@li0ard/gost 0.0.1 → 0.1.2

package/gost3410/const.d.ts

@@ -0,0 +1,47 @@
+/** Parameters for GOST curves */
+export interface GostCurveParameters {
+    /** Prime field (`Fp`) */
+    p: bigint;
+    /** Curve order (`Fn`) */
+    n: bigint;
+    /** Param `a` */
+    a: bigint;
+    /** Param `b` */
+    b: bigint;
+    /** Base point `X` coordinate */
+    Gx: bigint;
+    /** Base point `Y` coordinate */
+    Gy: bigint;
+    /** Cofactor */
+    h: bigint;
+    /** Curve point length */
+    length: number;
+    /** Param `e` (`a`) for representation as Twisted Edwards */
+    e?: bigint;
+    /** Param `d` for representation as Twisted Edwards */
+    d?: bigint;
+    /** Precomputed parameters for point conversion */
+    st?: bigint[];
+    /** Curve OIDs */
+    oids?: string[];
+}
+/** GOST R 34.10-2001 CryptoCom param set */
+export declare const ID_GOSTR3410_2001_PARAM_SET_CC: Readonly<GostCurveParameters>;
+/** GOST R 34.10-2001 test param set */
+export declare const ID_GOSTR3410_2001_TEST_PARAM_SET: Readonly<GostCurveParameters>;
+/** GOST R 34.10-2012 256 bit `A` param set */
+export declare const ID_GOSTR3410_2012_256_PARAM_SET_A: Readonly<GostCurveParameters>;
+/** GOST R 34.10-2012 256 bit `B` param set (aka CryptoPro `A` (`XchA`) param set) */
+export declare const ID_GOSTR3410_2012_256_PARAM_SET_B: Readonly<GostCurveParameters>;
+/** GOST R 34.10-2012 256 bit `C` param set (aka CryptoPro `B` param set) */
+export declare const ID_GOSTR3410_2012_256_PARAM_SET_C: Readonly<GostCurveParameters>;
+/** GOST R 34.10-2012 256 bit `D` param set (aka CryptoPro `C` (`XchB`) param set) */
+export declare const ID_GOSTR3410_2012_256_PARAM_SET_D: Readonly<GostCurveParameters>;
+/** GOST R 34.10-2012 512 bit test param set */
+export declare const ID_GOSTR3410_2012_512_TEST_PARAM_SET: Readonly<GostCurveParameters>;
+/** GOST R 34.10-2012 512 bit `A` param set */
+export declare const ID_GOSTR3410_2012_512_PARAM_SET_A: Readonly<GostCurveParameters>;
+/** GOST R 34.10-2012 512 bit `B` param set */
+export declare const ID_GOSTR3410_2012_512_PARAM_SET_B: Readonly<GostCurveParameters>;
+/** GOST R 34.10-2012 512 bit `C` param set */
+export declare const ID_GOSTR3410_2012_512_PARAM_SET_C: Readonly<GostCurveParameters>;

