@noble/curves 0.4.0 → 0.5.0

package/lib/esm/{edwards.js → abstract/edwards.js}

@@ -1,5 +1,5 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// Implementation of Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y²
+// Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y²
 // Differences from @noble/ed25519 1.7:
 // 1. Different field element lengths in ed448:
 //   EDDSA (RFC8032) is 456 bits / 57 bytes, ECDH (RFC7748) is 448 bits / 56 bytes
@@ -10,6 +10,7 @@
 import * as mod from './modular.js';
 import { bytesToHex, concatBytes, ensureBytes, numberToBytesLE, bytesToNumberLE, hashToPrivateScalar, validateOpts as utilOpts, } from './utils.js'; // TODO: import * as u from './utils.js'?
 import { wNAF } from './group.js';
+import { hash_to_field, validateHTFOpts } from './hash-to-curve.js';
 // Be friendly to bad ECMAScript parsers by not using bigint literals like 123n
 const _0n = BigInt(0);
 const _1n = BigInt(1);
@@ -28,12 +29,20 @@ function validateOpts(curve) {
         if (typeof opts[fn] !== 'function')
             throw new Error(`Invalid ${fn} function`);
     }
-    for (const fn of ['adjustScalarBytes', 'domain', 'uvRatio']) {
+    for (const fn of [
+        'adjustScalarBytes',
+        'domain',
+        'uvRatio',
+        'mapToCurve',
+        'clearCofactor',
+    ]) {
         if (opts[fn] === undefined)
             continue; // Optional
         if (typeof opts[fn] !== 'function')
             throw new Error(`Invalid ${fn} function`);
     }
+    if (opts.htfDefaults !== undefined)
+        validateHTFOpts(opts.htfDefaults);
     // Set defaults
     return Object.freeze({ ...opts });
 }
@@ -153,7 +162,7 @@ export function twistedEdwards(curveDef) {
                 const B = modP((Y1 + X1) * (Y2 - X2));
                 const F = modP(B - A);
                 if (F === _0n)
-                    return this.double(); // Same point.
+                    return this.double(); // Same point. Tests say it doesn't affect timing
                 const C = modP(Z1 * _2n * T2);
                 const D = modP(T1 * _2n * Z2);
                 const E = D + C;
@@ -170,7 +179,6 @@ export function twistedEdwards(curveDef) {
             const C = modP(T1 * d * T2); // C = T1*d*T2
             const D = modP(Z1 * Z2); // D = Z1*Z2
             const E = modP((X1 + Y1) * (X2 + Y2) - A - B); // E = (X1+Y1)*(X2+Y2)-A-B
-            // TODO: do we need to check for same point here? Looks like working without it
             const F = D - C; // F = D-C
             const G = D + C; // G = D+C
             const H = modP(B - a * A); // H = B-a*A
@@ -244,6 +252,15 @@ export function twistedEdwards(curveDef) {
                 throw new Error('invZ was invalid');
             return new Point(ax, ay);
         }
+        clearCofactor() {
+            if (CURVE.h === _1n)
+                return this; // Fast-path
+            // clear_cofactor(P) := h_eff * P
+            // hEff = h for ed25519/ed448. Maybe worth moving to params?
+            if (CURVE.clearCofactor)
+                return CURVE.clearCofactor(ExtendedPoint, this);
+            return this.multiplyUnsafe(CURVE.h);
+        }
     }
     ExtendedPoint.BASE = new ExtendedPoint(CURVE.Gx, CURVE.Gy, _1n, modP(CURVE.Gx * CURVE.Gy));
     ExtendedPoint.ZERO = new ExtendedPoint(_0n, _1n, _1n, _0n);
@@ -352,6 +369,30 @@ export function twistedEdwards(curveDef) {
         multiply(scalar) {
             return ExtendedPoint.fromAffine(this).multiply(scalar, this).toAffine();
         }
+        clearCofactor() {
+            return ExtendedPoint.fromAffine(this).clearCofactor().toAffine();
+        }
+        // Encodes byte string to elliptic curve
+        // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-3
+        static hashToCurve(msg, options) {
+            if (!CURVE.mapToCurve)
+                throw new Error('No mapToCurve defined for curve');
+            msg = ensureBytes(msg);
+            const u = hash_to_field(msg, 2, { ...CURVE.htfDefaults, ...options });
+            const { x: x0, y: y0 } = CURVE.mapToCurve(u[0]);
+            const { x: x1, y: y1 } = CURVE.mapToCurve(u[1]);
+            const p = new Point(x0, y0).add(new Point(x1, y1)).clearCofactor();
+            return p;
+        }
+        // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-16#section-3
+        static encodeToCurve(msg, options) {
+            if (!CURVE.mapToCurve)
+                throw new Error('No mapToCurve defined for curve');
+            msg = ensureBytes(msg);
+            const u = hash_to_field(msg, 1, { ...CURVE.htfDefaults, ...options });
+            const { x, y } = CURVE.mapToCurve(u[0]);
+            return new Point(x, y).clearCofactor();
+        }
     }
     // Base point aka generator
     // public_key = Point.BASE * private_key

