@noble/curves 0.1.0 → 0.2.1

package/lib/{shortw.js → weierstrass.js}

@@ -1,33 +1,34 @@
 "use strict";
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// Implementation of Short weierstrass curve. The formula is: y² = x³ + ax + b
+// Implementation of Short Weierstrass curve. The formula is: y² = x³ + ax + b
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.weierstrass = void 0;
 // TODO: sync vs async naming
 // TODO: default randomBytes
+// Differences from @noble/secp256k1 1.7:
+// 1. Different double() formula (but same addition)
+// 2. Different sqrt() function
+// 3. truncateHash() truncateOnly mode
+// 4. DRBG supports outputLen bigger than outputLen of hmac
 const mod = require("./modular.js");
 const utils_js_1 = require("./utils.js");
+const group_js_1 = require("./group.js");
 // Should be separate from overrides, since overrides can use information about curve (for example nBits)
 function validateOpts(curve) {
-    if (typeof curve.hash !== 'function' || !Number.isSafeInteger(curve.hash.outputLen))
+    const opts = (0, utils_js_1.validateOpts)(curve);
+    if (typeof opts.hash !== 'function' || !Number.isSafeInteger(opts.hash.outputLen))
         throw new Error('Invalid hash function');
-    if (typeof curve.hmac !== 'function')
+    if (typeof opts.hmac !== 'function')
         throw new Error('Invalid hmac function');
-    if (typeof curve.randomBytes !== 'function')
+    if (typeof opts.randomBytes !== 'function')
         throw new Error('Invalid randomBytes function');
-    for (const i of ['a', 'b', 'P', 'n', 'Gx', 'Gy']) {
-        if (typeof curve[i] !== 'bigint')
-            throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
+    for (const i of ['a', 'b']) {
+        if (typeof opts[i] !== 'bigint')
+            throw new Error(`Invalid curve param ${i}=${opts[i]} (${typeof opts[i]})`);
     }
-    for (const i of ['nBitLength', 'nByteLength']) {
-        if (curve[i] === undefined)
-            continue; // Optional
-        if (!Number.isSafeInteger(curve[i]))
-            throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
-    }
-    const endo = curve.endo;
+    const endo = opts.endo;
     if (endo) {
-        if (curve.a !== _0n) {
+        if (opts.a !== _0n) {
             throw new Error('Endomorphism can only be defined for Koblitz curves that have a=0');
         }
         if (typeof endo !== 'object' ||
@@ -36,10 +37,8 @@ function validateOpts(curve) {
             throw new Error('Expected endomorphism with beta: bigint and splitScalar: function');
         }
     }
-    const nBitLength = curve.n.toString(2).length; // Bit size of CURVE.n
-    const nByteLength = Math.ceil(nBitLength / 8); // Byte size of CURVE.n
     // Set defaults
-    return Object.freeze({ lowS: true, nBitLength, nByteLength, ...curve });
+    return Object.freeze({ lowS: true, ...opts });
 }
 // TODO: convert bits to bytes aligned to 32 bits? (224 for example)
 // DER encoding utilities
@@ -66,7 +65,7 @@ function parseDERInt(data) {
     if (res[0] === 0x00 && res[1] <= 0x7f) {
         throw new DERError('Invalid signature integer: trailing length');
     }
-    return { data: (0, utils_js_1.bytesToNumber)(res), left: data.subarray(len + 2) };
+    return { data: (0, utils_js_1.bytesToNumberBE)(res), left: data.subarray(len + 2) };
 }
 function parseDERSignature(data) {
     if (data.length < 2 || data[0] != 0x30) {
@@ -104,8 +103,8 @@ class HmacDrbg {
         if (typeof hmacFn !== 'function')
             throw new Error('hmacFn must be a function');
         // Step B, Step C: set hashLen to 8*ceil(hlen/8)
-        this.v = new Uint8Array(this.hashLen).fill(1);
-        this.k = new Uint8Array(this.hashLen).fill(0);
+        this.v = new Uint8Array(hashLen).fill(1);
+        this.k = new Uint8Array(hashLen).fill(0);
         this.counter = 0;
     }
     hmacSync(...values) {
@@ -141,7 +140,10 @@ class HmacDrbg {
 // Use only input from curveOpts!
