@noble/curves 0.5.0 → 0.5.2

package/lib/esm/abstract/modular.js

@@ -1,10 +1,11 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// TODO: remove circular imports
 import * as utils from './utils.js';
 // Utilities for modular arithmetics and finite fields
 // prettier-ignore
 const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
 // prettier-ignore
-const _4n = BigInt(4), _5n = BigInt(5), _7n = BigInt(7), _8n = BigInt(8);
+const _4n = BigInt(4), _5n = BigInt(5), _8n = BigInt(8);
 // prettier-ignore
 const _9n = BigInt(9), _16n = BigInt(16);
 // Calculates a modulo b
@@ -54,6 +55,7 @@ export function invert(number, modulo) {
     // prettier-ignore
     let x = _0n, y = _1n, u = _1n, v = _0n;
     while (a !== _0n) {
+        // JIT applies optimization if those two lines follow each other
         const q = b / a;
         const r = b % a;
         const m = x - u * q;
@@ -66,25 +68,68 @@ export function invert(number, modulo) {
         throw new Error('invert: does not exist');
     return mod(x, modulo);
 }
-/**
- * Calculates Legendre symbol (a | p), which denotes the value of a^((p-1)/2) (mod p).
- * * (a | p) ≡ 1    if a is a square (mod p)
- * * (a | p) ≡ -1   if a is not a square (mod p)
- * * (a | p) ≡ 0    if a ≡ 0 (mod p)
- */
-export function legendre(num, fieldPrime) {
-    return pow(num, (fieldPrime - _1n) / _2n, fieldPrime);
+// Tonelli-Shanks algorithm
+// Paper 1: https://eprint.iacr.org/2012/685.pdf (page 12)
+// Paper 2: Square Roots from 1; 24, 51, 10 to Dan Shanks
+export function tonelliShanks(P) {
+    // Legendre constant: used to calculate Legendre symbol (a | p),
+    // which denotes the value of a^((p-1)/2) (mod p).
+    // (a | p) ≡ 1    if a is a square (mod p)
+    // (a | p) ≡ -1   if a is not a square (mod p)
+    // (a | p) ≡ 0    if a ≡ 0 (mod p)
+    const legendreC = (P - _1n) / _2n;
+    let Q, S, Z;
+    // Step 1: By factoring out powers of 2 from p - 1,
+    // find q and s such that p - 1 = q*(2^s) with q odd
+    for (Q = P - _1n, S = 0; Q % _2n === _0n; Q /= _2n, S++)
+        ;
+    // Step 2: Select a non-square z such that (z | p) ≡ -1 and set c ≡ zq
+    for (Z = _2n; Z < P && pow(Z, legendreC, P) !== P - _1n; Z++)
+        ;
+    // Fast-path
+    if (S === 1) {
+        const p1div4 = (P + _1n) / _4n;
+        return function tonelliFast(Fp, n) {
+            const root = Fp.pow(n, p1div4);
+            if (!Fp.equals(Fp.square(root), n))
+                throw new Error('Cannot find square root');
+            return root;
+        };
+    }
+    // Slow-path
+    const Q1div2 = (Q + _1n) / _2n;
+    return function tonelliSlow(Fp, n) {
+        // Step 0: Check that n is indeed a square: (n | p) should not be ≡ -1
+        if (Fp.pow(n, legendreC) === Fp.negate(Fp.ONE))
+            throw new Error('Cannot find square root');
+        let r = S;
+        // TODO: will fail at Fp2/etc
+        let g = Fp.pow(Fp.mul(Fp.ONE, Z), Q); // will update both x and b
+        let x = Fp.pow(n, Q1div2); // first guess at the square root
+        let b = Fp.pow(n, Q); // first guess at the fudge factor
+        while (!Fp.equals(b, Fp.ONE)) {
+            if (Fp.equals(b, Fp.ZERO))
+                return Fp.ZERO; // https://en.wikipedia.org/wiki/Tonelli%E2%80%93Shanks_algorithm (4. If t = 0, return r = 0)
+            // Find m such b^(2^m)==1
+            let m = 1;
+            for (let t2 = Fp.square(b); m < r; m++) {
+                if (Fp.equals(t2, Fp.ONE))
+                    break;
+                t2 = Fp.square(t2); // t2 *= t2
+            }
+            // NOTE: r-m-1 can be bigger than 32, need to convert to bigint before shift, otherwise there will be overflow
+            const ge = Fp.pow(g, _1n << BigInt(r - m - 1)); // ge = 2^(r-m-1)
+            g = Fp.square(ge); // g = ge * ge
+            x = Fp.mul(x, ge); // x *= ge
+            b = Fp.mul(b, g); // b *= g
+            r = m;
+        }
+        return x;
+    };
 }
-/**
- * Calculates square root of a number in a finite field.
