EAAE,OAAO,WAAW,CAAC;IACzB;;;;;;OAMG;IACH,MAAM,EAAE,OAAO,aAAa,CAAC;IAC7B,8CAA8C;IAC9C,KAAK,EAAE,oBAAoB,CAAC,MAAM,CAAC,CAAC;IACpC,6EAA6E;IAC7E,KAAK,EAAE;QACL,uCAAuC;QACvC,eAAe,EAAE,CAAC,IAAI,CAAC,EAAE,IAAI,CAAC,UAAU,CAAC,KAAK,IAAI,CAAC,UAAU,CAAC,CAAC;QAC/D,8DAA8D;QAC9D,YAAY,EAAE,CAAC,KAAK,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,KAAK,IAAI,CAAC,UAAU,CAAC,CAAC;QACnE,0DAA0D;QAC1D,MAAM,EAAE,OAAO,MAAM,CAAC;QACtB,oCAAoC;QACpC,UAAU,EAAE,OAAO,UAAU,CAAC;KAC/B,CAAC;IACF,2DAA2D;IAC3D,OAAO,EAAE,YAAY,CAAC;CACvB,CAAC;AACF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,OAAO,EAAE,WA2BlB,CAAC;AAiDL;;;;;;;;GAQG;AACH,eAAO,MAAM,gBAAgB,EAAE,SAAS,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAgB/D,CAAC;AACP;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,eAAe,EAAE,IAAI,CAAC,KAAK,CAMjC,CAAC;AAqFR;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,aAAa,EAAE,IAAI,CAAC,KAAK,CAuC/B,CAAC"}
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/secp256k1.js
Generated Vendored
+466
View File
@@ -0,0 +1,466 @@
/**
* SECG secp256k1. See [pdf](https://www.secg.org/sec2-v2.pdf).
*
* Belongs to Koblitz curves: it has efficiently-computable GLV endomorphism ψ,
* check out {@link EndomorphismOpts}. Seems to be rigid (not backdoored).
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { sha256 } from '@noble/hashes/sha2.js';
import { randomBytes } from '@noble/hashes/utils.js';
import { createKeygen } from "./abstract/curve.js";
import { createFROST, } from "./abstract/frost.js";
import { createHasher, isogenyMap } from "./abstract/hash-to-curve.js";
import { Field, mapHashToField, pow2 } from "./abstract/modular.js";
import { ecdsa, mapToCurveSimpleSWU, weierstrass, } from "./abstract/weierstrass.js";
import { abytes, asciiToBytes, bytesToNumberBE, concatBytes, } from "./utils.js";
// Seems like generator was produced from some seed:
// `Pointk1.BASE.multiply(Pointk1.Fn.inv(2n, N)).toAffine().x`
// // gives short x 0x3b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63n
const secp256k1_CURVE = {
p: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f'),
n: BigInt('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141'),
h: BigInt(1),
a: BigInt(0),
b: BigInt(7),
Gx: BigInt('0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798'),
Gy: BigInt('0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8'),
};
const secp256k1_ENDO = {
beta: BigInt('0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee'),
basises: [
[BigInt('0x3086d221a7d46bcde86c90e49284eb15'), -BigInt('0xe4437ed6010e88286f547fa90abfe4c3')],
[BigInt('0x114ca50f7a8e2f3f657c1108d9d44cfd8'), BigInt('0x3086d221a7d46bcde86c90e49284eb15')],
],
};
const _0n = /* @__PURE__ */ BigInt(0);
const _2n = /* @__PURE__ */ BigInt(2);
/**
* √n = n^((p+1)/4) for fields p = 3 mod 4. We unwrap the loop and multiply bit-by-bit.
* (P+1n/4n).toString(2) would produce bits [223x 1, 0, 22x 1, 4x 0, 11, 00]
*/
function sqrtMod(y) {
const P = secp256k1_CURVE.p;
// prettier-ignore
const _3n = BigInt(3), _6n = BigInt(6), _11n = BigInt(11), _22n = BigInt(22);
// prettier-ignore
const _23n = BigInt(23), _44n = BigInt(44), _88n = BigInt(88);
const b2 = (y * y * y) % P; // x^3, 11
const b3 = (b2 * b2 * y) % P; // x^7
const b6 = (pow2(b3, _3n, P) * b3) % P;
const b9 = (pow2(b6, _3n, P) * b3) % P;
const b11 = (pow2(b9, _2n, P) * b2) % P;
const b22 = (pow2(b11, _11n, P) * b11) % P;
const b44 = (pow2(b22, _22n, P) * b22) % P;
const b88 = (pow2(b44, _44n, P) * b44) % P;
const b176 = (pow2(b88, _88n, P) * b88) % P;
const b220 = (pow2(b176, _44n, P) * b44) % P;
const b223 = (pow2(b220, _3n, P) * b3) % P;
const t1 = (pow2(b223, _23n, P) * b22) % P;
const t2 = (pow2(t1, _6n, P) * b2) % P;
const root = pow2(t2, _2n, P);
if (!Fpk1.eql(Fpk1.sqr(root), y))
throw new Error('Cannot find square root');
return root;
}
const Fpk1 = Field(secp256k1_CURVE.p, { sqrt: sqrtMod });
const Pointk1 = /* @__PURE__ */ weierstrass(secp256k1_CURVE, {
Fp: Fpk1,
endo: secp256k1_ENDO,
});
/**
* secp256k1 curve: ECDSA and ECDH methods.
*
* Uses sha256 to hash messages. To use a different hash,
* pass `{ prehash: false }` to sign / verify.
*
* @example
* Generate one secp256k1 keypair, sign a message, and verify it.
*
* ```js
* import { secp256k1 } from '@noble/curves/secp256k1.js';
* const { secretKey, publicKey } = secp256k1.keygen();
* // const publicKey = secp256k1.getPublicKey(secretKey);
* const msg = new TextEncoder().encode('hello noble');
* const sig = secp256k1.sign(msg, secretKey);
* const isValid = secp256k1.verify(sig, msg, publicKey);
* // const sigKeccak = secp256k1.sign(keccak256(msg), secretKey, { prehash: false });
* ```
*/
export const secp256k1 = /* @__PURE__ */ ecdsa(Pointk1, sha256);
// Schnorr signatures are superior to ECDSA from above. Below is Schnorr-specific BIP0340 code.
// https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
/** An object mapping tags to their tagged hash prefix of [SHA256(tag) | SHA256(tag)] */
const TAGGED_HASH_PREFIXES = {};
// BIP-340 phrases tags as UTF-8, but all current standardized names here are 7-bit ASCII.
function taggedHash(tag, ...messages) {
let tagP = TAGGED_HASH_PREFIXES[tag];
if (tagP === undefined) {
const tagH = sha256(asciiToBytes(tag));
tagP = concatBytes(tagH, tagH);
TAGGED_HASH_PREFIXES[tag] = tagP;
}
return sha256(concatBytes(tagP, ...messages));
}
// ECDSA compact points are 33-byte. Schnorr is 32: we strip first byte 0x02 or 0x03
const pointToBytes = (point) => point.toBytes(true).slice(1);
const hasEven = (y) => y % _2n === _0n;
// Calculate point, scalar and bytes
function schnorrGetExtPubKey(priv) {
const { Fn, BASE } = Pointk1;
const d_ = Fn.fromBytes(priv);
const p = BASE.multiply(d_); // P = d'⋅G; 0 < d' < n check is done inside
const scalar = hasEven(p.y) ? d_ : Fn.neg(d_);
return { scalar, bytes: pointToBytes(p) };
}
/**
* lift_x from BIP340. Convert 32-byte x coordinate to elliptic curve point.
* @returns valid point checked for being on-curve
*/
function lift_x(x) {
const Fp = Fpk1;
if (!Fp.isValidNot0(x))
throw new Error('invalid x: Fail if x ≥ p');
const xx = Fp.create(x * x);
const c = Fp.create(xx * x + BigInt(7)); // Let c = x³ + 7 mod p.
let y = Fp.sqrt(c); // Let y = c^(p+1)/4 mod p. Same as sqrt().
// Return the unique point P such that x(P) = x and
// y(P) = y if y mod 2 = 0 or y(P) = p-y otherwise.
if (!hasEven(y))
y = Fp.neg(y);
const p = Pointk1.fromAffine({ x, y });
p.assertValidity();
return p;
}
// BIP-340 callers still need to supply canonical 32-byte inputs where required; this alias only
// parses big-endian bytes and does not enforce the fixed-width contract itself.
const num = bytesToNumberBE;
/** Create tagged hash, convert it to bigint, reduce modulo-n. */
function challenge(...args) {
return Pointk1.Fn.create(num(taggedHash('BIP0340/challenge', ...args)));
}
/** Schnorr public key is just `x` coordinate of Point as per BIP340. */
function schnorrGetPublicKey(secretKey) {
return schnorrGetExtPubKey(secretKey).bytes; // d'=int(sk). Fail if d'=0 or d'≥n. Ret bytes(d'⋅G)
}
/**
* Creates Schnorr signature as per BIP340. Verifies itself before returning anything.
* `auxRand` is optional and is not the sole source of `k` generation: bad CSPRNG output will not
* be catastrophic, but BIP-340 still recommends fresh auxiliary randomness when available to harden
* deterministic signing against side-channel and fault-injection attacks.
*/
function schnorrSign(message, secretKey, auxRand = randomBytes(32)) {
const { Fn, BASE } = Pointk1;
const m = abytes(message, undefined, 'message');
const { bytes: px, scalar: d } = schnorrGetExtPubKey(secretKey); // checks for isWithinCurveOrder
const a = abytes(auxRand, 32, 'auxRand'); // Auxiliary random data a: a 32-byte array
// Let t be the byte-wise xor of bytes(d) and hash/aux(a).
const t = Fn.toBytes(d ^ num(taggedHash('BIP0340/aux', a)));
const rand = taggedHash('BIP0340/nonce', t, px, m); // Let rand = hash/nonce(t || bytes(P) || m)
// BIP340 defines k' = int(rand) mod n. We can't reuse schnorrGetExtPubKey(rand)
// here: that helper parses canonical secret keys and rejects rand >= n instead
// of reducing the nonce hash modulo the group order.
const k_ = Fn.create(num(rand));
// BIP-340: "Let k' = int(rand) mod n. Fail if k' = 0. Let R = k'⋅G."
if (k_ === 0n)
throw new Error('sign failed: k is zero');
const p = BASE.multiply(k_); // Rejects zero; only the raw nonce hash needs reduction.
const k = hasEven(p.y) ? k_ : Fn.neg(k_);
const rx = pointToBytes(p);
const e = challenge(rx, px, m); // Let e = int(hash/challenge(bytes(R) || bytes(P) || m)) mod n.
const sig = new Uint8Array(64); // Let sig = bytes(R) || bytes((k + ed) mod n).
sig.set(rx, 0);
sig.set(Fn.toBytes(Fn.create(k + e * d)), 32);
// If Verify(bytes(P), m, sig) (see below) returns failure, abort
if (!schnorrVerify(sig, m, px))
throw new Error('sign: Invalid signature produced');
return sig;
}
/**
* Verifies Schnorr signature.
* Will swallow errors & return false except for initial type validation of arguments.
*/
function schnorrVerify(signature, message, publicKey) {
const { Fp, Fn, BASE } = Pointk1;
const sig = abytes(signature, 64, 'signature');
const m = abytes(message, undefined, 'message');
const pub = abytes(publicKey, 32, 'publicKey');
try {
const P = lift_x(num(pub)); // P = lift_x(int(pk)); fail if that fails
const r = num(sig.subarray(0, 32)); // Let r = int(sig[0:32]); fail if r ≥ p.
if (!Fp.isValidNot0(r))
return false;
const s = num(sig.subarray(32, 64)); // Let s = int(sig[32:64]); fail if s ≥ n.
// Stricter than BIP-340/libsecp256k1, which only reject s >= n. Honest signing reaches
// s = 0 only with negligible probability (k + e*d ≡ 0 mod n), so treat zero-s inputs as
// crafted edge cases and fail closed instead of carrying that extra verification surface.
if (!Fn.isValidNot0(s))
return false;
// int(challenge(bytes(r) || bytes(P) || m)) % n
const e = challenge(Fn.toBytes(r), pointToBytes(P), m);
// R = s⋅G - e⋅P, where -eP == (n-e)P
const R = BASE.multiplyUnsafe(s).add(P.multiplyUnsafe(Fn.neg(e)));
const { x, y } = R.toAffine();
// Fail if is_infinite(R) / not has_even_y(R) / x(R) ≠ r.
if (R.is0() || !hasEven(y) || x !== r)
return false;
return true;
}
catch (error) {
return false;
}
}
export const __TEST = /* @__PURE__ */ Object.freeze({ lift_x });
/**
* Schnorr signatures over secp256k1.
* See {@link https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki | BIP 340}.
* @example
* Generate one BIP340 Schnorr keypair, sign a message, and verify it.
*
* ```js
* import { schnorr } from '@noble/curves/secp256k1.js';
* const { secretKey, publicKey } = schnorr.keygen();
* // const publicKey = schnorr.getPublicKey(secretKey);
* const msg = new TextEncoder().encode('hello');
* const sig = schnorr.sign(msg, secretKey);
* const isValid = schnorr.verify(sig, msg, publicKey);
* ```
*/
export const schnorr = /* @__PURE__ */ (() => {
const size = 32;
const seedLength = 48;
const randomSecretKey = (seed) => {
seed = seed === undefined ? randomBytes(seedLength) : seed;
return mapHashToField(seed, secp256k1_CURVE.n);
};
return Object.freeze({
keygen: createKeygen(randomSecretKey, schnorrGetPublicKey),
getPublicKey: schnorrGetPublicKey,
sign: schnorrSign,
verify: schnorrVerify,
Point: Pointk1,
utils: Object.freeze({
randomSecretKey,
taggedHash,
lift_x,
pointToBytes,
}),
lengths: Object.freeze({
secretKey: size,
publicKey: size,
publicKeyHasPrefix: false,
signature: size * 2,
seed: seedLength,
}),
});
})();
// RFC 9380 Appendix E.1 3-isogeny coefficients for secp256k1, stored in ascending degree order.
// The final `1` in each denominator array is the explicit monic leading term.
const isoMap = /* @__PURE__ */ (() => isogenyMap(Fpk1, [
// xNum
[
'0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa8c7',
'0x7d3d4c80bc321d5b9f315cea7fd44c5d595d2fc0bf63b92dfff1044f17c6581',
'0x534c328d23f234e6e2a413deca25caece4506144037c40314ecbd0b53d9dd262',
'0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa88c',
],
// xDen
[
'0xd35771193d94918a9ca34ccbb7b640dd86cd409542f8487d9fe6b745781eb49b',
'0xedadc6f64383dc1df7c4b2d51b54225406d36b641f5e41bbc52a56612a8c6d14',
'0x0000000000000000000000000000000000000000000000000000000000000001', // LAST 1
],
// yNum
[
'0x4bda12f684bda12f684bda12f684bda12f684bda12f684bda12f684b8e38e23c',
'0xc75e0c32d5cb7c0fa9d0a54b12a0a6d5647ab046d686da6fdffc90fc201d71a3',
'0x29a6194691f91a73715209ef6512e576722830a201be2018a765e85a9ecee931',
'0x2f684bda12f684bda12f684bda12f684bda12f684bda12f684bda12f38e38d84',
],
// yDen
[
'0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffff93b',
'0x7a06534bb8bdb49fd5e9e6632722c2989467c1bfc8e8d978dfb425d2685c2573',
'0x6484aa716545ca2cf3a70c3fa8fe337e0a3d21162f0d6299a7bf8192bfd2a76f',
'0x0000000000000000000000000000000000000000000000000000000000000001', // LAST 1
],
].map((i) => i.map((j) => BigInt(j)))))();
// RFC 9380 §8.7 secp256k1 E' parameters for the SWU-to-isogeny pipeline below.
let mapSWU;
const getMapSWU = () => mapSWU ||
(mapSWU = mapToCurveSimpleSWU(Fpk1, {
// Building the SWU sqrt-ratio helper eagerly adds noticeable `secp256k1.js` import cost, so
// defer it to first use; after that the cached mapper is reused directly.
A: BigInt('0x3f8731abdd661adca08a5558f0f5d272e953d363cb6f0e5d405447c01a444533'),
B: BigInt('1771'),
Z: Fpk1.create(BigInt('-11')),
}));
/**
* Hashing / encoding to secp256k1 points / field. RFC 9380 methods.
* @example
* Hash one message onto secp256k1.
*
* ```ts
* const point = secp256k1_hasher.hashToCurve(new TextEncoder().encode('hello noble'));
* ```
*/
export const secp256k1_hasher = /* @__PURE__ */ (() => createHasher(Pointk1, (scalars) => {
const { x, y } = getMapSWU()(Fpk1.create(scalars[0]));
return isoMap(x, y);
}, {
DST: 'secp256k1_XMD:SHA-256_SSWU_RO_',
encodeDST: 'secp256k1_XMD:SHA-256_SSWU_NU_',
p: Fpk1.ORDER,
m: 1,
k: 128,
expand: 'xmd',
hash: sha256,
}))();
/**
* FROST threshold signatures over secp256k1. RFC 9591.
* @example
* Create one trusted-dealer package for 2-of-3 secp256k1 signing.
*
* ```ts
* const alice = secp256k1_FROST.Identifier.derive('alice@example.com');
* const bob = secp256k1_FROST.Identifier.derive('bob@example.com');
* const carol = secp256k1_FROST.Identifier.derive('carol@example.com');
* const deal = secp256k1_FROST.trustedDealer({ min: 2, max: 3 }, [alice, bob, carol]);
* ```
*/
export const secp256k1_FROST = /* @__PURE__ */ (() => createFROST({
name: 'FROST-secp256k1-SHA256-v1',
Point: Pointk1,
hashToScalar: secp256k1_hasher.hashToScalar,
hash: sha256,
}))();
// Taproot utils
// `undefined` means "disable TapTweak entirely"; callers that want the BIP-341/BIP-386 empty
// merkle root must pass `new Uint8Array(0)` explicitly.
function tweak(point, merkleRoot) {
if (merkleRoot === undefined)
return _0n;
const x = pointToBytes(point);
const t = bytesToNumberBE(taggedHash('TapTweak', x, merkleRoot));
// BIP-341 taproot_tweak_pubkey/taproot_tweak_seckey: "if t >= SECP256K1_ORDER:
// raise ValueError". TapTweak must reject overflow instead of reducing modulo n.
if (!Pointk1.Fn.isValid(t))
throw new Error('invalid TapTweak hash');
return t;
}
function frostPubToEvenY(pub) {
const VK = Pointk1.fromBytes(pub.commitments[0]);
// Keep aliasing on the already-even path so wrapper callers can skip unnecessary cloning.
if (hasEven(VK.y))
return pub;
return {
signers: { min: pub.signers.min, max: pub.signers.max },
commitments: pub.commitments.map((i) => Pointk1.fromBytes(i).negate().toBytes()),
verifyingShares: Object.fromEntries(Object.entries(pub.verifyingShares).map(([k, v]) => [
k,
Pointk1.fromBytes(v).negate().toBytes(),
])),
};
}
function frostSecretToEvenY(s, pub) {
const VK = Pointk1.fromBytes(pub.commitments[0]);
// Keep aliasing on the already-even path so wrapper callers can preserve package identity.
if (hasEven(VK.y))
return s;
const Fn = Pointk1.Fn;
return {
...s,
signingShare: Fn.toBytes(Fn.neg(Fn.fromBytes(s.signingShare))),
};
}
function frostNoncesToEvenY(PK, nonces) {
if (hasEven(PK.y))
return nonces;
const Fn = Pointk1.Fn;
return {
binding: Fn.toBytes(Fn.neg(Fn.fromBytes(nonces.binding))),
hiding: Fn.toBytes(Fn.neg(Fn.fromBytes(nonces.hiding))),
};
}
function frostTweakSecret(s, pub, merkleRoot) {
const Fn = Pointk1.Fn;
const keyPackage = frostSecretToEvenY(s, pub);
const evenPub = frostPubToEvenY(pub);
const t = tweak(Pointk1.fromBytes(evenPub.commitments[0]), merkleRoot);
const signingShare = Fn.toBytes(Fn.add(Fn.fromBytes(keyPackage.signingShare), t));
return {
identifier: keyPackage.identifier,
signingShare,
};
}
function frostTweakPublic(pub, merkleRoot) {
const PKPackage = frostPubToEvenY(pub);
const t = tweak(Pointk1.fromBytes(PKPackage.commitments[0]), merkleRoot);
const tp = Pointk1.BASE.multiply(t);
const commitments = PKPackage.commitments.map((c, i) => (i === 0 ? Pointk1.fromBytes(c).add(tp) : Pointk1.fromBytes(c)).toBytes());
const verifyingShares = {};
for (const k in PKPackage.verifyingShares) {
verifyingShares[k] = Pointk1.fromBytes(PKPackage.verifyingShares[k]).add(tp).toBytes();
}
return {
signers: { min: PKPackage.signers.min, max: PKPackage.signers.max },
commitments,
verifyingShares,
};
}
/**
* FROST threshold signatures over secp256k1-schnorr-taproot. RFC 9591.
* DKG outputs are auto-tweaked with the empty Taproot merkle root for compatibility, while
* `trustedDealer()` outputs stay untweaked unless callers apply the Taproot tweak themselves.
* @example
* Create one trusted-dealer package for Taproot-compatible FROST signing.
*
* ```ts
* const alice = schnorr_FROST.Identifier.derive('alice@example.com');
* const bob = schnorr_FROST.Identifier.derive('bob@example.com');
* const carol = schnorr_FROST.Identifier.derive('carol@example.com');
* const deal = schnorr_FROST.trustedDealer({ min: 2, max: 3 }, [alice, bob, carol]);
* ```
*/
export const schnorr_FROST = /* @__PURE__ */ (() => createFROST({
name: 'FROST-secp256k1-SHA256-TR-v1',
Point: Pointk1,
hashToScalar: secp256k1_hasher.hashToScalar,
hash: sha256,
// Taproot related hacks
parsePublicKey(publicKey) {
// External Taproot keys are x-only, but local key packages still use compressed points.
if (publicKey.length === 32)
return lift_x(bytesToNumberBE(publicKey));
if (publicKey.length === 33)
return Pointk1.fromBytes(publicKey);
throw new Error(`expected x-only or compressed public key, got length=${publicKey.length}`);
},
adjustScalar(n) {
const PK = Pointk1.BASE.multiply(n);
return hasEven(PK.y) ? n : Pointk1.Fn.neg(n);
},
adjustPoint: (p) => (hasEven(p.y) ? p : p.negate()),
challenge(R, PK, msg) {
return challenge(pointToBytes(R), pointToBytes(PK), msg);
},
adjustNonces: frostNoncesToEvenY,
adjustGroupCommitmentShare: (GC, GCShare) => (!hasEven(GC.y) ? GCShare.negate() : GCShare),
adjustPublic: frostPubToEvenY,
adjustSecret: frostSecretToEvenY,
adjustTx: {
// Compat with official implementation
encode: (tx) => tx.subarray(1),
decode: (tx) => concatBytes(Uint8Array.of(0x02), tx),
},
adjustDKG: (k) => {
// Compatibility with frost-secp256k1-tr: DKG output is auto-tweaked with the
// empty Taproot merkle root, while dealer-generated keys stay untweaked.
const merkleRoot = new Uint8Array(0);
return {
public: frostTweakPublic(k.public, merkleRoot),
secret: frostTweakSecret(k.secret, k.public, merkleRoot),
};
},
}))();
//# sourceMappingURL=secp256k1.js.map
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/secp256k1.js.map
Generated Vendored
+1
View File
File diff suppressed because one or more lines are too long
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/src/abstract/bls.ts
Generated Vendored
+887
View File
@@ -0,0 +1,887 @@
/**
* BLS != BLS.
* The file implements BLS (Boneh-Lynn-Shacham) signatures.
* Used in both BLS (Barreto-Lynn-Scott) and BN (Barreto-Naehrig)
* families of pairing-friendly curves.
* Consists of two curves: G1 and G2:
* - G1 is a subgroup of (x, y) E(Fq) over y² = x³ + 4.
* - G2 is a subgroup of ((x₁, x₂+i), (y₁, y₂+i)) E(Fq²) over y² = x³ + 4(1 + i) where i is √-1
* - Gt, created by bilinear (ate) pairing e(G1, G2), consists of p-th roots of unity in
* Fq^k where k is embedding degree. Only degree 12 is currently supported, 24 is not.
* Pairing is used to aggregate and verify signatures.
* There are two modes of operation:
* - Long signatures: X-byte keys + 2X-byte sigs (G1 keys + G2 sigs).
* - Short signatures: 2X-byte keys + X-byte sigs (G2 keys + G1 sigs).
* @module
**/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { abytes, notImplemented, randomBytes, type TArg, type TRet } from '../utils.ts';
import { type CurveLengths } from './curve.ts';
import {
createHasher,
type H2CDSTOpts,
type H2CHasher,
type H2COpts,
type MapToCurve,
} from './hash-to-curve.ts';
import { getMinHashLength, mapHashToField, type IField } from './modular.ts';
import type { Fp12, Fp12Bls, Fp2, Fp2Bls, Fp6Bls } from './tower.ts';
import { type WeierstrassPoint, type WeierstrassPointCons } from './weierstrass.ts';
type Fp = bigint; // Can be different field?
// prettier-ignore
const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
/**
* Twist convention used by the pairing formulas for a concrete curve family.
* BLS12-381 uses a multiplicative twist, while BN254 uses a divisive one.
*/
export type BlsTwistType = 'multiplicative' | 'divisive';
/**
* Codec exposed as `curve.shortSignatures.Signature`.
* Use it to parse or serialize G1 signatures in short-signature mode.
* In this mode, public keys live in G2.
*/
export type BlsShortSignatureCoder<Fp> = {
/**
* Parse a compressed signature from raw bytes.
* @param bytes - Compressed signature bytes.
* @returns Parsed signature point.
*/
fromBytes(bytes: TArg<Uint8Array>): WeierstrassPoint<Fp>;
/**
* Parse a compressed signature from a hex string.
* @param hex - Compressed signature hex string.
* @returns Parsed signature point.
*/
fromHex(hex: string): WeierstrassPoint<Fp>;
/**
* Encode a signature point into compressed bytes.
* @param point - Signature point.
* @returns Compressed signature bytes.
*/
toBytes(point: WeierstrassPoint<Fp>): TRet<Uint8Array>;
/**
* Encode a signature point into a hex string.
* @param point - Signature point.
* @returns Compressed signature hex.
*/
toHex(point: WeierstrassPoint<Fp>): string;
};
/**
* Codec exposed as `curve.longSignatures.Signature`.
* Use it to parse or serialize G2 signatures in long-signature mode.
* In this mode, public keys live in G1.
*/
export type BlsLongSignatureCoder<Fp> = {
/**
* Parse a compressed signature from raw bytes.
* @param bytes - Compressed signature bytes.
* @returns Parsed signature point.
*/
fromBytes(bytes: TArg<Uint8Array>): WeierstrassPoint<Fp>;
/**
* Parse a compressed signature from a hex string.
* @param hex - Compressed signature hex string.
* @returns Parsed signature point.
*/
fromHex(hex: string): WeierstrassPoint<Fp>;
/**
* Encode a signature point into compressed bytes.
* @param point - Signature point.
* @returns Compressed signature bytes.
*/
toBytes(point: WeierstrassPoint<Fp>): TRet<Uint8Array>;
/**
* Encode a signature point into a hex string.
* @param point - Signature point.
* @returns Compressed signature hex.
*/
toHex(point: WeierstrassPoint<Fp>): string;
};
/** Tower fields needed by pairing code, hash-to-curve, and subgroup arithmetic. */
export type BlsFields = {
/** Base field of G1 coordinates. */
Fp: IField<Fp>;
/** Scalar field used for secret scalars and subgroup order arithmetic. */
Fr: IField<bigint>;
/** Quadratic extension field used by G2. */
Fp2: Fp2Bls;
/** Sextic extension field used inside pairing arithmetic. */
Fp6: Fp6Bls;
/** Degree-12 extension field that contains the GT target group. */
Fp12: Fp12Bls;
};
/**
* Callback used by pairing post-processing hooks to add one more G2 point to the Miller-loop state.
* @param Rx - Current projective X coordinate.
* @param Ry - Current projective Y coordinate.
* @param Rz - Current projective Z coordinate.
* @param Qx - G2 affine x coordinate.
* @param Qy - G2 affine y coordinate.
* @returns Updated projective accumulator coordinates.
*/
export type BlsPostPrecomputePointAddFn = (
Rx: Fp2,
Ry: Fp2,
Rz: Fp2,
Qx: Fp2,
Qy: Fp2
) => { Rx: Fp2; Ry: Fp2; Rz: Fp2 };
/**
* Hook for curve-specific pairing cleanup after the Miller loop precomputes are built.
* @param Rx - Current projective X coordinate.
* @param Ry - Current projective Y coordinate.
* @param Rz - Current projective Z coordinate.
* @param Qx - G2 affine x coordinate.
* @param Qy - G2 affine y coordinate.
* @param pointAdd - Callback used to fold one more point into the accumulator.
*/
export type BlsPostPrecomputeFn = (
Rx: Fp2,
Ry: Fp2,
Rz: Fp2,
Qx: Fp2,
Qy: Fp2,
pointAdd: BlsPostPrecomputePointAddFn
) => void;
/** Low-level pairing helpers shared by BLS curve bundles. */
export type BlsPairing = {
/** Byte lengths for keys and signatures exposed by this pairing family. */
lengths: CurveLengths;
/** Scalar field used by the pairing and signing helpers. */
Fr: IField<bigint>;
/** Target field used for the GT result of pairings. */
Fp12: Fp12Bls;
/**
* Build Miller-loop precomputes for one G2 point.
* @param p - G2 point to precompute.
* @returns Pairing precompute table.
*/
calcPairingPrecomputes: (p: WeierstrassPoint<Fp2>) => Precompute;
/**
* Evaluate a batch of Miller loops from precomputed line coefficients.
* @param pairs - Precomputed Miller-loop inputs.
* @returns Accumulated GT value before or after final exponentiation.
*/
millerLoopBatch: (pairs: [Precompute, Fp, Fp][]) => Fp12;
/**
* Pair one G1 point with one G2 point.
* @param P - G1 point.
* @param Q - G2 point.
* @param withFinalExponent - Whether to apply the final exponentiation step.
* @returns GT pairing result.
* @throws If either point is the point at infinity. {@link Error}
*/
pairing: (P: WeierstrassPoint<Fp>, Q: WeierstrassPoint<Fp2>, withFinalExponent?: boolean) => Fp12;
/**
* Pair many G1/G2 pairs in one batch.
* @param pairs - Point pairs to accumulate.
* @param withFinalExponent - Whether to apply the final exponentiation step.
* @returns GT pairing result. Empty input returns the multiplicative identity in GT.
*/
pairingBatch: (
pairs: { g1: WeierstrassPoint<Fp>; g2: WeierstrassPoint<Fp2> }[],
withFinalExponent?: boolean
) => Fp12;
/**
* Generate a random secret key for this pairing family.
* @param seed - Optional seed material.
* @returns Secret key bytes.
*/
randomSecretKey: (seed?: TArg<Uint8Array>) => TRet<Uint8Array>;
};
/**
* Parameters that define the Miller-loop shape and twist handling
* for a concrete pairing family.
*/
export type BlsPairingParams = {
// MSB is always ignored and used as marker for length, otherwise leading zeros will be lost.
// Can be different from `X` (seed) param.
/** Signed loop parameter used by the Miller loop. */
ateLoopSize: bigint;
/** Whether the signed Miller-loop parameter is negative. */
xNegative: boolean;
/**
* Twist convention used by the pairing formulas.
* BLS12-381 is multiplicative; BN254 is divisive.
*/
twistType: BlsTwistType;
/**
* Optional RNG override used by helper constructors.
* Receives the requested byte length and returns random bytes.
*/
randomBytes?: (len?: number) => TRet<Uint8Array>;
/**
* Optional hook for curve-specific untwisting after precomputation.
* Used by BN254 after the Miller loop.
*/
postPrecompute?: BlsPostPrecomputeFn;
};
/** Hash-to-curve settings shared by the G1 and G2 hashers inside a BLS curve bundle. */
export type BlsHasherParams = {
/**
* Optional map-to-curve override for G1.
* Receives the hash-to-field tuple and returns one affine G1 point.
*/
mapToG1?: MapToCurve<Fp>;
/**
* Optional map-to-curve override for G2.
* Receives the hash-to-field tuple and returns one affine G2 point.
*/
mapToG2?: MapToCurve<Fp2>;
/** Shared baseline hash-to-curve options. */
hasherOpts: H2COpts;
/** G1-specific hash-to-curve options merged on top of `hasherOpts`. */
hasherOptsG1: H2COpts;
/** G2-specific hash-to-curve options merged on top of `hasherOpts`. */
hasherOptsG2: H2COpts;
};
type PrecomputeSingle = [Fp2, Fp2, Fp2][];
type Precompute = PrecomputeSingle[];
/**
* BLS consists of two curves: G1 and G2:
* - G1 is a subgroup of (x, y) E(Fq) over y² = x³ + 4.
* - G2 is a subgroup of ((x₁, x₂+i), (y₁, y₂+i)) E(Fq²) over y² = x³ + 4(1 + i) where i is √-1
*/
export interface BlsCurvePair {
/** Byte lengths for keys and signatures exposed by this curve family. */
lengths: CurveLengths;
/**
* Shared Miller-loop batch evaluator.
* @param pairs - Precomputed Miller-loop inputs.
* @returns Accumulated GT value.
*/
millerLoopBatch: BlsPairing['millerLoopBatch'];
/**
* Pair one G1 point with one G2 point.
* @param P - G1 point.
* @param Q - G2 point.
* @param withFinalExponent - Whether to apply the final exponentiation step.
* @returns GT pairing result.
* @throws If either point is the point at infinity. {@link Error}
*/
pairing: BlsPairing['pairing'];
/**
* Pair many G1/G2 pairs in one batch.
* @param pairs - Point pairs to accumulate.
* @param withFinalExponent - Whether to apply the final exponentiation step.
* @returns GT pairing result. Empty input returns the multiplicative identity in GT.
*/
pairingBatch: BlsPairing['pairingBatch'];
/** G1 point constructor for the base field subgroup. */
G1: { Point: WeierstrassPointCons<Fp> };
/** G2 point constructor for the twist subgroup. */
G2: { Point: WeierstrassPointCons<Fp2> };
/** Tower fields exposed by the pairing implementation. */
fields: {
Fp: IField<Fp>;
Fp2: Fp2Bls;
Fp6: Fp6Bls;
Fp12: Fp12Bls;
Fr: IField<bigint>;
};
/** Utility helpers shared by hashers and signers. */
utils: {
randomSecretKey: (seed?: TArg<Uint8Array>) => TRet<Uint8Array>;
calcPairingPrecomputes: BlsPairing['calcPairingPrecomputes'];
};
/** Public pairing parameters exposed for introspection. */
params: {
ateLoopSize: bigint;
twistType: BlsTwistType;
};
}
/** BLS curve bundle extended with hash-to-curve helpers for G1 and G2. */
export interface BlsCurvePairWithHashers extends BlsCurvePair {
/** G1 hasher bundle with RFC 9380 helpers. */
G1: H2CHasher<WeierstrassPointCons<Fp>>;
/** G2 hasher bundle with RFC 9380 helpers. */
G2: H2CHasher<WeierstrassPointCons<Fp2>>;
}
/** BLS curve bundle extended with both hashers and signature helpers. */
export interface BlsCurvePairWithSignatures extends BlsCurvePairWithHashers {
/** Long-signature mode: G1 public keys and G2 signatures. */
longSignatures: BlsSigs<bigint, Fp2>;
/** Short-signature mode: G2 public keys and G1 signatures. */
shortSignatures: BlsSigs<Fp2, bigint>;
}
type BLSInput = TArg<Uint8Array>;
/** BLS signer helpers for one signature mode. */
export interface BlsSigs<P, S> {
/** Byte lengths for secret keys, public keys, and signatures. */
lengths: CurveLengths;
/**
* Generate a secret/public key pair for this signature mode.
* @param seed - Optional seed material.
* @returns Secret and public key pair.
*/
keygen(seed?: TArg<Uint8Array>): {
secretKey: TRet<Uint8Array>;
publicKey: WeierstrassPoint<P>;
};
/**
* Derive the public key from a secret key.
* @param secretKey - Secret key bytes.
* @returns Public-key point.
*/
getPublicKey(secretKey: TArg<Uint8Array>): WeierstrassPoint<P>;
/**
* Sign a message already hashed onto the signature subgroup.
* @param hashedMessage - Message mapped to the signature subgroup.
* @param secretKey - Secret key bytes.
* @returns Signature point.
*/
sign(hashedMessage: WeierstrassPoint<S>, secretKey: TArg<Uint8Array>): WeierstrassPoint<S>;
/**
* Verify one signature against one public key and hashed message.
* @param signature - Signature point or encoded signature.
* @param message - Hashed message point.
* @param publicKey - Public-key point or encoded key.
* @returns Whether the signature is valid.
*/
verify(
signature: WeierstrassPoint<S> | BLSInput,
message: WeierstrassPoint<S>,
publicKey: WeierstrassPoint<P> | BLSInput
): boolean;
/**
* Verify one aggregated signature against many `(message, publicKey)` pairs.
* @param signature - Aggregated signature.
* @param items - Message/public-key pairs.
* @returns Whether the aggregated signature is valid. Same-message aggregate verification still
* requires proof of possession or another rogue-key defense from the caller.
*/
verifyBatch: (
signature: WeierstrassPoint<S> | BLSInput,
items: { message: WeierstrassPoint<S>; publicKey: WeierstrassPoint<P> | BLSInput }[]
) => boolean;
/**
* Add many public keys into one aggregate point.
* @param publicKeys - Public keys to aggregate.
* @returns Aggregated public-key point. This is raw point addition and does not add proof of
* possession or rogue-key protection on its own.
*/
aggregatePublicKeys(publicKeys: (WeierstrassPoint<P> | BLSInput)[]): WeierstrassPoint<P>;
/**
* Add many signatures into one aggregate point.
* @param signatures - Signatures to aggregate.
* @returns Aggregated signature point. This is raw point addition and does not change the proof
* of possession requirements of the aggregate-verification scheme.
*/
aggregateSignatures(signatures: (WeierstrassPoint<S> | BLSInput)[]): WeierstrassPoint<S>;
/**
* Hash an arbitrary message onto the signature subgroup.
* @param message - Message bytes.
* @param DST - Optional domain separation tag.
* @returns Curve point on the signature subgroup.
*/
hash(message: TArg<Uint8Array>, DST?: TArg<string | Uint8Array>): WeierstrassPoint<S>;
/** Signature codec for this mode. */
Signature: BlsLongSignatureCoder<S>;
}
// Signed non-adjacent decomposition of the spec-defined Miller-loop parameter.
// BN254 benefits most because `6x+2` has multiple adjacent `11` runs, but BLS12-381's
// stored `|x|` still starts with `11`, so the Miller loop must also handle one `-1` digit there.
function NAfDecomposition(a: bigint) {
const res = [];
// a>1 because of marker bit
for (; a > _1n; a >>= _1n) {
if ((a & _1n) === _0n) res.unshift(0);
else if ((a & _3n) === _3n) {
res.unshift(-1);
a += _1n;
} else res.unshift(1);
}
return res;
}
function aNonEmpty(arr: any[]) {
// Aggregate helpers use this to reject empty variable-length inputs consistently.