package/lib/esm/{group.js → abstract/group.js}

@@ -1,5 +1,5 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// Default group related functions
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// Abelian group utilities
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 // Not big, but pretty complex and it is easy to break stuff. To avoid too much copy paste
@@ -52,8 +52,9 @@ export function wNAF(c, bits) {
         },
         /**
          * Implements w-ary non-adjacent form for calculating ec multiplication.
-         * @param n
+         * @param W window size
          * @param affinePoint optional 2d point to save cached precompute windows on it.
+         * @param n bits
          * @returns real and fake (for const-time) points
          */
         wNAF(W, precomputes, n) {

package/lib/esm/{hashToCurve.js → abstract/hash-to-curve.js}

@@ -1,3 +1,4 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { concatBytes } from './utils.js';
 import * as mod from './modular.js';
 export function validateHTFOpts(opts) {
@@ -15,6 +16,7 @@ export function validateHTFOpts(opts) {
         throw new Error('Invalid htf/hash function');
 }
 // UTF8 to ui8a
+// TODO: looks broken, ASCII only, why not TextEncoder/TextDecoder? it is in hashes anyway
 export function stringToBytes(str) {
     const bytes = new Uint8Array(str.length);
     for (let i = 0; i < str.length; i++)
@@ -56,7 +58,7 @@ export function expand_message_xmd(msg, DST, lenInBytes, H) {
     if (DST.length > 255)
         DST = H(concatBytes(stringToBytes('H2C-OVERSIZE-DST-'), DST));
     const b_in_bytes = H.outputLen;
-    const r_in_bytes = b_in_bytes * 2;
+    const r_in_bytes = H.blockLen;
     const ell = Math.ceil(lenInBytes / b_in_bytes);
     if (ell > 255)
         throw new Error('Invalid xmd length');
@@ -103,3 +105,13 @@ export function hash_to_field(msg, count, options) {
     }
     return u;
 }
+export function isogenyMap(field, map) {
+    // Make same order as in spec
+    const COEFF = map.map((i) => Array.from(i).reverse());
+    return (x, y) => {
+        const [xNum, xDen, yNum, yDen] = COEFF.map((val) => val.reduce((acc, i) => field.add(field.mul(acc, x), i)));
+        x = field.div(xNum, xDen); // xNum / xDen
+        y = field.mul(y, field.div(yNum, yDen)); // y * (yNum / yDev)
+        return { x, y };
+    };
+}