- * √a mod P
- */
-// TODO: rewrite as generic Fp function && remove bls versions
-export function sqrt(number, modulo) {
-    // prettier-ignore
-    const n = number;
-    const P = modulo;
-    const p1div4 = (P + _1n) / _4n;
+export function FpSqrt(P) {
+    // NOTE: different algorithms can give different roots, it is up to user to decide which one they want.
+    // For example there is FpSqrtOdd/FpSqrtEven to choice root based on oddness (used for hash-to-curve).
     // P ≡ 3 (mod 4)
     // √n = n^((P+1)/4)
     if (P % _4n === _3n) {
@@ -92,50 +137,53 @@ export function sqrt(number, modulo) {
         // const ORDER =
         //   0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaabn;
         // const NUM = 72057594037927816n;
-        // TODO: fix sqrtMod in secp256k1
-        const root = pow(n, p1div4, P);
-        if (mod(root * root, modulo) !== number)
-            throw new Error('Cannot find square root');
-        return root;
+        const p1div4 = (P + _1n) / _4n;
+        return function sqrt3mod4(Fp, n) {
+            const root = Fp.pow(n, p1div4);
+            // Throw if root**2 != n
+            if (!Fp.equals(Fp.square(root), n))
+                throw new Error('Cannot find square root');
+            return root;
+        };
     }
-    // P ≡ 5 (mod 8)
+    // Atkin algorithm for q ≡ 5 (mod 8), https://eprint.iacr.org/2012/685.pdf (page 10)
     if (P % _8n === _5n) {
-        const n2 = mod(n * _2n, P);
-        const v = pow(n2, (P - _5n) / _8n, P);
-        const nv = mod(n * v, P);
-        const i = mod(_2n * nv * v, P);
-        const r = mod(nv * (i - _1n), P);
-        return r;
+        const c1 = (P - _5n) / _8n;
+        return function sqrt5mod8(Fp, n) {
+            const n2 = Fp.mul(n, _2n);
+            const v = Fp.pow(n2, c1);
+            const nv = Fp.mul(n, v);
+            const i = Fp.mul(Fp.mul(nv, _2n), v);
+            const root = Fp.mul(nv, Fp.sub(i, Fp.ONE));
+            if (!Fp.equals(Fp.square(root), n))
+                throw new Error('Cannot find square root');
+            return root;
+        };
     }
-    // Other cases: Tonelli-Shanks algorithm
-    if (legendre(n, P) !== _1n)
-        throw new Error('Cannot find square root');
-    let q, s, z;
-    for (q = P - _1n, s = 0; q % _2n === _0n; q /= _2n, s++)
-        ;
-    if (s === 1)
-        return pow(n, p1div4, P);
-    for (z = _2n; z < P && legendre(z, P) !== P - _1n; z++)
-        ;
-    let c = pow(z, q, P);
-    let r = pow(n, (q + _1n) / _2n, P);
-    let t = pow(n, q, P);
-    let t2 = _0n;
-    while (mod(t - _1n, P) !== _0n) {
-        t2 = mod(t * t, P);
-        let i;
-        for (i = 1; i < s; i++) {
-            if (mod(t2 - _1n, P) === _0n)
-                break;
-            t2 = mod(t2 * t2, P);
-        }
-        let b = pow(c, BigInt(1 << (s - i - 1)), P);
-        r = mod(r * b, P);
-        c = mod(b * b, P);
-        t = mod(t * c, P);
-        s = i;
+    // P ≡ 9 (mod 16)
+    if (P % _16n === _9n) {
+        // NOTE: tonelli is too slow for bls-Fp2 calculations even on start
+        // Means we cannot use sqrt for constants at all!
