@noble/curves 0.4.0 → 0.5.0

package/lib/esm/p521.js

@@ -0,0 +1,58 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { createCurve } from './_shortw_utils.js';
+import { sha512 } from '@noble/hashes/sha512';
+import { bytesToHex } from './abstract/utils.js';
+import { Fp as Field } from './abstract/modular.js';
+import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
+// NIST secp521r1 aka P521
+// Note that it's 521, which differs from 512 of its hash function.
+// https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-521
+// Field over which we'll do calculations; 2n**521n - 1n
+// prettier-ignore
+const P = BigInt('0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
+const Fp = Field(P);
+const CURVE_A = Fp.create(BigInt('-3'));
+// prettier-ignore
+const CURVE_B = BigInt('0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00');
+const mapSWU = mapToCurveSimpleSWU(Fp, {
+    A: CURVE_A,
+    B: CURVE_B,
+    Z: Fp.create(BigInt('-4')),
+});
+// prettier-ignore
+export const P521 = createCurve({
+    // Params: a, b
+    a: CURVE_A,
+    b: CURVE_B,
+    Fp,
+    // Curve order, total count of valid points in the field
+    n: BigInt('0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'),
+    // Base point (x, y) aka generator point
+    Gx: BigInt('0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66'),
+    Gy: BigInt('0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'),
+    h: BigInt(1),
+    lowS: false,
+    // P521 keys could be 130, 131, 132 bytes - which doesn't play nicely.
+    // We ensure all keys are 132 bytes.
+    // Does not replace validation; invalid keys would still be rejected.
+    normalizePrivateKey(key) {
+        if (typeof key === 'bigint')
+            return key;
+        if (key instanceof Uint8Array)
+            key = bytesToHex(key);
+        if (typeof key !== 'string' || !([130, 131, 132].includes(key.length))) {
+            throw new Error('Invalid key');
+        }
+        return key.padStart(66 * 2, '0');
+    },
+    mapToCurve: (scalars) => mapSWU(scalars[0]),
+    htfDefaults: {
+        DST: 'P521_XMD:SHA-512_SSWU_RO_',
+        p: Fp.ORDER,
+        m: 1,
+        k: 256,
+        expand: true,
+        hash: sha512,
+    },
+}, sha512);
+export const secp521r1 = P521;

package/lib/esm/pasta.js

@@ -0,0 +1,29 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { sha256 } from '@noble/hashes/sha256';
+import { weierstrass } from './abstract/weierstrass.js';
+import { getHash } from './_shortw_utils.js';
+import * as mod from './abstract/modular.js';
+export const p = BigInt('0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001');
+export const q = BigInt('0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001');
+// https://neuromancer.sk/std/other/Pallas
+export const pallas = weierstrass({
+    a: BigInt(0),
+    b: BigInt(5),
+    Fp: mod.Fp(p),
+    n: q,
+    Gx: mod.mod(BigInt(-1), p),
+    Gy: BigInt(2),
+    h: BigInt(1),
+    ...getHash(sha256),
+});
+// https://neuromancer.sk/std/other/Vesta
+export const vesta = weierstrass({
+    a: BigInt(0),
+    b: BigInt(5),
+    Fp: mod.Fp(q),
+    n: p,
+    Gx: mod.mod(BigInt(-1), q),
+    Gy: BigInt(2),
+    h: BigInt(1),
+    ...getHash(sha256),
+});

package/lib/esm/secp256k1.js

@@ -0,0 +1,290 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { sha256 } from '@noble/hashes/sha256';
+import { Fp as Field, mod, pow2 } from './abstract/modular.js';
+import { createCurve } from './_shortw_utils.js';
+import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
+import { ensureBytes, concatBytes, hexToBytes, bytesToNumberBE, } from './abstract/utils.js';
+import { randomBytes } from '@noble/hashes/utils';
+import { isogenyMap } from './abstract/hash-to-curve.js';
+/**
+ * secp256k1 belongs to Koblitz curves: it has
+ * efficiently computable Frobenius endomorphism.
