@noble/curves 0.5.1 → 0.5.2

package/lib/esm/abstract/modular.js

@@ -55,6 +55,7 @@ export function invert(number, modulo) {
     // prettier-ignore
     let x = _0n, y = _1n, u = _1n, v = _0n;
     while (a !== _0n) {
+        // JIT applies optimization if those two lines follow each other
         const q = b / a;
         const r = b % a;
         const m = x - u * q;
@@ -68,7 +69,8 @@ export function invert(number, modulo) {
     return mod(x, modulo);
 }
 // Tonelli-Shanks algorithm
-// https://eprint.iacr.org/2012/685.pdf (page 12)
+// Paper 1: https://eprint.iacr.org/2012/685.pdf (page 12)
+// Paper 2: Square Roots from 1; 24, 51, 10 to Dan Shanks
 export function tonelliShanks(P) {
     // Legendre constant: used to calculate Legendre symbol (a | p),
     // which denotes the value of a^((p-1)/2) (mod p).
@@ -78,7 +80,7 @@ export function tonelliShanks(P) {
     const legendreC = (P - _1n) / _2n;
     let Q, S, Z;
     // Step 1: By factoring out powers of 2 from p - 1,
-    // find q and s such that p - 1 = q2s with q odd
+    // find q and s such that p - 1 = q*(2^s) with q odd
     for (Q = P - _1n, S = 0; Q % _2n === _0n; Q /= _2n, S++)
         ;
     // Step 2: Select a non-square z such that (z | p) ≡ -1 and set c ≡ zq
@@ -97,31 +99,32 @@ export function tonelliShanks(P) {
     // Slow-path
     const Q1div2 = (Q + _1n) / _2n;
     return function tonelliSlow(Fp, n) {
-        // Step 0: Check that n is indeed a square: (n | p) must be ≡ 1
-        if (Fp.pow(n, legendreC) !== Fp.ONE)
+        // Step 0: Check that n is indeed a square: (n | p) should not be ≡ -1
+        if (Fp.pow(n, legendreC) === Fp.negate(Fp.ONE))
             throw new Error('Cannot find square root');
-        let s = S;
-        let c = pow(Z, Q, P);
-        let r = Fp.pow(n, Q1div2);
-        let t = Fp.pow(n, Q);
-        let t2 = Fp.ZERO;
-        while (!Fp.equals(Fp.sub(t, Fp.ONE), Fp.ZERO)) {
-            t2 = Fp.square(t);
-            let i;
-            for (i = 1; i < s; i++) {
-                // stop if t2-1 == 0
-                if (Fp.equals(Fp.sub(t2, Fp.ONE), Fp.ZERO))
+        let r = S;
+        // TODO: will fail at Fp2/etc
+        let g = Fp.pow(Fp.mul(Fp.ONE, Z), Q); // will update both x and b
+        let x = Fp.pow(n, Q1div2); // first guess at the square root
+        let b = Fp.pow(n, Q); // first guess at the fudge factor
+        while (!Fp.equals(b, Fp.ONE)) {
+            if (Fp.equals(b, Fp.ZERO))
+                return Fp.ZERO; // https://en.wikipedia.org/wiki/Tonelli%E2%80%93Shanks_algorithm (4. If t = 0, return r = 0)
+            // Find m such b^(2^m)==1
+            let m = 1;
+            for (let t2 = Fp.square(b); m < r; m++) {
+                if (Fp.equals(t2, Fp.ONE))
                     break;
-                // t2 *= t2
-                t2 = Fp.square(t2);
+                t2 = Fp.square(t2); // t2 *= t2
             }
-            let b = pow(c, BigInt(1 << (s - i - 1)), P);
-            r = Fp.mul(r, b);
-            c = mod(b * b, P);
-            t = Fp.mul(t, c);
-            s = i;
+            // NOTE: r-m-1 can be bigger than 32, need to convert to bigint before shift, otherwise there will be overflow
+            const ge = Fp.pow(g, _1n << BigInt(r - m - 1)); // ge = 2^(r-m-1)
+            g = Fp.square(ge); // g = ge * ge
+            x = Fp.mul(x, ge); // x *= ge
+            b = Fp.mul(b, g); // b *= g
+            r = m;
         }
-        return r;
+        return x;
     };
 }
 export function FpSqrt(P) {

