@noble/curves 0.5.1 → 0.6.0

package/lib/stark.d.ts

@@ -1,6 +1,7 @@
-import { ProjectivePointType } from './abstract/weierstrass.js';
+import { ProjPointType } from './abstract/weierstrass.js';
 import * as cutils from './abstract/utils.js';
-declare type ProjectivePoint = ProjectivePointType<bigint>;
+import { Field } from './abstract/modular.js';
+declare type ProjectivePoint = ProjPointType<bigint>;
 export declare const starkCurve: import("./abstract/weierstrass.js").CurveFn;
 declare function getPublicKey0x(privKey: Hex, isCompressed?: boolean): Uint8Array;
 declare function getSharedSecret0x(privKeyA: Hex, pubKeyB: Hex): Uint8Array;
@@ -9,7 +10,7 @@ declare function verify0x(signature: Hex, msgHash: Hex, pubKey: Hex): boolean;
 declare const CURVE: Readonly<{
     readonly nBitLength: number;
     readonly nByteLength: number;
-    readonly Fp: import("./abstract/modular.js").Field<bigint>;
+    readonly Fp: Field<bigint>;
     readonly n: bigint;
     readonly h: bigint;
     readonly hEff?: bigint | undefined;
@@ -29,34 +30,22 @@ declare const CURVE: Readonly<{
             k2: bigint;
         };
     } | undefined;
-    readonly isTorsionFree?: ((c: import("./abstract/weierstrass.js").ProjectiveConstructor<bigint>, point: ProjectivePointType<bigint>) => boolean) | undefined;
-    readonly clearCofactor?: ((c: import("./abstract/weierstrass.js").ProjectiveConstructor<bigint>, point: ProjectivePointType<bigint>) => ProjectivePointType<bigint>) | undefined;
-    readonly htfDefaults?: import("./abstract/hash-to-curve.js").htfOpts | undefined;
-    readonly mapToCurve?: ((scalar: bigint[]) => {
-        x: bigint;
-        y: bigint;
-    }) | undefined;
+    readonly isTorsionFree?: ((c: import("./abstract/weierstrass.js").ProjConstructor<bigint>, point: ProjPointType<bigint>) => boolean) | undefined;
+    readonly clearCofactor?: ((c: import("./abstract/weierstrass.js").ProjConstructor<bigint>, point: ProjPointType<bigint>) => ProjPointType<bigint>) | undefined;
     lowS: boolean;
     readonly hash: cutils.CHash;
     readonly hmac: (key: Uint8Array, ...messages: Uint8Array[]) => Uint8Array;
     readonly randomBytes: (bytesLength?: number | undefined) => Uint8Array;
-    readonly truncateHash?: ((hash: Uint8Array, truncateOnly?: boolean | undefined) => bigint) | undefined;
-}>, Point: import("./abstract/weierstrass.js").PointConstructor<bigint>, ProjectivePoint: import("./abstract/weierstrass.js").ProjectiveConstructor<bigint>, Signature: import("./abstract/weierstrass.js").SignatureConstructor;
+    readonly bits2int?: ((bytes: Uint8Array) => bigint) | undefined;
+    readonly bits2int_modN?: ((bytes: Uint8Array) => bigint) | undefined;
+}>, ProjectivePoint: import("./abstract/weierstrass.js").ProjConstructor<bigint>, Signature: import("./abstract/weierstrass.js").SignatureConstructor;
 export declare const utils: {
-    mod: (a: bigint, b?: bigint | undefined) => bigint;
-    invert: (number: bigint, modulo?: bigint | undefined) => bigint;
-    _bigintToBytes: (num: bigint) => Uint8Array;
-    _bigintToString: (num: bigint) => string;
     _normalizePrivateKey: (key: cutils.PrivKey) => bigint;
-    _normalizePublicKey: (publicKey: import("./abstract/weierstrass.js").PubKey) => import("./abstract/weierstrass.js").PointType<bigint>;