 function weierstrass(curveDef) {
     const CURVE = validateOpts(curveDef);
+    const CURVE_ORDER = CURVE.n;
     // Lengths
+    // All curves has same field / group length as for now, but it can be different for other curves
+    const groupLen = CURVE.nByteLength;
     const fieldLen = CURVE.nByteLength; // 32 (length of one field element)
     if (fieldLen > 2048)
         throw new Error('Field lengths over 2048 are not supported');
@@ -191,15 +193,15 @@ function weierstrass(curveDef) {
             num = BigInt(key);
         }
         else if (typeof key === 'string') {
-            key = key.padStart(2 * fieldLen, '0'); // Eth-like hexes
-            if (key.length !== 2 * fieldLen)
-                throw new Error(`Expected ${fieldLen} bytes of private key`);
+            key = key.padStart(2 * groupLen, '0'); // Eth-like hexes
+            if (key.length !== 2 * groupLen)
+                throw new Error(`Expected ${groupLen} bytes of private key`);
             num = (0, utils_js_1.hexToNumber)(key);
         }
         else if (key instanceof Uint8Array) {
-            if (key.length !== fieldLen)
-                throw new Error(`Expected ${fieldLen} bytes of private key`);
-            num = (0, utils_js_1.bytesToNumber)(key);
+            if (key.length !== groupLen)
+                throw new Error(`Expected ${groupLen} bytes of private key`);
+            num = (0, utils_js_1.bytesToNumberBE)(key);
         }
         else {
             throw new TypeError('Expected valid private key');
@@ -224,11 +226,11 @@ function weierstrass(curveDef) {
             throw new Error(`Unknown type of public key: ${publicKey}`);
     }
     function isBiggerThanHalfOrder(number) {
-        const HALF = CURVE.n >> _1n;
+        const HALF = CURVE_ORDER >> _1n;
         return number > HALF;
     }
     function normalizeS(s) {
-        return isBiggerThanHalfOrder(s) ? mod.mod(-s, CURVE.n) : s;
+        return isBiggerThanHalfOrder(s) ? mod.mod(-s, CURVE_ORDER) : s;
     }
     function normalizeScalar(num) {
         if (typeof num === 'number' && Number.isSafeInteger(num) && num > 0)
@@ -243,7 +245,7 @@ function weierstrass(curveDef) {
         const { n, nBitLength } = CURVE;
         const byteLength = hash.length;
         const delta = byteLength * 8 - nBitLength; // size of curve.n (252 bits)
-        let h = (0, utils_js_1.bytesToNumber)(hash);
+        let h = (0, utils_js_1.bytesToNumberBE)(hash);
         if (delta > 0)
             h = h >> BigInt(delta);
         if (!truncateOnly && h >= n)
@@ -311,6 +313,22 @@ function weierstrass(curveDef) {
         double() {
             const { x: X1, y: Y1, z: Z1 } = this;
             const { a } = CURVE;
+            // Faster algorithm: when a=0
+            // From: https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-dbl-2009-l
+            // Cost: 2M + 5S + 6add + 3*2 + 1*3 + 1*8.