package/lib/esm/{modular.js → abstract/modular.js}

@@ -1,9 +1,12 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import * as utils from './utils.js';
-// Utilities for modular arithmetics
-const _0n = BigInt(0);
-const _1n = BigInt(1);
-const _2n = BigInt(2);
+// Utilities for modular arithmetics and finite fields
+// prettier-ignore
+const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
+// prettier-ignore
+const _4n = BigInt(4), _5n = BigInt(5), _7n = BigInt(7), _8n = BigInt(8);
+// prettier-ignore
+const _9n = BigInt(9), _16n = BigInt(16);
 // Calculates a modulo b
 export function mod(a, b) {
     const result = a % b;
@@ -74,16 +77,16 @@ export function legendre(num, fieldPrime) {
 }
 /**
  * Calculates square root of a number in a finite field.
+ * √a mod P
  */
 // TODO: rewrite as generic Fp function && remove bls versions
 export function sqrt(number, modulo) {
     // prettier-ignore
-    const _3n = BigInt(3), _4n = BigInt(4), _5n = BigInt(5), _8n = BigInt(8);
     const n = number;
     const P = modulo;
     const p1div4 = (P + _1n) / _4n;
     // P ≡ 3 (mod 4)
-    // sqrt n = n^((P+1)/4)
+    // √n = n^((P+1)/4)
     if (P % _4n === _3n) {
         // Not all roots possible!
         // const ORDER =
@@ -139,8 +142,8 @@ export const isNegativeLE = (num, modulo) => (mod(num, modulo) & _1n) === _1n;
 // prettier-ignore
 const FIELD_FIELDS = [
     'create', 'isValid', 'isZero', 'negate', 'invert', 'sqrt', 'square',
-    'equals', 'add', 'subtract', 'multiply', 'pow', 'div',
-    'addN', 'subtractN', 'multiplyN', 'squareN'
+    'equals', 'add', 'sub', 'mul', 'pow', 'div',
+    'addN', 'subN', 'mulN', 'squareN'
 ];
 export function validateField(field) {
     for (const i of ['ORDER', 'MASK']) {
@@ -170,7 +173,7 @@ export function FpPow(f, num, power) {
     let d = num;
     while (power > _0n) {
         if (power & _1n)
-            p = f.multiply(p, d);
+            p = f.mul(p, d);
         d = f.square(d);
         power >>= 1n;
     }
@@ -183,7 +186,7 @@ export function FpInvertBatch(f, nums) {
         if (f.isZero(num))
             return acc;
         tmp[i] = acc;
-        return f.multiply(acc, num);
+        return f.mul(acc, num);
     }, f.ONE);
     // Invert last element
     const inverted = f.invert(lastMultiplied);
@@ -191,13 +194,13 @@ export function FpInvertBatch(f, nums) {
     nums.reduceRight((acc, num, i) => {
         if (f.isZero(num))
             return acc;
-        tmp[i] = f.multiply(acc, tmp[i]);
-        return f.multiply(acc, num);
+        tmp[i] = f.mul(acc, tmp[i]);
+        return f.mul(acc, num);
     }, inverted);
     return tmp;
 }
 export function FpDiv(f, lhs, rhs) {
-    return f.multiply(lhs, typeof rhs === 'bigint' ? invert(rhs, f.ORDER) : f.invert(rhs));
+    return f.mul(lhs, typeof rhs === 'bigint' ? invert(rhs, f.ORDER) : f.invert(rhs));
 }
 // NOTE: very fragile, always bench. Major performance points:
 // - NonNormalized ops
@@ -229,18 +232,21 @@ export function Fp(ORDER, bitLen, isLE = false, redef = {}) {
         equals: (lhs, rhs) => lhs === rhs,
         square: (num) => mod(num * num, ORDER),
         add: (lhs, rhs) => mod(lhs + rhs, ORDER),
-        subtract: (lhs, rhs) => mod(lhs - rhs, ORDER),
-        multiply: (lhs, rhs) => mod(lhs * rhs, ORDER),
+        sub: (lhs, rhs) => mod(lhs - rhs, ORDER),
+        mul: (lhs, rhs) => mod(lhs * rhs, ORDER),
         pow: (num, power) => FpPow(f, num, power),
         div: (lhs, rhs) => mod(lhs * invert(rhs, ORDER), ORDER),
         // Same as above, but doesn't normalize
         squareN: (num) => num * num,
         addN: (lhs, rhs) => lhs + rhs,
-        subtractN: (lhs, rhs) => lhs - rhs,
-        multiplyN: (lhs, rhs) => lhs * rhs,
+        subN: (lhs, rhs) => lhs - rhs,
+        mulN: (lhs, rhs) => lhs * rhs,
         invert: (num) => invert(num, ORDER),
         sqrt: redef.sqrt || sqrtP,
         invertBatch: (lst) => FpInvertBatch(f, lst),
+        // TODO: do we really need constant cmov?
+        // We don't have const-time bigints anyway, so probably will be not very useful
+        cmov: (a, b, c) => (c ? b : a),
         toBytes: (num) => isLE ? utils.numberToBytesLE(num, BYTES) : utils.numberToBytesBE(num, BYTES),
         fromBytes: (bytes) => {
             if (bytes.length !== BYTES)
