@noble/curves 0.3.1 → 0.4.0

package/lib/esm/modular.js

@@ -1,4 +1,5 @@
 /*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import * as utils from './utils.js';
 // Utilities for modular arithmetics
 const _0n = BigInt(0);
 const _1n = BigInt(1);
@@ -14,6 +15,7 @@ export function mod(a, b) {
  * @example
  * powMod(2n, 6n, 11n) // 64n % 11n == 9n
  */
+// TODO: use field version && remove
 export function pow(num, power, modulo) {
     if (modulo <= _0n || power < _0n)
         throw new Error('Expected power/modulo > 0');
@@ -29,6 +31,7 @@ export function pow(num, power, modulo) {
     return res;
 }
 // Does x ^ (2 ^ power) mod p. pow2(30, 4) == 30 ^ (2 ^ 4)
+// TODO: Fp version?
 export function pow2(x, power, modulo) {
     let res = x;
     while (power-- > _0n) {
@@ -60,56 +63,19 @@ export function invert(number, modulo) {
         throw new Error('invert: does not exist');
     return mod(x, modulo);
 }
-/**
- * Division over finite field.
- * `a/b mod p == a * invert(b) mod p`
- */
-export function div(numerator, denominator, modulo) {
-    const num = mod(numerator, modulo);
-    const iden = invert(denominator, modulo);
-    return mod(num * iden, modulo);
-}
-/**
- * Takes a list of numbers, efficiently inverts all of them.
- * @param nums list of bigints
- * @param p modulo
- * @returns list of inverted bigints
- * @example
- * invertBatch([1n, 2n, 4n], 21n);
- * // => [1n, 11n, 16n]
- */
-export function invertBatch(nums, modulo) {
-    const scratch = new Array(nums.length);
-    // Walk from first to last, multiply them by each other MOD p
-    const lastMultiplied = nums.reduce((acc, num, i) => {
-        if (num === _0n)
-            return acc;
-        scratch[i] = acc;
-        return mod(acc * num, modulo);
-    }, _1n);
-    // Invert last element
-    const inverted = invert(lastMultiplied, modulo);
-    // Walk from last to first, multiply them by inverted each other MOD p
-    nums.reduceRight((acc, num, i) => {
-        if (num === _0n)
-            return acc;
-        scratch[i] = mod(acc * scratch[i], modulo);
-        return mod(acc * num, modulo);
-    }, inverted);
-    return scratch;
-}
 /**
  * Calculates Legendre symbol (a | p), which denotes the value of a^((p-1)/2) (mod p).
  * * (a | p) ≡ 1    if a is a square (mod p)
  * * (a | p) ≡ -1   if a is not a square (mod p)
  * * (a | p) ≡ 0    if a ≡ 0 (mod p)
  */
-export function legendre(num, P) {
-    return pow(num, (P - _1n) / _2n, P);
+export function legendre(num, fieldPrime) {
+    return pow(num, (fieldPrime - _1n) / _2n, fieldPrime);
 }
 /**
  * Calculates square root of a number in a finite field.
  */
+// TODO: rewrite as generic Fp function && remove bls versions
 export function sqrt(number, modulo) {
     // prettier-ignore
     const _3n = BigInt(3), _4n = BigInt(4), _5n = BigInt(5), _8n = BigInt(8);
@@ -118,8 +84,17 @@ export function sqrt(number, modulo) {
     const p1div4 = (P + _1n) / _4n;
     // P ≡ 3 (mod 4)
     // sqrt n = n^((P+1)/4)
-    if (P % _4n === _3n)
-        return pow(n, p1div4, P);
+    if (P % _4n === _3n) {
+        // Not all roots possible!
+        // const ORDER =
+        //   0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaabn;
+        // const NUM = 72057594037927816n;
+        // TODO: fix sqrtMod in secp256k1
+        const root = pow(n, p1div4, P);
+        if (mod(root * root, modulo) !== number)
+            throw new Error('Cannot find square root');
+        return root;
+    }
     // P ≡ 5 (mod 8)
     if (P % _8n === _5n) {
         const n2 = mod(n * _2n, P);
@@ -130,7 +105,6 @@ export function sqrt(number, modulo) {
         return r;
     }
     // Other cases: Tonelli-Shanks algorithm
-    // Check whether n is square
     if (legendre(n, P) !== _1n)
         throw new Error('Cannot find square root');
     let q, s, z;
@@ -162,10 +136,117 @@ export function sqrt(number, modulo) {
 }
 // Little-endian check for first LE bit (last BE bit);
 export const isNegativeLE = (num, modulo) => (mod(num, modulo) & _1n) === _1n;
-// An idea on modular arithmetic for bls12-381:
-// const FIELD = {add, pow, sqrt, mul};
-// Functions will take field elements, no need for an additional class
-// Could be faster. 1 bigint field will just do operations and mod later:
-// instead of 'r = mod(r * b, P)' we will write r = mul(r, b);
-// Could be insecure without shape check, so it needs to be done.