package/gost3410/const.js

@@ -0,0 +1,126 @@
+/** GOST R 34.10-2001 CryptoCom param set */
+export const ID_GOSTR3410_2001_PARAM_SET_CC = ({
+    p: 0xc0000000000000000000000000000000000000000000000000000000000003c7n,
+    n: 0x5fffffffffffffffffffffffffffffff606117a2f4bde428b7458a54b6e87b85n,
+    a: 0xc0000000000000000000000000000000000000000000000000000000000003c4n,
+    b: 0x2d06b4265ebc749ff7d0f1f1f88232e81632e9088fd44b7787d5e407e955080cn,
+    Gx: 2n,
+    Gy: 0xa20e034bf8813ef5c18d01105e726a17eb248b264ae9706f440bedc8ccb6b22cn,
+    h: 1n,
+    length: 32,
+    oids: ["1.2.643.2.9.1.8.1"]
+});
+/** GOST R 34.10-2001 test param set */
+export const ID_GOSTR3410_2001_TEST_PARAM_SET = ({
+    p: 0x8000000000000000000000000000000000000000000000000000000000000431n,
+    n: 0x8000000000000000000000000000000150fe8a1892976154c59cfc193accf5b3n,
+    a: 7n,
+    b: 0x5fbff498aa938ce739b8e022fbafef40563f6e6a3472fc2a514c0ce9dae23b7en,
+    Gx: 2n,
+    Gy: 0x08e2a8a0e65147d4bd6316030e16d19c85c97f0a9ca267122b96abbcea7e8fc8n,
+    h: 1n,
+    length: 32,
+    oids: ["1.2.643.2.2.35.0"]
+});
+/** GOST R 34.10-2012 256 bit `A` param set */
+export const ID_GOSTR3410_2012_256_PARAM_SET_A = ({
+    p: 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd97n,
+    n: 0x400000000000000000000000000000000fd8cddfc87b6635c115af556c360c67n,
+    a: 0xc2173f1513981673af4892c23035a27ce25e2013bf95aa33b22c656f277e7335n,
+    b: 0x295f9bae7428ed9ccc20e7c359a9d41a22fccd9108e17bf7ba9337a6f8ae9513n,
+    Gx: 0x91e38443a5e82c0d880923425712b2bb658b9196932e02c78b2582fe742daa28n,
+    Gy: 0x32879423ab1a0375895786c4bb46e9565fde0b5344766740af268adb32322e5cn,
+    h: 4n,
+    e: 1n,
+    d: 0x0605f6b7c183fa81578bc39cfad518132b9df62897009af7e522c32d6dc7bffbn,
+    length: 32,
+    st: [0x7e7e82520f9f015faa1d0f18c14ab9fb35188275da3fd94206b74f34a48e0ecdn, 0x0100fe73f595ff158e974b44d478d9588744fe5c192ac47ea63075dce7a14aaan],
+    oids: ["1.2.643.7.1.2.1.1.1"]
+});
+/** GOST R 34.10-2012 256 bit `B` param set (aka CryptoPro `A` (`XchA`) param set) */
+export const ID_GOSTR3410_2012_256_PARAM_SET_B = ({
+    p: 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd97n,
+    n: 0xffffffffffffffffffffffffffffffff6c611070995ad10045841b09b761b893n,
+    a: 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd94n,
+    b: 0xa6n,
+    Gx: 1n,
+    Gy: 0x8d91e471e0989cda27df505a453f2b7635294f2ddf23e3b122acc99c9e9f1e14n,
+    h: 1n,
+    length: 32,
+    oids: ["1.2.643.7.1.2.1.1.2", "1.2.643.2.2.35.1", "1.2.643.2.2.36.0"]
+});
+/** GOST R 34.10-2012 256 bit `C` param set (aka CryptoPro `B` param set) */
+export const ID_GOSTR3410_2012_256_PARAM_SET_C = ({
+    p: 0x8000000000000000000000000000000000000000000000000000000000000c99n,
+    n: 0x800000000000000000000000000000015f700cfff1a624e5e497161bcc8a198fn,
+    a: 0x8000000000000000000000000000000000000000000000000000000000000c96n,
+    b: 0x3e1af419a269a5f866a7d3c25c3df80ae979259373ff2b182f49d4ce7e1bbc8bn,
+    Gx: 1n,
+    Gy: 0x3fa8124359f96680b83d1c3eb2c070e5c545c9858d03ecfb744bf8d717717efcn,
+    h: 1n,
+    length: 32,
+    oids: ["1.2.643.7.1.2.1.1.3", "1.2.643.2.2.35.2"]
+});
+/** GOST R 34.10-2012 256 bit `D` param set (aka CryptoPro `C` (`XchB`) param set) */
+export const ID_GOSTR3410_2012_256_PARAM_SET_D = ({
+    p: 0x9b9f605f5a858107ab1ec85e6b41c8aacf846e86789051d37998f7b9022d759bn,
+    n: 0x9b9f605f5a858107ab1ec85e6b41c8aa582ca3511eddfb74f02f3a6598980bb9n,
+    a: 0x9b9f605f5a858107ab1ec85e6b41c8aacf846e86789051d37998f7b9022d7598n,
+    b: 0x0805an,
+    Gx: 0n,
+    Gy: 0x41ece55743711a8c3cbf3783cd08c0ee4d4dc440d4641a8f366e550dfdb3bb67n,
+    h: 1n,
+    length: 32,
+    oids: ["1.2.643.7.1.2.1.1.4", "1.2.643.2.2.35.3", "1.2.643.2.2.36.1"]
+});
