@arcium-hq/client 0.9.2 → 0.9.3

package/src/cryptography/rescueDesc.ts

@@ -0,0 +1,492 @@
+import { ed25519 } from '@noble/curves/ed25519';
+import { shake256 } from '@noble/hashes/sha3';
+import { IField, invert } from '@noble/curves/abstract/modular';
+import { Matrix } from '../matrix.js';
+import { deserializeLE } from './cryptography.js';
+
+/**
+ * Represents the operational mode for the Rescue cryptographic primitive.
+ * Can be either a block cipher mode with a key, or a hash function mode with parameters.
+ */
+type RescueMode = BlockCipher | HashFunction;
+
+/**
+ * Block cipher mode configuration for Rescue.
+ * Use a key for encryption/decryption operations.
+ */
+type BlockCipher = { kind: 'cipher'; key: bigint[] };
+
+/**
+ * Hash function mode configuration for Rescue.
+ * @param m - Rate (number of field elements absorbed per round).
+ * @param capacity - Capacity (number of field elements in the state that are not directly accessible).
+ */
+type HashFunction = { kind: 'hash'; m: number; capacity: number };
+
+/**
+ * Field type.
+ */
+export type FpField = IField<bigint>;
+
+/**
+ * Curve25519 base field as an IField instance.
+ */
+export const CURVE25519_BASE_FIELD: FpField = ed25519.Point.Fp;
+
+/**
+ * Curve25519 scalar field as an IField instance.
+ */
+export const CURVE25519_SCALAR_FIELD: FpField = ed25519.Point.Fn;
+
+// Security level for the block cipher.
+const SECURITY_LEVEL_BLOCK_CIPHER = 128;
+
+// Security level for the hash function.
+const SECURITY_LEVEL_HASH_FUNCTION = 256;
+
+// We refer to https://tosc.iacr.org/index.php/ToSC/article/view/8695/8287 for more details.
+/**
+ * Description and parameters for the Rescue cipher or hash function, including round constants, MDS matrix, and key schedule.
+ * See: https://tosc.iacr.org/index.php/ToSC/article/view/8695/8287
+ */
+export class RescueDesc {
+    mode: RescueMode;
+
+    field: FpField;
+
+    // The smallest prime that does not divide p-1.
+    alpha: bigint;
+
+    // The inverse of alpha modulo p-1.
+    alphaInverse: bigint;
+
+    nRounds: number;
+
+    m: number;
+
+    // A Maximum Distance Separable matrix.
+    mdsMat: Matrix;
+
+    // Its inverse.
+    mdsMatInverse: Matrix;
+
+    // The round keys, needed for encryption and decryption.
+    roundKeys: Matrix[];
+
+    /**
+     * Construct a RescueDesc for a given field and mode (cipher or hash).
+     * Initialize round constants, MDS matrix, and key schedule.
+     * @param field - Field to use (e.g., CURVE25519_BASE_FIELD).
+     * @param mode - Mode: block cipher or hash function.
+     */
+    constructor(field: FpField, mode: RescueMode) {
+        this.field = field;
+        this.mode = mode;
+        switch (this.mode.kind) {
+            case 'cipher': {
+                this.m = this.mode.key.length;
+                if (this.m < 2) {
+                    throw Error(`parameter m must be at least 2 (found ${this.m})`);
+                }
+                break;
+            }
+            case 'hash': {
+                this.m = this.mode.m;
+                break;
+            }
+            default: {
+                this.m = 0;
+                break;
+            }
+        }
+        const alphaAndInverse = getAlphaAndInverse(this.field.ORDER);
+        this.alpha = alphaAndInverse[0];
+        this.alphaInverse = alphaAndInverse[1];
+        this.nRounds = getNRounds(this.field.ORDER, this.mode, this.alpha, this.m);
+        const mdsMatrixAndInverse = getMdsMatrixAndInverse(this.field, this.m);
+        this.mdsMat = mdsMatrixAndInverse[0];
+        this.mdsMatInverse = mdsMatrixAndInverse[1];
+
+        // generate the round constants using SHAKE256
+        const roundConstants = this.sampleConstants(this.nRounds);
+
+        switch (this.mode.kind) {
+            case 'cipher': {
+                // do the key schedule
+                this.roundKeys = rescuePermutation(
+                    this.mode,
+                    this.alpha,
+                    this.alphaInverse,
+                    this.mdsMat,
+                    roundConstants,
+                    new Matrix(this.field, toVec(this.mode.key)),
+                );
+                break;
+            }
+            case 'hash': {
+                this.roundKeys = roundConstants;
+                break;
+            }
+            default: {
+                this.roundKeys = [];
+                break;
+            }
+        }
+    }
+
+    /**
+     * Sample round constants for the Rescue permutation, using SHAKE256.