+ * Endomorphism improves efficiency:
+ * Uses 2x less RAM, speeds up precomputation by 2x and ECDH / sign key recovery by 20%.
+ * Should always be used for Projective's double-and-add multiplication.
+ * For affines cached multiplication, it trades off 1/2 init time & 1/3 ram for 20% perf hit.
+ * https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066
+ */
+const secp256k1P = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f');
+const secp256k1N = BigInt('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141');
+const _1n = BigInt(1);
+const _2n = BigInt(2);
+const divNearest = (a, b) => (a + b / _2n) / b;
+/**
+ * Allows to compute square root √y 2x faster.
+ * To calculate √y, we need to exponentiate it to a very big number:
+ * `y² = x³ + ax + b; y = y² ^ (p+1)/4`
+ * We are unwrapping the loop and multiplying it bit-by-bit.
+ * (P+1n/4n).toString(2) would produce bits [223x 1, 0, 22x 1, 4x 0, 11, 00]
+ */
+function sqrtMod(y) {
+    const P = secp256k1P;
+    // prettier-ignore
+    const _3n = BigInt(3), _6n = BigInt(6), _11n = BigInt(11), _22n = BigInt(22);
+    // prettier-ignore
+    const _23n = BigInt(23), _44n = BigInt(44), _88n = BigInt(88);
+    const b2 = (y * y * y) % P; // x^3, 11
+    const b3 = (b2 * b2 * y) % P; // x^7
+    const b6 = (pow2(b3, _3n, P) * b3) % P;
+    const b9 = (pow2(b6, _3n, P) * b3) % P;
+    const b11 = (pow2(b9, _2n, P) * b2) % P;
+    const b22 = (pow2(b11, _11n, P) * b11) % P;
+    const b44 = (pow2(b22, _22n, P) * b22) % P;
+    const b88 = (pow2(b44, _44n, P) * b44) % P;
+    const b176 = (pow2(b88, _88n, P) * b88) % P;
+    const b220 = (pow2(b176, _44n, P) * b44) % P;
+    const b223 = (pow2(b220, _3n, P) * b3) % P;
+    const t1 = (pow2(b223, _23n, P) * b22) % P;
+    const t2 = (pow2(t1, _6n, P) * b2) % P;
+    return pow2(t2, _2n, P);
+}
+const Fp = Field(secp256k1P, undefined, undefined, { sqrt: sqrtMod });
+const isoMap = isogenyMap(Fp, [
+    // xNum
+    [
+        '0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa8c7',
+        '0x7d3d4c80bc321d5b9f315cea7fd44c5d595d2fc0bf63b92dfff1044f17c6581',
+        '0x534c328d23f234e6e2a413deca25caece4506144037c40314ecbd0b53d9dd262',
+        '0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa88c',
+    ],
+    // xDen
+    [
+        '0xd35771193d94918a9ca34ccbb7b640dd86cd409542f8487d9fe6b745781eb49b',
+        '0xedadc6f64383dc1df7c4b2d51b54225406d36b641f5e41bbc52a56612a8c6d14',
+        '0x0000000000000000000000000000000000000000000000000000000000000001', // LAST 1
+    ],
+    // yNum
+    [
+        '0x4bda12f684bda12f684bda12f684bda12f684bda12f684bda12f684b8e38e23c',
+        '0xc75e0c32d5cb7c0fa9d0a54b12a0a6d5647ab046d686da6fdffc90fc201d71a3',
+        '0x29a6194691f91a73715209ef6512e576722830a201be2018a765e85a9ecee931',
+        '0x2f684bda12f684bda12f684bda12f684bda12f684bda12f684bda12f38e38d84',
+    ],
+    // yDen
+    [
+        '0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffff93b',
+        '0x7a06534bb8bdb49fd5e9e6632722c2989467c1bfc8e8d978dfb425d2685c2573',
+        '0x6484aa716545ca2cf3a70c3fa8fe337e0a3d21162f0d6299a7bf8192bfd2a76f',
+        '0x0000000000000000000000000000000000000000000000000000000000000001', // LAST 1
+    ],
+].map((i) => i.map((j) => BigInt(j))));
+const mapSWU = mapToCurveSimpleSWU(Fp, {
+    A: BigInt('0x3f8731abdd661adca08a5558f0f5d272e953d363cb6f0e5d405447c01a444533'),
+    B: BigInt('1771'),