-    _isWithinCurveOrder: (num: bigint) => boolean;
-    _isValidFieldElement: (num: bigint) => boolean;
-    _weierstrassEquation: (x: bigint) => bigint;
     isValidPrivateKey(privateKey: cutils.PrivKey): boolean;
     hashToPrivateKey: (hash: cutils.Hex) => Uint8Array;
     randomPrivateKey: () => Uint8Array;
 };
-export { CURVE, Point, Signature, ProjectivePoint, getPublicKey0x as getPublicKey, getSharedSecret0x as getSharedSecret, sign0x as sign, verify0x as verify, };
+export { CURVE, Signature, ProjectivePoint, getPublicKey0x as getPublicKey, getSharedSecret0x as getSharedSecret, sign0x as sign, verify0x as verify, };
 export declare const bytesToHexEth: (uint8a: Uint8Array) => string;
 export declare const strip0x: (hex: string) => string;
 export declare const numberToHexEth: (num: bigint | number) => string;
@@ -70,3 +59,29 @@ export declare function pedersen(x: PedersenArg, y: PedersenArg): string;
 export declare function hashChain(data: PedersenArg[], fn?: typeof pedersen): PedersenArg;
 export declare const computeHashOnElements: (data: PedersenArg[], fn?: typeof pedersen) => PedersenArg;
 export declare const keccak: (data: Uint8Array) => bigint;
+export declare const Fp253: Readonly<Field<bigint> & Required<Pick<Field<bigint>, "isOdd">>>;
+export declare const Fp251: Readonly<Field<bigint> & Required<Pick<Field<bigint>, "isOdd">>>;
+export declare function _poseidonMDS(Fp: Field<bigint>, name: string, m: number, attempt?: number): bigint[][];
+export declare type PoseidonOpts = {
+    Fp: Field<bigint>;
+    rate: number;
+    capacity: number;
+    roundsFull: number;
+    roundsPartial: number;
+};
+export declare function poseidonBasic(opts: PoseidonOpts, mds: bigint[][]): {
+    (values: bigint[]): bigint[];
+    roundConstants: bigint[][];
+};
+export declare function poseidonCreate(opts: PoseidonOpts, mdsAttempt?: number): {
+    (values: bigint[]): bigint[];
+    roundConstants: bigint[][];
+};
+export declare const poseidonSmall: {
+    (values: bigint[]): bigint[];
+    roundConstants: bigint[][];
+};
+export declare function poseidonHash(x: bigint, y: bigint, fn?: {
+    (values: bigint[]): bigint[];
+    roundConstants: bigint[][];
+}): bigint;

package/lib/stark.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.keccak = exports.computeHashOnElements = exports.hashChain = exports.pedersen = exports.getAccountPath = exports.ethSigToPrivate = exports.getStarkKey = exports.grindKey = exports.numberToHexEth = exports.strip0x = exports.bytesToHexEth = exports.verify = exports.sign = exports.getSharedSecret = exports.getPublicKey = exports.ProjectivePoint = exports.Signature = exports.Point = exports.CURVE = exports.utils = exports.starkCurve = void 0;
+exports.poseidonHash = exports.poseidonSmall = exports.poseidonCreate = exports.poseidonBasic = exports._poseidonMDS = exports.Fp251 = exports.Fp253 = exports.keccak = exports.computeHashOnElements = exports.hashChain = exports.pedersen = exports.getAccountPath = exports.ethSigToPrivate = exports.getStarkKey = exports.grindKey = exports.numberToHexEth = exports.strip0x = exports.bytesToHexEth = exports.verify = exports.sign = exports.getSharedSecret = exports.getPublicKey = exports.ProjectivePoint = exports.Signature = exports.CURVE = exports.utils = exports.starkCurve = void 0;