-// Functions could be inlined by JIT.
+// prettier-ignore
+const FIELD_FIELDS = [
+    'create', 'isValid', 'isZero', 'negate', 'invert', 'sqrt', 'square',
+    'equals', 'add', 'subtract', 'multiply', 'pow', 'div',
+    'addN', 'subtractN', 'multiplyN', 'squareN'
+];
+export function validateField(field) {
+    for (const i of ['ORDER', 'MASK']) {
+        if (typeof field[i] !== 'bigint')
+            throw new Error(`Invalid field param ${i}=${field[i]} (${typeof field[i]})`);
+    }
+    for (const i of ['BYTES', 'BITS']) {
+        if (typeof field[i] !== 'number')
+            throw new Error(`Invalid field param ${i}=${field[i]} (${typeof field[i]})`);
+    }
+    for (const i of FIELD_FIELDS) {
+        if (typeof field[i] !== 'function')
+            throw new Error(`Invalid field param ${i}=${field[i]} (${typeof field[i]})`);
+    }
+}
+// Generic field functions
+export function FpPow(f, num, power) {
+    // Should have same speed as pow for bigints
+    // TODO: benchmark!
+    if (power < _0n)
+        throw new Error('Expected power > 0');
+    if (power === _0n)
+        return f.ONE;
+    if (power === _1n)
+        return num;
+    let p = f.ONE;
+    let d = num;
+    while (power > _0n) {
+        if (power & _1n)
+            p = f.multiply(p, d);
+        d = f.square(d);
+        power >>= 1n;
+    }
+    return p;
+}
+export function FpInvertBatch(f, nums) {
+    const tmp = new Array(nums.length);
+    // Walk from first to last, multiply them by each other MOD p
+    const lastMultiplied = nums.reduce((acc, num, i) => {
+        if (f.isZero(num))
+            return acc;
+        tmp[i] = acc;
+        return f.multiply(acc, num);
+    }, f.ONE);
+    // Invert last element
+    const inverted = f.invert(lastMultiplied);
+    // Walk from last to first, multiply them by inverted each other MOD p
+    nums.reduceRight((acc, num, i) => {
+        if (f.isZero(num))
+            return acc;
+        tmp[i] = f.multiply(acc, tmp[i]);
+        return f.multiply(acc, num);
+    }, inverted);
+    return tmp;
+}
+export function FpDiv(f, lhs, rhs) {
+    return f.multiply(lhs, typeof rhs === 'bigint' ? invert(rhs, f.ORDER) : f.invert(rhs));
+}
+// NOTE: very fragile, always bench. Major performance points:
+// - NonNormalized ops
+// - Object.freeze
+// - same shape of object (don't add/remove keys)
+export function Fp(ORDER, bitLen, isLE = false, redef = {}) {
+    if (ORDER <= _0n)
+        throw new Error(`Expected Fp ORDER > 0, got ${ORDER}`);
+    const { nBitLength: BITS, nByteLength: BYTES } = utils.nLength(ORDER, bitLen);
+    if (BYTES > 2048)
+        throw new Error('Field lengths over 2048 bytes are not supported');
+    const sqrtP = (num) => sqrt(num, ORDER);
+    const f = Object.freeze({
+        ORDER,
+        BITS,
+        BYTES,
+        MASK: utils.bitMask(BITS),
+        ZERO: _0n,
+        ONE: _1n,
+        create: (num) => mod(num, ORDER),
+        isValid: (num) => {
+            if (typeof num !== 'bigint')
+                throw new Error(`Invalid field element: expected bigint, got ${typeof num}`);
+            return _0n <= num && num < ORDER;
+        },
+        isZero: (num) => num === _0n,
+        isOdd: (num) => (num & _1n) === _1n,
+        negate: (num) => mod(-num, ORDER),
+        equals: (lhs, rhs) => lhs === rhs,
+        square: (num) => mod(num * num, ORDER),
+        add: (lhs, rhs) => mod(lhs + rhs, ORDER),
+        subtract: (lhs, rhs) => mod(lhs - rhs, ORDER),
+        multiply: (lhs, rhs) => mod(lhs * rhs, ORDER),
+        pow: (num, power) => FpPow(f, num, power),
+        div: (lhs, rhs) => mod(lhs * invert(rhs, ORDER), ORDER),