+    Z: Fp.create(BigInt('-11')),
+});
+export const secp256k1 = createCurve({
+    // Params: a, b
+    // Seem to be rigid https://bitcointalk.org/index.php?topic=289795.msg3183975#msg3183975
+    a: BigInt(0),
+    b: BigInt(7),
+    // Field over which we'll do calculations;
+    // 2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n
+    Fp,
+    // Curve order, total count of valid points in the field
+    n: secp256k1N,
+    // Base point (x, y) aka generator point
+    Gx: BigInt('55066263022277343669578718895168534326250603453777594175500187360389116729240'),
+    Gy: BigInt('32670510020758816978083085130507043184471273380659243275938904335757337482424'),
+    h: BigInt(1),
+    // Alllow only low-S signatures by default in sign() and verify()
+    lowS: true,
+    endo: {
+        // Params taken from https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066
+        beta: BigInt('0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee'),
+        splitScalar: (k) => {
+            const n = secp256k1N;
+            const a1 = BigInt('0x3086d221a7d46bcde86c90e49284eb15');
+            const b1 = -_1n * BigInt('0xe4437ed6010e88286f547fa90abfe4c3');
+            const a2 = BigInt('0x114ca50f7a8e2f3f657c1108d9d44cfd8');
+            const b2 = a1;
+            const POW_2_128 = BigInt('0x100000000000000000000000000000000');
+            const c1 = divNearest(b2 * k, n);
+            const c2 = divNearest(-b1 * k, n);
+            let k1 = mod(k - c1 * a1 - c2 * a2, n);
+            let k2 = mod(-c1 * b1 - c2 * b2, n);
+            const k1neg = k1 > POW_2_128;
+            const k2neg = k2 > POW_2_128;
+            if (k1neg)
+                k1 = n - k1;
+            if (k2neg)
+                k2 = n - k2;
+            if (k1 > POW_2_128 || k2 > POW_2_128) {
+                throw new Error('splitScalar: Endomorphism failed, k=' + k);
+            }
+            return { k1neg, k1, k2neg, k2 };
+        },
+    },
+    mapToCurve: (scalars) => {
+        const { x, y } = mapSWU(Fp.create(scalars[0]));
+        return isoMap(x, y);
+    },
+    htfDefaults: {
+        DST: 'secp256k1_XMD:SHA-256_SSWU_RO_',
+        p: Fp.ORDER,
+        m: 1,
+        k: 128,
+        expand: true,
+        hash: sha256,
+    },
+}, sha256);
+// Schnorr
+const _0n = BigInt(0);
+const numTo32b = secp256k1.utils._bigintToBytes;
+const numTo32bStr = secp256k1.utils._bigintToString;
+const normalizePrivateKey = secp256k1.utils._normalizePrivateKey;
+// TODO: export?
+function normalizePublicKey(publicKey) {
+    if (publicKey instanceof secp256k1.Point) {
+        publicKey.assertValidity();
+        return publicKey;
+    }
+    else {
+        const bytes = ensureBytes(publicKey);
+        // Schnorr is 32 bytes
+        if (bytes.length === 32) {
+            const x = bytesToNumberBE(bytes);
+            if (!isValidFieldElement(x))
+                throw new Error('Point is not on curve');
+            const y2 = secp256k1.utils._weierstrassEquation(x); // y² = x³ + ax + b
+            let y = sqrtMod(y2); // y = y² ^ (p+1)/4
+            const isYOdd = (y & _1n) === _1n;
+            // Schnorr
+            if (isYOdd)
+                y = secp256k1.CURVE.Fp.negate(y);
+            const point = new secp256k1.Point(x, y);
+            point.assertValidity();
+            return point;
+        }
+        // Do we need that in schnorr at all?