+/** GOST R 34.10-2012 512 bit test param set */
+export const ID_GOSTR3410_2012_512_TEST_PARAM_SET = ({
+    p: 0x4531acd1fe0023c7550d267b6b2fee80922b14b2ffb90f04d4eb7c09b5d2d15df1d852741af4704a0458047e80e4546d35b8336fac224dd81664bbf528be6373n,
+    n: 0x4531acd1fe0023c7550d267b6b2fee80922b14b2ffb90f04d4eb7c09b5d2d15da82f2d7ecb1dbac719905c5eecc423f1d86e25edbe23c595d644aaf187e6e6dfn,
+    a: 7n,
+    b: 0x1cff0806a31116da29d8cfa54e57eb748bc5f377e49400fdd788b649eca1ac4361834013b2ad7322480a89ca58e0cf74bc9e540c2add6897fad0a3084f302adcn,
+    Gx: 0x24d19cc64572ee30f396bf6ebbfd7a6c5213b3b3d7057cc825f91093a68cd762fd60611262cd838dc6b60aa7eee804e28bc849977fac33b4b530f1b120248a9an,
+    Gy: 0x2bb312a43bd2ce6e0d020613c857acddcfbf061e91e5f2c3f32447c259f39b2c83ab156d77f1496bf7eb3351e1ee4e43dc1a18b91b24640b6dbb92cb1add371en,
+    h: 1n,
+    length: 64,
+    oids: ["1.2.643.7.1.2.1.2.0"]
+});
+/** GOST R 34.10-2012 512 bit `A` param set */
+export const ID_GOSTR3410_2012_512_PARAM_SET_A = ({
+    p: 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdc7n,
+    n: 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff27e69532f48d89116ff22b8d4e0560609b4b38abfad2b85dcacdb1411f10b275n,
+    a: 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdc4n,
+    b: 0xe8c2505dedfc86ddc1bd0b2b6667f1da34b82574761cb0e879bd081cfd0b6265ee3cb090f30d27614cb4574010da90dd862ef9d4ebee4761503190785a71c760n,
+    Gx: 3n,
+    Gy: 0x7503cfe87a836ae3a61b8816e25450e6ce5e1c93acf1abc1778064fdcbefa921df1626be4fd036e93d75e6a50e3a41e98028fe5fc235f5b889a589cb5215f2a4n,
+    h: 1n,
+    length: 64,
+    oids: ["1.2.643.7.1.2.1.2.1"]
+});
+/** GOST R 34.10-2012 512 bit `B` param set */
+export const ID_GOSTR3410_2012_512_PARAM_SET_B = ({
+    p: 0x8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006fn,
+    n: 0x800000000000000000000000000000000000000000000000000000000000000149a1ec142565a545acfdb77bd9d40cfa8b996712101bea0ec6346c54374f25bdn,
+    a: 0x8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006cn,
+    b: 0x687d1b459dc841457e3e06cf6f5e2517b97c7d614af138bcbf85dc806c4b289f3e965d2db1416d217f8b276fad1ab69c50f78bee1fa3106efb8ccbc7c5140116n,
+    Gx: 2n,
+    Gy: 0x1a8f7eda389b094c2c071e3647a8940f3c123b697578c213be6dd9e6c8ec7335dcb228fd1edf4a39152cbcaaf8c0398828041055f94ceeec7e21340780fe41bdn,
+    h: 1n,
+    length: 64,
+    oids: ["1.2.643.7.1.2.1.2.2"]
+});
+/** GOST R 34.10-2012 512 bit `C` param set */
+export const ID_GOSTR3410_2012_512_PARAM_SET_C = ({
+    p: 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdc7n,
+    n: 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc98cdba46506ab004c33a9ff5147502cc8eda9e7a769a12694623cef47f023edn,
+    a: 0xdc9203e514a721875485a529d2c722fb187bc8980eb866644de41c68e143064546e861c0e2c9edd92ade71f46fcf50ff2ad97f951fda9f2a2eb6546f39689bd3n,
+    b: 0xb4c4ee28cebc6c2c8ac12952cf37f16ac7efb6a9f69f4b57ffda2e4f0de5ade038cbc2fff719d2c18de0284b8bfef3b52b8cc7a5f5bf0a3c8d2319a5312557e1n,
+    Gx: 0xe2e31edfc23de7bdebe241ce593ef5de2295b7a9cbaef021d385f7074cea043aa27272a7ae602bf2a7b9033db9ed3610c6fb85487eae97aac5bc7928c1950148n,
+    Gy: 0xf5ce40d95b5eb899abbccff5911cb8577939804d6527378b8c108c3d2090ff9be18e2d33e3021ed2ef32d85822423b6304f726aa854bae07d0396e9a9addc40fn,
+    h: 4n,
+    e: 1n,
+    d: 0x9e4f5d8c017d8d9f13a5cf3cdf5bfe4dab402d54198e31ebde28a0621050439ca6b39e0a515c06b304e2ce43e79e369e91a0cfc2bc2a22b4ca302dbb33ee7550n,
+    length: 64,
+    st: [0x186c289cffa09c983b168c30c829006c952ff4aaf99c73850875d7e77bebef18d653187d6ba8fe533ec74c6f061872585b97cc0f50f57752cd73f4913304621en, 0x9a628f975594ecefd89ba28a2539ffb79c8ab238aeed0851fa5c1abb02b80b44c6734501b83a011dd625cd0b5145091a6d9acd4b1f5c5b1e21b2b249ddfd1271n],
+    oids: ["1.2.643.7.1.2.1.2.3"]
+});