+     * @param nRounds - Number of rounds.
+     * @returns Array of round constant matrices.
+     */
+    sampleConstants(nRounds: number): Matrix[] {
+        const field = this.field;
+        const m = this.m;
+
+        // setup randomness
+        // dkLen is the output length from the Keccak instance behind shake.
+        // this is irrelevant for our extendable output function (xof), but still we use
+        // the default value from one-time shake256 hashing, as defined in shake256's definition
+        // in noble-hashes-sha3.
+        const hasher = shake256.create({ dkLen: 256 / 8 });
+
+        // buffer to create field elements from bytes
+        // we add 16 bytes to get a distribution statistically close to uniform
+        const bufferLen = Math.ceil(field.BITS / 8) + 16;
+
+        switch (this.mode.kind) {
+            case 'cipher': {
+                hasher.update('encrypt everything, compute anything');
+
+                const rFieldArray = Array.from({ length: m * m + 2 * m }, () => {
+                    // create field element from the shake hash
+                    const randomness = hasher.xof(bufferLen);
+                    // we need not check whether the obtained field element f is in any subgroup,
+                    // because we use only prime fields (i.e. there are no subgroups)
+                    return field.create(deserializeLE(randomness));
+                });
+
+                // create matrix and vectors
+                const matData = Array.from({ length: m }, () => rFieldArray.splice(0, m));
+                let roundConstantMat = new Matrix(field, matData);
+                const initData = Array.from({ length: m }, () => rFieldArray.splice(0, 1));
+                const initialRoundConstant = new Matrix(field, initData);
+                const roundData = Array.from({ length: m }, () => rFieldArray.splice(0, 1));
+                const roundConstantAffineTerm = new Matrix(field, roundData);
+
+                // check for inversability
+                while (field.is0(roundConstantMat.det())) {
+                    // resample matrix
+                    const resampleArray = Array.from({ length: m * m }, () => {
+                        const randomness = hasher.xof(bufferLen);
+                        return field.create(deserializeLE(randomness));
+                    });
+                    const resampleData = Array.from({ length: m }, () => resampleArray.splice(0, m));
+                    roundConstantMat = new Matrix(field, resampleData);
+                }
+
+                const roundConstants = [initialRoundConstant];
+                for (let r = 0; r < 2 * this.nRounds; ++r) {
+                    roundConstants.push(roundConstantMat.matMul(roundConstants[r]).add(roundConstantAffineTerm));
+                }
+
+                return roundConstants;
+            }
+            case 'hash': {
+                hasher.update(`Rescue-XLIX(${this.field.ORDER},${m},${this.mode.capacity},${SECURITY_LEVEL_HASH_FUNCTION})`);
+
+                // this.permute requires an odd number of round keys
+                // prepending a 0 matrix makes it equivalent to Algorithm 3 from https://eprint.iacr.org/2020/1143.pdf
+                const zeros = [];
+                for (let i = 0; i < m; ++i) {
+                    zeros.push([0n]);
+                }
+                const roundConstants = [new Matrix(field, zeros)];
+                const rFieldArray = Array.from({ length: 2 * m * nRounds }, () => {
+                    // create field element from the shake hash
+                    const randomness = hasher.xof(bufferLen);
+                    // we need not check whether the obtained field element f is in any subgroup,
+                    // because we use only prime fields (i.e. there are no subgroups)
+                    return field.create(deserializeLE(randomness));
+                });
+                for (let r = 0; r < 2 * nRounds; ++r) {
+                    const data = [];
+                    for (let i = 0; i < m; ++i) {
+                        data.push([rFieldArray[r * m + i]]);
+                    }
+                    roundConstants.push(new Matrix(field, data));
+                }
+
+                return roundConstants;
+            }
+            default: return [];
+        }
+    }
+
+    /**
+     * Apply the Rescue permutation to a state matrix.