+        return secp256k1.Point.fromHex(publicKey);
+    }
+}
+const isWithinCurveOrder = secp256k1.utils._isWithinCurveOrder;
+const isValidFieldElement = secp256k1.utils._isValidFieldElement;
+const TAGS = {
+    challenge: 'BIP0340/challenge',
+    aux: 'BIP0340/aux',
+    nonce: 'BIP0340/nonce',
+};
+/** An object mapping tags to their tagged hash prefix of [SHA256(tag) | SHA256(tag)] */
+const TAGGED_HASH_PREFIXES = {};
+export function taggedHash(tag, ...messages) {
+    let tagP = TAGGED_HASH_PREFIXES[tag];
+    if (tagP === undefined) {
+        const tagH = sha256(Uint8Array.from(tag, (c) => c.charCodeAt(0)));
+        tagP = concatBytes(tagH, tagH);
+        TAGGED_HASH_PREFIXES[tag] = tagP;
+    }
+    return sha256(concatBytes(tagP, ...messages));
+}
+const toRawX = (point) => point.toRawBytes(true).slice(1);
+// Schnorr signatures are superior to ECDSA from above.
+// Below is Schnorr-specific code as per BIP0340.
+function schnorrChallengeFinalize(ch) {
+    return mod(bytesToNumberBE(ch), secp256k1.CURVE.n);
+}
+// Do we need this at all for Schnorr?
+class SchnorrSignature {
+    constructor(r, s) {
+        this.r = r;
+        this.s = s;
+        this.assertValidity();
+    }
+    static fromHex(hex) {
+        const bytes = ensureBytes(hex);
+        if (bytes.length !== 64)
+            throw new TypeError(`SchnorrSignature.fromHex: expected 64 bytes, not ${bytes.length}`);
+        const r = bytesToNumberBE(bytes.subarray(0, 32));
+        const s = bytesToNumberBE(bytes.subarray(32, 64));
+        return new SchnorrSignature(r, s);
+    }
+    assertValidity() {
+        const { r, s } = this;
+        if (!isValidFieldElement(r) || !isWithinCurveOrder(s))
+            throw new Error('Invalid signature');
+    }
+    toHex() {
+        return numTo32bStr(this.r) + numTo32bStr(this.s);
+    }
+    toRawBytes() {
+        return hexToBytes(this.toHex());
+    }
+}
+function schnorrGetScalar(priv) {
+    const point = secp256k1.Point.fromPrivateKey(priv);
+    const scalar = point.hasEvenY() ? priv : secp256k1.CURVE.n - priv;
+    return { point, scalar, x: toRawX(point) };
+}
+/**
+ * Synchronously creates Schnorr signature. Improved security: verifies itself before
+ * producing an output.
+ * @param msg message (not message hash)
+ * @param privateKey private key
+ * @param auxRand random bytes that would be added to k. Bad RNG won't break it.
+ */
+function schnorrSign(message, privateKey, auxRand = randomBytes(32)) {
+    if (message == null)
+        throw new TypeError(`sign: Expected valid message, not "${message}"`);
+    const m = ensureBytes(message);
+    // checks for isWithinCurveOrder
+    const { x: px, scalar: d } = schnorrGetScalar(normalizePrivateKey(privateKey));
+    const rand = ensureBytes(auxRand);
+    if (rand.length !== 32)
+        throw new TypeError('sign: Expected 32 bytes of aux randomness');
+    const tag = taggedHash;
+    const t0h = tag(TAGS.aux, rand);
+    const t = numTo32b(d ^ bytesToNumberBE(t0h));
+    const k0h = tag(TAGS.nonce, t, px, m);
+    const k0 = mod(bytesToNumberBE(k0h), secp256k1.CURVE.n);
+    if (k0 === _0n)
+        throw new Error('sign: Creation of signature failed. k is zero');
+    const { point: R, x: rx, scalar: k } = schnorrGetScalar(k0);
+    const e = schnorrChallengeFinalize(tag(TAGS.challenge, rx, px, m));
+    const sig = new SchnorrSignature(R.x, mod(k + e * d, secp256k1.CURVE.n)).toRawBytes();
+    if (!schnorrVerify(sig, m, px))
+        throw new Error('sign: Invalid signature produced');
+    return sig;
+}
+/**
+ * Verifies Schnorr signature synchronously.