// Without the guard, each caller would fall through into a different empty-input / identity
// case and hide missing inputs behind outputs that still look structurally valid.
if (!Array.isArray(arr) || arr.length === 0) throw new Error('expected non-empty array');
}
// This should be enough for bn254, no need to export full stuff?
function createBlsPairing(
fields: TArg<BlsFields>,
G1: WeierstrassPointCons<Fp>,
G2: WeierstrassPointCons<Fp2>,
params: TArg<BlsPairingParams>
): BlsPairing {
const { Fr, Fp2, Fp12 } = fields;
const { twistType, ateLoopSize, xNegative, postPrecompute } = params;
type G1 = typeof G1.BASE;
type G2 = typeof G2.BASE;
// Applies sparse multiplication as line function
let lineFunction: (c0: Fp2, c1: Fp2, c2: Fp2, f: Fp12, Px: Fp, Py: Fp) => Fp12;
if (twistType === 'multiplicative') {
lineFunction = (c0: Fp2, c1: Fp2, c2: Fp2, f: Fp12, Px: Fp, Py: Fp) =>
Fp12.mul014(f, c0, Fp2.mul(c1, Px), Fp2.mul(c2, Py));
} else if (twistType === 'divisive') {
// NOTE: it should be [c0, c1, c2], but we use different order here to reduce complexity of
// precompute calculations.
lineFunction = (c0: Fp2, c1: Fp2, c2: Fp2, f: Fp12, Px: Fp, Py: Fp) =>
Fp12.mul034(f, Fp2.mul(c2, Py), Fp2.mul(c1, Px), c0);
} else throw new Error('bls: unknown twist type');
const Fp2div2 = Fp2.div(Fp2.ONE, Fp2.mul(Fp2.ONE, _2n));
function pointDouble(ell: PrecomputeSingle, Rx: Fp2, Ry: Fp2, Rz: Fp2) {
const t0 = Fp2.sqr(Ry); // Ry²
const t1 = Fp2.sqr(Rz); // Rz²
const t2 = Fp2.mulByB(Fp2.mul(t1, _3n)); // 3 * T1 * B
const t3 = Fp2.mul(t2, _3n); // 3 * T2
const t4 = Fp2.sub(Fp2.sub(Fp2.sqr(Fp2.add(Ry, Rz)), t1), t0); // (Ry + Rz)² - T1 - T0
const c0 = Fp2.sub(t2, t0); // T2 - T0 (i)
const c1 = Fp2.mul(Fp2.sqr(Rx), _3n); // 3 * Rx²
const c2 = Fp2.neg(t4); // -T4 (-h)
ell.push([c0, c1, c2]);
Rx = Fp2.mul(Fp2.mul(Fp2.mul(Fp2.sub(t0, t3), Rx), Ry), Fp2div2); // ((T0 - T3) * Rx * Ry) / 2
// ((T0 + T3) / 2)² - 3 * T2²
Ry = Fp2.sub(Fp2.sqr(Fp2.mul(Fp2.add(t0, t3), Fp2div2)), Fp2.mul(Fp2.sqr(t2), _3n));
Rz = Fp2.mul(t0, t4); // T0 * T4
return { Rx, Ry, Rz };
}
function pointAdd(ell: PrecomputeSingle, Rx: Fp2, Ry: Fp2, Rz: Fp2, Qx: Fp2, Qy: Fp2) {
// Addition
const t0 = Fp2.sub(Ry, Fp2.mul(Qy, Rz)); // Ry - Qy * Rz
const t1 = Fp2.sub(Rx, Fp2.mul(Qx, Rz)); // Rx - Qx * Rz
const c0 = Fp2.sub(Fp2.mul(t0, Qx), Fp2.mul(t1, Qy)); // T0 * Qx - T1 * Qy == Ry * Qx - Rx * Qy
const c1 = Fp2.neg(t0); // -T0 == Qy * Rz - Ry
const c2 = t1; // == Rx - Qx * Rz
ell.push([c0, c1, c2]);
const t2 = Fp2.sqr(t1); // T1²
const t3 = Fp2.mul(t2, t1); // T2 * T1
const t4 = Fp2.mul(t2, Rx); // T2 * Rx
// T3 - 2 * T4 + T0² * Rz
const t5 = Fp2.add(Fp2.sub(t3, Fp2.mul(t4, _2n)), Fp2.mul(Fp2.sqr(t0), Rz));
Rx = Fp2.mul(t1, t5); // T1 * T5
Ry = Fp2.sub(Fp2.mul(Fp2.sub(t4, t5), t0), Fp2.mul(t3, Ry)); // (T4 - T5) * T0 - T3 * Ry
Rz = Fp2.mul(Rz, t3); // Rz * T3
return { Rx, Ry, Rz };
}
// Pre-compute coefficients for sparse multiplication
// Point addition and point double calculations is reused for coefficients
// pointAdd happens only if bit set, so wNAF is reasonable. Unfortunately we cannot combine
// add + double in windowed precomputes here, otherwise it would be single op (since X is static)
const ATE_NAF = NAfDecomposition(ateLoopSize);
const calcPairingPrecomputes = (point: G2) => {
const p = point;
const { x, y } = p.toAffine();
// prettier-ignore
const Qx = x, Qy = y, negQy = Fp2.neg(y);
// prettier-ignore
let Rx = Qx, Ry = Qy, Rz = Fp2.ONE;
const ell: Precompute = [];
for (const bit of ATE_NAF) {
const cur: PrecomputeSingle = [];
({ Rx, Ry, Rz } = pointDouble(cur, Rx, Ry, Rz));
if (bit) ({ Rx, Ry, Rz } = pointAdd(cur, Rx, Ry, Rz, Qx, bit === -1 ? negQy : Qy));
ell.push(cur);
}
if (postPrecompute) {
const last = ell[ell.length - 1];
postPrecompute(Rx, Ry, Rz, Qx, Qy, pointAdd.bind(null, last));
}
return ell;
};
// Main pairing logic is here. Computes product of miller loops + final exponentiate
// Applies calculated precomputes
type MillerInput = [Precompute, Fp, Fp][];
function millerLoopBatch(pairs: MillerInput, withFinalExponent: boolean = false) {
let f12 = Fp12.ONE;
if (pairs.length) {
const ellLen = pairs[0][0].length;
for (let i = 0; i < ellLen; i++) {
f12 = Fp12.sqr(f12); // This allows us to do sqr only one time for all pairings
// NOTE: we apply multiple pairings in parallel here
for (const [ell, Px, Py] of pairs) {
for (const [c0, c1, c2] of ell[i]) f12 = lineFunction(c0, c1, c2, f12, Px, Py);
}
}
}
if (xNegative) f12 = Fp12.conjugate(f12);
return withFinalExponent ? Fp12.finalExponentiate(f12) : f12;
}
type PairingInput = { g1: G1; g2: G2 };
// Calculates product of multiple pairings
// This up to x2 faster than just `map(({g1, g2})=>pairing({g1,g2}))`
function pairingBatch(pairs: PairingInput[], withFinalExponent: boolean = true) {
const res: MillerInput = [];
for (const { g1, g2 } of pairs) {
// Mathematically, a zero pairing term contributes GT.ONE. We still reject it here because
// this API mainly backs BLS verification, where ZERO inputs usually mean broken hash /
// wiring. Silently skipping them would turn those failures into a neutral pairing product.
// Callers that want the algebraic neutral-element behavior can filter ZERO terms first.
if (g1.is0() || g2.is0()) throw new Error('pairing is not available for ZERO point');
// This uses toAffine inside
g1.assertValidity();
g2.assertValidity();
const Qa = g1.toAffine();
res.push([calcPairingPrecomputes(g2), Qa.x, Qa.y]);
}
return millerLoopBatch(res, withFinalExponent);
}
// Calculates bilinear pairing
function pairing(Q: G1, P: G2, withFinalExponent: boolean = true): Fp12 {
return pairingBatch([{ g1: Q, g2: P }], withFinalExponent);
}
const lengths = {
seed: getMinHashLength(Fr.ORDER),
};
const rand = params.randomBytes === undefined ? randomBytes : params.randomBytes;
// Seeded calls deterministically reduce exactly `lengths.seed` bytes into `1..Fr.ORDER-1`;
// omitting `seed` just fills that input buffer from the configured RNG first.
const randomSecretKey = (seed?: TArg<Uint8Array>): TRet<Uint8Array> => {
seed = seed === undefined ? rand(lengths.seed) : seed;
abytes(seed, lengths.seed, 'seed');
return mapHashToField(seed, Fr.ORDER) as TRet<Uint8Array>;
};
Object.freeze(lengths);
return {
lengths,
Fr,
Fp12, // NOTE: we re-export Fp12 here because pairing results are Fp12!
millerLoopBatch,
pairing,
pairingBatch,
calcPairingPrecomputes,
randomSecretKey,
};
}
function createBlsSig<P, S>(
blsPairing: BlsPairing,
PubPoint: WeierstrassPointCons<P>,
SigPoint: WeierstrassPointCons<S>,
isSigG1: boolean,
hashToSigCurve: (msg: TArg<Uint8Array>, options?: TArg<H2CDSTOpts>) => WeierstrassPoint<S>,
SignatureCoder?: BlsLongSignatureCoder<S>
): BlsSigs<P, S> {
const { Fr, Fp12, pairingBatch, randomSecretKey, lengths } = blsPairing;
if (!SignatureCoder) {
SignatureCoder = {
fromBytes: notImplemented,
fromHex: notImplemented,
toBytes: notImplemented,
toHex: notImplemented,
};
}
type PubPoint = WeierstrassPoint<P>;
type SigPoint = WeierstrassPoint<S>;
function normPub(point: PubPoint | BLSInput): PubPoint {
return point instanceof PubPoint ? (point as PubPoint) : PubPoint.fromBytes(point);
}
function normSig(point: SigPoint | BLSInput): SigPoint {
return point instanceof SigPoint ? (point as SigPoint) : SigPoint.fromBytes(point);
}
// Sign/verify here take points already hashed onto the signature subgroup.
// Raw bytes and points from the other subgroup must fail this constructor-brand
// check before later validity checks run.
function amsg(m: unknown): SigPoint {
if (!(m instanceof SigPoint))
throw new Error(`expected valid message hashed to ${!isSigG1 ? 'G2' : 'G1'} curve`);
return m as SigPoint;
}
type G1 = WeierstrassPoint<Fp>;
type G2 = WeierstrassPoint<Fp2>;
type PairingInput = { g1: G1; g2: G2 };
// What matters here is what point pairing API accepts as G1 or G2, not actual size or names
const pair: (a: PubPoint, b: SigPoint) => PairingInput = !isSigG1
? (a: PubPoint, b: SigPoint) => ({ g1: a, g2: b }) as PairingInput
: (a: PubPoint, b: SigPoint) => ({ g1: b, g2: a }) as PairingInput;
return Object.freeze({
lengths: Object.freeze({ ...lengths, secretKey: Fr.BYTES }),
keygen(seed?: TArg<Uint8Array>) {
const secretKey = randomSecretKey(seed);
const publicKey = this.getPublicKey(secretKey);
return { secretKey, publicKey };
},
// P = pk x G
getPublicKey(secretKey: TArg<Uint8Array>): PubPoint {
let sec;
try {
sec = PubPoint.Fn.fromBytes(secretKey);
} catch (error) {
// @ts-ignore
throw new Error('invalid private key: ' + typeof secretKey, { cause: error });
}
return PubPoint.BASE.multiply(sec);
},
// S = pk x H(m)
sign(message: SigPoint, secretKey: TArg<Uint8Array>, unusedArg?: any): SigPoint {
if (unusedArg != null) throw new Error('sign() expects 2 arguments');
const sec = PubPoint.Fn.fromBytes(secretKey);
amsg(message).assertValidity();
return message.multiply(sec);
},
// Checks if pairing of public key & hash is equal to pairing of generator & signature.
// e(P, H(m)) == e(G, S)
// e(S, G) == e(H(m), P)
verify(
signature: SigPoint | BLSInput,
message: SigPoint,
publicKey: PubPoint | BLSInput,
unusedArg?: any
): boolean {
if (unusedArg != null) throw new Error('verify() expects 3 arguments');
signature = normSig(signature);
publicKey = normPub(publicKey);
const P = publicKey.negate();
const G = PubPoint.BASE;
const Hm = amsg(message);
const S = signature;
// This code was changed in 1.9.x:
// Before it was G.negate() in G2, now it's always pubKey.negate
// e(P, -Q)===e(-P, Q)==e(P, Q)^-1. Negate can be done anywhere (as long it is done once per pair).
// We just moving sign, but since pairing is multiplicative, we doing X * X^-1 = 1
try {
const exp = pairingBatch([pair(P, Hm), pair(G, S)]);
return Fp12.eql(exp, Fp12.ONE);
} catch {
return false;
}
},
// https://ethresear.ch/t/fast-verification-of-multiple-bls-signatures/5407
// e(G, S) = e(G, SUM(n)(Si)) = MUL(n)(e(G, Si))
// TODO: maybe `{message: G2Hex, publicKey: G1Hex}[]` instead?
verifyBatch(
signature: SigPoint | BLSInput,
items: { message: SigPoint; publicKey: PubPoint | BLSInput }[]
): boolean {
aNonEmpty(items);
const sig = normSig(signature);
const nMessages = items.map((i) => i.message);
const nPublicKeys = items.map((i) => normPub(i.publicKey));
// NOTE: this works only for exact same object
const messagePubKeyMap = new Map<SigPoint, PubPoint[]>();
for (let i = 0; i < nPublicKeys.length; i++) {
const pub = nPublicKeys[i];
const msg = nMessages[i];
let keys = messagePubKeyMap.get(msg);
if (keys === undefined) {
keys = [];
messagePubKeyMap.set(msg, keys);
}
keys.push(pub);
}
const paired = [];
const G = PubPoint.BASE;
try {
for (const [msg, keys] of messagePubKeyMap) {
const groupPublicKey = keys.reduce((acc, msg) => acc.add(msg));
paired.push(pair(groupPublicKey, msg));
}
paired.push(pair(G.negate(), sig));
return Fp12.eql(pairingBatch(paired), Fp12.ONE);
} catch {
return false;
}
},
// Adds a bunch of public key points together.
// pk1 + pk2 + pk3 = pkA
aggregatePublicKeys(publicKeys: (PubPoint | BLSInput)[]): PubPoint {
aNonEmpty(publicKeys);
publicKeys = publicKeys.map((pub) => normPub(pub));
const agg = (publicKeys as PubPoint[]).reduce((sum, p) => sum.add(p), PubPoint.ZERO);
agg.assertValidity();
return agg;
},
// Adds a bunch of signature points together.
// pk1 + pk2 + pk3 = pkA
aggregateSignatures(signatures: (SigPoint | BLSInput)[]): SigPoint {
aNonEmpty(signatures);
signatures = signatures.map((sig) => normSig(sig));
const agg = (signatures as SigPoint[]).reduce((sum, s) => sum.add(s), SigPoint.ZERO);
agg.assertValidity();
return agg;
},
hash(messageBytes: TArg<Uint8Array>, DST?: TArg<string | Uint8Array>): SigPoint {
abytes(messageBytes);
const opts = DST ? { DST } : undefined;
return hashToSigCurve(messageBytes, opts);
},
Signature: Object.freeze({ ...SignatureCoder }),
}) /*satisfies Signer */;
}
type BlsSignatureCoders = Partial<{
LongSignature: BlsLongSignatureCoder<Fp2>;
ShortSignature: BlsShortSignatureCoder<Fp>;
}>;
// NOTE: separate function instead of function override, so we don't depend on hasher in bn254.
/**
* @param fields - Tower field implementations.
* @param G1_Point - G1 point constructor.
* @param G2_Point - G2 point constructor.
* @param params - Pairing parameters. See {@link BlsPairingParams}.
* @returns Pairing-only BLS helpers. The returned pairing surface rejects infinity inputs, while
* empty `pairingBatch(...)` calls return the multiplicative identity in GT. This keeps the
* low-level pairing API fail-closed for BLS-style callers, where identity points usually signal
* broken hash / wiring instead of an intentionally neutral pairing term. This also eagerly
* precomputes the G1 base-point table as a performance side effect.
* @throws If the pairing parameters or underlying curve helpers are inconsistent. {@link Error}
* @example
* ```ts
* import { blsBasic } from '@noble/curves/abstract/bls.js';
* import { bn254 } from '@noble/curves/bn254.js';
* // Pair a G1 point with a G2 point without the higher-level signer helpers.
* const gt = bn254.pairing(bn254.G1.Point.BASE, bn254.G2.Point.BASE);
* ```
*/
export function blsBasic(
fields: TArg<BlsFields>,
G1_Point: WeierstrassPointCons<Fp>,
G2_Point: WeierstrassPointCons<Fp2>,
params: TArg<BlsPairingParams>
): BlsCurvePair {
// Fields are specific for curve, so for now we'll need to pass them with opts
const { Fp, Fr, Fp2, Fp6, Fp12 } = fields;
// Point on G1 curve: (x, y)
// const G1_Point = weierstrass(CURVE.G1, { Fn: Fr });
const G1 = { Point: G1_Point };
// Point on G2 curve (complex numbers): (x₁, x₂+i), (y₁, y₂+i)
const G2 = { Point: G2_Point };
const pairingRes = createBlsPairing(fields, G1_Point, G2_Point, params);
const {
millerLoopBatch,
pairing,
pairingBatch,
calcPairingPrecomputes,
randomSecretKey,
lengths,
} = pairingRes;
G1.Point.BASE.precompute(4);
Object.freeze(G1);
Object.freeze(G2);
return Object.freeze({
lengths: Object.freeze(lengths),
millerLoopBatch,
pairing,
pairingBatch,
G1,
G2,
fields: Object.freeze({ Fr, Fp, Fp2, Fp6, Fp12 }),
params: Object.freeze({
ateLoopSize: params.ateLoopSize,
twistType: params.twistType,
}),
utils: Object.freeze({
randomSecretKey,
calcPairingPrecomputes,
}),
});
}
// We can export this too, but seems there is not much reasons for now? If user wants hasher, they can just create hasher.
function blsHashers(
fields: TArg<BlsFields>,
G1_Point: WeierstrassPointCons<Fp>,
G2_Point: WeierstrassPointCons<Fp2>,
params: TArg<BlsPairingParams>,
hasherParams: TArg<BlsHasherParams>
): BlsCurvePairWithHashers {
const base = blsBasic(fields, G1_Point, G2_Point, params);
// Missing map hooks intentionally fail closed via notImplemented on first hash use.
const G1Hasher = createHasher(
G1_Point,
hasherParams.mapToG1 === undefined ? notImplemented : hasherParams.mapToG1,
{
...hasherParams.hasherOpts,
...hasherParams.hasherOptsG1,
}
);
const G2Hasher = createHasher(
G2_Point,
hasherParams.mapToG2 === undefined ? notImplemented : hasherParams.mapToG2,
{
...hasherParams.hasherOpts,
...hasherParams.hasherOptsG2,
}
);
return Object.freeze({ ...base, G1: G1Hasher, G2: G2Hasher });
}
// G1_Point: ProjConstructor<bigint>, G2_Point: ProjConstructor<Fp2>,
// Rename to blsSignatures?
/**
* @param fields - Tower field implementations.
* @param G1_Point - G1 point constructor.
* @param G2_Point - G2 point constructor.
* @param params - Pairing parameters. See {@link BlsPairingParams}.
* @param hasherParams - Hash-to-curve configuration. See {@link BlsHasherParams}.
* @param signatureCoders - Signature codecs.
* @returns BLS helpers with signers. The inherited pairing surface still rejects infinity inputs,
* and empty `pairingBatch(...)` calls still return the multiplicative identity in GT. Aggregate
* verification still requires proof of possession or another rogue-key defense from the caller.
* @throws If the pairing, hashing, or signature helpers are configured inconsistently. {@link Error}
* @example
* ```ts
* import { bls } from '@noble/curves/abstract/bls.js';
* import { bls12_381 } from '@noble/curves/bls12-381.js';
* const sigs = bls12_381.longSignatures;
* // Use the full BLS helper set when you need hashing, keygen, signing, and verification.
* const { secretKey, publicKey } = sigs.keygen();
* const msg = sigs.hash(new TextEncoder().encode('hello noble'));
* const sig = sigs.sign(msg, secretKey);
* const isValid = sigs.verify(sig, msg, publicKey);
* ```
*/
export function bls(
fields: TArg<BlsFields>,
G1_Point: WeierstrassPointCons<Fp>,
G2_Point: WeierstrassPointCons<Fp2>,
params: TArg<BlsPairingParams>,
hasherParams: TArg<BlsHasherParams>,
signatureCoders: BlsSignatureCoders
): BlsCurvePairWithSignatures {
const base = blsHashers(fields, G1_Point, G2_Point, params, hasherParams);
const pairingRes: BlsPairing = {
...base,
Fr: base.fields.Fr,
Fp12: base.fields.Fp12,
calcPairingPrecomputes: base.utils.calcPairingPrecomputes,
randomSecretKey: base.utils.randomSecretKey,
};
const longSignatures = createBlsSig(
pairingRes,
G1_Point,
G2_Point,
false,
base.G2.hashToCurve,
signatureCoders?.LongSignature
);
const shortSignatures = createBlsSig(
pairingRes,
G2_Point,
G1_Point,
true,
base.G1.hashToCurve,
signatureCoders?.ShortSignature
);
return Object.freeze({ ...base, longSignatures, shortSignatures });
}
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/src/abstract/curve.ts
Generated Vendored
+916
View File
@@ -0,0 +1,916 @@
/**
* Methods for elliptic curve multiplication by scalars.
* Contains wNAF, pippenger.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { bitLen, bitMask, validateObject, type Signer, type TArg, type TRet } from '../utils.ts';
import { Field, FpInvertBatch, validateField, type IField } from './modular.ts';
const _0n = /* @__PURE__ */ BigInt(0);
const _1n = /* @__PURE__ */ BigInt(1);
/** Affine point coordinates without projective fields. */
export type AffinePoint<T> = {
/** Affine x coordinate. */
x: T;
/** Affine y coordinate. */
y: T;
} & { Z?: never };
// We can't "abstract out" coordinates (X, Y, Z; and T in Edwards): argument names of constructor
// are not accessible. See Typescript gh-56093, gh-41594.
//
// We have to use recursive types, so it will return actual point, not constained `CurvePoint`.
// If, at any point, P is `any`, it will erase all types and replace it
// with `any`, because of recursion, `any implements CurvePoint`,
// but we lose all constrains on methods.
/** Base interface for all elliptic-curve point instances. */
export interface CurvePoint<F, P extends CurvePoint<F, P>> {
/** Affine x coordinate. Different from projective / extended X coordinate. */
x: F;
/** Affine y coordinate. Different from projective / extended Y coordinate. */
y: F;
/** Projective Z coordinate when the point keeps projective state. */
Z?: F;
/**
* Double the point.
* @returns Doubled point.
*/
double(): P;
/**
* Negate the point.
* @returns Negated point.
*/
negate(): P;
/**
* Add another point from the same curve.
* @param other - Point to add.
* @returns Sum point.
*/
add(other: P): P;
/**
* Subtract another point from the same curve.
* @param other - Point to subtract.
* @returns Difference point.
*/
subtract(other: P): P;
/**
* Compare two points for equality.
* @param other - Point to compare.
* @returns Whether the points are equal.
*/
equals(other: P): boolean;
/**
* Multiply the point by a scalar in constant time.
* Implementations keep the subgroup-scalar contract strict and may reject
* `0` instead of returning the identity point.
* @param scalar - Scalar multiplier.
* @returns Product point.
*/
multiply(scalar: bigint): P;
/** Assert that the point satisfies the curve equation and subgroup checks. */
assertValidity(): void;
/**
* Map the point into the prime-order subgroup when the curve requires it.
* @returns Prime-order point.
*/
clearCofactor(): P;
/**
* Check whether the point is the point at infinity.
* @returns Whether the point is zero.
*/
is0(): boolean;
/**
* Check whether the point belongs to the prime-order subgroup.
* @returns Whether the point is torsion-free.
*/
isTorsionFree(): boolean;
/**
* Check whether the point lies in a small torsion subgroup.
* @returns Whether the point has small order.
*/
isSmallOrder(): boolean;
/**
* Multiply the point by a scalar without constant-time guarantees.
* Public-scalar callers that need `0` should use this method instead of
* relying on `multiply(...)` to return the identity point.
* @param scalar - Scalar multiplier.
* @returns Product point.
*/
multiplyUnsafe(scalar: bigint): P;
/**
* Massively speeds up `p.multiply(n)` by using precompute tables (caching). See {@link wNAF}.
* Cache state lives in internal WeakMaps keyed by point identity, not on the point object.
* Repeating `precompute(...)` for the same point identity replaces the remembered window size
* and forces table regeneration for that point.
* @param windowSize - Precompute window size.
* @param isLazy - calculate cache now. Default (true) ensures it's deferred to first `multiply()`
* @returns Same point instance with precompute tables attached.
*/
precompute(windowSize?: number, isLazy?: boolean): P;
/**
* Converts point to 2D xy affine coordinates.
* @param invertedZ - Optional inverted Z coordinate for batch normalization.
* @returns Affine x/y coordinates.
*/
toAffine(invertedZ?: F): AffinePoint<F>;
/**
* Encode the point into the curve's canonical byte form.
* @returns Encoded point bytes.
*/
toBytes(): Uint8Array;
/**
* Encode the point into the curve's canonical hex form.
* @returns Encoded point hex.
*/
toHex(): string;
}
/** Base interface for elliptic-curve point constructors. */
export interface CurvePointCons<P extends CurvePoint<any, P>> {
/**
* Runtime brand check for points created by this constructor.
* @param item - Value to test.
* @returns Whether the value is a point from this constructor.
*/
[Symbol.hasInstance]: (item: unknown) => boolean;
/** Canonical subgroup generator. */
BASE: P;
/** Point at infinity. */
ZERO: P;
/** Field for basic curve math */
Fp: IField<P_F<P>>;
/** Scalar field, for scalars in multiply and others */
Fn: IField<bigint>;
/**
* Create one point from affine coordinates.
* Does NOT validate curve, subgroup, or wrapper invariants.
* Use `.assertValidity()` on adversarial inputs.
* @param p - Affine point coordinates.
* @returns Point instance.
*/
fromAffine(p: AffinePoint<P_F<P>>): P;
/**
* Decode a point from the canonical byte encoding.
* @param bytes - Encoded point bytes.
* Implementations MUST treat `bytes` as read-only.
* @returns Point instance.
*/
fromBytes(bytes: Uint8Array): P;
/**
* Decode a point from the canonical hex encoding.
* @param hex - Encoded point hex.
* @returns Point instance.
*/
fromHex(hex: string): P;
}
// Type inference helpers: PC - PointConstructor, P - Point, Fp - Field element
// Short names, because we use them a lot in result types:
// * we can't do 'P = GetCurvePoint<PC>': this is default value and doesn't constrain anything
// * we can't do 'type X = GetCurvePoint<PC>': it won't be accesible for arguments/return types
// * `CurvePointCons<P extends CurvePoint<any, P>>` constraints from interface definition
// won't propagate, if `PC extends CurvePointCons<any>`: the P would be 'any', which is incorrect
// * PC could be super specific with super specific P, which implements CurvePoint<any, P>.
// this means we need to do stuff like
// `function test<P extends CurvePoint<any, P>, PC extends CurvePointCons<P>>(`
// if we want type safety around P, otherwise PC_P<PC> will be any
/** Returns the affine field type for a point instance (`P_F<P> == P.F`). */
export type P_F<P extends CurvePoint<any, P>> = P extends CurvePoint<infer F, P> ? F : never;
/** Returns the affine field type for a point constructor (`PC_F<PC> == PC.P.F`). */
export type PC_F<PC extends CurvePointCons<CurvePoint<any, any>>> = PC['Fp']['ZERO'];
/** Returns the point instance type for a point constructor (`PC_P<PC> == PC.P`). */
export type PC_P<PC extends CurvePointCons<CurvePoint<any, any>>> = PC['ZERO'];
// Ugly hack to get proper type inference, because in typescript fails to infer resursively.
// The hack allows to do up to 10 chained operations without applying type erasure.
//
// Types which won't work:
// * `CurvePointCons<CurvePoint<any, any>>`, will return `any` after 1 operation
// * `CurvePointCons<any>: WeierstrassPointCons<bigint> extends CurvePointCons<any> = false`
// * `P extends CurvePoint, PC extends CurvePointCons<P>`
// * It can't infer P from PC alone
// * Too many relations between F, P & PC
// * It will infer P/F if `arg: CurvePointCons<F, P>`, but will fail if PC is generic
// * It will work correctly if there is an additional argument of type P
// * But generally, we don't want to parametrize `CurvePointCons` over `F`: it will complicate
// types, making them un-inferable
// prettier-ignore
/** Wide point-constructor type used when the concrete curve is not important. */
export type PC_ANY = CurvePointCons<
CurvePoint<any,
CurvePoint<any,
CurvePoint<any,
CurvePoint<any,
CurvePoint<any,
CurvePoint<any,
CurvePoint<any,
CurvePoint<any,
CurvePoint<any,
CurvePoint<any, any>
>>>>>>>>>
>;
/**
* Validates the static surface of a point constructor.
* This is only a cheap sanity check for the constructor hooks and fields consumed by generic
* factories; it does not certify `BASE`/`ZERO` semantics or prove the curve implementation itself.
* @param Point - Runtime point constructor.
* @throws On missing constructor hooks or malformed field metadata. {@link TypeError}
* @example
* Check that one point constructor exposes the static hooks generic helpers need.
*
* ```ts
* import { ed25519 } from '@noble/curves/ed25519.js';
* import { validatePointCons } from '@noble/curves/abstract/curve.js';
* validatePointCons(ed25519.Point);
* ```
*/
export function validatePointCons<P extends CurvePoint<any, P>>(Point: CurvePointCons<P>): void {
const pc = Point as unknown as CurvePointCons<any>;
if (typeof (pc as unknown) !== 'function') throw new TypeError('Point must be a constructor');
// validateObject only accepts plain objects, so copy the constructor statics into one bag first.
validateObject(
{
Fp: pc.Fp,
Fn: pc.Fn,
fromAffine: pc.fromAffine,
fromBytes: pc.fromBytes,
fromHex: pc.fromHex,
},
{
Fp: 'object',
Fn: 'object',
fromAffine: 'function',
fromBytes: 'function',
fromHex: 'function',
}
);
validateField(pc.Fp);
validateField(pc.Fn);
}
/** Byte lengths used by one curve implementation. */
export interface CurveLengths {
/** Secret-key length in bytes. */
secretKey?: number;
/** Compressed public-key length in bytes. */
publicKey?: number;
/** Uncompressed public-key length in bytes. */
publicKeyUncompressed?: number;
/** Whether public-key encodings include a format prefix byte. */
publicKeyHasPrefix?: boolean;
/** Signature length in bytes. */
signature?: number;
/** Seed length in bytes when the curve exposes deterministic keygen from seed. */
seed?: number;
}
/** Reorders or otherwise remaps a batch while preserving its element type. */
export type Mapper<T> = (i: T[]) => T[];
/**
* Computes both candidates first, but the final selection still branches on `condition`, so this
* is not a strict constant-time CMOV primitive.
* @param condition - Whether to negate the point.
* @param item - Point-like value.
* @returns Original or negated value.
* @example
* Keep the point or return its negation based on one boolean branch.
*
* ```ts
* import { negateCt } from '@noble/curves/abstract/curve.js';
* import { p256 } from '@noble/curves/nist.js';
* const maybeNegated = negateCt(true, p256.Point.BASE);
* ```
*/
export function negateCt<T extends { negate: () => T }>(condition: boolean, item: T): T {
const neg = item.negate();
return condition ? neg : item;
}
/**
* Takes a bunch of Projective Points but executes only one
* inversion on all of them. Inversion is very slow operation,
* so this improves performance massively.
* Optimization: converts a list of projective points to a list of identical points with Z=1.
* Input points are left unchanged; the normalized points are returned as fresh instances.
* @param c - Point constructor.
* @param points - Projective points.
* @returns Fresh projective points reconstructed from normalized affine coordinates.
* @example
* Batch-normalize projective points with a single shared inversion.
*
* ```ts
* import { normalizeZ } from '@noble/curves/abstract/curve.js';
* import { p256 } from '@noble/curves/nist.js';
* const points = normalizeZ(p256.Point, [p256.Point.BASE, p256.Point.BASE.double()]);
* ```
*/
export function normalizeZ<P extends CurvePoint<any, P>, PC extends CurvePointCons<P>>(
c: PC,
points: P[]
): P[] {
const invertedZs = FpInvertBatch(
c.Fp,
points.map((p) => p.Z!)
);
return points.map((p, i) => c.fromAffine(p.toAffine(invertedZs[i])));
}
function validateW(W: number, bits: number) {
if (!Number.isSafeInteger(W) || W <= 0 || W > bits)
throw new Error('invalid window size, expected [1..' + bits + '], got W=' + W);
}
/** Internal wNAF opts for specific W and scalarBits.
* Zero digits are skipped, so tables store only the positive half-window and callers reserve one
* extra carry window.
*/
type WOpts = {
windows: number;
windowSize: number;
mask: bigint;
maxNumber: number;
shiftBy: bigint;
};
function calcWOpts(W: number, scalarBits: number): WOpts {
validateW(W, scalarBits);
const windows = Math.ceil(scalarBits / W) + 1; // W=8 33. Not 32, because we skip zero
const windowSize = 2 ** (W - 1); // W=8 128. Not 256, because we skip zero
const maxNumber = 2 ** W; // W=8 256
const mask = bitMask(W); // W=8 255 == mask 0b11111111
const shiftBy = BigInt(W); // W=8 8
return { windows, windowSize, mask, maxNumber, shiftBy };
}
function calcOffsets(n: bigint, window: number, wOpts: WOpts) {
const { windowSize, mask, maxNumber, shiftBy } = wOpts;
let wbits = Number(n & mask); // extract W bits.
let nextN = n >> shiftBy; // shift number by W bits.
// What actually happens here:
// const highestBit = Number(mask ^ (mask >> 1n));
// let wbits2 = wbits - 1; // skip zero
// if (wbits2 & highestBit) { wbits2 ^= Number(mask); // (~);
// split if bits > max: +224 => 256-32
if (wbits > windowSize) {
// we skip zero, which means instead of `>= size-1`, we do `> size`
wbits -= maxNumber; // -32, can be maxNumber - wbits, but then we need to set isNeg here.
nextN += _1n; // +256 (carry)
}
const offsetStart = window * windowSize;
const offset = offsetStart + Math.abs(wbits) - 1; // -1 because we skip zero; ignore when isZero
const isZero = wbits === 0; // is current window slice a 0?
const isNeg = wbits < 0; // is current window slice negative?
const isNegF = window % 2 !== 0; // fake branch noise only
const offsetF = offsetStart; // fake branch noise only
return { nextN, offset, isZero, isNeg, isNegF, offsetF };
}
function validateMSMPoints(points: any[], c: any) {
if (!Array.isArray(points)) throw new Error('array expected');
points.forEach((p, i) => {
if (!(p instanceof c)) throw new Error('invalid point at index ' + i);
});
}
function validateMSMScalars(scalars: any[], field: any) {
if (!Array.isArray(scalars)) throw new Error('array of scalars expected');
scalars.forEach((s, i) => {
if (!field.isValid(s)) throw new Error('invalid scalar at index ' + i);
});
}
// Since points in different groups cannot be equal (different object constructor),
// we can have single place to store precomputes.
// Allows to make points frozen / immutable.
const pointPrecomputes = new WeakMap<any, any[]>();
const pointWindowSizes = new WeakMap<any, number>();
function getW(P: any): number {
// To disable precomputes:
// return 1;
// `1` is also the uncached sentinel: use the ladder / non-precomputed path.
return pointWindowSizes.get(P) || 1;
}
function assert0(n: bigint): void {
// Internal invariant: a non-zero remainder here means the wNAF window decomposition or loop
// count is inconsistent, not that the original caller provided a bad scalar.
if (n !== _0n) throw new Error('invalid wNAF');
}
/**
* Elliptic curve multiplication of Point by scalar. Fragile.
* Table generation takes **30MB of ram and 10ms on high-end CPU**,
* but may take much longer on slow devices. Actual generation will happen on
* first call of `multiply()`. By default, `BASE` point is precomputed.
*
* Scalars should always be less than curve order: this should be checked inside of a curve itself.
* Creates precomputation tables for fast multiplication:
* - private scalar is split by fixed size windows of W bits
* - every window point is collected from window's table & added to accumulator
* - since windows are different, same point inside tables won't be accessed more than once per calc
* - each multiplication is 'Math.ceil(CURVE_ORDER / 𝑊) + 1' point additions (fixed for any scalar)
* - +1 window is neccessary for wNAF
* - wNAF reduces table size: 2x less memory + 2x faster generation, but 10% slower multiplication
*
* TODO: research returning a 2d JS array of windows instead of a single window.
* This would allow windows to be in different memory locations.
* @param Point - Point constructor.
* @param bits - Scalar bit length.
* @example
* Elliptic curve multiplication of Point by scalar.
*
* ```ts
* import { wNAF } from '@noble/curves/abstract/curve.js';
* import { p256 } from '@noble/curves/nist.js';
* const ladder = new wNAF(p256.Point, p256.Point.Fn.BITS);
* ```
*/
export class wNAF<PC extends PC_ANY> {
private readonly BASE: PC_P<PC>;
private readonly ZERO: PC_P<PC>;
private readonly Fn: PC['Fn'];
readonly bits: number;
// Parametrized with a given Point class (not individual point)
constructor(Point: PC, bits: number) {
this.BASE = Point.BASE;
this.ZERO = Point.ZERO;
this.Fn = Point.Fn;
this.bits = bits;
}
// non-const time multiplication ladder
_unsafeLadder(elm: PC_P<PC>, n: bigint, p: PC_P<PC> = this.ZERO): PC_P<PC> {
let d: PC_P<PC> = elm;
while (n > _0n) {
if (n & _1n) p = p.add(d);
d = d.double();
n >>= _1n;
}
return p;
}
/**
* Creates a wNAF precomputation window. Used for caching.
* Default window size is set by `utils.precompute()` and is equal to 8.
* Number of precomputed points depends on the curve size:
* 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
* - 𝑊 is the window size
* - 𝑛 is the bitlength of the curve order.
* For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
* @param point - Point instance
* @param W - window size
* @returns precomputed point tables flattened to a single array
*/
private precomputeWindow(point: PC_P<PC>, W: number): PC_P<PC>[] {
const { windows, windowSize } = calcWOpts(W, this.bits);
const points: PC_P<PC>[] = [];
let p: PC_P<PC> = point;
let base = p;
for (let window = 0; window < windows; window++) {
base = p;
points.push(base);
// i=1, bc we skip 0
for (let i = 1; i < windowSize; i++) {
base = base.add(p);
points.push(base);
}
p = base.double();
}
return points;
}
/**
* Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
* More compact implementation:
* https://github.com/paulmillr/noble-secp256k1/blob/47cb1669b6e506ad66b35fe7d76132ae97465da2/index.ts#L502-L541
* @returns real and fake (for const-time) points
*/
private wNAF(W: number, precomputes: PC_P<PC>[], n: bigint): { p: PC_P<PC>; f: PC_P<PC> } {
// Scalar should be smaller than field order
if (!this.Fn.isValid(n)) throw new Error('invalid scalar');
// Accumulators
let p = this.ZERO;
let f = this.BASE;
// This code was first written with assumption that 'f' and 'p' will never be infinity point:
// since each addition is multiplied by 2 ** W, it cannot cancel each other. However,
// there is negate now: it is possible that negated element from low value
// would be the same as high element, which will create carry into next window.
// It's not obvious how this can fail, but still worth investigating later.
const wo = calcWOpts(W, this.bits);
for (let window = 0; window < wo.windows; window++) {
// (n === _0n) is handled and not early-exited. isEven and offsetF are used for noise
const { nextN, offset, isZero, isNeg, isNegF, offsetF } = calcOffsets(n, window, wo);
n = nextN;
if (isZero) {
// bits are 0: add garbage to fake point
// Important part for const-time getPublicKey: add random "noise" point to f.
f = f.add(negateCt(isNegF, precomputes[offsetF]));
} else {
// bits are 1: add to result point
p = p.add(negateCt(isNeg, precomputes[offset]));
}
}
assert0(n);
// Return both real and fake points so JIT keeps the noise path alive.
// Known caveat: negate/carry interactions can still drive `f` to infinity even when `p` is not,
// which weakens the noise path and leaves this only "less const-time" by about one bigint mul.
return { p, f };
}
/**
* Implements unsafe EC multiplication using precomputed tables
* and w-ary non-adjacent form.
* @param acc - accumulator point to add result of multiplication
* @returns point
*/
private wNAFUnsafe(
W: number,
precomputes: PC_P<PC>[],
n: bigint,
acc: PC_P<PC> = this.ZERO
): PC_P<PC> {
const wo = calcWOpts(W, this.bits);
for (let window = 0; window < wo.windows; window++) {
if (n === _0n) break; // Early-exit, skip 0 value
const { nextN, offset, isZero, isNeg } = calcOffsets(n, window, wo);
n = nextN;
if (isZero) {
// Window bits are 0: skip processing.
// Move to next window.
continue;
} else {
const item = precomputes[offset];
acc = acc.add(isNeg ? item.negate() : item); // Re-using acc allows to save adds in MSM
}
}
assert0(n);
return acc;
}
private getPrecomputes(W: number, point: PC_P<PC>, transform?: Mapper<PC_P<PC>>): PC_P<PC>[] {
// Cache key is only point identity plus the remembered window size; callers must not reuse the
// same point with incompatible `transform(...)` layouts and expect a separate cache entry.
let comp = pointPrecomputes.get(point);
if (!comp) {
comp = this.precomputeWindow(point, W) as PC_P<PC>[];
if (W !== 1) {
// Doing transform outside of if brings 15% perf hit
if (typeof transform === 'function') comp = transform(comp);
pointPrecomputes.set(point, comp);
}
}
return comp;
}
cached(
point: PC_P<PC>,
scalar: bigint,
transform?: Mapper<PC_P<PC>>
): { p: PC_P<PC>; f: PC_P<PC> } {
const W = getW(point);
return this.wNAF(W, this.getPrecomputes(W, point, transform), scalar);
}
unsafe(point: PC_P<PC>, scalar: bigint, transform?: Mapper<PC_P<PC>>, prev?: PC_P<PC>): PC_P<PC> {
const W = getW(point);
if (W === 1) return this._unsafeLadder(point, scalar, prev); // For W=1 ladder is ~x2 faster
return this.wNAFUnsafe(W, this.getPrecomputes(W, point, transform), scalar, prev);
}
// We calculate precomputes for elliptic curve point multiplication
// using windowed method. This specifies window size and
// stores precomputed values. Usually only base point would be precomputed.
createCache(P: PC_P<PC>, W: number): void {
validateW(W, this.bits);
pointWindowSizes.set(P, W);
pointPrecomputes.delete(P);
}
hasCache(elm: PC_P<PC>): boolean {
return getW(elm) !== 1;
}
}
/**
* Endomorphism-specific multiplication for Koblitz curves.
* Cost: 128 dbl, 0-256 adds.
* @param Point - Point constructor.
* @param point - Input point.
* @param k1 - First non-negative absolute scalar chunk.
* @param k2 - Second non-negative absolute scalar chunk.
* @returns Partial multiplication results.
* @example
* Endomorphism-specific multiplication for Koblitz curves.
*
* ```ts
* import { mulEndoUnsafe } from '@noble/curves/abstract/curve.js';
* import { secp256k1 } from '@noble/curves/secp256k1.js';
* const parts = mulEndoUnsafe(secp256k1.Point, secp256k1.Point.BASE, 3n, 5n);
* ```
*/
export function mulEndoUnsafe<P extends CurvePoint<any, P>, PC extends CurvePointCons<P>>(
Point: PC,
point: P,
k1: bigint,
k2: bigint
): { p1: P; p2: P } {
let acc = point;
let p1 = Point.ZERO;
let p2 = Point.ZERO;
while (k1 > _0n || k2 > _0n) {
if (k1 & _1n) p1 = p1.add(acc);
if (k2 & _1n) p2 = p2.add(acc);
acc = acc.double();
k1 >>= _1n;
k2 >>= _1n;
}
return { p1, p2 };
}
/**
* Pippenger algorithm for multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
* 30x faster vs naive addition on L=4096, 10x faster than precomputes.
