@noble/curves 0.2.1 → 0.3.1

package/lib/definitions/stark.d.ts

@@ -0,0 +1,62 @@
+import { CHash } from '../weierstrass';
+import * as cutils from '../utils';
+export declare const starkCurve: import("../weierstrass").CurveFn;
+declare function getPublicKey0x(privKey: Hex, isCompressed?: boolean): Uint8Array;
+declare function getSharedSecret0x(privKeyA: Hex, pubKeyB: Hex): Uint8Array;
+declare function sign0x(msgHash: Hex, privKey: Hex, opts: any): import("../weierstrass").SignatureType;
+declare function verify0x(signature: Hex, msgHash: Hex, pubKey: Hex): boolean;
+declare const CURVE: Readonly<{
+    readonly nBitLength: number;
+    readonly nByteLength: number;
+    readonly P: bigint;
+    readonly n: bigint;
+    readonly h: bigint;
+    readonly Gx: bigint;
+    readonly Gy: bigint;
+    readonly a: bigint;
+    readonly b: bigint;
+    lowS: boolean;
+    readonly hash: CHash;
+    readonly hmac: (key: Uint8Array, ...messages: Uint8Array[]) => Uint8Array;
+    randomBytes: typeof cutils.randomBytes;
+    readonly truncateHash?: ((hash: Uint8Array, truncateOnly?: boolean | undefined) => bigint) | undefined;
+    readonly sqrtMod?: ((n: bigint) => bigint) | undefined;
+    readonly normalizePrivateKey?: ((key: cutils.PrivKey) => cutils.PrivKey) | undefined;
+    readonly endo?: {
+        beta: bigint;
+        splitScalar: (k: bigint) => {
+            k1neg: boolean;
+            k1: bigint;
+            k2neg: boolean;
+            k2: bigint;
+        };
+    } | undefined;
+}>, Point: import("../weierstrass").PointConstructor, JacobianPoint: import("../weierstrass").JacobianPointConstructor, Signature: import("../weierstrass").SignatureConstructor;
+export declare const utils: {
+    mod: (a: bigint, b?: bigint | undefined) => bigint;
+    invert: (number: bigint, modulo?: bigint | undefined) => bigint;
+    _bigintToBytes: (num: bigint) => Uint8Array;
+    _bigintToString: (num: bigint) => string;
+    _normalizePrivateKey: (key: cutils.PrivKey) => bigint;
+    _normalizePublicKey: (publicKey: import("../weierstrass").PubKey) => import("../weierstrass").PointType;
+    _isWithinCurveOrder: (num: bigint) => boolean;
+    _isValidFieldElement: (num: bigint) => boolean;
+    _weierstrassEquation: (x: bigint) => bigint;
+    isValidPrivateKey(privateKey: cutils.PrivKey): boolean;
+    hashToPrivateKey: (hash: cutils.Hex) => Uint8Array;
+    randomPrivateKey: () => Uint8Array;
+};
+export { CURVE, Point, Signature, JacobianPoint, getPublicKey0x as getPublicKey, getSharedSecret0x as getSharedSecret, sign0x as sign, verify0x as verify, };
+export declare const bytesToHexEth: (uint8a: Uint8Array) => string;
+export declare const strip0x: (hex: string) => string;
+export declare const numberToHexEth: (num: bigint | number) => string;
+declare type Hex = Uint8Array | string;
+export declare function grindKey(seed: Hex): string;
+export declare function getStarkKey(privateKey: Hex): string;
+export declare function ethSigToPrivate(signature: string): string;
+export declare function getAccountPath(layer: string, application: string, ethereumAddress: string, index: number): string;
+declare type PedersenArg = Hex | bigint | number;
+export declare function pedersen(x: PedersenArg, y: PedersenArg): string;
+export declare function hashChain(data: PedersenArg[], fn?: typeof pedersen): PedersenArg;
+export declare const computeHashOnElements: (data: PedersenArg[], fn?: typeof pedersen) => PedersenArg;
+export declare const keccak: (data: Uint8Array) => bigint;