+     * @param state - Input state matrix.
+     * @returns Permuted state matrix.
+     */
+    permute(state: Matrix): Matrix {
+        return rescuePermutation(
+            this.mode,
+            this.alpha,
+            this.alphaInverse,
+            this.mdsMat,
+            this.roundKeys,
+            state,
+        )[2 * this.nRounds];
+    }
+
+    /**
+     * Apply the inverse Rescue permutation to a state matrix.
+     * @param state - Input state matrix.
+     * @returns Inverse-permuted state matrix.
+     */
+    permuteInverse(state: Matrix): Matrix {
+        return rescuePermutationInverse(
+            this.mode,
+            this.alpha,
+            this.alphaInverse,
+            this.mdsMatInverse,
+            this.roundKeys,
+            state,
+        )[2 * this.nRounds];
+    }
+}
+
+/**
+ * Find the smallest prime alpha that does not divide p-1, and compute its inverse modulo p-1.
+ * The alpha parameter is used in the Rescue permutation for exponentiation operations.
+ * @param p - Field modulus (prime number).
+ * @returns Tuple [alpha, alphaInverse] where alpha is the prime and alphaInverse is its modular inverse.
+ * @throws Error if no suitable prime alpha is found.
+ */
+function getAlphaAndInverse(p: bigint): bigint[] {
+    const pMinusOne = p - 1n;
+    let alpha = 0n;
+    for (const a of [2n, 3n, 5n, 7n, 11n, 13n, 17n, 19n, 23n, 29n, 31n, 37n, 41n, 43n, 47n]) {
+        if (pMinusOne % a !== 0n) {
+            alpha = a;
+            break;
+        }
+    }
+    if (alpha === 0n) {
+        throw Error('Could not find prime alpha that does not divide p-1.');
+    }
+    const alphaInverse = invert(alpha, pMinusOne);
+    return [alpha, alphaInverse];
+}
+
+/**
+ * Calculate the number of rounds required for the Rescue permutation based on security analysis.
+ * The number of rounds is determined by analyzing resistance to differential and algebraic attacks.
+ * See: https://tosc.iacr.org/index.php/ToSC/article/view/8695/8287 for the security analysis.
+ * @param p - Field modulus.
+ * @param mode - Rescue mode (cipher or hash).
+ * @param alpha - Prime alpha parameter.
+ * @param m - State size (block size for cipher, total size for hash).
+ * @returns Number of rounds (will be doubled for the full permutation).