* For N=254bit, L=1, it does: 1024 ADD + 254 DBL. For L=5: 1536 ADD + 254 DBL.
* Algorithmically constant-time (for same L), even when 1 point + scalar, or when scalar = 0.
* @param c - Curve Point constructor
* @param points - array of L curve points
* @param scalars - array of L scalars (aka secret keys / bigints)
* @returns MSM result point. Empty input is accepted and returns the identity.
* @throws If the point set, scalar set, or MSM sizing is invalid. {@link Error}
* @example
* Pippenger algorithm for multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
*
* ```ts
* import { pippenger } from '@noble/curves/abstract/curve.js';
* import { p256 } from '@noble/curves/nist.js';
* const point = pippenger(p256.Point, [p256.Point.BASE, p256.Point.BASE.double()], [2n, 3n]);
* ```
*/
export function pippenger<P extends CurvePoint<any, P>, PC extends CurvePointCons<P>>(
c: PC,
points: P[],
scalars: bigint[]
): P {
// If we split scalars by some window (let's say 8 bits), every chunk will only
// take 256 buckets even if there are 4096 scalars, also re-uses double.
// TODO:
// - https://eprint.iacr.org/2024/750.pdf
// - https://tches.iacr.org/index.php/TCHES/article/view/10287
// 0 is accepted in scalars
const fieldN = c.Fn;
validateMSMPoints(points, c);
validateMSMScalars(scalars, fieldN);
const plength = points.length;
const slength = scalars.length;
if (plength !== slength) throw new Error('arrays of points and scalars must have equal length');
// if (plength === 0) throw new Error('array must be of length >= 2');
const zero = c.ZERO;
const wbits = bitLen(BigInt(plength));
let windowSize = 1; // bits
if (wbits > 12) windowSize = wbits - 3;
else if (wbits > 4) windowSize = wbits - 2;
else if (wbits > 0) windowSize = 2;
const MASK = bitMask(windowSize);
const buckets = new Array(Number(MASK) + 1).fill(zero); // +1 for zero array
const lastBits = Math.floor((fieldN.BITS - 1) / windowSize) * windowSize;
let sum = zero;
for (let i = lastBits; i >= 0; i -= windowSize) {
buckets.fill(zero);
for (let j = 0; j < slength; j++) {
const scalar = scalars[j];
const wbits = Number((scalar >> BigInt(i)) & MASK);
buckets[wbits] = buckets[wbits].add(points[j]);
}
let resI = zero; // not using this will do small speed-up, but will lose ct
// Skip first bucket, because it is zero
for (let j = buckets.length - 1, sumI = zero; j > 0; j--) {
sumI = sumI.add(buckets[j]);
resI = resI.add(sumI);
}
sum = sum.add(resI);
if (i !== 0) for (let j = 0; j < windowSize; j++) sum = sum.double();
}
return sum as P;
}
/**
* Precomputed multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
* @param c - Curve Point constructor
* @param points - array of L curve points
* @param windowSize - Precompute window size.
* @returns Function which multiplies points with scalars. The closure accepts
* `scalars.length <= points.length`, and omitted trailing scalars are treated as zero.
* @throws If the point set or precompute window is invalid. {@link Error}
* @example
* Precomputed multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
*
* ```ts
* import { precomputeMSMUnsafe } from '@noble/curves/abstract/curve.js';
* import { p256 } from '@noble/curves/nist.js';
* const msm = precomputeMSMUnsafe(p256.Point, [p256.Point.BASE], 4);
* const point = msm([3n]);
* ```
*/
export function precomputeMSMUnsafe<P extends CurvePoint<any, P>, PC extends CurvePointCons<P>>(
c: PC,
points: P[],
windowSize: number
): (scalars: bigint[]) => P {
/**
* Performance Analysis of Window-based Precomputation
*
* Base Case (256-bit scalar, 8-bit window):
* - Standard precomputation requires:
* - 31 additions per scalar × 256 scalars = 7,936 ops
* - Plus 255 summary additions = 8,191 total ops
* Note: Summary additions can be optimized via accumulator
*
* Chunked Precomputation Analysis:
* - Using 32 chunks requires:
* - 255 additions per chunk
* - 256 doublings
* - Total: (255 × 32) + 256 = 8,416 ops
*
* Memory Usage Comparison:
* Window Size | Standard Points | Chunked Points
* ------------|-----------------|---------------
* 4-bit | 520 | 15
* 8-bit | 4,224 | 255
* 10-bit | 13,824 | 1,023
* 16-bit | 557,056 | 65,535
*
* Key Advantages:
* 1. Enables larger window sizes due to reduced memory overhead
* 2. More efficient for smaller scalar counts:
* - 16 chunks: (16 × 255) + 256 = 4,336 ops
* - ~2x faster than standard 8,191 ops
*
* Limitations:
* - Not suitable for plain precomputes (requires 256 constant doublings)
* - Performance degrades with larger scalar counts:
* - Optimal for ~256 scalars
* - Less efficient for 4096+ scalars (Pippenger preferred)
*/
const fieldN = c.Fn;
validateW(windowSize, fieldN.BITS);
validateMSMPoints(points, c);
const zero = c.ZERO;
const tableSize = 2 ** windowSize - 1; // table size (without zero)
const chunks = Math.ceil(fieldN.BITS / windowSize); // chunks of item
const MASK = bitMask(windowSize);
const tables = points.map((p: P) => {
const res = [];
for (let i = 0, acc = p; i < tableSize; i++) {
res.push(acc);
acc = acc.add(p);
}
return res;
});
return (scalars: bigint[]): P => {
validateMSMScalars(scalars, fieldN);
if (scalars.length > points.length)
throw new Error('array of scalars must be smaller than array of points');
let res = zero;
for (let i = 0; i < chunks; i++) {
// No need to double if accumulator is still zero.
if (res !== zero) for (let j = 0; j < windowSize; j++) res = res.double();
const shiftBy = BigInt(chunks * windowSize - (i + 1) * windowSize);
for (let j = 0; j < scalars.length; j++) {
const n = scalars[j];
const curr = Number((n >> shiftBy) & MASK);
if (!curr) continue; // skip zero scalars chunks
res = res.add(tables[j][curr - 1]);
}
}
return res;
};
}
/** Minimal curve parameters needed to construct a Weierstrass or Edwards curve. */
export type ValidCurveParams<T> = {
/** Base-field modulus. */
p: bigint;
/** Prime subgroup order. */
n: bigint;
/** Cofactor. */
h: bigint;
/** Curve parameter `a`. */
a: T;
/** Weierstrass curve parameter `b`. */
b?: T;
/** Edwards curve parameter `d`. */
d?: T;
/** Generator x coordinate. */
Gx: T;
/** Generator y coordinate. */
Gy: T;
};
function createField<T>(order: bigint, field?: TArg<IField<T>>, isLE?: boolean): TRet<IField<T>> {
if (field) {
// Reuse supplied field overrides as-is; `isLE` only affects freshly constructed fallback
// fields, and validateField() below only checks the arithmetic subset, not full byte/cmov
// behavior.
if (field.ORDER !== order) throw new Error('Field.ORDER must match order: Fp == p, Fn == n');
validateField(field);
return field as TRet<IField<T>>;
} else {
return Field(order, { isLE }) as unknown as TRet<IField<T>>;
}
}
/** Pair of fields used by curve constructors. */
export type FpFn<T> = {
/** Base field used for curve coordinates. */
Fp: IField<T>;
/** Scalar field used for secret scalars and subgroup arithmetic. */
Fn: IField<bigint>;
};
/**
* Validates basic CURVE shape and field membership, then creates fields.
* This does not prove that the generator is on-curve, that subgroup/order data are consistent, or
* that the curve equation itself is otherwise sane.
* @param type - Curve family.
* @param CURVE - Curve parameters.
* @param curveOpts - Optional field overrides:
* - `Fp` (optional): Optional base-field override.
* - `Fn` (optional): Optional scalar-field override.
* @param FpFnLE - Whether field encoding is little-endian.
* @returns Frozen curve parameters and fields.
* @throws If the curve parameters or field overrides are invalid. {@link Error}
* @example
* Build curve fields from raw constants before constructing a curve instance.
*
* ```ts
* const curve = createCurveFields('weierstrass', {
* p: 17n,
* n: 19n,
* h: 1n,
* a: 2n,
* b: 2n,
* Gx: 5n,
* Gy: 1n,
* });
* ```
*/
export function createCurveFields<T>(
type: 'weierstrass' | 'edwards',
CURVE: ValidCurveParams<T>,
curveOpts: TArg<Partial<FpFn<T>>> = {},
FpFnLE?: boolean
): TRet<FpFn<T> & { CURVE: ValidCurveParams<T> }> {
if (FpFnLE === undefined) FpFnLE = type === 'edwards';
if (!CURVE || typeof CURVE !== 'object') throw new Error(`expected valid ${type} CURVE object`);
for (const p of ['p', 'n', 'h'] as const) {
const val = CURVE[p];
if (!(typeof val === 'bigint' && val > _0n))
throw new Error(`CURVE.${p} must be positive bigint`);
}
const Fp = createField(CURVE.p, curveOpts.Fp, FpFnLE);
const Fn = createField(CURVE.n, curveOpts.Fn, FpFnLE);
const _b: 'b' | 'd' = type === 'weierstrass' ? 'b' : 'd';
const params = ['Gx', 'Gy', 'a', _b] as const;
for (const p of params) {
// @ts-ignore
if (!Fp.isValid(CURVE[p]))
throw new Error(`CURVE.${p} must be valid field element of CURVE.Fp`);
}
CURVE = Object.freeze(Object.assign({}, CURVE));
return { CURVE, Fp, Fn } as TRet<FpFn<T> & { CURVE: ValidCurveParams<T> }>;
}
type KeygenFn = (
seed?: Uint8Array,
isCompressed?: boolean
) => { secretKey: Uint8Array; publicKey: Uint8Array };
/**
* @param randomSecretKey - Secret-key generator.
* @param getPublicKey - Public-key derivation helper.
* @returns Keypair generator.
* @example
* Build a `keygen()` helper from existing secret-key and public-key primitives.
*
* ```ts
* import { createKeygen } from '@noble/curves/abstract/curve.js';
* import { p256 } from '@noble/curves/nist.js';
* const keygen = createKeygen(p256.utils.randomSecretKey, p256.getPublicKey);
* const pair = keygen();
* ```
*/
export function createKeygen(
randomSecretKey: Function,
getPublicKey: TArg<Signer['getPublicKey']>
): TRet<KeygenFn> {
return function keygen(seed?: TArg<Uint8Array>) {
const secretKey = randomSecretKey(seed) as TRet<Uint8Array>;
return { secretKey, publicKey: getPublicKey(secretKey) as TRet<Uint8Array> };
};
}
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/src/abstract/edwards.ts
Generated Vendored
+1013
View File
File diff suppressed because it is too large Load Diff
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/src/abstract/fft.ts
Generated Vendored
+854
View File
@@ -0,0 +1,854 @@
/**
* Experimental implementation of NTT / FFT (Fast Fourier Transform) over finite fields.
* API may change at any time. The code has not been audited. Feature requests are welcome.
* @module
*/
import type { TArg } from '../utils.ts';
import type { IField } from './modular.ts';
/** Array-like coefficient storage that can be mutated in place. */
export interface MutableArrayLike<T> {
/** Element access by numeric index. */
[index: number]: T;
/** Current amount of stored coefficients. */
length: number;
/**
* Return a sliced copy using the same storage shape.
* @param start - Inclusive start index.
* @param end - Exclusive end index.
* @returns Sliced copy.
*/
slice(start?: number, end?: number): this;
/**
* Iterate over stored coefficients in order.
* @returns Coefficient iterator.
*/
[Symbol.iterator](): Iterator<T>;
}
/**
* Concrete polynomial containers accepted by the high-level `poly(...)` helpers.
* Lower-level FFT helpers can work with structural `MutableArrayLike`, but `poly(...)`
* intentionally keeps runtime dispatch on plain arrays and typed-array views.
*/
export type PolyStorage<T> = T[] | (MutableArrayLike<T> & ArrayBufferView);
function checkU32(n: number) {
// 0xff_ff_ff_ff
if (!Number.isSafeInteger(n) || n < 0 || n > 0xffffffff)
throw new Error('wrong u32 integer:' + n);
return n;
}
/**
* Checks if integer is in form of `1 << X`.
* @param x - Integer to inspect.
* @returns `true` when the value is a power of two.
* @throws If `x` is not a valid unsigned 32-bit integer. {@link Error}
* @example
* Validate that an FFT size is a power of two.
*
* ```ts
* isPowerOfTwo(8);
* ```
*/
export function isPowerOfTwo(x: number): boolean {
checkU32(x);
return (x & (x - 1)) === 0 && x !== 0;
}
/**
* @param n - Input value.
* @returns Next power of two within the u32/array-length domain.
* @throws If `n` is not a valid unsigned 32-bit integer. {@link Error}
* @example
* Round an integer up to the FFT size it needs.
*
* ```ts
* nextPowerOfTwo(9);
* ```
*/
export function nextPowerOfTwo(n: number): number {
checkU32(n);
if (n <= 1) return 1;
// FFT sizes here are used as JS array lengths, so `2^32` is not a meaningful result:
// keep the fast u32 bit-twiddling path and fail explicitly instead of wrapping to 1.
if (n > 0x8000_0000) throw new Error('nextPowerOfTwo overflow: result does not fit u32');
return (1 << (log2(n - 1) + 1)) >>> 0;
}
/**
* @param n - Value to reverse.
* @param bits - Number of bits to use.
* @returns Bit-reversed integer.
* @throws If `n` is not a valid unsigned 32-bit integer. {@link Error}
* @example
* Reverse the low `bits` bits of one index.
*
* ```ts
* reverseBits(3, 3);
* ```
*/
export function reverseBits(n: number, bits: number): number {
checkU32(n);
if (!Number.isSafeInteger(bits) || bits < 0 || bits > 32)
throw new Error(`expected integer 0 <= bits <= 32, got ${bits}`);
let reversed = 0;
for (let i = 0; i < bits; i++, n >>>= 1) reversed = (reversed << 1) | (n & 1);
// JS bitwise ops are signed i32; cast back so 32-bit reversals stay in the unsigned u32 domain.
return reversed >>> 0;
}
/**
* Similar to `bitLen(x)-1` but much faster for small integers, like indices.
* @param n - Input value.
* @returns Base-2 logarithm. For `n = 0`, the current implementation returns `-1`.
* @throws If `n` is not a valid unsigned 32-bit integer. {@link Error}
* @example
* Compute the radix-2 stage count for one transform size.
*
* ```ts
* log2(8);
* ```
*/
export function log2(n: number): number {
checkU32(n);
return 31 - Math.clz32(n);
}
/**
* Moves lowest bit to highest position, which at first step splits
* array on even and odd indices, then it applied again to each part,
* which is core of fft
* @param values - Mutable coefficient array.
* @returns Mutated input array.
* @throws If the array length is not a positive power of two. {@link Error}
* @example
* Reorder coefficients into bit-reversed order in place.
*
* ```ts
* const values = Uint8Array.from([0, 1, 2, 3]);
* bitReversalInplace(values);
* ```
*/
export function bitReversalInplace<T extends MutableArrayLike<any>>(values: T): T {
const n = values.length;
// Size-1 FFT is the identity, so bit-reversal must stay a no-op there instead of rejecting it.
if (!isPowerOfTwo(n)) throw new Error('expected positive power-of-two length, got ' + n);
const bits = log2(n);
for (let i = 0; i < n; i++) {
const j = reverseBits(i, bits);
if (i < j) {
const tmp = values[i];
values[i] = values[j];
values[j] = tmp;
}
}
return values;
}
/**
* @param values - Input values.
* @returns Reordered copy.
* @throws If the array length is not a positive power of two. {@link Error}
* @example
* Return a reordered copy instead of mutating the input in place.
*
* ```ts
* const reordered = bitReversalPermutation([0, 1, 2, 3]);
* ```
*/
export function bitReversalPermutation<T>(values: T[]): T[] {
return bitReversalInplace(values.slice()) as T[];
}
const _1n = /** @__PURE__ */ BigInt(1);
function findGenerator(field: TArg<IField<bigint>>) {
let G = BigInt(2);
for (; field.eql(field.pow(G, field.ORDER >> _1n), field.ONE); G++);
return G;
}
/** Cached roots-of-unity tables derived from one finite field. */
export type RootsOfUnity = {
/** Generator and 2-adicity metadata for the cached field. */
info: { G: bigint; oddFactor: bigint; powerOfTwo: number };
/**
* Return the natural-order roots of unity for one radix-2 size.
* @param bits - Transform size as `log2(N)`.
* @returns Natural-order roots for that size.
*/
roots: (bits: number) => bigint[];
/**
* Return the bit-reversal permutation of the roots for one radix-2 size.
* @param bits - Transform size as `log2(N)`.
* @returns Bit-reversed roots.
*/
brp(bits: number): bigint[];
/**
* Return the inverse roots of unity for one radix-2 size.
* @param bits - Transform size as `log2(N)`.
* @returns Inverse roots.
*/
inverse(bits: number): bigint[];
/**
* Return one primitive root used by a radix-2 stage.
* @param bits - Transform size as `log2(N)`.
* @returns Primitive root for that stage.
*/
omega: (bits: number) => bigint;
/**
* Drop all cached root tables.
* @returns Nothing.
*/
clear: () => void;
};
/**
* We limit roots up to 2**31, which is a lot: 2-billion polynomimal should be rare.
* @param field - Field implementation.
* @param generator - Optional generator override.
* @returns Roots-of-unity cache.
* @example
* Cache roots once, then ask for the omega table of one FFT size.
*
* ```ts
* import { rootsOfUnity } from '@noble/curves/abstract/fft.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const roots = rootsOfUnity(Field(17n));
* const omega = roots.omega(4);
* ```
*/
export function rootsOfUnity(field: TArg<IField<bigint>>, generator?: bigint): RootsOfUnity {
// Factor field.ORDER-1 as oddFactor * 2^powerOfTwo
let oddFactor = field.ORDER - _1n;
let powerOfTwo = 0;
for (; (oddFactor & _1n) !== _1n; powerOfTwo++, oddFactor >>= _1n);
// Find non quadratic residue
let G = generator !== undefined ? BigInt(generator) : findGenerator(field);
// Powers of generator
const omegas: bigint[] = new Array(powerOfTwo + 1);
omegas[powerOfTwo] = field.pow(G, oddFactor);
for (let i = powerOfTwo; i > 0; i--) omegas[i - 1] = field.sqr(omegas[i]);
// Compute all roots of unity for powers up to maxPower
const rootsCache: bigint[][] = [];
const checkBits = (bits: number) => {
checkU32(bits);
if (bits > 31 || bits > powerOfTwo)
throw new Error('rootsOfUnity: wrong bits ' + bits + ' powerOfTwo=' + powerOfTwo);
return bits;
};
const precomputeRoots = (maxPower: number) => {
checkBits(maxPower);
for (let power = maxPower; power >= 0; power--) {
if (rootsCache[power]) continue; // Skip if we've already computed roots for this power
const rootsAtPower: bigint[] = [];
for (let j = 0, cur = field.ONE; j < 2 ** power; j++, cur = field.mul(cur, omegas[power]))
rootsAtPower.push(cur);
rootsCache[power] = rootsAtPower;
}
return rootsCache[maxPower];
};
const brpCache = new Map<number, bigint[]>();
const inverseCache = new Map<number, bigint[]>();
// roots()/brp()/inverse() expose shared cached arrays by reference for speed; callers must treat them as read-only.
// NOTE: we use bits instead of power, because power = 2**bits,
// but power is not neccesary isPowerOfTwo(power)!
return {
info: { G, powerOfTwo, oddFactor },
roots: (bits: number): bigint[] => {
const b = checkBits(bits);
return precomputeRoots(b);
},
brp(bits: number): bigint[] {
const b = checkBits(bits);
if (brpCache.has(b)) return brpCache.get(b)!;
else {
const res = bitReversalPermutation(this.roots(b));
brpCache.set(b, res);
return res;
}
},
inverse(bits: number): bigint[] {
const b = checkBits(bits);
if (inverseCache.has(b)) return inverseCache.get(b)!;
else {
const res = field.invertBatch(this.roots(b));
inverseCache.set(b, res);
return res;
}
},
omega: (bits: number): bigint => omegas[checkBits(bits)],
clear: (): void => {
rootsCache.splice(0, rootsCache.length);
brpCache.clear();
inverseCache.clear();
},
};
}
/** Polynomial coefficient container used by the FFT helpers. */
export type Polynomial<T> = MutableArrayLike<T>;
/**
* Arithmetic operations used by the generic FFT implementation.
*
* Maps great to Field<bigint>, but not to Group (EC points):
* - inv from scalar field
* - we need multiplyUnsafe here, instead of multiply for speed
* - multiplyUnsafe is safe in the context: we do mul(rootsOfUnity), which are public and sparse
*/
export type FFTOpts<T, R> = {
/**
* Add two coefficients.
* @param a - Left coefficient.
* @param b - Right coefficient.
* @returns Sum coefficient.
*/
add: (a: T, b: T) => T;
/**
* Subtract two coefficients.
* @param a - Left coefficient.
* @param b - Right coefficient.
* @returns Difference coefficient.
*/
sub: (a: T, b: T) => T;
/**
* Multiply one coefficient by a scalar/root factor.
* @param a - Coefficient value.
* @param scalar - Scalar/root factor.
* @returns Scaled coefficient.
*/
mul: (a: T, scalar: R) => T;
/**
* Invert one scalar/root factor.
* @param a - Scalar/root factor.
* @returns Inverse factor.
*/
inv: (a: R) => R;
};
/** Configuration for one low-level FFT loop. */
export type FFTCoreOpts<R> = {
/** Transform size. Must be a power of two. */
N: number;
/** Stage roots for the selected transform size. */
roots: Polynomial<R>;
/** Whether to run the DIT variant instead of DIF. */
dit: boolean;
/** Whether to invert butterfly placement for decode-oriented layouts. */
invertButterflies?: boolean;
/** Number of initial stages to skip. */
skipStages?: number;
/** Whether to apply bit-reversal permutation at the boundary. */
brp?: boolean;
};
/**
* Callable low-level FFT loop over one polynomial storage shape.
* @param values - Polynomial coefficients to transform in place.
* @returns The mutated input polynomial.
*/
export type FFTCoreLoop<T> = <P extends Polynomial<T>>(values: P) => P;
/**
* Constructs different flavors of FFT. radix2 implementation of low level mutating API. Flavors:
*
* - DIT (Decimation-in-Time): Bottom-Up (leaves to root), Cool-Turkey
* - DIF (Decimation-in-Frequency): Top-Down (root to leaves), Gentleman-Sande
*
* DIT takes brp input, returns natural output.
* DIF takes natural input, returns brp output.
*
* The output is actually identical. Time / frequence distinction is not meaningful
* for Polynomial multiplication in fields.
* Which means if protocol supports/needs brp output/inputs, then we can skip this step.
*
* Cyclic NTT: Rq = Zq[x]/(x^n-1). butterfly_DIT+loop_DIT OR butterfly_DIF+loop_DIT, roots are omega
* Negacyclic NTT: Rq = Zq[x]/(x^n+1). butterfly_DIT+loop_DIF, at least for mlkem / mldsa
* @param F - Field operations.
* @param coreOpts - FFT configuration:
* - `N`: Transform size. Must be a power of two.
* - `roots`: Stage roots for the selected transform size.
* - `dit`: Whether to run the DIT variant instead of DIF.
* - `invertButterflies` (optional): Whether to invert butterfly placement.
* - `skipStages` (optional): Number of initial stages to skip.
* - `brp` (optional): Whether to apply bit-reversal permutation at the boundary.
* @returns Low-level FFT loop.
* @throws If the FFT options or cached roots are invalid for the requested size. {@link Error}
* @example
* Constructs different flavors of FFT.
*
* ```ts
* import { FFTCore, rootsOfUnity } from '@noble/curves/abstract/fft.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const roots = rootsOfUnity(Fp).roots(2);
* const loop = FFTCore(Fp, { N: 4, roots, dit: true });
* const values = loop([1n, 2n, 3n, 4n]);
* ```
*/
export const FFTCore = <T, R>(F: FFTOpts<T, R>, coreOpts: FFTCoreOpts<R>): FFTCoreLoop<T> => {
const { N, roots, dit, invertButterflies = false, skipStages = 0, brp = true } = coreOpts;
const bits = log2(N);
if (!isPowerOfTwo(N)) throw new Error('FFT: Polynomial size should be power of two');
// Wrong-sized root tables can stay in-bounds for some loop shapes and silently compute nonsense.
if (roots.length !== N)
throw new Error(`FFT: wrong roots length: expected ${N}, got ${roots.length}`);
const isDit = dit !== invertButterflies;
isDit;
return <P extends Polynomial<T>>(values: P): P => {
if (values.length !== N) throw new Error('FFT: wrong Polynomial length');
if (dit && brp) bitReversalInplace(values);
for (let i = 0, g = 1; i < bits - skipStages; i++) {
// For each stage s (sub-FFT length m = 2^s)
const s = dit ? i + 1 + skipStages : bits - i;
const m = 1 << s;
const m2 = m >> 1;
const stride = N >> s;
// Loop over each subarray of length m
for (let k = 0; k < N; k += m) {
// Loop over each butterfly within the subarray
for (let j = 0, grp = g++; j < m2; j++) {
const rootPos = invertButterflies ? (dit ? N - grp : grp) : j * stride;
const i0 = k + j;
const i1 = k + j + m2;
const omega = roots[rootPos];
const b = values[i1];
const a = values[i0];
// Inlining gives us 10% perf in kyber vs functions
if (isDit) {
const t = F.mul(b, omega); // Standard DIT butterfly
values[i0] = F.add(a, t);
values[i1] = F.sub(a, t);
} else if (invertButterflies) {
values[i0] = F.add(b, a); // DIT loop + inverted butterflies (Kyber decode)
values[i1] = F.mul(F.sub(b, a), omega);
} else {
values[i0] = F.add(a, b); // Standard DIF butterfly
values[i1] = F.mul(F.sub(a, b), omega);
}
}
}
}
if (!dit && brp) bitReversalInplace(values);
return values;
};
};
/** Forward and inverse FFT helpers for one coefficient domain. */
export type FFTMethods<T> = {
/**
* Apply the forward transform.
* @param values - Polynomial coefficients to transform.
* @param brpInput - Whether the input is already bit-reversed.
* @param brpOutput - Whether to keep the output bit-reversed.
* @returns Transformed copy.
*/
direct<P extends Polynomial<T>>(values: P, brpInput?: boolean, brpOutput?: boolean): P;
/**
* Apply the inverse transform.
* @param values - Polynomial coefficients to transform.
* @param brpInput - Whether the input is already bit-reversed.
* @param brpOutput - Whether to keep the output bit-reversed.
* @returns Inverse-transformed copy.
*/
inverse<P extends Polynomial<T>>(values: P, brpInput?: boolean, brpOutput?: boolean): P;
};
/**
* NTT aka FFT over finite field (NOT over complex numbers).
* Naming mirrors other libraries.
* @param roots - Roots-of-unity cache.
* @param opts - Field operations. See {@link FFTOpts}.
* @returns Forward and inverse FFT helpers.
* @example
* NTT aka FFT over finite field (NOT over complex numbers).
*
* ```ts
* import { FFT, rootsOfUnity } from '@noble/curves/abstract/fft.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const fft = FFT(rootsOfUnity(Fp), Fp);
* const values = fft.direct([1n, 2n, 3n, 4n]);
* ```
*/
export function FFT<T>(roots: RootsOfUnity, opts: FFTOpts<T, bigint>): FFTMethods<T> {
const getLoop = (
N: number,
roots: Polynomial<bigint>,
brpInput = false,
brpOutput = false
): (<P extends Polynomial<T>>(values: P) => P) => {
if (brpInput && brpOutput) {
// we cannot optimize this case, but lets support it anyway
return (values) =>
FFTCore(opts, { N, roots, dit: false, brp: false })(bitReversalInplace(values));
}
if (brpInput) return FFTCore(opts, { N, roots, dit: true, brp: false });
if (brpOutput) return FFTCore(opts, { N, roots, dit: false, brp: false });
return FFTCore(opts, { N, roots, dit: true, brp: true }); // all natural
};
return {
direct<P extends Polynomial<T>>(values: P, brpInput = false, brpOutput = false): P {
const N = values.length;
if (!isPowerOfTwo(N)) throw new Error('FFT: Polynomial size should be power of two');
const bits = log2(N);
return getLoop(N, roots.roots(bits), brpInput, brpOutput)<P>(values.slice());
},
inverse<P extends Polynomial<T>>(values: P, brpInput = false, brpOutput = false): P {
const N = values.length;
if (!isPowerOfTwo(N)) throw new Error('FFT: Polynomial size should be power of two');
const bits = log2(N);
const res = getLoop(N, roots.inverse(bits), brpInput, brpOutput)(values.slice());
const ivm = opts.inv(BigInt(values.length)); // scale
// we can get brp output if we use dif instead of dit!
for (let i = 0; i < res.length; i++) res[i] = opts.mul(res[i], ivm);
// Allows to re-use non-inverted roots, but is VERY fragile
// return [res[0]].concat(res.slice(1).reverse());
// inverse calculated as pow(-1), which transforms into ω^{-kn} (-> reverses indices)
return res;
},
};
}
/**
* Factory that allocates one polynomial storage container.
* Callers must ensure `_create(len)` returns field-zero-filled storage when `elm` is omitted,
* because the quadratic `mul()` / `convolve()` paths and the Kronecker-δ shortcut in
* `lagrange.basis()` rely on that default instead of always passing `field.ZERO` explicitly.
* @param len - Requested amount of coefficients.
* @param elm - Optional fill value.
* @returns Newly allocated polynomial container.
*/
export type CreatePolyFn<P extends PolyStorage<T>, T> = (len: number, elm?: T) => P;
/** High-level polynomial helpers layered on top of FFT and field arithmetic. */
export type PolyFn<P extends PolyStorage<T>, T> = {
/** Roots-of-unity cache used by the helper namespace. */
roots: RootsOfUnity;
/** Factory used to allocate new polynomial containers. */
create: CreatePolyFn<P, T>;
/** Optional enforced polynomial length. */
length?: number;
/**
* Compute the polynomial degree.
* @param a - Polynomial coefficients.
* @returns Polynomial degree.
*/
degree: (a: P) => number;
/**
* Extend or truncate one polynomial to a requested length.
* @param a - Polynomial coefficients.
* @param len - Target length.
* @returns Resized polynomial.
*/
extend: (a: P, len: number) => P;
/**
* Add two polynomials coefficient-wise.
* @param a - Left polynomial.
* @param b - Right polynomial.
* @returns Sum polynomial.
*/
add: (a: P, b: P) => P;
/**
* Subtract two polynomials coefficient-wise.
* @param a - Left polynomial.
* @param b - Right polynomial.
* @returns Difference polynomial.
*/
sub: (a: P, b: P) => P;
/**
* Multiply by another polynomial or by one scalar.
* @param a - Left polynomial.
* @param b - Right polynomial or scalar.
* @returns Product polynomial.
*/
mul: (a: P, b: P | T) => P;
/**
* Multiply coefficients point-wise.
* @param a - Left polynomial.
* @param b - Right polynomial.
* @returns Point-wise product polynomial.
*/
dot: (a: P, b: P) => P;
/**
* Multiply two polynomials with convolution.
* @param a - Left polynomial.
* @param b - Right polynomial.
* @returns Convolution product.
*/
convolve: (a: P, b: P) => P;
/**
* Apply a point-wise coefficient shift by powers of one factor.
* @param p - Polynomial coefficients.
* @param factor - Shift factor.
* @returns Shifted polynomial.
*/
shift: (p: P, factor: bigint) => P;
/**
* Clone one polynomial container.
* @param a - Polynomial coefficients.
* @returns Cloned polynomial.
*/
clone: (a: P) => P;
/**
* Evaluate one polynomial on a basis vector.
* @param a - Polynomial coefficients.
* @param basis - Basis vector.
* @returns Evaluated field element.
*/
eval: (a: P, basis: P) => T;
/** Helpers for monomial-basis polynomials. */
monomial: {
/** Build the monomial basis vector for one evaluation point. */
basis: (x: T, n: number) => P;
/** Evaluate a polynomial in the monomial basis. */
eval: (a: P, x: T) => T;
};
/** Helpers for Lagrange-basis polynomials. */
lagrange: {
/** Build the Lagrange basis vector for one evaluation point. */
basis: (x: T, n: number, brp?: boolean) => P;
/** Evaluate a polynomial in the Lagrange basis. */
eval: (a: P, x: T, brp?: boolean) => T;
};
/**
* Build the vanishing polynomial for a root set.
* @param roots - Root set.
* @returns Vanishing polynomial.
*/
vanishing: (roots: P) => P;
};
/**
* Poly wants a cracker.
*
* Polynomials are functions like `y=f(x)`, which means when we multiply two polynomials, result is
* function `f3(x) = f1(x) * f2(x)`, we don't multiply values. Key takeaways:
*
* - **Polynomial** is an array of coefficients: `f(x) = sum(coeff[i] * basis[i](x))`
* - **Basis** is array of functions
* - **Monominal** is Polynomial where `basis[i](x) == x**i` (powers)
* - **Array size** is domain size
* - **Lattice** is matrix (Polynomial of Polynomials)
* @param field - Field implementation.
* @param roots - Roots-of-unity cache.
* @param create - Optional polynomial factory. Runtime input validation accepts only plain `Array`
* and typed-array polynomial containers; arbitrary structural wrappers are intentionally rejected.
* @param fft - Optional FFT implementation.
* @param length - Optional fixed polynomial length.
* @returns Polynomial helper namespace.
* @example
* Build polynomial helpers, then convolve two coefficient arrays.
*
* ```ts
* import { poly, rootsOfUnity } from '@noble/curves/abstract/fft.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const poly17 = poly(Fp, rootsOfUnity(Fp));
* const product = poly17.convolve([1n, 2n], [3n, 4n]);
* ```
*/
export function poly<T>(
field: TArg<IField<T>>,
roots: RootsOfUnity,
create?: undefined,
fft?: FFTMethods<T>,
length?: number
): PolyFn<T[], T>;
export function poly<T, P extends PolyStorage<T>>(
field: TArg<IField<T>>,
roots: RootsOfUnity,
create: CreatePolyFn<P, T>,
fft?: FFTMethods<T>,
length?: number
): PolyFn<P, T>;
export function poly<T, P extends PolyStorage<T>>(
field: TArg<IField<T>>,
roots: RootsOfUnity,
create?: CreatePolyFn<P, T>,
fft?: FFTMethods<T>,
length?: number
): PolyFn<any, T> {
const F = field as IField<T>;
const _create =
create ||
(((len: number, elm?: T): T[] => new Array(len).fill(elm ?? F.ZERO)) as CreatePolyFn<P, T>);
// `poly.mul(a, b)` distinguishes polynomial-vs-scalar at runtime, so keep accepted
// polynomial containers concrete instead of trying to support arbitrary wrappers.
const isPoly = (x: any): x is P => {
if (Array.isArray(x)) return true;
if (!ArrayBuffer.isView(x)) return false;
const v = x as unknown as ArrayLike<unknown> & { slice?: unknown; [Symbol.iterator]?: unknown };
return (
typeof v.length === 'number' &&
typeof v.slice === 'function' &&
typeof v[Symbol.iterator] === 'function'
);
};
const checkLength = (...lst: P[]): number => {
if (!lst.length) return 0;
for (const i of lst) if (!isPoly(i)) throw new Error('poly: not polynomial: ' + i);
const L = lst[0].length;
for (let i = 1; i < lst.length; i++)
if (lst[i].length !== L) throw new Error(`poly: mismatched lengths ${L} vs ${lst[i].length}`);
if (length !== undefined && L !== length)
throw new Error(`poly: expected fixed length ${length}, got ${L}`);
return L;
};
function findOmegaIndex(x: T, n: number, brp = false): number {
const bits = log2(n);
const omega = brp ? roots.brp(bits) : roots.roots(bits);
for (let i = 0; i < n; i++) if (F.eql(x, omega[i] as T)) return i;
return -1;
}
// TODO: mutating versions for mlkem/mldsa
return {
roots,
create: _create,
length,
extend: (a: P, len: number): P => {
checkLength(a);
const out = _create(len, F.ZERO);
// Plain arrays grow when writing past `out.length`, so cap the copy explicitly to keep
// `extend()` consistent with typed arrays and with its documented truncate behavior.
for (let i = 0; i < Math.min(a.length, len); i++) out[i] = a[i];
return out;
},
degree: (a: P): number => {
checkLength(a);
for (let i = a.length - 1; i >= 0; i--) if (!F.is0(a[i])) return i;
return -1;
},
add: (a: P, b: P): P => {
const len = checkLength(a, b);
const out = _create(len);
for (let i = 0; i < len; i++) out[i] = F.add(a[i], b[i]);
return out;
},
sub: (a: P, b: P): P => {
const len = checkLength(a, b);
const out = _create(len);
for (let i = 0; i < len; i++) out[i] = F.sub(a[i], b[i]);
return out;
},
dot: (a: P, b: P): P => {
const len = checkLength(a, b);
const out = _create(len);
for (let i = 0; i < len; i++) out[i] = F.mul(a[i], b[i]);
return out;
},
mul: (a: P, b: P | T): P => {
if (isPoly(b)) {
const len = checkLength(a, b);
if (fft) {
const A = fft.direct(a, false, true);
const B = fft.direct(b, false, true);
for (let i = 0; i < A.length; i++) A[i] = F.mul(A[i], B[i]);
return fft.inverse(A, true, false) as P;
} else {
// NOTE: this is quadratic and mostly for compat tests with FFT
const res = _create(len);
for (let i = 0; i < len; i++) {
for (let j = 0; j < len; j++) {
const k = (i + j) % len; // wrap mod length
res[k] = F.add(res[k], F.mul(a[i], b[j]));
}
}
return res;
}
} else {
const out = _create(checkLength(a));
for (let i = 0; i < out.length; i++) out[i] = F.mul(a[i], b);
return out;
}
},
convolve(a: P, b: P): P {
const len = nextPowerOfTwo(a.length + b.length - 1);
return this.mul(this.extend(a, len), this.extend(b, len));
},
shift(p: P, factor: bigint): P {
const out = _create(checkLength(p));
out[0] = p[0];
for (let i = 1, power = F.ONE; i < p.length; i++) {
power = F.mul(power, factor);
out[i] = F.mul(p[i], power);
}
return out;
},
clone: (a: P): P => {
checkLength(a);
const out = _create(a.length);
for (let i = 0; i < a.length; i++) out[i] = a[i];
return out;
},
eval: (a: P, basis: P): T => {
checkLength(a, basis);
let acc = F.ZERO;
for (let i = 0; i < a.length; i++) acc = F.add(acc, F.mul(a[i], basis[i]));
return acc;
},
monomial: {
basis: (x: T, n: number): P => {
const out = _create(n);
let pow = F.ONE;
for (let i = 0; i < n; i++) {
out[i] = pow;
pow = F.mul(pow, x);
}
return out;
},
eval: (a: P, x: T): T => {
checkLength(a);
// Same as eval(a, monomialBasis(x, a.length)), but it is faster this way
let acc = F.ZERO;
for (let i = a.length - 1; i >= 0; i--) acc = F.add(F.mul(acc, x), a[i]);
return acc;
},
},
lagrange: {
basis: (x: T, n: number, brp = false, weights?: P): P => {
const bits = log2(n);
const cache = weights || (brp ? roots.brp(bits) : roots.roots(bits)); // [ω⁰, ω¹, ..., ωⁿ⁻¹]
const out = _create(n);
// Fast Kronecker-δ shortcut
const idx = findOmegaIndex(x, n, brp);
if (idx !== -1) {
out[idx] = F.ONE;
return out;
}
const tm = F.pow(x, BigInt(n));
const c = F.mul(F.sub(tm, F.ONE), F.inv(BigInt(n) as T)); // c = (xⁿ - 1)/n
const denom = _create(n);
for (let i = 0; i < n; i++) denom[i] = F.sub(x, cache[i] as T);
const inv = F.invertBatch(denom as any as T[]);
for (let i = 0; i < n; i++) out[i] = F.mul(c, F.mul(cache[i] as T, inv[i]));
return out;
},
eval(a: P, x: T, brp = false): T {
checkLength(a);
const idx = findOmegaIndex(x, a.length, brp);
if (idx !== -1) return a[idx]; // fast path
const L = this.basis(x, a.length, brp); // Lᵢ(x)
let acc = F.ZERO;
for (let i = 0; i < a.length; i++) if (!F.is0(a[i])) acc = F.add(acc, F.mul(a[i], L[i]));
return acc;
},
},
vanishing(roots: P): P {
checkLength(roots);
const out = _create(roots.length + 1, F.ZERO);
out[0] = F.ONE;
for (const r of roots) {
const neg = F.neg(r);
for (let j = out.length - 1; j > 0; j--) out[j] = F.add(F.mul(out[j], neg), out[j - 1]);
out[0] = F.mul(out[0], neg);
}
return out;
},
};
}
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/src/abstract/frost.ts
Generated Vendored
+1092
View File
File diff suppressed because it is too large Load Diff
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/src/abstract/hash-to-curve.ts
Generated Vendored
+491
View File
@@ -0,0 +1,491 @@
/**
* hash-to-curve from RFC 9380.
* Hashes arbitrary-length byte strings to a list of one or more elements of a finite field F.