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 const sha3_1 = require("@noble/hashes/sha3");
 const sha256_1 = require("@noble/hashes/sha256");
@@ -8,10 +8,21 @@ const weierstrass_js_1 = require("./abstract/weierstrass.js");
 const cutils = require("./abstract/utils.js");
 const modular_js_1 = require("./abstract/modular.js");
 const _shortw_utils_js_1 = require("./_shortw_utils.js");
+const poseidon = require("./abstract/poseidon.js");
+const utils_1 = require("@noble/hashes/utils");
 // Stark-friendly elliptic curve
 // https://docs.starkware.co/starkex/stark-curve.html
 const CURVE_N = BigInt('3618502788666131213697322783095070105526743751716087489154079457884512865583');
 const nBitLength = 252;
+// Copy-pasted from weierstrass.ts
+function bits2int(bytes) {
+    const delta = bytes.length * 8 - nBitLength;
+    const num = cutils.bytesToNumberBE(bytes);
+    return delta > 0 ? num >> BigInt(delta) : num;
+}
+function bits2int_modN(bytes) {
+    return (0, modular_js_1.mod)(bits2int(bytes), CURVE_N);
+}
 exports.starkCurve = (0, weierstrass_js_1.weierstrass)({
     // Params: a, b
     a: BigInt(1),
@@ -29,33 +40,28 @@ exports.starkCurve = (0, weierstrass_js_1.weierstrass)({
     // Default options
     lowS: false,
     ...(0, _shortw_utils_js_1.getHash)(sha256_1.sha256),
-    truncateHash: (hash, truncateOnly = false) => {
-        // TODO: cleanup, ugly code
-        // Fix truncation
-        if (!truncateOnly) {
-            let hashS = bytesToNumber0x(hash).toString(16);
-            if (hashS.length === 63) {
-                hashS += '0';
-                hash = hexToBytes0x(hashS);
-            }
+    // Custom truncation routines for stark curve
+    bits2int: (bytes) => {
+        while (bytes[0] === 0)
+            bytes = bytes.subarray(1);
+        return bits2int(bytes);
+    },
+    bits2int_modN: (bytes) => {
+        let hashS = cutils.bytesToNumberBE(bytes).toString(16);
+        if (hashS.length === 63) {
+            hashS += '0';
+            bytes = hexToBytes0x(hashS);
         }
         // Truncate zero bytes on left (compat with elliptic)
-        while (hash[0] === 0)
-            hash = hash.subarray(1);
-        const byteLength = hash.length;
-        const delta = byteLength * 8 - nBitLength; // size of curve.n (252 bits)
-        let h = hash.length ? bytesToNumber0x(hash) : 0n;
-        if (delta > 0)
-            h = h >> BigInt(delta);
-        if (!truncateOnly && h >= CURVE_N)
-            h -= CURVE_N;
-        return h;
+        while (bytes[0] === 0)
+            bytes = bytes.subarray(1);
+        return bits2int_modN(bytes);
     },
 });
 // Custom Starknet type conversion functions that can handle 0x and unpadded hex
 function hexToBytes0x(hex) {
     if (typeof hex !== 'string') {
-        throw new TypeError('hexToBytes: expected string, got ' + typeof hex);
+        throw new Error('hexToBytes: expected string, got ' + typeof hex);
     }
     hex = (0, exports.strip0x)(hex);
     if (hex.length & 1)
@@ -75,7 +81,7 @@ function hexToBytes0x(hex) {
 }
 function hexToNumber0x(hex) {
     if (typeof hex !== 'string') {
-        throw new TypeError('hexToNumber: expected string, got ' + typeof hex);
+        throw new Error('hexToNumber: expected string, got ' + typeof hex);
     }
     // Big Endian
     // TODO: strip vs no strip?