+            if (a === _0n) {
+                const A = modP(X1 * X1);
+                const B = modP(Y1 * Y1);
+                const C = modP(B * B);
+                const x1b = X1 + B;
+                const D = modP(_2n * (modP(x1b * x1b) - A - C));
+                const E = modP(_3n * A);
+                const F = modP(E * E);
+                const X3 = modP(F - _2n * D);
+                const Y3 = modP(E * (D - X3) - _8n * C);
+                const Z3 = modP(_2n * Y1 * Z1);
+                return new JacobianPoint(X3, Y3, Z3);
+            }
             const XX = modP(X1 * X1);
             const YY = modP(Y1 * Y1);
             const YYYY = modP(YY * YY);
@@ -332,9 +350,6 @@ function weierstrass(curveDef) {
         add(other) {
             if (!(other instanceof JacobianPoint))
                 throw new TypeError('JacobianPoint expected');
-            // TODO: remove
-            if (this.equals(JacobianPoint.ZERO))
-                return other;
             const { x: X1, y: Y1, z: Z1 } = this;
             const { x: X2, y: Y2, z: Z2 } = other;
             if (X2 === _0n || Y2 === _0n)
@@ -377,17 +392,8 @@ function weierstrass(curveDef) {
             let n = normalizeScalar(scalar);
             if (n === _1n)
                 return this;
-            if (!CURVE.endo) {
-                let p = P0;
-                let d = this;
-                while (n > _0n) {
-                    if (n & _1n)
-                        p = p.add(d);
-                    d = d.double();
-                    n >>= _1n;
-                }
-                return p;
-            }
+            if (!CURVE.endo)
+                return wnaf.unsafeLadder(this, n);
             // Apply endomorphism
             let { k1neg, k1, k2neg, k2 } = CURVE.endo.splitScalar(n);
             let k1p = P0;
@@ -409,99 +415,23 @@ function weierstrass(curveDef) {
             k2p = new JacobianPoint(modP(k2p.x * CURVE.endo.beta), k2p.y, k2p.z);
             return k1p.add(k2p);
         }
-        /**
-         * Creates a wNAF precomputation window. Used for caching.
-         * Default window size is set by `utils.precompute()` and is equal to 8.
-         * Which means we are caching 65536 points: 256 points for every bit from 0 to 256.
-         * @returns 65K precomputed points, depending on W
-         */
-        precomputeWindow(W) {
-            const windows = CURVE.endo
-                ? Math.ceil(CURVE.nBitLength / 2) / W + 1
-                : CURVE.nBitLength / W + 1;
-            const points = [];
-            let p = this;
-            let base = p;
-            for (let window = 0; window < windows; window++) {
-                base = p;
-                points.push(base);
-                for (let i = 1; i < 2 ** (W - 1); i++) {
-                    base = base.add(p);
-                    points.push(base);
-                }
-                p = base.double();
-            }
-            return points;
-        }
         /**
          * Implements w-ary non-adjacent form for calculating ec multiplication.
-         * @param n
-         * @param affinePoint optional 2d point to save cached precompute windows on it.
-         * @returns real and fake (for const-time) points
          */
         wNAF(n, affinePoint) {
             if (!affinePoint && this.equals(JacobianPoint.BASE))
                 affinePoint = Point.BASE;
             const W = (affinePoint && affinePoint._WINDOW_SIZE) || 1;
-            if (256 % W) {
-                throw new Error('Point#wNAF: Invalid precomputation window, must be power of 2');
-            }
             // Calculate precomputes on a first run, reuse them after
             let precomputes = affinePoint && pointPrecomputes.get(affinePoint);
             if (!precomputes) {
-                precomputes = this.precomputeWindow(W);
+                precomputes = wnaf.precomputeWindow(this, W);
                 if (affinePoint && W !== 1) {
                     precomputes = JacobianPoint.normalizeZ(precomputes);
                     pointPrecomputes.set(affinePoint, precomputes);
                 }
             }
-            // Initialize real and fake points for const-time
-            let p = JacobianPoint.ZERO;
-            // Should be G (base) point, since otherwise f can be infinity point in the end
-            let f = JacobianPoint.BASE;
-            const nBits = CURVE.endo ? CURVE.nBitLength / 2 : CURVE.nBitLength;
-            const windows = 1 + Math.ceil(nBits / W); // W=8 17
-            const windowSize = 2 ** (W - 1); // W=8 128
-            const mask = BigInt(2 ** W - 1); // Create mask with W ones: 0b11111111 for W=8
-            const maxNumber = 2 ** W; // W=8 256
-            const shiftBy = BigInt(W); // W=8 8
-            for (let window = 0; window < windows; window++) {
-                const offset = window * windowSize;
-                // Extract W bits.
