@noble/curves 0.4.0 → 0.5.1

package/lib/esm/abstract/modular.js

@@ -0,0 +1,319 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// TODO: remove circular imports
+import * as utils from './utils.js';
+// Utilities for modular arithmetics and finite fields
+// prettier-ignore
+const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
+// prettier-ignore
+const _4n = BigInt(4), _5n = BigInt(5), _8n = BigInt(8);
+// prettier-ignore
+const _9n = BigInt(9), _16n = BigInt(16);
+// Calculates a modulo b
+export function mod(a, b) {
+    const result = a % b;
+    return result >= _0n ? result : b + result;
+}
+/**
+ * Efficiently exponentiate num to power and do modular division.
+ * Unsafe in some contexts: uses ladder, so can expose bigint bits.
+ * @example
+ * powMod(2n, 6n, 11n) // 64n % 11n == 9n
+ */
+// TODO: use field version && remove
+export function pow(num, power, modulo) {
+    if (modulo <= _0n || power < _0n)
+        throw new Error('Expected power/modulo > 0');
+    if (modulo === _1n)
+        return _0n;
+    let res = _1n;
+    while (power > _0n) {
+        if (power & _1n)
+            res = (res * num) % modulo;
+        num = (num * num) % modulo;
+        power >>= _1n;
+    }
+    return res;
+}
+// Does x ^ (2 ^ power) mod p. pow2(30, 4) == 30 ^ (2 ^ 4)
+// TODO: Fp version?
+export function pow2(x, power, modulo) {
+    let res = x;
+    while (power-- > _0n) {
+        res *= res;
+        res %= modulo;
+    }
+    return res;
+}
+// Inverses number over modulo
+export function invert(number, modulo) {
+    if (number === _0n || modulo <= _0n) {
+        throw new Error(`invert: expected positive integers, got n=${number} mod=${modulo}`);
+    }
+    // Eucledian GCD https://brilliant.org/wiki/extended-euclidean-algorithm/
+    let a = mod(number, modulo);
+    let b = modulo;
+    // prettier-ignore
+    let x = _0n, y = _1n, u = _1n, v = _0n;
+    while (a !== _0n) {
+        const q = b / a;
+        const r = b % a;
+        const m = x - u * q;
+        const n = y - v * q;
+        // prettier-ignore
+        b = a, a = r, x = u, y = v, u = m, v = n;
+    }
+    const gcd = b;
+    if (gcd !== _1n)
+        throw new Error('invert: does not exist');
+    return mod(x, modulo);
+}
+// Tonelli-Shanks algorithm
+// https://eprint.iacr.org/2012/685.pdf (page 12)
+export function tonelliShanks(P) {
+    // Legendre constant: used to calculate Legendre symbol (a | p),
+    // which denotes the value of a^((p-1)/2) (mod p).
+    // (a | p) ≡ 1    if a is a square (mod p)
+    // (a | p) ≡ -1   if a is not a square (mod p)
+    // (a | p) ≡ 0    if a ≡ 0 (mod p)
+    const legendreC = (P - _1n) / _2n;
+    let Q, S, Z;
+    // Step 1: By factoring out powers of 2 from p - 1,
+    // find q and s such that p - 1 = q2s with q odd
+    for (Q = P - _1n, S = 0; Q % _2n === _0n; Q /= _2n, S++)
+        ;
+    // Step 2: Select a non-square z such that (z | p) ≡ -1 and set c ≡ zq
+    for (Z = _2n; Z < P && pow(Z, legendreC, P) !== P - _1n; Z++)
+        ;
+    // Fast-path
+    if (S === 1) {
+        const p1div4 = (P + _1n) / _4n;
+        return function tonelliFast(Fp, n) {
+            const root = Fp.pow(n, p1div4);
+            if (!Fp.equals(Fp.square(root), n))
+                throw new Error('Cannot find square root');
+            return root;
+        };
+    }
+    // Slow-path
+    const Q1div2 = (Q + _1n) / _2n;
+    return function tonelliSlow(Fp, n) {
+        // Step 0: Check that n is indeed a square: (n | p) must be ≡ 1
+        if (Fp.pow(n, legendreC) !== Fp.ONE)
+            throw new Error('Cannot find square root');
+        let s = S;
+        let c = pow(Z, Q, P);
+        let r = Fp.pow(n, Q1div2);
+        let t = Fp.pow(n, Q);
+        let t2 = Fp.ZERO;
+        while (!Fp.equals(Fp.sub(t, Fp.ONE), Fp.ZERO)) {
+            t2 = Fp.square(t);
+            let i;
+            for (i = 1; i < s; i++) {
+                // stop if t2-1 == 0
+                if (Fp.equals(Fp.sub(t2, Fp.ONE), Fp.ZERO))
+                    break;
+                // t2 *= t2
+                t2 = Fp.square(t2);
+            }
+            let b = pow(c, BigInt(1 << (s - i - 1)), P);
+            r = Fp.mul(r, b);
+            c = mod(b * b, P);
+            t = Fp.mul(t, c);
+            s = i;
+        }
+        return r;
+    };
+}
+export function FpSqrt(P) {
+    // NOTE: different algorithms can give different roots, it is up to user to decide which one they want.