+ */
+function getNRounds(p: bigint, mode: RescueMode, alpha: bigint, m: number): number {
+    function dcon(n: number): number {
+        return Math.floor(0.5 * (Number(alpha) - 1) * m * (n - 1) + 2.0);
+    }
+    function v(n: number, rate: number): number {
+        return m * (n - 1) + rate;
+    }
+    function binomial(n: number, k: number): bigint {
+        function factorial(x: bigint): bigint {
+            if (x === 0n || x === 1n) {
+                return 1n;
+            }
+            return x * factorial(x - 1n);
+        }
+        return factorial(BigInt(n)) / (factorial(BigInt(n - k)) * factorial(BigInt(k)));
+    }
+
+    switch (mode.kind) {
+        case 'cipher': {
+            const l0 = Math.ceil(
+                (2 * SECURITY_LEVEL_BLOCK_CIPHER) / ((m + 1) * (Math.log2(Number(p)) - Math.log2(Number(alpha) - 1))),
+            );
+            let l1 = 0;
+            if (alpha === 3n) {
+                l1 = Math.ceil((SECURITY_LEVEL_BLOCK_CIPHER + 2) / (4 * m));
+            }
+            else {
+                l1 = Math.ceil((SECURITY_LEVEL_BLOCK_CIPHER + 3) / (5.5 * m));
+            }
+            return 2 * Math.max(l0, l1, 5);
+        }
+        case 'hash': {
+            // get number of rounds for Groebner basis attack
+            const rate = m - mode.capacity;
+            const target = 1n << BigInt(SECURITY_LEVEL_HASH_FUNCTION);
+            let l1 = 1;
+            let tmp = binomial(v(l1, rate) + dcon(l1), v(l1, rate));
+            while (tmp * tmp <= target && l1 <= 23) {
+                l1 += 1;
+                tmp = binomial(v(l1, rate) + dcon(l1), v(l1, rate));
+            }
+
+            // set a minimum value for sanity and add 50%
+            return Math.ceil(1.5 * Math.max(5, l1));
+        }
+        default: return 0;
+    }
+}
+
+/**
+ * Build a Cauchy matrix for use as an MDS (Maximum Distance Separable) matrix.
+ * A Cauchy matrix is guaranteed to be invertible and provides optimal diffusion properties.
+ * The matrix is constructed using the formula: M[i][j] = 1/(i + j) for i, j in [1, size].
+ * @param field - Finite field over which to construct the matrix.
+ * @param size - Size of the square matrix.
+ * @returns Cauchy matrix of the specified size.
+ */
+function buildCauchy(field: FpField, size: number): Matrix {
+    const data = [];
+    for (let i = 1n; i <= size; ++i) {
+        const row = [];
+        for (let j = 1n; j <= size; ++j) {
+            row.push(field.inv(i + j));
+        }
+        data.push(row);
+    }
+    return new Matrix(field, data);
+}
+
+/**
+ * Build the inverse of a Cauchy matrix for use as the inverse MDS matrix.
+ * The inverse is computed using a closed-form formula for Cauchy matrix inversion.
+ * @param field - Finite field over which to construct the matrix.
+ * @param size - Size of the square matrix.
+ * @returns Inverse of the Cauchy matrix.
+ */
+function buildInverseCauchy(field: FpField, size: number): Matrix {
+    function product(arr: bigint[]): bigint {
+        return arr.reduce((acc, curr) => field.mul(acc, field.create(curr)), field.ONE);
+    }
+    function prime(arr: bigint[], val: bigint): bigint {
+        return product(
+            arr.map(
+                (u) => {
+                    if (u !== val) {
+                        return val - u;
+                    }
+                    return 1n;
+                },
+            ),
+        );
+    }
+    const data = [];
+    for (let i = 1n; i <= size; ++i) {
+        const row = [];
+        for (let j = 1n; j <= size; ++j) {
+            const a = product(Array.from({ length: size }, (_, key) => -i - BigInt(1 + key)));
+            const aPrime = prime(Array.from({ length: size }, (_, key) => BigInt(1 + key)), j);
+            const b = product(Array.from({ length: size }, (_, key) => j + BigInt(1 + key)));
+            const bPrime = prime(Array.from({ length: size }, (_, key) => -BigInt(1 + key)), -i);
+            row.push(field.mul(a, field.mul(b, field.mul(field.inv(aPrime), field.mul(field.inv(bPrime), field.inv(-i - j))))));
+        }
+        data.push(row);
+    }
+    return new Matrix(field, data);
+}
+
+function getMdsMatrixAndInverse(field: FpField, m: number): Matrix[] {
+    const mdsMat = buildCauchy(field, m);
+    const mdsMatInverse = buildInverseCauchy(field, m);
+    return [mdsMat, mdsMatInverse];
+}
+
+function exponentForEven(mode: RescueMode, alpha: bigint, alphaInverse: bigint): bigint {
+    switch (mode.kind) {
+        case 'cipher': { return alphaInverse; }
+        case 'hash': { return alpha; }
+        default: return 0n;
+    }
+}
+
+function exponentForOdd(mode: RescueMode, alpha: bigint, alphaInverse: bigint): bigint {
+    switch (mode.kind) {
+        case 'cipher': { return alpha; }
+        case 'hash': { return alphaInverse; }
+        default: return 0n;
+    }
+}
+
+/**
+ * Core Rescue permutation function implementing the cryptographic primitive.