-                let wbits = Number(n & mask);
-                // Shift number by W bits.
-                n >>= shiftBy;
-                // If the bits are bigger than max size, we'll split those.
-                // +224 => 256 - 32
-                if (wbits > windowSize) {
-                    wbits -= maxNumber;
-                    n += _1n;
-                }
-                // This code was first written with assumption that 'f' and 'p' will never be infinity point:
-                // since each addition is multiplied by 2 ** W, it cannot cancel each other. However,
-                // there is negate now: it is possible that negated element from low value
-                // would be the same as high element, which will create carry into next window.
-                // It's not obvious how this can fail, but still worth investigating later.
-                // Check if we're onto Zero point.
-                // Add random point inside current window to f.
-                const offset1 = offset;
-                const offset2 = offset + Math.abs(wbits) - 1;
-                const cond1 = window % 2 !== 0;
-                const cond2 = wbits < 0;
-                if (wbits === 0) {
-                    // The most important part for const-time getPublicKey
-                    f = f.add(constTimeNegate(cond1, precomputes[offset1]));
-                }
-                else {
-                    p = p.add(constTimeNegate(cond2, precomputes[offset2]));
-                }
-            }
-            // JIT-compiler should not eliminate f here, since it will later be used in normalizeZ()
-            // Even if the variable is still unused, there are some checks which will
-            // throw an exception, so compiler needs to prove they won't happen, which is hard.
-            // At this point there is a way to F be infinity-point even if p is not,
-            // which makes it less const-time: around 1 bigint multiply.
-            return { p, f };
+            return wnaf.wNAF(W, precomputes, n);
         }
         /**
          * Constant time multiplication.
@@ -521,8 +451,8 @@ function weierstrass(curveDef) {
                 const { k1neg, k1, k2neg, k2 } = CURVE.endo.splitScalar(n);
                 let { p: k1p, f: f1p } = this.wNAF(k1, affinePoint);
                 let { p: k2p, f: f2p } = this.wNAF(k2, affinePoint);
-                k1p = constTimeNegate(k1neg, k1p);
-                k2p = constTimeNegate(k2neg, k2p);
+                k1p = wnaf.constTimeNegate(k1neg, k1p);
+                k2p = wnaf.constTimeNegate(k2neg, k2p);
                 k2p = new JacobianPoint(modP(k2p.x * CURVE.endo.beta), k2p.y, k2p.z);
                 point = k1p.add(k2p);
                 fake = f1p.add(f2p);
@@ -561,11 +491,7 @@ function weierstrass(curveDef) {
     }
     JacobianPoint.BASE = new JacobianPoint(CURVE.Gx, CURVE.Gy, _1n);
     JacobianPoint.ZERO = new JacobianPoint(_0n, _1n, _0n);
-    // Const-time utility for wNAF
-    function constTimeNegate(condition, item) {
-        const neg = item.negate();
-        return condition ? neg : item;
-    }
+    const wnaf = (0, group_js_1.wNAF)(JacobianPoint, CURVE.endo ? CURVE.nBitLength / 2 : CURVE.nBitLength);
     // Stores precomputed values for points.