+        //
+        // const c1 = Fp.sqrt(Fp.negate(Fp.ONE)); //  1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F
+        // const c2 = Fp.sqrt(c1);                //  2. c2 = sqrt(c1) in F, i.e., (c2^2) == c1 in F
+        // const c3 = Fp.sqrt(Fp.negate(c1));     //  3. c3 = sqrt(-c1) in F, i.e., (c3^2) == -c1 in F
+        // const c4 = (P + _7n) / _16n;           //  4. c4 = (q + 7) / 16        # Integer arithmetic
+        // sqrt = (x) => {
+        //   let tv1 = Fp.pow(x, c4);             //  1. tv1 = x^c4
+        //   let tv2 = Fp.mul(c1, tv1);           //  2. tv2 = c1 * tv1
+        //   const tv3 = Fp.mul(c2, tv1);         //  3. tv3 = c2 * tv1
+        //   let tv4 = Fp.mul(c3, tv1);           //  4. tv4 = c3 * tv1
+        //   const e1 = Fp.equals(Fp.square(tv2), x); //  5.  e1 = (tv2^2) == x
+        //   const e2 = Fp.equals(Fp.square(tv3), x); //  6.  e2 = (tv3^2) == x
+        //   tv1 = Fp.cmov(tv1, tv2, e1); //  7. tv1 = CMOV(tv1, tv2, e1)  # Select tv2 if (tv2^2) == x
+        //   tv2 = Fp.cmov(tv4, tv3, e2); //  8. tv2 = CMOV(tv4, tv3, e2)  # Select tv3 if (tv3^2) == x
+        //   const e3 = Fp.equals(Fp.square(tv2), x); //  9.  e3 = (tv2^2) == x
+        //   return Fp.cmov(tv1, tv2, e3); //  10.  z = CMOV(tv1, tv2, e3)  # Select the sqrt from tv1 and tv2
+        // }
     }
-    return r;
+    // Other cases: Tonelli-Shanks algorithm
+    return tonelliShanks(P);
 }
 // Little-endian check for first LE bit (last BE bit);
 export const isNegativeLE = (num, modulo) => (mod(num, modulo) & _1n) === _1n;
@@ -202,17 +250,21 @@ export function FpInvertBatch(f, nums) {
 export function FpDiv(f, lhs, rhs) {
     return f.mul(lhs, typeof rhs === 'bigint' ? invert(rhs, f.ORDER) : f.invert(rhs));
 }
-// NOTE: very fragile, always bench. Major performance points:
-// - NonNormalized ops
-// - Object.freeze
-// - same shape of object (don't add/remove keys)
+// This function returns True whenever the value x is a square in the field F.
+export function FpIsSquare(f) {
+    const legendreConst = (f.ORDER - _1n) / _2n; // Integer arithmetic
+    return (x) => {
+        const p = f.pow(x, legendreConst);
+        return f.equals(p, f.ZERO) || f.equals(p, f.ONE);
+    };
+}
 export function Fp(ORDER, bitLen, isLE = false, redef = {}) {
     if (ORDER <= _0n)
         throw new Error(`Expected Fp ORDER > 0, got ${ORDER}`);
     const { nBitLength: BITS, nByteLength: BYTES } = utils.nLength(ORDER, bitLen);
     if (BYTES > 2048)
         throw new Error('Field lengths over 2048 bytes are not supported');
-    const sqrtP = (num) => sqrt(num, ORDER);
+    const sqrtP = FpSqrt(ORDER);
     const f = Object.freeze({
         ORDER,
         BITS,
@@ -242,7 +294,7 @@ export function Fp(ORDER, bitLen, isLE = false, redef = {}) {
         subN: (lhs, rhs) => lhs - rhs,
         mulN: (lhs, rhs) => lhs * rhs,
         invert: (num) => invert(num, ORDER),
-        sqrt: redef.sqrt || sqrtP,
+        sqrt: redef.sqrt || ((n) => sqrtP(f, n)),
         invertBatch: (lst) => FpInvertBatch(f, lst),
         // TODO: do we really need constant cmov?
         // We don't have const-time bigints anyway, so probably will be not very useful
@@ -256,87 +308,15 @@ export function Fp(ORDER, bitLen, isLE = false, redef = {}) {
     });
     return Object.freeze(f);
 }
-// TODO: re-use in bls/generic sqrt for field/etc?
-// Something like sqrtUnsafe which always returns value, but sqrt throws exception if non-square
-// From draft-irtf-cfrg-hash-to-curve-16
-export function FpSqrt(Fp) {
-    // NOTE: it requires another sqrt for constant precomputes, but no need for roots of unity,
-    // probably we can simply bls code using it
-    const q = Fp.ORDER;
-    const squareConst = (q - _1n) / _2n;
-    // is_square(x) := { True,  if x^((q - 1) / 2) is 0 or 1 in F;
-    //                 { False, otherwise.
-    let isSquare = (x) => {
-        const p = Fp.pow(x, squareConst);
-        return Fp.equals(p, Fp.ZERO) || Fp.equals(p, Fp.ONE);
-    };
-    // Constant-time Tonelli-Shanks algorithm
-    let l = _0n;
-    for (let o = q - _1n; o % _2n === _0n; o /= _2n)
-        l += _1n;
-    const c1 = l; // 1. c1, the largest integer such that 2^c1 divides q - 1.