package/lib/definitions/stark.js

@@ -0,0 +1,248 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.keccak = exports.computeHashOnElements = exports.hashChain = exports.pedersen = exports.getAccountPath = exports.ethSigToPrivate = exports.getStarkKey = exports.grindKey = exports.numberToHexEth = exports.strip0x = exports.bytesToHexEth = exports.verify = exports.sign = exports.getSharedSecret = exports.getPublicKey = exports.JacobianPoint = exports.Signature = exports.Point = exports.CURVE = exports.utils = exports.starkCurve = void 0;
+/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+const sha3_1 = require("@noble/hashes/sha3");
+const sha256_1 = require("@noble/hashes/sha256");
+const hmac_1 = require("@noble/hashes/hmac");
+const utils_1 = require("@noble/hashes/utils");
+const weierstrass_1 = require("../weierstrass");
+const cutils = require("../utils");
+// Stark-friendly elliptic curve
+// https://docs.starkware.co/starkex/stark-curve.html
+// TODO: clarify exports; it is exporting both starkCurve and sign() now, can be confusing
+function getHash(hash) {
+    return {
+        hash,
+        hmac: (key, ...msgs) => (0, hmac_1.hmac)(hash, key, (0, utils_1.concatBytes)(...msgs)),
+    };
+}
+const CURVE_N = BigInt('3618502788666131213697322783095070105526743751716087489154079457884512865583');
+const nBitLength = 252;
+exports.starkCurve = (0, weierstrass_1.weierstrass)({
+    // Params: a, b
+    a: BigInt(1),
+    b: BigInt('3141592653589793238462643383279502884197169399375105820974944592307816406665'),
+    // Field over which we'll do calculations; 2n**251n + 17n * 2n**192n + 1n
+    // There is no efficient sqrt for field (P%4==1)
+    P: BigInt('0x800000000000011000000000000000000000000000000000000000000000001'),
+    // Curve order, total count of valid points in the field.
+    n: CURVE_N,
+    nBitLength: nBitLength,
+    // Base point (x, y) aka generator point
+    Gx: BigInt('874739451078007766457464989774322083649278607533249481151382481072868806602'),
+    Gy: BigInt('152666792071518830868575557812948353041420400780739481342941381225525861407'),
+    h: BigInt(1),
+    // Default options
+    lowS: false,
+    ...getHash(sha256_1.sha256),
+    truncateHash: (hash, truncateOnly = false) => {
+        // TODO: cleanup, ugly code
+        // Fix truncation
+        if (!truncateOnly) {
+            let hashS = bytesToNumber0x(hash).toString(16);
+            if (hashS.length === 63) {
+                hashS += '0';
+                hash = hexToBytes0x(hashS);
+            }
+        }
+        // Truncate zero bytes on left (compat with elliptic)
+        while (hash[0] === 0)
+            hash = hash.subarray(1);
+        const byteLength = hash.length;
+        const delta = byteLength * 8 - nBitLength; // size of curve.n (252 bits)
+        let h = hash.length ? bytesToNumber0x(hash) : 0n;
+        if (delta > 0)
+            h = h >> BigInt(delta);
+        if (!truncateOnly && h >= CURVE_N)
+            h -= CURVE_N;
+        return h;
+    },
+});
+// Custom Starknet type conversion functions that can handle 0x and unpadded hex
+function hexToBytes0x(hex) {
+    if (typeof hex !== 'string') {
+        throw new TypeError('hexToBytes: expected string, got ' + typeof hex);
+    }
+    hex = (0, exports.strip0x)(hex);
+    if (hex.length & 1)
+        hex = '0' + hex; // padding
+    if (hex.length % 2)
+        throw new Error('hexToBytes: received invalid unpadded hex ' + hex.length);
+    const array = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < array.length; i++) {
+        const j = i * 2;
+        const hexByte = hex.slice(j, j + 2);
+        const byte = Number.parseInt(hexByte, 16);
+        if (Number.isNaN(byte) || byte < 0)
+            throw new Error('Invalid byte sequence');