package/gost3410/conversion.d.ts

@@ -0,0 +1,19 @@
+import type { AffinePoint } from "@noble/curves/abstract/curve.js";
+import type { GostCurveParameters } from "./const.js";
+/**
+ * Compute parameters (`s`, `t`) for conversion
+ * @param curve Curve to use
+ */
+export declare const computeST: (curve: GostCurveParameters) => bigint[];
+/**
+ * Convert Twisted Edwards point (`u`, `v`) to Weierstrass (`x`, `y`)
+ * @param curve Curve to use
+ * @param point Twisted Edwards point
+ */
+export declare const uv2xy: (curve: GostCurveParameters, point: AffinePoint<bigint>) => AffinePoint<bigint>;
+/**
+ * Convert Weierstrass point (`x`, `y`) to Twisted Edwards (`u`, `v`)
+ * @param curve Curve to use
+ * @param point Weierstrass point
+ */
+export declare const xy2uv: (curve: GostCurveParameters, point: AffinePoint<bigint>) => AffinePoint<bigint>;

package/gost3410/conversion.js

@@ -0,0 +1,35 @@
+import { Field } from "@noble/curves/abstract/modular.js";
+/**
+ * Compute parameters (`s`, `t`) for conversion
+ * @param curve Curve to use
+ */
+export const computeST = (curve) => {
+    if (!curve.e || !curve.d)
+        throw new Error("No Twisted Edwards parameters");
+    if (curve.st && curve.st.length != 0)
+        return curve.st;
+    const Fp = Field(curve.p);
+    return [Fp.div(Fp.sub(curve.e, curve.d), 4n), Fp.div(Fp.add(curve.e, curve.d), 6n)];
+};
+/**
+ * Convert Twisted Edwards point (`u`, `v`) to Weierstrass (`x`, `y`)
+ * @param curve Curve to use
+ * @param point Twisted Edwards point
+ */
+export const uv2xy = (curve, point) => {
+    const Fp = Field(curve.p);
+    const [s, t] = computeST(curve);
+    const s1v = Fp.mul(s, Fp.add(1n, point.y)), onev = Fp.sub(1n, point.y);
+    return { x: Fp.add(t, Fp.div(s1v, onev)), y: Fp.div(s1v, Fp.mul(point.x, onev)) };
+};
+/**
+ * Convert Weierstrass point (`x`, `y`) to Twisted Edwards (`u`, `v`)
+ * @param curve Curve to use
+ * @param point Weierstrass point
+ */
+export const xy2uv = (curve, point) => {
+    const Fp = Field(curve.p);
+    const [s, t] = computeST(curve);
+    const xt = Fp.sub(point.x, t);
+    return { x: Fp.div(xt, point.y), y: Fp.div(Fp.sub(xt, s), Fp.add(xt, s)) };
+};