@@ -90,7 +96,7 @@ function ensureBytes0x(hex) {
     return hex instanceof Uint8Array ? Uint8Array.from(hex) : hexToBytes0x(hex);
 }
 function normalizePrivateKey(privKey) {
-    return cutils.bytesToHex(ensureBytes0x(privKey)).padStart(32 * 2, '0');
+    return cutils.bytesToHex(ensureBytes0x(privKey)).padStart(64, '0');
 }
 function getPublicKey0x(privKey, isCompressed) {
     return exports.starkCurve.getPublicKey(normalizePrivateKey(privKey), isCompressed);
@@ -111,9 +117,8 @@ function verify0x(signature, msgHash, pubKey) {
     return exports.starkCurve.verify(sig, ensureBytes0x(msgHash), ensureBytes0x(pubKey));
 }
 exports.verify = verify0x;
-const { CURVE, Point, ProjectivePoint, Signature } = exports.starkCurve;
+const { CURVE, ProjectivePoint, Signature } = exports.starkCurve;
 exports.CURVE = CURVE;
-exports.Point = Point;
 exports.ProjectivePoint = ProjectivePoint;
 exports.Signature = Signature;
 exports.utils = exports.starkCurve.utils;
@@ -129,17 +134,17 @@ function hashKeyWithIndex(key, index) {
     let indexHex = cutils.numberToHexUnpadded(index);
     if (indexHex.length & 1)
         indexHex = '0' + indexHex;
-    return bytesToNumber0x((0, sha256_1.sha256)(cutils.concatBytes(key, hexToBytes0x(indexHex))));
+    return sha256Num(cutils.concatBytes(key, hexToBytes0x(indexHex)));
 }
 function grindKey(seed) {
     const _seed = ensureBytes0x(seed);
     const sha256mask = 2n ** 256n;
-    const limit = sha256mask - exports.starkCurve.utils.mod(sha256mask, exports.starkCurve.CURVE.n);
+    const limit = sha256mask - (0, modular_js_1.mod)(sha256mask, CURVE_N);
     for (let i = 0;; i++) {
         const key = hashKeyWithIndex(_seed, i);
         // key should be in [0, limit)
         if (key < limit)
-            return exports.starkCurve.utils.mod(key, exports.starkCurve.CURVE.n).toString(16);
+            return (0, modular_js_1.mod)(key, CURVE_N).toString(16);
     }
 }
 exports.grindKey = grindKey;
@@ -157,22 +162,22 @@ exports.ethSigToPrivate = ethSigToPrivate;
 const MASK_31 = 2n ** 31n - 1n;
 const int31 = (n) => Number(n & MASK_31);
 function getAccountPath(layer, application, ethereumAddress, index) {
-    const layerNum = int31(bytesToNumber0x((0, sha256_1.sha256)(layer)));
-    const applicationNum = int31(bytesToNumber0x((0, sha256_1.sha256)(application)));
+    const layerNum = int31(sha256Num(layer));
+    const applicationNum = int31(sha256Num(application));
     const eth = hexToNumber0x(ethereumAddress);
     return `m/2645'/${layerNum}'/${applicationNum}'/${int31(eth)}'/${int31(eth >> 31n)}'/${index}`;
 }
 exports.getAccountPath = getAccountPath;
 // https://docs.starkware.co/starkex/pedersen-hash-function.html
 const PEDERSEN_POINTS_AFFINE = [
-    new Point(2089986280348253421170679821480865132823066470938446095505822317253594081284n, 1713931329540660377023406109199410414810705867260802078187082345529207694986n),
-    new Point(996781205833008774514500082376783249102396023663454813447423147977397232763n, 1668503676786377725805489344771023921079126552019160156920634619255970485781n),
-    new Point(2251563274489750535117886426533222435294046428347329203627021249169616184184n, 1798716007562728905295480679789526322175868328062420237419143593021674992973n),
-    new Point(2138414695194151160943305727036575959195309218611738193261179310511854807447n, 113410276730064486255102093846540133784865286929052426931474106396135072156n),