+    // For example there is FpSqrtOdd/FpSqrtEven to choice root based on oddness (used for hash-to-curve).
+    // P ≡ 3 (mod 4)
+    // √n = n^((P+1)/4)
+    if (P % _4n === _3n) {
+        // Not all roots possible!
+        // const ORDER =
+        //   0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaabn;
+        // const NUM = 72057594037927816n;
+        const p1div4 = (P + _1n) / _4n;
+        return function sqrt3mod4(Fp, n) {
+            const root = Fp.pow(n, p1div4);
+            // Throw if root**2 != n
+            if (!Fp.equals(Fp.square(root), n))
+                throw new Error('Cannot find square root');
+            return root;
+        };
+    }
+    // Atkin algorithm for q ≡ 5 (mod 8), https://eprint.iacr.org/2012/685.pdf (page 10)
+    if (P % _8n === _5n) {
+        const c1 = (P - _5n) / _8n;
+        return function sqrt5mod8(Fp, n) {
+            const n2 = Fp.mul(n, _2n);
+            const v = Fp.pow(n2, c1);
+            const nv = Fp.mul(n, v);
+            const i = Fp.mul(Fp.mul(nv, _2n), v);
+            const root = Fp.mul(nv, Fp.sub(i, Fp.ONE));
+            if (!Fp.equals(Fp.square(root), n))
+                throw new Error('Cannot find square root');
+            return root;
+        };
+    }
+    // P ≡ 9 (mod 16)
+    if (P % _16n === _9n) {
+        // NOTE: tonelli is too slow for bls-Fp2 calculations even on start
+        // Means we cannot use sqrt for constants at all!
+        //
+        // const c1 = Fp.sqrt(Fp.negate(Fp.ONE)); //  1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F
+        // const c2 = Fp.sqrt(c1);                //  2. c2 = sqrt(c1) in F, i.e., (c2^2) == c1 in F
+        // const c3 = Fp.sqrt(Fp.negate(c1));     //  3. c3 = sqrt(-c1) in F, i.e., (c3^2) == -c1 in F
+        // const c4 = (P + _7n) / _16n;           //  4. c4 = (q + 7) / 16        # Integer arithmetic
+        // sqrt = (x) => {
+        //   let tv1 = Fp.pow(x, c4);             //  1. tv1 = x^c4
+        //   let tv2 = Fp.mul(c1, tv1);           //  2. tv2 = c1 * tv1
+        //   const tv3 = Fp.mul(c2, tv1);         //  3. tv3 = c2 * tv1
+        //   let tv4 = Fp.mul(c3, tv1);           //  4. tv4 = c3 * tv1
+        //   const e1 = Fp.equals(Fp.square(tv2), x); //  5.  e1 = (tv2^2) == x
+        //   const e2 = Fp.equals(Fp.square(tv3), x); //  6.  e2 = (tv3^2) == x
+        //   tv1 = Fp.cmov(tv1, tv2, e1); //  7. tv1 = CMOV(tv1, tv2, e1)  # Select tv2 if (tv2^2) == x
+        //   tv2 = Fp.cmov(tv4, tv3, e2); //  8. tv2 = CMOV(tv4, tv3, e2)  # Select tv3 if (tv3^2) == x
+        //   const e3 = Fp.equals(Fp.square(tv2), x); //  9.  e3 = (tv2^2) == x
+        //   return Fp.cmov(tv1, tv2, e3); //  10.  z = CMOV(tv1, tv2, e3)  # Select the sqrt from tv1 and tv2
+        // }
+    }
+    // Other cases: Tonelli-Shanks algorithm
+    return tonelliShanks(P);
+}
+// Little-endian check for first LE bit (last BE bit);
+export const isNegativeLE = (num, modulo) => (mod(num, modulo) & _1n) === _1n;
+// prettier-ignore
+const FIELD_FIELDS = [
+    'create', 'isValid', 'isZero', 'negate', 'invert', 'sqrt', 'square',
+    'equals', 'add', 'sub', 'mul', 'pow', 'div',
+    'addN', 'subN', 'mulN', 'squareN'
+];
+export function validateField(field) {
+    for (const i of ['ORDER', 'MASK']) {
+        if (typeof field[i] !== 'bigint')
+            throw new Error(`Invalid field param ${i}=${field[i]} (${typeof field[i]})`);
+    }
+    for (const i of ['BYTES', 'BITS']) {
+        if (typeof field[i] !== 'number')
+            throw new Error(`Invalid field param ${i}=${field[i]} (${typeof field[i]})`);
+    }
+    for (const i of FIELD_FIELDS) {
+        if (typeof field[i] !== 'function')
+            throw new Error(`Invalid field param ${i}=${field[i]} (${typeof field[i]})`);
+    }
+}
+// Generic field functions
+export function FpPow(f, num, power) {
+    // Should have same speed as pow for bigints
+    // TODO: benchmark!