     const pointPrecomputes = new WeakMap();
     /**
@@ -586,13 +512,12 @@ function weierstrass(curveDef) {
             return this.y % _2n === _0n;
         }
         /**
-         * Supports compressed ECDSA (33-byte) points
-         * @param bytes 33 bytes
+         * Supports compressed ECDSA points
          * @returns Point instance
          */
         static fromCompressedHex(bytes) {
             const P = CURVE.P;
-            const x = (0, utils_js_1.bytesToNumber)(bytes.subarray(1));
+            const x = (0, utils_js_1.bytesToNumberBE)(bytes.subarray(1));
             if (!isValidFieldElement(x))
                 throw new Error('Point is not on curve');
             const y2 = weierstrassEquation(x); // y² = x³ + ax + b
@@ -607,15 +532,15 @@ function weierstrass(curveDef) {
             return point;
         }
         static fromUncompressedHex(bytes) {
-            const x = (0, utils_js_1.bytesToNumber)(bytes.subarray(1, fieldLen + 1));
-            const y = (0, utils_js_1.bytesToNumber)(bytes.subarray(fieldLen + 1, 2 * fieldLen + 1));
+            const x = (0, utils_js_1.bytesToNumberBE)(bytes.subarray(1, fieldLen + 1));
+            const y = (0, utils_js_1.bytesToNumberBE)(bytes.subarray(fieldLen + 1, 2 * fieldLen + 1));
             const point = new Point(x, y);
             point.assertValidity();
             return point;
         }
         /**
          * Converts hash string or Uint8Array to Point.
-         * @param hex 33/65-byte (ECDSA) hex
+         * @param hex short/long ECDSA hex
          */
         static fromHex(hex) {
             const bytes = (0, utils_js_1.ensureBytes)(hex);
@@ -647,7 +572,8 @@ function weierstrass(curveDef) {
         }
         // A point on curve is valid if it conforms to equation.
         assertValidity() {
-            const msg = 'Point is not on curve';
+            // Some 3rd-party test vectors require different wording between here & `fromCompressedHex`
+            const msg = 'Point is not on elliptic curve';
             const { x, y } = this;
             if (!isValidFieldElement(x) || !isValidFieldElement(y))
                 throw new Error(msg);
@@ -657,6 +583,8 @@ function weierstrass(curveDef) {
                 throw new Error(msg);
         }
         equals(other) {
+            if (!(other instanceof Point))
+                throw new TypeError('Point#equals: expected Point');
             return this.x === other.x && this.y === other.y;
         }
         // Returns the same point with inverted `y`
@@ -784,7 +712,7 @@ function weierstrass(curveDef) {
         }
         normalizeS() {
             return this.hasHighS()
-                ? new Signature(this.r, mod.mod(-this.s, CURVE.n), this.recovery)
+                ? new Signature(this.r, mod.mod(-this.s, CURVE_ORDER), this.recovery)
                 : this;
         }
         // DER-encoded
@@ -822,26 +750,20 @@ function weierstrass(curveDef) {
             }
         },
         _bigintToBytes: numToField,
+        _bigintToString: numToFieldStr,
         _normalizePrivateKey: normalizePrivateKey,
+        _normalizePublicKey: normalizePublicKey,
+        _isWithinCurveOrder: isWithinCurveOrder,
+        _isValidFieldElement: isValidFieldElement,
+        _weierstrassEquation: weierstrassEquation,
         /**
-         * Can take (keyLength + 8) or more bytes of uniform input e.g. from CSPRNG or KDF
-         * and convert them into private key, with the modulo bias being neglible.
-         * As per FIPS 186 B.4.1.
-         * https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
-         * @param hash hash output from sha512, or a similar function
-         * @returns valid private key
+         * Converts some bytes to a valid private key. Needs at least (nBitLength+64) bytes.
+         */
+        hashToPrivateKey: (hash) => numToField((0, utils_js_1.hashToPrivateScalar)(hash, CURVE_ORDER)),
+        /**
+         * Produces cryptographically secure private key from random of size (nBitLength+64)
+         * as per FIPS 186 B.4.1 with modulo bias being neglible.