* https://www.rfc-editor.org/rfc/rfc9380
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import type { CHash, TArg, TRet } from '../utils.ts';
import {
abytes,
asafenumber,
asciiToBytes,
bytesToNumberBE,
copyBytes,
concatBytes,
isBytes,
validateObject,
} from '../utils.ts';
import type { AffinePoint, PC_ANY, PC_F, PC_P } from './curve.ts';
import { FpInvertBatch, mod, type IField } from './modular.ts';
/** ASCII domain-separation tag or raw bytes. */
export type AsciiOrBytes = string | Uint8Array;
type H2CDefaults = {
DST: AsciiOrBytes;
expand: 'xmd' | 'xof';
hash: CHash;
p: bigint;
m: number;
k: number;
encodeDST?: AsciiOrBytes;
};
/**
* * `DST` is a domain separation tag, defined in section 2.2.5
* * `p` characteristic of F, where F is a finite field of characteristic p and order q = p^m
* * `m` is extension degree (1 for prime fields)
* * `k` is the target security target in bits (e.g. 128), from section 5.1
* * `expand` is `xmd` (SHA2, SHA3, BLAKE) or `xof` (SHAKE, BLAKE-XOF)
* * `hash` conforming to `utils.CHash` interface, with `outputLen` / `blockLen` props
*/
export type H2COpts = {
/** Domain separation tag. */
DST: AsciiOrBytes;
/** Expander family used by RFC 9380. */
expand: 'xmd' | 'xof';
/** Hash or XOF implementation used by the expander. */
hash: CHash;
/** Base-field characteristic. */
p: bigint;
/** Extension degree (`1` for prime fields). */
m: number;
/** Target security level in bits. */
k: number;
};
/** Hash-only subset of RFC 9380 options used by per-call overrides. */
export type H2CHashOpts = {
/** Expander family used by RFC 9380. */
expand: 'xmd' | 'xof';
/** Hash or XOF implementation used by the expander. */
hash: CHash;
};
/**
* Map one hash-to-field output tuple onto affine curve coordinates.
* Implementations receive the validated scalar tuple by reference for performance and MUST treat it
* as read-only. Callers that need scratch space should copy before mutating.
* @param scalar - Field-element tuple produced by `hash_to_field`.
* @returns Affine point before subgroup clearing.
*/
export type MapToCurve<T> = (scalar: bigint[]) => AffinePoint<T>;
// Separated from initialization opts, so users won't accidentally change per-curve parameters
// (changing DST is ok!)
/** Per-call override for the domain-separation tag. */
export type H2CDSTOpts = {
/** Domain-separation tag override. */
DST: AsciiOrBytes;
};
/** Base hash-to-curve helpers shared by `hashToCurve` and `encodeToCurve`. */
export type H2CHasherBase<PC extends PC_ANY> = {
/**
* Hash arbitrary bytes to one curve point.
* @param msg - Input message bytes.
* @param options - Optional domain-separation override. See {@link H2CDSTOpts}.
* @returns Curve point after hash-to-curve.
*/
hashToCurve(msg: TArg<Uint8Array>, options?: TArg<H2CDSTOpts>): PC_P<PC>;
/**
* Hash arbitrary bytes to one scalar.
* @param msg - Input message bytes.
* @param options - Optional domain-separation override. See {@link H2CDSTOpts}.
* @returns Scalar reduced into the target field.
*/
hashToScalar(msg: TArg<Uint8Array>, options?: TArg<H2CDSTOpts>): bigint;
/**
* Derive one curve point from non-uniform bytes without the random-oracle
* guarantees of `hashToCurve`.
* Accepts the same arguments as `hashToCurve`, but runs the encode-to-curve
* path instead of the random-oracle construction.
*/
deriveToCurve?(msg: TArg<Uint8Array>, options?: TArg<H2CDSTOpts>): PC_P<PC>;
/** Point constructor for the target curve. */
Point: PC;
};
/**
* RFC 9380 methods, with cofactor clearing. See {@link https://www.rfc-editor.org/rfc/rfc9380#section-3 | RFC 9380 section 3}.
*
* * hashToCurve: `map(hash(input))`, encodes RANDOM bytes to curve (WITH hashing)
* * encodeToCurve: `map(hash(input))`, encodes NON-UNIFORM bytes to curve (WITH hashing)
* * mapToCurve: `map(scalars)`, encodes NON-UNIFORM scalars to curve (NO hashing)
*/
export type H2CHasher<PC extends PC_ANY> = H2CHasherBase<PC> & {
/**
* Encode non-uniform bytes to one curve point.
* @param msg - Input message bytes.
* @param options - Optional domain-separation override. See {@link H2CDSTOpts}.
* @returns Curve point after encode-to-curve.
*/
encodeToCurve(msg: TArg<Uint8Array>, options?: TArg<H2CDSTOpts>): PC_P<PC>;
/** Deterministic map from `hash_to_field` tuples into affine coordinates. */
mapToCurve: MapToCurve<PC_F<PC>>;
/** Default RFC 9380 options captured by this hasher bundle. */
defaults: H2CDefaults;
};
// Octet Stream to Integer. "spec" implementation of os2ip is 2.5x slower vs bytesToNumberBE.
const os2ip = bytesToNumberBE;
// Integer to Octet Stream (numberToBytesBE).
function i2osp(value: number, length: number): TRet<Uint8Array> {
asafenumber(value);
asafenumber(length);
// This helper stays on the JS bitwise/u32 fast-path. Callers that need wider encodings should
// use bigint + numberToBytesBE instead of routing large widths through this small helper.
if (length < 0 || length > 4) throw new Error('invalid I2OSP length: ' + length);
if (value < 0 || value > 2 ** (8 * length) - 1) throw new Error('invalid I2OSP input: ' + value);
const res = Array.from({ length }).fill(0) as number[];
for (let i = length - 1; i >= 0; i--) {
res[i] = value & 0xff;
value >>>= 8;
}
return new Uint8Array(res) as TRet<Uint8Array>;
}
// RFC 9380 only applies strxor() to equal-length strings; callers must preserve that invariant.
function strxor(a: TArg<Uint8Array>, b: TArg<Uint8Array>): TRet<Uint8Array> {
const arr = new Uint8Array(a.length);
for (let i = 0; i < a.length; i++) {
arr[i] = a[i] ^ b[i];
}
return arr as TRet<Uint8Array>;
}
// User can always use utf8 if they want, by passing Uint8Array.
// If string is passed, we treat it as ASCII: other formats are likely a mistake.
function normDST(DST: TArg<AsciiOrBytes>): TRet<Uint8Array> {
if (!isBytes(DST) && typeof DST !== 'string')
throw new Error('DST must be Uint8Array or ascii string');
const dst = typeof DST === 'string' ? asciiToBytes(DST) : DST;
// RFC 9380 §3.1 requirement 2: tags "MUST have nonzero length".
if (dst.length === 0) throw new Error('DST must be non-empty');
return dst as TRet<Uint8Array>;
}
/**
* Produces a uniformly random byte string using a cryptographic hash
* function H that outputs b bits.
* See {@link https://www.rfc-editor.org/rfc/rfc9380#section-5.3.1 | RFC 9380 section 5.3.1}.
* @param msg - Input message.
* @param DST - Domain separation tag. This helper normalizes DST, rejects empty DSTs, and
* oversize-hashes DST when needed.
* @param lenInBytes - Output length.
* @param H - Hash function.
* @returns Uniform byte string.
* @throws If the message, DST, hash, or output length is invalid. {@link Error}
* @example
* Expand one message into uniform bytes with the XMD construction.
*
* ```ts
* import { expand_message_xmd } from '@noble/curves/abstract/hash-to-curve.js';
* import { sha256 } from '@noble/hashes/sha2.js';
* const uniform = expand_message_xmd(new TextEncoder().encode('hello noble'), 'DST', 32, sha256);
* ```
*/
export function expand_message_xmd(
msg: TArg<Uint8Array>,
DST: TArg<AsciiOrBytes>,
lenInBytes: number,
H: TArg<CHash>
): TRet<Uint8Array> {
abytes(msg);
asafenumber(lenInBytes);
DST = normDST(DST);
// https://www.rfc-editor.org/rfc/rfc9380#section-5.3.3
if (DST.length > 255) DST = H(concatBytes(asciiToBytes('H2C-OVERSIZE-DST-'), DST));
const { outputLen: b_in_bytes, blockLen: r_in_bytes } = H;
const ell = Math.ceil(lenInBytes / b_in_bytes);
if (lenInBytes > 65535 || ell > 255) throw new Error('expand_message_xmd: invalid lenInBytes');
const DST_prime = concatBytes(DST, i2osp(DST.length, 1));
const Z_pad = new Uint8Array(r_in_bytes); // RFC 9380: Z_pad = I2OSP(0, s_in_bytes)
const l_i_b_str = i2osp(lenInBytes, 2); // len_in_bytes_str
const b = new Array<Uint8Array>(ell);
const b_0 = H(concatBytes(Z_pad, msg, l_i_b_str, i2osp(0, 1), DST_prime));
b[0] = H(concatBytes(b_0, i2osp(1, 1), DST_prime));
// `b[0]` already stores RFC `b_1`, so only derive `b_2..b_ell` here. The old `<= ell`
// loop computed one extra tail block, which was usually sliced away but broke at max `ell=255`
// by reaching `I2OSP(256, 1)`.
for (let i = 1; i < ell; i++) {
const args = [strxor(b_0, b[i - 1]), i2osp(i + 1, 1), DST_prime];
b[i] = H(concatBytes(...args));
}
const pseudo_random_bytes = concatBytes(...b);
return pseudo_random_bytes.slice(0, lenInBytes);
}
/**
* Produces a uniformly random byte string using an extendable-output function (XOF) H.
* 1. The collision resistance of H MUST be at least k bits.
* 2. H MUST be an XOF that has been proved indifferentiable from
* a random oracle under a reasonable cryptographic assumption.
* See {@link https://www.rfc-editor.org/rfc/rfc9380#section-5.3.2 | RFC 9380 section 5.3.2}.
* @param msg - Input message.
* @param DST - Domain separation tag. This helper normalizes DST, rejects empty DSTs, and
* oversize-hashes DST when needed.
* @param lenInBytes - Output length.
* @param k - Target security level.
* @param H - XOF hash function.
* @returns Uniform byte string.
* @throws If the message, DST, XOF, or output length is invalid. {@link Error}
* @example
* Expand one message into uniform bytes with the XOF construction.
*
* ```ts
* import { expand_message_xof } from '@noble/curves/abstract/hash-to-curve.js';
* import { shake256 } from '@noble/hashes/sha3.js';
* const uniform = expand_message_xof(
* new TextEncoder().encode('hello noble'),
* 'DST',
* 32,
* 128,
* shake256
* );
* ```
*/
export function expand_message_xof(
msg: TArg<Uint8Array>,
DST: TArg<AsciiOrBytes>,
lenInBytes: number,
k: number,
H: TArg<CHash>
): TRet<Uint8Array> {
abytes(msg);
asafenumber(lenInBytes);
DST = normDST(DST);
// https://www.rfc-editor.org/rfc/rfc9380#section-5.3.3
// RFC 9380 §5.3.3: DST = H("H2C-OVERSIZE-DST-" || a_very_long_DST, ceil(2 * k / 8)).
if (DST.length > 255) {
const dkLen = Math.ceil((2 * k) / 8);
DST = H.create({ dkLen }).update(asciiToBytes('H2C-OVERSIZE-DST-')).update(DST).digest();
}
if (lenInBytes > 65535 || DST.length > 255)
throw new Error('expand_message_xof: invalid lenInBytes');
return (
H.create({ dkLen: lenInBytes })
.update(msg)
.update(i2osp(lenInBytes, 2))
// 2. DST_prime = DST || I2OSP(len(DST), 1)
.update(DST)
.update(i2osp(DST.length, 1))
.digest()
);
}
/**
* Hashes arbitrary-length byte strings to a list of one or more elements of a finite field F.
* See {@link https://www.rfc-editor.org/rfc/rfc9380#section-5.2 | RFC 9380 section 5.2}.
* @param msg - Input message bytes.
* @param count - Number of field elements to derive. Must be `>= 1`.
* @param options - RFC 9380 options. See {@link H2COpts}. `m` must be `>= 1`.
* @returns `[u_0, ..., u_(count - 1)]`, a list of field elements.
* @throws If the expander choice or RFC 9380 options are invalid. {@link Error}
* @example
* Hash one message into field elements before mapping it onto a curve.
*
* ```ts
* import { hash_to_field } from '@noble/curves/abstract/hash-to-curve.js';
* import { sha256 } from '@noble/hashes/sha2.js';
* const scalars = hash_to_field(new TextEncoder().encode('hello noble'), 2, {
* DST: 'DST',
* p: 17n,
* m: 1,
* k: 128,
* expand: 'xmd',
* hash: sha256,
* });
* ```
*/
export function hash_to_field(
msg: TArg<Uint8Array>,
count: number,
options: TArg<H2COpts>
): bigint[][] {
validateObject(options, {
p: 'bigint',
m: 'number',
k: 'number',
hash: 'function',
});
const { p, k, m, hash, expand, DST } = options;
asafenumber(hash.outputLen, 'valid hash');
abytes(msg);
asafenumber(count);
// RFC 9380 §5.2 defines hash_to_field over a list of one or more field elements and requires
// extension degree `m >= 1`; rejecting here avoids degenerate `[]` / `[[]]` helper outputs.
if (count < 1) throw new Error('hash_to_field: expected count >= 1');
if (m < 1) throw new Error('hash_to_field: expected m >= 1');
const log2p = p.toString(2).length;
const L = Math.ceil((log2p + k) / 8); // section 5.1 of ietf draft link above
const len_in_bytes = count * m * L;
let prb; // pseudo_random_bytes
if (expand === 'xmd') {
prb = expand_message_xmd(msg, DST, len_in_bytes, hash);
} else if (expand === 'xof') {
prb = expand_message_xof(msg, DST, len_in_bytes, k, hash);
} else if (expand === '_internal_pass') {
// for internal tests only
prb = msg;
} else {
throw new Error('expand must be "xmd" or "xof"');
}
const u = new Array(count);
for (let i = 0; i < count; i++) {
const e = new Array(m);
for (let j = 0; j < m; j++) {
const elm_offset = L * (j + i * m);
const tv = prb.subarray(elm_offset, elm_offset + L);
e[j] = mod(os2ip(tv), p);
}
u[i] = e;
}
return u;
}
type XY<T> = (x: T, y: T) => { x: T; y: T };
type XYRatio<T> = [T[], T[], T[], T[]]; // xn/xd, yn/yd
/**
* @param field - Field implementation.
* @param map - Isogeny coefficients.
* @returns Isogeny mapping helper.
* @example
* Build one rational isogeny map, then apply it to affine x/y coordinates.
*
* ```ts
* import { isogenyMap } from '@noble/curves/abstract/hash-to-curve.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const iso = isogenyMap(Fp, [[0n, 1n], [1n], [1n], [1n]]);
* const point = iso(3n, 5n);
* ```
*/
export function isogenyMap<T, F extends IField<T>>(field: F, map: XYRatio<T>): XY<T> {
// Make same order as in spec
const coeff = map.map((i) => Array.from(i).reverse());
return (x: T, y: T) => {
const [xn, xd, yn, yd] = coeff.map((val) =>
val.reduce((acc, i) => field.add(field.mul(acc, x), i))
);
// RFC 9380 §6.6.3 / Appendix E: denominator-zero exceptional cases must
// return the identity on E.
// Shipped Weierstrass consumers encode that affine identity as all-zero
// coordinates, so `passZero=true` intentionally collapses zero
// denominators to `{ x: 0, y: 0 }`.
const [xd_inv, yd_inv] = FpInvertBatch(field, [xd, yd], true);
x = field.mul(xn, xd_inv); // xNum / xDen
y = field.mul(y, field.mul(yn, yd_inv)); // y * (yNum / yDev)
return { x, y };
};
}
// Keep the shared DST removable when the selected bundle never hashes to scalar.
// Callers that need protocol-specific scalar domain separation must override this generic default.
// RFC 9497 §§4.1-4.5 use this ASCII prefix before appending the ciphersuite context string.
// Export a string instead of mutable bytes so callers cannot poison default hash-to-scalar behavior
// by mutating a shared Uint8Array in place.
export const _DST_scalar = 'HashToScalar-' as const;
/**
* Creates hash-to-curve methods from EC Point and mapToCurve function. See {@link H2CHasher}.
* @param Point - Point constructor.
* @param mapToCurve - Map-to-curve function.
* @param defaults - Default hash-to-curve options. This object is frozen in place and reused as
* the shared defaults bundle for the returned helpers.
* @returns Hash-to-curve helper namespace.
* @throws If the map-to-curve callback or default hash-to-curve options are invalid. {@link Error}
* @example
* Bundle hash-to-curve, hash-to-scalar, and encode-to-curve helpers for one curve.
*
* ```ts
* import { createHasher } from '@noble/curves/abstract/hash-to-curve.js';
* import { p256 } from '@noble/curves/nist.js';
* import { sha256 } from '@noble/hashes/sha2.js';
* const hasher = createHasher(p256.Point, () => p256.Point.BASE.toAffine(), {
* DST: 'P256_XMD:SHA-256_SSWU_RO_',
* encodeDST: 'P256_XMD:SHA-256_SSWU_NU_',
* p: p256.Point.Fp.ORDER,
* m: 1,
* k: 128,
* expand: 'xmd',
* hash: sha256,
* });
* const point = hasher.encodeToCurve(new TextEncoder().encode('hello noble'));
* ```
*/
export function createHasher<PC extends PC_ANY>(
Point: PC,
mapToCurve: MapToCurve<PC_F<PC>>,
defaults: TArg<H2COpts & { encodeDST?: AsciiOrBytes }>
): H2CHasher<PC> {
if (typeof mapToCurve !== 'function') throw new Error('mapToCurve() must be defined');
// `Point` is intentionally not shape-validated eagerly here: point constructors vary across
// curve families, so this helper only checks the hooks it can validate cheaply. Misconfigured
// suites fail later when hashing first touches Point.fromAffine / Point.ZERO / clearCofactor().
const snapshot = (src: TArg<H2COpts & { encodeDST?: AsciiOrBytes }>): TRet<H2CDefaults> =>
Object.freeze({
...src,
DST: isBytes(src.DST) ? copyBytes(src.DST) : src.DST,
...(src.encodeDST === undefined
? {}
: { encodeDST: isBytes(src.encodeDST) ? copyBytes(src.encodeDST) : src.encodeDST }),
}) as TRet<H2CDefaults>;
// Keep one private defaults snapshot for actual hashing and expose fresh
// detached snapshots via the public getter.
// Otherwise a caller could mutate `hasher.defaults.DST` in place and poison
// the singleton hasher for every other consumer in the same process.
const safeDefaults = snapshot(defaults);
function map(num: bigint[]): PC_P<PC> {
return Point.fromAffine(mapToCurve(num)) as PC_P<PC>;
}
function clear(initial: PC_P<PC>): PC_P<PC> {
const P = initial.clearCofactor();
// Keep ZERO as the algebraic cofactor-clearing result here; strict public point-validity
// surfaces may still reject it later, but createHasher.clear() itself is not that boundary.
if (P.equals(Point.ZERO)) return Point.ZERO as PC_P<PC>;
P.assertValidity();
return P as PC_P<PC>;
}
return Object.freeze({
get defaults() {
return snapshot(safeDefaults);
},
Point,
hashToCurve(msg: TArg<Uint8Array>, options?: TArg<H2CDSTOpts>): PC_P<PC> {
const opts = Object.assign({}, safeDefaults, options);
const u = hash_to_field(msg, 2, opts);
const u0 = map(u[0]);
const u1 = map(u[1]);
return clear(u0.add(u1) as PC_P<PC>);
},
encodeToCurve(msg: TArg<Uint8Array>, options?: TArg<H2CDSTOpts>): PC_P<PC> {
const optsDst = safeDefaults.encodeDST ? { DST: safeDefaults.encodeDST } : {};
const opts = Object.assign({}, safeDefaults, optsDst, options);
const u = hash_to_field(msg, 1, opts);
const u0 = map(u[0]);
return clear(u0);
},
/** See {@link H2CHasher} */
mapToCurve(scalars: bigint | bigint[]): PC_P<PC> {
// Curves with m=1 accept only single scalar
if (safeDefaults.m === 1) {
if (typeof scalars !== 'bigint') throw new Error('expected bigint (m=1)');
return clear(map([scalars]));
}
if (!Array.isArray(scalars)) throw new Error('expected array of bigints');
for (const i of scalars)
if (typeof i !== 'bigint') throw new Error('expected array of bigints');
return clear(map(scalars));
},
// hash_to_scalar can produce 0: https://www.rfc-editor.org/errata/eid8393
// RFC 9380, draft-irtf-cfrg-bbs-signatures-08. Default scalar DST is the shared generic
// `HashToScalar-` prefix above unless the caller overrides it per invocation.
hashToScalar(msg: TArg<Uint8Array>, options?: TArg<H2CDSTOpts>): bigint {
// @ts-ignore
const N = Point.Fn.ORDER;
const opts = Object.assign({}, safeDefaults, { p: N, m: 1, DST: _DST_scalar }, options);
return hash_to_field(msg, 1, opts)[0][0];
},
});
}
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/src/abstract/modular.ts
Generated Vendored
+1068
View File
File diff suppressed because it is too large Load Diff
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/src/abstract/montgomery.ts
Generated Vendored
+271
View File
@@ -0,0 +1,271 @@
/**
* Montgomery curve methods. It's not really whole montgomery curve,
* just bunch of very specific methods for X25519 / X448 from
* [RFC 7748](https://www.rfc-editor.org/rfc/rfc7748)
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import {
abytes,
aInRange,
bytesToNumberLE,
copyBytes,
numberToBytesLE,
randomBytes,
validateObject,
type CryptoKeys,
type TArg,
type TRet,
} from '../utils.ts';
import { createKeygen, type CurveLengths } from './curve.ts';
import { mod } from './modular.ts';
const _0n = BigInt(0);
const _1n = BigInt(1);
const _2n = BigInt(2);
/** Curve-specific hooks required to build one X25519/X448 helper. */
export type MontgomeryOpts = {
/** Prime field modulus. */
P: bigint;
/** RFC 7748 variant name. */
type: 'x25519' | 'x448';
/**
* Clamp or otherwise normalize one scalar byte string before use.
* @param bytes - Raw secret scalar bytes.
* @returns Adjusted scalar bytes ready for Montgomery multiplication.
*/
adjustScalarBytes: (bytes: TArg<Uint8Array>) => TRet<Uint8Array>;
/**
* Invert one field element with exponentiation by `p - 2`.
* @param x - Field element to invert.
* @returns Multiplicative inverse of `x`.
*/
powPminus2: (x: bigint) => bigint;
/**
* Optional randomness source for `keygen()` and `utils.randomSecretKey()`.
* Receives the requested byte length and returns fresh random bytes.
*/
randomBytes?: (bytesLength?: number) => TRet<Uint8Array>;
};
/** Public X25519/X448 ECDH API built on a Montgomery ladder. */
export type MontgomeryECDH = {
/**
* Multiply one scalar by one Montgomery `u` coordinate.
* @param scalar - Secret scalar bytes.
* @param u - Public Montgomery `u` coordinate.
* @returns Shared point encoded as bytes.
*/
scalarMult: (scalar: TArg<Uint8Array>, u: TArg<Uint8Array>) => TRet<Uint8Array>;
/**
* Multiply one scalar by the curve base point.
* @param scalar - Secret scalar bytes.
* @returns Public key bytes.
*/
scalarMultBase: (scalar: TArg<Uint8Array>) => TRet<Uint8Array>;
/**
* Derive a shared secret from a local secret key and peer public key.
* @param secretKeyA - Local secret key bytes.
* @param publicKeyB - Peer public key bytes.
* Rejects low-order public inputs instead of returning the all-zero shared secret.
* @returns Shared secret bytes.
*/
getSharedSecret: (secretKeyA: TArg<Uint8Array>, publicKeyB: TArg<Uint8Array>) => TRet<Uint8Array>;
/**
* Derive one public key from a secret key.
* @param secretKey - Secret key bytes.
* @returns Public key bytes.
*/
getPublicKey: (secretKey: TArg<Uint8Array>) => TRet<Uint8Array>;
/** Utility helpers for secret-key generation. */
utils: {
/** Generate one random secret key with the curve's expected byte length. */
randomSecretKey: () => TRet<Uint8Array>;
};
/** Encoded Montgomery base point `u`. */
GuBytes: TRet<Uint8Array>;
/** Public lengths for keys and seeds. */
lengths: CurveLengths;
/**
* Generate one random secret/public keypair.
* @param seed - Optional seed bytes to use instead of random generation.
* @returns Fresh secret/public keypair.
*/
keygen: (seed?: TArg<Uint8Array>) => {
secretKey: TRet<Uint8Array>;
publicKey: TRet<Uint8Array>;
};
};
function validateOpts(curve: TArg<MontgomeryOpts>) {
// Validate constructor config eagerly, but do not call user-provided hooks here:
// `randomBytes` may be transcript-backed or otherwise contextual. Runtime type checks are
// enough to fail fast on malformed configs without consuming user state.
validateObject(
curve,
{
P: 'bigint',
type: 'string',
adjustScalarBytes: 'function',
powPminus2: 'function',
},
{
randomBytes: 'function',
}
);
return Object.freeze({ ...curve } as const);
}
/**
* @param curveDef - Montgomery curve definition.
* @returns ECDH helper namespace.
* @throws If the curve definition or derived shared point is invalid. {@link Error}
* @example
* Perform one X25519 key exchange through the generic Montgomery helper.
*
* ```ts
* import { x25519 } from '@noble/curves/ed25519.js';
* const alice = x25519.keygen();
* const shared = x25519.getSharedSecret(alice.secretKey, alice.publicKey);
* ```
*/
export function montgomery(curveDef: TArg<MontgomeryOpts>): TRet<MontgomeryECDH> {
const CURVE = validateOpts(curveDef);
const { P, type, adjustScalarBytes, powPminus2, randomBytes: rand } = CURVE;
const is25519 = type === 'x25519';
if (!is25519 && type !== 'x448') throw new Error('invalid type');
const randomBytes_ = rand === undefined ? randomBytes : rand;
const montgomeryBits = is25519 ? 255 : 448;
const fieldLen = is25519 ? 32 : 56;
const Gu = is25519 ? BigInt(9) : BigInt(5);
// RFC 7748 #5:
// The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519 and
// (156326 - 2) / 4 = 39081 for curve448/X448
// const a = is25519 ? 486662n : 156326n;
const a24 = is25519 ? BigInt(121665) : BigInt(39081);
// RFC: x25519 "the resulting integer is of the form 2^254 plus
// eight times a value between 0 and 2^251 - 1 (inclusive)"
// x448: "2^447 plus four times a value between 0 and 2^445 - 1 (inclusive)"
const minScalar = is25519 ? _2n ** BigInt(254) : _2n ** BigInt(447);
const maxAdded = is25519
? BigInt(8) * _2n ** BigInt(251) - _1n
: BigInt(4) * _2n ** BigInt(445) - _1n;
const maxScalar = minScalar + maxAdded + _1n; // (inclusive)
const modP = (n: bigint) => mod(n, P);
const GuBytes = encodeU(Gu);
function encodeU(u: bigint): TRet<Uint8Array> {
return numberToBytesLE(modP(u), fieldLen);
}
function decodeU(u: TArg<Uint8Array>): bigint {
const _u = copyBytes(abytes(u, fieldLen, 'uCoordinate'));
// RFC: When receiving such an array, implementations of X25519
// (but not X448) MUST mask the most significant bit in the final byte.
if (is25519) _u[31] &= 127; // 0b0111_1111
// RFC: Implementations MUST accept non-canonical values and process them as
// if they had been reduced modulo the field prime. The non-canonical
// values are 2^255 - 19 through 2^255 - 1 for X25519 and 2^448 - 2^224
// - 1 through 2^448 - 1 for X448.
return modP(bytesToNumberLE(_u));
}
function decodeScalar(scalar: TArg<Uint8Array>): bigint {
return bytesToNumberLE(adjustScalarBytes(copyBytes(abytes(scalar, fieldLen, 'scalar'))));
}
function scalarMult(scalar: TArg<Uint8Array>, u: TArg<Uint8Array>): TRet<Uint8Array> {
const pu = montgomeryLadder(decodeU(u), decodeScalar(scalar));
// Some public keys are useless, of low-order. Curve author doesn't think
// it needs to be validated, but we do it nonetheless.
// https://cr.yp.to/ecdh.html#validate
if (pu === _0n) throw new Error('invalid private or public key received');
return encodeU(pu);
}
// Computes public key from private. By doing scalar multiplication of base point.
function scalarMultBase(scalar: TArg<Uint8Array>): TRet<Uint8Array> {
return scalarMult(scalar, GuBytes);
}
const getPublicKey = scalarMultBase;
const getSharedSecret = scalarMult;
// cswap from RFC7748 "example code"
function cswap(swap: bigint, x_2: bigint, x_3: bigint): { x_2: bigint; x_3: bigint } {
// dummy = mask(swap) AND (x_2 XOR x_3)
// Where mask(swap) is the all-1 or all-0 word of the same length as x_2
// and x_3, computed, e.g., as mask(swap) = 0 - swap.
const dummy = modP(swap * (x_2 - x_3));
x_2 = modP(x_2 - dummy); // x_2 = x_2 XOR dummy
x_3 = modP(x_3 + dummy); // x_3 = x_3 XOR dummy
return { x_2, x_3 };
}
/**
* Montgomery x-only multiplication ladder for the selected X25519/X448 curve.
* @param pointU - decoded Montgomery u coordinate for the selected curve
* @param scalar - decoded clamped scalar by which the point is multiplied
* @returns resulting Montgomery u coordinate for the selected curve
*/
function montgomeryLadder(u: bigint, scalar: bigint): bigint {
aInRange('u', u, _0n, P);
aInRange('scalar', scalar, minScalar, maxScalar);
const k = scalar;
const x_1 = u;
let x_2 = _1n;
let z_2 = _0n;
let x_3 = u;
let z_3 = _1n;
let swap = _0n;
for (let t = BigInt(montgomeryBits - 1); t >= _0n; t--) {
const k_t = (k >> t) & _1n;
swap ^= k_t;
({ x_2, x_3 } = cswap(swap, x_2, x_3));
({ x_2: z_2, x_3: z_3 } = cswap(swap, z_2, z_3));
swap = k_t;
const A = x_2 + z_2;
const AA = modP(A * A);
const B = x_2 - z_2;
const BB = modP(B * B);
const E = AA - BB;
const C = x_3 + z_3;
const D = x_3 - z_3;
const DA = modP(D * A);
const CB = modP(C * B);
const dacb = DA + CB;
const da_cb = DA - CB;
x_3 = modP(dacb * dacb);
z_3 = modP(x_1 * modP(da_cb * da_cb));
x_2 = modP(AA * BB);
z_2 = modP(E * (AA + modP(a24 * E)));
}
({ x_2, x_3 } = cswap(swap, x_2, x_3));
({ x_2: z_2, x_3: z_3 } = cswap(swap, z_2, z_3));
const z2 = powPminus2(z_2); // `Fp.pow(x, P - _2n)` is much slower equivalent
return modP(x_2 * z2); // Return x_2 * (z_2^(p - 2))
}
const lengths = {
secretKey: fieldLen,
publicKey: fieldLen,
seed: fieldLen,
};
const randomSecretKey = (seed?: TArg<Uint8Array>): TRet<Uint8Array> => {
seed = seed === undefined ? randomBytes_(fieldLen) : seed;
abytes(seed, lengths.seed, 'seed');
// Reuse caller-supplied seed bytes verbatim; clamping is deferred until
// decodeScalar(...) when the secret key is actually used.
return seed as TRet<Uint8Array>;
};
const utils = { randomSecretKey };
Object.freeze(lengths);
Object.freeze(utils);
return Object.freeze({
keygen: createKeygen(randomSecretKey, getPublicKey),
getSharedSecret,
getPublicKey,
scalarMult,
scalarMultBase,
utils,
GuBytes: GuBytes.slice() as TRet<Uint8Array>,
lengths,
}) satisfies CryptoKeys;
}
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/src/abstract/oprf.ts
Generated Vendored
+789
View File
@@ -0,0 +1,789 @@
/**
* RFC 9497: Oblivious Pseudorandom Functions (OPRFs) Using Prime-Order Groups.
* https://www.rfc-editor.org/rfc/rfc9497
*
OPRF allows to interactively create an `Output = PRF(Input, serverSecretKey)`:
- Server cannot calculate Output by itself: it doesn't know Input
- Client cannot calculate Output by itself: it doesn't know server secretKey
- An attacker interception the communication can't restore Input/Output/serverSecretKey and can't
link Input to some value.
## Issues
- Low-entropy inputs (e.g. password '123') enable brute-forced dictionary attacks by the server
(solveable by domain separation in POPRF)
- High-level protocol needs to be constructed on top, because OPRF is low-level
## Use cases
1. **Password-Authenticated Key Exchange (PAKE):** Enables secure password login (e.g., OPAQUE)
without revealing the password to the server.
2. **Private Set Intersection (PSI):** Allows two parties to compute the intersection of their
private sets without revealing non-intersecting elements.
3. **Anonymous Credential Systems:** Supports issuance of anonymous, unlinkable credentials
(e.g., Privacy Pass) using blind OPRF evaluation.
4. **Private Information Retrieval (PIR):** Helps users query databases without revealing which
item they accessed.
5. **Encrypted Search / Secure Indexing:** Enables keyword search over encrypted data while keeping
queries private.
6. **Spam Prevention and Rate-Limiting:** Issues anonymous tokens to prevent abuse
(e.g., CAPTCHA bypass) without compromising user privacy.
## Modes
- OPRF: simple mode, client doesn't need to know server public key
- VOPRF: verifiable mode. It lets the client verify that the server used the
secret key corresponding to a known public key
- POPRF: partially oblivious mode, VOPRF + domain separation
There is also non-interactive mode (Evaluate), which creates Output
non-interactively with knowledge of the secret key.
Flow:
- (once) Server generates secret and public keys, distributes public keys to clients
- deterministically: `deriveKeyPair` or just random: `generateKeyPair`
- Client blinds input: `blind(secretInput)`
- Server evaluates blinded input: `blindEvaluate` generated by client, sends result to client
- Client creates output using result of evaluation via 'finalize'
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import {
abytes,
asciiToBytes,
bytesToNumberBE,
bytesToNumberLE,
concatBytes,
numberToBytesBE,
randomBytes,
validateObject,
type TArg,
type TRet,
} from '../utils.ts';
import { pippenger, validatePointCons, type CurvePoint, type CurvePointCons } from './curve.ts';
import { _DST_scalar, type H2CDSTOpts } from './hash-to-curve.ts';
import { getMinHashLength, mapHashToField } from './modular.ts';
// OPRF is designed to be used across network, so we default to serialized values.
/** Serialized group element passed between OPRF participants. */
export type PointBytes = Uint8Array;
/** Serialized scalar used for blinds and server secret keys. */
export type ScalarBytes = Uint8Array;
/** Arbitrary byte input or output used by the OPRF protocol. */
export type Bytes = Uint8Array;
const _DST_scalarBytes = /* @__PURE__ */ asciiToBytes(_DST_scalar);
/** Cryptographically secure byte generator used for blinds and proofs. */
export type RNG = typeof randomBytes;
/** Curve and hash hooks required to instantiate one OPRF ciphersuite. */
export type OPRFOpts<P extends CurvePoint<any, P>> = {
/** Human-readable suite identifier used for domain separation. */
name: string;
/**
* Prime-order group used by the OPRF construction.
* Kept generic because the suite returns serialized points.
*/
Point: CurvePointCons<P>;
// Fn: IField<bigint>;
/**
* Hash function used for transcripts, proofs, and outputs.
* @param msg - Message bytes to hash.
* @returns Digest bytes.
*/
hash(msg: TArg<Bytes>): TRet<Bytes>;
/**
* Hash arbitrary bytes into one scalar in the suite order.
* @param msg - Message bytes to map.
* @param options - Hash-to-field domain-separation options. See {@link H2CDSTOpts}.
* Implementations MUST treat `msg` and `options` as read-only.
* @returns Scalar in the suite order.
*/
hashToScalar(msg: TArg<Uint8Array>, options: TArg<H2CDSTOpts>): bigint;
/**
* Hash arbitrary bytes directly onto one curve point.
* @param msg - Message bytes to map.
* @param options - Hash-to-curve domain-separation options. See {@link H2CDSTOpts}.
* Implementations MUST treat `msg` and `options` as read-only.
* @returns Point on the suite curve.
*/
hashToGroup(msg: TArg<Uint8Array>, options: TArg<H2CDSTOpts>): P;
};
/** Server keypair for one OPRF suite. */
export type OPRFKeys = {
/** Secret scalar kept by the server. */
secretKey: TRet<ScalarBytes>;
/** Public point distributed to clients in verifiable modes. */
publicKey: TRet<PointBytes>;
};
/** Result of the client-side blind step. */
export type OPRFBlind = {
/** Secret blind scalar that the client keeps locally. */
blind: TRet<ScalarBytes>;
/** Blinded group element sent to the server. */
blinded: TRet<PointBytes>;
};
/** Server response for one verifiable OPRF evaluation. */
export type OPRFBlindEval = {
/** Evaluated group element returned by the server. */
evaluated: TRet<PointBytes>;
/** DLEQ proof binding the evaluation to the server public key. */
proof: TRet<Bytes>;
};
/** Server response for a batch of verifiable OPRF evaluations. */
export type OPRFBlindEvalBatch = {
/** Evaluated group elements returned for each blinded input. */
evaluated: TRet<PointBytes[]>;
/** Batch proof covering all evaluated elements. */
proof: TRet<Bytes>;
};
/** One finalized transcript item used by batch verification helpers. */
export type OPRFFinalizeItem = {
/** Original client input. */
input: Bytes;
/** Secret blind scalar used for the input. */
blind: ScalarBytes;
/** Evaluated point returned by the server. */
evaluated: PointBytes;
/** Blinded point originally sent to the server. */
blinded: PointBytes;
};
/** Result of the POPRF client-side blind step with the tweaked server public key. */
export type OPRFBlindTweaked = OPRFBlind & { tweakedKey: TRet<PointBytes> };
/**
* Represents a full OPRF ciphersuite implementation according to RFC 9497.
* This object bundles the three protocol variants (OPRF, VOPRF, POPRF) for a specific
* prime-order group and hash function combination.
*
* @see https://www.rfc-editor.org/rfc/rfc9497.html
*/
export type OPRF = {
/**
* The unique identifier for the ciphersuite, e.g., "ristretto255-SHA512".
* This name is used for domain separation to prevent cross-protocol attacks.
*/
readonly name: string;
/**
* The base Oblivious Pseudorandom Function (OPRF) mode (mode 0x00).
* This is a two-party protocol between a client and a server to compute F(k, x)
* where 'k' is the server's key and 'x' is the client's input.
*
* The client learns the output F(k, x) but nothing about 'k'.
* The server learns nothing about 'x' or F(k, x).
* This mode is NOT verifiable; the client cannot prove the server used a specific key.
*/
readonly oprf: {
/**
* (Server-side) Generates a new random private/public key pair for the server.
* @returns A new key pair.
*/
generateKeyPair(): TRet<OPRFKeys>;
/**
* (Server-side) Deterministically derives a private/public key pair from a seed.
* @param seed - A 32-byte cryptographically secure random seed.
* @param keyInfo - An optional byte string for domain separation.
* @returns The derived key pair.
*/
deriveKeyPair(seed: TArg<Bytes>, keyInfo: TArg<Bytes>): TRet<OPRFKeys>;
/**
* (Client-side) The first step of the protocol. The client blinds its private input.
* @param input - The client's private input bytes.
* @param rng - An optional cryptographically secure random number generator.
* @returns An object containing the `blind` scalar (which the client MUST keep secret)
* and the `blinded` element (which the client sends to the server).
*/
blind(input: TArg<Bytes>, rng?: RNG): TRet<OPRFBlind>;
/**
* (Server-side) The second step. The server evaluates the client's blinded element
* using its secret key.
* @param secretKey - The server's private key.
* @param blinded - The blinded group element received from the client.
* @returns The evaluated group element, to be sent back to the client.
*/
blindEvaluate(secretKey: TArg<ScalarBytes>, blinded: TArg<PointBytes>): TRet<PointBytes>;
/**
* (Client-side) The final step. The client unblinds the server's response to
* compute the final OPRF output.
* @param input - The original private input from the `blind` step.
* @param blind - The secret scalar from the `blind` step.
* @param evaluated - The evaluated group element received from the server.
* @returns The final OPRF output, `Hash(len(input)||input||len(unblinded)||unblinded||"Finalize")`.
*/
finalize(
input: TArg<Bytes>,
blind: TArg<ScalarBytes>,
evaluated: TArg<PointBytes>
): TRet<Bytes>;
};
/**
* The Verifiable Oblivious Pseudorandom Function (VOPRF) mode (mode 0x01).
* This mode extends the base OPRF by providing a proof that the server used the
* secret key corresponding to its known public key.
*/
readonly voprf: {
/** (Server-side) Generates a key pair for the VOPRF mode. */
generateKeyPair(): TRet<OPRFKeys>;
/** (Server-side) Deterministically derives a key pair for the VOPRF mode. */
deriveKeyPair(seed: TArg<Bytes>, keyInfo: TArg<Bytes>): TRet<OPRFKeys>;
/** (Client-side) Blinds the client's private input for the VOPRF protocol. */
blind(input: TArg<Bytes>, rng?: RNG): TRet<OPRFBlind>;
/**
* (Server-side) Evaluates the client's blinded element and generates a DLEQ proof
* of correctness.
* @param secretKey - The server's private key.
* @param publicKey - The server's public key, used in proof generation.
* @param blinded - The blinded group element received from the client.
* @param rng - An optional cryptographically secure random number generator for the proof.
* @returns The evaluated element and a proof of correct computation.
*/
blindEvaluate(
secretKey: TArg<ScalarBytes>,
publicKey: TArg<PointBytes>,
blinded: TArg<PointBytes>,
rng?: RNG
): TRet<OPRFBlindEval>;
/**
* (Server-side) An optimized batch version of `blindEvaluate`. It evaluates multiple
* blinded elements and produces a single, constant-size proof for the entire batch,
* amortizing the cost of proof generation.