+        array[i] = byte;
+    }
+    return array;
+}
+function hexToNumber0x(hex) {
+    if (typeof hex !== 'string') {
+        throw new TypeError('hexToNumber: expected string, got ' + typeof hex);
+    }
+    // Big Endian
+    // TODO: strip vs no strip?
+    return BigInt(`0x${(0, exports.strip0x)(hex)}`);
+}
+function bytesToNumber0x(bytes) {
+    return hexToNumber0x(cutils.bytesToHex(bytes));
+}
+function ensureBytes0x(hex) {
+    // Uint8Array.from() instead of hash.slice() because node.js Buffer
+    // is instance of Uint8Array, and its slice() creates **mutable** copy
+    return hex instanceof Uint8Array ? Uint8Array.from(hex) : hexToBytes0x(hex);
+}
+function normalizePrivateKey(privKey) {
+    return cutils.bytesToHex(ensureBytes0x(privKey)).padStart(32 * 2, '0');
+}
+function getPublicKey0x(privKey, isCompressed) {
+    return exports.starkCurve.getPublicKey(normalizePrivateKey(privKey), isCompressed);
+}
+exports.getPublicKey = getPublicKey0x;
+function getSharedSecret0x(privKeyA, pubKeyB) {
+    return exports.starkCurve.getSharedSecret(normalizePrivateKey(privKeyA), pubKeyB);
+}
+exports.getSharedSecret = getSharedSecret0x;
+function sign0x(msgHash, privKey, opts) {
+    return exports.starkCurve.sign(ensureBytes0x(msgHash), normalizePrivateKey(privKey), opts);
+}
+exports.sign = sign0x;
+function verify0x(signature, msgHash, pubKey) {
+    const sig = signature instanceof Signature ? signature : ensureBytes0x(signature);
+    return exports.starkCurve.verify(sig, ensureBytes0x(msgHash), ensureBytes0x(pubKey));
+}
+exports.verify = verify0x;
+const { CURVE, Point, JacobianPoint, Signature } = exports.starkCurve;
+exports.CURVE = CURVE;
+exports.Point = Point;
+exports.JacobianPoint = JacobianPoint;
+exports.Signature = Signature;
+exports.utils = exports.starkCurve.utils;
+const stripLeadingZeros = (s) => s.replace(/^0+/gm, '');
+const bytesToHexEth = (uint8a) => `0x${stripLeadingZeros(cutils.bytesToHex(uint8a))}`;
+exports.bytesToHexEth = bytesToHexEth;
+const strip0x = (hex) => hex.replace(/^0x/i, '');
+exports.strip0x = strip0x;
+const numberToHexEth = (num) => `0x${num.toString(16)}`;
+exports.numberToHexEth = numberToHexEth;
+// 1. seed generation
+function hashKeyWithIndex(key, index) {
+    let indexHex = cutils.numberToHexUnpadded(index);
+    if (indexHex.length & 1)
+        indexHex = '0' + indexHex;
+    return bytesToNumber0x((0, sha256_1.sha256)(cutils.concatBytes(key, hexToBytes0x(indexHex))));
+}
+function grindKey(seed) {
+    const _seed = ensureBytes0x(seed);
+    const sha256mask = 2n ** 256n;
+    const limit = sha256mask - exports.starkCurve.utils.mod(sha256mask, exports.starkCurve.CURVE.n);
+    for (let i = 0;; i++) {
+        const key = hashKeyWithIndex(_seed, i);
+        // key should be in [0, limit)
+        if (key < limit)
+            return exports.starkCurve.utils.mod(key, exports.starkCurve.CURVE.n).toString(16);
+    }
+}
+exports.grindKey = grindKey;
+function getStarkKey(privateKey) {
+    return (0, exports.bytesToHexEth)(getPublicKey0x(privateKey, true).slice(1));
+}
+exports.getStarkKey = getStarkKey;
+function ethSigToPrivate(signature) {
+    signature = (0, exports.strip0x)(signature.replace(/^0x/, ''));
+    if (signature.length !== 130)
+        throw new Error('Wrong ethereum signature');
+    return grindKey(signature.substring(0, 64));
+}
+exports.ethSigToPrivate = ethSigToPrivate;
+const MASK_31 = 2n ** 31n - 1n;
+const int31 = (n) => Number(n & MASK_31);
+function getAccountPath(layer, application, ethereumAddress, index) {
+    const layerNum = int31(bytesToNumber0x((0, sha256_1.sha256)(layer)));
+    const applicationNum = int31(bytesToNumber0x((0, sha256_1.sha256)(application)));
+    const eth = hexToNumber0x(ethereumAddress);