-    const c2 = (q - _1n) / _2n ** c1; // 2. c2 = (q - 1) / (2^c1)        # Integer arithmetic
-    const c3 = (c2 - _1n) / _2n; // 3. c3 = (c2 - 1) / 2            # Integer arithmetic
-    //  4. c4, a non-square value in F
-    //  5. c5 = c4^c2 in F
-    let c4 = Fp.ONE;
-    while (isSquare(c4))
-        c4 = Fp.add(c4, Fp.ONE);
-    const c5 = Fp.pow(c4, c2);
-    let sqrt = (x) => {
-        let z = Fp.pow(x, c3); // 1.  z = x^c3
-        let t = Fp.square(z); // 2.  t = z * z
-        t = Fp.mul(t, x); // 3.  t = t * x
-        z = Fp.mul(z, x); // 4.  z = z * x
-        let b = t; // 5.  b = t
-        let c = c5; // 6.  c = c5
-        // 7.  for i in (c1, c1 - 1, ..., 2):
-        for (let i = c1; i > 1; i--) {
-            // 8.    for j in (1, 2, ..., i - 2):
-            // 9.      b = b * b
-            for (let j = _1n; j < i - _1n; i++)
-                b = Fp.square(b);
-            const e = Fp.equals(b, Fp.ONE); // 10.   e = b == 1
-            const zt = Fp.mul(z, c); // 11.   zt = z * c
-            z = Fp.cmov(zt, z, e); // 12.   z = CMOV(zt, z, e)
-            c = Fp.square(c); // 13.   c = c * c
-            let tt = Fp.mul(t, c); // 14.   tt = t * c
-            t = Fp.cmov(tt, t, e); // 15.   t = CMOV(tt, t, e)
-            b = t; // 16.   b = t
-        }
-        return z; // 17. return z
-    };
-    if (q % _4n === _3n) {
-        const c1 = (q + _1n) / _4n; // 1. c1 = (q + 1) / 4     # Integer arithmetic
-        sqrt = (x) => Fp.pow(x, c1);
-    }
-    else if (q % _8n === _5n) {
-        const c1 = Fp.sqrt(Fp.negate(Fp.ONE)); //  1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F
-        const c2 = (q + _3n) / _8n; //  2. c2 = (q + 3) / 8     # Integer arithmetic
-        sqrt = (x) => {
-            let tv1 = Fp.pow(x, c2); //  1. tv1 = x^c2
-            let tv2 = Fp.mul(tv1, c1); //  2. tv2 = tv1 * c1
-            let e = Fp.equals(Fp.square(tv1), x); //  3.   e = (tv1^2) == x
-            return Fp.cmov(tv2, tv1, e); //  4.   z = CMOV(tv2, tv1, e)
-        };
-    }
-    else if (Fp.ORDER % _16n === _9n) {
-        const c1 = Fp.sqrt(Fp.negate(Fp.ONE)); //  1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F
-        const c2 = Fp.sqrt(c1); //  2. c2 = sqrt(c1) in F, i.e., (c2^2) == c1 in F
-        const c3 = Fp.sqrt(Fp.negate(c1)); //  3. c3 = sqrt(-c1) in F, i.e., (c3^2) == -c1 in F
-        const c4 = (Fp.ORDER + _7n) / _16n; //  4. c4 = (q + 7) / 16         # Integer arithmetic
-        sqrt = (x) => {
-            let tv1 = Fp.pow(x, c4); //  1. tv1 = x^c4
-            let tv2 = Fp.mul(c1, tv1); //  2. tv2 = c1 * tv1
-            const tv3 = Fp.mul(c2, tv1); //  3. tv3 = c2 * tv1
-            let tv4 = Fp.mul(c3, tv1); //  4. tv4 = c3 * tv1
-            const e1 = Fp.equals(Fp.square(tv2), x); //  5.  e1 = (tv2^2) == x
-            const e2 = Fp.equals(Fp.square(tv3), x); //  6.  e2 = (tv3^2) == x
-            tv1 = Fp.cmov(tv1, tv2, e1); //  7. tv1 = CMOV(tv1, tv2, e1)  # Select tv2 if (tv2^2) == x
-            tv2 = Fp.cmov(tv4, tv3, e2); //  8. tv2 = CMOV(tv4, tv3, e2)  # Select tv3 if (tv3^2) == x
-            const e3 = Fp.equals(Fp.square(tv2), x); //  9.  e3 = (tv2^2) == x
-            return Fp.cmov(tv1, tv2, e3); //  10.  z = CMOV(tv1, tv2, e3)  # Select the sqrt from tv1 and tv2
-        };
-    }
-    return { sqrt, isSquare };
+export function FpSqrtOdd(Fp, elm) {
+    if (!Fp.isOdd)
+        throw new Error(`Field doesn't have isOdd`);
+    const root = Fp.sqrt(elm);
+    return Fp.isOdd(root) ? root : Fp.negate(root);
+}
+export function FpSqrtEven(Fp, elm) {
+    if (!Fp.isOdd)
+        throw new Error(`Field doesn't have isOdd`);
+    const root = Fp.sqrt(elm);
+    return Fp.isOdd(root) ? Fp.negate(root) : root;
 }

package/lib/esm/abstract/montgomery.js