* @param secretKey - The server's private key.
* @param publicKey - The server's public key.
* @param blinded - An array of blinded group elements from one or more clients.
* @param rng - An optional cryptographically secure random number generator for the proof.
* @returns An array of evaluated elements and a single proof for the batch.
*/
blindEvaluateBatch(
secretKey: TArg<ScalarBytes>,
publicKey: TArg<PointBytes>,
blinded: TArg<PointBytes[]>,
rng?: RNG
): TRet<OPRFBlindEvalBatch>;
/**
* (Client-side) The final step. The client verifies the server's proof, and if valid,
* unblinds the result to compute the final VOPRF output.
* @param input - The original private input.
* @param blind - The secret scalar from the `blind` step.
* @param evaluated - The evaluated element from the server.
* @param blinded - The blinded element sent to the server (needed for proof verification).
* @param publicKey - The server's public key against which the proof is verified.
* @param proof - The DLEQ proof from the server.
* @returns The final VOPRF output.
* @throws If the proof verification fails. {@link Error}
*/
finalize(
input: TArg<Bytes>,
blind: TArg<ScalarBytes>,
evaluated: TArg<PointBytes>,
blinded: TArg<PointBytes>,
publicKey: TArg<PointBytes>,
proof: TArg<Bytes>
): TRet<Bytes>;
/**
* (Client-side) The batch-aware version of `finalize`. It verifies a single batch proof
* against a list of corresponding inputs and outputs.
* @param items - An array of objects, each containing the parameters for a single finalization.
* @param publicKey - The server's public key.
* @param proof - The single DLEQ proof for the entire batch.
* @returns An array of final VOPRF outputs, one for each item in the input.
* @throws If the proof verification fails. {@link Error}
*/
finalizeBatch(
items: TArg<OPRFFinalizeItem[]>,
publicKey: TArg<PointBytes>,
proof: TArg<Bytes>
): TRet<Bytes[]>;
};
/**
* A factory for the Partially Oblivious Pseudorandom Function (POPRF) mode (mode 0x02).
* This mode extends VOPRF to include a public `info` parameter, known to both client and
* server, which is cryptographically bound to the final output.
* This is useful for domain separation at the application level.
* @param info - A public byte string to be mixed into the computation.
* @returns An object with the POPRF protocol functions.
*/
readonly poprf: (info: TArg<Bytes>) => {
/** (Server-side) Generates a key pair for the POPRF mode. */
generateKeyPair(): TRet<OPRFKeys>;
/** (Server-side) Deterministically derives a key pair for the POPRF mode. */
deriveKeyPair(seed: TArg<Bytes>, keyInfo: TArg<Bytes>): TRet<OPRFKeys>;
/**
* (Client-side) Blinds the client's private input and computes the "tweaked key".
* The tweaked key is a public value derived from the server's public key and the public `info`.
* @param input - The client's private input.
* @param publicKey - The server's public key.
* @param rng - An optional cryptographically secure random number generator.
* @returns The `blind`, `blinded` element, and the `tweakedKey`
* the client uses for verification.
*/
blind(input: TArg<Bytes>, publicKey: TArg<PointBytes>, rng?: RNG): TRet<OPRFBlindTweaked>;
/**
* (Server-side) Evaluates the blinded element using a key derived from
* its secret key and the public `info`.
* It generates a DLEQ proof against the tweaked key.
* @param secretKey - The server's private key.
* @param blinded - The blinded element from the client.
* @param rng - An optional RNG for the proof.
* @returns The evaluated element and a proof of correct computation.
*/
blindEvaluate(
secretKey: TArg<ScalarBytes>,
blinded: TArg<PointBytes>,
rng?: RNG
): TRet<OPRFBlindEval>;
/**
* (Server-side) A batch-aware version of `blindEvaluate` for the POPRF mode.
* @param secretKey - The server's private key.
* @param blinded - An array of blinded elements.
* @param rng - An optional RNG for the proof.
* @returns An array of evaluated elements and a single proof for the batch.
*/
blindEvaluateBatch(
secretKey: TArg<ScalarBytes>,
blinded: TArg<PointBytes[]>,
rng: RNG
): TRet<OPRFBlindEvalBatch>;
/**
* (Client-side) A batch-aware version of `finalize` for the POPRF mode.
* It verifies the proof against the tweaked key.
* @param items - An array containing the parameters for each finalization.
* @param proof - The single DLEQ proof for the batch.
* @param tweakedKey - The tweaked key corresponding to the proof.
* All items must share the same `info` and `publicKey`.
* @returns An array of final POPRF outputs.
* @throws If proof verification fails. {@link Error}
*/
finalizeBatch(
items: TArg<OPRFFinalizeItem[]>,
proof: TArg<Bytes>,
tweakedKey: TArg<PointBytes>
): TRet<Bytes[]>;
/**
* (Client-side) Finalizes the POPRF protocol. It verifies the server's proof against the
* `tweakedKey` computed in the `blind` step. The final output is bound to the public `info`.
* @param input - The original private input.
* @param blind - The secret scalar.
* @param evaluated - The evaluated element from the server.
* @param blinded - The blinded element sent to the server.
* @param proof - The DLEQ proof from the server.
* @param tweakedKey - The public tweaked key computed by the client during the `blind` step.
* @returns The final POPRF output.
* @throws If proof verification fails. {@link Error}
*/
finalize(
input: TArg<Bytes>,
blind: TArg<ScalarBytes>,
evaluated: TArg<PointBytes>,
blinded: TArg<PointBytes>,
proof: TArg<Bytes>,
tweakedKey: TArg<PointBytes>
): TRet<Bytes>;
/**
* A non-interactive evaluation function for an entity that knows all inputs.
* Computes the final POPRF output directly. Useful for testing or specific applications
* where the server needs to compute the output for a known input.
* @param secretKey - The server's private key.
* @param input - The client's private input.
* @returns The final POPRF output.
*/
evaluate(secretKey: TArg<ScalarBytes>, input: TArg<Bytes>): TRet<Bytes>;
};
};
// welcome to generic hell
/**
* @param opts - OPRF ciphersuite options. See {@link OPRFOpts}.
* @returns OPRF helper namespace.
* @example
* Instantiate an OPRF suite from curve-specific hashing hooks.
*
* ```ts
* import { createOPRF } from '@noble/curves/abstract/oprf.js';
* import { p256, p256_hasher } from '@noble/curves/nist.js';
* import { sha256 } from '@noble/hashes/sha2.js';
* const oprf = createOPRF({
* name: 'P256-SHA256',
* Point: p256.Point,
* hash: sha256,
* hashToGroup: p256_hasher.hashToCurve,
* hashToScalar: p256_hasher.hashToScalar,
* });
* const keys = oprf.oprf.generateKeyPair();
* ```
*/
export function createOPRF<P extends CurvePoint<any, P>>(opts: OPRFOpts<P>): TRet<OPRF> {
validateObject(opts, {
name: 'string',
hash: 'function',
hashToScalar: 'function',
hashToGroup: 'function',
});
// Cheap constructor-surface sanity check only: this verifies the generic static hooks/fields that
// OPRF consumes, but it does not certify point semantics like BASE/ZERO correctness.
validatePointCons(opts.Point);
const { name, Point, hash } = opts;
const { Fn } = Point;
const hashToGroup = (msg: TArg<Uint8Array>, ctx: TArg<Uint8Array>) =>
opts.hashToGroup(msg, {
DST: concatBytes(asciiToBytes('HashToGroup-'), ctx),
}) as P;
const hashToScalarPrefixed = (msg: TArg<Uint8Array>, ctx: TArg<Uint8Array>) =>
opts.hashToScalar(msg, { DST: concatBytes(_DST_scalarBytes, ctx) });
const randomScalar = (rng: RNG = randomBytes) => {
// RFC 9497 §2.1 defines RandomScalar as nonzero; blind inversion and generated public keys
// both rely on keeping this helper in the `1..n-1` range.
const t = mapHashToField(rng(getMinHashLength(Fn.ORDER)), Fn.ORDER, Fn.isLE);
// We cannot use Fn.fromBytes here, because field
// can have different number of bytes (like ed448)
return Fn.isLE ? bytesToNumberLE(t) : bytesToNumberBE(t);
};
const msm = (points: P[], scalars: bigint[]) => pippenger(Point, points, scalars);
const getCtx = (mode: number) =>
concatBytes(asciiToBytes('OPRFV1-'), new Uint8Array([mode]), asciiToBytes('-' + name));
const ctxOPRF = getCtx(0x00);
const ctxVOPRF = getCtx(0x01);
const ctxPOPRF = getCtx(0x02);
function encode(...args: TArg<(Uint8Array | number | string)[]>): TRet<Bytes> {
const res = [];
for (const a of args) {
if (typeof a === 'number') res.push(numberToBytesBE(a, 2));
else if (typeof a === 'string') res.push(asciiToBytes(a));
else {
abytes(a);
res.push(numberToBytesBE(a.length, 2), a);
}
}
// No wipe here, since will modify actual bytes
return concatBytes(...res) as TRet<Bytes>;
}
const inputBytes = (title: string, bytes: TArg<Uint8Array>) => {
abytes(bytes, undefined, title);
// RFC 9497 §1.2 limits PrivateInput/PublicInput to 2^16 - 1 bytes because these values are
// length-prefixed with two bytes before use throughout the protocol.
if (bytes.length > 0xffff)
throw new Error(
`"${title}" expected Uint8Array of length <= 65535, got length=${bytes.length}`
);
return bytes;
};
const hashInput = (...bytes: TArg<Uint8Array[]>): TRet<Bytes> =>
hash(encode(...bytes, 'Finalize')) as TRet<Bytes>;
function getTranscripts(B: P, C: P[], D: P[], ctx: TArg<Bytes>) {
const Bm = B.toBytes();
const seed = hash(encode(Bm, concatBytes(asciiToBytes('Seed-'), ctx)));
const res: bigint[] = [];
for (let i = 0; i < C.length; i++) {
const Ci = C[i].toBytes();
const Di = D[i].toBytes();
const di = hashToScalarPrefixed(encode(seed, i, Ci, Di, 'Composite'), ctx);
res.push(di);
}
return res;
}
function computeComposites(B: P, C: P[], D: P[], ctx: TArg<Bytes>) {
const T = getTranscripts(B, C, D, ctx);
const M = msm(C, T);
const Z = msm(D, T);
return { M, Z };
}
function computeCompositesFast(
k: bigint,
B: P,
C: P[],
D: P[],
ctx: TArg<Bytes>
): { M: P; Z: P } {
const T = getTranscripts(B, C, D, ctx);
const M = msm(C, T);
// RFC 9497 §2.2.1 ComputeCompositesFast derives weights from both C and D in getTranscripts(),
// then uses the server shortcut Z = k * M instead of a second MSM over D.
const Z = M.multiply(k);
return { M, Z };
}
function challengeTranscript(B: P, M: P, Z: P, t2: P, t3: P, ctx: TArg<Bytes>) {
const [Bm, a0, a1, a2, a3] = [B, M, Z, t2, t3].map((i) => i.toBytes());
return hashToScalarPrefixed(encode(Bm, a0, a1, a2, a3, 'Challenge'), ctx);
}
function generateProof(ctx: TArg<Bytes>, k: bigint, B: P, C: P[], D: P[], rng: RNG): TRet<Bytes> {
const { M, Z } = computeCompositesFast(k, B, C, D, ctx);
const r = randomScalar(rng);
const t2 = Point.BASE.multiply(r);
const t3 = M.multiply(r);
const c = challengeTranscript(B, M, Z, t2, t3, ctx);
const s = Fn.sub(r, Fn.mul(c, k)); // r - c*k
return concatBytes(...[c, s].map((i) => Fn.toBytes(i))) as TRet<Bytes>;
}
function verifyProof(ctx: TArg<Bytes>, B: P, C: P[], D: P[], proof: TArg<Bytes>) {
abytes(proof, 2 * Fn.BYTES);
const { M, Z } = computeComposites(B, C, D, ctx);
const [c, s] = [proof.subarray(0, Fn.BYTES), proof.subarray(Fn.BYTES)].map((f) =>
Fn.fromBytes(f)
);
const t2 = Point.BASE.multiply(s).add(B.multiply(c)); // s*G + c*B
const t3 = M.multiply(s).add(Z.multiply(c)); // s*M + c*Z
const expectedC = challengeTranscript(B, M, Z, t2, t3, ctx);
if (!Fn.eql(c, expectedC)) throw new Error('proof verification failed');
}
function generateKeyPair(): TRet<OPRFKeys> {
const skS = randomScalar();
const pkS = Point.BASE.multiply(skS);
return { secretKey: Fn.toBytes(skS), publicKey: pkS.toBytes() } as TRet<OPRFKeys>;
}
function deriveKeyPair(ctx: TArg<Bytes>, seed: TArg<Bytes>, info: TArg<Bytes>): TRet<OPRFKeys> {
// RFC 9497 §3.2.1 defines `seed[32]`; reject other sizes here because this public API already
// documents a 32-byte seed instead of generic input keying material.
abytes(seed, 32, 'seed');
info = inputBytes('keyInfo', info);
const dst = concatBytes(asciiToBytes('DeriveKeyPair'), ctx);
const msg = concatBytes(seed, encode(info), Uint8Array.of(0));
for (let counter = 0; counter <= 255; counter++) {
msg[msg.length - 1] = counter;
const skS = opts.hashToScalar(msg, { DST: dst });
if (Fn.is0(skS)) continue; // should not happen
return {
secretKey: Fn.toBytes(skS),
publicKey: Point.BASE.multiply(skS).toBytes(),
} as TRet<OPRFKeys>;
}
throw new Error('Cannot derive key');
}
const wirePoint = (label: string, bytes: TArg<Uint8Array>) => {
const point = Point.fromBytes(bytes);
// RFC 9497 §3.3 says applications MUST reject group-identity Elements received over the wire
// after deserialization, even if the suite decoder itself accepts the identity encoding.
if (point.equals(Point.ZERO)) throw new Error(label + ' point at infinity');
return point;
};
function blind(
ctx: TArg<Bytes>,
input: TArg<Uint8Array>,
rng: RNG = randomBytes
): TRet<OPRFBlind> {
input = inputBytes('input', input);
const blind = randomScalar(rng);
const inputPoint = hashToGroup(input, ctx);
if (inputPoint.equals(Point.ZERO)) throw new Error('Input point at infinity');
const blinded = inputPoint.multiply(blind);
return { blind: Fn.toBytes(blind), blinded: blinded.toBytes() } as TRet<OPRFBlind>;
}
function evaluate(
ctx: TArg<Bytes>,
secretKey: TArg<ScalarBytes>,
input: TArg<Bytes>
): TRet<Bytes> {
input = inputBytes('input', input);
const skS = Fn.fromBytes(secretKey);
const inputPoint = hashToGroup(input, ctx);
if (inputPoint.equals(Point.ZERO)) throw new Error('Input point at infinity');
const unblinded = inputPoint.multiply(skS).toBytes();
return hashInput(input, unblinded);
}
const oprf = Object.freeze({
generateKeyPair,
deriveKeyPair: (seed: TArg<Bytes>, keyInfo: TArg<Bytes>) =>
deriveKeyPair(ctxOPRF, seed, keyInfo),
blind: (input: TArg<Bytes>, rng: RNG = randomBytes) => blind(ctxOPRF, input, rng),
blindEvaluate(secretKey: TArg<ScalarBytes>, blindedPoint: TArg<PointBytes>): TRet<PointBytes> {
const skS = Fn.fromBytes(secretKey);
const elm = wirePoint('blinded', blindedPoint);
return elm.multiply(skS).toBytes() as TRet<PointBytes>;
},
finalize(
input: TArg<Bytes>,
blindBytes: TArg<ScalarBytes>,
evaluatedBytes: TArg<PointBytes>
): TRet<Bytes> {
input = inputBytes('input', input);
const blind = Fn.fromBytes(blindBytes);
const evalPoint = wirePoint('evaluated', evaluatedBytes);
const unblinded = evalPoint.multiply(Fn.inv(blind)).toBytes();
return hashInput(input, unblinded);
},
evaluate: (secretKey: TArg<ScalarBytes>, input: TArg<Bytes>) =>
evaluate(ctxOPRF, secretKey, input),
});
const voprf = Object.freeze({
generateKeyPair,
deriveKeyPair: (seed: TArg<Bytes>, keyInfo: TArg<Bytes>) =>
deriveKeyPair(ctxVOPRF, seed, keyInfo),
blind: (input: TArg<Bytes>, rng: RNG = randomBytes) => blind(ctxVOPRF, input, rng),
blindEvaluateBatch(
secretKey: TArg<ScalarBytes>,
publicKey: TArg<PointBytes>,
blinded: TArg<PointBytes[]>,
rng: RNG = randomBytes
): TRet<OPRFBlindEvalBatch> {
if (!Array.isArray(blinded)) throw new Error('expected array');
const skS = Fn.fromBytes(secretKey);
const pkS = wirePoint('public key', publicKey);
const blindedPoints = blinded.map((i) => wirePoint('blinded', i));
const evaluated = blindedPoints.map((i) => i.multiply(skS));
const proof = generateProof(ctxVOPRF, skS, pkS, blindedPoints, evaluated, rng);
return { evaluated: evaluated.map((i) => i.toBytes()), proof } as TRet<OPRFBlindEvalBatch>;
},
blindEvaluate(
secretKey: TArg<ScalarBytes>,
publicKey: TArg<PointBytes>,
blinded: TArg<PointBytes>,
rng: RNG = randomBytes
): TRet<OPRFBlindEval> {
const res = this.blindEvaluateBatch(secretKey, publicKey, [blinded], rng);
return { evaluated: res.evaluated[0], proof: res.proof } as TRet<OPRFBlindEval>;
},
finalizeBatch(
items: TArg<OPRFFinalizeItem[]>,
publicKey: TArg<PointBytes>,
proof: TArg<Bytes>
): TRet<Bytes[]> {
if (!Array.isArray(items)) throw new Error('expected array');
const pkS = wirePoint('public key', publicKey);
const blindedPoints = items.map((i) => wirePoint('blinded', i.blinded));
const evalPoints = items.map((i) => wirePoint('evaluated', i.evaluated));
verifyProof(ctxVOPRF, pkS, blindedPoints, evalPoints, proof);
return items.map((i) => oprf.finalize(i.input, i.blind, i.evaluated)) as TRet<Bytes[]>;
},
finalize(
input: TArg<Bytes>,
blind: TArg<ScalarBytes>,
evaluated: TArg<PointBytes>,
blinded: TArg<PointBytes>,
publicKey: TArg<PointBytes>,
proof: TArg<Bytes>
): TRet<Bytes> {
return this.finalizeBatch([{ input, blind, evaluated, blinded }], publicKey, proof)[0];
},
evaluate: (secretKey: TArg<ScalarBytes>, input: TArg<Bytes>) =>
evaluate(ctxVOPRF, secretKey, input),
});
// NOTE: info is domain separation
const poprf = (info: TArg<Bytes>) => {
info = inputBytes('info', info);
const m = hashToScalarPrefixed(encode('Info', info), ctxPOPRF);
const T = Point.BASE.multiply(m);
return Object.freeze({
generateKeyPair,
deriveKeyPair: (seed: TArg<Bytes>, keyInfo: TArg<Bytes>) =>
deriveKeyPair(ctxPOPRF, seed, keyInfo),
blind(
input: TArg<Bytes>,
publicKey: TArg<PointBytes>,
rng: RNG = randomBytes
): TRet<OPRFBlindTweaked> {
input = inputBytes('input', input);
const pkS = wirePoint('public key', publicKey);
const tweakedKey = T.add(pkS);
if (tweakedKey.equals(Point.ZERO)) throw new Error('tweakedKey point at infinity');
const blind = randomScalar(rng);
const inputPoint = hashToGroup(input, ctxPOPRF);
if (inputPoint.equals(Point.ZERO)) throw new Error('Input point at infinity');
const blindedPoint = inputPoint.multiply(blind);
return {
blind: Fn.toBytes(blind),
blinded: blindedPoint.toBytes(),
tweakedKey: tweakedKey.toBytes(),
} as TRet<OPRFBlindTweaked>;
},
blindEvaluateBatch(
secretKey: TArg<ScalarBytes>,
blinded: TArg<PointBytes[]>,
rng: RNG = randomBytes
): TRet<OPRFBlindEvalBatch> {
if (!Array.isArray(blinded)) throw new Error('expected array');
const skS = Fn.fromBytes(secretKey);
const t = Fn.add(skS, m);
// "Hence, this error can be a signal for the server to replace its
// private key". We throw inside; this should be impossible.
const invT = Fn.inv(t);
const blindedPoints = blinded.map((i) => wirePoint('blinded', i));
const evalPoints = blindedPoints.map((i) => i.multiply(invT));
const tweakedKey = Point.BASE.multiply(t);
const proof = generateProof(ctxPOPRF, t, tweakedKey, evalPoints, blindedPoints, rng);
return { evaluated: evalPoints.map((i) => i.toBytes()), proof } as TRet<OPRFBlindEvalBatch>;
},
blindEvaluate(
secretKey: TArg<ScalarBytes>,
blinded: TArg<PointBytes>,
rng: RNG = randomBytes
): TRet<OPRFBlindEval> {
const res = this.blindEvaluateBatch(secretKey, [blinded], rng);
return { evaluated: res.evaluated[0], proof: res.proof } as TRet<OPRFBlindEval>;
},
finalizeBatch(
items: TArg<OPRFFinalizeItem[]>,
proof: TArg<Bytes>,
tweakedKey: TArg<PointBytes>
): TRet<Bytes[]> {
if (!Array.isArray(items)) throw new Error('expected array');
const inputs = items.map((i) => inputBytes('input', i.input));
const evalPoints = items.map((i) => wirePoint('evaluated', i.evaluated));
verifyProof(
ctxPOPRF,
wirePoint('tweakedKey', tweakedKey),
evalPoints,
items.map((i) => wirePoint('blinded', i.blinded)),
proof
);
return items.map((i, j) => {
const blind = Fn.fromBytes(i.blind);
const point = evalPoints[j].multiply(Fn.inv(blind)).toBytes();
return hashInput(inputs[j], info, point);
}) as TRet<Bytes[]>;
},
finalize(
input: TArg<Bytes>,
blind: TArg<ScalarBytes>,
evaluated: TArg<PointBytes>,
blinded: TArg<PointBytes>,
proof: TArg<Bytes>,
tweakedKey: TArg<PointBytes>
): TRet<Bytes> {
return this.finalizeBatch([{ input, blind, evaluated, blinded }], proof, tweakedKey)[0];
},
evaluate(secretKey: TArg<ScalarBytes>, input: TArg<Bytes>): TRet<Bytes> {
input = inputBytes('input', input);
const skS = Fn.fromBytes(secretKey);
const inputPoint = hashToGroup(input, ctxPOPRF);
if (inputPoint.equals(Point.ZERO)) throw new Error('Input point at infinity');
const t = Fn.add(skS, m);
const invT = Fn.inv(t);
const unblinded = inputPoint.multiply(invT).toBytes();
return hashInput(input, info, unblinded);
},
});
};
const res = { name, oprf, voprf, poprf, __tests: Object.freeze({ Fn }) };
return Object.freeze(res) as TRet<OPRF>;
}
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/src/abstract/poseidon.ts
Generated Vendored
+533
View File
@@ -0,0 +1,533 @@
/**
* Implements [Poseidon](https://www.poseidon-hash.info) ZK-friendly hash.
*
* There are many poseidon variants with different constants.
* We don't provide them: you should construct them manually.
* Check out [micro-starknet](https://github.com/paulmillr/micro-starknet) package for a proper example.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { asafenumber, bitGet, validateObject, type TArg, type TRet } from '../utils.ts';
import { FpInvertBatch, FpPow, type IField, validateField } from './modular.ts';
// Grain LFSR (Linear-Feedback Shift Register): https://eprint.iacr.org/2009/109.pdf
function grainLFSR(state: number[]): () => boolean {
// Advances the caller-provided 80-entry state array in place; only the length
// is checked here, so entries are assumed to already be bits.
let pos = 0;
if (state.length !== 80) throw new Error('grainLFRS: wrong state length, should be 80 bits');
const getBit = (): boolean => {
const r = (offset: number) => state[(pos + offset) % 80];
const bit = r(62) ^ r(51) ^ r(38) ^ r(23) ^ r(13) ^ r(0);
state[pos] = bit;
pos = ++pos % 80;
return !!bit;
};
for (let i = 0; i < 160; i++) getBit();
return () => {
// https://en.wikipedia.org/wiki/Shrinking_generator
while (true) {
const b1 = getBit();
const b2 = getBit();
if (!b1) continue;
return b2;
}
};
}
/** Core Poseidon permutation parameters shared by all variants. */
export type PoseidonBasicOpts = {
/** Prime field used by the permutation. */
Fp: IField<bigint>;
/** Poseidon width `t = rate + capacity`. */
t: number;
/** Number of full S-box rounds. */
roundsFull: number;
/** Number of partial S-box rounds. */
roundsPartial: number;
/** Whether to use the inverse S-box variant. */
isSboxInverse?: boolean;
};
function assertValidPosOpts(opts: TArg<PoseidonBasicOpts>) {
const { Fp, roundsFull } = opts;
validateField(Fp);
validateObject(
opts,
{
t: 'number',
roundsFull: 'number',
roundsPartial: 'number',
},
{
isSboxInverse: 'boolean',
}
);
for (const k of ['t', 'roundsFull', 'roundsPartial'] as const) {
asafenumber(opts[k], k);
if (opts[k] < 1) throw new Error('invalid number ' + k);
}
// Poseidon splits full rounds as `R_F / 2`, then partial rounds, then `R_F / 2` again.
if (roundsFull & 1) throw new Error('roundsFull is not even' + roundsFull);
}
function poseidonGrain(opts: TArg<PoseidonBasicOpts>) {
assertValidPosOpts(opts);
const { Fp } = opts;
const state = Array(80).fill(1);
let pos = 0;
const writeBits = (value: bigint, bitCount: number) => {
for (let i = bitCount - 1; i >= 0; i--) state[pos++] = Number(bitGet(value, i));
};
const _0n = BigInt(0);
const _1n = BigInt(1);
// The Grain seed layout is fixed-width: `Fp.BITS` and `t` use 12 bits,
// `roundsFull` and `roundsPartial` use 10, so larger values are truncated here.
// This is intentional for compatibility with snarkVM / arkworks PoseidonGrainLFSR:
// they write the same fixed-width seed fields without range checks, then still consume
// the LFSR using the caller-provided round count for ARK/MDS generation.
// Normalizing or rejecting here would diverge from those implementations.
writeBits(_1n, 2); // prime field
writeBits(opts.isSboxInverse ? _1n : _0n, 4); // b2..b5
writeBits(BigInt(Fp.BITS), 12); // b6..b17
writeBits(BigInt(opts.t), 12); // b18..b29
writeBits(BigInt(opts.roundsFull), 10); // b30..b39
writeBits(BigInt(opts.roundsPartial), 10); // b40..b49
const getBit = grainLFSR(state);
return (count: number, reject: boolean): bigint[] => {
const res: bigint[] = [];
for (let i = 0; i < count; i++) {
while (true) {
let num = _0n;
for (let i = 0; i < Fp.BITS; i++) {
num <<= _1n;
if (getBit()) num |= _1n;
}
if (reject && num >= Fp.ORDER) continue; // rejection sampling
res.push(Fp.create(num));
break;
}
}
return res;
};
}
/** Poseidon settings used by the Grain-LFSR constant generator. */
export type PoseidonGrainOpts = PoseidonBasicOpts & {
/** S-box power used while generating constants. */
sboxPower?: number;
};
type PoseidonConstants = { mds: bigint[][]; roundConstants: bigint[][] };
// NOTE: this is not standard but used often for constant generation for poseidon
// (grain LFRS-like structure)
/**
* @param opts - Poseidon grain options. See {@link PoseidonGrainOpts}.
* @param skipMDS - Number of MDS samples to skip.
* @returns Generated constants.
* @throws If the generated MDS matrix contains a zero denominator. {@link Error}
* @example
* Generate Poseidon round constants and an MDS matrix from the Grain LFSR.
*
* ```ts
* import { grainGenConstants } from '@noble/curves/abstract/poseidon.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const constants = grainGenConstants({ Fp, t: 2, roundsFull: 8, roundsPartial: 8 });
* ```
*/
export function grainGenConstants(
opts: TArg<PoseidonGrainOpts>,
skipMDS: number = 0
): PoseidonConstants {
const { Fp, t, roundsFull, roundsPartial } = opts;
// `skipMDS` counts how many candidate matrices to discard before taking one.
asafenumber(skipMDS, 'skipMDS');
if (skipMDS < 0) throw new Error('invalid number skipMDS');
const rounds = roundsFull + roundsPartial;
// `sboxPower` is carried in the opts shape for Poseidon compatibility, but
// Grain constant generation here only depends on field/size/round counts/inverse flag.
const sample = poseidonGrain(opts);
const roundConstants: bigint[][] = [];
for (let r = 0; r < rounds; r++) roundConstants.push(sample(t, true));
if (skipMDS > 0) for (let i = 0; i < skipMDS; i++) sample(2 * t, false);
const xs = sample(t, false);
const ys = sample(t, false);
// Construct MDS Matrix M[i][j] = 1 / (xs[i] + ys[j])
const mds: bigint[][] = [];
for (let i = 0; i < t; i++) {
const row: bigint[] = [];
for (let j = 0; j < t; j++) {
const xy = Fp.add(xs[i], ys[j]);
if (Fp.is0(xy))
throw new Error(`Error generating MDS matrix: xs[${i}] + ys[${j}] resulted in zero.`);
row.push(xy);
}
mds.push(FpInvertBatch(Fp, row));
}
return { roundConstants, mds };
}
/** Fully specified Poseidon permutation options with explicit constants. */
export type PoseidonOpts = PoseidonBasicOpts &
PoseidonConstants & {
/** S-box power used by the permutation. */
sboxPower?: number;
/** Whether to reverse the partial-round S-box index. */
reversePartialPowIdx?: boolean; // Hack for stark
};
/**
* @param opts - Poseidon options. See {@link PoseidonOpts}.
* @returns Normalized poseidon options.
* @throws If the Poseidon options, constants, or MDS matrix are invalid. {@link Error}
* @example
* Validate generated constants before constructing a permutation.
*
* ```ts
* import { grainGenConstants, validateOpts } from '@noble/curves/abstract/poseidon.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const constants = grainGenConstants({ Fp, t: 2, roundsFull: 8, roundsPartial: 8 });
* const opts = validateOpts({ ...constants, Fp, t: 2, roundsFull: 8, roundsPartial: 8, sboxPower: 3 });
* ```
*/
export function validateOpts(opts: TArg<PoseidonOpts>): TRet<
Readonly<{
rounds: number;
sboxFn: (n: bigint) => bigint;
roundConstants: bigint[][];
mds: bigint[][];
Fp: IField<bigint>;
t: number;
roundsFull: number;
roundsPartial: number;
sboxPower?: number;
reversePartialPowIdx?: boolean; // Hack for stark
}>
> {
// This only normalizes shapes and field membership for the provided constants;
// it does not prove the stronger MDS/security criteria discussed in the specs.
assertValidPosOpts(opts);
const { Fp, mds, reversePartialPowIdx: rev, roundConstants: rc } = opts;
const { roundsFull, roundsPartial, sboxPower, t } = opts;
// MDS is TxT matrix
if (!Array.isArray(mds) || mds.length !== t) throw new Error('Poseidon: invalid MDS matrix');
const _mds = mds.map((mdsRow) => {
if (!Array.isArray(mdsRow) || mdsRow.length !== t)
throw new Error('invalid MDS matrix row: ' + mdsRow);
return mdsRow.map((i) => {
if (typeof i !== 'bigint') throw new Error('invalid MDS matrix bigint: ' + i);
// Hardcoded Poseidon MDS matrices often use signed entries like `-1`;
// accept bigint representatives here and reduce them into the field.
return Fp.create(i);
});
});
if (rev !== undefined && typeof rev !== 'boolean')
throw new Error('invalid param reversePartialPowIdx=' + rev);
if (roundsFull & 1) throw new Error('roundsFull is not even' + roundsFull);
const rounds = roundsFull + roundsPartial;
if (!Array.isArray(rc) || rc.length !== rounds)
throw new Error('Poseidon: invalid round constants');
const roundConstants = rc.map((rc) => {
if (!Array.isArray(rc) || rc.length !== t) throw new Error('invalid round constants');
return rc.map((i) => {
if (typeof i !== 'bigint' || !Fp.isValid(i)) throw new Error('invalid round constant');
return Fp.create(i);
});
});
// Freeze nested constants so exported handles cannot retune a live permutation instance.
const freezeRows = (rows: bigint[][]) =>
Object.freeze(rows.map((row) => Object.freeze(row))) as unknown as bigint[][];
if (!sboxPower || ![3, 5, 7, 17].includes(sboxPower)) throw new Error('invalid sboxPower');
const _sboxPower = BigInt(sboxPower);
let sboxFn = (n: bigint) => FpPow(Fp, n, _sboxPower);
// Unwrapped sbox power for common cases (195->142μs)
if (sboxPower === 3) sboxFn = (n: bigint) => Fp.mul(Fp.sqrN(n), n);
else if (sboxPower === 5) sboxFn = (n: bigint) => Fp.mul(Fp.sqrN(Fp.sqrN(n)), n);
return Object.freeze({
...opts,
rounds,
sboxFn,
roundConstants: freezeRows(roundConstants),
mds: freezeRows(_mds),
}) as TRet<
Readonly<{
rounds: number;
sboxFn: (n: bigint) => bigint;
roundConstants: bigint[][];
mds: bigint[][];
Fp: IField<bigint>;
t: number;
roundsFull: number;
roundsPartial: number;
sboxPower?: number;
reversePartialPowIdx?: boolean;
}>
>;
}
/**
* @param rc - Flattened round constants.
* @param t - Poseidon width.
* @returns Constants grouped by round.
* @throws If the width or flattened constant array is invalid. {@link Error}
* @example
* Regroup a flat constant list into per-round chunks.
*
* ```ts
* const rounds = splitConstants([1n, 2n, 3n, 4n], 2);
* ```
*/
export function splitConstants(rc: bigint[], t: number): bigint[][] {
asafenumber(t, 't');
if (t < 1) throw new Error('poseidonSplitConstants: invalid t');
if (!Array.isArray(rc) || rc.length % t) throw new Error('poseidonSplitConstants: invalid rc');
const res = [];
let tmp = [];
for (let i = 0; i < rc.length; i++) {
const c = rc[i];
if (typeof c !== 'bigint') throw new Error('invalid bigint=' + c);
tmp.push(c);
if (tmp.length === t) {
res.push(tmp);
tmp = [];
}
}
return res;
}
/**
* Poseidon permutation callable.
* @param values - Poseidon state vector. Non-canonical bigints are normalized with `Fp.create(...)`.
* @returns Permuted state vector.
*/
export type PoseidonFn = {
(values: bigint[]): bigint[];
/** Round constants captured by the permutation instance. */
roundConstants: bigint[][];
};
/** Poseidon NTT-friendly hash. */
/**
* @param opts - Poseidon options. See {@link PoseidonOpts}.
* @returns Poseidon permutation.
* @throws If the Poseidon options or state vector are invalid. {@link Error}
* @example
* Build a Poseidon permutation from validated parameters and constants.
*
* ```ts
* import { grainGenConstants, poseidon } from '@noble/curves/abstract/poseidon.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const constants = grainGenConstants({ Fp, t: 2, roundsFull: 8, roundsPartial: 8 });
* const hash = poseidon({ ...constants, Fp, t: 2, roundsFull: 8, roundsPartial: 8, sboxPower: 3 });
* const state = hash([1n, 2n]);
* ```
*/
export function poseidon(opts: TArg<PoseidonOpts>): PoseidonFn {
const _opts = validateOpts(opts);
const { Fp, mds, roundConstants, rounds: totalRounds, roundsPartial, sboxFn, t } = _opts;
const halfRoundsFull = _opts.roundsFull / 2;
const partialIdx = _opts.reversePartialPowIdx ? t - 1 : 0;
const poseidonRound = (values: bigint[], isFull: boolean, idx: number) => {
values = values.map((i, j) => Fp.add(i, roundConstants[idx][j]));
if (isFull) values = values.map((i) => sboxFn(i));
else values[partialIdx] = sboxFn(values[partialIdx]);
// Matrix multiplication
values = mds.map((i) => i.reduce((acc, i, j) => Fp.add(acc, Fp.mulN(i, values[j])), Fp.ZERO));
return values;
};
const poseidonHash = function poseidonHash(values: bigint[]) {
if (!Array.isArray(values) || values.length !== t)
throw new Error('invalid values, expected array of bigints with length ' + t);
// `.map()` skips sparse holes, which would leak `undefined` into round math below.
values = values.slice();
for (let j = 0; j < values.length; j++) {
const i = values[j];
if (typeof i !== 'bigint') throw new Error('invalid bigint=' + i);
values[j] = Fp.create(i);
}
let lastRound = 0;
// Apply r_f/2 full rounds.
for (let i = 0; i < halfRoundsFull; i++) values = poseidonRound(values, true, lastRound++);
// Apply r_p partial rounds.
for (let i = 0; i < roundsPartial; i++) values = poseidonRound(values, false, lastRound++);
// Apply r_f/2 full rounds.
for (let i = 0; i < halfRoundsFull; i++) values = poseidonRound(values, true, lastRound++);
if (lastRound !== totalRounds) throw new Error('invalid number of rounds');
return values;
} as PoseidonFn;
// For verification in tests
Object.defineProperty(poseidonHash, 'roundConstants', {
value: roundConstants,
enumerable: true,
});
return poseidonHash;
}
/**
* @param Fp - Field implementation.
* @param rate - Sponge rate.
* @param capacity - Sponge capacity.
* @param hash - Poseidon permutation.
* @example
* Wrap one Poseidon permutation in a sponge interface.
*
* ```ts
* import { PoseidonSponge, grainGenConstants, poseidon } from '@noble/curves/abstract/poseidon.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const constants = grainGenConstants({ Fp, t: 2, roundsFull: 8, roundsPartial: 8 });
* const hash = poseidon({ ...constants, Fp, t: 2, roundsFull: 8, roundsPartial: 8, sboxPower: 3 });
* const sponge = new PoseidonSponge(Fp, 1, 1, hash);
* sponge.absorb([1n]);
* const out = sponge.squeeze(1);
* ```
*/
export class PoseidonSponge {
private Fp: IField<bigint>;
readonly rate: number;
readonly capacity: number;
readonly hash: PoseidonFn;
private state: bigint[]; // [...capacity, ...rate]
private pos = 0;
private isAbsorbing = true;
constructor(Fp: IField<bigint>, rate: number, capacity: number, hash: PoseidonFn) {
const width = spongeShape(rate, capacity);
// The direct constructor accepts an arbitrary permutation hook, but callers still
// need to preserve the `PoseidonFn.roundConstants` width metadata. Reject width
// mismatches here instead of deferring them until the first `process()` call.
if (width !== hash.roundConstants[0]?.length)
throw new Error(
`invalid sponge width: expected ${hash.roundConstants[0]?.length}, got ${width}`
);
this.Fp = Fp;
this.hash = hash;
this.rate = rate;
this.capacity = capacity;
this.state = new Array(width);
this.clean();
}
private process(): void {
// The permutation is expected to return an owned state array. If callers inject a custom
// hook that reuses external storage, `clean()` will zero that shared buffer too.
this.state = this.hash(this.state);
}
absorb(input: bigint[]): void {
for (const i of input)
if (typeof i !== 'bigint' || !this.Fp.isValid(i)) throw new Error('invalid input: ' + i);
for (let i = 0; i < input.length; ) {
if (!this.isAbsorbing || this.pos === this.rate) {
this.process();
this.pos = 0;
this.isAbsorbing = true;
}
const chunk = Math.min(this.rate - this.pos, input.length - i);
for (let j = 0; j < chunk; j++) {
const idx = this.capacity + this.pos++;
this.state[idx] = this.Fp.add(this.state[idx], input[i++]);
}
}
}
squeeze(count: number): bigint[] {
// Rust oracles use unsigned counts. In JS we keep `squeeze(0) => []` for
// compatibility, but still reject negative/fractional counts explicitly.
asafenumber(count, 'count');
if (count < 0) throw new Error('invalid number count');
const res: bigint[] = [];
while (res.length < count) {
if (this.isAbsorbing || this.pos === this.rate) {
this.process();
this.pos = 0;
this.isAbsorbing = false;
}
const chunk = Math.min(this.rate - this.pos, count - res.length);
for (let i = 0; i < chunk; i++) res.push(this.state[this.capacity + this.pos++]);
}
return res;
}
clean(): void {
this.state.fill(this.Fp.ZERO);
this.isAbsorbing = true;
this.pos = 0;
}
clone(): PoseidonSponge {
const c = new PoseidonSponge(this.Fp, this.rate, this.capacity, this.hash);
c.pos = this.pos;
c.isAbsorbing = this.isAbsorbing;
c.state = [...this.state];
return c;
}
}
/** Options for the non-standard but commonly used Poseidon sponge wrapper. */
export type PoseidonSpongeOpts = Omit<PoseidonOpts, 't'> & {
/** Sponge rate. */
rate: number;
/** Sponge capacity. */
capacity: number;
};
const spongeShape = (rate: number, capacity: number) => {
asafenumber(rate, 'rate');
asafenumber(capacity, 'capacity');
// A sponge with zero rate cannot absorb or squeeze any field elements.
if (rate < 1) throw new Error('invalid number rate');
// Negative capacity can accidentally keep `rate + capacity` coherent while still
// producing a nonsensical sponge shape.
if (capacity < 0) throw new Error('invalid number capacity');
return rate + capacity;
};
/**
* The method is not defined in spec, but nevertheless used often.
* Check carefully for compatibility: there are many edge cases, like absorbing an empty array.