package/lib/esm/abstract/montgomery.js

@@ -1,8 +1,6 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import * as mod from './modular.js';
-import { ensureBytes, numberToBytesLE, bytesToNumberLE,
-// nLength,
- } from './utils.js';
+import { ensureBytes, numberToBytesLE, bytesToNumberLE, isPositiveInt } from './utils.js';
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 function validateOpts(curve) {
@@ -13,7 +11,7 @@ function validateOpts(curve) {
     for (const i of ['montgomeryBits', 'nByteLength']) {
         if (curve[i] === undefined)
             continue; // Optional
-        if (!Number.isSafeInteger(curve[i]))
+        if (!isPositiveInt(curve[i]))
             throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
     }
     for (const fn of ['adjustScalarBytes', 'domain', 'powPminus2']) {

package/lib/esm/abstract/utils.js

@@ -3,21 +3,27 @@ import * as mod from './modular.js';
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 const _2n = BigInt(2);
+// Bans floats and integers above 2^53-1
+export function isPositiveInt(num) {
+    return typeof num === 'number' && Number.isSafeInteger(num) && num > 0;
+}
 export function validateOpts(curve) {
     mod.validateField(curve.Fp);
     for (const i of ['n', 'h']) {
-        if (typeof curve[i] !== 'bigint')
-            throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
+        const val = curve[i];
+        if (typeof val !== 'bigint')
+            throw new Error(`Invalid curve param ${i}=${val} (${typeof val})`);
     }
     if (!curve.Fp.isValid(curve.Gx))
         throw new Error('Invalid generator X coordinate Fp element');
     if (!curve.Fp.isValid(curve.Gy))
         throw new Error('Invalid generator Y coordinate Fp element');
     for (const i of ['nBitLength', 'nByteLength']) {
-        if (curve[i] === undefined)
+        const val = curve[i];
+        if (val === undefined)
             continue; // Optional
-        if (!Number.isSafeInteger(curve[i]))
-            throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
+        if (!isPositiveInt(val))
+            throw new Error(`Invalid curve param ${i}=${val} (${typeof val})`);
     }
     // Set defaults
     return Object.freeze({ ...nLength(curve.n, curve.nBitLength), ...curve });
@@ -104,21 +110,22 @@ export function nLength(n, nBitLength) {
     return { nBitLength: _nBitLength, nByteLength };
 }
 /**
+ * FIPS 186 B.4.1-compliant "constant-time" private key generation utility.
  * Can take (n+8) or more bytes of uniform input e.g. from CSPRNG or KDF
  * and convert them into private scalar, with the modulo bias being neglible.
- * As per FIPS 186 B.4.1.
+ * Needs at least 40 bytes of input for 32-byte private key.
  * https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
- * @param hash hash output from sha512, or a similar function
+ * @param hash hash output from SHA3 or a similar function
  * @returns valid private scalar
  */
-export function hashToPrivateScalar(hash, CURVE_ORDER, isLE = false) {
+export function hashToPrivateScalar(hash, groupOrder, isLE = false) {
     hash = ensureBytes(hash);
-    const orderLen = nLength(CURVE_ORDER).nByteLength;
-    const minLen = orderLen + 8;
-    if (orderLen < 16 || hash.length < minLen || hash.length > 1024)
-        throw new Error('Expected valid bytes of private key as per FIPS 186');
+    const hashLen = hash.length;
+    const minLen = nLength(groupOrder).nByteLength + 8;
+    if (minLen < 24 || hashLen < minLen || hashLen > 1024)
+        throw new Error(`hashToPrivateScalar: expected ${minLen}-1024 bytes of input, got ${hashLen}`);
     const num = isLE ? bytesToNumberLE(hash) : bytesToNumberBE(hash);
-    return mod.mod(num, CURVE_ORDER - _1n) + _1n;
+    return mod.mod(num, groupOrder - _1n) + _1n;
 }
 export function equalBytes(b1, b2) {
     // We don't care about timing attacks here