+        // Same as above, but doesn't normalize
+        squareN: (num) => num * num,
+        addN: (lhs, rhs) => lhs + rhs,
+        subtractN: (lhs, rhs) => lhs - rhs,
+        multiplyN: (lhs, rhs) => lhs * rhs,
+        invert: (num) => invert(num, ORDER),
+        sqrt: redef.sqrt || sqrtP,
+        invertBatch: (lst) => FpInvertBatch(f, lst),
+        toBytes: (num) => isLE ? utils.numberToBytesLE(num, BYTES) : utils.numberToBytesBE(num, BYTES),
+        fromBytes: (bytes) => {
+            if (bytes.length !== BYTES)
+                throw new Error(`Fp.fromBytes: expected ${BYTES}, got ${bytes.length}`);
+            return isLE ? utils.bytesToNumberLE(bytes) : utils.bytesToNumberBE(bytes);
+        },
+    });
+    return Object.freeze(f);
+}

package/lib/esm/utils.js

@@ -1,12 +1,18 @@
 /*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// The import here is via the package name. This is to ensure
-// that exports mapping/resolution does fall into place.
-import { crypto } from '@noble/curves/crypto';
+import * as mod from './modular.js';
+const _0n = BigInt(0);
+const _1n = BigInt(1);
+const _2n = BigInt(2);
 export function validateOpts(curve) {
-    for (const i of ['P', 'n', 'h', 'Gx', 'Gy']) {
+    mod.validateField(curve.Fp);
+    for (const i of ['n', 'h']) {
         if (typeof curve[i] !== 'bigint')
             throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
     }
+    if (!curve.Fp.isValid(curve.Gx))
+        throw new Error('Invalid generator X coordinate Fp element');
+    if (!curve.Fp.isValid(curve.Gy))
+        throw new Error('Invalid generator Y coordinate Fp element');
     for (const i of ['nBitLength', 'nByteLength']) {
         if (curve[i] === undefined)
             continue; // Optional
@@ -16,7 +22,6 @@ export function validateOpts(curve) {
     // Set defaults
     return Object.freeze({ ...nLength(curve.n, curve.nBitLength), ...curve });
 }
-import * as mod from './modular.js';
 const hexes = Array.from({ length: 256 }, (v, i) => i.toString(16).padStart(2, '0'));
 export function bytesToHex(uint8a) {
     if (!(uint8a instanceof Uint8Array))
@@ -106,7 +111,6 @@ export function nLength(n, nBitLength) {
  * @param hash hash output from sha512, or a similar function
  * @returns valid private scalar
  */
-const _1n = BigInt(1);
 export function hashToPrivateScalar(hash, CURVE_ORDER, isLE = false) {
     hash = ensureBytes(hash);
     const orderLen = nLength(CURVE_ORDER).nByteLength;
@@ -125,17 +129,19 @@ export function equalBytes(b1, b2) {
             return false;
     return true;
 }
-/**
- * Cryptographically secure PRNG
- */
-export function randomBytes(bytesLength = 32) {
-    if (crypto.web) {
-        return crypto.web.getRandomValues(new Uint8Array(bytesLength));
-    }
-    else if (crypto.node) {
-        return new Uint8Array(crypto.node.randomBytes(bytesLength).buffer);
-    }
-    else {
-        throw new Error("The environment doesn't have randomBytes function");
-    }
+// Bit operations
+// Amount of bits inside bigint (Same as n.toString(2).length)
+export function bitLen(n) {
+    let len;
+    for (len = 0; n > 0n; n >>= _1n, len += 1)
+        ;
+    return len;
 }
+// Gets single bit at position. NOTE: first bit position is 0 (same as arrays)
+// Same as !!+Array.from(n.toString(2)).reverse()[pos]
+export const bitGet = (n, pos) => (n >> BigInt(pos)) & 1n;
+// Sets single bit at position
+export const bitSet = (n, pos, value) => n | ((value ? _1n : _0n) << BigInt(pos));
+// Return mask for N bits (Same as BigInt(`0b${Array(i).fill('1').join('')}`))
+// Not using ** operator with bigints for old engines.
+export const bitMask = (n) => (_2n << BigInt(n - 1)) - _1n;