@@ -1,8 +1,6 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import * as mod from './modular.js';
-import { ensureBytes, numberToBytesLE, bytesToNumberLE,
-// nLength,
- } from './utils.js';
+import { ensureBytes, numberToBytesLE, bytesToNumberLE, isPositiveInt } from './utils.js';
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 function validateOpts(curve) {
@@ -13,7 +11,7 @@ function validateOpts(curve) {
     for (const i of ['montgomeryBits', 'nByteLength']) {
         if (curve[i] === undefined)
             continue; // Optional
-        if (!Number.isSafeInteger(curve[i]))
+        if (!isPositiveInt(curve[i]))
             throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
     }
     for (const fn of ['adjustScalarBytes', 'domain', 'powPminus2']) {

package/lib/esm/abstract/utils.js

@@ -3,21 +3,27 @@ import * as mod from './modular.js';
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 const _2n = BigInt(2);
+// Bans floats and integers above 2^53-1
+export function isPositiveInt(num) {
+    return typeof num === 'number' && Number.isSafeInteger(num) && num > 0;
+}
 export function validateOpts(curve) {
     mod.validateField(curve.Fp);
     for (const i of ['n', 'h']) {
-        if (typeof curve[i] !== 'bigint')
-            throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
+        const val = curve[i];
+        if (typeof val !== 'bigint')
+            throw new Error(`Invalid curve param ${i}=${val} (${typeof val})`);
     }
     if (!curve.Fp.isValid(curve.Gx))
         throw new Error('Invalid generator X coordinate Fp element');
     if (!curve.Fp.isValid(curve.Gy))
         throw new Error('Invalid generator Y coordinate Fp element');
     for (const i of ['nBitLength', 'nByteLength']) {
-        if (curve[i] === undefined)
+        const val = curve[i];
+        if (val === undefined)
             continue; // Optional
-        if (!Number.isSafeInteger(curve[i]))
-            throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
+        if (!isPositiveInt(val))
+            throw new Error(`Invalid curve param ${i}=${val} (${typeof val})`);
     }
     // Set defaults
     return Object.freeze({ ...nLength(curve.n, curve.nBitLength), ...curve });
@@ -104,21 +110,22 @@ export function nLength(n, nBitLength) {
     return { nBitLength: _nBitLength, nByteLength };
 }
 /**
+ * FIPS 186 B.4.1-compliant "constant-time" private key generation utility.
  * Can take (n+8) or more bytes of uniform input e.g. from CSPRNG or KDF
  * and convert them into private scalar, with the modulo bias being neglible.
- * As per FIPS 186 B.4.1.
+ * Needs at least 40 bytes of input for 32-byte private key.
  * https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
- * @param hash hash output from sha512, or a similar function
+ * @param hash hash output from SHA3 or a similar function
  * @returns valid private scalar
  */
-export function hashToPrivateScalar(hash, CURVE_ORDER, isLE = false) {
+export function hashToPrivateScalar(hash, groupOrder, isLE = false) {
     hash = ensureBytes(hash);
-    const orderLen = nLength(CURVE_ORDER).nByteLength;
-    const minLen = orderLen + 8;
-    if (orderLen < 16 || hash.length < minLen || hash.length > 1024)
-        throw new Error('Expected valid bytes of private key as per FIPS 186');
+    const hashLen = hash.length;
+    const minLen = nLength(groupOrder).nByteLength + 8;
+    if (minLen < 24 || hashLen < minLen || hashLen > 1024)
+        throw new Error(`hashToPrivateScalar: expected ${minLen}-1024 bytes of input, got ${hashLen}`);
     const num = isLE ? bytesToNumberLE(hash) : bytesToNumberBE(hash);
-    return mod.mod(num, CURVE_ORDER - _1n) + _1n;
+    return mod.mod(num, groupOrder - _1n) + _1n;
 }
 export function equalBytes(b1, b2) {
     // We don't care about timing attacks here