package/gost3410/index.d.ts

@@ -0,0 +1,29 @@
+import { type TArg, type TRet } from "@noble/curves/utils.js";
+import { type GostCurveParameters } from "./const.js";
+/**
+ * Generate public key from private.
+ * @param parameters Curve parameters
+ * @param prv Private key
+ * @returns {TRet<Uint8Array>} Uncompressed public key in ANSI X9.62 format
+ */
+export declare const getPublicKey: (parameters: GostCurveParameters, prv: TArg<Uint8Array>) => TRet<Uint8Array>;
+/**
+ * Generate signature of provided digest
+ * @param parameters Curve parameters
+ * @param prv Private key
+ * @param digest Digest to sign
+ * @param rand Optional. Predefined random data for `r` and `k` generation
+ * @returns {TRet<Uint8Array>} Concated `r` and `s`
+ */
+export declare const sign: (parameters: GostCurveParameters, prv: TArg<Uint8Array>, digest: TArg<Uint8Array>, rand?: TArg<Uint8Array>) => TRet<Uint8Array>;
+/**
+ * Verify signature of provided digest
+ * @param parameters Curve parameters
+ * @param pub Public key
+ * @param digest Digest to verify
+ * @param signature Signature (Concated `r` and `s`)
+ */
+export declare const verify: (parameters: GostCurveParameters, pub: TArg<Uint8Array>, digest: TArg<Uint8Array>, signature: TArg<Uint8Array>) => boolean;
+export * from "./const.js";
+export * from "./vko.js";
+export * from "./conversion.js";

package/gost3410/index.js

@@ -0,0 +1,84 @@
+import { bytesToNumberBE, concatBytes, numberToBytesBE, randomBytes } from "@noble/curves/utils.js";
+import {} from "./const.js";
+import { mod } from "@noble/curves/abstract/modular.js";
+import { weierstrass } from "@noble/curves/abstract/weierstrass.js";
+/**
+ * Generate public key from private.
+ * @param parameters Curve parameters
+ * @param prv Private key
+ * @returns {TRet<Uint8Array>} Uncompressed public key in ANSI X9.62 format
+ */
+export const getPublicKey = (parameters, prv) => weierstrass(parameters).BASE.multiply(bytesToNumberBE(prv)).toBytes(false);
+/**
+ * Generate signature of provided digest
+ * @param parameters Curve parameters
+ * @param prv Private key
+ * @param digest Digest to sign
+ * @param rand Optional. Predefined random data for `r` and `k` generation
+ * @returns {TRet<Uint8Array>} Concated `r` and `s`
+ */
+export const sign = (parameters, prv, digest, rand) => {
+    const size = parameters.length;
+    const curve = weierstrass(parameters);
+    const Fn = curve.Fn;
+    let e = Fn.fromBytes(digest);
+    if (e === 0n)
+        e = 1n;
+    const prvNum = Fn.fromBytes(prv);
+    while (true) {
+        rand ||= randomBytes(size);
+        const k = mod(bytesToNumberBE(rand), parameters.n);
+        if (k === 0n)
+            continue;
+        try {
+            let { x: r } = curve.BASE.multiply(k);
+            r = Fn.create(r);
+            if (r === 0n)
+                continue;
+            const s = Fn.add(Fn.mul(r, prvNum), Fn.mul(k, e));
+            if (s === 0n)
+                continue;
+            return concatBytes(numberToBytesBE(r, parameters.length), numberToBytesBE(s, parameters.length));
+        }
+        catch (e) {
+            if (e instanceof Error && e.message === "invalid scalar: out of range")
+                continue;
+            throw e;
+        }
+    }
+};
+/**
+ * Verify signature of provided digest
+ * @param parameters Curve parameters
+ * @param pub Public key
+ * @param digest Digest to verify
+ * @param signature Signature (Concated `r` and `s`)
+ */
+export const verify = (parameters, pub, digest, signature) => {
+    const size = parameters.length;
+    const curve = weierstrass(parameters);
+    const Fn = curve.Fn;
+    if (signature.length != size * 2)
+        throw new Error("Invalid signature");
+    const r = bytesToNumberBE(signature.slice(0, size));
+    const s = bytesToNumberBE(signature.slice(size));
+    if (r <= 0 || r >= parameters.n || s <= 0 || s >= parameters.n)
+        return false;
+    let e = Fn.fromBytes(digest);
+    if (e === 0n)
+        e = 1n;
+    const v = Fn.inv(e);
+    const z1 = Fn.mul(s, v), z2 = Fn.mul(r, v);
+    let P, Q;
+    try {
+        P = curve.BASE.multiply(z1);
+        Q = curve.fromBytes(pub).multiply(z2).negate();
+    }
+    catch {
+        return false;
+    }
+    return Fn.create(P.add(Q).x) === r;
+};
+export * from "./const.js";
+export * from "./vko.js";
+export * from "./conversion.js";