-    new Point(2379962749567351885752724891227938183011949129833673362440656643086021394946n, 776496453633298175483985398648758586525933812536653089401905292063708816422n),
+    new ProjectivePoint(2089986280348253421170679821480865132823066470938446095505822317253594081284n, 1713931329540660377023406109199410414810705867260802078187082345529207694986n, 1n),
+    new ProjectivePoint(996781205833008774514500082376783249102396023663454813447423147977397232763n, 1668503676786377725805489344771023921079126552019160156920634619255970485781n, 1n),
+    new ProjectivePoint(2251563274489750535117886426533222435294046428347329203627021249169616184184n, 1798716007562728905295480679789526322175868328062420237419143593021674992973n, 1n),
+    new ProjectivePoint(2138414695194151160943305727036575959195309218611738193261179310511854807447n, 113410276730064486255102093846540133784865286929052426931474106396135072156n, 1n),
+    new ProjectivePoint(2379962749567351885752724891227938183011949129833673362440656643086021394946n, 776496453633298175483985398648758586525933812536653089401905292063708816422n, 1n),
 ];
 // for (const p of PEDERSEN_POINTS) p._setWindowSize(8);
-const PEDERSEN_POINTS = PEDERSEN_POINTS_AFFINE.map(ProjectivePoint.fromAffine);
+const PEDERSEN_POINTS = PEDERSEN_POINTS_AFFINE;
 function pedersenPrecompute(p1, p2) {
     const out = [];
     let p = p1;
@@ -211,7 +216,7 @@ function pedersenSingle(point, value, constants) {
     let x = pedersenArg(value);
     for (let j = 0; j < 252; j++) {
         const pt = constants[j];
-        if (pt.x === point.x)
+        if (pt.px === point.px)
             throw new Error('Same point');
         if ((x & 1n) !== 0n)
             point = point.add(pt);
@@ -224,7 +229,7 @@ function pedersen(x, y) {
     let point = PEDERSEN_POINTS[0];
     point = pedersenSingle(point, x, PEDERSEN_POINTS1);
     point = pedersenSingle(point, y, PEDERSEN_POINTS2);
-    return (0, exports.bytesToHexEth)(point.toAffine().toRawBytes(true).slice(1));
+    return (0, exports.bytesToHexEth)(point.toRawBytes(true).slice(1));
 }
 exports.pedersen = pedersen;
 function hashChain(data, fn = pedersen) {
@@ -240,6 +245,69 @@ exports.hashChain = hashChain;
 // Same as hashChain, but computes hash even for single element and order is not revesed
 const computeHashOnElements = (data, fn = pedersen) => [0, ...data, data.length].reduce((x, y) => fn(x, y));
 exports.computeHashOnElements = computeHashOnElements;
-const MASK_250 = 2n ** 250n - 1n;
+const MASK_250 = cutils.bitMask(250);
 const keccak = (data) => bytesToNumber0x((0, sha3_1.keccak_256)(data)) & MASK_250;
 exports.keccak = keccak;
+const sha256Num = (data) => cutils.bytesToNumberBE((0, sha256_1.sha256)(data));
+// Poseidon hash
+exports.Fp253 = (0, modular_js_1.Fp)(BigInt('14474011154664525231415395255581126252639794253786371766033694892385558855681')); // 2^253 + 2^199 + 1
+exports.Fp251 = (0, modular_js_1.Fp)(BigInt('3618502788666131213697322783095070105623107215331596699973092056135872020481')); // 2^251 + 17 * 2^192 + 1
+function poseidonRoundConstant(Fp, name, idx) {
+    const val = Fp.fromBytes((0, sha256_1.sha256)((0, utils_1.utf8ToBytes)(`${name}${idx}`)));
+    return Fp.create(val);
+}
+// NOTE: doesn't check eiginvalues and possible can create unsafe matrix. But any filtration here will break compatibility with starknet
+// Please use only if you really know what you doing.