+    if (power < _0n)
+        throw new Error('Expected power > 0');
+    if (power === _0n)
+        return f.ONE;
+    if (power === _1n)
+        return num;
+    let p = f.ONE;
+    let d = num;
+    while (power > _0n) {
+        if (power & _1n)
+            p = f.mul(p, d);
+        d = f.square(d);
+        power >>= 1n;
+    }
+    return p;
+}
+export function FpInvertBatch(f, nums) {
+    const tmp = new Array(nums.length);
+    // Walk from first to last, multiply them by each other MOD p
+    const lastMultiplied = nums.reduce((acc, num, i) => {
+        if (f.isZero(num))
+            return acc;
+        tmp[i] = acc;
+        return f.mul(acc, num);
+    }, f.ONE);
+    // Invert last element
+    const inverted = f.invert(lastMultiplied);
+    // Walk from last to first, multiply them by inverted each other MOD p
+    nums.reduceRight((acc, num, i) => {
+        if (f.isZero(num))
+            return acc;
+        tmp[i] = f.mul(acc, tmp[i]);
+        return f.mul(acc, num);
+    }, inverted);
+    return tmp;
+}
+export function FpDiv(f, lhs, rhs) {
+    return f.mul(lhs, typeof rhs === 'bigint' ? invert(rhs, f.ORDER) : f.invert(rhs));
+}
+// This function returns True whenever the value x is a square in the field F.
+export function FpIsSquare(f) {
+    const legendreConst = (f.ORDER - _1n) / _2n; // Integer arithmetic
+    return (x) => {
+        const p = f.pow(x, legendreConst);
+        return f.equals(p, f.ZERO) || f.equals(p, f.ONE);
+    };
+}
+export function Fp(ORDER, bitLen, isLE = false, redef = {}) {
+    if (ORDER <= _0n)
+        throw new Error(`Expected Fp ORDER > 0, got ${ORDER}`);
+    const { nBitLength: BITS, nByteLength: BYTES } = utils.nLength(ORDER, bitLen);
+    if (BYTES > 2048)
+        throw new Error('Field lengths over 2048 bytes are not supported');
+    const sqrtP = FpSqrt(ORDER);
+    const f = Object.freeze({
+        ORDER,
+        BITS,
+        BYTES,
+        MASK: utils.bitMask(BITS),
+        ZERO: _0n,
+        ONE: _1n,
+        create: (num) => mod(num, ORDER),
+        isValid: (num) => {
+            if (typeof num !== 'bigint')
+                throw new Error(`Invalid field element: expected bigint, got ${typeof num}`);
+            return _0n <= num && num < ORDER;
+        },
+        isZero: (num) => num === _0n,
+        isOdd: (num) => (num & _1n) === _1n,
+        negate: (num) => mod(-num, ORDER),
+        equals: (lhs, rhs) => lhs === rhs,
+        square: (num) => mod(num * num, ORDER),
+        add: (lhs, rhs) => mod(lhs + rhs, ORDER),
+        sub: (lhs, rhs) => mod(lhs - rhs, ORDER),
+        mul: (lhs, rhs) => mod(lhs * rhs, ORDER),
+        pow: (num, power) => FpPow(f, num, power),
+        div: (lhs, rhs) => mod(lhs * invert(rhs, ORDER), ORDER),
+        // Same as above, but doesn't normalize
+        squareN: (num) => num * num,
+        addN: (lhs, rhs) => lhs + rhs,
+        subN: (lhs, rhs) => lhs - rhs,
+        mulN: (lhs, rhs) => lhs * rhs,
+        invert: (num) => invert(num, ORDER),
+        sqrt: redef.sqrt || ((n) => sqrtP(f, n)),
+        invertBatch: (lst) => FpInvertBatch(f, lst),
+        // TODO: do we really need constant cmov?