* We cross-test against:
* - {@link https://github.com/ProvableHQ/snarkVM/tree/staging/algorithms | snarkVM algorithms}
* - {@link https://github.com/arkworks-rs/crypto-primitives/tree/main | arkworks crypto-primitives}
* @param opts - Sponge options. See {@link PoseidonSpongeOpts}.
* @returns Factory for sponge instances.
* @throws If the sponge dimensions or backing permutation options are invalid. {@link Error}
* @example
* Use the sponge helper to absorb several field elements and squeeze one digest.
*
* ```ts
* import { grainGenConstants, poseidonSponge } from '@noble/curves/abstract/poseidon.js';
* import { Field } from '@noble/curves/abstract/modular.js';
* const Fp = Field(17n);
* const constants = grainGenConstants({ Fp, t: 2, roundsFull: 8, roundsPartial: 8 });
* const makeSponge = poseidonSponge({
* ...constants,
* Fp,
* rate: 1,
* capacity: 1,
* roundsFull: 8,
* roundsPartial: 8,
* sboxPower: 3,
* });
* const sponge = makeSponge();
* sponge.absorb([1n]);
* const out = sponge.squeeze(1);
* ```
*/
export function poseidonSponge(opts: TArg<PoseidonSpongeOpts>): TRet<() => PoseidonSponge> {
const { rate, capacity } = opts;
const t = spongeShape(rate, capacity);
// Re-use one hash instance between sponge instances; isolation depends on
// poseidon(...) itself staying immutable and not carrying mutable call state.
const hash = poseidon({ ...opts, t });
const { Fp } = opts;
return (() => new PoseidonSponge(Fp, rate, capacity, hash)) as TRet<() => PoseidonSponge>;
}
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/src/abstract/tower.ts
Generated Vendored
+1133
View File
File diff suppressed because it is too large Load Diff
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/src/abstract/weierstrass.ts
Generated Vendored
+1960
View File
File diff suppressed because it is too large Load Diff
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/src/bls12-381.ts
Generated Vendored
+778
View File
@@ -0,0 +1,778 @@
/**
* bls12-381 is pairing-friendly Barreto-Lynn-Scott elliptic curve construction allowing to:
* Construct zk-SNARKs at the ~120-bit security, as per [Barbulescu-Duquesne 2017](https://hal.science/hal-01534101/file/main.pdf)
* Efficiently verify N aggregate signatures with 1 pairing and N ec additions:
the Boneh-Lynn-Shacham signature scheme is orders of magnitude more efficient than Schnorr
BLS can mean 2 different things:
* Barreto-Lynn-Scott: BLS12, a Pairing Friendly Elliptic Curve
* Boneh-Lynn-Shacham: A Signature Scheme.
### Summary
1. BLS Relies on expensive bilinear pairing
2. Secret Keys: 32 bytes
3. Public Keys: 48 OR 96 bytes - big-endian x coordinate of point on G1 OR G2 curve
4. Signatures: 96 OR 48 bytes - big-endian x coordinate of point on G2 OR G1 curve
5. The 12 stands for the Embedding degree.
Modes of operation:
* Long signatures: 48-byte keys + 96-byte sigs (G1 keys + G2 sigs).
* Short signatures: 96-byte keys + 48-byte sigs (G2 keys + G1 sigs).
### Formulas
- `P = pk x G` - public keys
- `S = pk x H(m)` - signing, uses hash-to-curve on m
- `e(P, H(m)) == e(G, S)` - verification using pairings
- `e(G, S) = e(G, SUM(n)(Si)) = MUL(n)(e(G, Si))` - signature aggregation
### Curves
G1 is ordinary elliptic curve. G2 is extension field curve, think "over complex numbers".
- G1: y² = x³ + 4
- G2: y² = x³ + 4(u + 1) where u = √−1; r-order subgroup of E'(Fp²), M-type twist
### Towers
Pairing G1 + G2 produces element in Fp₁₂, 12-degree polynomial.
Fp₁₂ is usually implemented using tower of lower-degree polynomials for speed.
- Fp₁₂ = Fp₆² => Fp₂³
- Fp(u) / (u² - β) where β = -1
- Fp₂(v) / (v³ - ξ) where ξ = u + 1
- Fp₆(w) / (w² - γ) where γ = v
- Fp²[u] = Fp/u²+1
- Fp⁶[v] = Fp²/v³-1-u
- Fp¹²[w] = Fp⁶/w²-v
### Params
* Embedding degree (k): 12
* Seed is sometimes named x or t
* t = -15132376222941642752
* p = (t-1)² * (t⁴-t²+1)/3 + t
* r = t⁴-t²+1
* Ate loop size: X
To verify curve parameters, see
[pairing-friendly-curves spec](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-11).
Basic math is done over finite fields over p.
More complicated math is done over polynominal extension fields.
### Compatibility and notes
1. It is compatible with Algorand, Chia, Dfinity, Ethereum, Filecoin, ZEC.
Filecoin uses little endian byte arrays for secret keys - make sure to reverse byte order.
2. Make sure to correctly select mode: "long signature" or "short signature".
3. Compatible with specs:
RFC 9380,
[cfrg-pairing-friendly-curves-11](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-11),
[cfrg-bls-signature-05](https://datatracker.ietf.org/doc/draft-irtf-cfrg-bls-signature/).
*
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { sha256 } from '@noble/hashes/sha2.js';
import { bls, type BlsCurvePairWithSignatures } from './abstract/bls.ts';
import { Field, type IField } from './abstract/modular.ts';
import {
abytes,
bitLen,
bitMask,
bytesToHex,
bytesToNumberBE,
concatBytes,
copyBytes,
hexToBytes,
numberToBytesBE,
randomBytes,
type TArg,
type TRet,
} from './utils.ts';
// Types
import { isogenyMap } from './abstract/hash-to-curve.ts';
import type { BigintTuple, Fp, Fp12, Fp2, Fp6 } from './abstract/tower.ts';
import { psiFrobenius, tower12 } from './abstract/tower.ts';
import {
mapToCurveSimpleSWU,
weierstrass,
type AffinePoint,
type WeierstrassOpts,
type WeierstrassPoint,
type WeierstrassPointCons,
} from './abstract/weierstrass.ts';
// Be friendly to bad ECMAScript parsers by not using bigint literals
// prettier-ignore
const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n = BigInt(4);
// To verify math:
// https://tools.ietf.org/html/draft-irtf-cfrg-pairing-friendly-curves-11
// The BLS parameter x (seed) for BLS12-381. The stored constant is `|x|`; call
// sites that need the signed parameter apply the minus sign themselves.
// x = -2^63 - 2^62 - 2^60 - 2^57 - 2^48 - 2^16
const BLS_X = BigInt('0xd201000000010000');
// t = x (called differently in different places)
// const t = -BLS_X;
const BLS_X_LEN = bitLen(BLS_X);
// a=0, b=4
// P is characteristic of field Fp, in which curve calculations are done.
// p = (t-1)² * (t⁴-t²+1)/3 + t
// bls12_381_Fp = (t-1n)**2n * (t**4n - t**2n + 1n) / 3n + t
// r*h is curve order, amount of points on curve,
// where r is order of prime subgroup and h is cofactor.
// r = t⁴-t²+1
// r = (t**4n - t**2n + 1n)
// cofactor h of G1: (t - 1)²/3, with the signed convention `t = -x`
// cofactorG1 = (t-1n)**2n/3n
// x = 3685416753713387016781088315183077757961620795782546409894578378688607592378376318836054947676345821548104185464507
// y = 1339506544944476473020471379941921221584933875938349620426543736416511423956333506472724655353366534992391756441569
const bls12_381_CURVE_G1: WeierstrassOpts<bigint> = {
p: BigInt(
'0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab'
),
n: BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001'),
h: BigInt('0x396c8c005555e1568c00aaab0000aaab'),
a: _0n,
b: _4n,
Gx: BigInt(
'0x17f1d3a73197d7942695638c4fa9ac0fc3688c4f9774b905a14e3a3f171bac586c55e83ff97a1aeffb3af00adb22c6bb'
),
Gy: BigInt(
'0x08b3f481e3aaa0f1a09e30ed741d8ae4fcf5e095d5d00af600db18cb2c04b3edd03cc744a2888ae40caa232946c5e7e1'
),
};
// CURVE FIELDS
// r = z⁴ z² + 1; CURVE.n from other curves
/**
* bls12-381 Fr (Fn) field.
* `fromBytes()` reduces modulo `q` instead of rejecting non-canonical encodings.
*/
export const bls12_381_Fr: TRet<IField<bigint>> = Field(bls12_381_CURVE_G1.n, {
modFromBytes: true,
}) as TRet<IField<bigint>>;
const { Fp, Fp2, Fp6, Fp12 } = tower12({
ORDER: bls12_381_CURVE_G1.p,
X_LEN: BLS_X_LEN,
// Finite extension field over irreducible polynominal.
// Fp(u) / (u² - β) where β = -1
// Public `Fp2.NONRESIDUE` below is the sextic-tower value `(1, 1) = u + 1`;
// the quadratic non-residue for the base Fp2 construction is still `-1`.
FP2_NONRESIDUE: [_1n, _1n],
Fp2mulByB: ({ c0, c1 }: Fp2) => {
const t0 = Fp.mul(c0, _4n); // 4 * c0
const t1 = Fp.mul(c1, _4n); // 4 * c1
// (T0-T1) + (T0+T1)*i
return { c0: Fp.sub(t0, t1), c1: Fp.add(t0, t1) };
},
Fp12finalExponentiate: (num: Fp12) => {
const x = BLS_X;
// this^(q⁶) / this
const t0 = Fp12.div(Fp12.frobeniusMap(num, 6), num);
// t0^(q²) * t0
const t1 = Fp12.mul(Fp12.frobeniusMap(t0, 2), t0);
const t2 = Fp12.conjugate(Fp12._cyclotomicExp(t1, x));
const t3 = Fp12.mul(Fp12.conjugate(Fp12._cyclotomicSquare(t1)), t2);
const t4 = Fp12.conjugate(Fp12._cyclotomicExp(t3, x));
const t5 = Fp12.conjugate(Fp12._cyclotomicExp(t4, x));
const t6 = Fp12.mul(Fp12.conjugate(Fp12._cyclotomicExp(t5, x)), Fp12._cyclotomicSquare(t2));
const t7 = Fp12.conjugate(Fp12._cyclotomicExp(t6, x));
const t2_t5_pow_q2 = Fp12.frobeniusMap(Fp12.mul(t2, t5), 2);
const t4_t1_pow_q3 = Fp12.frobeniusMap(Fp12.mul(t4, t1), 3);
const t6_t1c_pow_q1 = Fp12.frobeniusMap(Fp12.mul(t6, Fp12.conjugate(t1)), 1);
const t7_t3c_t1 = Fp12.mul(Fp12.mul(t7, Fp12.conjugate(t3)), t1);
// (t2 * t5)^(q²) * (t4 * t1)^(q³) * (t6 * t1.conj)^(q^1) * t7 * t3.conj * t1
return Fp12.mul(Fp12.mul(Fp12.mul(t2_t5_pow_q2, t4_t1_pow_q3), t6_t1c_pow_q1), t7_t3c_t1);
},
});
// GLV endomorphism Ψ(P), for fast cofactor clearing. `Fp2.NONRESIDUE` here is
// the tower value `u + 1`, so the Frobenius base passed to psiFrobenius is
// `1 / (u + 1)`, and psi2 derives the published `1 / 2^((p - 1) / 3)` constant internally.
let frob: ReturnType<typeof psiFrobenius> | undefined;
const getFrob = () => frob || (frob = psiFrobenius(Fp, Fp2, Fp2.div(Fp2.ONE, Fp2.NONRESIDUE)));
// Eager psiFrobenius setup now dominates `bls12-381.js` import, so defer it to
// first use. After that these locals are rewritten to the direct helper refs.
let G2psi: ReturnType<typeof psiFrobenius>['G2psi'] = (c, P) => {
const fn = getFrob().G2psi;
G2psi = fn;
return fn(c, P);
};
let G2psi2: ReturnType<typeof psiFrobenius>['G2psi2'] = (c, P) => {
const fn = getFrob().G2psi2;
G2psi2 = fn;
return fn(c, P);
};
/**
* Default hash_to_field / hash-to-curve for BLS.
* m: 1 for G1, 2 for G2
* k: target security level in bits
* hash: any function, e.g. BBS+ uses BLAKE2: see [github](https://github.com/hyperledger/aries-framework-go/issues/2247).
* Field/hash parameters come from [section 8.8.2 of RFC 9380](https://www.rfc-editor.org/rfc/rfc9380#section-8.8.2),
* but the `DST` / `encodeDST` strings below are the BLS-signature-suite override.
*/
const hasher_opts = Object.freeze({
DST: 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_',
encodeDST: 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_',
p: Fp.ORDER,
m: 2,
k: 128,
expand: 'xmd',
hash: sha256,
});
// a=0, b=4
// cofactor h of G2, derived with the signed convention `t = -x`
// (t^8 - 4t^7 + 5t^6 - 4t^4 + 6t^3 - 4t^2 - 4t + 13)/9
// cofactorG2 = (t**8n - 4n*t**7n + 5n*t**6n - 4n*t**4n + 6n*t**3n - 4n*t**2n - 4n*t+13n)/9n
// x = 3059144344244213709971259814753781636986470325476647558659373206291635324768958432433509563104347017837885763365758*u + 352701069587466618187139116011060144890029952792775240219908644239793785735715026873347600343865175952761926303160
// y = 927553665492332455747201965776037880757740193453592970025027978793976877002675564980949289727957565575433344219582*u + 1985150602287291935568054521177171638300868978215655730859378665066344726373823718423869104263333984641494340347905
const bls12_381_CURVE_G2 = {
p: Fp2.ORDER,
n: bls12_381_CURVE_G1.n,
h: BigInt(
'0x5d543a95414e7f1091d50792876a202cd91de4547085abaa68a205b2e5a7ddfa628f1cb4d9e82ef21537e293a6691ae1616ec6e786f0c70cf1c38e31c7238e5'
),
a: Fp2.ZERO,
b: Fp2.fromBigTuple([_4n, _4n]),
Gx: Fp2.fromBigTuple([
BigInt(
'0x024aa2b2f08f0a91260805272dc51051c6e47ad4fa403b02b4510b647ae3d1770bac0326a805bbefd48056c8c121bdb8'
),
BigInt(
'0x13e02b6052719f607dacd3a088274f65596bd0d09920b61ab5da61bbdc7f5049334cf11213945d57e5ac7d055d042b7e'
),
]),
Gy: Fp2.fromBigTuple([
BigInt(
'0x0ce5d527727d6e118cc9cdc6da2e351aadfd9baa8cbdd3a76d429a695160d12c923ac9cc3baca289e193548608b82801'
),
BigInt(
'0x0606c4a02ea734cc32acd2b02bc28b99cb3e287e85a763af267492ab572e99ab3f370d275cec1da1aaa9075ff05f79be'
),
]),
};
// Encoding utils
const sortBit = (parts: bigint[], p: bigint) => {
for (const part of parts) {
if (part !== _0n) return Boolean((part * _2n) / p);
}
return false;
};
const fp2 = {
// Generic tower bytes use `c0 || c1`, but the BLS12-381 G2 point/signature wire encoding uses
// `c1 || c0`, so keep this local wrapper instead of changing generic field serialization.
encode({ c0, c1 }: Fp2): TRet<Uint8Array> {
const { BYTES: L } = Fp;
return concatBytes(numberToBytesBE(c1, L), numberToBytesBE(c0, L)) as TRet<Uint8Array>;
},
decode(bytes: TArg<Uint8Array>) {
const { BYTES: L } = Fp;
return Fp2.create({
c0: Fp.create(bytesToNumberBE(bytes.subarray(L))),
c1: Fp.create(bytesToNumberBE(bytes.subarray(0, L))),
});
},
};
const BaseFp = Fp;
type Mask = { compressed: boolean; infinity: boolean; sort: boolean };
// Keep BLS12-381 point/signature codecs on one control-flow skeleton: the G1/G2
// and point/signature variants differ only in field packing, subgroup bytes, and
// whether uncompressed form is allowed. Copy-paste decoders were diverging.
const coder = <T>(
name: 'G1' | 'G2',
Fp: TArg<IField<T>>,
b: T,
encode: TArg<(v: T) => TRet<Uint8Array>>,
decode: TArg<(bytes: TArg<Uint8Array>) => T>,
yparts: (y: T) => bigint[]
) => {
const F = Fp as IField<T>;
const enc = encode as (v: T) => TRet<Uint8Array>;
const dec = decode as (bytes: TArg<Uint8Array>) => T;
const W = F.BYTES;
return (allowUncompressed: boolean) => ({
encode(point: WeierstrassPoint<T>, compressed = true): TRet<Uint8Array> {
if (!compressed && !allowUncompressed)
throw new Error('invalid signature: expected compressed encoding');
const infinity = point.is0();
const { x, y } = point.toAffine();
const bytes = compressed ? enc(x) : concatBytes(enc(x), enc(y));
let sort;
if (compressed && !infinity) sort = sortBit(yparts(y), BaseFp.ORDER);
return setMask(bytes, { compressed, infinity, sort }) as TRet<Uint8Array>;
},
decode(bytes: TArg<Uint8Array>): AffinePoint<T> {
const raw = allowUncompressed
? abytes(bytes, undefined, 'point')
: abytes(bytes, W, 'signature');
const { compressed, infinity, sort, value } = parseMask(raw);
if (!allowUncompressed && !compressed)
throw new Error('invalid signature: expected compressed encoding');
const len = compressed ? W : 2 * W;
if (value.length !== len) throw new Error(`invalid ${name} point: expected ${len} bytes`);
if (infinity) {
// Infinity canonicality has to be checked on raw bytes before decode()
// reduces coordinates modulo p and turns non-empty payloads into zero.
for (const b of value) {
if (b) throw new Error(`invalid ${name} point: non-canonical zero`);
}
return { x: F.ZERO, y: F.ZERO };
}
const x = dec(compressed ? value : value.subarray(0, W));
let y;
if (compressed) {
y = F.sqrt(F.add(F.pow(x, _3n), b));
if (!y) throw new Error(`invalid ${name} point: compressed`);
if (sortBit(yparts(y), BaseFp.ORDER) !== sort) y = F.neg(y);
} else {
y = dec(value.subarray(W));
}
// Noble keeps the permissive coordinate reduction path here, but an
// omitted infinity flag must not still decode to ZERO afterwards.
if (!compressed && F.is0(x) && F.is0(y))
throw new Error(`invalid ${name} point: uncompressed`);
return { x, y };
},
});
};
// Internal helper only: it copies before clearing the top flag bits. The
// pairing-friendly-curves draft C.2 step 1 rejects 0x20 / 0x60 / 0xe0 because
// S_bit must be zero for infinity and for all uncompressed encodings.
function validateMask({ compressed, infinity, sort }: Mask) {
if (
(!compressed && !infinity && sort) || // 0010_0000 = 0x20
(!compressed && infinity && sort) || // 0110_0000 = 0x60
(compressed && infinity && sort) // 1110_0000 = 0xe0
)
throw new Error('invalid encoding flag');
}
function parseMask(bytes: TArg<Uint8Array>) {
// Copy, so we can remove mask data.
// It will be removed also later, when Fp.create will call modulo.
bytes = copyBytes(bytes);
const mask = bytes[0] & 0b1110_0000;
const compressed = !!((mask >> 7) & 1); // compression bit (0b1000_0000)
const infinity = !!((mask >> 6) & 1); // point at infinity bit (0b0100_0000)
const sort = !!((mask >> 5) & 1); // sort bit (0b0010_0000)
validateMask({ compressed, infinity, sort });
bytes[0] &= 0b0001_1111; // clear mask (zero first 3 bits)
return { compressed, infinity, sort, value: bytes };
}
// Internal helper only: mutates a non-empty fresh buffer in place and just
// sets bits. Keep the same invalid-flag guard as parseMask() so encoders cannot
// manufacture states that decoders already reject.
function setMask(bytes: TArg<Uint8Array>, mask: Partial<Mask>) {
if (bytes[0] & 0b1110_0000) throw new Error('setMask: non-empty mask');
validateMask({ compressed: !!mask.compressed, infinity: !!mask.infinity, sort: !!mask.sort });
if (mask.compressed) bytes[0] |= 0b1000_0000;
if (mask.infinity) bytes[0] |= 0b0100_0000;
if (mask.sort) bytes[0] |= 0b0010_0000;
return bytes;
}
const g1coder = coder(
'G1',
Fp,
Fp.create(bls12_381_CURVE_G1.b),
(x: Fp) => numberToBytesBE(x, Fp.BYTES),
(bytes: TArg<Uint8Array>) => Fp.create(bytesToNumberBE(bytes) & bitMask(Fp.BITS)),
(y: Fp) => [y]
);
const g1 = { point: g1coder(true), sig: g1coder(false) };
const signatureG1ToBytes = (point: WeierstrassPoint<Fp>): TRet<Uint8Array> => {
point.assertValidity();
return g1.sig.encode(point);
};
function signatureG1FromBytes(bytes: TArg<Uint8Array>): WeierstrassPoint<Fp> {
const Point = bls12_381.G1.Point;
const point = Point.fromAffine(g1.sig.decode(bytes));
point.assertValidity();
return point;
}
const g2coder = coder('G2', Fp2, bls12_381_CURVE_G2.b, fp2.encode, fp2.decode, (y: Fp2) => [
y.c1,
y.c0,
]);
const g2 = { point: g2coder(true), sig: g2coder(false) };
const signatureG2ToBytes = (point: WeierstrassPoint<Fp2>): TRet<Uint8Array> => {
point.assertValidity();
return g2.sig.encode(point);
};
function signatureG2FromBytes(bytes: TArg<Uint8Array>) {
const Point = bls12_381.G2.Point;
const point = Point.fromAffine(g2.sig.decode(bytes));
point.assertValidity();
return point;
}
const signatureCoders = {
ShortSignature: {
fromBytes(bytes: TArg<Uint8Array>) {
return signatureG1FromBytes(abytes(bytes));
},
fromHex(hex: string): WeierstrassPoint<Fp> {
return signatureG1FromBytes(hexToBytes(hex));
},
toBytes(point: WeierstrassPoint<Fp>) {
return signatureG1ToBytes(point);
},
// Historical alias: BLS signatures have a single compressed byte format here.
toRawBytes(point: WeierstrassPoint<Fp>) {
return signatureG1ToBytes(point);
},
toHex(point: WeierstrassPoint<Fp>) {
return bytesToHex(signatureG1ToBytes(point));
},
},
LongSignature: {
fromBytes(bytes: TArg<Uint8Array>): WeierstrassPoint<Fp2> {
return signatureG2FromBytes(abytes(bytes));
},
fromHex(hex: string): WeierstrassPoint<Fp2> {
return signatureG2FromBytes(hexToBytes(hex));
},
toBytes(point: WeierstrassPoint<Fp2>) {
return signatureG2ToBytes(point);
},
// Historical alias: BLS signatures have a single compressed byte format here.
toRawBytes(point: WeierstrassPoint<Fp2>) {
return signatureG2ToBytes(point);
},
toHex(point: WeierstrassPoint<Fp2>) {
return bytesToHex(signatureG2ToBytes(point));
},
},
};
const fields = {
Fp,
Fp2,
Fp6,
Fp12,
Fr: bls12_381_Fr,
};
const G1_Point = weierstrass(bls12_381_CURVE_G1, {
// Public point APIs still accept infinity, even though the Zcash proof
// encoding rules cited above only define nonzero point encodings.
allowInfinityPoint: true,
Fn: bls12_381_Fr,
fromBytes: g1.point.decode,
toBytes: (
_c: WeierstrassPointCons<Fp>,
point: WeierstrassPoint<Fp>,
isComp: boolean
): TRet<Uint8Array> => g1.point.encode(point, isComp) as TRet<Uint8Array>,
// Checks is the point resides in prime-order subgroup.
// point.isTorsionFree() should return true for valid points
// It returns false for shitty points.
// https://eprint.iacr.org/2021/1130.pdf
isTorsionFree: (c, point): boolean => {
// GLV endomorphism ψ(P)
const beta = BigInt(
'0x5f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffe'
);
const phi = new c(Fp.mul(point.X, beta), point.Y, point.Z);
// TODO: unroll
const xP = point.multiplyUnsafe(BLS_X).negate(); // [x]P
const u2P = xP.multiplyUnsafe(BLS_X); // [u2]P
return u2P.equals(phi);
},
// Clear cofactor of G1
// https://eprint.iacr.org/2019/403
clearCofactor: (_c, point) => {
// return this.multiplyUnsafe(CURVE.h);
return point.multiplyUnsafe(BLS_X).add(point); // x*P + P
},
});
const G2_Point = weierstrass(bls12_381_CURVE_G2, {
Fp: Fp2,
// Public point APIs still accept infinity, even though the Zcash proof
// encoding rules cited above only define nonzero point encodings.
allowInfinityPoint: true,
Fn: bls12_381_Fr,
fromBytes: g2.point.decode,
toBytes: (
_c: WeierstrassPointCons<Fp2>,
point: WeierstrassPoint<Fp2>,
isComp: boolean
): TRet<Uint8Array> => g2.point.encode(point, isComp) as TRet<Uint8Array>,
// https://eprint.iacr.org/2021/1130.pdf
// Older version: https://eprint.iacr.org/2019/814.pdf
isTorsionFree: (c, P): boolean => {
return P.multiplyUnsafe(BLS_X).negate().equals(G2psi(c, P)); // ψ(P) == [u](P)
},
// clear_cofactor_bls12381_g2 from RFC 9380.
// https://eprint.iacr.org/2017/419.pdf
// prettier-ignore
clearCofactor: (c, P) => {
const x = BLS_X;
let t1 = P.multiplyUnsafe(x).negate(); // [-x]P
let t2 = G2psi(c, P); // Ψ(P)
let t3 = P.double(); // 2P
t3 = G2psi2(c, t3); // Ψ²(2P)
t3 = t3.subtract(t2); // Ψ²(2P) - Ψ(P)
t2 = t1.add(t2); // [-x]P + Ψ(P)
t2 = t2.multiplyUnsafe(x).negate(); // [x²]P - [x]Ψ(P)
t3 = t3.add(t2); // Ψ²(2P) - Ψ(P) + [x²]P - [x]Ψ(P)
t3 = t3.subtract(t1); // Ψ²(2P) - Ψ(P) + [x²]P - [x]Ψ(P) + [x]P
const Q = t3.subtract(P); // Ψ²(2P) - Ψ(P) + [x²]P - [x]Ψ(P) + [x]P - 1P
return Q; // [x²-x-1]P + [x-1]Ψ(P) + Ψ²(2P)
},
});
const bls12_hasher_opts = {
mapToG1: mapToG1,
mapToG2: mapToG2,
hasherOpts: hasher_opts,
// RFC 9380 Appendix J defines distinct G1/G2 RO and NU suite IDs, and
// draft-irtf-cfrg-bls-signature-06 §4.2.1 gives separate G1/G2 `_NUL_` DSTs.
// Keep G1 encode-to-curve on the G1 domain instead of inheriting G2's `encodeDST`.
hasherOptsG1: {
...hasher_opts,
m: 1,
DST: 'BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_',
encodeDST: 'BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_',
},
hasherOptsG2: { ...hasher_opts },
} as const;
const bls12_params = {
ateLoopSize: BLS_X, // The BLS parameter x for BLS12-381
xNegative: true,
twistType: 'multiplicative' as const,
randomBytes: randomBytes,
};
/**
* bls12-381 pairing-friendly curve construction.
* Provides both longSignatures and shortSignatures.
* @example
* bls12-381 pairing-friendly curve construction.
*
* ```ts
* const bls = bls12_381.longSignatures;
* const { secretKey, publicKey } = bls.keygen();
* const msg = bls.hash(new TextEncoder().encode('hello noble'));
* const sig = bls.sign(msg, secretKey);
* const isValid = bls.verify(sig, msg, publicKey);
* ```
*/
export const bls12_381: BlsCurvePairWithSignatures = bls(
fields,
G1_Point,
G2_Point,
bls12_params,
bls12_hasher_opts,
signatureCoders
);
// 3-isogeny map from E' to E https://www.rfc-editor.org/rfc/rfc9380#appendix-E.3
// Coefficients stay in ascending `k_(?,0)`..`k_(?,d)` order; isogenyMap()
// reverses them internally for Horner evaluation.
const isogenyMapG2 = isogenyMap(
Fp2,
[
// xNum
[
[
'0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97d6',
'0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97d6',
],
[
'0x0',
'0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71a',
],
[
'0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71e',
'0x8ab05f8bdd54cde190937e76bc3e447cc27c3d6fbd7063fcd104635a790520c0a395554e5c6aaaa9354ffffffffe38d',
],
[
'0x171d6541fa38ccfaed6dea691f5fb614cb14b4e7f4e810aa22d6108f142b85757098e38d0f671c7188e2aaaaaaaa5ed1',
'0x0',
],
],
// xDen
[
[
'0x0',
'0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa63',
],
[
'0xc',
'0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa9f',
],
['0x1', '0x0'], // LAST 1
],
// yNum
[
[
'0x1530477c7ab4113b59a4c18b076d11930f7da5d4a07f649bf54439d87d27e500fc8c25ebf8c92f6812cfc71c71c6d706',
'0x1530477c7ab4113b59a4c18b076d11930f7da5d4a07f649bf54439d87d27e500fc8c25ebf8c92f6812cfc71c71c6d706',
],
[
'0x0',
'0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97be',
],
[
'0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71c',
'0x8ab05f8bdd54cde190937e76bc3e447cc27c3d6fbd7063fcd104635a790520c0a395554e5c6aaaa9354ffffffffe38f',
],
[
'0x124c9ad43b6cf79bfbf7043de3811ad0761b0f37a1e26286b0e977c69aa274524e79097a56dc4bd9e1b371c71c718b10',
'0x0',
],
],
// yDen
[
[
'0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa8fb',
'0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa8fb',
],
[
'0x0',
'0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa9d3',
],
[
'0x12',
'0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa99',
],
['0x1', '0x0'], // LAST 1
],
].map((i) => i.map((pair) => Fp2.fromBigTuple(pair.map(BigInt) as BigintTuple))) as [
Fp2[],
Fp2[],
Fp2[],
Fp2[],
]
);
// 11-isogeny map from E' to E. Coefficients stay in ascending
// `k_(?,0)`..`k_(?,d)` order; isogenyMap() reverses them for Horner evaluation.
const isogenyMapG1 = isogenyMap(
Fp,
[
// xNum
[
'0x11a05f2b1e833340b809101dd99815856b303e88a2d7005ff2627b56cdb4e2c85610c2d5f2e62d6eaeac1662734649b7',
'0x17294ed3e943ab2f0588bab22147a81c7c17e75b2f6a8417f565e33c70d1e86b4838f2a6f318c356e834eef1b3cb83bb',
'0xd54005db97678ec1d1048c5d10a9a1bce032473295983e56878e501ec68e25c958c3e3d2a09729fe0179f9dac9edcb0',
'0x1778e7166fcc6db74e0609d307e55412d7f5e4656a8dbf25f1b33289f1b330835336e25ce3107193c5b388641d9b6861',
'0xe99726a3199f4436642b4b3e4118e5499db995a1257fb3f086eeb65982fac18985a286f301e77c451154ce9ac8895d9',
'0x1630c3250d7313ff01d1201bf7a74ab5db3cb17dd952799b9ed3ab9097e68f90a0870d2dcae73d19cd13c1c66f652983',
'0xd6ed6553fe44d296a3726c38ae652bfb11586264f0f8ce19008e218f9c86b2a8da25128c1052ecaddd7f225a139ed84',
'0x17b81e7701abdbe2e8743884d1117e53356de5ab275b4db1a682c62ef0f2753339b7c8f8c8f475af9ccb5618e3f0c88e',
'0x80d3cf1f9a78fc47b90b33563be990dc43b756ce79f5574a2c596c928c5d1de4fa295f296b74e956d71986a8497e317',
'0x169b1f8e1bcfa7c42e0c37515d138f22dd2ecb803a0c5c99676314baf4bb1b7fa3190b2edc0327797f241067be390c9e',
'0x10321da079ce07e272d8ec09d2565b0dfa7dccdde6787f96d50af36003b14866f69b771f8c285decca67df3f1605fb7b',
'0x6e08c248e260e70bd1e962381edee3d31d79d7e22c837bc23c0bf1bc24c6b68c24b1b80b64d391fa9c8ba2e8ba2d229',
],
// xDen
[
'0x8ca8d548cff19ae18b2e62f4bd3fa6f01d5ef4ba35b48ba9c9588617fc8ac62b558d681be343df8993cf9fa40d21b1c',
'0x12561a5deb559c4348b4711298e536367041e8ca0cf0800c0126c2588c48bf5713daa8846cb026e9e5c8276ec82b3bff',
'0xb2962fe57a3225e8137e629bff2991f6f89416f5a718cd1fca64e00b11aceacd6a3d0967c94fedcfcc239ba5cb83e19',
'0x3425581a58ae2fec83aafef7c40eb545b08243f16b1655154cca8abc28d6fd04976d5243eecf5c4130de8938dc62cd8',
'0x13a8e162022914a80a6f1d5f43e7a07dffdfc759a12062bb8d6b44e833b306da9bd29ba81f35781d539d395b3532a21e',
'0xe7355f8e4e667b955390f7f0506c6e9395735e9ce9cad4d0a43bcef24b8982f7400d24bc4228f11c02df9a29f6304a5',
'0x772caacf16936190f3e0c63e0596721570f5799af53a1894e2e073062aede9cea73b3538f0de06cec2574496ee84a3a',
'0x14a7ac2a9d64a8b230b3f5b074cf01996e7f63c21bca68a81996e1cdf9822c580fa5b9489d11e2d311f7d99bbdcc5a5e',
'0xa10ecf6ada54f825e920b3dafc7a3cce07f8d1d7161366b74100da67f39883503826692abba43704776ec3a79a1d641',
'0x95fc13ab9e92ad4476d6e3eb3a56680f682b4ee96f7d03776df533978f31c1593174e4b4b7865002d6384d168ecdd0a',
'0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001', // LAST 1
],
// yNum
[
'0x90d97c81ba24ee0259d1f094980dcfa11ad138e48a869522b52af6c956543d3cd0c7aee9b3ba3c2be9845719707bb33',
'0x134996a104ee5811d51036d776fb46831223e96c254f383d0f906343eb67ad34d6c56711962fa8bfe097e75a2e41c696',
'0xcc786baa966e66f4a384c86a3b49942552e2d658a31ce2c344be4b91400da7d26d521628b00523b8dfe240c72de1f6',
'0x1f86376e8981c217898751ad8746757d42aa7b90eeb791c09e4a3ec03251cf9de405aba9ec61deca6355c77b0e5f4cb',
'0x8cc03fdefe0ff135caf4fe2a21529c4195536fbe3ce50b879833fd221351adc2ee7f8dc099040a841b6daecf2e8fedb',
'0x16603fca40634b6a2211e11db8f0a6a074a7d0d4afadb7bd76505c3d3ad5544e203f6326c95a807299b23ab13633a5f0',
'0x4ab0b9bcfac1bbcb2c977d027796b3ce75bb8ca2be184cb5231413c4d634f3747a87ac2460f415ec961f8855fe9d6f2',
'0x987c8d5333ab86fde9926bd2ca6c674170a05bfe3bdd81ffd038da6c26c842642f64550fedfe935a15e4ca31870fb29',
'0x9fc4018bd96684be88c9e221e4da1bb8f3abd16679dc26c1e8b6e6a1f20cabe69d65201c78607a360370e577bdba587',
'0xe1bba7a1186bdb5223abde7ada14a23c42a0ca7915af6fe06985e7ed1e4d43b9b3f7055dd4eba6f2bafaaebca731c30',
'0x19713e47937cd1be0dfd0b8f1d43fb93cd2fcbcb6caf493fd1183e416389e61031bf3a5cce3fbafce813711ad011c132',
'0x18b46a908f36f6deb918c143fed2edcc523559b8aaf0c2462e6bfe7f911f643249d9cdf41b44d606ce07c8a4d0074d8e',
'0xb182cac101b9399d155096004f53f447aa7b12a3426b08ec02710e807b4633f06c851c1919211f20d4c04f00b971ef8',
'0x245a394ad1eca9b72fc00ae7be315dc757b3b080d4c158013e6632d3c40659cc6cf90ad1c232a6442d9d3f5db980133',
'0x5c129645e44cf1102a159f748c4a3fc5e673d81d7e86568d9ab0f5d396a7ce46ba1049b6579afb7866b1e715475224b',
'0x15e6be4e990f03ce4ea50b3b42df2eb5cb181d8f84965a3957add4fa95af01b2b665027efec01c7704b456be69c8b604',
],
// yDen
[
'0x16112c4c3a9c98b252181140fad0eae9601a6de578980be6eec3232b5be72e7a07f3688ef60c206d01479253b03663c1',
'0x1962d75c2381201e1a0cbd6c43c348b885c84ff731c4d59ca4a10356f453e01f78a4260763529e3532f6102c2e49a03d',
'0x58df3306640da276faaae7d6e8eb15778c4855551ae7f310c35a5dd279cd2eca6757cd636f96f891e2538b53dbf67f2',
'0x16b7d288798e5395f20d23bf89edb4d1d115c5dbddbcd30e123da489e726af41727364f2c28297ada8d26d98445f5416',
'0xbe0e079545f43e4b00cc912f8228ddcc6d19c9f0f69bbb0542eda0fc9dec916a20b15dc0fd2ededda39142311a5001d',
'0x8d9e5297186db2d9fb266eaac783182b70152c65550d881c5ecd87b6f0f5a6449f38db9dfa9cce202c6477faaf9b7ac',
'0x166007c08a99db2fc3ba8734ace9824b5eecfdfa8d0cf8ef5dd365bc400a0051d5fa9c01a58b1fb93d1a1399126a775c',
'0x16a3ef08be3ea7ea03bcddfabba6ff6ee5a4375efa1f4fd7feb34fd206357132b920f5b00801dee460ee415a15812ed9',
'0x1866c8ed336c61231a1be54fd1d74cc4f9fb0ce4c6af5920abc5750c4bf39b4852cfe2f7bb9248836b233d9d55535d4a',
'0x167a55cda70a6e1cea820597d94a84903216f763e13d87bb5308592e7ea7d4fbc7385ea3d529b35e346ef48bb8913f55',
'0x4d2f259eea405bd48f010a01ad2911d9c6dd039bb61a6290e591b36e636a5c871a5c29f4f83060400f8b49cba8f6aa8',
'0xaccbb67481d033ff5852c1e48c50c477f94ff8aefce42d28c0f9a88cea7913516f968986f7ebbea9684b529e2561092',
'0xad6b9514c767fe3c3613144b45f1496543346d98adf02267d5ceef9a00d9b8693000763e3b90ac11e99b138573345cc',
'0x2660400eb2e4f3b628bdd0d53cd76f2bf565b94e72927c1cb748df27942480e420517bd8714cc80d1fadc1326ed06f7',
'0xe0fa1d816ddc03e6b24255e0d7819c171c40f65e273b853324efcd6356caa205ca2f570f13497804415473a1d634b8f',
'0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001', // LAST 1
],
].map((i) => i.map((j) => BigInt(j))) as [Fp[], Fp[], Fp[], Fp[]]
);
let G1_SWU: ((u: bigint) => { x: bigint; y: bigint }) | undefined;
let G2_SWU: ((u: Fp2) => { x: Fp2; y: Fp2 }) | undefined;
// SWU setup validates the pre-isogeny curve parameters and builds sqrt-ratio helpers.
// Doing that eagerly adds about 10ms to `bls12-381.js` import here, so keep it lazy; after the
// first map call the cached mapper is reused directly.
const getG1_SWU = () =>
G1_SWU ||
(G1_SWU = mapToCurveSimpleSWU(Fp, {
A: Fp.create(
BigInt(
'0x144698a3b8e9433d693a02c96d4982b0ea985383ee66a8d8e8981aefd881ac98936f8da0e0f97f5cf428082d584c1d'
)
),
B: Fp.create(
BigInt(
'0x12e2908d11688030018b12e8753eee3b2016c1f0f24f4070a0b9c14fcef35ef55a23215a316ceaa5d1cc48e98e172be0'
)
),
Z: Fp.create(BigInt(11)),
}));
const getG2_SWU = () =>
G2_SWU ||
(G2_SWU = mapToCurveSimpleSWU(Fp2, {
// SWU map for the RFC 9380 §8.8.2 pre-isogeny G2 curve E':
// y² = x³ + 240i * x + 1012 + 1012i
A: Fp2.create({ c0: Fp.create(_0n), c1: Fp.create(BigInt(240)) }), // A' = 240 * I
B: Fp2.create({ c0: Fp.create(BigInt(1012)), c1: Fp.create(BigInt(1012)) }), // B' = 1012 * (1 + I)
Z: Fp2.create({ c0: Fp.create(BigInt(-2)), c1: Fp.create(BigInt(-1)) }), // Z: -(2 + I)
}));
// Internal hash-to-curve step: G1 uses `m = 1`, so only `scalars[0]` is read,
// and the result is the isogeny image on E before the subgroup clear.
function mapToG1(scalars: bigint[]) {
const { x, y } = getG1_SWU()(Fp.create(scalars[0]));
return isogenyMapG1(x, y);
}
// Internal hash-to-curve step: G2 expects the RFC `m = 2` pair, and the result
// is the isogeny image on E before the subgroup clear.
function mapToG2(scalars: bigint[]) {
const { x, y } = getG2_SWU()(Fp2.fromBigTuple(scalars as BigintTuple));
return isogenyMapG2(x, y);
}
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/src/bn254.ts
Generated Vendored
+280
View File
@@ -0,0 +1,280 @@
/**
* bn254, previously known as alt_bn_128, when it had 128-bit security.
Barbulescu-Duquesne 2017 shown it's weaker: just about 100 bits,
so the naming has been adjusted to its prime bit count:
https://hal.science/hal-01534101/file/main.pdf.