+ * Apply alternating rounds of exponentiation and MDS matrix multiplication with round keys.
+ * The permutation alternates between using alpha and alphaInverse as exponents based on round parity.
+ * This is the fundamental building block for both Rescue cipher and Rescue-Prime hash.
+ * @param mode - Rescue mode (cipher or hash) determining exponent selection.
+ * @param alpha - Prime exponent for even rounds.
+ * @param alphaInverse - Inverse exponent for odd rounds.
+ * @param mdsMat - Maximum Distance Separable matrix for diffusion.
+ * @param subkeys - Array of round key matrices.
+ * @param state - Initial state matrix to permute.
+ * @returns Array of all intermediate states during the permutation.
+ */
+function rescuePermutation(
+    mode: RescueMode,
+    alpha: bigint,
+    alphaInverse: bigint,
+    mdsMat: Matrix,
+    subkeys: Matrix[],
+    state: Matrix,
+): Matrix[] {
+    const exponentEven = exponentForEven(mode, alpha, alphaInverse);
+    const exponentOdd = exponentForOdd(mode, alpha, alphaInverse);
+    const states = [state.add(subkeys[0])];
+    for (let r = 0; r < subkeys.length - 1; ++r) {
+        let s = states[r];
+        if (r % 2 === 0) {
+            s = s.pow(exponentEven);
+        }
+        else {
+            s = s.pow(exponentOdd);
+        }
+        states.push(mdsMat.matMul(s).add(subkeys[r + 1]));
+    }
+    return states;
+}
+
+function rescuePermutationInverse(
+    mode: RescueMode,
+    alpha: bigint,
+    alphaInverse: bigint,
+    mdsMatInverse: Matrix,
+    subkeys: Matrix[],
+    state: Matrix,
+): Matrix[] {
+    const exponentEven = exponentForEven(mode, alpha, alphaInverse);
+    const exponentOdd = exponentForOdd(mode, alpha, alphaInverse);
+    // the initial state will need to be removed afterwards
+    const states = [state];
+    for (let r = 0; r < subkeys.length - 1; ++r) {
+        let s = states[r];
+        s = mdsMatInverse.matMul(s.sub(subkeys[subkeys.length - 1 - r]));
+        if (r % 2 === 0) {
+            s = s.pow(exponentEven);
+        }
+        else {
+            s = s.pow(exponentOdd);
+        }
+        states.push(s);
+    }
+    states.push(states[states.length - 1].sub(subkeys[0]));
+    states.shift();
+    return states;
+}
+
+export function toVec(data: bigint[]): bigint[][] {
+    const dataVec = [];
+    for (let i = 0; i < data.length; ++i) {
+        dataVec.push([data[i]]);
+    }
+    return dataVec;
+}

package/src/cryptography/rescuePrimeHash.ts

@@ -0,0 +1,72 @@
+import {
+    RescueDesc,
+    FpField,
+} from './rescueDesc.js';
+import { Matrix } from '../matrix.js';
+
+/**
+ * The Rescue-Prime hash function, as described in https://eprint.iacr.org/2020/1143.pdf, offering 256 bits
+ * of security against collision, preimage and second-preimage attacks for any field of size at least 102 bits.