+ */
+function schnorrVerify(signature, message, publicKey) {
+    try {
+        const raw = signature instanceof SchnorrSignature;
+        const sig = raw ? signature : SchnorrSignature.fromHex(signature);
+        if (raw)
+            sig.assertValidity(); // just in case
+        const { r, s } = sig;
+        const m = ensureBytes(message);
+        const P = normalizePublicKey(publicKey);
+        const e = schnorrChallengeFinalize(taggedHash(TAGS.challenge, numTo32b(r), toRawX(P), m));
+        // Finalize
+        // R = s⋅G - e⋅P
+        // -eP == (n-e)P
+        const R = secp256k1.Point.BASE.multiplyAndAddUnsafe(P, normalizePrivateKey(s), mod(-e, secp256k1.CURVE.n));
+        if (!R || !R.hasEvenY() || R.x !== r)
+            return false;
+        return true;
+    }
+    catch (error) {
+        return false;
+    }
+}
+export const schnorr = {
+    Signature: SchnorrSignature,
+    // Schnorr's pubkey is just `x` of Point (BIP340)
+    getPublicKey: (privateKey) => toRawX(secp256k1.Point.fromPrivateKey(privateKey)),
+    sign: schnorrSign,
+    verify: schnorrVerify,
+};

package/lib/esm/stark.js

@@ -0,0 +1,222 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { keccak_256 } from '@noble/hashes/sha3';
+import { sha256 } from '@noble/hashes/sha256';
+import { weierstrass } from './abstract/weierstrass.js';
+import * as cutils from './abstract/utils.js';
+import { Fp } from './abstract/modular.js';
+import { getHash } from './_shortw_utils.js';
+// Stark-friendly elliptic curve
+// https://docs.starkware.co/starkex/stark-curve.html
+const CURVE_N = BigInt('3618502788666131213697322783095070105526743751716087489154079457884512865583');
+const nBitLength = 252;
+export const starkCurve = weierstrass({
+    // Params: a, b
+    a: BigInt(1),
+    b: BigInt('3141592653589793238462643383279502884197169399375105820974944592307816406665'),
+    // Field over which we'll do calculations; 2n**251n + 17n * 2n**192n + 1n
+    // There is no efficient sqrt for field (P%4==1)
+    Fp: Fp(BigInt('0x800000000000011000000000000000000000000000000000000000000000001')),
+    // Curve order, total count of valid points in the field.
+    n: CURVE_N,
+    nBitLength: nBitLength,
+    // Base point (x, y) aka generator point
+    Gx: BigInt('874739451078007766457464989774322083649278607533249481151382481072868806602'),
+    Gy: BigInt('152666792071518830868575557812948353041420400780739481342941381225525861407'),
+    h: BigInt(1),
+    // Default options
+    lowS: false,
+    ...getHash(sha256),
+    truncateHash: (hash, truncateOnly = false) => {
+        // TODO: cleanup, ugly code
+        // Fix truncation
+        if (!truncateOnly) {
+            let hashS = bytesToNumber0x(hash).toString(16);
+            if (hashS.length === 63) {
+                hashS += '0';
+                hash = hexToBytes0x(hashS);
+            }
+        }
+        // Truncate zero bytes on left (compat with elliptic)
+        while (hash[0] === 0)
+            hash = hash.subarray(1);
+        const byteLength = hash.length;
+        const delta = byteLength * 8 - nBitLength; // size of curve.n (252 bits)
+        let h = hash.length ? bytesToNumber0x(hash) : 0n;
+        if (delta > 0)
+            h = h >> BigInt(delta);
+        if (!truncateOnly && h >= CURVE_N)
+            h -= CURVE_N;
+        return h;
+    },
+});
+// Custom Starknet type conversion functions that can handle 0x and unpadded hex
+function hexToBytes0x(hex) {
+    if (typeof hex !== 'string') {
+        throw new TypeError('hexToBytes: expected string, got ' + typeof hex);
+    }
+    hex = strip0x(hex);
+    if (hex.length & 1)
+        hex = '0' + hex; // padding
+    if (hex.length % 2)
+        throw new Error('hexToBytes: received invalid unpadded hex ' + hex.length);
+    const array = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < array.length; i++) {
+        const j = i * 2;
+        const hexByte = hex.slice(j, j + 2);
+        const byte = Number.parseInt(hexByte, 16);
+        if (Number.isNaN(byte) || byte < 0)
+            throw new Error('Invalid byte sequence');
+        array[i] = byte;
+    }
+    return array;
+}
+function hexToNumber0x(hex) {
+    if (typeof hex !== 'string') {
+        throw new TypeError('hexToNumber: expected string, got ' + typeof hex);
+    }
+    // Big Endian
+    // TODO: strip vs no strip?