@@ -250,3 +256,87 @@ export function Fp(ORDER, bitLen, isLE = false, redef = {}) {
     });
     return Object.freeze(f);
 }
+// TODO: re-use in bls/generic sqrt for field/etc?
+// Something like sqrtUnsafe which always returns value, but sqrt throws exception if non-square
+// From draft-irtf-cfrg-hash-to-curve-16
+export function FpSqrt(Fp) {
+    // NOTE: it requires another sqrt for constant precomputes, but no need for roots of unity,
+    // probably we can simply bls code using it
+    const q = Fp.ORDER;
+    const squareConst = (q - _1n) / _2n;
+    // is_square(x) := { True,  if x^((q - 1) / 2) is 0 or 1 in F;
+    //                 { False, otherwise.
+    let isSquare = (x) => {
+        const p = Fp.pow(x, squareConst);
+        return Fp.equals(p, Fp.ZERO) || Fp.equals(p, Fp.ONE);
+    };
+    // Constant-time Tonelli-Shanks algorithm
+    let l = _0n;
+    for (let o = q - _1n; o % _2n === _0n; o /= _2n)
+        l += _1n;
+    const c1 = l; // 1. c1, the largest integer such that 2^c1 divides q - 1.
+    const c2 = (q - _1n) / _2n ** c1; // 2. c2 = (q - 1) / (2^c1)        # Integer arithmetic
+    const c3 = (c2 - _1n) / _2n; // 3. c3 = (c2 - 1) / 2            # Integer arithmetic
+    //  4. c4, a non-square value in F
+    //  5. c5 = c4^c2 in F
+    let c4 = Fp.ONE;
+    while (isSquare(c4))
+        c4 = Fp.add(c4, Fp.ONE);
+    const c5 = Fp.pow(c4, c2);
+    let sqrt = (x) => {
+        let z = Fp.pow(x, c3); // 1.  z = x^c3
+        let t = Fp.square(z); // 2.  t = z * z
+        t = Fp.mul(t, x); // 3.  t = t * x
+        z = Fp.mul(z, x); // 4.  z = z * x
+        let b = t; // 5.  b = t
+        let c = c5; // 6.  c = c5
+        // 7.  for i in (c1, c1 - 1, ..., 2):
+        for (let i = c1; i > 1; i--) {
+            // 8.    for j in (1, 2, ..., i - 2):
+            // 9.      b = b * b
+            for (let j = _1n; j < i - _1n; i++)
+                b = Fp.square(b);
+            const e = Fp.equals(b, Fp.ONE); // 10.   e = b == 1
+            const zt = Fp.mul(z, c); // 11.   zt = z * c
+            z = Fp.cmov(zt, z, e); // 12.   z = CMOV(zt, z, e)
+            c = Fp.square(c); // 13.   c = c * c
+            let tt = Fp.mul(t, c); // 14.   tt = t * c
+            t = Fp.cmov(tt, t, e); // 15.   t = CMOV(tt, t, e)
+            b = t; // 16.   b = t
+        }
+        return z; // 17. return z
+    };
+    if (q % _4n === _3n) {
+        const c1 = (q + _1n) / _4n; // 1. c1 = (q + 1) / 4     # Integer arithmetic
+        sqrt = (x) => Fp.pow(x, c1);
+    }
+    else if (q % _8n === _5n) {
+        const c1 = Fp.sqrt(Fp.negate(Fp.ONE)); //  1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F
+        const c2 = (q + _3n) / _8n; //  2. c2 = (q + 3) / 8     # Integer arithmetic
+        sqrt = (x) => {
+            let tv1 = Fp.pow(x, c2); //  1. tv1 = x^c2
+            let tv2 = Fp.mul(tv1, c1); //  2. tv2 = tv1 * c1
+            let e = Fp.equals(Fp.square(tv1), x); //  3.   e = (tv1^2) == x
+            return Fp.cmov(tv2, tv1, e); //  4.   z = CMOV(tv2, tv1, e)
+        };
+    }
+    else if (Fp.ORDER % _16n === _9n) {
+        const c1 = Fp.sqrt(Fp.negate(Fp.ONE)); //  1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F
+        const c2 = Fp.sqrt(c1); //  2. c2 = sqrt(c1) in F, i.e., (c2^2) == c1 in F
+        const c3 = Fp.sqrt(Fp.negate(c1)); //  3. c3 = sqrt(-c1) in F, i.e., (c3^2) == -c1 in F
+        const c4 = (Fp.ORDER + _7n) / _16n; //  4. c4 = (q + 7) / 16         # Integer arithmetic
+        sqrt = (x) => {
+            let tv1 = Fp.pow(x, c4); //  1. tv1 = x^c4
+            let tv2 = Fp.mul(c1, tv1); //  2. tv2 = c1 * tv1
+            const tv3 = Fp.mul(c2, tv1); //  3. tv3 = c2 * tv1
+            let tv4 = Fp.mul(c3, tv1); //  4. tv4 = c3 * tv1
+            const e1 = Fp.equals(Fp.square(tv2), x); //  5.  e1 = (tv2^2) == x
+            const e2 = Fp.equals(Fp.square(tv3), x); //  6.  e2 = (tv3^2) == x
+            tv1 = Fp.cmov(tv1, tv2, e1); //  7. tv1 = CMOV(tv1, tv2, e1)  # Select tv2 if (tv2^2) == x
+            tv2 = Fp.cmov(tv4, tv3, e2); //  8. tv2 = CMOV(tv4, tv3, e2)  # Select tv3 if (tv3^2) == x
+            const e3 = Fp.equals(Fp.square(tv2), x); //  9.  e3 = (tv2^2) == x
+            return Fp.cmov(tv1, tv2, e3); //  10.  z = CMOV(tv1, tv2, e3)  # Select the sqrt from tv1 and tv2
+        };
+    }
+    return { sqrt, isSquare };
+}