Compatible with EIP-196 and EIP-197.
There are huge compatibility issues in the ecosystem:
1. Different libraries call it in different ways: "bn254", "bn256", "alt_bn128", "bn128".
2. libff has bn128, but it's a different curve with different G2:
https://github.com/scipr-lab/libff/blob/a44f482e18b8ac04d034c193bd9d7df7817ad73f/libff/algebra/curves/bn128/bn128_init.cpp#L166-L169
3. halo2curves bn256 is also incompatible and returns different outputs
We don't implement Point methods toHex / toBytes.
To work around this limitation, has to initialize points on their own from BigInts.
Reason it's not implemented is because [there is no standard](https://github.com/privacy-scaling-explorations/halo2curves/issues/109).
Points of divergence:
- Endianness: LE vs BE (byte-swapped)
- Flags as first hex bits (similar to BLS) vs no-flags
- Imaginary part last in G2 vs first (c0, c1 vs c1, c0)
The goal of our implementation is to support "Ethereum" variant of the curve,
because it at least has specs:
- EIP196 (https://eips.ethereum.org/EIPS/eip-196) describes bn254 ECADD and ECMUL opcodes for EVM
- EIP197 (https://eips.ethereum.org/EIPS/eip-197) describes bn254 pairings
- It's hard: EIPs don't have proper tests. EIP-197 returns boolean output instead of Fp12
- The existing implementations are bad. Some are deprecated:
- https://github.com/paritytech/bn (old version)
- https://github.com/ewasm/ethereum-bn128.rs (uses paritytech/bn)
- https://github.com/zcash-hackworks/bn
- https://github.com/arkworks-rs/curves/blob/master/bn254/src/lib.rs
- Python implementations use different towers and produce different Fp12 outputs:
- https://github.com/ethereum/py_pairing
- https://github.com/ethereum/py_ecc/tree/main/py_ecc/bn128
- Points are encoded differently in different implementations
### Params
Seed (X): 4965661367192848881
Fr: (36x⁴+36x³+18x²+6x+1)
Fp: (36x⁴+36x³+24x²+6x+1)
(E / Fp ): Y² = X³+3
(Et / Fp²): Y² = X³+3/(u+9) (D-type twist)
Ate loop size: 6x+2
### Towers
- Fp²[u] = Fp/u²+1
- Fp⁶[v] = Fp²/v³-9-u
- Fp¹²[w] = Fp⁶/w²-v
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import {
blsBasic,
type BlsCurvePair,
type BlsPostPrecomputeFn,
type BlsPostPrecomputePointAddFn,
} from './abstract/bls.ts';
import { Field, type IField } from './abstract/modular.ts';
import type { Fp, Fp12, Fp2 } from './abstract/tower.ts';
import { psiFrobenius, tower12 } from './abstract/tower.ts';
import { weierstrass, type WeierstrassOpts } from './abstract/weierstrass.ts';
import { bitLen, type TRet } from './utils.ts';
// prettier-ignore
const _0n = /* @__PURE__ */ BigInt(0), _1n = /* @__PURE__ */ BigInt(1), _2n = /* @__PURE__ */ BigInt(2), _3n = /* @__PURE__ */ BigInt(3);
const _6n = /* @__PURE__ */ BigInt(6);
// Locally documented BN pairing seed. EIP-197 does not name this scalar
// directly; noble stores the positive value and derives any `-x` uses later.
const BN_X = /* @__PURE__ */ BigInt('4965661367192848881');
// Bit width of the stored seed itself, not the derived Miller-loop scalar `6x+2`.
const BN_X_LEN = /* @__PURE__ */ (() => bitLen(BN_X))();
// Derived scalar used by the optimized G2 subgroup test required by EIP-197.
const SIX_X_SQUARED = /* @__PURE__ */ (() => _6n * BN_X ** _2n)();
const bn254_G1_CURVE: WeierstrassOpts<bigint> = {
p: BigInt('0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47'),
n: BigInt('0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593f0000001'),
// The Ethereum specs define G1 as prime-order but do not spell out the
// cofactor separately; `h = 1` is the implementation-derived value.
h: _1n,
a: _0n,
b: _3n,
Gx: _1n,
Gy: BigInt(2),
};
// r == n
// Finite field over r. It's for convenience and is not used in the code below,
// and its canonical `fromBytes()` decoder is stricter than the EIP-196 MUL
// scalar rule that accepts any 256-bit integer.
// These factories are side-effect free; mark them pure so single-export bundles can drop the rest.
/** bn254 scalar field. */
export const bn254_Fr: TRet<IField<bigint>> = /* @__PURE__ */ (() =>
Field(bn254_G1_CURVE.n) as TRet<IField<bigint>>)();
// `3 / (i + 9)` from EIP-197, stored in noble's internal `(c0, c1) = (b, a)`
// order rather than the spec's `a * i + b` notation.
const Fp2B = /* @__PURE__ */ (() => ({
c0: BigInt('19485874751759354771024239261021720505790618469301721065564631296452457478373'),
c1: BigInt('266929791119991161246907387137283842545076965332900288569378510910307636690'),
}))();
// Bootstrap binding: `Fp12finalExponentiate` needs to reference the finished
// field object while `tower12(...)` is still constructing it.
let Fp12: ReturnType<typeof tower12>['Fp12'];
const tower = /* @__PURE__ */ (() => {
const res = tower12({
ORDER: bn254_G1_CURVE.p,
X_LEN: BN_X_LEN,
// Public `Fp2.NONRESIDUE` below is the sextic-tower seed `(9, 1)`, not the
// quadratic relation `i^2 + 1 = 0` from the EIP text.
FP2_NONRESIDUE: [BigInt(9), _1n],
Fp2mulByB: (num: Fp2) => Fp2.mul(num, Fp2B),
Fp12finalExponentiate: (num: Fp12) => {
const powMinusX = (num: Fp12) => Fp12.conjugate(Fp12._cyclotomicExp(num, BN_X));
const r0 = Fp12.mul(Fp12.conjugate(num), Fp12.inv(num));
const r = Fp12.mul(Fp12.frobeniusMap(r0, 2), r0);
const y1 = Fp12._cyclotomicSquare(powMinusX(r));
const y2 = Fp12.mul(Fp12._cyclotomicSquare(y1), y1);
const y4 = powMinusX(y2);
const y6 = powMinusX(Fp12._cyclotomicSquare(y4));
const y8 = Fp12.mul(Fp12.mul(Fp12.conjugate(y6), y4), Fp12.conjugate(y2));
const y9 = Fp12.mul(y8, y1);
return Fp12.mul(
Fp12.frobeniusMap(Fp12.mul(Fp12.conjugate(r), y9), 3),
Fp12.mul(
Fp12.frobeniusMap(y8, 2),
Fp12.mul(Fp12.frobeniusMap(y9, 1), Fp12.mul(Fp12.mul(y8, y4), r))
)
);
},
});
Fp12 = res.Fp12;
return res;
})();
const Fp = /* @__PURE__ */ (() => tower.Fp)();
const Fp2 = /* @__PURE__ */ (() => tower.Fp2)();
// END OF CURVE FIELDS
// BN254 uses the same tower seed `(9, 1)` for the Frobenius helper that powers
// the divisive-twist G2 endomorphism.
let frob: ReturnType<typeof psiFrobenius> | undefined;
const getFrob = () => frob || (frob = psiFrobenius(Fp, Fp2, Fp2.NONRESIDUE));
// Eager psiFrobenius setup now dominates `bn254.js` import, so defer it to
// first use. After that these locals are rewritten to the direct helper refs.
let psi: ReturnType<typeof psiFrobenius>['psi'] = (x, y) => {
const fn = getFrob().psi;
psi = fn;
return fn(x, y);
};
let G2psi: ReturnType<typeof psiFrobenius>['G2psi'] = (c, P) => {
const fn = getFrob().G2psi;
G2psi = fn;
return fn(c, P);
};
export const _postPrecompute: BlsPostPrecomputeFn = (
Rx: Fp2,
Ry: Fp2,
Rz: Fp2,
Qx: Fp2,
Qy: Fp2,
pointAdd: BlsPostPrecomputePointAddFn
) => {
const q = psi(Qx, Qy);
({ Rx, Ry, Rz } = pointAdd(Rx, Ry, Rz, q[0], q[1]));
const q2 = psi(q[0], q[1]);
pointAdd(Rx, Ry, Rz, q2[0], Fp2.neg(q2[1]));
};
// cofactor: (36 * X^4) + (36 * X^3) + (30 * X^2) + 6*X + 1
const bn254_G2_CURVE: WeierstrassOpts<Fp2> = /* @__PURE__ */ (() => ({
p: Fp2.ORDER,
n: bn254_G1_CURVE.n,
// As with G1, the Ethereum specs do not spell out the G2 cofactor
// separately; this literal is the implementation-derived value.
h: BigInt('0x30644e72e131a029b85045b68181585e06ceecda572a2489345f2299c0f9fa8d'),
a: Fp2.ZERO,
b: Fp2B,
Gx: Fp2.fromBigTuple([
BigInt('10857046999023057135944570762232829481370756359578518086990519993285655852781'),
BigInt('11559732032986387107991004021392285783925812861821192530917403151452391805634'),
]),
Gy: Fp2.fromBigTuple([
BigInt('8495653923123431417604973247489272438418190587263600148770280649306958101930'),
BigInt('4082367875863433681332203403145435568316851327593401208105741076214120093531'),
]),
}))();
const fields = /* @__PURE__ */ (() => ({ Fp, Fp2, Fp6: tower.Fp6, Fp12, Fr: bn254_Fr }))();
const bn254_G1 = /* @__PURE__ */ weierstrass(bn254_G1_CURVE, {
Fp,
Fn: bn254_Fr,
// Ethereum encodes infinity as `(0, 0)`, so the public point API accepts it
// even though it is not an affine curve point, and `fromAffine()` stays lazy:
// adversarial inputs still need `assertValidity()`.
allowInfinityPoint: true,
});
const bn254_G2 = /* @__PURE__ */ weierstrass(bn254_G2_CURVE, {
Fp: Fp2,
Fn: bn254_Fr,
// Ethereum encodes infinity as `((0, 0), (0, 0))`, so the public point API
// accepts it even though it is not an affine curve point.
allowInfinityPoint: true,
// Optimized BN254 G2 subgroup test used to satisfy the EIP-197 order check.
isTorsionFree: (c, P) => P.multiplyUnsafe(SIX_X_SQUARED).equals(G2psi(c, P)), // [p]P = [6X^2]P
});
/*
No hashToCurve for now (and signatures):
- RFC 9380 doesn't mention bn254 and doesn't provide test vectors
- Overall seems like nobody is using BLS signatures on top of bn254
- Seems like it can utilize SVDW, which is not implemented yet
*/
// const htfDefaults = Object.freeze({
// // DST: a domain separation tag defined in section 2.2.5
// DST: 'BN254G2_XMD:SHA-256_SVDW_RO_',
// encodeDST: 'BN254G2_XMD:SHA-256_SVDW_RO_',
// p: Fp.ORDER,
// m: 2,
// k: 128,
// expand: 'xmd',
// hash: sha256,
// });
// const hasherOpts = {
// { ...htfDefaults, m: 1, DST: 'BN254G2_XMD:SHA-256_SVDW_RO_' }
// };
const bn254_params = /* @__PURE__ */ (() => ({
// Optimal-ate Miller loop parameter derived from the positive BN seed.
ateLoopSize: BN_X * _6n + _2n,
r: bn254_Fr.ORDER,
xNegative: false,
// EIP-197 writes G2 as `y^2 = x^3 + 3 / (i + 9)`, so the pairing
// configuration uses the divisive twist convention.
twistType: 'divisive' as const,
postPrecompute: _postPrecompute,
}))();
// const bn254_hasher = {
// hasherOpts: htfDefaults,
// hasherOptsG1: { m: 1, DST: 'BN254G2_XMD:SHA-256_SVDW_RO_' },
// hasherOptsG2: htfDefaults
// };
// G2_heff hEff: BigInt('21888242871839275222246405745257275088844257914179612981679871602714643921549'),
// fromBytes: notImplemented,
// toBytes: notImplemented,
// mapToCurve: notImplemented,
// fromBytes: notImplemented,
// toBytes: notImplemented,
// ShortSignature: {
// fromBytes: notImplemented,
// fromHex: notImplemented,
// toBytes: notImplemented,
// toRawBytes: notImplemented,
// toHex: notImplemented,
// },
/**
* bn254 (a.k.a. alt_bn128) pairing-friendly curve.
* Contains G1 / G2 operations and pairings only; the commented-out
* hash-to-curve and signature surface is intentionally not exposed here.
* @example
* Compute a pairing from the two generator points.
*
* ```ts
* const gt = bn254.pairing(bn254.G1.Point.BASE, bn254.G2.Point.BASE);
* ```
*/
// bn254_hasher
export const bn254: BlsCurvePair = /* @__PURE__ */ blsBasic(
fields,
bn254_G1,
bn254_G2,
bn254_params
);
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/src/ed25519.ts
Generated Vendored
+705
View File
@@ -0,0 +1,705 @@
/**
* ed25519 Twisted Edwards curve with following addons:
* - X25519 ECDH
* - Ristretto cofactor elimination
* - Elligator hash-to-group / point indistinguishability
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { sha512 } from '@noble/hashes/sha2.js';
import { abytes, concatBytes, hexToBytes } from '@noble/hashes/utils.js';
import { type AffinePoint } from './abstract/curve.ts';
import {
eddsa,
edwards,
PrimeEdwardsPoint,
type EdDSA,
type EdDSAOpts,
type EdwardsOpts,
type EdwardsPoint,
type EdwardsPointCons,
} from './abstract/edwards.ts';
import { createFROST, type FROST } from './abstract/frost.ts';
import {
_DST_scalar,
createHasher,
expand_message_xmd,
type H2CDSTOpts,
type H2CHasher,
type H2CHasherBase,
} from './abstract/hash-to-curve.ts';
import {
FpInvertBatch,
FpSqrtEven,
isNegativeLE,
mod,
pow2,
type IField,
} from './abstract/modular.ts';
import { montgomery, type MontgomeryECDH } from './abstract/montgomery.ts';
import { createOPRF, type OPRF } from './abstract/oprf.ts';
import { asciiToBytes, bytesToNumberLE, equalBytes, type TArg, type TRet } from './utils.ts';
// prettier-ignore
const _0n = /* @__PURE__ */ BigInt(0), _1n = /* @__PURE__ */ BigInt(1), _2n = /* @__PURE__ */ BigInt(2), _3n = /* @__PURE__ */ BigInt(3);
// prettier-ignore
const _5n = /* @__PURE__ */ BigInt(5), _8n = /* @__PURE__ */ BigInt(8);
// P = 2n**255n - 19n
const ed25519_CURVE_p = /* @__PURE__ */ BigInt(
'0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed'
);
// N = 2n**252n + 27742317777372353535851937790883648493n
// a = Fp.create(BigInt(-1))
// d = -121665/121666 a.k.a. Fp.neg(121665 * Fp.inv(121666))
const ed25519_CURVE: EdwardsOpts = /* @__PURE__ */ (() => ({
p: ed25519_CURVE_p,
n: BigInt('0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed'),
h: _8n,
a: BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffec'),
d: BigInt('0x52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca135978a3'),
Gx: BigInt('0x216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51a'),
Gy: BigInt('0x6666666666666666666666666666666666666666666666666666666666666658'),
}))();
function ed25519_pow_2_252_3(x: bigint) {
// prettier-ignore
const _10n = BigInt(10), _20n = BigInt(20), _40n = BigInt(40), _80n = BigInt(80);
const P = ed25519_CURVE_p;
const x2 = (x * x) % P;
const b2 = (x2 * x) % P; // x^3, 11
const b4 = (pow2(b2, _2n, P) * b2) % P; // x^15, 1111
const b5 = (pow2(b4, _1n, P) * x) % P; // x^31
const b10 = (pow2(b5, _5n, P) * b5) % P;
const b20 = (pow2(b10, _10n, P) * b10) % P;
const b40 = (pow2(b20, _20n, P) * b20) % P;
const b80 = (pow2(b40, _40n, P) * b40) % P;
const b160 = (pow2(b80, _80n, P) * b80) % P;
const b240 = (pow2(b160, _80n, P) * b80) % P;
const b250 = (pow2(b240, _10n, P) * b10) % P;
const pow_p_5_8 = (pow2(b250, _2n, P) * x) % P;
// ^ This is x^((p-5)/8); multiply by x once more to get x^((p+3)/8).
return { pow_p_5_8, b2 };
}
// Mutates and returns the provided 32-byte buffer in place.
function adjustScalarBytes(bytes: TArg<Uint8Array>): TRet<Uint8Array> {
// Section 5: For X25519, in order to decode 32 random bytes as an integer scalar,
// set the three least significant bits of the first byte
bytes[0] &= 248; // 0b1111_1000
// and the most significant bit of the last to zero,
bytes[31] &= 127; // 0b0111_1111
// set the second most significant bit of the last byte to 1
bytes[31] |= 64; // 0b0100_0000
return bytes as TRet<Uint8Array>;
}
// √(-1) aka √(a) aka 2^((p-1)/4)
// Fp.sqrt(Fp.neg(1))
const ED25519_SQRT_M1 = /* @__PURE__ */ BigInt(
'19681161376707505956807079304988542015446066515923890162744021073123829784752'
);
// sqrt(u/v). Returns `{ isValid, value }`; on non-squares `value` is still a
// dummy root-shaped field element so callers can stay constant-time.
function uvRatio(u: bigint, v: bigint): { isValid: boolean; value: bigint } {
const P = ed25519_CURVE_p;
const v3 = mod(v * v * v, P); // v³
const v7 = mod(v3 * v3 * v, P); // v⁷
// (p+3)/8 and (p-5)/8
const pow = ed25519_pow_2_252_3(u * v7).pow_p_5_8;
let x = mod(u * v3 * pow, P); // (uv³)(uv⁷)^(p-5)/8
const vx2 = mod(v * x * x, P); // vx²
const root1 = x; // First root candidate
const root2 = mod(x * ED25519_SQRT_M1, P); // Second root candidate
const useRoot1 = vx2 === u; // If vx² = u (mod p), x is a square root
const useRoot2 = vx2 === mod(-u, P); // If vx² = -u, set x <-- x * 2^((p-1)/4)
const noRoot = vx2 === mod(-u * ED25519_SQRT_M1, P); // There is no valid root, vx² = -u√(-1)
if (useRoot1) x = root1;
if (useRoot2 || noRoot) x = root2; // We return root2 anyway, for const-time
if (isNegativeLE(x, P)) x = mod(-x, P);
return { isValid: useRoot1 || useRoot2, value: x };
}
const ed25519_Point = /* @__PURE__ */ edwards(ed25519_CURVE, { uvRatio });
// Public field alias stays stricter than the RFC 8032 Appendix A sample code:
// `Fp.inv(0)` throws instead of returning `0`.
const Fp = /* @__PURE__ */ (() => ed25519_Point.Fp)();
const Fn = /* @__PURE__ */ (() => ed25519_Point.Fn)();
// RFC 8032 `dom2` helper for ctx/ph variants only. Plain Ed25519 keeps the
// empty-domain path in `ed()` and would be wrong if routed through this helper.
function ed25519_domain(
data: TArg<Uint8Array>,
ctx: TArg<Uint8Array>,
phflag: boolean
): TRet<Uint8Array> {
if (ctx.length > 255) throw new Error('Context is too big');
return concatBytes(
asciiToBytes('SigEd25519 no Ed25519 collisions'),
new Uint8Array([phflag ? 1 : 0, ctx.length]),
ctx,
data
) as TRet<Uint8Array>;
}
function ed(opts: TArg<EdDSAOpts>) {
// Ed25519 keeps ZIP-215 default verification semantics for consensus compatibility.
return eddsa(
ed25519_Point,
sha512,
Object.assign({ adjustScalarBytes, zip215: true }, opts as EdDSAOpts)
);
}
/**
* ed25519 curve with EdDSA signatures.
* Seeded `keygen(seed)` / `utils.randomSecretKey(seed)` reuse the provided
* 32-byte seed buffer instead of copying it.
* @example
* Generate one Ed25519 keypair, sign a message, and verify it.
*
* ```js
* import { ed25519 } from '@noble/curves/ed25519.js';
* const { secretKey, publicKey } = ed25519.keygen();
* // const publicKey = ed25519.getPublicKey(secretKey);
* const msg = new TextEncoder().encode('hello noble');
* const sig = ed25519.sign(msg, secretKey);
* const isValid = ed25519.verify(sig, msg, publicKey); // ZIP215
* // RFC8032 / FIPS 186-5
* const isValid2 = ed25519.verify(sig, msg, publicKey, { zip215: false });
* ```
*/
export const ed25519: EdDSA = /* @__PURE__ */ ed({});
/**
* Context version of ed25519 (ctx for domain separation). See {@link ed25519}
* Seeded `keygen(seed)` / `utils.randomSecretKey(seed)` reuse the provided
* 32-byte seed buffer instead of copying it.
* @example
* Sign and verify with Ed25519ctx under one explicit context.
*
* ```ts
* const context = new TextEncoder().encode('docs');
* const { secretKey, publicKey } = ed25519ctx.keygen();
* const msg = new TextEncoder().encode('hello noble');
* const sig = ed25519ctx.sign(msg, secretKey, { context });
* const isValid = ed25519ctx.verify(sig, msg, publicKey, { context });
* ```
*/
export const ed25519ctx: EdDSA = /* @__PURE__ */ ed({ domain: ed25519_domain });
/**
* Prehashed version of ed25519. See {@link ed25519}
* Seeded `keygen(seed)` / `utils.randomSecretKey(seed)` reuse the provided
* 32-byte seed buffer instead of copying it.
* @example
* Use the prehashed Ed25519 variant for one message.
*
* ```ts
* const { secretKey, publicKey } = ed25519ph.keygen();
* const msg = new TextEncoder().encode('hello noble');
* const sig = ed25519ph.sign(msg, secretKey);
* const isValid = ed25519ph.verify(sig, msg, publicKey);
* ```
*/
export const ed25519ph: EdDSA = /* @__PURE__ */ ed({ domain: ed25519_domain, prehash: sha512 });
/**
* FROST threshold signatures over ed25519. RFC 9591.
* @example
* Create one trusted-dealer package for 2-of-3 ed25519 signing.
*
* ```ts
* const alice = ed25519_FROST.Identifier.derive('alice@example.com');
* const bob = ed25519_FROST.Identifier.derive('bob@example.com');
* const carol = ed25519_FROST.Identifier.derive('carol@example.com');
* const deal = ed25519_FROST.trustedDealer({ min: 2, max: 3 }, [alice, bob, carol]);
* ```
*/
export const ed25519_FROST: TRet<FROST> = /* @__PURE__ */ (() =>
createFROST({
name: 'FROST-ED25519-SHA512-v1',
Point: ed25519_Point,
validatePoint: (p) => {
p.assertValidity();
if (!p.isTorsionFree()) throw new Error('bad point: not torsion-free');
},
hash: sha512,
// RFC 9591 keeps H2 undecorated here for RFC 8032 compatibility. In createFROST(),
// `H2: ''` becomes an empty DST prefix; the built-in hashToScalar fallback treats
// that the same as omitted DST, even though custom hooks can still observe the empty bag.
H2: '',
}))();
/**
* ECDH using curve25519 aka x25519.
* `getSharedSecret()` rejects low-order peer inputs by default, and seeded
* `keygen(seed)` reuses the provided 32-byte seed buffer instead of copying it.
* @example
* Derive one shared secret between two X25519 peers.
*
* ```js
* import { x25519 } from '@noble/curves/ed25519.js';
* const alice = x25519.keygen();
* const bob = x25519.keygen();
* const shared = x25519.getSharedSecret(alice.secretKey, bob.publicKey);
* ```
*/
export const x25519: TRet<MontgomeryECDH> = /* @__PURE__ */ (() => {
const P = ed25519_CURVE_p;
return montgomery({
P,
type: 'x25519',
powPminus2: (x: bigint): bigint => {
// x^(p-2) aka x^(2^255-21)
const { pow_p_5_8, b2 } = ed25519_pow_2_252_3(x);
return mod(pow2(pow_p_5_8, _3n, P) * b2, P);
},
adjustScalarBytes,
});
})();
// Hash To Curve Elligator2 Map (NOTE: different from ristretto255 elligator)
// RFC 9380 Appendix G.2.2 / Err4730 requires `sgn0(c1) = 0` for the Edwards
// map constant below, so use the even root explicitly.
// 1. c1 = (q + 3) / 8 # Integer arithmetic
const ELL2_C1 = /* @__PURE__ */ (() => (ed25519_CURVE_p + _3n) / _8n)();
const ELL2_C2 = /* @__PURE__ */ (() => Fp.pow(_2n, ELL2_C1))(); // 2. c2 = 2^c1
const ELL2_C3 = /* @__PURE__ */ (() => Fp.sqrt(Fp.neg(Fp.ONE)))(); // 3. c3 = sqrt(-1)
/**
* RFC 9380 method `map_to_curve_elligator2_curve25519`. Experimental name: may be renamed later.
* @private
*/
// prettier-ignore
export function _map_to_curve_elligator2_curve25519(u: bigint): {
xMn: bigint, xMd: bigint, yMn: bigint, yMd: bigint
} {
const ELL2_C4 = (ed25519_CURVE_p - _5n) / _8n; // 4. c4 = (q - 5) / 8 # Integer arithmetic
const ELL2_J = BigInt(486662);
let tv1 = Fp.sqr(u); // 1. tv1 = u^2
tv1 = Fp.mul(tv1, _2n); // 2. tv1 = 2 * tv1
// 3. xd = tv1 + 1 # Nonzero: -1 is square (mod p), tv1 is not
let xd = Fp.add(tv1, Fp.ONE);
let x1n = Fp.neg(ELL2_J); // 4. x1n = -J # x1 = x1n / xd = -J / (1 + 2 * u^2)
let tv2 = Fp.sqr(xd); // 5. tv2 = xd^2
let gxd = Fp.mul(tv2, xd); // 6. gxd = tv2 * xd # gxd = xd^3
let gx1 = Fp.mul(tv1, ELL2_J);// 7. gx1 = J * tv1 # x1n + J * xd
gx1 = Fp.mul(gx1, x1n); // 8. gx1 = gx1 * x1n # x1n^2 + J * x1n * xd
gx1 = Fp.add(gx1, tv2); // 9. gx1 = gx1 + tv2 # x1n^2 + J * x1n * xd + xd^2
gx1 = Fp.mul(gx1, x1n); // 10. gx1 = gx1 * x1n # x1n^3 + J * x1n^2 * xd + x1n * xd^2
let tv3 = Fp.sqr(gxd); // 11. tv3 = gxd^2
tv2 = Fp.sqr(tv3); // 12. tv2 = tv3^2 # gxd^4
tv3 = Fp.mul(tv3, gxd); // 13. tv3 = tv3 * gxd # gxd^3
tv3 = Fp.mul(tv3, gx1); // 14. tv3 = tv3 * gx1 # gx1 * gxd^3
tv2 = Fp.mul(tv2, tv3); // 15. tv2 = tv2 * tv3 # gx1 * gxd^7
let y11 = Fp.pow(tv2, ELL2_C4); // 16. y11 = tv2^c4 # (gx1 * gxd^7)^((p - 5) / 8)
y11 = Fp.mul(y11, tv3); // 17. y11 = y11 * tv3 # gx1*gxd^3*(gx1*gxd^7)^((p-5)/8)
let y12 = Fp.mul(y11, ELL2_C3); // 18. y12 = y11 * c3
tv2 = Fp.sqr(y11); // 19. tv2 = y11^2
tv2 = Fp.mul(tv2, gxd); // 20. tv2 = tv2 * gxd
let e1 = Fp.eql(tv2, gx1); // 21. e1 = tv2 == gx1
// 22. y1 = CMOV(y12, y11, e1) # If g(x1) is square, this is its sqrt
let y1 = Fp.cmov(y12, y11, e1);
let x2n = Fp.mul(x1n, tv1); // 23. x2n = x1n * tv1 # x2 = x2n / xd = 2 * u^2 * x1n / xd
let y21 = Fp.mul(y11, u); // 24. y21 = y11 * u
y21 = Fp.mul(y21, ELL2_C2); // 25. y21 = y21 * c2
let y22 = Fp.mul(y21, ELL2_C3); // 26. y22 = y21 * c3
let gx2 = Fp.mul(gx1, tv1); // 27. gx2 = gx1 * tv1 # g(x2) = gx2 / gxd = 2 * u^2 * g(x1)
tv2 = Fp.sqr(y21); // 28. tv2 = y21^2
tv2 = Fp.mul(tv2, gxd); // 29. tv2 = tv2 * gxd
let e2 = Fp.eql(tv2, gx2); // 30. e2 = tv2 == gx2
// 31. y2 = CMOV(y22, y21, e2) # If g(x2) is square, this is its sqrt
let y2 = Fp.cmov(y22, y21, e2);
tv2 = Fp.sqr(y1); // 32. tv2 = y1^2
tv2 = Fp.mul(tv2, gxd); // 33. tv2 = tv2 * gxd
let e3 = Fp.eql(tv2, gx1); // 34. e3 = tv2 == gx1
let xn = Fp.cmov(x2n, x1n, e3); // 35. xn = CMOV(x2n, x1n, e3) # If e3, x = x1, else x = x2
let y = Fp.cmov(y2, y1, e3); // 36. y = CMOV(y2, y1, e3) # If e3, y = y1, else y = y2
let e4 = Fp.isOdd!(y); // 37. e4 = sgn0(y) == 1 # Fix sign of y
y = Fp.cmov(y, Fp.neg(y), e3 !== e4); // 38. y = CMOV(y, -y, e3 XOR e4)
return { xMn: xn, xMd: xd, yMn: y, yMd: _1n }; // 39. return (xn, xd, y, 1)
}
// sgn0(c1) MUST equal 0
const ELL2_C1_EDWARDS = /* @__PURE__ */ (() => FpSqrtEven(Fp, Fp.neg(BigInt(486664))))();
function map_to_curve_elligator2_edwards25519(u: bigint) {
// 1. (xMn, xMd, yMn, yMd) = map_to_curve_elligator2_curve25519(u)
const { xMn, xMd, yMn, yMd } = _map_to_curve_elligator2_curve25519(u);
// map_to_curve_elligator2_curve25519(u)
let xn = Fp.mul(xMn, yMd); // 2. xn = xMn * yMd
xn = Fp.mul(xn, ELL2_C1_EDWARDS); // 3. xn = xn * c1
let xd = Fp.mul(xMd, yMn); // 4. xd = xMd * yMn # xn / xd = c1 * xM / yM
let yn = Fp.sub(xMn, xMd); // 5. yn = xMn - xMd
// 6. yd = xMn + xMd # (n / d - 1) / (n / d + 1) = (n - d) / (n + d)
let yd = Fp.add(xMn, xMd);
let tv1 = Fp.mul(xd, yd); // 7. tv1 = xd * yd
let e = Fp.eql(tv1, Fp.ZERO); // 8. e = tv1 == 0
xn = Fp.cmov(xn, Fp.ZERO, e); // 9. xn = CMOV(xn, 0, e)
xd = Fp.cmov(xd, Fp.ONE, e); // 10. xd = CMOV(xd, 1, e)
yn = Fp.cmov(yn, Fp.ONE, e); // 11. yn = CMOV(yn, 1, e)
yd = Fp.cmov(yd, Fp.ONE, e); // 12. yd = CMOV(yd, 1, e)
const [xd_inv, yd_inv] = FpInvertBatch(Fp, [xd, yd], true); // batch division
// Noble normalizes the RFC rational representation to affine `{ x, y }`
// before returning from the internal helper.
return { x: Fp.mul(xn, xd_inv), y: Fp.mul(yn, yd_inv) }; // 13. return (xn, xd, yn, yd)
}
/**
* Hashing to ed25519 points / field. RFC 9380 methods.
* Public `mapToCurve()` returns the cofactor-cleared subgroup point; the
* internal map callback below consumes one field element bigint, not `[bigint]`.
* @example
* Hash one message onto the ed25519 curve.
*
* ```ts
* const point = ed25519_hasher.hashToCurve(new TextEncoder().encode('hello noble'));
* ```
*/
export const ed25519_hasher: H2CHasher<EdwardsPointCons> = /* @__PURE__ */ (() =>
createHasher(
ed25519_Point,
(scalars: bigint[]) => map_to_curve_elligator2_edwards25519(scalars[0]),
{
DST: 'edwards25519_XMD:SHA-512_ELL2_RO_',
encodeDST: 'edwards25519_XMD:SHA-512_ELL2_NU_',
p: ed25519_CURVE_p,
m: 1,
k: 128,
expand: 'xmd',
hash: sha512,
}
))();
// √(-1) aka √(a) aka 2^((p-1)/4)
const SQRT_M1 = ED25519_SQRT_M1;
// √(ad - 1)
const SQRT_AD_MINUS_ONE = /* @__PURE__ */ BigInt(
'25063068953384623474111414158702152701244531502492656460079210482610430750235'
);
// 1 / √(a-d)
const INVSQRT_A_MINUS_D = /* @__PURE__ */ BigInt(
'54469307008909316920995813868745141605393597292927456921205312896311721017578'
);
// 1-d²
const ONE_MINUS_D_SQ = /* @__PURE__ */ BigInt(
'1159843021668779879193775521855586647937357759715417654439879720876111806838'
);
// (d-1)²
const D_MINUS_ONE_SQ = /* @__PURE__ */ BigInt(
'40440834346308536858101042469323190826248399146238708352240133220865137265952'
);
// `SQRT_RATIO_M1(1, number)` specialization. Returns `{ isValid, value }`,
// where non-squares get the nonnegative `sqrt(SQRT_M1 / number)` branch.
const invertSqrt = (number: bigint) => uvRatio(_1n, number);
const MAX_255B = /* @__PURE__ */ BigInt(
'0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
);
// RFC 9496 §4.3.4 MAP parser: masks bit 255 and reduces modulo p for element
// derivation. The decode path has the opposite contract and rejects that bit.
const bytes255ToNumberLE = (bytes: TArg<Uint8Array>) =>
Fp.create(bytesToNumberLE(bytes) & MAX_255B);
/**
* Computes Elligator map for Ristretto255.
* Primary formula source is RFC 9496 §4.3.4 MAP; RFC 9380 Appendix B builds
* `hash_to_ristretto255` on top of this helper.
* Returns an internal Edwards representative, not a public `_RistrettoPoint`.
*/
function calcElligatorRistrettoMap(r0: bigint): EdwardsPoint {
const { d } = ed25519_CURVE;
const P = ed25519_CURVE_p;
const mod = (n: bigint) => Fp.create(n);
const r = mod(SQRT_M1 * r0 * r0); // 1
const Ns = mod((r + _1n) * ONE_MINUS_D_SQ); // 2
let c = BigInt(-1); // 3
const D = mod((c - d * r) * mod(r + d)); // 4
let { isValid: Ns_D_is_sq, value: s } = uvRatio(Ns, D); // 5
let s_ = mod(s * r0); // 6
if (!isNegativeLE(s_, P)) s_ = mod(-s_);
if (!Ns_D_is_sq) s = s_; // 7
if (!Ns_D_is_sq) c = r; // 8
const Nt = mod(c * (r - _1n) * D_MINUS_ONE_SQ - D); // 9
const s2 = s * s;
const W0 = mod((s + s) * D); // 10
const W1 = mod(Nt * SQRT_AD_MINUS_ONE); // 11
const W2 = mod(_1n - s2); // 12
const W3 = mod(_1n + s2); // 13
return new ed25519_Point(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
}
/**
* Wrapper over Edwards Point for ristretto255.
*
* Each ed25519/EdwardsPoint has 8 different equivalent points. This can be
* a source of bugs for protocols like ring signatures. Ristretto was created to solve this.
* Ristretto point operates in X:Y:Z:T extended coordinates like EdwardsPoint,
* but it should work in its own namespace: do not combine those two.
* See [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
*/
class _RistrettoPoint extends PrimeEdwardsPoint<_RistrettoPoint> {
// Do NOT change syntax: the following gymnastics is done,
// because typescript strips comments, which makes bundlers disable tree-shaking.
// prettier-ignore
static BASE: _RistrettoPoint =
/* @__PURE__ */ (() => new _RistrettoPoint(ed25519_Point.BASE))();
// prettier-ignore
static ZERO: _RistrettoPoint =
/* @__PURE__ */ (() => new _RistrettoPoint(ed25519_Point.ZERO))();
// prettier-ignore
static Fp: IField<bigint> =
/* @__PURE__ */ (() => Fp)();
// prettier-ignore
static Fn: IField<bigint> =
/* @__PURE__ */ (() => Fn)();
constructor(ep: EdwardsPoint) {
super(ep);
}
/**
* Create one Ristretto255 point from affine Edwards coordinates.
* This wraps the internal Edwards representative directly and is not a
* canonical ristretto255 decoding path.
* Use `toBytes()` / `fromBytes()` if canonical ristretto255 bytes matter.
*/
static fromAffine(ap: AffinePoint<bigint>): _RistrettoPoint {
return new _RistrettoPoint(ed25519_Point.fromAffine(ap));
}
protected assertSame(other: _RistrettoPoint): void {
if (!(other instanceof _RistrettoPoint)) throw new Error('RistrettoPoint expected');
}
protected init(ep: EdwardsPoint): _RistrettoPoint {
return new _RistrettoPoint(ep);
}
static fromBytes(bytes: TArg<Uint8Array>): _RistrettoPoint {
abytes(bytes, 32);
const { a, d } = ed25519_CURVE;
const P = ed25519_CURVE_p;
const mod = (n: bigint) => Fp.create(n);
const s = bytes255ToNumberLE(bytes);
// 1. Check that s_bytes is the canonical encoding of a field element, or else abort.
// 3. Check that s is non-negative, or else abort
if (!equalBytes(Fp.toBytes(s), bytes) || isNegativeLE(s, P))
throw new Error('invalid ristretto255 encoding 1');
const s2 = mod(s * s);
const u1 = mod(_1n + a * s2); // 4 (a is -1)
const u2 = mod(_1n - a * s2); // 5
const u1_2 = mod(u1 * u1);
const u2_2 = mod(u2 * u2);
const v = mod(a * d * u1_2 - u2_2); // 6
const { isValid, value: I } = invertSqrt(mod(v * u2_2)); // 7
const Dx = mod(I * u2); // 8
const Dy = mod(I * Dx * v); // 9
let x = mod((s + s) * Dx); // 10
if (isNegativeLE(x, P)) x = mod(-x); // 10
const y = mod(u1 * Dy); // 11
const t = mod(x * y); // 12
if (!isValid || isNegativeLE(t, P) || y === _0n)
throw new Error('invalid ristretto255 encoding 2');
return new _RistrettoPoint(new ed25519_Point(x, y, _1n, t));
}
/**
* Converts ristretto-encoded string to ristretto point.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode).
* @param hex - Ristretto-encoded 32 bytes. Not every 32-byte string is valid ristretto encoding
*/
static fromHex(hex: string): _RistrettoPoint {
return _RistrettoPoint.fromBytes(hexToBytes(hex));
}
/**
* Encodes ristretto point to Uint8Array.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-encode).
*/
toBytes(): TRet<Uint8Array> {
let { X, Y, Z, T } = this.ep;
const P = ed25519_CURVE_p;
const mod = (n: bigint) => Fp.create(n);
const u1 = mod(mod(Z + Y) * mod(Z - Y)); // 1
const u2 = mod(X * Y); // 2
// Square root always exists
const u2sq = mod(u2 * u2);
const { value: invsqrt } = invertSqrt(mod(u1 * u2sq)); // 3
const D1 = mod(invsqrt * u1); // 4
const D2 = mod(invsqrt * u2); // 5
const zInv = mod(D1 * D2 * T); // 6
let D: bigint; // 7
if (isNegativeLE(T * zInv, P)) {
let _x = mod(Y * SQRT_M1);
let _y = mod(X * SQRT_M1);
X = _x;
Y = _y;
D = mod(D1 * INVSQRT_A_MINUS_D);
} else {
D = D2; // 8
}
if (isNegativeLE(X * zInv, P)) Y = mod(-Y); // 9
let s = mod((Z - Y) * D); // 10 (check footer's note, no sqrt(-a))
if (isNegativeLE(s, P)) s = mod(-s);
return Fp.toBytes(s) as TRet<Uint8Array>; // 11
}
/**
* Compares two Ristretto points.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-equals).
*/
equals(other: _RistrettoPoint): boolean {
this.assertSame(other);
const { X: X1, Y: Y1 } = this.ep;
const { X: X2, Y: Y2 } = other.ep;
const mod = (n: bigint) => Fp.create(n);
// (x1 * y2 == y1 * x2) | (y1 * y2 == x1 * x2)
const one = mod(X1 * Y2) === mod(Y1 * X2);
const two = mod(Y1 * Y2) === mod(X1 * X2);
return one || two;
}
is0(): boolean {
return this.equals(_RistrettoPoint.ZERO);
}
}
Object.freeze(_RistrettoPoint.BASE);
Object.freeze(_RistrettoPoint.ZERO);
Object.freeze(_RistrettoPoint.prototype);
Object.freeze(_RistrettoPoint);
/** Prime-order Ristretto255 group bundle. */
export const ristretto255: {
Point: typeof _RistrettoPoint;
} = /* @__PURE__ */ Object.freeze({ Point: _RistrettoPoint });
/**
* Hashing to ristretto255 points / field. RFC 9380 methods.
* `hashToCurve()` is RFC 9380 Appendix B, `deriveToCurve()` is the RFC 9496
* §4.3.4 element-derivation building block, and `hashToScalar()` is a
* library-specific helper for OPRF-style use.
* @example
* Hash one message onto ristretto255.