+// https://eprint.iacr.org/2019/458.pdf Section 2.3 (Avoiding Insecure Matrices)
+function _poseidonMDS(Fp, name, m, attempt = 0) {
+    const x_values = [];
+    const y_values = [];
+    for (let i = 0; i < m; i++) {
+        x_values.push(poseidonRoundConstant(Fp, `${name}x`, attempt * m + i));
+        y_values.push(poseidonRoundConstant(Fp, `${name}y`, attempt * m + i));
+    }
+    if (new Set([...x_values, ...y_values]).size !== 2 * m)
+        throw new Error('X and Y values are not distinct');
+    return x_values.map((x) => y_values.map((y) => Fp.inv(Fp.sub(x, y))));
+}
+exports._poseidonMDS = _poseidonMDS;
+const MDS_SMALL = [
+    [3, 1, 1],
+    [1, -1, 1],
+    [1, 1, -2],
+].map((i) => i.map(BigInt));
+function poseidonBasic(opts, mds) {
+    (0, modular_js_1.validateField)(opts.Fp);
+    if (!Number.isSafeInteger(opts.rate) || !Number.isSafeInteger(opts.capacity))
+        throw new Error(`Wrong poseidon opts: ${opts}`);
+    const m = opts.rate + opts.capacity;
+    const rounds = opts.roundsFull + opts.roundsPartial;
+    const roundConstants = [];
+    for (let i = 0; i < rounds; i++) {
+        const row = [];
+        for (let j = 0; j < m; j++)
+            row.push(poseidonRoundConstant(opts.Fp, 'Hades', m * i + j));
+        roundConstants.push(row);
+    }
+    return poseidon.poseidon({
+        ...opts,
+        t: m,
+        sboxPower: 3,
+        reversePartialPowIdx: true,
+        mds,
+        roundConstants,
+    });
+}
+exports.poseidonBasic = poseidonBasic;
+function poseidonCreate(opts, mdsAttempt = 0) {
+    const m = opts.rate + opts.capacity;
+    if (!Number.isSafeInteger(mdsAttempt))
+        throw new Error(`Wrong mdsAttempt=${mdsAttempt}`);
+    return poseidonBasic(opts, _poseidonMDS(opts.Fp, 'HadesMDS', m, mdsAttempt));
+}
+exports.poseidonCreate = poseidonCreate;
+exports.poseidonSmall = poseidonBasic({ Fp: exports.Fp251, rate: 2, capacity: 1, roundsFull: 8, roundsPartial: 83 }, MDS_SMALL);
+function poseidonHash(x, y, fn = exports.poseidonSmall) {
+    return fn([x, y, 2n])[0];
+}
+exports.poseidonHash = poseidonHash;

package/package.json

@@ -1,12 +1,12 @@
 {
   "name": "@noble/curves",
-  "version": "0.5.1",
+  "version": "0.6.0",
   "description": "Minimal, auditable JS implementation of elliptic curve cryptography",
   "files": [
     "lib"
   ],
   "scripts": {
-    "bench": "node benchmark/index.js",
+    "bench": "cd benchmark; node index.js",
     "build": "tsc && tsc -p tsconfig.esm.json",
     "build:release": "rollup -c rollup.config.js",
     "lint": "prettier --check 'src/**/*.{js,ts}' 'test/*.js'",
@@ -31,8 +31,8 @@
     "@types/node": "18.11.3",
     "fast-check": "3.0.0",
     "micro-bmark": "0.2.0",
-    "micro-should": "0.2.0",
-    "prettier": "2.6.2",
+    "micro-should": "0.3.0",
+    "prettier": "2.8.3",
     "rollup": "2.75.5",
     "typescript": "4.7.3"
   },
@@ -73,16 +73,21 @@
       "import": "./lib/esm/abstract/hash-to-curve.js",
       "default": "./lib/abstract/hash-to-curve.js"
     },
-    "./abstract/group": {
-      "types": "./lib/abstract/group.d.ts",
-      "import": "./lib/esm/abstract/group.js",
-      "default": "./lib/abstract/group.js"
+    "./abstract/curve": {
+      "types": "./lib/abstract/curve.d.ts",
+      "import": "./lib/esm/abstract/curve.js",
+      "default": "./lib/abstract/curve.js"
     },
     "./abstract/utils": {
       "types": "./lib/abstract/utils.d.ts",
       "import": "./lib/esm/abstract/utils.js",
       "default": "./lib/abstract/utils.js"
     },
+    "./abstract/poseidon": {
+      "types": "./lib/abstract/poseidon.d.ts",
+      "import": "./lib/esm/abstract/poseidon.js",
+      "default": "./lib/abstract/poseidon.js"
+    },
     "./_shortw_utils": {
       "types": "./lib/_shortw_utils.d.ts",
       "import": "./lib/esm/_shortw_utils.js",
@@ -189,4 +194,4 @@
       "url": "https://paulmillr.com/funding/"
     }
   ]
-}
+}