+    return BigInt(`0x${strip0x(hex)}`);
+}
+function bytesToNumber0x(bytes) {
+    return hexToNumber0x(cutils.bytesToHex(bytes));
+}
+function ensureBytes0x(hex) {
+    // Uint8Array.from() instead of hash.slice() because node.js Buffer
+    // is instance of Uint8Array, and its slice() creates **mutable** copy
+    return hex instanceof Uint8Array ? Uint8Array.from(hex) : hexToBytes0x(hex);
+}
+function normalizePrivateKey(privKey) {
+    return cutils.bytesToHex(ensureBytes0x(privKey)).padStart(32 * 2, '0');
+}
+function getPublicKey0x(privKey, isCompressed) {
+    return starkCurve.getPublicKey(normalizePrivateKey(privKey), isCompressed);
+}
+function getSharedSecret0x(privKeyA, pubKeyB) {
+    return starkCurve.getSharedSecret(normalizePrivateKey(privKeyA), pubKeyB);
+}
+function sign0x(msgHash, privKey, opts) {
+    if (typeof privKey === 'string')
+        privKey = strip0x(privKey).padStart(64, '0');
+    return starkCurve.sign(ensureBytes0x(msgHash), normalizePrivateKey(privKey), opts);
+}
+function verify0x(signature, msgHash, pubKey) {
+    const sig = signature instanceof Signature ? signature : ensureBytes0x(signature);
+    return starkCurve.verify(sig, ensureBytes0x(msgHash), ensureBytes0x(pubKey));
+}
+const { CURVE, Point, ProjectivePoint, Signature } = starkCurve;
+export const utils = starkCurve.utils;
+export { CURVE, Point, Signature, ProjectivePoint, getPublicKey0x as getPublicKey, getSharedSecret0x as getSharedSecret, sign0x as sign, verify0x as verify, };
+const stripLeadingZeros = (s) => s.replace(/^0+/gm, '');
+export const bytesToHexEth = (uint8a) => `0x${stripLeadingZeros(cutils.bytesToHex(uint8a))}`;
+export const strip0x = (hex) => hex.replace(/^0x/i, '');
+export const numberToHexEth = (num) => `0x${num.toString(16)}`;
+// 1. seed generation
+function hashKeyWithIndex(key, index) {
+    let indexHex = cutils.numberToHexUnpadded(index);
+    if (indexHex.length & 1)
+        indexHex = '0' + indexHex;
+    return bytesToNumber0x(sha256(cutils.concatBytes(key, hexToBytes0x(indexHex))));
+}
+export function grindKey(seed) {
+    const _seed = ensureBytes0x(seed);
+    const sha256mask = 2n ** 256n;
+    const limit = sha256mask - starkCurve.utils.mod(sha256mask, starkCurve.CURVE.n);
+    for (let i = 0;; i++) {
+        const key = hashKeyWithIndex(_seed, i);
+        // key should be in [0, limit)
+        if (key < limit)
+            return starkCurve.utils.mod(key, starkCurve.CURVE.n).toString(16);
+    }
+}
+export function getStarkKey(privateKey) {
+    return bytesToHexEth(getPublicKey0x(privateKey, true).slice(1));
+}
+export function ethSigToPrivate(signature) {
+    signature = strip0x(signature.replace(/^0x/, ''));
+    if (signature.length !== 130)
+        throw new Error('Wrong ethereum signature');
+    return grindKey(signature.substring(0, 64));
+}
+const MASK_31 = 2n ** 31n - 1n;
+const int31 = (n) => Number(n & MASK_31);
+export function getAccountPath(layer, application, ethereumAddress, index) {
+    const layerNum = int31(bytesToNumber0x(sha256(layer)));
+    const applicationNum = int31(bytesToNumber0x(sha256(application)));
+    const eth = hexToNumber0x(ethereumAddress);
+    return `m/2645'/${layerNum}'/${applicationNum}'/${int31(eth)}'/${int31(eth >> 31n)}'/${index}`;
+}
+// https://docs.starkware.co/starkex/pedersen-hash-function.html
+const PEDERSEN_POINTS_AFFINE = [