+        // We don't have const-time bigints anyway, so probably will be not very useful
+        cmov: (a, b, c) => (c ? b : a),
+        toBytes: (num) => isLE ? utils.numberToBytesLE(num, BYTES) : utils.numberToBytesBE(num, BYTES),
+        fromBytes: (bytes) => {
+            if (bytes.length !== BYTES)
+                throw new Error(`Fp.fromBytes: expected ${BYTES}, got ${bytes.length}`);
+            return isLE ? utils.bytesToNumberLE(bytes) : utils.bytesToNumberBE(bytes);
+        },
+    });
+    return Object.freeze(f);
+}
+export function FpSqrtOdd(Fp, elm) {
+    if (!Fp.isOdd)
+        throw new Error(`Field doesn't have isOdd`);
+    const root = Fp.sqrt(elm);
+    return Fp.isOdd(root) ? root : Fp.negate(root);
+}
+export function FpSqrtEven(Fp, elm) {
+    if (!Fp.isOdd)
+        throw new Error(`Field doesn't have isOdd`);
+    const root = Fp.sqrt(elm);
+    return Fp.isOdd(root) ? Fp.negate(root) : root;
+}

package/lib/esm/{montgomery.js → abstract/montgomery.js}

@@ -1,3 +1,4 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import * as mod from './modular.js';
 import { ensureBytes, numberToBytesLE, bytesToNumberLE,
 // nLength,
@@ -161,8 +162,14 @@ export function montgomery(curveDef) {
             throw new Error(`Expected ${montgomeryBytes} or ${fieldLen} bytes, got ${bytes.length}`);
         return bytesToNumberLE(adjustScalarBytes(bytes));
     }
-    // Multiply point u by scalar
-    function scalarMult(u, scalar) {
+    /**
+     * Computes shared secret between private key "scalar" and public key's "u" (x) coordinate.
+     * We can get 'y' coordinate from 'u',
+     * but Point.fromHex also wants 'x' coordinate oddity flag,
+     * and we cannot get 'x' without knowing 'v'.
+     * Need to add generic conversion between twisted edwards and complimentary curve for JubJub.
+     */
+    function scalarMult(scalar, u) {
         const pointU = decodeUCoordinate(u);
         const _scalar = decodeScalar(scalar);
         const pu = montgomeryLadder(pointU, _scalar);
@@ -172,17 +179,19 @@ export function montgomery(curveDef) {
             throw new Error('Invalid private or public key received');
         return encodeUCoordinate(pu);
     }
-    // Multiply base point by scalar
+    /**
+     * Computes public key from private.
+     * Executes scalar multiplication of curve's base point by scalar.
+     * @param scalar private key
+     * @returns new public key
+     */
     function scalarMultBase(scalar) {
-        return scalarMult(CURVE.Gu, scalar);
+        return scalarMult(scalar, CURVE.Gu);
     }
     return {
-        // NOTE: we can get 'y' coordinate from 'u', but Point.fromHex also wants 'x' coordinate oddity flag, and we cannot get 'x' without knowing 'v'
-        // Need to add generic conversion between twisted edwards and complimentary curve for JubJub
         scalarMult,
         scalarMultBase,
-        // NOTE: these function work on complimentary montgomery curve
-        // getSharedSecret: (privateKey: Hex, publicKey: Hex) => scalarMult(publicKey, privateKey),
+        getSharedSecret: (privateKey, publicKey) => scalarMult(privateKey, publicKey),
         getPublicKey: (privateKey) => scalarMultBase(privateKey),
         Gu: CURVE.Gu,
     };

package/lib/esm/{utils.js → abstract/utils.js}

@@ -1,4 +1,4 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import * as mod from './modular.js';
 const _0n = BigInt(0);
 const _1n = BigInt(1);