          */
-        hashToPrivateKey: (hash) => {
-            hash = (0, utils_js_1.ensureBytes)(hash);
-            const minLen = fieldLen + 8;
-            if (hash.length < minLen || hash.length > 1024) {
-                throw new Error(`Expected ${minLen}-1024 bytes of private key as per FIPS 186`);
-            }
-            const num = mod.mod((0, utils_js_1.bytesToNumber)(hash), CURVE.n - _1n) + _1n;
-            return numToField(num);
-        },
-        // Takes curve order + 64 bits from CSPRNG
-        // so that modulo bias is neglible, matches FIPS 186 B.4.1.
         randomPrivateKey: () => utils.hashToPrivateKey(CURVE.randomBytes(fieldLen + 8)),
         /**
          * 1. Returns cached point which you can use to pass to `getSharedSecret` or `#multiply` by it.
@@ -860,8 +782,8 @@ function weierstrass(curveDef) {
     };
     /**
      * Computes public key for a private key.
-     * @param privateKey 32-byte private key
-     * @param isCompressed whether to return compact (33-byte), or full (65-byte) key
+     * @param privateKey private key
+     * @param isCompressed whether to return compact, or full key
      * @returns Public key, full by default; short when isCompressed=true
      */
     function getPublicKey(privateKey, isCompressed = false) {
@@ -903,11 +825,11 @@ function weierstrass(curveDef) {
     // RFC6979 methods
     function bits2int(bytes) {
         const slice = bytes.length > fieldLen ? bytes.slice(0, fieldLen) : bytes;
-        return (0, utils_js_1.bytesToNumber)(slice);
+        return (0, utils_js_1.bytesToNumberBE)(slice);
     }
     function bits2octets(bytes) {
         const z1 = bits2int(bytes);
-        const z2 = mod.mod(z1, CURVE.n);
+        const z2 = mod.mod(z1, CURVE_ORDER);
         return int2octets(z2 < _0n ? z1 : z2);
     }
     function int2octets(num) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@noble/curves",
-  "version": "0.1.0",
+  "version": "0.2.1",
   "description": "Minimal, zero-dependency JS implementation of elliptic curve cryptography",
   "files": [
     "index.js",
@@ -8,7 +8,7 @@
     "lib/esm"
   ],
   "scripts": {
-    "bench": "node test/benchmark/index.js",
+    "bench": "node curve-definitions/benchmark/index.js",
     "build": "tsc && tsc -p tsconfig.esm.json",
     "build:release": "rollup -c rollup.config.js",
     "lint": "prettier --check 'src/**/*.{js,ts}' 'curve-definitions/src/**/*.{js,ts}'",
@@ -32,15 +32,25 @@
   },
   "main": "index.js",
   "exports": {
+    "./edwards": {
+      "types": "./lib/edwards.d.ts",
+      "import": "./lib/esm/edwards.js",
+      "default": "./lib/edwards.js"
+    },
     "./modular": {
       "types": "./lib/modular.d.ts",
       "import": "./lib/esm/modular.js",
       "default": "./lib/modular.js"
     },
-    "./shortw": {
-      "types": "./lib/shortw.d.ts",
-      "import": "./lib/esm/shortw.js",
-      "default": "./lib/shortw.js"
+    "./montgomery": {
+      "types": "./lib/montgomery.d.ts",
+      "import": "./lib/esm/montgomery.js",
+      "default": "./lib/montgomery.js"
+    },
+    "./weierstrass": {
+      "types": "./lib/weierstrass.d.ts",
+      "import": "./lib/esm/weierstrass.js",
+      "default": "./lib/weierstrass.js"
     },
     "./utils": {
       "types": "./lib/utils.d.ts",
@@ -53,14 +63,16 @@
     "curve",
     "cryptography",
     "hyperelliptic",
+    "weierstrass",
+    "edwards",
+    "montgomery",
+    "secp256k1",
+    "ed25519",
+    "ed448",
     "p256",
     "p384",
     "p521",
     "nist",
-    "weierstrass",
-    "edwards",
-    "montgomery",
-    "hashes",
     "ecc",
     "ecdsa",
     "eddsa",
@@ -72,4 +84,4 @@
       "url": "https://paulmillr.com/funding/"
     }
   ]
-}
+}