+    new Point(2089986280348253421170679821480865132823066470938446095505822317253594081284n, 1713931329540660377023406109199410414810705867260802078187082345529207694986n),
+    new Point(996781205833008774514500082376783249102396023663454813447423147977397232763n, 1668503676786377725805489344771023921079126552019160156920634619255970485781n),
+    new Point(2251563274489750535117886426533222435294046428347329203627021249169616184184n, 1798716007562728905295480679789526322175868328062420237419143593021674992973n),
+    new Point(2138414695194151160943305727036575959195309218611738193261179310511854807447n, 113410276730064486255102093846540133784865286929052426931474106396135072156n),
+    new Point(2379962749567351885752724891227938183011949129833673362440656643086021394946n, 776496453633298175483985398648758586525933812536653089401905292063708816422n),
+];
+// for (const p of PEDERSEN_POINTS) p._setWindowSize(8);
+const PEDERSEN_POINTS = PEDERSEN_POINTS_AFFINE.map(ProjectivePoint.fromAffine);
+function pedersenPrecompute(p1, p2) {
+    const out = [];
+    let p = p1;
+    for (let i = 0; i < 248; i++) {
+        out.push(p);
+        p = p.double();
+    }
+    p = p2;
+    for (let i = 0; i < 4; i++) {
+        out.push(p);
+        p = p.double();
+    }
+    return out;
+}
+const PEDERSEN_POINTS1 = pedersenPrecompute(PEDERSEN_POINTS[1], PEDERSEN_POINTS[2]);
+const PEDERSEN_POINTS2 = pedersenPrecompute(PEDERSEN_POINTS[3], PEDERSEN_POINTS[4]);
+function pedersenArg(arg) {
+    let value;
+    if (typeof arg === 'bigint')
+        value = arg;
+    else if (typeof arg === 'number') {
+        if (!Number.isSafeInteger(arg))
+            throw new Error(`Invalid pedersenArg: ${arg}`);
+        value = BigInt(arg);
+    }
+    else
+        value = bytesToNumber0x(ensureBytes0x(arg));
+    // [0..Fp)
+    if (!(0n <= value && value < starkCurve.CURVE.Fp.ORDER))
+        throw new Error(`PedersenArg should be 0 <= value < CURVE.P: ${value}`);
+    return value;
+}
+function pedersenSingle(point, value, constants) {
+    let x = pedersenArg(value);
+    for (let j = 0; j < 252; j++) {
+        const pt = constants[j];
+        if (pt.x === point.x)
+            throw new Error('Same point');
+        if ((x & 1n) !== 0n)
+            point = point.add(pt);
+        x >>= 1n;
+    }
+    return point;
+}
+// shift_point + x_low * P_0 + x_high * P1 + y_low * P2  + y_high * P3
+export function pedersen(x, y) {
+    let point = PEDERSEN_POINTS[0];
+    point = pedersenSingle(point, x, PEDERSEN_POINTS1);
+    point = pedersenSingle(point, y, PEDERSEN_POINTS2);
+    return bytesToHexEth(point.toAffine().toRawBytes(true).slice(1));
+}
+export function hashChain(data, fn = pedersen) {
+    if (!Array.isArray(data) || data.length < 1)
+        throw new Error('data should be array of at least 1 element');
+    if (data.length === 1)
+        return numberToHexEth(pedersenArg(data[0]));
+    return Array.from(data)
+        .reverse()
+        .reduce((acc, i) => fn(i, acc));
+}
+// Same as hashChain, but computes hash even for single element and order is not revesed
+export const computeHashOnElements = (data, fn = pedersen) => [0, ...data, data.length].reduce((x, y) => fn(x, y));
+const MASK_250 = 2n ** 250n - 1n;
+export const keccak = (data) => bytesToNumber0x(keccak_256(data)) & MASK_250;

package/lib/index.js

@@ -0,0 +1,2 @@
+"use strict";
+throw new Error('Incorrect usage. Import submodules instead');

package/lib/jubjub.d.ts

@@ -0,0 +1,7 @@
+/**
+ * jubjub Twisted Edwards curve.