package/gost3410/vko.d.ts

@@ -0,0 +1,38 @@
+import type { GostCurveParameters } from "./const.js";
+import { type TArg, type TRet } from "@noble/curves/utils.js";
+/**
+ * Key agreement function
+ * @param parameters Curve parameters
+ * @param prv Private key
+ * @param pub Public key
+ * @param ukm User keying material (aka salt)
+ * @returns {TRet<Uint8Array>} Shared key
+ */
+export declare const kek: (parameters: GostCurveParameters, prv: TArg<Uint8Array>, pub: TArg<Uint8Array>, ukm: TArg<Uint8Array>) => TRet<Uint8Array>;
+/**
+ * Key agreement function over GOST R 34.11-94 hash
+ * @param parameters Curve parameters
+ * @param prv Private key
+ * @param pub Public key
+ * @param ukm User keying material (aka salt)
+ * @returns {TRet<Uint8Array>} Shared key
+ */
+export declare const kek_34102001: (parameters: GostCurveParameters, prv: TArg<Uint8Array>, pub: TArg<Uint8Array>, ukm: TArg<Uint8Array>) => TRet<Uint8Array>;
+/**
+ * Key agreement function over Streebog (GOST R 34.11-2012) 256 bit hash
+ * @param parameters Curve parameters
+ * @param prv Private key
+ * @param pub Public key
+ * @param ukm User keying material (aka salt)
+ * @returns {TRet<Uint8Array>} Shared key
+ */
+export declare const kek_34102012256: (parameters: GostCurveParameters, prv: TArg<Uint8Array>, pub: TArg<Uint8Array>, ukm: TArg<Uint8Array>) => TRet<Uint8Array>;
+/**
+ * Key agreement function over Streebog (GOST R 34.11-2012) 512 bit hash
+ * @param parameters Curve parameters
+ * @param prv Private key
+ * @param pub Public key
+ * @param ukm User keying material (aka salt)
+ * @returns {TRet<Uint8Array>} Shared key
+ */
+export declare const kek_34102012512: (parameters: GostCurveParameters, prv: TArg<Uint8Array>, pub: TArg<Uint8Array>, ukm: TArg<Uint8Array>) => TRet<Uint8Array>;

package/gost3410/vko.js

@@ -0,0 +1,47 @@
+import { Field } from "@noble/curves/abstract/modular.js";
+import { weierstrass } from "@noble/curves/abstract/weierstrass.js";
+import { gost341194 } from "../gost341194";
+import { streebog256, streebog512 } from "../streebog/index.js";
+import { bytesToNumberBE, concatBytes, numberToBytesLE } from "@noble/curves/utils.js";
+/**
+ * Key agreement function
+ * @param parameters Curve parameters
+ * @param prv Private key
+ * @param pub Public key
+ * @param ukm User keying material (aka salt)
+ * @returns {TRet<Uint8Array>} Shared key
+ */
+export const kek = (parameters, prv, pub, ukm) => {
+    const Fn = Field(parameters.n);
+    const key = weierstrass(parameters).fromBytes(pub)
+        .multiply(bytesToNumberBE(prv))
+        .multiply(Fn.mulN(parameters.h, bytesToNumberBE(ukm)));
+    return concatBytes(numberToBytesLE(key.x, parameters.length), numberToBytesLE(key.y, parameters.length));
+};
+/**
+ * Key agreement function over GOST R 34.11-94 hash
+ * @param parameters Curve parameters
+ * @param prv Private key
+ * @param pub Public key
+ * @param ukm User keying material (aka salt)
+ * @returns {TRet<Uint8Array>} Shared key
+ */
+export const kek_34102001 = (parameters, prv, pub, ukm) => gost341194(kek(parameters, prv, pub, ukm));
+/**
+ * Key agreement function over Streebog (GOST R 34.11-2012) 256 bit hash
+ * @param parameters Curve parameters
+ * @param prv Private key
+ * @param pub Public key
+ * @param ukm User keying material (aka salt)
+ * @returns {TRet<Uint8Array>} Shared key
+ */
+export const kek_34102012256 = (parameters, prv, pub, ukm) => streebog256(kek(parameters, prv, pub, ukm));
+/**
+ * Key agreement function over Streebog (GOST R 34.11-2012) 512 bit hash
+ * @param parameters Curve parameters
+ * @param prv Private key
+ * @param pub Public key
+ * @param ukm User keying material (aka salt)
+ * @returns {TRet<Uint8Array>} Shared key
+ */
+export const kek_34102012512 = (parameters, prv, pub, ukm) => streebog512(kek(parameters, prv, pub, ukm));