*
* ```ts
* const point = ristretto255_hasher.hashToCurve(new TextEncoder().encode('hello noble'));
* ```
*/
export const ristretto255_hasher: H2CHasherBase<typeof _RistrettoPoint> = Object.freeze({
Point: _RistrettoPoint,
/**
* Spec: https://www.rfc-editor.org/rfc/rfc9380.html#name-hashing-to-ristretto255. Caveats:
* * There are no test vectors
* * encodeToCurve / mapToCurve is undefined
* * mapToCurve would be `calcElligatorRistrettoMap(scalars[0])`, not ristretto255_map!
* * hashToScalar is undefined too, so we just use OPRF implementation
* * We cannot re-use 'createHasher', because ristretto255_map is different algorithm/RFC
(os2ip -> bytes255ToNumberLE)
* * mapToCurve == calcElligatorRistrettoMap, hashToCurve == ristretto255_map
* * hashToScalar is undefined in RFC9380 for ristretto, so we use the OPRF
version here. Using `bytes255ToNumblerLE` will create a different result
if we use `bytes255ToNumberLE` as os2ip
* * current version is closest to spec.
*/
hashToCurve(msg: TArg<Uint8Array>, options?: TArg<H2CDSTOpts>): _RistrettoPoint {
// == 'hash_to_ristretto255'
// Preserve explicit empty/invalid DST overrides so expand_message_xmd() can reject them.
const DST = options?.DST === undefined ? 'ristretto255_XMD:SHA-512_R255MAP_RO_' : options.DST;
const xmd = expand_message_xmd(msg, DST, 64, sha512);
// NOTE: RFC 9380 incorrectly calls this function `ristretto255_map`.
// In RFC 9496, `map` was the per-point function inside the construction.
// That also led to confusion that `ristretto255_map` is `mapToCurve`.
// It is not: it is the older hash-to-curve construction.
return ristretto255_hasher.deriveToCurve!(xmd);
},
hashToScalar(msg: TArg<Uint8Array>, options: TArg<H2CDSTOpts> = { DST: _DST_scalar }) {
const xmd = expand_message_xmd(msg, options.DST, 64, sha512);
return Fn.create(bytesToNumberLE(xmd));
},
/**
* HashToCurve-like construction based on RFC 9496 (Element Derivation).
* Converts 64 uniform random bytes into a curve point.
*
* WARNING: This represents an older hash-to-curve construction from before
* RFC 9380 was finalized.
* It was later reused as a component in the newer
* `hash_to_ristretto255` function defined in RFC 9380.
*/
deriveToCurve(bytes: TArg<Uint8Array>): _RistrettoPoint {
// https://www.rfc-editor.org/rfc/rfc9496.html#name-element-derivation
abytes(bytes, 64);
const r1 = bytes255ToNumberLE(bytes.subarray(0, 32));
const R1 = calcElligatorRistrettoMap(r1);
const r2 = bytes255ToNumberLE(bytes.subarray(32, 64));
const R2 = calcElligatorRistrettoMap(r2);
return new _RistrettoPoint(R1.add(R2));
},
});
/**
* ristretto255 OPRF/VOPRF/POPRF bundle, defined in RFC 9497.
* @example
* Run one blind/evaluate/finalize OPRF round over ristretto255.
*
* ```ts
* const input = new TextEncoder().encode('hello noble');
* const keys = ristretto255_oprf.oprf.generateKeyPair();
* const blind = ristretto255_oprf.oprf.blind(input);
* const evaluated = ristretto255_oprf.oprf.blindEvaluate(keys.secretKey, blind.blinded);
* const output = ristretto255_oprf.oprf.finalize(input, blind.blind, evaluated);
* ```
*/
export const ristretto255_oprf: TRet<OPRF> = /* @__PURE__ */ (() =>
createOPRF({
name: 'ristretto255-SHA512',
Point: _RistrettoPoint,
hash: sha512,
hashToGroup: ristretto255_hasher.hashToCurve,
hashToScalar: ristretto255_hasher.hashToScalar,
}))();
/**
* FROST threshold signatures over ristretto255. RFC 9591.
* @example
* Create one trusted-dealer package for 2-of-3 ristretto255 signing.
*
* ```ts
* const alice = ristretto255_FROST.Identifier.derive('alice@example.com');
* const bob = ristretto255_FROST.Identifier.derive('bob@example.com');
* const carol = ristretto255_FROST.Identifier.derive('carol@example.com');
* const deal = ristretto255_FROST.trustedDealer({ min: 2, max: 3 }, [alice, bob, carol]);
* ```
*/
export const ristretto255_FROST: TRet<FROST> = /* @__PURE__ */ (() =>
createFROST({
name: 'FROST-RISTRETTO255-SHA512-v1',
Point: _RistrettoPoint,
validatePoint: (p) => {
// Prime-order wrappers are torsion-free at the abstract-group level.
p.assertValidity();
},
hash: sha512,
}))();
/**
* Weird / bogus points, useful for debugging.
* All 8 ed25519 points of 8-torsion subgroup can be generated from the point
* T = `26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05`.
* The subgroup generated by `T` is `{ O, T, 2T, 3T, 4T, 5T, 6T, 7T }`; the
* array below is that set, not the powers in that exact index order.
* @example
* Decode one known torsion point for debugging.
*
* ```ts
* import { ED25519_TORSION_SUBGROUP, ed25519 } from '@noble/curves/ed25519.js';
* const point = ed25519.Point.fromHex(ED25519_TORSION_SUBGROUP[1]);
* ```
*/
export const ED25519_TORSION_SUBGROUP: readonly string[] = /* @__PURE__ */ Object.freeze([
'0100000000000000000000000000000000000000000000000000000000000000',
'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a',
'0000000000000000000000000000000000000000000000000000000000000080',
'26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05',
'ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
'26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc85',
'0000000000000000000000000000000000000000000000000000000000000000',
'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa',
]);
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/src/ed448.ts
Generated Vendored
+695
View File
@@ -0,0 +1,695 @@
/**
* Edwards448 (also called Goldilocks) curve with following addons:
* - X448 ECDH
* - Decaf cofactor elimination
* - Elligator hash-to-group / point indistinguishability
* Conforms to RFC 8032 https://www.rfc-editor.org/rfc/rfc8032.html#section-5.2
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { shake256 } from '@noble/hashes/sha3.js';
import { concatBytes, hexToBytes, createHasher as wrapConstructor } from '@noble/hashes/utils.js';
import type { AffinePoint } from './abstract/curve.ts';
import {
eddsa,
edwards,
PrimeEdwardsPoint,
type EdDSA,
type EdDSAOpts,
type EdwardsOpts,
type EdwardsPoint,
type EdwardsPointCons,
} from './abstract/edwards.ts';
import { createFROST, type FROST } from './abstract/frost.ts';
import {
_DST_scalar,
createHasher,
expand_message_xof,
type H2CDSTOpts,
type H2CHasher,
type H2CHasherBase,
} from './abstract/hash-to-curve.ts';
import { Field, FpInvertBatch, isNegativeLE, mod, pow2, type IField } from './abstract/modular.ts';
import { montgomery, type MontgomeryECDH } from './abstract/montgomery.ts';
import { createOPRF, type OPRF } from './abstract/oprf.ts';
import {
abytes,
asciiToBytes,
bytesToNumberLE,
equalBytes,
type TArg,
type TRet,
} from './utils.ts';
// edwards448 curve
// a = 1n
// d = Fp.neg(39081n)
// Finite field 2n**448n - 2n**224n - 1n
// Subgroup order
// 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
const ed448_CURVE_p = /* @__PURE__ */ BigInt(
'0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
);
const ed448_CURVE: EdwardsOpts = /* @__PURE__ */ (() => ({
p: ed448_CURVE_p,
n: BigInt(
'0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3'
),
h: BigInt(4),
a: BigInt(1),
d: BigInt(
'0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffff6756'
),
Gx: BigInt(
'0x4f1970c66bed0ded221d15a622bf36da9e146570470f1767ea6de324a3d3a46412ae1af72ab66511433b80e18b00938e2626a82bc70cc05e'
),
Gy: BigInt(
'0x693f46716eb6bc248876203756c9c7624bea73736ca3984087789c1e05a0c2d73ad3ff1ce67c39c4fdbd132c4ed7c8ad9808795bf230fa14'
),
}))();
// This is not RFC 8032 edwards448 / Goldilocks (`ed448` below, d = -39081).
// It is NIST SP 800-186 §3.2.3.3 E448, the Curve448-isomorphic Edwards model
// also described in draft-ietf-lwig-curve-representations-23 Appendix M, with
// d = 39082/39081 and Gy = 3/2.
// RFC 7748's literal Edwards point / birational map are wrong here: the literal
// point is the wrong-sign (Gx, -Gy) order-2*n variant. Keep the corrected
// prime-order (Gx, Gy) base so Point.BASE stays a subgroup generator, which is
// what noble's generic Edwards API expects.
const E448_CURVE: EdwardsOpts = /* @__PURE__ */ (() =>
Object.assign({}, ed448_CURVE, {
d: BigInt(
'0xd78b4bdc7f0daf19f24f38c29373a2ccad46157242a50f37809b1da3412a12e79ccc9c81264cfe9ad080997058fb61c4243cc32dbaa156b9'
),
Gx: BigInt(
'0x79a70b2b70400553ae7c9df416c792c61128751ac92969240c25a07d728bdc93e21f7787ed6972249de732f38496cd11698713093e9c04fc'
),
Gy: BigInt(
'0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffff80000000000000000000000000000000000000000000000000000001'
),
}))();
const shake256_114 = /* @__PURE__ */ wrapConstructor(() => shake256.create({ dkLen: 114 }));
const shake256_64 = /* @__PURE__ */ wrapConstructor(() => shake256.create({ dkLen: 64 }));
// prettier-ignore
const _1n = /* @__PURE__ */ BigInt(1), _2n = /* @__PURE__ */ BigInt(2), _3n = /* @__PURE__ */ BigInt(3), _4n = /* @__PURE__ */ BigInt(4), _11n = /* @__PURE__ */ BigInt(11);
// prettier-ignore
const _22n = /* @__PURE__ */ BigInt(22), _44n = /* @__PURE__ */ BigInt(44), _88n = /* @__PURE__ */ BigInt(88), _223n = /* @__PURE__ */ BigInt(223);
// powPminus3div4 calculates z = x^k mod p, where k = (p-3)/4.
// Used for efficient square root calculation.
// ((P-3)/4).toString(2) would produce bits [223x 1, 0, 222x 1]
function ed448_pow_Pminus3div4(x: bigint): bigint {
const P = ed448_CURVE_p;
const b2 = (x * x * x) % P;
const b3 = (b2 * b2 * x) % P;
const b6 = (pow2(b3, _3n, P) * b3) % P;
const b9 = (pow2(b6, _3n, P) * b3) % P;
const b11 = (pow2(b9, _2n, P) * b2) % P;
const b22 = (pow2(b11, _11n, P) * b11) % P;
const b44 = (pow2(b22, _22n, P) * b22) % P;
const b88 = (pow2(b44, _44n, P) * b44) % P;
const b176 = (pow2(b88, _88n, P) * b88) % P;
const b220 = (pow2(b176, _44n, P) * b44) % P;
const b222 = (pow2(b220, _2n, P) * b2) % P;
const b223 = (pow2(b222, _1n, P) * x) % P;
return (pow2(b223, _223n, P) * b222) % P;
}
// Mutates and returns the provided buffer in place. The final `bytes[56] = 0`
// write is the Ed448 path; for 56-byte X448 inputs it is an out-of-bounds no-op.
function adjustScalarBytes(bytes: TArg<Uint8Array>): TRet<Uint8Array> {
// Section 5: Likewise, for X448, set the two least significant bits of the first byte to 0,
bytes[0] &= 252; // 0b11111100
// and the most significant bit of the last byte to 1.
bytes[55] |= 128; // 0b10000000
// NOTE: is NOOP for 56 bytes scalars (X25519/X448)
bytes[56] = 0; // Byte outside of group (456 buts vs 448 bits)
return bytes as TRet<Uint8Array>;
}
// Constant-time Ed448 decode helper for RFC 8032 §5.2.3 steps 2-3. Unlike
// `SQRT_RATIO_M1`, the returned `value` only has the documented meaning when
// `isValid` is true.
function uvRatio(u: bigint, v: bigint): { isValid: boolean; value: bigint } {
const P = ed448_CURVE_p;
// https://www.rfc-editor.org/rfc/rfc8032#section-5.2.3
// To compute the square root of (u/v), the first step is to compute the
// candidate root x = (u/v)^((p+1)/4). This can be done using the
// following trick, to use a single modular powering for both the
// inversion of v and the square root:
// x = (u/v)^((p+1)/4) = u³v(u⁵v³)^((p-3)/4) (mod p)
const u2v = mod(u * u * v, P); // u²v
const u3v = mod(u2v * u, P); // u³v
const u5v3 = mod(u3v * u2v * v, P); // u⁵v³
const root = ed448_pow_Pminus3div4(u5v3);
const x = mod(u3v * root, P);
// Verify that root is exists
const x2 = mod(x * x, P); // x²
// If vx² = u, the recovered x-coordinate is x. Otherwise, no
// square root exists, and the decoding fails.
return { isValid: mod(x2 * v, P) === u, value: x };
}
// Finite field 2n**448n - 2n**224n - 1n
// RFC 8032 encodes Ed448 field/scalar elements in 57 bytes even though field
// values fit in 448 bits and scalars in 446 bits. Noble models that with a
// 456-bit storage width so the final-octet x-sign bit (bit 455) still fits in
// the shared little-endian container.
const Fp = /* @__PURE__ */ (() => Field(ed448_CURVE_p, { BITS: 456, isLE: true }))();
// Same 57-byte container shape as `Fp`; canonical scalar encodings still have
// the top ten bits clear per RFC 8032.
const Fn = /* @__PURE__ */ (() => Field(ed448_CURVE.n, { BITS: 456, isLE: true }))();
// Generic 56-byte field shape used by decaf448 and raw X448 u-coordinates.
// Plain `Field` decoding stays canonical here, so callers that want RFC 7748's
// modulo-p acceptance must reduce externally.
const Fp448 = /* @__PURE__ */ (() => Field(ed448_CURVE_p, { BITS: 448, isLE: true }))();
// Strict 56-byte scalar parser matching RFC 9496's recommended canonical form.
const Fn448 = /* @__PURE__ */ (() => Field(ed448_CURVE.n, { BITS: 448, isLE: true }))();
// SHAKE256(dom4(phflag,context)||x, 114)
// RFC 8032 `dom4` prefix. Empty contexts are valid; the accepted length range
// is 0..255 octets inclusive.
function dom4(data: TArg<Uint8Array>, ctx: TArg<Uint8Array>, phflag: boolean): TRet<Uint8Array> {
if (ctx.length > 255) throw new Error('context must be smaller than 255, got: ' + ctx.length);
return concatBytes(
asciiToBytes('SigEd448'),
new Uint8Array([phflag ? 1 : 0, ctx.length]),
ctx,
data
) as TRet<Uint8Array>;
}
const ed448_Point = /* @__PURE__ */ edwards(ed448_CURVE, { Fp, Fn, uvRatio });
// Shared internal factory for both `ed448` and `ed448ph`; callers are only
// expected to override narrow family options such as prehashing.
function ed4(opts: TArg<EdDSAOpts>) {
return eddsa(
ed448_Point,
shake256_114,
Object.assign({ adjustScalarBytes, domain: dom4 }, opts as EdDSAOpts)
);
}
/**
* ed448 EdDSA curve and methods.
* @example
* Generate one Ed448 keypair, sign a message, and verify it.
*
* ```js
* import { ed448 } from '@noble/curves/ed448.js';
* const { secretKey, publicKey } = ed448.keygen();
* // const publicKey = ed448.getPublicKey(secretKey);
* const msg = new TextEncoder().encode('hello noble');
* const sig = ed448.sign(msg, secretKey);
* const isValid = ed448.verify(sig, msg, publicKey);
* ```
*/
export const ed448: EdDSA = /* @__PURE__ */ ed4({});
// There is no ed448ctx, since ed448 supports ctx by default
/**
* Prehashed version of ed448. See {@link ed448}
* @example
* Use the prehashed Ed448 variant for one message.
*
* ```ts
* const { secretKey, publicKey } = ed448ph.keygen();
* const msg = new TextEncoder().encode('hello noble');
* const sig = ed448ph.sign(msg, secretKey);
* const isValid = ed448ph.verify(sig, msg, publicKey);
* ```
*/
export const ed448ph: EdDSA = /* @__PURE__ */ ed4({ prehash: shake256_64 });
/**
* E448 here is NIST SP 800-186 §3.2.3.3 E448, the Edwards representation of
* Curve448, not RFC 8032 edwards448 / Goldilocks.
* Goldilocks is the separate 4-isogenous curve exposed as `ed448`.
* We keep the corrected prime-order base here; RFC 7748's literal Edwards
* point / map are wrong for this curve model, and the literal point is the
* wrong-sign order-2*n variant.
* @param X - Projective X coordinate.
* @param Y - Projective Y coordinate.
* @param Z - Projective Z coordinate.
* @param T - Projective T coordinate.
* @example
* Multiply the E448 base point.
*
* ```ts
* const point = E448.BASE.multiply(2n);
* ```
*/
export const E448: EdwardsPointCons = /* @__PURE__ */ edwards(E448_CURVE);
/**
* ECDH using curve448 aka x448.
* The wrapper aborts on all-zero shared secrets by default, and seeded
* `keygen(seed)` reuses the provided 56-byte seed buffer instead of copying it.
*
* @example
* Derive one shared secret between two X448 peers.
*
* ```js
* import { x448 } from '@noble/curves/ed448.js';
* const alice = x448.keygen();
* const bob = x448.keygen();
* const shared = x448.getSharedSecret(alice.secretKey, bob.publicKey);
* ```
*/
export const x448: TRet<MontgomeryECDH> = /* @__PURE__ */ (() => {
const P = ed448_CURVE_p;
return montgomery({
P,
type: 'x448',
powPminus2: (x: bigint): bigint => {
const Pminus3div4 = ed448_pow_Pminus3div4(x);
const Pminus3 = pow2(Pminus3div4, _2n, P);
return mod(Pminus3 * x, P); // Pminus3 * x = Pminus2
},
adjustScalarBytes,
});
})();
// Hash To Curve Elligator2 Map
// 1. c1 = (q - 3) / 4 # Integer arithmetic
const ELL2_C1 = /* @__PURE__ */ (() => (ed448_CURVE_p - BigInt(3)) / BigInt(4))();
const ELL2_J = /* @__PURE__ */ BigInt(156326);
// Returns RFC 9380 Appendix G.2.3 rational Montgomery numerators/denominators
// `{ xn, xd, yn, yd }`, not an affine point.
function map_to_curve_elligator2_curve448(u: bigint) {
let tv1 = Fp.sqr(u); // 1. tv1 = u^2
let e1 = Fp.eql(tv1, Fp.ONE); // 2. e1 = tv1 == 1
tv1 = Fp.cmov(tv1, Fp.ZERO, e1); // 3. tv1 = CMOV(tv1, 0, e1) # If Z * u^2 == -1, set tv1 = 0
let xd = Fp.sub(Fp.ONE, tv1); // 4. xd = 1 - tv1
let x1n = Fp.neg(ELL2_J); // 5. x1n = -J
let tv2 = Fp.sqr(xd); // 6. tv2 = xd^2
let gxd = Fp.mul(tv2, xd); // 7. gxd = tv2 * xd # gxd = xd^3
let gx1 = Fp.mul(tv1, Fp.neg(ELL2_J)); // 8. gx1 = -J * tv1 # x1n + J * xd
gx1 = Fp.mul(gx1, x1n); // 9. gx1 = gx1 * x1n # x1n^2 + J * x1n * xd
gx1 = Fp.add(gx1, tv2); // 10. gx1 = gx1 + tv2 # x1n^2 + J * x1n * xd + xd^2
gx1 = Fp.mul(gx1, x1n); // 11. gx1 = gx1 * x1n # x1n^3 + J * x1n^2 * xd + x1n * xd^2
let tv3 = Fp.sqr(gxd); // 12. tv3 = gxd^2
tv2 = Fp.mul(gx1, gxd); // 13. tv2 = gx1 * gxd # gx1 * gxd
tv3 = Fp.mul(tv3, tv2); // 14. tv3 = tv3 * tv2 # gx1 * gxd^3
let y1 = Fp.pow(tv3, ELL2_C1); // 15. y1 = tv3^c1 # (gx1 * gxd^3)^((p - 3) / 4)
y1 = Fp.mul(y1, tv2); // 16. y1 = y1 * tv2 # gx1 * gxd * (gx1 * gxd^3)^((p - 3) / 4)
// 17. x2n = -tv1 * x1n # x2 = x2n / xd = -1 * u^2 * x1n / xd
let x2n = Fp.mul(x1n, Fp.neg(tv1));
let y2 = Fp.mul(y1, u); // 18. y2 = y1 * u
y2 = Fp.cmov(y2, Fp.ZERO, e1); // 19. y2 = CMOV(y2, 0, e1)
tv2 = Fp.sqr(y1); // 20. tv2 = y1^2
tv2 = Fp.mul(tv2, gxd); // 21. tv2 = tv2 * gxd
let e2 = Fp.eql(tv2, gx1); // 22. e2 = tv2 == gx1
let xn = Fp.cmov(x2n, x1n, e2); // 23. xn = CMOV(x2n, x1n, e2) # If e2, x = x1, else x = x2
let y = Fp.cmov(y2, y1, e2); // 24. y = CMOV(y2, y1, e2) # If e2, y = y1, else y = y2
let e3 = Fp.isOdd(y); // 25. e3 = sgn0(y) == 1 # Fix sign of y
y = Fp.cmov(y, Fp.neg(y), e2 !== e3); // 26. y = CMOV(y, -y, e2 XOR e3)
return { xn, xd, yn: y, yd: Fp.ONE }; // 27. return (xn, xd, y, 1)
}
// Returns affine `{ x, y }` after inverting the Appendix G.2.4 denominators.
function map_to_curve_elligator2_edwards448(u: bigint) {
// 1. (xn, xd, yn, yd) = map_to_curve_elligator2_curve448(u)
let { xn, xd, yn, yd } = map_to_curve_elligator2_curve448(u);
let xn2 = Fp.sqr(xn); // 2. xn2 = xn^2
let xd2 = Fp.sqr(xd); // 3. xd2 = xd^2
let xd4 = Fp.sqr(xd2); // 4. xd4 = xd2^2
let yn2 = Fp.sqr(yn); // 5. yn2 = yn^2
let yd2 = Fp.sqr(yd); // 6. yd2 = yd^2
let xEn = Fp.sub(xn2, xd2); // 7. xEn = xn2 - xd2
let tv2 = Fp.sub(xEn, xd2); // 8. tv2 = xEn - xd2
xEn = Fp.mul(xEn, xd2); // 9. xEn = xEn * xd2
xEn = Fp.mul(xEn, yd); // 10. xEn = xEn * yd
xEn = Fp.mul(xEn, yn); // 11. xEn = xEn * yn
xEn = Fp.mul(xEn, _4n); // 12. xEn = xEn * 4
tv2 = Fp.mul(tv2, xn2); // 13. tv2 = tv2 * xn2
tv2 = Fp.mul(tv2, yd2); // 14. tv2 = tv2 * yd2
let tv3 = Fp.mul(yn2, _4n); // 15. tv3 = 4 * yn2
let tv1 = Fp.add(tv3, yd2); // 16. tv1 = tv3 + yd2
tv1 = Fp.mul(tv1, xd4); // 17. tv1 = tv1 * xd4
let xEd = Fp.add(tv1, tv2); // 18. xEd = tv1 + tv2
tv2 = Fp.mul(tv2, xn); // 19. tv2 = tv2 * xn
let tv4 = Fp.mul(xn, xd4); // 20. tv4 = xn * xd4
let yEn = Fp.sub(tv3, yd2); // 21. yEn = tv3 - yd2
yEn = Fp.mul(yEn, tv4); // 22. yEn = yEn * tv4
yEn = Fp.sub(yEn, tv2); // 23. yEn = yEn - tv2
tv1 = Fp.add(xn2, xd2); // 24. tv1 = xn2 + xd2
tv1 = Fp.mul(tv1, xd2); // 25. tv1 = tv1 * xd2
tv1 = Fp.mul(tv1, xd); // 26. tv1 = tv1 * xd
tv1 = Fp.mul(tv1, yn2); // 27. tv1 = tv1 * yn2
tv1 = Fp.mul(tv1, BigInt(-2)); // 28. tv1 = -2 * tv1
let yEd = Fp.add(tv2, tv1); // 29. yEd = tv2 + tv1
tv4 = Fp.mul(tv4, yd2); // 30. tv4 = tv4 * yd2
yEd = Fp.add(yEd, tv4); // 31. yEd = yEd + tv4
tv1 = Fp.mul(xEd, yEd); // 32. tv1 = xEd * yEd
let e = Fp.eql(tv1, Fp.ZERO); // 33. e = tv1 == 0
xEn = Fp.cmov(xEn, Fp.ZERO, e); // 34. xEn = CMOV(xEn, 0, e)
xEd = Fp.cmov(xEd, Fp.ONE, e); // 35. xEd = CMOV(xEd, 1, e)
yEn = Fp.cmov(yEn, Fp.ONE, e); // 36. yEn = CMOV(yEn, 1, e)
yEd = Fp.cmov(yEd, Fp.ONE, e); // 37. yEd = CMOV(yEd, 1, e)
const inv = FpInvertBatch(Fp, [xEd, yEd], true); // batch division
return { x: Fp.mul(xEn, inv[0]), y: Fp.mul(yEn, inv[1]) }; // 38. return (xEn, xEd, yEn, yEd)
}
/**
* Hashing / encoding to ed448 points / field. RFC 9380 methods.
* Public `mapToCurve()` consumes one field element bigint for `m = 1`, and RFC
* Appendix J vectors use the special `QUUX-V01-*` test DST overrides rather
* than the default suite IDs below.
* @example
* Hash one message onto the ed448 curve.
*
* ```ts
* const point = ed448_hasher.hashToCurve(new TextEncoder().encode('hello noble'));
* ```
*/
export const ed448_hasher: H2CHasher<EdwardsPointCons> = /* @__PURE__ */ (() =>
createHasher(ed448_Point, (scalars: bigint[]) => map_to_curve_elligator2_edwards448(scalars[0]), {
DST: 'edwards448_XOF:SHAKE256_ELL2_RO_',
encodeDST: 'edwards448_XOF:SHAKE256_ELL2_NU_',
p: ed448_CURVE_p,
m: 1,
k: 224,
expand: 'xof',
hash: shake256,
}))();
/**
* FROST threshold signatures over ed448. RFC 9591.
* @example
* Create one trusted-dealer package for 2-of-3 ed448 signing.
*
* ```ts
* const alice = ed448_FROST.Identifier.derive('alice@example.com');
* const bob = ed448_FROST.Identifier.derive('bob@example.com');
* const carol = ed448_FROST.Identifier.derive('carol@example.com');
* const deal = ed448_FROST.trustedDealer({ min: 2, max: 3 }, [alice, bob, carol]);
* ```
*/
export const ed448_FROST: TRet<FROST> = /* @__PURE__ */ (() =>
createFROST({
name: 'FROST-ED448-SHAKE256-v1',
Point: ed448_Point,
validatePoint: (p) => {
p.assertValidity();
if (!p.isTorsionFree()) throw new Error('bad point: not torsion-free');
},
// Group: edwards448 [RFC8032], where Ne = 57 and Ns = 57.
// Fn is 57 bytes, Fp is 57 bytes too
Fn,
hash: shake256_114,
H2: 'SigEd448\0\0',
}))();
// 1-d
const ONE_MINUS_D = /* @__PURE__ */ BigInt('39082');
// 1-2d
const ONE_MINUS_TWO_D = /* @__PURE__ */ BigInt('78163');
// √(-d)
const SQRT_MINUS_D = /* @__PURE__ */ BigInt(
'98944233647732219769177004876929019128417576295529901074099889598043702116001257856802131563896515373927712232092845883226922417596214'
);
// 1 / √(-d)
const INVSQRT_MINUS_D = /* @__PURE__ */ BigInt(
'315019913931389607337177038330951043522456072897266928557328499619017160722351061360252776265186336876723201881398623946864393857820716'
);
// RFC 9496 `SQRT_RATIO_M1` must return `CT_ABS(s)`, i.e. the nonnegative root.
// Keep this Decaf-local: RFC 9496 decode/encode/map formulas depend on that
// canonical representative, while ordinary Ed448 decoding still uses `uvRatio()`
// plus the public sign bit from RFC 8032.
const sqrtRatioM1 = (u: bigint, v: bigint) => {
const P = ed448_CURVE_p;
const { isValid, value } = uvRatio(u, v);
return { isValid, value: isNegativeLE(value, P) ? Fp448.create(-value) : value };
};
const invertSqrt = (number: bigint) => sqrtRatioM1(_1n, number);
/**
* Elligator map for hash-to-curve of decaf448.
* Primary formula source is RFC 9496 §5.3.4. Step 1 intentionally reduces the
* input modulo `p`, and the return value is the internal Edwards
* representation, not a public decaf encoding.
*/
function calcElligatorDecafMap(r0: bigint): EdwardsPoint {
const { d, p: P } = ed448_CURVE;
const mod = (n: bigint) => Fp448.create(n);
const r = mod(-(r0 * r0)); // 1
const u0 = mod(d * (r - _1n)); // 2
const u1 = mod((u0 + _1n) * (u0 - r)); // 3
const { isValid: was_square, value: v } = sqrtRatioM1(ONE_MINUS_TWO_D, mod((r + _1n) * u1)); // 4
let v_prime = v; // 5
if (!was_square) v_prime = mod(r0 * v);
let sgn = _1n; // 6
if (!was_square) sgn = mod(-_1n);
const s = mod(v_prime * (r + _1n)); // 7
let s_abs = s;
if (isNegativeLE(s, P)) s_abs = mod(-s);
const s2 = s * s;
const W0 = mod(s_abs * _2n); // 8
const W1 = mod(s2 + _1n); // 9
const W2 = mod(s2 - _1n); // 10
const W3 = mod(v_prime * s * (r - _1n) * ONE_MINUS_TWO_D + sgn); // 11
return new ed448_Point(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
}
// Keep the Decaf448 base representative literal here: deriving it with
// `new _DecafPoint(ed448_Point.BASE).multiplyUnsafe(2)` forces eager WNAF precomputes and
// adds about 100ms to `ed448.js` import time.
const DECAF_BASE_X = /* @__PURE__ */ BigInt(
'0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa955555555555555555555555555555555555555555555555555555555'
);
const DECAF_BASE_Y = /* @__PURE__ */ BigInt(
'0xae05e9634ad7048db359d6205086c2b0036ed7a035884dd7b7e36d728ad8c4b80d6565833a2a3098bbbcb2bed1cda06bdaeafbcdea9386ed'
);
const DECAF_BASE_T = /* @__PURE__ */ BigInt(
'0x696d84643374bace9d70983a12aa9d461da74d2d5c35e8d97ba72c3aba4450a5d29274229bd22c1d5e3a6474ee4ffb0e7a9e200a28eee402'
);
/**
* Each ed448/EdwardsPoint has 4 different equivalent points. This can be
* a source of bugs for protocols like ring signatures. Decaf was created to solve this.
* Decaf point operates in X:Y:Z:T extended coordinates like EdwardsPoint,
* but it should work in its own namespace: do not combine those two.
* See [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
*/
class _DecafPoint extends PrimeEdwardsPoint<_DecafPoint> {
// The following gymnastics is done because typescript strips comments otherwise
// prettier-ignore
static BASE: _DecafPoint =
/* @__PURE__ */ (() => new _DecafPoint(new ed448_Point(DECAF_BASE_X, DECAF_BASE_Y, _1n, DECAF_BASE_T)))();
// prettier-ignore
static ZERO: _DecafPoint =
/* @__PURE__ */ (() => new _DecafPoint(ed448_Point.ZERO))();
// prettier-ignore
static Fp: IField<bigint> =
/* @__PURE__ */ (() => Fp448)();
// prettier-ignore
static Fn: IField<bigint> =
/* @__PURE__ */ (() => Fn448)();
constructor(ep: EdwardsPoint) {
super(ep);
}
/**
* Create one Decaf448 point from affine Edwards coordinates.
* This wraps the internal Edwards representative directly and is not a
* canonical decaf448 decoding path.
* Use `toBytes()` / `fromBytes()` if canonical decaf448 bytes matter.
*/
static fromAffine(ap: AffinePoint<bigint>): _DecafPoint {
return new _DecafPoint(ed448_Point.fromAffine(ap));
}
protected assertSame(other: _DecafPoint): void {
if (!(other instanceof _DecafPoint)) throw new Error('DecafPoint expected');
}
protected init(ep: EdwardsPoint): _DecafPoint {
return new _DecafPoint(ep);
}
static fromBytes(bytes: TArg<Uint8Array>): _DecafPoint {
abytes(bytes, 56);
const { d, p: P } = ed448_CURVE;
const mod = (n: bigint) => Fp448.create(n);
const s = Fp448.fromBytes(bytes);
// 1. Check that s_bytes is the canonical encoding of a field element, or else abort.
// 2. Check that s is non-negative, or else abort
if (!equalBytes(Fn448.toBytes(s), bytes) || isNegativeLE(s, P))
throw new Error('invalid decaf448 encoding 1');
const s2 = mod(s * s); // 1
const u1 = mod(_1n + s2); // 2
const u1sq = mod(u1 * u1);
const u2 = mod(u1sq - _4n * d * s2); // 3
const { isValid, value: invsqrt } = invertSqrt(mod(u2 * u1sq)); // 4
let u3 = mod((s + s) * invsqrt * u1 * SQRT_MINUS_D); // 5
if (isNegativeLE(u3, P)) u3 = mod(-u3);
const x = mod(u3 * invsqrt * u2 * INVSQRT_MINUS_D); // 6
const y = mod((_1n - s2) * invsqrt * u1); // 7
const t = mod(x * y); // 8
if (!isValid) throw new Error('invalid decaf448 encoding 2');
return new _DecafPoint(new ed448_Point(x, y, _1n, t));
}
/**
* Converts decaf-encoded string to decaf point.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode-2).
* @param hex - Decaf-encoded 56 bytes. Not every 56-byte string is valid decaf encoding
*/
static fromHex(hex: string): _DecafPoint {
return _DecafPoint.fromBytes(hexToBytes(hex));
}
/**
* Encodes decaf point to Uint8Array.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-encode-2).
*/
toBytes(): TRet<Uint8Array> {
const { X, Z, T } = this.ep;
const P = ed448_CURVE.p;
const mod = (n: bigint) => Fp448.create(n);
const u1 = mod(mod(X + T) * mod(X - T)); // 1
const x2 = mod(X * X);
const { value: invsqrt } = invertSqrt(mod(u1 * ONE_MINUS_D * x2)); // 2
let ratio = mod(invsqrt * u1 * SQRT_MINUS_D); // 3
if (isNegativeLE(ratio, P)) ratio = mod(-ratio);
const u2 = mod(INVSQRT_MINUS_D * ratio * Z - T); // 4
let s = mod(ONE_MINUS_D * invsqrt * X * u2); // 5
if (isNegativeLE(s, P)) s = mod(-s);
return Fn448.toBytes(s) as TRet<Uint8Array>;
}
/**
* Compare one point to another.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-equals-2).
*/
equals(other: _DecafPoint): boolean {
this.assertSame(other);
const { X: X1, Y: Y1 } = this.ep;
const { X: X2, Y: Y2 } = other.ep;
// (x1 * y2 == y1 * x2)
return Fp448.create(X1 * Y2) === Fp448.create(Y1 * X2);
}
is0(): boolean {
return this.equals(_DecafPoint.ZERO);
}
}
Object.freeze(_DecafPoint.BASE);
Object.freeze(_DecafPoint.ZERO);
Object.freeze(_DecafPoint.prototype);
Object.freeze(_DecafPoint);
/** Prime-order Decaf448 group bundle. */
export const decaf448: {
Point: typeof _DecafPoint;
} = /* @__PURE__ */ Object.freeze({ Point: _DecafPoint });
/**
* Hashing to decaf448 points / field. RFC 9380 methods.
* `hashToCurve()` is RFC 9380 `hash_to_decaf448`, `deriveToCurve()` is RFC
* 9496 element derivation, and `hashToScalar()` is a library helper layered on
* top of RFC 9496 scalar reduction.
* @example
* Hash one message onto decaf448.
*
* ```ts
* const point = decaf448_hasher.hashToCurve(new TextEncoder().encode('hello noble'));
* ```
*/
export const decaf448_hasher: H2CHasherBase<typeof _DecafPoint> = Object.freeze({
Point: _DecafPoint,
hashToCurve(msg: TArg<Uint8Array>, options?: TArg<H2CDSTOpts>): _DecafPoint {
// Preserve explicit empty/invalid DST overrides so expand_message_xof() can reject them.
const DST = options?.DST === undefined ? 'decaf448_XOF:SHAKE256_D448MAP_RO_' : options.DST;
return decaf448_hasher.deriveToCurve!(expand_message_xof(msg, DST, 112, 224, shake256));
},
/**
* Warning: has big modulo bias of 2^-64.
* RFC is invalid. RFC says "use 64-byte xof", while for 2^-112 bias
* it must use 84-byte xof (56+56/2), not 64.
*/
hashToScalar(msg: TArg<Uint8Array>, options: TArg<H2CDSTOpts> = { DST: _DST_scalar }): bigint {
// Can't use `Fn448.fromBytes()`. 64-byte input => 56-byte field element
const xof = expand_message_xof(msg, options.DST, 64, 256, shake256);
return Fn448.create(bytesToNumberLE(xof));
},
/**
* HashToCurve-like construction based on RFC 9496 (Element Derivation).
* Converts 112 uniform random bytes into a curve point.
*
* WARNING: This represents an older hash-to-curve construction from before
* RFC 9380 was finalized.
* It was later reused as a component in the newer
* `hash_to_decaf448` function defined in RFC 9380.
*/
deriveToCurve(bytes: TArg<Uint8Array>): _DecafPoint {
abytes(bytes, 112);
const skipValidation = true;
// Note: Similar to the field element decoding described in
// [RFC7748], and unlike the field element decoding described in
// Section 5.3.1, non-canonical values are accepted.
const r1 = Fp448.create(Fp448.fromBytes(bytes.subarray(0, 56), skipValidation));
const R1 = calcElligatorDecafMap(r1);
const r2 = Fp448.create(Fp448.fromBytes(bytes.subarray(56, 112), skipValidation));
const R2 = calcElligatorDecafMap(r2);
return new _DecafPoint(R1.add(R2));
},
});
/**
* decaf448 OPRF, defined in RFC 9497.
* @example
* Run one blind/evaluate/finalize OPRF round over decaf448.
*
* ```ts
* const input = new TextEncoder().encode('hello noble');
* const keys = decaf448_oprf.oprf.generateKeyPair();
* const blind = decaf448_oprf.oprf.blind(input);
* const evaluated = decaf448_oprf.oprf.blindEvaluate(keys.secretKey, blind.blinded);
* const output = decaf448_oprf.oprf.finalize(input, blind.blind, evaluated);
* ```
*/
export const decaf448_oprf: TRet<OPRF> = /* @__PURE__ */ (() =>
createOPRF({
name: 'decaf448-SHAKE256',
Point: _DecafPoint,
hash: (msg: TArg<Uint8Array>) => shake256(msg, { dkLen: 64 }),
hashToGroup: decaf448_hasher.hashToCurve,
hashToScalar: decaf448_hasher.hashToScalar,
}))();
/**
* Weird / bogus points, useful for debugging.
* Unlike ed25519, there is no ed448 generator point which can produce full T subgroup.
* Instead, the torsion subgroup here is cyclic of order 4, generated by
* `(1, 0)`, and the array below lists that subgroup set (Klein four-group).
* @example
* Decode one known torsion point for debugging.
*
* ```ts
* import { ED448_TORSION_SUBGROUP, ed448 } from '@noble/curves/ed448.js';
* const point = ed448.Point.fromHex(ED448_TORSION_SUBGROUP[1]);
* ```
*/
export const ED448_TORSION_SUBGROUP: readonly string[] = /* @__PURE__ */ Object.freeze([
'010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000',
'fefffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffff00',
'000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000',
'000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080',
]);
web/node_modules/.pnpm/@noble+curves@2.2.0/node_modules/@noble/curves/src/index.ts
Generated Vendored
+37
View File
@@ -0,0 +1,37 @@
/**
* Audited & minimal JS implementation of elliptic curve cryptography.
* @module
* @example
```js
import { secp256k1, schnorr } from '@noble/curves/secp256k1.js';
import { ed25519, ed25519ph, ed25519ctx, x25519, ristretto255 } from '@noble/curves/ed25519.js';
import { ed448, ed448ph, x448, decaf448 } from '@noble/curves/ed448.js';
import { p256, p384, p521 } from '@noble/curves/nist.js';
import { bls12_381 } from '@noble/curves/bls12-381.js';
import { bn254 } from '@noble/curves/bn254.js';
import {
jubjub,
babyjubjub,
brainpoolP256r1,
brainpoolP384r1,
brainpoolP512r1,
} from '@noble/curves/misc.js';
import * as webcrypto from '@noble/curves/webcrypto.js';
// hash-to-curve
import { secp256k1_hasher } from '@noble/curves/secp256k1.js';
import { p256_hasher, p384_hasher, p521_hasher } from '@noble/curves/nist.js';
import { ristretto255_hasher } from '@noble/curves/ed25519.js';
import { decaf448_hasher } from '@noble/curves/ed448.js';
// OPRFs
import { p256_oprf, p384_oprf, p521_oprf } from '@noble/curves/nist.js';
import { ristretto255_oprf } from '@noble/curves/ed25519.js';
import { decaf448_oprf } from '@noble/curves/ed448.js';
// utils
import { bytesToHex, hexToBytes, concatBytes } from '@noble/curves/abstract/utils.js';
import { Field } from '@noble/curves/abstract/modular.js';
```
*/
throw new Error('root module cannot be imported: import submodules instead. Check out README');

Some files were not shown because too many files have changed in this diff Show More