+ * https://neuromancer.sk/std/other/JubJub
+ */
+export declare const jubjub: import("./abstract/edwards.js").CurveFn;
+export declare function groupHash(tag: Uint8Array, personalization: Uint8Array): import("./abstract/edwards.js").ExtendedPointType;
+export declare function findGroupHash(m: Uint8Array, personalization: Uint8Array): import("./abstract/edwards.js").ExtendedPointType;

package/lib/jubjub.js

@@ -0,0 +1,57 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.findGroupHash = exports.groupHash = exports.jubjub = void 0;
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+const sha256_1 = require("@noble/hashes/sha256");
+const utils_1 = require("@noble/hashes/utils");
+const edwards_js_1 = require("./abstract/edwards.js");
+const blake2s_1 = require("@noble/hashes/blake2s");
+const modular_js_1 = require("./abstract/modular.js");
+/**
+ * jubjub Twisted Edwards curve.
+ * https://neuromancer.sk/std/other/JubJub
+ */
+exports.jubjub = (0, edwards_js_1.twistedEdwards)({
+    // Params: a, d
+    a: BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000000'),
+    d: BigInt('0x2a9318e74bfa2b48f5fd9207e6bd7fd4292d7f6d37579d2601065fd6d6343eb1'),
+    // Finite field 𝔽p over which we'll do calculations
+    Fp: (0, modular_js_1.Fp)(BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001')),
+    // Subgroup order: how many points ed25519 has
+    // 2n ** 252n + 27742317777372353535851937790883648493n;
+    n: BigInt('0xe7db4ea6533afa906673b0101343b00a6682093ccc81082d0970e5ed6f72cb7'),
+    // Cofactor
+    h: BigInt(8),
+    // Base point (x, y) aka generator point
+    Gx: BigInt('0x11dafe5d23e1218086a365b99fbf3d3be72f6afd7d1f72623e6b071492d1122b'),
+    Gy: BigInt('0x1d523cf1ddab1a1793132e78c866c0c33e26ba5cc220fed7cc3f870e59d292aa'),
+    hash: sha256_1.sha256,
+    randomBytes: utils_1.randomBytes,
+});
+const GH_FIRST_BLOCK = (0, utils_1.utf8ToBytes)('096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0');
+// Returns point at JubJub curve which is prime order and not zero
+function groupHash(tag, personalization) {
+    const h = blake2s_1.blake2s.create({ personalization, dkLen: 32 });
+    h.update(GH_FIRST_BLOCK);
+    h.update(tag);
+    // NOTE: returns ExtendedPoint, in case it will be multiplied later
+    let p = exports.jubjub.ExtendedPoint.fromAffine(exports.jubjub.Point.fromHex(h.digest()));
+    // NOTE: cannot replace with isSmallOrder, returns Point*8
+    p = p.multiply(exports.jubjub.CURVE.h);
+    if (p.equals(exports.jubjub.ExtendedPoint.ZERO))
+        throw new Error('Point has small order');
+    return p;
+}
+exports.groupHash = groupHash;
+function findGroupHash(m, personalization) {
+    const tag = (0, utils_1.concatBytes)(m, new Uint8Array([0]));
+    for (let i = 0; i < 256; i++) {
+        tag[tag.length - 1] = i;
+        try {
+            return groupHash(tag, personalization);
+        }
+        catch (e) { }
+    }
+    throw new Error('findGroupHash tag overflow');
+}
+exports.findGroupHash = findGroupHash;