package/gost341194/index.d.ts

@@ -0,0 +1,23 @@
+import { type Hash, type TArg, type TRet } from "@noble/hashes/utils.js";
+/** GOST R 34.11-94 hash function */
+export declare class Gost341194 implements Hash<Gost341194> {
+    private data;
+    private sbox;
+    readonly blockLen: number;
+    readonly outputLen = 32;
+    readonly canXOF = false;
+    /** GOST R 34.11-94 hash function */
+    constructor(data?: TArg<Uint8Array>, sbox?: TArg<Uint8Array>[]);
+    /** Create hash instance */
+    static create(): Gost341194;
+    destroy(): void;
+    clone(): Gost341194;
+    _cloneInto(to?: Gost341194): Gost341194;
+    update(data: TArg<Uint8Array>): this;
+    digestInto(buf: TArg<Uint8Array>): void;
+    digest(): TRet<Uint8Array>;
+}
+/** GOST R 34.11-94 hash function */
+export declare const gost341194: (msg: TArg<Uint8Array>, sbox?: TArg<Uint8Array>[]) => TRet<Uint8Array>;
+/** DSTU GOST 34.311-95 */
+export declare const gost3431195: (msg: TArg<Uint8Array>) => TRet<Uint8Array>;

package/gost341194/index.js

@@ -0,0 +1,193 @@
+import { concatBytes } from "@noble/hashes/utils.js";
+import { Magma } from "../magma/index.js";
+import { DSSZZI_UA_DKE_1, ID_GOSTR_3411_94_CRYPTOPRO_PARAM_SET } from "../magma/const.js";
+import { bytesToNumberBE, numberToBytesBE } from "@noble/curves/utils.js";
+import { xorBytes } from "../utils.js";
+const BLOCKSIZE = 32;
+const r = (1n << 256n) - 1n;
+const C2 = new Uint8Array(32);
+const C3 = new Uint8Array([
+    0xff, 0x00, 0xff, 0xff, 0x00, 0x00, 0x00, 0xff,
+    0xff, 0x00, 0x00, 0xff, 0x00, 0xff, 0xff, 0x00,
+    0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff,
+    0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00
+]);
+const C4 = new Uint8Array(32);
+const A = (x) => {
+    const x2 = x.subarray(16, 24);
+    return concatBytes(xorBytes(x.subarray(24, 32), x2), x.subarray(0, 8), x.subarray(8, 16), x2);
+};
+const P = (x) => new Uint8Array([
+    x[0], x[8], x[16], x[24], x[1], x[9], x[17], x[25],
+    x[2], x[10], x[18], x[26], x[3], x[11], x[19], x[27],
+    x[4], x[12], x[20], x[28], x[5], x[13], x[21], x[29],
+    x[6], x[14], x[22], x[30], x[7], x[15], x[23], x[31]
+]);
+/*const chi = (Y: TArg<Uint8Array>): TRet<Uint8Array> => {
+    const byx = new Uint8Array(2);
+    byx[0] = Y[30] ^ Y[28] ^ Y[26] ^ Y[24] ^ Y[6] ^ Y[0];
+    byx[1] = Y[31] ^ Y[29] ^ Y[27] ^ Y[25] ^ Y[7] ^ Y[1];
+
+    const result = new Uint8Array(BLOCKSIZE);
+    result.set(byx, 0);
+    result.set(Y.slice(0,30), 2);
+
+    return result;
+}*/
+const chi = (Y) => new Uint8Array([
+    Y[30] ^ Y[28] ^ Y[26] ^ Y[24] ^ Y[6] ^ Y[0],
+    Y[31] ^ Y[29] ^ Y[27] ^ Y[25] ^ Y[7] ^ Y[1],
+    ...Y.subarray(0, 30)
+]);
+const _step = (hin, m, sbox) => {
+    let u = hin;
+    let v = m;
+    let w = xorBytes(hin, m);
+    const k1 = new Magma(P(w).reverse(), sbox, true);
+    u = xorBytes(A(u), C2);
+    v = A(A(v));
+    w = xorBytes(u, v);
+    const k2 = new Magma(P(w).reverse(), sbox, true);
+    u = xorBytes(A(u), C3);
+    v = A(A(v));
+    w = xorBytes(u, v);
+    const k3 = new Magma(P(w).reverse(), sbox, true);
+    u = xorBytes(A(u), C4);
+    v = A(A(v));
+    w = xorBytes(u, v);
+    const k4 = new Magma(P(w).reverse(), sbox, true);