+    return `m/2645'/${layerNum}'/${applicationNum}'/${int31(eth)}'/${int31(eth >> 31n)}'/${index}`;
+}
+exports.getAccountPath = getAccountPath;
+// https://docs.starkware.co/starkex/pedersen-hash-function.html
+const PEDERSEN_POINTS = [
+    new Point(2089986280348253421170679821480865132823066470938446095505822317253594081284n, 1713931329540660377023406109199410414810705867260802078187082345529207694986n),
+    new Point(996781205833008774514500082376783249102396023663454813447423147977397232763n, 1668503676786377725805489344771023921079126552019160156920634619255970485781n),
+    new Point(2251563274489750535117886426533222435294046428347329203627021249169616184184n, 1798716007562728905295480679789526322175868328062420237419143593021674992973n),
+    new Point(2138414695194151160943305727036575959195309218611738193261179310511854807447n, 113410276730064486255102093846540133784865286929052426931474106396135072156n),
+    new Point(2379962749567351885752724891227938183011949129833673362440656643086021394946n, 776496453633298175483985398648758586525933812536653089401905292063708816422n),
+];
+// for (const p of PEDERSEN_POINTS) p._setWindowSize(8);
+const PEDERSEN_POINTS_JACOBIAN = PEDERSEN_POINTS.map(JacobianPoint.fromAffine);
+function pedersenPrecompute(p1, p2) {
+    const out = [];
+    let p = p1;
+    for (let i = 0; i < 248; i++) {
+        out.push(p);
+        p = p.double();
+    }
+    p = p2;
+    for (let i = 0; i < 4; i++) {
+        out.push(p);
+        p = p.double();
+    }
+    return out;
+}
+const PEDERSEN_POINTS1 = pedersenPrecompute(PEDERSEN_POINTS_JACOBIAN[1], PEDERSEN_POINTS_JACOBIAN[2]);
+const PEDERSEN_POINTS2 = pedersenPrecompute(PEDERSEN_POINTS_JACOBIAN[3], PEDERSEN_POINTS_JACOBIAN[4]);
+function pedersenArg(arg) {
+    let value;
+    if (typeof arg === 'bigint')
+        value = arg;
+    else if (typeof arg === 'number') {
+        if (!Number.isSafeInteger(arg))
+            throw new Error(`Invalid pedersenArg: ${arg}`);
+        value = BigInt(arg);
+    }
+    else
+        value = bytesToNumber0x(ensureBytes0x(arg));
+    // [0..Fp)
+    if (!(0n <= value && value < exports.starkCurve.CURVE.P))
+        throw new Error(`PedersenArg should be 0 <= value < CURVE.P: ${value}`);
+    return value;
+}
+function pedersenSingle(point, value, constants) {
+    let x = pedersenArg(value);
+    for (let j = 0; j < 252; j++) {
+        const pt = constants[j];
+        if (pt.x === point.x)
+            throw new Error('Same point');
+        if ((x & 1n) !== 0n)
+            point = point.add(pt);
+        x >>= 1n;
+    }
+    return point;
+}
+// shift_point + x_low * P_0 + x_high * P1 + y_low * P2  + y_high * P3
+function pedersen(x, y) {
+    let point = PEDERSEN_POINTS_JACOBIAN[0];
+    point = pedersenSingle(point, x, PEDERSEN_POINTS1);
+    point = pedersenSingle(point, y, PEDERSEN_POINTS2);
+    return (0, exports.bytesToHexEth)(point.toAffine().toRawBytes(true).slice(1));
+}
+exports.pedersen = pedersen;
+function hashChain(data, fn = pedersen) {
+    if (!Array.isArray(data) || data.length < 1)
+        throw new Error('data should be array of at least 1 element');
+    if (data.length === 1)
+        return (0, exports.numberToHexEth)(pedersenArg(data[0]));
+    return Array.from(data)
+        .reverse()
+        .reduce((acc, i) => fn(i, acc));
+}
+exports.hashChain = hashChain;
+// Same as hashChain, but computes hash even for single element and order is not revesed
+const computeHashOnElements = (data, fn = pedersen) => [0, ...data, data.length].reduce((x, y) => fn(x, y));
+exports.computeHashOnElements = computeHashOnElements;
+const MASK_250 = 2n ** 250n - 1n;
+const keccak = (data) => bytesToNumber0x((0, sha3_1.keccak_256)(data)) & MASK_250;
+exports.keccak = keccak;