+ * We use the sponge construction with fixed rate = 7 and capacity = 5 (i.e., m = 12), and truncate the
+ * output to 5 field elements.
+ */
+export class RescuePrimeHash {
+    desc: RescueDesc;
+
+    rate: number;
+
+    digestLength: number;
+
+    /**
+     * Construct a RescuePrimeHash instance with rate = 7 and capacity = 5.
+     */
+    constructor(field: FpField) {
+        this.desc = new RescueDesc(
+            field,
+            { kind: 'hash', m: 12, capacity: 5 },
+        );
+
+        this.rate = 7;
+        this.digestLength = 5;
+    }
+
+    // This is Algorithm 1 from https://eprint.iacr.org/2020/1143.pdf, though with the padding (see Algorithm 2).
+    // The hash is truncated to digestLength elements.
+    // According to Section 2.2, this offers min(log2(CURVE25519_BASE_FIELD.ORDER) / 2 * min(digestLength, capacity), s)
+    // bits of security against collision, preimage and second-preimage attacks.
+    // The security level is thus of the order of 256 bits for any field of size at least 102 bits.
+    // The rate and capacity are chosen to achieve minimal number of rounds 8.
+    /**
+     * Compute the Rescue-Prime hash of a message, with padding as described in Algorithm 2 of the paper.
+     * @param message - Input message as an array of bigints.
+     * @returns Hash output as an array of bigints (length = digestLength).
+     */
+    digest(message: bigint[]): bigint[] {
+        // Create a copy and pad message to avoid mutating input parameter
+        const paddedMessage = [...message, 1n];
+        while (paddedMessage.length % this.rate !== 0) {
+            paddedMessage.push(0n);
+        }
+        const zeros = [];
+        for (let i = 0; i < this.desc.m; ++i) {
+            zeros.push([0n]);
+        }
+        let state = new Matrix(this.desc.field, zeros);
+        for (let r = 0; r < paddedMessage.length / this.rate; ++r) {
+            const data = [];
+            for (let i = 0; i < this.rate; ++i) {
+                data[i] = [paddedMessage[r * this.rate + i]];
+            }
+            for (let i = this.rate; i < this.desc.m; ++i) {
+                data[i] = [0n];
+            }
+            const s = new Matrix(this.desc.field, data);
+            state = this.desc.permute(state.add(s, true));
+        }
+        const res = [];
+        for (let i = 0; i < this.digestLength; ++i) {
+            res.push(state.data[i][0]);
+        }
+        return res;
+    }
+}

package/src/ctUtils.ts

@@ -0,0 +1,124 @@
+/**
+ * Convert a bigint to an array of bits (least significant to most significant, in 2's complement representation).
+ * @param x - Bigint to convert.
+ * @param binSize - Number of bits to use in the representation.
+ * @returns Array of booleans representing the bits of x.
+ */
+function toBinLE(x: bigint, binSize: bigint): boolean[] {
+    const res: boolean[] = [];
+    for (let i = 0; i < binSize; ++i) {
+        res.push(ctSignBit(x, BigInt(i)));
+    }
+    return res;
+}
+
+/**
+ * Convert an array of bits (least significant to most significant, in 2's complement representation) to a bigint.
+ * @param xBin - Array of bits to convert.
+ * @returns Bigint represented by the bit array.
+ */
+function fromBinLE(xBin: boolean[]): bigint {
+    let res = 0n;
+    for (let i = 0; i < xBin.length - 1; ++i) {
+        res |= BigInt(xBin[i]) << BigInt(i);
+    }
+    return res - (BigInt(xBin[xBin.length - 1]) << BigInt(xBin.length - 1));
+}
+
+/**
+ * Binary adder between x and y (assumes xBin and yBin are of the same length and large enough to represent the sum).
+ * @param xBin - First operand as a bit array.
+ * @param yBin - Second operand as a bit array.
+ * @param carryIn - Initial carry-in value.
+ * @param binSize - Number of bits to use in the operation.
+ * @returns Sum as a bit array.