+    const s = concatBytes(k4.encrypt(hin.slice(0, 8).reverse()).reverse(), k3.encrypt(hin.slice(8, 16).reverse()).reverse(), k2.encrypt(hin.slice(16, 24).reverse()).reverse(), k1.encrypt(hin.slice(24, 32).reverse()).reverse());
+    //let x = new Uint8Array(s);
+    //for(let i = 0; i < 12; i++) x = chi(x);
+    let x = chi(s);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = xorBytes(x, m);
+    x = chi(x);
+    x = xorBytes(hin, x);
+    //for(let i = 0; i < 61; i++) x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    x = chi(x);
+    return x;
+};
+/** GOST R 34.11-94 hash function */
+export class Gost341194 {
+    data;
+    sbox;
+    blockLen = BLOCKSIZE;
+    outputLen = 32;
+    canXOF = false;
+    /** GOST R 34.11-94 hash function */
+    constructor(data = new Uint8Array(), sbox = ID_GOSTR_3411_94_CRYPTOPRO_PARAM_SET) {
+        this.data = data;
+        this.sbox = sbox;
+    }
+    /** Create hash instance */
+    static create() { return new Gost341194(); }
+    destroy() { this.data = new Uint8Array(); }
+    clone() { return this._cloneInto(); }
+    _cloneInto(to) {
+        to ||= new Gost341194();
+        to.data = new Uint8Array(this.data);
+        to.sbox = this.sbox;
+        return to;
+    }
+    update(data) {
+        this.data = concatBytes(this.data, data);
+        return this;
+    }
+    digestInto(buf) {
+        let len = 0n;
+        let checksum = 0n;
+        const h = new Uint8Array(BLOCKSIZE);
+        const m = new Uint8Array(this.data);
+        for (let i = 0; i < m.length; i += BLOCKSIZE) {
+            let part = m.slice(i, i + BLOCKSIZE).reverse();
+            len += BigInt(part.length) * 8n;
+            checksum = (checksum + bytesToNumberBE(part)) & r;
+            if (part.length < BLOCKSIZE)
+                part = numberToBytesBE(bytesToNumberBE(part), BLOCKSIZE);
+            h.set(_step(h, part, this.sbox));
+        }
+        h.set(_step(_step(h, numberToBytesBE(len, BLOCKSIZE), this.sbox), numberToBytesBE(checksum, BLOCKSIZE), this.sbox));
+        buf.set(h.reverse());
+        this.destroy();
+    }
+    digest() {
+        const buffer = new Uint8Array(this.outputLen);
+        this.digestInto(buffer);
+        return buffer;
+    }
+}
+/** GOST R 34.11-94 hash function */
+export const gost341194 = (msg, sbox) => new Gost341194(msg, sbox).digest();
+/** DSTU GOST 34.311-95 */
+export const gost3431195 = (msg) => gost341194(msg, DSSZZI_UA_DKE_1);

package/hmac.d.ts

@@ -0,0 +1,15 @@
+import { type TArg, type TRet } from "@noble/hashes/utils.js";
+import { _HMAC } from "@noble/hashes/hmac.js";
+import { Gost341194 } from "./gost341194/index.js";
+export declare class Streebog256HMAC extends _HMAC<Streebog256HMAC> {
+    constructor(key: TArg<Uint8Array>);
+}
+export declare class Streebog512HMAC extends _HMAC<Streebog512HMAC> {
+    constructor(key: TArg<Uint8Array>);
+}
+export declare class Gost341194HMAC extends _HMAC<Gost341194> {
+    constructor(key: TArg<Uint8Array>);
+}
+export declare const streebog256hmac: (key: TArg<Uint8Array>, message: TArg<Uint8Array>) => TRet<Uint8Array>;
+export declare const streebog512hmac: (key: TArg<Uint8Array>, message: TArg<Uint8Array>) => TRet<Uint8Array>;
+export declare const gost341194hmac: (key: TArg<Uint8Array>, message: TArg<Uint8Array>) => TRet<Uint8Array>;