package/lib/esm/{montgomery.js → abstract/montgomery.js}

@@ -1,3 +1,4 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import * as mod from './modular.js';
 import { ensureBytes, numberToBytesLE, bytesToNumberLE,
 // nLength,
@@ -161,8 +162,14 @@ export function montgomery(curveDef) {
             throw new Error(`Expected ${montgomeryBytes} or ${fieldLen} bytes, got ${bytes.length}`);
         return bytesToNumberLE(adjustScalarBytes(bytes));
     }
-    // Multiply point u by scalar
-    function scalarMult(u, scalar) {
+    /**
+     * Computes shared secret between private key "scalar" and public key's "u" (x) coordinate.
+     * We can get 'y' coordinate from 'u',
+     * but Point.fromHex also wants 'x' coordinate oddity flag,
+     * and we cannot get 'x' without knowing 'v'.
+     * Need to add generic conversion between twisted edwards and complimentary curve for JubJub.
+     */
+    function scalarMult(scalar, u) {
         const pointU = decodeUCoordinate(u);
         const _scalar = decodeScalar(scalar);
         const pu = montgomeryLadder(pointU, _scalar);
@@ -172,17 +179,19 @@ export function montgomery(curveDef) {
             throw new Error('Invalid private or public key received');
         return encodeUCoordinate(pu);
     }
-    // Multiply base point by scalar
+    /**
+     * Computes public key from private.
+     * Executes scalar multiplication of curve's base point by scalar.
+     * @param scalar private key
+     * @returns new public key
+     */
     function scalarMultBase(scalar) {
-        return scalarMult(CURVE.Gu, scalar);
+        return scalarMult(scalar, CURVE.Gu);
     }
     return {
-        // NOTE: we can get 'y' coordinate from 'u', but Point.fromHex also wants 'x' coordinate oddity flag, and we cannot get 'x' without knowing 'v'
-        // Need to add generic conversion between twisted edwards and complimentary curve for JubJub
         scalarMult,
         scalarMultBase,
-        // NOTE: these function work on complimentary montgomery curve
-        // getSharedSecret: (privateKey: Hex, publicKey: Hex) => scalarMult(publicKey, privateKey),
+        getSharedSecret: (privateKey, publicKey) => scalarMult(privateKey, publicKey),
         getPublicKey: (privateKey) => scalarMultBase(privateKey),
         Gu: CURVE.Gu,
     };

package/lib/esm/{utils.js → abstract/utils.js}

@@ -1,4 +1,4 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import * as mod from './modular.js';
 const _0n = BigInt(0);
 const _1n = BigInt(1);