+ */
+function adder(xBin: boolean[], yBin: boolean[], carryIn: boolean, binSize: bigint): boolean[] {
+    const res: boolean[] = [];
+    let carry: boolean = carryIn;
+    for (let i = 0; i < binSize; ++i) {
+        // res[i] = xBin[i] XOR yBin[i] XOR carry
+        const yXorCarry = yBin[i] !== carry;
+        res.push(xBin[i] !== yXorCarry);
+        // newCarry = (xBin[i] AND yBin[i]) XOR (xBin[i] AND carry) XOR (yBin[i] AND carry)
+        //          = (yBin[i] XOR carry) ? xBin[i] : yBin[i]
+        const newCarry = yBin[i] !== (yXorCarry && (xBin[i] !== yBin[i]));
+        carry = newCarry;
+    }
+    return res;
+}
+
+/**
+ * Constant-time addition of two bigints, using 2's complement representation.
+ * @param x - First operand.
+ * @param y - Second operand.
+ * @param binSize - Number of bits to use in the operation.
+ * @returns Sum as a bigint.
+ */
+export function ctAdd(x: bigint, y: bigint, binSize: bigint): bigint {
+    const resBin = adder(toBinLE(x, binSize), toBinLE(y, binSize), false, binSize);
+    return fromBinLE(resBin);
+}
+
+/**
+ * Constant-time subtraction of two bigints, using 2's complement representation.
+ * @param x - First operand.
+ * @param y - Second operand.
+ * @param binSize - Number of bits to use in the operation.
+ * @returns Difference as a bigint.
+ */
+export function ctSub(x: bigint, y: bigint, binSize: bigint): bigint {
+    const yBin = toBinLE(y, binSize);
+    const yBinNot: boolean[] = [];
+    for (let i = 0; i < binSize; ++i) {
+        yBinNot.push(yBin[i] === false);
+    }
+    const resBin = adder(toBinLE(x, binSize), yBinNot, true, binSize);
+    return fromBinLE(resBin);
+}
+
+/**
+ * Return the sign bit of a bigint in constant time.
+ * @param x - Bigint to check.
+ * @param binSize - Bit position to check (typically the highest bit).
+ * @returns True if the sign bit is set, false otherwise.
+ */
+export function ctSignBit(x: bigint, binSize: bigint): boolean {
+    return ((x >> binSize) & 1n) === 1n;
+}
+
+/**
+ * Constant-time less-than comparison for two bigints.
+ * @param x - First operand.
+ * @param y - Second operand.
+ * @param binSize - Number of bits to use in the operation.
+ * @returns True if x < y, false otherwise.
+ */
+export function ctLt(x: bigint, y: bigint, binSize: bigint): boolean {
+    return ctSignBit(ctSub(x, y, binSize), binSize);
+}
+
+/**
+ * Constant-time select between two bigints based on a boolean condition.
+ * @param b - Condition; if true, select x, otherwise select y.
+ * @param x - Value to select if b is true.
+ * @param y - Value to select if b is false.
+ * @param binSize - Number of bits to use in the operation.
+ * @returns Selected bigint.
+ */
+export function ctSelect(b: boolean, x: bigint, y: bigint, binSize: bigint): bigint {
+    return ctAdd(y, BigInt(b) * (ctSub(x, y, binSize)), binSize);
+}
+
+/**
+ * Check if a bigint fits in the range -2^binSize <= x < 2^binSize.
+ * Not constant-time for arbitrary x, but is constant-time for all inputs for which the function returns true.
+ * If you assert your inputs satisfy verifyBinSize(x, binSize), you need not care about the non constant-timeness of this function.
+ * @param x - Bigint to check.
+ * @param binSize - Number of bits to use in the check.
+ * @returns True if x fits in the range, false otherwise.
+ */
+export function verifyBinSize(x: bigint, binSize: bigint): boolean {
+    const bin = (x >> binSize).toString(2);
+    return bin === '0' || bin === '-1';
+}