package/lib/edwards.d.ts

@@ -11,7 +11,7 @@ export declare type CurveType = BasicCurve & {
     a: bigint;
     d: bigint;
     hash: CHash;
-    randomBytes: (bytesLength?: number) => Uint8Array;
+    randomBytes?: (bytesLength?: number) => Uint8Array;
     adjustScalarBytes?: (bytes: Uint8Array) => Uint8Array;
     domain?: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array;
     uvRatio?: (u: bigint, v: bigint) => {
@@ -31,7 +31,7 @@ declare function validateOpts(curve: CurveType): Readonly<{
     readonly a: bigint;
     readonly d: bigint;
     readonly hash: CHash;
-    readonly randomBytes: (bytesLength?: number | undefined) => Uint8Array;
+    randomBytes: (bytesLength?: number | undefined) => Uint8Array;
     readonly adjustScalarBytes?: ((bytes: Uint8Array) => Uint8Array) | undefined;
     readonly domain?: ((data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array) | undefined;
     readonly uvRatio?: ((u: bigint, v: bigint) => {

package/lib/edwards.js

@@ -27,18 +27,14 @@ function validateOpts(curve) {
         if (typeof opts[i] !== 'bigint')
             throw new Error(`Invalid curve param ${i}=${opts[i]} (${typeof opts[i]})`);
     }
-    for (const fn of ['randomBytes']) {
-        if (typeof opts[fn] !== 'function')
-            throw new Error(`Invalid ${fn} function`);
-    }
-    for (const fn of ['adjustScalarBytes', 'domain', 'uvRatio']) {
+    for (const fn of ['adjustScalarBytes', 'domain', 'randomBytes', 'uvRatio']) {
         if (opts[fn] === undefined)
             continue; // Optional
         if (typeof opts[fn] !== 'function')
             throw new Error(`Invalid ${fn} function`);
     }
     // Set defaults
-    return Object.freeze({ ...opts });
+    return Object.freeze({ randomBytes: utils_js_1.randomBytes, ...opts });
 }
 // NOTE: it is not generic twisted curve for now, but ed25519/ed448 generic implementation
 function twistedEdwards(curveDef) {

package/lib/esm/crypto.js

@@ -0,0 +1,5 @@
+import * as nodeCrypto from 'crypto';
+export const crypto = {
+    node: nodeCrypto,
+    web: undefined,
+};

package/lib/esm/cryptoBrowser.js

@@ -0,0 +1,4 @@
+export const crypto = {
+    node: undefined,
+    web: typeof self === 'object' && 'crypto' in self ? self.crypto : undefined,
+};

package/lib/esm/definitions/_shortw_utils.js

@@ -0,0 +1,13 @@
+import { hmac } from '@noble/hashes/hmac';
+import { concatBytes } from '@noble/hashes/utils';
+import { weierstrass } from '../weierstrass';
+export function getHash(hash) {
+    return {
+        hash,
+        hmac: (key, ...msgs) => hmac(hash, key, concatBytes(...msgs)),
+    };
+}
+export function createCurve(curveDef, defHash) {
+    const create = (hash) => weierstrass({ ...curveDef, ...getHash(hash) });
+    return Object.freeze({ ...create(defHash), create });
+}

package/lib/esm/definitions/bn.js

@@ -0,0 +1,20 @@
+/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { weierstrass } from '../weierstrass';
+import { sha256 } from '@noble/hashes/sha256';
+import { getHash } from './_shortw_utils.js';
+/**
+ * bn254 pairing-friendly curve.
+ * Previously known as alt_bn_128, when it had 128-bit security.
+ * Recent research shown it's weaker, the naming has been adjusted to its prime bit count.
+ * https://github.com/zcash/zcash/issues/2502
+ */
+export const bn254 = weierstrass({
+    a: BigInt(0),
+    b: BigInt(3),
+    P: BigInt('0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47'),
+    n: BigInt('0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593f0000001'),
+    Gx: BigInt(1),
+    Gy: BigInt(2),
+    h: BigInt(1),
+    ...getHash(sha256),
+});